Nodes are assigned the wrong policy because of platform false positives

Symptom

Nodes that were defined as blocking exceptions by a detected node-type condition in the enforcement policy are assigned to a different policy and blocked.

Cause

The condition for the Node Group that corresponds to the Blocking Exceptions Enforcement Policy is based on Node-Type. If the detected platform of the node changes, the node may no longer meet the conditions of the blocking exceptions Node Group and Enforcement Policy. The detected platform may change over time as the sensor conducts more scans, or as the behavior of the node changes.

Resolution

Detected node types and node platforms may be intermittently wrong or inaccurate. Therefore, the condition 'detected is equal to' is not appropriate as a condition of an exception handling policy.

If you want to use node-type conditions for defining blocking exceptions, you should use conditions such as 'node type - Admin-Confirmed is equal to' and 'node type - is - defined by Administrator'.

Method 1: Use 'node type - Admin-Confirmed is equal to' as the exception group condition (recommended)

  1. Go to Web Console > Management > Status & Filter > Node Type and select the node type to define the exception.
  2. Select the upper left check box of the list screen to check the check box of all nodes in the list.
  3. Select Choose Task > Node and Device > Edit Node Fields.
  4. Check the Admin-Confirmed Node Type and Admin-Confirmed Platform items and click the Modify button at the bottom.
  5. Repeat the process with other node types if desired.
  6. In the Preferences > General > Node > Detection topic, change the Auto-Confirm Detected Platform option to On.
  7. Go to the Enforcement Policy menu and, in the node group criteria for the exception handling policy, select the NodeType > Admin-Confirmed is equal to condition and add the node type that defines the exception.
  8. Once you have added all node types, click the 'Update' button, then click the Apply button at the top of the screen to apply the policy.

Attention

Admin-Confirmed node types and platforms are field values that hold information verified by the administrator. They do not change unless the administrator checks and changes them directly in Status & Filter > Change Management or in the Node Details screen. Because of the setting in step 6, the first detected platform and node type are retained.

Nodes whose platform or type is detected differently than before can be monitored in the Management > Status & Filter > Change Management menu and in the Dashboard widget Detected / Admin-Confirmed Conflict.

Method 2: Use 'node type - is - defined by Administrator' as the exception group condition

  1. Go to Web Console > Management > Status & Filter > Node Type and select the node type to define the exception.
  2. Select the upper left check box of the list screen to check the check box of all nodes in the list.
  3. Select Choose Task > Node and Device > Edit Node Fields.
  4. Check the New Node Type item, select the node type to be assigned, and click the Save button at the bottom.
  5. Repeat the process with other node types if desired.
  6. Go to the Enforcement Policy menu, add the node type > is > defined by Administrator condition to the node group conditions of the exception handling policy, click the Update button, and click the Apply Policy button at the top of the screen to apply the policy.

Attention

If the group condition is defined as 'node type - is - defined by Administrator', any node whose type is defined by an administrator will be added to the group, regardless of what that node type is.

When the node type is specified manually, it is not updated by scanning, so it is also possible to set up a policy with the 'detected is equal to' condition, which will group nodes based on their originally detected type/platform.

Newly registered nodes must also be monitored and given a node type, to avoid accidentally blocking nodes that you intend to exempt from blocking.
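The behavior described under Cause and the trade-offs of Methods 1 and 2 can be seen in a small model. This is an added example, not code from the product or from the original page; the field names, node names and node types are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model (assumption): field names and node types are constructed.
EXEMPT_TYPES = {"Printer", "IP Phone"}  # types the exception group should match

@dataclass
class Node:
    name: str
    node_type: str                         # current type, refreshed by sensor scans
    admin_confirmed: Optional[str] = None  # changes only when an administrator edits it
    admin_defined: bool = False            # True when an administrator set the type manually

def rescan(node: Node, new_type: str) -> None:
    """A sensor scan updates the detected type unless it was set manually."""
    if not node.admin_defined:
        node.node_type = new_type

# The three node group conditions discussed on this page.
def detected_is_equal_to(n: Node) -> bool:
    return n.node_type in EXEMPT_TYPES

def admin_confirmed_is_equal_to(n: Node) -> bool:
    return n.admin_confirmed in EXEMPT_TYPES

def is_defined_by_administrator(n: Node) -> bool:
    return n.admin_defined

def conflicts(nodes):
    """Nodes whose detected type no longer matches the Admin-Confirmed value."""
    return [n.name for n in nodes if n.admin_confirmed and n.admin_confirmed != n.node_type]

def scenario() -> dict:
    printer = Node("printer-01", "Printer", admin_confirmed="Printer")
    laptop = Node("laptop-07", "PC", admin_defined=True)  # manually typed, not exempt
    before = detected_is_equal_to(printer)
    rescan(printer, "PC")       # false positive on a later scan
    rescan(laptop, "Printer")   # ignored: type was set manually
    return {
        "detected_before": before,
        "detected_after": detected_is_equal_to(printer),
        "confirmed_after": admin_confirmed_is_equal_to(printer),
        "laptop_matches_method2": is_defined_by_administrator(laptop),
        "laptop_type": laptop.node_type,
        "conflicts": conflicts([printer, laptop]),
    }

if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The printer drops out of the detected-type group after the false positive but stays in the Admin-Confirmed group and shows up as a conflict to review, while the manually typed PC matches the Method 2 condition even though its type is not one you meant to exempt.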

Method 3: Keep the existing type/platform as the exception node group criteria and disable scanning for the node(s)

  1. Go to Web Console > Management > Status & Filter > Node Type and select the node type to define the exception.
  2. Select the upper left check box of the list screen to check the check box of all nodes in the list.
  3. Select Task > Node and Device > Edit Node Options.
  4. Check the Node Platform / Open Port Scan item, select the Off option, and click the Save button at the bottom.

Attention

If you set node scanning to Off, that node is no longer scanned. Its detection information is therefore not renewed, so its node type does not change.

You must continue to perform these settings on newly added nodes that you wish to block.