Knowledge Base

Getting Started

What We Do

Are you Prepared to Defend your Critical Assets?

At Network Perception, we have combined our vast expertise of critical asset protection with next-gen technology to guide our customers on a path to cyber resiliency.

  • The journey starts with establishing a clear baseline and verifying that internal risk mitigation controls are followed.
  • The next step consists of gaining an accurate visibility of network architecture and cybersecurity posture.
  • Finally, developing a continuous monitoring approach to gain velocity and adapt quickly to disruptions.

Compliance Verification

Verify configurations and network segmentation

1. Policy Review
  • Easily review firewall access policies and object groups
  • Identify configuration risks automatically
  • Establish configuration change review process
2. Audit Assistance
  • Verify compliance with cybersecurity regulations and best practices
  • Seamlessly store evidence for compliance review
  • Easily prepare compliance reports
Risk Assessment Grading

Cybersecurity Visibility

Visualize vulnerability and risk exposure

3. Architecture Review
  • Visualize an accurate topology of the network architecture
  • Identify and label critical cyber assets and critical network zones
  • Easily review which devices are protecting which network zones
4. Network Risk Assessment
  • Assess accuracy of network segmentation
  • Identify risky network connectivity paths
  • Understand exposure of vulnerable assets
Cybersecurity Visibility

Operational Velocity

Accelerate risk mitigation and recover faster

5. Continuous Configuration Monitoring
  • Transition from point-in-time to 24/7 risk assessment with automated notification
  • Automate change review process using ticketing system integration and sandboxing
  • Leverage a time machine to navigate through the network evolution
6. Incident Response Preparation
  • Align network architecture understanding and break silos through a single pane of glass
  • Train first responders and harden defense via realistic attack scenario simulation
  • Prioritize vulnerability mitigation faster
Operational Velocity

Installing NP-View Desktop

NP-View is designed to run on a Windows 10 or Windows 11 with a recommended configuration of a 10th Gen Quad Core Processor and 16GB of RAM.  This configuration should be sufficient for processing large data files up to 500,000 lines.  Simultaneously loading and analyzing multiple devices with larger configuration files will maximize the use of available system resources and additional RAM may be required.

Installation Process

  • Sign up on the Portal website to download the latest version of NP-View Desktop and to download a license key.  A SHA256 checksum is supplied with each download.  You can calculate the checksum on the files you download to verify the integrity of the files:
    • Windows Powershell: Get-FileHash /the/full/path/to/your/filename.exe | Format-List
    • Linux: sha256sum /the/full/path/to/your/filename.Appimage
    • macOS 11: shasum -a 256 /full/path/to/your/filename.app
  • Windows 10/11:
    • Launch the Windows installer with a double click.
      • User may need to adjust UAC (User Access Controls) depending on security settings.
    • The only dependency required on Windows is .NET framework 4
    • Once installed, NP-View will automatically launch.
    • Allow ports for private/public network if prompted.

NP-View has been designed to run offline, which means that the network connections attempted towards a public NTP server, the local DNS server, and the Network Perception update server are optional and do not affect the system if the internet is unavailable. More information on configuring NP-View can be found here.

Configuring NP-View Desktop

System Performance

NP-View Desktop is a resource intensive application.  For best performance, please ensure your system’s Power plan is set to High performance.

If you have administrator access, you can enable Ultimate Performance by opening the command prompt as administrator and copy paste: powercfg -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61 and press enter.

Windows control panel:

First Login

  • Upon first login, NP-View Desktop will require you to create an administrator account. Fill in the required information and click the “Create the NP-View administrator account” button. The password can be as simple or as complex as the user desires but needs to be at least 8 characters.
    • Local authentication is for users who wish to add an additional layer of protection. With this, the user can use whatever e-mail address and password they choose. If the user logs out of the system, the user id and password will be required upon subsequent application launches.  Otherwise, the session remains open and authentication is not required.
  • Read and accept the user agreement.
  • Next, you will need to enter your license key.  Once input, click the “Add license key” button.
  • Select your preferences for checking for automatic updates (requires internet access) and participation in our voluntary improvement program. Both selections use a slider that is default to off. To opt in, click the button and it will slide to the right. Click the save preferences button to complete.
  • Next click the get started button

User Menu

Access to the Help Center, License Manager, Update Manager and other administrative functions can be found on the User Menu located in the top-right corner of the Workspaces page.

Getting Started

On the Workspaces Page,  NP-View provides a demo workspace as well as the ability to start creating your own workspaces.  Click here to learn more about using workspaces.

Software Version

If you contact technical support, they will ask you for the software edition and version you are running. It can be found on the bottom left corner of the home screen.

Software Uninstall

To uninstall NP-View Desktop,

  • Windows 10/11: use the add or remove programs feature to remove the software
    • Use the add or remove programs feature to remove the software
    • Delete folder: ~AppData/Roaming/NP-View
    • Delete folder: ~AppData/Local/Programs/NP-View
    • Delete folder: ~AppData/Local/np-view-updater

Password Reset

Remove the file at the location listed below and restart the application to input your credentials.

  • Windows: Delete the file ~AppData/Roaming/NP-View/db/auth_provider.cfg and then restart NP-View.

License Changes / Upgrades

If you input a new license key from network perception, the user must log out and log back in for the changes to take effect. Note that the license key function is only available from the home screen (not from within a workspace).

Upload File Size Limit

NP-View enforces a maximum file size of 200MB by default. To change it, the config.ini file must be edited and the following row added:  MAX_IMPORT_SIZE=<size in bytes>. For example:  MAX_IMPORT_SIZE=209715200 which corresponds to 200MB.

  • Windows: the config.ini file can be found at:  ~AppData/Roaming/NP-View/config.ini

Windows Path/File Name Length Limit

Microsoft Windows has a MAX_PATH limit of 256 characters.  If the path and filename exceed 256 characters, the file import will fail.

