At Network Perception, we have combined our vast expertise of critical asset protection with next-gen technology to guide our customers on a path to cyber resiliency.
The journey starts with establishing a clear baseline and verifying that internal risk mitigation controls are followed.
The next step consists of gaining an accurate visibility of network architecture and cybersecurity posture.
Finally, the third step is developing a continuous monitoring approach to gain velocity and adapt quickly to disruptions.
NP-View is designed to run on Windows 10 or Windows 11 with a recommended configuration of a 10th Gen Quad Core Processor and 16GB of RAM. This configuration should be sufficient for processing large data files up to 500,000 lines. Simultaneously loading and analyzing multiple devices with larger configuration files will maximize the use of available system resources, and additional RAM may be required.
Installation Process
Sign up on the Portal website to download the latest version of NP-View Desktop and to download a license key. A SHA256 checksum is supplied with each download. You can calculate the checksum on the files you download to verify the integrity of the files:
Windows PowerShell: Get-FileHash /the/full/path/to/your/filename.exe | Format-List
Once installed, NP-View will automatically launch.
Allow ports for private/public network if prompted.
NP-View has been designed to run offline, which means that the network connections attempted towards a public NTP server, the local DNS server, and the Network Perception update server are optional and do not affect the system if the internet is unavailable. More information on configuring NP-View can be found here.
NP-View Desktop is a resource intensive application. For best performance, please ensure your system’s Power plan is set to High performance.
If you have administrator access, you can enable Ultimate Performance by opening the command prompt as administrator, pasting the following, and pressing Enter: powercfg -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61
Windows control panel:
First Login
Upon first login, NP-View Desktop will require you to create an administrator account. Fill in the required information and click the “Create the NP-View administrator account” button. The password can be as simple or as complex as the user desires but needs to be at least 8 characters.
Local authentication is for users who wish to add an additional layer of protection. With this, the user can use whatever e-mail address and password they choose. If the user logs out of the system, the user id and password will be required upon subsequent application launches. Otherwise, the session remains open and authentication is not required.
Read and accept the user agreement.
Next, you will need to enter your license key. Once input, click the “Add license key” button.
Select your preferences for checking for automatic updates (requires internet access) and participation in our voluntary improvement program. Both selections use a slider that defaults to off. To opt in, click the button and it will slide to the right. Click the Save Preferences button to complete.
Next, click the Get Started button.
User Menu
Access to the Help Center, License Manager, Update Manager and other administrative functions can be found on the User Menu located in the top-right corner of the Workspaces page.
Getting Started
On the Workspaces Page, NP-View provides a demo workspace as well as the ability to start creating your own workspaces. Click here to learn more about using workspaces.
Software Version
If you contact technical support, they will ask you for the software edition and version you are running. It can be found on the bottom left corner of the home screen.
Software Uninstall
To uninstall NP-View Desktop on Windows 10/11:
Use the Add or Remove Programs feature to remove the software
Delete folder: ~AppData/Roaming/NP-View
Delete folder: ~AppData/Local/Programs/NP-View
Delete folder: ~AppData/Local/np-view-updater
Password Reset
Remove the file at the location listed below and restart the application to input your credentials.
Windows: Delete the file ~AppData/Roaming/NP-View/db/auth_provider.cfg and then restart NP-View.
License Changes / Upgrades
After a new license key from Network Perception is entered, the user must log out and log back in for the changes to take effect. Note that the license key function is only available from the home screen (not from within a workspace).
Upload File Size Limit
NP-View enforces a maximum file size of 200MB by default. To change it, the config.ini file must be edited and the following row added: MAX_IMPORT_SIZE=<size in bytes>. For example: MAX_IMPORT_SIZE=209715200 which corresponds to 200MB.
Windows: the config.ini file can be found at: ~AppData/Roaming/NP-View/config.ini
Windows Path/File Name Length Limit
Microsoft Windows has a MAX_PATH limit of 256 characters. If the path and filename exceed 256 characters, the file import will fail.
For example: C:\Users\<username>\AppData\Roaming\NP-View\db\workspace\<np-view-user>@<workspace>\devices\<filename>
NP-View Server has been designed to be easily installed by a single person who has moderate Linux skills. This article provides step-by-step instructions on the installation process, which includes:
Provisioning a server
Downloading NP-View server
Installing NP-View server
Installing an SSL Certificate
NP-View is accessed through a web browser (Edge, Chrome, Firefox) running on a modern operating system (Windows 10 or later, macOS 11 Big Sur or later, Ubuntu 20 or later) with a recommended configuration of a 10th Gen Quad Core Processor and 16GB of RAM.
Provisioning a Server
The following table documents the CPU, memory, and disk requirements based on the number of network device configuration files monitored by NP-View server:
Number of network devices monitored (firewall, router, switch) / concurrent users | Min. CPU | Memory | Disk Space
Up to 50 devices / 3 concurrent users | 4-core | 16GB | 200GB
Up to 100 devices / 5 concurrent users* | 8-core | 32GB | 400GB
Up to 500 devices / 10 concurrent users | 16-core | 64GB | 2TB
Up to 1,000 devices / 20 concurrent users | 32-core | 128GB | 4TB
Greater than 1,000 devices: please contact support to discuss requirements.
* Recommended as the minimum for most Professional Server users.
Note: loading and analyzing devices utilizes the majority of the CPU and Memory capacity. The higher the server capacity and the faster the CPU, the faster devices will load and be analyzed.
Network ports used by NP-View server
The following ports are used by NP-View server. Please ensure these ports are open on your firewall for proper communication.
Required ports:
TCP/22: SSH server to provide secure console access to the NP-Live server
TCP/443: access to NP-View Web UI through HTTPS
TCP/8443: access to NP-View connectors Web UI through HTTPS
Optional ports:
TCP/80: access to NP-View Web UI through HTTP
TCP/389: access to Active Directory / LDAP for LDAPv3 TLS
TCP/445: access to NP-View SMB Connector
TCP/636: access to Active Directory / LDAPS for TLS/SSL
TCP/8080: access to NP-View connectors Web UI through HTTP
Firewall Rules
The source IP should be the client workstation that will access NP-View and the destination IP should be the NP-View Linux server.
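The port list and source/destination guidance above expressed as a host firewall for the NP-View Linux server, as an added example that is not Network Perception's own script. It assumes the server runs nftables and that the client workstations live in the CIDR passed as the first argument; the optional HTTP ports stay closed unless explicitly requested.

```shell
#!/bin/sh
# Added example (not Network Perception's own script): emit an nftables ruleset that
# admits only the NP-View server ports listed on this page, and only from the client
# workstation network. Outbound traffic is not filtered, so the optional NTP, DNS and
# update-server connections are unaffected.

np_view_nft_ruleset() {
  client_cidr=$1              # source side of the rule: the client workstations
  allow_http=${2:-no}         # "yes" also opens the optional plain-HTTP ports
  ports="22, 443, 8443"       # required: SSH console, Web UI (HTTPS), connectors Web UI (HTTPS)
  if [ "$allow_http" = "yes" ]; then
    ports="$ports, 80, 8080"  # optional: Web UI and connectors Web UI over HTTP
  fi
  cat <<EOF
table inet np_view {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # NP-View services, reachable only from the client network
    ip saddr $client_cidr tcp dport { $ports } ct state new accept
    # everything else (including HTTP when it is not enabled) is dropped and counted
    counter drop
  }
}
EOF
}

# Usage: np_view_nft_ruleset 10.10.0.0/24 | sudo nft -f -   (review the output first)
if [ -n "${1:-}" ]; then
  np_view_nft_ruleset "$@"
fi
```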
Downloading NP-View Server
Sign up on the Portal website to download the latest version of NP-View server and the license key. A SHA256 checksum is supplied with each download by clicking on the “show checksum” link. You can calculate the checksum on the files you download to verify their integrity:
Windows 10/11 using PowerShell: Get-FileHash /the/full/path/to/your/file/name/extension | Format-List
macOS: shasum -a 256 /full/path/to/your/file/name/extension
Installing NP-View Server
NP-View server is a Linux application. It can be installed on a virtual machine or physical hardware. There are two package formats available:
NP-View Virtual Appliance (~2GB OVF) that works on all major hypervisors with support for the .vmdk disk format (e.g., VMware ESXi).
NP-View Linux installer (~600MB) that works on all major Linux distributions on which Docker can be installed.
The NP-View OVF uses Ubuntu Server 22.04 LTS or later. Root access is provided (see the text file provided with the .OVF) so the operating system can be periodically updated. This option should be used for new installations. The NP-View Linux installer is used to update NP-View on an existing system or for a new install on a Linux server.
Note: Network Perception does not recommend running NP-View in a double virtualized environment (Linux VM encapsulated within a Windows VM) as the operation of connectors, notifications and external interfaces can be unpredictable.
Option 1: Using the NP-View Linux Installer
Once downloaded from the portal, follow the steps below to complete the install:
Step 1: move the installer to the server (this may require SSH or other user account permissions). Place the file in a location you can access from the terminal, for example:
/tmp – a temporary folder available at the root directory
/opt/np-live – the default NP-View server root directory
You can use the ls command to see what is in your current directory. An example of the transfer using WinSCP is given at the end of this section.
Step 2: log into the terminal, or use SSH (PuTTY, PowerShell, etc.) to connect to the Linux server.
Step 3: obtain root-level permissions with the following command (this allows you to type commands without adding sudo to each one):
sudo -i
Step 4: navigate to the directory in which the NP-View Server Linux installer was placed, and use the ls command to verify the file is in this directory.
Step 5: run the installer (Docker must be installed before this step). Example: sh NP-View_Full_Filename.sh (example file name: NP-View_Server_Linux_4.0.5-add6)
The installer will begin by checking for a running instance of Docker and an internet connection:
If Docker is not installed and running, the installer will stop and you will have to manually install the latest version of Docker before continuing.
If an internet connection is available and Docker isn’t installed, the installer will automatically download and install the latest version of Docker.
If an internet connection isn’t available but Docker is installed, the installer will continue offline (the most common scenario).
If you are installing NP-View Server on Red Hat Enterprise Linux, use the following commands to install Docker:
Step 6: when prompted for the default directory (/opt/np-live), we recommend keeping the default, but it can be changed if preferred.
Note: if the default directory is changed, it will need to be edited for each new release during the installation.
Step 7: a message is displayed once the installation is complete.
Step 8: launch a browser to navigate to the NP-View User Interface.
Example of transfer with WinSCP:
Load WinSCP; it should default to the login screen.
Set “File Protocol:” to SFTP.
Fill in Host name, User name, and Password. The host name is the IP address of your NP-View Server; the user name and password are the same sudo credentials you use to log into the NP-View Server terminal.
Find the NP-View Linux Server installer file in the left window. Then, in the right window, from the “root” select the “tmp” folder. Once you have completed both steps, click “Upload”.
Click OK to complete the transfer.
Option 2: Using the NP-View Virtual Appliance
Once the Virtual Appliance OVF file has been downloaded from the portal, follow the steps below to complete setup:
Step 1: extract the .zip archive (right-click on the folder and choose Extract All).
Step 2: import the OVF into your hypervisor.
Step 3: in the hypervisor settings, update CPU, memory, and disk space to meet the requirements stated in the Provisioning a Server table above.
Step 4: open README.txt from the extracted folder for the credentials.
Step 5: launch the appliance and log into the terminal using the credentials in README.txt.
Step 6: the NP-View Server shell script will guide you through updating the NP-Live password and the root password, and through resetting the encryption keys.
Step 7: once complete, the NP menu will appear, indicating the server is ready to use.
Step 8: launch a browser to navigate to the NP-View User Interface.
Note: a static IP may need to be configured before using the user interface.
Installing an SSL Certificate
NP-View listens on both port TCP/80 (HTTP) and TCP/443 (HTTPS). For HTTPS, it uses a self-signed SSL certificate by default. Users can also provide their own SSL certificate by simply copying a valid .pem file into the NP-View db folder. If using HTTPS, the best practice is to disable HTTP or forward HTTP to HTTPS.
The following command can be used to generate a valid .pem file:
To learn more about generating your own SSL certificate, please visit python documentation.
Please note that the .pem file should include both the private key and the full certificate chain. If you received the private key and the certificate as two or more separate files, you can concatenate them into a single .pem file.
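Concatenating the pieces is easy to get wrong (wrong order, or a key that does not belong to the certificate). The following added example, which is not Network Perception's own tooling, builds the single .pem file from separate key and certificate files and refuses to produce it unless the key matches the certificate. It assumes OpenSSL is installed on the machine where you assemble the file; the output path is whatever you pass as the third argument.

```shell
#!/bin/sh
# Added example (not Network Perception's own tooling): assemble the single .pem that
# NP-View expects (private key + leaf certificate + intermediates) and verify, before
# writing it, that the private key really belongs to the leaf certificate.
# Assumption: openssl is available on the machine assembling the file.

# build_np_view_pem KEY CERT OUT [INTERMEDIATE...]
build_np_view_pem() {
  key=$1; cert=$2; out=$3
  shift 3                       # remaining arguments: intermediate/chain certificates

  # Structural check: every input must carry PEM armor of the expected type.
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || {
    echo "$key: not a PEM private key" >&2; return 1; }
  for c in "$cert" "$@"; do
    grep -q -- '-----BEGIN CERTIFICATE-----' "$c" || {
      echo "$c: not a PEM certificate" >&2; return 1; }
  done

  # Key/certificate match: the public key derived from the private key must equal
  # the public key embedded in the certificate.
  pub_from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  pub_from_cert=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_cert" ] || {
    echo "private key does not match certificate $cert" >&2; return 1; }

  # Order matters: private key first, then the leaf, then intermediates.
  cat "$key" "$cert" "$@" > "$out"
  chmod 600 "$out"              # the combined file now contains the private key
  printf '%s\n' "$out"
}

# Usage: build_np_view_pem server.key server.crt np-view.pem intermediate.crt
if [ "$#" -ge 3 ]; then
  build_np_view_pem "$@"
fi
```

Copy the resulting file into the NP-View db folder as the page describes; keep the 600 permissions, since the file holds the private key.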
Setting the Virtual Appliance Time Zone
By default, the Virtual Appliance install creates the file `/opt/np-live/local-settings.yml`, set to America/Chicago. This file needs to be updated to reflect your local time zone. To change to a different time zone, log into the server using SSH and become root with the command sudo -i. You can then perform the following updates.
NP-View does not automatically delete log files; the Linux system administrator may wish to schedule the above commands in a periodic cron job to maintain optimal performance.
If server upgrade or restart issues continue to occur, please reach out to the Tech Support team.
Default Disk Encryption
As the NP-View OVF is typically installed within a secure environment, the disk is not encrypted by default for data at rest. The Linux Admin can encrypt the system drive for increased security knowing that system performance will be slightly degraded to accommodate the data decryption and encryption.
Personalize the Login Page
To add a custom message to the login page, an NP-View administrator can edit the file /opt/np-live/docker-compose.yml with the following entry in the webserver environment section: “- banner=Welcome to NP-view”
For NP-View, the file ~/Documents/np-live/config.ini can be edited to add: “banner=Welcome to NP-View”
Upload File Size Limit
When users upload a file through the Web user interface, NP-View enforces a maximum file size, which is 200MB by default. To change it, an NP-View Linux administrator can edit the file /opt/np-live/docker-compose.yml with the following entry in the webserver environment section: “- MAX_IMPORT_SIZE=209715200”. The value is in bytes, so 209715200 corresponds to 200MB.
Backing up the NP-View Server Database
Stop the NP-View Server (you can use the script /opt/np-live/stop_nplive.sh)
From the NP-View Server folder (by default /opt/np-live/), run the command: tar -zcf db_backup_$(date '+%Y_%m_%d').tgz db (this command may take a few minutes to complete)
Run the new release installer, which will update the containers and then launch NP-View Server
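The three steps above as one script, added here as an example and not Network Perception's own tooling: it stops the server if the stop script is present, archives the db folder with the same file naming as above, and then proves the archive is readable and records its SHA256 so a corrupt backup is noticed before the upgrade rather than during a restore. It assumes the folder layout this page describes (a db subfolder and stop_nplive.sh under the NP-View Server folder).

```shell
#!/bin/sh
# Added example (not Network Perception's own script): back up the NP-View Server
# database before running a new release installer, and verify the backup.
# Assumption: the NP-View Server folder contains db/ and stop_nplive.sh as this page states.

backup_np_view_db() {
  base=${1:-/opt/np-live}
  archive="db_backup_$(date '+%Y_%m_%d').tgz"
  if [ ! -d "$base/db" ]; then
    echo "no db folder under $base" >&2
    return 1
  fi
  # Stop the server first so the database is quiescent while it is archived.
  if [ -x "$base/stop_nplive.sh" ]; then
    "$base/stop_nplive.sh"
  fi
  (
    set -e
    cd "$base"
    tar -zcf "$archive" db
    tar -tzf "$archive" > /dev/null      # fails if the archive is truncated or corrupt
    if command -v sha256sum >/dev/null 2>&1; then
      sha256sum "$archive" > "$archive.sha256"
    else
      shasum -a 256 "$archive" > "$archive.sha256"
    fi
  ) || return 1
  printf '%s\n' "$base/$archive"         # path of the verified archive
}

# Usage: backup_np_view_db /opt/np-live   (then run the new release installer)
if [ -n "${1:-}" ]; then
  backup_np_view_db "$1"
fi
```

Copy the archive and its .sha256 file off the server before starting the upgrade, and re-check the hash on the copy.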
Complete Removal of NP-View
If you wish to completely remove NP-View from your server to start with a fresh install, perform the following steps:
Stop NP-View using the script /opt/np-live/stop_NP-Live.sh
Remove the Docker containers using the command docker system prune -a as root (WARNING: this will completely reset Docker, so if non-NP-View containers have been added they will be deleted as well)
Remove the NP-View folder with the command rm -rf /opt/np-live as root (WARNING: the NP-View database will be permanently deleted)
Network mapping provides the Networking Team (Network Engineer, Network Security) with capabilities that allow users to:
Visualize an accurate topology of the network architecture
Identify and label critical cyber assets and critical network zones
Easily review which devices are protecting which network zones
Visualize Topology
NP-View can be used to discover your network topology and the underlying control plane, including layer-2 and layer-3 configurations. Without leaving the topology map, you can review many aspects of the network’s design including Firewalls, Routers, Switches, Gateways, Networks, VPNs, Hosts and more.
Critical Assets and Zones
Each asset can be tagged with categories and criticalities as well as grouped into zones making it easy to review which devices are protecting which network zones.
Details On-demand
Selecting a node in the topology map will interactively display an information panel with detailed data about that node.
Firewall ruleset review provides Network Engineers, Network Security, and Compliance Analysts with functionality for:
Easy review of firewall access rules and object groups using the Access Rules and Object Groups reports.
Automatic identification of configuration risks using the Risks and Warnings report.
Validating recent policy modifications as part of a configuration change review process using the Change Tracking report.
How to Review Access Rules
An independent review of firewall policies has to be conducted periodically to ensure that network access rules are correctly implemented and documented. This matters because a lack of access rule review leads to unexpected network access vulnerabilities.
Frequency: each time firewall policies are changed, and at least once a quarter
How to do it:
Step 1: given a workspace populated with network device configurations, open the Access Rule table from the main menu (top left)
Step 2: leverage the “Column Search” feature or the “Compare” feature to show the rules in scope of your verification
For instance, filter the “Device” column to only show rules for a specific device, or filter the “Binding (ACL)” column to only show rules bound to a specific interface, or use the “Compare” feature to only show rules added or removed recently
Step 3: review values for the source, destination, service, binding, risk, and description of each rule in scope
The “Description” column captures comment, description, or justification from the device configuration
The “Risk” and “Risk Criticality” columns are populated by NP-View during the automated risk analysis
Step 4: to identify rules that are not justified, sort the table by “Description”. Empty values will be shown at the bottom.
Step 5: to document your review process, double click on the “Comment” or “Comment Status” cells to add your own comment. The comment status can be either “Verified” or “To Review” or “To Revise”
Step 6: to save evidence of your review process, export the table to Excel using the export options in the top right corner of the table
Access Rules Table
The Access Rules report provides the users with complete details on each Access Rule with the ability to add justifications and actions.
Object Groups
The Object Groups report provides the users with complete details on each Object Group with the ability to add justifications and actions.
Risks and Warnings
As modifications are made to the network, the Network Perception default Policies and Requirements identify potential risks. The Risks and Warnings report provides the users with a summary of the potential risks and their criticality with the ability to add actions and comments.
Change Tracking
As modifications are made to the network and the updated configuration files are imported, the changes are logged in the Change Tracking table.
Using industry best practices, Network Perception automatically identifies potential risks related to network configurations. Using the Network Perception Connectivity Path analysis, the user can review each of the highlighted risks and make a judgment on action.
Exposure of Vulnerable Assets – Vulnerability Analytics
NP-View provides your security team with a single pane of glass for reviewing network vulnerability exposure. With the addition of scanner data or data from a vulnerability data service, vulnerabilities can be tracked across your network.
Topology Display of Vulnerabilities
When scanned data has been added to a workspace, and a topology view is built that also includes that scan data, nodes on the topology of that view will be marked with a shield indicating the presence of vulnerabilities.
Firewalls, Gateways, and Hosts may contain vulnerability and service information imported from scans. Clicking on any of these nodes in a View that contains vulnerability information will display it in the info panel that opens over the main menu.
Clicking on the Vulnerabilities link will present a pop out with the vulnerability details.
Performing a regular review of your compliance metrics is important for your organization. Performing the review manually is time consuming and tedious. Audit assistance provides the Compliance Team (Auditor, Compliance Officer, Compliance Analyst, and Consultants) with capabilities that allow users to:
Verify compliance with cybersecurity regulations and best practices through Policy Review.
Seamlessly store evidence for compliance review with Change Tracking.
Easily prepare compliance reports using the Audit Assistants listed below:
Workspace Report (Standard)
The Workspace Report assistant is available within each workspace and will generate a report for a specific view that includes detailed information about configuration files that were imported and parsed including:
Configuration assessment report including risk alerts
Ports and Interfaces
Access rules
Object groups
Path analysis
Industry Best Practice (Premium)
The Best Practice assistant requires a license to activate. This report is available within each workspace to generate a report for a specific view that includes the following topics:
Parser Warnings and potential misconfigurations
Unused Object Groups
Access Rules missing a justification
Unnamed nodes
NP Best Practice Policies on access rules and CIS Benchmarks that have identified potential risks
ACLs with no explicit deny-by-default rule
NERC CIP Compliance (Premium)
The NERC CIP assistant requires a license to activate this function and guides the user through the steps required to create a report covering CIP-005 requirements. The NERC CIP audit assistant is only available within a NERC-CIP workspace and allows audit teams to classify BES cyber assets as High, Medium, and Low based on the standards. We have added a category for untrusted (Internet, Corp, etc.) to tag non-BES assets. NP-View allows compliance teams to collect and report evidence related to the following requirements:
CIP-002 – BES Cyber System Categorization; impact rating and 15-month review
The policy manager is used to execute predefined policies and requirements that trigger risk messages or format designated table reports, based on string matching logic. Default Policies and individual Requirements can be “Enabled or Disabled” by clicking the toggle button. Policies and Requirements are global in nature and changes made when in one workspace will apply to all workspaces. For example, if a Policy, Requirement, or Device is deactivated in one workspace, that update will apply to all workspaces. Risk Policies are run when new data is imported into NP-View. Table Highlight Policies are run when a modal report is opened.
Key Concepts
Using the policy manager requires the understanding of a few concepts:
Requirement: a requirement contains regex logic to trigger a message or formatting action for one use case.
Policy: a policy is a collection of related requirements and does not have any logic associated with it; it is a means of categorization. Policies can be enabled or disabled.
Risks and Warnings Requirements: trigger alert messages based on regex logic. Individual policies can be enabled or disabled and assigned to one or more devices.
Table Highlighting Requirements: format the color of cells and text based on regex logic. Highlighting is report specific.
Default Risks & Warnings Policies
Risk and Warnings messages, which can be found in the Risks & Warnings and Access Rules table reports, are generated using Policies and Requirements located in the Policy Manager. Default Policies and Requirements are automatically assigned to all devices when they are first imported, and run when network device configuration changes are identified.
The following default Risk alert Policies are provided for all Compliance modules:
Default Parser Risk Policy – triggers from logs generated during parsing of device configuration files
Default Access Rule Risk Policy – triggers from access rules
Default Policies and Requirements
Policy | Requirement | Risk Severity
Default Parser Risk Policy | Unnecessary EIGRP Network | Low
Default Parser Risk Policy | Broadcast traffic permission | Low
Default Parser Risk Policy | Traffic to multicast group | Low
Default Parser Risk Policy | Empty Field | Low
Default Parser Risk Policy | Unused ACL’s | Low
Default Parser Risk Policy | Unused group | Low
Default Parser Risk Policy | Mixed any and not any | Low
Default Parser Risk Policy | Unassigned interface | Low
Default Parser Risk Policy | Missing interfaces | Low
Default Parser Risk Policy | Rule following schedule | Low
Default Access Rule Risk Policy | Any in all fields | High
Default Access Rule Risk Policy | Any in source | Medium
Default Access Rule Risk Policy | Any source binding | Medium
Default Access Rule Risk Policy | Any source IP | Medium
Default Access Rule Risk Policy | Any destination | Medium
Default Access Rule Risk Policy | Any destination binding | Medium
Default Access Rule Risk Policy | Any in destination IP | Medium
Default Access Rule Risk Policy | Any TCP Service | Medium
Default Access Rule Risk Policy | Any UDP Service | Medium
Default Access Rule Risk Policy | Any Service Open | Medium
Default CIS Benchmark Risk Policies
CIS Benchmarks are provided as part of the Best Practices Module. CIS Benchmarks provide a powerful set of secondary policies to help identify risks within your network. CIS Benchmarks are disabled by default and must be manually enabled and assigned to devices. As noted, changes to Risk-related Policies, Requirements or Devices apply to all workspaces. CIS Benchmark Policies and Requirements can be deactivated but not edited or deleted.
CIS Benchmark for Check Point
CIS Benchmark for Cisco
CIS Benchmark for Juniper
CIS Benchmark for Palo Alto
CIS Benchmark for Check Point Firewall
The requirements below were derived from the CIS Check Point Firewall Benchmark v1.1.0 – 06-29-2020.
Requirement | Risk Severity
Ensure ‘Login Banner’ is set | Low
Ensure CLI session timeout is set to less than or equal to 10 minutes | Low
Ensure Check for Password Reuse is selected and History Length is set to 12 or more | Low
Ensure DHCP is disabled | Low
Ensure DNS server is configured | Low
Ensure Deny access after failed login attempts is selected | Low
Ensure Deny access to unused accounts is selected | Low
Ensure Disk Space Alert is set | Low
Ensure force users to change password at first login after password was changed from Users page is selected | Low
Ensure Host Name is set | Low
Ensure IPv6 is disabled if not used | Low
Ensure Maximum number of failed attempts allowed is set to 5 or fewer | Low
Ensure Minimum Password Length is set to 14 or higher | Low
Ensure NTP is enabled and IP address is set for Primary and Secondary NTP server | Low
Ensure Password Complexity is set to 3 | Low
Ensure Password Expiration is set to 90 days or less | Low
Ensure Telnet is disabled | Low
Ensure Warn users before password expiration is set to 7 days or less | Low
Ensure Web session timeout is set to less than or equal to 10 minutes | Low
Ensure Radius or TACACS+ server is configured | Low
Logging should be enabled for all Firewall Rules | Low
CIS Benchmark for Cisco ASA 8.x, 9.x Firewall
The requirements below were derived from the CIS Cisco Firewall Benchmark v4.1.0 – 01-16-2018, supporting ASA 8.x and 9.x.
Requirement | Risk Severity
Ensure ‘Domain Name’ is set | Low
Ensure ‘Failover’ is enabled | Low
Ensure ‘HTTP session timeout’ is less than or equal to ‘5’ minutes | Low
Ensure ‘Host Name’ is set | Low
Ensure ‘LOGIN banner’ is set | Low
Ensure ‘MOTD banner’ is set | Low
Ensure ‘NTP authentication key’ is configured correctly | Low
Ensure ‘Password Policy’ is enabled | Low
Ensure ‘Password Recovery’ is disabled | Low
Ensure ‘SNMP community string’ is not the default string | Low
Ensure ‘SSH session timeout’ is less than or equal to ‘5’ minutes | Low
Ensure ‘TACACS+RADIUS’ is configured correctly | Low
Ensure ‘console session timeout’ is less than or equal to ‘5’ minutes | Low
Ensure ‘local username and password’ is set | Low
Ensure ‘logging with timestamps’ is enabled | Low
Ensure ‘logging’ is enabled | Low
Ensure ActiveX filtering is enabled | Low
Ensure DHCP services are disabled for untrusted interfaces | Low
Ensure DOS protection is enabled for untrusted interfaces | Low
Ensure Master Key Passphrase is set | Low
Ensure email logging is configured for critical to emergency | Low
Ensure explicit deny in access lists is configured correctly | Low
Ensure ‘trusted NTP server’ exists | Low
Ensure Enable Password is set | Low
Ensure Java applet filtering is enabled | Low
Ensure Logon Password is set | Low
Ensure known default accounts do not exist | Low
CIS Benchmark for Juniper JunOS 15.1 Firewall
The requirements below were derived from the CIS Juniper Benchmark v2.1.0 – 11-23-2020, supporting JunOS v15.1.
Requirement | Risk Severity
Forbid Dial in Access | Low
Ensure VRRP authentication-key is set | Low
Ensure proxy-arp is disabled | Low
Ensure EBGP peers are set to use GTSM | Low
Ensure authentication check is not suppressed | Low
Ensure loose authentication check is not configured | Low
Ensure RIP authentication is set to MD5 | Low
Ensure BFD Authentication is Set | Low
Ensure BFD Authentication is Not Set to Loose-Check | Low
Ensure SNMPv1/2 are set to Read Only | Low
Ensure “Default Restrict” is set in all client lists | Low
Ensure AES128 is set for all SNMPv3 users | Low
Ensure SHA1 is set for SNMPv3 authentication | Low
Ensure Accounting of Logins | Low
Ensure Accounting of Configuration Changes | Low
Ensure Archive on Commit | Low
Ensure NO Plain Text Archive Sites are configured | Low
Ensure external AAA is used | Low
Ensure TCP SYN/FIN is Set to Drop | Low
Ensure TCP RST is Set to Disabled | Low
Ensure Minimum Session Time of at least 20 seconds | Low
Ensure Lockout-period is set to at least 30 minutes | Low
Ensure login message is set | Low
Ensure local passwords require multiple character sets | Low
Ensure at least 4 set changes in local passwords | Low
Ensure local passwords are at least 10 characters | Low
Ensure External NTP Servers are set | Low
Ensure Strong Ciphers are set for SSH | Low
Ensure Web-Management is not Set to HTTP | Low
Ensure Web-Management is Set to use HTTPS | Low
Ensure Web-Management is Set to use PKI Certificate for HTTPS | Low
Ensure Session Limited is Set for Web-Management | Low
Ensure Telnet is Not Set | Low
Ensure Reverse Telnet is Not Set | Low
Ensure Finger Service is Not Set | Low
Ensure Log-out-on-disconnect is Set for Console | Low
Ensure Autoinstallation is Set to Disabled | Low
Ensure Hostname is Not Set to Device Make or Model | Low
Ensure Password is Set for PIC-Console-Authentication | Low
CIS Benchmark for Palo Alto 9
The requirements below were derived from the CIS Palo Alto Firewall 9 Benchmark v1.0.0 – 03-23-2020.
Requirement | Risk Severity
Ensure ‘Idle timeout’ is less than or equal to 10 minutes for device management | Low
Ensure ‘Login Banner’ is set | Low
Ensure ‘Minimum Length’ is greater than or equal to 12 | Low
Ensure ‘Minimum Lowercase Letters’ is greater than or equal to 1 | Low
Ensure ‘Minimum Numeric Letters’ is greater than or equal to 1 | Low
Ensure ‘Minimum Password Complexity’ is enabled | Low
Ensure ‘Minimum Special Characters’ is greater than or equal to 1 | Low
Ensure ‘Minimum Uppercase Letters’ is greater than or equal to 1 | Low
Ensure ‘New Password Differs By Characters’ is greater than or equal to 3 | Low
Ensure ‘Permitted IP Addresses’ is set for all management profiles where SSH, HTTPS, or SNMP is enabled | Low
Ensure ‘Permitted IP Addresses’ is set to those necessary for device management | Low
Ensure ‘Prevent Password Reuse Limit’ is set to 24 or more passwords | Low
Ensure ‘Required Password Change Period’ is less than or equal to 90 days | Low
Ensure ‘Service setting of ANY’ in a security policy allowing traffic does not exist | Low
Ensure HTTP and Telnet options are disabled for all management profiles | Low
Ensure HTTP and Telnet options are disabled for the management interface | Low
Ensure System Logging to a Remote Host | Low
Ensure alerts are enabled for malicious files detected by WildFire | Low
Ensure redundant NTP servers are configured appropriately | Low
Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones | Low
Ensure that a Zone Protection Profile with tuned Flood Protection settings enabled for all flood types is attached to all untrusted zones | Low
Ensure that the Certificate used for Decryption is Trusted | Low
Ensure valid certificate is set for browser-based administrator interface | Low
Syslog logging should be configured | Low
Risks Walkthrough
To better understand how to use the policy manager, let’s walk through an example using Risks & Warnings Policies and Requirements.
In the above image we can see the policy manager window open. The Risks & Warnings Policies tab has been selected. Below there is a dropdown that contains all the default policies available. The Default Access Rule Risk Policy has been selected.
Policy Details
When a Policy is selected we see its details on the right side of the window. Risks & Warnings Policies are device-specific and it is on this page where we can change what devices the policy applies to. If we change whether or not the Policy is enabled, or the devices included, the Policy will run on next data import or by resetting and rerunning all risk policies. Resetting and rerunning will clear all existing risks and run all the enabled Requirements within that Policy.
Requirement Details
On the left hand side, below our chosen Policy, we can see the Requirements that are included in this Policy and an icon indicating whether or not they are enabled.
In the above image we can see the information for a default Requirement, “Any Service Open”. Looking at the details for this requirement we can see its name, its description, and the logic used to trigger the Risk alert message. This requirement is an example of compound logic: the risk only triggers if all three conditions are met. Each condition has four elements.
Requirement Conditions
Apply To: The Table_Column that the logic test is applied to.
Apply When: Whether the string must be found or not found.
String: What the requirement is looking for in the specified Table_Column.
Operator: Used to build compound logic with and/or.
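To make the four condition elements concrete, here is an added example (not NP-View's own code) that evaluates requirement conditions over a few constructed access rules the way the “Any Service Open” requirement does. The column names, the left-to-right evaluation of the and/or operator, the criticality and the alert text are assumptions for illustration; the conditions themselves follow the three tests described above (rule enabled, action not deny/drop, service ‘any to any’).

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    apply_to: str              # Apply To: the table column the test runs against
    apply_when: str            # Apply When: "found" or "not found"
    strings: tuple[str, ...]   # String(s) searched for (case-insensitive substring match, assumed)
    operator: str = "and"      # Operator joining this condition with the next one


@dataclass(frozen=True)
class Requirement:
    name: str
    criticality: str
    message: str
    conditions: tuple[Condition, ...]


def condition_matches(cond: Condition, row: dict) -> bool:
    """One element test: is any of the strings present in the chosen column?"""
    value = str(row.get(cond.apply_to, "")).lower()
    found = any(s.lower() in value for s in cond.strings)
    return found if cond.apply_when == "found" else not found


def requirement_matches(req: Requirement, row: dict) -> bool:
    """Compound logic, evaluated left to right (assumption: no precedence between and/or)."""
    conds = req.conditions
    result = condition_matches(conds[0], row)
    for prev, cond in zip(conds, conds[1:]):
        current = condition_matches(cond, row)
        result = (result and current) if prev.operator == "and" else (result or current)
    return result


def run_requirement(req: Requirement, rules: list[dict]) -> list[dict]:
    """Produce one Risks & Warnings style entry per access rule that meets the requirement."""
    return [
        {"device": r["device"], "rule": r["name"], "criticality": req.criticality,
         "description": f"{req.name}: {req.message}"}
        for r in rules if requirement_matches(req, r)
    ]


# "Any Service Open": the rule is enabled, is not a deny/drop, and its service is
# 'any to any'. All three conditions must hold (joined with "and").
ANY_SERVICE_OPEN = Requirement(
    name="Any Service Open",
    criticality="High",          # assumed value for the example
    message="enabled permit rule allows any service",
    conditions=(
        Condition("enabled", "found", ("true",), "and"),
        Condition("action", "not found", ("deny", "drop"), "and"),
        Condition("service", "found", ("any to any",)),
    ),
)

# Constructed access rules (not taken from a real device).
RULES = [
    {"device": "fw1", "name": "allow-any",    "enabled": True,  "action": "permit", "service": "any to any"},
    {"device": "fw1", "name": "deny-any",     "enabled": True,  "action": "deny",   "service": "any to any"},
    {"device": "fw1", "name": "ping-ok",      "enabled": True,  "action": "permit", "service": "ICMP"},
    {"device": "fw1", "name": "disabled-any", "enabled": False, "action": "permit", "service": "any to any"},
]

if __name__ == "__main__":
    for alert in run_requirement(ANY_SERVICE_OPEN, RULES):
        print(alert)   # only "allow-any" meets all three conditions
```

Only the first rule satisfies every condition: the deny rule fails the action test, the ICMP rule fails the service test, and the disabled rule fails the enabled test. Swapping an operator to “or” turns the requirement into a much broader net, which is why the operator column deserves a second look when you author your own requirements.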
Risks & Warnings Output
When a risk requirement is met, a risk alert will be generated and posted to the Risks & Warnings table as shown below:
The Access Rules table report will also display the highest criticality risk for each access rule as shown below:
Now that we know where the text comes from – let’s find out where the coloring comes from.
Table Highlighting Walkthrough
Table Highlighting Policies and Requirements work in almost the same way as Risks & Warnings, with a few key differences. The main difference is that a Table Highlighting requirement formats cells and text instead of producing an alert message.
Access rules Default Policies and Requirements
Rule Name | Text Match | Action
Action – Allow or Permit or Accept or Trust | Action = Allow or Permit or Accept or Trust | ‘Action’ cell = None, Text = Green
Action – Deny or Drop | Action = Deny or Drop | ‘Action’ cell = None, Text = Red
Binding (ACL) – Any | ACL = Any and Action = not (deny, drop, false, ignored) | ‘Action’ cell = None, Text = Red
Destination – Any | Destination = any and Action = not (deny, drop, false, ignored) | ‘Destination’ cell = None, Text = Red
Destination Binding – Any | Dst Binding = any and Action = not (deny, drop, false, ignored) | ‘Dst Binding’ cell = None, Text = Red
Enabled – True | Enabled = True | ‘Enabled’ cell = None, Text = Green
Enabled – False | Enabled = False | ‘Enabled’ cell = None, Text = Red
Enabled – Not Analyzed | Enabled = Ignored | ‘Enabled’ cell = None, Text = Gray
Risk – High | Risk Criticality = High | ‘Risk’ cell = White, Text = Red
Risk – Medium | Risk Criticality = Medium | ‘Risk’ cell = White, Text = Yellow
Risk – Low | Risk Criticality = Low | ‘Risk’ cell = White, Text = Blue
Risk – None | Risk Criticality = not (High, Medium, Low) | ‘Risk’ cell = None, Text = Gray
Risk Criticality – High | Risk Criticality = High | ‘Risk Criticality’ cell = Red, Text = White
Risk Criticality – Medium | Risk Criticality = Medium | ‘Risk Criticality’ cell = Yellow, Text = Black
Risk Criticality – Low | Risk Criticality = Low | ‘Risk Criticality’ cell = Blue, Text = White
Risk Criticality – N/A | Risk Criticality = not (High, Medium, Low) | ‘Risk Criticality’ cell = None, Text = Gray
Service – Any | Enabled = true, Action = not (deny, drop), Service = ‘any to any’ and not (Ping, ICMP) | ‘Source’ cell = None, Text = Red
Source – Any | Source = Any, Action not (deny, drop), Enabled = not (true, ignored) | ‘Source’ cell = None, Text = Red
Source Binding – Any | Src Binding = Any, Action not (deny, drop), Enabled = not (true, ignored) | ‘Src Binding’ cell = None, Text = Red
Connectivity Paths (Interactive Service Ports)
Rule Name | Text Match | Action
Apple Remote Desktop (ARD) | Port = 3283 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow
Database Clients (Microsoft SQL) | Port = 1433 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow
Database Clients (MySQL) | Port = 3306 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow
Database Clients (Oracle SQL) | Port = 1521 : 1525 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow
Database Clients (PostgreSQL) | Port = 5432 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow
File Explorer (NFS) | Port = 2049 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow
File Explorer (SMB) | Port = 445 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow
File Transfer Protocol (FTP) | Port = 20 : 21 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow
MIB Browser (SNMP) | Port = 161 : 162 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow
Microsoft Endpoint Mapper (EPMAP) | Port = 135 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow
Remote Desktop (RDP) | Port = 3389 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow
Secure Shell (SSH) | Port = 22 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow
Team Viewer Client | Port = 5938 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow
Terminal Emulator (Telnet) | Port = 23 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow
Trivial File Transfer Protocol (TFTP) | Port = 69 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow
UNIX r-commands (rlogin, rcp, rsh) | Port = 512 : 514 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow
Virtual Network Computing (VNC) | Port = 5900 : 5901 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow
Web Browser (HTTP, HTTPS) | Port = 80, 443, 8000, 8080 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow
Windows Remote Management Service (WinRM-HTTP) | Port = 5985 : 5986 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow
X-Server | Port = 6000 : 6063 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow
Any | Port = Any | ‘Port’ cell = None, Text = Red; ‘Protocol’ cell = None, Text = Red
Policy Details
On the default Policy page for Table Highlighting we can see that these Policies do not require device selection.
Requirement Details
Selecting a default Requirement for this Policy shows us the requirement details.
For a Table Highlight requirement there are a few more options that are used to target the logic for the action. First, we choose the target Table and Column that will receive the Highlighting Action. Then we choose the table and column where we want the logic to run.
Requirement Conditions
Compliance Type: Table Highlighting requirements can be set to run only on certain compliance frameworks.
Table: The target table that the highlighting will be applied to if the logic matches.
Column: The target column within the previously chosen target table that the highlighting will be applied to if the logic matches.
When String: The string the requirement is searching for.
Is: Found or not found.
In Column: The Table_Column in which the requirement searches for the designated string.
Operator: And/or, for building compound logic.
Highlighting Action: If the conditions of the logic are met, how the cell and the text will be colored.
Highlighting Output
When the modal report is opened that contains a highlight policy, the rules will be automatically applied and the table highlighted accordingly.
Risk Alert Reset
Sometimes there may be a reason to reset the risk alerts. For this, Administrators or Workspace Admins have access to a reset function on the Risks & Warnings Policies Overview page. This action resets all Risks and Warnings information for the workspace; afterwards, all enabled risk policies and requirements for the workspace are rerun.
Because Policies are rerun after the reset, at least one policy must be enabled at the time of the reset. Only Risks and Warnings data is affected.
This article will focus on the Risks & Warnings Report.
NP-View uses reports to present network information related to the open workspace. These reports are available to all users and can be accessed from the main menu. For more information visit the Workspace Reports Overview article.
Accessing the Table
The Risks & Warnings Report can be accessed in two ways, each presenting a different data set.
From the main menu: all Risks & Warnings for all devices in the current view.
From the topology: only the Risks & Warnings for the selected device in the current view. Click a firewall, router or switch; its info panel opens, and Risks or Warnings can be selected from the Data for this Device section.
*From the main menu
*From the info panel
What are Risks & Warnings?
Risks and Warnings are messages generated by the default Policies and Requirements in NP-View. These messages are a way of automatically detecting and notifying users of risky or problematic situations on your network. They look for certain criteria and, when the criteria are found, trigger the designated alert. Policies and Requirements are located in the Policy Manager (accessed from the main menu).
NP-View provides sets of default Policies and Requirements that are automatically assigned to all devices when they are imported, and run when network device configuration changes are identified.
Understanding Risks & Warnings Messages
When a potential risk or warning is identified, it is logged in the Risks and Warnings report with a date and time stamp and a Status (New, Confirmed, Resolved, False Positive, Will Not Fix or Fixed). Status definitions are below.
Risk Triage, Status, and Life Cycle
For new risks or warnings, users are expected to
Review each item
Determine if the issue needs to be addressed
Then manually change the status accordingly. To change the status, double click on the status bean, change the status and click the save button.
Status Definitions:
new: new risk or warning identified in the most recent data load.
confirmed: risks or warnings acknowledged by the user as a valid problem to address.
resolved: risks or warnings closed by the user because the problem has been addressed.
false positive: risks or warnings closed by the user because they are not a valid problem to address.
will not fix: risks or warnings closed by the user because it was decided not to address them.
fixed: risks or warnings that are no longer identified after a subsequent data update; this status is set by the system, not by the user.
Upon subsequent data updates, the system adjusts the status where required. For example:
If the user marks a risk as Resolved and the risk is still identified on the next network update, the status is automatically changed back to Confirmed.
If the risk is no longer identified on the next update, the status is changed to Fixed. Fixed items are removed from the list after 7 days.
Commenting on Rules from Risks & Warnings Table
New in NP-View 5.0, the Risks table connects Risks and Warnings directly with the applicable Access Rule. Not only can the status of the Risk be updated, but a comment or justification can be left on the associated rule without ever leaving the Risks & Warnings table.
1. Open the Risks & Warnings table
2. Navigate to the Risk or Warning of your choice
3. In the “Description” column click the plus sign and open the popover for the full description
4. Click the link that says see rule
5. A filtered rules table displaying the relevant rule will open at the bottom of the window for you to investigate and/or make comments on
Risks & Warnings Columns
Time: (RISKWARNING_TIMESTAMP) Date and Time the potential risk was identified and logged.
Type: (RISKWARNING_TYPE) Risk or Warning.
Criticality: (RISKWARNING_CRITICALITY) High, Medium or Low as defined by the identifying policy and requirements.
Workspace: (RISKWARNING_WORKSPACE) Name of the workspace containing the potential risk or warning.
Device: (RISKWARNING_DEVICE) Name of the device containing the potential risk or warning.
Description: (RISKWARNING_DESCRIPTION) Description of the potential risk or warning from the policy manager
Status: (RISKWARNING_STATUS) Current status as defined above.
The Rule Usage feature helps network admins identify rules for potential elimination due to lack of use. This feature only applies to Palo Alto NGFW (not Panorama). Rule Usage Analysis (aka Hit Count) requests additional Access Rule usage information from firewalls using the connector. When setting up a new connector, the user will have the ability to enable the extraction of rule usage information:
Note that existing connectors will not be affected and cannot be edited to enable hit count data retrieval.
From the NGFW, we extract four values for each access rule:
First Hit – Timestamp of first rule usage
Last Hit – Timestamp of last rule usage
Hits Updated – Timestamp of last data refresh
Hits – Usage count
The information is presented as additional columns in the Access Rules Table. The four columns are disabled by default and will need to be enabled by the user using the menu at the top right.
Once enabled, the hit count data will be displayed in the Access rules table:
NP-View can import auxiliary data from third party systems to enrich and augment analysis. The data files listed below are supported and can be imported manually using drag and drop or through a shared network drive connector. We recommend importing configuration files first, or at the same time as the auxiliary data files; otherwise a system error may occur. If auxiliary data is imported after the configuration files have been processed, it must be added to a new or existing custom view before it is displayed.
Host Files
Hosts can be identified from multiple sources including configuration files, network scan files, ARP tables, and hostname files. Once network device configuration files have been imported, one can import additional files to add metadata to the workspace. A hostname file is a simple text file with two columns, IP address and hostname, separated by a tab.
Aux Data Loading Example
Note: This example applies to the loading of any Aux data file but is specific to creating and loading a host file.
First, load a firewall into a workspace and create a custom view with the firewall.
Notice that four hosts are not named. To fix this, create a host file, named hosts.txt, to enrich the information.
The host file will add a name tied to each of the hosts and also includes hosts not currently displayed.
Let's use:
172.30.90.50	Alice
172.30.90.51	Bob
172.30.90.42	Wendy
172.30.91.80	Sam
172.30.91.81	Carl
Note: Make sure any hosts added to the file do not conflict with firewall interfaces or they will be merged into the firewall.
Save the host file, and import it into the workspace.
Once processed, proceed to the “Manage Views” menu and select a new or existing view to add Auxiliary data to.
Below the Select Devices box, is the Auxiliary Data box.
Choose any of the Auxiliary Data files you've added previously. (This image is not reflective of the example but to illustrate that users may select several Aux files).
For our example a user would see a single file called hosts.txt that would contain the names we've added.
Once the the view is created the updated assets will be displayed on the topology and in the Asset Inventory (on the main menu).
To see how the previous example can be used as a repeatable process let's update those names again, with corrections.
First, update the Host file again. In this scenario, we rename “Carl” to “Carly” and “Sam” to “Sammy”. The updated file is as follows:
172.30.90.50	Alice
172.30.90.51	Bob
172.30.90.42	Wendy
172.30.91.80	Sammy
172.30.91.81	Carly
Load the file into the workspace and the custom views where auxiliary data has been applied. This will update the workspace.
Note: Host data can come from multiple sources, also hosts can appear and disappear from the network. Host data is treated as replacement data for adding and deleting hosts over time.
Note: If for some reason a device has multiple names retrieved from multiple different file types, the additional names will be displayed in the Alias column of the Asset Inventory.
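The two notes above carry the practical pitfalls of host files: an address that collides with a firewall interface is merged into the firewall, and a re-imported file replaces rather than appends. The following added example (not NP-View's own code) validates a hosts.txt before import, flags interface collisions, and shows what a second import changes. The host entries are the ones from the walkthrough; the firewall interface addresses are an assumption, to be taken from the device's interfaces in NP-View.

```python
from __future__ import annotations
import ipaddress

# Constructed inputs: the walkthrough's hosts.txt (tab-separated) and its corrected version.
HOSTS_V1 = (
    "172.30.90.50\tAlice\n"
    "172.30.90.51\tBob\n"
    "172.30.90.42\tWendy\n"
    "172.30.91.80\tSam\n"
    "172.30.91.81\tCarl\n"
)
HOSTS_V2 = HOSTS_V1.replace("\tSam\n", "\tSammy\n").replace("\tCarl\n", "\tCarly\n")
# Assumed firewall interface addresses (hypothetical values).
FIREWALL_INTERFACE_IPS = {"172.30.90.1", "172.30.91.1"}


def parse_hosts_file(text: str) -> tuple[dict[str, str], list[str]]:
    """Parse 'IP<TAB>hostname' lines into {ip: name}; problems are reported, not raised."""
    entries: dict[str, str] = {}
    problems: list[str] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The documented separator is a tab; spaces are tolerated here, and
        # render_hosts_file() writes the file back tab-separated.
        parts = line.split("\t") if "\t" in line else line.split()
        if len(parts) != 2 or not parts[1].strip():
            problems.append(f"line {n}: expected 'IP<TAB>hostname', got {raw!r}")
            continue
        ip, name = parts[0].strip(), parts[1].strip()
        try:
            addr = str(ipaddress.ip_address(ip))   # normalises and rejects bad octets
        except ValueError:
            problems.append(f"line {n}: {ip!r} is not a valid IP address")
            continue
        if addr in entries:
            problems.append(f"line {n}: {addr} listed twice ({entries[addr]!r} and {name!r})")
            continue
        entries[addr] = name
    return entries, problems


def interface_conflicts(entries: dict[str, str], interface_ips: set[str]) -> list[str]:
    """Hosts whose address is a firewall interface would be merged into the firewall."""
    return sorted(ip for ip in entries if ip in interface_ips)


def diff_hosts(current: dict[str, str], update: dict[str, str]):
    """Host data is replacement data: what a re-import adds, renames and removes."""
    added = {ip: n for ip, n in update.items() if ip not in current}
    removed = {ip: n for ip, n in current.items() if ip not in update}
    renamed = {ip: (current[ip], update[ip])
               for ip in current if ip in update and current[ip] != update[ip]}
    return added, renamed, removed


def render_hosts_file(entries: dict[str, str]) -> str:
    """Write the entries back in the documented tab-separated layout."""
    return "".join(f"{ip}\t{name}\n" for ip, name in entries.items())


if __name__ == "__main__":
    v1, problems = parse_hosts_file(HOSTS_V1)
    print("problems:", problems)
    print("interface conflicts:", interface_conflicts(v1, FIREWALL_INTERFACE_IPS))
    v2, _ = parse_hosts_file(HOSTS_V2)
    print("added/renamed/removed on re-import:", diff_hosts(v1, v2))
```

Run the conflict check against the real interface addresses of every firewall in the workspace, not just the one the hosts sit behind; a host that matches any interface anywhere is merged. The diff is also a cheap audit record of what a re-import changed, since the workspace keeps only the latest host data.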
Network and Vulnerability Scanner Files
The output from network and vulnerability scanners can be imported into a workspace to add CVE information, hosts, attributes, and port information to the topology map. We support version 1.0 (<?xml version="1.0" ?>) of the below scanners:
When exporting the report, save it in XML format so that it imports properly into NP-View. The data extracted and imported depends on the scanner used and on the data available on the network. Below is the list of data NP-View attempts to import.
hostnames
addresses
interfaces
local interface IPs
local interface names
mac
domains
parent
operating systems
vlan
Multi-Home Host Files
Multi-Home hosts are endpoints that have multiple network interfaces. If NP-View identifies hosts with multiple interfaces, the host will be duplicated on the topology with each IP address. For example, the host called 'dual-homed' can be seen three times on the map below.
To resolve this, a 'multi_home_host.txt' file can be manually generated and loaded into NP-View as auxiliary data.
The file must be named 'multi_home_host.txt' and be of the following format:
192.168.135.115 dual-homed
192.168.135.114 dual-homed
192.168.135.113 dual-homed
Where the first field is the IP address and the second field is the name of the host.
When importing the 'multi_home_host.txt' and adding it to a view, the hosts will be connected as follows:
Note: The file can also be named *_multi_home_host.txt, where * is any prefix preceding multi_home_host.txt.
For example:
tuesday_multi_home_host.txt
web_server_multi_home_host.txt
the_big_kahuna_multi_home_host.txt
Address Resolution Protocol (ARP)
ARP files can be used to add hosts as well as MAC addresses for the hosts. The following formats are supported:
Cisco
Use the command show arp to export the ARP table. The file format will be as follows:
<hostname># show arp
outside 10.0.0.100 d867.da11.00c1 2
inside 192.168.1.10 000c.295b.5aa2 21
inside 192.168.1.12 000c.2933.561c 36
inside 192.168.1.14 000c.2ee0.2b81 97
Cisco ARP Example
Using the data set from the Hosts example, a simple ARP table has been created in the Cisco format.
Distribution# show arp
inside 172.30.90.50 d867.da11.00c1 2
inside 172.30.90.51 000c.295b.5aa2 21
inside 172.30.90.42 000c.2933.561c 36
inside 172.30.91.80 000c.2ee0.2b81 97
inside 172.30.91.81 000c.2ecc.2b82 95
Distribution#
Loading this data into NP-View will add the MAC addresses to each host which is visible in Asset inventory.
Windows
Use arp -a > arp_table.txt to export the ARP table. The file format will be:
Interface: 192.168.86.29 --- 0x6
Internet Address Physical Address Type
192.168.86.1 88-3d-24-76-49-f2 dynamic
192.168.86.25 50-dc-e7-4b-13-40 dynamic
192.168.86.31 1c-fe-2b-30-78-e5 dynamic
192.168.86.33 8c-04-ba-8c-dc-4d dynamic
Linux
Use arp -a > arp_table.txt to export the ARP table. The file format will be:
? (172.18.0.3) at 02:42:ac:12:00:03 [ether] on br-d497989bc64d
? (192.168.135.200) at 00:0c:29:f6:47:bb [ether] on ens160
? (172.17.0.2) at <incomplete> on docker0
? (192.168.135.178) at 00:0c:29:f3:e2:6b [ether] on ens160
Palo Alto
Use show arp all to export the ARP table. The file format will be:
maximum of entries supported : 2500
default timeout: 1800 seconds
total ARP entries in table : 3
total ARP entries shown : 3
status: s - static, c - complete, e - expiring, i - incomplete
ethernet1/1 192.0.2.10 00:0c:29:ac:30:19 ethernet1/1 c 295
ethernet1/2 198.51.100.10 00:0c:29:d7:67:09 ethernet1/2 c 1776
ethernet1/3 203.0.113.10 00:0c:29:b9:19:c9 ethernet1/3 c 1791
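Before feeding ARP exports from several platforms into a workspace it helps to see what NP-View is going to extract from them. The following added example (not NP-View's own parser) recognises the four formats shown above line by line, normalises the MAC addresses to one notation, and reports an IP that appears with two different MACs, which is worth a look before it lands in Asset Inventory (a stale table or ARP spoofing). The sample exports are constructed from the examples above; the Cisco pattern follows the ASA-style show arp layout shown here, not the IOS layout.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample exports, one per supported format (values from the examples above).
CISCO_ARP = """Distribution# show arp
inside 172.30.90.50 d867.da11.00c1 2
inside 172.30.90.51 000c.295b.5aa2 21
Distribution#
"""
WINDOWS_ARP = """Interface: 192.168.86.29 --- 0x6
  Internet Address      Physical Address      Type
  192.168.86.1          88-3d-24-76-49-f2     dynamic
  192.168.86.25         50-dc-e7-4b-13-40     dynamic
"""
LINUX_ARP = """? (172.18.0.3) at 02:42:ac:12:00:03 [ether] on br-d497989bc64d
? (172.17.0.2) at <incomplete> on docker0
? (192.168.135.178) at 00:0c:29:f3:e2:6b [ether] on ens160
"""
PALO_ARP = """maximum of entries supported : 2500
default timeout: 1800 seconds
total ARP entries in table : 3
total ARP entries shown : 3
status: s - static, c - complete, e - expiring, i - incomplete
ethernet1/1 192.0.2.10 00:0c:29:ac:30:19 ethernet1/1 c 295
ethernet1/2 198.51.100.10 00:0c:29:d7:67:09 ethernet1/2 c 1776
"""


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str          # normalised to aa:bb:cc:dd:ee:ff
    interface: str    # interface/zone the entry was learned on ("" if unknown)


IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Cisco ASA "show arp": <interface> <ip> <hhhh.hhhh.hhhh> <age>
RE_CISCO = re.compile(rf"^(\S+)\s+{IPV4}\s+([0-9a-f]{{4}}\.[0-9a-f]{{4}}\.[0-9a-f]{{4}})\s+\S+\s*$", re.I)
# Windows "arp -a": entries are listed under the local interface they were learned on
RE_WIN_IF = re.compile(rf"^Interface:\s+{IPV4}\s+---")
RE_WIN = re.compile(rf"^\s*{IPV4}\s+([0-9a-f]{{2}}(?:-[0-9a-f]{{2}}){{5}})\s+(?:dynamic|static)\b", re.I)
# Linux "arp -a": ? (ip) at mac [ether] on iface, or "<incomplete>" for unresolved neighbours
RE_LINUX = re.compile(
    rf"^\S+\s+\({IPV4}\)\s+at\s+(<incomplete>|[0-9a-f]{{2}}(?::[0-9a-f]{{2}}){{5}})(?:\s+\[\w+\])?\s+on\s+(\S+)", re.I)
# PAN-OS "show arp all": <iface> <ip> <mac> <port> <status s/c/e/i> <ttl>
RE_PALO = re.compile(rf"^(\S+)\s+{IPV4}\s+([0-9a-f]{{2}}(?::[0-9a-f]{{2}}){{5}})\s+\S+\s+([scei])\s+\d+", re.I)


def normalize_mac(raw: str) -> str:
    """Accept d867.da11.00c1, 88-3d-24-76-49-f2 or 00:0c:29:ac:30:19; emit colon form."""
    digits = re.sub(r"[^0-9a-f]", "", raw.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text: str) -> list[ArpEntry]:
    """Auto-detect the format of each line; headers and prompts simply do not match."""
    entries: list[ArpEntry] = []
    win_iface = ""
    for line in text.splitlines():
        if m := RE_WIN_IF.match(line):
            win_iface = m.group(1)
        elif m := RE_CISCO.match(line):
            entries.append(ArpEntry(m.group(2), normalize_mac(m.group(3)), m.group(1)))
        elif m := RE_WIN.match(line):
            entries.append(ArpEntry(m.group(1), normalize_mac(m.group(2)), win_iface))
        elif m := RE_LINUX.match(line):
            if m.group(2).lower() != "<incomplete>":      # unresolved: no MAC to attach
                entries.append(ArpEntry(m.group(1), normalize_mac(m.group(2)), m.group(3)))
        elif m := RE_PALO.match(line):
            if m.group(4).lower() != "i":                 # skip incomplete entries
                entries.append(ArpEntry(m.group(2), normalize_mac(m.group(3)), m.group(1)))
    return entries


def mac_by_ip(entries: list[ArpEntry]) -> tuple[dict[str, str], list[tuple[str, str, str]]]:
    """One MAC per IP (first wins); a second, different MAC for the same IP is reported."""
    result: dict[str, str] = {}
    conflicts: list[tuple[str, str, str]] = []
    for e in entries:
        prev = result.get(e.ip)
        if prev is None:
            result[e.ip] = e.mac
        elif prev != e.mac:
            conflicts.append((e.ip, prev, e.mac))
    return result, conflicts


if __name__ == "__main__":
    table, conflicts = mac_by_ip(parse_arp(CISCO_ARP + WINDOWS_ARP + LINUX_ARP + PALO_ARP))
    for ip, mac in table.items():
        print(f"{ip:16} {mac}")
    print("conflicts:", conflicts)
```

Because detection is per line, exports from different platforms can be concatenated into one file and parsed in one pass. Incomplete entries carry no MAC and are dropped rather than imported as hosts.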
Route Tables
Route files are a special case in that they provide ruleset-specific enrichment data whereas the other auxiliary files listed above provide topology-specific enrichment data.
Route table – Cisco
The output of the command show route on Cisco devices can be imported into NP-View with the associated configuration files. For VRFs, use the command show ip route vrf *. Cisco route files are handled a bit differently from the rest of the aux data: they are integrated upon import and are not treated as aux data when creating a view. The naming of the route files is not important as long as each name is unique. The first row of the route file contains the <device name># command line, which links the route table with the correct device.
PCAP
In v6.0 and later, PCAP and PCAPng files can be used to enrich the topology map. NP-View adds endpoints with IPs, MAC addresses and services to the topology map within a view. The maximum PCAP size is 200 MB per file.
The linked .html file runs a self-contained config file sanitizer in a standard web browser. The configuration sanitizer changes the IP addresses within the file to mask them. The sanitizer keeps the masked IP addresses consistent with each other so that we can still properly test the file in the test lab. Please do not manually change the file after running it through the sanitizer. To use the sanitizer, click the link below to run it in your browser.
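The property that matters in a sanitizer is consistency: the same original address must always produce the same masked address, and addresses that shared a subnet should still share one, or the rule base no longer analyses the way it did. The following added example is not the sanitizer linked above; it is a stand-alone illustration of that property. It maps every distinct original /24 to a distinct prefix under 10.0.0.0/8, keeps the host octet, and leaves netmasks and wildcard masks untouched. The sample configuration lines are constructed, and the choice of 10.0.0.0/8 as the output range is an assumption.

```python
from __future__ import annotations
import re

IPV4 = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")


def _is_mask(octets: list[int]) -> bool:
    """True for netmasks (1...10...0) and Cisco wildcard masks (0...01...1); those are kept."""
    v = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    inv = ~v & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0 or (v & (v + 1)) == 0


class IpMasker:
    """Consistent IPv4 masking for configuration files.

    Each distinct original /24 gets its own prefix under 10.0.0.0/8 and the host
    octet is preserved, so one address always becomes the same masked address and
    hosts that shared a subnet still do. The prefix map stays with the analyst;
    only the masked text leaves the site.
    """

    def __init__(self) -> None:
        self._prefix_map: dict[str, str] = {}

    def _masked_prefix(self, prefix: str) -> str:
        if prefix not in self._prefix_map:
            n = len(self._prefix_map)
            if n >= 65536:
                raise ValueError("more than 65536 distinct /24 prefixes; extend the output range")
            self._prefix_map[prefix] = f"10.{n // 256}.{n % 256}"
        return self._prefix_map[prefix]

    def mask(self, text: str) -> str:
        def replace(m: re.Match) -> str:
            octets = [int(o) for o in m.groups()]
            if max(octets) > 255 or _is_mask(octets):
                return m.group(0)          # not an address, or a mask: keep verbatim
            prefix = ".".join(str(o) for o in octets[:3])
            return f"{self._masked_prefix(prefix)}.{octets[3]}"
        return IPV4.sub(replace, text)

    def mapping(self) -> dict[str, str]:
        """Original /24 -> masked /24, for translating lab findings back to the real network."""
        return dict(self._prefix_map)


# Constructed ASA-style fragment (not a real configuration).
SAMPLE_CONFIG = """interface inside
 ip address 192.168.1.1 255.255.255.0
access-list OUT permit tcp host 192.168.1.20 host 203.0.113.7 eq 443
access-list IN permit ip 192.168.1.0 0.0.0.255 any
"""

if __name__ == "__main__":
    masker = IpMasker()
    print(masker.mask(SAMPLE_CONFIG))
    print("keep this offline:", masker.mapping())
```

Run a whole device (or a whole workspace's worth of files) through one IpMasker instance; a fresh instance restarts the numbering and breaks consistency between files. Any dotted quad that is not a mask is treated as an address, so version strings such as 9.1.3.0 are masked too, and IPv6 is not handled at all; check the output before sending it.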
Below are the currently known issues in NP-View along with the available workarounds. These issues will be addressed as part of the upcoming release. If you are experiencing an issue not covered in this document, please contact Technical Support at: support@network-perception.com.
1. Typing into a field in NP-View Desktop doesn’t register any text
Reset window focus (This may not always work)
Alt+Tab out of the application
Alt+Tab back into the application
Login to NP-View Desktop via web browser
Open a web browser (Chrome/Edge) with NP-View still running
Type “localhost:8080” in the address bar to load NP-View in a browser window
NP-View is licensed on an annual basis. The cost of the license depends on the number of configuration files imported from primary network devices (firewalls, routers, and switches).
How Licensing Works
When importing devices (manually or automated), a reminder notice is provided stating: “Importing new devices requires available licenses. Devices are activated in the order they are imported. If the total license count is exceeded, importing of additional unlicensed devices will be prohibited.”
To determine the available number of devices licenses, see the summary at the bottom of Licenses and Terms.
Supported Devices and Connectors
The knowledge base contains a list of actively supported devices (link) and connectors (link). These lists change over time as manufacturers end support for devices and as we add support for new devices. These lists are referred to in our terms of service and define what is in scope of the NP-View license agreement. Network Perception reserves the right to alter these lists at any time without customer notice.
When Device Licenses are Activated
Device licenses are activated when a device is first imported. When the device limit is reached, import of additional devices (manual or automated) will be prohibited and a message will be issued in the help center and system logs.
Device licensing is permanent. Once a license is allocated to a device it cannot be re-assigned to another device.
Palo Alto NGFW and Virtual Systems (VSYS)
Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple physical firewalls, IT departments can use a single firewall and enable virtual systems on them to independently separate traffic.
The default is vsys1. You cannot delete vsys1 because it is relevant to the internal hierarchy on the firewall; vsys1 appears even on firewall models that don’t support multiple virtual systems.
When using multiple virtual systems, if a configured vsys has an interface with access rules, NP-View will represent the vsys as a separate firewall and a device license is allocated. If a vsys has no interfaces or access rules and is used only for object management then NP-View does not display the firewall and it requires no license.
FortiGate and Virtual Domains (VDOM)
Virtual Domains (VDOMs) are used to divide a FortiGate into two or more virtual units that function independently. VDOMs can provide separate security policies and, in NAT mode, completely separate configurations for routing and VPN services for each connected network. If a VDOM has no interfaces or access rules and is used only for object management then NP-View does not display the firewall and it requires no license.
Hiding Devices
If a device is no longer required in any workspace, the Administrator can hide the device from all workspaces by unchecking the “Visible in Workspace” check box and selecting the “Submit” button.
The licensed device will remain in “License and Terms” and be displayed as follows:
The data is not deleted from the workspaces. If the Administrator wishes to restore the device to all workspaces, they can by importing new data for the device or by rechecking the checkbox and clicking “Submit”.
Note: NP provided demo devices in the demo workspace are excluded from display in the license manager and device counts.
User Deleted Devices
If the user deletes a device from all workspaces, the device still remains licensed but as it has no system association will not be displayed in License and Terms. The device can be restored in the future by importing new data for the device into any workspace.
Expired Licenses
When the license expires, workspaces for all users will be disabled along with manual data imports. A message will be displayed stating that the license has expired and to contact sales to renew. Connectors will continue to collect data and deliver the updates to workspaces and demo workspaces will continue to function.
License Downgrade
If a customer downgrades their device count, the Administrator will need to select the devices to remain active after inputting the new license key. If the Administrator does not select the devices to remain, the system will allocate the devices in the order they are used. All remaining unlicensed devices will be removed from all workspaces.
Compliance Module Downgrade
If a customer downgrades their compliance module license, all workspaces associated with that module will be disabled. The user can manually delete these workspaces.
Existing Customer Upgrades
For existing customers upgrading from a previous version of software to version 3.1.0 or later, devices that are imported and active in the license manager (check box marked) will remain licensed. Devices that are unlicensed (check box unmarked) will be removed from all existing workspaces. If a customer needs to replace one or more devices, please contact support.
Auditors and NP Certification
Auditors and NP Certification members working project style engagements using NP-View Desktop are provided with a special feature to reset the system to its original state after an engagement so that no customer data is retained.
Adding a license to NP-View Desktop and NP-View Server
Step 4a: For New Installations, upon system installation, the Administrator will input the NP license key into the setup screen which will set the maximum limit on the number of devices that can be imported (manually or automated) into the system.
Step 4b: For existing customers, launch NP-View and select “License & terms” from the user menu (top right corner).
Then scroll down and select “Upgrade or renew your license” followed by “Input license manually”. You can then copy/paste the license JSON structure (including opening and closing curly brackets) into the text field area.
Note: the licensing function is available only to the Administrator role in NP-View Server, and the Administrator must log out and log in again for the license to take effect.
HA Device Licensing
NP-View Professional server supports the licensing of active/passive high availability (HA) groups for firewalls. HA Group definitions are only required if the device names of the primary and secondary devices are different. Once the active firewalls are loaded into NP-View, the HA definition file can be exported using Postman or a tool of your choice with:
GET /license/ha-groups?file-export=true and a file will be downloaded.
The file export will be a text file. Column 1 will be the HA Group name and will be initially empty. Column 2 will be the firewall name.
HA Group Name, Device Name
, asaDMZ-fw1
, asaUCCtoBA1
, asaUCCtoSub-A
, asaBA
, firewallSub
The administrator will then update the text file to add unique group names as well as the name of the passive firewall. The updated file can look as follows. Devices without group names will remain as individual firewalls.
HA Group Name, Device Name
A-Group, asaDMZ-fw1
A-Group, asaDMZ-fw2
B-Group, asaUCCtoBA1
B-Group, asaUCCtoBA2
C-Group, asaUCCtoSub-A
C-Group, asaUCCtoSub-B
, asaBA
, firewallSub
Once the file is updated, the file can be posted using postman or the tool of your choice:
POST /license/ha-groups
When new firewalls are added or groups need to be redefined, the above GET / POST process can be repeated.
HA Groups will share one device license. If firewalls are ungrouped and there are not enough free device licenses, the user will be asked to remove firewalls from NP-View that are to be unlicensed and deleted from the system.
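Editing the exported file by hand is error-prone when there are many pairs: a group name reused for a third device, a device listed twice, or a passive peer forgotten all change the license count. The following added example (not NP-View's own tooling) parses the export, fills in group names from a primary-to-passive pairing, validates the result before it is posted back, and computes the device licenses the file will consume. The export text mirrors the one above; the pairing and the generated group names are assumptions for the example.

```python
from __future__ import annotations
import csv
import io

# Constructed export as returned by GET /license/ha-groups?file-export=true (group column empty).
EXPORTED = """HA Group Name, Device Name
, asaDMZ-fw1
, asaUCCtoBA1
, asaUCCtoSub-A
, asaBA
, firewallSub
"""
# Assumed active -> passive device names.
PASSIVE_PEERS = {
    "asaDMZ-fw1": "asaDMZ-fw2",
    "asaUCCtoBA1": "asaUCCtoBA2",
    "asaUCCtoSub-A": "asaUCCtoSub-B",
}


def parse_ha_file(text: str) -> list[tuple[str, str]]:
    """Return [(group, device)], trimming the spaces the export puts around commas."""
    reader = csv.reader(io.StringIO(text))
    header = [h.strip() for h in next(reader)]
    if header != ["HA Group Name", "Device Name"]:
        raise ValueError(f"unexpected header: {header}")
    rows: list[tuple[str, str]] = []
    for n, row in enumerate(reader, 2):
        if not any(cell.strip() for cell in row):
            continue                                   # blank line
        if len(row) != 2:
            raise ValueError(f"line {n}: expected two columns, got {row}")
        rows.append((row[0].strip(), row[1].strip()))
    return rows


def assign_groups(rows: list[tuple[str, str]], peers: dict[str, str]) -> list[tuple[str, str]]:
    """Add the passive peer under a unique group name for each active device that has one."""
    out: list[tuple[str, str]] = []
    for group, device in rows:
        if device in peers:
            name = f"{device}-HA"                      # unique because device names are unique
            out.append((name, device))
            out.append((name, peers[device]))
        else:
            out.append((group, device))                # stays an individual firewall
    return out


def validate(rows: list[tuple[str, str]]) -> list[str]:
    """Each device once, each group exactly an active/passive pair."""
    problems: list[str] = []
    seen: set[str] = set()
    members: dict[str, list[str]] = {}
    for group, device in rows:
        if device in seen:
            problems.append(f"{device} listed twice")
        seen.add(device)
        if group:
            members.setdefault(group, []).append(device)
    for group, devices in members.items():
        if len(devices) != 2:
            problems.append(f"group {group} has {len(devices)} devices, expected an active/passive pair")
    return problems


def licenses_required(rows: list[tuple[str, str]]) -> int:
    """Grouped firewalls share one device license; ungrouped ones need one each."""
    groups = {group for group, _ in rows if group}
    ungrouped = sum(1 for group, _ in rows if not group)
    return len(groups) + ungrouped


def render_ha_file(rows: list[tuple[str, str]]) -> str:
    """Write the file back in the layout the POST /license/ha-groups call expects."""
    return "HA Group Name, Device Name\n" + "".join(f"{g}, {d}\n" for g, d in rows)


if __name__ == "__main__":
    grouped = assign_groups(parse_ha_file(EXPORTED), PASSIVE_PEERS)
    print(render_ha_file(grouped))
    print("problems:", validate(grouped))
    print("device licenses required:", licenses_required(grouped))
```

Five firewalls before grouping and eight after still consume five device licenses, because each pair shares one; validate() is the check to run before posting, since a group with a third member or a device that appears twice is exactly the situation that leaves firewalls unlicensed.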
NP-View has a series of shortcut keys to quickly access commonly used functions. This section describes some of the frequently used shortcut keys. Note that the list of shortcut keys is available from the upper right menu or by pressing the “K” key.
A: Show the Asset inventory
B: Show the Search bar help
C: Show Track changes
H: Show the Support center
I: Show the Import data panel
K: Show the list of available shortcut keys
L: Show Logs
M: Show Policy Management
O: Show the Object Groups
P: Show the Connectivity Paths
Q: Return to the home page
R: Show the Access Rules
S: Save the topology
T: Show Background tasks
V: Show Custom topology views
W: Show Risks & Warnings
Z: Show Manage zones
SHIFT: Hold the SHIFT key, then click and drag to draw a rectangle that selects multiple nodes on the topology
Ctrl: Hold the Ctrl key, then click to select or deselect individual nodes on the topology