TDA_2.5_Troubleshooting


TDA 2.5
Debug tool and Known issues
Cellina
NCSG QA
Agenda
• Debug Portal and Feature
– Traffic Flow Status
• Reset to Factory Default
• Known Issues Summary
Classification
2015/4/13
2
Copyright 2007 - Trend Micro Inc.
Debug Portal and Feature
• Debug Portal URL
https://[TDA_IP]/html/rdqa.htm
• CAV Log Enable/Disable
• CAV Rule Enable/Disable
• Debug Log
• Log Transmission Setting
• tcpdump
• Kernel Module Status
• System Process Status: ATOP, ps
Debug Portal and Feature (Cont)
• CAV Log Enable/Disable
– VSAPI: VSAPI virus logging
– Network Virus: network virus logging
– Potential Threat: CAV rule matching
– TMUFE query: TMUFE URL query
Debug Portal and Feature (Cont)
• Threat Detection Settings (Enable Threat Detection)
– VSAPI: VSAPI virus logging
– Network Virus: network virus logging
– Potential Threat: CAV rule matching (OCS rules not included)
Debug Portal and Feature (Cont)
• CAV Rule Enable/Disable
– Customize the activated rule set
– A pattern (NCCP) update overwrites the customization, so it has to be re-applied after each pattern update
Debug Portal and Feature (Cont)
• Debug Log
– Change the debug level to 4 and save
– Select “export debug log” and export
– Reset the debug log
– Change the debug level back to 1 after the export
Debug Portal and Feature (Cont)
• Tcpdump
– Use when no SSH connection to TDA is allowed but the packets that TDA monitors need to be captured
– Select the target interface and start
– Export the file (tcpdump.tgz)
– “tcpdump.cap” is the latest capture; the cap files are rotated
– Reset after the export
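Because the exported tcpdump.tgz holds several rotated captures, and a capture stopped from the portal can be cut off mid-write, it is worth checking the archive before sending it anywhere. The script below is an added example (not code from the slides or from TDA itself): it parses each classic pcap file in the archive, reports link type, packet count and time span, orders the files by their last packet so the claim that tcpdump.cap is the newest can be verified, and tolerates a trailing partial record. The archive layout (plain files named tcpdump.cap, tcpdump.cap.1, ...) is an assumption; the sample archive is constructed inline.

```python
"""Sanity-check a TDA debug-portal tcpdump export (tcpdump.tgz).

Added example; not code from the original slides or from the TDA product.
Assumes the archive holds classic libpcap files named tcpdump.cap,
tcpdump.cap.1, ... (rotated captures, as the slide describes).
"""
import io
import struct
import tarfile
from typing import Dict, List, Tuple


def summarize_pcap(data: bytes) -> Dict[str, object]:
    """Parse a classic pcap blob; tolerate a capture cut off mid-record."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"            # little-endian, microsecond timestamps
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"            # big-endian, microsecond timestamps
    elif magic == b"\x0a\x0d\x0d\x0a":
        raise ValueError("pcapng block, not classic pcap")
    else:
        raise ValueError("unknown pcap magic %r" % magic)
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    off, count, first_ts, last_ts, snapped = 24, 0, None, None, 0
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        if off + 16 + incl_len > len(data):
            break               # record body cut off: tcpdump was stopped mid-write
        ts = ts_sec + ts_usec / 1e6
        first_ts = ts if first_ts is None else first_ts
        last_ts = ts
        if incl_len < orig_len:
            snapped += 1        # shortened by snaplen, not a corrupt file
        off += 16 + incl_len
        count += 1
    return {
        "linktype": linktype, "snaplen": snaplen, "packets": count,
        "first_ts": first_ts, "last_ts": last_ts,
        "snapped_packets": snapped,
        "partial_tail_bytes": len(data) - off,   # > 0 means a cut-off record
    }


def summarize_export(tgz: bytes) -> List[Tuple[str, Dict[str, object]]]:
    """Summarize every rotated .cap file in tcpdump.tgz, newest capture first."""
    results = []
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or ".cap" not in member.name:
                continue
            blob = tar.extractfile(member).read()
            results.append((member.name, summarize_pcap(blob)))
    # The slide says tcpdump.cap is the latest; verify by last packet time.
    results.sort(key=lambda item: item[1]["last_ts"] or 0, reverse=True)
    return results


def build_pcap(packets: List[Tuple[int, int, bytes]]) -> bytes:
    """Constructed test data: little-endian classic pcap, Ethernet link type."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts_sec, ts_usec, frame in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return bytes(out)


def build_tgz(files: Dict[str, bytes]) -> bytes:
    """Constructed test data: an in-memory tcpdump.tgz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, blob in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(blob)
            tar.addfile(info, io.BytesIO(blob))
    return buf.getvalue()


# Constructed 60-byte Ethernet frame (broadcast dst, IPv4 ethertype, zero body).
FRAME = bytes.fromhex("ffffffffffff" "00115eaa0001" "0800") + b"\x00" * 46

SAMPLE_TGZ = build_tgz({
    "tcpdump.cap.1": build_pcap([(1428900000, 0, FRAME), (1428900050, 500000, FRAME)]),
    "tcpdump.cap": build_pcap([(1428900100, 0, FRAME), (1428900101, 250000, FRAME)])
                   + b"\x01\x02\x03",   # simulate a record header cut off mid-write
})

if __name__ == "__main__":
    for name, summary in summarize_export(SAMPLE_TGZ):
        print(name, summary)
```

A non-zero partial_tail_bytes is normal for the file that was being written when the capture was reset; a wrong linktype or a packet count of zero on the interface you expected to be mirrored is the finding that matters.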
Debug Portal and Feature (Cont)
• Kernel Module Status
– Observe the statistic counts for network connections and memory usage
– conntrack_count is the total number of connections being monitored
– ESTABLISHED is the number of connections in the TCP established state
– If ESTABLISHED is relatively low compared with conntrack_count, suspect a deployment or switch (port mirror) setting problem: TDA is probably not seeing the complete flow of each connection
Debug Portal and Feature (Cont)
• TDA must monitor the complete data flow of a TCP connection, including both directions; otherwise the connection never reaches the established state in the tracker
Debug Portal and Feature (Cont)
• SYN flood protection
– Too many syn_contrack entries indicate that TDA may be under a SYN flood or DDoS attack
– TDA keeps running and working at a packet rate below 200,000 and up to 1,000,000 SYN packets
Debug Portal and Feature (Cont)
• Memory protection
– When too much user memory is used, TDA drops the oldest session
• Too much user memory used: nr_pages >= 4730M
• Usually means the application is too busy and slow
• Check with: tail -f /var/log/kernel.log
Debug Portal and Feature (Cont)
• Memory protection
– When kernel memory runs short or too much is used, TDA drops the oldest session
• Too much kernel memory used: sum of nr_xx_bytes > 550M
• Usually means the throughput is too high
Debug Portal and Feature (Cont)
• Connection track capacity
~# cat /proc/sys/net/toe/conntrack_max
128000
Debug Portal and Feature (Cont)
• Network Flow Status
– TDA periodically detects whether packets or connections are being dropped because of TDA memory protection or because traffic exceeds the connection track table capacity
– Network Flow turns red if packets or sessions keep dropping for more than 1 minute
– TDA detection is not guaranteed under such a condition
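The Kernel Module Status, SYN flood, memory protection, connection track capacity and Network Flow slides above together form a small rule set. The script below is an added example (not code from the slides or from TDA itself) that applies those rules to periodic counter snapshots and reproduces the red/green decision: a snapshot is "dropping" when the conntrack table is full or either memory protection has kicked in, and the flow status turns red once dropping persists for more than 60 seconds. Assumptions for the example: the status page can be read as "name value" lines, nr_pages counts 4 KiB pages, and "relatively low" ESTABLISHED means below 10% of conntrack_count. The sample snapshots are constructed, not real appliance output.

```python
"""Evaluate the Kernel Module Status counters and the Network Flow rule.

Added example; not code from the original slides or from the TDA product.
Counter names follow the slides (conntrack_max, conntrack_count, ESTABLISHED,
syn_contrack, nr_pages, nr_*_bytes). Assumed: 'name value' text layout,
4 KiB pages for nr_pages, and a 10 % ESTABLISHED ratio as "relatively low".
"""
from typing import Dict, List, Optional, Tuple

MIB = 1024 * 1024
PAGE_SIZE = 4096                 # assumed page size for nr_pages
USER_MEM_LIMIT = 4730 * MIB      # nr_pages >= 4730M: oldest sessions dropped
KERNEL_MEM_LIMIT = 550 * MIB     # sum of nr_*_bytes > 550M: oldest sessions dropped
SYN_LIMIT = 1_000_000            # SYN packet count the slide says TDA survives
RED_AFTER_SECONDS = 60           # Network Flow turns red after > 1 minute of drops
LOW_ESTABLISHED_RATIO = 0.10     # assumed threshold for "relatively low"


def parse_status(text: str) -> Dict[str, int]:
    """Turn 'name value' lines (assumed layout) into an int dict."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        counters[name] = int(value)
    return counters


def check_snapshot(c: Dict[str, int]) -> List[str]:
    """Apply the slides' rules to one snapshot. Every finding that means
    traffic is being dropped contains the word 'dropped'."""
    findings: List[str] = []
    total = c.get("conntrack_count", 0)
    established = c.get("ESTABLISHED", 0)
    if c.get("conntrack_max") and total >= c["conntrack_max"]:
        findings.append("conntrack table full: new connections are dropped")
    if total and established / total < LOW_ESTABLISHED_RATIO:
        findings.append("ESTABLISHED low relative to conntrack_count: "
                        "TDA is likely not seeing the complete flow (deployment/switch setting)")
    if c.get("syn_contrack", 0) > SYN_LIMIT:
        findings.append("syn_contrack above survivable SYN count: possible SYN flood/DDoS")
    if c.get("nr_pages", 0) * PAGE_SIZE >= USER_MEM_LIMIT:
        findings.append("user memory protection: oldest sessions dropped (application too busy)")
    kernel_bytes = sum(v for k, v in c.items()
                       if k.startswith("nr_") and k.endswith("_bytes"))
    if kernel_bytes > KERNEL_MEM_LIMIT:
        findings.append("kernel memory protection: oldest sessions dropped (throughput too high)")
    return findings


def is_dropping(findings: List[str]) -> bool:
    """True when any finding means packets or sessions are being dropped."""
    return any("dropped" in f for f in findings)


def network_flow_status(snapshots: List[Tuple[int, str]]) -> str:
    """'red' once drops persist for more than RED_AFTER_SECONDS, else 'green'.
    snapshots are (unix_seconds, status_text) pairs taken periodically."""
    drop_since: Optional[int] = None
    for ts, text in snapshots:
        if is_dropping(check_snapshot(parse_status(text))):
            if drop_since is None:
                drop_since = ts
            elif ts - drop_since > RED_AFTER_SECONDS:
                return "red"
        else:
            drop_since = None     # drops stopped; the clock restarts
    return "green"


# Constructed sample snapshots (not real appliance output).
HEALTHY = """\
conntrack_max 128000
conntrack_count 42000
ESTABLISHED 31000
syn_contrack 1500
nr_pages 524288
nr_skb_bytes 120000000
nr_frag_bytes 30000000
"""

FLOODED = """\
conntrack_max 128000
conntrack_count 128000
ESTABLISHED 900
syn_contrack 1200000
nr_pages 1300000
nr_skb_bytes 480000000
nr_frag_bytes 100000000
"""

if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY), ("flooded", FLOODED)):
        print(label, check_snapshot(parse_status(text)) or ["ok"])
    print(network_flow_status([(0, FLOODED), (30, FLOODED), (61, FLOODED)]))
```

The low-ESTABLISHED finding deliberately does not count as dropping: it points at a mirror or deployment problem, and TDA is still forwarding and tracking what it sees, which is why the slides treat it separately from the red Network Flow condition.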
Debug Portal and Feature (Cont)
• ATOP
– Linux atop command
– CPU usage
– System memory
– Layer 2 throughput
• See which interfaces are connected
– Process status
Reset to factory default
• Required when moving a TDA appliance from one pilot customer to another
– Resets TDA’s GUID
– Otherwise the appliance will confuse the backend TMSP system
– Procedure
• Ensure the serial console is ready
• Reset TDA
• In the serial console, during GRUB loading, press ESC to enter the menu
• Select 3) Restore to factory mode
Known Issues Summary
• Detection in FTP protocol
– File download in active mode
• Protocol shown as “FTP”
• All file types supported
– File upload in active mode or passive mode
• Protocol shown as “File Transfer”
• Only certain true file types are supported
– zip, rar, msft, office, pdf, rtf, exe
Known Issues Summary
• TDVA firmware update
– Cannot update the firmware when VMI is enabled
– Same limitation as on VMware Workstation
• TMSP communication channel
– Only an HTTP proxy is supported
– Only basic authentication on the proxy server is supported
• Does not support TDVA Lite migration to TDA 2.5
• Does not support firmware update through the Firefox browser
Thank You