This section describes how to update the NP-View Server application and the underlying components if the OVF was used for the initial installation.

Updating the NP-View Server Application

To update an existing NP-View Application, the steps are:

  1. Download the latest Linux Installer release (not the .OVF) from the Network Perception Portal and copy it onto your NP-View server using SCP (or WinSCP from a Windows client).
  2. Log in to the NP-View server using SSH (or PuTTY from a Windows client).
  3. Get root permissions using the command: sudo -i
  4. Before installing the new version, make a backup of your database (see Backing up the NP-View Server Database below).
  5. Run the new NP-View release file using the command: sh NP-View_installer.sh  (where NP-View_installer.sh is the name of the release file downloaded in step 1).
  6. Follow the guided steps of the installer, which will automatically start NP-View once the update is complete.
  7. Connect to the NP-View user interface with your web browser and check in the bottom-left corner of the home page that the version number matches the new release.

Backing up the NP-View Server Database

  1. Stop the NP-View Server with the stop script in /opt/np-live/ (given here as /opt/np-live/stop_nplive.sh; script names are case sensitive, so use the name as it appears on your server).
  2. From the NP-View Server folder (by default /opt/np-live/), run the command: tar -zcf db_backup_$(date '+%Y_%m_%d').tgz db (this command may take a few minutes to complete).
  3. Run the new release installer, which will update the containers and then launch NP-View Server.
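
As an added example (not a Network Perception script), the following POSIX shell functions wrap steps 1 and 2 above so that a backup cannot silently be truncated or overwritten: they archive the db folder with the same db_backup_ naming used above, add the time of day to the file name, list the archive to prove it is readable, and keep only the newest few backups. The install folder and stop script name are taken from this article; the retention count of three is an assumption.

```shell
#!/bin/sh
# Added example, not NP-View's own tooling. Backs up the NP-View database
# folder before an update and verifies the archive before the update starts.
set -e

# backup_db SRC_DIR DEST_DIR
#   Archives SRC_DIR (the db folder) to DEST_DIR/db_backup_YYYY_MM_DD_HHMMSS.tgz
#   and prints the archive path. The time of day is an addition to the naming
#   used in this article so two backups on the same day do not overwrite.
backup_db() {
  src="$1"; dest="$2"
  [ -d "$src" ] || { echo "backup_db: $src is not a directory" >&2; return 1; }
  [ -d "$dest" ] || { echo "backup_db: $dest is not a directory" >&2; return 1; }
  archive="$dest/db_backup_$(date '+%Y_%m_%d_%H%M%S').tgz"
  # -C keeps the archive relative (db/...), matching "tar -zcf ... db" run from /opt/np-live
  tar -zcf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
  # Listing the archive forces gzip and tar to read it back; a truncated or
  # corrupt archive fails here rather than during a restore you cannot afford.
  if ! tar -tzf "$archive" >/dev/null 2>&1; then
    echo "backup_db: $archive failed verification, removing it" >&2
    rm -f "$archive"
    return 1
  fi
  echo "$archive"
}

# prune_backups DEST_DIR KEEP
#   Deletes all but the KEEP newest db_backup_*.tgz files in DEST_DIR.
prune_backups() {
  dest="$1"; keep="$2"
  ls -1t "$dest"/db_backup_*.tgz 2>/dev/null | tail -n +"$((keep + 1))" | while IFS= read -r old; do
    rm -f -- "$old"
  done
}

# Typical use on the server, as root, with NP-View stopped first:
#   cd /opt/np-live && ./stop_nplive.sh
#   backup_db /opt/np-live/db /opt/np-live && prune_backups /opt/np-live 3
```

Run the backup only after the stop script has finished, otherwise the archive may capture database files mid-write; the listing check catches a damaged archive but not an inconsistent one.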

Updating CentOS 7 and Docker

If the OVF was used for the initial installation, that package included the CentOS 7 operating system and Docker. The operating system and Docker must be updated separately from the NP-View Server Application using the instructions below. The instructions cover NP-View Servers that have internet access and those that do not.

Updating when the NP-View server has internet access:

– stop NP-View
cd /opt/np-live/
./stop_NP-Live.sh

– run all updates
yum update -y

– reboot server
reboot

Updating when the NP-View server does not have internet access:

If the NP-View server is installed in an environment that does not have internet access, a separate CentOS 7 server with Docker that has internet access is required to create the update package. All commands below are case sensitive.

CentOS 7 host that is online:

– make sure you are root
sudo su -

– create packages directory
cd /root/
mkdir packages
cd packages

– download the latest available version of every installed package (yumdownloader is provided by the yum-utils package)
yum list installed | awk '{print $1}' | tail -n +3 | xargs yumdownloader

– you should see docker included in the output list.

– create the archive (run from /root/packages; tar options are case sensitive)
tar czf /root/packages.tar.gz *.rpm -C /root/packages/

– copy packages.tar.gz to the offline server, for example with scp:
scp packages.tar.gz root@ipAddress:/root/

CentOS 7 host that is offline, running NP-View:

– make sure you are root
sudo su -

– stop NP-View
cd /opt/np-live/
./stop_NP-Live.sh

– create directory and extract the archive
cd /root/
mkdir packages/
mv packages.tar.gz packages/
cd packages/
tar -xf packages.tar.gz

– install all updates (note that yum only verifies GPG signatures on local RPM files when localpkg_gpgcheck=1 is set in /etc/yum.conf; enable it, with the CentOS 7 key imported, so that packages altered in transit are rejected):
yum -y localinstall *.rpm

– reboot server
reboot

– now everything is up to date on the offline server.
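
The scp step above is the point at which the update bundle could be corrupted or replaced, and yum does not check signatures on local RPM files unless localpkg_gpgcheck is enabled. The following added POSIX shell functions, which are not Network Perception tooling, build a SHA-256 manifest of the downloaded RPMs on the online host and verify it, together with each RPM's signature via rpm -K, on the offline host before installation. The directory /root/packages is the one used in the steps above; the manifest file name and the tar variant in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not Network Perception tooling. Builds a SHA-256 manifest of
# the RPM bundle on the online host and verifies it on the offline NP-View
# server before "yum localinstall". /root/packages is the directory used in
# the steps above.
set -e

# sha256_of FILE -> hex digest, portable across sha256sum / shasum
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# build_manifest DIR -> writes DIR/SHA256SUMS for every *.rpm in DIR and prints the count
build_manifest() {
  dir="$1"; n=0
  : > "$dir/SHA256SUMS"
  for f in "$dir"/*.rpm; do
    [ -f "$f" ] || continue
    printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$dir/SHA256SUMS"
    n=$((n + 1))
  done
  echo "$n"
}

# verify_manifest DIR -> 0 if every listed file is present and unchanged, 1 otherwise
verify_manifest() {
  dir="$1"; bad=0
  [ -s "$dir/SHA256SUMS" ] || { echo "verify_manifest: no manifest in $dir" >&2; return 1; }
  while read -r want name; do
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING   $name" >&2; bad=1; continue
    fi
    have=$(sha256_of "$dir/$name")
    [ "$have" = "$want" ] || { echo "MISMATCH  $name" >&2; bad=1; }
  done < "$dir/SHA256SUMS"
  return "$bad"
}

# check_signatures DIR -> 0 only if rpm -K passes for every RPM.
# rpm -K needs the CentOS 7 key imported (rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7).
# An unsigned package still passes rpm -K; setting localpkg_gpgcheck=1 in
# /etc/yum.conf makes yum itself refuse local packages without a valid signature.
check_signatures() {
  dir="$1"; bad=0
  for f in "$dir"/*.rpm; do
    [ -f "$f" ] || continue
    rpm -K "$f" >/dev/null 2>&1 || { echo "BAD SIGNATURE $f" >&2; bad=1; }
  done
  return "$bad"
}

# Online host, after yumdownloader has filled /root/packages (this tar form
# also includes SHA256SUMS in the bundle):
#   build_manifest /root/packages && tar czf /root/packages.tar.gz -C /root/packages .
# Offline host, after extracting the bundle into /root/packages:
#   verify_manifest /root/packages && check_signatures /root/packages \
#     && yum -y localinstall /root/packages/*.rpm
```

The manifest only proves the bundle arrived as built; the signature check and localpkg_gpgcheck are what tie the packages back to the CentOS signing key, so use both.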

If you get any docker swarm errors:

– make sure you are root
sudo su -

– leave and re-create the single-node swarm (stop NP-View first; docker swarm leave --force discards the swarm state held on this node)
docker swarm leave --force && docker swarm init

The Rule Usage feature helps network admins identify rules for potential elimination due to lack of use. This feature only applies to Palo Alto NGFW (not Panorama). Rule Usage Analysis (aka Hit Count) requests additional Access Rule usage information from firewalls using the connector. When setting up a new connector, the user has the option to enable the extraction of rule usage information:

Note that existing connectors are not affected and cannot be edited to enable hit count retrieval; the option is only offered when a connector is created.

From the NGFW, we extract four values for each access rule:

  • First Hit – Timestamp of first rule usage
  • Last Hit – Timestamp of last rule usage
  • Hits Updated – Timestamp of last data refresh
  • Hits – Usage count

The information is presented as additional columns in the Access Rules Table.  The four columns are disabled by default and will need to be enabled by the user using the menu at the top right.

Once enabled, the hit count data will be displayed in the Access rules table:
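
To show what can be done with the four columns once they are exported, here is an added example (not part of NP-View) in POSIX shell and awk that flags rules with no hits, or whose last hit precedes a cutoff date, while ignoring rules whose counters were not refreshed after the cutoff. The CSV layout, the sample rows and the cutoff date are constructed assumptions; the column meanings are the ones listed above.

```shell
#!/bin/sh
# Added example, not part of NP-View. Input CSV columns (constructed layout):
#   rule,first_hit,last_hit,hits_updated,hits   (dates as YYYY-MM-DD)
set -e

# stale_rules CSV_FILE CUTOFF_DATE -> prints "rule,reason" for elimination candidates.
# ISO dates sort correctly as strings, so awk string comparison is enough.
# A rule whose hit counters were last refreshed before the cutoff is skipped:
# zero hits with a stale counter is missing data, not evidence of non-use.
stale_rules() {
  awk -F, -v cutoff="$2" '
    NR == 1 { next }                                    # header row
    { name = $1; last = $3; updated = $4; hits = $5 }
    updated < cutoff { next }                           # counters not refreshed: no conclusion
    hits == 0        { print name ",never-hit"; next }
    last < cutoff    { print name ",last-hit-before-" cutoff }
  ' "$1"
}

# Constructed sample export (not real firewall data)
sample_csv() {
  cat <<'EOF'
rule,first_hit,last_hit,hits_updated,hits
allow-scada-hmi,2022-01-10,2024-05-30,2024-06-01,418233
allow-vendor-vpn,2021-07-02,2023-11-14,2024-06-01,77
permit-legacy-ftp,,,2024-06-01,0
permit-backup-net,2022-03-01,2023-01-05,2023-02-01,12
EOF
}

# Example: sample_csv > hits.csv && stale_rules hits.csv 2024-03-01
```

With the sample data and a 2024-03-01 cutoff the output names permit-legacy-ftp (never hit) and allow-vendor-vpn (last hit in 2023); permit-backup-net is not reported because its counters were last refreshed before the cutoff, so its age cannot be trusted.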

Below are the currently known issues in NP-View along with the available workarounds. These issues will be addressed as part of the upcoming release. If you are experiencing an issue not covered in this document, please contact Technical Support at: support@network-perception.com

 

1. The menu does not load properly: shows odd symbols or help text

  • Desktop
    • Click on “View” and “Force Reload” the page, or use the hotkey (Ctrl + Shift + R)
    • Or open NP-View Desktop in a browser window:
      • Open a web browser (Chrome/Edge) with NP-View still running
      • Type “localhost:8080” in the address bar to load NP-View in a browser window
      • Click the 3-dot menu at the top right and select “More Tools”, then “Developer Tools”, or use the hotkey (Ctrl + Shift + I)
      • With Developer Tools open, click and hold the “Refresh” button, then click “Empty Cache and Hard Reload”

  • Server
    • In the web browser (Chrome/Edge), click on the refresh symbol or use the hotkey (Ctrl + Shift + R)
    • Or click the 3-dot menu at the top right and select “More Tools”, then “Developer Tools”, or use the hotkey (Ctrl + Shift + I)
    • With Developer Tools open, click and hold the “Refresh” button, then click “Empty Cache and Hard Reload”
    • NOTE: Firefox – press Ctrl + Shift + R, or hold down Ctrl and press F5

2. Typing into a field in NP-View Desktop doesn’t register any text

Reset window focus (this may not always work):

  • Alt+Tab out of the application
  • Alt+Tab back into the application

Or log in to NP-View Desktop via a web browser:

  • Open a web browser (Chrome/Edge) with NP-View still running
  • Type “localhost:8080” in the address bar to load NP-View in a browser window

 

3. Following an update, the NP-View workspace hangs on “Preparing your workspace, hang on..”

  • Desktop
    • Go to the “View” drop-down menu at the top of your NP-View window
    • Select “Force Reload”
    • Or open a web browser (Chrome/Edge) with NP-View still running:
      • Type “localhost:8080” in the address bar to load NP-View in a browser window
      • Sign in to NP-View and select a workspace
      • Click the 3-dot menu at the top right and select “More Tools”, then “Developer Tools”, or use the hotkey (Ctrl + Shift + I)
      • Click and hold the “Refresh” button, then click “Empty Cache and Hard Reload”

  • Server
    • In the web browser (Chrome/Edge), click on the refresh symbol or use the hotkey (Ctrl + Shift + R)
    • Or click the 3-dot menu at the top right and select “More Tools”, then “Developer Tools”, or use the hotkey (Ctrl + Shift + I), then click and hold the “Refresh” button and click “Empty Cache and Hard Reload”
    • NOTE: Firefox – press Ctrl + Shift + R, or hold down Ctrl and press F5

4. Collapse is shown by default in the object menu (the Expand option is unavailable in the right-click menu)

  • Right-click on the object and click Collapse
  • Right-click on the object again and click Expand

System Logs

  • Data: The System Logs Table shows a detailed sequence of tasks attempted and completed.
  • Use: The System Logs Table is primarily used for system debugging and contains information, errors and warnings derived during system operation.
  • Filters: The System Logs Table has three views
    • Workspace
      • Displays all system actions for the open workspace
      • Available to the Administrator and Workspace Admin
    • User
      • Displays the actions taken by the current user on the open workspace
      • Available to the Administrator and Workspace Admin
    • System
      • Displays the overall operation of system across users and workspaces
      • Only accessible by the Administrator
  • Each view can be filtered to show only
    • Information
    • Errors: generated when a system operation fails to complete
    • Warnings: generated during data parsing and when policy / requirement infractions are identified
    • or All

Overview

Network visualization via The Topology Map is the most powerful feature of NP-View.

Once you:

  1. Create a workspace
  2. Import configuration files
  3. Import supporting meta data

NP-View’s visualization engine will process your information and create a dynamic, usable network diagram, starting you at the Home View. Workspaces are broken down into views; see the Views article for more.

Topology Map

Based on your configurations, NP-View will create a map to connect and display:

  • Firewalls (physical and virtual)
  • Routers (physical and virtual)
  • Switches
  • Host-Routers
  • Networks
  • Hosts
  • Gateways
  • Border Gateways
  • VPN Tunnels
  • Unmapped Hosts and Networks

 

Details: Each is represented by its own individual icon on the map, and when clicked will open a details panel with information about the selected node. From each details panel devices can be assigned a name (e.g., grey text tag), a category (colored text tag) and criticality (colored ring). See the Info Panels Article for more information.

Risk Display: If a device has active alerts, the number of alerts will be displayed as a red circle on the device icon.

Comment Display: If a device has user entered comments, the number of comments will be displayed as a blue circle on the device icon.

Unmapped Gateway:

  • Unmapped hosts and networks indicate IP addresses that are external to the topology and could not be connected to primary networks.
  • For a given networking device (e.g., a firewall), primary networks constitute the IP ranges defined by its interfaces.
  • In other words, all the networks a device faces are called primary.
  • Nonetheless, the device’s ruleset can refer to arbitrary IP spaces, not necessarily those within primary ranges.
  • Consequently, NP-View identifies those external/unknown IP spaces as hosts, networks, or ranges, as defined in the config, and places them behind the Unmapped gateway.

 


 

Arranging the Map

On the Topology Map, users can rearrange any object or group of objects on the canvas by simply selecting and dragging a device to a new location. Device locations can be saved with the “Save Topology” button which can be found in the top center of the screen.

  • Multiple devices can be selected by holding the shift key down (the cursor changes to a + sign) and dragging the mouse to make the selection.
  • The Ctrl key can be used to select / deselect individual devices.
  • Once selected, the devices can be assigned to a common category or criticality.
  • Alternatively, the devices can be segmented into zones. See more info on zone creation.

 

Save Topology: When objects are moved on the topology map, the ‘Save Topology’ button will become active.  Multiple objects can be moved prior to saving the topology.

If the user attempts to switch views before saving, a notification will be presented as follows:

The user can proceed to the selected view without saving by clicking “OK”,  or they can choose “cancel” to go back and ‘Save Topology’ .

 


Other Topology Functions

 

Settings: Opens a panel with user preferences that can be set for the map. See the Topology Settings section below for more.

Collapse/Expand Topology Nodes: Some Topology Maps may become visually overwhelming depending on how many nodes are present. This setting hides end points and only displays primary devices and networks.

Pin/Unpin Topology: When the topology is unpinned, moving one device causes the map to auto-arrange. This can be helpful when importing a large number of devices, as the topology map may initially display with overlapping devices.

Night Mode: Sets the map to a different color scheme.

Highlight Paths: Opens the Highlight Paths menu item. See the Paths article for more.

Manage Views: Opens the Manage Views menu item. See the Views article for more.

Center Map: Centers the map on the screen.

 


Topology Settings

NP-View provides a settings menu specifically for the topology. This menu can be used to show as much or as little information as you desire on the topology map. This keeps the topology map at a level of organization that suits your use.

The topology settings menu is easily accessible from the menu in the bottom right of the topology map by clicking on the gear icon.

 

This will open the topology settings dialog and allow users to show or hide different types of information on the fly.

  • Show/Hide Vulnerability Shields – this setting toggles the display of icons that show vulnerabilities on nodes when scans have been imported into the workspace.
  • Show Networks with NO IP – this setting toggles the display of networks / interfaces (white cloud icons) that are defined but have no IP address assigned. The default behavior is to hide them.
  • Show Comment Bubbles – this setting toggles the display of the blue bubble on Primary Devices that indicates the number of comments associated with that device.
  • Show Risk Bubbles – this setting toggles the display of the red bubble on Primary Devices that indicates the number of risks associated with that device.
  • Collapse Nodes By Default – this setting toggles the behavior of whether or not nodes on the topology map are collapsed.

Note: For very large topologies (over 200 devices), the router, firewall and switch symbols will change to circles to make the map easier to read when zoomed out.

NP-View uses reports to present network information related to the open workspace.  These reports are available to all users and can be accessed from the main menu.

This article is focused on the Background Tasks Table.

 

Background Tasks

This table displays the active and completed processes both for the current workspace, and for all workspaces. When in a workspace you have the ability to filter and view the active processes for the current workspace and to clear or cancel completed or active processes for the current workspace.

 

Access: Background Tasks can be accessed in two ways.

  1. From the main menu
  2. Clicking on the active spinner on the topology map

*main menu       *active background tasks spinner

 

Overview

The Background Tasks table shows the status of each task spawned by a data import, merge, analysis, or by running a policy.

  • Parsing tasks indicate the imported file is being normalized and hosts inferred.
  • Merge tasks combine the blueprints into the topology map.
  • Analysis tasks define all of the paths and open ports.
  • Policies review the active requirements to
    • identify potential risks for review
    • or to provide cell / text highlighting for reports

An example of the table is in the image below.

 

The report contains the following data and has the following functionality:

Report Data:

  • Task name
  • Progress
  • Workspace where the task is running
  • User who owns the task
  • The time it started or ended

Report Functions:

  • The check box allows the user to filter on the tasks pertinent to the current workspace.
  • The X allows the user to cancel a task that may be running too long or be stuck for some reason
  • The user can also cancel all tasks within a workspace using the “Cancel All for this Workspace” button

Performing a regular review of your compliance metrics is important for your organization. Performing the review manually is time consuming and tedious. Audit assistance provides the Compliance Team (Auditor, Compliance Officer, Compliance Analyst, and Consultants) with capabilities that allow users to:

  • Verify compliance with cybersecurity regulations and best practices through Policy Review.
  • Seamlessly store evidence for compliance review with Change Tracking.
  • Easily prepare compliance reports using the Audit Assistants listed below:

Workspace Report

The Workspace Report assistant is available within each workspace and will generate a report for a specific view that includes detailed information about configuration files that were imported and parsed including:

  • Configuration assessment report including risk alerts and warnings.
  • Ports and Interfaces
  • Access rules
  • Object groups
  • Path analysis

Industry Best Practice

The Best Practice assistant requires a license to activate. This report is available within each workspace to generate a report for a specific view that includes the following topics:

  • Parser Warnings and potential misconfigurations
  • Unused Object Groups
  • Access Rules missing a justification
  • Unnamed nodes
  • NP Best Practice Policies on Access Rules and CIS Benchmarks that have identified potential risks
  • ACLs with no explicit default deny rule

NERC CIP Compliance

The NERC CIP assistant requires a license to activate this function and guides the user through the steps required to create a report covering CIP-005 requirements. The NERC CIP audit assistant is only available within a NERC-CIP workspace and allows audit teams to classify BES Cyber Assets as High, Medium, and Low based on the standards. A category for untrusted (Internet, Corp, etc.) has been added to tag non-BES assets. NP-View allows compliance teams to collect and report evidence related to the following requirements:

  • CIP-002 – BES Cyber System Categorization; impact rating and 15-month review
  • CIP-003 – Security Management Control; cyber security policy
  • CIP-005 – Electronic Security Perimeter; remote access management
  • CIP-007 – System Security Management; ports and services
  • CIP-010 – Change Management and Vulnerability; configuration change management, configuration monitoring, vulnerability assessment

A demo workspace for the NERC CIP audit assistant is included with the software.  To see the audit assistant in action, follow these steps:

  1. Click on the demo workspace to build the topology.
  2. Create a custom view by selecting all of the firewalls, right click, Create View from Selection and give it a name.
  3. Once the view is generated, select Manage Zones from the left menu and click on the Auto Generate Zones button.
    1. Red zones represent your high criticality assets.
    2. Orange zones represent your medium criticality assets.
    3. Yellow zones represent your low criticality assets.
    4. Gray zones represent your untrusted assets.
  4. On the left menu, select Summary Reports and the NERC-CIP Compliance Report
  5. Click through the wizard, the defaults will represent the selections suggested by the auto group function.
  6. Click Generate Report to view the report in a new tab.

Compare path history

This interactive report, accessible from the main menu, provides a network path comparison between two points in time.

When a configuration file is added to the system and is different from the previously imported file, a new “Version” is created.

The user can select two versions to compare.  The resulting table will display the changes between the two files. Removals are shown in the left column and additions are shown in the right column.

 

*Compare Path History open with two versions selected

 

*Closeup on the comparison results

This article will focus on the Connectivity Paths Report.

NP-View uses reports to present network information related to the open workspace.  These reports are available to all users and can be accessed from the main menu. For more information visit the Workspace Reports Overview article.

Connectivity Paths

This report provides a summary of network paths and their analysis results. By clicking on a specific rule sequence, the associated access rule can be displayed for review and comment.

Connectivity Paths Columns

  • Destination: (PATH_DST_IP_BEGIN : PATH_DST_IP_END) IP address range of the destination
  • Destination Node: (PATH_DST_NODES) device name or IP address of the destination node
  • Path Number:  internally generated value used as a marker for each path.
  • Path Sequence: (PATH_SEQUENCE) List of IP address or devices traversed by the path from source to destination.
  • Port: (PATH_SRC_PORT_BEGIN) The port that is open along the path
  • Protocol: (PATH_PROTOCOL) The protocol enabled on the path
  • Rule Sequence: (PATH_RULE_SEQUENCE) Access list sequence of rules and reference line number within the configuration file
  • Service: (PATH_SERVICE) The service that corresponds to the open port.
  • Source: (PATH_SRC_IP_BEGIN : PATH_SRC_IP_END) IP address range of the source
  • Source Node: (PATH_SRC_NODES) device name or IP address of the source node

This article will focus on the Object Groups Report.

NP-View uses reports to present network information related to the open workspace.  These reports are available to all users and can be accessed from the main menu. For more information visit the Workspace Reports Overview article.

Object Groups – Defined

  • Object Groups classify users, devices, or protocols into “groups” and apply those groups to Access Control Lists (ACLs), to create access control policies for those groups.
  • The Object Groups report provides a summary of Network ACL Object Groups.
  • These object groups may include: Host IP addresses, network address of group members, and nested object groups.
  • Objects consist of several types including Address, Service, Binding, Interface, and Zone.

The Object Groups Report can be accessed in two ways. Each way presents a different data set.

  1. From the main menu, the table will populate the table with all objects for all devices in the workspace, including globals.
  2. From the topology, when clicking a Firewall/ Router/ Switch – its info panel will open – and the user can select Object Groups from the Data for this Device section.
    1. Only the objects for the selected device will be displayed in this case.

*main menu        *info panel

Network Management System:

When data is loaded from a firewall vs Network Management system, the listing of object groups for addresses may vary.

  • When viewing data from a network management system, globally defined groups may be available.
  • When the data is loaded from the firewall, the global addresses may be presented as local addresses.

 

What Data is Present?

The list below the image details the data types available in the Object Groups Report.

  • Change Status: used in comparison mode to reflect added, unchanged and removed objects.
  • Comment: (Author, Criticality, Date) User entered comments (or justification) and criticality levels (low, medium, high).
  • ID: NP object identifier
  • Internal: NP object identifier
  • Luid: NP object identifier
  • Name: (OBJECT_NAME) Name of the object group which may include:
    • Any IP address–includes a range from 0.0.0.0 to 255.255.255.255
    • Host IP addresses
    • Hostnames
    • Other network object groups
    • Ranges of IP addresses
    • Subnets
  • Object ID: Value for linking rules to comments.  This column must be displayed when exporting the object table for enrichment and reimport.
  • Origin: (OBJECT_ORIGIN) Name of the device containing the object definition
  • Type: (OBJECT_TYPE) Address, Service, Zone or Protocol
  • Unused Status: (OBJECT_STATUS) Cisco, Juniper and Fortinet status column which defines if the object is not used.  True = Unused.
  • Value: (OBJECT_VALUE) Content of the object group

Table Actions

There are a number of actions that can be taken in the Object Groups report, some are specific to Object Groups, others are universal to all Reports.

  • Overflow Data: When there is more data in a Cell than can be presented in a column, the overflow data can be accessed by clicking the + icon in the cell.
  • Object Group Details: The name column will show related object data details within the + popup.
  • Columns can be displayed or hidden using the hamburger menu in the upper right corner of the report.
  • Changes to the menu are automatically saved.
  • Additionally, the table can be exported as displayed, with comment history or with object groups.
  • Only visible columns will be displayed.
  • Columns can be sorted, rearranged or resized and changes will be automatically saved.
  • Column filters can be displayed.
  • Filters applied to the table or column will automatically be saved.
  • Filters can be reset from the hamburger menu.

*the Object Groups Report Menu


Comments

NP-View provides a simple and easy way for users to add comments to Object Groups, and to track the historical lineage of these comments in a workspace. Comments can be added or viewed but, for integrity purposes, they cannot be edited or deleted by users.  If an Object Group is changed or removed from the system, the group and its associated comments will be removed from the Object Group table.

Adding a Comment: Comments can be added to a row by double-clicking on the cell in the column “Comment”.  Comment text and status can be added and then saved with the save button. Once the comment is saved, the author and time stamp are automatically inserted.

*applying comment

*applying comment – closeup

Comment History: Additional comments can be added to a row to begin creating a lineage or history of comments. This history will be automatically available when more than one comment exists on a row and can be expanded by clicking the blue clock icon on the leftmost column of the table. If there is no history the icon will be disabled.

When viewing history, changes between lines are highlighted in blue.

Example: If Comment 1 is: “Check This” – ‘medium’ and Comment 2 is “Check This” – ‘low’ the criticality cell would be highlighted because there was a change – the comment text would not be highlighted because it remained the same.

*Viewing comment history

*Viewing comment history – closeup


Object Groups Hash

Object groups are uniquely tagged (Object ID) within NP-View for linkage to comments. The tag (hash) is calculated based on a combination of the following data fields.  Available data varies based on manufacturer so, some fields may not apply to specific manufacturers.  Most of the below fields are defined above. For the fields unique to the hash, they are documented below.

If any of the data in these fields changes, the tag will change and previously linked comments and metadata will no longer be associated with this object.

  • OBJECT_NAME
  • OBJECT_TYPE
  • OBJECT_ORIGIN
  • OBJECT_VALUE
  • OBJECT_STATUS
  • OBJECT_TAG –

Additional Features

  • The Compare button invokes a time series comparison function for the report.   Additional details on this function can be found here.
  • Comments can be imported from an Excel file.  Additional details on this function can be found here.
  • Conditional formatting can be applied to this table report.  Additional details on this function can be found here.

Access Rules and Object Groups have a Compare function to show historical differences in data that has been added or removed. The function can be engaged by clicking the “Compare” button located at the top of the page. This function is used to display changes over a period of days.

The user can select a time frame (7, 30, 90 or 365 days, or a custom date range) and one or more devices to include in the report, then show the history over that range. Once the parameters are selected, click the “Show Comparison” button.

The comparison function will display all changes (Rule Adds, Rule Removals and Unchanged Rules) for the selected period, using the column format of the selected table. The user can filter on added, removed or unchanged rules by clicking the corresponding “jelly bean” filter. Added rules are highlighted in green, removed rules in red and unchanged rules in light blue.

Clicking the “Compare” button will revert to the normal table but will not clear the selections.

Clicking the “Reset” button will clear the selections and reset the table.
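
The two mechanisms described above, the field-derived Object ID and the added/removed/unchanged comparison, can be illustrated together. The following is an added example in POSIX shell and awk, not NP-View's own code: the hash algorithm NP-View uses is not documented here, so the tag is computed as a truncated SHA-256 of the six hash fields joined with “|” purely for illustration, and the object rows and comment rows are constructed. It shows that a change to any hash field produces a new tag (the object appears as removed plus added, and comments keyed on the old tag are orphaned), and how comparing two versions by tag classifies each row.

```shell
#!/bin/sh
# Added example, not NP-View's own code. Object rows are
# "NAME|TYPE|ORIGIN|VALUE|STATUS|TAG"; comment rows are "OBJECT_ID|AUTHOR|TEXT".
set -e

# sha256_text: SHA-256 of stdin, portable across sha256sum / shasum
sha256_text() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | awk '{print $1}'
  else shasum -a 256 | awk '{print $1}'; fi
}

# object_tag ROW -> illustrative Object ID: first 16 hex digits of SHA-256 over
# the joined fields (assumption: NP-View's real tag derivation is not documented here)
object_tag() {
  printf '%s' "$1" | sha256_text | cut -c1-16
}

# tag_objects FILE -> prints "TAG|ROW" for every non-empty row in FILE
tag_objects() {
  while IFS= read -r row; do
    [ -n "$row" ] || continue
    printf '%s|%s\n' "$(object_tag "$row")" "$row"
  done < "$1"
}

# compare_objects OLD_FILE NEW_FILE -> prints "added|...", "removed|...", "unchanged|..."
# A row whose fields changed gets a new tag, so it shows up as removed + added,
# which is exactly when previously entered comments stop being linked to it.
compare_objects() {
  old_tags=$(mktemp); new_tags=$(mktemp)
  tag_objects "$1" > "$old_tags"
  tag_objects "$2" > "$new_tags"
  awk -F'|' 'FILENAME == ARGV[1] { old[$1] = 1; next }
             { cls = ($1 in old) ? "unchanged" : "added"; print cls "|" $0 }' "$old_tags" "$new_tags"
  awk -F'|' 'FILENAME == ARGV[1] { new[$1] = 1; next }
             !($1 in new) { print "removed|" $0 }' "$new_tags" "$old_tags"
  rm -f "$old_tags" "$new_tags"
}

# orphaned_comments COMMENTS_FILE NEW_FILE -> comments whose object tag no longer exists
orphaned_comments() {
  new_tags=$(mktemp)
  tag_objects "$2" > "$new_tags"
  awk -F'|' 'FILENAME == ARGV[1] { new[$1] = 1; next } !($1 in new)' "$new_tags" "$1"
  rm -f "$new_tags"
}

# Constructed sample: one firewall's address/service objects in two versions.
# corp-dns gains a second address, legacy-ftp is dropped, corp-syslog is new.
sample_old() {
  cat <<'EOF'
corp-dns|Address|fw-edge-1|10.1.1.53/32|false|
corp-ntp|Address|fw-edge-1|10.1.1.123/32|false|
legacy-ftp|Service|fw-edge-1|tcp/21|true|
EOF
}
sample_new() {
  cat <<'EOF'
corp-dns|Address|fw-edge-1|10.1.1.53/32,10.1.2.53/32|false|
corp-ntp|Address|fw-edge-1|10.1.1.123/32|false|
corp-syslog|Service|fw-edge-1|udp/514|false|
EOF
}

# Example: sample_old > old.txt; sample_new > new.txt; compare_objects old.txt new.txt
```

With the sample data the comparison reports corp-ntp as unchanged, corp-syslog and the re-defined corp-dns as added, and legacy-ftp plus the original corp-dns as removed; a comment keyed on the old corp-dns tag is therefore orphaned even though an object by that name still exists.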

 

Expanded Object Groups

In the Access Rules table, Source, Destination and Service groups can be expanded to see the group details.  By clicking on the + icon within a cell, the expanded group information can be made visible.