Broadcom ClearPass Extension - Symantec Endpoint Protection Manager Integration User guide

Type
User guide

Broadcom ClearPass Extension - Symantec Endpoint Protection Manager Integration helps you to gain additional context about endpoints which are authenticating to your network. By integrating with Symantec Endpoint Protection Manager (SEPM), ClearPass Policy Manager gathers endpoint attributes, such as the existence of the endpoint within SEPM, the version of SEPM installed on the endpoint, the infection status of the endpoint, and the status of the firewall and antivirus engine on the endpoint. This information can be used to create role mapping and enforcement policies that restrict access to the network based on the security posture of the endpoint.


ClearPass Extension - Symantec Endpoint Protection Manager
Integration Guide
Symantec Endpoint Protection Manager - Integration Guide 1
Change Log
Version    Date        Modified By    Comments
2018-01    8/23/2018   Angel Vidal    Initial release
Copyright
© Copyright 2018 Hewlett Packard Enterprise Development LP.
Open Source Code
This product includes code licensed under the GNU General Public License, the GNU
Lesser General Public License, and/or certain other open source licenses. A complete
machine-readable copy of the source code corresponding to such code is available upon
request. This offer is valid to anyone in receipt of this information and shall expire three
years following the date of the final distribution of this product version by Hewlett-Packard
Company. To obtain such source code, send a check or money order in the
amount of US $10.00 to:
Hewlett-Packard Company
Attn: General Counsel
3000 Hanover Street
Palo Alto, CA 94304
USA
Please specify the product and version for which you are requesting source code. You may
also request a copy of this source code free of charge at HPE-Aruba[email protected].
Contents
Introduction and Overview
SEPM Integration workflow
Sample Use Cases
Software Requirements
ClearPass Installation and Deployment Guide
ClearPass Extensions
SEPM Extension Installation and Configuration
Extension Configuration Reference
Appendix
    Sample endpoint attributes pulled by the extension from SEPM
    Sample Endpoint Attributes (Screenshots)
    Sample Enforcement Policy and Role Mapping Screenshots
    Additional Diagnostics and Support
    SEPM Troubleshooting Considerations
    SEPM Database Lookup Reference
Figures
Figure 1: Integration Workflow
Figure 2: The “Install Extension” Search Form
Figure 3: The “Install Extension” Search Results Page
Figure 4: The “Install Extension” Settings Page
Figure 5: The “Configuration” Link on the Manage Extensions Page
Figure 6: The “Extension Configuration” Field
Figure 7: The “Manage Extensions” Page Showing the Running State of the Extension
Figure 8: Checking the Extensions Service
Figure 9: Showing the Extension Log
Figure 10: Extension Debug Level Logging
Figure 11: The Collect Logs System Function
Figure 12: Locating the Extension Logs from the 'Collect Logs' Diagnostic GZ File
Introduction and Overview
Symantec Endpoint Protection Manager (SEPM) is the management platform for Symantec Endpoint Protection (SEP). SEP
provides endpoint security for protection against threats to desktop and mobile operating systems. By integrating with SEPM,
ClearPass Policy Manager gains additional context about endpoints which are authenticating to the network.
This TechNote covers how to deploy and configure a ClearPass Extension to integrate with SEPM. It also describes the
endpoint attributes which are retrieved from SEPM and defines their meaning within SEPM. This TechNote does not
cover creating role mapping and enforcement policies based on those attributes.
SEPM Integration workflow
Figure 1: Integration Workflow (the diagram is rendered here as a sequence of steps)
1. The SEPM extension starts and pulls endpoints from SEPM.
2. The SEPM extension adds those endpoints to the ClearPass Policy Manager endpoints repository.
3. ClearPass Policy Manager services make use of the endpoints repository for authorization.
After the initial pull, changes to endpoints are synchronized every 5 minutes and all endpoints are synchronized
every 24 hours. These intervals are controlled by the syncUpdatedDelaySeconds and syncAllDelayMinutes settings
described in the Extension Configuration Reference, where the listed values are 300 seconds (5 minutes) and
10080 minutes (7 days), so the effective full-sync interval is whatever is configured in your deployment.
Sample Use Cases
The table below describes some common integration capabilities, each with the endpoint attribute it relies on.

Use case: Check for the existence of the endpoint within SEPM.
Related attribute: Source
The extension sets an attribute named “Source” to the value “SymantecEPM” when the endpoint exists within SEPM. A
role mapping or enforcement policy can use this attribute to grant a different level of access to devices which are
known to be managed by SEPM.

Use case: Check which version of the SEP agent is installed on the endpoint.
Related attribute: Agent Version
The extension includes an attribute named “Agent Version”. If the most recent agent release is 14.0.3876.1100 and
there is a policy requiring a 14.0.x agent, the role mapping or enforcement policy can use the “Agent Version”
attribute with the operator BEGINS_WITH and the value 14.0. Note that BEGINS_WITH is a prefix match: the value
14.0 does not match a later 14.1.x or 14.2.x agent, so a requirement of “version X or later” cannot be expressed
with a single prefix.

Use case: Check whether SEPM is reporting this device as infected.
Related attribute: Infected
The extension includes an attribute named “Infected”. If SEPM reports that the device is not infected, the value is 0.
If SEPM reports that the device is infected, the value is 1.

Use case: Check whether the firewall component of SEP is running.
Related attribute: Firewall on Off
When the FIREWALL_ONOFF attribute returns 1, the firewall is on. If the value is 0, the firewall is off. Check the
value of this attribute using a role mapping or enforcement policy. SEPM may also return 127 (not reported); see
SEPM Troubleshooting Considerations.

Use case: Check whether the SEP antivirus engine is running.
Related attribute: Av Engine on Off
When the AVENGINE_ONOFF attribute returns 1, the real-time virus scan engine is enabled. If the attribute returns 0,
the antivirus engine is disabled.

Use case: Check when the endpoint last checked in with SEPM.
Related attribute: Last Update Time
The “Last Update Time” attribute holds the timestamp of when the endpoint last updated its record in SEPM. Use the
[Time Source] authentication source to calculate the amount of time that has passed since the endpoint last checked
in, and use a role mapping or enforcement policy to restrict access for endpoints which have not checked in recently.
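The use cases above, and the 127 “not reported” value described under SEPM Troubleshooting Considerations, combined into one posture decision. This is an added example for this guide, not code from the ClearPass extension or from Aruba (ClearPass evaluates role mapping rules in its own engine). It runs over an endpoint record shaped like the sample in the appendix; the role names, the 24-hour staleness limit and the minimum agent version are assumptions, and it assumes the *_ONOFF status codes listed in the SEPM Database Lookup Reference for AVENGINE_ONOFF also apply to Firewall on Off.

```python
"""Posture decision from SEPM-sourced endpoint attributes.

Added example for this guide; it is not code from the ClearPass extension
or from Aruba (ClearPass evaluates role mapping rules in its own engine).
The checks mirror the use-case table: Source, Agent Version, Infected,
Firewall on Off, Av Engine on Off and Last Update Time. The status code 127
("not reporting", see the SEPM lookup reference and the troubleshooting
section) is treated as unknown, never as a pass. Role names, the 24-hour
staleness limit and the minimum agent version are assumptions.
"""
from datetime import datetime, timedelta

# *_ONOFF codes as listed for AVENGINE_ONOFF / CIDS_ONOFF in the lookup
# reference; assumed to apply to Firewall on Off as well.
STATUS_CODES = {0: "off", 1: "on", 2: "not installed",
                3: "off by admin policy", 127: "not reporting"}

# Layout of "Last Update Time" in the appendix sample; assumed to be the
# SEPM server's wall-clock time with no time zone attached.
SEPM_TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_version(text):
    """'14.0.3876.1100' -> (14, 0, 3876, 1100); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in str(text).split("."))


def version_at_least(agent_version, minimum):
    """Component-wise numeric comparison. A BEGINS_WITH "14.0" rule rejects
    14.2.x even though it is newer; this accepts it."""
    a, m = parse_version(agent_version), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


def component_state(value):
    """Decode a *_ONOFF value; anything unparseable counts as not reporting."""
    try:
        return STATUS_CODES.get(int(value), "unknown code %s" % value)
    except (TypeError, ValueError):
        return "not reporting"


def checkin_age(endpoint, now):
    """Time since the endpoint last updated its SEPM record, or None if absent."""
    raw = endpoint.get("Last Update Time")
    if not raw:
        return None
    return now - datetime.strptime(raw, SEPM_TIME_FORMAT)


def evaluate(endpoint, now, min_version="14.0", max_age=timedelta(hours=24)):
    """Return (role, reasons); 'now' is a datetime or a SEPM-format string."""
    if isinstance(now, str):
        now = datetime.strptime(now, SEPM_TIME_FORMAT)
    if endpoint.get("Source") != "SymantecEPM":
        return "Unmanaged", ["no SEPM record for this endpoint"]
    if str(endpoint.get("Infected")) == "1":
        return "Quarantine", ["SEPM reports the endpoint as infected"]

    reasons = []
    if not version_at_least(endpoint.get("Agent Version", "0"), min_version):
        reasons.append("agent version %s is below %s"
                       % (endpoint.get("Agent Version"), min_version))
    for attr in ("Firewall on Off", "Av Engine on Off"):
        state = component_state(endpoint.get(attr))
        if state != "on":
            # "not reporting" (127) is a SEPM-side data problem; it is kept
            # as its own reason so it can be raised with Symantec support.
            reasons.append("%s is %s" % (attr, state))
    age = checkin_age(endpoint, now)
    if age is None or age > max_age:
        reasons.append("last SEPM check-in is missing or older than %s" % max_age)
    return ("Remediate", reasons) if reasons else ("Compliant", [])


# Constructed record, trimmed from the appendix sample.
SAMPLE_ENDPOINT = {
    "Computer Name": "win10-1",
    "Agent Version": "14.0.3876.1100",
    "Infected": 0,
    "Firewall on Off": 1,
    "Av Engine on Off": 1,
    "Last Update Time": "2018-01-24 22:18:13",
    "Source": "SymantecEPM",
}

if __name__ == "__main__":
    now = "2018-01-24 23:00:00"
    print(evaluate(SAMPLE_ENDPOINT, now))
    print(evaluate({**SAMPLE_ENDPOINT, "Firewall on Off": 127}, now))
    print(evaluate({**SAMPLE_ENDPOINT, "Agent Version": "12.1.7004.6500"}, now))
```

The point of the version helper is the gap noted above: a prefix rule on 14.0 rejects a 14.2 agent, while a component-wise comparison does not. The component check deliberately lists 127 as its own reason rather than folding it into “off”, so the operator can tell a SEPM reporting problem apart from a genuinely disabled firewall.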
Software Requirements
The minimum ClearPass software version required is 6.7.2. At the time of writing, ClearPass 6.7.5 is the latest available
and recommended release; subsequent ClearPass releases also support this integration. The minimum supported version of
SEPM is 14.
ClearPass Installation and Deployment Guide
This document assumes that your ClearPass environment is already configured and operational. If you require assistance with
basic deployment, refer to the following deployment guide:
http://www.arubanetworks.com/techdocs/ClearPass/Aruba_DeployGd_HTML/Default.htm
ClearPass Extensions
The integration between ClearPass Policy Manager and SEPM is driven through a ClearPass capability known as Extensions,
a sub-component of the ClearPass Exchange Integration framework. ClearPass Extensions are micro-services running on top
of the base ClearPass platform. These micro-services enable Aruba to deliver new features outside of the main software
release cycle and facilitate a faster time to market for specific features and integrations.
SEPM Extension Installation and Configuration
This document covers the process for installing the extension in ClearPass 6.7 via the Manage Extensions interface. Prior to
ClearPass 6.7, extensions were installed via the REST API interface; that procedure is not covered in this document.
Find the extension in the extension store
1. Navigate to the Manage Extensions menu in ClearPass Guest by clicking “Administration” and then clicking
“Extensions” in the left navigation pane.
2. In the Manage Extensions menu, click “Install Extension”.
3. Copy and paste the following extension name into the search field: Symantec Endpoint Protection Manager
4. Click Search.
Figure 2: The “Install Extension” Search Form
Install the extension
5. Click on the extension and then click Install.
Figure 3: The “Install Extension” Search Results Page
6. Optional: In the Extension Settings, enter the IP address to be used by this extension.
7. Click the Install button.
Figure 4: The “Install Extension” Settings Page
Configure the extension
8. After the extension finishes downloading and shows the state “Stopped”, click on the extension and then click
“Configuration”.
Figure 5: The “Configuration” Link on the Manage Extensions Page
9. Modify the configuration, leaving all quotes in place. The configuration is a JSON object; each setting is described
in the Extension Configuration Reference below.
Figure 6: The “Extension Configuration” Field
10. Check the box “Restart extension after updating configuration”.
11. Click “Save Changes”. The extension restarts and should now show the state “Running”.
Figure 7: The “Manage Extensions” Page Showing the Running State of the Extension
Extension Configuration Reference
Each entry gives the configuration value, its description, and the allowed values or the example value from the sample
configuration.

verifySSLCerts
Whether the extension validates the SSL certificate presented by the SEPM API. Setting this to false disables
certificate validation of the SEPM connection and should only be used for testing.
Values: true or false

syncUpdatedDelaySeconds
The delay in seconds between checks for computers that have been updated. This setting only applies when
syncUpdated is true.
Value: 300

syncUpdated
When this option is set to true, the extension checks for devices that have been updated in SEPM between update
checks. The time between checks is set in the syncUpdatedDelaySeconds field.
Values: true or false

syncAllOnStart
If this option is set to true, the extension attempts to sync all computers in the SEPM system to ClearPass when it
starts.
Values: true or false

syncAllDelayMinutes
The delay in minutes between sync-all events. This time must be greater than the syncUpdatedDelaySeconds field when
both syncUpdated and syncAll are enabled. This setting only applies when syncAll is true.
Value: 10080 (7 days)

syncAll
When this option is set to true, the extension syncs all computers from SEPM. The syncAllDelayMinutes field
controls how frequently this runs.
Values: true or false

symantecEpmUser
The user name of a user that has access to the SEPM API.

symantecEpmPort
The port used to access the SEPM API.
Value: 8446

symantecEpmPassword
The password of the user entered in the symantecEpmUser setting.

symantecEpmHost
The host name or IP address of the SEPM system.
Value: sepm14.mydomain.com

symantecEpmDomain
The SEPM domain that the account in the symantecEpmUser setting belongs to. This can also be blank ("").
Value: ""

logLevel
The logging level the extension should use.
Values: DEBUG, INFO, WARN, ERROR

cppmUser
The user name of an admin CPPM user. This is used for device profiling.

cppmPassword
The password for the cppmUser.

Both credential pairs are stored in the extension configuration, so use dedicated service accounts for
symantecEpmUser and cppmUser rather than a personal administrator login.
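A pre-flight check for step 9 of the installation procedure and for the configuration reference above, as an added example; this is not code shipped with the extension, and the exact value types the extension accepts are assumed from the reference (booleans as true/false, the delays and port as numbers). It encodes the constraints the reference states, including the rule that syncAllDelayMinutes must exceed syncUpdatedDelaySeconds when both sync modes are on, and flags verifySSLCerts set to false. The allowed logLevel values are the union of those in the reference and those listed under Additional Diagnostics and Support. The two sample configurations are constructed, with placeholder host and credentials.

```python
"""Pre-flight check of the SEPM extension configuration JSON.

Added example for this guide, not code shipped with the extension. It
encodes what the Extension Configuration Reference states: the listed keys,
boolean settings as true/false, the allowed logLevel values (union of the
reference and the diagnostics section), the rule that syncAllDelayMinutes
must exceed syncUpdatedDelaySeconds when both syncUpdated and syncAll are
true, and a warning when verifySSLCerts is false. Value types are assumed
from the reference; the sample configurations below are constructed.
"""
import json

REQUIRED_KEYS = {
    "verifySSLCerts", "syncUpdatedDelaySeconds", "syncUpdated", "syncAllOnStart",
    "syncAllDelayMinutes", "syncAll", "symantecEpmUser", "symantecEpmPort",
    "symantecEpmPassword", "symantecEpmHost", "symantecEpmDomain", "logLevel",
    "cppmUser", "cppmPassword",
}
BOOL_KEYS = ("verifySSLCerts", "syncUpdated", "syncAllOnStart", "syncAll")
INT_KEYS = ("syncUpdatedDelaySeconds", "syncAllDelayMinutes", "symantecEpmPort")
NON_EMPTY_KEYS = ("symantecEpmUser", "symantecEpmPassword", "symantecEpmHost",
                  "cppmUser", "cppmPassword")
LOG_LEVELS = {"TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL"}


def as_int(value):
    """Accept 300 or "300" (the reference shows plain numbers); else None."""
    if isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value
    return int(value) if isinstance(value, str) and value.isdigit() else None


def check_config(text):
    """Parse the JSON as pasted into the Extension Configuration field and
    return findings as 'ERROR: ...' / 'WARN: ...' strings (empty = clean)."""
    try:
        cfg = json.loads(text)
    except ValueError as exc:
        return ["ERROR: not valid JSON (%s); keep all quotes in place" % exc]
    if not isinstance(cfg, dict):
        return ["ERROR: top-level value must be a JSON object"]

    findings = ["ERROR: missing key %s" % k for k in sorted(REQUIRED_KEYS - set(cfg))]
    findings += ["WARN: unknown key %s (typo?)" % k for k in sorted(set(cfg) - REQUIRED_KEYS)]

    for key in BOOL_KEYS:
        if key in cfg and not isinstance(cfg[key], bool):
            findings.append("ERROR: %s must be true or false" % key)
    if cfg.get("verifySSLCerts") is False:
        findings.append("WARN: verifySSLCerts is false; the SEPM API certificate is not validated")

    level = cfg.get("logLevel")
    if level not in LOG_LEVELS:
        findings.append("ERROR: logLevel must be one of %s" % ", ".join(sorted(LOG_LEVELS)))
    elif level in ("TRACE", "DEBUG"):
        findings.append("WARN: logLevel %s should only stay on under TAC guidance" % level)

    for key in INT_KEYS:
        if key in cfg and (as_int(cfg[key]) is None or as_int(cfg[key]) <= 0):
            findings.append("ERROR: %s must be a positive integer" % key)

    if cfg.get("syncUpdated") is True and cfg.get("syncAll") is True:
        upd = as_int(cfg.get("syncUpdatedDelaySeconds"))
        full = as_int(cfg.get("syncAllDelayMinutes"))
        # Compared in seconds (assumption; the reference does not state the unit).
        if upd is not None and full is not None and full * 60 <= upd:
            findings.append("ERROR: syncAllDelayMinutes (%d min) must exceed "
                            "syncUpdatedDelaySeconds (%d s)" % (full, upd))

    for key in NON_EMPTY_KEYS:
        if key in cfg and not str(cfg[key]).strip():
            findings.append("ERROR: %s is empty" % key)
    return findings


# Constructed: weak settings (no TLS validation, DEBUG left on, full-sync
# interval shorter than the delta-sync interval).
WEAK_CONFIG = """{
  "verifySSLCerts": false, "syncUpdatedDelaySeconds": 300, "syncUpdated": true,
  "syncAllOnStart": true, "syncAllDelayMinutes": 2, "syncAll": true,
  "symantecEpmUser": "clearpass-api", "symantecEpmPort": 8446,
  "symantecEpmPassword": "change-me", "symantecEpmHost": "sepm14.mydomain.com",
  "symantecEpmDomain": "", "logLevel": "DEBUG",
  "cppmUser": "cppm-extension", "cppmPassword": "change-me"
}"""

# Constructed: the same configuration with the values from the reference.
GOOD_CONFIG = (WEAK_CONFIG
               .replace('"verifySSLCerts": false', '"verifySSLCerts": true')
               .replace('"syncAllDelayMinutes": 2', '"syncAllDelayMinutes": 10080')
               .replace('"logLevel": "DEBUG"', '"logLevel": "INFO"'))

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("good", GOOD_CONFIG)):
        print(name, check_config(cfg) or ["OK"])
```

Run it against the JSON you intend to paste before saving the configuration; a malformed document is reported as a single parse error, which is the usual result of removing one of the quotes step 9 warns about.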
Appendix
Sample endpoint attributes pulled by the extension from SEPM
{
"Computer Name": "win10-1",
"Logon User Name": "Administrator",
"Domain or Workgroup": "arubasecurity.net",
"Processor Type": "Intel64 Family 6 Model 15 Stepping 1",
"Processor Clock": 1998,
"Physical Cpus": 2,
"Logical Cpus": 0,
"Memory": 4294496256,
"BIOS Version": "INTEL - 6040000 PhoenixBIOS 4.0 Release 6.0",
"OS Function": "Workstation",
"OS Flavor Number": 48,
"OS Name": "Windows 10",
"Operating System": "Windows 10 Professional Edition",
"OS Version": "10.0",
"OS Major": 10,
"OS Minor": 0,
"OS Bitness": "x64",
"Unique ID": "4E0847B20A0264BA7471DC0C74489886",
"Hardware Key": "8B6D6CF717463DD33C627B4B79EE6E03",
"Uuid": "C9BB1942-7339-194E-83D2-2B0915805C7F",
"Total Disk Space": 81368,
"Group Update Provider": false,
"Deployment Status": " 302469120",
"Last Deployment Time": 1522705452000,
"Virtualization Platform": "VMware",
"Serial Number": "VMware-42 19 bb c9 39 73 4e 19-83 d2 2b 09 15 80 5c 7f",
"Install Type": "0",
"Agent Version": "14.0.3876.1100",
"Deleted": 0,
"Login Domain": "ARUBASECURITY.NET",
"Agent ID": "F0B3F30A0A0264BA7471DC0CB1271AA2",
"Agent Type": "105",
"Profile Version": "14.0.3876",
"Profile Serial No": "D807-01/23/2018 08:00:11 055",
"Creation Time": "2018-01-24 22:15:33",
"Online Status": 1,
"Last Update Time": "2018-01-24 22:18:13",
"Last Server ID": "DBE773570A0264BA0C13B3937C672CA4",
"Last Server Name": "SEPM14",
"Last Site ID": "97AF04220A0264BA1EEE4EDE2FF21A1F",
"Last Site Name": "My Site",
"Agent Time Stamp": "2018-07-24 22:20:13",
"Agent Usn": 30020,
"Ap on Off": 1,
"Infected": 0,
"Worst Infection Idx": "9999",
"Last Scan Time": 0,
"Last Virus Time": 0,
"Content Update": 1,
"Av Engine on Off": 1,
"Tamper on Off": 1,
"Major Version": 14,
"Minor Version": 0,
"Reboot Required": 0,
"License Status": -1,
"License Expiry": 0,
"Time Zone": 480,
"Firewall on Off": 1,
"Free Mem": 1787805696,
"Free Disk": 57314492416,
"Last Download Time": 1534359432612,
"Current Client ID": "34D467990A0264BA7471DC0C70E2C4A5",
"Is Grace": 0,
"Ptp on Off": 1,
"Last Heuristic Threat Time": 0,
"Bash Status": 1,
"Da on Off": 1,
"Cids Drv on Off": 1,
"Cids Silent Mode": 0,
"Cids Drv Mulf Code": 0,
"Cids Browser Ie on Off": 1,
"Cids Browser Ff on Off": 1,
"Elam on Off": 1,
"OS Elam Status": 0,
"Vsic Status": 3,
"Is Npvdi Client": 0,
"Last Connected IP Addr": "10.2.100.211",
"Pep on Off": 1,
"Edr Status": 0,
"Tpm Device": "0",
"Computer Time Stamp": "2018-01-24 22:17:54",
"Computer Usn": 30006,
"Hypervisor Vendor ID": "1",
"Bwf": 2,
"Fbwf": 0,
"Uwf": 0,
"Osflavor Number": 48,
"Osname": "Windows 10",
"Osfunction": "Unknown",
"Osmajor": 10,
"Osminor": 0,
"Osversion": "10.0",
"Osbitness": "x64",
"Source": "SymantecEPM"
}
Sample Endpoint Attributes (Screenshots)
(Screenshots of the SEPM-sourced attributes as shown in ClearPass Policy Manager; not reproduced in this text.)
Sample Enforcement Policy and Role Mapping Screenshots
(Screenshots of sample enforcement policy and role mapping rules; not reproduced in this text.)
Additional Diagnostics and Support
Checking on the Extensions Service
The ClearPass Extensions are supported by a system service named “Extensions service”, which is started automatically
by default. To check its state, navigate to Administration > Server Manager > Server Configuration > [select your
ClearPass node] > Service Control. The Extensions service can also be started and stopped from here.
Restarting this service affects all deployed and running extensions.
Figure 8: Checking the Extensions Service
Extension Logs and Debugging
The extension logs can be accessed by navigating to the Home » Administration » Extensions section of ClearPass
Guest. From there, click the “Show Logs” button to display the extension logs.
Figure 9: Showing the Extension Log
To enable DEBUG level logging in the extension, set the following line in the configuration of the extension:
"logLevel": "DEBUG",
After collecting the logs, return logLevel to INFO. DEBUG mode should only be enabled under guidance from
Aruba TAC.
Figure 10: Extension Debug Level Logging
Accessing the Extension Logs Using the ‘Collect Logs’ System Function
In addition to viewing the log messages as shown above, the extension's log messages are included in the output of the
Policy Manager Collect Logs system function, so they can be collected and examined offline.
If Aruba TAC needs to investigate a system issue, one of the items they regularly ask for is the system logs to aid
their diagnostic investigation. By default logLevel is set to INFO, but TRACE, DEBUG, INFO, WARN, ERROR or FATAL can
also be set. Each level shows messages at the selected severity and all more severe levels: if INFO is selected,
messages at INFO, WARN, ERROR and FATAL are shown.
Figure 11: The Collect Logs System Function
After the logs have been collected and expanded, the extension logs are located under
PolicyManagerLogs > extension, as shown below.
Figure 12: Locating the Extension Logs from the 'Collect Logs' Diagnostic GZ File
SEPM Troubleshooting Considerations
The SEPM extension relies on the endpoint data being reported correctly by SEPM. SEPM can return the value “127”
for some attributes rather than “0” or “1”; “127” means “Not reported”. Simply put, if the value of “Firewall on Off”
is “127”, SEPM does not know whether the firewall on the endpoint is enabled. This can happen for various reasons and
should be reported to Symantec Technical Support for resolution. Role mapping and enforcement rules should treat
“127” as unknown rather than as either state: a rule that only tests for “0” will silently pass such endpoints.
SEPM Database Lookup Reference
Below is a partial lookup table of the table structure from SEPM. It helps identify what the field values actually
are. The column name should loosely match an endpoint attribute name, e.g. "FIREWALL_ONOFF" = "Firewall on Off".
For a complete list of available attributes in the SEPM API, please contact Symantec Technical Support or your
Symantec Account Representative.

Column: AVENGINE_ONOFF
Type: tinyint, size 1, default ((127))
Comments: Antivirus Engine Status: 0 = Off, 1 = On, 2 = Not installed, 127 = Not reporting.

Column: CIDS_BROWSER_FF_ONOFF
Type: tinyint, size 1, default ((127))
Comments: See SEM_AGENT.CIDS_BROWSER_FF_ONOFF. Included again in this table because it represents a filter option.

Column: CIDS_BROWSER_IE_ONOFF
Type: tinyint, size 1, default ((127))
Comments: See SEM_AGENT.CIDS_BROWSER_IE_ONOFF. Included again in this table because it represents a filter option.

Column: CIDS_ONOFF
Type: tinyint, size 1, default ((127))
Comments: Network intrusion prevention status: 0 = Off, 1 = On, 2 = Not installed, 3 = Off by administrator policy,
127 = Unknown. Default is 127.

Column: DA_ONOFF
Type: tinyint, size 1, default ((127))
Comments: Download Advisor status (enabled state of DA): 0 = Off, 1 = On, 2 = Not installed, 3 = Off by admin
policy, 127 = Unknown.

Column: DELETED
Type: tinyint, size 1, default ((0))
Comments: Deleted row: 0 = Not deleted, 1 = Deleted.

Column: DEPLOY_STATUS
Type: tinyint, size 1, default ((0))
Comments: See SEM_AGENT.DEPLOY_STATUS. Included again in this table because it represents a filter option.