Sorry to disturb you again, Ludovic. I have set up WMI scan in PacketFence. In the WMI rule I am using the antivirus check rule and added the WMI scan engine in the connection profile as well.
After this, I can't see any event generated by WMI scan on my node, neither can I see security event generated nor new tab created for WMI scan. When I check WMI connectivity to the endpoint using the "wmic" command from the PacketFence server, I can see a successful response. Can you help me what went wrong with this?

On Mon, Mar 1, 2021, 18:31 Ludovic Zammit <[email protected]> wrote:

> Hello,
>
> I believe it's because it's an internal check to see if that node needs
> something to be done.
>
> You can try it out to see if it works, for a Symantec check that could
> work because it does not require the IP address of the device to do that
> check on the Symantec service.
>
> Most of the scans require the IP address of the device in order to start
> to scan the host, for example the WMI, that's why the DHCP ACK is very
> important.
>
> Thanks,
>
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)
>
> On Feb 27, 2021, at 12:15 AM, NITISH AGGARWAL <[email protected]>
> wrote:
>
> Thank you Ludovic for your help so far.
>
> I have one more question, if PacketFence is not checking for provisioning
> without DHCP then why it is generating security events as Provisioning
> Enforcement against node.
>
> On Fri, Feb 26, 2021, 23:00 Ludovic Zammit <[email protected]> wrote:
>
>> Yes, you could do a WMI scan on post registration that checks if a
>> process is there or not.
>>
>> You need an account that has administrative rights on the device that you
>> check.
>>
>> Thanks,
>>
>> Ludovic Zammit
>>
>> On Feb 26, 2021, at 12:03 PM, NITISH AGGARWAL <[email protected]>
>> wrote:
>>
>> But I can see security event triggered for SEPM provisioning on node.
>> But the problem is it is actually not restricting access.
>>
>> Can I use WMI scan in my environment??
>>
>> Thanks.
>>
>> On Fri, Feb 26, 2021, 22:31 Ludovic Zammit <[email protected]> wrote:
>>
>>> No DHCP, no provisioner.
>>>
>>> Thanks,
>>>
>>> Ludovic Zammit
>>>
>>> On Feb 26, 2021, at 11:52 AM, NITISH AGGARWAL <[email protected]>
>>> wrote:
>>>
>>> I do not have DHCP server installed, no provisioning for DHCP. It's all
>>> static IP.
>>>
>>> On Fri, Feb 26, 2021, 22:21 Ludovic Zammit <[email protected]> wrote:
>>>
>>>> Does PF receive DHCP ACK from the production DHCP server?
>>>>
>>>> Did you install the DHCP sensor?
>>>>
>>>> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_microsoft_dhcp_sensor
>>>>
>>>> Thanks,
>>>>
>>>> Ludovic Zammit
>>>>
>>>> On Feb 26, 2021, at 11:44 AM, NITISH AGGARWAL <[email protected]>
>>>> wrote:
>>>>
>>>> As such there is no restriction on when to check for provisioning
>>>> although I have selected option of checking after registration of device.
>>>>
>>>> On Fri, Feb 26, 2021, 22:11 Ludovic Zammit <[email protected]> wrote:
>>>>
>>>>> Provisioner workflows are triggered by DHCP traffic seen from the
>>>>> Production or Registration networks.
>>>>>
>>>>> When do you want to check if Symantec is installed?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Ludovic Zammit
>>>>>
>>>>> On Feb 26, 2021, at 11:40 AM, NITISH AGGARWAL <[email protected]>
>>>>> wrote:
>>>>>
>>>>> Yes....as I connect the device it went into registration VLAN and
>>>>> then if it is in domain it gets authenticated and VLAN changes as per
>>>>> switch.
>>>>>
>>>>> Dot1x is working fine...but problem is with Symantec. How to check if
>>>>> end device has Symantec client installed and working.
>>>>>
>>>>> On Fri, Feb 26, 2021, 22:07 Ludovic Zammit <[email protected]> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> Your devices that connect on PF are statically IP addressed?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Ludovic Zammit
>>>>>>
>>>>>> On Feb 25, 2021, at 9:55 AM, NITISH AGGARWAL via PacketFence-users <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have set up PacketFence ZEN as per guide. I can see dot1x
>>>>>> authentication working with MSCHAPv2 auth, so non domain users are not
>>>>>> getting access, which is required. I am using auto-registration in
>>>>>> connection profile.
>>>>>>
>>>>>> Second, I have to check for Symantec in my endpoints. I have set up
>>>>>> SEPM provisioning as per document. During authentication, I can see
>>>>>> security event generated for provisioning on my node in PacketFence but
>>>>>> my end device got access to intranet no matter Symantec installed on it
>>>>>> or not.
>>>>>>
>>>>>> I have tried everything I could. I need some help in this case. I am
>>>>>> using static IPs and Cisco 2960.
>>>>>>
>>>>>> I need devices to be registered if they have both domain connected
>>>>>> and SEPM installed.
>>>>>>
>>>>>> Any help will be appreciated.
>>>>>> Thanks in advance...
>>>>>>
>>>>>> _______________________________________________
>>>>>> PacketFence-users mailing list
>>>>>> [email protected]
>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
