cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Filtering on FlexNet Beacon to exclude login attempts to specific vcenters

Hi,

I'm relatively new to FNMS and hoping to better understand how the filtering option works on the beacon Password Manager.  We have an issue where we are seeing frequent remote login attempts to a number of vcenters in our production environment.  These login attempts are failing resulting in alarms getting raised and concern from the security team, and it is my team's job to diagnose and resolve the issue.  We have a scheduled rule set up to query vcenter inventory by calling the SDK webservice, and initially I thought the issue lay here.  However upon checking the VMWareInventory log I was able to see that these logins are actually successful, and much less frequent then the failed ones.   The rule is configured to execute once daily, whereas the failed logins are occurring every 30mins.   Upon further investigation I discovered that the source of the failed login attempts is coming from having the IBM PVU scanning option enabled, under Inventory Settings.   This makes sense as it's configured to run every 30mins and the checkbox to 'Perform remote scans against all known VMware vCenter and Oracle VM Manager servers' is enabled.

Now if I start the FlexNet beacon GUI from the beacon that is initiating both the successful vcenter inventory logins, and the failed IBM PVU attempts, I can see there are 3 sets of credentials configured under Password Manager.  The first credential record is used for querying the vcenter inventory (successful), and there are 2 other records that follow.  So what I believe is happening, is that when the IBM PVU task runs it attempts to use all 3 configured credentials to login to all previously discovered devices which are labelled 'VMWare vCenter'.  The first credentials will work, but the remaining 2 will fail because they were setup to for something else (unsure of what at this stage).  

 My question is, regarding the filtering option available when editing a configured set of credentials, is there a way to say 'do not include' an IP address or address range?  Essentially we want to ignore the affected vcenters from the IBM PVU scan.  If not possible here, is there another method for ignoring particular targets for this scan?  I can see ways to create target inclusions, but no way to create exclusions.

Any help appreciated.

 

 

(1) Reply
ChrisG
By Community Manager Community Manager
Community Manager

You've done a pretty good job at describing how things work. One small elaboration: the credentials that are configured are tried one after the other in an undefined order until one of them succeeds - once a connection attempt succeeds, further credentials are not tried.

The only filtering I know of is an "include" filter. I can't think of any way to configure a filter to exclude usage of a particular credential against particular targets. So your best bet here will likely to be to work out what the 2 "unknown" credentials are for, and configure "include "filters on them so they are only used on the relevant servers.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)