Knowledge Base

Getting Started

Configuring NP-View Server

Getting Started

Once NP-View Server is installed, the application will start automatically. Note that NP-Live has been rebranded to NP-View Server. Several of the instructions still refer to NP-Live while we migrate the installation services to the new product names.

If the Linux Administrator wishes to start and stop the application, two helper scripts have been included to aid in these tasks:

  • Stop : sudo /opt/np-live/stop_NP-Live.sh
  • Start : sudo /opt/np-live/start_NP-Live.sh

NP-View Docker IP Conflict

If NP-View Docker is using IP addresses that conflict with addresses used on the local area network, the IP addresses used by Docker can be changed as follows:

Create a docker network with the subnet you would like to use:
sudo docker network create --driver overlay --subnet x.x.x.x/x NP-Live_external

Navigate to the np-live install directory (default /opt/np-live):
cd /opt/np-live

Add the following config to local-settings.yml (indent with spaces exactly as shown; YAML does not accept tabs for indentation):
networks:
  NP-Live_external:
    external: true

Replace all instances of the default network in docker-compose.yml to NP-Live_external:
sudo sed -i 's/- default$/- NP-Live_external/g' docker-compose.yml

Stop and start the app:
sudo sh ./stop_NP-Live.sh && sudo sh ./start_NP-Live.sh

Note: docker commands (and the start/stop NP-Live scripts) require sudo unless you are the root user or your user is a member of the docker group.
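The subnet you pass to docker network create is the part of this procedure that is easiest to get wrong, so here is an added example (not NP-View's own code) that checks a candidate Docker subnet against the LAN prefixes it must not overlap, builds the create command from a validated prefix, and performs the same "- default" to NP-Live_external rewrite the sed command above does on the compose text, so the result can be inspected before the file is touched. The compose text and LAN prefixes are constructed samples.

```python
"""Added example, not NP-View's own code: pre-check a Docker subnet against the
LAN and rewrite the '- default' network entries of docker-compose.yml in memory.
The compose text and the LAN prefixes below are constructed samples."""
import ipaddress
import re
from typing import List, Tuple


def conflicting_lan_subnets(candidate: str, lan_subnets: List[str]) -> List[str]:
    """Return every LAN prefix that overlaps the candidate Docker subnet.

    An empty list means the candidate is safe to use for NP-Live_external.
    strict=True rejects a prefix with host bits set (e.g. 10.200.1.5/16)."""
    cand = ipaddress.ip_network(candidate, strict=True)
    return [s for s in lan_subnets
            if ipaddress.ip_network(s, strict=False).overlaps(cand)]


def docker_network_create_command(subnet: str, network_name: str = "NP-Live_external") -> str:
    """Build the 'docker network create' command from the procedure, after validating the subnet."""
    net = ipaddress.ip_network(subnet, strict=True)
    return f"sudo docker network create --driver overlay --subnet {net} {network_name}"


# Matches a compose list entry that is exactly 'default' (what sed 's/- default$/.../' targets)
_DEFAULT_ENTRY = re.compile(r"^(\s*-\s*)default\s*$")


def rewrite_default_network(compose_text: str, network_name: str = "NP-Live_external") -> Tuple[str, int]:
    """Replace each '- default' entry with '- <network_name>'; returns (new_text, lines_changed)."""
    changed, out = 0, []
    for line in compose_text.split("\n"):
        m = _DEFAULT_ENTRY.match(line)
        if m:
            line = f"{m.group(1)}{network_name}"
            changed += 1
        out.append(line)
    return "\n".join(out), changed


# Constructed sample in the shape of a docker-compose.yml services section
COMPOSE_SAMPLE = """version: '3.4'
services:
  webserver:
    networks:
      - default
  manager:
    networks:
      - default
      - backend
networks:
  backend: {}
"""

if __name__ == "__main__":
    lan = ["10.200.5.0/24", "192.168.1.0/24"]          # constructed LAN prefixes
    print("conflicts:", conflicting_lan_subnets("10.200.0.0/16", lan))
    print(docker_network_create_command("10.250.0.0/24"))
    text, n = rewrite_default_network(COMPOSE_SAMPLE)
    print(f"{n} entries rewritten\n{text}")
```

Run the overlap check with every prefix in use on the LAN (including VPN and management ranges), not only the subnet of the NP-View host itself, since an overlay subnet that collides with any routed network will silently blackhole traffic to it from inside the containers.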

Version mismatched between two compose files : 3.4 and 3.1

When starting NP-View Server, if this error is received, the version number in /opt/np-live/local-settings.yml needs to be at “version: ‘3.4’”. If it is not at version 3.4, replace the contents of the local-settings.yml file with the code listed in the Setting the NP-Live Virtual Appliance Time Zone section and set your application time zone accordingly. This file is sticky and will remain after future upgrades. After the update, start the server using the start script above.

Upon initial start, the Welcome screen shows the configuration wizard to guide the Administrator through the remaining configuration steps which include:

  1. Authentication
  2. Licensing
  3. Users

Configure Authentication

The following authentication options are available to configure in NP-View Server.

  • Active Directory / LDAP
  • Radius
  • Local

Active Directory or LDAP

For Active Directory or LDAP authentication we use LDAPv3 with TLS (StartTLS) over port 389. If the TLS negotiation returns an exception, we fall back to unencrypted communication on the same port. We do not support LDAPS (TLS on port 636). Before starting, note that setup requires a dedicated Credential Binding Account (LDAP Administrator). The Credential Binding Account must be a member of at least one of the system groups for NP-View Server to query and link the users.

An example of a properly configured LDAP screen on NP-View is below:

The setup page allows the definition of three system groups, each identified by a Distinguished Name. A Distinguished Name (often referred to as a DN or FDN) is a string that uniquely identifies an entry in the Directory Information Tree. The format of a DN is CN=groupname,OU=grouptype,DC=subdomain,DC=example,DC=com. Your domain needs to match the DC components specified in your DN: for the example DN above, the domain would be ‘subdomain.example.com’.

For example:

ldap_group_admin = 'CN=NP-Live Admin, OU=Permissions, DC=ad, DC=np, DC=test'
ldap_group_write = 'CN=NP-Live WorkspaceAdmin, OU=Permissions, DC=ad, DC=np, DC=test'
ldap_group_read = 'CN=NP-Live Viewer, OU=Permissions, DC=ad, DC=np, DC=test'

group_translation = {'Administrator' : ldap_group_admin,
'WorkspaceAdmin' : ldap_group_write,
'Viewer' : ldap_group_read}

Reminder: The three CN names must be unique, or roles will overlap in NP-View and features will be disabled.

To find the DN on Windows, open a Windows command prompt on your Active Directory server and type the command: dsquery group -name "known group name".
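The two conditions stated above (the domain must match the DC components of each DN, and the three CN values must be unique) can be checked before the values are typed into the setup page. The following is an added example, not NP-View's own code: a small RFC 4514-style DN parser, a helper that derives the domain from the DC components, and a check over the role-to-group mapping. The group DNs are the sample values from this page; the escaped-comma test value is constructed.

```python
"""Added example, not NP-View's own code: parse LDAP Distinguished Names and
validate the three NP-View group DNs (domain match, unique CNs)."""
from typing import Dict, List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=a, OU=b, DC=c' into [('CN','a'), ('OU','b'), ('DC','c')].

    Backslash-escaped characters (RFC 4514, e.g. 'CN=Smith\\, John') are kept as
    literal characters of the value; spaces around each RDN are trimmed, so the
    'DC=ad, DC=np' spelling used on this page parses the same as 'DC=ad,DC=np'."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True            # next character is literal
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        parsed.append((attr.strip().upper(), value.strip()))
    return parsed


def domain_from_dn(dn: str) -> str:
    """Join the DC components: DC=ad,DC=np,DC=test -> 'ad.np.test'."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


def check_group_dns(groups: Dict[str, str], expected_domain: str) -> List[str]:
    """Return the problems found in a role -> group DN mapping ([] means usable)."""
    problems: List[str] = []
    cn_owners: Dict[str, List[str]] = {}
    for role, dn in groups.items():
        parts = parse_dn(dn)
        cns = [value for attr, value in parts if attr == "CN"]
        if not cns:
            problems.append(f"{role}: DN has no CN component")
            continue
        cn_owners.setdefault(cns[0].lower(), []).append(role)
        domain = domain_from_dn(dn)
        if domain.lower() != expected_domain.lower():
            problems.append(f"{role}: DN domain {domain!r} does not match {expected_domain!r}")
    for cn, roles in cn_owners.items():
        if len(roles) > 1:
            problems.append(f"CN {cn!r} is shared by roles {roles}; the roles would overlap")
    return problems


# The three group DNs from this page, keyed by NP-View role
GROUP_DNS = {
    "Administrator": "CN=NP-Live Admin, OU=Permissions, DC=ad, DC=np, DC=test",
    "WorkspaceAdmin": "CN=NP-Live WorkspaceAdmin, OU=Permissions, DC=ad, DC=np, DC=test",
    "Viewer": "CN=NP-Live Viewer, OU=Permissions, DC=ad, DC=np, DC=test",
}

if __name__ == "__main__":
    print("domain:", domain_from_dn(GROUP_DNS["Administrator"]))
    print("problems:", check_group_dns(GROUP_DNS, "ad.np.test"))
```

A CN comparison is done case-insensitively here because Active Directory matches names without regard to case; two groups that differ only in case would still collapse into one role in NP-View.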

Users assigned to NP-View must login once to get setup within the NP-View database for sharing and transferring of workspaces.  No users exist until after the first login.

Troubleshooting Active Directory Setup

If an error is returned when configuring Active Directory, the steps to troubleshoot are:

Step 1: From your Active Directory server, type the command below in a terminal after replacing the “CN=…” portion with the Distinguished Name of the group you’d like to check:

dsget group "CN=groupname,OU=grouptype,DC=subdomain,DC=example,DC=com" -members

Verify that the output shows the expected list of user(s) in that group. If it doesn’t, check your Active Directory group and user configuration.

Step 2: From your Active Directory server, type the command below in a terminal after replacing the “CN=…” portion with the Distinguished Name of the group you’d like to check, and also replacing USERNAME with your actual username:

dsquery * -Filter "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=groupname,OU=grouptype,DC=subdomain,DC=example,DC=com)(sAMAccountName=USERNAME))"

If the output is empty, verify that your user in Active Directory has the attribute sAMAccountName set. If not, set it and try the command again. Verify also that the sAMAccountName value matches your AD username value. You can also try to enter the username in the NP-View Active Directory configuration form with the format USERNAME@DOMAIN.

If the output shows the expected list of groups for that user, but NP-View still generates an error, then contact the NP support team.

Radius

Radius authentication requires your server address and secret. Once input, the user can test their connection using their personal login credentials for verification.  Note that for Radius authentication, all users are assigned to the Administrator group.

Welcome: How would you like to authenticate users

Local Authentication

NP-View Server provides an internal mechanism for the administration of users. During setup, the screen will require the user to set up the Administration account by entering a user ID and password. This account will be assigned to the Administrator role and will have access to all system features. An example of a properly configured Local Auth screen on NP-View is below:

User Management

NP-View Server provides a User Management function for users assigned to the Administrator role. It can be accessed in the user menu at the top right of the screen, either on the workspace page or from within a workspace.

User Management – Active Directory or LDAP

Clicking User Management will open a window that shows the LDAP setup information. The left half of the screen allows the user to change the NP-View LDAP settings.  LDAP Auth credentials are required to update the information.  The optional email field override is used as the default email address for the Notification Manager if no email address is provided as part of the LDAP credentials.

The right half of the user management screen allows for the testing of each LDAP user and will retrieve their LDAP settings for review.

User Management – Local Authentication

Clicking User Management will open a window that shows the user related information associated with this account, their account details, and their account permissions.

From this window Administrators can edit (pencil icon), delete (x icon) or add user accounts (create new user button).

A user’s ID should be the user’s email address (this will be used for notifications), with an administrator-defined password. Each user will need to be assigned to a role, which provides the user with system-wide access:

  1. Administrator – Has access to all users, workspace and system administration functions including managing users and license functions.
  2. WorkspaceAdmin – Has access to all workspace administration functions.
  3. Viewer – Has read only access to the system.

Reset Authentication

The Administrator can also reset the authentication method entirely by selecting the “Reset authentication system” link. “Reset authentication” only resets the authentication and does not remove any workspaces or data. Note that workspaces are assigned to user IDs. If the authentication method (or user ID format) is changed, the workspaces will no longer be available to users. The administrator or workspace admin must use the transfer workspace function to assign the legacy workspaces to the new user IDs.

Password Reset

  • Workspace Admin or Viewer user groups:  Contact your Administrator who can manually reset your password through the User Management function on the system menu (upper right corner).
  • Admins: connect through SSH to the NP-View server and remove the file db/auth_provider.cfg inside the NP-View application folder (by default: /opt/np-live).
  • Refresh the NP-View web page to show the Welcome screen and reconfigure the authentication.

License and Terms

The Administrator can Show, Upgrade or Renew their license. Licensing terms and legal disclosures are available from the system menu where user management is found.

Configure License Key

After the authentication, the Welcome screen will guide the Administrator through reviewing the EULA and adding the license key. The license key should have been sent to you by email and also posted on the Network Perception portal. If you haven’t received a key, please send a request to support@network-perception.com. Renewed or upgraded license keys can only be installed from the home screen (not from within a workspace) by members of the Administrator group.

Additional Configuration Features

Configure Automatic Updates

NP-View Server can automatically download new releases and update itself if you select “Automatically check for updates”.  Alternatively, you can select “Update NP-View” from the upper right menu or update offline using the following steps:

  1. Download the latest release from the Network Perception portal.
  2. Copy the release file to the NP-View Server using SCP or WinSCP
  3. Connect to the NP-View Server shell using SSH and execute the release file with the command sudo sh NP-View_server_installer.sh

Configure Shutdown and Startup Options

To speed performance on startup, NP-View terminates background processes that are running when the system is gracefully shutdown and clears out all tasks and jobs.  If any processes remain upon startup, they are also terminated. To change the configuration,

  • stop the NP-View Server application.
  • in the docker-compose.yml file for the manager change cancelTasksStartup=True to cancelTasksStartup=False
  • in the docker-compose.yml file for the manager change clearRqStartup=True to clearRqStartup=False Note that the previous setting must also be set to True for this operation to work.
  • start the NP-View Server application.

Configure User Timeout

The system can be configured to automatically time out a user after a period of idle days. The default is set to 30 days. To change the configuration,

  • stop the NP-View Server application.
  • in the docker-compose.yml file for the webserver\environment service, change sessionLengthDays=30 to any positive floating point number representing elapsed days. For Example:
    • 0.5 = 12 hrs
    • 1.5 = 36 hours
    • 30 = 720 hrs.
    • If set to 0, user timeout will default to 30 minutes.
  • start the NP-View Server application.

Timeout for connectors is 1 day and cannot be changed. Also, the timeout value is not static and will be overwritten by the next software update. Prior to restarting after an update, the timeout needs to be reset to the value of choice.

Configure Devices within a Custom View

The system can be configured to allow for more devices within a custom view.  The default is set to 25 devices. To change the configuration:

  • stop the NP-View Server application.
  • in the docker-compose.yml file for the
    • services : manager : environment, change devCountLimit=25 to a positive integer.
    • services : bgmanager : environment, change devCountLimit=25 to a positive integer.
    • services : webserver : environment, change devCountLimit=25 to a positive integer.
  • start the NP-View Server application.

Note: The limit is not static and will be overwritten by the next software update. Prior to restarting after an update, the limit needs to be reset to the value of choice. Note: NP has only tested the system to the default limit. Raising the limit is at the user’s risk as unintended consequences including data loss and the system exhausting system resources may occur.
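The three procedures above (shutdown and startup options, user timeout, device limit) all come down to editing KEY=VALUE entries under a service's environment list in docker-compose.yml, and both notes warn that a software update overwrites the file. The following is an added example, not NP-View's own code, that edits those entries in memory and, more usefully, reports which of your chosen values have drifted so you can re-check the file after an update and before starting the server again. The compose text is a constructed sample in the list form this page uses (KEY=VALUE); the mapping form (KEY: value) is not handled, and sessionLengthDays=0 is treated as the 30-minute default the page describes.

```python
"""Added example, not NP-View's own code: get/set '- KEY=VALUE' environment
entries per service in docker-compose.yml text and detect drift after updates."""
import re
from typing import Dict, Iterator, List, Optional, Tuple

# A YAML mapping key line: captures indentation and key name
_KEY_LINE = re.compile(r"^(\s*)([A-Za-z_][\w.-]*):(\s.*|)$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _env_line_indices(lines: List[str], service: str) -> Iterator[int]:
    """Yield indices of '- KEY=VALUE' lines under services.<service>.environment."""
    in_services = in_service = in_env = False
    services_indent = service_indent = env_indent = 0
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        ind = _indent(line)
        if in_env:
            if ind >= env_indent and stripped.startswith("- "):
                yield i
                continue
            in_env = False                      # a sibling key ends the list
        if in_service and ind <= service_indent:
            in_service = False                  # next service or top-level key
        if in_services and ind <= services_indent:
            in_services = False
        m = _KEY_LINE.match(line)
        if not m:
            continue
        key = m.group(2)
        if not in_services:
            if ind == 0 and key == "services":
                in_services, services_indent = True, ind
        elif not in_service:
            if ind > services_indent and key == service:
                in_service, service_indent = True, ind
        elif ind > service_indent and key == "environment":
            in_env, env_indent = True, ind


def _entry_pattern(key: str):
    return re.compile(r"^(\s*-\s*)" + re.escape(key) + r"=(.*)$")


def get_compose_env(text: str, service: str, key: str) -> Optional[str]:
    """Current value of KEY for the service, or None if the entry is absent."""
    lines, pat = text.split("\n"), _entry_pattern(key)
    for i in _env_line_indices(lines, service):
        m = pat.match(lines[i])
        if m:
            return m.group(2).strip()
    return None


def set_compose_env(text: str, service: str, key: str, value: str) -> Tuple[str, int]:
    """Rewrite '- KEY=old' to '- KEY=value' for the service; returns (text, lines_changed)."""
    lines, pat, changed = text.split("\n"), _entry_pattern(key), 0
    for i in _env_line_indices(lines, service):
        m = pat.match(lines[i])
        if m:
            lines[i] = f"{m.group(1)}{key}={value}"
            changed += 1
    return "\n".join(lines), changed


def apply_settings(text: str, desired: Dict[Tuple[str, str], str]) -> str:
    """Apply every (service, key) -> value; fail loudly if an entry is missing."""
    for (service, key), value in desired.items():
        text, changed = set_compose_env(text, service, key, value)
        if changed == 0:
            raise KeyError(f"services.{service}.environment has no {key}= entry")
    return text


def drifted_settings(text: str, desired: Dict[Tuple[str, str], str]) -> Dict[Tuple[str, str], Optional[str]]:
    """Entries whose current value differs from the desired one ({} means nothing to redo)."""
    return {(s, k): get_compose_env(text, s, k)
            for (s, k), v in desired.items() if get_compose_env(text, s, k) != v}


def session_timeout_minutes(session_length_days: float) -> float:
    """sessionLengthDays expressed in minutes; 0 means the 30-minute default."""
    return 30.0 if session_length_days == 0 else session_length_days * 24 * 60


# Constructed sample with the defaults named on this page (image names are placeholders)
COMPOSE_SAMPLE = """version: '3.4'
services:
  manager:
    image: placeholder/manager   # constructed
    environment:
      - cancelTasksStartup=True
      - clearRqStartup=True
      - devCountLimit=25
  bgmanager:
    environment:
      - devCountLimit=25
  webserver:
    environment:
      - sessionLengthDays=30
      - devCountLimit=25
    networks:
      - default
"""

# The values an administrator chose; re-check these after every software update
DESIRED = {
    ("manager", "cancelTasksStartup"): "False",
    ("webserver", "sessionLengthDays"): "1.5",     # 36 hours
    ("manager", "devCountLimit"): "40",
    ("bgmanager", "devCountLimit"): "40",
    ("webserver", "devCountLimit"): "40",
}

if __name__ == "__main__":
    print("drift before:", drifted_settings(COMPOSE_SAMPLE, DESIRED))
    tuned = apply_settings(COMPOSE_SAMPLE, DESIRED)
    print("drift after:", drifted_settings(tuned, DESIRED))
```

Keep DESIRED under version control next to your notes on why each limit was raised; drifted_settings() run against the freshly installed docker-compose.yml is then the whole post-update check, and an empty result means the server can be started.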

Configure A Static IP Address on your Linux Server

To set a static IP address for your NP-View Server, follow the instructions in this document.

Updating NP-View Server

This section describes how to update the NP-View Server application and the underlying components if the OVF was used for the initial installation.

Updating the NP-View Server Application

To update an existing NP-View Application, the steps are:

  1. Download the latest release Linux Installer Release (not the .OVF) from the Dragos Portal and copy it onto your NP-view server using SCP (or WinSCP from a Windows client)
  2. Login onto the NP-View server using SSH (or Putty from a Windows client)
  3. Get root permissions using the command: sudo -i
  4. Prior to installing the new version, it is recommended to make a backup of your database (see below)
  5. Execute the new NP-View release file using the command: sh NP-View_installer.sh  (where NP-View_installer.sh is the name of the new release file downloaded in step 1).
  6. Follow the guided steps of the installer, which will automatically start NP-View once the update is complete.
  7. Connect to the user interface of NP-View using your web browser and check in the bottom-left corner of the home page that the version number matches the new release

Updating the NP-View Application to version 5 and above

Prerequisites

  • Please update your current version of NP-View to version 4.3.5. Both Server and Desktop must be on this version before starting your upgrade.

For NP-View Server:

  • Verify there is sufficient disk space for the upgrade (3x size of Redis db).
  • If not follow log cleanup procedure listed in KB (~250MB possible).
  • If still insufficient space, disk space will need to be added before upgrade.
  • Verify all users are logged out of the system to not lose data during update.

Back-Up NP-View database

NP-View Desktop

  1. Copy the 4.3.5 database folder to a safe location. This will allow you to keep a 4.3.5 backup in case you want to revert to 4.3.5.
    • C:\Users\<name>\AppData\Roaming\NP-View\db
  2. Download NP-View from the portal and install.
  3. Starting the application may take longer than usual as a one-time database maintenance operation is being performed.

NP-View Server

Option 1:

  1. SSH as the root user to Terminal of NP-View server
    • ssh root@<ip-of-guest-os>
    • If needed sudo -i or sudo su will give you admin privileges once you are logged in.
  2. Move to the NP-View (np-live) app directory
    • cd /opt/np-live
  3. Stop NP-View
    • sh ./stop_NP-Live.sh
  4. The db directory contains all of the NP-View data. Create a tarball of the directory
    • tar -czf np-view-v4.3.5-db-backup.tar.gz db
  5. Move the file to a safe location.
    • Note: This file will allow you to revert back to 4.3.5.

Option 2 (This option is only available if your server is a VM):

  • Your server admin can take a snapshot image of the server as a restore instance. This tends to be easier and quicker for most of the customers that we have worked with.

Once you have a backup and have updated to 4.3.5, please download version 5+ and follow the instructions listed in the above section "Updating the NP-View Server Application".

NP-View Server Migration

Prerequisites

  • Follow the instructions above to update the NP-View CentOS server to the latest NP-View version.
  • Create a VM using the latest version of the NP-View Server OVF.
  • Both Servers need to be running to perform the migration.
  • Users should be logged out of NP-View and have closed any active sessions before restoring.

CentOS Migration to Ubuntu for NP-View Server

  1. Use the backup and restore script.
    • sudo -i (This should take you to the root folder)
      • Enter credentials if prompted.
    • To run shell script: /opt/NP-Live/NP-View_backupand_restore.sh
      • There will be 3 options when using the script.
        • Backup
        • Restore
        • Exit
    • The script will check disk space when creating the backup.
    • The script will notify you if the storage is full and stop running.
  2. Move the CentOS tar file to the Ubuntu server’s root directory.
    • sudo -i (This should take you to the root folder)
    • Enter credentials if prompted.
    • To run shell script: /opt/NP-Live/NP-View_backupand_restore.sh
      • Select restore
      • The script gives a final warning before running.
      • The script checks if the docker containers are running.
  3. Once the script is completed it will notify you.
    • Connect to the web interface and verify data is transferred.
    • If you are unable to connect to the web interface restart NP-View service once the upgrade is complete.

Get Version API call

To check the version, browse to the following URL on your server:

https://<np-view_server_address>/version

Backing up the NP-View Server Database Manually

  1. Stop the NP-View Server (you can use the script /opt/np-live/stop_NP-Live.sh)
  2. From the NP-View Server folder (by default: /opt/np-live/), run the command: tar -zcf db_backup_$(date '+%Y_%m_%d').tgz db (this command may take a few minutes to complete)
  3. Run the new release installer, which will update the containers and then launch NP-View Server
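Both backup procedures on this page (the Option 1 tarball before the version 5 upgrade and the manual tar command just above) stop at creating the archive. Before an upgrade you also want proof that the archive is complete and readable, so here is an added example, not NP-View's own code, that creates the same db_backup_YYYY_MM_DD.tgz archive from Python and then compares every file inside it against the on-disk db tree by SHA-256. The demo builds a constructed db/ tree in a temporary directory; against /opt/np-live it must only run with NP-View stopped, as the procedure requires, since a live Redis database changes under the archiver.

```python
"""Added example, not NP-View's own code: create the db backup tarball and
verify it file by file against disk before running the upgrade."""
import hashlib
import tarfile
import tempfile
from datetime import date
from pathlib import Path
from typing import Dict, Optional


def backup_db(app_dir: Path, today: Optional[date] = None) -> Path:
    """Create <app_dir>/db_backup_YYYY_MM_DD.tgz containing the db/ tree."""
    today = today or date.today()
    archive = app_dir / f"db_backup_{today:%Y_%m_%d}.tgz"
    with tarfile.open(archive, "w:gz") as tar:
        # arcname="db" stores paths relative to app_dir, as running tar from /opt/np-live does
        tar.add(app_dir / "db", arcname="db")
    return archive


def _sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(archive: Path, app_dir: Path) -> Dict[str, object]:
    """Compare every regular file inside the archive with its on-disk copy.

    Returns {'files': count archived, 'mismatched': [...], 'missing': [...]};
    'missing' lists db files on disk that never made it into the archive."""
    on_disk = {p.relative_to(app_dir).as_posix(): p
               for p in (app_dir / "db").rglob("*") if p.is_file()}
    archived, mismatched = set(), []
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            archived.add(member.name)
            digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            disk = on_disk.get(member.name)
            if disk is None or digest != _sha256_file(disk):
                mismatched.append(member.name)
    return {"files": len(archived),
            "mismatched": sorted(mismatched),
            "missing": sorted(set(on_disk) - archived)}


def demo_backup_and_verify() -> Dict[str, object]:
    """Build a constructed db/ tree in a temp dir, back it up, verify, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = Path(tmp)                                   # stands in for /opt/np-live
        (app_dir / "db" / "redis").mkdir(parents=True)
        (app_dir / "db" / "redis" / "dump.rdb").write_bytes(b"constructed redis snapshot")
        (app_dir / "db" / "auth_provider.cfg").write_text("constructed auth config\n")
        archive = backup_db(app_dir, date(2024, 7, 1))
        report = verify_backup(archive, app_dir)
        report["archive"] = archive.name
        return report


if __name__ == "__main__":
    print(demo_backup_and_verify())
```

A non-empty mismatched or missing list means the archive was taken while the database was still being written or the disk filled up mid-archive; either way, stop the server and take the backup again rather than proceeding with the installer.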

Updating Linux Ubuntu and Docker

(Version 5 and up installation with the OVF)

We will be providing update packages for Ubuntu and Docker. Please go to the following page for more information:

https://www.network-perception.com/kb/ubuntu-and-docker-update-packages

Updating Linux CentOS Ubuntu and Docker

CentOS is now EOL as of June 30, 2024. We highly recommend that customers transition to Ubuntu.

If the OVF was used for the initial installation, that package included the CentOS 7 operating system and Docker. These applications must be updated separately from the NP-View Server Application using the below instructions. The instructions cover NP-View Servers that have internet access and those that do not have internet access.

Updating when the NP-View server has internet access:

– stop NP-View
cd /opt/np-live/
./stop_NP-Live.sh

– run all updates
yum update -y

– reboot server
reboot

Updating when the NP-View server does not have internet access:

If the NP-View server is installed in an environment that does not have internet access, a separate CentOS 7 server with Docker that has internet access is required to create the update package. All commands below are case sensitive.

Network-Perception uses this mirror for CentOS updates and this mirror for Docker updates

On the CentOS 7 server that is online:

– make sure you are root
sudo su -

– create packages directory
cd /root/
mkdir packages
cd packages

– download all packages
yum list installed | awk {'print $1; }' | tail -n +3 | xargs yumdownloader

– you should see docker included in the output list.

– compress archive (capital -C is important)
tar czf /root/packages.tar.gz *.rpm -C /root/packages/

– Copy packages.tar.gz to the offline server. The user can use the below command to scp:
scp packages.tar.gz root@ipAddress:/root/

On the offline CentOS 7 server running NP-View:

– make sure you are root
sudo su -
– stop NP-View
cd /opt/np-live/
./stop_NP-Live.sh

– create directory and extract the archive
cd /root/
mkdir packages/
mv packages.tar.gz packages/
cd packages/
tar -xf packages.tar.gz

– install all updates:
yum -y localinstall *.rpm

– reboot server
reboot

– now everything is up to date on the offline server.

If you get any docker swarm errors:

– make sure you are root
sudo su -

– leave and join swarm cluster
docker swarm leave --force && docker swarm init

Product Tutorials

1. Network Mapping

Network mapping provides the Networking Team (Network Engineer, Network Security) with capabilities that allow users to:

  • Visualize an accurate topology of the network architecture
  • Identify and label critical cyber assets and critical network zones
  • Easily review which devices are protecting which network zones

Visualize Topology

NP-View can be used to discover your network topology and the underlying control plane, including layer-2 and layer-3 configurations. Without leaving the topology map, you can review many aspects of the network’s design including Firewalls, Routers, Switches, Gateways, Networks, VPNs, Hosts and more.

Critical Assets and Zones

Each asset can be tagged with categories and criticalities as well as grouped into zones making it easy to review which devices are protecting which network zones.

Details On-demand

Selecting a node in the topology map will interactively display an information panel with detailed data about that node.

2. Firewall Ruleset Review

Firewall ruleset review provides Network Engineers, Network Security, and Compliance Analysts with functionality for:

  • Easy review of firewall access rules and object groups using the Access Rules and Object Groups reports.
  • Automatic identification of configuration risks using the Risks and Warnings report.
  • Validating recent policy modifications as part of a configuration change review process using the Change Tracking report.

How to Review Access Rules

An independent review of firewall policies has to be conducted periodically to ensure that network access rules are correctly implemented and documented. This is important because a lack of access rule review leads to unexpected network access vulnerabilities.

  • Frequency: each time firewall policies are changed, and at least once a quarter
  • How to do it:
    • Step 1: given a workspace populated with network device configurations, open the Access Rule table from the main menu (top left)
    • Step 2: leverage the “Column Search” feature or the “Compare” feature to show the rules in scope of your verification
      • For instance, filter the “Device” column to only show rules for a specific device, or filter the “Binding (ACL)” column to only show rules bound to a specific interface, or use the “Compare” feature to only show rules added or removed recently
    • Step 3: review values for the source, destination, service, binding, risk, and description of each rule in scope
      • The “Description” column captures comment, description, or justification from the device configuration
      • The “Risk” and “Risk Criticality” columns are populated by NP-View during the automated risk analysis
    • Step 4: to identify rules that are not justified, sort the table by “Description”. Empty values will be shown at the bottom.
    • Step 5: to document your review process, double click on the “Comment” or “Comment Status” cells to add your own comment. The comment status can be either “Verified” or “To Review” or “To Revise”
    • Step 6: to save an evidence of your review process, export the table to Excel using the export options in the top right corner of the table

Access Rules Table

The Access Rules report provides the users with complete details on each Access Rule with the ability to add justifications and actions.

Object Groups

The Object Groups report provides the users with complete details on each Object Group with the ability to add justifications and actions.

Risks and Warnings

As modifications are made to the network, the Network Perception default Policies and Requirements identify potential risks.  The Risks and Warnings report provides the users with a summary of the potential risks and their criticality with the ability to add actions and comments.

Change Tracking

As modifications are made to the network and the updated configuration files are imported, the changes are logged in the Change Tracking table.

3. Segmentation Verification

Segmentation verification provides the Networking Team and Audit Team with capabilities that allow users to:

  • Assess correctness of network segmentation
  • Identify risky network connectivity paths
  • Understand exposure of vulnerable assets

Network Segmentation Accuracy

NP-View can be used to verify the accuracy of your network segmentation.

The connectivity matrix which is available from the device info panel can be used to verify open ports between devices.

Inbound and outbound connections can be verified for each network using the highlight paths function.

Identifying Risky Connectivity Paths

Using industry best practices, Network Perception automatically identifies potential risks related to network configurations. Using the Network Perception Connectivity Path analysis, the user can review each of the highlighted risks and make a judgment on action.


Exposure of Vulnerable Assets – Vulnerability Analytics

NP-View provides your security team with a single pane of glass for reviewing network vulnerability exposure. With the addition of scanner data or data from a vulnerability data service, vulnerabilities can be tracked across your network.

Topology Display of Vulnerabilities

When scanned data has been added to a workspace, and a topology view is built that also includes that scan data, nodes on the topology of that view will be marked with a shield indicating the presence of vulnerabilities.

These shields can be toggled on and off using the topology settings menu.

Device Panel Display of Vulnerabilities

Firewalls, Gateways, and Hosts may contain vulnerability and service information imported from scans. Clicking on any of these nodes in a View that contains vulnerability information will display it in the info panel that opens over the main menu.

Clicking on the Vulnerabilities link will present a pop out with the vulnerability details.

4. Audit Assistance

Performing a regular review of your compliance metrics is important for your organization.  Performing the review manually is time consuming and tedious. Audit assistance provides the Compliance Team (Auditor, Compliance Officer, Compliance Analyst, and Consultants) with capabilities that allow users to:

  • Verify compliance with cybersecurity regulations and best practices through Policy Review.
  • Seamlessly store evidence for compliance review with Change Tracking.
  • Easily prepare compliance reports using the Audit Assistants listed below:

Workspace Report (Standard)

The Workspace Report assistant is available within each workspace and will generate a report for a specific view that includes detailed information about configuration files that were imported and parsed including:

  • Configuration assessment report including risk alerts
  • Ports and Interfaces
  • Access rules
  • Object groups
  • Path analysis

Industry Best Practice (Premium)

The Best Practice assistant requires a license to activate. This report is available within each workspace to generate a report for a specific view that includes the following topics:

  • Parser Warnings and potential misconfigurations
  • Unused Object Groups
  • Access Rules missing a justification
  • Unnamed nodes
  • NP Best Practice Policies on access rules and CIS Benchmarks that have identified potential risks
  • ACLs with no explicit deny-by-default rule

NERC CIP Compliance (Premium)

The NERC CIP assistant requires a license to activate this function and guides the user through the steps required to create a report covering CIP-005 requirements. The NERC CIP audit assistant is only available within a NERC-CIP workspace and allows audit teams to classify BES cyber assets as High, Medium, and Low based on the standards. We have added a category for untrusted (Internet, Corp, etc.) to tag non BES assets. NP-View allows compliance teams to collect and report evidence related to the following requirements:

  • CIP-002 – BES Cyber System Categorization; impact rating and 15-month review
  • CIP-003 – Security Management Control; cyber security policy
  • CIP-005 – Electronic Security Perimeter; remote access management
  • CIP-007 – System Security Management; ports and services
  • CIP-010 – Change Management and Vulnerability; configuration change management, configuration monitoring, vulnerability assessment

A demo workspace for the NERC CIP audit assistant is included with the software.  To see the audit assistant in action, follow these steps:

  1. Click on the demo workspace to build the topology.
  2. Create a custom view by selecting all of the firewalls, right click, Create View from Selection and give it a name.
  3. Once the view is generated, select Manage Zones from the left menu and click on the Auto Generate Zones button.
    • Red zones represent your high criticality assets.
    • Orange zones represent your medium criticality assets.
    • Yellow zones represent your low criticality assets.
    • Gray zones represent your untrusted assets.
  4. On the left menu, select Summary Reports and the NERC-CIP Compliance Report
  5. Click through the wizard, the defaults will represent the selections suggested by the auto group function.
  6. Click Generate Report to view the report in a new tab.

Feature Documentation

Access Rules Report

This article will focus on the Access Rules Report.

NP-View uses reports to present network information related to the open workspace.  These reports are available to all users and can be accessed from the main menu. For more information visit the Workspace Reports Overview article.

Access Rules – Defined

The Access Rules Report can be accessed in two ways. Each way presents a different filtered data set.

  1. From the main menu, the report populates the table with all rules for all devices in the workspace.
  2. From the topology, when clicking a Firewall/ Router/ Switch – its info panel will open – and the user can select Access Rules from the Data for this Device section. Only the rules for the selected device will be displayed in this case.

[Screenshots: access from the main menu and from the info panel]

What Data is Present?

The list below details the data types available in the Access Rules Report.

Access rules column details

  • Action: (RULE_ACTION) Permit, Allow or Deny.
  • Application: (RULE_APPLICATION) Filtered application name associated with the rule (only for next-gen firewall).
  • Bindings (ACL): (RULE_ACL) Name of the access list under which the rule is defined. This is a normalized zone representation of [src zone]:[dst zone] or interfaces if zones are not used [src binding]:[dst binding]
  • Change Status: used in comparison mode to reflect added, unchanged and removed rules.
  • Comment (Author, Date Status): User entered comments (or justification) and associated status (verified, to review, to revise).
  • Description: (RULE_DESCRIPTION) Remarks from configs associated with rules. Typically found in Cisco and SonicWall devices.
  • Destination: (RULE_DESTINATION) Object group destination for the rule.
  • Device: (RULE_DEVICE) Device host name as defined in a configuration file.
  • Dst Binding: (RULE_DST_BINDING) Outbound interface to which the rule is bound.
  • Dst Criticality: (RULE_DST_CRIT) Criticality of the object group destination (or the parent zone containing the object group destination) as defined by the user on the topology map.
  • Enabled: (RULE_ENABLED) Rule is enabled (True / False). The enabled column gets its value from the firewall config. The parser then decides if the rule is supported (True) or not (False). Disabled rules (value from firewall config) are displayed in the table as False and may have a green or gray text color.
  • First Hit: Timestamp of when rule was first accessed (Palo Alto NGFW Only).
  • Hit Count: (RULE_ACL_HITS) Number of times the ACL was accessed (Palo Alto NGFW Only).
  • Hit Updated: Timestamp of last hits import. (Palo Alto NGFW Only).
  • Last Hit: Timestamp of when rule was last accessed (Palo Alto NGFW Only).
  • Line #: Line number(s) in the configuration text file where the rule can be found.
  • Object ID: Value for linking rules to comments. This column must be displayed when exporting the rule table for enrichment and reimport.
  • Risk: (RULE_RISK) Highest risk text for associated Risk Criticality.
  • Risk Criticality: (RULE_RISK_CRIT) Highest criticality assigned by the triggered risk rule.
  • Rule: (RULE_NAME) Name of the rule found in the configuration. If the rule doesn’t have a name (e.g., Cisco devices), the value is populated by NP-View as RULE_X where X is the rule index.
  • Rule Tag: Palo Alto Only – rule tags from firewall.
  • Rule UUID: Palo Alto Only – rule UUID from firewall.
  • Service: (RULE_SERVICE) Object group service(s) associated with the rule. Alternatively, the field may be represented in a protocol/port-x to port-y format. For example, TCP/any to 53 (meaning TCP protocol, any to port 53), IP/any to 50 (meaning protocol 50). For ICMP we store the ICMP types in those fields. For example: “any to 11” or “any to 3” represent Type 3 — Destination Unreachable, Type 11 — Time Exceeded.
  • Source: (RULE_SOURCE) Object group source for the rule.
  • Src Binding: (RULE_SRC_BINDING) Inbound interface to which the rule is bound.
  • Src Criticality: (RULE_SRC_CRIT) Criticality of the object group source (or the parent zone containing the object group source) as defined by the user on the topology map.
  • Type: (RULE_TYPE) Type of rule (regular or VPN).
  • User: (RULE_USER) Filtered user name associated with the rule.

SRC and DST Criticality Calculations

Note that this feature was removed from v5.0 and up due to performance issues. It may return in the future.

The source and destination criticalities are calculated based on the higher of the criticalities assigned to the device, network, and zone (aka. binding) that the device is in.

  • if device A is in network N1 and bound to zone Z1 and A is Low, N1 is Medium, and Z1 is High, then the criticality of A will be High (highest criticality based on zone)
  • if A is Medium, N1 is Low, and Z1 is Low, then the criticality of A will be Medium (highest criticality based on device)
  • if A is Low, N1 is High, and Z1 is Medium, then the criticality of A will be High (highest criticality based on network)

Table Actions

There are a number of actions that can be taken in the Access Rules report, some are specific to Access Rules, others are universal to all Reports.

  1. Cells with more data than can be shown within the width of the column will display a + icon, which will show the additional data when clicked.
  2. The source, destination and service columns will show related object groups and object data within the + popup.
  3. Columns can be displayed or hidden using the hamburger menu in the upper right corner of the report.
  4. Changes to the menu are automatically saved.
  5. Additionally, the table can be exported as displayed, with comment history or with object groups.
  6. Only visible columns will be displayed.
  7. Columns can be sorted, rearranged or resized and changes will be automatically saved.
  8. Column filters can be displayed.
  9. Filters applied to the table or column will automatically be saved.
  10. Filters can be reset from the hamburger menu.

*the Access Rules Report Menu

Comments

NP-View provides a simple and easy way for users to add comments and other metadata to rows in Access Rules, and to track the historical lineage of these comments in a workspace. Comments can be added or viewed; for integrity purposes they cannot be edited or deleted.

Adding a Comment: Comments can be added to a row by double-clicking on the cell in the column “Comment”.  Comment text and status can be added and then saved with the save button. Once the comment is saved, the author and time stamp are automatically inserted.

*applying comment


*applying comment – closeup


Comment History: Additional comments can be added to a row to begin creating a lineage or history of comments. This history will be automatically available when more than one comment exists on a row and can be expanded by clicking the blue clock icon on the leftmost column of the table. If there is no history the icon will be disabled.

When viewing history, changes between lines are highlighted in blue.

Example: If Comment 1 is: “rule comment 1” – ‘verified’ and Comment 2 is “rule comment 1a” – ‘to revise’ the status cell would be highlighted because there was a change – the comment text would not be highlighted if the text remained the same.

*Viewing comment history

Access Rules Hash


Access rules are uniquely tagged (Object ID) within NP-View for linkage to comments and risks. The tag (hash) is calculated from a hex-converted combination of the following data fields. Available data varies by manufacturer, so some fields may not apply to a specific manufacturer. Most of the fields are defined above; the fields unique to the hash are documented below.

If any of the data in these fields changes, the tag will change and previously linked comments and risks will no longer be associated with this rule.

Universal Variables:

  • ‘Binding (ACL)’ (Source binding : Destination binding)
  • ‘Destination’ (group contents excluding group names*)
  • ‘Service’ (group contents excluding group names)
  • ‘Source’ (group contents excluding group names)
  • ‘Application’ (group contents excluding group names*)

Vendor-specific Variables:

  • ‘Action’
  • ‘direction’ – used by vendors whose rules are defined per network (for example, rules in the VLAN section of the firewall that isolate guest networks from the LAN). Each network has its own set of rules, and depending on the rules created, traffic is labelled in, out, or both.
  • ‘Enabled’
  • ‘scope’ – used by vendors that define traffic zones in their networks. Rules can be created with a scope of interzone, intrazone, or universal.
  • ‘Type’

*If the group name changes but the contents stay the same, the object_id will not change.
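The following is an added illustration of how a field-based tag behaves, not NP-View's own implementation: the article lists the fields that feed the hash but not the hash function or encoding, so this example assumes SHA-256 over a canonical string, expands object groups to their sorted member lists (dropping the group name, as the footnote describes), and includes vendor-specific fields only when the parser populated them. The object groups, rule dictionaries and comment store are constructed for the example.

```python
import hashlib
from typing import Dict, Iterable, List, Optional

# Constructed object groups: group name -> members. Group names never enter the
# hash, only their (sorted) contents, so renaming a group keeps the tag stable.
GROUPS: Dict[str, List[str]] = {
    "corp-servers": ["172.30.90.51", "172.30.90.50"],
    "dns": ["TCP/any to 53", "UDP/any to 53"],
}

# Field order follows the article's lists. Vendor-specific fields are added
# only when present on the rule, since not every manufacturer provides them.
UNIVERSAL_FIELDS = ("binding", "destination", "service", "source", "application")
VENDOR_FIELDS = ("action", "direction", "enabled", "scope", "type")


def expand(value: Optional[str], groups: Dict[str, List[str]]) -> List[str]:
    """Replace each group name in a comma-separated field by its members;
    literal values (an address, 'any', a port spec) pass through unchanged."""
    if not value:
        return []
    items: List[str] = []
    for token in value.split(","):
        token = token.strip()
        items.extend(groups.get(token, [token]))
    return sorted(set(items))


def canonical(rule: Dict[str, str], groups: Dict[str, List[str]]) -> str:
    """Deterministic text form of the fields that feed the tag."""
    parts = []
    for field in UNIVERSAL_FIELDS:
        parts.append(field + "=" + "|".join(expand(rule.get(field), groups)))
    for field in VENDOR_FIELDS:
        if rule.get(field) is not None:
            parts.append(field + "=" + str(rule[field]).lower())
    return "\n".join(parts)


def object_id(rule: Dict[str, str], groups: Dict[str, List[str]]) -> str:
    # Assumption for this example: SHA-256 of the canonical string, shortened
    # to 16 hex characters. NP-View's real construction is not documented here.
    digest = hashlib.sha256(canonical(rule, groups).encode("utf-8")).hexdigest()
    return digest[:16]


def surviving_comments(comments: Dict[str, List[str]],
                       rules: Iterable[Dict[str, str]],
                       groups: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Keep only comments whose tag still matches a current rule. Comments on
    rules whose hashed fields changed are orphaned, as the article warns."""
    current = {object_id(r, groups) for r in rules}
    return {oid: text for oid, text in comments.items() if oid in current}


# Constructed sample rule (Cisco-style: no name, vendor fields action/enabled).
RULE: Dict[str, str] = {
    "binding": "inside:outside",
    "source": "corp-servers",
    "destination": "any",
    "service": "dns",
    "application": "",
    "action": "permit",
    "enabled": "True",
}

if __name__ == "__main__":
    renamed = {"servers": GROUPS["corp-servers"], "dns": GROUPS["dns"]}
    print("original    ", object_id(RULE, GROUPS))
    print("group rename", object_id(dict(RULE, source="servers"), renamed))
    print("deny action ", object_id(dict(RULE, action="deny"), GROUPS))
```

Run as a script, the first two tags are identical (renaming the group does not change the contents) while the third differs, which is exactly the case where previously attached comments and risks stop matching.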

Additional Features

  • The Compare button invokes a time series comparison function for the report.   Additional details on this function can be found here.
  • Comments can be imported from an Excel file.  Additional details on this function can be found here.
  • Conditional formatting can be applied to this table report.  Additional details on this function can be found here.

Comparison Report

Access Rules and Object Groups have a Compare function to show historical differences in data that has been added or removed. The function can be engaged by clicking the “Compare” button located at the top of the page. This function is used to display changes over a period of days.

The user can select a time frame (7, 30, 90 or 356 days or a custom date range). The user can select one or more devices to include in the report and then show the history over the range. Once the parameters are selected, the “Show Comparison” button should be selected.

The comparison function will display all changes (Rule Adds, Rule Removal and Unchanged Rules) for the selected days. The data will be displayed using the column format of the selected table. The user can filter on added, removed or unchanged rules by clicking the jelly bean. Added rules will be highlighted in green, removed rules will be highlighted in red and unchanged rules will be highlighted in light blue.

Clicking the “Compare” button will revert to the normal table but will not clear the selections.

Clicking the “Reset” button will clear the selections and reset the table.

Asset Inventory Report

This article will focus on the Asset Inventory Report.

NP-View uses reports to present network information related to the open workspace.  These reports are available to all users and can be accessed from the main menu. For more information visit the Workspace Reports Overview article.

Asset Inventory

This report provides a summary of all assets loaded into the workspace including: Firewalls, Routers, Switches, Gateways and Hosts.

Asset Inventory Columns

  • Alias: List of alternative names identified in configuration(s) or auxiliary data, separated by “:”.
  • Annotation: Comments added using the Topology annotation feature. Each field contains a complete history of added annotation text.
  • Annotation Author: User Id of the annotation creator.
  • Annotation Date: Date the annotation was created.
  • Annotation Type: Tag added to the annotation.
  • Category: User assigned category from the topology map.
  • Created At: Time and date when the device was added to the workspace.
  • Created By: Files used to create the device or host.
  • Criticality: User assigned criticality from the topology map.
  • Description: Description from the configuration file if available.
  • IP address: IP address of the device, gateway, or host.
  • Label: Initially mirroring the Name field but can be changed by the user on the topology map and represented in this field.
  • MAC Address: The MAC addresses assigned to the devices, typically from auxiliary data.
  • Name: Device host name as defined in a configuration file.
  • OS: Host operating system derived from third-party data files.
  • Object ID: Internal asset ID used for table display purposes.
  • Security Zone: The security zone assigned from the configuration file.
  • Services: Host services derived from third-party data files.
  • Type: Device type; firewall, router, switch, gateway, host, unmapped host.
  • Updated At: Time and date when the device was last updated (configuration change).
  • Updated By: Type of file used to update the device.
  • Verified: Applied by the asset verification function: True, False or NA.
  • Zone: The zone assigned from the topology map.

Unmapped – What is it?

For some devices there may be a large number of hosts defined in the Asset Inventory but less shown on the Topology Map. These “missing hosts” are not actually missing on the map, they are hidden in a Gateway node titled ‘Unmapped’.

If an IP address is displayed as 0.0.0.0 this device has an IP address assigned by DHCP and while the device was detected, an IP address could not be extracted, and it would be said to be an Unmapped Host. Unmapped hosts have enough information for identification but not for mapping purposes on the topology map.  These ‘invisible’ hosts are located behind the Unmapped, or other, gateways and can be seen in a given gateway’s peer list.

Background Tasks

NP-View uses reports to present network information related to the open workspace.  These reports are available to all users and can be accessed from the main menu.

This article is focused on the Background Tasks Table.

Background Tasks

This table displays the active and completed processes both for the current workspace, and for all workspaces. When in a workspace you have the ability to filter and view the active processes for the current workspace and to clear or cancel completed or active processes for the current workspace.

Access: Background Tasks can be accessed in three ways.

  1. From the main menu
  2. Using the hotkey ‘T’
  3. Clicking on the active spinner on the topology map

*main menu

     *active background tasks spinner

Overview

The Background Tasks table shows the status of each task spawned by a data import, merge, analysis, or by run policies.

  • Parsing tasks indicate the imported file is being normalized and hosts inferred.
  • Merge tasks combine the normalized data into the topology map.
  • Analysis tasks define all of the paths and open ports.
  • Policies review the active requirements to identify potential risks for review.

An example of the background tasks table is in the image below.

The report contains the following data and has the following functionality:

Report Data:

  • Task name
  • Progress
  • Workspace where the task is running
  • User who owns the task
  • The time it started or ended

Report Functions:

  • The check box allows the user to filter on the tasks pertinent to the current workspace.
  • The X allows the user to cancel a task that may be running too long or be stuck for some reason.
  • The user can also cancel all tasks within a workspace using the “Cancel All for this Workspace” button.

Change Tracking Report

Change Tracking

Overview

  • The Change Tracking Report logs modifications that are made to the network and the updated configuration files that are imported.
  • It can be accessed from the main menu
  • For every change, the timestamp, action, device, and description are recorded.
  • Changes are displayed and can be filtered by calendar day.
  • At the top of the table is a drop down that allows the user to select which day to review.
    • The default is the current day.

Functionality

The Change Tracking Report can be:

  • searched
  • sorted by any column
  • switched to a list view
  • exported
  • and configured with alternate columns if required

These functions are available in the upper right corner of the table.

Change Types

The types of change actions that are logged are:

  1. File import – for each file uploaded, one of the following statuses will be displayed:
    • “successful import” – file imported successfully
    • “ignored file: <filename>” – unknown file type, ignored
    • “failed import” – file failed to import; review the Help Center for the reason
  2. Topology map – for each file uploaded, one of the following statuses will be displayed for the topology map:
    • “device path information” – triggered if the connectivity matrix changes
      • Paths can be added or removed
      • Assets refers to destination IP addresses
      • Services refers to the unique ports (or any) associated with the imported device
      • Details on the above can be viewed in the Connectivity Paths report
    • “topology updated” – indicates the topology map has been successfully updated
    • “topology failure” – indicates the topology map update has failed; review the Help Center for the reason
  3. Connectivity Paths – for each file uploaded, the following status will be displayed for the workspace:
    • “workspace analysis updated” – all other tables have been successfully updated

Supported Devices & Data

Auxiliary Data

NP-View can import auxiliary data from third party systems to enrich and augment analysis. The data files listed below are supported and can be manually imported using drag and drop or through a shared network drive connector. We recommend importing configuration files first, or at the same time as the auxiliary data files, or a system error may occur. If auxiliary data is imported after configuration files are processed, the auxiliary data will need to be added to a new or existing custom view(s) to be displayed.

Host Files

Hosts can be identified from multiple sources including configuration files, network scan files, ARP tables, and hostname files. Once network device configuration files have been imported, one can import additional files to add metadata to the workspace. A hostname file is a simple text file with two columns: IP address and hostname, separated by a tab.

Aux Data Loading Example

Note: This example applies to the loading of any Aux data file but is specific to creating and loading a host file.

First, load a firewall into a workspace and create a custom view with the firewall.

Notice that four hosts are not named.  To fix this, create a host file, named hosts.txt, to enrich the information.

The host file will add a name tied to each of the hosts and also includes hosts not currently displayed.

Let's use the following contents (IP address and hostname, tab separated):
172.30.90.50 Alice
172.30.90.51 Bob
172.30.90.42 Wendy
172.30.91.80 Sam
172.30.91.81 Carl

Note: Make sure any hosts added to the file do not conflict with firewall interfaces or they will be merged into the firewall.

Save the host file, and import it into the workspace.

The Manage Views function displaying a user adding both devices and multiple Auxiliary data files to a single view.

Once processed, proceed to the “Manage Views” menu and select a new or existing view to add Auxiliary data to.

Below the Select Devices box, is the Auxiliary Data box.

Choose any of the Auxiliary Data files you've added previously. (This image is not reflective of the example but to illustrate that users may select several Aux files).

For our example a user would see a single file called hosts.txt that would contain the names we've added.

Once the view is created the updated assets will be displayed on the topology and in the Asset Inventory (on the main menu).

The view, seen here regenerated. Note the new hostnames applied to the endpoints.

To see how the previous example can be used as a repeatable process let's update those names again, with corrections.

First, update the Host file again. In this scenario, we rename “Carl” to “Carly” and “Sam” to “Sammy”. The updated file is as follows:


172.30.90.50 Alice
172.30.90.51 Bob
172.30.90.42 Wendy
172.30.91.80 Sammy
172.30.91.81 Carly

Load the file into the workspace and the custom views where auxiliary data has been applied. This will update the workspace.


The workspace, updated a second time

Note: Host data can come from multiple sources, also hosts can appear and disappear from the network. Host data is treated as replacement data for adding and deleting hosts over time.

Note: If for some reason a device has multiple names retrieved from multiple different file types, the additional names will be displayed in the Alias column of the Asset Inventory.
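An added example, not NP-View code, covering the host-file walkthrough above: it parses the tab-separated hostname file, rejects malformed lines, flags entries that collide with firewall interface addresses (the condition under which NP-View merges the host into the firewall), and computes what a second import changes under the replacement semantics described in the note. The two file contents are copies of the walkthrough's files (one deliberately broken line appended to the first); the firewall interface addresses are assumed placeholders, since the article does not list them.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed copies of the two host files from the walkthrough, tab separated.
# A malformed line is appended to the first file to exercise validation.
HOSTS_V1 = (
    "172.30.90.50\tAlice\n"
    "172.30.90.51\tBob\n"
    "172.30.90.42\tWendy\n"
    "172.30.91.80\tSam\n"
    "172.30.91.81\tCarl\n"
    "172.30.91.x\tBroken\n"
)
HOSTS_V2 = (
    "172.30.90.50\tAlice\n"
    "172.30.90.51\tBob\n"
    "172.30.90.42\tWendy\n"
    "172.30.91.80\tSammy\n"
    "172.30.91.81\tCarly\n"
)

# Assumed firewall interface addresses (placeholders; not from the article).
FIREWALL_INTERFACE_IPS: Set[str] = {"172.30.90.1", "172.30.91.1"}


def parse_host_file(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return {ip: hostname} for valid lines and a list of rejected lines."""
    hosts: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split("\t")
        if len(parts) != 2 or not parts[1].strip():
            problems.append(f"line {lineno}: expected IP<tab>hostname, got {raw!r}")
            continue
        ip_text, name = parts[0].strip(), parts[1].strip()
        try:
            ip = str(ipaddress.ip_address(ip_text))  # also normalises the text
        except ValueError:
            problems.append(f"line {lineno}: invalid IP address {ip_text!r}")
            continue
        if ip in hosts:
            problems.append(f"line {lineno}: duplicate entry for {ip}")
            continue
        hosts[ip] = name
    return hosts, problems


def interface_conflicts(hosts: Dict[str, str], interface_ips: Set[str]) -> List[str]:
    """Host entries sharing an address with a firewall interface would be
    merged into the firewall on import, so surface them before loading."""
    return sorted(ip for ip in hosts if ip in interface_ips)


def replacement_diff(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, dict]:
    """Host data is replacement data: the new file supersedes the old one."""
    added = {ip: new[ip] for ip in new if ip not in old}
    removed = {ip: old[ip] for ip in old if ip not in new}
    renamed = {ip: (old[ip], new[ip]) for ip in new if ip in old and old[ip] != new[ip]}
    return {"added": added, "removed": removed, "renamed": renamed}


if __name__ == "__main__":
    v1, problems = parse_host_file(HOSTS_V1)
    v2, _ = parse_host_file(HOSTS_V2)
    print("rejected:", problems)
    print("conflicts:", interface_conflicts(v1, FIREWALL_INTERFACE_IPS))
    print("second import:", replacement_diff(v1, v2))
```

The conflict check is the one worth running before every import: a host whose address matches an interface silently disappears into the firewall node rather than producing an error.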

Network and Vulnerability Scanner Files

The output from network and vulnerability scanners can be imported into a workspace to add CVE information, hosts, attributes, and port information to the topology map. We support version 1.0 (<?xml version="1.0" ?>) of the below scanners:

When exporting the report, it should be saved using the XML format to properly import into NP-View. The data extracted and imported depends on the scanner used and the data available on the network.  Below is a list of data NP-View attempts to import.

  • hostnames
  • addresses
  • interfaces
  • local interface IPs
  • local interface names
  • mac
  • domains
  • parent
  • operating systems
  • vlan

Multi-Home Host Files

Multi-Home hosts are endpoints that have multiple network interfaces. If NP-View identifies hosts with multiple interfaces, the host will be duplicated on the topology with each IP address. For example, the host called 'dual-homed' can be seen three times on the map below.

The host named 'dual-homed' repeated 3 times on the map

To resolve this, a 'multi_home_host.txt' file can be manually generated and loaded into NP-View as auxiliary data.

The file must be named 'multi_home_host.txt' and be of the following format:

192.168.135.115 dual-homed

192.168.135.114 dual-homed

192.168.135.113 dual-homed

Where the first field is the IP address and the second field is the name of the host.

When importing the 'multi_home_host.txt' and adding it to a view, the hosts will be connected as follows:

The hosts named 'dual-homed' have been consolidated

Note: The file can be named *_multi_home_host.txt, where * is any prefix preceding multi_home_host.txt.

For example:

tuesday_multi_home_host.txt

web_server_multi_home_host.txt

the_big_kahuna_multi_home_host.txt

Address Resolution Protocol (ARP)

ARP files can be used to add hosts as well as MAC addresses for the hosts.  The following formats are supported:

Cisco

Use the command show arp to export the ARP table.  The file format will be as follows:

<hostname># show arp  

outside 10.0.0.100 d867.da11.00c1 2  

inside 192.168.1.10 000c.295b.5aa2 21  

inside 192.168.1.12 000c.2933.561c 36  

inside 192.168.1.14 000c.2ee0.2b81 97

Cisco ARP Example

Using the data set from the Hosts example, a simple ARP table has been created in the Cisco format.

Distribution# show arp    

inside 172.30.90.50 d867.da11.00c1 2    

inside 172.30.90.51 000c.295b.5aa2 21    

inside 172.30.90.42 000c.2933.561c 36    

inside 172.30.91.80 000c.2ee0.2b81 97  

inside 172.30.91.81 000c.2ecc.2b82 95

Distribution#

Loading this data into NP-View will add the MAC addresses to each host which is visible in Asset inventory.

Windows

Use arp -a > arp_table.txt to export the ARP table.  The file format will be:

Interface: 192.168.86.29 --- 0x6  

Internet Address      Physical Address      Type  

192.168.86.1          88-3d-24-76-49-f2     dynamic    

192.168.86.25         50-dc-e7-4b-13-40     dynamic    

192.168.86.31         1c-fe-2b-30-78-e5     dynamic    

192.168.86.33         8c-04-ba-8c-dc-4d     dynamic

Linux

Use arp -a > arp_table.txt to export the ARP table.  The file format will be:

? (172.18.0.3) at 02:42:ac:12:00:03 [ether] on br-d497989bc64d

? (192.168.135.200) at 00:0c:29:f6:47:bb [ether] on ens160

? (172.17.0.2) at <incomplete> on docker0

? (192.168.135.178) at 00:0c:29:f3:e2:6b [ether] on ens160

Palo Alto

Use show arp all to export the ARP table.  The file format will be:

maximum of entries supported : 2500

default timeout: 1800 seconds

total ARP entries in table : 3

total ARP entries shown : 3

status: s - static, c - complete, e - expiring, i - incomplete

interface ip address hw address port status ttl

--------------------------------------------------------------------------------

ethernet1/1 192.0.2.10 00:0c:29:ac:30:19 ethernet1/1 c 295

ethernet1/2 198.51.100.10 00:0c:29:d7:67:09 ethernet1/2 c 1776

ethernet1/3 203.0.113.10 00:0c:29:b9:19:c9 ethernet1/3 c 1791
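An added example, not part of the article or of NP-View, that parses the four ARP table formats shown above into one normalised (IP, MAC, interface) list. It skips header and prompt lines and Linux <incomplete> entries, rewrites the vendor MAC notations (Cisco dotted, Windows dashed, colon separated) into one form, and reports any MAC that appears with more than one IP, which is a useful data-quality check before the table is loaded. The samples are constructed copies of the outputs shown above.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed samples mirroring the four formats shown in this section.
CISCO = """Distribution# show arp
inside 172.30.90.50 d867.da11.00c1 2
inside 172.30.90.51 000c.295b.5aa2 21
inside 172.30.90.42 000c.2933.561c 36
inside 172.30.91.80 000c.2ee0.2b81 97
inside 172.30.91.81 000c.2ecc.2b82 95
Distribution#
"""
WINDOWS = """Interface: 192.168.86.29 --- 0x6
Internet Address      Physical Address      Type
192.168.86.1          88-3d-24-76-49-f2     dynamic
192.168.86.25         50-dc-e7-4b-13-40     dynamic
"""
LINUX = """? (172.18.0.3) at 02:42:ac:12:00:03 [ether] on br-d497989bc64d
? (172.17.0.2) at <incomplete> on docker0
? (192.168.135.178) at 00:0c:29:f3:e2:6b [ether] on ens160
"""
PALO_ALTO = """interface ip address hw address port status ttl
--------------------------------------------------------------------------------
ethernet1/1 192.0.2.10 00:0c:29:ac:30:19 ethernet1/1 c 295
ethernet1/2 198.51.100.10 00:0c:29:d7:67:09 ethernet1/2 c 1776
"""

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
MAC_COLON = r"(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})"
PATTERNS = {
    # interface ip xxxx.xxxx.xxxx age
    "cisco": re.compile(r"^(?P<iface>\S+)\s+" + IP +
                        r"\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\d+", re.I),
    # ip xx-xx-xx-xx-xx-xx dynamic|static (no interface on the entry line)
    "windows": re.compile(r"^\s*" + IP +
                          r"\s+(?P<mac>[0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(?:dynamic|static)", re.I),
    # ? (ip) at xx:xx:xx:xx:xx:xx [ether] on iface
    "linux": re.compile(r"^\S+\s+\(" + IP + r"\)\s+at\s+" + MAC_COLON +
                        r"\s+\[ether\]\s+on\s+(?P<iface>\S+)", re.I),
    # interface ip xx:xx:xx:xx:xx:xx port status ttl
    "paloalto": re.compile(r"^(?P<iface>\S+)\s+" + IP + r"\s+" + MAC_COLON +
                           r"\s+\S+\s+[scei]\s+\d+", re.I),
}


def normalize_mac(mac: str) -> str:
    """Strip vendor separators and emit lower-case colon notation."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text: str) -> List[Dict[str, str]]:
    """Parse any of the supported ARP output formats; unmatched lines
    (prompts, headers, incomplete entries) are ignored."""
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        for fmt, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                entries.append({
                    "format": fmt,
                    "ip": m.group("ip"),
                    "mac": normalize_mac(m.group("mac")),
                    "iface": m.groupdict().get("iface") or "",
                })
                break
    return entries


def macs_with_multiple_ips(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Data-quality check: one hardware address answering for several IPs
    (a router, a multi-homed host, or a table worth a second look)."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e["ip"] not in seen[e["mac"]]:
            seen[e["mac"]].append(e["ip"])
    return {mac: ips for mac, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for name, sample in (("cisco", CISCO), ("windows", WINDOWS),
                         ("linux", LINUX), ("paloalto", PALO_ALTO)):
        for entry in parse_arp(sample):
            print(name, entry["ip"], entry["mac"], entry["iface"])
```

Because each pattern anchors on the vendor's own MAC notation, a file of mixed outputs still parses correctly, and the Windows "Interface:" header, Cisco prompt lines and the Palo Alto column banner are all skipped without special-casing.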

Route Tables

Route files are a special case in that they provide ruleset-specific enrichment data whereas the other auxiliary files listed above provide topology-specific enrichment data.

Route table – Cisco

The output of the command show route on Cisco devices can be imported into NP-View with associated configuration files.  For VRFs, use the command show ip route vrf *. Cisco route files are handled a bit differently than the rest of the aux data: they are integrated upon import and are not considered aux data when creating a view. Naming of the route files is not important as long as the names are unique. The first row of the route file contains the <device name># command to link the route table with the correct device.

PCAP

In v6.0 and later, PCAP and PCAPng files can be used to enrich the topology map. NP-View will add endpoints with IPs, MAC addresses and services to the topology map within a view. The maximum PCAP size is 200 MB per file.

Reference

Help Center

The Help Center can be found on the system menu on the upper right corner of the topology.

The Help Center will display warnings or errors identified during the import of device files.

The information in the help center is designed to provide information for the tech support team to help diagnose the issues.

There are many types of possible errors including:

  1. Invalid file formats (e.g., .gif or .png)
  2. Improperly formatted files (files exported as text but loaded into a word processor where extra characters are added before saving).
  3. Incomplete set of files (many devices require more than one file for import this includes Palo Alto and IP tables)
  4. Misconfigured files where rules or objects are undefined.

As every customer has a different environment and the possible device configurations are endless, we sometimes run into a situation where the parser cannot handle the device as configured.  When this happens, we request that the customer sanitize the config file on the NP Portal and upload the file for debug purposes.  Support from our customers is important for us to quickly remediate parsing issues unique to a device or specific file.

The Help Center provides a download for the error log which can be submitted to technical support through the support portal.