Virtual RNA Troubleshooting

Connectivity

Verify

  • The virtual RNA is powered on in your hypervisor (VMware, HyperV, Virtualbox, etc.).
  • The virtual RNA’s virtual network adapter is enabled in the virtual machine’s settings in the hypervisor.
  • There is activity on the network (network allows connected machine’s outbound connectivity to HTTPS sites, [for example, Google]).

  • View the console of the vRNA and see if there are any error messages on reboot. (Keep connected. See below.)

Configuration Verification

Verify the TCP/IP settings assigned to the RNA. These settings can be viewed by drilling into the Internal Network Profile within Fortra VM. They include:

  • IP Address - The IP address for the scanner.

  • Netmask - The subnet mask for the scanner.

  • Gateway - The IP address for the gateway device available to the scanner.

  • Primary DNS - The IP address for the DNS server available to the scanner.

External RNA IPs

The RNA will utilize the following external IP addresses as the source of scanning traffic. Set these IPs to your allow lists to facilitate all Fortra VM scanning.

us.frontline.cloud External RNA IPs

NOTE: us.external-scanners.frontline.cloud is the domain that resolves to most of the external RNAs for the US lineup. It can be used by those that can allow by domain and would prefer fewer entries.

3.91.114.138

3.138.53.66

3.141.139.5

3.141.173.8

3.146.42.96/27

3.217.24.124

3.219.143.59

3.222.21.65

3.234.19.229

18.119.31.28

18.189.0.135

18.233.91.252

44.213.167.13

52.13.110.124

52.32.146.206

52.39.199.83

54.144.81.241

54.190.210.87

54.191.129.125

209.163.151.0/24

uk.frontline.cloud External RNA IPs

NOTE: uk.external-scanners.frontline.cloud is the domain that resolves to most of the external RNAs for the UK lineup. It can be used by those that can allow by domain and would prefer fewer entries.

3.8.36.25

13.50.164.192/27

35.178.136.143

35.178.163.231

jp.frontline.cloud External RNA IPs

NOTE: jp.external-scanners.frontline.cloud is the domain that resolves to most of the external RNAs for the JP lineup. It can be used by those that can allow by domain and would prefer fewer entries.

18.177.132.124

18.178.24.42

18.178.53.188

18.182.162.60

35.75.27.80

se.frontline.cloud External RNA IPs

13.50.164.192/27

ch.frontline.cloud External RNA IPs

51.34.10.61

51.34.12.160

51.34.16.114

51.34.5.57

Debugging Console

From the RNA console, select Console for network debugging.

It is recommended that you run the status, and ping commands first to determine if you have basic network connectivity.

RNA Console

The following terminal commands are available to troubleshoot network connectivity:

ping Measures transit delay of packets (network latency) across the IP network
traceroute Displays the route (path) and measures transit delay of packets (network latency) across the IP network
ifconfig Displays the network configuration on the Ethernet adapter currently in use
route Displays the routes in the routing table
nc Creates TCP / UDP connections to test connectivity to other hosts
toggle Toggles between ports 443 and 22 for support mode, if you experience connectivity issues with either port when trying to configure support mode.
status Verifies the RNA can connect to the required domains. If you receive a failure, verify outbound perimeter security device access to the required domains.
exit Exits the console
reboot Reboots the RNA
factory-reset Resets the RNA back to factory defaults. Re-activation is required for the RNA to be used for scanning again.
support-test Verify support mode connectivity.

Common Issues and Solutions

To determine which version of the RNA platform you're running, locate the core version description for the activated RNA in question. From the navigation pane, select the Scan Settings > Scanners. Select the RNA you're investigating and scroll down to locate the Installed Software section. The core item lists the RNA platform version.

RNA Console

Before attempting troubleshooting measures, verify there is nothing that blocks a WebSocket connection outbound, such as a firewall or web proxy.

  1. Check for the following: 

    1. Perimeter security device port restrictions

    2. IDS / IPS / Firewall / Web Proxy rules that could be blocking outbound traffic.

    2. Since the RNA is not "logging in" as an authenticated user on your network, it will not receive the policies in effect to allow it to transmit data.

  2. Add specific rule to your Perimeter Security Device/IDS/Web Filtering devices to allow all outbound traffic to the domains specified in the Troubleshooting section.

    1. Contact the network security device monitoring company to ensure the domains are not block-listed.

    2. Request the domains be allow-listed instead.

    3. NOTE: If there is a web proxy on the network, it's still possible that it's blocking the RNA even if the "status" command shows everything as OK. The "status" command does a basic TCP test to the required domains which may return that it is accessible when it is not based on the response of a web proxy or other network device. This has been observed with Zscaler, but other network devices may also behave similarly.

Troubleshooting

If you have issues with your RNA scanner, you may have to add a few domains to the allow list if you are using a web proxy or some other security technology that may block the outbound connection to Fortra VM.

IMPORTANT: Your RNA scanner requires access to outbound TCP port 443 for all domains, unless otherwise specified.

threatapi.<lineup domain>

updates.<lineup domain>

checkpoint.<lineup domain>

docker.<lineup domain>

edge-uplink.<lineup domain> - Uses a secure Websocket connection. You may need to allow outbound TCP port 443 in your web proxies or other security software.

scanner-support.<lineup domain> - Uses SSH and outbound TCP ports 443 or 22. Use the toggle command to switch between ports 443 and 22 when remote support is enabled.

Where <lineup domain> above could be:

us.frontline.cloud

uk.frontline.cloud

jp.frontline.cloud

se.frontline.cloud

ch.frontline.cloud

Domains required regardless of lineup:

*.touchback.frontline.cloud - The subdomains for this domain are dynamically generated during scans. To allow some vulnerability detections to function, the scanned host will need to attempt to resolve the dynamically generated domain.

Testing Connectivity

Run the following utility to verify proper connectivity from the RNA console. This command can be used to check if the RNA can connect to the specified domain to help rule out connectivity issues prior to requiring support:

nc -v <domain> 443

The command checks connectivity and then prints a status message to the command line.

Additionally, it is recommended to run traceroute -T -p 443 -n edge-uplink.<lineup domain>. It may help diagnose a connectivity issue and would be helpful to have in any submitted support requests.