At Network Perception, we have combined our vast expertise of critical asset protection with next-gen technology to guide our customers on a path to cyber resiliency.
The journey starts with establishing a clear baseline and verifying that internal risk mitigation controls are followed.
The next step consists of gaining an accurate visibility of network architecture and cybersecurity posture.
Finally, developing a continuous monitoring approach to gain velocity and adapt quickly to disruptions.
NP-View is designed to run on a Windows 10 or Windows 11 with a recommended configuration of a 10th Gen Quad Core Processor and 16GB of RAM. This configuration should be sufficient for processing large data files up to 500,000 lines. Simultaneously loading and analyzing multiple devices with larger configuration files will maximize the use of available system resources and additional RAM may be required.
Installation Process
Sign up on the Portal website to download the latest version of NP-View Desktop and to download a license key. A SHA256 checksum is supplied with each download. You can calculate the checksum on the files you download to verify the integrity of the files:
Windows Powershell: Get-FileHash /the/full/path/to/your/filename.exe | Format-List
Once installed, NP-View will automatically launch.
Allow ports for private/public network if prompted.
NP-View has been designed to run offline, which means that the network connections attempted towards a public NTP server, the local DNS server, and the Network Perception update server are optional and do not affect the system if the internet is unavailable. More information on configuring NP-View can be found here.
NP-View Desktop is a resource intensive application. For best performance, please ensure your system’s Power plan is set to High performance.
If you have administrator access, you can enable Ultimate Performance by opening the command prompt as administrator and copy paste: powercfg -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61 and press enter.
Windows control panel:
First Login
Upon first login, NP-View Desktop will require you to create an administrator account. Fill in the required information and click the “Create the NP-View administrator account” button. The password can be as simple or as complex as the user desires but needs to be at least 8 characters.
Local authentication is for users who wish to add an additional layer of protection. With this, the user can use whatever e-mail address and password they choose. If the user logs out of the system, the user id and password will be required upon subsequent application launches. Otherwise, the session remains open and authentication is not required.
Read and accept the user agreement.
Next, you will need to enter your license key. Once input, click the “Add license key” button.
Select your preferences for checking for automatic updates (requires internet access) and participation in our voluntary improvement program. Both selections use a slider that is default to off. To opt in, click the button and it will slide to the right. Click the save preferences button to complete.
Next click the get started button
User Menu
Access to the Help Center, License Manager, Update Manager and other administrative functions can be found on the User Menu located in the top-right corner of the Workspaces page.
Getting Started
On the Workspaces Page, NP-View provides a demo workspace as well as the ability to start creating your own workspaces. Click here to learn more about using workspaces.
Software Version
If you contact technical support, they will ask you for the software edition and version you are running. It can be found on the bottom left corner of the home screen.
Software Uninstall
To uninstall NP-View Desktop,
Windows 10/11: use the add or remove programs feature to remove the software
Use the add or remove programs feature to remove the software
Delete folder: ~AppData/Roaming/NP-View
Delete folder: ~AppData/Local/Programs/NP-View
Delete folder: ~AppData/Local/np-view-updater
Password Reset
Remove the file at the location listed below and restart the application to input your credentials.
Windows: Delete the file ~AppData/Roaming/NP-View/db/auth_provider.cfg and then restart NP-View.
License Changes / Upgrades
If you input a new license key from network perception, the user must log out and log back in for the changes to take effect. Note that the license key function is only available from the home screen (not from within a workspace).
Upload File Size Limit
NP-View enforces a maximum file size of 200MB by default. To change it, the config.ini file must be edited and the following row added: MAX_IMPORT_SIZE=<size in bytes>. For example: MAX_IMPORT_SIZE=209715200 which corresponds to 200MB.
Windows: the config.ini file can be found at: ~AppData/Roaming/NP-View/config.ini
Windows Path/File Name Length Limit
Microsoft Windows has a MAX_PATH limit of 256 characters. If the path and filename exceed 256 characters, the file import will fail.
For example: C:\Users\<username>\AppData\Roaming\NP-View\db\workspace\<np-view-user>@<workspace>\devices\<filename>
NP-View Server has been designed to be easily installed by a single person who has moderate Linux skills. This article provides step-by-step instructions on the installation process, which includes:
Provisioning a server
Downloading NP-View server
Installing NP-View server
Installing a SSL Certificate
NP-View is accessed through a web browser (Edge, Chrome, Firefox) running on a modern operating system (Windows 10 or later, macOS 11 Big Sur or later, Ubuntu 20 or later) with a recommended configuration of a 10th Gen Quad Core Processor and 16GB of RAM.
