Knowledge Base

Getting Started

What We Do

Are you Prepared to Defend your Critical Assets?

At Network Perception, we have combined our vast expertise of critical asset protection with next-gen technology to guide our customers on a path to cyber resiliency.

  • The journey starts with establishing a clear baseline and verifying that internal risk mitigation controls are followed.
  • The next step consists of gaining an accurate visibility of network architecture and cybersecurity posture.
  • Finally, developing a continuous monitoring approach to gain velocity and adapt quickly to disruptions.

Compliance Verification

Verify configurations and network segmentation

1. Policy Review
  • Easily review firewall access policies and object groups
  • Identify configuration risks automatically
  • Establish configuration change review process
2. Audit Assistance
  • Verify compliance with cybersecurity regulations and best practices
  • Seamlessly store evidence for compliance review
  • Easily prepare compliance reports
Risk Assessment Grading

Cybersecurity Visibility

Visualize vulnerability and risk exposure

3. Architecture Review
  • Visualize an accurate topology of the network architecture
  • Identify and label critical cyber assets and critical network zones
  • Easily review which devices are protecting which network zones
4. Network Risk Assessment
  • Assess accuracy of network segmentation
  • Identify risky network connectivity paths
  • Understand exposure of vulnerable assets
Cybersecurity Visibility

Operational Velocity

Accelerate risk mitigation and recover faster

5. Continuous Configuration Monitoring
  • Transition from point-in-time to 24/7 risk assessment with automated notification
  • Automate change review process using ticketing system integration and sandboxing
  • Leverage a time machine to navigate through the network evolution
6. Incident Response Preparation
  • Align network architecture understanding and break silos through a single pane of glass
  • Train first responders and harden defense via realistic attack scenario simulation
  • Prioritize vulnerability mitigation faster
Operational Velocity

Installing NP-View Desktop

NP-View is designed to run on a Windows 10 or Windows 11 with a recommended configuration of a 10th Gen Quad Core Processor and 16GB of RAM.  This configuration should be sufficient for processing large data files up to 500,000 lines.  Simultaneously loading and analyzing multiple devices with larger configuration files will maximize the use of available system resources and additional RAM may be required.

Installation Process

  • Sign up on the Portal website to download the latest version of NP-View Desktop and to download a license key.  A SHA256 checksum is supplied with each download.  You can calculate the checksum on the files you download to verify the integrity of the files:
    • Windows Powershell: Get-FileHash /the/full/path/to/your/filename.exe | Format-List
    • Linux: sha256sum /the/full/path/to/your/filename.Appimage
    • macOS 11: shasum -a 256 /full/path/to/your/filename.app
  • Windows 10/11:
    • Launch the Windows installer with a double click.
      • User may need to adjust UAC (User Access Controls) depending on security settings.
    • The only dependency required on Windows is .NET framework 4
    • Once installed, NP-View will automatically launch.
    • Allow ports for private/public network if prompted.

NP-View has been designed to run offline, which means that the network connections attempted towards a public NTP server, the local DNS server, and the Network Perception update server are optional and do not affect the system if the internet is unavailable. More information on configuring NP-View can be found here.

Configuring NP-View Desktop

System Performance

NP-View Desktop is a resource intensive application.  For best performance, please ensure your system’s Power plan is set to High performance.

If you have administrator access, you can enable Ultimate Performance by opening the command prompt as administrator and copy paste: powercfg -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61 and press enter.

Windows control panel:

First Login

  • Upon first login, NP-View Desktop will require you to create an administrator account. Fill in the required information and click the “Create the NP-View administrator account” button. The password can be as simple or as complex as the user desires but needs to be at least 8 characters.
    • Local authentication is for users who wish to add an additional layer of protection. With this, the user can use whatever e-mail address and password they choose. If the user logs out of the system, the user id and password will be required upon subsequent application launches.  Otherwise, the session remains open and authentication is not required.
  • Read and accept the user agreement.
  • Next, you will need to enter your license key.  Once input, click the “Add license key” button.
  • Select your preferences for checking for automatic updates (requires internet access) and participation in our voluntary improvement program. Both selections use a slider that is default to off. To opt in, click the button and it will slide to the right. Click the save preferences button to complete.
  • Next click the get started button

User Menu

Access to the Help Center, License Manager, Update Manager and other administrative functions can be found on the User Menu located in the top-right corner of the Workspaces page.

Getting Started

On the Workspaces Page,  NP-View provides a demo workspace as well as the ability to start creating your own workspaces.  Click here to learn more about using workspaces.

Software Version

If you contact technical support, they will ask you for the software edition and version you are running. It can be found on the bottom left corner of the home screen.

Software Uninstall

To uninstall NP-View Desktop,

  • Windows 10/11: use the add or remove programs feature to remove the software
    • Use the add or remove programs feature to remove the software
    • Delete folder: ~AppData/Roaming/NP-View
    • Delete folder: ~AppData/Local/Programs/NP-View
    • Delete folder: ~AppData/Local/np-view-updater

Password Reset

Remove the file at the location listed below and restart the application to input your credentials.

  • Windows: Delete the file ~AppData/Roaming/NP-View/db/auth_provider.cfg and then restart NP-View.

License Changes / Upgrades

If you input a new license key from network perception, the user must log out and log back in for the changes to take effect. Note that the license key function is only available from the home screen (not from within a workspace).

Upload File Size Limit

NP-View enforces a maximum file size of 200MB by default. To change it, the config.ini file must be edited and the following row added:  MAX_IMPORT_SIZE=<size in bytes>. For example:  MAX_IMPORT_SIZE=209715200 which corresponds to 200MB.

  • Windows: the config.ini file can be found at:  ~AppData/Roaming/NP-View/config.ini

Windows Path/File Name Length Limit

Microsoft Windows has a MAX_PATH limit of 256 characters.  If the path and filename exceed 256 characters, the file import will fail.

For example:  C:\Users\<username>\AppData\Roaming\NP-View\db\workspace\<np-view-user>@<workspace>\devices\<filename>

Installing NP-View Server

NP-View Server has been designed to be easily installed by a single person who has moderate Linux skills. This article provides step-by-step instructions on the installation process, which includes:

  1. Provisioning a server
  2. Downloading NP-View server
  3. Installing NP-View server
  4. Installing a SSL Certificate

NP-View is accessed through a web browser (Edge, Chrome, Firefox) running on a modern operating system (Windows 10 or later, macOS 11 Big Sur or later, Ubuntu 20 or later) with a recommended configuration of a 10th Gen Quad Core Processor and 16GB of RAM.

Provisioning a Server

The following table documents the CPU, memory, and disk requirements based on the number of network device configuration files monitored by NP-View server:

Number of network devices monitored (firewall, router, switch) / concurrent users Min. CPU Memory Disk Space
Up to 50 devices / 3 concurrent users 4-core 16GB 200GB
Up to 100 devices / 5 concurrent users* 8-core 32GB 400GB
Up to 500 devices / 10 concurrent users 16-core 64GB 2TB
Up to 1,000 devices / 20 concurrent users 32-core 128GB 4TB

Greater than 1,000 devices please contact support to discuss requirements.

Recommended as the minimum for most Professional Server users.

Note: loading and analyzing devices utilizes the majority of the CPU and Memory capacity.  The higher the server capacity and the faster the CPU, the faster devices will load and be analyzed.

Network ports used by NP-View server

The following ports are used by NP-View server.  Please ensure these ports are open on your firewall for proper communication.

Required ports:

  • TCP/22: SSH server to provide secure console access to the NP-Live server
  • TCP/443: access to NP-View Web UI through HTTPS
  • TCP/8443: access to NP-View connectors Web UI through HTTPS

Optional ports:

  • TCP/80: access to NP-View Web UI through HTTP
  • TCP/389: access to Active Directory / LDAP for LDAPv3 TLS
  • TCP/445: access to NP-View SMB Connector
  • TCP/636: access to Active Directory / LDAPS for TLS/SSL
  • TCP/8080: access to NP-View connectors Web UI through HTTP

Firewall Rules

The source IP should be the client workstation that will access NP-View and the destination IP should be the NP-View Linux server.

Downloading NP-View Server

Sign up on the Portal website to download the latest version of NP-View server and the license key.  A SHA256 checksum is supplied with each download by clicking on the “show checksum” link.  You can calculate the checksum on the files you download to verify their integrity:

  • Windows 10/11 using Powershell: Get-FileHash /the/full/path/to/your/file/name/extension | Format-List
  • Linux: sha256sum /the/full/path/to/your/file/name/extension
  • MACOS: shasum -a 256 /full/path/to/your/file/name/extension

Installing NP-View Server

NP-View server is a Linux application. It can be installed on a virtual machine or physical hardware. There are 2 package formats available:

  • NP-View Virtual appliance (~2GB OVF) that works on all major hypervisor with support for the .vmdk disk format (e.g., VMWare ESXi).
  • NP-View Linux installer (~600MB) that works on all major Linux distributions on which Docker can be installed

The NP-View OVF uses Ubuntu Server 22.04 LTS or later. Root access is provided (see the text file provided with the .OVF) so the operating system can be periodically updated. This option should be used for new installations. The NP-View Linux installer is used to update NP-View on an existing system or for a new install on a Linux server.

