Admin UI Guide
Introduction to the ExtraHop Admin UI
The Admin UI Guide provides detailed information about the administrator features and functionality of the ExtraHop Discover and Command appliances. This guide provides an overview of the global navigation and information about the controls, fields, and options available throughout the UI.
After you have deployed your Discover or Command appliance, see the Discover and Command Post-deployment Checklist.
We value your feedback. Please let us know how we can improve this document. Send your comments or suggestions to documentation@extrahop.com.
Supported Browsers
The following browsers are compatible with all ExtraHop appliances. We recommend that you install the latest version of the browser.
- Firefox
- Google Chrome
- Internet Explorer 11
- Safari
You must allow cookies and ensure that Adobe Flash Player is installed and enabled. Visit the Adobe website to confirm that Flash Player is installed and up-to-date.
Status and Diagnostics
The Status and Diagnostics section provides metrics about the overall health of your ExtraHop appliance.
Health
The Health page provides a collection of metrics that helps you to monitor the operation of your ExtraHop appliance and enables ExtraHop Support to troubleshoot system errors if necessary.
- System
- Reports the following information about the system CPU usage and hard disk.
- CPU User
- The percentage of CPU usage associated with the ExtraHop appliance user.
- CPU System
- The percentage of CPU usage associated with the ExtraHop appliance.
- CPU Idle
- The CPU Idle percentage associated with the ExtraHop appliance.
- CPU IO
- The percentage of CPU usage associated with the ExtraHop appliance IO functions.
- Bridge Status
- Reports the following information about the ExtraHop appliance bridge component.
- VM RSS
- The bridge process physical memory in use.
- VM Data
- The bridge process heap virtual memory in use.
- VM Size
- The bridge process total virtual memory in use.
- Start Time
- Specifies the start time for the ExtraHop appliance bridge component.
- Capture Status
- Reports the following information about the ExtraHop appliance network capture status.
- VM RSS
- The network capture process physical memory in use.
- VM Data
- The network capture process heap virtual memory in use.
- VM Size
- The network capture process total virtual memory in use.
- Start Time
- The start time for the ExtraHop network capture.
- Service Status
- Reports the status of ExtraHop appliance services.
- exalerts
- The amount of time the ExtraHop appliance alert service has been running.
- extrend
- The amount of time the ExtraHop appliance trend service has been running.
- exconfig
- The amount of time the ExtraHop appliance config service has been running.
- exportal
- The amount of time the ExtraHop appliance web portal service has been running.
- exshell
- The amount of time the ExtraHop appliance shell service has been running.
- Interfaces
- Reports the status of ExtraHop appliance system interfaces.
- RX packets
- The number of packets received by the ExtraHop appliance on the specified interface.
- RX Errors
- The number of received packet errors on the specified interface.
- RX Drops
- The number of received packets dropped on the specified interface.
- TX Packets
- The number of packets transmitted by the ExtraHop appliance on the specified interface.
- TX Errors
- The number of transmitted packet errors on the specified interface.
- TX Drops
- The number of transmitted packets dropped on the specified interface.
- RX Bytes
- The number of bytes received by the ExtraHop appliance on the specified interface.
- TX Bytes
- The number of bytes transmitted by the ExtraHop appliance on the specified interface.
- Partitions
- Reports the memory that has been allocated to system components for the ExtraHop appliance.
- Name
- The system components that have a memory partition in NVRAM.
- Options
- The read-write options for the system components.
- Size
- The partition size in gigabytes that is allocated for the system component.
- Utilization
- The amount of memory that is currently consumed by the system components, as a quantity and as a percentage of the total partition.
Audit Log
The audit log provides data about the operations of your ExtraHop appliance, broken down by component. The audit log lists all known events by timestamp, in reverse chronological order.
Send audit log data to a remote syslog server
The ExtraHop appliance audit log provides 90 days of lookback data about the operations of the system, broken down by component. You can view the audit log entries in the Admin UI or you can send the audit log events to a syslog server for long-term storage, monitoring, and advanced analysis. All logged events are listed in the Audit log events table below.
The following steps show you how to configure the ExtraHop appliance to send audit log data to a remote syslog server.
Next steps
After you confirm that your new settings are working as expected, preserve your configuration changes by saving the Running Config file.Audit log events
The following events on an ExtraHop appliance generate an entry in the audit log.
| Category | Event |
|---|---|
| Agreements |
|
| API |
|
| Appliance Migration |
|
| Appliance user |
|
| Atlas |
|
| Browser sessions |
|
| Command appliance |
|
| Dashboards |
|
| Datastore |
|
| Detections |
|
| EDA Remote Access |
|
| Exception files |
|
| Explore appliance records |
|
| Explore cluster |
|
| ExtraHop Update Service |
|
| Firmware |
|
| License |
|
| Login from Web UI or Admin UI |
|
| Login from SSH or REST API |
|
| Network |
|
| Offline capture |
|
| PCAP |
|
| RPCAP |
|
| Running Config |
|
| SAML Identity Provider |
|
| SAML login |
|
| SSL decryption |
|
| SSL session keys |
|
| Support account |
|
| Support Script |
|
| Syslog |
|
| System and service status |
|
| System time |
|
| Trace appliance |
|
| Trace appliance packetstore |
|
| Trends |
|
| Triggers |
|
| User Groups |
|
Fingerprint
Fingerprints help secure appliances from man-in-the-middle attacks by providing a unique identifier that can be verified when connecting ExtraHop appliances.
When connecting an Explore or Trace appliance with a Discover or Command appliance, make sure that the fingerprint displayed is exactly the same as the fingerprint shown on the join or pairing page.
If the fingerprints do not match, communications between the devices might have been intercepted and altered.
Exception Files
Exception files are a core file of the data stored in memory. When you enable the Exception File setting, the core file is written to the disk if the system unexpectedly stops or restarts. This file can help ExtraHop Support diagnose the issue.
- Click Enable Exception Files or Disable Exception Files to enable or disable the saving of exception files.
Support Scripts
ExtraHop Support might provide a support script that can apply a special setting, make a small adjustment to the ExtraHop appliance, or provide help with remote support or enhanced settings. The Admin UI enables you to upload and run support scripts.
Network Settings
The Network Settings section provides configuration settings for your ExtraHop appliance. These settings enable you to set a hostname, configure notifications, and manage connections to your appliance.
Connect to ExtraHop Cloud Services (Command appliance only)
ExtraHop Cloud Services provides access to ExtraHop cloud-based services through an encrypted connection. By enabling the Command appliance for remote access, you can allow designated ExtraHop staff to connect to your ExtraHop appliances for configuration help.
Connect to ExtraHop Cloud Services
ExtraHop Cloud Services provides access to ExtraHop cloud-based services through an encrypted connection. The services you are connected to are determined by your appliance license.
- ExtraHop Machine Learning Service (formerly Addy) enables Detections for your ExtraHop system. In Reveal(x) systems, you can enable security-only or security and performance detections.
- ECA Remote Access and EDA Remote Access enables you to allow designated ExtraHop designated staff, ExtraHop analysts, and ExtraHop Support to connect to your ExtraHop appliances for configuration help.
- ExtraHop Update Service enables automatic updates of resources such as ransomware packages on Command and Discover appliances.
Before you begin
- You must apply the relevant license on the ExtraHop appliance before you can connect to ExtraHop Cloud Services. See the License FAQ for more information.
- You must have unlimited privileges to access the ExtraHop Admin UI and to connect to ExtraHop Cloud Services.
Next steps
Learn how to navigate and interpret detections in DetectionsTroubleshoot your connection to ExtraHop Cloud Services
You must establish a connection to ExtraHop Cloud Services to enable the Machine Learning Service (formerly Addy) and access the Detections page. However, if the connection fails or you do not have a direct internet connection, you can connect to the internet through a proxy server specifically designated for ExtraHop Cloud Services and Atlas connectivity. This guide explains how to troubleshoot common connectivity issues.
Before you begin
- You must have a valid license to connect to the ExtraHop Machine Learning Service. See the License FAQ for additional information. Note that it can take up to 24 hours for a license update to be available for your ExtraHop appliance after your request for a valid license is enabled.
- You must have unlimited privileges to access the ExtraHop Admin UI and to connect to ExtraHop Cloud Services.
- You must have familiarity with modifying the Running Config file. The Running Config file manages default system configurations and must be saved if you want the modified settings to be preserved after a system restart.
Configure your firewall rules
Before you can connect to the Machine Learning Service, you must allow access to the ExtraHop Cloud Services through any firewalls.
Connection to ExtraHop Cloud Services requires that your environment is able to meet the following conditions:
- The ability to perform a DNS lookup of *.extrahop.com
- The ability to connect to ExtraHop Cloud Services through HTTPS (port 443)
The server IP address for ExtraHop Cloud Services might change periodically, but you can identify the current IP address by running one of the following commands, based on your geographic location.
Portland, U.S.A.:
nslookup pdx.hopcloud.extrahop.com
Sydney, Australia:
nslookup syd.hopcloud.extrahop.com
Frankfurt, Germany:
nslookup fra.hopcloud.extrahop.com
Connect to the Machine Learning Service through a proxy
If the connection fails or you do not have a direct internet connection, try connecting to the Machine Learning Service through an explicit proxy.
- Log into the Admin UI on the Discover appliance.
- In the Network Settings section, click Connectivity.
- Click Enable ExtraHop Cloud Proxy.
- Type the hostname for your proxy server, such as proxyhost.
- Type the port for your proxy server, such as 8080.
- (Optional): If required, type a username and password for your proxy server.
- Click Save.
Bypass certificate validation
Some environments are configured so that encrypted traffic cannot leave the network without inspection by a third-party device. This device can act as an SSL/TLS endpoint, which decrypts and re-encrypts the traffic before sending the packets to ExtraHop Cloud Services.
If the ExtraHop appliance cannot connect to the proxy server because the certificate validation has failed, you can bypass certificate validation and connect to ExtraHop Cloud Services.
Atlas Services
Atlas Services provide ExtraHop customers with a remote analysis report that is delivered monthly. The report contains specific recommendations for critical components across the application delivery chain.
| Important: | The Atlas Services page is deprecated on the Discover appliance. To allow ExtraHop analysts access to the Discover appliance, configure access through ExtraHop Cloud Services. |
Connect to Atlas services
If you have signed up for the Atlas service, you will receive monthly customized reports about your ExtraHop data. This guide shows you how to connect to the service and how to troubleshoot common connectivity issues.
Before you begin
You can establish a connection to the Atlas server from the Admin UI of your ExtraHop Explore or Trace appliance. If you have a firewall or proxy, you must first open access through those servers.| Important: | The procedures in this guide require access to the appliance Admin UI and require that you modify the Running Config file. You can view and modify the code in the Running Config file, which specifies the default system configuration and saves changes to the current running configuration so the modified settings are enabled after a system restart. For more information, see the Running Config section of the ExtraHop Admin UI Guide. |
| Note: | For Discover appliances, see Connect to ExtraHop Cloud Services. |
Configure your firewall rules
Before you can connect to the Atlas server, you must allow access to the Atlas public IP server through any firewalls. If you do not have a firewall, you can skip this section.
- The ability to complete a DNS lookup of *.a.extrahop.com
- The ability to connect to the Atlas server through HTTPS (port 443)
ExtraHop Networks can change the Atlas server IP address at any time, but you can identify the current IP address by selecting from one of the following options:
When connecting from EMEA, run the following command:
ping atlas-eu.a.extrahop.com
ping example.a.extrahop.com
Connect to Atlas through a proxy
If you want to connect to Atlas services through a proxy, configure the proxy settings in the ExtraHop Admin UI. If you do not have a proxy, you can skip this section.
- In the Network Settings section, click Connectivity.
- Click Enable ExtraHop Cloud Proxy. Click Change ExtraHop Cloud Proxy to modify an existing configuration.
- Click Enable ExtraHop Cloud Proxy.
- Type the hostname or IP address for your proxy server.
- Type the port number for your proxy server, such as 8080.
- (Optional): If required, type a username and password for your proxy server.
- Click Save.
Bypass certificate validation
Some environments are configured so that encrypted traffic cannot leave the network without inspection by a third-party device. This device can act as an SSL/TLS endpoint, which decrypts and re-encrypts the traffic before sending the packets to the Atlas server. If your environment is not set up for inspection by third-party devices, you can skip this section.
The ExtraHop appliance cannot connect to the Atlas server if certificate validation has failed. To bypass certificate validation and connect to the Atlas server, you must modify the Running Config file.
- Log into the Admin UI on the ExtraHop appliance you want to connect to Atlas services.
- In the Appliance Settings section, click Running Config.
- Click Edit config.
-
Add the entry to the Running Config file by completing the following
steps:
- Add a comma after the second to last curly brace (}).
- Press ENTER to create a new line.
- Paste "ecm": { "atlas_verify_cert": false } on the new line before the final curly brace (}).
- Click Update.
- Click View and Save Changes.
- Review the changes and click Save.
- Click Done.
Connectivity
The Connectivity page contains controls for your appliance connections and network settings.
- Interface Status
- On physical appliances, a diagram of interface connections appears, which updates
dynamically based on the port status.
- The blue Ethernet port is for management
- A black Ethernet port indicates a licensed and enabled port that is currently down
- A green Ethernet port indicates an active, connected port
- A gray Ethernet port indicates a disabled or unlicensed port
- Network Settings
-
- Click Change Settings to add a hostname for your ExtraHop appliance or to add DNS servers.
- Proxy Settings
-
- Enable a global proxy to connect to an ExtraHop Command appliance
- Enable a cloud proxy to connect to ExtraHop Cloud Services
- Bond Interface Settings
-
- Create a bond interface to bond multiple interfaces together into one logical interface with a single IP address.
- Interfaces
- View and configure your management and monitoring interfaces. Click any interface to display setting options.
Configure an interface
Interface throughput
ExtraHop appliance models EDA 6100, EDA 8100 and EDA 9100 are optimized to capture traffic exclusively on 10GbE ports.
Enabling the 1GbE interfaces for monitoring traffic can impact performance, depending on the ExtraHop appliance. While you can optimize these appliances to capture traffic simultaneously on both the 10GbE ports and the three non-management 1GbE ports, we recommend that you contact ExtraHop Support for assistance to avoid reduced throughput.
| Note: | EDA 6200, EDA 8200, EDA 9200, and EDA 10200 appliances are not susceptible to reduced throughput if you enable 1GbE interfaces for monitoring traffic. |
| ExtraHop Appliance | Throughput | Details |
|---|---|---|
| EDA 9100 | Standard 40Gbps throughput | If the non-management 1GbE interfaces are disabled, you can use up to four of the 10GbE interfaces for a combined throughput of up to 40Gbps. |
| EDA 8100 | Standard 20Gbps throughput | If the non-management 1GbE interfaces are disabled, you can use either one or both of the 10GbE interfaces for a combined throughput of up to 20Gbps. |
| EDA 6100 | Standard 10Gbps throughput | If the non-management 1GbE interfaces are disabled, the maximum total combined throughput is 10Gbps. |
| EDA 3100 | Standard 3Gbps throughput | No 10GbE interface |
| EDA 1100 | Standard 1Gbps throughput | No 10GbE interface |
Set a static route
Before you begin
You must disable DHCPv4 before you can add a static route.- On the Edit Interface page, ensure that the IPv4 Address and Netmask fields are complete and saved, and click Edit Routes.
- In the Add Route section, type a network address range in CIDR notation in the Network field and IPv4 address in the Via IP field and then click Add.
- Repeat the previous step for each route you want to add.
- Click Save.
Global proxy server
If your network topology requires a proxy server to enable your ExtraHop appliance to communicate either with a Command appliance or with other devices outside of the local network, you can enable your ExtraHop appliance to connect to a proxy server you already have on your network. Internet connectivity is not required for the global proxy server.
| Note: | Only one global proxy server can be configured per ExtraHop appliance. |
Complete the following fields and click Save to enable a global proxy.
Hostname: The hostname or IP address for your global proxy server.
Port: The port number for your global proxy server.
Username: The name of a user that has for access to your global proxy server.
Password: The password for the user specified above.
ExtraHop Cloud proxy
If your ExtraHop appliance does not have a direct internet connection, you can connect to the internet through a proxy server specifically designated for ExtraHop Cloud services and Atlas connectivity. Only one proxy can be configured per ExtraHop appliance.
| Note: | If no cloud proxy server is enabled, the ExtraHop appliance will attempt to connect through the global proxy. If no global proxy is enabled, the ExtraHop appliance will connect through an HTTP proxy to enable the services. |
Complete the following fields and click Save to enable a cloud proxy.
Hostname: The hostname or IP address for your cloud proxy server.
Port: The port number for your cloud proxy server.
Username: The name of a user that has for access to your cloud proxy server.
Password: The password for the user specified above.
Bond interfaces
You can bond multiple 1GbE interfaces on your ExtraHop appliance together into a single logical interface that has one IP address for the combined bandwidth of the member interfaces. Bonding interfaces enable a larger throughput with a single IP address. This configuration is also known as link aggregation, port channeling, link bundling, Ethernet/network/NIC bonding, or NIC teaming. Only 1GbE interfaces are supported for bond interfaces. Bond interfaces cannot be set to monitoring mode.
| Note: | When you modify bond interface settings, you lose connectivity to your ExtraHop appliance. You must make changes to your network switch configuration to restore connectivity. The changes required are dependent on your switch. Contact ExtraHop Support for assistance before you create a bond interface. |
Interfaces chosen as members of a bond interface are no longer independently configurable and are shown as Disabled (bond member) in the Interfaces section of the Connectivity page. After a bond interface is created, you cannot add more members or delete existing members. The bond interface must be destroyed and recreated.
Create a bond interface
You can create a bond interface with at least one interface member and up to the number of members that are equivalent to the number of 1GbE interfaces on your ExtraHop appliance.
Modify bond interface settings
After a bond interface is created, you can modify most settings as if the bond interface is a single interface.
Destroy a bond interface
When a bond interface is destroyed, the separate interface members of the bond interface return to independent interface functionality. One member interface is selected to retain the interface settings for the bond interface and all other member interfaces are disabled. If no member interface is selected to retain the settings, the settings are lost and all member interfaces are disabled.
- In the Network Settings section, click Connectivity.
- In the Bond Interfaces section, click the red X next to the interface you want to destroy.
- On the Destroy Bond Interface <interface number> page, select the member interface to move the bond interface settings to. Only the member interface selected to retain the bond interface settings remains active, and all other member interfaces are disabled.
- Click Destroy.
Flow Networks
You must configure network interface and port settings on the ExtraHop Discover appliance before you can collect NetFlow or sFlow data from remote flow networks (flow exporters). The ExtraHop system supports the following flow technologies: Cisco NetFlow Version 5 (v5) and Version 9 (v9), AppFlow, IPFIX, and sFlow.
In addition to configuring your Discover appliance, you must configure your network devices to send sFlow or NetFlow traffic. Refer to your vendor documentation or see sample Cisco configurations in the appendix.
Configure the Discover appliance to collect traffic from NetFlow and sFlow devices
You must configure network interface and port settings on the ExtraHop Discover appliance before you can collect NetFlow or sFlow data from remote flow networks (flow exporters). The ExtraHop system supports the following flow technologies: Cisco NetFlow v5 and v9, AppFlow, IPFIX, and sFlow.
Before you begin
You must log in as a user with unlimited privileges to complete the following steps.Configure the interface on your Discover appliance
Configure the flow type and the UDP port over which flow data is collected
- In the Network Settings section, click Flow Networks.
- In the Ports section, type the UDP port number in the Port field. The default port for Net Flow is 2055 and the default port for sFlow is 6343. You can add additional ports as needed for your environment.
