12.6.2 host sensor enforcement do not save

Hi,

version 12.6.2 on M370

I have enabled Host sensor enforcement on TDR, but policy manager do not save the setting when you enable enforcement on a group in the sslvpn configuration page.

Robert

Comments

  • Okay, the enforcer settings assigned to a sslvpn group is saved:
    2020-08-21 21:17:06 Webshop-HA2 vpn_enforcer VPN (SSL) connection by user XXX met all TDR Host Sensor Enforcement requirements. msg_id="7800-0001" Event

    But it´s not visible in policy manager, so you cannot see which groups has enforcement enabled and unable to disable it.

    But it works from the WebUI.

    Robert

  • Guess that there should have been a Beta for V12.6.2 !

  • I checked almost daily for Beta for V12.6.2, but never saw one. Oops!

    Gregg Hill

  • It works normally on my T35 running 12.5.5, so I exported/imported that config to my T20 running 12.6.1 to check it, and it works, IF I understand your point correctly. Before I upgrade the T20 to 12.6.2, can you clarify the issue you are seeing for me?

    Gregg Hill

  • Geez, I am one impatient person! Wait for an answer? Oh, heck no! I went ahead and upgraded my T20 to 12.6.2, but I don't think I have the issue you described, once again if I actually understand it correctly.

    I normally just use the built-in SSLVPN-Users group with RADIUS to my AD and AuthPoint/Duo as my two 2FA providers, with a mtching SSLVPN-Users group in my AD.

    I added my Firebox-DB groups so that I could test what I think is your issue, but I have no problem saving the changes, and making changes afterwards.

    Maybe it's an issue with that specific Firebox?

    Gregg Hill

  • OK, I think I see what you mean. It worked for the first save, but afterwards, unchecking enforcement on a group always reverts to it being checked after saving the file.

    Gregg Hill

  • Still running 12.6.2, I reverted back to my config right after the upgrade, which only has the single SSLVPN-Users group, and with one that one group, I can choose to enforce or not and it saves the setting.

    Gregg Hill

  • This is how my config looks like when Host Sensor enforcement is enable on the group SSLVPN-Admins

    config looks like when Host Sensor enforcement is enable

  • @RVilhelmsen said:
    This is how my config looks like when Host Sensor enforcement is enable on the group SSLVPN-Admins

    config looks like when Host Sensor enforcement is enable

    OK, we are not seeing the same thing. If I enable it, my boxes stay checked.

    Gregg Hill

  • edited August 2020

    I'm having something similar happen but it depends where I check the box for Sensor Enforcement

    WebUI = Shows Host Sensor Enforced is 'Yes' and works

    Policy Manger: VPN/Mobile VPN/SSL. (Authentication Tab). If I check Sensor enforcement for a group here, it applies but the checkbox is no longer checked when I pull policy manager back up

    Policy Manger: Setup/Authentication/Users and Groups..." If I go here and click on the group properties, the Sensor Enforcement box is always checked correctly.

    I opened a case with WG (#01412695) on it

Sign In to comment.