For example:  C:\Users\<username>\AppData\Roaming\NP-View\db\workspace\<np-view-user>@<workspace>\devices\<filename>

Installing NP-View Server

NP-View Server has been designed to be easily installed by a single person who has moderate Linux skills. This article provides step-by-step instructions on the installation process, which includes:

  1. Provisioning a server
  2. Downloading NP-View server
  3. Installing NP-View server
  4. Installing a SSL Certificate

NP-View is accessed through a web browser (Edge, Chrome, Firefox) running on a modern operating system (Windows 10 or later, macOS 11 Big Sur or later, Ubuntu 20 or later) with a recommended configuration of a 10th Gen Quad Core Processor and 16GB of RAM.

Provisioning a Server

The following table documents the CPU, memory, and disk requirements based on the number of network device configuration files monitored by NP-View server:

Number of network devices monitored (firewall, router, switch) / concurrent users Min. CPU Memory Disk Space
Up to 50 devices / 3 concurrent users 4-core 16GB 200GB
Up to 100 devices / 5 concurrent users* 8-core 32GB 400GB
Up to 500 devices / 10 concurrent users 16-core 64GB 2TB
Up to 1,000 devices / 20 concurrent users 32-core 128GB 4TB

Greater than 1,000 devices please contact support to discuss requirements.

Recommended as the minimum for most Professional Server users.

Note: loading and analyzing devices utilizes the majority of the CPU and Memory capacity.  The higher the server capacity and the faster the CPU, the faster devices will load and be analyzed.

Network ports used by NP-View server

The following ports are used by NP-View server.  Please ensure these ports are open on your firewall for proper communication.

Required ports:

  • TCP/22: SSH server to provide secure console access to the NP-Live server
  • TCP/443: access to NP-View Web UI through HTTPS
  • TCP/8443: access to NP-View connectors Web UI through HTTPS

Optional ports:

  • TCP/80: access to NP-View Web UI through HTTP
  • TCP/389: access to Active Directory / LDAP for LDAPv3 TLS
  • TCP/445: access to NP-View SMB Connector
  • TCP/636: access to Active Directory / LDAPS for TLS/SSL
  • TCP/8080: access to NP-View connectors Web UI through HTTP

Firewall Rules

The source IP should be the client workstation that will access NP-View and the destination IP should be the NP-View Linux server.

Downloading NP-View Server

Sign up on the Portal website to download the latest version of NP-View server and the license key.  A SHA256 checksum is supplied with each download by clicking on the “show checksum” link.  You can calculate the checksum on the files you download to verify their integrity:

  • Windows 10/11 using Powershell: Get-FileHash /the/full/path/to/your/file/name/extension | Format-List
  • Linux: sha256sum /the/full/path/to/your/file/name/extension
  • MACOS: shasum -a 256 /full/path/to/your/file/name/extension

Installing NP-View Server

NP-View server is a Linux application. It can be installed on a virtual machine or physical hardware. There are 2 package formats available:

  • NP-View Virtual appliance (~2GB OVF) that works on all major hypervisor with support for the .vmdk disk format (e.g., VMWare ESXi).
  • NP-View Linux installer (~600MB) that works on all major Linux distributions on which Docker can be installed

The NP-View OVF uses Ubuntu Server 22.04 LTS or later. Root access is provided (see the text file provided with the .OVF) so the operating system can be periodically updated. This option should be used for new installations. The NP-View Linux installer is used to update NP-View on an existing system or for a new install on a Linux server.

Note: Network Perception does not recommend running NP-View in a double virtualized environment (Linux VM encapsulated within a Windows VM) as the operation of connectors, notifications and external interfaces can be unpredictable.

Option 1: Using the NP-View Linux Installer

Once downloaded from the portal, follow the steps below to complete the install:

  1. Move installer to server – This may require ssh or other user account permissions
    1. Place the file in a location you can access from the terminal
    2. /tmp – this is a temp folder available at the root directory
    3. /opt/np-live – this is the default NP View server root directory
  2. You can use the “ls” command to see what is in your current directory
  3. Log into the terminal or use SSH (Putty, PowerShell, etc.) into the Linux server
  4. Set root level permission with the command (this will allow you type commands without adding “sudo” to each command)
    • sudo -I
  5. Navigate to the directory in which the NP-View Server Linux installer was placed
    • Use the ls command to verify file is in this directory
  6. Run the installer with the command (Docker must be installed before this step)
    • Example: sh NP-View_Full_Filename.sh (example: NP-View_Server_Linux_4.0.5-add6)
  7. The installer will begin by checking for a running instance of Docker and internet connection
    • If Docker is not installed and running the installer will stop and you will have to manually install the latest version of Docker before continuing
    • If an internet connection is available and Docker isn’t installed, the installer will automatically download and install the latest version of Docker
    • If an internet connection isn’t available but Docker is installed, the installer will continue offline (Most Common Scenario)
    • If you are installing NP-View Server on Red Hat Enterprise Linux, use the following commands to install docker:
      • yum update
      • dnf config-manager –add-repo=https://download.docker.com/linux/centos/docker-ce.repo
      • dnf install –nobest docker-ce
      • systemctl disable firewalld
      • systemctl enable –now docker
  8. Follow the prompts during installation
    • Prompt to continue with offline installation
    • Prompt for default directory (/opt/np-live) We recommend keeping the default directory but it can be changed if preferred
      • Note: If the default directory is changed, then it will need to be edited for each new release during the installation
  9. There will be a message once the installation is complete
  10. Launch a browser to navigate to the NP-View User InterfaceExample of transfer with WinSCP:
    • Load WinSCP – It should default to this screen:
    • Default “File Protocol:” to SFTP
    • Fill in Host name, User name, and Password.
      • Host name would be the same as your NP-View Server IP Address
      • User name and Password are the same as the sudo credentials you use to log into the NP-View Server terminal.
    • Find the NP-View Linux Server Installer file in the left window. Then in the right window from the “root” select the “tmp” folder. Once you have completed both steps then click “Upload”.
    • Click Ok to complete the transfer.

