At Network Perception, we have combined our vast expertise of critical asset protection with next-gen technology to guide our customers on a path to cyber resiliency.
The journey starts with establishing a clear baseline and verifying that internal risk mitigation controls are followed.
The next step consists of gaining an accurate visibility of network architecture and cybersecurity posture.
Finally, developing a continuous monitoring approach to gain velocity and adapt quickly to disruptions.
NP-View is designed to run on a Windows 10 or Windows 11 with a recommended configuration of a 10th Gen Quad Core Processor and 16GB of RAM. This configuration should be sufficient for processing large data files up to 500,000 lines. Simultaneously loading and analyzing multiple devices with larger configuration files will maximize the use of available system resources and additional RAM may be required.
Installation Process
Sign up on the Portal website to download the latest version of NP-View Desktop and to download a license key. A SHA256 checksum is supplied with each download. You can calculate the checksum on the files you download to verify the integrity of the files:
Windows Powershell: Get-FileHash /the/full/path/to/your/filename.exe | Format-List
Once installed, NP-View will automatically launch.
Allow ports for private/public network if prompted.
NP-View has been designed to run offline, which means that the network connections attempted towards a public NTP server, the local DNS server, and the Network Perception update server are optional and do not affect the system if the internet is unavailable. More information on configuring NP-View can be found here.
NP-View Desktop is a resource intensive application. For best performance, please ensure your system’s Power plan is set to High performance.
If you have administrator access, you can enable Ultimate Performance by opening the command prompt as administrator and copy paste: powercfg -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61 and press enter.
Windows control panel:
First Login
Upon first login, NP-View Desktop will require you to create an administrator account. Fill in the required information and click the “Create the NP-View administrator account” button. The password can be as simple or as complex as the user desires but needs to be at least 8 characters.
Local authentication is for users who wish to add an additional layer of protection. With this, the user can use whatever e-mail address and password they choose. If the user logs out of the system, the user id and password will be required upon subsequent application launches. Otherwise, the session remains open and authentication is not required.
Read and accept the user agreement.
Next, you will need to enter your license key. Once input, click the “Add license key” button.
Select your preferences for checking for automatic updates (requires internet access) and participation in our voluntary improvement program. Both selections use a slider that is default to off. To opt in, click the button and it will slide to the right. Click the save preferences button to complete.
Next click the get started button
User Menu
Access to the Help Center, License Manager, Update Manager and other administrative functions can be found on the User Menu located in the top-right corner of the Workspaces page.
Getting Started
On the Workspaces Page, NP-View provides a demo workspace as well as the ability to start creating your own workspaces. Click here to learn more about using workspaces.
Software Version
If you contact technical support, they will ask you for the software edition and version you are running. It can be found on the bottom left corner of the home screen.
Software Uninstall
To uninstall NP-View Desktop,
Windows 10/11: use the add or remove programs feature to remove the software
Use the add or remove programs feature to remove the software
Delete folder: ~AppData/Roaming/NP-View
Delete folder: ~AppData/Local/Programs/NP-View
Delete folder: ~AppData/Local/np-view-updater
Password Reset
Remove the file at the location listed below and restart the application to input your credentials.
Windows: Delete the file ~AppData/Roaming/NP-View/db/auth_provider.cfg and then restart NP-View.
License Changes / Upgrades
If you input a new license key from network perception, the user must log out and log back in for the changes to take effect. Note that the license key function is only available from the home screen (not from within a workspace).
Upload File Size Limit
NP-View enforces a maximum file size of 200MB by default. To change it, the config.ini file must be edited and the following row added: MAX_IMPORT_SIZE=<size in bytes>. For example: MAX_IMPORT_SIZE=209715200 which corresponds to 200MB.
Windows: the config.ini file can be found at: ~AppData/Roaming/NP-View/config.ini
Windows Path/File Name Length Limit
Microsoft Windows has a MAX_PATH limit of 256 characters. If the path and filename exceed 256 characters, the file import will fail.
For example: C:\Users\<username>\AppData\Roaming\NP-View\db\workspace\<np-view-user>@<workspace>\devices\<filename>
NP-View Server has been designed to be easily installed by a single person who has moderate Linux skills. This article provides step-by-step instructions on the installation process, which includes:
Provisioning a server
Downloading NP-View server
Installing NP-View server
Installing a SSL Certificate
NP-View is accessed through a web browser (Edge, Chrome, Firefox) running on a modern operating system (Windows 10 or later, macOS 11 Big Sur or later, Ubuntu 20 or later) with a recommended configuration of a 10th Gen Quad Core Processor and 16GB of RAM.
