5. Configuring NP-Connect and Notifications
Once logged in, users will have access to the NP-Live home page on which they can manage their workspaces. See the Workspaces section for more information on using workspaces.
Once one or more workspaces have been created, the user can configure automated data imports through NP-Connect and automated reporting through the Notification Manager. To access NP-Connect, open the main menu (+Import Data) and select New Connector to set up a connector group. The configuration steps for NP-Connect are:
- Create (or access) a connector group (name and password required)
- Configure device or device manager connector
- Assign workspace
- View results in workspace
NP-Connect automates the secure retrieval of configuration files from firewalls, routers, switches, and network device configuration managers. NP-Connect hosts one or more connectors that securely retrieve configuration files at a specific frequency. By default, NP-Connect is accessible through HTTPS on port TCP/8443 of the NP-Live server and is isolated for security purposes.
The first time an administrator accesses NP-Connect from NP-Live (+Import Data -> New connector -> Manage connectors with NP-Connect), they are required to define a Connector group name and a secure passphrase. The Connector group name will be used to create the encrypted connector file store. Connector information is encrypted at rest and in transit using a passphrase-protected PGP key. Only system administrators know the passphrase, and it is never stored. Once initiated, NP-Connect runs in the background collecting network information. If the NP-Live server is restarted, the administrator has to re-authenticate to re-enable the process. Users can create multiple connector groups, and each will require its own login. Once created, the user can select from the list of available connectors when logging in.
To add a new connector, select the “+Add new connector” button; a list of available Device and Network Management System connectors is presented. After selecting the Device or Network Management System to add, the user is asked to fill in the connection information. The user must enter a Connector name (no spaces), host name, and credentials. The user can then verify that the credentials are correct with the “Test access” button. Additional information may also be required depending on the connector selected. Finally, the user can select a refresh schedule and enter the list of workspaces to which the device should be added. The user can then test the connector or add the connector to complete the operation.
Note: Workspaces must be added to the connector for data to be transferred and displayed in the workspace. If workspaces are added after a connector is set up, data will not be sent to the workspace until the next scheduled import runs and a configuration change is identified. Creating workspaces before connectors facilitates faster visualization of data.
Once the connector is added, a tile is added to the NP-Connect home page. From the tile, the user can:
- Manually activate the connector for a one-time data pull
- Run / pause the connector
- Edit the connector
- Copy the connector
- Delete the connector
To delete the connector group, the user must be logged into the connector group and select delete from the top right drop-down. The tile banner is shown in one of three colors:
- Red: connector failed
- Blue: connector running
- Gray: connector paused
Click the start / pause button to restart a failed or paused connector. Note that a connector may take several minutes to change the banner color.
Configuring Notification Manager
Notification Manager is used to configure services and rules for generating and sending system notifications about Workspaces. Before rules can be configured in Notification Manager, the administrator is required to configure at least one notification service. Services include: e-mail, STIX/TAXII, SIEM (Syslog), and select ticketing systems.
- SMTP configuration requires a server IP address, communication port, user id and password. Note that a firewall port may need to be opened for NP-Live to communicate with your SMTP server.
- Syslog configuration requires a server IP address and a communication port.
- Information on configuring SPLUNK can be found here.
- ServiceNow configuration requires a server address, user name and password.
- TAXII configuration requires a server address, server port, data path and a destination collection name.
NP-Live can automatically send information to the configured services for changes and activities impacting your workspaces. Select the system menu (top right corner) and then “Notification management” to set up rules. Rules can be set to precisely choose which activities and events to include in notifications. When configuring the notification rule, the user selects a service to deliver the notification to, the workspace to be monitored, and the frequency at which the report should be delivered. After that, the criteria for generating the report are selected. The AND between each section is a logical AND. For example, Activity Type = Warning AND Activity Status = New / open AND Activity Severity = Low will trigger only when all criteria are met. Additionally, the notification rule can be triggered by keywords. Finally, the output can be sanitized to remove IP addresses and saved for future viewing.
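The following added example (not NP-Live code) models the AND logic between rule sections and a sanitized report over constructed activity records. The field names, the sample activities and the placeholder scheme (IP-1, IP-2, ...) are assumptions made for illustration; NP-Live's own sanitized output format is not described on this page.

```python
import ipaddress
import re

# Constructed sample activities; field names are assumptions, not NP-Live's schema.
ACTIVITIES = [
    {"type": "Warning", "status": "New / open", "severity": "Low",
     "text": "Rule permits 10.1.2.3 to reach 192.168.50.10 on tcp/502"},
    {"type": "Warning", "status": "New / open", "severity": "High",
     "text": "Any-to-any rule on fw-edge-01"},
    {"type": "Warning", "status": "Resolved", "severity": "Low",
     "text": "Unused object group removed"},
]

# The rule from the text: every section must match (logical AND).
RULE = {"type": "Warning", "status": "New / open", "severity": "Low"}

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def matches(rule, activity):
    """True only when every section of the rule matches the activity."""
    return all(activity[field] == wanted for field, wanted in rule.items())


def sanitize(text):
    """Replace each valid IPv4 address with a placeholder.

    The same address always maps to the same placeholder within one text,
    so a reader can still tell which endpoints are identical.
    """
    seen = {}

    def repl(match):
        candidate = match.group(0)
        try:
            ipaddress.IPv4Address(candidate)
        except ValueError:
            return candidate  # dotted number that is not an address stays
        return seen.setdefault(candidate, f"IP-{len(seen) + 1}")

    return _IPV4.sub(repl, text)


def build_report(rule, activities, sanitized=True):
    """Return the text of every matching activity, optionally sanitized."""
    hits = [a for a in activities if matches(rule, a)]
    return [sanitize(a["text"]) if sanitized else a["text"] for a in hits]


if __name__ == "__main__":
    for line in build_report(RULE, ACTIVITIES):
        print(line)
```

Only the first sample activity satisfies all three sections; the High severity and Resolved records are excluded because a single non-matching section is enough to suppress the notification.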
The matrix below illustrates what status and severity is possible with each activity type.
The background task function shows the status of each job spawned by a data import. A parsing job is spawned for each file imported. The parsing job creates a normalized blueprint of each file ingested. The merge job follows and combines the blueprints into the topology map. Once the map is created, the analysis job reviews the paths against the active policies / requirements to identify infractions for review.
Next: Workspaces, Reports and Dashboards
Once configured, please proceed to the Workspaces, Reports and Dashboards section of the Knowledge Base to continue with your NP-Live onboarding journey.