Network Access Control

Jacky.Wu | November 15th, 2009
Since SNAC deployment, we have problems with a password issue. Whenever we made a new password in the DC, the end user could not log in to the system with the new password. However, the end user could access the computer with the old password. The end user could not access the network. It seems that the synchronization is not working.
1 comments
Jacky.Wu | November 12th, 2009
Recently I tried to build up the SNAC. However, after enabling the SNAC, it is impossible for my computer to access the internet. dc: 192.168.0.1 NPS(Windows Radius Server): 192.168.0.1 My lan-enforcer ip : 192.168.0.12 Cisco SW command: radius-server host 192.168.0.12 auth-port 1812 acct-port 1813 key @@@@ Action: all open ports. Event that my computer could not access. I found that in the SW, there is error: Radius dead lanenforcer no responding, Radius alive lanenforcer returns. I don't know why. Could someone help me?
1 comments
shine_meh | November 12th, 2009
Hi, Our network has a single SEPM server with 50 nos locations. 25 of the locations are connected to the SEPM through the MPLS gateway (Cisco 1800) and the rest of the 25 nos through a Checkpoint VPN gateway. If I have to install a gateway enforcer, should I buy one or one each for both the gateways? Thanks and Regards,
1 comments
Jacky.Wu | November 10th, 2009
Today I am busy with configuring the Lan-Enforcer. Communication methods and port I used are as below: http 801414. However, it is impossible for me to set 801414. The range is between 1 and 65535. Could someone tell me which number we use?
2 comments
Aniruddha | November 10th, 2009
There should be an option for adding the fingerprint list while applying the application and device policy. For example, if there are multiple versions of an application in your network, in such a case we can create a fingerprint list under Policies -> Policy Components -> Fingerprint List, but there is no option to include this fingerprint list while applying the application and device policy, so we have to enter every single fingerprint value manually. If there were such an option, it would save lots of time and hard work.
0 comments
Jacky.Wu | November 10th, 2009
I am a fresh man on the Lan-Enforcer product. Could someone tell me what the difference between root and admin is? Thanks very much!
2 comments
NTS0 | November 9th, 2009
There is some bug in SNAC GW Enforcer v11.5 (I don't check older ones) that when we are using and enable trunking it is almost impossible to download the on-demand client; the download speed of the on-demand client is from 100 to 200 bytes/s, so... it's close to 0, it takes about 1h to download the full on-demand client!!! Generally everything is working OK but this on-demand client download, so it's a bug, but does anybody have an idea how to work around this?? I have a pilot implementation of SNAC in some big energetic company and it's some issue for me that this is not working :(( My idea was to install a second GW Enforcer without trunking only for serving on-demand client installation, but here comes another problem/bug... to do that I have to change the http redirect from http://localhost to http://secondgwenforcer and ql, but it's just not working, the external client still receives the same first enforcer's redirect address :(( terrible, generally it's possible to manually connect to...
4 comments
Amrut | November 9th, 2009
I have entered a few MAC addresses in the SNAC Appliance using the MAB DATABASE ADD command. Now I need to find out which MAC addresses I have already added to the database of the appliance. I know we can go to the LINUX mode of the SNAC Appliance. But once in the LINUX mode, where is the location where these MACs are saved? Please help. This is very important for me.
2 comments
Mick377 | November 5th, 2009
Hi, I have purchased SNAC Essentials and based on the data sheet I thought I could build my own LAN enforcer using RedHat rather than buy a hardware appliance. I had put aside a couple of HP DL360s for this purpose. I now cannot find any information on how to do this, and in the installation guide there is a comment "Earlier versions of Symantec Enforcer that were provided as software only are also not supported". So is there now no option to build your own enforcer and you must use a hardware appliance? If this is the case I don't have budget until July to buy more hardware and may have to implement using DHCP as an interim measure. I hope for things like printers I can configure their ports to be non-NAC. Thanks Mick
3 comments
igor.ramalho | November 4th, 2009
Hi Everybody, I have a question about the Gateway implementation. For example, I have a 6100 appliance: we want just to block internet access for clients that have old virus defs, with a popup message appearing on the screen. The diagram http://img682.imageshack.us/i/poofconcept.gif/ shows how we are using and testing in our environment, but we are having a lot of problems. My questions: Maybe a simple host integrity is enough, so the appliance is unnecessary?? The enforcer function gateway only works with IPsec/VPN? Please, I'm lost with this SNAC. Thanks,
4 comments
NTS0 | November 3rd, 2009
Hi all, With SNAC Enforcers (LAN and Gateway) we can do a lot of very nice things, for example we can check that there is a firewall or antivirus on a client... for other vendors it depends, but when we check that there is a SEP/SNAC client... we can also check and start FW and AV... using the command line, so the question is... how to start AV or FW (Network Threat Protection) on a SEP/SNAC client from the command line (CLI)? Of course "smc -start" doesn't solve the problem, I need to start FW or AV, not the SEP engine itself. So does anybody know how to do it? Kind regards and thanks for help, Dawid Fusek, IT Security Consultant, COMP SA Poland
2 comments
Rajesh Kumar-SEP | November 2nd, 2009
Hi, Can someone help me with where I can get Symantec Gateway Enforcer and Lan Enforcer diagrams? Regards, Rajesh.
1 comments
kkitajima | November 1st, 2009
CLI console will log out automatically after a few minutes. Customer would like to change the timing to log out from CLI command.
1 comments
kkitajima | November 1st, 2009
The customer would like to set the SSH client to allow connection or to deny connection. The SNAC appliance does not have the interface to set it as CLI command. He requests to implement this function.
