Yes... it was a typo.

On Mon, Mar 8, 2021, 20:00 Ludovic Zammit <[email protected]> wrote:
> Hello,
>
> Is Value = ccSvcHst.exd a typo, and should it be Value = ccSvcHst.exe?
>
> Thanks,
>
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
> On Mar 4, 2021, at 11:55 PM, NITISH AGGARWAL <[email protected]> wrote:
>
> But I am using the option "Scan on registration".
>
> In the PacketFence log there is no log for scanning, nor of any security event generation. I guess I am doing something wrong with the WMI rule setup. Can you help me with that?
>
> I am using the rule as:
>
> [ccSvcHst]
> Attribute = Name
> Operator = match
> Value = ccSvcHst.exd
> [1:ccSvcHst]
> Action = trigger_security_event
> Action_param = mac = $mac, tid = 1300987, type = custom
> on_tab = 1
>
> The tid I mentioned here is also configured in one of the security events, which detects this tid under its conditions and executes the actions described in it.
>
> On Thu, Mar 4, 2021, 19:14 Ludovic Zammit <[email protected]> wrote:
>
>> Hello,
>>
>> There is a grace time period for the security event that triggers the scan; in your case it's the "Post Reg System Scan", and it has a 1 hour grace time, meaning that it would only do one scan per hour.
>>
>> Lower it, maybe to 2 mins.
>>
>> Thanks,
>>
>> On Mar 2, 2021, at 8:34 PM, NITISH AGGARWAL via PacketFence-users <[email protected]> wrote:
>>
>> Hello all,
>>
>> I have set up a WMI scan in my PacketFence but I can't see any results: no tab is generated for the WMI scan under nodes, nor can I see any logs for the scan.
>>
>> When using the wmic command from the PacketFence server, I can see the results, but nothing in my Web API. What could be the problem?
>>
>> On Tue, Mar 2, 2021, 18:12 NITISH AGGARWAL <[email protected]> wrote:
>>
>>> Sorry to disturb you again, Ludovic.
>>>
>>> I have set up a WMI scan in PacketFence. In the WMI rule I am using the antivirus check rule, and I have added the WMI scan engine in the connection profile as well.
>>>
>>> After this, I can't see any event generated by the WMI scan on my node; neither can I see a security event generated, nor a new tab created for the WMI scan.
>>>
>>> When I check WMI connectivity to the endpoint using the "wmic" command from the PacketFence server, I can see a successful response. Can you help me with what went wrong here?
>>>
>>> On Mon, Mar 1, 2021, 18:31 Ludovic Zammit <[email protected]> wrote:
>>>
>>>> Hello,
>>>>
>>>> I believe it's because it's an internal check to see if that node needs something to be done.
>>>>
>>>> You can try it out to see if it works; for a Symantec check that could work, because it does not require the IP address of the device to do that check on the Symantec service.
>>>>
>>>> Most of the scans require the IP address of the device in order to start scanning the host, for example the WMI one; that's why the DHCP ACK is very important.
>>>>
>>>> Thanks,
>>>>
>>>> On Feb 27, 2021, at 12:15 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>
>>>> Thank you Ludovic for your help so far.
>>>>
>>>> I have one more question: if PacketFence is not checking for provisioning without DHCP, then why is it generating security events as Provisioning Enforcement against the node?
>>>>
>>>> On Fri, Feb 26, 2021, 23:00 Ludovic Zammit <[email protected]> wrote:
>>>>
>>>>> Yes, you could do a WMI scan on post registration that checks if a process is there or not.
>>>>>
>>>>> You need an account that has administrative rights on the device that you check.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> On Feb 26, 2021, at 12:03 PM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>
>>>>> But I can see a security event triggered for SEPM provisioning on the node. The problem is that it is actually not restricting access.
>>>>>
>>>>> Can I use a WMI scan in my environment?
>>>>>
>>>>> Thanks.
>>>>>
>>>>> On Fri, Feb 26, 2021, 22:31 Ludovic Zammit <[email protected]> wrote:
>>>>>
>>>>>> No DHCP, no provisioner.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> On Feb 26, 2021, at 11:52 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>
>>>>>> I do not have a DHCP server installed, and no provisioning for DHCP. It's all static IPs.
>>>>>>
>>>>>> On Fri, Feb 26, 2021, 22:21 Ludovic Zammit <[email protected]> wrote:
>>>>>>
>>>>>>> Does PF receive DHCP ACKs from the production DHCP server?
>>>>>>>
>>>>>>> Did you install the DHCP sensor?
>>>>>>>
>>>>>>> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_microsoft_dhcp_sensor
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> On Feb 26, 2021, at 11:44 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>
>>>>>>> As such there is no restriction on when to check for provisioning, although I have selected the option of checking after registration of the device.
>>>>>>>
>>>>>>> On Fri, Feb 26, 2021, 22:11 Ludovic Zammit <[email protected]> wrote:
>>>>>>>
>>>>>>>> Provisioner workflows are triggered by DHCP traffic seen from the Production or Registration networks.
>>>>>>>>
>>>>>>>> When do you want to check if Symantec is installed?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> On Feb 26, 2021, at 11:40 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Yes.... as I connect the device it goes into the registration VLAN, and then if it is in the domain it gets authenticated and the VLAN changes as per the switch.
>>>>>>>>
>>>>>>>> Dot1x is working fine... but the problem is with Symantec. How do I check if the end device has the Symantec client installed and working?
>>>>>>>>
>>>>>>>> On Fri, Feb 26, 2021, 22:07 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> Your devices that connect on PF are statically IP addressed?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> On Feb 25, 2021, at 9:55 AM, NITISH AGGARWAL via PacketFence-users <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I have set up PacketFence ZEN as per the guide. I can see dot1x authentication working with MSCHAPv2 auth, so non-domain users are not getting access, which is required. I am using auto-registration in the connection profile.
>>>>>>>>>
>>>>>>>>> Second, I have to check for Symantec on my endpoints. I have set up SEPM provisioning as per the document. During authentication, I can see a security event generated for provisioning on my node in PacketFence, but my end device got access to the intranet no matter whether Symantec is installed on it or not.
>>>>>>>>>
>>>>>>>>> I have tried everything I could. I need some help in this case. I am using static IPs and a Cisco 2960.
>>>>>>>>>
>>>>>>>>> I need devices to be registered if they are both domain connected and have SEPM installed.
>>>>>>>>>
>>>>>>>>> Any help will be appreciated. Thanks in advance...
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
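Two things in this thread decide whether the WMI check ever shows a result: the rule's Value must actually match a row that the WMI query returns (a regex `match` on `ccSvcHst.exd` can never hit `ccSvcHst.exe`), and the security event that triggers the scan drops re-triggers inside its grace time, so with the default 1 hour a node re-registering every few minutes is scanned at most once an hour. The following is an added example written for this page, not PacketFence's code and not from anyone in the thread. It evaluates a PacketFence-style rule fragment (the one posted above, as-is and with the typo fixed) against constructed `wmic` output and models the grace window. Assumed, not taken from the page: the text layout of Samba's `wmic` output (a `CLASS:` line, a `|`-separated header, then `|`-separated rows), the query `SELECT Name,ProcessId FROM Win32_Process` the rule is read against, the sample process list, host and MAC, and the operator semantics (`match` as a regex search, `is` as an exact compare).

```python
"""Added example: evaluate a PacketFence-style WMI rule against wmic output.

Illustrative code for this page, not PacketFence's implementation. Assumptions:
the wmic text format follows Samba's wmic client; rows, host and MAC are
constructed; 'match' is a regex search and 'is' an exact comparison.
"""
import configparser
import re
from typing import Dict, List, Optional

# Constructed output of:  wmic -U 'DOMAIN/scanuser%secret' //10.0.0.5 \
#     "SELECT Name,ProcessId FROM Win32_Process"      (host/user are made up)
SAMPLE_WMIC_OUTPUT = """CLASS: Win32_Process
Name|ProcessId
System Idle Process|0
System|4
svchost.exe|812
ccSvcHst.exe|3120
explorer.exe|4410
"""

# The rule exactly as posted in the thread (note the .exd typo) ...
RULE_AS_POSTED = """
[ccSvcHst]
Attribute = Name
Operator = match
Value = ccSvcHst.exd
[1:ccSvcHst]
Action = trigger_security_event
Action_param = mac = $mac, tid = 1300987, type = custom
on_tab = 1
"""
# ... and with the typo corrected, as the thread concluded it should be.
RULE_FIXED = RULE_AS_POSTED.replace("ccSvcHst.exd", "ccSvcHst.exe")


def parse_wmic(text: str) -> List[Dict[str, str]]:
    """Turn wmic's text table into one dict per returned WMI instance."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("CLASS:"):
        raise ValueError("unexpected wmic output (no CLASS header)")
    header = lines[1].split("|")
    return [dict(zip(header, row.split("|"))) for row in lines[2:]]


def _holds(operator: str, actual: str, expected: str) -> bool:
    if operator == "is":
        return actual == expected
    if operator == "is_not":
        return actual != expected
    if operator == "match":      # regex: '.' is a wildcard, anchor if you need exactness
        return re.search(expected, actual) is not None
    if operator == "match_not":
        return re.search(expected, actual) is None
    raise ValueError(f"unsupported operator {operator!r}")


def evaluate_rule(rule_text: str, wmic_text: str, mac: str) -> Dict[str, list]:
    """Apply the condition sections ([name]) to every row; if any row matches,
    expand the action sections ([n:name]) with $mac substituted."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(rule_text)
    rows = parse_wmic(wmic_text)
    matched: List[str] = []
    for name in (s for s in cp.sections() if ":" not in s):
        cond = cp[name]
        attr, op, value = cond["attribute"], cond["operator"], cond["value"]
        matched += [r[attr] for r in rows if attr in r and _holds(op, r[attr], value)]
    fired: List[Dict[str, str]] = []
    if matched:
        for name in (s for s in cp.sections() if ":" in s):
            act = cp[name]
            params = dict(
                (k.strip(), v.strip().replace("$mac", mac))
                for k, v in (p.split("=", 1) for p in act["action_param"].split(","))
            )
            fired.append({"action": act["action"], **params})
    return {"matched": matched, "fired": fired}


def scan_due(last_scan_epoch: Optional[int], now_epoch: int, grace_seconds: int) -> bool:
    """Model of the grace time on the security event that triggers the scan:
    a re-trigger inside the grace window is dropped, so with 3600 s a node is
    scanned at most once per hour however often it re-registers."""
    return last_scan_epoch is None or now_epoch - last_scan_epoch >= grace_seconds


if __name__ == "__main__":
    mac = "aa:bb:cc:dd:ee:ff"   # constructed
    print("as posted:", evaluate_rule(RULE_AS_POSTED, SAMPLE_WMIC_OUTPUT, mac))
    print("fixed:    ", evaluate_rule(RULE_FIXED, SAMPLE_WMIC_OUTPUT, mac))
    print("re-trigger after 10 min, 1 h grace:  ", scan_due(0, 600, 3600))
    print("re-trigger after 10 min, 2 min grace:", scan_due(0, 600, 120))
```

Run as-is: the posted rule matches nothing and fires no action, the corrected rule matches `ccSvcHst.exe` and produces a `trigger_security_event` for tid 1300987, and the second trigger ten minutes after the first is dropped under a 1 hour grace time but accepted under 2 minutes. Because `match` is a regex, `ccSvcHst.exe` also matches a name like `ccSvcHstXexe`; use `is` (or escape the dot) when the check must be exact.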
