Knowledge Center

FAQs for Network Security Platform
Technical Articles ID:   KB75269
Last Modified:  10/29/2019


McAfee Network Security Platform (NSP)


Recent updates to this article
Date Update
October 29, 2019 Added "Is Auto-MDIX is enabled for the NS series RJ-45 for all monitoring port settings?" question to Hardware section.
Added "Why is a configuration update required when enabling or disabling monitoring port status?" question to Network Security Manager section.
October 8, 2019 Added "Does McAfee guarantee that NSP extracts the correct IP address...." question to General section.
August 1, 2019 Added "show wb stats command" question to Functionality section.
June 3, 2019 Added "Linux-Based Manager" section.
May 23, 2019 Added "How do I check error codes from MariaDB?" added to Functionality section.
April 29, 2019 Added "Can I back up and restore the NSM using the Windows Backup feature?"

Click to expand the section you want to view:

What is the NSP Lite signature set?
The NSP Lite Signature Set is a lightweight version of the signature set, moderated by McAfee researchers.
This set excludes the oldest signatures without exposing you to appreciable risk from modern day attacks.
Exclusion of older signatures allows you to continue updating your Sensors with the latest attack signatures while keeping Sensor memory usage relatively low.
The first Lite Signature Set was, released April 11, 2018.

The ARP: MAC Address Flip-Flop alert is only displayed at the CIDR interface level; why doesn't this alert show the subinterface name?
CIDR-based lookup for subinterface support is performed only for IPv4 packets (PTYPE = 0x800). Because ARP does not fall under this category, only interface classification based on port and VLAN level is recorded for ARP packets. This behavior is expected.

Can an FTP file transfer be blocked?
No. The Sensor cannot consistently block FTP file transfers. For FTP, blocking is performed on a best effort basis and is the result of a limitation in the FTP protocol.

File size information is not available for the FTP transfer, so the Sensor does not reliably know when the transfer is completed.
The only way the Sensor can determine the size is when the data connection is ended (TCP FIN is received). But when the connection is ended, the file has already been transferred.

Regardless of the attack result in Threat Analyzer, blocking is not supported in FTP file transfers, which is a limitation of the FTP protocol. The Sensor still extracts the file, analyzes it for malware, and raises alerts.

I want to remove and then reinstall a Sensor to the NSM; can I keep the old IP address, but change the Sensor’s name? What precautions and steps do I take before adding the Sensor back to the NSM?
Yes. You can keep the old IP address and change the Sensor's name. After you run de-install on the Sensor, the NSM will retain the state information and IP address associated with that Sensor’s name.

Under Add and Remove Devices, you must delete the old entry for the Sensor from the NSM before you add the Sensor back to the NSM. Deleting the old entry removes the state information and IP address associated with the old Sensor name.

NOTE: If you do not remove the old entry, you see issues such as the Sensor trace being generated under the old Sensor entry in the NSM.

What happens to alerts when the Network Security Manager is unavailable or the NSM and NTBA are unable to communicate? What is the alert log capacity in these scenarios?
NTBA stores the alerts if it is unable to communicate with the NSM. NTBA performs differentiation based on the alert type and any alert generated. If it is not sent successfully to the NSM, it is dumped to a local file on the NTBA.

The limit on the file size is 10 MB. If the file size exceeds the limit, new alerts are dropped. An average alert size is about 80 bytes, so the file can hold more than 100,000 alerts.

There is a continuity process that reads the file and sends the alert to the NSM. When the connection with NSM comes back up, the alerts are sent and the entry deleted from the file.

The Backup task in Running Tasks is listed as "Success", but if I back up and then restore the NSM configuration, the task is changed to Failure. Why? 

This change is as designed. When collecting backup data (All Tables or Audit Tables), NSM adds an audit entry for backup-in-progress. When the backup completes, NSM marks this audit entry as backup-success. But, the backup file includes the audit entry which is still backup-in-progress. On startup, the restored NSM marks all in-progress entries as Failure. NOTE: Even if labeled as a failure, there is no functional impact to the manager.

Does McAfee guarantee that NSP extracts the correct IP address from the XFF header in HTTP connections with pipelining?
No. NSP does not support request and response correlation when handling HTTP pipelining.

Does the Fail-Open Kit perform Auto-MDIX?
No. This action is a function of the Auto-MDIX feature of the McAfee SFP installed on the Sensor.

Does the Copper Fail-Open Kit operate the same as the Optical Bypass Single Mode (SM) and Multi-Mode (MM) Fail-Open Kits?
The FO Kit (Fiber bypass switch) does not cross TX/RX pairs. See the Gigabit Optical Fail-Open Bypass Kit Quick Guide for your Sensor/Sensor software version. This guide includes a diagram for proper installation and other installation and connectivity details.

After changing a 10/100/1000 Copper Active Fail-Open (AFO) Bypass Kit mode from inline to TAP mode, the AFO is power cycled. On reboot, the TAP mode has been disabled. Why?
The AFO is behaving as designed. The TAP mode settings are not saved to the AFO. When power cycling the AFO, the default setting, TAP mode Off, is restored.

What XFPs are supported on M-series Sensors?
Only the following XFPs are supported on M-series Sensors:

  • IAC-1550-CG1 (Extended Reach, Single mode, 1550 nm XFP)
  • IAC-1310-CG1 (Long Reach, Single mode, 1310 nm XFP)
  • IAC-X850-CG1 (Short Reach, multimode, 850 nm XFP)

IMPORTANT: Third-party XFPs are not supported.

Is a fail-closed dongle needed to configure the monitoring ports on the M-1250 and M-1450 Sensors in fail-closed or SPAN mode?  
No. Unlike with I-series Sensors, you do not have to put in fail-closed dongles on the monitoring ports of the M-1250 and M-1450 Sensors even in fail-closed or SPAN mode. The dongle functionality is now incorporated into the monitoring ports themselves.

The NS7x00 Sensor's maximum power consumption is 250 W; why is the supplied PSU rated at 650 W?
McAfee uses this 650W PSU because of form factor requirements for the NS7x00 series appliances.

What is the initial link status of the M-8000 Sensor interconnect ports?
The M-8000 has three interconnections present on the primary and secondary Sensors:

  • Primary Sensor: XC1(Copper interface), XC2(10G interface), and XC3(10G interface)
  • Secondary Sensor: XC4(Copper interface), XC5(10G interface), and XC6(10G interface)

When the Sensor starts for the first time, the XC1 and XC4 links are UP. The XC2 and XC5, and the XC3 and XC6 links are DOWN, until the first sigset is downloaded.

When the Sensor interfaces are configured as Inline, is there any cross talk between ports when traffic passes through the Sensor?
No. The Sensor does not perform any switching or routing of traffic. The two interfaces that are grouped as an interface pair, such as 1A/1B or 2A/2B, are bound to each other in a fixed manner. Incoming traffic on an interface, for example 1A, can leave the Sensor only on the matching interface, for example 1B, of the pair. This fact is a fundamental design factor in the Sensor software. Because the Sensor does not make any routing or switching decisions, there is no support in the Sensor for forwarding of packets to any other interface on the device.