Note: Network Perception does not recommend running NP-View in a double virtualized environment (Linux VM encapsulated within a Windows VM) as the operation of connectors, notifications and external interfaces can be unpredictable.

Option 1: Using the NP-View Linux Installer

Once downloaded from the portal, follow the steps below to complete the install:

  1. Move installer to server – This may require ssh or other user account permissions
    1. Place the file in a location you can access from the terminal
    2. /tmp – this is a temp folder available at the root directory
    3. /opt/np-live – this is the default NP View server root directory
  2. You can use the “ls” command to see what is in your current directory
  3. Log into the terminal or use SSH (Putty, PowerShell, etc.) into the Linux server
  4. Set root level permission with the command (this will allow you type commands without adding “sudo” to each command)
    • sudo -I
  5. Navigate to the directory in which the NP-View Server Linux installer was placed
    • Use the ls command to verify file is in this directory
  6. Run the installer with the command (Docker must be installed before this step)
    • Example: sh NP-View_Full_Filename.sh (example: NP-View_Server_Linux_4.0.5-add6)
  7. The installer will begin by checking for a running instance of Docker and internet connection
    • If Docker is not installed and running the installer will stop and you will have to manually install the latest version of Docker before continuing
    • If an internet connection is available and Docker isn’t installed, the installer will automatically download and install the latest version of Docker
    • If an internet connection isn’t available but Docker is installed, the installer will continue offline (Most Common Scenario)
    • If you are installing NP-View Server on Red Hat Enterprise Linux, use the following commands to install docker:
      • yum update
      • dnf config-manager –add-repo=https://download.docker.com/linux/centos/docker-ce.repo
      • dnf install –nobest docker-ce
      • systemctl disable firewalld
      • systemctl enable –now docker
  8. Follow the prompts during installation
    • Prompt to continue with offline installation
    • Prompt for default directory (/opt/np-live) We recommend keeping the default directory but it can be changed if preferred
      • Note: If the default directory is changed, then it will need to be edited for each new release during the installation
  9. There will be a message once the installation is complete
  10. Launch a browser to navigate to the NP-View User InterfaceExample of transfer with WinSCP:
    • Load WinSCP – It should default to this screen:
    • Default “File Protocol:” to SFTP
    • Fill in Host name, User name, and Password.
      • Host name would be the same as your NP-View Server IP Address
      • User name and Password are the same as the sudo credentials you use to log into the NP-View Server terminal.
    • Find the NP-View Linux Server Installer file in the left window. Then in the right window from the “root” select the “tmp” folder. Once you have completed both steps then click “Upload”.
    • Click Ok to complete the transfer.

Option 2: Using the NP-View Virtual Appliance

Once the Virtual Appliance OVF file has been downloaded from the portal, follow the steps below to complete set up:

  1. Extract the .zip archive (right click on folder and choose extract all)
  2. Import OVF into hypervisor
  3. Update CPU/Memory/Disk Space to meet requirements stated in KB in the hypervisor settings
  4. Open README.txt from extracted folder for credentials
  5. Launch the appliance and log into terminal using credentials in README.txt
  6. NP-View Server shell script will guide you through updating the NP-Live password, the root password, and to reset encryption keys
  7. Once complete the NP menu will appear indicating the server is ready to use.
  8. Launch a browser to navigate to the NP-View User Interface

Note: A static IP may need to be configured before utilizing the user interface.

Installing a SSL Certificate

NP-View listens on both port TCP/80 (HTTP) and TCP/443 (HTTPS). For HTTPS, it uses a self-signed SSL certificate by default. Users can also provide their own SSL certificate by simply copying a valid .pem file into the NP-View db folder.  If using HTTPS, the best practice is to disable HTTP or forward HTTP to HTTPS.

The following command can be used to generate a valid .pem file:

openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.pem

To learn more about generating your own SSL certificate, please visit python documentation.

Please note that .pem file should include both the private key and the full certificate. If you received the private key and the certificate as two or more separate files, you can concatenate them into a single .pem file.

Setting the Virtual Appliance Time Zone

By default, the Virtual Appliance install creates the file `/opt/np-live/local-settings.yml`, set to America/Chicago.  This file needs to be updated to reflect your local time zone.  To change to a different time zone, log into the server using SSH and become root with the command sudo -i. You can then perform the following updates.

Update TZ= to a value from timedatectl list-timezones

version: '3.4'

x-environment-tz: &timezone    

     TZ=America/Chicago

services:  

      manager:    

           environment:        

                 - *timezone  

      report:      

           environment:        

                 - *timezone  

     webserver:      

           environment:        

                 - *timezone  

      redis:      

            environment:        

                 - *timezone  

     monitor:      

           environment:        

                 - *timezone

Once you have set the new time zone, you can restart NP-Live with the command /opt/np-live/stop_NP-Live.sh  and then /opt/np-live/start_NP-Live.sh

Additional Installation Information

Improving NP-View Server Performance

Please reference minimum requirements, the higher the resources the better the performance.

Troubleshooting Disk Space

If a server upgrade or restart fails due to lack of disk space, please perform the following clean-up procedure:

  1. sudo rm -f /opt/np-live/db/log/system/nplive.log.*
  2. sudo docker system prune –volumes
  3. sudo rm /opt/np-live/docker-compose.yml.backup

NP-View does not automatically delete log files, the Linux system admin may wish to schedule the above commands in a periodic CRON job to maintain optimal performance.

If server upgrade or restart issues continue to occur, please reach out to the Tech Support team.

Default Disk Encryption

As the NP-View OVF is typically installed within a secure environment, the disk is not encrypted by default for data at rest.  The Linux Admin can encrypt the system drive for increased security knowing that system performance will be slightly degraded to accommodate the data decryption and encryption.

Personalize the Login Page

To add a custom message to the login page, a NP-View administrator can edit the file /opt/np-live/docker-compose.yml with the following entry in the webserver environment section: “- banner=Welcome to NP-view”

For NP-View, the file ~/Documents/np-live/config.ini can be edited to add: “banner=Welcome to NP-View”

Upload File Size Limit

When users upload a file through the Web user interface, NP-View will enforce a maximum file size which is 200MB by default. To change it, a NP-View Linux administrator can edit the file /opt/np-live/docker-compose.yml with the following entry in the webserver environment section: “- MAX_IMPORT_SIZE=209715200”.  The value is in bytes, so 209715200 corresponds to 200MB.

Backing up the NP-View Server Database

  1. Stop the NP-View Server (you can use the script /opt/np-live/stop_nplive.sh)
  2. From the NP-View Server folder (by default: /opt/np-live/, run the command: tar -zcf db_backup_$(date '+%Y_%m_%d').tgz db (this command may take few minutes to complete)
  3. Run the new release installer, which will update the containers and then launch NP-View Server

Complete Removal of NP-View

If you wish to completely remove NP-View from you server to start with a fresh install, perform the following steps:

  • Stop NP-View using the script /opt/np-live/stop_NP-Live.sh
  • Remove Docker containers using the command docker system prune -a as root (WARNING: this will completely reset Docker, so if non NP-View containers have been added they will be deleted as well)
  • Remove the NP-View folder with the command rm -rf /opt/np-live as root (WARNING: the NP-View database will be permanently deleted)

Product Tutorials

1. Network Mapping

Network mapping provides the Networking Team (Network Engineer, Network Security) with capabilities that allow users to:

  • Visualize an accurate topology of the network architecture
  • Identify and label critical cyber assets and critical network zones
  • Easily review which devices are protecting which network zones

Visualize Topology

NP-View can be used to discover your network topology and the underlying control plane, including layer-2 and layer-3 configurations. Without leaving the topology map, you can review many aspects of the network’s design including Firewalls, Routers, Switches, Gateways, Networks, VPNs, Hosts and more.

Critical Assets and Zones

Each asset can be tagged with categories and criticalities as well as grouped into zones making it easy to review which devices are protecting which network zones.

Details On-demand

Selecting a node in the topology map will interactively display an information panel with detailed data about that node.

2. Firewall Ruleset Review

Firewall ruleset review provides Network Engineers, Network Security, and Compliance Analysts with functionality for:

  • Easy review of firewall access rules and object groups using the Access Rules and Object Groups reports.
  • Automatic identification of configuration risks using the Risks and Warnings report.
  • Validating recent policy modifications as part of a configuration change review process using the Change Tracking report.

How to Review Access Rules

An independent review of firewall policies has to be periodically conducted to ensure that network access rules are correctly implemented and documented. It is important because lack of access rule review leads to unexpected network access vulnerabilities.