Option 2: Using the NP-View Virtual Appliance

Once the Virtual Appliance OVF file has been downloaded from the portal, follow the steps below to complete set up:

  1. Extract the .zip archive (right click on folder and choose extract all)
  2. Import OVF into hypervisor
  3. Update CPU/Memory/Disk Space to meet requirements stated in KB in the hypervisor settings
  4. Open README.txt from extracted folder for credentials
  5. Launch the appliance and log into terminal using credentials in README.txt
  6. NP-View Server shell script will guide you through updating the NP-Live password, the root password, and to reset encryption keys
  7. Once complete the NP menu will appear indicating the server is ready to use.
  8. Launch a browser to navigate to the NP-View User Interface

Note: A static IP may need to be configured before utilizing the user interface.

Installing a SSL Certificate

NP-View listens on both port TCP/80 (HTTP) and TCP/443 (HTTPS). For HTTPS, it uses a self-signed SSL certificate by default. Users can also provide their own SSL certificate by simply copying a valid .pem file into the NP-View db folder.  If using HTTPS, the best practice is to disable HTTP or forward HTTP to HTTPS.

The following command can be used to generate a valid .pem file:

openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.pem

To learn more about generating your own SSL certificate, please visit python documentation.

Please note that .pem file should include both the private key and the full certificate. If you received the private key and the certificate as two or more separate files, you can concatenate them into a single .pem file.

Setting the Virtual Appliance Time Zone

By default, the Virtual Appliance install creates the file `/opt/np-live/local-settings.yml`, set to America/Chicago.  This file needs to be updated to reflect your local time zone.  To change to a different time zone, log into the server using SSH and become root with the command sudo -i. You can then perform the following updates.

Update TZ= to a value from timedatectl list-timezones

version: '3.4'

x-environment-tz: &timezone    

     TZ=America/Chicago

services:  

      manager:    

           environment:        

                 - *timezone  

      report:      

           environment:        

                 - *timezone  

     webserver:      

           environment:        

                 - *timezone  

      redis:      

            environment:        

                 - *timezone  

     monitor:      

           environment:        

                 - *timezone

Once you have set the new time zone, you can restart NP-Live with the command /opt/np-live/stop_NP-Live.sh  and then /opt/np-live/start_NP-Live.sh

Additional Installation Information

Improving NP-View Server Performance

Please reference minimum requirements, the higher the resources the better the performance.

Troubleshooting Disk Space

If a server upgrade or restart fails due to lack of disk space, please perform the following clean-up procedure:

  1. sudo rm -f /opt/np-live/db/log/system/nplive.log.*
  2. sudo docker system prune –volumes
  3. sudo rm /opt/np-live/docker-compose.yml.backup

NP-View does not automatically delete log files, the Linux system admin may wish to schedule the above commands in a periodic CRON job to maintain optimal performance.

If server upgrade or restart issues continue to occur, please reach out to the Tech Support team.

Default Disk Encryption

As the NP-View OVF is typically installed within a secure environment, the disk is not encrypted by default for data at rest.  The Linux Admin can encrypt the system drive for increased security knowing that system performance will be slightly degraded to accommodate the data decryption and encryption.

Personalize the Login Page

To add a custom message to the login page, a NP-View administrator can edit the file /opt/np-live/docker-compose.yml with the following entry in the webserver environment section: “- banner=Welcome to NP-view”

For NP-View, the file ~/Documents/np-live/config.ini can be edited to add: “banner=Welcome to NP-View”

Upload File Size Limit

When users upload a file through the Web user interface, NP-View will enforce a maximum file size which is 200MB by default. To change it, a NP-View Linux administrator can edit the file /opt/np-live/docker-compose.yml with the following entry in the webserver environment section: “- MAX_IMPORT_SIZE=209715200”.  The value is in bytes, so 209715200 corresponds to 200MB.

Backing up the NP-View Server Database

  1. Stop the NP-View Server (you can use the script /opt/np-live/stop_nplive.sh)
  2. From the NP-View Server folder (by default: /opt/np-live/, run the command: tar -zcf db_backup_$(date '+%Y_%m_%d').tgz db (this command may take few minutes to complete)
  3. Run the new release installer, which will update the containers and then launch NP-View Server

Complete Removal of NP-View

If you wish to completely remove NP-View from you server to start with a fresh install, perform the following steps:

  • Stop NP-View using the script /opt/np-live/stop_NP-Live.sh
  • Remove Docker containers using the command docker system prune -a as root (WARNING: this will completely reset Docker, so if non NP-View containers have been added they will be deleted as well)
  • Remove the NP-View folder with the command rm -rf /opt/np-live as root (WARNING: the NP-View database will be permanently deleted)

Product Tutorials

1. Network Mapping

Network mapping provides the Networking Team (Network Engineer, Network Security) with capabilities that allow users to:

  • Visualize an accurate topology of the network architecture
  • Identify and label critical cyber assets and critical network zones
  • Easily review which devices are protecting which network zones

Visualize Topology

NP-View can be used to discover your network topology and the underlying control plane, including layer-2 and layer-3 configurations. Without leaving the topology map, you can review many aspects of the network’s design including Firewalls, Routers, Switches, Gateways, Networks, VPNs, Hosts and more.

Critical Assets and Zones

Each asset can be tagged with categories and criticalities as well as grouped into zones making it easy to review which devices are protecting which network zones.

Details On-demand

Selecting a node in the topology map will interactively display an information panel with detailed data about that node.

2. Firewall Ruleset Review

Firewall ruleset review provides Network Engineers, Network Security, and Compliance Analysts with functionality for:

  • Easy review of firewall access rules and object groups using the Access Rules and Object Groups reports.
  • Automatic identification of configuration risks using the Risks and Warnings report.
  • Validating recent policy modifications as part of a configuration change review process using the Change Tracking report.

How to Review Access Rules

An independent review of firewall policies has to be periodically conducted to ensure that network access rules are correctly implemented and documented. It is important because lack of access rule review leads to unexpected network access vulnerabilities.

