ANYWHERE Protection Dashboard

Content Layer

id	443839770

Content Column

id	443839777

Content Block

background-color	$lightGrayColor
id	443839764

Topics Discussed

Table of Contents

maxLevel	3
minLevel	3

Content Block

id	443839776

In the Protection screen, the Protection score focuses on the stability of Armor services to determine if

The agent is responding (hearbeating) to Armor
The agent has registered properly

For Armor Anywhere, the Protection scores focuses on the following services:

Malware Protection
FIM
IDS
Filebeat (for Windows and Linux)
Winlogbeat (for Windows)
Vulnerability Scanning

Review Widgets and Graph

Widget and Graph Type

Description

Protection Score

This widget displays a calculated score that includes the number of subagents in an unhealthy state.

Score range	Health status
10 - 8	Good
7 - 4	Fair
3 - 1	Poor

Note
For Armor Complete, only virtual machines that are in a Powered On state are included. For Armor Anywhere, only virtual machines that have communicated (heartbeated) with Armor in the last 4 hours are included.

Info
Scores in the security dashboards are calculated and updated every night at 2:00 AM UTC.

Assets Protected

This widget displays the number of virtual machines that contain the Armor agent.

Healthy Services

This widget displays the percentage of agents and subagents that are working properly.

Protection Score Trend

This graph displays the history of your protection scores.

Understand Service Health

The Service Health section displays the virtual machines that contain the installed Armor agent.
To view this section, you must have the Read Virtual Machines(s)permission assigned to your account.

Column	Description
Asset Name	This column displays the name of the virtual machine. You can click the name of the virtual machine to access the Virtual Machine details screen.
Status	This column displays the security status of the virtual machine. Unprotected indicates the agent is not installed in the instance. Instances without an agent will be labeled as Unprotected. All instances from the public cloud account will be displayed. Needs Attention indicates that the agent is installed, but has not properly communicated (heartbeated) with Armor. To troubleshoot a specific error message under Needs Attention, see Troubleshoot Protection Scores. OK indicates that the agent is installed and has communicated (hearbeated) with Armor.
Location	For Armor Complete, this column will display name of the Armor virtual site. For Armor Anywhere, this column will display the name of the public cloud provider.
Ticket	This column displays the support ticket that troubleshoots the Protection issue. A Protection issue will automatically generate a support ticket.

Improve your Protection Score

You can use the information below to troubleshoot the issues displayed in the Protection screen.

Armor recommends that you troubleshoot these issues to:

Improve your Protection scores
Improve your overall health scores
Increase the overall security of your environment

Review each step to troubleshoot your problem. If the first step does not resolve the issue, then continue to the second step until the issue has been resolved. As always, you can send a support ticket.

Note
To learn how to send a support ticket, see Armor Support

Tickets

.

Logging

Expand

title	Issue: The filebeat logging agent is not installed.

	Description	Command	Extra information
Windows	Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\	`cat` `C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml` `cat` `C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml`	Windows uses both winlogbeat and filebeat. Commands should run in Powershell. To review additional configurations, certificates, and service information, review a server's directory: C:\.armor\opt\winlogbeat* C:\.armor\opt\filebeat*
	To verify the operation of the logging services, look for winlogbeat, filebeat	`gsv -displayname armor-winlogbeat,armor-filebeat`
	To verify the operation of the logging service processes, look for winlogbeat	`gps` `filebeat,winlogbeat`
	Confirm the configured log endpoint	`cat` `C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml \| sls hosts`

Linux	Configurations are stored within /etc/filebeat/filebeat.yml	`cat` `/etc/filebeat/*.yml`
	Verify the operation of the filebeat service	`ps` `aux \|` `grep` `filebeat`
	Confirm the configured log endpoint	`grep` `-i hosts` `/etc/filebeat/filebeat.yml`
	Confirm the external_id	`grep` `-i external_id` `/etc/filebeat/filebeat.yml`
	Confirm the tenant ID	`grep` `-i tenant_id` `/etc/filebeat/filebeat.yml`

Expand

title	Issue: The winlogbeat logging agent is not installed.

