
FAQ

May 2009

Copyright 2009 TippingPoint Technologies, Inc. All rights reserved. This document contains confidential information, trade secrets or both, which are the property of TippingPoint Technologies, Inc. or one of its subsidiaries. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from TippingPoint Technologies, Inc. or one of its subsidiaries. TippingPoint Technologies, Inc. reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of TippingPoint Technologies, Inc. to provide notification of such revision or change. TippingPoint Technologies, Inc. provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms, or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. TippingPoint Technologies, Inc. may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time. If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document. UNITED STATES GOVERNMENT LEGENDS: If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following: United States Government Legend: All technical data and computer software is commercial in nature and developed solely at private expense. Software is delivered as Commercial Computer Software as defined in DFARS 252.227-7014 (June 1995) or as a commercial item as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com's standard commercial license for the Software.
Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this guide. Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries. Digital Vaccine is a registered trademark. TippingPoint and the TippingPoint logo are trademarks of TippingPoint Technologies, Inc. or one of its subsidiaries. Microsoft and Windows are registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other brand and product names may be registered trademarks or trademarks of their respective holders.

Contents
TAC General
Q How do I contact the TippingPoint Technical Assistance Center (TAC)?
Q What information should I provide to TAC when opening a support case?
Q Where can I find my Customer ID Number?

IPS
Q How do I find the Certificate Serial Number of my IPS?
Q How can I recover the password to my IPS?
Q How do I perform a Factory Reset on the IPS?
Q What happens if I exceed the maximum rated bandwidth of my IPS?
Q If I upgrade the TOS on my IPS will it cause a loss of network connectivity?
Q Why do my rate limiting action sets appear to be inaccurate at times?
Q How many entries can the IPS System/Audit log hold?
Q Why do I see isValid errors in the IPS system log and what do they mean?
Q Why is my vulnerability scanner reporting SSL and/or SSH vulnerabilities when scanning the IPS management port?
Q Where can I find the system log of my IPS?

SMS
Q How do I find the Certificate Serial Number of my SMS?
Q How can I recover the password to my SMS?
Q How do I perform a Factory Reset on the SMS?
Q Where can I find the system log of my SMS?
Q Can I rollback an SMS upgrade if I find issues with the new version?
Q If I have received an error message and am unable to distribute a profile to the IPS, how can I fix this?
Q If the SMS loses contact with the IPS for a few minutes due to a WAN outage, do I lose the alerts from the IPS during that time?
Q Why did I receive an error when trying to set up a rate limit for 50Kbps on my IPS?
Q I'm getting an error message that the connection to the TMC is refused. How can I fix this?

DV
Q Why are there so many different versions of the DV? Which one should I use?
Q Are filter specific settings preserved for filters that are modified in a DV?

Other
Q Where can I get third party MIB files?
Q How do I capture packets with an IPS?
Q What data should I backup for disaster recovery?
Q Where can I get the latest product documentation?
Q How do I get an account for the Threat Management Center (TMC)?
Q What is ThreatLinQ and how do I get an account on it?

TAC General
Q: How do I contact the TippingPoint Technical Assistance Center (TAC)? A: TippingPoint TAC is available twenty-four hours per day and seven days per week by telephone, email or online support request.
Phone: 866.681.8324
Email: support@tippingpoint.com
Online Support Request: https://tmc.tippingpoint.com/TMC/ContentSupportFeedback.jsp
Note: For a complete list of international phone numbers, visit https://tmc.tippingpoint.com/TMC/Content/support/Support_Contacts

Q: What information should I provide to TAC when opening a support case? A: When contacting TAC for support, please have the following information ready:
- Customer ID
- IPS/SMS Certificate Serial Number
- TOS Version
- Device Model
- Full System Log
- Full Audit Log

Please also provide the output from the following CLI commands:

IPS
  show version
  show mfg-info
  show health
  debug disk stat

SMS
  version
  get system
  get health

Q: Where can I find my Customer ID Number? A: Your Customer ID Number can be found on the billing invoice that arrived with the order. In some cases the Customer ID Number is not included in the invoice document. If you are unable to locate the Customer ID Number, contact TippingPoint TAC. TAC will be able to provide your Customer ID Number if given the Certificate Serial Number of the TippingPoint product. TippingPoint TAC can be reached by calling 866-681-8324 or emailing the address support@tippingpoint.com. Please have your Certificate Serial Number available when you call or email.

IPS
Q: How do I find the Certificate Serial Number of my IPS? A: The Certificate Serial Number can be found by connecting via SSH or serial console to the device and running the following Command Line Interface (CLI) command:
  show version
If the device is not accessible via the CLI, the Certificate Serial Number can also be found on a white sticker on the underside of the IPS.

Q: How can I recover the password to my IPS? A: To recover the SuperUser account, please follow these steps:
1) Connect to the IPS via the console port. The serial port connection settings are as follows: Speed: 115200, Databits: 8, Parity: None, Stopbits: 1.
2) Reboot the IPS. Note: The IPS will reboot during this procedure and will interrupt traffic flow through the IPS.
3) After the IPS completes its initial startup screens, the TippingPoint UnityOne splash screen is displayed in ASCII characters. Shortly thereafter you will see "Loading". Type the following command and press the Enter key within three seconds:
  mkey
Note: If you see any dots after "Loading" (as in "Loading........") then you were not fast enough and will have to reboot and try again.
4) If you were successful, you will be prompted to specify the security level for the initial SuperUser account and password creation.
5) Enter the desired username for the SuperUser account.
6) Enter your new password. Once the new username and password have been accepted, the IPS will complete the boot process and you will be able to log in to the IPS with the new credentials.

Q: How do I perform a Factory Reset on the IPS? A: To perform a factory reset, connect to the IPS via SSH and log in using a SuperUser account. From the CLI, issue the following command:
  debug factory-reset
Note: The IPS will reboot during this procedure and will interrupt traffic flow through the IPS. Do NOT interrupt this process. The process is complete when the IPS prompts you to "Press any key to begin the Initial Setup Wizard or use the LCD panel". This process can take a long time to complete. When the IPS finishes the process of resetting to factory defaults, it will need to be reconfigured using the Initial Setup Configuration Procedure via the Serial Console. Please consult the Quick Start Guide for the appropriate product if you are not familiar with the Initial Setup Configuration Procedure.

Q: What happens if I exceed the maximum rated bandwidth of my IPS? A: The IPS is capable of handling short traffic spikes above the maximum rated bandwidth with minimal packet loss. However, exceeding the maximum rated bandwidth of the IPS for periods of time can lead to system performance degradation, congestion, adaptive filter configuration, and Layer 2 Fallback.

Q: If I upgrade the TOS on my IPS will it cause a loss of network connectivity? A: As of TOS version 2.5.2 the TippingPoint 600E, 1200E, 2400E, and 5000E IPS models provide the ability to perform a TOS software upgrade without interrupting traffic through the IPS segments. During the reboot process each segment continues to handle traffic based on the Intrinsic Network HA: Layer-2 Fallback settings configured for the segment (Permit All or Block All). However, no IPS filtering functions are performed on the traffic during the update process. The Hitless Update feature will not be in effect when you upgrade to version 2.5.2 (or greater) but will be in effect for any upgrades after 2.5.2. Rollbacks to earlier TOS versions are not hitless. This feature is only available on the TippingPoint 600E, 1200E, 2400E, and 5000E IPS models. TOS upgrades performed on other IPS models will cause a loss of network connectivity.

Q: Why do my rate limiting action sets appear to be inaccurate at times? A: A rate limiting action set defines a maximum bandwidth that can be used by traffic that matches filters assigned to that action set. Incoming traffic in excess of the defined rate limit for the filter that the traffic matches is dropped. If two or more filters use the same rate limiting action set, then all packets matching these filters share the bandwidth. For example, if filters 164 (ICMP Echo Request) and 161 (ICMP Redirect Undefined Code) use the same 10 Mbps action set, then both Echo Requests and Redirect Undefined Codes filters share the 10 Mbps pipe as opposed to each filter getting a dedicated 10Mbps pipe. Rate limits are not implemented exactly according to rate. Higher rates are less precise. For example, on a 5000E device the observed rate on a 125Mbps limiter could be closer to 130Mbps.
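The sharing rule above is easy to misread when reading per-filter counters. The token-bucket model below is an added illustration, not TippingPoint code: it binds the FAQ's filters 164 and 161 to one 10 Mbps action set and shows that they split the pipe, whereas separate action sets would each pass their full load. The offered rates and packet size are constructed sample values.

```python
"""Token-bucket model of a rate-limit action set shared by several filters."""

TICKS_PER_SECOND = 1000  # simulate in 1 ms slices; all arithmetic stays integer


class RateLimitActionSet:
    """One action set = one bucket. Every filter bound to it draws from the same tokens."""

    def __init__(self, rate_bps: int) -> None:
        self.tokens_per_tick = rate_bps // TICKS_PER_SECOND  # bits admitted per tick
        self.tokens = 0                                       # no initial burst credit
        self.passed_bits = {}   # filter id -> bits forwarded
        self.dropped_bits = {}  # filter id -> bits dropped

    def refill(self) -> None:
        # Unused credit is not banked across ticks, which keeps the model strict.
        self.tokens = self.tokens_per_tick

    def offer(self, filter_id: int, packet_bits: int) -> bool:
        """Forward the packet if the shared bucket can pay for it, otherwise drop it."""
        if self.tokens >= packet_bits:
            self.tokens -= packet_bits
            self.passed_bits[filter_id] = self.passed_bits.get(filter_id, 0) + packet_bits
            return True
        self.dropped_bits[filter_id] = self.dropped_bits.get(filter_id, 0) + packet_bits
        return False


def simulate(offered_bps: dict, shared: bool, limit_bps: int = 10_000_000,
             seconds: int = 1, packet_bits: int = 1_000) -> dict:
    """Bits passed per filter over `seconds`.

    shared=True  -> all filters bound to ONE action set (the FAQ's case).
    shared=False -> each filter gets its own action set of the same rate.
    """
    if shared:
        common = RateLimitActionSet(limit_bps)
        sets = {fid: common for fid in offered_bps}
    else:
        sets = {fid: RateLimitActionSet(limit_bps) for fid in offered_bps}
    # Packets each filter's traffic offers per tick.
    per_tick = {fid: bps // TICKS_PER_SECOND // packet_bits for fid, bps in offered_bps.items()}
    distinct_sets = {id(s): s for s in sets.values()}.values()
    for _ in range(seconds * TICKS_PER_SECOND):
        for s in distinct_sets:          # refill each bucket once per tick
            s.refill()
        # Interleave the filters so neither one starves the other within a tick.
        for i in range(max(per_tick.values())):
            for fid, count in per_tick.items():
                if i < count:
                    sets[fid].offer(fid, packet_bits)
    return {fid: sets[fid].passed_bits.get(fid, 0) for fid in offered_bps}


if __name__ == "__main__":
    # Constructed load: filters 164 and 161 each see 8 Mbps of matching traffic.
    load = {164: 8_000_000, 161: 8_000_000}
    print("shared 10 Mbps action set:", simulate(load, shared=True))
    print("one 10 Mbps action set each:", simulate(load, shared=False))
```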

Q: How many entries can the IPS System/Audit log hold? A: There is no specific number of entries that a System or Audit log can hold. There is, however, a specific log file size, which is defined as 4 Mbytes.

Q: Why do I see isValid errors in the IPS system log and what do they mean? A: There can be a number of reasons for these messages:
- Distributing the following filters to an IPS that is NOT an E-Series: 4127, 4129, 4143, 4144, 4146, 4147, 4150, 4968, 4971, 4974, 4979, 4980, 4981, 4982, 4983, 5240, 5241, 5242, 5244, 5245, 5246
- The SMS attempting to push a security profile to the ANY-ANY zone pair when that zone pair already has an existing security profile configured, i.e. all pairs are defined (1A-1B, 1B-1A, 2A-2B, 2B-2A, etc.), therefore the ANY-ANY pair can never be valid.
- A version mismatch between the Digital Vaccine on the SMS and IPS.
- A Custom Shield Writer (CSW) package issue (deactivating the CSW usually resolves this issue).

To resolve these issues, reset the IPS filters from the SMS client and then redistribute the profile. To reset the filters, log in to the SMS client and navigate to the Devices menu. Select the IPS that is posting the error messages and open the Edit Configuration window. On the first screen of the Edit Configuration window there is a Reset IPS Filters button. Click this button and then click OK on the pop-up. Once the Filter Reset is complete, push the profile back down to the IPS and it will stop posting the error messages. Note: Resetting the IPS filters will not cause a loss in network traffic; however, all custom Action Sets, Virtual Segment definitions and Traffic Management Rules will be lost. Resetting the filters causes the device to run with all filters set to recommended settings for the short amount of time between the completion of the reset and your redistribution of the profile.
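Because a filter reset discards custom Action Sets and Virtual Segments, it is worth catching the listed causes before distributing. The pre-check below is an added illustration, not SMS code: it applies the four causes above to a planned push. The filter ID list is the FAQ's; the profile/zone data structures, the `e_series` flag and the DV version strings passed in are assumptions.

```python
"""Pre-distribution check for the isValid causes listed in the FAQ."""
from __future__ import annotations
from itertools import permutations

# Filters the FAQ says log isValid errors when pushed to a non-E-Series IPS.
E_SERIES_ONLY_FILTERS = frozenset({
    4127, 4129, 4143, 4144, 4146, 4147, 4150, 4968, 4971, 4974, 4979, 4980,
    4981, 4982, 4983, 5240, 5241, 5242, 5244, 5245, 5246,
})

ANY_ANY = ("ANY", "ANY")


def directional_pairs(segment_count: int) -> set[tuple[str, str]]:
    """Every directional zone pair for N segments: (1A,1B), (1B,1A), (2A,2B), ..."""
    pairs: set[tuple[str, str]] = set()
    for n in range(1, segment_count + 1):
        pairs.update(permutations((f"{n}A", f"{n}B"), 2))
    return pairs


def precheck_distribution(*, e_series: bool, profile_filters: set[int],
                          target_pair: tuple[str, str], segment_count: int,
                          pairs_with_profile: set[tuple[str, str]],
                          sms_dv: str, ips_dv: str, csw_active: bool) -> list[str]:
    """Return the reasons (if any) this push is expected to log isValid errors."""
    problems: list[str] = []

    # Cause 1: E-Series-only filters headed for a non-E-Series device.
    e_only = sorted(profile_filters & E_SERIES_ONLY_FILTERS)
    if e_only and not e_series:
        problems.append(f"filters {e_only} are E-Series only; target IPS is not E-Series")

    # Cause 2: ANY-ANY when every directional pair already carries a profile.
    if target_pair == ANY_ANY and directional_pairs(segment_count) <= pairs_with_profile:
        problems.append("every directional zone pair already has a profile; "
                        "the ANY-ANY pair can never be valid")

    # Cause 3: Digital Vaccine versions differ between SMS and IPS.
    if sms_dv != ips_dv:
        problems.append(f"Digital Vaccine mismatch: SMS has {sms_dv}, IPS has {ips_dv}")

    # Cause 4: an active Custom Shield Writer package.
    if csw_active:
        problems.append("a Custom Shield Writer package is active; "
                        "deactivating it usually resolves the errors")
    return problems


if __name__ == "__main__":
    # Constructed scenario: non-E device, two E-only filters, matching DV.
    for line in precheck_distribution(e_series=False, profile_filters={100, 4127, 5246},
                                      target_pair=("1A", "1B"), segment_count=2,
                                      pairs_with_profile=set(), sms_dv="2.5.2.7687",
                                      ips_dv="2.5.2.7687", csw_active=False):
        print("isValid risk:", line)
```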

Q: Why is my vulnerability scanner reporting SSL and/or SSH vulnerabilities when scanning the IPS management port? A: TippingPoint's version of SSH advertises a version number of 2.0 so that it can interoperate with all SSH clients that support 2.0. It is a highly customized and hardened version that has been ported to VxWorks. There is no equivalent OpenSSH version number. The version of SSL that TippingPoint implements is based on OpenSSL 0.9.6b and is also customized, hardened and ported to VxWorks. It is important to note that the IPS is an in-line layer two device with no MAC address or IP address in the data path. TippingPoint recommends that all customers secure network access to the management port of their IPS as an additional precaution and as industry best practice dictates.

Also important to highlight is that Nessus and similar scanning tools typically read the version number and infer what potential vulnerabilities may be present. Only a tool that actually attempts to exploit a weakness could provide a meaningful statement as to the vulnerability of a product. Since the IPS is based on a customized version of VxWorks, it is not susceptible to common vulnerabilities that may be reported by a scanning tool.

Q: Where can I find the system log of my IPS? A: The system log of an IPS can be found via the CLI, LSM, or SMS. To view the system log via the CLI, SSH or serial console into the device and run the following command:
  show log sys
Other logs can be viewed using the show log command as well. To see all of the available logs and viewing options, type the following:
  show log ?
To view the system log using the LSM, log in to the HTTPS web page of the IPS and click on the System Log link under the Log Summary section of the System Summary page. You can also see the system log by expanding the Events menu on the left, expanding Logs and clicking on the System Log link. To find the IPS system log using the SMS client, click on the Devices button at the top of the client and expand All Devices, expand your IPS name and expand Events in the tree menu on the left. Then select System Log from the menu, choose the date range you wish to view and click the Refresh button.

SMS
Q: How do I find the Certificate Serial Number of my SMS? A: The Certificate Serial Number can be viewed by connecting via SSH to the device and running the following command:
  get sys
If the SMS is inaccessible, the Certificate Serial Number can also be found on a white sticker on the underside of the device.

Q: How can I recover the password to my SMS? A: The SMS provides a mechanism for password recovery. Please follow these steps:
1) Connect a monitor and keyboard directly to the SMS server.
2) Reboot the SMS and watch for the GNU GRUB menu that displays after the Grub: prompt.
3) When the prompt displays, press the Esc key.
4) Select the Password Recover option and press Enter.
5) When the SMS completes the boot sequence, the factory SuperUser account is reactivated and the password will be the Certificate Serial Number of your SMS.

Q: How do I perform a Factory Reset on the SMS? A: To perform a factory reset of the SMS, SSH into the SMS and log in using a SuperUser account. From the CLI, issue the following command:
  factoryreset
Note: Issuing this command will cause all information and settings on the SMS to be completely lost. The data must be backed up prior to issuing the command in order to be recovered. It is strongly recommended that you perform a complete SMS backup and export the file to a safe location prior to running this command.

Q: Where can I find the system log of my SMS? A: The system log of an SMS can be viewed using the SMS client by clicking the Admin button at the top and expanding General in the tree menu on the left. Select System Log from the menu, choose the date range you wish to view, and click the Refresh button.

Q: Can I rollback an SMS upgrade if I find issues with the new version?

A: No. Once an SMS has been upgraded to a new TOS version there is not a way to rollback the upgrade.

Q: If I have received an error message and am unable to distribute a profile to the IPS, how can I fix this? A: The number one cause of this issue has historically been poor network communication on the management ports of either the IPS or SMS due to a duplex mismatch with the network switch. Please check the management port settings on the IPS, SMS and their link partners to ensure that they match. Both sides should be set to Autonegotiate, according to best practices. If Autonegotiate does not work between the link partners, then set both sides to the same speed and duplex.

If this action does not resolve the issue, reset the IPS filters from the SMS client and redistribute the profile. To reset the filters, log in to your SMS client and navigate to the Devices menu. Select the IPS that is posting the error messages and open the Edit Configuration window. There is a Reset IPS Filters button on the first screen of the Edit Configuration page. Click this button and then click OK on the pop-up. Once the Filter Reset has been completed, push your profile back down to the IPS and the IPS will no longer post the error messages. Note: Resetting the IPS filters will not cause a loss in network traffic; however, all custom Action Sets and Traffic Management Rules will be lost. Resetting the filters causes the device to run with all filters set to recommended settings for the short amount of time between the completion of the reset and your redistribution of the profile.

Q: If the SMS loses contact with the IPS, will I lose the alerts from the IPS during that time? A: No. Alerts are stored on the IPS in the Block and Alert logs. Once communication between the IPS and SMS is re-established the alerts that occurred during the outage time will be retrieved from the IPS by the SMS.

Q: Why did I receive an error when trying to set up a rate limit for 50Kbps on my IPS? A: The SMS works at a policy level rather than a device level. Therefore, the SMS presents a uniform set of rates from 50Kbps to 1000Mbps. Some rates are not available on all devices. If you attempt to use a rate limit that is not available for a specific model of IPS you will receive an error message. The SMS User's Guide contains a table of the supported rates for each IPS model. This guide can be downloaded from the Threat Management Center at tmc.tippingpoint.com.

Q: I'm getting an error message that the connection to the TMC is refused. How can I fix this? A: To correct the TMC connection refused error, follow these steps:
1) Make sure that DNS is properly configured on the SMS or IPS.
2) The following websites and ports must be allowed through your firewall, proxy server or content filter:
  d.tippingpoint.com port 80
  i.tippingpoint.com port 80
  a1.g.akamai.net port 80
  tmc.tippingpoint.com ports 4043 and 443
3) Make sure that no proxy servers or content filters are altering or prohibiting the connection to TMC.
4) On very rare occasions this problem can occur due to RX errors. If you see RX errors in the System Log, check to make sure that any ports that are getting these RX errors are configured to match their link partner. If Auto Negotiate is not possible, then please make sure that the speed and duplex of the IPS port and its link partner match. Also verify that there is no damage to the physical layer connection.

DV
Q: Why are there so many different versions of the DV? Which one should I use? A: There are many DV versions because new filters are constantly being added to protect against the latest vulnerabilities. This means that you want to use the latest DV version available. The DV version number is the last 4 digits of the Digital Vaccine package name. In addition to the DV version number, the DV name contains a number that designates the base TOS that the DV should be installed on. The base TOS release number is the first 3 digits, separated by periods. The base TOS release numbers are 2.2.6 and 2.5.2. The 2.2.6 DV will only run on TOS 2.2.X and the 2.5.2 DV will run on TOS 2.5.X. To determine which DV package to install, find out what TOS version you are running on your IPS and what the latest DV version is. For example: if your IPS is running TOS version 2.5.4.6948 and the latest Digital Vaccine is 7687, you would download and install DV package 2.5.2.7687.
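The naming rule above is mechanical enough to script, and doing so avoids pushing a 2.2.6 package at a 2.5.X device (one of the DV mismatch situations that surface as isValid errors). The helper below is an added example, not TippingPoint tooling: the base-release table and the sample version strings are the FAQ's, while the function names and the `\d{4}` parsing rule for the DV version are assumptions drawn from its "last 4 digits" description.

```python
"""Select the Digital Vaccine package that matches a running TOS version."""
from __future__ import annotations
import re

# Base TOS release in the DV name -> TOS major.minor series it supports (from the FAQ).
DV_BASE_TO_TOS_SERIES = {"2.2.6": (2, 2), "2.5.2": (2, 5)}

# <base TOS>.<4-digit DV version>, e.g. 2.5.2.7687
_DV_NAME = re.compile(r"^(\d+\.\d+\.\d+)\.(\d{4})$")


def parse_dv_package(name: str) -> tuple[str, int]:
    """'2.5.2.7687' -> ('2.5.2', 7687); rejects names outside the known scheme."""
    m = _DV_NAME.match(name)
    if not m or m.group(1) not in DV_BASE_TO_TOS_SERIES:
        raise ValueError(f"not a recognised DV package name: {name!r}")
    return m.group(1), int(m.group(2))


def tos_series(tos_version: str) -> tuple[int, int]:
    """'2.5.4.6948' -> (2, 5): only major.minor decides DV compatibility."""
    parts = tos_version.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed TOS version: {tos_version!r}")
    return int(parts[0]), int(parts[1])


def dv_is_compatible(dv_package: str, tos_version: str) -> bool:
    """True when the package's base release matches the device's TOS series."""
    base, _ = parse_dv_package(dv_package)
    return DV_BASE_TO_TOS_SERIES[base] == tos_series(tos_version)


def choose_dv_package(tos_version: str, latest_dv_version: int) -> str:
    """Package name to download given the device's TOS and the newest DV number."""
    series = tos_series(tos_version)
    for base, supported in DV_BASE_TO_TOS_SERIES.items():
        if supported == series:
            return f"{base}.{latest_dv_version:04d}"
    raise ValueError(f"no DV base release known for TOS {tos_version}")


def newest_compatible(tos_version: str, available: list[str]) -> str | None:
    """From a mixed download list, the highest DV version that runs on this TOS."""
    usable = [p for p in available if dv_is_compatible(p, tos_version)]
    return max(usable, key=lambda p: parse_dv_package(p)[1]) if usable else None


if __name__ == "__main__":
    print(choose_dv_package("2.5.4.6948", 7687))  # the FAQ's worked example
```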

Q: Are filter specific settings preserved for filters that are modified in a DV? A: Filters that are overridden retain their filter specific settings even though they have been modified in a DV. The only time filter specific settings are not preserved is when a filter is actually removed by a DV. Note: If a filter is configured to use Recommended Settings and the DV modifies the default action for that filter, the action the filter takes will change.

Other
Q: Where can I get the Third Party Management MIB files? A: Third Party Management MIB files are available for download from our TMC website at the following locations:
IPS: https://tmc.tippingpoint.com/TMC/library/ips_product_documentation/254_ips_documentation/mib_files.zip.4
Core Controller: https://tmc.tippingpoint.com/TMC/library/core_controller/ccdocs/cc_mib_files.zip
SMS: https://tmc.tippingpoint.com/TMC/library/sms_product_documentation/300_sms_documentation

Q: How do I capture packets with the IPS? A: To use the IPS to capture packets, log in to the LSM, expand the Network menu on the left, click Tools, and then on the Tools window click the Traffic Capture tab in the top right. On the Traffic Capture window click the Create Capture File button. On the Create Traffic Capture window name the capture, select the Any -> Any virtual segment and then click the Start Capture button. To stop the capture, click the Stop sign button under the Functions column. You can then click the floppy disk icon and download the capture file. The capture file will include those packets that were sent to Tier Three for additional inspection (suspicious or malicious flows). TippingPoint recommends that you also have additional tools, such as Wireshark, available to capture traffic flows before and after the IPS in the event that the TippingPoint TAC needs to examine the effect of the IPS on the traffic flow for troubleshooting purposes. Note: Our current packet capture capability limits the capture to 10Mb of data or a maximum of 10,000 packets.

Q: What data should I backup for disaster recovery? A: For the most comprehensive backup protection we suggest regularly creating and saving IPS snapshots, SMS backups, and Security Profiles. Export each of these to a secure location external to the devices each time a change is made to one of your TippingPoint products.

Q: Where can I get the latest product documentation? A: The most current product documentation can be found on the TippingPoint Threat Management Center (TMC) website, located at https://tmc.tippingpoint.com. Log in to the website and click on the navigation link for documentation. Follow the menus to the appropriate product type and download the Adobe PDF file for the manual that you are seeking.

Q: How do I get an account for the Threat Management Center (TMC)? A: To create an account on the TMC, navigate to the following link in your browser: https://tmc.tippingpoint.com/TMC/ContentXtraRegister.jsp From here you can fill out the registration form and your account will be created. The form will require you to input your Customer ID Number and a valid Device Certificate Number. You can consult this FAQ for information on how to obtain this information. TippingPoint prefers that you use your corporate email account over a public email hosting service for your TMC account. Your information will not be shared outside of TippingPoint for any reason.

Q: What is ThreatLinQ and how do I get an account on it? A: TippingPoint created ThreatLinQ to collect and analyze information about the security posture of the Internet. ThreatLinQ presents this information to TippingPoint customers and acts as a portal for the DVLabs team to provide additional information about TippingPoint IPS filters. This information helps customers make decisions about how, why, and when to enable different TippingPoint filters. ThreatLinQ is also designed to provide TippingPoint customers with extra security information about Filter IDs and attack activity by country, TCP ports, and IP addresses. Because this data is concentrated in one easy-to-use dashboard, customers can access security information quickly and easily. Access to ThreatLinQ is available if you have an active Threat Management Center (TMC) account. To obtain a TMC account, follow the instructions in the preceding question's answer in this FAQ.

