How do I schedule reports on Policy Manager 14.x?
You can configure Web Reporting to send regular reports by email to one or more recipients. To send the reports by email, you need to enter the mail server details in Policy Manager Console. To do this:
Select Tools > Server configuration and click the Mail tab. Enter the mail server address and authentication information. Enter the address that you want to display as the sender in the report emails. This does not have to be a valid email address. Click OK.
To configure the report scheduling:
Note: You cannot schedule reports for individual hosts, only for domains. You can use the root domain if you want the reports to cover all configured domains.
Use semi-colons to separate multiple addresses.
If you choose to send the reports on a monthly basis, the reports for each month are automatically sent on the first day of the following month.
On the Web Reporting main page, select Scheduled reporting. On the policy domain tree, select the domain that you want to use for the reports. Note: You cannot schedule reports for individual hosts, only for domains. You can use the root domain if you want the reports to cover all configured domains. In the Recipient emails field, enter the email addresses that should receive the reports. Choose whether to send the reports daily, weekly or monthly.
If you want to send the reports on a weekly basis, select the weekday. If you choose to send the reports on a monthly basis, the reports for each month are automatically sent on the first day of the following month.
Select which reports you want to send.
The listed recipients will receive the selected reports in HTML format according to your settings. If you want to check that the report emails are delivered correctly, click Send reports now.
For more information: https://help.f-secure.com/product.html#business/policy-manager/latest/en/task_4644F99989CB41A4BD5BBC5FE87919A2-latest-en
Article no: 000003775
How does the firewall automatic selection in Policy Manager function? What mechanism should I set up the automatic selection profile?
To set the firewall automatic selection profile changes to work, create the autoselect rule based on conditions such as gateway IP, DNS, etc. As an example, when the Windows Firewall profile is changed to different networks (public, private, domain), there is network change happening too. This can be used as the condition for firewall automatic selection rule to trigger.
When a host is connected to Domain network, it will use default firewall profile "Office, file and printer sharing". When a host is connected to Public network and assign to DHCP IP address, it will switch to firewall profile "Server". When a host is connected to Private network that communicate to gateway IP (Example: 192.168.1.103), it will switch to firewall profile "My test firewall profile".
Note that the firewall automatic selection is based on rules priority. The rule consists of two conditions: Method1/Argument1 and Method2/Argument2. When both conditions are met, the profile specified in the rule is selected. The rules are evaluated whenever changes in the network interfaces are detected, and the rule with the highest priority is applied in case there are more than one matching rule. If none of the rules match, the profile will remain unchanged. Therefore a fallback rule, with both methods set to Always, is usually put at the bottom of the rule set. Supported methods and arguments:
Never: Never true (argument ignored) Always: Always true (argument ignored) DNS Server IP Address: IP address given as the argument matches with a DNS server DHCP Server IP Address: IP address given as the argument matches with a DHCP server Default Gateway IP Address: IP address given as the argument matches with the default gateway My Network: IP address given as the argument falls within the LAN subnet of the host Dialup: A dial-up connection is open (argument ignored)
In IP address arguments, the asterisk (*) may be used as a wildcard, but only in place of whole pieces of the address. For instance 172.16.*.*, but not 172.16.*10.* or 172.16.*. Example: Method1 = Default Gateway IP Address Argument1 = 188.8.131.52 Note: The Argument value is irrelevant for Always, Never and Dialup methods.
