ExtraHop Trace Admin UI Guide
Introduction to the ExtraHop Trace Admin UI
The ExtraHop Trace Admin UI Guide provides detailed information about the administrator features and functionality of the ExtraHop Trace appliance.
In addition, this guide provides an overview of the global navigation and information about the controls, fields, and options available throughout the Trace Admin UI.
After you have deployed your Trace appliance, see the Trace Post-deployment Checklist.
We value your feedback. Please let us know how we can improve this document. Send your comments or suggestions to documentation@extrahop.com.
Supported Browsers
The following browsers are compatible with all ExtraHop appliances. We recommend that you install the latest version of the browser.
- Firefox
- Google Chrome
- Internet Explorer 11
- Safari
You must allow cookies and ensure that Adobe Flash Player is installed and enabled. Visit the Adobe website to confirm that Flash Player is installed and up-to-date.
Navigation
This section describes the general layout of the Admin UI on a Trace appliance.
The toolbar contains the following controls or links:
- Change default password
- Opens the Change Password page so that you can specify a new Admin UI password. For more information, see the Change the default password for the setup user section.
- Log out
- Ends the Admin UI session on the Trace appliance. For more information, see the Log in and log out of the Admin UI section.
- Help
- Opens the built-in ExtraHop Trace Admin UI Guide.
The administration page contains the following sections:
- Status and Diagnostics
- Verify how the Trace appliance is functioning on the network.
- Network Settings
- Configure the network settings for the Trace appliance.
- Access Settings
- Configure access settings to the Trace appliance.
- Appliance Settings
- Configure the system-level settings for the Trace appliance.
- Trace Cluster Settings
- View statistics about currently running packet queries, and a list of all connected Discover and Command appliances.
Status and Diagnostics
The Status and Diagnostics section includes metrics and logging data about the current state of the Trace appliance and enables system administrators to view the overall system health.
- Health
- Provides metrics about the operating efficiency of the Trace appliance.
- Audit Log
- Enables you to view event logging data and to change syslog settings.
- Fingerprint
- Provides the unique hardware fingerprint for the Trace appliance.
- Support Scripts
- Enables you to upload and run support scripts.
- Exception Files
- Enable or disable the Trace appliance exception files.
Health
The Health page provides a collection of metrics that enable you to check the operation of the Trace appliance. If issues occur with the Trace appliance, the metrics on the Health page help you to troubleshoot the problem and determine why the appliance is not performing as expected.
Help on this page
The metrics on this page can help you troubleshoot problems and determine why the ExtraHop appliance is not performing as expected.
- System
- Reports the following information about the system CPU usage and disk drives.
- CPU User
- Displays the percentage of CPU usage associated with the Trace appliance user.
- CPU System
- Displays the percentage of CPU usage associated with the Trace appliance.
- CPU Idle
- Displays the CPU idle percentage associated with the Trace appliance.
- CPU IO
- Displays the percentage of CPU usage associated with the Trace appliance IO functions.
- Service Status
- Reports the status of Trace appliance system services.
- exadmin
- Displays the time the Trace appliance web portal service started.
- exconfig
- Displays the time the Trace appliance config service started.
- excap
- Displays the time the Trace appliance capture service started.
- Interfaces
- Reports the status of Trace appliance network interfaces.
- RX packets
- Displays the number of packets received by the Trace appliance on the specified interface.
- RX Errors
- Displays the number of received packet errors on the specified interface.
- RX Drops
- Displays the number of received packets dropped on the specified interface.
- TX Packets
- Displays the number of packets transmitted by the Trace appliance on the specified interface.
- TX Errors
- Displays the number of transmitted packet errors on the specified interface.
- TX Drops
- Displays the number of transmitted packets dropped on the specified interface.
- RX Bytes
- Displays the number of bytes received by the Trace appliance on the specified interface.
- TX Bytes
- Displays the number of bytes transmitted by the Trace appliance on the specified interface.
- Partitions
- Reports the status and usage of Trace appliance components. The configuration settings for these components are stored on disk and retained even when the power to the appliance is turned off.
- Name
- Displays the Trace appliance settings that are stored on disk.
- Options
- Displays the read-write options for the settings stored on disk.
- Size
- Displays the size in gigabytes for the identified component.
- Utilization
- Displays the amount of memory usage for each of the components as a quantity and as a percentage of total disk space.
Audit log
The audit log provides data about the operations of the system, broken down by component. The log lists all known events by timestamp with the most recent events at the top of the list. You can configure where to send these logs in the Syslog Settings section.
The appliance collects the following log data and reports the results on the Audit Log page.
- Time
- Specifies the time at which the event occurred.
- User
- Identifies the user who initiated the logged event.
- Operation
- Specifies the system operation that generated the logged event.
- Details
- Specifies the outcome of the event. Common results are Success, Modified, Execute, or Failure. Each log entry also identifies the originating IP address if that address is known.
- Component
- Identifies the appliance component that is associated with the logged event.
To configure the syslog settings:
Fingerprint
The Fingerprint page displays the device fingerprint for the Trace appliance. When pairing the Trace appliance with a Discover or Command appliance, make sure that the fingerprint displayed is exactly the same as the fingerprint shown on the join or pairing page.
Run the default support script
The default support script gathers information about the state of the ExtraHop system for analysis by ExtraHop Support.
View the diagnostic support packages on the system
- In the Status and Diagnostics section, click Support Scripts.
- Click View Support Script Results.
Download a selected diagnostic support package
Note: Support script result files are encrypted and can be decrypted only by ExtraHop Support.
- In the Status and Diagnostics section, click Support Scripts.
- Click View Support Script Results.
- Click the name of the diagnostic support package that you want to download. The file is downloaded to your browser's default download location.
Delete a selected diagnostic support script results package
- In the Status and Diagnostics section, click Support Scripts.
- Click View Support Script Results.
- Locate the diagnostic support package that you want to delete.
- In the Action column, click the X icon.
- At the prompt, click OK.
Run a custom support script
- In the Status and Diagnostics section, click Support Scripts.
- Click Run Custom Support Script.
- Click Choose File.
- Navigate to the diagnostic support script that you want to upload.
- Select the file and click Open.
- Click Upload to run the script on the ExtraHop appliance.
Run a default support script
Some support scripts only perform a function on the ExtraHop appliance, while other support scripts gather information about the state of the system for analysis by ExtraHop Support. If the support script generated a results package to send to ExtraHop Support, then the Admin UI redirects to the View Support Script Results page.
To create a diagnostic support package that can be downloaded and sent to the ExtraHop Support team:
- In the Status and Diagnostics section, click Support Scripts.
- Click Run Default Support Script.
- Click OK.
Enable writing to exception files
When you enable the Exception File setting, a core file of the data stored in memory is written to the disk if the system unexpectedly stops or restarts. This file can help ExtraHop Support diagnose the issue.
Note: Exception files are encrypted and can be decrypted only by ExtraHop Support.
- In the Status and Diagnostics section, click Exception Files.
- Click Enable Exception Files.
Network settings
The Network Settings section provides the following configurable network connectivity settings.
- Connectivity
- Configure network connections.
- SSL Certificate
- Generate and upload a self-signed certificate.
- Notifications
- Set up alert notifications through email and SNMP traps.
The Trace appliance has two 10/100/1000baseT network ports and four 10 GbE SFP+ network ports. By default, the Gb3 port is configured as the management port and requires an IP address. Port 5 is the default monitor (or capture) interface.
Before you begin configuring the network settings, verify that a network patch cable connects the Gb3 port on the Trace appliance to the management network. For more information about installing a Trace appliance, see the ExtraHop Trace appliance deployment guide or contact ExtraHop Support for assistance.
For specifications, installation guides, and more information about your appliance, see the complete ExtraHop documentation set at docs.extrahop.com.
Atlas Services
Atlas Services provide ExtraHop customers with a remote analysis report that is delivered monthly. The report contains specific recommendations for critical components across the application delivery chain.
Connectivity
To connect the appliance to the host network, the following network configuration is required:
Network Settings
- Hostname
- Specifies the name of the appliance on the network.
- Primary DNS
- Specifies the IP address of the primary domain name server for the specified domain.
- Secondary DNS
- (Optional) Specifies the IP address of the secondary domain name server for the specified domain.
Interfaces
- Interface
- Lists the available interfaces on the node.
- Mode
- Specifies whether the port is enabled or disabled and if enabled, the port assignment.
- DHCP
- Specifies whether DHCP is enabled or disabled.
- IP address
- Specifies the static IP address of the appliance on the network.
- Netmask
- Specifies the netmask used to divide the IP address into subnets.
- Gateway
- Specifies the IP address for the gateway node on the network.
- Routes
- Specifies network route information if DHCP is disabled.
- MAC Address
- Specifies the MAC address of the appliance.
- IPv6
- Specifies whether IPv6 is enabled or disabled.
Connectivity
The Connectivity page provides options that enable you to view and modify your network settings.
Interface Status
In physical ExtraHop appliances, an Interface Status section appears on the Connectivity page. This section displays a diagram of the following interface connections on the back of the appliance:
- Blue Ethernet Port:
- Identifies the management port.
- Black Ethernet Port:
- Indicates that the port is licensed and enabled but down.
- Green Ethernet Port:
- Indicates that the licensed port has an active Ethernet cable connected.
- Gray Ethernet Port:
- Identifies a disabled or unlicensed port.
Network Settings
- Hostname
- The name of the appliance on the network.
- Primary DNS
- The IP address of the primary domain name server for the specified domain.
- Secondary DNS
- (Optional) The IP address of the secondary domain name server for the specified domain.
Proxy Settings
- Enable Global Proxy:
- Provides the ability to enable proxy support for connection to the Command appliance.
- Enable ExtraHop Cloud Proxy:
- Provides the ability to enable proxy support for connection to ExtraHop Cloud services and the Atlas Remote UI.
Bond Interface Settings
- Create Bond Interface:
- Provides the ability to bond multiple interfaces together into a single logical interface that will use a single IP address for the combined bandwidth of the bond members. Only 1GbE ports are supported for bond interfaces. This is also known as link aggregation, port trunking, link bundling, Ethernet/network/NIC bonding, or NIC teaming.
Note: Creating bond interfaces will cause you to lose connectivity to your ExtraHop appliance. You must make changes to your network switch configuration to restore that connectivity. The changes required depend on which switch you are using. Contact ExtraHop Support for assistance before you create a bond interface.
Interfaces
- Interface
- Displays the interface number.
- Mode
- Displays whether the port is enabled or disabled and if enabled, the port assignment.
- Link Speed
- Displays the link speed for the interface on physical appliances. Virtual appliances always display N/A.
- DHCP
- Displays whether DHCP is enabled or disabled.
- IP Address
- Displays the static IP address of the ExtraHop appliance on the network.
- Netmask
- Displays the netmask configured to divide the IP address into subnets.
- Gateway
- Displays the IP address for the gateway node on the network.
- Routes
- Displays configured static route information.
- MAC Address
- Displays the MAC address of the ExtraHop appliance.
- IPv6
- Displays whether IPv6 is enabled or disabled.
Configure the RPCAP settings
After you configure an interface as an RPCAP target, configure the RPCAP settings.
Note: You must specify an interface address or an interface name. If you specify both, then both settings will apply.
Modify an interface
Set a static route
Before you begin
You must disable DHCPv4 before you can add a static route.
- On the Edit Interface page, ensure that the IPv4 Address and Netmask fields are complete and saved, and click Edit Routes.
- In the Add Route section, type a network address range in CIDR notation in the Network field and an IPv4 address in the Via IP field, and then click Add.
- Repeat the previous step for each route you want to add.
- Click Save.
Global proxy server
If your network topology requires a proxy server to enable your ExtraHop appliance to communicate either with a Command appliance or with other devices outside of the local network, you can enable your ExtraHop appliance to connect to a proxy server you already have on your network. Internet connectivity is not required for the global proxy server.
Note: Only one global proxy server can be configured per ExtraHop appliance.
ExtraHop Cloud proxy
If your ExtraHop appliance does not have a direct internet connection, you can connect to the internet through a proxy server specifically designated for ExtraHop Cloud services and Atlas connectivity. Only one proxy can be configured per ExtraHop appliance.
Note: If no cloud proxy server is enabled, the ExtraHop appliance will attempt to connect through the global proxy. If no global proxy is enabled, the ExtraHop appliance will connect through an HTTP proxy to enable the services.
Configure an ExtraHop Cloud proxy server
- In the Network Settings section, click Connectivity.
- Click Enable ExtraHop Cloud Proxy. Click Change ExtraHop Cloud Proxy to modify an existing configuration.
- Click Enable ExtraHop Cloud Proxy.
- Type the hostname or IP address for your proxy server.
- Type the port number for your proxy server, such as 8080.
- (Optional): If required, type a username and password for your proxy server.
- Click Save.
Bond interfaces
You can bond multiple 1GbE interfaces on your ExtraHop appliance together into a single logical interface that has one IP address for the combined bandwidth of the member interfaces. Bonding interfaces enable a larger throughput with a single IP address. This configuration is also known as link aggregation, port channeling, link bundling, Ethernet/network/NIC bonding, or NIC teaming. Only 1GbE interfaces are supported for bond interfaces. Bond interfaces cannot be set to monitoring mode.
Note: When you modify bond interface settings, you lose connectivity to your ExtraHop appliance. You must make changes to your network switch configuration to restore connectivity. The changes required are dependent on your switch. Contact ExtraHop Support for assistance before you create a bond interface.
Interfaces chosen as members of a bond interface are no longer independently configurable and are shown as Disabled (bond member) in the Interfaces section of the Connectivity page. After a bond interface is created, you cannot add more members or delete existing members. The bond interface must be destroyed and recreated.
Create a bond interface
You can create a bond interface with at least one interface member and up to the number of members that are equivalent to the number of 1GbE interfaces on your ExtraHop appliance.
Modify bond interface settings
After a bond interface is created, you can modify most settings as if the bond interface is a single interface.
Destroy a bond interface
When a bond interface is destroyed, the separate interface members of the bond interface return to independent interface functionality. One member interface is selected to retain the interface settings for the bond interface and all other member interfaces are disabled. If no member interface is selected to retain the settings, the settings are lost and all member interfaces are disabled.
- In the Network Settings section, click Connectivity.
- In the Bond Interfaces section, click the red X next to the interface you want to destroy.
- On the Destroy Bond Interface <interface number> page, select the member interface to move the bond interface settings to. Only the member interface selected to retain the bond interface settings remains active, and all other member interfaces are disabled.
- Click Destroy.
Notifications
The ExtraHop appliance can send alert notifications through email and SNMP traps. If SNMP is specified, then every alert is sent as an SNMP trap to the specified SNMP server. In addition, you can send alerts to a remote server through a syslog export.
The Notifications section in the Network Settings section of the Admin UI includes the following configurable settings.
- Email Server and Sender
- Configure the email server and sender settings.
- Email Addresses
- Add individual email addresses to receive system health notifications.
- SNMP
- Set up SNMP network monitoring.
- Syslog
- Send appliance data to another system for archiving and correlation.
Email addresses
You can send system storage alerts to individual recipients. Alerts are sent under the following conditions:
- A physical disk is in a degraded state.
- A physical disk has an increasing error count.
Add a new notification email address
To add a new disk notification email address:
- In the Network Settings section, click Notifications.
- Under Notifications, click Email Addresses.
- In the Email address text box, type the recipient email address.
- Click Save.
Delete a disk notification email address
To delete a disk notification email address:
- In the Network Settings section, click Notifications.
- Under Notifications, click Email Addresses.
- Click the red delete icon (X) to the right of the email address.
- On the Delete page, click OK.
The running config changes when you add or remove an email address. To preserve your changes, click View and Save Changes. For more information, see the Running Config section.
SNMP
The state of the network is monitored through the Simple Network Management Protocol (SNMP). SNMP collects information either by polling devices on the network or when SNMP-enabled devices send alerts to SNMP management stations. SNMP communities define the group that devices and management stations running SNMP belong to, which specifies where information is sent. The community name identifies the group.
Note: Most organizations have an established system for collecting and displaying SNMP traps in a central location that can be monitored by their operations teams. For example, SNMP traps are sent to an SNMP manager, and the SNMP management console displays them.
Configure SNMP settings to send notifications to an SNMP manager
Simple Network Management Protocol (SNMP) is a standard way of monitoring hardware and software on a network. SNMP collects information both by polling devices on the network and when SNMP-enabled devices send alerts to SNMP management stations. SNMP communities specify the group that devices and management stations running SNMP belong to, which specifies where information is sent. The community name identifies the group.
Next steps
After you confirm that your new settings are working as expected, preserve your configuration changes through system restart and shutdown events by saving the Running Config file.
Configure syslog notification settings
The syslog export enables you to send alerts from the ExtraHop appliance to any remote system that receives syslog input for long-term archiving and correlation with other sources.
Note: To send syslog messages to your remote server, you must first configure the syslog notification settings. Only one remote syslog server can be configured for each ExtraHop appliance.
SSL certificate
SSL provides secure authentication to the Admin UI of the ExtraHop appliance. To enable SSL, an SSL certificate must be uploaded to the appliance.
A self-signed certificate can be used in place of a certificate signed by a Certificate Authority. However, be aware that a self-signed certificate generates an error in the client browser reporting that the signing certificate authority is unknown. The browser provides a set of confirmation pages to allow the use of the certificate, even though the certificate is self-signed.
Upload an SSL certificate
You must upload a .pem file that includes both a private key and either a self-signed certificate or a certificate-authority certificate.
Note: The .pem file must not be password protected.
- In the Network Settings section, click SSL Certificate.
- Click Manage certificates to expand the section.
- Click Choose File and navigate to the certificate that you want to upload.
- Click Open.
- Click Upload.
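The upload requirements above (one .pem holding a private key and a certificate, with the key not password protected) can be checked before upload. The following is an added example, not ExtraHop code: the function names are hypothetical, and the sample bundles are constructed placeholders rather than real key material.

```python
import base64
import re

# One PEM block: BEGIN line, optional legacy headers, base64 body, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def parse_pem_blocks(text):
    """Return (label, headers, der_bytes_or_None) for every PEM block in text."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        headers, b64_lines = {}, []
        for line in body.splitlines():
            line = line.strip()
            if not line:
                continue
            if ":" in line:
                # Legacy OpenSSL key headers such as Proc-Type and DEK-Info.
                name, _, value = line.partition(":")
                headers[name.strip()] = value.strip()
            else:
                b64_lines.append(line)
        try:
            der = base64.b64decode("".join(b64_lines), validate=True)
        except ValueError:
            der = None
        blocks.append((label, headers, der))
    return blocks


def check_upload_bundle(text):
    """Return a list of problems; an empty list means the structural checks pass."""
    problems = []
    blocks = parse_pem_blocks(text)
    if not any(label.endswith("PRIVATE KEY") for label, _, _ in blocks):
        problems.append("no private key block")
    if not any(label == "CERTIFICATE" for label, _, _ in blocks):
        problems.append("no certificate block")
    for label, headers, der in blocks:
        # PKCS#8 encrypted keys use their own label; legacy keys carry a header.
        if label == "ENCRYPTED PRIVATE KEY" or "ENCRYPTED" in headers.get("Proc-Type", ""):
            problems.append("private key is password protected")
        if label in ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"):
            problems.append("bundle contains a CSR, not a signed certificate")
        if not der:
            problems.append(f"{label} block is empty or not valid base64")
    return problems


def _fake_block(label, headers=""):
    """Build a constructed PEM block with a placeholder body (not a real key)."""
    body = base64.b64encode(b"constructed placeholder, not real key material").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"


# Constructed sample bundles covering the cases the upload page rules out.
SAMPLE_OK = _fake_block("PRIVATE KEY") + _fake_block("CERTIFICATE")
SAMPLE_PKCS8_ENCRYPTED = _fake_block("ENCRYPTED PRIVATE KEY") + _fake_block("CERTIFICATE")
SAMPLE_LEGACY_ENCRYPTED = _fake_block(
    "RSA PRIVATE KEY",
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n",
) + _fake_block("CERTIFICATE")
SAMPLE_CSR_ONLY = _fake_block("PRIVATE KEY") + _fake_block("CERTIFICATE REQUEST")

if __name__ == "__main__":
    for name, bundle in [
        ("ok", SAMPLE_OK),
        ("pkcs8-encrypted", SAMPLE_PKCS8_ENCRYPTED),
        ("legacy-encrypted", SAMPLE_LEGACY_ENCRYPTED),
        ("csr-only", SAMPLE_CSR_ONLY),
    ]:
        print(name, check_upload_bundle(bundle) or "passes structural checks")
```

These checks are structural only; they do not confirm that the private key matches the certificate or that the certificate is within its validity period.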
Create a certificate signing request from your ExtraHop appliance
A certificate signing request (CSR) is a block of encoded text that is given to your Certificate Authority (CA) when you apply for an SSL certificate. The CSR is generated on the ExtraHop appliance where the SSL certificate will be installed and contains information that will be included in the certificate such as the common name (domain name), organization, locality, and country. The CSR also contains the public key that will be included in the certificate. The CSR is created with the private key from the ExtraHop appliance, making a key pair.
Next steps
Send the CSR file to your certificate authority (CA) to have the CSR signed. When you receive the SSL certificate from the CA, return to the SSL Certificate page in the Admin UI and upload the certificate to the ExtraHop system.
Add a trusted certificate to your ExtraHop appliance
Your ExtraHop appliance only trusts peers who present a TLS certificate that is signed by one of the built-in system certificates or any certificates that you upload. Only SMTP and LDAP connections are validated through these certificates.
Before you begin
You must be a user with unlimited privileges to add or remove trusted certificates.
Important: To trust the built-in system certificates and any uploaded certificates, you must also enable SSL certificate validation on the LDAP Settings page or Email Settings page.
- Log into the Admin UI.
- In the Network Settings section, click Trusted Certificates.
- The ExtraHop appliance ships with a set of built-in certificates. Select Trust System Certificates if you want to trust these certificates, and then click Save.
- To add your own certificate, click Add Certificate and then paste the contents of the PEM-encoded certificate chain into the Certificate field.
- Type a name into the Name field and click Add.
Important: ExtraHop appliances only accept modern SSL configurations, which include TLS 1.2 and the cipher suites listed below. Note that the ExtraHop Web UI will not display in Internet Explorer 11 unless TLS 1.0, TLS 1.1, and TLS 1.2 are turned on in the advanced settings for Internet Explorer 11.
Next steps
Configure LDAP and SMTP settings to validate outbound connections with the trusted certificates.
Access Settings
In the Access Settings section, you can change passwords, enable the support account, and specify users in the ExtraHop appliances for remote authentication. The Access Settings section has the following configurable settings:
- Password
- Change the password for user accounts.
- Support Account
- Enable troubleshooting assistance from ExtraHop Support.
- Users
- Add and delete users, and modify user privileges.
- Sessions
- View and terminate user sessions on the Admin UI.
- Remote Authentication
- Enable users to log on to the Admin UI with their existing credentials.
- API Access
- Manage the settings that enable you to perform operations through the ExtraHop REST API.
- User Groups
- View and manage user groups imported from a configured LDAP server. The User Groups page appears only on ExtraHop Discover and Command appliances.
Change password
Users with administrative privileges to the Admin UI on the appliance can change the password for any user that has an account stored locally in the appliance. For more information about privileges for specific Admin UI users and groups, see the Users section.
Change the default password for the setup user
It is recommended that you change the default password for the setup user on the ExtraHop appliance after you log in for the first time. To remind administrators to make this change, there is a blue Change Password button at the top of the page while the setup user is accessing the Admin UI. After the setup user password is changed, the button at the top of the page no longer appears.
Note: The password must be a minimum of 5 characters.
Support account
Support accounts provide access for the ExtraHop Support team to help customers troubleshoot issues with the ExtraHop appliance and to provide remote analysis reports through Atlas Services.
These settings should be enabled only if the ExtraHop system administrator requests hands-on assistance from the ExtraHop Support team or if your organization is subscribed to Atlas Services.
Users
The Users page provides controls to add and delete users, and to change a user's access privileges in the ExtraHop appliance. Users with administrator-level privileges can add other users.
User accounts can be locally or remotely authenticated and authorized. For more information, see the Remote Authentication section.
- setup
- The setup account provides full system read and write privileges on the Web UI, Admin UI, and Shell, which is the ExtraHop command-line interface (CLI). For physical appliances, the default password for this account is the service tag number on the right-front bracket of the ExtraHop appliance. For virtual appliances, the password is default.
- shell
- The shell account permits access to non-administrative shell commands in the ExtraHop command-line interface (CLI). When accessing the privileged system configuration shell commands, the user types in enable and authenticates with the setup user password. For physical appliances, the default password for this account is the service tag number on the right-front bracket of the ExtraHop appliance. For virtual appliances, the password is default.
Note: The default ExtraHop password for Amazon Web Services (AWS) users is the string of numbers after the -i in the instance ID.
- When a user is authenticated and authorized locally, the user appears immediately in the managed users list. User privileges are managed in the ExtraHop appliance.
- When a user is authenticated remotely but authorization is managed locally, the user appears in the managed users list after the first login. The user's permissions are managed in the ExtraHop appliance.
- When a user is both authenticated and authorized remotely, the user does not appear in the managed users list. The user's permissions are managed in the remote server.
Note: The local user account overrides all remote user account settings.
User privileges
Administrators determine the level of access and functionality users have with the ExtraHop Web and Admin UIs. In addition to setting the privilege level for the user, you can add certain options that can apply to any user privilege level.
For information about user privileges for the REST API, see the REST API Guide.
Privilege Levels
Set the privilege level for your user to determine which areas of the ExtraHop appliance they can access.
Privilege | Unlimited | Full Write | Limited Write | Personal Write | Full Read-Only | Restricted Read-Only |
Activity Maps | ||||||
Create, view, and load shared activity maps | Y | Y | Y | Y | Y | N |
Save activity maps | Y | Y | Y | Y | N | N |
Share activity maps | Y | Y | Y | N | N | N |
Alerts | ||||||
View alert history | Y | Y | Y | Y | Y | N |
Create and modify alerts | Y | Y | N | N | N | N |
Custom Pages | ||||||
Create and modify custom pages | Y | Y | N | N | N | N |
Dashboards | ||||||
View and organize dashboards | Y | Y | Y | Y | Y | Y |
Create and modify dashboards | Y | Y | Y | Y | N | N |
Share dashboards | Y | Y | Y | N | N | N |
Detections | ||||||
View detections and provide feedback | Y | Y | Y | Y | Y | N |
Analysis Priorities | ||||||
View Analysis Priorities page | Y | Y | Y | Y | Y | N |
Add and modify analysis levels for groups | Y | Y | N | N | N | N |
Add devices to a watchlist | Y | Y | N | N | N | N |
Transfer priorities management | Y | Y | N | N | N | N |
Device Groups | ||||||
Create and modify device groups | Y | Y | N | N | N | N |
Metrics | ||||||
View metrics | Y | Y | Y | Y | Y | N |
Records (Explore appliance) | ||||||
View record queries | Y | Y | Y | Y | Y | N |
View record formats | Y | Y | Y | Y | Y | N |
Create, modify, and save record queries | Y | Y | N | N | N | N |
Create, modify, and save record formats | Y | Y | N | N | N | N |
Scheduled Reports (Command appliance) | ||||||
Create, view, and manage scheduled reports | Y | Y | Y | N | N | N |
Triggers | ||||||
Create and modify triggers | Y | Y | N | N | N | N |
Administrative Privileges | ||||||
Access the ExtraHop Admin UI | Y | N | N | N | N | N |
Connect to other appliances | Y | N | N | N | N | N |
Manage other appliances (Command appliance) | Y | N | N | N | N | N |
Sessions
The ExtraHop system provides controls to view and delete user connections to the web interface. The Sessions list is sorted by expiration date, which corresponds to the date the sessions were established. If a session expires or is deleted, the user must log in again to access the web interface.
Delete active sessions
When you delete an active session for a user, the user is logged out of the Admin UI. You cannot delete the current user session.
- In the Access Settings section, click Sessions.
- Select the users that you want to delete.
- To delete a specific user, in the sessions table, click the red x at the end of the row for the specific user.
- To delete all active user sessions, click Delete All and then click OK.
Remote authentication
ExtraHop appliances support remote authentication of users. Remote authentication enables organizations that have authentication systems such as LDAP (such as OpenLDAP or Active Directory), RADIUS, or TACACS+ to enable all or a subset of their users to log on to the appliance with their existing credentials.
Centralized authentication provides the following benefits:
- User password synchronization.
- Automatic creation of ExtraHop accounts for users without administrator intervention.
- Management of ExtraHop privileges based on LDAP groups.
- Administrators can grant access to all known users or restrict access by applying LDAP filters.
LDAP
The ExtraHop system supports the Lightweight Directory Access Protocol (LDAP) for authentication and authorization. ExtraHop LDAP authentication only queries for user accounts; it does not use any other entities that might be in the LDAP directory.
Users whose credentials are not stored locally are authenticated against the remote LDAP server by their username and password when they attempt to log onto the ExtraHop system. When a user attempts to log onto the ExtraHop UI, the ExtraHop system:
- Attempts to authenticate the user locally.
- Attempts to authenticate the user through the LDAP server if the user does not exist locally and the ExtraHop system is configured to use LDAP for remote authentication.
- Logs the user on to the ExtraHop system if the user exists and the password is validated through LDAP. The LDAP password is not stored locally on the ExtraHop system.
If the user does not exist or an incorrect password is used, an error message appears with the login page.
Ensure that each user to be remotely authorized is in a permission-specific group on the LDAP server before beginning this procedure.
RADIUS
The ExtraHop appliance supports Remote Authentication Dial In User Service (RADIUS) for remote authentication and local authorization only. For remote authentication, the ExtraHop appliance supports unencrypted RADIUS and plaintext formats.
TACACS+
The ExtraHop appliance supports Terminal Access Controller Access-Control System Plus (TACACS+) for remote authentication and authorization.
Ensure that each user to be remotely authorized has the ExtraHop service configured on the TACACS+ server before beginning this procedure.
API access
The API Access page provides controls to generate, view, and manage access for the API keys that are required to perform operations through the ExtraHop REST API. This page also provides a link to the REST API Explorer.
Administrators, or users with unlimited privileges, control whether users can generate API keys. For example, you can prevent remote users from generating keys or you can disable API key generation entirely. When this functionality is enabled, API keys are generated by users, listed in the Keys section, and can be viewed only by the user who generated the key.
Note: Administrators set up user accounts, and then users generate their own API key. Users can delete API keys for their own account, and users with unlimited privileges can delete API keys for any user. For more information, see the Users section.
Click the REST API Explorer link to open a web-based tool that enables you to try API calls directly on your ExtraHop appliance. The ExtraHop REST API Explorer also provides information about each resource and samples in cURL, Python 2.7, and Ruby.
See the ExtraHop REST API Guide for more information.
Manage API access
You can manage which users are able to generate API keys on the ExtraHop appliance.
- In the Access Settings section, click API Access.
- In the Manage Access section, select one of the following options:
  - Allow all users to generate an API key
    Local and remote users can generate API keys.
  - Only local users can generate an API key
    Only users created on the appliance can generate API keys.
  - No users can generate an API key
    API keys cannot be generated. Selecting this option will delete any
- Click Save Settings, then click OK, and then click Done.
Next steps
Save the changes to the running config file.
Enable CORS for the ExtraHop REST API
Cross-origin resource sharing (CORS) allows you to access the ExtraHop REST API across domain boundaries and from specified web pages without requiring the request to travel through a proxy server.
You can configure one or more allowed origins or you can allow access to the ExtraHop REST API from any origin. Only administrative users with unlimited privileges can view and edit CORS settings.
Add an allowed origin
You can configure one or more allowed origins or you can allow access to the ExtraHop REST API from any origin.
- In the Access Settings section, click API Access.
- In the CORS Settings section, specify one of the following access configurations.
  - To add a specific URL, type an origin URL in the text box, and then click the plus (+) icon or press ENTER.
    The URL must include a scheme, such as HTTP or HTTPS, and the exact domain name. You cannot append a path; however, you can provide a port number.
  - To allow access from any URL, select the Allow API requests from any Origin checkbox.
    Note: Allowing REST API access from any origin is less secure than providing a list of explicit origins.
- Click Save Settings and then click Done.
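The origin format rule and the any-origin note above, as an added example that is not ExtraHop code: a Python check that vets candidate allowed-origin entries before you type them into the CORS Settings text box. The function names, the sample entries, the http/https-only scheme set, the rejection of a bare trailing slash and the dropping of default ports are assumptions of this example, not documented appliance behavior.

```python
from urllib.parse import urlsplit

# Assumption: only the two schemes the page names are accepted.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample entries, not taken from any real deployment.
SAMPLE_ENTRIES = [
    "https://dash.example.com",
    "https://Ops.Example.com:8443",
    "http://legacy.example.com",
    "https://dash.example.com/reports",   # path appended
    "*.example.com",                      # no scheme, not an exact domain
    "https://dash.example.com:443",       # same origin as the first entry
]


def normalize_origin(entry):
    """Return 'scheme://host[:port]' for a valid origin, else raise ValueError."""
    parts = urlsplit(entry.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("scheme must be http or https")
    if parts.path or parts.query or parts.fragment:
        raise ValueError("path, query and fragment are not part of an origin")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials are not part of an origin")
    host = parts.hostname  # urlsplit lower-cases the host name
    if not host or "*" in host:
        raise ValueError("an exact host name is required")
    port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets
        host = "[" + host + "]"
    # Browsers omit the default port in the Origin header, so drop it here too.
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def audit_cors(entries, allow_any_origin=False):
    """Return (normalized allow-list, findings) for a proposed CORS configuration."""
    allowed, findings = set(), []
    if allow_any_origin:
        findings.append("any-origin access enabled: the explicit list no longer restricts callers")
    for entry in entries:
        try:
            origin = normalize_origin(entry)
        except ValueError as err:
            findings.append(f"rejected {entry!r}: {err}")
            continue
        if origin.startswith("http://"):
            findings.append(f"{origin}: plaintext origin, prefer https")
        allowed.add(origin)
    return allowed, findings


def origin_allowed(origin_header, allowed, allow_any_origin=False):
    """Exact-match an incoming Origin header value against the allow-list."""
    if allow_any_origin:
        return True  # every value passes, including the literal "null" origin
    try:
        return normalize_origin(origin_header) in allowed
    except ValueError:
        return False


if __name__ == "__main__":
    allowed, findings = audit_cors(SAMPLE_ENTRIES)
    print(sorted(allowed))
    for finding in findings:
        print(finding)
```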
Delete an allowed origin
You can delete a URL from the list of allowed origins or disable access from all origins.
- In the Access Settings section, click API Access.
- In the CORS Settings section, modify one of the following access configurations.
  - To delete a specific URL, click the delete (X) icon next to the origin you want to delete.
  - To disable access from any URL, clear the Allow API requests from any Origin checkbox.
- Click Save Settings.
Appliance Settings
You can configure the following components of the ExtraHop appliance in the Appliance Settings section.
- Running Config
- Download and modify the running configuration file.
- Services
- Enable or disable the Web Shell, management GUI, SNMP service, and SSH access. The Services page appears only on ExtraHop Discover and Command appliances.
- Firmware
- Upgrade the ExtraHop system firmware.
- System Time
- Configure the system time.
- Shutdown or Restart
- Halt and restart system services.
- License
- Update the license to enable add-on modules.
- Disks
- Provides information about the disks in the appliance.
- Reset Packetstore
- Delete all packets stored on the ExtraHop Trace appliance. The Reset Packetstore page appears only on the Trace appliance.
Running config
The Running Config page provides an interface to view and modify the code that specifies the default system configuration and save changes to the current running configuration so the modified settings are preserved after a system restart.
The following controls are available to manage the default running system configuration settings:
- Save config or Revert config
- Save changes to the current default system configuration. The Revert config option appears when there are unsaved changes.
- Edit config
- View and edit the underlying code that specifies the default ExtraHop appliance configuration.
- Download config as a file
- Download the system configuration to your workstation.
Note: Making configuration changes to the code on the Edit page is not recommended. You can make most system modifications through other pages in the Admin UI.
Saving running config changes
When you modify any of the ExtraHop appliance default system configuration settings, you need to confirm the updates by saving the new settings. If you do not save the new settings, they will be lost when your ExtraHop appliance is rebooted.
The Save page includes a diff feature that displays the changes. This feature provides a final review step before you write the new configuration changes to the default system configuration settings.
When you make a change to the running configuration, either from the Edit Running Config page, or from another system settings page in the Admin UI, changes are saved in memory and take effect immediately, but they are not usually saved to disk. If the system is restarted before the running configuration changes are saved to disk, those changes will be lost.
As a reminder that the running configuration has changed, the Admin UI provides the following three notifications:
- Save Configuration
- The Admin UI displays a button on the specific page that you modified to remind you to save the change to disk. When you click View and Save Changes, the UI redirects to the Save page described above.
- Running Config*
- The Admin UI adds a red asterisk (*) next to the Running Config entry on the Admin UI main page. This asterisk indicates that the running configuration has been changed, but it has not been saved to disk.
- Save*
- The Admin UI adds a red asterisk (*) next to the Save entry on the Running Config page. This asterisk indicates that the running configuration has been changed, but it has not been saved to disk.
After you make changes to the running configuration, the Running Config page displays another entry through which you can revert the changes.
Edit running config
The ExtraHop Admin UI provides an interface to view and modify the code that specifies the default system configuration. In addition to making changes to the running configuration through the settings pages in the Admin UI, changes can also be made on the Running Config page.
Note: Do not modify the code on the Running Config page unless instructed by ExtraHop Support.
Download the running config as a text file
You can download the running config file as a text file to your workstation. We recommend that you save a copy of this file in case of an unexpected system failure. The saved running config file can be uploaded to an ExtraHop appliance to restore system customizations and settings.
- Log into the Admin UI on the ExtraHop appliance.
- In the Appliance Settings section, click Running Config.
- Click Download config as a file.
Firmware
The Admin UI provides an interface to upload and delete the firmware on ExtraHop appliances.
The Admin UI includes the following firmware configuration settings:
- Upgrade
- Upload and install new ExtraHop appliance firmware versions.
- Delete
- Select and delete installed firmware versions from the ExtraHop appliance.
You can download the latest firmware at the ExtraHop Customer Portal. A checksum of the uploaded firmware is usually available in the same download location as the .tar firmware file. If there is an error during firmware installation, ExtraHop Support might ask you to verify the checksum of the firmware file.
Firmware images that you want to upload must be accessible from the computer on which you are running the web browser.
Note: If you are upgrading the firmware on a Command appliance, first upgrade the Command appliance, next update all Discover appliances, and finally upgrade each Explore and Trace appliance individually. To function correctly, the Command appliance and Discover appliances must have the same minor version of ExtraHop firmware.
Upgrade the firmware on your ExtraHop appliance
The following procedure shows you how to upgrade your ExtraHop appliance to the latest firmware release. While the firmware upgrade process is similar across all ExtraHop appliances, some appliances have additional considerations or steps that you must address before you install the firmware in your environment. If you need assistance with your upgrade, contact ExtraHop Support.
Pre-upgrade checklist
Here are some important considerations and requirements about upgrading ExtraHop appliances.
- If you have multiple types of ExtraHop appliances, you must upgrade them in the following order:
  - Command appliance
  - Discover appliances
  - Explore appliances
  - Trace appliances
- If you have a Command appliance, apply the following guidance:
  - For large Command appliance deployments (managing 50,000 devices or more), reserve a minimum of one hour to perform the upgrade.
  - The Command appliance firmware version must be greater than or equal to the firmware version of all connected appliances.
- If you have Explore appliances, apply the following guidance:
  - You must halt the ingest of records from Command and Discover appliances before upgrading. Temporarily remove any connected Explore appliances, or alternatively, disable triggers that commit records and disable the automatic flow records setting. You can re-enable these settings after the Explore cluster status returns to green.
  - You must upgrade all Explore nodes in an Explore cluster. Note that during the upgrade, any nodes on different firmware versions might be unable to communicate with each other. During the upgrade process, the message "Error determining cluster state" might appear in the Explore Cluster settings section in the Admin UI of any node. After all of the nodes in the cluster are upgraded, the message no longer appears.
Delete firmware versions
The ExtraHop appliance stores every firmware image that has been uploaded to the system. For maintenance purposes, these firmware images can be deleted from the system.
System time
When capturing data, it is helpful to have the time on the ExtraHop appliance match the local time of the router. The ExtraHop appliance can set time locally or synchronize time with a time server. By default, system time is set locally, but we recommend that you change this setting and set time through a time server.
The System Time page displays the current configuration and the status of all configured NTP servers.
- Time Zone. Displays the currently selected time zone.
- System Time. Displays the current system time.
- Time Servers. Displays a comma-separated list of configured time servers.
- remote
- The host name or IP address of the remote NTP server you have configured to synchronize with.
- st
- The stratum level, 0 through 16.
- t
- The type of connection. This value can be u for unicast or manycast, b for broadcast or multicast, l for local reference clock, s for symmetric peer, A for a manycast server, B for a broadcast server, or M for a multicast server.
- when
- The last time when the server was queried for the time. The default value is seconds, or m is displayed for minutes, h for hours, and d for days.
- poll
- How often the server is queried for the time, with a minimum of 16 seconds to a maximum of 36 hours.
- reach
- Value that shows the success and failure rate of communicating with the remote server. Success means the bit is set, failure means the bit is not set. 377 is the highest value.
- delay
- The round trip time (RTT) of the ExtraHop appliance communicating with the remote server, in milliseconds.
- offset
- Indicates how far off the ExtraHop appliance clock is from the reported time the server gave you. The value can be positive or negative, displayed in milliseconds.
- jitter
- Indicates the difference, in milliseconds, between two samples.
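An added example, not ExtraHop code, showing how to read the fields described above: it decodes reach (an octal view of the last eight polls, so 377 means all eight succeeded), converts when to seconds, and flags time servers that need attention. The sample table is constructed in the column order listed on this page, and the function names, the "-" placeholder for a server that never answered, and the 100 ms offset threshold are assumptions.

```python
UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400}

# Constructed sample in the column order listed above; not real appliance output.
SAMPLE_STATUS = """
remote            st t when poll reach   delay   offset  jitter
ntp1.example.net   2 u   37   64   377   1.204    0.310   0.122
ntp2.example.net   3 u   5m  256   357  18.900   -4.870   2.410
ntp3.example.net  16 u    -   64     0   0.000    0.000   0.000
ntp4.example.net   2 u   12   64    17   2.050  250.400   0.900
"""


def decode_reach(reach):
    """Expand the octal reach value into eight poll results, newest first."""
    value = int(reach, 8)
    if not 0 <= value <= 0o377:
        raise ValueError(f"reach out of range: {reach}")
    # Bit 0 is the most recent poll; each new poll shifts the older ones left.
    return [bool((value >> bit) & 1) for bit in range(8)]


def when_seconds(when):
    """Convert the when column to seconds; None if the server never answered."""
    if when == "-":  # assumed placeholder for "never"
        return None
    if when[-1] in UNIT_SECONDS:
        return int(when[:-1]) * UNIT_SECONDS[when[-1]]
    return int(when)  # no suffix means seconds


def parse_status(text):
    """Parse a whitespace-separated table whose first line names the columns."""
    lines = [line.split() for line in text.strip().splitlines()]
    header, rows = lines[0], lines[1:]
    return [dict(zip(header, row)) for row in rows]


def assess(peer, max_offset_ms=100.0):
    """Return a list of problems for one time server row (empty if healthy)."""
    problems = []
    polls = decode_reach(peer["reach"])
    if not any(polls):
        problems.append("no reply in the last 8 polls")
    else:
        # Zero bits older than the oldest reply may be polls that have not
        # happened yet (register still filling), so only count newer gaps.
        oldest_reply = max(i for i, ok in enumerate(polls) if ok)
        missed = polls[: oldest_reply + 1].count(False)
        if missed:
            state = "latest succeeded" if polls[0] else "including the latest"
            problems.append(f"{missed} missed poll(s) since the oldest recorded reply, {state}")
    if int(peer["st"]) >= 16:
        problems.append("stratum 16: server is unsynchronized")
    # Offset is only meaningful when at least one poll was answered.
    if any(polls) and abs(float(peer["offset"])) > max_offset_ms:
        problems.append(f"offset {peer['offset']} ms exceeds {max_offset_ms} ms")
    return problems


def review(text, max_offset_ms=100.0):
    """Map each remote server name to its list of problems."""
    return {p["remote"]: assess(p, max_offset_ms) for p in parse_status(text)}


if __name__ == "__main__":
    for remote, problems in review(SAMPLE_STATUS).items():
        print(remote, "OK" if not problems else "; ".join(problems))
```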
Shutdown or restart the system
You can shut down or restart the Trace appliance in the Admin UI.
- In the Appliance Settings section, click Shutdown or Restart.
- In the Actions column, select one of the following options:
  - Click Restart and then on the confirmation page, click Restart to restart the appliance.
  - Click Shutdown, and then on the confirmation page, click Shut down to shut down the system and power off the appliance.
License
The Admin UI provides an interface to add and update licenses for add-in modules and other features available in the ExtraHop appliance. The License Administration page includes the following licensing information and settings:
- Manage license
- Provides an interface to add and update the ExtraHop appliance
- System Information
- Displays the identification and expiration information about the ExtraHop appliance.
- Features
- Displays the list of licensed features and whether the licensed features are enabled or disabled.
View the licensing system information
- In the Appliance Settings section, click License.
- On the License Administration page, under System Information, view the ExtraHop appliance information.
Update a license
If ExtraHop Support provides you with a license file, you can install this file on your appliance to update the license.
Note: If you want to update the product key for your appliance, you must register your ExtraHop appliance.
Disks
The Disks page provides information about the configuration and status of the disks in your Trace appliance as well as the disks in any attached storage units.
Note: We recommend that you configure the settings to receive email notifications about your system health. If a disk is beginning to experience problems, you will be alerted. For more information, see the Notifications section.
The following information displays on the page:
- Drive Map
- Provides a visual representation of the front of the Trace appliance. The drive map does not appear in the Admin UI on the virtual Trace appliance.
- RAID Disk Details
- Provides access to detailed information about all the disks in the node.
- Datastore
- Displays information about disks reserved for data storage and the option to encrypt the datastore disk. For more information, see the Encrypt the packetstore disk section.
- Direct Connect Disk
- Displays information about the SD memory cards. The memory cards have the following roles:
- Firmware
- Displays information about disks reserved for the firmware.
- Utility
- Displays information about disks reserved for system files.
- External Packetstore Disks
- Displays information about ExtraHop extended storage units.
Encrypt the packetstore disk
You can encrypt the disk that packet captures are stored on for increased security. The disk is secured with 128-bit AES keys.
Warning: You cannot decrypt a packet capture disk after it is encrypted. You can reformat an encrypted disk; however, all data stored on the disk will be lost. To perform a secure delete (secure wipe) of all system data, see the ExtraHop Rescue Media Guide.
- In the Appliance Settings section, click Disks.
- In the Datastore section, click Disk Encryption Settings.
- Click Encrypt Disk.
- Specify a disk encryption key by choosing one of the following options.
  - To encrypt the disk with a passphrase, type a passphrase into the Passphrase and Confirm fields.
  - To encrypt the disk with a key file, click Choose File, and then browse to an encryption key file.
- Click Encrypt.
Change the packet capture disk encryption key
- In the Status section, click Disks.
- In the Datastore section, click Disk Encryption Settings.
- Click Change Disk Encryption Key.
- Specify the existing encryption key.
Option | Description |
---|---|
If you entered an encryption passphrase | Type a passphrase into the Passphrase field. |
If you selected an encryption key file | Click Choose File, and then browse to an encryption key file. |
- Specify a new disk encryption key.
Option | Description |
---|---|
To enter an encryption passphrase | Type a passphrase into the Passphrase and Confirm fields. |
To select an encryption key file | Click Choose File, and then browse to an encryption key file. |
- Click Change Key.
Add storage capacity to the ExtraHop Trace appliance
Adding additional storage capacity to your Trace appliance enables you to store more packets and extend the amount of lookback available when running packet queries.
Compatibility
ExtraHop Trace Appliance | Extended Storage Unit |
---|---|
ETA 6150 |
You can attach a mix of 72 TB and 96 TB ESUs to the ETA 6150. |
ETA 8250 |
|
You can attach up to four ESUs to a Trace appliance. |
Installation prerequisites
- ExtraHop Trace appliance with firmware release 6.2.0 or later. If you have not deployed the Trace appliance, follow the instructions in the Deploy the ExtraHop Trace 6150 Appliance or Deploy the ExtraHop Trace 8250 Appliance guides.
- ExtraHop license for the extended packetstore feature
- ExtraHop extended storage unit for the ExtraHop Trace appliance
- 2U of rack space and 2 x 600W power
- Power cables
- SAS cables
- Rail kit
Set up the extended storage unit
- Install the extended storage unit in your data center with the included rack-mounting kit. The mounting kit supports most four-post racks with either round or square holes.
- Connect the power cables to the power supply units (PSUs).
Shut down the Trace appliance
- Log into the Admin UI on the Trace appliance.
- In the Appliance Settings section, click Shutdown or Restart.
- In the Actions column, click Shutdown.
- On the confirmation page, click Shut down.
Connect the extended storage unit
The extended storage unit connects to the Trace appliance through both of the two enclosure management modules (EMMs). Each EMM has four ports for connecting the SAS cables.
In a redundant configuration, the storage units are linked together in a series, with one of the extended storage units connected to both host bus adapter (HBA) ports on the Trace appliance, as shown in the following figure.

Managing extended storage units with a foreign packetstore status
When an extended storage unit with an existing RAID configuration is connected to a RAID controller on the Trace appliance, the extended storage unit is designated as “foreign”. This status can occur when an extended storage unit was previously connected and then disconnected from the RAID controller on the Trace appliance and when the extended storage unit was configured on a RAID controller other than the Trace appliance it was originally connected to.
Reset the packetstore
In certain circumstances, you might want to reset the packetstore on the Trace appliance. For example, if you accidentally collected packets with sensitive data or from the wrong data feed, you can reset the datastore so the packets do not appear in any packet queries.
Warning: If you reset the packetstore, all existing packets stored on the Trace appliance will be inaccessible to packet queries.
- In the Appliance Settings section, click Reset Packetstore.
- Type YES in the confirmation field and then click Reset Packetstore.
Trace cluster settings
The Trace Cluster Settings section includes the following sections:
- Managers and Connected Appliances
- View the hostname of the Command appliance that is configured to manage the Trace appliance as well as a list of all Discover appliances and Command appliances connected to the Trace appliance.
- Packet Query Status
- View a list of all packet queries generated from connected Command and Discover appliances.
- Connect to a Command Appliance
- Configure settings to enable a Command appliance to remotely run support scripts and upgrade firmware on the Trace appliance.
Manager and Connected Appliances
The Manager and Connected Appliances page contains the following information and controls:
- Manager
- Displays the hostname of the Command appliance that is configured to manage the Trace appliance. To connect a Command appliance through a tunneled connection, click Connect to a Command Appliance. A tunneled connection might be required if a direct connection cannot be established through the Command appliance. Click Remove Manager to remove the Command appliance as the manager.
Note: The Trace appliance can be managed by only one Command appliance.
- Connected Appliances
- Displays a table of all Discover appliances and Command appliances connected to the Trace appliance. The table includes the hostname of the connected client and the client product key.
Packet Query Status
The Packet Query Status page provides a collection of metrics about the Trace appliance.
Help on this page
The metrics on this page can help you troubleshoot problems and determine why the ExtraHop appliance is not performing as expected.
- Packet Query Status
- Displays statistics about packet queries run in the ExtraHop Web UI.
If the number of simultaneous packet queries exceeds the maximum allotted system memory, errors might occur and you must delete in-progress or completed queries by clicking the Remove or Remove All button before you can create new queries. Queries are cached until you navigate away from the Packet Query page in the Web UI.
- Packetstore Disks
- Displays statistics about packet storage disks.
- SSL Session Key Storage
- Displays statistics about session keys stored on the Trace appliance. For information about session key storage, see Store SSL session keys on connected Trace appliances.
Remove packet queries
You can remove one or more packet queries to clear query memory and disk cache.
- In the Trace Cluster Settings section, click Packet Query Status.
- Do one of the following:
  - To remove a single query, click Remove in the Actions column of the query you want to remove.
  - To remove all listed queries, click Remove All.
Connect to a Command appliance
Connect the Trace appliance to a Command appliance to remotely run support scripts and upgrade firmware on the Trace appliance.
The Trace appliance connects to the Command appliance through a tunneled connection. Tunneled connections are required in network environments where a direct connection from the Command appliance is not possible because of firewalls or other network restrictions.