- From the Flow Type drop-down menu, select NetFlow or sFlow. For AppFlow traffic, select NetFlow.
- Click the plus icon (+) to add the port.
- Save the running configuration file to preserve your changes by clicking View and Save Changes at the top of the Flow Networks page, and then click Save.
View configured flow networks
After you configure your flow networks, log into the Web UI on the Discover appliance to view built-in charts and modify settings and configurations.
Configure Cisco NetFlow devices
The following examples of basic Cisco router configuration for NetFlow. NetFlow is configured on a per-interface basis. When NetFlow is configured on the interface, IP packet flow information will be exported to the Discover appliance.
| Important: | NetFlow takes advantage of the SNMP ifIndex value to represent ingress and egress interface information in flow records. To ensure consistency of interface reporting, enable SNMP ifIndex persistence on devices sending NetFlow to the Discover appliance. For more information on how to enable SNMP ifIndex persistence on your network devices, refer the configuration guide provided by the device manufacturer. |
For more information on configuring NetFlow on Cisco switches, see your Cisco router documentation or the Cisco website at www.cisco.com.
Set up shared SNMP credentials for your NetFlow or sFlow networks
If you enable SNMP polling on your flow network configuration, you must specify the credentials that allow you to poll the network device. The SNMP authentication credentials apply to all flow networks in a CIDR block and are automatically applied to every discovered flow network unless custom credentials are configured.
- Log into the Admin UI on your Discover appliance.
- In the Network Settings section, click Flow Networks.
- In the Shared SNMP Credentials section, click Add SNMP Credentials.
- Type the IPv4 CIDR block in the CIDR field. For example, type 10.0.0.0/8 to match any IP address that starts with 10 or 10.10.0.0/16 to match any IP address that starts with 10.10. You cannot configure an IP address to match all traffic.
- Select v1, v2c, or v3 from the SNMP version drop-down list and then complete the remaining fields.
- Click Save.
Manually refresh SNMP information
Notifications
The ExtraHop appliance can send notifications about configured alerts through email, SNMP traps, and syslog exports to remote servers. If an email notification group is specified, then emails are sent to the groups assigned to the alert.
Configure email settings for notifications
You must configure an email server and sender before the ExtraHop appliance can send notifications about system alerts by email or send scheduled reports from a Command appliance.
Next steps
After you confirm that your new settings are working as expected, preserve your configuration changes through system restart and shutdown events by saving the Running Config file.Configure an email notification group on a Discover or Command appliance
Email notification groups can be designated to receive an email when a configured alert is generated or a scheduled report is configured (Command appliance only). Although you can specify individual email addresses to receive emails, email groups are the most effective way to manage your recipient list.
Configure settings to send notifications to an SNMP manager
The state of the network can be monitored through the Simple Network Management Protocol (SNMP). SNMP collects information by polling devices on the network or SNMP enabled devices send alerts to SNMP management stations. SNMP communities define the group that devices and management stations running SNMP belong to, which specifies where information is sent. The community name identifies the group.
| Note: | Most organizations have an established system for collecting and displaying SNMP traps in a central location that can be monitored by their operations teams. For example, SNMP traps are sent to an SNMP manager, and the SNMP management console displays them. |
Send system notifications to a remote syslog server
The syslog export option enables you to send alerts from an ExtraHop appliance to any remote system that receives syslog input for long-term archiving and correlation with other sources.
Next steps
After you confirm that your new settings are working as expected, preserve your configuration changes through system restart and shutdown events by saving the Running Config file.SSL Certificate
SSL provides secure authentication to the Admin UI of the ExtraHop appliance. To enable SSL, an SSL certificate must be uploaded to the appliance.
You can designate a self-signed certificate for authentication instead of a certificate signed by a Certificate Authority. However, be aware that a self-signed certificate generates an error in the client browser, which reports that the signing certificate authority is unknown. The browser provides a set of confirmation pages to trust the certificate, even though the certificate is self-signed. We recommend that you create a certificate signing request from your ExtraHop appliance and upload the signed certificate instead.
| Important: | When replacing an SSL certificate, the web server service is restarted. On a Command appliance, tunneled connections from Discover appliances are lost but are re-established automatically. |
Upload an SSL certificate
You must upload a .pem file that includes both a private key and either a self-signed certificate or a certificate-authority certificate.
| Note: | The .pem file must not be password protected. |
| Note: | You can also automate this task through the REST API. |
- In the Network Settings section, click SSL Certificate.
- Click Manage certificates to expand the section.
- Click Choose File and navigate to the certificate that you want to upload.
- Click Open.
- Click Upload.
Create a certificate signing request from your ExtraHop appliance
A certificate signing request (CSR) is a block of encoded text that is given to your Certificate Authority (CA) when you apply for an SSL certificate. The CSR is generated on the ExtraHop appliance where the SSL certificate will be installed and contains information that will be included in the certificate such as the common name (domain name), organization, locality, and country. The CSR also contains the public key that will be included in the certificate. The CSR is created with the private key from the ExtraHop appliance, making a key pair.
Next steps
Send the CSR file to your certificate authority (CA) to have the CSR signed. When you receive the SSL certificate from the CA, return to the SSL Certificate page in the Admin UI and upload the certificate to the ExtraHop system.Trusted Certificates
Trusted certificates enable you to validate SMTP and LDAP connections from your ExtraHop appliance.
Add a trusted certificate to your ExtraHop appliance
Your ExtraHop appliance only trusts peers who present a Transport Layer Security (TLS) certificate that is signed by one of the built-in system certificates and any certificates that you upload. Only SMTP and LDAP connections are validated through these certificates.
Before you begin
You must log in as a user with unlimited privileges to add or remove trusted certificates.| Important: | To trust the built-in system certificates and any uploaded certificates, you must also enable SSL certificate validation on the LDAP Settings page or Email Settings page. |
- Log into the Admin UI on the ExtraHop appliance.
- In the Network Settings section, click Trusted Certificates.
- (Optional): The ExtraHop appliance ships with a set of built-in certificates. Select Trust System Certificates if you want to trust these certificates, and then click Save.
- To add your own certificate, click Add Certificate and then paste the contents of the PEM-encoded certificate chain into the Certificate field
- Type a name into the Name field and click Add.
Next steps
Configure LDAP and SMTP settings to validate outbound connections with the trusted certificates.Access Settings
In the Access Settings section, you can configure the global password policy, change user passwords, enable the support account, configure remote authentication, and manage API access.
Password
Users with administrative privileges to the Admin UI can change the password for local user accounts. On Discover and Command appliances, a global password policy can also be configured.
- Select any user and change their password
- You can only change passwords for local users. You cannot change passwords for users authenticated through LDAP or other remote authentication servers.
- Set a global password policy (Discover and Command appliances only)
- You can choose between two password policies; the default password policy of 5 or
more characters or a more secure password policy that has the following
restrictions:
- 8 or more characters
- Upper and lowercase characters
- At least one number
- At least one symbol
Note: If you select the strict password policy of 8 or more characters, passwords will expire every 60 days.
- You can choose between two password policies; the default password policy of 5 or
more characters or a more secure password policy that has the following
restrictions:
For more information about privileges for specific Admin UI users and groups, see the Users section.
Change the default password for the setup user
It is recommended that you change the default password for the setup user on the ExtraHop appliance after you log in for the first time. To remind administrators to make this change, there is a blue Change Password button at the top of the page while the setup user is accessing the Admin UI. After the setup user password is changed, the button at the top of the page no longer appears.
| Note: | The password must be a minimum of 5 characters. |
Support Account
Support accounts provide access for the ExtraHop Support team to help customers troubleshoot issues with the ExtraHop appliance. For the Discover appliance only, the Support UI Account also provides remote analysis reports through Atlas Services.
These settings should be enabled only if the ExtraHop system administrator requests hands-on assistance from the ExtraHop Support team or if your organization is subscribed to Atlas Services.
Enable the Support SSH account
By enabling the Support SSH account, you allow the ExtraHop Support team to connect to your ExtraHop appliance and provide remote troubleshooting and configuration assistance.
- In the Access Settings section, click Support Account.
- (Discover appliance only) Click Support SSH Account.
- Click Enable Support SSH Account.
- Copy the encrypted key from the text box and email the key to support@extrahop.com.
- Click Done.
Enable the Support UI account
By enabling the Support UI account, you allow the ExtraHop Support team to connect to your Discover appliance and provide remote troubleshooting and configuration assistance.
- In the Access Settings section, click Support Account.
- Click Support UI Account.
- Click Enable Support UI Account.
- Copy the encrypted key from the text box and email the key to support@extrahop.com.
- Click Done.
Users
The Users page enables you to control local access to the ExtraHop appliance.
Users and user groups
Users can access the ExtraHop appliance in three ways: through a set of pre-configured user accounts, through local user accounts configured on the appliance, or through remote user accounts configured on existing authentication servers, such as LDAP, SAML, Radius, and TACACS+.
Local users
This topic is about default and local accounts. See Remote Authentication to learn how to configure remote accounts.
- setup
- This account provides full system read and write privileges on the Web UI, Admin UI, and Shell, which is the ExtraHop command-line interface (CLI). On physical appliances, the default password for this account is the service tag number on the front of the appliance. On virtual appliances, the default password is default.
- shell
- The shell account, by default, has access to non-administrative shell commands in the ExtraHop CLI. On physical appliances, the default password for this account is the service tag number on the front of the appliance. On virtual appliances, the default password is default.
| Note: | The default ExtraHop password for either account when deployed in Amazon Web Services (AWS) is the string of numbers after the -i in the instance ID. |
Next steps
Remote Authentication
ExtraHop appliances supports remote authentication for user access. Remote authentication enables organizations that have authentication systems such as LDAP (OpenLDAP or Active Directory, for example), SAML, RADIUS, or TACACS+ to enable all or a subset of their users to log into the appliance with their existing credentials. SAML single sign-on authentication is only available on Command and Discover appliances.
Centralized authentication provides the following benefits:
- User password synchronization.
- Automatic creation of ExtraHop accounts for users without administrator intervention.
- Management of ExtraHop privileges based on user groups.
- Administrators can grant access to all known users or restrict access by applying LDAP filters.
Remote users
If your ExtraHop appliance is configured for SAML or LDAP remote authentication, you can create an account for those remote users. Preconfiguring accounts on the ExtraHop appliance for remote users enables you to share dashboards and other system customizations with those users before they log in.
If you choose to auto-provision users when you configure SAML authentication, then the user is automatically added to the list of local users when they log in for the first time. However, you can create a remote SAML user account on the ExtraHop appliance when you want to provision a remote user before that user has logged into the appliance. Privileges are assigned to the user by the provider. After the user is created, you can add them to local user groups.
Next steps
User groups
User groups enable you to manage access to shared content by group instead of by individual user. Dashboards and activity maps can be shared with a user group, and any user who is added to the group automatically has access. You can create a local user group—which can include remote and local users. Alternatively, if your appliance is configured for remote authentication through LDAP, you can configure settings to import your LDAP user groups.
- Click Create User Group to create a local group. The user group appears in the list. Then, select the checkbox next to the user group name and select users from the Filter users... drop-down list. Click Add Users to Group.
- (LDAP only) Click Refresh All User Groups or select multiple LDAP user groups and click Refresh Users in Groups.
- Click Reset User Group to remove all shared content from a selected user group. If the group no longer exists on the remote LDAP server, the group is removed from the user group list.
- Click Enable User Group or Disable User Group to control whether any group member can access shared content for the selected user group.
- Click Delete User Group to remove the selected user group from the appliance.
- View the following properties for listed user groups:
- Group Name
- Displays the name of the group. To view the members in the group, click the group name.
- Type
- Displays Local or Remote as the type of user group.
- Members
- Displays the number of users in the group.
- Shared Content
- Displays the number of user-created dashboards and activity maps that are shared with the group.
- Status
- Displays whether the group is enabled or disabled on the appliance. When the status is Disabled, the user group is considered empty when performing membership checks; however, the user group can still be specified when sharing content.
- Members Refreshed (LDAP only)
- Displays the amount of time elapsed since the group membership was refreshed. User
groups are refreshed under the following conditions:
- Once per hour, by default. The refresh interval setting can be modified on the page.
- An administrator refreshes a group by clicking Refresh All User Groups or Refresh Users in Group, or programmatically through the REST API. You can refresh a group from the User Group page or from within the Member List page.
- A remote user logs into the ExtraHop Web UI or Admin UI for the first time.
- A user attempts to load a shared dashboard that they do not have access to.
User privileges
Administrators determine the level of access and functionality users have with the ExtraHop Web and Admin UIs. In addition to setting the privilege level for the user, you can add certain options that can apply to any user privilege level.
For information about user privileges for the REST API, see the REST API Guide.
Privilege Levels
Set the privilege level for your user to determine which areas of the ExtraHop appliance they can access.
| Unlimited | Full Write | Limited Write | Personal Write | Full Read-Only | Restricted Read-Only | |||
| Activity Maps | ||||||||
| Create, view, and load shared activity maps | Y | Y | Y | Y | Y | N | ||
| Save activity maps | Y | Y | Y | Y | N | N | ||
| Share activity maps | Y | Y | Y | N | N | N | ||
| Alerts | ||||||||
| View alerts | Y | Y | Y | Y | Y | N | ||
| Create and modify alerts | Y | Y | N | N | N | N | ||
| Bundles | ||||||||
| Create a bundle | Y | Y | N | N | N | N | ||
| Upload and apply a bundle | Y | Y | N | N | N | N | ||
| View list of bundles | Y | Y | Y | Y | Y | N | ||
| Custom Pages | ||||||||
| Create and modify custom pages | Y | Y | N | N | N | N | ||
| Dashboards | ||||||||
| View and organize dashboards | Y | Y | Y | Y | Y | Y | ||
| Create and modify dashboards | Y | Y | Y | Y | N | N | ||
| Share dashboards | Y | Y | Y | N | N | N | ||
| Detections |
|
|||||||
| View detections and provide feedback | Y | Y | Y | Y | Y | N | ||
| Analysis Priorities | ||||||||
| View Analysis Priorities page | Y | Y | Y | Y | Y | N | ||
| Add and modify analysis levels for groups | Y | Y | N | N | N | N | ||
| Add devices to a watchlist | Y | Y | N | N | N | N | ||
| Transfer priorities management | Y | Y | N | N | N | N | ||
| Device Groups | ||||||||
| Create and modify device groups | Y | Y | N | N | N | N | ||
| Metrics | ||||||||
| View metrics | Y | Y | Y | Y | Y | N | ||
| Records (Explore appliance) | ||||||||
| View record queries | Y | Y | Y | Y | Y | N | ||
| View record formats | Y | Y | Y | Y | Y | N | ||
| Create, modify, and save record queries | Y | Y | N | N | N | N | ||
| Create, modify, and save record formats | Y | Y | N | N | N | N | ||
| Scheduled Reports (Command appliance) | ||||||||
| Create, view, and manage scheduled reports | Y | Y | Y | N | N | N | ||
| Triggers | ||||||||
| Create and modify triggers | Y | Y | N | N | N | N | ||
| Administrative Privileges | ||||||||
| Access the ExtraHop Admin UI | Y | N | N | N | N | N | ||
| Connect to other appliances | Y | N | N | N | N | N | ||
| Manage other appliances (Command appliance) | Y | N | N | N | N | N | ||
Add a local user account
By adding a local user account, you can provide users with direct access to your ExtraHop appliances and restrict their access as needed by their role in your organization.
| Tip: |
|
Add an account for a remote user
Add a user account for LDAP or SAML users when you want to provision the remote user before that user logs into the appliance. After the user is added to the appliance, you can add them to local groups or share items directly with them before they log in through the LDAP or SAML provider.
Sessions
The ExtraHop system provides controls to view and delete user connections to the web interface. The Sessions list is sorted by expiration date, which corresponds to the date the sessions were established. If a session expires or is deleted, the user must log in again to access the web interface.
Remote Authentication
ExtraHop appliances supports remote authentication for user access. Remote authentication enables organizations that have authentication systems such as LDAP (OpenLDAP or Active Directory, for example), SAML, RADIUS, or TACACS+ to enable all or a subset of their users to log into the appliance with their existing credentials. SAML single sign-on authentication is only available on Command and Discover appliances.
Centralized authentication provides the following benefits:
- User password synchronization.
- Automatic creation of ExtraHop accounts for users without administrator intervention.
- Management of ExtraHop privileges based on user groups.
- Administrators can grant access to all known users or restrict access by applying LDAP filters.
Next steps
Configure remote authentication through LDAP
The ExtraHop system supports the Lightweight Directory Access Protocol (LDAP) for authentication and authorization. Instead of storing user credentials locally, you can configure your ExtraHop appliance to authenticate users remotely with an existing LDAP server. Note that ExtraHop LDAP authentication only queries for user accounts; it does not query for any other entities that might be in the LDAP directory.
Before you begin
- This procedure requires familiarity with configuring LDAP.
- Ensure that each user is in a permission-specific group on the LDAP server before beginning this procedure.
- If you want to configure nested LDAP groups, you must modify the Running Configuration file. Contact ExtraHop Support for help.
When a user attempts to log onto an ExtraHop appliance, the ExtraHop system tries to authenticate the user in the following ways:
- Attempts to authenticate the user locally.
- Attempts to authenticate the user through the LDAP server if the user does not exist locally and if the ExtraHop system is configured for remote authentication with LDAP.
- Logs the user onto the ExtraHop system if the user exists and the password is validated either locally or through LDAP. The LDAP password is not stored locally on the ExtraHop system. Note that you must enter the username and password in the format that your LDAP server is configured for. The ExtraHop appliance only forwards the information to the LDAP server.
- If the user does not exist or an incorrect password is entered, an error message appears on the login page.
| Important: | If you change LDAP authentication at a later time to a different remote authentication method, the users, user groups, and associated customizations that were created through remote authentication are removed. Local users are unaffected. |
- Log into the Admin UI on the ExtraHop appliance.
- In the Access Settings section, click Remote Authentication.
- From the Remote authentication method drop-down list, select LDAP and then click Continue.
-
On the LDAP Settings page, complete the following server
information fields:
-
Configure the following user settings:
-
To configure user group settings, select the Import user groups from
LDAP server checkbox and configure the following settings:
- Click Test Settings. If the test succeeds, a status message appears near the bottom of the page. If the test fails, click Show details to see a list of errors. You must resolve any errors before you continue.
- Click Save and Continue.
Configure user privileges for remote authentication
You can assign user privileges to individual users on your ExtraHop appliance or configure and manage privileges through your LDAP server.
The ExtraHop appliance supports both Active Directory and Posix group memberships. For Active Directory, memberOf is supported. For Posix, memberuid, posixGroups, groupofNames, and groupofuniqueNames are supported.
Here is some information about the available fields:
Full access DN: Create and modify all objects and settings on the ExtraHop Web UI and Admin UI.
Read-write DN: Create and modify objects on the ExtraHop Web UI.
Limited DN: Create, modify, and share dashboards.
Personal DN: Create personal dashboards and modify dashboards shared with the logged-in user.
Node connection privileges DN: (Visible only on the Command appliance.): View a list of ExtraHop appliances that are connected to this Command appliance.
Full read-only DN: View objects in the ExtraHop Web UI.
Restricted read-only DN: View dashboards shared with the logged-in user.
Packet access full DN: View and download packets captured through the ExtraHop Trace appliance.
Packet and session key access full DN: View and download packets and any associated SSL session keys captured through the ExtraHop Trace appliance.
-
Choose one of the following options from the Permission assignment
options drop-down list:
- Obtain privileges level from remote server
This option assigns privileges through your remote authentication server. You must complete at least one distinguished name (DN) field. To enable a user to download packet captures and session keys, configure the Packet access full DN or Packet and session keys access full DN field.
