Node is Blocked After Changed Node Type

Symptom

The type of node is changed in the policy server, resulting in an enforcement action being taken against the node.

Cause

  • The network sensor scans the nodes and classifies them using the collected information.
  • The node type can be changed as more info is gathered.
  • If an enforcement policy is linked to a group based on node type, a changing node type can result in an unwanted enforcement.

Resolution

If a node is classified as a network device for the first time, if the node type is defined by a user, or if scanning of the node is disabled, node type scanning will be stopped.

How to Define Node type:

  1. Go to Management > Node in the top panel.
  2. Click on the desired IP or MAC Address.
  3. Click General tab.
  4. Check the box of User-Defined Platform.
  5. Select the Node type.
  6. Click Update.

How to Disable scanning on a node:

  1. Go to Management > Node in the top panel.
  2. Click on the desired IP or MAC Address.
  3. Click Policy tab.
  4. Set the Node Platform/Open Port Scan option to Off.

Identifying information gathered about a specific Node:

To see how a node was classified, you can view the collected information.

  • Follow the below steps, as shown in the code box.
  • Log in to the Policy Server console directly or by SSH.
  • Enter Configuration mode.
  • Enter shell mode.
  • Navigate to the directory that holds the node scan data.
  • Node scan data files will be in .raw format , with a [Node IP-Node MAC] naming scheme.
  • Use the cat command to display the contents of the file.
genian> en

genian# @shell

Genians$ Cd /disk/data/logs/system/scanraw

Genians$ cat [Node IP-Node MAC].raw