Nortel Threat Protection System Troubleshooting Guide
Contents
1. If an upgrade has failed the system may be in a dubious state for which reverting may exacerbate the problem Any such problem should be reported to Sourcefire Support There is a process for reverting to the previous version which is documented in the User Guides however that process is only Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks Issues that require Sourcefire assistance 13 recommended in cases where the upgrade was successful but for one reason or another the customer has chosen to revert to the previous version 4 Customer is not able to add a sensor to be managed by a DC Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks 14 Troubleshooting Fundam shooting Guide Threat Protection lt NN4724 Standard NN47 Copyright 2007 Nortel Networks 15 Hardware Troubleshooting This section describes the feature specific troubleshooting tools available at the operating system level Navigation e TPS Hardware page 15 e Ports to open in a firewall page 16 TPS Hardware This section provides information to troubleshoot hardware problems related to the TPS 2050 TPS 2070 and TPS 2150 devices The table Front Panel LEDs describes the Front Panel LED indicators on the TPS device Table 3 Front Panel LEDs Ambe2. 2007 Nortel Networks ing Snort through the User Interface 27 aa oni data on athe DC 28 in Procedures 29 Remediating NAS 29 Troubleshooting Global Faults 31 Navigation 31 Trouble when no white list events are generated Troubleshootin e Troubleshooting Treableshaote he ions function 33 ho an ve that does not sent 4 Emergency recovery trees 43 Lost access to the TPS DC IS device recovery tree 43 Nortel TPS 4 7 ior m Troubleshooting Guide 40 700 01 01 Standard 11 2007 Threat F Copyright 2007 Nortel Networks Licensing 5 The TPS DC IS cannot receive events recovery tree 44 Reference to third party Application Guides 47 Contact Nortel technical support 49 Navigation 49 Gathering critical information 49 Getting help from the Nortel Web site 50 Getting help over the phone from a Nortel Solutions Center 50 Getting help from a specialist by using an Express Routing Code 51 Getting help through a Nortel distributor or reseller 51 Glossary 53 Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks Nortel TPS 4 7 Threat Protection n Troubl NN47240 700 01 01 112007 shooting Guide Standard Copyright 2007 Nortel Networks New in this release The Nortel Threat Protection System Release 4 7 Troubleshooting Guide with Emergency Recovery Tree NN47240 700
3. go to www nortel com documentfeedback www nortel com The information in this document is subject to change without notice The statements configurations technical data and recommendations in this document are believed to be accurate and reliable but are presented without express or implied warranty Users must take full responsibility for their applications of any products specified in this document The information in this document is proprietary to Nortel Networks Export This product software and related technology is subject to U S export control and may be subject to export or import regulations in other countries Purchaser must strictly comply with all such laws and regulations A license to export or reexport may be required by the U S Department of Commerce Licensing This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes software written by Tim Hudson th cryptsoft com This product includes software developed by the Apache Software Foundation http www apache org This product includes a TAP Win32 driver derived from the CIPE Win32 kernel driver Copyright Damion K Wilson and is licensed under the GPL See Appendix D License Information in the User s Guide for more information NORTEL
4. is a new document for Nortel Threat Protection System Release 4 7 Navigation Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks shooting Guide Threat Protection lt NN4724 Standard NN47 Copyright 2007 Nortel Networks Introduction The Nortel Threat Protection System is a fully integrated intrusion detection system that consists of the following e TPS 2070 Defense Center which manages intrusion sensors in the network environment e TPS 2050 Intrusion Sensor and TPS 2070 Intrusion Sensor which detect and track network intrusions either independently or under the management of the TPS 2070 Defense Center e TPS 2150 Intrusion Sensor and TPS 2170 Intrusion Sensor which have fail open functionality in inline mode This chapter describes the prerequisites and various tools used to troubleshoot the Nortel TPS 4 7 Use these troubleshooting tools to enhance the overall performance resolve error messages and increase response time for a specific feature Each tool is described by purpose usage procedures and how to interpret the output Prerequisites Nortel recommends you to use one or more of the following commercially available troubleshooting tools as well as the tools described in this document e Capture and analyze HTTP and HTTPS with the HTTP Analyzer from IE Inspector htip www ieinspector com e Capture and
5. DC Management functions 8301 Inbound from Third Parties to eStreamer API event data DC streams 8302 Inbound from Sensor to DC eStreamer from Intrusion Sensors 8303 Inbound from Sensor to DC Heartbeat Protocol Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks 17 Software Troubleshooting The TPS 2070 Defense Center DC TPS 2050 Intrusion Sensor IS TPS 2070 Intrusion Sensor TPS 2150 Intrusion Sensor and TPS 2170 Intrusion Sensor products are pre loaded with version 4 1 of the software The software is available on a CD ROM that is shipped with the hardware and is also available on the Nortel website for contracted customers The software file names for release 4 1 are as follows e Nortel TPS Defense Center 2070 v4 1 0 78 Restore iso TPS 2070 Defense Center e Nortel TPS Intrusion Sensor 2050 v4 1 0 78 Restore iso TPS 2050 Intrusion Sensor e Nortel TPS Intrusion Sensor 2150 v4 1 0 78 Restore iso TPS 2150 Intrusion Sensor e Nortel_TPS_Intrusion_Sensor 2070 v4 1 0 78 Restore iso TPS 2070 Intrusion Sensor e Nortel_TPS_Intrusion_Sensor 2170 v4 1 0 78 Restore iso TPS 2170 Intrusion Sensor This chapter describes the various procedures to troubleshoot the software on the TPS devices Navigation e Creating a troubleshoot file from a TPS device page 18 e Obtaining the troubleshoot file following a failed softwar
