12.6.2 host sensor enforcement does not save
Hi,
version 12.6.2 on M370
I have enabled Host Sensor enforcement on TDR, but Policy Manager does not save the setting when you enable enforcement on a group in the SSLVPN configuration page.
Robert
Comments
Okay, the enforcer settings assigned to an SSLVPN group are saved:
2020-08-21 21:17:06 Webshop-HA2 vpn_enforcer VPN (SSL) connection by user XXX met all TDR Host Sensor Enforcement requirements. msg_id="7800-0001" Event
But it's not visible in Policy Manager, so you cannot see which groups have enforcement enabled and you are unable to disable it.
But it works from the WebUI.
Robert
Guess that there should have been a Beta for V12.6.2!
I checked almost daily for Beta for V12.6.2, but never saw one. Oops!
Gregg Hill
It works normally on my T35 running 12.5.5, so I exported/imported that config to my T20 running 12.6.1 to check it, and it works, IF I understand your point correctly. Before I upgrade the T20 to 12.6.2, can you clarify the issue you are seeing for me?
Gregg Hill
Geez, I am one impatient person! Wait for an answer? Oh, heck no! I went ahead and upgraded my T20 to 12.6.2, but I don't think I have the issue you described, once again if I actually understand it correctly.
I normally just use the built-in SSLVPN-Users group with RADIUS to my AD and AuthPoint/Duo as my two 2FA providers, with a matching SSLVPN-Users group in my AD.
I added my Firebox-DB groups so that I could test what I think is your issue, but I have no problem saving the changes, and making changes afterwards.
Maybe it's an issue with that specific Firebox?
Gregg Hill
OK, I think I see what you mean. It worked for the first save, but afterwards, unchecking enforcement on a group always reverts to it being checked after saving the file.
Gregg Hill
Still running 12.6.2, I reverted back to my config right after the upgrade, which only has the single SSLVPN-Users group, and with only that one group, I can choose to enforce or not and it saves the setting.
Gregg Hill
This is what my config looks like when Host Sensor enforcement is enabled on the group SSLVPN-Admins:
[Image: config when Host Sensor enforcement is enabled]
and notice the nice new feature where you can write and name values as you like.
OK, we are not seeing the same thing. If I enable it, my boxes stay checked.
Gregg Hill
I'm having something similar happen, but it depends where I check the box for Sensor Enforcement:
WebUI: Shows Host Sensor Enforced is 'Yes' and works.
Policy Manager: VPN/Mobile VPN/SSL (Authentication tab). If I check Sensor Enforcement for a group here, it applies, but the checkbox is no longer checked when I pull Policy Manager back up.
Policy Manager: Setup/Authentication/Users and Groups... If I go here and click on the group properties, the Sensor Enforcement box is always checked correctly.
I opened a case with WG (#01412695) on it