Provisioning a Server
The following table documents the CPU, memory, and disk requirements based on the number of network device configuration files monitored by NP-View server:
Number of network devices monitored
(firewall, router, switch) / concurrent users
Min. CPU
Memory
Disk Space
Up to 50 devices / 3 concurrent users
4-core
16GB
200GB
Up to 100 devices / 5 concurrent users*
8-core
32GB
400GB
Up to 500 devices / 10 concurrent users
16-core
64GB
2TB
Up to 1,000 devices / 20 concurrent users
32-core
128GB
4TB
Greater than 1,000 devices please contact support to discuss requirements.
Recommended as the minimum for most Professional Server users.
Note: loading and analyzing devices utilizes the majority of the CPU and Memory capacity. The higher the server capacity and the faster the CPU, the faster devices will load and be analyzed.
Network ports used by NP-View server
The following ports are used by NP-View server. Please ensure these ports are open on your firewall for proper communication.
Required ports:
TCP/22: SSH server to provide secure console access to the NP-Live server
TCP/443: access to NP-View Web UI through HTTPS
TCP/8443: access to NP-View connectors Web UI through HTTPS
Optional ports:
TCP/80: access to NP-View Web UI through HTTP
TCP/389: access to Active Directory / LDAP for LDAPv3 TLS
TCP/445: access to NP-View SMB Connector
TCP/636: access to Active Directory / LDAPS for TLS/SSL
TCP/8080: access to NP-View connectors Web UI through HTTP
Firewall Rules
The source IP should be the client workstation that will access NP-View and the destination IP should be the NP-View Linux server.
Downloading NP-View Server
Sign up on the Portal website to download the latest version of NP-View server and the license key. A SHA256 checksum is supplied with each download by clicking on the “show checksum” link. You can calculate the checksum on the files you download to verify their integrity:
Windows 10/11 using Powershell: Get-FileHash /the/full/path/to/your/file/name/extension | Format-List
MACOS: shasum -a 256 /full/path/to/your/file/name/extension
Installing NP-View Server
NP-View server is a Linux application. It can be installed on a virtual machine or physical hardware. There are 2 package formats available:
NP-View Virtual appliance (~2GB OVF) that works on all major hypervisor with support for the .vmdk disk format (e.g., VMWare ESXi).
NP-View Linux installer (~600MB) that works on all major Linux distributions on which Docker can be installed
The NP-View OVF uses Ubuntu Server 22.04 LTS or later. Root access is provided (see the text file provided with the .OVF) so the operating system can be periodically updated. This option should be used for new installations. The NP-View Linux installer is used to update NP-View on an existing system or for a new install on a Linux server.
Note: Network Perception does not recommend running NP-View in a double virtualized environment (Linux VM encapsulated within a Windows VM) as the operation of connectors, notifications and external interfaces can be unpredictable.
Option 1: Using the NP-View Linux Installer
Once downloaded from the portal, follow the steps below to complete the install:
Move installer to server – This may require ssh or other user account permissions
Place the file in a location you can access from the terminal
/tmp – this is a temp folder available at the root directory
/opt/np-live – this is the default NP View server root directory
You can use the “ls” command to see what is in your current directory
Log into the terminal or use SSH (Putty, PowerShell, etc.) into the Linux server
Set root level permission with the command (this will allow you type commands without adding “sudo” to each command)
sudo -I
Navigate to the directory in which the NP-View Server Linux installer was placed
Use the ls command to verify file is in this directory
Run the installer with the command (Docker must be installed before this step)
Example: sh NP-View_Full_Filename.sh (example: NP-View_Server_Linux_4.0.5-add6)
The installer will begin by checking for a running instance of Docker and internet connection
If Docker is not installed and running the installer will stop and you will have to manually install the latest version of Docker before continuing
If an internet connection is available and Docker isn’t installed, the installer will automatically download and install the latest version of Docker
If an internet connection isn’t available but Docker is installed, the installer will continue offline (Most Common Scenario)
If you are installing NP-View Server on Red Hat Enterprise Linux, use the following commands to install docker:
Prompt for default directory (/opt/np-live) We recommend keeping the default directory but it can be changed if preferred
Note: If the default directory is changed, then it will need to be edited for each new release during the installation
There will be a message once the installation is complete
Launch a browser to navigate to the NP-View User InterfaceExample of transfer with WinSCP:
Load WinSCP – It should default to this screen:
Default “File Protocol:” to SFTP
Fill in Host name, User name, and Password.
Host name would be the same as your NP-View Server IP Address
User name and Password are the same as the sudo credentials you use to log into the NP-View Server terminal.
Find the NP-View Linux Server Installer file in the left window. Then in the right window from the “root” select the “tmp” folder. Once you have completed both steps then click “Upload”.
Click Ok to complete the transfer.
