ADVANCED FUNCTIONALITY & TROUBLESHOOTING
Agenda • Main topics • Advanced Policy Manager Server configuration • Resolving Apache Web Server security issues • Troubleshooting • Learning how to pinpoint problem sources • Inspecting Policy Manager logfiles • Tips & Tricks
Default Configuration • The default Apache Server configuration suits most Policy Manager environments • PMS (admin module) accessible from the same computer only • Web Reporting accessible from the LAN • For easy administration of large, global infrastructures, administrators might need access to the Policy Manager Server(s) from different locations in the corporate LAN
Apache Configuration File (HTTPD.conf) • All configuration changes in Apache are done through httpd.conf • The most common configuration tasks are • Creating access restrictions • Creating and managing access lists • Configuring Apache module ports
Access Limitation • Admin Module • By default restricted to localhost • Web Reporting Module • No restriction (restriction recommended) • Host Module • No restriction (should never be restricted!)
Port Changes • Host Module: default port 80, changed e.g. to 81 • Admin Module: default port 8080, changed e.g. to 8881 • Web Reporting Module: default port 8081, changed e.g. to 8082 • A changed host module port also changes the communication address the managed hosts must use
Access Lists • Extending the admin module access limitation beyond localhost • Define the access list rule order • Create a global Deny: restrict all access • Define the allowed connections (IP) • Start with the localhost (mandatory)
Listen 8080
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from <ip>
Allow from <ip>
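The allow list above only works because of the Order directive: with Order Deny,Allow the Deny directives are evaluated first and any matching Allow overrides them, so "Deny from all" plus explicit Allow lines yields a whitelist. Written the other way round (Order Allow,Deny), "Deny from all" is evaluated last and wins for every client, including localhost, which is one of the ways the console connection ends up rejected. The following evaluator is an added example, not part of the original slides or of the F-Secure product; it re-implements the Apache 2.2 Order/Allow/Deny semantics so that a candidate httpd.conf fragment can be checked against client addresses before the server is restarted. The addresses 10.0.0.5 and 10.0.0.6 are placeholder console workstations, and the config fragments are constructed for the example.

```python
import ipaddress

# Constructed httpd.conf fragment for the Policy Manager admin module, in the
# shape shown on the slide. 10.0.0.5 and 10.0.0.6 are placeholder console IPs.
ADMIN_ACL_OK = """
Listen 8080
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from 10.0.0.5
Allow from 10.0.0.6
"""

# Same allow list, but with the Order directive reversed (a common mistake).
ADMIN_ACL_WRONG_ORDER = """
Listen 8080
Order Allow,Deny
Deny from all
Allow from 127.0.0.1
Allow from 10.0.0.5
"""


def _matches(pattern, client_ip):
    """Apache 2.2 'from' argument forms: all, exact IP, CIDR, or partial dotted prefix."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if client_ip == pattern:
        return True
    # 'Allow from 10.0' matches 10.0.x.x (partial address, dot-aligned)
    return client_ip.startswith(pattern.rstrip(".") + ".")


def parse_acl(config_text):
    """Collect the Order, 'Allow from' and 'Deny from' directives from a fragment."""
    order, allows, denies = "deny,allow", [], []   # Apache's default Order
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()       # strip comments, tokenize
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) > 1:
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allows if key == "allow" else denies).extend(parts[2:])
    return order, allows, denies


def is_allowed(config_text, client_ip):
    """Decide whether client_ip would get through, using Apache 2.2 Order semantics."""
    order, allows, denies = parse_acl(config_text)
    allowed = any(_matches(p, client_ip) for p in allows)
    denied = any(_matches(p, client_ip) for p in denies)
    if order == "deny,allow":
        # Deny directives first, Allow directives override them;
        # a client matching neither list is allowed.
        return True if allowed else not denied
    if order == "allow,deny":
        # Allow directives first, Deny directives override them;
        # a client matching neither list is denied.
        return False if denied else allowed
    raise ValueError(f"unsupported Order value: {order}")


def review_acl(config_text, clients):
    """Return {client_ip: allowed?} for a list of client IPs you expect to connect."""
    return {ip: is_allowed(config_text, ip) for ip in clients}


if __name__ == "__main__":
    consoles = ["127.0.0.1", "10.0.0.5", "10.0.0.6", "10.0.0.77"]
    print("correct order :", review_acl(ADMIN_ACL_OK, consoles))
    print("reversed order:", review_acl(ADMIN_ACL_WRONG_ORDER, consoles))
```

Run the check with every console address you intend to allow plus a couple of addresses that must stay out; localhost must come back allowed in every variant, since the Policy Manager Server itself talks to the admin module there. These directives are Apache 2.2 syntax; an Apache 2.4 build expresses the same whitelist with "Require ip" lines, and the compatibility module has to be loaded for Order/Allow/Deny to be accepted at all.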
Policy Manager Security • It is impossible to deploy changes to the policy domain without access to the admin key pair • Policies signed with a wrong key will be rejected by the managed hosts • It is important to secure the policy domain • Back up the keys • Use a secure Policy Manager configuration (only allow console connections from the local computer) • Secure the private key (it should be available only to administrators)
Re-Signed Policy Domain...What Happened? • It is possible to re-sign the policy domain structure with a different key pair • This can happen intentionally or through an unauthorized user • The administrator will be notified about the key change at the next launch of the console • In case the key change has been done by an unauthorized user, you need to restore the policy domain • There might have been changes deeply nested in the MIB structure, which you would otherwise distribute once you re-sign the domain with the right key
Involved Components • In F-Secure Policy Manager, most problems are related to communication • In a Policy Manager environment we have 3 components communicating with each other • Policy Manager Server • Policy Manager Console • Managed hosts
Pinpoint the Source Of The Problem • Locating the real source of a problem is the key to successful troubleshooting • A problem that may appear to be caused by a host could actually be caused by the server • A systematic approach will bring the best results • Check one component after another (start with the PMS) • Services, communication, hardware (network) • Check logfiles • Check the product configuration • PMS and PMC configuration • Host policies
Product Services • Are all necessary services up and running? • Check the PMS service status • What does the PMS Status Monitor say, are all ports ”OK”? • Check the host service status • Test the connection to the server (poll for a new policy)
Communication Checking • Having all services up and running doesn’t always mean that the communication between the PMS components works fine • Test the connection • From PMC to PMS • Telnet to the server IP on the Apache admin module port (default 8080) • From managed host to PMS • Telnet to the server IP on the Apache host module port (default 80)
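The telnet test above answers one question per port. The script below, an added example that is not part of the original slides or of the F-Secure product, automates the same check for all three Apache module ports and separates the three outcomes that matter when troubleshooting: the port is open and answers HTTP (module fine), the connection is refused (nothing listening: service down or port changed), or the connection times out (firewall or routing in between). The default ports and the module names are the ones from the slides; the server address is whatever you pass on the command line.

```python
import http.client
import socket

# Default Apache module ports of Policy Manager Server, as listed on the slides.
PMS_PORTS = {"host": 80, "admin": 8080, "reporting": 8081}


def tcp_check(host, port, timeout=3.0):
    """Open a TCP connection the way 'telnet <host> <port>' does and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"        # nothing listening: service not started or port changed
    except socket.timeout:
        return "timeout"        # no answer at all: firewall, routing or wrong address
    except OSError as exc:
        return f"error: {exc.__class__.__name__}"


def http_status(host, port, path="/", timeout=3.0):
    """Send a HEAD request to tell 'port open' apart from 'Apache module answers'.
    Returns the HTTP status code, or None when no HTTP answer came back."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def check_pms(server, ports=PMS_PORTS, timeout=3.0):
    """Check every module port; returns {module: {"port", "tcp", "http"}}."""
    report = {}
    for module, port in ports.items():
        tcp = tcp_check(server, port, timeout)
        http = http_status(server, port, timeout=timeout) if tcp == "open" else None
        report[module] = {"port": port, "tcp": tcp, "http": http}
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for module, result in check_pms(target).items():
        print(f"{module:10s} port {result['port']:5d}  tcp={result['tcp']:8s}  http={result['http']}")
```

Run it once from the console workstation (the admin port must be open there) and once from a managed host (only the host module port is needed there). A 403 on the admin port from a remote console is the access list doing its job; an open port with no HTTP answer points at the service rather than the network.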
Server Configuration Problems • Policy Manager Server configuration problems are usually easy to spot • Services cannot be launched or are malfunctioning • Console connection to the server is rejected • Windows reports application or system errors in the event logs • But which configuration settings are causing the problems, and where can the configuration files be found?
HTTPD.conf Problems • Changes in the HTTP configuration file have to be done with extreme care. Wrong settings can cause a series of problems • E.g. the Policy Manager Server service cannot be started anymore • Take a backup copy of the existing httpd.conf before you start making changes • An httpd.original backup file is created during installation, but it will not include any changes done afterwards • In case something goes wrong, it’s easy to roll back the settings
Access Rights • The Policy Manager Server installation automatically creates a local account, used for commdir authorization • User account name: fsms_<computername> • The Policy Manager Server service is started under this user account • It needs to have full control of the Management Server 5 directory • Access permissions for important directories might be changed or deleted without notification • Example: restoring a backup from write-protected media • The commdir directory rights will be read-only • Solution: recreate the access rights (full control) at the commdir directory level and propagate them downwards
Host Configuration Problems • In a Policy Manager environment, all host settings are defined in policy files, either created by the administrator (base policy files) or by the local user (incremental policy file) • Once distributed, base policy files are fetched by the hosts and taken into use • There is no possibility of undoing policy distributions (wrong configurations will be taken into use) • Depending on your host polling interval, you might be able to create a new, corrected policy, before the host fetches the current policy
How Does a Policy Reach a Host? • A new policy can reach its host in one of the following ways: • The Management Agent fetches it periodically • The Management Agent checks for new policies whenever it is started: • when the host boots up • by stopping and re-starting fsma • Manually copy the correct policy from PMS to a host. You need to stop fsma and fspm before the copying • On a host, click on the “Import base policy” button and manually browse to it
Wrong Communication Settings: Dead End? • The hosts cannot reach the server anymore, due to a wrongly defined communication address in the latest policy • Creating a new policy will not help, since the hosts will not be able to fetch the policy • Solution: export the base policy files of the affected hosts and import them manually through the local user interface
Policy Changes Not Taken Into Use...Why? • It is important to keep in mind that policies can be defined on multiple levels • The policy domain tree has a hierarchical structure • A policy defined on host level will make domain level policies irrelevant • In such a case, if a host is copied to a different domain, it will keep the settings defined on the host level (no domain inheritance) • From which level has the policy change been inherited? • Check if there is a host level policy (use ”Show Domain Value”) • Clear the host level policy or force the domain values
Incremental Policy Logic [Diagram: AVCS and FSMA on the host, with the incremental policy file (IPF) and base policy files (BPF)] • All settings changes made through the local user interface are saved to the incremental policy file (policy.ipf) • The incremental policy file has priority over the base policy file • Settings changes should always be marked as ”final”, in order to overwrite possible incremental settings
Example: Missing Access Restriction • The administrator allows the user to change the anti-virus security level • The user changes the security level to ”Normal” (the ipf is taken into use) • A new policy is created with the idea of forcing the ”Custom” security profile • The administrator does not mark the setting as ”final” (unlocked) • The host fetches the new policy, but the security profile setting is not changed
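The three slides above (domain vs. host level, incremental policy logic, and the missing ”final” lock) describe one resolution order: a host-level base value beats the domain value, and the user's incremental policy file then beats the base value unless the administrator marked it final. The resolver below is an added example, not part of the original slides or of the F-Secure product; it models the policy levels as plain dictionaries (setting name to a (value, final) pair for base policies, setting name to value for the ipf) so that the ”why did my change not apply?” question can be answered by looking at which level won. The setting names and values are constructed for the example.

```python
# Base policy levels map setting name -> (value, final).
# The ipf maps setting name -> value; "final" is an administrator lock and
# exists only on base policy levels, never on the user's incremental file.


def effective_setting(name, domain, host, ipf):
    """Resolve one setting through domain -> host -> incremental (ipf) policy.
    Returns (value, source) so the winning level is visible."""
    # Base policy: a host-level value takes precedence over the domain value
    # (this is what "Show Domain Value" in the console helps you spot).
    if name in host:
        base_value, final, source = host[name][0], host[name][1], "host"
    elif name in domain:
        base_value, final, source = domain[name][0], domain[name][1], "domain"
    else:
        raise KeyError(f"{name} is not defined in any base policy")
    # The incremental policy file overrides the base policy unless the
    # administrator marked the base setting as final.
    if name in ipf and not final:
        return ipf[name], "ipf"
    return base_value, source


def resolve_all(domain, host, ipf):
    """Effective value and source for every setting defined in a base policy."""
    names = set(domain) | set(host)
    return {n: effective_setting(n, domain, host, ipf) for n in sorted(names)}


def explain(domain, host, ipf):
    """Human-readable list of settings where the ipf silently won."""
    lines = []
    for name, (value, source) in resolve_all(domain, host, ipf).items():
        if source == "ipf":
            lines.append(f"{name} = {value!r} comes from the user's ipf; "
                         f"mark the base setting final to enforce the admin value")
    return lines


# Constructed scenario from the "Missing Access Restriction" slide.
DOMAIN = {"av.security_level": ("Custom", False),   # admin wants Custom, forgot the lock
          "av.allow_user_change": (True, False)}
HOST = {}                                            # no host-level overrides
IPF = {"av.security_level": "Normal"}                # the user picked Normal locally

if __name__ == "__main__":
    for setting, (value, source) in resolve_all(DOMAIN, HOST, IPF).items():
        print(f"{setting:24s} {value!r:10} (from {source})")
    for line in explain(DOMAIN, HOST, IPF):
        print("!", line)
```

Re-running the resolver with the domain value marked final, or with a host-level value present, shows the two other outcomes the slides describe: the lock makes the administrator's value win over the ipf, and a stale host-level value keeps winning over the domain even after the host is moved to another domain.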
Logfiles • If the problem can be traced to either the Server or the Console, the best places to start troubleshooting are the error logs: • Policy Manager Server • Logs\access.* • Logs\error.* • Policy Manager Console • Lib\administrator.error.log • Policy Manager Server Status Monitor information can also be accessed remotely • http://<server_address>/fsms/fsmsh.dll
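When the console is being rejected or the status monitor misbehaves, the Apache access log already separates the cases: a 403 means the access list rejected the client, a 5xx means Apache accepted the request and the module failed. The triage script below is an added example, not part of the original slides or of the F-Secure product. It assumes Logs\access.* is written in Apache's common log format, which is what a stock Apache uses; the sample lines, the client addresses and the allow list are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Apache common log format: client ident user [time] "request" status size
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample of Logs\access.*; 10.0.0.5 is an allowed console,
# 10.0.0.77 a workstation that is not on the Allow from list.
SAMPLE_ACCESS_LOG = """\
127.0.0.1 - - [12/Mar/2010:09:14:02 +0200] "GET /fsms/fsmsh.dll HTTP/1.1" 200 1843
10.0.0.5 - - [12/Mar/2010:09:14:10 +0200] "GET /fsms/fsmsh.dll HTTP/1.1" 200 1843
10.0.0.77 - - [12/Mar/2010:09:15:31 +0200] "GET /fsms/fsmsh.dll HTTP/1.1" 403 214
10.0.0.77 - - [12/Mar/2010:09:15:32 +0200] "GET /fsms/fsmsh.dll HTTP/1.1" 403 214
10.0.0.77 - - [12/Mar/2010:09:15:33 +0200] "GET /fsms/fsmsh.dll HTTP/1.1" 403 214
10.0.0.5 - - [12/Mar/2010:09:16:00 +0200] "GET /fsms/fsmsh.dll HTTP/1.1" 500 527
this line is deliberately not in log format
"""


def parse_access_log(text):
    """Parse log lines; returns (entries, number_of_unparsable_lines)."""
    entries, bad = [], 0
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            bad += 1
            continue
        entry = match.groupdict()
        entry["status"] = int(entry["status"])
        entries.append(entry)
    return entries, bad


def summarize(entries, allowed_clients):
    """Per-client triage: requests, 403 rejections, 5xx errors, and whether the
    client is outside the set of addresses the access list is meant to admit."""
    per_client = defaultdict(Counter)
    for entry in entries:
        per_client[entry["client"]][entry["status"]] += 1
    summary = {}
    for client, statuses in per_client.items():
        summary[client] = {
            "total": sum(statuses.values()),
            "rejected": statuses[403],
            "server_errors": sum(n for code, n in statuses.items() if code >= 500),
            "outside_allow_list": client not in allowed_clients,
        }
    return summary


def findings(summary):
    """Turn the summary into the checks a troubleshooter should do next."""
    out = []
    for client, info in sorted(summary.items()):
        if info["rejected"]:
            out.append(f"{client}: {info['rejected']} request(s) got 403 -> "
                       f"check the Allow from list and the Order directive in httpd.conf")
        if info["server_errors"]:
            out.append(f"{client}: {info['server_errors']} 5xx error(s) -> "
                       f"check Logs\\error.* and the PMS service status")
        if info["outside_allow_list"] and not info["rejected"]:
            out.append(f"{client}: served although not on the allow list -> "
                       f"the access restriction is not in effect")
    return out


if __name__ == "__main__":
    entries, bad = parse_access_log(SAMPLE_ACCESS_LOG)
    print(f"{len(entries)} entries parsed, {bad} line(s) skipped")
    for line in findings(summarize(entries, {"127.0.0.1", "10.0.0.5"})):
        print("!", line)
```

Feed it the real access log and the same list of console addresses you put into the Allow from lines; the third kind of finding (a client outside the list being served) is the one to act on first, because it means the admin module is reachable from more places than intended.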
Accidentally Deleted Host • A host was accidentally deleted in the security domain pane. How can it be recreated? • Distribute the policy and wait for the computer to send an autoregistration request • The host can also be recreated manually (using a unique name, e.g. the DNS name)
Recreating the Whole Domain Structure • The whole security domain was accidentally deleted. Is there anything I can do? • If you have a backup of the domain structure, use that • Otherwise, hard manual work is needed • Distribute the policy and wait for the computers to send autoregistration requests • If you have created autoregistration import rules, apply them • Otherwise, move the hosts manually to the right location
Performance Improvements • Policy file optimization • Remove indentation (default: OFF) • Policy comments should be disabled (default) • Minimize the size of the policy file by disabling unnecessary MIB files • Polling intervals (large environments) • Server polling (10 - 60 min.) • Client status updates (>30 min.)
Problems with Web Reporting • Web Reporting doesn’t seem to connect to the server. What next? • Refresh the connection • Check Server Monitor port status • Distribute policies • Check the URL (DNS name, ip, port) • Restart F-Secure Policy Manager Web Reporting • Restart Policy Manager Server • Restart host • Reset Web Reporting database • Reinstall Web Reporting (allow Web Reporting from remote hosts)
Summary • Main topics • Advanced Policy Manager Server configuration • Resolving Apache Web Server security issues • Troubleshooting • Learning how to pinpoint problem sources • Inspecting Policy Manager logfiles • Tips & Tricks