Troubleshooting Tips

---

 

For the latest Troubleshooting Tips on Firewall Analyzer, visit the Troubleshooting Tips on the website or the public user forums.

 

General [ Show/Hide All ]

 

1. Where do I find the log files to send to Firewall Analyzer Support?

   The log files are located in the <Firewall Analyzer Home>/logs directory. Typically when you run into a problem, you will be asked to send the serverout.txt file from this directory to Firewall Analyzer Support.

    

2. Internet Explorer says "Error opening this document. File cannot be found" when I try to open an exported PDF report.

   Internet Explorer throws this error when you try to open an exported PDF report in the web browser itself. This is a known issue, and we are working on resolving it. For now, save the report to your local machine, and open it using the regular PDF software that you use (Adobe Acrobat Reader or xpdf)

    

3. I am having a Cisco PIX, but I only see Traffic IN and not Traffic OUT?
   • You need to configure your Intranets in order to separate inbound and outbound traffic. The Inbound Outbound Traffic report will show the traffic details about inbound traffic ( traffic coming into LAN ) and outbound traffic ( traffic going out of LAN ) of the firewall.When configured, the Inbound Outbound Traffic Reports shows you which hosts and what protocol groups have been contributing the most traffic on either side of the firewall. Please follow the instructions available for Setting Up Intranets.
   • Typical firewall logs are in the following format: 16.1.1.1 www.yahoo.com 10 bytes 1MB (i.e. Source-IP Destination-IP Bytes-Sent Bytes-Received). But Cisco PIX does not provide a split-up of bytes-sent and bytes-received, but just provides a cumulative BYTES info. In most of the cases/protocols, RECEIVED will be more than SENT with respect to the source who originated the transaction. So we assume BYTES in Cisco PIX as RECEIVED. And in the case of FTP, Cisco PIX provides another log to identify the direction of the traffic. In that case, based on FTP put/get, we will determine whether the traffic is SENT or RECEIVED.

    

4. I find that Firewall Analyzer keeps crashing or all of a sudden stops collecting logs. What could be the reason?

   The inbuilt PostgreSQL database of Firewall Analyzer could get corrupted if other processes are accessing these directories. Kindly exclude the Firewall Analyzer installation directory 'ManageEngine' (it could be in C:ManageEngine or D:ManageEngine) from both the Backup process and Anti-Virus Scans.

    

5. How to increase the time limit of web client time out?

   To increase the time limit of web client time out, follow the steps given below:

   • Shutdown/stop the Firewall Analyzer application
   • Changes for Firewall Analyzer version 7.5 (Build 7500) onwards:
     • Rename/remove the C:ManageEngineFirewalllogs directory into logs_old directory.
     • Change the "session-timeout" value (default value is 30 minutes) as per your requirement (say 60 minutes), in the file given below and save the file,
       
       C:ManageEngineFirewallconfweb.xml
       
        
   • Changes for Firewall Analyzer version 7.4 (Build 7400) or earlier:
     • Rename/remove the C:ManageEngineFirewallserverdefaultlog directory into log_old directory.
     • Change the "session-timeout" value (default value is 30 minutes) as per your requirement (say 60 minutes), in the two files given below and save the files,
       
       C:ManageEngineFirewallserverdefaultconfweb.xml
       C:ManageEngineFirewallserverdefaultdeployjbossweb-tomcat50.sarconfweb.xml
        
   • Restart the Firewall Analyzer Server.

   The above changes will affect all the web clients connected to the FWA server.
   
   Alternatively, you can install the "Auto IE Refresher" in your machine for IE browser and monitor the pages from your machine.
   
   Reference pages:
   http://www.softpedia.com/get/Internet/Other-Internet-Related/Auto-IE-Refresher.shtml
   http://www.download.com/AutoRefresher-for-IE/3000-12512_4-10293579.html

    

6. How to apply license for troubleshooting after Trial or Registered license expiry?

   If you are unable to open the client and want to apply the license and troubleshoot a Firewall Analyzer installation, copy the license file in the <Firewall Analyzer Home>/troubleshooting directory and execute the applyLicense.bat file available in the same directory to apply the license.