Option 2: Using the NP-View Virtual Appliance
Once the Virtual Appliance OVF file has been downloaded from the portal, follow the steps below to complete set up:
Extract the .zip archive (right click on folder and choose extract all)
Import OVF into hypervisor
Update CPU/Memory/Disk Space to meet requirements stated in KB in the hypervisor settings
Open README.txt from extracted folder for credentials
Launch the appliance and log into terminal using credentials in README.txt
NP-View Server shell script will guide you through updating the NP-Live password, the root password, and to reset encryption keys
Once complete the NP menu will appear indicating the server is ready to use.
Launch a browser to navigate to the NP-View User Interface
Note: A static IP may need to be configured before utilizing the user interface.
Installing a SSL Certificate
NP-View listens on both port TCP/80 (HTTP) and TCP/443 (HTTPS). For HTTPS, it uses a self-signed SSL certificate by default. Users can also provide their own SSL certificate by simply copying a valid .pem file into the NP-View db folder. If using HTTPS, the best practice is to disable HTTP or forward HTTP to HTTPS.
The following command can be used to generate a valid .pem file:
To learn more about generating your own SSL certificate, please visit python documentation.
Please note that .pem file should include both the private key and the full certificate. If you received the private key and the certificate as two or more separate files, you can concatenate them into a single .pem file.
Setting the Virtual Appliance Time Zone
By default, the Virtual Appliance install creates the file `/opt/np-live/local-settings.yml`, set to America/Chicago. This file needs to be updated to reflect your local time zone. To change to a different time zone, log into the server using SSH and become root with the command sudo -i. You can then perform the following updates.
NP-View does not automatically delete log files, the Linux system admin may wish to schedule the above commands in a periodic CRON job to maintain optimal performance.
If server upgrade or restart issues continue to occur, please reach out to the Tech Support team.
Default Disk Encryption
As the NP-View OVF is typically installed within a secure environment, the disk is not encrypted by default for data at rest. The Linux Admin can encrypt the system drive for increased security knowing that system performance will be slightly degraded to accommodate the data decryption and encryption.
Personalize the Login Page
To add a custom message to the login page, a NP-View administrator can edit the file /opt/np-live/docker-compose.yml with the following entry in the webserver environment section: “- banner=Welcome to NP-view”
For NP-View, the file ~/Documents/np-live/config.ini can be edited to add: “banner=Welcome to NP-View”
Upload File Size Limit
When users upload a file through the Web user interface, NP-View will enforce a maximum file size which is 200MB by default. To change it, a NP-View Linux administrator can edit the file /opt/np-live/docker-compose.yml with the following entry in the webserver environment section: “- MAX_IMPORT_SIZE=209715200”. The value is in bytes, so 209715200 corresponds to 200MB.
Backing up the NP-View Server Database
Stop the NP-View Server (you can use the script /opt/np-live/stop_nplive.sh)
From the NP-View Server folder (by default: /opt/np-live/, run the command: tar -zcf db_backup_$(date '+%Y_%m_%d').tgz db (this command may take few minutes to complete)
Run the new release installer, which will update the containers and then launch NP-View Server
Complete Removal of NP-View
If you wish to completely remove NP-View from you server to start with a fresh install, perform the following steps:
Stop NP-View using the script /opt/np-live/stop_NP-Live.sh
Remove Docker containers using the command docker system prune -a as root (WARNING: this will completely reset Docker, so if non NP-View containers have been added they will be deleted as well)
Remove the NP-View folder with the command rm -rf /opt/np-live as root (WARNING: the NP-View database will be permanently deleted)
Network mapping provides the Networking Team (Network Engineer, Network Security) with capabilities that allow users to:
Visualize an accurate topology of the network architecture
Identify and label critical cyber assets and critical network zones
Easily review which devices are protecting which network zones
Visualize Topology
NP-View can be used to discover your network topology and the underlying control plane, including layer-2 and layer-3 configurations. Without leaving the topology map, you can review many aspects of the network’s design including Firewalls, Routers, Switches, Gateways, Networks, VPNs, Hosts and more.
Critical Assets and Zones
Each asset can be tagged with categories and criticalities as well as grouped into zones making it easy to review which devices are protecting which network zones.
Details On-demand
Selecting a node in the topology map will interactively display an information panel with detailed data about that node.
Firewall ruleset review provides Network Engineers, Network Security, and Compliance Analysts with functionality for:
Easy review of firewall access rules and object groups using the Access Rules and Object Groups reports.
Automatic identification of configuration risks using the Risks and Warnings report.
Validating recent policy modifications as part of a configuration change review process using the Change Tracking report.
How to Review Access Rules
An independent review of firewall policies has to be periodically conducted to ensure that network access rules are correctly implemented and documented. It is important because lack of access rule review leads to unexpected network access vulnerabilities.