  • Frequency: each time firewall policies are changed, and at least once a quarter
  • How to do it:
    • Step 1: given a workspace populated with network device configurations, open the Access Rule table from the main menu (top left)
    • Step 2: leverage the “Column Search” feature or the “Compare” feature to show the rules in scope of your verification
      • For instance, filter the “Device” column to only show rules for a specific device, or filter the “Binding (ACL)” column to only show rules bound to a specific interface, or use the “Compare” feature to only show rules added or removed recently
    • Step 3: review values for the source, destination, service, binding, risk, and description of each rule in scope
      • The “Description” column captures comment, description, or justification from the device configuration
      • The “Risk” and “Risk Criticality” columns are populated by NP-View during the automated risk analysis
    • Step 4: to identify rules that are not justified, sort the table by “Description”. Empty values will be shown at the bottom.
    • Step 5: to document your review process, double click on the “Comment” or “Comment Status” cells to add your own comment. The comment status can be either “Verified” or “To Review” or “To Revise”
    • Step 6: to save an evidence of your review process, export the table to Excel using the export options in the top right corner of the table

Access Rules Table

The Access Rules report provides the users with complete details on each Access Rule with the ability to add justifications and actions.

Object Groups

The Object Groups report provides the users with complete details on each Object Group with the ability to add justifications and actions.

Risks and Warnings

As modifications are made to the network, the Network Perception default Policies and Requirements identify potential risks.  The Risks and Warnings report provides the users with a summary of the potential risks and their criticality with the ability to add actions and comments.

Change Tracking

As modifications are made to the network and the updated configuration files are imported, the changes are logged in the Change Tracking table.

tracking table
3. Segmentation Verification

Segmentation verification provides the Networking Team and Audit Team with capabilities that allows users to:

  • Assess correctness of network segmentation
  • Identify risky network connectivity paths
  • Understand exposure of vulnerable assets

Network Segmentation Accuracy

NP-View be used to verify the accuracy of your network segmentation.

The connectivity matrix which is available from the device info panel can be used to verify open ports between devices.

Inbound and outbound connections can be verified for each network using the highlight paths function.

Identifying Risky Connectivity Paths

Using industry best practices, Network Perception automatically identifies potential risks related to network configurations. Using the Network Perception  Connectivity Path analysis, the user can review each of the highlighted risks and make a judgment on action.

organization table

Exposure of Vulnerable Assets – Vulnerability Analytics

NP-View provides your security team with a single pane of glass for reviewing network vulnerability exposure. With the addition of scanner data or data from a vulnerability data service, vulnerabilities can be tracked across your network.

Topology Display of Vulnerabilities

When scanned data has been added to a workspace, and a topology view is built that also includes that scan data, nodes on the topology of that view will be marked with a shield indicating the presence of vulnerabilities.

These shields can be toggled on and off using the topology settings menu.

Device Panel Display of Vulnerabilities

Firewalls, Gateways, and Hosts may contain vulnerability and service information imported from scans. Clicking on any of these nodes in a View that contains vulnerability information, will display it in the info panel that opens over the main menu.

Clicking on the Vulnerabilities link will present a pop out with the vulnerability details.

4. Audit Assistance

Performing a regular review of your compliance metrics is important for your organization.  Performing the review manually is time consuming and tedious. Audit assistance provides the Compliance Team (Auditor, Compliance Officer, Compliance Analyst, and Consultants) with capabilities that allow users to:

  • Verify compliance with cybersecurity regulations and best practices through Policy Review.
  • Seamlessly store evidence for compliance review with Change Tracking.
  • Easily prepare compliance reports using the Audit Assistants listed below:

Workspace Report (Standard)

The Workspace Report assistant is available within each workspace and will generate a report for a specific view that includes detailed information about configuration files that were imported and parsed including:

  • Configuration assessment report including risk alerts
  • Ports and Interfaces
  • Access rules
  • Object groups
  • Path analysis

Industry Best Practice (Premium)

The Best Practice assistant requires a license to activate. This report is available within each workspace to generate a report for a specific view that includes the following topics:

  • Parser Warnings and potential misconfigurations
  • Unused Object Groups
  • Access Rules missing a justification
  • Unnamed nodes
  • NP Best Practice Policies on access rules and CiS Benchmarks that have identified potential risks
  • ACL’s with no explicit deny by default rule

NERC CIP Compliance (Premium)

The NERC CIP assistant requires a license to activate this function and guides the user through the steps required to create a report covering CIP-005 requirements. The NERC CIP audit assistant is only available within a NERC-CIP workspace and allows audit teams to classify BES cyber assets as High, Medium, and Low based on the standards. We have added a category for untrusted (Internet, Corp, etc.) to tag non BES assets. NP-View allows compliance teams to collect and report evidence related to the following requirements:

  • CIP-002 – BES Cyber System Categorization; impact rating and 15-month review
  • CIP-003 – Security Management Control; cyber security policy
  • CIP-005 – Electronic Security Perimeter; remote access management
  • CIP-007 – System Security Management; ports and services
  • CIP-010 – Change Management and Vulnerability; configuration change management, configuration monitoring, vulnerability assessment

A demo workspace for the NERC CIP audit assistant is included with the software.  To see the audit assistant in action, follow these steps:

  1. Click on the demo workspace to build the topology.
  2. Create a custom view by selecting all of the firewalls, right click, Create View from Selection and give it a name.
  3. Once the view is generated, select Manage Zones from the left manu and click on the Auto Generate Zones button.
    • Red zones represent your high criticality assets.
    • Orange zones represent your medium criticality assets.
    • Yellow zones represent your low criticality assets.
    • Gray zones represent your untrusted assets.
  4. On the left menu, select Summary Reports and the NERC-CIP Compliance Report
  5. Click through the wizard, the defaults will represent the selections suggested by the auto group function.
  6. Click Generate Report to view the report in a new tab.

Feature Documentation

Network Visualization - Layer 2

This section describes extended support for Layer 2 devices in NP-View. This support was added in 6.0.1

Layer 2 visibility

This feature adds baseline support for Layer 2 visibility.

Supported devices:

  • Cisco IOS
  • Cisco ASA

In addition to the layer 3 information inferred from ARP and Route tables, NP-View imports MAC and Interface tables to begin to support layer 2 interfaces. This data is automatically collected by the supported device connectors. Route and Interface data is loaded with the configuration file, while the ARP and MAC data can be added independently to views as auxiliary data.

If loading data manually, load only one configuration file at a time and include all auxiliary data on the same import for proper file association.

Layer 2 Capabilities:

  • Control the map from Topology Settings to display or hide Layer 2 Nodes / Links.
  • Control the map to expand or collapse Layer 2 Networks and attached hosts.
  • Search function to locate, highlight, and open the info panel of a Layer 2 node.
  • View VLAN information on the node info panel.
  • View Layer 2 / VLAN data in the interface table.

Layer 2 connections are represented by a blue dotted line to a gateway.

To see the Layer 2 details, enable the 'Show Layer 2 Connections' from the topology settings.

Once enabled, Layer 2 networks will be displayed as teal clouds. Hosts / endpoints will be displayed as classic hosts.

Endpoints defined from Layer 2 communications will display the MAC Address where Layer 3 hosts will display a hostname or IP address. Only Layer 2 endpoints

with and IP address will be considered verified.

Clicking on the endpoint will display the info panel with the addition of the new VLAN section.

Note that Layer 2 topologies can get very complex very quickly.

Limitations:

  • Duplicate L2 and L3 networks and endpoint may occur if there is no data tying them together.
  • Layer 2 from Layer 3 can add a lot of data to the topology making navigation and topology save slower than usual.
  • Path analysis does not apply to Layer 2.

Layer 2 connections manually-populated, user-generated files

There are cases where not all devices have a configuration file. This is common in Layer 2 switches. This feature adds baseline support for Layer 2 visibility using manually generated files.

Adding a Layer 2 Switch

The text file can be used to create a Layer 2 switch in NP-View.  This switch can be used in conjunction with the common data model file outlined below to add layer 2 devices and connected nodes to the topology.

Following is an example of the data that can be in the file. The text file should be a properly formatted YAML ending with .YAML or .YML or it won’t be classified correctly and the import will fail. Note that each manually created switch will use a device license.

The imported device will be interpreted as a layer 2 switch by the system. Be sure to not use special characters within the device name or the interface names. Stick with alphanumeric characters, underscores can be used as shown below.

# This first line must be present, and the identifier must be np_custom_device 
file_identifier: np_custom_device 
# The name of the device, will be represented as such in the app 
device_name: custom_l2_switch 
# Vendor string, merely a description of the device 
vendor: netgear 
# A list of interfaces on the device, you need at least one interface 
interfaces: 
  - name: eth0 
    mac_addr: 0000:1b2b:fefe 
    ip: 192.168.1.100 
    netmask: 255.255.255.0 
  - name: eth1 
    mac_addr: 0101:acdc:80ba 
    ip: 192.168.2.100 
    netmask: 255.255.255.0 

When the above .YAML file is loaded into NP-View, the following device will displayed in NP-View.

