topic Re: Why user "localhost" install policies on the FW? in General Topics

Why user "localhost" install policies on the FW?

VicOropeza420 — Wed, 27 Nov 2024 20:08:27 GMT

Hi, Folks.

Do you know why the user "localhost" is installing policies on the firewall? Recently, i identified on the FW logs this activity, I leave a sample of the log:

"Nov 11 12:09:50 x.x.x.x 1 2024-11-11T15:09:48Z FW - [action:"Accept"; flags:"xxx"; ifdir:"outbound"; loguid:"{xxx}"; origin:"x.x.x.x"; originsicname:"xxxx"; sequencenum:"1"; time:"1731337788"; version:"x"; additional_info:"Desktop Policy : policy_name"; administrator:"localhost"; audit_status:"Success"; client_ip:"127.0.0.1"; machine:"localhost"; objectname:"xxxx"; objecttable:"applications"; objecttype:"dtps_application"; operation:"Install Policy"; operation_number:"7"; product:"SmartConsole"; subject:"Policy Installation"; uid:"{xxxxx}"]"

The policy installed is "Desktop Policy", This activity can be "normal" or as part of policy program updates?

I would greatly appreciate your support.

Regards,

Victor.

Re: Why user "localhost" install policies on the FW?

PhoneBoy — Thu, 28 Nov 2024 00:29:21 GMT

Desktop Policy is used by Remote Access clients.
Normally, this is pushed as part of the regular Access Policy.
Not sure why "localhost" is doing this...might be worth a TAC case.

Re: Why user "localhost" install policies on the FW?

the_rock — Thu, 28 Nov 2024 00:49:59 GMT

Just by pure logic, I would say thats not an actual user and here is why. So, if you think about it, ANY computer in the world can technically be "localhost" and we all know what IP is 127.0.0.1. I think @PhoneBoy even has shirt about it lol

Anyway, Im fairly positive this is simply default. system log, or, as you described it, normal in this instance. As Phoneboy had said, desktop policy is related to remote access clients.

Hope that helps.

Andy