Can I use a fiber GBIC and a copper GBIC inline on the same interface pair of the Sensor?
No. You cannot use different GBICs on the same interface pair.

Can the Sensor support an EtherChannel comprised of two connections of different SFP+ modules (SR and LR Fiber connections)?
Yes. The Sensor can support an EtherChannel comprised of these connections.

Does the Sensor support external copper bypass switch configuration on RJ-45 ports?
Yes. Currently, the external copper bypass switch can be configured on RJ-45 ports, provided the port is configured to fail-closed mode on the following Sensor models:

  • NS9300
  • NS9200
  • NS9100
  • M-2950
  • M-2850
  • M-1450
  • M-1250
Use the following steps to configure fail-closed mode:
  1. In the Manager, select Device ListSensor NamePhysical SensorPort Settings.
  2. In Monitoring ports, select the numbered port to be configured.
    You see the Configure Monitoring Port window displaying the current port settings.
  3. In the Operating Mode drop-down list, select In-line Fail-Closed(Port Pair).

    NOTE: The status of the external copper bypass switch is not displayed in the Manager. Similarly, the status is not displayed by executing the show intfport command from the Sensor CLI.
Can I obtain the serial number of the Sensor power supply (PSU) from the command line (CLI)?
No. Currently, there is no command that lists the Sensor serial number.

After I unplug the network cable from a Sensor port, the port is disabled. Does the port need to be re-enabled through the Manager?
Yes. This design is intentional. Because the Sensor does not know the reason for the port "failure," it is marked as disabled, and after the link failure is resolved, you can re-enable the port.
If the Sensor tried to automatically bring up the port, you might experience a network flap, the port would be brought up, fail, and then be re-enabled without the underlying issue being resolved.

Can I change this behavior?
You can change this behavior if there is a Passive Fail-open kit in use (external or built-in).
For further information, see the information about the setfailopencfg restore-inline command in the CLI guide for your release.

Can the failover Sensor function in an active-active setup or does it function in active-standby with the heartbeat triggering the failover action?
NSP Sensors are always Active-Active; the failover cable always copies all traffic from each Sensor to the other, which allows traffic to always flow, even if there is a failure.

Do Sensors routes traffic?
No. Sensors do not participate in the routing or failover of traffic; the network switching and routing architecture performs this action.

Can I convert a Failover (FO) appliance to a Spare?
No. This action is not possible. You can upgrade an FO model to a Standard model, but you cannot downgrade an FO model to a Spare. For more information talk to your sales contact.

What are the default settings for my NSP Sensor or other hardware?
Hardware Baud Rate Data Parity Stop Flow Control Default user Default password SSH port
M-series 38400 8 None 1 None admin admin123 22
N-series 38400 8 None 1 None admin admin123 22
NS-series 115200 8 None 1 None admin admin123 22
NTBA 9600 8 None 1 None admin admin123 22
XC240 115200 8 None 1 None admin admin123 22
AFO Kit 19200 8 None 1 None McAfee McAfee N/A

Is Auto-MDIX is enabled for the NS series RJ-45 for all monitoring port settings?
No. If you disabled Auto-Negotiation setting on 10Mbps or 100Mbps port speed, Auto-MDIX won’t work.
This is due to the current design of the NIC interface.

Back to top
What is hitless Sensor rebooting?
NSP now supports hitless rebooting and upgrading, which reduces the time needed for a Sensor to reboot, and prevents traffic interruption.

How does a hitless reboot work?
A hitless reboot restarts only select processes on the Sensor. The Sensor enters Layer 2 pass-through mode and reboots while the data path continues to pass traffic. The reboot time is also considerably reduced because the entire Sensor is not brought down.

Under what conditions does a hitless reboot occur?
The Sensor always tries a hitless reboot if it has to recover from internal errors. You can also initiate a hitless reboot from the Sensor command line or the NSM. If a hitless reboot is not possible, a notification is sent to the Manager and a full reboot occurs.

Are all Sensor upgrades hitless upgrades?
It depends on whether the Sensor software change requires a full reboot. When the Sensor upgrade is complete, you see the option for a hitless reboot depending on the software version.

What are the limitations of a hitless reboot?
The hitless reboot is not supported in upgrades when there is an internal switch or kernel level change in the software code. Also, if the Sensor cannot recover from internal errors and three auto-recovery attempts are made in a span of 15 minutes, one of two things happens. At the next auto-recovery attempt, the Sensor either remains in Layer 2 or performs a complete reboot.

What are some of the common causes for hitless reboot failures?
The hitless reboot fails if the data paths on the Sensor fail to initialize, and if they do not report a ready status.
Back to top

How often do the Sensor and Manager exchange information to verify that the Sensor is up?
The polling interval is usually every two minutes; but, when the Sensor detects a failure, the polling interval is reduced to every 30 seconds. This reduction is done to avoid issues such as a lost packet causing a failure alert. If the Sensor is still unreachable after 10 minutes, the polling frequency reverts to its normal value of two minutes.

 How much data transfer does this poll cause?
The poll is performed via an SNMP UDP packet and four MIB variables are polled. The entire SNMP application request payload is around 100 bytes.

How long does it potentially take before the Manager flags a Sensor as disconnected in System Health?
Because the initial poll is done every two minutes and the normal time-out is 60 seconds, the best case for indication of a failure is 60 seconds. But, it could be as high as 180 seconds (120 + 60).

Why are Manager action settings enabled immediately without a configuration update?
When a system administrator changes any action settings for the Manager (such as Auto ACK, SNMP, and Syslog) on the Policy Editor, a configuration update is required. But, these settings are enabled immediately without it. This behavior is as designed. The current NSP design tracks configuration changes at the granularity of the policy, and any changes to the policy indicate that a signature file push is required for the Sensor. Considerable efforts have been made in NSP to improve the signature file update for the Sensor with the introduction of caching and incremental update. The current plan is to concentrate on improving signature file push efficiency, and not on tracking policy changes at a higher granularity.

Enabled immediately items Attack Severity*; Notifications; Email, Script, Auto Ack, Pager, SNMP, Syslog
Configuration Update necessary items Attack Severity*; Sensor Actions; Logging

*Attack Severity changes are used by both the Manager and Sensor. The Manager part, such as severity changes shown in Threat Analyzer, takes effect immediately. The Sensor part, such as for NAC, requires a Sensor update.

Can I install the NSM appliance software using the appliance RMM software?
No. Using the NSM appliance installation DVD with the appliance RMM software is not supported. If you use the NSM appliance installation DVD with the Intel RMM software provided with the appliance, you might see unexpected and undesirable results.

The installation media interface must be accessed using a keyboard and mouse plugged directly into the server at the server location.

Can I aggregate or combine multiple NSM licenses in a single installation? For example, if I have a standard license, can I buy a starter pack to achieve 8 managed devices? 
No. NSM licenses are not cumulative. To manage more than six Sensors from a single NSM, you must purchase a Global NSM license.

