I can see one error log in my PacketFence.log file. It is:

pfperl-api(10859) ERROR: 1: parameter found outside a section (pfconfig::namespaces::config::Wmi::cleanup_after_read)

Multiple events are generated having the same information. The WMI rule is as follows:

Namespace : ROOT\cimv2
Request : select NAME from WIN32_Process
Action :
[ccSvcHst]
Attribute = Name
Operator = match
Value = ccSvcHst.exe
[1:ccSvcHst]
Action = trigger_security_event
Action_param = mac = $mac, tid = 1200345, type = Internal
On_tab = 1

I was using EOT previously, but in the logs it was showing an error against that, so I removed it, but still the WMI rule has not triggered. Any suggestions please....

On Mon, Mar 8, 2021, 20:33 NITISH AGGARWAL <[email protected]> wrote:

> I typed it incorrectly in the email. As per the configuration on PacketFence it
> is ccSvcHst.exe
> This is not working.
>
> On Mon, Mar 8, 2021, 20:15 NITISH AGGARWAL <[email protected]> wrote:
>
>> Yes...it was a typo
>>
>> On Mon, Mar 8, 2021, 20:00 Ludovic Zammit <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> Is Value = ccSvcHst.exd a typo, and should it be Value = ccSvcHst.exe?
>>>
>>> Thanks,
>>>
>>> Ludovic Zammit
>>> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>>
>>> On Mar 4, 2021, at 11:55 PM, NITISH AGGARWAL <[email protected]> wrote:
>>>
>>> But I am using the option "Scan on registration".
>>>
>>> In the PacketFence log, there is no log for scanning or of any security
>>> event generation. I guess I am doing something wrong with the WMI rule setup.
>>> Can you help me with that?
>>>
>>> I am using the rule as:
>>>
>>> [ccSvcHst]
>>> Attribute = Name
>>> Operator = match
>>> Value = ccSvcHst.exd
>>> [1:ccSvcHst]
>>> Action = trigger_security_event
>>> Action_param = mac = $mac, tid = 1300987, type = custom
>>> on_tab = 1
>>>
>>> The tid I mentioned here is also configured in one of the security events, which
>>> detects this tid under its condition and executes the events as described in it.
>>>
>>> On Thu, Mar 4, 2021, 19:14 Ludovic Zammit <[email protected]> wrote:
>>>
>>>> Hello,
>>>>
>>>> There is a grace time period for the security event that triggers the
>>>> scan; in your case it's the "Post Reg System Scan" and it has a 1 hour grace
>>>> time, meaning that it would only do one scan per hour.
>>>>
>>>> Lower it maybe to 2 mins.
>>>>
>>>> Thanks,
>>>>
>>>> Ludovic Zammit
>>>>
>>>> On Mar 2, 2021, at 8:34 PM, NITISH AGGARWAL via PacketFence-users <[email protected]> wrote:
>>>>
>>>> Hello all,
>>>>
>>>> I have set up WMI scan in my PacketFence but I can't see any results: no
>>>> tab generated for WMI scan under nodes, nor can I see any logs for the
>>>> scan.
>>>>
>>>> When using the wmic command from the PacketFence server, I can see the results
>>>> but nothing in my Web API. What could be the problem?
>>>>
>>>> On Tue, Mar 2, 2021, 18:12 NITISH AGGARWAL <[email protected]> wrote:
>>>>
>>>>> Sorry to disturb you again, Ludovic.
>>>>>
>>>>> I have set up WMI scan in PacketFence. In the WMI rule I am using the antivirus
>>>>> check rule and added the WMI scan engine in the connection profile as well.
>>>>>
>>>>> After this, I can't see any event generated by the WMI scan on my node;
>>>>> neither can I see a security event generated nor a new tab created for WMI
>>>>> scan.
>>>>>
>>>>> When I check WMI connectivity to the endpoint using the "wmic" command from the
>>>>> PacketFence server, I can see a successful response. Can you help me with what
>>>>> went wrong with this?
>>>>>
>>>>> On Mon, Mar 1, 2021, 18:31 Ludovic Zammit <[email protected]> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I believe it's because it's an internal check to see if that node
>>>>>> needs something to be done.
>>>>>>
>>>>>> You can try it out to see if it works; for a Symantec check that
>>>>>> could work because it does not require the IP address of the device to do
>>>>>> that check on the Symantec service.
>>>>>>
>>>>>> Most of the scans require the IP address of the device in order to
>>>>>> start to scan the host, for example the WMI; that's why the DHCP ACK is very
>>>>>> important.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Ludovic Zammit
>>>>>>
>>>>>> On Feb 27, 2021, at 12:15 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>
>>>>>> Thank you Ludovic for your help so far.
>>>>>>
>>>>>> I have one more question: if PacketFence is not checking for
>>>>>> provisioning without DHCP, then why is it generating security events as
>>>>>> Provisioning Enforcement against the node?
>>>>>>
>>>>>> On Fri, Feb 26, 2021, 23:00 Ludovic Zammit <[email protected]> wrote:
>>>>>>
>>>>>>> Yes, you could do a WMI scan on post registration that checks if a
>>>>>>> process is there or not.
>>>>>>>
>>>>>>> You need an account that has administrative rights on the device that
>>>>>>> you check.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Ludovic Zammit
>>>>>>>
>>>>>>> On Feb 26, 2021, at 12:03 PM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>
>>>>>>> But I can see a security event triggered for SEPM provisioning on the
>>>>>>> node. But the problem is that it is actually not restricting access.
>>>>>>>
>>>>>>> Can I use WMI scan in my environment??
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>> On Fri, Feb 26, 2021, 22:31 Ludovic Zammit <[email protected]> wrote:
>>>>>>>
>>>>>>>> No DHCP, no provisioner.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Ludovic Zammit
>>>>>>>>
>>>>>>>> On Feb 26, 2021, at 11:52 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>>
>>>>>>>> I do not have a DHCP server installed, no provisioning for DHCP. It's
>>>>>>>> all static IP.
>>>>>>>>
>>>>>>>> On Fri, Feb 26, 2021, 22:21 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Does PF receive DHCP ACK from the production DHCP server?
>>>>>>>>>
>>>>>>>>> Did you install the DHCP sensor?
>>>>>>>>>
>>>>>>>>> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_microsoft_dhcp_sensor
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Ludovic Zammit
>>>>>>>>>
>>>>>>>>> On Feb 26, 2021, at 11:44 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> As such there is no restriction on when to check for provisioning,
>>>>>>>>> although I have selected the option of checking after registration of the
>>>>>>>>> device.
>>>>>>>>>
>>>>>>>>> On Fri, Feb 26, 2021, 22:11 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Provisioner workflows are triggered by DHCP traffic seen from the
>>>>>>>>>> Production or Registration networks.
>>>>>>>>>>
>>>>>>>>>> When do you want to check if Symantec is installed?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Ludovic Zammit
>>>>>>>>>>
>>>>>>>>>> On Feb 26, 2021, at 11:40 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> Yes....as I connect the device it goes into the registration VLAN,
>>>>>>>>>> and then if it is in the domain it gets authenticated and the VLAN changes
>>>>>>>>>> as per the switch.
>>>>>>>>>>
>>>>>>>>>> Dot1x is working fine...but the problem is with Symantec. How to
>>>>>>>>>> check if the end device has the Symantec client installed and working?
>>>>>>>>>>
>>>>>>>>>> On Fri, Feb 26, 2021, 22:07 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> Your devices that connect on PF are statically IP addressed?
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>>
>>>>>>>>>>> Ludovic Zammit
>>>>>>>>>>>
>>>>>>>>>>> On Feb 25, 2021, at 9:55 AM, NITISH AGGARWAL via PacketFence-users <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I have set up PacketFence ZEN as per the guide. I can see dot1x
>>>>>>>>>>> authentication working with MSCHAPv2 auth, so non-domain users are not
>>>>>>>>>>> getting access, which is required. I am using auto-registration in the
>>>>>>>>>>> connection profile.
>>>>>>>>>>>
>>>>>>>>>>> Second, I have to check for Symantec on my endpoints. I have
>>>>>>>>>>> set up SEPM provisioning as per the document. During authentication, I
>>>>>>>>>>> can see a security event generated for provisioning on my node in PacketFence,
>>>>>>>>>>> but my end device got access to the intranet no matter whether Symantec is installed on
>>>>>>>>>>> it or not.
>>>>>>>>>>>
>>>>>>>>>>> I have tried everything I could. I need some help in this case.
>>>>>>>>>>> I am using static IPs and Cisco 2960.
>>>>>>>>>>>
>>>>>>>>>>> I need devices to be registered if they are both domain
>>>>>>>>>>> connected and have SEPM installed.
>>>>>>>>>>>
>>>>>>>>>>> Any help will be appreciated. Thanks in advance...
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> PacketFence-users mailing list
>>>>>>>>>>> [email protected]
>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
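As an added illustration (not part of the thread and not PacketFence's own code), a small checker for the INI-style text that a WMI rule's Action block is written in. The error quoted at the top, "parameter found outside a section", is what an INI-style reader reports when a `key = value` line appears before any `[section]` header; the hypothetical `parse_rule_text` / `check_rule` functions below reproduce that check on two constructed inputs: the rule text posted above and a variant with a stray parameter line ahead of the first section.

```python
import re

# Constructed sample: the WMI action text posted at the top of the thread.
RULE_OK = """\
[ccSvcHst]
Attribute = Name
Operator = match
Value = ccSvcHst.exe
[1:ccSvcHst]
Action = trigger_security_event
Action_param = mac = $mac, tid = 1200345, type = Internal
On_tab = 1
"""
# Constructed variant: a key = value line sits before the first [section] header.
RULE_STRAY = "Attribute = Name\n" + RULE_OK

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
# Split on the first '=' only, so 'mac = $mac, tid = ...' survives as one value.
PARAM_RE = re.compile(r"^([^=\s][^=]*?)\s*=\s*(.*)$")


def parse_rule_text(text):
    """Hypothetical INI-style reader: returns ({section: {key: value}}, [errors])."""
    sections, errors, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue                      # blank or comment line
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            sections.setdefault(current, {})
            continue
        param = PARAM_RE.match(line)
        if not param:
            errors.append(f"{lineno}: unparsable line {line!r}")
        elif current is None:             # the condition behind the logged error
            errors.append(f"{lineno}: parameter found outside a section ({param.group(1)})")
        else:
            sections[current][param.group(1).lower()] = param.group(2)
    return sections, errors


def check_rule(text):
    """Return all problems found; an empty list means the rule text is well-formed."""
    sections, errors = parse_rule_text(text)
    for name in sections:                 # [N:test] action sections must name a defined test
        if ":" in name and name.split(":", 1)[1] not in sections:
            errors.append(f"action section [{name}] refers to an undefined test section")
    return errors
```

Running `check_rule` on a rule before saving it in the admin interface shows the offending line number directly, which the pfperl-api log line above does not.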
