ExtraHop Explore Admin UI Guide

Introduction to the ExtraHop Explore Admin UI

The ExtraHop Trace Admin UI Guide provides detailed information about the administrator features and functionality of the ExtraHop Trace appliance. The ExtraHop Explore Admin UI Guide provides detailed information about the administrator features and functionality for the Explore appliance.

In addition, this guide provides an overview of the global navigation and information about the controls, fields, and options available throughout the Explore Admin UI.

After you have deployed your Explore appliance, see the Explore Post-deployment Checklist.

We value your feedback. Please let us know how we can improve this document. Send your comments or suggestions to documentation@extrahop.com.

Supported Browsers

The following browsers are compatible with all ExtraHop appliances. We recommend that you install the latest version of the browser.

  • Firefox
  • Google Chrome
  • Internet Explorer 11
  • Safari

You must allow cookies and ensure that Adobe Flash Player is installed and enabled. Visit the Adobe website to confirm that Flash Player is installed and up-to-date.

Status and Diagnostics

The Status and Diagnostics page displays metrics and logging data about the current state of the Explore appliance and enables system administrators to view the overall system health.

Health
Provides metrics to view the operating efficiency of the Explore appliance.
Audit Log
Enables you to view event logging data and to change syslog settings
Fingerprint
Provides the unique hardware fingerprint for the Explore appliance.
Support Scripts
Enables you to upload and run support scripts.
Explore Cluster Status
Provides status information about the cluster, including indices.

Health

The Health page provides a collection of metrics that enable you check the operation of the Explore appliance. If issues occur with the Explore appliance, the metrics on the Health page help you to troubleshoot the problem and determine why the appliance is not performing as expected.

Help on this page

The metrics on this page can help you troubleshoot problems and determine why the ExtraHop appliance is not performing as expected.

System
Reports the following information about the system CPU usage and disk drives.
CPU User
Specifies the percentage of CPU usage associated with the Explore appliance user
CPU System
Specifies the percentage of CPU usage associated with the Explore appliance.
CPU Idle
Identifies the CPU idle percentage associated with the Explore appliance.
CPU IO
Specifies the percentage of CPU usage associated with the Explore appliance IO functions.
Service Status
Reports the status of Explore appliance system services
exadmin
Specifies the amount of time the Explore appliance web portal service has been running.
exconfig
Specifies the amount of time the Explore appliance config service has been running
exreceiver
Specifies the amount of time the Explore appliance receiver service has been running.
exsearch
Specifies that amount of time that the Explore appliance search service has been running.
Interfaces
Reports the status of Explore appliance network interfaces.
RX packets
Specifies the number of packets received by the Explore appliance on the specified interface.
RX Errors
Specifies the number of received packet errors on the specified interface.
RX Drops
Specifies the number of received packets dropped on the specified interface.
TX Packets
Specifies the number of packets transmitted by the Explore appliance on the specified interface.
TX Errors
Specifies the number of transmitted packet errors on the specified interface.
TX Drops
Specifies the number of transmitted packets dropped on the specified interface.
RX Bytes
Specifies the number of bytes received by the Explore appliance on the specified interface.
TX Bytes
Specifies the number of bytes transmitted by the Explore appliance on the specified interface.
Partitions
Reports the status and usage of Explore appliance components. The configuration settings for these components are stored on disk and retained even when the power to the appliance is turned off.
Name
Specifies the Explore appliance settings that are stored on disk.
Options
Specifies the read-write options for the settings stored on disk.
Size
Specifies the size in gigabytes for the identified component.
Utilization
Specifies the amount of memory usage for each of the components as a quantity and as percentage of total disk space.
Record Sources
Displays metrics about the records that are sent from the Discover appliance to the Explore cluster.
Source EDA
Displays the name of the Explore appliance that is sending records to the Explore cluster.
Last Update
Displays the timestamp when record collection began. The value is reset automatically every 24 hours or whenever the Explore appliance is restarted.
RX Bytes
Displays the number of compressed record bytes received from the Discover appliance.
Record Bytes
Displays the number of bytes received from the Discover appliance.
Record Bytes Saved
Displays the number of bytes successfully saved to the Explore appliance.
Records Saved
Displays the number of records successfully saved to the Explore appliance.
Record Errors
Displays the number of individual record transfers that resulted in an error. This value indicates the number of records that did not transfer successfully from the exreceiver process.
TXN Errors
Displays the number of bulk record transactions that resulted in an error. Errors in this field might indicate missing records.
TXN Drops
Displays the number of bulk records transactions that did not complete successfully. All records in the transaction are missing.

Audit Log

The audit log provides data about the operations of your ExtraHop appliance, broken down by component. The audit log lists all known events by timestamp, in reverse chronological order.

Help on this page

Fingerprint

Fingerprints help secure appliances from man-in-the-middle attacks by providing a unique identifier that can be verified when connecting ExtraHop appliances.

Help on this page

When connecting an Explore or Trace appliance with a Discover or Command appliance, make sure that the fingerprint displayed is exactly the same as the fingerprint shown on the join or pairing page.

If the fingerprints do not match, communications between the devices might have been intercepted and altered.

Support Scripts

Support scripts are a way of collecting information about your ExtraHop system, and also a way to let ExtraHop support make adjustments to your system as part of a troubleshooting procedure.

Help on this page

Run the default support script

The default support script gathers information about the state of the ExtraHop system for analysis by ExtraHop Support.

  1. Log into the Admin UI on your ExtraHop appliance.
  2. In the Status and Diagnostics section, click Support Scripts.
  3. Click Run Default Support Script.
  4. Click Run.
    When the script completes, the Support Script Results page appears.
  5. Click the name of the diagnostic support package that you want to download. The file saves to the default download location on your computer.
    Send this file, typically named diag-results-complete.expk, to ExtraHop support.

    The .expk file is encrypted and the contents are only viewable by ExtraHop Support. However, you can download the diag-results-complete.manifest file to view a list of the files collected.

Run a custom support script

If you receive a custom support script from ExtraHop Support complete the following procedure to make a small adjustment to the system or apply enhanced settings.

  1. Log into the Admin UI on your ExtraHop appliance.
  2. In the Status and Diagnostics section, click Support Scripts.
  3. Click Run Custom Support Script.
  4. Click Choose File, navigate to the diagnostic support script you want to upload, and then click Open.
  5. Click Upload to run the file on the ExtraHop appliance.
    ExtraHop Support will confirm that the support script achieved the desired results.

Explore Cluster Status

The Explore Cluster Status page provides details about the health of the Explore appliance.

Help on this page

The metrics on this page can help you troubleshoot problems and determine why the Explore cluster is not performing as expected. In addition, you can delete a set of records by date from this page.

Cluster
Status
The following status names can appear:
Ready
The node is available to join an Explore cluster.
Green
All data is replicated across the cluster.
Yellow
The primary shard is allocated but replica shards are not.
Red
One or more shards from the index are missing.
Note:If the status never returns to a yellow or green state, you might have to restore the cluster. For more information, see Restore the cluster state
Indices
Date (UTC)
Displays the date the index was created.
ID
Displays the ID of the index. An ID other than 0 means that an index with the same date, but from a different source exists on the cluster.
Source
Displays the hostname or IP address of the Discover appliance where the record data originated.
Records
Displays the total number of records sent to the Explore appliance.
Size
Displays the size of the index.
Status
Displays the replication status of data on the cluster.
Shards
Displays the number of shards in the index.
Unassigned Shards
Displays the number of shards that have not been assigned to a node. Unassigned shards are typically replica shards that need to be kept on a different node than the node with the corresponding primary shard, but there are not enough nodes in the cluster. For example, a cluster with just one member will not have a place to store the replica shards, so with the default replication level of 1, the index will always have unassigned shards and have a yellow status.
Relocating Shards
Displays the number of shards that are moving from one node to another. Relocating shards typically occurs when an Explore node in the cluster fails.

Delete records

In certain circumstances, such as moving an Explore cluster from one network to another, you might want to delete records from the cluster.

You can delete records by index. An index is a collection of records that were created on the same day. Indexes are named according to the following pattern:

<node-id>-<date>-<index-id>

For example, an index dated 2016-5-16 indicates that the related records were created on May 16, 2016 (dates are specified in UTC). You can delete all data for a given day or span of days; for example, you might want to delete record content that you know contains sensitive information.

  1. In the Status section, click Cluster Status.
  2. Below the Indices section, select the checkbox for each index that you want to delete.
    The Source column displays the name of the Discover appliance that collected the data.
  3. Click Delete Selected.
  4. Click OK.

Restore the cluster state

In rares instances, the Explore cluster might not recover from a Red status, as seen in the Status section on the Explore Cluster Status page. When this state occurs, it is possible to restore the cluster to a Green state.

When you restore the cluster state, the Explore cluster is updated with the latest stored information about the Explore nodes in the cluster and all other connected Discover and Command appliances.

Important:If you have recently restarted your Explore cluster, it might take an hour before the cluster status Green appears, and restoring the cluster might not be necessary. If you are unsure whether you should restore the cluster state, contact ExtraHop Support.
  1. In the Explore Cluster Settings section, click Restore Cluster State.
  2. On the Restore Cluster State page, click Restore Cluster State.
  3. Click Restore Cluster to confirm.

Network Settings

The Network Settings section includes the following configurable network connectivity settings.

Connectivity
Configure network connections.
SSL Certificate
Generate and upload a self-signed certificate.
Notifications
Set up alert notifications through email and SNMP traps.

The Explore appliance has four 10/100/1000baseT network ports and two 10GbE SFP+ network ports. By default, the Gb1 port is configured as the management port and requires an IP address. The Gb2, Gb3 and Gb4 ports are disabled and not configurable.

You can configure either of the 10GbE networks ports as the management port, but you can only have one management port enabled at a time.

Before you begin configuring the network settings on an Explore appliance, verify that a network patch cable connects the Gb1 port on the Explore appliance to the management network. For more information about installing an Explore appliance, refer to the Explore appliance deployment guide or contact ExtraHop Support for assistance.

For specifications, installation guides, and more information about your appliance, refer to docs.extrahop.com.

Atlas Services

Atlas Services provide ExtraHop customers with a remote analysis report that is delivered monthly. The report contains specific recommendations for critical components across the application delivery chain.

Help on this page

Connect to Atlas services

If you have signed up for the Atlas service, you will receive monthly customized reports about your ExtraHop data. This guide shows you how to connect to the service and how to troubleshoot common connectivity issues.

Before you begin

You establish a connection to the Atlas server from the Admin UI of your ExtraHop Discover, Explore, or Trace appliance. If you have a firewall or proxy, you must first open access through those servers.
Important:The procedures in this guide require access to the appliance Admin UI and require that you modify the Running Config file. You can view and modify the code in the Running Config file, which specifies the default system configuration and saves changes to the current running configuration so the modified settings are enabled after a system restart. For more information, see the Running Config section of the ExtraHop Admin UI Guide.
Configure your firewall rules

Before you can connect to the Atlas server, you must allow access to the Atlas public IP server through any firewalls. If you do not have a firewall, you can skip this section.

