Nortel 2070 Download user manual page 8

8

New in this release

Nortel TPS 4.7
Threat Protection System Troubleshooting Guide
NN47240-700
01.01
Standard
11 2007
Copyright © 2007 Nortel Networks

Contents 2070

Page 1: ...Nortel Threat Protection System Threat Protection System Troubleshooting Guide Release 4 7 Document Revision 01 01 www nortel com NN47240 700 324442 A ...

Page 2: ...is subject to U S export control and may be subject to export or import regulations in other countries Purchaser must strictly comply with all such laws and regulations A license to export or reexport may be required by the U S Department of Commerce Licensing This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org This product includes c...

Page 3: ...vice 20 Resetting the Administrator Password for a TPS device 21 Installing an Old Version of SEU 22 Event handling 22 Troubleshooting TPS Sensor when not receiving events 23 Troubleshooting Defense Center when not receiving events 23 Troubleshooting errors when adding sensor to DC 23 Troubleshooting the SFDataCorrelator 24 Troubleshooting alerting problems 25 Troubleshooting mail alerting problem...

Page 4: ...ing when a customer is unable to add a sensor to be managed by a DC 36 Troubleshooting a system crash 37 Verify the ports to be opened in the firewall for 4 6 37 Troubleshooting Snort 37 Troubleshooting memory problems 38 IPS mode cable Deployment Scenarios 38 Deploying between two endpoints 38 Deploying between two network switches 39 Between a switch and an endpoint 39 Between a switch and a rou...

Page 5: ... information 49 Getting help from the Nortel Web site 50 Getting help over the phone from a Nortel Solutions Center 50 Getting help from a specialist by using an Express Routing Code 51 Getting help through a Nortel distributor or reseller 51 Glossary 53 ...


Page 7: ...7 Troubleshooting Guide with Emergency Recovery Tree NN47240 700 is a new document for Nortel Threat Protection System Release 4 7 Navigation ...

Page 8: ...8 New in this release ...

Page 9: ...a specific feature Each tool is described by purpose usage procedures and how to interpret the output Prerequisites Nortel recommends you to use one or more of the following commercially available troubleshooting tools as well as the tools described in this document Capture and analyze HTTP and HTTPS with the HTTP Analyzer from IE Inspector http www ieinspector com Capture and analyze HTTP and HTT...

Page 10: ...ference to third party Application Guides page 47 Contact Nortel technical support page 49 Glossary page 53 Acronyms Table 1 Acronyms page 10 lists the acronyms used in this guide Table 1 Acronyms TPS Threat Protection System CLI Command Line Interface LED Light Emitting Diode ...

Page 11: ...essage only once ATTENTION Enabling proxydebug will use more CPU resource Make sure to disable it after you finish debugging Transmit the event log from the Nortel VPN Gateway to a file on a TFTP FTP or SFTP server Specify the IP address or host name of the server as well as the file name The default value is TFTP Table 2 Log file types in a log dump page 11 lists the log file types in a log dump ...

Page 12: ...el panic message with debug information can be captured from console directly Use Procomm to capture those messages Issues that require Sourcefire assistance Contact Sourcefire for assistance on the following issues and request the process that was taken to update customer details and restore the document 1 The DC cannot push a policy to the sensors The customer may have to re image the box 2 OPSE...

Page 13: ... successful but for one reason or another the customer has chosen to revert to the previous version 4 Customer is not able to add a sensor to be managed by a DC ...

Page 14: ...14 Troubleshooting Fundamentals ...

Page 15: ...cription Amber system status LED The amber system status LED lights up when the system needs attention due to a problem with power supplies fans CPU or system temperature Hard disk drive activity LED This LED blinks when activity is detected on the hard disk drive System power LED This LED is green when the power supply is turned on System status LED The system status LED lights up when the system...

Page 16: ...inistrator can change this port number Software release 4 1 x and below The Defense Center and the Intrusions Sensors communicate on the following TCP ports TCP Port Direction To From DC Description 22 SSH Outbound from DC to Sensor DC uses this port to push configurations updates HA 8300 SSL Inbound from Sensor to DC Management functions 8301 SSL Inbound from Third Parties to DC eStreamer API eve...

