.. _false-positive-platform:

A problem in which the node is assigned the wrong policy due to platform false positives
=============================================================================================

Symptom
-------

Nodes that were defined as blocking exceptions through a detected node type condition in the enforcement policy are assigned to a different policy and blocked.

Cause
-----

The condition for the Node Group that corresponds with the Blocking Exceptions Enforcement Policy is based on Node-Type. If the detected platform of the node changes, it may no longer meet the conditions of the blocking exceptions Node Group and Enforcement Policy. The detected platform may change over time as more scans are conducted by the sensor, or as the behavior of the node changes.

Resolution
----------

Detected node types and node platforms may experience intermittent errors or inaccurate detection. Therefore, the condition ``detected is equal to`` is not appropriate as a condition of an exception handling policy.

If you want to use node-type conditions for defining blocking exceptions, you should use conditions such as ``node type - Admin-Confirmed is equal to`` and ``node type - is - defined by Administrator``.

Method 1: Use ``node type - Admin-Confirmed is equal to`` as the exception group condition (recommended)

1. Go to **Web Console > Management > Status & Filter > Node Type** and select the node type to define the exception.
2. Select the check box at the upper left of the list screen to check the check boxes of all nodes in the list.
3. Select **Choose Task > Node and Device > Edit Node Fields**.
4. Check the ``Admin-Confirmed Node Type`` and ``Admin-Confirmed Platform`` items and click the ``modify`` button at the bottom.
5. Repeat the process with other node types if desired.
6. In the **Preferences > General > Node > Detection** topic, change the **Auto-Confirm Detected Platform** option to **On**.
7. Go to the **Enforcement Policy** menu and, in the node group criteria for the exception handling policy, select the **NodeType > Admin-Confirmed is equal to** condition to add the node type to define the exception.
8. If you have added all node types, click the ``Update`` button and click the ``Apply`` button at the top of the screen to apply the policy.

.. attention:: Admin-Confirmed node types and platforms are field values that hold information verified by the administrator (**Status & Filter > Change Management**). If the administrator does not check and change them directly in the **Node Details** screen, they are not changed. Because of the setting in step 6, the first detected platform and node type are retained. Cases where a node's platform and type are detected differently than before can be monitored in the **Management > Status & Filter > Change Management** menu and the Dashboard widget **Detected / Admin-Confirmed Conflict**.

Method 2: Use ``node type - is - defined by Administrator`` as the exception group condition

1. Go to **Web Console > Management > Status & Filter > Node Type** and select the node type to define the exception.
2. Select the check box at the upper left of the list screen to check the check boxes of all nodes in the list.
3. Select **Choose Task > Node and Device > Edit Node Fields**.
4. Check the ``New Node Type`` item, select the node type to be assigned, and click the ``Save`` button at the bottom.
5. Repeat the process with other node types if desired.
6. Go to the **Enforcement Policy** menu, add the **node type > is > defined by Administrator** condition to the node group conditions of the exception handling policy, click the ``Update`` button, and click the ``Apply`` Policy button at the top of the screen to apply the policy.

.. attention:: If the group condition is defined as node type - is - ``defined by Administrator``, any node whose node type is defined by an administrator will be added to the group, regardless of the node type. When the node type is specified manually, it is not updated by scanning, so it is possible to set up a policy with the ``detected is equal to`` condition, which will group nodes based on their originally detected type/platform. Newly registered nodes must also be monitored and given a node type, to avoid accidentally blocking nodes that you intend to exempt from blocking.

Method 3: Use the existing type/platform as the exception node group criteria and disable scanning for the node(s)

1. Go to **Web Console > Management > Status & Filter > Node Type** and select the node type to define the exception.
2. Select the check box at the upper left of the list screen to check the check boxes of all nodes in the list.
3. Select **Task > Node and Device > Edit Node Options**.
4. Check the **Node Platform / Open Port Scan** item, select the **Off** option, and click the ``Save`` button at the bottom.

.. attention:: If you set node scanning to OFF, scanning of that node is not performed. The node's detection information is therefore not renewed, so the node type does not change. You must continue to perform these settings on newly added nodes that you wish to block.