Troubleshooting Global Correlation Critical


Table of Contents

  1. Most Common Issues
  2. How GC Works
  3. Add a DNS Server
  4. Verify GC Traffic


Most Common Issues

  1. No DNS server is configured/reachable
  2. Firewall/Proxy Server/Traffic Shaper is blocking the GC traffic


How GC Works

The sensor performs the following steps:

  1. Resolve the ironport domain name in the GC URL (UDP port 53)
  2. Connect to the ironport server via HTTPS (TCP port 443)
       - Retrieve the IP address of the GC server with the latest update
  3. Connect to the GC server and retrieve the update via HTTP (TCP port 80)


Add a DNS Server

  1. Via the GUI
       Go to Configuration => Sensor Setup => Network and add a DNS entry
  2. Via the CLI
       Enter the command
           setup
       Proceed through the setup process until it asks about DNS servers and enter
           yes
       then enter your DNS servers


Verify GC Connectivity

GC updates every 5 minutes, so we can run the following command to print a tcpdump of the traffic to the screen and see where the GC update process is breaking down:

       packet display <management interface> expression not host <management host>

Where the management host includes all hosts connecting to the sensor via IDM, IME, MARS, or the CLI. The traffic we expect to see is described in How GC Works.
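
One way to read that capture, as an added example that is not part of the original post: the Python sketch below walks tcpdump-style text output and reports the first step from How GC Works that did not complete. It assumes numeric one-line IPv4 output as tcpdump prints it; the function name, the sample capture, all IP addresses and the host name are constructed for illustration.

```python
import re

# Steps from "How GC Works", in order: (name, transport, server port).
STAGES = [("dns", "udp", 53), ("https", "tcp", 443), ("http", "tcp", 80)]

# Assumed line shape: tcpdump's numeric one-line IPv4 output.
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)")

def diagnose(capture, sensor_ip):
    """Return (stage, verdict) for the first GC step that did not complete."""
    sent, answered = set(), set()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m.groups()
        is_tcp = rest.startswith("Flags [")
        for name, proto, port in STAGES:
            if (proto == "tcp") != is_tcp:
                continue
            # UDP: any datagram counts. TCP: only SYN out and SYN-ACK back,
            # so a retransmitted SYN with no SYN-ACK shows up as unanswered.
            if src == sensor_ip and int(dport) == port:
                if proto == "udp" or "[S]" in rest:
                    sent.add(name)
            elif dst == sensor_ip and int(sport) == port:
                if proto == "udp" or "[S.]" in rest:
                    answered.add(name)
    for name, _, _ in STAGES:
        if name not in sent:
            return name, "no request left the sensor"
        if name not in answered:
            return name, "request sent, no reply seen"
    return "all", "ok"

# Constructed capture: DNS succeeds, the HTTPS SYN is retransmitted unanswered.
SAMPLE = """\
12:00:01.000100 IP 192.0.2.10.40000 > 192.0.2.53.53: 4321+ A? gc.example.invalid. (36)
12:00:01.020300 IP 192.0.2.53.53 > 192.0.2.10.40000: 4321 1/0/0 A 198.51.100.20 (52)
12:00:01.030000 IP 192.0.2.10.50000 > 198.51.100.20.443: Flags [S], seq 100, win 64240, length 0
12:00:02.030000 IP 192.0.2.10.50000 > 198.51.100.20.443: Flags [S], seq 100, win 64240, length 0
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE, "192.0.2.10"))
```

A stall at the dns stage is consistent with the first common issue above (no DNS server configured or reachable); a stall at https or http with the SYN unanswered is consistent with the second (a device in the path blocking the GC traffic).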