Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

App Control: How To Troubleshoot Approvals Out of Date

App Control: How To Troubleshoot Approvals Out of Date

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Objective

How to troubleshoot Agents reporting to the Console as Approvals out of Date.

Resolution

  1. Verify the Agent is currently showing as Connected in the Console.
  2. Verify the Agent is not the Agent Upgrade cycle, as this will prevent CL Updates.
  3. Verify the Server-Agent Certificate in the Console > System Configuration > Security is not expired, and formatted correctly.
    • Common Name shown should match Server Address from the General tab.
    • Expiration Date should be in the future.
    • A matching Certificate should be listed in the Trusted Communication Certificates list at the bottom of the Security tab, and Trusted.
  4. Verify the Resource Download Location in System Configuration > Advanced is still accurate, and contains the necessary files.
  5. Verify the IIS Certificate bound to Port 443 is not expired, and formatted correctly
    • Common Name shown should match Server Address from the General tab.
    • Expiration Date should be in the future.
    • A matching Certificate should be listed in the Trusted Communication Certificates list at the bottom of the Security tab, and Trusted.
  6. Verify the required ports for App Control are available to the Server Address. By default these are 41002 and 443.
  7. Verify whether a Proxy or other Network Appliance is between the Agents and App Control Server.
    • If a certificate exists on the Proxy or other Network Appliance, it must be imported & Trusted in the Trusted Communication Certificates list.
    • If SSL Inspection is enabled the Agents will reject the modified packets.
    • If any other authentication (such as 2FA) is enabled for 41002 or 443 the Agents may fail to properly communicate.
  8. Verify the TrustedCertList.pem file is not corrupt.

If the issue persists, the Disconnected Agent Logs will be required to properly begin an investigation into these communication issues:

Related Content


Labels (1)
Tags (2)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎11-14-2022
Views:
368
Contributors