Make sure that your environment meets the following conditions:
  • The ability to complete a DNS lookup of *.a.extrahop.com
  • The ability to connect to the Atlas server through HTTPS (port 443)

ExtraHop Networks can change the Atlas server IP address at any time, but you can identify the current IP address by selecting from one of the following options:

When connecting from EMEA, run the following command:

ping atlas-eu.a.extrahop.com
When connecting from all other locations, run the following command:
ping example.a.extrahop.com
Connect to Atlas through a proxy

If you want to connect to Atlas services through a proxy, configure the proxy settings in the ExtraHop Admin UI. If you do not have a proxy, you can skip this section.

  1. In the Network Settings section, click Connectivity.
  2. Click Enable ExtraHop Cloud Proxy. Click Change ExtraHop Cloud Proxy to modify an existing configuration.
  3. Click Enable ExtraHop Cloud Proxy.
  4. Type the hostname or IP address for your proxy server.
  5. Type the port number for your proxy server, such as 8080.
  6. Optional: If required, type a username and password for your proxy server.
  7. Click Save.
Bypass certificate validation

Some environments are configured so that encrypted traffic cannot leave the network without inspection by a third-party device. This device can act as an SSL/TLS endpoint, which decrypts and re-encrypts the traffic before sending the packets to the Atlas server. If your environment is not set up for inspection by third-party devices, you can skip this section.

The ExtraHop appliance cannot connect to the Atlas server if certificate validation has failed. To bypass certificate validation and connect to the Atlas server, you must modify the Running Config file.

  1. Log into the Admin UI of the ExtraHop appliance you want to connect to Atlas services.
  2. In the Appliance Settings section, click Running Config.
  3. Click Edit config.
  4. Add the entry to the Running Config file by completing the following steps:
    1. Add a comma after the second to last curly brace (}).
    2. Press ENTER to create a new line.
    3. Paste "ecm": { "atlas_verify_cert": false } on the new line before the final curly brace (}).
  5. Click Update.
  6. Click View and Save Changes.
  7. Review the changes and click Save.
  8. Click Done.
Establish a connection

After you have configured any optional firewall or proxy settings, complete the following steps to establish a connection to the Atlas server.

  1. Log into the Admin UI on the ExtraHop Discover, Explore, or Trace appliance.
  2. In the Network Settings section, click Atlas Services.
  3. If you have not already changed the default password for the setup and shell users, you will see a message prompting you to change the password. Change the default password and then proceed to the next step.
  4. On the Connect to Atlas Services page, click Terms and Conditions to read about the service agreement.
    The Atlas subscription services agreement opens in the browser or downloads the file to your computer.
  5. Return to the Connect to Atlas Services page and select the checkbox next to Terms and Conditions.
  6. Click Test Connectivity to make sure the connection is successful. If you have problems connecting to the Atlas service, see the previous sections to determine if you must open access through a firewall or connecting through a proxy.
  7. Click Connect.

Connectivity

The Connectivity page contains controls for your appliance connections and network settings.

Help on this page

Interface Status
On physical appliances, a diagram of interface connections appears, which updates dynamically based on the port status.
  • The blue Ethernet port is for management
  • A black Ethernet port indicates a licensed and enabled port that is currently down
  • A green Ethernet port indicates an active, connected port
  • A gray Ethernet port indicates a disabled or unlicensed port
Network Settings
  • Click Change to add a hostname for your ExtraHop appliance or to add DNS servers.
Proxy Settings
  • Enable a global proxy to connect to an ExtraHop Command appliance
  • Enable a cloud proxy to connect to ExtraHop Cloud Services
Bond Interface Settings
  • Create a bond interface to bond multiple interfaces together into one logical interface with a single IP address.
Interfaces
View and configure your management and monitoring interfaces. Click any interface to display setting options.

Configure an interface

  1. In the Network Settings section, click Connectivity.
  2. In the Interfaces section, click the name of the interface you want to configure.
  3. On the Network Settings for Interface <interface number> page, select one of the following options from the Interface Mode drop-down:
    Option Description
    Disabled The interface is disabled.
    Monitoring Port (receive only) Monitors network traffic. This option is not available for Interface 1.
    Management Port Manages the ExtraHop appliance.
    Management Port + Flow Target Manages the ExtraHop appliance and captures traffic forwarded from a flow network.
    Note:If you enable NetFlow on the EDA 1100 or EDA 1000v, you must disable Interface 2. These appliances cannot process NetFlow and wire data simultaneously.
    Management Port + RPCAP/ERSPAN/VXLAN Target Manages the ExtraHop appliance and captures traffic forwarded from a software tap, ERSPAN*, or VXLAN**.
    High-Performance ERSPAN/VXLAN Target Captures traffic forwarded from ERSPAN* or VXLAN**. This interface mode enables the port to handle more than 1 Gbps. Set this interface mode if the ExtraHop appliance has a 10 GbE port.
    *The ExtraHop system supports the following ERSPAN implementations:
    • ERSPAN Type I
    • ERSPAN Type II
    • ERSPAN Type III
    • Transparent Ethernet Bridging. ERSPAN-like encapsulation commonly found in virtual switch implementations such as the VMware VDS and Open vSwitch.

    **Virtual Extensible LAN (VXLAN) packets are received on UDP port 4789.

    Note:For Amazon Web Services (AWS) deployments with one interface, you must select Management Port + RPCAP/ERSPAN/VXLAN Target for Interface 1. If you are configuring two interfaces, you must select Management Port + RPCAP/ERSPAN/VXLAN Target for Interface 1 and Management Port + RPCAP/ERSPAN/VXLAN Target for Interface 2.
  4. Optional: Select an interface speed. Auto-negotiate is selected by default, however, you should manually select a speed if it is supported on your appliance, network transceiver, and network switch.
    • Auto-negotiate
    • 10 Gbps
    • 25 Gbps
    • 40 Gbps
    • 100 Gbps
    Important:When you change the interface speed to Auto-negotiate, you might need to restart the appliance before the change takes effect.
  5. DHCPv4 is enabled by default. If your network does not support DHCP, you can clear the DHCPv4 checkbox to disable DHCP and then type a static IP address, netmask, and gateway.
  6. Optional: Enable IPv6.
    For more information about configuring IPv6, see Enable IPv6 for an interface.
  7. Optional: Manually add routes.
    For more information about configuring static routes, see Set a static route.
  8. Click Save.
Interface throughput

ExtraHop appliance models EH5000, EH6000, EDA 6100, EH8000, EDA 8100 and EDA 9100 are optimized to capture traffic exclusively on 10 GbE ports.

Enabling the 1 GbE interfaces for monitoring traffic can impact performance, depending on the ExtraHop appliance. While you can optimize these appliances to capture traffic simultaneously on both the 10 GbE ports and the three non-management 1 GbE ports, we recommend that you contact ExtraHop Support for assistance to avoid reduced throughput.

ExtraHop Appliance Throughput Details
EDA 9100 Standard 40Gbps throughput If the non-management 1GbE interfaces are disabled, you can use up to four of the 10GbE interfaces for a combined throughput of up to 40Gbps.
EDA 8000/8100 Standard 20Gbps throughput If the non-management 1GbE interfaces are disabled, you can use either one or both of the 10GbE interfaces for a combined throughput of up to 20Gbps.
EDA 5000/6000/6100 Standard 10Gbps throughput If the non-management 1GbE interfaces are disabled, the maximum total combined throughput is 10Gbps.
EDA 3100 Standard 3Gbps throughput No 10GbE interface
EDA 1100 Standard 1Gbps throughput No 10GbE interface
Set a static route

Before you begin

You must disable DHCPv4 before you can add a static route.
  1. On the Edit Interface page, ensure that the IPv4 Address and Netmask fields are complete and saved, and click Edit Routes.
  2. In the Add Route section, type a network address range in CIDR notation in the Network field and IPv4 address in the Via IP field and then click Add.
  3. Repeat the previous step for each route you want to add.
  4. Click Save.
Enable IPv6 for an interface
  1. In the Network Settings section, click Connectivity.
  2. In the Interfaces section, click the name of the interface you want to configure.
  3. On the Network Settings for Interface <interface number> page, select Enable IPv6.
    IPv6 configuration options appear below Enable IPv6.
  4. Optional: Configure IPv6 addresses for the interface.
    • To automatically assign IPv6 addresses through DHCPv6, select Enable DHCPv6.
      Note:If enabled, DHCPv6 will be used to configure DNS settings.
    • To automatically assign IPv6 addresses through stateless address autoconfiguration, select one of the following options from the Stateless Address Autoconfiguration list:
      Use MAC address
      Configures the appliance to automatically assign IPv6 addresses based on the MAC address of the appliance.
      Use stable private address
      Configures the appliance to automatically assign private IPv6 addresses that are not based on hardware addresses. This method is described in RFC 7217.
    • To manually assign one or more static IPv6 addresses, type the addresses in the Static IPv6 Addresses field.
  5. To enable the appliance to configure Recursive DNS Server (RDNSS) and DNS Search List (DNSSL) information according to router advertisements, select RDNSS/DNSSL.
  6. Click Save.

Global proxy server

If your network topology requires a proxy server to enable your ExtraHop appliance to communicate either with a Command appliance or with other devices outside of the local network, you can enable your ExtraHop appliance to connect to a proxy server you already have on your network. Internet connectivity is not required for the global proxy server.

Note:Only one global proxy server can be configured per ExtraHop appliance.

Complete the following fields and click Save to enable a global proxy.

Hostname: The hostname or IP address for your global proxy server.

Port: The port number for your global proxy server.

Username: The name of a user that has for access to your global proxy server.

Password: The password for the user specified above.

ExtraHop Cloud proxy

If your ExtraHop appliance does not have a direct internet connection, you can connect to the internet through a proxy server specifically designated for ExtraHop Cloud services and Atlas connectivity. Only one proxy can be configured per ExtraHop appliance.

Note:If no cloud proxy server is enabled, the ExtraHop appliance will attempt to connect through the global proxy. If no global proxy is enabled, the ExtraHop appliance will connect through an HTTP proxy to enable the services.

Complete the following fields and click Save to enable a cloud proxy.

Hostname: The hostname or IP address for your cloud proxy server.

Port: The port number for your cloud proxy server.

Username: The name of a user that has for access to your cloud proxy server.

Password: The password for the user specified above.

Bond interfaces

You can bond multiple 1GbE interfaces on your ExtraHop appliance together into a single logical interface that has one IP address for the combined bandwidth of the member interfaces. Bonding interfaces enable a larger throughput with a single IP address. This configuration is also known as link aggregation, port channeling, link bundling, Ethernet/network/NIC bonding, or NIC teaming. Only 1GbE interfaces are supported for bond interfaces. Bond interfaces cannot be set to monitoring mode.

