The error is removed but still wmi scan is not triggered on my end points

On Tue, Mar 9, 2021, 12:34 NITISH AGGARWAL <[email protected]> wrote:

> I can see one error log in my PacketFence.log file.
>
> It is: pfperl-api(10859) ERROR: 1: parameter found outside a section (pfconfig::namespaces::config::Wmi::cleanup_after_read)
>
> Multiple events generated having same information.
> Wmi rule is as:-
>
> Namespace : ROOT\cimv2
> Request : select NAME from WIN32_Process
> Action :
> [ccSvcHst]
> Attribute = Name
> Operator = match
> Value = ccSvcHst.exe
> [1:ccSvcHst]
> Action = trigger_security_event
> Action_param = mac = $mac, tid = 1200345, type = Internal
> On_tab = 1
>
> I was using EOT previously, but in logs it was showing an error against that, so I removed it, but still the wmi rule has not triggered. Any suggestions please....
>
> On Mon, Mar 8, 2021, 20:33 NITISH AGGARWAL <[email protected]> wrote:
>
>> I typed it incorrectly in the email. As per configurations on PacketFence it is ccSvcHst.exe.
>> This is not working.
>>
>> On Mon, Mar 8, 2021, 20:15 NITISH AGGARWAL <[email protected]> wrote:
>>
>>> Yes...it was a typo
>>>
>>> On Mon, Mar 8, 2021, 20:00 Ludovic Zammit <[email protected]> wrote:
>>>
>>>> Hello,
>>>>
>>>> Is Value = ccSvcHst.exd a typo and should it be Value = ccSvcHst.exe?
>>>>
>>>> Thanks,
>>>>
>>>> Ludovic Zammit
>>>> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>>>
>>>> On Mar 4, 2021, at 11:55 PM, NITISH AGGARWAL <[email protected]> wrote:
>>>>
>>>> But I am using option "Scan on registration".
>>>>
>>>> In PacketFence log, there is no log for scanning or of any security event generation. I guess I am doing something wrong with WMI rule setup. Can you help me there?
>>>>
>>>> I am using rule as :-
>>>>
>>>> [ccSvcHst]
>>>> Attribute = Name
>>>> Operator = match
>>>> Value = ccSvcHst.exd
>>>> [1:ccSvcHst]
>>>> Action = trigger_security_event
>>>> Action_param =mac = $mac, tid= 1300987, type = custom
>>>> on_tab = 1
>>>>
>>>> Tid as I mentioned here is also configured in one security event, that detects this tid under condition and executes events as described in it.
>>>>
>>>> On Thu, Mar 4, 2021, 19:14 Ludovic Zammit <[email protected]> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> There is a grace time period for the security event that triggers the scan, in your case it's the "Post Reg System Scan" and it has 1 hour grace time, meaning that it would only do a scan per hour.
>>>>>
>>>>> Lower it maybe to 2 mins.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Ludovic Zammit
>>>>>
>>>>> On Mar 2, 2021, at 8:34 PM, NITISH AGGARWAL via PacketFence-users <[email protected]> wrote:
>>>>>
>>>>> Hello all,
>>>>>
>>>>> I have setup WMI scan in my PacketFence but I can't see any results, no tab generated for wmi scan under nodes, neither can I see any logs for scan.
>>>>>
>>>>> When using wmic command from PacketFence server, I can see the results but nothing in my Web API. What could be the problem?
>>>>>
>>>>> On Tue, Mar 2, 2021, 18:12 NITISH AGGARWAL <[email protected]> wrote:
>>>>>
>>>>>> Sorry to disturb you again, Ludovic.
>>>>>>
>>>>>> I have setup WMI scan in PacketFence. In WMI rule I am using antivirus check rule and added wmi scan engine in connection profile as well.
>>>>>>
>>>>>> After this, I can't see any event generated by wmi scan on my node, neither can I see security event generated nor new tab created for wmi scan.
>>>>>>
>>>>>> When I check wmi connectivity to end point using "wmic" command from PacketFence server, I can see successful response. Can you help me with what went wrong with this?
>>>>>>
>>>>>> On Mon, Mar 1, 2021, 18:31 Ludovic Zammit <[email protected]> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I believe it's because it's an internal check to see if that node needs something to be done.
>>>>>>>
>>>>>>> You can try it out to see if it works, for a Symantec check that could work because it does not require the IP address of the device to do that check on the Symantec service.
>>>>>>>
>>>>>>> Most of the Scans require the IP address of the device in order to start to scan the host, for example the WMI, that's why the DHCP ACK is very important.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Ludovic Zammit
>>>>>>>
>>>>>>> On Feb 27, 2021, at 12:15 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>
>>>>>>> Thank you Ludovic for your help so far.
>>>>>>>
>>>>>>> I have one more question: if PacketFence is not checking for provisioning without DHCP, then why is it generating security events as Provisioning Enforcement against the node?
>>>>>>>
>>>>>>> On Fri, Feb 26, 2021, 23:00 Ludovic Zammit <[email protected]> wrote:
>>>>>>>
>>>>>>>> Yes, you could do a WMI scan on post registration that checks if a process is there or not.
>>>>>>>>
>>>>>>>> You need an account that has administrative rights on the device that you check.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Ludovic Zammit
>>>>>>>>
>>>>>>>> On Feb 26, 2021, at 12:03 PM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>>
>>>>>>>> But I can see security event triggered for SEPM provisioning on node. But the problem is it is actually not restricting access.
>>>>>>>>
>>>>>>>> Can I use wmi scan in my environment??
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>> On Fri, Feb 26, 2021, 22:31 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> No DHCP, no provisioner.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Ludovic Zammit
>>>>>>>>>
>>>>>>>>> On Feb 26, 2021, at 11:52 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> I do not have a DHCP server installed, no provisioning for DHCP. It's all static ip.
>>>>>>>>>
>>>>>>>>> On Fri, Feb 26, 2021, 22:21 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Does PF receive DHCP ACK from the production DHCP server?
>>>>>>>>>>
>>>>>>>>>> Did you install the DHCP sensor?
>>>>>>>>>>
>>>>>>>>>> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_microsoft_dhcp_sensor
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Ludovic Zammit
>>>>>>>>>>
>>>>>>>>>> On Feb 26, 2021, at 11:44 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> As such there is no restriction on when to check for provisioning, although I have selected the option of checking after registration of the device.
>>>>>>>>>>
>>>>>>>>>> On Fri, Feb 26, 2021, 22:11 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Provisioner workflows are triggered by DHCP traffic seen from the Production or Registration networks.
>>>>>>>>>>>
>>>>>>>>>>> When do you want to check if Symantec is installed?
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>>
>>>>>>>>>>> Ludovic Zammit
>>>>>>>>>>>
>>>>>>>>>>> On Feb 26, 2021, at 11:40 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Yes....as I connect the device it goes into the registration vlan and then, if it is in the domain, it gets authenticated and the vlan changes as per the switch.
>>>>>>>>>>>
>>>>>>>>>>> Dot1x is working fine...but the problem is with Symantec. How to check if the end device has the Symantec client installed and working?
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Feb 26, 2021, 22:07 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> Your devices that connect on PF are statically IP addressed?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>
>>>>>>>>>>>> Ludovic Zammit
>>>>>>>>>>>>
>>>>>>>>>>>> On Feb 25, 2021, at 9:55 AM, NITISH AGGARWAL via PacketFence-users <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> I have setup PacketFence zen as per guide. I can see dot1x authentication working with MSCHAPv2 auth, so non domain users are not getting access, which is required. I am using auto-registration in connection profile.
>>>>>>>>>>>>
>>>>>>>>>>>> Second, I have to check for Symantec in my endpoints. I have setup SEPM provisioning as per document. During authentication, I can see security event generated for provisioning on my node in PacketFence but my end device got access to intranet no matter whether symantec is installed on it or not.
>>>>>>>>>>>>
>>>>>>>>>>>> I have tried everything I could. I need some help in this case. I am using static ips and cisco 2960.
>>>>>>>>>>>>
>>>>>>>>>>>> I need devices to be registered if they have both domain connected and SEPM installed.
>>>>>>>>>>>>
>>>>>>>>>>>> Any help will be appreciated. Thanks in advance...
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
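The WMI rule quoted in the thread is an INI-style block: a condition section ([ccSvcHst] with Attribute/Operator/Value) and an action section ([1:ccSvcHst]) that fires when the condition matches, and the logged error says a parameter was found outside any [section]. As an added illustration, not code from the thread or from PacketFence, the following Python parses such a block, reproduces that "outside a section" check on a deliberately broken copy, and evaluates the posted rule against constructed WMI rows; it assumes the action/condition pairing works as the thread shows it and models only the "match" operator (treated as a regex search).

```python
import re

# Constructed sample (not from PacketFence): the Action block posted in the
# thread, plus a copy with a parameter placed before any [section] header.
ACTION_OK = """\
[ccSvcHst]
Attribute = Name
Operator = match
Value = ccSvcHst.exe
[1:ccSvcHst]
Action = trigger_security_event
Action_param = mac = $mac, tid = 1200345, type = Internal
"""
ACTION_BAD = "Value = ccSvcHst.exe\n" + ACTION_OK


def parse_action(text):
    """Parse the INI-like block into {section: {key: value}}, keys lowercased."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif current is None:  # key = value with no enclosing [section]
            raise ValueError(f"line {lineno}: parameter found outside a section")
        else:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def evaluate(text, rows):
    """Return the tid of every trigger_security_event action (section [N:rule])
    whose [rule] condition matched at least one WMI row; 'match' only (assumed
    to be a regex search, as in the thread's Value = ccSvcHst.exe)."""
    tids, sections = [], parse_action(text)
    for name, params in sections.items():
        if ":" not in name or params.get("action") != "trigger_security_event":
            continue
        cond = sections.get(name.split(":", 1)[1], {})
        if cond.get("operator") != "match":
            continue  # other PacketFence operators are not modelled here
        attr, pattern = cond.get("attribute", ""), cond.get("value", "")
        if any(re.search(pattern, str(r.get(attr, ""))) for r in rows):
            m = re.search(r"tid\s*=\s*(\d+)", params.get("action_param", ""))
            tids.append(m.group(1) if m else None)
    return tids
```

Running parse_action on ACTION_BAD raises the same "parameter found outside a section" condition the log reports, while evaluate(ACTION_OK, rows) returns ["1200345"] only when a row's Name matches ccSvcHst.exe.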
