Summary of Configuration
To prepare your network for alert-based admission control using Ivanti Policy Secure, Splunk Enterprise and a firewall, perform the following tasks:
- Configure Ivanti Policy Secure with Splunk Enterprise
- Configure Splunk Enterprise
The following sections describe each of these steps in detail.
Configuring Ivanti Policy Secure with Splunk Enterprise
The Ivanti Policy Secure configuration requires defining Splunk Enterprise as a client in Ivanti Policy Secure. Ivanti Policy Secure acts as a REST API server for Splunk Enterprise.
A high-level overview of the configuration steps needed to set up and run the integration:
- The administrator configures the basic Ivanti Policy Secure settings: an authentication server, an authentication realm, user roles, and role mapping rules.
- Configure Splunk as a client in Ivanti Policy Secure. Ivanti Policy Secure acts as a REST API server for Splunk. REST API access for the admin user must be enabled, either from the serial console or from the Ivanti Policy Secure admin UI (Authentication > Auth Server > Administrators > Users > click “admin” and enable Allow access to REST APIs). Note that this grants the API caller the full privileges of that administrator account, so protect its credentials accordingly.
- Configure Ivanti Policy Secure to block or quarantine the endpoint based on the threat prevention policy.
- Configure the switches/WLC as RADIUS clients in Ivanti Policy Secure (Endpoint Policy > Network Access > Radius Clients > New Radius Client). The switch/WLC must in turn be configured with Ivanti Policy Secure as its RADIUS server.
- Configure RADIUS return attribute policies to define the action taken upon receiving the event.
Ensure that Ivanti Policy Secure knows the endpoint's IP address: the received event is matched to the endpoint's session by IP, so enforcement does not work without it.
Admission Control Template
The admission control template provides the list of possible events that can be received from the network security device, along with the regular expressions used to parse the messages. The template also provides the possible actions that can be taken for each event. Ivanti Policy Secure ships with default templates for Splunk Enterprise.
To view the admission control templates in Ivanti Policy Secure:
- Select Endpoint Policy > Admission Control > Templates.
Admission Control Client
The admission control clients are the network security devices that forward events to Ivanti Policy Secure. For syslog-forwarding clients the messages are received by the syslog server module running on Ivanti Policy Secure; the Splunk Enterprise client uses the Splunk-SIEM-HTTP-JSON template, which delivers events as JSON over HTTP to the Ivanti Policy Secure REST API.
To add Splunk Enterprise as a client:
- Select Endpoint Policy > Admission Control > Clients.
- Click New Client.
- Enter the name.
- Enter the description.
- Enter the IP address of the client (the address Splunk Enterprise sends events from).
- Under Template, select Splunk-SIEM-HTTP-JSON.
- Click Save Changes.
Admission Control Policies
The admission control policies define the list of actions to be performed on Ivanti Policy Secure for the user sessions. The actions are based on the event type and severity received from the network security device.
To view existing policies and add a new integration policy:
- Select Endpoint Policy > Admission Control > Policies.
- Click New Policy.
- Enter the policy name.
- Select Splunk-SIEM-HTTP-JSON as the template.
- Under Rule on Receiving, select the event type (block-endpoint, quarantine-endpoint, alert, any) and the severity level. The available event types and severity levels are defined by the selected template:
  - Block Endpoint: blocks the host MAC address on Ivanti Policy Secure permanently. If the administrator chooses to clear the block, it can be cleared either from the Splunk application or from the Ivanti Policy Secure admin UI.
  - Quarantine Endpoint (change user roles): changes the roles assigned to the user on Ivanti Policy Secure so that the user's restrictions and privileges change.
  - Alert: matched on the severity level of the alert. Specify the severity (High, Information, Low, Medium, Any).
- Under Then perform this action, select the desired action:
  - Block the endpoint from authenticating to the network.
  - Put the endpoint into a quarantine network by assigning this role: choose the role that places the endpoint in quarantine, and specify whether the role assignment is permanent or applies only to the current session.
  - Terminate user session: terminates the user's session on Ivanti Policy Secure.
  - Ignore (log the event): the received event details are logged on Ivanti Policy Secure and no action is taken.
- Under Roles, specify which user sessions the policy applies to:
  - Policy applies to ALL roles: apply the policy to all users.
  - Policy applies to SELECTED roles: apply the policy only to users mapped to roles in the Selected roles list. Add roles to this list from the Available roles list.
  - Policy applies to all roles OTHER THAN those selected below: apply the policy to all users except those mapped to roles in the Selected roles list. Add roles to this list from the Available roles list.
- Click Save Changes.
Once the policy is created, the summary page lists the policies created for the different events and user roles.
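The following Python model is an added illustration and not code from Ivanti or Splunk. It shows how the client and policy settings described above combine: a received event is validated against the event types and severities the template allows, looked up against the endpoint's session by source IP, and then matched by event type, severity and the three role-scope options (ALL, SELECTED, OTHER THAN) to decide the action. The JSON field names (event_type, severity, src_ip), the sample policies, sessions and events are all constructed assumptions; the real Splunk-SIEM-HTTP-JSON template defines its own message format, and the precedence between several matching policies is not described on this page, so every matching policy is returned.

```python
import json
from dataclasses import dataclass

# Event types and severities as listed on the page for the Splunk template.
EVENT_TYPES = {"block-endpoint", "quarantine-endpoint", "alert"}
SEVERITIES = {"High", "Medium", "Low", "Information"}


@dataclass(frozen=True)
class Policy:
    name: str
    event_type: str             # an EVENT_TYPES value or "any"
    severity: str               # a SEVERITIES value or "Any"
    action: str                 # "block", "quarantine", "terminate" or "ignore"
    role_scope: str = "ALL"     # "ALL", "SELECTED" or "OTHER_THAN"
    roles: frozenset = frozenset()
    quarantine_role: str = ""   # used only when action == "quarantine"
    permanent: bool = False     # quarantine role permanently or for the session only


@dataclass(frozen=True)
class Session:
    user: str
    ip: str
    mac: str
    roles: frozenset


def parse_event(raw: str) -> dict:
    """Validate a constructed JSON alert before it can drive enforcement.
    The field names are an assumption made for this illustration."""
    msg = json.loads(raw)
    event_type, severity = msg.get("event_type"), msg.get("severity")
    if event_type not in EVENT_TYPES or severity not in SEVERITIES:
        raise ValueError(f"unsupported event {event_type!r}/{severity!r}")
    return {"event_type": event_type, "severity": severity, "src_ip": msg["src_ip"]}


def policy_matches(policy: Policy, event: dict) -> bool:
    """'Rule on Receiving': event type and severity, each possibly wildcarded."""
    return (policy.event_type in ("any", event["event_type"])
            and policy.severity in ("Any", event["severity"]))


def role_scope_matches(policy: Policy, session_roles: frozenset) -> bool:
    """The three 'Roles' options: ALL, SELECTED, or all OTHER THAN selected."""
    if policy.role_scope == "ALL":
        return True
    overlap = bool(policy.roles & session_roles)
    return overlap if policy.role_scope == "SELECTED" else not overlap


def describe_action(policy: Policy, session: Session) -> str:
    if policy.action == "block":
        return f"block MAC {session.mac} permanently"
    if policy.action == "quarantine":
        scope = "permanently" if policy.permanent else "for this session"
        return f"assign role {policy.quarantine_role} {scope}"
    if policy.action == "terminate":
        return "terminate session"
    return "log event only"


def evaluate(policies, sessions: dict, event: dict) -> list:
    """Return (user, policy name, action) for every policy that applies."""
    session = sessions.get(event["src_ip"])
    if session is None:
        # Enforcement needs a session whose IP matches the event; without one
        # the event can only be logged.
        return [("log-only", None, f"no session for {event['src_ip']}")]
    return [(session.user, p.name, describe_action(p, session))
            for p in policies
            if policy_matches(p, event) and role_scope_matches(p, session.roles)]


# Constructed sample data, not real configuration.
POLICIES = [
    Policy("block-high", "block-endpoint", "High", "block"),
    Policy("quarantine-contractors", "quarantine-endpoint", "Any", "quarantine",
           "SELECTED", frozenset({"Contractor"}), "Quarantine"),
    Policy("log-non-admin-alerts", "alert", "Any", "ignore",
           "OTHER_THAN", frozenset({"Admin"})),
]
SESSIONS = {s.ip: s for s in (
    Session("alice", "10.0.0.5", "00:11:22:33:44:55", frozenset({"Employee"})),
    Session("bob", "10.0.0.6", "00:11:22:33:44:66", frozenset({"Contractor"})),
    Session("carol", "10.0.0.7", "00:11:22:33:44:77", frozenset({"Admin"})),
)}
EVENTS = {
    "bob_block": '{"event_type": "block-endpoint", "severity": "High", "src_ip": "10.0.0.6"}',
    "alice_quarantine": '{"event_type": "quarantine-endpoint", "severity": "Medium", "src_ip": "10.0.0.5"}',
    "bob_quarantine": '{"event_type": "quarantine-endpoint", "severity": "Medium", "src_ip": "10.0.0.6"}',
    "carol_alert": '{"event_type": "alert", "severity": "Low", "src_ip": "10.0.0.7"}',
    "alice_alert": '{"event_type": "alert", "severity": "Low", "src_ip": "10.0.0.5"}',
    "unknown_ip": '{"event_type": "block-endpoint", "severity": "High", "src_ip": "192.0.2.9"}',
}


def run_demo() -> dict:
    return {name: evaluate(POLICIES, SESSIONS, parse_event(raw))
            for name, raw in EVENTS.items()}


if __name__ == "__main__":
    for name, decisions in run_demo().items():
        print(name, decisions)
```

Two cases are worth noting when reading the output: the quarantine event for alice produces no action because her Employee role is outside the SELECTED scope, and the event from 192.0.2.9 is logged only because no session carries that IP, which is exactly why the page insists that Ivanti Policy Secure must know the endpoint's IP address.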