- Remote users have full write access
This option allows remote users to have full write access to the ExtraHop Web UI.
- Remote users have full read-only access
This option allows remote users to have read-only privileges to the ExtraHop Web UI.
- Remote users can view connected appliances
This option, which only appears on the Command appliance, allows remote users to log into the Admin UI on the Command appliance and view any connected Discover, Explore, and Trace appliances.
- Obtain privileges level from remote server
-
Select one of the following options to allow remote users to download packet
captures and SSL session keys.
- No access
- Packets only
- Packets and session keys
- Click Save and Finish.
- Click Done.
Configure remote authentication through SAML
You can configure secure, single sign-on (SSO) authentication to the Command and Discover appliances through one or more security assertion markup language (SAML) identity providers.
When a user logs into a Command or Discover appliance that is configured as a service provider (SP) for SAML SSO authentication, the ExtraHop appliance requests authorization from the appropriate identity provider (IdP). The identity provider authenticates the user's credentials and then returns the authorization for the user to the ExtraHop appliance. The user is then able to access the ExtraHop system.
Configuration guides for specific identity providers are linked below. If your provider is not listed, apply the settings required by the ExtraHop appliance to your identity provider.
- SAML 2.0
- Support SP-initiated login flows
- Support signed SAML Responses
Enable SAML remote authentication
- Log into the Admin UI on the Discover or Command appliance.
- In the Access Settings section, click Remote Authentication.
- Select SAML from the remote authentication method drop-down list and then click Continue.
- Click View SP Metadata to view the Assertion Consumer Service (ACS)
URL and Entity ID of the ExtraHop appliance. These strings are required by your identity
provider to configure SSO authentication. You can also download a complete XML metadata file
that you can import into your identity provider configuration.
Note: You might need to manually edit the ACS URL if the URL contains an unreachable hostname, such as the default appliance hostname "extrahop". We recommend that you specify the fully qualified domain name for the ExtraHop appliance in the URL. - Click Add Identity Provider to add the following information:
Provider Name: Type a name to identify your specific identity provider. This name appears on the ExtraHop appliance log in page after the Log in with text.
Entity ID: Paste the entity ID provided by your identity provider into this field.
SSO URL: Paste the single sign-on URL provided by your identity provider into this field.
Signing Certificate: Paste the X.509 certificate provided by your identity provider into this field.
Auto-provision users: When this option is selected, ExtraHop user accounts are automatically created when the user logs in through the identity provider. To manually control which users can log in, clear this checkbox and manually configure new remote users through the ExtraHop Admin UI or REST API. Any manually-created remote username should match the username configured on the identity provider.
Enable this identity provider: This option is selected by default and allows users to log into the appliance. To prevent users from logging in through this identity provider, clear the checkbox.
After the identity provider is configured, a table of all configured identity providers appears in a table. You can edit or delete the identity provider as needed.
Required attributes
You must configure the following set of user attributes before users can connect to the ExtraHop appliance through an identity provider. These attributes identify the user and allow ExtraHop-specific privileges.
The packetslevel attribute is only required if you have a connected Trace appliance.
| Attribute | Friendly Name | Category | Description |
|---|---|---|---|
| urn:oid:0.9.2342.19200300.100.1.3 | Standard Attribute | Primary email address | |
| urn:oid:2.5.4.4 | sn | Standard Attribute | Last name |
| urn:oid:2.5.4.42 | givenName | Standard Attribute | First name |
| urn:extrahop:saml:2.0:writelevel | Web UI and API Privileges | ExtraHop Attribute | Web UI, Admin UI, and REST API privileges |
| urn:extrahop:saml:2.0:packetslevel | Packet and Session Key Access | ExtraHop Attribute | Packet and session key access |
Privilege levels
Write level and packet level privileges must be assigned to each user to control their access to the Web UI, Admin UI, and REST API. If you have a connected Trace appliance, you can also assign access to packets and session keys. For more information about privilege levels, see Users and user groups.
| writelevel Attribute Privileges |
|---|
| unlimited |
| full_write |
| limited_write |
| personal_write |
| full_readonly |
| restricted_readonly |
| none |
| packetslevel Attribute Privileges |
|---|
| full |
| full_with_keys |
| none |
Configure SAML single sign-on with Okta
You can configure your ExtraHop Command and Discover appliances to enable users to log into the appliance through the Okta identity management service.
Before you begin
- You should be familiar with administrating Okta. These procedures are based on the Okta Classic UI. If you are configuring Okta through the Developer Console, the procedure might be slightly different.
- You should be familiar with administrating ExtraHop appliances.
These procedures require you to copy and paste information between the ExtraHop Admin UI and the Okta Classic UI, so it is helpful to have each UI open side-by-side.
Enable SAML on the ExtraHop appliance
- Log into the Admin UI on the Discover or Command appliance.
- In the Access Settings section, click Remote Authentication.
- From the Remote authentication method drop-down list, select SAML.
- Click Continue.
- Click View SP Metadata. You will need to copy the ACS URL and Entity ID to paste into the Okta configuration in the next procedure.
Configure SAML settings in Okta
This procedure requires you to copy and paste information between the ExtraHop Admin UI and the Okta Classic UI, so it is helpful to have each UI open side-by-side.
-
In the upper-right corner of the page, change the view from
Developer Console to Classic
UI.
-
In the Attribute Statements section, add the following statements exactly as
shown. The first four attributes are required. The
user.packetsLevel attribute is optional and is only
required if you have connected Trace appliances. If you have a Trace appliance
and you do not configure the user.packetsLevel attribute, users
will be unable to view or download packet captures in the ExtraHop Web UI.
Name Name format Value urn:oid:0.9.2342.19200300.100.1.3 URI Reference user.email urn:oid:2.5.4.4 URI Reference user.lastName urn:oid:2.5.4.42 URI Reference user.firstName urn:extrahop:saml:2.0:writelevel URI Reference user.writeLevel urn:extrahop:saml:2.0:packetslevel URI Reference user.packetsLevel The following figure shows a completed example.
Add identity provider information on the ExtraHop appliance
-
Type a unique name in the Provider Name field. This name appears on the
ExtraHop appliance login page.
Configure user privilege attributes in Okta
You must add ExtraHop privilege attributes to Okta. These attributes enable you to assign write-level and packet-level access to your Okta users. You only need to configure user privilege attributes once in your Okta environment. These attributes can then be assigned to any Okta user profile.
-
In the Actions column, click Profile.
-
In the Variable name field, type writeLevel.
-
In the Variable name field, type packetsLevel.
Assign the ExtraHop appliance to Okta users
We assume that you already have users configured in Okta. If you do not, refer to the Okta documentation to add new users.
- (Optional):
If you configured the user.packetsLevel attribute in the first
procedure, configure the Packets Level field by typing one of the following user
types:
- full
- full_with_keys
- none
Configure SAML single sign-on with Google
You can configure your ExtraHop Command and Discover appliances to enable users to log into the appliance through the Google identity management service.
Before you begin
- You should be familiar with administrating Google Admin.
- You should be familiar with administrating ExtraHop appliances.
These procedures require you to copy and paste information between the ExtraHop Admin UI and the Google Admin UI, so it is helpful to have each UI open side-by-side.
Enable SAML on the ExtraHop appliance
- Log into the Admin UI on the Discover or Command appliance.
- In the Access Settings section, click Remote Authentication.
- From the Remote authentication method drop-down list, select SAML.
- Click Continue.
- Click View SP Metadata.
- Copy the ACS URL and Entity ID to a text file. You will paste this information into the Google configuration in a later procedure.
Add user custom attributes
- Log into the Google Admin console.
- Click Users.
-
Click the Manage custom attributes icon
.
- Click Add Custom Attribute.
- In the Category field, type ExtraHop.
- (Optional): Type a description in the Description field.
-
In the Custom fields section, enter the following
information.
- In the Name field, type writelevel.
- From the Info Type drop-down list, select Text.
- From the Visibility drop-down list, select Visible to domain.
- From the No. of values drop-down list, select Single Value.
- (Optional):
If you have connected Trace appliances, configure a second custom field with
the following information.
- In the Name field, type packetslevel.
- From the Info Type drop-down list, select Text.
- From the Visibility drop-down list, select Visible to domain.
- From the No. of values drop-down list, select Single Value.
- Click Add.
Add identity provider information from Google to the ExtraHop appliance
-
In the Google Admin console, click the Main menu icon
and select .
-
Click the Enable SSO for a SAML application icon
.
- Click SETUP MY OWN CUSTOM APP.
- On the Google IdP Information screen, click the Download button to download the certificate (GoogleIDPCertificate.pem).
- Return to the Admin UI on the ExtraHop appliance.
- Click Add Identity Provider.
- Type a unique name in the Provider Name field. This name appears on the ExtraHop appliance login page.
- From the Google IdP Information screen, copy the SSO URL and paste it into the SSO URL field on the ExtraHop appliance.
- From the Google IdP Information screen, copy the Entity ID and paste into the Entity ID field on the ExtraHop appliance.
- Open the GoogleIDPCertificate in a text editor, copy the contents and paste into the Public Certificate field on the ExtraHop appliance.
-
Choose how you would like to provision users from one of the following
options.
- Select Auto-provision users to create a new remote SAML user account on the ExtraHop appliance when the user first logs into the appliance.
- Clear the Auto-provision users checkbox and manually configure new remote users through the ExtraHop Admin UI or REST API. Access and privilege levels are determined by the user configuration in Google.
- The Enable this identity provider option is selected by default and allows users to log into the appliance. To prevent users from logging in, clear the checkbox.
- Click Save.
- Save the Running Config.
Add ExtraHop service provider information to Google
-
Return to the Google Admin console and click Next on
the Google Idp Information page to continue to step 3
of 5.
Configure remote authentication through RADIUS
The ExtraHop appliance supports Remote Authentication Dial In User Service (RADIUS) for remote authentication and local authorization only. For remote authentication, the ExtraHop appliance supports unencrypted RADIUS and plaintext formats.
Configure remote authentication through TACACS+
The ExtraHop appliance supports Terminal Access Controller Access-Control System Plus (TACACS+) for remote authentication and authorization.
Configure the TACACS+ server
In addition to configuring remote authentication on your ExtraHop appliance, you must configure your TACACS+ server with two attributes, one for the ExtraHop service and one for the permission level. If you have a Trace appliance, you can optionally add a third attribute for packet capture and session key logging.
-
For the second value, add 1.
For example, the following figure shows the extrahop attribute and a permission level of readwrite.
Here is a list of available permission attributes, values, and descriptions:- setup = 1, which allows the user to create and modify all objects and settings on the ExtraHop Web UI and Admin UI
- readwrite = 1, which allows the user to create and modify all objects and settings on the ExtraHop Web UI
- limited = 1, which allows the user to create, modify, and share dashboards
- readonly = 1, which allows the user to view objects in the ExtraHop Web UI
- personal = 1, which allows the user to create dashboards for themselves and modify any dashboards that have been shared with them
- limited_metrics = 1, which allows the user to view shared dashboards
API Access
The API Access page enables you to generate, view, and manage access for the API keys that are required to perform operations through the ExtraHop REST API.
Manage API key access
Users with unlimited privileges can configure whether users can generate API keys for the ExtraHop system. You can allow only local users to generate keys, or you can also disable API key generation entirely.
Configure cross-origin resource sharing (CORS)
Cross-origin resource sharing (CORS) allows you to access the ExtraHop REST API across domain-boundaries and from specified web pages without requiring the request to travel through a proxy server.
- In the Access Settings section, click API Access.
-
In the CORS Settings section, specify one of the following
access configurations.
- To add a specific URL, type an origin URL in the text box, and then
click the plus (+) icon or press ENTER.
The URL must include a scheme, such as HTTP or HTTPS, and the exact domain name. You cannot append a path; however, you can provide a port number.
- To allow access from any URL, select the Allow API requests
from any Origin checkbox.
Note: Allowing REST API access from any origin is less secure than providing a list of explicit origins.
- To add a specific URL, type an origin URL in the text box, and then
click the plus (+) icon or press ENTER.
- Click Save Settings and then click Done.
Generate an API key
You must generate an API key before you can perform operations through the ExtraHop REST API. Keys can be viewed only by the user who generated the key or by system administrators with unlimited privileges. After you generate an API key, add the key to your request headers or the ExtraHop REST API Explorer.
Before you begin
Make sure the ExtraHop appliance is configured to allow API key generation.- In the Access Settings section, click API Access.
- In the Generate an API Key section, type a description for the new key, and then click Generate.
- Scroll down to the API Keys section, and copy the API key that matches your description.
Privilege levels
User privilege levels determine which ExtraHop Web UI and ExtraHop Admin UI tasks the user can perform through the ExtraHop REST API.
You can view the privilege levels for users through the granted_roles and effective_roles properties. The granted_roles property shows you which privilege levels are explicitly granted to the user. The effective_roles property shows you all privilege levels for a user, including those received outside of the granted role, such as through a user group.
The granted_roles and effective_roles properties are returned by the following operations:
- GET /users
- GET /users/{username}
The granted_roles and effective_roles properties support the following privilege levels. Note that the type of tasks for each ExtraHop appliance vary by the available resources listed in the REST API Explorer.
| Privilege level | Actions allowed |
|---|---|
| "system": "full" |
|
| "write": "full" |
|
| "write": "limited" |
|
| "write": "personal" |
|
| "metrics": "full" |
|
| "metrics": "restricted" |
|
| "packets": "full" |
This is an add-on privilege that can be granted to a user with one of the following privilege levels:
|
| "packets": "full_with_keys" |
This is an add-on privilege that can be granted to a user with one of the following privilege levels:
|
System Configuration
In the System Configuration section, you can modify ExtraHop appliance configuration settings for data capture and management.
- Capture
- Configure the network capture settings on the Discover appliance.
- Datastore and Customizations
- Reset the datastore and modify customizations. Datastore configuration settings are not available on the Command appliance.
- Geomap Datasource
- Modify the information in geomaps.
- Open Data Streams
- Send log data from the Discover appliance to another system such as a syslog system, MongoDB database, or HTTP server.
- Trends
- Reset all trends and trend-based alerts on the Discover appliance.
Capture
The Capture page provides controls to adjust how the ExtraHop Discover appliance collects your network traffic for analysis.
Exclude protocol modules
By default, all supported modules on the ExtraHop appliance are included in the capture unless you manually exclude them.
- Click .
- Click Excluded Protocol Modules.
- Add Module to Exclude.
- On the Select Protocol Module to Exclude page, from the Module Name dropdown, select the module that you want to exclude from the capture.
- Click Add.
- On the Excluded Protocol Modules page, click Restart Capture.
- After the capture restarts, click OK.
Exclude MAC addresses
Add filters to exclude specific MAC addresses or vendor device traffic from the network capture
Exclude an IP address or range
Add filters to exclude specific IP addresses and IP ranges from the network capture on the Discover appliance.
- Click .
- Click IP Address Filters.
- Click Add Filter.
- On the IP Address Filters page, enter either a single IP address you want to exclude, or an IP address mask in CIDR format for a range of IP addresses you want to exclude.
- Click Add.
Exclude a port
Add filters to exclude traffic from specific ports from the network capture on the Discover appliance.
- In the System Configuration section,click Capture.
- Click Port Filters.
- Click Add Filter.
-
On the Add Port Filter page, type the port you want to
exclude.
- To specify a source port you want to exclude, type the port number in the Source Port field.
- To specify a destination port you want to exclude, type the port number in the Destination Port field.
- From the IP Protocol drop-down list, select the protocol you want to exclude on the indicated port.
- Click Add.
Filtering and deduplication
Refer to the following table to view the effects of filtering and deduplication on metrics, packet capture, and device discovery. Deduplication is enabled by default on the appliance.
| Packet Dropped by | MAC address filter | IP address filter | Port filter | L2 dedup | L3 dedup |
|---|---|---|---|---|---|
| Network VLAN L2 Metrics | Not collected | Not collected | Not fragmented*: Not collected Fragmented: Collected |
Not collected | Collected |
| Network VLAN L3 Metrics | Not collected | Not collected | Not fragmented: Not collected Fragmented: Collected |
Not collected | Collected |
| Device L2/L3 Metrics | Not collected | Not collected | Not fragmented: Not collected Fragmented, top-level: Collected Fragmented, detail: Not collected |
Not collected | Collected |
| Global PCAP Packets | Captured | Captured | Captured | Captured | Captured |
| Precision PCAP Packets | Not captured | Not captured | Not captured | Not captured | Captured |
| L2 Device Discovery | No discovery | Discovery | Discovery | -- | -- |
| L3 Device Discovery | No discovery | No discovery | Not fragmented: No discovery Fragmented: Discovery |
-- | -- |
*For port filters, when IP fragments are present in the data feed, a port number is not determined during fragment reassembly. The ExtraHop appliance might collect metrics, capture packets, or discover a device even if the port filtering rule otherwise precludes it.
L2 duplicates are identical Ethernet frames. The duplicate frames do not usually exist on the wire, but are an artifact of the data feed configuration. L3 duplicates are frames that differ only in L2 header and IP TTL. These frames usually result from tapping on both sides of a router. Because these frames exist on the monitored network, they are counted at L2 and L3 in the locations referenced above. L3 deduplication is targeted toward L4 and above, for example, to avoid counting the L3 duplicates as TCP retransmissions.
Pseudo devices
Pseudo devices are deprecated as of ExtraHop version 6.0. If you have upgraded your system from a previous version with this functionality, you still can access the configuration page to migrate existing pseudo devices to custom devices. By default, all IP addresses outside of locally-monitored broadcast domains are aggregated at an incoming router. To identify the devices behind these routers for reporting, you can create custom devices. Unlike with pseudo devices, you do not need Admin UI privileges to configure a custom device.
| Note: | Any pseudo devices created on a previous version of ExtraHop firmware will remain on your Discover appliance until you migrate the pseudo device to a custom device. |
Protocol classification
Protocol classification relies on specific payloads to identify custom protocols over specific ports. These protocols are Layer 7 (application-layer) protocols that sit above the Layer 4 (TCP or UDP) protocol. These applications have their own custom protocol, and they also use the TCP protocol.
The Protocol Classification page provides an interface to perform the following functions:
- List applications and ports for the following network entities:
- Widely-known applications that are mapped to non-standard ports.
- Lesser-known and custom networking applications.
- Unnamed applications that use TCP and UDP (for example, TCP 1234).
- Add custom protocol-to-application mapping that includes the following information:
- Name
- The user-specified protocol name.
- Protocol
- The selected Layer 4 protocol (TCP or UDP).
- Source
- (Optional) The specified source port. Port 0 indicates any source port.
- Destination
- The destination port or range of ports.
- Loose Initiation
- Select this checkbox if you want the classifier to attempt to categorize the connection
without seeing the connection open. ExtraHop recommends selecting loose initiation for
long-lived flows.
By default, the ExtraHop appliance uses loosely-initiated protocol classification, so it attempts to classify flows even after the connection was initiated. You can turn off loose initiation for ports that do not always carry the protocol traffic (for example, the wildcard port 0).
- Delete protocols with the selected application name and port mapping from the list.
The application name and port do not display in the ExtraHop Web UI or in reports based on any future data capture. The device will appear in reports that use historical data, if the device was active and discoverable within the reported time period.
- Restart the network capture.
- You must restart the network capture before any protocol classification changes take effect.
- Previously-collected capture data is preserved.
The ExtraHop appliance recognizes most protocols on their standard ports. Exceptions include HTTP, SSH, and SSL, which are recognized on any port. In some cases, if a protocol is using a non-standard port, it is necessary to add the non-standard port in the Admin UI. In these cases, it is important to properly name the non-standard port. The table below lists the standard ports for each of the protocols, along with the protocol name that must be used when adding the custom port numbers in the Admin UI.
