Risk Scan Engine Troubleshooting

Updated Aug 10, 2023

Troubleshoot Risk Scan Engine

This information provides solutions for common Arctic Wolf Risk Scan Engine (formerly Joval) issues.

Unexpected scan results

Possible cause:

Resolution: If the unexpected result is UNKNOWN, ERROR, or a PASS or FAIL that you suspect is inaccurate:

  1. Create a diagnostic report for the scan, if you haven’t already.
  2. Review the diagnostic details for the rules with suspicious results. Use the color-coded test result tree to identify the specific tests that caused the unexpected result.
  3. Review the diagnostic details for those tests. Ask yourself these questions:
    • Are there error messages that explain why the unexpected result occurred?
    • Does the assessment logic applied to the collected data appear to be accurate?
    • Does the data that Risk Scan Engine collected appear to match the actual machine state?
  4. Assign the cause of the unexpected result:
    a. Risk Scan Engine encountered a specific error evaluating this test.
    b. Risk Scan Engine did not accurately evaluate the assessment logic against the collected data.
    c. Risk Scan Engine did not accurately collect the required data from the machine.
    d. Risk Scan Engine appears to have completed the evaluation accurately and the result is, in fact, correct.
    e. Risk Scan Engine appears to have completed the evaluation accurately, but the result is inaccurate because there is an issue with the content.

If this is a Risk Scan Engine issue (4a, 4b, or 4c) or if the unexpected result is NOT SELECTED or NOT APPLICABLE:

  1. Rerun the scan using the Joval Utilities in debug mode to create a Risk Scan Engine debug package. See Create a Risk Scan Engine debug package.
  2. Confirm that this scan produces the same result.
  3. Create a ticket for Risk Scan Engine support. Include your findings from these resolution steps and the debug package zip file.

Host Unreachable Error on Windows targets

Possible cause: For remote connectivity to Windows devices, the Windows Remote Management Framework (WinRM) version 2.0 or higher is required.

Resolution: Make sure that the Windows Remote Management service is running on the target machine.

Host Unreachable Error on VMware VI SDK Targets

Possible cause: The host configuration is incorrect.

Resolution:

Host Unreachable Error on PAN-OS Targets

Possible cause: The PAN-OS device doesn’t have an IP address configured.

Resolution:

  1. Verify whether the PAN-OS device has an IP address. Connect to the console port and run this command:

    show interface management

    Successful output:

    -------------------------------------------------------------------------------
    Name: Management Interface
    Link status:
    Runtime link speed/duplex/state: 1000/full/up
    Configured link speed/duplex/state: auto/auto/auto 
    MAC address:
    Port MAC address <mac_address> 
    
    Ip address: <ip_address>
    Netmask: <netmask>
    Default gateway: <gateway>
    Ipv6 address: unknown
    Ipv6 link local address: unknown
    Ipv6 default gateway: unknown 
    -------------------------------------------------------------------------------
    
  2. If the device does not have an IP address, configure the IP address settings:

    1. To begin configuration, run this command in the console port:
      configure
    2. To set an IP address, run this command:
      set deviceconfig system ip-address <ip_address>
    3. To set a default gateway, run this command:
      set deviceconfig system default-gateway <gateway>
    4. To set a netmask, run this command:
      set deviceconfig system netmask <netmask>
    5. To commit your changes, run this command:
      commit
    6. Wait a few minutes, and then run this command to test the new IP address settings:
      show interface management
  3. If the IP address settings are configured correctly, verify whether your machine can access the host IP address. In the command line, run this command:

    curl -k  https://<ip_address>:<port_number>/api/\?type=keygen

    Expected output:

    <response status = 'error' code = '400'><result><msg>Missing value for parameter &quot;user&quot;.</msg></result></response>
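
The following is an added example, not Arctic Wolf code, that wraps the step 3 probe and interprets its outcome: any `<response ...>` document, including the 400 error shown above, shows the management API is reachable, while a curl failure points to addressing, routing or filtering. The function names, the 10-second timeout and the default port 443 are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Function names, the 10 s timeout and the
# default port 443 are assumptions.

# classify_panos_probe <curl_exit_code> <response_body>
# Prints one line describing what the keygen probe result means.
classify_panos_probe() {
    rc=$1
    body=$2
    case "$rc" in
        0)  ;;  # HTTP exchange completed; judge the body below
        6)  echo "unreachable: host name did not resolve"; return 0 ;;
        7)  echo "unreachable: connection failed (address, port or firewall)"; return 0 ;;
        28) echo "unreachable: timed out"; return 0 ;;
        35) echo "unreachable: TLS handshake failed"; return 0 ;;
        *)  echo "unreachable: curl exit code $rc"; return 0 ;;
    esac
    # Even the 400 "Missing value for parameter" error counts as success
    # here: it proves the XML API answered on this address and port.
    case "$body" in
        *"<response status"*) echo "reachable: PAN-OS XML API answered" ;;
        *) echo "unexpected: port answered, but not with a PAN-OS API response" ;;
    esac
}

# probe_panos <ip_address> [port_number]
probe_panos() {
    host=$1
    port=${2:-443}
    rc=0
    # -k as in the step above: management interfaces often present a
    # self-signed certificate. This probe sends no credentials.
    body=$(curl -k -s --max-time 10 "https://${host}:${port}/api/?type=keygen") || rc=$?
    classify_panos_probe "$rc" "$body"
}

# Run the probe only when an address is given on the command line.
if [ "$#" -ge 1 ]; then
    probe_panos "$@"
fi
```

An "unexpected" result usually means the address or port belongs to a different service, so recheck the values from `show interface management` before changing the scan configuration.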
    

Host Unreachable Error on other non-Windows targets

Possible cause: For remote connectivity to Unix, Cisco, and Juniper devices, Risk Scan Engine relies on the availability of SSH.

Resolution: Make sure that the target device permits incoming SSH connections.

Unable to sign in to a Windows device using Risk Scan Engine

Possible cause:

Resolution:

  1. Run this command to view permitted authentication methods on the target:
    winrm get winrm/config/Client/Auth
  2. To enable local account logins in this situation, create the LocalAccountTokenFilterPolicy registry value:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    Value Name: LocalAccountTokenFilterPolicy
    Type: DWORD
    Value: 1
    For more information, see Description of User Account Control and remote restrictions in Windows Vista.

Create a ticket for Risk Scan Engine support

You can create a ticket for the support team and attach any relevant support files. For information about creating debug packages, see Create a Risk Scan Engine debug package.

  1. In the Customer Support Portal, click Submit New Request.
  2. (Optional) Enter an email address to receive a copy of the ticket.
  3. In the Subject field, enter a summary of your concern.
  4. In the Description field, describe the details of your concern.
  5. In the Attachments section, add the debug package and any other supporting materials.
  6. Click Submit.

Create a Risk Scan Engine debug package

A Risk Scan Engine debug package contains low-level application logs designed to help the support team quickly and accurately diagnose an issue. If you are experiencing an issue, use Joval Utilities to create a debug package using one of these methods:

Create a debug package using Joval Utilities in Scan Mode

If you are using the Joval Utilities in scan mode with a configuration file, you can edit the file to create a debug package.

  1. Remove the semicolons before [Debug] and export.dir near the end of the file to uncomment the debug section. Expected result:
    ;
    ; Uncomment this section to create a debug package for Joval Support.
    ;
    [Debug]
    export.dir: /path/to/dir/for/debug/zips
  2. If your scan includes multiple targets, remove all but one or two that are exhibiting the issue.
  3. Rerun your scan.
  4. When the scan is complete, navigate to the directory specified in export.dir to access the debug package zip file.
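
The edit in step 1 can be scripted. This is an added example, not part of Joval Utilities: it writes a copy of the configuration file with the debug section active and creates the export directory with owner-only permissions. It assumes the commented lines read `;[Debug]` and `;export.dir: ...`; the function name and file arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes the shipped file carries the debug
# section as ";[Debug]" and ";export.dir: ..." (one leading semicolon each).

# enable_debug_section <config_in> <config_out> <export_dir>
enable_debug_section() {
    cfg_in=$1
    cfg_out=$2
    export_dir=$3

    # Debug packages hold low-level application logs, so create the export
    # directory readable by its owner only.
    ( umask 077; mkdir -p "$export_dir" ) || return 1

    # Uncomment the [Debug] header and the export.dir key that follows it.
    # Ordinary comment lines and export.dir keys in other sections are left
    # untouched. The path is passed through the environment so that special
    # characters in it need no escaping.
    EXPORT_DIR="$export_dir" awk '
        /^;?[ \t]*\[Debug\]/ { print "[Debug]"; in_debug = 1; next }
        /^\[/                { in_debug = 0 }
        in_debug && /^;?[ \t]*export\.dir[ \t]*:/ {
            print "export.dir: " ENVIRON["EXPORT_DIR"]; next
        }
        { print }
    ' "$cfg_in" > "$cfg_out" || return 1

    # Succeed only if both lines are now active in the output file.
    grep -q '^\[Debug\]' "$cfg_out" && grep -q '^export\.dir: ' "$cfg_out"
}

# Command-line use: sh enable_debug.sh scan.conf scan-debug.conf /secure/debug-zips
if [ "$#" -eq 3 ]; then
    enable_debug_section "$@"
fi
```

Run the scan with the generated copy, and delete the debug package from the export directory once it has been attached to the support ticket.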

Create a debug package using Joval Utilities in Xpert Mode

If you are using the Joval Utilities in Jovaldi or Xpert mode, you can create a debug package in the command line.

Create a debug package using the Joval SDK
