To work around the issue, disable the IP Verification check within cpservice.
Alerts aren’t received if multiple IP addresses try to use the same session ID on SIEM (Signature ID: 306-79 / Description: Multiple IP addresses were detected using the same session ID).
Enabling this workaround makes your ESM interface susceptible to some types of session spoofing attacks.
To apply the workaround:
- Use ssh to log on to the cluster ESM, or log on to the cluster ESM console using the root user account.
- Run the following command:
nquery -d esm -q 'update syssettings set value="F" where attribute="IPVerification"'
After you complete this procedure, you can export data using the user interface without errors.
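
Since alerts for multiple IP addresses using the same session ID aren't received, the same condition can be checked independently from web access logs. The following is an added example, not part of the original article or the product: the log layout (ISO timestamp, source IP, session ID), the function names and the 30-minute window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed layout: ISO timestamp, source IP, session ID.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 sessA
2024-05-01T10:01:10 10.0.0.5 sessA
2024-05-01T10:02:30 10.0.0.9 sessB
2024-05-01T10:03:00 192.0.2.44 sessA
2024-05-01T10:04:00 10.0.0.9 sessB
2024-05-01T18:30:00 10.0.0.7 sessC
2024-05-02T09:00:00 10.0.0.8 sessC
malformed line
"""

def parse(lines):
    """Yield (timestamp, ip, session_id); skip lines that do not match the layout."""
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def shared_sessions(lines, window=timedelta(minutes=30)):
    """Return {session_id: sorted IPs} for sessions used by more than one IP
    within `window`. Outside the window a changed IP is treated as a client
    that moved networks (an assumption; tune the window per site)."""
    recent = defaultdict(dict)          # session_id -> {ip: last_seen}
    findings = defaultdict(set)
    for ts, ip, sid in sorted(parse(lines)):
        seen = recent[sid]
        for other_ip, last in seen.items():
            if other_ip != ip and ts - last <= window:
                findings[sid].update((ip, other_ip))
        seen[ip] = ts
    return {sid: sorted(ips) for sid, ips in findings.items()}

if __name__ == "__main__":
    for sid, ips in shared_sessions(SAMPLE_LOG.splitlines()).items():
        print(f"session {sid} used from multiple IPs: {', '.join(ips)}")
```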