Article no: 000013127
The symptoms include
clients are unable to download updates from the Policy Manager Server clients are unable to upload status information to the Policy Manager Server and will eventually show up in Policy Manager Console as disconnected hosts
However, clients might still be able to download updates because in the default configuration, fallback to F-Secure update servers is allowed. A couple of logfiles on the endpoont help to establish, if the client is having a connection problem due to the firewall blocking access on the server. Examples are for Client Security 14 but also apply for Server Security 14 and later. Policy Manager Server here is pms.acme.com listening on default ports 80 and 443. C:\ProgramData\F-Secure\Log\AUA\Aua.log 2019-10-02 12:07:25.311 [15d4.1d50] I: Connecting to pms.acme.com:80/guts22019-10-02 12:07:46.349 [15d4.1d50] I: Update check failed, error=110 (connection timed out) Same is also visible in this logfile: 2019-10-02 12:17:37.502 [15d4.1d68] I: UpdatablePmCertVerifier::RenewCertificates: Renewing certificates from pms.acme.com:443 with HTTP proxy ''2019-10-02 12:17:58.535 [15d4.1d68] *E: UpdatablePmCertVerifier::RenewCertificates: Failed to download certificate bodies (FsHttpRequest::Error_Timeout, AsyncSendRequest failed: 12002)2019-10-02 12:18:07.536 [15d4.1d68] I: UpdatablePmCertVerifier::RenewCertificates: Renewing certificates from pms.acme.com:443 with HTTP proxy '' Error 12002 translates to 12002 ERROR_INTERNET_TIMEOUT The request has timed out.
Server Security 14 uses the Windows Firewall. It is likely that the ports that the HTTP and HTTPS services are using are blocked in the firewall on the server where Policy Manager Server is installed in. This would cause the clients to be unable to be in contact with the Policy Manager Server. To resolve the issue, create a firewall rule allowing inbound HTTP and HTTPS traffic to the server where Policy Manager Server is installed. You can find instructions how to create firewall rules in Policy Manager 14 in this guide. Things to consider:
Make sure, the firewall rule is enabled. This is the first checkbox in the Firewall rules table. Make sure, the Server profile containing the rule is assigned as the "Server host profile". In the example below, the profile is called Server (cloned). The other rules in the profiles in this screenshot are also activated but this is is not needed to meet client Policy Manager Server communication requirements. As this particular rule is only required for the server host running Policy Manager Server, we have selected the server before making the change (the server called here DC1-PETERF)
Article no: 000016843
Via proxy or direct connection, F-Secure Client Security is not receiving updates from Policy Manager. The following errors are visible in C:\ProgramData\F-Secure\Log\AUA\AUA.log: [ 8068]Thu Aug 30 11:15:32 2018(3): Connecting to http://<Policy Manager IP address>/guts2/ via http proxy <Proxy IP address> [ 3488]Thu Aug 30 11:15:32 2018(3): Update check failed. There was an error connecting http://<Policy Manager IP address>/guts2/ via http proxy Proxy IP address (Server error) Thu Aug 30 11:15:32 2018(3): Connecting to http://Policy Manager IP address/guts2/ (no http proxy) [ 3488]Thu Aug 30 11:15:32 2018(2): Update check failed. There was an error connecting http://<Policy Manager IP address>/guts2. (Unspecified error) Thu Aug 30 11:17:41 2018(3): Connecting to http://Policy Manager IP address/ via http proxy Proxy IP address [ 3488]Thu Aug 30 11:17:41 2018(3): Update check failed. There was an error connecting http://Policy Manager IP address/guts2/ via http proxy Proxy IP address (Server error)
Test the connectivity from the host to Policy Manager Server by using the HTTP and HTTPS protocol:
Open any web browser on the host that has F-Secure Client Security installed. Enter the IP address of the Policy Manager and press Enter. Repeat the test, only this time by using the HTTPS protocol (for example https://192.168.0.10:443/).
If the HTTP (automatic updates) and HTTPS (management agent) connections are working, the web page should display the following information:
If the connection fails, troubleshoot the network connectivity between the host and Policy Manager at your end. Verify whether the host and the server have permission to connect to each and other (for example corporate firewall, proxy). If the intermediate proxy is a PMP instance and the clients are unable to download updates via it, ensure that PMP can connect to the internet directly as the default configuration for the proxy is forward mode. In this mode, updates are downloaded via PMP but from the internet and not from Policy Manager Server. This configuration is controlled by changing the proxy mode to either reverse or forward. Reverse vs. forward modes define whether the virus definitions and software updates are retrieved directly from the internet or from the configured upstream Policy Manager Server or other proxy. Forward proxy is used to minimize traffic between networks, for example between a branch office and HQ. Reverse proxy is used for example in environments where the proxy has no direct connection to the internet, or to minimize the load on the master server (or other forward proxy). By default the proxy is installed in forward mode. Set "-DreverseProxy=true" additional Java argument to switch it to the 'reverse' mode. You can verify whether PMP can download updates by checking the c:\program files (x86)\Management Server 5\logs\fspms-download-updates.log file. The following message is an example of downloading updates failing: 26.03.2019 14:47:44,034 ERROR [c.f.f.s.g.d.DownloadUpdatesService] - Error while checking latest updates org.apache.http.conn.ConnectTimeoutException: Connect to guts2.sp.f-secure.com:80 [guts2.sp.f-secure.com/184.108.40.206, guts2.sp.f-secure.com/220.127.116.11] failed: connect timed out.
