McAfee M-4050, Network Security Platform 6.0 Troubleshooting Manual
Troubleshooting Guide
Revision 6.0
McAfee® Network Security Platform
version 6.0
McAfee®
Network Protection
Industry-leading network security solutions
COPYRIGHT
Copyright ® 2001 - 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into
any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARKS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N),
ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION
THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA),
NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN,
VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or
its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered tr ademarks
herein are the sole property of their respective owners.
LICENSE AND PATENT INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH
THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED,
PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING
OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE
FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL
THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
This product includes or may include:
* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software written by
Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses
which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for
any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such
software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software
program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. * Software originally written by
Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier. * Software written by
Douglas W. Sauder. * Software developed by the Apache Software Foundatio n (http://www.apache.org/). A copy of the license agreement for this software can be found at
www.apache.org/licenses/LICENSE-2.0.txt. * International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others. *
Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. * FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin,
Germany. * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. * Software copyrighted by
Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000. * Software copyrighted by Expat maintainers. * Software copyrighted by The Regents of the
University of California, (C) 1996, 1989, 1998-2000. * Software copyrighted by Gunnar Ritter. * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
California 95054, U.S.A., (C) 2003. * Software copyrighted by Gisle Aas. (C) 1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by
Neil Winton, (C) 1995-1996. * Software copyrighted by RSA Data Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted
by Martijn Koster, (C) 1995. * Software copyrighted by Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by Graham
Barr, (C) 1998. * Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software copyrighted by the Python
Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. * Software copyrighted by Beman
Dawes, (C) 1994-1999, 2002. * Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame. * Software copyrighted by Simone
Bordet & Marco Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the Indiana University Extreme! Lab
(http://www.extreme.indiana.edu/). * Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003. * Software developed by the University of
California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http:// www.modssl.org/). * Software
copyrighted by Kevlin Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002. * Software copyrighted by David Abrahams, (C) 2001,
2002. See http://www.boost.org/libs/bind/bind.html
Software copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M. Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. * Software
copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp, (C) 2001. See
http://www.boost.org for updates, documentation, and revision history. * Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), (C) 2001, 2002. * Software copyrighted by
Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), (C) 1999, 2000. *
Software copyrighted by Ronald Garcia, (C) 2002. * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001. * Software copyrighted by Stephen
Cleary (shammah@voyager.net
1999. * Software copyrighted by Dr. John Maddock, (C) 1998-2002. * Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter
Dimov, (C) 2001, 2002. * Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. *
Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992. * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003. * Software copyrighted by
Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunication s , (C) 2004. * Software
copyrighted by Simon Josefsson, (C) 2003. * Software copyrighted by Thomas Jacob, (C) 2003-2004. * Software copyrighted by Advanced Software Engineering Limited, (C)
2004. * Software copyrighted by Todd C. Miller, (C) 1998. * Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software
contributed to Berkeley by Chris Torek.
), (C) 2000. * Software copyrighted by Housemarque Oy <http://www.housemarque.com>, (C) 2001. * Software copyrighted by Paul Moore, (C)
for documentation. * Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000. *
Issued APRIL 2011 / Troubleshooting Guide
700-2380-00/ 6.0 - English
Contents
Preface ........................................................................................................... v
Introducing McAfee Network Security Platform............................................................................. v
About this Guide............................................................................................................................ v
Audience ....................................................................................................................................... v
Conventions used in this book ......................................................................................................vi
Related Documentation................................................................................................................vii
Contacting Technical Support.....................................................................................................viii
Information requested for Troubleshooting ......................................................................... viii
Chapter 1 Before You Install........................................................................ 1
Pre-installation recommendations................................................................................................. 1
Planning for installation..........................................................................................................1
Functional requirements.........................................................................................................2
Using anti-virus software with the Manager ...........................................................................4
User interface responsiveness...............................................................................................5
Chapter 2 Hardening the Manager Server for Windows 2003 .................. 6
Introduction....................................................................................................................................6
Install a desktop firewall................................................................................................................6
Harden the MySQL installation......................................................................................................6
Remove test database...........................................................................................................7
Remove local anonymous users............................................................................................7
Remove remote anonymous users........................................................................................7
Secure MySQL remote access ..............................................................................................8
Rolling back your changes.....................................................................................................9
Remove debug shell at port 9001 ..........................................................................................9
Other best practices for securing Manager...................................................................................9
Chapter 3 Hardening the Manager Server for Windows 2008 ................ 10
Pre-installation.............................................................................................................................10
Installation...................................................................................................................................10
Post Installation........................................................................................................................... 10
Disabling non-required Services..........................................................................................11
Setting System Policies........................................................................................................11
Setting User Policies............................................................................................................11
Setting a Desktop Firewall ...................................................................................................11
Configuring Audit Events......................................................................................................12
Chapter 4 Troubleshooting Network Security Platform.......................... 14
Facilitating troubleshooting..........................................................................................................14
Starting your troubleshooting ...................................................................................................... 15
Difficulties connecting Sensor and Manager............................................................................... 15
Network connectivity............................................................................................................15
Inconsistency in Sensor and Manager configuration ...........................................................15
Software or signature set incompatibility..............................................................................15
Firewall between the devices...............................................................................................16
Management port configuration ...........................................................................................16
Connectivity issues between the Sensor and other network devices .........................................17
