Hello all,

I have set up a WMI scan in my PacketFence but I can't see any results: no tab is generated for the WMI scan under nodes, nor can I see any logs for the scan.

When using the wmic command from the PacketFence server, I can see the results but nothing in my Web API. What could be the problem?

On Tue, Mar 2, 2021, 18:12 NITISH AGGARWAL <[email protected]> wrote:

> Sorry to disturb you again, Ludovic.
>
> I have set up a WMI scan in PacketFence. In the WMI rule I am using the
> antivirus check rule and added the WMI scan engine in the connection
> profile as well.
>
> After this, I can't see any event generated by the WMI scan on my node,
> neither can I see a security event generated nor a new tab created for the
> WMI scan.
>
> When I check WMI connectivity to the endpoint using the "wmic" command from
> the PacketFence server, I can see a successful response. Can you help me
> with what went wrong with this?
>
> On Mon, Mar 1, 2021, 18:31 Ludovic Zammit <[email protected]> wrote:
>
>> Hello,
>>
>> I believe it’s because it’s an internal check to see if that node needs
>> something to be done.
>>
>> You can try it out to see if it works; for a Symantec check that could
>> work because it does not require the IP address of the device to do that
>> check on the Symantec service.
>>
>> Most of the scans require the IP address of the device in order to start
>> to scan the host, for example the WMI; that's why the DHCP ACK is very
>> important.
>>
>> Thanks,
>>
>> Ludovic Zammit
>> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>> (http://packetfence.org)
>>
>> On Feb 27, 2021, at 12:15 AM, NITISH AGGARWAL <[email protected]>
>> wrote:
>>
>> Thank you Ludovic for your help so far.
>>
>> I have one more question: if PacketFence is not checking for provisioning
>> without DHCP, then why is it generating security events as Provisioning
>> Enforcement against the node?
>>
>> On Fri, Feb 26, 2021, 23:00 Ludovic Zammit <[email protected]> wrote:
>>
>>> Yes, you could do a WMI scan on post registration that checks if a
>>> process is there or not.
>>>
>>> You need an account that has administrative rights on the device that you
>>> check.
>>>
>>> Thanks,
>>>
>>> Ludovic Zammit
>>>
>>> On Feb 26, 2021, at 12:03 PM, NITISH AGGARWAL <[email protected]>
>>> wrote:
>>>
>>> But I can see a security event triggered for SEPM provisioning on the node.
>>> But the problem is it is actually not restricting access.
>>>
>>> Can I use a WMI scan in my environment?
>>>
>>> Thanks.
>>>
>>> On Fri, Feb 26, 2021, 22:31 Ludovic Zammit <[email protected]> wrote:
>>>
>>>> No DHCP, no provisioner.
>>>>
>>>> Thanks,
>>>>
>>>> Ludovic Zammit
>>>>
>>>> On Feb 26, 2021, at 11:52 AM, NITISH AGGARWAL <[email protected]>
>>>> wrote:
>>>>
>>>> I do not have a DHCP server installed, no provisioning for DHCP. It's all
>>>> static IP.
>>>>
>>>> On Fri, Feb 26, 2021, 22:21 Ludovic Zammit <[email protected]> wrote:
>>>>
>>>>> Does PF receive DHCP ACK from the production DHCP server?
>>>>>
>>>>> Did you install the DHCP sensor?
>>>>>
>>>>> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_microsoft_dhcp_sensor
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Ludovic Zammit
>>>>>
>>>>> On Feb 26, 2021, at 11:44 AM, NITISH AGGARWAL <[email protected]>
>>>>> wrote:
>>>>>
>>>>> As such there is no restriction on when to check for provisioning,
>>>>> although I have selected the option of checking after registration of
>>>>> the device.
>>>>>
>>>>> On Fri, Feb 26, 2021, 22:11 Ludovic Zammit <[email protected]> wrote:
>>>>>
>>>>>> Provisioner workflows are triggered by DHCP traffic seen from the
>>>>>> Production or Registration networks.
>>>>>>
>>>>>> When do you want to check if Symantec is installed?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Ludovic Zammit
>>>>>>
>>>>>> On Feb 26, 2021, at 11:40 AM, NITISH AGGARWAL <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>> Yes... as I connect the device it goes into the registration VLAN and
>>>>>> then if it is in the domain it gets authenticated and the VLAN changes
>>>>>> as per the switch.
>>>>>>
>>>>>> Dot1x is working fine... but the problem is with Symantec. How to check
>>>>>> if the end device has the Symantec client installed and working?
>>>>>>
>>>>>> On Fri, Feb 26, 2021, 22:07 Ludovic Zammit <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> Your devices that connect on PF are statically IP addressed?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Ludovic Zammit
>>>>>>>
>>>>>>> On Feb 25, 2021, at 9:55 AM, NITISH AGGARWAL via PacketFence-users <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have set up PacketFence ZEN as per the guide. I can see dot1x
>>>>>>> authentication working with MSCHAPv2 auth, so non-domain users are not
>>>>>>> getting access, which is required. I am using auto-registration in the
>>>>>>> connection profile.
>>>>>>>
>>>>>>> Second, I have to check for Symantec on my endpoints. I have set up
>>>>>>> SEPM provisioning as per the document. During authentication, I can see
>>>>>>> a security event generated for provisioning on my node in PacketFence,
>>>>>>> but my end device got access to the intranet no matter whether Symantec
>>>>>>> is installed on it or not.
>>>>>>>
>>>>>>> I have tried everything I could. I need some help in this case. I am
>>>>>>> using static IPs and a Cisco 2960.
>>>>>>>
>>>>>>> I need devices to be registered if they are both domain connected
>>>>>>> and have SEPM installed.
>>>>>>>
>>>>>>> Any help will be appreciated. Thanks in advance...

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