  • Frequency: each time firewall policies are changed, and at least once a quarter
  • How to do it:
    • Step 1: given a workspace populated with network device configurations, open the Access Rule table from the main menu (top left)
    • Step 2: leverage the “Column Search” feature or the “Compare” feature to show the rules in scope of your verification
      • For instance, filter the “Device” column to only show rules for a specific device, or filter the “Binding (ACL)” column to only show rules bound to a specific interface, or use the “Compare” feature to only show rules added or removed recently
    • Step 3: review values for the source, destination, service, binding, risk, and description of each rule in scope
      • The “Description” column captures comment, description, or justification from the device configuration
      • The “Risk” and “Risk Criticality” columns are populated by NP-View during the automated risk analysis
    • Step 4: to identify rules that are not justified, sort the table by “Description”. Empty values will be shown at the bottom.
    • Step 5: to document your review process, double click on the “Comment” or “Comment Status” cells to add your own comment. The comment status can be either “Verified” or “To Review” or “To Revise”
    • Step 6: to save an evidence of your review process, export the table to Excel using the export options in the top right corner of the table

Access Rules Table

The Access Rules report provides the users with complete details on each Access Rule with the ability to add justifications and actions.

Object Groups

The Object Groups report provides the users with complete details on each Object Group with the ability to add justifications and actions.

Risks and Warnings

As modifications are made to the network, the Network Perception default Policies and Requirements identify potential risks.  The Risks and Warnings report provides the users with a summary of the potential risks and their criticality with the ability to add actions and comments.

Change Tracking

As modifications are made to the network and the updated configuration files are imported, the changes are logged in the Change Tracking table.

tracking table
3. Segmentation Verification

Segmentation verification provides the Networking Team and Audit Team with capabilities that allows users to:

  • Assess correctness of network segmentation
  • Identify risky network connectivity paths
  • Understand exposure of vulnerable assets

Network Segmentation Accuracy

NP-View be used to verify the accuracy of your network segmentation.

The connectivity matrix which is available from the device info panel can be used to verify open ports between devices.

Inbound and outbound connections can be verified for each network using the highlight paths function.

Identifying Risky Connectivity Paths

Using industry best practices, Network Perception automatically identifies potential risks related to network configurations. Using the Network Perception  Connectivity Path analysis, the user can review each of the highlighted risks and make a judgment on action.

organization table

Exposure of Vulnerable Assets – Vulnerability Analytics

NP-View provides your security team with a single pane of glass for reviewing network vulnerability exposure. With the addition of scanner data or data from a vulnerability data service, vulnerabilities can be tracked across your network.

Topology Display of Vulnerabilities

When scanned data has been added to a workspace, and a topology view is built that also includes that scan data, nodes on the topology of that view will be marked with a shield indicating the presence of vulnerabilities.

These shields can be toggled on and off using the topology settings menu.

Device Panel Display of Vulnerabilities

Firewalls, Gateways, and Hosts may contain vulnerability and service information imported from scans. Clicking on any of these nodes in a View that contains vulnerability information, will display it in the info panel that opens over the main menu.

Clicking on the Vulnerabilities link will present a pop out with the vulnerability details.

4. Audit Assistance

Performing a regular review of your compliance metrics is important for your organization.  Performing the review manually is time consuming and tedious. Audit assistance provides the Compliance Team (Auditor, Compliance Officer, Compliance Analyst, and Consultants) with capabilities that allow users to:

  • Verify compliance with cybersecurity regulations and best practices through Policy Review.
  • Seamlessly store evidence for compliance review with Change Tracking.
  • Easily prepare compliance reports using the Audit Assistants listed below:

Workspace Report (Standard)

The Workspace Report assistant is available within each workspace and will generate a report for a specific view that includes detailed information about configuration files that were imported and parsed including:

  • Configuration assessment report including risk alerts
  • Ports and Interfaces
  • Access rules
  • Object groups
  • Path analysis

Industry Best Practice (Premium)

The Best Practice assistant requires a license to activate. This report is available within each workspace to generate a report for a specific view that includes the following topics:

  • Parser Warnings and potential misconfigurations
  • Unused Object Groups
  • Access Rules missing a justification
  • Unnamed nodes
  • NP Best Practice Policies on access rules and CiS Benchmarks that have identified potential risks
  • ACL’s with no explicit deny by default rule

NERC CIP Compliance (Premium)

The NERC CIP assistant requires a license to activate this function and guides the user through the steps required to create a report covering CIP-005 requirements. The NERC CIP audit assistant is only available within a NERC-CIP workspace and allows audit teams to classify BES cyber assets as High, Medium, and Low based on the standards. We have added a category for untrusted (Internet, Corp, etc.) to tag non BES assets. NP-View allows compliance teams to collect and report evidence related to the following requirements:

  • CIP-002 – BES Cyber System Categorization; impact rating and 15-month review
  • CIP-003 – Security Management Control; cyber security policy
  • CIP-005 – Electronic Security Perimeter; remote access management
  • CIP-007 – System Security Management; ports and services
  • CIP-010 – Change Management and Vulnerability; configuration change management, configuration monitoring, vulnerability assessment

A demo workspace for the NERC CIP audit assistant is included with the software.  To see the audit assistant in action, follow these steps:

  1. Click on the demo workspace to build the topology.
  2. Create a custom view by selecting all of the firewalls, right click, Create View from Selection and give it a name.
  3. Once the view is generated, select Manage Zones from the left manu and click on the Auto Generate Zones button.
    • Red zones represent your high criticality assets.
    • Orange zones represent your medium criticality assets.
    • Yellow zones represent your low criticality assets.
    • Gray zones represent your untrusted assets.
  4. On the left menu, select Summary Reports and the NERC-CIP Compliance Report
  5. Click through the wizard, the defaults will represent the selections suggested by the auto group function.
  6. Click Generate Report to view the report in a new tab.

Feature Documentation

Highlight Paths

Highlight Paths

Provides the ability to view a summary of the services that exist in a custom topology map view.

By selecting Highlight Paths from the main menu,

the service filtering function is displayed:

Usage

  1. Open the main menu
  2. Open Highlight Paths
  3. In the panel that appears select any service to view the service details, as well as highlight the paths on the topology map
  4. In the open panel, in the box titled Path Analysis, click any path’s IP address to show the rules associated with that path
  5. Clicking any rule will open the Access Rules table filtered to the selected rule

*Highlight Paths panel open, with service selected, paths on topology highlighted, and rules being shown for the selected path

*closeup of rule for selected path

*Filtered Access Rules

Identifying Risks

Risk and Warnings are generated using Policies and Requirements located in the Policy Manager.  NP policies and requirements are automatically assigned to all devices when they are imported and run when network device configuration changes are identified.

