ADVANCED FUNCTIONALITY - PowerPoint PPT Presentation

Title: F-Secure Policy Manager 6 Author: wengch Last modified by: nordse Created Date: 4/5/2005 7:04:50 AM Document presentation format: On-screen Show – PowerPoint PPT presentation


Transcript and Presenter's Notes

1
ADVANCED FUNCTIONALITY & TROUBLESHOOTING
2
Agenda
  • Main topics
  • Advanced Policy Manager Server configuration
  • Resolving Apache Web Server security issues
  • Troubleshooting
  • Learning how to pinpoint problem sources
  • Inspecting Policy Manager logfiles
  • Tips & Tricks

3
POLICY MANAGER SERVER CONFIGURATION
4
Default Configuration
  • The default Apache Server configuration suits
    most Policy Manager environments
  • PMS accessible from the same computer only
  • Web reporting accessible from the LAN
  • For easy administration of large, global
    infrastructures, administrators might need access
    to the Policy Manager Server/s from different
    locations in the corporate LAN

5
Apache Configuration File (HTTPD.conf)
  • All configuration changes in Apache are done
    through httpd.conf
  • The most common configuration tasks are:
      • Creating access restrictions
      • Creating and managing access lists
      • Configuring Apache module ports

6
Access Limitation
7
Port Changes
8
Access Lists
9
Policy Manager Security
  • It is impossible to deploy changes to the policy
    domain without access to the admin key pair
  • Policies signed with a wrong key will be rejected
    by the managed hosts
  • It is important to secure the policy domain:
      • Back up the keys
      • Use a secure Policy Manager configuration (only
        allow console connections from the local
        computer)
      • Secure the private key (should be only available
        to administrators)

10
Re-Signed Policy Domain...What Happened?
  • It is possible to re-sign the policy domain
    structure with a different key pair
  • This can happen intentionally or be done by an
    unauthorized user
  • The administrator will be notified about the key
    change at the next launch of the console
  • In case the key change has been done by an
    unauthorized user, you need to restore the policy
    domain
  • There might have been changes deeply nested in
    the MIB structure, which you would distribute,
    once you re-sign the domain with the right key

11
TROUBLESHOOTING
12
Involved Components
  • In F-Secure Policy Manager, most problems are
    related to communication
  • In a Policy Manager environment we have 3
    components communicating with each other
  • Policy Manager Server
  • Policy Manager Console
  • Managed hosts

13
Pinpoint the Source Of The Problem
  • Locating the real source of a problem is the key
    to successful troubleshooting
  • A problem that may appear to be caused by a host
    could actually be caused by the server
  • A systematic approach will bring the best results
  • Check one component after another (start with the
    PMS)
  • Services, communication, hardware (network)
  • Check logfiles
  • Check the product configuration
  • PMS and PMC configuration
  • Host policies

14
Product Services
  • Are all necessary services up and running?
  • Check the PMS service status
  • What does the PMS Status monitor say, are all
    ports OK?
  • Check the host service status
  • Test the connection to the server (poll for a new
    policy)

15
Communication Checking
  • Having all services up and running doesn't always
    mean that the communication between the PMS
    components works fine
  • Test the connection
      • From PMC to PMS
          • Telnet the server IP on the Apache admin module
            port (default 8080)
      • From managed host to PMS
          • Telnet the server IP on the Apache host module
            port (default 80)
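
The two telnet tests above, scripted so that a failed connect is also classified (added example, not part of the original presentation or of F-Secure's tooling). The ports are the defaults named on the slide; the hint texts are general TCP troubleshooting guidance, not product messages.

```python
import errno
import socket
import sys

# Default ports named on the slide; adjust if they were changed in httpd.conf.
DEFAULT_PORTS = {
    "console -> server (admin module)": 8080,
    "managed host -> server (host module)": 80,
}

HINTS = {
    "open": "TCP connect works; look at the application level next (logfiles).",
    "refused": "Nothing accepts connections on this address/port: service "
               "stopped, port changed, or listener bound to the local computer only.",
    "timeout": "No answer at all: a firewall or routing problem is likely.",
    "error": "Name resolution or local network error; check the address.",
}

def probe(server, port, timeout=3.0):
    """Attempt one TCP connect (what the telnet test does) and classify it."""
    try:
        with socket.create_connection((server, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        # An unreachable host or network behaves like a dropped connection.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "timeout"
        return "error"

def check_pms(server, ports=DEFAULT_PORTS, timeout=3.0):
    """Probe each module port; return {path: (port, state, hint)}."""
    report = {}
    for path, port in ports.items():
        state = probe(server, port, timeout)
        report[path] = (port, state, HINTS[state])
    return report

if __name__ == "__main__":
    # Usage: python check_pms.py <server address>. Run it from the console
    # machine and from a managed host, since each one tests a different path.
    for path, (port, state, hint) in check_pms(sys.argv[1]).items():
        print(f"{path:38} port {port:<5} {state:8} {hint}")
```

With the default configuration described earlier (PMS accessible from the same computer only), a "refused" result on the admin port from a remote console machine is the expected outcome rather than a fault.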

16
Server Configuration Problems
  • Policy Manager Server configuration problems are
    usually easy to spot
  • Services cannot be launched or are malfunctioning
  • Console connection to the server is rejected
  • Windows reports application or system error in
    event logs
  • But which configuration settings are causing the
    problems, and where can the configuration files be
    found?

17
HTTPD.conf Problems
  • Changes in the HTTP configuration file have to be
    done with extreme care. Wrong settings can cause
    a series of problems
  • E.g. Policy Manager Server service cannot be
    started anymore
  • Take a backup copy of the existing httpd.conf
    before you start making changes
      • Httpd.original backup file is created during
        installation, but it will not include any changes
        made afterwards
  • In case something goes wrong, it's easy to
    roll back the settings

18
Access Rights
  • The Policy Manager Server installation
    automatically creates a local account, used for
    commdir authorization.
      • User account name: fsms_<computername>
      • Policy Manager Server service is started under
        this user account
      • It needs to have full control over the Management
        Server 5 directory
  • Access permissions for important directories
    might be changed or deleted without notification
      • Example: Restoring a backup from write-protected
        media
      • Commdir directory rights will be read-only
      • Solution: Recreate the access rights (full
        control) on commdir directory level and propagate
        them downwards

19
Host Configuration Problems
  • In a Policy Manager environment, all host
    settings are defined in policy files, either
    created by the administrator (base policy files)
    or by the local user (incremental policy file)
  • Once distributed, base policy files are fetched
    by the hosts and taken into use
  • There is no possibility of undoing policy
    distributions (wrong configurations will be taken
    into use)
  • Depending on your host polling interval, you
    might be able to create a new, corrected policy,
    before the host fetches the current policy

20
How Does a Policy Reach a Host?
  • A new policy can reach its host in one of the
    following ways:
      • The Management Agent fetches it periodically
      • The Management Agent checks for new policies
        whenever it is started
          • when the host boots up
          • by stopping and restarting fsma
      • Manually copy the correct policy from PMS to a
        host. You need to stop fsma and fspm before
        copying
      • On a host, click the "Import base policy" button
        and browse to the policy file manually

21
Wrong Communication Settings...Dead End?
  • The hosts cannot reach the server anymore, due to
    a wrongly defined communication address in the
    latest policy
  • Creating a new policy will not help, since the
    hosts will not be able to fetch the policy
  • Solution: Export the base policy files of the
    affected hosts and import them manually through
    the local user interface

22
Policy Changes Not Taken Into Use...Why?
  • It is important to keep in mind that policies can
    be defined on multiple levels.
  • The policy domain tree has a hierarchical
    structure
  • A policy defined on host level will make domain
    level policies irrelevant
  • In such a case, if a host is copied to a different
    domain, it will keep the settings defined on the
    host level (no domain inheritance)
  • From which level has the policy change been
    inherited?
  • Check if there is a host level policy (use Show
    Domain Value)
  • Clear the host level policy or force the domain
    values

23
Incremental Policy Logic
  • All settings changes made through the local user
    interface are saved to the incremental policy
    file (policy.ipf)
  • The incremental policy file has priority over the
    base policy file
  • Settings changes should always be marked as
    final, in order to overwrite possible
    incremental settings

24
Example: Missing Access Restriction
  1. The administrator allows the user to change the
    anti-virus security level
  2. The user changes the security level to Normal
    (ipf is taken into use)
  3. A new policy is created with the idea of forcing
    the Custom security profile
  4. The administrator does not mark the setting as
    final (unlocked)
  5. The host fetches the new policy but the setting
    security profile is not changed
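
The precedence rules from the slides "Policy Changes Not Taken Into Use", "Incremental Policy Logic" and the example above, written out as a small model (added example, not part of the original presentation and not F-Secure's implementation). It assumes only what the slides state: host level beats domain level, the incremental policy beats a base setting that is not final. The names `security_level`, `Sales` and `ws-01` are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Setting:
    value: str
    final: bool = False          # final = locked against local changes

@dataclass
class Node:
    """A policy domain or a host in the domain tree (simplified model)."""
    name: str
    parent: Optional["Node"] = None
    base: dict = field(default_factory=dict)         # set by the administrator
    incremental: dict = field(default_factory=dict)  # policy.ipf, hosts only

def base_setting(node, key):
    """Nearest level that defines the key wins, so host level beats domain."""
    while node is not None:
        if key in node.base:
            return node.base[key], node.name
        node = node.parent
    return None, None

def effective_setting(host, key):
    """Return (value, source) the host ends up using for one setting."""
    setting, level = base_setting(host, key)
    local = host.incremental.get(key)
    if local is not None and (setting is None or not setting.final):
        return local, "incremental"
    if setting is None:
        return None, None
    return setting.value, "base:" + level

def shadowed_settings(host):
    """List (key, intended, actual) where a local change hides the base value."""
    found = []
    for key, local in host.incremental.items():
        setting, _ = base_setting(host, key)
        if setting is not None and not setting.final and setting.value != local:
            found.append((key, setting.value, local))
    return found

# Constructed scenario following the five steps on the slide.
domain = Node("Sales", base={"security_level": Setting("Custom")})
host = Node("ws-01", parent=domain, incremental={"security_level": "Normal"})
print(effective_setting(host, "security_level"))   # setting not marked final
domain.base["security_level"].final = True
print(effective_setting(host, "security_level"))   # setting marked final
```

`shadowed_settings` is the audit view of the same rule: it lists every setting where the administrator's intended value is not the one in use because the base setting was left unlocked.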

25
Logfiles
  • If the problem can be traced to either the Server or
    the Console, the best places to start
    troubleshooting are the error logs
  • Policy Manager Server
      • Logs\access.
      • Logs\error.
  • Policy Manager Console
      • Lib\administrator.error.log
  • Policy Manager Server Status Monitor information
    can also be accessed remotely
      • http://<server_address>/fsms/fsmsh.dll

26
TIPS & TRICKS
27
Accidentally Deleted Host
  • Host was accidentally deleted in the security
    domain pane. How can it be recreated?
  • Distribute policy and wait for the computer to
    send autoregistration request
  • The host can also be recreated manually (using a
    unique name, e.g. DNS name)

28
Recreating the Whole Domain Structure
  • The whole security domain was accidentally
    deleted. Is there anything I can do?
  • If you have a backup of the domain structure, use
    that.
  • Else hard manual work is needed
  • Distribute policy and wait for the computer to
    send autoregistration request.
  • If you have created autoregistration import
    rules, apply them
  • Else move them manually to the right location

29
Performance Improvements
  • Policy file optimization
      • Remove indentation (default OFF)
      • Policy comments should be disabled (default)
      • Minimize the size of the policy file by disabling
        unnecessary MIB files
  • Polling intervals (large environments)
      • Server polling (10 - 60 min.)
      • Client status updates (>30 min.)

30
Problems with Web Reporting
  • Web Reporting doesn't seem to connect to the
    server. What next?
  • Refresh the connection
  • Check Server Monitor port status
  • Distribute policies
  • Check the URL (DNS name, ip, port)
  • Restart F-Secure Policy Manager Web Reporting
  • Restart Policy Manager Server
  • Restart host
  • Reset Web Reporting database
  • Reinstall Web Reporting (allow Web Reporting from
    remote hosts)

31
Summary
  • Main topics
  • Advanced Policy Manager Server configuration
  • Resolving Apache Web Server security issues
  • Troubleshooting
  • Learning how to pinpoint problem sources
  • Inspecting Policy Manager logfiles
  • Tips & Tricks