0 comments
GSecurity | October 27th, 2009
Greetings: Would like to utilize a 3rd party bilateral authentication solution to identify users before they enter certain network segments. If the segments are protected with SNAC, can SNAC be configured to utilize a SAML assertion for authentication?? The workflow would be: 1. User tries to obtain access to network segment (Wifi, etc.) 2. SNAC blocks user 3. SNAC forces user to do browser-based authentication 4. User is redirected to 3rd party appliance URL 5. Authentication is conducted 6. 3rd party product sends a SAML assertion to SNAC 7. SNAC accepts user, allows access to network segment. Is this doable w/ SNAC?
2 comments
minnie | October 26th, 2009
Hello, I came across a customer who mentioned that he was getting limited bandwidth after installing SEP 11.0.5 and mentioned that he was also using BEWS 12.5. Informed the customer to remove the network threat protection and reboot. The things seem to work fine once the Network threat protection was removed.
0 comments
thumpertwin | October 25th, 2009
I have had a thread going under Antivirus but hope to get some answers on this portal. I have 3 groups created. I have 3 firewall policies created. Each group is assigned their own policy. Group 1 uses the inherited standard out-of-box policy, no problems. Group 2 uses not-inherited assigned policy 2. Group 3 uses not-inherited assigned policy 3. Edited non-shared policies 2 + 3 to limit control of internet access to certain sites. When the group 2 + 3 clients get this policy, the firewall policy disappears from the client. Client can browse the net, any site. I followed instructions from tech articles in the KB on how to do it, but am still missing something. When I move the client back to group 1, the FW policy (standard) comes back. I have considered and tried in my non-shared edited FW policy to include the server, by IP, by name etc. and the sites I want to allow, but it still disappears off the client when updated. Has anyone done this and does it really work!!!
2 comments
kkitajima | October 25th, 2009
SNAC checks the client by the following steps to quarantine. 1. SNAC checks whether the HI check passes or not. 2. If it fails, the client is remediated per the HI policy. 3. If remediation fails, the client is moved to quarantine. Customers think the best way is the following steps for quarantine. 1. SNAC checks whether the HI check passes or not. 2. If it fails, the client is moved to quarantine at first. 3. Do remediation in the quarantine network. If remediation is done, then back to production. To implement that, the customer requests to add the function to apply the HI policy in the location of "Quarantine Policies when Host Integrity Fails:"
0 comments
kkitajima | October 25th, 2009
By default, the DHCP enforcer does not allow SSH access from the external network interface role. It needs the routing to the IP address of SSH clients to be added by hand. Customer requests the configuration for the routing in the initial settings to allow access by SSH client.
0 comments
kkitajima | October 25th, 2009
Customer would like to add the function for counting the message dialog pop-up. We can use the "Utility: Show message dialog" in the custom requirement. Customer does not want the dialog to pop up at every HI check. To avoid that, he requests to add the count setting into the function of "Utility: Show message dialog". He understands how to handle it by script, but they request it as the default function.
0 comments
shp | October 24th, 2009
How to Install Symantec Network Access Control when SEPM is already installed and running. About SNAC: Symantec Network Access Control ensures that a company's client computers are compliant with the company's security policies before the computers are allowed to access the network. Symantec Network Access Control uses a Host Integrity Policy and an optional Symantec Enforcer to discover and evaluate which computers are compliant. Availability: Symantec Network Access Control can be downloaded from https://fileconnect.symantec.com. How to enable: There are two methods to enable SNAC on already running SEPM... Method 1: Manually copy the License file (SNAC.XML) from SNAC CD and add the packages to Client Install packages under SEPM. a. Go to SEPM folder on SNAC CD and copy the snac.xml file. b. Paste the snac.xml file inside "Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\license" folder. c. Restart the "Symantec Endpoint Protection...
16 comments
SymantecUser | October 21st, 2009
I have a HI rule stating that the client must have endpoint protection running with defs no worse than 7 days old. I also set up a compliance notification to email if there are any Compliance events. Will I get a notification if a new machine comes on the network that isn't running the NAC agent? I will be using either a DHCP or Lan Enforcer to force the Quarantine. If so, what will the notification say? What information about the client would it show, or will it just quarantine the machine, without any alert? The notification I set up is under client security, All Compliance events. Is there another notification besides that? My goal is to get alerts every time someone fails a Compliance check, with or without the agent installed.
14 comments
Oykun_Satis | October 20th, 2009
Hello Friends, I'm trying to use the DHCP Enforcer plug-in (ver. 11.05) on Windows 2008 Server. Both the Enforcer plug-in and DHCP services are running correctly and I see the DHCP Enforcer on SEP Manager under servers. But the client's network connections are still the same, the default gateway on the client doesn't drop or the subnet mask doesn't 255.255.255.255 when the client is running or compliance rules failed. I checked the document about DHCP Enforcer and I saw a requirement like Windows 2000 Server SP4, Windows 2003 with Service Pack and Windows 2003 with Service Pack 1. Does anybody have an idea about this problem? Does the DHCP Enforcer plug-in really not work on Windows 2008 DHCP servers, or is there any procedure to work with Windows 2008? Regards, Oykun
6 comments
kkitajima | October 13th, 2009
To connect a device like a printer with MAB, we should set "Unavailable" as "Host authentication", "Pass" as "User authentication" and "Ignore Result" as "Policy Check result" to open the port. This means no client machine can connect to the port. So our customer requests an enhancement to create a separate area to set 802.1x and MAB.
1 comments
Jacky.Wu | October 12th, 2009
Hi, I just implemented the LanEnforcer or GatewayEnforcer in our network. Could someone tell me what the difference between root and admin in LanEnforcer and GatewayEnforcer is? What are they used for individually? Thanks very much!
1 comments