At Network Perception, we have combined our vast expertise of critical asset protection with next-gen technology to guide our customers on a path to cyber resiliency.
The journey starts with establishing a clear baseline and verifying that internal risk mitigation controls are followed.
The next step consists of gaining accurate visibility of network architecture and cybersecurity posture.
The final step is developing a continuous monitoring approach to gain velocity and adapt quickly to disruptions.
NP-View is designed to run on Windows 10 or Windows 11 with a recommended configuration of a 10th Gen Quad Core Processor and 16GB of RAM. This configuration should be sufficient for processing large data files up to 500,000 lines. Simultaneously loading and analyzing multiple devices with larger configuration files will maximize the use of available system resources, and additional RAM may be required.
Installation Process
Sign up on the Portal website to download the latest version of NP-View Desktop and to download a license key. A SHA256 checksum is supplied with each download. You can calculate the checksum on the files you download to verify the integrity of the files:
Windows PowerShell: Get-FileHash /the/full/path/to/your/filename.exe | Format-List
Once installed, NP-View will automatically launch.
Allow ports for private/public network if prompted.
NP-View has been designed to run offline, which means that the network connections attempted towards a public NTP server, the local DNS server, and the Network Perception update server are optional and do not affect the system if the internet is unavailable. More information on configuring NP-View can be found here.
NP-View Desktop is a resource intensive application. For best performance, please ensure your system’s Power plan is set to High performance.
If you have administrator access, you can enable Ultimate Performance: open the command prompt as administrator, paste the following command, and press Enter: powercfg -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61
Windows control panel:
First Login
Upon first login, NP-View Desktop will require you to create an administrator account. Fill in the required information and click the “Create the NP-View administrator account” button. The password can be as simple or as complex as the user desires but needs to be at least 8 characters.
Local authentication is for users who wish to add an additional layer of protection. With this, the user can use whatever e-mail address and password they choose. If the user logs out of the system, the user id and password will be required upon subsequent application launches. Otherwise, the session remains open and authentication is not required.
Read and accept the user agreement.
Next, you will need to enter your license key. Once input, click the “Add license key” button.
Select your preferences for checking for automatic updates (requires internet access) and participation in our voluntary improvement program. Both selections use a slider that defaults to off. To opt in, click the button and it will slide to the right. Click the save preferences button to complete.
Next, click the get started button.
User Menu
Access to the Help Center, License Manager, Update Manager and other administrative functions can be found on the User Menu located in the top-right corner of the Workspaces page.
Getting Started
On the Workspaces Page, NP-View provides a demo workspace as well as the ability to start creating your own workspaces. Click here to learn more about using workspaces.
Software Version
If you contact technical support, they will ask you for the software edition and version you are running. It can be found on the bottom left corner of the home screen.
Software Uninstall
To uninstall NP-View Desktop,
Windows 10/11: use the add or remove programs feature to remove the software
Delete folder: ~AppData/Roaming/NP-View
Delete folder: ~AppData/Local/Programs/NP-View
Delete folder: ~AppData/Local/np-view-updater
Password Reset
Remove the file at the location listed below and restart the application to input your credentials.
Windows: Delete the file ~AppData/Roaming/NP-View/db/auth_provider.cfg and then restart NP-View.
License Changes / Upgrades
If you input a new license key from Network Perception, you must log out and log back in for the changes to take effect. Note that the license key function is only available from the home screen (not from within a workspace).
Upload File Size Limit
NP-View enforces a maximum file size of 200MB by default. To change it, the config.ini file must be edited and the following row added: MAX_IMPORT_SIZE=<size in bytes>. For example: MAX_IMPORT_SIZE=209715200 which corresponds to 200MB.
Windows: the config.ini file can be found at: ~AppData/Roaming/NP-View/config.ini
Windows Path/File Name Length Limit
Microsoft Windows has a MAX_PATH limit of 256 characters. If the path and filename exceed 256 characters, the file import will fail.
For example: C:\Users\<username>\AppData\Roaming\NP-View\db\workspace\<np-view-user>@<workspace>\devices\<filename>
NP-View Server has been designed to be easily installed by a single person who has moderate Linux skills. This article provides step-by-step instructions on the installation process, which includes:
Provisioning a server
Downloading NP-View server
Installing NP-View server
Installing a SSL Certificate
NP-View is accessed through a web browser (Edge, Chrome, Firefox) running on a modern operating system (Windows 10 or later, macOS 11 Big Sur or later, Ubuntu 20 or later) with a recommended configuration of a 10th Gen Quad Core Processor and 16GB of RAM.
Provisioning a Server
The following table documents the CPU, memory, and disk requirements based on the number of network device configuration files monitored by NP-View server:
Number of network devices monitored (firewall, router, switch) / concurrent users | Min. CPU | Memory | Disk Space
Up to 50 devices / 3 concurrent users | 4-core | 16GB | 200GB
Up to 100 devices / 5 concurrent users* | 8-core | 32GB | 400GB
Up to 500 devices / 10 concurrent users | 16-core | 64GB | 2TB
Up to 1,000 devices / 20 concurrent users | 32-core | 128GB | 4TB
For more than 1,000 devices, please contact support to discuss requirements.
* Recommended as the minimum for most Professional Server users.
Note: loading and analyzing devices utilizes the majority of the CPU and Memory capacity. The higher the server capacity and the faster the CPU, the faster devices will load and be analyzed.
Network ports used by NP-View server
The following ports are used by NP-View server. Please ensure these ports are open on your firewall for proper communication.
Required ports:
TCP/22: SSH server to provide secure console access to the NP-Live server
TCP/443: access to NP-View Web UI through HTTPS
TCP/8443: access to NP-View connectors Web UI through HTTPS
Optional ports:
TCP/80: access to NP-View Web UI through HTTP
TCP/389: access to Active Directory / LDAP for LDAPv3 TLS
TCP/445: access to NP-View SMB Connector
TCP/636: access to Active Directory / LDAPS for TLS/SSL
TCP/8080: access to NP-View connectors Web UI through HTTP
Firewall Rules
The source IP should be the client workstation that will access NP-View and the destination IP should be the NP-View Linux server.
Downloading NP-View Server
Sign up on the Portal website to download the latest version of NP-View server and the license key. A SHA256 checksum is supplied with each download by clicking on the “show checksum” link. You can calculate the checksum on the files you download to verify their integrity:
Windows 10/11 using PowerShell: Get-FileHash /the/full/path/to/your/file/name/extension | Format-List
macOS: shasum -a 256 /full/path/to/your/file/name/extension
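The checksum comparison can be scripted so that the installer only runs when the download matches the value shown on the portal. The following is an added example, not code from Network Perception; the function name verify_sha256 and the script name in the comments are assumptions. It accepts the expected value in either case, since Get-FileHash prints upper-case hex while shasum and sha256sum print lower-case.

```shell
#!/bin/sh
# Added example (not vendor code).
# verify_sha256 FILE EXPECTED_HEX
# Exit status: 0 = match, 1 = mismatch, 2 = bad input or no hashing tool.
verify_sha256() {
    file=$1
    # Normalise the published value: drop whitespace and fold to lower case.
    expected=$(printf '%s' "$2" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')

    # Refuse anything that is not exactly 64 hex digits (e.g. a truncated paste).
    if ! printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "error: expected value is not a 64-digit SHA256 hex string" >&2
        return 2
    fi
    if [ ! -f "$file" ]; then
        echo "error: $file not found" >&2
        return 2
    fi

    # Hash via stdin so the tool's output never depends on the file name.
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum < "$file" | awk '{print $1}')
    elif command -v shasum >/dev/null 2>&1; then
        actual=$(shasum -a 256 < "$file" | awk '{print $1}')
    else
        echo "error: neither sha256sum nor shasum is available" >&2
        return 2
    fi

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published checksum"
        return 0
    fi
    echo "MISMATCH for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Command-line use (hypothetical script name):
#   sh verify_download.sh FILE EXPECTED_HEX
if [ "$#" -eq 2 ]; then
    verify_sha256 "$1" "$2"
    exit $?
fi
```

Start the installer only when the check exits with status 0; a mismatch means the file should be downloaded again and not executed.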
Installing NP-View Server
NP-View server is a Linux application. It can be installed on a virtual machine or physical hardware. There are 2 package formats available:
NP-View Virtual appliance (~2GB OVF) that works on all major hypervisors with support for the .vmdk disk format (e.g., VMWare ESXi).
NP-View Linux installer (~600MB) that works on all major Linux distributions on which Docker can be installed.
The NP-View OVF uses Ubuntu Server 22.04 LTS or later. Root access is provided (see the text file provided with the .OVF) so the operating system can be periodically updated. This option should be used for new installations. The NP-View Linux installer is used to update NP-View on an existing system or for a new install on a Linux server.
Note: Network Perception does not recommend running NP-View in a double virtualized environment (Linux VM encapsulated within a Windows VM) as the operation of connectors, notifications and external interfaces can be unpredictable.
Option 1: Using the NP-View Linux Installer
Once downloaded from the portal, follow the steps below to complete the install:
Move installer to server – This may require ssh or other user account permissions
Place the file in a location you can access from the terminal
/tmp – this is a temp folder available at the root directory
/opt/np-live – this is the default NP-View server root directory
You can use the “ls” command to see what is in your current directory
Log into the terminal or use SSH (Putty, PowerShell, etc.) into the Linux server
Set root level permission with the command (this will allow you to type commands without adding “sudo” to each command)
sudo -i
Navigate to the directory in which the NP-View Server Linux installer was placed
Use the ls command to verify file is in this directory
Run the installer with the command (Docker must be installed before this step)
Example: sh NP-View_Full_Filename.sh (example: NP-View_Server_Linux_4.0.5-add6)
The installer will begin by checking for a running instance of Docker and internet connection
If Docker is not installed and running, the installer will stop and you will have to manually install the latest version of Docker before continuing
If an internet connection is available and Docker isn’t installed, the installer will automatically download and install the latest version of Docker
If an internet connection isn’t available but Docker is installed, the installer will continue offline (Most Common Scenario)
If you are installing NP-View Server on Red Hat Enterprise Linux, use the following commands to install docker:
Prompt for default directory (/opt/np-live) We recommend keeping the default directory but it can be changed if preferred
Note: If the default directory is changed, then it will need to be edited for each new release during the installation
There will be a message once the installation is complete
Launch a browser to navigate to the NP-View User Interface
Example of transfer with WinSCP:
Load WinSCP – It should default to this screen:
Default “File Protocol:” to SFTP
Fill in Host name, User name, and Password.
Host name would be the same as your NP-View Server IP Address
User name and Password are the same as the sudo credentials you use to log into the NP-View Server terminal.
Find the NP-View Linux Server Installer file in the left window. Then in the right window from the “root” select the “tmp” folder. Once you have completed both steps then click “Upload”.
Click Ok to complete the transfer.
Option 2: Using the NP-View Virtual Appliance
Once the Virtual Appliance OVF file has been downloaded from the portal, follow the steps below to complete set up:
Extract the .zip archive (right click on folder and choose extract all)
Import OVF into hypervisor
Update CPU/Memory/Disk Space to meet requirements stated in KB in the hypervisor settings
Open README.txt from extracted folder for credentials
Launch the appliance and log into terminal using credentials in README.txt
The NP-View Server shell script will guide you through updating the NP-Live password, updating the root password, and resetting the encryption keys
Once complete the NP menu will appear indicating the server is ready to use.
Launch a browser to navigate to the NP-View User Interface
Note: A static IP may need to be configured before utilizing the user interface.
Installing a SSL Certificate
NP-View listens on both port TCP/80 (HTTP) and TCP/443 (HTTPS). For HTTPS, it uses a self-signed SSL certificate by default. Users can also provide their own SSL certificate by simply copying a valid .pem file into the NP-View db folder. If using HTTPS, the best practice is to disable HTTP or forward HTTP to HTTPS.
The following command can be used to generate a valid .pem file:
To learn more about generating your own SSL certificate, please visit python documentation.
Please note that .pem file should include both the private key and the full certificate. If you received the private key and the certificate as two or more separate files, you can concatenate them into a single .pem file.
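The concatenation described above can fail if one of the input files has no trailing newline or uses Windows line endings, because the PEM markers then no longer sit on lines of their own. The following is an added example, not code from Network Perception; the function names are assumptions, and the output path is chosen by the administrator. It builds the combined file with owner-only permissions, checks that it holds one private key and at least one certificate, and, when openssl is installed, checks that the key belongs to the first certificate.

```shell
#!/bin/sh
# Added example (not vendor code).

# combine_pem OUT KEY CERT [CHAIN...]
# Writes KEY, CERT and any chain certificates into OUT.
combine_pem() {
    out=$1; shift
    (
        umask 077    # the file contains a private key: owner-only access
        for part in "$@"; do
            [ -r "$part" ] || { echo "error: cannot read $part" >&2; exit 1; }
            # Strip carriage returns; awk 1 guarantees a trailing newline so
            # an END marker never fuses with the next BEGIN marker.
            tr -d '\r' < "$part" | awk 1
        done > "$out"
    )
}

# pem_layout_ok FILE: 0 if FILE has one private key and >= 1 certificate.
pem_layout_ok() {
    [ -r "$1" ] || { echo "error: cannot read $1" >&2; return 1; }
    keys=$(grep -Ec '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----$' "$1" || true)
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    [ "$keys" -eq 1 ] || { echo "error: expected 1 private key, found $keys" >&2; return 1; }
    [ "$certs" -ge 1 ] || { echo "error: no certificate found" >&2; return 2; }
}

# pem_key_matches_cert FILE: 0 if the private key's public half equals the
# public key of the first certificate in FILE (requires openssl).
pem_key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null </dev/null) || return 3
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 3
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] || return 3
}

# check_pem FILE: layout check, plus key/certificate match when possible.
check_pem() {
    pem_layout_ok "$1" || return $?
    if command -v openssl >/dev/null 2>&1; then
        pem_key_matches_cert "$1" || {
            echo "error: private key does not match the first certificate" >&2
            return 3
        }
    fi
    return 0
}

# Command-line use: sh thisfile OUT KEY CERT [CHAIN...]
if [ "$#" -ge 3 ]; then
    combine_pem "$@" && check_pem "$1"
    exit $?
fi
```

Copy the resulting file into the NP-View db folder only after check_pem succeeds.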
Setting the Virtual Appliance Time Zone
By default, the Virtual Appliance install creates the file `/opt/np-live/local-settings.yml`, set to America/Chicago. This file needs to be updated to reflect your local time zone. To change to a different time zone, log into the server using SSH and become root with the command sudo -i. You can then perform the following updates.
NP-View does not automatically delete log files. The Linux system admin may wish to schedule the above commands in a periodic CRON job to maintain optimal performance.
If server upgrade or restart issues continue to occur, please reach out to the Tech Support team.
Default Disk Encryption
As the NP-View OVF is typically installed within a secure environment, the disk is not encrypted by default for data at rest. The Linux Admin can encrypt the system drive for increased security knowing that system performance will be slightly degraded to accommodate the data decryption and encryption.
Personalize the Login Page
To add a custom message to the login page, a NP-View administrator can edit the file /opt/np-live/docker-compose.yml with the following entry in the webserver environment section: “- banner=Welcome to NP-view”
For NP-View, the file ~/Documents/np-live/config.ini can be edited to add: “banner=Welcome to NP-View”
Upload File Size Limit
When users upload a file through the Web user interface, NP-View will enforce a maximum file size which is 200MB by default. To change it, a NP-View Linux administrator can edit the file /opt/np-live/docker-compose.yml with the following entry in the webserver environment section: “- MAX_IMPORT_SIZE=209715200”. The value is in bytes, so 209715200 corresponds to 200MB.
Backing up the NP-View Server Database
Stop the NP-View Server (you can use the script /opt/np-live/stop_nplive.sh)
From the NP-View Server folder (by default: /opt/np-live/), run the command: tar -zcf db_backup_$(date '+%Y_%m_%d').tgz db (this command may take a few minutes to complete)
Run the new release installer, which will update the containers and then launch NP-View Server
Complete Removal of NP-View
If you wish to completely remove NP-View from your server to start with a fresh install, perform the following steps:
Stop NP-View using the script /opt/np-live/stop_NP-Live.sh
Remove Docker containers using the command docker system prune -a as root (WARNING: this will completely reset Docker, so if non NP-View containers have been added they will be deleted as well)
Remove the NP-View folder with the command rm -rf /opt/np-live as root (WARNING: the NP-View database will be permanently deleted)
Network mapping provides the Networking Team (Network Engineer, Network Security) with capabilities that allow users to:
Visualize an accurate topology of the network architecture
Identify and label critical cyber assets and critical network zones
Easily review which devices are protecting which network zones
Visualize Topology
NP-View can be used to discover your network topology and the underlying control plane, including layer-2 and layer-3 configurations. Without leaving the topology map, you can review many aspects of the network’s design including Firewalls, Routers, Switches, Gateways, Networks, VPNs, Hosts and more.
Critical Assets and Zones
Each asset can be tagged with categories and criticalities as well as grouped into zones making it easy to review which devices are protecting which network zones.
Details On-demand
Selecting a node in the topology map will interactively display an information panel with detailed data about that node.
Firewall ruleset review provides Network Engineers, Network Security, and Compliance Analysts with functionality for:
Easy review of firewall access rules and object groups using the Access Rules and Object Groups reports.
Automatic identification of configuration risks using the Risks and Warnings report.
Validating recent policy modifications as part of a configuration change review process using the Change Tracking report.
How to Review Access Rules
An independent review of firewall policies has to be periodically conducted to ensure that network access rules are correctly implemented and documented. It is important because lack of access rule review leads to unexpected network access vulnerabilities.
Frequency: each time firewall policies are changed, and at least once a quarter
How to do it:
Step 1: given a workspace populated with network device configurations, open the Access Rule table from the main menu (top left)
Step 2: leverage the “Column Search” feature or the “Compare” feature to show the rules in scope of your verification
For instance, filter the “Device” column to only show rules for a specific device, or filter the “Binding (ACL)” column to only show rules bound to a specific interface, or use the “Compare” feature to only show rules added or removed recently
Step 3: review values for the source, destination, service, binding, risk, and description of each rule in scope
The “Description” column captures comment, description, or justification from the device configuration
The “Risk” and “Risk Criticality” columns are populated by NP-View during the automated risk analysis
Step 4: to identify rules that are not justified, sort the table by “Description”. Empty values will be shown at the bottom.
Step 5: to document your review process, double click on the “Comment” or “Comment Status” cells to add your own comment. The comment status can be either “Verified” or “To Review” or “To Revise”
Step 6: to save evidence of your review process, export the table to Excel using the export options in the top right corner of the table
Access Rules Table
The Access Rules report provides the users with complete details on each Access Rule with the ability to add justifications and actions.
Object Groups
The Object Groups report provides the users with complete details on each Object Group with the ability to add justifications and actions.
Risks and Warnings
As modifications are made to the network, the Network Perception default Policies and Requirements identify potential risks. The Risks and Warnings report provides the users with a summary of the potential risks and their criticality with the ability to add actions and comments.
Change Tracking
As modifications are made to the network and the updated configuration files are imported, the changes are logged in the Change Tracking table.
Using industry best practices, Network Perception automatically identifies potential risks related to network configurations. Using the Network Perception Connectivity Path analysis, the user can review each of the highlighted risks and make a judgment on action.
Exposure of Vulnerable Assets – Vulnerability Analytics
NP-View provides your security team with a single pane of glass for reviewing network vulnerability exposure. With the addition of scanner data or data from a vulnerability data service, vulnerabilities can be tracked across your network.
Topology Display of Vulnerabilities
When scanned data has been added to a workspace, and a topology view is built that also includes that scan data, nodes on the topology of that view will be marked with a shield indicating the presence of vulnerabilities.
Firewalls, Gateways, and Hosts may contain vulnerability and service information imported from scans. Clicking on any of these nodes in a View that contains vulnerability information, will display it in the info panel that opens over the main menu.
Clicking on the Vulnerabilities link will present a pop out with the vulnerability details.
Performing a regular review of your compliance metrics is important for your organization. Performing the review manually is time consuming and tedious. Audit assistance provides the Compliance Team (Auditor, Compliance Officer, Compliance Analyst, and Consultants) with capabilities that allow users to:
Verify compliance with cybersecurity regulations and best practices through Policy Review.
Seamlessly store evidence for compliance review with Change Tracking.
Easily prepare compliance reports using the Audit Assistants listed below:
Workspace Report (Standard)
The Workspace Report assistant is available within each workspace and will generate a report for a specific view that includes detailed information about configuration files that were imported and parsed including:
Configuration assessment report including risk alerts
Ports and Interfaces
Access rules
Object groups
Path analysis
Industry Best Practice (Premium)
The Best Practice assistant requires a license to activate. This report is available within each workspace to generate a report for a specific view that includes the following topics:
Parser Warnings and potential misconfigurations
Unused Object Groups
Access Rules missing a justification
Unnamed nodes
NP Best Practice Policies on access rules and CIS Benchmarks that have identified potential risks
ACLs with no explicit deny by default rule
NERC CIP Compliance (Premium)
The NERC CIP assistant requires a license to activate this function and guides the user through the steps required to create a report covering CIP-005 requirements. The NERC CIP audit assistant is only available within a NERC-CIP workspace and allows audit teams to classify BES cyber assets as High, Medium, and Low based on the standards. We have added a category for untrusted (Internet, Corp, etc.) to tag non BES assets. NP-View allows compliance teams to collect and report evidence related to the following requirements:
CIP-002 – BES Cyber System Categorization; impact rating and 15-month review
Views: Segments the devices present in a workspace into multiple views
Zones: Segments the devices present in a view into multiple visual zones
This article will focus on Views and the different functionality around them.
Home View
After creating a workspace and uploading 1 or more configuration files, NP-View will automatically generate the Home View.
The Home View presents a high level overview of the primary devices within the workspace (Firewalls, Routers, and Switches). It is the starting point for all workspaces.
To view assets connected to the primary devices as well as path analysis, a new view must be created. (All views other than the home view will contain all the assets connected to the selected primary devices along with path analysis data.)
Manage Views
Manage Views: All View related functions can be accessed from the main menu under Manage Views and can be opened from:
The main menu
With the shortcut key “V”
From the view navigation bar at the top of the map
Right click on a node or group and using the right-click menu
Creating a View
When opening Manage Views in a workspace that contains only the Home View, you cannot edit the Home View, so a new view will need to be created.
Open Manage Views
Select Create New View
Name the View
Choose the Devices and/or Auxiliary Data to include in the new view
Choose whether or not to include external paths (This can provide a more complete picture but significantly increases build time, and is not always necessary)
Create View
The view will be created in the background allowing continued use of the home view until the analysis has completed and the view has been built.
Once completed, the topology map will switch to the newly created view with the view details.
Note: Devices can be connected by a solid or dotted line. A solid line indicates evidence of a direct connection. A dotted path represents a connection that is inferred from the information provided (e.g., a layer 2 connection). Additional configuration data is required to convert inferred to direct connections.
Editing View
Existing views can be updated by opening Edit mode
Select the desired View
Click the kebab menu
Select Edit
From this point you can
Rename the view
Add or Remove devices from the view
Change Path Analysis used (will reprocess the view and topology)
Delete the view – Select the Trashcan from the kebab menu (only the view will be removed, no data will be deleted)
View Navigation
Navigation between views can be accessed in 2 ways
From the topology: by opening the View Navigation dropdown
From Manage Views: open the menu, navigate to Manage Views, and select a View.
Now you can load and work with the details of a view without loading the view on the map
Views are only loaded on the topology if the Play button is selected
View details only are loaded if the row itself is clicked
Views build and rebuild in the background allowing you to continue work while a view is being generated
Limitations
Devices per view are limited by the product purchased as outlined below:
Desktop: 15 devices per view
Server: 25 devices per view
The above limitations also depend on the size and complexity of the configuration files and the specifications of the system. A lower-powered system may reduce the capability to support the above limits. YMMV.
Views: Segments the devices present in a workspace into multiple views
Zones: Segments the devices present in a view into multiple visual zones
This article will focus on Zones and the different functionality around them.
Zones – Defined
Zones in NP-View are the most granular form of segmentation that is offered. Zones are visual markers that group nodes together. They can be created by users on demand, or through the Auto Generate Zones function in Manage Zones, on the main menu. Zones can be named and assigned a criticality.
Below is an example of a Zone with a High Criticality, named EMS-Backup.
Adding Zones
Adding, Editing, and Deleting Zones can be done
Manually – From the Topology
Automatically – From the Main Menu >> Manage Zones
Manually – The Topology
Hold Shift
Select a group of nodes
The Multi-Selection panel will open over the main menu
In the middle of the panel there is a Save Selection as Zone segment
Give the grouping a name and criticality
Create Zone
The Zone will appear on the Topology
Automatically – Manage Zones
From the Main Menu Manage Zones can be accessed. This is the primary place to work with Zones in NP-View. From Manage Zones you can Autogenerate Zones based on keywords found in the section below.
Autogenerate Keywords
Keyword
Criticality
Color
Best Practice
NERC-CIP
PCI (Future)
bcc
HIGH
light red
X
datacenter*
HIGH
light red
X
X
X
dist
HIGH
light red
X
dmz*
HIGH
light red
X
X
*ems*
HIGH
light red
X
^esp
HIGH
light red
X
pcc
HIGH
light red
X
scada
HIGH
light red
X
trust
HIGH
light red
X
backoffice
MEDIUM
light yellow
X
X
bu*
MEDIUM
light yellow
X
corp
MEDIUM
light yellow
X
X
X
office
LOW
light blue
X
X
internet
UNTRUSTED
light gray
X
X
X
remote
UNTRUSTED
light gray
X
X
X
Manage Zones from menu
Auto generate zones is only available if no zones have been created.
Zones will be automatically named and color coded based on asset keywords.
Once Zones have been generated they will appear on the map and each zone will be listed in manage zones. Clicking any zone, either on the Topology or from Manage Zones will open the details for the Zone
Edit/ Delete Zones
Once created, zones can be manually reclassified or deleted by clicking inside the zone space and selecting the appropriate option from the menu. If some devices are not properly included in a zone, the devices can be selected and manually added to a zone (or right-clicked on and added to a zone).
Once automatic zones are created, the Auto Generate Zones function is disabled until all zones are deleted.
For manual zone creation, the user can select two or more objects from the topology map and the zone panel will display.
From the panel, the user can create a zone, name it and assign a criticality. The user can also assign tags and criticalities to the selected devices.
For existing zones, the user can add / remove nodes from zones, edit the name or criticality or delete the selected zones.
Selecting a zone name displays the details for the zone. The user can rename the zone or reassign the criticality. They can also perform a zone analysis of inbound and outbound paths.
Right clicking on any topology object will allow for the addition or removal of an object from a zone.
Network visualization is the most powerful feature of NP-View. Create a workspace, import configuration files and supporting meta data, and NP-View’s visualization function will process the information into a usable network diagram.
Home View
The Home View shows the user a high level overview of the primary devices within a workspace (Firewalls, Routers and Switches).
The home view is the starting point for all workspaces. Devices can be connected by a solid or dotted line. A solid line indicates evidence of a direct connection.
From the home view, the user can:
Select a single device (left click) to view details on the information panel.
Select multiple devices and create zones. See more info on zone creation.
Select one or more devices and create a view. See more info on view creation.
When objects are moved on the topology map, the ‘Save Topology’ button will become active. Multiple objects can be moved prior to saving the topology.
If the user attempts to switch views before saving, a notification will be presented as follows:
The user can either cancel the operation and then select ‘Save Topology’ or proceed to the selected view without saving. Selecting OK can also be used as an undo function.
Topology Network Map
From the topology view, the user can rearrange the objects on the canvas by selecting and dragging a device to a new location. Device location can be saved with the “Save Topology” button.
Devices can be assigned a category (colored text tag) and criticality (colored ring).
If a device has active alerts, the number of alerts is displayed in the top-right corner (red circle).
If a device has user entered comments pertaining to this device, the number of comments is displayed in the top-left corner (blue circle).
Multiple devices can be selected by holding the shift key down (the cursor changes to a + sign) and dragging the mouse to make the selection. The Ctrl key can be used to select / deselect individual devices. Once selected, the devices can be assigned to a common category or criticality. Alternatively, the devices can be assigned to a zone. See more info on zone creation.
Unmapped hosts and networks indicate IP addresses that are external to the topology and could not be connected to primary networks. For a given networking device (e.g., a firewall), primary networks constitute the IP ranges defined by its interfaces. In other words, all the networks a device faces are called primary. Nonetheless, the device’s ruleset can refer to arbitrary IP spaces, not necessarily those within primary ranges. Consequently, NP-View identifies those external/unknown IP spaces as hosts, networks, or ranges, as defined in the config, and places them behind the Unmapped gateway.
Additional topology features include expand / collapse a node, auto arrange peers in a circle and pin / unpin a specific node. These features are available when clicking on a node and using the kebab menu on the info panel.
Tip: When importing devices, the topology map attempts to place each node in an unused slot but may overlap nodes and paths. By selecting unpin, moving one device, selecting center and then pin, the map will auto arrange. For topologies with over 100 nodes, the hosts will automatically be collapsed to make the map easier to read. Each collapsed network can be individually expanded, or the entire map can be expanded, but for very large workspaces this may take some time.
Firewall Device Information
For Firewalls, Routers and Switches, when selecting a device, the device attributes will be displayed on the left device information menu.
The device panel will be displayed with the appropriate label. The device type is defined by heuristics. If the device is misclassified, clicking on the drop down allows the user to reclassify the device as a firewall, router or switch.
The user can also assign a category and a device criticality. Additional information includes being able to review multiple versions of configuration files and compare them with the diff viewer. Configuration files must have the same name for the diff viewer to identify and compare files.
A risk assessment grade is assigned for each firewall based on the number of open risks and warnings and their associated criticality.
The connectivity matrix shows all of the connections for the selected firewall and the IP rules for each connection. This is only available from within a custom view.
Risks and Warnings shows the active risks, warnings and the criticality for the selected device.
Access Rules shows the rules for the selected device with the ability to compare two sets of rules and display the differences.
Object groups shows the object groups for the selected device.
A summary of the number of routes and a table of the interfaces are also displayed.
Administrators and Workspace Admins can delete devices from the workspace using the delete option under the three-dot menu.
Host Information
For hosts, the following is displayed:
Users can assign a host icon, category and a criticality.
Display inbound / outbound connectivity paths as well as displaying stepping stone analysis. Inbound and outbound connections are filtered to show the exact match for a given path. In some cases, no inbound or outbound paths will be displayed. (See below)
Custom views are used to organize devices and analyze the paths between the devices. Path analysis and stepping stone analysis is only available from within a custom view. Additional information on custom view creation can be found here.
Network & Gateway Information
For networks and gateways, the panel to the left will be displayed.
Users can assign a category and a criticality.
Additional information includes being able to review the IP address of the connected hosts.
The user can also search the config file for the device.
Display inbound / outbound connectivity paths as well as displaying stepping stone analysis. When selecting Inbound or Outbound, all paths are highlighted in gray; selecting a specific protocol will highlight the path in orange.
Connectivity Paths
When displaying the device menu for a specific device, clicking on the arrow (>) will expand the inbound and outbound connections. Clicking on any service or IP will highlight the path on the topology map. Source objects are designated by blue circles (Src) and destination objects are highlighted by red circles (Dest).
Additional path information is shown including the rule associated with the path. Clicking on the blue text will invoke the access rules with the associated information. The user can also add a comment if required.
Stepping Stone Analysis
Stepping Stone Analysis is available on custom views for Networks and Endpoints. Click any node that is not a Firewall/Router/Switch and open the info panel.
Find the Accordion section named "Stepping Stone Analysis" and open to reveal options.
Run as Source or Run as Destination.
The colors reflect how many hops away another node is from communicating with the analyzed node. The pie slices on the analyzed node show the distribution of nodes per number of hops.
The above sections describe the different types of Path Analysis available in NP-View that will give information about connections in the Topology. But what if we want to confirm that a connection is blocked? For this NP-View offers Path Block Analysis.
Path Block Analysis allows a user to take two hosts, two networks, or one host and one network and troubleshoot whether the connection between them is blocked and, if so, why.
Open a Topology View that is not the Home View and select the two nodes you wish to troubleshoot path blocks on. When the two nodes are selected, right click on one of them and select “Troubleshoot Path Blocking Issue”.
A dialog will slide out of the right side of the screen. The Source and Destination of the selected nodes will be entered and can be swapped. Protocol and Port are pre-populated and cannot be changed. Path Block analysis always searches using IP/any. Clicking Start will begin the analysis.
Path Block Found
When a Path Block is found the dialog will have a red notification, and the Blocked Paths window on the left side of the screen will be populated with the block information, including the reason why traffic is blocked. This information is not stored and will be erased as soon as ESC is pressed.
Path Block Not Found
When a Path Block is not found the dialog will present a green notification. The Blocked Paths window on the left side of the screen will be populated with a message that no blocks were found.
The following table is a comprehensive list of supported devices. The instructions provided in the table can be used to manually extract data from the device for import. While we do our best to support the below devices, it is impossible for us to test the parsers with every possible device configuration combination. If errors occur during device import, Network Perception is committed to working with our customers to resolve their specific parsing issues.
Note that Network Perception's device support policy follows that of the manufacturer. When a manufacturer ends support for a product, so does Network Perception. End of support devices are not removed from NP-View but will not be upgraded if issues arise.
Supported Devices with Vendor Partnership
The devices in this list are actively tested in our lab to support the most current versions of the manufacturer software. Network Perception has an active partnership with these vendors for software and support.
| Vendor | Type/Model/OS | Configuration files needed |
| --- | --- | --- |
| Check Point | R81 / R81.10 / R81.20 including Multi-Domain Security and Virtual Router support (VRF) | We support the database loading using the NP Check Point R80 Exporter (PDF documentation, video). Zip File Shasum: 5d22b182d773c020fd2a58838498b8be8221468e; Exporter Tool Shasum: cc3131da37362da1291fa4a77cd8496fcb010596 |
| Cisco | ASA Firewall (9.8 and up) including multi-context and Virtual Router Forwarding (VRF); FTD Firewall (7.1.x, 7.2.x); IOS Switch (15.7 and up) including Virtual Router Forwarding (VRF); ISR (IOS-XE 17.6.x and up). We do not support Application Centric Infrastructure (ACI) or NX-OS | For a Cisco IOS device, the sequence would be: enable (to log into enable mode); terminal length 0 (it eliminates the message between screens) |
The devices in this list are actively tested in our lab to support the most current versions of the manufacturer software.
| Vendor | Type/Model/OS | Configuration files needed |
| --- | --- | --- |
| Dell – Edge Gateway | Ubuntu Core (IP Tables) | see additional instructions below |
| Dell – PowerSwitch | OS10 | show running-configuration |
| Dell – SonicWall | SonicOS (5.9.x, 6.5.x) | “From GUI, Go to Export Settings, then Export (default file name: sonicwall.exp)”; see additional instructions below |
| FS | Switch (FSOS S5800 Series; Version 7.4) | show running-config. Note that FS configs are Cisco like and not tagged specifically as FS. We do our best to identify the device type but may display the device as Cisco in NP-View |
| Nvidia | Mellanox (Onyx OS) | show running-config. Note that Nvidia configs are Cisco like and not tagged specifically as Nvidia. We do our best to identify the device type but may display the device as Cisco in NP-View |
| pfSense | Community Edition 2.7.2 | Diagnostics > Backup & Restore > Download configuration as XML |
| Schweitzer | Ethernet Security Gateway (SEL-3620) | SEL Firmware: from “Diagnostics”, click on “Update Diagnostics” and copy the text. OPNsense: from ‘System > Configuration > Backup’ export .XML backup file. Note: IPTables from OPNsense are not supported in NP-View. |
| Siemens – RUGGEDCOM | ROX Firewall RX1000-RX5000 (2.x) | admin > save-fullconfiguration. Choose format “cli” and indicate file name |
Historical Devices
The devices in this list were developed based on customer provided configuration files. We are no longer actively developing these parsers, but they are supported for break/fix and require customers' sanitized config files to assist with debugging issues.
Select Manage System > Import/Export Configuration
Additional Instructions
Collecting Data from the Device Console
Collecting configuration information from the device console can be an easy way to get the device data.
Following the below rules will help ensure success when importing the files into NP-View.
Note that not all data can be retrieved from the console. Please review the section for your specific device for additional instructions.
Run the command from the console.
Copy the text to a plain text editor. Do not use Word or any fancy text editor as it will inject special characters that we cannot read.
Review the file and look for non text characters like percent encoded text or wingdings like characters. These will break the parser.
Save the output of each command in a separate file and name it after the device so that NP-View can properly attribute the files. For example: firewall1_config.txt, firewall1_arp.txt, firewall1_route.txt
For Palo Alto files, there are specific naming requirements; please see the Palo Alto section for additional information.
Some config files contain very long strings. Line wrapping due to the window size of the terminal will break the parser. If using a terminal like PuTTY, please ensure the terminal is set to maximum width.
config system console set output standard end
Finally, if you encounter a parsing error when loading the files and want to upload the files to Network Perception using the portal, please sanitize all files at the same time so that we can keep the data synchronized across the files.
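The checks listed above can be run over a folder of console captures before import. The following is an added example, not part of NP-View: the suffix list comes from the naming example above, while the 80 and 132 column widths used to spot wrapped lines and all sample captures are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PurePath

PERCENT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")
# Suffixes from the naming example above; extend to match your own convention.
SUFFIXES = ("_config", "_arp", "_route")
# Assumption: a line exactly as wide as a common terminal was probably wrapped.
WRAP_WIDTHS = (80, 132)


def scan_capture(data):
    """Return (line_number, issue) pairs for one console capture given as bytes."""
    findings = []
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append((1, "byte-order mark added by the editor"))
        data = data[3:]
    text = data.decode("utf-8", errors="replace")
    for number, line in enumerate(text.split("\n"), start=1):
        line = line.rstrip("\r")
        if any(ord(ch) > 127 for ch in line):
            findings.append((number, "non-ASCII character"))
        if any((ord(ch) < 32 and ch != "\t") or ord(ch) == 127 for ch in line):
            findings.append((number, "control character"))
        if PERCENT_ENCODED.search(line):
            findings.append((number, "percent-encoded text"))
        if len(line) in WRAP_WIDTHS:
            findings.append((number, "possible terminal line wrap"))
    return findings


def device_of(filename):
    """Device name implied by the file name, or None if it cannot be attributed."""
    stem = PurePath(filename).stem
    for suffix in SUFFIXES:
        if stem.endswith(suffix) and len(stem) > len(suffix):
            return stem[: -len(suffix)]
    return None


def review_batch(files):
    """files maps file name -> bytes. Returns (findings per device, unattributed names)."""
    report = defaultdict(dict)
    unattributed = []
    for name, data in sorted(files.items()):
        device = device_of(name)
        if device is None:
            unattributed.append(name)
            continue
        report[device][name] = scan_capture(data)
    return dict(report), unattributed


# Constructed sample captures (not taken from a real device).
SAMPLE = {
    "firewall1_config.txt": b"hostname firewall1\r\n"
                            b"access-list OUT permit tcp any host 192.0.2.10 eq 443\r\n",
    "firewall1_arp.txt": b"Internet 192.0.2.7 name%20with%20spaces\n",
    # Smart quotes from a word processor, then a line cut at exactly 80 columns.
    "firewall2_config.txt": ("hostname firewall2\n"
                             "description \u201cuplink\u201d\n"
                             + "object-group network " + "A" * 59 + "\n").encode("utf-8"),
    "switch config.txt": b"hostname switch\n",
}

if __name__ == "__main__":
    per_device, loose = review_batch(SAMPLE)
    for device, captures in per_device.items():
        for name, findings in captures.items():
            print(device, name, findings or "clean")
    print("cannot attribute to a device:", loose)
```

A line flagged as a possible wrap is only a hint; confirm it against the device output before re-capturing with a wider terminal.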
Berkeley Software Distribution (BSD)
BSD has three firewalls built into the base system: PF, IPFW, and IPFILTER, also known as IPF.
FreeBSD
IP Firewall (IPFW): Default rules are found in /etc/rc.firewall. Custom firewall rules go in any file provided through # sysrc firewall_script="/etc/ipfw.rules"
IP Filter also known as IPF: cross-platform, open source firewall which has been ported to several operating systems, including FreeBSD, NetBSD, OpenBSD, and Solaris™. Name of the ruleset file given via command ipf -Fa -f /etc/ipf.rules
IP Filter (IPF): Use /etc/ipf.conf to allow the IPFilter firewall
BSD and similar systems (e.g., Linux) will use the same names for interfaces (eth1, eth2, em1, em2, carp1, carp2, etc.). The parser might be confused if the user imports interface files and packet filter configs from different systems at the same time resulting in a combined system instead of individual devices. To prevent this, the user should group all files by host, making sure to name the ifconfig file after the hostname (i.e. host1_interfaces.txt).
FreeBSD Example
Below is an example of a 2 host FreeBSD system containing FW1, host1 and host2. The user should import the files in each section as a separate import.
fw1 – first data set import (all available files imported together)
pf.conf (required file) (note, can be named differently, e.g., ‘FW1.txt’)
obsd_fw1_interfaces.txt (required file) (note that the parser keys on the “_interfaces” string. Text before “_interfaces” will be used to name the device. In this example ‘obsd_fw1’)
hostname.carp1
hostname.carp2
hostname.hvm2
hostname.hvm3
hostname.hvm4
table1
table2
host1 – second data set import (all available files imported together)
pf.conf (required file) (note, can be named differently, e.g., ‘host1.txt’)
host1_interfaces.txt (required file) (note that the parser keys on the “_interfaces” string. Text before “_interfaces” will be used to name the device. In this example ‘host1’)
hostname.em1
hostname.carp1
host2 – third data set import (all available files imported together)
pf.conf (required file) (note, can be named differently, e.g., ‘Host2.txt’)
host2_interfaces.txt (required file) (note that the parser keys on the “_interfaces” string. Text before “_interfaces” will be used to name the device. In this example ‘host2’)
table1
table2
The only required files are the config file (can be named something other than pf.conf) and the ifconfig file. hostname files are optional (unless they contain description of interfaces not in the ifconfig file). Table files contain a list of IP addresses that can be manipulated without reloading the entire rule set. Table files are only needed if tables are used inside the config file. For example, table persist { 198.51.100.0/27, !198.51.100.5 }
Legacy Fortinet Support
Support for Fortinet through 6.2 ended September 2023. Please note that no upgrades to these parsers will be made.
Palo Alto Panorama & NGFW
Panorama
If Panorama is used to centrally manage policies, the access rules and object groups can be retrieved from these devices in XML format (we do not support the import of unstructured text files). If using the Panorama connector, the required files will automatically be downloaded:
The Panorama file will only contain centrally managed access rules and object groups.
Locally defined access rules and object groups cannot be retrieved from Panorama and must be retrieved from each NGFW. Please follow the instructions below to export directly from the Next Gen Firewall using the API.
Palo Alto firewalls will ALWAYS have a vsys; even if one has not been configured, it will default to vsys1.
The “mapping_config” file is required which can only be retrieved through the API using the “show devices connected” command. The name of the file is “named_mapping_config.xml” where the named prefix needs to match the device name as shown in the UI when the running_config.xml is imported alone. All files should be imported at the same time. Please see instructions below:
The links below are to the Panorama documentation for the required commands with examples. The links provide you with commands to run directly in the Panorama CLI. The images we provide are for use with Postman or a web browser.
Once both the “<panorama_server>_running_config.xml” and “<panorama_server>_mapping_config.xml” are gathered, please import them together in NP-View.
Next Gen Firewall (NGFW)
If the PanOS connector is used to download files, the required files will automatically be downloaded:
The configuration information from the NGFW may be contained in several .xml files, <device-name>_merged_config.xml and <device-name>.vsys(n)_pushed_policy.xml. There can be one vsys file per virtual interface. The naming of these files is important for the parser to merge them during import. All files from a single firewall must be imported at the same time and in .xml format (we do not support the import of unstructured text files). If any of the files are missing, improperly named or formatted, an error message will state that ‘File parsed but ruleset and topology were empty, aborting’ meaning they could not be linked to the other associated files.
An example of properly named files is below:
Chicago-IL-100-FW1_merged_config.xml
Chicago-IL-100-FW1.vsys1_pushed_policy.xml
Chicago-IL-100-FW1.vsys2_pushed_policy.xml
NOTE: If the NGFW is an unmanaged/standalone Palo Alto device it will not have a pushed_policy file. In this situation, the configuration .xml file can be downloaded directly from the firewall and loaded into NP-View. The file name need not be changed when loading the file from a standalone firewall.
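The naming rules above can be checked before an import batch is loaded. This is an added example, not NP-View's own parser logic: it assumes the device-name prefix must match exactly, including case, and every file name other than the three Chicago-IL-100-FW1 names from the page is constructed.

```python
import re
from collections import defaultdict

# <device-name>_merged_config.xml and <device-name>.vsys(n)_pushed_policy.xml
MERGED = re.compile(r"^(?P<device>.+)_merged_config\.xml$")
PUSHED = re.compile(r"^(?P<device>.+)\.vsys(?P<vsys>\d+)_pushed_policy\.xml$")


def check_ngfw_batch(filenames):
    """Group one import batch by firewall and list naming problems."""
    devices = defaultdict(lambda: {"merged": None, "vsys": []})
    standalone, problems = [], []
    for name in filenames:
        if not name.endswith(".xml"):
            problems.append(f"{name}: not an .xml file")
            continue
        merged, pushed = MERGED.match(name), PUSHED.match(name)
        if merged:
            devices[merged["device"]]["merged"] = name
        elif pushed:
            devices[pushed["device"]]["vsys"].append(int(pushed["vsys"]))
        elif "pushed_policy" in name or "merged_config" in name:
            problems.append(f"{name}: looks like a managed-firewall file but is misnamed")
        else:
            # A standalone firewall export keeps whatever name it was saved under.
            standalone.append(name)
    for device, found in sorted(devices.items()):
        found["vsys"].sort()
        if found["merged"] is None:
            problems.append(
                f"{device}: pushed_policy file(s) without {device}_merged_config.xml"
            )
    return {"devices": dict(devices), "standalone": standalone, "problems": problems}


# First three names are the page's example; the rest are constructed.
SAMPLE_BATCH = [
    "Chicago-IL-100-FW1.vsys2_pushed_policy.xml",
    "Chicago-IL-100-FW1_merged_config.xml",
    "Chicago-IL-100-FW1.vsys1_pushed_policy.xml",
    "Chicago-IL-100-FW1_vsys3_pushed_policy.xml",   # underscore instead of a dot
    "Chicago-IL-100-FW2_merged_config.xml",
    "chicago-il-100-fw2.vsys1_pushed_policy.xml",   # prefix differs in case
    "running_config.txt",                           # unstructured text
    "Denver-FW9.xml",                               # standalone export
]

if __name__ == "__main__":
    result = check_ngfw_batch(SAMPLE_BATCH)
    for device, found in result["devices"].items():
        print(device, "merged:", found["merged"], "vsys:", found["vsys"])
    print("standalone:", result["standalone"])
    for problem in result["problems"]:
        print("PROBLEM:", problem)
```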
To manually export configuration files from an unmanaged firewall:
If the NGFW is managed by a Panorama, the API will be required to secure the necessary files:
Virtual router (vrf) is a software-based routing framework in Palo Alto NGFW that allows the host machine to perform as a typical hardware router over a local area network. NP-View has added the experimental capability to detect Virtual Routers from Palo Alto devices (NGFW or Panorama) and present them in the Connector or Manual Import device selection screens. Virtual Routers will be treated the same as physical routers and will require a device license.
This feature is disabled by default and must be enabled prior to importing configurations containing virtual routers.
To enable the feature the NP-View Server admin will need to make a change to a system variable.
Stop the NP-View Server application.
In the docker-compose.yml file, change enableVirtualRouters=False to enableVirtualRouters=True in three places within the file.
Start the NP-View Server application.
For Desktop
Close the NP-View application.
In the file C:\Users\<username>\AppData\Roaming\NP-View\config.ini add enableVirtualRouters=True
Restart the NP-View application
Once enabled, the user will be presented with the option to select virtual routers from the connector in the device selection or upon manual import.
Legacy Palo Alto PanOS Support
Palo Alto PanOS versions prior to V9.1 are no longer supported. Please note that no upgrades to parsers will be made for unsupported devices.
Dell Edge Gateway
The Dell Edge Gateway runs Ubuntu Core OS. The gateway uses IP tables to configure the local firewall. NP-View uses the following 4 files extracted from the Ubuntu server to generate the topology. This device is not a firewall but more of an application running device. It does have some security features but we suspect it would be behind a real firewall. The following data is needed to import this device.
iptables_rules → to get a device created, containing interfaces and rules
hostname_interfaces → associated with config above
arp_table → to get external hosts (ip + mac)
active_connections → to get routes
This is not a simple device to get data from; the following process must be followed:
1. Capture the iptables Filter Rules
To capture the iptables filter rules (the firewall rules that are active on the system), you can use the following command:
Show Command:
sudo iptables -L -v -n
Description:
Lists the currently active iptables firewall rules (filter rules).
Includes details about chains (INPUT, OUTPUT, FORWARD), protocols, sources, destinations, and ports.
Save Command:
sudo iptables-save > ~/iptables_rules.conf
This will save the firewall (filter) rules in a file called iptables_rules.conf in your home directory.
2. Capture the Network Interface List
To capture the list of network interfaces (with IPs, MAC addresses, etc.):
Show Command:
ip addr show
Description:
Displays the list of all network interfaces on the system.
Includes details about interface names (eth1, eth2, etc.), IP addresses, MAC addresses, and other interface attributes.
Save Command:
ip addr show > ~/hostname_interfaces.txt
This will save the interface details in a file called hostname_interfaces.txt in your home directory.
3. Show ARP Table
Show Command:
ip neigh show
Description:
Displays the ARP table, showing which MAC addresses correspond to which IP addresses on the network.
Save Command:
ip neigh show > ~/arp_table.txt
4. View Routing Table
Command:
ip route show
Description:
Displays the current routing table, showing default gateways, specific routes, and the interfaces used to reach specific networks.
Save Command:
ip route show > ~/routing_table.txt
5. Loading files into NP-View
Once all of the files have been retrieved, they need to be loaded into NP-View together and without any other files so they are properly associated.
Legacy Check Point R80 Support
Support for Check Point R80 through R80.40 ended April of 2024. Please note that no upgrades to these parsers will be made.
Cisco FTD
NP-View supports Cisco FTD through the output of the “show running-config” command. However, it is important to note that Cisco FTD includes network filtering policies documented outside of the running configuration. This section explains where to find those policies.
As of version 6.1, Cisco FTD includes a Prefilter Policy feature that serves three main purposes:
Match traffic based on both inner and outer headers
Provide early Access Control which allows a flow to bypass Snort engine completely
Work as a placeholder for Access Control Entries (ACEs) that are migrated by the Adaptive Security Appliance (ASA) migration tool.
The feature has 2 primary use cases:
For use with Tunnel Rule Types
For bypassing the Snort engine
These prefilter rules are part of the FTD configuration and are displayed via the “show running-config” command on the FTD. They manifest in the NP-View Access Rule table as a Permit IP with:
Source = any
Destination = any
Service = IP/any to any
As a result, the NP-View Rule Policy engine flags these rules as a high risk alert.
In the operation of the FTD, if a packet meets the prefilter policy, it is then evaluated by a secondary set of rules in the Snort engine or applied directly to the tunnel. The Snort rules are not part of the “show running-config” output from the FTD. These rules are established, maintained and viewed on the FMC (management server), but are not readily available via the FTD CLI interface.
In the context of an audit during which evidence around these prefilter rules is requested, we recommend documenting that these rules are a default configuration for the system, and we also recommend generating an FMC PDF Policy report to explain the flows of traffic within the FTD configuration. For more information, please refer to the Cisco FTD Prefilter Policies documentation.
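To prepare that audit evidence, the broad permits can be listed straight from the “show running-config” text together with the remarks that name the policy each one belongs to. This is an added example, not NP-View code: it assumes entries of the form access-list <name> advanced permit ip any any rule-id <n> preceded by access-list <name> remark rule-id <n>: <text> lines, and the sample configuration, policy names and rule ids are constructed.

```python
import re

# Assumed line layouts (see lead-in); entries scoped with "ifc <zone>" are not matched.
REMARK = re.compile(r"^access-list\s+(\S+)\s+remark\s+rule-id\s+(\d+):\s*(.*)$")
PERMIT = re.compile(
    r"^access-list\s+(\S+)\s+advanced\s+permit\s+ip\s+any\s+any\s+rule-id\s+(\d+)\b"
)


def broad_permits(running_config):
    """Return one record per 'permit ip any any' entry with the remarks for its rule-id."""
    lines = [line.strip() for line in running_config.splitlines()]
    remarks = {}
    for line in lines:
        match = REMARK.match(line)
        if match:
            remarks.setdefault((match[1], match[2]), []).append(match[3])
    records = []
    for line in lines:
        match = PERMIT.match(line)
        if match:
            notes = remarks.get((match[1], match[2]), [])
            records.append({
                "acl": match[1],
                "rule_id": int(match[2]),
                "remarks": notes,
                # True when a remark ties the entry to a prefilter policy.
                "prefilter": any("PREFILTER" in note.upper() for note in notes),
                "line": line,
            })
    return records


def audit_notes(records):
    """One line per broad permit, suitable for pasting into audit working papers."""
    notes = []
    for record in records:
        origin = "prefilter policy" if record["prefilter"] else "no prefilter remark"
        detail = " | ".join(record["remarks"]) or "no remarks found"
        notes.append(f"rule-id {record['rule_id']}: {origin}: {detail}")
    return notes


# Constructed sample, not output from a real FTD.
SAMPLE_CONFIG = """\
access-list CSM_FW_ACL_ remark rule-id 268434433: PREFILTER POLICY: Example_Prefilter
access-list CSM_FW_ACL_ remark rule-id 268434433: RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434433
access-list CSM_FW_ACL_ remark rule-id 268435456: ACCESS POLICY: Example_ACP - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435456: L7 RULE: web-out
access-list CSM_FW_ACL_ advanced permit tcp host 192.0.2.10 any eq 443 rule-id 268435456
access-list CSM_FW_ACL_ remark rule-id 268434432: ACCESS POLICY: Example_ACP - Default
access-list CSM_FW_ACL_ remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434432
"""

if __name__ == "__main__":
    for note in audit_notes(broad_permits(SAMPLE_CONFIG)):
        print(note)
```

Entries reported without a prefilter remark are the ones to trace to the access control policy in the FMC report.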
SonicWall
We support .exp files as the default SonicWall file format for v5.9 and v6.X of the SonicOS.
The main UI allows for export of the encoded .exp file as such:
To extract the file via the command line, the command to export is
Where the username/password/FTP IP or URL must be changed. The file “sonicwall.exp” will then be saved at the FTP location. As this file is encoded, there’s no way to echo or cat the data.
Requesting Support for New Devices
The above list of supported hardware has been lab and field tested. Newer versions generally work unless there is a major platform or API upgrade. Please contact support@network-perception.com if you wish to get more information on parsers, request support for a particular device or are interested in co-developing a solution.
NP-View includes a utility to automatically retrieve network device configuration files on a schedule. The connector types supported in NP-View Server are below:
Configuration Managers
For retrieving config files from network management systems. For each connector, the user can select the devices to be uploaded for monitoring.
| Manufacturer | Type/Model | Configuration Information Required | Connection Type |
| --- | --- | --- | --- |
| Fortinet | FortiManager (6.4.x, 7.0.x) | Hostname or IP address plus login credentials | HTTPS + optional SSL server verification |
| Palo Alto | Panorama (10.x, 11.x) | Hostname or IP address plus login credentials. See device selection section below for additional information | |
For retrieving config files directly from the network device.
| Manufacturer | Type/Model | Configuration Information Required | Connection Type |
| --- | --- | --- | --- |
| Check Point | R81.x | Hostname or IP address plus login credentials. See device selection and service account sections below for additional information | HTTPS + optional SSL server verification |
| Cisco | Adaptive Security Appliance (ASA 9.19) | Hostname or IP address plus login credentials, enabling password and optional context | SSH |
| Cisco | Internetwork Operating System (IOS 15.9) | Hostname or IP address plus login credentials, enabling password and optional context | SSH |
| Fortinet | FortiGate (FortiOS 7.0, 7.2) | Hostname or IP address plus login credentials. Note: SCP should be enabled in the configuration (instructions) | SSH |
| Palo Alto | NGFW (PanOS 10.x, 11.x) | Hostname or IP address plus login credentials | HTTPS |
Volume Shares
For retrieving config files that are uploaded to a common collection repository.
| Platform | Connection | Configuration Information Required | Connection Type |
| --- | --- | --- | --- |
| Windows | SMB Share (Samba) | Hostname or IP address, share name, device name and root folder path | SMB/CIFS |
| Linux | SSH Share | Hostname or IP address and folder path. Optionally an include list and exclude list can be defined. | SSH |
Additional Connector Information
Service Account
The use of service accounts is a recommended best practice when connecting to devices through connectors. The service account can be read-only and must have API privileges. When entering credentials related to an Active Directory domain, it is recommended to enter the username using the format account@domain.xyz instead of domain.xyz\account as the backslash can cause unexpected issues.
Checkpoint
For the connector to work with Check Point devices, the API setting needs to be enabled in the SmartConsole. See the image below for settings and commands to restart the API.
Device Selection
Check Point and Palo Alto network management systems provide files with multiple devices. The connectors for these systems allow for the selection of individual devices to load into NP-View. The user can select the “Retrieve device list” button to be provided a selection list.
Collecting Layer 2 Data from Devices
Layer 2 data will automatically be downloaded by the connectors for Cisco ASA and Cisco IOS devices. If the data is manually collected, use the following commands and file naming conventions.
Cisco ASA
show running-config → 'device_name'.'context_name'.txt
show arp → 'device_name'_arp_table.'context_name'.txt
show route → 'device_name'_route_table.'context_name'.txt
show interface → 'device_name'.'context_name'.interface_table.txt
show access-list → 'device_name'.'context_name'.access_list.txt
Cisco IOS
show running-config → 'device_name'.txt
show ip arp → 'device_name'_arp_table.txt
show ip interface brief → 'device_name'_interface_table.txt
Once all of the files are collected, manually load the files from each device together and separately from other devices for proper file association.
Samba
Network Perception suggests the following when setting up the SMB connection.
Create a read-only user in Active Directory or on the SMB server.
Determine the available share (“Get-SMBShare” in Windows PowerShell) or create a new one.
Share the SMB folder containing the Configuration files with the read-only user. For example:
If using the date folder and recursive search feature, clicking “See Current Date Folder” will retrieve the most recent folder, in YYYYMMDD format, in the “Current Root Folder” field. For example:
Optional fields:
Path to Root Folder – Directory you want to be the root folder relative to your default SMB root folder.
Recursive Search – Whether or not to search recursively starting at the connector’s root folder.
Name Filter – Filters file/directory names based on given regex statements. Any file/directory that fully matches ANY given regex statement will be included in result.
File Decryption Key – a PGP key can also be provided if the files retrieved have been encrypted.
If during the connector test, access is denied, the following settings should be verified and may need to be changed for the SMB to work as expected.
Running PowerShell as administrator
Input command Get-SmbServerConfiguration
Verify that EncryptData is set to false
If set to true, run command “Set-SmbServerConfiguration -EncryptData 0”
Verify SmbServerNameHardeningLevel is set to 0
If not set to 0, run command “Set-SmbServerConfiguration -SmbServerNameHardeningLevel 0”
Microsoft recommended default is off (0). More information about these settings can be found on the Microsoft website.
SSH and Samba for HA Groups
NP-View has the ability to handle HA Groups.
As a best practice, if using SSH shares, it is best to erase the entire folder and replace with the config files from the current active devices. It is also a best practice to name the HA devices similarly for comparison. For example:
Pittsburgh_FW1
Pittsburgh_FW2
etc.
For Samba shares, a similar method should be followed.
Refer to the Samba section for details.
If you have a system for which you need a connector or if you encounter a technical issue, please contact support@network-perception.com.
This document relates to NP-View Desktop and Server version 6.0 and later.
Connectors automate the secure retrieval of configuration files from firewalls, routers, switches, and network device configuration managers. NP-View Desktop and Server can host one or more connectors that securely retrieve configuration files manually (desktop and server) or at the specified frequency (server only).
To access the connector function, use the system menu in the upper right corner of NP-View and select 'Manage connectors'
The connector function consists of several key features.
Password manager to reuse and manage passwords across multiple connectors.
Workflow for creating groups and connectors.
Automated data collection and download.
Flexible scheduling (Server only).
Runtime and scheduling status (Server Only).
The connector function supports the devices listed on the connectors page.
Add Credentials
To get started, the user must first create one or more credentials. Credentials are used to access the devices and can be used for one or more devices. This provides the ability to manage multiple devices with one set of credentials. Click the 'Add New Credential' button to display the input section. Credentials are segregated by device type. Select the device type and input the required fields.
Once filled in, select the save button and the credential will be saved and displayed in the 'Credentials' box. Clicking on the credential will allow the user to edit the credential.
At this time, deleting a credential is not supported.
Create Groups
Once credentials have been created, the user can proceed to creating a Connector Group.
Select the '+' in the 'Groups' section to display the add groups function. Fill in the group name, notes and select a schedule (server only). For desktop, only the 'On Demand' function will be displayed.
Once saved, the user can click on the connector group name in the 'Groups' panel to enter edit mode or select the three dots to the right of the name for individual group options.
Pull to run all associated connectors and delete to remove the group. Note that only an empty group can be deleted.
Scheduling Groups
Groups can retrieve data on a schedule. When setting up or editing a connector group, the user can set a schedule.
The user has multiple options for scheduling the connector: monthly, weekly, and daily with flexible day of week and time options. We recommend that connectors be run at night to provide maximum resources for processing the data. When a connector group is scheduled, the next run status will be presented in the 'Groups' panel and on the 'Processes' tab.
Add Connectors
Once a group has been created, the user can add connectors to the group. In the connectors section, select the '+' to present the add connector function.
Proceed to select the connector type and fill in the required fields.
Next fill in the optional fields.
Filling in the name of a context will only fetch the data for that one context, leaving blank will fetch all contexts.
Select one or more workspaces to deliver the fetched data. If left blank, the data will be retrieved for manual download.
The user can then test the connector to verify the credentials and/or save the connector.
Once saved, the user can click on the connector name in the 'Connectors' panel to invoke edit mode. Clicking on the three dots next to the connector name provides individual connector options.
Manual Data Pull
Data from individual connectors can be retrieved manually by selecting the 'pull' option from the menu above. When selecting pull, the connector status will proceed to 'in progress' and the processes tab will also display the progress status.
Once data has been pulled, the user can selectively download the most current data set from the connector panel.
Deleting Workspaces
If a connector is designated to deliver data to a workspace and a user deletes the workspace, the connector will automatically be updated to reflect the workspace deletion.
In version 6.0, a new connector function was introduced. For new connector users, it is recommended to use the new connector function. The connector access has been moved from the +Import function to the system menu.
Connectors automate the secure retrieval of configuration files from firewalls, routers, switches, and network device configuration managers. NP-View Server can host one or more connectors that securely retrieve configuration files at the specified frequency. By default, connectors are accessible through HTTPS on port TCP/8443 of the NP-View server and are isolated for security purposes.
The first time an administrator accesses the connectors, they are required to define a Connector group name and a secure passphrase. The Connector group name will be used to create the encrypted connector file store. Connector information is encrypted at rest and in transit using a passphrase protected PGP key. Only the connector owners know the passphrase and the passphrase is never stored. Once initiated, connectors run in the background collecting network information. If the NP-View server is restarted, the connector owner is required to re-authenticate and restart the connectors. Connector owners can create multiple connector groups and each will require their own login. Once created, the user can select from the list of available connectors when logging in.
The connector page contains five main options.
The buttons from left to right are:
+ Add New Connector
bulk start all connectors (see bulk start parameters below)
bulk stop all connectors
delete the connector (user must be logged into the connector group to delete)
exit the connector group.
Add Connector
To add a new connector, select the “+Add New Connector” button and a list of available connectors is presented. Connector options are: Cloud Providers, Configuration Managers, Direct Devices and Volume Shares.
Upon selecting the Connector type to add, the user is requested to fill in connection information. Connector information varies by vendor. The connector configuration for a Palo Alto device is as follows:
The user must enter a Connector name (no spaces), host name, and credentials. The user can then verify the credentials are correct with the “Test credentials” button. The user can set up the polling cycle and provide the workspaces to deliver the resultant information.
Polling Cycles are:
On demand
Daily
Weekly
Bi-Weekly
Monthly
Configuration Management Systems
For Configuration Management Systems and file shares, additional information may be required. The user can retrieve a list of files from the device and filter the results. To include specific files, put them in the include list field. To exclude files, put them in the exclude list field. If both lists are used, the include list filter will be applied first, and the exclude list filter will then be applied to the results of the include list filter. If the share is PGP encrypted, a PGP Public key will be required.
Workspaces must be added to the connector for data to be transferred and displayed in the workspace. If workspaces are added after a connector is set up, data will not be sent to the workspace until the next scheduled import and a configuration change is identified. Creating workspaces before connectors facilitates faster visualization of data.
Connector Tile
Once the connector is added, a tile is added to the connectors home page.
Connector tiles are sorted by the characters in their names using standard Linux conventions:
whitespace
integer
special char
uppercase [A-Z]
underscore (possibly other special chars)
lowercase [a-z]
From the tile, the user can:
manually activate the connector for a one time data pull
run / pause the connector
edit the connector
copy the connector
delete the connector.
The tile banner will show in three colors:
red – connector failed
blue – connector scheduled to run
gray – connector paused
Click the start / pause button to restart a failed or paused connector. Note that a connector may take several minutes to change the banner color.
Connector for Forescout
The Connector for Forescout 8.1 and later enables integration between CounterACT and NP-View such that network device configuration files managed by CounterACT can be automatically imported into NP-View and aggregated into specific workspaces. Currently, Cisco switches are supported through the Forescout Switch Plugin.
Download the Forescout Extended Module for NP-View from https://updates.forescout.com.
Start your Forescout Console and log in to Enterprise Manager.
Then open “Options”, select “Modules”, and install the fpi.
To request additional support for this connector or to request support for other devices, please contact support@network-perception.com.
Connectors + Samba (SMB) Access Error
This error can be caused by two communication scenarios between Linux and Windows: either SMB encryption is enabled on the server, or SPN target name validation level is enabled (or both). To check which of these features is causing the issue, run PowerShell on the Windows Server as administrator and run the following command:
Get-SmbServerConfiguration
If EncryptData = True, it can be disabled using:
Set-SmbServerConfiguration -EncryptData 0
If SmbServerNameHardeningLevel is set to any value other than the default of 0 run:
Connectors fail to initiate connection to outside devices
In some instances, the Linux distribution is preventing the connectors (Docker) from initiating connections to outside devices. The solution is to update the firewall settings on the Linux distribution using the following commands:
The NP-View Connector for Cisco uses a read-only SSH connection to collect the output of the show running-config command. It is best practice to create a dedicated read-only user on your Cisco devices when configuring connectors. Here are the commands to only give the minimum permissions needed for this user:
conf t
aaa authorization command LOCAL
privilege show level 2 mode exec command running-config
privilege cmd level 2 mode exec command terminal
username $USERNAME password $PASSWORD priv 2
end
Bulk Start Parameters
To help balance the processing load of managing multiple connectors and improve user experience on the topology map, the bulk start function can be scheduled to off hours using system parameters. The docker-compose.yml file contains two parameters for the bulk system start function in the monitor: environment: section:
connBulkStartTime=21:00:00 # defines the start time for the connectors, format is Hours:Minutes:Seconds, 24 hour clock.
connBulkStartSpread=00:15:00 # defines the connector start stagger, format is Hours:Minutes:Seconds
Deleting Connectors
Connectors can be deleted by entering the connector group name and passphrase to gain access to the connector. The connector can be deleted by selecting the trash can in the upper right corner.
If the passphrase is forgotten, the connector can be forcefully deleted by the Linux Admin by removing the connector file from the folder
The linked .html file runs a self-contained config file sanitizer in a standard web browser. The configuration sanitizer will change IP addresses within the file to mask them. This sanitizer will maintain integrity across the masked IP addresses so that we can properly test the file in the test lab. Please do not manually change the file after running it through the sanitizer. To use the sanitizer file, click the link below to run it in your browser.
Below are the currently known issues in NP-View along with the available workarounds. These issues will be addressed as part of the upcoming release. If you are experiencing an issue not covered in this document, please contact Technical Support at: support@network-perception.com.
1. Typing into a field in NP-View Desktop doesn’t register any text
Reset window focus (This may not always work)
Alt+Tab out of the application
Alt+Tab back into the application
Login to NP-View Desktop via web browser
Open a web browser (Chrome/Edge) with NP-View still running
Type “localhost:8080” in the address bar to load NP-View in a browser window
NP-View is licensed on an annual basis. The cost of the license depends on the number of configuration files imported from primary network devices (firewalls, routers, and switches).
How Licensing Works
When importing devices (manual or automated), a reminder notice is provided stating: “Importing new devices requires available licenses. Devices are activated in the order they are imported. If the total license count is exceeded, importing of additional unlicensed devices will be prohibited.”
To determine the available number of device licenses, see the summary at the bottom of Licenses and Terms.
Supported Devices and Connectors
The knowledge base contains a list of actively supported devices (link) and connectors (link). These lists change over time as manufacturers end support for devices and as we add support for new devices. These lists are referred to in our terms of service and used to define what is in scope of the NP-View license agreement. Network Perception reserves the right to alter this list at any time without customer notice.
When Device Licenses are Activated
Device licenses are activated when a device is first imported. When the device limit is reached, import of additional devices (manual or automated) will be prohibited and a message will be issued in the help center and system logs.
Device licensing is permanent. Once a license is allocated to a device it cannot be re-assigned to another device.
Palo Alto NGFW and Virtual Systems (VSYS)
Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple physical firewalls, IT departments can use a single firewall and enable virtual systems on them to independently separate traffic.
The default is vsys1. You cannot delete vsys1 because it is relevant to the internal hierarchy on the firewall; vsys1 appears even on firewall models that don’t support multiple virtual systems.
When using multiple virtual systems, if a configured vsys has an interface with access rules, NP-View will represent the vsys as a separate firewall and a device license is allocated. If a vsys has no interfaces or access rules and is used only for object management then NP-View does not display the firewall and it requires no license.
FortiGate and Virtual Domains (VDOM)
Virtual Domains (VDOMs) are used to divide a FortiGate into two or more virtual units that function independently. VDOMs can provide separate security policies and, in NAT mode, completely separate configurations for routing and VPN services for each connected network. If a VDOM has no interfaces or access rules and is used only for object management then NP-View does not display the firewall and it requires no license.
Hiding Devices
If a device is no longer required in any workspace, the Administrator can hide the device from all workspaces by unchecking the “Visible in Workspace” check box and selecting the “Submit” button.
The licensed device will remain in “License and Terms” and is displayed as follows:
The data is not deleted from the workspaces. If the Administrator wishes to restore the device to all workspaces, they can by importing new data for the device or by rechecking the checkbox and clicking “Submit”.
Note: NP provided demo devices in the demo workspace are excluded from display in the license manager and device counts.
User Deleted Devices
If the user deletes a device from all workspaces, the device still remains licensed but as it has no system association will not be displayed in License and Terms. The device can be restored in the future by importing new data for the device into any workspace.
Expired Licenses
When the license expires, workspaces for all users will be disabled along with manual data imports. A message will be displayed stating that the license has expired and to contact sales to renew. Connectors will continue to collect data and deliver the updates to workspaces and demo workspaces will continue to function.
License Downgrade
If a customer downgrades their device count, the Administrator will need to select the devices to remain active after inputting the new license key. If the Administrator does not select the devices to remain, the system will allocate the devices in the order they are used. All remaining unlicensed devices will be removed from all workspaces.
Compliance Module Downgrade
If a customer downgrades their compliance module license, all workspaces associated with that module will be disabled. The user can manually delete these workspaces.
Existing Customer Upgrades
For existing customers upgrading from a previous version of software to version 3.1.0 or later, devices that are imported and active in the license manager (check box marked) will remain licensed. Devices that are unlicensed (check box unmarked) will be removed from all existing workspaces. If a customer needs to replace one or more devices, please contact support.
Auditors and NP Certification
Auditors and NP Certification members working project style engagements using NP-View Desktop are provided with a special feature to reset the system to its original state after an engagement so that no customer data is retained.
Adding a license to NP-View Desktop and NP-View Server
Step 4a: For New Installations, upon system installation, the Administrator will input the NP license key into the setup screen which will set the maximum limit on the number of devices that can be imported (manually or automated) into the system.
Step 4b: For existing customers, launch NP-View and select “License & terms” from the user menu (top right corner).
Then scroll down and select “Upgrade or renew your license” followed by “Input license manually”. You can then copy/paste the license JSON structure (including opening and closing curly brackets) into the text field area.
Note: the licensing function is available only to the Administrator role in NP-View Server, and the Administrator must log out and log back in for the license to take effect.
HA Device Licensing
NP-View Professional server supports the licensing of active / passive high availability (HA) groups for firewalls. HA Group definitions are only required if the device names of the primary and secondary devices are different. Once the active firewalls are loaded into NP-View, the HA definition file can be exported using Postman or a tool of your choice using:
GET /license/ha-groups?file-export=true
A file will then be downloaded.
The file export will be a text file. Column 1 will be the HA Group name and will be initially empty. Column 2 will be the firewall name.
HA Group Name, Device Name
, asaDMZ-fw1
, asaUCCtoBA1
, asaUCCtoSub-A
, asaBA
, firewallSub
The administrator will then update the text file to add unique group names as well as the name of the passive firewall. The updated file can look as follows. Devices without group names will remain as individual firewalls.
HA Group Name, Device Name
A-Group, asaDMZ-fw1
A-Group, asaDMZ-fw2
B-Group, asaUCCtoBA1
B-Group, asaUCCtoBA2
C-Group, asaUCCtoSub-A
C-Group, asaUCCtoSub-B
, asaBA
, firewallSub
Once the file is updated, the file can be posted using Postman or the tool of your choice:
POST /license/ha-groups
When new firewalls are added or groups need to be redefined, the above GET / POST process can be repeated.
HA Groups will share one device license. If firewalls are ungrouped and there are not enough free device licenses, the user will be asked to remove firewalls from NP-View that are to be unlicensed and deleted from the system.
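A pre-flight check for the edited HA definition file before it is posted, as an added example (not NP-View code). It assumes the comma-separated layout shown above; the function name check_ha_file, the single-member warning, and the license count (one per HA group plus one per ungrouped device) are assumptions of this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: the edited HA definition file from the text above.
SAMPLE = """\
HA Group Name, Device Name
A-Group, asaDMZ-fw1
A-Group, asaDMZ-fw2
B-Group, asaUCCtoBA1
B-Group, asaUCCtoBA2
C-Group, asaUCCtoSub-A
C-Group, asaUCCtoSub-B
, asaBA
, firewallSub
"""


def check_ha_file(text):
    """Parse an HA definition file; return (groups, standalone, problems, licenses).

    Assumption of this example: each HA group consumes one device license
    and each ungrouped device consumes one.
    """
    groups = defaultdict(list)
    standalone, problems, seen = [], [], set()
    rows = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = next(rows, None)
    if header is None or [h.strip() for h in header] != ["HA Group Name", "Device Name"]:
        problems.append("missing or unexpected header line")
    for lineno, row in enumerate(rows, start=2):
        if not any(cell.strip() for cell in row):
            continue  # ignore blank lines
        if len(row) != 2:
            problems.append(f"line {lineno}: expected 2 columns, got {len(row)}")
            continue
        group, device = (cell.strip() for cell in row)
        if not device:
            problems.append(f"line {lineno}: empty device name")
            continue
        if device in seen:
            problems.append(f"line {lineno}: device {device!r} listed twice")
            continue
        seen.add(device)
        (groups[group] if group else standalone).append(device)
    for name, members in groups.items():
        if len(members) < 2:  # a group needs an active and a passive member
            problems.append(f"group {name!r} has only one member: {members[0]}")
    licenses = len(groups) + len(standalone)
    return dict(groups), standalone, problems, licenses


if __name__ == "__main__":
    print(check_ha_file(SAMPLE))
```

For the sample file, eight firewalls resolve to three HA groups and two standalone devices. A typo in a group name shows up as a single-member group rather than silently consuming an extra license.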
NP-View has a series of shortcut keys to quickly access commonly used functions. This section describes some of the frequently used shortcut keys. Note that the list of shortcut keys is available from the upper right menu or by using the “K” key.
A – Show the Asset inventory
B – Show the Search bar help
C – Show Track changes
H – Show the Support center
I – Show the Import data panel
K – Show the list of available shortcut keys
L – Show Logs
O – Show the Object Groups
P – Show the Connectivity Paths
Q – Return to the home page
R – Show the Access Rules
S – Save the topology
T – Show Background tasks
M – Show Policy Management
V – Show Custom topology views
W – Show Risk & Warnings
Z – Show Manage zones
SHIFT – Hold SHIFT key, then click and drag to draw a rectangle to select multiple nodes from the topology
Ctrl – Hold Ctrl key, then click to select / deselect individual nodes from the topology