cancel
Showing results for 
Search instead for 
Did you mean: 
pptsgd
Level 7
Report Inappropriate Content
Message 1 of 7

Uncovered Subnets in ePO 5.1

We appear to have four uncovered subnets (10.250.150.0, 10.250.151.0, 10.250.160.0, 10.250.161.0), but in the same time I can see that there are managed systems in each of these subnets and also for each of these managed systems under rogue detection the status is active. Finally the policy itself states that ePO server determines the active sensors and that it should listen only on interfaces with IP addresses in these networks (all 4 subnets listed).

How can I find out why these subnets are uncovered?

6 Replies

Re: Uncovered Subnets in ePO 5.1

Most likely because you do not have a RSD sensor deployed in those subnets. There are many different ways of covering subnets with RSD sensors, but the idea is to have a sensor installed in each subnet preferrably on a server or someting always online to listen and detect.

pptsgd
Level 7
Report Inappropriate Content
Message 3 of 7

Re: Uncovered Subnets in ePO 5.1

One of the first things we checked and when we look at the managed systems in these subnets there is at least one server that has the RSD sensor deployed, which is why I wrote "also for each of these managed systems under rogue detection the status is active"

so if I browse Managed Systems for Subnet X and click on a server - on the Rogue System Detection tab it will say:

Last Communication Time7/9/15 1:56:26 PM
Sensor Version5.0.1.60
StatusActive

the question is why ePO insists the subnet is uncovered when the server above with the sensor has a single nic in that same very subnet.

Re: Uncovered Subnets in ePO 5.1

Hi. 


Is your RSD sensor in Subnet X in broadcast mode or DHCP mode?


Regards 

Rich 

McAfee Volunteer Moderator 

Certified McAfee Product Specialist  - ePO

pptsgd
Level 7
Report Inappropriate Content
Message 5 of 7

Re: Uncovered Subnets in ePO 5.1

How can I check that?

All I can see is that:

Sensor Name: Rogue System Sensor (MAM) - 10.250.150.26

Sensor Type: Detection

Sensor Version: 5.0.1.60

Status: Passive

Sensor Name: Rogue System Sensor (MAM) - 10.120.10.25

Sensor Type: Detection

Sensor Version: 5.0.1.60

Status: Active

Sensor Name: Rogue System Sensor (MAM) - 10.120.6.20

Sensor Type: Detection

Sensor Version: 5.0.1.60

Status: Active

Re: Uncovered Subnets in ePO 5.1

All 3 of your sensors are in detection mode and will only be able to detect devices on the same /24 subnet. Do you only have three subnets in your network since you only have three RSD's?

pptsgd
Level 7
Report Inappropriate Content
Message 7 of 7

Re: Uncovered Subnets in ePO 5.1

these 3 RSDs were for the subnets that are listed as uncovered - we have more sensors on other subnets, but it is the uncovered ones that we are interested in

take 10.250.150.0 subnet as an uncovered example - there appears to be a sensor on that subnet yet it shows as uncovered: Sensor Name: Rogue System Sensor (MAM) - 10.250.150.26

Sensor Type: Detection

Sensor Version: 5.0.1.60

Status: Passive

the rest it seems are those that have multiple nics - ePO and management in general is over our second nic and mcafee agents don't like that, but I can't edit bindings in our environment...