Symantec Privileged Access Management

  • 1.  SFA - Blacklist IP addresses

    Posted Nov 17, 2019 09:14 PM
    Hi,

    I would like to restrict RDP access from server to any IP addresses. I am not able to configure "0.0.0.0/0" or "*" as a blacklisted IP address in CA PAM. Can you please help with how to do it?

    Thanks,


  • 2.  RE: SFA - Blacklist IP addresses

    Broadcom Employee
    Posted Nov 18, 2019 12:33 AM

    Hello Vijay,

    The best way to contain this would be to deploy the CA PAM Socket Filter Agent, and this would allow you to restrict users from doing an RDP to a remote host after connecting to the target RD server using CA PAM.

    Do look at the following to look at the supported OS for the Socket Filter Agent.
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-2-6/release-information/supported-environments.html

    Thanks,
    Reatesh.



    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 3.  RE: SFA - Blacklist IP addresses

    Posted Nov 18, 2019 01:04 AM
    Hello Reatesh,

    Yes, I have installed SFA on our Windows server and configured the necessary settings as per the CA KB article. I have blacklisted the 10.0.0.0/8 network under socket filter settings in CA PAM and it is working as expected. When I try to access RDP, it is closing automatically, so no issues on that. But my question is how to block all IPs instead of 10.0.0.0/8? I have tried to put 0.0.0.0/0 under blacklisted IP subnet but it is not working.

    And also, when the RDP session is getting blocked, I am not getting any violation message; it is simply closing the RDP window.



  • 4.  RE: SFA - Blacklist IP addresses
    Best Answer

    Broadcom Employee
    Posted Nov 18, 2019 01:12 AM

    Just an idea:

    Use a whitelist filter with the own host IP, then it would allow RDP access only to the own host.




  • 5.  RE: SFA - Blacklist IP addresses

    Posted Nov 25, 2019 12:13 AM
    Thanks for your suggestion. I have configured whitelist.

    Now the problem is I am not getting a warning message in the CA PAM client while the violation is happening. I have followed the KB as suggested by CA.
    CA PAM is simply closing the RDP session without any warning message to the client. I have tried from IE as well but still the same issue. TAC confirmed that they have tested in their lab with the same version (3.3) and it is working fine. The only difference on the CA PAM client side is that we have disabled the update check.


  • 6.  RE: SFA - Blacklist IP addresses

    Broadcom Employee
    Posted Nov 25, 2019 02:47 AM

    Did you configure the violation message?

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3/implementing/configure-policies-to-provision-user-access-to-devices-and-applications/configure-devices/socket-filter-agent-support.html#concept.dita_b3f854156c71c418a1c18ce13577dc350828717d_ConfigureaSocketFilterPolicy




  • 7.  RE: SFA - Blacklist IP addresses

    Posted Nov 25, 2019 03:04 AM
    Hi Tomo,

    Yes, I have configured the violation message.

    Thanks,
    Vijay