When policies are deployed to hosts, it can be confusing when they do not end up where they are supposed to. This simple breakdown of the procedure should help most, if not all, readers identify where the issue is taking place, so they can either resolve it themselves or give support a deeper analysis of the issue.
Below is the procedure by which policies make their way to the endpoints:
- The policy is written on the ENTM and pushed to the DMS.
- The ENTM's or the DS's DH__ then picks up the policy from the DMS (if a DS is present, its DH__WRITER/DH will be the default one, except for the ENTM endpoint).
- The endpoint's POLICYFETCHER then periodically checks the ENTM/DS DH__ for an update.
- The endpoint then sends a heartbeat to the DH__WRITER to report that it received the policies.
If the policies are not making their way to the endpoint:
sepmd -L DH__WRITER --- Run this command on the DS or the ENTM (depending on the setup). It identifies the offsets and shows any errors indicating an issue.
sepmd -L DMS__ --- Run this command on the ENTM, as this is the primary DMS. It identifies each DH__ associated with the DMS and its status (synced, out of sync, last update time).
All of this updates about every hour, so if the last update time shows anything else, there may be an issue other than the more obvious 'out of sync' state.
Policyfetcher.log --- This is the log on the endpoint. It shows the connection to the DH__ and DH__WRITER (which work in unison) as well as the policies the endpoint is trying to pull down.