Provisioning a Server
The following table documents the CPU, memory, and disk requirements based on the number of network device configuration files monitored by NP-View server:
Number of network devices monitored
(firewall, router, switch) / concurrent users
Min. CPU
Memory
Disk Space
Up to 50 devices / 3 concurrent users
4-core
16GB
200GB
Up to 100 devices / 5 concurrent users*
8-core
32GB
400GB
Up to 500 devices / 10 concurrent users
16-core
64GB
2TB
Up to 1,000 devices / 20 concurrent users
32-core
128GB
4TB
Greater than 1,000 devices please contact support to discuss requirements.
Recommended as the minimum for most Professional Server users.
Note: loading and analyzing devices utilizes the majority of the CPU and Memory capacity. The higher the server capacity and the faster the CPU, the faster devices will load and be analyzed.
Network ports used by NP-View server
The following ports are used by NP-View server. Please ensure these ports are open on your firewall for proper communication.
Required ports:
TCP/22: SSH server to provide secure console access to the NP-Live server
TCP/443: access to NP-View Web UI through HTTPS
TCP/8443: access to NP-View connectors Web UI through HTTPS
Optional ports:
TCP/80: access to NP-View Web UI through HTTP
TCP/389: access to Active Directory / LDAP for LDAPv3 TLS
TCP/445: access to NP-View SMB Connector
TCP/636: access to Active Directory / LDAPS for TLS/SSL
TCP/8080: access to NP-View connectors Web UI through HTTP
Firewall Rules
The source IP should be the client workstation that will access NP-View and the destination IP should be the NP-View Linux server.
Downloading NP-View Server
Sign up on the Portal website to download the latest version of NP-View server and the license key. A SHA256 checksum is supplied with each download by clicking on the “show checksum” link. You can calculate the checksum on the files you download to verify their integrity:
Windows 10/11 using Powershell: Get-FileHash /the/full/path/to/your/file/name/extension | Format-List
MACOS: shasum -a 256 /full/path/to/your/file/name/extension
Installing NP-View Server
NP-View server is a Linux application. It can be installed on a virtual machine or physical hardware. There are 2 package formats available:
NP-View Virtual appliance (~2GB OVF) that works on all major hypervisor with support for the .vmdk disk format (e.g., VMWare ESXi).
NP-View Linux installer (~600MB) that works on all major Linux distributions on which Docker can be installed
The NP-View OVF uses Ubuntu Server 22.04 LTS or later. Root access is provided (see the text file provided with the .OVF) so the operating system can be periodically updated. This option should be used for new installations. The NP-View Linux installer is used to update NP-View on an existing system or for a new install on a Linux server.
Note: Network Perception does not recommend running NP-View in a double virtualized environment (Linux VM encapsulated within a Windows VM) as the operation of connectors, notifications and external interfaces can be unpredictable.
Option 1: Using the NP-View Linux Installer
Once downloaded from the portal, follow the steps below to complete the install:
Move installer to server – This may require ssh or other user account permissions
Place the file in a location you can access from the terminal
/tmp – this is a temp folder available at the root directory
/opt/np-live – this is the default NP View server root directory
You can use the “ls” command to see what is in your current directory
Log into the terminal or use SSH (Putty, PowerShell, etc.) into the Linux server
Set root level permission with the command (this will allow you type commands without adding “sudo” to each command)
sudo -I
Navigate to the directory in which the NP-View Server Linux installer was placed
Use the ls command to verify file is in this directory
Run the installer with the command (Docker must be installed before this step)
Example: sh NP-View_Full_Filename.sh (example: NP-View_Server_Linux_4.0.5-add6)
The installer will begin by checking for a running instance of Docker and internet connection
If Docker is not installed and running the installer will stop and you will have to manually install the latest version of Docker before continuing
If an internet connection is available and Docker isn’t installed, the installer will automatically download and install the latest version of Docker
If an internet connection isn’t available but Docker is installed, the installer will continue offline (Most Common Scenario)
If you are installing NP-View Server on Red Hat Enterprise Linux, use the following commands to install docker:
Prompt for default directory (/opt/np-live) We recommend keeping the default directory but it can be changed if preferred
Note: If the default directory is changed, then it will need to be edited for each new release during the installation
There will be a message once the installation is complete
Launch a browser to navigate to the NP-View User InterfaceExample of transfer with WinSCP:
Load WinSCP – It should default to this screen:
Default “File Protocol:” to SFTP
Fill in Host name, User name, and Password.