Duplex mismatches..............................................................................................................17
Valid auto-negotiation and speed configurations.................................................................17
Explanation of CatOS show port Command Counters.........................................................20
Auto-negotiation...................................................................................................................21
iii
Checking Sensor health..............................................................................................................22
Pinging a Sensor..................................................................................................................22
Ensuring that the Sensor is receiving traffic................................................................................ 22
Checking Sensor failover status.................................................................................................. 23
Cabling failover through a network device...........................................................................23
Checking whether a signature or software update was successful............................................. 24
Checking status of a download or upload ................................................................................... 24
Conditions requiring a Sensor reboot.......................................................................................... 24
Rebooting a Sensor via the Manager...................................................................................25
Rebooting a Sensor using the reboot command..................................................................25
Sensor doesn’t boot .................................................................................................................... 25
Debugging critical Sensor issues................................................................................................ 25
Loss of connectivity between the Sensor and Manager.............................................................. 29
How Sensor handles new alerts during connectivity loss ....................................................30
Manager connectivity to the database.........................................................................................30
Manager database is full......................................................................................................31
Error on accessing the Configuration page................................................................................. 31
Sensor response if its throughput is exceeded ........................................................................... 31
MySQL issues.............................................................................................................................32
How Sensors handle various types of traffic...............................................................................32
Jumbo Ethernet frames........................................................................................................32
ISL frames............................................................................................................................32
Sensor failover issues.................................................................................................................33
External fail-open kit issues in connecting to the monitoring port ............................................... 33
XC cable connection issues for M8000 Sensors......................................................................... 33
Chapter 5 Determining False Positives .................................................... 34
Reducing false positives..............................................................................................................34
Tune your policies.......................................................................................................................34
About false positives and “noise”.........................................................................................35
Determining a false positive versus noise............................................................................36
Chapter 6 System Fault Messages............................................................ 38
Critical faults................................................................................................................................ 38
Error faults...................................................................................................................................55
Warning faults ............................................................................................................................. 61
Informational faults...................................................................................................................... 65
Other faults.................................................................................................................................. 76
Chapter 7 Error Messages.......................................................................... 77
Error messages for RADIUS servers .......................................................................................... 77
Error messages for LDAP server ................................................................................................ 78
Chapter 8 Using the InfoCollector tool..................................................... 79
Introduction..................................................................................................................................79
Running the InfoCollector............................................................................................................ 80
Using InfoCollector...................................................................................................................... 80
Chapter 9 Automatically restarting a failed Manager with Manager
Watchdog..................................................................................................... 81
Introduction..................................................................................................................................81
How the Manager Watchdog Works............................................................................................ 81
Installing Manager Watchdog...................................................................................................... 82
Starting Manager Watchdog........................................................................................................82
Using Manager Watchdog with Manager in an MDR configuration ............................................82
Tracking Manager Watchdog activities ....................................................................................... 82
Chapter 10 Utilizing the McAfee Knowledge Base .................................. 84
Index............................................................................................................. 86
iv
Preface
This preface provides a brief introduction to the product, discusses the information in this
document, and explains how this document is organized. It also provides information such
as, the supporting documents for this guide and how to contact McAfee Technical Support.
Introducing McAfee Network Security Platform
McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most
comprehensive, accurate, and scalable Network Access Control (NAC), network Intrusion
Prevention System (IPS) and Network Threat Behavior Analysis (NTBA) for mission-critical
enterprise, carrier and service provider networks, while providing unmatched protectio n
against spyware; known, zero-day, and encrypted attacks.
McAfee
network traffic by analyzing NetFlow information flowing through the network in real time,
thus complementing the NAC and IPS capabilities in a scenario in which McAfee Net work
Security Sensor, NAC Sensor, and NTBA Appliance are installed and managed through a
single Manager.
®
Network Threat Behavior Analysis Appliance provides the capability of monitoring
About this Guide
This guide provides the basic troubleshooting techniques for Network Security Platform.
You get information on the key issues to be taken care of in the McAfee
Manager [formerly McAfee
Sensor [formerly McAfee
from installing Network Security Platform to troubleshooting the system.
This guide provides detailed sections on the following topics:
Pre-installation recommendations
Hardening McAfee Network Security Manager (Manager) Server
Troubleshooting techniques
How to use the InfoCollector tool and Manager Watchdog
Audience
This guide is intended for use by network technicians responsible for maintaini ng the
Network Security Platform and analyzing and disseminating the resulting data. It is
assumed that you are familiar with IPS-related tasks, the relationship between tasks, and
the commands necessary to perform particular tasks.
®
®
IntruShield® Security Manager] and McAfee® Network Security
®
IntruShield® Sensor] software in a step-by- step manner; right
Network Security
v
McAfee® Network Security Platform 6.0
Conventions used in this book
This document uses the following typographical conventions:
Convention Example
Preface
Terms that identify fields, buttons,
tabs, options, selections, and
commands on the User Interface
(UI) are shown in
Arial Narrow bold
font.
Menu or action group selections
are indicated using a right angle
bracket.
Procedures are presented as a
series of numbered steps.
Names of keys on the keyboard
are denoted using UPPER CASE.
Text such as syntax, key words,
and values that you must type
exactly are denoted using
Courier New font.
Variable information that you must
type based on your specific
situation or environment is shown
in italics.
Parameters that you must supply
are shown enclosed in angle
brackets.
Service field on the Properties tab specifies the
The
name of the requested service.
Select My Company > Admin Domain > Summary.
1. On the Configuration tab, click Backup.
Press ENTER.
Type: setup and then press ENTER.
Type: Sensor-IP-address and then press
ENTER.
set Sensor ip <A.B.C.D>
Information that you must read
Caution:
before beginning a procedure or
that alerts you to negative
consequences of certain actions,
such as loss of data is denoted
using this notation.
Information that you must read to
Warning:
prevent injury, accidents from
contact with electricity, or other
serious consequences is denoted
using this notation.
Notes that provide related, but
Note:
non-critical, information are
denoted using this notation.
vi
McAfee® Network Security Platform 6.0
Related Documentation
The following documents and on-line help are companions to this guide. Refer to Quick Tour
for more information on these guides.