After I upgrade the Manager, I see a Sensor update process that has not been manually actioned. Sensors do not show any active download when the downloadstatus command is run, and the latest Signature Set is present on the Manager. If I reboot the Manager, the update process eventually restarts, the Ems.log does not show any clear push, and the Audit log shows no user activity pushing an updated configuration to the Sensors. What is the cause of this update process?
After a Manager upgrade, the NSM compiles the latest Signature Set and automatically pushes it to the Sensors.

NOTE: This update fails if the Sensors already have the latest Signature Set.

How can I set a proxy for yum updates on an MLOS-based NSM appliance?

  1. Open an NSM command-line session.
  2. Type sudo vi /etc/yum.conf and press Enter.
  3. Navigate to the [main] section.
  4. Add the following lines under the [main] section:
  5. Type :wq

Can I back up and restore the NSM using the Windows Backup feature?
McAfee has not tested using Windows backup to back up and restore an NSM installation and cannot guarantee if it works. If this backup feature does not work correctly, contact Microsoft support.

Why is a configuration update required when enabling or disabling monitoring port status?
To improve performance, internal Alert Filtering setting is applied or removed when you enable or disable its port status.
The configuration push is required because this change needs to be applied to the Sensor.
The internal alert filtering takes care of the ignored attacks, so if the configuration change is not pushed, the NSM will receive unwanted alerts.

Back to top
How do I enable the Real-time Threat Analyzer in NSM 8.3 and later?
For NSM 8.3 and later, Threat Explorer has replaced the Real-time Threat Analyzer. If you must enable the Real-time Threat Analyzer, perform the following steps:
  1. On the Manager server, use Windows Explorer to navigate to: C:\Program Files\McAfee\Network Security Manager\App\config.
    NOTE: This path might be different if you installed NSM on another location.
  2. Locate the ems.properties file and open it using Windows Notepad.
  3. Add the following entry:

  4. Save the file and restart the NSM service.
NOTE: RTTA is only partially supported in later versions of NSM. McAfee will not enhance the analyzer or fix issues. This part of the product is as supplied.
How do I import previously exported ignore rules?
To import previously exported ignore rules to NSM 8.3 and later, select PolicyIntrusion Prevention, AdvancedPolicy Import, Ignore Rules.

How do I import previously exported custom attacks?

This functionality is updated in NSM 8.3. To import previously exported custom attacks, select PolicyPolicy TypesIPS PoliciesCustom AttacksOther ActionsImport.

Can the Sensor send netflows to third-party NetFlow analyzers or just NTBA?
No. The NetFlow data generated by the Sensors are not standard NetFlow; they are in a proprietary McAfee format and so, only NTBA can process them.  

Can I change the port NSM uses for communication to the configured email server?
No. By default, NSM uses TCP port 25 for communication to the email server. You cannot change this port.

Back to top

Why are Sensor log files encrypted?
The Sensor log files are primarily designed to log information that Technical Support and Development teams need for troubleshooting, as needed. Because the primary audience for these files is internal to McAfee, the files can sometimes contain details that are internal or propriety in nature. So, they must be encrypted. NSP does provide all critical events that you need to know using the Sensor CLI commands. McAfee welcomes you to submit PERs for any information you require, but is not currently available. These requests are then consolidated into subsequent NSP maintenance releases.

How does the Sensor handle traffic for hosts that have been quarantined?
The IPS Quarantine feature allows the Sensor to quarantine noncompliant hosts while providing access to remediation. With IPS Quarantine enabled, when an attack is detected on a Sensor inline monitoring port, the Sensor creates a quarantine rule for the source IP address of the host. But it creates a quarantine rule only if the host is not listed in the NAC exclusion list. The Sensor never blocks traffic from hosts in the NAC exclusion list. If the host is not in the NAC exclusion list, it is placed in the quarantine table for a specified length of time.

The Sensor checks all traffic that passes through the ports against the quarantine table and blocks any packets sent from quarantined hosts. This check prevents noncompliant hosts from harming other systems on the network. You can configure an IPS Network Access Zone with specific IP addresses that the host is allowed access to while it is quarantined (for example, the remediation portal or DNS server). This fact allows the quarantined host to access remediation materials without compromising the overall security of the network. A host can be added to the quarantine table by matching a NAC policy or by matching a signature that has the quarantine response option enabled.

How can I force/change the Sensor DOS detection into the learning mode?
Select Denial of Service, Data Management, and select Rebuild DoS Profile (start the learning from scratch).

Does NSP compensate for network latency during time synchronization?
No. NSP does not compensate to address network latency issues during time synchronization.

If there is a 100-msec network delay between the Sensor and the Manager, the Sensor time would be 100 msec slower than the actual time on the Manager. The Sensor has an internal clock obtaining its time setting from the Manager so that the Sensor and Manager stay synchronized. If the Sensor loses the connection with the Manager, the internal clock periodically updates the time on the Sensor. The time delay between the Sensor and the Manager would be the network latency delay between that specific Sensor and the Manager. Longer or shorter delays might exist between the Manager and other deployed Sensors.

The Sensor writes the time to its own flash memory because the Sensor does not have a battery backup clock. If there is a power outage, when the Sensor reboots and comes back online, the possibility exists that the Sensor might be unable to connect to its associated Manager immediately. In this case, the Sensor uses the last time it saved in flash. This situation is the only time the Sensor retrieves the time from flash; otherwise, the time saved in the flash is of no relevance.

When the NSM is installed with two Managers configured in Manager Disaster Recovery (MDR), both Managers must be updated with Sensor alert data. How do the Sensors communicate to the NSM to update the alert information?
The Sensor tries to send alerts to both NSMs in an MDR configuration. If the alert was sent successfully to one NSM, you can remove the alert from the Sensor buffer. If the Sensor cannot send the alert to either of the NSMs, it is saved in the Sensor buffer. The Managers synchronize their databases with each other to update any alerts that might not have been received on the other Manager when they communicate the next time. Each alert is tagged with unique attributes to aid in the synchronization between the Managers.

How do the IPS Quarantine and Access Control List (ACL) features in NSP differ?
  • The IPS quarantine rules are processed independently from, and evaluated before, ACL rules.
  • An IPS quarantine rule drops all traffic from a source IP address, whereas an ACL rule can be more specific to the type of traffic that is dropped.
  • IPS quarantine rules are created dynamically. You must explicitly add ACL rules when you create a policy.
  • You can dynamically remove IPS quarantine rules after a predefined amount of time. You must remove ACL rules explicitly via a policy update.

How are botnet attacks displayed in the Threat Analyzer?
When traffic is encountered, the addresses are looked up against the botnet DAT file to determine if an IP address or domain name is a known botnet address.

If the data is matched, an alert is triggered and the Command and Control (C&C) IP address or domain is marked as an attacker. The attacker address is put in the source IP column in the Threat Analyzer. The address of the host that is connecting to the C&C address is labeled as a victim. The victim appears in the destination IP address column in the Threat Analyzer.
The direction of the flow is based on who initiated the connection and indicates whether the initiating flow was inbound or outbound.