The following default policies are provided for all Compliance modules:

  • Default Parser Risk Policy – triggers from device configuration file parser log.
  • Default Access Rules Risk Policy – triggers from access rules report

CiS Benchmarks are provides as part of the Best Practices Module

  • CiS Benchmark for Check Point
  • CiS Benchmark for Cisco
  • CiS Benchmark for Juniper
  • CiS Benchmark for Palo Alto

Policy Management

Each policy is broken down into a set of requirements that are used to identify potential network risks. Review the details of the Policy Manager in this section.

Risk Assessment Grading

At any given time, a monitored device can have one or more open risks or warnings. This information is used by our Grading algorithm to provide each device with a letter grade. The quantity, criticality and type of open risks and warnings go into the calculation.

This grade informs the users which devices have the highest security or compliance risks. The lower the letter grade, the higher the risk.

The grade for each monitored device can be seen by clicking on a device on the topology map and reviewing the Risk Assessment Grading on the device menu. Clicking on the menu item displays the details that went into the grade.

An depiction of the data flow is as follows:

Calculating Device Risk Grade

+

The Device Risk Grade is calculated using the following weights:

  • High = 5
  • Medium = 3
  • Low = 1

The Device Risk Grade is calculated using a simple equation, for example: (5 high * 5) + (1 low * 1) = 26 -> 100 – 26 = 74 -> C

  • 90 -> 100 = A
  • 80 -> 89 = B
  • 70 -> 79 = C
  • 60 -> 69 = D
  • Else F

Issue Status is used to exclude both Resolved and Fixed issues from the calculation.

Importing and Exporting Data

NP View supports several different methods of importing a variety of both primary device data, such as firewall configurations, and auxiliary data, such as hostname files.

Note: The Windows API has a maximum path length of 256 characters.  When importing files into NP-View with long file names (typically > 50 characters), they may fail to import.  Reducing the length of the file name before importing tends to resolve this issue.

Importing Primary Data

Once a workspace is created, the user can begin importing configuration files from Firewalls, Routers and Switches, and/or auxiliary data, such as hostname files. Multiple supported configuration files can be loaded at a single time.

Import can be done via several methods. These methods are Drag and Drop, Main Menu Import, or Automated Import on a schedule Via 'Connectors'

Drag and Drop

A blank workspace, ready for files to be dragged onto the topology. Doing so will engage the Main Menu Import function

Main Menu Import Function

Open the Main Menu and select Import Data

The Home View, with Main Menu open and Import Data selected

The Import window will open where you may add files. For Management Systems (Ex. Panorama) and also for Auxiliary Data, a second step will be presented to the user to allow them to view the entire list of data, and select a subset for import. For Panorama, it would show a list of all the devices contained in the files uploaded and allow the user to choose a subset of these devices to actually add to the workspace.

Import Window Opened

When files have been added, devices have been selected, and the user has chosen to click next; the files will be moved to the in progress tab.

The in Progress Tab

When your files are completely processed they will move to the Uploaded tab. Users can view the history of all of their imports in the Uploaded tab at any time.

Automated and Scheduled Import via Connectors

Automatically – NP-View can also be configured to automatically retrieve files from devices, network management systems, and file shares on a schedule to keep your environments more up to date.  See the Connectors section for more information on how to get started.

Note: Import can take some time depending on the number and size of the files imported.  The import status will be displayed by the background task spinner next to your user name in the upper right corner of the map. Upon completion of Import, the Home View of the Topology Map will be displayed.

Note: Device licenses are applied on First import.  As files are loaded, the available license count goes down and the device is tracked across all workspaces.  See the licensing section for more details.

Device Identification

When  importing a device, NP-View uses a built-in device classifier to figure out what kind of device it is using device heuristics. However, because many devices can use the same configuration file, this can be tricky. For example, different Cisco hardware can run the same Cisco IOS, but the configuration file doesn’t tell you which hardware it is.

The device classifier tries to distinguish between routers and firewalls by looking for syntax differences like how static routes are expressed. But this isn’t always accurate since routers can use dynamic routing instead of static routes.

By convention, the NP-View device classifier will classify a device as a firewall if the configuration contains access lists. If the app misclassifies a device, the user can change the device type using the info panel for that device.


An open info panel with Device Type Selector

Importing Auxiliary Data

This table lays out the various types of Auxiliary Data NP-View accepts, and the order in which they should be prioritized for import. Primary Devices are considered Priority 1.

Once the relevant configuration files (priority 1) are loaded, auxiliary data may be added to a workspace to enrich and augment the analysis and topology visibility.

Each workspace can only handle one file of each auxiliary type at a time.  This was done to support change tracking of hosts on the network.  When a new file is uploaded, it completely overwrites the older file of that type regardless of the creation date of the file.

As multiple files can have similar data, we have implemented a data priority to facilitate data enrichment and prioritization of data importance within the system.

Priority File Types Content
2 Scanner: nessus CVE info (ID, severity, Exploitability, Remediation suggestion)
3 Scanner: nessus Host Discovery (IP, HW Address, status), OS and Services
4 ARP MAC Address, Host
5 hosts (user created) Text (IP / Hostname)

Please see the auxiliary data section for information on file types and structures for the file types.

Export Workspace Data

NP View allows for several different methods of exporting different types of workspace data.

Export Comments and Metadata (for enrichment and reimport)

The entire Access Rules and Object Groups table and its contents can be exported to an Excel formatted document. The export will only contain the visible columns in the report.

It is important to keep the comments columns (Comment, Comment Author, Comment Status) as well as the Object Id column visible as they are required for subsequent import.

It is recommended that at least one row of data be manually filled in with metadata before export to fully populate the template with examples of the field format.

