Connectors

Updated
November 5, 2024

NP-View includes a utility to automatically retrieve network device configuration files on a schedule. The connector types supported in NP-View Server are below:

Configuration Managers

For retrieving config files from network management systems. For each connector, the user can select the devices to be uploaded for monitoring.

| Manufacturer | Type/Model | Configuration Information Required | Connection Type |
|---|---|---|---|
| Fortinet | FortiManager (6.4.x, 7.0.x) | Hostname or IP address plus login credentials | HTTPS + optional SSL server verification |
| Palo Alto | Panorama (10.x, 11.x) | Hostname or IP address plus login credentials. See device selection section below for additional information. | HTTPS |
| SolarWinds | Network Configuration Manager (Orion Platform HF3, NCM HF1: 2020.2.6) | Hostname or IP address plus login credentials | HTTPS |

Direct Device Connection

For retrieving config files directly from the network device.

| Manufacturer | Type/Model | Configuration Information Required | Connection Type |
|---|---|---|---|
| Check Point | R81.x | Hostname or IP address plus login credentials. See device selection and service account sections below for additional information. | HTTPS + optional SSL server verification |
| Cisco | Adaptive Security Appliance (ASA 9.19) | Hostname or IP address plus login credentials, enable password and optional context | SSH |
| Cisco | Internetwork Operating System (IOS 15.9) | Hostname or IP address plus login credentials, enable password and optional context | SSH |
| Fortinet | FortiGate (FortiOS 7.0, 7.2) | Hostname or IP address plus login credentials. Note: SCP should be enabled in the configuration. | SSH |
| Palo Alto | NGFW (PanOS 10.x, 11.x) | Hostname or IP address plus login credentials | HTTPS |

Volume Shares

For retrieving config files that are uploaded to a common collection repository.

| Platform | Connection | Configuration Information Required | Connection Type |
|---|---|---|---|
| Windows | SMB Share (Samba) | Hostname or IP address, share name, device name and root folder path | SMB/CIFS |
| Linux | SSH Share (Server Only) | Hostname or IP address and folder path. Optionally an include list and exclude list can be defined. | SSH |

Additional Connector Information

Service Account

The use of service accounts is a recommended best practice when connecting to devices through connectors. The service account can be read-only and must have API privileges. When entering credentials for an Active Directory domain, enter the username in the format account@domain.xyz instead of domain.xyz\account, as the backslash can cause unexpected issues.

Checkpoint

For the connector to work with Check Point devices, the API setting needs to be enabled in SmartConsole. See the image below for settings and commands to restart the API.

Device Selection from Multi Config Systems

The Check Point, Palo Alto Panorama and Fortinet FortiGate connectors provide files that contain multiple devices. The connectors for these systems allow individual devices to be selected for loading into NP-View. The user can select the "Retrieve device list" button to be provided with a selection list. Cisco ASA with Multi Context and FortiManager are still a work in progress.

Collecting Auxiliary Data from Devices

Auxiliary data will automatically be downloaded by the connectors for Cisco ASA and Cisco IOS devices. If the data is manually collected, use the following commands and file naming conventions.

Cisco ASA
  1. show running-config → 'devicename'_'contextname'.txt
  2. show arp → 'devicename'_'contextname'_arp_table.txt
  3. show route → 'devicename'_'contextname'_route_table.txt
  4. show interface → 'devicename'_'contextname'_interface_table.txt

Cisco IOS
  1. show running-config → 'devicename'.txt
  2. show ip arp → 'devicename'_arp_table.txt
  3. show ip interface brief → 'devicename'_interface_table.txt

Once all of the files are collected, manually load the files from each device together, and separately from the files of other devices, so that they are associated correctly.
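A pre-load check for manually collected files, as an added example that is not part of NP-View: it builds the file names the convention above requires for each device and flags missing or misnamed files. The inventory, device names, context name and file list are constructed, and the example assumes every ASA entry has a context name.

```powershell
# Added example, not NP-View code. Device names, contexts and file names are constructed.
$Suffix = @{
    ASA = [ordered]@{ 'show running-config' = ''; 'show arp' = '_arp_table'
                      'show route' = '_route_table'; 'show interface' = '_interface_table' }
    IOS = [ordered]@{ 'show running-config' = ''; 'show ip arp' = '_arp_table'
                      'show ip interface brief' = '_interface_table' }
}

function Get-ExpectedFile {
    param([string]$Platform, [string]$Device, [string]$Context)
    # ASA files carry the context name; IOS files use the device name alone.
    $base = if ($Platform -eq 'ASA') { "${Device}_${Context}" } else { $Device }
    foreach ($cmd in $Suffix[$Platform].Keys) {
        [pscustomobject]@{ Base = $base; Command = $cmd
                           FileName = "$base$($Suffix[$Platform][$cmd]).txt" }
    }
}

function Test-CollectedFile {
    param([object[]]$Inventory, [string[]]$Collected)
    $expected = @(foreach ($d in $Inventory) {
        Get-ExpectedFile $d.Platform $d.Device $d.Context
    })
    # Missing: the command output still has to be captured for that device.
    $expected | Where-Object { $Collected -notcontains $_.FileName } |
        ForEach-Object { "MISSING     $($_.FileName)  (run '$($_.Command)' for $($_.Base))" }
    # Unexpected: the name does not follow the convention, so it cannot be associated.
    $Collected | Where-Object { $expected.FileName -notcontains $_ } |
        ForEach-Object { "UNEXPECTED  $_" }
}

# Constructed inventory and folder listing: one ASA context and one IOS router.
$inventory = @(
    [pscustomobject]@{ Platform = 'ASA'; Device = 'fw-edge01';  Context = 'admin' }
    [pscustomobject]@{ Platform = 'IOS'; Device = 'rtr-core01'; Context = $null }
)
$collected = @(
    'fw-edge01_admin.txt', 'fw-edge01_admin_arp_table.txt',
    'fw-edge01_admin_interface_table.txt',      # route table was never captured
    'rtr-core01.txt', 'rtr-core01_arp.txt',     # misnamed: should be _arp_table.txt
    'rtr-core01_interface_table.txt'
)
Test-CollectedFile -Inventory $inventory -Collected $collected
```

To check a real collection folder, pass `(Get-ChildItem -File <folder>).Name` as `-Collected`.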

Samba

Network Perception suggests the following when setting up the SMB connection.

  1. Create a read-only user in Active Directory or on the SMB server.
  2. Determine the available share ("Get-SMBShare" in Windows PowerShell) or create a new one.
  3. Share the SMB folder containing the Configuration files with the read-only user. For example:

Configuration:

Let's assume that the server is at \\192.168.140.14\
  • the shared folder is named 'share'
  • the files are in a subfolder of share called \test\NERC-CIP-EMS
  • the UNC path would look like this: \\192.168.140.14\share\test\NERC-CIP-EMS
  • per the above, the device name was set to LAB-SMB
When configuring the SMB connector, the screen would look like this:

If access is denied during the connector test, verify the following settings; they may need to be changed for the SMB connection to work as expected.

  1. Run PowerShell as administrator.
  2. Run the command "Get-SmbServerConfiguration".
  3. Verify that EncryptData is set to false. If it is set to true, run the command "Set-SmbServerConfiguration -EncryptData 0".
  4. Verify that SmbServerNameHardeningLevel is set to 0. If it is not set to 0, run the command "Set-SmbServerConfiguration -SmbServerNameHardeningLevel 0".

The Microsoft recommended default is off (0). More information about these settings can be found on the Microsoft website.
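The share setup and the two settings checks above as one script, added here as an example and not taken from Network Perception. The account name and local path are hypothetical, 'share' is the share name from the example above, and the read-only account from step 1 is assumed to exist already.

```powershell
# Added example, not Network Perception code. Run in an elevated session on the SMB server.
$Account   = 'LAB\svc-npview-ro'   # hypothetical read-only account created in step 1
$ShareName = 'share'               # share name used in the page's sample UNC path
$SharePath = 'D:\share'            # hypothetical local folder behind the share

# Steps 2-3: reuse the share if it exists, otherwise create it; grant Read only.
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Grant-SmbShareAccess -Name $ShareName -AccountName $Account -AccessRight Read -Force |
        Out-Null
} else {
    New-SmbShare -Name $ShareName -Path $SharePath -ReadAccess $Account | Out-Null
}

# NTFS permissions apply in addition to share permissions: read and execute,
# inherited by subfolders and files (covers \test\NERC-CIP-EMS in the sample).
icacls $SharePath /grant "${Account}:(OI)(CI)RX" | Out-Null

# Confirm the connector account holds nothing broader than Read on the share.
Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -eq $Account } |
    Select-Object AccountName, AccessControlType, AccessRight |
    Format-Table -AutoSize

# Report the two settings the troubleshooting steps check, without changing them.
$cfg = Get-SmbServerConfiguration
[pscustomobject]@{
    EncryptData                 = $cfg.EncryptData                  # steps expect False
    SmbServerNameHardeningLevel = $cfg.SmbServerNameHardeningLevel  # steps expect 0
} | Format-List

# Both values are server-wide: Set-SmbServerConfiguration changes them for every
# share on this host, not only the one NP-View reads.
```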

SSH and Samba for HA Groups

NP-View has the ability to handle HA Groups.

As a best practice, if using SSH or SMB shares, overwrite the entire folder with updated config files from the current active devices. It is also a best practice to name the HA devices similarly for comparison. For example:

Pittsburgh_FW1

Pittsburgh_FW2

etc.

For Samba shares, a similar method should be followed.

Refer to the Samba section for details.

If you have a system for which you need a connector or if you encounter a technical issue, please contact support@network-perception.com.