Note:When you modify bond interface settings, you lose connectivity to your ExtraHop appliance. You must make changes to your network switch configuration to restore connectivity. The changes required are dependent on your switch. Contact ExtraHop Support for assistance before you create a bond interface.
Help on this page

Interfaces chosen as members of a bond interface are no longer independently configurable and are shown as Disabled (bond member) in the Interfaces section of the Connectivity page. After a bond interface is created, you cannot add more members or delete existing members. The bond interface must be destroyed and recreated.

Create a bond interface

You can create a bond interface with at least one interface member and up to the number of members that are equivalent to the number of 1GbE interfaces on your ExtraHop appliance.

  1. Click Create Bond Interface.
  2. Configure the following options:

    Members: Select the checkbox next to each interface you want to include in the bonding. Only 1GbE ports that are currently available for bond membership appear.

    Take Settings From: Select the interface that has the settings you want to apply to the bond interface. Settings for all non-selected interfaces will be lost.

    Bond Type: Specify whether to create a static bond or a dynamic bond through IEEE 802.3ad Link Aggregation (LACP).

    Hash Policy: Specify the hash policy. The Layer 3+4 policy balances the distribution of traffic more evenly across interfaces; however, this policy is not fully compliant with 802.3ad standards. The Layer 2+3 policy balances traffic less evenly and is compliant with 802.3ad standards.

  3. Click Create.
Refresh the page to display the Bond Interfaces section. Any bond interface member whose settings were not selected in the Take Settings From drop-down menu are shown as Disabled (bond member) in the Interfaces section.
Modify bond interface settings

After a bond interface is created, you can modify most settings as if the bond interface is a single interface.

  1. In the Network Settings section, click Connectivity.
  2. In the Bond Interfaces section, click the bond interface you want to modify.
  3. On the Network Settings for Bond Interface <interface number> page, modify the following settings as needed:

    Members: The interface members of the bond interface. Members cannot be changed after a bond interface is created. If you need to change the members, you must destroy and recreate the bond interface.

    Bond Mode: Specify whether to create a static bond or a dynamic bond through IEEE 802.3ad Link Aggregation (LACP).

    Interface Mode: The mode of the bond membership. A bond interface can be Management or Management+RPCAP/ERSPAN Target only.

    Enable DHCPv4: If DHCP is enabled, an IP address for the bond interface is automatically obtained.

    Hash Policy: Specify the hash policy. The Layer 3+4 policy balances the distribution of traffic more evenly across interfaces; however, it is not fully compliant with 802.3ad standards. The Layer 2+3 policy balances traffic less evenly; however, it is compliant with 802.3ad standards.

    IPv4 Address: The static IP address of the bond interface. This setting is unavailable if DHCP is enabled.

    Netmask: The network netmask for the bond interface.

    Gateway: The IP address of the network gateway.

    Routes: The static routes for the bond interface. This setting is unavailable if DHCP is enabled.

  4. Click Save.
Destroy a bond interface

When a bond interface is destroyed, the separate interface members of the bond interface return to independent interface functionality. One member interface is selected to retain the interface settings for the bond interface and all other member interfaces are disabled. If no member interface is selected to retain the settings, the settings are lost and all member interfaces are disabled.

  1. In the Network Settings section, click Connectivity.
  2. In the Bond Interfaces section, click the red X next to the interface you want to destroy.
  3. On the Destroy Bond Interface <interface number> page, select the member interface to move the bond interface settings to. Only the member interface selected to retain the bond interface settings remains active, and all other member interfaces are disabled.
  4. Click Destroy.

Notifications

The ExtraHop appliance can send notifications about configured alerts through email, SNMP traps, and syslog exports to remote servers. If an email notification group is specified, then emails are sent to the groups assigned to the alert.

Help on this page

Configure email settings for notifications

You must configure an email server and sender before the ExtraHop appliance can send notifications about system alerts by email or send scheduled reports from a Command appliance.

  1. Log into the Admin UI on the ExtraHop appliance.
  2. In the Network Settings section, click Notifications.
  3. Click Email Server and Sender.
  4. In the SMTP Server field, type the IP address or hostname for the outgoing SMTP mail server. The SMTP server should be the fully qualified domain name (FQDN) or IP address of an outgoing mail server that is accessible from the ExtraHop management network. If the DNS server is set, then the SMTP server can be a FQDN, otherwise you must type an IP address.
  5. In the SMTP Port field, type the port number for SMTP communication. Port 25 is the default value for SMTP and port 465 is the default value for SSL/TLS encrypted SMTP.
  6. Select one of the following encryption methods from the Encryption drop-down list:
    • None. SMTP communication is not encrypted.
    • SSL/TLS. SMTP communication is encrypted through the Secure Socket Layer/Transport Layer Security protocol.
    • STARTTLS. SMTP communication is encrypted through STARTTLS.
  7. In the Alert Sender Address field, type the email address for the notification sender.
    Note:The displayed sender address might be changed by the SMTP server. When sending through a Google SMTP server, for example, the sender email is changed to the username supplied for authentication, instead of the originally entered sender address.
  8. Optional: Select the Validate SSL Certificates checkbox to enable certificate validation. If you select this option, the certificate on the remote endpoint is validated against the root certificate chains specified by the trusted certificates manager. Note that the host name specified in the certificate presented by the SMTP server must match the hostname specified in your SMTP configuration or validation will fail. In addition, you must configure which certificates you want to trust on the Trusted Certificates page. For more information, see Add a trusted certificate to your ExtraHop appliance
  9. In the Report Sender Address field, type the email address responsible for sending the message. This field is only applicable when sending scheduled reports from an ExtraHop Command appliance.
  10. Select the Enable SMTP authentication checkbox and then type the SMTP server setup credentials in the Username and Password fields.
  11. Optional: Click Test Settings, type your email address, and then click Send. You should receive an email message with the subject title ExtraHop Test Email.
  12. Click Save.

Next steps

After you confirm that your new settings are working as expected, preserve your configuration changes through system restart and shutdown events by saving the Running Config file.

Add a new notification email address on an Explore or Trace appliance

You can send system storage alerts to individual recipients. Alerts are sent under the following conditions:

  • A physical disk is in a degraded state.
  • A physical disk has an increasing error count.
  • (Explore appliance only) A virtual disk is in a degraded state.
  • (Explore appliance only) A registered Explore node is missing from the cluster. The node might have failed, or it is powered off.
  1. In the Network Settings section, click Notifications.
  2. Under Notifications, click Email Addresses.
  3. In the Email address text box, type the recipient email address.
  4. Click Save.

Configure settings to send notifications to an SNMP manager

The state of the network can be monitored through the Simple Network Management Protocol (SNMP). SNMP collects information by polling devices on the network or SNMP enabled devices send alerts to SNMP management stations. SNMP communities define the group that devices and management stations running SNMP belong to, which specifies where information is sent. The community name identifies the group.

Note:Most organizations have an established system for collecting and displaying SNMP traps in a central location that can be monitored by their operations teams. For example, SNMP traps are sent to an SNMP manager, and the SNMP management console displays them.
  1. In the Network Settings section, click Notifications.
  2. Under Notifications, click SNMP.
  3. On the SNMP Settings page, in the SNMP Monitor field, type the hostname for the SNMP trap receiver. Multiple names can be entered, separated by commas.
  4. In the SNMP Community field, enter the SNMP community name.
  5. In the SNMP Port field, type the SNMP port number for your network that is used by the SNMP agent to respond back to the source port on the SNMP manager.
    The default response port is 162.
  6. Click Test Settings to verify that your SNMP settings are correct. If the settings are correct, you should see an entry in the SNMP log file on the SNMP server similar to the following:
    Connection from UDP: [192.0.2.0]:42164->[ 192.0.2.255]:162

    Where 192.0.2.0 is the IP address of your ExtraHop appliance and 192.0.2.255 is the IP address of the SNMP server.

  7. Click Save.
Download the ExtraHop SNMP MIB

SNMP does not provide a database of information that an SNMP-monitored network reports. SNMP information is defined by third-party management information bases (MIBs) that describe the structure of the collected data.

  1. Go to the Network Settings section and click Notifications.
  2. Under Notifications, click SNMP.
  3. Under SNMP MIB, click the Download ExtraHop SNMP MIB.
    The file is typically saved to the default download location for your browser.

Send system notifications to a remote syslog server

The syslog export option enables you to send alerts from an ExtraHop appliance to any remote system that receives syslog input for long-term archiving and correlation with other sources.

Only one remote syslog server can be configured for each ExtraHop appliance.
  1. Log into the Admin UI on the ExtraHop appliance.
  2. In the Network Settings section, click Notifications.
  3. In the Destination field, type the IP address of the remote syslog server.
  4. From the Protocol drop-down menu, select TCP or UDP. This option specifies the protocol over which the information will be sent to your remote syslog server.
  5. In the Port field, type the port number for your remote syslog server. By default, this value is set to 514.
  6. Click Test Settings to verify that your syslog settings are correct. If the settings are correct, you should see an entry in the syslog log file on the syslog server similar to the following:
    Jul 27 21:54:56 extrahop name="ExtraHop Test" event_id=1
  7. Click Save.

Next steps

After you confirm that your new settings are working as expected, preserve your configuration changes through system restart and shutdown events by saving the Running Config file.

SSL Certificate

SSL provides secure authentication to the Admin UI of the ExtraHop appliance. To enable SSL, a SSL certificate must be uploaded to the appliance.

You can designate a self-signed certificate for authentication instead of a certificate signed by a Certificate Authority. However, be aware that a self-signed certificate generates an error in the client browser, which reports that the signing certificate authority is unknown. The browser provides a set of confirmation pages to trust the certificate, even though the certificate is self-signed. We recommend that you create a certificate signing request from your ExtraHop appliance and upload the signed certificate instead.

Important:When replacing an SSL certificate, the web server service is restarted. On a Command appliance, tunneled connections from Discover appliances are lost but are re-established automatically.

Upload an SSL certificate

You must upload a .pem file that includes both a private key and either a self-signed certificate or a certificate-authority certificate.

Note:The .pem file must not be password protected.
  1. In the Network Settings section, click SSL Certificate.
  2. Click Manage certificates to expand the section.
  3. Click Choose File and navigate to the certificate that you want to upload.
  4. Click Open.
  5. Click Upload.

Generate a self-signed certificate

  1. In the Network Settings section, click SSL Certificate.
  2. Click Manage certificates to expand the section.
  3. Click Build SSL self-signed certificate based on hostname.
  4. On the Generate Certificate page, click OK to generate the SSL self-signed certificate.
    Note:The default hostname is extrahop.