The upper right menu of the table

For Access Rules, there are three export options:

  1. Export to Excel – Exports visible cells to an excel file (.xlxs)
  2. Export to Excel with history – Exports visible cells to an excel file with comment history.
  3. Export to Excel with expanded objects – Exports visible cells to an excel file with expanded object groups and objects.

For Object Groups, there are two export options:

  1. Export to Excel – Exports visible cells to an excel file (.xlxs)
  2. Export to Excel with history – Exports visible cells to an excel file with comment history.

Once the export button is clicked, the file (rule.xlsx, or object.xlsx) will automatically download. The file will contain all of the visible table columns plus multiple columns of comment data.

Enriching Metadata

As part of the audit process, Comments can be updated for Access Rules and Object groups as discussed here. Once the primary and secondary data is loaded, the user may want to bulk load justification data into the Access Rules and Object Groups tables.

Access Rules

The access rules export will contain four columns of data for each comment as below.

Access Rules Comment Fields exported to Excel

  • Comment field contains the user entered text.  If cleared or left blank, the comment will be updated accordingly.
  • Comment Status choices are ‘Verified’, ‘To Revise’, ‘To Review’ or can be left blank.
  • Comment Author field contains the user who entered the last change.  Upon import, this field will be automatically populated with the userid of the importer. Manual inputs into this field will be ignored.
  • Comment Date field contains the date of last change.  Upon import, this field will be automatically populated with the current date if a change has been detected. Manual inputs into this field will be ignored

Object Groups

The Object groups export works the same as the Access rules except the Comment Criticality column will accept ‘Low’, ‘Medium’, ‘High’ or can be left blank.

Importing Metadata

Once the file is updated and saved, the user can use the +Import function or simply drag and drop the file into the workspace for upload.

Only metadata fields that have been added or changed will be imported.  A time stamp and username of the importer will be applied when imported.  The results will be viewable in the report after processing is complete and the report has been refreshed.  Updates to comment and metadata history, standard NP-View fields and expanded objects will be ignored upon import.

Note that the import keys on multiple fields to match data.  The following fields are required in the file to properly import.

  • Object ID
  • Comment
  • Comment Status
  • Comment Author
Interfaces Report

When was it introduced?

  • Beginning with NP-View Version 5.0 (release notes) users will now have access to a new feature called the Interfaces Report.

What does it do?

  • View Level Interfaces Report: Displays all information available for the interfaces in the View and their connectivity
  • Device Level Interfaces Report: Displays all information available for the interfaces on the selected Device and their connectivity

Where are they located?

View Level Interfaces Report: Available from the Main Menu

Device Level Interfaces Report: Available from a selected device’s Information Panel

Supported Devices & Data

Auxiliary Data

NP-View can import auxiliary data from third party systems to enrich and augment analysis.  The data files listed below are supported and can be manually imported using drag and drop or through a shared network drive connector. We recommend importing configuration files first or at the same time as the auxiliary data files or a system error may occur. If auxiliary data is input after configuration files are processed, the auxiliary data will need to be added to a new or existing custom view(s) to be displayed

Host Files

Hosts can be identified from multiple sources including configuration files, network scan files, ARP tables, and hostname files. Once network device configuration files have been imported, one can import additional files to add metadata to the workspace. A hostname file is a simple text file with two columns: IP address and hostname separate by a tab.

Aux Data Loading Example

Note: This example applies to the loading of any Aux data file but is specific to creating and loading a host file.

First, load a firewall into a workspace and create a custom view with the firewall.

Notice that four hosts are not named.  To fix this, create a host file, named hosts.txt, to enrich the information.

The host file will add a name tied to each of the hosts and also includes hosts not currently displayed.

Let's use
172.30.90.50 Alice
172.30.90.51 Bob
172.30.90.42 Wendy
172.30.91.80 Sam
172.30.91.81 Carl

Note: Make sure any hosts added to the file do not conflict with firewall interfaces or they will be merged into the firewall.

Save the host file, and import it into the workspace.

The Manage Views function displaying a user adding both devices and multiple Auxiliary data files to a single view.

Once processed, proceed to the “Manage Views” menu and select a new or existing view to add Auxiliary data to.

Below the Select Devices box, is the Auxiliary Data box.

Choose any of the Auxiliary Data files you've added previously. (This image is not reflective of the example but to illustrate that users may select several Aux files).

For our example a user would see a single file called hosts.txt that would contain the names we've added.

Once the the view is created the updated assets will be displayed on the topology and in the Asset Inventory (on the main menu).

The view, seen here regenerated. Note the new hostnames applied to the endpoints.

To see how the previous example can be used as a repeatable process let's update those names again, with corrections.

First, update the Host file again. In this scenario, we rename “Carl” to “Carly” and “Sam” to “Sammy”. The updated file is as follows:


172.30.90.50 Alice
172.30.90.51 Bob
172.30.90.42 Wendy
172.30.91.80 Sammy
172.30.91.81 Carly

Load the file into the workspace and the custom views where auxiliary data has been applied. This will update the workspace.


The workspace, updated a second time

Note: Host data can come from multiple sources, also hosts can appear and disappear from the network. Host data is treated as replacement data for adding and deleting hosts over time.

Note: If for some reason a device has multiple names retrieved from multiple different file types, the additional names will be displayed in the Alias column of the Asset Inventory.

Network and Vulnerability Scanner Files

The output from network and vulnerability scanners can be imported into a workspace to add CVE information, hosts, attributes, and port information to the topology map. We support version 1.0 <?xml version=”1.0″ ?> of the below scanners:

When exporting the report, it should be saved using the XML format to properly import into NP-View. The data extracted and imported depends on the scanner used and the data available on the network.  Below is a list of data NP-View attempts to import.

  • hostnames
  • addresses
  • interfaces
  • local interface IP’s
  • local interface names
  • mac
  • domains
  • parent
  • operating systems
  • vlan

Multi-Home Host Files

Multi-Home hosts are endpoints that have multiple network interfaces. If NP-View identifies hosts with multiple interfaces, the host will be duplicated on the topology with each IP address. For example, the host called 'dual-homed' can be seen three times on the map below.