6. Nortel distributor or reseller page 51 Gathering critical information Before contacting Nortel Technical Support you must gather information that can help the technical support personnel when troubleshooting This section identifies all the critical information that should be gathered before contacting Nortel Technical Support You must attempt to resolve your problem using this troubleshooting guide Contacting Nortel is a final step taken only when you have been unable to resolve the issue using the information and steps provided in this troubleshooting guide Gather the following information before contacting Nortel Tech Support Collecting this information helps Nortel analyze and address the reported issue e Detailed description of the problem e Date and time when the problem started e Frequency of the problem e Is this a new installation Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks 50 Contact Nortel technical support e Have you search the solutions database Were any related solutions found Is there currently a workaround for this issue e Have you recently changed or upgraded your system your network or a custom application For example has any configuration or code been changed When were these changes made Provide the date and time Who made these changes Were the changes made by a partner or customer Provide the n
7. TPS device var sf updates ls alshLvar sf updates output 2 Verify that the correct upgrade script was used to upgrade the TPS device 3 Enter the following command to obtain the troubleshoot log file results dd mm yyyy 191127 dir archives var log sf Nortel TPS DC Upgrade 4 5 1 main uograde scr ipt log This log file is a complete account of the upgrade process ATTENTION The name of the folder in which the troubleshoot log file is extracted includes the version of the software you upgrade to End Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks 20 Software Troubleshooting Resetting passwords This section describes resetting passwords on TPS devices Resetting the root password of a TPS device Use this procedure to reset the root password of a TPS device 2050 model if it is lost or forgotten Procedure 3 Procedure steps Step Action 1 Connect the TPS device 2050 model to a PC or laptop using a console cable ATTENTION Connect the TPS device to a monitor and keyboard if the device is a 2070 model 2 Power cycle the TPS device 3 Press any arrow key during the boot sequence at the LILO boot prompt ATTENTION Press any arrow key during the boot sequence when the LILO boot menu appears if the device is a 2070 model 4 Enter the following command at the LILO boot prompt to load the linux ope
8. and the crossover cable between the endpoint and the IPS will combine to create a straight through cable and allows normal operation of the connection Between a switch and a router When the IPS is deployed between a switch and a router a straight through cable should be used between the switch and the IPS A crossover cable should be used between the IPS and the router The sensor supports auto MDI MDI X so the link between the IPS and the router will be negotiated properly when the sensor is in the normal operational state When the sensor is placed into bypass mode the internal crossover and the crossover cable between the endpoint and the IPS will combine to create a straight through cable This will allow normal operation of the connection Between a router and an endpoint When the IPS is deployed between a router and an endpoint no special cabling is needed Two straight through cables should be used The sensor supports auto MDI MDI X so the link will be negotiated properly when the sensor is in the normal operational state When the sensor is placed into bypass mode it internally implements a crossover and allows normal operation of the connection Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks 40 Troubleshooting Global Faults Between a firewall and an endpoint When the IPS is deployed between a firewall and an endpoint no special
9. cabling is needed Two straight through cables should be used The sensor supports auto MDI MDI X so the link will be negotiated properly when the sensor is in the normal operational state When the sensor is placed into bypass mode it internally implements a crossover and allows normal operation of the connection Between two firewalls When the IPS is deployed between two firewalls no special cabling is needed Two straight through cables should be used The sensor supports auto MDI MDI X so the link will be negotiated properly when the sensor is in the normal operational state When the sensor is placed into bypass mode it internally implements a crossover and allows normal operation of the connection Between a switch and a firewall When the IPS is deployed between a switch and a firewall a straight through cable should be used between the switch and the IPS A crossover cable should be used between the IPS and the firewall The sensor supports auto MDI MDI X so the link between the IPS and the firewall will be negotiated properly when the sensor is in the normal operational state When the sensor is placed into bypass mode the internal crossover and the crossover cable between the firewall and the IPS will combine to create a straight through cable This will allow normal operation of the connection Between router and a firewall When the IPS is deployed between a router and a firewall no special cabling is needed Two stra
10. refer section Remote Management in the User Guide Troubleshooting Snort This section describes the steps to troubleshoot snort Procedure 27 Procedure steps Step 1 2 Copyright 2007 Nortel Networks Action Enter the following command to obtain the snort configuration file snort conf Enter the following command to view the traffic snort dvei fp1 fp2 OR snort dvei bond Oi Enter the following series of commands for a snort packet capture Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 38 Troubleshooting Global Faults cd var tmp mkdir logdir snort dvei bond 0 fpl fp2 b 1 logdir The preceding command will result in a log file as follows snort log 1135279299 Enter the following series of command s for a packet capture with tcpdump Set the parameter snaplento 0 to catch whole packets cd var tmp tcpdump I bond0 fp1 fp2 s0 wpcapfile End Troubleshooting memory problems This section describes the process of troubleshooting memory problems To track installed memory issues the maintenance tool RPMmust be installed Once the tool does not harm the system Procedure 28 Procedure steps Action Run the following command to install the RPM that collects data for troubleshooting performance issues rpm I Sourcefire Maintenance Tools 0 1 0 1 i386 rpm Running the preceding command adds a modified version of top that lo