In most cases, the name you enter is the same as the name of the protocol. The most common exceptions to this rule are Oracle (where the protocol name is TNS) and Microsoft SQL (where the protocol name is TDS).
If you add a protocol name that has multiple destination ports, add the entire port range separated by a dash (-). For example, if your protocol requires adding ports 1434, 1467, and 1489 for database traffic, type 1434-1489 in the Destination Port field. Alternatively, add each of the three ports in three separate protocol classifications with the same name.
| Canonical Name | Protocol Name | Transport | Default Source Port | Default Destination Port |
|---|---|---|---|---|
| ActiveMQ | ActiveMQ | TCP | 0 | 61616 |
| AJP | AJP | TCP | 0 | 8009 |
| CIFS | CIFS | TCP | 0 | 139, 445 |
| DB2 | DB2 | TCP | 0 | 50000, 60000 |
| Diameter | AAA | TCP | 0 | 3868 |
| DHCP | DHCP | TCP | 68 | 67 |
| DICOM | DICOM | TCP | 0 | 3868 |
| DNS | DNS | TCP, UDP | 0 | 53 |
| FIX | FIX | TCP | 0 | 0 |
| FTP | FTP | TCP | 0 | 21 |
| FTP-DATA | FTP-DATA | TCP | 0 | 20 |
| HL7 | HL7 | TCP, UDP | 0 | 2575 |
| HTTPS | HTTPS | TCP | 0 | 443 |
| IBM MQ | IBMMQ | TCP, UDP | 0 | 1414 |
| ICA | ICA | TCP | 0 | 1494, 2598 |
| IKE | IKE | UDP | 0 | 500 |
| IMAP | IMAP | TCP | 0 | 143 |
| IMAPS | IMAPS | TCP | 0 | 993 |
| Informix | Informix | TCP | 0 | 1526, 1585 |
| IPSEC | IPSEC | TCP, UDP | 0 | 1293 |
| IPX | IPX | TCP, UDP | 0 | 213 |
| IRC | IRC | TCP | 0 | 6660-6669 |
| ISAKMP | ISAKMP | UDP | 0 | 500 |
| iSCSI | iSCSI | TCP | 0 | 3260 |
| Kerberos | Kerberos | TCP, UDP | 0 | 88 |
| LDAP | LDAP | TCP | 0 | 389, 390, 3268 |
| LLDP | LLDP | Link Level | N/A | N/A |
| L2TP | L2TP | UDP | 0 | 1701 |
| Memcache | Memcache | TCP | 0 | 11210, 11211 |
| MongoDB | MongoDB | TCP | 0 | 27017 |
| MS SQL Server | TDS | TCP | 0 | 1433 |
| MSMQ | MSMQ | TCP | 0 | 1801 |
| MSRPC | MSRPC | TCP | 0 | 135 |
| MySQL | MySQL | TCP | 0 | 3306 |
| NetFlow | NetFlow | UDP | 0 | 2055 |
| NFS | NFS | TCP | 0 | 2049 |
| NFS | NFS | UDP | 0 | 2049 |
| NTP | NTP | UDP | 0 | 123 |
| OpenVPN | OpenVPN | UDP | 0 | 1194 |
| Oracle | TNS | TCP | 0 | 1521 |
| PCoIP | PCoIP | UDP | 0 | 4172 |
| POP3 | POP3 | TCP | 0 | 143 |
| POP3S | POP3S | TCP | 0 | 995 |
| PostgreSQL | PostgreSQL | TCP | 0 | 5432 |
| RADIUS | AAA | TCP | 0 | 1812, 1813 |
| RADIUS | AAA | UDP | 0 | 1645, 1646, 1812, 1813 |
| RDP | RDP | TCP | 0 | 3389 |
| Redis | Redis | TCP | 0 | 6397 |
| SIP | SIP | TCP | 0 | 5060, 5061 |
| SMPP | SMPP | TCP | 0 | 2775 |
| SMTP | SMTP | TCP | 0 | 25 |
| SNMP | SNMP | UDP | 0 | 162 |
| SSH | SSH | TCP | 0 | 0 |
| SSL | SSL | TCP | 0 | 443 |
| Sybase | Sybase | TCP | 0 | 10200 |
| SybaseIQ | SybaseIQ | TCP | 0 | 2638 |
| Syslog | Syslog | UDP | 0 | 514 |
| Telnet | Telnet | TCP | 0 | 23 |
| VNC | VNC | TCP | 0 | 5900 |
| WebSocket | WebSocket | TCP | 0 | 80, 443 |
The name specified in the Protocol Name column in the table is used on the Protocol Classification page to classify a common protocol that uses non-standard ports.
Protocols in the ExtraHop Web UI that do not appear in this table include the following:
- DNS
- The standard port for DNS is 53. DNS does not run on non-standard ports.
- HTTP
- The ExtraHop appliance classifies HTTP on all ports.
- HTTP-AMF
- This protocol runs on top of HTTP and is automatically classified.
- SSL
- The ExtraHop appliance classifies SSL on all ports.
Protocols in this table that do not appear in the ExtraHop Web UI include the following:
- FTP-DATA
- The ExtraHop appliance does not handle FTP-DATA on non-standard ports.
- LLDP
- This is a link-level protocol, so port-based classification does not apply.
Add a custom protocol classification
The following procedure describes how to add custom protocol classification labels with the TDS (MS SQL Server) protocol as an example.
By default, the ExtraHop appliance looks for TDS traffic on TCP port 1533. To add MS SQL Server TDS parsing on another port, complete the following steps.
Discover new devices by IP address
The ExtraHop Discover appliance automatically discovers devices that are communicating on the locally monitored network. This identification process is known as device discovery. After a device is discovered, you can search for the device and analyze device metrics in the Discover or Command appliances.
By default, Discover by IP is enabled, which means that devices are discovered when the ExtraHop system detects a response to an Address Resolution Protocol (ARP) request for an IP address. This method is also known as L3 discovery mode.
| Note: | Packet brokers can filter ARP requests. The ExtraHop system relies on ARP requests to associate L3 IP addresses with L2 MAC addresses. |
If the ExtraHop system detects an IP address that does not have associated ARP traffic, that device is considered a remote device. Remote devices are not automatically discovered, but you can configure a remote range of IP addresses for discovery.
| Note: | Learn more about finding devices in the ExtraHop system. |
| Diagram | Enabled | Disabled |
|---|---|---|
 |
2 devices discovered:
|
1 device discovered:
|
 |
6 devices discovered:
|
3 devices discovered:
|
 |
4 devices discovered:
|
1 device discovered:
|
When Discover by IP is enabled, L2 devices are considered parents of their L3 devices. You can view metrics associated with each IP address by L3 device. When Discover by IP is disabled, only L2 devices are discovered, and metrics associated with those IP addresses are merged into the L2 device.
Remote discovery
The ExtraHop system automatically discovers local L3 devices based on observed ARP traffic that is associated with IP addresses. If the ExtraHop system detects an IP address that does not have ARP traffic, the ExtraHop system considers that IP address to be a remote device. Remote devices are not automatically discovered unless you configure a remote IP address range for remote discovery. When the ExtraHop system sees traffic associated with the range of remote IP addresses, it will discover those devices.
| Note: | If you have a proxy ARP configured in your network, the ExtraHop system might automatically discover remote devices. For more information, see this ExtraHop forum post. |
- Your organization has a remote office without an on-site ExtraHop appliance but users at that site access central data center resources that are directly monitored by an ExtraHop appliance. The IP addresses at the remote site can be discovered as devices.
- A cloud service or other type of off-site service hosts your remote applications and has a known IP address range. The remote servers within this IP address range can be individually tracked.
| Important: | Devices discovered through remote discovery count towards your licensed device limit. |
Add a remote IP address range
You can configure the ExtraHop system to automatically discover devices on remote subnets by adding a range of IP addresses.
Important considerations about remote discovery:
- Only public-facing IP addresses are discovered and visible in the ExtraHop appliance. Private IP addresses, such as those on a private subnet, behind a router, or behind a NAT device, are not visible to the ExtraHop system.
- Additionally, L2 information, such as device MAC address and L2 traffic, is not available if the device is on a different network from the one being monitored by the ExtraHop appliance. This information is not forwarded by routers, and therefore is not visible to the ExtraHop appliance.
- Exercise caution when specifying CIDR notation. A /24 subnet prefix might result in 255 new devices discovered by the ExtraHop system. A wide /16 subnet prefix might result in 65,535 new devices discovered, which might exceed your device limit.
| Important: | The capture must be restarted when removing IP address ranges before the changes take effect. We recommend deleting all entries before restarting the capture. The capture does not need to be restarted when adding IP address ranges. |
SSL decryption
The Discover appliance supports real-time decryption of SSL traffic for analysis. Before the ExtraHop system can decrypt your traffic, you must configure the appliance for session key forwarding or upload an SSL server certificate and private key. The server certificate and private keys are uploaded over an HTTPS connection from a web browser to the Discover appliance.
| Note: | Your server traffic must be encrypted through one of these supported cipher suites. |
Help on this page
- Decrypt SSL traffic with session key forwarding without private keys.
- Clear the checkbox for Require Private Keys.
- Install session key forwarding software on your Linux or Windows servers.
- Add a global port to protocol mapping for each protocol you want to decrypt.
- Decrypt SSL traffic by uploading a certificate and private key.
| Note: | SSL decryption requires a license. However, if you have a license for MS SQL, you can also upload an SSL certificate to decrypt MS SQL traffic from these settings. |
Upload a PEM certificate and RSA private key
| Tip: | You can export a password-protected key to add to your ExtraHop
appliance by running the following command on a program such as
OpenSSL:openssl rsa -in yourcert.pem -out new.key |
Next steps
Add the encrypted protocols you want to decrypt with this certificate.Upload a PKCS#12/PFX file
PKCS#12/PFX files are archived in a secure container on the appliance that contain both public and private key pairs and that can only be accessed with a password.
| Tip: | To export private keys from a Java KeyStore to a PKCS#12 file, run the
following command on your server, where javakeystore.jks is the path of your Java
KeyStore:keytool -importkeystore -srckeystore javakeystore.jks -destkeystore pkcs.p12 -srcstoretype jks -deststoretype pkcs12 |
Next steps
Add the encrypted protocols you want to decrypt with this certificate.Add encrypted protocols
You must add each protocol that you want to decrypt for each uploaded certificate.
Add a global port to protocol mapping
Add each protocol for the traffic that you want to decrypt with your session key forwarders.
- Log into the Admin UI on the Discover appliance.
- In the System Configuration section, click Capture.
- Click SSL Decryption.
- In the Private Key Decryption section, clear the Require Private Keys checkbox.
- In the Global Protocol to Port Mapping section, click Add Global Protocol.
- From the Protocol drop-down list, select the protocol for the traffic that you want to decrypt.
- In the Port field, type the number of the port. Type 0 to add all ports.
- Click Add.
Install the ExtraHop session key forwarder on a Windows server
Perfect Forward Secrecy (PFS) is a property of secure communication protocols that enables short-term, completely private session key exchanges between clients and servers. When the session keys are only shared between the client and server, the Discover appliance is unable to decrypt this traffic, even when the Discover appliance has a copy of the server private key. The only way for the Discover appliance to decrypt this traffic is to get a copy of the session key from the server.
ExtraHop offers session key forwarding software for Windows and Linux that you can install on your servers that are sending SSL-encrypted traffic. The forwarder sends the SSL sessions keys to your ExtraHop Discover appliance. The session keys then enable the Discover appliance to decrypt those SSL/TLS sessions in your data feed. The ExtraHop session key forwarder decrypts sessions through the Microsoft Secure Channel (Schannel) security package, Java SSL/TLS (Java versions 6 through 10), and dynamically linked OpenSSL (1.0.x) libraries. OpenSSL is only supported on Linux with kernel versions 4.4 and later or RHEL 7.6 and later.
Depending on your environment, you can configure the Discover appliance for session key forwarding with or without a server certificate and private keys.
- (Recommended) If your environment does not require a server certificate, you can disable the private key requirement and configure global port mappings for the protocol traffic you want to decrypt.
- If your environment requires a server certificate, first complete the steps in the Decrypt SSL traffic with certificates and private keys guide, and then complete the steps below to install the forwarder software.
- Review the list of supported cipher suites that can be decrypted by the Discover appliance when session key forwarding is configured.
- Make sure that the Discover appliance is licensed for SSL Decryption and SSL Shared Secrets.
- Install the session key forwarder on one or more Windows 2008 R2, Windows 2012 R2, or Windows 2016 servers running SSL-based services with the native Windows SSL framework. OpenSSL on Windows is not currently supported.
| Important: | After you install the session key forwarder software on Windows 2012 R2 or
Windows 2016 systems, applications that include SSL-enabled features, such as Microsoft Edge and
Windows Store applications that incorporate sandboxing features, might fail to function
correctly. Validate the compatibility of the session key forwarder in your Windows test environment before deploying in your production environment. |
Install the software with the installation wizard
| Warning: | The installation requires a restart of the server. Do not start the installation unless you are able to restart the server after the installation completes. |
- Log into the Windows server.
- Download the latest version of the session key forwarder software.
- Double-click the ExtraHopSessionKeyForwarder.msi file and click Next.
- Select the box to accept the terms of the license agreement and then click Next.
- Type the name of the Discover appliance where you want to forward session keys.
- Accept the default TCP listen port value of 598 (recommended), or type a custom port value and then click Next.
- Click Install.
- When the installation completes, click Finish, and then click Yes to reboot the server.
The following steps show you how to install the session key forwarder from a Windows command prompt or Windows PowerShell.
| Warning: | The installation requires a restart of the server. Do not start the installation unless you are able to restart the server after the installation completes. |
Enable the SSL session key receiver service
You must enable the session key receiver service on the Discover appliance before the appliance can receive and decrypt sessions keys from the session key forwarder. By default, this service is disabled.
Add a global port to protocol mapping
Add each protocol for the traffic that you want to decrypt with your session key forwarders.
- Log into the Admin UI on the Discover appliance.
- In the System Configuration section, click Capture.
- Click SSL Decryption.
- In the Private Key Decryption section, clear the Require Private Keys checkbox.
- In the Global Protocol to Port Mapping section, click Add Global Protocol.
- From the Protocol drop-down list, select the protocol for the traffic that you want to decrypt.
- In the Port field, type the number of the port. Type 0 to add all ports.
- Click Add.
View connected session key forwarders
You can view recently connected session key forwarders after you install the session key forwarder on your server and enable the SSL session key receiver service on the Discover appliance. Note that this page only displays session key forwarders that have connected over the last few minutes, not all session key forwarders that are currently connected.
- Log into the Admin UI on the Discover appliance.
- In the System Configuration section, click Capture.
- Click SSL Shared Secrets.
Validate session key forwarding
Perform these steps to make sure that the installation was successful and the session key forwarder is forwarding the keys to the Discover appliance.
- Log into the Windows server.
-
Open the Services MMC snap-in. Ensure both services, "ExtraHop Secret Agent"
and ExtraHop Registry Service" show the status as "Running".
-
If either service is not running, troubleshoot the issue
by completing the following steps.
- Open the Event Viewer MMC snap-in and navigate to Windows Logs > Application.
- Locate the most recent entries for the ExtraHopAgent source. Common reasons for failure and their associated error messages are listed in the Troubleshoot common error messages section below.
- If the Services and Event Viewer snap-in do not indicate any issues, apply a workload to the monitored services and go to the Discover appliance to verify that secret-based decryption is working.
Integrate the forwarder with the Java-based SSL application
As an example, Apache Tomcat supports customization of Java options in the Tomcat service manager properties. In the following example, adding the -javaagent option to the Java Options section causes the Java runtime to share SSL session secrets with the key forwarder process, which then relays the secrets to the Discover appliance so that the secrets can be decrypted.
-javaagent:C:\Program Files\ExtraHop\exagent.jar
Troubleshoot common error messages
The following table shows common error messages that you can troubleshoot. If you see a different error or the proposed solution does not resolve your issue, contact ExtraHop Support.
| Message | Cause | Solution |
|---|---|---|
| connect: dial tcp <IP address>:4873: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond | The monitored server cannot route any traffic to the Discover appliance. | Ensure firewall rules allow connections to be initiated by the monitored server to TCP port 4873 on the Discover appliance. |
| connect: dial tcp <IP address>:4873: connectex: No connection could be made because the target machine actively refused it | The monitored server can route traffic to the Discover appliance, but the receiving process is not listening. | Ensure that the Discover appliance is licensed for both the SSL Decryption and SSL Shared Secrets features. |
| connect: x509: certificate signed by unknown authority | The monitored server is not able to chain up the Discover appliance certificate to a trusted Certificate Authority (CA). | Ensure that the Windows certificate store for the computer account has trusted root certificate authorities that establish a chain of trust for the Discover appliance. |
| connect: x509: cannot validate certificate for <IP address> because it doesn't contain any IP SANs | An IP address was supplied as the EDA_HOSTNAME parameter when installing the forwarder, but the SSL certificate presented by the Discover appliance does not include an IP address as a Subject Alternate Name (SAN). | Select from the following three solutions.
|
|
||
|
Uninstall the software
If you no longer want the ExtraHop session key forwarder software installed, or if any of the original installation parameters have changed (Discover appliance hostname or certificate) and you need to reinstall the software with new parameters, do the following:
| Important: | You must restart the server for the configuration changes to take effect. |
- Log into the Windows server.
- (Optional): If you integrated the session key forwarder with Apache Tomcat, remove the -javaagent:C:\Program Files\ExtraHop\exagent.jar entry from Tomcat to prevent the web service from stopping.
-
Choose one of the following options to remove the software:
- Open the Control Panel and click Uninstall a program. Select ExtraHop Session Key Forwarder from the list and then click Uninstall.
- Run the following command to remove the software and associated registry
entries:
msiexec /x C:\ExtraHopSessionKeyForwarder.msi
Where C:\ExtraHopSessionKeyForwarder.msi is the path to the installer file.
- Click Yes to confirm.
- After the software is removed, click Yes to restart the system
Installation parameters
The session key forwarder software is provided as an MSI package. A complete installation of the forwarder requires specifying the EDA_HOSTNAME parameter. Three additional parameters, EDA_CERTIFICATEPATH, SERVERNAMEOVERRIDE, or TCPLISTENPORT might be required and are described in the tables below.
| MSI Installation Parameter | EDA_HOSTNAME |
| Registry Entry | HKEY_LOCAL_MACHINE\SOFTWARE\ExtraHop\EDAHost |
| Description | The Discover appliance hostname or IP address where SSL session keys will be
sent. This parameter is required. |
| MSI Installation Parameter | EDA_CERTIFICATEPATH |
| Registry Entry | N/A |
| Description |
The monitored server must trust the issuer of the Discover appliance SSL certificate through the server's certificate store. In some environments, the Discover appliance works with the self-signed certificate that the ExtraHop firmware generates upon installation. In this case, the certificate must be added to the certificate store. The EDA_CERTIFICATEPATH parameter enables a file-based PEM-encoded certificate to be imported into the Windows certificate store at installation. If the parameter is not specified at installation and a self-signed or other CA certificate must be placed into the certificate store manually, the administrator must import the certificate to Certificates (Computer Account) > Trusted Root Certification Authorities on the monitored system. This parameter is optional if the monitored server was previously configured to trust the SSL certificate of the Discover appliance through the Windows certificate store. |
| MSI Installation Parameter | SERVERNAMEOVERRIDE |
| Registry Entry | HKEY_LOCAL_MACHINE\SOFTWARE\ExtraHop\ServerNameOverride |
| Description | If there is a mismatch between the Discover appliance hostname that the forwarder knows (EDA_HOSTNAME) and the common name (CN) that is presented in the SSL certificate of the Discover appliance, then the forwarder must be configured with the correct CN. This parameter is optional. We recommend that you regenerate the SSL self-signed certificate based on the hostname from the SSL Certificate section of the Admin UI instead of specifying this parameter. |
| MSI Installation Parameter | SET_REBOOT_PENDING="0" |
| Registry Entry | N/A |
| Description | A system restart is required for the install to complete. If you specify this
parameter you will not be prompted to restart the system. This parameter is not recommended. |
| MSI Installation Parameter | TCPLISTENPORT |
| Registry Entry | HKEY_LOCAL_MACHINE\SOFTWARE\ExtraHop\TCPListenPort |
| Description | The key forwarder receives session keys locally from the Java environment
through a TCP listener on localhost (127.0.0.1) and the port specified in the
TCPListenPort entry. We recommended that this port remain set to
the default of 598. This parameter is optional. |
Supported SSL cipher suites
To decrypt SSL traffic in real time, you must configure your server applications to encrypt traffic with supported ciphers. The following information provides a list of supported cipher suites and the best practices you should consider when implementing SSL encryption.