The host named 'dual-homed' repeated 3 times on the map

To resolve this, a 'multi_home_host.txt' file can be manually generated and loaded into NP-View as auxiliary data.

The file must be named 'multi_home_host.txt' and be of the following format:

192.168.135.115 dual-homed

192.168.135.114 dual-homed

192.168.135.113 dual-homed

Where the first field is the IP address and the second field is the name of the host.

When importing the 'multi_home_host.txt' and adding it to a view, the hosts will be connected as follows:

The hosts named 'dual-homed' have been consolidated

Note: The file can be named as *_multi_home_host.txt -where- *_ is anything preceding multi_home_host.txt.

For example:

tuesday_multi_home_host.txt

web_server_multi_home_host.txt

the_big_kahuna_multi_home_host.txt

Address Resolution Protocol (ARP)

ARP files can be used to add hosts as well as MAC addresses for the hosts.  The following formats are supported:

Cisco

Use commashow arp to export the ARP table.  The file format will be as follows:

<hostname># show arp  

outside 10.0.0.100 d867.da11.00c1 2  

inside 192.168.1.10 000c.295b.5aa2 21  

inside 192.168.1.12 000c.2933.561c 36  

inside 192.168.1.14 000c.2ee0.2b81 97

Cisco ARP Example

Using the data set from the Hosts example, a simple ARP table has been created in the Cisco format.

Distribution# show arp    

inside 172.30.90.50 d867.da11.00c1 2    

inside 172.30.90.51 000c.295b.5aa2 21    

inside 172.30.90.42 000c.2933.561c 36    

inside 172.30.91.80 000c.2ee0.2b81 97  

inside 172.30.91.81 000c.2ecc.2b82 95

Distribution#

Loading this data into NP-View will add the MAC addresses to each host which is visible in Asset inventory.

Windows

Use arp -a > arp_table.txt to export the ARP table.  The file format will be:

Interface: 192.168.86.29 --- 0x6  

Internet Address      Physical Address      Type  

192.168.86.1          88-3d-24-76-49-f2     dynamic    

192.168.86.25         50-dc-e7-4b-13-40     dynamic    

192.168.86.31         1c-fe-2b-30-78-e5     dynamic    

192.168.86.33         8c-04-ba-8c-dc-4d     dynamic

Linux

Use arp -a > arp_table.txt to export the ARP table.  The file format will be:

? (172.18.0.3) at 02:42:ac:12:00:03 [ether] on br-d497989bc64d

? (192.168.135.200) at 00:0c:29:f6:47:bb [ether] on ens160

? (172.17.0.2) at <incomplete> on docker0

? (192.168.135.178) at 00:0c:29:f3:e2:6b [ether] on ens160

Palo Alto

Use show arp all to export the ARP table.  The file format will be:

maximum of entries supported : 2500

default timeout: 1800 seconds

total ARP entries in table : 3

total ARP entries shown : 3

status: s - static, c - complete, e - expiring, i - incomplete

interface ip address hw address port status ttl

--------------------------------------------------------------------------------

ethernet1/1 192.0.2.10 00:0c:29:ac:30:19 ethernet1/1 c 295

ethernet1/2 198.51.100.10 00:0c:29:d7:67:09 ethernet1/2 c 1776

ethernet1/3 203.0.113.10 00:0c:29:b9:19:c9 ethernet1/3 c 1791

Route Tables

Route files are a special case in that they provide ruleset-specific enrichment data whereas the other auxiliary files listed above provide topology-specific enrichment data.

Route table – Cisco

The output of the command show route on Cisco devices can be imported into NP-View with associated configuration files.  For VRF’s, use the command show ip route vrf *. Cisco route files are handled a bit differently than the rest of the aux data as they are integrated upon import and are not considered as aux data when creating a view. Naming of the route files are not important as long as they are unique. The first row of the route file contains the <device name># command to link the route table with the correct device.

PCAP

IN V6.0 and later, PCAP and PCAPng files can be used to enrich the topology map. NP-View will add endpoints with IP's, MAC addresses and services to the topology map within a view. The max PCAP size is 200 MB per file.

Reference

Configuration Sanitizer

The linked .html file runs a self contained config file sanitizer in a standard web browser. The configuration sanitizer will change IP addresses within the file to mask them. This sanitizer will maintain integrity across the masked IP addresses so that we can properly test the file in the test lab. Please do not manually change the file after running through the sanitizer. To use the sanitizer file, click the link below to run in your browser.

Run from here

Known Software Issues

Below are the currently known issues in NP-View along with the available workarounds. These issues will be addressed as part of the upcoming release. If you are experiencing an issue not covered in this document, please contact Technical Support at: support@network-perception.com.

1. Typing into a field in NP-View Desktop doesn’t register any text

Reset window focus (This may not always work)

  • Alt+Tab out of the application
  • Alt+Tab back into the application

Login to NP-View Desktop via web browser

  • Open a web browser (Chrome/Edge) with NP-View still running
  • Type “localhost:8080” in the address bar to load NP-View in a browser window
Licensing

NP-View is licensed on an annual basis. The cost of the license depends on the number of configuration files imported from primary network devices (firewalls, routers, and switches).

How Licensing Works

When importing devices (manual or automated), a reminder notice is provided stating: “Importing new devices requires available licenses. Devices are activated in the order they are imported. If the total license count is exceeded, importing of additional unlicensed devices will be prohibited.

To determine the available number of devices licenses, see the summary at the bottom of Licenses and Terms.

418 of 500 licensees are allocated

Supported Devices and Connectors

The knowledge base contains a list of actively supported devices (link) and connectors (link). These lists change over time as manufacturer end of life support and as we add support for new devices. These lists are referred to in our terms of service and used to define what is in scope of the NP-View license agreement.    Network Perception reserves the right to alter this list at any time without customer notice.

When Device Licenses are Activated

Device licenses are activated when a device is first imported.  When the device limit is reached, import of additional devices (manual or automated) will be prohibited and a message will be issued in the help center and system logs.

Device licensing is permanent.  Once a license is allocated to a device it cannot be re-assigned to another device.