11. update feature is not working The system responds with the following output message An error message occurred while running task Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks 36 Troubleshooting Global Faults ATTENTION This issue has been fixed by Sourcefire and Nortel IT team Perform the steps in the following procedure if a problem with downloading and importing the SEU still persists Procedure 24 Procedure steps Step Action 1 Configure the primary DNS server at the following location Mgmt Interface Netmask Default Network Gateway Domain Primary DNS Server 2 At the TPS IS DC command line ping the Nortel update website to see if the associated webpage appears www nortel autoupdates com 3 Ensure that the time settings on both the TPS IS DC and the local PC are the same On the menu bar choose Operation System settings Time and then Set Time to check the time for example America Los Angeles Tuesday December 12 2006 on the TPS This should match the time on the local PC 4 Ensure that the SEU downloading and importing are not scheduled to occur at the same time End Troubleshooting when a customer is unable to add a sensor to be managed by a DC This section describes the troubleshooting steps when a customer was not able to add a sensor to be managed by DC The system responds with the following output messag
12. www nortel com help contact global index htm Getting help from a specialist by using an Express Routing Code To access some Nortel Technical Solutions Centers you can use an Express Routing Code ERC to quickly route your call to a specialist in your Nortel product or service To locate the ERC for your product or service go to http www nortel com help contact erc Getting help through a Nortel distributor or reseller If you purchased a service contract for your Nortel product from a distributor or authorized reseller contact the technical support staff for that distributor or reseller Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks 52 chnical support shooting Guide Standard Copyright 2007 Nortel Networks 53 Glossary RS SSCS wooo LDAP Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks 54 Glos hooting Guide Threat Protection Standard NN47 Copyright 2007 Nortel Networks Nortel Threat Protection System Threat Protection System Troubleshooting Guide Copyright 2007 Nortel Networks All Rights Reserved Release 4 7 Publication NN47240 700 Document status Standard Document revision 01 01 Document release date 11 2007 To provide feedback or to report a problem in this document
13. NORTEL Threat Protection System Troubleshooting Guide Release 4 7 Document Revision 01 01 www nortel com NN47240 700 324442 A Nortel Threat Protection System Release 4 7 Publication NN47240 700 Document status Standard Document release date 11 2007 Copyright 2007 Nortel Networks All Rights Reserved The information in this document is subject to change without notice The statements configurations technical data and recommendations in this document are believed to be accurate and reliable but are presented without express or implied warranty Users must take full responsibility for their applications of any products specified in this document The information in this document is proprietary to Nortel Networks Export This product software and related technology is subject to U S export control and may be subject to export or import regulations in other countries Purchaser must strictly comply with all such laws and regulations A license to export or reexport may be required by the U S Department of Commerce Licensing This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http Awww openssl org This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes software written by Tim Hudson tjh cryptsoft com This product includes software developed by the Apache Software Foundation http www apache org This produ
14. ames of the individuals who made the changes Also provide Nortel Technical Support with the following information e A copy of your configuration files e A detailed network topology diagram e Log files Getting help from the Nortel Web site The best way to get technical support for Nortel products is from the Nortel Technical Support Web site http www nortel com support This site provides quick access to software documentation bulletins and tools to address issues with Nortel products More specifically the site enables you to e download software documentation and product bulletins e search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues e sign up for automatic notification of new software and documentation for Nortel equipment open and manage technical support cases Getting help over the phone from a Nortel Solutions Center If you do not find the information you require on the Nortel Technical Support Web site and have a Nortel support contract you can also get help over the phone from a Nortel Solutions Center In North America call 1 800 4NORTEL 1 800 466 7835 Outside North America go to the following Web site to obtain the phone number for your region Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks Getting help through a Nortel distributor or reseller 51 http
15. analyze HTTP and HTTPS with Tamper Data a plug in available for Mozilla Firefox https addons mozilla org en US firefox addon 966 e Display the time to load Web pages with Faster Fox a plug in available for Mozilla Firefox https addons mozilla org en US firefox addon 1269 e Capture and analyze packets with either Sniffer or Wireshark from Network General http www wireshark org and http www networkge neral com Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks 10 Introduction Navigation e Troubleshooting Fundamentals page 11 e Hardware Troubleshooting page 15 e Software Troubleshooting page 17 e Troubleshooting Global Faults page 31 e Emergency recovery trees page 43 e Reference to third party Application Guides page 47 e Contact Nortel technical support page 49 e Glossary page 53 Acronyms Table 1 Acronyms page 10 lists the acronyms used in this guide Table 1 Acronyms Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks 11 Troubleshooting Fundamentals This section provides conceptual information about the methods and tools that you can use to troubleshoot and isolate problems in TPS 4 7 Navigation Log files View the log files to see the history of system events This troubl