Create a certificate signing request from your ExtraHop appliance

A certificate signing request (CSR) is a block of encoded text that is given to your Certificate Authority (CA) when you apply for an SSL certificate. The CSR is generated on the ExtraHop appliance where the SSL certificate will be installed and contains information that will be included in the certificate such as the common name (domain name), organization, locality, and country. The CSR also contains the public key that will be included in the certificate. The CSR is created with the private key from the ExtraHop appliance, making a key pair.

  1. Log into the Admin UI on your ExtraHop appliance.
  2. In the Network Settings section, click SSL Certificate.
  3. Click Manage certificates and then click Export a Certificate Signing Request (CSR).
  4. In the Subject Alternative Names section, type the DNS name of the ExtraHop appliance. You can add multiple DNS names and IP addresses to be protected by a single SSL Certificate.
  5. In the Subject section, complete the following fields. Only the Common Name field is required.
    Field Description Examples
    Common Name The fully qualified domain name (FQDN) of the ExtraHop appliance. The FQDN must match one of the Subject Alternative Names. *.example.com

    discover.example.com

    E-mail Address The email address of the primary contact for your organization. webmaster@example.com
    Organizational Unit The division of your organization handling the certificate. IT Department
    Organization The legal name of your organization. This entry should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. Example, Inc.
    Locality/City The city where your organization is located. Seattle
    State/Province The state or province where your organization is located. This entry should not be abbreviated. Washington
    Country Code The two-letter ISO code for the country where your organization is located. US
  6. Click Export. The CSR file is automatically downloaded to your computer.

Next steps

Send the CSR file to your certificate authority (CA) to have the CSR signed. When you receive the SSL certificate from the CA, return to the SSL Certificate page in the Admin UI and upload the certificate to the ExtraHop system.

Trusted Certificates

Trusted certificates enable you to validate SMTP and LDAP connections from your ExtraHop appliance.

Help on this page

Add a trusted certificate to your ExtraHop appliance

Your ExtraHop appliance only trusts peers who present a Transport Layer Security (TLS) certificate that is signed by one of the built-in system certificates and any certificates that you upload. Only SMTP and LDAP connections are validated through these certificates.

Before you begin

You must log in as a user with unlimited privileges to add or remove trusted certificates.
When uploading a custom trusted certificate, a valid trust path must exist from the uploaded certificate to a trusted self-signed root in order for the certificate to be fully trusted. This can be achieved by either uploading the entire certificate chain for each trusted certificate or, preferably, by ensuring that each certificate in the chain has been uploaded to the trusted certificates system.
Important: To trust the built-in system certificates and any uploaded certificates, you must also enable SSL certificate validation on the LDAP Settings page or Email Settings page.
  1. Log into the Admin UI on the ExtraHop appliance.
  2. In the Network Settings section, click Trusted Certificates.
  3. Optional: The ExtraHop appliance ships with a set of built-in certificates. Select Trust System Certificates if you want to trust these certificates, and then click Save.
  4. To add your own certificate, click Add Certificate and then paste the contents of the PEM-encoded certificate chain into the Certificate field
  5. Type a name into the Name field and click Add.

Next steps

Configure LDAP and SMTP settings to validate outbound connections with the trusted certificates.

Access Settings

In the Access Settings section, you can change passwords, enable the support account, and specify users in the ExtraHop appliances for remote authentication.

Password

Users with administrative privileges to the Admin UI can change the password for any user that has an account stored locally in the appliance.

Help on this page

  • Select any user and change their password
    • You can only change passwords for local users, not for users authenticated with LDAP or other remote authentication servers.
    • The default password for Amazon Web Services (AWS) users is the string of numbers after the -i in the instance ID.

For more information about privileges for specific Admin UI users and groups, see the Users section.

Change the default password for the setup user

It is recommended that you change the default password for the setup user on the ExtraHop appliance after you log in for the first time. To remind administrators to make this change, there is a blue Change Password button at the top of the page while the setup user is accessing the Admin UI. After the setup user password is changed, the button at the top of the page no longer appears.

Note:The password must be a minimum of 5 characters.
  1. In the Admin UI, click the blue Change default password button.
    The Password page displays without the drop-down menu for accounts. The password will change for the setup user only.
  2. Type the default password in the Old password field.
  3. Type the new password in the New password field.
  4. Retype the new password in the Confirm password field.
  5. Click Save.

Support Account

Support accounts provide access for the ExtraHop Support team to help customers troubleshoot issues with the ExtraHop appliance. For the Discover appliance only, the Atlas Remote UI Account also provides remote analysis reports through Atlas Services.

These settings should be enabled only if the ExtraHop system administrator requests hands-on assistance from the ExtraHop Support team or if your organization is subscribed to Atlas Services.

Help on this page

Enable the Support account

  1. In the Access Settings section, click Support Account.
  2. Click Support Account.
    Note:On Command, Explore, and Trace appliances, this step is unnecessary.
  3. Click Enable Support Account.
  4. Copy the encrypted key from the text box and email the key to support@extrahop.com.
  5. Click Done.

Regenerate the Support account key

  1. In the Access Settings section, click Support Account.
  2. Click Support Account.
    Note:On Command, Explore, and Trace appliances, this step is unnecessary.
  3. Click Regenerate Key.
  4. Click Regenerate.
  5. Copy the encrypted key from the text box and email the key to support@extrahop.com.
  6. Click Done.

Enable the Atlas Remote UI account

The Atlas Remote UI account enables the ExtraHop Support team to provide remote analysis reports through Atlas Services (Discover appliance only).

  1. In the Access Settings section, click Support Account.
  2. Click Atlas Remote UI Account.
  3. Click Enable Atlas Remote UI Account.
  4. Copy the encrypted key from the text box and email the key to support@extrahop.com.
  5. Click Done.

Users

The Users page enables you to control local access to the ExtraHop appliance.

Help on this page

Add a local user account

By adding a local user account, you can provide users with direct access to your ExtraHop appliances and restrict their access as needed by their role in your organization.

To learn about default system user accounts, see Local users.
  1. Log into the Admin UI on the ExtraHop appliance.
  2. In the Access Settings section, click Users.
  3. Click Add User.
  4. In the Personal Information section, type the following information:

    Login ID: The username that users will log into their ExtraHop appliances with, which cannot contain any spaces. For example, adalovelace.

    Full Name: A display name for the user, which can contain spaces. For example, Ada Lovelace.

    Password: The password for this account, which must be a minimum of 5 characters.

    Confirm Password: Re-type the password from the Password field.

  5. In the User Type section, select the type of privileges for the user.
    • Unlimited privileges enables full read and write access to the Web and Admin UIs.
    • Limited privileges enable you to select from a subset of privileges and options.
    Note:For more information, see the User privileges section.
  6. Click Save.
Tip:
  • To modify settings for a user, click the username from the list to bring up the Edit user page.
  • To delete a user account, click the red X icon. If you delete a user from a remote authentication server, such as LDAP, you must also delete the entry for that user on the ExtraHop appliance.

Users and user groups

Users can access the ExtraHop appliance in three ways: through a set of pre-configured user accounts, through local user accounts configured on the appliance, or through remote user accounts configured on existing authentication servers, such as LDAP, Radius, and TACACS+.

If you are providing users access from an LDAP server, you can also import and manage the members of an existing user group.

Local users

This topic is about default and local accounts. See Remote Authentication to learn how to configure remote accounts.

The following accounts are configured by default on ExtraHop appliances but do not appear in the list of names on the Users page. These accounts cannot be deleted and you must change the default password upon initial login.
setup
This account provides full system read and write privileges on the Web UI, Admin UI, and Shell, which is the ExtraHop command-line interface (CLI). On physical appliances, the default password for this account is the service tag number on the front of the appliance. On virtual appliances, the default password is default.
shell
The shell account, by default, has access to non-administrative shell commands in the ExtraHop CLI. On physical appliances, the default password for this account is the service tag number on the front of the appliance. On virtual appliances, the default password is default.
Note:The default ExtraHop password for either account when deployed in Amazon Web Services (AWS) is the string of numbers after the -i in the instance ID.
Remote Authentication

ExtraHop appliances supports remote authentication for user authentication. Remote authentication enables organizations that have authentication systems such as LDAP (such as OpenLDAP or Active Directory), RADIUS, or TACACS+ to enable all or a subset of their users to log on to the appliance with their existing credentials.

Centralized authentication provides the following benefits:

  • User password synchronization.
  • Automatic creation of ExtraHop accounts for users without administrator intervention.
  • Management of ExtraHop privileges based on LDAP groups.
  • Administrators can grant access to all known users or restrict access by applying LDAP filters.
User groups

On Discover and Command appliances, the User Groups page provides controls to view, enable, and disable user groups that are imported from a configured LDAP server. User groups allow for easier sharing of dashboards to all members in the group. Only remote user accounts and groups can be members of remote user groups.

Remote user groups are automatically discovered in the distinguished name (DN) specified as part of the remote authentication settings. See the Remote Authentication section about configuring LDAP authentication.

After you enable LDAP user groups through the remote authentication settings, the following user group properties appear in the table:
Group Name
Displays the name of the remote LDAP group. To view the members in the group, click the group name.
Members
Displays the number of users in the group that are associated with a dashboard and that have logged into the ExtraHop Discover or Command appliance.
Associations
Displays the number of dashboards that are shared with the group.
Status
Displays whether the group is enabled or disabled on the appliance. When the status is Disabled, the user group is considered empty when performing membership checks; however, the user group can still be specified when sharing a dashboard.
Last Refresh
Displays the amount of time elapsed since the group membership was refreshed. User groups are refreshed under the following conditions:
  • Once per hour, by default. The refresh interval setting can be modified on the Remote Authentication > LDAP Settings page.
  • An administrator refreshes a group by clicking Refresh All User Groups or Refresh Users in Group, or programmatically through the REST API. You can refresh a group from the User Group page or from within the Member List page.
  • A remote user logs into the ExtraHop Web UI or Admin UI for the first time.
  • A user attempts to load a shared dashboard that they do not have access to.
User privileges

Administrators determine the level of access and functionality users have with the ExtraHop Web and Admin UIs. In addition to setting the privilege level for the user, you can add certain options that can apply to any user privilege level.

For information about user privileges for the REST API, see the REST API Guide.

Privilege Levels

Set the privilege level for your user to determine which areas of the ExtraHop appliance they can access.