- Turn off SSLv2 to reduce security issues at the protocol level.
- Turn off SSLv3, unless required for compatibility with older clients.
- Turn off SSL compression to avoid the CRIME security vulnerability.
- Turn off session tickets unless you are familiar with the risks that might weaken Perfect Forward Secrecy.
- Configure the server to select the cipher suite in order of the server preference.
The following cipher suites can be decrypted by the ExtraHop appliance and are listed in from strongest to weakest and by server preference:
- AES256-GCM-SHA384
- AES128-GCM-SHA256
- AES256-SHA256
- AES128-SHA256
- AES256-SHA
- AES128-SHA
- DES-CBC3-SHA
The following list includes some common cipher suites that support Perfect Forward Secrecy (PFS) and can be decrypted by the ExtraHop appliance when session key forwarding is configured. To configure session key forwarding, see Install the ExtraHop session key forwarder on a Windows server or Install the ExtraHop session key forwarder on a Linux server.
- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-ECDSA-AES128-SHA256
Install the ExtraHop session key forwarder on a Linux server
Perfect Forward Secrecy (PFS) is a property of secure communication protocols that enables short-term, completely private session key exchanges between clients and servers. When the session keys are only shared between the client and server, the Discover appliance is unable to decrypt this traffic, even when the Discover appliance has a copy of the server private key. The only way for the Discover appliance to decrypt this traffic is to get a copy of the session key from the server.
ExtraHop offers session key forwarding software for Windows and Linux that you can install on your servers that are sending SSL-encrypted traffic. The forwarder sends the SSL sessions keys to your ExtraHop Discover appliance. The session keys then enable the Discover appliance to decrypt those SSL/TLS sessions in your data feed. The ExtraHop session key forwarder decrypts sessions through the Microsoft Secure Channel (Schannel) security package, Java SSL/TLS (Java versions 6 through 10), and dynamically linked OpenSSL (1.0.x) libraries. OpenSSL is only supported on Linux with kernel versions 4.4 and later or RHEL 7.6 and later.
Depending on your environment, you can configure the Discover appliance for session key forwarding with or without a server certificate and private keys.
- (Recommended) If your environment does not require a server certificate, you can disable the private key requirement and configure global port mappings for the protocol traffic you want to decrypt.
- If your environment requires a server certificate, first complete the steps in the Decrypt SSL traffic with certificates and private keys guide, and then complete the steps below to install the forwarder software.
- Review the list of supported cipher suites that can be decrypted by the Discover appliance when session key forwarding is configured.
- Make sure that the Discover appliance is licensed for SSL Decryption and SSL Shared Secrets.
- Install the session key forwarder on RHEL, CentOS, Fedora, or Debian-Ubuntu Linux distributions. The session key forwarder might not function correctly on other distributions.
Enable the SSL session key receiver service
You must enable the session key receiver service on the Discover appliance before the appliance can receive and decrypt sessions keys from the session key forwarder. By default, this service is disabled.
Add a global port to protocol mapping
Add each protocol for the traffic that you want to decrypt with your session key forwarders.
- Log into the Admin UI on the Discover appliance.
- In the System Configuration section, click Capture.
- Click SSL Decryption.
- In the Private Key Decryption section, clear the Require Private Keys checkbox.
- In the Global Protocol to Port Mapping section, click Add Global Protocol.
- From the Protocol drop-down list, select the protocol for the traffic that you want to decrypt.
- In the Port field, type the number of the port. Type 0 to add all ports.
- Click Add.
Install the software
As an example, many Tomcat environments support customization of Java options in the /etc/default/tomcat7 file. In the following example, adding the -javaagent option to the JAVA_OPTS line causes the Java runtime to share SSL session secrets with the key forwarder process, which then relays the secrets to the Discover appliance so that the secrets can be decrypted.
JAVA_OPTS="... -javaagent:/opt/extrahop/lib/exagent.jar
Validate and troubleshoot your installation
If your Linux server has network access to the Discover appliance and the server SSL configuration trusts the certificate presented by the Discover appliance that you specified when you installed the session key forwarder, then the configuration is complete.
In cases where you might have problems with the configuration, the session key forwarder binary includes a test mode you can access from the command-line to test your configuration.
If there is a mismatch between the Discover appliance hostname that the forwarder knows (SERVER) and the common name (CN) that is presented in the SSL certificate of the Discover appliance, then the forwarder must be configured with the correct CN.
When the Discover appliance receives session keys and applies them to decrypted sessions, the Shared Secret metric counter (in ) is incremented. Create a dashboard chart with this metric to see if the Discover appliance is successfully receiving session keys from the monitored servers.
View connected session key forwarders
You can view recently connected session key forwarders after you install the session key forwarder on your server and enable the SSL session key receiver service on the Discover appliance. Note that this page only displays session key forwarders that have connected over the last few minutes, not all session key forwarders that are currently connected.
- Log into the Admin UI on the Discover appliance.
- In the System Configuration section, click Capture.
- Click SSL Shared Secrets.
Uninstall the software
If you no longer want the ExtraHop session key forwarder software installed, complete the following steps.
- Log into the Linux server.
-
Open a terminal application and choose one of the following options to remove
the software.
- For RPM-based servers, run the following
command:
sudo rpm --erase extrahop-key-forwarder
- For Debian and Ubuntu servers, run the following
command:
sudo apt-get --purge remove extrahop-key-forwarder
Type Y at the prompt to confirm the software removal and then press ENTER.
- For RPM-based servers, run the following
command:
- Click Yes to confirm.
- After the software is removed, click Yes to restart the system
Common error messages
Errors created by the session key forwarder are logged to the Linux system log file.
| Message | Cause | Solution |
|---|---|---|
| connect: dial tcp <IP address>:4873: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond | The monitored server cannot route any traffic to the Discover appliance. | Ensure firewall rules allow connections to be initiated by the monitored server to TCP port 4873 on the Discover appliance. |
| connect: dial tcp <IP address>:4873: connectex: No connection could be made because the target machine actively refused it | The monitored server can route traffic to the Discover appliance, but the receiving process is not listening. | Ensure that the Discover appliance is licensed for both the SSL Decryption and SSL Shared Secrets features. |
| connect: x509: certificate signed by unknown authority | The monitored server is not able to chain up the Discover appliance certificate to a trusted Certificate Authority (CA). | Ensure that the Linux certificate store for the computer account has trusted root certificate authorities that establish a chain of trust for the Discover appliance. |
| connect: x509: cannot validate certificate for <IP address> because it doesn't contain any IP SANs | An IP address was supplied as the SERVER parameter when installing the forwarder, but the SSL certificate presented by the Discover appliance does not include an IP address as a Subject Alternate Name (SAN). | Select from the following three solutions.
|
|
||
|
Supported SSL cipher suites
To decrypt SSL traffic in real time, you must configure your server applications to encrypt traffic with supported ciphers. The following information provides a list of supported cipher suites and the best practices you should consider when implementing SSL encryption.
- Turn off SSLv2 to reduce security issues at the protocol level.
- Turn off SSLv3, unless required for compatibility with older clients.
- Turn off SSL compression to avoid the CRIME security vulnerability.
- Turn off session tickets unless you are familiar with the risks that might weaken Perfect Forward Secrecy.
- Configure the server to select the cipher suite in order of the server preference.
The following cipher suites can be decrypted by the ExtraHop appliance and are listed in from strongest to weakest and by server preference:
- AES256-GCM-SHA384
- AES128-GCM-SHA256
- AES256-SHA256
- AES128-SHA256
- AES256-SHA
- AES128-SHA
- DES-CBC3-SHA
The following list includes some common cipher suites that support Perfect Forward Secrecy (PFS) and can be decrypted by the ExtraHop appliance when session key forwarding is configured. To configure session key forwarding, see Install the ExtraHop session key forwarder on a Windows server or Install the ExtraHop session key forwarder on a Linux server.
- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-ECDSA-AES128-SHA256
Session key forwarder options
You can configure the session key forwarder by editing the extrahop-key-forwarder.conf file.
| Important: | If you add
options to extrahop-key-forwarder.conf that do not have dedicated
variables, they must be in the ADDITIONAL_ARGS field. For
example:ADDITIONAL_ARGS="-v=true -libcrypto=/some/path/libcrypto.so -libcrypto=/some/other/path/libcrypto.so" |
| Option | Description |
|---|---|
| -cert <path> | Specifies the path to the server certificate. Only specify this option if the server certificate is not signed by a trusted certificate authority. |
| -docker-enable | Enables the enumeration of Docker containers. The default value is "false". |
| -docker-go-binary <value> | Specifies glob patterns to find Go binaries within Docker containers. This option can be specified multiple times. |
| -docker-libcrypto <path> | Specifies the path to libcrypto within Docker containers. This option can be specified multiple times. |
| -elevated | Runs the key forwarder with elevated privileges. |
| -go-binary <value> | Specifies glob patterns to find Go binaries. This option can be specified multiple times. |
| -hearbeat-interval | Specifies the time interval in seconds between heartbeat messages. The default interval is 30 seconds. |
| -ldconfig-cache <path> | The path to the ldconfig cache, ld.so.cache, within Docker containers. This option can be specified multiple times. The default path is /etc/ld.so.cache. |
| -libcrypto <path> | Specifies the path to the OpenSSL library, libcrypto. This option can be specified multiple times if you have multiple installations of OpenSSL. |
| -openssl-discover | Automatically discovers libcrypto implementations. The default value is "true". You must type -openssl-discover=false to disable OpenSSL decryption. |
| -pidfile <path> | Specifies the file where this server records its process ID (PID). |
| -port <value> | Specifies the TCP port that the Discover appliance is listening on for forwarded session keys. The default port is 4873. |
| -server <string> | Specifies the fully qualified domain name of the ExtraHop Discover appliance. |
| -server-name-override <value> | Specifies the subject name from the Discover appliance certificate. Specify this option if this server can only connect to the Discover appliance by IP address. |
| -syslog <facility> | Specifies the facility sent by the key forwarder. The default facility is local3. |
| -t | Perform a connectivity test. You must type -t=true to run with this option. |
| -tcp-listen-port <value> | Specifies the TCP port that the key forwarder is listening on for forwarded session keys. |
| -username <string> | Specifies the user that the session key forwarder runs under after the forwarder software is installed. |
| -v | Enable verbose logging. You must type -v=true to run with this option. |
Supported SSL cipher suites
To decrypt SSL traffic in real time, you must configure your server applications to encrypt traffic with supported ciphers. The following information provides a list of supported cipher suites and the best practices you should consider when implementing SSL encryption.
- Turn off SSLv2 to reduce security issues at the protocol level.
- Turn off SSLv3, unless required for compatibility with older clients.
- Turn off SSL compression to avoid the CRIME security vulnerability.
- Turn off session tickets unless you are familiar with the risks that might weaken Perfect Forward Secrecy.
- Configure the server to select the cipher suite in order of the server preference.
The following cipher suites can be decrypted by the ExtraHop appliance and are listed in from strongest to weakest and by server preference:
- AES256-GCM-SHA384
- AES128-GCM-SHA256
- AES256-SHA256
- AES128-SHA256
- AES256-SHA
- AES128-SHA
- DES-CBC3-SHA
The following list includes some common cipher suites that support Perfect Forward Secrecy (PFS) and can be decrypted by the ExtraHop appliance when session key forwarding is configured. To configure session key forwarding, see Install the ExtraHop session key forwarder on a Windows server or Install the ExtraHop session key forwarder on a Linux server.
- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-ECDSA-AES128-SHA256
Store SSL session keys on connected Trace appliances
This procedure shows you how to enable the storage of SSL session keys on connected Trace appliances. Keys are stored for all sessions that the Discover appliance can decrypt. These keys include SSL session keys derived from SSL decryption keys you upload on the SSL Decryption Keys page, and keys received from PFS session key forwarders.
| Note: | To ensure end to end security, the session keys are encrypted when moving between appliances as well as when the keys are stored on disk. |
- Log into the Admin UI on the Discover appliance.
- In the System Configuration section, click Capture.
- Click SSL Session Key Storage.
- Select Enable SSL Session Key Storage.
- Click Save.
Next steps
For more information about downloading session keys, see Download session keys with packet captures.
View connected session key forwarders
You can view recently connected session key forwarders after you install the session key forwarder on your server and enable the SSL session key receiver service on the Discover appliance. Note that this page only displays session key forwarders that have connected over the last few minutes, not all session key forwarders that are currently connected.
- Log into the Admin UI on the Discover appliance.
- In the System Configuration section, click Capture.
- Click SSL Shared Secrets.
Import external data to your Discover appliance
The ExtraHop Open Data Context API enables you to import data from an external host into the session table on your Discover appliance. That data can then be accessed to create custom metrics that you can add to ExtraHop charts, store in records on an Explore appliance, or export to a external analysis tool.
After you enable the Open Data Context API on your Discover appliance, you can import data by running a Python script from a memcached client on an external host. That external data is stored in key-value pairs, and can be accessed by writing a trigger.
For example, you might run a memcached client script on an external host to import CPU load data into the session table on your Discover appliance. Then, you can write a trigger that accesses the session table and commits the data as custom metrics.
| Warning: | The connection between the external host and the ExtraHop appliance is not encrypted and should not transmit sensitive information. |
Enable the Open Data Context API
You must enable the Open Data Context API on your Discover appliance before it can receive data from an external host.
Before you begin
- You must have unlimited privileges to access the Admin UI on your Discover appliance.
- If you have a firewall, your firewall rules must allow external hosts to access the specified TCP and UDP ports. The default port number is 11211.
Write a Python script to import external data
Before you can import external data into the session table on your Discover appliance, you must write a Python script that identifies your Discover appliance and contains the data you want to import into the session table. The script is then run from a memcached client on the external host.
This topic provides syntax guidance and best practices for writing the Python script. A complete script example is available at the end of this guide.
Before you begin
Ensure that you have a memcached client on the external host machine. You can install any standard memcached client library, such as http://libmemcached.org/ or https://pypi.python.org/pypi/pymemcache. The Discover appliance acts as a memcached version 1.4 server.
Here are some important considerations about the Open Data Context API:- The Open Data Context API supports most memcached commands, such as get, set, and increment.
- All data must be inserted as strings that are readable by the Discover
appliance. Some memcached clients attempt to store type information in the
values. For example, the Python memcache library stores floats as pickled
values, which cause invalid results when calling Session.lookup
in triggers. The following Python syntax correctly inserts a float as a
string:
mc.set("my_float", str(1.5)) - Although session table values can be almost unlimited in size, committing large values to the session table might cause performance degradation. In addition, metrics committed to the datastore must be 4096 bytes or fewer, and oversized table values might result in truncated or imprecise metrics.
- Basic statistics reporting is supported, but detailed statistics reporting by item size or key prefix is not supported.
- Setting item expiration when adding or updating items is supported, but bulk expiration through the flush command is not supported.
- Keys expire at 30-second intervals. For example, if a key is set to expire in 50 seconds, it can take from 50 to 79 seconds to expire.
- All keys set with the Open Data Context API are exposed through the SESSION_EXPIRE trigger event as they expire. This behavior is in contrast to the Trigger API, which does not expose expiring keys through the SESSION_EXPIRE event.
Write a trigger to access imported data
You must write a trigger before you can access the data in the session table.
Before you begin
This topic assumes experience with writing triggers. If you are unfamiliar with triggers, check out the following topics:-
Click the System Settings icon
and then click Triggers.
Next steps
You must assign the trigger to a device or device group. The trigger will not run until it has been assigned.Open Data Context API example
In this example, you will learn how to check the reputation score and potential risk of domains that are communicating with devices on your network. First, the example Python script shows you how to import domain reputation data into the session table on your Discover appliance. Then, the example trigger script shows you how to check IP addresses on DNS events against that imported domain reputation data and how to create a custom metric from the results.
Example Python script
This Python script contains a list of 20 popular domain names and can reference domain reputation scores obtained from a source such as DomainTools.
This script is a REST API that accepts a POST operation where the body is the domain name. Upon a POST operation, the memcached client updates the session table with the domain information.
#!/usr/bin/python
import flask
import flask_restful
import memcache
import sqlite3
top20 = { "google.com", "facebook.com", "youtube.com", "twitter.com",
"microsoft.com", "wikipedia.org", "linkedin.com",
"apple.com","adobe.com", "wordpress.org", "instagram.com",
"wordpress.com", "vimeo.com", "blogspot.com", "youtu.be",
"pinterest.com", "yahoo.com", "goo.gl", "amazon.com", "bit.ly}
dnsnames = {}
mc = memcache.Client(['10.0.0.115:11211'])
for dnsname in top20:
dnsnames[dnsname] = 0.0
dbc = sqlite3.Connection('./dnsreputation.db')
cur = dbc.cursor()
cur.execute('select dnsname, score from dnsreputation;')
for row in cur:
dnsnames[row[0]] = row[1]
dbc.close()
app = flask.Flask(__name__)
api = flask_restful.Api(app)
class DnsReputation(flask_restful.Resource):
def post(self):
dnsname = flask.request.get_data()
#print dnsname
mc.set(dnsname, str(dnsnames.get(dnsname, 50.0)), 120)
return 'added to session table'
api.add_resource(DnsReputation, '/dnsreputation')
if __name__ == '__main__':
app.run(debug=True,host='0.0.0.0')
Example trigger script
This example trigger script canonicalizes (or converts) IP addresses that are returned on DNS events into domain names, and then checks for the domain and its reputation score in the session table. If the score value is greater than 75, the trigger adds the domain to an application container called "DNSReputation" as a detail metric called "Bad DNS reputation".
//Configure the following trigger settings:
//Name: DNSReputation
//Debugging: Enabled
//Events: DNS_REQUEST, DNS_RESPONSE
if (DNS.errorNum != 0 || DNS.qname == null
|| DNS.qname.endsWith("in-addr.arpa") || DNS.qname.endsWith("local")
|| DNS.qname.indexOf('.') == -1 ) {
// error or null or reverse lookup, or lookup of local namereturn
return;
}
//var canonicalname = DNS.qname.split('.').slice(-2).join('.');
var canonicalname = DNS.qname.substring(DNS.qname.lastIndexOf('.', DNS.qname.lastIndexOf('.')-1)+1)
//debug(canonicalname);
//Look for this DNS name in the session table
var score = Session.lookup(canonicalname)
if (score === null) {
// Send to the service for lookup
Remote.HTTP("dnsrep").post({path: "/dnsreputation", payload: canonicalname});
} else {
debug(canonicalname + ':' +score);
if (parseFloat(score) > 75) {
//Create an application in the Web UI and add custom metrics
//Note: The application is not displayed in the Web UI after the
//initial request, but is displayed after subsequent requests.
