Corrective Action When Automatic Action Taken When a Security Risk Is Detected Fails [Trend Micro VB] [Symantec] [McAfee]

Procedure

When restarting fails

For Virtual PCs
Use the virtualization management software to restart the virtual PCs.
For SBC Servers
Restart the SBC servers from the administration screen of the iRMC.

When quarantining fails

Switch the connected network
- For Virtual PCs
  Use the virtualization management software to switch the network that the virtual NICs of virtual PCs are connected to over to the quarantine network.
- For SBC Servers
  Operate (change the VLAN of) the switches adjacent to the physical servers to switch the network that the physical servers are connected to over to the quarantine network.
Switch over to the quarantine network
Execute the rcxadm avmgr quarantine command on the corresponding L-Servers to perform switchover to the quarantine network.

If "3.1.2 Operation When Security Risks Have Been Removed [Trend Micro VB] [Symantec] [McAfee]" is performed before the above operation, discrepancies may occur in network information between the following:
- Management information of virtual PCs and Resource Orchestrator
- Management information of SBC servers and Resource Orchestrator
When switching SBC servers over to the quarantine network, the statuses of those servers on the GUI (ROR console) will become "unknown".

In configurations where there are multiple Resource Orchestrator managers, if a problem occurs in switchover to the quarantine network, use the following procedure to perform corrective action.

On the GUI (ROR console) of the first manager of Resource Orchestrator, check whether the following message has been output.
```
FJSVrcx:ERROR:67198:command execution error.quarantine failed(detail=detail)
```
If it has been output, refer to the "detail" of the message, and check the information of the Resource Orchestrator manager where the problem occurred and the error message.
- When "submgr:Resource_Orchestrator_manager_IP_address_or_FQDN" is included in detail
  
  A problem has occurred on the Resource Orchestrator manager corresponding to the IP address or the FQDN.
- When "submgr:Resource_Orchestrator_manager_IP_address_or_FQDN" is not included in detail
  A problem has occurred on the first manager of Resource Orchestrator.
Connect to the Resource Orchestrator manager where the problem occurred and take corrective action based on the error message.

If an error occurs during the network switchover operation of this function, the behavior will differ depending on the status of the corresponding virtual PCs or SBC servers.

For Virtual PCs
- When the virtual NICs of the virtual PCs have been switched to the quarantine network
  To prevent the spread of infection, the virtual NICs of virtual PCs remain connected to the quarantine network. The network of the NICs of the virtual L-Servers is switched back to the operation network.
- When the virtual NICs of the virtual PCs have not been switched to the quarantine network
  The network of the NICs of the virtual L-Servers is switched back to the operation network.
For SBC Servers
- When the NICs of the SBC servers have been switched to the quarantine network
  To prevent the spread of infection, the NICs of the SBC servers remain connected to the quarantine network. The network of the NICs of the physical L-Servers is switched back to the operation network.
- When the NICs of the SBC servers have not been switched to the quarantine network
  The network of the NICs of the physical L-Servers is switched back to the operation network.

3.1.4.1 Corrective Action When Automatic Action Taken When a Security Risk Is Detected Fails [Trend Micro VB] [Symantec] [McAfee]