I installed the CSA 5.1 both desktop and server test mode agent kits. Now how can i convert it to real protect mode.Also let me understand the learn mode concept.
Deploying the test mode agent kits puts hosts in the default test mode group.
To put them in protect mode, move them out of the test mode group (once you have the policies tuned).
You could use group or rule module learn mode when you put them in protect mode.
Learn mode allows the system to learn normal behavior for the specific host and store that information locally.
The persistent queries must have "allow" and "don't ask me again" enabled in order to work properly.
When the system is moved out of learn mode, it remembers the learned behavior and doesn't query the user when it sees it again.
There i found both test and learn mode. If i select the learn mode from test mode do you say the learn mode would change to protect mode after learning the normal behavior.
The agent goes into learn mode for 72 hours after the initial install but you are probably past that now.
You will have to remove them from learn mode after you are satisfied that they have gotten enough information.
You can do this with a host managing task or do it manually.
Also can u tell me that when i access the ASA 5520 THRO ASDM,
unable to launch ASDM from 192.168.1.1.unexpected end of file from server" error.
What could be the reason. It was once working fine.Sometimes i used RDP to access the ASA via ASDM.
hi tom i am new to csa.
i have learnd abt the test mode is that. after selecting the test mode in a group . all the actions will be allowed by the csa agent even though the actions are denied in the policies applied to the group.
main doubt is in learn mode is that .
in learn mode is it the same???. i mean as per the documentation they have only mentioned that the rules in which the action is set to query the user in learn mode it will not query the user rather allow the action for the query responses.
what abt the rules in which the action is set to deny or terminate. will these actions be taken in learn mode or since learn mode is applied on the group all the actions to the rules will be set to query the user .
this is not mentioned any where.
can u pls help me out.
Learn mode will automatically allow an action if allow is one of the choices in a query rule.
If "Don't ask again" is checked, it will remember the automatic allow response.
Once out of learn mode it will remember the allow action and always allow it until the learned responses are reset from the MC.
Test mode allows ALL actions regardless of the rule and doesn't remember anything.
If test AND learn mode are enabled, no learning occurs.
hi tom thanks for ur reply. but i have to tell u that i have tested the learn mode.
what i saw in learn mode is that if the rule which is triggered in the policy. if the action to the rule is set to deny the action then the action is taken and no query is asked ot the user.
the user is prompted for query only if the action in the rule is set to query.
unlike in test mode where no matter the action to the rule is to deny the action. the action will still be permitted and only a log is sent to the csamc.
so for successful working of the learn mode we have to set the actions of the rules in the policy to query the user and learn the actions of the user to the queries and then move the group from learn mode to live mode.
hope i am getting it right.
pls correct me if i am wrong.
This is how I understand the query behavior of a rule Learn Mode:
The user won't see the query if allow is one of the choices.
It answers with allow even if the query is default deny.
The user will see a query if allow is not one of the choices.
It may not be the best method for all rules since any default denies are remembered as allows.
You can always reset the learned responses from the MC if it's not working the way you'd like it to.
I would use test mode for a while then use learn mode selectively if needed.
hi tom i am getting what u are saying.
but i tried setting the document security and file access control rule modules by setting their actions to query first.
then in the variable for query settings. when i set the default action to allow. then the user is not prompted for action the actions is allowed.
when i set the default action to deny then the user is prompted for action .
but if i set the action in the rules to deny. then the user is not promted for query response.the action set on the rule is taken and it is denied.
this is what i have learned mate.
can u pls correct me if i am wrong.
Sushil, I want to thank you for asking this question!
Make sure you are clearing the learned behavior, cached reponses and logging on the agent from both the MC and the Agent UI.
This is the only way to get accurate behavior.
hi tom thanks for ur reply.
yeah i tried clearing the cache on the agent by resetting the agent. and i have also enabled logs on all the rules on the csamc.
did u try out what i did.
let me know.
Yes, I tried what you did and it worked as advertised.
If you think it's not working properly perhaps you should open a TAC case.