Host name would be the same as your NP-View Server IP Address
User name and Password are the same as the sudo credentials you use to log into the NP-View Server terminal.
Find the NP-View Linux Server Installer file in the left window. Then in the right window from the “root” select the “tmp” folder. Once you have completed both steps then click “Upload”.
Click Ok to complete the transfer.
Option 2: Using the NP-View Virtual Appliance
Once the Virtual Appliance OVF file has been downloaded from the portal, follow the steps below to complete set up:
Extract the .zip archive (right click on folder and choose extract all)
Import OVF into hypervisor
Update CPU/Memory/Disk Space to meet requirements stated in KB in the hypervisor settings
Open README.txt from extracted folder for credentials
Launch the appliance and log into terminal using credentials in README.txt
NP-View Server shell script will guide you through updating the NP-Live password, the root password, and to reset encryption keys
Once complete the NP menu will appear indicating the server is ready to use.
Launch a browser to navigate to the NP-View User Interface
Note: A static IP may need to be configured before utilizing the user interface.
Installing a SSL Certificate
NP-View listens on both port TCP/80 (HTTP) and TCP/443 (HTTPS). For HTTPS, it uses a self-signed SSL certificate by default. Users can also provide their own SSL certificate by simply copying a valid .pem file into the NP-View db folder. If using HTTPS, the best practice is to disable HTTP or forward HTTP to HTTPS.
The following command can be used to generate a valid .pem file:
To learn more about generating your own SSL certificate, please visit python documentation.
Please note that .pem file should include both the private key and the full certificate. If you received the private key and the certificate as two or more separate files, you can concatenate them into a single .pem file.
Setting the Virtual Appliance Time Zone
By default, the Virtual Appliance install creates the file `/opt/np-live/local-settings.yml`, set to America/Chicago. This file needs to be updated to reflect your local time zone. To change to a different time zone, log into the server using SSH and become root with the command sudo -i. You can then perform the following updates.
NP-View does not automatically delete log files, the Linux system admin may wish to schedule the above commands in a periodic CRON job to maintain optimal performance.
If server upgrade or restart issues continue to occur, please reach out to the Tech Support team.
Default Disk Encryption
As the NP-View OVF is typically installed within a secure environment, the disk is not encrypted by default for data at rest. The Linux Admin can encrypt the system drive for increased security knowing that system performance will be slightly degraded to accommodate the data decryption and encryption.
Personalize the Login Page
To add a custom message to the login page, a NP-View administrator can edit the file /opt/np-live/docker-compose.yml with the following entry in the webserver environment section: “- banner=Welcome to NP-view”
For NP-View, the file ~/Documents/np-live/config.ini can be edited to add: “banner=Welcome to NP-View”
Upload File Size Limit
When users upload a file through the Web user interface, NP-View will enforce a maximum file size which is 200MB by default. To change it, a NP-View Linux administrator can edit the file /opt/np-live/docker-compose.yml with the following entry in the webserver environment section: “- MAX_IMPORT_SIZE=209715200”. The value is in bytes, so 209715200 corresponds to 200MB.
Backing up the NP-View Server Database
Stop the NP-View Server (you can use the script /opt/np-live/stop_nplive.sh)
From the NP-View Server folder (by default: /opt/np-live/, run the command: tar -zcf db_backup_$(date '+%Y_%m_%d').tgz db (this command may take few minutes to complete)
Run the new release installer, which will update the containers and then launch NP-View Server
Complete Removal of NP-View
If you wish to completely remove NP-View from you server to start with a fresh install, perform the following steps:
Stop NP-View using the script /opt/np-live/stop_NP-Live.sh
Remove Docker containers using the command docker system prune -a as root (WARNING: this will completely reset Docker, so if non NP-View containers have been added they will be deleted as well)
Remove the NP-View folder with the command rm -rf /opt/np-live as root (WARNING: the NP-View database will be permanently deleted)
Change Management provides the Compliance Team (Compliance Officer, Compliance Analysts) with capabilities that allow for:
Transitioning from point-in-time risk assessment to 24/7 with automated notification.
Automating the change review process using ticketing system integration and sandboxing.
Leveraging “time machine” to navigate through the network evolution and compare points in time.
Transition to 24×7 Monitoring
Connectors facilitate the configuration of connections to poll devices on a schedule, importing the latest configurations for analysis and automatically analyzing the information within selected workspaces to identify changes and potential risks.