Palo Alto NGFW and Virtual Systems (VSYS)

Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple physical firewalls, IT departments can use a single firewall and enable virtual systems on them to independently separate traffic.

The default is vsys1. You cannot delete vsys1 because it is relevant to the internal hierarchy on the firewall; vsys1 appears even on firewall models that don’t support multiple virtual systems.

When using multiple virtual systems, if a configured vsys has an interface with access rules, NP-View will represent the vsys as a separate firewall and a device license is allocated. If a vsys has no interfaces or access rules and is used only for object management then NP-View does not display the firewall and it requires no license.

FortiGate and Virtual Domains (VDOM)

Virtual Domains (VDOMs) are used to divide a FortiGate into two or more virtual units that function independently. VDOMs can provide separate security policies and, in NAT mode, completely separate configurations for routing and VPN services for each connected network. If a VDOM has no interfaces or access rules and is used only for object management then NP-View does not display the firewall and it requires no license.

Hiding Devices

If a device is no longer required in any workspace, the Administrator can hide the device from all workspaces by unchecking the “Visible in Workspace” check box and selecting the “Submit” button.

visible in workspace

The licensed device will remain in “license and Terms” and displayed as follows:

workspace table

The data is not deleted from the workspaces. If the Administrator wishes to restore the device to all workspaces, they can by importing new data for the device or by rechecking the checkbox and clicking “Submit”.

Note: NP provided demo devices in the demo workspace are excluded from display in the license manager and device counts.

User Deleted Devices

If the user deletes a device from all workspaces, the device still remains licensed but as it has no system association will not be displayed in License and Terms.  The device can be restored in the future by importing new data for the device into any workspace.

Expired Licenses

When the license expires, workspaces for all users will be disabled along with manual data imports. A message will be displayed stating that the license has expired and to contact sales to renew. Connectors will continue to collect data and deliver the updates to workspaces and demo workspaces will continue to function.

License Downgrade

If a customer downgrades their device count, the Administrator will need to select the devices to remain active after inputting the new license key. If the Administrator does not select the devices to remain, the system will allocate the devices in the order they are used. All remaining unlicensed devices will be removed from all workspaces.

Compliance Module Downgrade

If a customer downgrades their compliance module license, all workspaces associated with that module will be disabled. The user can manually delete these workspaces.

Existing Customer Upgrades

For existing customers upgrading from a previous version of software to version 3.1.0 or later, devices that are imported and active in the license manager (check box marked) will remain licensed.  Devices that are unlicensed (check box unmarked) will be removed from all existing workspaces. If a customer needs to replace one or more devices, please contact support.

Auditors and NP Certification

Auditors and NP Certification members working project style engagements using NP-View Desktop are provided with a special feature to reset the system to its original state after an engagement so that no customer data is retained.

Adding a license to NP-View Desktop and NP-View Server

  • Step 1: Create an account on the Portal website
  • Step 2: If you don’t see an active license in the Portal home page, select “Request License” or contact support@network-perception.com
  • Step 3: Once a license key has been generated for you, make sure the format is correct. It should be a JSON structure similar to:

{
"email": "email address",
"type": "License type",
"expiration": "date",
"max_rulesets": "purchased device",
"max_users": "purchased user",
"module_np": if purchased,
"module_nerccip": if purchased,
"key": "secret key"
}

  • Step 4a: For New Installations, upon system installation, the Administrator will input the NP license key into the setup screen which will set the maximum limit on the number of devices that can be imported (manually or automated) into the system.
  • Step 4b: For existing customers, launch NP-View and select “License & terms” from the user menu (top right corner).
  • Then scroll down and select “Upgrade or renew your license” followed by “Input license manually”. You can then copy/paste the license JSON structure (including opening and closing curly brackets) into the text field area.
  • Note: the licensing function is available only to the Administrator role in NP-View Server and the must logout and re-login for the license to take affect.

HA Device Licensing

NP-View Professional server support the licensing of active / passive high availability (HA) groups for firewalls. HA Group definitions are only required if the device name of the primary and secondary devices are different. Once the active firewalls are loaded into NP-View, the HA definition file can be exported using postman or a tool of your choice using:

GET /license/ha-groups?file-export=true and a file will be downloaded.

The file export will be a text file. Column 1 will be the HA Group name and will be initially empty. Column 2 will be the firewall name.

HA Group Name, Device Name
, asaDMZ-fw1
, asaUCCtoBA1
, asaUCCtoSub-A
, asaBA
, firewallSub

The administrator will then update the text file to add unique group names as well as the name of the passive firewall. The updated file can look as follows. Devices without group names will remain as individual firewalls.

HA Group Name, Device Name
A-Group, asaDMZ-fw1
A-Group, asaDMZ-fw2
B-Group, asaUCCtoBA1
B-Group, asaUCCtoBA2
C-Group, asaUCCtoSub-A
C-Group, asaUCCtoSub-B
, asaBA
, firewallSub

Once the file is updated, the file can be posted using postman or the tool of your choice:

POST /license/ha-groups

When new firewalls are added or groups need to be redefined, the above GET / POST process can be repeated.

HA Groups will share one device license. If firewalls are ungrouped and there are not enough free device licenses, the user will be asked to remove firewalls from NP-View that are to be unlicensed and deleted from the system.

Shortcut Keys

NP-View has a series of shortcut keys to quickly access commonly used functions.  This section describes some of the frequently used shortcut keys. Note the the list of shortcut keys is available from the upper right menu or by using the “K” key

AShow the Asset inventory
BShow the Search bar help
CShow Track changes
HShow the Support center
IShow the Import data panel
KShow the list of available shortcut keys
LShow Logs
OShow the Object Groups
PShow the Connectivity Paths
QReturn to the home page
RShow the Access Rules
SSave the topology
TShow Background tasks
MShow Policy Management
VShow Custom topology views
WShow Risk & Warnings
ZShow Manage zones
SHIFTHold SHIFT key, then click and drag to draw a rectangle to select multiple nodes from the topology
CtrlHold Ctrl key, then click to select / deselect individual nodes from the topology