  Unlimited Full Write Limited Write Personal Write Full Read-Only Restricted Read-Only
Activity Maps  
Create, view, and load shared activity maps Y Y Y Y Y N
Save activity maps Y Y Y Y N N
Share activity maps Y Y Y N N N
Alerts  
View alert history Y Y Y Y Y N
Create and modify alerts Y Y N N N N
Custom Pages  
Create and modify custom pages Y Y N N N N
Dashboards  
View and organize dashboards Y Y Y Y Y Y
Create and modify dashboards Y Y Y Y N N
Share dashboards Y Y Y N N N
Detections
Note:Detections require a connection to the cloud-based ExtraHop Machine Learning Service.
View detections and provide feedback Y Y Y Y Y N
Analysis Priorities  
View Analysis Priorities page Y Y Y Y Y N
Add and modify analysis levels for groups Y Y N N N N
Add devices to a watchlist Y Y N N N N
Transfer priorities management Y Y N N N N
Device Groups  
Create and modify device groups Y Y N N N N
Metrics  
View metrics Y Y Y Y Y N
Records (Explore appliance)  
View record queries Y Y Y Y Y N
View record formats Y Y Y Y Y N
Create, modify, and save record queries Y Y N N N N
Create, modify, and save record formats Y Y N N N N
Scheduled Reports (Command appliance)  
Create, view, and manage scheduled reports Y Y Y N N N
Triggers  
Create and modify triggers Y Y N N N N
Administrative Privileges  
Access the ExtraHop Admin UI Y N N N N N
Connect to other appliances Y N N N N N
Manage other appliances (Command appliance) Y N N N N N
Privilege Options
The following privilege options can be assigned to users with any privilege level.
  • View and download packets
  • View and download packets and session keys
  • View connected appliances (Command appliance only)

Sessions

The ExtraHop system provides controls to view and delete user connections to the web interface. The Sessions list is sorted by expiration date, which corresponds to the date the sessions were established. If a session expires or is deleted, the user must log in again to access the web interface.

Help on this page

  • View active user connections to the appliance.
  • Click the red X to terminate a user connection.
  • Click Delete All to terminate all user connections

Remote Authentication

ExtraHop appliances supports remote authentication for user authentication. Remote authentication enables organizations that have authentication systems such as LDAP (such as OpenLDAP or Active Directory), RADIUS, or TACACS+ to enable all or a subset of their users to log on to the appliance with their existing credentials.

Centralized authentication provides the following benefits:

  • User password synchronization.
  • Automatic creation of ExtraHop accounts for users without administrator intervention.
  • Management of ExtraHop privileges based on LDAP groups.
  • Administrators can grant access to all known users or restrict access by applying LDAP filters.

Configure remote authentication through LDAP

The ExtraHop system supports the Lightweight Directory Access Protocol (LDAP) for authentication and authorization. Instead of storing user credentials locally, you can configure your ExtraHop appliance to authenticate users remotely with an existing LDAP server. Note that ExtraHop LDAP authentication only queries for user accounts; it does not query for any other entities that might be in the LDAP directory.

Before you begin

  • This procedure requires familiarity with configuring LDAP.
  • Ensure that each user is in a permission-specific group on the LDAP server before beginning this procedure.
  • If you want to configure nested LDAP groups, you must modify the Running Configuration file. Contact ExtraHop Support for help.

When a user attempts to log onto an ExtraHop appliance, the ExtraHop system tries to authenticate the user in the following ways:

  • Attempts to authenticate the user locally.
  • Attempts to authenticate the user through the LDAP server if the user does not exist locally and if the ExtraHop system is configured for remote authentication with LDAP.
  • Logs the user onto the ExtraHop system if the user exists and the password is validated either locally or through LDAP. The LDAP password is not stored locally on the ExtraHop system. Note that you must enter the username and password in the format that your LDAP server is configured for. The ExtraHop appliance only forwards the information to the LDAP server.
  • If the user does not exist or an incorrect password is entered, an error message appears on the login page.
Important:If you change LDAP authentication at a later time to a different remote authentication method, the users, user groups, and associated customizations that were created through remote authentication are removed. Local users are unaffected.
  1. Log into the Admin UI on the ExtraHop appliance.
  2. In the Access Settings section, click Remote Authentication.
  3. From the Remote authentication method drop-down list, select LDAP and then click Continue.
  4. On the LDAP Settings page, complete the following server information fields:
    1. In the Hostname field, type the hostname or IP address of the LDAP server. If you are configuring a hostname, make sure that the DNS entry of the ExtraHop appliance is properly configured.
    2. In the Port field, type the port number on which the LDAP server is listening.
    3. From the Server Type drop-down list, select Posix or Active Directory.
    4. Optional: In the Bind DN field, type the bind DN. The bind DN is the user credentials that allow you to authenticate with the LDAP server to perform the user search. The bind DN must have list access to the base DN and any OU, groups, or user account required for LDAP authentication. If this value is not set, then an anonymous bind is performed. Note that anonymous binds are not enabled on all LDAP servers.
    5. Optional: In the Bind Password field, type the bind password. The bind password is the password required when authenticating with the LDAP server as the bind DN specified above. If you are configuring an anonymous bind, leave this field blank. In some cases, an unauthenticated bind is possible, where you supply a Bind DN value but no bind password. Consult your LDAP administrator for the proper settings.
    6. From the Encryption drop-down list, select one of the following encryption options.

      None: This options specifies cleartext TCP sockets. All passwords are sent across the network in cleartext in this mode.

      LDAPS: This option specifies LDAP wrapped inside SSL.

      StartTLS: This option specifies TLS LDAP. (SSL is negotiated before any passwords are sent.)

    7. Select Validate SSL Certificates to enable certificate validation. If you select this option, the certificate on the remote endpoint is validated against the root certificates as specified by the trusted certificates manager. You must configure which certificates you want to trust on the Trusted Certificates page. For more information, see Add a trusted certificate to your ExtraHop appliance.
    8. Type a time value in the Refresh Interval field or leave the default setting of 1 hour. The refresh interval ensures that any changes made to user or group access on the LDAP server are updated on the ExtraHop appliance.
  5. Configure the following user settings:
    1. Type the base DN in the Base DN field. The Base DN is the point from where a server will search for users. The base DN must contain all user accounts that will have access to the ExtraHop appliance. The users can be direct members of the base DN or nested within an OU within the base DN if the Whole Subtree option is selected for the Search Scope specified below.
    2. Type a search filter in the Search Filter field. Search filters enable you to define search criteria when searching the LDAP directory for user accounts.
      Important:The ExtraHop system automatically adds parentheses to wrap the filter and will not parse this parameter correctly if you add parentheses manually. Add your search filters in this step and in step 5b, similar to the following example:
      cn=atlas*
      |(cn=EH-*)(cn=IT-*)
      In addition, if your group names include the asterisk (*) character, the asterisk must be escaped as \2a. For example, if your group has a CN called test*group, type cn=test\2agroup in the Search Filter field.
    3. From the Search Scope drop-down list, select one of the following options. Search scope specifies the scope of the directory search when looking for user entities.

      Whole subtree: This option looks recursively under the group DN for matching users.

      Single level: This option looks for users that exist in the base DN only; not any subtrees.

  6. To configure user group settings, select the Import user groups from LDAP server checkbox and configure the following settings:
    1. Type the base DN in the Base DN field. The Base DN is the point from where a server will search for user groups. The base DN must contain all user groups that will have access to the ExtraHop appliance. The user groups can be direct members of the base DN or nested within an OU within the base DN if the Whole Subtree option is selected for the Search Scope specified below.
    2. Type a search filter in the Search Filter field. Search filters enable you to define search criteria when searching the LDAP directory for user groups.
      Important:For group search filters, the ExtraHop system implicitly filters on the objectclass=group, and so objectclass=group should not be added to this filter.
    3. From the Search Scope drop-down list, select one of the following options. Search scope specifies the scope of the directory search when looking for user group entities.

      Whole subtree: This option looks recursively under the base DN for matching user groups.

      Single level: This option looks for user groups that exist in the base DN; not any subtrees.

  7. Click Test Settings. If the test succeeds, a status message appears near the bottom of the page. If the test fails, click Show details to see a list of errors. You must resolve any errors before you continue.
  8. Click Save and Continue.
Configure user privileges for remote authentication

You can assign user privileges to individual users on your ExtraHop appliance or configure and manage privileges through your LDAP server.

When assigning user privileges through LDAP, you must complete at least one of the available fields. These fields require groups (not organizational units) that are pre-specified on your LDAP server. A user account with access must be a direct member of a specified group. User accounts that are a member of a group specified above will not have access. Groups that are not present are not authenticated on the ExtraHop appliance.

The ExtraHop appliance supports both Active Directory and Posix group memberships. For Active Directory, memberOf is supported. For Posix, memberuid, posixGroups, groupofNames, and groupofuniqueNames are supported.

Here is some information about the available fields:

Full access DN: Create and modify all objects and settings on the ExtraHop Web UI and Admin UI.

Read-write DN: Create and modify objects on the ExtraHop Web UI.

Limited DN: Create, modify, and share dashboards.

Personal DN: Create personal dashboards and modify dashboards shared with the logged-in user.

Node connection privileges DN: (Visible only on the Command appliance.): View a list of ExtraHop appliances that are connected to this Command appliance.

Full read-only DN: View objects in the ExtraHop Web UI.

Restricted read-only DN: View dashboards shared with the logged-in user.

Packet access full DN: View and download packets captured through the ExtraHop Trace appliance.

Packet and session key access full DN: View and download packets and any associated SSL session keys captured through the ExtraHop Trace appliance.

  1. Choose one of the following options from the Permission assignment options drop-down list:
    • Obtain privileges level from remote server

      This option assigns privileges through your remote authentication server. You must complete at least one distinguished name (DN) field. To enable a user to download packet captures and session keys, configure the Packet access full DN or Packet and session keys access full DN field.

    • Remote users have full write access

      This option allows remote users to have full write access to the ExtraHop Web UI.

    • Remote users have full read-only access

      This option allows remote users to have read-only privileges to the ExtraHop Web UI.

    • Remote users can view connected appliances

      This option, which only appears on the Command appliance, allows remote users to log into the Admin UI on the Command appliance and view any connected Discover, Explore, and Trace appliances.

  2. Select one of the following options to allow remote users to download packet captures and SSL session keys.
    • No access
    • Packets only
    • Packets and session keys
  3. Click Save and Finish.
  4. Click Done.

Configure remote authentication through RADIUS

The ExtraHop appliance supports Remote Authentication Dial In User Service (RADIUS) for remote authentication and local authorization only. For remote authentication, the ExtraHop appliance supports unencrypted RADIUS and plaintext formats.

  1. Log into the Admin UI on the ExtraHop appliance.
  2. In the Access Settings section, click Remote Authentication.
  3. From the Remote authentication method drop-down list, select RADIUS and then click Continue.
  4. On the Add RADIUS Server page, type the following information:
    Host
    The hostname or IP address of the RADIUS server. Make sure that the DNS of the ExtraHop appliance is properly configured if you specify a hostname.
    Secret
    The shared secret between the ExtraHop appliance and the RADIUS server. Contact your RADIUS administrator to obtain the shared secret.
    Timeout
    The amount of time in seconds that the ExtraHop appliance waits for a response from the RADIUS server before attempting the connection again.
  5. Click Add Server.
  6. Optional: Add additional servers as needed.
  7. Click Save and Finish.
  8. From the Permission assignment options drop-down list, choose one of the following options:
    • Remote users have full write access

      This option allows remote users to have full write access to the ExtraHop Web UI.