Automated change review process
Change tracking automatically records configuration changes and provides the user with the ability to review changes made to the system and review the potential impact of the changes.
Network risks related to configuration changes are identified by best practices and user defined rules in the Policy manager. When a potential risk is identified, it is logged in the “Risks and Warnings” table and assigned a criticality (High, Medium, Low) based on the identifying policy.
Notifications allow users to setup notifications based on complex rules and to have those notifications delivered to multiple services on a schedule to email, syslog or ticketing systems. Notifications can be triggered by configuration changes or network risks.
The Network Sandbox is an isolated workspace that aids network engineers and infrastructure managers with the evaluation of proposed changes to system configurations, operating system upgrades or hardware replacement without affecting the production network. Our network modeling platform provides the ability to evaluate proposed changes to network devices by importing modified configuration files, evaluating the changes against policies, best practices, and regulations, and reporting on risks and vulnerabilities. Additionally, changes can be reviewed and compared, paths and connectivity can be analyzed, compliance reports can be run and reviewed.
Comparison Analysis
Tracking changes over time provides a rich data source for analysis. Comparison Analysis allows the user to review two points in time to identify changes across the system including assets, rules, objects, and paths.
Vulnerability Prioritization provides the Network Security Team and Compliance Team with capabilities that allow users to:
Align network architecture understanding and break silos through a single pane of glass
Train first responders and harden defenses via realistic attack scenario simulation
Prioritize vulnerability mitigation faster
Network Architecture Understanding
Monitoring for indicators of compromise allows organizations to better detect and respond to security compromises. When the security team discovers a potential compromise, NP-View can assist with incident response by quickly identifying critical paths to the compromised system.
For example, critical host H-192.168.1.103-32, a database server on the network, is experiencing increased reads.
Train First Responders
Users can be trained to use NP-View to quickly assess the situation. NP-View shows each host with the inbound and outbound paths. In this example, the inbound port, 443, is the likely target for the increased database activity.
Stepping stones are hosts in a network which could be compromised and used by malicious attackers to perform lateral movements. Attackers hop from one compromised host to another to form a chain of stepping stones before launching an attack on the actual target host.
Using the stepping stone analysis, the security team can quickly identify the paths of concern and the number of steps away from the compromised system or other important assets and can quickly prioritize a remediation plan.
This article will focus on the Access Rules Report.
NP-View uses reports to present network information related to the open workspace. These reports are available to all users and can be accessed from the main menu. For more information visit the Workspace Reports Overview article.
Access Rules – Defined
The Access Rules Report can be accessed in two ways. Each way presents a different filtered data set.
From the main menu, the table will populate the table with all rules for all devices in the workspace.
From the topology, when clicking a Firewall/ Router/ Switch – its info panel will open – and the user can select Access Rules from the Data for this Device section. Only the rules for the selected device will be displayed in this case.
*main menu
*info panel
What Data is Present?
The list below the image details the data types available in the Access Rules Report.
Access rules column details
+
Action: (RULE_ACTION) Permit, Allow or Deny.
Application: (RULE_APPLICATION) Filtered application name associated with the rule (only for next-gen firewall).
Bindings (ACL): (RULE_ACL) Name of the access list under which the rule is defined. This is a normalized zone representation of [src zone]:[dst zone] or interfaces if zones are not used [src binding]:[dst binding]
Change Status: used in comparison mode to reflect added, unchanged and removed rules.
Comment (Author, Date Status): User entered comments (or justification) and associated status (verified, to review, to revise).
Description: (RULE_DESCRIPTION) Remarks from configs associated with rules. Typically found in Cisco and SonicWall devices.
Destination: (RULE_DESTINATION) Object group destination for the rule.
Device: (RULE_DEVICE) Device host name as defined in a configuration file.
Dst Binding: (RULE_DST_BINDING) Outbound interface to which the rule is bound.
Dst Criticality: (RULE_DST_CRIT) Criticality of the object group destination (or the parent zone containing the object group destination) as defined by the user on the topology map.
Enabled: (RULE_ENABLED) Rule is enabled (True / False). The enabled column gets its value from the firewall config. The parser then decides if the rule is supported (True) or not (False). Disabled rules (value from firewall config) are displayed in the table as False and may have a green or gray text color.
First Hit: Timestamp of when rule was first accessed (Palo Alto NGFW Only).
Hit Count: (RULE_ACL_HITS) Number of times the ACL was accessed (Palo Alto NGFW Only).
Hit Updated: Timestamp of last hits import. (Palo Alto NGFW Only).