Why are Low and Informational alerts not shown in the Real Time Threat Analyzer (RTTA)?
This behavior is as designed. Use the Historical Threat Analyzer to view Low and Informational alerts.

I can configure attacks to be blocked in the Policy Editor, so why does the Sensor send an alert to the Manager even if 'Send Alert to the Manager' is deselected for the attack?
This behavior is as designed. Because the attack is blocked, the Sensor sends the alert regardless of the Send alert to the Manager setting so that the administrator is notified of which Sensor blocked the attack.

In RTTA, the DoS Analysis section of the alert details screen for the alerts Inbound/Outbound UDP Packet Volume Too High shows the DoS IP Range and Top 3 Attack IP Ranges. Why is this section sometimes blank without IP Range information displayed?
This behavior is as designed. When the Sensor sees the attack, it immediately starts IP address collection. The Sensor waits for a period before raising the alert to also report the IP address information. But, if the attack stops immediately afterward, the Sensor does not obtain any IP address information and raises an alert without the IP address.
Why does the SYN cookie not work when there is MPLS traffic on the network?
The SYN Cookie cannot be supported on MPLS traffic because NSP does not know what MPLS Tag to use in the return direction when the Sensor proxy responds to the SYN packets.

Does the Sensor prevent a possible SYN flood when you enable the SYN cookie on a Sensor where one port is configured in span to see MPLS traffic and the other is configured inline and does not see MPLS traffic?
Yes. The SYN cookie continues to work for normal traffic on the inline port pair.

Can I use the SYN cookie if I use a VLAN tag in traffic? For example, if all traffic contains a VLAN tag and the Sensor sees traffic only from one VLAN but does not receive traffic from any other VLAN, does the SYN cookie still work? Or, should the VLAN tag not be present at all on the inline traffic for the SYN cookie to work?
The SYN cookie works for VLAN tagged traffic. Even a mix of VLAN and non-VLAN tagged traffic works. There are some restrictions if the packets return via the same interface again.

Can the total of all traffic, both Ingress and Egress, at any given instance in time be greater than the inspection capabilities at a given Sensor (for example, NS9100 is 10-Gbps IPS performance)?
No. The inspection capabilities are common or shared to all ports of the Sensor. It is these inspection capabilities that determine the rated capacity of the Sensor.

What is the difference between “Recon Correlation attack” and “Recon signature attack”? Are both of these Recon attacks part of “Default Recon policy”?
It depends on the NSP/NSM version being used. For 8.1, both IPS policies and recon policies are used. The IPS policies contain the signature-based attacks, and the recon policies contain the correlation-based attacks. 
But, from 8.2 onward, recon policies no longer exist and both the signature-based and correlation-based recon attacks are found in the IPS policies.
To differentiate them in the IPS policy editor, McAfee has introduced specific Attack Categories (Reconnaissance Correlation Attack and Reconnaissance Signature Attack) for each.

The web browser of a manually quarantined host does not display a quarantined message or advisory and does not offer a redirection to the remediation portal. Why not?
When you configure a Sensor to display a browser message on a quarantined client or redirect it to a remediation portal, it is implemented only for hosts quarantined automatically by the Sensor. This behavior is by design. When a user manually quarantines a host from Threat Analyzer, the browser message or remediation portal is not offered, and the only action taken is that the host is placed into the corresponding quarantine zone.

Will the Sensor detect an EICAR test file downloaded over HTTP?
Yes. NSP detects the latest EICAR antimalware test file. You must download the eicarcom2 test file from: http://www.eicar.org/.
NOTE: Older versions of the test file might not be detected.

What network packet loss is seen, when using the Sensor fail-open, if the Sensor is rebooted or suffers a power fluctuation?
When a Sensor reboots or some other failure occurs, the link that connects the devices on either side of the Sensor is broken. This breaking of the link, causes some networking devices to renegotiate, and, depending on the networking devices, this renegotiating can take time to complete. 
During the negotiation time, no link is present, and any applications that do not resend packets or have a short timeout, might fail to communicate. Usually, a small packet loss occurs because the relay begins to switch to fail open. Depending on the specific networking equipment in your environment, the disruption could range from a couple of seconds to more than a minute. The same is true when moving a Sensor back into in-line mode, after it has been failed open.

What is the Network Security Platform fail-open kit heartbeat interval and what happens when the signal is lost?
During normal Sensor in-line fail-open operation, the fail-open controller or built-in control port supplies the heartbeat and power signal to the bypass switch. The signal is pre-programmed with a four-second interval. If the signal is not presented within its four-second interval, the fail-open kit removes the Sensor from the data path and moves to bypass mode.

What is the synchronization process between the NSP Manager and Sensor?
  1. The Sensor periodically sends a time request over the Control or Alert Channel, for synchronization purposes. 
    The Sensor uses port 8502 or 8507, the Alert Channel.
  2. The Sensor asks the NSM for the time every 30 seconds.
    NOTE: The Sensor asks only if the Alert Channel has no alerts or system events to send to NSM for the above duration. If the channel is active, the time sync is already being maintained.
  3. Every 10 minutes this synchronized time is written into the Sensor's flash memory.
Can I remove or uninstall Java from the NSM server?
No. Java is still required on the server hosting the NSM. The server runs a java.exe process taking 2gb of memory or more, depending on your installation settings.

Does NSP offer built-in HIPAA compliance reports?
There is no in-built compliance based reporting available on the NSP platform. McAfee recommends the Event Reporter Appliance as it is supplied with preconfigured reports.
Further information about the Event Reporter Appliance is available from your McAfee sales contact.

What changes are made to the Sensor settings when an attack is added back into the NSP signature (sigset)?
The returned signature retains the settings you applied before the signature was removed.
For example, if you change the severity to Medium from High before the attack is removed, you see this setting recovered and applied after the attack is added back.
NOTE: The attack is Enabled even if you disable it.

Which default Identity-Based Access Control policies cannot be deleted in NSM?
You cannot delete the following policies, but you can edit their settings to specify if System Health is considered when granting network access, and the actual level of access to grant:
  • Default
  • Guest User
  • Self Registered
Can I create an ignore rule and not add any attack name?
No. Ignore rules must have an attack name, because the Sensor cannot otherwise understand this type of alert filter.

How can I exclude a specific IP address from inspection?
Add a Firewall rule with the action set to Stateless Ignore. This action forwards all packets that match the rule without performing any inspection, except for the FW rule lookup/match.

Can I implement active-active high availability using NSP Sensors?
The Sensor is always active-active high availability; it is the peer network devices that determine if the Sensor is being used as active-passive (one network path is blocked) or active-active.

I create Ignore rules to ignore Reconnaissance attacks (scans from vulnerability scanners) with the internal network as source (Attacker), and Any as Target; but I still see alerts in the RTTA. Why? 
Using Ignore Rules is the wrong way to address vulnerability scanners. Instead, add an Access Rule to the Firewall Policy to ignore all traffic (use Stateless Ignore) to the Vulnerability scanner and another rule for all traffic from the scanner (two rules).