Step 1: Verify the status of filebeat

Note
This section only applies to Windows users.

Description	Command	Extra Information
Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\	`cat` `C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml` `cat` `C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml`	Windows uses both winlogbeat and filebeat. Commands should run in Powershell. To review additional configurations, certificates, and service information, review a server's directory: C:\.armor\opt\winlogbeat* C:\.armor\opt\filebeat*
To verify the operation of the logging services, look for winlogbeat, filebeat	`gsv -displayname armor-winlogbeat,armor-filebeat`
To verify the operation of the logging service processes, look for winlogbeat	`gps` `filebeat,winlogbeat`
Confirm the configured log endpoint	`cat` `C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml \| sls hosts`

Expand

title	Issue: Armor has not received a log in the past 4 hours.

Step 1: Check Logging Services

	Description	Command	Extra information
Windows	Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\	`cat` `C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml` `cat` `C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml`	Windows uses both winlogbeat and filebeat. Commands should run in Powershell. To review additional configurations, certificates, and service information, review a server's directory: C:\.armor\opt\winlogbeat* C:\.armor\opt\filebeat*
	To verify the operation of the logging services, look for winlogbeat, filebeat	`gsv -displayname armor-winlogbeat,armor-filebeat`
	To verify the operation of the logging service processes, look for winlogbeat	`gps` `filebeat,winlogbeat`
	Confirm the configured log endpoint	`cat` `C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml \| sls hosts`

Linux	Configurations are stored within /etc/filebeat/filebeat.yml	`cat` `/etc/filebeat/*.yml`
	Verify the operation of the filebeat service	`ps` `aux \|` `grep` `filebeat`
	Confirm the configured log endpoint	`grep` `-i hosts` `/etc/filebeat/filebeat.yml`
	Confirm the external_id	`grep` `-i external_id` `/etc/filebeat/filebeat.yml`
	Confirm the tenant ID	`grep` `-i tenant_id` `/etc/filebeat/filebeat.yml`

Step 2: Check Connectivity

Port	Destination
515/tcp	46.88.106.196 (1a.log.armor.com) 146.88.144.196 (2a.log.armor.com)

Malware Protection

Expand

title	Issue: Malware Protection has not provided a heartbeat in the past 4 hours

Step 1: Verify the status of the agent

	Description	Command
Windows	Verify that the service is running	gsv -displayname trend
Linux	Verify that the service is running	ps_axu \| grep ds_agent

Step 2: Check the connectivity of the agent

	Description	Command
Windows	Verify the URL endpoint epsec.armor.com	& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus \| sls -pattern url
	Confirm connection to the URL	`new-object` `System.Net.Sockets.TcpClient('146.88.106.210', 443)`

Linux	Verify the URL endpoint epsec.armor.com	/opt/ds_agent/dsa_query -c GetAgentStatus \| grep AgentStatus.dsmUrl
	Confirm connection to the URL	`telnet` `146.88.106.210` `443`

Step 3: Manually heartbeat the agent

Description

Command

Windows

Verify a 200 response

Code Block

theme	Midnight

PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response

Code Block

theme	Midnight

/opt/ds_agent/dsa_control -m

Expand

title	Issue: Malware Protection is not installed or configured

Step 1: Verify the status of the agent

	Description	Command
Linux	Verify that the service is running	ps_axu \| grep ds_agent
Windows	Verify that the service is running	gsv -displayname trend

Step 2: Check the connectivity of the agent

	Description	Command
Windows	Verify the URL endpoint epsec.armor.com	& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus \| sls -pattern url
	Confirm connection to the URL	`new-object` `System.Net.Sockets.TcpClient('146.88.106.210', 443)`

Linux	Verify the URL endpoint epsec.armor.com	/opt/ds_agent/dsa_query -c GetAgentStatus \| grep AgentStatus.dsmUrl
	Confirm connection to the URL	`telnet` `146.88.106.210` `443`

Step 3: Manually heartbeat the agent

Description

Command

Windows

Verify a 200 response

Code Block

theme	Midnight

PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response

Code Block

theme	Midnight

/opt/ds_agent/dsa_control -m

Step 4: Check the components for the agent

Windows

Code Block
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo \| sls -pattern Component.AM

Linux

Code Block

theme	Midnight

/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.AM

Note

Component.AM.mode describes if the Malware Protection module is installed.