First Hit: Timestamp of when rule was last accessed (Palo Alto NGFW Only).
Line #: Line number(s) in the configuration text file where the rule can be found.
Object ID: Value for linking rules to comments. This column must be displayed when exporting the rule table for enrichment and reimport.
Risk: (RULE_RISK) Highest risk text for associated Risk Criticality.
Risk Criticality: (RULE_RISK_CRIT) Highest criticality assigned by the triggered risk rule.
Rule: (RULE_NAME) Name of the rule found in the configuration. If the rule doesn’t have a name (e.g., Cisco devices), the value is populated by NP-View as RULE_X where X is the rule index.
Rule Tag: Palo Alto Only – rule tags from firewall.
Rule UUID: Palo Alto Only – rule UUID from firewall.
Service: (RULE_SERVICE) Object group service(s) associated with the rule. Alternatively, the field may be represented in a protocol/port-x to port-y format. For example, TCP/any to 53 (meaning TCP protocol, any to port 53), IP/any to 50 (meaning protocol 50). For ICMP we store the ICMP types in those fields. For example: “any to 11” or “any to 3” represent Type 3 — Destination Unreachable, Type 11 — Time Exceeded.
Source: (RULE_SOURCE) Object group source for the rule.
Src Binding: (RULE_SRC_BINDING) Inbound interface to which the rule is bound.
Src Criticality: (RULE_SRC_CRIT) Criticality of the object group source (or the parent zone containing the object group source) as defined by the user on the topology map.
Type: (RULE_TYPE) Type of rule (regular or VPN).
User: (RULE_USER) Filtered user name associated with the rule.
SRC and DST Criticality Calculations
+
Note that this feature was removed from v5.0 and up due to performance issues. It may return in the future.
The source and destination criticalities are calculated based on the higher of the criticalities assigned to the device, network, and zone (aka. binding) that the device is in.
if device A is in network N1 and bound to zone Z1 and A is Low, N1 is Medium, and Z1 is High, then the criticality of A will be High (highest criticality based on zone)
if A is Medium, N1 is Low, and Z1 is Low, then the criticality of A will be Medium (highest criticality based on device)
if A is Low, N1 is High, and Z1 is Medium, then the criticality of A will be High (highest criticality based on network)
Table Actions
There are a number of actions that can be taken in the Access Rules report, some are specific to Access Rules, others are universal to all Reports.
Cells with more data then can be shown within the width of the column will display a + icon, which will show the additional data when clicked.
The source, destination and service columns will show related object groups and object data within the + popup.
Columns can be displayed or hidden using the hamburger menu in the upper right corner of the report.
Changes to the menu are automatically saved.
Additionally, the table can be exported as displayed, with comment history or with object groups.
Only visible columns will be displayed.
Columns can be sorted, rearranged or resized and changes will be automatically saved.
Column filters can be displayed.
Filters applied to the table or column will automatically be saved.
Filters can be reset from the hamburger menu.
*the Access Rules Report Menu
Comments
+
NP-View provides a simple and easy way for users to add comments and other metadata to rows in Access Rules, and to track the historical lineage of these comments in a workspace. Comments can be added, or viewed, for integrity purposes they cannot be edited or deleted.
Adding a Comment: Comments can be added to a row by double-clicking on the cell in the column “Comment”. Comment text and status can be added and then saved with the save button. Once the comment is saved, the author and time stamp are automatically inserted.
*applying comment
*applying comment – closeup
Comment History: Additional comments can be added to a row to begin creating a lineage or history of comments. This history will be automatically available when more than one comment exists on a row and can be expanded by clicking the blue clock icon on the leftmost column of the table. If there is no history the icon will be disabled.
When viewing history, changes between lines are highlighted in blue.
Example: If Comment 1 is: “rule comment 1” – ‘verified’ and Comment 2 is “rule comment 1a” – ‘to revise’ the status cell would be highlighted because there was a change – the comment text would not be highlighted if the text remained the same.
*Viewing comment history
Access Rules Hash
Access Rules are uniquely tagged (Object ID) within NP-View for linkage to comments and risks.
Access Rules Hash
+
Access rules are uniquely tagged (Object ID) within NP-View for linkage to comments and risks. The tag (hash) is calculated based on a hex converted combination of the following data fields. Available data varies based on manufacturer so, some fields may not apply to specific manufacturers. Most of the fields are defined above. For the fields unique to the hash, they are documented below.
If any of the data in these fields changes, the tag will change and previously linked comments and risks will no longer be associated with this rule.