Does the NSP UDS editor support the NOT operation?
No. The UDS editor does not support the NOT operation. The Sensor pattern matching acceleration hardware would have to perform string matching on all strings other than the one specified with the NOT expression.
McAfee recommends that you do not perform this type of search because it can cause severe performance issues and is not an efficient solution.

Does the UDS editor support wildcard character searches?
No. Wildcard character searches are not supported because using only a wildcard in a search would cause it to retrieve all records from the database.

Can the DCOM service be turned off on the Server hosting the NSP?
Yes. The DCOM can be turned off without affecting the running of the NSP Manager. For information about disabling the DCOM service and the implications for other programs and services, go to http://support.microsoft.com/default.aspx?kbid=825750.

How do you detect a single space character using the UDS editor?
If you have to detect a single space in an expression, for example, xyz xyz, you can perform the string search by typing xyz xyz. McAfee recommends that you do not search for just a single space or short strings because it can cause performance issues and generate false positives.

How do I check error codes from MySQL?
In MySQL, you can check the error codes generated by using the perror command. Open a command-line session (click Start, Run, type CMD and click OK), and from the mysql\bin directory, type the command perror <error code> and press Enter. For example, perror 28 Error code 28: No space left on device.

How does the NSP Manager or Sensor define internal or external addresses for alert filters?
Internal or external addresses are defined according to the configured mode:

  • TAP/INLINE mode: Under port configuration, specify which port is inside and which is outside. The alert filters use the same specifications to define internal or external, respectively.
  • SPAN mode: To detect and mark internal/external for SPAN, the user must configure CIDR-based VIDs. If there are no CIDR-based VIDs, the Sensor marks the packets as unknown.
Why do bidirectional DoS Alerts not include a Packet Rate tab?
The Packet Rate tab is not present for Statistical DoS Alerts categorized as bidirectional because:
  • These statistical alerts involve more than one packet type.
  • The volume of packet flow between the two directions is different.

What is the difference between Successful and Maybe Successful in the Threat Analyzer Attack Result Status?
To determine if an attack is successful or not, NSP covers both the detection and post-detection aspects of the attack. NSP identifies whether the attack is successful based on the responses seen on the wire:

Successful Attack is successful
Maybe Successful Unknown results, NSP cannot determine if the attack succeeds or not
Can Network Security Platform identify the True-Client IP address of traffic from Content Delivery Network such as Akamai?
Yes. By enabling X-forwarded-for (XFF) options, Network Security Sensor can detect and block attacks based on True-Client-IP.
NOTE: This functionality is applicable for HTTP only.

Does NSP support using the private keys embedded in the SHA-2 signed certificate?  
Yes. SHA-2 signed certificates are supported. The inbound SSL decryption feature only performs a raw-data match of the server certificate, and does not validate the certificate. So, NSP can decrypt using the private keys embedded in the SHA-2 signed certificate.

When you run the command clrstat to clear the Sensor statistics, then run the command show sensor-load, the Sensor-load lists a high value such as 90%. It can list this value even when there is almost no traffic passing through the Sensor. Why? 
This behavior is by design. The clrstat command clears the counters used to calculate the load on the Sensor. To allow the Sensor to generate up-to-date counters and the accurate load to be reflected, wait for about 20–30 seconds and run show sensor-load again.

Is TIE and DXL integration supported on all Sensor models?
No. These features are supported only on NS-series Sensors.
Can I block files by uploading MD5 file hashes to NSP?
Yes. This NSP feature does not require the creation of a custom attack definition. The NSP Sensor maintains both a blacklist and a whitelist of hashes, and applies these hash values to files extracted from HTTP, SMTP, and FTP flows when instructed to do so by malware policy.
For instructions on how to import a hash value, see the "Advanced Malware Policies" section of the IPS Administration Guide for your release.

Can I use a Sensor response port to connect the Sensor to my NTBA Appliance?
No. You cannot use the response port as a monitor port.

How does NSP determine the file type for Advanced Malware Policy?
NSP uses a combination of content type, file extension, file properties, and proprietary McAfee technology.

When the Sensor blocks an attack packet, why does NSP not retrieve its X-Forwarded-For (XFF) header information?
When the NSP Sensor blocks an attack packet, it cannot view the Forwarded Layer7 information. This behavior is as designed.

If I create a custom UDS, is this UDS placed above all other signatures, or is it placed at the end of all other signatures?
A Custom UDS helps with the definition of the attack/signature and is added to the list of all attacks. But, there is no order for attack detection, unlike firewall ACL rules.

In the Top 10 Attack Source Countries report, one of the entries is titled AP - what does this stand for?
This title is used when the specific country of origin is not known. For further information, see: http://dev.maxmind.com/geoip/legacy/codes/iso3166/

Can NSP submit PNG, JPG or other picture type files to ATD for scanning?
NSP cannot extract picture files from flows. These files can be part of a .zip file that NSP extracts and sends to ATD, but, NSP does not extract standalone picture files.

Why do I see DNS queries originating from the Sensor? 
You see this traffic when you configure a firewall rule and specify a host name as the source or destination address.
The Sensor sends DNS queries on UDP port 53 to the specified DNS server assigned to the Sensor for these host names. 
This behavior is by design. 

What Sensors support integration with the McAfee malware analysis cloud service, Cloud Threat Detection (CTD)?
The N/S series of Sensors support this functionality. For more information about configuring NSP integration with CTD, see:

Can I import a pcap file to the NSM or Sensor to be analyzed by the configured policies or simulate traffic passing through them?
No. You must set up a TCPReplay to capture the attack and then replay it.

What is Application Identification?
Application Identification functionality, allows the Network Security Sensors to identify the applications in your network and act on them.
This feature can be enabled on specific Sensor ports, including an individual port that is part of a pair. This functionality gives you more control over the type and direction of monitored traffic.

What is the impact on Sensor performance?
If Application Identification is applied to all traffic that passes through the Sensor, it could potentially decrease Sensor throughput by about 10%. The actual Sensor throughput varies, based on the type of traffic.
This process is resource-intensive and must be enabled only when required.
For more information about enabling this functionality, see the Network Security Platform Manager Administration Guide for your release.

How do I check error codes from MariaDB?
To check the error codes generated, use the perror command.

Open a command-line session (click Start, Run, type CMD and click OK).
From the MariaDB\bin directory, type the command perror <error code> and press Enter.
For example, perror 28 Error code 28: No space left on device.
NOTE: For upgrades, the default location is the previous database installation directory.

Why does the count displayed using the show wb stats command rise even though the white and black lists are empty?
The WB hash count rises due to hashes included in the DAT (Callback Detectors) file. When downloaded to the NSM, this file is pushed to the Sensor and increases the WB hash count.
These hashes are developed by McAfee to address attacks and vulnerabilities but are not listed in the NSM GUI.
IMPORTANT: This behavior is as designed.

Back to top
Why can't I access NSM from a non-English language mobile device?
NSM does not work correctly if you access NSM from a non-English mobile device because only devices set to English language are supported. To access the Manager, change the operating system language setting to English.