Component.AM.rules is the number of rules derived from the Armor Deep Security Manager.

Expand

title	Issue: Reboot is required for Malware Protection

Step 1: Reboot your server

File Integrity Monitoring (FIM)

Expand

title	Issue: FIM has not provided a heartbeat in the past 4 hours

Step 1: Verify the status of the agent

	Description	Command
Windows	Verify that the service is running	gsv -displayname trend
Linux	Verify that the service is running	ps_axu \| grep ds_agent

Step 2: Check the connectivity of the agent

	Description	Command
Windows	Verify the URL endpoint epsec.armor.com	& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus \| sls -pattern url
	Confirm connection to the URL	`new-object` `System.Net.Sockets.TcpClient('146.88.106.210', 443)`

Linux	Verify the URL endpoint epsec.armor.com	/opt/ds_agent/dsa_query -c GetAgentStatus \| grep AgentStatus.dsmUrl
	Confirm connection to the URL	`telnet` `146.88.106.210` `443`

Step 3: Manually heartbeat the agent

Description

Command

Windows

Verify a 200 response

Code Block

theme	Midnight

PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response

Code Block

theme	Midnight

/opt/ds_agent/dsa_control -m

Expand

title	Issue: FIM is installed but has not been configured

Step 1: Verify the status of the agent

Windows	Verify that the service is running	gsv -displayname trend
Linux	Verify that the service is running	ps_axu \| grep ds_agent

Step 2: Check the connectivity of the agent

	Description	Command
Windows	Verify the URL endpoint epsec.armor.com	& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus \| sls -pattern url
	Confirm connection to the URL	`new-object` `System.Net.Sockets.TcpClient('146.88.106.210', 443)`

Linux	Verify the URL endpoint epsec.armor.com	/opt/ds_agent/dsa_query -c GetAgentStatus \| grep AgentStatus.dsmUrl
	Confirm connection to the URL	`telnet` `146.88.106.210` `443`

Step 3: Manually heartbeat the agent

Description

Command

Windows

Verify a 200 response

Code Block

theme	Midnight

PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response

Code Block

theme	Midnight

/opt/ds_agent/dsa_control -m

Step 4: Check the components for the agent

Windows

Code Block

theme	Midnight

& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.IM

Linux

Code Block

theme	Midnight

/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.IM

Note

Component.IM.mode describes if the FIM module is installed.

Component.IM.rules is the number of rules derived from the Armor Deep Security Manager.

Expand

title	Issue: FIM is not installed

Step 1: Verify the status of the agent

	Description	Command
Windows	Verify that the service is running	gsv -displayname trend
Linux	Verify that the service is running	ps_axu \| grep ds_agent

Step 2: Check the connectivity of the agent

	Description	Command
Windows	Verify the URL endpoint epsec.armor.com	& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus \| sls -pattern url
	Confirm connection to the URL	`new-object` `System.Net.Sockets.TcpClient('146.88.106.210', 443)`

Linux	Verify the URL endpoint epsec.armor.com	/opt/ds_agent/dsa_query -c GetAgentStatus \| grep AgentStatus.dsmUrl
	Confirm connection to the URL	`telnet` `146.88.106.210` `443`

Step 3: Manually heartbeat the agent

Description

Command

Windows

Verify a 200 response

Code Block

theme	Midnight

PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response

Code Block

theme	Midnight

/opt/ds_agent/dsa_control -m

Intrusion Detection System (IDS)

Expand

title	Issue: IDS has not provided a heartbeat in the past 4 hours

Step 1: Verify the status of the agent

	Description	Command
Windows	Verify that the service is running	gsv -displayname trend
Linux	Verify that the service is running	ps_axu \| grep ds_agent