Page 17: ...ortel_TPS_Intrusion_Sensor 2150 v4 1 0 78 Restore iso TPS 2150 Intrusion Sensor Nortel_TPS_Intrusion_Sensor 2070 v4 1 0 78 Restore iso TPS 2070 Intrusion Sensor Nortel_TPS_Intrusion_Sensor 2170 v4 1 0 78 Restore iso TPS 2170 Intrusion Sensor This chapter describes the various procedures to troubleshoot the software on the TPS devices Navigation Creating a troubleshoot file from a TPS device page 1...

Page 18: ...e steps Step Action 1 Open a case with Nortel Enterprise Technical Support NETS 2 Enter the following command to go to the default location usr local sf bin 3 Run the script sf_troublshoot pl 4 Enter the following command to obtain the default configuration file troubleshoot conf etc sf troubleshoot conf 5 Customize the troubleshoot conf file into a custom conf file if necessary ATTENTION Although t...

Page 19: ...ed steps and tips on performing a complete and correct Nortel TPS DC 4 5 1 Upgrade on a TPS device Procedure 2 Procedure steps Step Action 1 Enter the following command to obtain the output file that contains the list of updates pushed to the TPS device var sf updates ls alshL var sf updates output 2 Verify that the correct upgrade script was used to upgrade the TPS device 3 Enter the following co...

Page 20: ...e when the LILO boot menu appears if the device is a 2070 model 4 Enter the following command at the LILO boot prompt to load the linux operating system linux s System response Loading linux Linux version 2 4 26st p4smp 13 build renowm sfeng so urcefire com gcc version 2 95 320010315 release 1 SMP Fri Aug 12 16 37 04 UTC 2005 5 Enter the following command LILO 22 2 boot passwd root At the prompt e...

Page 21: ...y if you know the root password for the TPS device Refer section Modifying root password for a TPS device if you forget or lose the password to reset the same Procedure 4 Procedure steps Step Action 1 Go to root prompt on the TPS device 2070 model 2 Enter the following command root DC2070 resetadmin 3 Enter the root login password at the password prompt Please enter the root login password passwor...

Page 22: ...wing sequence of commands to install an earlier version of an SEU rpm e snort rpm e Sourcefire_Module_Pack dev rpm e Sourcefire_Rule_Pack vrt rpm e Sourcefire_Snort_Engine_Upgrade where the character represents placeholders for the current version CAUTION Do not enter any other rpm e commands at the command prompt except the ones listed in step 2 End Event handling This section describes the corre...

Page 23: ...s page 23 for more information 3 Check if the time is synchronized between the DC and sensor s 4 Check if the sensor s can reach the DC on ports 8300 8303 5 Troubleshoot the SFDataCorrelator Refer section Troubleshooting the SFDataCorrelator for more information Troubleshooting errors when adding sensor to DC Use this procedure to troubleshoot errors that arise when adding a sensor to DC Procedure...

Page 24: ...ubleshoot a SFDataCorrelator that is not running Procedure 7 Procedure steps Step Action 1 Enter the following command to check for error messages var log messages 2 Enter the following command to run the initialization script etc rc d init d SFDataCorrelator start 3 If the SFDataCorrelator fails to start repeat step 1 to check for error messages 4 If the SFDataCorrelator still fails to start ente...

Page 25: ...l alerting 2 Run the following shell script at the command prompt sfmail sh 3 Enter the following command to check for errors var log messages 4 Ensure that the IP address of the Sensor or DC is reverse resolvable via DNS 5 Enter the following command to add hostname information etc hosts End Troubleshooting SNMP alerting problems Check if SNMP is running Troubleshooting Syslog alerting problems C...

Page 26: ...Procedure steps Action If LDAP authentication fails do the following sequence of actions Ensure that the user test passes when creating the LDAP object If the user test fails do the following Ensure that the LDAP server is working properly Check if the DC can communicate with the LDAP server Check if the LDAP server uses the correct port Enter the following commands to check the corresponding user ...