Application('DNSReputation').metricAddDetailCount('Bad DNS reputation', canonicalname + ':' + score, 1);
}
}
Install the software tap on a Linux server
You must install the software tap on each server to be monitored in order to forward packets to the ExtraHop system. You can retrieve the commands from the procedures in this section or the ExtraHop Admin UI: https://<discover_ip_address>/admin/capture/rpcapd/linux/. The bottom of the ExtraHop Admin UI page contains links to automatically download the software tap.
Download and install on RPM-based systems
To download and install the software tap on RPM-based systems:
Download and install on other Linux systems
Install the software tap on a Windows server
You must install the software tap on each server to be monitored in order to forward packets to the ExtraHop system.
-
In the wizard, select the components to install.
-
Complete the ExtraHop IP and ExtraHop
Port fields and click Next. The default
port is 2003.
- (Optional):
Enter additional arguments in the text box and click
Next.
-
Browse to and select the destination folder to install RPCAP Service.
-
If RPCAP Service was previously installed, click Yes to
delete the previous service.
Monitoring multiple interfaces on a Linux server
For servers with multiple interfaces, you can configure the software tap to forward packets from a particular interface or from multiple interfaces by editing its configuration file on the server.
To edit the configuration file, complete the following steps.
Monitoring multiple interfaces on a Windows server
For servers with multiple interfaces, you can configure the software tap to forward packets from a particular interface or from multiple interfaces by editing its configuration file on the server.
To edit the configuration file, complete the following steps.
Enable network overlay decapsulation
Network overlay encapsulation wraps standard network packets in outer protocol headers to perform specialized functions, such as smart routing and virtual machine networking management. Network overlay decapsulation enables the ExtraHop appliance to remove these outer encapsulating headers and then process the inner packets.
| Note: | Enabling NVGRE and VXLAN decapsulation on your ExtraHop appliance can increase your device count as virtual appliances are discovered on the network. Discovery of these virtual devices can affect Advanced Analysis and Standard Analysis capacity and the additional metrics processing can cause performance to degrade in extreme cases. |
MPLS, TRILL, and Cisco FabricPath protocols are automatically decapsulated by the ExtraHop system.
Analyze a packet capture file on the Discover appliance
The offline capture mode in the Discover appliance enables an ExtraHop administrator to upload a capture file recorded by packet analyzer software, such as Wireshark or tcpdump, to the ExtraHop datastore for analysis.
Here are some important considerations before enabling offline capture mode:
- When the capture is set to offline mode, the ExtraHop datastore is reset. All previously recorded metrics are deleted from the datastore. When the system is set to online mode, the datastore is reset again.
- In offline mode, no metrics are collected from the capture interface until the system is set to online mode again.
Set the offline capture mode
Return the appliance to live capture mode
- In the System Configuration section, click Capture (offline).
- Click Restart Capture.
- Select Live, and then click Save.
Datastore
The Discover appliance includes a self-contained, streaming datastore for storing and retrieving performance and health metrics in real time. This local datastore bypasses the operating system and accesses the underlying block devices directly, rather than going through a conventional relational database.
Local and extended datastores
The Discover appliance includes a self-contained, streaming datastore for storing and retrieving performance and health metrics in real time. This local datastore bypasses the operating system and accesses the underlying block devices directly, rather than going through a conventional relational database.
The local datastore maintains entries for all devices discovered by the Discover appliance as well as metrics for those devices. By storing this information on the Discover appliance, the ExtraHop system provides both quick access to the latest network capture and historic and trend-based information about selected devices.
Extended datastore
The Discover appliance can connect to an external storage device to expand your metric storage. By default, the Discover appliance stores fast (30-second), medium (5-minute), and slow (1-hour) metrics locally. However, you can store 5-minute, 1-hour, and 24-hour metrics on an extended datastore.
To store metrics externally, you must first mount an external datastore, and then configure the Discover appliance to store data in the mounted directory. You can mount an external datastore through NFS v4 (with optional Kerberos authentication) or CIFS (with optional authentication).
Note that you can configure only one active extended datastore at a time to collect all configured metric cycles. For example, if you configure your extended datastore to collect 5-minute, 1-hour, and 24-hour metrics, all three metric cycles are stored in the same extended datastore. In addition, you can archive an extended datastore and those metrics are available for read-only requests from multiple Discover appliances.
Here are some important things to know about configuring an external datastore:
- If an extended datastore contains multiple files with overlapping timestamps, the metrics will be incorrect.
- If an extended datastore has metrics committed by a later ExtraHop appliance firmware version, the appliance with the older firmware cannot read those metrics.
- If an extended datastore becomes unreachable, the Discover appliance buffers metrics until the allocated memory is full. After the memory is full, the system overwrites older blocks until the connection is restored. When the mount reconnects, all of the metrics stored in memory are written to the mount.
- If an extended datastore file is lost or corrupted, metrics contained in that file are lost. Other files in the extended datastore remain intact.
- As a security measure, the system does not allow access to the stored plaintext password for the datastore.
Calculate the size needed for your extended datastore
The extended datastore must have enough space to contain the amount of data generated by the Discover appliance. The following procedure explains how you can calculate approximately how much free space you need for your extended datastore.
Before you begin
Familiarize yourself with ExtraHop datastore concepts.-
In the Metric Data Lookback Estimates chart, note the
Rate and Estimated Lookback for each metric cycle (or
time period) that you want to store on the external datastore. The rate for
5-minute metrics in our example figure below is 55.4 KB/s.
Next steps
Configure an extended CIFS or NFS datastore.Configure an extended CIFS or NFS datastore
The following procedures show you how to configure an external datastore for the Discover appliance.
Before you begin
Calculate the size needed for your extended datastore- First, you mount the NFS or CIFS share where you want to store data.
- For NFS, optionally configure Kerberos authentication before you add the NFS mount.
- Finally, specify the newly added mount as the active datastore.
(Optional) Configure Kerberos for NFS
- In the System Configuration section, click Datastore and Customizations.
- In the Extended Datastore Settings section, click Configure Extended Datastore.
-
Click Add Kerberos Config, then complete the
following information.
- In the Admin Server field, type the IP address or hostname of the master Kerberos server that issues tickets.
- In the Key Distribution Center (KDC) field, type the IP address or hostname of the server that holds the keys.
- In the Realm field, type the name of the Kerberos realm for your configuration.
- In the Domain field, type the name of the Kerberos domain for your configuration.
- In the Keytab File section, click Choose File, select a saved keytab file, and then click Open.
- Click Upload.
Add an NFS mount
Before you begin
- Configure any applicable Kerberos authentication before you add an NFS mount.
- Either allow read/write access for all users on the share or assign the 'extrahop' user as the owner of the share and allow read/write access.
- You must have NFS version 4.
- In the System Configuration section, click Datastore and Customizations.
- In the Extended Datastore Settings section, click Configure Extended Datastore.
- Click Add NFSv4 Mount.
-
On the Configure NFSv4 Mount page, complete the
following information:
- In the Mount Name field, type a name for the mount, such as EXDS.
- In the Remote Share Point field, type the path for the mount in the following format: host:/mountpoint, such as herring:/mnt/extended-datastore.
-
From the Authentication drop-down, select from the following options:
- None, For no authentication
- Kerberos, For krb5 security.
- Kerberos (Secure Auth and Data Integrity), for krb5i security.
- Kerberos (Secure Auth, Data Integrity, Privacy), for krb5p security
- Click Save.
Specify a mount as an active extended datastore
| Note: | If you decide to store 5-minute and 1-hour metrics on the extended datastore, this option causes the appliance to migrate any 5-minute and 1-hour metrics that the appliance collected from the local Discover appliance datastore to the extended datastore. Migrating 5-minute and 1-hour metrics to an extended datastore leaves more room to store 30-second metrics on the local datastore, which increases the amount of high-resolution lookback available. |
Archive an extended datastore for read-only access
By disconnecting an active datastore from a Discover appliance, you can create a read-only archive of the stored metrics data. Any number of Discover appliances can read from an archived datastore.
- Log into the Admin UI on your Discover appliance.
- In the System Configuration section, click Datastore and Customizations.
- In the Extended Datastore Settings section, click Configure Extended Datastore.
- Click the name of the mount that contains the datastore you want to archive.
- In the row of that datastore, click Disconnect Extended Datastore.
- Type YES to confirm and then click OK.
Connect your Discover appliances to the archived datastore
| Warning: | To connect to an archived datastore, a Discover appliance must
scan through the data contained in the datastore. Depending on the amount of
data stored in the archived datastore, connecting to the archived datastore
might take a long time. While the appliance is connecting to the archived
datastore, the appliance does not collect data and system performance is
degraded. The connection process takes more time under the following
circumstances:
|
- In the System Configuration, click Datastore and Customizations.
- In the Extended Datastore Settings section, click Configure Extended Datastore.
- Click the name of the mount that contains the archived datastore.
- In the Datastore Directory field, type the path of the archived datastore directory.
- Click Archive (Read Only).
- Click Configure.
Import metrics from an extended datastore
If you stored metric data on an extended datastore that is connected to your Discover appliance, you can move that data to a new ExtraHop appliance as part of a system upgrade or if you plan to reset the datastore on an existing ExtraHop appliance.
Reset the local datastore and remove all device metrics from the Discover appliance
In certain circumstances, such as moving a Discover appliance from one network to another, you might need to clear the metrics in the local and extended datastores. Resetting the local datastore removes all metrics, baselines, trend analyses, and discovered devices—and affects any customizations on your appliance.
Before you begin
Familiarize yourself with ExtraHop database concepts.If your device IDs are stored on the extended datastore, and that datastore is disconnected when the local datastore is reset and then later reconnected, those device IDs are restored to the local datastore and you do not need to reassign your restored customizations.
Configured alerts are retained on the system, but they are disabled and must be enabled and reapplied to the correct network, device, or device group. System settings and user accounts are unaffected.
| Warning: | This procedure deletes device IDs and device metrics from the Discover appliance. |
Troubleshoot issues with the extended datastore
To view the status for your mounts and datastores, and identify applicable troubleshooting steps, complete the following steps.
- Log into the Admin UI on your Discover appliance.
- In the System Configuration section, click Datastore and Customizations.
- In the Extended Datastore Settings section, click Configure Extended Datastore.
- In the Extended Datastores table, view the entry in the Status column for each mount or datastore. The following table provides guidance on each entry and identifies any applicable action.
| Status | Description | User Action |
|---|---|---|
| Mounted | The mount configuration was successful. | None required |
| NOT MOUNTED | The mount configuration was unsuccessful. |
|
| NOT READABLE | The mount has permissions or network-related issues that prevent reading. |
|
| NO SPACE AVAILABLE | The mount has no space remaining. | Detach the mount and create a new one. |
| INSUFFICIENT SPACE |
|
Detach the mount and create a new one. |
| AVAILABLE SPACE WARNING | Less than 1GB of space is available. | Detach the mount and create a new one. |
| NOT WRITEABLE | The mount has permissions or network-related issues that prevent writing. |
|
| Status | Description | User Action |
|---|---|---|
| Nominal | The datastore is in a normal state. | None required |
| INSUFFICIENT SPACE on: <MOUNT NAME> | The datastore has insufficient space on the named mount and it cannot be written to. | Create a new datastore. For the new datastore, consider selecting the Overwrite option, if appropriate. |
| NOT READABLE | The datastore has permissions or network-related issues that prevent reading. |
|
| NOT WRITEABLE | The datastore has permissions or network-related issues that prevent writing. |
|
Ticket Tracking
ExtraHop detections identify when unusual behavior is discovered on your network. By configuring ticket tracking, you can create tickets in a third-party ticket tracking system and link them to your ExtraHop detections. Linked tickets display the associated ticket status and ticket assignee in the detection.
Before you begin
While you can enable ticket tracking and configure a URL template through the Admin UI, ticket tracking requires further configuration through ExtraHop Triggers and REST API.| Note: | Machine learning detections require a connection to ExtraHop Cloud Services. |
- To enable ticket tracking, select the Enable ticket tracking
checkbox and then click Save.
Note: You must enable ticket tracking on all connected Discover and Command appliances. - To disable ticket tracking, clear the Enable ticket tracking checkbox. When ticket tracking is disabled, previously stored ticket information is preserved. However, users can no longer view ticket information from detections in the ExtraHop Web UI.
- To create an HTML link from the detection to the ticket in your ticket tracking system,
specify a URL template.
Type the URL in the template field for your ticketing system and add the $ticket_id variable at the appropriate location. Type a complete URL, such as https://jira.example.com/browse/$ticket_id. The $ticket_id variable is replaced with the ticket ID associated with the detection.
After the URL template is configured, you can click the ticket ID in a detection to open the ticket in a new browser tab.
Next steps
For more information about ticket tracking, see Configure ticket tracking for detections.Geomap Data Source
Geomaps and triggers reference a GeoIP database to identify the approximate location of an IP address.
Change the GeoIP database
You can upload your own GeoIP database to the ExtraHop system to ensure that you have the latest version of the database or if your database contains internal IP addresses that only you or your company know the location of.
- Log into the Admin UI on the Command or Discover appliance.
- In the System Configuration section, click Geomap Data Source.
- Click GeoIP Database.
- In the City-level Database section, select Upload New Database.
- Click Choose File and navigate to the new city-level database file on your computer.
- (Optional): In the Country-level Database section, select Upload New Database. The country-level database is subset of the city-level database.
- (Optional): Click Choose File and navigate to the new country-level database file on your computer.
- Click Save.
Next steps
For more information about geomaps, see the following resources:Override an IP location
You can override missing or incorrect IP addresses that are in the GeoIP database. You can enter a comma-delimited list or tabbed list of overrides into the text box.
- IP address (a single IP address or CIDR notation)
- Latitude
- Longitude
- City
- State or region
- Country name
- ISO alpha-2 country code
You can edit and delete items as necessary, but you must ensure that there is data present for each of the seven columns. For more information about ISO country codes, refer to https://www.iso.org/obp/ui/#search and click Country Codes.
Open Data Streams
By configuring an open data stream, you can send the data collected by your ExtraHop system to an external third-party system, such as syslog systems, MongoDB databases, HTTP servers, Kafka servers. In addition, you can send raw data to any external server by configuring the target with port and protocol specifications.
You can configure up to 16 open data stream targets of each external system type.
| Important: | After you configure an open data stream (ODS) for an external system, you
must create a trigger that specifies what data to manage through the stream. Similarly, if you delete an open data stream, you should also delete the associated trigger to avoid needlessly consuming system resources. For more information, see Open data stream classes in the ExtraHop Trigger API Reference. |
Configure an HTTP target for an open data stream
You can export data on an ExtraHop Discover appliance to a remote HTTP server for long-term archiving and comparison with other sources.
Next steps
Create a trigger that specifies what HTTP message data to send and initiates the transmission of data to the target. For more information, see the Remote.HTTP class in the ExtraHop Trigger API Reference.Configure a Kafka target for an open data stream
You can export data on an ExtraHop Discover appliance to any Kafka server for long-term archiving and comparison with other sources.
Next steps
Create a trigger that specifies what Kafka message data to send and initiates the transmission of data to the target. For more information, see the Remote.Kafka class in the ExtraHop Trigger API Reference.Configure a MongoDB target for an open data stream
You can export data on an ExtraHop Discover appliance to any system that receives MongoDB input for long-term archiving and comparison with other sources.
Next steps
Create a trigger that specifies what MongoDB message data to send and initiates the transmission of data to the target. For more information, see the Remote.MongoDB class in the ExtraHop Trigger API Reference.Configure a raw data target for an open data stream
You can export raw data on an ExtraHop Discover appliance to any server for long-term archiving and comparison with other sources. In addition, you can select an option to compress the data through GZIP.
Next steps
Create a trigger that specifies what raw message data to send and initiates the transmission of data to the target. For more information, see the Remote.Raw class in the ExtraHop Trigger API Reference.Configure a syslog target for an open data stream
You can export data on an ExtraHop Discover appliance to any system that receives syslog input (such as Splunk, ArcSight, or Q1 Labs) for long-term archiving and comparison with other sources.
Next steps
Create a trigger that specifies what syslog message data to send and initiates the transmission of data to the target. For more information, see the Remote.Syslog class in the ExtraHop Trigger API Reference.ODS Details
The Open Data Stream (ODS) details page provides information about the amount of data that has been sent to the ODS target and how many errors have occurred.
| Note: | The ODS Details page is currently available only for HTTP ODS targets. |
- Connection attempts
- The number of times the ExtraHop appliance attempted to connect to the ODS target.
- Connection errors
- The number of errors that occurred during attempts to connect to the ODS target.
- IPC errors
- The number of errors that occurred during data transfer between triggers and the exremote process. If IPC errors occur, contact ExtraHop Support for help.
- Bytes sent to target
- The number of bytes that were forwarded by the exremote process to the ODS target.
- Messages sent to target
- The number of messages that were forwarded by the exremote process to the ODS target.
- Bytes sent from triggers
- The number of bytes that triggers sent to the exremote process to be forwarded to the ODS target.
- Messages sent from triggers
- The number of messages that triggers sent to the exremote process to be forwarded to the ODS target.
- Messages dropped by exremote
- The number of messages that triggers sent to the exremote process but were never forwarded to the ODS target.
- Error Details
-
- Time
- The time that the error occurred.
- URL
- The URL of the ODS target.
- Status
- The HTTP status code returned by the ODS target.
- Request Headers
- The headers of the HTTP request sent to the ODS target.
- Request Body
- The body of the HTTP request sent to the ODS target.
- Response Headers
- The headers of the HTTP response sent by the ODS target.
- Response Body
- The body of the HTTP response sent by the ODS target.
Trends
Trend-based alerts are generated when a monitored metric deviates from the normal trends observed by the system. If needed, you can delete all configured trends and trend-based alerts from the appliance.
- Click Reset Trends to erase all trend data from the ExtraHop appliance.
Backup and restore a Discover or Command appliance
After you have configured your Command and Discover appliances with customizations such as bundles, triggers, and dashboards or administrative changes such as adding new users, ExtraHop recommends that you periodically back up your appliance settings to make it easier to recover from a system failure.
Back up a Discover or Command appliance
Create a system backup and store the backup file to a secure location.
- User customizations such as bundles, triggers, and dashboards.
- Appliance configuration settings made in the Admin UI, such as locally-created users and remote imported user groups, running configuration file settings, appliance SSL certificates, and connections to Explore and Trace appliances.
- License information for the appliance. If you are restoring settings to a new target appliance, you must manually license the new appliance.
- Precision packet captures. You can download saved packet captures manually by following the steps in View and download packet captures.
- When restoring a Command appliance that has a tunneled connection from a Discover appliance, the tunnel must be reestablished after the restore is complete and any customizations on the Command appliance for that Discover appliance must be manually recreated.
- User-uploaded SSL keys for traffic decryption.
- Secure keystore data, which contains passwords. If you are restoring a
backup file to the same appliance that created the backup, and the keystore is intact,
you do not need to re-enter credentials. However, if you are restoring a backup file to
a new appliance or migrating to a new appliance, you must re-enter the following
credentials:
- Any SNMP community strings provided for SNMP polling of flow networks.
- Any bind password provided to connect with LDAP for remote authentication purposes.
- Any password provided to connect to an SMTP server where SMTP authentication is required.
- Any password provided to connect to an external datastore.
- Any password provided to access external resources through the configured global proxy.
- Any password provided to access ExtraHop Cloud services and Atlas services through the configured ExtraHop cloud proxy.
- Any secret key provided to configure Microsoft Azure and Amazon AWS Open Data Stream targets.