With the following interfaces:

Adding Layer 2 Connectivity

To add layer 2 connections to any device, a Excel file, referred to as the Common Data Model or CDM can be created to add endpoints and connections to NP-View.

The format for the CDM is as follows:

Coming Soon

Limitations:

  • If the user makes input errors, the system will display what they typed.
  • Users need to verify that the topology represents the data as they expect it. There is no way for NP-View to know the data is incorrect.
  • This function allocated licenses to Layer 2 devices, if the user mistypes the device name licenses will still be used.
  • Duplicate L2 and L3 networks and endpoint may occur if there is no data tying them together.
  • No rules, objects or paths will exist for L2 switches.
Notification Manager (Server)

Notification manager is used to configure services and rules for generating and sending system notifications about Workspaces. Select the system menu (top right corner) and then “Notification manager”


to display the Notifications menu:

Configure Services

Before rules can be configured in notification manger, the administrator is required to configure at least one notification service.  Services include: e-mail, STIX/TAXII, SIEM (Syslog), and select ticketing systems.

  • SMTP configuration requires a server IP address, communication port, user id and password.  Note that a firewall port may need to be opened for NP-View to communicate with your SMTP server.
  • Syslog configuration requires a server IP address and a communication port.
  • ServiceNow configuration requires a server address, user name and password.
  • TAXII configuration requires a server address, server port, data path and a destination collection name.

Service configuration can be found under “Notification manager -> Configure Services” tab.

Additional Email Configuration Details for LDAP/AD

When connected to LDAP or Active Directory, the user’s email addresses are extracted from the authentication server. They are typically stored within the LDAP/AD email field. The test button will pull the LDAP/AD information for inspection. If a field other than email is used, the field name should be added to the LDAP setup page replacing the default “email”. If the email field is missing, please contact your system administrator to have the email field added and populated for each user who wishes to receive automated notifications.

If your email server requires authentication to send emails, we recommend using a service account with a non-expiring password or notifications will stop sending when the password expires.

Add/Edit Rules

NP-View can automatically send information to the configured services for changes and activities impacting your workspaces. Select the system menu and then “Notification manager -> Add/Edit Rule” to setup rules.

Rules can be set to choose which activities and events are included in notifications.  When configuring the notification rule, the user will select a service to deliver the notification to, the workspace(s) to be monitored and frequency the report should be delivered.

Notification frequencies are:

  • Instant
  • Hourly
  • Daily
  • Weekly
  • Monthly

After that, the criterion for generating the report is selected. Activity types include:

Activity type Activity status Activity Severity
Risk alerts New, Confirmed, Fixed, False positive, Will not resolve Low, Medium, High
Warnings New, Confirmed, Fixed, False positive, Will not resolve Low, Medium, High
Errors New
Comments New Low, Medium, High
Change events New

For each Activity type, one or more activity status or  activity severity can be selected and the notification rule can be filtered by keywords.

Finally, the output can be sanitize to remove IP addresses and saved in the database for future viewing.

Note: If the save in database box is not checked, the report will not be viewable on the Your Reports tab.

Click Save Rule to save your configuration.

Your Rules

Once rules are created, they appear on the “Your Rules” tab. This tab shows each rule created.  Workspace Admins can only see their rules and Administrators can see all users rules.  From this tab. users can edit, delete or copy a rule.

Your Reports

Once rules triggered and the the “save for future viewing” function is active, a summary of each report generated will be displayed on the  reports tab.  The Workspace Admin can see and delete their own reports and the Administrator can see and delete all users reports.

Object Groups Report

This article will focus on the Object Groups Report.

NP-View uses reports to present network information related to the open workspace.  These reports are available to all users and can be accessed from the main menu. For more information visit the Workspace Reports Overview article.

Object Groups – Defined

  • Object Groups classify users, devices, or protocols into “groups” and apply those groups to Access Control Lists (ACLs), to create access control policies for those groups.
  • The Object Groups report provides a summary of Network ACL Object Groups.
  • These object groups may include: Host IP addresses, network address of group members, and nested object groups.
  • Objects consist of several types including Address, Service, Binding, Interface, and Zone.

The Object Groups Report can be accessed in two ways. Each way presents a different data set.

  1. From the main menu, the table will populate the table with all objects for all devices in the workspace, including globals.
  2. From the topology, when clicking a Firewall/ Router/ Switch – its info panel will open – and the user can select Object Groups from the Data for this Device section. Only the objects for the selected device will be displayed in this case.

*main menu

       *info panel

Network Management System:

When data is loaded from a firewall vs Network Management system, the listing of object groups for addresses may vary.

  • When viewing data from a network management system, globally defined groups may be available.
  • When the data is loaded from the firewall, the global addresses may be presented as local addresses.

What Data is Present?

The list below the image details the data types available in the Object Groups Report.

Object Groups Columns

+
  • Change Status: used in comparison mode to reflect added, unchanged and removed objects.
  • Comment: (Author, Criticality, Date) User entered comments (or justification) and criticality levels (low, medium, high).
  • ID: NP object identifier
  • Internal: NP object identifier
  • Luid: NP object identifier
  • Name: (OBJECT_NAME) Name of the object group which may include:
    • Any IP address–includes a range from 0.0.0.0 to 255.255.255.255
    • Host IP addresses
    • Hostnames
    • Other network object groups
    • Ranges of IP addresses
    • Subnets
  • Object ID: Value for linking rules to comments. This column must be displayed when exporting the object table for enrichment and reimport.
  • Origin: (OBJECT_ORIGIN) Name of the device containing the object definition
  • Type: (OBJECT_TYPE) Address, Service, Zone or Protocol
  • Unused Status: (OBJECT_STATUS) Cisco, Juniper and Fortinet status column which defines if the object is not used. True = Unused.
  • Value: (OBJECT_VALUE) Content of the object group

Table Actions

There are a number of actions that can be taken in the Object Groups report, some are specific to Object Groups, others are universal to all Reports.

  • Overflow Data: When there is more data in a Cell than can be presented in a column, the overflow data can be accessed by clicking the + icon in the cell.
  • Object Group Details: The name column will show related object data details within the + popup.
  • Columns can be displayed or hidden using the hamburger menu in the upper right corner of the report.
  • Changes to the menu are automatically saved.
  • Additionally, the table can be exported as displayed, with comment history or with object groups.
  • Only visible columns will be displayed.
  • Columns can be sorted, rearranged or resized and changes will be automatically saved.
  • Column filters can be displayed.
  • Filters applied to the table or column will automatically be saved.
  • Filters can be reset from the hamburger menu.

*the Object Groups Report Menu

Comments

NP-View provides a simple and easy way for users to add comments to Object Groups, and to track the historical lineage of these comments in a workspace. Comments can be added, or viewed, but for for integrity purposes they cannot be edited or deleted by users.  If an Object Group is changed or removed from the system, the group and associated comments will be removed from the Object Group table.

Adding a Comment: Comments can be added to a row by double-clicking on the cell in the column “Comment”.  Comment text and status can be added and then saved with the save button. Once the comment is saved, the author and time stamp are automatically inserted.

*applying comment

*applying comment – closeup

Comment History: Additional comments can be added to a row to begin creating a lineage or history of comments. This history will be automatically available when more than one comment exists on a row and can be expanded by clicking the blue clock icon on the leftmost column of the table. If there is no history the icon will be disabled.

When viewing history, changes between lines are highlighted in blue.

Example: If Comment 1 is: “Check This” – ‘medium’ and Comment 2 is “Check This” – ‘low’ the criticality cell would be highlighted because there was a change – the comment text would not be highlighted because it remained the same.

*Viewing comment history

*Viewing comment history – closeup

Object Groups Hash

Object groups are uniquely tagged (Object ID) within NP-View for linkage to comments. More info in the expanded section below.

Object Group Hash

+

Object groups are uniquely tagged (Object ID) within NP-View for linkage to comments. The tag (hash) is calculated based on a combination of the following data fields. Available data varies based on manufacturer so, some fields may not apply to specific manufacturers. Most of the below fields are defined above. For the fields unique to the hash, they are documented below.

If any of the data in these fields changes, the tag will change and previously linked comments and metadata will no longer be associated with this object.

  • OBJECT_NAME
  • OBJECT_TYPE
  • OBJECT_ORIGIN
  • OBJECT_VALUE
  • OBJECT_STATUS
  • OBJECT_TAG

Additional Features

  • The Compare button invokes a time series comparison function for the report.   Additional details on this function can be found here.
  • Comments can be imported from an Excel file.  Additional details on this function can be found here.
  • Conditional formatting can be applied to this table report.  Additional details on this function can be found here.

Comparison Report

+

Access Rules and Object Groups have a Compare function to show historical differences in data that has been added or removed. The function can be engaged by clicking the “Compare” button located at the top of the page. This function is used to display changes over a period of days.

The user can select a time frame (7, 30, 90 or 356 days or a custom date range). The user can select one or more devices to include in the report and then show the history over the range. Once the parameters are selected, the “Show Comparison” button should be selected.