‘Destination’ (group contents excluding group names*)
‘Service’ (group contents excluding group names)
‘Source’ (group contents excluding group names)
‘Application’ (group contents excluding group names*)
Vendor-specific Variables:
‘Action’
‘direction’ – is used to set some rules to isolate guests from LAN so that rules in the VLAN section of the firewall be set. Each specific network is going to have a set of rules. Depending on the rules created, each traffic will be labeled in, or out, or both.
‘Enabled’
‘scope’ – is for the traffic zones used in their networks. Rules can be created based on the parameters of interzone, intrazone, and universal.
‘Type’
*If the group name changes but the contents stay the same, the object_id will not change.
Additional Features
The Compare button invokes a time series comparison function for the report. Additional details on this function can be found here.
Comments can be imported from an Excel file. Additional details on this function can be found here.
Conditional formatting can be applied to this table report. Additional details on this function can be found here.
Comparison Report
+
Access Rules and Object Groups have a Compare function to show historical differences in data that has been added or removed. The function can be engaged by clicking the “Compare” button located at the top of the page. This function is used to display changes over a period of days.
The user can select a time frame (7, 30, 90 or 356 days or a custom date range). The user can select one or more devices to include in the report and then show the history over the range. Once the parameters are selected, the “Show Comparison” button should be selected.
The comparison function will display all changes (Rule Adds, Rule Removal and Unchanged Rules) for the selected days. The data will be displayed using the column format of the selected table. The user can filter on added, removed or unchanged rules by clicking the jelly bean. Added rules will be highlighted in green, removed rules will be highlighted in red and unchanged rules will be highlighted in light blue.
Clicking the “Compare” button will revert to the normal table but will not clear the selections.
Clicking the “Reset” button will clear the selections and reset the table.
This article will focus on the Asset Inventory Report.
NP-View uses reports to present network information related to the open workspace. These reports are available to all users and can be accessed from the main menu. For more information visit the Workspace Reports Overview article.
Asset Inventory
This report provides a summary of all assets loaded into the workspace including: Firewalls, Routers, Switches, Gateways and Hosts.
Asset Inventory Columns
+
Alias: List of alternative names identified in configuration(s) or auxiliary data, separated by “:”.
Annotation: Comments addes using the Topology annotation feature. Each field contains a complete history of added annotation text.
Annotation Author: User Id of the annotation creator.
Annotation Date: Date the annotation was created.
Annotation Type: Tag added to the annotation.
Category: User assigned category from the topology map.
Created At: Time and date when the device was added to the workspace.
Created By: Files used to create the device or host.
Criticality: User assigned criticality from the topology map.
Description: Description from the configuration file if available.
IP address: IP address of the device, gateway, or host.
Label: Initially mirroring the Name field but can be changed by the user on the topology map and represented in this field.
MAC Address: The MAC addresses assigned to the devices, typically from auxiliary data.
Name: Device host name as defined in a configuration file.
OS: Host operating system derived from third-party data files.
Object ID: Internal asset ID used for table display purposes.
Security Zone: The security zone assigned from the configuration file.
Services: Host services derived from third-party data files.
Updated At: Time and date when the device was last updated (configuration change).
Updated By: Type of file used to update the device.
Verified: Applied by gthe asset verification function, True, False or NA.
Zone: The zone assigned from the topology map.
Unmapped – What is it?
For some devices there may be a large number of hosts defined in the Asset Inventory but less shown on the Topology Map. These “missing hosts” are not actually missing on the map, they are hidden in a Gateway node titled ‘Unmapped’.
If an IP address is displayed as 0.0.0.0 this device has an IP address assigned by DHCP and while the device was detected, an IP address could not be extracted, and it would be said to be an Unmapped Host. Unmapped hosts have enough information for identification but not for mapping purposes on the topology map. These ‘invisible’ hosts are located behind the Unmapped, or other, gateways and can be seen in a given gateway’s peer list.
NP-View uses reports to present network information related to the open workspace. These reports are available to all users and can be accessed from the main menu.
This article is focused on the Background Tasks Table.
Background Tasks
This table displays the active and completed processes both for the current workspace, and for all workspaces. When in a workspace you have the ability to filter and view the active processes for the current workspace and to clear or cancel completed or active processes for the current workspace.
Access: Background Tasks can be accessed in three ways.
From the main menu
Using the hotkey ‘T’
Clicking on the active spinner on the topology map
*main menu
*active background tasks spinner
Overview
The Background Tasks table shows the status of each task spawned by a data import, merge, analysis, or by run policies.
