Loading...

Knowledge Center


Agent Wakeup port is not translated from ServerSiteList.xml to the /etc/init.d/sva-firewall config file
Technical Articles ID:   KB89319
Last Modified:  5/15/2017
Rated:


Environment

McAfee Antivirus Multi-Platform (MOVE AV Multi-Platform) 4.x, 3.6.1
McAfee ePolicy Orchestrator (ePO) 5.9, 5.3.x, 5.1.x

Summary

ePO uses TCP 8081 as the default Agent Wakeup port. When an ePO server uses an Agent Wakeup port other than the default, an issue arises on Ubuntu devices, where the mechanism to update the host firewall with this custom port configuration is not present. This results in a communication issue between ePO and the MOVE AV Multi-Platform SVM Manager.

NOTE: Running the netstat -tnl command will demonstrate that masvc is listening on that port, but Agent Wakeup calls will fail.

Problem

The Agent Wakeup port is not translated from ServerSiteList.xml to the /etc/init.d/sva-firewall config file.

Cause

When the /home/svaadmin/sva-config script runs during initial setup and the McAfee Agent is registered with ePO, a new SiteList.xml is downloaded. The agent then enforces the EPOAGENT3000, DC__AM__4000, and LYNXSHLD2000 policies, which write policy data to a store on the system. 

The movesvamanager service then pulls from that store to update the /etc/init.d/sva-firewall file, which is a configuration file containing policy settings for MOVE, including the Agent, MOVE Client, and SVM ports, as well as other considerations such as SSH.

The /opt/McAfee/movesvamanager/sva-firewall script is then used to reload the Ubuntu host firewall into memory with the configuration indicated in the sva-firewall config file.  The movesvamanager service looks in the DC__AM__4000 policy to update the sva-firewall config file, but does not look at the EPOAGENT3000 policy. Therefore, the Agent Wakeup port is not translated from the ServerSiteList.xml to the /etc/init.d/sva-firewall config file. 

Solution

Technical Support is investigating this issue. As a temporary measure, implement the following workaround.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Workaround

Modify the sva-firewall config file with the vi utility, and then run the sva-firewall script and update the firewall:

IMPORTANT: The vi utility is a non-intuitive, powerful text editor. Execute only the commands provided in the steps below, exactly as described.

  1. Log on to the SVM Manager device.
  2. Open the sva-firewall config file in vi using the following command:
sudo vi /etc/init.d/sva-firewall
  1. Use the up/down arrow keys to scroll through the file, and locate the following entry:

# Allow ePO Agent wakeup call
$IPTABLES -A INPUT -I $ETH -p tcp --dport 8081 -j LOGACCEPT #ePO_Port

  1. Press the i key. This will shift the vi utility from command mode to edit mode. It will behave similar to a normal text editor at this point, but there are some significant differences. Until you shift back to command mode, try to use only the arrows, delete, and number keys.
  2. Modify --dport 8081 to the correct port (example: --dport 8981).
  3. Press the ESC key to return to command mode.
  4. In command mode, type the following command, and then press ENTER to exit the vi utility:

:wq!

The sva-firewall config file should now reflect the correct port. To verify, examine the /etc/init.d/sva-firewall file.

  1. Reboot the system using the following command:

sudo systemctl reboot -i

The Ubuntu firewall will no longer block the custom Agent Wakeup call port.

Rate this document

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.