Quick Tour
Installation Guide
Upgrade Guide
Getting Started Guide
IPS Deployment Guide
Manager Configuration Basics Guide
I-1200 Sensor Product Guide
I-1400 Sensor Product Guide
I-2700 Sensor Product Guide
I-3000 Sensor Product Guide
I-4000 Sensor Product Guide
I-4010 Sensor Product Guide
M-1250/M-1450 Sensor Product Guide
M-1250/M-1450 Quick Start Guide
M-2750 Sensor Product Guide
M-2750 Quick Start Guide
M-3050/M-4050 Sensor Product Guide
M-3050/M-4050 Quick Start Guide
M-6050 Sensor Product Guide
M-6050 Quick Start Guide
M-8000 Sensor Product Guide
M-8000 Quick Start Guide
Gigabit Optical Fail-Open Bypass Kit Guide
Gigabit Copper Fail-Open Bypass Kit Guide
10 Gigabit Fail-Open Bypass Kit Guide
M-8000/M-6050/M-4050/M-3050 Slide Rail Assembly Procedure
M-2750 Slide Rail Assembly Procedure
M-series DC Power Supply Installation Procedure
Administrative Domain Configuration Guide
Manager Server Configuration Guide
CLI Guide
Device Configuration Guide
IPS Configuration Guide
NAC Configuration Guide
Integration Guide
System Status Monitoring Guide
Reports Guide
Custom Attack Definitions Guide
Central Manager Administrator's Guide
Best Practices Guide
Special Topics Guide—In-line Sensor Deployment
Preface
vii
McAfee® Network Security Platform 6.0
Special Topics Guide—Sensor High Availability
Special Topics Guide—Virtualization
Special Topics Guide—Denial-of-Service
NTBA Appliance Administrator's Guide
NTBA Monitoring Guide
NTBA Appliance T-200 Quick Start Guide
NTBA Appliance T-500 Quick Start Guide
Contacting Technical Support
If you have any questions, contact McAfee for assistance:
Online
Contact McAfee Technical Support http://mysupport.mcafee.com.
Registered customers can obtain up-to-date documentation, technical bulletins, and quick
tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, custom ers can also
resolve technical issues with the online case submit, software downloads, and signature
updates.
Preface
Phone
Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7
Technical Support is available for customers with Gold or Platinum service contracts.
Global phone contact numbers can be found at McAfee Contact Information
http://www.mcafee.com/us/about/contact/index.html page.
Note: McAfee requir
your system when opening a ticket with Technical Support. You will be provided with
a user name and password for the online case submission.
es that you provide your GRANT ID and the serial number of
Information requested for Troubleshooting
McAfee wants to provide you with the best possible support. When you contact Technical
Support, we will request a variety of information to use to troubleshoot your deployment.
This section describes the information we ask that you have available for troubleshooting.
General information
your GRANT ID. This was provided to you when you purchased the product.
the version number of the Manager software you are using
the version number of the McAfee Network Security Sensor (Sensor) software you are
using
Is this a new or existing issue?
any physical changes made to the environment recently
viii
McAfee® Network Security Platform 6.0
Did you make any changes in your environment/setup/configuration that may have
introduced the issue?
Manager-specific information
We may ask you to use our troubleshooting tool, which is called InfoCollector. This tool will
collect all Manager-related log files (For example, ems.log, emsout, output.bin, config
back, and the Sensor trace file, if you have uploaded it to the Manager) and return them to
us for analysis
As of this writing, the tool is available at the following link:
http://serviceweb/McAfee/backline/escalations/MER_TOOL/IPSInfoCollector.zip
Sensor issues
the Sensor deployment configuration
information on the GBICs you are using with Sensor GE ports; this information is
extremely helpful for troubleshooting link issues
the volume of traffic through the Sensor
in some cases, a network diagram (particularly for troubleshooting asymmetric traffic
issues)
a Sensor trace file, which you can create using the process described in Providing a
Sensor diagnostics trace.
Sensor operating mode (i.e., In-line, SPAN or TAP). This information can be obtained
from:
Sensor_Name > Interface > View Details
peer device port settings (For example, for Cisco switches/routers, you would provide
the output of the show port [mod[/port] command.
Management port configuration (obtained by issuing a show mgmtport command)
Preface
Signature set issues
the signature set and software versions you are running
the frequency at which you see the false positive
whether the alert condition is reproducible
policy configuration
alert evidence reports
traffic volume, if possible
traffic type
what software and systems are on the affected systems
your network topology
ix
C HAPTER 1
Before You Install
This chapter lists pre-installation recommendations.
Pre-installation recommendations
These McAfee® Network Security Platform [formerly McAfee® IntruShield®] pre-installation
recommendations are a compilation of the information gathered from individual interviews
with some of the most seasoned McAfee Network Security Platform System Engineers at
McAfee.
Planning for installation
Before installation, ensure that you complete the following tasks:
®
The server, on which McAfee
should be configured and ready to be placed online.
You must have administrator privileges for McAfee Network Security Manager
(Manager) server.
This server should be dedicated, hardened for security, and placed on its own subnet.
This server should not be used for programs like instant messaging or other non-
secure Internet functions.
Make sure your hardware requirements meet the requirements. See Server
requirements.
Ensure the proper static IP address has been assigned to the Manager server. For the
Manager server, McAfee strongly recommends assigning a static IP against using
DHCP for IP assignment.
If applicable, configure name resolution for the Manager.
Ensure that all parties have agreed to the solution design, including the location and
mode of all McAfee
groups, and if and how the Manager will be connected to the production network.
Get the required license file and grant number.
Accumulate the required number of wires and (supported) GBICs, SFPs, or XFPs.
Ensure these are approved hardware from McAfee or a supported vendor. Ensure
that the required number of Network Security Platform dongles, which ship with the
McAfee Network Security Sensors (Sensors), are available.
Crossover cables will be required for 10/100 or 10/100/1000 monitoring ports if they
are directly connected to a firewall, router, or end node. Otherwise, standard patch
cables are required for the Fast Ethernet ports.
If applicable, identify the ports to be mirrored, and someone who has the knowledge
and rights to mirror them.
Allocate the proper static IP addresses for the Sensor. For the Sensors, you cannot
assign IPs using DHCP.
®
Network Security Sensor, the use of sub-interfaces or interface
Network Security Manager software will be installed,
1
McAfee® Network Security Platform 6.0
Identify hosts that may cause false positives, for example, HTTP cache servers, DNS
servers, mail relays, SNMP managers, and vulnerability scanners.
Functional requirements
Following are the functional requirements to be taken care of:
Before You Install
Install Wireshark (formerly known as Ethereal http://www.wireshark.com
http://www.wireshark.org) on the client PCs. Etherea
l is a network protocol analyzer
for Unix and Windows servers, used to analyze the packet logs created by Sensors.