Parsing tasks indicate the imported file is being normalized and hosts inferred.
Merge tasks combine the normalized data into the topology map.
Analysis tasks define all of the paths and open ports.
Policies review the active requirements to identify potential risks for review.
An example of the background tasks table is in the image below.
The report contains the following data and has the following functionality:
Report Data:
Task name
Progress
Workspace where the task is running
User who owns the task
The time it started or ended
Report Functions:
The check box allows the user to filter on the tasks pertinent to the current workspace.
The X allows the user to cancel a task that may be running too long or be stuck for some reason.
The user can also cancel all tasks within a workspace using the “Cancel All for this Workspace” button
NP-View can import auxiliary data from third party systems to enrich and augment analysis. The data files listed below are supported and can be manually imported using drag and drop or through a shared network drive connector. We recommend importing configuration files first or at the same time as the auxiliary data files or a system error may occur. If auxiliary data is input after configuration files are processed, the auxiliary data will need to be added to a new or existing custom view(s) to be displayed
Host Files
Hosts can be identified from multiple sources including configuration files, network scan files, ARP tables, and hostname files. Once network device configuration files have been imported, one can import additional files to add metadata to the workspace. A hostname file is a simple text file with two columns: IP address and hostname separate by a tab.
Aux Data Loading Example
Note: This example applies to the loading of any Aux data file but is specific to creating and loading a host file.
First, load a firewall into a workspace and create a custom view with the firewall.
Notice that four hosts are not named. To fix this, create a host file, named hosts.txt, to enrich the information.
The host file will add a name tied to each of the hosts and also includes hosts not currently displayed.
Let's use 172.30.90.50 Alice 172.30.90.51 Bob 172.30.90.42 Wendy 172.30.91.80 Sam 172.30.91.81 Carl Note: Make sure any hosts added to the file do not conflict with firewall interfaces or they will be merged into the firewall.
Save the host file, and import it into the workspace.
The Manage Views function displaying a user adding both devices and multiple Auxiliary data files to a single view.
Once processed, proceed to the “Manage Views” menu and select a new or existing view to add Auxiliary data to.
Below the Select Devices box, is the Auxiliary Data box.
Choose any of the Auxiliary Data files you've added previously. (This image is not reflective of the example but to illustrate that users may select several Aux files).
For our example a user would see a single file called hosts.txt that would contain the names we've added.
Once the the view is created the updated assets will be displayed on the topology and in the Asset Inventory (on the main menu).
The view, seen here regenerated. Note the new hostnames applied to the endpoints.
To see how the previous example can be used as a repeatable process let's update those names again, with corrections.
First, update the Host file again. In this scenario, we rename “Carl” to “Carly” and “Sam” to “Sammy”. The updated file is as follows:
172.30.90.50 Alice 172.30.90.51 Bob 172.30.90.42 Wendy 172.30.91.80 Sammy 172.30.91.81 Carly
Load the file into the workspace and the custom views where auxiliary data has been applied. This will update the workspace.
The workspace, updated a second time
Note: Host data can come from multiple sources, also hosts can appear and disappear from the network. Host data is treated as replacement data for adding and deleting hosts over time.
Note: If for some reason a device has multiple names retrieved from multiple different file types, the additional names will be displayed in the Alias column of the Asset Inventory.
Network and Vulnerability Scanner Files
The output from network and vulnerability scanners can be imported into a workspace to add CVE information, hosts, attributes, and port information to the topology map. We support version 1.0 <?xml version=”1.0″ ?> of the below scanners:
When exporting the report, it should be saved using the XML format to properly import into NP-View. The data extracted and imported depends on the scanner used and the data available on the network. Below is a list of data NP-View attempts to import.
hostnames
addresses
interfaces
local interface IP’s
local interface names
mac
domains
parent
operating systems
vlan
Multi-Home Host Files
Multi-Home hosts are endpoints that have multiple network interfaces. If NP-View identifies hosts with multiple interfaces, the host will be duplicated on the topology with each IP address. For example, the host called 'dual-homed' can be seen three times on the map below.
The host named 'dual-homed' repeated 3 times on the map
To resolve this, a 'multi_home_host.txt' file can be manually generated and loaded into NP-View as auxiliary data.
The file must be named 'multi_home_host.txt' and be of the following format:
192.168.135.115 dual-homed
192.168.135.114 dual-homed
192.168.135.113 dual-homed
Where the first field is the IP address and the second field is the name of the host.