16. ct includes a TAP Win32 driver derived from the CIPE Win32 kernel driver Copyright Damion K Wilson and is licensed under the GPL See Appendix D License Information in the User s Guide for more information Contents New in this release 7 Navigation 7 Introduction 9 Prerequisites 9 Navigation 10 Acronyms 10 Troubleshooting Fundamentals 11 Navigation 11 Log files 11 Issues that require Sourcefire assistance 12 Hardware Troubleshooting 15 Navigation 15 TPS Hardware 15 Ports to open in a firewall 16 Software Troubleshooting 17 Creating a troubleshoot file from a TPS device 18 Obtaining the troubleshoot file following a failed software upgrade 19 Resetting passwords 20 Resetting the root password of a TPS device 20 Resetting the Administrator Password for a TPS device 21 Installing an Old Version of SEU 22 Event handling 22 Troubleshooting TPS Sensor when not receiving events 23 Troubleshooting Defense Center when not receiving events 23 Troubleshooting errors when adding sensor to DC 23 Troubleshooting the SFDataCorrelator 24 Troubleshooting alerting problems 25 Troubleshooting mail alerting problems 25 Troubleshooting SNMP alerting problems 25 Troubleshooting Syslog alerting problems 25 Troubleshooting events that show incorrect time 25 Troubleshooting LDAP authentication 26 Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright
17. dc com for OpenLDAP uid s dc tps dc com for Sun Directory e Set the authentication status as enabled e Activate the LDAP object under the system policy Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 RUA Configuring Snort through the User Interface 27 Apply the system policy only after activating the LDAP object Ensure that the user for authentication is created using external authentication method If the MSAD Certification authentication fails do the following Ensure that the MSAD certificate is in the following format Base 64 encoded data from pem file you exported on your Active Directory CA machine END CERTIFICATE Base 64 encoded data from pem file that contains the certificate from the AD mail server END CERTIFICATE Do the following steps if there is a certificate for SSL TLS Ensure that the hostname of LDAP server at Server IP address field is used instead of its IP address Enter the hostname as the common name in the certificate Obtain the SSL certificate Do the following to interact with the user interface when LDAP fails Edit the following file on the appliance etc sf ims conf Add the following to the end of the file LDAP INFO 1 Retry the connection from the Authentication Object page Expand the check box that appears at the bottom of the page to view the errors in greater detail e Obtai
18. dures Use these remediation procedues for NSF SDM NAS and NSNA Remediating NAS Use this procedure to remediate NAS Copyright 2007 Nortel Networks Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 30 Software Troubleshooting Procedure 15 Procedure steps Step Action 1 Add NAS module on the DC 2 Create compliance rule s and policy and add Nortel123 responses to compliance policy 3 Add NAS IPaddress 4 Enable IP ACL on WEBOS configuration for TPS to enforce blocking the remediation 5 Enable SSHv2 access to allow Defense Center or RTI Sensor to access the NAS 6 Enable the login display ensuring that the login banner is displayed during every SSH access End Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks 31 Troubleshooting Global Faults This section describes global faults and how to troubleshoot them Navigation e Troubleshooting when no white list events are generated page 32 e Troubleshooting an IS that does not generate events page 32 e Troubleshooting an SDM IS that could not be added to a DC page 32 e Troubleshooting an IS that does not block traffic page 33 e Validating the failopen function page 33 e Troubleshooting an IS that does not send email page 34 e Troubleshooting a DC that cannot push a p
19. e Could not establish a connection with sensor Procedure 25 Procedure steps Step Action 1 Check if the registration keys on the IS and the DC match On the IS menu bar choose Operations System Setting Remote Manager and then Add Manager to check the registration key for example Nortel On the DC menu bar choose Operations Sensor and then Add new sensor to check the registration key for example Nortel Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks Troubleshooting a Troubleshooting Snort 37 Ensure that the software version on Is 2x70 and DC 2x70 are the same On the IS and DC menu bar choose Operations Helpand then About to ensure that the software versions are compatible Ensure that the IS and DC are on the same network and the network is not blocking connection Check if the status changes from pending registrationto registered indicating that the sensor x x x xis successfully added to the DC End system crash This section describes the details and files to look into in the event of a system crash This depends largely on how the system crash is defined for a given incident Procedure 26 Procedure steps Action Examine the syslog at the following location var log messages Verify the ports to be opened in the firewall for 4 6 The default port is 8305 which is user configurable For more information
20. e upgrade page 19 e Resetting passwords page 20 e Installing an Old Version of SEU page 22 e Event handling page 22 e Troubleshooting the SFDataCorrelator page 24 e Troubleshooting alerting problems page 25 Nortel TPS 4 7 Threat Protection System Troubleshooting Guide N S a 01 Standard Copyright 2007 Nortel Networks 18 Software Troubleshooting e Troubleshooting events that show incorrect time page 25 e Troubleshooting LDAP authentication page 26 e RUA page 27 e Configuring Snort through the User Interface page 27 e Verifying prohibit packet data on the DC page 28 e Performing RNA IP Port Exclusion page 28 e Scanning the NMAP page 29 e Remediation Procedures page 29 Creating a troubleshoot file from a TPS device Use this procedure to create a compressed troubleshoot file from a TPS device to obtain critical information to troubleshoot it CAUTION Only authorized administrators must create a troubleshoot file from a TPS device Procedure 1 Procedure steps Step Action 1 Open a case with Nortel Enterprise Technical Support NETS 2 Enter the following command to go to the default location usr local sf bin 3 Run the script sf_troublshoot pl 4 Enter the following command to obtain the default configuration filetroubleshoot conf etc sf troubleshoot conf 5 Customize the troublshoot conf file in
21. el Belted RADIUS server SSL VPN NTML Authentication SSL VPN CRL retrieval SSL VPN Configuring NetDirect SSL VPN Authentication using certificates SSL VPN Authentication using Netegrity SiteMinder SSL VPN Syslog and Traffic log SSL VPN External Authentication using Remote Authentication Dial In User Service RADIUS SSL VPN External LDAP Authentication using Active Directory SSL VPN Configuring access rules SSL VPN Adding links to a portal page SSL VPN Configuring User Types SSL VPN Configuring User Types Adding a Server Certificate and or Private Key HTTP to HTTPS Redirect Service Using Netegrity SiteMinder with Nortel Networks SSL VPN Technical Configuration Guide Using Citrix with the Alteon SSL VPN SSL VPN and SafeWord for Nortel Technical Config Guide Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks Threat Protection shooting Guide NN4724 Standard Copyright 2007 Nortel Networks 49 Contact Nortel technical support This section provides the information about Nortel technical support Navigation e Gathering critical information page 49 e Getting help from the Nortel Web site page 50 e Getting help over the phone from a Nortel Solutions Center page 50 e Getting help from a specialist by using an Express Routing Code page 51 e Getting help through a
