You are viewing an old version of this page. View the current version.
Compare with Current
View Page History
« Previous
Version 139
Current »
You can use the information below to troubleshoot the issues displayed in the Protection screen.
Armor recommends that you troubleshoot these issues to:
Improve your Protection scores
Improve your overall Health scores
Increase the overall security of your environment
Review each step to troubleshoot your problem. If the first step does not resolve the issue, then continue to the second step until the issue has been resolved. As always, you can send a support ticket.
Armor Service | Issue | Remediation |
---|
Logging | The filebeat logging agent is not installed. |
Step 1: Verify the status of filebeat
| Description | Command | Extra information |
---|
Windows | Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\ | cat C:\.armor\opt\winlogbeat-5.2.0 -windows -x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0 -windows -x86_64\filebeat.yml
| - Windows uses both winlogbeat and filebeat.
- Commands should run in Powershell.
To review additional configurations, certificates, and service information, review a server's directory: - C:\.armor\opt\winlogbeat*
- C:\.armor\opt\filebeat*
|
---|
| To verify the operation of the logging services, look for winlogbeat, filebeat | gsv -displayname winlogbeat,filebeat |
|
---|
| To verify the operation of the logging service processes, look for winlogbeat | gps filebeat,winlogbeat |
|
---|
| Confirm the configured log endpoint | cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts |
|
---|
|
|
|
|
---|
Linux | Configurations are stored within /etc/filebeat/filebeat.yml | cat /etc/filebeat/ *.yml |
|
---|
| Verify the operation of the filebeat service | ps aux | grep filebeat |
|
---|
| Confirm the configured log endpoint | grep -i hosts /etc/filebeat/filebeat .yml |
|
---|
| Confirm the external_id | grep -i external_id /etc/filebeat/filebeat .yml |
|
---|
| Confirm the tenant ID | grep -i tenant_id /etc/filebeat/filebeat .yml |
|
---|
Step 2: Send a support ticket In the Armor Management Portal (AMP), in the left-side navigation, click Support. Click Tickets. Click Create A Ticket.
On the Armor Ticketing System screen, review the categories for ticket request types. These request types are used internally to automatically route your ticket to the appropriate department for a more efficient response.
Scenario | Request Types |
---|
Support for Urgent Issues | Outage – report an outage Performance Issue – report device performance or degradation issue General Incident – report an unlisted incident Potential Security Incident – report a potential security issue
| Common Requests | Armor Services – Armor agent services, logging, monitoring, etc. VPN – VPN inquiries Armor Portal – AMP inquiries and requests L2L Tunnels WAF – WAF exceptions and requests Firewall – inquiries on self-service firewall rules SSL Certificate
| Other Requests | Backup Service – backup services request Disaster Recovery Service DNS – add/configure DNS records Encryption Service – encryption service request Load Balancer – load balancer appliance request OS Patching/Updates – request for OS patching and updates Vulnerability Scanning – vulnerability scanning services Recurring Issue – report a recurring or periodically repeating problem Professional Services – Request a statement of work for out of scope services.
| Account Requests | Access & Users – request for access and user management Billing/Invoices – general billing or invoice request Compliance – compliance or audit requests Legal/TOS/SLA – legal inquiries Account Cancellation – cancel an Armor account.
|
In Account, select the AMP account that relates to the ticket. Complete the missing fields. In Summary, enter a very brief description. You can only enter a maximum of 255 characters. In Description, enter useful details that can help Armor quickly troubleshoot the problem. For example, consider the following questions: What is the specific issue? What are the steps to reproduce the issue? What is the level of business impact? Are there additional contacts that should be notified? Have there been any troubleshooting steps already performed? Are there any error messages or screenshots to share?
If applicable, in Device, enter the name of the affected virtual machine.
If applicable, add any screenshots to help explain the issue. Click Create.
(Optional) After you create a ticket, you can add additional users or organizations to the ticket. On the ticket detail screen, in the right-side menu, click Share. Type the name of the user or the user’s email address. To share with a specific organization, type the account name, and then select the desired organization (Admin, Billing, Technical, or Security). The ticket can be shared with multiple organizations. Click Share.
(Optional) To view the status of this newly created ticket, in the Tickets screen, click View Existing Tickets.
|
Logging | The winlogbeat logging agent is not installed.
| Step 1: Verify the status of winlogbeat
Description | Command | Extra information |
---|
Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\ | cat C:\.armor\opt\winlogbeat-5.2.0 -windows -x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0 -windows -x86_64\filebeat.yml
| - Windows uses both winlogbeat and filebeat.