Restore a Discover or Command appliance from a system backup
You can restore the ExtraHop system from the user-saved or automatic backups stored on the system. You can perform two types of restore operations; you can restore only customizations (changes to alerts, dashboards, triggers, custom metrics, for example), or you can restore both customizations and system resources.
Before you begin
The target appliance must be running a firmware version that is the same major version as the firmware version that generated the backup file. For example, a backup created from an appliance running firmware 7.1.0 can be restored to an appliance running firmware 7.1.1, but the reverse is not allowed.- Log into the Admin UI on the Discover or Command appliance.
- In the System Configuration section, click Backup and Restore.
- Click View or Restore System Backups.
- Click Restore next to the user backup or automatic backup that you want to restore.
-
Select one of the following restore options:
Option Description Restore system customizations Select this option if, for example, a dashboard was accidentally deleted or any other user setting needs to be restored. Any customizations that were made after the backup file was created are not overwritten when the customizations are restored. Restore system customizations and resources Select this option if you want to restore the system to the state it was in when the backup was created. Warning: Any customizations that were made after the backup file was created are overwritten when the customizations and resources are restored. - Click OK.
- (Optional): If you selected Restore system customizations, click View import log to see which customizations were restored.
-
Restart the system.
- Return to the main Admin UI page.
- In the Appliance Settings section, click Shutdown or Restart.
- In the Actions column for the System entry, click Restart.
- Click Restart to confirm.
Restore a Discover or Command appliance from a backup file
- Log into the Admin UI on the Discover or Command appliance.
- In the System Configuration section, click Backup and Restore.
- Click Upload Backup File to Restore System.
-
Select one of the following restore options:
Option Description Restore system customizations Select this option if, for example, a dashboard was accidentally deleted or any other user setting needs to be restored. Any customizations that were made after the backup file was created are not overwritten when the customizations are restored. Restore system customizations and resources Select this option if you want to restore the system to the state it was in when the backup was created. Warning: Any customizations that were made after the backup file was created are overwritten when the customizations and resources are restored. - Click Choose File and navigate to a backup file that you saved previously.
- Click Restore.
- (Optional): If you selected Restore system customizations, click View import log to see which customizations were restored.
-
Restart the system.
- Return to the main Admin UI page.
- In the Appliance Settings section, click Shutdown or Restart.
- In the Actions column for the System entry, click Restart.
- Click Restart to confirm.
Transfer settings to a new Command or Discover appliance
This procedure describes the steps required to restore a backup file to a new Command or Discover appliance. Only system settings from your existing Discover or Command appliance to a new appliance are transferred. Metrics on the local datastore are not transferred.
- The target appliance must be the same type of appliance, physical or virtual, as the source appliance.
- The target appliance must be the same size or larger (maximum throughput on the Discover appliance; CPU, RAM, and disk capacity on the Command appliance) as the source appliance.
- The target appliance must be running a firmware version that is the same major version as the firmware version that generated the backup file. For example, a backup created from an appliance running firmware 7.1.0 can be restored to an appliance running firmware 7.1.1, but the reverse is not allowed.
- After transferring settings to a target Command appliance, you must manually reconnect all Discover appliances and Atlas Services.
- When transferring settings to a target Command appliance that is configured for a tunneled connection to the Discover appliances, we recommend that you configure the target Command appliance with the same hostname and IP address as the source Command appliance.
Before you begin
Reconnect Discover appliances to the Command appliance
Before you begin
| Important: | If your Command and Discover appliances are configured for a tunneled connection, we recommend that you configure the source and target Command appliances with the same IP address and hostname. If you cannot set the same IP address and hostname, skip this procedure and create a new tunneled connection to the new IP address or hostname of the Command appliance. |
-
In the Actions column for the first Discover appliance, click
Reconnect.
-
Repeat steps 3-5 for any remaining disconnected Discover appliances.
All disconnected Discover appliances are now online.
Appliance Settings
You can configure the following components of the ExtraHop appliance in the Appliance Settings section.
All appliances have the following components:
- Running Config
- Download and modify the running configuration file.
- Firmware
- Upgrade the ExtraHop system firmware.
- System Time
- Configure the system time.
- Shutdown or Restart
- Halt and restart system services.
- License
- Update the license to enable add-on modules.
- Disks
- Provides information about the disks in the appliance.
The following components only appear on the specified appliances:
- Services
- Enable or disable the Web Shell, management GUI, SNMP service, and SSH access. The Services page appears only on ExtraHop Discover and Command appliances.
- Command Nickname
- Assign a nickname to the Command appliance. This setting is available only on the Command appliance.
- Reset Packetstore
- Delete all packets stored on the ExtraHop Trace appliance. The Reset Packetstore page appears only on the Trace appliance.
Running Config
The running configuration file specifies the default system configuration. When you modify system settings, you must save the running configuration file to preserve those modifications after a system restart.
| Note: | Making configuration changes to the code from the Edit page is not recommended. You can make most system modifications through other pages in the Admin UI. |
Save system settings to the running config file
When you modify any of the system configuration settings on an ExtraHop appliance, you must confirm the updates by saving the running config file. If you do not save the settings, the changes are lost when your ExtraHop appliance restarts.
- Click View and Save Changes.
-
Review the comparison between the old running config and the current running
config (not yet saved) and then select from the following options:
- If the changes are correct, click Save.
- If the changes are not correct, click Cancel and then revert the changes by clicking Revert config.
Edit the running config
The ExtraHop Admin UI provides an interface to view and modify the code that specifies the default system configuration. In addition to making changes to the running configuration through the settings pages in the Admin UI, changes can also be made on the Running Config page.
| Note: | Making configuration changes to the code from the Edit page is not recommended. You can make most system modifications through other settings pages in the Admin UI. |
Download the running config as a text file
You can download the Running Config settings to your workstation in text file format. You can open this text file and make changes to it locally, before copying those changes into the Running Config window.
- Click Running Config.
- Click Download config as a File.
Disable ICMPv6 Destination Unreachable messages
You can prevent ExtraHop appliances from generating ICMPv6 Destination Unreachable messages. You might want to disable ICMPv6 Destination Unreachable messages for security reasons per RFC 4443.
To disable ICMPv6 Destination Unreachable messages, you must edit the Running Configuration. However, we recommend that you do not manually edit the Running Configuration file without direction from ExtraHop Support. Manually editing the running config file incorrectly might cause the appliance to become unavailable or stop collecting data. You can contact ExtraHop Support at support@extrahop.com.
Disable specific ICMPv6 Echo Reply messages
You can prevent ExtraHop appliances from generating Echo Reply messages in response to ICMPv6 Echo Request messages that are sent to an IPv6 multicast or anycast address. You might want to disable these messages to reduce unnecessary network traffic.
To disable specific ICMPv6 Echo Reply messages, you must edit the Running Configuration. However, we recommend that you do not manually edit the Running Configuration file without direction from ExtraHop Support. Manually editing the running config file incorrectly might cause the appliance to become unavailable or stop collecting data. You can contact ExtraHop Support at support@extrahop.com.
Services
These services run in the background and perform functions that do not require user input. These services can be started and stopped through the Admin UI.
- Enable or disable the Web Shell
- The Web Shell provides access to the ExtraHop command-line interface (CLI). By default this service is enabled so that ExtraHop users can click the Launch Shell button in the upper right corner of the Admin UI screen and type commands. For more information, see the ExtraHop Command-line Reference.
- Enable or disable the Management GUI
- The Management GUI provides browser-based access to the ExtraHop appliance. By default,
this service is enabled so that ExtraHop users can access the ExtraHop Web UI and Admin UI. If
this service is disabled, the Apache Web Server session is terminated and all browser-based
access is disabled.
Warning: Do not disable this service unless you are an experienced ExtraHop administrator and you are familiar with the ExtraHop CLI. - Enable or disable the SNMP Service
- Enable the SNMP service on the ExtraHop appliance when you want your network device
monitoring software to collect information about the ExtraHop appliance. This service is
disabled by default.
- Enable the SNMP service from the Services page by selecting the Disabled checkbox and then clicking Save. After the page refreshes, the Enabled checkbox appears.
- Configure the SNMP service and download the ExtraHop MIB file
- Enable or disable SSH Access
- SSH access is enabled by default to enable users to securely log into the ExtraHop
command-line interface (CLI).
Note: The SSH Service and the Management GUI Service cannot be disabled at the same time. At least one of these services must be enabled to provide access to the appliance. - Enable or disable the SSL Session Key Receiver
- You must enable the session key receiver service on the Discover appliance before the
appliance can receive and decrypt sessions keys from the session key forwarder. By default,
this service is disabled.
Note: If you do not see this checkbox, and you have purchased the SSL Decryption license, contact ExtraHop Support to update your license.
Configure the SNMP service
Configure the SNMP service on your Extrahop appliance so that you can configure your network device monitoring software to collect information about your ExtraHop appliance through the Simple Network Management Protocol (SNMP). For example, you can configure your monitoring software to determine how much free space is available on an ExtraHop appliance and send an alert if the appliance is over 95% full. Import the ExtraHop SNMP MIB file into your monitoring software to monitor all ExtraHop-specific SNMP objects.
Next steps
Download the ExtraHop MIB file from the SNMP Service Configuration page.Firmware
The Admin UI provides an interface to upload and delete the firmware on ExtraHop appliances. The firmware file must be accessible from the computer where you will perform the upgrade.
Before you begin
Be sure to read the release notes for the firmware version that you want to install. Release notes contain upgrade guidance as well as known issues that might affect critical workflows in your organization.Upgrade the firmware on your ExtraHop appliance
The following procedure shows you how to upgrade your ExtraHop appliance to the latest firmware release. While the firmware upgrade process is similar across all ExtraHop appliances, some appliances have additional considerations or steps that you must address before you install the firmware in your environment. If you need assistance with your upgrade, contact ExtraHop Support.
Pre-upgrade checklist
Here are some important considerations and requirements about upgrading ExtraHop appliances.
- If you have multiple types of ExtraHop appliances, you must upgrade them in
the following order:
- Command appliance
- Discover appliances
- Explore appliances
- Trace appliances
- If you have a Command appliance, apply the following guidance:
- For large Command appliance deployments (managing 50,000 devices or more), reserve a minimum of one hour to perform the upgrade.
- The Command appliance firmware version must be greater than or equal to the firmware version of all connected appliances.
- If you have Explore appliances, apply the following guidance:
- Do not upgrade Explore appliances to a firmware version that is newer than the version installed on connected Command and Discover appliances.
- After upgrading the Command and Discover appliances, halt the ingest
of records from the Command and Discover appliances before upgrading
the Explore appliance. If you are upgrading from a firmware version
prior to 7.4, temporarily remove any
connected Explore appliances, or alternatively, disable triggers that commit records and disable the
automatic flow records setting. If you are upgrading
from firmware version 7.4 or later, after upgrading the Command
Discover appliances disable record
ingest on the Explore cluster, before upgrading the
Explore appliance.
You must re-enable these settings after all nodes in the Explore cluster are upgraded.
- You must upgrade all Explore nodes in an Explore cluster. The
cluster will not function correctly if nodes are on dissimilar
firmware versions.
Important: The message Could not determine ingest status on some nodes and Error appear on the Cluster Data Management page in the Admin UI of the upgraded nodes until all nodes in the cluster are upgraded. These errors are expected and can be ignored.
- If you have Trace appliances, apply the following guidance:
- Do not upgrade Trace appliances to a firmware version that is newer than the version installed on connected Command and Discover appliances.
System Time
The System Time page displays the current configuration and the status of all configured NTP servers. When capturing data, it is helpful to have the time on the ExtraHop appliance match the local time of the router. The ExtraHop appliance can set time locally or synchronize time with a time server. By default, system time is set locally, but we recommend that you change this setting and set time through a time server.
- Configure the system time.
- View information about the appliance settings in the System Time section:
- Time Zone
- Displays the currently selected time zone
- System Time
- Displays the current system time.
- Time Servers
- Displays a comma-separated list of configured time servers.
- View information for each configured NTP server in the NTP Status table:
- remote
- The host name or IP address of the remote NTP server you have configured to synchronize with.
- st
- The stratum level, 0 through 16.
- t
- The type of connection. This value can be u for unicast or manycast, b for broadcast or multicast, l for local reference clock, s for symmetric peer, A for a manycast server, B for a broadcast server, or M for a multicast server.
- when
- The last time when the server was queried for the time. The default value is seconds, or m is displayed for minutes, h for hours, and d for days.
- poll
- How often the server is queried for the time, with a minimum of 16 seconds to a maximum of 36 hours.
- reach
- Value that shows the success and failure rate of communicating with the remote server. Success means the bit is set, failure means the bit is not set. 377 is the highest value.
- delay
- The round trip time (RTT) of the ExtraHop appliance communicating with the remote server, in milliseconds.
- offset
- Indicates how far off the ExtraHop appliance clock is from the reported time the server gave you. The value can be positive or negative, displayed in milliseconds.
- jitter
- Indicates the difference, in milliseconds, between two samples.
Configure the system time
By default, ExtraHop appliances synchronize the system time through the *.extrahop.pool.ntp.org network time protocol (NTP) servers. If your network environment prevents the ExtraHop appliance from communicating with these time servers, you must configure an alternate time server source.
The NTP Status table displays a list of NTP servers that keep the system clock in sync. To sync the current system time a remote server, click the Sync Now button.
Shutdown or Restart
The Admin UI provides an interface to halt, shutdown, and restart the ExtraHop appliance and its system components. For each ExtraHop appliance component, the table includes a time stamp to show the start time.
- Restart or shutdown System to pause or shut down and restart the ExtraHop appliance.
- Restart Bridge Status (Discover appliance only) to restart the ExtraHop bridge component.
- Restart Capture (Discover appliance only) to restart the ExtraHop capture component.
- Restart Portal Status to restart the ExtraHop web portal.
- Restart Scheduled Reports (Command appliance only) to restart the ExtraHop scheduled reports component.
Appliance Migration
You can migrate your stored metrics, customizations and system resources on your existing physical Discover appliance to a new Discover appliance.
Migrate a Discover appliance
When you are ready to upgrade your existing Discover appliance, you can easily migrate to new hardware without losing business critical metrics and time-consuming system configurations.
- License information for the appliance. If you are restoring settings to a new target appliance, you must manually license the new appliance.
- Precision packet captures. You can download saved packet captures manually by following the steps in View and download packet captures.
- When restoring a Command appliance that has a tunneled connection from a Discover appliance, the tunnel must be reestablished after the restore is complete and any customizations on the Command appliance for that Discover appliance must be manually recreated.
- User-uploaded SSL keys for traffic decryption.
- Secure keystore data, which contains passwords. If you are restoring a
backup file to the same appliance that created the backup, and the keystore is intact,
you do not need to re-enter credentials. However, if you are restoring a backup file to
a new appliance or migrating to a new appliance, you must re-enter the following
credentials:
- Any SNMP community strings provided for SNMP polling of flow networks.
- Any bind password provided to connect with LDAP for remote authentication purposes.
- Any password provided to connect to an SMTP server where SMTP authentication is required.
- Any password provided to connect to an external datastore.
- Any password provided to access external resources through the configured global proxy.
- Any password provided to access ExtraHop Cloud services and Atlas services through the configured ExtraHop cloud proxy.
- Any secret key provided to configure Microsoft Azure and Amazon AWS Open Data Stream targets.
Before you begin
| Important: | If the source appliance has an external datastore and the datastore is configured on a CIFS (SMB) server requiring password authentication, contact ExtraHop Support to assist you with your migration. |
- Source and target appliances must be running the same firmware version.
- Migrate only to same-edition appliances, such as Reveal(x). If you need to migrate between editions, contact your ExtraHop sales team for assistance.
- Migration between physical and virtual appliances is not supported.
- Supported migration paths are listed in the following table.
| Source Appliance | Target Appliance | |||
|---|---|---|---|---|
| EDA 6200 | EDA 8200 | EDA 9200 | EDA 10200 | |
| EH3000 | YES | YES | YES | YES |
| EH6000 | YES | YES | YES | YES |
| EH8000 | NO | YES | YES | YES |
| EDA 1100 | YES | YES | YES | YES |
| EDA 3100 | YES | YES | YES | YES |
| EDA 6100 | YES | YES | YES | YES |
| EDA 8100 | NO | YES | YES | YES |
| EDA 9100 | NO | NO | YES | YES |
| EDA 6200 | NO | YES | YES | YES |
| EDA 8200 | NO | NO | NO | YES |
| EDA 9200 | NO | NO | NO | YES |
| EDA 10200 | NO | NO | NO | NO |
Prepare the source and target appliances
- Follow the instructions in the deployment guide for your appliance model to deploy the target appliance.
- Register the target appliance.
- Make sure that the target and the source appliance are running the exact same firmware version. You can download current and previous firmware from the ExtraHop Customer Portal.
-
Choose one of the following networking methods to migrate to the target
appliance.
- (Recommended) To complete the migration in the fastest time possible, directly connect the appliances with 10G management interfaces.
- Create a bond interface (optional) of available 1G
management interfaces. With the appropriate network cables, directly connect
the available port or ports on the source appliance to similar ports on the
target appliance. The figure below shows an example configuration with
bonded 1G interfaces.
Important: Make sure that your IP address and subnet configuration on both appliances route management traffic to your management workstation and migration traffic to the direct link. - Migrate the appliance over your existing network. The source and target appliance must be able to communicate with each other over your network. Note that migration might take significantly longer with this configuration.
Create a bond interface (optional)
Follow the instructions below to bond 1G interfaces. Creating a bond interface decreases the amount of time it takes to complete the migration over 1G interfaces.
- In the Network Settings section on the source appliance, click Connectivity.
- In the Bond Interface Settings section, click Create Bond Interface.
- In the Members section, Select the members of the bond interface depending on the appliance type. Do not include the current management interface, typically interface 1 or interface 3, in the bond interface.
- From the Take Settings From drop-down list, select one of the members of the new bond interface.
- For Bond Type, select Static.
- Click Create.
- On the Connectivity page, in the Bond Interfaces section, click Bond Interface 1.
- From the Interface Mode drop-down menu, select Management Port.
- Type the IPv4 Address, Netmask, and Gateway for your migration network.
- Click Save.
- Repeat this procedure on the Target appliance.
Start the migration
Migration can take several hours to complete. During this time, neither the source nor the target appliance can collect data. The migration process cannot be paused or canceled.
Configure the target appliance
If appliance networking is not configured through DHCP, make sure connectivity settings are updated, including any assigned IP addresses, DNS servers, and static routes. Connections to Command, Explore, and Trace appliances on the source appliance are automatically established on the target appliance when network settings are configured.
- Log into the Admin UI on the target appliance.
- In the Network Settings section, click Connectivity.
- In the Interfaces section, click the management interface (typically interface 1 or interface 3, depending on the appliance type).
- Type the IP address of the source appliance in the IPv4 Address field.
- If static routes were configured on the source appliance, click Edit Routes, add any required route information, and then click Save.
- Click Save to save the interface settings.
- If you had to change any interface settings to perform the migration with bonded interfaces, make sure that the interface modes are configured as you expect them to be.
- Restore any additional settings that are not automatically restored.
License
The License Administration page enables you to view and manage licenses for your ExtraHop appliance. You must have an active license to access the ExtraHop Web UI, and your appliance must be able to connect to the ExtraHop licensing server for periodic updates and check-ins about your license status.
To learn more about ExtraHop licenses, see the License FAQ.
Register your ExtraHop appliance
When you purchase an appliance, you will receive an email with a new product key that must be added to your appliance from the ExtraHop Admin UI. This guide provides instructions on how to apply the new product key and activate all of your purchased modules. You must have administrator privileges on the ExtraHop appliance to access the Admin UI.
