Revision J McAfee Network Security Platform 8.1 (Troubleshooting Guide)



COPYRIGHT

Copyright © 2018 McAfee, LLC

TRADEMARK ATTRIBUTIONS
McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

2 McAfee Network Security Platform 8.1


Contents

Preface
  About this guide
    Audience
    Conventions
  Find product documentation

1 Troubleshooting Network Security Platform
  Before you start troubleshooting
  Simplifying troubleshooting
  Issues and status checks for the Sensor
    Health check of a Sensor
    Failover status check of a Sensor
    Signature or software update status
    Download or upload status
    Check the traffic status of a Sensor
    Conditions requiring a Sensor reboot
    Sensor does not boot
    Sensor stays in bad health
    Debugging critical Sensor issues
    Sensor response if its throughput is exceeded
    Sensor latency monitor management
    Management of different types of traffic
    Sensor failover issues
    XC cable connection issues for M8000 Sensors
    XC cable connection issues for NS9300 Sensors
    External fail-open kit issues in connecting to the monitoring port
    Fail-open kit related issues
    Debugging issues with Connection Limiting policies
    Issues with Quarantine

  Issues and status checks for the Manager
    The Manager connectivity to the database
    MySQL issues
    Sensor not displayed in the resource tree
    The Manager fails to start
    The Manager interface does not work after JRE update
    Message on loading the Manager does not disappear
    Unable to log on to the Manager after typing credentials
    Sections of the interface that do not load properly
    Prompt appears in Threat Analyzer to open or save a JNLP file
    Login button does not work
    When using Internet Explorer 9 Real Time Threat Analyzer file download gets into a loop
    The Manager client is unable to contact the Manager server when launching the Real Time Threat Analyzer
    Real Time Threat Analyzer has strange behavior
    Real Time Threat Analyzer security warning box keeps popping up


    Threat Analyzer UI stuck at downloading maps
    Many options are grayed out in Threat Analyzer menu
    Unable to get alerts in Historical Threat Analyzer
  Issues and status checks for the Sensor and Manager in combination
    Difficulties connecting Sensor and Manager
    Loss of connectivity between the Sensor and Manager
    DoS troubleshooting
  Issues and status checks for the Sensor and other devices in combination
    Connectivity issues between the Sensor and other network devices
  Integration Scenarios
    Global Threat Intelligence - API Overload
    ePO - Connection failure
    Vulnerability Manager - Connectivity issues
    Vulnerability Manager - Certificate Sync and FC Agent issues
    Logon Collector - Integration issues

2 Performance issues
  Sniffer trace
  Data link errors
    Half-duplex setting
    Full-duplex setting

3 Determine false positives
  Reduce false positives
  Tune your policies
    False positives and noise
    Determine a false positive versus noise

4 System fault messages
  Manager faults
    Manager critical faults
    Manager error faults
    Manager warning faults
    Manager informational faults
  Sensor faults
    Sensor critical faults
    Sensor error faults
    Sensor warning faults
    Sensor informational faults
  NTBA faults
    NTBA critical faults
    NTBA error faults
    NTBA warning faults
    NTBA informational faults

5 Error messages
  Error messages for RADIUS servers
  Error messages for LDAP server

6 Troubleshooting scenarios
  Network outage due to unresolved ARP traffic
  Delay in alerts between the Sensor and Manager
  Sensor-Manager Connectivity Issues
  Wrong country name in IPS alerts
  Wrong country name in ACL alerts


7 Using the InfoCollector tool
  Introduction
  How to run the InfoCollector tool
  Using InfoCollector tool

8 Automatically restarting a failed Manager with Manager Watchdog
  Introduction
  How the Manager Watchdog works
  Install the Manager Watchdog
  Start the Manager Watchdog
  Use the Manager Watchdog with Manager in an MDR configuration
  Track the Manager Watchdog activities

9 Utilizing the McAfee KnowledgeBase

Index


Preface

This guide provides the information you need to configure, use, and maintain your McAfee product.

Contents
About this guide
Find product documentation

About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Users — People who use the computer where the software is running and can access some or all of its features.

Conventions
This guide uses these typographical conventions and icons.

Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.

Bold: Text that is strongly emphasized.

User input, code, message: Commands and other text that the user types; a code sample; a displayed message.

Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.

Hypertext blue: A link to a topic or to an external website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardware product.


Find product documentation
After a product is released, information about the product is entered into the McAfee online Knowledge Center.

Task
1 Go to the McAfee ServicePortal at http://support.mcafee.com and click Knowledge Center.

2 Enter a product name, select a version, then click Search to display a list of documents.


1 Troubleshooting Network Security Platform

This section lists some troubleshooting tips for McAfee® Network Security Platform.

Contents
Before you start troubleshooting
Simplifying troubleshooting
Issues and status checks for the Sensor
Issues and status checks for the Manager
Issues and status checks for the Sensor and Manager in combination
Issues and status checks for the Sensor and other devices in combination
Integration Scenarios

Before you start troubleshooting
Before you get too deep into troubleshooting techniques, it is a good practice to consider the following questions:

• Were there physical changes to your network that occurred recently?

• If another device is placed in the Sensor's position, does that device receive traffic?

• If the Sensor is in L2 mode, are your network's services still affected?

• Are you using approved McAfee GBICs, SFPs, or XFPs with your Sensor? (For a list of approved hardware, see McAfee KnowledgeBase article KB56364. Go to http://mysupport.mcafee.com/Eservice/ and click Search the KnowledgeBase.)


Simplifying troubleshooting
When an in-line device experiences problems, most people's instinct is to physically pull it out of the path; to disconnect the cables and let traffic flow unimpeded while the device can be examined elsewhere. McAfee recommends you first try the following techniques to troubleshoot a McAfee Network Security Sensor (Sensor) issue:

• All Sensors have a Layer2 Passthru feature. If you feel your Sensor is causing network disruption, before you remove it from the network, issue the following command:

layer2 mode assert

This pushes the Sensor into Layer2 Passthru (L2) mode, causing traffic to flow through the Sensor while bypassing the detection engine. Check to see whether your services are still affected; if they are, then you have eliminated certain Sensor hardware issues; the problem could instead be a network issue or a configuration issue. (The layer2 mode deassert command pushes the Sensor back to detection mode.)

• McAfee recommends that you configure Layer2 Passthru Mode on each Sensor. This enables you to set a threshold on the Sensor that pushes the Sensor into L2 bypass mode if the Sensor experiences a specified number of errors within a specified time frame. Traffic then continues to flow directly through the Sensor without passing to the detection engine.

• Connect a fail-open kit, which consists of a bypass switch and a controller, to any GE monitoring port pairs on the Sensor. If a kit is attached to the Sensor, disabling the Sensor ports forces traffic to flow through the bypass switch, effectively pulling the Sensor

• For FE monitoring ports, there is no need for the external kit. Sensors with FE ports contain an internal tap; disabling the ports will send traffic through the internal tap, providing fail-open functionality.

Note that the Sensor will need to reboot to move out of L2 mode only if the Sensor entered L2 mode because of internal errors. (It does not need a reboot if the layer2 mode assert command was used to put the Sensor into L2 mode.)

A Sensor reboot breaks the link connecting the devices on either side of the Sensor and requires the renegotiation of the network link between the two devices surrounding the Sensor.

Depending on the network equipment, this disruption should range from a couple of seconds to more than a minute with certain vendors' devices. A very brief link disruption might occur while the links are renegotiated to place the Sensor back in in-line mode.

Issues and status checks for the Sensor
This section describes all issues and status checks specific to the Sensor.

Contents
Health check of a Sensor
Failover status check of a Sensor
Signature or software update status
Download or upload status
Check the traffic status of a Sensor
Conditions requiring a Sensor reboot
Sensor does not boot
Sensor stays in bad health
Debugging critical Sensor issues
Sensor response if its throughput is exceeded
Sensor latency monitor management
Management of different types of traffic
Sensor failover issues
XC cable connection issues for M8000 Sensors
XC cable connection issues for NS9300 Sensors
External fail-open kit issues in connecting to the monitoring port
Fail-open kit related issues
Debugging issues with Connection Limiting policies
Issues with Quarantine

Health check of a Sensor
To see if your Sensor is functioning correctly, do one of the following:

On the Sensor:

• At the command prompt, type status. This displays system status (such as Operational Status, system initialization, signature version, trust, channel status, alert counts, and so on). The Sensor should be initialized and in good health.

• At the command prompt, type show. This displays configuration information (such as Sensor image version, type, name, Manager and Sensor IP addresses, and so on).

On the Manager:

• In the Manager Home page, view the Operational Status section. Manager status should be UP, and Sensor status should be ACTIVE.

If you see system faults indicating that the Manager is down, see System Fault Messages to interpret the fault and, if necessary, take action to clear the fault.

Pinging a Sensor
The Sensor Management port responds to only 20 pings per second. This limited rate prevents the Sensor from being susceptible to a ping flood. To ping a Sensor Management port from multiple hosts, increase the time interval between pings so that the combined rate stays below the limit. Pings above that rate are simply not answered, so apparent packet loss from a fast or multi-host ping is not by itself evidence of a connectivity problem.

Failover status check of a Sensor
To ensure that two Sensors comprising a failover pair are communicating via their interconnection cable, go to each Sensor's CLI and type show failover-status. Failover should display as enabled (YES), and the peer Sensor should display as UP.

Cable failover through a network device
Do not connect the heartbeat cable through an external network device.

To keep overhead low and throughput high, the Sensors do not include layer 2 or 3 headers on the packets they pass over the heartbeat connection, and they pass data larger than the standard Ethernet maximum frame size (1518 bytes).

If you attempt to place a network device, such as a switch or router, between the heartbeat ports, the heartbeat connection will fail.

Signature or software update status
To see if your Sensor successfully received a signature update or software upgrade, you can use the status command as shown in the following procedure, or the downloadstatus command, described later in this chapter.

To use the status command:


Task
1 On the Sensor, type status at the command prompt before updating the signature set on the Sensor. Note the signature version.

2 Update the signature set on the Sensor using the Manager screens.

3 On the Sensor, again type status at the command prompt after the update from the Manager is complete. Verify that the signature version number has incremented. The new signature version should match the signature set version that has been updated from the Manager and applied to the Sensor.

Download or upload status
To see the progress of an upload or download, use the downloadstatus command.

The downloadstatus command displays the status of various download/upload operations: signature, software image, and DoS profile downloads (from Manager to Sensor) and DoS profile and debug trace uploads (from Sensor to Manager). It also lists the number of times you have performed the operation, the status of your previous attempt to perform the operation (including, if the operation failed, the cause of failure), and the time the command was executed.

Do the following:

On the Sensor, type downloadstatus at the command prompt.

Check the traffic status of a Sensor
Sensor statistics can be viewed in the Threat Analyzer by creating a new dashboard and choosing monitors that display different types of Sensor statistics. Sensor Flow Statistics, IP Spoofing Statistics, Packet Drop Statistics, Port Packet Drop Statistics, and Rate Limiting Statistics are the monitors available.

Task
1 Click Options | Dashboard | New to open the Create New Dashboard dialog.

2 Enter a name for the new dashboard in the Create New Dashboard dialog.

3 Click Assign Monitor to view the Assign Monitor dialog.

4 Select the Assign an existing Monitor radio button.

5 Select Default Monitors against Category (these are the default choices).

6 Select Sensor Performance against Type to view the choice of monitors for Sensor Performance in the Monitor choices box.

7 Select Statistics - Flows and click OK.

8 Select the Sensor for which you want to view flow statistics.

9 Click Refresh to view the flow statistics for the selected Sensor.

10 Follow a similar procedure and select other monitors for Sensor Performance to view the relevant Sensor statistics.


List of Monitors for Sensor Statistics

• Sensor Flow Statistics: Statistical view of the TCP and UDP flow data processed by a Network Security Sensor. Checking your flow rates can help you determine if your Sensor is processing traffic normally, while also providing you with a view of statistics such as the maximum number of flows supported as well as the number of active TCP and UDP flows.

• IP Spoofing Statistics: Statistics on the number of IP spoofing attacks detected by McAfee® Network Security Platform. Statistics are displayed per direction.

• Packet Drop Statistics: Packet drop rate on a Sensor. The statistics are displayed on a per-Sensor basis and include the number of packets dropped by the Sensor due to the rate limiting set on the Sensor and due to sanity check failures.

• Port Packet Drop Statistics: Packet drop rate on a port.

• Rate Limiting Statistics: Rate limiting statistics provide the estimated number of packets dropped and bytes dropped by the McAfee Network Security Sensor (Sensor). You can view rate limiting statistics for each Sensor (per port), listed in the resource tree of the Manager.

Conditions requiring a Sensor reboot
The following situations either cause or require a Sensor reboot. You have two options for rebooting the Sensor. You can reboot the Sensor from the Manager interface, or you can issue the reboot CLI command.

A Sensor reboot can take up to five minutes.

• Issuing the following CLI commands causes an automatic reboot of the Sensor:

• resetconfig

• deletesignatures

• factorydefaults

For more information on the Sensor CLI commands, see McAfee Network Security Platform CLI Guide.

• Changing the Sensor's management port IP address (IPv4 or IPv6) requires a manual reboot of the Sensor before the change takes effect.

• Certain internal software errors can cause the Sensor to reboot itself. See the description of Sensor fault messages in System fault messages later in this guide. For more information on the Operational Status Viewer, see the McAfee Network Security Platform Manager Administration Guide.

• Enabling/disabling SSL requires a Sensor reboot.

• Enabling/disabling parsing and detection of attacks in IPv6 traffic passing through the Sensor monitoring port requires a manual reboot of the Sensor.

In the Manager user interface, you can enable/disable parsing and detection of attacks in IPv6 traffic with the Scan IPv6 traffic for attacks option from the IP Settings tab (IPS Settings/<Device_Name> | Advanced Scanning | IP Settings). For more information, see Configuring IP Settings for IPv4 and IPv6 traffic in the McAfee Network Security Platform IPS Administration Guide.

• Upgrading Sensor software requires a manual reboot of the Sensor.

Reboot a Sensor using the Manager
The Reboot Sensor action restarts a Sensor. You perform this action in the Manager interface.


To reboot a Sensor, do the following:

Task
1 Select <Admin_Domain_Name> | Device List | <Device_Name> | Physical Device | Reboot.

2 Click Reboot Now.

Reboot a Sensor using the reboot command
The reboot command restarts a Sensor. You perform this action in the Sensor CLI:

Task
1 At the prompt, type:

reboot

2 Confirm reboot.

Sensor does not boot
If you cannot get the Sensor to boot, try the following:

• Check to ensure that the Sensor is powered on. Check the LEDs on the front of the Sensor.

• Check the front panel LEDs to ensure that the Sensor temperature is normal. For more information on Sensor LEDs, see the McAfee Network Security Platform Sensor Product Guide for your Sensor model.

• If you receive the error message "OS not found" in the CLI, you might have a corrupted internal flash. If you see this error, contact Technical Support to obtain help in recovering the Sensor.

Sensor stays in bad health
In certain instances, the Sensor stays in a bad or uninitialized health state indefinitely. The bad health of the Sensor could be due to a signature file download failure, or to an error while starting the Sensor.

You can perform the following high-level troubleshooting steps to trace the error:

1 Execute the following commands and check the output for any errors:

• show

• status

• show sensor health

• show startup stats

2 Check if the hardware is connected correctly.

3 Check the InfoCollector tool for logs and the configuration backup.

4 Check if the issue is due to a signature file download failure. If it is, contact McAfee Support for further assistance.


5 Execute the show startup stats debug CLI command and check the output for any errors. In the following example output, three datapaths have not sent INIT_DONE and no component has yet sent READY, so the controller cannot complete initialization; the components listed as "has not sent" are the ones to chase:

IntruDbg#> show startup stats
Controller not ready to send INIT_ACKs to datapaths and dos.
initial READY msg : not yet received from datapaths and dos
dos has sent INIT_DONE.
datapath0 has not sent INIT_DONE.
datapath1 has sent INIT_DONE.
datapath2 has not sent INIT_DONE.
datapath3 has not sent INIT_DONE.
datapath4 has sent INIT_DONE.
datapath5 has sent INIT_DONE.
datapath6 has sent INIT_DONE.
datapath7 has sent INIT_DONE.
dos has not sent READY.
datapath0 has not sent READY.
datapath1 has not sent READY.
sb1cpu0 has not sent READY.
sb1cpu1 has not sent READY.
sb2cpu0 has not sent READY.
sb2cpu1 has not sent READY.
sb3cpu0 has not sent READY.
sb3cpu1 has not sent READY.

6 Try to power cycle or netboot or reload the Sensor image.

7 Check if the issue is due to corrupt flash. Execute the flashcheck debug CLI command and confirm that the output does not have any errors. Note that the Sensor stops inspecting traffic for the duration of the check, as the command itself warns:

Checking Flash may take more than 15 minutes and Sensor will go into Layer2 during command execution.
Please enter Y to confirm:
Checking Flash....
Flash check successful. No errors in Flash

If the problem still persists, contact McAfee Support for further assistance.
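The show startup stats output in step 5 is twenty lines of "has sent"/"has not sent" that are easy to misread on a console. The following is an added example (it is not McAfee code and not part of this guide) that parses the line shapes shown in that sample and separates the components still missing INIT_DONE from those missing READY. The only format it assumes is the one visible in the sample above; every other line is returned as unparsed so nothing is silently dropped.

```python
"""Triage helper for the Sensor CLI 'show startup stats' output.

Added example, not McAfee code. It understands only the line shapes shown
in the sample output in this guide:
    <component> has sent INIT_DONE.
    <component> has not sent READY.
Anything else (the prompt echo, the controller summary lines) is returned
separately rather than ignored.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One status line: "<component> has [not ]sent <INIT_DONE|READY>."
STATUS_LINE = re.compile(
    r"^(?P<comp>[A-Za-z0-9_]+) has (?P<neg>not )?sent (?P<msg>INIT_DONE|READY)\.?$"
)


@dataclass
class Component:
    name: str
    init_done: Optional[bool] = None  # None: no INIT_DONE line seen for it
    ready: Optional[bool] = None      # None: no READY line seen for it


def parse_startup_stats(text: str) -> Tuple[Dict[str, Component], List[str]]:
    """Return {component name: Component} plus the lines that did not parse."""
    comps: Dict[str, Component] = {}
    unparsed: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATUS_LINE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        comp = comps.setdefault(m["comp"], Component(m["comp"]))
        sent = m["neg"] is None
        if m["msg"] == "INIT_DONE":
            comp.init_done = sent
        else:
            comp.ready = sent
    return comps, unparsed


def stuck_components(comps: Dict[str, Component]) -> Tuple[List[str], List[str]]:
    """Split the blockers by start-up phase: components that explicitly have
    not sent INIT_DONE, and components past INIT_DONE (or that never report
    it, like the sb*cpu* entries) that have not sent READY."""
    no_init = sorted(c.name for c in comps.values() if c.init_done is False)
    no_ready = sorted(
        c.name for c in comps.values()
        if c.init_done is not False and c.ready is False
    )
    return no_init, no_ready


def is_fully_up(comps: Dict[str, Component]) -> bool:
    """True only when every component reported both INIT_DONE and READY."""
    return bool(comps) and all(c.init_done and c.ready for c in comps.values())


# Constructed sample: the output reproduced in step 5 of this guide.
SAMPLE = """\
IntruDbg#> show startup stats
Controller not ready to send INIT_ACKs to datapaths and dos.
initial READY msg : not yet received from datapaths and dos
dos has sent INIT_DONE.
datapath0 has not sent INIT_DONE.
datapath1 has sent INIT_DONE.
datapath2 has not sent INIT_DONE.
datapath3 has not sent INIT_DONE.
datapath4 has sent INIT_DONE.
datapath5 has sent INIT_DONE.
datapath6 has sent INIT_DONE.
datapath7 has sent INIT_DONE.
dos has not sent READY.
datapath0 has not sent READY.
datapath1 has not sent READY.
sb1cpu0 has not sent READY.
sb1cpu1 has not sent READY.
sb2cpu0 has not sent READY.
sb2cpu1 has not sent READY.
sb3cpu0 has not sent READY.
sb3cpu1 has not sent READY.
"""

if __name__ == "__main__":
    comps, other = parse_startup_stats(SAMPLE)
    no_init, no_ready = stuck_components(comps)
    print("fully up:    ", is_fully_up(comps))
    print("no INIT_DONE:", ", ".join(no_init) or "-")
    print("no READY:    ", ", ".join(no_ready) or "-")
    for line in other:
        print("unparsed:    ", line)
```

Paste the real command output in place of SAMPLE (or pipe it on stdin after a small change) and include the two lists in the information you send to McAfee Support; a component that is missing INIT_DONE is a different problem from one that finished initialization but never signalled READY.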

Debugging critical Sensor issues
CLI commands in the debug mode are used to improve supportability of the Sensor for better debugging of critical issues. For more information on the CLI debugging commands, see the McAfee Network Security Platform CLI Guide.


Sensor response if its throughput is exceeded
Each Sensor model has a limited throughput. For example, the Network Security Platform M-2950 Sensor is rated at 1 Gbps performance. With the Gigabit interfaces it is theoretically possible to cross the limit. What happens in this situation? Will it throttle the throughput to 1 Gbps, or will you just lose the IPS functionality for everything above 1 Gbps?

The answer is that the Sensor will drop packets, irrespective of the TCP flow violation settings. There is also the latency monitor feature, where the Sensor can inline-forward traffic without IPS inspection if it crosses the limit. There could also be false negatives, and the traffic might experience high latency.

It is very important that you stay within the operating parameters of the device you deploy. If you are actually running at gigabit speeds, you should probably be running an M-3050, M-4050, M-6050, M-8000, NS9100, NS9200, or NS9300 Sensor, all of which have a much higher throughput.

Sensor latency monitor management

All networks working from layer 2 through layer 7 experience some amount of latency. The latency monitor provides a means to reduce latency introduced by the Sensor when the amount of traffic seen on the network substantially exceeds the Sensor capacity. Sensor latency can be due to various factors such as the policies configured, protocols, content, applications, the type of traffic flowing through the Sensor, and so on. The Inspection Options policies configured also add to the latency. The following features consume Sensor resources and so add latency:

• HTTP Response Traffic Scanning

• Traffic Inspection

• Advanced Botnet Detection

• Advanced Malware Policies

• SSL decryption

If Sensors detect the latency condition, the latency can be reduced or varied. Whenever there is latency, the Sensor performs the following functions:

• Raises an alert in the Manager whenever there is latency in processing the packets

• Mitigates latency by switching to layer 2 mode

Latency monitor is available in all M-series and NS-series Sensor models.

When configured, the latency monitor measures the time consumed for processing packets. If the number of packets whose processing time is high exceeds the threshold, the condition is treated as latency. You can configure the latency monitor in alert-only mode or layer 2 mode. When latency is detected, in alert-only mode an alert is raised in the Manager; if mitigation is configured, the latency is mitigated before the alert is raised in the Manager.

The latency monitor is disabled by default. Enable it only when the Sensor is introducing latency in the network. If the feature is kept enabled, some attacks may not be detected by the Sensor, because mitigation forwards traffic without inspection.

To mitigate latency, the Sensor switches to layer 2 mode based on the configured sensitivity level. This takes less than a second after latency is detected. After latency is mitigated, the Sensor switches back to inline mode after the time configured with the CLI command latency-monitor restore-inline. For example, if latency-monitor restore-inline is configured for 10 minutes, the Sensor tries to switch back from layer 2 to inline mode after 10 minutes.

If the Sensor is not configured to return to inline mode automatically, you must restore it manually from layer 2 mode to inline mode using the CLI command latency-monitor restore-inline.


Network Security Platform provides latency monitoring at three sensitivity levels. The configured sensitivity level checks for latency in two stages:

Stage 1

• High sensitivity — Checks for latency in every incoming packet before processing.

• Medium sensitivity — Checks for latency in every alternate packet before processing.

• Low sensitivity — Does not check for latency.

In the above scenarios, if latency is not detected, the packets are forwarded for further processing to stage 2.

Stage 2

Once latency is detected, the packets are processed through multiple phases that take optimized measures internally to handle high latency. If latency is mitigated by this process, the Sensor returns to normal processing. If latency is not mitigated, the Sensor switches to layer 2 mode, if configured.

The time consumed for processing each packet is measured while the packet is being processed by the Sensor. Latency is evaluated from the following parameters:

• Number of packets for which the latency is high

• Duration for which this latency condition persists

The duration for which the latency condition is monitored depends on the configured sensitivity level. Latency is detected based on the following sensitivity-level thresholds:

• High: if high latency is experienced for 1/6th of a second for every 50 packets

• Medium: if high latency is experienced for 2/6th of a second for every 100 packets

• Low: if high latency persists for 3/6th of a second for every 150 packets

When latency is detected, the Sensor switches to latency management mode and tries to mitigate latency by optimizing its processing. In this mode, the situation is continuously monitored to check whether the latency is mitigated. Optimization may include turning off attack detection, so that packets are forwarded without attack detection. If latency is not mitigated even after the optimization processes run, the Sensor switches to layer 2 mode, if enabled.

The following CLI commands for Oversubscription are deprecated:

• set oversubscription enable

• set oversubscription disable

• show oversubscription status

McAfee recommends that you use latency monitoring instead.

Enable latency monitor

You can use the following CLI commands to enable the latency monitor, set its sensitivity level, and check its status:

latency-monitor enable action

Enables latency monitoring in the Sensor and also specifies the action to be performed if high latency is observed in the Sensor.


The following are the actions that can be specified in this command:

• alert-only (generates an alert when a high latency is observed in the Sensor)

• put-in-layer2 (generates an alert and also forwards the traffic to layer 2).

Alerts that are generated can be seen in the System faults page in the Manager.

Syntax:

latency-monitor enable action <alert-only | put-in-layer2>

This command must be executed with a parameter value; otherwise the command is treated as invalid.

If the put-in-layer2 action (shown as layer2-forward in the status output) is configured, layer 2 mode must be enabled on the Sensor. Otherwise the action is not executed.

Example:

latency-monitor enable action alert-only

latency-monitor sensitivity-level

Configures the sensitivity level for latency management.

Syntax:

latency-monitor sensitivity-level high

latency-monitor sensitivity-level medium

latency-monitor sensitivity-level low

latency-monitor restore-inline

When high latency is observed on the Sensor and the latency monitor is configured, the Sensor remains in layer 2 until a layer 2 mode deassert is invoked or the Sensor reboots. This command allows the Sensor to come out of layer 2 mode without a layer 2 deassert. The Sensor is restored from layer 2 to inline if the following conditions are met:

• The latency monitor has put the Sensor in layer 2 mode.

• The Sensor is in good health. If the Sensor is in bad health, a deassert cannot be performed and the Sensor reboots.

• The time configured with this command has elapsed since the Sensor went into layer 2 due to latency. The default time to trigger an automatic layer 2 deassert is 10 minutes.

If the latency continues to exist after the Sensor is restored to inline mode, the Sensor behaves according to thecurrent setting of the latency monitor.

Syntax:

latency-monitor restore-inline enable <10-60>

latency-monitor restore-inline disable

Parameter   Description

<10-60>     The time in minutes after which the Sensor is restored inline from layer 2, counted from the time the Sensor moved into the layer 2 state due to high latency.

The latency-monitor status command displays the status of the latency monitor feature and of its restore-inline feature.


latency-monitor

Disables the latency monitoring feature or displays the status of latency monitoring feature.

Syntax:

latency-monitor <disable | status>

Default Value:

The latency monitoring feature is disabled by default. When disabled, it neither generates an alert nor forwards the traffic to layer 2 when high latency is observed.

If latency monitoring is enabled, the following information is displayed.

• latency monitoring status (enable or disable)

• configured action (alert-only or layer2-forward)
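The behaviour described in this section (the per-sensitivity thresholds, the alert-only versus put-in-layer2 action, and the restore-inline timer) as a small Python model. This is an added illustration, not McAfee code or the Sensor's actual implementation: reading each threshold as "the summed processing time of a window of N packets exceeds the budget" is an assumption, the Sensor's stage 2 optimization phases are not modelled, and the packet timings fed in are constructed.

```python
"""Added illustration of the Sensor latency monitor described above (not McAfee code).

Assumptions: the guide's thresholds are read as "the summed processing time of a window
of N packets exceeds the budget"; the Sensor's internal optimization phases (stage 2)
are not modelled, only detection, the configured action, and the restore-inline timer."""
from dataclasses import dataclass, field
from typing import List, Optional

# Thresholds quoted in the guide: (packets per window, seconds of high latency).
SENSITIVITY = {
    "high": (50, 1 / 6),
    "medium": (100, 2 / 6),
    "low": (150, 3 / 6),
}


@dataclass
class LatencyMonitor:
    action: str = "alert-only"                  # latency-monitor enable action <alert-only | put-in-layer2>
    sensitivity: str = "medium"                 # latency-monitor sensitivity-level <high | medium | low>
    restore_inline_minutes: Optional[int] = 10  # latency-monitor restore-inline enable <10-60>; None = disable
    mode: str = "inline"                        # "inline" = inspecting, "layer2" = forwarding uninspected
    events: List[str] = field(default_factory=list)
    _window: List[float] = field(default_factory=list)
    _layer2_since: Optional[float] = None

    def process_packet(self, now: float, processing_time: float) -> None:
        """Account for one packet: `now` in seconds, `processing_time` is the Sensor's cost for it."""
        if self.mode == "layer2":
            self._check_restore(now)
            return
        pkts, budget = SENSITIVITY[self.sensitivity]
        self._window.append(processing_time)
        if len(self._window) < pkts:
            return
        total = sum(self._window)
        self._window.clear()
        if total > budget:
            self._latency_detected(now, total)

    def _latency_detected(self, now: float, total: float) -> None:
        # Both actions raise an alert in the Manager (System faults page).
        self.events.append(f"t={now:.1f}s alert: high latency ({total:.3f}s per window)")
        if self.action == "put-in-layer2":
            self.mode = "layer2"
            self._layer2_since = now
            self.events.append(f"t={now:.1f}s Sensor switched to layer 2")

    def _check_restore(self, now: float) -> None:
        # restore-inline disabled: the Sensor stays in layer 2 until restored manually or rebooted.
        if self.restore_inline_minutes is None or self._layer2_since is None:
            return
        if now - self._layer2_since >= self.restore_inline_minutes * 60:
            self.restore_inline(now)

    def restore_inline(self, now: float) -> None:
        """Return to inline inspection (automatic timer, or the manual CLI restore-inline)."""
        self.mode = "inline"
        self._layer2_since = None
        self._window.clear()
        self.events.append(f"t={now:.1f}s Sensor restored to inline")


def simulate(monitor: LatencyMonitor, per_packet_cost: float, packets: int,
             start: float = 0.0) -> LatencyMonitor:
    """Feed `packets` back-to-back packets that each cost `per_packet_cost` seconds (constructed load)."""
    for i in range(packets):
        monitor.process_packet(start + i * per_packet_cost, per_packet_cost)
    return monitor


if __name__ == "__main__":
    # Constructed scenario: 4 ms per packet exceeds the medium budget (2/6 s per 100 packets).
    m = simulate(LatencyMonitor(action="put-in-layer2", sensitivity="medium"), 0.004, 100)
    m.process_packet(700.0, 0.004)  # more than 10 minutes later: automatic restore to inline
    print("\n".join(m.events))
```

The model makes the operational caveat visible: with put-in-layer2 and restore-inline disabled, the Sensor stays uninspected until someone runs latency-monitor restore-inline, which is why the guide recommends keeping the feature off unless the Sensor is the source of latency.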

Management of different types of traffic

Non-Ethernet frames are forwarded without inspection.

The following are the types of special traffic:

• Jumbo Ethernet frames

• ISL frames

See also: Jumbo ethernet frames on page 19; ISL frames on page 19.

Jumbo ethernet frames

Sensors respond differently to jumbo frames based on which ports receive them. Inspection of jumbo frames is available only on M-3050, M-4050, M-6050, and M-8000 Sensors.

• 10/100 (FE) ports: Jumbo frames are not supported. When a 10/100 port receives a jumbo frame, the frame is dropped.

• 1000 (GE) port: The frame is passed through the Sensor, but is not subjected to IPS inspection.

ISL frames

All McAfee Network Security Sensor (Sensor) models, running all Sensor software versions, pass ISL frames through the Sensor without IPS inspection.

Sensor failover issues

Checking the following connections and settings might resolve Sensor failover issues.

• The Sensor model and Sensor image version on both the peer Sensors should be the same.

• The Sensor license and IPv6 status should be identical on the peer Sensors.

• Identify the interconnect port for the selected model, because the interconnect ports vary between models.

• Check the FO type setting on the Sensor. Failover creation fails if the FO type is set on the primary Sensor.

• The Sensor health status should be good and normal.


XC cable connection issues for M8000 Sensors

XC cable connection issues can occur in M8000 Sensors due to improper cabling of the XFP interconnect ports (XC2, XC3, XC5 and XC6).

Check the following connections on the M8000 Sensors when facing such issues.

• One end of an LC-LC fiber-optic cable should be plugged into the XC2 port of the primary Sensor and the other end into the XC5 port of the secondary Sensor.

• One end of an LC-LC fiber-optic cable should be plugged into the XC3 port of the primary Sensor and the other end into the XC6 port of the secondary Sensor.

XC cable connection issues for NS9300 Sensors

XC cable connection issues can occur in NS9300 Sensors due to improper cabling of the interconnect ports (G0/1, G0/2, G4/1, and G4/2).

Check the following connections on the NS9300 Sensors when facing such issues.

• One end of an LC-LC fiber-optic cable should be plugged into the G0/1 port of the primary Sensor and the other end into the G4/1 port of the secondary Sensor.

• One end of an LC-LC fiber-optic cable should be plugged into the G0/2 port of the primary Sensor and the other end into the G4/2 port of the secondary Sensor.

External fail-open kit issues in connecting to the monitoring port

External fail-open kit issues can occur due to disconnected network device cables, improper cabling, or port misconfiguration.

Checking the following connections might resolve the issue.

• Ensure that the cables are properly connected to both the network devices and the Bypass Switch.

• Ensure that the transmit and receive cables are properly connected to the Bypass Switch.

Fail-open kit related issues

Issues related to the fail-open kit in the customer's environment.

Applicable to Sensor models: M-series, NS-series

Problem scenarios

1 Passive fail-open does not bypass even though the fail-open kit Sensor is down/Sensor is rebooted

2 Passive fail-open does not come up and continuously flaps

3 Active fail-open does not come up and continuously flaps

4 Active fail-open to Sensor link flaps continuously

Data/Information Collection

1 Execute the following commands in the Sensor:

• show

• status

• show inlinepktdropstat <port>

• show sensor-load

• show intfport <port> (multiple times)


2 Check the following details:

• Active fail-open type (model) and configuration

• Cables and SFP type

• Physical connection details (network topology)

• Peer device port configuration

3 Trace the Sensor files.

4 Check the infoCollector tool for the logs, including the configuration backup. (This is optional, in case the issue needs to be reproduced locally.)

Following are the troubleshooting steps for the various problem scenarios:

Problem 1: Passive fail-open does not bypass even though the fail-open kit Sensor is down/Sensor is rebooted

1 Check if the Sensor is up and in good state.

2 In the Physical Ports page of the Manager, check the following configurations:

• Port is configured to Inline Fail-Open Passive

• Appropriate media is selected, Copper/Fiber

• Auto-Negotiate is selected.

3 If the peer device port does not support MDIX, use an appropriate cable to bring up the link during the Sensor bypass. If that does not work, check the Passive Fail-Open Kit for hardware issues.

4 While using the Passive Fail-Open Kit, make sure to disable STP on the peer device ports to avoid auto-renegotiation.

While using the Passive Fail-Open Kit, each Sensor port initially negotiates individually with its peer port when the Sensor is in inline mode. When the Sensor goes into bypass mode, the peer device ports re-negotiate with each other. Make sure to enable PortFast on the peer devices to minimize the network outage.

Problem 2: Passive fail-open does not come up and continuously flaps

1 Check if the Sensor is up and in good state.

2 In the Physical Ports page of the Manager, check the following configurations:

• Port is configured to Inline Fail-Open Passive

• Appropriate media is selected, Copper/Fiber

• Auto-Negotiate is selected.

• Appropriate cable is used. The cable type should be Cat5e or better for copper, and single-mode or multi-mode fiber depending on the SFP used.

3 Check the control cable connection and the right controller port.

4 Check if the SFPs are according to McAfee's recommendations.

5 Check for bad/defective cable and SFPs.

6 Check if the peer device port is working and if the port settings are set to Auto-Negotiate.

7 Ensure local port testing (by connecting monitoring ports back to back).


8 Swap the working SFP and cables from another port pair.

9 If all the above steps fail, RMA the Sensor.

Problem 3: Active fail-open does not come up and continuously flaps

1 Check if the Sensor is up and in good state.

2 Use McAfee recommended transceivers (standard SFP for 1G, SFP+ for 10G, and QSFP for 40G ports).

3 Check the Active Fail-Open Kit monitoring port settings (specifically Auto-Negotiate and speed). They should match the Sensor monitoring ports and the peer device.

4 Ensure local loopback port testing (by connecting monitoring ports back to back).

5 Swap the working SFP and cables from another port pair.

6 Check the load on the Sensor.

7 If all the above steps fail, RMA the Sensor.

Steps to Configure and Debug active fail-open

When configuring the Active Fail-Open Kit, in case of flapping issues, the configuration on the network peer ports must match the one on the Active Fail-Open Kit to Sensor monitoring port pair.

1 Ensure the power to the Optical Bypass Switch is on.

2 Using a DB-9 RS232 programming cable, connect a PC running HyperTerminal to the Optical Bypass Switch.

3 Launch a terminal emulation software like HyperTerminal, and set the following communication parameters:

• Bits per second: 19200

• Data bits: 8

• Parity: None

• Stop bit: 1

• Flow control: None

4 Click OK. The CLI banner and login prompt are displayed.

5 Type the default username and password. (The default username and password are both McAfee, and are case sensitive.)

6 Once you are logged in, use the commands in the following table to configure and troubleshoot the Active Fail-Open Kit:


Command   Description

a   Set the timeout value. To set the timeout value, do the following:

• Type a and press Enter.

• TimeOut period (1-254 sec): type the number of seconds between each heartbeat (1-254 seconds) and press Enter. Default = 1.

• Retry Count (1-254): type the number of missed heartbeats allowed before the Bypass Switch enters the On mode. Default = 3.

The Retry Count must be greater than or equal to the Timeout period.

b   Set Switch parameters. To set speed, duplex and auto-negotiation, LFD, and bypass detect:

• 1 = turn On.

• 0 = turn Off.

• Fail Mode Open/Close = 1

The LFD and Bypass detecting mode settings cannot be changed.

c   Set TAP mode.

• Type c and press Enter.

• Type 1 to set the tap mode On or 0 to set the tap mode Off. Default = Off.

d   Show configuration. Type d and press Enter. The following is displayed:

• LFD = On

• Timeout Period = 1

• Bypass Detect = Off

• Retry Count = 3

• Fail Mode = Open

• Bypass State = Off

• TAP Mode = Off

e   Show port status. Type e and press Enter. The following is displayed:

• Port A = Up/Down

• Port B = Up/Down

• Port 1 = Up/Down

• Port 2 = Up/Down

f   Set Switch name.

• Type f and press Enter.

• At the prompt, type the Switch name, which can be up to 8 characters long.

z   Reset to Factory Defaults.

Problem 4: Active fail-open to Sensor link flaps continuously

1 Check if the Sensor is up and in a good state.

2 Use McAfee recommended transceivers (standard SFP for 1G, SFP+ for 10G, and QSFP for 40G ports).


3 Check the Active Fail-Open Kit monitoring port settings (specifically Auto-Negotiate and speed). They should match the Sensor monitoring ports and the peer device.

4 Check the Sensor ports (by connecting monitoring ports back to back).

5 Swap the working SFPs and cables from the other working port pair.

6 Swap the working Active Fail-Open Kit to confirm if a hardware problem exists or not.

7 Check the load on the Sensor to determine whether Sitera is dropping the heartbeat (HB) packets from the Active Fail-Open Kit. To test whether Sitera is dropping the HB packets, contact McAfee Support for further assistance.

Debugging issues with Connection Limiting policies

Connection Limiting policies consist of a set of rules that enable the Sensors to limit the number of connections a host can establish, or the rate of connections. This section provides troubleshooting steps to resolve a few issues with Connection Limiting policies.

Before you begin

Check that the Connection Limiting policy is correctly configured.

• You can configure the Connection Limiting policy with the monitoring ports in SPAN, tap, or inline modes. The response actions differ for SPAN and tap modes: in these modes, the Sensor cannot block the connections or quarantine the hosts.

• The connections are limited based on the predefined threshold value. The threshold value is defined as connections per second or active connections. For example, if you define 1 connection per second as the threshold value, 10 connections are allowed per 10 seconds. So, if there are 10 connections in the first second, all other connections from the second to the tenth second are dropped. On the other hand, if you have 1 connection each second, all 10 connections up to the tenth second are allowed.

• A Connection Limiting rule based on Protocol applies to both IPv4 and IPv6 traffic. A Connection Limiting rule based on McAfee GTI applies only to IPv4 traffic; GTI does not support IPv6 traffic.

• The Connection Limiting alert raised is IP: Too many TCP/UDP/ICMP sessions. This alert is present in the IPS Policies.
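The threshold semantics in the second bullet above, modelled in Python as an added example. This is not McAfee code and not the Sensor's actual algorithm: the fixed 10-second window is taken from the guide's own illustration, while the per-source bucketing, the single alert on crossing the threshold, and the distinction between a drop response and alert-only (which also stands in for SPAN/tap ports, where the Sensor cannot drop) are assumptions. The connection timestamps are constructed.

```python
"""Added illustration (not McAfee code) of the connection-rate threshold semantics above:
a threshold of N connections per second is applied as a budget of N*10 new connections
per fixed 10-second window, so a burst consumes the whole budget for the rest of the window."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ALERT_NAME = "IP: Too many TCP/UDP/ICMP sessions"  # alert named in the guide


@dataclass
class ConnectionRateLimiter:
    rate_per_sec: int                   # threshold as configured in the Connection Limiting rule
    window_seconds: int = 10            # assumption: the 10-second window used in the guide's example
    response: str = "drop"              # "drop" (Alert & Drop Excess Connections) or "alert-only"
    alerts: List[str] = field(default_factory=list)
    _counts: Dict[Tuple[str, int], int] = field(default_factory=dict)

    def admit(self, src_ip: str, ts: float) -> bool:
        """Return True if a new connection from src_ip at time ts is forwarded, False if dropped."""
        budget = self.rate_per_sec * self.window_seconds
        bucket = (src_ip, int(ts // self.window_seconds))   # fixed, aligned windows per source
        seen = self._counts.get(bucket, 0) + 1
        self._counts[bucket] = seen
        if seen <= budget:
            return True
        # Threshold exceeded: raise the alert once per window, on the first excess connection.
        if seen == budget + 1:
            self.alerts.append(f"{ALERT_NAME} from {src_ip} at t={ts:.1f}s")
        # alert-only (and SPAN/tap ports, which cannot block) still forwards the excess.
        return self.response == "alert-only"


def run(limiter: ConnectionRateLimiter, src_ip: str, timestamps: List[float]) -> List[bool]:
    """Replay a list of connection start times through the limiter."""
    return [limiter.admit(src_ip, t) for t in timestamps]


# Constructed connection patterns for a 1 connection/second rule.
BURST = [0.1] * 10 + [s + 0.5 for s in range(1, 10)]  # 10 in the first second, then 1 per second
STEADY = [s + 0.5 for s in range(10)]                 # exactly 1 per second for 10 seconds

if __name__ == "__main__":
    print("burst :", run(ConnectionRateLimiter(rate_per_sec=1), "10.0.0.5", BURST))
    print("steady:", run(ConnectionRateLimiter(rate_per_sec=1), "10.0.0.5", STEADY))
```

When troubleshooting "no alerts raised", this is the check to keep in mind: a source that stays at or below rate * 10 connections in any 10-second window never crosses the threshold, so neither the alert nor the ConnLimiting drop counter will move.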

Perform these steps to configure a basic Connection Limiting policy.

Task

1 Go to Policy | Intrusion Prevention | Connection Limiting Policies and select Connection Limiting Rules.

2 Click New and configure the rule properties.


3 In Connection Limiting Rules, set the parameters like state, direction, and response.

Figure 1-1 Connection Limiting Rule

4 Go to Devices | Devices | <Device_name> | IPS Interfaces.

5 From the interfaces, select <interface_name> | <subinterface_name> | Protection Profile | Connection Limiting Policy.

6 Select the Assign a Connection Limiting Policy? checkbox.

7 Select the required Connection Limiting policy on the Sensor interface and click Save.

Make sure the IP: Too many TCP/UDP/ICMP sessions alert is enabled in the IPS policy that is applied on the Sensor interface.

8 Deploy the configuration changes to the Sensor.

Troubleshooting Connection Limiting issues

After Connection Limiting policies are configured, you might see issues like:

• No alerts are raised in the Manager

• Excess packets are not dropped or denied

• Hosts are not quarantined

Connection Limiting rules can be configured with the responses Alert only, Alert & Drop Excess Connections, Alert & Deny Excess Connections, and Alert & Quarantine.

Perform these steps to troubleshoot issues like alerts not raised in the Manager, excess packets not dropped or denied, or hosts not quarantined after reaching the threshold value.

1 Make sure that the Connection Limiting policy rules are configured and applied to the Sensor interface.

2 From the Sensor CLI, run the show inlinepktdropstat all command and check whether the ConnLimiting Pkt Drop Count is 0. A count of 0 means that the configured threshold value has not been reached; alerts are triggered in the Manager only when the count reaches the threshold value.

3 Check whether the incoming traffic rate to the Sensor meets the Connection Limiting rule's threshold value. If it does not, send traffic at the corresponding rate.

4 Set a lower threshold value and check the active connections or connections per second.


5 Check whether there is a firewall ignore rule for the source IP address configured in the Connection Limiting rule. Go to Policy | Firewall Policies | <Firewall Policy> | Access Rules to check whether the source IP address's Response is set to Stateless Ignore or Ignore.

6 Check whether the source IP address configured in the Connection Limiting rule is part of the Quarantine Exceptions list. Go to Devices | Global | IPS Device Settings | Quarantine | Default Port Settings to check whether the source IP address is excluded from quarantine.

Considerations for GTI connection limiting and XFF feature

When you configure GTI and XFF for a connection limiting rule:

• The Sensor cannot perform a GTI lookup on the XFF IP address. That is, GTI-based connection limiting does not work when the XFF feature is enabled.

• When the XFF feature is enabled, the Sensor expects all HTTP flows to carry XFF data in the HTTP header.

• The Sensor supports connection limiting on XFF based on protocol-based connection limiting.

Alert Detection Matrix

The table summarizes how alerts are detected based on the connection limiting type and the XFF feature configuration.

Connection limiting type | XFF configuration | XFF or non-XFF tagged traffic sent to Sensor | Proxy IP reputation | XFF IP reputation | Alert detection
Protocol | Disabled | Without XFF | - | - | Yes
Protocol | Enabled | With XFF | - | - | Yes
Protocol | Enabled | Without XFF | - | - | No
GTI | Disabled | Without XFF | - | - | Yes
GTI | Enabled | With XFF | Low risk | High risk | No
GTI | Enabled | With XFF | High risk | Low risk | No
GTI | Enabled | Without XFF | - | - | No

Issues with Quarantine

Network Security Platform enables you to quarantine your network hosts when required.

There are two ways to quarantine hosts:

• Configure the Sensor to quarantine hosts automatically when they generate specific attacks.

• Manually quarantine specific hosts that are listed in the Real-time Threat Analyzer.

You might see these issues while quarantining:

• Real-time Threat Analyzer quarantine list does not have a host entry, but the host is stuck.

• Real-time Threat Analyzer lists a host that is not deleted after the expiry time. You might also see an error when manually deleting a host from the Threat Analyzer.

To confirm that it is a quarantine issue, put the Sensor in layer 2 or add the host IP address to the Quarantine Exceptions list and check whether the issue is resolved. If the issue is not resolved, contact McAfee Support.


Issues and status checks for the Manager

This section describes issues and status checks specific to the Manager.

Contents

• The Manager connectivity to the database
• MySQL issues
• Sensor not displayed in the resource tree
• The Manager fails to start
• The Manager interface does not work after JRE update
• Message on loading the Manager does not disappear
• Unable to log on to the Manager after typing credentials
• Sections of the interface that do not load properly
• Prompt appears in Threat Analyzer to open or save a JNLP file
• Login button does not work when using Internet Explorer 9
• Real Time Threat Analyzer file download gets into a loop
• The Manager client is unable to contact the Manager server when launching the Real Time Threat Analyzer
• Real Time Threat Analyzer has strange behavior
• Real Time Threat Analyzer security warning box keeps popping up
• Threat Analyzer UI stuck at downloading maps
• Many options are grayed out in Threat Analyzer menu
• Unable to get alerts in Historical Threat Analyzer

The Manager connectivity to the database

If the Manager loses connectivity to the database (for example, the database goes down), the alerts are stored in a flat file on the Manager server. When database connectivity is restored, the alerts are stored in the database.

The Manager database is full

We recommend that the customer monitor the disk space on a continuous basis to prevent this from happening.

If the Manager database or disk space is full, the Manager will be unable to process any new alerts or packet logs. In addition, the Manager might not be able to process any configuration changes, including policy changes and alert acknowledgement. In fact, the Manager might stop functioning completely.

To rectify this situation, perform maintenance operations on the database, including deleting unnecessary alerts and packet logs. Furthermore, reevaluate database capacity planning and sizing, and monitor free space proactively. The Manager is designed with various file and disk maintenance functions. You can archive alert and packet log data and then delete the data to free up disk space. It also provides a standalone tool for creating database backups that can be archived for emergency restoration.

The Manager also provides disk maintenance alerts, which send proactive system fault messages when the Manager disk space utilization reaches a threshold of 51%. The severity of this fault rises with the percentage of disk space utilization.

The Manager database fails to start

Below are some of the reasons for the Manager database failing to start.


• The Manager database process is already running. This can be checked by opening Windows Task Manager and looking for mysqld.exe with a memory footprint of hundreds of MB.

• Start the service "McAfee Network Security Manager Database" from the Services window. If the service does not start, check for the reason of the failure in the <DBInstalldir>\data\<hostname>.err file.

• In the command prompt, navigate to <DBInstalldir>\bin and run "mysqld --console" manually. For a successful startup, a message like the following is displayed:

130626 12:05:04 [Note] mysqld: ready for connections.
Version: '5.5.31-enterprise-commercial-advanced-log' socket: '' port: 3306 MySQL Enterprise Server - Advanced Edition (Commercial)

The version number and commercial license definition vary across Manager versions.

To close the successful startup session, press CTRL-C.

For an unsuccessful startup, the process shuts down abruptly and prints the error.

If an unexpected database service shutdown occurs, check the <hostname>.err file for the possible reason. Also, during this unexpected shutdown, MySQL creates a minidump, mysqld.dmp, in the data directory. If required, this file can be used for further analysis.
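A helper for the two checks above (the "ready for connections" banner and the <hostname>.err file), written as an added Python example rather than McAfee tooling: it classifies the tail of a mysqld error log as a clean start or a failed one and pulls out the version, port and first [ERROR] line. The successful-start lines are the ones quoted in this section; the failure lines (a port-already-in-use startup) are constructed sample input and not taken from any real Manager.

```python
"""Added example (not McAfee tooling): classify the tail of the Manager database error log
(<DBInstalldir>\\data\\<hostname>.err) as a start that reached "ready for connections"
or one that died with an [ERROR]. The sample log lines below are constructed."""
import re
import sys
from typing import Dict, List, Optional

READY_RE = re.compile(r"mysqld: ready for connections\.")
VERSION_RE = re.compile(r"Version: '(?P<version>[^']+)'.*?port: (?P<port>\d+)")
ERROR_RE = re.compile(r"\[ERROR\]\s*(?P<msg>.+)")


def classify_startup(lines: List[str]) -> Dict[str, Optional[str]]:
    """Classify one startup from its log lines.

    The log is appended to across restarts, so the later of the two markers wins: a
    'ready' line clears earlier errors, an [ERROR] after it marks the start as failed.
    The first [ERROR] of the failing start is kept, since it names the actual cause."""
    result: Dict[str, Optional[str]] = {"status": "unknown", "version": None, "port": None, "error": None}
    for line in lines:
        if READY_RE.search(line):
            result["status"] = "ready"
            result["error"] = None
        m = VERSION_RE.search(line)
        if m:
            result["version"], result["port"] = m.group("version"), m.group("port")
        m = ERROR_RE.search(line)
        if m:
            result["status"] = "failed"
            if result["error"] is None:
                result["error"] = m.group("msg").strip()
    return result


def read_tail(path: str, lines: int = 200) -> List[str]:
    """Read the last `lines` lines of an error log (the file can grow large)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.readlines()[-lines:]


# Successful start, in the format quoted in this section.
GOOD_START = [
    "130626 12:05:04 [Note] mysqld: ready for connections.",
    "Version: '5.5.31-enterprise-commercial-advanced-log' socket: '' port: 3306 "
    "MySQL Enterprise Server - Advanced Edition (Commercial)",
]
# Constructed failure: a second mysqld already owns TCP 3306 (the "process already running" case).
PORT_IN_USE = [
    "130626 12:07:31 [ERROR] Can't start server: Bind on TCP/IP port: Address already in use",
    "130626 12:07:31 [ERROR] Do you already have another mysqld server running on port: 3306 ?",
    "130626 12:07:31 [ERROR] Aborting",
]

if __name__ == "__main__":
    # Usage: python check_mysql_err.py <DBInstalldir>\data\<hostname>.err
    lines = read_tail(sys.argv[1]) if len(sys.argv) > 1 else GOOD_START + PORT_IN_USE
    print(classify_startup(lines))
```

Run it against the real .err file before restarting the service: a "failed" result whose error mentions the port already being bound points back to the first bullet above (a stale mysqld.exe still running) rather than to a database problem.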

MySQL issues

The common symptoms that occur if your database tables become corrupt:

• .MYI or .MYD errors reported in the ems.log file.

• Inability to acknowledge or delete faults in Operational Status.

• When trying to view the packet log for an alert in the Threat Analyzer, you receive an error message:

No Packet log available for this alert at this time

If you think that your MySQL database tables have become corrupt, follow the instructions on verifying your tables in McAfee KnowledgeBase article KB60660. (Go to http://mysupport.mcafee.com, and click Search the KnowledgeBase.)

Sensor not displayed in the resource treeAfter adding the Sensor and establishing trust, if the Sensor is not displayed in the resource tree, perform thefollowing steps for troubleshooting:

Task1 Capture traffic using wireshark in the Manager.

2 Check if the Manager is receiving UDP response packets from the Sensor.

3 Configure the firewall to allow UDP traffic if response packets are not coming.

4 Check if the Manager machine has multiple NIC cards. If yes, open <NSM_INSTALL_DIR>/bin/tms.bat and modify the following line to assign a relevant IP address that is also used in the Sensor configuration:

5 Set JAVA_OPTS=%JAVA_OPTS% -Dlumos.fixedManagerSNMPIPaddress=""

6 Restart the Manager.


You can enable detailed debugging messages by editing the <NSM_INSTALL_DIR>/config/log4j_ism.xml file: add the following lines, or change them if they already exist:

• <category name="iv.core.DiscoveryService"> <priority value="DEBUG"/></category>

• <category name="iv.core.SensorConfiguration"> <priority value="DEBUG"/></category>

The Manager fails to start

Below are some of the common reasons for the Manager failing to start:

• The Manager Java process is already running. This can be checked by opening Windows Task Manager and looking for a java.exe with a memory footprint of hundreds of MB. Alternatively, install Sysinternals' Process Explorer from HTTP://TECHNET.MICROSOFT.COM/EN-US/SYSINTERNALS/BB896653 to locate the java process. If found, as indicated in the following image, the process should be ended.

Figure 1-2 Check if Manager Java process is already running


• In the command prompt, navigate to <NSMInstallationDirectory>/bin and run tms.bat manually, then check for the conditions below.

• One of the TCP ports that the Manager binds to is in use. Use netstat -nab to list all ports in use. These netstat options also identify the executable that is binding to the port; that executable should be stopped.

Figure 1-3 Check netstats


• Check whether the logged-on user on the server has permission to launch the McAfee Network Security Manager service. This can be found by right-clicking the service, selecting Properties and then the Log On tab. If the logged-on user doesn't have permission to run the local service, the Manager does not start.

Figure 1-4 Check user permissions

• The server does not have enough RAM. The tms.bat file has a -Xmx<MaxHeap> setting that specifies, in MB, the Java heap to be allocated to the process. If the server does not have that much RAM, the process will not start.

• Sometimes, especially on 32-bit machines, when heap exhaustion occurs you might increase the maximum heap setting assuming the full 2000 MB is available. However, stack space and native libraries share that same 2000 MB, so the Java heap cannot be higher than 1170 MB. Check that the -Xmx setting is not greater than 1170 MB on a 32-bit machine.

• The process fails to start with a classloader exception such as ClassNotFound. This typically indicates issues with the Manager installation. A fresh installation or upgrade, as appropriate, should resolve the issue.

Tasks

• Analyze memory-related issues on page 31

Analyze memory-related issues

Memory-related issues occur in the Manager when the amount of heap space allocated by the operating system, based on the JVM options (-Xms, -Xmx) specified in tms.bat, is not enough for the application to continue to behave in the desired manner.

Typical symptoms include:

• Application not being responsive – CPU usage of the Java process being high.

• Application crashing – terminating.

• Communication channel(s) flap between the Manager and the device – channel connections being reset frequently.

• Application not being able to start.

The following logs are required for analysis:


• InfoCollector logs (mainly ems, emsmem, aqcount, slowquery, and the DB err file).

• Thread stack traces and CPU usage, collected with the stack trace tool, and the live objects in heap memory, collected with the heap dump tool.

These logs must be collected before restarting the application (a restart is usually done to restore service), unless the issue is recurring; the heap dump tool and stack trace do not require a restart, and in most cases a memory leak cannot be reproduced. Without these logs, a root cause analysis (RCA) would be extremely challenging.

Task

1 Establish that the JVM has experienced memory overload. This can be determined by searching the InfoCollector log for the string OutOfMemoryError. The preferred way is to perform a global search across all InfoCollector files whose names start with ems* (with the wildcard), which can be done with a text editor such as TextPad. If there are no search results, the JVM did not experience a memory issue caused by the Manager application; it could have been caused by other applications or some operating system DLLs, so check the JVM crash files.

2 If the above exception is present, check the emsmem logs to find when memory dropped and how frequently; most cases exhibit either a slow decrease in memory over a period of days or months, or a sudden decrease in memory.

3 After establishing the time of the memory leak, check the alert rate in the aqcount logs. The recommended value is a maximum of 60 alerts/sec; any value above this over a period of time can cause memory issues. The alert rate can be calculated from the aqcount logs using the following method:

• Look for an entry similar to: "2012-07-31 13:27:52,012 AltQ:EPR-RCD: 6178500 0 112". Three pieces of information need to be extracted from it:

• (t1) timestamp (2012-07-31 13:27:52,012)

• Alert received string (AltQ:EPR-RCD)

• alert count (6178500)

• Now look for the next entry that contains "AltQ:EPR-RCD"; this entry will have an alert count greater by 300 (in the above example, the alert count will be 6178800). Note the timestamp (t2) of this entry.

Alert Rate = 300/(t2-t1)

4 Check the MySQL error logs to find out if there are any error messages.

5 Check the slowquery logs to find out if there are any queries that are being called repeatedly and taking a considerable amount of time to execute (more than 5-10 minutes).

6 Search for all the error messages in the ems logs using the string "error", similar to the first step. Observe the error messages that occurred during the time interval of the memory leak.

7 If a heap dump (a .bin file with the prefix 850heap or 1500heap) is available, it can be loaded into a heap dump analyzer such as MAT or VisualVM, which identifies the suspects causing the memory leak.
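As an added example (not code from the guide), the alert-rate calculation from step 3 carried out in Python over a few constructed aqcount log lines. It generalizes the guide's fixed 300-alert difference by using the actual count difference between consecutive AltQ:EPR-RCD entries, and flags the intervals that exceed the recommended 60 alerts/sec.

```python
import re
from datetime import datetime

# Constructed sample lines in the aqcount format quoted in the guide
# (timestamp, AltQ:EPR-RCD marker, cumulative alert count). Not real data.
SAMPLE_AQCOUNT_LOG = """\
2012-07-31 13:27:52,012 AltQ:EPR-RCD: 6178500 0 112
2012-07-31 13:27:53,500 AltQ:EPR-OTHER: 42 0 0
2012-07-31 13:27:55,012 AltQ:EPR-RCD: 6178800 0 115
2012-07-31 13:28:05,012 AltQ:EPR-RCD: 6179100 0 110
"""

# Ceiling stated in the guide; sustained rates above it can exhaust the heap.
RECOMMENDED_MAX_ALERTS_PER_SEC = 60

# Matches e.g. "2012-07-31 13:27:52,012 AltQ:EPR-RCD: 6178500 0 112"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"AltQ:EPR-RCD: (?P<count>\d+)"
)


def parse_received_entries(log_text):
    """Return [(timestamp, cumulative_alert_count), ...] for every
    AltQ:EPR-RCD line, in file order. Other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # The log uses a comma before the milliseconds; %f accepts 3 digits.
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
            entries.append((ts, int(m.group("count"))))
    return entries


def alert_rates(entries):
    """Alert rate for each consecutive pair of entries, in alerts/sec:
    (count2 - count1) / (t2 - t1). With the guide's 300-alert spacing this
    is exactly 300 / (t2 - t1); using the real difference also covers logs
    where the spacing differs. Returns [(t1, t2, rate), ...]."""
    rates = []
    for (t1, c1), (t2, c2) in zip(entries, entries[1:]):
        seconds = (t2 - t1).total_seconds()
        if seconds <= 0:
            # Identical timestamps or a clock step backwards: no rate derivable.
            continue
        rates.append((t1, t2, (c2 - c1) / seconds))
    return rates


def intervals_above_limit(log_text, limit=RECOMMENDED_MAX_ALERTS_PER_SEC):
    """Intervals whose alert rate exceeds the recommended maximum."""
    return [
        (t1, t2, rate)
        for t1, t2, rate in alert_rates(parse_received_entries(log_text))
        if rate > limit
    ]


if __name__ == "__main__":
    for t1, t2, rate in alert_rates(parse_received_entries(SAMPLE_AQCOUNT_LOG)):
        flag = "ABOVE LIMIT" if rate > RECOMMENDED_MAX_ALERTS_PER_SEC else "ok"
        print(f"{t1} -> {t2}: {rate:.1f} alerts/sec ({flag})")
```

In the constructed sample the first interval is 300 alerts in 3 seconds (100 alerts/sec, above the limit) and the second is 300 alerts in 10 seconds (30 alerts/sec).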

The Manager interface does not work after JRE update

Problem/Symptom: The JRE on the client workstation was updated from version 1.6 to version 1.7 and now portions of the Manager interface do not work.

Potential Cause:

• The Manager prior to 7.1.3.5 and 6.1.1.34 did not support JRE 1.7.

• If you want to run JRE 1.7, you must install a Manager version that supports Java version 1.7.


• If you cannot upgrade the Manager to a version that supports 1.7, you must re-install Java 1.6 on your client system.

Remedy:

If the Manager is version 7.1 or earlier, upgrade to version 7.1.3.5 or higher; refer to the Network Security Platform 7.1.3.5-7.1.3.6 M-series Release Notes.

If you cannot upgrade the Manager to a version that supports Java 1.7, you will need to re-install JRE 6.x: uninstall Java 7 from 'Add Remove programs', reconnect to the Manager and install the Java version when prompted.

Message on loading the Manager does not disappear

Problem/Symptom: A message is displayed stating "NSM is currently loading" but the message does not go away even after several minutes.

Potential Cause:

• The Manager server (Java) tries to establish connections to the web server. If any of the server communications is not established, the Manager will not start up properly. The problem might be due to:

• Java process not running on the server.

• The client cannot talk to the server (blocked ports).

• Database not running on the server.

• The Manager server process is not running on the appliance or on the Manager software.

Remedy:

Verify that the service is started and running properly.

1 From the Start Menu search bar, type 'cmd' to open the command prompt with elevated privileges.

2 Run the command tasklist /FI "IMAGENAME eq java.exe" to verify that Java is running on the server.

3 Check the output for java.exe on the server to ensure that the memory usage is above 500 MB. If nothing is listed, the Manager service is not running.

4 Run the following commands at a command prompt to verify that ports 8501 to 8505 are open and actively listening.

• netstat -an | find "LISTENING" |find "8501"

• netstat -an | find "LISTENING" |find "8504"

• netstat -an | find "LISTENING" |find "8502"

• netstat -an | find "LISTENING" |find "8505"

• netstat -an | find "LISTENING" |find "8503"

5 Verify that mysql is running by executing the command netstat -an | find "LISTENING" | find "3306".

6 Try to start the Manager manually by running tms.bat from <install path>/App/bin/. Look for error messages at the bottom of this output.

7 Check the bottom of the emsout.log file in <install path>/App/ for errors.


Unable to log on to the Manager after typing credentials

Problem/Symptom: From the logon page, after typing the user name and password, the Manager application does not open. It displays only a blank page.

Potential Cause:

The Manager requires the browser's pop-up blocker to be disabled or to have an exclusion configured for the Manager.

Remedy:

Disable the pop-up blocker functionality.

or

Create an exception for the Manager server IP addresses.

Table 1-1 Internet Explorer

To disable pop-up blocker:

1 From the command prompt, execute the command Inetcpl.cpl. The Internet Properties window is displayed.

2 In the Privacy tab, deselect the checkbox option Turn on Pop-up Blocker.

To add an exception to the pop-up blocker list:

1 From the command prompt, execute the command Inetcpl.cpl. The Internet Properties window is displayed.

2 In the Privacy tab, select the Turn on Pop-up Blocker checkbox.

3 Click Settings. The Pop-up Blocker Settings window is displayed.

4 In the Address of website to allow field, add the IP address or hostname of the Manager to the list of websites to be allowed.

Table 1-2 Mozilla Firefox

To disable pop-up blocker:

1 In the Firefox browser, select Tools | Options and click the Content tab.

2 Deselect the Block pop-up windows checkbox.

To add an exception to the pop-up blocker list:

1 In the Firefox browser, select Tools | Options and click the Content tab.

2 Select the Block pop-up windows checkbox.

3 Click Exceptions. The Allowed Sites - Pop-ups window is displayed.

4 In the Address of website text field, add the IP address or host name of the Manager to the list of web sites to be allowed.

Table 1-3 Google Chrome

To disable pop-up blocker:

1 In the Google Chrome browser, type the following in the address bar: chrome://chrome/settings/content. The Content Settings window is displayed.

2 Select Allow all sites to show pop-ups.

To add an exception to the pop-up blocker list:

1 In the Google Chrome browser, type the following in the address bar: chrome://settings/contentExceptions#popups. The Content Settings window is displayed.

2 In the Hostname pattern field, add the IP address or host name of the Manager to the list of exceptions.

Sections of the interface that do not load properly

Problem/Symptom: Sections of the interface do not load properly, or a Java logo is displayed instead of the Manager interface.


Potential Cause:

• There might be a conflict with the version of Java running on the client machine. This happens during an upgrade to the Manager, to Java, or to any application that uses Java. An older/different version of Java might be loaded, causing the Manager to behave inconsistently.

• The Manager supports all minor versions of Java, either version 1.6 or 1.7.

• If you need to run Java version 1.7, you must run Manager version 6.1.1.35 or higher, or Manager version 7.1.3.5 or higher.

• If the base Java version is supported (either version 1.6 or 1.7), there might be a version mismatch on your client machine. Clearing the cache ensures there is only one version on the endpoint. Also verify that only one version of Java is running on the client workstation.

Remedy:

• In the Control Panel, navigate to the Java Control Panel window. Refer to KB55469 at kc.mcafee.com to determine which Java version shipped with your version of the Manager.

• Try clearing temporary files using Java control panel, by performing the following steps.

1 In the Java Control Panel click the Settings tab.

2 Click Delete Files.

3 Select the files to be deleted and click OK.

• Uninstalling the currently installed client JRE allows the Manager to push the default shipped JRE back to the client and ensures that it is installed properly.

• Uninstall the currently installed version by closing all browser windows and using the Add/Remove Programs function to uninstall Java.

Prompt appears in Threat Analyzer to open or save a JNLP file

Problem/Symptom: Clicking the Real Time Threat Analyzer or Historical Threat Analyzer launch button prompts you to open or save a JNLP file.

Potential Cause:

• Browser is configured with 'do not save encrypted page on disk'.

• JNLP association is incorrect.

Remedy:

Verify the browser settings by performing the following steps:

1 From the command prompt, execute the command Inetcpl.cpl.

2 Click on the Advanced tab and scroll down to the Security section.

3 Ensure that the option Do not save encrypted page to disk is deselected.

Verify the .jnlp file association in the Windows configuration. The first time you are prompted to open a .jnlp file you can select the program Java Web Start Launcher. Ensure that you save the setting Always use the selected program to open this kind of file.


Table 1-4 Verifying .jnlp file association

For Windows 2003 and Windows XP:

1 From the command prompt, execute the command control folders, or use the Folder Options function in the Control Panel.

2 Click the File Types tab and scroll down to .jnlp.

3 Click Change and select Java Web Start Launcher from the list.

If it is not in the list, browse to the Java install location, which is usually C:\Program Files\Java\jre<version>\bin\javaw.exe.

For Windows 2008 and Windows 7:

1 Navigate to Control Panel | Default Programs.

2 Click on the link Associate a file type or protocol with a specific program.

3 Scroll down to the .jnlp entry, click Change program, then select Java Web Start Launcher.

If it is not in the list, browse to the Java install location, which is usually C:\Program Files (x86)\Java\jre<version>\bin\javaw.exe.

Login button does not work

Problem/Symptom: The Login button does not work.

Potential Cause: Internet Options are too restrictive.

Remedy:

Verify the following Internet Explorer browser settings by executing the Inetcpl.cpl command from the command prompt.

The Manager IP address or host name can be added to the trusted sites.

Or

Modify the security zone’s settings to allow the required changes. To modify the settings:

1 Click the Security tab.

2 Click Custom Level and enable the following entries:

• Run ActiveX Controls & Plugins

• Script ActiveX Controls mark safe for scripting

• Downloads: File Download

• Scripting: Active Scripting

3 Click the Advanced tab and scroll down to the Security section.

4 Verify that the option Do not save encrypted page to disk is deselected.

When using Internet Explorer 9, Real Time Threat Analyzer file download gets into a loop

Potential Cause:

Real Time Threat Analyzer relies on the Java Web Start functionality, which downloads the JRE application and data to the client workstation. The JNLP (Java Network Launching Protocol) setting for JAVAW (Java Web Start) is overwritten.

Remedy:

Verify file type association is pointing to javaws.exe.


Verifying .jnlp file association

For Windows 2003 and Windows XP:

1 From the command prompt, execute the command control folders, or navigate to Control Panel | Folder Options.

2 Select the File Types tab and scroll down to .jnlp.

3 Click the Change button and select Java Web Start Launcher from the list.

If it is not in the list, browse to the Java install location, which is usually C:\Program Files\Java\jre<version>\bin\javaw.exe.

For Windows 2008 and Windows 7:

1 Navigate to Control Panel | Default Programs.

2 Click on the link Associate a file type or protocol with a specific program.

3 Scroll down to the .jnlp entry, click the Change program button and select Java Web Start Launcher.

If it is not in the list, browse to the Java install location, which is usually C:\Program Files (x86)\Java\jre<version>\bin\javaw.exe.

The Manager client is unable to contact the Manager server when launching the Real Time Threat Analyzer

Potential Cause:

Client traffic is blocked from getting to the server. Most likely a firewall is blocking the connection. The Manager client communicates with the server via port 8555 for the Real Time Threat Analyzer.

Remedy:

Verify that the port is open through the firewall. If telnet is not installed, use the following command to install the utility in Windows 7: pkgmgr /iu:"TelnetClient". Then run:

telnet nsm-server-ip 8555

If it displays 'Could not open connection to the host, on port 8555: Connect failed', check the firewall settings.

Real Time Threat Analyzer has strange behavior

Potential Cause:

Real Time Threat Analyzer is sensitive to communication timing. It requires a certain operating window for communication between the Real Time Threat Analyzer and the backend.

Remedy:

Verify the communication between the client and server. Ping the Manager server; the average response time should be less than 200 ms. If the response is greater, increase the time-out value specified in ems.properties in <install path>/App/config/ (ta.timeout). The period value is set to 20 seconds. This should be changed to 60 if there is latency in the ping test. Restart the Manager service for the change to take effect.

Real Time Threat Analyzer security warning box keeps popping up

Potential Cause:

The publisher of the Manager certificate is not a trusted entity. The browser needs to trust the certificate publisher to avoid the security warning. To trust the certificate, the browser must use the hostname of the Manager so that the certificate and the URL match.

Remedy:


• Verify that the Manager is accessible by host name by executing the command ping <hostname>. If it is not accessible, add the Manager name and IP to the internal DNS servers exactly as the name appears in the certificate.

• Trust the publisher of the Manager certificate by installing the certificate as a trusted root certification authority:

1 In Internet Explorer, view the certificate by selecting it in the address bar and clicking View Certificates.

2 Move the certificates into trusted certificate authorities by performing the following steps.

a Run certmgr.msc from the start menu.

b Navigate to the Intermediate Certification Authorities folder and then to the Certificates folder.

c Find the Manager's hostname in the list of certificates.

d Copy the certificate by right-clicking it and selecting Copy.

e Navigate to Trusted Root Certification Authorities.

f Right-click in the right pane and paste the certificate. Accept any prompts that come up.

Navigate to the Manager with the browser using the hostname, and you should see the certificate as trusted.

Or

If you get an untrusted page message when accessing the Manager login page:

• In Internet Explorer, click on the link Continue to this website (not recommended).

• In Mozilla Firefox, click on I Understand the Risks and then click on Add Exception to confirm security exception.

• In Google Chrome, click on Proceed Anyway.

Threat Analyzer UI stuck at downloading maps

Potential Cause:

There is a communication problem between the Threat Analyzer and the Manager.

Remedy:

Verify that the Threat Analyzer has not timed out.

1 From the command prompt, type cd %USERPROFILE%/McAfee/NetworSecurityManager/<NSM_IP>/ThreatAnalyzer

2 Search for "failed" in the file threatanalyzer.log and filter the matches for the date "2013-05-05".

Replace that date with the current date; this filters the output to the messages with today's date.

3 Check if the output has a line matching the line given below:

com.intruvert.acm.ui.test.ConnectionTask - failed

If this output is found, increase the timeout for the Threat Analyzer by adding the line MAX_TIMEOUT_PERIOD=300000 to the ta.prop file.

4 Save the file and re-launch Threat Analyzer.

Many options are grayed out in Threat Analyzer menu

Potential Cause:

• You are logged on as a user without the Superuser role.

• There might be a communication problem between the Threat Analyzer applet and the Network Security Manager.

Remedy:

Verify you are logged on as a user with superuser privileges. If not, perform the following step:

In the Manager, select My Company | Users | Role Assignment and check if you have the Superuser role. It is also possible that the Threat Analyzer is unable to get permission details from the Manager. Try increasing the timeout using ta.prop. To do so, refer to the steps mentioned in Scenario 5.

Unable to get alerts in Historical Threat Analyzer

Potential Cause:

The iv_alert table may have missing indexes.

Remedy:

1 From the command prompt, type cd <MYSQL_INSTALL_DIR>\bin and then mysql -uroot -p (type the root password when prompted).

2 At the mysql prompt, run the following statement:

show index from iv_alert;

It should display the iv_alert_creation_ix index in the list.

3 Stop the Manager service.

4 Create the index with:

create index iv_alert_creation_ix on iv_alert(creationTime);

If you still have problems, recreate the iv_alert table by referring to KnowledgeBase article KB69132, and restart the Manager service.


Issues and status checks for the Sensor and Manager in combination

This section describes issues and status checks when the Sensor and Manager are connected.

Contents

Difficulties connecting Sensor and Manager
Loss of connectivity between the Sensor and Manager
DoS troubleshooting

Difficulties connecting Sensor and Manager

If you experience problems getting the McAfee Network Security Manager (Manager) and Sensor to communicate, see if one of the following situations might be the cause.

Network connectivity

• Ensure that the Sensor and Manager server have power and are appropriately connected to the network.

• Verify the link indicator lights on both devices to indicate they have an active link.

• Ping the Sensor and Manager server to ensure that they are available on the network.

Inconsistency in Sensor and Manager configuration

• Verify that the Sensor name that was entered in the CLI is identical to that entered in the Manager. Ensure the same for the shared secret key value. If these values do not match, the two cannot communicate.

The Sensor name is case sensitive.

• Check the network addresses for the Manager, the Manager's gateway, and the Sensor to ensure everything is configured correctly by typing show at the Sensor CLI command prompt.

Software or signature set incompatibility

Verify that the Sensor software image, Manager software version, and signature set version are compatible.

• A compatibility matrix is provided in the release notes that accompany each product release.

Firewall between the devices

If there is a firewall between the Sensor and the Manager server, make sure the devices are able to communicate by opening the appropriate ports.

Ports used by the Manager server are listed in the McAfee Network Security Platform Installation Guide.

Management port configuration

If you experience problems getting your Sensor and Manager to communicate, it might be a communication issue between the Sensor's Management port and the network device to which it is connected. Check the Management Port Link indicator lights on the Sensor; if the link is down, see if any of the following suggestions enable connectivity.

• Check that the network device is online.

• Check the cable connecting the Sensor to the network device.


• Ensure that the port on the device to which the Management port is connected is enabled and active.

• The port speed and duplex mode of the two devices must match. For example, if the device connecting to the Sensor is not set to auto-negotiate, you must configure the Management port to use the same settings as those of the device connecting to the Management port. To troubleshoot this, use the set mgmtport command.

Check the link LEDs on the devices to see if communication is established, or use the show mgmtport command to show the link's status.

Try each of these configuration options to see if one establishes a link:

1 If possible, set the other device's port configuration to auto-negotiate. (The Sensor is set to auto-negotiate by default.)

2 Using the set mgmtport command as described below in Set the management port speed and the duplex mode, try setting the speed and duplex of the Sensor to speed 100 and duplex half or full.

3 If no link is established, try speed 10 and duplex half or full.

4 If none of these attempts creates a link, try setting the port on the other device to a speed of 100, duplex half or full, and try step 2 again.

5 If this does not establish a link, do the same, setting the other device to a speed of 10, duplex half or full, and try step 3 again.

6 If you are still experiencing difficulties, contact McAfee technical support.

The Management port on M-series Sensors also supports 1000 Mbps (1 Gbps). Use the set mgmtport auto command to establish a link to the connecting device (before doing this, make sure the other device's port speed is fixed to 1000 and is also set to auto-negotiate).

Set the management port speed and the duplex mode

Task

• Set the speed of the Management port and whether the port should be set to half- or full-duplex. At the prompt, type:

set mgmtport speed <10 | 100 | 1000> duplex <half | full>

where <10> indicates 10 Mbps, <100> indicates 100 Mbps, <1000> indicates 1000 Mbps, <half> indicates half-duplex, and <full> indicates full-duplex.

1000 Mbps is applicable only for M-series Sensors.

Example: set mgmtport speed 100 duplex half.

Loss of connectivity between the Sensor and Manager

If you have previously established a connection between the Sensor and the Manager and the connection fails, try the following:

• Check network connectivity.

• View the system status on both the Manager and the Sensor.


• Check to ensure that the Management port on the Sensor is configured with the proper speed and duplex mode, as described in Management port configuration.

• Has the time been reset on the Manager server? The connection between the Sensor and Manager server is secure, and this secure communication is time-sensitive, so the time on the devices should remain synchronized. You must set the time on the Manager server before you install the Manager software and never change the time on that machine. If the time changes on the Manager server, the Manager will lose its connectivity with the Sensor and the Update Server. A time change could ultimately cause serious database errors.

For more information, see the KnowledgeBase article KB55587. (Go to http://mysupport.mcafee.com, and click Search the KnowledgeBase.)

How the Sensor handles new alerts during connectivity loss

The Sensor stores alerts internally until the connection is restored. Network Security Platform classifies and prioritizes events so that the buffer is filled with the events most meaningful to an analyst.

The following table lists the number of alerts that can be stored locally on the Sensor.

Number   Alert Type
100000   Signature based alerts
2500     Throttled alerts (with source and destination IP information)
2500     Compressed throttled alerts (alerts with no source and destination IP information)
2500     Statistical or anomaly DoS
2500     Throttled DoS alerts
1000     Host sweep alerts
1000     Port scan alerts

Once the connection from the Sensor to the Manager has been re-established, the queued alerts are forwarded to the Manager, so the customer retains them even when connectivity is disrupted for some time.

If the buffer fills up before connectivity is restored, the Sensor drops new alerts. If blocking is enabled, the Sensor continues to block irrespective of its connectivity with the Manager.
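The following added example (not McAfee code) models the queueing behaviour described above: per-type buffers sized from the table, new alerts dropped once a buffer is full (rather than the oldest being evicted), a flush of the queued alerts when the Manager comes back, and blocking that happens inline regardless of Manager connectivity. The alert-class names and the simulated outage are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Per-class local alert capacity from the guide's table. The class names are an
# assumed mapping for this example; the numbers are the guide's.
ALERT_CAPACITY = {
    "signature": 100000,
    "throttled": 2500,
    "compressed_throttled": 2500,
    "statistical_dos": 2500,
    "throttled_dos": 2500,
    "host_sweep": 1000,
    "port_scan": 1000,
}


class SensorAlertBuffer:
    """Model of the Sensor-side alert queue used while the Manager is unreachable."""

    def __init__(self, capacity=ALERT_CAPACITY):
        self.capacity = dict(capacity)
        self.queues = {k: deque() for k in capacity}
        self.dropped = defaultdict(int)      # alerts lost per class during the outage
        self.manager_connected = True
        self.forwarded = []                  # constructed stand-in for the Manager
        self.blocked = 0                     # inline blocking actions taken

    def on_alert(self, alert_type, alert, block=False):
        """Handle one alert; return True if it reached the Manager or was queued."""
        if block:
            # Blocking is decided on the Sensor and does not depend on the Manager.
            self.blocked += 1
        if self.manager_connected:
            self.forwarded.append((alert_type, alert))
            return True
        q = self.queues[alert_type]
        if len(q) >= self.capacity[alert_type]:
            # Buffer full: the *new* alert is dropped, queued alerts are kept.
            self.dropped[alert_type] += 1
            return False
        q.append(alert)
        return True

    def reconnect(self):
        """Connectivity restored: forward everything queued, oldest first."""
        self.manager_connected = True
        for alert_type, q in self.queues.items():
            while q:
                self.forwarded.append((alert_type, q.popleft()))


def simulate_outage(n_scans=1200):
    """Constructed scenario: the Manager is down while n_scans port-scan alerts
    arrive, each with blocking enabled; then the link comes back."""
    buf = SensorAlertBuffer()
    buf.manager_connected = False
    for i in range(n_scans):
        buf.on_alert("port_scan", {"id": i}, block=True)
    buf.reconnect()
    return {
        "forwarded": len(buf.forwarded),
        "dropped": buf.dropped["port_scan"],
        "blocked": buf.blocked,
    }
```

With 1,200 port-scan alerts against a 1,000-entry buffer, the first 1,000 are retained and forwarded on reconnect, 200 are lost, and all 1,200 were still blocked inline.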

DoS troubleshooting

Issues related to DoS alerts.

Applicable to Sensor models: M-series, NS-series

Problem scenario

DoS alerts raised in Network Security Manager.

Data/Information Collection

1 Execute show dospreventionprofile <dos-measure-name> <inbound/outbound> in the Sensor.

2 Trace the Sensor files.


Troubleshooting Steps

1 Check for the source IP of the profile learning each of the packet types. Execute the following commands:

• show dospreventionprofile tcp-syn inbound/outbound

• show dospreventionprofile tcp-syn-ack inbound/outbound

• show dospreventionprofile tcp-rst inbound/outbound

• show dospreventionprofile udp inbound/outbound

• show dospreventionprofile icmp-echo inbound/outbound

• show dospreventionprofile icmp-echo-reply inbound/outbound

• show dospreventionprofile icmp-non-echo-echoreply inbound/outbound

• show dospreventionprofile ip-fragment inbound/outbound

• show dospreventionprofile non-tcp-udp-icmp inbound/outbound

Check the bins for the long-term average traffic rate and short-term average traffic rate values. An alert is raised when the short-term traffic rate is higher than the long-term traffic rate.


2 Check bins that are blocked. A sample of the source IP profile during the detection stage, which indicates the blocked bins, is shown in the figure.


3 If many DoS alerts are raised frequently for a particular IP, it could be a false positive. The likely reason is that the profile for that IP was not learned properly.

4 For volume-related alerts (for example, if the inbound UDP volume is too high), check if the IP is missing in the alert details. To check the alert details, navigate to Analysis | <Admin Domain Name> | Threat Analyzer | Real-Time | Start the Real-Time Threat Analyzer.

Solution

Relearn the profile to resolve the issue.


DoS scenarios

• Observed value is calculated based on the following formula:

Observed value = (collected count * (threshold duration/collected duration))

• When there is a burst of traffic and the threshold is reached, the Sensor starts collecting the DoS IP information. This results in the packet count showing as zero, whereas the actual observed value is very high. This works in accordance with the design.

• Similarly, in some scenarios the packet count is a non-zero value, whereas the actual observed value is zero. This happens when the traffic has stopped but the DoS IP collection and attack detection are still in progress.
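To make the two checks in this section concrete (the short-term versus long-term rate comparison in the troubleshooting steps, and the observed-value formula above), here is an added Python example. It is not McAfee's implementation: the guide does not say how the Sensor smooths its rates, so the two exponential moving averages per bin, the warm-up sample count that stands in for "profile not learned", and the burst scenario are all assumptions of this example. The packet types and directions are the ones the show dospreventionprofile commands take.

```python
from dataclasses import dataclass

# Packet types and directions covered by the show dospreventionprofile commands.
PACKET_TYPES = ("tcp-syn", "tcp-syn-ack", "tcp-rst", "udp", "icmp-echo",
                "icmp-echo-reply", "icmp-non-echo-echoreply", "ip-fragment",
                "non-tcp-udp-icmp")
DIRECTIONS = ("inbound", "outbound")


def observed_value(collected_count, threshold_duration, collected_duration):
    """Observed value = collected count * (threshold duration / collected duration).

    The count seen over a partial collection window is scaled up to the
    threshold window so it is comparable with the configured threshold. A
    zero-length collection window yields 0.0 (nothing has been measured yet).
    """
    if collected_duration <= 0:
        return 0.0
    return collected_count * (threshold_duration / collected_duration)


@dataclass
class Bin:
    """One learned profile bin (packet type x direction)."""
    long_term: float = 0.0   # long-term average traffic rate
    short_term: float = 0.0  # short-term average traffic rate
    samples: int = 0


class DosProfile:
    """Assumed model of a per-source-IP learning profile: two exponential
    moving averages per bin (long-term smoothed slowly, short-term quickly)."""

    def __init__(self, long_alpha=0.05, short_alpha=0.5, warmup=20):
        self.long_alpha = long_alpha
        self.short_alpha = short_alpha
        self.warmup = warmup  # samples needed before a bin counts as learned
        self.bins = {(p, d): Bin() for p in PACKET_TYPES for d in DIRECTIONS}

    def update(self, ptype, direction, rate):
        """Feed one rate sample; return True if this bin would raise a DoS alert."""
        b = self.bins[(ptype, direction)]
        if b.samples == 0:
            b.long_term = b.short_term = rate
        else:
            b.long_term += self.long_alpha * (rate - b.long_term)
            b.short_term += self.short_alpha * (rate - b.short_term)
        b.samples += 1
        # Alert when the short-term rate exceeds the long-term rate, but only
        # once the profile is learned; an unlearned profile is the false-positive
        # case that the guide resolves by relearning.
        return b.samples >= self.warmup and b.short_term > b.long_term

    def relearn(self, ptype, direction):
        """Discard a bin's profile so it is learned afresh (the guide's Solution)."""
        self.bins[(ptype, direction)] = Bin()


def simulate_udp_burst(steady=100.0, burst=5000.0, steady_samples=50):
    """Constructed scenario: steady inbound UDP followed by a burst.
    Returns the indices of the samples that raised an alert."""
    profile = DosProfile()
    alerts = []
    rates = [steady] * steady_samples + [burst] * 3
    for i, rate in enumerate(rates):
        if profile.update("udp", "inbound", rate):
            alerts.append(i)
    return alerts
```

With a steady 100 packets/s the two averages stay equal and nothing fires; the first burst sample pushes the short-term average far above the long-term one and every burst sample alerts. Scaling a count of 250 packets collected over 6 seconds to a 60-second threshold window gives an observed value of 2500.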

Issues and status checks for the Sensor and other devices in combination

This section describes issues and status checks that involve a Sensor and any other devices, including third-party devices, that can be added.

Connectivity issues between the Sensor and other network devices

The most common Sensor problems relate to configuration of the speed and duplex settings. Speed determination issues can result in no connectivity between the Sensor and the switch.

Duplex mismatches

A duplex mismatch (for example, one end of the link in full-duplex and the other in half-duplex) can result in performance issues, intermittent connectivity, and loss of communication. It can also create subtle problems in applications. For example, if a Web server is talking to a database server through an Ethernet switch with a duplex mismatch, small database queries might succeed, while large ones fail due to a timeout.


Manually setting the speed and duplex to full-duplex on only one link partner generally results in a mismatch. This common issue results from disabling auto-negotiation on one link partner and having the other link partner default to a half-duplex configuration, creating a mismatch. This is the reason why speed and duplex cannot be hard-coded on only one link partner. If your intent is not to use auto-negotiation, you must manually set both link partners' speed and duplex settings to full-duplex.

Valid auto-negotiation and speed configurations

The table below summarizes all possible settings of speed and duplex for Sensors and Cisco Catalyst switch ports.

Table 1-5 Speed Configurations

Network Security Platform Configuration, 10/100/1000 port (Speed/Duplex) | Configuration of Switch (Speed/Duplex) | Resulting Sensor (Speed/Duplex) | Resulting Catalyst (Speed/Duplex) | Comments

100 Mbps Full-duplex | 1000 Mbps Full-duplex | No Link | No Link | Neither side establishes link, due to speed mismatch

100 Mbps Full-duplex | AUTO | 100 Mbps Full-duplex | 100 Mbps Full-duplex | Correct configuration

100 Mbps Full-duplex | 1000 Mbps Full-duplex | 100 Mbps Full-duplex | 100 Mbps Full-duplex | Correct Manual Configuration

100 Mbps Half-duplex | AUTO | 100 Mbps Half-duplex | 100 Mbps Half-duplex | Link is established, but switch does not see any auto-negotiation information from McAfee Network Security Platform and defaults to half-duplex when operating at 10/100 Mbps.

10 Mbps Half-duplex | AUTO | 100 Mbps Half-duplex | 100 Mbps Half-duplex | Link is established, but switch does not see Fast Link Pulse (FLP) and defaults to 10 Mbps half-duplex.

10 Mbps Half-duplex | 1000 Mbps Half-duplex | No Link | No Link | Neither side establishes link, due to speed mismatch.

Gigabit auto-negotiation (no link to connected device)

Gigabit Ethernet has an auto-negotiation procedure that is more extensive than that used for 10/100 Mbps Ethernet (per the Gigabit auto-negotiation specification IEEE 802.3z-1998). Gigabit auto-negotiation negotiates flow control, duplex mode, and remote fault information. You must either enable or disable link negotiation on both ends of the link. Both ends of the link must be set to the same value or the link will not connect.

If either device does not support Gigabit auto-negotiation, disabling Gigabit auto-negotiation forces the link up.

Troubleshooting a Duplex Mismatch with Cisco Devices

When troubleshooting connectivity issues with Cisco switches or routers, verify that the Sensor and the switch/router are using a valid configuration. The show intfport <port> command on the Sensor CLI will help reveal errors.


Sometimes there are duplex inconsistencies between Network Security Platform and the switch port. Symptoms include poor port performance and frame check sequence (FCS) errors that increment on the switch port. To troubleshoot this issue, manually configure the switch port to 100 Mbps, half-duplex. If this action resolves the connectivity problems, you might be running into this issue. Contact Cisco's TAC for assistance.

Use the following commands to verify fixed interface settings on some Cisco devices that connect to Sensors:

Cisco PIX® Firewall

• interface ethernet0 100full

Cisco CSS 11000

• interface ethernet-3

• phy 100Mbits-FD

Cisco Catalyst 4000, 5000, 6000 series (native)

• set port speed 1/1 100

• set port duplex 1/1 full

Connectivity issues with Cisco 3750-12S switch

Use the following ports when connecting a Cisco 3750-12S switch to your Sensor: 3, 4, 7, 8, 11, or 12. Connections using ports 1, 2, 5, 6, 9, or 10 might cause network issues, such as an inconsistent delay of packets.


Explanation of CatOS show port command counters

AlignmentErrors
  Description: Alignment errors are a count of the number of frames received that do not end with an even number of octets and have a bad CRC.
  Possible causes: These are the result of collisions at half-duplex, duplex mismatch, bad hardware (NIC, cable, or port), or a connected device generating frames that do not end on an octet and have a bad FCS.

FCS
  Description: FCS error count is the number of frames that were transmitted or received with a bad checksum (CRC value) in the Ethernet frame. These frames are dropped and not propagated onto other ports.
  Possible causes: These are the result of collisions at half-duplex, duplex mismatch, bad hardware (NIC, cable, or port), or a connected device generating frames with bad FCS.

Xmit-Err
  Description: This is an indication that the internal transmit buffer is full.
  Possible causes: This is an indication of excessive input rates of traffic. This is also an indication of the transmit buffer being full. The counter should only increment in situations in which the switch is unable to forward out the port at a desired rate. Situations such as excessive collisions and 10 Mb ports cause the transmit buffer to become full. Increasing speed and moving the link partner to full-duplex should minimize this occurrence.

Rcv-Err
  Description: This is an indication that the receive buffer is full.
  Possible causes: This is an indication of excessive output rates of traffic. This is also an indication of the receive buffer being full. This counter should be zero unless there is excessive traffic through the switch. In some switches, the Out-Lost counter has a direct correlation to the Rcv-Err.

UnderSize
  Description: These are frames that are smaller than 64 bytes (including FCS) and have a good FCS value.
  Possible causes: This is an indication of a bad frame generated by the connected device.

SingleCollisions
  Description: Single collisions are the number of times the transmitting port had one collision before successfully transmitting the frame to the media.
  Possible causes: This is an indication of a half-duplex configuration.

MultipleCollisions
  Description: Multiple collisions are the number of times the transmitting port had more than one collision before successfully transmitting the frame to the media.
  Possible causes: This is an indication of a half-duplex configuration.

LateCollisions
  Description: A late collision occurs when two devices transmit at the same time and neither side of the connection detects a collision. The reason for this occurrence is that the time to propagate the signal from one end of the network to another is longer than the time to put the entire packet on the network. The two devices that cause the late collision never see that the other is sending until after it puts the entire packet on the network. Late collisions are detected by the transmitter after the first time slot of the 64-byte transmit time occurs. They are only detected during transmissions of packets longer than 64 bytes. Its detection is exactly the same as it is for a normal collision; it just happens later than it does for a normal collision.
  Possible causes: This is an indication of faulty hardware (NIC, cable, or switch port) or a duplex mismatch.

ExcessiveCollisions
  Description: Excessive collisions are the number of frames that are dropped after 16 attempts to send the packet resulted in 16 collisions.
  Possible causes: This is an indication of over-utilization of the switch port at half-duplex or a duplex mismatch.

CarrierSense
  Description: Carrier sense occurs every time an Ethernet controller wants to send data, and the counter is incremented when there is an error in the process.
  Possible causes: This is an indication of faulty hardware (NIC, cable, or switch port).

Runts
  Description: These are frames smaller than 64 bytes with a bad FCS value.
  Possible causes: This is an indication of the result of collisions, duplex mismatch, IEEE 802.1Q (dot1q), or an Inter-Switch Link Protocol (ISL) configuration issue.

Giants
  Description: These are frames that are greater than 1518 bytes and have a bad FCS value.
  Possible causes: This is an indication of faulty hardware, dot1q, or an ISL configuration issue.

Auto-negotiation

Auto-negotiation issues typically do not result in link establishment issues. Instead, auto-negotiation issues mainly result in a loss of performance. When auto-negotiation leaves one end of the link in, for example, full-duplex mode and the other in half-duplex (also known as a duplex mismatch), errors and re-transmissions can cause unpredictable behavior in the network, causing performance issues, intermittent connectivity, and loss of communication. Generally these errors are not fatal: traffic still makes it through, but locating and fixing them is a time waster.


Situations that might lead to auto-negotiation issues

Auto-negotiation issues with the Sensor might result from a nonconforming implementation, hardware incapability, or software defects.

Generally, if the switch used with the Sensor adheres to the IEEE 802.3u auto-negotiation specification and all additional features are disabled, auto-negotiation should properly negotiate speed and duplex, and no operational issues should exist.

• Problems might arise when vendor switches/routers do not conform exactly to the IEEE specification 802.3u.

• Vendor-specific advanced features that are not described in IEEE 802.3u for 10/100 Mbps auto-negotiation (such as auto-polarity or cabling integrity) can also lead to hardware incompatibility and other issues.

DNS connectivity and reputation issues

DNS connectivity

DNS connectivity from the Sensor sometimes has issues due to incorrect configuration or an incorrect DNS server IP address. You can view the DNS connectivity fault in the System Faults page in the Manager. The Device DNS server connectivity status faults are generated by the Sensor whenever there is an issue in DNS connectivity.

Figure 1-5 DNS server connectivity warning fault

Figure 1-6 GTI server connectivity critical fault


You can perform the following high-level troubleshooting steps to solve the connectivity problem:

1 Check the Devices | <Admin Domain Name> | Global | Default Device Settings | Common | Name Resolution global-level setting in the Manager to see if the parent domain has the primary and secondary DNS server information entered correctly.

Figure 1-7 Global level DNS server setting

2 If the global setting has the correct information, check the Devices | <Admin Domain Name> | Devices | <Device Name> | Setup | Name Resolution device-level setting to see if it inherits the global settings. Make sure that Inherit Settings? is selected and also check that the inherited information is correct.

Figure 1-8 Device level DNS server setting

If the connectivity problem still persists, contact McAfee Support for further assistance.

GTI file reputation


In case of any errors for file reputation analysis, you can perform the following high-level troubleshooting steps:

1 Check if malware detection is enabled in Policy | <Admin Domain Name> | Intrusion Prevention | Advanced Malware | Advanced Malware Policies.

2 In the case of file reputation, the request is sent for bad file reputation. The file is sent as an MD5 checksum in DNS requests. If there is no response from DNS, check the DNS connectivity. If the DNS connectivity has any issues, perform the high-level steps mentioned under DNS connectivity to solve the problem.

If the DNS connectivity is working correctly, there will be a response to the file reputation request. Confirm the connectivity by executing the show malwareenginestats CLI command and checking its output.

Check the output of the malware statistics for the GTI file reputation engine. The Number of files sent and Number of response Received should show an increase in comparison with the number of files sent/received before sending the reputation request.

Malware Statistics for GTI File Reputation Engine

Number of files sent: 11132

Number of response Received: 9377

Number of files ignored: 1755

Number of files with malware score clean: 0

Number of alerts with malware score very low: 37

Number of alerts with malware score low: 0

Number of alerts with malware score medium: 0

Number of alerts with malware score high: 0

Number of alerts with malware score very high: 1233

Number of alerts with malware score unknown: 8051

Total number of alerts sent: 1233

Total number of attacks blocked: 1233

Total number of TCP resets sent: 1233

If the connectivity problem still persists, contact McAfee Support for further assistance.
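The before/after comparison of the counters is easy to get wrong by eye, so here is an added example (not McAfee code) that parses the show malwareenginestats output in the format quoted above and reports whether requests are both leaving the Sensor and being answered. The "after" text is the guide's own sample; the "before" snapshot with slightly lower counters, and the verdict wording, are constructed for this example.

```python
import re

# Output of 'show malwareenginestats' as quoted in the guide (after the request).
STATS_AFTER = """\
Malware Statistics for GTI File Reputation Engine
Number of files sent: 11132
Number of response Received: 9377
Number of files ignored: 1755
Number of files with malware score clean: 0
Number of alerts with malware score very low: 37
Number of alerts with malware score low: 0
Number of alerts with malware score medium: 0
Number of alerts with malware score high: 0
Number of alerts with malware score very high: 1233
Number of alerts with malware score unknown: 8051
Total number of alerts sent: 1233
Total number of attacks blocked: 1233
Total number of TCP resets sent: 1233
"""

# Constructed earlier snapshot: 12 fewer files sent and 12 fewer responses.
STATS_BEFORE = (STATS_AFTER
                .replace("files sent: 11132", "files sent: 11120")
                .replace("response Received: 9377", "response Received: 9365"))

# One "<label>: <integer>" statistic per line; the title line has no value.
LINE_RE = re.compile(r"^\s*(?P<key>[A-Za-z][^:]*?):\s*(?P<value>\d+)\s*$")


def parse_malware_stats(text):
    """Return {label: int} for every statistic line in the CLI output."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stats[m.group("key")] = int(m.group("value"))
    return stats


def reputation_path_check(before_text, after_text):
    """Compare two snapshots taken around a reputation request.

    Both counters rising means the DNS-based reputation path works end to end;
    requests without responses points at DNS connectivity; no requests at all
    points at the malware policy not being enabled."""
    before = parse_malware_stats(before_text)
    after = parse_malware_stats(after_text)
    sent = after["Number of files sent"] - before["Number of files sent"]
    received = (after["Number of response Received"]
                - before["Number of response Received"])
    if sent > 0 and received > 0:
        verdict = "ok: reputation requests are leaving and responses are coming back"
    elif sent > 0:
        verdict = "requests sent but no responses: check DNS connectivity"
    else:
        verdict = "no requests sent: check that malware detection is enabled in the Advanced Malware policy"
    return {"sent_delta": sent, "received_delta": received, "verdict": verdict}
```

Run the check right before and right after triggering a file-reputation lookup; the deltas are what matter, not the absolute counters, which persist across many requests.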

GTI IP reputation

When a SYN packet is seen, the Sensor checks whether IP reputation is enabled for that port/protocol. When enabled, the Sensor sends a query to the management process. The first flow is always allowed to pass through since the reputation score is not yet available. After a reputation score is assigned, the score is updated to the Sensor, and subsequent flows from the same IP address are marked with the reputation score in the header for lookup in the datapath processor. The source IP is checked for inbound flows and the destination IP for outbound flows, even though the entire 5-tuple is passed in the query.


The Sensor connectivity status with GTI server critical fault is generated by the Sensor in the Manager whenever the Sensor has connectivity issues to the GTI server.

Figure 1-9 Sensor connectivity fault

You can perform the following high-level troubleshooting steps to solve the connectivity problem:

1 Check if a proxy configuration is required. If the organization has a firewall/proxy between the Sensor management port and the cloud, then the proxy has to be configured, with a username/password if required. You can configure the proxy server under Manage | <Admin Domain Name> | Setup | Proxy Server.

2 Port 443 should not be blocked on the management port network.

3 Check the Devices | <Admin Domain Name> | Global | Default Device Settings | Common | Name Resolution global-level setting in the Manager to see if the parent domain has the primary and secondary DNS server information entered correctly.

If the connectivity problem still persists, contact McAfee Support for further assistance.

Integration Scenarios

This section explains troubleshooting in integration scenarios and the steps required.

Tasks

• Global Threat Intelligence - API Overload on page 53

• ePO - Connection failure on page 54

• Vulnerability Manager - Connectivity issues on page 56

• Vulnerability Manager - Certificate Sync and FC Agent issues on page 57

• Logon Collector - Integration issues on page 59

Global Threat Intelligence - API Overload

When the Manager integrates with Global Threat Intelligence to obtain the reputation scores on hosts and geo-locations, the API is used to send feature usage data back to McAfee, and there is a possibility of the API getting overloaded.


Perform the following steps for troubleshooting:

Task

1 If the proxy server is enabled, verify that "tunnel.web.trustedsource.org" is allowed by the proxy server ACLs.

2 In the Manager, select Manage | Integration | Global Threat Intelligence and check if the Alert Data Details option is enabled.

3 Check that the SDK bootstraps to the Global Threat Intelligence cloud successfully by looking for the following entries in ems.log.

• 2011-12-06 15:55:01,510 INFO [http-0.0.0.0-9999-3] com.intruvert.ts.helper.TSRatingLookupHelper -Major version:

• 2011-12-06 15:55:01,510 INFO [http-0.0.0.0-9999-3] com.intruvert.ts.helper.TSRatingLookupHelper - 2

• 2011-12-06 15:55:01,510 INFO [http-0.0.0.0-9999-3] com.intruvert.ts.helper.TSRatingLookupHelper -Minor version:

• 2011-12-06 15:55:01,510 INFO [http-0.0.0.0-9999-3] com.intruvert.ts.helper.TSRatingLookupHelper - 0

• 2011-12-06 15:55:01,510 INFO [http-0.0.0.0-9999-3] com.intruvert.ts.helper.TSRatingLookupHelper -Version description:

• 2011-12-06 15:55:01,510 INFO [http-0.0.0.0-9999-3] com.intruvert.ts.helper.TSRatingLookupHelper -TrustedSource SDK 2.0.5.02 (Build 1117)

• 2011-12-06 15:55:01,510 INFO [http-0.0.0.0-9999-3] com.intruvert.ts.helper.TSRatingLookupHelper -Version:

• 2011-12-06 15:55:01,511 INFO [http-0.0.0.0-9999-3] com.intruvert.ts.helper.TSRatingLookupHelper -2.0.5.02-1117

• 2011-12-06 15:55:01,672 INFO [http-0.0.0.0-9999-3] com.intruvert.ts.helper.TSRatingLookupHelper -Using Proxy Server:1.1.1.1, port: 20

• 2011-12-06 15:55:01,780 INFO [http-0.0.0.0-9999-3] com.intruvert.ts.helper.TSRatingLookupHelper -Device Id: 9b11e1c4-069e-4195-8dd1-c2842ba338f6

• 2011-12-06 15:55:01,780 INFO [http-0.0.0.0-9999-3] com.intruvert.ts.helper.TSRatingLookupHelper -MIICZjCCAc+gAwIBAgICEFIwDQYJKoZIhvcNAQEFBQAwNjEZMBcGA1UEAxQQVHJ1c3RlZFNvdXJjZV9DQTEMMAoGA1UEChMDU0NDMQswCQYDVQQGEwJVUzAe

• 2011-12-06 15:55:01,780 INFO [http-0.0.0.0-9999-3] com.intruvert.ts.helper.TSRatingLookupHelper -MIICXQIBAAKBgQDegOtxL2JHaGLwU6RTQKPfGtzMp3zxiKRc4yPqgPtIgZqReQj7yw6pqvpBmpcx/OobEjs0hA8v0abE3BFwEX0Mezre2B9NpPhuJnNHhe4c/cGdxtC53

ePO - Connection failure

If there is a connection failure between the Manager and the ePO server, perform the following steps for troubleshooting.

In the Manager:

1 Ensure that the provided configuration, such as the IP address, port numbers, user name and password for the ePO server, is correct.

2 Ping or try to access the ePO server directly from the Manager server. If it is not accessible, check the firewall configuration and follow other regular network troubleshooting steps.


3 Ensure that the required permissions are given to the configured user name. To isolate a permission issue, use the global administrator user name or password for testing the connection. If the connection is successful with global administrator credentials, then it could be a problem with the configured user name.

4 Check these log files for any errors:

• For Manager Versions below 7.5.5: Check ems.log file for any errors

• For Manager Version 7.5.5 and above: Check epo.log file for any errors

5 The Manager uses the following URL. Try accessing it from the Manager server through a browser: https://EPO_SERVER_IP:8443/remote/ISExtension.HostForensicsCommand.do?command=getHostDetails&ip=[specify_IP]

Check these log files. The following denotes a successful "TestConnection":

011-11-22 15:09:51,500 INFO [ajp-127.0.0.1-8009-3] iv.common.HttpClient.ApacheGetImpl - doGET(),succesfully made the request to http client, url is https://172.16.101.37/remote/ISExtension.HostForensicsCommand.do?command=getHostDetails&ip=127.0.0.1&orion.user.security.token=tpc5pvsNVHxo3fiS

The following denotes an error in connection:

ems.log.3:2011-11-17 12:15:10,914 ERROR [ajp-127.0.0.1-8009-5] iv.common.HttpClient.ApacheGetImpl -doGET:Error while doing the http get function for the url https://172.17.94.80/remote/ISExtension.HostForensicsCommand.do?command=getHostDetails&ip=127.0.0.1&orion.user.security.token=kSffjTChbZRcE0IJ the errorisjava.net.SocketTimeoutException: Read timed out

ems.log.3:2011-11-17 12:48:21,435 ERROR [ajp-127.0.0.1-8009-4] iv.common.HttpClient.ApacheGetImpl -doGET:Error while doing the http get function for the url
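Reading these lines by hand across a rotated ems.log is tedious, so here is an added example (not McAfee code) that classifies the ApacheGetImpl entries quoted above: it separates successful GETs from errors, pulls out the ePO host and the Java exception, and redacts the orion.user.security.token value that the Manager writes into the logged URL, since that token should not travel further in a support bundle. The three sample lines are the guide's own, re-embedded so the block runs offline (the truncated year on the first one is as printed); the field names and the summary shape are assumptions of this example.

```python
import re

# The ems.log lines quoted in the guide, re-embedded here as sample input.
SAMPLE_EMS_LOG = [
    "011-11-22 15:09:51,500 INFO [ajp-127.0.0.1-8009-3] iv.common.HttpClient.ApacheGetImpl - doGET(),"
    "succesfully made the request to http client, url is https://172.16.101.37/remote/"
    "ISExtension.HostForensicsCommand.do?command=getHostDetails&ip=127.0.0.1"
    "&orion.user.security.token=tpc5pvsNVHxo3fiS",
    "ems.log.3:2011-11-17 12:15:10,914 ERROR [ajp-127.0.0.1-8009-5] iv.common.HttpClient.ApacheGetImpl "
    "-doGET:Error while doing the http get function for the url https://172.17.94.80/remote/"
    "ISExtension.HostForensicsCommand.do?command=getHostDetails&ip=127.0.0.1"
    "&orion.user.security.token=kSffjTChbZRcE0IJ the errorisjava.net.SocketTimeoutException: Read timed out",
    "ems.log.3:2011-11-17 12:48:21,435 ERROR [ajp-127.0.0.1-8009-4] iv.common.HttpClient.ApacheGetImpl "
    "-doGET:Error while doing the http get function for the url",
]

LEVEL_RE = re.compile(r"\b(INFO|WARN|ERROR)\b")
URL_RE = re.compile(r"\bhttps?://[^\s]+")
TOKEN_RE = re.compile(r"(orion\.user\.security\.token=)[^&\s]+")
EXC_RE = re.compile(r"(java\.[\w.]*Exception)(?::\s*([^\n]*))?")


def classify_epo_line(line):
    """Classify one ems.log line from the ePO HTTP client; None if unrelated."""
    if "ApacheGetImpl" not in line:
        return None
    level = LEVEL_RE.search(line)
    url = URL_RE.search(line)
    exc = EXC_RE.search(line)
    host = re.match(r"https?://([^/]+)", url.group(0)).group(1) if url else None
    return {
        "status": "error" if level and level.group(1) == "ERROR" else "ok",
        "host": host,
        # Keep the URL for diagnosis but never the session token it carries.
        "url": TOKEN_RE.sub(r"\1<redacted>", url.group(0)) if url else None,
        "exception": exc.group(1) if exc else None,
        "detail": (exc.group(2) or "").strip() if exc else None,
    }


def summarize_epo_connection(lines):
    """Summarize the ePO connection attempts found in a sequence of log lines."""
    entries = [r for r in (classify_epo_line(l) for l in lines) if r]
    errors = [r for r in entries if r["status"] == "error"]
    return {
        "requests": len(entries),
        "errors": len(errors),
        "exceptions": sorted({r["exception"] for r in errors if r["exception"]}),
        "entries": entries,
    }
```

A SocketTimeoutException with "Read timed out" against the ePO host, as in the second line, is the case step 2 above covers (reachability and firewall), whereas an HTTP-level failure with the connection succeeding points at the permission checks in step 3.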

In the ePO:

1 Ensure that the ePO server has the latest NSPExtension installed.

2 Ensure that the required permissions are given to the configured username. Check if the user has sufficient permission to access the NSP Extension.

• In Menu | User Management | Users | desired User, note down the "Permission Sets".

• In Menu | User Management | Permission sets, select the permission set that is assigned to this user. Check if Network Security Platform has view and change settings.

3 To test the connection to the Manager server, manually run the NSP:Dashboard Data Pull Task. If the connection fails, ping or try to access the Manager server directly from the ePO server. If that fails, check the firewall and follow regular network troubleshooting steps.

4 Check orion.log file for any error messages at C:\Program Files\McAfee\ePolicy Orchestrator\Server\Logs\orion.log.

If the test connection is carried out from a child admin domain, then make a test connection for the parent admin domain by following the above troubleshooting steps.


Vulnerability Manager - Connectivity issues

When you run through the integration wizard to connect to the Vulnerability Manager database, the following error is displayed: The attempt to confirm connectivity with the McAfee Vulnerability Manager database has failed for the following reason: Internal Server Error

Perform the following steps for troubleshooting:

1 Stop the service of the Manager.

2 Disable CBC protection mode in App/bin/tms.bat.

3 Open the tms.bat file and set the following Java options; the final option, -Djsse.enableCBCProtection=false, turns off CBC protection.

• set JAVA_OPTS=%JAVA_OPTS% -server -Xms768m -Xmx768m -Xss128K

• set JAVA_OPTS=%JAVA_OPTS% -XX:NewRatio=4 -XX:PermSize=128m -XX:MaxPermSize=256m -XX:+UseParallelOldGC

• set JAVA_OPTS=%JAVA_OPTS% -Dapp.home.dir="%APPROOT%"

• set JAVA_OPTS=%JAVA_OPTS% -Dapp.install.root="%APPROOT%"

• set JAVA_OPTS=%JAVA_OPTS% -Dapp.home.dir.url="%APPROOT%"

• set JAVA_OPTS=%JAVA_OPTS% -Dwin.dir="%WINDIR%"

• set JAVA_OPTS=%JAVA_OPTS% -Dlumos.fixedManagerSNMPUDPPort="4167"

• set JAVA_OPTS=%JAVA_OPTS% -Dlumos.fixedManagerSNMPIPaddress=""

• set JAVA_OPTS=%JAVA_OPTS% -Dlumos.fixedManagerSNMPIPv6address=""

• set JAVA_OPTS=%JAVA_OPTS% -Dpython.path="%JYTHONLIB%"

• set JAVA_OPTS=%JAVA_OPTS% -Div.policymgmt.RuleEngine.compiler.netl7antlr.strictCheckEnabled="FALSE"

• set JAVA_OPTS=%JAVA_OPTS% -Div.compiler.snort.dumpPCRE="TRUE"

• rem set JAVA_OPTS=%JAVA_OPTS% -Div.policymgmt.RuleEngine.compiler.enableAPforSPM="FALSE"

• set JAVA_OPTS=%JAVA_OPTS% -Div.compiler.snort.dumpSSIDandStates="TRUE"

• set JAVA_OPTS=%JAVA_OPTS% -Div.controlchannel.snmpv3.useLocalizedKeys="FALSE"

• set JAVA_OPTS=%JAVA_OPTS% -Dsun.lang.ClassLoader.allowArraySyntax=true

• set JAVA_OPTS=%JAVA_OPTS% -Djava.rmi.server.hostname="localhost"

• set JAVA_OPTS=%JAVA_OPTS% -Dcatalina.home="%CATALINA_HOME%"

• set JAVA_OPTS=%JAVA_OPTS% -Djsse.enableCBCProtection=false

4 Restart the Manager service.

After performing these steps, run through the integration wizard to try to connect to the Vulnerability Manager database.


Vulnerability Manager - Certificate Sync and FC Agent issues

Table 1-6 Issue 1

Problem: The FC Agent service doesn't get installed while installing the Manager.

Solution: To install the FCAgent service:

1 Download the software vcredist_x86.exe and run it on that host.

2 Download link: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5638.

3 At the command prompt, go to c:\Program Files (x86)\foundstone\FCM and run the command fcagent -i to install the service.

Table 1-7 Issue 2

Problem: When you click the API tab in the Manager, an internal server error is displayed.

Solution: This issue might be seen on some systems when the command sc query FCAgent is executed internally by the Manager. The server on which the Manager is deployed might not have the right permission settings to run this command; the Administrator has to provide permission to run sc.exe. To change the permission settings for sc.exe:

1 Go to //windows/system32/sc.exe.

2 Right-click sc.exe and select Properties.

3 Click the Security tab.

4 Add a local service and provide full permission.


Table 1-8 Issue 3

Problem: The FCAgent service doesn't start on the Manager server.

Solution: To integrate with Vulnerability Manager, the Manager must update the Windows registry. However, the user account used to run the Manager service will not have permissions to write to the Windows registry if the Manager is fully locked down. To give that user account the required permissions, follow these steps:

1 On the server running the Manager, run regedit.exe.

2 Change the permissions on the registry and allow Full Control to 'Local Service' for the keys:

• HKLM

• HKLM\Software

• HKLM\Software\Foundstone

3 Right-click on these keys and choose Permissions.

4 Add the user account used to run the Manager service (likely LOCAL SERVICE).

5 Give that user account Full Control over the key.

6 Click OK.

Changes take effect immediately. A reboot is not required.

7 In the API Server page, click Save.

If the operating system is 64-bit, perform this procedure for these keys:

• HKLM

• HKLM\Software

• HKLM\Software\wow6432Node

• HKLM\Software\wow6432Node\Foundstone

Table 1-9 Issue 4

Problem: You are able to start the FCAgent service, but clicking on 'Retrieve MVM Certificate' returns an error message.

Solution: It might be because port 3801 is not enabled in the API server. Check if port 3801 has been enabled. Vulnerability Manager could be deployed in distributed mode, where the FCM Server could be on one server and the API Server, DB, Enterprise Manager and Scan Engines could be on another server. In the API server page, try configuring the FCM Server IP address and port 3801. Try clicking the Retrieve Certificates button. If the OnDemand scan fails, try changing the port back to 3800.

Table 1-10 Issue 5

Problem: Retrieve MVM certificate is failing even though the SSHStauscache and Statuscache keys are present in the registry

Solution: This might occur if C:\Program Files\Foundstone or C:\Program Files (x86)\Foundstone does not have write permission for Local Service.

1 Add Local Service and give it full permission.

2 Click Retrieve MVM Certificate again after giving the required permissions.
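The following script is an added example and not a McAfee script: it audits, without changing anything, the registry permissions that Issue 3 calls for, the Foundstone folder permissions from Issue 5, and the FCM Server port mentioned in Issue 4. It assumes the Manager service runs as LOCAL SERVICE (SID S-1-5-19) and uses a placeholder FCM Server name that you replace with your own.

```powershell
# Added example; not a McAfee script. Run in an elevated Windows PowerShell
# session on the Manager server. It only reports; it grants nothing.
# Assumptions: the Manager service runs as LOCAL SERVICE (S-1-5-19) and
# $FcmServer is a placeholder for your FCM Server address.

$FcmServer = 'fcm.example.invalid'   # placeholder, not a real host
$LocalServiceSid = 'S-1-5-19'        # well-known SID of NT AUTHORITY\LOCAL SERVICE

# Registry keys from Issue 3. The Wow6432Node keys exist only on a 64-bit OS,
# so a missing key is reported as Exists = False rather than as a failure.
$RegistryKeys = @(
    'HKLM:\',
    'HKLM:\Software',
    'HKLM:\Software\Foundstone',
    'HKLM:\Software\Wow6432Node',
    'HKLM:\Software\Wow6432Node\Foundstone'
)

# Folders from Issue 5.
$Folders = @(
    'C:\Program Files\Foundstone',
    'C:\Program Files (x86)\Foundstone'
)

function Test-FullControl {
    # Returns whether the given SID holds an Allow ACE (explicit or inherited)
    # granting Full Control on a registry key or folder.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Sid
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; FullControl = $false }
    }
    $acl = Get-Acl -LiteralPath $Path
    $granted = $false
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Compare by SID so the check does not depend on the display language.
        try {
            $aceSid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($aceSid -ne $Sid) { continue }
        if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $rights = [int] $ace.RegistryRights
            $full   = [int] [System.Security.AccessControl.RegistryRights]::FullControl
        } else {
            $rights = [int] $ace.FileSystemRights
            $full   = [int] [System.Security.AccessControl.FileSystemRights]::FullControl
        }
        if (($rights -band $full) -eq $full) { $granted = $true; break }
    }
    [pscustomobject]@{ Path = $Path; Exists = $true; FullControl = $granted }
}

function Test-TcpPort {
    # Plain TCP connect test with a timeout (no dependency on Test-NetConnection).
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [int] $Port,
        [int] $TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Issue 3: registry permissions. Full Control on the HKLM root is what the
# guide asks for; the report lists every key so you can see exactly how broad
# the grant is rather than getting a single pass/fail.
'== Registry keys (Issue 3) =='
$RegistryKeys | ForEach-Object { Test-FullControl -Path $_ -Sid $LocalServiceSid } |
    Format-Table -AutoSize

# Issue 5: Foundstone program folder permissions.
'== Foundstone folders (Issue 5) =='
$Folders | ForEach-Object { Test-FullControl -Path $_ -Sid $LocalServiceSid } |
    Format-Table -AutoSize

# Issue 4: FCM Server port. 3801 is the port the guide says to try first;
# 3800 is the one to fall back to if OnDemand scans fail afterwards.
'== FCM Server ports (Issue 4) =='
foreach ($port in 3801, 3800) {
    $open = Test-TcpPort -ComputerName $FcmServer -Port $port
    [pscustomobject]@{ Server = $FcmServer; Port = $port; Reachable = $open }
}
```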


Logon Collector - Integration issues

To ensure connectivity between the McAfee® Logon Collector and the Manager, the following configurations are mandatory.

• Ensure that the Active Directory services are up and running. If the Active Directory (AD) is not configured correctly or is down, then the Manager does not receive Logon Collector updates and test connectivity does not get verified.

• Add the domain that needs to be monitored in the Logon Collector server. If the domain is not added, test connection fails and the Manager does not receive Logon Collector updates.

• Ensure that all Logon Collector components of the Logon Collector server are running.

• While exchanging the Logon Collector certificate with the Manager by pasting, ensure that you copy the certificate content to Notepad first to remove any inadvertent spaces that might cause certificate exchange failure during connectivity.

• To verify that the Manager is receiving Logon Collector updates, create a Firewall policy, then double-click the Source User field to verify that the Groups configured in the AD are listed.

As part of the Manager-Sensor Logon Collector integration, the Manager sends IP-User mapping and User-Group mapping periodically and on certain well-defined events. The Sensor receives the Logon Collector updates from the Manager only when user-based Firewall policies are assigned to Sensors. The Manager notifies the following two faults related to this integration, which are available in the System Fault page:

• The number of users configured in AD is more than 75,000, or the IP-user mapping is more than 100,000.

• The MLC bulk update file exceeds the 25 MB limit; this is a critical fault and user intervention is needed.


2 Performance issues

Most performance issues are related to switch port configuration, duplex mismatches, link up/down situations, and data link errors.

Contents

• Sniffer trace

• Data link errors

Sniffer trace

A Sniffer details packet transfer, and thus a Sniffer trace analysis can help pinpoint switch and McAfee® Network Security Platform performance or connectivity issues when the issues persist after you have exhausted the other suggestions in this document. Sniffer trace analysis reveals every packet on the wire and pinpoints the exact problem.

Note that it may be important to obtain several Sniffer traces from different ports on different switches, and that it is useful to monitor ("span") ports rather than spanning VLANs when troubleshooting switch connectivity issues.

Data link errors

Many performance issues may be related to data link errors. Excessive errors usually indicate a problem. For more information, see also Configuration of Speed and Duplex settings.

Half-duplex setting

When operating with a duplex setting of half-duplex, some data link errors such as FCS, alignment, runts, and collisions are normal. Generally, a one percent ratio of errors to total traffic is acceptable for half-duplex connections. If the ratio of errors to input packets is greater than two or three percent, performance degradation may be noticeable.

In half-duplex environments, it is possible for both the switch and the connected device to sense the wire and transmit at exactly the same time, resulting in a collision. Collisions can cause runts, FCS, and alignment errors, which are caused when the frame is not completely copied to the wire, resulting in fragmented frames.

Full-duplex setting

When operating at full-duplex, the FCS, cyclic redundancy check (CRC), alignment error, and runt counters should be minimal. If the link is operating at full-duplex, the collision counter is not active. If the FCS, CRC, alignment, or runt counters are incrementing, check for a duplex mismatch. A duplex mismatch is a situation in which the switch is operating at full-duplex and the connected device is operating at half-duplex, or vice versa. The result of a duplex mismatch is extremely slow performance, intermittent connectivity, and loss of connection. Other possible causes of data link errors at full-duplex are bad cables, a faulty switch port, or software or hardware issues.
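As an added example that is not from the McAfee guide, the following PowerShell function applies the half-duplex error ratio thresholds and the full-duplex mismatch symptoms described above to one port's counters. The counter values at the bottom are constructed samples; on a real switch they come from the port's interface statistics.

```powershell
# Added example; not from the McAfee guide. Turns the thresholds in the
# half-duplex and full-duplex sections into a decision over port counters.
function Get-LinkDiagnosis {
    param(
        [Parameter(Mandatory)] [ValidateSet('half', 'full')] [string] $Duplex,
        [Parameter(Mandatory)] [long] $InputPackets,
        [long] $FcsErrors = 0,        # FCS / CRC errors
        [long] $AlignmentErrors = 0,
        [long] $Runts = 0,
        [long] $Collisions = 0
    )
    $frameErrors = $FcsErrors + $AlignmentErrors + $Runts
    if ($Duplex -eq 'half') {
        # Collisions are part of normal half-duplex operation, so they count
        # towards the error ratio rather than being a fault in themselves.
        $errorCount = $frameErrors + $Collisions
        $ratio = if ($InputPackets -gt 0) { $errorCount / $InputPackets } else { 0 }
        if ($ratio -le 0.01) {
            $verdict = 'OK'
            $detail  = 'Error ratio within the one percent generally acceptable at half-duplex.'
        } elseif ($ratio -le 0.03) {
            $verdict = 'WATCH'
            $detail  = 'Error ratio between one and three percent; degradation may start to be noticeable.'
        } else {
            $verdict = 'DEGRADED'
            $detail  = 'Error ratio above three percent; expect noticeable performance degradation.'
        }
    } else {
        $errorCount = $frameErrors
        $ratio = if ($InputPackets -gt 0) { $errorCount / $InputPackets } else { 0 }
        if ($Collisions -gt 0) {
            # The collision counter is inactive at full-duplex; if it moves, the
            # switch and the connected device disagree about the duplex setting.
            $verdict = 'DUPLEX MISMATCH'
            $detail  = 'Collisions counted on a full-duplex port; check the duplex setting on both ends.'
        } elseif ($frameErrors -gt 0) {
            $verdict = 'CHECK'
            $detail  = 'FCS/CRC, alignment or runt counters incrementing at full-duplex; check for a duplex mismatch first, then cabling, the switch port, and software or hardware issues.'
        } else {
            $verdict = 'OK'
            $detail  = 'No data link errors on the full-duplex link.'
        }
    }
    [pscustomobject]@{
        Duplex       = $Duplex
        ErrorPercent = [math]::Round($ratio * 100, 2)
        Verdict      = $verdict
        Detail       = $detail
    }
}

# Constructed sample counters (not real switch output).
# Half-duplex, 0.7 percent errors including collisions -> OK
Get-LinkDiagnosis -Duplex half -InputPackets 500000 -FcsErrors 900 -AlignmentErrors 300 -Runts 200 -Collisions 2100
# Full-duplex with FCS and runt counters moving, no collisions -> CHECK
Get-LinkDiagnosis -Duplex full -InputPackets 500000 -FcsErrors 4200 -Runts 800
# Full-duplex with a non-zero collision counter -> DUPLEX MISMATCH
Get-LinkDiagnosis -Duplex full -InputPackets 500000 -Collisions 35
```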


3 Determine false positives

This section lists methods for determining and reducing false positives.

Contents

• Reduce false positives

• Tune your policies

Reduce false positives

Your policy determines what traffic analysis your McAfee® Network Security Sensor (Sensor) will perform. McAfee® Network Security Platform provides a number of policy templates to get you started toward your ultimate goal: prevent attacks from damaging your network, and limit the alerts displayed in the Threat Analyzer to those which are valid and useful for your analysis.

There are two stages to this process: initial policy configuration and policy tuning. Though these are tedious tasks, McAfee has extended its blocking options to include SmartBlocking, which only activates blocking when high confidence signatures are matched, thus minimizing the possibility of false positives. Network Security Platform is replacing its present Recommended for Blocking (RFB) designation with Recommended for SmartBlocking (RFSB) because this new level of granularity enables McAfee to recommend many more attacks: the list of RFB attacks is a subset of the list of RFSB attacks.

The ultimate goal of policy tuning is to eliminate false positives and noise and avoid overwhelming quantities of legitimate, but anticipated, alerts.

Tune your policies

The default McAfee Network Security Platform policy templates are provided as a generic starting point; you will want to customize one of these policies for your needs. So the first step in tuning is to clone the most appropriate policy for your network and your goals, and then customize it. (You can also modify a policy directly rather than modifying a copy.)

Some things to remember when tuning your policies:

• We ask that you set your expectations appropriately regarding the elimination of false positives and noise. A proper Network Security Platform implementation includes multiple tuning phases. False positives and excess noise are routine for the first 3 to 4 weeks. Once properly tuned, however, they can be reduced to a rare occurrence.

• When initially deployed, Network Security Platform frequently exposes unexpected conditions in the existing network and application configuration. What may at first seem like a false positive might actually be the manifestation of a misconfigured router or Web application, for example.


• Before you begin, be aware of the network topology and the hosts in your network, so you can enable the policy to detect the correct set of attacks for your environment.

• Take steps to reduce false positives and noise from the start. If you allow a large number of "noisy" alerts to continue to sound on a very busy network, parsing and pruning the database can quickly become cumbersome tasks. It is preferable to all parties involved to put energy into preventing false positives than into working around them. Exception objects are also an option, where you can have custom rule sets specific to your environment. You can disable all alerts that are obviously not applicable to the hosts that you protect. For example, if you use only Apache Web servers, you can disable IIS-related attacks.

False positives and noise

The mere mention of false positives always causes concern in the mind of any security analyst. However, false positives may mean quite different things to different people. In order to better manage the security risks using any IDS/IPS device, it's very important to understand the exact meanings of the different types of alerts so that the appropriate response can be applied.

With Network Security Platform, there are three types of alerts which are often taken as "false positives":

• incorrectly identified events

• correctly identified events subject to interpretation by usage policy

• correctly identified events uninteresting to the user.

Incorrect identification

These alerts typically result from overly aggressive signature design, special characteristics of the user environment, or system bugs. For example, typical users will never use nested file folders with a path more than 256 characters long; however, a particular user may push Windows' free-style naming to the extreme and create files with path names of more than 1024 characters. Issues in this category are rare. They can be fixed by signature modifications or software bug fixes.

Correct identification — significance subject to usage policy

Events of this type include those alerting on activities associated with Instant Messaging (IM), Internet Relay Chat (IRC), and Peer to Peer programs (P2P). Some security policies forbid such traffic on their network, for example within a corporate common operation environment (COE); others may allow them to various degrees. Universities, for example, typically have a totally open policy for running these applications. Network Security Platform provides two means by which to tune out such events if your policies deem these events uninteresting. First, you can define a customized policy in which these events are disabled. In doing so, the Sensor will not even look for these events in the traffic stream to which the policy is applied. If these events are of interest for most of the hosts except a few, creating exception objects to suppress alerts for the few hosts is an alternative approach.

Correct identification — significance subject to user sensitivity (also known as noise)

There is another type of event which you may not be interested in, due to the perceived severity of the event. For example, Network Security Platform will detect a UDP-based host sweep when a given host sends UDP packets to a certain number of distinct destinations within a given time interval. Although you can tune this detection by configuring the threshold and the interval according to your sensitivity, it's still possible that some or all of the host IPs being scanned are actually not live. Some users will consider these alerts as noise; others will take notice because it indicates possible reconnaissance activity. Another example of noise would be if someone attempted an IIS-based attack against your Apache Web server. This is a hostile act, but it will not actually harm anything except wasting some network bandwidth. Again, a would-be attacker learns something he can use against your network: the fact that the attack failed can help zero in on the type of Web server you use. Users can also better manage this type of event through policy customization or installing attack filters.

Relevance analysis involves the analysis of the vulnerability relevance of real-time alerts, using the vulnerability data imported to the Manager database. The imported vulnerability data can be from Vulnerability Manager or other supported vulnerability scanners such as Nessus.

The noise-to-incorrect-identification ratio can be fairly high, particularly in the following conditions:

• the configured policy includes a lot of Informational alerts, or scan alerts which are based on request activities (such as the All Inclusive policy)

• deployment links where there is a lot of hostile traffic, such as in front of a firewall

• overly coarse traffic VIDS definition that contains very disparate applications, for example, a highly aggregated link in dedicated interface mode

Users can effectively manage the noise level by defining appropriate VIDS and customizing the policy accordingly. For dealing with exceptional hosts, such as a dedicated pentest machine, alert filters can also be used.

Determine a false positive versus noise

Some troubleshooting tips for gathering the proper data to determine whether you are dealing with a false positive or an uninteresting event:

• What did you expect to see? What is the vulnerability, if applicable, that the attack indicated by the alert is supposed to exploit?

• Ensure that you have valid traffic dumps captured from the attack attempt (for example, have packet logging enabled so you can view the resulting packet log).

• Determine whether any applications are suspected of triggering the alert—which ones, which versions, and in what specific configurations.

If you intend to work with McAfee Technical Support on the issue, we ask that you provide the following information to assist in troubleshooting:

• If this occurred in a lab using testing tools rather than live traffic, please provide detailed information about the attack/test tool used, including its name, version, configuration and where the traffic originated.

• If this is a testing environment using a traffic dump replay, make sure that the traffic dumps are valid, TCP traffic follows a proper 3-way handshake, and so on.

• Also, please provide detailed information about the test configuration in the form of a network diagram.

• Create an Evidence Report (within Threat Analyzer) with the packet log.

• Be ready to tell Technical Support how often you are seeing the alerts and whether they are ongoing.


4 System fault messages

This section lists the system fault messages visible in the Manager Operational Status viewer, organized by severity, with Critical messages first, then Errors, then Warnings, then Informational messages.

You can view the faults from the Operational Status menu in the Manager. For more information, see the fault messages for Vulnerability Manager Scheduler and Automatic report import using Scheduler in the McAfee Network Security Platform Integration Guide.

The fault messages you might encounter, their severity, and a description, including information on what action clears the fault, are briefed here. In many cases, the fault clears itself if the condition causing the fault is resolved. In cases where the fault does not clear, you must acknowledge or delete it to dismiss it.

For Sensor faults, go through Manager and Sensor faults. Similarly, for NTBA issues, refer to Manager and NTBA faults.

Contents

• Manager faults

• Sensor faults

• NTBA faults

Manager faults

The Manager faults can be classified into critical, error, warning, and informational. The Action column provides you with troubleshooting tips.

Manager critical faults

These are the critical faults for a Manager and Central Manager. Each entry below gives the fault, its severity, the description or cause, and the action.

Fault: AD groups size exceeded
Severity: Critical
Description/Cause: Currently Manager-MLC integration supports only 2,000 AD groups for NS-series and Virtual IPS and 10,000 AD groups for M-series, which has now been exceeded. Sensor behavior cannot be guaranteed if these numbers are not brought down.
Action: Reduce the number of admin domain user groups to be within the specified limit.

Fault: Approaching max allowable table size
Severity: Critical
Description/Cause: <Percentage value>% capacity. Current largest table size: <Table size value>. To ensure successful database tuning, the Manager begins to drop alerts and packet logs.
Action: Please perform maintenance operations to clean and tune the database.

Fault: AD groups size limitation
Severity: Critical
Description/Cause: Currently Manager-MLC integration supports only {0} AD groups. Sensor version {1} cannot accommodate {2} AD groups.
Action: Reduce the number of groups in Active Directory.


Fault: Audit failed and Manager shutting down
Severity: Critical
Description/Cause: The Manager is not able to log an audit and is shutting down.
Action: Check the ems log to determine the reason for the audit failure.

Fault: Botnet detectors deployment failure
Severity: Critical
Description/Cause: Cannot deploy the botnet detectors to device <Sensor_name>. See system log for details.
Action: Occurs when the Manager cannot push the BOT DAT file to the Sensor. This can result from a network connectivity issue.

Fault: Cannot push down persisted Device configuration information
Severity: Critical
Description/Cause: The attempt by the Manager to deploy the configuration to device {0} failed during device re-initialization. The device configuration is now out of sync with the Manager settings. The device may be down. See the system log for details.
Action: The Manager cannot deploy the original device configuration during device re-initialization. This can also occur when a failed device is replaced with a new unit, and the new unit is unable to discover its configuration information.

Fault: Cannot pull up Sensor configuration MIB information from the Sensor again during a state transition from disconnected to active
Severity: Critical
Description/Cause: Device re-discovery failure. The upload of device configuration information for device {0} failed again after being triggered by the status polling thread. The device is not properly initialized.
Action: This fault occurs as a second part to the "device discovery failure" fault. If the condition of the device changes such that the Manager can again communicate with it, the Manager again checks to see if the device discovery was successful. This fault is issued if discovery fails, thus the device is still not properly initialized. Check to ensure that the device has the latest software image compatible with the Manager software image. If the images are incompatible, update the device image via a tftp server.

Fault: Cannot start control channel service (key store)
Severity: Critical
Description/Cause: The Manager's key file is unavailable and possibly corrupted. This fault could indicate a database corruption.
Action: If you have a database backup file (and think it is not corrupted) you can attempt a Restore. If this does not work, you may need to manually repair the database. Contact McAfee Technical Support.

Fault: Cannot start control channel service (EMS certificate)
Severity: Critical
Description/Cause: Can't obtain the Manager certificate.
Action: If you have a database backup file (and think it is not corrupted), you can attempt a Restore. If this does not work, try executing the Database Maintenance action.

Fault: Cannot generate the SNMP association for the specified Sensor
Severity: Critical
Description/Cause: Failed to create command channel association. The device is not properly initialized. This error indicates a failure to create a secure connection between the Manager and the device, which can be caused by loss of time synchronization between the Manager and device or that the device is not completely online after a reboot.
Action: Restart the Manager and check the device operating status to ensure that the device's health and status are good.

Fault: Cluster software mismatch status
Severity: Critical
Description/Cause: The software versions on the cluster primary and cluster secondary are not the same.
Action: Check for errors in software image download to the cluster.


Fault: Database backup failed
Severity: Critical
Description/Cause: The Manager was unable to back up its database. Error Message: <exception string>.
Action: This message indicates that an attempt to manually back up the database has failed. The most likely cause of failure is insufficient disk space on the Manager server; the backup file may be too big. Check your disk capacity to ensure there is sufficient disk space, and try the operation again.

Fault: Disk space warning
Severity: Critical
Description/Cause: When the utilized disk space in the Manager server exceeds 89% of the capacity. Example: disk space used = 90% invokes a critical fault.
Action: Make sure that the drive where the Manager is installed has sufficient disk space. Please prune and tune the database.

Fault: Dropping alerts and packet logs
Severity: Critical
Description/Cause: <Percentage value>% capacity. Dropping alerts and packet logs.
Action: Please perform maintenance operations to clean and tune the database.

Fault: DXLService is down
Severity: Critical
Description/Cause and Action: The DXLService is down due to one of the following:
• Failure to connect to the ePolicy Orchestrator Server. Check the connectivity between IPS and ePO, or check the logs.
• Failure to connect to the Data eXchange Layer. Check the connectivity between IPS and Data eXchange Layer, or check the logs.
• Failure to start the McAfee Agent service. Check the logs.
• Failure to start the Data eXchange Layer service. Check the logs.

Fault: Fan error
Severity: Critical
Description/Cause: The fan has failed.
Action: Check the fan LEDs on the front of the device to ensure all internal fans are functioning. The fault clears when the temperature falls below its internal 'low' temperature threshold.

Fault: Firewall connectivity failure
Severity: Critical
Description/Cause: The connectivity between the device and the firewall is down. Check the Packet Capture configuration.
Action: This fault can occur in situations where, for example, the firewall machine is down, or the network is experiencing problems. Ping the firewall to see if the firewall is available. Contact your IT department to troubleshoot connectivity issues.

Fault: Gateway Anti-Malware engine initialization failed
Severity: Critical
Description/Cause: Gateway Anti-Malware Engine initialization failed due to some internal error. Gateway Anti-Malware Engine could not be initialized as the required signature files are not available.
Action: Check the logs. Try enabling the automatic signature update option or downloading signatures manually using the CLI.


Fault: Gateway Anti-Malware signature download failure
Severity: Critical
Description/Cause: One of the following:
• Gateway Anti-Malware signature download failed because the signature update failed.
• Gateway Anti-Malware signature download failed because the signature is not available.
• Gateway Anti-Malware signature could not be downloaded because of an update server connection issue.
• Gateway Anti-Malware signature validation failed.
• Gateway Anti-Malware signature could not be downloaded as the update server is not reachable.
• Gateway Anti-Malware signature could not be downloaded as DNS resolution failed for the Anti-Malware update server.
• Gateway Anti-Malware signature could not be downloaded because the proxy server is not reachable.
• Gateway Anti-Malware signature could not be downloaded because proxy authentication failed.
Action: Check the logs. Try enabling the automatic signature update option or downloading signatures manually using the CLI. For the update server and proxy server connection failures, check the network connection. For proxy authentication failure, configure appropriate credentials for the proxy.

Fault: Geo IP location file download failure
Severity: Critical
Description/Cause: Cannot push Geo IP location file to device <Sensor_name>. See system log for details.
Action: Occurs when the Manager cannot push the Geo IP Location file to a Sensor. Could result from a network connectivity issue.

Fault: GTI File Reputation DNS Error
Severity: Critical
Description/Cause: One of the following messages:
• Connectivity to Artemis server is restored.
• Error connecting to local DNS server.
• Malformed DNS response from Artemis server.
• Error connecting to Artemis server.
• Information not available in Artemis server.
• Sensor internal memory error on connecting to Artemis server.
• Sensor internal query error on connecting to Artemis server.
• Unknown internal error on connecting to Artemis server.
Action: You may need to correct the Artemis DNS configuration.

Fault: Hardware error
Severity: Critical
Description/Cause: This is a generic hardware related error in the device.
Action: Check the device to know more.

Fault: Incompatible custom attack
Severity: Critical
Description/Cause: One or more custom attack definitions are incompatible with the current signature set. Error message: <exception string>.
Action: The Custom Attack Editor indicates which definitions are incompatible. (Incompatibility could result from attack or signature overlap.) Update the definition in the Custom Attack Editor and try again.


Fault: Incompatible UDS signature
Severity: Critical
Description/Cause: A user-defined signature (UDS) is incompatible with the current signature set.
Action: You will need to edit your existing UDS attacks to make them conform to the new signature set definitions. Bring up the Custom Attack Editor (IPS Settings > Advanced Policies > Custom Attack Editor) and manually perform the edit / validation. This fault clears when a subsequent UDS compilation succeeds.

Fault: Link failure of <Sensor>
Severity: Critical
Description/Cause: The link between this port and the external device to which it is connected is down.
Action: This is a connectivity issue. Contact your IT department to troubleshoot network connectivity. This fault clears when communication is re-established.

Fault: Low JVM Memory
Severity: Critical
Description/Cause: The Manager is experiencing high memory usage. Available system memory is low.
Action: Reboot the Manager server.

Fault: Low Tomcat JVM Memory
Severity: Critical
Description/Cause: The Manager is experiencing high memory usage. Available system memory is low.
Action: Reboot the Manager server.

Fault: Packet log save failed
Severity: Critical
Description/Cause: The Manager was unable to access the packet log tables in the database. Error Message: <exception string>.
Action: An attempt to save packet log data to the database failed, most likely due to insufficient database capacity. Please ensure that the disk space allocated to the database is sufficient, and try the operation again.

Fault: Power supply error
Severity: Critical
Description/Cause: There is a power supply error to the device. Restore the power supply to clear this fault.
Action: Check power to the outlet providing power to the power supply; if a power interruption is not the cause, replace the failed power supply.

Fault: <Sensor_name> configuration update failure
Severity: Critical
Description/Cause: The attempt by the Manager to deploy the configuration to device <Sensor_name> failed during device re-initialization. The device configuration is now out of sync with the Manager settings. The device may be down. See the system log for details.
Action: The Manager cannot push the original device configuration during device re-initialization. This can also occur when a failed device is replaced with a new unit, and the new unit is unable to discover its configuration information.

Fault: Sensor attack detection error
Severity: Critical
Description/Cause: The Sensor attack detection stopped on one or more engines. A device reboot may be required to resolve the issue.
Action: Message generated based on the Sensor attack detection error. A device reboot may be required.

Fault: Simultaneous FIPS role logon
Severity: Critical
Description/Cause: Users from all three FIPS mode roles (Audit Administrator, Crypto Administrator and Security Administrator) have logged onto the Manager at the same time.
Action: This message is informational.

Fault: Software error
Severity: Critical
Description/Cause: A recoverable software error has occurred within the device. A device reboot may be required.
Action: This error may require a reboot of the device, which may then resolve the issue causing the fault.


Fault: Temperature error
Severity: Critical
Description/Cause: Device temperature is outside its normal range.
Action: Check the fan LEDs on the front of the Sensor to ensure all internal device fans are functioning. This fault will clear when the temperature returns to its normal

SNMP query

Fault: Device reboot required
Severity: Critical
Description/Cause: This fault can be due to two reasons: the SNMPD process restart exceeded the maximum threshold, or a communication failure in the management processor.
Action: Manually reboot the Sensor, which may then resolve the issue causing the fault.

Signature set

Fault: IPS signature set import failure
Severity: Critical
Description/Cause: The attempt to import the IPS signature set into the Manager was not successful.
Action: A valid signature set must be present before any action can be taken in Network Security Platform.

Fault: Memory Error
Severity: Critical
Description/Cause: This is a generic memory related error in the device.
Action: Check the device to know more.

Fault: Signature set import failed
Severity: Critical
Description/Cause: The attempt to import the signature set into the Manager was not successful. (A valid signature set must be present on the Manager for it to work as expected.)
Action: A valid signature set must be present before any action can be taken in Network Security Platform.

Fault: Signature set download failure
Severity: Critical
Description/Cause: The attempt by the Manager to deploy the signature set to device <Sensor_name> failed. See the system log for details. (The Manager will continue to attempt deployment.)
Action: Occurs when the Manager cannot push the signature set file to a Sensor. Could result from a network connectivity issue.

Server communication

Fault: Communication failure with the Network Security Platform Update Server
Severity: Critical
Description/Cause: The Manager is unable to communicate with the Update Server. Any connectivity issues with the Update Server will generate this fault, including DNS name resolution failure, Update Server failure, proxy server connectivity failure, network connectivity failure, and even situations where the network cable is detached from the Manager server.
Action: This fault clears when communication with the Update Server succeeds. If your Manager is connected to the Internet, ensure it has connectivity to the Internet.

Fault: Communication failure with the proxy server
Severity: Critical
Description/Cause: The Manager is unable to communicate with the proxy server. (This fault can occur only when the Manager is configured to communicate with a proxy server.)
Action: This fault clears when communication to the Update Server through the proxy succeeds.


Fault: Communication failure with the McAfee Update Server
Severity: Critical
Description/Cause: The Manager is unable to establish network connectivity with the Update Server. See the system log for details.
Action: Any connectivity issue with the Update Server will generate this fault, including DNS name resolution failure, Update Server failure, proxy server connectivity failure, network connectivity failure, and even situations where the network cable is detached from the Manager server. This fault clears when communication with the Update Server is restored.

Manager Disaster Recovery (MDR)

Fault: Conflict in MDR IP address type
Severity: Critical
Description/Cause: Device detected a conflict with MDR IP address type as <IPv4/IPv6> instead of type <IPv6/IPv4>.
Action: You may need to correct the MDR configuration.

Fault: Conflict in MDR Mode
Severity: Critical
Description/Cause: MDR mode: Manager IP address / MDR status.
Action: There is a problem with the MDR configuration. Check your MDR settings.

Fault: Conflict in MDR Pair IP address
Severity: Critical
Description/Cause: Device detected a conflict with MDR-Pair IP address: Manager IP address / MDR action.
Action: You may need to correct the MDR configuration.

Fault: Conflict in MDR Status
Severity: Critical
Description/Cause: Sensor found a conflict with MDR-Status; ISM-IPAddress / MDR-Status as <ISMAddress> / Up/Down and <PeerISMAddress> / Up/Down.
Action: There is a problem with the MDR configuration. Check your MDR settings.

Fault: Generic device error
Severity: Critical
Action: Review device status.

Fault: MDR - system time synchronization error
Severity: Critical
Description/Cause: The two Managers in an MDR pair must have the same operating system time. Ensure both Managers are in sync with the same time source. (Otherwise, the device communication channels will experience disconnects.)
Action: Ensure both Managers are in sync with the current time.

Fault: MDR pair changed <NSM Name or NSCM Name>
Severity: Critical
Description/Cause: The <NSM Name or NSCM Name> Manager was <previousPrimaryIpAddr/previousSecIpAddr>, and now the primary and secondary are <presentPrimaryIpAddr/presentSecIpAddr>.
Action: Correct the MDR pair.

Fault: The Manager <Manager_name> has switched to MDR mode, and this Manager cannot handle the change
Severity: Critical
Description/Cause: The Manager is found Inactive (standby) for now; the peer Manager is either not reachable or does not have data.
Action: If the Manager that has moved to MDR mode is the Network Security Central Manager, then make the Central Manager which has all the Network Security Manager data Active, or re-form MDR. If the Manager that moved to MDR is a Network Security Manager, then make the Manager which has the Central Manager data Active, or make sure that the active Manager has the Central Manager configuration data.


Fault: The Manager_name has moved to MDR mode, and this Manager cannot handle the change
Severity: Critical
Description/Cause: The Central Manager server is in Standby mode. The Manager server which is configured by the Central Manager goes into secondary Standby mode after MDR creation or before the data dump from primary to secondary takes place. The Manager server configured by the Central Manager is in Active mode but is in a disconnected state and therefore cannot communicate with the Central Manager. If the Manager is reconnected and the Central Manager is in Standby mode, then the peer Central Manager does not have the Manager configuration.
Action: If the Central Manager server has moved to Standby, then move the Central Manager with the latest Manager information to Active mode, or recreate the MDR pair. If the Manager has moved to Standby, then make the Manager with the Central Manager information Active, or make sure that the active Central Manager or Manager has the latest configuration data.

Fault: The Manager has moved to MDR mode, and this Manager cannot handle the change
Severity: Critical
Description/Cause: The Manager server is in Standby mode (MDR action) and the active peer Manager does not have the Central Manager information.
Action: If the Manager server has moved to Standby, then make the Central Manager with the latest Manager information Active, or re-form MDR; if the Manager has moved to Standby, then make the Manager with the Central Manager information Active, or make sure that the active Central Manager or Manager has the latest configuration data.

Fault: There is conflict in the MDR configuration for the Manager <Manager_name>
Severity: Critical
Description/Cause: The configuration between an existing MDR pair (Manager 1 and Manager 2, both configured with a Central Manager) is disabled and a new MDR pair configuration has been created with Manager 2 and Manager 3. Manager 2 is in Standby mode and Manager 3 does not have a Central Manager configuration.
Action: Dissolve and recreate the MDR pair.

Fault: The MDR connection is down.
Severity: Critical
Description/Cause: The communication from <Primary/Secondary> to <Secondary/Primary> is down.
Action: Look into the connection statuses of the systems and the Manager logs.

Vulnerability Manager configuration

Fault: Scheduled Vulnerability Manager vulnerability data import failed
Severity: Critical
Description/Cause: This message indicates that the vulnerability data import by the Scheduler from the Vulnerability Manager database has failed.
Action: Refer to the error logs for details.

Fault: Vulnerability data import from Vulnerability Manager failed
Severity: Critical
Description/Cause: The scheduled import of vulnerability data from the FoundStone database server into the ISM database table failed.
Action: This message is informational.


Fault: On demand scan failed
Severity: Critical
Description/Cause: Scan failed because the connection to the Vulnerability Manager Scan Engine was refused. <Connection has been reset by Foundstone Server. Unable to communicate with Foundstone Server. FoundScan Engine may not be reachable or Failed to resolve Fully Qualified Domain Name. SSL Handshake with FoundScan Engine Failed.>, <Please check if the FS API Service port has been blocked by Firewall or if valid port has been specified. Please check the ems log for more details. Try adding the engine host name entry to the DNS Server or Try adding an entry for engine IP and host name in hosts file located in windows\system2\drivers\etc. No Trusted Certificate found, Please check the Foundstone version and certificates used for communication. Please check if the FS API Service port has been blocked by Firewall or if valid port has been specified.>
Action: See the fault message.

Advanced Threat Defense connectivity

Fault: Communication failure with the Advanced Threat Defense device
Severity: Critical
Description/Cause: The Manager is unable to establish connectivity with the Advanced Threat Defense (ATD) device. See the system log for details. This fault will be cleared when the connection is restored.
Action: Any connectivity issue with the Advanced Threat Defense (ATD) will generate this fault, including ATD device failure, network connectivity failure, and even situations where the network cable is detached from the Manager server. This fault clears when communication with the ATD is restored.

Fault: Valid Edge certificate download failure
Severity: Critical
Description/Cause: Cannot push the Valid Edge certificate to device <Sensor_name>. See the system log for details.
Action: Occurs when the Manager cannot push the Valid Edge certificate to a device. Could result from a network connectivity issue.

Central Manager

Fault: Central Manager custom attack synchronization failed
Severity: Critical
Description/Cause: Port conflict in Central Manager custom attack definition synchronization. Port <port_name> is already in use. Free this port for Central Manager synchronization to succeed.
Action: Free this port for McAfee® Network Security Central Manager synchronization to succeed.

Fault: Deleted Manager information
Severity: Critical
Description/Cause: The Manager information <mgr_ip_address> has been deleted. Reason: <The action Standalone to MDR is received where the peer already has <standby_manager> configured, and hence the mgr info of <standby_managers> is deleted; this LM will no longer be trusted>.
Action: See the fault message.


Fault: Manager <Manager_name> unreachable
Severity: Critical
Description/Cause: Connectivity with Manager <Manager_name> has been lost.
Action: Indicates that the Network Security Central Manager and the Network Security Managers cannot communicate with each other; the connection between the two may be down, or the Manager has been administratively disconnected. Troubleshoot connectivity issues: 1) check that a connection route exists between the Network Security Central Manager and the Network Security Manager; 2) access the Network Security Manager/Network Security Central Manager directly. This fault clears when the Manager detects the Sensor again.

Fault: Manager <Manager_name> MDR error
Severity: Critical
Description/Cause: Manager <Manager_name> detected in standby mode. The peer Manager <peer_Manager_name> is either not reachable or does not have <configuration> data.
The Manager <Manager_name> used to be the <previousIp>/<previousPeerIp> MDR configuration and is now the <currentIp>/<currentIpsPeer> MDR configuration, and the primary Manager <currentIp> is not active and its peer <currentIpsPeer> does not have <ICC> configured.
Action: If the Manager which has moved to MDR mode is the Network Security Central Manager, then make the Central Manager which has all the Network Security Managers' data Active, or re-form MDR; if the Manager that moved to MDR is a Network Security Manager, then make the Manager which has the Central Manager data Active, or make sure that the active Manager has the Central Manager configuration data.

Fault: MDR configuration conflict for Manager <Manager_name>
Severity: Critical
Description/Cause: Manager <primary_mgr_ip> is in <standalone/MDR pair> mode, and its peer Manager <secondary_mgr_ip> is in <standalone/MDR pair> mode.
Action: Correct the MDR pair.

Fault: MDR pair changed
Severity: Critical
Description/Cause: This fault reports a change of MDR configuration for a Local Manager or Central Manager: for this Manager, the IP addresses of the underlying MDR pair have changed. The fault gives the old and new IP addresses of the primary and secondary Manager.
Action: Correct the MDR pair.

Fault: The Manager <Manager_name> is not reachable
Severity: Critical
Description/Cause: Indicates that the Network Security Central Manager and the Manager cannot communicate with each other; the connection between the two may be down, or the Manager has been administratively disconnected.
Action:
1 Check that a connection route exists between the Network Security Central Manager and the Manager.
2 Access the Manager/Network Security Central Manager directly.
This fault clears when the Manager detects the Sensor again.


Fault: No communication exists between Central Manager and Manager.
Description/Cause: Indicates that the Central Manager server and the Manager cannot communicate with each other. The connection between the two may be down, or the Central Manager has been administratively disconnected.
Action:
1 Check that a connection route exists between the Central Manager and the Manager.
2 Access the Manager directly. This fault clears when the Manager detects the Sensor again.

Fault: Network Security Central Manager UDS signature synchronization failed
Severity: Critical
Description/Cause: Port conflict in Network Security Central Manager UDS synchronization. The port is already in use by UDS. Free this port for Central Manager synchronization to succeed.
Action: Free this port for Network Security Central Manager synchronization to succeed.

Fault: Trust request failure
Severity: Critical
Description/Cause: The trust request has failed. Error message: <exception string>. One of the following reasons is given:
The trust request has failed because Manager <Network Security Central Manager> may not be reachable. Please confirm the Manager IP address and that its service is up and running.
The trust request has failed because Manager <Network Security Central Manager> has not yet been configured.
The trust request has failed because the <Network Security Central Manager> already has a trust using the configured name. The previous trust with <Network Security Central Manager> may represent this Manager or another. The solution is to delete and re-add the configuration with <Network Security Central Manager>.
The trust request has failed because the configured Manager is in MDR mode, and no active <Network Security Central Manager> Manager has been detected with which to establish the trust.
The trust request failed due to an internal error.
Action: See the additional text information.

Alert queue threshold alarms

Fault: Alert save failed
Severity: Critical
Description/Cause: The Manager was unable to access the alert tables in the database. Error Message: <exception string>.
Action: An attempt to save alerts to the database failed, most likely due to insufficient database capacity. Ensure that the disk space allocated to the database is sufficient, and try the operation again.


Fault: Alert capacity threshold exceeded
Severity: Critical
Description/Cause: <Percentage value>% capacity. Number of alerts: <Number of alerts>. (Database maintenance and tuning is required.)
Action: Perform maintenance operations to clean and tune the database.

Fault: Database connectivity problems
Severity: Critical
Description/Cause: The Manager is having problems communicating with its database. Error Message: <exception string>.
Action: Check whether the database service is running and connectivity is present.

Fault: Database connectivity lost
Severity: Critical
Description/Cause: The Manager has lost connectivity with its database. Error Message: <exception string>.
Action: Check the database connectivity.

Fault: Database integrity error
Severity: Critical
Description/Cause: Unable to locate the index file for table: <index_file_name>.
Action: Repair the corrupt database tables.

Fault: Exceeding alert capacity threshold
Severity: Critical
Description/Cause: As with the "Approaching alert capacity threshold" fault message, this message indicates the percentage of space occupied by alerts in the database. This message appears once you have exceeded the alert threshold specified in Manager | Maintenance.
Action: Perform maintenance operations to clean the database. Delete unnecessary alerts, such as alerts older than a specific number of days. Failure to create additional space could cause undesirable behavior in the Manager.

Licensing

Fault: License expires soon
Severity: Critical
Description/Cause: Indicates that your Network Security Platform license is about to expire; this fault first appears 7 days prior to expiration.
Action: Contact [email protected] for a current license. This fault clears when the license is current. Please contact Technical Support or your local reseller.

Fault: License expired
Severity: Critical
Description/Cause: Indicates that your Network Security Platform license has expired.
Action: Contact [email protected] for a current license. This fault clears when the license is current.

Virtual IPS Sensor

Fault: License non-compliance
Severity: Critical
Description/Cause: When the number of virtual IPS Sensors installed exceeds the number of licenses purchased, this fault appears in the Manager.
Action: Import the required licenses into the Manager before installation, or contact Technical Support or your local reseller.

Fault: Manager does not have enough licenses to manage the current number of virtual IPS Sensors
Severity: Critical
Description/Cause: The number of licenses needed to become compliant.
Action: Contact Technical Support or your local reseller to obtain a license.


Manager error faults

These are the error faults for a Manager and Central Manager.

Fault: Anti-virus DAT file error
Severity: Error
Description/Cause: A device is detecting an error on av-dat file segment <segment_id>. The segment error cause is <unknown cause>, and the download type is <init/update>.
Action: Make sure that the Sensor is online and in good health. The Manager will make another attempt to push the file to the Sensor. This fault will clear when the av-dat file is successfully pushed to the Sensor.

Fault: Device in bad health
Severity: Error
Description/Cause: Please check the running status of device <device_name>. This fault occurs with any type of device software failure. (It usually occurs in conjunction with a software error fault.)
Action: If this fault persists, we recommend that you perform a Diagnostic Trace and submit the trace file to Technical Support for troubleshooting.

Fault: ePO Server Connection Error
Severity: Error
Description/Cause: The Manager has no connection to the configured ePO server.
Action: Indicates that the Manager has no connection to the configured ePO server. This can be due to network connectivity issues, incorrect credentials, or incorrect configuration. Refer to the ePO integration documentation for more information.

Fault: Firewall filter application error
Severity: Error
Description/Cause: Error applying firewall filter <FILTER: [AttackID=<attackId>] [VidsID=<vidsId>] [SrcIP=<srcIP>] [DstIP=<dstIP>] [Port=<port>] [Protocol=<protocol>] [type=<typeString>]>. An attempt to apply this firewall filter from the device to the firewall has failed. Failure reason: <Exceed Max Number of Filters / Error Applying Filter / Timeout During Adding Filter / Unknown Host Isolation Error #>.
Action: Check your firewall configuration. If possible, increase the maximum number of available filters. Ensure connectivity between the Sensor and the firewall.

Fault: IP: IPS quarantine block nodes exhausted
Severity: Error
Description/Cause: When the number of quarantine rules exceeds the maximum permitted limit, the Central Manager raises a fault message to the Manager. This can be viewed as an alert in the Threat Analyzer.
Action: For more information on quarantine and remediation functionality, see Quarantine settings. You can have up to 1000 quarantine rules for IPv4 addresses, and up to 500 quarantine rules for IPv6 addresses.

Fault: MLC Server Connection Error
Severity: Error
Description/Cause: The Manager has no connection to the configured MLC server.
Action: Indicates that the Manager has no connection to the configured MLC server. This can be due to an incorrect certificate import, network connectivity issues, or issues internal to the MLC server. Refer to the MLC integration documentation for more information.

Mail server and queue


Fault: Alert queue full
Severity: Error
Description/Cause: The Manager has reached its limit <queue_size_limit> for alerts that can be queued for storage in the database. (<no_of_alerts> alerts dropped)
Action: Indicates that the Manager has reached the limit (default of 100,000) of alerts that can be queued for storage in the database. Alerts are being detected by your Sensor(s) faster than the Manager can process them. This is evidence of extremely heavy activity. Check the alerts you are receiving to see what is causing the heavy traffic on the Sensor(s).

Fault: E-mail server unreachable
Severity: Error
Description/Cause: Connection attempt to e-mail server <mail server> failed. Error: <Messaging Exception String>.
Action: This fault indicates that the SMTP mailer host is unreachable, and occurs when the Manager fails to send an email notification or a scheduled report. This fault clears when an attempt to send the email is successful.

Fault: Packet log queue full
Severity: Error
Description/Cause: The Manager packet log queue has reached its maximum size of <pktlog_queue_size_limit>. (<no_of_pktlogs_dropped> packets)
Action: The Manager packet log queue has reached its maximum size (default 200,000 packets), and is unable to process packets until there is space in the queue. Packets are being detected by your Sensor(s) faster than the Manager can process them. This is evidence of extremely heavy activity. Check the packets you are receiving to see what is causing the heavy traffic on the Sensor(s).

Severity: Error
Description/Cause: The Manager packet log queue has reached its maximum size (default 200,000 alerts), and is unable to process packet logs until there is space in the queue.
Action: This is evidence of extremely heavy activity. Check the packet logs you are receiving to see what is causing the heavy traffic on the Sensor. Also see the suggested actions for the alert "Unarchived, queued alert count full".

Fault: Packet capturing error
Severity: Error
Description/Cause: One of the following:
The device detected an error connecting to the SCP server while attempting to transfer a packet capture file. The device is unable to send the packet capture file via SCP.
The device has stopped capturing packets due to insufficient internal memory.
The device experienced an internal error while performing the packet capture.
The device is unable to authenticate with the target server to transfer a packet capture file.
Action: The device will attempt to recover automatically. Check the Packet Capture configuration.


Fault: Queue size full
Severity: Error
Description/Cause: The Manager alert queue has reached its maximum size (default 200,000 alerts), and is unable to process alerts until there is space in the queue. Alerts are being detected by your Sensor(s) faster than the Manager can process them. This is evidence of extremely heavy activity.
Action: Check the alerts you are receiving to see what is causing the heavy traffic on the Sensor(s).

Description/Cause: The Manager alert slow consumer (SNMP Trap forwarder) queue has reached its maximum size of alerts dropped)
Action: The Manager alert slow consumer (SNMP Trap forwarder) queue has reached its maximum size, and is unable to forward alerts until there is space in the queue. Alerts are being detected by your Sensor(s) faster than the Manager can process them. This is evidence of extremely heavy activity. Check the alerts you are receiving to see what is causing the heavy traffic on the Sensor(s).

Fault: Syslog Server unreachable
Severity: Error
Description/Cause: Connection attempt to Syslog server <server address> failed. Error: <Syslog TCP connection failed>.
Action: This fault indicates that the Syslog server is unreachable, and occurs when the Manager fails to send a syslog notification. This fault clears when an attempt to send the syslog is successful.

Fault: Unarchived, queued packet log count full
Severity: Error
Description/Cause: Indicates that the Manager has reached the limit (default of 100,000) of packet logs that can be queued for storage in the database. Also indicates the number of dropped packet logs.
Action: Indicates that the Manager has reached the limit (default of 100,000) of packets that can be queued for storage in the database. Packets are being detected by your Sensor(s) faster than the Manager can process them. This is evidence of extremely heavy activity. Check the packets you are receiving to see what is causing the heavy traffic on the Sensor(s).

Update device configuration

Fault: Device configuration update failed
Severity: Error
Description/Cause: A device configuration update failed to be pushed from the Manager server to the Sensor.
Action: See the ems.log file to isolate the reason for the failure.

Alert capacity monitor

Fault: Approaching alert capacity threshold
Severity: Error
Description/Cause: <Percentage_value>% capacity. Number of alerts: <number_of_alerts>. (Database maintenance and tuning is recommended.)
Action: Perform maintenance operations to clean and tune the database.

Fault: Approaching alert capacity
Severity: Error
Description/Cause: Current database size is <x> GB and disk capacity is <y>.

Incident Manager

Fault: Incident update failed
Severity: Error
Description/Cause: The Manager is unable to accept more incidents from the Incident Generator. Error message: <exception string>.
Action: You have reached the maximum number of incidents that can be accepted by the Manager. Delete old incidents to provide room for incoming incidents.

Alert queue threshold alarms


Fault: Alert pruning failure
Severity: Error
Description/Cause: The Manager was unable to prune alerts and packet logs during normal maintenance. Error Message: <exception string>.
Action: Check your database connections.

Device upload scheduler

Fault: Scheduled botnet detector deployment failure
Severity: Error
Description/Cause: The Manager was unable to perform the scheduled Bot DAT deployment to the device <Sensor_name>.
Action: Indicates that the Manager was unable to perform the scheduled BOT DAT deployment to the Sensor. This is because of network connectivity between the Manager and the Sensor, or an invalid DAT file. This fault clears when an update is sent to the Sensor successfully.

Fault: Scheduled IPS signature set deployment failure
Severity: Error
Description/Cause: The Manager was unable to perform the scheduled signature set deployment to the device. Error Message: <exception string>.
Action: This fault can indicate problems with network connectivity between the Manager and the Sensor, incompatibility between the update set and the Manager software, compilation problems with the signature update set, or an invalid update set. This fault clears when an update is sent to the Sensor successfully.

Real-time update scheduler

Fault: Real-time Scheduler - signature set update from Manager to Sensor failed
Severity: Error
Description/Cause: Unable to make the scheduled signature set update from the Manager to the Sensor.
Action: This fault can indicate problems with network connectivity between the Manager and the Sensor. This fault clears when a signature update is applied successfully.

Fault: Scheduled real-time update from Update Server to Manager failed
Severity: Error
Description/Cause: Unable to make the scheduled update of Manager signature sets. This fault can indicate, for example, problems with network connectivity between the Update Server and the Manager or between the Manager and the Sensor; invalid update sets; or update sets that were not properly signed.
Action: This fault clears when a signature update is applied successfully.

Fault: Scheduled BOT DAT signature set download failure
Severity: Error
Description/Cause: The Manager is unable to perform the scheduled BOT DAT signature set download from the GTI Server. Error Message: <exception string>.
Action: This fault can indicate problems with network connectivity between the GTI Server and the Manager, or an invalid BOT DAT file. This fault clears automatically once a new signature set update is successfully installed.


Fault: Scheduled IPS signature set download failure
Severity: Error
Description/Cause: The Manager is unable to perform the scheduled signature set download from the Update Server. Error Message: <exception string>.
Action: This fault can indicate problems with network connectivity between the Update Server and the Manager; invalid update sets; or update sets that were not properly signed. This fault clears when a signature update is applied successfully.

Fault: Queue size full
Severity: Error
Description/Cause: The Manager alert queue has reached its maximum size (default 200,000 alerts), and is unable to process alerts until there is space in the queue. Alerts are being detected by your Sensor(s) faster than the Manager can process them. This is evidence of extremely heavy activity.
Action: Check the alerts you are receiving to see what is causing the heavy traffic on the Sensor(s).

Manager warning faults

These are the warning faults for a Manager and Central Manager.

Fault: Disk Space Warning
Severity: Warning
Description/Cause: Raised when the utilized disk space on the Manager server is between 80% and 89%. Example:
• Used disk space = 80% invokes a warning.
• Used disk space = 79% does not result in any fault.
Action: Make sure that the drive where the Manager is installed has sufficient disk space.
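The queue and capacity faults in this chapter (Alert queue full, Packet log queue full, the two alert capacity threshold faults, and the Disk Space Warning band just above) all carry numbers that a responder wants pulled out and compared against the stated limits. The script below is an added example, not part of this guide or of the Network Security Platform product: it builds parsers from the message templates in the fault table, applies the thresholds the table states (alert queue default 100,000; packet log queue default 200,000; disk space warning at 80% to 89%), and triages a few constructed sample lines. The function names, the `FaultTriage` fields, the `configured_threshold` parameter (standing in for the alert threshold set under Manager | Maintenance) and the sample lines are this example's own assumptions.

```python
"""Triage helpers for the Manager queue and capacity faults listed in this guide.

Added example, not part of the McAfee guide or product: the message templates
are taken from the fault table; the log lines below are constructed samples,
and the function names, dataclass fields and the 'configured_threshold'
parameter are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Default queue limits stated in the fault table (alert queue 100,000;
# packet log queue 200,000). A site may configure different values.
DEFAULT_ALERT_QUEUE_LIMIT = 100_000
DEFAULT_PKTLOG_QUEUE_LIMIT = 200_000

# Regexes built from the message templates in the table; placeholders such
# as <queue_size_limit> and <no_of_alerts> become capture groups.
_ALERT_QUEUE_RE = re.compile(
    r"The Manager has reached its limit (\d[\d,]*) for alerts that can be "
    r"queued for storage in the database\. \((\d[\d,]*) alerts dropped\)")
_PKTLOG_QUEUE_RE = re.compile(
    r"The Manager packet log queue has reached its maximum size of "
    r"(\d[\d,]*)\. \((\d[\d,]*) packets\)")
_CAPACITY_RE = re.compile(r"(\d{1,3})% capacity\. Number of alerts: (\d[\d,]*)")


@dataclass
class FaultTriage:
    fault: str      # fault name as listed in the table
    severity: str   # severity as listed in the table
    dropped: int    # alerts or packet logs lost, when the message reports it
    note: str       # what a responder should look at next


def _num(text: str) -> int:
    return int(text.replace(",", ""))


def disk_space_fault(used_pct: int) -> Optional[str]:
    """Disk Space Warning band from the table: 80%..89% used raises a Warning,
    79% raises nothing. Higher bands are not defined on this page, so they are
    reported as a separate value rather than guessed."""
    if used_pct < 80:
        return None
    if used_pct <= 89:
        return "Warning"
    return "Above warning band"


def triage_fault_line(line: str, configured_threshold: int = 80) -> Optional[FaultTriage]:
    """Map one Manager fault message to the table entry it belongs to.

    configured_threshold stands in for the alert threshold under Manager |
    Maintenance (assumed value): at or above it the capacity message is the
    Critical 'Exceeding' fault, below it the Error 'Approaching' fault."""
    m = _ALERT_QUEUE_RE.search(line)
    if m:
        limit, dropped = _num(m.group(1)), _num(m.group(2))
        note = "Alerts arrive faster than the Manager stores them; find the Sensor generating the load."
        if limit != DEFAULT_ALERT_QUEUE_LIMIT:
            note += f" Queue limit {limit} differs from the default {DEFAULT_ALERT_QUEUE_LIMIT}."
        return FaultTriage("Alert queue full", "Error", dropped, note)
    m = _PKTLOG_QUEUE_RE.search(line)
    if m:
        limit, dropped = _num(m.group(1)), _num(m.group(2))
        note = "Packet logs arrive faster than the Manager stores them; find the Sensor generating the load."
        if limit != DEFAULT_PKTLOG_QUEUE_LIMIT:
            note += f" Queue limit {limit} differs from the default {DEFAULT_PKTLOG_QUEUE_LIMIT}."
        return FaultTriage("Packet log queue full", "Error", dropped, note)
    m = _CAPACITY_RE.search(line)
    if m:
        pct, count = int(m.group(1)), _num(m.group(2))
        if pct >= configured_threshold:
            return FaultTriage("Exceeding alert capacity threshold", "Critical", 0,
                               f"{count} alerts fill {pct}% of capacity; prune old alerts and tune the database.")
        return FaultTriage("Approaching alert capacity threshold", "Error", 0,
                           f"{count} alerts fill {pct}% of capacity; schedule database maintenance.")
    return None


# Constructed sample lines in the table's message formats (not real Manager output).
SAMPLE_LINES = [
    "The Manager has reached its limit 100000 for alerts that can be queued for storage in the database. (2500 alerts dropped)",
    "The Manager packet log queue has reached its maximum size of 150000. (800 packets)",
    "85% capacity. Number of alerts: 4200000. (Database maintenance and tuning is required.)",
    "The Manager was not shut down gracefully. (Database tuning is recommended.)",
]


def triage_all(lines=SAMPLE_LINES, configured_threshold: int = 80):
    """Return triage results for the lines the parser recognises; others are skipped."""
    return [t for t in (triage_fault_line(l, configured_threshold) for l in lines) if t]


if __name__ == "__main__":
    for t in triage_all():
        print(f"{t.severity:8} {t.fault}: dropped={t.dropped}; {t.note}")
```

The unrecognised fourth sample line is skipped on purpose: the parser only claims the faults whose templates it was built from, so a line that does not match is left for manual review rather than being forced into a category.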

Fault: Failed to backup IDS Policy
Severity: Warning
Description/Cause: Failed to backup Policy.
Action: Delete previous versions.

Severity: Warning
Description/Cause: Failed to backup Policy.
Action: Please contact technical support or your local reseller.

Fault: Failed to backup Recon Policy
Severity: Warning
Description/Cause: Failed to backup Policy.
Action: Please contact technical support or your local reseller.

Severity: Warning
Description/Cause: Failed to backup Policy.
Action: Delete the previous version.

Fault: Initiating Audit Log file rotation
Severity: Warning
Description/Cause: The Audit Log capacity of the Manager was reached, and the Manager will begin overwriting the oldest records with the newest records (i.e. first in, first out). The fault indicates the number of records that have been written to the audit log; an equal number of audit log records are now being overwritten.
Action: This fault will be raised after a configured number of records are written. No action is required. The capacity is configured in the iv_emsproperties table in MySQL; this option can be turned off. If this feature is enabled, when disk capacity is reached or audit log capacity is reached, then Audit Log rotation is initiated.

Fault: Invalid Malware File Archive Storage Settings
Severity: Warning
Description/Cause: The available free disk space on the Manager is less than the disk space required to support the current malware storage settings.
Action: Reduce the maximum disk space allowed for one or more file types.

Fault: MLC IP - User mapping/User count exceeds limit
Severity: Warning
Description/Cause: Currently, NSM-MLC integration supports only 100000 IP-user mappings and 75000 users. One of these limits has been exceeded, so the device behavior cannot be guaranteed until these numbers are brought down.
Action: Check the MLC server configured with this Manager. Consider reducing the number of users/computers that are monitored by MLC.


Fault: Packet capture complete
Severity: Warning
Description/Cause: The device is near capacity. Packet captures might not capture all packets.
Action: Check the Packet Capture configuration and restart if required.

Fault: Policy Update Failed
Severity: Warning
Description/Cause: Failed to update the following policies during Signature Set import. Please edit the policy to fix the issue.
Action: Edit the policy to fix the issue.

Fault: System startup in progress; alerts being restored
Severity: Warning
Description/Cause: System startup restored alerts from the archive file. Threat Analyzer may not show all alerts.
Action: Threat Analyzer may not show all alerts.

Vulnerability Manager configuration

Fault: IPS policy backup failure
Severity: Warning
Description/Cause: Failed to back up policy <policy_name>.
Action: See the ems logs.

Severity: Warning
Description/Cause: Failed to back up policy <policy_name>. The maximum limit of <value> has been reached.
Action: Delete previous versions.

Fault: Reconnaissance policy backup failure
Severity: Warning
Description/Cause: Failed to back up policy <policy_name>.
Action: See the ems logs.

Severity: Warning
Description/Cause: Failed to back up policy <policy_name>. The maximum limit of <value> has been reached.
Action: Delete previous versions.

Policy synchronization

Fault: Policy synchronization aborted
Severity: Warning
Description/Cause: Policy synchronization has aborted because concurrent processes are running on the Manager.
Action: Policy synchronization aborted because concurrent processes are running on the Network Security Manager.

Fault: Policy Synchronization aborted because concurrent processes are running on the Manager Server
Severity: Warning
Description/Cause: Unable to synchronize the policy because concurrent processes are running on the Manager Server.
Action: Try again later.

Scheduled configuration report

Fault: Scheduled reports error
Severity: Warning
Description/Cause: Report generation failed for report template <report_template_name> because one or more of the selected resources is no longer available.
Action: Edit and save the disabled template in Report Generation.

Manager Disaster Recovery (MDR)

Fault: MDR - IPv4 and IPv6 address configuration
Severity: Warning
Description/Cause: You have specified only the peer Manager <IPv4/IPv6> address, so you cannot add any <IPv4/IPv6> devices to the current Manager, nor will the existing <IPv4/IPv6> devices be able to communicate with the peer Manager.
Action: If a device needs to communicate over IPv6 with the Manager and the Manager is in MDR mode, then MDR has to be reconfigured to include the IPv6 address of the peer Manager.

Manager Reboot

Fault: Manager shutdown was not graceful
Severity: Warning
Description/Cause: The Manager was not shut down gracefully. (Database tuning is recommended.)
Action: Perform database tuning (dbtuning) to fix possible database inconsistencies that may have resulted. Tuning may take a while, depending on the amount of data currently in the database.

4 System fault messagesManager faults

84 McAfee Network Security Platform 8.1

Page 85: McAfee Network Security Platform 8.1 Troubleshooting Guide€¦ · 1 Troubleshooting Network Security Platform This section lists some troubleshooting tips for McAfee® Network Security

Manager informational faults

These are the informational faults for a Manager and Central Manager.

Fault: Alert Archival state has changed
Severity: Informational
Description/Cause: The alert archival process has started.
Action: This message is for user information. No action required.

Fault: Command to invoke upload internal hosts process to NSM
Severity: Informational
Description/Cause: The internal host information is sent to the Manager.
Action: This message is for user information. No action required.

Fault: Cluster software initialization status
Severity: Informational
Description/Cause: Device software has been initialized.
Action: On initialization failure, check if cluster cross-connects are present as documented.

Fault: Custom attacks are being saved to the Manager
Severity: Informational
Description/Cause: One or more custom attack definitions are in the process of being saved from the Custom Attack Editor to the Manager.
Action: This message is for user information. No action required.

Fault: Database backup in progress
Severity: Informational
Description/Cause: A database backup is in progress.
Action: This message is informational.

Fault: Data dump retrieval from peer has been completed successfully
Severity: Informational
Description/Cause: The data dump retrieval from the peer has been completed successfully.
Action: This message is for user information. No action required.

Fault: Data dump retrieval from peer is in progress
Severity: Informational
Description/Cause: The data dump retrieval from the peer is in progress.
Action: This message is for user information. No action required.

Fault: Database backup failure
Severity: Informational
Description/Cause: Unable to back up database tables.
Action: This message indicates that an attempt to manually back up the database has failed. The most likely cause of failure is insufficient disk space on the Manager server; the backup file may be too big. Check your disk capacity to ensure there is sufficient disk space, and try the operation again.

Fault: Manager Request is not from Trusted IP Address
Severity: Informational
Description/Cause: The Manager Request is not from a Trusted IP Address.
Action: Ensure the Peer Manager is not already in MDR with another Manager.

Fault: Network Security Platform-defined UDS overridden by signature set.
Severity: Informational
Description/Cause: A Network Security Platform-defined UDS has been incorporated in a new signature set and has been removed from the Custom Attack Editor.
Action: This message is informational and indicates that an emergency McAfee-provided UDS signature has been appropriately overwritten as part of a signature set upgrade.

Fault: Packet capture file transfer status
Severity: Informational
Description/Cause: The device has started sending the packet capture file via SCP. / The device has completed sending the packet capture file via SCP. / The device has stopped capturing packets because it has reached the configured maximum capture file size. / The device has stopped capturing packets because it has reached the configured maximum duration. / The device is ready to transfer the packet capture file to the Manager.
Action: This message is informational.

Fault: Packet Log Archival state has changed
Severity: Informational
Description/Cause: Indicates that the packet log archival state has changed.
Action: This message is for user information. No action required.

Fault: Scheduler - Signature download from Manager to Sensor failed
Severity: Informational
Description/Cause: Scheduler - Signature download from Manager to Sensor has failed.
Action: This message is for user information. No action required.

Fault: Sensor software image or signature set import in progress
Severity: Informational
Description/Cause: A Sensor software image or signature set file is in the process of being imported from the Network Security Platform Update Server to the Manager server.
Action: This message is for user information. No action required.

Fault: Signature set update failed
Severity: Informational
Description/Cause: Signature set update failed while transferring from the Manager server to the Sensor.
Action: This message is for user information. No action required.

Fault: Signature set update not successful
Severity: Informational
Description/Cause: The attempt to update the signature set on the Manager was not successful, and thus no signature set is available on the Manager.
Action: You must re-import a signature set before performing any action on the Manager. A valid signature set must be present before any action can be taken in Network Security Platform.

Fault: Switchback has been completed, the primary Manager has got the control of Sensors now
Severity: Informational
Description/Cause: N/A
Action: This message is for user information. No action required.

Fault: System startup in process - alerts being restored
Severity: Informational
Description/Cause: The Manager is starting up and restoring alerts from the device archive file. Threat Analyzer may not show all alerts until the Manager is fully online.
Action: You need to restart the Manager to view the restored alerts in Threat Analyzer.

Fault: Syslog Forwarder is not configured for the Admin Domain: <Admin Domain Name> to accept the ACL logs.
Severity: Informational
Description/Cause: ACL logging is enabled, but no Syslog server has been configured to accept the log messages.
Action: Configure a Syslog server to receive forwarded ACL logs.

Fault: Successful scheduled DAT file download
Severity: Informational
Description/Cause: The scheduled DAT file download from the McAfee GTI Server to the Manager was successful.
Action: This message is for user information. No action required.

Fault: UDS export to the Manager in progress
Severity: Informational
Description/Cause: One or more UDS are in the process of being exported from the Custom Attack Editor to the Manager server.
Action: This message is for user information. No action required.

Vulnerability Manager configuration

Fault: Successful vulnerability data import from Vulnerability Manager
Severity: Informational
Description/Cause: Vulnerability data successfully imported from the FoundStone database server into the ISM database table. / No vulnerability records found for import from the FoundStone database.
Action: This message is informational.

Fault: Scheduled Vulnerability Manager vulnerability data import failed
Severity: Informational
Description/Cause: Scheduled Vulnerability Manager vulnerability data import has failed.
Action: Refer to the error logs for details.

Fault: Vulnerability data import from McAfee Vulnerability Manager database was successful
Severity: Informational
Description/Cause: This message indicates that the vulnerability data import from the McAfee Vulnerability Manager database is successful. For more information on importing vulnerability data reports in the Manager, see Importing Vulnerability Scanner Reports, McAfee Network Security Platform Integration Guide.

Policy synchronization

Fault: Deleted NSCM rule set in use
Severity: Informational
Description/Cause: The rule set is currently assigned to one or more resources. Create a clone before deletion.
Action: Remove the reference and try again.

Fault: Deleted NSCM attack filter in use
Severity: Informational
Description/Cause: The attack filter is currently assigned to one or more resources. Create a clone before deletion.
Action: Remove the reference and try again.

Fault: Deleted NSCM policy in use
Severity: Informational
Description/Cause: The policy is currently assigned to one or more resources. Create a clone before deletion.
Action: Remove the reference and try again.

Central Manager

Fault: Deleted Network Security Central Manager Exception object is applied on resource
Severity: Informational
Description/Cause: Exception object is applied on resource(s). Creating a clone before delete. / Deleted Network Security Central Manager Exception object is applied on resource(s).

Fault: Deleted Central Manager policy is applied on resources
Severity: Informational
Description/Cause: Deleted Central Manager policy is in use.
Action: Remove the reference and try again.

Description/Cause: Policy <policy name> is applied on resources. Creating clone <policy name> before delete.
Action: Remove the reference and try again.

Fault: Reset to standalone has been invoked; the Primary <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: A "Reset to Standalone" has been invoked; the Primary Manager is standalone and is in control of Sensors.
Action: This message is for user information, no action required.

Fault: Reset to standalone is invoked; the Secondary <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: A "Reset to Standalone" has been invoked; the Secondary Manager is standalone and is in control of Sensors.
Action: This message is for user information, no action required.

Fault: Reset to standalone is invoked; the <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: A "Reset to Standalone" has been invoked; the current Manager is standalone and in control of Sensors.
Action: This message is for user information. No action required.

Fault: Reset to standalone has been invoked; the peer <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: A "Reset to Standalone" has been invoked; the Peer Manager is standalone and in control of Sensors.
Action: This message is for user information. No action required.

Alert queue threshold alarms

Fault: Alert archival in progress
Severity: Informational
Description/Cause: The Manager is archiving alerts.
Action: Wait for the Alert archival to complete.

Fault: Packet log archival in progress
Severity: Informational
Description/Cause: The Manager is archiving packet logs.
Action: Wait for the Packet Log archival to complete.

Manager Disaster Recovery (MDR)

Fault: Manager version mismatch. Primary Manager has latest version
Severity: Informational
Description/Cause: The two Managers in an MDR configuration must have the same Manager software version installed. The Primary Manager software is more recent than that of the Secondary Manager.
Action: Ensure the two Managers run the same software version.

Fault: Manager version mismatch. Secondary Manager has latest version
Severity: Informational
Description/Cause: The two Managers in an MDR configuration must have the same Manager software version installed. The Secondary Manager software is more recent than that of the Primary Manager.
Action: Ensure the two Managers run the same software version.

Fault: MDR synchronization in progress
Severity: Informational
Description/Cause: The synchronization from the peer Manager is in progress.
Action: This message is for user information. No action required.

Fault: MDR synchronization failure
Severity: Informational
Description/Cause: There was a problem while retrieving data from the peer Manager - aborting the synchronization process.
Action: Check whether the peer Manager machine is reachable from this machine.

Fault: MDR - Manager <Central Manager/Manager> switched from <Standalone/MDR> to <MDR/Standalone> mode
Severity: Informational
Description/Cause: Manager <(mgr_name) OR (ICC)(mgr_name)> is taking control. The Manager <mngr_name> is <Primary/Secondary> and its peer Manager, <peer_mgr_ip_addr>, is <Primary/Secondary>.
Action: See the fault message.

Fault: MDR manual switch over successful; the Secondary <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: Manager Disaster Recovery, initiated via a manual switchover, has completed successfully. The Secondary Manager is now in control of Sensors.
Action: This message is for user information. No action required.

Fault: MDR automatic switchover has been completed; the Secondary <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: Manager Disaster Recovery switchover has been completed; the Secondary Manager is in control of Sensors.
Action: Failover has occurred; the Secondary Manager is now in control of the Sensors. Troubleshoot problems with the Primary Manager and attempt to bring it online again. Once it is online again, you can switch control back to the Primary.

Fault: MDR configuration information retrieval from Primary Manager successful
Severity: Informational
Description/Cause: The Manager Disaster Recovery Secondary Manager has successfully retrieved configuration information from the Primary Manager.
Action: This message is for user information. No action required.

Fault: MDR forced switch over has been completed; the Secondary <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: Manager Disaster Recovery is completed via a manual switchover. The Secondary Manager is now in control of Sensors.
Action: This message is for user information, no action required.

Fault: MDR operations have been resumed
Severity: Informational
Description/Cause: Manager Disaster Recovery functionality has been resumed. Failover functionality is again available.
Action: This message is for user information, no action required.

Fault: MDR operations have been suspended
Severity: Informational
Description/Cause: Manager Disaster Recovery functionality has been suspended. No failover will take place while MDR is suspended.
Action: This message is for user information, no action required.

Fault: MDR switchback has been completed; the Primary <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: Manager Disaster Recovery switchback has been completed; the Primary Manager has regained control of Sensors.
Action: This message is for user information, no action required.

Fault: MDR pair is changed
Severity: Informational
Description/Cause: McAfee® Network Security Central Manager (Central Manager) has an MDR pair created and the Manager is in disconnected mode. The fault is raised if the Central Manager MDR pair is dissolved and recreated, making the existing primary Manager the secondary Manager and the existing secondary Manager the primary Manager.
Action: Dissolve and re-create an MDR pair.

Fault: Network Security Manager Type mismatch
Severity: Informational
Description/Cause: The two Managers in an MDR configuration must have the same Manager Type.
Action: Ensure both Managers are of the same Type (Network Security Central Manager or Network Security Manager).

Fault: Successful MDR synchronization from <Network Security Central Manager/Network Security Manager>
Severity: Informational
Description/Cause: The secondary <Central Manager/Manager> has successfully retrieved configuration information from the primary <Central Manager/Manager>.
Action: This message is informational.

Fault: Successful MDR switchback. (Primary <Central Manager/Manager> will take control of the <Managers/Sensors>)
Severity: Informational
Description/Cause: The MDR switchback has completed without error. (The primary <Central Manager/Manager> will take control of the <Managers/Sensors>.)
Action: This message is informational.

Fault: Successful MDR manual switchover. (Secondary <Central Manager/Manager> will take control of the <Managers/Sensors>)
Severity: Informational
Description/Cause: The administrator-initiated MDR switchover has completed without error. (The secondary <Central Manager/Manager> will take control of the <Managers/Sensors>.)
Action: This message is informational.

Fault: MDR - Reset to standalone invoked
Severity: Informational
Description/Cause: The MDR pair has been reset to standalone Managers. This <Central Manager/Manager> is standalone and will take control of the <Managers/Sensors>.
Action: This message is informational.

Fault: MDR - Reset to standalone invoked (This <Central Manager/Manager> will take control of the <Managers/Sensors>)
Severity: Informational
Description/Cause: The MDR pair has been reset to standalone Managers. The peer <Central Manager/Manager> is standalone and will take control of the <Managers/Sensors>.

Fault: MDR has been canceled
Severity: Informational
Description/Cause: Manager Disaster Recovery has been cancelled.
Action: This message is informational.

Fault: MDR automatic switchover detected. (Secondary <Central Manager/Manager> will take control of the <Managers/Sensors>)
Severity: Informational
Description/Cause: An automatic MDR switchover has completed without error. (The secondary <Central Manager/Manager> will take control of the <Managers/Sensors>.)
Action: This message is informational.

Fault: MDR manual switchover in progress. (Secondary <Central Manager/Manager> will take control of the <Managers/Sensors>)
Severity: Informational
Description/Cause: The administrator has initiated an MDR switchover. (The secondary <Central Manager/Manager> will take control of the <Managers/Sensors>.)
Action: This message is informational.

Fault: Successful MDR pair creation
Severity: Informational
Description/Cause: Manager Disaster Recovery (MDR) has been successfully configured.
Action: This message is for user information, no action required.

Fault: Successful MDR synchronization in progress
Severity: Informational
Description/Cause: Synchronization from the peer Manager has been completed successfully.
Action: This message is for user information. No action required.

Fault: MDR suspended
Severity: Informational
Description/Cause: Manager Disaster Recovery has been administratively suspended. (No switchover will take place while MDR is suspended.)
Action: This message is informational.

Fault: MDR resumed
Severity: Informational
Description/Cause: Manager Disaster Recovery functionality has been resumed by the administrator. Failover functionality is again available.
Action: This message is informational.

Fault: MDR - Device-to-Manager IP mismatch
Severity: Informational
Description/Cause: The device-to-Manager communication IP <Manager_ip> does not match the peer Manager IP <peer_Manager_ip>.
Action: Ensure that the Sensor-Manager communication IP matches the peer Manager's peer IP in the MDR configuration.

Fault: MDR - <Network Security Central Manager/Network Security Manager> version mismatch. (Peer <Central Manager/Manager> has newer version)
Severity: Informational
Description/Cause: The two <Central Manager/Manager>s in an MDR configuration must have the same <Network Security Central Manager/Network Security Manager> software version installed. The peer <Network Security Central Manager/Network Security Manager> server software is more recent than that of the current <Central Manager/Manager>.
Action: Ensure both Managers are running the same version of the Manager software.

Fault: MDR - Manager type mismatch
Severity: Informational
Description/Cause: The two Managers in an MDR pair must be of the same type (Manager versus Central Manager).
Action: Ensure both Managers are of the same Type (Network Security Central Manager or Network Security Manager).

Fault: MDR - <Central Manager/Manager> request is not from a trusted IP address
Severity: Informational
Description/Cause: The <Central Manager/Manager> request is not from a trusted IP address.
Action: Ensure the Peer Manager is not already in MDR with another Manager.

Fault: MDR - system time synchronization error
Severity: Informational
Description/Cause: The two Managers in an MDR pair must have the same operating system time. Ensure both Managers are in sync with the same time source. (Otherwise, the device communication channels will experience disconnects.)
Action: Ensure both Managers are in sync with the current time.

Database archival

Fault: Alert archival in progress
Severity: Informational
Description/Cause: Alerts are currently being archived.
Action: Do not attempt to tune the database or perform any other database activity such as a backup or restore until the archival process successfully completes.

Fault: Successful alert archival
Severity: Informational
Description/Cause: The alert archival successfully completed.
Action: This message is for user information. No action required.

Database tuning

Fault: Database tuning in progress
Severity: Informational
Description/Cause: The Manager database is currently being tuned.
Action: The user cannot perform the following operations during the tuning process: (1) viewing or modifying alerts from Threat Analyzer; (2) generating IDS reports on alerts; (3) backing up or restoring all tables, or the alert and packet log tables; (4) archiving alerts and packet logs into files.

Fault: Database tuning recommended
Severity: Informational
Description/Cause: Database tuning is recommended. <no_of_days> days have passed since the last database tuning.
Action: Shut down the Manager and execute the Database Tuning Utility at the earliest opportunity.

Fault: Successful database tuning
Severity: Informational
Description/Cause: The Manager database was tuned without error.
Action: This message is for user information. No action required.

ACL logging

Fault: Required syslog forwarder missing
Severity: Informational
Description/Cause: Firewall logging has been enabled, yet no syslog server is currently defined/enabled for admin domain <admin_domain_name>.
Action: This message will appear until a Syslog server has been configured for use in forwarding ACL logs.

Update scheduler

Fault: Automatic botnet detectors deployment in progress
Severity: Informational
Description/Cause: A new botnet detector has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices.
Action: This message is informational.

Fault: Automatic signature set deployment in progress
Severity: Informational
Description/Cause: A new signature set has recently been downloaded from the Update Server to the Manager and is now being deployed to the devices.
Action: This message is informational.

Fault: Botnet detectors deployment in progress
Severity: Informational
Description/Cause: A new botnet detectors version has recently been downloaded from the McAfee update server to the Manager and is being deployed to the devices.
Action: This message is informational.

Fault: Connecting to McAfee update server for updates
Severity: Informational
Description/Cause: Connecting to the McAfee update server for updates.
Action: This message is informational.

Fault: Failed connection attempt to McAfee GTI Server.
Severity: Informational
Description/Cause: Failed to connect to the McAfee GTI Server.
Action: This message is informational.

Fault: Scheduled signature set deployment in progress
Severity: Informational
Description/Cause: A new signature set has recently been downloaded from the Update Server to the Manager and is now being deployed to the devices, as scheduled.
Action: This message is informational.

Fault: Scheduled signature set download in progress
Severity: Informational
Description/Cause: A scheduled signature set update is in the process of downloading from the McAfee Update Server to the Manager server.
Action: This message is informational.

Fault: Scheduled botnet detectors download is in progress
Severity: Informational
Description/Cause: The scheduled botnet detectors download from the McAfee update server to the Manager is in progress.
Action: This message is informational.

Fault: Successful scheduled signature set deployment
Severity: Informational
Description/Cause: A new signature set has recently been downloaded from the Update Server to the Manager and successfully deployed to the devices, as scheduled.
Action: This message is informational.

Fault: Successful scheduled signature set download
Severity: Informational
Description/Cause: The scheduled signature set download from the McAfee Update Server to the Manager was successful.
Action: This message is informational.

Fault: Successful scheduled botnet detectors download
Severity: Informational
Description/Cause: The scheduled botnet detectors download from the McAfee update server to the Manager was successful.
Action: This message is informational.

Fault: Successful scheduled botnet detectors deployment
Severity: Informational
Description/Cause: A new botnet detectors version has recently been downloaded from the McAfee update server to the Manager and is being deployed to the devices.
Action: This message is informational.

Fault: Successful automatic botnet detectors deployment
Severity: Informational
Description/Cause: A new botnet detectors version has recently been downloaded from the McAfee Update Server to the Manager and successfully deployed to the devices.
Action: This message is informational.

Fault: Successful automatic signature set deployment
Severity: Informational
Description/Cause: A new signature set has recently been downloaded from the Update Server to the Manager and successfully deployed to the devices.
Action: This message is informational.

Fault: Update Scheduler in progress
Severity: Informational
Description/Cause: This message indicates that the update scheduler is in progress.
Action: This message is informational.

Signature download from Update Server to Manager

Fault: Signature set deployment in progress
Severity: Informational
Description/Cause: A signature set is in the process of being deployed from the Manager to the device.
Action: This message is informational.

Fault: Successful signature set download from Update Server
Severity: Informational
Description/Cause: The signature set was successfully downloaded from the McAfee Update Server to the Manager.
Action: This message is informational.

Update device configuration

Fault: Device configuration update in progress
Severity: Informational
Description/Cause: The Manager is in the process of pushing the configuration (and signature set, as applicable) to the device.
Action: This message is informational.

Signature set

Fault: DAT file import is in progress
Severity: Informational
Description/Cause: A DAT file is being imported into the Manager.
Action: This message is for user information. No action required.

Fault: Device software, IPS signature set, or botnet detectors import in progress
Severity: Informational
Description/Cause: A device software, IPS signature set, or botnet detectors file is being imported into the Manager.
Action: This message is informational.

Fault: Device software, IPS signature set, or botnet detectors download in progress
Severity: Informational
Description/Cause: A device software, IPS signature set, or botnet detectors file is being downloaded from the McAfee Update Server to the Manager.
Action: This message is informational.

Audit logger

Fault: Rotating audit logs
Severity: Informational
Description/Cause: The audit log capacity on the Manager is <value taken from ems property iv.policymgmt.RuleEngine.CircularAuditLogMax> records. After this number of records is reached, the Manager will overwrite the oldest records with the newest records (i.e. first in, first out). This fault indicates that <value taken from ems property iv.policymgmt.RuleEngine.CircularAuditLogMax> records have been written to the audit log and that the oldest audit log records are now being overwritten. This fault will be raised every <value taken from ems property iv.policymgmt.RuleEngine.CircularAuditLogMax> records written. No action is required. This is an informational fault.
Action: No action; this is an indicator that the audit log is being overwritten.

User defined signature

Fault: Custom attack overridden by signature set
Severity: Informational
Description/Cause: One or more custom attack definitions have been incorporated into the current signature set and therefore removed as custom attacks. Removed custom attacks: <list of removed custom attacks>
Action: This message is for user information. No action required.

Fault: Custom attack save in progress
Severity: Informational
Description/Cause: One or more custom attack definitions are in the process of being saved to the Manager.
Action: This message is informational.

Fault: Custom attack save successful
Severity: Informational
Description/Cause: One or more custom attack definitions have been successfully saved to the Manager.
Action: This message is for user information. No action required.

Backup Manager

Fault: Database backup is in progress
Severity: Informational
Description/Cause: A manual or scheduled database backup process is in progress.
Action: Do not attempt to tune the database or perform any other database activity such as an archive or restore until the backup process successfully completes.

Fault: Database backup successful
Severity: Informational
Description/Cause: The database backup was successful.
Action: This message is for user information. No action required.

Backup scheduler

Fault: Scheduled backup failed
Severity: Informational
Description/Cause: Unable to create the scheduled database backup.
Action: This fault indicates problems such as SQL exceptions, database connectivity problems, or out-of-disk-space errors. Check your backup configuration settings. This fault clears when a successful backup is made.

Mail server and queue

Fault: System startup in process - alerts being restored
Severity: Informational
Description/Cause: The Manager is starting up and restoring alerts from the device archive file. Threat Analyzer may not show all alerts until the Manager is fully online.
Action: Threat Analyzer may not show all alerts. Restarting the Manager is required to show the restored alerts in Threat Analyzer.

Sensor faults

The Sensor faults can be classified into critical, error, warning, and informational. The Action column provides you with troubleshooting tips.

Sensor critical faults

These are the critical faults for a Sensor device.

Fault: BOT DAT file download failure
Severity: Critical
Description/Cause: The Manager cannot push the BOT DAT file to device <Sensor_name>.
Action: Occurs when the Manager cannot push the BOT DAT file to the Sensor. This could result from a network connectivity issue.

Fault: Bootloader upgrade failure
Severity: Critical
Description/Cause: The firmware upgrade has failed on the Sensor.
Action: Debug or reload the firmware on the Sensor.

Fault: Conflict in MDR Status
Severity: Critical
Description/Cause: Sensor found a conflict with MDR status; Manager IP address / MDR status as ...
Action: There is a problem with the MDR configuration. Check your MDR settings.

Fault: CRC Errors
Severity: Critical
Description/Cause: A recoverable CRC error has occurred within the Sensor.
Action: Reboot the Sensor, which may then resolve the issue causing the fault.

Fault: Cluster software mismatch status
Severity: Critical
Description/Cause: The software versions on the cluster primary and cluster secondary are not the same.
Action: Check for errors in the software image download to the cluster.

Fault Severity Description/Cause Action

Fault: Device re-discovery failure
Severity: Critical
Description/Cause: The upload of device configuration information for device <Sensor_name> failed again after being triggered by the status polling thread. The device is not properly initialized.
Action: This fault occurs as a second part to the "device discovery failure" fault. If the condition of the Sensor changes such that the Manager can again communicate with it, the Manager again checks to see if the Sensor discovery was successful. This fault is issued if discovery fails, so the Sensor is still not properly initialized. Check to ensure that the Sensor has the latest software image compatible with the Manager software image. If the images are incompatible, update the Sensor image via a TFTP server.

Fault: Device is unreachable
Severity: Critical
Description/Cause: SNMP ping failed: Device <Sensor_name> is unreachable through its command channel.
Action: Indicates that the device cannot communicate with the Manager: the connection between the device and the Manager is down, or the device has been administratively disconnected. Troubleshoot connectivity issues: 1) check that a connection route exists between the Manager and the device; 2) check the device's status using the <status> command in the device command line interface, or ping the device or the device's gateway to ensure connectivity. This fault clears when the Manager detects the device again.

Fault: Device dropping packets internally
Severity: Critical
Description/Cause: Device capacity has been reached. Device front end is overloaded.
Action: Reduce the amount of traffic passing through the Sensor, as there is an overload of traffic on the Sensor.

Fault: Device model change detected
Severity: Critical
Description/Cause: Device <Sensor_name> has been replaced by a different model <model_name>, which does not match the original model. The alert channel will not be able to establish a connection.
Action: Make sure you replace the model with the same Sensor model (e.g., replace an NS-7300 with an NS-7300, not an NS-9300).

Fault: Device switched to Layer 2 bypass mode
Severity: Critical
Description/Cause: Device is now operating in Layer 2 bypass mode. (Inspection has been disabled.)
Action: The Sensor has experienced multiple errors, surpassing the configured Layer 2 mode threshold. Check the Sensor's status.

Fault: Device reboot required
Severity: Critical
Description/Cause: The SSL decryption state or supported flow count on device <Sensor_name> has been changed (new value = <value>). A device reboot is required to make the change take effect.
Action: Reboot the Sensor to cause the SSL change to take effect.

Fault: Dropping alerts and packet logs
Severity: Critical
Description/Cause: The Manager is not communicating with the database; the alert and packet log queues are overflowing.
Action: Perform maintenance operations to clean and tune the database, or disable the dropping option.


Fault: Fail Open Control Module Timeout
Severity: Critical
Description/Cause: Communication has timed out between the Fail Open Controller in the Sensor's Compact Flash port and the Fail Open Bypass Switch. This situation has caused the Sensor to move to Bypass mode and traffic to bypass the Sensor.
Action: The fault could be the result of a cable being disconnected, or removal of the Bypass Switch. This fault clears automatically when communication resumes between the Fail Open Controller and the Fail Open Bypass Switch.

Fault: Failed to create command channel association
Severity: Critical
Description/Cause: Command channel association creation failed for device <Sensor_name>. The device is not properly initialized. This error indicates a failure to create a secure connection between the Manager and the device, which can be caused by loss of time synchronization between the Manager and the device, or by the device not being completely online after a reboot.
Action: Restart the Manager and/or check the Sensor's operating status to ensure that the Sensor's health and status are good.

Fault: Failed to update the failover Sensor configuration
Severity: Critical
Description/Cause: Monitoring port IP settings are not configured for the ports that require them. For example, monitoring port IP settings are required for a monitoring port to export NetFlow data to NTBA and to implement require-authentication Firewall access rules.
Action: Either configure the Monitoring Port IPs for all the above ports, or disable those features.

Fault: Failover peer status
Severity: Critical
Description/Cause: This fault indicates whether the Sensor peer is up or down.
Action: This fault clears automatically when the Sensor peer is up.

Fault: Fan error
Severity: Critical
Description/Cause: One or more of the fans inside the Sensor have failed.
Action: If a fan is not operational, McAfee strongly recommends powering down the Sensor and contacting Technical Support to schedule a replacement unit. In the meantime, you can use an external fan (blowing into the front of the Sensor) to prevent the Sensor from overheating until the replacement is completed.

Fault: Fail-open bypass switch timeout
Severity: Critical
Description/Cause: The device is not able to communicate with the fail-open bypass switch.
Action: Check the external Fail Open kit connections or the port pair configuration to restore Inline Fail Open mode.

Fault: Firewall connectivity failure
Severity: Critical
Description/Cause: The connectivity between the device and the firewall is down.
Action: This fault can occur in situations where, for example, the firewall machine is down, or the network is experiencing problems. Ping the firewall to see if the firewall is available. Contact your IT department to troubleshoot connectivity issues.

Fault: Hardware error
Severity: Critical
Description/Cause: There is an error in a hardware component on the Sensor.
Action: Debug or replace the hardware component.

Fault: Sensor connectivity status with GTI server
Severity: Critical
Description/Cause: The Sensor is unable to communicate with the GTI server. This fault will be cleared when the connection is restored.
Action: Message generated based on Sensor connectivity with the GTI server.


Fault: Illegal In-line, fail-open configuration of <port_name>.
Severity: Critical
Description/Cause: The Sensor is configured to operate with an external Fail-Open Module hardware component, but cannot detect the hardware.
Action: This error applies only to Sensors running in in-line mode with a gigabit port in fail-open mode (using the external Fail Open Module). When this fault is triggered, the port will be in bypass mode and will send another fault of that nature to the Manager. When the appropriate configuration is sent to the Sensor (either the hardware is discovered or the configuration changes), the Sensor begins to operate in in-line fail-open mode.

Fault: Image downgrade detected
Severity: Critical
Description/Cause: Unsupported configuration upgrade/downgrade; default configurations are used.
Action: This is an internal error. Check the Sensor status to see that the Sensor is online and in good health.

Fault: Internal configuration error
Severity: Critical
Description/Cause (one of the following):
An internal application communication error occurred on the device during <handling signature segments file / SNMP configuration request / other Sensor internal communication>.
Image downgrade. Please do a resetconfig.
Unsupported configuration upgrades; default configurations are used.
Action (corresponding):
Image downgrade detected. Please execute <resetconfig> on the device CLI to complete the downgrade.
Unsupported BOT DAT configuration detected after upgrade/downgrade. The default configuration will be used.
This is an internal error. Check the Sensor status to see that the Sensor is online and in good health.

Fault: Interface/sub-interface creation failure
Severity: Critical
Description/Cause: Device <Sensor_name> could not generate an interface or sub-interface. See the system log for details.
Action: This fault generally occurs in situations where the port in question is configured incorrectly. For example, a pair of ports is configured to be in different operating modes (1A is In-line while 1B is in SPAN). Check the configuration of the port pair for inconsistencies, then configure the port pair to run in the same operating mode.

Fault: Invalid fail-open configuration: <port_pair_name>
Severity: Critical
Description/Cause: An invalid configuration has been applied to <port_pair_name>.
Action: The Sensor requires appropriate hardware to support in-line, fail-open configuration on its gigabit ports. Ensure that the hardware is available and that the correct ports are in-line and configured to run in this mode.

Fault: Invalid SSL decryption key
Severity: Critical
Description/Cause: The device has detected an invalid SSL decryption key: <SSL decryption key>.
Action: The user may need to re-import the server SSL decryption key.


Fault: Late Collision of <count Up/Down>
Severity: Critical
Description/Cause: This fault can indicate a problem with the setup or configuration of the 10/100 Ethernet ports or devices connected to those ports. It can also indicate a compatibility issue between the Sensor and the device to which it is connected.
Action: Check the speed and duplex settings on the Sensor ports and the peer device ports and ensure that they are the same.

Fault: Link failure of Port <port_name>
Severity: Critical
Description/Cause: The link between a Monitoring port on the Sensor and the device to which it is connected is down, and communication is unavailable. The fault indicates which port is affected. The link on port <port_name> is <up/down>. The link between port "<port_name>" and the device to which it is connected is down, and communication is unavailable.
Action: Contact your IT department to troubleshoot connectivity issues: check the cabling of the specified Monitoring port and the device connected to it; check the speed and duplex mode of the connection to the switch or router to ensure parameters such as port speed and duplex mode are set correctly; check power to the switch or router. This fault clears when communication is re-established.

Users from all three FIPS mode roles (Audit Administrator, Crypto Administrator and Security Administrator) have logged onto the Manager at the same time.

Fault: License expires soon
Severity: Critical
Description/Cause: Your license is going to expire in less than 7 days.
Action: Please contact Technical Support or your local reseller.

Fault: Load Balancer fail-over configuration mismatch
Severity: Critical
Description/Cause: Load Balancer <Load_Balancer_name> reports that the fail-over peer configuration does not match.
Action: Verify the Load Balancer configuration. Both Load Balancers in a fail-over pair are expected to have the same configuration.

Fault: Load Balancer is unreachable
Severity: Critical
Description/Cause: SNMP ping failed; load balancer <load_balancer_name> is unreachable through its command channel.
Action: Indicates that the load balancer cannot communicate with the Manager: the connection between the load balancer and the Manager is down, or the load balancer has been administratively disconnected. Troubleshoot connectivity issues: 1) check that a connection route exists between the Manager and the load balancer; 2) check the load balancer status using the status command in the load balancer command line interface, or ping the load balancer or the load balancer gateway to ensure connectivity to the load balancer. This fault clears when the Manager detects the load balancer again.

Fault: Malware File Archive Disk Usage (Compressed files)
Severity: Critical
Description/Cause: The disk usage for archived compressed files has reached the user-defined threshold of the maximum allowed. New files of this type will no longer be saved to the disk once usage reaches 100%.
Action: Prune/delete unwanted files, or increase the maximum disk space, or both.

Fault: Malware File Archive Disk Usage (Executables)
Severity: Critical
Description/Cause: The disk usage for archived executables has reached the user-defined threshold of the maximum allowed. New files of this type will no longer be saved to the disk once usage reaches 100%.
Action: Prune/delete unwanted files, or increase the maximum disk space, or both.


Fault: Malware File Archive Disk Usage (Office Files)
Severity: Critical
Description/Cause: The disk usage for archived office files has reached the user-defined threshold of the maximum allowed. New files of this type will no longer be saved to the disk once usage reaches 100%.
Action: Prune/delete unwanted files, or increase the maximum disk space, or both.

Fault: Malware File Archive Disk Usage (PDFs)
Severity: Critical
Description/Cause: The disk usage for archived PDFs has reached the user-defined threshold of the maximum allowed. New files of this type will no longer be saved to the disk once usage reaches 100%.
Action: Prune/delete unwanted files, or increase the maximum disk space, or both.

Fault: Manual Sensor Reboot Required
Severity: Critical
Description/Cause: The Sensor requires a manual reboot due to an issue. Please reboot the Sensor.
Action: Please reboot the Sensor.

Fault: Memory error
Severity: Critical
Description/Cause: A recoverable software memory error has occurred within the Sensor.
Action: Reboot the Sensor, which may then resolve the issue causing the fault.

Fault: MLC Group Size fault
Severity: Critical
Description/Cause: Sensor version 8.0 or lower is not supported for this group size.
Action: The fault is raised when the admin domain user group exceeds 2,000 in an 8.0 or lower M-series model. The 10,000 admin domain user group is supported only in the 8.1 Manager for the M-series model. Reduce the number of admin domain user groups to a value that is supported by your Sensor.

Fault: MPE certificate download failure
Severity: Critical
Description/Cause: Cannot push the MPE certificate to device <Sensor_name>. See the system log for details.
Action: Occurs when the Manager cannot push the MPE certificate to a Sensor. Could result from a network connectivity issue.

Fault: NTBA IPS connection failure
Severity: Critical
Description/Cause: The device cannot communicate with NTBA over the management port using TCP.
Action: If any of the devices are uninstalled, this problem may exist initially for a few minutes and should go away. If the fault still appears, check the firewall rules and the connections and connectivity from the IPS management port to the NTBA management port.

Fault: Ondemand scan failed because connection was refused to FoundScan engine
Severity: Critical
Description/Cause: This fault can be due to two reasons: the user has not specified the Fully Qualified Domain Name, or the FoundScan engine is shut down.
Action: For more information on using the Fully Qualified Domain Name, see the McAfee Network Security Platform Integration Guide.

Fault: Packet capture rules download
Severity: Critical
Description/Cause: Cannot push packet capture rules to device <Sensor_name>. See the system log for details.
Action: Occurs when the Manager cannot push the packet capture rules to a Sensor. Could result from a network connectivity issue.

Fault: Packet overflow
Severity: Critical
Description/Cause: A recoverable software buffer overflow error has occurred within the Sensor.
Action: Reboot the Sensor, which may then resolve the issue causing the fault.

Fault: Port late collision
Severity: Critical
Description/Cause: This fault could indicate a problem with the setup or configuration of the 10/100 Ethernet ports or devices connected to those ports. It could also indicate a compatibility issue between the Sensor and the device to which it is connected.
Action: The Sensor may be detecting an issue with another device located on the same network link. Check to see if there is a problem with one of the other devices on the same link as the Sensor. This situation could cause traffic to cease flowing on the Sensor and may require a Sensor reboot.


Fault: Port pair <port_name> is back to In-line, Fail-Open Mode
Severity: Critical
Description/Cause: The Sensor is back to In-line, Fail-Open Mode.
Action: This message indicates that the ports have gone from Bypass mode back to normal.

Fault: Port pair <port_name> is in Bypass Mode
Severity: Critical
Description/Cause: This fault indicates that the indicated GBIC ports are unable to remain in In-line Mode as configured. This has caused fail-open control to initiate, and the Sensor is now operating in Bypass Mode. Bypass mode indicates that traffic is flowing through the Fail Open Bypass Switch, bypassing the Sensor completely.
Action: Check the health of the Sensor and the indicated ports. Check the connectivity of the Fail Open Control Cable to ensure that the Fail Open Control Module can communicate with the Fail Open Controller in the Sensor's Compact Flash port.

Fault: Port pair <port_pair_name> in bypass mode
Severity: Critical
Description/Cause: Device <Sensor_name> is configured to run in-line and to fail open, but it is in bypass mode.
Action: This fault indicates that some failure has occurred, causing the fail-open control module to switch operation to Bypass Mode. No traffic is flowing through the Sensor.

Fault: Port pair <port_pair_name> in in-line, fail-open mode
Severity: Critical
Description/Cause: Device <Sensor_name> has returned to in-line, fail-open mode.
Action: This message indicates that the ports have gone from Bypass Mode back to normal.

Fault: Port pair <port_pair_name> fail-open kit status
Severity: Critical
Description/Cause: Device <Sensor_name> is configured to run in-line and to fail open, but it is in <Bypass, Tap, Absent, Unknown, L2Bypass, Timeout, IllegalConfig, Restore> Mode.
Action: This fault indicates that some failure has occurred, causing the fail-open control module to switch operation to <Bypass, Tap, Absent, Unknown, L2Bypass, Timeout, IllegalConfig, Restore> Mode. No traffic is flowing through the Sensor.

Fault: Port media type mismatch
Severity: Critical
Description/Cause: <Port_name>: Configured media type is <none/optical/copper/unknown>. Inserted media type is <optical/copper/unknown>.
Action: Check whether the pluggable connector matches the user configuration. Example: a Copper SFP inserted in a cage configured for Fiber. Replace the media according to the configured value.

Fault: Port certification mismatch
Severity: Critical
Description/Cause: <Port_name>: McAfee Certified pluggable interface. McAfee certification status is <not matching/matching>.
Action: Check whether the pluggable interface is McAfee certified. Replace it with a McAfee certified connector, or disable the check-box to use a non-certified connector (a McAfee certified connector is recommended).

Fault: Power supply error
Severity: Critical
Description/Cause: The <primary/secondary> power supply to the device <was inserted/was removed/is Operational/is non-operational>. Restore the power supply to clear this fault.
Action: Check power to the outlet providing power to the power supply; if a power interruption is not the cause, replace the failed power supply.

Fault: Sensor changes to a different model
Severity: Critical
Description/Cause: A Sensor was replaced with a different model type (for example, an NS-9100 was replaced with an NS-9100-FO (failover only) Sensor). The alert channel will be unable to make a connection.
Action: When replacing a Sensor, ensure that you replace it with an identical model (for example, replace an NS-9100 with an NS-9100; do not attempt to replace a regular Sensor with a failover-only model, or vice versa).


Fault: Sensor configuration download failure
Severity: Critical
Description/Cause: The Manager cannot push the original Sensor configuration to the Sensor during Sensor re-initialization, possibly because the trust relationship between the Manager and the Sensor is lost. This can also occur when a failed Sensor is replaced with a new unit and the new unit is unable to discover its configuration information. It happens if the Sensor's health is bad.
Action: The link between the Manager and the Sensor may be down, or you may need to re-establish the trust relationship between the Sensor and the Manager by resetting the shared key values.

Fault: <Sensor_name> configuration update failure
Severity: Critical
Description/Cause: The attempt by the Manager to deploy the configuration to device <Sensor_name> failed during device re-initialization. The device configuration is now out of sync with the Manager settings. The device may be down. See the system log for details.
Action: The Manager cannot push the original device configuration during device re-initialization. This can also occur when a failed device is replaced with a new unit and the new unit is unable to discover its configuration information.

Fault: Sensor reboot required for SSL decryption configuration change
Severity: Critical
Description/Cause: User-configured SSL decryption settings for a particular Sensor changed, requiring a Sensor reboot.
Action: Reboot the Sensor to cause the changes to take effect.

Fault: Signature set error
Severity: Critical
Description/Cause: The device has detected an error on signature segment <segment_id>. The segment error cause is <unknown cause>, and the download type is <init/update/unknown signature download type>.
Action: Ensure that the Sensor is online and in good health. The Manager will make another attempt to push the file to the Sensor. This fault will clear when the signature segments are successfully pushed to the Sensor.

Fault: Solid State Drive <drive 0> Error
Severity: Critical
Description/Cause: The solid state drive <drive 0> is <drive 1>.
Action: Check the status of the respective SSD; on failure, replace the SSD.

Fault: Sensor switched to Layer 2 mode
Severity: Critical
Description/Cause: The Sensor has moved from detection mode to Layer 2 (Passthru) mode. This indicates that the Sensor has experienced the specified number of errors within the specified timeframe and Layer 2 mode has triggered.
Action: The Sensor will remain in Layer 2 mode until it is rebooted.

Fault: Sensor switched to Layer 2 Bypass mode
Severity: Critical
Description/Cause: The Sensor is now operating in Layer 2 Bypass mode. Intrusion detection/prevention is not functioning.
Action: The Sensor has experienced multiple errors, surpassing the configured Layer 2 mode threshold. Check the Sensor's status.

Fault: Software error
Severity: Critical
Description/Cause: A recoverable software error has occurred within the device. A device reboot may be required.
Action: This error may require a reboot of the Sensor, which may then resolve the issue causing the fault.

Fault: SSL decryption key download failure
Severity: Critical
Description/Cause: Cannot push SSL decryption keys to device <Sensor_name>. See the system log for details.
Action: Occurs when the Manager cannot push the SSL decryption keys to a Sensor. Could result from a network connectivity issue.

Fault: Temperature status
Severity: Critical
Description/Cause: Inlet Temperature value increased above 50.
Action: Check the Fan LEDs in front of the chassis to ensure all internal chassis fans are functioning. This fault will clear when the temperature returns to its normal range.


Fault: User login via console after Sensor initialization
Severity: Critical
Description/Cause: The Sensor reports user <user_name> login via console after Sensor initialization. This is a FIPS 140-2 Level 3 violation.
Action: This message is informational.

Advanced Threat Defense connectivity

Fault: Sensor connectivity status with Advanced Threat Defense device
Severity: Critical
Description/Cause: Message generated based on Sensor connectivity with the Advanced Threat Defense (ATD) device.
Action: The Sensor is unable to communicate with the Advanced Threat Defense (ATD) device due to . This fault will be cleared when the connection is restored.

Licensing

Fault: Device discovered without license
Severity: Critical
Description/Cause: Device <Sensor_name> was discovered without a license, and may not detect attacks.
Action: To obtain a permanent license now, kindly contact Technical Support or your local reseller.

Fault: Device discovered with cluster secondary license.
Severity: Critical
Description/Cause: Device <Sensor_name> was discovered with a cluster secondary license. This device should not be connected to the Manager directly.

Fault: Device license expired
Severity: Critical
Description/Cause: Device license expired. The device may not detect attacks.

Fault: Device support license expired
Severity: Critical
Description/Cause: Device support license expired. The device may not detect attacks.

Fault: Expired device license
Severity: Critical
Description/Cause: Device license expired. The device may not detect attacks.

Fault: Expired device support license
Severity: Critical
Description/Cause: Device support license expired. The device may not detect attacks.

Fault: Expired license for device of type <device_type>
Severity: Critical
Description/Cause: The device may not detect attacks.
Action: Please contact Technical Support or your local reseller to obtain a license.

Fault: Expired support license for device of type <device_type>
Severity: Critical
Description/Cause: The device may not detect attacks.

Fault: No valid license detected for device of type <device_type>
Severity: Critical
Description/Cause: The discovered device may not detect attacks.

Fault: Pending support license expiration for device of type <device_type>
Severity: Critical
Description/Cause: The support license for this device expires in <x> days.
Action: Please contact Technical Support or your local reseller to renew the support license.


Sensor error faults

These are the error faults for a Sensor device, listed by fault, severity, description/cause, and action.

Fault: Alert channel down
Severity: Error
Description/Cause: The alert channel for device <Sensor_name> is down. Reason: <
"Channel connection failed reason unknown",
"Channel is up",
"Sensor unable to sync time with NSM (error 2)",
"Sensor unable to generate valid certificate (error 3)",
"Sensor unable to persist Sensor certificate (error 4)",
"Sensor fail connecting to NSM (error 5)",
"Sensor in untrusted connection mode (error 6)",
"Sensor install connection failed (error 7)",
"Sensor unable to persist NSM certificate (error 8)",
"Mutual trust mismatch between Sensor and NSM (error 9)",
"Error in SNMPv3 key exchange (error 10)",
"Error in initial protocol message exchange (error 11)",
"Sensor install in progress",
"Opening alert channel in progress",
"Link error. Attempting to reconnect (error 14)",
"Alert channel reconnect failed (error 15)",
"Closing alert channel in progress",
"Closing alert channel failed (error 17)",
"Send alert warning (error 18)",
"Keep alive warning (error 19)",
"Sensor unable to delete certificate (error 20)",
"Sensor unable to create SNMP user (error 21)",
"Sensor unable to change SNMP user key (error 22)">
The Manager cannot communicate with the device via the channel on which the Manager listens for Sensor alerts.
Action: This fault clears when the alert channel is back up.

Fault: Device in bad health
Severity: Error
Description/Cause: Please check the running status of device <device_name>. This fault occurs with any type of device software failure. (It usually occurs in conjunction with a software error fault.)
Action: If this fault persists, we recommend that you perform a Diagnostic Trace and submit the trace file to Technical Support for troubleshooting.


Fault: Game error
Severity: Error
Description/Cause: Indicates that the engine could not be initialized or downloaded, or that the DAT file could not be downloaded.
Action: This fault clears when the engine can be initialized or downloaded and the DAT file can be downloaded.

Fault: Internal packet drop error
Severity: Error
Description/Cause: The device is dropping packets due to traffic load.
Action: Reduce the amount of traffic passing through the Sensor, as this fault indicates an overload of traffic on the Sensor.

Fault: MLC Bulk update file size exceeds limit
Severity: Error
Description/Cause: The device has a limit for the MLC Bulk Update file size that it can process. As this has been exceeded, the update to device <Sensor_name> is aborted.
Action: Check the MLC server configured in this Manager for the number of users, groups, and IP-user mappings. Make sure they do not exceed the limits specified in the MLC Integration documentation.

Fault: Out-of-range configuration
Severity: Error
Description/Cause: Device <Sensor_name> has detected an out-of-range configuration value.
Action: Contact McAfee Technical Support for assistance.

Fault: Packet log channel down
Severity: Error
Description/Cause: The packet log channel for device <Sensor_name> is down. Reason: <
"Channel is up",
"Sensor unable to sync time with NSM (error 2)",
"Sensor unable to generate valid certificate (error 3)",
"Sensor unable to persist Sensor certificate (error 4)",
"Sensor fail connecting to NSM (error 5)",
"Sensor in untrusted connection mode (error 6)",
"Sensor install connection failed (error 7)",
"Sensor unable to persist NSM certificate (error 8)",
"Mutual trust mismatch between Sensor and NSM (error 9)",
"Error in SNMPv3 key exchange (error 10)",
"Error in initial protocol message exchange (error 11)",
"Sensor install in progress",
"Opening packet-log channel in progress",
"Link error. Attempting to reconnect (error 14)",
"Packet-log channel reconnect failed (error 15)",
"Closing packet-log channel in progress",
"Closing packet-log channel failed (error 17)",
"Send alert warning (error 18)",
"Keep alive warning (error 19)">
The Manager cannot communicate with the device via the channel on which the Manager receives packet logs.
Action: This fault clears when the packet log channel is back up.


Fault: Put peer DoS profile failure
Severity: Error
Description/Cause: The Sensor was unable to push a requested profile to the Manager.
Action: See the ems.log file for details on why the error is occurring. The fault will clear when the Sensor is able to push a valid DoS profile.

Fault: Peer DoS profile retrieval failure
Severity: Error
Description/Cause: Peer DoS profile retrieval request from device <Sensor_name> failed. No DoS profile for peer <peer_Sensor_name> is available.
Action: The Manager cannot obtain the requested profile from the peer Sensor, nor can it obtain a saved valid profile. See the log for details.
Description/Cause: Peer DoS profile retrieval request from device <Sensor_name> failed because the profile cannot be pushed to the device that requested it. See the system log for details.
Action: Check the Manager connection to Network Security Platform.

Fault: <Sensor> discovery failure
Severity: Error
Description/Cause: <Sensor>, <Sensor_name> failed to discover configuration information. The device is not properly initialized.
Action: Typically, the Manager will be unable to display the Sensor in this situation, which could indicate an old software image on the Sensor. If this fault is triggered because the Sensor is temporarily unavailable, the Manager will clear this fault when the Sensor is back online. If the fault persists, check to ensure that the Sensor has the latest software image compatible with the Manager software image. If the images are incompatible, update the Sensor image via a TFTP server.

Fault: Sensor reports an out-of-range configuration
Severity: Error
Description/Cause: The Manager received a value from the Sensor that is invalid. The additional text of the message contains details.
Action: This fault does not clear automatically; it must be cleared manually. Contact McAfee Technical Support for assistance.

Fault: Sensor reports NMS user privacy key decrypt failure
Severity: Error
Description/Cause: NMS user privacy key decryption failed for user <user_name>.
Action: Please delete the NMS user and add it again with valid credentials.

Fault: Sensor reports NMS user authentication key decrypt failure
Severity: Error
Description/Cause: NMS user authentication key decryption failed for user <user_name>.
Action: Please delete the NMS user and add it again with valid credentials.

Fault: Sensor configuration update failed
Severity: Error
Description/Cause: The Sensor configuration update failed to be pushed from the Manager server to the Sensor.
Action: Please see the ems.log file to isolate the reason for the failure.


Fault: Sensor discovery failure
Severity: Error
Description/Cause: The Sensor failed to discover its configuration information, and thus is not properly initialized. Typically, the Manager will be unable to display the Sensor. Could indicate an old Sensor image on the Sensor.
Action: Check the Manager connection to Network Security Platform. Check to ensure that the Network Security Platform has the latest software image compatible with the Manager software image. If the images are incompatible, update the image via a TFTP server.

The Manager has reached its limit (<queue_size_limit>) for alerts that can be queued for storage in the database. (no_of_alerts alerts dropped)

Fault: Sensor reports that the alert channel is down
Severity: Error
Description/Cause: This fault indicates that the Sensor is reporting that the alert channel is down, but the physical channel is actually up. Reason: <
"Channel is up",
"Sensor unable to sync time with NSM (error 2)",
"Sensor unable to generate valid certificate (error 3)",
"Sensor unable to persist Sensor certificate (error 4)",
"Sensor fail connecting to NSM (error 5)",
"Sensor in untrusted connection mode (error 6)",
"Sensor install connection failed (error 7)",
"Sensor unable to persist NSM certificate (error 8)",
"Mutual trust mismatch between Sensor and NSM (error 9)",
"Error in SNMPv3 key exchange (error 10)",
"Error in initial protocol message exchange (error 11)",
"Sensor install in progress",
"Opening packet-log channel in progress",
"Link error. Attempting to reconnect (error 14)",
"Packet-log channel reconnect failed (error 15)",
"Closing packet-log channel in progress",
"Closing packet-log channel failed (error 17)",
"Send alert warning (error 18)",
"Keep alive warning (error 19)">
Action: The Sensor will typically recover on its own. If you are receiving alerts with packet logs and your Sensor is otherwise behaving normally, you can ignore this message. Check to see if trust is established between the Sensor and the Manager by issuing a show command in the Sensor CLI. If this fault persists, contact McAfee Technical Support.

Fault: SSL decryption key invalid
Severity: Error
Description/Cause: The Manager detects that a particular SSL decryption key is no longer valid. The detailed reason why the fault is occurring is shown in the fault message. These reasons can range from the Sensor re-initializing itself with a different certificate to an inconsistency between the decryption key residing on a primary Sensor and its failover peer Sensor.
Action: Re-import the key (which is identified within the error message). The fault will clear itself when the key is determined to be valid.

Fault: Trust Establishment Error – Bad Shared Secret
Severity: Error
Description/Cause: Device <Sensor_name> could not be added to the Manager because the shared secret it provided does not match what was defined for it on the Manager.
Action: Make sure the shared secret entered on the device CLI matches the one defined within the Manager GUI. (Note: The shared secret is case sensitive.)


Trust Establishment Error – Unknown Device | Error | Device <Sensor_name> could not be added to the Manager because it has not been defined on the Manager. | Make sure the device you would like to add to the Manager has been defined within the Manager GUI before trying to add it via the device CLI. (Note: The device name is case sensitive.)

Update device configuration

Device Configuration update failed | Error | Device configuration update failed to be pushed from the Manager server to the Sensor. | See the ems.log file to isolate the reason for failure.

Device upload scheduler

Scheduled botnet detector deployment failure | Error | The Manager was unable to perform the scheduled BOT DAT deployment to the device <Sensor_name>. | Indicates that the Manager was unable to perform the scheduled BOT DAT deployment to the Sensor. This is because of network connectivity between the Manager and the Sensor, or an invalid DAT file. This fault clears when an update is sent to the Sensor successfully.

Sensor warning faults
These are the warning faults for a Sensor device.

Fault | Severity | Description/Cause | Action

DAT Config is out of sync | Warning | The DAT Segments Config update to the device <Sensor_name> failed. The Bot DAT Config file on the failover pair is out of sync as a result. (The Manager will automatically make another attempt to deploy the BOT DAT Config file.) | Ensure that the Sensor is online and is in good health. The Manager will make another attempt to push the file. The fault will be cleared when the Manager is successful.

Device configuration update is in progress | Warning | Device configuration update is in progress. | Device configuration update is in progress.

Device power up | Warning | The device has completed booting and is online. | This message is informational. Acknowledge or delete the fault to clear it.


Device performance - <CPU Utilization, TCP/UDP Flow Utilization, Port Throughput Utilization, Sensor Throughput Utilization, L2 Error Drop, L3/L4 Error Drop> | Warning | Network Security Device Performance Monitoring <CPU Utilization, TCP/UDP Flow Utilization, Port Throughput Utilization, Sensor Throughput Utilization, L2 Error Drop, L3/L4 Error Drop> triggered since the <% or empty string> crossed the threshold value with <fallen/risen/been> for <metric_value> band on <Sensor_name>. <Sensor_name> has <fallen/risen/been> to <above/below> <% or empty string> on <Sensor_name>, which is <above/below> the configured <alarm_name_as_configured_by_the_user> threshold of <threshold_value> <% or empty string>. |

Device in high latency mode | Warning | Device high latency mode is currently <LatencyConflict/LatencyConflictCleared>. (The device will attempt to automatically recover from the high latency condition.) Device high latency mode and Layer 2 bypass mode are currently <LatencyConflict/LatencyConflictCleared>. (The device will attempt to automatically recover from the high latency condition.) | The device will attempt to automatically recover from the high latency condition.

Device latency monitoring configuration is conflicting with Layer 2 monitoring configuration | Warning | Device latency monitoring configuration requires Layer 2 pass-through monitoring to be enabled. Disable moving Sensor to Layer 2 bypass mode on high latency or enable Layer 2 pass-through monitoring. | Disable moving Sensor to Layer 2 bypass mode on high latency or enable Layer 2 pass-through monitoring.

Device login failure | Warning | <Console/SSHD> login failure threshold of 3 attempts is exceeded for user name <user_name> from remote IP Address <remote_ip> on remote port <remote_port>. |

Device packet capturing terminated | Warning | Packet capturing has been stopped during device re-initialization. Please explicitly restart packet capturing, as required. | Restart Packet Capture if required.

Device DNS server connectivity status | Warning | DNS server is <Up and Reachable/Down or Unreachable> from the device. |

Physical configuration change | Warning | The physical configuration for device <Sensor_name> has changed. A new physical configuration has been discovered. | Occurs when the Sensor connects to the Manager with a different physical configuration.

Pluggable interface is absent | Warning | Indicates that the Pluggable interface is absent. | Indicates if the pluggable connector is absent in the cage.

Pluggable interface certification status | Warning | Indicates if the pluggable connector is McAfee certified or not. | Indicates if the pluggable connector is McAfee certified or not.


Sensor resetting due to FIPS mode change | Warning | This message is informational. |

SNMP trap received from load balancer | Warning | Load balancer <load_balancer_name> reported trap type <oid_of_the_mib_object_reported>. | Message generated based on SNMP trap received from device.

Uninitialized device | Warning | Device <Sensor_name> is not properly initialized. | The Sensor may have just been rebooted and is not up yet. Wait a few minutes to see if this is the issue; if not, check to ensure that a signature set is present on the Sensor. A resetconfig command may have been issued, and the Sensor not yet reconfigured.

Up | Warning | The Sensor has just completed booting and is on-line. | This message is informational. Acknowledge the fault.

XC Cluster

Load balancer port mode change for <port_pair> | Warning | Load balancer <load_balancer_name> reports operating mode for port <port_pair> changed to <Fail-open/Span/Tap/Fail-close>. | Message generated based on SNMP trap received from load balancer device.

Load balancer power up | Warning | Load balancer <load_balancer_name> has completed booting and is online. | This message is informational. Acknowledge or delete the fault to clear it.

Load balancer port fail-over mode change for <port_pair> | Warning | Load balancer <load_balancer_name> reports port <port_name> fail-over mode changed. | Message generated based on SNMP trap received from load balancer device.

Load balancer system fail-over mode change | Warning | Load balancer <load_balancer_name> reports fail-over mode change to <Unknown/Hunting for peer/Stand-alone/Primary/Secondary/Peer device software mismatch>. | Message generated based on SNMP trap received from load balancer device.


Load balancer system fail-over status change | Warning | Load balancer <load_balancer_name> reports fail-over status change to <Unknown/Hunting for peer/Stand-alone/Primary/Secondary/Peer device software mismatch>. | Message generated based on SNMP trap received from load balancer device.

Load balancer system peer fail-over status change | Warning | Load balancer <load_balancer_name> reports peer fail-over status change to <Unknown/Hunting for peer/Stand-alone/Primary/Secondary/Peer device software mismatch>. | Message generated based on SNMP trap received from load balancer device.

Load balancer port load balancing mode change for <port_name> | Warning | Load balancer <load_balancer_name> reports port <port_name> load balancing mode changed to <Good/Bad/Active/Inactive/Loopback/Rebalance/Spare/Standby/Standby Failure/Spare Active/Spare Inactive/Spare Failure>. | Message generated based on SNMP trap received from load balancer device.

Device IP settings

Device reboot required | Warning | The jumbo frame parsing setting on this device has been updated and a reboot is required for the change to take effect. | Please reboot the device to effect the change.

Vulnerability Manager configuration

Offline device download in progress | Warning | Offline device download has been initiated from the device command line interface. | Please wait for the offline Sensor download to complete.

Successful offline device download | Warning | Offline device download has completed with status <successful/failed>. Download type=<sigfile/software/software sigfile combo>, Time=<timestamp>, Filename=<downloaded_file_name> | Please see log messages if the download has failed, status code=<Successful/Failed>.

Licensing

Pending device license expiration | Warning | Device license expires in less than <x> days. | Please contact Technical Support or your local reseller.

Pending device support license expiration | Warning | Device support license expires in less than <x> days. |

Pending device add-on license expiration | Warning | Device license expires in less than <x> days. |

Pending device support add-on license expiration | Warning | Device license expires in less than <x> days. |


Pending license expiration for device of type <device_type> | Warning | License for this device expires in <x> days. | Please contact technical support or your local reseller to renew the License.

Device failover

Attempt to disable failover failed | Warning | Cannot disable failover on device <Sensor_name>. The device is offline. (The Manager will make another attempt when the device comes back online.) | Make sure that the Sensor is on-line. The Manager will make another attempt to disable failover when it detects that the Sensor is up. The fault will clear when the Manager is successful.

Botnet detectors out of sync | Warning | The deployment of botnet detectors to the device <Sensor_name> failed. The botnet detectors on the failover pair <Sensor_name1> are out of sync as a result. (The Manager will automatically make another attempt to deploy them.) | Make sure that the device is online and is in good health. The Manager will automatically make another attempt to deploy the botnet detectors. The fault will be cleared once the deployment is complete.

Firewall connection status inconsistent on failover Sensor pair | Warning | The firewall connection status on the failover pair <Sensor_peer_name> is inconsistent. This may cause the firewall function to be inconsistent for the pair. | Ensure that both Sensors of the failover pair are connected to the firewall and that both Sensors are online and in good health.


Signature segments out of sync | Warning | An attempt to update the signature set on both Sensors of a failover pair was unsuccessful for one of the pair, causing the signature sets to be out of sync on the two Sensors. | The Manager will make another attempt to automatically push the signature file down to the Sensor on which the update operation failed. Ensure that the Sensor in question is on-line and in good health. The fault will clear when the Manager is successful. If the operation fails a second time, a Critical Signature set download failure fault will be shown as well. Both faults will clear when the signature set is successfully pushed to the Sensor.

Signature segments out of sync | Warning | Signature deployment to device <Sensor_name> failed. The signature segments on failover pair <Sensor_peer_name> are out of sync. (The Manager will automatically make another attempt to deploy the signature.) | Ensure that the Sensor is online and in good health. The Manager will make another attempt to push the file down. The fault will clear when the Manager is successful.

SSL decryption keys out of sync | Warning | SSL decryption keys update to device <Sensor_name> failed, and the SSL decryption keys on failover pair <Sensor_peer_name> are out of sync as a result. (The Manager will automatically make another attempt to deploy the new keys.) | Ensure that the Sensor is online and in good health. The Manager will make another attempt to push the file down. The fault will clear when the Manager is successful.

Temperature Status | Warning | Inlet Temperature value increased above 44. | Check the Fan LEDs in front of the chassis to ensure all internal chassis fans are functioning. This fault will clear when the temperature returns to its normal range.


Signature set

Deprecated applications detected in firewall policies | Warning | The Manager has detected the following use of deprecated applications in firewall policies: <Deprecated Application <app_name> used in Policy <policy_name>/Rule#<ruleOrderNum>; Deprecated Application <app_name> used in Rule Element (of type Application Group) <rule_name>@<policy_name>/Rule#<ruleOrderNum>> | These applications must be removed from the firewall policies.
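The Device login failure fault in the table above carries its source in a fixed template (<Console/SSHD>, <user_name>, <remote_ip>, <remote_port>). The following Python is an added example, not part of this guide or of the Network Security Platform product: it parses fault text that follows that template into fields and groups the results by source address and by user name, so repeated threshold faults from one address against several accounts, or against one account from several addresses, stand out for review. The sample fault strings are constructed here from the template using RFC 5737 documentation addresses; the function names, the grouping rule and its threshold are assumptions for this example, not product settings.

```python
import re
from collections import Counter, defaultdict

# Pattern derived from the fault template in this guide:
# "<Console/SSHD> login failure threshold of 3 attempts is exceeded for user name
#  <user_name> from remote IP Address <remote_ip> on remote port <remote_port>."
LOGIN_FAILURE_RE = re.compile(
    r"^(?P<channel>Console|SSHD) login failure threshold of (?P<threshold>\d+) attempts "
    r"is exceeded for user name (?P<user>\S+) from remote IP Address "
    r"(?P<remote_ip>[0-9A-Fa-f.:]+) on remote port (?P<remote_port>\d+)\.?$"
)

# Constructed sample fault texts (not captured from a real Manager); RFC 5737
# documentation addresses are used for the remote IPs.
SAMPLE_FAULTS = [
    "SSHD login failure threshold of 3 attempts is exceeded for user name admin "
    "from remote IP Address 192.0.2.10 on remote port 51514.",
    "SSHD login failure threshold of 3 attempts is exceeded for user name operator "
    "from remote IP Address 192.0.2.10 on remote port 51520.",
    "Console login failure threshold of 3 attempts is exceeded for user name admin "
    "from remote IP Address 203.0.113.5 on remote port 4000.",
    # A different warning fault from the same table; the parser must ignore it.
    "Device configuration update is in progress.",
]


def parse_login_failure(message):
    """Return the fields of a Device login failure fault, or None for any other text."""
    m = LOGIN_FAILURE_RE.match(message.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["threshold"] = int(fields["threshold"])
    fields["remote_port"] = int(fields["remote_port"])
    return fields


def summarize(messages, min_distinct=2):
    """Group login-failure faults by remote address and by user name.

    Returns the fault count per remote IP, the addresses that hit at least
    `min_distinct` different user names, and the user names hit from at least
    `min_distinct` different addresses. `min_distinct` is an assumption made for
    this example, not a product setting.
    """
    faults_per_ip = Counter()
    users_per_ip = defaultdict(set)
    ips_per_user = defaultdict(set)
    for text in messages:
        fault = parse_login_failure(text)
        if fault is None:
            continue  # not a Device login failure fault
        faults_per_ip[fault["remote_ip"]] += 1
        users_per_ip[fault["remote_ip"]].add(fault["user"])
        ips_per_user[fault["user"]].add(fault["remote_ip"])
    return {
        "faults_per_ip": dict(faults_per_ip),
        "multi_user_sources": sorted(
            ip for ip, users in users_per_ip.items() if len(users) >= min_distinct
        ),
        "multi_source_users": sorted(
            user for user, ips in ips_per_user.items() if len(ips) >= min_distinct
        ),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_FAULTS)
    for ip, count in sorted(result["faults_per_ip"].items()):
        print(f"{ip}: {count} threshold fault(s)")
    print("addresses hitting several accounts:", result["multi_user_sources"])
    print("accounts hit from several addresses:", result["multi_source_users"])
```

Feed `summarize` the text of each Device login failure fault as exported from the Manager; the regex is anchored to the template, so any other fault text is skipped rather than misparsed.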

Sensor informational faults
These are the informational faults for a Sensor device.

Fault | Severity | Description/Cause | Action

Automatic BOT DAT set deployment in progress | Informational | A new BOT DAT set has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices. | This message is for user information. No action required.

BOT DAT deployment in progress | Informational | A new BOT DAT file has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices. | This message is for user information. No action required.

Cluster software initialization status | Informational | Device software has been initialized. | On initialization failure, check if cluster cross-connects are present as documented.

Device software or signature set import in progress | Informational | A device software image or signature set file is being imported into the Manager. | This message is for user information. No action required.

Device software or signature set download in progress | Informational | A device software image or signature set file is being downloaded from the McAfee Update Server to the Manager. | This message is for user information. No action required.

Port pair <port name> is back to In-line Fail-Open Mode | Informational | Indicates that the ports have gone from Bypass Mode back to normal. | This message is for user information, no action required.

Resource mismatch | Informational | A configured memory or CPU is less than the optimal number. | This message is for user information. No action required.

Sensor configuration update in progress | Informational | A Sensor configuration update is in the process of being pushed from the Manager server to the Sensor. | This message is for user information. No action required.

Sensor configuration update successful | Informational | Sensor configuration update successfully pushed from the Manager server to the Sensor. | This message is for user information. No action required.

Sensor discovery is in progress | Informational | The Manager is attempting to discover the Sensor. | This message is for user information. No action required.

Sensor resetting due to FIPS mode change | Informational | An upgrade or downgrade between FIPS and non-FIPS software images has been detected. This resets the Sensor configuration and restores the default login password. | This message is informational.


Sensor software image download failed | Informational | Sensor software image failed to download from the McAfee Update Server to the Manager server. | This message is for user information. No action required.

Sensor swappable port module status for group <G0/G1/G2/G3> | Informational | Sensor reports port module <removed/added> for group <G0/G1/G2/G3>. Sensor reports port module is removed from slot for group <G0/G1/G2/G3>. Sensor reports <NULL/QSFP/SFP> port module inserted into slot for group <G0/G1/G2/G3>. | This message is generated based on the user removing or inserting a port module into the Sensor slot.

Successful automatic botnet detectors deployment | Informational | A new botnet detector set has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices. | This message is for user information, no action required.

User login via console after sensor initialization | Informational | Sensor reports user login via console after sensor initialization. This is a FIPS 140-2 Level 3 violation. | This message is informational.

Licensing

Device discovered with license | Informational | Device <Sensor_name> was discovered with a license that will expire on <date>. | Renew the license before it expires.

License detected for <Sensor_name> of type | Informational | License valid until <date>. | Renew the license before it expires.

Device discovery

The <NTBA Appliance/Sensor>, <device_name> discovery in progress | Informational | The Manager is in the process of discovering the device. | Wait for the discovery of the device to complete.

Download software

Device software image download in progress | Informational | Device software image is in the process of downloading from the McAfee Update Server to the Manager server. | This message is for user information. No action required.

Device software image download successful | Informational | Device software image successfully downloaded from the McAfee Update Server to the Manager server. | This message is for user information. No action required.

Update device software

Device software update is in progress | Informational | A Sensor software update is in the process of being pushed from the Manager Server to the Sensor. | This message is for user information. No action required.

Device software update successful | Informational | Device software update successfully pushed from the Manager server to the Sensor. | This message is for user information. No action required.

Update device configuration

Device configuration deployment successful | Informational | The Manager successfully deployed the latest configuration to device <Sensor_name>. This includes new IPS signature sets, botnet detectors, and SSL keys, as applicable. | This message is informational.

Signature set


Device software, IPS signature set, or botnet detectors import in progress | Informational | A device software, IPS signature set, or botnet detectors file is being imported into the Manager. | This message is informational.

Device software, IPS signature set, or botnet detectors download in progress | Informational | A device software, IPS signature set, or botnet detectors file is being downloaded from the McAfee Update Server to the Manager. | This message is informational.

NTBA faults
The NTBA faults can be classified into critical, error, warning, and informational. The Action column provides you with troubleshooting tips.

NTBA critical faults
These are the critical faults for an NTBA device.

Fault | Severity | Description/Cause | Action

BOT DAT file download failure | Critical | The Manager cannot push the BOT DAT file to device <Sensor_name>. | Occurs when the Manager cannot push the BOT DAT file to the Sensor. Could result from a network connectivity issue.

Endpoint Intelligence Service is down | Critical | Endpoint Intelligence Service has not started as the ePO server is not reachable. | Please make sure that the ePO server is up and running and is reachable from NTBA.

Endpoint Intelligence Service is down | Critical | Endpoint Intelligence Service has not started as the ePO extension does not support the auto-signing service. | Make sure that the ePO server supports ePO Auto Signing functionality (Change on Name confirmation).

Endpoint Intelligence Service is down | Critical | Endpoint Intelligence Service has not started because of an authentication error connecting to the ePO server. | Please provide valid ePO Server credentials.

Endpoint Intelligence Service is down | Critical | Endpoint Intelligence Service has not started because of an internal error from the ePO server. | The ePO server responded with an error; please look at the ePO logs.

Endpoint Intelligence Service is down | Critical | Endpoint Intelligence Service has not started because of unexpected errors. | Please look at the ePO server and NTBA logs for the error. Please try again.

Endpoint Intelligence Service is down | Critical | Endpoint Intelligence Service has not started due to a corrupt certificate. | Certificate invalid, please retry saving again.

Endpoint Intelligence Service is down | Critical | Endpoint Intelligence Service has not started because the configured port for Endpoint Intelligence Service is already in use. | This port is already in use; please configure an unused port.

Link failure of <Appliance name> | Critical | The link between this port and the device to which it is connected is down, and communication is unavailable. | This is a connectivity issue. Contact your IT department to troubleshoot network connectivity. This fault clears when communication is re-established.


NTBA Public key download failure | Critical | Cannot push NTBA Public key file to device <Sensor_name>. | Occurs when the Manager cannot push the NTBA Public key file to the Sensor. Could result from a network connectivity issue.

NTBA Appliance unreachable | Critical | A command channel ping to NTBA Appliance <Appliance name> failed. The device is unreachable through its command channel. | Indicates that the NTBA cannot communicate with the Manager: the connection between the NTBA and the Manager is down, or the NTBA has been administratively disconnected. Troubleshoot connectivity issues: 1) check that a connection route exists between the Manager and the NTBA; 2) check the NTBA's status using the status command in the NTBA command line interface, or ping the NTBA or the NTBA gateway to ensure connectivity to the NTBA. This fault clears when the Manager detects the NTBA again.

NTBA error faults
These are the error faults for an NTBA device.

Fault | Severity | Description/Cause | Action

Device Configuration update failed | Error | Device configuration update failed to be pushed from the Manager server to the Sensor. | See the ems.log file to isolate the reason for failure.

Scheduled BOT DAT file deployment failed | Error | The Manager was unable to perform the scheduled Bot DAT deployment to the device <Sensor_name>. | Indicates that the Manager was unable to perform the scheduled Bot DAT deployment to the Sensor. This is because of network connectivity between the Manager and the Sensor, or an invalid DAT file. This fault clears when an update is sent to the Sensor successfully.

GAME configuration

NTBA <GAME Error> | Error | <GAME Error> | Please re-check the NTBA GAME configuration.

System related


NTBA Configuration Update Error | Error | One of: Sigfile parsing failed; Sigfile parsing failed in zone segment; Sigfile parsing failed in communication rules segment; Sigfile parsing failed in service segment; Sigfile parsing failed in anomaly segment; Sigfile parsing failed in reconnaissance segment; Sigfile parsing failed in FFT segment; Sigfile parsing failed in NBA segment; Sigfile parsing failed in worm segment; Sigfile parsing failed in policy segment; Sigfile parsing failed in pre-processing segment; Sigfile parsing failed in application profile segment; Sigfile parsing error. | Please retry the NTBA configuration update.

NTBA Sigset Mismatch Error | Error | There has been a mismatch between the NTBA version <tba_sw_version> and the sigset version <sigset_version>. NSM will now try to automatically push the appropriate matching sigset. | Please check the status of the follow-up NTBA configuration update.

NTBA Zone Configuration Event | Error | Invalid interface or zone configuration. All the zones configured are <Outside/Inside>. <Netflow processing will not work till this configuration is fixed. GTI reputation is not retrieved for internal hosts>. | Please verify the zone configuration in NTBA.

Storage server

NTBA <Storage Server Error/Storage Server Not Reachable/Storage Server Permission Denied/Storage Server Limit Reached 50%/Storage Server Limit Reached 75%/Backup Storage File Corrupted/Storage Server Limit Exhausted> | Error | <Storage Server Error/Storage Server Not Reachable/Storage Server Permission Denied/Storage Server Limit Reached 50%/Storage Server Limit Reached 75%/Backup Storage File Corrupted/Storage Server Limit Exhausted> | Please re-check the Storage Service Configuration.

TrustedSource

NTBA <TrustedSource Error> | Error | <TrustedSource Error> | Please re-check the TrustedSource configuration.


NTBA warning faults
These are the warning faults for an NTBA device.

Fault | Severity | Description/Cause | Action

DAT Config is out of sync | Warning | The DAT Segments Config update to the device <Sensor_name> failed. The Bot DAT Config file on the failover pair is out of sync as a result. (The Manager will automatically make another attempt to deploy the BOT DAT Config file.) | Ensure that the Sensor is online and is in good health. The Manager will make another attempt to push the file. The fault will be cleared when the Manager is successful.

This Release of NSM supports only one instance of NTBA vm. | Warning | The NTBA <NTBA_Appliance_name> is not discovered because of exceeding the maximum number of supported instances of NTBA virtual machines. | Please delete the device from the ism GUI.

Uninitialized device | Warning | Device <Sensor_name> is not properly initialized. | The Sensor may have just been rebooted and is not up yet. Wait a few minutes to see if this is the issue; if not, check to ensure that a signature set is present on the Sensor. A resetconfig command may have been issued, and the Sensor not yet reconfigured.

NTBA informational faults
These are the informational faults for an NTBA device.

Fault | Severity | Description/Cause | Action

Automatic BOT DAT set deployment in progress | Informational | A new BOT DAT set has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices. | This message is for user information. No action required.

BOT DAT deployment in progress | Informational | A new BOT DAT file has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices. | This message is for user information. No action required.

Interface change | Informational | During startup, the NTBA identifies changes (addition or removal) in the interface count. | This message is for user information. No action required.

NTBA database pruning | Informational | Current database usage: <percentage_value>% | NTBA Database Pruning threshold notification.

Successful automatic BOT DAT set deployment | Informational | A new BOT DAT set has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices. | This message is for user information, no action required.

Successful scheduled BOT DAT set deployment | Informational | A new BOT DAT file has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices. | This message is for user information, no action required.

The <NTBA Appliance/Sensor>, <device_name> discovery in progress | Informational | The Manager is in the process of discovering the device. | Wait for the discovery of the device to complete.


5 Error messages

This section lists the error messages displayed in McAfee Network Security Manager (Manager).

Contents
Error messages for RADIUS servers
Error messages for LDAP server

Error messages for RADIUS servers
The table lists the error messages displayed in the Manager.

Error Name | Description/Cause | Action

RADIUS Connection Successful | RADIUS server is up and running | RADIUS server is up and running

RADIUS Connection Failed | Network failure, congestion at servers or RADIUS server not available | Try after some time, check IP address and Shared Secret key

No RADIUS server configured | No server available | Configure at least one RADIUS server

Server with IP address and port already exists for RADIUS server | IP address and port connection not unique | Use a different IP address and port number

RADIUS server host IP address/host name is required | Field cannot be blank | Enter a valid host name/IP address

Shared Secret key is unique in case of RADIUS server | Field cannot be blank | Enter a valid host name/IP address

RADIUS server host IP address/host name cannot be resolved as entered | Invalid host name/IP address | Enter a valid host name/IP address

The table lists the error messages displayed in the User Activity Audit report.

Error Name | Description/Cause | Error Type

RADIUS Authentication | User <user name> with login Id <login Id> failed to authenticate to RADIUS server <RADIUS server host name/IP address> on port <port number> due to server timeout/network failure | User

Add Radius Server | Added RADIUS server IP Address/Host <IP address or host name>, port <port number> enable <Yes/No> | Manager

Edit RADIUS server | IP Address/Host <IP address or host name> set port <port number>, setEnabled <Yes/No> | Manager

Delete RADIUS server | Deleted RADIUS Server IP Address/Host <IP address or host name>, port <port number> | Manager


Error messages for LDAP server

The table lists the error messages displayed in the Manager.

Error Name | Description/Cause | Action
Server with IP address and port already exists for LDAP server | IP address and port combination not unique | Use a different IP address and port number
LDAP server host IP address/host name is required | Field cannot be blank | Enter a valid host name / IP address
LDAP server host IP address/host name cannot be resolved as entered | Invalid host name / IP address | Enter a valid host name / IP address
LDAP Connection Successful | The LDAP server is up and running | None required
LDAP Connection Failed | Network failure, congestion at the server, or LDAP server not available | Try again after some time; check the IP address
No LDAP server configured | No server available | Configure at least one LDAP server

The table lists the messages recorded in the User Activity Audit report.

Error Name | Description/Cause | Error Type
LDAP Authentication | User <user name> with login Id <login Id> failed to authenticate to LDAP server <LDAP server host name / IP address> on port <port number> due to server timeout / network failure | User
Add LDAP server | Added LDAP server IP Address/Host <IP address or host name>, port <port number>, enable <Yes/No> | Manager
Edit LDAP server | LDAP server IP Address/Host <IP address or host name> set port <port number>, setEnabled <Yes/No> | Manager
Delete LDAP server | Deleted LDAP server IP Address/Host <IP address or host name>, port <port number> | Manager


6 Troubleshooting scenarios

Contents
    Network outage due to unresolved ARP traffic
    Delay in alerts between the Sensor and Manager
    Sensor-Manager Connectivity Issues
    Wrong country name in IPS alerts
    Wrong country name in ACL alerts

Network outage due to unresolved ARP traffic

Scenario

Sudden outage in the network due to unresolved ARP traffic.

Applicable to Sensor models: M-series, NS-series

Sensor software version: 7.1, 7.5, 8.1

Problem type to be solved

Resolve ARP traffic that the Sensor drops because of the heuristic web application server protection configuration setting.

Data/Information Collection

1 Check whether the ARP MAC Address Flip-Flop attack is disabled in the policy.

Go to Policies | IPS Policies | Customized Active Policy and click Edit.

Check the policy on every interface of the device and make sure the ARP MAC Address Flip-Flop alert is either disabled or not included in the policy on any of the device interfaces.


2 Check if the Heuristic Web Application Server Protection is enabled.

Go to Devices | Devices | <Device Interface> | Protection Profile.

Check each interface of the device individually.

3 Check whether ARP spoofing detection is enabled on the Sensor with the command show arp spoof status.

Explanation

When heuristic web application server protection is enabled, Manager caching is disabled and only the attacks selected by the user are pushed to the Sensor. If the ARP MAC Address Flip-Flop attack is not among the attacks the user selected, the Sensor drops the ARP packets. This happens in scenarios such as:

• Dynamic (virtual) MAC addresses being assigned in the network (vMAC)

• A firewall in failover mode that uses a virtual MAC address: the IP address stays the same, but the MAC address changes on failover

Troubleshooting Steps

1 Disable ARP spoofing detection on the Sensor using the arp spoof command.

2 Disable Heuristic Web Application Server Protection on the device’s individual interfaces.

If the problem still persists, contact McAfee Support for further assistance.
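The check behind this scenario is the ARP MAC Address Flip-Flop detection: one IP address answering from two different MAC addresses within a short window, which is exactly what a failover firewall pair or a vMAC change looks like. The following is an added illustration of that logic and of the exception approach the troubleshooting steps point to; it is not McAfee Sensor code. The ARP records, the exception table, the 30-second window and the table layout are all constructed assumptions for the example.

```python
"""ARP MAC flip-flop detector with a per-IP exception table (illustrative, not McAfee code)."""
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "ts ip mac")   # ts in seconds, mac lower-case

# Operator-maintained exception table (assumption): IP -> MACs that may
# legitimately answer for it, e.g. both members of a failover firewall pair.
FIREWALL_CLUSTER = {
    "10.0.0.254": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}

# Constructed ARP replies: a firewall failover, an ARP spoof, and a slow NIC change.
SAMPLE_REPLIES = [
    ArpReply(0.0,   "10.0.0.254", "aa:bb:cc:00:00:01"),  # firewall node A
    ArpReply(0.0,   "10.0.0.10",  "de:ad:be:ef:00:10"),  # workstation
    ArpReply(4.0,   "10.0.0.10",  "de:ad:be:ef:66:66"),  # attacker claims 10.0.0.10
    ArpReply(20.0,  "10.0.0.254", "aa:bb:cc:00:00:02"),  # failover: same IP, node B's MAC
    ArpReply(100.0, "10.0.0.20",  "11:22:33:44:55:66"),
    ArpReply(200.0, "10.0.0.20",  "11:22:33:44:55:77"),  # outside the window: not a flip-flop
]


def detect_flip_flops(replies, window=30.0, exempt=None):
    """Return (ts, ip, old_mac, new_mac) for every flip-flop not covered by `exempt`.

    A flip-flop is an IP seen from MAC X and then from MAC Y != X within
    `window` seconds. If both X and Y are listed for that IP in `exempt`,
    the change is treated as a known failover and ignored.
    """
    exempt = exempt or {}
    last_seen = {}   # ip -> (ts, mac)
    events = []
    for r in sorted(replies, key=lambda x: x.ts):
        mac = r.mac.lower()
        prev = last_seen.get(r.ip)
        if prev is not None:
            prev_ts, prev_mac = prev
            changed = mac != prev_mac and (r.ts - prev_ts) <= window
            allowed = {prev_mac, mac} <= exempt.get(r.ip, set())
            if changed and not allowed:
                events.append((r.ts, r.ip, prev_mac, mac))
        last_seen[r.ip] = (r.ts, mac)
    return events


if __name__ == "__main__":
    for ev in detect_flip_flops(SAMPLE_REPLIES):
        print("flip-flop without exception:", ev)
    for ev in detect_flip_flops(SAMPLE_REPLIES, exempt=FIREWALL_CLUSTER):
        print("flip-flop after firewall exception:", ev)
```

Without the exception table both the spoof and the firewall failover are reported; with the cluster's two MACs listed for 10.0.0.254, only the spoof remains. The same reasoning applies to the policy: rather than disabling the attack outright, exclude the hosts whose MAC is expected to change.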

Delay in alerts between the Sensor and Manager

Scenario

Delay in receiving the Sensor alerts on the Manager.

Applicable to Sensor models: M-series, NS-series


Sensor software versions: 7.1, 7.5, 8.0, 8.1

Problem type to be solved

• Delay in the Sensor alerts being sent to the Manager

• Sensor alerts are not seen in real time on the Manager

• Time lag in sending the Sensor alerts to the Manager

Data/Information Collection

1 Run the following commands on the Sensor, each one five times over a 10-second period:

• status

• show sensor-load

• getccstats

Also execute the same commands on a similar model Sensor, which does not have the issue.

2 Collect graphs for Sensor throughput utilization and port utilization.

3 Collect the attack csv file for this Sensor from the Threat Analyzer.

4 Collect the alert archival for the last 24 hour time duration.

5 Retrieve the configuration backup of the Manager.

6 Create/collect the network diagram that clearly indicates where the Sensor and the Manager are located.

Troubleshooting steps

1 Check for network connectivity issues or latency between the Sensor and the Manager. Latency on that path lowers the rate at which alerts reach the Manager.

2 Verify that the entire link between the Sensor management port and the Manager is 1G auto, and that the correct CAT6 cables are used.

3 Check whether other Sensors connected to the same Manager have the same issue. If they do, the problem is on the Manager side.

4 Check the Sensor policy being used. If the All Inclusive with Audit or All Inclusive without Audit is used, the Sensorprocesses more alerts and hence alert generation rate increases. Switching to Default Inline policy can helpresolve the delay issue sometimes.

5 Check if there are any saved alerts/packetlogs on the Sensor.

Command: show savedalertinfo

6 Check if there is any specific category of alerts, which is delayed or all the alerts are delayed. Also check ifthe system events that are being raised, are also delayed.

7 Check if the alerts are seen in the Historical Threat Analyzer. The Real Time Threat Analyzer reflects the alerts fromcache but the Historical Threat Analyzer shows from the database. This check will confirm if the issue is on thedatabase or cache. Check the database size and if it is very high, purge and tune the database.

8 Check the time on the Sensor and if it matches with the Manager system time. If there is any issue with thetime stamp, the Manager may show the wrong timestamp in the Threat Analyzer, which can incorrectlyappear as alerts being delayed.


9 Check the rate of alerts generated/detected by the Sensor with the getccstats command, which reports the following:

• To check the status of control/alert channel (to the Manager)

• To check the alert suppression/throttling configuration status and suppression intervals

• To check the sensor failover action (1 = Enabled, 2 = Disabled) and failover status (1 = Active, 2 = Standby,3 = Init/Not Applicable), failover peer status (1 = Up, 2 = Down, 3 = Incompatible, 4 = Compatible, 5 =Init/Not Applicable), fail-open status (1 = Enabled, 2 = Disabled)

• To check the count of detected alerts (signature-based, scan/recon, DoS) sent to management port andpeer Manager (in case of MDR)

• To check the count of throttled alerts

• To check the count of alerts sent to and received from Correlation Engine, alert correlation counts

• To check the count of alerts in ring buffer, queued to be sent to the Manager

• To check ACL alerts’ throttling configuration status (throttling interval and threshold)

• To check the count of throttled ACL alerts (both IPS and NAC)

• To check the Sensor reboot count and/or alert wrap count

The following statistics indicate that many alerts are still pending in the ring buffer:

AlertsInRngBufPriCount = 83621

AlertsInRngBufSecCount = 83606

PutAlertInRngBufErrCount = 6499317

The alert rate may be higher than the Manager can handle. The Manager then introduces a back-off-style delay (reaching a maximum of 30 seconds per alert), which causes alerts to queue up in the ring buffer. Once this condition is reached, the alert delay grows over time. To recover, identify the attack types involved, create an exception rule to filter the attack, and check whether the Manager recovers.
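The instruction to run getccstats several times in a row only helps if the samples are compared. The following added example (not McAfee code) reads the three ring-buffer counters the page highlights out of consecutive getccstats samples and reports whether the backlog is growing and whether put errors are rising, which together are the signature of a Manager that cannot keep up. The snapshots are constructed; the 'Name = value' line layout is taken from the excerpt above, and the 2.5-second sampling interval is an assumption.

```python
"""Trend check over repeated getccstats samples (illustrative, not McAfee code)."""
import re

KV_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(-?\d+)\s*$")
WATCHED = ("AlertsInRngBufPriCount", "AlertsInRngBufSecCount", "PutAlertInRngBufErrCount")


def parse_getccstats(text):
    """Return {counter: int} for every 'Name = number' line; other lines are ignored."""
    stats = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def ring_buffer_trend(snapshots, interval_s=2.5):
    """Compare consecutive getccstats snapshots taken `interval_s` seconds apart.

    Returns per-counter deltas, the queue growth rate in alerts/second, and two
    flags: backlog_growing (primary ring-buffer count rose between every pair of
    samples) and put_errors (PutAlertInRngBufErrCount rose at all).
    """
    parsed = [parse_getccstats(s) for s in snapshots]
    if len(parsed) < 2:
        raise ValueError("need at least two snapshots")
    deltas = {}
    for key in WATCHED:
        vals = [p.get(key) for p in parsed]
        if None in vals:
            raise ValueError(f"counter {key} missing from a snapshot")
        deltas[key] = [b - a for a, b in zip(vals, vals[1:])]
    pri = deltas["AlertsInRngBufPriCount"]
    backlog_growing = all(d > 0 for d in pri)
    put_errors = sum(deltas["PutAlertInRngBufErrCount"]) > 0
    growth_rate = sum(pri) / (interval_s * len(pri))
    if backlog_growing and put_errors:
        verdict = "ring buffer filling and put errors rising: Manager is not keeping up"
    elif backlog_growing:
        verdict = "ring buffer backlog growing: alerts are being delayed"
    elif put_errors:
        verdict = "put errors rising while backlog is flat: alerts dropped at the Sensor"
    else:
        verdict = "ring buffer stable or draining"
    return {"deltas": deltas, "growth_rate": growth_rate,
            "backlog_growing": backlog_growing, "put_errors": put_errors, "verdict": verdict}


# Constructed samples (three instead of five, to keep the example short).
CONGESTED = [
    "AlertsInRngBufPriCount = 83621\nAlertsInRngBufSecCount = 83606\nPutAlertInRngBufErrCount = 6499317\n",
    "AlertsInRngBufPriCount = 84102\nAlertsInRngBufSecCount = 84090\nPutAlertInRngBufErrCount = 6501200\n",
    "AlertsInRngBufPriCount = 84677\nAlertsInRngBufSecCount = 84660\nPutAlertInRngBufErrCount = 6503950\n",
]
HEALTHY = [
    "AlertsInRngBufPriCount = 12\nAlertsInRngBufSecCount = 11\nPutAlertInRngBufErrCount = 0\n",
    "AlertsInRngBufPriCount = 9\nAlertsInRngBufSecCount = 9\nPutAlertInRngBufErrCount = 0\n",
    "AlertsInRngBufPriCount = 3\nAlertsInRngBufSecCount = 2\nPutAlertInRngBufErrCount = 0\n",
]

if __name__ == "__main__":
    for name, snaps in (("congested", CONGESTED), ("healthy", HEALTHY)):
        print(name, ring_buffer_trend(snaps)["verdict"])
```

Run the same comparison on the reference Sensor that does not show the delay: a stable or shrinking primary count there, against a growing one on the affected Sensor, points at the Manager side rather than at the Sensor.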


10 Take the packet captures at the Sensor and the Manager side to identify whether the issue is at the Sensor/Manager side or network side.

On the Manager, use Wireshark or an equivalent tool to capture packets on Manager port 8502.

(Figures: sample packet capture on the Sensor; sample packet capture on the Manager.)

Using packet captures from the Sensor and the Manager, which are taken simultaneously, you can identify ifthere is a delay in the Sensor sending the alert to the Manager or there is a delay in the Manager sendingthe alert acknowledgment to the Sensor or is it both (pointing to a network issue).

11 Check if Layer 7 Data Collection is enabled on the Sensor. There is a known issue when Layer 7 DataCollection is enabled, where the alerts in the Real-Time Threat Analyzer are no longer received in real time.

IntruDbg#> show l7dcap-usage

Layer-7 Dcap Buffers Allocated at Init 16000

Layer-7 Dcap Buffers Available now 16000

Layer-7 Dcap Buffers Alloc Errors 0

Layer-7 Dcap Alert Buffers Allocated 40960

Layer-7 Dcap Alert Buffers Available 40960

Layer-7 Dcap Alert Buffers Allocate Error 0

Layer-7 Dcap Regular Alert's Sent 0

Layer-7 Dcap Special Alert's sent 0

Layer-7 Dcap Context End Alert's Sent 0

Layer-7 Dcap CB InActive when DCAP Called 0

Layer-7 Dcap Ring Buffer Errors 0

Alert Ring Buffer Full Cnt 0

Num Alerts Dropped at Sensors 0

Layer-7 Dcap Fifo Check Seen 0


12 On the Manager database, use SQL queries to check the rate at which alerts reach the Manager. Log in to MySQL on the Manager server and run the following:

a Get Sensor ID from database:

select sensor_id, name from iv_sensor;

b Input the time range for which the alert generation rate needs to be checked:

SELECT "2014-05-29 18:39:47", "2014-05-30 18:39:47" INTO @stdate, @enddate;

c Total alerts per Sensor ID in the time range:

SELECT sensorid, COUNT(*) atcount FROM iv_alert WHERE creationtime BETWEEN @stdate AND @enddate GROUP BY sensorid ORDER BY atcount;

d Total packet logs for the problematic Sensor ID in the time range:

SELECT sensorid, COUNT(*) pktcount FROM iv_packetlog WHERE (creationtime BETWEEN @stdate AND @enddate) AND sensorid=<id of problematic sensor> GROUP BY sensorid ORDER BY pktcount;

If the problem still persists, contact McAfee Support for further assistance.

Sensor-Manager Connectivity Issues

Scenario

Connectivity issues between the Sensor and Manager.

Applicable to Sensor models: M-series, NS-series

Sensor software versions: 8.1, 8.3, 9.1

Problem type to be solved

Sensor is not detected on the Manager.

Trust establishment does not happen between the Sensor and Manager.

Data/Information Collection

1 Execute the following commands on the Sensor:

• status

• show

• show sbcfg

• show mgmtcfg

• show doscfg

• show mgmtport

• getccstats

• show netstat

• checkmanagerconnectivity (applicable only to Sensor software 8.1 and above)


2 Collect the Manager InfoCollector logs. If possible, enable detailed debug messages by adding or changing the following lines in <Manager_INSTALL_DIR>/config/log4j_ism.xml:

<category name="iv.core.DiscoveryService">
    <priority value="DEBUG"/>
</category>

<category name="iv.core.SensorConfiguration">
    <priority value="DEBUG"/>
</category>

3 Collect the Sensor trace files.

4 Collect packet capture at the Manager (for the problematic Sensor).

5 Collect a network diagram that clearly shows where the Sensor and the Manager are located.

Troubleshooting Steps

1 Check if there is any network connectivity issue such as conflicting IP address of the Sensor. This can resultin alert/pktlog channel flaps.

2 Verify that the management interface speed and duplex settings are configured correctly, and hard-coded, on both the Manager and the Sensor. If communication still fails, set one side to auto-negotiate and cycle the other side's duplex and speed settings until communication is established or all combinations are exhausted.

3 Ping from the Sensor to Manager and Manager to Sensor, and make sure the ping goes fine.

4 Check if the other Sensors connected to the same Manager are also facing this issue.

If yes, then it is a Manager issue.

5 Check the IP address of the system on which the Manager is installed. Make sure the correct IP address isprovided in the Sensor command set manager ip.

6 Deinstall the Sensor and establish trust with the Manager again.

7 Check whether the Manager machine has multiple NICs. If it does, open <Manager_INSTALL_DIR>/bin/tms.bat and modify the following line so that it carries the Manager IP address that is also configured on the Sensor, then restart the Manager:

set JAVA_OPTS=%JAVA_OPTS% -Dlumos.fixedManagerSNMPIPaddress="<Manager IP address>"

8 Check the Sensor name, which is given on the Manager while adding the Sensor using the Add New Devicewizard. Sensor name is case sensitive so make sure it exactly matches the one given on the Manager.

9 Check that the device type is selected as IPS Sensor while adding the Sensor using Add New Device. Selectingincorrect device type can also lead to connectivity issues.

10 Make sure that no firewall is blocking traffic between the Manager and the Sensor on the following ports:

Manager:4167 -> Sensor:8500 (UDP)

Sensor:Any -> Manager:8501-8504,8510 (TCP) for 1024-bit trusts

Sensor:Any -> Manager:8504,8506-8509 (TCP) for 2048-bit trusts

11 If using the malware policy, check if the file save option is enabled. Make sure firewall is not blocking ports8509 and 8510, which are used for saving malware files.

12 Check that UDP port 8500 is open and allows the Manager to Sensor SNMP communication.

13 Use the netstat -na command to verify that ports 8501-8505 are listening on the Manager: click Start | Run, type cmd, press ENTER, then type netstat -na.
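Steps 10 to 13 amount to comparing what the Manager is actually listening on with the port matrix for the trust type in use. The following added example (not McAfee code) parses the LISTENING lines of a Windows netstat -na dump and reports the Manager-side TCP ports from step 10 that are missing, with the malware file-save ports from step 11 as an option. The netstat text is constructed; the port sets are copied from steps 10 and 11 above.

```python
"""Manager listening-port check against 'netstat -na' output (illustrative, not McAfee code)."""
import re

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)

# Manager-side TCP ports from step 10, keyed by trust key length.
MANAGER_TCP_PORTS = {
    1024: {8501, 8502, 8503, 8504, 8510},
    2048: {8504, 8506, 8507, 8508, 8509},
}
# Ports used for saving malware files (step 11).
MALWARE_FILE_SAVE_PORTS = {8509, 8510}


def listening_tcp_ports(netstat_text):
    """Return the set of TCP ports in LISTENING state.

    Handles both IPv4 ('0.0.0.0:8501') and IPv6 ('[::]:8501') local addresses.
    """
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            local = m.group(1)
            ports.add(int(local.rsplit(":", 1)[1]))
    return ports


def missing_manager_ports(listening, trust_bits=2048, malware_file_save=False):
    """Sorted list of required Manager ports that are not listening."""
    required = set(MANAGER_TCP_PORTS[trust_bits])
    if malware_file_save:
        required |= MALWARE_FILE_SAVE_PORTS
    return sorted(required - listening)


# Constructed 'netstat -na' excerpt: 8509 and 8510 are not listening.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8501           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8502           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8503           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8504           0.0.0.0:0              LISTENING
  TCP    [::]:8506              [::]:0                 LISTENING
  TCP    0.0.0.0:8507           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8508           0.0.0.0:0              LISTENING
  TCP    10.1.1.5:8502          10.1.1.77:49211        ESTABLISHED
  UDP    0.0.0.0:4167           *:*
"""

if __name__ == "__main__":
    ports = listening_tcp_ports(SAMPLE_NETSTAT)
    for bits in (1024, 2048):
        print(f"{bits}-bit trust, missing:", missing_manager_ports(ports, bits))
    print("2048-bit trust with malware file save, missing:",
          missing_manager_ports(ports, 2048, malware_file_save=True))
```

A port that is listening on the Manager but still unreachable from the Sensor points at a firewall or routing problem on the path rather than at the Manager service, which is where the packet capture in step 4 of the data collection comes in.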


14 Make sure large UDP and/or fragmented UDP packets are not dropped between the Sensor and Managercommunication. This can lead to SNMP timeout. Look for the following logs in ems.log:

ems.log excerpt:

2014-06-27 15:47:29,150 INFO [Thread-135] iv.core.SensorConfiguration - M1450 Experience a SNMP error during set/get, Change the STATUS to DISCCONECTED

2014-06-27 15:47:29,163 ERROR [Thread-135] iv.core.SensorConfiguration - Fail to process SNMP return node:

com.intruvert.ext.sensorconfig.leap.SensorConfigException: Time Out

15 Capture UDP traffic with Wireshark on the Manager and check whether the Manager receives UDP response packets from the Sensor.

(Figure: sample UDP capture on the Manager.)

16 Check that the time on the Sensor matches the Manager system time.

17 Check the Manager logs for Out Of Memory messages. Memory exhaustion on the Manager can cause connectivity issues between the Sensor and the Manager.

18 Check whether the Manager is part of an MDR pair. If it is, verify that the primary Manager IP configured on the Sensor is the IP of the active Manager, and check whether the Sensor is treating the standby Manager as the primary. Either condition can cause connectivity issues.

If the problem still persists, contact McAfee Support for further assistance.

Wrong country name in IPS alerts

Scenario

To find the root cause when IPS alerts in the Threat Analyzer show the wrong country name for source or destination IP addresses.

Applicable to Sensor models: M-series, NS-series

Sensor software versions: 7.1, 7.5, 8.1 and 8.2

Problem type to be solved

Threat analyzer displays wrong country name for source or destination IP address for an IPS alert.


Troubleshooting Steps

1 Look up the IP address at maxmind.com to find its geographic location.

If the country shown in the Threat Analyzer does not match that location, the issue lies with the Manager or with the geographic database in the cloud.

2 Log in to the Sensor with the admin ID, enter debug mode with the debug command, and then run:

set loglevel mgmt (all | <0-12>) <0-15>

To disable logging again, run set loglevel mgmt 0 0.

Aug 28 06:36:16 localhost tL: DBG2 ctrlch|postAlertDataToSyslogViewer: syslog msglen 174, data <36>Aug 28 06:36:16 GMT mil-ips-01 AlertLog: mil-ips-01 detected Outbound attack HTTP: IIS3 ASP dot2e (severity = Medium). 1.2.0.2:43058 -> 1.2.0.4:80 (result = Inconclusive)

Aug 28 06:36:16 localhost tL: DBG0 ctrlch|alertTransmittedCountUpdate: IN

Aug 28 06:36:16 localhost tL: DBG0 ctrlch|alertTransmittedCountUpdate: msgId is(335)

Aug 28 06:36:16 localhost tL: DBG0 ctrlch|alertTransmittedCountUpdate: EXIT

Aug 28 06:36:16 localhost tL: DBG0 ctrlch|CCout(0) processCtrlChanAlerts Id:335(baseId:83886415)

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| -out-BEGIN Mobile SIGNATURE(335),size(565)

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Attack Id = 4202651

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Syslog Attack Id = 1438464

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Time Stamp = 1409207775

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Alert Count = 1

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| VIDS Id = 2030

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Syslog VIDS Id = 4

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| VLAN Id = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Alert Duration = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Log ID = 6052501239499929418

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Slot Id = 2

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Port Id = 25

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Protocol Id = 16

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Qualifier 1 = 1

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Qualifier 2 = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Src IP = 0x1020002

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Dstn IP = 0x1020004

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Request LastByte Offset = ffffffff


Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Response LastByte Offset = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Attack Pkt Search Num = 1

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| SrcPort = 43058

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| DstnPort = 80

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Protocol = 6

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Signature Id = 226

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| PP State = 14

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Prev Stream Flag = 1

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Frag Flag = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Corr Flag = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Inside = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| SuppressedSigId Bits = 1

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| inline Drop = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| ReCfg Firewall = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| flags = 40

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| mpeFlags = 8

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| appId = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| normalize reputation = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| normalize geoLocation = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| xff ip direction= 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| mobileFlags = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch|devProf Src deviceInfo = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch|devProf Src confLevel = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch|devProf Src osInfo = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch|devProf Src detectSrcType = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch|devProf Dst deviceInfo = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch|devProf Dst confLevel = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch|devProf Dst osInfo = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch|devProf Dst detectSrcType = 0

Aug 28 06:36:16 localhost tL: DBG0 ctrlch| --------------------

Aug 28 06:36:16 localhost tL: DBG0 ctrlch|64-bit Uid = a a0 50 8 be 8a d3 57.

Aug 28 06:36:16 localhost tL: DBG0 ctrlch|id: 335, msgType: 1


Aug 28 06:36:16 localhost tL: DBG0 ctrlch|processSigAlertMsg - reCfgFw mask = 0x0

A geographic ID of 0 here means that the Sensor did not send any geographic information for the corresponding source or destination IP address.

3 Run step 2 again and wait for the IPS alert to be raised once more. This time the Sensor log shows the country code the Sensor sent for that IPS alert.

If the Sensor sends a geographic location ID of 0, the problem is in the geographic database cloud that the Manager queries to map the IP address to a location. For an IPS alert the Sensor normally does not send any geographic location ID at all, so a wrong country name for the source or destination IP address of an IPS alert is an issue with the Manager.

If the problem still persists, contact McAfee Support for further assistance.
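The alert dump above prints addresses as raw hex and the geolocation field as a bare integer, so the two facts this scenario hinges on (which IP the Sensor actually reported, and whether the Sensor supplied any geo information) are easy to misread. The following added example (not McAfee code) pulls those fields out of the ctrlch| lines, converts the hex addresses to dotted quads, cross-checks them against the syslog rendering of the same alert, and states which side performed the country lookup. The sample is a trimmed copy of the dump shown above; the field-name regex is an assumption based on that layout.

```python
"""Parse the Sensor's control-channel alert dump for addresses and the geo flag (illustrative)."""
import ipaddress
import re

# 'ctrlch| Name = value' lines; names are letters, digits and spaces only.
FIELD_RE = re.compile(r"ctrlch\|\s*([A-Za-z0-9][A-Za-z0-9 ]*?)\s*=\s*(\S+)")
# '1.2.0.2:43058 -> 1.2.0.4:80' as printed in the syslog line.
SYSLOG_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)\s*->\s*(\d+\.\d+\.\d+\.\d+):(\d+)")


def parse_alert_dump(text):
    """Return {field: raw value} for every 'ctrlch| Name = value' line."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.search(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def hex_ipv4(value):
    """'0x1020002' -> '1.2.0.2'."""
    return str(ipaddress.IPv4Address(int(value, 16)))


def geo_check(dump_text):
    """Decode the 5-tuple and say whether the Sensor or the Manager supplied the country."""
    f = parse_alert_dump(dump_text)
    result = {
        "src": hex_ipv4(f["Src IP"]),
        "dst": hex_ipv4(f["Dstn IP"]),
        "src_port": int(f["SrcPort"]),
        "dst_port": int(f["DstnPort"]),
        "sensor_sent_geo": int(f.get("normalize geoLocation", "0")) != 0,
    }
    result["country_lookup_done_by"] = (
        "Sensor" if result["sensor_sent_geo"] else "Manager (geographic database)")
    # Cross-check against the syslog rendering of the same alert, if present.
    m = SYSLOG_RE.search(dump_text)
    result["matches_syslog"] = bool(m) and (
        m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
    ) == (result["src"], result["src_port"], result["dst"], result["dst_port"])
    return result


# Trimmed copy of the dump shown on the page.
SAMPLE_DUMP = """\
Aug 28 06:36:16 localhost tL: DBG2 ctrlch|postAlertDataToSyslogViewer: syslog msglen 174, data <36>Aug 28 06:36:16 GMT mil-ips-01 AlertLog: mil-ips-01 detected Outbound attack HTTP: IIS3 ASP dot2e (severity = Medium). 1.2.0.2:43058 -> 1.2.0.4:80 (result = Inconclusive)
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Attack Id = 4202651
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Src IP = 0x1020002
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Dstn IP = 0x1020004
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| SrcPort = 43058
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| DstnPort = 80
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Protocol = 6
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| normalize reputation = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| normalize geoLocation = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch|64-bit Uid = a a0 50 8 be 8a d3 57.
"""

if __name__ == "__main__":
    for k, v in geo_check(SAMPLE_DUMP).items():
        print(f"{k}: {v}")
```

If the decoded addresses match the syslog line and the geo flag is 0, the Sensor reported the right IP and left the country lookup to the Manager, which is where the investigation continues.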

Wrong country name in ACL alerts

Scenario

Wrong country name appears in ACL alerts/ACL logs.

Applicable to Sensor models: M-series

Sensor software version: 8.1, 8.3, 9.1

Problem type to be solved

Wrong country name is displayed in the ACL alerts/ACL logs when forwarded to third party software either fromthe Sensor or from the Manager.

Data/Information Collection

Execute show acl stats in the Sensor CLI.

Troubleshooting Steps

Run the show acl stats command in the Sensor CLI to fetch the following data from the management processor:

• Number of ACL alerts sent by the datapath processor to the management processor

• Number of ACL alerts sent from the management processor to the Manager or third party software tool.

If the Received count exceeds the Sent and Sent Direct counts by a large margin (but by fewer than 10,000), the buffer that holds ACL alerts on the management processor is full. This is potentially the cause of the issue.

intruShell@mil-ips-01> show acl stats

[Acl Alerts]

Received : 0

Suppressed : 0

Sent : 0


Sent Direct : 0

Stateless ACL Fwd count : 0

The buffer that receives ACL alerts from the datapath processor is full and is not flushed on events such as ACL alert suppression being disabled or enabled. If the ACL alert buffer is not flushed in this situation, the country name of an old ACL alert is mixed into a new ACL alert, which results in the wrong country name in the ACL logs.

If the country name is displayed wrong in the ACL alert, for either source IP address or destination IP address,then there is an issue with the Sensor. If you are not able to solve the problem even after repeating the stepsexplained in troubleshooting, or the problem is not understood, contact McAfee Support for further assistance.


7 Using the InfoCollector tool

This section describes the following aspects of using the Infocollector tool.

Contents
    Introduction
    How to run the InfoCollector tool
    Using InfoCollector tool

Introduction

InfoCollector is an information collection tool, bundled with the Manager, that allows you to easily provide McAfee with McAfee® Network Security Platform-related log information. McAfee can use this information to investigate and diagnose issues you may be experiencing with the Manager.

InfoCollector can collect information from the following sources within McAfee Network Security Platform:

Information Type | Description
Ems.log files | Configurable logs containing information from the various components of the Manager. The current ems.log file is renamed with the current timestamp when its size reaches 1 MB, and a new ems.log is created to collect the latest log information.
Configuration backup | A collection of database information containing all Network Security Platform configuration information.
Configuration files | XML and property files within the Network Security Platform config directory.
Fault log | A table in the Network Security Platform database that contains generated fault log messages.
Sensor trace | A file containing various McAfee® Network Security Sensor (Sensor) related log files.
Compiled signature | A file containing signature information and policy configuration for a given Sensor.

InfoCollector is a tool that can be used both by you and by McAfee.

McAfee systems engineers can use the InfoCollector tool to provide you with a definition (.def) file via email.This file is configured by McAfee to automatically choose information that McAfee needs from your installationof Network Security Platform. You simply open the definition file within the InfoCollector and it willautomatically select the information that McAfee needs from your installation of the Manager.

Alternatively, a manual approach can also be used with InfoCollector, and you can select information yourself toprovide to McAfee. For example, McAfee may ask you to select checkboxes that correspond to different sets ofinformation available within Network Security Platform.


How to run the InfoCollector tool

To run InfoCollector, follow these steps:

1 If you do not already have InfoCollector installed, download the InfoCollector.zip file from the McAfeewebsite and extract it to a specific location in a specific drive:

Example

C:\[Network Security Manager_INSTALL_DIR]\App\diag

Files related to InfoCollector, such as infocollector.bat should be in a specific location:

Example

C:\[Network Security Manager_INSTALL_DIR]\App\diag\InfoCollector

2 Run the following batch file:

C:\[Network Security Manager_INSTALL_DIR]\App\diag\InfoCollector\infocollector.bat

Using InfoCollector tool

To use InfoCollector, follow these steps:

Task

1 After you run InfoCollector, do one of the following:

• If McAfee provides you with a definition file:

a After you run InfoCollector, open the File menu and click Open Definition.

Figure 7-1 Navigating to Open Definition option


b Select the definition file that McAfee sent you via email and click Select.

• If McAfee instructs you to select InfoCollector checkboxes:

a After you run InfoCollector, select the checkboxes as instructed by McAfee.

b Select a Duration. Select Date to specify a start and end date, or select Last X Days.

c Select the number of days from which InfoCollector should gather information.

d Click Browse and select the path and filename of the output ZIP file.

2 Click Run.

Figure 7-2 Running selected files

3 Provide the output ZIP file to McAfee as recommended by McAfee Technical Support. You can send the filevia email or through FTP.

The output ZIP file contains the toolconfig.txt file, which lists the information that you have chosen to provideMcAfee.


8 Automatically restarting a failed Manager with Manager Watchdog

This section provides information on how the Manager Watchdog works, installing the Manager Watchdog,starting the Manager Watchdog, using the Manager Watchdog in an MDR configuration, and tracking theManager Watchdog activities.

Contents Introduction How the Manager Watchdog works Install the Manager Watchdog Start the Manager Watchdog Use the Manager Watchdog with Manager in an MDR configuration Track the Manager Watchdog activities

Introduction

The Manager Watchdog feature is designed to restart the Manager if the Manager crashes, potentially bringing the Manager back online before MDR failover is initiated.

The Manager Watchdog periodically monitors the Manager process on the Manager server for availability. If Manager Watchdog detects that the Manager has gone down unexpectedly, it restarts the service automatically. (It does not restart the Manager if the Manager has been shut down intentionally.)

How the Manager Watchdog works

Manager Watchdog runs as a separate process and monitors Manager through the Windows OS Services model. Manager Watchdog polls Manager every 10 seconds. If the Manager Watchdog does not detect the Manager during a polling period, it waits 30 seconds and then restarts the Manager service automatically. Manager Watchdog makes five attempts to restart the Manager and then, if it has not succeeded, exits.

Manager Watchdog, by default, is a manual service; you must explicitly start it.

You can instead change this setting to Automatic if you want the service to start automatically after a system reboot.

If you have chosen to change the Manager service setting from its default (Auto) to "Manual" (during a troubleshooting session, for example), then consider doing the same for Manager Watchdog. This prevents the Manager Watchdog from restarting Manager automatically.


Install the Manager Watchdog

Manager Watchdog is installed automatically during Manager installation, and a new OS service called "Network Security Platform Watchdog Service" is created to enable you to start and stop the Manager Watchdog service. When you first install the Manager, this service is started automatically. However, the default Windows Startup Type for this service is manual.

Manager Watchdog monitors only the "Network Security Platform Mgr" service; it does not monitor services like MySQL or Apache.

Start the Manager Watchdog

The Manager Watchdog process is, by default, not started after installation; you must start the Manager Watchdog process manually.

To start/stop Manager Watchdog:

Task

1 Select Start | Settings | Control Panel. Double-click Administrative Tools, and then double-click Services.

2 Click Network Security Platform Watchdog Service.

3 Do one of the following:

• To start the service, select Action | Start.

• To stop the service, select Action | Stop.

Alternatively, you can also use the Manager icon in the Windows system tray to start or stop Manager Watchdog. Right-click the Manager icon at the bottom-right corner of your server and select Start Watchdog or Stop Watchdog as required.

Use the Manager Watchdog with Manager in an MDR configuration

When using Manager Watchdog on a Manager that is part of an MDR configuration, consider whether you want the Manager Watchdog to restart the Manager before failover can occur. If so, you must ensure that the value set for the MDR setting "Downtime Before Switchover" is greater than the Manager Watchdog setting of 30 seconds. This prevents the initiation of MDR, wherein the peer Manager takes over if the primary Manager fails. McAfee suggests retaining the default value of 5 minutes or greater to allow the Manager Watchdog time to restart the Manager.

If the Manager Watchdog brings up a primary Manager after MDR has initiated, note that the primary Manager does not come back Active; it first checks whether the secondary is Active and, if so, remains as standby.

Track the Manager Watchdog activities

The Manager Watchdog logs all controlled activities in a log file. Log files can be found at:

/<Network Security Platform install directory>/, named with the filename convention wdout_<<time stamp>>.log


A sample log file entry follows:

Sample Manager Watchdog Log

-----------------------------------------------------------------------------------------------------------------------------------

Restarting server at Mon Jun 09 14:48:53 GMT+05:30 2006

SERVER STDOUT: The Network Security Platform Manager Service is starting.

SERVER STDOUT: The Network Security Platform Manager Service was started successfully.

SERVER STDOUT:

SERVER STDOUT:

-----------------------------------------------------------------------------------------------------------------------------------

If the Manager Watchdog fails after five attempts to restart Manager, the following line appears in the log file:

SERVER STDOUT: Failed to restart Manager after five attempts. Exiting. [kl]
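As an added example that is not part of this guide, the following Python parser summarizes a wdout_<<time stamp>>.log file in the format shown above: it collects the "Restarting server at" timestamps, counts successful starts, and flags the "Failed to restart Manager after five attempts" exit line. The sample log text is constructed, and the restart-count threshold in needs_attention() is an assumption.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List

# Constructed sample in the wdout_<<time stamp>>.log format (not a real log file).
SAMPLE_WDOUT_LOG = """\
Restarting server at Mon Jun 09 14:48:53 GMT+05:30 2006
SERVER STDOUT: The Network Security Platform Manager Service is starting.
SERVER STDOUT: The Network Security Platform Manager Service was started successfully.
SERVER STDOUT:
Restarting server at Mon Jun 09 16:02:10 GMT+05:30 2006
SERVER STDOUT: The Network Security Platform Manager Service is starting.
SERVER STDOUT: Failed to restart Manager after five attempts. Exiting.
"""

RESTART_RE = re.compile(r"^Restarting server at (.+)$")
# Matches "Mon Jun 09 14:48:53 GMT+05:30 2006"; %z accepts the colon offset on Python 3.7+.
TIMESTAMP_FMT = "%a %b %d %H:%M:%S GMT%z %Y"
STDOUT_PREFIX = "SERVER STDOUT:"


@dataclass
class WatchdogSummary:
    restart_times: List[datetime] = field(default_factory=list)
    successful_starts: int = 0
    gave_up: bool = False  # True when the watchdog exited after five failed attempts


def parse_wdout_log(text: str) -> WatchdogSummary:
    """Walk the log line by line and classify the watchdog events it records."""
    summary = WatchdogSummary()
    for raw in text.splitlines():
        line = raw.strip()
        match = RESTART_RE.match(line)
        if match:
            summary.restart_times.append(datetime.strptime(match.group(1), TIMESTAMP_FMT))
        elif line.startswith(STDOUT_PREFIX):
            msg = line[len(STDOUT_PREFIX):].strip()
            if msg.endswith("was started successfully."):
                summary.successful_starts += 1
            elif msg.startswith("Failed to restart Manager after five attempts"):
                summary.gave_up = True
    return summary


def needs_attention(summary: WatchdogSummary, max_restarts: int = 1) -> bool:
    """Assumed alerting rule: the watchdog gave up, or restarted more often than expected."""
    return summary.gave_up or len(summary.restart_times) > max_restarts
```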


9 Using the McAfee KnowledgeBase

The McAfee KnowledgeBase (KB) contains a large number of useful articles designed to answer specific questions that might not have been addressed elsewhere in the documentation set. We suggest checking to see if a question you have is answered in a KB article.

To access McAfee Knowledgebase:

Go to http://mysupport.mcafee.com, and click Search the KnowledgeBase.

The following list contains some of the more commonly accessed KB articles.

New Number Topic

KB55446 All signature set releases with links to signature set release notes

KB55447 All UDS releases and release notes of the UDSs (this is a restricted article and requires the user to log into the service portal or be internal)

KB55448 Table displaying the current versions for McAfee® Network Security Platform

KB55449 Listing of McAfee Network Security Platform's response to high profile public vulnerabilities

KB55450 How to request coverage for a threat that isn't already covered

KB55451 List of all McAfee Recommended for Blocking (RFB) attacks

KB55318 Sensor heat dissipation rates (BTUs per hour)

KB60660 Verifying MySQL Database Tables

KB55470 Network Security Platform maximum number of CIDR blocks using VIDS

KB55549 Collecting a diagnostics trace from the McAfee Network Security Sensor (Sensor)

KB55568 VLAN limitations for Network Security Platform

KB55723 Maximum number of SSL keys for McAfee Network Security Manager (Manager) or Sensor

KB55743 How to submit Network Security Platform false positives and incorrect detections to McAfee Support

KB55908 Support for legacy versions

KB55364 Asymmetric traffic

KB56069 "Login failed: Unable to get the McAfee Network Security Manager (Manager) license information"

KB56071 Configuring authentication on the Manager for the update server

KB56364 3rd Party Recommended Hardware for Sensors

Error: Download Failed: Reason 42: Sensor fails to apply new updates internally (Sensor signature updates fail)

Network Security Platform Release Notes (Master List)

KB59347 Sensor is reporting false DOS attacks / New network device is added and Sensor is now reporting DOS attacks

KB59344 Recover the password for the Manager


Index

A
about this guide 7
auto-negotiation 49, 50
  auto-negotiation and speed configurations 47
  Cisco 3750-12S switch 48
  Cisco catalyst 4000, 5000, 6000 series 48
  Cisco CSS 11000 48
  Cisco PIX® Firewall 48
  gigabit auto-negotiation 47

C
CatOS show port command counters 48
connection difficulties 40
connection limiting 24
connectivity difficulties
  configuring management port 40
  firewall 40
  setting management port speed 41
  software set incompatibility; signature set compatibility 40
connectivity issues 46
  duplex mismatches 46
connectivity loss 41
conventions and icons used in this guide 7
correct identification
  user sensitivity 64

D
data link errors 61
documentation
  audience for this guide 7
  product-specific, finding 8
  typographical conventions and icons 7
download status 12

E
error messages 119
external fail-open kit issues
  connecting to monitoring ports 20

F
false positives 63, 64
false positives determination
  tuning policies 63

I
InfoCollector tool 133

K
KnowledgeBase 141

M
Manager database connectivity 27
Manager status check 27
Manager watchdog 137
McAfee ServicePortal, accessing 8
MySQL issues 28

P
pinging 11

Q
quarantining 26

S
Sensor and Manager status checks 40
Sensor failover issues 19
Sensor failover status check 11
Sensor health check 11
Sensor issues, debugging 15
Sensor reboot 13
Sensor response
  exceeding throughput 16
Sensor status checks 10
Sensor traffic status 12
ServicePortal, finding product documentation 8
sniffer trace 61
status checks for Sensor and other devices 46
system fault messages 67

T
technical support, finding product information 8
traffic management 19
troubleshooting
  before starting 9
troubleshooting tips 9

U
update status 11

X
XC cable connection issues
  M8000 Sensors 20
  NS9300 Sensors 20
