Logic and rules of the NAC

I have a question about WINXP rules in the NAC server, and more specifically: if a rule reports a failure, but it is part of a ! in the rule, what does this mean is happening?  For example:


&(!pc_Windows_ehkeyctl|pc_XP_MCE_KB973768_MS09-037) (red indicates failure)

The NAC reports this as a failed check:

pc_Windows_ehkeyctl, File Check [$SYSTEM_ROOT\ehome\ehkeyctl.dll is]

Is it a failure because it finds the file and there is a negation on the rule?

What about this:


&(!pc_XP_2115168_MS10-052_FileChk|pc_XP_2115168_MS10-052)

The first part reports as a pass, and the second reports failure... but logically, this part of the rule must pass because of only the first part?  Which is apparently correct?

Thank you!

Gavin - Budd

It actually reports a check failure - and in many cases, it is expected (and confusing!).  For example, with the preconfigured Windows checks, if it is a 32-bit client you will see the 64-bit check fail.

Same with your second example check

&(!pc_XP_2115168_MS10-052_FileChk|pc_XP_2115168_MS10-052)

We expect it either to fail the first check or to pass the second check - but one of these checks will show as failed.  Clear as mud?

Tags: Cisco Security
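
An added example, not part of the original thread and not Cisco's code: a small evaluator that separates the per-check results from the rule verdict for the two expressions quoted above, and lists which failed checks actually block the rule. The operator meanings (! NOT, & AND, | OR, a leading & treated as a no-op prefix), the function names and the sample check results are assumptions made for the illustration.

```python
import re

# Assumed grammar (not from Cisco documentation): ! = NOT, & = AND, | = OR,
# parentheses group, and a leading "&" before a group is a no-op prefix.

def tokenize(expr):
    tokens = re.findall(r"[&|!()]|[A-Za-z0-9_.\-]+", expr)
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError("unexpected character in rule expression")
    return tokens

def parse(tokens):
    """Recursive descent, precedence ! > & > |; returns a nested-tuple AST."""
    toks, pos = list(tokens) + [None], 0      # None marks end of input
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def binary(op, name, operand):
        node = operand()
        while toks[pos] == op:
            take()
            node = (name, node, operand())
        return node
    def or_expr():
        return binary("|", "or", and_expr)
    def and_expr():
        return binary("&", "and", unary)
    def unary():
        tok = take()
        if tok == "!":
            return ("not", unary())
        if tok == "&":                        # prefix "&": assumed no-op
            return unary()
        if tok == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in (None, "|", ")"):
            raise ValueError(f"unexpected token {tok!r}")
        return ("check", tok)
    ast = or_expr()
    if toks[pos] is not None:
        raise ValueError(f"trailing token {toks[pos]!r}")
    return ast

def evaluate(node, results):
    if node[0] == "check":
        return results[node[1]]
    if node[0] == "not":
        return not evaluate(node[1], results)
    a, b = evaluate(node[1], results), evaluate(node[2], results)
    return (a and b) if node[0] == "and" else (a or b)

def explain(rule, results):
    """results: check name -> True (check passed) / False (check failed)."""
    tokens = tokenize(rule)
    ast = parse(tokens)
    names = list(dict.fromkeys(t for t in tokens if t not in "&|!()"))
    rule_passed = evaluate(ast, results)
    failed = [n for n in names if not results[n]]
    # A failed check blocks the rule only if passing it would make the rule pass.
    blocking = [] if rule_passed else [
        n for n in failed if evaluate(ast, {**results, n: True})]
    return {"rule_passed": rule_passed, "failed_checks": failed, "blocking": blocking}

RULE_MCE = "&(!pc_Windows_ehkeyctl|pc_XP_MCE_KB973768_MS09-037)"
RULE_MS10_052 = "&(!pc_XP_2115168_MS10-052_FileChk|pc_XP_2115168_MS10-052)"

if __name__ == "__main__":
    # Constructed results: no Media Center DLL on the client, so both checks fail.
    print(explain(RULE_MCE, {"pc_Windows_ehkeyctl": False,
                             "pc_XP_MCE_KB973768_MS09-037": False}))
```

With the constructed input shown, the rule passes while both checks are listed as failed; a failed check appears under "blocking" only when the rule itself fails because of it.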

Similar Questions

  • Need of a rule on the NAC to deny access to the XP machines

    We run NAC 4.9.1 and I'm trying to think of a way to refuse any Windows XP client full network access. I created a new check which examines the registry key under:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProductName

    For any string that contains "Windows XP". I have it on Audit right now and I see in the logs that the XP machines hit this requirement.

    Now, how can I deny that check?

    Hello

    The NAC itself has compliance rules for the different OSes that you want to allow on your network.

    Simply create a compliance rule indicating that you only allow Windows 7. It works much better than the registry condition.

    I used to support this product back to Cisco, but unfortunately I don't have access to a NAC server so I don't know where exactly is this option.

    If you need more help feel free to ask and I'll be happy to help you.

    Kind regards

    Erdelgad

  • NAC scanning does not work

    Hello;

    I got the Tenable Nessus plugins from the website and downloaded them onto the NAC Manager, then tried to apply the plugins in the plugin installation, but I found nothing. Is there any CLI or installation process I must perform for the Nessus plugins?

    You will need to extract the contents and create new files smaller than 10 MB. Load each one separately. Maintain the directory structure in the tar file.

  • Logical AND with the event structure

    Hello everyone

    The event structure can handle several events at once to do the same thing: it looks like a logical OR operator. But I have not found a way to sequence events to get a logical AND. For example: you must click on a button to draw, and then entering the image would change the mouse cursor. With an event structure, I can handle these 2 events separately or together (i.e. change the cursor), but I can't do a sequence of events.

    Is this possible to do with an event structure?

    I hope that I am clear (sorry for my English btw). And thanks in advance.

    Christophe

    I don't think this is possible directly. You will need to add state information to your event loop that could enforce the order of events and the logic rules you want. When handling an event, you would have to check whether the required event has occurred before this event. If that is the case, perform your processing. If this isn't the case, ignore the event. Your first event would need to set this state information. You can also include some kind of time-out if the second event has to occur within a specific period.

    This type of logic may be better handled with a producer/consumer architecture and a state machine in the consumer task.

  • How to configure Enterprise Manager Database Control (MCCD) to make it work on 2 servers (primary and standby) work according to the rules of the DG

    Hello everyone I use Oracle Database EE 11.2.0.4 with DG.

    In these cases, I need to get Enterprise Manager Database Control running against DB with no CARS and no DG I do the following:

    I log on to SQLPLUS as user SYS or SYSTEM and drop the sysman account and business objects:

    DECLARE
      CURSOR c1 IS
        SELECT owner, synonym_name name
        FROM dba_synonyms
        WHERE table_owner = 'SYSMAN';
    BEGIN
      -- Drop every synonym that points at a SYSMAN-owned object
      FOR r1 IN c1 LOOP
        IF r1.owner = 'PUBLIC' THEN
          EXECUTE IMMEDIATE 'DROP PUBLIC SYNONYM ' || r1.name;
        ELSE
          EXECUTE IMMEDIATE 'DROP SYNONYM ' || r1.owner || '.' || r1.name;
        END IF;
      END LOOP;
    END;
    /

    -- Remove the Database Control accounts and role
    DROP USER mgmt_view CASCADE;
    DROP ROLE mgmt_user;
    DROP USER sysman CASCADE;

    After that, I run

    emca -config dbcontrol db -repos recreate

    But what do I do in case I have 2 servers (primary and standby) work according to the rules of the DG?

    Hello

    It is not possible to monitor and administer a physical or logical standby database, i.e. Data Guard, using Enterprise Manager Database Control.  This is mainly due to the fact that Database Control is designed to monitor 1 database, and a Data Guard environment, by definition, includes more than 1 database.

    If you attempt to run emca against a standby database, you will get an error (e.g. ORA-01219: database is not open).

    Of course, Database Control can be used to monitor the current primary database (with no capacity to administer or control Data Guard related features).  In such a case, after a failover Database Control needs to be reconfigured to run on the new primary database using the commands described in detail in Note 278100.1 how to remove, create and recreate DB Control In A Database, section c. recreate/ReConfig DB control, Option 2 10 g. recreate the control DB Configuration files and repository.

    Enterprise Manager Grid Control or Cloud Control provides the functionality to display, monitor, and administer the primary and standby databases in a Data Guard configuration.

    Reference: It is Possible to configure the database for a logical or physical Standby Database command? (Doc ID 315116.1)

    You can effectively use EM 12c Cloud Control to monitor and manage the standby DB

    Refer to the link below for more details

    Set up and manage to Oracle Data Guard with Oracle Enterprise Manager Cloud control 12 c

    Kind regards

    Rahul

  • Force evaluation of the rules for the non-existent entities and unknown attributes...

    Hi all

    I have another issue potentially easy for the gurus of the OPA in this forum - there must be a simple explanation to this question but I'm just not see it.

    The problem that I am having with several of my rules, it's that the conclusion is not evaluated due to the non-existent entity instances or unknown entity attributes. As an example of the first scenario, I have a rule that checks for the existence of an instance of an entity with a type and status. The conclusion is evaluated as if there is at least an instance of this entity, otherwise, the conclusion remains unknown.

    Similarly, I wrote an equation to annualize all its (financial) obligations in a case, where the frequency of the obligation can be weekly, fortnightly, monthly, etc.. I created an attribute for each type of frequency, which are then added to the equation. The issue in this example, is that the equation does not conclude if there is not a value for each attribute in the equation. For example, if:

    attribute 1 = A + B + C

    where A = 1, B = 2 and C is unknown, attribute 1 does not evaluate to 3, but will remain unknown. Logically, I would expect that the lack of a numeric value defaults to 0, rather than an unknown attribute value, but this is not the case.

    I looked at the 'Certain and known operator rule examples' help topic to try to understand how assign a value to an unknown attribute, but the example at the bottom of the topic page does not provide a sufficient explanation as to how the logic:

    point of the total team = team 1 round points + points of the round 2 team + team of turn 3 points

    the team of the round 1 points = 0 if
    Round 1 team points (such as recorded by the team) is unknown

    the team from round 2 points = 0 if
    etc.

    It seems from the example that there are 2 attributes used to the same variable: [team of the Tower, 1 points] and [team of the round 1 points (such as recorded by the team)]. It is not clear to me how the original equation can be concluded if the values are stored in the alternate attribute [points of the round 1 team (such as recorded by the team)] etc.

    I have also considered using fragments of rule by the help topic "Prove an attribute using multiple rules", while I could use two equations separated to set the value of an attribute according to the circumstances, that is to say:

    attribute 1 = A + B + C

    attribute 1 = 0 if
    attribute 1 is unknown

    This attempt results in a logic loop error, probably because I am trying to set the value of an attribute based on the same attribute's value.

    Any help will be greatly appreciated!
    Philippe

    Hi Philippe,

    I suggest the following way to solve this problem, although there are other ways too.
    You can use a rule table for it.

    Open a Working Document, and then press 'Alt + Z' to create a rule table.

    Use the following rule:
    Keep the text in bold in the left-hand column and the text in italics as a condition in the right-hand column. Use correct indentation when compiling the rules.

    -------------------------------------------
    Attribute 1
    -------------------------------------------
    0          any
                 A is unknown or
                 A is uncertain
               and
               any
                 B is unknown or
                 B is uncertain
               and
               any
                 C is unknown or
                 C is uncertain
    -------------------------------------------
    A          any
                 B is unknown or
                 B is uncertain
               and
               any
                 C is unknown or
                 C is uncertain
    -------------------------------------------
    A + B      C is unknown or
               C is uncertain
    -------------------------------------------
    A+B+C      otherwise

    Thank you
    Sofiane

  • Re Mail Yosemite: where are the files of signatures and rules are?

    I had to reinstall Yosemite from scratch. I want to import Signatures and rules - without accounts - back-up of the previous installation. What are the names of the files in question and where are they located?

    You need to locate the folder ~/Library/Mail/V2/MailData/Signatures for your signatures and ~/Library/Mail/V2/MailData/SyncedRules.plist for your rules.

    Drag and drop in the same location on your new installation.

    I hope this helps.

  • How to enable and disable, copy or rename the rules via the groovy script?

    A client, we received this question:

    How to enable and disable, copy or rename the rules via the groovy script?

    Foglight 5.7.5

    Hello

    There is this example of support KB

    support.Software.Dell.com/.../99059

    and there is also documentation of Service layer of the administration on the RuleService console.

    Best regards

    Golan

  • How to distinguish the physical interface and logic (subinterface) interface to the Cisco router/Switch?

    Hi Expert,

    How do I distinguish a physical interface from a logical interface (subinterface) on a Cisco router/switch? Can you please clarify a formal way to do this?

    A physical interface is numbered with the same interface name as printed on the physical port. For example "GigabitEthernet 0/1" corresponds to port 1 of module 0 (or the base unit).

    A logical interface can be a subinterface on a routed port and will have a dot (".") preceding the subinterface number (e.g. GigabitEthernet 0/1.1). It can also be a loopback or a virtual interface (on a router this could also include interfaces like tunnel and virtual tunnel or VTI types). A switch may also have VLAN logical interfaces (e.g. interface vlan 1) which are used as layer 3 virtual interfaces.

  • Activation of the NAC HA puts several hosts and ASA with processor clocked at 100%

    I installed a NAC Manager and a NAC server in OOB without any problems, but when I configured HA (high availability) with another server, my ASA and several hosts in my network started working at 100% CPU.

    I tried to configure each interface of the NAC on a single DMZ and the problem stops there.

    Has anyone had this problem? (NAC version 4.7)

    TKX

    Miguel Amaral

    Hello Miguel.

    When I started a NAC InBand HA solution I had a similar problem, which I solved by setting the HA heartbeat configuration to use just ETH0 instead of ETH0 and ETH1.

    Best regards

    Luciano Carvalho

  • NAC dynamic assignment to the same VLAN, in-band and out-of-band

    Hello

    Pls forgive my ignorance, I'm fresh in the NAC biz.

    I have a requirement from a client, a very large high-rise with numerous hospitals; they want to assign MDs to the same VLAN whether he or she uses the office at the clinic, which would be OOB Layer 3, or uses the wireless Tablet PC/PDA during rounds.

    The question is whether this is something achievable. A little trick how to do it would be very useful.

    Appreciate your expertise.

    Thank you

    Saami

    User role VLAN can be enabled for OOB.

    The VLAN is configured on the role and, when setting up OOB, there is a check box that you need to enable so that the user receives the VLAN configured on the role (I don't remember the exact section now..).

    With that, whenever a user who belongs to a specific role connects, he will receive the same VLAN according to what is set up on his role.

    I hope this helps.

  • NAC Guest Server and preconfigured account durations

    There seems to be a bug in the way the NAC Guest Server manages the pre-configured lifetime of guest accounts.

    I followed the manual and I did:

    -Set up 3 times (24 h, 48 h and 1 week) under templates/accounts/accounts times.

    - And the value 'period maximum of account' under user groups

    I understand I should now be able to select one of the configured three times when I log on as a co-author.

    However, I get only the number I mentioned to the user group.

    The strange thing is that if I change the Maximum duration per user group, I have this as the only choice (for example 14 days).

    Have others experienced this?

    Best regards

    Steffen Lindemann

    You can use one of the option to know the number of days or hours.

    For days;

    Authentication > user groups > Add Group | Edit Group includes two new parameters for the number of days in the future, the account can be created and maximum duration of the account (in days)

    For the opening hours:

    User interface > models > add model. Change the Template > accounts > account duration

    http://www.Cisco.com/en/us/docs/security/NAC/guestserver/Release_notes/11/gsrn110.html

  • Severity of the error for Agent of LogFilter and rule

    Hello

    When you change the list of messages of LogFilter trap, you get to choose the severity of the error and a Message from the user for the particular match strings:

    I already know how to make the message to display in the body of the e-mail message, but how can we get the string the severity of error to be displayed in the subject line?  If I use @foglight_severity_level, it returns 1, which is the level of seriousness for the real LogFilter rule.  If I use @foglight_severity_level_name, this returns fire, which is the name of the level of seriousness for the real LogFilter rule.

    Given the ability to choose the level within the list of messages of Logfilter trap, there must be an easy way to get this as a variable to use in an e-mail subject line?

    Thank you

    Brian

    Hello everyone

    I finally managed to get this working.  I created a new Expression called error using the following code:

    def checks = checkObservationAlarms(#LogFilter_ErrorVerbose to 1ms #,
      // first closure: map the entry's Severity string to a numeric level
      { entry ->
        if (entry.get("Severity") == "WARNING") {
          return 2;
        }
        if (entry.get("Severity") == 'CRITICAL') {
          return 3;
        }
        if (entry.get("Severity") == "FATAL") {
          return 4;
        }
        return 0;
      },
      // second closure: turn the numeric level into the text for the subject line
      { entry, severity -> switch (severity) {
        case 2:
          return 'WARNING';
        case 3:
          return "Critical";
        case 4:
          return "Fatal";
        default:
          return '';
      }}, @foglight_rule_id);
    if (checks.size() > 0) {
      return checks[0][1];
    } else {
      return '';
    }

    .. which I picked up from the community forums.  I also created an additional Expression called UserError that takes the custom error that you provide in the trap message list within the agent, using the following code:

    def checks = checkObservationAlarms(#LogFilter_ErrorVerbose to 1ms #,
      // first closure: map the entry's Severity string to a numeric level
      { entry ->
        if (entry.get("Severity") == "WARNING") {
          return 2;
        }
        if (entry.get("Severity") == 'CRITICAL') {
          return 3;
        }
        if (entry.get("Severity") == "FATAL") {
          return 4;
        }
        return 0;
      },
      // second closure: return the user message configured for the matched entry
      { entry, severity -> switch (severity) {
        case 2:
          return entry.get("User_Message");
        case 3:
          return "" + entry.get("User_Message") + "";
        case 4:
          return "" + entry.get("User_Message") + "";
        default:
          return '';
      }}, @foglight_rule_id);
    if (checks.size() > 0) {
      return checks[0][1];
    } else {
      return '';
    }

    The most attentive of you will notice that case 2 has a different format from cases 3 and 4 in the above.

    Part of the reason this rule took so much time to program is that if I made a change to the rule code (for example change WARNING WARNING in the case statement of the first code), Foglight would not register the change and would instead return a null value or an empty value.  The following weird workaround often worked: I would revert to what it was originally, trigger the alarm, change it to what it should be, trigger the alarm, and continue to do that until the change was recognized.  For the above code, no matter how many times I changed cases 3 and 4 to resemble the format of case 2, I could never make it work.

    This behavior has only affected this particular rule; other custom rules that I programmed in the past have been absolutely perfect.

    My subject line becomes:

    @ServerName: @Error: @UserError

    (@ServerName is set elsewhere) which gives a very nice:

    Some.Server.com: caveat: NetWorker backup failure - backup failed

    .. What is exactly what I'm looking for.

    Brian

  • FxM rules and alerts in the FMS

    Hello, is it possible to configure alerts of FxM in foglight to application-specific thresholds? How can we determine the optimal values for the alert?

    I ask specifically rule processing time Service level agreements (apnps) (EUMetricContainerPercent), when we added the components of the application to follow us left the off the field values to see how everything worked and now we are at a time where we need to adjust the rules to how the application behaves normally. I don't know what is the best value in select service level threshold for treatment time in the configuration of the components of the application.

    I think I was going to set the threshold for the level of service of processing time, I would like to start with the list of resources in the drop of the analysis.  If I'm picking for a component of the application, I select the component of the Application and then choose the specific resource for which I want to put the limit.  You will be presented with different statistics for this resource for any interval or the desired period.  You can also view the base line.

    This information should help you choose the appropriate threshold.

    I hope this helps.

    Jeff

  • bean, containing the business logic and user interface components

    Hello experts design ADF, please guide me.   I came across a critical design aspects.  I have the homepage with a lot of UI, region 1, region 2 components. I bind the components of the user interface of the page at a session scope managed bean and is the reason why, when control passes to the region 1 or region 2, I'm going to do a lot of processing logic and then on that basis, I have to update the page user interface components.   Same thing with region 2 also.  And then I should be able to access the information in all regions and also through other components of interface user etc.

    I see only the scope session bean can help me here to get my tasks in all regions and in all the other components of the interface user to the page because I'm not able to spend too many parameters in all regions.     Now the problem is, I can't serialize this bean because as I've mentioned a lot of user interface components are updated based on logic.

    If I do not serialize the bean, I might have a problem in the future when the application must be deployed to the cluster envt.

    I don't know how can I go with my design now.   Please give me ideas, brilliant and very grateful for your advice.

    Thank you

    Hello

    I did not follow the entire thread, but this last message, I can tell that you are not using ADF how it should be used. So let me address two issues

    1. I use data controls generated on methods of bean managed my areas (workflow).

    If you create a POJO data control from a class that you also configured as a managed bean, then these will be two (separate) instances of the same Java class. This means that they do not share anything. The only option to share state between a managed bean and a data control is if you have the data control bean dynamically look up the managed bean using Expression Language (which then however creates a dependency between the DC and the bean - however, there are use cases like that)

    2 activation / deactivation of the buttons in the parent view of a region

    This can be done using bean-injection, which is a bean managed in extended view defined on the parent view that you pass as parameter for the workflow. See: http://www.oracle.com/technetwork/issue-archive/2013/13-may/o33adf-1920483.html

    As said, I haven't read the entire thread, but want to point out that there is enough information in writing (product documentation) and video (Insider ADF - who teach the development of SFM practices http://www.oracle.com/technetwork/developer-tools/adf/learnmore/adfinsider-093342.html take the time to review this)

    Frank
