I'm having a problem with Gateway Anti-Malware updating its malware definitions. NSM is already configured with DNS, and one of the IPS sensors inside the domain has already updated its malware definitions to the latest update, but one of our IPS sensors fails to update with an error. The failed IPS can, however, update the callback detector to the latest. I tried to check on the IPS with the command show gam engine stats, but it shows engine status :uninitialized. Does anyone know how to troubleshoot GAM, or do I need to do any configuration to enable GAM?
What is the error you are receiving when updating GAM for this sensor?
What is the model and software version of the sensor?
Are you manually updating or using automatic updates?
Are you seeing any errors in the EMS.log for this failure?
It could just be a communication failure with the update site. NSP uses different update sites for the different downloads (software / sigsets / bot / etc) so you may be blocking the communication.
You can also just manually download the software update here
and import it to the manager under Manage > Updating > Manual Import.
You should then be able to deploy it to your sensor.
Which line, containing what string, should I look at in EMS.log?
I also think the customer's DNS blocks the Gateway Anti-Malware update site. Do you know the site link, or which domain/site I should advise the customer to allow for GAM updates? Automatic updates would help much more, as I don't need to go onsite each time to update GAM. Your kind help is much appreciated.
This is what I see in my ems.log file for an N series sensor trying to update GAM when the manager does not have access to the internet.
2015-09-18 04:52:35,600 ERROR [http-bio-0.0.0.0-443-exec-148] iv.common.HttpClient.ApachePOSTImpl - doPOST:Error while doing the http get function for the url https://tau.mcafee.com/cgi-bin/update.pl the error is java.net.ConnectException: Connection timed out: connect
2015-09-18 04:52:35,600 ERROR [http-bio-0.0.0.0-443-exec-148] com.intruvert.ui.sensor.data.GAMVersion - com.intruvert.ruleEngine.utils.gam.GamDatException: Internal Server Error
If they are using manager version 184.108.40.206 or higher, they should have the option under Manage > Troubleshooting > System Log to view the tail of the EMS log. Then, if you turn GAM updating off and back on for the problem sensor, they can see what errors are generated.
If not, they will have to look in the log files for errors that match the time stamp on the error the manager is generating.
If the sensor is outside the domain and there is a firewall between it and the manager, you may just need to open additional ports for communication. Look at the requirements in the Manager Installation guide to find out what ports need to be open for communication.
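An added example, not part of any poster's reply and not vendor code: a small Python filter that pulls failed update requests out of EMS.log and tags each with the network layer to check first. It assumes the log layout of the two lines quoted above; the third sample line is constructed, and the function name is hypothetical.

```python
import re
from urllib.parse import urlparse

# Layout assumed from the two EMS.log lines quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} ERROR "
    r"\[(?P<thread>[^\]]+)\] (?P<logger>\S+) - (?P<msg>.*)$")
HTTP_RE = re.compile(r"for the url (?P<url>\S+) the error is (?P<exc>[\w.$]+)")

# Standard Java exception classes mapped to the layer to investigate first.
CAUSES = {
    "java.net.UnknownHostException": "DNS: manager cannot resolve the host",
    "java.net.ConnectException": "TCP: connection blocked or timed out",
    "java.net.SocketTimeoutException": "TCP/TLS: connected, no response in time",
}

def find_update_failures(lines):
    """Return one dict per failed outbound update request in EMS.log lines."""
    failures = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ERROR line in the assumed layout
        h = HTTP_RE.search(m["msg"])
        if h:
            failures.append({
                "time": m["ts"], "thread": m["thread"],
                "host": urlparse(h["url"]).hostname,
                "exception": h["exc"],
                "check": CAUSES.get(h["exc"], "unclassified"),
                "gam": False})
        elif "GAMVersion" in m["logger"]:
            # Tie the GAM error to the HTTP failure on the same thread and second.
            for f in failures:
                if f["thread"] == m["thread"] and f["time"] == m["ts"]:
                    f["gam"] = True
    return failures

SAMPLE = [  # first two lines are from the thread; the third is constructed
    "2015-09-18 04:52:35,600 ERROR [http-bio-0.0.0.0-443-exec-148] iv.common.HttpClient.ApachePOSTImpl - doPOST:Error while doing the http get function for the url https://tau.mcafee.com/cgi-bin/update.pl the error is java.net.ConnectException: Connection timed out: connect",
    "2015-09-18 04:52:35,600 ERROR [http-bio-0.0.0.0-443-exec-148] com.intruvert.ui.sensor.data.GAMVersion - com.intruvert.ruleEngine.utils.gam.GamDatException: Internal Server Error",
    "2015-09-18 05:10:02,114 ERROR [http-bio-0.0.0.0-443-exec-151] iv.common.HttpClient.ApachePOSTImpl - doPOST:Error while doing the http get function for the url https://tau.mcafee.com/cgi-bin/update.pl the error is java.net.UnknownHostException: tau.mcafee.com",
]

if __name__ == "__main__":
    for f in find_update_failures(SAMPLE):
        print(f["time"], f["host"], f["exception"], "->", f["check"], "| GAM:", f["gam"])
```

A ConnectException means the name resolved and the TCP connection failed, which points at a firewall or proxy rule rather than DNS; an UnknownHostException points at the resolver the manager is using.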
Yes, I'm able to update the sensor manually, but that is what we don't want to achieve. Actually, when we try to update automatically using Google public DNS 220.127.116.11, it is not successful. I filtered the connection: the request has been sent to Google DNS, but there is no reply traffic to the request.
For our IPS in the other domain, automatic updates using the local disaster recovery domain work with no problem. I can see the response traffic from the McAfee IP using an HTTPS connection.
I'm thinking the connection has been blocked by Google DNS. So weird...
I am having a similar problem with NTBA T-VM. All sensor software, sigset and engine software is up to date, but I'm getting a DNS error whenever GAM tries to auto-update. DNS requests to tau.mcafee.com are seen going through the firewall. We tried updating manually and it didn't take... then I read the note on that page in the NSM that manual updating of GAM does not work for NTBA. I was hoping someone may have found a fix for this by now. If you know of one, please respond.
Yup, manual updating for NTBA would be nice. I'm getting some DNS errors for auto download. There are a lot of environments where DNS and firewall are not optimized. So manual update is the only option.