Skip to main content

5. Connectors and Notifications

You are here:
< All Topics

Overview

Once logged in, users will have access to the NP-Live home page on which they can manage their workspaces. See the Workspaces section for more information on using workspaces. Once one or more workspaces have been created, the user can configure automated data imports through NP-Connect and automated reporting through the Notification Manager.

NP-Connect

NP-Connect automates the secure retrieval of configuration files from firewalls, routers, switches, and network device configuration managers. NP-Connect hosts one or more connectors that securely retrieves configuration files at the specified frequency. By default, NP-Connect is accessible through HTTPS on port TCP/8443 of the NP-Live server and is isolated for security purposes.

Creating Connectors

The first time an administrator accesses NP-Connect from NP-Live (+Import Data -> New connector -> Manage connectors with NP-Connect), they are required to define a Connector group name and a secure passphrase. The Connector group name will be used to create the encrypted connector file store. Connector information is encrypted at rest and in transit using a passphrase protected PGP key. Only the connector owners know the passphrase and the passphrase is never stored. Once initiated, NP-Connect runs in the background collecting network information.  If the NP-Live server is restarted, the connector owner is required to re-authenticate and restart the connectors. Connector owners can create multiple connector groups and each will require their own login. Once created, the user can select from the list of available connectors when logging in.

The connector page contains five main options options.

  • add a new connector
  • bulk start all connectors (see bulk start parameters below)
  • bulk stop all connectors
  • delete the connector (user must be logged into the connector group to delete)
  • exit the connector group.

To add a new connector, select “+Add New Connector”  button and a list of available Devices and Network management System connectors is presented. Upon selecting the Device or Network Management System to add, the user is requested to fill in connection information. The user must enter a Connector name (no spaces), host name, and credentials.  The user can then verify the credentials are correct with the “Test access” button.  Additional information may also be required based on the connector selected.  Finally, a refresh schedule can be selected and a list of workspace the user wishes the device to be added can be input. The user can then test the connector or add the connector to complete the operation.

Note:  Workspaces must be added to the connector for data to be transferred and displayed in the workspace.  If workspaces are added after a connector is setup, data will not be sent to the workspace until the next scheduled import and a configuration change is identified.  Creating workspaces before connectors facilitates faster visualization of data.

Once the connector is added, a tile is added to the NP-Connect home page.  From the tile, the user can:

  • manually activate the connector for a one time data pull
  • run / pause the connector
  • edit the connector
  • copy the connector
  • delete the connector.

The tile banner will show in three colors:

  • red – connector failed
  • blue – connector running
  • gray – connector paused

Click the start / pause button to restart a failed or paused connector, note that a connector may take several minutes to change the banner color.

NP-Connect fails to initiate connection to outside devices

In some instances, the Linux distribution is preventing NP-Connect (Docker) from initiating connections to outside devices. The solution is to update the firewall settings on the Linux distribution using the following commands:

# firewall-cmd --zone=public --add-masquerade --permanent
# firewall-cmd --reload
# systemctl restart docker
Configuring Read-only Access to Cisco
The NP-Live Connector for Cisco uses a read-only SSH connection to collect the output of the show running-config command. It is best practice to create a dedicated read-only user on your Cisco devices when configuring NP-Connect. Here are the commands to only give the minimum permissions needed for this user:

conf t
aaa authorization command LOCAL
privilege show level 2 mode exec command running-config
privilege cmd level 2 mode exec command terminal
username $USERNAME password $PASSWORD priv 2
end
NP-Live Connector for Forescout
The NP-Live Connector for Forescout 8.1 and later enables integration between CounterACT and NP-Live such that network device configuration files managed by CounterACT can be automatically imported into NP-Live and aggregated into specific workspaces. Currently, Cisco switches are supported through the Forescout Switch Plugin.

  • Download the Forescout Extended Module for NP-Live from https://updates.forescout.com.
  • Start your Forescout Console and login into Enterprise Manager.
  • Then open “Options”, select “Modules”, and install the fpi.
  • Detailed instruction can be Found Here.

To request additional support for this connector or to request support for other devices, please contact support@network-perception.com.

NP-Connect + Samba (SMB) Access Error

When connecting NP-Connect to a Windows Server using SMB, an error message may occur.

This error can be caused by two communication scenarios between Linux and Window.  Either SMB encryption is enabled on the Server or SPN target name validation level is enabled (or both).  To check which of these features is causing the issue, Run PowerShell on the Windows Server as administrator and run the following command:

Get-SmbServerConfiguration

If EncryptData = True, it can be disabled using:

Set-SmbServerConfiguration -EncryptData 0

If SmbServerNameHardeningLevel is set to any value other than the default of 0 run:

Set-SmbServerConfiguration -SmbServerNameHardeningLevel 0 

to restore the default.

Bulks Start Parameters

To help balance the processing load of managing multiple connectors and improve user experience on the topology map, the bulk start function can be scheduled to off hours using system parameters.  The docker-compose.yml file contains two parameters for the bulk system start function in the monitor: environment: section

  • connBulkStartTime=21:00:00 # defines the start time for the connectors, format is Hours:Minutes:Seconds, 24 hour clock.
  • connBulkStartSpread=00:15:00 # defines the connector start stagger, format is Hours:Minutes:Seconds

Notification Manager

Notification manager is used to configure services and rules for generating and sending system notifications about Workspaces. Select the system menu (top right corner) and then “Notification manager to begin setup.

Configuring Notification Services

Before rules can be configured in notification manger, the administrator is required to configure at least one notification service.  Services include: e-mail, STIX/TAXII, SIEM (Syslog), and select ticketing systems.

  • SMTP configuration requires a server IP address, communication port, user id and password.  Note that a firewall port may need to be opened for NP-Live to communicate with your SMTP server.
  • Syslog configuration requires a server IP address and a communication port.
  • ServiceNow configuration requires a server address, user name and password.
  • TAXII configuration requires a server address, server port, data path and a destination collection name.

Service configuration can be found under “Notification manager -> Configure Services” tab.

Creating Notification Rules

NP-Live can automatically send information to the configured services for changes and activities impacting your workspaces. Select the system menu and then “Notification manager -> Add/Edit Rules” to setup rules. Rules can be set to precisely choose which activities and events to include in notifications.  When configuring the notification rule, the user will select a service to deliver the notification to, the workspace(s) to be monitored and frequency the report should be delivered.

After that, the criterion for generating the report is selected. Activity types include: Risk alerts, Warnings, Errors, Comments and Change events.  For each Activity type, one or more activity status can be selected.  The matrix below illustrates what status and severity is possible with each activity type.

Some notifications allow for multi selection and compounding with the AND function.  The AND between each section is a logical AND for example: Activity Type = Warning AND Activity Status = New / open AND activity severity = Low will trigger only when all criterion are met.

Additionally, the notification rule can be filtered by keywords.  Finally, the output can be sanitize to remove IP addresses and saved for future viewing.

Viewing Notification Rules and Reports

Once rules are created, they appear on the “Your Rules” tab and when rules are activated the reports display on the “Your Reports” tab if the “save for future viewing” box was checked.

Additional Email Configuration Details for LDAP/AD
When connected to LDAP or Active Directory, the user’s email addresses are extracted from the authentication server. They are typically stored within the LDAP/AD email field. The test button will pull the LDAP/AD information for inspection. If a field other than email is used, the field name should be added to the LDAP setup page replacing the default “email”. If the email field is missing, please contact your system administrator to have the email field added and populated for each user who wishes to receive automated notifications.
Table of Contents