22. emove the check point firewall vpn if installed on the local PC so as to enableSFReactd to trigger the fw dynamic rule 2 Enter the following command at the DOS command prompt to check if the firewall policy is installed fw stat Ensure that no firewall vpn is installed on the local check point PC 3 Ensure that the check point PC has policy options as any any except or allow Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks Troubleshooting a failed automatic SEU Update 35 4 Ensure that the httpstraffic is allowed between the TPS DC and the check point firewall PC End Troubleshooting a failed upgrade This section outlines the documented mechanism for reverting back to the previous version of code if an upgrade fails Downgrade is supported from version 4 6 0 1145 builds to version 4 5 1 3 CAUTION Only upgrade revert upgrade is supported not upgrade revert upgrade revert Procedure 23 Procedure steps Step Action 1 When an upgrade fails enter the following command to revert back to the previous code revert 2 Wait for the system to reboot completely 3 Login to the Graphical User Interface GUI On the menu bar choose Operation Help and then About to check the reverted software version End Troubleshooting a failed automatic SEU Update This section describes how to troubleshoot an SEU update when the auto
23. ensor to DC Use this procedure to troubleshoot errors that arise when adding a sensor to DC Procedure 6 Procedure steps Step Action 1 2 3 Check httpsd_error_log for errors on the DC Click Reset Comm in the Sensor GUI SSH to the Sensor Enter the following command to check for the IP address of the DC var sf managed lt DC IP gt Delete the IP address of the DC if it exists Enter the following command to find the size of the authorized keys and check if it is the same size as Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks 24 Software Troubleshooting authorized_keys default var sf snorty ssh authorized keys 5 If the sizes do not match enter the following sequence of commands cd var sf snorty ssh rm authorized keys authorized keys default authorized keys 6 SSH to the Sensor Enter the following command to check for the IP address of the Sensor var sf managed lt Sensor IP gt Delete the IP address of the Sensor if it exists End Table 4 Variable Definitions lt DC_IP gt IP address of the DC IP address of the Sensor Troubleshooting the SFDataCorrelator Use this procedure to troubleshoot a SFDataCorrelator that is not running Procedure 7 Procedure steps Step Action 1 Enter the following command to check for error messages var log messages 2 Enter the following command to run the initiali
24. ers for the current version CAUTION Do not enter any other rpm e commands at the command prompt except the ones listed in step 2 End Event handling This section describes the corrective steps to be taken when TPS devices do not handle events correctly Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks Troubleshooting errors when adding sensor to DC 23 Troubleshooting TPS Sensor when not receiving events Use this procedure to take corrective action when the TPS sensor does not receive events 1 2 3 Check if the time is set correctly Check if snort is running Enter the following command to check if the TPS Sensor has attained 100 capacity var Troubleshooting Defense Center when not receiving events Use this procedure to take corrective action when the Defense Center DC does not receive events 1 Enter the following command to check if the TPS DC has attained 100 capacity var Check if the TPS sensor s is are receiving events Refer section Troubleshooting TPS Sensor when not receiving events page 23 for more information Check if the time is synchronized between the DC and sensor s Check if the sensor s can reach the DC on ports 8300 8303 Troubleshoot the SFDataCorrelator Refer section Troubleshooting the SFDataCorrelator for more information Troubleshooting errors when adding s
25. eshooting guide documents only the most common messages from the ssl log maint debug proxydebug onlofflonce on enable simpleproxy to print out debug message off disable simpleproxy to print out debug message once enable simpleproxy to print out debug message only once ATTENTION Enabling proxydebug will use more CPU resource Make sure to disable it after you finish debugging Transmit the event log from the Nortel VPN Gateway to a file on a TFTP FTP or SFTP server Specify the IP address or host name of the server as well as the file name The default value is TFTP Table 2 Log file types in a log dump page 11 lists the log file types in a log dump Table 2 Log file types in a log dump Log file Description type clierror This log provides information on the CLI engine and is used by engineering to debug issues while in development Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks 12 Troubleshooting Fundamentals Table 2 Log file types in a log dump cont d erlerror This log provides information on the internal Erlang language engine and SSL acceleration It is used by Engineers to debug issues while in development erlstart This log provides information on the internal Erstart language engine and SSL acceleration It is used by Engineers to debug issues while in development conslog This log contains messa
26. g Troubleshooting Syslog alerting problems Check if syslog is running Troubleshooting events that show incorrect time Use this procedure to troubleshoot events that do not show correct time Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks 26 Software Troubleshooting Procedure 9 Procedure steps Step 1 2 Action Check if the system clock is set to UTC Enter the following command to check the current system time date OR date u If the current system time is wrong enter the following commands to change the local time rm etc localtime ln s usr share zoneinfo lt tzfile gt etc localtime Set the parametertimezonein User Preferences dialog box Set up the NTP End Troubleshooting LDAP authentication Use this procedure to troubleshoot LDAP authentication failure Procedure 10 Procedure steps Copyright 2007 Nortel Networks Action If LDAP authenication fails do the following sequence of actions Ensure that the user test passes when creating the LDAP object e lf the user test fails do the following Ensure that the LDAP server is working properly Check if the DC can communicate with the LDAP server Check if the LDAP server uses the correct port Enter the following commands to check the corresponding user name template s xxx com for MS Active Directory cen s dc xxx
