ON PREMISES SOLUTIONS

Troubleshooting

Disabling the QUIC protocol

This topic provides steps for disabling the QUIC protocol in the Google Chrome and Opera browsers.

Overview

QUIC is the name of an experimental protocol; it stands for Quick UDP Internet Connection. The protocol supports a set of multiplexed connections over UDP, and was designed to provide security protection equivalent to TLS/SSL, along with reduced connection and transport latency.

Some websites are not filtered because they use the QUIC protocol. QUIC is not a standard SSL protocol, so the MITM (man-in-the-middle) traffic scan does not filter it: the certificate is not signed by the MITM.

  • To check if a website is using the QUIC protocol in Google Chrome, install the "spdy http2 indicator" extension.

  • To check if a website is using the QUIC protocol in Opera, install the HTTP Headers extension.
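A site can also be checked without a browser extension by reading the Alt-Svc response header it returns. The following is an added example, not part of the original article: it parses an Alt-Svc value and lists the QUIC alternatives and the UDP ports they use. The header values are constructed samples, and the function names are illustrative.

```python
import re

# ALPN tokens that mean QUIC: "h3", draft forms such as "h3-29", and the
# legacy Google "quic" token. Anything else (for example "h2") runs over TCP.
QUIC_ALPN = re.compile(r"^(h3(-[A-Za-z0-9]+)?|quic)$")
# Lookahead used to split on commas or semicolons that are not inside quotes.
OUTSIDE_QUOTES = r'(?=(?:[^"]*"[^"]*")*[^"]*$)'


def quic_endpoints(alt_svc):
    """Return [(alpn, host, udp_port, max_age)] for each QUIC alternative."""
    if alt_svc.strip().lower() == "clear":  # "clear" withdraws all alternatives
        return []
    found = []
    for entry in re.split("," + OUTSIDE_QUOTES, alt_svc):
        parts = [p.strip() for p in re.split(";" + OUTSIDE_QUOTES, entry)]
        alpn, sep, authority = parts[0].partition("=")
        if not sep or not QUIC_ALPN.match(alpn.strip()):
            continue
        host, _, port = authority.strip().strip('"').rpartition(":")
        if not port.isdigit():
            continue  # malformed authority, ignore the entry
        max_age = 86400  # RFC 7838: freshness defaults to 24 hours without "ma"
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "ma" and value.strip().isdigit():
                max_age = int(value)
        found.append((alpn.strip(), host, int(port), max_age))
    return found


def udp_ports_to_block(alt_svc):
    """UDP ports a deny rule must cover for this site's QUIC alternatives."""
    return sorted({port for _, _, port, _ in quic_endpoints(alt_svc)})


if __name__ == "__main__":
    # Constructed sample header values, not captured from a real site.
    samples = [
        'h3=":443"; ma=86400, h3-29=":443"; ma=86400',
        'quic=":443"; ma=2592000; v="46,43"',
        'h3="alt.example.test:8443", h2=":443"',
    ]
    for value in samples:
        print(value, "->", udp_ports_to_block(value))
```

An empty host in a result means the alternative is served by the same host as the origin. An alternative advertised on a port other than 443 is not covered by a rule that denies only UDP port 443.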

Disabling QUIC protocol in Google Chrome

The QUIC protocol can be disabled by using one of these procedures:

  1. Disable QUIC in Google Chrome:

    1. In the URL field, type "chrome://flags".

    2. Search for "Experimental QUIC protocol" and disable it.

  2. Use an Endpoint Security firewall rule.

    To create a Firewall Application Rule blocking Chrome:

    1. Open the policy currently running on the affected machines.

    2. Add an Application Firewall Rule for chrome.exe.

    3. Configure the Application Firewall Rule as follows:

      1. Add a rule name and an application path for chrome.exe.

      2. Under Settings, select the Any check box next to Local Address.

      3. Select the Any check box next to Remote Address and add port 443 next to Port or port range.

      4. Select UDP for Protocol, Both for Direction, and Any for IP.

      5. Under Network, select the Home/Office and Public check boxes. For Permission, select Deny.

      6. Click the Save button.

    4. Apply the modified policy on the endpoints.

Disabling QUIC protocol in Opera

To solve this issue, disable the QUIC protocol by using one of the following procedures:

  1. Disable QUIC protocol in Opera:

    1. In the URL field, type "opera://flags".

    2. Search for "Experimental QUIC protocol" and disable it.

  2. Disable QUIC protocol by using a firewall rule for Opera.

    1. In the GravityZone console, open the policy currently running on the affected machines.

    2. Go to Firewall > Rules > Add and select Application.

    3. In the configuration window, enter the path for opera.exe.

      The path should be: C:\Program Files\Opera\XX.X.XXX.XXX\opera.exe, where the folder XX.X.XXX.XXX is the currently installed version of Opera.

    4. Next to Local Address, select the Any check box.

    5. Next to Remote Address, check the Any box and add 443 for Port or port range.

    6. Save the changes and the policy.

Forcing re-synchronization of Active Directory and vCenter integrations in GravityZone

This section explains how to force re-synchronization of Active Directory and vCenter integrations in GravityZone Control Center.

GravityZone allows you to integrate with Active Directory and vCenter Server to reduce the effort of deploying and managing protection for physical and virtual machines.

Issue

In some cases, the Active Directory and vCenter inventories may not be visible in GravityZone Control Center because of a synchronization issue. To overcome this problem, you need to force the re-synchronization of each integration.

Out of sync GravityZone integrations

In this section, you will learn how to troubleshoot out-of-sync errors for several server infrastructure integrations with GravityZone.

Overview

GravityZone (on-premises version) integrates server infrastructure inventories. Errors can occur when the integration process encounters an issue that it is unable to resolve on its own.

You can receive out of sync error messages for the following integrations:

• VMware vCenter Server

• Citrix XenServer

• Nutanix Prism Element

• Active Directory

Out of sync error message

Actions

Invalid Credentials

This error message is triggered by outdated credentials.

To update your credentials:

1. Go to Configuration > Virtualization Providers.

2. Click the edit button to open the integration screen.

3. In the Authentication section enter your credentials.

4. Click Save.

Connection error

A disconnected network interface can trigger this error message.

Check network connectivity between GravityZone and your server infrastructure integration.

Host is slave

You will only find this error message in Citrix XenServer integrations.

Only one Master host exists per cluster; the other hosts are slaves. When the Master host fails, a Slave host becomes the Master.

Follow these steps to change the IP address to match the new Master host:

1. Go to Configuration > Virtualization Providers.

2. Click the edit button to open the integration screen.

3. In the Hostname field, type your new Master host IP address.

4. Click Save.

Certificate error

You will receive this error message whenever a certificate has expired.

To renew your certificate:

1. Go to Configuration > Virtualization Providers.

2. Click the edit button to open the integration screen.

3. Click Save.

4. Click Accept to renew your certificate.

Host is unknown to master

You will only find this error message in Citrix XenServer integrations. For more information, refer to the following Citrix KB article.

Insufficient user rights

This error message is specific to a scenario in which a user does not receive rights when you configure the integration.

Unknown error

There are many different types of failures that can affect the integration.

Open an email ticket to further investigate this error message.

Issues affecting the Active Directory integration with GravityZone

This section explains how to troubleshoot issues affecting the Active Directory integration with GravityZone.

Through Active Directory integration, the existing Active Directory inventory is imported into Control Center, simplifying security deployment, management, monitoring and reporting. Additionally, Active Directory users can be assigned different user roles in Control Center.

The most common error messages when configuring the Active Directory integration are related to:

  1. Connectivity between GravityZone machine and domain controller or DNS resolution issues.

    The GravityZone appliance is not able to resolve the name of the domain or is not able to reach the domain controller. Use the following steps to investigate this:

    1. Verify the network settings configured for GravityZone (especially the gateway and DNS servers)

    2. Make sure that the IP assigned to GravityZone is not being used by another device within your network

    3. Make sure the appliance can reach the domain controller on port 389, or on port 636 if you have SSL authentication enabled:

      # telnet dc_name port

    4. Make sure the appliance can resolve the domain name and domain controller name:

      # ping domain_name

      # ping dc_name

  2. “Invalid username or password” - The username and password couldn’t be validated.

    Please follow these steps to troubleshoot this:

    1. Make sure the username and the password configured in Control Center are correct (log in to a domain machine or domain controller with the same credentials or try using another account).

    2. If it is a new account created for the integration, the option “User must change password at next logon” must be disabled.

  3. If you are unable to save the AD settings, or the screen freezes after you press the Save button, connect via SSH to the GravityZone machine and check:

    • RabbitMQ service is started on the GravityZone machine:

      # service rabbitmq-server status

    • RabbitMQ cluster status:

      # rabbitmqctl cluster_status

    • Processors status:

      # ps aux | grep php

Should the above steps not resolve the issue, contact the Bitdefender Support Team, attaching full logs together with the outputs from the above commands. See "Troubleshooting: Using the GravityZone LogCollector".

Issues affecting the vCenter integration with GravityZone

This section explains how to troubleshoot issues affecting the vCenter integration with GravityZone.

Through VMware vCenter integration, the existing VMware vCenter inventory is imported into Control Center, simplifying security deployment, management, monitoring and reporting.

The most common error messages when configuring the VMware vCenter integration are related to:

  1. Connectivity between GravityZone machine and VMware vCenter/vShield Manager or DNS resolution issues.

    The GravityZone appliance is not able to resolve the name of the VMware vCenter or is not able to reach the domain controller. Use the following steps to investigate this:

    • Verify the network settings configured for GravityZone (especially the gateway and DNS servers).

    • Make sure that the IP assigned to GravityZone is not being used by another device within your network.

    • Make sure the appliance can reach the VMware vCenter on port 443:

      # telnet vcenter port

    • Make sure the appliance can resolve the domain name and domain controller name:

      # ping vcenter

  2. “Invalid username or password” - The username and password do not have vCenter Administrator permissions.

    Please follow these steps to troubleshoot this:

    • Make sure the username and the password configured in Control Center are correct (log in to vSphere Client with the same credentials or try using another account).

    • Make sure the user used for integration has vCenter Administrator permissions:

  3. If you are unable to save the vCenter settings, or the screen freezes after you press the Save button, connect via SSH to the GravityZone machine and check:

    • RabbitMQ service is started on the GravityZone machine:

      # service rabbitmq-server status

    • RabbitMQ cluster status:

      # rabbitmqctl cluster_status

    • Processors status:

      # ps aux | grep php

Should the above steps not resolve the issue, contact the Bitdefender Support Team, attaching full logs together with the outputs from the above commands. See "Troubleshooting: Using the GravityZone LogCollector".
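The connectivity checks in the Active Directory section (ports 389 and 636) and in the vCenter section (port 443) can be run as one script that separates a DNS failure from a refused or timed-out connection, which telnet and ping do not distinguish clearly. This is an added example, not Bitdefender code; dc_name and vcenter are the page's placeholders, and the function names are illustrative.

```python
import socket


def resolve(name):
    """Return the sorted IP addresses for name, or [] if it cannot be resolved."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, UnicodeError):  # DNS failure or invalid host name
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(host, port, timeout=3.0):
    """Attempt a TCP connection; return (True, "open") or (False, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "open"
    except socket.timeout:
        return False, "timeout (filtered or host down)"
    except ConnectionRefusedError:
        return False, "refused (host up, nothing listening)"
    except OSError as exc:
        return False, f"error: {exc}"


def diagnose(name, ports):
    """Map each port to "dns-failure", "reachable" or "unreachable: <reason>"."""
    addrs = resolve(name)
    if not addrs:
        return {port: "dns-failure" for port in ports}
    report = {}
    for port in ports:
        ok, reason = tcp_reachable(addrs[0], port)
        report[port] = "reachable" if ok else f"unreachable: {reason}"
    return report


if __name__ == "__main__":
    # Placeholders from the page: replace with the real host names.
    # 389 = LDAP, 636 = LDAP over SSL, 443 = vCenter.
    for name, ports in (("dc_name", [389, 636]), ("vcenter", [443])):
        for port, status in diagnose(name, ports).items():
            print(f"{name}:{port} {status}")
```

Name resolution is tested with a resolver lookup rather than ping, so a network that drops ICMP does not produce a false DNS failure.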

GravityZone On-Premises integration with Amazon EC2

This section presents the prerequisites and some basic troubleshooting steps for integrating GravityZone (on-premises) with an Amazon EC2 inventory.

As an Amazon EC2 customer, you can integrate the inventory of EC2 instances grouped by Regions and Availability Zones with the GravityZone network inventory.

Prerequisites
  • A company administrator account in a fully functional on-premises GravityZone console, able to communicate with the address of your specific AWS EC2 region:

    • ec2.[aws-region].amazonaws.com:44 (view the full list here)

  • An active AWS IAM service account with the following privileges:

    • Programmatic access (access / secret key)

    • IAMReadOnlyAccess

    • AmazonEC2ReadOnlyAccess for all required AWS regions

Troubleshooting

If you fail to create an Amazon EC2 integration in GravityZone, or the integration becomes out of sync, check the following possible causes and solutions:

Issue: The AWS account linked to the provided credentials is missing one or both of the required permissions (IAMReadOnlyAccess and AmazonEC2ReadOnlyAccess).
Solution: Access the AWS user roles and policies and add all the required permissions.

Issue: The recently modified AWS account user permissions have not yet propagated all across AWS, while creating the AWS integration in GravityZone.
Solution: Wait for a few minutes, and then try again to configure the integration.

Issue: The AWS policy linked to the AWS user account includes only a part of the specific regions (for example us-east-1, or us-east-1 and us-east-2). We only support integrations for AWS user accounts with access rights on all regions.
Solution: Apply the AWS user account with AmazonEC2ReadOnlyAccess permission for all the required EC2 regions.

Issue: Some Amazon EC2 regions are unavailable. GravityZone requires connectivity to all AWS regions when creating the integration or synchronizing the AWS inventory. When GravityZone cannot communicate with one or several regions, the integration fails or becomes out of sync. Possible reason: outage of the corresponding AWS regions.
Solution: Check the AWS regions status page and try again to create / synchronize the integration when the outage is solved.

Issue: Trying to create multiple Amazon EC2 integrations using the same AWS account. GravityZone supports multiple AWS EC2 integrations based on access and secret keys of different AWS accounts. It is not possible to create two Amazon EC2 integrations using the same AWS account, even when providing two sets of access and secret keys.
Solution: Use a set of credentials of a user created under a different AWS account, when trying to create another Amazon EC2 integration in GravityZone.

Issue: The provided secret and access keys are no longer valid or available, and the integration becomes out of sync.
Solution: Access the AWS account and create another key pair for the corresponding IAM user.

Issue: Your firewall is blocking the communication between GravityZone appliance and AWS.
Solution: Configure the firewall (or a proxy) to allow network access between GravityZone and AWS.