- Commands should run in Powershell.
To review additional configurations, certificates, and service information, review a server's directory: - C:\.armor\opt\winlogbeat*
- C:\.armor\opt\filebeat*
| To verify the operation of the logging services, look for winlogbeat, filebeat | gsv -displayname winlogbeat,filebeat |
| To verify the operation of the logging service processes, look for winlogbeat | gps filebeat,winlogbeat |
| Confirm the configured log endpoint | cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts |
|
|
Logging | Armor has not received a log in the past 4 hours. |
Step 1: Check logging services
| Description | Command | Extra information |
---|
Windows | Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\ | cat C:\.armor\opt\winlogbeat-5.2.0 -windows -x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0 -windows -x86_64\filebeat.yml
| - Windows uses both winlogbeat and filebeat.
- Commands should run in Powershell.
To review additional configurations, certificates, and service information, review a server's directory: - C:\.armor\opt\winlogbeat*
- C:\.armor\opt\filebeat*
|
---|
| To verify the operation of the logging services, look for winlogbeat, filebeat | gsv -displayname winlogbeat,filebeat |
|
---|
| To verify the operation of the logging service processes, look for winlogbeat | gps filebeat,winlogbeat |
|
---|
| Confirm the configured log endpoint | cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts |
|
---|
|
|
|
|
---|
Linux | Configurations are stored within /etc/filebeat/filebeat.yml | cat /etc/filebeat/ *.yml |
|
---|
| Verify the operation of the filebeat service | ps aux | grep filebeat |
|
---|
| Confirm the configured log endpoint | grep -i hosts /etc/filebeat/filebeat .yml |
|
---|
| Confirm the external_id | grep -i external_id /etc/filebeat/filebeat .yml |
|
---|
| Confirm the tenant ID | grep -i tenant_id /etc/filebeat/filebeat .yml |
|
---|
Step 2: Check connectivity Port | Destination |
---|
515/tcp | - 46.88.106.196
- 146.88.144.196
|
|
Armor Service | Issue | Remediation |
---|
Malware Protection | Malware Protection has not provided a heartbeat in the past 4 hours. |
Step 1: Verify the status of the agent
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps -axu | grep ds_agent |
---|
Step 2: Check the connectivity of the agent
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient( '146.88.106.210' , 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88 . 106.210 443 |
---|
Step 3: Manually heartbeat the agent
| Description | Command |
---|
Windows | Verify a 200 response |
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
|
---|
Linux | Verify a 200 response |
/opt/ds_agent/dsa_control -m
|
---|
Step 4: Send a support ticket In the Armor Management Portal (AMP), in the left-side navigation, click Support. Click Tickets. Click Create A Ticket.
On the Armor Ticketing System screen, review the categories for ticket request types. These request types are used internally to automatically route your ticket to the appropriate department for a more efficient response.
Scenario | Request Types |
---|
Support for Urgent Issues | Outage – report an outage Performance Issue – report device performance or degradation issue General Incident – report an unlisted incident Potential Security Incident – report a potential security issue
| Common Requests | Armor Services – Armor agent services, logging, monitoring, etc. VPN – VPN inquiries Armor Portal – AMP inquiries and requests L2L Tunnels WAF – WAF exceptions and requests Firewall – inquiries on self-service firewall rules SSL Certificate
| Other Requests | Backup Service – backup services request Disaster Recovery Service DNS – add/configure DNS records Encryption Service – encryption service request Load Balancer – load balancer appliance request OS Patching/Updates – request for OS patching and updates Vulnerability Scanning – vulnerability scanning services Recurring Issue – report a recurring or periodically repeating problem Professional Services – Request a statement of work for out of scope services.
| Account Requests | Access & Users – request for access and user management Billing/Invoices – general billing or invoice request Compliance – compliance or audit requests Legal/TOS/SLA – legal inquiries Account Cancellation – cancel an Armor account.
|
In Account, select the AMP account that relates to the ticket. Complete the missing fields. In Summary, enter a very brief description. You can only enter a maximum of 255 characters. In Description, enter useful details that can help Armor quickly troubleshoot the problem. For example, consider the following questions: What is the specific issue? What are the steps to reproduce the issue? What is the level of business impact? Are there additional contacts that should be notified? Have there been any troubleshooting steps already performed? Are there any error messages or screenshots to share?