27. ges displayed on the console port of the device These messages are the one that are generated during boot sequence These messages are generated during boot sequence This log contains messages generated by the kernel ssl log This log contains messages generated by the simpleproxy features The user needs to completely logoff and then close the browser login and then active the ssidump IPsec module related messages message This log contains standard syslog types of messages and contains general information such as system level status and non application acceleration errors across the device Procomm Kernel panic message with debug information can be captured from console directly Use Procomm to capture those messages Issues that require Sourcefire assistance Contact Sourcefire for assistance on the following issues and request the process that was taken to update customer details and restore the document 1 The DC cannot push a policy to the sensors The customer may have to re image the box OPSEC is not working properly The trust between the DC and the sensors are configured correctly and the trust is established but the SFReactddoes not seem to trigger thefw same dynamic rule The customer may have to re image the box Software upgrade fails This largely depends on where within the upgrade process the upgrade fails In most cases the problem will need to be examined on a case by case basis to determine what happened
28. gs output to the following location every 60 seconds var log top log IPS mode cable Deployment Scenarios This section describes the various IPS mode cable deployment scenarios Deploying between two endpoints e Use two straight through cables to deploy the IPS between 2 end points No special cabling is needed e The sensor supports auto MDI MDI X so the link will be negotiated properly when the sensor is in the normal operational state e When the sensor is placed into bypass mode it internally implements a crossover and allows normal operation of the connection Copyright 2007 Nortel Networks Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 IPS mode cable Deployment Scenarios 39 Deploying between two network switches Use two straight through cables to deploy the IPS between two network switches No special cabling is needed The sensor supports auto MDI MDI X so the link will be negotiated properly when the sensor is in the normal operational state When the sensor is placed into bypass mode it internally implements a crossover and allows normal operation of the connection Between a switch and an endpoint When the IPS is deployed between a switch and an endpoint a straight through cable should be used between the switch and the IPS A crossover cable should be used between the IPS and the endpoint When the sensor is placed into bypass mode the internal crossover
29. h the inline or Inline Failopeninterfaces End Validating the failopen function This section describes the validation process when the failopen function does not work properly Procedure 20 Procedure steps Step 1 2 3 Copyright 2007 Nortel Networks Action Ensure that the Interface Set is failopen Ensure that the policy is IPS Ensure that both endHosts are connected to both sides of the failopen card Ensure that the cables are correct Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 34 Troubleshooting Global Faults 5 Ensure that the STP is disabled at the switch ports End Troubleshooting an IS that does not send email This section describes troubleshooting an IS that does not send email Procedure 21 Procedure steps Step Action 1 Check if the Host Addressis correct 2 Ensure that the system policy is applied End Troubleshooting a DC that cannot push a policy to a sensor that it is managing Select the IS default detection engine when pushing a policy from the DC Troubleshooting a faulty OPSEC This section describes how to troubleshoot a faulty OPSEC If the DC and sensors are configured correctly a trust is established between them However if for some reason the SFReactd does not trigger the fw sam dynamic rule stop reimaging the check point firewall PC to make it work Procedure 22 Procedure steps Step Action 1 R
30. ight through cables should be used The sensor supports auto MDI MDI X so the link will be negotiated properly when the sensor is in the normal operational state When the sensor is placed into bypass mode it internally implements a crossover and allows normal operation of the connection Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks Viewing the enabled rules on the CLI 41 Checking IPv6 configurations on the CLI This section describes checking IPv6 configurations on the command line interface CLI Procedure 29 Procedure steps Step Action 1 Enter the following command on the CLI var sf detection engines uuid 2 Disable SMTP globally in Detection and Prevention options for a particular policy when working on the IPv6 partial support feature End Verification of Detection Resources on the CLI This section describes the verification of the maximum and optimal number of detection resources in CLI Procedure 30 Procedure steps Action Enter the following command in the CLI etc sf ims conf Search for MAX NUM DR OPTIMAL _NUM_DR Viewing the enabled rules on the CLI This section describes viewing enabled rules on the CLI Procedure 31 Procedure steps Step Action 1 Enter the following command in the CLI var sf detection engines de uuid active rules Nortel TPS 4 7 Threat Protection System Troubleshooting G
31. ite list Ensure that the time range for showing white list events is correct End Troubleshooting an IS that does not generate events This section describes the steps to troubleshoot an IS that does not generate events Procedure 17 Procedure steps Step 1 2 3 Action Ensure that the correct policy is applied Ensure that the rules are configured properly Ensure that the rules are selected as Enable Drop in the Rule State page Ensure that the Time Range is suitable End Troubleshooting an SDM IS that could not be added to a DC This section describes troubleshooting an SDM IS to be managed by a DC that could not be added Copyright 2007 Nortel Networks Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Validating the failopen function 33 Procedure 18 Procedure steps Step 1 2 Action Fill in all the information in the fields marked required Fill in the optional field when there is a known issue that is not fixed yet End Troubleshooting an IS that does not block traffic This section describes troubleshooting an IS that does not block traffic as expected Procedure 19 Procedure steps Step 1 2 Action Create the Interface Set with the Inline or Inline Failopenoptions selected Configure the IPS policy Configure the rules and select these rules as the Drop status Ensure that both the hosts are connected to bot
