Virtual RNA Troubleshooting

Connectivity

Verify

  • the virtual RNA is powered on in your hypervisor (VMware, Hyper-V, VirtualBox, etc.).
  • the virtual RNA’s virtual network adapter is enabled in the virtual machine’s settings in the hypervisor.
  • there is activity on the network (the network allows connected machines outbound connectivity to HTTPS sites, for example, Google).
  • View the console of the vRNA and see if there are any error messages on reboot. (Keep connected. See below.)

Configuration Verification

Verify the TCP/IP settings assigned to the RNA. These settings can be viewed by drilling into the Internal Network Profile within Fortra VM. They include:

  • IP Address - The IP address for the scanner.

  • Netmask - The subnet mask for the scanner.

  • Gateway - The IP address for the gateway device available to the scanner.

  • Primary DNS - The IP address for the DNS server available to the scanner.

External RNA IPs

The RNA uses the following external IP addresses as the source of scanning traffic. Add these IPs to your allow lists to facilitate all Fortra VM scanning.

us.frontline.cloud External RNA IPs

NOTE: us.external-scanners.frontline.cloud is the domain that resolves to most of the external RNAs for the US lineup. It can be used by those that can allow by domain and would prefer fewer entries.

uk.frontline.cloud External RNA IPs

NOTE: uk.external-scanners.frontline.cloud is the domain that resolves to most of the external RNAs for the UK lineup. It can be used by those that can allow by domain and would prefer fewer entries.

3.8.36.25

35.178.136.143

35.178.163.231

13.50.164.192/27

jp.frontline.cloud External RNA IPs

NOTE: jp.external-scanners.frontline.cloud is the domain that resolves to most of the external RNAs for the JP lineup. It can be used by those that can allow by domain and would prefer fewer entries.

18.177.132.124

18.178.24.42

18.178.53.188

18.182.162.60

35.75.27.80

tryfrontline.cloud External RNA IPs

34.207.241.142

34.207.247.203

Debugging Console

From the RNA console, select Console for network debugging.

It is recommended that you run the status and ping commands first to determine if you have basic network connectivity.

RNA Console Version 3.x.x

The following terminal commands are available to troubleshoot network connectivity:

  • ping - Measures transit delay of packets (network latency) across the IP network
  • traceroute - Displays the route (path) and measures transit delay of packets (network latency) across the IP network
  • ifconfig - Displays the network configuration on the Ethernet adapter currently in use
  • route - Displays the routes in the routing table
  • nc - Creates TCP / UDP connections to test connectivity to other hosts
  • toggle - Toggles between ports 443 and 22, if you experience connectivity issues with either port
  • status - Displays RNA network uplink status. If you receive a failure, verify outbound perimeter security device access to 18.208.54.25 on port 443 or 22
  • exit - Exits the console
  • reboot - Reboots the RNA

RNA Console Version 4.x.x

The following terminal commands are available to troubleshoot network connectivity:

  • ping - Measures transit delay of packets (network latency) across the IP network
  • traceroute - Displays the route (path) and measures transit delay of packets (network latency) across the IP network
  • ifconfig - Displays the network configuration on the Ethernet adapter currently in use
  • route - Displays the routes in the routing table
  • nc - Creates TCP / UDP connections to test connectivity to other hosts
  • toggle - Toggles between ports 443 and 22 for support mode, if you experience connectivity issues with either port when trying to configure support mode.
  • status - Verifies the RNA can connect to the required domains. If you receive a failure, verify outbound perimeter security device access to the required domains.
  • exit - Exits the console
  • reboot - Reboots the RNA
  • factory-reset - Resets the RNA back to factory defaults. Re-activation is required for the RNA to be used for scanning again.
  • support-test - Verifies support mode connectivity.

Common Issues and Solutions

To determine which version of the RNA platform you're running, locate the core version description for the activated RNA in question. From the navigation pane, select Scan Settings > Scanners. Select the RNA you're investigating and scroll down to locate the Installed Software section. The core item lists the RNA platform version.

RNA Console Version 3.X.X and Earlier

Run the "status" command from the RNA Console to see if any connectivity issues are highlighted.

Confirm that nothing is restricting outbound SSH traffic on port 443 or 22 to the proxy server hosted in AWS (IP address 18.208.54.25).

  1. Check for the following:
    1. Perimeter security device port restrictions.
    2. IDS / IPS rules that could be blocking outbound traffic.

    Using a workstation on the same subnet that the RNA is configured to work on, attempt to Telnet to 18.208.54.25 443 or 18.208.54.25 22.
  2. From a command prompt or the Run line in Windows, type the following command:

    telnet 18.208.54.25 22

    If an SSH banner is not received back, verify that the outbound traffic is not restricted based on security privileges (Policy).

  3. Since the RNA is not "logging in" as an authenticated user on your network, it will not receive the policies in effect to allow it to transmit data.

  4. Add a specific rule to your Perimeter Security Device/IDS/Web Filtering devices to allow all outbound traffic to use 18.208.54.25 on ports 443 or 22.

    1. Contact the IDS/IPS monitoring company to ensure that the IP is not blocklisted.
    2. Request that the IP address be allowlisted instead.

Firewall

  • In some cases, a firewall outbound rule may be necessary to permit the RNA to communicate with IP 18.208.54.25 via port 443 (for TryFrontline.Cloud evaluation: 52.20.219.197 via port 443).
  • If your firewall has a service policy configured, an exception is needed for the RNA. In cases where that is not possible (e.g. service policy is global), the RNA will need to be replaced with a virtual RNA.

Proxy

  • If your web traffic is routed through a proxy, appropriate changes are needed to allow the RNA to establish a connection with IP 18.208.54.25 via port 443 (for TryFrontline.Cloud evaluation: 52.20.219.197). Check with your proxy administrator.

IMPORTANT: If troubleshooting efforts do not remedy this issue, or a hardware malfunction is indicated, contact your agent to coordinate a replacement.

RNA Console Version 4.0.0 and Later

Before attempting troubleshooting measures, verify there is nothing that blocks a WebSocket connection outbound, such as a firewall or web proxy.

  1. Check for the following: 

    1. Perimeter security device port restrictions

    2. IDS / IPS / Firewall / Web Proxy rules that could be blocking outbound traffic.

  2. Since the RNA is not "logging in" as an authenticated user on your network, it will not receive the policies in effect to allow it to transmit data.

  3. Add a specific rule to your Perimeter Security Device/IDS/Web Filtering devices to allow all outbound traffic to the domains specified in the Troubleshooting section.

    1. Contact the network security device monitoring company to ensure the domains are not block-listed.

    2. Request the domains be allow-listed instead.

  4. NOTE: If there is a web proxy on the network, it may still be blocking the RNA even if the "status" command shows everything as OK. The "status" command does a basic TCP test to the required domains, which may report a domain as accessible when it is not, depending on how a web proxy or other network device responds. This has been observed with Zscaler, but other network devices may behave similarly.

Troubleshooting

If you have issues with your RNA, you may have to add a few domains to the allow list if you are using a web proxy or some other security technology that may block the outbound connection to Fortra VM.

threatapi.<lineup domain>

updates.<lineup domain>

checkpoint.<lineup domain>

docker.<lineup domain>

edge-uplink.<lineup domain>

scanner-support.<lineup domain>

Where lineup domain could be:

us.frontline.cloud

uk.frontline.cloud

tryfrontline.cloud

jp.frontline.cloud

Domains required regardless of lineup:

*.touchback.frontline.cloud

NOTE: The RNA connects to all of these domains on TCP port 443.

Testing Connectivity

Run the following utility to verify proper connectivity from the RNA console. This command can be used to check if the RNA can connect to the specified domain to help rule out connectivity issues prior to requiring support:

nc -v <domain> 443

The command checks connectivity and then prints a status message to the command line.

Additionally, it is recommended to run "traceroute -T -p 443 -n edge-uplink.<lineup domain>". It may help diagnose a connectivity issue and would be helpful to have in any submitted support requests.
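
The limitation noted above for the 4.x "status" command, and for a bare nc check, is that a completed TCP connection says nothing about who answered it. The following is an added example, not Fortra code: it builds the required domain list for one lineup and records whether a verified TLS handshake completes and which organization issued the certificate. It assumes a workstation with Python 3 on the RNA's subnet (which may be subject to different proxy policy than the RNA itself), and the function names are illustrative.

```python
import socket
import ssl

# Host labels and lineup domains as listed on this page.
LABELS = ["threatapi", "updates", "checkpoint", "docker",
          "edge-uplink", "scanner-support"]
LINEUPS = {"us.frontline.cloud", "uk.frontline.cloud",
           "jp.frontline.cloud", "tryfrontline.cloud"}


def required_domains(lineup):
    """Expand <label>.<lineup domain> for one lineup."""
    if lineup not in LINEUPS:
        raise ValueError(f"unknown lineup domain: {lineup}")
    return [f"{label}.{lineup}" for label in LABELS]


def probe(host, port=443, server_name=None, timeout=5.0):
    """Return (verdict, detail) for one endpoint.

    tcp-failed: no TCP connection could be made.
    tcp-only:   TCP connected but TLS did not complete or verify; a bare
                TCP test reports this case as reachable.
    tls-ok:     certificate verified for the name; detail is the issuer.
    """
    ctx = ssl.create_default_context()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp-failed", str(exc)
    try:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return "tls-ok", issuer.get("organizationName", "unknown issuer")
    except (ssl.SSLError, OSError) as exc:
        sock.close()  # harmless if wrap_socket already took ownership
        return "tcp-only", str(exc)


def check_lineup(lineup):
    """Probe every required domain for the lineup on TCP port 443."""
    return {domain: probe(domain) for domain in required_domains(lineup)}


if __name__ == "__main__":
    for domain, (verdict, detail) in check_lineup("us.frontline.cloud").items():
        print(f"{domain:42} {verdict:10} {detail}")
```

A "tcp-only" verdict, or a "tls-ok" verdict whose issuer is your proxy vendor rather than a public certificate authority, indicates a device on the path is answering for the domain and is useful detail for a support request.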