Bulk Network Tool in CA PAM returns a failure for many of the target machines

Article ID: 217374

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

One of the features introduced in the latest versions of CA PAM is a Bulk Network Tool, which checks network connectivity for a batch of machines listed in a csv input file.

See for instance:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-4-3/implementing/configuring-your-server/diagnostics-and-troubleshooting/tools.html

This utility loads a csv file where each line has the following format:

IP address, Port, Options

and performs a network connectivity test against each address and port specified. A sample csv file can be downloaded from the tool to illustrate the expected format.

However, the documentation does not describe what may be specified in the Options field, and in some environments the bulk tool reports many of the target machines as unresponsive.

This article clarifies what the utility does and how it can be tuned to give a more accurate result.

Environment

CA PAM versions 3.4.X and later

Resolution

The bulk network scan tool runs nmap against each IP address and port specified in the csv file.

For instance, a line such as

10.10.10.1, 666, -sV -T4

translates to

nmap -p 666 -sV -T4 10.10.10.1

The output of this command is what is displayed in the result of the bulk network tool.

This means that the Options field of every line in the csv file may hold any option, or combination of options, that is valid for nmap. For instance, the line

10.10.10.1, 666, -T1

translates to

nmap -p 666 -T1 10.10.10.1

There are plenty of articles describing nmap's functionality. For instance, see the following brief summary of its options:

https://nmap.org/book/man-briefoptions.html

The options provided by default in the downloadable sample csv file are not always suitable for every IP specified in the file.

This is the case, for instance, when remote machines take a long time to respond to nmap: the tool simply discards the result, so many of those machines show up with no result for the test. In these cases a more suitable set of nmap options should be used.

For instance, the following combination has been found to give good discovery results in an environment with a number of heterogeneous machines:

-n -T1 -PN --max-scan-delay 0ms --min-rate 1000000 --max-retries 0

This string goes in the Options field of each line of the csv file used to feed the utility.

Note what these options trade away: -n skips reverse DNS resolution, -PN (the older spelling of -Pn) skips host discovery so hosts that block ping are still scanned, and --max-retries 0 sends a single probe per port. A port that drops that one probe is reported as filtered rather than open, so a small number of false "unresponsive" results can remain on a lossy network.
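To reproduce the csv-to-nmap translation described in the Resolution section outside the appliance, and to try alternative option sets such as the one above against the same host list, the following script parses a csv file in the tool's format, builds the equivalent nmap command for each line, and classifies the grepable (-oG) output. This is an added example, not code from the CA PAM tool; it assumes only the translation the article describes ("IP, Port, Options" becomes "nmap -p PORT OPTIONS IP"). The csv content and the nmap -oG output embedded in it are constructed samples, and run_scan() is the only function that requires nmap to be installed.

```python
"""Reproduce the csv -> nmap translation of the CA PAM Bulk Network Tool locally.

Added example, not CA PAM code. It assumes the translation the article
describes ("IP, Port, Options" -> "nmap -p PORT OPTIONS IP") and uses a
constructed csv and a constructed nmap -oG output; run_scan() is the only
function that needs nmap installed.
"""
import csv
import io
import shlex
import shutil
import subprocess

# Constructed sample in the tool's csv format: IP address, Port, Options.
# The second line uses the tuned option set from the article; the third has
# an empty Options field.
SAMPLE_CSV = """\
10.10.10.1, 666, -sV -T4
10.10.10.2, 22, -n -T1 -PN --max-scan-delay 0ms --min-rate 1000000 --max-retries 0
10.10.10.3, 443,
"""

# Constructed nmap -oG (grepable) output for two of the hosts above. Each
# port entry has the form port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_GREPABLE = (
    "# Nmap 7.80 scan initiated (constructed sample)\n"
    "Host: 10.10.10.1 ()\tStatus: Up\n"
    "Host: 10.10.10.1 ()\tPorts: 666/open/tcp//ircd///\n"
    "Host: 10.10.10.2 ()\tPorts: 22/filtered/tcp//ssh///\n"
    "# Nmap done (constructed sample)\n"
)


def parse_rows(text):
    """Return [(ip, port, [nmap option, ...]), ...] from csv text in the tool's format."""
    rows = []
    for rec in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not rec or not rec[0].strip():
            continue  # blank line
        if len(rec) < 2:
            raise ValueError(f"line {rec!r} has no port")
        ip, port = rec[0].strip(), rec[1].strip()
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port {port!r} for {ip}")
        # Options are split the way a shell would, so quoted values survive.
        options = shlex.split(rec[2]) if len(rec) > 2 else []
        rows.append((ip, int(port), options))
    return rows


def build_command(ip, port, options, extra=()):
    """Mirror the tool: nmap -p PORT OPTIONS IP (extra is appended before the IP)."""
    return ["nmap", "-p", str(port), *options, *extra, ip]


def parse_grepable(output):
    """Return {ip: {port: state}} from nmap -oG output; hosts with no Ports field are omitted."""
    result = {}
    for line in output.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        states = {}
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 2 and fields[0].isdigit():
                states[int(fields[0])] = fields[1]
        result[ip] = states
    return result


def run_scan(ip, port, options, timeout=60):
    """Run one translated command with -oG output; None if nmap exceeds the timeout.

    A None here corresponds to the "no result" entries the bulk tool shows for
    slow hosts, which is what a tuned option set is meant to avoid.
    """
    if shutil.which("nmap") is None:
        raise RuntimeError("nmap is not installed")
    cmd = build_command(ip, port, options, extra=("-oG", "-"))
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout, check=False)
    except subprocess.TimeoutExpired:
        return None
    return parse_grepable(proc.stdout).get(ip, {})


if __name__ == "__main__":
    for ip, port, options in parse_rows(SAMPLE_CSV):
        print(shlex.join(build_command(ip, port, options)))
```

Running the script prints the nmap command line the tool would execute for each csv line, which is the quickest way to check that a candidate Options string is well formed before uploading the file. To compare option sets, call run_scan() with the same hosts and different option lists and count how many return None (timed out) versus a port state; the tuned set from the article should reduce the former.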