Tuesday, December 19, 2017

ISE experts - can I configure a syslog or email alert anytime ISE sees traffic to a site with a self-signed cert?

As the title says, I'm trying to get an alert configured so that I can log/track the self-signed certs that are hit by my inside clients. I have a very basic SSL rule set up currently that only looks at cert status, and is set to log to the event viewer, with an action of "Do not decrypt".

It's my understanding that anything that matches the rule should be logged to the event viewer, then sent on to the access control policy for action there. And in fact, I see the events in the connection events log, with an SSL status of "Do Not Decrypt", so it appears that part is working.

The issue I seem to be having is getting notified when this happens.

As I'm typing this, I wonder if I'm actually trying to go about this the wrong way. Would it be easier to just run a scheduled connection events report every 24 hours? If I can eliminate duplicate responder IPs, I think I might get something very useful.

Anyway, sorry if I'm rambling. If you have experience with ISE alerting and/or reporting, I'd really appreciate it if you could chime in.


