Symantec Privileged Access Management

  • 1.  How to improve deployment time policies?

    Posted May 29, 2015 10:52 AM

    Good day to all

    I have implemented CA ControlMinder 12.8. When I deploy a simple policy to protect a resource on a host, the deployment process takes about 45 minutes.

    I wonder if this time may be due to some reason you can revise and improve.

    Thanks for the collaboration to all.



  • 2.  Re: How to improve deployment time policies?

    Broadcom Employee
    Posted Jun 01, 2015 06:44 AM

    Hello,

    Policies are deployed in a "pull" manner rather than pushing them to endpoints. Each endpoint has a policyfetcher, which queries the Distribution Host (DH) periodically for new deployment tasks. You can review policyfetcher.log to see how your endpoint is doing:


    15:31:18@May 27 2015 - policyfetcher initialized successfully.
    15:31:19@May 27 2015 - Starting policyfetcher loop...
    (...)
    15:31:24@May 27 2015 - Finished policyfetcher loop...
    15:31:24@May 27 2015 - Going to sleep 3600 seconds ... (abortable)
    16:31:25@May 27 2015 - Starting policyfetcher loop...
    16:31:25@May 27 2015 - adding "DH__@CAPIM.ACME.COM" to DH list
    16:31:25@May 27 2015 - Start checking for variables changes ...
    16:31:25@May 27 2015 - Start downloading deployments
    16:31:25@May 27 2015 - Scanning DH list, round #1
    16:31:25@May 27 2015 - trying to connect to host "DH__@CAPIM.ACME.COM"
    16:31:25@May 27 2015 - successfully connected to host "DH__@CAPIM.ACME.COM"
    16:31:25@May 27 2015 - fetching remote deployments from DH:
    16:31:25@May 27 2015 - received 0 deployments from DH
    16:31:25@May 27 2015 - stored 0 new deployments
    16:31:25@May 27 2015 - Start executing deployments...
    16:31:25@May 27 2015 - trying to connect to host "localhost"
    16:31:25@May 27 2015 - successfully connected to host "localhost"
    16:31:25@May 27 2015 - fetching local deployments:
    16:31:25@May 27 2015 - no local deployments found
    16:31:25@May 27 2015 - Finished policyfetcher loop...
    16:31:25@May 27 2015 - Going to sleep 3600 seconds ... (abortable)
    17:31:25@May 27 2015 - Starting policyfetcher loop...
    17:31:25@May 27 2015 - adding "DH__@CAPIM.ACME.COM" to DH list
    17:31:25@May 27 2015 - Start checking for variables changes ...
    17:31:25@May 27 2015 - Start downloading deployments
    17:31:25@May 27 2015 - Scanning DH list, round #1
    17:31:25@May 27 2015 - trying to connect to host "DH__@CAPIM.ACME.COM"
    17:31:25@May 27 2015 - successfully connected to host "DH__@CAPIM.ACME.COM"
    17:31:25@May 27 2015 - fetching remote deployments from DH:
    17:31:25@May 27 2015 - received 0 deployments from DH
    17:31:25@May 27 2015 - stored 0 new deployments
    17:31:25@May 27 2015 - Start executing deployments...
    17:31:25@May 27 2015 - trying to connect to host "localhost"
    17:31:25@May 27 2015 - successfully connected to host "localhost"
    17:31:25@May 27 2015 - fetching local deployments:
    17:31:25@May 27 2015 - no local deployments found
    17:31:25@May 27 2015 - Finished policyfetcher loop...
    17:31:25@May 27 2015 - Going to sleep 3600 seconds ... (abortable)

    Here the policyfetcher checks every 60 minutes to see if there's something to do on the DH. You can adjust this with the check_deployment_tasks registry key under HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\policyfetcher. For UNIX, seos.ini is the place to go.
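
Added example, not part of the original thread or the product's own tooling: a Python parser for policyfetcher.log text in the format quoted above. It reports the logged sleep interval, the observed gap between polls, the deployments received per loop, and any host a loop tried to reach without logging a successful connection. The function name `summarize` and the sample lines are constructed for illustration; the last loop in the sample deliberately omits the "successfully connected" line.

```python
import re
from datetime import datetime

# Constructed sample in the format of the policyfetcher.log excerpt above.
SAMPLE_LOG = '''\
15:31:19@May 27 2015 - Starting policyfetcher loop...
15:31:24@May 27 2015 - Finished policyfetcher loop...
15:31:24@May 27 2015 - Going to sleep 3600 seconds ... (abortable)
16:31:25@May 27 2015 - Starting policyfetcher loop...
16:31:25@May 27 2015 - trying to connect to host "DH__@CAPIM.ACME.COM"
16:31:25@May 27 2015 - successfully connected to host "DH__@CAPIM.ACME.COM"
16:31:25@May 27 2015 - received 0 deployments from DH
16:31:25@May 27 2015 - Finished policyfetcher loop...
16:31:25@May 27 2015 - Going to sleep 3600 seconds ... (abortable)
17:31:25@May 27 2015 - Starting policyfetcher loop...
17:31:25@May 27 2015 - trying to connect to host "DH__@CAPIM.ACME.COM"
17:31:26@May 27 2015 - Finished policyfetcher loop...
'''

LINE = re.compile(r'^\s*(\d\d:\d\d:\d\d@\w{3} \d{1,2} \d{4}) - (.*)$')

def summarize(log_text):
    """Return poll timing and per-loop DH results from policyfetcher.log text."""
    loops, sleeps, pending = [], [], set()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skips "(...)" and blank lines
        ts = datetime.strptime(m.group(1), '%H:%M:%S@%b %d %Y')
        msg = m.group(2)
        if msg.startswith('Starting policyfetcher loop'):
            loops.append({'start': ts, 'received': None, 'unconfirmed': []})
            pending = set()  # hosts tried but not yet confirmed in this loop
        elif (s := re.match(r'Going to sleep (\d+) seconds', msg)):
            sleeps.append(int(s.group(1)))
        elif not loops:
            continue  # ignore lines that precede the first loop start
        elif (h := re.match(r'trying to connect to host "(.+)"', msg)):
            pending.add(h.group(1))
        elif (h := re.match(r'successfully connected to host "(.+)"', msg)):
            pending.discard(h.group(1))
        elif (r := re.match(r'received (\d+) deployments from DH', msg)):
            loops[-1]['received'] = int(r.group(1))
        elif msg.startswith('Finished policyfetcher loop'):
            loops[-1]['unconfirmed'] = sorted(pending)
    gaps = [int((b['start'] - a['start']).total_seconds())
            for a, b in zip(loops, loops[1:])]
    return {'sleep_seconds': sorted(set(sleeps)), 'observed_gaps': gaps,
            'loops': loops}
```

A loop with a non-empty `unconfirmed` list or a `received` value of `None` did not complete a fetch from the DH, so a pending policy waits at least one more sleep interval on that endpoint.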