Network Access Control

  • 1.  What will cause "Policy Check" failed?

    Posted May 19, 2010 10:56 AM
    Under the action of switch policy, I can take an action if a client's "Policy Check" result failed. When I refer to Help (RU6a):
    Failed means: Client has a profile that is too old.

    So does anyone know what is considered "too old"?

    Thanks


  • 2.  RE: What will cause "Policy Check" failed?

    Posted Jun 07, 2010 01:01 PM
    If it is not the current policy then it is old


  • 3.  RE: What will cause "Policy Check" failed?

    Posted Jul 09, 2010 12:20 PM
    When a client connects to the network, the LAN Enforcer would give a 30-second grace period for the client to communicate with SEPM. During this time, the client would pull the new policy if it is different. If the client failed to do so, it would follow the rules set by the policy "check requirement" from the LAN Enforcer.

    Profile check "Passed": Client has the latest profile.
    Profile check "Failed": Can either ignore result (it may also fail HI check) or switch to V-LAN to run remediation process (update new policy serial number from SEPM).
    Profile check "Unavailable": Profile check result was not available.

    Policy check can either ignore result or switch to V-LAN to run remediation process (allowing client option to update new policy serial number from SEPM).

    This result for the profile might occur under the following conditions:
    - If the client has an invalid identifier so that the Enforcer can obtain no profile information from the Protection Manager. This result can occur if the Protection Manager that deployed the client profile is no longer available.
    - When the client is first exported and installed, before it connects to the Protection Manager and receives its profile. 


  • 4.  RE: What will cause "Policy Check" failed?

    Posted Oct 22, 2010 07:26 AM

    Great explanation, Scooby!

     

    Oykun



  • 5.  RE: What will cause "Policy Check" failed?

    Posted Nov 11, 2010 03:53 AM

    Hi,

    A profile is considered old or too old as long as its timestamp is older than the one SEP Manager has, even if it's by minutes or seconds.

    Scooby: The 30-second grace period mentioned is only applicable to Gateway Enforcer and not LAN Enforcer. I believe you might have accidentally typed "LAN" or overlooked this? Or correct me if I'm wrong.

    LAN Enforcer takes the configured actions (quarantine or switch VLAN, etc.) immediately on connecting or connected clients / machines without any grace period. Therefore, if you are checking for policy serial number, ensure SEP Manager is available in the quarantine VLAN.