Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Ingress Events and Field Mapping

  • 1.  Ingress Events and Field Mapping

    Posted Mar 01, 2019 07:08 AM

    Hi,

    I've created a new Ingress Events Dictionary, in which I parse logs.

    In Monitoring » Live Monitoring » Access Tracker I see assigned values

    event1.PNG

    Unfortunately, when enforcing policies, it does not honor the mapped values.

    event2.PNG

    When I use pre-defined events that are mapped, everything works.

    Is it possible to edit predefined events, or where can I create this type of event?



  • 2.  RE: Ingress Events and Field Mapping

    Posted Mar 01, 2019 09:52 AM
    My guess is it's because blocked vs Blocked.


  • 3.  RE: Ingress Events and Field Mapping

    Posted Mar 01, 2019 02:19 PM

    Also check the XML: in the Access Tracker you have attributes as "Event:Action" and in the Enforcement Profile you're checking "Event:Fortigate:action".

    In the Ingress Event Dictionary you need to add the "Pattern-Name" with the value "Fortigate" and confirm that it's also in the attributes that you show in the Access Tracker.



  • 4.  RE: Ingress Events and Field Mapping

    Posted Mar 04, 2019 08:02 AM

    I added the "Pattern-Name" attribute as "fortigate".
    Unfortunately, nothing has changed.

    cppm4.PNG

    cppm5.PNG



  • 5.  RE: Ingress Events and Field Mapping

    Posted Mar 04, 2019 08:07 AM

    Can you share the XML?



  • 6.  RE: Ingress Events and Field Mapping

    Posted Mar 04, 2019 08:11 AM

    Here you are



  • 7.  RE: Ingress Events and Field Mapping
    Best Answer

    Posted Mar 04, 2019 08:16 AM

    I think you missed a small piece of code in your XML. You can download an example of another IEE dictionary from ClearPass and look for the Ruby code. You need to add it to your file and modify the line:

    newFieldName = 'Event:Fortigate:'+ k
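
The three causes raised in this thread (value case in reply 2, attribute namespace in reply 3, and the prefixing line in the best answer) can be reproduced in a stand-alone Ruby model. This is an added example, not part of the original posts and not ClearPass dictionary code; the sample log line, the helper names and the exact-match rule behaviour are assumptions made for illustration.

```ruby
# Constructed FortiGate-style key=value payload (sample data, not from the thread).
SAMPLE_LOG = 'date=2019-03-04 time=08:02:11 devname="FG-LAB" ' \
             'srcip=10.0.0.25 action="blocked" msg="URL category denied"'

# Split key=value pairs, honoring double-quoted values that contain spaces.
def parse_kv(line)
  line.scan(/(\w+)=(?:"([^"]*)"|(\S+))/).each_with_object({}) do |(k, quoted, bare), out|
    out[k] = quoted || bare
  end
end

# Models the renaming step quoted in the best answer: each parsed key k becomes
# 'Event:<pattern>:' + k. Without a pattern name the keys stay generic
# (assumption made for this model).
def namespace(fields, pattern_name = nil)
  prefix = pattern_name ? "Event:#{pattern_name}:" : 'Event:'
  fields.each_with_object({}) { |(k, v), out| out[prefix + k] = v }
end

# Hypothetical stand-in for a policy rule: exact, case-sensitive comparison of
# attribute name and value. Returns a reason code instead of failing silently.
def diagnose(attrs, name, value)
  return :attribute_missing unless attrs.key?(name)
  return :match if attrs[name] == value
  attrs[name].casecmp?(value) ? :value_case_mismatch : :value_differs
end

if __FILE__ == $PROGRAM_NAME
  fields = parse_kv(SAMPLE_LOG)
  generic = namespace(fields)               # keys like "Event:action"
  named   = namespace(fields, 'Fortigate')  # keys like "Event:Fortigate:action"

  [[generic, 'blocked'], [named, 'Blocked'], [named, 'blocked']].each do |attrs, want|
    result = diagnose(attrs, 'Event:Fortigate:action', want)
    puts "rule Event:Fortigate:action == #{want.inspect} -> #{result}"
  end
end
```

When a rule does not fire, compare the attribute name and value shown in Access Tracker character for character with the rule condition before changing the dictionary.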