Posture Policy changes not taking effect in ISE!

marioderosa2008
Level 1

Hi all

I think that something is definitely wrong with the posturing rules on our ISE. I am seeing weird behaviour when changing posturing policies and their elements in our ISE.

In full, we currently have a policy written with a requirement that clients must have SEP 11, 12.0 or 12.1 installed and the AV defs can be up to 28 days older than the latest AV definition file date.

However, prior to us rolling out SEP 12.1 in our environment, we wanted to test that the ISE could remediate SEP 12.1 just like it does for SEP 11 clients.

To do this I created a policy just to test SEP 12.1 being out of date for over 2 days. A client never matched this policy; it was still passing posture using the old policy. I imagine this is because the old policy was still referencing that SEP 12.1 defs can be up to 28 days older than the current release date.

So, in the AV Compound Condition for the old policy I unticked references to SEP 12.0 & SEP 12.1. This had no effect. When I looked at the posture reports they were still showing SEP 12.1 clients passing posture on the old policy. Well, this can't be possible as I have unticked those conditions now.

So, in the end, I was forced to completely delete the old Posture Policy Rule, the Requirements Condition and the AV Compound Condition. I then created it all again from scratch just for SEP 11, so there is no reference to SEP 12.0 or 12.1.

When I check the posture reports, they are still showing that the SEP 11 clients are passing posture on the old rule and old conditions that don't even exist any more! Luckily, I haven't broken anything, as clients are still being allowed onto the network and they are being posture checked.

It looks like the ISE is holding on to this old posture configuration somewhere, and it may be that the only way to truly get the ISE to recognise the changes I have made to the posture policies is by restarting a particular service (not sure which one) or restarting the whole node (which I don't really want to do, and shouldn't have to do, surely!).

Any suggestions? This is rather urgent as it is holding up testing of remediation for SEP 12.1 clients.

thanks

Mario De Rosa

3 Replies

marioderosa2008
Level 1

OK, I resolved this by performing a Re-Sync between my two ISE nodes.

It appears that the secondary ISE node went into a "Replication Disabled" state. Once I performed the Re-Sync, the posture reports now show all the correct policies getting matched.

Lesson Learnt there!

Mario

manjeets
Level 3

Kindly review the below link:

https://supportforums.cisco.com/docs/DOC-32837