Step 2: Check the connectivity of the agent

	Description	Command
Windows	Verify the URL endpoint epsec.armor.com	& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus \| sls -pattern url
	Confirm connection to the URL	`new-object` `System.Net.Sockets.TcpClient('146.88.106.210', 443)`

Linux	Verify the URL endpoint epsec.armor.com	/opt/ds_agent/dsa_query -c GetAgentStatus \| grep AgentStatus.dsmUrl
	Confirm connection to the URL	`telnet` `146.88.106.210` `443`

Step 3: Manually heartbeat the agent

Description

Command

Windows

Verify a 200 response

Code Block

theme	Midnight

PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response

Code Block

theme	Midnight

/opt/ds_agent/dsa_control -m

Expand

title	Issue: IDS is installed but has not been configured

Step 1: Verify the status of the agent

	Description	Command
Windows	Verify that the service is running	gsv -displayname trend
Linux	Verify that the service is running	ps_axu \| grep ds_agent

Step 2: Check the connectivity of the agent

	Description	Command
Windows	Verify the URL endpoint epsec.armor.com	& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus \| sls -pattern url
	Confirm connection to the URL	`new-object` `System.Net.Sockets.TcpClient('146.88.106.210', 443)`

Linux	Verify the URL endpoint epsec.armor.com	/opt/ds_agent/dsa_query -c GetAgentStatus \| grep AgentStatus.dsmUrl
	Confirm connection to the URL	`telnet` `146.88.106.210` `443`

Step 3: Manually heartbeat the agent

Description

Command

Windows

Verify a 200 response

Code Block

theme	Midnight

PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response

Code Block

theme	Midnight

/opt/ds_agent/dsa_control -m

Expand

title	Issue: IDS is not installed or enabled

Step 1: Verify the status of the agent

	Description	Command
Windows	Verify that the service is running	gsv -displayname trend
Linux	Verify that the service is running	ps_axu \| grep ds_agent

Step 2: Check the connectivity of the agent

	Description	Command
Windows	Verify the URL endpoint epsec.armor.com	& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus \| sls -pattern url
	Confirm connection to the URL	`new-object` `System.Net.Sockets.TcpClient('146.88.106.210', 443)`

Linux	Verify the URL endpoint epsec.armor.com	/opt/ds_agent/dsa_query -c GetAgentStatus \| grep AgentStatus.dsmUrl
	Confirm connection to the URL	`telnet` `146.88.106.210` `443`

Step 3: Manually heartbeat the agent

Windows

Code Block

theme	Midnight

PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Code Block

theme	Midnight

/opt/ds_agent/dsa_control -m

Vulnerability Scanning

Expand

title	Issue: If IR Agent is not installed

Step 1: Verify the status of the agent

Windows	IR Agent files are located within C:\Program Files\Rapid7 The IR Agent service name is "Rapid7 Insight Agent"
Linux	IR Agent files are located within /opt/rapid7/ir_agent IR Agent logs are located within /opt/rapid7/ir_agent/agent.log* Upgrade logs are one level above, within /opt/rapid7/upgrade*

Step 2: Check connectivity of the agent

Port	Destination
443/tcp (IR Agent)	endpoint.ingress.rapid7.com * (United States) eu.endpoint.ingress.rapid7.com * (Europe, Middle East, Africa)

Note
* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.

Expand

title	Issue: The Vulnerability Scanning agent did not run during the most recent scan

Step 1: Verify the status of the agent

Windows	IR Agent files are located within C:\Program Files\Rapid7 The IR Agent service name is "Rapid7 Insight Agent"
Linux	IR Agent files are located within /opt/rapid7/ir_agent IR Agent logs are located within /opt/rapid7/ir_agent/agent.log* Upgrade logs are one level above, within /opt/rapid7/upgrade*

Step 2: Check connectivity of the agent

Port	Destination
443/tcp (IR Agent)	endpoint.ingress.rapid7.com * (United States) eu.endpoint.ingress.rapid7.com * (Europe, Middle East, Africa)

Note
* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.

