Help with Forescout integration

rtannenbaum
rtannenbaum
in ForeScout

Newbie here.  Have followed all instructions to integrate Infoblox/Forescout, uploaded templates, created extensible attributes, etc.

 

Debug output has a template error:

 

Variable E:values sub-addressing cannot be executed successfully. 

 

[2019/02/05 16:22:37.270467] sdsc-ddi-01.ucsf.edu (DEBUG): Executing step DebugOnStart (1)
[2019/02/05 16:22:37.270540] sdsc-ddi-01.ucsf.edu (DEBUG): Namespace H contents are: {'Connection': 'close', 'Content-Type': 'application/x-www-form-urlencoded', 'Authorization': '[*********]', 'User-Agent': 'Infoblox Security Integration'}
[2019/02/05 16:22:37.270616] sdsc-ddi-01.ucsf.edu (DEBUG): Namespace E contents are: {u'member_ip': u'10.64.19.210', u'event_type': 'HOST_ADDRESS_IPV4', u'timestamp': u'2019-02-06T00:22:34Z', u'vnode_oid': 0, u'object_type': u'HostAddress', u'previous_values': {}, u'values': {u'host': u'test-forescout', u'ipv4addr': u'10.41.8.10', u'_ref': u'record:host_ipv4addr/ZG5zLmhvc3RfYWRkcmVzcyQubm9uX0ROU19ob3N0X3Jvb3QuMC4xNTQ5NDEyNTU0MDg3LnRlc3QtZm9yZXNjb3V0LjEwLjQxLjguMTAu:10.41.8.10/test-forescout/%20', u'network_view': u'default', u'extattrs': {u'FS_Sync': {u'inheritance_source': {u'_ref': u'network/ZG5zLm5ldHdvcmskMTAuNDEuOC4wLzI0LzA:10.41.8.0/24/default'}, u'value': u'true'}, u'FS_Site': {u'inheritance_source': {u'_ref': u'network/ZG5zLm5ldHdvcmskMTAuNDEuOC4wLzI0LzA:10.41.8.0/24/default'}, u'value': u'Lab'}, u'Change Number': {u'value': u'12345678'}}}, u'member_name': u'wtc-ddi.ucsf.edu', u'operation_type': u'INSERT'}
[2019/02/05 16:22:37.270657] sdsc-ddi-01.ucsf.edu (DEBUG): Namespace I contents are: {}
[2019/02/05 16:22:37.270689] sdsc-ddi-01.ucsf.edu (DEBUG): Namespace L contents are: {}
[2019/02/05 16:22:37.270724] sdsc-ddi-01.ucsf.edu (DEBUG): Namespace S contents are: {'URI': u'https://128.218.28.162', 'TIMEOUT': 30, 'USER': u'fs_infoblox_lab@Infoblox_lab'}
[2019/02/05 16:22:37.270756] sdsc-ddi-01.ucsf.edu (DEBUG): Namespace P contents are: {}
[2019/02/05 16:22:37.270883] sdsc-ddi-01.ucsf.edu (DEBUG): Namespace UT contents are: {'USERNAME': '[redacted]', 'PROTOCOL': u'https', 'UUID': '7df6e149-0c57-41ad-8995-c0ca3bbd75e2', 'WAPIUSERNAME': u'aa-tannenbaumr', 'URI': u'https://128.218.28.162', 'HOST': u'128.218.28.162', 'EPOCH': '1549412557', 'TIME': '2019-02-06T00:22:37Z', 'PATH': u'', 'PASSWORD': '[redacted]', 'PORT': 443}
[2019/02/05 16:22:37.270939] sdsc-ddi-01.ucsf.edu (DEBUG): Executing step assignSyncTime (1)
[2019/02/05 16:22:37.271050] sdsc-ddi-01.ucsf.edu (DEBUG): Executing step stop_if_just_changed (1)
[2019/02/05 16:22:37.271090] sdsc-ddi-01.ucsf.edu (DEBUG): Found a/an AND condition step!
[2019/02/05 16:22:37.271177] sdsc-ddi-01.ucsf.edu (DEBUG): Evaluating statement:  == 2019-02-06T00:22
[2019/02/05 16:22:37.271210] sdsc-ddi-01.ucsf.edu (DEBUG): The condition did not match!
[2019/02/05 16:22:37.271245] sdsc-ddi-01.ucsf.edu (DEBUG): Executing step check_for_not_Lease (1)
[2019/02/05 16:22:37.271279] sdsc-ddi-01.ucsf.edu (DEBUG): Found a/an AND condition step!
[2019/02/05 16:22:37.271331] sdsc-ddi-01.ucsf.edu (DEBUG): Evaluating statement: HOST_ADDRESS_IPV4 != LEASE
[2019/02/05 16:22:37.271406] sdsc-ddi-01.ucsf.edu (DEBUG): Evaluating statement: true == true
[2019/02/05 16:22:37.271438] sdsc-ddi-01.ucsf.edu (DEBUG): The condition matched!
[2019/02/05 16:22:37.271461] sdsc-ddi-01.ucsf.edu (DEBUG): Executing the eval block
[2019/02/05 16:22:37.271618] sdsc-ddi-01.ucsf.edu (DEBUG): An error has occurred while processing a template
[2019/02/05 16:22:37.271648] sdsc-ddi-01.ucsf.edu (DEBUG): Variable E:values sub-addressing cannot be executed successfully, please verify the indexes / keys passed are correct (last key tried: "<a complex substitution inner selector>" in "<a complex variable>")
[2019/02/05 16:22:37.271718] sdsc-ddi-01.ucsf.edu (DEBUG): The namespace E contains the following data {u'member_ip': u'10.64.19.210', u'event_type': 'HOST_ADDRESS_IPV4', u'timestamp': u'2019-02-06T00:22:34Z', u'vnode_oid': 0, u'object_type': u'HostAddress', u'previous_values': {}, u'values': {u'host': u'test-forescout', u'ipv4addr': u'10.41.8.10', u'_ref': u'record:host_ipv4addr/ZG5zLmhvc3RfYWRkcmVzcyQubm9uX0ROU19ob3N0X3Jvb3QuMC4xNTQ5NDEyNTU0MDg3LnRlc3QtZm9yZXNjb3V0LjEwLjQxLjguMTAu:10.41.8.10/test-forescout/%20', u'network_view': u'default', u'extattrs': {u'FS_Sync': {u'inheritance_source': {u'_ref': u'network/ZG5zLm5ldHdvcmskMTAuNDEuOC4wLzI0LzA:10.41.8.0/24/default'}, u'value': u'true'}, u'FS_Site': {u'inheritance_source': {u'_ref': u'network/ZG5zLm5ldHdvcmskMTAuNDEuOC4wLzI0LzA:10.41.8.0/24/default'}, u'value': u'Lab'}, u'Change Number': {u'value': u'12345678'}}}, u'member_name': u'wtc-ddi.ucsf.edu', u'operation_type': u'INSERT'}
[2019/02/05 16:22:37.271785] sdsc-ddi-01.ucsf.edu (DEBUG): Execution failed, retry if 0 < 0
[2019/02/05 16:22:37.271843] sdsc-ddi-01.ucsf.edu (WARNING): Template execution retry limit is reached.Event `{u'member_ip': u'10.64.19.210', u'event_type': 'HOST_ADDRESS_IPV4', u'timestamp': u'2019-02-06T00:22:34Z', u'vnode_oid': 0, u'object_type': u'HostAddress', u'previous_values': {}, u'values': {u'host': u'test-forescout', u'ipv4addr': u'10.41.8.10', u'_ref': u'record:host_ipv4addr/ZG5zLmhvc3RfYWRkcmVzcyQubm9uX0ROU19ob3N0X3Jvb3QuMC4xNTQ5NDEyNTU0MDg3LnRlc3QtZm9yZXNjb3V0LjEwLjQxLjguMTAu:10.41.8.10/test-forescout/%20', u'network_view': u'default', u'extattrs': {u'FS_Sync': {u'inheritance_source': {u'_ref': u'network/ZG5zLm5ldHdvcmskMTAuNDEuOC4wLzI0LzA:10.41.8.0/24/default'}, u'value': u'true'}, u'FS_Site': {u'inheritance_source': {u'_ref': u'network/ZG5zLm5ldHdvcmskMTAuNDEuOC4wLzI0LzA:10.41.8.0/24/default'}, u'value': u'Lab'}, u'Change Number': {u'value': u'12345678'}}}, u'member_name': u'wtc-ddi.ucsf.edu', u'operation_type': u'INSERT'}` is skipped

