McAfee M4050 Troubleshooting Guide - Page 39

How Sensor handles new alerts during connectivity loss, Manager connectivity to the database



McAfee® Network Security Platform 6.0
Troubleshooting Network Security Platform
Check to ensure the Management port on the Sensor is configured with the proper speed and duplex mode as described in Management port configuration.
Has the time been reset on the Manager server? The connection between the Sensor
and Manager server is secure, and this secure communication is time-sensitive, so
the time on the devices should remain synchronized. You must set the time on the
Manager server before you install the Manager software and never change the time
on that machine. If the time changes on the Manager server, the Manager will lose its
connectivity with the Sensor and the Update Server. A time change could ultimately
cause serious database errors.
For more information, see the KnowledgeBase article KB55587 (go to http://mysupport.mcafee.com/Eservice/, and click Search the KnowledgeBase).
How Sensor handles new alerts during connectivity loss
The Sensor stores alerts internally until connection is restored. Network Security Platform
classifies events and prioritizes to ensure the buffer is filled with the most meaningful
events to an analyst.
The following table lists the number of alerts that can be stored locally on the Sensor.
Number    Alert Type
100000    Signature based alerts
2500      Throttled alerts (with source and destination IP information)
2500      Compressed throttled alerts (alerts with no source and destination IP information)
2500      Statistical or anomaly DoS
2500      Throttled DoS alerts
1000      Host sweep alerts
1000      Port scan alerts
Once the connection from the Sensor to the Manager has been re-established, the queued
alerts are forwarded up to the Manager. So the customer will retain them even in the event
that connectivity is disrupted for some time.
If the buffer fills up before connectivity is restored, the Sensor will drop new alerts, but if
blocking is enabled, the Sensor will continue to block irrespective of the Sensor's
connectivity with the Manager.
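The buffering behaviour described above, as an added simulation for this page (not McAfee's code): the per-type capacities come from the table, while the alert type names, alert records and alert rates are constructed, and the Sensor's prioritization of which events fill a buffer is not modelled. It lets an operator estimate how long an outage a given alert rate can survive before new alerts are dropped.

```python
from collections import deque
# Per-type local capacities listed in the guide (number of alerts).
CAPACITY = {
    "signature": 100000,
    "throttled": 2500,
    "compressed_throttled": 2500,
    "statistical_dos": 2500,
    "throttled_dos": 2500,
    "host_sweep": 1000,
    "port_scan": 1000,
}

class SensorAlertBuffer:
    """Queues alerts per type while the Manager is unreachable (illustrative model, not McAfee code)."""

    def __init__(self, blocking_enabled):
        self.blocking_enabled = blocking_enabled
        self.connected = True
        self.queues = {t: deque() for t in CAPACITY}
        self.dropped = {t: 0 for t in CAPACITY}  # new alerts lost because a buffer was full

    def lose_connection(self):
        self.connected = False

    def raise_alert(self, alert_type, record):
        """'sent' if forwarded immediately, 'queued' if buffered, 'dropped' if the type's buffer is full."""
        if self.connected:
            return "sent"
        q = self.queues[alert_type]
        if len(q) >= CAPACITY[alert_type]:
            self.dropped[alert_type] += 1
            return "dropped"
        q.append(record)
        return "queued"

    def should_block(self):
        """Blocking is a policy decision; it does not depend on reaching the Manager."""
        return self.blocking_enabled

    def reconnect(self):
        """Forward everything queued to the Manager (per type, in arrival order) and clear the buffers."""
        self.connected = True
        flushed = {t: list(q) for t, q in self.queues.items() if q}
        for q in self.queues.values():
            q.clear()
        return flushed

def max_outage_seconds(alert_type, alerts_per_second):
    """Longest outage before this type's buffer fills at a steady alert rate (constructed rate)."""
    return CAPACITY[alert_type] / alerts_per_second
```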
Manager connectivity to the database
In the event that the Manager loses connectivity to the database (i.e. the database goes
down) the alerts are stored in a flat file on the Manager server. When the database
connectivity is restored, the alerts are stored in the database.