    

7. How to get permission to access PostgreSQL to troubleshoot?

   Permission to access PostgreSQL to troubleshoot

   • Open the pg_hba.conf file which is under <Firewall Analyzer Home>pgsqldata directory and add the line

    

   host all all <IP address of the remote machine to be used to trouble shoot>/32 trust

    

   after the line

    

   host all all 127.0.0.1/32 trust

    

   and save the file.

    

   # TYPE DATABASE USER ADDRESS METHOD   # IPv4 local connections: host all all 127.0.0.1/32 trust   # IPv6 local connections: host all all ::1/128 trust   to   # TYPE DATABASE USER ADDRESS METHOD   # IPv4 local connections: host all all 127.0.0.1/32 trust host all all <IP address of the remote machine to be used to trouble shoot>/32 trust   # IPv6 local connections: host all all ::1/128 trust

    

Installation [ Show/Hide All ]

 

1. Firewall Analyzer displays "Enter a proper ManageEngine license file" during installation.

   This message could be shown in two cases:
   Case 1: Your system date is set to a future or past date. In this case, uninstall Firewall Analyzer, reset the system date to the current date and time, and re-install Firewall Analyzer.
   Case 2: You may have provided an incorrect or corrupted license file. Verify that you have applied the license file obtained from ZOHO Corp.,
   If neither is the reason, or you are still getting this error, contact licensing@manageengine.com

    

2. When I try to access the web client, another web server comes up. How is this possible?

   The web server port you have selected during installation is possibly being used by another application. Configure that application to use another port, or change the Firewall Analyzer web server port.

    

3. Firewall Analyzer is running as a service in SUSE Linux machine. On reboot, Firewall Analyzer service is not getting started. How to overcome this?

   If Firewall Analyzer is running as a service in SUSE Linux machine and on reboot the Firewall Analyzer service is not getting started, carry out the following procedure.

   
   
   

   • Open a Command window with Super User privileges, on the SUSE Linux machine
   • Execute the YaST program. The YaST Control Center screen opens up
   • In that, select System > System Services (Runlevel) menu. The System Services (Runlevel): Details screen open up.
   • In the table displayed, select the Expert Mode and firewallanalyzer service.
   • Set the default runlevel after booting to 2 & 5. Refer the image given below.
   • Select Set and OK
   • Exit the command window
   • Now reboot the machine again

    

Startup and Shut Down [ Show/Hide All ]

 

1. MySQL-related errors on Windows machines.

   Probable cause: An instance of MySQL is already running on this machine

   Solution: Shut down all instances of MySQL and then start the Firewall Analyzer server.
    

   Probable cause: Port 33336 is not free

   Solution: Kill the other application running on port 33336. If you cannot free this port, then change the MySQL port used in Firewall Analyzer.

   Solution: Kill the other application running on port 33336. If you cannot free this port, then change the MySQL port used in Firewall Analyzer.

    

    

2. Firewall Analyzer displays "Port 8500 needed by Firewall Analyzer is being used by another application. Please free the port and restart Firewall Analyzer" when trying to start the server.

Probable cause: The default web server port used by Firewall Analyzer is not free.

Solution: Kill the other application running on port 8500. If you cannot free this port, then change the web server port used in Firewall Analyzer.

 

3. Unable to start the application in Linux

   Solution: Change it to the following format, you will be able to start the application and get reports.
   
   
   
   /etc/hosts
   
   
   
   Entry should be like:
   
   
   
   127.0.0.1 mini localhost

   Probable cause: It is due to invalid host information in the etc/hosts directory.

   Solution: Change it to the following format, you will be able to start the application and get reports. 
   
   /etc/hosts 
   
   Entry should be like: 
   
   127.0.0.1 mini localhost

 

Importing Logs [ Show/Hide All ]

 

1. Firewall Analyzer not importing logs from mapped network drive, if Firewall Analyzer is running as service.

   Solution: Instead of giving mapped network drive, you give UNC path (\\ComputerName\SharedFolder\Resource) (e.g., \\cherry\log\isa_log*.w3c). 
   If the issue still persist, check the following:

• The account in which Firewall Analyzer service runs must have full privilege to that shared drive
• If the Firewall Analyzer machine is in a domain xxxxx and the shared machine/drive is in a workgroup (i.e., cross domain), Firewall Analyzer will not fetch the logs unless the full domain admin privilege is available.