Expand

title	Issue: The Vulnerability Scanning agent is not installed

Step 1: Verify the status of the agent

Windows	IR Agent files are located within C:\Program Files\Rapid7 The IR Agent service name is "Rapid7 Insight Agent"
Linux	IR Agent files are located within /opt/rapid7/ir_agent IR Agent logs are located within /opt/rapid7/ir_agent/agent.log* Upgrade logs are one level above, within /opt/rapid7/upgrade*

Step 2: Check connectivity of the agent

Port	Destination
443/tcp (IR Agent)	endpoint.ingress.rapid7.com * (United States) eu.endpoint.ingress.rapid7.com * (Europe, Middle East, Africa)

Note
* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.

Step 3: Re-install the Armor agent.

Expand

title	Issue: The Vulnerability Scanning agent did not successfully sync

Step 1: Verify the status of the agent

Windows	IR Agent files are located within C:\Program Files\Rapid7 The IR Agent service name is "Rapid7 Insight Agent"
Linux	IR Agent files are located within /opt/rapid7/ir_agent IR Agent logs are located within /opt/rapid7/ir_agent/agent.log* Upgrade logs are one level above, within /opt/rapid7/upgrade*

Step 2: Check connectivity of the agent

Port	Destination
443/tcp (IR Agent)	endpoint.ingress.rapid7.com * (United States) eu.endpoint.ingress.rapid7.com * (Europe, Middle East, Africa)

Note
* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.

Step 3: Re-install the Armor agent.

Anchor
Export Protection screen data
Export Protection screen data
Export Protection Screen Data

In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Protection.
(Optional) Use the search bar to customize the data displayed.

Below the table, click CSV. You have the option to export all the data (All) or only the data that appears on the current screen (Current Set).

Column	Description
Asset Name	This column display the name of the virtual machine (or instance).
Location	This column displays the data center location for for the virtual machine (or instance).
Service	For Armor Complete, the Protection scores focuses on the following services: Malware Protection FIM Filebeat (for Linux) Winlogbeat (for Windows) For Armor Anywhere, the Protection scores focuses on the following services: Malware Protection FIM IDS Filebeat (for Linux) Winlogbeat (for Windows) Vulnerability Scanning
Status	This column displays the security status of the virtual machine (or instance), which can be: Warning Needs Attention OK
Message	This column displays a brief message to explain the reason for the Warning or Needs Attention status.

Was this helpful?
Rate Macro

Scrolltotop

Space shortcuts

Page tree

Theme Press Tour Guide

com.brikit.tour.guide.title

EXTRA LAYER

NOTES

Not the Real Navigation

Dolor Sit Amet

Internal

Customer

Versions Compared

Old Version 50

New Version 59

Key

Topics Discussed

Review Widgets and Graph

Understand Service Health

Improve your Protection Score

Logging

Malware Protection

File Integrity Monitoring (FIM)

Intrusion Detection System (IDS)

Vulnerability Scanning

Anchor
Export Protection screen data
Export Protection screen data
Export Protection Screen Data

Was this helpful?
Rate Macro

Browse by Topic

Popular Articles

US +1 877 262 3473 | UK +44 800 500 3167

©2019 Armor Defense Inc. All Rights Reserved.

Space shortcuts

Page tree

Theme Press Tour Guide

com.brikit.tour.guide.title

EXTRA LAYER

NOTES

Not the Real Navigation

Dolor Sit Amet

Internal

Customer

Versions Compared

Old Version 50

New Version 59

Key

Topics Discussed

Review Widgets and Graph

Understand Service Health

Improve your Protection Score

Logging

Malware Protection

File Integrity Monitoring (FIM)

Intrusion Detection System (IDS)

Vulnerability Scanning

AnchorExport Protection screen dataExport Protection screen dataExport Protection Screen Data

Was this helpful? Rate Macro

Browse by Topic

Popular Articles

US +1 877 262 3473 | UK +44 800 500 3167

©2019 Armor Defense Inc. All Rights Reserved.

Anchor
Export Protection screen data
Export Protection screen data
Export Protection Screen Data

Was this helpful?
Rate Macro