    • Remote users have full read-only access

      This option allows remote users to have read-only permissions to the ExtraHop Web UI.

      Note:You can add read-write permissions on a per-user basis later through the Users page in the Admin UI.
    • Remote users can view connected appliances

      This option, which only appears on the Command appliance, allows remote users to log into the Admin UI on the Command appliance and view any connected Discover, Explore, and Trace appliances.

  9. Select one of the following options to allow remote users to download packet captures and SSL session keys.
    • No access
    • Packets only
    • Packets and session keys
  10. Click Save and Finish.
  11. Click Done.

Configure remote authentication through TACACS+

The ExtraHop appliance supports Terminal Access Controller Access-Control System Plus (TACACS+) for remote authentication and authorization.

Ensure that each user to be remotely authorized has the ExtraHop service configured on the TACACS+ server before beginning this procedure.
  1. Log into the Admin UI on the ExtraHop appliance.
  2. In the Access Settings section, click Remote Authentication.
  3. From the Remote authentication method drop-down list, select TACACS+, and then click Continue.
  4. On the Add TACACS+ Server page, type the following information:

    Host: The hostname or IP address of the TACACS+ server. Make sure that the DNS of the ExtraHop appliance is properly configured if you are entering a hostname.

    Secret: The shared secret between the ExtraHop appliance and the TACACS+ server. Contact your TACACS+ administrator to obtain the shared secret.

    Timeout: The amount of time in seconds that the ExtraHop appliance waits for a response from the TACACS+ server before attempting to connect again.

  5. Click Add Server.
  6. Optional: Add additional servers as needed.
  7. Click Save and Finish.
  8. From the Permission assignment options drop-down list, choose one of the following options:
    • Obtain privileges level from remote server

      This option allows remote users to obtain privilege levels from the remote server. You must also configure permissions on the TACACS+ server.

    • Remote users have full write access

      This option allows remote users to have full write access to the ExtraHop Web UI.

    • Remote users have full read-only access

      This option allows remote users to have read-only permissions to the ExtraHop Web UI.

      Note:You can add read-write privileges on a per-user basis later through the Users page in the Admin UI.
    • Remote users can view connected appliances

      This option, which only appears on the Command appliance, allows remote users to log into the Admin UI on the Command appliance and view any connected Discover, Explore, and Trace appliances.

  9. Select one of the following options to allow remote users to download packet captures and SSL session keys.
    • No access
    • Packets only
    • Packets and session keys
  10. Click Save and Finish.
  11. Click Done.
Configure the TACACS+ server

In addition to configuring remote authentication on your ExtraHop appliance, you must configure your TACACS+ server with two attributes, one for the ExtraHop service and one for the permission level. If you have a Trace appliance, you can optionally add a third attribute for packet capture and session key logging.

  1. Log into your TACACS+ server and navigate to the shell profile for your ExtraHop configuration.
  2. For the first attribute, add service.
  3. For the first value, add extrahop.
  4. For the second attribute, add the permission level, such as readwrite.
  5. For the second value, add 1.
    For example, the following figure shows the extrahop attribute and a permission level of readwrite.
    Here is a list of available permission attributes, values, and descriptions:
    • setup = 1, which allows the user to create and modify all objects and settings on the ExtraHop Web UI and Admin UI
    • readwrite = 1, which allows the user to create and modify all objects and settings on the ExtraHop Web UI
    • limited = 1, which allows the user to create, modify, and share dashboards
    • readonly = 1, which allows the user to view objects in the ExtraHop Web UI
    • personal = 1, which allows the user to create dashboards for themselves and modify any dashboards that have been shared with them
    • limited_metrics = 1, which allows the user to view shared dashboards
  6. Optional: If you have a Trace appliance, add a third attribute to allow users to download packet captures or packet captures with associated session keys.
    Here is a list of the available packet capture attributes and values:
    • packetsfull = 1, which allows users with any permission level to view and download packets
    • packetsfullwithkeys = 1, which allows users with any permission level to view and download packets and associated session keys stored on the Trace appliance

API Access

The API Access page enables you to generate, view, and manage access for the API keys that are required to perform operations through the ExtraHop REST API.

Help on this page

  • Click the link on the page for the ExtraHop API Explorer to open a web-based tool. The ExtraHop REST API Explorer enables you to try API calls directly on your ExtraHop appliance and also provides information about each resource and samples in cURL, Python 2.7, and Ruby.
  • View whether users can generate API keys and manage API access.
  • Configure cross-origin resource sharing (CORS).
  • Generate an API key.
  • View or delete the API keys that you have generated. If you are a user with unlimited privileges, you can see a list of all of the users who have generated a key on the system or delete another users key; however, only the user is able to see the key.
  • Learn more about the API functionality in the ExtraHop REST API Guide.

Manage API access

Users with unlimited privileges can configure whether users can generate API keys for the ExtraHop system. You can allow only local users to generate keys, or you can also disable API key generation entirely.

Users must generate an API key before they can perform operations through the ExtraHop REST API. Keys can be viewed only by the user who generated the key or system administrators with unlimited privileges. After a user generates an API key, they must append the key to their request headers.
  1. In the Access Settings section, click API Access.
  2. In the Manage Access section, select one of the following options:
    • Allow all users to generate an API key

      Local and remote users can generate API keys.

    • Only local users can generate an API key

      Only users created on the appliance can generate API keys.

    • No users can generate an API key

      API keys cannot be generated. Selecting this option will delete any

  3. Click Save Settings, then click OK, and then click Done.

Enable CORS for the ExtraHop REST API

Cross-origin resource sharing (CORS) allows you to access the ExtraHop REST API across domain-boundaries and from specified web pages without requiring the request to travel through a proxy server.

You can configure one or more allowed origins or you can allow access to the ExtraHop REST API from any origin. Only administrative users with unlimited privileges can view and edit CORS settings.

Configure cross-origin resource sharing (CORS)

Cross-origin resource sharing (CORS) allows you to access the ExtraHop REST API across domain-boundaries and from specified web pages without requiring the request to travel through a proxy server.

You can configure one or more allowed origins or you can allow access to the ExtraHop REST API from any origin. Only administrative users with unlimited privileges can view and edit CORS settings.
  1. In the Access Settings section, click API Access.
  2. In the CORS Settings section, specify one of the following access configurations.
    • To add a specific URL, type an origin URL in the text box, and then click the plus (+) icon or press ENTER.

      The URL must include a scheme, such as HTTP or HTTPS, and the exact domain name. You cannot append a path; however, you can provide a port number.

    • To allow access from any URL, select the Allow API requests from any Origin checkbox.
      Note:Allowing REST API access from any origin is less secure than providing a list of explicit origins.
  3. Click Save Settings and then click Done.
Delete an allowed origin

You can delete a URL from the list of allowed origins or disable access from all origins.

  1. In the Access Settings section, click API Access.
  2. In the CORS Settings section, modify one of the following access configurations.
    • To delete a specific URL, click the delete (X) icon next to the origin you want to delete.
    • To disable access from any URL, clear the Allow API requests from any Origin checkbox.
  3. Click Save Settings.

Generate an API key

You must generate an API key before you can perform operations through the ExtraHop REST API. Keys can be viewed only by the user who generated the key or by system administrators with unlimited privileges. After you generate an API key, add the key to your request headers or the ExtraHop REST API Explorer.

  1. In the Access Settings section, click API Access.
  2. In the API Keys section, enter a description for the key, and then click Generate.

Delete an API key

  1. In the Access Settings section, click API Access.
  2. In the Keys section, click the X next to the API key you want to delete.
  3. Click OK.

API privileges

The following REST API actions are allowed for each user privilege level.

Learn about ExtraHop Users and user groups or add a local user. Privileges can also be configured through remote authentication.
Privilege level Actions allowed
Unlimited privileges
  • Enable or disable API key generation for the ExtraHop appliance.
  • Generate an API key.
  • View the last four digits and description for any API key on the system.
  • Delete API keys for any user.
  • View and edit cross-origin resource sharing.
  • Transfer ownership of any non-system dashboard to another user.
  • Perform any Admin UI task available through the REST API.
  • Perform any Web UI task available through the REST API.
Full write privileges
  • Generate your own API key.
  • View or delete your own API key.
  • Change your own password, but you cannot perform any other Admin UI tasks through the REST API.
  • Perform any Web UI task available through the REST API.
Limited write privileges
  • Generate an API key.
  • View or delete their own API key.
  • Change your own password, but you cannot perform any other Admin UI tasks through the REST API.
  • Perform all GET operations through the REST API.
  • Modify the sharing status of dashboards that you are allowed to edit.
  • Delete dashboards that you own.
  • Perform metric and record queries.
Personal write privileges

Full read-only privileges

  • Generate an API key.
  • View or delete your own API key.
  • Change your own password, but you cannot perform any other Admin UI tasks through the REST API.
  • Perform all GET operations through the REST API.
  • Delete dashboards that you own.
  • Perform metric and record queries.
View and download packets and session keys privileges
  • View and download packets from an ExtraHop Discover appliance through the GET/packetcaptures/{id} operation.

This additional privilege can be granted to a user with full write, limited write, personal write, or read-only privileges.

Appliance Settings

You can configure the following components of the ExtraHop appliance in the Appliance Settings section.

All appliances have the following components:

Running Config
Download and modify the running configuration file.
Firmware
Upgrade the ExtraHop system firmware.
System Time
Configure the system time.
Shutdown or Restart
Halt and restart system services.
License
Update the license to enable add-on modules.
Disks
Provides information about the disks in the appliance.

The following components only appear on the specified appliances:

Services
Enable or disable the Web Shell, management GUI, SNMP service, and SSH access. The Services page appears only on ExtraHop Discover and Command appliances.
Command Nickname
Assign a nickname to the Command appliance. This setting is available only on the Command appliance.
Reset Packetstore
Delete all packets stored on the ExtraHop Trace appliance. The Reset Packetstore page appears only on the Trace appliance.

Running Config

The running configuration file specifies the default system configuration. When you modify system settings, you must save the running configuration file to preserve those modifications after a system restart.

Help on this page

Note:Making configuration changes to the code from the Edit page is not recommended. You can make most system modifications through other pages in the Admin UI.

Save system settings to the running config file

When you modify any of the system configuration settings on an ExtraHop appliance, you must confirm the updates by saving the running config file. If you do not save the settings, those changes are lost when your ExtraHop appliance is restarted.

To remind you that the running configuration has changed, a red asterisk next to the Running Config link on the main Admin UI page appears, as well a View and Save Changes button on all Admin UI pages, as shown in the figure below.

  1. Click View and Save Changes.
  2. Review the comparison between the old running config and the current running config (not yet saved).
  3. If the changes are correct, click Save. Otherwise, click Cancel, and if necessary, revert the changes by clicking Revert config.