What version of Nessus does NSM support?
Nessus reports generated using Nessus 4 and Nessus 5.x scanners import successfully into NSM. If the generated report contains Host IPs as fully qualified domain names (FQDNs) or NetBIOS names, NSM fails to resolve the target Host IPs in the report. It also fails to import vulnerabilities for those hosts to the Manager database. A Nessus 4 or Nessus 5.x report in .nessus format, containing valid host IP addresses in dotted format, successfully imports to the Manager database.

Why can't the Sensor detect any attack when traffic is PPPoE encapsulated? 
PPPoE is not supported. The Sensor forwards all PPPoE encapsulated packets, without any detection. This behavior is by design.

When NSM is configured to auto-deploy downloaded sigsets to all devices, auto-deployment works for NSP Sensors but not Network Threat Behavior Analysis (NTBA) Sensors. Why?
Auto-deployment for NTBA is supported in NSM 8.1 and later. To implement auto-deployment, upgrade to NSM or later.

Is GTP parsing supported for M-series Sensors?
No. GTP parsing is supported only on NS-series Sensors.

Can NSP inspect GRE encapsulated traffic detect attacks using this protocol? 
NSP can inspect GRE encapsulated traffic and detect attacks. But, this capability must be enabled because the default Sensor configuration is to not inspect GRE tunneled traffic.

Does NSP support scanning of the new HTTP/2 protocol (HTTP 2.0)?
NSP currently does not support HTTP/2, but support is scheduled for a future release of NSP.

When a network switch supports AutoMDI/MDI-X, can a Sensor use AutoMDI/MDI-X to establish a link between the switch and the Sensor?
Yes. But, AutoMDI/MDI-X does not work properly if Auto-Negotiation is disabled on the Sensor port. You must enable Auto-Negotiation on the Sensor port, before you set up the link between the switch and the Sensor using AutoMDI/MDI-X.

Are multiple Sensors with duplicate IP address supported on the Network Security Manager?
No. Multiple Sensors with duplicate IP address are not supported on the Network Security Manager (NSM).
For example: 
Sensor-A (IP: is already installed to an NSM.
Sensor-B (IP: needs to be added to the NSM.

If you add the new Sensor to the Manager and assign the same IP address as the existing Sensor, updates and configuration changes are applied incorrectly on an intermittent basis.
In this scenario Sensor-A must be removed from the Manager, before adding Sensor-B. 
Running the deinstall command on Sensor-A is not sufficient. Sensor-A must be removed from the Manager before adding Sensor-B. 

IMPORTANT: There is one exception to this rule. A Sensor can be added with the same IP address only if the Sensor name and model are identical to an old Sensor that is no longer physically connected to the Manager. This situation is similar to when replacing a broken Sensor.

What Skype coverage does Network Security Platform provide? Can NSP Block Skype traffic?
Currently, Network Security Platform does not provide blocking coverage on Skype traffic, due to obfuscation and encryption.
Network Security Platform can detect Skype traffic using the following P2P signatures:

  • 0x42c02600 P2P: Skype Logon Process Detected
  • 0x40015f00 P2P: Skype-like Traffic Detected
  • 0x40015e00 P2P: Skype Sweep Traffic Detected

Attack ID 0x40015f00 and 0x40015e00 are a component or correlated attack pair, which cannot be blocked.
Attack ID 0x42c02600 can be detected and blocked due to the clear text contained in the TCP session.

Skype can use an encrypted session to log on. The Network Security Platform correlated signature can detect such Skype traffic, but cannot be configured to block, due to the correlation nature.
So, Network Security Platform does not have blocking coverage on Skype.

Can I run a Sensor failover pair with the monitor ports in SPAN mode?
No. You can only create a failover pair when the monitor ports are placed in in-line mode. After you have created the pair, you cannot change the port mode.
Back to top

Under what conditions do I use Re-Import to import SSL keys into the Manager?
Only use Re-Import when you reimport a key that exists on the Manager. You can use Re-Import several times to replace the existing key on the Manager when SSL updates have not yet been pushed to the Sensor. Do not use Re-Import to replace an old SSL key with a new key.

Is the correct renewal procedure to delete the old SSL key from the Sensor and import a new SSL key after manual deletion?
Yes. McAfee recommends that you import the new SSL key to the Manager and then push out the SSL update to the Sensor after the old SSL key has been deleted.

Is a Sensor reboot required after a new SSL key has been imported/re-imported and pushed to the Sensor from the Manager?
A Sensor reboot is only required if you enable or disable SSL functionality on the Sensor. It is not required after import/re-import of SSL keys.

Why do I see 'SSL: Bad State Transition alerts(0x00006000)' in the Alert Manager after an SSL key has been replaced?
You can see these alerts in the Alert Manager if there are active HTTP flows when the new SSL certificate is being pushed to the Sensor. Contact Technical Support if this behavior continues, and submit packet captures during and after the SSL key import/renewal.

Why do I see 'SSL: Bad State Transition alerts(0x00006000)' in the Alert Manager? Is it a false positive detection? 
Collect evidence reports of the given alerts as explained in KB55743, and then open the packet log generated in the evidence reports with a packet sniffer such as Wireshark and check the TLS/SSL version used. NSP Sensors do not currently support TLS v1.1 and v1.2 and trigger this alert. To ignore this traffic, create an attack filter or use a supported version of SSL/TLS (SSLv2, SSLv3, TLSv1.0).

Is there a size limit to the Shared Secret Key when set via the Sharedsecretkey command?
The NSP Shared Secret Key must be a minimum of 8 characters and maximum of 25 characters. The key cannot start with an exclamation point or have any spaces.

Back to top
What is GTI?
GTI is a global threat correlation engine and intelligence base of global messaging and communication behavior, which enables the protection of customers against both known and emerging electronic threats across all threat areas.

What ports does GTI use?
Source Port
Destination Port
For sending Participation information 
Source Port
Destination Port
Destination Address
For sending McAfee IP Reputation queries
Manager and Sensor
For sending McAfee File Reputation queries  UDP Sensor Random DNS/53 avqs.mcafee.com

  • IP Reputation was formerly called TrustedSource.
  • File Reputation was formerly called Artemis.
What information does the Sensor use in a GTI query?
The connection 5-tuple (source IP, destination IP, source port, destination port, and protocol).

What information does the NSP Manager use in a GTI query?
The 5-tuple and any additional attack information that might be available are:
Attack Name, Attack Time, Category, Count, Destination OS, Detection Mechanism, Direction of Attack, Malware URL, NSP Attack ID, Result, Signature ID, Source OS, Sub-Category, and Attack Type.