The comparison function will display all changes (Rule Adds, Rule Removal and Unchanged Rules) for the selected days. The data will be displayed using the column format of the selected table. The user can filter on added, removed or unchanged rules by clicking the jelly bean. Added rules will be highlighted in green, removed rules will be highlighted in red and unchanged rules will be highlighted in light blue.

Clicking the “Compare” button will revert to the normal table but will not clear the selections.

Clicking the “Reset” button will clear the selections and reset the table.

Expanded Object Groups

In the Access Rules table, Source, Destination and Service groups can be expanded to see the group details.  By clicking on the + icon within a cell, the expanded group information can be made visible.

Path Analysis

Through network access modeling, NP-View analyzes all possible connectivity paths in a network based on the firewall, router, and switch configuration files imported. The results are presented in:

  • the Connectivity Paths table,
  • the Compare Path History,
  • the Connectivity Matrix for each device, and
  • the Inbound Connectivity and Outbound Connectivity sections of the info panel for hosts, gateways, and networks.

Path analysis is only available in custom views that have been manually created using the “Manage Views” menu. This can be found in the default Home view in which only devices are shown (no network, no end points) does not include a path analysis.

NP-View provides two options for analysis; Internal and Internal + External. Internal analysis computes paths for all the devices and end points within the view. Internal + External analysis include devices and end points within the view and adds external end points that are listed as unmapped.

By default, new views are created using internal analysis. To include external hosts, select Internal + External from the dropdown.

Please note that the external path analysis will take more time to complete and will return a larger number of paths.

Why are there zero paths identified after analysis

In some workspaces customers are seeing zero paths after analysis.  To understand why, each ‘allow’ rule must be investigated.  In these cases, we found various reasons for not seeing any paths.  Some of these reasons are:

  1. IP addresses of the firewall’s interfaces and of access rules’ sources and destinations do not overlap. Firewall’s interface addresses are in 124.x.y.z IP ranges. However, the source and destination objects for access rules are in 10.x.y.z IP ranges. Therefore, the traffic is dropped at the ingress of the firewall. This could be caused by (1) incorrect config export, (2) incorrect sanitization, or (3) incomplete config.
  2. A zone contains two interfaces (tunnel.1 and tunnel.3), and it is anticipated that the intrazone paths would show up (due to default allow as well as specifically defined access rules). However, those tunnels are destined to gateways that are connected via layer-2 links (in the config). Therefore, our processing of layer-3 paths does not include those cases.

Why are there paths with no rule sequences

In some situations, the path sequence field may not be populated due to implied rules from tunnels or security levels. In these situations, the path sequence will be populated with text: ‘Access implied by tunnel or security level’

Why does Path Analysis not create paths for FWs where there are 2 defined default static routes

We use default gateways to route traffic to and from external addresses. In this context, we handle multiple default gateways differently depending on whether the paths are inbound or outbound.

For inbound paths, i.e., from external sources to the internal network, we process all default gateways. We process traffic through every default gateway and generate all paths as the access rules allow.

For outbound paths, i.e., from internal network to external sources, we select only one default gateway. We have implemented a set of rules grounded in routing principles that prioritize one route over others. However, if those rules find no clear winner, we break the tie by picking the route through the interface appearing first in alphabetical order. In any case, we end up picking one default route and generating a warning  message.

Supported Devices & Data

Firewalls, Routers, Switches

The following table is a comprehensive list of supported devices. The instructions provided in the table can be used to manually extract data from the device for import. While we do our best to support the below devices, it is impossible for us to test the parsers with every possible device configuration combination. If errors occur during device import, Network Perception is committed to working with our customers to resolve their specific parsing issues.

Note that Network Perceptions device support policy follows that of the manufacturer.  When a manufacturer ends support for a product, so does Network Perception.  End of support devices are not removed from NP-View but will not be upgraded if issues arise.

Supported Devices with Vendor Partnership

The devices in this list are actively tested in our lab to support the most current versions of the manufacturer software. Network Perception has an active partnership with these vendors for software and support.

Vendor Type/Model/OS Configuration files needed
Check Point R81 / R81.10 / R81.20 including Multi-Domain Security and Virtual Router support (VRF) We support the database loading using the NP Check Point R80 Exporter (PDF documentation, video). Zip File Shasum: 5d22b182d773c020fd2a58838498b8be8221468e Exporter Tool Shasum: cc3131da37362da1291fa4a77cd8496fcb010596
Cisco
  • ASA Firewall (9.8 and up) including multi-context and Virtual Router Forwarding (VRF).
  • FTD Firewall (7.1.x, 7.2.x)
  • IOS Switch (15.7 and up) including Virtual Router Forwarding (VRF).
  • ISR (IOS-XE 17.6.x and up)
  • We do not support Application Centric Infrastructure (ACI) or NX-OS
For a Cisco IOS device, the sequence would be:
  • enable (to log into enable mode)
  • terminal length 0 (it eliminates the message between screens)
  • show running-config
For a Cisco ASA, the sequence would be:
  • enable
  • terminal pager 0
  • show running-config
For FTD, see additional instructions below
Fortinet FortiGate Firewall, FortiSwitch (FortiOS 7.0.x, 7.2.x) To get a config capture from the CLI using Putty (or some similar SSH) client, here is the process:
  • Turn on logging of the CLI session to a file
  • In the CLI of the FortiGate, issue these commands in sequence:
  • config system console
  • set output standard
  • end
  • show full-configuration
  • Turn off logging
Palo Alto Next Gen Firewall (PanOS 10.x, 11.x) including multiple virtual firewalls (vsys) and virtual routers (vrf). We do not support SD-WAN See additional instructions below

Supported Devices with no Vendor Partnership

The devices in this list are actively tested in our lab to support the most current versions of the manufacturer software.

Vendor Type/Model/OS Configuration files needed
Dell – Edge Gateway Ubuntu Core (IP Tables) see additional instructions below
Dell – PowerSwitch OS10 show running-configuration
Dell – SonicWall SonicOS (5.9.x, 6.5.x) “From GUI, Go to Export Settings, then Export (default file name: sonicwall.exp)” see additional instructions below
FS Switch (FSOS S5800 Series; Version 7.4) show running-config Note that FS configs are Cisco like and not tagged specifically as FS. We do our best to identify the device type but may display the device as Cisco in NP-View
Nvidia Mellanox (Onyx OS) show running-config Note that Nvidia configs are Cisco like and not tagged specifically as Nvidia. We do our best to identify the device type but may display the device as Cisco in NP-View
pfSense Community Edition 2.7.2 Diagnostics > Backup & Restore > Download configuration as XML
Schweitzer Ethernet Security Gateway (SEL-3620) SEL Firmware: from “Diagnostics”, click on “Update Diagnostics” and copy the text OPNsense: from ‘System > Configuration > Backup’ export .XML backup file Note: IPTables from OPNsense are not supported in NP-View.
Siemens – RUGGEDCCOM ROX Firewall RX1000-RX5000 (2.x) admin > save-fullconfiguration. Choose format “cli” and indicate file name

Historical Devices

The devices in this list were developed based on customer provided configuration files.  We are no longer actively developing these parsers but they are supported for break/fix and require customers sanitized config files to assist with the debug of issues.

Vendor Type/Model/OS Configuration files needed
Dell PowerConnect Switch console#copy running-config startup-config (instructions)
Nokia Service Router (SR7755; TiMOS-C-12.0.Rx) admin# save ftp://test:test@192.168.x.xx/./1.cfg
↳Alcatel-Lucent Service Aggregation Router (SAR7705; TiMOS-B-8.0.R10) admin# save ftp://test:test@192.168.x.xx/./1.cfg
Berkeley Software Distribution (BSD) Firewall (Open, Free and Net; 3 series) ifconfig -a > hostname_interfaces.txt See additional instructions below
Extreme Switch (x400, x600; XOC 22.6) save configuration
Hirschmann Eagle One Firewall (One-05.3.02) copy config running-config nv [profile_name]
HP / Aruba ProCurve Switch (2600, 2800, 4100, 6108) show running-config
NetScreen Firewall (ISG, SSG) get config all
Linux BSD IP Tables Firewall iptables-save See additional instructions below
NETGEAR Smart managed Pro Switch (FS/GS-Series; 6.x) CLI: show running-config all Web UI: Maintenance > Download Configuration
Siemens ROS Switch (RSG2-300; 4.2) config.csv
↳Scalance X300-400 Switch cfgsave
Sophos Firewall (v16) Admin console: System > Backup & Firmware > Import Export
VMware NSX Firewall GET https://{nsxmgr-ip}/api/4.0/edges/ (XML format) Learn more about vCenter and VSX
WatchGuard Firewall (XTM 3300, XTM 850) Select Manage System > Import/Export Configuration

Additional Instructions

Collecting Data from the Device Console

+

Collecting configuration information from the device console can be an easy way to get the device data.

