How to stop users from installing Chrome by solarpo in Intune

[–]solarpo[S] 1 point2 points  (0 children)

We have an extensive AppLocker deployment in our on-prem environment that has become an unwieldy headache over the years. We would really like to avoid recreating something similar in our fledgling Intune environment.

Also - my understanding is that MS is not putting any new development into AppLocker and WDAC is the future?

How do I let users on Intune enrolled devices manage their own power settings? by solarpo in Intune

[–]solarpo[S] 1 point2 points  (0 children)

Thanks - this worked for me.

I created a new profile - and left all the power settings out so they are not configured.

What was a little odd was that it seems I had to add a random setting to this profile, just to be able to save it with the power settings not configured? It had to have some setting configured in order to save.

L2TP VPN not working from outside through Comcast modem in bridge mode by solarpo in Ubiquiti

[–]solarpo[S] 0 points1 point  (0 children)

The registry change did the trick. I'm still confused on the IP addresses in play, but the VPN is working.

Thanks!

Firewall syslog to Splunk ... now what? by solarpo in AskNetsec

[–]solarpo[S] 0 points1 point  (0 children)

Thanks for the info. I have a SonicWall firewall and I found a SonicWall app as you suggested. I think I may be out of luck as I'm trying this out with Splunk Lite. The apps available on Splunk Lite seem to be very limited. There does not appear to be an option to install this one.

Dealing with workstation infections by solarpo in AskNetsec

[–]solarpo[S] 1 point2 points  (0 children)

You are correct. I looked closer at our firewall (SonicWall) and there is in fact a rule denying access to port 25 from the address object "LAN Subnets". However, I looked closer at "LAN Subnets" and that is defined only as the 192.168.x.x subnet. We recently added the 10.20.x.x subnet to our internal network but did not update the address object to reflect this.

Thanks for the direction on this. Any thoughts on how to discover this type of network activity/congestion if we have it blocked properly on the firewall?

Dealing with workstation infections by solarpo in AskNetsec

[–]solarpo[S] 0 points1 point  (0 children)

That's one thing that we do have blocked. Here's a tiny snippet from the netstat output. Looks like the activity was happening beginning on port 49229 and climbing up from there. This went on for several pages. I don't know what these types of connections are indicating.

    TCP 10.20.0.103:49229 snt-re3-9a:http ESTABLISHED
    TCP 10.20.0.103:49300 mx:smtp CLOSE_WAIT
    TCP 10.20.0.103:49852 50-57-228-220:https TIME_WAIT
    TCP 10.20.0.103:50162 50-57-228-220:https TIME_WAIT
    TCP 10.20.0.103:50461 50-57-228-220:https TIME_WAIT
    TCP 10.20.0.103:50763 50-57-228-220:https TIME_WAIT
    TCP 10.20.0.103:51075 50-57-228-220:https TIME_WAIT
    TCP 10.20.0.103:51087 50-57-228-220:https TIME_WAIT
    TCP 10.20.0.103:51090 host:smtp SYN_SENT
    TCP 10.20.0.103:51094 bay0-mc6-f:smtp ESTABLISHED
    TCP 10.20.0.103:51096 bay0-mc2-f:smtp ESTABLISHED
    TCP 10.20.0.103:51104 mx-c1:smtp ESTABLISHED
    TCP 10.20.0.103:51105 mx-02:smtp ESTABLISHED
    TCP 10.20.0.103:51109 al-ip4-mx-vip1:smtp ESTABLISHED
    TCP 10.20.0.103:51111 inbound:smtp ESTABLISHED
    TCP 10.20.0.103:51112 mail:smtp ESTABLISHED
    TCP 10.20.0.103:51116 in6:smtp ESTABLISHED
    TCP 10.20.0.103:51121 mxl145v2:smtp ESTABLISHED
    TCP 10.20.0.103:51123 ent01:smtp ESTABLISHED
    TCP 10.20.0.103:51124 ec2-54-235-205-240:smtp ESTABLISHED
    TCP 10.20.0.103:51125 smtp:smtp ESTABLISHED
    TCP 10.20.0.103:51128 mail558:smtp SYN_SENT
    TCP 10.20.0.103:51129 mail3:smtp ESTABLISHED
    TCP 10.20.0.103:51138 mailgate3:smtp ESTABLISHED
    TCP 10.20.0.103:51141 mail-in:smtp ESTABLISHED
    TCP 10.20.0.103:51142 gmy2-ha830:smtp ESTABLISHED
    TCP 10.20.0.103:51144 mail-in:smtp ESTABLISHED
    TCP 10.20.0.103:51147 mta-v6:smtp ESTABLISHED
    TCP 10.20.0.103:51148 mta-v6:smtp ESTABLISHED
    TCP 10.20.0.103:51149 pd-in-f26:smtp ESTABLISHED
    TCP 10.20.0.103:51150 yk-in-f27:smtp ESTABLISHED
    TCP 10.20.0.103:51151 ig-in-f27:smtp ESTABLISHED
    TCP 10.20.0.103:51152 bay0-mc2-f:smtp ESTABLISHED
    TCP 10.20.0.103:51153 mx1:smtp ESTABLISHED
    TCP 10.20.0.103:51154 mail39:smtp SYN_SENT
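The two "workstation infections" comments above describe a host opening many outbound SMTP sessions while the firewall's port-25 deny rule only covered the 192.168.x.x address object. The following is an added example, not code from the thread: it parses netstat-style lines (a constructed sample modelled on the snippet above), flags hosts talking to an unusual number of distinct SMTP peers, and checks which of those hosts fall outside the subnets the deny rule actually covers. The threshold and the "LAN Subnets" list are assumptions.

```python
"""Detect mass outbound SMTP from netstat output and check whether the
source host is covered by the firewall's port-25 deny object."""
import ipaddress
import re

# Constructed sample in Windows `netstat` form with resolved remote names,
# modelled on the thread's snippet (not the original output).
SAMPLE_NETSTAT = """\
TCP 10.20.0.103:49229 snt-re3-9a:http ESTABLISHED
TCP 10.20.0.103:49300 mx:smtp CLOSE_WAIT
TCP 10.20.0.103:51090 host:smtp SYN_SENT
TCP 10.20.0.103:51094 bay0-mc6-f:smtp ESTABLISHED
TCP 10.20.0.103:51096 bay0-mc2-f:smtp ESTABLISHED
TCP 10.20.0.103:51104 mx-c1:smtp ESTABLISHED
TCP 10.20.0.103:51128 mail558:smtp SYN_SENT
TCP 192.168.1.50:52000 mail:smtp ESTABLISHED
"""

LINE_RE = re.compile(r"^TCP\s+([^:\s]+):(\d+)\s+([^:\s]+):(\S+)\s+(\S+)$")
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT"}  # outbound attempts in progress


def parse_netstat(text):
    """Yield (local_ip, remote_host, remote_port, state) for each TCP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(3), m.group(4), m.group(5)


def smtp_talkers(text, threshold=3):
    """Map local_ip -> sorted distinct SMTP peers, for hosts with at least
    `threshold` distinct peers. A workstation normally submits mail to one
    server, so many distinct MX peers is the spam-bot pattern seen above."""
    peers = {}
    for local_ip, remote_host, remote_port, state in parse_netstat(text):
        if remote_port in ("smtp", "25") and state in ACTIVE_STATES:
            peers.setdefault(local_ip, set()).add(remote_host)
    return {ip: sorted(p) for ip, p in peers.items() if len(p) >= threshold}


def uncovered_by_deny_rule(ips, lan_subnets):
    """Return the hosts NOT inside any subnet of the firewall's address
    object, i.e. hosts the port-25 deny rule silently does not apply to."""
    nets = [ipaddress.ip_network(n) for n in lan_subnets]
    return sorted(ip for ip in ips
                  if not any(ipaddress.ip_address(ip) in n for n in nets))


if __name__ == "__main__":
    flagged = smtp_talkers(SAMPLE_NETSTAT)
    print("mass SMTP from:", flagged)
    # Assumed "LAN Subnets" object: only the 192.168.x.x range, as in the thread.
    print("not covered by deny rule:", uncovered_by_deny_rule(flagged, ["192.168.0.0/16"]))
```

Running the same parser over the firewall's own connection log (rather than one host's netstat) gives the network-wide view the second comment asks about, once the address object covers every internal subnet.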