IBM Support

QRadar EDR (formerly ReaQta): Isolation does not function properly after agent installation with the --proxy parameter

Troubleshooting


Problem

Isolation does not function properly after agent installation with the --proxy parameter.

Symptom

When the Windows agent is installed with the --proxy parameter and the Isolation button is then pressed, administrators can encounter the following issues.
  • The message "Endpoint unreachable" is still displayed on the dashboard (Endpoints page -> Endpoint details).
  • The isolation cannot be canceled.
  • The endpoint sometimes goes offline after a while.
  • Restarting the machine does not resolve the issue.
  • The issue occurs whether the agent is installed by using the ReaQta installer (GUI) or the command line.
  • Events are not detected and the heartbeat is not updated.
  • keeper.exe does not appear in the Windows Firewall rules (inbound or outbound).
  • The issue occurs even when using the transparent proxy supported by ReaQta.

Cause

The presence of the --proxy parameter can cause isolation issues.

Environment

Windows

Resolving The Problem

The following workaround procedure must be treated as sensitive; it is recommended only if administrators are unable to de-isolate a machine and the machine is unable to establish connections.
  1. Confirm that the issues described under "Symptom" are occurring.
  2. Log in to the machine where the issue occurred.
  3. Remove the rule associated with keeper.exe from the Windows Firewall rules (inbound and outbound) on the machine. If no such rule is found, skip to the next step.
  4. Back up the following registry entries:
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\SubLayer

    Points: Backups must be made before any operations are performed.
    Reference: How to back up and restore the registry in Windows
    Warning: The method from step 5 onward must be used only if the endpoint has connectivity troubles and it is not possible to apply the de-isolation.
  5. Run the following command from cmd.exe as administrator:
    NetSh.exe WFP Show State
    A file named "wfpstate.xml" is then created in the current working directory.
    This file contains the WFP rules created by ReaQta, which start with "rqt".
    Example: <filterKey>{a8531896-1b7b-4f62-af51-dbf865c00b41}</filterKey>
  6. Remove all filter key IDs related to rqt from the following registry key:
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter
    Points: The filter key shown above is only a partial example related to rqt. All keys related to rqt must be removed.
  7. Once all the rqt entries are removed, restart the machine.
  8. The administrator must check the following statuses on the dashboard (Endpoints page -> Endpoint details) to confirm that the machine's connection is normal.
     • Is the Isolation button back to normal (make sure it is not showing "Endpoint unreachable")?
     • Is the endpoint online?
     • Does the Hive server receive endpoint events?
     • Does the heartbeat work properly? (Check whether the "Last Heartbeat" time is displayed 5 minutes before the "Session ended" time.)
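Steps 4 to 6 (registry backup, WFP state dump, and identification of the rqt filter keys) can be scripted so that the backup cannot be skipped and the keys to be removed are reviewed before anything is deleted. The following PowerShell helper is an added example and is not part of IBM's document or of the QRadar EDR / ReaQta product. It assumes, beyond what the page states, that wfpstate.xml uses the layout netsh produces (a <wfpstate> root with <filters><item> entries carrying <filterKey> and <displayData><name>), that the rqt filters are recognisable by a display name beginning with "rqt", and that the subkeys under Persistent\Filter are named by the filter key GUID. By default it only reports the matching subkeys; the -Remove switch performs the deletion from step 6.

```powershell
# Added example (not from IBM's page or the ReaQta/QRadar EDR product).
# Automates steps 4-6 of the workaround. Run from an elevated PowerShell
# prompt on the affected Windows endpoint.
#
# Assumptions (not stated on the page):
#  - wfpstate.xml layout: <wfpstate><filters><item> with <filterKey> and
#    <displayData><name> children.
#  - rqt filters are identified by a display name starting with "rqt".
#  - Persistent\Filter subkeys are named by the filter key GUID.
param(
    [string]$StatePath = (Join-Path (Get-Location) 'wfpstate.xml'),
    [string]$BackupDir = (Join-Path $env:TEMP 'bfe-backup'),
    [switch]$Remove   # without -Remove the script only reports what it would delete
)

$ErrorActionPreference = 'Stop'
$policyKey = 'HKLM\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy'
$filterKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter'

# Step 4: export the whole Policy tree (this covers Persistent, Filter and
# SubLayer) before anything is modified, and stop if the export failed.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupFile = Join-Path $BackupDir ("BFE-Policy-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
reg.exe export $policyKey $backupFile /y | Out-Null
if (-not (Test-Path $backupFile)) { throw "Registry backup failed; stopping." }
Write-Host "Registry backup written to $backupFile"

# Step 5: dump the current WFP state unless wfpstate.xml is already present.
if (-not (Test-Path $StatePath)) {
    netsh.exe wfp show state file=$StatePath | Out-Null
}
[xml]$state = Get-Content -Path $StatePath -Raw

# Collect the filter keys whose display name starts with "rqt".
$rqtKeys = @(
    $state.wfpstate.filters.item |
        Where-Object { $_.displayData.name -like 'rqt*' } |
        ForEach-Object { $_.filterKey.Trim() }
)
Write-Host ("Found {0} rqt filter(s) in {1}" -f $rqtKeys.Count, $StatePath)

# Step 6: match those keys against the Persistent\Filter subkeys and
# remove them only when -Remove was given.
$present = Get-ChildItem -Path $filterKey | Where-Object { $rqtKeys -contains $_.PSChildName }
foreach ($k in $present) {
    if ($Remove) {
        Remove-Item -Path $k.PSPath -Recurse
        Write-Host "Removed $($k.PSChildName)"
    } else {
        Write-Host "Would remove $($k.PSChildName) (re-run with -Remove to delete)"
    }
}
Write-Host "Reboot the machine once all rqt entries are removed (step 7)."
```

Run it once without -Remove, compare the reported GUIDs against the rqt entries in wfpstate.xml, and only then re-run with -Remove; the .reg file written to the backup directory can be re-imported with reg.exe import if the endpoint needs to be rolled back.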
Currently, the IBM development team is working on this issue and will improve it in a future release. Please see here for more information.

Document Location

Worldwide


Document Information

Modified date:
19 May 2023

UID

ibm16989065