Edit the running config

The ExtraHop Admin UI provides an interface to view and modify the code that specifies the default system configuration. In addition to making changes to the running configuration through the settings pages in the Admin UI, changes can also be made on the Running Config page.

Note:Making configuration changes to the code from the Edit page is not recommended. You can make most system modifications through other settings pages in the Admin UI.

Download the running config as a text file

You can download the Running Config settings to your workstation in text file format. You can open this text file and make changes to it locally, before copying those changes into the Running Config window.

  1. Click Running Config.
  2. Click Download config as a File.
The current running configuration is downloaded as a text file to your default download location.

Disable ICMPv6 Destination Unreachable messages

You can prevent ExtraHop appliances from generating ICMPv6 Destination Unreachable messages. You might want to disable ICMPv6 Destination Unreachable messages for security reasons per RFC 4443.

To disable ICMPv6 Destination Unreachable messages, you must edit the Running Configuration. However, we recommend that you do not manually edit the Running Configuration file without direction from ExtraHop Support. Manually editing the running config file incorrectly might cause the appliance to become unavailable or stop collecting data. You can contact ExtraHop Support at support@extrahop.com.

Disable specific ICMPv6 Echo Reply messages

You can prevent ExtraHop appliances from generating Echo Reply messages in response to ICMPv6 Echo Request messages that are sent to an IPv6 multicast or anycast address. You might want to disable these messages to reduce unnecessary network traffic.

To disable specific ICMPv6 Echo Reply messages, you must edit the Running Configuration. However, we recommend that you do not manually edit the Running Configuration file without direction from ExtraHop Support. Manually editing the running config file incorrectly might cause the appliance to become unavailable or stop collecting data. You can contact ExtraHop Support at support@extrahop.com.

Firmware

The Admin UI provides an interface to upload and delete the firmware on ExtraHop appliances. The firmware file must be accessible from the computer where you will perform the upgrade.

Before you begin

Be sure to read the release notes for the firmware version that you want to install. Release notes contain upgrade guidance as well as known issues that might affect critical workflows in your organization.

Help on this page

Upgrade the firmware on your ExtraHop appliance

The following procedure shows you how to upgrade your ExtraHop appliance to the latest firmware release. While the firmware upgrade process is similar across all ExtraHop appliances, some appliances have additional considerations or steps that you must address before you install the firmware in your environment. If you need assistance with your upgrade, contact ExtraHop Support.

Pre-upgrade checklist

Here are some important considerations and requirements about upgrading ExtraHop appliances.

  • If you have multiple types of ExtraHop appliances, you must upgrade them in the following order:
    1. Command appliance
    2. Discover appliances
    3. Explore appliances
    4. Trace appliances
  • If you have a Command appliance, apply the following guidance:
    • For large Command appliance deployments (managing 50,000 devices or more), reserve a minimum of one hour to perform the upgrade.
    • The Command appliance firmware version must be greater than or equal to the firmware version of all connected appliances.
  • If you have Explore appliances, apply the following guidance:
    • You must halt the ingest of records from Command and Discover appliances before upgrading. If you are upgrading from a firmware version prior to 7.4, temporarily remove any connected Explore appliances, or alternatively, disable triggers that commit records and disable the automatic flow records setting.

      If you are upgrading from firmware version 7.4 or later, disable record ingest on the Explore cluster.

      You must re-enable these settings after all nodes in the Explore cluster are upgraded.

    • You must upgrade all Explore nodes in an Explore cluster. The cluster will not function correctly if nodes are on dissimilar firmware versions.

      After each node is upgraded, verify that the status of all cluster indices on the Explore Cluster Status page displays Yellow or Green before upgrading the next node.

      Important:The message Could not determine ingest status on some nodes and Error appear on the Cluster Data Management page in the Admin UI of the upgraded nodes until all nodes in the cluster are upgraded. These errors are expected and can be ignored.
Upgrade the firmware
  1. Download the firmware for the appliance from the ExtraHop Customer Portal to your computer.
  2. Log into the Admin UI on the ExtraHop appliance.
  3. In the Appliance Settings section, click Firmware.
  4. Click Upgrade.
  5. On the Upgrade Firmware page, select one of the following options:
    • To upload firmware from a file, click Choose File, navigate to the .tar file you want to upload, and click Open.
    • To upload firmware from a URL, click retrieve from URL instead and then type the URL in the Firmware URL field.
  6. If you do not want to automatically restart the appliance after the firmware is installed, clear the Automatically restart appliance after installation checkbox.
  7. Click Upgrade.
    The ExtraHop appliance initiates the firmware upgrade. You can monitor the progress of the upgrade with the Updating progress bar. The appliance restarts after the firmware is installed.
  8. If you did not choose to automatically restart the appliance, click Reboot to restart the system.
    After the firmware update is installed successfully, the ExtraHop appliance displays the version number of the new firmware on the Admin UI.
    Note:Your browser might time out after 5 minutes of inactivity. Refresh the browser page if the update appears incomplete.

    If the browser session times out before the ExtraHop appliance is able to complete the update process, you can try the following connectivity tests to confirm the status up the upgrade process:

    • Ping the appliance from the command line of another appliance or client workstation.
    • From the Admin UI on a Command appliance, view the appliance status on the Manage Connected Appliances page.
    • Connect to the appliance through the iDRAC interface.
  9. If you disconnected any Explore appliances from Command and Discover appliances, make sure to reconnect them. If you disabled any triggers, automatic flow records, or disabled record ingest, make sure to re-enable those settings.

System Time

The System Time page displays the current configuration and the status of all configured NTP servers. When capturing data, it is helpful to have the time on the ExtraHop appliance match the local time of the router. The ExtraHop appliance can set time locally or synchronize time with a time server. By default, system time is set locally, but we recommend that you change this setting and set time through a time server.

Help on this page

  • Configure the system time.
  • View information about the appliance settings in the System Time section:
    Time Zone
    Displays the currently selected time zone
    System Time
    Displays the current system time.
    Time Servers
    Displays a comma-separated list of configured time servers.
  • View information for each configured NTP server in the NTP Status table:
    remote
    The host name or IP address of the remote NTP server you have configured to synchronize with.
    st
    The stratum level, 0 through 16.
    t
    The type of connection. This value can be u for unicast or manycast, b for broadcast or multicast, l for local reference clock, s for symmetric peer, A for a manycast server, B for a broadcast server, or M for a multicast server
    .
    when
    The last time when the server was queried for the time. The default value is seconds, or m is displayed for minutes, h for hours, and d for days.
    poll
    How often the server is queried for the time, with a minimum of 16 seconds to a maximum of 36 hours.
    reach
    Value that shows the success and failure rate of communicating with the remote server. Success means the bit is set, failure means the bit is not set. 377 is the highest value.
    delay
    The round trip time (RTT) of the ExtraHop appliance communicating with the remote server, in milliseconds.
    offset
    Indicates how far off the ExtraHop appliance clock is from the reported time the server gave you. The value can be positive or negative, displayed in milliseconds.
    jitter
    Indicates the difference, in milliseconds, between two samples.

Configure the system time

By default, ExtraHop appliances synchronize the system time through the *.extrahop.pool.ntp.org network time protocol (NTP) servers. If your network environment prevents the ExtraHop appliance from communicating with these time servers, you must configure an alternate time server source.

  1. Log into the Admin UI on the ExtraHop appliance.
  2. In the Appliance Settings section, click System Time.
  3. Click Configure Time.
  4. Select your time zone from the drop-down list then click Save and Continue.
  5. On the Time Setup page, select one of the following options:
    • Set time manually
      Note:You cannot manually set the time for Discover appliances that are managed by a Command appliance.
    • Set time with NTP server
  6. Select Set time with NTP server and then click Select.
    The ExtraHop time servers, 0.extrahop.pool.ntp.org, 1.extrahop.pool.ntp.org, 2.extrahop.pool.ntp.org, and 3.extrahop.pool.ntp.org appear in the first four Time Server fields by default.
  7. Type the IP address or fully qualified domain name (FQDN) for the time servers in the Time Server fields. You can have up to nine time servers.
    Tip:After adding the fifth time server, click Add Server to display up to four additional timer server fields.
  8. Click Done.

The NTP Status table displays a list of NTP servers that keep the system clock in sync. To sync the current system time a remote server, click the Sync Now button.

Shutdown or restart

The Explore Admin UI provides an interface to halt, shutdown, and restart the Explore appliance components.

System
Restart or shut down the Explore appliance.
Admin
Restart the Explore appliance administrator component.
Receiver
Restart the Explore receiver component.
Search
Restart the Explore search service.

For each Explore appliance component, the table includes a time stamp to show the start time.

Restart an Explore appliance component

  1. On the Admin page in the Appliance Settings section, click Shutdown or Restart.
  2. Select Restart for the component you want to restart:
    • System (can also be shutdown completely)
    • Admin
    • Receiver
    • Search

License

The Admin UI provides an interface to add and update licenses for add-in modules and other features available in the ExtraHop appliance. The License Administration page includes the following licensing information and settings:

Manage license
Provides an interface to add and update the ExtraHop appliance
System Information
Displays the identification and expiration information about the ExtraHop appliance.
Features
Displays the list of licensed features and whether the licensed features are enabled or disabled.

Register your ExtraHop appliance

When you purchase an appliance, you will receive an email with a new product key that must be added to your appliance from the ExtraHop Admin UI. This guide provides instructions on how to apply the new product key and activate all of your purchased modules. You must have administrator privileges on the ExtraHop appliance to access the Admin UI.

Register the appliance

Before you begin

Note:If you are registering a Discover or Command appliance, you can optionally enter the product key from the ExtraHop Web UI, (https://<extrahop_ip_address>/) after you accept the EULA and log in.
  1. In your browser, type the URL of the ExtraHop Admin UI, https://<extrahop_ip_address>/admin.
  2. Review the license agreement, select I Agree, and then click Submit.
  3. On the login screen, type setup for the username.
  4. For the password, select from the following options:
    • For 1U and 2U appliances, type the serial number printed on the label on the back of the appliance. The serial number can also be found on the LCD display on the front of the appliance in the Info section.
    • For the EDA 1100, type the serial number displayed in the Appliance info section of the LCD menu. The serial number is also printed on the bottom of the appliance.
    • For a virtual appliance in AWS, type the instance ID, which is the string of characters that follow i- (but not i- itself).
    • For all other virtual appliances, type default.
  5. Click Log In.
  6. In the Appliance Settings section, click License.
  7. Click Manage License.
  8. If you have a product key, click Register and type your product key into the field.
    Note:If you received a license file from ExtraHop Support, click Manage License, click Update, then paste the contents of the file into the Enter License field. Click Update.
  9. Click Register.

Next steps

Have more questions about ExtraHop licensing works? See the License FAQ.
Troubleshoot license server connectivity

Your ExtraHop appliance must be able to resolve the *.d.extrahop.com domain from the DNS server settings that you configured on your ExtraHop appliance. Communication with the licensing server through DNS is required for license updates and check-ins.