Page 27: ... hostname as the common name in the certificate Obtain the SSL certificate Do the following to interact with the user interface when LDAP fails Edit the following file on the appliance etc sf ims conf Add the following to the end of the file LDAP_INFO 1 Retry the connection from the Authentication Object page Expand the check box that appears at the bottom of the page to view the errors in greater...

Page 28: ...Prohibit Packet Data from Sensor option at the registration screen 3 On the managed sensor or IS ensure that the following line ignore_packet_data 1 is present in var sf peers DC UUID ids_forward conf If the parameter ignore_packet_data is set to 1 then the prohibit packet data on DC is done properly End Performing RNA IP Port Exclusion Use this procedure for RNA IP Port Exclusion Procedure 13 Pro...

Page 29: ... host is A R RNA and then Network map 3 If the scanning host still fails the NMAP scan enter the following command to debug Set sfmgr and sftunnel to debug 4 Find the sfmgr and sftunnel processes at the following location etc sf PM conf 5 Scan the same host that failed again by entering the following series of commands option d option f option etc sf sftunnel conf option D 6 View the error details ...

Page 30: ...Paddress 4 Enable IP ACL on WEBOS configuration for TPS to enforce blocking the remediation 5 Enable SSHv2 access to allow Defense Center or RTI Sensor to access the NAS 6 Enable the login display ensuring that the login banner is displayed during every SSH access End ...

Page 31: ...naging page 34 Troubleshooting a faulty OPSEC page 34 Troubleshooting a failed upgrade page 35 Troubleshooting a failed automatic SEU Update page 35 Troubleshooting when a customer is unable to add a sensor to be managed by a DC page 36 Troubleshooting a system crash page 37 Verify the ports to be opened in the firewall for 4 6 page 37 Troubleshooting Snort page 37 Troubleshooting memory problems ...

Page 32: ...e that the time range for showing white list events is correct End Troubleshooting an IS that does not generate events This section describes the steps to troubleshoot an IS that does not generate events Procedure 17 Procedure steps Step Action 1 Ensure that the correct policy is applied 2 Ensure that the rules are configured properly 3 Ensure that the rules are selected as Enable Drop in the Rule...

Page 33: ... 2 Configure the IPS policy 3 Configure the rules and select these rules as the Drop status 4 Ensure that both the hosts are connected to both the inline or Inline Failopen interfaces End Validating the failopen function This section describes the validation process when the failopen function does not work properly Procedure 20 Procedure steps Step Action 1 Ensure that the Interface Set is failopen...

Page 34: ...EC If the DC and sensors are configured correctly a trust is established between them However if for some reason the SFReactd does not trigger the fw sam dynamic rule stop reimaging the check point firewall PC to make it work Procedure 22 Procedure steps Step Action 1 Remove the check point firewall vpn if installed on the local PC so as to enable SFReactd to trigger the fw dynamic rule 2 Enter the...

Page 35: ...ure steps Step Action 1 When an upgrade fails enter the following command to revert back to the previous code revert 2 Wait for the system to reboot completely 3 Login to the Graphical User Interface GUI On the menu bar choose Operation Help and then About to check the reverted software version End Troubleshooting a failed automatic SEU Update This section describes how to troubleshoot an SEU upda...

Page 36: ...ember 12 2006 on the TPS This should match the time on the local PC 4 Ensure that the SEU downloading and importing are not scheduled to occur at the same time End Troubleshooting when a customer is unable to add a sensor to be managed by a DC This section describes the troubleshooting steps when a customer was not able to add a sensor to be managed by DC The system responds with the following out...

Page 37: ...tem crash is defined for a given incident Procedure 26 Procedure steps Action Examine the syslog at the following location var log messages Verify the ports to be opened in the firewall for 4 6 The default port is 8305 which is user configurable For more information refer section Remote Management in the User Guide Troubleshooting Snort This section describes the steps to troubleshoot snort Proced...