Register the appliance
Before you begin
| Note: | If you are registering a Discover or Command appliance, you can optionally enter the product key from the ExtraHop Web UI, (https://<extrahop_ip_address>/) after you accept the EULA and log in. |
Next steps
Have more questions about ExtraHop licensing works? See the License FAQ.Troubleshoot license server connectivity
Your ExtraHop appliance must be able to resolve the *.d.extrahop.com domain from the DNS server settings that you configured on your ExtraHop appliance. Communication with the licensing server through DNS is required for license updates and check-ins.
nslookup -type=NS d.extrahop.com
Non-authoritative answer: d.extrahop.com nameserver = ns0.use.d.extrahop.com. d.extrahop.com nameserver = ns0.usw.d.extrahop.com.If the name resolution is not successful, make sure that your DNS server is properly configured to lookup the extrahop.com domain.
Apply an updated license
When you purchase a new protocol module, service, or feature, your updated license is automatically available on your appliance. However you must apply your updated license to your appliance through the Admin UI for the new changes to take effect.
-
In the Appliance Settings section, click License. A message appears about the
availability of your new license, as shown in the following figure.
Update a license
If ExtraHop Support provides you with a license file, you can install this file on your appliance to update the license.
| Note: | If you want to update the product key for your appliance, you must register your ExtraHop appliance. |
Disks
The Disks page displays a map of the drives on your ExtraHop appliance and lists their statuses. This information can help you determine whether drives need to be installed or replaced. Automatic system health checks and email notifications (if enabled) can provide timely notice about a disk that is in a degraded state. System health checks display disk errors at the top of the Settings page.
For information about configuring and repairing RAID10 functionality on the EH8000, EDA 6100, and EDA 6200 appliances, see Upgrade from RAID 0 to RAID 10.
For help replacing a RAID 0 disk or installing an SSD drive, refer to the instructions below. The RAID 0 instructions apply to the following types of disks:
- Datastore
- Packet Capture
- Firmware
Do not attempt to install or replace the drive in Slot 0 unless instructed by ExtraHop Support.
| Note: | Ensure that your device has a RAID controller before attempting the following procedure. If unsure, contact ExtraHop Support at support@extrahop.com. This procedure configures the EDA 5000 appliance as an example. A persistently damaged disk might not be replaceable with this procedure. |
Replace a RAID 0 disk
-
Verify the new disk information:
- Under Unused Disks on the Disk Details page, verify that the new disk is the same size, speed, and type as the disk being replaced.
Mouse over the old and new disks in the Drive Map. The new disk displays the message "Unconfigured(good), Spun Up."
-
Under the section for the disk type, click Replace with Disk in slot
#n in the Disk Error Action row.
The data begins copying over. The Copy Status row displays the progress. Mousing over the disk in the Drive Map shows the status.
-
Remove the old disk.
The Drive Map now shows the new disk in green.
Install a new packet capture disk
-
In the Admin UI, refresh the browser.
The Drive Map shows the SSD slot in yellow because the drive is not configured.
-
Next to SSD Assisted Packet Capture, click
Enable.
-
Click OK to add the packet capture drive.
The page refreshes and the Drive Map shows the SSD as green and the Status changes to Online, Spun Up.
| Tip: | If the SSD drive is dislodged and reinserted, you can re-enable it. This process requires reformatting the disk, which erases all data. |
Command Nickname
By default, your Command appliance is identified by its hostname on connected Discover appliances. However, you can optionally configure a custom name to identify your Command appliance.
Choose from the following options to configure the display name for your Command appliance:
- Select Display custom nickname and type the name in the field you want to display for this Command appliance.
- Select Display hostname to display the hostname configured for this Command appliance.
Configure packet capture for the Discover appliance
Packet capture enables you to collect, store, and retrieve data packets from your network traffic. You can download a packet capture file for analysis in a third-party tool, such as Wireshark. Packets can be inspected to diagnose and resolve network problems and to verify that security policies are being followed.
By adding a packet capture disk to the Discover appliance, you can store the raw payload data sent to your Discover appliance. This disk can be added to your virtual appliance or an SSD that is installed in your physical appliance.
These instructions only apply to the Discover appliance and Reveal(x) systems. To store packet captures to a dedicated appliance, see the deployment guides for the ExtraHop Trace appliance and the Packets concepts.
Enable packet capture
Your Discover appliance must be licensed for packet capture and be configured with a dedicated SSD storage disk for a physical appliance or a disk configured on your hypervisor for a virtual appliance.
Before you begin
- Verify that your Discover appliance is licensed for Packet Capture by logging into the Admin UI and clicking License. Packet Capture is listed under Features and should display Enabled.
- Log into the Admin UI on your Discover appliance.
- In the Appliance Settings section, click Disks.
-
Depending on your appliance type and menu options, configure the following
settings.
- For physical appliances click Enable next to SSD Assisted Packet Capture, and then click OK.
- For virtual appliances, verify that running appears in the Status column and that the disk size you configured for packet capture appears in the Size column. Click Enable next to Triggered Packet Capture, and then click OK.
Next steps
Your packet capture disk is now enabled and ready to store packets. Click Configure if you want to encrypt the disk, or configure global or precision packet captures.Encrypt the packet capture disk
Packet capture disks can be secured with 256-bit AES encryption.
- You cannot decrypt a packet capture disk after it is encrypted. You can clear the encryption, but the disk is formatted, and all data is deleted.
- You can lock an encrypted disk to prevent any read or write access to stored packet capture files. If the Discover appliance is restarted, encrypted disks are automatically locked and remain locked until they are unlocked with the passphrase. Unencrypted disks cannot be locked.
- You can reformat an encrypted disk, but all data is permanently deleted. You can reformat a locked disk without unlocking the disk first.
- You can perform a secure delete (or system wipe) of all system data. For instructions, see the ExtraHop Rescue Media Guide.
- In the Appliance Settings section, click Disks.
-
On the Disks page, select one of the following options based on your appliance
type.
- For virtual appliances, click Configure next to Triggered Packet Capture.
- For physical devices, click Configure next to SSD Assisted Packet Capture.
- Click Encrypt Disk.
-
Specify a disk encryption key from one of the following options:
- Type a passphrase into the Passphrase and Confirm fields.
- Click Choose File and select an encryption key file.
- Click Encrypt.
Next steps
You can change the disk encryption key by returning to the Disks page and clicking Configure and then Change Disk Encryption Key.Format the packet capture disk
You can format an encrypted packet capture disk to permanently remove all packet captures. Formatting an encrypted disk removes the encryption. If you want to format an unencrypted packet capture disk, you must remove the disk, and then enable the disk again.
| Warning: | This action cannot be reversed. |
- In the Appliance Settings section, click Disks.
-
On the Disks page, choose one of the following options based on your appliance
platform.
- For virtual appliances, click Configure next to Triggered Packet Capture.
- For physical devices, click Configure next to SSD Assisted Packet Capture.
- Click Clear Disk Encryption.
- Click Format.
Remove the packet capture disk
If you want to replace a packet capture disk, you must first remove the disk from the system. When a packet capture disk is removed from the system, all of the data on the disk is permanently deleted.
- In the Appliance Settings section, click Disks.
-
On the Disks page, choose one of the following options based on your appliance
platform.
- For virtual appliances, click Configure next to Triggered Packet Capture.
- For physical devices, click Configure next to SSD Assisted Packet Capture.
- Click Remove Disk.
-
Select one of the following format options:
- Quick Format
- Secure Erase
- Click Remove.
Configure a global packet capture
A global packet capture collects every packet that is sent to the ExtraHop appliance for the duration that matches the criteria.
- For Discover appliances, log into the Admin UI, and click View and Download Packet Captures.
- For Reveal(x) systems, log into the Web UI, and click Packets from the top menu.
Configure a precision packet capture
Precision packet captures require ExtraHop Triggers, which enable you to capture only the packets that meet your specifications. Triggers are highly customizable user-defined code that run upon defined system events.
Before you begin
Packet capture must be licensed and enabled on your Discover appliance or Reveal(x) system.- Trigger concepts
- Build a trigger
- Trigger API Reference
- Walkthough: Initiate precision packet captures to analyze zero window conditions
In the following example, the trigger captures an HTTP flow with the name HTTP host <hostname> and stops the capture after a maximum of 10 packets are collected.
-
Click the System Settings icon and then click
Triggers.
Next steps
Download the packet capture file.- For Discover appliances, log into the Admin UI, and click View and Download Packet Captures.
- For Reveal(x) systems, log into the Web UI, and click
Records from the top menu. Select Packet
Capture from the Record Type drop-down
list. After the records associated with your packet capture appear, click the
Packets icon
, and then click Download
PCAP.
View and download packet captures
If you have packet captures stored on a virtual disk or on an SSD disk in your Discover appliance, you can manage those files from the View Packet Captures page in the Admin UI. For Reveal(x) systems and on Trace appliances, view the Packets page in the Web UI.
- Click Configure packet capture settings to automatically delete stored packet captures after the specified duration (in minutes).
- View statistics about your packet capture disk.
- Specify criteria to filter packet captures and limit the number of files displayed in the Packet Capture List.
- Select a file from the Packet Capture list and then download or delete the file.
ExtraHop Command Settings
The ExtraHop Command Settings section on the Discover appliance enables you to connect the Discover appliance to a Command appliance. Depending on your network configuration, you can establish a connection from the Discover appliance (tunneled connection) or from the Command appliance (direct connection).
- We recommend that you log into the Admin UI on your Command appliance, and create a direct connection to the Discover appliance. Direct connections are made from the Command appliance over HTTPS on port 443 and do not require special access. For instructions, see Connect to a Discover appliance from a Command appliance.
- If your Discover appliance is behind a firewall, you can create an SSH tunnel connection from this Discover appliance to your Command appliance. For instructions, see Connect to a Command appliance from a Discover appliance.
Connect to a Command appliance from a Discover appliance
You can connect the Discover appliance to the Command appliance through an SSH tunnel.
Before you begin
- You can connect a Discover appliance to multiple Command appliances.
- You can only establish a connection to a Command appliance that is licensed for the same system edition as the Discover appliance.
Connect a Command appliance to Discover appliances
You can manage multiple Discover appliances from a Command appliance. After you connect the appliances, you can view and edit the appliance properties, assign a nickname, upgrade firmware, check the license status, create a diagnostic support package, and connect to the ExtraHop Web UI, Admin UI, and Web Shell.
The Command appliance connects directly to the Discover appliance over HTTPS on port 443. If it is not possible to establish a direct connection because of firewall restrictions in your network environment, you can connect to the Command appliance through a tunneled connection from the Discover appliance.
Before you begin
- You can connect a Command appliance to multiple Discover appliances.
- You can only establish a connection to a Discover appliance that is licensed for the same system edition as the Command appliance.
- The Command appliance and Discover appliances must have the same version of ExtraHop firmware to function correctly together.
Manage Discover Appliances
From the Command appliance, you can view connected Discover appliances and manage some administrative tasks.
Select the checkbox for one or more connected Discover appliances. Then, select from the following administrative tasks.
- Click Check License to connect to the ExtraHop licensing server and retrieve the latest status for the selected Discover appliances. If your Command appliance is unable to access data from a connected Discover appliance, the license might be invalid.
- Click Run Support Script and then select from the following
options:
- Click Run Default Support Script to collect information about the selected Discover appliances. You can send this diagnostics file to ExtraHop Support for analysis.
- Click Run Custom Support Script to upload a file from ExtraHop Support that provides small system changes or enhancements.
- Click Upgrade Firmware to upgrade the selected Discover appliance. You can enter a URL to the firmware on the Customer Portal website or upload the firmware file from your computer. With either option, we strongly recommend you read the firmware release notes and the firmware upgrade guide.
- Click Disable or Enable to temporarily alter the connection between Discover and Command appliances. When this connection is disabled, the Command appliance does not display the Discover appliance and cannot access the Discover appliance data.
- Click Remove Appliance to permanently disconnect selected Discover appliances.
ExtraHop Explore Settings
This section contains the following configuration settings for the ExtraHop Explore appliance.
- Configure automatic flow records (Discover appliance only)
- Connect to an Explore appliance
- Manage an Explore appliance (Command appliance only)
Connect the Discover and Command appliances to Explore appliances
After you deploy an Explore appliance, you must establish a connection from all ExtraHop Discover and Command appliances to the Explore appliance before you can query for stored records.
| Important: | If you have an Explore cluster of three or more Explore nodes, connect the Discover appliance to each Explore node so that the Discover appliance can distribute the workload across the entire Explore cluster. |
| Note: | If the Explore appliance connections are managed from a Command appliance, you must perform this procedure from the Command appliance instead of from each Discover appliance. |
-
For each additional Explore appliance in the cluster, click Add
New and enter the individual hostname or IP address in the
corresponding Explore node field.
Next steps
| Important: | If you only deployed a single Explore appliance, after you connect to your Discover or Command appliance, you must log into the Admin UI on the Explore appliance and set the to 0. |
Disconnect the Explore appliances
To halt the ingest of records to the Explore appliance, disconnect all Explore appliances from the Command and Discover appliances.
| Note: | If appliance connections are managed by a Command appliance, you can only perform this procedure on the Command appliance. |
-
Click the red X next to every node in the Explore
cluster.
Manage Explore Appliances
From the Command appliance, you can view connected Explore appliances and manage some administrative tasks.
View information about connected Explore appliances as individual appliances or as part of a cluster.
- Click Explore Cluster in the Name field to open the Cluster Properties. You can add a custom nickname for the Explore appliance and view the Cluster ID.
- Click any appliance to open the node properties. By clicking Open Admin UI, you can access the Admin UI for the specific Explore appliance.
- View the date and time that the appliance was added to this Command appliance.
- View the license status for your appliances.
- View the list of actions that you can perform on this appliance.
- View the Job column to see the status of any running support scripts.
Select an Explore node or one or more connected Explore clusters. Then, select from the following administrative tasks.
- Click Run Support Script and then select from the following
options:
- Click Run Default Support Script to collect information about the selected Explore appliance. You can send this diagnostics file to ExtraHop Support for analysis.
- Click Run Custom Support Script to upload a file from ExtraHop Support that provides small system changes or enhancements.
- Click Upgrade Firmware to upgrade the selected Explore appliance. You can enter a URL to the firmware on the Customer Portal website or upload the firmware file from your computer. With either option, we strongly recommend you read the firmware release notes and the firmware upgrade guide.
- Click Remove Cluster to permanently disconnect the selected Explore appliance. This option only prevents you from performing the administrative tasks on this page from the Command appliance. The Explore appliance remains connected to your Discover appliance and continues to collect records.
Collect flow records
You can automatically collect all flow records, which are network-layer communications between two devices over an IP protocol. If you enable this feature, but do not add any IP addresses or port ranges, all detected flow records are captured.
Before you begin
- You must connect your Command or Discover appliance to your Explore appliances or configure a third-party recordstore before you can collect flow records.
- You must have unlimited privileges to configure automatic flow record collection.
ExtraHop Explore Status
If you have connected an Explore appliance to your Discover or Command appliances, you can access information about the Explore appliance.
The table on this page provides the following information about any connected Explore appliances.
- Activity since
- Displays the timestamp when record collection began. This value is automatically reset every 24 hours.
- Record Sent
- Displays the number of records sent to the Explore appliance from a Discover appliance.
- I/O Errors
- Displays the number of errors generated.
- Queue Full (Records Dropped)
- Displays the number of records dropped when records are created faster than they can be sent to the Explore appliance.
ExtraHop Trace Settings
ExtraHop Trace appliances continuously collect and store raw packet data from your Discover appliance. Connect the appliances to begin storing packets on a Trace appliance.
Connect the Discover and Command appliances to the Trace appliance
After you deploy the Trace appliance, you must establish a connection from all ExtraHop Discover and Command appliances to the Trace appliance before you can query for packets.
Connected to Discover Appliance
Connected to Discover and Command Appliance
Manage Trace Appliances
From the Command appliance, you can view connected Trace appliances and manage some administrative tasks.
View information about connected Trace appliances.
- Click Trace Cluster in the Name field to open the Cluster Properties. You can add a custom nickname for the Trace appliance and view the Cluster ID.
- Click any appliance to view the properties. By clicking Open Admin UI, you can access the Admin UI for the specific Trace appliance.
- View the date and time that the appliance was added to this Command appliance.
- View the license status for your appliances.
- View the list of actions that you can perform on this appliance.
- View the Job column to see the status of any running support scripts.
Select a Trace appliance. Then, select from the following administrative tasks.
- Click Run Support Script and then select from the following
options:
- Click Run Default Support Script to collect information about the selected Trace appliance. You can send this diagnostics file to ExtraHop Support for analysis.
- Click Run Custom Support Script to upload a file from ExtraHop Support that provides small system changes or enhancements.
- Click Upgrade Firmware to upgrade the selected Trace appliance. You can enter a URL to the firmware on the Customer Portal website or upload the firmware file from your computer. With either option, we strongly recommend you read the firmware release notes and the firmware upgrade guide.
- Click Remove Appliance to permanently disconnect the selected Trace appliance. This option only prevents you from performing the administrative tasks on this page from the Command appliance. The Trace appliance remains connected to your Discover appliance and continues to collect packets.
Appendix
Common acronyms
The following common computing and networking protocol acronyms are used in this guide.
| Acronym | Full Name |
|---|---|
| AAA | Authentication, authorization, and accounting |
| AMF | Action Message Format |
| CIFS | Common Internet File System |
| CLI | Command Line Interface |
| CPU | Central Processing Unit |
| DB | Database |
| DHCP | Dynamic Host Configuration Protocol |
| DNS | Domain Name System |
| ERSPAN | Encapsulated Remote Switched Port Analyzer |
| FIX | Financial Information Exchange |
| FTP | File Transfer Protocol |
| HTTP | Hyper Text Transfer Protocol |
| IBMMQ | IBM Message Oriented Middleware |
| ICA | Independent Computing Architecture |
| IP | Internet Protocol |
| iSCSI | Internet Small Computer System Interface |
| L2 | Layer 2 |
| L3 | Layer 3 |
| L7 | Layer 7 |
| LDAP | Lightweight Directory Access Protocol |
| MAC | Media Access Control |
| MIB | Management Information Base |
| NFS | Network File System |
| NVRAM | Non-Volatile Random Access Memory |
| RADIUS | Remote Authentication Dial-In User Service |
| RPC | Remote Procedure Call |
| RPCAP | Remote Packet Capture |
| RSS | Resident Set Size |
| SMPP | Short Message Peer-to-Peer Protocol |
| SMTP | Simple Message Transport Protocol |
| SNMP | Simple Network Management Protocol |
| SPAN | Switched Port Analyzer |
| SSD | Solid-State Drive |
| SSH | Secure Shell |
| SSL | Secure Socket Layer |
| TACACS+ | Terminal Access Controller Access-Control System Plus |
| TCP | Transmission Control Protocol |
| UI | User Interface |
| VLAN | Virtual Local Area Network |
| VM | Virtual Machine |
Configure Cisco NetFlow devices
The following are examples of basic Cisco router configuration for NetFlow. NetFlow is configured on a per-interface basis. When NetFlow is configured on the interface, IP packet flow information will be exported to the Discover appliance.
| Important: | NetFlow takes advantage of the SNMP ifIndex value to represent ingress and egress interface information in flow records. To ensure consistency of interface reporting, enable SNMP ifIndex persistence on devices sending NetFlow to the Discover appliance. For more information on how to enable SNMP ifIndex persistence on your network devices, refer the configuration guide provided by the device manufacturer. |
For more information on configuring NetFlow on Cisco switches, see your Cisco router documentation or the Cisco website at www.cisco.com.
Thank you for your feedback. Can we contact you to ask follow up questions?