5. Configuring NP-Connect and Notifications

You are here:
< All Topics

Overview

Once logged in, users will have access to the NP-Live home page on which they can manage their workspaces. See the Workspaces section for more information on using workspaces.

Once one or more workspaces have been created, the user can configure automated data imports through NP-Connect and automated reporting through the Notification Manager. NP-Connect can be accessed through the main menu (+Import Data) and then New Connector to setup a connector group. The configuration steps for NP-Connect are:

  • Create (or access) a connector group (name and password required)
  • Configure device or device manager connector
  • Assign workspace
  • View results in workspace

NP-Connect

NP-Connect automates the secure retrieval of configuration files from firewalls, routers, switches, and network device configuration managers. NP-Connect hosts one or more connectors that securely retrieves configuration files at a specific frequency. By default, NP-Connect is accessible through HTTPS on port TCP/8443 of the NP-Live server and is isolated for security purposes.

Configuring NP-Connect

The first time an administrator accesses NP-Connect from NP-Live (+Import Data -> New connector -> Manage connectors with NP-Connect), they are required to define a Connector group name and a secure passphrase. The Connector group name will be used to create the encrypted connector file store. Connector information is encrypted at rest and in transit using a passphrase protected PGP key. Only system administrators know the passphrase and the passphrase is never stored. Once initiated, NP-Connect runs in the background collecting network information.  If the NP-Live server is restarted, the administrator has to re-authenticate to re-enable the process. Users can create multiple connector groups and each will require their own login. Once created, the user can select from the list of available connectors when logging in.

To add a new connector, select “+Add new connector”  button and a list of available Devices and Network management System connectors is presented. Upon selecting the Device or Network Management System to add, the user is requested to fill in connection information. The user must enter a Connector name (no spaces), host name, and credentials.  The user can then verify the credentials are correct with the “Test access” button.  Additional information may also be required based on the connector selected.  Finally, a refresh schedule can be selected and a list of workspace the user wishes the device to be added can be input. The user can then test the connector or add the connector to complete the operation.

Note:  Workspaces must be added to the connector for data to be transferred and displayed in the workspace.  If workspaces are added after a connector is setup, data will not be sent to the workspace until the next scheduled import and a configuration change is identified.  Creating workspaces before connectors facilitates faster visualization of data.

Once the connector is added, a tile is added to the NP-Connect home page.  From the tile, the user can:

manually activate the connector for a one time data pull, run / pause the connector, edit the connector, copy the connector, and delete the connector.  To delete the connector group, the user must be logged into the connector group to select delete from the top right drop down. The tile banner will show in three colors, red – connector failed, blue – connector running, gray – connector paused. Click the start / pause button to restart a failed or paused connector, note that a connector may take several minutes to change the banner color.

NP-Connect fails to initiate connection to outside devices

In some instances, the Linux distribution is preventing NP-Connect (Docker) from initiating connections to outside devices. The solution is to update the firewall settings on the Linux distribution using the following commands:

# firewall-cmd --zone=public --add-masquerade --permanent
# firewall-cmd --reload
# systemctl restart docker
Configuring Read-only Access to Cisco
The NP-Live Connector for Cisco uses a read-only SSH connection to collect the output of the show running-config command. It is best practice to create a dedicated read-only user on your Cisco devices when configuring NP-Connect. Here are the commands to only give the minimum permissions needed for this user:

conf t
aaa authorization command LOCAL
privilege show level 2 mode exec command running-config
privilege cmd level 2 mode exec command terminal
username $USERNAME password $PASSWORD priv 2
end
NP-Live Connector for Forescout
The NP-Live Connector for Forescout 8.1 and later enables integration between CounterACT and NP-Live such that network device configuration files managed by CounterACT can be automatically imported into NP-Live and aggregated into specific workspaces. Currently, Cisco switches are supported through the Forescout Switch Plugin.

  • Download the Forescout Extended Module for NP-Live from https://updates.forescout.com.
  • Start your Forescout Console and login into Enterprise Manager.
  • Then open “Options”, select “Modules”, and install the fpi.
  • Detailed instruction can be Found Here.

To request additional support for this connector or to request support for other devices, please contact support@network-perception.com.

NP-Connect + Samba (SMB) Access Error

When connecting NP-Connect to a Windows Server using SMB, an error message may occur.

This error can be caused by two communication scenarios between Linux and Window.  Either SMB encryption is enabled on the Server or SPN target name validation level is enabled (or both).  To check which of these features is causing the issue, Run PowerShell on the Windows Server as administrator and run the following command:

Get-SmbServerConfiguration

If EncryptData = True, it can be disabled using:

Set-SmbServerConfiguration -EncryptData 0

If SmbServerNameHardeningLevel is set to any value other than the default of 0 run:

Set-SmbServerConfiguration -SmbServerNameHardeningLevel 0 

to restore the default.

Configuring Notification Manager

Notification manager is used to configure services and rules for generating and sending system notifications about Workspaces.  Before rules can be configured in notification manger, the administrator is required to configure at least one notification service.  Services include: e-mail, STIX/TAXII, SIEM (Syslog), and select ticketing systems.

  • SMTP configuration requires a server IP address, communication port, user id and password.  Note that a firewall port may need to be opened for NP-Live to communicate with your SMTP server.
  • Syslog configuration requires a server IP address and a communication port.
  • ServiceNow configuration requires a server address, user name and password.
  • TAXII configuration requires a server address, server port, data path and a destination collection name.

Notification Rules

NP-Live can automatically send information to the configured services for changes and activities impacting your workspaces. Select the system menu (top right corner) and then “Notification management” to setup rules. Rules can be set to precisely choose which activities and events to include in notifications.  When configuring the notification rule, the user will select a service to deliver the notification to, the workspace to be monitored and frequency the report should be delivered. After that, the criterion for generating the report is selected.  The AND between each section is a logical AND for example: Activity Type = Warning AND Activity Status = New / open AND activity severity = Low will trigger only when all criterion are met.  Additionally, the notification rule can be triggered by keywords.  Finally, the output can be sanitize to remove IP addresses and saved for future viewing.

The matrix below illustrates what status and severity is possible with each activity type.


Additional Configuration Details for LDAP/AD
When connected to LDAP or Active Directory, the user’s email addresses are extracted from the authentication server. They are typically stored within the LDAP/AD email field. The test button will pull the LDAP/AD information for inspection. If a field other than email is used, the field name should be added to the LDAP setup page replacing the default “email”. If the email field is missing, please contact your system administrator to have the email field added and populated for each user who wishes to receive automated notifications.

Background Tasks

The background task functions shows the status of each job spawned by a data import.  A parsing job will be spawned for each file imported.  The parsing job creates a normalized blueprint of each file ingested.  The merge job follows and combines the blueprints into the topology map.  Once the map is created, the analysis job reviews the paths against the active policies / requirements to identify infractions for review.

Next: Workspaces, Reports and Dashboards

Once configured, please proceed to the Workspaces, Reports and Dashboards section of the Knowledge Base to continue with you NP-Live onboarding journey.

Table of Contents