
Review widgets and graph 

Widget and graph type | Description

Protection Score

This widget displays a calculated score that includes the number of subagents in an unhealthy state.

Score range | Health status
10 - 8 | Good
7 - 4 | Fair
3 - 1 | Poor

  • For Armor Complete, only virtual machines that are in a Powered On state are included.
  • For Armor Anywhere, only virtual machines that have communicated (heartbeated) with Armor in the last 4 hours are included.

Assets Protected

This widget displays the number of virtual machines that contain the Armor agent.

Healthy Services

This widget displays the percentage of agents and subagents that are working properly.

Protection Score Trend

This graph displays the history of your protection scores.



Understand Service Health 

The Service Health section displays the virtual machines that contain the installed Armor agent. 

To view this section, you must have the Read Virtual Machines(s) permission assigned to your account.
Column | Description
Asset Name

This column displays the name of the virtual machine.

You can click the name of the virtual machine to access the Virtual Machine details screen.

Status

This column displays the security status of the virtual machine.

  • Unprotected indicates the agent is not installed in the instance.
    • Instances without an agent will be labeled as Unprotected. All instances from the public cloud account will be displayed.
  • Needs Attention indicates that the agent is installed, but has not properly communicated (heartbeated) with Armor.
  • OK indicates that the agent is installed and has communicated (heartbeated) with Armor.
Location

For Armor Complete, this column will display the name of the Armor virtual site.

For Armor Anywhere, this column will display the name of the public cloud provider.

Ticket

This column displays the support ticket that troubleshoots the Protection issue.

A Protection issue will automatically generate a support ticket.



Improve your Protection score 

You can use the information below to troubleshoot the issues displayed in the Protection screen. 

Armor recommends that you troubleshoot these issues to:

  • Improve your Protection scores
  • Improve your overall Health scores
  • Increase the overall security of your environment

Review each step to troubleshoot your problem. If the first step does not resolve the issue, then continue to the second step until the issue has been resolved. As always, you can send a support ticket. 


Logging

Armor Service | Issue | Remediation

Logging

The filebeat logging agent is not installed.

 Step 1: Verify the status of filebeat

Description | Command | Extra information

Windows

Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\
cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml
  • Windows uses both winlogbeat and filebeat.
  • Commands should run in PowerShell.
  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*

To verify the operation of the logging services, look for winlogbeat, filebeat
gsv -displayname winlogbeat,filebeat

To verify the operation of the logging service processes, look for winlogbeat
gps filebeat,winlogbeat

Confirm the configured log endpoint
cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts

Linux

Configurations are stored within /etc/filebeat/filebeat.yml
cat /etc/filebeat/*.yml

Verify the operation of the filebeat service
ps aux | grep filebeat

Confirm the configured log endpoint
grep -i hosts /etc/filebeat/filebeat.yml

Confirm the external_id
grep -i external_id /etc/filebeat/filebeat.yml

Confirm the tenant ID
grep -i tenant_id /etc/filebeat/filebeat.yml

 Step 2: Send a support ticket

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Support

  2. Click Tickets
  3. Click Create A Ticket
    • A new tab will appear in your web browser.  
  4. Review the categories for ticket request types. These request types are used internally to automatically route your ticket to the appropriate department for a more efficient response. 

    Category: Support for Urgent Issues | Common Requests | Other Requests | Account Requests
    Request Type
    • Outage - Report an Outage
    • Performance Issue - Report device performance or degradation issue
    • General Incident - Report an Unlisted Incident
    • Potential Security Incident - Report a Potential Security Issue
    • Armor Services - Armor Agent Services, Logging, Monitoring, etc.
    • VPN - VPN Inquiries
    • Armor Portal - AMP Inquiries and Requests
    • L2L Tunnels
    • WAF - WAF Exceptions and Requests
    • Firewall - Inquiries on Self-Service Firewall Rules
    • SSL Certificate
    • Backup Service - Backup Services Request
    • Disaster Recovery Service
    • DNS - Add/Configure DNS Records
    • Encryption Service - Encryption Service Request
    • Load Balancer - Load Balancer Appliance Request
    • OS Patching / Updates - Request for OS Patching and Updates
    • Vulnerability Scanning - Vulnerability Scanning Services
    • Recurring Issue - Report a Recurring or Periodically Repeating Problem
    • Professional Services - Request a Statement of Work for Out of Scope Services
    • Access & Users - Request for Access & User Management
    • Billing / Invoices - General Billing or Invoice Request
    • Compliance - Compliance or Audit Requests
    • Legal / TOS / SLA - Legal Inquiries
    • Professional Services - Request Statement of Work for Out of Scope Services
    • Account Cancellation - Cancel an Armor Account
  5. Complete the missing fields.
    1. In Description, enter useful details that can help Armor quickly troubleshoot the problem. For example, consider the following questions: 
      • What is the specific issue? 
      • What are the steps to reproduce the issue? 
      • What is the level of business impact? 
      • Are there additional contacts that should be notified? 
      • Have there been any troubleshooting steps already performed? 
      • Are there any error messages or screenshots to share?
  6. Click Create.
    • After you create the ticket, you will receive updates on the ticket via an email notification.

      You can easily review the details and status of your existing ticket by clicking the View Request link provided within the email notifications that are generated from the ticketing system. 

  7. (Optional) After you create a ticket, you can add additional users or organizations to the ticket. 
    1. On the ticket detail screen, in the right-side menu, click Share.
    2. Type the name of the user or the user's email address. To share with a specific organization, type the account name, and then select the desired organization (Admin, Billing, Technical, or Security).

      The ticket can be shared with multiple users and organizations.

    3. Click Share.

  8. (Optional) To view the status of this newly created ticket, in the Tickets screen, click View Existing Tickets.

Logging

The winlogbeat logging agent is not installed.

This section only applies to Windows users.

 Step 1: Verify the status of winlogbeat

Description | Command | Extra information

Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\
cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml
  • Windows uses both winlogbeat and filebeat.
  • Commands should run in PowerShell.
  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*

To verify the operation of the logging services, look for winlogbeat, filebeat
gsv -displayname winlogbeat,filebeat

To verify the operation of the logging service processes, look for winlogbeat
gps filebeat,winlogbeat

Confirm the configured log endpoint
cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts

 Step 2: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

Logging

Armor has not received a log in the past 4 hours.

 Step 1: Check logging services

Description | Command | Extra information

Windows

Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\
cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml
  • Windows uses both winlogbeat and filebeat.
  • Commands should run in PowerShell.
  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*

To verify the operation of the logging services, look for winlogbeat, filebeat
gsv -displayname winlogbeat,filebeat

To verify the operation of the logging service processes, look for winlogbeat
gps filebeat,winlogbeat

Confirm the configured log endpoint
cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts

Linux

Configurations are stored within /etc/filebeat/filebeat.yml
cat /etc/filebeat/*.yml

Verify the operation of the filebeat service
ps aux | grep filebeat

Confirm the configured log endpoint
grep -i hosts /etc/filebeat/filebeat.yml

Confirm the external_id
grep -i external_id /etc/filebeat/filebeat.yml

Confirm the tenant ID
grep -i tenant_id /etc/filebeat/filebeat.yml

 Step 2: Check connectivity
Port | Destination
515/tcp
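
The Linux checks from Step 1 and the port from Step 2 can be run as one pass over a filebeat.yml. This is an added example, not Armor's own tooling; the function names, the sample file layout, and the sample host and ID values are constructed assumptions, and only inline hosts: [...] lists are parsed.

```shell
#!/bin/sh
# Added example (not Armor tooling): read the values that the Step 1 grep
# commands look for, and confirm the log endpoint uses 515/tcp from Step 2.

# yaml_value FILE KEY: print the first uncommented "KEY: value", with quotes,
# brackets and spaces stripped. Only inline values are handled.
yaml_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" |
        head -n 1 | tr -d "[]\"' "
}

# check_filebeat_config FILE: print one finding per line and return the
# number of problems (0 means every check passed).
check_filebeat_config() {
    cfg=$1
    problems=0
    [ -r "$cfg" ] || { echo "MISSING config $cfg"; return 1; }
    for key in external_id tenant_id; do
        val=$(yaml_value "$cfg" "$key")
        if [ -n "$val" ]; then
            echo "OK $key=$val"
        else
            echo "MISSING $key"
            problems=$((problems + 1))
        fi
    done
    hosts=$(yaml_value "$cfg" hosts)
    [ -n "$hosts" ] || { echo "MISSING hosts"; problems=$((problems + 1)); }
    for h in $(printf '%s' "$hosts" | tr ',' ' '); do
        case $h in
            *:515) echo "OK endpoint $h" ;;
            *) echo "WRONG-PORT endpoint $h (expected 515/tcp)"
               problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Constructed sample; the layout, host name and IDs are illustrative only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
filebeat.prospectors:
- input_type: log
  paths: ["/var/log/*.log"]
  fields:
    external_id: "00000000-0000-0000-0000-000000000001"
    tenant_id: "1234"
#output.elasticsearch:
#  hosts: ["localhost:9200"]
output.logstash:
  hosts: ["logs.example.invalid:515"]
EOF

check_filebeat_config "$sample" || echo "problems found: $?"
# On a real host: check_filebeat_config /etc/filebeat/filebeat.yml
```

Unlike a plain grep -i hosts, the parser skips commented-out lines, so a leftover default output block is not mistaken for the active endpoint.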

Malware Protection

Armor Service | Issue | Remediation

Malware Protection

Malware Protection has not provided a heartbeat in the past 4 hours.

 Step 1: Verify the status of the agent

Description | Command

Windows

Verify that the service is running
gsv -displayname *trend*

Linux

Verify that the service is running
ps axu | grep ds_agent

 Step 2: Check the connectivity of the agent

Description | Command

Windows

Verify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux

Verify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL
telnet 146.88.106.210 443

 Step 3: Manually heartbeat the agent

Description | Command

Windows

Verify a 200 response
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response
/opt/ds_agent/dsa_control -m

 Step 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

To learn how to send a support ticket, see Support Tickets.

Malware Protection

Malware Protection is not installed or configured.

 Step 1: Verify the status of the agent

Description | Command

Windows

Verify that the service is running
gsv -displayname *trend*

Linux

Verify that the service is running
ps axu | grep ds_agent

 Step 2: Check the connectivity of the agent

Description | Command

Windows

Verify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux

Verify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL
telnet 146.88.106.210 443

 Step 3: Manually heartbeat the agent

Description | Command

Windows

Verify a 200 response
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response
/opt/ds_agent/dsa_control -m

 Step 4: Check the components for the agent
Windows
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.AM
Linux
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.AM

Component.AM.mode describes if the Malware Protection module is installed.

Component.AM.rules is the number of rules derived from the Armor Deep Security Manager.

 Step 5: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

To learn how to send a support ticket, see Support Tickets.

Malware Protection

Reboot is required for Malware Protection.

 Step 1: Reboot your server
 Step 2: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

To learn how to send a support ticket, see Support Tickets.


File Integrity Monitoring (FIM)

Armor Service | Issue | Remediation

File Integrity Monitoring (FIM)

FIM has not provided a heartbeat in the past 4 hours.

 Step 1: Verify the status of the agent

Description | Command

Windows

Verify that the service is running
gsv -displayname *trend*

Linux

Verify that the service is running
ps axu | grep ds_agent

 Step 2: Check the connectivity of the agent

Description | Command

Windows

Verify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux

Verify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL
telnet 146.88.106.210 443

 Step 3: Manually heartbeat the agent

Description | Command

Windows

Verify a 200 response
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response
/opt/ds_agent/dsa_control -m

 Step 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

To learn how to send a support ticket, see Support Tickets.

File Integrity Monitoring (FIM)

FIM is installed but has not been configured.

 Step 1: Verify the status of the agent

Description | Command

Windows

Verify that the service is running
gsv -displayname *trend*

Linux

Verify that the service is running
ps axu | grep ds_agent

 Step 2: Check the connectivity of the agent

Description | Command

Windows

Verify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux

Verify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL
telnet 146.88.106.210 443

 Step 3: Manually heartbeat the agent

Description | Command

Windows

Verify a 200 response
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response
/opt/ds_agent/dsa_control -m

 Step 4: Check the components for the agent
Windows
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.IM
Linux
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.IM

Component.IM.mode describes if the FIM module is installed.

Component.IM.rules is the number of rules derived from the Armor Deep Security Manager.

 Step 5: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

To learn how to send a support ticket, see Support Tickets.

File Integrity Monitoring (FIM)

FIM is not installed.

 Step 1: Verify the status of the agent

Description | Command

Windows

Verify that the service is running
gsv -displayname *trend*

Linux

Verify that the service is running
ps axu | grep ds_agent

 Step 2: Check the connectivity of the agent

Description | Command

Windows

Verify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux

Verify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL
telnet 146.88.106.210 443

 Step 3: Manually heartbeat the agent

Description | Command

Windows

Verify a 200 response
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response
/opt/ds_agent/dsa_control -m

 Step 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

To learn how to send a support ticket, see Support Tickets.


Intrusion Detection System (IDS)

Armor Service | Issue | Remediation

IDS

IDS has not provided a heartbeat in the past 4 hours.

 Step 1: Verify the status of the agent

Description | Command

Windows

Verify that the service is running
gsv -displayname *trend*

Linux

Verify that the service is running
ps axu | grep ds_agent

 Step 2: Check the connectivity of the agent

Description | Command

Windows

Verify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux

Verify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL
telnet 146.88.106.210 443

 Step 3: Manually heartbeat the agent

Description | Command

Windows

Verify a 200 response
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response
/opt/ds_agent/dsa_control -m

 Step 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

To learn how to send a support ticket, see Support Tickets.

IDS

IDS is installed but has not been configured.

 Step 1: Verify the status of the agent

Description | Command

Windows

Verify that the service is running
gsv -displayname *trend*

Linux

Verify that the service is running
ps axu | grep ds_agent

 Step 2: Check the connectivity of the agent

Description | Command

Windows

Verify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux

Verify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL
telnet 146.88.106.210 443

 Step 3: Manually heartbeat the agent

Description | Command

Windows

Verify a 200 response
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response
/opt/ds_agent/dsa_control -m

 Step 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

To learn how to send a support ticket, see Support Tickets.

IDS

IDS is not installed or enabled.

 Step 1: Verify the status of the agent

Description | Command

Windows

Verify that the service is running
gsv -displayname *trend*

Linux

Verify that the service is running
ps axu | grep ds_agent

 Step 2: Check the connectivity of the agent

Description | Command

Windows

Verify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux

Verify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL
telnet 146.88.106.210 443

 Step 3: Manually heartbeat the agent
Windows
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
Linux
/opt/ds_agent/dsa_control -m
 Step 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

To learn how to send a support ticket, see Support Tickets.
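
The Linux Step 2 and Step 3 checks that recur in the Malware Protection, FIM and IDS sections above can be reduced to one verdict, which also flags an agent that reports a manager other than epsec.armor.com. This is an added example, not Armor or Trend Micro tooling; the function names, the EXPECTED_DSM_HOST variable and the "key: value" layout of the sample status line are assumptions.

```shell
#!/bin/sh
# Added example (not Armor or Trend Micro tooling): turn the output of the
# Linux Step 2 and Step 3 commands into a single verdict. The command output
# is passed in as text, so the logic can be exercised offline.

EXPECTED_DSM_HOST="epsec.armor.com"   # endpoint named in Step 2

# dsm_host TEXT: print the host part of the URL on the AgentStatus.dsmUrl line.
dsm_host() {
    printf '%s\n' "$1" | grep 'AgentStatus\.dsmUrl' | head -n 1 |
        sed -n 's|.*://\([^:/]*\).*|\1|p'
}

# heartbeat_ok TEXT: succeed when dsa_control -m reported "HTTP Status: 200".
heartbeat_ok() {
    printf '%s\n' "$1" | grep 'HTTP Status: 200' >/dev/null
}

# triage_agent STATUS_TEXT HEARTBEAT_TEXT: print one verdict.
triage_agent() {
    host=$(dsm_host "$1")
    if [ -z "$host" ]; then
        echo "no-dsm-url"
    elif [ "$host" != "$EXPECTED_DSM_HOST" ]; then
        echo "unexpected-endpoint:$host"
    elif ! heartbeat_ok "$2"; then
        echo "heartbeat-failed"
    else
        echo "ok"
    fi
}

# Constructed samples. The "key: value" layout of the status line is an
# assumption; the heartbeat text is the response shown in Step 3.
status_sample='AgentStatus.dsmUrl: https://epsec.armor.com:443/'
heartbeat_sample='HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.'

echo "verdict: $(triage_agent "$status_sample" "$heartbeat_sample")"
# On a real host:
#   triage_agent "$(/opt/ds_agent/dsa_query -c GetAgentStatus)" \
#                "$(/opt/ds_agent/dsa_control -m)"
```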


Vulnerability Scanning

Armor Service | Issue | Remediation

Vulnerability Scanning

If IR Agent is not installed

 Step 1: Verify the status of the agent
Windows
  • IR Agent files are located within C:\Program Files\Rapid7
  • The IR Agent service name is "Rapid7 Insight Agent"
Linux
  • IR Agent files are located within /opt/rapid7/ir_agent
  • IR Agent logs are located within /opt/rapid7/ir_agent/agent.log*
  • Upgrade logs are one level above, within /opt/rapid7/upgrade*
 Step 2: Check connectivity of the agent
Port | Destination
443/tcp (IR Agent)

* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.

 Step 3: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

To learn how to send a support ticket, see Support Tickets.

Vulnerability Scanning

The Vulnerability Scanning agent did not run during the most recent scan.

 Step 1: Verify the status of the agent
Windows
  • IR Agent files are located within C:\Program Files\Rapid7
  • The IR Agent service name is "Rapid7 Insight Agent"
Linux
  • IR Agent files are located within /opt/rapid7/ir_agent
  • IR Agent logs are located within /opt/rapid7/ir_agent/agent.log*
  • Upgrade logs are one level above, within /opt/rapid7/upgrade*
 Step 2: Check connectivity of the agent
Port | Destination
443/tcp (IR Agent)

* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.

 Step 3: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

To learn how to send a support ticket, see Support Tickets.