Administrators should read the relevant chapter of the Admin Guide first to understand how to configure this feature and the basics of how it operates; this article answers questions not covered by the Admin Guide.
Q. What anomalies can be detected in 9.0R3?
A. PCS supports detecting device and location anomalies. PPS additionally supports Anomalous Traffic from IoT Devices and Potential Malware Detection as part of Behavioral Analytics, which is covered in the Behavioral Analytics section of the 9.0R3 PPS Admin Guide.
Q. How are device anomalies detected?
A. The client MAC address is used: a device anomaly is triggered if a user connects from a device with a different MAC address than the one used previously.
Q. Does the admin need to configure anything to detect device anomalies?
A. PCS/PPS will automatically record MAC addresses for users accessing the system with the Pulse client; for users using a browser, a Host Checker policy needs to be enabled. The Host Checker policy does not need to be a specific one; any Host Checker policy which runs on the client will obtain and relay the MAC address to the PCS/PPS.
Q. What happens if a browser based login does not use Host Checker?
A. Without Host Checker the browser login will only trigger location anomalies as the PCS/PPS will not receive a MAC address to compare with the user's PCS/PPS database entries.
Q. How are location anomalies detected?
A. The client source IP is geo-located to a country and city location using a third-party database. If the source IP is determined to be in a different city than the previous connections then the anomaly is triggered and the user will need to do a secondary authentication. For the PPS, IP subnets can be defined for locations under Enable subnet based location anomaly detection within the Behavioral Analytics configuration section.
Q. How does the PCS/PPS keep track of users' device and location information?
A. The MAC address and geo-location of each user are stored in a database on the PCS/PPS.
Q. What is the behavior when a new user connects for the first time?
A. The user will have to complete primary and secondary authentication during their first login. Their location and MAC address will then be stored in the PCS/PPS database, and as long as they use the same device from the same location they will subsequently only need to perform primary authentication to log in.
Q. How can an admin view details on the detected anomalies?
A. A summary of anomalies in various charts is available under the dashboard at System > Status > Behavioral Analytics > Behavioral Analytics Dashboard. Details of all the anomalies and more detailed information about them can be seen on the Behavioral Analytics reports pages at System > Reports > Behavioral Analytics. The Reports page captures entries for each user/device, and clicking on one will open a new window which shows all the details for that particular user/device.
Q. A user has triggered an anomaly but does not have the credentials/token etc. to complete secondary authentication, can the admin remove the anomaly to allow the user to login with just primary authentication?
A. Yes. In the Reports section, find the user entry; the Clear action at the far right will remove the anomaly, add the details to the PCS/PPS database and allow the user to authenticate with only primary authentication.
Q. Does the PCS/PPS database keep track of only one allowed location and device, so that moving back and forth between two cities or devices would keep triggering anomalies?
A. The database keeps track of all devices and locations per user, and as long as the current location and device have been used to successfully authenticate in the past, an anomaly will not be generated. For example, a user based in city A has authenticated from that location and it is stored in the PCS/PPS database; they then move to city B, which triggers an anomaly and forces the user to use secondary authentication to log on. Once they successfully authenticate in city B (or the anomaly is cleared by the admin), city B is added to the database along with city A, and the user can log in from either city without triggering a location anomaly. The same behavior applies when switching between different devices.
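The following is an added illustrative model of the decision logic described in the answers above (first-login handling, device anomalies by MAC, location anomalies by city or by PPS subnet, browser logins without Host Checker, and the effect of a successful secondary authentication or admin Clear). It is constructed for this article and is not Pulse Secure code; the geo-IP table, subnet entry, users, IPs and MAC addresses are all constructed sample values.

```python
import ipaddress

# Constructed stand-in for the third-party geo-IP database (assumption).
GEOIP_CITY = {"203.0.113.10": "Madrid", "198.51.100.7": "Berlin"}
# PPS subnet-based location entries, as configured under "Enable subnet based
# location anomaly detection" (constructed values, checked before geo-IP).
SUBNET_LOCATIONS = {ipaddress.ip_network("10.20.0.0/16"): "HQ-Office"}

def locate(src_ip):
    """Map a client source IP to a location name: subnet table first, then geo-IP city."""
    addr = ipaddress.ip_address(src_ip)
    for net, name in SUBNET_LOCATIONS.items():
        if addr in net:
            return name
    return GEOIP_CITY.get(src_ip, "unknown")

class AnomalyDb:
    """Per-user record of every device (MAC) and location that has authenticated successfully."""
    def __init__(self):
        self.users = {}  # user -> {"macs": set(), "locations": set()}

    def evaluate_login(self, user, src_ip, mac=None):
        """Classify a login attempt. mac is None for a browser login without
        Host Checker, so only the location can be compared in that case."""
        location = locate(src_ip)
        anomalies = set()
        rec = self.users.get(user)
        if rec is None:
            # First login: primary and secondary authentication are both required.
            anomalies.add("first_login")
        else:
            if location not in rec["locations"]:
                anomalies.add("location")
            if mac is not None and mac not in rec["macs"]:
                anomalies.add("device")
        return {"user": user, "location": location, "mac": mac,
                "anomalies": anomalies,
                "secondary_auth_required": bool(anomalies)}

    def record_success(self, result):
        """Store the location and MAC after successful secondary authentication;
        the admin Clear action on the Reports page has the same effect."""
        rec = self.users.setdefault(result["user"], {"macs": set(), "locations": set()})
        rec["locations"].add(result["location"])
        if result["mac"] is not None:
            rec["macs"].add(result["mac"])
```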
Q. Is there a limit to the number of location or device entries in the PCS/PPS database?
A. As of 9.0R3 there are no limits to the number of records per user or to the overall size of the database, and no entries are deleted. Testing has been done with the rated user limits of each appliance.
Q. Is it possible to clear the whole PCS/PPS database or remove individual location or device entries per user?
A. An admin can clear the PCS/PPS database via the console connection under System Operations; there is no mechanism for administrators to delete specific entries. If you need specific entries removed, please contact the Pulse Secure Global Support Center (PSGSC) and a Remote Debugging session can be arranged to perform the action.