Article no: 000006708
Clients are not able to get updates from the Policy Manager server Virus definitions shows later than the Policy Manager is Serving Update server is shown as wait.pmp-selector.local Policy Manager shows that Client Security is still in the old version even though on the client it is the newer version
The update server is shown as wait.pmp-selector.local until the client has successfully connected to the Policy Manager Server for the first time after the upgrade or installation. This is an indication that there is a connectivity issue between the clients and the Policy Manager server. First, check that you have set the correct Policy Manager Server address when exporting the installation file. You can check if the address is correct and if the HTTP connection works by opening a web browser on a client and then entering the Policy Manager Server address and the HTTP port in the address field. Example: 10.132.2.19:80 Client Security 13 and earlier versions supported fallback to using HTTP connection if HTTPS did not work. Please check that both the HTTP and HTTPS ports are open in the firewall on the Policy Manager Server. By default Policy Manager listens to HTTP port 80 and HTTPS port 443, but these can be changed during installation. Check that you have entered the correct Policy Manager Server address, HTTP port and HTTPS port when creating the installation file. If you have used the wrong address or ports when creating the installation file, you will need to reinstall the product with a new installation file with the correct settings.
If you are using Policy Manager Proxy in your environment, try these steps:
Make sure that Policy Manager proxy servers are updated to 14 versions For Client Security 14 clients HTTPS connection support is required and for versions 13 and earlier it was not "Allow fallback" is not mandatory if everything is configured properly
If you are not sure if it is configured properly, allow the option Fall back to Policy Manager Proxy which can be found under Automatic Update Agent in Policy Manager Console. If you cannot find an issue with your configuration, open a support request and submit an FSDiag diagnostic file from the Policy Manager Server and one of the affected client for further analysis and troubleshooting.
Article no: 000009396
User get the following error message when trying to log in to Policy Manager Console:
Cannot connect to server: authorization failed because the specified user credentials are invalid.
This error message appears because you are using either a wrong username or password when logging in. The default username when logging in to Policy Manager Console is Admin. The password for the Admin account was set at installation, and if you do not know the correct password for the Admin account, you can reset it by following these steps:
Shut down the F-Secure services Open command line prompt as administrator Run the reset-admin-account.bat from this location: C:\Program Files (x86)\F-Secure\Management Server 5\bin\ Enter your new password Start the F-Secure services Try to log in to Policy Manager Console.
To change the password for any other Policy Manager Console user account, use the following instructions:
Log in by using the Admin account (If needed, reset the password for the set Admin account by using the above instructions) To use the setting, in Policy Manager Console select Tools > Users To change the password, delete the existing user account Recreate the account. This option allows you to configure a new password for the set account.
Article no: 000009319
I am unable to have connectivity for my computer running a Business Suite product. We are using WPAD (Web Proxy Auto-Discovery protocol) to deploy http proxy server settings. Does Business Suite support WPAD for http proxy setting deployment?
WPAD is not officially tested nor supported by the Business Suite products, including Policy Manager.
Article no: 000010593
The Policy Manager registration does not work and it returns a "Customer number is invalid" error. How to fix this?
Check the following items:
Make sure that the customer number entered during registration is a correct one (the number is visible in the license certificate). Make sure that the license is still valid (the information is visible in the license certificate).