Frequency: each time firewall policies are changed, and at least once a quarter
How to do it:
Step 1: given a workspace populated with network device configurations, open the Access Rule table from the main menu (top left)
Step 2: leverage the “Column Search” feature or the “Compare” feature to show the rules in scope of your verification
For instance, filter the “Device” column to only show rules for a specific device, or filter the “Binding (ACL)” column to only show rules bound to a specific interface, or use the “Compare” feature to only show rules added or removed recently
Step 3: review values for the source, destination, service, binding, risk, and description of each rule in scope
The “Description” column captures comment, description, or justification from the device configuration
The “Risk” and “Risk Criticality” columns are populated by NP-View during the automated risk analysis
Step 4: to identify rules that are not justified, sort the table by “Description”. Empty values will be shown at the bottom.
Step 5: to document your review process, double click on the “Comment” or “Comment Status” cells to add your own comment. The comment status can be either “Verified” or “To Review” or “To Revise”
Step 6: to save an evidence of your review process, export the table to Excel using the export options in the top right corner of the table
Access Rules Table
The Access Rules report provides the users with complete details on each Access Rule with the ability to add justifications and actions.
Object Groups
The Object Groups report provides the users with complete details on each Object Group with the ability to add justifications and actions.
Risks and Warnings
As modifications are made to the network, the Network Perception default Policies and Requirements identify potential risks. The Risks and Warnings report provides the users with a summary of the potential risks and their criticality with the ability to add actions and comments.
Change Tracking
As modifications are made to the network and the updated configuration files are imported, the changes are logged in the Change Tracking table.
Using industry best practices, Network Perception automatically identifies potential risks related to network configurations. Using the Network Perception Connectivity Path analysis, the user can review each of the highlighted risks and make a judgment on action.
Exposure of Vulnerable Assets – Vulnerability Analytics
NP-View provides your security team with a single pane of glass for reviewing network vulnerability exposure. With the addition of scanner data or data from a vulnerability data service, vulnerabilities can be tracked across your network.
Topology Display of Vulnerabilities
When scanned data has been added to a workspace, and a topology view is built that also includes that scan data, nodes on the topology of that view will be marked with a shield indicating the presence of vulnerabilities.
Firewalls, Gateways, and Hosts may contain vulnerability and service information imported from scans. Clicking on any of these nodes in a View that contains vulnerability information, will display it in the info panel that opens over the main menu.
Clicking on the Vulnerabilities link will present a pop out with the vulnerability details.
Performing a regular review of your compliance metrics is important for your organization. Performing the review manually is time consuming and tedious. Audit assistance provides the Compliance Team (Auditor, Compliance Officer, Compliance Analyst, and Consultants) with capabilities that allow users to:
Verify compliance with cybersecurity regulations and best practices through Policy Review.
Seamlessly store evidence for compliance review with Change Tracking.
Easily prepare compliance reports using the Audit Assistants listed below:
Workspace Report (Standard)
The Workspace Report assistant is available within each workspace and will generate a report for a specific view that includes detailed information about configuration files that were imported and parsed including:
Configuration assessment report including risk alerts
Ports and Interfaces
Access rules
Object groups
Path analysis
Industry Best Practice (Premium)
The Best Practice assistant requires a license to activate. This report is available within each workspace to generate a report for a specific view that includes the following topics:
Parser Warnings and potential misconfigurations
Unused Object Groups
Access Rules missing a justification
Unnamed nodes
NP Best Practice Policies on access rules and CiS Benchmarks that have identified potential risks
ACL’s with no explicit deny by default rule
NERC CIP Compliance (Premium)
The NERC CIP assistant requires a license to activate this function and guides the user through the steps required to create a report covering CIP-005 requirements. The NERC CIP audit assistant is only available within a NERC-CIP workspace and allows audit teams to classify BES cyber assets as High, Medium, and Low based on the standards. We have added a category for untrusted (Internet, Corp, etc.) to tag non BES assets. NP-View allows compliance teams to collect and report evidence related to the following requirements:
CIP-002 – BES Cyber System Categorization; impact rating and 15-month review
Views: Segments the devices present in a workspace into multiple views
Zones: Segments the devices present in a view into multiple visual zones
This article will focus on Views and the different functionality around them.
Home View
After creating a workspace and uploading 1 or more configuration files, NP-View will automatically generate the Home View.
The Home View presents a high level overview of the primary devices within the workspace (Firewalls, Routers, and Switches). It is the starting point for all workspaces.
To view assets connected to the primary devices as well as path analysis a new view must be created. (All views other than the home view will contain all the assets connected to the selected primary devices along with path analysis data.
Manage Views
Manage Views: All View related functions can be accessed from the main menu under Manage Views and can be opened from:
The main menu
With the shortcut key “V”
From the view navigation bar at the top of the map
Right click on a node or group and using the right-click menu
Creating a View
When opening Manage Views in a workspace that contains only the Home View, you cannot edit the Home View, so a new view will need to be created.
