Hello,

There is a grace time period for the security event that triggers the scan. In your case it’s the "Post Reg System Scan" and it has a 1 hour grace time, meaning that it would only do a scan per hour.
Lower it maybe to 2 mins.

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

> On Mar 2, 2021, at 8:34 PM, NITISH AGGARWAL via PacketFence-users
> <[email protected]> wrote:
>
> Hello all,
>
> I have set up WMI scan in my PacketFence but I can't see any results, no tab
> generated for WMI scan under nodes, neither can I see any logs for the scan.
>
> When using the wmic command from the PacketFence server, I can see the results but
> nothing in my Web API. What could be the problem?
>
> On Tue, Mar 2, 2021, 18:12 NITISH AGGARWAL <[email protected]> wrote:
> Sorry to disturb you again, Ludovic.
>
> I have set up WMI scan in PacketFence. In the WMI rule I am using the antivirus check
> rule and added the WMI scan engine in the connection profile as well.
>
> After this, I can't see any event generated by WMI scan on my node, neither
> can I see a security event generated nor a new tab created for WMI scan.
>
> When I check WMI connectivity to the endpoint using the "wmic" command from the
> PacketFence server, I can see a successful response. Can you help me with what went
> wrong with this?
>
> On Mon, Mar 1, 2021, 18:31 Ludovic Zammit <[email protected]> wrote:
> Hello,
>
> I believe it’s because it’s an internal check to see if that node needs
> something to be done.
>
> You can try it out to see if it works, for a Symantec check that could work
> because it does not require the IP address of the device to do that check on
> the Symantec service.
>
> Most of the scans require the IP address of the device in order to start to
> scan the host, for example the WMI, that's why the DHCP ACK is very important.
>
> Thanks,
>
> Ludovic Zammit
>
>> On Feb 27, 2021, at 12:15 AM, NITISH AGGARWAL <[email protected]> wrote:
>>
>> Thank you Ludovic for your help so far.
>>
>> I have one more question: if PacketFence is not checking for provisioning
>> without DHCP, then why is it generating security events as Provisioning
>> Enforcement against the node?
>>
>> On Fri, Feb 26, 2021, 23:00 Ludovic Zammit <[email protected]> wrote:
>> Yes, you could do a WMI scan on post registration that checks if a process
>> is there or not.
>>
>> You need an account that has administrative rights on the device that you
>> check.
>>
>> Thanks,
>>
>> Ludovic Zammit
>>
>>> On Feb 26, 2021, at 12:03 PM, NITISH AGGARWAL <[email protected]> wrote:
>>>
>>> But I can see a security event triggered for SEPM provisioning on the node. But
>>> the problem is it is actually not restricting access.
>>>
>>> Can I use WMI scan in my environment?
>>>
>>> Thanks.
>>>
>>> On Fri, Feb 26, 2021, 22:31 Ludovic Zammit <[email protected]> wrote:
>>> No DHCP, no provisioner.
>>>
>>> Thanks,
>>>
>>> Ludovic Zammit
>>>
>>>> On Feb 26, 2021, at 11:52 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>
>>>> I do not have a DHCP server installed, no provisioning for DHCP. It's all
>>>> static IP.
>>>>
>>>> On Fri, Feb 26, 2021, 22:21 Ludovic Zammit <[email protected]> wrote:
>>>> Does PF receive DHCP ACK from the production DHCP server?
>>>>
>>>> Did you install the DHCP sensor?
>>>>
>>>> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_microsoft_dhcp_sensor
>>>>
>>>> Thanks,
>>>>
>>>> Ludovic Zammit
>>>>
>>>>> On Feb 26, 2021, at 11:44 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>
>>>>> As such there is no restriction on when to check for provisioning,
>>>>> although I have selected the option of checking after registration of the device.
>>>>>
>>>>> On Fri, Feb 26, 2021, 22:11 Ludovic Zammit <[email protected]> wrote:
>>>>> Provisioner workflows are triggered by DHCP traffic seen from the
>>>>> Production or Registration networks.
>>>>>
>>>>> When do you want to check if Symantec is installed?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Ludovic Zammit
>>>>>
>>>>>> On Feb 26, 2021, at 11:40 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>
>>>>>> Yes... as I connect the device it goes into the registration VLAN and then
>>>>>> if it is in the domain it gets authenticated and the VLAN changes as per switch.
>>>>>>
>>>>>> Dot1x is working fine... but the problem is with Symantec. How to check if
>>>>>> the end device has the Symantec client installed and working?
>>>>>>
>>>>>> On Fri, Feb 26, 2021, 22:07 Ludovic Zammit <[email protected]> wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Your devices that connect on PF are statically IP addressed?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Ludovic Zammit
>>>>>>
>>>>>>> On Feb 25, 2021, at 9:55 AM, NITISH AGGARWAL via PacketFence-users
>>>>>>> <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have set up PacketFence ZEN as per the guide. I can see dot1x
>>>>>>> authentication working with MSCHAPv2 auth, so non-domain users are not
>>>>>>> getting access, which is required. I am using auto-registration in the
>>>>>>> connection profile.
>>>>>>>
>>>>>>> Second, I have to check for Symantec in my endpoints. I have set up SEPM
>>>>>>> provisioning as per the document. During authentication, I can see a security
>>>>>>> event generated for provisioning on my node in PacketFence but my end
>>>>>>> device got access to the intranet no matter whether Symantec is installed on it or not.
>>>>>>>
>>>>>>> I have tried everything I could. I need some help in this case. I am
>>>>>>> using static IPs and a Cisco 2960.
>>>>>>>
>>>>>>> I need devices to be registered if they are both domain connected and
>>>>>>> have SEPM installed.
>>>>>>>
>>>>>>> Any help will be appreciated. Thanks in advance...
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> PacketFence-users mailing list
>>>>>>> [email protected]
>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
