
Cyber Command is correlated with public IP but displays private IP

Issue Description

Cyber Command is correlated with Endpoint Secure via its public IP, but on Endpoint Secure the correlated device shows the local (private) IP instead of the public IP.


Error/Warning Information

[screenshot omitted]


Handling Process

  1. Enter the Endpoint Secure backend console.

  2. Escalate to root privileges and switch to the MongoDB shell.
    Command:
    sudo -i
    /ac/dc/ldb/bin/mongo

  3. Authenticate and use the .find() method to list the correlated devices.
    Command:
    use sangfor_edr;
    db.auth('sangfor_edr','Esa0ad1bQz!')
    db.link_devices.find().forEach(printjson)

  4. Locate the clientId of the correlated device in the output.

  5. Modify the following commands with the corresponding public IP and clientId, then run them.
    Command:

    • db.link_devices.updateOne({"clientId" : "11339564623410964785"},{$set:{"logUrls" : {"update" : "https://121.123.183.140:7443/sangforinter/v1/collection/logs?token=","login" : "https://121.123.183.140:7443/sangforinter/v1/auth/login"}}})
    • db.link_devices.updateOne({"clientId" : "11339564623410964785"},{$set:{"assetUrls" : {"add" : "https://121.123.183.140:7443/sangforinter/v1/assets?token=","update" : "https://121.123.183.140:7443/sangforinter/v2/assets/set?token=&_method=PUT","delete" : "https://121.123.183.140:7443/sangforinter/v1/assets?token=","login" : "https://121.123.183.140:7443/sangforinter/v1/auth/login"}}})
    • db.link_devices.updateOne({"clientId" : "11339564623410964785"},{$set:{"ip" : "121.123.183.140"}})
      Note:
      Replace the clientId (11339564623410964785 in the example) and the public IP (121.123.183.140 in the example, in every URL and in the "ip" field) with the values for your environment.

  6. Press Ctrl + D to exit the MongoDB shell.

  7. Restart the Endpoint Secure services for the change to take effect.
    Command: /sf/edr/manager/bin/eps_services restart
    Note:
    Does not impact production.
    The WebUI will be temporarily inaccessible.

  8. Wait around 2 minutes, then access the WebUI again. The correlated device now shows the public IP that was set on the backend.
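The three updateOne commands in step 5 edit one record field by field, with the same address typed in six places. The script below, added here and not part of the Sangfor article, builds the whole $set from the record's current contents and applies it in a single update; it assumes a link_devices document shaped like the one those commands write (ip, logUrls, assetUrls) and reuses the article's example clientId and public IP, which you replace with your own.

```javascript
// Added example, not from the Sangfor article: rewrite the host of every
// logUrls/assetUrls entry of one link_devices record and set its ip field in a
// single updateOne. The builder is pure (checkable outside MongoDB); the apply
// step runs only inside the mongo shell, where `db` exists. Edit these first:
const CLIENT_ID = '11339564623410964785';   // value from the article's commands
const PUBLIC_IP = '121.123.183.140';        // value from the article's commands
// Replace only the host of a URL (scheme, port, path and query are kept). Assumes
// no bracketed IPv6; throws on non-URL input so a bad record is caught before any write.
function rewriteHost(url, newHost) {
  const re = /^([a-z][a-z0-9+.-]*:\/\/)([^/:?#]+)/i;
  if (!re.test(url)) throw new Error('not a URL: ' + url);
  return url.replace(re, (m, scheme) => scheme + newHost);
}
// Build the $set document from the device's current record, so every URL key
// present (not only the ones the article lists) is rewritten consistently.
function buildPublicIpUpdate(device, publicIp) {
  const set = { ip: publicIp };
  ['logUrls', 'assetUrls'].forEach((group) => {
    if (!device[group]) return;
    set[group] = {};
    Object.keys(device[group]).forEach((key) => {
      set[group][key] = rewriteHost(device[group][key], publicIp);
    });
  });
  return { $set: set };
}
// Constructed sample record with a made-up private address; paths mirror the article.
const sampleDevice = {
  clientId: CLIENT_ID,
  ip: '192.168.10.20',
  logUrls: {
    update: 'https://192.168.10.20:7443/sangforinter/v1/collection/logs?token=',
    login: 'https://192.168.10.20:7443/sangforinter/v1/auth/login',
  },
  assetUrls: {
    update: 'https://192.168.10.20:7443/sangforinter/v2/assets/set?token=&_method=PUT',
    login: 'https://192.168.10.20:7443/sangforinter/v1/auth/login',
  },
};
// In the mongo shell (after `use sangfor_edr` and db.auth): read the real
// record, apply the rewrite and return the stored record for verification.
function applyPublicIp(clientId, publicIp) {
  const device = db.link_devices.findOne({ clientId: clientId });
  if (!device) throw new Error('no link_devices record for clientId ' + clientId);
  db.link_devices.updateOne({ clientId: clientId }, buildPublicIpUpdate(device, publicIp));
  return db.link_devices.findOne({ clientId: clientId });
}
if (typeof db !== 'undefined') printjson(applyPublicIp(CLIENT_ID, PUBLIC_IP));
```

Run it with `/ac/dc/ldb/bin/mongo` after the `use` and `db.auth` lines from step 3; the returned record lets you confirm every URL and the ip field before restarting the services in step 7.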


Root Cause

The data that Endpoint Secure receives from Cyber Command carries Cyber Command's private IP address, so the correlated device record stores and displays that private IP rather than the public IP used for the correlation.


Solution

Modify the stored device data on the backend as described in the Handling Process.


Suggestions

If Endpoint Secure is running on a virtual machine, take a backup or snapshot before making the change.