ExtraHop Admin UI Users Guide

Version 4.1

 

Post-Deployment Actions

After you deploy the ExtraHop system, take the following actions. Refer to the section of the ExtraHop Admin UI Users Guide specified in each action below, except where noted.

  1. Password: Maintain system security after the evaluation period.

    Change the default password. Refer to Change Password.

  2. NTP: Time is critical in the ExtraHop system, particularly when doing event correlation with time-based metrics and logs.

    Verify that the NTP settings are correct for your infrastructure, test settings, and sync NTP. Refer to System Time

  3. Time Zone: The correct time zone is critical to run scheduled reports at the correct time.

    Ensure the ExtraHop system has the correct time zone. Refer to System Time

  4. Remote Authentication: Maintaining separate local accounts on every appliance leads to credential sprawl. The ExtraHop system integrates with RADIUS, TACACS+, and LDAP for remote authentication.

    Set up remote authentication. Refer to Remote Authentication.

  5. Firmware Update: ExtraHop firmware is updated often with enhancements and resolved defects.

    Verify that you have the current firmware. Refer to Firmware

  6. Audit Logging: The ExtraHop system can send events to a remote syslog collector.

    Configure the ExtraHop system to send audit logs. Refer to Audit Log

  7. SMTP Settings: The ExtraHop system can email alerts and system-health notifications.

    Set up and test notifications. Refer to Troubleshooting Email Settings

  8. System Notifications: The ExtraHop system can send email when it detects problems.

    Create an email group to receive notifications. Refer to Notifications

  9. iDRAC: Each physical ExtraHop appliance has an iDRAC port, similar to iLO or KVM over Ethernet.

    Connect and configure the iDRAC port. Refer to Configuring the iDRAC Remote Access Console on the ExtraHop Support Forum.

  10. SSL Certificate: Each ExtraHop appliance ships with a self-signed certificate. If you have a PKI deployment, generate your own certificate and upload it to each ExtraHop appliance.

    Generate and deploy an SSL certificate for each ExtraHop appliance. Refer to SSL Certificate

  11. DNS ‘A’ Record: It is easier to access ExtraHop systems by hostname than by IP address.

    Create an ‘A’ record in your DNS root ("extrahop.yourdomain.local") for each ExtraHop system in your deployment. Refer to your DNS administration manual.

  12. Customizations: The datastore is easier to restore when you periodically save customizations.

    Save the current datastore configuration settings. Refer to Save Customizations.

About This Guide

The ExtraHop Administration UI Users Guide provides detailed information about configuring the ExtraHop® platform using the settings defined in the ExtraHop Administration UI.

In this guide, the terms ExtraHop Administration UI and Admin UI are used synonymously to refer to the browser-based graphical user interface used to manage the ExtraHop system configuration settings. In addition, the terms command-line interface and CLI are used synonymously to refer to the Secure Shell interface that executes ExtraHop shell commands to manage the ExtraHop system configuration settings.

Audience

This guide is intended for ExtraHop users who are looking for a general introduction to the Administration UI component of the ExtraHop platform.

Feedback

We are working hard to improve our product, and with your feedback we can better meet your needs. As a valued ExtraHop customer, we appreciate all feedback you can provide. Please email feedback to the following addresses:

Common Acronyms

The following common computing and networking protocol acronyms are used in this guide.

Acronym   Full Name
CIFS      Common Internet File System
CLI       Command Line Interface
CPU       Central Processing Unit
DHCP      Dynamic Host Configuration Protocol
DNS       Domain Name System
ERSPAN    Encapsulated Remote Switched Port Analyzer
FIX       Financial Information Exchange
FTP       File Transfer Protocol
HTTP      Hypertext Transfer Protocol
IP        Internet Protocol
iSCSI     Internet Small Computer System Interface
L2        Layer 2
L3        Layer 3
LDAP      Lightweight Directory Access Protocol
MAC       Media Access Control
MIB       Management Information Base
NFS       Network File System
NVRAM     Non-Volatile Random Access Memory
RADIUS    Remote Authentication Dial-In User Service
RPC       Remote Procedure Call
RPCAP     Remote Packet Capture
RSS       Resident Set Size
SMPP      Short Message Peer-to-Peer Protocol
SMTP      Simple Mail Transfer Protocol
SNMP      Simple Network Management Protocol
SSD       Solid-State Drive
SSH       Secure Shell
SSL       Secure Sockets Layer
TACACS+   Terminal Access Controller Access-Control System Plus
TCP       Transmission Control Protocol
UI        User Interface
VM        Virtual Machine

This section describes the general layout of the ExtraHop Admin UI. It focuses on navigating to the top-level sections in the user interface, changing the password, logging on and off, and other page-level toolbar controls.

The ExtraHop Admin UI is a web application that uses the features of an Internet browser to create the graphical user interface. When the ExtraHop Admin UI opens in the browser window, the main frame contains a fixed toolbar at the top of the UI page to display application-level controls and links that are relevant to all interface pages.

The application-level toolbar contains the following controls or links:

  • Change default password: Opens the Change Password page to specify a new Admin UI password. For information about changing the default password, refer to Change Password.

  • Launch Shell: Opens the ExtraHop web shell for entering admin commands to configure the ExtraHop system. For information about using the ExtraHop web shell, refer to Shell Commands.

  • Log out: Ends the ExtraHop Admin UI session. For more information about logging out, refer to Login/Logout.

  • Help: Opens the ExtraHop Administration UI Users Guide.

The main administration page includes the following sections for configuring the ExtraHop system:

  • Status: Verify how the ExtraHop system is functioning on the network.

  • Network Settings: Configure the network settings for the ExtraHop system.

  • Packet Captures: View and download packet captures.

  • Cluster Memberships: Add nodes to an ECM.

  • Access Settings: Configure access settings to the ExtraHop system.

  • Configuration: Change the configuration settings of the ExtraHop system.

  • System Settings: Configure the system-level settings for the ExtraHop System.

  • Diagnostics: Troubleshoot ExtraHop system issues.

The Admin UI page name uses a breadcrumb navigation trail to show you where you are in the UI in relation to the Admin main page.

Configuration Settings

The Admin UI includes the following elements to access configuration settings or perform operations to add, modify, and update settings:

  • Accesses read-only settings to view collected metrics or log pages.

  • Accesses configuration settings pages that include settings that can be modified.

  • Indicates that configuration settings were modified and the updated configuration settings need to be saved. Other operational buttons of this type in the UI include Restart, Halt, Execute, Upload, and Download.

  • Connects to an outside service, such as the Atlas Remote Service.

  • Joins an ECM cluster.

  • Deletes the selected element from the ExtraHop system. This icon appears in lists of users, groups, custom protocols, and other settings where elements are added to or removed from the system.

  • Opens a new page to add entries to a specific configuration setting. Other add buttons in the UI include Add Module, Add Device, and Add Protocol.

  • Provides Save and Cancel controls when modifying configuration settings. Other operational buttons include Change, Update, Upload, Restart, Delete, and OK.

Login/Logout

The ExtraHop Admin UI is served over HTTPS and prompts you for a user name and a password before you can access the interface.

To log in to the ExtraHop Admin UI:

  1. In your browser, navigate to the ExtraHop web administration utility at https://[IP address]/admin, where [IP address] is the IP address displayed on the LCD at the front of the ExtraHop appliance.

  2. On the Login page, in the Username field, enter your ExtraHop Admin UI user name.

  3. In the Password field, enter your ExtraHop Admin UI password.

  4. Click Log In.

The default user name is setup and the password is the service tag number of the appliance. You can modify the default admin credentials by clicking the Change Password link under the Log In button. If the default setup password is not changed, the Change Default Password button appears in the application toolbar of the Admin UI. Clicking this button opens the Change Password page to specify a new Admin UI password. For more information, refer to Change Password.

You can also access the ExtraHop Admin UI from the Settings pop-up window of the ExtraHop Web UI. Click the Administration UI icon, and the ExtraHop Web UI redirects your browser to the Admin UI Login page.

To log out of the Admin UI, click Log out on the top-level toolbar.

Browser Compatibility

Refer to the following table of tested browsers that are compatible with the ExtraHop platform.

Browser                  Features Supported
Internet Explorer 10     All features
Internet Explorer 11     All features, except webshell
Chrome 35 and 36         All features
Firefox 29 and 30        All features
Safari 7                 All features

Status

ExtraHop system administrators use the metrics collected on the Status page to verify the overall health of the ExtraHop system.

The Status section includes the following status pages. These pages are read-only collections of metrics and logging data that provide information about the current state of the ExtraHop system:

  • Firmware Version: Identifies the current firmware version running on the ExtraHop appliance.

  • Health: Provides metrics to view the operating efficiency of the ExtraHop system.

  • Audit Log: Allows you to view event logging data and change Syslog settings.

Firmware Version

The firmware version running on your ExtraHop system includes a Base version, which specifies the major release version number. For example, ExtraHop systems running version 3 firmware display a base number of 3.0.1. The ExtraHop version number specifies the firmware build number for the currently running version on the ExtraHop system.

To view the ExtraHop system version data on the Firmware Version page:

  1. Launch the Admin UI in your browser and provide your access credentials.

  2. Under Status, click the View icon next to Firmware Version.

In this example, the base firmware version 3.5.0 is running on the system and the specific build number for the current firmware is 12808.

Health

The Health page provides a collection of metrics to quickly check the operation of the ExtraHop system. If issues occur with the ExtraHop appliance, the metrics on the Health page help you determine why the appliance is not performing as expected.

To view the data on the Health page, go to the Status section and click Health.

The ExtraHop system collects metrics on the following operational activities performed by the appliance and reports the status on the Health page.

  • System: Reports the following information about the system CPU usage and hard disk.

    • CPU User: Specifies the percentage of CPU time spent in user space, that is, in the ExtraHop application processes.

    • CPU System: Specifies the percentage of CPU time spent in the kernel on behalf of the ExtraHop system.

    • CPU Idle: Specifies the percentage of CPU time during which the CPU was idle.

    • CPU IO: Specifies the percentage of CPU time spent waiting on I/O.

  • Bridge Status: Reports the following information about the ExtraHop system bridge component.

    • VM RSS: Specifies the bridge process physical memory in use.

    • VM Data: Specifies the bridge process heap virtual memory in use.

    • VM Size: Specifies the bridge process total virtual memory in use.

    • Start Time: Specifies the start time for the ExtraHop bridge component.

  • Capture Status: Reports the following information about the ExtraHop system network capture status.

    • VM RSS: Specifies the network capture process physical memory in use.

    • VM Data: Specifies the network capture process heap virtual memory in use.

    • VM Size: Specifies the network capture process total virtual memory in use.

    • Start Time: Specifies the start time for the ExtraHop network capture.

  • Service Status: Reports the status of ExtraHop system services.

    • exalerts: Specifies the amount of time the ExtraHop alert service has been running.

    • extrend: Specifies the amount of time the ExtraHop trend service has been running.

    • exconfig: Specifies the amount of time the ExtraHop config service has been running.

    • exportal: Specifies the amount of time the ExtraHop web portal service has been running.

    • exshell: Specifies the amount of time the ExtraHop shell service has been running.

  • Interface: Reports the status of ExtraHop system interfaces.

    • RX Packets: Specifies the number of packets received by the ExtraHop system on the specified interface.

    • RX Errors: Specifies the number of received packet errors on the specified interface.

    • RX Drops: Specifies the number of received packets dropped on the specified interface.

    • TX Packets: Specifies the number of packets transmitted by the ExtraHop system on the specified interface.

    • TX Errors: Specifies the number of transmitted packet errors on the specified interface.

    • TX Drops: Specifies the number of transmitted packets dropped on the specified interface.

    • RX Bytes: Specifies the number of bytes received by the ExtraHop system on the specified interface.

    • TX Bytes: Specifies the number of bytes transmitted by the ExtraHop system on the specified interface.

  • NVRAM: Reports the non-volatile random-access memory (NVRAM) status and usage of ExtraHop system components. It identifies and provides status for the components whose configuration settings remain in memory when the power to the appliance is turned off.

    • Name: Specifies the ExtraHop settings that are held in NVRAM.

    • Options: Specifies the read-write options for the settings held in NVRAM.

    • Size: Specifies the size in gigabytes for the identified component.

    • Utilization: Specifies the memory utilization for each of the identified components as a quantity and as a percentage of total available NVRAM.

Audit Log

The ExtraHop audit log provides data about the operations of the system, broken down by component. The log lists all known events by timestamp with the most recent events at the top of the list. You can configure where to send these logs in the Syslog settings.

To view the data on the Logs page:

  1. Go to the Status section and click Audit Log.

  2. On the Audit Log page, click View.

  3. To page through the log to view older entries, click Next.

  4. To page back to the beginning, click Previous.

  5. To jump to the last page of log entries, click Last.

The ExtraHop system collects the following log data and reports the results on the Logs page.

  • Time: Specifies the time at which the event occurred.

  • User: Identifies the ExtraHop user who initiated the logged event.

  • Operation: Specifies the ExtraHop system operation that generated the logged event.

  • Details: Specifies the outcome of the event. Common results are Success, Modified, Execute, or Failure. Each log entry also identifies the originating IP address if that address is known.

  • Component: Identifies the ExtraHop component that is associated with the logged event.

To change the Syslog settings:

  1. Go to the Status section and click Audit Log.

  2. On the Audit Log page, click Syslog Settings.

  3. In the Destination field, enter the name of the remote syslog server (if DNS is not configured on the appliance, use its IP address).

  4. Click the Protocol drop-down list and select TCP or UDP. UDP syslog is fire-and-forget: entries dropped in transit are lost without any indication, so prefer TCP where the collector supports it.

  5. In the Port field, enter the port number.
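Once the audit log is forwarded, the five fields listed above are enough to build simple detections on the Admin UI itself. The following Python script is an added example, not ExtraHop code; the log lines it parses are constructed for the example in an assumed key=value layout (this page does not describe the actual syslog message format, so adapt the regular expression to what your collector receives). It flags a burst of login failures from one source address, a successful login that follows such a burst, and Modified entries for the settings that control authentication and the forwarding of this very log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed key=value layout for forwarded audit entries (constructed for this
# example; match it to whatever your syslog collector actually receives).
LINE_RE = re.compile(
    r'^(?P<time>\S+) user=(?P<user>\S+) op="?(?P<op>[^"]+?)"? '
    r'details=(?P<details>\S+) ip=(?P<ip>\S+) component=(?P<component>\S+)$'
)

# Operations whose modification should always be reviewed: the ones that decide
# who can log in and whether this log keeps being forwarded (assumed names).
SENSITIVE_OPS = {"syslog settings", "remote authentication", "change password",
                 "ssl certificate"}

# Constructed sample log: one normal login, a burst of failed logins against the
# default "setup" account, a success right after it, then a syslog change.
SAMPLE_AUDIT_LOG = """\
2014-06-05T09:00:00Z user=alice op=login details=Success ip=10.0.0.5 component=admin
2014-06-05T14:02:11Z user=setup op=login details=Failure ip=10.0.0.8 component=admin
2014-06-05T14:02:25Z user=setup op=login details=Failure ip=10.0.0.8 component=admin
2014-06-05T14:02:40Z user=setup op=login details=Failure ip=10.0.0.8 component=admin
2014-06-05T14:03:01Z user=setup op=login details=Failure ip=10.0.0.8 component=admin
2014-06-05T14:05:40Z user=setup op=login details=Success ip=10.0.0.8 component=admin
2014-06-05T14:06:02Z user=setup op="syslog settings" details=Modified ip=10.0.0.8 component=admin
2014-06-05T15:30:00Z user=alice op=login details=Failure ip=10.0.0.5 component=admin
"""


def parse_audit_line(line):
    """Return a dict of the audit fields, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyze_audit(lines, failure_threshold=3, window=timedelta(minutes=5)):
    """Scan audit entries in time order and return a list of findings.

    brute_force:            failure_threshold login failures for one
                            (source IP, user) pair inside `window`
    success_after_failures: a successful login for that pair within `window`
                            of its last failure
    sensitive_change:       a Modified entry for one of SENSITIVE_OPS
    """
    records = [r for r in map(parse_audit_line, lines) if r is not None]
    records.sort(key=lambda r: r["time"])
    findings = []
    recent_failures = defaultdict(list)  # (ip, user) -> failure times in window
    flagged = set()
    for r in records:
        key = (r["ip"], r["user"])
        if r["op"] == "login":
            if r["details"] == "Failure":
                kept = [t for t in recent_failures[key] if r["time"] - t <= window]
                kept.append(r["time"])
                recent_failures[key] = kept
                if len(kept) >= failure_threshold and key not in flagged:
                    flagged.add(key)
                    findings.append(("brute_force", r["ip"], r["user"], len(kept)))
            elif r["details"] == "Success" and key in flagged:
                last_failure = recent_failures[key][-1]
                if r["time"] - last_failure <= window:
                    findings.append(("success_after_failures", r["ip"], r["user"]))
        if r["details"] == "Modified" and r["op"] in SENSITIVE_OPS:
            findings.append(("sensitive_change", r["ip"], r["user"], r["op"]))
    return findings


if __name__ == "__main__":
    for finding in analyze_audit(SAMPLE_AUDIT_LOG.splitlines()):
        print(*finding)
```

On the sample above the script reports one brute-force burst from 10.0.0.8 against the setup account, the success that follows it, and the syslog settings change made from the same address; alice's single failure stays below the threshold. The window and threshold are starting points to tune against your own login volume.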

Network Settings

The Network Settings section includes the following configurable network connectivity settings.

  • Atlas Services: Subscribe to monthly reports about system components.

  • Connectivity: Configure network connections.

  • Notifications: Set up alert notifications via email and SNMP traps.

  • SSL Certificate: Generate a self-signed certificate or upload one issued by your own PKI.

The ExtraHop appliance has four 10/100/1000baseT network ports. The Gb1 port is used for management and requires an IP setting. The Gb2 port is used for monitoring network traffic and connects to the network tap or mirror port on your network switch. You also can use Gb3 and Gb4 for monitoring, if permitted by your license. Some appliances have two 10GbE SFP+ ports with the accompanying SFP+ SR-fiber modules. For more information, refer to your appliance specifications.

Before you begin configuring the ExtraHop system’s network settings, verify that a network patch cable connects the Gb1 port on the ExtraHop appliance to the management network. For more information about installing an ExtraHop appliance, refer to your appliance installation guide or contact ExtraHop Support for assistance.

For specifications, installation guides, and more information about your appliance, refer to the ExtraHop Support Forum.

Atlas Services

Atlas Services provide ExtraHop customers with a remote analysis report delivered monthly that contains specific recommendations for critical components across the application delivery chain. For more information and to view a sample of this report, visit Atlas Remote Analysis Reports on the ExtraHop website.

To receive monthly reports:

  1. Go to Atlas Services and click Connect.

  2. In the Connect to Atlas Services pop-up window, click Terms and Conditions.

  3. Once you have read the terms and conditions, select the checkbox and click Yes.

The Admin UI main page shows that Atlas Services are connected.

You can connect ExtraHop Central Manager (ECM) nodes to Atlas Services, but you cannot connect the ECM.

Connectivity

To connect the ExtraHop system to the host network and use the optional software tap, the following network configuration information is required:

Network Settings

  • Host Name: Specifies the name of the appliance on the network.

  • Primary DNS: Specifies the IP address of the primary domain name server for the specified domain.

  • Secondary DNS: (Optional) Specifies the IP address of the secondary domain name server for the specified domain.

Proxy Settings

  • Global Proxy: Provides the ability to enable proxy support for connection to the ExtraHop Central Manager (ECM).

  • Atlas Proxy: Provides the ability to enable proxy support for connection to the Atlas Remote UI.

Interface Settings

  • Interface Mode: Specifies whether the port is enabled or disabled and if enabled, the port assignment.

  • DHCP: Specifies whether DHCP is enabled or disabled.

  • IP address: Specifies the static IP address of the ExtraHop appliance on the network.

  • Netmask: Specifies the netmask used to divide the IP address into subnets.

  • Gateway: Specifies the IP address for the gateway node on the network.

  • MAC Address: Specifies the MAC address of the ExtraHop appliance.

The orange caution sign next to the hostname shows that the system is using the default name, "extrahop". Unless you manually set the DNS to point to "extrahop", all email and SNMP notifications use the ExtraHop appliance IP address instead of the hostname "extrahop".

In the Interface Status section, a diagram of the back of the ExtraHop physical appliance displays the following information about the current interface connections:

  • Blue Ethernet Port: Identifies the management port.

  • Black Ethernet Port: Specifies that the port is licensed and enabled but down.

  • Green Ethernet Port: Specifies that the licensed port has an active Ethernet cable connected.

  • Gray Ethernet Port: Identifies a disabled or unlicensed port.

The Interface Status section is displayed for physical appliances only.

The EH5000, EH6000, EH6100, EH8000, and EH8100 have two 10GbE interfaces and three 1GbE interfaces. The 1GbE interfaces are disabled by default, and the ExtraHop appliance operates in the standard throughput mode. Enabling one or more of the 1GbE interfaces puts the ExtraHop appliance into the reduced throughput mode. Before changing the interface settings, refer to the following table to determine which throughput mode you want to use.

  • EH9100, Standard (40Gbps throughput mode): If the non-management 1GbE interfaces are disabled, you can use up to four of the 10GbE interfaces for a combined throughput of up to 40Gbps.

  • EH9100, Reduced (23Gbps throughput mode for use of 1GbE ports): If the non-management 1GbE interfaces are enabled, the maximum total combined throughput is 23Gbps.

  • EH8000/8100, Standard (20Gbps throughput mode): If the non-management 1GbE interfaces are disabled, you can use either one or both of the 10GbE interfaces for a combined throughput of up to 20Gbps.

  • EH8000/8100, Reduced (13Gbps throughput mode for use of 1GbE ports): If the non-management 1GbE interfaces are enabled, the maximum total combined throughput is 13Gbps.

  • EH5000/6000/6100, Standard (10Gbps throughput mode): If the non-management 1GbE interfaces are disabled, the maximum total combined throughput is 10Gbps.

  • EH5000/6000/6100, Reduced (8Gbps throughput mode): If the non-management 1GbE interfaces are enabled, the maximum total combined throughput is 8Gbps.

  • EH5000/6000/6100, Reduced (3Gbps throughput mode with 10GbE ports disabled): If the 10GbE interfaces are disabled, the maximum total combined throughput is 3Gbps.

To change the network settings:

  1. Go to the Network Settings section and click Connectivity.

  2. In the Network Settings section, click the Change button.

    The Edit Hostname page appears with the following editable fields:

    • Hostname: Specifies the descriptive device name for the ExtraHop appliance on the network. Devices on the network can be identified by their IP address, MAC address, or by the descriptive name defined in this setting.

    • Primary DNS: Specifies the computer that stores the record of the network’s domain name, which is used to translate domain names specified in alpha-numeric characters into IP addresses. Each domain requires a primary domain name server and at least one secondary domain name server.

    • Secondary DNS: Functions as the backup server to the primary DNS.

  3. Change the settings as needed and click Save.

To change interface 1:

  1. Go to the Network Settings section and click Connectivity.

  2. In the Interface 1 section, click the Change button.

    The Network Settings for Interface 1 page appears with the following editable fields:

    • Interface Mode: You can use interface 1 as a management port only.

    • DHCP: DHCP is enabled by default. When you turn on the system, interface 1 attempts to acquire an IP address using DHCP. After the DHCP server assigns an IP address to a physical appliance, the ExtraHop system displays it on the LCD at the front of the appliance.

      If your network does not support DHCP, you can disable DHCP and configure a static IP address.

      To disable DHCP, uncheck the DHCP checkbox and click Save. When the browser changes to the new network address, log on to the Admin UI again.

      If you are changing from a static IP address to a DHCP-acquired IP address, the changes occur immediately after clicking Save, which results in a loss of connection to the Admin UI web page. After the system acquires an IP address, log on to the Admin UI again.

    • IP Address: The ExtraHop system provides configuration settings to acquire an IP address automatically or to configure a static IP address manually. The ExtraHop system displays the assigned IP address on the LCD at the front of the appliance. If your network does not support DHCP, you can configure a static IP address using the ExtraHop Admin UI.

      To configure the IP Address network setting manually, disable DHCP, enter a static IP address, and click Save.

    • Netmask: Devices on a local network have unique IP addresses, but this unique address can be thought of as having two parts: The shared network part that is common to all devices on the network, and a unique host part. Both the shared and unique parts of the IP address are used by the TCP/IP stack for routing.

      The shared network parts of the address and host parts are determined by the netmask, which looks like this: 255.255.0.0. In this example, the masked part of the network is represented by 255.255, and the unmasked host part is represented by 0.0, where the number of unique device addresses that can be supported on the network is approximately 65,000.

    • Gateway: The network's gateway address is the IP address of the device that is used by other devices on the network to access another network or a public network like the Internet. The address for the gateway is often a router with a public IP address.

    • MAC Address: The Media Access Control (MAC) address is a unique identifier assigned to network devices for communication on the network. MAC addresses are assigned by the device manufacturer. The ExtraHop appliance's MAC address is printed on the label that is affixed to the bottom of the appliance. The unique MAC address for the appliance is set automatically and it cannot be changed in the Admin UI.

  3. Change the settings as needed and click Save.

If you are using the ECM, you must change interface 1 settings from the ECM and not the node. You can change the rest of the interfaces at the node.

If you are using the ExtraHop Discovery Edition, refer to your installation documentation for more information about using the software tap.

If you are using Amazon Web Services (AWS) with one interface, you must select Management + RPCAP/ERSPAN for interface 1. If you are using two interfaces, you must select Management for interface 1 and Management + RPCAP/ERSPAN for interface 2.

If you do not have DHCP enabled, you can manually set a route to determine where the traffic goes.

To manually set a route:

  1. On the Network Settings for Interface X page, ensure that the IP Address and Netmask fields are complete and saved, and click Edit Routes.

  2. In the Add Route section, complete the Network and Via IP fields, and click Add.

  3. Repeat the previous step for each route you want to add.

  4. Click Save. The Admin UI redirects to the Network Settings for Interface X page.
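A wrong static address or gateway drops the Admin UI session the moment you click Save, so it is worth checking the values before entering them. The following Python function is an added example (not ExtraHop code) that takes the IP address, netmask and gateway from the Interface 1 procedure and any Network/Via IP pairs from the route procedure, and reports inconsistencies: a gateway or next hop that is not on the directly connected subnet, a network or broadcast address used as the host address, and the usable host count the netmask implies. All addresses in the usage call are constructed; the 255.255.0.0 mask matches the netmask example in the text.

```python
import ipaddress


def plan_static_interface(ip, netmask, gateway, routes=()):
    """Check a static interface configuration before it is saved.

    `routes` is a sequence of (Network, Via IP) pairs as entered on the
    Edit Routes page. Returns the derived network, the usable host count,
    and a list of problems; an empty list means the settings are consistent.
    """
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")  # dotted netmask accepted
    net = iface.network
    problems = []

    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")

    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net}; the appliance could "
                        "not reach it and the Admin UI session would be lost")
    elif gw == iface.ip:
        problems.append(f"gateway {gw} equals the interface address")

    for dest, via in routes:
        dest_net = ipaddress.ip_network(dest, strict=False)
        via_ip = ipaddress.ip_address(via)
        if via_ip not in net:
            problems.append(f"route {dest_net} via {via_ip}: next hop is not on "
                            f"the directly connected network {net}")
        if iface.ip in dest_net:
            problems.append(f"route {dest_net} covers the interface's own address")

    return {
        "interface": str(iface),
        "network": str(net),
        # network and broadcast addresses are not assignable to hosts
        "usable_hosts": max(net.num_addresses - 2, 0),
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed values: a /16 management network with one extra route.
    result = plan_static_interface("10.20.30.40", "255.255.0.0", "10.20.0.1",
                                   [("192.168.50.0/24", "10.20.0.254")])
    print(result)
```

For the 255.255.0.0 mask the function reports 65,534 usable hosts, which is the "approximately 65,000" figure given above; swapping the mask for 255.255.255.0 while keeping the same gateway makes it report that the gateway is off-subnet, which is exactly the configuration that locks you out of the Admin UI.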

To change the software tap settings:

  1. Go to the RPCAP Settings section and click Change.

    The Add RPCAP Port Definition page appears with the following editable fields:

    • Port: Specifies the listening port on the ExtraHop system. Each port must be unique for each interface subnet on the same server. Different subnets across servers can use the same port. This is both a TCP and UDP port. If you are configuring multiple software taps and multiple software tap listeners, the payload may traverse a range of UDP ports. The range consists of 16 ports starting with the port defined.

    • Interface Address: Specifies a subnet on the software tap server. If the server has multiple interfaces that match the interface address, the first interface on the server sends traffic to the ExtraHop system unless the interface name is specified.

    • Interface Name: Indicates the interface on the packet-forwarding server from which to forward packets.

    • Filter: Specifies the traffic to forward using Berkeley Packet Filter syntax. For example, tcp port 80 forwards only TCP traffic on port 80, and not tcp port 80 forwards everything except TCP traffic on port 80 (including UDP on port 80 and TCP on every other port).

      You must specify an interface address or an interface name. If you specify both, then both settings will apply.

  2. Change the settings as needed and click Save.

To change the remaining interfaces:

  1. Go to the Network Settings section and click Connectivity.

  2. In the Interface 2 section, click the Change button.

    The Network Settings for Interface 2 page appears with the following interface mode options:

    • Disabled: The interface is disabled by default.

    • Monitoring Port (receive only): Monitor network traffic on this interface.

    • Management Port: Use this interface for management.

    • Management Port+RPCAP/ERSPAN Target: Use this interface as the management port and as the capture port for traffic forwarded from the software tap or ERSPAN.

  3. Change the settings as needed and click Save.

  4. To change interfaces 3 and 4, repeat the previous steps.

    Interfaces 3 and 4 are disabled by default on the following appliances: EH2000, EH2000v, EH3000, EH5000, EH6000, EH6100, EH8000, EH8100, and EH9100.

  5. To change interfaces 5 and 6 in order to use the 10 GbE ports, select one of the following interface mode options:

    • Disabled: The interface is disabled by default.

    • Monitoring Port (receive only): Monitor network traffic on this interface.

    • ERSPAN Target: Use this interface as the capture port for traffic forwarded from ERSPAN.

      Interfaces 5 and 6 are disabled by default on the following appliances: EH5000, EH6000, EH6100, EH8000, EH8100, and EH9100.

Notifications

Alerts are useful only if someone is notified about the alert when it is triggered. The ExtraHop system uses two types of alert notifications: email and SNMP traps. If SNMP is specified, then every alert will be sent as an SNMP trap to the defined SNMP server. If an email notification group is specified, then emails will be sent to the groups assigned to the alert.

The Notifications section in the Network Settings section of the Admin UI includes the following configurable settings.

  • Email Server & Sender: Configure the email server and sender settings.

  • Email Notification Groups: Set up email notification groups.

  • SNMP: Set up SNMP network monitoring. If you are using an ECM, this is configured at each node. Alerts fire on a node, which then sends notifications. After an alert fires, the event is visible on the ECM Web UI.

  • Syslog: Send ExtraHop data to another system for archiving and correlation.

The functions on this page are disabled in the ExtraHop Discovery Edition.

Email Server & Sender

Configuring Email Settings

To configure the Email Server & Sender settings:

  1. Go to the Network Settings section and click Notifications.

  2. Under Notifications, click Email Server & Sender.

  3. On the Email Settings page, in the SMTP Server field, enter the FQDN or IP address of the outgoing SMTP mail server.

    The SMTP server must be reachable from the ExtraHop management network. If a DNS server is configured, the SMTP server can be entered as an FQDN; otherwise it must be an IP address.

  4. In the Sender Address field, enter the email address for the notification sender.

  5. In the Report Sender Address field, enter the email address for the report sender.

  6. Click Save.

Testing Email Settings

To test that the ExtraHop system can communicate with the SMTP server:

  1. Select Launch Shell in the upper right corner of the Admin UI.

  2. In the webshell, verify that the SMTP server is resolved and accessible by pinging the name. If DNS is not configured, then ping the IP address only.

  3. When the SMTP server configuration is confirmed, log in to the ExtraHop system and configure an alert.

Troubleshooting Email Settings

Refer to the following cases to help troubleshoot communication issues.

  • Successful pings by hostname: This proves the DNS server is accessible and has the resolution information for the host.

  • Unsuccessful DNS lookup: This shows that either the DNS server is not accessible, or that the hostname is incorrect. To verify that the DNS server is accessible, ping the DNS server IP address.

  • Successful ping by IP address: This shows that the network is reachable by the ExtraHop system.

  • Unsuccessful ping by IP address: This shows that the network is unreachable by the ExtraHop system.
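The checklist above can be scripted so the same two questions (does the name resolve, and is the host reachable) are answered from a management host every time the mail relay changes. The following Python is an added example, not ExtraHop code: it resolves the configured server name with the local resolver and then confirms that the SMTP port accepts a TCP connection. A TCP connect stands in for ICMP ping because ping needs raw-socket privileges and some relays drop ICMP; the port number (25) and the loopback self-check are my assumptions.

```python
"""Reproduce the SMTP troubleshooting checklist as a small diagnosis tool.

Added example, not part of the ExtraHop product. Outcomes map onto the
checklist: 'dns-failure' (DNS server unreachable or hostname wrong),
'network-unreachable' (name resolved but the relay cannot be reached) and
'reachable'.
"""
import socket

SMTP_PORT = 25  # assumption: change to 587 or 465 if your relay listens elsewhere


def resolve(host):
    """Return the IP address for host, or None if the lookup fails.

    An IP literal resolves to itself, which is the "ping the IP address only"
    case from the checklist.
    """
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def tcp_reachable(ip, port, timeout=2.0):
    """True if a TCP handshake to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(host, port=SMTP_PORT):
    """Classify the outcome the same way the troubleshooting list does."""
    ip = resolve(host)
    if ip is None:
        return "dns-failure"
    if tcp_reachable(ip, port):
        return "reachable"
    return "network-unreachable"


def loopback_self_check():
    """Open a throwaway listener on 127.0.0.1 and diagnose against it, to prove
    the 'reachable' branch works before pointing the tool at the real relay."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return diagnose("127.0.0.1", srv.getsockname()[1])


if __name__ == "__main__":
    print("self-check:", loopback_self_check())
    print("smtp.example.com:", diagnose("smtp.example.com"))  # placeholder relay name
```

Run it from the same network segment as the appliance's management interface; a result from a different segment says nothing about what the appliance itself can reach.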

Email Notification Groups

To modify existing Email Notification Group settings:

  1. Go to the Network Settings section and click Notifications.

  2. Under Notifications, click Email Notification Groups.

  3. On the Email Groups page, click the Change icon next to the email group that you want to update.

  4. Under Group Info, in the Name field, enter a new descriptive name for the email group.

  5. Select the System Health Notifications checkbox if you want to send system storage alerts to the email group. These alerts will fire under the following conditions:

    • The virtual disk is in a degraded state.

    • The physical disk is in a degraded state.

    • The physical disk has an increasing error count.

    • A necessary role is missing, such as firmware, datastore, or packet capture.

  6. In the Email Addresses text box, enter the recipient email addresses for the team members that you want to receive the alert emails for this group.

    Email addresses can be entered one per line or separated by a comma, semicolon, or space. Email addresses are checked only for [name]@[company].[domain] format validation. There must be at least one email address in this text box for the group to be valid.

  7. Click Save.

    The Email Groups page lists the new group and the number of email addresses in the group.
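Step 6 above states the accepted separators and the format rule for the Email Addresses box but leaves the details to the UI. The following Python is an added example (not ExtraHop code) that applies the same rules ahead of time, so a recipient list kept in a ticket or a configuration repository can be checked before it is pasted in. My reading of "[name]@[company].[domain]" as "one @, a non-empty local part, a domain with at least one dot" and the case-insensitive de-duplication are assumptions, not documented behaviour.

```python
import re

# Assumption: the guide's "[name]@[company].[domain]" rule means one '@',
# a non-empty local part, and a domain containing at least one dot.
EMAIL_RE = re.compile(r"^[^@\s,;]+@[^@\s,;.]+(?:\.[^@\s,;.]+)+$")
# Separators exactly as the guide lists them: newline, comma, semicolon, space.
SEPARATORS = re.compile(r"[\s,;]+")


def parse_email_group(text):
    """Split the text box contents into (valid, invalid) address lists.

    Duplicates (compared case-insensitively) are dropped so one mailbox is not
    paged twice; that de-duplication is my choice, not documented behaviour.
    """
    valid, invalid, seen = [], [], set()
    for token in SEPARATORS.split(text.strip()):
        if not token:
            continue
        key = token.lower()
        if key in seen:
            continue
        seen.add(key)
        (valid if EMAIL_RE.match(token) else invalid).append(token)
    return valid, invalid


def group_is_valid(text):
    """A group needs at least one address (the guide's rule). I also reject the
    group when any entry fails the format check, so a typo does not silently
    drop the on-call recipient."""
    valid, invalid = parse_email_group(text)
    return bool(valid) and not invalid


# Constructed sample input: three good addresses, two malformed entries,
# and one case-variant duplicate.
SAMPLE_TEXT = """soc@example.com, ops-team@example.org;  backup@corp.example.net
bad-address noatsign.example.com SOC@example.com"""

if __name__ == "__main__":
    good, bad = parse_email_group(SAMPLE_TEXT)
    print("valid:", good)
    print("invalid:", bad)
    print("group valid:", group_is_valid(SAMPLE_TEXT))
```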

To add a new Email Notification Group:

  1. Go to the Network Settings section and click Notifications.

  2. Under Notifications, click Email Notification Groups.

  3. On the Email Groups page, click Add Group.

  4. Under Group Info, in the Name field, enter a name for the email group.

  5. In the Email Addresses text box, enter the recipient email addresses for this group.

  6. Click Save.

To delete an Email Notification Group:

  1. Go to the Network Settings section and click Notifications.

  2. Under Notifications, click Email Notification Groups.

  3. On the Email Groups page, click the red delete icon to the left of the group name.

    When you delete an email group, the group and all of its associated email addresses are deleted.

SNMP

Simple Network Management Protocol (SNMP) is used to monitor the state of the network. SNMP collects information either by polling devices on the network or by having SNMP-enabled devices send alerts (traps) to SNMP management stations. SNMP communities define the group to which devices and management stations running SNMP belong, and therefore where information is sent. The community name identifies the group.

Most organizations have an established system for collecting and displaying SNMP traps in a central location that can be monitored by their operations teams. For example, SNMP traps are sent to an SNMP manager, and the SNMP management console displays them.

Configure SNMP Settings

To configure the SNMP settings:

  1. Go to the Network Settings section and click Notifications.

  2. Under Notifications, click SNMP.

  3. On the SNMP Settings page, in the SNMP Monitor field, enter the hostname for the SNMP trap receiver. Multiple names can be entered, separated by commas.

  4. In the SNMP Community field, enter the SNMP community name.

  5. In the SNMP Port field, enter the SNMP port number for your network that is used by the SNMP agent to respond back to the source port on the SNMP manager.

    The default response port is 162.

  6. Click Save.

Download the ExtraHop SNMP MIB

SNMP does not itself define the information that a monitored device reports. It relies on management information bases (MIBs), supplied by the device vendor or third parties, that describe the structure of the collected data.

To download the ExtraHop SNMP MIB:

  1. Launch the Admin UI in your browser and enter your access credentials.

  2. On the Admin page under Network Settings, click the Change icon next to Email & SNMP Notifications.

  3. Under Notifications, click the Change icon next to SNMP.

  4. Under SNMP MIB, click the Download icon next to ExtraHop SNMP MIB.

  5. At the prompt, specify a location to save the downloaded file.

  6. Click Save.

Syslog

The Syslog export enables you to send alerts from the ExtraHop system to any system that receives Syslog input (e.g., Splunk, ArcSight, Q1 Labs, etc.) for long-term archiving and correlation with other sources.

To configure the Syslog notification settings for alerts:

  1. Go to the Network Settings section and click Notifications.

  2. Under Notifications, click Syslog.

  3. In the Destination field, enter the IP address of the remote syslog server.

  4. Click the Protocol drop-down list and select TCP or UDP.

  5. In the Port field, enter the port number. The port is set to 514 by default.

SSL Certificate

A self-signed certificate can be used in place of a certificate signed by a Certificate Authority. However, be aware that a self-signed certificate generates an error in the client browser reporting that the signing certificate authority is unknown. The browser provides a set of confirmation pages to allow the use of the certificate, even though the certificate is self-signed.

Generate a Self-Signed Certificate

To configure the SSL Certificate settings:

  1. Launch the Admin UI in your browser and enter your access credentials.

  2. On the Admin page under Network Settings, click the Change icon next to SSL Certificate.

  3. Under Self-Signed Certificate, click the Generate icon next to Build SSL self-signed certificate based on hostname.

  4. On the Generate Certificate page, click OK to regenerate the SSL self-signed certificate based on the hostname.

    The default hostname is extrahop.

The ExtraHop system generates the self-signed certificate and private key that can be uploaded to the server. Under Certificate Information, you can view the self-signed certificate information generated for the specified host.

Upload the SSL Certificate

To upload an SSL certificate:

  1. Launch the Admin UI in your browser and enter your access credentials.

  2. On the Admin page under Network Settings, click the Change icon next to SSL Certificate.

  3. Under Upload Certificate, click Choose File and navigate to the certificate that you want to upload.

    The certificate must be a PEM file that contains both the certificate and private key.

  4. Click Open, and then click Upload.
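Step 3 requires a single PEM file holding both the certificate and its private key, and a bundle that is missing one of them or carries a passphrase-protected key is the usual reason an upload is rejected. The following Python is an added example (not ExtraHop code) that inventories the PEM blocks in a file before upload, checking that each block's body is valid base64 DER and that exactly the needed block types are present. The sample bodies are constructed placeholders, not real certificates or keys, and the assumption that the key must be unencrypted (the upload form has no passphrase field) is mine.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
ENCRYPTED_KEY_LABELS = {"ENCRYPTED PRIVATE KEY"}


def _decodes_to_der(body):
    """True if the base64 payload decodes to bytes starting with an ASN.1
    SEQUENCE tag (0x30), which X.509 certificates and PKCS#1/PKCS#8 keys do."""
    try:
        der = base64.b64decode(body, validate=False)  # whitespace is discarded
    except (binascii.Error, ValueError):
        return False
    return len(der) > 0 and der[0] == 0x30


def inspect_pem(text):
    """Count certificate and key blocks and list anything that would block an upload."""
    report = {"certificates": 0, "private_keys": 0, "encrypted_keys": 0, "problems": []}
    problems = report["problems"]
    for label, body in PEM_BLOCK.findall(text):
        if "Proc-Type:" in body and "ENCRYPTED" in body:  # legacy OpenSSL encrypted PEM
            report["encrypted_keys"] += 1
            continue
        if not _decodes_to_der(body):
            problems.append(f"{label}: body is not valid base64 DER")
            continue
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label in KEY_LABELS:
            report["private_keys"] += 1
        elif label in ENCRYPTED_KEY_LABELS:
            report["encrypted_keys"] += 1
        else:
            problems.append(f"unexpected block type: {label}")
    if report["certificates"] == 0:
        problems.append("no certificate block")
    if report["private_keys"] == 0:
        problems.append("no unencrypted private key block")
    if report["encrypted_keys"]:
        problems.append("private key is passphrase-protected")
    return report


def ready_for_upload(text):
    return not inspect_pem(text)["problems"]


# Constructed placeholders: "MAMCAQE=" is the base64 of a tiny DER
# SEQUENCE { INTEGER 1 }, enough to exercise the parser. It is NOT a real
# certificate or key; substitute the contents of the file you intend to upload.
_FAKE_DER = "MAMCAQE="
SAMPLE_CERT_ONLY = f"-----BEGIN CERTIFICATE-----\n{_FAKE_DER}\n-----END CERTIFICATE-----\n"
SAMPLE_BUNDLE = SAMPLE_CERT_ONLY + f"-----BEGIN PRIVATE KEY-----\n{_FAKE_DER}\n-----END PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED = SAMPLE_CERT_ONLY + (
    f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{_FAKE_DER}\n-----END ENCRYPTED PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, pem in [("bundle", SAMPLE_BUNDLE), ("cert only", SAMPLE_CERT_ONLY), ("encrypted", SAMPLE_ENCRYPTED)]:
        print(name, inspect_pem(pem))
```

This checks structure only; whether the private key actually matches the certificate's public key needs an ASN.1 parser (for example the `cryptography` package or the openssl CLI), which is deliberately left out here.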

Packet Captures

When packet capture is enabled through the Admin UI, you can write triggers to define and deploy targeted packet captures from the ExtraHop system. You must have access to the ExtraHop Admin UI and write permission to the ExtraHop Web UI in order to complete these steps.

  • View & Download Packet Captures: View packet captures and download them to your workstation.

  • Global Packet Capture: Save every packet on every flow, up to the specified limits.

Enable Packet Capture

Ensure that your ExtraHop license has packet capture enabled:

  1. Go to the System Settings section and click License.

  2. Scroll down to the Features section and verify that packet capture is enabled. If your license does not have packet capture enabled, contact ExtraHop Support.

    If you are using a virtual machine, the packet capture license is labeled Enabled (Unrestricted). This means the packet capture data will be written to a regular disk drive instead of an SSD.

Ensure that the SSD is installed on your ExtraHop appliance.

  1. In the Admin UI, go to System Settings and click Disk. If the Drive Map shows the last slot in red, refer to Disk to install and enable the drive.

  2. If the Drive Map shows the SSD drive as green and the Status is Online, it is ready to use for packet capture. The EH5000 Drive Map is pictured below.

    If the SSD drive is dislodged and reinserted, you can re-enable it. This process requires reformatting the disk, which erases all data.

Define the Packet Capture

(Skip this section if you are doing a global packet capture.) The ExtraHop system uses Application Inspection Triggers to gather custom metrics. These metrics are stored internally and can be used by other features, such as packet capture. Triggers are user-defined scripts that perform additional actions during well-defined events.

For information about writing triggers, refer to the following related documentation on the ExtraHop Support Forum:

To create a trigger, complete the following steps:

  1. In the Web UI, click Settings, click Triggers, and then click New.

  2. Enter a name for the trigger and select the event(s) that will activate the trigger, then click the Editor tab and write your trigger source code.

    Once you have tested the trigger to ensure it works, uncheck Enable Debugging to avoid excessive debug messages in the Runtime Log.

  3. Assign the trigger to a device or group of devices.

  4. Click Save.

View & Download Packet Captures

Once you have written a trigger to define the targeted packet capture, you can view and download packet captures in the Admin UI.

  1. Go to the Packet Captures section and click View & Download Packet Captures.

  2. On the Packet Captures page, select one or more packet captures and click Download Selected Captures.

    To filter packet captures, click the Listing Options drop-down list, and select the search criteria. You can also filter by the date of capture.

    To sort packet captures, click a column heading in the table and click the arrow to the right of the heading to sort in ascending or descending order.

  3. Open the downloaded packet captures in a packet analyzer such as Wireshark.

Global Packet Capture

You can use global packet capture to save every packet on every flow. Global packet capture is limited to 96 bytes per packet. Global packet capture occurs in the Admin UI and does not require added configuration.

  1. Go to the Packet Captures section and click Global Packet Capture.

  2. In the Start Global Packet Capture section, name the capture, specify the maximum number of packets, bytes, and milliseconds, optionally change the snaplen value, and then click Start.

    Global packet capture defaults to a snaplen, or maximum number of bytes copied per frame, of 96 bytes. You can change the snaplen to any value from 0 to 65536.

  3. (Optional) Click Stop to stop the packet capture before any of the maximum limits are reached.

    To view the packets, refer to View & Download Packet Captures.
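The 96-byte default snaplen matters when a downloaded global capture is analysed: headers survive, but most payload does not, and it is worth confirming how much was cut before drawing conclusions from the file. The following Python is an added example, not ExtraHop code: it reads a classic pcap file, compares each record's captured length against its original length, and reports how many frames the snaplen truncated. The sample file is constructed in memory (zero-filled frames of chosen sizes); the appliance's actual pcap header contents are not documented here and are not assumed.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic microsecond-resolution pcap


def build_pcap(snaplen, frame_lengths):
    """Constructed sample file: one Ethernet frame per entry in frame_lengths,
    recorded the way a capture with the given snaplen stores it (incl_len capped
    at snaplen, orig_len kept). Payload bytes are zero filler, not real traffic."""
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, link type (1 = Ethernet)
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1))
    for i, orig in enumerate(frame_lengths):
        incl = min(orig, snaplen)
        out += struct.pack("<IIII", 1_000_000 + i, 0, incl, orig)  # ts_sec, ts_usec, incl_len, orig_len
        out += bytes(incl)
    return bytes(out)


def summarize_pcap(data):
    """Walk the record headers and count frames whose incl_len < orig_len,
    i.e. frames the snaplen cut short. Both byte orders of the classic magic
    are handled; nanosecond pcap and pcapng are rejected rather than misread."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    ghdr = struct.Struct(end + "IHHiIII")
    rhdr = struct.Struct(end + "IIII")
    _magic, _vmaj, _vmin, _tz, _sig, snaplen, linktype = ghdr.unpack_from(data, 0)
    off = ghdr.size
    packets = truncated = bytes_lost = 0
    while off < len(data):
        if off + rhdr.size > len(data):
            raise ValueError("truncated record header")
        _sec, _usec, incl, orig = rhdr.unpack_from(data, off)
        off += rhdr.size
        if off + incl > len(data):
            raise ValueError("record body runs past end of file")
        off += incl
        packets += 1
        if incl < orig:
            truncated += 1
            bytes_lost += orig - incl
    return {
        "snaplen": snaplen,
        "link_type": linktype,
        "packets": packets,
        "truncated": truncated,
        "bytes_lost": bytes_lost,
    }


# Constructed sample: four frames captured at the 96-byte default snaplen.
SAMPLE_PCAP = build_pcap(96, [60, 96, 1514, 512])

if __name__ == "__main__":
    print(summarize_pcap(SAMPLE_PCAP))
```

A high `truncated` ratio is expected for a 96-byte global capture; if the analysis needs full payloads, a trigger-based targeted capture with a larger snaplen is the right tool, not a wider global capture.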

Cluster Settings (ECM)

If your organization uses the ExtraHop Central Manager to manage multiple network capture points, you can use the Admin UI to manage the nodes.

On the ECM, the Cluster Settings section includes the following configurable settings:

  • Set ECM Name: Define a name for the ECM.

  • Nodes: View and modify the cluster and its individual nodes.

For more information about how the ECM works, refer to the ExtraHop website.

Set ECM Name

To set the ECM name:

  1. Go to the Cluster Settings section and click Set ECM Name.

  2. In the Set ECM Name pop-up window, enter a name and click Save.

Nodes

On the Nodes page of the ExtraHop Central Manager Admin UI, you can view and modify the ECM cluster and its individual nodes.

Cluster Activity

In the Cluster Activity section, you can view the history, update the firmware, and run a support pack.

View the History

To view historical information about the ECM cluster, click the History button and view the Cluster Activity History pop-up window.

Update the Firmware

To update the firmware on the cluster or specific nodes:

  1. Click the Update Firmware button.

  2. Click Choose File to select the firmware on your workstation. Click the Retrieve from URL link if you received a URL from ExtraHop Support.

  3. Click the All nodes radio button to update the firmware on all nodes, or click the Matching nodes radio button and enter search criteria to update specific nodes at a time.

  4. Click Upload.

Run a Support Pack

To run a support pack on the cluster or specific nodes:

  1. Click the Run Support Pack button.

  2. Click the Default Support Pack radio button to run the support pack from the current firmware, or click the Upload Support Pack radio button and Choose File to select a support pack on your workstation.

  3. Click the All nodes radio button to run the support pack on all nodes, or click the Matching nodes radio button and enter search criteria to run the support pack on specific nodes at a time.

  4. Click Submit.

Cluster Nodes

In the Cluster Nodes section, you can add, delete, and assign tags to nodes in the cluster.

Mouse over the node name to see more information about the node.

Mouse over the date or time added to see the full date and time the node was added.

Mouse over the status of a disabled node to view the last sync time.

Mouse over the gear icon to edit the cluster node, launch the shell, view the node in the Web UI, or view the node in the Admin UI.

Add a Node

To add a node:

  1. Click the Add Node button.

  2. In the Add Cluster Node pop-up window, enter the host IP address of the node, the setup password, optional product key, and nickname.

  3. Select the Reset Configuration checkbox only if you want to remove customizations, such as device groups, alerts, and triggers.

  4. Click Save.

The node appears in the list.

Delete a Node

To delete a node:

  1. Select the checkbox next to the node you want to delete.

  2. Click the Delete button.

  3. In the Delete Cluster Nodes pop-up window, click OK.

The node is removed from the list.

Add a Tag

To add a tag to a node:

  1. Select the checkbox next to the node to add the tag.

  2. Click the Tags button and select Add New Tag.

  3. In the Add Tag pop-up window, enter a name for the tag and select the radio button next to a color.

  4. Click Save.

Edit a Tag

To edit a tag:

  1. Click the Tags button and select the pencil icon next to the tag.

  2. In the Edit Tag pop-up window, rename the tag and/or select the radio button next to a new color.

  3. Click Save.

Delete a Tag

To delete a tag:

  1. Click the Tags button and select the red delete icon next to the tag.

  2. Click OK.

The tag is removed from the list.

Register the License

To force license registration on the nodes:

  1. Select the checkbox next to the node(s) to be registered.

  2. Click the More drop-down list and select License Register.

  3. In the Nodes License Registration pop-up window, click OK.

Enable a Node

To enable a node:

  1. Select the checkbox next to the node you want to enable.

  2. Click the More drop-down list and select Enable Nodes.

  3. In the Enable Nodes pop-up window, click OK.

The status light next to the node turns green.

Disable a Node

To disable a node:

  1. Select the checkbox next to the node you want to disable.

  2. Click the More drop-down list and select Disable Nodes.

  3. In the Disable Nodes pop-up window, click OK.

The status light next to the node turns blue.

Cluster Memberships

If your organization uses the ExtraHop Central Manager to manage multiple network capture points, you can use the Admin UI to connect your ExtraHop system to an ECM cluster.

To join a cluster:

  1. Go to the Cluster Memberships section and click Join a Cluster.

  2. In the Join a Cluster pop-up window, complete the fields and select the Reset Configuration checkbox if you want to remove local customizations. This checkbox is selected by default.

  3. Click Save.

    For more information about how the ECM works, refer to the ExtraHop website.

Access Settings

In the Access Settings section, you can change passwords, enable the support account, and define users in the ExtraHop system for remote authentication.

  • Change Password: Change the password for user accounts.

  • Support Account: Enable troubleshooting assistance from ExtraHop Support.

  • Users: Add and delete users, and modify user privileges.

  • Sessions: View and terminate user sessions on the ExtraHop system.

  • Remote Authentication: Enable users to log on to the ExtraHop system using their existing credentials.

  • API Keys: Generate and delete API keys.

Change Password

Admin UI users have privileges to change the password to their personal ExtraHop system account. ExtraHop system Admin UI administrators have privileges to change the password for any user that has an account stored locally in the ExtraHop Admin database. For more information about privileges for specific Admin UI users and groups, refer to Users.

The default password for Amazon Web Services (AWS) users is the string of numbers after the -i in the instance ID.

Change the Password Settings

You can only change passwords for local users, not users authenticated with LDAP.

  1. Go to the Access Settings section and click Change Password.

  2. On the Change Password page, select the user for which you want to set the password. Enter the password and click Save.

  3. Click OK.

Change the Default Password

ExtraHop recommends changing the default password for the setup account as soon as the evaluation period is complete. To remind administrators to make this change, there is a green button at the top of the page while the setup user is accessing the Admin UI. You can also change the password from the ExtraHop Login page.

  1. In the Admin UI, click the green Change default password button.

  2. The Change Password page displays without the drop-down menu for accounts. The password will change for the setup user only. Enter the password and click Save.

  3. Click OK.

Support Account

The support account provides access for the ExtraHop Support team to help customers troubleshoot issues with the ExtraHop system and Atlas Services remote analysis reports. This setting should be enabled only if your organization’s ExtraHop system administrator requests hands-on assistance from the ExtraHop Support team.

To enable the support account:

  1. Go to the Access Settings section and click Support Account.

  2. Click Support Account.

  3. To enable the support account, click Enable Support Account.

  4. The next page contains an encrypted key used by ExtraHop Support to access the ExtraHop appliance. Select the contents of the text box and send it to support@extrahop.com.

  5. Click Done to return to the main menu.

To enable the Atlas Remote UI account:

  1. Go to the Access Settings section and click Support Account.

  2. Click Atlas Remote UI Account.

  3. To enable the Atlas Remote UI account, click Enable Atlas Remote UI Account.

  4. The next page contains an encrypted key used by ExtraHop Support to access the ExtraHop appliance. Select the contents of the text box and send it to support@extrahop.com.

  5. Click Done to return to the main menu.

To disable the support account:

  1. On the Support Account page, click the type of account to disable.

  2. Click the Disable Support Account button.

To disable the Atlas UI account:

  1. On the Support Account page, click the type of account to disable.

  2. Click the Disable Atlas UI Account button.

Users

The Users page provides controls to add and delete users, and to change a user's access privileges in the ExtraHop system. Users with administrator-level privileges can add other users.

User accounts can be locally or remotely authenticated and authorized. For more information, refer to Remote Authentication.

  • When a user is authenticated and authorized locally, the user appears immediately in the managed users list. The user's permissions are managed in the ExtraHop system.

  • When a user is authenticated remotely but authorization is managed locally, the user appears in the managed users list after the first login. The user's permissions are managed in the ExtraHop system.

  • When a user is both authenticated and authorized remotely, the user does not appear in the managed users list. The user's permissions are managed in the remote server.

    The local user account overrides all remote user account settings.

Add a User

To add a user to the ExtraHop system:

  1. Go to the Access Settings section and click Users.

  2. The current users and their permissions are listed. Click the Add User button.

  3. Fill in the New User form. All fields are required. Enter the personal information, select the correct permission for the user, and then select the Enabled checkbox. Each enabled user must have a permission selected.

  4. Click Save.

The Users page displays the newly created user in the list.

Modify an Account

To change the account settings for a selected user:

  1. Go to the Access Settings section and select Users.

  2. The current users and their permissions are listed. Click the Change link next to the account to be modified.

  3. On the User:[User] page, modify the permissions or change the full name and then click Save.

The Users page displays with the changes shown.

To remove an account from the system, click Delete next to the name of the account on the Users page. Remote user records are removed from the ExtraHop system only when they are manually deleted.

Default Accounts

The following accounts are preconfigured in the system. All accounts except shell are accessible at https://[IP address]/admin, where [IP address] is the IP address displayed on the LCD at the front of the ExtraHop appliance.

The shell account allows access to the ExtraHop command line interface (CLI). This user only allows access to the non-administrative shell commands. To access the privileged system configuration shell commands, the user types enable and authenticates with the setup user password. The default password for this account is the service tag number on the right-front bracket of the appliance.

The setup account has full access privileges. The default password for this account is the service tag number on the right-front bracket of the appliance.

The admin account has read/write access to the ExtraHop Web UI. The default password for this account is admin.

The operator account has limited access to the ExtraHop Web UI. It is disabled by default but can be enabled and given the appropriate set of privileges. It does not have a preset password, so a password needs to be set manually prior to use.

The readonly account has read-only access to the ExtraHop Web UI. It does not have a preset password, so a password needs to be set manually prior to use.

The default password for Amazon Web Services (AWS) users is the string of numbers after the -i in the instance ID.

For a quick reference of the default accounts, refer to the following table.

Account    Privileges
shell      Full Access (CLI, Admin UI, and Web UI)
setup      Full Access (CLI, Admin UI, and Web UI)
admin      Read/Write
operator   Limited
readonly   Read-Only

Permissions

An administrator can give users the following permissions.

Permission                  Description
Full System Privileges      Manage the ExtraHop system through the Admin UI.
                            Access system configuration commands in the ExtraHop command line interface (CLI) through the enable command.
                            Create and modify objects in the Web UI, such as devices and alerts.
                            Connect an ECM to one or more nodes.
Full Write Privileges       Create and modify objects in the Web UI, such as devices and alerts.
Limited Write Privileges    Create and modify summary widgets on the dashboard.
Read-Only Privileges        Cannot make changes.
No Privileges               Cannot view the UI.
Cluster Node UI Privileges  Use the ECM to add and remove nodes.

Sessions

The ExtraHop system provides controls to view the active user connections and terminate user sessions. This list is sorted by expiry date, which corresponds to the date they were created.

To view active sessions, go to the Access Settings section and click Sessions.

Remote Authentication

The ExtraHop system supports remote user authentication. It enables organizations that have authentication systems such as LDAP, RADIUS, or TACACS+ to allow all or a subset of their users to log on to the ExtraHop system using their existing credentials.

Centralized authentication provides the following benefits:

  • User password synchronization

  • Automatic creation of ExtraHop accounts for users without administrator intervention

  • Management of ExtraHop privileges based on LDAP groups

To use remote authentication, you must have a remote server with one of the following configurations:

  • LDAP (such as OpenLDAP or Active Directory)

  • RADIUS

  • TACACS+

Administrators can grant access to ExtraHop systems to all known users or restrict access by using LDAP filters.

LDAP

The ExtraHop system supports the Lightweight Directory Access Protocol (LDAP) for authentication and authorization. ExtraHop authentication only queries for user accounts; it does not use any other entities that may be in the LDAP directory.

Users whose credentials are not stored locally are authenticated against the remote LDAP server using their username and password when they attempt to log on to the ExtraHop system. When a user attempts to log on to the ExtraHop UI, the ExtraHop system:

  • Attempts to authenticate the user locally.

  • Attempts to authenticate the user through the LDAP server if the user does not exist locally and the ExtraHop system is configured to use LDAP for remote authentication.

  • Logs the user on to the ExtraHop system if the user exists and the password is validated through LDAP. The LDAP password is not stored locally on the ExtraHop system.

If the user does not exist or an incorrect password is used, an error message appears with the login page.

Ensure that each user to be remotely authorized is in a permission-specific group on the LDAP server before beginning this procedure.

To authenticate with LDAP on the ExtraHop system:

  1. Go to the Access Settings section and click the Change icon next to Remote Authentication.

  2. In the Methods section, select the LDAP option and click Continue.

  3. On the LDAP Settings page, complete the following fields:

    • Hostname (required): Specifies the hostname or IP address of the LDAP server. Make sure that the ExtraHop system's DNS is properly configured when using hostnames.

    • Port (required): Specifies the port on which the LDAP server is listening. Port 389 is the standard cleartext LDAP server port. Port 636 is the standard port for secure LDAP (ldaps/tls ldap).

    • Base DN (required): Specifies the base of the LDAP search used to find users. The base DN must contain all user accounts that will have access to the ExtraHop system. The users can be direct members of the base DN or nested within an OU within the base DN if the Whole Subtree option is selected for the Search Scope defined below. Consult your LDAP administrator to learn what your organization uses. Examples include:

      • Active directory canonical name: example.com/people

        LDAP base DN: ou=people,dc=example,dc=com

      • Active directory canonical name: example.com/people/employees/portland

        LDAP base DN: ou=portland,ou=employees,ou=people,dc=example,dc=com

    • Login Attribute (required): Specifies the login attribute that holds the user's username attribute in the LDAP database. Examples include:

      • uid: A username attribute typically used in Unix LDAP environments.

      • sAMAccountName: An account name attribute typically used in Active Directory (AD) environments.

    • Search Filter: Specifies the criteria used when searching the LDAP directory for user accounts. Examples include:

      objectclass=person
      objectclass=*
      &(objectclass=person)(ou=webadmins)

      A search filter of objectclass=* matches all entities and is the default wildcard.

    • Search Scope: Specifies the scope of the directory search when looking for user entities. Options include:

      • Single level: This option looks for users that exist in the base DN; not any subtrees.

        For example, with a Base DN value of dc=example,dc=com, it would find a user uid=jdoe,dc=example,dc=com, but would not find uid=jsmith,ou=seattle,dc=example,dc=com.

      • Whole subtree: This option looks recursively under the base DN for matching users.

        For example, with a Base DN value of dc=example,dc=com, it would find both the user uid=jdoe,dc=example,dc=com and uid=jsmith,ou=seattle,dc=example,dc=com.

    • Bind DN: If set, this specifies the Distinguished Name (DN) used by the ExtraHop system to authenticate with the LDAP server to perform the user search. The bind DN must have list access to the base DN and any OU, groups, or user account required for LDAP authentication. If this value is not set, then an anonymous bind is performed. Note that anonymous binds are not enabled on all LDAP servers. Using the active directory canonical name example.com/people, Bind DN examples include:

      cn=admin, ou=users, dc=example,dc=com
      uid=nobody,ou=people,dc=example,dc=com

      To verify whether anonymous binds are enabled, contact your LDAP administrator.

    • Bind Password: Specifies the password used when authenticating with the LDAP server as the bind DN specified above. If you are using an anonymous bind, leave this setting blank. In some cases, an unauthenticated bind is possible, where you supply a Bind DN value but no bind password. Again, consult your LDAP administrator for the proper settings.

    • SSL: Specifies if encryption should be used when making LDAP requests. Options include:

      • None: This option specifies the use of cleartext TCP sockets, typically port 389. Warning: All passwords are sent across the network in cleartext in this mode.

      • LDAPS: This option specifies LDAP wrapped inside SSL, typically on port 636.

      • StartTLS: This option specifies the use of TLS LDAP, typically on port 389. (SSL is negotiated before any passwords are sent.)

      If you are not sure which options are available, consult your LDAP administrator.

      Clicking your browser’s Back button during this process could result in lost changes.

  4. Click Test Settings. If the settings test succeeded, a message in green text appears near the top of the page. If the settings test failed, a message in red text lists the errors.

  5. Click Save & Continue.

  6. Determine whether you want to use local or remote authorization.

    1. Local authorization: By default, remote users have full write access. If you wish to grant all remote users read-only privileges by default, select Remote users have Read Only access.

      You can add read-write permissions on a per-user basis later through the Users page in the Admin UI.

    2. Remote authorization: You may also choose to obtain a permissions level from a remote server. When you select the Obtain permissions… option, you must complete at least one of the following fields to define the remote permissions:

      These must be groups (not organizational units) that are pre-defined on the LDAP server. A user account with access must be a direct member of a defined group. User accounts that are only members of a group that is itself a member of a group defined above will not have access. If the groups are not present, the users will not be authenticated on the ExtraHop system.

      The ExtraHop system supports the following types of group membership:

      • Active Directory: memberOf

      • Posix: posixGroups, groupofNames, and groupofuniqueNames

      Examples:

      Given the base DN:

      ou=seattle,ou=washington,dc=usa,dc=example,dc=com

      and the bind DN:

      cn=ehaccess,ou=admins,ou=seattle,ou=Washington,dc=usa,dc=example,dc=com

      and the Search Scope set to Whole Subtree, any user account in the usa.example.com domain that is a member of:

      cn=extrahop-readonly,ou=groups,ou=seattle,ou=washington,dc=usa,dc=example,dc=com

      and is nested within:

      ou=seattle,ou=washington,dc=usa,dc=example,dc=com

      would have read-only access on the ExtraHop system.

      Examples of accounts with access:

      cn=JDoe,ou=users,ou=seattle,ou=washington,dc=usa,dc=example,dc=com

      cn=admin,ou=seattle,ou=washington,dc=usa,dc=example,dc=com

      Examples of accounts without access:

      cn=JaneD,ou=users,dc=usa,dc=example,dc=com

      cn=Administrator,dc=usa,dc=example,dc=com

  7. Click Save & Finish.

  8. Click Done.

The Remote Authentication page appears with the new settings.
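The following is an added example, not ExtraHop code, that models the remote-authorization rule described above so you can predict which accounts will get access before you save the settings. It does not contact a directory server: a small constructed in-memory "directory", built from the DNs in the examples above plus a nested group, stands in for LDAP search results. It assumes that DNs are compared case-insensitively after trimming whitespace (which is why ou=Washington and ou=washington match) and that membership is read from the user's memberOf attribute (Active Directory) or from the group's member, uniqueMember or memberUid attribute (groupOfNames, groupOfUniqueNames, posixGroup). Nested groups are deliberately not expanded, matching the rule above.

```python
"""Model of the ExtraHop LDAP remote-authorization rule (added example)."""


def norm_dn(dn: str) -> str:
    """Canonical form for DN comparison: lowercase, no space around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def in_scope(user_dn: str, base_dn: str, scope: str) -> bool:
    """scope 'subtree' (Whole Subtree): any entry below the base DN.
    scope 'onelevel' (Single Level): only entries directly under it."""
    u, b = norm_dn(user_dn), norm_dn(base_dn)
    if not u.endswith("," + b):
        return False
    if scope == "subtree":
        return True
    # single level: exactly one RDN between the entry and the base DN
    return "," not in u[: -len(b) - 1]


def direct_member(user_dn, user_attrs, group_dn, group_attrs) -> bool:
    """True only when the user is listed in the group itself (or the group in
    the user's memberOf); membership through an intermediate group does not count."""
    g, u = norm_dn(group_dn), norm_dn(user_dn)
    if any(norm_dn(v) == g for v in user_attrs.get("memberOf", [])):
        return True
    members = group_attrs.get("member", []) + group_attrs.get("uniqueMember", [])
    if any(norm_dn(m) == u for m in members):
        return True
    # posixGroup lists uid values rather than DNs
    return any(uid in group_attrs.get("memberUid", []) for uid in user_attrs.get("uid", []))


def permission(user_dn, directory, base_dn, scope, group_roles):
    """Return the access level mapped to the first configured group the user is
    a direct member of, or None when the user would not be authenticated."""
    user_attrs = directory.get(norm_dn(user_dn))
    if user_attrs is None or not in_scope(user_dn, base_dn, scope):
        return None
    for group_dn, role in group_roles.items():
        group_attrs = directory.get(norm_dn(group_dn))
        if group_attrs is None:
            continue  # group missing on the server: no access through it
        if direct_member(user_dn, user_attrs, group_dn, group_attrs):
            return role
    return None


# Constructed directory: extrahop-readonly is the group from the example above;
# netops is an extra group nested inside it to show that nesting is ignored.
BASE_DN = "ou=seattle,ou=washington,dc=usa,dc=example,dc=com"
RO_GROUP = "cn=extrahop-readonly,ou=groups," + BASE_DN
NESTED_GROUP = "cn=netops,ou=groups," + BASE_DN
JDOE = "cn=JDoe,ou=users,ou=seattle,ou=Washington,dc=usa,dc=example,dc=com"
ADMIN = "cn=admin," + BASE_DN
JANED = "cn=JaneD,ou=users,dc=usa,dc=example,dc=com"
BOB = "cn=bob,ou=users," + BASE_DN

DIRECTORY = {norm_dn(dn): attrs for dn, attrs in {
    JDOE: {"uid": ["jdoe"], "memberOf": [RO_GROUP]},       # AD-style membership
    ADMIN: {"uid": ["admin"]},                              # listed by the group itself
    JANED: {"uid": ["janed"], "memberOf": [RO_GROUP]},     # member, but outside the base DN
    BOB: {"uid": ["bob"], "memberOf": [NESTED_GROUP]},     # only nested membership
    RO_GROUP: {"objectClass": ["groupOfNames"], "member": [ADMIN, NESTED_GROUP]},
    NESTED_GROUP: {"objectClass": ["groupOfNames"], "member": [BOB]},
}.items()}

GROUP_ROLES = {RO_GROUP: "readonly"}


def decide(user_dn: str):
    """Access level for a user under the configuration from the example above."""
    return permission(user_dn, DIRECTORY, BASE_DN, "subtree", GROUP_ROLES)
```

To check the same thing against a live directory, run an ldapsearch with the bind DN you entered in the Admin UI and confirm that the group entry lists the user in member (or uniqueMember/memberUid), or that the user entry lists the group in memberOf; a user that only appears through a nested group will be refused by the appliance.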

RADIUS

The ExtraHop system supports Remote Authentication Dial In User Service (RADIUS) for remote authentication and local authorization only.

To configure RADIUS authentication for the ExtraHop system:

  1. Go to the Access Settings section and click Remote Authentication.

  2. In the Methods section, select RADIUS and click Continue.

  3. On the Add RADIUS Server page, enter the host, secret, and timeout information and click Add Server. Use a long, randomly generated shared secret; RADIUS relies on it to authenticate the server's responses and to obscure the user password in transit.

  4. Add multiple servers as needed.

  5. Click Continue to enable remote authentication.

  6. By default, remote users have full write access. If you wish to grant all remote users read-only privileges by default, select Remote users have Read Only access.

  7. Click Save & Finish.

  8. Click Done.

The Remote Authentication page appears with the new settings.

TACACS+

The ExtraHop system supports Terminal Access Controller Access-Control System Plus (TACACS+) for remote authentication and authorization.

Ensure that each user to be remotely authorized has the ExtraHop service configured on the TACACS+ server before beginning this procedure.

To configure TACACS+ authentication for the ExtraHop system:

  1. Go to the Access Settings section and click Remote Authentication.

  2. In the Methods section, select TACACS+ and click Continue.

  3. On the Add TACACS+ Server page, enter the host, secret, and timeout information and click Add Server.

  4. Add multiple servers as needed.

  5. Click Continue.

  6. Determine whether you want to do local or remote authorization.

    1. Local Authorization: By default, remote users have full write access. If you wish to grant all remote users read-only privileges by default, select Remote users have Read Only access.

    2. Remote Authorization: On the TACACS+ server, set up the ExtraHop service by adding the attribute service=extrahop and setting one of the following permissions:

      readonly=1
      readwrite=1
      limited=1
      setup=1

      Example:

      user = dave {
         ...
         service = extrahop {
            readonly=1
         }
      }
  7. Click Save & Finish.

  8. Click Done.

The Remote Authentication page appears with the new settings.

API Keys

You can generate API keys in the ExtraHop system to authenticate a user to the REST API. An API key is equivalent to that user's password for the REST API: anyone who holds the key can act as the user, so ensure that all generated keys remain private and are never embedded in shared scripts or repositories.

To generate an API key in the ExtraHop system:

  1. Go to the Access Settings section and click API Keys.

  2. Enter a description for your key and click Generate New.

    The API key appears in the list.

Configuration

This section contains ExtraHop system configuration settings that can be changed using the Admin UI.

  • Running Config: Download and modify the running configuration file.

  • Geomap Data Source: Modify the information in geomaps.

  • Datastore & Customizations: Reset the datastore and modify customizations.

  • Open Data Streams: Send log data to another system.

  • Capture: Configure the network capture settings.

  • Trends: Reset all trends and trend-based alerts.

Running Config

The Running Config settings let you change the default ExtraHop system configuration settings and save those changes to disk. The Running Config page provides an interface to view and modify the code that defines the system configuration and to save the current running configuration to disk so that the modified settings persist after a system restart.

The ExtraHop Admin UI includes the following controls to manage the default running system configuration settings:

  • Save: Save changes to the current default system configuration.

  • Edit: View and edit the underlying code that defines the ExtraHop default system configuration.

  • Download as a File: Download the system configuration to your workstation.

    Making configuration changes to the code on the Edit page is not recommended. You can make most modifications using other pages in the Admin UI.

Save

When you modify any of the ExtraHop default system configuration settings, you need to confirm the updates by saving the new settings.

To save any modified system configuration settings:

  1. Go to the Configuration section and click Running Config.

  2. On the Running Config page, click Save.

  3. In the confirmation dialog box, click OK.

The Save page includes a diff feature that displays the changes. This feature provides a final review step before you write the new configuration changes to the default system configuration settings.

When you make a change to the running configuration, either from the View/Modify page or from another system settings page in the Admin UI, the change is saved in memory and takes effect immediately, but it is not automatically saved to disk. If the system restarts before the running configuration is saved to disk, these changes are lost.

For example, if you make a change to a protocol classification setting on the Protocol Classification page, the change (in memory) takes effect immediately, but it does not permanently change the running configuration until you save the changes. As a reminder that the running configuration has changed, the Admin UI provides the following three notifications:

  • View & Save Changes button: The Admin UI displays this button on the page that you modified to remind you to save the change to disk. Clicking it redirects to the Save page described above.

  • Running Config*: The Admin UI adds a red asterisk (*) next to the Running Config entry on the Admin UI main page. This asterisk indicates that the running configuration has been changed, but it has not been saved to disk.

  • Save*: The Admin UI adds a red asterisk (*) next to the Save entry on the Running Config page. This asterisk indicates that the running configuration has been changed, but it has not been saved to disk.

After you make changes to the running configuration, the Running Config page displays another entry through which you can revert the changes.

To revert your changes without saving them to disk:

  1. On the Running Config page, click Revert.

  2. Click Revert again.

  3. Click OK to confirm the action.

Edit

The ExtraHop Admin UI provides an interface to view and modify the code that defines the default system configuration. In addition to making changes to the running configuration through the settings pages in the Admin UI, changes can also be made on the Running Config page.

Do not modify the code on the Running Config page unless instructed by ExtraHop Support.

Download as a File

You can download the Running Config settings to your workstation in text file format. Click Download as a File and open the text file to make changes locally before copying them into the Running Config window.
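The Save page's diff feature shows what changed in memory; the same review is worth doing against a baseline you keep off the appliance, so that an unexpected change (for example, to remote authentication or an open data stream) is caught even after someone saved it. The following is an added example, not an ExtraHop tool: it compares a downloaded Running Config file with a baseline copy. The page does not state the file format, so the check treats both as text and, when they also parse as JSON, additionally reports changes by key path. The two sample documents are constructed and use hypothetical keys.

```python
"""Drift check for a downloaded Running Config file (added example)."""
import difflib
import json


def flatten(obj, prefix=""):
    """Flatten nested dicts and lists into {'a.b[0].c': value}."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}.{key}" if prefix else str(key)))
        return out
    if isinstance(obj, list):
        out = {}
        for index, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}[{index}]"))
        return out
    return {prefix: obj}


def config_drift(baseline: str, current: str) -> dict:
    """Describe how `current` differs from `baseline`.

    lines   : unified diff lines (empty when the files are identical)
    added   : key paths present only in current   (JSON inputs only)
    removed : key paths present only in baseline  (JSON inputs only)
    changed : {key path: (old value, new value)}  (JSON inputs only)
    """
    lines = list(difflib.unified_diff(
        baseline.splitlines(), current.splitlines(),
        fromfile="baseline", tofile="current", lineterm=""))
    result = {"lines": lines, "added": [], "removed": [], "changed": {}}
    try:
        old, new = flatten(json.loads(baseline)), flatten(json.loads(current))
    except ValueError:
        return result  # not JSON: the line diff is all that can be offered
    result["added"] = sorted(set(new) - set(old))
    result["removed"] = sorted(set(old) - set(new))
    result["changed"] = {key: (old[key], new[key])
                         for key in sorted(set(old) & set(new)) if old[key] != new[key]}
    return result


def drifted(baseline: str, current: str) -> bool:
    """True when the download differs from the baseline and needs review."""
    return bool(config_drift(baseline, current)["lines"])


# Constructed sample: a baseline captured after deployment and a later download
# in which remote users gained write access, syslog export moved to plain UDP,
# and an SSL decryption key appeared.  Key names are hypothetical.
BASELINE = json.dumps({
    "remote_auth": {"method": "ldap", "remote_users_read_only": True},
    "open_data_streams": {"syslog": [{"host": "siem.example.com", "protocol": "tcp", "port": 6514}]},
}, indent=2, sort_keys=True)

CURRENT = json.dumps({
    "remote_auth": {"method": "ldap", "remote_users_read_only": False},
    "open_data_streams": {"syslog": [{"host": "siem.example.com", "protocol": "udp", "port": 514}]},
    "ssl_decryption": {"keys": ["corp-wildcard"]},
}, indent=2, sort_keys=True)

if __name__ == "__main__":
    report = config_drift(BASELINE, CURRENT)
    print("\n".join(report["lines"]))
    for key, (old, new) in report["changed"].items():
        print(f"changed {key}: {old!r} -> {new!r}")
    for key in report["added"]:
        print(f"added   {key}")
```

Keep the baseline under version control and re-run the check after each firmware update or administrative session; a non-empty report is the cue to open the Save page and review before trusting the appliance configuration.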

Geomap Data Source

This section lets you control the data that geomaps use to place IP addresses.

  • GeoIP Database: Upload a user-defined database.

  • IP Location Override: Override missing or incorrect IP locations in the database.

GeoIP Database

The GeoIP Database specifies the current database being used by the ExtraHop system and enables you to choose between a default or user-uploaded database.

To modify the GeoIP Database:

  1. Go to the Configuration section and click Geomap Data Source.

  2. Click GeoIP Database.

  3. Click Choose File to upload a database in .dat format from your workstation.

  4. Select the radio button next to one of the options and click Save.

IP Location Override

The IP Location Override page enables you to override missing or incorrect IP locations in the database. Paste a tab- or comma-delimited list of overrides (for example, copied from a spreadsheet) into the text box. The columns are IP Address (a CIDR block), Latitude, Longitude, City, State/Region, Country Name, and ISO Country Code. You may edit and delete items as necessary, but you must ensure there is data present for each of the seven columns. For more information about ISO country codes, refer to https://www.iso.org/obp/ui/#search and click Country Codes.

To use IP location override:

  1. Enter seven columns of data for each entry and click Save.

  2. Go to the Geomaps interface and mouse over the location.
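The page requires seven populated columns per row but does not say what happens to a malformed row, so it pays to validate the list before pasting it. The following is an added example, not part of the ExtraHop product: it parses a tab- or comma-delimited override list, checks that each row has exactly seven columns with data, that the IP Address is a valid CIDR block with no host bits set, that latitude and longitude are in range, and that the ISO code is a two-letter alpha-2 code. It also flags overlapping CIDR blocks, because the page does not say which override wins when blocks overlap. The sample rows are constructed and use documentation address ranges.

```python
"""Validator for an IP Location Override list (added example)."""
import csv
import io
import ipaddress

COLUMNS = ("ip_address", "latitude", "longitude", "city",
           "state_region", "country_name", "iso_code")


def _sniff_delimiter(text: str) -> str:
    """Tab if the first line contains one, otherwise comma."""
    first = text.lstrip().splitlines()[0] if text.strip() else ""
    return "\t" if "\t" in first else ","


def parse_overrides(text: str):
    """Return (rows, errors).  rows: dicts with ip_address parsed to an
    ip_network and coordinates as floats; errors: 'line N: message' strings.
    A row with any problem is reported and left out of rows, so a caller can
    refuse to paste a partially valid list."""
    rows, errors = [], []
    reader = csv.reader(io.StringIO(text), delimiter=_sniff_delimiter(text))
    for lineno, fields in enumerate(reader, start=1):
        if not fields or not any(f.strip() for f in fields):
            continue  # blank line
        fields = [f.strip() for f in fields]
        if len(fields) != len(COLUMNS):
            errors.append(f"line {lineno}: expected 7 columns, got {len(fields)}")
            continue
        row = dict(zip(COLUMNS, fields))
        problems = []
        if any(value == "" for value in row.values()):
            problems.append("every column must contain data")
        try:
            # strict=True rejects e.g. 192.0.2.17/24, which is almost always a typo
            row["ip_address"] = ipaddress.ip_network(row["ip_address"], strict=True)
        except ValueError:
            problems.append(f"ip_address {row['ip_address']!r} is not a valid CIDR block")
        for key, limit in (("latitude", 90.0), ("longitude", 180.0)):
            try:
                value = float(row[key])
                if not -limit <= value <= limit:
                    raise ValueError
                row[key] = value
            except ValueError:
                problems.append(f"{key} {row[key]!r} must be a number between -{limit:g} and {limit:g}")
        code = row["iso_code"]
        if not (len(code) == 2 and code.isascii() and code.isalpha() and code.isupper()):
            problems.append(f"iso_code {code!r} must be a two-letter ISO 3166-1 alpha-2 code")
        if problems:
            errors.extend(f"line {lineno}: {p}" for p in problems)
        else:
            rows.append(row)
    return rows, errors


def overlapping(rows):
    """Index pairs whose CIDR blocks overlap; the override to apply is ambiguous."""
    return [(i, j) for i in range(len(rows)) for j in range(i + 1, len(rows))
            if rows[i]["ip_address"].overlaps(rows[j]["ip_address"])]


# Constructed sample: two good rows, one row with three faults, one with host
# bits set in the CIDR block.
SAMPLE = "\n".join([
    "203.0.113.0/24,47.6062,-122.3321,Seattle,Washington,United States,US",
    "198.51.100.0/25,51.5074,-0.1278,London,England,United Kingdom,GB",
    "192.0.2.0/24,91.5,10.0,Nowhere,,Atlantis,ATL",
    "192.0.2.17/24,1,1,Bad,Prefix,Host bits set,ZZ",
])

if __name__ == "__main__":
    good, bad = parse_overrides(SAMPLE)
    print(f"{len(good)} valid rows, {len(bad)} problems")
    for line in bad:
        print(line)
```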

Datastore and Customizations

The ExtraHop system includes a self-contained, streaming datastore for recording and retrieving performance and health metrics in real time. The datastore bypasses the OS file system and accesses the underlying block devices directly rather than using conventional relational databases.

The ExtraHop Admin UI includes the following datastore configuration settings:

  • Local Datastore: Remove all devices and device metrics from the datastore.

  • Extended Datastore Settings: Configure an external NFS or CIFS mount for long-term storage of 5-minute, 1-hour, and 24-hour metrics.

  • View Saved Customizations: View, restore, or download saved customizations. Datastore configuration settings from one ExtraHop appliance can be uploaded to another ExtraHop appliance in a multiple-appliance deployment.

  • Save Customizations: Save the current set of datastore configuration settings.

  • Upload & Restore Customizations: Upload and restore datastore configuration settings so that datastore configuration settings can be consistent across multiple ExtraHop appliances. The ExtraHop system stores the last three user-saved datastore configurations.

Local Datastore Settings

The local datastore maintains records for all devices discovered by the ExtraHop system. Device metrics are collected and stored in the datastore to provide quick access to the latest network capture as well as historic and trend-based information about selected devices.

Resetting the ExtraHop datastore deletes device IDs and device metrics from the ExtraHop system. Do not perform this operation unless you want to erase all device information from the system.

The ExtraHop system is provisioned to retain metrics for 30 days. Access to historical metrics is essential for performance tuning, troubleshooting, and capacity planning. Additionally, historical metrics are used internally for trend analysis.

In certain circumstances such as moving the ExtraHop system from one network to another, you might need to clear the metrics in the datastore. Resetting the datastore removes all metrics, baselines, trend analyses, and discovered devices. Alerts that have been configured are retained, but they must be reapplied to the correct network, device, or device group. System settings and user accounts are unaffected.

You can reset the datastore using either the Admin UI or the command line interface (CLI). Before you reset the datastore, you may want to save device and network customizations. Saved customizations are applied only to devices that have been discovered by the ExtraHop system, which typically takes a few minutes after resetting the datastore. For more information about saving customizations, refer to Save.

To reset the datastore in the Admin UI:

  1. Go to the Configuration section, click Datastore and Customizations, and click Local Datastore.

  2. On the confirmation page, select the Save Customizations checkbox, select the checkbox to remove older packet captures (optional), type YES, and click Reset Datastore.

  3. Wait approximately one minute. When the datastore reset is complete, the browser prompts you to restore customizations.

  4. If you chose to restore customizations, the browser redirects to a detailed list of imported customizations. For more information, refer to Upload & Restore Customizations.

  5. Click OK.

  6. Go to the Web UI to view the devices that were discovered after the datastore reset. Wait approximately one minute for the system to discover and display new devices.

To reset the datastore in the CLI:

  1. Access the ExtraHop CLI using one of the following three methods:

    • From a USB keyboard and SVGA monitor directly connected to the appliance

    • Using an RS-232 serial cable and a terminal-emulator program. The terminal emulator must be set to 115200 bps with 8 data bits, no parity, and 1 stop bit (8N1). Hardware flow control must be disabled.

    • Secure shell (SSH)

  2. Connect to the ExtraHop system. The login is shell and the password is the service tag number on the pullout tab on the front of the appliance.

  3. Enable the administration controls. The password is the service tag number on the right-front bracket of the appliance. Because the service tag is printed on the chassis, treat these as default credentials that anyone with physical access can read, not as secrets.

    extrahop>enable

  4. Reset the datastore.

    extrahop#reset datastore

Extended Datastore Settings

The ExtraHop system enables you to write and store metrics externally on your own storage.

By default, the ExtraHop system automatically collects fast (30-second), medium (5-minute), and slow (1-hour) metrics locally. You can configure the ExtraHop system to collect 24-hour metrics in addition to 5-minute and 1-hour metrics on an extended datastore. The ExtraHop system supports NFS version 4, NFS version 4 with Kerberos, and CIFS (with optional authentication).

To set up an extended datastore, you must have administrative access and a licensed system. Setting up an extended datastore involves configuring Kerberos authentication settings (if applicable), adding mounts, and configuring the datastores. Once you have added a mount, you can configure the extended datastore to add storage space, upgrade to a new system, or archive data.

Configure Kerberos Authentication Settings (NFS Only)

Before adding an NFS mount that requires Kerberos authentication, configure the Kerberos authentication settings.

To configure the Kerberos authentication settings:

  1. Go to the Configuration section and click Datastore & Customizations.

  2. Go to the Extended Datastore Settings section and click Configure Mounts.

  3. Click Add Kerberos Config.

  4. Complete the following fields:

    • Admin Server: The Kerberos administration server (the kadmind host) for the realm.

    • Key Distribution Center (KDC): The server that issues Kerberos tickets. (This can be the same host as the admin server.)

    • Realm: Name of the Kerberos realm for your configuration.

    • Domain: The DNS domain that maps to the Kerberos realm.

  5. For Keytab File, click the Choose File button, and navigate to the keytab file. Select the keytab file, and click Open. The keytab holds the long-term key of the principal, so create a principal dedicated to the appliance and protect the file as you would a password.

Add Mounts

You can add NFS mounts, CIFS mounts, or both.

If a mount goes off the network, the ExtraHop system buffers metrics in memory until the allocated memory is full. Once the memory is full, the system discards the oldest blocks in memory until the connection is restored. When the mount is reconnected, everything still in memory is written, so metrics discarded while the mount was unreachable are lost.

If an extended datastore file is lost or corrupted, metrics from the time period contained in that file are unavailable for display. Other files in the extended datastore remain intact.

NFS Mounts

To add an NFS mount:

  1. Go to the Configuration section and click Datastore & Customizations.

  2. Go to the Extended Datastore Settings section and click Configure Mounts.

  3. Click Add NFSv4 Mount.

  4. Under Configure NFSv4 Mount, complete the following fields:

    • Mount Name: A name for the mount; for example, EXDS.

    • Remote Share Path: The path for the mount in the following format:

      host:/mountpoint

      For example, herring:/mnt/extended-datastore

  5. Click the Authentication drop-down list and select an authentication type:

    • None

    • Kerberos: For krb5 security (authentication only).

    • Kerberos (Secure Auth and Data Integrity): For krb5i security (authentication plus integrity checking of each message).

    • Kerberos (Secure Auth, Data Integrity, Privacy): For krb5p security (authentication, integrity, and encryption of the data).

      With None or krb5, the metrics themselves cross the network unencrypted; select krb5p if the path to the NFS server is not trusted.

  6. Click Save.

    A new section appears under NFSv4 Mounts with the mount's information auto-populated. The data is preserved on the remote storage.

CIFS Mounts

To add a CIFS mount:

  1. Go to the Configuration section and click Datastore & Customizations.

  2. Go to the Extended Datastore Settings section and click Configure Mounts.

  3. Click Add CIFS Mount.

  4. Under Configure CIFS Mount, complete the following fields:

    • Share Name: A name for the share; for example, EXDS_CIFS

    • Remote Share Path: The path for the share in the following format:

      \\host\mountpoint

      For example, \\herring\extended-datastore

    • Domain: The site domain.

  5. If password protection is required, complete the following:

    1. Click the Authentication drop-down list, and select Password.

    2. Complete the User and Password fields.

  6. Click Save.

    A new section appears under CIFS Mounts with the mount's information auto-populated. The data is preserved on the remote storage.

Configure the Datastores

You can configure up to three active datastores—one for each cycle—and organize them as desired. For example, you can have three datastores on one share, or two datastores on one share plus a third datastore on a second share.

Once you have added a mount, you can configure the extended datastore to add storage space, upgrade to a new system, or archive data, as described in the following sections.

When you configure the datastore, keep in mind the following:

  • If one ExtraHop system is writing to an external datastore, then no other system can write to it. If no ExtraHop is writing to an external datastore, then multiple ExtraHop systems can read from it.

  • If an extended datastore contains multiple files with overlapping time stamps, metrics will be incorrect.

  • The ExtraHop system cannot read metrics committed to the extended datastore by a later ExtraHop firmware version.

Add Storage Space

Follow this procedure after you have added an NFS or CIFS mount. To add storage that you plan to actively use:

  1. On the Configure Extended Datastore page, select the mount name and complete the Datastore Directory field.

  2. By default, the system records 24-hour metrics. Click the checkbox to also record 5-minute and 1-hour metrics.

  3. Select the Move existing radio button.

  4. Select Overwrite to overwrite older data when the drive is full.

  5. Click Configure.

    Once the storage is added, the Status reads "Nominal".

Upgrade Your System

Follow this procedure after you have added an NFS or CIFS mount. To upgrade to a new ExtraHop system:

  1. On the old ExtraHop system (ExtraHop A), write the metrics to an external store using the Add Storage Space procedure above.

  2. On the Configure Extended Datastore page of ExtraHop A, click Disconnect Extended Datastore.

  3. Type YES and click OK to confirm.

  4. On the new ExtraHop system (ExtraHop B), click Import Metrics from External Datastore.

  5. Enter the name for the datastore directory that you configured for ExtraHop A and click Import Metrics.

  6. Type YES and click OK to confirm the datastore reset on ExtraHop B.

    The Import Metrics screen on ExtraHop B shows no mounts configured. The 5-minute and 1-hour metrics are now on the internal datastore of ExtraHop B.

Archive Data

Follow this procedure after you have added an NFS or CIFS mount. This procedure assumes you have an extended datastore that is full and you want to archive it. To back up ExtraHop data for long-term archiving:

  1. On the Configure Extended Datastore page, select the mount name and complete the Datastore Directory field.

  2. In the Configure as section click Archive (Read Only).

  3. Click Configure.

  4. Once the data is archived, the Status reads "Nominal" and the Mode reads "Archive (Read Only)".

Disconnect an Extended Datastore

You can disconnect or unmount an extended datastore at any time. The data is preserved on remote storage. Disconnecting a datastore removes it from the configuration.

To disconnect an extended datastore:

  1. Under the datastore you want to remove, click Unmount and Remove from Config.

  2. Type YES to confirm the removal.

  3. Click OK.

If you are migrating 5-minute and 1-hour metrics from one ExtraHop appliance to another, you must perform a system reset on the ExtraHop appliance that you are migrating data to so its internal datastore is empty before data is imported from the external datastore.

Monitor Storage Space

When the datastore is almost full, a warning appears in the errors area at the top of the Settings page.

A detailed message appears in the Status row for each extended datastore that is almost full. There are three levels of warnings. Refer to the Status Messages section below for more information.

You can configure the system to send email messages regarding the status of the extended datastores when space is becoming limited. Messages indicate the level of severity (1, 2, or 3). For instructions, refer to Notifications.

Status Messages

The Status row for each mount and external datastore displays a message regarding the state of the device or connection.

Mounts

  Mounted
    Description: Mount configuration successful.
    User action: None required.

  NOT MOUNTED
    Description: Mount configuration unsuccessful.
    User action: Verify the configuration information for accuracy and correct spelling. Verify that the remote system is available. Make sure that the server is a supported type and version. If using authentication, verify the credentials.

  NOT READABLE
    Description: The mount has permissions or network-related issues that prevent reading.
    User action: Check permissions. Check network connection and availability.

  NO SPACE AVAILABLE
    Description: The mount has no space remaining.
    User action: Detach the mount and create a new one.

  INSUFFICIENT SPACE
    Description: First appearance: the system anticipates that not enough space is available. Second appearance: less than 128 MB of space is available.
    User action: Detach the mount and create a new one.

  AVAILABLE SPACE WARNING
    Description: Less than 1 GB of space is available.
    User action: Detach the mount and create a new one.

  NOT WRITEABLE
    Description: The mount has permissions or network-related issues that prevent writing.
    User action: Check permissions. Check network connection and availability.

Datastores

  Nominal
    Description: The datastore is in a normal state.
    User action: None required.

  INSUFFICIENT SPACE on: <MOUNT NAME>
    Description: The datastore has insufficient space on the named mount to continue writing.
    User action: Create a new datastore. For the new datastore, consider using the Overwrite option if appropriate.

  NOT READABLE
    Description: The datastore has permissions or network-related issues that prevent reading.
    User action: Check permissions. Check network connection and availability.

  NOT WRITEABLE
    Description: The datastore has permissions or network-related issues that prevent writing.
    User action: Check permissions. Check network connection and availability.

Customizations

View Saved Customizations

On this page, you can restore the configuration settings of a previous datastore and download configuration settings to your workstation.

Restore Datastore Customizations

Datastore configuration settings can be saved and, if necessary, saved settings can be used to restore the datastore to the last saved state.

Restoring customizations does not create new devices; it associates the customized names with the devices that the ExtraHop system has found. If a device has not been found, its customized name is not restored; after the device is discovered, you can select Restore Customizations again to apply those same customizations. Restoring customizations does not overwrite any new customizations, but it overwrites any modified customized values.

To restore the ExtraHop datastore:

  1. Go to the Configuration section, click Datastore & Customizations, and click View Saved Customizations.

  2. Find the saved customizations in the list that you want to restore and click the Restore link to the right of the entry.

  3. In the confirmation dialog box, click OK to restore the datastore.

Download Datastore Customizations

You can download the current datastore configuration settings into a .json archive file that can be stored on your workstation. This archive file can be used to restore the datastore settings on the originating ExtraHop system, if problems occur. In addition, these settings can be uploaded to define the datastore configuration settings in a new ExtraHop system.

To download the ExtraHop datastore customization settings to an external file:

  1. Go to the Configuration section, click Datastore & Customizations, and click View Saved Customizations.

  2. Find the saved customizations in the list that you want to download and click the Download link to the right of the entry.

Save Customizations

The ExtraHop system lets you save the current datastore configuration settings and store them in memory. These saved configuration settings can be used at a later date to restore the datastore to the saved state.

To save the current ExtraHop datastore customizations:

  1. Go to the Configuration section, click Datastore and Customizations, and click Save Customizations.

  2. On the confirmation page, click OK.

Upload & Restore Customizations

ExtraHop system datastore configuration can be exported and saved as a .json archive file. The datastore customization file can be uploaded into the ExtraHop system to restore customization settings on the original system or install datastore customization settings on a new ExtraHop system.

Restoring customizations does not create new devices; it associates the customized names to the devices found by the ExtraHop system. If a device has not yet been found, then the customized name is not restored. Restoring customizations does not overwrite any new customizations, but it overwrites any modified customized values.

To upload and restore ExtraHop datastore customizations:

  1. Go to the Configuration section, click Datastore and Customizations, and click Upload & Restore Customizations.

  2. Click Choose File.

  3. Navigate to the datastore customization file that you want to upload.

  4. Select it and click OK.

  5. Click Restore.

  6. When the file is finished uploading, click OK.

Open Data Streams

The Open Data Streams page provides an interface to send data to external systems.

The ExtraHop Admin UI includes the following controls to manage open data streams:

  • Syslog Systems: Send data to a specified syslog server.

  • MongoDB: Send data to a MongoDB database.

  • HTTP: Send data to a remote HTTP server.

Open Data Stream for Syslog Systems

Open data streams for syslog systems let you send data from the ExtraHop system to any system that receives syslog input (for example, Splunk, ArcSight, or Q1 Labs) for long-term archiving and correlation with other sources.

To configure open data streams for syslog systems:

  1. Go to the Configuration section and click Open Data Streams.

  2. Under Open Data Streams, click Syslog Systems.

  3. Enter the Host name of the syslog server.

  4. Click the Protocol drop-down list and select TCP or UDP. UDP offers no delivery guarantee, and neither option encrypts the stream, so carry it over a trusted management network to the collector.

  5. In the Port field, enter the port number.

  6. Click Save.

Open Data Stream for MongoDB

The MongoDB export enables you to send data from the ExtraHop system to any system that receives MongoDB input for long-term archiving and correlation with other sources.

To configure open data streams for MongoDB:

  1. Go to the Configuration section and click Open Data Streams.

  2. Under Open Data Streams, click MongoDB.

  3. Enter the Host name of the remote MongoDB server.

  4. In the Port field, enter the port number. The field defaults to 514, which is the syslog port; the standard MongoDB port is 27017, so change the value unless your server listens on a different port.

  5. In the Maximum Message Size (KB) field, enter the size.

  6. Click the Encryption drop-down list and select an encryption option.

  7. Click Test Settings.

  8. Click Done.

  9. If the settings are correct, click Save.

To configure a user:

  1. Click Add User.

  2. Under Add MongoDB User, enter the Username, Password, and Database to send the data.

  3. Click Add. The new user appears in the list.

Open Data Stream for HTTP

The Open Data Stream (ODS) for HTTP export enables you to send data from the ExtraHop system to a remote HTTP server for long-term archiving and correlation with other sources.

HTTP requests from triggers are queued for processing by an ODS HTTP client. Note that the ODS HTTP client does not return the result of a request to the trigger that originated it.

The following values are recorded for diagnostic purposes:

  • Requests: The number of requests the ODS HTTP client attempted to send.

  • Queue Full: The number of requests the ODS HTTP client was unable to accept from triggers because its incoming request queue was full.

  • Discarded Headers: The ODS HTTP client does not allow triggers to specify the following headers:

    • Connection

    • Authorization

    • Proxy-Connection

    • Content-Length

    • X-Forwarded-For

    • Transfer-Encoding

    If any of these headers are set, the ODS HTTP client will discard them.

  • I/O Errors: The number of times the ODS HTTP client attempted to send a request to the specified target, but the connection was refused, the target did not respond, or the target did not respond in a way that an HTTP server is expected to respond.

  • Response Status: The count of each response status code received.

To configure open data streams for HTTP:

  1. Go to the Configuration section and click Open Data Streams.

  2. Under Open Data Streams, click HTTP.

  3. Enter the following configuration information:

    • Name: The name of the HTTP server.

    • Type: The type of protocol to use.

    • Host: The host name of the server.

    • Port: The port to receive data.

    • Skip Certificate Verification: Determine whether to trust certificates from unrecognized certificate authorities. Leave this cleared in production; with verification skipped, any host that can intercept the connection can read the stream and the Basic Authentication credentials.

    • Pipeline Requests: Use pipeline client requests to improve performance.

    • Use Basic Authentication: Select this checkbox to use authentication and complete the following fields:

      • User: The name of the user.

      • Password: The user's password.

    • Additional HTTP Header: Include an additional HTTP header.

    • Signing Method: Select an optional signing method, either Microsoft Azure or Amazon Web Services.

  4. (Optional) Click the information icon in the top right corner of the configuration dialog to view diagnostics.

  5. (Optional) Click Add New at the bottom of the page to send data to another server. You can add up to 16 servers.

  6. (Optional) Click Test Settings. The Settings dialog opens with connection information.

  7. Click Save to send the settings to the Running Config.

    To remove a configuration, click the red icon next to the information icon in the top right corner of the configuration dialog.
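Before pointing an ODS HTTP target at a production collector, it helps to see exactly what the receiving side gets: the Basic Authentication credentials arrive base64-encoded in the Authorization header on every request (which is why the target should be HTTPS with verification enabled), and the trigger cannot override that header because the client discards it. The following is an added example, not ExtraHop code and not a production collector: a small receiver on 127.0.0.1 that accepts POSTed records only when the Basic Authentication user and password match, records what it received, and a client helper that sends a request the way the ODS HTTP client would. The body is treated as opaque bytes; the user, password and body are constructed.

```python
"""Test receiver for an Open Data Stream for HTTP target (added example)."""
import base64
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class OdsReceiver(ThreadingHTTPServer):
    """Loopback HTTP listener that records authenticated POSTs."""

    def __init__(self, user: str, password: str):
        super().__init__(("127.0.0.1", 0), _Handler)  # port 0: OS picks a free port
        self.expected = base64.b64encode(f"{user}:{password}".encode())
        self.received = []  # (path, headers dict, body bytes)
        self.lock = threading.Lock()

    @property
    def port(self) -> int:
        return self.server_address[1]


class _Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the example quiet
        pass

    def _authorized(self) -> bool:
        scheme, _, credential = self.headers.get("Authorization", "").partition(" ")
        # constant-time comparison so the check does not leak how much matched
        return scheme == "Basic" and hmac.compare_digest(
            credential.encode(), self.server.expected)

    def do_POST(self):
        if not self._authorized():
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="ods"')
            self.end_headers()
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        with self.server.lock:
            self.server.received.append((self.path, dict(self.headers), body))
        self.send_response(200)
        self.end_headers()


def start_receiver(user: str, password: str) -> OdsReceiver:
    """Start the receiver in a background thread and return it."""
    server = OdsReceiver(user, password)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def post(port: int, path: str, body: bytes, user=None, password=None) -> int:
    """Send one record as an ODS HTTP target would see it; return the status code."""
    headers = {"Content-Type": "application/json"}
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("POST", path, body=body, headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    srv = start_receiver("ods", "s3cret")
    record = b'{"constructed": true, "metric": "http.req", "value": 42}'
    print(post(srv.port, "/metrics", record))                   # 401
    print(post(srv.port, "/metrics", record, "ods", "s3cret"))  # 200
    print(srv.received[0][1]["Authorization"])                  # Basic b2RzOnMzY3JldA==
    srv.shutdown()
```

Run it on a workstation, then temporarily configure an HTTP target with Host 127.0.0.1 and the printed port to confirm that the appliance's requests arrive with the headers you expect; the printed Authorization value shows how little protection the encoding gives the password on its own.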

Capture

The Admin UI provides an interface to manage the ExtraHop system network capture settings. For example, by default the ExtraHop system is configured to discover devices by their MAC address, maintaining a one-to-one correspondence between the MAC address and the discovered device. Using the Capture Configuration settings, this method of discovery can be changed so that devices are discovered by IP address.

The network capture settings give ExtraHop system administrators the ability to fine-tune the network capture so that the ExtraHop system discovers devices in the best and most complete method possible based on the host networking environment.

Capture settings are not configurable when using the ExtraHop Central Manager (ECM).

The ExtraHop Admin UI includes controls to manage the following network capture settings:

  • Excluded Protocol Modules: Specify protocols and associated devices that should be excluded from the network capture.

  • MAC Address Filters: Determine which devices are discovered by MAC address.

  • IP Address Filters: Determine which devices are discovered by IP address.

  • Port Filters: Enable TCP and UDP ports.

  • Pseudo Devices: Identify individual devices (that have IP addresses outside the monitored domains) that normally are shown in the capture only as the router address.

  • Protocol Classification: Add custom protocols to the capture and associate these custom protocols with ExtraHop module protocols.

  • Discover by IP: Enable or disable the discovery of devices on the network capture by IP address rather than by MAC address.

  • SSL Decryption: Add and manage SSL decryption keys to decrypt SSL traffic on the network.

  • Open Data Context API: Access the session table with the ExtraHop system acting as a memcache server.

  • Software Tap: Capture traffic using a high-speed packet forwarder (RPCAP).

Excluded Protocol Modules

The Excluded Protocol Modules page provides an interface to manage the protocol modules that you want to exclude from the network capture. By default, all supported modules on the ExtraHop system are included in the capture unless you manually exclude them.

To configure the excluded protocol modules settings:

  1. Go to the Configuration section and click Capture.

  2. On the Capture Configuration page, click Excluded Protocol Modules.

  3. To add modules to the Excluded Protocol Modules list:

    1. Click Add Module.

    2. On the Add Modules page, select the module that you want to exclude from the capture.

    3. Click Add.

    4. On the Excluded Protocol Modules page, click Restart Capture.

  4. To remove modules from the Excluded Protocol Modules list:

    1. On the Excluded Protocol Modules page, click the Delete icon next to the module name for each module that you want to remove from the Excluded Protocol Modules list.

    2. Click Restart Capture.

MAC Address Filters

You can use filters to exclude specific MAC addresses or vendor device traffic from the network capture on the ExtraHop system.

To exclude a MAC address:

  1. Go to the Configuration section and click Capture.

  2. On the Capture Configuration page, click MAC Address Filters.

  3. On the MAC Address Filters page, click Add Filter.

  4. Enter the MAC address and mask, and then click Add.

    The MAC address appears in the list.

    For more information, refer to Filtering and Deduplication below.

IP Address Filters

You can use filters to exclude specific IP addresses and IP ranges from the network capture on the ExtraHop system.

To exclude an IP address:

  1. Go to the Configuration section and click Capture.

  2. On the Capture Configuration page, click IP Address Filters.

  3. On the IP Address Filters page, click Add Filter.

  4. Enter the IP address and mask in CIDR format, and then click Add.

    The IP address appears in the list.

    For more information, refer to Filtering and Deduplication below.

Port Filters

You can use filters to exclude traffic from specific ports from the network capture on the ExtraHop system.

To exclude a port:

  1. Go to the Configuration section and click Capture.

  2. On the Capture Configuration page, click Port Filters.

  3. On the Port Filters page, click Add Filter.

  4. Enter the port, and then click Add.

    The port appears in the list.

    For more information, refer to Filtering and Deduplication below.

Filtering and Deduplication

Refer to the following table to view the effects of filtering and deduplication on metrics, packet capture, and device discovery. For each mechanism that drops a packet, the entries give the effect on network VLAN L2 metrics, network VLAN L3 metrics, device L2/L3 metrics, global PCAP packets, precision PCAP packets, L2 device discovery, and L3 device discovery.

  • Packet dropped by MAC address filter:

    • Network VLAN L2 metrics: Not collected
    • Network VLAN L3 metrics: Not collected
    • Device L2/L3 metrics: Not collected
    • Global PCAP packets: Captured
    • Precision PCAP packets: Not captured
    • L2 device discovery: No discovery
    • L3 device discovery: No discovery

  • Packet dropped by IP address filter:

    • Network VLAN L2 metrics: Not collected
    • Network VLAN L3 metrics: Not collected
    • Device L2/L3 metrics: Not collected
    • Global PCAP packets: Captured
    • Precision PCAP packets: Not captured
    • L2 device discovery: Discovery
    • L3 device discovery: No discovery

  • Packet dropped by port filter:

    • Network VLAN L2 metrics: Not fragmented*: Not collected; Fragmented: Collected
    • Network VLAN L3 metrics: Not fragmented: Not collected; Fragmented: Collected
    • Device L2/L3 metrics: Not fragmented: Not collected; Fragmented, top-level: Collected; Fragmented, detail: Not collected
    • Global PCAP packets: Captured
    • Precision PCAP packets: Not captured
    • L2 device discovery: Discovery
    • L3 device discovery: Not fragmented: No discovery; Fragmented: Discovery

  • Packet dropped by L2 dedup:

    • Network VLAN L2 metrics: Not collected
    • Network VLAN L3 metrics: Not collected
    • Device L2/L3 metrics: Not collected
    • Global PCAP packets: Captured
    • Precision PCAP packets: Not captured
    • L2 device discovery: --
    • L3 device discovery: --

  • Packet dropped by L3 dedup:

    • Network VLAN L2 metrics: Collected
    • Network VLAN L3 metrics: Collected
    • Device L2/L3 metrics: Collected
    • Global PCAP packets: Captured
    • Precision PCAP packets: Not captured
    • L2 device discovery: --
    • L3 device discovery: --

*For port filters, when IP fragments are present in the data feed, a port number is not determined during fragment reassembly. The ExtraHop system may collect metrics, capture packets, or discover a device even if the port filtering rule otherwise precludes it.

L2 duplicates are identical Ethernet frames. The duplicate frames do not usually exist on the wire, but are an artifact of the data feed configuration. L3 duplicates are frames that differ only in L2 header and IP TTL. These frames usually result from tapping on both sides of a router. Because these frames exist on the monitored network, they are counted at L2 and L3 in the locations referenced above. L3 deduplication is targeted toward L4 and above, for example, to avoid counting the L3 duplicates as TCP retransmissions.

Deduplication is enabled by default in newly installed ExtraHop systems (firmware version 4.0.21268+). You can enable deduplication in earlier versions by adding capture settings to the Running Config. Contact your ExtraHop representative for more information.
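The following is an added example, not ExtraHop code, that makes the L2/L3 distinction above concrete: it builds a small constructed feed (a frame, a byte-identical copy of it such as a SPAN session produces, and the same packet seen again on the far side of a router with new MAC addresses and a decremented TTL) and runs L2 and L3 deduplication over it. One assumption the guide does not spell out: because the TTL is covered by the IPv4 header checksum, the checksum is masked along with the TTL when computing the L3 key.

```python
# Added example, not ExtraHop code: L2 versus L3 duplicate detection over a
# constructed packet feed. L2 duplicates are byte-identical frames; L3
# duplicates differ only in the Ethernet header and the IP TTL. Because the
# TTL is covered by the IPv4 header checksum, the checksum is masked too
# (an assumption this example makes; the guide does not mention it).
import hashlib
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800


def l2_key(frame: bytes) -> bytes:
    """Key for L2 dedup: the whole frame."""
    return hashlib.sha256(frame).digest()


def l3_key(frame: bytes):
    """Key for L3 dedup: the IPv4 packet with TTL and header checksum zeroed.
    Returns None for frames that are not IPv4, which are never L3-deduplicated."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = bytearray(frame[ETH_HDR_LEN:])
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return None
    ip[8] = 0                 # TTL (decremented by each router hop)
    ip[10:12] = b"\x00\x00"   # header checksum (changes with the TTL)
    return hashlib.sha256(bytes(ip)).digest()


def dedup(frames, mode):
    """Return the frames that survive deduplication; mode is 'l2' or 'l3'."""
    keyfn = l2_key if mode == "l2" else l3_key
    seen = set()
    kept = []
    for frame in frames:
        key = keyfn(frame)
        if key is not None:
            if key in seen:
                continue
            seen.add(key)
        kept.append(frame)
    return kept


def ipv4_checksum(header: bytes) -> int:
    """Standard ones'-complement checksum; verifying a valid header yields 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac: bytes, dst_mac: bytes, ttl: int,
                payload: bytes = b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """Constructed sample: Ethernet + minimal IPv4 header (protocol TCP, no options)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + hdr + payload


def sample_feed():
    """Constructed feed: a frame, a SPAN artifact copy of it, and the same
    packet seen again on the far side of a router (new MACs, TTL - 1)."""
    host, near_router, far_router, server = (bytes.fromhex(m) for m in
        ("020000000001", "020000000002", "020000000003", "020000000004"))
    before_router = build_frame(host, near_router, 64)
    after_router = build_frame(far_router, server, 63)
    return [before_router, before_router, after_router]


if __name__ == "__main__":
    feed = sample_feed()
    print("feed:", len(feed), "frames; l2 dedup keeps", len(dedup(feed, "l2")),
          "; l3 dedup keeps", len(dedup(feed, "l3")))
```

L2 dedup removes only the byte-identical copy and keeps both sides of the router, which is why the table above shows L2 duplicates as not counted anywhere; L3 dedup also collapses the routed copy, which is what prevents the second sighting from being counted as a TCP retransmission.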

Pseudo Devices

By default, all IP addresses outside the locally-monitored broadcast domains are aggregated at one of the incoming routers. To identify the devices behind these routers, you can use the pseudo devices settings in the capture to enable reporting on these devices.

Custom devices in version 4.0 and later take the place of pseudo devices. Unlike pseudo devices, you do not need Administrator privileges to configure custom devices. If you have previously created pseudo devices, they remain on your ExtraHop system until you migrate them to custom devices. For more information, go to the ExtraHop Web UI, click Help, and refer to the ExtraHop Web UI Users Guide.

To configure the pseudo devices settings:

  1. Go to the Configuration section and click Capture.

  2. On the Capture Configuration page, click the Change icon next to Pseudo Devices.

  3. To add devices to the Pseudo Devices list:

    1. Click Add Device.

    2. On the Add Device page, in the MAC Address text box, specify a dummy MAC address for the device.

    3. In the IP address text box, specify the IP address range for the device in CIDR notation (IP address/subnet prefix length). For example, 10.10.0.0/16 for IPv4 networks or 2001:db8::/32 for IPv6 networks.

    4. Click Add.

    To monitor remote locations with multiple, non-contiguous subnets, define the pseudo device multiple times with the same dummy MAC address but with different IP subnets. For example, in the figure below, all traffic relating to any of the assigned IP subnets is attributed to the pseudo device with the MAC address 22:22:00:00:00:01.

  4. To remove devices from the Pseudo Devices list:

    1. On the Pseudo Devices page, click the Delete icon next to the IP address of the device that you want to remove from the list.

    2. Repeat for each device that you want to remove from the capture.

Protocol Classification

Protocol classification relies on specific payload to identify custom protocols that use specific ports. These protocols are Layer 7 (application-layer) protocols that run above the Layer 4 transport protocol (TCP or UDP): each such application has its own protocol at Layer 7 and carries it over TCP or UDP.

The Protocol Classification page provides an interface to perform the following functions:

  • List applications and ports for the following network entities:

    • Widely-known applications that are mapped to non-standard ports.

    • Lesser-known and custom networking applications.

    • Unnamed applications that use TCP and UDP (for example, TCP 1234).

  • Add custom protocol-to-application mapping that includes the following information:

    • Name: The user-defined protocol name.

    • Protocol: The selected Layer 4 protocol (TCP or UDP).

    • Source: (Optional) The specified source port. Port 0 indicates any source port.

    • Destination: The destination port or range of ports.

  • Delete protocols with the selected application name and port mapping from the list.

    After a protocol is deleted, its application name and port no longer appear in the ExtraHop Web UI or in reports based on future capture data. Devices that used the protocol still appear in reports that use historical data, if the device was active and discoverable within the reported time period.

  • Restart the network capture.

    • You must restart the network capture before any protocol classification changes take effect.

    • Previously-collected capture data is preserved.

The ExtraHop system recognizes protocols on their standard ports (one exception is HTTP, which is recognized on any port). In some cases, if a protocol is using a non-standard port, it is necessary to add the non-standard port in the Admin UI. In these cases, it is important to properly name the non-standard port. The table below lists the standard ports for each of the protocols, along with the protocol name that must be used when adding the custom port numbers in the Admin UI.

In most cases, the name you use is the same as the name of the protocol. The most common exceptions to this rule are Oracle (where the protocol name is TNS) and Microsoft SQL (where the protocol name is TDS).

  Canonical Name    Protocol Name   Transport    Default Source Port   Default Destination Port
  CIFS              CIFS            TCP          0                     139, 445
  DB2               DB2             TCP          0                     50000, 60000
  Diameter          AAA             TCP          0                     3868
  FIX               FIX             TCP          0                     0
  FTP               FTP             TCP          0                     21
  FTP-DATA          FTP-DATA        TCP          0                     20
  HL7               HL7             TCP          0                     2575
  HL7               HL7             UDP          0                     2575
  IBM MQ            IBMMQ           TCP          0                     1414
  IBM MQ            IBMMQ           UDP          0                     1414
  ICA               ICA             TCP          0                     1494, 2598
  Informix          Informix        TCP          0                     1526, 1585
  iSCSI             iSCSI           TCP          0                     3260
  LDAP              LDAP            TCP          0                     389, 390
  LLDP              LLDP            Link Level   N/A                   N/A
  Memcache          Memcache        TCP          0                     11210, 11211
  MongoDB           MongoDB         TCP          0                     27017
  MS SQL Server     TDS             TCP          0                     1433
  MSRPC             MSRPC           TCP          0                     135
  MySQL             MySQL           TCP          0                     3306
  NFS               NFS             TCP          0                     2049
  NFS               NFS             UDP          0                     2049
  Oracle            TNS             TCP          0                     1521
  PCoIP             PCoIP           UDP          0                     4172
  PostgreSQL        PostgreSQL      TCP          0                     5432
  RADIUS            AAA             TCP          0                     1812, 1813
  RADIUS            AAA             UDP          0                     1645, 1646, 1812, 1813
  SMPP              SMPP            TCP          0                     2775
  SMTP              SMTP            TCP          0                     25
  Sybase            Sybase          TCP          0                     10200
  SybaseIQ          SybaseIQ        TCP          0                     2638

The name specified in the Protocol Name column in the table is used on the Add Protocol page to classify a common protocol that uses non-standard ports.

Protocols in the ExtraHop Web UI that do not appear in this table include the following:

  • DNS: The standard port for DNS is 53. DNS does not run on non-standard ports.

  • HTTP: The ExtraHop system classifies HTTP on all ports.

  • HTTP-AMF: This protocol runs on top of HTTP and is automatically classified.

Protocols in this table that do not appear in the ExtraHop Web UI include the following:

  • FTP-DATA: The ExtraHop system does not handle FTP-DATA on non-standard ports.

  • LLDP: This is a link-level protocol, so port-based classification does not apply.

The following procedure describes how to add custom protocol classification labels using the TDS (MS SQL Server) protocol as an example. By default, the ExtraHop system looks for TDS traffic on TCP port 1433.

To add MS SQL Server TDS parsing on another port:

  1. Go to the Configuration section and click Capture.

  2. On the Capture Configuration page, click Protocol Classification.

  3. Click Add Protocol.

  4. Click the Name drop-down list and select Add custom label.

  5. Enter TDS for the custom protocol name.

  6. Click the Protocol drop-down list and specify an L4 protocol to associate with the custom protocol (TCP in this example).

  7. In the Source text box, specify the source port for the custom protocol. (The default value of 0 specifies any source port.)

  8. In the Destination text box, specify the destination port for the custom protocol (65000 in this example). To specify a range of ports, put a hyphen between the first and last port in the range, for example, 3400-4400.

  9. Select the Loose Initiation checkbox if you want the classifier to attempt to categorize the connection without seeing the connection open. ExtraHop recommends using loose initiation for long-lived flows.

    By default, the ExtraHop system uses loosely-initiated protocol classification, so it attempts to classify flows even after the connection was initiated. You can turn off loose initiation for ports that do not always carry the protocol traffic (for example, the wildcard port 0).

  10. Click Add.

  11. Confirm the setting change, and then click Restart Capture for the change to take effect. This briefly interrupts collection of data.

  12. Once the capture restarts, a confirmation message appears. Click Done.

  13. This change has been applied to the running config. When you save the change, it will be reapplied when the ExtraHop system restarts. Click View & Save Changes at the top of the screen.

  14. Click Save to write the change to the default configuration.

  15. After the configuration is saved, a confirmation message appears. Click Done.

Database statistics now appear for any devices running TDS on the added port (in this example, 65000). This setting is applied across the capture, so you do not need to add it on a per-device basis.
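The following is an added example, not ExtraHop code, that models the matching semantics the procedure above describes: a source port of 0 matches any source port, a destination of 0 is the wildcard port, a destination written as first-last is a range, and a rule with loose initiation turned off only classifies flows whose open the classifier actually saw. The rule list (the standard TDS port, the custom port 65000, the range 3400-4400, and a wildcard-port FIX rule) and the flows are constructed for illustration; real classification also inspects payload, which this model leaves out.

```python
# Added example, not ExtraHop code: port-based classification rules with the
# semantics described in the procedure above (source port 0 = any source port,
# destination port 0 = any destination port, "first-last" ranges, and loose
# initiation). The rule list and flows are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    transport: str           # "TCP" or "UDP"
    source: int              # 0 matches any source port
    dest_lo: int             # dest_lo == dest_hi == 0 matches any destination port
    dest_hi: int
    loose_initiation: bool   # classify flows even when the open was not observed


def parse_port_spec(spec: str):
    """'65000' -> (65000, 65000); '3400-4400' -> (3400, 4400)."""
    lo, sep, hi = spec.strip().partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if sep else lo_i
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError("invalid port specification: %r" % spec)
    return lo_i, hi_i


def make_rule(name, transport, source, dest, loose_initiation=True):
    lo, hi = parse_port_spec(dest)
    return Rule(name, transport.upper(), int(source), lo, hi, loose_initiation)


def classify(rules, transport, src_port, dst_port, saw_open):
    """Return the first matching rule's name, or None.

    saw_open tells whether the classifier observed the flow being opened
    (for TCP, the handshake). A rule with loose initiation turned off only
    applies to flows whose open was seen, which is why the guide suggests
    turning it off for wildcard ports that do not always carry the protocol."""
    for r in rules:
        if r.transport != transport.upper():
            continue
        if r.source != 0 and r.source != src_port:
            continue
        any_dest = r.dest_lo == 0 and r.dest_hi == 0
        if not any_dest and not r.dest_lo <= dst_port <= r.dest_hi:
            continue
        if not saw_open and not r.loose_initiation:
            continue
        return r.name
    return None


# Constructed rule list: the standard TDS port, the custom port and range from
# the procedure above, and a wildcard-port protocol with loose initiation off.
RULES = [
    make_rule("TDS", "TCP", 0, "1433"),
    make_rule("TDS", "TCP", 0, "65000"),
    make_rule("TDS", "TCP", 0, "3400-4400"),
    make_rule("FIX", "TCP", 0, "0", loose_initiation=False),
]

if __name__ == "__main__":
    for flow in [("TCP", 51234, 65000, False), ("TCP", 51234, 9999, False),
                 ("TCP", 51234, 9999, True)]:
        print(flow, "->", classify(RULES, *flow))
```

Rule order matters: a wildcard-port rule placed first would shadow every more specific rule on the same transport, so the catch-all goes last.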

To remove custom protocols from the list:

  1. On the Protocol Classification page, click the Delete icon next to the protocol that you want to remove from the list.

  2. Repeat for each protocol that you want to remove from the capture.

  3. Click Restart Capture to save the updated settings.

Discover by IP

The ExtraHop system analyzes its incoming data feed to identify the devices that are communicating on the monitored network. This identification process is known as device discovery.

You can configure the ExtraHop system to approach device discovery in one of two ways:

  • Discovery by L3, or IP address (Default)

  • Discovery by L2, or MAC address

L3 Discovery Mode

In the default L3 discovery mode, the ExtraHop system recognizes a new device for each observed IP address that meets the following criteria:

  • A device responds to an Address Resolution Protocol (ARP) request for the IP address, allowing the ExtraHop system to associate the IP address with an L2 (MAC) address.

  • The associated MAC address is not the MAC address of an L3-routing device. The ExtraHop system uses heuristics to determine whether a given MAC address belongs to a routing device.

In cases where multiple IP addresses meet the above criteria while sharing a MAC address (e.g., multi-homed NICs), each IP is discovered as a separate device.

When L3 discovery mode is used, in addition to the discovered L3 Devices, the ExtraHop system also creates L2 Devices for each unique MAC address. The following characteristics apply to these L2 devices:

  • When an L2 and L3 address are associated with the same device, a parent-child relationship is shown in the detail page for each device.

  • Any L2 traffic metrics that cannot be associated with a particular child L3 device (for example, L2 broadcast traffic) are associated with the parent L2 device.

  • In the device list view, you can filter the full device list for L2 devices only, L3 devices only, or all devices.

  • L2 devices that exist solely as parents to L3 devices do not count against licensed device count limits.

IP addresses in the data feed that do not appear to have an associated MAC address are generally located remotely beyond an L3-routing device and are not auto-discovered. However, discovery of a new device can be forced in the Remote Networks section.

The following diagram shows L3 device discovery in three common server NIC configurations.

L3 Discovery on Remote Networks

Remote networks are subnets visible to ExtraHop only via L3-routing devices. By default, the ExtraHop system does not discover and monitor devices on these networks. Adding these networks in the Remote Networks section configures the ExtraHop system to treat individual devices on remote networks as if they were part of the local network.

The following scenarios use the remote networks setting to discover devices:

  • An organization has a remote office without an on-site ExtraHop appliance but users at that site access central datacenter resources that are directly monitored by an ExtraHop system. The IP addresses at the remote site can be discovered as devices.

  • A cloud service or other type of off-site service hosts remote applications and has a known IP address range. The remote servers within this IP range can be individually tracked.

In the ExtraHop Administration UI, remote networks are designated by network addresses specified in CIDR notation (network IP address / subnet prefix length). For example, for IPv4 networks, the network identifier is written as 192.168.0.0/16. For IPv6 networks, the network identifier is written as 2001:db8::/32.

The following characteristics apply to remote network discovery:

  • The Local Network checkbox must be selected on the Discover by IP page to make remote networks available.

  • Remote networks are configured manually so the ExtraHop system does not require ARP traffic for their discovery.

  • Every actively communicating remote IP that matches a remote network's CIDR block will result in the discovery of one device in the ExtraHop system. Specifying wide subnet prefixes such as /16 may result in the discovery of a large number of devices. A /32 subnet prefix may be used to match a single remote IP.

  • Devices discovered by remote networks discovery count against licensed device count limits.

The following limitations apply to remote network discovery:

  • Private IP addresses, such as those on a private subnet (behind a router) or those that are behind a NAT device, are not visible. Only the public-facing IP addresses are discovered and visible in the ExtraHop system.

  • L2 information, such as the device's MAC address and L2 traffic, is not available if the device is on a different network from the one being monitored by the ExtraHop system. This information is not forwarded by routers, and therefore it is not visible to the ExtraHop system.
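The following is an added example, not ExtraHop code, that models the L3 discovery rules described above on constructed input: an IP becomes an L3 device only when an ARP reply ties it to a MAC address that is not judged to be a router (each IP on a multi-homed NIC becomes its own device with the shared MAC as parent), every MAC seen becomes an L2 device, and an IP with no ARP association is discovered only if it falls inside a configured remote network, in which case it has no L2 parent. The router heuristic used here, a MAC that answers ARP for several IPs, is an assumption for illustration, not ExtraHop's heuristic, and the license count follows the rule that L2 devices existing solely as parents do not count.

```python
# Added example, not ExtraHop code: a simplified model of L3 discovery as
# described above. A local IP becomes an L3 device only when an ARP reply ties
# it to a MAC that is not judged to be a router; every MAC seen becomes an L2
# device; an IP with no ARP association is discovered only if it falls inside a
# configured remote network. The router heuristic used here (a MAC answering ARP
# for several IPs) is an assumption for illustration, not ExtraHop's heuristic.
import ipaddress
from collections import defaultdict

ROUTER_ARP_THRESHOLD = 3   # assumed: a MAC answering ARP for this many IPs is a router


def discover(arp_replies, observed_ips, remote_networks):
    """Return (l3_devices, l2_devices).

    l3_devices maps each discovered IP to its parent MAC, or to None for a
    device discovered through a remote network (no L2 information is available
    beyond a router). l2_devices is the set of MACs seen in ARP replies."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    for ip, mac in arp_replies:
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    routers = {mac for mac, ips in mac_to_ips.items() if len(ips) >= ROUTER_ARP_THRESHOLD}
    nets = [ipaddress.ip_network(n) for n in remote_networks]

    l3_devices = {}
    for ip in observed_ips:
        mac = ip_to_mac.get(ip)
        if mac is not None:
            if mac not in routers:
                l3_devices[ip] = mac      # one L3 device per IP, even for multi-homed NICs
            continue
        if any(ipaddress.ip_address(ip) in net for net in nets):
            l3_devices[ip] = None         # remote network match: discovered without L2 data
    return l3_devices, set(mac_to_ips)


def licensed_device_count(l3_devices, l2_devices):
    """L2 devices that exist solely as parents of L3 devices do not count
    against the license; remote L3 devices do."""
    parents = {mac for mac in l3_devices.values() if mac is not None}
    return len(l3_devices) + len(l2_devices - parents)


def sample_discovery():
    """Constructed ARP replies and traffic: two hosts (one multi-homed), a
    router answering for three gateway IPs, one remote IP inside a configured
    remote network and one remote IP outside it."""
    arp = [("10.0.0.5", "aa"), ("10.0.0.6", "aa"), ("10.0.0.7", "bb"),
           ("10.0.0.1", "cc"), ("10.0.0.2", "cc"), ("10.0.0.3", "cc")]
    observed = ["10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.1",
                "192.168.50.9", "172.16.3.3"]
    return discover(arp, observed, ["192.168.50.0/24"])


if __name__ == "__main__":
    l3, l2 = sample_discovery()
    print("L3 devices:", l3)
    print("L2 devices:", sorted(l2))
    print("licensed count:", licensed_device_count(l3, l2))
```

Widening the remote network to 192.168.0.0/16 would also discover every other active 192.168.x.y address, which is the device-count effect the list above warns about; a /32 entry pins discovery to a single remote IP.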

L2 Discovery Mode

You can also configure the ExtraHop system to discover devices using L2 discovery mode. In this mode, instead of an IP address acting as the basis for defining a new device, a MAC address is used. All IP addresses associated with a given MAC address are aggregated into a single device.

L2 discovery mode was once the default, but it is no longer common. If you feel that your ExtraHop deployment may benefit from the use of L2 discovery mode, contact ExtraHop Support at support@extrahop.com for further assistance.

Configuring the Discovery Mode

To select the discovery mode and optionally configure remote network discovery:

  1. Go to the Configuration section and click Capture.

  2. On the Capture Configuration page, click Discover by IP.

  3. Under Local Network, do one of the following:

    • Select the Enable checkbox to turn on device discovery by IP address (L3 discovery).

      OR

    • Deselect the Enable checkbox to turn on device discovery by MAC address (L2 discovery).

  4. To configure remote network discovery, in the Remote Networks text box, specify the remote network address in CIDR format and click Add.

  5. Click Save and Restart Capture.

    ExtraHop recommends performing a datastore reset after enabling or disabling Discover by IP. Clearing the datastore protects against potential problems, such as redundant data.

SSL Decryption

The ExtraHop system supports real-time decryption of SSL traffic for analysis. In order to use this feature, private keys associated with the SSL server certificate must be provided. The server certificate and private keys are uploaded over an HTTPS connection from a web browser to the ExtraHop system.

You can add the following keys to the ExtraHop system to facilitate SSL traffic decryption.

  • PEM certificates and RSA private keys

  • PKCS#12/PFX files with passwords

    A PKCS#12/PFX file is a password-protected container that bundles the certificate with its private key; the password is required to read the key.

After upload, the private keys are stored on the internal USB flash media. All file systems on the internal USB flash media are obfuscated and cannot be mounted using standard tools. The private keys are stored in an encrypted format. To ensure that the keys are not transferable to other systems, they are encrypted with an internal key that is seeded with information specific to the system to which it was uploaded.

Separation of privileges is enforced such that only the SSL decryption process can access the private key material. The ExtraHop web administration utility can store new private keys and list the keys in the store for key management purposes, but cannot access the private key material once it is stored.

The Private Key text box has no passphrase field, so a password-protected PEM key must have its passphrase removed before it is pasted in. To do so, use a utility such as OpenSSL, which prompts for the current passphrase:

openssl rsa -in yourcert.pem -out new.key

The output file holds the key in the clear. Restrict its permissions and delete it as soon as the key has been uploaded.

The Add Encrypted Protocol section specifies the protocols that handle decrypted SSL traffic. For example, for DNS traffic, you must create an entry for the DNS protocol on port 53. Port 0 represents any port.

Configure SSL Decryption

To configure the SSL decryption settings:

  1. Go to the Configuration section and click Capture.

  2. On the Capture Configuration page, click the Change icon next to SSL Decryption.

  3. In the SSL Decryption Keys section, click Add Keys.

  4. To add PEM certificate and RSA Private Keys to the ExtraHop system:

    1. Under Add PEM Certificate and RSA Private Key, in the Description text box, enter a name for the added key.

    2. In the Certificate text box, add the public key certificate information.

    3. In the Private Key text box, add the RSA private key information.

    4. Click Add.

  5. To add PKCS#12/PFX files with passwords to the ExtraHop system:

    1. Under Add PKCS#12/PFX File with Password, in the Description text box, enter a name for the added key.

    2. In the PKCS#12/PFX file text box, enter the fully qualified path to the archive file, or click Browse, navigate to the file, select it, and click OK to identify the fully qualified path to the file.

    3. In the Password text box, enter the password for the PKCS#12/PFX file.

    4. Click Add.

The new SSL decryption key is added to the SSL Decryption Keys page.

Add Encrypted Protocols

To add encrypted protocols to the ExtraHop system:

  1. Go to the Configuration section and click Capture.

  2. On the Capture Configuration page, click the Change icon next to SSL Decryption.

  3. In the Encrypted Protocols section, click Add Protocol.

  4. Click the Protocol drop-down list and select the protocol.

  5. Click the Key drop-down list and select a previously set key.

  6. In the Port text box, specify the server port on which the encrypted protocol is received. The default value of 443 is the standard HTTPS port.

  7. Click Add.

The protocol is added to the list.

Open Data Context API

The Open Data Context API allows external access to the global session table. Clients can store and retrieve key-value pairs using the memcache protocol.

For example, a script running on an external host inserts CPU load information into the ExtraHop session table. Triggers commit this information and other HTTP transactions as custom metrics. The script running on the external host can use any memcache client, and then use memcache commands, such as GET, SET, and INCREMENT, to communicate with the ExtraHop system.

When using the Open Data Context API, remember the following:

  • Committing large values to the session table causes performance degradation. Values can be almost unlimited in size. However, metrics committed to the datastore must be 4096 bytes or fewer.

  • All data must be inserted as strings in order to be readable by the ExtraHop system.

  • Keys expire at 30-second intervals. For example, if a key is set to expire in 50 seconds, it may take anywhere from 50 to 79 seconds to expire.

  • All keys set in the Open Data Context API are exposed via the SESSION_EXPIRE trigger event as they expire. This behavior is in contrast to the Application Inspection Triggers API, where the default behavior is not to expose expiring keys via SESSION_EXPIRE.

This connection is not encrypted, and the memcache text protocol carries no authentication, so any host that can reach the port can read and write the session table. Do not use it to exchange sensitive information.

To enable the Open Data Context API on the ExtraHop system:

  1. Go to the Configuration section and click Capture.

  2. On the Capture Configuration page, click Open Data Context API.

Enabling the Open Data Context API opens TCP and UDP port 11211 by default. Ensure that the firewall rules allow access to these ports from the external hosts that will use the API, and from no other hosts.

Supported Memcache Client Libraries

You can use any standard memcache client library with the Open Data Context API. The ExtraHop system acts as a memcache version 1.4 server. For a list of client libraries, refer to http://code.google.com/p/memcached/wiki/Clients.

All memcache commands are supported, except for the following actions:

  • Flush: Setting item expiration when adding or updating items is supported, but bulk expiration is not.

  • Detailed statistics by item size or key prefix: Basic statistics reporting is supported.

Insert Data as a String

Some memcache clients attempt to store type information in the values. For example, the python memcache library stores floats as pickled values, which cause invalid results when using Session.lookup in triggers.

Incorrect:

// python:

>>> mc.set("my_float", 1.5)

// triggers:

Session.lookup("my_float") // returns "F1.5\n."

Correct:

// python:

>>> mc.set("my_float", str(1.5))

// triggers:

Session.lookup("my_float") // returns "1.5"
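The following is an added example, not ExtraHop code, that packages the advice above into a small client for the memcache text protocol: every value is coerced to a plain string before it is sent (containers go through JSON rather than a client library's pickling), and a value flagged as destined for a metric is refused if it exceeds the 4096-byte limit. FakeServer is an in-memory stand-in for the ExtraHop system, written so the exchange runs offline; against a real appliance the same request bytes go over a TCP socket to port 11211 and the reply goes to parse_get_reply. The key and value names are constructed for illustration.

```python
# Added example, not ExtraHop code: a minimal memcache text-protocol client for
# the Open Data Context API that always stores values as plain strings (the
# pitfall shown above) and refuses values too large to be committed as a metric.
# FakeServer is an in-memory stand-in for the ExtraHop system so that the
# exchange runs offline; against a real appliance, send the same bytes over a
# TCP socket to <extrahop_ip>:11211 and pass the reply to parse_get_reply.
import json

METRIC_LIMIT = 4096   # bytes; metrics committed to the datastore must be <= this


def to_session_string(value) -> str:
    """Coerce a value to a plain string so that no client-specific encoding
    (such as python-memcache's pickled floats) reaches the session table.
    Containers are serialized as JSON, which a trigger can parse."""
    if isinstance(value, bytes):
        return value.decode("utf-8")
    if isinstance(value, (str, int, float, bool)):
        return str(value)
    return json.dumps(value, separators=(",", ":"), sort_keys=True)


def encode_set(key: str, value, exptime: int = 0, metric: bool = False) -> bytes:
    """Build 'set <key> <flags> <exptime> <bytes>\\r\\n<data>\\r\\n'.
    Flags are always 0: the ExtraHop system only reads the data as a string."""
    if not key or len(key) > 250 or any(c.isspace() for c in key):
        raise ValueError("invalid memcache key: %r" % key)
    data = to_session_string(value).encode("utf-8")
    if metric and len(data) > METRIC_LIMIT:
        raise ValueError("value is %d bytes; metrics must be <= %d bytes"
                         % (len(data), METRIC_LIMIT))
    return b"set %s 0 %d %d\r\n%s\r\n" % (key.encode("ascii"), exptime, len(data), data)


def encode_get(key: str) -> bytes:
    return b"get %s\r\n" % key.encode("ascii")


def parse_get_reply(reply: bytes):
    """Parse 'VALUE <key> <flags> <bytes>\\r\\n<data>\\r\\nEND\\r\\n'; None on a miss."""
    if reply == b"END\r\n":
        return None
    header, _, rest = reply.partition(b"\r\n")
    parts = header.split()
    if len(parts) < 4 or parts[0] != b"VALUE":
        raise ValueError("unexpected reply: %r" % reply[:40])
    return rest[:int(parts[3])].decode("utf-8")


class FakeServer:
    """Speaks the subset of the memcache text protocol used here (set/get)."""

    def __init__(self):
        self.store = {}

    def handle(self, request: bytes) -> bytes:
        line, _, rest = request.partition(b"\r\n")
        parts = line.split()
        if parts and parts[0] == b"set" and len(parts) >= 5:
            key, length = parts[1], int(parts[4])
            self.store[key] = rest[:length]
            return b"STORED\r\n"
        if parts and parts[0] == b"get" and len(parts) >= 2:
            data = self.store.get(parts[1])
            if data is None:
                return b"END\r\n"
            return b"VALUE %s 0 %d\r\n%s\r\nEND\r\n" % (parts[1], len(data), data)
        return b"ERROR\r\n"


def round_trip(server, key, value, exptime=0, metric=False):
    """Store a value and read it back the way a trigger's Session.lookup sees it."""
    if server.handle(encode_set(key, value, exptime, metric)) != b"STORED\r\n":
        raise RuntimeError("set failed")
    return parse_get_reply(server.handle(encode_get(key)))


if __name__ == "__main__":
    srv = FakeServer()
    print(round_trip(srv, "my_float", 1.5))                      # "1.5", not a pickled float
    print(round_trip(srv, "host", {"os": "linux", "cores": 4}))  # JSON text
```

Because keys expire on the 30-second cycle described above, an exptime of 50 should be read as "at least 50 seconds", not as a precise deadline.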

Change the Session Table Size

The default session table size is 32768 entries. You can modify the Running Config to change the session table size, but increasing the session table size may impact memory consumption on the system and cause other issues. You must restart the capture to see these changes.

To change the session table size, add the following line to the "capture" section of the Running Config:

"jssession_table_size": 32768

For more information, refer to Running Config or contact ExtraHop Support.

Software Tap on a Linux Server

You must install the software tap on each server to be monitored in order to forward packets to the ExtraHop system. You can retrieve the commands from the procedures in this section or the ExtraHop Admin UI: https://<extrahop_ip>/admin/capture/rpcapd/linux/. The bottom of the ExtraHop Admin UI page contains links to automatically download the software tap.

Debian-Based Systems

To download and install the software tap on Debian-based systems:

  1. In the ExtraHop Admin UI, go to the Configuration section, click Capture, and click Software Tap.

  2. Go to the section for your Linux system to copy and paste the commands into your terminal.

  3. At the prompt, enter the ExtraHop IP address, confirm the default connection to port 2003, and press Enter.

  4. (Optional) Run the following commands to verify that the package is installed and the service is running:

    sudo dpkg --get-selections | grep rpcapd
    sudo service rpcapd status
  5. (Optional) Run the following command to change the ExtraHop IP address, port number, or arguments to the service:

    sudo dpkg-reconfigure rpcapd

RPM-Based Systems

To download and install the software tap on RPM-based systems:

  1. In the ExtraHop Admin UI, go to the Configuration section, click Capture, and click Software Tap.

  2. Go to the section for your Linux system to copy and paste the commands into your terminal.

  3. Open the configuration file in an editor, for example with one of the following commands:

    vim /opt/extrahop/etc/rpcapd.ini
    nano /opt/extrahop/etc/rpcapd.ini

    Example output:

    cat /opt/extrahop/etc/rpcapd.ini
    #ActiveClient = <TARGETIP>,<TARGETPORT>
    NullAuthPermit = YES

    Replace <TARGETIP> with your ExtraHop system's IP address and <TARGETPORT> with 2003, and uncomment the line. NullAuthPermit = YES lets the forwarder connect without presenting credentials; leave it as shipped, and use the host firewall to allow the forwarder's traffic to the ExtraHop system only.

    Example output:

    cat /opt/extrahop/etc/rpcapd.ini
    ActiveClient = 10.10.10.10,2003
    NullAuthPermit = YES
  4. Run the following command to start sending traffic to the ExtraHop system:

    sudo /etc/init.d/rpcapd start
  5. (Optional) Run the following command to verify the ExtraHop system is receiving traffic:

    sudo service rpcapd status

Generic/Other Linux Systems

To download and install the software tap on another Linux system:

  1. In the ExtraHop Admin UI, go to the Configuration section, click Capture, and click Software Tap.

  2. Go to the section for your Linux system to copy and paste the commands into your terminal.

  3. (Optional) Run the following command to verify the ExtraHop system is receiving traffic:

    sudo /etc/init.d/rpcapd status

Software Tap on a Windows Server

You must install the software tap on each server to be monitored in order to forward packets to the ExtraHop system. To download and install the software tap:

  1. In the ExtraHop Admin UI, go to the Configuration section, click Capture, and click Software Tap.

  2. Click the Windows rpcapd installer to begin the download.

  3. When the file is finished downloading, click it to open the installer.

  4. In the wizard, select the components to install.

  5. Complete the ExtraHop IP and ExtraHop Port fields and click Next. The default port is 2003.

  6. (Optional) Enter additional arguments in the text box and click Next.

  7. Browse to and select the destination folder to install RPCAP Service.

  8. (Optional) If RPCAP Service was previously installed, click Yes to delete the previous service.

  9. When the installation is complete, click Close.

Reset Trends

This section enables you to reset all trends and trend-based alerts. Click Reset Trends to erase all trend data from the ExtraHop system.

The functions on this page are disabled in the ExtraHop Discovery Edition.

System Settings

You can configure the following components of the ExtraHop system in the System Settings section:

  • Services: Enable management, SNMP, and SSH services.

  • Firmware: Update the ExtraHop system firmware.

  • System Time: Configure the system time.

  • Shutdown/Restart: Halt or restart the ExtraHop system.

  • License: Update the license to enable add-on modules.

  • Disk: View information about the disks in the ExtraHop appliance.

    If you are using the ExtraHop Central Manager (ECM), Scheduled Reports appears instead of Disk. The scheduled reports functionality allows you to view reports for troubleshooting purposes.

Services

Services run in the background and perform functions that do not require user input. The Admin UI provides the following settings to manage the services used by the ExtraHop system. These services can be started and stopped through the Admin UI:

  • Web Shell: Enable or disable the Launch Shell button in the upper right corner of the Admin UI screen.

  • Management GUI: Enable or disable the ExtraHop GUI service. This service enables support for the browser-based ExtraHop Web UI and Admin UI interfaces.

  • SNMP Service: Enable or disable the ExtraHop system SNMP service.

  • SSH Access: Enable or disable SSH access. This service enables support for the ExtraHop command-line interface (CLI).

Management GUI

The Management GUI setting controls the status of the Apache Web Server that runs the ExtraHop UI web application. By default, this service is enabled so that ExtraHop users have access to the ExtraHop Web UI and Admin UI. If this service is disabled, the Apache Web Server is stopped, turning off web browser access to the ExtraHop UIs.

Warning: Do not disable this service unless you are an experienced ExtraHop administrator and you are familiar with the ExtraHop Command-Line Interface (CLI) commands to restart the Management GUI service.

To enable or disable the Management GUI service, click the Management GUI checkbox and click Save Changes.

SNMP Service

Simple Network Management Protocol (SNMP) is used to monitor the state of the network. SNMP collects information by polling devices on the network. SNMP-enabled devices can send alerts to SNMP management stations.

The SNMP service needs to be enabled to use SNMP notification in the ExtraHop system. For more information about configuring SNMP notifications, refer to SNMP.

To enable or disable the SNMP service, click the SNMP Service checkbox and click Save Changes.

The SNMP community string is the credential that a poller must present to read from the SNMP service. SNMPv1 and SNMPv2c send it in cleartext, so treat it as a password: choose a value that is not a vendor default or easy to guess, and limit network access to the service to your management stations. To configure the SNMP service:

  1. Next to SNMP, click Configure.

  2. On the SNMP Service Configuration page, click the Enabled checkbox.

  3. Enter a name in the SNMP Community field, a valid name or email address in the SNMP System Contact field, and a location in the SNMP System Location field.

  4. Click Save Settings.
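To make the cleartext caveat concrete, the following is an added example (not ExtraHop code): a minimal BER encoder builds an SNMPv2c GetRequest for sysContact.0, the object behind the SNMP System Contact field, and a decoder then reads the community string straight back out of the raw datagram, which is exactly what anyone capturing traffic on the management network can do. The community value "public", the request ID, and the OID 1.3.6.1.4.1.300 used in the test are illustration values; 1.3.6.1.2.1.1.4.0 is sysContact.0 in the standard SNMPv2-MIB.

```python
"""Added example, not ExtraHop code: a minimal BER encoder/decoder for an
SNMPv2c GetRequest, showing that the community string crosses the wire in
cleartext.  Community "public" and request ID 42 are illustration values."""
from __future__ import annotations

TAG_INT, TAG_OCTETS, TAG_NULL, TAG_OID, TAG_SEQ, TAG_GETREQ = 0x02, 0x04, 0x05, 0x06, 0x30, 0xA0


def ber_length(n: int) -> bytes:
    """Definite-form BER length: one byte below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(payload)) + payload


def encode_int(value: int) -> bytes:
    """BER INTEGER: two's-complement, shortest encoding."""
    nbytes = max(1, (value.bit_length() + 8) // 8)
    return tlv(TAG_INT, value.to_bytes(nbytes, "big", signed=True))


def encode_oid(dotted: str) -> bytes:
    """BER OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))   # continuation bit on the high groups
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def snmp_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER (1 = v2c), community OCTET STRING,
    GetRequest-PDU [0] { request-id, error-status, error-index, VarBindList } }"""
    varbind = tlv(TAG_SEQ, encode_oid(oid) + tlv(TAG_NULL, b""))
    pdu = tlv(TAG_GETREQ, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(TAG_SEQ, varbind))
    return tlv(TAG_SEQ, encode_int(1) + tlv(TAG_OCTETS, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def community_from_wire(datagram: bytes) -> tuple[int, str]:
    """What anyone who captures the UDP datagram learns: version and community.
    No key and no decryption; v1/v2c authenticate with this plaintext string alone."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != TAG_SEQ:
        raise ValueError("not an SNMP message")
    tag, version, pos = read_tlv(body, 0)
    tag2, community, _ = read_tlv(body, pos)
    if tag != TAG_INT or tag2 != TAG_OCTETS:
        raise ValueError("unexpected SNMP message layout")
    return int.from_bytes(version, "big", signed=True), community.decode("latin-1")


if __name__ == "__main__":
    pkt = snmp_get_request("public", "1.3.6.1.2.1.1.4.0", request_id=42)
    print(pkt.hex())
    print(community_from_wire(pkt))   # (1, 'public')
```

Feed the bytes from `snmp_get_request` to any SNMP agent over UDP port 161 and it will answer; feed a captured datagram to `community_from_wire` and the "secret" is printed. That asymmetry is why the community string deserves the same handling as any other shared password.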

SSH Access

The SSH Service setting controls the status of the Secure Shell protocol that manages the ExtraHop command-line interface (CLI). By default, this service is enabled so that ExtraHop users have access to the ExtraHop system functionality through the CLI. If this service is disabled, it terminates SSH, turning off CLI access to the ExtraHop system.

The SSH Service and the Management GUI Service cannot be disabled at the same time. At least one of these services must be enabled on the ExtraHop system at all times to provide interface functionality to the system.

To enable or disable the SSH service, click the SSH Service checkbox and click Save Changes.

Web Shell

The Admin UI provides access to the ExtraHop web shell by default. Click the Launch Shell button in the top right corner of the screen to launch the web shell. To disable this button, uncheck the Web Shell checkbox.

Firmware

The Admin UI provides an interface to upload and delete the firmware on the ExtraHop appliance.

The ExtraHop Admin UI includes the following firmware configuration settings:

  • Upload: Upload and install new ExtraHop system firmware versions.

  • Delete: Select and delete installed firmware versions from the ExtraHop system.

You can download the latest firmware at the ExtraHop Support Portal. A checksum for the firmware file is usually published in the same download location as the .tar firmware file. Compare it against the file you downloaded before you upload the file, and keep it on hand: if there is an error during firmware installation, ExtraHop Support may ask you to verify the checksum of the firmware file.
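The following is an added example, not ExtraHop code, of the pre-upload check described above. Because the guide does not name the hash algorithm or the listing format, it assumes the published value is SHA-256 in `sha256sum` style ("<hex>  <filename>"); swap the algorithm if the portal publishes something else. The sample "image" and its digest are constructed so the script runs offline.

```python
"""Added example, not ExtraHop code: verify a downloaded firmware .tar
against the checksum published beside it before uploading it through the
Admin UI.  Assumed (the guide does not say): SHA-256 in sha256sum format."""
import hashlib
import hmac
import os
import tempfile


def parse_checksum_listing(text: str) -> dict:
    """Map file name -> lowercase hex digest from sha256sum-style lines."""
    digests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        digests[parts[1].lstrip("*")] = parts[0].lower()   # '*' marks binary mode
    return digests


def sha256_of_file(path: str) -> str:
    """Hash in 1 MiB chunks so a large image never sits in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_firmware(path: str, listing: str) -> bool:
    """True only when the file's digest equals the published entry for it."""
    expected = parse_checksum_listing(listing).get(os.path.basename(path))
    if expected is None:
        return False          # no published value: refuse rather than assume
    return hmac.compare_digest(sha256_of_file(path), expected)


# CONSTRUCTED sample: a 6-byte "image" whose SHA-256 is well known.
SAMPLE_CONTENT = b"hello\n"
SAMPLE_SHA256 = "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"


def make_sample() -> tuple:
    """Write the sample image to a temp file; return (path, matching listing)."""
    fd, path = tempfile.mkstemp(prefix="extrahop-sample-", suffix=".tar")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_CONTENT)
    return path, f"{SAMPLE_SHA256}  {os.path.basename(path)}\n"


if __name__ == "__main__":
    path, listing = make_sample()
    print("good listing :", verify_firmware(path, listing))                            # True
    print("tampered file:", verify_firmware(path, listing.replace("5891", "0000")))    # False
    os.remove(path)
```

A digest that matches only proves the file is the one the portal published, not that the portal itself is trustworthy; download both the image and the checksum over HTTPS from the Support Portal, and when you use Retrieve from URL on the Firmware page, point it at a location you control that serves the verified file.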

If you are upgrading an ECM, make sure to upgrade the ECM first and then upgrade the nodes. To function correctly, the ECM and nodes must use the same minor version of ExtraHop firmware.

Uploading New Firmware Versions

Firmware images that you want to upload must be accessible from the computer on which you are running the web browser.

To upload a new ExtraHop system firmware version:

  1. Launch the Admin UI in your browser and enter your access credentials.

  2. On the Admin page under System Settings, click the Change icon next to Firmware.

  3. On the Firmware page, click the Change icon next to Upload.

  4. To specify the firmware file:

    • Click Choose File, navigate to the .tar file that you want to upload, and click Open.

      OR

    • Click Retrieve from URL and enter the URL.

    If the device has less than 300MB of space remaining, a warning message appears with a link to clean up the disk. ExtraHop strongly recommends performing a disk cleanup before uploading new firmware to ensure continued device functionality.

  5. Click Upload.

    The system initiates the firmware update. You can monitor the progress of the update with the Updating progress bar.

  6. After the firmware update is installed successfully, the ExtraHop system displays the version number of the new firmware image. Click Reboot to restart the system.

  7. After restarting, on the Admin UI main page, go to Status and click the View icon next to Firmware Version.

  8. Verify that the firmware version number displayed matches the version that you downloaded from ExtraHop.

Uploading New Firmware Versions (ECM)

Firmware images that you want to upload must be accessible from the computer on which you are running the web browser.

Make sure to upgrade the ECM first and then upgrade the nodes.

To upload a new ExtraHop system firmware version:

  1. Launch the ECM Admin UI in your browser and enter your access credentials.

  2. On the Admin page under System Settings, click the Change icon next to Firmware.

  3. On the Firmware page, click the Change icon next to Upload.

  4. To specify the firmware file:

    • Click Choose File, navigate to the .tar file that you want to upload, and click OK.

      OR

    • Click Retrieve from URL and enter the URL.

  5. Click Upload.

    The system initiates the firmware update. You can monitor the progress of the update with the Updating progress bar.

  6. After the firmware update is installed successfully, the ExtraHop system displays the version number of the new firmware image. Click Reboot to restart the system.

  7. Go to the Cluster Settings section and click Nodes.

  8. On the Nodes page, click Update Firmware.

  9. Click Choose File to select the .tar file on your workstation. Click the Retrieve from URL link if you received a URL from ExtraHop Support.

  10. Click the All nodes radio button to update the firmware on all nodes, or click the Matching nodes radio button and enter search criteria to update specific nodes at a time.

  11. Click Upload.

Deleting Firmware Versions

The ExtraHop system keeps every firmware image that has been uploaded to it. For maintenance purposes, you can delete uploaded firmware images to reduce the number of available versions and free disk space.

To delete firmware images from the ExtraHop system:

  1. Launch the Admin UI in your browser and enter your access credentials.

  2. On the Admin page under System Settings, click the Change icon next to Firmware.

  3. On the Firmware page, click the Change icon next to Delete.

  4. On the Installed Firmware Images page, click the checkbox next to the firmware image that you want to delete.

    You can select multiple versions.

  5. If you want to delete all installed firmware images, click the All checkbox.

    The All option does not select the active firmware version, which cannot be deleted.

  6. Scroll to the bottom of the page and click Delete Selected.

The selected firmware images are removed from the ExtraHop appliance.

Updating the Firmware Using the Command Line Interface

Follow these steps to update the firmware for the ExtraHop system using the ExtraHop command line interface (CLI).

  1. Access the ExtraHop CLI using one of the following three methods:

    • From a USB keyboard and SVGA monitor directly connected to the appliance

    • Using an RS-232 serial cable and a terminal-emulator program. The terminal emulator must be set to 115200 bps with 8 data bits, no parity, and 1 stop bit (8N1). Hardware flow control should be disabled.

    • Secure shell (SSH)

      When changing the network settings, it is recommended that you use a serial cable or directly connected keyboard and monitor. This approach ensures that access to the ExtraHop system will not be disrupted if the settings are configured improperly.
  2. Connect to the ExtraHop system. The login is shell and the default password is the service tag number on the right-front bracket of the appliance (if the default password has been changed, use the current password instead).

  3. Enable the administration controls. The password is the same as above.

    extrahop>enable

  4. Enter configuration mode.

    extrahop#configure term

  5. Download the firmware update using the FTP account credentials that you received from your ExtraHop support representative. FTP transmits these credentials and the image in cleartext, so run this step only from a trusted management network.

    extrahop(config)#download ftp://[login]:[password]@[FTP IP address]:/[firmware image]

  6. The system downloads and applies the upgrade.

    Connecting to ipaddr ... connected.
    Logging in as login ... Logged in!
    ==> SYST ... done.    ==> PWD ... done.
    ==> TYPE I ... done.  ==> CWD not needed.
    ==> PASV ... done.    ==> LIST ... done.
    [ <=>                       ] 1,591       --.-K/s   in 0s
    ==> CWD not required.
    ==> PASV ... done.    ==> RETR firmware-image-version ... done.
    Length: 10045440 (9.6M)
    100%[=====================>] 10,045,440  --.-K/s   in 0.09s
    FINISHED --2009-03-10 12:28:59--
    Downloaded: 2 files, 9.6M in 0.09s (112 MB/s)
    Applying update. Please wait...
    Update succeeded. Would you like to reboot now [Y/n]?:

  7. Restart the ExtraHop system.

  8. After the ExtraHop system restarts, verify the version by connecting to the CLI and running the show version command.

    extrahop>show version
    extrahop-1.0.7238

    The version number displayed should match the version of the firmware image you downloaded in step 5 above.

System Time

When capturing data, it is helpful for the time on the ExtraHop system to match the time on the routers and other devices whose traffic it captures, so that captured metrics line up with those devices' own logs. The ExtraHop system can use a locally set time, or it can keep the system time accurate by using time servers. You can use the default time server setting, pool.ntp.org, specify your own NTP servers, or configure the system time manually.

To configure the system time:

  1. Go to the System Settings section and click System Time.

  2. Click the Configure Time button.

  3. Click the Time Zone drop-down list and select a time zone. Click Save & Continue.

  4. Select the Use NTP server to set time radio button and click Select.

  5. To set the NTP servers, enter the IP addresses for the time servers and click Save.

The default time server setting is pool.ntp.org. If the appliance has no Internet access, or your environment requires an authoritative internal time source, enter the IP addresses of your own NTP servers instead.

If needed, select the Set clock manually radio button to adjust the date and time. Set the date and time values, and then click Save. The System Clock time setting is not UTC, but it reflects the time zone currently set in the Time Zone section.

The NTP Status table lists the NTP servers that are used to keep the system clock in sync. To sync the system clock with the configured NTP servers immediately, click the Sync Now button.
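The following is an added example, not ExtraHop code, that works one NTP (RFC 5905) client/server exchange end to end: it shows how a client derives the clock offset that a Sync Now corrects, and which checks it should make before trusting a reply. The server side is constructed in code so nothing touches the network, and every timestamp is a made-up value chosen so the arithmetic is easy to follow.

```python
"""Added example, not ExtraHop code: one NTP (RFC 5905) client/server
exchange with a CONSTRUCTED server reply and made-up timestamps."""
import struct

NTP_EPOCH = 2208988800            # seconds from 1900-01-01 to the Unix epoch
FMT = "!BBBbIIIQQQQ"              # 48-byte NTP header (RFC 5905, figure 8)
CLIENT = (0 << 6) | (4 << 3) | 3  # LI=0, version 4, mode 3 (client)
SERVER = (0 << 6) | (4 << 3) | 4  # mode 4 (server)
ORIG, RECV, XMIT = 8, 9, 10       # field indexes after unpack


def to_ntp(unix: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32.32 fixed point since 1900)."""
    secs = int(unix)
    return ((secs + NTP_EPOCH) << 32) | int((unix - secs) * 2**32)


def from_ntp(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH + (ts & 0xFFFFFFFF) / 2**32


def build_request(t1: float) -> bytes:
    """Client packet: only the Transmit Timestamp (t1) carries information."""
    return struct.pack(FMT, CLIENT, 0, 6, -20, 0, 0, 0, 0, 0, 0, to_ntp(t1))


def build_server_reply(request: bytes, t2: float, t3: float, stratum: int = 2) -> bytes:
    """CONSTRUCTED stand-in for a real server: echoes the client's t1 into
    Originate, stamps Receive with t2 and Transmit with t3."""
    t1_ntp = struct.unpack(FMT, request)[XMIT]
    return struct.pack(FMT, SERVER, stratum, 6, -20, 0, 0, 0,
                       to_ntp(t2), t1_ntp, to_ntp(t2), to_ntp(t3))


def sanity_check(request: bytes, reply: bytes) -> None:
    """Reject replies a client must not act on."""
    f = struct.unpack(FMT, reply)
    mode, version = f[0] & 0x7, (f[0] >> 3) & 0x7
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if version not in (3, 4):
        raise ValueError(f"unsupported NTP version {version}")
    if f[1] == 0:
        raise ValueError("kiss-o'-death (stratum 0): stop polling this server")
    if f[ORIG] != struct.unpack(FMT, request)[XMIT]:
        # Originate must echo our own transmit stamp; otherwise the reply is
        # stale or was not produced in response to our request.
        raise ValueError("originate timestamp does not match our request")


def clock_offset(request: bytes, reply: bytes, t4: float):
    """RFC 5905 on-wire arithmetic:
       offset = ((t2 - t1) + (t3 - t4)) / 2,  delay = (t4 - t1) - (t3 - t2)."""
    sanity_check(request, reply)
    f = struct.unpack(FMT, reply)
    t1, t2, t3 = from_ntp(f[ORIG]), from_ntp(f[RECV]), from_ntp(f[XMIT])
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


if __name__ == "__main__":
    # Appliance clock reads 1000.0 at send (t1) and 1000.11 at receive (t4);
    # the server, 2.0 s ahead, stamps 1002.05 on receipt and 1002.06 on reply.
    req = build_request(1000.0)
    rep = build_server_reply(req, 1002.05, 1002.06)
    offset, delay = clock_offset(req, rep, 1000.11)
    print(f"offset {offset:+.6f} s, round-trip delay {delay:.6f} s")  # +2.000000, 0.100000
```

The originate-timestamp check is the one line that matters for security: plain NTP has no authentication, so a reply whose Originate field does not match the request you sent is either delayed or forged and must be discarded. Run the arithmetic once by hand against the comment in the block and a 2.0 s offset falls out, which is exactly the kind of skew that makes event correlation with other devices' logs unreliable.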

Shutdown/Restart

The Admin UI provides an interface to halt, shutdown, and restart the ExtraHop system. The ExtraHop Admin UI includes restart controls for the following system components:

  • System: Pause the operation of the ExtraHop system or shut down and restart the system.

  • Bridge Status: Shut down and restart the ExtraHop bridge component.

  • Capture Status: Shut down and restart the ExtraHop capture component.

  • Portal Status: Shut down and restart the ExtraHop web portal.

For each ExtraHop system component, the table includes a time stamp to show the start time.

System

To halt the ExtraHop system:

  1. Launch the Admin UI in your browser and enter your access credentials.

  2. On the Admin page under System Settings, click Shutdown/Restart.

  3. On the Restart page, under System, click the Halt icon.

  4. At the prompt, click Halt.

To shutdown and restart the ExtraHop system:

  1. Launch the Admin UI in your browser and enter your access credentials.

  2. On the Admin page under System Settings, click Shutdown/Restart.

  3. On the Restart page, under System, click the Restart icon.

  4. At the prompt, click Restart.

Bridge Status

To shut down and restart the ExtraHop bridge:

  1. Launch the Admin UI in your browser and enter your access credentials.

  2. On the Admin page under System Settings, click Shutdown/Restart.

  3. On the Restart page, under Bridge Status, click the Restart icon.

  4. At the prompt, click OK.

Capture Status

To shut down and restart the ExtraHop capture:

  1. Launch the Admin UI in your browser and enter your access credentials.

  2. On the Admin page under System Settings, click Shutdown/Restart.

  3. On the Restart page, under Capture Status, click the Restart icon.

  4. At the prompt, click OK.

Portal Status

To shut down and restart the ExtraHop web portal:

  1. Launch the Admin UI in your browser and enter your access credentials.

  2. On the Admin page under System Settings, click Shutdown/Restart.

  3. On the Restart page, under Portal Status, click the Restart icon.

  4. At the prompt, click OK.

License

The Admin UI provides an interface to add and update licenses for add-in modules and other features available in the ExtraHop system. The License Administration page includes the following licensing information and settings:

  • System Information: Displays the identification and expiration information about the ExtraHop appliance.

  • Modules: Displays the list of modules on the ExtraHop system and whether they are enabled or disabled.

  • Interfaces: Displays the list of licensed Interfaces (such as 10G) and whether the specified interface is active.

  • Features: Displays the list of licensed ExtraHop system features (such as Activity Mapping) and whether the licensed features are enabled or disabled.

  • Manage License: Provides an interface to add and update licenses for ExtraHop system features and modules.

To view the licensing system information and the status of licensed modules on the ExtraHop system:

  1. Launch the Admin UI in your browser and enter your access credentials.

  2. On the Admin page under System Settings, click License.

  3. On the License Administration page, under Modules, check the status column to verify that the add-in modules are enabled.

To register an existing license:

  1. Launch the Admin UI in your browser and enter your access credentials.

  2. On the Admin page under System Settings, click the Change icon next to License.

  3. On the License Administration page, under Manage License, click Register.

  4. (Optional) On the Register Appliance page, click the Test Connectivity button.

    The ExtraHop license server uses DNS records to determine whether a connection is possible.

    If the test does not pass, make sure that the appliance can reach its configured DNS servers on port 53 (for example, through any firewall between them), or contact your system administrator.

  5. Click the Register button.

  6. Wait for the license server to finish processing, and then click Done.

To update a module license or add new licenses to the ExtraHop system:

  1. Launch the Admin UI in your browser and enter your access credentials.

  2. On the Admin page under System Settings, click License.

  3. On the License Administration page, under Manage License, click Update.

  4. In the Enter License text box, enter the licensing information for the module.

    License information must include the dossier and service tag number for the ExtraHop system as well as key-value pairs to enable the module licenses and other ExtraHop system features. In the license information, a key-value pair with a value of 1 enables the feature or module; a key-value pair with a value of 0 disables the feature or module. For example:

    -----BEGIN EXTRAHOP LICENSE-----
    serial=ABC123D;
    dossier=1234567890abcdef1234567890abcdef;
    mod_cifs=1;
    mod_nfs=1;
    mod_amf=0;
    live_capture=1;
    capture_upload=1;
    10G=1;
    triggers=0;
    poc=0;
    early_access_3.1=0;
    activity_map=1;
    ssl_acceleration=0;
    ssl_decryption=0;
    +++;
    ABCabcDE/FGHIjklm12nopqrstuvwXYZAB12345678abcde901abCD;
    12ABCDEFG1HIJklmnOP+1aA=;
    =abcd;
    -----END EXTRAHOP LICENSE-----
  5. Click Update.
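The following is an added example, not ExtraHop code, of a parser for the license block format shown above. It checks the armor lines, the key=value; pairs, and the +++; separator, and reports which modules and features the text would enable or disable, so that a license can be reviewed before it is pasted into the Admin UI. It treats `serial` as the service-tag field the text refers to (an inference from the sample, not stated by the guide), and it does not verify the signature lines after +++;, which are opaque here; the appliance and license server do that. The sample block is the guide's own placeholder text.

```python
"""Added example, not ExtraHop code: parse an ExtraHop license block into
structured data and list what it enables.  Layout checks only; the
signature after '+++;' is NOT verified here."""
import re

BEGIN = "-----BEGIN EXTRAHOP LICENSE-----"
END = "-----END EXTRAHOP LICENSE-----"
KV = re.compile(r"([A-Za-z0-9_.]+)=([^;]*);")

# The guide's placeholder license, reproduced as sample input.
SAMPLE_LICENSE = """\
-----BEGIN EXTRAHOP LICENSE-----
serial=ABC123D;
dossier=1234567890abcdef1234567890abcdef;
mod_cifs=1;
mod_nfs=1;
mod_amf=0;
live_capture=1;
capture_upload=1;
10G=1;
triggers=0;
poc=0;
early_access_3.1=0;
activity_map=1;
ssl_acceleration=0;
ssl_decryption=0;
+++;
ABCabcDE/FGHIjklm12nopqrstuvwXYZAB12345678abcde901abCD;
12ABCDEFG1HIJklmnOP+1aA=;
=abcd;
-----END EXTRAHOP LICENSE-----
"""


def parse_license(text: str) -> dict:
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing BEGIN/END EXTRAHOP LICENSE armor")
    body = lines[1:-1]
    if "+++;" not in body:
        raise ValueError("missing '+++;' separator before the signature")
    split = body.index("+++;")
    fields, signature = body[:split], body[split + 1:]
    if not signature:
        raise ValueError("no signature lines after '+++;'")
    lic = {"serial": None, "dossier": None, "flags": {},
           "signature": "".join(s.rstrip(";") for s in signature)}
    for ln in fields:
        m = KV.fullmatch(ln)
        if not m:
            raise ValueError(f"malformed key-value line: {ln!r}")
        key, value = m.groups()
        if key in ("serial", "dossier"):
            lic[key] = value                      # identity of the appliance
        elif value in ("0", "1"):
            lic["flags"][key] = value == "1"      # 1 enables, 0 disables
        else:
            raise ValueError(f"flag {key} must be 0 or 1, got {value!r}")
    if lic["serial"] is None or lic["dossier"] is None:
        raise ValueError("license must carry both serial and dossier")
    return lic


def enabled(lic: dict) -> list:
    return sorted(k for k, v in lic["flags"].items() if v)


def disabled(lic: dict) -> list:
    return sorted(k for k, v in lic["flags"].items() if not v)


if __name__ == "__main__":
    lic = parse_license(SAMPLE_LICENSE)
    print("serial:", lic["serial"], "dossier:", lic["dossier"])
    print("enabled: ", enabled(lic))
    print("disabled:", disabled(lic))
```

Before pasting a license received by email, confirm that its serial and dossier match the appliance shown under System Information on the License Administration page, and that the enabled list is what you paid for; a block that parses cleanly but names a different appliance will simply be rejected by the license server.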

Disk

The Disk page displays a map of the drives on your ExtraHop appliance and lists their statuses. This information can help you determine whether drives need to be installed or replaced. Automatic system health checks and email notifications (if enabled) can provide timely notice about a disk that is in a degraded state. System health checks display disk errors at the top of the Settings page.

For information about configuring and repairing RAID10 functionality on the EH8000 appliance, refer to the guides on the ExtraHop Support Forum.

For help replacing a RAID 0 disk or installing an SSD drive, refer to the instructions below. The RAID 0 instructions apply to the following types of disks:

  • Datastore (EH2000/3000/5000/6000/8000)

  • Packet Capture (EH3000/6000/8000)

  • Firmware (EH3000/6000/8000)

Do not attempt to install or replace the drive in Slot 0 unless instructed by ExtraHop Support.

To ensure that system health checks and email notifications are running, mouse over the Settings button in the Web UI navigation bar.

  • If the message "System Health Checks Not Running" appears, contact ExtraHop Support at support@extrahop.com for instructions. This message also appears at the top of the Settings page.

  • If the message "System Health Notifications Not Configured" appears, refer to Email Notification Groups to set up email notifications for system health. Alternatively, click the Settings button, and then click the View Admin Notifications page link at the top of the Settings page for more details.

Ensure that your device has a RAID controller before attempting the following procedure. If unsure, contact ExtraHop Support at support@extrahop.com. This procedure uses the EH5000 appliance as an example. A persistently damaged disk may not be replaceable with this procedure.

To replace a RAID 0 disk:

  1. In the system health email notification, note which machine has the problematic disk.

  2. In the ExtraHop Web UI for the identified machine, click the Settings button in the navigation bar, and go to the Disk page by doing either of the following:

    • Click Administration. Then, under System Settings, click Disk.

    • Click the Disk Error link at the top of the page.

  3. Under the section for the disk type (for example, Datastore), find the problematic disk and note the Slot Number.

    In the following example, the Media Error Count is increasing on the disk, and the Slot Number is 0. The Drive Map shows the disk in yellow.

    You can click RAID Disk Details at the bottom of the section to display more details.

  4. Insert an identical disk into an available slot.

    The system detects the new disk and adds a new row (Disk Error Action) with a link to replace the bad disk.

  5. Verify the new disk's information:

    • Under Unused Disks on the Disk Details page, verify that the new disk is the same size, speed, and type as the disk being replaced.

    • Mouse over the old and new disks in the Drive Map. The new disk displays the message "Unconfigured(good), Spun Up."

  6. Under the section for the disk type, click Replace with Disk in slot #n in the Disk Error Action row.

    The data begins copying over. The Copy Status row shows the progress. Mousing over the disk in the Drive Map shows the status.

  7. After copying is complete, make sure that the copy process was successful:

    • Settings button and Settings page no longer display error messages.

    • Disk page shows the old disk under the Unused Disk section.

  8. Remove the old disk.

    The Drive Map now shows the new disk in green.

    If you want to move the disk to the old disk's slot, you can power off the ExtraHop appliance, move the disk, and then power on the appliance.

To install a new SSD drive:

  1. Ensure that your ExtraHop license has packet capture enabled. For more information, refer to Packet Captures.

  2. Go to the System Settings section and click Disk. If the Drive Map shows the last slot (Disk #5 on the EH2000, Disk #7 on the EH5000) in red, you must replace the SSD drive.

  3. Insert the SSD drive into the last slot and wait for the LED on the drive to turn green.

  4. In the Admin UI, refresh the browser. The Drive Map shows the last slot in yellow because the drive is not configured.

  5. Next to SSD Assisted Packet Capture, click Enable.

  6. Wait about 1 minute for the drive to be configured and brought online.

  7. The browser automatically refreshes. The Drive Map shows the SSD drive as green and the Status changes to Online.

If the SSD drive is dislodged and reinserted, you can re-enable it. This process requires reformatting the disk, which erases all data.

Scheduled Reports (ECM)

This page displays a list of scheduled reports that are in the process of being generated by the ExtraHop Central Manager (ECM). The list contains only reports that are presently being processed, or that were halted during generation because of an error; it does not list reports scheduled for the future. Refer to this page if you stop receiving the scheduled reports that you created in the Reports section of the ExtraHop Web UI.

For more information about creating a report, refer to the Reports section of the Web UI Users Guide.

For more information about configuring email server settings and creating email groups, refer to Notifications.

To view scheduled reports:

  1. In the ExtraHop Web UI, click Settings, click Reports, click a report, and click the Email Schedule tab to ensure the report has been scheduled.

  2. In the Admin UI, go to the System Settings section and click Scheduled Reports.

  3. View the list of reports. If the report was scheduled to be sent less than 10 minutes in the past, it may be in the process of generating. If the first report was scheduled to be sent more than 10 minutes in the past, an error may have occurred while generating the report and is delaying subsequent reports from being sent.

  4. Click the red delete symbol next to the report to remove it from the list.

    If all reports are generating without errors, reports remain in the queue while they are generating and then leave the queue when sent. Reports typically remain in the queue for less than 1 minute.

Diagnostics

The Diagnostics section includes the following pages:

  • Exception Files: Enable or disable the ExtraHop system exception files.

  • Support Packs: Upload and execute ExtraHop system support packages.

  • Offline Capture File: Configure the ExtraHop system for live (online) or offline capture mode.

Exception Files

The Admin UI provides a page to enable or disable writing exceptions to the ExtraHop exception files.

To configure the Exception Files setting:

  1. On the Admin page under Diagnostics, click the Change icon next to Exception Files.

  2. On the Enable/Disable Exception Files page, click Enable Exception Files to turn on the setting to write exceptions to the exception files.

To turn off writing exceptions to the exception files, click Disable Exception Files.

Support Packs

When you receive assistance from ExtraHop support, you might need to load an ExtraHop-provided support pack to apply a special setting, make a small adjustment to the system, or get help with remote support or enhanced settings. The ExtraHop Admin UI includes the following configuration settings to manage support packages:

  • Support Pack Results: View, download, or delete selected support packages.

  • Upload Support Pack: Upload diagnostic support packages on the ExtraHop system.

  • System Support Pack: Execute a selected diagnostic support package.

Support Pack Results

You can view, download, or delete the diagnostic support packages that have been uploaded to the ExtraHop system.

To view the diagnostic support packages on the system:

  1. Go to the Diagnostics section and click Support Packs.

  2. Under Support Pack, click the View icon next to Support Pack Results.

To download a selected diagnostic support package:

  1. Go to the Diagnostics section and click Support Packs.

  2. Under Support Pack, click the View icon next to Support Pack Results.

  3. Locate the diagnostic support package that you want to download.

  4. Click the Download icon next to the support package create date.

  5. At the prompt, click the Save File option, and then click OK.

To delete a selected diagnostic support package:

  1. Go to the Diagnostics section and click Support Packs.

  2. Under Support Pack, click the View icon next to Support Pack Results.

  3. Locate the diagnostic support package that you want to delete.

  4. Click the Delete icon next to the support package create date.

  5. At the prompt, click OK.

Upload Support Pack

To upload a selected diagnostic support package:

  1. Go to the Diagnostics section and click Support Packs.

  2. Under Support Pack, click the Upload icon next to Upload Support Pack.

  3. Click Browse.

  4. Navigate to the diagnostic support package that you want to upload.

  5. Select the file and click OK.

  6. Click Upload to add the file to the ExtraHop system.

System Support Pack

Some support packs only perform a function on the ExtraHop appliance, while others gather information about the state of the system for analysis by the ExtraHop Support team. If the support pack generated a results package to send to the ExtraHop Support team, then the Admin UI redirects to the Support Pack Results page. If it does not, you can go to the Support Pack Results page from the Support Pack page.

To create a diagnostic support package that can be downloaded and sent to the ExtraHop Product Support team:

  1. Go to the Diagnostics section and click Support Packs.

  2. Under Support Pack, click the Execute icon next to System Support Pack.

  3. Click OK.

Offline Capture File

By default, the ExtraHop system is configured to obtain network data in Live Network Traffic (Online) Capture mode. You can turn off this setting if you want to capture data using an uploaded capture file.

The Offline Capture mode in the ExtraHop system enables an ExtraHop administrator to upload a capture file (recorded by packet sniffers, such as Wireshark or tcpdump) to the ExtraHop datastore for analysis. When the system is set to Offline mode, the offline file upload feature is enabled, allowing a capture file to be uploaded to the datastore. In Offline mode, no metrics are collected from the capture interface until the system is set to online mode again.

When the capture is set to Offline mode, the ExtraHop datastore is reset. All previously recorded performance metrics are deleted from the datastore. When the system is set to online mode, the datastore is reset again.

Offline Capture mode is not configurable when using the ExtraHop Central Manager (ECM) or ExtraHop Discovery Edition.
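Because switching to Offline mode wipes the datastore, it is worth checking a capture file before the upload rather than after. The following is an added example, not ExtraHop code, that reads the classic pcap global header, walks the packet records, and reports byte order, timestamp resolution, link type, packet count and whether the file is truncated. It also rejects pcapng files, which use a different container; whether the appliance accepts pcapng is not stated in the guide, so treat that rejection as a conservative default. The magic numbers and link-type codes are the libpcap values; the sample capture is constructed in code with dummy payloads.

```python
"""Added example, not ExtraHop code: sanity-check a pcap file before
uploading it in Offline Capture mode.  The sample capture is CONSTRUCTED."""
import struct

# magic as read big-endian from the first 4 bytes -> (struct byte order, ts divisor)
MAGICS = {
    0xA1B2C3D4: (">", 1_000_000),        # big-endian file, microsecond timestamps
    0xD4C3B2A1: ("<", 1_000_000),        # little-endian file, microseconds
    0xA1B23C4D: (">", 1_000_000_000),    # nanosecond variant
    0x4D3CB2A1: ("<", 1_000_000_000),
}
PCAPNG_MAGIC = 0x0A0D0D0A
LINKTYPES = {1: "ETHERNET", 101: "RAW_IP", 113: "LINUX_SLL"}
GLOBAL_HDR, RECORD_HDR = 24, 16


def inspect_pcap(data: bytes) -> dict:
    """Parse the global header and walk the records, flagging truncation."""
    if len(data) < GLOBAL_HDR:
        raise ValueError("shorter than the 24-byte pcap global header")
    magic = struct.unpack(">I", data[:4])[0]
    if magic == PCAPNG_MAGIC:
        raise ValueError("pcapng file; convert to classic pcap first")
    if magic not in MAGICS:
        raise ValueError(f"not a pcap file (magic 0x{magic:08x})")
    e, ts_div = MAGICS[magic]
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(e + "HHiIII", data[4:GLOBAL_HDR])
    info = {"endian": "big" if e == ">" else "little", "version": f"{major}.{minor}",
            "snaplen": snaplen, "linktype": LINKTYPES.get(linktype, f"DLT_{linktype}"),
            "packets": 0, "bytes": 0, "first_ts": None, "last_ts": None, "truncated": False}
    pos = GLOBAL_HDR
    while pos < len(data):
        if len(data) - pos < RECORD_HDR:
            info["truncated"] = True          # partial record header at EOF
            break
        sec, frac, incl, orig = struct.unpack(e + "IIII", data[pos:pos + RECORD_HDR])
        if incl > snaplen or incl > orig:
            raise ValueError(f"corrupt record at offset {pos}: incl_len {incl} exceeds snaplen/orig_len")
        if pos + RECORD_HDR + incl > len(data):
            info["truncated"] = True          # packet body cut off at EOF
            break
        ts = sec + frac / ts_div
        info["first_ts"] = ts if info["first_ts"] is None else info["first_ts"]
        info["last_ts"] = ts
        info["packets"] += 1
        info["bytes"] += incl
        pos += RECORD_HDR + incl
    info["duration"] = (info["last_ts"] - info["first_ts"]) if info["packets"] else 0.0
    return info


def build_sample_pcap(packets, little_endian: bool = True, linktype: int = 1) -> bytes:
    """CONSTRUCTED capture: (timestamp, payload) pairs written as classic pcap."""
    e = "<" if little_endian else ">"
    out = struct.pack(e + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, payload in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack(e + "IIII", sec, usec, len(payload), len(payload)) + payload
    return out


if __name__ == "__main__":
    cap = build_sample_pcap([(1700000000.0, bytes(60)), (1700000000.25, bytes(74))])
    print(inspect_pcap(cap))
    print(inspect_pcap(cap[:-10]))   # truncated: True, packets: 1
```

A file that reports `truncated` was cut off mid-record, usually because the sniffer was killed; the appliance will analyze whatever complete records precede the cut, but you lose the tail. Check `first_ts` against the appliance's own time-zone setting as well, since offline metrics are placed on the timeline by the capture's timestamps.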

Set the Offline Capture Mode

To configure the capture mode setting:

  1. Go to the Diagnostics section and click Offline Capture File.

  2. Click Offline - Upload Capture File to turn on the setting to set the capture mode to offline.

    The capture process is stopped, the capture state is set to offline, and the datastore is cleared of all data.

  3. Click Save to activate the new setting.

    When the system has set the capture to offline mode, the Upload a Capture File page is displayed.

  4. To upload a capture file:

    1. Click Choose File.

    2. Browse to the capture file that you want to upload.

    3. Select the file and click OK.

    4. On the Offline Capture page, click Upload.

      The ExtraHop system displays the Offline Capture Results page when the capture file uploads successfully.

To verify that the system is in offline mode, access the Health page in the Admin UI to see the Capture Status values. Each metric should have a value of offline. When you check the capture status, the status shown for VM RSS, VM Data, VM Size, and Start Time should indicate that the system is in offline mode.

For more information about the Health page, refer to Health.

To load a new capture file:

  1. Go to the Diagnostics section and click Offline Capture File.

  2. Under Offline Capture, click Offline - Upload Capture File.

  3. Click Save to open the Offline Capture page.

  4. To upload the new capture file:

    1. Click Choose File.

    2. Browse to the capture file that you want to upload.

    3. Select the file and click OK.

    4. On the Offline Capture page, click Upload.

Reset the Online Capture Mode

The Capture mode settings in the Admin UI are also used to return the system to online capture mode. When you choose to restart the ExtraHop online capture, the data loaded into the datastore from the offline capture file is deleted as soon as you save the online capture setting.

To turn on Online Capture mode:

  1. Go to the Diagnostics section and click Offline Capture File.

  2. Under Offline Capture, click Online - Live Traffic.

  3. Click Save to implement the new setting.

  4. At the prompt to restart the excap, click OK.

The ExtraHop system removes the performance metrics collected from the previous capture file and prepares the datastore for real-time analysis from the capture interface.

Shell

The ExtraHop shell provides a command-line interface (CLI) for managing configuration settings in the ExtraHop system. The CLI can be used as a stand-alone interface, or as a supplemental interface that is accessible through the Admin UI.

The CLI is used as the primary management interface when you attach a keyboard and monitor to the appliance's USB and video connections, or when you use the iDRAC interface that is available on the latest ExtraHop appliance models.

When the Admin UI is enabled and you are logged on, you can open the ExtraHop shell from the Admin UI application toolbar.

To open a shell window from the Admin UI, go to the application toolbar and click Launch Shell.

The ExtraHop Web Shell opens in a separate browser window.

The command syntax includes the ExtraHop system hostname to specify the appliance that will process the commands. For example, the following enable command is executed on the ExtraHop appliance on the network that has a hostname of extrahop.

extrahop>enable

You can type a question mark (?) at any prompt to generate a list of available commands. For example, if you type show ? at the prompt, the CLI will list all supported show commands and provide a brief description of each command.

The question mark (?) does not print in the CLI display, and you do not have to press the Enter key after typing the question mark. The CLI displays the sub-commands (or parameters) associated with the current command.

Privileged and Non-Privileged Modes

The CLI distinguishes between two user modes to determine the access privileges to specific commands:

Privileged. Has read-write privileges which provides access to all commands. In privileged mode, the elevated-privileged prompt is a hash symbol (#) instead of a greater than symbol (>).

Non-Privileged. Has read-only privileges which provides access to a limited set of commands. In non-privileged mode, the prompt is a greater than symbol (>).

Users that log on in non-privileged mode have access to the following four commands and their sub-commands:

enable. Enables privileged mode. When this command is executed, it prompts for a password to authorize privileged mode.

ping. Sends a ping request to a specified device.

show. Shows the ExtraHop system configuration settings in view-only mode.

traceroute. Sends a traceroute request to a specified device.

Users that enable privileged mode are granted access to all the CLI commands. The top-level commands that are enabled in privileged mode are:

configure. Enables configuration mode.

delete. Allows delete operations.

disable. Disables privileged mode.

enable. Enables privileged mode.

ping. Sends a ping request.

reload. Allows reload services operations.

reset. Allows reset services operations.

restart. Allows restart services operations.

show. Shows the current system configuration settings.

shutdown. Shuts down the ExtraHop system.

stop. Stops ExtraHop services.

support. Enables (or disables) the ExtraHop support account. Because this account gives ExtraHop Support access to the appliance, leave it disabled except while Support is actively working a case with you, and disable it again afterwards.

traceroute. Sends a traceroute request.

Shell Commands

The following shell commands are supported by the ExtraHop system. Note that you need to be in Privileged mode to execute commands that change ExtraHop system configuration settings.

configure

Puts the ExtraHop system into Configuration mode. After the configure command executes and the system is in Configuration mode, you can pass in any of the sub-commands listed below.

Syntax

extrahop#configure

Example

The following command sequence opens Configuration mode, enables the interface sub-commands, sets a static IP address, DNS servers, and hostname for the ExtraHop system, and then exits Configuration mode:

extrahop#configure

extrahop(config)#interface

extrahop(config-if)#ip ipaddr <ipaddr> <netmask> <gateway>

extrahop(config-if)#ip dnsservers <ipaddr> <ipaddr 2>

extrahop(config-if)#ip hostname <name>

extrahop(config-if)#exit

extrahop(config)#exit

The configure command supports the following sub-commands:

current

Enables the user to change the firmware version to any version that is installed on the system.
After specifying a new firmware version, the CLI will prompt you to reboot the ExtraHop system.

Syntax

extrahop#configure

extrahop(config)#current <version>

Parameters

  • version. Specifies the version number of the installed ExtraHop firmware that you want to make the current firmware on the appliance.

diagnostics

Downloads and executes a signed diagnostics script.

Syntax

extrahop#configure

extrahop(config)#diagnostics <URI>

Parameters

  • URI. Specifies the URI of a downloaded diagnostic script from ExtraHop Support to run on the ExtraHop appliance.

eula_reset

Resets the POC and EUSL/TOS license agreements. Note that this command is intended for use by ExtraHop Support only.

Syntax

extrahop#configure

extrahop(config)#eula_reset

install

Retrieves and uploads a firmware update from ExtraHop.

Syntax

extrahop#configure

extrahop(config)#install <URI>

Parameters

  • URI. Specifies the URI of a firmware update from ExtraHop Support that is uploaded to the ExtraHop system.

interface

Puts the CLI in Interface mode and provides sub-commands to specify how the system acquires an IP address and the hostname for the ExtraHop system.

Syntax

extrahop#configure

extrahop(config)#interface

extrahop(config-if)#ip ipaddr <addr> <netmask> <gateway>

Parameters

The interface command includes the following sub-commands and parameters:

  • ip dhcp. Configures the system to use DHCP. This sub-command takes the following value:

      • enable. Enables the DHCP setting.

  • ip dnsserver. Configures the system DNS servers. This sub-command requires the following values:

      • primary addr. Specifies the IP address of the primary DNS server.

      • secondary addr. Specifies the IP address of the secondary DNS server. This value is optional.

  • ip hostname. Specifies the system hostname. This sub-command is optional and takes the following value:

      • name. Specifies the hostname for the ExtraHop appliance.

  • ip ipaddr. Configures a static IP address for the system. This sub-command requires the following values:

      • addr. The static IP address.

      • netmask. The subnet mask for the address.

      • gateway. The IP address of the gateway (router) that devices on the network use to reach another network or a public network.

license

Provides sub-commands to enter the license string to update the ExtraHop license. The license key text is sent by ExtraHop Support, and it is pasted into the CLI at the Enter license text prompt.

Syntax

extrahop#configure

extrahop(config)#license update

Enter license text: <license>

Parameters

The license command includes the following sub-commands and parameters:

  • update. Updates the ExtraHop system license. This sub-command requires the following value:

      • license. Specifies the license key.

reformat

Provides sub-commands to schedule or cancel a reformat.

Syntax

extrahop#configure

extrahop(config)#reformat

Parameters

The reformat command performs a reformat on the next boot and includes the following sub-command:

  • reformat cancel. Cancels the scheduled reformat.

remote_auth

Provides sub-commands to enable or disable remote authentication of users on the ExtraHop system. Note that the sub-commands ldap, radius, and tacacs put the CLI in the specific mode to accept parameters for the specified remote authentication method.

Syntax

extrahop#configure

extrahop(config)#remote_auth disabled

Parameters

The remote_auth command includes the following sub-commands and parameters:

  • disabled. Disables remote authentication.

  • ldap. Specifies configuration parameters to enable the LDAP remote authentication method. This command puts the CLI in ldap mode and requires the following parameter values:

      • basedn. Specifies the base of the LDAP search used to find users.

      • binddn. Specifies the Distinguished Name (DN) used by the ExtraHop system to authenticate with the LDAP server.

      • port. Specifies the listening port number of the LDAP server.

      • search. Specifies the search filter used when searching the LDAP directory for user accounts.

      • server. Specifies the hostname or IP address of the LDAP server (or servers).

      • show. Displays the current LDAP settings.

  • radius. Specifies configuration parameters to enable the RADIUS remote authentication method. This command puts the CLI in radius mode and requires the following parameter values:

      • delete_server. Deletes a specified RADIUS server host.

      • server. Specifies the hostname or IP address of the RADIUS server (or servers), the shared secret password, and an optional timeout value.

      • show. Displays the current RADIUS settings.

  • tacacs. Specifies configuration parameters to enable the TACACS remote authentication method. This command puts the CLI in tacacs mode and requires the following parameter values:

      • delete_server. Deletes a specified TACACS server host.

      • server. Specifies the hostname or IP address of the TACACS server (or servers), the shared secret password, and an optional timeout value.

      • show. Displays the current TACACS settings.
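The following session is added here as an illustration of the ldap mode described above; it is not a transcript from the ExtraHop guide. The sub-command names (server, port, basedn, binddn, search, show) are the ones listed above. The config-ldap prompt, the argument form of each sub-command, and every host, account and directory name are assumptions, constructed for this example.

```console
# Added example: prompt names, argument forms and all values below are assumptions, not ExtraHop documentation.
extrahop>enable
password:
extrahop#configure
extrahop(config)#remote_auth ldap
extrahop(config-ldap)#server ldap.example.internal
extrahop(config-ldap)#port 636
extrahop(config-ldap)#basedn ou=People,dc=example,dc=internal
extrahop(config-ldap)#binddn cn=extrahop-bind,ou=Service Accounts,dc=example,dc=internal
extrahop(config-ldap)#search (&(objectClass=person)(memberOf=cn=extrahop-admins,ou=Groups,dc=example,dc=internal))
extrahop(config-ldap)#show
extrahop(config-ldap)#exit
extrahop(config)#exit
extrahop#show remote_auth
```

The bind DN is a dedicated, read-only service account rather than an administrator's credentials, and the search filter limits appliance logons to members of one directory group instead of every person object under the base DN. Port 636 assumes the directory server accepts LDAP over TLS on that port and that your ExtraHop version supports it; this page does not state either, so confirm before relying on it. The closing show remote_auth (documented under the show command below) confirms the settings that were applied. Keep a working local account available until the remote method has been verified from a separate session, so a mistyped filter or base DN cannot lock every administrator out of the appliance.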

running_config

Provides commands to update the running configuration settings and save changes made to the running configuration to disk. The update command prompts you in the CLI for the updated configuration text. For more information about modifying the running config, refer to Running Config.

Syntax

extrahop#configure

extrahop(config)#running_config edit

Enter configuration:

Parameters

The running_config command includes the following sub-commands and parameters:

  • edit. Provides an interface to make changes to sections of the running configuration.

  • update. Provides an interface to make changes to the entire running configuration. You are prompted to enter the running config text by the CLI.

  • save. Saves the changes made to the running configuration to disk.

  • revert. Reverts to the saved running configuration.

services

Provides commands to enable or disable the web service that supports the Admin UI, the SSH service that supports the command-line interface, and the SNMP service.

Syntax

extrahop#configure

extrahop(config)#services gui <enable/disable>

Parameters

The services command includes the following sub-commands and parameters:

  • gui. Enables or disables the web service that supports the Admin UI. This command supports the parameter values enable to turn on the service and disable to turn off the service.

  • snmp. Enables or disables the SNMP service that supports SNMP monitoring. This command supports the parameter values enable to turn on the service and disable to turn off the service.

  • ssh. Enables or disables the SSH service that supports the command-line interface. This command supports the parameter values enable to turn on the service and disable to turn off the service.

systemsettings

Provides commands to work with ExtraHop system core files.

Syntax

extrahop#configure

extrahop(config)#systemsettings corefiles lifetime <value>

Parameters

The systemsettings command includes the following sub-commands and parameters:

  • corefiles enable. Enables the ExtraHop system core files.

  • corefiles disable. Disables the ExtraHop system core files.

  • corefiles lifetime. Sets the lifetime for core files. This sub-command requires the following value:

      • value. Specifies the lifetime value.

time

Provides commands to set the ExtraHop system time, specified using the following date-time syntax: <MMM DD YYYY H:M:S>.

Syntax

extrahop#configure

extrahop(config-time)#time <time>

Parameters

  • time. Specifies the time in the following format: MMM DD YYYY H:M:S.

delete

Puts the ExtraHop system into Delete mode. After the delete command executes and the system is in delete mode, you can pass in any of the sub-commands listed below to remove files from the system.

Syntax

extrahop#delete

Example

The following command sequence opens delete mode and removes a specified firmware version from the system:

extrahop#delete firmware <version>

The delete command supports the following sub-commands:

core

Provides commands to delete core files from the system. This command requires that you specify at least one core file name.

Syntax

extrahop#delete core <file>

Parameters

  • file. Specifies the name of the core file to delete.

firmware

Provides commands to delete firmware versions from the system. This command requires that you specify at least one firmware version name.

Syntax

extrahop#delete firmware <version>

Parameters

  • version. Specifies the firmware version that you want to delete from the ExtraHop system.

disable

Removes the ExtraHop system from Enable mode. After the disable command executes and the system is disabled, you will need to execute the enable command to perform any operations that modify settings using the command-line interface.

Syntax

extrahop#disable

Example

The following command returns the command-line interface to non-privileged mode:

extrahop#disable

enable

Puts the ExtraHop system in Privileged mode. After the enable command executes and the system is fully enabled, you can enter and execute other commands to perform operations using the command-line interface. At the start of a session, this command is usually the first command issued. If you are prompted to enter a username and password, use the following credentials:

  • Type shell as the logon user name.

  • Type the number displayed on the service tag as the password.

    The service tag is on a pull-out tab located on the front of the appliance, below the video connector on the 610 and below the power button on the 710.

Syntax

extrahop>enable

Example

The following command sequence enters privileged mode and prompts for the appliance password:

extrahop>enable

password:

ping

Executes a command to ping a selected target to verify the ability to contact the specified host. Ping results specify the response packets received and the round-trip time.

Syntax

extrahop#ping <addr>

Parameters

  • addr. Specifies the IP address of the device to ping.

Example

The following command sequence pings a device at the specified IP address:

extrahop#ping 192.164.111.10

reload

Executes a reload operation for the specified ExtraHop system component. After the reload command is invoked, you can reload any of the supported components identified by their sub-commands.

Syntax

extrahop#reload

Example

The following command sequence activates Reload mode and reloads the ExtraHop bridge service:

extrahop#reload exbridge

The reload command supports the following sub-commands:

exbridge

Specifies the ExtraHop bridge as the component service to reload.

Syntax

extrahop#reload exbridge

excap

Specifies the ExtraHop capture as the component service to reload.

Syntax

extrahop#reload excap

reset

Executes a reset operation for the specified ExtraHop system component. After the reset command is invoked, you can reset the ExtraHop Datastore, which clears all current data from the Datastore.

Syntax

extrahop#reset

Example

The following command sequence activates Reset mode and clears data from the ExtraHop datastore:

extrahop#reset datastore

The reset command supports the following sub-commands:

datastore

Clears the saved data from the ExtraHop Datastore.

Syntax

extrahop#reset datastore

restart

Executes a restart operation for the specified ExtraHop system component. After the restart command is invoked, you can restart the ExtraHop component services identified by the following sub-commands.

Syntax

extrahop#restart

Example

The following command sequence activates Restart mode and restarts the ExtraHop bridge service:

extrahop#restart exbridge

The restart command supports the following sub-commands:

exbridge

Specifies the ExtraHop bridge as the component service to restart.

Syntax

extrahop#restart exbridge

excap

Specifies the ExtraHop capture as the component service to restart.

Syntax

extrahop#restart excap

exportal

Specifies the ExtraHop web portal as the component service to restart.

Syntax

extrahop#restart exportal

webserver

Specifies the ExtraHop web server as the component service to restart.

Syntax

extrahop#restart webserver

system

Specifies the ExtraHop system as the component to restart. This operation reboots the entire ExtraHop system.

Syntax

extrahop#restart system

show

Puts the CLI in View mode so that you can see the settings and parameter values associated with the ExtraHop system components. After the show command executes and the system is in View mode, you can look at the settings associated with every aspect of the ExtraHop system.

Syntax

extrahop#show

Example

The following command sequence puts the interface in View mode and shows the ExtraHop system time:

extrahop#show clock

The show command supports the following sub-commands:

clock

Shows the current clock time of the ExtraHop system.

Syntax

extrahop#show clock

controllers

Shows the settings for all the ExtraHop system active interfaces.

Syntax

extrahop#show controllers

cores

Shows the settings for the ExtraHop system core files.

Syntax

extrahop#show cores

dhcp

Shows whether DHCP is enabled or disabled on the ExtraHop system.

Syntax

extrahop#show dhcp

diskmon

Shows the hard disk monitor statistics for the hard drive on the ExtraHop system appliance.

Syntax

extrahop#show diskmon

dnsservers

Shows the DNS server configuration settings for the ExtraHop system.

Syntax

extrahop#show dnsservers

eula_accepted

Shows whether the EUSL/TOS and POC agreements have been accepted for the ExtraHop system.

Syntax

extrahop#show eula_accepted

firmware

Shows the current firmware version running on the ExtraHop system.

Syntax

extrahop#show firmware

flash

Shows the content of the flash key for the ExtraHop system.

Syntax

extrahop#show flash

gateway

Shows the gateway configuration settings for the ExtraHop system.

Syntax

extrahop#show gateway

history

Shows the session command history for the current CLI session.

Syntax

extrahop#show history

hostname

Shows the system hostname for the ExtraHop system.

Syntax

extrahop#show hostname

inventory

Shows the firmware version, service tag, dossier ID, and hostname for the ExtraHop system.

Syntax

extrahop#show inventory

ip

Provides sub-commands to show IP address configuration settings for the ExtraHop system.

Syntax

extrahop#show ip arp

Parameters

The ip command includes the following parameters:

  • arp. Shows ARP resolution for the device and any computers connected to the device.

  • interface. Shows information for every IP interface on the connected computer.

  • sockets. Shows all active Internet connections for the device.

  • traffic. Shows the IP, ICMP, ICMP msg, TCP, UDP, UDP lite, TCP Ext, and IP Ext traffic for the device.

ipaddr

Shows the IP address and netmask for the ExtraHop system management port.

Syntax

extrahop#show ipaddr

ldap

Shows the LDAP configuration settings for the ExtraHop system.

Syntax

extrahop#show ldap

license

Shows the licensed modules for the ExtraHop system and which ones are enabled or disabled.

Syntax

extrahop#show license

log

Provides sub-commands to show the logs for the ExtraHop system.

Syntax

extrahop#show log

Parameters

The log command includes the following parameters:

  • exbridge. Shows the ExtraHop system bridge component logs.

  • excap. Shows the ExtraHop system capture logs.

  • exportal. Shows the ExtraHop system web portal logs.

macaddr

Shows the MAC address for the ExtraHop appliance.

Syntax

extrahop#show macaddr

memory

Shows the total, used, free, shared, buffers, and cached memory, as well as swap information, for the ExtraHop appliance.

Syntax

extrahop#show memory

nics

Shows all NICs (network interface controllers) as well as their link status and link speed for the ExtraHop system.

Syntax

extrahop#show nics

processes

Shows the status of all ExtraHop system processes.

Syntax

extrahop#show processes

radius

Shows the RADIUS configuration settings for the ExtraHop system.

Syntax

extrahop#show radius

remote_auth

Shows the remote authentication configuration settings for the ExtraHop system.

Syntax

extrahop#show remote_auth

running_config

Shows the running configuration settings for the ExtraHop system.

Syntax

extrahop#show running_config

systemsettings

Shows whether the core files are enabled and if the offline capture setting is enabled for the ExtraHop system.

Syntax

extrahop#show systemsettings

tacacs

Shows the TACACS configuration settings for the ExtraHop system.

Syntax

extrahop#show tacacs

users

Shows the defined user accounts for the ExtraHop system.

Syntax

extrahop#show users

version

Shows the base firmware version and the currently running firmware version on the ExtraHop system.

Syntax

extrahop#show version

shutdown

Initiates the system shutdown operation for the ExtraHop system.

Syntax

extrahop#shutdown

Example

The following command initiates the ExtraHop system shutdown:

extrahop#shutdown

stop

Stops the specified ExtraHop system components. After the stop command is invoked, you can halt the operation of specific system component services without shutting down the entire ExtraHop system.

Syntax

extrahop#stop

Example

The following command sequence puts the interface in Stop mode and halts the operation of the ExtraHop bridge component service:

extrahop#stop exbridge

The stop command supports the following sub-commands:

exbridge

Specifies the ExtraHop bridge as the system component service to stop.

Syntax

extrahop#stop exbridge

excap

Specifies the ExtraHop capture as the system component service to stop.

Syntax

extrahop#stop excap

exportal

Specifies the ExtraHop web portal as the system component service to stop.

Syntax

extrahop#stop exportal

webserver

Specifies the ExtraHop web server as the system component service to stop.

Syntax

extrahop#stop webserver

support

Provides commands to enable or disable the ExtraHop system support account. After the support command is invoked, you can enable or disable the support account.

Syntax

extrahop#support

Example

The following command sequence puts the interface in Support mode and activates the support account:

extrahop#support enable

The support command includes the following sub-commands:

enable

Turns on the ExtraHop system support account.

Syntax

extrahop#support enable

disable

Turns off the ExtraHop system support account.

Syntax

extrahop#support disable

traceroute

Executes the traceroute command on the ExtraHop system to measure packet delays across the network.

Syntax

extrahop#traceroute <addr>

Parameters

  • addr. Specifies the IP address of a network device.

Example

The following command executes the traceroute command to measure network packet loss for the route to and from the specified IP address:

extrahop#traceroute <addr>

Published 2017-07-18 20:31