Open a terminal application on your Windows, Linux, or Mac OS client that is on the same network as your ExtraHop appliance and run the following command:
nslookup -type=NS d.extrahop.com
If the name resolution is successful, output similar to the following appears:
Non-authoritative answer:
d.extrahop.com  nameserver = ns0.use.d.extrahop.com.
d.extrahop.com  nameserver = ns0.usw.d.extrahop.com.
If the name resolution is not successful, make sure that your DNS server is properly configured to lookup the extrahop.com domain.

Apply an updated license

When you purchase a new protocol module, service, or feature, your updated license is automatically available on your appliance. However you must apply your updated license to your appliance through the Admin UI for the new changes to take effect.

  1. Log into the Admin UI of your ExtraHop appliance.
  2. In the Appliance Settings section, click License. A message appears about the availability of your new license, as shown in the following figure.


  3. Click Apply new license. The capture process restarts, which might take a few minutes.
    Note:If your license is not automatically updated, troubleshoot licensing server connectivity or contact ExtraHop Support.

Update a license

If ExtraHop Support provides you with a license file, you can install this file on your appliance to update the license.

Note:If you want to update the product key for your appliance, you must register your ExtraHop appliance.
  1. Log into the Admin UI on your ExtraHop appliance.
  2. In the Appliance Settings section, click License.
  3. Click Manage License.
  4. Click Update.
  5. In the Enter License text box, enter the licensing information for the module.
    paste the license text provided to you by ExtraHop Support. Be sure to include all of the text, including the BEGIN and END lines, as shown in the example below:
    -----BEGIN EXTRAHOP LICENSE-----
    serial=ABC123D;
    dossier=1234567890abcdef1234567890abcdef;
    mod_cifs=1;
    mod_nfs=1;
    mod_amf=0;
    live_capture=1;
    capture_upload=1;
    ...
    ssl_decryption=0;
    +++;
    ABCabcDE/FGHIjklm12nopqrstuvwXYZAB12345678abcde901abCD;
    12ABCDEFG1HIJklmnOP+1aA=;
    =abcd;
    -----END EXTRAHOP LICENSE-----
  6. Click Update.

Disks

The Disks page provides information about the configuration and status of the disks in your Explore appliance. The information displayed on this page varies based on whether you have a physical or virtual appliance.

Help on this page

Note:We recommend that you configure the settings to receive email notifications about your system health. If a disk is beginning to experience problems, you will be alerted. For more information, see the Notifications section.

The following information displays on the page:

Drive Map
(Physical only) Provides a visual representation of the front of the Explore appliance.
RAID Disk Details
Provides access to detailed information about all the disks in the node.
Firmware
Displays information about disks reserved for the Explore appliance firmware.
Utility (Var)
Displays information about disks reserved for system files.
Search
Displays information about disks reserved for data storage.
Direct Connected Disks
Displays information about virtual disks on virtual machine deployments, or USB media in physical appliances.

Explore Cluster Settings

The Explore Cluster Settings section provides the following configurable settings:

Join Cluster
Join an Explore appliance to an existing Explore cluster. This setting appears only for single nodes that have not yet been joined to an Explore cluster.
Cluster Members
Displays all of the Explore nodes that are members of the Explore cluster.
Managers and Connected Appliances
Displays the hostname of the Command appliance that is configured to manage the Explore appliance as well as a list of all Discover appliances and Command appliances connected to the ExtraHop Explore appliance.
Cluster Data Management
Displays settings to configure the data replication level, enable or disable shard reallocation, and enable or disable record ingest. These settings are applied to all nodes in the Explore cluster.
Connect to a Command Appliance
Configure settings to enable a Command appliance to remotely run support scripts on the Explore appliance
Restore Cluster State
Restore the Explore cluster to a healthy state. This setting only appears if the Explore cluster displays a status of red on the Cluster Status page.

Create an Explore cluster

If you are deploying more than one Explore appliance, you can join the appliances together to create a cluster. For the best performance, data redundancy, and stability, you must configure at least three Explore appliances in an Explore cluster.

Before you begin

You must have already installed the Explore appliances in your environment before proceeding.

In the following example, the Explore appliances have the following IP addresses:

  • Node 1: 10.20.227.177
  • Node 2: 10.20.227.178
  • Node 3: 10.20.227.179

You will join nodes 2 and 3 to node 1 to create the Explore cluster.

Important:Each node that you join must have the same configuration (physical or virtual) and the same ExtraHop firmware version.
  1. Log into the Admin UI of all three Explore appliances with the setup user account in three separate browser windows or tabs.
  2. Select the browser window of node 1.
  3. In the Status and Diagnostics section, click Fingerprint and note the fingerprint value. You will later confirm that the fingerprint for node 1 matches when you join the remaining two nodes.
  4. Select the browser window of node 2.
  5. In the Explore Cluster Settings section, click Join Cluster.
  6. In the Host field, type the hostname or IP address of node 1 and then click Continue.
  7. Confirm that the fingerprint on this page matches the fingerprint you noted in step 3.
  8. In the Setup Password field, type the password for the node 1 setup user account and then click Join.
    When the join is complete, the Explore Cluster Settings section has two new entries: Cluster Members and Cluster Data Management.
  9. Click Cluster Members. You should see node 1 and node 2 in the list.
  10. In the Status and Diagnostics section, click Explore Cluster Status. Wait for the Status field to change to Green before adding the next node.
  11. Repeat steps 5 - 10 to join each additional node to the new cluster.
    Note:To avoid creating multiple clusters, always join a new node to an existing cluster and not to another single appliance.
  12. When you have added all of your Explore appliances to the cluster, click Cluster Members in the Explore Cluster Settings section. You should see all of the joined nodes in the list, similar to the following figure.
  13. In the Explore Cluster Settings section, click Cluster Data Management and make sure that Replication Level is set to 1 and Shard Reallocation is ON.

Cluster Members

If you have multiple nodes connected to an Explore cluster, you can view information about each node.

Help on this page

The table on this page provides the following information about each node in the cluster.

Nickname
Displays the IP address or nickname of the Explore appliance.
To assign a nickname, or change the existing nickname of a cluster member, click the IP address or nickname in the Nickname column, type a name in the Name field, and then click Rename Node.
Host
Displays the IP address of the Explore appliance.
Firmware Version
Displays the firmware version of the Explore appliance. Every node in the cluster must have the same firmware version to prevent unexpected behavior when replicating data across all nodes.
License Status
Displays the current status of the ExtraHop license. The License Status field displays one of the following states:
Nominal
The Explore appliance has a valid license.
Invalid
The Explore appliance has an invalid license. New records cannot be written to this node and existing records cannot be queried.
Pre-Expired
The Explore appliance has a license that is expiring soon.
Pre-Disconnected
The Explore appliance cannot connect to the ExtraHop license server.
Disconnected
The Explore appliance has not connected to the ExtraHop license server for more than 7 days. New records cannot be written to this node and existing records cannot be queried.
Connection Status
Displays whether the appliance is connected to the other members in the cluster. The possible connection states are Connected and Unreachable.
Actions
Remove an Explore node from the cluster.

Remove a node from the cluster

  1. In the Explore Cluster Settings section, click Cluster Members.
  2. In the Actions column for the node you want to remove, click Remove Node.
  3. Click Remove Node to confirm.

Manager and Connected Appliances

The Manager and Connected Appliances section includes the following information and controls.

Manager
Displays the hostname of the Command appliance that is configured to manage the Explore appliance. To connect to a Command appliance through a tunneled connection, click Connect to a Command Appliance. A tunneled connection might be required if a direct connection cannot be established through the Command appliance.
Click Remove Manager to remove the Command appliance as the manager.
Note:The Explore appliance can be managed by only one Command appliance.
Clients
Displays a table of all Discover appliances and Command appliances connected to the Explore appliance. The table includes the hostname of the connected client and the client product key.
Click Remove Client in the Actions column to remove a connected client.

Cluster Data Management

The Cluster Data Management page enables you to adjust settings for how records are collected and stored on your Explore cluster. You must connect a Discover appliance to the Explore cluster before you can configure replication level and shard reallocation settings.

Help on this page

You can manage how record data is stored on your Explore cluster.

  • Change the replication level to determine how many copies of each record are stored. A higher number of copies improves fault tolerance if a node fails and also improves the speed of query results. However, a higher number of copies takes up more disk space and might slow the indexing of the data.
    Option Description
    0 Data is not replicated to other nodes in the cluster. This level allows you to collect more data on the cluster; however, if there is a node failure, you will permanently lose data.
    Important:Select this option only when configuring a single-node cluster.
    1 There is one copy of the original data stored on the cluster. If one node fails, you will not permanently lose data.
    2 There are two copies of the original data stored on the cluster. This level requires the most disk space but provides the highest level of data protection. Two nodes in the cluster can fail without permanently losing data.

    This option is not valid with single-node clusters.

  • Enable or disable shard reallocation. Shard reallocation is enabled by default. Prior to upgrading the firmware or taking the node offline for maintenance (for example, replacing disks, power cycling the appliance, or removing network connectivity between Explore nodes), you should disable shard reallocation.
  • Enable or disable record ingest. Record ingest is enabled by default and controls whether records can be written to your Explore cluster. You must disable record ingest prior to upgrading firmware.

Connect to a Command appliance

Connect to a Command appliance to remotely run support scripts and upgrade firmware on the Explore appliance.

This procedure connects the Explore appliance to the Command appliance through a tunneled connection. Tunneled connections are required in network environments where a direct connection from the Command appliance is not possible because of firewalls or other network restrictions. When possible, you should always connect appliances directly from the Command appliance.

  1. In the Explore Cluster Settings section, click Connect to a Command Appliance.
  2. Configure the following settings:

    Command appliance hostname: The hostname or IP address of the Command appliance.

    Command appliance setup password: The setup user password for the Command appliance.

    Explore node nickname (Optional): A friendly name for the Explore node. If no nickname is entered, the node is identified by the hostname.

  3. Select the Manage with Command appliance checkbox and then click Connect.

Restore the cluster state

In rares instances, the Explore cluster might not recover from a Red status, as seen in the Status section on the Explore Cluster Status page. When this state occurs, it is possible to restore the cluster to a Green state.

When you restore the cluster state, the Explore cluster is updated with the latest stored information about the Explore nodes in the cluster and all other connected Discover and Command appliances.

Important:If you have recently restarted your Explore cluster, it might take an hour before the cluster status Green appears, and restoring the cluster might not be necessary. If you are unsure whether you should restore the cluster state, contact ExtraHop Support.
  1. In the Explore Cluster Settings section, click Restore Cluster State.
  2. On the Restore Cluster State page, click Restore Cluster State.
  3. Click Restore Cluster to confirm.
Published 2018-10-18 17:50