
Connectors (Server)

NP-View includes a utility to automatically retrieve network device configuration files on a schedule. The connector types supported in NP-View Server are below:

Configuration Managers

For retrieving config files from network management systems. For each connector, the user can select the devices to be uploaded for monitoring.

| Manufacturer | Type/Model | Configuration Information Required | Connection Type |
|---|---|---|---|
| Check Point | R80.x/R81.x | Hostname or IP address plus login credentials. See device selection and service account sections below for additional information | HTTPS + optional SSL server verification |
| Forescout | Enterprise Manager | Install of the NP-View Plugin for ForeScout into your ForeScout Enterprise manager. See this document for details and the additional instructions section below. Note that NP-View will discontinue support for Forescout in 2024. | Java based plugin for Forescout |
| Fortinet | FortiManager (7.0.5, 6.4.8, 6.2.10, 6.0.14) | Hostname or IP address plus login credentials | HTTPS + optional SSL server verification |
| Palo Alto | Panorama (9.1.x, 10.1.x) | Hostname or IP address plus login credentials. See device selection section below for additional information | HTTPS |
| SolarWinds | Network Configuration Manager (Orion Platform HF3, NCM HF1: 2020.2.6) | Hostname or IP address plus login credentials | HTTPS |

Direct Device Connection

For retrieving config files directly from the network device.

| Manufacturer | Type/Model | Configuration Information Required | Connection Type |
|---|---|---|---|
| Cisco | Adaptive Security Appliance (ASA) | Hostname or IP address plus login credentials, enable password and optional context | SSH |
| Cisco | Internetwork Operating System (IOS) | Hostname or IP address plus login credentials, enable password and optional context | SSH |
| Fortinet | FortiGate Firewall and NGFW | Hostname or IP address plus login credentials. Note: SCP should be enabled in the configuration (instructions) | SSH |
| Juniper | JunOS Firewall | Hostname or IP address plus login credentials | SSH |
| Palo Alto | NGFW (PAN-OS) | Hostname or IP address plus login credentials | HTTPS |

Volume Shares

For retrieving config files that are uploaded to a common collection repository.

| Platform | Connection | Configuration Information Required | Connection Type |
|---|---|---|---|
| Windows | SMB Share w/ Folder Recursion (Samba) | Hostname or IP address, share name and device name. Optional: Root folder path, recursive search, name filter and a PGP key can also be provided if the files retrieved have been encrypted. | SMB/CIFS |
| Linux | SSH Share | Hostname or IP address and folder path. Optionally a white list and black list can be defined. Optional: a PGP key can also be provided if the files retrieved have been encrypted. | SSH |

Asset Managers

For retrieving asset related information from asset management systems. 

| Manufacturer | Type/Model | Configuration Information Required | Connection Type |
|---|---|---|---|
| Claroty | CTD | Hostname or IP address plus login credentials | HTTPS |

Experimental Connectors

Support for the following device connectors is in various stages of development, and they are provided for field testing purposes. These device connectors may or may not work for your specific environment or configurations. If you find issues with these devices, please provide your feedback to support@network-perception.com

Cloud Providers

For retrieving VLAN and services configurations from cloud providers.

| Provider | Type/Model | Configuration Information Required | Connection Type |
|---|---|---|---|
| Amazon | AWS | AWS API Access Key, Secret Key and Region to monitor | Boto3 (HTTPS + OAuth2) |
| Google | Google Cloud Platform | GCP ID, Service Account Credentials | HTTPS + OAuth2 |
| Microsoft | Azure | Azure Tenant ID, Client ID, Client Secret, Subscription ID, and Resource Group Name | HTTPS |

Configuration Managers

For retrieving config files from network management systems. For each connector, the user can select the devices to be uploaded for monitoring.

| Manufacturer | Type/Model | Configuration Information Required | Connection Type |
|---|---|---|---|
| Infoblox | NetMRI | Hostname or IP address plus login credentials. Note that NP-View will discontinue support for NetMRI in 2024. | HTTPS |

Legacy Configuration Managers

These devices are no longer supported by NP-View.  While the system did support these devices in the past, the vendor no longer provides support to external developers and these devices have been removed from active support.

| Manufacturer | Type/Model | Configuration Information Required | Connection Type |
|---|---|---|---|
| Tripwire | Enterprise Manager | Hostname or IP address and login credentials plus a tripwire policy rule to invoke. | HTTPS + optional SSL server verification |

Additional Connector Instructions

The use of service accounts is a recommended best practice when connecting to devices through connectors. The service account can be read-only and must have API privileges. When entering credentials related to an Active Directory domain, it is recommended to enter the username using the format account@domain.xyz instead of domain.xyz\account, as the backslash can cause unexpected issues.

For R80, we recommend creating the service account in the SmartCenter (not Gaia) ensuring the account provides access to the Web API.

The fields required for the AWS connector can be found at:

  1. Access Key ID & Secret Access Key

The services on AWS we currently support are:
  • Virtual Networks
  • Network Security Groups
  • Subnets
  • Network Interfaces
  • Virtual Machines (EC2)

The fields required for the Azure connector are:

  1. Tenant ID
  2. Client ID & Client Secret
  3. Subscription ID
  4. Resource Group Name

The services on Azure we currently support are:
  • Virtual Networks
  • Network Security Groups
  • Subnets
  • Storage Accounts
  • Network Interfaces
  • Virtual Machines

NP-View connects to the Claroty CTD (cloud or on premise) through the API. NP-View will extract the following fields of data and map them to NP-View:

| Claroty | NP-View |
|---|---|
| name | Name |
| ipv4 | IP Address |
| vendor | OS |
| mac | MAC Address |
| protocol | Service |

For the connector to work with Check Point devices, the API settings need to be enabled in the SmartConsole. See the image below for settings and commands to restart the API.

Check Point and Palo Alto network management systems provide files with multiple devices. The connectors for these systems allow for the selection of individual devices to load into NP-View. The user can input the names of the devices, one per line, or select the “Retrieve device list” button to be provided a selection list.

If Forescout is truncating the data imported into NP-View, use the following command on Forescout to extend the size of the retrieved file: `fstool set_property fs.np.field.string.limit.def YYYY`, where YYYY represents the number of lines to import (e.g., `fstool set_property fs.np.field.string.limit.def 25000`).

The fields required for the GCP connector are:

  1. GCP ID
  2. Service Account Credentials

The services on GCP we currently support are:
  • Firewall rules (`gcloud compute firewall-rules list --format=json`)
  • Instances (`gcloud compute instances list --format=json`)
  • Subnets (`gcloud compute networks subnets list --format=json`)
  • Routes (`gcloud compute routes list --format=json`)
  • VPN Gateways (`gcloud compute vpn-gateways list --format=json`)
  • VPN Tunnels (`gcloud compute vpn-tunnels list --format=json`)

Network Perception suggests the following when setting up the SMB connection.

  1. Create a read-only user in Active Directory or on the SMB server.
  2. Determine the available share (`Get-SmbShare` in Windows PowerShell) or create a new one.
  3. Share the SMB folder containing the configuration files with the read-only user. For example:
  4. If using the date folder and recursive search feature, clicking “See Current Date Folder” will retrieve the most recent folder, in YYYYMMDD format, in the “Current Root Folder” field. For example:

Optional fields:

  1. Path to Root Folder – Directory you want to be the root folder relative to your default SMB root folder.
  2. Recursive Search – Whether or not to search recursively starting at the connector’s root folder.
  3. Name Filter – Filters file/directory names based on given regex statements. Any file/directory that fully matches ANY given regex statement will be included in the result.
  4. File Decryption Key – a PGP key can also be provided if the files retrieved have been encrypted.
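
How the date-folder selection and the "fully matches ANY" name filter described above behave, as an added example that is not NP-View's own code. The share listing, function names and file names are constructed; it assumes Python's `re.fullmatch` mirrors the connector's full-match rule and, as a simplification, applies the filter to file names only.

```python
import re
from datetime import datetime

# Constructed share listing: paths relative to the SMB root folder.
SHARE = [
    "configs/20240114/Pittsburgh_FW1.cfg",
    "configs/20240115/Pittsburgh_FW1.cfg",
    "configs/20240115/Pittsburgh_FW2.cfg",
    "configs/20240115/notes.txt",
    "configs/20240115/archive/Pittsburgh_FW1.cfg.bak",
    "configs/20241340/Pittsburgh_FW1.cfg",  # eight digits but not a real date
    "configs/latest/Pittsburgh_FW1.cfg",
]

def current_date_folder(paths, root):
    """Return the most recent valid YYYYMMDD folder directly under root, or None."""
    dates = set()
    for p in paths:
        if not p.startswith(root + "/"):
            continue
        first = p[len(root) + 1:].split("/", 1)[0]
        if re.fullmatch(r"\d{8}", first):
            try:
                datetime.strptime(first, "%Y%m%d")  # rejects month 13, day 40, ...
            except ValueError:
                continue
            dates.add(first)
    # YYYYMMDD sorts chronologically as plain text.
    return max(dates) if dates else None

def select_files(paths, root, filters, recursive):
    """Keep files under root whose name fully matches ANY of the filter regexes."""
    compiled = [re.compile(f) for f in filters]
    picked = []
    for p in paths:
        if not p.startswith(root + "/"):
            continue
        rel = p[len(root) + 1:]
        if "/" in rel and not recursive:
            continue  # file sits in a sub-folder and recursion is off
        name = rel.rsplit("/", 1)[-1]
        # fullmatch: the whole name must match, so a fragment like "FW1" selects nothing.
        if any(rx.fullmatch(name) for rx in compiled):
            picked.append(p)
    return sorted(picked)
```

A filter written as a fragment (`FW1`) returns an empty result under full-match rules, which would leave devices out of monitoring without an error, while a broad pattern with recursion enabled also pulls in backup copies.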

If access is denied during the connector test, the following settings should be verified and may need to be changed for the SMB connection to work as expected.

  1. Run PowerShell as administrator.
  2. Run the command `Get-SmbServerConfiguration`.
  3. Verify that EncryptData is set to false. If it is set to true, run the command `Set-SmbServerConfiguration -EncryptData 0`.
  4. Verify that SmbServerNameHardeningLevel is set to 0. If it is not set to 0, run the command `Set-SmbServerConfiguration -SmbServerNameHardeningLevel 0`.

Microsoft recommended default is off (0). More information about these settings can be found on the Microsoft website.

NP-View has the ability to handle HA Groups.

As a best practice, if using SSH shares, it is best to erase the entire folder and replace it with the config files from the current active devices. It is also a best practice to name the HA devices similarly for comparison. For example:

Pittsburgh_FW1

Pittsburgh_FW2

etc.

For Samba shares, a similar method should be used, but the SMB connector has an extra feature of navigating date-labeled folders.

Refer to the Samba section for details.

If you have a system for which you need a connector or if you encounter a technical issue, please contact support@network-perception.com.