Page 38: ...ollects data for troubleshooting performance issues rpm I Sourcefire_Maintenance_Tools 0 1 0 1 i386 rpm Running the preceding command adds a modified version of top that logs output to the following location every 60 seconds var log top log IPS mode cable Deployment Scenarios This section describes the various IPS mode cable deployment scenarios Deploying between two endpoints Use two straight thr...

Page 39: ...r When the IPS is deployed between a switch and a router a straight through cable should be used between the switch and the IPS A crossover cable should be used between the IPS and the router The sensor supports auto MDI MDI X so the link between the IPS and the router will be negotiated properly when the sensor is in the normal operational state When the sensor is placed into bypass mode the inte...

Page 40: ...eployed between a switch and a firewall a straight through cable should be used between the switch and the IPS A crossover cable should be used between the IPS and the firewall The sensor supports auto MDI MDI X so the link between the IPS and the firewall will be negotiated properly when the sensor is in the normal operational state When the sensor is placed into bypass mode the internal crossove...

Page 41: ...cation of Detection Resources on the CLI This section describes the verification of the maximum and optimal number of detection resources in CLI Procedure 30 Procedure steps Action Enter the following command in the CLI etc sf ims conf Search for MAX_NUM_DR OPTIMAL _NUM_DR Viewing the enabled rules on the CLI This section describes viewing enabled rules on the CLI Procedure 31 Procedure steps Step...

Page 42: ... Procedure steps Action View the remediation log at the following location tmp RemediationName RemediationName log Viewing the LDAP SSL certificate This section describes how to view the LDAP SSL certificate once it is uploaded Procedure 33 Procedure steps Action Enter the following command to view the LDAP SSL certificate once it is uploaded var sf userauth temp0 pembl ...

Page 43: ...es as quickly as possible Lost access to the TPS DC IS device recovery tree This section details the flow diagram for the recovery tree Lost access the TPS DC IS GUI ...

Page 44: ...ce The TPS DC IS cannot receive events recovery tree This section details the flow diagram for the recovery tree The TPS DC IS does not receive events ...

Page 45: ...The TPS DC IS cannot receive events recovery tree 45 ...

Page 46: ...46 Emergency recovery trees ...

Page 47: ...N External Authentication using Remote Authentication Dial In User Service RADIUS SSL VPN External LDAP Authentication using Active Directory SSL VPN Configuring access rules SSL VPN Adding links to a portal page SSL VPN Configuring User Types SSL VPN Configuring User Types Adding a Server Certificate and or Private Key HTTP to HTTPS Redirect Service Using Netegrity SiteMinder with Nortel Networks...

Page 48: ...48 Reference to third party Application Guides ...

Page 49: ...ting This section identifies all the critical information that should be gathered before contacting Nortel Technical Support You must attempt to resolve your problem using this troubleshooting guide Contacting Nortel is a final step taken only when you have been unable to resolve the issue using the information and steps provided in this troubleshooting guide Gather the following information befor...

Page 50: ...ortel com support This site provides quick access to software documentation bulletins and tools to address issues with Nortel products More specifically the site enables you to download software documentation and product bulletins search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues sign up for automatic notification of new software and documentation ...

Page 51: ...to a specialist in your Nortel product or service To locate the ERC for your product or service go to http www nortel com help contact erc Getting help through a Nortel distributor or reseller If you purchased a service contract for your Nortel product from a distributor or authorized reseller contact the technical support staff for that distributor or reseller ...

Page 52: ...52 Contact Nortel technical support ...

Page 53: ...NTP Nortel Technical Publication LADP OS RNA IS Intrusion Sensor STP OPSEC DNS SDM IS SEU Snort Engine Upgrade LDAP MSAD RUA ...

Page 54: ...54 Glossary ...


Page 56: ...ument is proprietary to Nortel Networks Export This product software and related technology is subject to U S export control and may be subject to export or import regulations in other countries Purchaser must strictly comply with all such laws and regulations A license to export or reexport may be required by the U S Department of Commerce Licensing This product includes software developed by the...
