Connectors
NP-View includes a utility to automatically retrieve network device configuration files on a schedule. The list of connectors that are currently included with NP-View is as follows:
Cloud Providers
For retrieving VLAN and services configurations from cloud providers.
Provider |
Type/Model |
Configuration Information Required |
Connection Type |
|---|---|---|---|
| Amazon | AWS | AWS API Access Key, Secret Key and Region to monitor | Boto3 (HTTPS + OAuth2) |
| Google Cloud Platform | GCP ID, Service Account Credentials | HTTPS + OAuth2 | |
| Microsoft | Azure | Azure Tenant ID, Client ID, Client Secret, Subscription ID, and Resource Group Name | HTTPS |
Configuration Managers
For retrieving config files from network management systems. For each connector, the user can select the devices to be uploaded for monitoring.
Manufacturer |
Type/Model |
Configuration Information Required |
Connection Type |
|---|---|---|---|
| Check Point | R80.x/R81.x | Hostname or IP address plus login credentials See device selection and service account sections below for additional information |
HTTPS + optional SSL server verification |
| Forescout | Enterprise Manager | Install of the NP-Live Plugin for ForeScout into your ForeScout Enterprise manager. See this document for details and the additional instructions section below. | Java plugin |
| Fortinet | FortiManager (7.0.5, 6.4.8, 6.2.10, 6.0.14) | Hostname or IP address plus login credentials | HTTPS + optional SSL server verification |
| Infoblox | NetMRI | Hostname or IP address plus login credentials | HTTPS |
| Palo Alto | Panorama (9.1.x, 10.1.x) | Hostname or IP address plus login credentials See device selection section below for additional information |
HTTPS |
| SolarWinds | Network Configuration Manager (Orion Platform HF3, NCM HF1: 2020.2.6) | Hostname or IP address plus login credentials | HTTPS |
| Tripwire | Enterprise Manager | Hostname or IP address and login credentials plus a tripwire policy rule to invoke. | HTTPS + optional SSL server verification |
Direct Device Connection
For retrieving config files directly from the network device.
Manufacturer |
Type/Model |
Configuration Information Required |
Connection Type |
|---|---|---|---|
| Cisco | Adaptive Security Appliance (ASA) | Hostname or IP address plus login credentials, enabling password and optional context | SSH |
| Cisco | Internetwork Operating System (IOS) | Hostname or IP address plus login credentials, enabling password and optional context | SSH |
| Fortinet | FortiGate Firewall and NGFW | Hostname or IP address plus login credentials Note: SCP should be enabled in the configuration (instructions) |
SSH |
| Juniper | JunOS Firewall | Hostname or IP address plus login credentials | SSH |
| Palo Alto | NGFW (PAN-OS) | Hostname or IP address plus login credentials | HTTPS |
Volume Shares
For retrieving config files that are uploaded to a common collection repository.
Platform |
Connection |
Configuration Information Required |
Connection Type |
|---|---|---|---|
| Windows | SMB Share – Legacy (Samba) | Hostname or IP address, and folder path. Optionally a white list and black list can be defined. Optional. A PGP key can also be provided if the files retrieved have been encrypted. | SMB/CIFS |
| Windows | SMB Share – Date Folder Strategy (Samba) | Hostname or IP address, share name and device name.
Optional: Root folder path, recursive search, name filter and a PGP key can also be provided if the files retrieved have been encrypted. |
SMB/CIFS |
| Linux | SSH Share | Hostname or IP address and folder path. Optionally a white list and black list can be defined. Optional. A PGP key can also be provided if the files retrieved have been encrypted. | SSH |
Additional Connector Instructions
Service Account
The use of service accounts is a recommended best practice when connecting to devices through connectors. The service account can be read-only and must have API privileges. When entering credentials related to an Active Directory domain, it is recommended to enter the username using the format account@domain.xyz instead of domain.xyzaccount as the backslash can cause unexpected issues.
For R80, we recommend creating the service account in the SmartCenter (not Gaia) ensuring the account provides access to the Web API.
AWS
The fields required for the AWS connector can be found at:
- Virtual Networks
- Network Security Groups
- Subnets
- Network Interfaces
- Virtual Machines (EC2)
Azure
The fields required for the Azure connector are:
- Virtual Networks
- Network Security Groups
- Subnets
- Storage Accounts
- Network Interfaces
- Virtual Machines
CheckPoint
For the connector to work CheckPoint devices, the API setting need to be enabled in the SmartConsole. See the image below for settings and commands to restart the API.
Device Selection
CheckPoint and Palo Alto network management systems provide files with multiple devices. The connectors for these systems allow for the selection of individual devices to load into NP-View. The user can input the names of the devices, one per line, or select the "Retrieve device list" button to be provides a selection list.
Forescout
If Forescout is truncating the data imported into NP-View, use the following command on Forescout to extend the size of the retrieved file: fstool set_property fs.np.field.string.limit.def YYYY where YYYY represents the number of lines to import (e.g., fstool set_property fs.np.field.string.limit.def 25000)
Google Cloud Platform
The fields required for the GCP connector are:
- Firewall rules (`gcloud compute firewall-rules list --format=json`)
- Instances (`gcloud compute instances list --format=json`)
- Subnets (`gcloud compute networks subnets list --format=json`)
- Routes (`gcloud compute routes list --format=json`)
- VPN Gateways (`gcloud compute vpn-gateways list --format=json`)
- VPN Tunnels (`gcloud compute vpn-tunnels list --format=json`)
Samba
Network Perception suggests the following when setting up the SMB connection.
- Create a read-only user in Active Directory or on the SMB server.
- Determine the available share (Get-SMBShare" in Windows PowerShell) or create a new one.
- Share the SMB folder containing the Configuration files with the read-only user. For example:
- If selecting the SMB - Date Folder Strategy connector, clicking "See Current Date Folder" will retrieve most recent folder, in YYYYMMDD format, in the "Current Root Folder" field. For example:
Optional fields:
- Path to Root Folder - Directory you want to be the root folder relative to your default SMB root folder.
- Recursive Search - Whether or not to search recursively starting at the connector's root folder.
- Name Filter - Filters file/directory names based on given regex statements. Any file/directory that fully matches ANY given regex statement will be included in result.
- File Decryption Key - a PGP key can also be provided if the files retrieved have been encrypted.
SSH and Samba for HA Groups
NP-View has the ability to handle HA Groups.
As a best practice, if using SSH shares, it is best to erase the entire folder and replace with the config files from the current active devices. It is also a best practice to name the HA devices similarly for comparison. For example:
Pittsburgh_FW1
Pottsbirgh_FW2
etc.
For Samba shares, a similar method should be used but, the SMB connector has an extra feature of navigating date labeled folders.
Refer to the Samba section for details.
If you have a system for which you need a connector or if you encounter a technical issue, please contact support@network-perception.com.