Ensure the correct version of JRE is installed on the client system, as described in the
Release Notes. This can save a lot of time during deployment.
Determine a way in which the Manager maintains the correct time. To keep time from
drifting, for example, point the Manager server to an NTP timeserver. (If the time is
changed on the Manager server, the Manager will lose connectivity with all Sensors
and the McAfee
®
Network Security Update Server because SSL is time sensitive.)
If Manager Disaster Recovery (MDR) is configured, ensure that the time difference
between the Primary and Secondary Managers is less than 60 seconds. (If the spread
between the two exceeds more than two minutes, communication with the Sensors
will be lost.)
If you are upgrading from a previous version, we recommend that you follow the
instructions in the respective version’s release notes or, if applicable, the Upgrade
Guide
.
Install a desktop firewall
McAfee strongly recommends that you configure a packet-filtering firewall to block
connections to ports 8551, 3306, 8007, 8009, and 8552 of your Manager server. The
firewall can either be a host-based or a network-based.
Set your firewall to deny connections to these ports if the connections are not initiated by
the localhost. The only connections that should be allowed are those from the Manager
server itself; that is, the localhost.
For example, if another machine attempts to connect to port 8551, 8552, 3306, 8007 and
8009 the firewall should automatically block any packets sent. If you need assistanc e in
blocking these, contact Technical Support.
If a firewall will reside between the Sensor, Manager, or administrative client, which
includes a personal firewall on the Manager, the following ports must be opened:
Port # Protocol Description Direction of communication
4167 (high ports)
(source port on the Manager)
and
UDP
Default SNMPv3
(command
channel)
Manager-->Sensor
8500
(destination port on the
Sensor)
2
McAfee® Network Security Platform 6.0
Port # Protocol Description Direction of communication
Before You Install
8501 TCP Proprietary
Sensor-->Manager
(install port)
8502 TCP Proprietary
Sensor-->Manager
(alert
channel/control
channel)
8503 TCP Proprietary
Sensor-->Manager
(packet log
channel)
8504 TCP Proprietary
Sensor-->Manager
(file transfer
channel)
8555 TCP SSL/TCP/IP
client-->Manager
(Threat Analyzer)
443 TCP HTTPS client-->Manager
80 TCP Web-based user
interface
client-->Manager
(Webstart/JNLP, Console
Applets)
22 TCP SSH Remote console access
Note: If you choose to use non-default ports for the Install port, Alert port, and Log
port, ensure that those ports are also open on the firewall.
Note that 3306/TCP is used internally by the Manager to connect to the MySQL
database.
If you have Email Notification or SNMP Forwarding configured on the Manager, and
there is firewall residing between the Manager and your SMTP or SNMP server,
ensure the following ports are available as well.
Additional communication ports
Port # Protocol Description Direction of communication
25 TCP SMTP Manager-->SMTP server
49 TCP TACACS+ Integration Sensor-->TACACS+ server
162 UDP SNMP Forwarding Manager-->SNMP server
389 TCP LDAP Integration
(without SSL)
443 TCP Secure communication
for MDR
443 TCP Secure communication
for MDR
514 UDP Syslog forwarding (ACL
logging)
636 TCP LDAP Integration (with
SSL)
3
Manager-->LDAP server
Manager 1-->Manager 2
Manager 2-->Manager 1
Manager-->Syslog server
Manager-->LDAP server
McAfee® Network Security Platform 6.0
Port # Protocol Description Direction of communication
1812 UDP RADIUS Integration Manager-->RADIUS server
Close all open programs, including email, the
instant messaging before installation to avoid port conflicts. A port conflict may
prevent the application from binding to the port in question because it will already be
in use.
Caution: The Manager is a standalone system and should not have other
applications installed.
Using anti-virus software with the Manager
If you plan to install anti-virus software such as McAfee VirusScan on the Manager, be
sure the MySQL directory and its sub-directories are excluded from the anti-virus scanning
processes. For example selecting
entire MySQL installation directory from the anti-virus scanning processes. Otherwise,
Network Security Platform packet captures may result in the deletion of essential MySQL
files.
Also exclude the Network Security Platform installation directory and its sub-directories
because temporary files are created there that might conflict with the anti-virus scanner.
Administrative Tools > Services window, and
...\Manager\MySQL and its subdirectories will exclude the
Before You Install
Note: If you install McAfee VirusScan 8.5.0i on the Manager after the installation of
the Manager software, the MySQL scanning exceptions will be created
automatically, but the Network Security Platform exceptions will not.
McAfee VirusScan and SMTP notification
From 8.0i, VirusScan includes an option (enabled by default) to block all outbound
connections over TCP port 25. This helps reduce the risk of a compromised host
propagating a worm over SMTP using a homemade mail client.
VirusScan avoids blocking outbound SMTP connections from legitimate mail clients, such
as Outlook and Eudora, by including the processes used by these products in an exclusion
list. In other words, VirusScan ships with a list of processes it will allow to create outbound
TCP port 25 connections; all other processes are denied that access.
The Manager takes advantage of the JavaMail API to send SMTP notifications. If you
enable SMTP notification and also run VirusScan 8.0i or above, you must therefor e add
java.exe to the list of excluded processes. If you do not explicitly create the exclusion
within VirusScan, you will see a Mailer Unreachable error in the Manager Operational Status
to each time the Manager attempts to connect to its configured mail server.
To add the exclusion, follow these steps:
4
McAfee® Network Security Platform 6.0
1 Launch the VirusScan Console.
2 Right-click the task called
menu.
3 Highlight the rule called
4 Click
Edit.
5 Append java.exe to the list of
6 Click
OK to save the changes.
User interface responsiveness
The responsiveness of the user interface, the Threat Analyzer in particular, has a lasting
effect on your overall product satisfaction.
In this section we suggest some easy but essential steps, to ensure that Network Security
Platform responsiveness is optimal:
During Manager software installation, use the recommended values for memory and
connection allocation.
