6 Replies Latest reply on Jul 13, 2015 11:31 AM by pptsgd

    Uncovered Subnets in ePO 5.1

    pptsgd

      We appear to have four uncovered subnets (10.250.150.0, 10.250.151.0, 10.250.160.0, 10.250.161.0), but at the same time I can see that there are managed systems in each of these subnets and also for each of these managed systems under rogue detection the status is active. Finally the policy itself states that the ePO server determines the active sensors and that it should listen only on interfaces with IP addresses in these networks (all 4 subnets listed).

       

      How can I find out why these subnets are uncovered?

        • 1. Re: Uncovered Subnets in ePO 5.1
          fitchsoccer342

          Most likely because you do not have an RSD sensor deployed in those subnets. There are many different ways of covering subnets with RSD sensors, but the idea is to have a sensor installed in each subnet, preferably on a server or something always online to listen and detect.

          • 2. Re: Uncovered Subnets in ePO 5.1
            pptsgd

            One of the first things we checked and when we look at the managed systems in these subnets there is at least one server that has the RSD sensor deployed, which is why I wrote "also for each of these managed systems under rogue detection the status is active"

             

            so if I browse Managed Systems for Subnet X and click on a server - on the Rogue System Detection tab it will say:

            Last Communication Time: 7/9/15 1:56:26 PM
            Sensor Version: 5.0.1.60
            Status: Active

             

            The question is why ePO insists the subnet is uncovered when the server above with the sensor has a single NIC in that very same subnet.

            • 3. Re: Uncovered Subnets in ePO 5.1
              Richard Carpenter
              Hi. 


              Is your RSD sensor in Subnet X in broadcast mode or DHCP mode?


              Regards 

              Rich 

              McAfee Volunteer Moderator 

              Certified McAfee Product Specialist  - ePO

              • 4. Re: Uncovered Subnets in ePO 5.1
                pptsgd

                How can I check that?

                 

                All I can see is that:

                 

                Sensor Name: Rogue System Sensor (MAM) - 10.250.150.26

                Sensor Type: Detection

                Sensor Version: 5.0.1.60

                Status: Passive

                 

                Sensor Name: Rogue System Sensor (MAM) - 10.120.10.25

                Sensor Type: Detection

                Sensor Version: 5.0.1.60

                Status: Active

                 

                Sensor Name: Rogue System Sensor (MAM) - 10.120.6.20

                Sensor Type: Detection

                Sensor Version: 5.0.1.60

                Status: Active

                • 5. Re: Uncovered Subnets in ePO 5.1
                  Richard Carpenter

                  All 3 of your sensors are in detection mode and will only be able to detect devices on the same /24 subnet. Do you only have three subnets in your network since you only have three RSDs?

                  • 6. Re: Uncovered Subnets in ePO 5.1
                    pptsgd

                    these 3 RSDs were for the subnets that are listed as uncovered - we have more sensors on other subnets, but it is the uncovered ones that we are interested in

                     

                    take 10.250.150.0 subnet as an uncovered example - there appears to be a sensor on that subnet yet it shows as uncovered: Sensor Name: Rogue System Sensor (MAM) - 10.250.150.26

                    Sensor Type: Detection

                    Sensor Version: 5.0.1.60

                    Status: Passive

                     

                    The rest, it seems, are those that have multiple NICs - ePO and management in general is over our second NIC and McAfee agents don't like that, but I can't edit bindings in our environment...
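
An added example, not part of any post in this thread and not McAfee tooling: it cross-checks the sensor records pasted in reply 4 against the four uncovered subnets from the original question. The /24 mask follows reply 5; treating a subnet as covered only when an Active sensor reports an address inside it is an assumption, not documented ePO logic, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed input: values copied from the thread (question and reply 4).
UNCOVERED = ["10.250.150.0", "10.250.151.0", "10.250.160.0", "10.250.161.0"]
SENSOR_TEXT = """\
Sensor Name: Rogue System Sensor (MAM) - 10.250.150.26
Sensor Type: Detection
Sensor Version: 5.0.1.60
Status: Passive

Sensor Name: Rogue System Sensor (MAM) - 10.120.10.25
Sensor Type: Detection
Sensor Version: 5.0.1.60
Status: Active

Sensor Name: Rogue System Sensor (MAM) - 10.120.6.20
Sensor Type: Detection
Sensor Version: 5.0.1.60
Status: Active
"""

def parse_sensors(text):
    """Turn 'Key: value' blocks separated by blank lines into sensor records."""
    sensors = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        fields = {k.strip(): v.strip() for k, v in pairs}
        # The reported address is the last token of the sensor name.
        ip = fields["Sensor Name"].rsplit(" - ", 1)[-1]
        sensors.append({"ip": ipaddress.ip_address(ip), "status": fields["Status"]})
    return sensors

def coverage(subnets, sensors, prefix=24):
    """Per subnet: sensors whose reported IP falls inside it, and whether any is Active."""
    report = {}
    for base in subnets:
        net = ipaddress.ip_network(f"{base}/{prefix}")
        inside = [s for s in sensors if s["ip"] in net]
        report[base] = {"sensors": [(str(s["ip"]), s["status"]) for s in inside],
                        "active": any(s["status"] == "Active" for s in inside)}
    return report

def sensors_outside(subnets, sensors, prefix=24):
    """Sensors reporting an address in none of the subnets (e.g. a second NIC)."""
    nets = [ipaddress.ip_network(f"{b}/{prefix}") for b in subnets]
    return [str(s["ip"]) for s in sensors if not any(s["ip"] in n for n in nets)]

if __name__ == "__main__":
    parsed = parse_sensors(SENSOR_TEXT)
    for subnet, info in coverage(UNCOVERED, parsed).items():
        print(subnet, info)
    print("outside listed subnets:", sensors_outside(UNCOVERED, parsed))
```

On the thread's data, only 10.250.150.0 contains a sensor address, and that sensor is Passive; the two Active sensors report 10.120.x addresses, which fits the multiple-NIC remark in reply 6.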