But I am using the option "Scan on registration". In the PacketFence log, there is no log for scanning or of any security event generation. I guess I am doing something wrong with the WMI rule setup. Can you help me with that?
I am using the rule as:

[ccSvcHst]
Attribute = Name
Operator = match
Value = ccSvcHst.exd

[1:ccSvcHst]
Action = trigger_security_event
Action_param = mac = $mac, tid = 1300987, type = custom
on_tab = 1

The tid, as I mentioned here, is also configured in one security event, which detects this tid under its condition and executes the events as described in it.

On Thu, Mar 4, 2021, 19:14 Ludovic Zammit <[email protected]> wrote:

> Hello,
>
> There is a grace time period for the security event that triggers the scan; in your case it's the "Post Reg System Scan" and it has a 1 hour grace time, meaning that it would only do one scan per hour.
>
> Lower it maybe to 2 mins.
>
> Thanks,
>
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
> On Mar 2, 2021, at 8:34 PM, NITISH AGGARWAL via PacketFence-users <[email protected]> wrote:
>
> Hello all,
>
> I have set up WMI scan in my PacketFence but I can't see any results: no tab is generated for WMI scan under nodes, nor can I see any logs for the scan.
>
> When using the wmic command from the PacketFence server, I can see the results, but nothing in my Web API. What could be the problem?
>
> On Tue, Mar 2, 2021, 18:12 NITISH AGGARWAL <[email protected]> wrote:
>
>> Sorry to disturb you again, Ludovic.
>>
>> I have set up WMI scan in PacketFence. In the WMI rule I am using the antivirus check rule and added the WMI scan engine in the connection profile as well.
>>
>> After this, I can't see any event generated by the WMI scan on my node; neither can I see a security event generated nor a new tab created for the WMI scan.
>>
>> When I check WMI connectivity to the endpoint using the "wmic" command from the PacketFence server, I can see a successful response. Can you help me with what went wrong with this?
>>
>> On Mon, Mar 1, 2021, 18:31 Ludovic Zammit <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> I believe it's because it's an internal check to see if that node needs something to be done.
>>>
>>> You can try it out to see if it works; for a Symantec check that could work because it does not require the IP address of the device to do that check on the Symantec service.
>>>
>>> Most of the scans require the IP address of the device in order to start scanning the host, for example WMI; that's why the DHCP ACK is very important.
>>>
>>> Thanks,
>>>
>>> Ludovic Zammit
>>>
>>> On Feb 27, 2021, at 12:15 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>
>>> Thank you Ludovic for your help so far.
>>>
>>> I have one more question: if PacketFence is not checking for provisioning without DHCP, then why is it generating security events such as Provisioning Enforcement against the node?
>>>
>>> On Fri, Feb 26, 2021, 23:00 Ludovic Zammit <[email protected]> wrote:
>>>
>>>> Yes, you could do a WMI scan on post registration that checks if a process is there or not.
>>>>
>>>> You need an account that has administrative rights on the device that you check.
>>>>
>>>> Thanks,
>>>>
>>>> Ludovic Zammit
>>>>
>>>> On Feb 26, 2021, at 12:03 PM, NITISH AGGARWAL <[email protected]> wrote:
>>>>
>>>> But I can see a security event triggered for SEPM provisioning on the node. The problem is that it is actually not restricting access.
>>>>
>>>> Can I use WMI scan in my environment?
>>>>
>>>> Thanks.
>>>>
>>>> On Fri, Feb 26, 2021, 22:31 Ludovic Zammit <[email protected]> wrote:
>>>>
>>>>> No DHCP, no provisioner.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Ludovic Zammit
>>>>>
>>>>> On Feb 26, 2021, at 11:52 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>
>>>>> I do not have a DHCP server installed, no provisioning for DHCP. It's all static IP.
>>>>>
>>>>> On Fri, Feb 26, 2021, 22:21 Ludovic Zammit <[email protected]> wrote:
>>>>>
>>>>>> Does PF receive DHCP ACKs from the production DHCP server?
>>>>>>
>>>>>> Did you install the DHCP sensor?
>>>>>>
>>>>>> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_microsoft_dhcp_sensor
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Ludovic Zammit
>>>>>>
>>>>>> On Feb 26, 2021, at 11:44 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>
>>>>>> As such there is no restriction on when to check for provisioning, although I have selected the option of checking after registration of the device.
>>>>>>
>>>>>> On Fri, Feb 26, 2021, 22:11 Ludovic Zammit <[email protected]> wrote:
>>>>>>
>>>>>>> Provisioner workflows are triggered by DHCP traffic seen from the Production or Registration networks.
>>>>>>>
>>>>>>> When do you want to check if Symantec is installed?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Ludovic Zammit
>>>>>>>
>>>>>>> On Feb 26, 2021, at 11:40 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>
>>>>>>> Yes. As I connect the device it goes into the registration VLAN and then, if it is in the domain, it gets authenticated and the VLAN changes as per the switch.
>>>>>>>
>>>>>>> Dot1x is working fine, but the problem is with Symantec. How do I check if the end device has the Symantec client installed and working?
>>>>>>>
>>>>>>> On Fri, Feb 26, 2021, 22:07 Ludovic Zammit <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> Your devices that connect on PF are statically IP addressed?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Ludovic Zammit
>>>>>>>>
>>>>>>>> On Feb 25, 2021, at 9:55 AM, NITISH AGGARWAL via PacketFence-users <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have set up PacketFence ZEN as per the guide. I can see dot1x authentication working with MSCHAPv2 auth, so non-domain users are not getting access, which is required. I am using auto-registration in the connection profile.
>>>>>>>>
>>>>>>>> Second, I have to check for Symantec on my endpoints. I have set up SEPM provisioning as per the document. During authentication, I can see a security event generated for provisioning on my node in PacketFence, but my end device gets access to the intranet no matter whether Symantec is installed on it or not.
>>>>>>>>
>>>>>>>> I have tried everything I could. I need some help in this case. I am using static IPs and a Cisco 2960.
>>>>>>>>
>>>>>>>> I need devices to be registered if they are both domain connected and have SEPM installed.
>>>>>>>>
>>>>>>>> Any help will be appreciated. Thanks in advance...
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
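Added example, not PacketFence's own code and not something posted in the thread: a small Python evaluator for the two-block WMI rule layout quoted above ([name] with Attribute/Operator/Value, [N:name] with the action), run offline against constructed process lists, plus a per-tid grace-period check of the kind Ludovic describes for the "Post Reg System Scan" event. The process lists, the MAC address, the tid, the use of ccSvcHst.exe as the process name, and the operator set beyond "match" (match_not, is, is_not) are assumptions made for this example; whether PacketFence offers exactly those operators is not confirmed by the thread.

```python
import configparser
import re

# Constructed rule text in the two-block layout the thread quotes for a
# PacketFence WMI scan rule: [name] carries Attribute/Operator/Value and
# [N:name] carries the action to run when that rule matches. The process
# name, tid and rule name are assumptions for this example.
RULES = """
[ccSvcHst]
Attribute = Name
Operator = match
Value = ccSvcHst.exe

[1:ccSvcHst]
Action = trigger_security_event
Action_param = mac = $mac, tid = 1300987, type = custom
"""

# Constructed stand-ins for the rows a WMI "SELECT Name FROM Win32_Process"
# query would return (one dict per process).
HOST_WITH_SEP = [{"Name": "svchost.exe"}, {"Name": "ccSvcHst.exe"}]
HOST_WITHOUT_SEP = [{"Name": "svchost.exe"}, {"Name": "explorer.exe"}]


def parse_rules(text):
    """Split rule text into match blocks and action blocks keyed by rule name."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names as written (Attribute, Value, ...)
    cp.read_string(text)
    matches, actions = {}, {}
    for section in cp.sections():
        if ":" in section:  # "[1:ccSvcHst]" is action number 1 of rule ccSvcHst
            _, name = section.split(":", 1)
            actions.setdefault(name, []).append(dict(cp[section]))
        else:
            matches[section] = dict(cp[section])
    return matches, actions


def rule_matches(rule, rows):
    """True when some row satisfies Attribute/Operator/Value.

    'match' is treated as a case-insensitive regex; match_not, is and is_not
    are assumed negated/exact variants and are not taken from the thread.
    """
    values = [row.get(rule["Attribute"], "") for row in rows]
    op, wanted = rule["Operator"], rule["Value"]
    if op in ("match", "match_not"):
        hit = any(re.search(wanted, v, re.IGNORECASE) for v in values)
    elif op in ("is", "is_not"):
        hit = any(v.lower() == wanted.lower() for v in values)
    else:
        raise ValueError("unknown operator: %r" % op)
    return hit != op.endswith("_not")  # negate for the *_not operators


def expand_params(param_text, mac):
    """Turn 'mac = $mac, tid = 1300987, type = custom' into a dict, filling $mac."""
    params = {}
    for item in param_text.split(","):
        key, _, value = item.partition("=")
        params[key.strip()] = value.strip().replace("$mac", mac)
    return params


def scan(rules_text, rows, mac):
    """Evaluate every rule against the WMI rows and return the parameter sets
    of the security events that would be triggered for this MAC."""
    matches, actions = parse_rules(rules_text)
    events = []
    for name, rule in matches.items():
        if not rule_matches(rule, rows):
            continue
        for action in actions.get(name, []):
            if action.get("Action") == "trigger_security_event":
                events.append(expand_params(action["Action_param"], mac))
    return events


def should_fire(last_fired, tid, now, grace_seconds):
    """Per-tid grace period as the thread describes it: the same security event
    is raised at most once per grace_seconds. last_fired maps tid -> epoch
    seconds of the previous trigger; a missing tid means it never fired."""
    previous = last_fired.get(tid)
    return previous is None or now - previous >= grace_seconds


if __name__ == "__main__":
    mac = "aa:bb:cc:dd:ee:ff"  # constructed MAC
    print("with SEP:   ", scan(RULES, HOST_WITH_SEP, mac))
    print("without SEP:", scan(RULES, HOST_WITHOUT_SEP, mac))
    # A 1 hour grace suppresses a second trigger 10 minutes later; 2 minutes does not.
    print(should_fire({"1300987": 0}, "1300987", now=600, grace_seconds=3600))
    print(should_fire({"1300987": 0}, "1300987", now=600, grace_seconds=120))
```

Two things worth noticing when running it. First, the rule as posted in the thread fires its action when the process is present; for a "Symantec is missing" check one wants the opposite, which in this toy evaluator means switching the Operator to match_not (an assumed operator). Second, should_fire shows why a long grace time hides repeated scans: with the default 1 hour grace a second trigger for the same tid within the hour is dropped, so lowering the grace time, as suggested in the thread, is what makes a re-scan visible during testing.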