NOTE: See the GTI Participation page in the Manager for a detailed view of what is sent. Select Configure, Integration, GTI Participation.
Where are the GTI queries sent?
The Sensor performs a specialized DNS query to mcafee.com. The Manager queries are addressed at https://tunnel.web.trustedsource.org.
How can I see what reputation a specific site or address has?
Use the lookup tool available at www.trustedsource.org.
Why is the address I look up showing a different reputation?
GTI uses many factors to determine the reputation for a specific connection. If the connection is to port 80 or 8080, the web reputation is used. If the connection is to port 25, mail reputation is used. All other ports use IP reputation, which can be a composite of the web and mail reputation, and over time will have a unique value as more data is collected.
Can McAfee adjust the reputation on a specific IP address?
After performing a query on www.trustedsource.org, there is an option for Threat Feedback. Use this form to request review. Alternately, you can request a review for a specific IP by email. For web reputations, contact sites@mcafee.com. For network and mail reputations, contact trusign-feedback@mcafee.com. Always include the IP address, port, and what type of traffic was being used.
Where can I find out more information about GTI?
See the Network Security Platform Integration Guide for your product version, or go to www.trustedsource.org

Does the NSP Sensor perform GTI IP lookup for all traffic that it sees?
Not by default. You can configure the Sensor to perform a GTI lookup for all traffic by enabling Endpoint Reputation Analysis.

NOTE: Currently, NSP can use IP reputation information with the Smart Blocking and Connection Limiting features. NSP cannot currently detect callback with IP reputation.

Why am I unable to open a file detected by GTI within the NSP for further analysis; how can I open files convicted by GTI?
These files are encrypted, even when exported via the UI. You must use the MalwareDecrypter.bat utility to decrypt them. The file location for this utility is: 


NOTE: If you run the file with no parameters, it displays the available options.
Where can I find additional information about decrypting files?
See the information about the Malware Decrypter utility in the "Archive malware files" section of the Network Security Platform Manager Administration Guide, and the Network Security Platform IPS Administration Guide for your product version.
Back to top
When is the default Identity-Based Access Control policy used in NSP?
The default Identity-Based Access Control (IBAC) policy is used in the following scenarios when IBAC is configured in NSP:
  • When the user name in question does not match any other defined (non-default) IBAC Policy.
  • In a special case, if connectivity between the Sensor and Manager is lost.

What is the NAC and 802.11Q implementation in NSP?
The current implementation of NAC on the NSP supports NAC on traffic from multiple VLANs seen on the NAC monitoring port. The Sensor NAC monitoring port is configured with one VLAN. But, the local infrastructure must support inter-VLAN communication (Inter-VLAN Routing) between the VLAN on the Sensor NAC monitoring port, and all other VLANs that have hosts that require NAC monitoring or enforcement.

What are the NSP NAC Implicitly Trusted Hosts?
The following IP addresses are automatically excluded from NAC enforcement by the Network Security Sensor:

  • Sensor Monitoring Port IP
  • Sensor Management Port IP
  • NSM IP (If in MDR mode, both Managers are added)
  • McAfee NAC Server IP
  • Guest Client Portal IP
  • Remediation Portal IP
  • VPN Concentrator IP

What DHCP server implementations does NSP DHCP NAC mode support?
There are two types of DHCP server implementation approaches available when NSP is configured to operate in DHCP NAC mode:

  • Integrated DHCP server
    In this implementation, a single DHCP server assigns IP addresses to healthy and unhealthy hosts. The DHCP Server is configured with user classes and assigns IP addresses based on the user class field in the DHCP discover packet. Each user class can have defined parameters that are unique to the user class, such as DNS IP, default gateway, and static routes. User classes can be defined for the production, quarantine and pre-admission networks, with each having its own defined IP pool and parameters.
  • Separate DHCP server
    With this approach, two separate DHCP servers are configured for the healthy (production IP pool) and unhealthy (pre-admission and quarantine) hosts. Each DHCP server has independent configuration information. One for the healthy hosts and another for unhealthy hosts.
Back to top
What is a heterogeneous Signature Set (sigset)?
Older versions of NSP required that you ran the same point version of NSM software (8.x, 7.x) as your Sensor. If you managed multiple point versions of Sensor software, you required a separate NSM for each point version of Sensor software. To resolve this issue, McAfee added the functionality to NSM to manage previous versions of Sensor software. For example, NSM 8.3 can manage Sensors with software 8.x and 7.x installed. To support this functionality, McAfee developed the heterogeneous sigset, which contains all signatures for each version of Sensor software.

The heterogeneous sigset is a format that includes all major version releases in a single, unified sigset. Administrators download and apply a single sigset that the Manager uses to control any of the Sensors.

Are all sigsets going to be heterogeneous? Has McAfee stopped releasing homogeneous sigsets?
Yes, McAfee has stopped releasing homogeneous sigsets. All sigsets are now heterogeneous.

What does a heterogeneous sigset contain, what is the numbering scheme, and what further information can you obtain from the sigset number?
The heterogeneous sigset contains two or more individual major version sigsets in a new unified format. The numbering scheme is as follows: sigsetW.X.Y.Z where:
  • W denotes the highest Sensor software release supported.
  • X denotes the lowest Sensor software release supported.
  • Y denotes the sigset release version number.
  • Z denotes the build version.

    For example, sigset means that this sigset supports 9.x and 8.x Sensors.
How does McAfee test the heterogeneous sigset?
McAfee has comprehensive testing methods to test heterogeneous sigsets to ensure compatibility with all Sensor software versions. In addition to all testing that is performed with normal sigsets, McAfee performs additional test cases. This testing is to ensure that the heterogeneous sigset works well in a heterogeneous environment, where multiple Sensor software versions are used.

Do I need to change my Manager configuration to use the heterogeneous sigset?

Is there a different heterogeneous sigset for every major release (for example: 8.x, 9.x)?
There is only one heterogeneous sigset that contains all signatures for all Sensor versions currently supported. For example, supports all Sensors running versions 9.x and 8.x.
Back to top
What is a Linux-based Manager Appliance?
The Linux-based Manager Appliance is a McAfee hardware appliance, running a preinstalled, hardened McAfee Linux Operating System. The appliance comes pre-loaded with the Network Security Manager software.

What is the McAfee Linux Operating System (MLOS)?
MLOS is a McAfee proprietary, standardized Linux-based platform on which several McAfee security appliances are built.

What is the version of McAfee Linux Operating System (MLOS) used in the Linux-based Manager Appliance?
Currently, the Linux-based Manager Appliance is preinstalled with MLOS version 3.5.x (MLOS3).

Which Sensor models can a Linux-based Manager manage?
The following Sensor models can be managed by a Linux-based Manager:
  • NS-series: NS9500, NS9300, NS9200, NS9100, NS7350, NS7250, NS7150, NS7300, NS7200, NS7100, NS5200, NS5100, NS3500, NS3200, and NS3100
  • Virtual IPS Sensors: IPS-VM600 and IPS-VM600-VSS
  • M-series: M-8000, M-6050, M-4050, M-3050, M-2950, M-2850, M-1450, and M-1250
What is the total number of Sensors that can be managed by a Linux-based Manager?
The Linux-based Manager can manage the same number of Sensors as a Windows-based Manager. The maximum number of Sensors that a Linux-based Manager can manage varies according to the database size, alert rate, and the total traffic inspected by all Sensors attached to the Manager.

Can I install the Linux-based Manager/Central Manager as a virtual instance?
You can deploy the Linux-based Manager/Central Manager as a virtual machine in your ESXi servers. The virtual Manager/Central Manager is an OVA image that deploys a virtual instance of the Network Security Manager/Central Manager running on a Linux machine.

