Network devices
Before Endpoint Analytics can start collecting endpoint data from network interface devices (NIDs), they will first need to be added to the system using the Configuration > Network Devices submenu.
Note
Endpoint Analytics can collect endpoint information from switches and routers using SNMP versions 1, 2c, and 3. The system will poll devices using either the SNMP version set in the individual device configurations or the version set for the network device group (if the device has been assigned to one). Devices configured for SNMP v1 will not respond to v2c queries.
The options under the submenu correspond to the following network device management tasks:
Adding a network device
To configure a new network device, select Add Device under Configuration > Network Devices, and then do the following:
1. In the Name section of the Add Network Device page, enter a unique, case-sensitive name to identify the device and the IP address that it uses for SNMP queries.
2. (Optional) To add the device to an existing network device group, select the group name from the dropdown menu.
3. In the Access section of the page, select the SNMP version to use for communication with the device, and then enter the read-only community string. The community string is required for SNMP v1 and v2c.
Note
When a network device is assigned to a device group, the group's SNMP version and community string settings override its individual device settings.
3a. If SNMPv3 is selected as the communication method, the following settings also need to be configured:
User Name - Used to authenticate an SNMPv3 session with the device.
Security Level - Enables or disables hashing and/or encryption.
Hash Type - Hash function used by the device (SHA1 or MD5; only available for the AuthNoPriv and AuthPriv security levels).
Authentication Passphrase - Passphrase used with the selected hash type.
Encryption Type - Encryption type used by the device (AES128 or DES; only available with the AuthPriv security level).
Privacy Passphrase - Passphrase used with the selected encryption type.
4. Select Poll as Endpoint to make Endpoint Analytics treat the device as an endpoint rather than a network device. If the device does not support MAC notification traps (i.e., it is not a Cisco or Enterasys device, or MAC notification traps are disabled on it), select Does not support MAC notification traps.
5. (Optional) In the RADIUS section of the page, select Enable RADIUS to allow the system to process RADIUS accounting data from the device, and then enter the Shared Secret set on the device.
6. (Optional) In Trunk Ports, select Edit All to manually designate ports as trunk ports. This is used when the system is unable to identify trunk ports automatically using CDP or by inspecting the device's SAT. Port numbers can be entered as individual comma-separated numbers or as port ranges (e.g., "1-5").
Hint
Designating a port as a trunk does not disable endpoint discovery on that port, but it instructs the UI not to display the MAC addresses learned on that port when viewing endpoints by network device port.
7. (Optional) In Ignored Trunk Ports, click Edit All to add known trunk ports that should be treated as regular switch ports, so that the UI displays the MAC addresses learned on those ports.
8. Click Save to save the configuration and establish SNMP communication with the network device.
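Before a device is added, it is worth confirming that it answers with the SNMP version and credentials entered in the Access section (the Note at the top of this page warns that a device configured for v1 ignores v2c queries). The following script is an added example, not part of the Endpoint Analytics documentation: it maps the Access settings to net-snmp snmpget arguments and performs a single read-only sysDescr.0 query; hostnames, user names and passphrases are placeholders, and net-snmp is assumed to be installed.

```shell
#!/bin/sh
# Added example; not part of the Endpoint Analytics documentation.
# Translates the Access settings from the procedure above into net-snmp
# arguments and issues one read-only sysDescr.0 query, so a device is
# confirmed to answer with the configured SNMP version before it is added.
# Hosts, users and passphrases are placeholders; passphrases must not
# contain whitespace because $args is word-split below.

# Map the names used on the configuration page to net-snmp's spellings.
hash_name() { case "$1" in SHA1) echo SHA ;; *) echo "$1" ;; esac; }
enc_name()  { case "$1" in AES128) echo AES ;; *) echo "$1" ;; esac; }

# snmp_args VERSION COMMUNITY|USER [LEVEL HASH AUTHPASS ENC PRIVPASS]
# VERSION is 1, 2c or 3; LEVEL is NoAuthNoPriv, AuthNoPriv or AuthPriv.
snmp_args() {
  version="$1" principal="$2" level="$3" hash="$4"
  authpass="$5" enc="$6" privpass="$7"
  case "$version" in
    1|2c)
      # v1 and v2c: the read-only community string is the only credential.
      printf '%s' "-v $version -c $principal" ;;
    3)
      case "$level" in
        NoAuthNoPriv) extra="-l noAuthNoPriv" ;;
        AuthNoPriv)   extra="-l authNoPriv -a $(hash_name "$hash") -A $authpass" ;;
        AuthPriv)     extra="-l authPriv -a $(hash_name "$hash") -A $authpass -x $(enc_name "$enc") -X $privpass" ;;
        *) echo "unknown security level: $level" >&2; return 1 ;;
      esac
      printf '%s' "-v 3 -u $principal $extra" ;;
    *) echo "unsupported SNMP version: $version" >&2; return 1 ;;
  esac
}

# check_device HOST VERSION ... : one sysDescr.0 read with a 2 s timeout and
# a single retry. A v2c timeout against a device that only speaks v1 is the
# failure mode the Note at the top of the page describes, so the failure
# line names the version that was tried.
check_device() {
  host="$1"; shift
  args=$(snmp_args "$@") || return 1
  # Passphrases appear on the command line here for brevity; on a shared host
  # prefer an snmp.conf entry so they are not visible in the process list.
  # shellcheck disable=SC2086  # word-splitting of $args is intended
  if out=$(snmpget -t 2 -r 1 $args "$host" sysDescr.0 2>&1); then
    echo "OK   $host: $out"
  else
    echo "FAIL $host (SNMP v$1): $out"; return 1
  fi
}
```

Example calls with placeholder values: `check_device switch1.example.net 2c public` for a v2c device, or `check_device core1.example.net 3 ea_ro AuthPriv SHA1 authpw AES128 privpw` for an SNMPv3 device at the AuthPriv level.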
Adding a network device group
Device groups allow certain settings to be applied over the individual configurations of devices assigned to them and can be used to streamline device administration and management in larger network environments.
Note
The settings configured for the group are automatically applied to all new devices added to the device group. The original configurations of these devices are overwritten.
To add a new network device group, select Add Group under Configuration > Network Devices, and then do the following:
1. In the Name section of the Add Network Device Group page, enter a unique, case-sensitive name for the device group.
2. In the Access section of the page, select the SNMP version to use to communicate with all devices in this group, and then enter the read-only community string that the devices have been configured with. The community string is required for SNMP v1 and v2c.
2a. If SNMPv3 is selected as the communication method for the group, the following settings also need to be configured:
User Name - Used to authenticate SNMPv3 sessions with the devices in the group.
Security Level - Enables or disables hashing and/or encryption for devices in the group.
Hash Type - Hash function used by the devices in the group (SHA1 or MD5; only available for the AuthNoPriv and AuthPriv security levels).
Authentication Passphrase - Passphrase used by the devices in the group with the selected hash type.
Encryption Type - Encryption type used by the devices in the group (AES128 or DES; only available with the AuthPriv security level).
Privacy Passphrase - Passphrase used by the devices in the group with the selected encryption type.
3. Select Poll as Endpoint to make Endpoint Analytics treat the devices in this group as endpoints rather than network devices. If none of the devices in the group support MAC notification traps (i.e., they are not Cisco or Enterasys devices, or MAC notification traps are disabled on them), select Does not support MAC notification traps.
4. (Optional) In the RADIUS section of the page, select Enable RADIUS to allow the system to process RADIUS accounting data from devices in this group, and then enter the shared secret set on the physical devices.
5. Click Save to save the device group configuration.
Device and group management
The List Devices, List Groups, and Unconfigured Devices options under Configuration > Network Devices serve as the main administrative console for network devices and device groups once an initial batch of devices and groups has been configured.
Each menu item provides access to the tools and functionality necessary for the efficient management of the corresponding entities.
Network device management
Selecting List Devices from the Network Devices configuration submenu opens a summary page that lists all the network devices that have been added to the system.
Note
To apply a filter to the device list, enter text in the Name/Description and/or IP Address fields or click one of the device counts in the page header.
The following device management operations can also be accessed from the List Devices page:
Adding a new device
Clicking Add Device opens the Add Network Device page. The Add Network Device page can also be accessed by clicking Add Device in the Network Devices configuration submenu.
Editing device settings
Clicking the IP address of a network device in the list opens its Edit Network Device page where the current device settings can be modified.
The following settings/options are only available in the Edit Network Device page:
Context - Clicking Add opens a popup window to attach SNMP context information to the device. This setting is disabled if Poll as Endpoint is selected.
Translated Addresses - Clicking Add opens a popup window to attach the additional IP addresses that will be polled on the physical device.
Device Ports - Opens a list of physical ports and connected endpoints. This setting can also be accessed by navigating to Endpoints > By Network Device > Ports.
Clear Device Ports - Removes current endpoint information from all ports.
Query Now - Triggers an immediate SNMP poll of the network device.
Deleting network devices
A network device can be deleted individually through its Edit Network Device page. Multiple network devices can be deleted at once by selecting them in the list, and then clicking Delete Selected Devices.
Adding a network device to a group
A network device can be added (or reassigned) to a device group by opening its Edit Network Device page and selecting a device group from the dropdown menu.
Exporting device information
Clicking Export as exports the device information as a CSV file. A smaller subset of the list can also be exported by selecting multiple endpoints before clicking on the CSV export button.
Device group management
Selecting List Groups in the Network Devices submenu opens a summary page that lists all the configured network device groups. The list also includes an Ungrouped category that contains all ungrouped devices.
Clicking the + button next to a group name expands the group and displays all the NIDs assigned to it.
Expanding a group allows the following actions to be performed:
Adding a device group
Clicking Add Device Group opens the Add Network Device Group page. The Add Network Device Group page can also be accessed by clicking Add Group in the Network Devices configuration submenu.
Editing device group settings
Clicking the name of a device group opens its Edit Network Device Group page where the current group settings can be modified.
Editing device settings
Clicking the name of a network device opens its Edit Network Device page. For more details on this page, see network device management.
Changing group assignments
One or more NIDs can be assigned to a different group by selecting the new group from the dropdown menu, and then clicking Change Group.
Clicking Ungroup Selected removes the selected devices from the current group without assigning them to a new group.
Removing devices from the system
Select one or more NIDs, and then click Remove Selected to permanently delete the devices from the system.
Clicking Remove ALL Network Infrastructure Devices permanently deletes all NIDs in the group from the system.
Unconfigured devices
Selecting Unconfigured Devices in the Network Devices configuration submenu opens a summary page that lists all network devices that have been discovered but are not configured as network devices under the Endpoint Analytics environment.
Hint
This view may also include network devices that have multiple IP addresses associated with their SNMP agent. The additional interfaces will need to be mapped to their main network device, if it has already been configured in the system.
The Unconfigured Devices page displays the information that is extracted from the CDP or LLDP data of each unconfigured device. The following details are shown for the discovered devices:
Name - Name that is configured in the device
IP Address - IP address of the primary interface of the device
System Description - Current value of the sysDescr OID on the device (the full name and version identifier of the system's hardware type, its OS, and its networking software)
Known Name Found - Indicates whether the device name matches the name of a network device that has already been configured in the system
Updated - Timestamp of the most recent data captured from the device. Clicking the refresh button shows the latest device data
The following actions can also be performed:
Adding a device
Clicking Add opens the Add Network Device page with fields that are pre-populated with the discovered information.
Mapping a device
Clicking Map maps the device data to an already configured network device by adding its IP address as a secondary interface (under Translated Addresses).
Note
Devices that have been added or mapped will not be listed on the Unconfigured Devices page.
Exporting device information
The contents of the Unconfigured Devices page can be exported as a CSV file by clicking the corresponding Export as button.
Importing network device and group information
NIDs and device groups can also be added in batches by selecting either Import Devices or Import Groups from the Network Devices configuration submenu.
Importing devices
To add multiple network devices as a batch, select the Import Devices option, and then do the following in the Import Network Devices page:
Download the CSV file template that corresponds to the SNMP version for the devices to be added (SNMPV1-2C or SNMPV3), and then populate the columns with the necessary device details. For additional information, see adding a network device.
Click Choose File, browse to the edited CSV file, and then click Import File.
In the Import Network Device Information form, select the correct SNMP version for the devices to be added, and then if necessary, select Poll as Endpoint.
Hint
Use the Omit checkboxes and Edit button in the form to make any necessary changes to the data before importing it. An error message is also displayed when duplicate IP addresses are found.
Verify that the details are correct and complete, and then click Import Devices to add the devices to the system.
Importing device groups
To add multiple device groups as a batch, select Import Groups, and then do the following in the Import Network Device Groups page:
Download the CSV file template that corresponds to the SNMP version for the device groups to be added (SNMPV1-2C or SNMPV3), and then populate the columns with the necessary group details. For additional information, see adding a network device group.
Click Choose File, browse to the edited CSV file, and then click Import File.
In the Import Network Device Group Information form, select the correct SNMP version for the device groups to be added, and then, if necessary, select Poll as Endpoint.
Hint
Use the Omit checkboxes and Edit button in the form to make any necessary changes to the data before importing it.
Verify that the details are correct and complete, and then click Import Device Groups to add the groups to the system.
Data collection matrix
The following tables show the collection methods and data types that Endpoint Analytics uses, and how each one is configured on your devices and/or firewalls.
Collection methods
| Collection Method | Function | Notes |
|---|---|---|
| Discovery | | |
| SNMP Polling | MAC-identity ••• | Identifying Attributes •• |
| SNMP Traps | MAC-identity •• | |
| SPAN DHCP | MAC-identity •• | Identifying Attributes •• |
| SPAN Other | MAC-identity • | Identifying Attributes •••/•• |
| IP Helper | MAC-identity •• | Identifying Attributes •• |
| Active Directory Queries | Identifying Attributes •• | |
| RADIUS Accounting | MAC-identity •• | Behavioral Attributes •• |
| NetFlow, J-Flow, SFlow | Identifying Attributes • | |
| DNS Transfers | Identifying Attributes • | |
Classification:
Required: •••
Recommended: ••
Supplemental: •
Data types
The SPAN column in the following table indicates whether the data type is collected through receiving SPAN traffic.
| SPAN | Data Type | Functionality | Configuration |
|---|---|---|---|
| No | Active Directory | Profile data (computer info, OS, SP, etc.) | Active directory collection (EA) |
| No | DHCP Request Data | Profile data (vendor, hostname, request options, other options), informative (FQDN), logistics (location), initial discovery | IP helper (external), subnet groups (EA) |
| No | DNS Names | Informative (IP to DNS mapping) | Zone transfers, DNS zones (EA) |
| No | CDP/LLDP | Initial discovery, logistics (trunk ports, port status, authentication status, location), profile data | SNMP collection (EA) |
| No | IP - ARP Cache | MAC to IP binding | SNMP collection (EA) |
| No | IP - RADIUS | MAC to IP binding, logistics (location) | RADIUS accounting forwarding (external) |
| No | MAC - SNMP Traps | Initial discovery | SNMP trap forwarding (external) |
| No | MAC - ARP Cache/SNMP General | Initial discovery, profile data, logistics (location) | SNMP collection (EA) |
| No | Location - Other | Logistics (location) | Internal algorithm, UI |
| No | RADIUS Usernames | Informative (RADIUS usernames to MAC) | RADIUS accounting forwarding (external) |
| No | SNMP Description | Profile data | SNMP collection (EA) |
| No | Traffic - NetRelay | Profile data | Flow forwarding (external) |
| Yes | DICOM/Healthcare | Profile data | SPAN (external) |
| Yes | IP - ARP Transaction | MAC to IP binding | SPAN (external) |
| Yes | IP - DHCP Response | MAC to IP binding | SPAN (external) |
| Yes | MAC - Traffic | Initial discovery, profile data | SPAN (external) |
| Yes | Stack Info | Profile data (TTL, window size, TCP options) | SPAN (external) |
| Yes | Network Traffic | Profile data (ports), informative (connections) | SPAN (external) |
| Yes | URL | Profile data | SPAN (external) |
| Yes | Web User Agent | Profile data | SPAN (external) |
Note
NetWatch will still observe local traffic without SPAN.