We have a NS9100 IPS sensor that seems to intermittently stop the download of PDF files on our website for our internal users. The only reason that the sensor is being suspected is that toggling an ignore rule from a given subnet to the server hosting the files over HTTP allows the connection to complete with no problems. Switching it off can end with some users being able to access the file and others not being able to.
We have also pulled pcaps to experiment with the traffic to see whats going on. When the ignore rule was active - a HTTP 200 application/pdf was returned. However in the event the rule was off and the user was unable to access the file - a RST from the hosting server was eventually sent to terminate the connection after a few idle seconds despite some of the PDF being sent. Does anyone know what part of the policy could cause this issue or are we looking at a potential bug?
No, there are no upticks in alerts that come across the NSM. We also experimented with disabling the evaluation of files via ATD, GTI, etc. This did not change the intermittency of the files.
What about GAM on the malware policy? The NS sensors have GAM builtin.
Also, is there a minimum file size you can observe having this issue? This also has to do with the Malware policy as per previous point.
To be honest though and based on experience - if you are serving "content" out from behind your sensors, you either are very careful with your outbound policies (IPS, Malware, DOS) or you may run into problems like the one you are describing.
Whitelisting content that is served 'outbound' from behind the sensors is not a practical solution either. You could look at using McAfee TIE to catalog/whitelist the files on the TIE server and integrate TIE with the NS Series sensors to overcome this issue. But if not using TIE, then I would have another look at the policies applied to the outbound content.
Also I forgot to mention DoS prevention settings. I.e., do users experience the problem only during certain periods of time? Could it be some DOS setting (i.e. SYN Cookies, Connection Limiting Policies) affecting the downloads from the specific subnet during that time? You should see some DoS/Connetion liimiting alerts tho.
Just another idea
As part of some troubleshooting, we did look at the various parts of the malware policy. Unfortunately disabling it altogether for the affected ports did not alter the availibility of the documents. We do not currently have any Connection Limiting policies placed and we see no DoS alerts for the affected server/internal endpoints. The timing itself is pretty random regardless of the time of day.
It sounds like we will have to wait until our TIE is implemented to see if we can resolve this issue. Thank you for the help - we really appreciate it.
Out of curiousity, have you reached out to McAfee for Support?
What version of software is on the sensor?
I recall from my time as an NSP support Engineer that we had an issue with the NS series and PDFs. I can't recall the exact issue, but I can reach out to one of my old workers that still works there and see what the bug was...might be similar but on the new software.
Yes we have reached out to McAfee for some support and the ticket remains open at this time to see if we can locate the issue. The NS9100 sensor is sitting at version 126.96.36.199.