05-03-2013 01:04 AM - edited 03-10-2019 08:23 PM
Hi all
I think that something is definitely wrong with the posturing rules on our ISE. I am seeing weird behaviour when changing posturing policies and their elements in our ISE.
In Full, we currently have a policy written with a requirement that clients must have SEP 11, 12.0 or 12.1 installed and the AV defs can be up to 28 days older than the latest AV definition file date.
However, prior to us rolling out SEP12.1 in our environment, we wanted to test that the ISE could remediate SEP 12.1 just like it does for SEP 11 clients.
To do this I created a policy just to test SEP 12.1 being out of date for over 2 days. A client never matched this policy; it was still passing posture using the old policy. I imagine this is because the old policy was still referencing that SEP 12.1 defs can be up to 28 days older than the current release date.
So, in the AV Compound Condition for the old policy I unticked references to SEP 12.0 & SEP 12.1. This had no effect. When I looked at the posture reports they were still showing SEP12.1 clients passing posture on the old policy. Well, this can’t be possible as I have unticked those conditions now.
So, in the end, I was forced to completely delete the old Posture Policy Rule, the Requirements Condition and the AV Compound Condition. I then created it all again from scratch just for SEP 11, so there is no reference to SEP 12.0 or 12.1.
When I check the posture reports, they are still showing that the SEP 11 clients are passing posture on the old rule and old conditions that don’t even exist any more! Luckily, I haven’t broken anything as clients are still being allowed on to the network and they are being posture checked.
It looks like the ISE is holding on to this old posture configuration somewhere, and it may be that the only way to truly get the ISE to recognise the changes I have made to the posture policies is by restarting a particular service (not sure which one) or restarting the whole node (which I don’t really want to do, and shouldn’t have to do surely!).
Any suggestions? This is rather urgent as it is holding up testing of remediation for SEP 12.1 clients.
thanks
Mario De Rosa
05-03-2013 05:32 AM
OK, I resolved this by performing a Re-Sync between my two ISE nodes.
It appears that the secondary ISE node went in to a "Replication Disabled" state. Once I performed the Re-Sync, the posture reports now show all the correct policies getting matched.
Lesson Learnt there!
Mario
07-18-2013 04:57 AM
Kindly review the below link:
07-19-2013 06:31 AM
Kindly review the below link as well: