
ADVANCED FUNCTIONALITY & TROUBLESHOOTING

Page 2: Agenda
Main topics
- Advanced Policy Manager Server configuration
  - Resolving Apache Web Server security issues
- Troubleshooting
  - Learning how to pinpoint problem sources
  - Inspecting Policy Manager logfiles
- Tips & Tricks

POLICY MANAGER SERVER CONFIGURATION

Page 4: Default Configuration
- The default Apache Server configuration suits most Policy Manager environments
  - PMS accessible from the same computer only
  - Web reporting accessible from the LAN
- For easy administration of large, global infrastructures, administrators might need access to the Policy Manager Server/s from different locations in the corporate LAN

Page 5: Apache Configuration File (HTTPD.conf)
- All configuration changes in Apache are done through httpd.conf
- The most common configuration tasks are
  - Creating access restrictions
  - Creating and managing access lists
  - Configuring Apache module ports

Page 6: Access Limitation
- Admin Module: by default restricted to localhost
- Web Reporting Module: no restriction (restriction recommended)
- Host Module: no restriction (should never be restricted!)

Page 7: Port Changes
- Host Module (default port: 80) -> 81
- Admin Module (default port: 8080) -> 8881
- Web Reporting Module (default port: 8081) -> 8082

Page 8: Access Lists

Listen 8080
    Remove admin module access limitation
Order Deny,Allow
    Define access list rule order
Deny from all
    Create global deny: restrict all access
Allow from
Allow from
    Define the allowed connections (IP)
    Start with the localhost (mandatory)
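The access rules from pages 6 to 8 can be checked mechanically before a changed httpd.conf is taken into use. The following auditor is an added example, not part of the presentation or of F-Secure's tooling; it assumes each module's access list sits inside a `<VirtualHost ...:PORT>` block, and the sample configuration and its addresses are constructed.

```python
import re

def parse(conf):
    """Map port -> {'bind': address or None, 'deny_all': bool, 'allow': [hosts]}."""
    mods, cur = {}, None
    entry = lambda p: mods.setdefault(int(p), {"bind": None, "deny_all": False, "allow": []})
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if m := re.match(r"Listen\s+(?:(\S+):)?(\d+)$", line, re.I):
            entry(m.group(2))["bind"] = m.group(1)   # None means all interfaces
        elif m := re.match(r"<VirtualHost\s+\S*:(\d+)>", line, re.I):
            cur = entry(m.group(1))                  # rules below belong to this port
        elif re.match(r"</VirtualHost>", line, re.I):
            cur = None
        elif cur is not None and re.match(r"Deny\s+from\s+all$", line, re.I):
            cur["deny_all"] = True
        elif cur is not None and (m := re.match(r"Allow\s+from\s+(.+)", line, re.I)):
            cur["allow"] += m.group(1).split()
    return mods

def audit(conf, admin=8080, host=80, webrep=8081):
    """Check a config against the access rules on the slides; return findings."""
    mods, out = parse(conf), []
    a, h, w = mods.get(admin), mods.get(host), mods.get(webrep)
    if a and a["bind"] not in ("127.0.0.1", "localhost"):   # admin port exposed
        if not a["deny_all"]:
            out.append("admin: open to the network without 'Deny from all'")
        elif not {"127.0.0.1", "localhost"} & set(a["allow"]):
            out.append("admin: allow list lacks the mandatory localhost entry")
    if w and not w["deny_all"]:
        out.append("web reporting: no access list (restriction recommended)")
    if h and h["deny_all"]:
        out.append("host: access list present (should never be restricted)")
    return out

# Constructed sample, assumed layout: admin opened to one workstation, localhost forgotten.
WEAK = """\
Listen 80
Listen 8080
<VirtualHost _default_:8080>
  <Location />
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2.10
  </Location>
</VirtualHost>
Listen 8081
"""
if __name__ == "__main__":
    print("\n".join(audit(WEAK)))
```

If the module ports were changed as on page 7, pass them in, for example `audit(text, admin=8881, host=81, webrep=8082)`.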

Page 9: Policy Manager Security
- It is impossible to deploy changes to the policy domain without access to the admin key pair
  - Policies signed with a wrong key will be rejected by the managed hosts
- It is important to secure the policy domain
  - Back up the keys
  - Use a secure Policy Manager configuration (only allow console connections from the local computer)
  - Secure the private key (it should be available only to administrators)

Page 10: Re-Signed Policy Domain... What Happened?
- It is possible to re-sign the policy domain structure with a different key pair
  - This can happen intentionally or by an unauthorized user
  - The administrator will be notified about the key change at the next launch of the console
- In case the key change has been done by an unauthorized user, you need to restore the policy domain
  - There might have been changes deeply nested in the MIB structure, which you would distribute once you re-sign the domain with the right key

TROUBLESHOOTING

Page 12: Involved Components
- In F-Secure Policy Manager, most problems are related to communication
- In a Policy Manager environment, three components communicate with each other
  - Policy Manager Server
  - Policy Manager Console
  - Managed hosts

Page 13: Pinpoint the Source Of The Problem
- Locating the real source of a problem is the key to successful troubleshooting
  - A problem that may appear to be caused by a host could actually be caused by the server
- A systematic approach will bring the best results
  - Check one component after another (start with the PMS)
    - Services, communication, hardware (network)
  - Check logfiles
  - Check the product configuration
    - PMS and PMC configuration
    - Host policies

Page 14: Product Services
- Are all necessary services up and running?
- Check the PMS service status
  - What does the PMS Status monitor say, are all ports "OK"?
- Check the host service status
  - Test the connection to the server (poll for a new policy)

Page 15: Communication Checking
- Having all services up and running doesn't always mean that the communication between the PMS components works fine
- Test the connection
  - From PMC to PMS: Telnet the server IP on the Apache admin module port (default 8080)
  - From managed host to PMS: Telnet the server IP on the Apache host module port (default 80)
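The telnet test above can be scripted so that the way a connection fails is recorded as well, since a refused connection and a timeout point to different causes. This is an added example, not part of the presentation; the hint texts are this example's reading of each result, and the server address is supplied by the reader.

```python
import socket
import sys

# Default module ports from the slides; pass your own mapping if they were changed.
PMS_PORTS = {"host module": 80, "admin module": 8080}

HINTS = {
    "open": "connection accepted; continue with logfiles and configuration",
    "refused": "server reachable but nothing listens on this port/interface: "
               "service stopped, or the port is bound to localhost only",
    "timeout": "no answer at all: firewall, routing or wrong server address",
}

def probe(host, port, timeout=3.0):
    """One TCP connection attempt, classified like a manual telnet test."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:                      # e.g. name resolution failure
        return f"error: {exc}"

def check_pms(server, ports=PMS_PORTS, timeout=3.0):
    """Probe every module port on the server; returns {module: result}."""
    return {name: probe(server, port, timeout) for name, port in ports.items()}

if __name__ == "__main__":
    # Usage: python check_pms.py <server address>
    for module, result in check_pms(sys.argv[1]).items():
        print(f"{module:13} {result:8} {HINTS.get(result, '')}")
```

Run it once from the console machine and once from a managed host: with the default configuration the admin module is expected to be unreachable from anywhere but the server itself.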

Page 16: Server Configuration Problems
- Policy Manager Server configuration problems are usually easy to spot
  - Services cannot be launched or are malfunctioning
  - Console connection to the server is rejected
  - Windows reports application or system errors in event logs
- But which configuration settings are causing the problems, and where can the configuration files be found?

Page 17: HTTPD.conf Problems
- Changes in the HTTP configuration file have to be done with extreme care. Wrong settings can cause a series of problems
  - E.g. the Policy Manager Server service cannot be started anymore
- Take a backup copy of the existing httpd.conf before you start making changes
  - The Httpd.original backup file is created during installation, but it will not include any changes done afterwards
  - In case something goes wrong, it's easy to roll back the settings

Page 18: Access Rights
- The Policy Manager Server installation automatically creates a local account, used for commdir authorization
  - User account name: fsms_
  - Policy Manager Server service is started under this user account
  - It needs to have full control to the Management Server 5 directory
- Access permissions for important directories might be changed or deleted without notification
  - Example: Restoring a backup from write-protected media
    - Commdir directory rights will be read-only
  - Solution: Recreate the access rights (full control) on commdir directory level and propagate them downwards

Page 19: Host Configuration Problems
- In a Policy Manager environment, all host settings are defined in policy files, either created by the administrator (base policy files) or by the local user (incremental policy file)
- Once distributed, base policy files are fetched by the hosts and taken into use
  - There is no possibility of undoing policy distributions (wrong configurations will be taken into use)
  - Depending on your host polling interval, you might be able to create a new, corrected policy before the host fetches the current policy

Page 20: How Does a Policy Reach a Host?
A new policy can reach its host in one of the following ways:
1. The Management Agent fetches it periodically
2. The Management Agent checks for new policies whenever it is started:
   - when the host boots up
   - by stopping and re-starting fsma
3. Manually copy the correct policy from PMS to a host. You need to stop fsma and fspm before the copying
4. On a host, click on the "Import base policy" button and manually browse to it

Page 21: Wrong Communication Settings... Dead End?
- The hosts cannot reach the server anymore, due to a wrongly defined communication address in the latest policy
  - Creating a new policy will not help, since the hosts will not be able to fetch the policy
- Solution: Export the base policy files of the affected hosts and import them manually through the local user interface

Page 22: Policy Changes Not Taken Into Use... Why?
- It is important to keep in mind that policies can be defined on multiple levels. The policy domain tree has a hierarchical structure
  - A policy defined on host level will make domain level policies irrelevant
  - In such a case, if a host is copied to a different domain, it will keep the settings defined on the host level (no domain inheritance)
- From which level has the policy change been inherited?
  - Check if there is a host level policy (use "Show Domain Value")
  - Clear the host level policy or force the domain values

Page 23: Incremental Policy Logic
- All settings changes made through the local user interface are saved to the incremental policy file (policy.ipf)
- The incremental policy file has priority over the base policy file
- Settings changes should always be marked as "final", in order to overwrite possible incremental settings
(Diagram labels: FSMA, AVCS, IPF, BPF)

Page 24: Example: Missing Access Restriction
1. The administrator allows the user to change the anti-virus security level
2. The user changes the security level to "Normal" (ipf is taken into use)
3. A new policy is created with the idea of forcing the "Custom" security profile
4. The administrator does not mark the setting as "final" (unlocked)
5. The host fetches the new policy but the security profile setting is not changed
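The precedence rules from pages 22 to 24 can be written down as a small resolver that replays the five steps above. This is an added example with a simplified model, not F-Secure's implementation; the setting name `security_level` and the host and domain names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Node:
    """A policy domain or host in the domain tree (simplified model)."""
    name: str
    parent: Optional["Node"] = None
    values: dict = field(default_factory=dict)   # setting -> (value, final)

def base_policy(host, setting):
    """Walk host -> root: the nearest level that defines the setting wins."""
    node = host
    while node is not None:
        if setting in node.values:
            value, final = node.values[setting]
            return value, final, node.name
        node = node.parent
    return None, False, None

def effective(host, ipf, setting):
    """Value the host ends up using, and which policy file supplied it."""
    value, final, level = base_policy(host, setting)
    if setting in ipf and not final:          # IPF beats BPF unless "final"
        return ipf[setting], "incremental policy"
    return value, f"base policy from {level}"

def page24(mark_final):
    """Steps 1-5 of the Missing Access Restriction example."""
    root = Node("root")
    host = Node("host-01", parent=root)                      # constructed names
    ipf = {"security_level": "Normal"}                       # step 2: local change
    root.values["security_level"] = ("Custom", mark_final)   # steps 3-4
    return effective(host, ipf, "security_level")            # step 5

def page22():
    """A host-level value survives a move to another domain."""
    dom_a = Node("domain-A", values={"security_level": ("Normal", False)})
    dom_b = Node("domain-B", values={"security_level": ("Custom", False)})
    host = Node("host-01", parent=dom_a, values={"security_level": ("Normal", False)})
    host.parent = dom_b                                      # host moved to domain-B
    return base_policy(host, "security_level")

if __name__ == "__main__":
    print(page24(mark_final=False))   # setting stays at the user's value
    print(page24(mark_final=True))    # policy value is enforced
    print(page22())                   # domain-B's value is not inherited
```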

Page 25: Logfiles
- If the problem can be traced to either the Server or the Console, the best places to start troubleshooting are the error logs:
  - Policy Manager Server
    - Logs\access.*
    - Logs\error.*
  - Policy Manager Console
    - Lib\administrator.error.log
- Policy Manager Server Status Monitor information can also be accessed remotely
  - /fsms/fsmsh.dll

TIPS & TRICKS

Page 27: Accidentally Deleted Host
- Host was accidentally deleted in the security domain pane. How can it be recreated?
  - Distribute policy and wait for the computer to send an autoregistration request
  - The host can also be recreated manually (using a unique name, e.g. DNS name)

Page 28: Recreating the Whole Domain Structure
- The whole security domain was accidentally deleted. Is there anything I can do?
- If you have a backup of the domain structure, use that. Otherwise hard manual work is needed
  - Distribute policy and wait for the computer to send an autoregistration request
  - If you have created autoregistration import rules, apply them
  - Else move them manually to the right location

Page 29: Performance Improvements
- Policy file optimization
  - Remove indentation (default: OFF)
  - Policy comments should be disabled (default)
  - Minimize the size of the policy file by disabling unnecessary MIB files
- Polling intervals (large environments)
  - Server polling ( min.)
  - Client status updates (>30 min.)

Page 30: Problems with Web Reporting
- Web Reporting doesn't seem to connect to the server. What next?
  - Refresh the connection
  - Check Server Monitor port status
  - Distribute policies
  - Check the URL (DNS name, IP, port)
  - Restart F-Secure Policy Manager Web Reporting
  - Restart Policy Manager Server
  - Restart host
  - Reset Web Reporting database
  - Reinstall Web Reporting (allow Web Reporting from remote hosts)

Page 31: Summary
Main topics
- Advanced Policy Manager Server configuration
  - Resolving Apache Web Server security issues
- Troubleshooting
  - Learning how to pinpoint problem sources
  - Inspecting Policy Manager logfiles
- Tips & Tricks