 

Reporting [ Show/Hide All ]

 

1. Why am I seeing empty graphs?

   Probable cause: Graphs are empty either because there is no traffic is passing through the firewall or if firewall traffic is not sufficient enough to populate the reports table of Firewall Analyzer.

   
   Solution: If you are starting Firewall Analyzer for the first time or if you are shutting down and restarting Firewall Analyzer, it will wait for the reports table to be populated with 5000 log records for the first time. From the next time onwards, Firewall Analyzer will populate reports table once in 7 minutes or once it receives the next 5000 records, whichever is earlier. You can check for the number of records received in " Packet Count " icon shown in top right corner in client UI. This will list out the details like the number of logs received and also the last received log time. It is better to run the server continuously and check whether 5000 records are collected. Do not stop and restart the server in-between!

    

   Moreover, for viewing the already collected log records in the reports, kindly do the following:

   1. Login into Firewall Analyzer client UI. You will be seeing the Dashboard page.
   2. Replace the URL shown in your browser with the following URL.
       

      http://localhost:8500/fw/genreport.do

   3. Wait for sometime. Once the reports are generated an empty page will be shown.
   4. Now remove genreport.do from the URL and just type http://localhost:8500/fw alone.
   5. Now you will be able to see the report data.

    

2. I can't see the Live Reports for my SonicWALL firewall

   You cannot see Live Reports for SonicWALL firewalls because the time duration attribute is not supported in the SonicWALL log files.

    

3. Why are some traffic values shown as 0.0MB or 0.0%?

   Since Firewall Analyzer processes log files as and when they are received, traffic values of 0.0MB or 0.0% may be displayed initially when the amount of traffic is less than 10KB. In such a case, wait until more data is received to populate the report tables.

    

4. Why do I see zero results for kilobytes transferred in the reports for Check Point firewall?

   This could be happening because bandwidth information is not being captured in the log file. Ensure that your Check Point firewall has been configured to generate both regular and accounting log files. While regular log files contain information regarding firewall activity, the accounting log file contains the bandwidth and session information.

    

5. Why do the Intranet Reports show zero results?

   Verify if intranets have been configured correctly. If you have specified IP addresses that are not actually behind the firewall, you will get zero values in the reports.

    

6. Why doesn't Trend Reports take time values or top-n values into account?

   Trend reports show historical data for the corresponding traffic statistics shown in the report. Hence time changes from the Global Calendar, or top-n value changes from the Show bar on the report, do not affect these reports.

    

7. My firewall is sending WELF logs, but the reports do not show any URL information?

   Firewall Analyzer checks for the entry "arg=your URL" in the firewall logs to populate and show URL in report data. If this entry is not present in the firewall logs then the reports wouldn't be showing any URL information.

    

8. In the Compliance Report field, the following message appears: 'Unable to generate compliance report. Reason: Failed to locate Nipper. Click here to enable it'. What should I do?

    

   Supported Platform:

   • Ubuntu 9.1.10
   • Fedora 12
   • OpenSuSE 11.2
   • CentOS 5.5

   
   Prerequisite:
   The GNU/Linux platform requires Qt 4.5 to be installed. Your package manager system should automatically install this for you.
   
   Steps:

   1. Download Nipper libraries from https://www.manageengine.com/products/firewall/download-third-party-utilities.html according to your platform
   2. Install the rpm or deb according to your Operating System
   3. Connect to Firewall Analyzer web client and type the following URL: 'http://<host name>:8500/fw/userConfig.do'
   4. In that, there is an option to provide the path in which you have installed 'Nipper'. For ex: '/usr/bin/nipper'
   5. Click on Save link

   
   After performing the above steps, go to Setting > Device Rule > Add Device Info, the option to generate compliance report for the device will be enabled.