You will experience better performance in your configuration and data forensic tasks
by connecting to the Manager from a browser on a client machine. Performance may
be slow if you connect to the Manager using a browser on the server machine itself.
Perform monthly or semi-monthly database purging and tuning. The greater the
quantity of alert records stored in the database, the longer it will take the user
interface to parse through those records for display in the Threat Analyzer. T he
default Network Security Platform settings err on the side of caution and leave alerts
(and their packet logs) in the database until the user explicitly decides to remove
them. However, most users can safely remove alerts after 30 days.
Caution: It is imperative that you tune the MySQL database after each purge
operation. Otherwise, the purge process will fragment the database, which can
lead to significant performance degradation.
Defragment the disks on the Manager on a routine basis, with the exception of the
MySQL directory. The more often you run your defragmenter, the quicker the process
will be. Consider defragmenting the disks at least once a month.
Warning: Do NOT attempt to defragment the MySQL directory using an O/S
defrag utility. To defragment MySQL tables, use a MySQL-specific utility,
myisamchk available in the <mysqlinstallation>\bin directory.
Limit the quantity of alerts to view when launching the Threat Analyzer. This will
reduce the total quantity of records the user interface must parse and therefore
potentially result in a faster initial response on startup.
When scheduling certain Manager actions (backups, file maintenance, archivals,
database tuning), set a time for each that is unique and is a minimum of an hour
after/before other scheduled actions. Do not run scheduled actions concurrently.
Access Protection and choose Properties from the right-click
Prevent mass mailing worms from sending mail.
Processes to Exclude.
Before You Install
5
C HAPTER 2
Hardening the Manager Server for Windows 2003
This section describes methods for hardening your McAfee® Network Security Manager
(Manager) server.
Introduction
Manager implementation varies between environments. The Manager server’s pos itioning
in the network, both physically and logically, may influence specific remote access and
firewall configuration requirements.
The following best practices are intended to cover the configurable features that can
impact the security of Manager. This information should be used in combination with the
McAfee
McAfee’s recommendations, at a high level:
Install a desktop firewall on the server and open the proper ports
Harden the MySQL installation
Harden the Manager host
®
Network Security Platform Release Notes and the rest of the documentation set.
Install a desktop firewall
It is recommended that you operate a desktop firewall on the Manager server. Certain
ports are used within the McAfee Network Security Platform. Some of these required for
Manager--McAfee® Network Security Sensor (Sensor) and Manager client-server
communication. All remaining unnecessary ports should be closed. The ports used by
Network Security Platform are listed in Install a desktop firewall (on page 2
).
Harden the MySQL installation
Ensure the cmd window used for making changes to database tables in the “mysql”
database stays opened in the mysql shell until validation is completed.
This is necessary to enable you to rollback the changes in case you need to. Rollback
procedures are shown at the end of this section.
Use another cmd window, where necessary, to validate hardening changes you h ave
made.
6
McAfee® Network Security Platform 6.0
Remove test database
Remove the ‘test” database from the server.
Hardening the Manager Server for Windows 2003
1. Start My SQL.
2. Backup db table to do
dbbackup before changing it.
3. Validate that the backup table
was created and row count
matches that of the mysql.db table.
4. Check all the databases on the
Manager server.
5. Remove the test db, Keep only
the MYSQL and Network Security
Platform (for example, lf)
databases.
6. You should see only two
databases (MYSQL and LF) if you
are using the default Network
Security Platform installation of
MySQL.
mysql> use mysql;
mysql> create table db_backup as
select * from db;
mysql> select count(*) from
db_backup;
mysql> show databases;
mysql> drop database test;
mysql> show databases;
Remove local anonymous users
To remove local anonymous users:
1. Look for blank entries for user.
2. Remove anonymous access to databases
3. Remove anonymous/blank accounts
4. Validate that “localhost” replaced % entry
under the host column. You will also notice
you will now need to qualify username and
password on the local machine to get into
mysql shell from the mysql.exe CLI.
mysql> select host,db,user from db;
mysql> update db set
host="localhost" where user="";
mysql> flush privileges;
Remove remote anonymous users
To remove remote anonymous users, you harden mysql.exe CLI access by forcing the
requirement for a username and password to get into the mysql shell as follows.
7
McAfee® Network Security Platform 6.0
Hardening the Manager Server for Windows 2003
Start MySQL.
Back up the user table to
user_backup before changing it.
Validate that the backup table was
created and row count matches that
mysql> use mysql;
mysql> create table user_backup
as select * from user;
mysql> select count(*) from
user_backup;
of the mysql.db table.
List all users and hosts.
mysql> select user,host from
user;
Remove anonymous/blank
accounts.
Validate that rows with blank user
columns have been removed.
mysql> delete from user where
user="";
mysql> select user,host from
user;
Secure MySQL remote access
This section provides two options for removing remote access.
Remove individual users’ remote access
Remove ALL remote access (Recommended)
Remove individual users’ remote access
Do ONE of the following:
Remove admin (Network Security Platform user) remote access
mysql> delete from user where host!='localhost' and
user='admin';
(The admin user cannot login remotely; however Manager root can. Use second cmd
window to validate.)
mysql>flush privileges;
Remove root remote access (Recommended minimum action)
mysql> delete from user where host!='localhost' and
user='root';
This ensures that the root user cannot login remotely; however Manager user can log
in remotely. Use second cmd window to validate.
mysql>flush privileges;
Remove ALL remote access
mysql> delete from user where host!='localhost'
ALL user access is disabled including Manager users from remote host(s).
Use another cmd window to validate; you can ONLY log in to the MySQL CLI on the
Manager server by qualifying username, password and db. For example: mysql -
uadmin -pXXX lf
8
McAfee® Network Security Platform 6.0
Rolling back your changes
If you need to roll back your changes, use the following commands:
To roll back changes made to the mysql.db table from the mysql.db_backup table:
mysql> rename table db to db_1;
mysql> rename table db_backup to db;
mysql> flush privileges;
To roll back changes made to the "mysql.user" table from mysql.user_backup table:
mysql> rename table user to user_1
mysql> rename table user_backup to user;
mysql> flush privileges;
Remove debug shell at port 9001
In addition to denying traffic over port 9001 and 9002 (as per Install a desktop firewall) (on
), the debugging shell that runs on port 9001 can be disabled by modifying the
page 2
value o
f the iv.policymgmt.RuleEngine.BSH_Diagnostics_Port record in the iv_emsproperties table.