Following the below rules will help ensure success when importing the files into NP-View.

Note that not all data can be retrieved from the console. Please review the section for you specific device for additional instructions.

  1. Run the command from the console.
  2. Copy the text to a plain text editor. Do not use Word or any fancy text editor as it will inject special characters that we cannot read.
  3. Review the file and look for non text characters like percent encoded text or wingdings like characters. These will break the parser.
  4. Save the output of each command in a separate file and name it after the device so that NP-View can properly attribute the files. For example: firewall1_config.txt, firewall1_arp.txt, firewall1_route.txt
  5. For Palo Alto files, there are specific naming requirements, please see the Palo Alto section for additional information.
  6. Some config files contain very long strings. Line wrapping due to the window size of the terminal will break the parser. If using a terminal like Putty, please ensure the terminal is set to maximum width.
config system console
set output standard
end

Finally, if you encounter a parsing error when loading the files and want to upload the files to Network Perception using the portal, please sanitize all files at the same time so that we can keep the data synchroized across the files.

Berkeley Software Distribution (BSD)

+

BSD has three firewalls built into the base system: PF, IPFW, and IPFILTER, also known as IPF FreeBSD

  • Packet Filtering (PF): Rules located in file /etc/pf.conf
  • IP Firewall (IPFW): Default rules are found in /etc/rc.firewall. Custom firewall rules in any file provided through # sysrc firewall_script=”/etc/ipfw.rules”
  • IP Filter also known as IPF: cross-platform, open source firewall which has been ported to several operating systems, including FreeBSD, NetBSD, OpenBSD, and Solaris™. Name of the ruleset file given via command ipf -Fa -f /etc/ipf.rules

OpenBSD

NetBSD

BSD and similar systems (e.g., Linux) will use the same names for interfaces (eth1, eth2, em1, em2, carp1, carp2, etc.). The parser might be confused if the user imports interface files and packet filter configs from different systems at the same time resulting in a combined system instead of individual devices. To prevent this, the user should group all files by host, making sure to name the ifconfig file after the hostname (i.e. host1_interfaces.txt).

Free BSD Example

Below is an example of a 2 host FREE BSD system containing FW1, host1 and host2. The user should import the files in each section as a separate import. fw1 – first data set import (all available files imported together)

  • pf.conf (required file) (note, can be named differently, e.g., FW1.txt’)
  • obsd_fw1_interfaces.txt (required file) (note that the parser keys on the “_interfaces” string”. Text before “_interfaces” will be used to name the device. In tis example ‘obsd_fw1’)
  • hostname.carp1
  • hostname.carp2
  • hostname.hvm2
  • hostname.hvm3
  • hostname.hvm4
  • table1
  • table2

host1 – second data set import (all available files imported together)

  • pf.conf (required file) (note, can be named differently, e.g., host1.txt’)
  • host1_interfaces.txt (required file) (note that the parser keys on the “_interfaces” string”. Text before “_interfaces” will be used to name the device. In this example ‘host1’)
  • hostname.em1
  • hostname.carp1

host2 – third data set import (all available files imported together)

  • pf.conf (required file) (note, can be named differently, e.g., Host2.txt’)
  • host2_interfaces.txt (required file) (note that the parser keys on the “_interfaces” string”. Text before “_interfaces” will be used to name the device. In this example ‘host2’)
  • table1
  • table2

The only required files are the config file (can be named something other than pf.conf) and the ifconfig file. hostname files are optional (unless they contain description of interfaces not in the ifconfig file). Table files contain a list of IP addresses that can be manipulated without reloading the entire rule set. Table files are only needed if tables are used inside the config file. For example, table persist { 198.51.100.0/27, !198.51.100.5 }

Legacy Fortinet Support

+

Support for Fortinet through 6.2 ended September 2023. Please note that no upgrades to these parsers will be made.

Palo Alto Panorama & NGFW

+

Panorama

If Panorama is used to centrally manage policies, the access rules and object groups can be retrieved from these devices in XML format (we do not support the import of unstructured text files). If using the Panorama connector, the required files will automatically be downloaded:through 6.2 ended September 2023. Please note that no upgrades to these parsers will be made.

The Panorama file will only contain centrally managed access rules and object groups.

Locally defined access rules and object groups cannot be retrieved from Panorama and must be retrieved from each NGFW. Please follow the instructions below to export directly from the Next Gen FireWall using API.

Palo Alto Firewalls will ALWAYS have a V-sys even if one has not been configured it will default to vsys1.

The “mapping_config” file is required which can only be retrieved through the API using the “show devices connected” command.  The name of the file is “named_mapping_config.xml” where the named prefix needs to match the device name as shown in the UI when the running_config.xml is imported alone. All files should be imported at the same time. Please see instructions below:

The below links are to the Panorama documentation for the required commands with examples. The links provide you with commands to run directly in the Panorama CLI. The images we provided are for using Postman or web browser use.

Get API Key


Get Panorama and device bundle Configuration



Get device mapping config


Once both the “<panorama_server>_running_config.xml” and <panorama_server >_mapping_config.xml” are gathered, please import them together in NP-View.

Next Gen Firewall (NGFW)

If using the PanOS connector is used to download files, the required files will automatically be downloaded:

The configuration information from the NGFW may be contained in several .xml files, <device-name>_merged_config.xml and <device-name>.vsys(n)_pushed_policy.xml.  There can be one vsys file per virtual interface. The naming of these files is important for the parser to merge them during import.  All files from a single firewall must be imported at the same time and in .xml format (we do not support the import of unstructured text files).  If any of the files are missing, improperly named or formatted, an error message will state that ‘File parsed but ruleset and topology were empty, aborting’ meaning they could not be linked to the other associated files.

An example of properly named files is below:

  • Chicago-IL-100-FW1_merged_config.xml
  • Chicago-IL-100-FW1.vsys1_pushed_policy.xml
  • Chicago-IL-100-FW1.vsys2_pushed_policy.xml

NOTE: If the NGFW is an unmanaged/standalone Palo Alto device it will not have a pushed_policy file. In this situation, the configuration .xml file can be downloaded directly from the firewall and loaded into NP-View.  The file name need not be changed when loading the file from a standalone firewall.

To manually export configuration files from an unmanaged firewall:

If the NGFW is managed by a Panorama, the API will be required to secure the necessary files:

Get API Key



Get PANos Firewall full configuration



Get Managed Firewall configuration

Virtual Routers (vrf) – Experimental Support

Virtual router (vrf) is a software-based routing framework in Palo Alto NGFW that allows the host machine to perform as a typical hardware router over a local area network. NP-View has added the experimental capability to detect Virtual Routers from Palo Alto devices (NGFW or Panorama) and present them in the Connector or Manual Import device selection screens. Virtual Routers will be treated the same as physical routers and will require a device license.

This feature is disabled by default and must be enabled prior to importing configurations containing virtual routers.

To enable the feature the NP-View Server admin will need to make a change to a system variable.

  • Stop the NP-View Server application.
  • in the docker-compose.yml file, change the enableVirtualRouters=False to enableVirtualRouters=True in three places within the file.
  • start the NP-View Server application.

For Desktop

  • Close the NP-View application.
  • In the file C:\Users\<username >\AppData\Roaming\NP-View\config.ini add enableVirtualRouters=True
  • Restart the NP-View application

Once enabled, the user will be presented with the option to select virtual routers from the connector in the device selection or upon manual import.

Legacy Palo Alto PanOS Support

+

Support for Palo Alto PanOS prior to V9.1 are no longer supported. Please note that no upgrades to parsers will be made for unsupported devices.

Dell Edge Gateway

+

The Dell Edge Gateway runs Ubuntu Core OS. The gateway uses IP tables to configure the local firewall. NP-View uses the following 4 files extracted from the Ubuntu server to generate the topology. This device is not a firewall but more of an application running device. It does have some security features but we suspect it would be behind a real firewall. The following data is needed to import this device.

  • iptables_rules → to get a device created, containing interfaces and rules
  • hostname_interfaces → associated with config above
  • arp_table → to get external hosts (ip + mac)
  • active_connections → to get routes

This is not a simple device to get data from, the following process must be followed:

1. Capture the iptables Filter Rules

To capture the iptables filter rules (the firewall rules that are active on the system), you can use the following command:

Show Command:

sudo iptables -L -v -n

Description:

Lists the currently active iptables firewall rules (filter rules). Includes details about chains (INPUT, OUTPUT, FORWARD), protocols, sources, destinations, and ports.

Save Command:

sudo iptables-save > ~/iptables_rules.conf

This will save the firewall (filter) rules in a file called iptables_rules.conf in your home directory.

2. Capture the Network Interface List

To capture the list of network interfaces (with IPs, MAC addresses, etc.):

Show Command:

ip addr show

Description:

Displays the list of all network interfaces on the system. Includes details about interface names (eth1, eth2, etc.), IP addresses, MAC addresses, and other interface attributes.

