McAfee® Network Security Platform 6.0

Troubleshooting Network Security Platform

31

Manager database is full 

We recommend that the customer monitor the disk space on a continuous basis to prevent this from happening.

If the Manager database or disk space is full, the Manager will be unable to process any new alerts or packet logs. In addition, the Manager may not be able to process any configuration changes, including policy changes and alert acknowledgement. In fact, the Manager may stop functioning completely.

To rectify this situation, perform maintenance operations on the database, including deleting unnecessary alerts and packet logs. Furthermore, reevaluate database capacity planning and sizing, and monitor free space proactively. The Manager is designed with various file and disk maintenance functions. You can archive alert and packet log data and then delete the data to free up disk space. It also provides a standalone tool for creating database backups that can be archived for emergency restoration.

The Manager also provides disk maintenance alerts, which send proactive system fault messages when certain database-dependent processes exceed a user-defined threshold (say 70%). The Manager generates faults for various thresholds of database space utilization.
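The proactive free-space monitoring recommended above, as an added example that is not part of the McAfee guide or product: utilization of the volume is sampled, a fault is raised when it crosses a user-defined threshold (70% here) and cleared only once it falls a margin below that threshold, so a volume hovering near the line does not flap between raised and cleared. The band names, percentages and clear margin are assumptions chosen for illustration, and the sample series is constructed.

```python
"""Threshold-based disk utilization faults for a Manager database volume.

Added example, not from the McAfee guide. Band names, percentages and the
clear margin below are assumptions for illustration, not product values.
"""
import shutil
from dataclasses import dataclass, field

# Assumed fault bands: (name, raise-at percent), least to most severe.
DEFAULT_BANDS = (
    ("Warning", 70.0),
    ("Error", 85.0),
    ("Critical", 95.0),
)
# Assumed hysteresis: a band clears only once utilization is this many
# percentage points below the level that raised it.
CLEAR_MARGIN = 5.0


def disk_utilization_percent(path):
    """Percentage of the volume holding `path` that is currently in use."""
    usage = shutil.disk_usage(path)
    return 100.0 * usage.used / usage.total


@dataclass
class ThresholdMonitor:
    """Tracks which fault bands are currently raised across samples."""
    bands: tuple = DEFAULT_BANDS
    clear_margin: float = CLEAR_MARGIN
    active: set = field(default_factory=set)

    def observe(self, percent):
        """Feed one utilization sample; return the fault events it produced.

        Each event is (band_name, "raised" | "cleared"). A band already
        raised stays raised until the sample drops below raise_at - margin.
        """
        events = []
        for name, raise_at in self.bands:
            if name not in self.active and percent >= raise_at:
                self.active.add(name)
                events.append((name, "raised"))
            elif name in self.active and percent < raise_at - self.clear_margin:
                self.active.discard(name)
                events.append((name, "cleared"))
        return events


def run_samples(samples, monitor=None):
    """Replay a series of utilization samples, collecting every fault event
    as (sample_index, percent, band_name, state)."""
    monitor = monitor or ThresholdMonitor()
    timeline = []
    for i, pct in enumerate(samples):
        for event in monitor.observe(pct):
            timeline.append((i, pct, *event))
    return timeline


# Constructed sample series (not real measurements): the volume fills up
# past each band, then a purge frees space and all faults clear.
SAMPLE_UTILIZATION = [55.0, 68.0, 71.0, 69.0, 66.0, 64.0, 86.0, 96.0, 40.0]


if __name__ == "__main__":
    for step, pct, band, state in run_samples(SAMPLE_UTILIZATION):
        print(f"sample {step}: {pct:5.1f}% -> {band} {state}")
    print(f"Current volume utilization: {disk_utilization_percent('.'):.1f}%")
```

Note that the samples at 69% and 66% produce no event even though the Warning threshold is 70%: the fault stays raised until utilization falls below 65%.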

 

Error on accessing the Configuration page 

On some occasions, accessing the Manager Configuration page can result in an error 
message. This typically happens if you access various versions of the Manager from the 
same client or use the Manager client to access other Web-based applications as well. 
This is a Java-cache related issue.  

To resolve the issue:

1. On the Manager client, go to Windows Control Panel > Java > General > Settings.

2. Click Delete Files and then click OK in the Delete Temporary Files dialog. This deletes all Java-related temporary files on the client.

3. Log out of the Manager and close Internet Explorer.

4. Log in to the Manager in a new instance of Internet Explorer.

Sensor response if its throughput is exceeded 

Each Sensor model has a limited throughput. For example, the Network Security Platform 
2700 Sensor is rated at 600Mbps performance. With the Gigabit interfaces it is 
theoretically possible to oversubscribe the limit. What happens in this situation? Will it 
throttle the throughput to 600Mbps or will you just lose the IPS functionality for everything 
more than 600Mbps? 

The answer is that the Sensor will drop packets depending on the TCP flow violation settings. Network Security Platform also has an over-subscription feature, whereby the Sensor can inline-forward traffic without IPS inspection when it is over-subscribed. There could also be false negatives, and the traffic may experience high latency.

It is very important that you stay within the operating parameters of the device you deploy. 
If you are actually running at gigabit speeds, you should probably be running an I-3000/I-

Summary of Contents for M4050 - Network Security Platform

Page 1: ...McAfee Network Protection Industry leading network security solutions Troubleshooting Guide McAfee Network Security Platform version 6 0 Revision 6 0 ...

Page 2: ...port C 2001 Stellent Chicago Inc Software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper C 1998 1999 2000 Software copyrighted by Expat maintainers Software copyrighted by The Regents of the University of California C 1996 1989 1998 2000 Software copyrighted by Gunnar Ritter Software copyrighted by Sun Microsystems Inc 4150 Network Circle Santa Clara California 95054 U S A C ...

Page 3: ...nges 9 Remove debug shell at port 9001 9 Other best practices for securing Manager 9 Chapter 3 Hardening the Manager Server for Windows 2008 10 Pre installation 10 Installation 10 Post Installation 10 Disabling non required Services 11 Setting System Policies 11 Setting User Policies 11 Setting a Desktop Firewall 11 Configuring Audit Events 12 Chapter 4 Troubleshooting Network Security Platform 14...

Page 4: ... frames 32 ISL frames 32 Sensor failover issues 33 External fail open kit issues in connecting to the monitoring port 33 XC cable connection issues for M8000 Sensors 33 Chapter 5 Determining False Positives 34 Reducing false positives 34 Tune your policies 34 About false positives and noise 35 Determining a false positive versus noise 36 Chapter 6 System Fault Messages 38 Critical faults 38 Error ...

Page 5: ...abilities in a scenario in which McAfee Network Security Sensor NAC Sensor and NTBA Appliance are installed and managed through a single Manager About this Guide This guide provides the basic troubleshooting techniques for Network Security Platform You get information on the key issues to be taken care of in the McAfee Network Security Manager formerly McAfee IntruShield Security Manager and McAfe...

Page 6: ...PER CASE Press ENTER Text such as syntax key words and values that you must type exactly are denoted using Courier New font Type setup and then press ENTER Variable information that you must type based on your specific situation or environment is shown in italics Type Sensor IP address and then press ENTER Parameters that you must supply are shown enclosed in angle brackets set Sensor ip A B C D I...

Page 7: ...ide M 3050 M 4050 Sensor Product Guide M 3050 M 4050 Quick Start Guide M 6050 Sensor Product Guide M 6050 Quick Start Guide M 8000 Sensor Product Guide M 8000 Quick Start Guide Gigabit Optical Fail Open Bypass Kit Guide Gigabit Copper Fail Open Bypass Kit Guide 10 Gigabit Fail Open Bypass Kit Guide M 8000 M 6050 M 4050 M 3050 Slide Rail Assembly Procedure M 2750 Slide Rail Assembly Procedure M ser...

Page 8: ...s available for customers with Gold or Platinum service contracts Global phone contact numbers can be found at McAfee Contact Information http www mcafee com us about contact index html page Note McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support You will be provided with a user name and password for the online case subm...

Page 9: ...y helpful for troubleshooting link issues the volume of traffic through the Sensor in some cases a network diagram particularly for troubleshooting asymmetric traffic issues a Sensor trace file which you can create using the process described in Providing a Sensor diagnostics trace Sensor operating mode i e In line SPAN or TAP This information can be obtained from Sensor_Name Interface View Detail...

Page 10: ...as been assigned to the Manager server For the Manager server McAfee strongly recommends assigning a static IP against using DHCP for IP assignment If applicable configure name resolution for the Manager Ensure that all parties have agreed to the solution design including the location and mode of all McAfee Network Security Sensor the use of sub interfaces or interface groups and if and how the Ma...

Page 11: ... less than 60 seconds If the spread between the two exceeds more than two minutes communication with the Sensors will be lost If you are upgrading from a previous version we recommend that you follow the instructions in the respective version s release notes or if applicable the Upgrade Guide Install a desktop firewall McAfee strongly recommends that you configure a packet filtering firewall to bl...

Page 12: ...hat those ports are also open on the firewall Note that 3306 TCP is used internally by the Manager to connect to the MySQL database If you have Email Notification or SNMP Forwarding configured on the Manager and there is firewall residing between the Manager and your SMTP or SNMP server ensure the following ports are available as well Additional communication ports Port Protocol Description Direct...

Page 13: ... there that might conflict with the anti virus scanner Note If you install McAfee VirusScan 8 5 0i on the Manager after the installation of the Manager software the MySQL scanning exceptions will be created automatically but the Network Security Platform exceptions will not McAfee VirusScan and SMTP notification From 8 0i VirusScan includes an option enabled by default to block all outbound connec...

Page 14: ...e through those records for display in the Threat Analyzer The default Network Security Platform settings err on the side of caution and leave alerts and their packet logs in the database until the user explicitly decides to remove them However most users can safely remove alerts after 30 days Caution It is imperative that you tune the MySQL database after each purge operation Otherwise the purge ...

Page 15: ...he server and open the proper ports Harden the MySQL installation Harden the Manager host Install a desktop firewall It is recommended that you operate a desktop firewall on the Manager server Certain ports are used within the McAfee Network Security Platform Some of these required for Manager McAfee Network Security Sensor Sensor and Manager client server communication All remaining unnecessary p...

Page 16: ...should see only two databases MYSQL and LF if you are using the default Network Security Platform installation of MySQL mysql show databases Remove local anonymous users To remove local anonymous users 1 Look for blank entries for user mysql select host db user from db 2 Remove anonymous access to databases mysql update db set host localhost where user 3 Remove anonymous blank accounts mysql flush...

Page 17: ...ve ALL remote access Recommended Remove individual users remote access Do ONE of the following Remove admin Network Security Platform user remote access mysql delete from user where host localhost and user admin The admin user cannot login remotely however Manager root can Use second cmd window to validate mysql flush privileges Remove root remote access Recommended minimum action mysql delete fro...

Page 18: ...he port set the value in the field called value 1 Other best practices for securing Manager Use a clean dedicated machine for the Manager server and perform a fresh install of the Manager software including the installation of the embedded MySQL database No other software should be available on the server with the exception of a host based firewall as described in Install a desktop firewall on pag...

Page 19: ... Ensure that the server is located in a physically secure environment Connect the server on a protected or isolated network If the hard disk is old use fdisk a command line utility to remove all partitions and create new partitions Installation Installation of Manager should be performed as follows Install the US version of Windows Server 2008 Use NTFS on all partitions Post Installation After ins...

Page 20: ... compliance toolkit or set local security policy Display legal notice at during interactive logon window Do not display username that was earlier used to login Disable Posix Clear virtual memory page file during shutdown Disable autorun Disable LMHOSTS lookup while setting the advanced TCP IP settings Setting User Policies Ensure to set the following user policies Rename the administrator account ...

Page 21: ...hen email notification or SNMP forwarding is configured on Manager and there is firewall between Manager and SNMP Server ensure that the following ports are allowed through firewall Port Description Communication 25 SMTP port Manager to SMTP server 162 SNMP forwarding Manager to SNMP server If you have ePO integration configured on Manager and there is firewall between Manager and the ePO Server e...

Page 22: ...McAfee Network Security Platform 6 0 Hardening the Manager Server for Windows 2008 13 Audit policy change Success Audit privilege use Failure Audit system events Success ...

Page 23: ...that pushes the Sensor into L2 bypass mode if the Sensor experiences a specified number of errors within a specified timeframe Traffic then continues to flow directly through the Sensor without passing to the detection engine Connect a fail open kit which consists of a bypass switch and a controller to any GE monitoring port pairs on the Sensor If a kit is attached to the Sensor disabling the Sens...

Page 24: ...llowing situations may be the cause Network connectivity Ensure that the Sensor and Manager server have power and are appropriately connected to the network Verify the link LEDs on both devices to indicate they have an active link Ping the Sensor and Manager server to ensure that they are available on the network Inconsistency in Sensor and Manager configuration Check to ensure that the Sensor nam...

Page 25: ...device connecting to the Management port To troubleshoot this use the set mgmtport command Note Check the link LEDs on the devices to see if communication is established or use the show mgmtport command to show the link s status Try each of these configuration options to see if one establishes a link 1 First if possible set the other device s port configuration to auto negotiate The Sensor is set ...

Page 26: ...ex mismatch for example one end of the link in full duplex and the other in half duplex may result in performance issues intermittent connectivity and loss of communication It can also create subtle problems in applications For example if a Web server is talking to a database server through an Ethernet switch with a duplex mismatch small database queries may succeed while large ones fail due to a ...

Page 27: ...Link is established but switch does not see Fast Link Pulse FLP and defaults to 10 Mbps half duplex 10 Mbps Half duplex 1000 Mbps Half duplex No Link No Link Neither side establishes link due to speed mismatch Gigabit auto negotiation no link to connected device Gigabit Ethernet has an auto negotiation procedure that is more extensive than that which is used for 10 100 Mbps Ethernet per Gigabit au...

Page 28: ...terface ethernet0 100full Cisco CSS 11000 interface ethernet 3 phy 100Mbits FD Cisco Catalyst 2900XL 3500XL Series Hybrid interface FastEthernet0 2 duplex full speed 100 Cisco Catalyst 4000 5000 6000 Series Native set port speed 1 1 100 set port duplex 1 1 full Connectivity issues with Cisco 3750 12S switch Use the following ports when connecting a Cisco 3750 12s switch to your Sensor 3 4 7 8 11 o...

Page 29: ...r should only increment in situations in which the switch is unable to forward out the port at a desired rate Situations such as excessive collisions and 10 Mb ports cause the transmit buffer to become full Increasing speed and moving the link partner to full duplex should minimize this occurrence Rcv Err This is an indication that the receive buffer is full This is an indication of excessive outp...

Page 30: ... resulted in 16 collisions This is an indication of over utilization of the switch port at half duplex or duplex mismatch Carrier Sense Carrier sense occurs every time an Ethernet controller wants to send data and the counter is incremented when there is an error in the process This is an indication of faulty hardware NIC cable or switch port Runts These are frames smaller than 64 bytes with a bad...

Page 31: ...initialization signature version trust channel status alert counts and so on Sensor should be initialized and in good health At the command prompt type show This displays configuration information such as Sensor image version type name Manager and Sensor IP addresses and so on On the Manager In the Manager Home page view the Operational Status section Manager status should be UP and Sensor status ...

Page 32: ...s Statistics on the number of IP spoofing attacks detected by McAfee Network Security Platform Statistics are displayed per direction Packet Drop Statistics Packet drop rate on a Sensor The statistics is displayed on a per Sensor basis The statistics includes the count of number of packets dropped by Sensor due to set rate limiting on the Sensor and sanity check failures Port Packet Drop Statistic...

Page 33: ...d use the downloadstatus command The downloadstatus command displays the status of various download upload operations signature software image and DoS profile downloads from Manager to Sensor and DoS profile and debug trace uploads from Sensor to Manager It also lists the number of times you have performed the operation status of your previous attempt to perform the operation including if the oper...

Page 34: ...ensor action restarts a Sensor You perform this action in the Manager interface To reboot a Sensor do the following 1 Select root admin domain Device List Device_Name Node Physical Device Reboot 2 Click Reboot Now Rebooting a Sensor using the reboot command The reboot command restarts a Sensor You perform this action in the Sensor CLI 1 At the prompt type reboot 2 Confirm the reboot Sensor doesn t...

Page 35: ...acks detection Note This setting should be reconfigured if the Sensor is rebooted show recon status Displays reconnaissance attack detection status Note This setting should be reconfigured if the Sensor is rebooted show startup stats Displays the startup initialization information set intfportid Available parameters 1A 6B a valid ethernet monito port on the Sensor adminstatus up down ifo ifc tap s...

Page 36: ...tatistics It includes the following information Total layer 4 flow blocks Total SYN flow blocks Total active TCP flows Total Inactive TCP flows Total TCP in timewait Total active UDP flows Total flows in SYN state Total free TCBs Total created flows Total timeout flows show attackcount Displays the total number of attacks detected in a datapath show eccerrors Displays the number of ecc errors show...

Page 37: ...its Displays the number of process units in a datapath set loglevel Available parameters all dos dp m Assigns the log level for modules at each sensor processing unit reset debugmode passwd Resets the password for entering into the debug mode Note This command can be executed only from debug mode perf Displays the count of total watermark exceeded in the DoS processor clearactiveflows Clears the e...

Page 38: ...les or disables a single VLAN ID or a range of vlan IDs on all the interfaces available on the Sensor layer 2 forward vlan interface Available parameters enable disable 0 4095 0 4095 optional all interfaceA interfaceB optional Enables or disables a single VLAN ID or a range of VLAN IDs on specific interfaces available on the Sensor layer2 forward clear Available parameters all tcp udp vlan Removes...

Page 39: ...curity Platform classifies events and prioritizes to ensure the buffer is filled with the most meaningful events to an analyst The following table lists the number of alerts that can be stored locally on the Sensor Number Alert Type 100000 Signature based alerts 2500 Throttled alerts with source and destination IP information 2500 Compressed throttled alerts alerts with no source and destination I...

Page 40: ...asions accessing the Manager Configuration page can result in an error message This typically happens if you access various versions of the Manager from the same client or use the Manager client to access other Web based applications as well This is a Java cache related issue To resolve the issue 1 On the Manager client go to Windows Control Panel Java General Settings 2 Click Delete Files and the...

Page 41: ...McAfee KnowledgeBase article KB60660 Go to http mysupport mcafee com Eservice and click Search the KnowledgeBase How Sensors handle various types of traffic Non ethernet frames are forwarded without inspection The following are the types of special traffic Jumbo Ethernet frames on page 32 ISL frames on page 32 Jumbo Ethernet frames Sensors respond differently to jumbo frames based on which ports a...

Page 42: ... to disconnection of network device cables and improper cabling or port configuration By having a check on the following connections may resolve the issue Ensure that the cables are properly connected to both the network devices and the Bypass Switch Ensure that the transmit and receive cables are properly connected to the Bypass Switch XC cable connection issues for M8000 Sensors XC cable connect...

Page 43: ...tives and noise and avoid overwhelming quantities of legitimate but anticipated alerts Tune your policies The default McAfee Network Security Platform policy templates are provided as a generic starting point you will want to customize one of these policies for your needs So the first step in tuning is to clone the most appropriate policy for your network and your goals and then customize it You c...

Page 44: ...rectly identified events uninteresting to the user Incorrect identification These alerts typically result from overly aggressive signature design special characteristics of the user environment or system bugs For example typical users will never use nested file folders with a path more than 256 characters long however a particular user may push the Windows free style naming to the extreme and crea...

Page 45: ...tions the configured policy includes a lot of Informational alerts or scan alerts which are based on request activities such as the All Inclusive policy deployment links where there is a lot of hostile traffic such as in front of a firewall overly coarse traffic VIDS definition that contains very disparate applications for example a highly aggregated link in dedicated interface mode Users can effe...

Page 46: ...curity Platform 6 0 Determining False Positives 37 Create an Evidence Report within Threat Analyzer with the packet log Be ready to tell Technical Support how often you are seeing the alerts and whether they are ongoing ...

Page 47: ...update failed Critical An attempt to save alerts to the database failed most likely due to insufficient database capacity Ensure that the disk space allocated to the database is sufficient and try the operation again Bootloader upgrade failure Critical The firmware upgrade has failed on the Sensor Debug or reload the firmware on the Sensor Cannot start control channel service certificate Critical ...

Page 48: ...date Server authentication information Communication failure with the proxy server Critical The Manager is unable to communicate with the proxy server This fault can occur only when the Manager is configured to communicate with a proxy server This fault clears when communication to the Update Server through the proxy succeeds Conflict in MDR IP address type Critical Sensor found a conflict with MD...

Page 49: ...age appears once you have exceeded the alert threshold specified in Manager Maintenance Perform maintenance operations to clean the database Delete unnecessary alerts such as alerts older than a specific number of days Failure to create additional space could cause undesirable behavior in the Manager Failed to create command channel association Critical Indicates a failure to create a secure conne...

Page 50: ...l Support to schedule a replacement unit In the meantime you can use an external fan blowing into the front of the Sensor to prevent the Sensor from overheating until the replacement is completed Fail Open Bypass Switch timeout Critical The Sensor is not communicating with the Fail Open Bypass Switch Check external FailOpen kit connections or portpair configuration to restore Inline FailOpen mode ...

Page 51: ...and the Sensor begins to operate in in line fail open mode Incompatible custom attack Critical One or more custom attack definition is incompatible with the current update set Modify any invalid custom attack definition and try again Incompatible UDS signature Critical A user defined signature UDS is incompatible with the current signature set You will need to edit your existing UDS attacks to mak...

Page 52: ...rk Security Platform license has expired Contact licensing mcafee com for a current license This fault clears when the license is current Link failure of Port port name Critical The link between a Monitoring port on the Sensor and the device to which it is connected is down and communication is unavailable The fault indicates which port is affected Contact your IT department to troubleshoot connec...

Page 53: ...o the Sensor This could result from a network connectivity issue Check Manager connection to NSP Check to ensure that the Network Security Platform has the latest software image compatible with the Manager software image If the images are incompatible update the Network Security Platform image via a tftp server Network Security Central Manager UDS signature synchronization failed Critical Port con...

Page 54: ...ween the Sensor and the device to which it is connected The Sensor may be detecting an issue with another device located on the same network link Check to see if there is a problem with one of the other devices on the same link as the Sensor This situation could cause traffic to cease flowing on the Sensor and may require a Sensor reboot Port certification mismatch Critical There is a mismatch in ...

Page 55: ... supply is in place and plugged in to a power source check power to the outlet providing power to the power supply If the fault indicates that there is no power and a power interruption is not the cause replace the failed power supply Contact McAfee Technical Support to schedule a replacement unit Sensor changed to a different model Critical Sensor has been replaced by a different model which does...

Page 56: ...g the shared key values Sensor device license expired Critical Sensor device license expired and may not detect attacks To obtain a permanent license kindly contact Technical Support or your local reseller Sensor discovered with cluster secondary license Critical Sensor discovered with cluster secondary license and must not be connected to Manager directly To obtain a standard license now kindly c...

Page 57: ...S Configuration Guide and submit the trace file to Technical Support for troubleshooting Sensor reboot required for SSL decryption configuration change Critical User configured SSL decryption settings for a particular Sensor changed requiring a Sensor reboot Reboot the Sensor to cause the changes to take effect Sensor re discovery failure Critical This fault occurs as a second part to the Sensor d...

Page 58: ...rom detection mode to Layer 2 Passthru mode This indicates that the Sensor has experienced the specified number of errors within the specified timeframe and Layer 2 mode has triggered The Sensor will remain in Layer 2 mode until it is rebooted Sensor support license expired Critical Sensor support license is expired and may not detect attacks To obtain a permanent license now kindly contact Techni...

Page 59: ...tificate to Sensor Kindly see the log for details Check NSM connection to Network Security Platform Check to ensure that the Network Security Platform has the latest software image compatible with the Manager software image If the images are incompatible update the Network Security Platform image via a tftp server Signature set update not successful Critical The attempt to update the signature set...

Page 60: ...at a connection route between the Manager and the Sensor Temperature error Critical Indicates that the temperature of the Sensor is abnormal The Sensor will raise a temperature alert when the internal temperature of the Sensor crosses 50 degrees Centigrade The fault is removed only when the temperature falls below 40 degrees Centigrade Check for a Fan Status fault and also check the Sensor s front...

Page 61: ...ata If the Manager that has moved to MDR mode is Network Security Central Manager then make the Central Manager which has all the Network Security Manager data as Active or reform MDR If the MDR moved Manager is Network Security Manager then make the Manager which has Central Manager data as active or make sure that active Manager has Central Manager configuration data The Manager Manager name is ...

Page 62: ...gured by Central Manager is in Active mode but is in a disconnected state and therefore cannot communicate with Central Manager If Manager is reconnected and Central Manager is in Standby mode then the Peer Central Manager does not have Manager configuration If the Central Manager server has moved to Standby then the Central Manager with latest Manager information is moved to Active mode or recrea...

Page 63: ...s not have Central Manager configuration Dissolve and recreate an MDR pair The Trust request failed Critical No communication exists between Central Manager and Manager Central Manager may not be configured Manager failed to establish trust with Central Manager server Central Manager could not be configured onto Manager or Central Manager server is not reachable The Manager IP address is not confi...

Page 64: ...d in the following table have a severity of Error Fault Severity Description Cause Action Alert channel is down Error Indicates a failure to communicate with the Sensor via the channel on which the Manager listens for Sensor alerts This fault clears when the alert channel is back up Approaching alert capacity threshold Error Displays the percentage of space occupied by alerts in the database As av...

Page 65: ...ear when the av dat file is successfully pushed to the Sensor SSL decryption key invalid Error The Manager detects that a particular SSL decryption key is no longer valid The detailed reason why the fault is occurring is shown in the fault message These reasons can range from the Sensor re initializing itself with a different certificate to an inconsistency between the decryption key residing on a...

Page 66: ...e Sensor Also see the suggested actions for the alert Unarchived queued alert count full Queue size full Error The Manager packet log queue has reached its maximum size default 200 000 alerts and is unable to process packet logs until there is space in the queue This is evidence of extremely heavy activity Check the packet logs you are receiving to see what is causing the heavy traffic on the Sens...

Page 67: ... Error This fault occurs with any type of Sensor software failure and usually occurs in conjunction with a Software error fault If this fault persists McAfee recommends that you execute a logstat from the Sensor CLI twice 1 minute apart then perform a Diagnostic Trace and submit the trace file to McAfee Technical Support for troubleshooting Sensor reports an anti virus dat file error Error The Sen...

Page 68: ...text of the message contains details This fault does not clear automatically it must be cleared manually Contact McAfee Technical Support for assistance Sensor configuration update failed Error The Sensor configuration update failed to be pushed from the Manager Server to the Sensor Please see ems log file to isolate reason for failure Sensor discovery failure Error The Sensor failed to discover i...

Page 69: ...l Inclusive with Audit which is causing too many alerts packet logs to be sent to the Manager or packet logging is excessive for example packet logging is enabled for entire flow for all alerts Your Manager server may not have sufficient disk space processing power to accommodate the number rate of alerts your Sensors are generating Rectify the situation in your policies and let the queue drain an...

Page 70: ...ver when it detects that the Sensor is up The fault will clear when the Manager is successful Disabled scheduled Report Template Warning Report Generation has failed for Schedule Report Template due to unavailability of resource s in the Manager Edit and save the disabled template in Report Generation Warning Failed to backup Policy Delete previous versions Failed to backup IDS Policy Warning Fail...

Page 71: ...nstall McAfee NAC if you updated the McAfee NAC installation parameters Reinstall McAfee NAC if you updated the McAfee NAC installation related configuration Manager shutdown was not graceful Warning The Manager experienced an abrupt shutdown such as a crash Perform database tuning dbtuning to fix possible database inconsistencies that may have resulted Tuning may take a while depending on the amo...

Page 72: ...ronization aborted because concurrent processes are running on the Manager Server Warning Unable to synchronize policy due to concurrent processes are running on the Manager Server Try again later Signature segments out of sync Warning An attempt to update the signature set on both Sensors of a failover pair was unsuccessful for one of the pair causing the signature sets to be out of sync on the t...

Page 73: ...as risen to 70 on Sensor name, which is above the configured alarm band value threshold of 60, then this type of warning will be generated. Check NSP operation to bring down the metrics below the configured threshold level. up (Warning): The Sensor has just completed booting and is on line. This message is informational. Acknowledge the fault. SSL decryption keys out of sync (Warning): The Manager was unable to up...

Page 74: ... No action required. Custom attack overridden by signature set (Informational): One or more custom attack definitions have been incorporated in a new signature set and have been removed from the Custom Attack Editor. This message is for user information. No action required. Custom attacks successfully saved to the Manager (Informational): One or more custom attack definitions were successfully saved from the Cus...

Page 75: ...ed since the last database tuning. Shut down the Manager and execute the Database Tuning Utility at the earliest. Database archival in progress (Informational): The database archival process is in progress. Do not attempt to tune the database or perform any other database activity, such as a backup or restore, until the archival process successfully completes. Database archival successful (Informational): The ...

Page 76: ... following operations during the tuning process: 1. Viewing/modifying alerts from Threat Analyzer; 2. Generating IDS reports on alerts; 3. Backing up/restoration of all tables OR alert and packet log tables; 4. Archiving alerts and packet logs into files. Database tuning successful (Informational): The database tuning process successfully completed. This message is for user information. No action required. Deleted N...

Page 77: ...ry Manager has latest version (Informational): The two Managers in an MDR configuration must have the same Manager software version installed. The Secondary Manager software is more recent than that of the Primary Manager. Ensure the two Managers run the same software version. Network Security Platform defined UDS overridden by signature set (Informational): A Network Security Platform defined UDS has bee...

Page 78: ...nager/Central Manager is in control of Sensors/Manager (Informational): Manager Disaster Recovery is completed via a manual switchover. Secondary Manager is now in control of Sensors. This message is for user information; no action required. MDR has been cancelled (Informational): Manager Disaster Recovery has been cancelled. This message is for user information; no action required. MDR has been configured (Inf...

Page 79: ...l appear until a Syslog server has been configured for use in forwarding. Manager Request is not from Trusted IP Address (Informational): The Manager Request is not from Trusted IP Address. Ensure the Peer Manager is not already in MDR with other Manager. Packet Log archival in progress (Informational): Manager is archiving the Packet Logs. Kindly wait for the Packet Log a...

Page 80: ...nformational: A Reset to Standalone has been invoked; the Secondary Manager is standalone and is in control of Sensors. This message is for user information; no action required. Reset to standalone is invoked; the Manager/Central Manager is in control of Sensors/Manager (Informational): A Reset to Standalone has been invoked; the current Manager is standalone and in control of Sensors. This message is for us...

Page 81: ...as SQL exceptions, database connectivity problems, or out of disk space errors. Check your backup configuration settings. This fault clears when a successful backup is made. Scheduled signature set download from Update Server to Manager in progress (Informational): A scheduled signature set update is in the process of downloading from the McAfee Update Server to the Manager server. This message is for user...

Page 82: ... This message is for user information. No action required. Sensor configuration update successful (Informational): Sensor configuration update successfully pushed from the Manager server to the Sensor. This message is for user information. No action required. Sensor discovered with license (Informational): Sensor discovered with a license that will expire. Renew the license before it expires. Sensor discovery is in ...

Page 83: ...age is for user information. No action required. Sensor software update is in progress (Informational): A Sensor software update is in the process of being pushed from the Manager Server to the Sensor. This message is for user information. No action required. Sensor software update successful (Informational): Sensor software update is successfully pushed from the Manager Server to the Sensor. This message is for ...

Page 84: ... Syslog Forwarder is not configured for the Admin Domain Admin Domain Name to accept the ACL logs (Informational): ACL logging is enabled but no Syslog server has been configured to accept the log messages. Configure a Syslog server to receive forwarded ACL logs. The Sensor to Manager communication IP does not match the peer Manager's peer IP configured in the MDR set up (Informational): The Sensor to ...

Page 85: ...tion in progress (Informational): Weekly scheduled report generation process in progress. This message is for user information. No action required. Other faults: IPS Quarantine. In the case of IPS Quarantine, an error message is raised when the number of quarantine rules exceeds the permitted limit. The Sensor raises a fault message to the Manager when the number of quarantine rules exceeds the maximum permi...

Page 86: ... and port connection not unique. Use a different IP address and port number. RADIUS server host IP address/host name is required. Field cannot be blank. Enter a valid host name/IP address. Shared Secret key is unique in case of RADIUS server. Field cannot be blank. Enter a valid host name/IP address. RADIUS server host IP address/host name cannot be resolved as entered. Invalid host name/IP address. Enter a...

Page 87: ...ame/IP address. Enter a valid host name/IP address. LDAP Connection Successful: LDAP server is up and running. LDAP server is up and running. LDAP Connection Failed: Network failure, congestion at servers, or LDAP server not available. Try after some time; check IP address. No LDAP server configured: No server available. Configure at least one LDAP server. The table lists the error messages displayed in the User...

Page 88: ...tabase information containing all Network Security Platform configuration information. Configuration files: XML and property files within the Network Security Platform config directory. Fault log: A table in the Network Security Platform database that contains generated fault log messages. Sensor Trace: A file containing various McAfee Network Security Sensor (Sensor) related log files. Compiled Signature ...

Page 89: ...nfoCollector. To use InfoCollector, follow these steps: 1. After you run InfoCollector, do one of the following. If McAfee provides you with a definition file: (i) After you run InfoCollector, open the File menu and click Open Definition. (ii) Select the definition file that McAfee sent you via email and click Select. If McAfee instructs you to select InfoCollector checkboxes: (iii) After you run InfoCollector, sel...

Page 90: ...omatically. It does not restart the Manager if the Manager has been shut down intentionally. How the Manager Watchdog Works: Manager Watchdog runs as a separate process and monitors Manager through the Windows OS Services model. Manager Watchdog polls Manager every 10 seconds. If the Manager Watchdog does not detect the Manager during a polling period, it waits 30 seconds and then restarts the Manager s...

Page 91: ...ct Action: Stop. Using Manager Watchdog with Manager in an MDR configuration: When using Manager Watchdog on a Manager that is part of an MDR configuration, consider whether you want the Manager Watchdog to restart the Manager before failover can occur. If so, you must ensure that the value set for the MDR setting Downtime Before Switchover is greater than the Manager Watchdog setting of 30 seconds. Thi...

Page 92: ...rm Manager Service is starting. SERVER STDOUT: The Network Security Platform Manager Service was started successfully. SERVER STDOUT SERVER STDOUT. If the Manager Watchdog fails after five attempts to restart Manager, the following line will appear in the log file: SERVER STDOUT: Failed to restart Manager after five attempts. Exiting. ...

Page 93: ...e Network Security Platform. KB38003 / KB55449: Listing of McAfee Network Security Platform's response to high profile public vulnerabilities. KB38004 / KB55450: How to request coverage for a threat that isn't already covered. KB38005 / KB55451: List of all McAfee Recommended for Blocking (RFB) attacks. KB37553 / KB55318: Sensor heat dissipation rates (BTUs per hour). KB37773 / KB60660: Verifying MySQL Database Tables. KB...

Page 94: ...64: 3rd Party Recommended Hardware for Sensors. KB61131: Error "Download Failed, Reason 42"; Sensor fails to apply new updates internally; Sensor signature updates fail. KB65523: Network Security Platform Release Notes Master List. NAI32011 / KB59347: Sensor is reporting false DOS attacks; a new network device is added and the Sensor is now reporting DOS attacks. NAI32008 / KB59344: Recover the password for the Manager ...

Page 95: ...false positives 38. H: hardening the ISM server 7; hardening the MySQL installation 7. I: InfoCollector tool 86; informational faults 69. M: management port configuration 18; MySQL issues 36. O: other faults 82. P: problems with sensor reboot 27, 28. R: rolling back changes 10. S: sensor failover status 26; system health 25. T: technical support x. W: Watchdog 89 ...