Open Manage Views
Select Create New View
Name the View
Choose the Devices and/or Auxiliary Data to include in the new view
Choose whether or not to include external paths (This can provide a more complete picture but significantly increases build time, and is not always necessary)
Create View
The view will be created in the background allowing continued use of the home view until the analysis has completed and the view has been built.
Once completed, the topology map will switch to the newly created view with the view details.
Note: Devices can be connected by a solid or dotted line. A solid line indicates evidence of a direct connection. A dotted path represents a connection that is inferred from the information provided (e.g., a layer 2 connection). Additional configuration data is required to convert inferred to direct connections.
Editing View
Existing views can be updated by opening Edit mode
Select the desired View
Click the kebab menu
Select Edit
From this point you can
Rename the view
Add or Remove devices from the view
Change Path Analysis used (will reprocess the view and topology)
Delete the view – Select the Trashcan from the kebab menu (only the view will be removed, not data will be deleted)
View Navigation
Navigation between views can be accessed in 2 ways
From the topology: by opening the View Navigation dropdown
From Manage Views by opening the menu navigating to manage views and selecting a View.
Now you can load and work with the details of a view without loading the view on the map
Views are only loaded on the topology if the Play button is selected
View details only are loaded if the row itself is clicked
Views build and rebuild in the background allowing you to continue work while a view is being generated
Limitations
Devices per view are limited by the product purchased as outlined below:
Desktop: 15 devices per view
Server : 25 devices per view
The above limitations also depend on the size and complexity of the configuration files and the specifications of the system. Lower powered system may reduce the capability to support the above limits. YMMV.
Views: Segments the devices present in a workspace into multiple views
Zones: Segments the devices present in a view into multiple visual zones
This article will focus on Zones and the different functionality around them.
Zones – Defined
Zones in NP-View are the most granular form of segmentation that is offered. Zones are visual markers that group nodes together. They can be created by user’s on demand, or through the Auto Generate Zones function in Manage Zones, on the main menu. Zones can be named and assigned a criticality.
Below is an example of a Zone with a High Criticality, named EMS-Backup.
Adding Zones
Adding, Editing, and Deleting Zones can be done
Manually – From the Topology
Automatically – From the Main Menu >> Manage Zones
Manually – The Topology
Hold Shift
Select a group of nodes
The Multi-Selection panel will open over the main menu
In the middle of the panel there is a Save Selection as Zone segment
Give the grouping a name and criticality
Create Zone
The Zone will appear on the Topology
Automatically – Manage Zones
From the Main Menu Manage Zones can be accessed. This is the primary place to work with Zones in NP-View. From Manage Zones you can Autogenerate Zones based on keywords found in the section below.
Autogenerate Keywords
+
Keyword
Criticality
Color
Best Practice
NERC-CIP
PCI (Future)
bcc
HIGH
light red
X
datacenter*
HIGH
light red
X
X
X
dist
HIGH
light red
X
dmz*
HIGH
light red
X
X
*ems*
HIGH
light red
X
^esp
HIGH
light red
X
pcc
HIGH
light red
X
scada
HIGH
light red
X
trust
HIGH
light red
X
backoffice
MEDIUM
light yellow
X
X
bu*
MEDIUM
light yellow
X
corp
MEDIUM
light yellow
X
X
X
office
LOW
light blue
X
X
internet
UNTRUSTED
light gray
X
X
X
remote
UNTRUSTED
light gray
X
X
X
Manage Zones from menu
Auto generate zones only available if no zones have been created.
Zones will be automatically named and color coded based on asset keywords.
Once Zones have been generated they will appear on the map and each zone will be listed in manage zones. Clicking any zone, either on the Topology or from Manage Zones will open the details for the Zone
Edit/ Delete Zones
Once created, zones can be manually reclassified or deleted by clicking inside the zone space and selecting the appropriate option from the menu. If some devices are not properly included in a zone, the devices can be selected and manually (or right clicked on and added to a zone).
Once automatic zones are created, the Auto Generate Zones function is disabled until all zones are deleted.
For manual zone creation, the user can select two or more objects from the topology map and the zone panel will display.
From the panel, the user can create a zone, name it and assign a criticality. The user can also assign tags and criticalities to the selected devices.
For existing zones, the user can add / remove nodes from zones, edit the name or criticality or delete the selected zones.
Selecting a zone name displays the details for the zone. The user can rename the zone or reassign the criticality. They can also perform a zone analysis of inbound and outbound paths.
Right clicking on any topology object will allow for the addition or removal of an object from a zone.
Network visualization is the most powerful feature of NP-View. Create a workspace, import configuration files and supporting meta data, and NP-View’s visualization function will process the information into a usable network diagram.
Home View
The Home View shows the user a high level overview of the primary devices within a workspace (Firewalls, Routers and Switches).
The home view is the starting point for all workspaces. Devices can be connected by a solid or dotted line. A solid line indicates evidence of a direct connection.
