Connectors (Server)

The use of service accounts is a recommended best practice when connecting to devices through connectors. The service account can be read-only and must have API privileges.  When entering credentials related to an Active Directory domain, it is recommended to enter the username using the format account@domain.xyz instead of domain.xyzaccount as the backslash can cause unexpected issues.

For R80, we recommend creating the service account in the SmartCenter (not Gaia) ensuring the account provides access to the Web API.

The fields required for the AWS connector can be found at:

1. Access Key ID & Secret Access Key

The fields required for the Azure connector are:

1. Tenant ID
2. Client ID & Client Secret
3. Subscription ID
4. Resource Group Name

For the connector to work CheckPoint devices, the API setting need to be enabled in the SmartConsole.  See the image below for settings and commands to restart the API.

CheckPoint and Palo Alto network management systems provide files with multiple devices. The connectors for these systems allow for the selection of individual devices to load into NP-View. The user can input the names of the devices, one per line, or select the “Retrieve device list” button to be provides a selection list.

If Forescout is truncating the data imported into NP-View, use the following command on Forescout to extend the size of the retrieved file:  fstool set_property fs.np.field.string.limit.def YYYY where YYYY represents the number of lines to import (e.g., fstool set_property fs.np.field.string.limit.def 25000)

The fields required for the GCP connector are:

1. GCP ID
2. Service Account Credentials

Network Perception suggests the following when setting up the SMB connection.

1. Create a read-only user in Active Directory or on the SMB server.
2. Determine the available share (Get-SMBShare” in Windows PowerShell) or create a new one.
3. Share the SMB folder containing the Configuration files with the read-only user. For example:
4. If using the date folder and recursive search feature, clicking “See Current Date Folder” will retrieve most recent folder, in YYYYMMDD format, in the “Current Root Folder” f field. For example:

Optional fields:

1. Path to Root Folder – Directory you want to be the root folder relative to your default SMB root folder.
2. Recursive Search – Whether or not to search recursively starting at the connector’s root folder.
3. Name Filter – Filters file/directory names based on given regex statements. Any file/directory that fully matches ANY given regex statement will be included in result.
4. File Decryption Key – a PGP key can also be provided if the files retrieved have been encrypted.

If during the connector test, access is denied, the following settings should be verified and may need to be changed for the SMB to work as expected.

Running PowerShell as administrator

Input command Get-SmbServerConfiguration

Verify that EncryptData is set to false

If set to true, run command “Set-SmbServerConfiguration -EncryptData 0”

Verify  SmbServerHardeningLevel is set to 0

If not set to 0, run command “Set-SmbServerConfiguration -SmbServerNameHardeningLevel 0”

Microsoft recommended default is off (0). More information about these settings can be found on the Microsoft website.

NP-View has the ability to handle HA Groups.

As a best practice, if using SSH shares, it is best to erase the entire folder and replace with the config files from the current active devices.  It is also a best practice to name the HA devices similarly for comparison.  For example:

Pittsburgh_FW1

Pottsbirgh_FW2

etc.

For Samba shares, a similar method should be used but, the SMB connector has an extra feature of navigating date labeled folders.

Refer to the Samba section for details.