Article no: 000015351
Windows Management Instrumentation (WMI) Integration with F-Secure Policy Manager for Windows
F-Secure Policy Manager supports Windows Management Instrumentation (WMI) Integration. Policy Manager 13.xx Refer to the F-Secure Policy Manager admin guide Chapter 18, page 113 for more information. Policy Manager 14.xx Refer to the F-Secure Policy Manager admin guide Chapter 10, page 97 for more information. Instructions on how to obtain properties via WMI:
For PSB, check the following link: https://help.f-secure.com/product.html#business/psb-portal/latest/en/task_D863946C3247471F948CD82785CC1A3A-psb-portal-latest-en For Business Suite, check the following link: https://help.f-secure.com/product.html#business/policy-manager/14.20/en/concept_E55FFF0187A54B79B30637C7983BDCC8-14.20-en
Article no: 000002821
How can I manually isolate hosts from the network with Policy Manager?
You can isolate one or more hosts from the network. Note: Use network isolation with caution and only in case of a network attack.
To isolate a host from the network:
Select the target host in the policy domain tree Go to the Operations tab Click Isolate under Network isolation. This isolates the selected host from the network To reconnect an isolated host to the network, click Release on the Operations tab.
Isolated hosts are shown on the Host issues section of the dashboard. This feature is only available in Policy Manager 14.10 and newer.
Article no: 000015929
How to migrate the F-Secure Policy Manager Server to the new Windows Server?
If you want to keep the DNS name, just move h2db to the new host, stop the old host and start the new one. If you change the DNS name of the server, you must follow the instructions below: Please read the following instructions completely before you start working on the server. Create a backup of the PMS: 1. Stop the Policy Manager Server service. 2. Back up the directory <F-Secure Installation Folder> \ Management Server 5 \ data \ h2db>. 3. Restart the Policy Manager Server service. Now perform the installation on the new server. The current installation file can be found on our website: https://www.f-secure.com/en/web/business_global/downloads/policy-manager Note: To avoid the communication issues, use exactly the same ports by the installation like for the old F-Secure Policy Manager Server . To restore secured Policy Manager data: 1. Stop the Policy Manager Server service. 2. Copy the backup to the <F-Secure Installation Folder> \ Management Server 5 \ data \ h2db> directory to the correct location. 3. Restart the Policy Manager Server service. After the installation is complete, the new F-Secure Policy Manager Server has the complete domain structure, including the settings. After logging into the old server using the Policy Manager Console, enter the address of the new Policy Manager Server <F-Secure Management Agent / Data Communication / Protocols / HTTP / Management Server Address> and distribute the policies for all your policy domain. Now all clients will connect the new server. Once all clients are connected without errors with the new Policy Manager Server, you can turn off the old one. The procedure is also discussed in the following community article: https://community.f-secure.com/t5/Business/i-need-to-move-policy-manager-to/m-p/13961
Article no: 000002290
The DeepGuard status of a F-Secure Client Security 14.0x client in Policy Manager in the Overall Protection section, the status is shown as "Unknown".
This is a known issue and an upgrade to F-Secure Client Security version 14.10 or newer fixes the issue. The older Client Security 14 do not have the upload of DeepGuard module version to Policy Manager enabled.
Article no: 000012983
Policy Manager Console runs slow and unable to connect to Policy Manager.
Make sure your Policy Manager and Policy Manager Console are the same version. Otherwise connection will not work. If both are the same version it could be due to having very high number of alerts, or very high volume of scanning reports being kept in Policy Manager Server. This would slow down the console.
You may remove some of the alerts, or scanning reports to improve the performance. If the above mentioned does not help, proceed to do the following:
Stop F-Secure Policy Manager Server service. Backup the H2DB (...\F-Secure\Management Server 5\data\h2db). DO NOT proceed further without having a working H2DB backup in place. Run the database maintenance tool (...\F-Secure\Management Server 5\bin\fspms-db-maintenance-tool.exe) and follow the on-screen instructions to optimize the database. Start F-Secure Policy Manager Server service. Log on to Policy Manager Console.