To disable the port, set the value in the field called “value” = -1
Hardening the Manager Server for Windows 2003
Other best practices for securing Manager
Use a clean, dedicated machine for the Manager server and perform a fresh install of
the Manager software, including the installation of the embedded MySQL database.
No other software should be available on the server, with the exception of a hostbased firewall as described in Install a desktop firewall. (on page 2
Make sure the PC is in an isolated, physically secure environment
Disallow access to the directory clumsily and all its sub-directories to anyone other
than authorized administrators. Use Microsoft Knowledge Base article # 324067 to
accomplish this procedure. Disallow the following permissions:
Read
Write
Read and Write
Modify
List folder contents
Full control
Disable HTTP TRACE request. It can be disabled with the following mod_rewrite
syntax in the Apache Server's httpd.conf file (available in the “<Network Security
Platform installation directory>/Apache/conf” directory).
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
)
9
C HAPTER 3
Hardening the Manager Server for Windows 2008
Implementation of Manager varies from environment to environment. The Manager's
physical and logical position in the network influences specific remote access and firewall
configuration requirements. The following best practices on managing configurable
features on Manager impacts the security of Manager.
Pre-installation
Use a dedicated machine for the Manager server and then install Manager and the
embedded MySQL database. Other than the host-based firewall, no other software should
be installed on the server. Before installation of Manager do the following:
Ensure that the server is located in a physically secure environment.
Connect the server on a protected or isolated network.
If the hard disk is old, use fdisk (a command line utility) to remove all partitions and
create new partitions.
Installation
Installation of Manager should be performed as follows:
Install the US version of Windows Server 2008.
Use NTFS on all partitions.
Post Installation
After installation of Manager perform the following installations:
Install the latest Windows Server 2008 patches, service packs, and hot fixes from
Install a Virus Scanner and update the signatures.
Also keep a check on the following:
Minimize the number of Windows roles and features that are installed.
Uninstall applications that are not necessary.
Microsoft.
Note: Exclude “Network Security Manager” and “MySQL” directories from being
scanned.
10
McAfee® Network Security Platform 6.0
Disabling non-required Services
Disable the following services.
DHCP Client
FTP
Print spooler
Remote access auto connection manager
Remote procedure call locator
Remote registry
Server
TCP/IP NetBIOS helper service
Telephony service.
Note: Enable these services only if it is absolutely required.
Setting System Policies
Ensure to set the following system policies:
Hardening the Manager Server for Windows 2008
Implement the System key and strong encryption of the password database by
running SYSKEY.EXE
Use Microsoft security compliance toolkit or set local security policy
Display legal notice at during interactive logon window.
Do not display username that was earlier used to login.
Disable Posix
Clear virtual memory page file during shutdown
Disable autorun
Disable LMHOSTS lookup while setting the advanced TCP/IP settings.
Setting User Policies
Ensure to set the following user policies:
Rename the administrator account.
Disable guest account .
Passwords should be at least 8 ASCII characters.
Enable locking of screensaver.
Setting a Desktop Firewall
It is recommended that a desktop firewall operates on the Manager server. The following
ports are required for Manager-Sensor communication.
Note: Ensure that there are no other open ports using a scanning tool such as
Vulnerability Manager.
11
McAfee® Network Security Platform 6.0
Port Description Communication
80 HTTP port Client to Manager
443 HTTPS Client to Manager
3306 MySQL database Open only while using external SQL database
8500 Command channel(UDP) Manager to Sensor
8501 Install port(TCP) Sensor to Manager
8502 Alert channel(TCP) Sensor to Manager
8503 Packet log channel(TCP) Sensor to Manager
8504 File transfer channel(TCP) Sensor to Manager
8555 Alert viewer(TC) Client to Manager
Hardening the Manager Server for Windows 2008
When email notification or SNMP forwarding is configured on Manager and there is firewall
between Manager and SNMP Server, ensure that the following ports are allowed through
firewall.
Port Description Communication
25 SMTP port Manager to SMTP server
162 SNMP forwarding Manager to SNMP server
If you have ePO integration configured on Manager, and there is firewall between Manager
and the ePO Server, ensure the following port is also allowed through firewall.
Port Description Communication
8443 ePO
Manager to ePO server
communication port
Configuring Audit Events
Set the following events to be audited:
Audit account logon events
Audit account management
Audit logon events
Audit object access (Failure)
12
McAfee® Network Security Platform 6.0
Audit policy change (Success)
Audit privilege use (Failure)
Audit system events (Success)
Hardening the Manager Server for Windows 2008
13
C HAPTER 4
Troubleshooting Network Security Platform
This section lists some troubleshooting tips for McAfee® Network Security Platform.
Facilitating troubleshooting
When an in-line device experiences problems, most people ’s instinct is to physically pull it
out of the path; to disconnect the cables and let traffic flow unimpeded while the device
can be examined elsewhere. McAfee recommends yo u first try the follo wing techniques to
troubleshoot a McAfee
All Sensors have a Layer2 Passthru feature. If you feel your Sensor is causing
network disruption, before you remove it from the network, issue the following
command:
layer2 mode assert
This pushes the Sensor into Layer2 Passthru (L2) mode, causing traffic to flow
through the Sensor while bypassing the detection engine. Check to see whether your
services are still affected; if they are, then you have eliminated certain Sensor
hardware issues; the problem could instead be a network issue or a configuration
issue. (The layer2 mode deassert command pushes the Sensor back to
detection mode.)
McAfee recommends that you configure Layer2 Passthru Mode on each Sensor. This
enables you to set a threshold on the Sensor that pushes the Sensor into L2 bypass
mode if the Sensor experiences a specified number of errors within a specified
timeframe. Traffic then continues to flow directly through the Sensor without passing
to the detection engine.
