Loading...

Knowledge Center


ePolicy Orchestrator console stops responding or takes several minutes to open when editing the Host Intrusion Prevention 8.0 Catalog
Technical Articles ID:   KB80102
Last Modified:  4/6/2017
Rated:


Environment

McAfee Host Intrusion Prevention (Host IPS) 8.0

Problem

When you access the Host IPS Network Catalog (click Menu, Policy, Host IPS Catalog, and select Network for the Item type), the page takes several minutes to display or does not display at all.

This issue can become so severe that the entire ePolicy Orchestrator (ePO) console is impacted. You might not be able to log on to the ePO console at all or the entire console may be extremely slow. The ePO console might also stop responding when attempting to create or edit a server task. The task wizard stops after you click Next and never displays the next screen. 

If you are experiencing any of these symptoms, run the following query against the ePO database:

select count(*) as count from HIP8_NamedNetwork_Hosts
 
NOTE: If the return on that query is several hundred thousand (or more), you are likely to be impacted by this issue and have to implement the solution or workaround in this article. 

Cause

One or more components of Host IPS have been left in Adaptive Mode for an extended period time or have been turned on for a large number of clients. KB73399 provides guidance on the proper use of Adaptive/Learn mode in Host IPS and states the following:
 
NOTE: 
Only use Adaptive Mode temporarily on a small number of systems to aid in firewall rules tuning. This mode can create a large number of client rules on endpoint systems, and can also create significant overhead for the ePO server while processing excessive Firewall Client Adaptive Rules. McAfee recommends limiting Adaptive Mode for firewalls to a few systems for a limited period of time as an aid in firewall policy tuning.

Solution

This issue is resolved in the Host IPS 8.0 Patch 5 extension update.
Updates are available when you log on to the ServicePortal at: https://support.mcafee.com/downloads.


The extension release includes a new server task: Host IPS 8.0 Catalog Maintenance Task. For information and best practices for using Host IPS, see KB73399.

NOTE: Upgrading the extension alone does not resolve the issue. The Host IPS 8.0 Catalog Maintenance Task is disabled by default and you must run it manually to clear the data from the database. It is recommended to leave the task disabled.

To review the Host Intrusion Prevention 8.0.0 Patch 5 Release Notes, see PD25947.

Workaround

Clean up the Host IPS 8.0 database tables:
  1. Ensure that Host IPS Adaptive/Learn mode is being used properly.
     
    NOTE: Enabling this for a large number of systems or for an extended period of time will result in a recurrence of this issue.
     
  2. Confirm you have a complete and recent backup of the ePO database.
  3. Confirm you have recent Host IPS policy exports for policy backup.
  4. Stop all ePO services including any services on remote Agent Handlers (if you have any). 

    NOTE: This script might take longer to complete if the database is being heavily used while the script runs.
     
  5. Run the script in the Attachment section of this article to clean up the Host IPS tables.
     
    NOTE:
     
    Depending on the speed of the SQL server and the number of rows being deleted, this script might take several hours to complete.
     
  6. Start all ePO and remote Agent Handler services.

Attachment

HIP8TableCleanup.zip
1K • < 1 minute @ broadband


Rate this document

Languages:

This article is available in the following languages:

English United States
Japanese

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.