In case issue remain, you can execute the H2DB recovery tool (...\F-Secure\Management Server 5\bin\fspms-db-recover.bat) in the command prompt window, to repair the H2DB. Note: Do stop F-Secure Policy Manager Server service before running the tool. If necessary, you can refer to the read me file (..\F-Secure\Management Server 5\bin\README-recover-db.txt) on how to execute the H2DB recovery tool. Once you have finish repairing the H2DB using the tool, you can proceed to take the repaired H2DB into used, and start back F-Secure Policy Manager Server service. Try to logon to Policy Manager Console again after this.
Article no: 000010142
After the file SHA-1 hash and file path is excluded in F-Secure Client Security 13.x/14.x, Deepguard continues to block the application.
If you are using F-Secure Policy Manager version 14, in Real-time scanning the option "Do not scan the following files and applications" is only applicable for F-Secure Client Security 14 and newer. In order to exclude an application path from Deepguard for F-Secure Client Security 13.x, do the following:
Log in to Policy Manager Console. Click on the Settings tab. Click Advanced View. Click F-Secure DeepGuard. Click Settings. Click Excluded applications. Enter the full path of the application. Distribute the policies.
If you are using F-Secure Client Security 13.10, kindly upgrade to 13.11 since the latest version has improvements for Deepguard. Wildcard exclusions are only applicable for Real-time scanning. For Deepguard exclusion, kindly use file or folder path. F-Secure Security Cloud (ORSP) has a higher priority compared to SHA-1 exclusions. Only file or folder path exclusion has higher priority over ORSP.
If the exclusions were done for F-Secure Client Security 14.10 and the application is still being blocked, kindly contact F-Secure Customer Care here for assistance.
Article no: 000009628
The Allow button to Restore files from quarantine is grayed out in Client Security 14.10 . How can I allow this from Policy Manager?
You can allow a local user to restore files sent to quarantine by following these steps:
Log in to Policy Manager console. Select a host or domain from the Domain Tree. Go to the Settings tab. Go to the Real-time scanning page. Uncheck Prevent users from adding scanning exclusion.
6. Distribute the new policy to the hosts. Note: By default the "delete" option in Client User Interface is allowed, as the option "delete" does not contain any risk.
Article no: 000012976
How to migrate from Client Security to Computer Protection using Policy Manager?
Kindly follow the steps explained here on migrating from Client Security to Computer Protection using Policy Manager Console. NOTE: The bs2cp_psb*.jar file that needs to be downloaded is dependable on which F-Secure PSB portal you have your F-Secure PSB Computer Protection subscription in and not the region where you are located. EMEA: https://emea.psb.f-secure.com/ AMER: https://amer.psb.f-secure.com/ APAC: https://apac.psb.f-secure.com/ EMEA2: https://emea2.psb.f-secure.com/ EMEA3: https://emea3.psb.f-secure.com/ Your login credentials will only be applicable to one of these portals, therefore, the bs2cp_psb*.jar file is dependent on this.
Article no: 000007334
New updates for some software such as Citrix Receiver appear on the Software Updates list in Policy Manager console Software Updater. Whenever I try to download and install them, I receive the following status message: The update package must be downloaded manually. What does it mean and how can I install the newest updates?
The message means that the updates must be downloaded directly from the Citrix Receiver official website. After downloading the updates, install them manually as it is not possible to do it via the Policy Manager console or by using Software Updater. The reason why it is not possible is that more and more sites require authentication (e.g. "I'm not a robot" captcha). In those cases where Software Updater cannot download the updates, it advises that an update is available and can be installed manually to ensure security.
Article no: 000014817
The F-Secure Client Security products started sending security alerts to F-Secure Policy Manager for every single blocked URL. This started when F-Secure Online Safety 2019-09-02_02 update was released. The security alerts have following details:
Unknown alert: online_safety.page.block.
The fix was released in the F-Secure Online Safety 2019-09-10_01 update package. The update is installed automatically and does not require user or administrator actions.
Article no: 000015569
I would like to register my F-Secure Policy Manager Server which is not connected to a network (offline), how do I proceed?
