Admin UI Guide
Introduction to the ExtraHop Admin UI
The Admin UI Guide provides detailed information about the administrator features and functionality of the ExtraHop Discover and Command appliances. This guide provides an overview of the global navigation and information about the controls, fields, and options available throughout the UI.
After you have deployed your Discover or Command appliance, see the Discover and Command Post-deployment Checklist.
We value your feedback. Please let us know how we can improve this document. Send your comments or suggestions to documentation@extrahop.com.
Supported Browsers
The following browsers are compatible with all ExtraHop appliances. We recommend that you install the latest version of the browser.
- Firefox
- Google Chrome
- Internet Explorer 11
- Safari
You must allow cookies and ensure that Adobe Flash Player is installed and enabled. Visit the Adobe website to confirm that Flash Player is installed and up-to-date.
Global navigation
This section describes the general layout of the ExtraHop Admin UI on the Discover and Command appliances.
The top toolbar includes the following controls.
- Change default password
- Opens the Change Password page where you can set a new Admin UI password. For more information about changing the default password, see the Change the default password for the setup user section.
- Launch Shell
- Opens the ExtraHop web shell, which enables users with administrative privileges to configure the ExtraHop appliance. For more information about the ExtraHop web shell, see the ExtraHop Command-line Reference.
- Log out
- Ends the ExtraHop Admin UI session. For more information about logging in and out, see the Log in and log out of the Admin UI section.
- Help
- Opens the ExtraHop Admin UI Guide.
The main administration page has the following sections.
- Search
- Navigate to sections in the Admin UI quickly by typing a search term and clicking the search result link.
- Status and Diagnostics
- Verify how the ExtraHop appliance is functioning on the network.
- Network Settings
- Configure the network settings for the ExtraHop appliance.
- Access Settings
- Configure user access settings to the ExtraHop appliance.
- ExtraHop Discover Settings
- Manage connected Discover appliances from a Command appliance.
- ExtraHop Command Settings
- Connect to a Command appliance from a Discover appliance or manage connected appliances from a Command appliance.
- ExtraHop Explore Settings
- Connect an ExtraHop Discover or Command appliance to an ExtraHop Explore appliance.
- ExtraHop Trace Settings
- Connect an ExtraHop Discover or Command appliance to an ExtraHop Trace appliance.
- System Configuration
- Change the configuration settings of the ExtraHop appliance.
- System Settings
- Configure the system-level settings for the ExtraHop appliance.
- Packet Captures
- View and download packet captures.
Status and Diagnostics
The Status and Diagnostics section provides metrics about the overall health of the ExtraHop Discover appliance and diagnostic tools that enable ExtraHop Support to troubleshoot system errors.
- Health
- Provides metrics to view the operating efficiency of the Discover appliance.
- Audit Log
- Enables you to view event logging data and to change syslog settings.
- Exception Files
- Enable or disable the creation of Discover appliance exception files.
- Support Scripts
- Run Discover appliance support scripts.
Health
The Health page provides a collection of metrics about the operation of the ExtraHop appliance.
If issues occur with the ExtraHop appliance, the metrics on the Health page can help you to troubleshoot the problem and determine why the ExtraHop appliance is not performing as expected.
The ExtraHop appliance system collects and reports metrics on the following operational activities that are performed by the ExtraHop appliance.
- System
- Reports the following information about the system CPU usage and hard disk.
- CPU User
- The percentage of CPU usage associated with the ExtraHop appliance user.
- CPU System
- The percentage of CPU usage associated with the ExtraHop appliance.
- CPU Idle
- The CPU Idle percentage associated with the ExtraHop appliance.
- CPU IO
- The percentage of CPU usage associated with the ExtraHop appliance IO functions.
- Bridge Status
- Reports the following information about the ExtraHop appliance bridge component.
- VM RSS
- The bridge process physical memory in use.
- VM Data
- The bridge process heap virtual memory in use.
- VM Size
- The bridge process total virtual memory in use.
- Start Time
- Specifies the start time for the ExtraHop appliance bridge component.
- Capture Status
- Reports the following information about the ExtraHop appliance network capture status.
- VM RSS
- The network capture process physical memory in use.
- VM Data
- The network capture process heap virtual memory in use.
- VM Size
- The network capture process total virtual memory in use.
- Start Time
- The start time for the ExtraHop network capture.
- Service Status
- Reports the status of ExtraHop appliance services.
- exalerts
- The amount of time the ExtraHop appliance alert service has been running.
- extrend
- The amount of time the ExtraHop appliance trend service has been running.
- exconfig
- The amount of time the ExtraHop appliance config service has been running.
- exportal
- The amount of time the ExtraHop appliance web portal service has been running.
- exshell
- The amount of time the ExtraHop appliance shell service has been running.
- Interfaces
- Reports the status of ExtraHop appliance system interfaces.
- RX packets
- The number of packets received by the ExtraHop appliance on the specified interface.
- RX Errors
- The number of received packet errors on the specified interface.
- RX Drops
- The number of received packets dropped on the specified interface.
- TX Packets
- The number of packets transmitted by the ExtraHop appliance on the specified interface.
- TX Errors
- The number of transmitted packet errors on the specified interface.
- TX Drops
- The number of transmitted packets dropped on the specified interface.
- RX Bytes
- The number of bytes received by the ExtraHop appliance on the specified interface.
- TX Bytes
- The number of bytes transmitted by the ExtraHop appliance on the specified interface.
- Partitions
- Reports the non-volatile random-access memory (NVRAM) status and usage of ExtraHop appliance components. It identifies and provides status for specified components that have configuration settings that remain in memory when the power to the appliance is turned off.
- Name
- The ExtraHop settings that are held in NVRAM.
- Options
- The read-write options for the settings held in NVRAM.
- Size
- The size in gigabytes for the identified component.
- Utilization
- The amount of memory utilization for each of the identified components as a quantity and as percentage of total available NVRAM.
Audit log
The ExtraHop appliance audit log provides data about the operations of the system, broken down by component. The log lists all known events by timestamp, in reverse chronological order. In addition, you can configure where to send these logs in the Syslog Settings.
The ExtraHop appliance collects the following log data and reports the results on the audit log Activity page.
- Time
- The time at which the event occurred.
- User
- The ExtraHop appliance user who initiated the logged event.
- Operation
- The ExtraHop appliance operation that generated the logged event.
- Details
- The outcome of the event. Common results are Success, Modified, Execute, or Failure. Each log entry also identifies the originating IP address, if that address is known.
- Component
- The ExtraHop appliance component that is associated with the logged event.
Configure syslog settings
You can send audit logs to a remote syslog server for long-term storage, monitoring, and advanced analysis.
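The audit log fields listed above (Time, User, Operation, Details, Component) are what a remote syslog server receives once forwarding is configured. The following is an added example, not ExtraHop code: it parses constructed audit entries and runs two defender-side checks over them, counting failed logins per originating IP and listing configuration changes by user. The key=value layout after the syslog header is an assumption made for the example; the appliance's actual forwarding format is not described on this page, so adapt the regular expression to what your collector sees.

```python
"""Parse audit log entries forwarded over syslog and flag suspicious activity.

Added example (not ExtraHop code). The key=value field layout after the syslog
header is an assumption; the field names (time, user, operation, details,
component) are those listed on the Audit Log page.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines: a syslog header followed by key=value audit fields.
# The operations mirror categories from the audit log events table.
SAMPLE_LOG = """\
<134>Mar 10 14:02:11 eda-01 exaudit: time="2024-03-10T14:02:11Z" user="setup" operation="Login from Web UI" details="Success from 10.0.8.15" component="Web UI"
<134>Mar 10 14:02:40 eda-01 exaudit: time="2024-03-10T14:02:40Z" user="jdoe" operation="Login from Web UI" details="Failure from 203.0.113.7" component="Web UI"
<134>Mar 10 14:02:43 eda-01 exaudit: time="2024-03-10T14:02:43Z" user="jdoe" operation="Login from Web UI" details="Failure from 203.0.113.7" component="Web UI"
<134>Mar 10 14:02:47 eda-01 exaudit: time="2024-03-10T14:02:47Z" user="admin" operation="Login from SSH" details="Failure from 203.0.113.7" component="Shell"
<134>Mar 10 14:05:02 eda-01 exaudit: time="2024-03-10T14:05:02Z" user="setup" operation="Running configuration file changed" details="Modified from 10.0.8.15" component="Running Config"
<134>Mar 10 14:06:30 eda-01 exaudit: time="2024-03-10T14:06:30Z" user="setup" operation="Support script run" details="Execute" component="Support Script"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# The Details field carries the originating IP "if that address is known".
IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")
REQUIRED = {"time", "user", "operation", "details"}


def parse_entry(line):
    """Return a dict of audit fields from one forwarded line, or None."""
    fields = dict(FIELD_RE.findall(line))
    if not REQUIRED.issubset(fields):
        return None
    m = IP_RE.search(fields["details"])
    fields["source_ip"] = m.group(1) if m else None  # None when unknown
    fields["result"] = fields["details"].split()[0]  # Success/Modified/Execute/Failure
    return fields


def parse_log(text):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def failed_logins_by_source(entries):
    """Count failed login attempts per originating IP ('unknown' if absent)."""
    counts = Counter()
    for e in entries:
        if e["operation"].startswith("Login") and e["result"] == "Failure":
            counts[e["source_ip"] or "unknown"] += 1
    return counts


def sources_over_threshold(entries, threshold=3):
    """Originating IPs whose failed-login count reaches the threshold."""
    return sorted(ip for ip, n in failed_logins_by_source(entries).items() if n >= threshold)


def config_changes(entries):
    """Operations that modified the appliance, grouped by the user who made them."""
    by_user = defaultdict(list)
    for e in entries:
        if e["result"] == "Modified":
            by_user[e["user"]].append(e["operation"])
    return dict(by_user)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("failed logins:", dict(failed_logins_by_source(entries)))
    print("sources over threshold:", sources_over_threshold(entries))
    print("config changes:", config_changes(entries))
```

Both checks key on the Details outcome values the page names (Failure, Modified), so the same logic works whether the entry came from the Web UI, the Admin UI, SSH or the REST API; only the Operation text differs.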
Audit log events
The following events on an ExtraHop appliance generate an entry in the audit log.
Category | Event |
---|---|
Login from Web UI or Admin UI | |
Login from SSH or REST API | |
Running Config | The running configuration file changes |
Support Script | |
System and service status | |
System backups | |
Network | |
Browser sessions | |
Support account | |
System time | |
Firmware | |
License | |
Command appliance | |
Analysis Priorities | |
Agreements | A EULA or POC agreement is agreed to |
SSL decryption | An SSL decryption key is saved |
Appliance user | |
API | |
Triggers | |
Dashboards | |
Activity Maps | |
Reports | |
Trends | A trend is reset |
PCAP | |
RPCAP | |
Syslog | Remote syslog settings are updated |
Support account | |
Atlas | |
Datastore | |
Offline capture | An offline capture is loaded |
Exception files | An exception file is deleted |
Explore cluster | |
Explore appliance records | All Explore appliance records are deleted |
Trace appliance | |
Trace appliance packetstore | A Trace appliance packetstore is reset |
Enable writing to exception files
When you enable the Exception File setting, a core file of the data stored in memory is written to the disk if the system unexpectedly stops or restarts. This file can help ExtraHop Support diagnose the issue.
- In the Status and Diagnostics section, click Exception Files.
- Click Enable Exception Files.
Disable writing to exception files
- In the Status and Diagnostics section, click Exception Files.
- Click Disable Exception Files.
Run a support script
Support scripts are a way of collecting information about your ExtraHop system, and also a way to let ExtraHop support make adjustments to your system as part of a troubleshooting procedure.
Network Settings
The Network Settings section has the following configurable settings:
- Atlas Services
- Connect the Discover appliance to the ExtraHop Atlas service. See the Atlas Remote Analysis page on the ExtraHop website for more information about the Atlas service.
- Connectivity
- Configure the host name, DNS, proxy, and interface settings.
- Flow Networks
- Configure settings for flow network traffic sent to your Discover appliance.
- Notifications
- Configure email, SNMP, and syslog settings to receive notifications about your ExtraHop appliance.
- SSL Certificate
- View and manage SSL certificates.
For specifications, installation guides, and more information about your ExtraHop appliance, visit docs.extrahop.com.
ExtraHop Cloud Services
ExtraHop Cloud Services provides access to ExtraHop cloud-based services through an encrypted connection.
Addy is a cloud-based service from ExtraHop that detects anomalies by applying machine-learning techniques to wire data metrics.
To learn more, see the ExtraHop Addy User Guide.
Atlas Services
Atlas Services provide ExtraHop customers with a remote analysis report that is delivered monthly. The report contains specific recommendations for critical components across the application delivery chain.
Connectivity
The Connectivity page provides options that enable you to view and modify your network settings.
Interface Status
In physical ExtraHop appliances, an Interface Status section appears on the Connectivity page. This section displays a diagram of the following interface connections on the back of the appliance:
- Blue Ethernet Port:
- Identifies the management port.
- Black Ethernet Port:
- Indicates that the port is licensed and enabled but down.
- Green Ethernet Port:
- Indicates that the licensed port has an active Ethernet cable connected.
- Gray Ethernet Port:
- Identifies a disabled or unlicensed port.
Network Settings
- Hostname:
- The name of the appliance on the network.
- Primary DNS:
- The IP address of the primary domain name server for the specified domain.
- Secondary DNS:
- (Optional) The IP address of the secondary domain name server for the specified domain.
Proxy Settings
- Enable Global Proxy:
- Provides the ability to enable proxy support for connection to the Command appliance.
- Enable ExtraHop Cloud Proxy:
- Provides the ability to enable proxy support for connection to ExtraHop Cloud services and the Atlas Remote UI.
Bond Interface Settings
- Create Bond Interface:
- Provides the ability to bond multiple interfaces together into a single logical interface that will use a single IP address for the combined bandwidth of the bond members. Only 1GbE ports are supported for bond interfaces. This is also known as link aggregation, port trunking, link bundling, Ethernet/network/NIC bonding, or NIC teaming.
Note: | Creating bond interfaces will cause you to lose connectivity to your ExtraHop appliance. You must make changes to your network switch configuration to restore that connectivity. The changes required depend on which switch you are using. Contact ExtraHop Support for assistance before you create a bond interface. |
Interfaces
- Interface
- Displays the interface number.
- Mode
- Displays whether the port is enabled or disabled and if enabled, the port assignment.
- Link Speed
- Displays the link speed for the interface.
- DHCP
- Displays whether DHCP is enabled or disabled.
- IP address
- Displays the static IP address of the ExtraHop appliance on the network.
- Netmask
- Displays the netmask configured to divide the IP address into subnets.
- Gateway
- Displays the IP address for the gateway node on the network.
- Routes
- Displays configured static route information.
- MAC Address
- Displays the MAC address of the ExtraHop appliance.
- IPv6
- Displays whether IPv6 is enabled or disabled.
Interface throughput
ExtraHop appliance models EH5000, EH6000, EDA 6100, EH8000, EDA 8100 and EDA 9100 are optimized to capture traffic exclusively on 10 GbE ports.
Enabling the 1 GbE interfaces for monitoring traffic can impact performance, depending on the ExtraHop appliance. While you can optimize these appliances to capture traffic simultaneously on both the 10 GbE ports and the three non-management 1 GbE ports, we recommend that you contact ExtraHop Support for assistance to avoid reduced throughput.
ExtraHop Appliance | Throughput | Details |
---|---|---|
EDA 9100 | Standard 40Gbps throughput | If the non-management 1GbE interfaces are disabled, you can use up to four of the 10GbE interfaces for a combined throughput of up to 40Gbps. |
EDA 8000/8100 | Standard 20Gbps throughput | If the non-management 1GbE interfaces are disabled, you can use either one or both of the 10GbE interfaces for a combined throughput of up to 20Gbps. |
EDA 5000/6000/6100 | Standard 10Gbps throughput | If the non-management 1GbE interfaces are disabled, the maximum total combined throughput is 10Gbps. |
EDA 3100 | Standard 3Gbps throughput | No 10GbE interface |
EDA 1100 | Standard 1Gbps throughput | No 10GbE interface |
Configure the RPCAP settings
After you configure an interface as an RPCAP target, configure the RPCAP settings.
Note: | You must specify an interface address or an interface name. If you specify both, then both settings will apply. |
Configure an interface
Set a static route
Before you begin
You must disable DHCPv4 before you can add a static route.
- On the Edit Interface page, ensure that the IPv4 Address and Netmask fields are complete and saved, and click Edit Routes.
- In the Add Route section, type a network address range in CIDR notation in the Network field and IPv4 address in the Via IP field and then click Add.
- Repeat the previous step for each route you want to add.
- Click Save.
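The Add Route step takes a network range in CIDR notation and a gateway in the Via IP field, and the page requires the interface's IPv4 address and netmask to be saved first. The following is an added example, not ExtraHop code, that checks a route's inputs before you type them into the Admin UI: the Network value must be a true network address (no host bits set), and the Via IP must be a host on the interface's own subnet rather than the appliance's address or the subnet's network or broadcast address. That the gateway must sit on the directly connected subnet is the ordinary static-routing rule and an assumption about the appliance, not something the page states.

```python
"""Pre-check static route inputs for the Edit Routes page.

Added example (not ExtraHop code). The rule that the Via IP must lie on the
interface's own IPv4 subnet is standard static-routing practice and an
assumption about the appliance.
"""
import ipaddress


def check_static_route(interface_ip, netmask, network, via_ip):
    """Return a list of problems; an empty list means the route looks valid."""
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{interface_ip}/{netmask}")
    except ValueError as exc:
        return [f"interface address/netmask invalid: {exc}"]

    dest = None
    try:
        # strict=True rejects host addresses such as 192.168.50.1/24: the
        # Network field expects a network address range, not a host.
        dest = ipaddress.IPv4Network(network, strict=True)
    except ValueError as exc:
        problems.append(f"Network is not a valid CIDR range: {exc}")

    try:
        gw = ipaddress.IPv4Address(via_ip)
    except ValueError as exc:
        return problems + [f"Via IP is not a valid IPv4 address: {exc}"]

    if gw not in iface.network:
        problems.append(f"Via IP {gw} is not on the interface subnet {iface.network}")
    elif gw in (iface.network.network_address, iface.network.broadcast_address):
        problems.append(f"Via IP {gw} is the network or broadcast address, not a host")
    elif gw == iface.ip:
        problems.append("Via IP is the appliance's own address")

    if dest is not None and dest.prefixlen == 0:
        problems.append("0.0.0.0/0 is a default route; check the interface Gateway field instead")
    return problems


if __name__ == "__main__":
    # Constructed sample values.
    print(check_static_route("10.0.8.15", "255.255.255.0", "192.168.50.0/24", "10.0.8.1"))
    print(check_static_route("10.0.8.15", "255.255.255.0", "192.168.50.1/24", "172.16.0.1"))
```

The default-route check is advisory only: the Interfaces section lists a separate Gateway field, and the comparison with the interface subnet is the one that catches the common mistake of pointing a route at a gateway the appliance cannot reach directly.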
Global proxy server
If your network topology requires a proxy server to enable your ExtraHop appliance to communicate either with a Command appliance or with other devices outside of the local network, you can enable your ExtraHop appliance to connect to a proxy server you already have on your network. Internet connectivity is not required for the global proxy server.
Note: | Only one global proxy server can be configured per ExtraHop appliance. |
ExtraHop Cloud proxy
If your ExtraHop appliance does not have a direct internet connection, you can connect to the internet through a proxy server specifically designated for ExtraHop Cloud services and Atlas connectivity. Only one proxy can be configured per ExtraHop appliance.
Note: | If no cloud proxy server is enabled, the ExtraHop appliance will attempt to connect through the global proxy. If no global proxy is enabled, the ExtraHop appliance will connect through an HTTP proxy to enable the services. |
Configure an ExtraHop Cloud proxy server
- In the Network Settings section, click Connectivity.
- Click Enable ExtraHop Cloud Proxy. Click Change ExtraHop Cloud Proxy to modify an existing configuration.
- Click Enable ExtraHop Cloud Proxy.
- Type the hostname or IP address for your proxy server.
- Type the port number for your proxy server, such as 8080.
- (Optional): If required, type a username and password for your proxy server.
- Click Save.
Bond interfaces
You can bond multiple 1GbE interfaces on your ExtraHop appliance together into a single logical interface that has one IP address for the combined bandwidth of the member interfaces. Bonding interfaces enable a larger throughput with a single IP address. This configuration is also known as link aggregation, port channeling, link bundling, Ethernet/network/NIC bonding, or NIC teaming. Only 1GbE interfaces are supported for bond interfaces. Bond interfaces cannot be set to monitoring mode.
Note: | When you modify bond interface settings, you lose connectivity to your ExtraHop appliance. You must make changes to your network switch configuration to restore connectivity. The changes required are dependent on your switch. Contact ExtraHop Support for assistance before you create a bond interface. |
Interfaces chosen as members of a bond interface are no longer independently configurable and are shown as Disabled (bond member) in the Interfaces section of the Connectivity page. After a bond interface is created, you cannot add more members or delete existing members. The bond interface must be destroyed and recreated.
Create a bond interface
You can create a bond interface with at least one interface member and up to the number of members that are equivalent to the number of 1GbE interfaces on your ExtraHop appliance.
Modify bond interface settings
After a bond interface is created, you can modify most settings as if the bond interface is a single interface.
Destroy a bond interface
When a bond interface is destroyed, the separate interface members of the bond interface return to independent interface functionality. One member interface is selected to retain the interface settings for the bond interface and all other member interfaces are disabled. If no member interface is selected to retain the settings, the settings are lost and all member interfaces are disabled.
- In the Network Settings section, click Connectivity.
- In the Bond Interfaces section, click the red X next to the interface you want to destroy.
- On the Destroy Bond Interface <interface number> page, select the member interface to move the bond interface settings to. Only the member interface selected to retain the bond interface settings remains active, and all other member interfaces are disabled.
- Click Destroy.
Flow networks
You must configure network interface and port settings on the ExtraHop Discover appliance before you can collect NetFlow or sFlow data from remote flow networks (flow exporters). The ExtraHop system supports the following flow technologies: Cisco NetFlow Version 5 (v5) and Version 9 (v9), AppFlow, IPFIX, and sFlow.
In addition to configuring your Discover appliance, you must configure your network devices to send sFlow or NetFlow traffic. Refer to your vendor documentation or see sample Cisco configurations in the appendix.
Configure the Discover appliance to collect traffic from NetFlow and sFlow devices
Before you begin
You must have full system privileges to configure flow networks in the Admin UI.
Next, configure the flow type and the UDP port over which the flow data is collected.
- In the Network Settings section, click Flow Networks.
- In the Ports section, type the UDP port number in the Port field. The default port for NetFlow is 2055 and the default port for sFlow is 6343. You can add additional ports as needed for your environment.
- From the Flow Type drop-down menu, select NetFlow or sFlow. For AppFlow traffic, select NetFlow.
- Click the plus (+) icon to add the port.
- Save the running configuration file to preserve your changes by clicking View and Save Changes at the top of the Flow Networks page, and then click Save.
Finally, add the pending flow networks on the Discover appliance so the flow data can be seen in the ExtraHop Web UI.
- In the Network Settings section, click Flow Networks.
- In the Pending Flow Networks section click Add Flow Network.
- Type a name to identify this flow network in the Flow Network ID field.
- Select the Automatic records checkbox to send records from this flow network to a connected Explore appliance.
- Select the Enable SNMP polling checkbox to enable SNMP polling.
- If you enable SNMP polling, select one of the following options from the SNMP credentials drop-down menu:
- Inherit from CIDR. If you select this option, the SNMP credentials are applied based on the Shared SNMP Credentials settings.
- Custom credentials. Select v1, v2, or v3 from the SNMP version drop-down list and then configure the remaining settings for the specific polling type.
- Click Save.
- The flow network appears in the Approved Flow Networks table. If you do not see the flow network, you might have to manually add it by clicking Add Flow Network in the Approved Flow Networks section.
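The procedure above binds a Flow Type to each UDP port (2055 for NetFlow and 6343 for sFlow by default) rather than letting the collector guess from the payload. The following added example, not ExtraHop code, shows why: it reads the version word at the front of a flow datagram, which separates NetFlow v5, NetFlow v9, IPFIX and sFlow v5 in the common cases, and then decodes the fixed 24-byte header and 48-byte records of NetFlow v5 from a constructed datagram. The wire layouts are the published NetFlow v5 and sFlow v5 formats; the sample addresses, counters and timestamps are constructed.

```python
"""Identify the flow protocol in a UDP datagram and decode NetFlow v5 records.

Added example (not ExtraHop code). Layouts follow the published NetFlow v5
and sFlow v5 formats; the sample datagram is constructed.
"""
import ipaddress
import struct

# NetFlow v5: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval (24 bytes).
NETFLOW_V5_HEADER = struct.Struct("!HHIIIIBBH")
# NetFlow v5 record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
# first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2 (48 bytes).
NETFLOW_V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def identify_flow_datagram(payload):
    """Return 'netflow-v5', 'netflow-v9', 'ipfix', 'sflow-v5' or 'unknown'.

    NetFlow and IPFIX begin with a 16-bit version. sFlow v5 begins with a
    32-bit version (5), so its first two bytes are zero.
    """
    if len(payload) < 4:
        return "unknown"
    v16 = struct.unpack("!H", payload[:2])[0]
    if v16 == 0:
        v32 = struct.unpack("!I", payload[:4])[0]
        return "sflow-v5" if v32 == 5 else "unknown"
    return {5: "netflow-v5", 9: "netflow-v9", 10: "ipfix"}.get(v16, "unknown")


def parse_netflow_v5(payload):
    """Decode a NetFlow v5 export packet into a list of flow dicts."""
    if len(payload) < NETFLOW_V5_HEADER.size:
        raise ValueError("short NetFlow v5 header")
    (version, count, _uptime, _secs, _nsecs, _seq,
     _engine_type, _engine_id, sampling) = NETFLOW_V5_HEADER.unpack_from(payload, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    expected = NETFLOW_V5_HEADER.size + count * NETFLOW_V5_RECORD.size
    if len(payload) < expected:
        raise ValueError(f"header claims {count} records but payload is too short")
    flows = []
    for i in range(count):
        off = NETFLOW_V5_HEADER.size + i * NETFLOW_V5_RECORD.size
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = NETFLOW_V5_RECORD.unpack_from(payload, off)
        flows.append({
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto,
            "packets": pkts, "bytes": octets, "tcp_flags": tcp_flags,
            # Low 14 bits are the interval; the top 2 bits are the sampling mode.
            "sampling_interval": sampling & 0x3FFF,
        })
    return flows


def build_sample_netflow_v5():
    """Constructed NetFlow v5 datagram with two records (sample data only)."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    header = NETFLOW_V5_HEADER.pack(5, 2, 120000, 1710078131, 0, 42, 0, 0, 0)
    rec1 = NETFLOW_V5_RECORD.pack(ip("10.0.8.15"), ip("192.168.50.20"), ip("10.0.8.1"),
                                  1, 2, 12, 9600, 100000, 119000, 51234, 443,
                                  0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    rec2 = NETFLOW_V5_RECORD.pack(ip("192.168.50.20"), ip("10.0.8.15"), ip("10.0.8.1"),
                                  2, 1, 10, 48000, 100050, 119000, 443, 51234,
                                  0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + rec1 + rec2


# Constructed: only the sFlow v5 version word followed by padding.
SFLOW_SAMPLE = struct.pack("!I", 5) + b"\x00" * 8

if __name__ == "__main__":
    pkt = build_sample_netflow_v5()
    print(identify_flow_datagram(pkt), identify_flow_datagram(SFLOW_SAMPLE))
    for flow in parse_netflow_v5(pkt):
        print(flow)
```

The version heuristic is a convenience for triage, not a substitute for the per-port Flow Type setting: a v9 or IPFIX stream still needs its templates before any record can be decoded, and the page's instruction to configure AppFlow exporters as NetFlow is a decision the collector cannot make from a version word.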
Set up shared SNMP credentials for your NetFlow or sFlow networks
If you enable SNMP polling on your flow network configuration, you must specify the credentials that allow you to poll the network device. The SNMP authentication credentials apply to all flow networks in a CIDR block and are automatically applied to every discovered flow network unless custom credentials are configured.
- Log into the Admin UI on your Discover appliance.
- In the Network Settings section, click Flow Networks.
- In the Shared SNMP Credentials section, click Add SNMP Credentials.
- Type the IPv4 CIDR block in the CIDR field.
- Select v1, v2c, or v3 from the SNMP version drop-down list and then complete the remaining fields.
- Click Save.
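The Shared SNMP Credentials rule described above is a small resolution algorithm: credentials attached to a CIDR block apply to every flow network inside it unless that flow network has Custom credentials. The following added example, not ExtraHop code, implements that rule over constructed entries and adds a check a defender wants when reviewing the page: which shared entries still use v1 or v2c, whose community strings travel in the clear. The tie-break for nested CIDR blocks (the most specific prefix wins) is an assumption for the example, not something the page states, and every community string and user name below is a placeholder.

```python
"""Resolve the SNMP credentials that apply to a flow network exporter.

Added example (not ExtraHop code). Longest-prefix tie-break for nested CIDR
blocks is an assumption; credential values are constructed placeholders.
"""
import ipaddress

# Constructed shared credentials (placeholders only). v1/v2c carry a community
# string; v3 carries a user and authentication/privacy settings.
SHARED_CREDENTIALS = [
    {"cidr": "10.0.0.0/8", "version": "v2c", "community": "EXAMPLE-RO"},
    {"cidr": "10.20.0.0/16", "version": "v3", "user": "example-poller",
     "auth": "SHA", "priv": "AES"},
]


def resolve_snmp_credentials(exporter_ip, shared, custom=None):
    """Pick the credentials used to poll exporter_ip.

    custom: credentials set on the flow network itself ("Custom credentials"),
    or None for "Inherit from CIDR".
    """
    if custom is not None:
        return {"source": "custom", **custom}
    ip = ipaddress.ip_address(exporter_ip)
    best, best_len = None, -1
    for entry in shared:
        net = ipaddress.ip_network(entry["cidr"], strict=False)
        if ip in net and net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    if best is None:
        return None  # no shared block covers this exporter; polling cannot proceed
    chosen = {k: v for k, v in best.items() if k != "cidr"}
    return {"source": f"shared {best['cidr']}", **chosen}


def weak_shared_credentials(shared):
    """CIDR blocks still polled with v1/v2c community strings.

    A community string is sent unencrypted and, on a broad block, one string
    is reused for every device in it; v3 with authentication and privacy is
    the alternative the page offers.
    """
    return [e["cidr"] for e in shared if e["version"] in ("v1", "v2c")]


if __name__ == "__main__":
    print(resolve_snmp_credentials("10.20.5.1", SHARED_CREDENTIALS))
    print(resolve_snmp_credentials("10.9.9.9", SHARED_CREDENTIALS))
    print(resolve_snmp_credentials("192.0.2.1", SHARED_CREDENTIALS))
    print(weak_shared_credentials(SHARED_CREDENTIALS))
```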
Manually refresh SNMP information
You can poll and retrieve data on demand from the SNMP agent on the flow network device. Instead of waiting for automatic polling to occur after each configuration change to confirm that the change is correct (automatic polling occurs every 24 hours), you can poll immediately.
The ExtraHop system polls for the following information:
- The system name of the SNMP agent. This identifier is assigned by SNMP to the flow network.
- The interface name of each interface on the SNMP agent. These identifiers are for each flow interface on the flow network.
- The interface speed of each interface on the SNMP agent.
- Log into the Admin UI on your Discover appliance.
- In the Actions column for the approved flow network, click Poll.
Notifications
The ExtraHop appliance can send alert notifications through email and SNMP traps. If SNMP is specified, then every alert is sent as an SNMP trap to the specified SNMP server. If an email notification group is specified, then emails are sent to the groups assigned to the alert.
In addition, you can send alerts to a remote server through a syslog export.
Configure email settings
You must configure an email server and sender before the ExtraHop appliance can send notifications about system alerts by email.
Configure an email notification group
Email notification groups are assigned to alerts to designate who should receive an email when that alert fires. Although you can specify individual email addresses to receive emails for alerts, email groups are the most effective way to manage your alert recipient list.
Delete an email notification group
If you want to delete an existing email notification group, it is a best practice to first unassign it from any alerts it is assigned to.
Note: | When you delete an email group, the group and all of its associated email addresses are deleted. |
- In the Network Settings section, click Notifications.
- Click Email Notification Groups.
- On the Email Groups page, click the red X to the left of the group name.
- Click OK.
Configure SNMP notifications
Simple Network Management Protocol (SNMP) is used to monitor the state of the network. SNMP collects information both by polling devices on the network and when SNMP-enabled devices send alerts to SNMP management stations. SNMP communities specify the group that devices and management stations running SNMP belong to, which specifies where information is sent. The community name identifies the group.
Note: | Most organizations have an established system for collecting and displaying SNMP traps in a central location that can be monitored by their operations teams. For example, SNMP traps are sent to an SNMP manager, and the SNMP management console displays them. |
Configure syslog notification settings
The syslog export enables you to send alerts from the ExtraHop appliance to any remote system that receives syslog input for long-term archiving and correlation with other sources.
Note: | To send syslog messages to your remote server, you must first configure the syslog notification settings. Only one remote syslog server can be configured for each ExtraHop appliance. |
SSL certificates
SSL provides secure authentication to the Web UI and Admin UI of the ExtraHop appliance. To enable SSL, an SSL certificate must be uploaded to the ExtraHop appliance.
A self-signed certificate can be used in place of a certificate signed by a certificate authority. However, be aware that a self-signed certificate generates an error in the client browser and the browser reports that the signing certificate authority is unknown. The browser provides a set of confirmation pages to allow the use of the certificate, even though the certificate is self-signed.
Important: | When replacing an SSL certificate, the webserver service is restarted. On a Command appliance, tunneled connections from Discover appliances are lost but are re-established automatically. |
Upload an SSL certificate
You must upload a .pem file that includes both a private key and either a self-signed certificate or a certificate-authority certificate.
Note: | The .pem file must not be password protected. |
- In the Network Settings section, click SSL Certificate.
- Click Manage certificates to expand the section.
- Click Choose File and navigate to the certificate that you want to upload.
- Click Open.
- Click Upload.
Add a trusted certificate to your ExtraHop appliance
Your ExtraHop appliance only trusts peers who present a TLS certificate that is signed by one of the built-in system certificates or any certificates that you upload. Only SMTP and LDAP connections are validated through these certificates.
Before you begin
You must be a user with full system privileges to add or remove trusted certificates.
Important: | To trust the built-in system certificates and any uploaded certificates, you must also enable SSL certificate validation on the LDAP Settings page or Email Settings page. |
- Log into the Admin UI.
- In the Network Settings section, click Trusted Certificates.
- The ExtraHop appliance ships with a set of built-in certificates. Select Trust System Certificates if you want to trust these certificates, and then click Save.
- To add your own certificate, click Add Certificate and then paste the contents of the PEM-encoded certificate chain into the Certificate field.
- Type a name into the Name field and click Add.
Important: | ExtraHop appliances only accept modern SSL configurations, which include TLS 1.2 and the cipher suites listed below. Note that the ExtraHop Web UI will not display in Internet Explorer 11 unless TLS 1.0, TLS 1.1, and TLS 1.2 are turned on in the advanced settings for Internet Explorer 11. |
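The two upload procedures above accept different PEM contents: the SSL Certificate page wants one .pem file containing a private key plus the certificate, with the key not password protected, while the Trusted Certificates page wants a PEM-encoded certificate chain and no key. The following added example, not ExtraHop code, checks a PEM file against those requirements before upload using only the standard library. It inspects structure (block labels, base64 validity, the markers of an encrypted key) and does not verify that the key matches the certificate or that the chain validates; the sample bodies are dummy base64, not real key or certificate material.

```python
"""Pre-flight checks for PEM files destined for the SSL Certificate and
Trusted Certificates pages.

Added example (not ExtraHop code). Structural checks only: labels, base64,
encryption markers. Sample bodies are dummy data, not real key material.
"""
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def parse_pem(text):
    """Return a list of (label, headers, body_is_valid_base64) per PEM block."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        lines = m.group("body").splitlines()
        # Legacy encrypted keys carry RFC 1421 headers ("Proc-Type: 4,ENCRYPTED",
        # "DEK-Info: ...") before the base64 body.
        headers = [l.strip() for l in lines if ":" in l]
        b64 = "".join(l.strip() for l in lines if ":" not in l and l.strip())
        try:
            base64.b64decode(b64, validate=True)
            ok = len(b64) > 0
        except binascii.Error:
            ok = False
        blocks.append((m.group("label"), headers, ok))
    return blocks


def _is_encrypted(label, headers):
    """PKCS#8 uses the ENCRYPTED PRIVATE KEY label; PKCS#1 uses Proc-Type headers."""
    return label == "ENCRYPTED PRIVATE KEY" or any(
        h.startswith("Proc-Type") and "ENCRYPTED" in h for h in headers)


def check_ssl_certificate_pem(text):
    """Problems with a bundle for Network Settings > SSL Certificate."""
    blocks = parse_pem(text)
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    problems = []
    if not keys:
        problems.append("no private key block")
    elif len(keys) > 1:
        problems.append("more than one private key block")
    if not certs:
        problems.append("no certificate block")
    if any(_is_encrypted(label, headers) for label, headers, _ in keys):
        problems.append("private key is password protected")
    problems += [f"block {label} is not valid base64" for label, _, ok in blocks if not ok]
    return problems


def check_trusted_chain_pem(text):
    """Problems with a chain for Network Settings > Trusted Certificates."""
    blocks = parse_pem(text)
    problems = []
    if not any(label == "CERTIFICATE" for label, _, _ in blocks):
        problems.append("no certificate block")
    if any(label in KEY_LABELS for label, _, _ in blocks):
        problems.append("chain contains a private key; upload certificates only")
    problems += [f"block {label} is not valid base64" for label, _, ok in blocks if not ok]
    return problems


# Constructed samples: dummy base64 bodies, not real keys or certificates.
DUMMY = base64.b64encode(b"constructed sample body, not a real DER object").decode()
GOOD_BUNDLE = (f"-----BEGIN PRIVATE KEY-----\n{DUMMY}\n-----END PRIVATE KEY-----\n"
               f"-----BEGIN CERTIFICATE-----\n{DUMMY}\n-----END CERTIFICATE-----\n")
ENCRYPTED_BUNDLE = (f"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    f"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n{DUMMY}\n"
                    f"-----END RSA PRIVATE KEY-----\n"
                    f"-----BEGIN CERTIFICATE-----\n{DUMMY}\n-----END CERTIFICATE-----\n")
CHAIN_ONLY = (f"-----BEGIN CERTIFICATE-----\n{DUMMY}\n-----END CERTIFICATE-----\n"
              f"-----BEGIN CERTIFICATE-----\n{DUMMY}\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(check_ssl_certificate_pem(GOOD_BUNDLE), check_ssl_certificate_pem(ENCRYPTED_BUNDLE))
    print(check_trusted_chain_pem(CHAIN_ONLY), check_trusted_chain_pem(GOOD_BUNDLE))
```

The key check matters because the Important note above says the webserver restarts when the certificate is replaced: an encrypted key that the appliance cannot read is discovered only after that restart.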
Next steps
Configure LDAP and SMTP settings to validate outbound connections with the trusted certificates.
Access Settings
In the Access Settings section, you can change passwords, enable the support account, and specify users in the ExtraHop appliances for remote authentication. The Access Settings section has the following configurable settings:
- Password
- Change the password for user accounts.
- Support Account
- Enable troubleshooting assistance from ExtraHop Support.
- Users
- Add and delete users, and modify user privileges.
- Sessions
- View and terminate user sessions on the Admin UI.
- Remote Authentication
- Enable users to log on to the Admin UI with their existing credentials.
- API Access
- Manage the settings that enable you to perform operations through the ExtraHop REST API.
- User Groups
- View and manage user groups imported from a configured LDAP server. The User Groups page appears only on ExtraHop Discover and Command appliances.
Change the default password for the setup user
It is recommended that you change the default password for the setup user on the ExtraHop appliance after you log in for the first time. To remind administrators to make this change, there is a blue Change Password button at the top of the page while the setup user is accessing the Admin UI. After the setup user password is changed, the button at the top of the page no longer appears.
Note: | The password must be a minimum of 5 characters. |
Change a user password
Admin UI users may change their own passwords. Admin UI administrators may change the password for any local user accounts.
- In the Access Settings section, click Change Password.
- In the User field, select a user from the drop-down.
- In the New password field, type the new password.
- In the Confirm password field, type the same password again.
- Click Save.
- Click OK.
Support account
Support accounts provide access for the ExtraHop Support team to help customers troubleshoot issues with the ExtraHop appliance and to provide remote analysis reports through Atlas Services.
These settings should be enabled only if the ExtraHop system administrator requests hands-on assistance from the ExtraHop Support team or if your organization is subscribed to Atlas Services.
Enable the Atlas Remote UI account
The Atlas Remote UI account enables the ExtraHop Support team to provide remote analysis reports through Atlas Services.
- In the Access Settings section, click Support Account.
- Click Atlas Remote UI Account.
- Click Enable Atlas Remote UI Account.
- Copy the encrypted key from the text box and email the key to support@extrahop.com.
- Click Done.
Disable the Atlas Remote UI account
- In the Access Settings section, click Support Account.
- Click Atlas Remote UI Account.
- Click Disable Atlas Remote UI Account.
Local users
This topic is about default and local accounts. See Remote Authentication to learn how to configure remote accounts.
- setup
- This account provides full system read and write privileges on the Web UI, Admin UI, and Shell, which is the ExtraHop command-line interface (CLI). On physical appliances, the default password for this account is the service tag number on the front of the appliance. On virtual appliances, the default password is default.
- shell
- The shell account, by default, has access to non-administrative shell commands in the ExtraHop CLI. On physical appliances, the default password for this account is the service tag number on the front of the appliance. On virtual appliances, the default password is default.
Note: | The default ExtraHop password for either account when deployed in Amazon Web Services (AWS) is the string of numbers after the -i in the instance ID. |
Next steps
Add a local user account
By adding a local user account, you can provide users with direct access to your ExtraHop appliances and restrict their access as needed by their role in your organization.
User privileges
Administrators determine the level of access and functionality users have with the ExtraHop Web and Admin UIs. In addition to setting the privilege level for the user, you can add certain options that can apply to any user privilege level.
For information about user privileges for the REST API, see the REST API Guide.
Privilege Levels
Set the privilege level for your user to determine which areas of the ExtraHop appliance they can access.
Action | Full System | Full Write | Limited Write | Personal Write | Full Read-Only | Restricted Read-Only |
---|---|---|---|---|---|---|
Activity Maps | | | | | | |
Create, view, and load shared activity maps | Y | Y | Y | Y | Y | N |
Save activity maps | Y | Y | Y | Y | N | N |
Share activity maps | Y | Y | Y | N | N | N |
Alerts | | | | | | |
View alert history | Y | Y | Y | Y | Y | N |
Create and modify alerts | Y | Y | N | N | N | N |
Custom Pages | | | | | | |
Create and modify custom pages | Y | Y | N | N | N | N |
Dashboards | | | | | | |
View and organize dashboards | Y | Y | Y | Y | Y | Y |
Create and modify dashboards | Y | Y | Y | Y | N | N |
Share dashboards | Y | Y | Y | N | N | N |
Anomalies | | | | | | |
View anomalies and provide feedback | Y | Y | Y | Y | Y | N |
Analysis Priorities | | | | | | |
View Analysis Priorities page | Y | Y | Y | Y | Y | N |
Add and modify analysis levels for groups | Y | Y | N | N | N | N |
Add devices to a watchlist | Y | Y | N | N | N | N |
Transfer priorities management | Y | Y | N | N | N | N |
Device Groups | | | | | | |
Create and modify device groups | Y | Y | N | N | N | N |
Metrics | | | | | | |
View metrics | Y | Y | Y | Y | Y | N |
Records (Explore appliance) | | | | | | |
View record queries | Y | Y | Y | Y | Y | N |
View record formats | Y | Y | Y | Y | Y | N |
Create, modify, and save record queries | Y | Y | N | N | N | N |
Create, modify, and save record formats | Y | Y | N | N | N | N |
Scheduled Reports (Command appliance) | | | | | | |
Create, view, and manage scheduled reports | Y | Y | Y | N | N | N |
Triggers | | | | | | |
Create and modify triggers | Y | Y | N | N | N | N |
Administrative Privileges | | | | | | |
Access the ExtraHop Admin UI | Y | N | N | N | N | N |
Connect to other appliances | Y | N | N | N | N | N |
Manage other appliances (Command appliance) | Y | N | N | N | N | N |
Sessions
The ExtraHop system provides controls to view and delete user connections to the web interface. The Sessions list is sorted by expiration date, which corresponds to the date the sessions were established. If a session expires or is deleted, the user must log in again to access the web interface.
Delete active sessions
When you delete an active session for a user, the user is logged out of the Admin UI. You cannot delete the current user session.
- In the Access Settings section, click Sessions.
- Select the users that you want to delete.
- To delete a specific user, in the sessions table, click the red x at the end of the row for the specific user.
- To delete all active user sessions, click Delete All and then click OK.
Remote authentication
ExtraHop appliances support remote authentication of users. Remote authentication enables organizations that have authentication systems such as LDAP (for example, OpenLDAP or Active Directory), RADIUS, or TACACS+ to let all or a subset of their users log on to the appliance with their existing credentials.
Centralized authentication provides the following benefits:
- User password synchronization.
- Automatic creation of ExtraHop accounts for users without administrator intervention.
- Management of ExtraHop privileges based on LDAP groups.
- Administrators can grant access to all known users or restrict access by applying LDAP filters.
LDAP
The ExtraHop system supports the Lightweight Directory Access Protocol (LDAP) for authentication and authorization. ExtraHop LDAP authentication only queries for user accounts; it does not use any other entities that might be in the LDAP directory.
Users whose credentials are not stored locally are authenticated against the remote LDAP server by their username and password when they attempt to log on to the ExtraHop system. When a user attempts to log on to the ExtraHop UI, the ExtraHop system:
- Attempts to authenticate the user locally.
- Attempts to authenticate the user through the LDAP server if the user does not exist locally and the ExtraHop system is configured to use LDAP for remote authentication.
- Logs the user on to the ExtraHop system if the user exists and the password is validated through LDAP. The LDAP password is not stored locally on the ExtraHop system.
If the user does not exist or an incorrect password is used, an error message appears on the login page.
Ensure that each user to be remotely authorized is in a permission-specific group on the LDAP server before beginning this procedure.
Configure LDAP authentication
Important: | If you change LDAP authentication at a later time to a different remote authentication method, users, user groups, and associated customizations that were created through remote authentication are removed. Local users are unaffected. |
Next steps
Continue to the Configure remote user permissions section.
Configure remote user permissions
Determine whether you want to allow local or remote authentication.
For information about user permissions, see the User privileges section.
- Choose one of the following options from the Permission assignment options drop-down list:
- Obtain permissions level from remote server
If you want to obtain a permissions level from a remote server, select the Obtain permissions level from remote server option and complete at least one of the following fields to specify the remote permissions:
- Full access DN
- Read-write DN
- Limited DN
- Personal DN
- Node connection privileges DN
Note: This field is visible only on the Command appliance.
- Read-only DN
- Read-limited DN
- Packet access full DN
These fields must be groups (not organizational units) that are pre-specified on the LDAP server. A user account with access must be a direct member of a specified group. User accounts that are members of a group that is itself a member of a specified group do not have access. If the specified groups are not present on the LDAP server, users are not authenticated on the ExtraHop appliance.
The ExtraHop appliance supports the following types of group membership:
- Active Directory: memberOf
- Posix: posixGroups, groupofNames, and groupofuniqueNames
- Remote users have full write access
This option allows remote users to have full write access to the ExtraHop Web UI. To allow remote users to view and download packet captures, select the Remote users can view and download packets checkbox.
- Remote users have read-only access
This option allows remote users to have read-only privileges to the ExtraHop Web UI. To allow remote users to view and download packet captures, select the Remote users can view and download packets checkbox.
Note: You can add read-write permissions on a per-user basis later through the Users page in the Admin UI.
- Click Save and Finish.
- Click Done.
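The following example is added here and is not ExtraHop code: it shows how the direct-membership rule and the membership types listed above (memberOf, posixGroup, groupOfNames, groupOfUniqueNames) decide which permission DN fields apply to a user, so an administrator can check group layout before saving the settings. The directory entries, DNs and field values are constructed, and returning every matching field (rather than picking one) is an assumption, because the page does not state which field wins when several match.

```python
"""Direct-membership check for the LDAP permission DN fields described above."""
from __future__ import annotations


def norm_dn(dn: str) -> str:
    # Case-insensitive, whitespace-tolerant DN comparison. This is a
    # simplification: full DN matching also handles escaping and attribute aliases.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _lower_keys(attrs: dict[str, list[str]]) -> dict[str, list[str]]:
    return {k.lower(): v for k, v in attrs.items()}


def is_direct_member(user: dict, group: dict) -> bool:
    """True only if the user is a DIRECT member of the group.

    Supports the membership types named on the page: Active Directory memberOf,
    posixGroup (memberUid), groupOfNames (member) and groupOfUniqueNames
    (uniqueMember). A user who is only in a group nested inside this group is
    not a member here, which is the rule the page states.
    """
    udn, gdn = norm_dn(user["dn"]), norm_dn(group["dn"])
    uattrs, gattrs = _lower_keys(user["attrs"]), _lower_keys(group["attrs"])
    classes = {c.lower() for c in gattrs.get("objectclass", [])}

    # Active Directory: the user entry carries memberOf with the group DN.
    if any(norm_dn(g) == gdn for g in uattrs.get("memberof", [])):
        return True
    # POSIX groups list member uids, not DNs.
    if "posixgroup" in classes and set(gattrs.get("memberuid", [])) & set(uattrs.get("uid", [])):
        return True
    if "groupofnames" in classes and any(norm_dn(m) == udn for m in gattrs.get("member", [])):
        return True
    if "groupofuniquenames" in classes and any(norm_dn(m) == udn for m in gattrs.get("uniquemember", [])):
        return True
    return False


def resolve_privileges(user: dict, groups: list[dict], dn_fields: dict[str, str]) -> list[str]:
    """Return the permission DN fields whose configured group has the user as a direct member.

    dn_fields maps the Admin UI field names (Full access DN, Read-only DN, ...) to the
    group DN entered for each; empty fields are skipped, and a DN that does not exist
    on the server grants nothing. Which field wins when several match is not stated
    on the page, so all matches are returned for the administrator to review.
    """
    by_dn = {norm_dn(g["dn"]): g for g in groups}
    matched = []
    for field, dn in dn_fields.items():
        group = by_dn.get(norm_dn(dn)) if dn else None
        if group is not None and is_direct_member(user, group):
            matched.append(field)
    return matched


# Constructed sample directory (not real data).
BASE = "ou=groups,dc=example,dc=com"
GROUPS = [
    {"dn": f"cn=eh-full,{BASE}", "attrs": {"objectClass": ["groupOfNames"],
     "member": ["CN=Alice, OU=People, DC=example, DC=com"]}},
    {"dn": f"cn=eh-readonly,{BASE}", "attrs": {"objectClass": ["posixGroup"],
     "memberUid": ["bob"]}},
    {"dn": f"cn=eh-limited,{BASE}", "attrs": {"objectClass": ["groupOfUniqueNames"],
     "uniqueMember": [f"cn=eh-nested,{BASE}"]}},          # contains a group, not users
    {"dn": f"cn=eh-nested,{BASE}", "attrs": {"objectClass": ["groupOfNames"],
     "member": ["cn=carol,ou=people,dc=example,dc=com"]}},
]
ALICE = {"dn": "cn=alice,ou=people,dc=example,dc=com", "attrs": {"uid": ["alice"]}}
BOB = {"dn": "cn=bob,ou=people,dc=example,dc=com",
       "attrs": {"uid": ["bob"], "memberOf": [f"cn=eh-readonly,{BASE}"]}}
CAROL = {"dn": "cn=carol,ou=people,dc=example,dc=com", "attrs": {"uid": ["carol"]}}

# The Admin UI fields, with the DNs an administrator might enter (constructed).
DN_FIELDS = {
    "Full access DN": f"cn=eh-full,{BASE}",
    "Read-write DN": "",
    "Limited DN": f"cn=eh-limited,{BASE}",
    "Personal DN": "",
    "Read-only DN": f"cn=eh-readonly,{BASE}",
    "Read-limited DN": "",
    "Packet access full DN": f"cn=eh-packets,{BASE}",   # not present on the server
}

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        print(user["dn"], "->", resolve_privileges(user, GROUPS, DN_FIELDS) or "no access")
```

Carol is only a member of eh-nested, which is itself a member of the Limited DN group, so she receives no access; that is the nested-group case the text warns about.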
RADIUS
The ExtraHop appliance supports Remote Authentication Dial In User Service (RADIUS) for remote authentication and local authorization only. For remote authentication, the ExtraHop appliance supports unencrypted RADIUS and plaintext formats.
TACACS+
The ExtraHop appliance supports Terminal Access Controller Access-Control System Plus (TACACS+) for remote authentication and authorization.
Ensure that each user to be remotely authorized has the ExtraHop service configured on the TACACS+ server before beginning this procedure.
Configure remote authentication through TACACS+
API access
The API Access page provides controls to generate, view, and manage access for the API keys that are required to perform operations through the ExtraHop REST API. This page also provides a link to the REST API Explorer.
Administrators, or users with full system privileges, control whether users can generate API keys. For example, you can prevent remote users from generating keys or you can disable API key generation entirely. When this functionality is enabled, API keys are generated by users, listed in the Keys section, and can be viewed only by the user who generated the key.
Note: | Administrators set up user accounts, and then users generate their own API key. Users can delete API keys for their own account, and users with full system privileges can delete API keys for any user. For more information, see the Users section. |
Click the REST API Explorer link to open a web-based tool that enables you to try API calls directly on your ExtraHop appliance. The ExtraHop REST API Explorer also provides information about each resource and samples in cURL, Python 2.7, and Ruby.
See the ExtraHop REST API Guide for more information.
Manage API access
You can manage which users are able to generate API keys on the ExtraHop appliance.
- In the Access Settings section, click API Access.
- In the Manage Access section, select one of the following options:
- Allow all users to generate an API key
Local and remote users can generate API keys.
- Only local users can generate an API key
Only users created on the appliance can generate API keys.
- No users can generate an API key
API keys cannot be generated. Selecting this option will delete any
- Click Save Settings, then click OK, and then click Done.
Next steps
Save the changes to the running config file.
Enable CORS for the ExtraHop REST API
Cross-origin resource sharing (CORS) allows you to access the ExtraHop REST API across domain boundaries and from specified web pages without requiring the request to travel through a proxy server.
You can configure one or more allowed origins or you can allow access to the ExtraHop REST API from any origin. Only administrative users with full system privileges can view and edit CORS settings.
Add an allowed origin
You can configure one or more allowed origins or you can allow access to the ExtraHop REST API from any origin.
- In the Access Settings section, click API Access.
- In the CORS Settings section, specify one of the following access configurations.
- To add a specific URL, type an origin URL in the text box, and then click the plus (+) icon or press ENTER.
The URL must include a scheme, such as HTTP or HTTPS, and the exact domain name. You cannot append a path; however, you can provide a port number.
- To allow access from any URL, select the Allow API requests from any Origin checkbox.
Note: Allowing REST API access from any origin is less secure than providing a list of explicit origins.
- Click Save Settings and then click Done.
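The following example is added here and is not ExtraHop code: it validates configured origins against the rules just described (scheme and exact host required, optional port, no path) and shows why a request origin must match exactly rather than by prefix. The host names are constructed, and dropping a default port and comparing hosts case-insensitively are assumptions of this example.

```python
"""Allowed-origin validation and matching for the CORS settings described above."""
from __future__ import annotations
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin: str) -> str:
    """Validate an origin the way the page describes and return its canonical form.

    Rules taken from the page: a scheme (http or https) and the exact host are
    required, a port is optional, and a path is not allowed. Host comparison is
    case-insensitive and a default port is dropped (an assumption of this
    example, matching how browsers serialise the Origin header).
    """
    parts = urlsplit(origin.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"{origin!r}: origin must start with http:// or https://")
    if not parts.hostname:
        raise ValueError(f"{origin!r}: origin must name a host")
    if parts.path or parts.query or parts.fragment:
        raise ValueError(f"{origin!r}: origin must not include a path, query or fragment")
    if parts.username is not None or parts.password is not None:
        raise ValueError(f"{origin!r}: origin must not include credentials")
    port = parts.port                      # raises ValueError for a non-numeric port
    host = parts.hostname.lower()
    if ":" in host:                        # IPv6 literal: keep the brackets
        host = f"[{host}]"
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def origin_config_errors(origins: list[str]) -> dict[str, str]:
    """Map each invalid configured origin to the reason it would be rejected."""
    errors = {}
    for o in origins:
        try:
            normalize_origin(o)
        except ValueError as exc:
            errors[o] = str(exc)
    return errors


def is_origin_allowed(request_origin: str, allowed: list[str], allow_any: bool = False) -> bool:
    """Decide whether a request's Origin header matches the CORS configuration.

    allow_any models the "Allow API requests from any Origin" checkbox. Otherwise
    the request origin must match an allowed origin exactly (scheme, host, port):
    a different scheme, a different port, or a host that merely starts with an
    allowed host does not match.
    """
    if allow_any:
        return True
    try:
        wanted = normalize_origin(request_origin)
    except ValueError:
        return False                       # e.g. the literal "null" origin
    return wanted in {normalize_origin(a) for a in allowed}


# Constructed configuration (example hosts, not from the page).
ALLOWED = ["https://dashboards.example.com", "https://tools.example.com:8443"]

if __name__ == "__main__":
    for o in ["https://dashboards.example.com", "https://dashboards.example.com.evil.test",
              "http://dashboards.example.com", "https://tools.example.com"]:
        print(o, "->", is_origin_allowed(o, ALLOWED))
```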
Delete an allowed origin
You can delete a URL from the list of allowed origins or disable access from all origins.
- In the Access Settings section, click API Access.
- In the CORS Settings section, modify one of the following access configurations.
- To delete a specific URL, click the delete (X) icon next to the origin you want to delete.
- To disable access from any URL, clear the Allow API requests from any Origin checkbox.
- Click Save Settings.
Generate an API key
After you log into the ExtraHop appliance, if API key generation is enabled, you can generate an API key.
- In the Access Settings section, click API Access.
- In the API Keys section, enter a description for the key, and then click Generate.
Delete an API key
- In the Access Settings section, click API Access.
- In the Keys section, click the X next to the API key you want to delete.
- Click OK.
API privileges
The privilege level that is set for a user dictates what that user can do through the REST API.
Privilege level | Actions allowed |
---|---|
Full system privileges | |
Full write privileges | |
Limited write privileges | |
Personal write privileges | |
Read-only privileges | |
View and download packets privileges | This additional privilege can be granted to a user with full write, limited write, personal write, or read-only privileges. |
User Groups
The User Groups page provides controls to view, enable, and disable user groups that are imported from a configured LDAP server.
User groups allow for easier sharing of dashboards to all members in the group. Only remote user accounts and groups can be members of remote user groups.
Remote user groups are automatically discovered in the distinguished name (DN) specified as part of the remote authentication settings. See the Remote authentication section about configuring LDAP authentication.
- Group Name
- Displays the name of the remote LDAP group. To view the members in the group, click the group name.
- Members
- Displays the number of users in the group that are associated with a dashboard and that have logged into the ExtraHop Discover or Command appliance.
- Associations
- Displays the number of dashboards that are shared with the group.
- Status
- Displays whether the group is enabled or disabled on the appliance. When the status is Disabled, the user group is considered empty when performing membership checks; however, the user group can still be specified when sharing a dashboard.
- Last Refresh
- Displays the amount of time elapsed since the group membership was refreshed. User groups are refreshed under the following conditions:
- Once per hour, by default. The refresh interval setting can be modified on the page.
- An administrator refreshes a group by clicking Refresh All User Groups or Refresh Users in Group, or programmatically through the REST API. You can refresh a group from the User Group page or from within the Member List page.
- A remote user logs into the ExtraHop Web UI or Admin UI for the first time.
- A user attempts to load a shared dashboard that they do not have access to.
Next steps
Manage imported LDAP user groups
View the members of a user group
The Member List page provides controls to view the members in a user group that are imported from a configured LDAP server. You can also reset, disable, and refresh the user group from within the Member List page.
Enable or disable a user group
You can share custom dashboards with a remote user group so that every member of the group can view the associated dashboard. If a user group is disabled, no group member can view the associated dashboard, even if the dashboard is still shared with the group.
Tip: | Select more than one user group to enable or disable multiple groups at one time. |
- In the Access Settings section, click User Groups.
- Select the checkbox next to the name in the group list and click one of the following:
- To enable a user group, click Enable User Group.
- To disable a user group, click Disable User Group.
Reset a user group
When you reset a user group, all shared dashboard associations are removed from the group. If the group no longer exists on the remote LDAP server, the group is removed from the user group list.
Tip: | Select more than one user group to reset multiple groups at one time. |
- In the Access Settings section, click User Groups.
- Select the checkbox next to the group name in the list.
- Click Reset User Group.
- Click Yes to confirm the reset action.
Refresh users and user groups
You can manually refresh LDAP user groups (or all users within a specific group) to ensure that the users and groups are synchronized with the users and groups on the LDAP server.
Tip: | Select more than one user group to refresh multiple users at one time. |
- In the Access Settings section, click User Groups.
- Choose one of the following options:
- To refresh all user groups, click Refresh All User Groups.
- To refresh users in a user group, select the checkbox next to the group name and then click Refresh Users in Group.
System Configuration
The System Configuration section contains ExtraHop appliance configuration settings that can be changed through the Admin UI.
- Capture
- Configure the network capture settings on the Discover appliance.
- Datastore and Customizations
- Reset the datastore and modify customizations. Datastore configuration settings are not available on the Command appliance.
- Geomap Datasource
- Modify the information in geomaps.
- Open Data Streams
- Send log data from the Discover appliance to another system such as a syslog system, MongoDB database, or HTTP server.
- Trends
- Reset all trends and trend-based alerts on the Discover appliance.
Capture
The Admin UI provides an interface to manage the ExtraHop appliance network capture settings. For example, by default the ExtraHop appliance is configured to discover devices by their MAC address, maintaining a one-to-one correspondence between the MAC address and the discovered device. Using the Capture Configuration settings, this method of discovery can be changed so that devices are discovered by IP address.
The network capture settings give ExtraHop appliance administrators the ability to fine-tune the network capture so that the Discover appliance discovers devices in the best and most complete method possible, based on the host networking environment.
Note: | Capture settings are not configurable through the Command appliance. |
The ExtraHop Admin UI includes controls to manage the following network capture settings:
- Excluded Protocol Modules
- Specify protocols and associated devices that should be excluded from the network capture.
- MAC Address Filters
- Determine which devices are discovered by MAC address.
- IP Address Filters
- Determine which devices are discovered by IP address.
- Port Filters
- Enable TCP and UDP ports.
- Pseudo Devices
- Identify individual devices (that have IP addresses outside the monitored domains) that normally are shown in the capture only as the router address.
- Protocol Classification
- Add custom protocols to the capture and associate these custom protocols with ExtraHop module protocols.
- Discover by IP
- Enable or disable the discovery of devices on the network capture by IP address rather than by MAC address.
- SSL Decryption
- Add and manage SSL decryption keys to decrypt SSL traffic on the network.
- Open Data Context API
- Access the session table with the ExtraHop system acting as a memcache server.
- Software Tap
- Capture traffic through a high-speed packet forwarder (RPCAP).
- Network Overlay Decapsulation
- Enable or disable the network overlay decapsulation for NVGRE and VXLAN protocols.
Excluded protocol modules
The Excluded Protocol Modules page provides an interface to manage the protocols that you want to include in the network capture. By default, all supported modules on the ExtraHop appliance are included in the capture unless you manually exclude them.
Note: | Capture settings are not configurable through the Command appliance. |
Exclude protocol modules
To exclude a protocol module from the network capture:
- Click .
- Click Excluded Protocol Modules.
- Click Add Module to Exclude.
- On the Select Protocol Module to Exclude page, from the Module Name dropdown, select the module that you want to exclude from the capture.
- Click Add.
- On the Excluded Protocol Modules page, click Restart Capture.
- After the capture restarts, click OK.
Re-include excluded protocol modules
To re-include a previously excluded protocol module:
- Click .
- Click Excluded Protocol Modules.
- On the Excluded Protocol Modules page, click Delete next to the module name for each module you want to re-include.
- Click Restart Capture.
- After the capture restarts, click OK.
MAC address filters
You can add filters to exclude specific MAC addresses or vendor device traffic from the network capture on the Discover appliance.
Note: | Capture settings are not configurable through the Command appliance. |
IP address filters
You can use filters to exclude specific IP addresses and IP ranges from the network capture on the ExtraHop appliance.
Note: | Capture settings are not configurable through the Command appliance. |
Port filters
You can use filters to exclude traffic from specific ports from the network capture on the Discover appliance.
Note: | Capture settings are not configurable through the Command appliance. |
Exclude a port
- Go to the Configuration section and click Capture.
- On the Capture Configuration page, click Port Filters.
- Click Add Filter.
- On the Port Address Filters page, enter the port you want to exclude.
- To specify a source port you want to exclude, enter the port in the Source Port field.
- To specify a destination port you want to exclude, enter the port in the Destination Port field.
- From the IP Protocol drop-down list, select the protocol you want to exclude on the indicated port.
- Click Add.
Filtering and deduplication
Refer to the following table to view the effects of filtering and deduplication on metrics, packet capture, and device discovery. Deduplication is enabled by default on the appliance.
Packet Dropped by | MAC address filter | IP address filter | Port filter | L2 dedup | L3 dedup |
---|---|---|---|---|---|
Network VLAN L2 Metrics | Not collected | Not collected | Not fragmented*: Not collected; Fragmented: Collected | Not collected | Collected |
Network VLAN L3 Metrics | Not collected | Not collected | Not fragmented: Not collected; Fragmented: Collected | Not collected | Collected |
Device L2/L3 Metrics | Not collected | Not collected | Not fragmented: Not collected; Fragmented, top-level: Collected; Fragmented, detail: Not collected | Not collected | Collected |
Global PCAP Packets | Captured | Captured | Captured | Captured | Captured |
Precision PCAP Packets | Not captured | Not captured | Not captured | Not captured | Captured |
L2 Device Discovery | No discovery | Discovery | Discovery | -- | -- |
L3 Device Discovery | No discovery | No discovery | Not fragmented: No discovery; Fragmented: Discovery | -- | -- |
*For port filters, when IP fragments are present in the data feed, a port number is not determined during fragment reassembly. The ExtraHop appliance might collect metrics, capture packets, or discover a device even if the port filtering rule otherwise precludes it.
L2 duplicates are identical Ethernet frames. The duplicate frames do not usually exist on the wire, but are an artifact of the data feed configuration. L3 duplicates are frames that differ only in L2 header and IP TTL. These frames usually result from tapping on both sides of a router. Because these frames exist on the monitored network, they are counted at L2 and L3 in the locations referenced above. L3 deduplication is targeted toward L4 and above, for example, to avoid counting the L3 duplicates as TCP retransmissions.
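The following example is added here and is not ExtraHop code: it builds a small constructed packet feed and labels each frame as an L2 duplicate (identical Ethernet frame) or an L3 duplicate (same packet seen on both sides of a router, so only the Ethernet header and TTL differ), using the definitions in the paragraph above. The frames, addresses and payload are constructed; masking the IP header checksum alongside the TTL is an assumption of this example.

```python
"""L2 and L3 duplicate detection over a constructed packet feed."""
import hashlib
import struct

ETH_HDR_LEN = 14
IP_TTL_OFFSET = 8     # TTL byte within the IPv4 header
IP_CSUM_OFFSET = 10   # header checksum within the IPv4 header


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def _ip(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def ipv4_checksum(header: bytes) -> int:
    """Standard ones'-complement checksum; returns 0 for a header whose checksum is valid."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(dst_mac, src_mac, ttl, src_ip, dst_ip, payload: bytes) -> bytes:
    """Constructed Ethernet + IPv4 (no options) frame around an opaque payload."""
    eth = _mac(dst_mac) + _mac(src_mac) + b"\x08\x00"
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, ttl, 6, 0, _ip(src_ip), _ip(dst_ip))
    hdr = hdr[:IP_CSUM_OFFSET] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[IP_CSUM_OFFSET + 2:]
    return eth + hdr + payload


def l2_key(frame: bytes) -> str:
    # L2 duplicate: a byte-for-byte identical Ethernet frame (typically a
    # data-feed artifact, such as a SPAN session mirroring the same frame twice).
    return hashlib.sha256(frame).hexdigest()


def l3_key(frame: bytes) -> str:
    # L3 duplicate: the same packet seen on both sides of a router. The Ethernet
    # header is dropped and the TTL masked; the header checksum is masked too,
    # because it changes whenever the TTL does (an assumption of this example,
    # the page names only the L2 header and TTL).
    ip = bytearray(frame[ETH_HDR_LEN:])
    ip[IP_TTL_OFFSET] = 0
    ip[IP_CSUM_OFFSET:IP_CSUM_OFFSET + 2] = b"\x00\x00"
    return hashlib.sha256(bytes(ip)).hexdigest()


def classify(frames):
    """Label each frame in feed order as 'unique', 'l2-dup' or 'l3-dup'."""
    seen_l2, seen_l3, labels = set(), set(), []
    for frame in frames:
        k2, k3 = l2_key(frame), l3_key(frame)
        if k2 in seen_l2:
            labels.append("l2-dup")
        elif k3 in seen_l3:
            labels.append("l3-dup")
        else:
            labels.append("unique")
        seen_l2.add(k2)
        seen_l3.add(k3)
    return labels


# Constructed feed (documentation addresses): the same TCP segment mirrored twice
# on the inside tap, then the router-forwarded copy from the outside tap
# (new MACs, TTL decremented), then an unrelated segment.
PAYLOAD = bytes.fromhex("c35000500000000100000000500200004c1d0000")
FEED = [
    build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:10", 64, "192.0.2.10", "198.51.100.20", PAYLOAD),
    build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:10", 64, "192.0.2.10", "198.51.100.20", PAYLOAD),
    build_frame("00:00:5e:00:53:20", "00:00:5e:00:53:02", 63, "192.0.2.10", "198.51.100.20", PAYLOAD),
    build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:10", 64, "192.0.2.11", "198.51.100.20", PAYLOAD),
]

if __name__ == "__main__":
    for label, frame in zip(classify(FEED), FEED):
        print(label, "ttl", frame[ETH_HDR_LEN + IP_TTL_OFFSET])
```

The third frame is what L3 deduplication removes: without it, the same segment would be counted twice at L4 and could look like a TCP retransmission, which is the case the paragraph above describes.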
Pseudo devices
Pseudo devices are deprecated as of ExtraHop version 6.0. If you have upgraded your system from a previous version with this functionality, you still can access the configuration page to migrate existing pseudo devices to custom devices. By default, all IP addresses outside of locally-monitored broadcast domains are aggregated at an incoming router. To identify the devices behind these routers for reporting, you can create custom devices. Unlike with pseudo devices, you do not need Admin UI privileges to configure a custom device.
Note: | Any pseudo devices created on a previous version of ExtraHop firmware will remain on your Discover appliance until you migrate the pseudo device to a custom device. |
Note: | Capture settings are not configurable through the Command appliance. |
Specify a pseudo device
Note: | To monitor remote locations with multiple, non-contiguous subnets, specify the pseudo device multiple times with the same dummy MAC but with different IP subnets. For example, in the figure below, all traffic relating to any of the IP subnets assigned is attributed to the pseudo device with the MAC address 22:22:00:00:00:01. |
Protocol classification
Protocol classification relies on specific payloads to identify custom protocols over specific ports. These protocols are Layer 7 (application-layer) protocols that sit above the Layer 4 (TCP or UDP) protocol. These applications have their own custom protocol, and they also use the TCP protocol.
The Protocol Classification page provides an interface to perform the following functions:
- List applications and ports for the following network entities:
- Widely-known applications that are mapped to non-standard ports.
- Lesser-known and custom networking applications.
- Unnamed applications that use TCP and UDP (for example, TCP 1234).
- Add custom protocol-to-application mapping that includes the following information:
- Name
- The user-specified protocol name.
- Protocol
- The selected Layer 4 protocol (TCP or UDP).
- Source
- (Optional) The specified source port. Port 0 indicates any source port.
- Destination
- The destination port or range of ports.
- Loose Initiation
- Select this checkbox if you want the classifier to attempt to categorize the connection without seeing the connection open. ExtraHop recommends selecting loose initiation for long-lived flows.
By default, the ExtraHop appliance uses loosely-initiated protocol classification, so it attempts to classify flows even after the connection was initiated. You can turn off loose initiation for ports that do not always carry the protocol traffic (for example, the wildcard port 0).
- Delete protocols with the selected application name and port mapping from the list.
The application name and port do not display in the ExtraHop Web UI or in reports based on any future data capture. The device will appear in reports that use historical data, if the device was active and discoverable within the reported time period.
- Restart the network capture.
- You must restart the network capture before any protocol classification changes take effect.
- Previously-collected capture data is preserved.
The ExtraHop appliance recognizes most protocols on their standard ports. Exceptions include HTTP, SSH, and SSL, which are recognized on any port. In some cases, if a protocol is using a non-standard port, it is necessary to add the non-standard port in the Admin UI. In these cases, it is important to properly name the non-standard port. The table below lists the standard ports for each of the protocols, along with the protocol name that must be used when adding the custom port numbers in the Admin UI.
In most cases, the name you use is the same as the name of the protocol. The most common exceptions to this rule are Oracle (where the protocol name is TNS) and Microsoft SQL (where the protocol name is TDS).
If you add a protocol name that has multiple destination ports, add the entire port range separated by a dash (-). For example, if your protocol requires adding ports 1434, 1467, and 1489 for database traffic, type 1434-1489 in the Destination Port field. Alternatively, add each of the three ports in three separate protocol classifications with the same name.
Canonical Name | Protocol Name | Transport | Default Source Port | Default Destination Port |
---|---|---|---|---|
ActiveMQ | ActiveMQ | TCP | 0 | 61616 |
AJP | AJP | TCP | 0 | 8009 |
CIFS | CIFS | TCP | 0 | 139, 445 |
DB2 | DB2 | TCP | 0 | 50000, 60000 |
Diameter | AAA | TCP | 0 | 3868 |
DHCP | DHCP | TCP | 68 | 67 |
DICOM | DICOM | TCP | 0 | 3868 |
DNS | DNS | TCP, UDP | 0 | 53 |
FIX | FIX | TCP | 0 | 0 |
FTP | FTP | TCP | 0 | 21 |
FTP-DATA | FTP-DATA | TCP | 0 | 20 |
HL7 | HL7 | TCP, UDP | 0 | 2575 |
HTTPS | HTTPS | TCP | 0 | 443 |
IBM MQ | IBMMQ | TCP, UDP | 0 | 1414 |
ICA | ICA | TCP | 0 | 1494, 2598 |
IKE | IKE | UDP | 0 | 500 |
IMAP | IMAP | TCP | 0 | 143 |
IMAPS | IMAPS | TCP | 0 | 993 |
Informix | Informix | TCP | 0 | 1526, 1585 |
IPSEC | IPSEC | TCP, UDP | 0 | 1293 |
IPX | IPX | TCP, UDP | 0 | 213 |
IRC | IRC | TCP | 0 | 6660-6669 |
ISAKMP | ISAKMP | UDP | 0 | 500 |
iSCSI | iSCSI | TCP | 0 | 3260 |
Kerberos | Kerberos | TCP, UDP | 0 | 88 |
LDAP | LDAP | TCP | 0 | 389, 390, 3268 |
LLDP | LLDP | Link Level | N/A | N/A |
L2TP | L2TP | UDP | 0 | 1701 |
Memcache | Memcache | TCP | 0 | 11210, 11211 |
MongoDB | MongoDB | TCP | 0 | 27017 |
MS SQL Server | TDS | TCP | 0 | 1433 |
MSMQ | MSMQ | TCP | 0 | 1801 |
MSRPC | MSRPC | TCP | 0 | 135 |
MySQL | MySQL | TCP | 0 | 3306 |
NetFlow | NetFlow | UDP | 0 | 2055 |
NFS | NFS | TCP | 0 | 2049 |
NFS | NFS | UDP | 0 | 2049 |
NTP | NTP | UDP | 0 | 123 |
OpenVPN | OpenVPN | UDP | 0 | 1194 |
Oracle | TNS | TCP | 0 | 1521 |
PCoIP | PCoIP | UDP | 0 | 4172 |
POP3 | POP3 | TCP | 0 | 143 |
POP3S | POP3S | TCP | 0 | 995 |
PostgreSQL | PostgreSQL | TCP | 0 | 5432 |
RADIUS | AAA | TCP | 0 | 1812, 1813 |
RADIUS | AAA | UDP | 0 | 1645, 1646, 1812, 1813 |
RDP | RDP | TCP | 0 | 3389 |
Redis | Redis | TCP | 0 | 6397 |
SIP | SIP | TCP | 0 | 5060, 5061 |
SMPP | SMPP | TCP | 0 | 2775 |
SMTP | SMTP | TCP | 0 | 25 |
SNMP | SNMP | UDP | 0 | 162 |
SSH | SSH | TCP | 0 | 0 |
SSL | SSL | TCP | 0 | 443 |
Sybase | Sybase | TCP | 0 | 10200 |
SybaseIQ | SybaseIQ | TCP | 0 | 2638 |
Syslog | Syslog | UDP | 0 | 514 |
Telnet | Telnet | TCP | 0 | 23 |
VNC | VNC | TCP | 0 | 5900 |
WebSocket | WebSocket | TCP | 0 | 80, 443 |
The name specified in the Protocol Name column in the table is used on the Protocol Classification page to classify a common protocol that uses non-standard ports.
Protocols in the ExtraHop Web UI that do not appear in this table include the following:
- DNS
- The standard port for DNS is 53. DNS does not run on non-standard ports.
- HTTP
- The ExtraHop appliance classifies HTTP on all ports.
- HTTP-AMF
- This protocol runs on top of HTTP and is automatically classified.
- SSL
- The ExtraHop appliance classifies SSL on all ports.
Protocols in this table that do not appear in the ExtraHop Web UI include the following:
- FTP-DATA
- The ExtraHop appliance does not handle FTP-DATA on non-standard ports.
- LLDP
- This is a link-level protocol, so port-based classification does not apply.
Add a custom protocol classification
The following procedure describes how to add custom protocol classification labels using the TDS (MS SQL Server) protocol as an example. By default, the ExtraHop appliance looks for TDS traffic on TCP port 1533.
To add MS SQL Server TDS parsing on another port:
Remove a custom protocol classification
- Click .
- Click Protocol Classification.
- On the Protocol Classification page, click Delete next to the protocol that you want to remove from the list.
- Click OK.
- This change has been applied to the running config. When you save the change to the running config, it will be reapplied when the ExtraHop system restarts. Click View and Save Changes at the top of the screen.
- Click Save to write the change to the default configuration.
- After the configuration is saved, a confirmation message appears. Click Done.
Discover new devices by IP address
The ExtraHop Discover appliance automatically discovers devices that are communicating on the locally monitored network. This identification process is known as device discovery. After a device is discovered, you can search for the device and analyze device metrics in the Discover or Command appliances.
By default, Discover by IP is enabled, which means that devices are discovered when the ExtraHop system detects a response to an Address Resolution Protocol (ARP) request for an IP address. This method is also known as L3 discovery mode.
Note: | Packet brokers can filter ARP requests. The ExtraHop system relies on ARP requests to associate L3 IP addresses with L2 MAC addresses. |
If the ExtraHop system detects an IP address that does not have associated ARP traffic, that device is considered a remote device. Remote devices are not automatically discovered, but you can configure a remote range of IP addresses for discovery.
Note: | Learn more about finding devices in the ExtraHop system. |
Diagram | Enabled | Disabled |
---|---|---|
(figure 1) | 2 devices discovered | 1 device discovered |
(figure 2) | 6 devices discovered | 3 devices discovered |
(figure 3) | 4 devices discovered | 1 device discovered |
When Discover by IP is enabled, L2 devices are considered parents of their L3 devices. You can view metrics associated with each IP address by L3 device. When Discover by IP is disabled, only L2 devices are discovered, and metrics associated with those IP addresses are merged into the L2 device.
Next steps
Remote discovery
The ExtraHop system automatically discovers local L3 devices based on observed ARP traffic that is associated with IP addresses. If the ExtraHop system detects an IP address that does not have ARP traffic, the ExtraHop system considers that IP address to be a remote device. Remote devices are not automatically discovered unless you configure a remote IP address range for remote discovery. When the ExtraHop system sees traffic associated with the range of remote IP addresses, it will discover those devices.
Note: | If you have a proxy ARP configured in your network, the ExtraHop system might automatically discover remote devices. For more information, see this ExtraHop forum post. |
- Your organization has a remote office without an on-site ExtraHop appliance but users at that site access central data center resources that are directly monitored by an ExtraHop appliance. The IP addresses at the remote site can be discovered as devices.
- A cloud service or other type of off-site service hosts your remote applications and has a known IP address range. The remote servers within this IP address range can be individually tracked.
Important: | Devices discovered through remote discovery count towards your licensed device limit. |
Add a remote IP address range
You can configure the ExtraHop system to automatically discover devices on remote subnets by adding a range of IP addresses.
Important considerations about remote discovery:
- Only public-facing IP addresses are discovered and visible in the ExtraHop appliance. Private IP addresses, such as those on a private subnet, behind a router, or behind a NAT device, are not visible to the ExtraHop system.
- Additionally, L2 information, such as device MAC address and L2 traffic, is not available if the device is on a different network from the one being monitored by the ExtraHop appliance. This information is not forwarded by routers, and therefore is not visible to the ExtraHop appliance.
- Exercise caution when specifying CIDR notation. A /24 subnet prefix might result in 255 new devices discovered by the ExtraHop system. A wide /16 subnet prefix might result in 65,535 new devices discovered, which might exceed your device limit.
Next steps
Important: | The capture must be restarted when removing IP address ranges before the changes will take effect. ExtraHop recommends deleting all entries before restarting the capture. The capture does not need to be restarted when adding IP address ranges. |
SSL decryption
The ExtraHop appliance supports real-time decryption of SSL traffic for analysis. Before you can decrypt your traffic, you must provide private keys associated with the SSL server certificate. The server certificate and private keys are uploaded over an HTTPS connection from a web browser to the ExtraHop appliance.
You can decrypt SSL traffic that is encrypted with a supported ciphersuite by adding the following keys to the ExtraHop appliance to facilitate SSL traffic decryption.
- PEM certificates and RSA private keys
- PKCS#12/PFX files with passwords
Note: | The PKCS#12/PFX files are archived in a secure container that contains both public and private certificate pairs and requires a password to access. |
You can also decrypt SSL traffic that is encrypted with Perfect Forward Secrecy (PFS) ciphers when you configure session key forwarding. For more information, see Install the ExtraHop session key forwarder on a Windows server or Install the ExtraHop session key forwarder on a Linux server.
After upload, the private keys are stored on the internal USB flash media. All file systems on the internal USB flash media are obfuscated and cannot be mounted with standard tools. The private keys are stored in an encrypted format. To ensure that the keys are not transferable to other systems, they are encrypted with an internal key that is seeded with information specific to the system to which they were uploaded.
Separation of privileges is enforced such that only the SSL decryption process can access the private key material. The ExtraHop web administration utility can store new private keys and list the keys in the store for key management purposes, but cannot access the private key material after it is stored.
To export a password-protected key, run a program such as OpenSSL:
openssl rsa -in yourcert.pem -out new.key
The Add Encrypted Protocol section specifies the protocols that handle decrypted SSL traffic. For example, for DNS traffic, you must create an entry for the DNS protocol on port 53. Port 0 represents any port.
Note: | You must have a license for SSL decryption. If you do not have a license for SSL decryption, but you do have a license for MS SQL, you will see "For MS SQL Auth Only" in the ExtraHop Admin UI. This configuration only allows you to decrypt MS SQL traffic after you upload an SSL certificate. |
Configure the SSL decryption settings with a PEM certificate and private key
Before you can decrypt forwarded traffic, you must upload the private keys that are associated with your SSL server certificate. The certificate and keys are uploaded over an HTTPS connection from a web browser to the Discover appliance.
View connected session key forwarders
You can view recently connected session key forwarders after you install the session key forwarder on your server and enable the SSL session key receiver service on the Discover appliance. Note that this page only displays session key forwarders that have connected over the last few minutes, not all session key forwarders that are currently connected.
- Log into the Admin UI on the Discover appliance.
- In the System Configuration section, click Capture.
- Click SSL Shared Secrets.
Open data context API
The Open Data Context API allows external access to the global session table. Clients can store and retrieve key-value pairs using the memcache protocol.
For example, a script running on an external host inserts CPU load information into the ExtraHop session table. Triggers commit this information and other HTTP transactions as custom metrics. The script running on the external host can use any memcache client, and then use memcache commands, such as GET, SET, and INCREMENT, to communicate with the ExtraHop appliance.
When using the Open Data Context API, remember the following:
- Committing large values to the session table causes performance degradation. Values can be almost unlimited in size. However, metrics committed to the datastore must be 4096 bytes or fewer.
- All data must be inserted as strings to be readable by the ExtraHop appliance.
- Keys expire at 30-second intervals. For example, if a key is set to expire in 50 seconds, it might take anywhere from 50 to 79 seconds to expire.
- All keys set in the Open Data Context API are exposed via the SESSION_EXPIRE trigger event as they expire. This behavior is in contrast to the Application Inspection Triggers API, where the default behavior is not to expose expiring keys via SESSION_EXPIRE.
Note: | This connection is not encrypted and should not be used to exchange sensitive information. |
Enable the open data context API
Note: | Enabling the Open Data Context API opens TCP/UDP port 11211 by default, so ensure that the firewall rules allow access to these ports from any external host that will use the API. |
Supported memcache client libraries
You can use any standard memcache client library with the Open Data Context API. The ExtraHop appliance acts as a memcache version 1.4 server.
All memcache commands are supported, but the following actions are not supported:
- Flush. Setting item expiration when adding or updating items is supported, but bulk expiration is not.
- Detailed statistics by item size or key prefix. Basic statistics reporting is supported.
Insert data as a string
Some memcache clients attempt to store type information in the values. For example, the python memcache library stores floats as pickled values, which cause invalid results when using Session.lookup in triggers.
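As an added example, not ExtraHop code, the following Python helpers encode and parse the memcache text-protocol messages the Open Data Context API speaks, coerce every value to a plain string before it is sent, enforce the 4096-byte commit limit, and compute the 30-second expiry window described above. The default port and the commit limit come from this guide; the `session_set` helper, the appliance host, and the sample reply bytes are assumptions constructed for the illustration.

```python
"""Memcache text-protocol helpers for the ExtraHop Open Data Context API.
Added example, not ExtraHop code; it assumes an appliance reachable on the
default port and constructs the sample response bytes used at the bottom."""
import socket

SESSION_TABLE_PORT = 11211   # port the API opens by default (from the guide)
MAX_COMMIT_BYTES = 4096      # limit for values a trigger commits as a metric
EXPIRY_INTERVAL = 30         # keys are reaped on a 30-second cycle
MAX_KEY_LEN = 250            # memcache protocol key limit


def to_session_string(value):
    """Coerce a value to the plain string the session table expects.

    Converting before the client library sees the value sidesteps client-side
    type encoding (the python memcache library pickles floats), which would
    make Session.lookup in a trigger return an unreadable value."""
    if isinstance(value, bytes):
        return value.decode("utf-8")
    if isinstance(value, bool):          # bool is an int subclass; check first
        return "1" if value else "0"
    return str(value)


def check_key(key):
    """Reject keys the memcache text protocol cannot carry (space, control chars)."""
    if not key or len(key) > MAX_KEY_LEN or any(ord(c) <= 32 for c in key):
        raise ValueError("invalid memcache key: %r" % key)


def expiry_window(exptime):
    """Earliest and latest second at which a key set with exptime is reaped.

    Keys expire on a 30-second cycle, so exptime 50 means 50 to 79 seconds.
    Returns None for exptime 0, which in memcache means the key never expires."""
    if exptime <= 0:
        return None
    return (exptime, exptime + EXPIRY_INTERVAL - 1)


def build_set(key, value, exptime=0, flags=0, enforce_commit_limit=False):
    """Encode a SET: 'set <key> <flags> <exptime> <bytes>\\r\\n<data>\\r\\n'."""
    check_key(key)
    data = to_session_string(value).encode("utf-8")
    if enforce_commit_limit and len(data) > MAX_COMMIT_BYTES:
        raise ValueError("value is %d bytes; metrics committed to the datastore "
                         "must be %d bytes or fewer" % (len(data), MAX_COMMIT_BYTES))
    header = "set %s %d %d %d\r\n" % (key, flags, exptime, len(data))
    return header.encode("ascii") + data + b"\r\n"


def build_get(*keys):
    """Encode a GET for one or more keys."""
    for key in keys:
        check_key(key)
    return ("get " + " ".join(keys) + "\r\n").encode("ascii")


def parse_get_response(raw):
    """Parse 'VALUE <key> <flags> <bytes>\\r\\n<data>\\r\\n ... END\\r\\n' into
    {key: str}. Raises ValueError on a truncated or unexpected response."""
    result, pos = {}, 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("response truncated before END")
        line = raw[pos:eol].decode("ascii")
        pos = eol + 2
        if line == "END":
            return result
        parts = line.split()
        if len(parts) < 4 or parts[0] != "VALUE":
            raise ValueError("unexpected response line: %r" % line)
        key, nbytes = parts[1], int(parts[3])
        data = raw[pos:pos + nbytes]
        if len(data) != nbytes or raw[pos + nbytes:pos + nbytes + 2] != b"\r\n":
            raise ValueError("truncated data block for key %r" % key)
        result[key] = data.decode("utf-8")
        pos += nbytes + 2


def session_set(host, key, value, exptime=0, port=SESSION_TABLE_PORT, timeout=5.0):
    """Store one string value on the appliance; True when the server answers STORED.
    The connection is plain TCP, so only send data that may travel unencrypted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_set(key, value, exptime))
        return sock.recv(64).strip() == b"STORED"


if __name__ == "__main__":
    # Constructed bytes standing in for the appliance's reply to a GET.
    reply = b"VALUE cpu_load 0 4\r\n0.42\r\nVALUE host 0 4\r\nweb1\r\nEND\r\n"
    print(build_set("cpu_load", 0.42, exptime=50))
    print(parse_get_response(reply), expiry_window(50))
```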
Change the session table size
The default session table size is 32768 entries. You can modify the running config to change the session table size, but increasing the session table size might impact memory consumption on the system and cause other issues. You must restart the capture to see these changes.
"jssession_table_size": 32768
For more information, see the Running Config section or contact ExtraHop Support.
Install the software tap on a Linux server
You must install the software tap on each server to be monitored in order to forward packets to the ExtraHop system. You can retrieve the commands from the procedures in this section or the ExtraHop Admin UI: https://<discover_ip_address>/admin/capture/rpcapd/linux/. The bottom of the ExtraHop Admin UI page contains links to automatically download the software tap.
Download and install on RPM-based systems
To download and install the software tap on RPM-based systems:
Download and install on other Linux systems
Install the software tap on a Windows server
You must install the software tap on each server to be monitored in order to forward packets to the ExtraHop system.
Monitoring multiple interfaces on a Linux server
For servers with multiple interfaces, you can configure the software tap to forward packets from a particular interface or from multiple interfaces by editing its configuration file on the server.
To edit the configuration file, complete the following steps.
Monitoring multiple interfaces on a Windows server
For servers with multiple interfaces, you can configure the software tap to forward packets from a particular interface or from multiple interfaces by editing its configuration file on the server.
To edit the configuration file, complete the following steps.
Network overlay decapsulation
Network overlay encapsulation wraps standard network packets in outer protocol headers to perform specialized functions, such as smart routing and virtual machine networking management.
Network overlay decapsulation enables the ExtraHop appliance to remove these outer encapsulating headers and then process the inner packets.
Note: | Enabling NVGRE and VXLAN decapsulation on your ExtraHop appliance can increase your device count as virtual appliances are discovered on the network. Discovery of these virtual devices can affect Advanced Analysis and Standard Analysis capacity and the additional metrics processing can cause performance to degrade in extreme cases. |
MPLS, TRILL, and Cisco FabricPath protocols are automatically decapsulated by the ExtraHop system.
Analyze a packet capture file on the Discover appliance
The offline capture mode in the Discover appliance enables an ExtraHop administrator to upload a capture file recorded by packet analyzer software, such as Wireshark or tcpdump, to the ExtraHop datastore for analysis.
Here are some important considerations before enabling offline capture mode:
- When the capture is set to offline mode, the ExtraHop datastore is reset. All previously recorded metrics are deleted from the datastore. When the system is set to online mode, the datastore is reset again.
- In offline mode, no metrics are collected from the capture interface until the system is set to online mode again.
Set the offline capture mode
Return the appliance to live capture mode
- In the System Configuration section, click Capture (offline).
- Click Restart Capture.
- Select Live, and then click Save.
Datastore
The Discover appliance includes a self-contained, streaming datastore for storing and retrieving performance and health metrics in real time. This local datastore bypasses the operating system and accesses the underlying block devices directly, rather than going through a conventional relational database.
Local and extended datastores
The Discover appliance includes a self-contained, streaming datastore for storing and retrieving performance and health metrics in real time. This local datastore bypasses the operating system and accesses the underlying block devices directly, rather than going through a conventional relational database.
The local datastore maintains entries for all devices discovered by the Discover appliance as well as metrics for those devices. By storing this information on the Discover appliance, the ExtraHop system provides both quick access to the latest network capture and historic and trend-based information about selected devices.
Extended datastore
The Discover appliance can connect to an external storage device to expand your metric storage. By default, the Discover appliance stores fast (30-second), medium (5-minute), and slow (1-hour) metrics locally. However, you can store 5-minute, 1-hour, and 24-hour metrics on an extended datastore.
To store metrics externally, you must first mount an external datastore, and then configure the Discover appliance to store data in the mounted directory. You can mount an external datastore through NFS v4 (with optional Kerberos authentication) or CIFS (with optional authentication).
Note that you can configure only one active extended datastore at a time to collect all configured metric cycles. For example, if you configure your extended datastore to collect 5-minute, 1-hour, and 24-hour metrics, all three metric cycles are stored in the same extended datastore. In addition, you can archive an extended datastore and those metrics are available for read-only requests from multiple Discover appliances.
Here are some important things to know about configuring an external datastore:
- If an extended datastore contains multiple files with overlapping timestamps, the metrics will be incorrect.
- If an extended datastore has metrics committed by a later ExtraHop appliance firmware version, the appliance with the older firmware cannot read those metrics.
- If an extended datastore becomes unreachable, the Discover appliance buffers metrics until the allocated memory is full. After the memory is full, the system overwrites older blocks until the connection is restored. When the mount reconnects, all of the metrics stored in memory are written to the mount.
- If an extended datastore file is lost or corrupted, metrics contained in that file are lost. Other files in the extended datastore remain intact.
- As a security measure, the system does not allow access to the stored plaintext password for the datastore.
Calculate the size needed for your extended datastore
The extended datastore must have enough space to contain the amount of data generated by the Discover appliance. The following procedure explains how you can calculate approximately how much free space you need for your extended datastore.
Before you begin
Familiarize yourself with ExtraHop datastore concepts.
Next steps
Configure an extended CIFS or NFS datastore.
Configure an extended CIFS or NFS datastore
The following procedures show you how to configure an external datastore for the Discover appliance.
Before you begin
Calculate the size needed for your extended datastore.
- First, you mount the NFS or CIFS share where you want to store data.
- For NFS, optionally configure Kerberos authentication before you add the NFS mount.
- Finally, specify the newly added mount as the active datastore.
(Optional) Configure Kerberos for NFS
- In the System Configuration section, click Datastore and Customizations.
- In the Extended Datastore Settings section, click Configure Extended Datastore.
- Click Add Kerberos Config, then complete the following information.
- In the Admin Server field, type the IP address or hostname of the master Kerberos server that issues tickets.
- In the Key Distribution Center (KDC) field, type the IP address or hostname of the server that holds the keys.
- In the Realm field, type the name of the Kerberos realm for your configuration.
- In the Domain field, type the name of the Kerberos domain for your configuration.
- In the Keytab File section, click Choose File, select a saved keytab file, and then click Open.
- Click Upload.
Add an NFS mount
Before you begin
- Configure any applicable Kerberos authentication before you add an NFS mount.
- Either allow read/write access for all users on the share or assign the 'extrahop' user as the owner of the share and allow read/write access.
- You must have NFS version 4.
- In the System Configuration section, click Datastore and Customizations.
- In the Extended Datastore Settings section, click Configure Extended Datastore.
- Click Add NFSv4 Mount.
- On the Configure NFSv4 Mount page, complete the following information:
- In the Mount Name field, type a name for the mount, such as EXDS.
- In the Remote Share Point field, type the path for the mount in the following format: host:/mountpoint, such as herring:/mnt/extended-datastore.
- From the Authentication drop-down, select from the following options:
- None, for no authentication.
- Kerberos, for krb5 security.
- Kerberos (Secure Auth and Data Integrity), for krb5i security.
- Kerberos (Secure Auth, Data Integrity, Privacy), for krb5p security.
- Click Save.
Specify a mount as an active extended datastore
Note: | If you decide to store 5-minute and 1-hour metrics on the extended datastore, this option causes the appliance to migrate any 5-minute and 1-hour metrics that the appliance collected from the local Discover appliance datastore to the extended datastore. Migrating 5-minute and 1-hour metrics to an extended datastore leaves more room to store 30-second metrics on the local datastore, which increases the amount of high-resolution lookback available. |
Reset the local datastore and remove all device metrics from the Discover appliance
In certain circumstances, such as moving a Discover appliance from one network to another, you might need to clear the metrics in the local and extended datastores. Resetting the local datastore removes all metrics, baselines, trend analyses, and discovered devices—and affects any customizations on your appliance.
Before you begin
Familiarize yourself with ExtraHop database concepts.
If your device IDs are stored on the extended datastore, and that datastore is disconnected when the local datastore is reset and then later reconnected, those device IDs are restored to the local datastore and you do not need to reassign your restored customizations.
Configured alerts are retained on the system, but they are disabled and must be enabled and reapplied to the correct network, device, or device group. System settings and user accounts are unaffected.
Warning: | This procedure deletes device IDs and device metrics from the Discover appliance. |
Import metrics from an extended datastore
If you stored metric data on an extended datastore that is connected to your Discover appliance, you can move that data to a new ExtraHop appliance as part of a system upgrade or if you plan to reset the datastore on an existing ExtraHop appliance.
Archive an extended datastore for read-only access
By disconnecting an active datastore from a Discover appliance, you can create a read-only archive of the stored metrics data. Any number of Discover appliances can read from an archived datastore.
- Log into the Admin UI on your Discover appliance.
- In the System Configuration section, click Datastore and Customizations.
- In the Extended Datastore Settings section, click Configure Extended Datastore.
- Click the name of the mount that contains the datastore you want to archive.
- In the row of that datastore, click Disconnect Extended Datastore.
- Type YES to confirm and then click OK.
Connect your Discover appliances to the archived datastore
Warning: | To connect to an archived datastore, a Discover appliance must scan through the data contained in the datastore. Depending on the amount of data stored in the archived datastore, connecting to the archived datastore might take a long time. While the appliance is connecting to the archived datastore, the appliance does not collect data and system performance is degraded. The connection process takes more time under the following circumstances: |
- In the System Configuration, click Datastore and Customizations.
- In the Extended Datastore Settings section, click Configure Extended Datastore.
- Click the name of the mount that contains the archived datastore.
- In the Datastore Directory field, type the path of the archived datastore directory.
- Click Archive (Read Only).
- Click Configure.
Troubleshoot issues with the extended datastore
To view the status for your mounts and datastores, and identify applicable troubleshooting steps, complete the following steps.
- Log into the Admin UI on your Discover appliance.
- In the System Configuration section, click Datastore and Customizations.
- In the Extended Datastore Settings section, click Configure Extended Datastore.
- In the Extended Datastores table, view the entry in the Status column for each mount or datastore. The following table provides guidance on each entry and identifies any applicable action.
Status | Description | User Action |
---|---|---|
Mounted | The mount configuration was successful. | None required |
NOT MOUNTED | The mount configuration was unsuccessful. | |
NOT READABLE | The mount has permissions or network-related issues that prevent reading. | |
NO SPACE AVAILABLE | The mount has no space remaining. | Detach the mount and create a new one. |
INSUFFICIENT SPACE | | Detach the mount and create a new one. |
AVAILABLE SPACE WARNING | Less than 1GB of space is available. | Detach the mount and create a new one. |
NOT WRITEABLE | The mount has permissions or network-related issues that prevent writing. | |
Status | Description | User Action |
---|---|---|
Nominal | The datastore is in a normal state. | None required |
INSUFFICIENT SPACE on: <MOUNT NAME> | The datastore has insufficient space on the named mount and it cannot be written to. | Create a new datastore. For the new datastore, consider selecting the Overwrite option, if appropriate. |
NOT READABLE | The datastore has permissions or network-related issues that prevent reading. | |
NOT WRITEABLE | The datastore has permissions or network-related issues that prevent writing. | |
Geomap data source
This section enables you to download specific settings related to geomaps.
- GeoIP Database
- Upload a user-specified database.
- IP Location Override
- Override missing or incorrect IPs in the database.
GeoIP database
The GeoIP Database specifies the current database being used by the ExtraHop appliance and enables you to choose between a default or user-uploaded database.
Change the GeoIP database
You can upload your own GeoIP database to the ExtraHop system when you want to ensure that you have the latest version of the database or if your database contains internal IP addresses that only you or your company know the location of.
- Log into the Admin UI on the Command or Discover appliance.
- In the System Configuration section, click Geomap Data Source.
- Click GeoIP Database.
- In the City-level Database section, select Upload New Database.
- Click Choose File and navigate to the new city-level database file on your computer.
- (Optional): In the Country-level Database section, select Upload New Database. The country-level database is a subset of the city-level database.
- (Optional): Click Choose File and navigate to the new country-level database file on your computer.
- Click Save.
Next steps
For more information about geomaps, see the following resources:
IP location override
The IP Location Override page enables you to override missing or incorrect IPs that are in the GeoIP database. You can type a comma-delimited list or copy and paste a tab- or comma-delimited list of overrides into the text box. Each override must include an entry in the following seven columns:
- IP address (a single IP address or CIDR notation)
- Latitude
- Longitude
- City
- State or region
- Country name
- ISO alpha-2 country code
You can edit and delete items as necessary, but you must ensure there is data present for each of the seven columns. For more information about ISO country codes, refer to https://www.iso.org/obp/ui/#search and click Country Codes.
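An added example, not part of the ExtraHop guide: a Python validator for an override list that checks all seven columns (address or CIDR, latitude and longitude ranges, non-empty text, ISO alpha-2 code), accepts either a tab- or a comma-delimited line, and flags rows whose IP ranges overlap before the list is pasted into the page. The sample rows and the overlap check are constructed for this illustration; the column rules are the ones listed above.

```python
"""Validate an IP Location Override list before it is pasted into the Admin UI.
Added example, not ExtraHop code. The column rules follow the seven columns
the guide lists; the sample rows at the bottom are constructed."""
import csv
import ipaddress
import re

ISO_ALPHA2 = re.compile(r"^[A-Z]{2}$")   # ISO 3166-1 alpha-2 form, e.g. US, GB


def parse_override_row(fields, line=0):
    """Check one override row against the seven-column rule.

    Returns a dict for a valid row and raises ValueError with a reason
    otherwise. The IP column accepts a single address or CIDR notation."""
    if len(fields) != 7:
        raise ValueError("expected 7 columns, got %d" % len(fields))
    fields = [f.strip() for f in fields]
    if "" in fields:
        raise ValueError("every one of the 7 columns must contain data")
    ip_text, lat_text, lon_text, city, region, country, iso = fields
    try:
        network = ipaddress.ip_network(ip_text, strict=False)
    except ValueError:
        raise ValueError("IP column must be an address or CIDR block, got %r" % ip_text)
    try:
        lat, lon = float(lat_text), float(lon_text)
    except ValueError:
        raise ValueError("latitude and longitude must be decimal numbers")
    if not -90.0 <= lat <= 90.0:
        raise ValueError("latitude %s is outside -90..90" % lat_text)
    if not -180.0 <= lon <= 180.0:
        raise ValueError("longitude %s is outside -180..180" % lon_text)
    if not ISO_ALPHA2.match(iso):
        raise ValueError("ISO alpha-2 code must be two capital letters, got %r" % iso)
    return {"line": line, "network": network, "lat": lat, "lon": lon,
            "city": city, "region": region, "country": country, "iso": iso}


def parse_override_list(text):
    """Parse a pasted list; each line may be tab- or comma-delimited.

    Returns (rows, errors): rows are the valid entries, errors are
    (line_number, reason) tuples so the offending lines can be fixed."""
    rows, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        delimiter = "\t" if "\t" in line else ","
        fields = next(csv.reader([line], delimiter=delimiter))
        try:
            rows.append(parse_override_row(fields, lineno))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return rows, errors


def find_overlaps(rows):
    """Report pairs of valid rows whose IP ranges overlap.

    Two overrides covering the same address give the appliance conflicting
    locations, so flag them before upload. Returns (line_a, line_b) pairs."""
    overlaps = []
    for i, a in enumerate(rows):
        for b in rows[i + 1:]:
            if a["network"].overlaps(b["network"]):
                overlaps.append((a["line"], b["line"]))
    return overlaps


# Constructed sample: a comma-delimited CIDR row, a tab-delimited single
# address, a row overlapping the CIDR block, and a row with a bad ISO code.
SAMPLE = (
    "10.1.2.0/24,47.6062,-122.3321,Seattle,Washington,United States,US\n"
    "192.0.2.7\t51.5074\t-0.1278\tLondon\tEngland\tUnited Kingdom\tGB\n"
    "10.1.2.99,47.6,-122.3,Seattle,Washington,United States,US\n"
    "198.51.100.4,0,0,Nowhere,Nowhere,Nowhere,XXX\n"
)

if __name__ == "__main__":
    rows, errors = parse_override_list(SAMPLE)
    print("valid rows:", len(rows))
    for lineno, reason in errors:
        print("line %d: %s" % (lineno, reason))
    for a, b in find_overlaps(rows):
        print("lines %d and %d overlap" % (a, b))
```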
Open Data Streams
The Open Data Streams page enables you to configure an interface through which you can send data to an external third-party system.
The following external systems are supported:
- Syslog Systems
- Send data to a specified syslog.
- MongoDB
- Send data to a MongoDB database.
- HTTP
- Send data to a remote HTTP server.
- Kafka
- Send data to a Kafka server.
- Raw
- Send raw data to an external server.
Note: | You can configure up to 16 open data stream targets of each external system type. |
After you configure an open data stream (ODS) for an external system, you must create a trigger that specifies what data to manage through the stream. For more information, see Open data stream classes in the ExtraHop Trigger API Reference.
Configure an open data stream for syslog
You can export data on ExtraHop Discover appliances to any system that receives syslog input (such as Splunk, ArcSight, or Q1 Labs) for long-term archiving and comparison with other sources.
Next steps
After you configure a syslog target for an open data stream, you must create a trigger that initiates a Remote.Syslog class object that specifies what syslog message data to send through the stream. For more information, see the Remote.Syslog class in the ExtraHop Trigger API Reference.
Configure an open data stream for MongoDB
You can export data on ExtraHop Discover appliances to any system that receives MongoDB input for long-term archiving and comparison with other sources.
Next steps
After you configure a MongoDB target for an open data stream, you must create a trigger that initiates a Remote.MongoDB class object that specifies what MongoDB message data to send through the stream. For more information, see the Remote.MongoDB class in the ExtraHop Trigger API Reference.
Configure an open data stream for HTTP
You can export data on ExtraHop Discover appliances to a remote HTTP server for long-term archiving and comparison with other sources.
HTTP requests from triggers are queued for processing by an open data stream HTTP client. Note that triggers do not receive results from requests sent to clients because the architecture of the trigger subsystem prevents clients from receiving the results of the requests from servers.
Next steps
After you configure an HTTP target for an open data stream, you must create a trigger that initiates a Remote.HTTP class object that specifies what HTTP message data to send through the stream. For more information, see the Remote.HTTP class in the ExtraHop Trigger API Reference.
Configure an open data stream for Kafka
You can export data on ExtraHop Discover appliances to any Kafka server for long-term archiving and comparison with other sources.
Next steps
After you configure a Kafka target for an open data stream, you must create a trigger that initiates a Remote.Kafka class object that specifies what Kafka message data to send through the stream. For more information, see the Remote.Kafka class in the ExtraHop Trigger API Reference.
Configure an open data stream for raw data
You can export raw data on ExtraHop Discover appliances to any server for long-term archiving and comparison with other sources. In addition, you can select an option to compress the data through GZIP.
Next steps
After you configure a raw data target for an open data stream, you must create a trigger that initiates a Remote.Raw class object that specifies what raw message data to send through the stream. For more information, see the Remote.Raw class in the ExtraHop Trigger API Reference.
Delete a data stream configuration
- In the System Configuration section, click Open Data Streams.
- In the row for the data stream configuration that you want to delete, click the delete (X) icon.
Next steps
After you delete an open data stream configuration, you should disable the trigger associated with the data stream to prevent unnecessary consumption of system resources. See Delete a trigger in the ExtraHop Web UI Guide.
View diagnostic information about open data streams
You can view diagnostic information about open data stream configurations.
- In the System Configuration section, click Open Data Streams.
- In the row for the data stream configuration, hover over the dot in the Status column to view diagnostic information.
Trends
This section enables you to reset all trends and trend-based alerts.
To reset trends:
- Click .
- Click Reset Trends to erase all trend data from the ExtraHop appliance.
Backup and Restore
The ExtraHop Discover and Command appliances have the ability to save user customizations and system resources. This feature gives you the ability to restore an existing appliance in case of a failure (a total appliance loss or any failure of the Discover or Command appliance firmware disk), or migrate the saved settings to a new appliance.
Back up a Discover or Command appliance
While daily backups are automatically saved on the local datastore, we recommend that you manually create a system backup prior to upgrading firmware, or before making a major change in your environment (changing the data feed to the appliance, for example). Then, download the backup file and save it to a secure location.
Restore a Discover or Command appliance from a system backup
You can restore the ExtraHop system from the user-saved or automatic backups stored on the system. You can perform two types of restore operations; you can restore only customizations (changes to alerts, dashboards, triggers, custom metrics, for example), or you can restore both customizations and system resources.
- Log into the Admin UI on the Discover or Command appliance.
- In the System Configuration section, click Backup and Restore.
- Click View or Restore System Backups.
- Click Restore next to the user backup or automatic backup that you want to restore.
- Select one of the following restore options:
Option | Description |
---|---|
Restore system customizations | Select this option if, for example, a dashboard was accidentally deleted or any other user setting needs to be restored. Any customizations that were made after the backup file was created are not overwritten when the customizations are restored. |
Restore system customizations and resources | Select this option if you want to restore the system to the state it was in when the backup was created. Warning: Any customizations that were made after the backup file was created are overwritten when the customizations and resources are restored. |
- Click OK.
- (Optional): If you selected Restore system customizations, click View import log to see which customizations were restored.
- Restart the system.
- Return to the main Admin UI page.
- In the Appliance Settings section, click Shutdown or Restart.
- In the Actions column for the System entry, click Restart.
- Click Restart to confirm.
Restore a Discover or Command appliance from a backup file
You can restore the ExtraHop system from the user-saved or automatic backups stored on the system. You are able to perform two types of restore operations; you can choose to restore customizations (changes to alerts, dashboards, triggers, custom metrics, for example), or you can choose to restore customizations and system resources.
Before you begin
The target appliance must be running a firmware version that is the same major version as the firmware version that generated the backup file. For example, a backup created from an appliance running firmware 7.1.0 can be restored to an appliance running firmware 7.1.1, but the reverse is not allowed.
- Log into the Admin UI on the Discover or Command appliance.
- In the System Configuration section, click Backup and Restore.
- Click View or Restore System Backups.
- Click Restore next to the user backup or automatic backup that you want to restore.
- Select one of the following restore options:
  - Restore system customizations: Select this option if, for example, a dashboard was accidentally deleted or any other user setting needs to be restored. Any customizations that were made after the backup file was created are not overwritten when the customizations are restored.
  - Restore system customizations and resources: Select this option if you want to restore the system to the state it was in when the backup was created. Warning: Any customizations that were made after the backup file was created are overwritten when the customizations and resources are restored.
- Click Restore.
- (Optional): If you selected Restore system customizations, click View import log to see which customizations were restored.
- Restart the system.
- Return to the main Admin UI page.
- In the Appliance Settings section, click Shutdown or Restart.
- In the Actions column for the System entry, click Restart.
- Click Restart to confirm.
Migrate settings to a new Command or Discover appliance
If you are planning to replace your ExtraHop Command or Discover appliance, you can migrate the settings from the source appliance to the target appliance.
Before you begin
- The target and source appliance cannot be active on the network at the same time.
- The target appliance must be the same size or larger (maximum throughput on the Discover appliance; CPU, RAM, and disk capacity on the Command appliance) as the source appliance.
- The target appliance must be running a firmware version that is the same major version as the firmware version that generated the backup file. For example, a backup created from an appliance running firmware 7.1.0 can be restored to an appliance running firmware 7.1.1, but the reverse is not allowed.
- The target appliance must be the same type of appliance, physical or virtual, as the source appliance.
- The target appliance requires an ExtraHop license.
In this procedure, you will back up your source appliance, disconnect the source appliance from the network, deploy the new appliance, and then restore the backup to the new appliance.
Note: | When you restore from a backup that was created on a different appliance, the target appliance is disconnected from Atlas before restoring. You must manually reconnect to Atlas after the restore is complete. |
Appliance Settings
You can configure the following components of the ExtraHop Discover and Command appliance in the Appliance Settings section:
- Running Config
- View and modify the code that specifies the default system configuration.
- Services
- Enable management, SNMP, and SSH services.
- Firmware
- Update the ExtraHop appliance firmware.
- System Time
- Configure the system time.
- Shutdown or Restart
- Halt and restart system services.
- License
- Update the license to enable add-on modules.
- Disks
- View information about the disks in the ExtraHop appliance.
- Command Nickname
- Assign a nickname to the Command appliance. This setting is available only on the Command appliance.
Running config
The Running Config page provides an interface to view and modify the code that specifies the default system configuration and save changes to the current running configuration so the modified settings are preserved after a system restart.
The following controls are available to manage the default running system configuration settings:
- Save config or Revert config
- Save changes to the current default system configuration. The Revert config option appears when there are unsaved changes.
- Edit config
- View and edit the underlying code that specifies the default ExtraHop appliance configuration.
- Download config as a file
- Download the system configuration to your workstation.
Note: | Making configuration changes to the code on the Edit page is not recommended. You can make most system modifications through other pages in the Admin UI. |
Saving running config changes
When you modify any of the ExtraHop appliance default system configuration settings, you need to confirm the updates by saving the new settings. If you do not save the new settings, they will be lost when your ExtraHop appliance is rebooted.
The Save page includes a diff feature that displays the changes. This feature provides a final review step before you write the new configuration changes to the default system configuration settings.
When you make a change to the running configuration, either from the Edit Running Config page, or from another system settings page in the Admin UI, changes are saved in memory and take effect immediately, but they are not usually saved to disk. If the system is restarted before the running configuration changes are saved to disk, those changes will be lost.
As a reminder that the running configuration has changed, the Admin UI provides the following three notifications:
- Save Configuration
- The Admin UI displays a button on the specific page that you modified to remind you to save the change to disk. When you click View and Save Changes, the UI redirects to the Save page described above.
- Running Config*
- The Admin UI adds a red asterisk (*) next to the Running Config entry on the Admin UI main page. This asterisk indicates that the running configuration has been changed, but it has not been saved to disk.
- Save*
- The Admin UI adds a red asterisk (*) next to the Save entry on the Running Config page. This asterisk indicates that the running configuration has been changed, but it has not been saved to disk.
After you make changes to the running configuration, the Running Config page displays another entry through which you can revert the changes.
Edit running config
The ExtraHop Admin UI provides an interface to view and modify the code that specifies the default system configuration. In addition to making changes to the running configuration through the settings pages in the Admin UI, changes can also be made on the Running Config page.
Note: | Do not modify the code on the Running Config page unless instructed by ExtraHop Support. |
Download the running config as a text file
You can download the running config file as a text file to your workstation. We recommend that you save a copy of this file in case of an unexpected system failure. The saved running config file can be uploaded to an ExtraHop appliance to restore system customizations and settings.
- Log into the Admin UI on the ExtraHop appliance.
- In the Appliance Settings section, click Running Config.
- Click Download config as a file.
Disable ICMPv6 Destination Unreachable messages
You can prevent ExtraHop appliances from generating ICMPv6 Destination Unreachable messages. You might want to disable ICMPv6 Destination Unreachable messages for security reasons per RFC 4443.
To disable ICMPv6 Destination Unreachable messages, you must edit the Running Configuration. However, we recommend that you do not manually edit the Running Configuration file without direction from ExtraHop Support. Manually editing the running config file incorrectly might cause the appliance to become unavailable or stop collecting data. You can contact ExtraHop Support at support@extrahop.com.
Disable specific ICMPv6 Echo Reply messages
You can prevent ExtraHop appliances from generating Echo Reply messages in response to ICMPv6 Echo Request messages that are sent to an IPv6 multicast or anycast address. You might want to disable these messages to reduce unnecessary network traffic.
To disable specific ICMPv6 Echo Reply messages, you must edit the Running Configuration. However, we recommend that you do not manually edit the Running Configuration file without direction from ExtraHop Support. Manually editing the running config file incorrectly might cause the appliance to become unavailable or stop collecting data. You can contact ExtraHop Support at support@extrahop.com.
Services
Services run in the background and perform functions that do not require user input. The Admin UI provides the following settings to manage the services used by the ExtraHop appliance. These services can be started and stopped through the Admin UI:
- Web Shell
- Enable or disable the Launch Shell button in the upper right corner of the Admin UI screen.
- Management GUI
- Enable or disable the ExtraHop GUI service. This service enables support for the browser-based ExtraHop Web UI and Admin UI interfaces.
- SNMP Service
- Enable or disable the ExtraHop system SNMP service.
- SSH Access
- Enable or disable SSH access. This service enables support for the ExtraHop command-line interface (CLI).
- SSL Session Key Receiver
- Enable or disable the SSL session key receiver service. You must enable the session key receiver service on the Discover appliance before the appliance can receive and decrypt session keys from the session key forwarder.
Management GUI
The Management GUI setting controls the status of the Apache Web Server that runs the ExtraHop web interface application. By default, this service is enabled so that ExtraHop users have access to the ExtraHop Web UI and Admin UI. If this service is disabled, it terminates the Apache Web Server session, turning off web browser access to the ExtraHop UIs.
Warning: | Do not disable this service unless you are an experienced ExtraHop administrator and you are familiar with the ExtraHop Command-Line Interface (CLI) commands to restart the Management GUI service. |
To enable or disable the Management GUI service:
- Click .
- Select or clear the Management GUI checkbox.
- Click Save.
SNMP service
The state of the network is monitored through the Simple Network Management Protocol (SNMP). SNMP collects information by polling devices on the network. SNMP agents can send alerts to SNMP managers. For example, you could configure an agent to determine how much free space is available on an ExtraHop appliance and send an alert if the appliance is over 95% full.
The SNMP service must be enabled for SNMP notification in the ExtraHop appliance. For more information about configuring SNMP notifications, see the Notifications section.
Download the ExtraHop SNMP MIB
SNMP itself does not define the database of information that a monitored network reports. SNMP uses information defined by third-party management information bases (MIBs) that describe the structure of the collected data.
To download the ExtraHop SNMP MIB:
SSH access
The SSH Service setting controls the status of the Secure Shell protocol that manages the ExtraHop command-line interface (CLI). By default, this service is enabled so that ExtraHop users have access to the ExtraHop appliance functionality through the CLI. If this service is disabled, it terminates SSH, turning off CLI access to the ExtraHop appliance.
Note: | The SSH Service and the Management GUI Service cannot be disabled at the same time. At least one of these services must be enabled on the ExtraHop appliance at all times to provide interface functionality to the system. |
To enable or disable SSH access:
- Click .
- Select or clear the SSH Service checkbox.
- Click Save.
Firmware
The Admin UI provides an interface to upload and delete the firmware on ExtraHop appliances.
The Admin UI includes the following firmware configuration settings:
- Upgrade
- Upload and install new ExtraHop appliance firmware versions.
- Delete
- Select and delete installed firmware versions from the ExtraHop appliance.
You can download the latest firmware at the ExtraHop Customer Portal. A checksum of the uploaded firmware is usually available in the same download location as the .tar firmware file. If there is an error during firmware installation, ExtraHop Support might ask you to verify the checksum of the firmware file.
Firmware images that you want to upload must be accessible from the computer on which you are running the web browser.
Note: | If you are upgrading the firmware on a Command appliance, first upgrade the Command appliance, next update all Discover appliances, and finally upgrade each Explore and Trace appliance individually. To function correctly, the Command appliance and Discover appliances must have the same minor version of ExtraHop firmware. |
Upgrade to a new firmware version
Firmware images that you want to upload must be accessible from the computer on which you are running the web browser.
Upload new firmware versions (Command appliance)
Firmware images that you want to upload must be accessible from the computer on which you are running the web browser.
Note: | Make sure to upgrade the Command appliance first and then upgrade the connected appliances. |
Delete firmware versions
The ExtraHop appliance stores every firmware image that has been uploaded to the system. For maintenance purposes, these firmware images can be deleted from the system.
System time
When capturing data, it is helpful to have the time on the ExtraHop appliance match the local time of the router. The ExtraHop appliance can set time locally or synchronize time with a time server. By default, system time is set locally, but we recommend that you change this setting and set time through a time server.
The System Time page displays the current configuration and the status of all configured NTP servers.
- Time Zone. Displays the currently selected time zone.
- System Time. Displays the current system time.
- Time Servers. Displays a comma-separated list of configured time servers.
- remote
- The host name or IP address of the remote NTP server you have configured to synchronize with.
- st
- The stratum level, 0 through 16.
- t
- The type of connection. This value can be u for unicast or manycast, b for broadcast or multicast, l for local reference clock, s for symmetric peer, A for a manycast server, B for a broadcast server, or M for a multicast server.
- when
- The time since the server was last queried for the time. The value is displayed in seconds by default; otherwise m is displayed for minutes, h for hours, and d for days.
- poll
- How often the server is queried for the time, with a minimum of 16 seconds to a maximum of 36 hours.
- reach
- Value that shows the success and failure rate of communicating with the remote server. Success means the bit is set, failure means the bit is not set. 377 is the highest value.
- delay
- The round trip time (RTT) of the ExtraHop appliance communicating with the remote server, in milliseconds.
- offset
- Indicates how far off the ExtraHop appliance clock is from the reported time the server gave you. The value can be positive or negative, displayed in milliseconds.
- jitter
- Indicates the difference, in milliseconds, between two samples.
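The following Python is an added example (not ExtraHop code) that parses status rows laid out in the column order described above and applies the checks an administrator would want: decoding the octal reach value into a count of successful polls, converting the when column to seconds, and flagging peers that are unsynchronized (stratum 16), poorly reachable, or far off from the server. The sample rows and the thresholds in check_peer are constructed assumptions for illustration.

```python
"""Interpret NTP Status rows in the column layout described above.

Added example, not ExtraHop code. SAMPLE_NTP_STATUS is constructed to mirror
the column order of the NTP Status table (remote, st, t, when, poll, reach,
delay, offset, jitter); the thresholds are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample rows (not captured from a real appliance).
SAMPLE_NTP_STATUS = """\
time1.example.net    2 u   23   64  377   12.345   -0.812   0.215
time2.example.net    3 u  41m   64  177   20.100   65.400   3.100
10.0.0.5            16 u    -   64    0    0.000    0.000   0.000
"""

# "when" is shown in seconds by default, with m/h/d suffixes for larger values.
_WHEN_UNITS = {"m": 60, "h": 3600, "d": 86400}


@dataclass
class NtpPeer:
    remote: str
    stratum: int          # 0 through 16; 16 means the peer is unsynchronized
    conn_type: str        # u, b, l, s, A, B or M as listed above
    when_seconds: Optional[int]
    poll_seconds: int
    reach_bits: int       # the octal reach value decoded to an 8-bit mask
    delay_ms: float
    offset_ms: float
    jitter_ms: float

    def reach_successes(self) -> int:
        """Number of the last eight polls that succeeded (set bits in reach)."""
        return bin(self.reach_bits).count("1")


def parse_when(token: str) -> Optional[int]:
    """Convert the 'when' column to seconds; '-' means the server was never queried."""
    if token == "-":
        return None
    if token[-1] in _WHEN_UNITS:
        return int(token[:-1]) * _WHEN_UNITS[token[-1]]
    return int(token)


def parse_ntp_status(text: str) -> List[NtpPeer]:
    """Parse one peer per line; lines that do not have nine columns are skipped."""
    peers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 9:
            continue
        remote, st, t, when, poll, reach, delay, offset, jitter = fields
        peers.append(NtpPeer(
            remote=remote,
            stratum=int(st),
            conn_type=t,
            when_seconds=parse_when(when),
            poll_seconds=int(poll),
            reach_bits=int(reach, 8),   # displayed in octal: 377 = all 8 bits set
            delay_ms=float(delay),
            offset_ms=float(offset),
            jitter_ms=float(jitter),
        ))
    return peers


def check_peer(peer: NtpPeer, max_offset_ms: float = 50.0,
               min_successes: int = 6) -> List[str]:
    """Return the reasons a peer should be investigated (empty list if healthy).

    The thresholds are assumptions for illustration; tune them to your
    environment. A large offset is worth catching early because timestamps
    from a badly synced appliance will not line up with other logs.
    """
    problems = []
    if peer.stratum >= 16:
        problems.append(f"{peer.remote}: unsynchronized (stratum {peer.stratum})")
    if peer.reach_successes() < min_successes:
        problems.append(f"{peer.remote}: only {peer.reach_successes()}/8 "
                        "recent polls succeeded")
    if abs(peer.offset_ms) > max_offset_ms:
        problems.append(f"{peer.remote}: offset {peer.offset_ms:+.3f} ms "
                        f"exceeds {max_offset_ms} ms")
    return problems


if __name__ == "__main__":
    for p in parse_ntp_status(SAMPLE_NTP_STATUS):
        print(p.remote, check_peer(p) or "ok")
```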
Configure the system time
The default time server setting is pool.ntp.org. If you want to maintain the default setting, skip this procedure and go to the next section.
The NTP Status table displays a list of NTP servers that keep the system clock in sync. To sync the current system time with a remote server, click the Sync Now button.
Shutdown or restart
The Admin UI provides an interface to halt, shutdown, and restart the ExtraHop appliance. The ExtraHop Admin UI includes restart controls for the following system components:
- System
- Pause the operation of the ExtraHop appliance or shut down and restart the ExtraHop appliance.
- Bridge Status
- Shut down and restart the ExtraHop bridge component.
- Capture
- Shut down and restart the ExtraHop capture component.
- Portal Status
- Shut down and restart the ExtraHop web portal.
For each ExtraHop appliance component, the table includes a time stamp to show the start time.
Shutdown or restart the ExtraHop appliance
- Click .
-
Select whether to restart or shut down the system.
- Click Shutdown, and then at the prompt, click Shut down.
- Click Restart, and then at the prompt, click Restart.
Shut down and restart the ExtraHop bridge
- Click .
- On the Shutdown or Restart page, under Bridge Status, click Restart.
- At the prompt, click OK.
- Click Done.
License
The License Administration page enables you to view and manage licenses for your ExtraHop appliance. You must have an active license to access the ExtraHop Web UI, and your appliance must be able to connect to the ExtraHop licensing server for periodic updates and check-ins about your license status.
To learn more about ExtraHop licenses, see the License FAQ.
View license information
The License Administration page provides information about your license, such as the list of modules included in your license and the license expiration date.
Register your ExtraHop appliance
When you purchase an appliance, you will receive an email with a new product key that must be added to your appliance from the ExtraHop Admin UI. This guide provides instructions on how to apply the new product key and activate all of your purchased modules. You must have administrator privileges on the ExtraHop appliance to access the Admin UI.
Register the appliance
Next steps
Have more questions about how ExtraHop licensing works? See the License FAQ.
Troubleshoot license server connectivity
Your ExtraHop appliance must be able to resolve the *.d.extrahop.com domain from the DNS server settings that you configured on your ExtraHop appliance. Communication with the licensing server through DNS is required for license updates and check-ins.
nslookup -type=NS d.extrahop.com
Non-authoritative answer:
d.extrahop.com nameserver = ns0.use.d.extrahop.com.
d.extrahop.com nameserver = ns0.usw.d.extrahop.com.
If the name resolution is not successful, make sure that your DNS server is properly configured to look up the extrahop.com domain.
Apply an updated license
When you purchase a new protocol module, service, or feature, your updated license is automatically available on your appliance. However, you must apply your updated license to your appliance through the Admin UI for the new changes to take effect.
Update a license
If ExtraHop Support provides you with a license file, you can install this file on your appliance to update the license.
Note: | If you want to update the product key for your appliance, you must register your ExtraHop appliance. |
Disks
The Disks page displays a map of the drives on your ExtraHop appliance and lists their statuses. This information can help you determine whether drives need to be installed or replaced. Automatic system health checks and email notifications (if enabled) can provide timely notice about a disk that is in a degraded state. System health checks display disk errors at the top of the Settings page.
For information about configuring and repairing RAID10 functionality on the EH8000 and EDA 6100 appliances, see Upgrade from RAID 0 to RAID 10.
For help replacing a RAID 0 disk or installing an SSD drive, refer to the instructions below. The RAID 0 instructions apply to the following types of disks:
- Datastore (EH2000/3000/5000/6000/8000)
- Packet Capture (EH3000/6000/8000)
- Firmware (EH3000/6000/8000)
Do not attempt to install or replace the drive in Slot 0 unless instructed by ExtraHop Support.
To ensure that system health checks and email notifications are running, mouse over the Settings button in the Web UI navigation bar.
- If the message "System Health Checks Not Running" appears, contact ExtraHop Support at support@extrahop.com for instructions. This message also appears at the top of the Settings page.
- If the message "System Health Notifications Not Configured" appears, refer to Email Notification Groups to set up email notifications for system health. Alternatively, click the Settings button, and then, at the top of the Settings page, click View Admin Notifications page for more details.
Note: | Ensure that your device has a RAID controller before attempting the following procedure. If unsure, contact ExtraHop Support at support@extrahop.com. This procedure configures the EDA 5000 appliance as an example. A persistently damaged disk might not be replaceable with this procedure. |
Packet Captures
When packet capture is enabled through the Admin UI, you can write triggers to specify and deploy targeted packet captures from the ExtraHop Discover appliance to an SSD installed on your ExtraHop appliance or, in the case of a virtual machine, to a regular disk drive. You must have access to the ExtraHop Admin UI and write privileges to the ExtraHop Web UI to complete these steps.
Enable packet capture
Before you can perform packet captures through triggers, you must first ensure you are licensed for packet capture on your ExtraHop appliance and your SSD is installed if you are not using a virtual machine.
Identify metrics for packet capture
(Skip this section if you are doing a global packet capture.) The ExtraHop appliance uses Application Inspection Triggers to gather custom metrics. These metrics are stored internally and can be used by other features, such as packet capture. Triggers are user-specified scripts that perform additional actions during well-defined events.
For information about writing triggers, refer to the ExtraHop Trigger API Reference.
Configure global packet capture
You can configure global packet capture through the Admin UI to save every packet on every flow.
Note: | Global packet capture is limited to 96 bytes per packet. |
View and download packet captures
After you have written a trigger to specify the targeted packet capture and the trigger has collected data, you can view and download packet captures in the Admin UI.
Configure automatic deletion of packet capture files
You can configure the Discover appliance to automatically delete packet capture (PCAP) files after a specified number of minutes to prevent the precision PCAP drive from filling to capacity and causing errors.
- In the Packet Captures section, click View and Download Packet Captures.
- Click Configure packet capture settings.
- Type a value in the Automatically delete PCAP files (in minutes) field.
- Click Save.
Encrypt the packet capture disk
You can encrypt the disk that packet captures are stored on for increased security. The disk is secured with 128-bit AES keys.
Warning: | You cannot decrypt a packet capture disk after it is encrypted. You can reformat an encrypted disk; however, all data stored on the disk will be lost. |
- In the Appliance Settings section, click Disks.
- Navigate to the Packet Capture Disk Configuration page.
  - For virtual appliances: In the Direct Connected Disks table, in the row of a Packet Capture disk, click Configure.
  - For physical appliances: Under Packet Capture, next to SSD Assisted Packet Capture, click Configure.
- Click Encrypt Disk.
- Specify a disk encryption key.
  - To enter an encryption passphrase: Type a passphrase into the Passphrase and Confirm fields.
  - To select an encryption key file: Click Choose File, and then browse to an encryption key file.
- Click Encrypt.
Remove the packet capture disk
You can remove the disk that packet captures are stored on if you no longer wish to store packet capture data.
Warning: | Removing the packet capture disk causes all data on the disk to be deleted. |
- In the Appliance Settings section, click Disks.
- On the Disks page, choose one of the following options based on your appliance platform.
  - For virtual appliances: In the Direct Connected Disks table, in the row of a Packet Capture disk, click Configure.
  - For physical appliances: In the Packet Capture section, next to SSD Assisted Packet Capture, click Configure.
- Select one of the following format options:
  - Quick Format.
  - Secure Erase.
- Click Remove.
Next steps
After this procedure is complete, it is safe for you to remove the disk from the physical appliance.
Lock a packet capture disk
You can lock a packet capture disk to prevent read access to captured packets. Locking a packet capture disk will disable packet capture until the disk is unlocked.
Warning: | If you lock a packet capture disk, you will not be able to unlock the disk without the disk encryption key. |
- Under Appliance Settings, click Disks.
- Navigate to the Packet Capture Disk Configuration page.
  - For virtual appliances: In the Direct Connected Disks table, in the row of a Packet Capture disk, click Configure.
  - For physical appliances: Under Packet Capture, next to SSD Assisted Packet Capture, click Configure.
- Click Lock Disk.
- Click OK.
Unlock a packet capture disk
- Under Appliance Settings, click Disks.
- Navigate to the Packet Capture Disk Configuration page.
  - For virtual appliances: In the Direct Connected Disks table, in the row of a Packet Capture disk, click Configure.
  - For physical appliances: Under Packet Capture, next to SSD Assisted Packet Capture, click Configure.
- Click Unlock Disk.
- Specify the disk encryption key.
  - If you entered an encryption passphrase: Type the passphrase into the Passphrase field.
  - If you entered an encryption key file: Click Choose File, and then browse to the encryption key file.
- Click Unlock.
Clear the packet capture disk encryption
You can format the packet capture disk to delete all packet captures contained on the disk and return the disk to an unencrypted state.
Warning: | This action is not reversible. |
- In the Appliance Settings section, click Disks.
- Navigate to the Packet Capture Disk Configuration page.
  - For virtual appliances: In the Direct Connected Disks table, in the row of a Packet Capture disk, click Configure.
  - For physical appliances: Under Packet Capture, next to SSD Assisted Packet Capture, click Configure.
- Click Clear Disk Encryption.
- Click Format.
Change the packet capture disk encryption key
- In the Appliance Settings section, click Disks.
- Navigate to the Packet Capture Disk Configuration page.
  - For virtual appliances: In the Direct Connected Disks table, in the row of a Packet Capture disk, click Configure.
  - For physical appliances: Under Packet Capture, next to SSD Assisted Packet Capture, click Configure.
- Click Change Disk Encryption Key.
- Specify a new disk encryption key.
  - If you entered an encryption passphrase: Type a passphrase into the Passphrase field.
  - If you selected an encryption key file: Click Choose File, and then browse to an encryption key file.
- Click Change Key.
ExtraHop Command Settings
The ExtraHop Command Settings section on the Discover appliance enables you to connect the Discover appliance to a Command appliance.
Depending on your network configuration, you can establish a connection from the Discover appliance (tunneled connection) or from the Command appliance (direct connection).
If your Discover appliance is behind a firewall, a tunneled connection can be made from the Discover appliance through an SSH tunnel. This configuration requires access privileges from your firewall.
Direct connections are made from the Command appliance over HTTPS on port 443 and do not require special access.
Connect to a Command appliance from a Discover appliance
You can connect the Discover appliance to the Command appliance through an SSH tunnel.
Before you begin
- You can connect a Discover appliance to multiple Command appliances.
- You can only establish a connection to a Command appliance that is licensed for the same system edition as the Discover appliance.
Remove a Discover appliance from a Command appliance
If you no longer want to have a Command appliance manage a Discover appliance, you can remove the Discover appliance from one or more Command appliances.
- Log into the ExtraHop Admin UI on the Discover appliance.
- Click Connect Command Appliances .
- Click Remove.
- Click Yes to confirm.
Set a nickname for a Command appliance
You can assign a custom name to the Command appliance. This custom name appears in the Web UI and Admin UI of connected appliances instead of displaying the Command appliance hostname.
- Log into the Admin UI on the Command appliance.
- In the Appliance Settings section, click Command Nickname.
- Select Display custom nickname and then type a name in the field.
- Click Save.
Manage connected appliances from a Command appliance
The Manage Connected Appliances page in the Command appliance enables you to perform administrative tasks on multiple Discover, Explore, and Trace appliances.
Connect a Command appliance to Discover appliances
You can manage multiple Discover appliances from a Command appliance. After you connect the appliances, you can view and edit the appliance properties, assign a nickname, upgrade firmware, check the license status, create a diagnostic support package, and connect to the ExtraHop Web UI, Admin UI, and Web Shell.
The Command appliance connects directly to the Discover appliance over HTTPS on port 443. If it is not possible to establish a direct connection because of firewall restrictions in your network environment, you can connect to the Command appliance through a tunneled connection from the Discover appliance.
Before you begin
- You can connect a Command appliance to multiple Discover appliances.
- You can only establish a connection to a Discover appliance that is licensed for the same system edition as the Command appliance.
- The Command appliance and Discover appliances must have the same version of ExtraHop firmware to function correctly together.
View connected Discover appliances
After you connect a Discover appliance from a Command appliance, the Discover appliance is listed in a table that displays the following information:
- Name
- The following entries appear in the Name field:
- The IP address or hostname of the Discover appliance. Click the hostname link to open the Properties window.
- The appliance nickname if the Nickname field in the node Properties window is configured. If a nickname is not configured, only the hostname appears. To assign a nickname, click the appliance hostname or IP address link, type a name in the Nickname field and then click Save.
- The connection type. Displays Direct if the connection to the managed appliance is established from the Command appliance or Tunneled if the connection to the Command appliance is established from the Discover appliance.
- The ExtraHop license key.
- ID
- Displays a numeric identifier for the Discover appliance.
- Version
- Displays the ExtraHop firmware version number.
- Date Added
- Displays the date and time the Discover appliance was added.
- Status
- Displays one of the following connection states:
- Online
- Connection to the appliance is active.
- Disabled
- Connection to the appliance is disabled.
- Offline
- Connection to the appliance has timed out.
- License
- Displays one of the following license states:
- Valid
- The license is valid.
- Expiring Soon
- The license will expire shortly. Read access to the appliance will be lost if the license is not renewed.
- License Check Pending
- The node cannot connect to the ExtraHop license server.
- Disconnected
- The node cannot connect to the ExtraHop license server, and the capture has stopped.
- Invalid
- The license is invalid or has expired.
- Reset
- All configuration, software, and data has been deleted from this appliance.
- NTP
- Displays one of the following time states:
- Time Synced
- The time on the Discover appliance is synced to the configured time server.
- Large Time Delta
- The time on the Discover appliance does not match the time of the Command appliance.
- Not Configured
- NTP is not configured on the Discover appliance.
- Actions
- Displays a drop-down menu with links to open the Web UI, Admin UI, and Web Shell of the connected Discover appliance. The drop-down menu also includes the following appliance actions: Check License, Run Support Script, Upgrade Firmware, Disable, and Remove Appliance.
Tip: | You can search for a specific Discover appliance by typing in the filter appliances field. |
Check the license status of managed Discover appliances
If your Command appliance is unable to access data from a connected Discover appliance, check the license status for the Discover appliance.
Next steps
- If the Discover license status is invalid, the license might have expired or you might have lost connectivity with the ExtraHop licensing server for over 7 days. Contact your ExtraHop representative about renewing your license. Then, apply the renewed license.
- Test license server connectivity, and then contact ExtraHop Support for assistance.
Run a default or custom support script on a managed appliance
You can run a support script on any ExtraHop appliance that is managed by a Command appliance.
Upgrade Discover appliance firmware from a Command appliance
You can upgrade the firmware on any Discover appliance that is connected to a Command appliance.
Note: | You should always update Command appliances first, and then update the Discover appliances. |
Disable a Discover appliance
You can disable the connection to a Discover appliance from the Command appliance. When you disable a Discover appliance, the Discover appliance is removed from the Command appliance and you can no longer view data from that node in the ExtraHop Web UI on the Command appliance.
- Log into the Admin UI on the Command appliance.
- In the ExtraHop Discover Settings section, click Manage Discover Appliances.
- On the Discover tab, select the checkbox next to each Discover appliance that you want to disable.
- Click Disable.
Enable a Discover appliance
You can enable the connection to a Discover appliance in the Command appliance if the Discover appliance is disabled for administrative purposes. When the status returns to Online, you can view the data from the Discover appliance in the ExtraHop Web UI on the Command appliance.
- Log into the Admin UI on the Command appliance.
- In the ExtraHop Discover Settings section, click Manage Discover Appliances.
- On the Discover tab, select the checkbox next to each Discover appliance that you want to enable.
- Click Enable.
Remove a managed Discover appliance from a Command appliance
If you no longer want to manage a Discover appliance through a Command appliance, remove the node through the Manage Connected Appliances page.
Add an Explore appliance to a Command appliance
You can manage multiple Explore appliances from a Command appliance. After you connect the Explore appliances, you can view the Explore appliance properties, assign a nickname, create a diagnostic support package, and connect to the Admin UI on the Explore appliance through the Command appliance.
Note: | A managed node only enables you to perform administrative tasks. To enable record queries from the Command appliance, see the ExtraHop Explore Settings section. |
- Log into the ExtraHop Admin UI on the Command appliance.
- In the ExtraHop Explore Settings section, click Manage Explore Appliances.
- Click Add Appliance.
- Type the hostname or IP address of the Explore appliance in the Host field.
- Click Confirm Fingerprint.
- Note the information listed for Fingerprint. Verify that the fingerprint listed on this page matches the fingerprint of the Explore appliance listed on the page in the Admin UI on the Explore appliance.
- Type the password for the Explore appliance setup user in the Setup Password field.
- Click Connect.
- Repeat steps 2 through 8 for each additional Explore appliance (including multiple appliances that are members of a single Explore cluster) that you want to manage.
View Explore node information
After you add an Explore node, the node is listed in a table that has the following information:
- Name
- The following entries appear in the Name field:
- The unique Explore cluster ID. Click the link to open the Cluster Properties window and add or modify the cluster nickname.
- The IP address or hostname of the Explore node. Click the link to open the Properties window.
- The Explore cluster nickname if the Nickname field in the Properties window is configured. If a nickname is not configured, only the hostname appears. To assign a nickname, click the cluster ID link, type a name in the Nickname field and then click Save.
- The connection type. Displays Direct when the connection to the Explore appliance is established from the Command appliance or Tunneled when the connection is established from the Explore appliance.
- Date Added
- Displays the date and time the node was added as a managed appliance.
- License
- Displays one of the following license states:
- Valid
- The license is valid.
- Expiring Soon
- The license will expire shortly. Read access to the appliance will be lost if the license is not renewed.
- License Check Pending
- The node cannot connect to the ExtraHop license server.
- Disconnected
- The node cannot connect to the ExtraHop license server, and the capture has stopped. Discover and Command appliances cannot query any stored records.
- Invalid
- The license is invalid or has expired. Discover and Command appliances cannot query any stored records.
- Reset
- All configuration, software, and data has been deleted from this appliance.
- Actions
- Displays a list of actions that you can perform on the Explore cluster.
- Job
- Displays the status of any currently running support pack job.
Remove an Explore cluster from a Command appliance
You can remove a connected Explore cluster from the list of managed Explore clusters on a Command appliance. The cluster will remain connected, collecting record data, but you will no longer be able to manage administrative functions for the Explore cluster through the Command appliance.
Add a Trace appliance to a Command appliance
You can manage multiple Trace appliances from a Command appliance. After you add the nodes, you can view the Trace appliance properties, assign a nickname, create a diagnostic support package, and connect to the Admin UI on the Trace appliance.
Note: | A managed node only enables you to perform administrative tasks. To enable packet queries from the Command appliance, see the ExtraHop Trace Settings section. |
- Log into the ExtraHop Admin UI on the Command appliance.
- In the ExtraHop Trace Settings section, click Manage Trace Appliances.
- Click Add Appliance.
- Type the hostname or IP address of the Trace appliance.
- Click Confirm Fingerprint.
- Note the information listed for Fingerprint. Verify that the fingerprint listed on this page matches the fingerprint of the Trace appliance listed on the page in the Admin UI on the Trace appliance.
- Type the password for the Trace appliance setup user in the Setup Password field.
- Click Connect.
View Trace appliance information
After you add a Trace appliance, the appliance is listed in a table that has the following information:
- Name
- The following entries appear in the Name field:
- The unique Trace cluster ID. Click the link to open the Properties window and add or modify the cluster nickname.
- The IP address or hostname of the Trace appliance. Click the link to open the Properties window.
- The Trace appliance nickname if the Nickname field in the Properties window is configured. If a nickname is not configured, only the hostname appears. To assign a nickname, click the cluster ID link, type a name in the Nickname field and then click Save.
- The connection type. Displays Direct if the connection is established from the Command appliance or Tunneled if the connection to the Command appliance is established from the Trace appliance.
- Date Added
- Displays the date and time the node was added as a managed appliance.
- License
- Displays one of the following license states:
- Valid
- The license is valid.
- Expiring Soon
- The license will expire shortly. Read access to the appliance will be lost if the license is not renewed.
- License Check Pending
- The node cannot connect to the ExtraHop license server.
- Disconnected
- The node cannot connect to the ExtraHop license server, and the capture has stopped.
- Invalid
- The license is invalid or has expired.
- Reset
- All configuration, software, and data has been deleted from this appliance.
- Remote Interfaces
- Displays a link to the Admin UI on the Trace appliance. Click the link to open the Admin UI in a new browser window.
- Job
- Displays the status of any currently running support pack job.
Upgrade Trace appliance firmware
You can upgrade the firmware on any Trace appliance that is managed by a Command appliance. You can only upgrade nodes that are connected from the Command appliance (direct connection). Firmware upgrades through tunneled connections are not supported.
Note: | You should always upgrade firmware on the Command appliance first, and then upgrade the Trace appliance. |
Remove a Trace appliance from a Command appliance
You can remove a connected Trace appliance from the list of managed Trace appliances on a Command appliance. The Trace appliance will remain connected, collecting packet capture data, but you will no longer be able to manage administrative functions for the Trace appliance through the Command appliance.
ExtraHop Explore Settings
This section contains the following configuration settings for the ExtraHop Explore appliance.
- Automatic Flow Records
- Specify the automatic flow record settings.
- Connect Explore Appliances
- Specify Explore appliances to store and retrieve records.
- Manage Explore Appliances
- View the properties of managed Explore cluster nodes.
Connect to Explore appliances
When you deploy an ExtraHop Explore appliance in your environment, you must establish a connection from an ExtraHop Discover appliance to the Explore appliance before you can query records. For the best performance, data redundancy, and stability, you must configure at least three Explore appliances in an Explore cluster.
Important: | If you have an Explore cluster, connect the Discover appliance to each Explore node in the cluster so that the Discover appliance can distribute the workload across the entire Explore cluster. |
Note: | If your Discover appliance is managed by an ExtraHop Command appliance, you must perform this procedure from the Admin UI on the Command appliance. |
Configure automatic flow record settings
Flow records show communication between two devices over an IP (Layer 3) protocol. Automatic flow records are sent when a flow terminates, or periodically for flows that remain active for an extended period of time.
Flow records are captured across all IP addresses and port ranges when Enabled is selected. You can restrict capture activity to specific devices or traffic by adding IP addresses or ports in the settings below. If you add both IP addresses and ports, capture activity is restricted to the ports for the IP addresses that you specify.
- Log into the Admin UI on the Discover appliance.
- In the ExtraHop Explore Settings section, click Automatic Flow Records.
- Select the Enabled checkbox.
- Type the number of seconds after which a flow record is sent to the Explore appliance if the flow is still active in the Publish Interval field. The minimum value is 60 and the maximum value is 21600.
- Type a single IP address or a range of IP addresses in the IP Addresses field and then click the green plus (+) icon. IP address ranges need to be separated by a hyphen (-). To remove an IP address, click the red delete (x) icon next to the IP address.
- Type a single port number or a range of port numbers in the Port Ranges field and then click the green plus (+) icon. Port ranges need to be separated by a hyphen (-). To remove port ranges, click the red delete (x) icon next to the port.
- Click Save.
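The restriction semantics described above (an empty IP or port list imposes no restriction; when both lists are populated, capture is limited to the listed ports on the listed addresses), modelled as an added Python example that is not ExtraHop's own code. It parses the hyphen-separated entries and enforces the Publish Interval bounds; the FlowRecordSettings class, its field names and the assumption that either endpoint of a flow may satisfy a list are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Bounds of the Publish Interval field, in seconds, as given in the procedure above.
PUBLISH_INTERVAL_MIN = 60
PUBLISH_INTERVAL_MAX = 21600


def parse_ip_entry(entry):
    """Parse one IP Addresses entry (single address or hyphen-separated range) to (version, low, high)."""
    parts = [p.strip() for p in entry.split("-")]
    if len(parts) not in (1, 2):
        raise ValueError(f"malformed IP entry: {entry!r}")
    addrs = [ipaddress.ip_address(p) for p in parts]
    lo, hi = addrs[0], addrs[-1]
    if lo.version != hi.version or int(lo) > int(hi):
        raise ValueError(f"invalid IP range: {entry!r}")
    return lo.version, int(lo), int(hi)


def parse_port_entry(entry):
    """Parse one Port Ranges entry (single port or hyphen-separated range) to (low, high)."""
    parts = [int(p.strip()) for p in entry.split("-")]
    lo, hi = parts[0], parts[-1]
    if len(parts) not in (1, 2) or not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port entry: {entry!r}")
    return lo, hi


@dataclass
class FlowRecordSettings:
    """Model, constructed for this example, of the Automatic Flow Records settings page."""
    enabled: bool = True
    publish_interval: int = 60
    ip_ranges: list = field(default_factory=list)    # entries typed in the IP Addresses field
    port_ranges: list = field(default_factory=list)  # entries typed in the Port Ranges field

    def __post_init__(self):
        if not PUBLISH_INTERVAL_MIN <= self.publish_interval <= PUBLISH_INTERVAL_MAX:
            raise ValueError("Publish Interval must be between 60 and 21600 seconds")
        self.ip_ranges = [parse_ip_entry(e) for e in self.ip_ranges]
        self.port_ranges = [parse_port_entry(e) for e in self.port_ranges]

    def _ip_listed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(v == addr.version and lo <= int(addr) <= hi for v, lo, hi in self.ip_ranges)

    def _port_listed(self, port):
        return any(lo <= port <= hi for lo, hi in self.port_ranges)

    def captures(self, src_ip, src_port, dst_ip, dst_port):
        """True if a flow between these endpoints produces a flow record: an empty list is no
        restriction, and with both lists populated the flow must match a listed address AND a
        listed port (assumption: either endpoint may satisfy a list)."""
        if not self.enabled:
            return False
        ip_ok = not self.ip_ranges or self._ip_listed(src_ip) or self._ip_listed(dst_ip)
        port_ok = not self.port_ranges or self._port_listed(src_port) or self._port_listed(dst_port)
        return ip_ok and port_ok
```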
ExtraHop Explore appliance status
The ExtraHop Explore Status section displays the following status information for the Explore appliance:
- Activity since
- Displays the timestamp when record collection began. This value is automatically reset every 24 hours.
- Record Sent
- Displays the number of records sent to the Explore appliance from a Discover appliance.
- I/O Errors
- Displays the number of errors generated.
- Queue Full (Records Dropped)
- Displays the number of records dropped when records are created faster than they can be sent to the Explore appliance.
ExtraHop Trace Settings
Specify ExtraHop Trace appliances to continuously collect and store raw packet data.
Connect a Trace appliance
When you deploy a Trace appliance in your environment, you must establish a connection from an ExtraHop Discover appliance and Command appliance to the Trace appliance before you can query packets.
Note: | A Discover appliance can be connected to at most four Trace appliances, whereas a Command appliance can be connected to more than four Trace appliances. |
To connect a Discover appliance or Command appliance to a Trace appliance:
- Log into the Admin UI on the Discover or Command appliance.
- In the ExtraHop Trace Settings section, click Connect Trace Appliances.
- Type the hostname of the Trace appliance in the Appliance hostname field.
- Click Connect.
- Note the information listed for Fingerprint. Verify that the fingerprint listed on this page matches the fingerprint of the Trace appliance listed on the page in the Admin UI on the Trace appliance.
- Type the password for the Trace appliance setup user in the Trace Setup Password field.
- Click Connect.
- Repeat steps 3-7 for each additional Trace appliance.
Appendix
Decrypting SSL traffic
To decrypt SSL traffic in real time, you must configure your server applications to encrypt traffic with supported ciphers. The following information provides a list of supported cipher suites and the best practices you should consider when implementing SSL encryption.
Implement the following recommendations to optimize security:
- Turn off SSLv2 to reduce security issues at the protocol level.
- Turn off SSLv3, unless required for compatibility with older clients.
- Turn off SSL compression to avoid the CRIME security vulnerability.
- Turn off session tickets unless you are familiar with the risks that might weaken Perfect Forward Secrecy.
- Configure the server to select the cipher suite in order of the server preference.
The following cipher suites can be decrypted by the ExtraHop appliance and are listed in order from strongest to weakest and by server preference:
- AES256-GCM-SHA384
- AES128-GCM-SHA256
- AES256-SHA256
- AES128-SHA256
- AES256-SHA
- AES128-SHA
- DES-CBC3-SHA
The following list includes some common cipher suites that support Perfect Forward Secrecy (PFS) and can be decrypted by the ExtraHop appliance when session key forwarding is configured. To configure session key forwarding, see Install the ExtraHop session key forwarder on a Windows server or Install the ExtraHop session key forwarder on a Linux server.
- DHE_RSA_WITH_3DES_EDE_CBC_SHA
- DHE_RSA_WITH_AES_128_CBC_SHA
- DHE_RSA_WITH_AES_256_CBC_SHA
- DHE_RSA_WITH_AES_128_CBC_SHA256
- DHE_RSA_WITH_AES_256_CBC_SHA256
- DHE_RSA_WITH_AES_128_GCM_SHA256
- DHE_RSA_WITH_AES_256_GCM_SHA384
- ECDHE_RSA_WITH_RC4_128_SHA
- ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- ECDHE_RSA_WITH_AES_128_CBC_SHA
- ECDHE_RSA_WITH_AES_256_CBC_SHA
- ECDHE_RSA_WITH_AES_128_SHA256
- ECDHE_RSA_WITH_AES_256_SHA384
- ECDHE_RSA_WITH_AES_128_GCM_SHA256
- ECDHE_RSA_WITH_AES_256_GCM_SHA384
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-ECDSA-AES128-SHA256
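An added Python example, not part of ExtraHop's product or documentation, that turns the recommendations and the two cipher-suite lists above into a check: it classifies a suite name (OpenSSL or IANA spelling) as decryptable with the server private key alone, decryptable only when the session key forwarder is configured (DHE/ECDHE, forward secrecy), or on neither list, and audits a constructed server configuration against the five recommendations. TlsServerConfig and its field names are assumptions for the illustration.

```python
import re
from dataclasses import dataclass

# Suites the page lists as decryptable with the server's private key alone
# (static RSA key exchange), strongest first.
RSA_KX_SUITES = (
    "AES256-GCM-SHA384", "AES128-GCM-SHA256", "AES256-SHA256", "AES128-SHA256",
    "AES256-SHA", "AES128-SHA", "DES-CBC3-SHA",
)


def key_exchange(suite):
    """Return 'ECDHE', 'DHE' or 'RSA' for an OpenSSL-style or IANA-style suite name."""
    name = re.sub(r"^TLS_", "", suite.upper().replace("-", "_"))
    for kx in ("ECDHE", "DHE"):
        if name.startswith(kx + "_"):
            return kx
    return "RSA"  # no key-exchange prefix: static RSA, as in the page's first list


def decryption_mode(suite):
    """'private-key' for a static-RSA suite on the page's list, 'session-key-forwarder'
    for DHE/ECDHE suites (forward secrecy), 'unsupported' for anything else."""
    if suite.upper() in RSA_KX_SUITES:
        return "private-key"
    if key_exchange(suite) != "RSA":
        return "session-key-forwarder"
    return "unsupported"


@dataclass(frozen=True)
class TlsServerConfig:
    """Constructed, vendor-neutral view of the server settings the recommendations cover."""
    protocols: tuple
    compression: bool
    session_tickets: bool
    prefer_server_ciphers: bool
    ciphers: tuple


def audit(cfg):
    """Return the recommendations cfg violates, plus each suite that needs key forwarding."""
    findings = []
    if "SSLv2" in cfg.protocols:
        findings.append("SSLv2 enabled: turn it off")
    if "SSLv3" in cfg.protocols:
        findings.append("SSLv3 enabled: turn it off unless older clients require it")
    if cfg.compression:
        findings.append("SSL compression enabled: turn it off (CRIME)")
    if cfg.session_tickets:
        findings.append("session tickets enabled: turn them off unless the PFS trade-off is understood")
    if not cfg.prefer_server_ciphers:
        findings.append("client cipher order honoured: configure server preference")
    for s in cfg.ciphers:
        mode = decryption_mode(s)
        if mode != "private-key":
            findings.append(f"{s}: {mode}")
    return findings


# Constructed sample settings: a weak configuration beside the corrected one.
WEAK = TlsServerConfig(("SSLv3", "TLSv1.2"), True, True, False, ("AES128-SHA", "ECDHE-RSA-AES128-SHA256"))
HARDENED = TlsServerConfig(("TLSv1.2",), False, False, True, ("AES256-GCM-SHA384", "AES128-GCM-SHA256"))
```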
Common acronyms
The following common computing and networking protocol acronyms are used in this guide.
Acronym | Full Name |
---|---|
AAA | Authentication, authorization, and accounting |
AMF | Action Message Format |
CIFS | Common Internet File System |
CLI | Command Line Interface |
CPU | Central Processing Unit |
DB | Database |
DHCP | Dynamic Host Configuration Protocol |
DNS | Domain Name System |
ERSPAN | Encapsulated Remote Switched Port Analyzer |
FIX | Financial Information Exchange |
FTP | File Transfer Protocol |
HTTP | Hyper Text Transfer Protocol |
IBMMQ | IBM Message Oriented Middleware |
ICA | Independent Computing Architecture |
IP | Internet Protocol |
iSCSI | Internet Small Computer System Interface |
L2 | Layer 2 |
L3 | Layer 3 |
L7 | Layer 7 |
LDAP | Lightweight Directory Access Protocol |
MAC | Media Access Control |
MIB | Management Information Base |
NFS | Network File System |
NVRAM | Non-Volatile Random Access Memory |
RADIUS | Remote Authentication Dial-In User Service |
RPC | Remote Procedure Call |
RPCAP | Remote Packet Capture |
RSS | Resident Set Size |
SMPP | Short Message Peer-to-Peer Protocol |
SMTP | Simple Message Transport Protocol |
SNMP | Simple Network Management Protocol |
SPAN | Switched Port Analyzer |
SSD | Solid-State Drive |
SSH | Secure Shell |
SSL | Secure Socket Layer |
TACACS+ | Terminal Access Controller Access-Control System Plus |
TCP | Transmission Control Protocol |
UI | User Interface |
VLAN | Virtual Local Area Network |
VM | Virtual Machine |
Configure Cisco NetFlow devices
The following are examples of basic Cisco router configuration for NetFlow. NetFlow is configured on a per-interface basis. When NetFlow is configured on the interface, IP packet flow information will be exported to the Discover appliance.
Important: | NetFlow takes advantage of the SNMP ifIndex value to represent ingress and egress interface information in flow records. To ensure consistency of interface reporting, enable SNMP ifIndex persistence on devices sending NetFlow to the Discover appliance. For more information on how to enable SNMP ifIndex persistence on your network devices, refer to the configuration guide provided by the device manufacturer. |
For more information on configuring NetFlow on Cisco switches, see your Cisco router documentation or the Cisco website at www.cisco.com.