Hello,

Is Value = ccSvcHst.exd a typo? Should it be Value = ccSvcHst.exe?

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

> On Mar 4, 2021, at 11:55 PM, NITISH AGGARWAL <[email protected]> wrote:
>
> But I am using the option "Scan on registration".
>
> In the PacketFence log, there is no log for scanning or of any security event
> generation. I guess I am doing something wrong with the WMI rule setup. Can you
> help me with that?
>
> I am using the rule as:
>
> [ccSvcHst]
> Attribute = Name
> Operator = match
> Value = ccSvcHst.exd
> [1:ccSvcHst]
> Action = trigger_security_event
> Action_param = mac = $mac, tid = 1300987, type = custom
> on_tab = 1
>
> The tid I mentioned here is also configured in one security event, which
> detects this tid under its condition and executes the events as described in it.
>
> On Thu, Mar 4, 2021, 19:14 Ludovic Zammit <[email protected]> wrote:
> Hello,
>
> There is a grace time period for the security event that triggers the scan; in
> your case it's the "Post Reg System Scan" and it has a 1 hour grace time,
> meaning that it would only do one scan per hour.
>
> Maybe lower it to 2 mins.
>
> Thanks,
>
> Ludovic Zammit
>
>> On Mar 2, 2021, at 8:34 PM, NITISH AGGARWAL via PacketFence-users <[email protected]> wrote:
>>
>> Hello all,
>>
>> I have set up a WMI scan in my PacketFence but I can't see any results: no tab
>> is generated for the WMI scan under nodes, nor can I see any logs for the scan.
>>
>> When using the wmic command from the PacketFence server, I can see the results,
>> but nothing in my Web API. What could be the problem?
>>
>> On Tue, Mar 2, 2021, 18:12 NITISH AGGARWAL <[email protected]> wrote:
>> Sorry to disturb you again, Ludovic.
>>
>> I have set up a WMI scan in PacketFence. In the WMI rule I am using the antivirus
>> check rule and added the WMI scan engine in the connection profile as well.
>>
>> After this, I can't see any event generated by the WMI scan on my node; neither
>> can I see a security event generated nor a new tab created for the WMI scan.
>>
>> When I check WMI connectivity to the endpoint using the "wmic" command from the
>> PacketFence server, I can see a successful response. Can you help me with what
>> went wrong with this?
>>
>> On Mon, Mar 1, 2021, 18:31 Ludovic Zammit <[email protected]> wrote:
>> Hello,
>>
>> I believe it's because it's an internal check to see if that node needs
>> something to be done.
>>
>> You can try it out to see if it works; for a Symantec check that could work
>> because it does not require the IP address of the device to do that check
>> on the Symantec service.
>>
>> Most of the scans require the IP address of the device in order to start to
>> scan the host, for example the WMI; that's why the DHCP ACK is very important.
>>
>> Thanks,
>>
>> Ludovic Zammit
>>
>>> On Feb 27, 2021, at 12:15 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>
>>> Thank you Ludovic for your help so far.
>>>
>>> I have one more question: if PacketFence is not checking for provisioning
>>> without DHCP, then why is it generating security events as Provisioning
>>> Enforcement against the node?
>>>
>>> On Fri, Feb 26, 2021, 23:00 Ludovic Zammit <[email protected]> wrote:
>>> Yes, you could do a WMI scan on post registration that checks if a process
>>> is there or not.
>>>
>>> You need an account that has administrative rights on the device that you
>>> check.
>>>
>>> Thanks,
>>>
>>> Ludovic Zammit
>>>
>>>> On Feb 26, 2021, at 12:03 PM, NITISH AGGARWAL <[email protected]> wrote:
>>>>
>>>> But I can see a security event triggered for SEPM provisioning on the node.
>>>> But the problem is it is actually not restricting access.
>>>>
>>>> Can I use WMI scan in my environment?
>>>>
>>>> Thanks.
>>>>
>>>> On Fri, Feb 26, 2021, 22:31 Ludovic Zammit <[email protected]> wrote:
>>>> No DHCP, no provisioner.
>>>>
>>>> Thanks,
>>>>
>>>> Ludovic Zammit
>>>>
>>>>> On Feb 26, 2021, at 11:52 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>
>>>>> I do not have a DHCP server installed, no provisioning for DHCP. It's all
>>>>> static IP.
>>>>>
>>>>> On Fri, Feb 26, 2021, 22:21 Ludovic Zammit <[email protected]> wrote:
>>>>> Does PF receive DHCP ACK from the production DHCP server?
>>>>>
>>>>> Did you install the DHCP sensor?
>>>>>
>>>>> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_microsoft_dhcp_sensor
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Ludovic Zammit
>>>>>
>>>>>> On Feb 26, 2021, at 11:44 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>
>>>>>> As such there is no restriction on when to check for provisioning,
>>>>>> although I have selected the option of checking after registration of the device.
>>>>>>
>>>>>> On Fri, Feb 26, 2021, 22:11 Ludovic Zammit <[email protected]> wrote:
>>>>>> Provisioner workflows are triggered by DHCP traffic seen from the
>>>>>> Production or Registration networks.
>>>>>>
>>>>>> When do you want to check if Symantec is installed?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Ludovic Zammit
>>>>>>
>>>>>>> On Feb 26, 2021, at 11:40 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>
>>>>>>> Yes... as I connect the device it goes into the registration VLAN and then,
>>>>>>> if it is in the domain, it gets authenticated and the VLAN changes as per the switch.
>>>>>>>
>>>>>>> Dot1x is working fine... but the problem is with Symantec. How to check if the
>>>>>>> end device has the Symantec client installed and working?
>>>>>>>
>>>>>>> On Fri, Feb 26, 2021, 22:07 Ludovic Zammit <[email protected]> wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> Your devices that connect on PF are statically IP addressed?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Ludovic Zammit
>>>>>>>
>>>>>>>> On Feb 25, 2021, at 9:55 AM, NITISH AGGARWAL via PacketFence-users <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have set up PacketFence ZEN as per the guide. I can see dot1x
>>>>>>>> authentication working with MSCHAPv2 auth, so non-domain users are not
>>>>>>>> getting access, which is required. I am using auto-registration in the
>>>>>>>> connection profile.
>>>>>>>>
>>>>>>>> Second, I have to check for Symantec on my endpoints. I have set up
>>>>>>>> SEPM provisioning as per the document. During authentication, I can see a
>>>>>>>> security event generated for provisioning on my node in PacketFence,
>>>>>>>> but my end device got access to the intranet no matter whether Symantec
>>>>>>>> is installed on it or not.
>>>>>>>>
>>>>>>>> I have tried everything I could. I need some help in this case. I am
>>>>>>>> using static IPs and a Cisco 2960.
>>>>>>>>
>>>>>>>> I need devices to be registered if they are both domain connected and
>>>>>>>> have SEPM installed.
>>>>>>>>
>>>>>>>> Any help will be appreciated. Thanks in advance...
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
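Added example, not PacketFence's own code and not posted by anyone in this thread: a small Python simulation of the WMI rule block quoted above, showing why a Value of ccSvcHst.exd never fires against a process list that contains ccSvcHst.exe, while the corrected .exe value does. It assumes that "match" is a case-insensitive regex search of Value against the named attribute and that the attribute is a Win32_Process-style Name column; the rule text and process names are constructed.

```python
import re

# Constructed copy of the WMI rule block posted in the thread, in the INI-like
# style of PacketFence's wmi.conf: "[name]" is a test, "[N:name]" its action.
RULE_TEXT = """
[ccSvcHst]
Attribute = Name
Operator = match
Value = ccSvcHst.exd
[1:ccSvcHst]
Action = trigger_security_event
Action_param = mac = $mac, tid = 1300987, type = custom
on_tab = 1
"""
# Constructed sample rows, shaped like a Win32_Process query result.
SAMPLE_PROCESSES = [{"Name": "explorer.exe"}, {"Name": "ccSvcHst.exe"}]

def parse_rules(text):
    """Parse the rule text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def evaluate(sections, rows):
    """Return (section, Action, Action_param) for each action whose test matches
    a row. Assumption, not PacketFence's own logic: 'match' is a case-insensitive
    regex search of Value against the row's Attribute."""
    triggered = []
    for name, action in sections.items():
        if ":" not in name:
            continue  # a plain test section, not an action
        test = sections.get(name.split(":", 1)[1], {})
        if test.get("Operator") != "match":
            continue
        pattern = re.compile(test.get("Value", ""), re.IGNORECASE)
        if any(pattern.search(str(r.get(test.get("Attribute"), ""))) for r in rows):
            triggered.append((name, action.get("Action"), action.get("Action_param")))
    return triggered

def check(rule_text=RULE_TEXT, rows=SAMPLE_PROCESSES):
    return evaluate(parse_rules(rule_text), rows)
```

check() returns [] for the rule as posted; check(RULE_TEXT.replace("ccSvcHst.exd", "ccSvcHst.exe")) returns the trigger_security_event action.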
