Hitachi

JP1 Version 12 JP1/IT Desktop Management 2 Overview and System Design Guide


2.8.11 Timing of network control list updates

The following table describes the events that result in the network control list being updated.

No. 1

Timing of update: Device connection detected by network monitor

Example: The network monitor feature detects a connection from a device while monitoring the network.

Remarks: If a device connects to and then immediately disconnects from the network, a situation might arise in which the manager detects the connection but cannot acquire the IP address or MAC address of the device, preventing its addition to the network control list.

No. 2

Timing of update: Device connection detected by device search

Example: A network-connected device is discovered by a device search.

Remarks: --

No. 3

Timing of update: Adding or deleting a managed device

Example:

  • A device is deleted in the Device Inventory - Device List view of the Inventory module.

  • An administrator adds a management target in the Discovery - Discovered Nodes view of the Settings module.

  • An administrator adds an exclusion target in the Discovery - Discovered Nodes view of the Settings module.

  • An administrator deletes a device from the Discovery - Managed Nodes view of the Settings module.

  • A device is set to Ignored in the Discovery - Managed Nodes view of the Settings module.

  • An administrator deletes a device from the Discovery - Discovered Nodes view of the Settings module.

  • A device is set to Managed in the Discovery - Ignored Nodes view of the Settings module.

  • An administrator deletes an exclusion target from the Discovery - Ignored Nodes view of the Settings module.

  • An administrator deletes a device from List of Devices Suggested for Deletion in the Device Maintenance Settings and Detection Results view that opens from Inventory of the Settings module.

Remarks:

  • If device information can be collected from the managed device, and the device incorporates more than one component with network connectivity (such as NICs), each of those components is added to the network control list.

  • Ordinarily, a device is added to the network control list when discovered by the network monitor or a device search. Devices are not added to the network control list in response to the addition or deletion of a managed device, unless the device is deleted manually.

  • In environments that use a whitelist approach to network access control, a computer that becomes a management target by installation of the agent program is not initially able to access the network. To automatically grant such computers network access, assign a security policy that permits network access in the Add Security Policy dialog box, or in the Action Items - Network Connection Control view of the Edit Security Policy dialog box.

No. 4

Timing of update: Network connection hardware (such as a NIC) is changed

Example:

  • An administrator adds or removes a network connection device (such as a NIC) to or from a managed device.

  • The IP address assigned to a managed network connection device (such as a NIC) changes (including IP address changes in a DHCP environment).

Remarks: When changes are made to the configuration or settings of a network connection device (such as a NIC) in an environment where device information can be collected from managed devices, the changes are reflected in the network control list.

No. 5

Timing of update: Network access is manually permitted or denied

Example:

  • You select Allow Network Access or Deny Network Access in the Device Inventory - Device List view of the Inventory module.

  • You select Allow Network Access or Deny Network Access in the Computer Security Status - Device List view of the Security module.

Remarks: The changes you make in these windows apply to the setting (allow/deny network access) for the device in the Connection to Network part of the network control list.

No. 6

Timing of update: Automatic network access control resulting from security assessment

Example: Network access control is applied to a device when, in the Edit Security Policy view for the security policy selected in the Security Policies - Security Policy List of the Security module, a Network Connection Control setting is enabled and a Violation Level (for controlling computer network connection) is assigned.

Remarks: Depending on the security policy setting, the device is automatically permitted or denied network access. The automatic setting applies to the setting (allow/deny network access) for the device in the Connection to Network part of the network control list.

No. 7

Timing of update: New hardware registration, modification, or disposal

Example:

  • A new hardware asset is added with an IP address or MAC address specified.

  • The IP address or MAC address of a hardware asset is changed.

  • An administrator changes the Asset Status of a hardware asset to Disposed.

Remarks:

  • Applies to hardware assets that are not associated with a device. A hardware asset that is associated with a device takes its settings from the device.

  • The result is the same as if the information were added, changed, or deleted manually.

No. 8

Timing of update: Manual addition, modification, or deletion of network control list entries

Example: An administrator adds, changes, or deletes data manually in the Network Access Control - Network Filter Settings view of the Settings module.

Remarks: Data in the network control list that is associated with a device or hardware asset takes its value from the last change that was made to the device, hardware asset, or network control list, whether by an automatic or manual operation. Keep in mind that the value might be changed by an automatic process.

No. 9

Timing of update: Notification of device information from a management relay server under the local server

Example: In a multi-server configuration, the network control list is automatically updated based on the device information added, modified, or deleted by a management relay server under the local server.

Remarks: Multi-server configuration is required, and the Network Access Control - Network Filter Settings view of the Settings module must be configured so that devices managed by a management relay server under the local server are automatically updated.

No. 10

Timing of update: CSV-file import of information on whether network connection is allowed or denied

Example: A CSV file is imported from the Action menu of the Network Access Control - Network Filter Settings view of the Settings module.

Remarks: --

No. 11

Timing of update: Execution of the network control command (jdnrnetctrl command)

Example: The network control command (jdnrnetctrl command) is executed.

Remarks: --

Legend: --: Not applicable.

Important

If the management server is under a heavy load, it might take some time for changes to the network control list to take effect.
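
The remark for No. 8 states that the last change wins, whether it was manual or automatic. The following added example (not part of the Hitachi manual, and not JP1 code) models that rule and flags entries where an administrator's manual allow/deny decision was later replaced by a different automatic one (No. 6). The `Change` record layout, the function names, and the MAC addresses are assumptions constructed for illustration; they are not a JP1 log or export format.

```python
# Added illustration: the event record layout is an assumption, not a JP1 format.
from dataclasses import dataclass

MANUAL = {5, 8}     # rows 5 and 8: an administrator sets allow/deny by hand
AUTOMATIC = {6}     # row 6: security assessment sets allow/deny automatically

@dataclass(frozen=True)
class Change:
    seq: int        # order in which the change was applied
    mac: str        # network control list entry (constructed address)
    source: int     # row number in the table above
    setting: str    # "allow" or "deny"

def effective_settings(changes):
    """Apply the last-change-wins rule, ignoring who made the change."""
    state = {}
    for c in sorted(changes, key=lambda c: c.seq):
        state[c.mac] = c.setting
    return state

def overridden_manual_decisions(changes):
    """Return {mac: (manual_setting, automatic_setting)} for entries whose
    latest manual decision was later replaced by a different automatic one."""
    last_manual, findings = {}, {}
    for c in sorted(changes, key=lambda c: c.seq):
        if c.source in MANUAL:
            last_manual[c.mac] = c.setting
            findings.pop(c.mac, None)      # a newer manual decision is in force
        elif c.source in AUTOMATIC:
            manual = last_manual.get(c.mac)
            if manual is not None and manual != c.setting:
                findings[c.mac] = (manual, c.setting)
            else:
                findings.pop(c.mac, None)  # automatic result agrees, or no manual decision
    return findings

# Constructed sample sequence of changes.
SAMPLE = [
    Change(1, "02:00:00:00:00:01", 5, "deny"),
    Change(2, "02:00:00:00:00:01", 6, "allow"),  # automatic allow replaces manual deny
    Change(3, "02:00:00:00:00:02", 6, "deny"),
    Change(4, "02:00:00:00:00:02", 8, "allow"),  # manual edit is the last change
    Change(5, "02:00:00:00:00:03", 5, "allow"),
    Change(6, "02:00:00:00:00:03", 6, "allow"),  # automatic result matches manual
]

if __name__ == "__main__":
    print(effective_settings(SAMPLE))
    print(overridden_manual_decisions(SAMPLE))
```

An entry reported by `overridden_manual_decisions` is one where the setting currently in force is not the one an administrator last chose, which is the situation the No. 8 remark asks you to keep in mind.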