Troubleshoot Arctic Wolf Risk Scan Engine

This information provides solutions for common Arctic Wolf Risk Scan Engine (formerly Joval) issues.

Note: This information only applies to Risk Scan Engine. It does not apply to any Managed Risk services. For more information about Managed Risk services, see Managed Risk.

Unexpected scan results

Possible cause:

  • A Risk Scan Engine defect or a content defect.
  • The result might be accurate.

Resolution: Based on the unexpected result, do one of these actions:

  • If the unexpected result is UNKNOWN, ERROR, PASS, or FAIL:
    1. Create a diagnostic report for the scan.
    2. Review the diagnostic details for the rules with suspicious results, using the color-coded test result tree to identify the specific tests that caused the unexpected result.
    3. Consider these questions:
      • Do any error messages explain why the unexpected result occurred?
      • Does the assessment logic applied to the collected data appear to be accurate?
      • Does the data that Risk Scan Engine collected appear to match the actual machine state?
    4. Determine what is causing the unexpected result. For example:
      • Risk Scan Engine encountered a specific error evaluating this test.
      • Risk Scan Engine did not accurately evaluate the assessment logic against the collected data.
      • Risk Scan Engine did not accurately collect the required data from the machine.
      • Risk Scan Engine appears to have completed the evaluation accurately and the result is correct.
      • Risk Scan Engine appears to have completed the evaluation accurately, but the result is inaccurate because there is an issue with the content.
  • If this is a Risk Scan Engine issue or if the unexpected result is NOT SELECTED or NOT APPLICABLE:
    1. Run the scan again using Joval Utilities in debug mode to create a Risk Scan Engine debug package. See Create a Risk Scan Engine debug package for more information.
    2. Confirm that this scan produces the same result.
    3. Create a ticket for Risk Scan Engine support. Include your findings and the debug package zip file.

Host Unreachable Error on Windows targets

Possible cause: For remote connectivity to Windows devices, the Windows Remote Management Framework (WinRM) version 2.0 or higher is required.

Resolution:

  • Run this command to make sure that the Windows Remote Management service is running on the target machine:
    runas /u:Administrator "winrm qc"

Host Unreachable Error on VMware VI SDK Targets

Possible cause: The host configuration is incorrect.

Resolution:

  • Verify that you can reach the host from a web browser.
  • Verify that the username and password for the host are valid and match the data in the scan configuration file.

Host Unreachable Error on PAN-OS Targets

Possible cause: The PAN-OS device doesn’t have an IP address configured.

Resolution:

  1. Connect to the console port.
  2. Run this command to determine if the PAN-OS device has an IP address:
    show interface management

    Example of successful output:

    -------------------------------------------------------------------------------
    Name: Management Interface
    Link status:
    Runtime link speed/duplex/state: 1000/full/up
    Configured link speed/duplex/state: auto/auto/auto 
    MAC address:
    Port MAC address <mac_address> 
    
    Ip address: <ip_address>
    Netmask: <netmask>
    Default gateway: <gateway>
    Ipv6 address: unknown
    Ipv6 link local address: unknown
    Ipv6 default gateway: unknown 
    -------------------------------------------------------------------------------
  3. If the device does not have an IP address, configure the IP address settings:
    1. Run this command to begin the configuration:
      configure
    2. Run this command to set an IP address:
      set deviceconfig system ip-address <ip_address>
    3. Run this command to set a default gateway:
      set deviceconfig system default-gateway <gateway>
    4. Run this command to set a netmask:
      set deviceconfig system netmask <netmask>
    5. Run this command to commit your changes:
      commit
    6. Wait a few minutes, and then run this command to test the new IP address settings:
      show interface management
  4. If the IP address settings are configured correctly, run this command to determine if your machine can access the host IP address:
    curl -k https://<ip_address>:<port_number>/api/\?type=keygen

    Example of expected output:

    <response status = 'error' code = '400'><result><msg>Missing value for parameter "user".</msg></result></response>
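
The outputs from steps 2 and 4 can be checked programmatically. This Python script is an added example, not part of the Arctic Wolf documentation: it reports which step 3 settings are still unset in `show interface management` output and classifies the keygen response. The function names and sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

UNSET = {"", "unknown"}  # "unknown" is how the sample output marks unset fields
# Output field -> key used by `set deviceconfig system <key>` in step 3.
SETTINGS = {"ip address": "ip-address", "netmask": "netmask",
            "default gateway": "default-gateway"}

def parse_mgmt_interface(text):
    """Parse `show interface management` output into {field: value}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:  # skips the dashed rulers and lines without a colon
            fields[key.strip().lower()] = value.strip()
    return fields

def missing_mgmt_settings(text):
    """Return the step 3 settings that are still absent or unset."""
    fields = parse_mgmt_interface(text)
    return [cfg for field, cfg in SETTINGS.items()
            if fields.get(field, "").lower() in UNSET]

def classify_keygen_probe(body):
    """Classify the body returned by the unauthenticated keygen request in step 4."""
    # curl -k skips certificate validation: this shows reachability, not identity.
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError:  # empty reply or a body that is not well-formed XML
        return "not-xml-api"
    msg = root.findtext("result/msg") or ""
    if (root.tag == "response" and root.get("status") == "error"
            and root.get("code") == "400" and '"user"' in msg):
        return "api-reachable"  # the expected answer shown above
    return "unexpected-response"

# Constructed sample inputs (documentation address range), not real captures.
SAMPLE_CONFIGURED = """\
-------------------------------------------------
Ip address: 192.0.2.10
Netmask: 255.255.255.0
Default gateway: 192.0.2.1
Ipv6 address: unknown
"""
SAMPLE_UNSET = SAMPLE_CONFIGURED.replace("192.0.2.10", "unknown").replace(
    "Default gateway: 192.0.2.1\n", "")
SAMPLE_KEYGEN = ("<response status = 'error' code = '400'><result><msg>"
                 'Missing value for parameter "user".</msg></result></response>')

if __name__ == "__main__":
    print(missing_mgmt_settings(SAMPLE_UNSET), classify_keygen_probe(SAMPLE_KEYGEN))
```

An empty list from `missing_mgmt_settings` means the management interface is configured; `api-reachable` means the address answered with the expected error response.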

Host Unreachable Error on other non-Windows targets

Possible cause: For remote connectivity to Unix, Cisco, and Juniper devices, Risk Scan Engine requires access to SSH.

Resolution: Make sure that the target device permits incoming SSH connections.

Unable to sign in to a Windows device using Risk Scan Engine

Possible cause:

  • The password entered is incorrect.
  • You are attempting to sign in as a user who is not a member of the Administrators or Remote Management Users groups.
  • The target machine is configured to disallow the negotiate authentication method.
  • Signing in using a local machine account is disabled. For example, this issue sometimes occurs on a Windows 2008 Server machine after upgrading from Windows Management Framework 1.0 to 2.0.

Resolution:

  1. Run this command to view permitted authentication methods on the target:
    winrm get winrm/config/Client/Auth
  2. To enable local account logins in this situation, create the LocalAccountTokenFilterPolicy registry value, which controls the UAC remote restrictions applied to local accounts:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    Value Name: LocalAccountTokenFilterPolicy
    Type: DWORD
    Value: 1

    See Description of User Account Control and remote restrictions in Windows Vista for more information.

Create a ticket for Risk Scan Engine support

You can create a ticket for the support team and attach any relevant support files. See Create a Risk Scan Engine debug package for more information.

  1. In the Customer Support Portal, click Submit New Request, and then configure these settings:
    • Email — (Optional) Enter an email address to receive a copy of the ticket.
    • Subject — Enter a short summary of your concern.
    • Description — Describe your concern.
    • Attachments — Add the debug package and any other supporting materials.
  2. Click Submit.

Create a Risk Scan Engine debug package

A Risk Scan Engine debug package contains low-level application logs designed to help the support team quickly and accurately diagnose an issue. If you are experiencing an issue, use Joval Utilities to create a debug package using one of these methods:

Create a debug package using Joval Utilities in Scan Mode

  1. In the configuration file, remove the semicolons before [Debug] and export.dir near the end of the file to uncomment the debug section.

    For example:

    ;
    ; Uncomment this section to create a debug package for Joval Support.
    ;
    [Debug]
    export.dir: /path/to/dir/for/debug/zips
  2. If your scan includes multiple targets, keep only the ones exhibiting the issue. Remove the rest.
  3. Rerun your scan.
  4. When the scan is complete, navigate to the directory specified by export.dir to access the debug package zip file.

Create a debug package using Joval Utilities in Xpert Mode

In the command line, add -debug to the end of the command and rerun the scan.

For example:

java -jar Joval-Utilities.jar xpert <additional parameter> -debug

This generates the xpert-debug.zip or jovaldi-debug.zip file.

Create a debug package using the Joval SDK

Create a debugging package using the org.joval.util.DebugPackage Java class:

IReport report;
SessionFactory factory;
...
// Turn on the session debug property (ISession.PROP_DEBUG).
Configurator.get(factory.getClass()).addConfigurationProperty("jsaf.intf.system.ISession", ISession.PROP_DEBUG, "true");
ISession session;
...
// Build the package in the current directory from the report and the session workspace.
File dir = new File(".");
File ws = session.getWorkspace();
DebugPackage pkg = new DebugPackage(dir, "debug-package.zip", report, ws);
pkg.addLog(logFile); // logFile is defined elsewhere in your code
File debugFile = pkg.generate();
System.out.println("Generated debug package file: " + debugFile.getPath());