Connect a fail-open kit, which consists of a bypass switch and a controller, to any GE
monitoring port pairs on the Sensor. If a kit is attached to the Sensor, disabling the
Sensor ports forces traffic to flow through the bypass switch, effectively pulling the
Sensor out of the path. For FE monitoring ports, there is no need for the external kit.
Sensors with FE ports contain an internal tap; disabling the ports will send traffic
through the internal tap, providing fail-open functionality.
®
Network Security Sensor (Sensor) issue:
Caution 1: Note that the Sensor will need to reboot to move out of L2 mode only if
the Sensor entered L2 mode because of internal errors. (It does not need a reboot if
the layer2 mode assert command was used to put the Sensor into L2 mode).
Caution 2: A Sensor reboot breaks the link connecting the devices on either side of
the Sensor and requires the renegotiation of the network link between the two
devices surrounding the Sensor.
Caution 3: Depending on the network equipment, this disruption should range from
a couple of seconds to more than a minute with certain vendors’ devices. A very
brief link disruption might occur while the links are renegotiated to place the Sensor
back in in-line mode.
14
McAfee® Network Security Platform 6.0
Starting your troubleshooting
Before you get too deep into troubleshooting techniques, it is a good practice to consider
the following questions:
Were there physical changes to your network that occurred recently?
If another device is placed in the Sensor’s position, does that device receive traffic?
If the Sensor is in L2 mode, are your network’s services still affected?
Are you using approved McAfee GBICs or SFPs or XFPs with your Sensor? [For a list
of approved hardware, see McAfee KnowledgeBase article KB56364 (Go to
http://mysupport.mcafee.com/Eservice/
Difficulties connecting Sensor and Manager
If you experience problems getting the McAfee® Network Security Manager (Manager) and
Sensor to communicate, see if one of the following situations may be the cause.
Network connectivity
Troubleshooting Network Security Platform
, and click Search the KnowledgeBase)]
Ensure that the Sensor and Manager server have power and are appropriately
connected to the network.
Verify the link LEDs on both devices to indicate they have an active link.
Ping the Sensor and Manager server to ensure that they are available on the network.
Inconsistency in Sensor and Manager configuration
Check to ensure that the Sensor name that was entered in the CLI is identical to that
entered in the Manager. Ensure the same for the shared secret key value. If these
values do not match, the two cannot communicate.
Note: The Sensor name is case-sensitive.
Check the network addresses for the Manager, the Manager’s gateway, and the
Sensor to ensure everything is configured correctly by typing show at the Sensor CLI
command prompt.
Software or signature set incompatibility
Check to ensure that the Sensor software image, Manager software version, and signature
set version are compatible.
A compatibility matrix is provided in the release notes that accompany each product
release.
15
McAfee® Network Security Platform 6.0
Firewall between the devices
If there is a firewall between the Sensor and the Manager server, make sure the devices
are able to communicate by opening the appropriate ports.
Note : Ports used by the Manager server are listed in the section Install a desktop
firewall. (on page 2)
Management port configuration
If you experience problems getting your Sensor and Manager to communicate, it may be a
communication issue between the Sensor’s Management port and the network device to
which it is connected. Check the Management Port Link LEDs on the Sensor; if the link is
down, see if any of the following suggestions enable connectivity.
Check that the network device is on-line.
Check the cable connecting the Sensor to the network device.
Ensure that the port on the device to which the Management port is connected is
enabled/active.
The port speed and duplex mode of the two devices must match. For example, if the
device connecting to the Sensor is not set to auto-negotiate, you must configure the
Management port to use the same settings as those of the device connecting to the
Management port. To troubleshoot this, use the set mgmtport command.
Note: Check the link LEDs on the devices to see if communication is
established, or use the show mgmtport command to show the link’s status.
Try each of these configuration options to see if one establishes a link:
Troubleshooting Network Security Platform
1 First (if possible) set the other device’s port configuration to auto-negotiate. (The
Sensor is set to auto-negotiate by default.)
2 Using the set mgmtport command as described below in Setting the management
port speed and duplex mode, try setting the speed and port of the Sensor to speed
100 and duplex half or full.
3 If no link is established, try speed 10 and duplex half or full.
4 If none of the above attempts creates a link, try setting the port on the other device to
a speed of 100, duplex half or full, and try step 2 again.
5 If this does not establish a link, you can then do the same, setting the other device to
a speed of 10, duplex half or full , and try step 3 again.
6 If you are still experiencing difficulties, contact McAfee Technical Support.
Note: M series Sensors Management port support 1000 Mbps(1Gbps)too.Use the
set mgmtport auto command to establish a link to the connecting device(before
performing this,see to it that the other device's port configuration's speed is fixed to
1000 and also set to auto-negotiate).
16
McAfee® Network Security Platform 6.0
Setting the management port speed and duplex mode
1 Set the speed of the Management port and whether the port should be set to half-or
full-duplex. At the prompt, type:
set mgmtport speed <10 | 100 | 1000> duplex <half | full>
where
<10> indicates 10 Mbps, <100> indicates 100 Mbps, and <1000> indicates 1000
Mbps
<half> indicates half-duplex and <full> indicates full-duplex.
Note: 1000 Mbps is applicable only for M-series Sensors. I-Series sensors
support only 10/100 Mbps for Management port
Example: set mgmtport speed 100 duplex half
Connectivity issues between the Sensor and other network
devices
The most common Sensor problems relate to configuration of the speed and duplex
settings. Speed determination issues may result in no connectivity between the Sensor
and the switch.
Troubleshooting Network Security Platform
Duplex mismatches
A duplex mismatch (for example, one end of the link in full-duplex and the other in halfduplex) may result in performance issues, intermittent connectivity, and loss of
communication. It can also create subtle problems in applications. For example, if a Web
server is talking to a database server through an Ethernet switch with a duplex mismatch,
small database queries may succeed, while large ones fail due to a timeout.
Manually setting the speed and duplex to full-duplex on only one link partner generally
results in a mismatch. This common issue results from disabling auto-negotiation on one
link partner and having the other link partner default to a half-duplex configuration, creating
a mismatch. This is the reason why speed and duplex cannot be hard-coded on onl y one
link partner. If your intent is not to use auto-negotiation, you must manually set both link
partners' speed and duplex settings to full-duplex.