If applicable, in Device, enter the name of the affected virtual machine.
If applicable, add any screenshots to help explain the issue. Click Create.
(Optional) After you create a ticket, you can add additional users or organizations to the ticket. On the ticket detail screen, in the right-side menu, click Share. Type the name of the user or the user’s email address. To share with a specific organization, type the account name, and then select the desired organization (Admin, Billing, Technical, or Security). The ticket can be shared with multiple organizations. Click Share.
(Optional) To view the status of this newly created ticket, in the Tickets screen, click View Existing Tickets.
|
Malware Protection | Malware Protection is not installed or configured. |
Step 1: Verify the status of the agent
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps -axu | grep ds_agent |
---|
Step 2: Check the connectivity of the agent
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient( '146.88.106.210' , 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88 . 106.210 443 |
---|
Step 3: Manually heartbeat the agent
| Description | Command |
---|
Windows | Verify a 200 response |
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
|
---|
Linux | Verify a 200 response |
/opt/ds_agent/dsa_control -m
|
---|
Step 4: Check the components for the agent Windows |
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.AM
|
---|
Linux |
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.AM
|
---|
|
Malware Protection | Reboot is required for Malware Protection. |
Step 1: Reboot your server Step 1: Reboot your server
|
Armor Service | Issue | Remediation |
---|
File Integrity Monitoring (FIM) | FIM has not provided a heartbeat in the past 4 hours. |
Step 1: Verify the status of the agent
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps -axu | grep ds_agent |
---|
Step 2: Check the connectivity of the agent
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient( '146.88.106.210' , 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88 . 106.210 443 |
---|
Step 3: Manually heartbeat the agent
| Description | Command |
---|
Windows | Verify a 200 response |
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
|
---|
Linux | Verify a 200 response |
/opt/ds_agent/dsa_control -m
|
---|
|
File Integrity Monitoring (FIM) | FIM is installed but has not been configured. |
Step 1: Verify the status of the agent
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps -axu | grep ds_agent |
---|
Step 2: Check the connectivity of the agent
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient( '146.88.106.210' , 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88 . 106.210 443 |
---|
Step 3: Manually heartbeat the agent
| Description | Command |
---|
Windows | Verify a 200 response |
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
|
---|
Linux | Verify a 200 response |
/opt/ds_agent/dsa_control -m
|
---|
Step 4: Check the components for the agent Windows |
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.IM
|
---|
Linux |
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.IM
|
---|
|
File Integrity Monitoring (FIM) | FIM is not installed. |
Step 1: Verify the status of the agent
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps -axu | grep ds_agent |
---|
Step 2: Check the connectivity of the agent
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient( '146.88.106.210' , 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88 . 106.210 443 |
---|
Step 3: Manually heartbeat the agent
| Description | Command |
---|
Windows | Verify a 200 response |
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
|
---|
Linux | Verify a 200 response |
/opt/ds_agent/dsa_control -m
|
---|
|
Armor Service | Issue | Remediation |
---|
IDS | IDS has not provided a heartbeat in the past 4 hours. | Step 1: Verify the status of the agent
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps -axu | grep ds_agent |
---|
Step 2: Check the connectivity of the agent
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient( '146.88.106.210' , 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88 . 106.210 443 |
---|
Step 3: Manually heartbeat the agent
| Description | Command |
---|
Windows | Verify a 200 response |
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
|
---|
Linux | Verify a 200 response |
/opt/ds_agent/dsa_control -m
|
---|
|
IDS | IDS is installed but has not been configured. | Step 1: Verify the status of the agent
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps -axu | grep ds_agent |
---|
Step 2: Check the connectivity of the agent
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient( '146.88.106.210' , 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88 . 106.210 443 |
---|
Step 3: Manually heartbeat the agent
| Description | Command |
---|
Windows | Verify a 200 response |
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
|
---|
Linux | Verify a 200 response |
/opt/ds_agent/dsa_control -m
|
---|
|
IDS | IDS is not installed or enabled. |
Step 1: Verify the status of the agent
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps -axu | grep ds_agent |
---|
Step 2: Check the connectivity of the agent
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient( '146.88.106.210' , 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88 . 106.210 443 |
---|
Step 3: Manually heartbeat the agent
Windows |
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
|
---|
Linux |
/opt/ds_agent/dsa_control -m
|
---|
|
To remediate Vulnerability Scanning issues, please refer to this documentation.