Save Command:

ip addr show > ~/hostname_interfaces.txt

This will save the interface details in a file called hostname_interfaces.txt in your home directory.

3. Show ARP Table

Show Command:

ip neigh show

Description:

Displays the ARP table, showing which MAC addresses correspond to which IP addresses on the network.

Save Command:

ip neigh show > ~/arp_table.txt

4. View Routing Table

Command:

ip route show

Description:

Displays the current routing table, showing default gateways, specific routes, and the interfaces used to reach specific networks.

Save Command:

ip route show > ~/routing_table.txt

5. Loading files into NP-View

Once all of the files have been retrieved, they need to be loaded into NP-View together and without any other files so they are properly associated.

Legacy Check Point R80 Support

+

Support for Check Point R80 through R80.40 ended April of 2024. Please note that no upgrades to these parsers will be made.

Cisco FTD

+

NP-View supports Cisco FTD through the output of “show running-config”command. However, it is important to note that Cisco FTD includes network filtering policies documented outside of the running configuration. This section explains where to find those policies.

As of version 6.1, Cisco FTD includes a Prefilter Policy feature that serves three main purposes:

  • Match traffic based on both inner and outer headers
  • Provide early Access Control which allows a flow to bypass Snort engine completely
  • Work as a placeholder for Access Control Entries (ACEs) that are migrated from Adaptive Security Appliance (ASA) migration tool.

The feature has 2 primary use cases:

  • For use with Tunnel Rule Types
  • For bypassing the Snort engine

These prefilter rules are part of the FTD configuration and are displayed via the “show running-config” command on the FTD. They manifest in the NP-View Access Rule table as a Permit IP with:

  • Source = any
  • Destination = any
  • Service = IP/any to any

As a result, the NP-View Rule Policy engine flags these rules as a high risk alert.

In the operation of the FTD, if a packet meets the prefilter policy, it is then evaluated by a secondary set of rules in the Snort engine or applied directly to the tunnel. The Snort rules are not part of the output of the of the “show running-config” output from the FTD. These rules are established, maintained and viewed on the FMC (management server), but are not readily available via the FTD CLI interface.

In the context of an audit during which evidence around these prefilter rules is requested, we recommend documenting that these rules are a default configuration for the system and we also recommend generating a FMC PDF Policy report to explain the flows of traffic within the FTD configuration. For more information, please refer to the Cisco FTD Prefilter Policies documentation.

SonicWall

+

We support .exp files as the default SonicWall file format for v5.9 and v6.X of the SonicOS.

The main UI allows for export of the encoded .exp file as such:

To extract the file via command line, then the command to export is

export current-config sonicos ftp ftp://[USERNAME]:[PASSWORD]@[FTP IP/URL]/sonicwall.exp

Where the username/password/FTP IP or URL must be changed. The file “sonicwall.exp” will then be saved at the FTP location. As this file is encoded, there’s no way to echo or cat the data.

Requesting Support for New Devices

The above list of supported hardware has been lab and field tested.  Newer versions generally work unless their is a major platform or API upgrade.  Please contact support@network-perception.com if you wish to get more information on parsers, request support for a particular device or are interested on co-developing a solution.

Connectors

NP-View includes a utility to automatically retrieve network device configuration files on a schedule. The connector types supported in NP-View Server are below:

Configuration Managers

For retrieving config files from network management systems. For each connector, the user can select the devices to be uploaded for monitoring.

Manufacturer Type/Model Configuration Information Required Connection Type
Fortinet FortiManager (6.4.x, 7.0.x) Hostname or IP address plus login credentials HTTPS + optional SSL server verification
Palo Alto Panorama (10.x, 11.x) Hostname or IP address plus login credentials See device selection section below for additional information HTTPS
SolarWinds Network Configuration Manager (Orion Platform HF3, NCM HF1: 2020.2.6) Hostname or IP address plus login credentials HTTPS

Direct Device Connection

For retrieving config files directly from the network device.

Manufacturer Type/Model Configuration Information Required Connection Type
Check Point R81.x Hostname or IP address plus login credentials See device selection and service account sections below for additional information HTTPS + optional SSL server verification
Cisco Adaptive Security Appliance (ASA 9.19) Hostname or IP address plus login credentials, enabling password and optional context SSH
Cisco Internetwork Operating System (IOS 15.9) Hostname or IP address plus login credentials, enabling password and optional context SSH
Fortinet FortiGate (FortiOS 7.0, 7.2) Hostname or IP address plus login credentials Note: SCP should be enabled in the configuration (instructions) SSH
Palo Alto NGFW (PanOS 10.x, 11.x) Hostname or IP address plus login credentials HTTPS

Volume Shares

For retrieving config files that are uploaded to a common collection repository.

Platform Connection Configuration Information Required Connection Type
Windows SMB Share (Samba) Hostname or IP address, share name, device name and root folder path SMB/CIFS
Linux SSH Share Hostname or IP address and folder path. Optionally an include list and exclude list can be defined. SSH

Additional Connector Information

Service Account

+

The use of service accounts is a recommended best practice when connecting to devices through connectors. The service account can be read-only and must have API privileges. When entering credentials related to an Active Directory domain, it is recommended to enter the username using the format account@domain.xyz instead of domain.xyzaccount as the backslash can cause unexpected issues.

Checkpoint

+

For the connector to work CheckPoint devices, the API setting need to be enabled in the SmartConsole.  See the image below for settings and commands to restart the API.

Device Selection (Palo Alto and CheckPoint)

+

CheckPoint and Palo Alto network management systems provide files with multiple devices. The connectors for these systems allow for the selection of individual devices to load into NP-View. The user can select the “Retrieve device list” button to be provides a selection list.

Collecting Layer 2 Data from Devices

+

Layer 2 data will automatically be downloaded by the connectors for Cisco ASA and Cisco IOS devices. If the data is manually collected, use the following commands and file naming conventions.

Cisco ASA
  1. show running-config → 'device_name'.'context_name'.txt
  2. show arp → 'device_name'_arp_table.'context_name'.txt
  3. show route → 'device_name'_route_table.'context_name'.txt
  4. show interface → 'device_name'.'context_name'.interface_table.txt
  5. show access-list → 'device_name'.'context_name'.access_list.txt

Cisco IOS
  1. show running-config → 'device_name'.txt
  2. show ip arp → 'device_name'_arp_table.txt
  3. show ip interface brief → 'device_name'_interface_table.txt

Once all of the files are collected, manually load the files from each device together and separately from other devices for proper file association.

Samba

+

Network Perception suggests the following when setting up the SMB connection.

  1. Create a read-only user in Active Directory or on the SMB server.
  2. Determine the available share (Get-SMBShare” in Windows PowerShell) or create a new one.
  3. Share the SMB folder containing the Configuration files with the read-only user. For example:

Configuration:

Lets assume that the server is at \\192.168.140.14\
  • the shared folder is named 'share'
  • and the files are in a sub folder of share called \test\NERC-CIP-EMS
  • a UNC would look like this: \\192.168.140.14\share\test\NERC-CIP-EMS
  • Per the above, the device name was set to LAB-SMB
When configuring the SMB connector, the screen would look like this:

If during the connector test, access is denied, the following settings should be verified and may need to be changed for the SMB to work as expected.

Running PowerShell as administrator

Input command Get-SmbServerConfiguration

Verify that EncryptData is set to false

If set to true, run command “Set-SmbServerConfiguration -EncryptData 0

Verify SmbServerHardeningLevel is set to 0

If not set to 0, run command “Set-SmbServerConfiguration -SmbServerNameHardeningLevel 0

Microsoft recommended default is off (0). More information about these settings can be found on the Microsoft website.

SSH and Samba for HA Groups

+

NP-View has the ability to handle HA Groups.

As a best practice, if using SSH or SNB shares, it is best to overwrite the entire folder with updated config files from the current active devices. It is also a best practice to name the HA devices similarly for comparison. For example:

Pittsburgh_FW1

Pottsbirgh_FW2

etc.

For Samba shares, a similar method should be followed.

Refer to the Samba section for details.

If you have a system for which you need a connector or if you encounter a technical issue, please contact support@network-perception.com.

Configure Connectors (new)

This document relates to NP-View Desktop and Server version 6.0 and later.

Connectors automate the secure retrieval of configuration files from firewalls, routers, switches, and network device configuration managers. NP-View Desktop and Server can host one or more connectors that securely retrieves configuration files manually (desktop and server) or at the specified frequency (server only).

To access the connector function, use the system menu in the upper right corner of NP-View and select 'Manage connectors'

The connector function consists of several key features.

  • Password manager to reuse and manage passwords across multiple connectors.
  • Workflow for creating groups and connectors.
  • Automated data collection and download.
  • Flexible scheduling (Server only).
  • Runtime and scheduling status (Server Only).

The connector function supports the files devices listed on the connectors page.

Add Credentials

To get started, the user must first create one or more credentials. Credentials are used to access the devices and can be used for one or more devices. This provides for the ability to manage multiple devices with one set of credentials. Click the 'Add New Credential button to display the input section. Credentials are segregated by device type. Select the device type and input the required fields.