From the home view, the user can:
Select a single device (left click) to view details on the information panel.
Select multiple devices and create zones. See more info on zone creation.
Select one or more devices and create a view. See more info on view creation.
When objects are moved on the topology map, the ‘Save Topology’ button will become active. Multiple objects can be moved prior to saving the topology.
If the user attempts to switch views before saving, a notification will be presented as follows:
The user can either cancel the operation and then select ‘Save Topology’ or proceed to the selected view without saving. Selecting OK can also be used as an undo function.
Topology Network Map
From the topology view, the user can rearrange the objects on the canvas by selecting and dragging a device to a new location. Device location can be saved with the “Save Topology” button.
Devices can be assigned a category (colored text tag) and criticality (colored ring).
If a device has active alerts, the number of alerts is displayed in the top-right corner (red circle).
If a device has user entered comments pertaining to this device, the number of comments is displayed in the top-left corner (blue circle).
Multiple devices can be selected by holding the shift key down (the cursor changes to a + sign) and dragging the mouse to make the selection. The Ctrl key can be used to select / deselect individual devices. Once selected, the devices can be assigned to a common category or criticality. Alternatively, the devices can be assigned to a of zone. See more info on zone creation.
Unmapped hosts and networks indicate IP addresses that are external to the topology and could not be connected to primary networks. For a given networking device (e.g., a firewall), primary networks constitute the IP ranges defined by its interfaces. In other words, all the networks a device faces are called primary. Nonetheless, the device’s ruleset can refer to arbitrary IP spaces, not necessarily those within primary ranges. Consequently, NP-View identifies those external/unknown IP spaces as hosts, networks, or ranges, as defined in the config, and places them behind the Unmapped gateway.
Additional topology features include expand / collapse a node, auto arrange peers in a circle and pin / unpin a specific node. These features are available when clicking on a node and using the kebab menu on the info panel.
Tip: When importing a devices, the topology map attempts to place each node in an unused slot but may overlap nodes and paths. By selecting unpin, moving one device, selecting center and then pin, the map will auto arrange. For topologies with over 100 nodes, the hosts will automatically be collapsed to make the map easier to read. Each collapsed network can be individually expanded or the entire map can be expanded but for very large workspaces, this may take some time to expand.
Firewall Device Information
For Firewalls, Routers and Switches, when selecting a device, the device attributes will be displayed on the left device information menu.
The device panel will be displayed with the appropriate label. The device type is defined by heuristics. If the device is misclassified, clicking on the drop down allows the user to reclassify the device as a firewall, router or switch.
The user can also assign a category and a device criticality. Additional information includes being able to review multiple version of configuration files and compare them with the diff viewer. Configuration files must have the same name for the diff viewer to identify and compare files.
A risk assessment grade is assigned for each firewall based on the number of open risks and warnings and their associated criticality.
The connectivity matrix shows all of the connections for the selected firewall and the IP rules for each connection. This is only available from within a custom view.
Risks and Warnings shows the active risks, warnings and the criticality for the selected device.
Access Rules shows the rules for the selected device with the ability to compare two sets of rules and display the differences.
Object groups shows the object groups for the selected device.
A summary of the number of routes and a table of the interfaces are also displayed.
Administrators and Workspace Admin’s can delete devices from the workspace using the delete option under the tree dot menu.
Host Information
For hosts, the following is displayed:
Users can assign a host icon, category and a criticality.
Display inbound / outbound connectivity paths as well as displaying stepping stone analysis. Inbound and outbound connections are filtered to show the exact match for a given path. In some cases, no inbound or outbound paths will be displayed. (See below)
Custom views are used to organize devices and analyze the paths between the devices. Path analysis and stepping stone analysis is only available from within a custom view. Additional information on custom view creation can be found here.
Network & Gateway Information
For networks and gateways, the panel to the left will be displayed.
Users can assign a category and a criticality.
Additional information includes being able to review the IP address of the connected hosts.
The user can also search the config file for the device.
Display inbound connectivity / outbound paths as well as displaying stepping stone analysis. When selecting Inbound or Outbound, all paths are highlighted in gray, selecting a specific protocol will highlight the path in orange.
Connectivity Paths
When displaying the device menu for a specific device, clicking on the arrow (>) will expand the inbound and outbound connections. Clicking on any service or IP will highlight the path on the topology map. Source objects are designated by blue circles (Src) and destination objects are highlighted by red circles (Dest).
Additional path information is shown including the rule associated with the path. Clicking on the blue text will invoke the access rules with the associated information. The user can also add a comment if required.
Stepping Stone Analysis
Stepping Stone Analysis is available on custom views for Networks and Endpoints. Click any node that is not a Firewall/ Router/ Switch and open the info panel.
Find the Accordion section named "Stepping Stone Analysis" and open to reveal options.
Run as Source or Run as Destination.