From where do I download an OVA image of the Linux-based Manager/Central Manager?
The OVA images for a Linux-based Manager/Central Manager are available from the McAfee Product Downloads site and McAfee Update Server.

Where do I download an ISO image of the Linux-based Manager/Central Manager from?
McAfee does not provide an ISO image of the Linux-based Manager/Central Manager.
NOTE:  McAfee recommends that you use an OVA image for Linux-based Manager virtual machine deployment and bootable image shared by Technical Support for migrating from Windows-based Manager to Linux-based Manager.

Can I run the Linux-based Manager software on a Windows-based Manager Appliance hardware?
You can migrate your appliance from a Windows-based Manager to a Linux-based Manager.

How do I migrate a Windows-based Manager to a Linux-based Manager?
Take a database backup from the Windows-based Manager and restore it to a fresh Linux-based Manager. See PD27843 for full steps.
  • You cannot migrate from a later version of a Windows-based Manager to an earlier version of a Linux-based Manager.
    For example, you cannot migrate a Windows-based Manager version to a Linux-based Manager version
  • Make sure that the Windows Manager Server is running on Network Security Manager version 9.1 or later.

What is the Manager shell?
Manager shell is the command line interface for the Linux-based Manager and allows you to perform various Manager/Central Manager activities.

Which application should I use for SSH connection to the Linux-based Manager CLI?
McAfee recommends that you use the Tera Term or Bitvise applications for SSH connection to the Linux-based Manager CLI.
NOTE: SSH connections to the Linux-based Manager CLI are not supported by the PuTTY application.

What are the credentials for logging on to the Manager shell?
For Manager:
User name: admin
Password: MLOSnsmApp
For Central Manager:
User name: admin
Password: MLOSnscmApp
How do I upgrade the Linux-based Manager/Central Manager?
You can upgrade your Linux-based Manager/Central Manager using the upgrade command in the Manager shell. For more information, see McAfee Network Security Platform Installation Guide for your release.

Where do I download the Linux-based Manager upgrade file from?
The Linux-based Manager software upgrade file (setup.bin) is available from the McAfee Product Downloads site and McAfee Update Server.
NOTE: You cannot directly download the Linux-based Manager upgrade file (setup.bin) to your Linux-based Manager. Download the upgrade file to a separate server running SCP or TFTP service in your network.

Are the upgrade files for a Linux-based Manager virtual machine and Manager Appliance same?
The upgrade file (setup.bin) is the same for the Linux-based Manager virtual machine and Manager Appliance.

How do I back up the database of a Linux-based Manager?
You can take back the database either using the Manager GUI or Manager shell.
To collect the database backup from the Manager shell, run the dbBackup.sh script.
  • If you are running Linux-based Manager version or, McAfee recommends that you take the database backup from the Manager GUI.
  • If you are running Manager version or later, McAfee recommends that you stop the Manager database service before taking the backup.
  • See the Network Security Platform Manager Appliance (Linux) Installation Guide for further information.

How do I avoid data corruption when upgrading or migrating?
McAfee strongly recommends that you take a database backup before an upgrade or migration to avoid data corruption.

How do I migrate from a Windows Manager running MySQL database to a Linux-based Manager running MariaDB database?
The Manager upgrade process migrates the database from MySQL to MariaDB. Users are not required to perform other procedures for this migration.

Can I restore a backup taken from a Manager running MySQL database to a higher Manager version running MariaDB?
Yes. You can restore the database backup taken from a Manager running MySQL to a later Manager version running MariaDB.
NOTE: The first digits of both the Managers must be identical (the same McAfee managed product). For example, you cannot restore a database backup taken from NSM version to, but you can restore to

How do I access the MariaDB shell?
Open a Manager command-line session and run dbShell command.
NOTE: The default user name for the MariaDB admin and the password admin123 respectively.

How do I change the database password?
Open a Command-line session and run the passwordchange.sh command.
NOTE: The default database root password is root123.

Can a Central Manager running MariaDB manage Managers running MySQL database and conversely?
The Central Manager running Maria DB cannot manage the Managers running MySQL database, and a Central Manager running MySQL database cannot manage Managers running MariaDB.
NOTE: The Central Manager version and earlier, and and earlier, cannot manage the Manager version

How do I transfer files from a Windows-based Manager to a Linux-based Manager?
You can transfer files from a Windows-based Manager to a Linux-based Manager securely using the Bitvise application.
NOTE: File transfer from a Windows-based Manager to a Linux-based Manager is not supported by WinSCP application because of cipher mismatch.

Can I use scpToRemote command to copy files from a Linux-based Manager to a Windows host?
The scpToRemote command can only be used to copy files to a remote Linux host.

Can I create an MDR with a Windows Manager and a Linux Manager combination?
You cannot create an MDR pair with a Windows Manager and a Linux Manager. In an MDR, both Managers must be running the same operating system.

How do I upgrade an MDR pair with Managers running MySQL database to Managers running MariaDB database?
McAfee recommends that you break the MDR pair, upgrade the individual Managers, and recreate the MDR pair.

Can a Linux-based Central Manager manage a Windows-based Manager?
A Linux-based Central Manager can only manage a Linux-based Manager. The Linux-based Central Manager cannot manage a Windows-based Manager, and a Windows-based Central Manager cannot manage a Linux-based Manager.

What does the collect logs command do?
The collect logs command is used for debugging purposes. It collects all Manager logs. For example, ems.log, emsout.log, emssync.log, and initdb.log.

What is the difference between the logs collected using the InfoCollector utility as opposed to the logs collected using the collect logs command?
The Collect logs command collects only the logs related to the Manager. The InfoCollector utility collects system information, Manager logs, and configuration backup.

Can a Linux-based Manager manage an NTBA Appliance?
Yes, the Linux-based Manager can manage an NTBA Appliance.

Is McAfee Linux Operating System (MLOS) FIPS Compliant?
Yes, MLOS is FIPS Compliant. The Linux-based Manager is built on the FIPS-compliant operating system.
NOTE: The Manager software built on FIPS-certified MLOS is not FIPS-compliant by itself.

Does McAfee continue to support Windows-based Manager software?
McAfee continues to release and support Windows-based Manager software. A Windows-based Manager software installation file will be available for every release on the McAfee Product Downloads Server and McAfee Update Server.
But, the Windows-based Manager Appliance is end of life in January 2020. Technical Support will not address issues for the Windows Appliance after this date.

What happens when I RMA a Windows-based Manager Appliance?
When you RMA a Windows-based Manager Appliance, you receive a new Linux-based Manager Appliance.
NOTE: The End of Sale (EOS) for Windows-based Manager Appliance was announced in January 2018. McAfee no longer supplies any new Windows-based Manager Appliances.

Can I install the Linux-based Manager software on third-party hardware?
McAfee recommends that you do not install the Linux-based Manager software on a third-party Linux hardware.

Does McAfee support any other Linux platforms for the Manager software?
Currently, Linux-based Manager software can only be installed in a McAfee Linux Operating System (MLOS).

Rate this document

Glossary of Technical Terms

 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.