32. n the RUA licence It is mandatory e Create the RUA Detection Engine since RUA requires it Configuring Snort through the User Interface Use this procedure to make Snort configuration via the user interface user conf editable by the user To support the dynamic features of Snort outside of the core product releases you can provide the raw snort configuration via the user conf Copyright 2007 Nortel Networks Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 28 Software Troubleshooting Procedure 11 Procedure steps Step 1 Action Manually add the following variable to provide raw snort configuration via the user interface USER_CONF Apply the policy to store data in the variable USER_CONFathe the following location var sf detection engines uuid user conf End Verifying prohibit packet data on the DC Use this procedure to verify prohibit packet data on the DC Procedure 12 Procedure steps Step 1 2 Action Register a 4 7 IS sensor to the DC Select the Prohibit Packet Data from Sensor option at the registration screen On the managed sensor or IS ensure that the following line ignore packet datal is present in var sf peers DC UUID ids forward conf If the parameter ignore_packet_data is set to 1 then the prohibit packet data on DC is done properly End Performing RNA IP Port Exclusion Use this procedure for RNA IP P
33. olicy to a sensor that it is managing page 34 e Troubleshooting a faulty OPSEC page 34 e Troubleshooting a failed upgrade page 35 e Troubleshooting a failed automatic SEU Update page 35 e Troubleshooting when a customer is unable to add a sensor to be managed by a DC page 36 e Troubleshooting a system crash page 37 e Verify the ports to be opened in the firewall for 4 6 page 37 e Troubleshooting Snort page 37 e Troubleshooting memory problems page 38 e IPS mode cable Deployment Scenarios page 38 e Checking IPV6 configurations on the CLI page 41 e Verification of Detection Resources on the CLI page 41 e Viewing the enabled rules on the CLI page 41 Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks 32 Troubleshooting Global Faults e Viewing remediation log page 42 e Viewing the LDAP SSL certificate page 42 Troubleshooting when no white list events are generated This section describes troubleshooting when no white list events are generated for disallowed operating systems services or appliances Procedure 16 Procedure steps Step BE O N a Action Ensure that the RNA is monitoring the hosts in the network Ensure that the white list is created for the proper network Ensure that a policy is created and activated for the wh
34. oot file st_troubleshoot pi incu The TPS DC IS cannot receive events recovery tree This section details the flow diagram for the recovery tree The TPS DC IS does not receive events Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks The TPS DC IS cannot receive events recovery tree 45 DCAS not recieving events Is the time zone set properly Navigate to Analysis amp Reporting gt IPS gt Intrusion Events View the events Check for the events Adjust the events settings time to the current time View the events range to view the events Check whether the Snort is running or not Contact support i for further in CLI by ps efwww assistance Igrep snort command si Check for the events Check whether f var is 100 sn View the events If Nar is 100 PP Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks very trees Nortel TPS 4 7 Threat Protection n Troubl NN47240 700 01 01 112007 shooting Guide Standard Copyright 2007 Nortel Networks 47 Reference to third party Application Guides This section contains reference to third party Application Guides for VPN product You can refer to the following Application Guides available at SSL VPN Authentication using Ste
35. ort Exclusion Procedure 13 Procedure steps Step 1 2 Copyright 2007 Nortel Networks Action Configure the RNA detection policy and apply the policy Run the traffic to see the RNA events and flow events for the particular ports and IPs Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Remediation Procedures 29 Configure Exclusion of IP Port pairs for the RNA Detection Policy Apply the detection policy The traffic is still seen from the particular ports which is the previous traffic before exclusion of IP Port Purge the RNA events and flow events Wait for 10 minutes for the appliance to exclude the IP Ports End Scanning the NMAP Use this procedure to troubleshoot an NMAP scan failure Procedure 14 Procedure steps Step 1 2 Action Ensure that the scanning host is reachable from DC and IS Ensure that the scanning host is A amp R RNA and then Network map If the scanning host still fails the NMAP scan enter the following command to debug Set sfmgrand sftunnel to debug Find the sfmgr and sftunnel processes at the following location etc sf PM conf Scan the same host that failed again by entering the following series of commands option d option f option etc sf sftunnel conf option D View the error details logged in the following files var log messages var log httpd httpsd error log End Remediation Proce
36. r system status LED The amber system status LED lights up when the system needs attention due to a problem with power supplies fans CPU or system temperature Hard disk drive activity LED This LED blinks when activity is detected on the hard disk drive System power LED This LED is green when the power supply is turned on System status LED The system status LED lights up when the system needs attention due to a problem with power supplies fans system temperature or hard drives Overheat indicator LED This LED is red when the system overheats Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks 16 Hardware Troubleshooting ATTENTION Call Nortel for RMA if Amber System status LED can not be cleared Ports to open in a firewall If there are one or more firewalls in between the Defense Center and Intrusion Sensors then you will need to open one or more ports on the firewall depending on the software version of the TPS devices Software release 4 5 x and above The Defense Center and the Intrusions Sensors communicate on TCP port 8305 only by default The administrator can change this port number Software release 4 1 x and below The Defense Center and the Intrusions Sensors communicate on the following TCP ports 22 SSH Outbound from DC to Sensor DC uses this port to push configurations updates amp HA 8300 EE Inbound from Sensor to