A user has clicked a node, opened its info panel, and selected Run as Destination for the Host in the bottom center of the map.
The colors reflect how many hops a way another node is from communicating with the analyzed node. The pie slices on the analyzed node show the distribution of nodes per number of hops.
Up close on a node with stepping stone analysis run
The above sections describe the different types of Path Analysis available in NP-View that will give information about connections in the Topology. But what if we want to confirm that a connection is blocked? For this NP-View offers Path Block Analysis.
Path Block Analysis allows a user to take two hosts/ two networks/ or one host and one network and to troubleshoot if the connection between is blocked, and if so why.
Open a Topology View that is not the Home View and select two nodes you wish to Troubleshoot Path Blocks on. When the two nodes are selected, right click on one of them and select “Troubleshoot Path Blocking Issue”
A dialog will slide out of the right side of the screen. The Source and Destination of the selected nodes will be entered and can be swapped. Protocol and Port are pre-populated and cannot be changed. Path Block analysis always searches using IP/any. Clicking Start will begin the analysis.
Path Block Found
When a Path Block is found the dialog will have a red notification, and the Blocked Paths window on the left side of the screen will be populated with the block information, including the reason why traffic is blocked. This information is not stored and will be erased as soon as ESC is pressed.
Path Block Not Found
When a Path Block is not found the dialog will present a green notification. The Blocked Paths window on the left side of the screen will be populated with a message that no blocks were found.
NP-View can import auxiliary data from third party systems to enrich and augment analysis. The data files listed below are supported and can be manually imported using drag and drop or through a shared network drive connector. We recommend importing configuration files first or at the same time as the auxiliary data files or a system error may occur. If auxiliary data is input after configuration files are processed, the auxiliary data will need to be added to a new or existing custom view(s) to be displayed
Host Files
Hosts can be identified from multiple sources including configuration files, network scan files, ARP tables, and hostname files. Once network device configuration files have been imported, one can import additional files to add metadata to the workspace. A hostname file is a simple text file with two columns: IP address and hostname separate by a tab.
Aux Data Loading Example
Note: This example applies to the loading of any Aux data file but is specific to creating and loading a host file.
First, load a firewall into a workspace and create a custom view with the firewall.
Notice that four hosts are not named. To fix this, create a host file, named hosts.txt, to enrich the information.
The host file will add a name tied to each of the hosts and also includes hosts not currently displayed.
Let's use 172.30.90.50 Alice 172.30.90.51 Bob 172.30.90.42 Wendy 172.30.91.80 Sam 172.30.91.81 Carl Note: Make sure any hosts added to the file do not conflict with firewall interfaces or they will be merged into the firewall.
Save the host file, and import it into the workspace.
The Manage Views function displaying a user adding both devices and multiple Auxiliary data files to a single view.
Once processed, proceed to the “Manage Views” menu and select a new or existing view to add Auxiliary data to.
Below the Select Devices box, is the Auxiliary Data box.
Choose any of the Auxiliary Data files you've added previously. (This image is not reflective of the example but to illustrate that users may select several Aux files).
For our example a user would see a single file called hosts.txt that would contain the names we've added.
Once the the view is created the updated assets will be displayed on the topology and in the Asset Inventory (on the main menu).
The view, seen here regenerated. Note the new hostnames applied to the endpoints.
To see how the previous example can be used as a repeatable process let's update those names again, with corrections.
First, update the Host file again. In this scenario, we rename “Carl” to “Carly” and “Sam” to “Sammy”. The updated file is as follows:
172.30.90.50 Alice 172.30.90.51 Bob 172.30.90.42 Wendy 172.30.91.80 Sammy 172.30.91.81 Carly
Load the file into the workspace and the custom views where auxiliary data has been applied. This will update the workspace.
The workspace, updated a second time
Note: Host data can come from multiple sources, also hosts can appear and disappear from the network. Host data is treated as replacement data for adding and deleting hosts over time.
Note: If for some reason a device has multiple names retrieved from multiple different file types, the additional names will be displayed in the Alias column of the Asset Inventory.
Network and Vulnerability Scanner Files
The output from network and vulnerability scanners can be imported into a workspace to add CVE information, hosts, attributes, and port information to the topology map. We support version 1.0 <?xml version=”1.0″ ?> of the below scanners:
When exporting the report, it should be saved using the XML format to properly import into NP-View. The data extracted and imported depends on the scanner used and the data available on the network. Below is a list of data NP-View attempts to import.
hostnames
addresses
interfaces
local interface IP’s
local interface names
mac
domains
parent
operating systems
vlan
Multi-Home Host Files
Multi-Home hosts are endpoints that have multiple network interfaces. If NP-View identifies hosts with multiple interfaces, the host will be duplicated on the topology with each IP address. For example, the host called 'dual-homed' can be seen three times on the map below.