Once filled in, select the save button and the credential will be saved and displayed in the 'Credentials' box. Clicking on the credential will allow the user to edit the credential.

At this time, Deleting a credential is not supported.

Create Groups

Once credentials have been created, the user can proceed to creating a Connector Group.

Select the '+' in the 'Groups' section to display the add groups function. Fill in the group name, notes and select a schedule (server only). For desktop, only the 'On Demand' function will be displayed.

Once saved, the user can click on the connector group name in the 'Groups' panel to enter edit mode or select the three dots to the right of the name for individual group options.

Pull to run all associated connectors and delete to remove the group. Note that only empty group can be deleted.

Scheduling Groups

Groups can retrieve data on a schedule, when setting up or editing a connector group, the user can set a schedule.

The user has multiple options for scheduling the connector; monthly, weekly, and daily with flexible day of week and time options. We recommend that connectors be run at night to provide maximum resources for processing the data. When a connector group is scheduled, the next run status will be presented in the 'Groups' panel

and on the 'Processes' tab

Add Connectors

Once a group has been created, the user can add connectors to the group. In the connectors section, select the '+' to present the add connector function.

Proceed to select the connector type and fill in the required fields.

Next fill in the optional fields.

Filling in the name of a context will only fetch the data for that one context, leaving blank will fetch all contexts.

Selecting one ore more worspaces to deliver the fetched data. If left blank, the data will be retrieved for manual download.

The user can then test the connector to verify the credentials and/or save the connector.

Once saved, the user can click on the connector name in the 'Connectors' panel to invoke edit mode. Clicking on the tree dots next to the connector name provides individual connector options.

Manual Data Pull

Data from individual connectors can be retrieved manually by selecting the 'pull' option from the menu above. When selecting pull, the connector status will proceed to 'in progress'

and the processes tab will also display the progress status.

Once data has been pulled, the user can selectively download the most current data set from the connector panel.

Deleting Workspaces

If a connector is designated to deliver data to workspace and a user deletes the workspace, the connector will automatically be updated to reflect the workspace deletion.

Configuring Connectors (legacy)

In version 6.0, a new connector function was introduced. for new connector users, it is recommended to use the new connector function. The connector access has been moved from the +Import function to the system menu.

Connectors automate the secure retrieval of configuration files from firewalls, routers, switches, and network device configuration managers. NP-View Server can host one or more connectors that securely retrieves configuration files at the specified frequency. By default, connectors are accessible through HTTPS on port TCP/8443 of the NP-View server and is isolated for security purposes.

The first time an administrator accesses the connectors, they are required to define a Connector group name and a secure passphrase. The Connector group name will be used to create the encrypted connector file store. Connector information is encrypted at rest and in transit using a passphrase protected PGP key. Only the connector owners know the passphrase and the passphrase is never stored. Once initiated, connectors run in the background collecting network information.  If the NP-View server is restarted, the connector owner is required to re-authenticate and restart the connectors. Connector owners can create multiple connector groups and each will require their own login. Once created, the user can select from the list of available connectors when logging in.

The connector page contains five main options.

Add New Connector

The buttons from left to right are:

  • + Add New Connector
  • bulk start all connectors (see bulk start parameters below)
  • bulk stop all connectors
  • delete the connector (user must be logged into the connector group to delete)
  • exit the connector group.

Add Connector

To add a new connector, select “+Add New Connector”  button and a list of available connectors is presented. Connector options are: Cloud Providers, Configuration Managers,  Direct Devices and Volume Shares

Upon selecting the Connector type to add, the user is requested to fill in connection information. Connector information varies by vendor.  The connector configuration for a Palo Alto device is as follows:

The user must enter a Connector name (no spaces), host name, and credentials.  The user can then verify the credentials are correct with the “Test credentials” button.  The user can setup the polling cycle and provide the workspaces to deliver the resultant information.

Polling Cycles are:

  • On demand
  • Daily
  • Weekly
  • Bi-Weekly
  • Monthly

Configuration Management Systems

For Configuration Management Systems and file Shares, additional information may be required.  The user can retrieve a list of files from the device and filter the results.  To include specific files, put them in the include list field.  To exclude files, put them in the exclude list field.  If both lists are used, include list filter will be applied first and the exclude list filter to the results of the include list filter. If the share is PGP encrypted, a PGP Public key will be required.

Workspaces must be added to the connector for data to be transferred and displayed in the workspace.  If workspaces are added after a connector is setup, data will not be sent to the workspace until the next scheduled import and a configuration change is identified.  Creating workspaces before connectors facilitates faster visualization of data.

Connector Tile

Once the connector is added, a tile is added to the connectors home page.

Connector tiles are sorted by the characters in their names using standard Linux conventions:

  1. whitespace
  2. integer
  3. special char
  4. uppercase [A-Z]
  5. underscore (possibly other special chars)
  6. lowercase [a-z]

From the tile, the user can:

  • manually activate the connector for a one time data pull
  • run / pause the connector
  • edit the connector
  • copy the connector
  • delete the connector.

The tile banner will show in three colors:

  • red – connector failed
  • blue – connector scheduled to run
  • gray – connector paused

Click the start / pause button to restart a failed or paused connector, note that a connector may take several minutes to change the banner color.

Connector for Forescout

+

The Connector for Forescout 8.1 and later enables integration between CounterACT and NP-View such that network device configuration files managed by CounterACT can be automatically imported into NP-View and aggregated into specific workspaces. Currently, Cisco switches are supported through the Forescout Switch Plugin.

  • Download the Forescout Extended Module for NP-Vie from https://updates.forescout.com.
  • Start your Forescout Console and login into Enterprise Manager.
  • Then open “Options”, select “Modules”, and install the fpi.

To request additional support for this connector or to request support for other devices, please contact support@network-perception.com.

Connectors + Samba (SMB) Access Error

+

This error can be caused by two communication scenarios between Linux and Window. Either SMB encryption is enabled on the Server or SPN target name validation level is enabled (or both). To check which of these features is causing the issue, Run PowerShell on the Windows Server as administrator and run the following command:

Get-SmbServerConfiguration

If EncryptData = True, it can be disabled using:

Set-SmbServerConfiguration -EncryptData 0

If SmbServerNameHardeningLevel is set to any value other than the default of 0 run:

Set-SmbServerConfiguration -SmbServerNameHardeningLevel 0

to restore the default.

Connectors fails to initiate connection to outside devices

+

In some instances, the Linux distribution is preventing the connectors (Docker) from initiating connections to outside devices. The solution is to update the firewall settings on the Linux distribution using the following commands:

# firewall-cmd --zone=public --add-masquerade --permanent
# firewall-cmd --reload
# systemctl restart docker

Configuring Read-only Access to Cisco

+

The NP-View Connector for Cisco uses a read-only SSH connection to collect the output of the show running-config command. It is best practice to create a dedicated read-only user on your Cisco devices when configuring connectors. Here are the commands to only give the minimum permissions needed for this user:

conf t
aaa authorization command LOCAL
privilege show level 2 mode exec command running-config
privilege cmd level 2 mode exec command terminal
username $USERNAME password $PASSWORD priv 2
end

Bulks Start Parameters

+

To help balance the processing load of managing multiple connectors and improve user experience on the topology map, the bulk start function can be scheduled to off hours using system parameters. The docker-compose.yml file contains two parameters for the bulk system start function in the monitor: environment: section

  • connBulkStartTime=21:00:00 # defines the start time for the connectors, format is Hours:Minutes:Seconds, 24 hour clock.
  • connBulkStartSpread=00:15:00 # defines the connector start stagger, format is Hours:Minutes:Seconds

Deleting Connectors

+

Connectors can be deleted by entering the connector group name and passphrase to gain access to the connector. The connector can be deleted by selecting the trash can in the upper right corner.

If the passphrase is forgotten, the connector can be forcefully deleted by the Linux Admin by removing the connector file from the folder

/var/lib/docker/volumes/NP-Live_np-connect/_data.

Reference

Help Center

Help Center

The Help Center can be found on the system menu on the upper right corner of the topology.

The Help Center will display warnings or errors identified during the import of device files.

The information in the help center is designed to provide information for the tech support team to help diagnose the issues.

There are many types of possible errors including:

  1. Invalid file formats (e.g., .gif or .png)
  2. Improperly formatted files (files exported as text but loaded into a word processors where extra characters are added before saving).
  3. Incomplete set of files (many devices require more than one file for import this includes Palo Alto and IP tables)
  4. Misconfigured files where rules or objects are undefined.

As every customer has a different environment and possible device configurations are endless.  We sometimes run into a situation where the parser cannot handle the device as configured.  When this happens, we request the customer to sanitize the config file on the NP Poral and upload the file for debug purposes.  Support from our customers is important for us to quickly remediate parsing issues unique to a device or specific file.

The Help Center provides a download for the error log which can be submitted to technical support through the support portal.