37. rating system linux s System response Loading linux Linux version 2 4 26st p4smp 13 build renowm sfeng so urcefire com gcc version 2 95 320010315 release 1 SMP Fri Aug 12 16 37 04 UTC 2005 5 Enter the following command LILO 22 2 boot passwd root At the prompt enter the new root password Reenter to confirm the root password 6 Enter the following command to reboot the 2050 TPS device LILO 22 2 boot reboot 7 Enter the following command to login to the 2050 TPS device Nortel TPS 2X50 DC Series v4 1 0 build 78 DC2050 ca nortel com login root Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks Resetting passwords 21 Enter the password at the prompt Password lt password here gt System response Copyright 2007 Nortel Networks Inc and Sourcefire Inc All rights reserved Sourcefire is a registered trademark of Sourcefire Inc All other trademarks are property of their respective owners Nortel Linux OS v4 0 1 build 21 Notel TPS 2X70 DC Series v4 1 0 build 78 Last login Mon Oct 24 15 25 54 0000 2005 on ttySO No mail End Resetting the Administrator Password for a TPS device Reset the administrator password for a TPS device if it is lost or forgotten CAUTION Reset the administrator password if and only if you know the root password for the TPS device Refer section Modifying root passwo
38. rd for a TPS device if you forget or lose the password to reset the same Procedure 4 Procedure steps Step Action 1 Go to root prompt on the TPS device 2070 model 2 Enter the following command root DC2070 resetadmin 3 Enter the root login password at the password prompt Please enter the root login password lt password here gt 4 Enter the administrator login password at the password prompt Please enter the admin login password lt password here gt 5 Reenter the administrator login password at the reenter login password prompt Please enter the admin login password again lt password here gt System response Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks 22 Software Troubleshooting Password reset successfully Control returns to the root prompt End Installing an Old Version of SEU Use this procedure to install a lower version of Snort Engine Upgrade SEU than that currently installed for test purposes Procedure 5 Procedure steps Step Action 1 Enter the following command to query the versions of SEUs currently installed run rpm qa 2 Enter the following sequence of commands to install an earlier version of an SEU rpm e snort rpm e Sourcefire Module Pack dev rpm e Sourcefire Rule Pack vrt rpm e Sourcefire Snort Engine Upgrade where the character represents placehold
39. to a custom conf file if necessary ATTENTION Although there is a predefined set of data to collect defined in troublshoot conffile you can specify acustom conf file to customize what data is collected 6 Enter the following command to obtain the default results file FTP the SFTP client to obtain the file var tmp results The format of theresults file is Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks Obtaining the troubleshoot file following a failed software upgrade 19 results mm dd yyyy xxxxxxx tag gz You can use the toption to allow the case number to be placed within the name of the results file ATTENTION WINSCP is a freeware SFTP client for windows and can be downloaded from the location http www winscp com End Obtaining the troubleshoot file following a failed software upgrade Use this procedure to obtain a troubleshoot file from a TPS device in case of a failed Nortel TPS Defense Center Upgrade An upgrade on a TPS device is done by customers or support personnel CAUTION Refer TPS 4 7 Release Notes part number for information on prerequisites detailed steps and tips on performing a complete and correct Nortel TPS DC 4 5 1 Upgrade on a TPS device Procedure 2 Procedure steps Step Action 1 Enter the following command to obtain the output file that contains the list of updates pushed to the
40. uide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks 42 Troubleshooting Global Faults 2 Enter the following command to view the list of rules that are imported in the SEU var st rules sid msg map End Viewing remediation log This section describes viewing the remediation log for Nortel Secure Network Access NSNA and Nortel VPN Gateway NVG Procedure 32 Procedure steps Action View the remediation log at the following location tmp lt RemediationName gt lt RemediationName log gt Viewing the LDAP SSL certificate This section describes how to view the LDAP SSL certificate once it is uploaded Procedure 33 Procedure steps Action Enter the following command to view the LDAP SSL certificate once it is uploaded var sf userauth temp0 pembl Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks Emergency recovery trees This chapter provides the procedures to recover from field outages as quickly as possible Lost access to the TPS DC IS device recovery tree This section details the flow diagram for the recovery tree Lost access the TPS DC IS GUI Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks 43 44 Emergency recovery trees Figure 1 Recover lost access to a TPS DC IS device Generate No troublesh
41. zation script etc rc d init d SFDataCorrelator start 3 If the SFDataCorrelator fails to start repeat step 1 to check for error messages 4 If the SFDataCorrelator still fails to start enter the following command to delete the event table mysql uroot padmin sfsnort e drop table event 5 Enter the following command to rerun the initialization script Wait for a minute after running the script etc rc d init d SFDataCorrelator restart Nortel TPS 4 7 Threat Protection System Troubleshooting Guide NN47240 700 01 01 Standard 11 2007 Copyright 2007 Nortel Networks Troubleshooting events that show incorrect time 25 6 Enter the following command ps auxww grep SFD Send the output to the respective development team End Troubleshooting alerting problems Use this procedure to troubleshoot alerting problems in mail SNMP and Syslog Troubleshooting mail alerting problems Use this procedure to roubleshoot email alerting problems Procedure 8 Procedure steps Step Action 1 Check if the mailing application is configured and enabled for email alerting 2 Run the following shell script at the command prompt sfmail sh 3 Enter the following command to check for errors var log messages 4 Ensure that the IP address of the Sensor or DC is reverse resolvable via DNS 5 Enter the following command to add hostname information etc hosts End Troubleshooting SNMP alerting problems Check if SNMP is runnin
Download Pdf Manuals
Related Search