When importing the 'multi_home_host.txt' and adding it to a view, the hosts will be connected as follows:
The hosts named 'dual-homed' have been consolidated
Note: The file can be named as *_multi_home_host.txt -where-*_ is anything preceding multi_home_host.txt.
For example:
tuesday_multi_home_host.txt
web_server_multi_home_host.txt
the_big_kahuna_multi_home_host.txt
Address Resolution Protocol (ARP)
ARP files can be used to add hosts as well as MAC addresses for the hosts. The following formats are supported:
Cisco
Use commashow arp to export the ARP table. The file format will be as follows:
<hostname># show arp
outside 10.0.0.100 d867.da11.00c1 2
inside 192.168.1.10 000c.295b.5aa2 21
inside 192.168.1.12 000c.2933.561c 36
inside 192.168.1.14 000c.2ee0.2b81 97
Cisco ARP Example
Using the data set from the Hosts example, a simple ARP table has been created in the Cisco format.
Distribution# show arp
inside 172.30.90.50 d867.da11.00c1 2
inside 172.30.90.51 000c.295b.5aa2 21
inside 172.30.90.42 000c.2933.561c 36
inside 172.30.91.80 000c.2ee0.2b81 97
inside 172.30.91.81 000c.2ecc.2b82 95
Distribution#
Loading this data into NP-View will add the MAC addresses to each host which is visible in Asset inventory.
Windows
Use arp -a > arp_table.txt to export the ARP table. The file format will be:
Interface: 192.168.86.29 --- 0x6
Internet Address Physical Address Type
192.168.86.1 88-3d-24-76-49-f2 dynamic
192.168.86.25 50-dc-e7-4b-13-40 dynamic
192.168.86.31 1c-fe-2b-30-78-e5 dynamic
192.168.86.33 8c-04-ba-8c-dc-4d dynamic
Linux
Use arp -a > arp_table.txt to export the ARP table. The file format will be:
? (172.18.0.3) at 02:42:ac:12:00:03 [ether] on br-d497989bc64d
? (192.168.135.200) at 00:0c:29:f6:47:bb [ether] on ens160
? (172.17.0.2) at <incomplete> on docker0
? (192.168.135.178) at 00:0c:29:f3:e2:6b [ether] on ens160
Palo Alto
Use show arp all to export the ARP table. The file format will be:
maximum of entries supported : 2500
default timeout: 1800 seconds
total ARP entries in table : 3
total ARP entries shown : 3
status: s - static, c - complete, e - expiring, i - incomplete
ethernet1/1 192.0.2.10 00:0c:29:ac:30:19 ethernet1/1 c 295
ethernet1/2 198.51.100.10 00:0c:29:d7:67:09 ethernet1/2 c 1776
ethernet1/3 203.0.113.10 00:0c:29:b9:19:c9 ethernet1/3 c 1791
Route Tables
Route files are a special case in that they provide ruleset-specific enrichment data whereas the other auxiliary files listed above provide topology-specific enrichment data.
Route table – Cisco
The output of the command show route on Cisco devices can be imported into NP-View with associated configuration files. For VRF’s, use the command show ip route vrf *. Cisco route files are handled a bit differently than the rest of the aux data as they are integrated upon import and are not considered as aux data when creating a view. Naming of the route files are not important as long as they are unique. The first row of the route file contains the <device name># command to link the route table with the correct device.
PCAP
IN V6.0 and later, PCAP and PCAPng files can be used to enrich the topology map. NP-View will add endpoints with IP's, MAC addresses and services to the topology map within a view. The max PCAP size is 200 MB per file.
The Help Center can be found on the system menu on the upper right corner of the topology.
The Help Center will display warnings or errors identified during the import of device files.
The information in the help center is designed to provide information for the tech support team to help diagnose the issues.
There are many types of possible errors including:
Invalid file formats (e.g., .gif or .png)
Improperly formatted files (files exported as text but loaded into a word processors where extra characters are added before saving).
Incomplete set of files (many devices require more than one file for import this includes Palo Alto and IP tables)
Misconfigured files where rules or objects are undefined.
As every customer has a different environment and possible device configurations are endless. We sometimes run into a situation where the parser cannot handle the device as configured. When this happens, we request the customer to sanitize the config file on the NP Poral and upload the file for debug purposes. Support from our customers is important for us to quickly remediate parsing issues unique to a device or specific file.
The Help Center provides a download for the error log which can be submitted to technical support through the support portal.
.svg)