 

Appreciate any help.

Thanks.

 

 

 

Answers

  • rtannenbaum
    rtannenbaum

    Turned out to be a missing Extensible Attribute.

     

    No need to reply.

     

     

  • Vadim
    Vadim Infoblox Product Expert

    Superb!

  • rtannenbaum
    rtannenbaum

    Hi,

     

    Great integration.  Are dhcp lease actions also supposed to generate IB_Location and IB_Delete events in Counteract?  Debug log shows the dhcp events but no match on any action.

     

    Debug log attached showing dhcp request and dhcp release.

     

     

    Thanks.

    Robert

     

     

     

  • kzettel
    kzettel

    Hello Robert,

     

    They do not.

     

    if the asset is a lease then the asset does not sync.

     

    Step: check_for_not_Lease (assigns false to sync variable)

    ${XC:ASSIGN:{LSmiley Frustratedync}:{S:false}}

     

    Step: stop_if_no_sync (stops the template if sync is equat to false)

    {"left": "${L:Smiley Frustratedync}", "op": "==", "right": "false"}

    "stop": true

     

    Let me know if this answer the question or if you need more help.

     

    Hope this helps,

    Kevin Zettel

  • kzettel
    kzettel

    Hello Robert,

     

    It does however it looks like the Extensible attribute "FS_Sync" is set to an empty value.

     

    Executing step check_for_Lease

    Found a/an AND condition step!

    Evaluating statement: LEASE == LEASE

    Evaluating statement: == true <-- (this empty variable on the left is the "FS_Sync" Extensible attribute)

     

    Hope this helps,

     

    Kevin Zettel

Categories