Contact F-Secure support by opening a support request (https://www.f-secure.com/en/web/business_global/support/support-request) Provide the following information for F-Secure technical support to create an offline registration file:
Account Name Customer ID Installation ID Business Suite license Expiry date
How to obtain Customer and Installation ID:
Open F-Secure Policy Manager console, and go to Help menu > Registration dialog, or; Find the information from the Policy Manager Server installation folder, ...\F-Secure\Management Server 5\Data (Windows) or /var/opt/f-secure/fspms/data (Linux), open the file called upstream-statistics.json using notepad. Customer ID is on line 5 and Installation ID is on line 6.
Once support has provided you with an offline registration file, use the following steps to activate it on your Policy Manager Server Windows:
Copy the offline registration file to the folder F-Secure\Management Server 5\data Restart the F-Secure Policy Manager Server services by typing the following command in an elevated command prompt (CMD):
net stop fsms net start fsms
Copy the offline registration file to the folder /var/opt/f-secure/fspms/data Restart the fspms daemon:
# /etc/init.d/fspms restart
F-Secure Policy Manager will be activated until the expiry of your current subscription. After renewing the subscription you need to request a new registration token from support. Make sure to do this some time in advance so that you don't end up with an expired Policy Manager Server.
Article no: 000001107
The firewall rules pushed from Policy Manager 14.x to Client Security 14.x clients do not appear in the Windows firewall.
Check that you have edited the same profile that is in use on the client. This can be done by following these steps:
Open F-Secure Policy Manager Console Select the host or domain from the Domain tree Go to the Settings tab Go to the Firewall page Check that Host profile and Profile being edited match
If they match, the reason why the rule is not applied on the client is because it is an invalid rule. If the rule has many IP addresses in it, make sure that you have used a comma ( , ) in between each IP range as a value separator. Using a space or semicolon ( ; ) in between the IP ranges will invalidate the rule and it will not be visible in the Windows Firewall.
Article no: 000011310
Logging in to the Policy Manager Console returns an error message: "F-Secure Policy Manager Console cannot start: internal error. See Administrator.error.log for more information." The Administrator.error.log contains several SQL-related entries with "error code :The total number of locks exceeds the lock table size"
These SQL-errors are in most cases related to the value innodb_buffer_pool_size, and increasing this value usually fixes the issues. The value is verified by looking it up in the my.ini file on the MySQL-server, where it can also be increased as needed. Due to the large possible variations in user environments we are not able to give a direct number that this value should be set to. You can look for additional guidance from the MySQL Reference Manual and try an incremental approach, making several smaller changes and monitoring the results. After modifying the value in the my.ini file, restart the MySQL-server and the Policy Manager Server to make sure everything is running with the latest configuration. Note: Observe that getting or setting the value through Command line does not show or modify the correct value for every version of MySQL. To guarantee that the value is set correctly all changes need to happen via interaction with the my.ini file.
Article no: 000016309
The F-Secure Client Security reports that a suspiciously small datagram fragment has been blocked How to get rid of the warning if it is a false positive?
This type of alerts might be related to a DDoS attack. If they appear on a network, they might also be a sign of a broken or wrongly configured router or device in the network, for example a printer. Proceed to investigate the issue on a network level before applying the modification below. In practice packet with a size below 128 bytes are normally considered inefficient (ratio data/data+headers). To get rid of the alert, you can change what the F-Secure firewall considers as the minimum size for a fragment. In Policy Manager, this setting has to be changed by using the Advanced view. Follow these steps:
Log into Policy Manager Console. Select the host or domain from the Domain tree. Go to the Settings tab and select the Advanced view. Navigate to F-Secure Internet Shield > Settings > Firewall Engine > Minimum fragment size. Set the Minimum Fragment Size to 0. Distribute the policy to the hosts.
Article no: 000001900
How to disable Advanced Network Protection for Client Security 14 in Policy Manager 14?
To centrally disable Advanced Network Protection from the chosen clients:
Open F-Secure Policy Manager. Choose the target host or domain from the Domain Tree. Go to the Settings tab and use Standard View. Go to Web traffic scanning section. Choose from HTTP Scanning HTTP scanning enabled and set the value as disabled. Distribute the new policy with the Distribute policies button.
Now Advanced Network protection is disabled from the target hosts.
Article no: 000008143