The host named 'dual-homed' repeated 3 times on the map
To resolve this, a 'multi_home_host.txt' file can be manually generated and loaded into NP-View as auxiliary data.
The file must be named 'multi_home_host.txt' and be of the following format:
192.168.135.115 dual-homed
192.168.135.114 dual-homed
192.168.135.113 dual-homed
Where the first field is the IP address and the second field is the name of the host.
When importing the 'multi_home_host.txt' and adding it to a view, the hosts will be connected as follows:
The hosts named 'dual-homed' have been consolidated
Note: The file can be named as *_multi_home_host.txt -where-*_ is anything preceding multi_home_host.txt.
For example:
tuesday_multi_home_host.txt
web_server_multi_home_host.txt
the_big_kahuna_multi_home_host.txt
Address Resolution Protocol (ARP)
ARP files can be used to add hosts as well as MAC addresses for the hosts. The following formats are supported:
Cisco
Use commashow arp to export the ARP table. The file format will be as follows:
<hostname># show arp
outside 10.0.0.100 d867.da11.00c1 2
inside 192.168.1.10 000c.295b.5aa2 21
inside 192.168.1.12 000c.2933.561c 36
inside 192.168.1.14 000c.2ee0.2b81 97
Cisco ARP Example
Using the data set from the Hosts example, a simple ARP table has been created in the Cisco format.
Distribution# show arp
inside 172.30.90.50 d867.da11.00c1 2
inside 172.30.90.51 000c.295b.5aa2 21
inside 172.30.90.42 000c.2933.561c 36
inside 172.30.91.80 000c.2ee0.2b81 97
inside 172.30.91.81 000c.2ecc.2b82 95
Distribution#
Loading this data into NP-View will add the MAC addresses to each host which is visible in Asset inventory.
Windows
Use arp -a > arp_table.txt to export the ARP table. The file format will be:
Interface: 192.168.86.29 --- 0x6
Internet Address Physical Address Type
192.168.86.1 88-3d-24-76-49-f2 dynamic
192.168.86.25 50-dc-e7-4b-13-40 dynamic
192.168.86.31 1c-fe-2b-30-78-e5 dynamic
192.168.86.33 8c-04-ba-8c-dc-4d dynamic
Linux
Use arp -a > arp_table.txt to export the ARP table. The file format will be:
? (172.18.0.3) at 02:42:ac:12:00:03 [ether] on br-d497989bc64d
? (192.168.135.200) at 00:0c:29:f6:47:bb [ether] on ens160
? (172.17.0.2) at <incomplete> on docker0
? (192.168.135.178) at 00:0c:29:f3:e2:6b [ether] on ens160
Palo Alto
Use show arp all to export the ARP table. The file format will be:
maximum of entries supported : 2500
default timeout: 1800 seconds
total ARP entries in table : 3
total ARP entries shown : 3
status: s - static, c - complete, e - expiring, i - incomplete
ethernet1/1 192.0.2.10 00:0c:29:ac:30:19 ethernet1/1 c 295
ethernet1/2 198.51.100.10 00:0c:29:d7:67:09 ethernet1/2 c 1776
ethernet1/3 203.0.113.10 00:0c:29:b9:19:c9 ethernet1/3 c 1791
Route Tables
Route files are a special case in that they provide ruleset-specific enrichment data whereas the other auxiliary files listed above provide topology-specific enrichment data.
Route table – Cisco
The output of the command show route on Cisco devices can be imported into NP-View with associated configuration files. For VRF’s, use the command show ip route vrf *. Cisco route files are handled a bit differently than the rest of the aux data as they are integrated upon import and are not considered as aux data when creating a view. Naming of the route files are not important as long as they are unique. The first row of the route file contains the <device name># command to link the route table with the correct device.
PCAP
IN V6.0 and later, PCAP and PCAPng files can be used to enrich the topology map. NP-View will add endpoints with IP's, MAC addresses and services to the topology map within a view. The max PCAP size is 200 MB per file.
The Help Center can be found on the system menu on the upper right corner of the topology.
The Help Center will display warnings or errors identified during the import of device files.
The information in the help center is designed to provide information for the tech support team to help diagnose the issues.
There are many types of possible errors including:
Invalid file formats (e.g., .gif or .png)
Improperly formatted files (files exported as text but loaded into a word processors where extra characters are added before saving).
Incomplete set of files (many devices require more than one file for import this includes Palo Alto and IP tables)
Misconfigured files where rules or objects are undefined.
As every customer has a different environment and possible device configurations are endless. We sometimes run into a situation where the parser cannot handle the device as configured. When this happens, we request the customer to sanitize the config file on the NP Poral and upload the file for debug purposes. Support from our customers is important for us to quickly remediate parsing issues unique to a device or specific file.
The Help Center provides a download for the error log which can be submitted to technical support through the support portal.
.svg)
.png)