Valid auto-negotiation and speed configurations
The table below summarizes all possible settings of speed and duplex for Sensors and
Cisco catalyst switch ports.
17
McAfee® Network Security Platform 6.0
Troubleshooting Network Security Platform
Network Security
Platform Configuration
10/100/1000 port
(Speed/Duplex)
100 Mbps
Full-duplex
100 Mbps
Full-duplex
100 Mbps
Full-duplex
100 Mbps
Half-duplex
Configuration of Switch
(Speed/Duplex)
1000 Mbps
Resulting
Sensor
(Speed/Duplex)
Resulting
Catalyst
(Speed/Duplex)
No Link No Link Neither side
Full-duplex
AUTO 100 Mbps
Full-duplex
1000 Mbps
Full-duplex
100 Mbps
Full-duplex
AUTO 100 Mbps
Half-duplex
100 Mbps
Full-duplex
100 Mbps
Full-duplex
100 Mbps
Half-duplex
Comments
establishes link, due
to speed mismatch
Correct configuration
Correct Manual
Configuration
Link is established,
but switch does not
see any autonegotiation
information from
McAfee Network
Security Platform and
defaults to halfduplex when
operating at 10/100
Mbps.
10 Mbps
Half-duplex
10 Mbps
Half-duplex
AUTO 100 Mbps
Half-duplex
100 Mbps
Half-duplex
Link is established,
but switch does not
see Fast Link Pulse
(FLP) and defaults to
10 Mbps half-duplex.
1000 Mbps
Half-duplex
No Link No Link Neither side
establishes link, due
to speed mismatch.
Gigabit auto-negotiation (no link to connected device)
Gigabit Ethernet has an auto-negotiation procedure that is more extensive than that which
is used for 10/100 Mbps Ethernet (per Gigabit auto-negotiation specification IEEE 802.3z-
1998). The Gigabit auto-negotiation negotiates flow control, duplex mode, and rem ote fau lt
information. You must either enable or disable link negotiation on both ends of the link.
Both ends of the link must be set to the same value or the link will not connect.
If either device does not support Gigabit auto-negotiation, disabling Gigabit autonegotiation forces the link up.
Troubleshooting a Duplex Mismatch with Cisco Devices
When troubleshooting connectivity issues with Cisco switches or routers, verify that the
Sensor and the switch/routers are using a valid configuration. The show intfport <port>
command on the Sensor CLI will help reveal errors.
18
McAfee® Network Security Platform 6.0
Sometimes there are duplex inconsistencies between Network Security Platform and the
switch port. Symptoms include poor port performance and frame check sequence (FCS)
errors that increment on the switch port. To troubleshoot this issue, manually configure the
switchport to 100 Mbps, half-duplex. If this action resolves the connectivity problems, you
may be running into this issue. Contact Cisco's TAC for assistance.
Use the following commands to verify fixed interface settings on some Cisco devices that
connect to Sensors:
Cisco PIX® Firewall
interface ethernet0 100full
Cisco CSS 11000
interface ethernet-3
phy 100Mbits-FD
Troubleshooting Network Security Platform
Cisco Catalyst® 2900XL, 3500XL Series (Hybrid)
interface FastEthernet0/2
duplex full
speed 100
Cisco Catalyst 4000, 5000, 6000 Series (Native)
set port speed 1/1 100
set port duplex 1/1 full
Connectivity issues with Cisco 3750-12S switch
Use the following ports when connecting a Cisco 3750-12s switch to your Sensor: 3, 4, 7,
8, 11, or 12. Connections using ports 1, 2, 5, 6, 9, or 10 may cause network jitter, which is
an inconsistent delay of packets.
Cisco IOS® for Catalyst 4000, 6000 Series
Router(config)# interface fastethernet slot/port
Router(config-if)# speed 100
Router(config-if)# duplex full
When troubleshooting Network Security Platform performance issues with Cisco switches,
view the output of the show port mod/port command, and note the counter
information.
19
McAfee® Network Security Platform 6.0
Explanation of CatOS show port Command Counters
Counter Description Possible Causes
Troubleshooting Network Security Platform
Alignment
Errors
Alignment errors are a count of the
number of frames received that do
not end with an even number of
octets and have a bad CRC.
FCS FCS error count is the number of
frames that were transmitted or
received with a bad checksum
(CRC value) in the Ethernet frame.
These frames are dropped and not
propagated onto other ports.
Xmit-Err This is an indication that the internal
transmit buffer is full.
Rcv-Err This is an indication that the receive
buffer is full.
These are the result of collisions at half-duplex,
duplex mismatch, bad hardware (NIC, cable, or
port), or a connected device generating frames
that do not end with on an octet and have a bad
FCS.
These are the result of collisions at half-duplex,
duplex mismatch, bad hardware (NIC, cable, or
port), or a connected device generating frames
with bad FCS.
This is an indication of excessive input rates of
traffic. This is also an indication of transmit
buffer being full. The counter should only
increment in situations in which the switch is
unable to forward out the port at a desired rate.
Situations such as excessive collisions and 10
Mb ports cause the transmit buffer to become
full. Increasing speed and moving the link
partner to full-duplex should minimize this
occurrence.
This is an indication of excessive output rates of
traffic. This is also an indication of the receive
buffer being full. This counter should be zero
unless there is excessive traffic through the
switch. In some switches, the Out-Lost counter
has a direct correlation to the Rcv-Err.
UnderSize These are frames that are smaller
than 64 bytes (including FCS) and
have a good FCS value.
Single
Collisions
Single collisions are the number of
times the transmitting port had one
collision before successfully
transmitting the frame to the media.
Multiple
Collisions
Multiple collisions are the number of
times the transmitting port had more
than one collision before
successfully transmitting the frame
to the media.
This is an indication of a bad frame generated
by the connected device.
This is an indication of a half-duplex
configuration.
This is an indication of a half-duplex
configuration.
20
Loading...