RevealX Enterprise Console Administration Guide
Introduction to the RevealX Enterprise Console Administration Guide
The RevealX Enterprise Console Administration Guide provides detailed information about the administration settings of RevealX Enterprise consoles. This guide provides an overview of the global navigation and information about the controls, fields, and options available throughout the Admin UI for consoles.
After you have deployed your console, see the Sensor and console post-deployment checklist.
We value your feedback. Please let us know how we can improve this document. Send your comments or suggestions to documentation@extrahop.com.
Supported browsers
The following browsers are compatible with all ExtraHop systems. Apply the accessibility and compatibility features provided by your browser to access content through assistive technology tools.
- Firefox
- Google Chrome
- Microsoft Edge
- Safari
| Important: | Internet Explorer 11 is no longer supported. We recommend that you install the latest version of any supported browser. |
Status and Diagnostics
The Status and Diagnostics section provides metrics about the overall health of your ExtraHop system.
Health
The Health page provides a collection of metrics that helps you to monitor the operation of your ExtraHop system and enables ExtraHop Support to troubleshoot system errors if necessary.
- System
- Reports the following information about the system CPU usage and hard
disk.
- CPU User
- The percentage of CPU usage associated with the ExtraHop system user.
- CPU System
- The percentage of CPU usage associated with the ExtraHop system.
- CPU Idle
- The CPU Idle percentage associated with the ExtraHop system.
- CPU IO
- The percentage of CPU usage associated with the ExtraHop system IO functions.
- Service Status
- Reports the status of ExtraHop system services.
- exalerts
- The amount of time the ExtraHop system alert service has been running.
- extrend
- The amount of time the ExtraHop system trend service has been running.
- exconfig
- The amount of time the ExtraHop system config service has been running.
- exportal
- The amount of time the ExtraHop system web portal service has been running.
- exshell
- The amount of time the ExtraHop system shell service has been running.
- Interfaces
- Reports the status of ExtraHop system interfaces.
- RX packets
- The number of packets received by the specified interface on the ExtraHop system.
- RX Errors
- The number of received packet errors on the specified interface.
- RX Drops
- The number of received packets dropped by the specified interface.
- TX Packets
- The number of packets transmitted by the specified interface on the ExtraHop system.
- TX Errors
- The number of transmitted packet errors on the specified interface.
- TX Drops
- The number of transmitted packets dropped by the specified interface.
- RX Bytes
- The number of bytes received by the specified interface on the ExtraHop system.
- TX Bytes
- The number of bytes transmitted by the specified interface on the ExtraHop system.
- Partitions
- Reports the memory that has been allocated to system components for the
ExtraHop system.
- Name
- The system components that have a memory partition in NVRAM.
- Options
- The read-write options for the system components.
- Size
- The partition size in gigabytes that is allocated for the system component.
- Utilization
- The amount of memory that is currently consumed by the system components, as a quantity and as a percentage of the total partition.
Active device count and limit
The Active Device Count and Limit chart enables you to monitor whether your active device count has exceeded the licensed limit. For example, an ExtraHop system with a 20,000-50,000 devices band is allowed up to 50,000 devices.
Click System Settings
and then click
All Administration. From the Status and
Diagnostics section, click Active Device Count and
Limit to view the chart.
The Active Device Count and Limit chart displays the following metrics:
- The dashed red line represents the licensed device limit.
- The solid black line represents the 95th percentile of active devices observed each day for the last 30 days.
- The blue bars represent the maximum number of active devices observed each day for the last 30 days.
This page also displays the following metrics:
- The licensed device limit for the previous day and for the last 30 days.
- The number of active devices observed the previous day.
- The 95th percentile of active devices observed over the last 30 days.
- The utilization percentage of the licensed device limit for the previous day and for the last 30 days. Utilization is the active device count divided by the licensed limit.
You can create a system notification rule to warn you if utilization exceeds a specified percentage or exceeds 100% of your licensed device limit. Limit percentages are customizable when you create a rule. If you find that you are consistently approaching or over your licensed limit, we recommend that you work with your sales team to move to the next available capacity band.
Verify active device count
You can view the Active Device Count and Limit chart to monitor whether your active device count has exceeded the licensed limit.
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- From the Status and Diagnostics section, click Active Device Count and Limit to view the chart.
Audit Log
The audit log provides data about the operations of your ExtraHop system, broken down by component. The audit log lists all known events by timestamp, in reverse chronological order.
Send audit log data to a remote syslog server
The audit log collects data about ExtraHop system operations, broken down by component. The log stored on the system has a capacity of 10,000 entries, and entries older than 90 days are automatically removed. You can view these entries in the Administration settings, or you can send the audit log events to a syslog server for long-term storage, monitoring, and advanced analysis. All logged events are listed in the table below.
The following steps show you how to configure the ExtraHop system to send audit log data to a remote syslog server.
Next steps
After you confirm that your new settings are working as expected, preserve your configuration changes by saving the running configuration file.Audit log events
The following events on an ExtraHop system generate an entry in the audit log.
| Category | Event |
|---|---|
| Agreements |
|
| API |
|
| Sensor Migration |
|
| Browser sessions |
|
| Cloud Services |
|
| Console |
|
| Dashboards |
|
| Datastore |
|
| Detections |
|
| Exception files |
|
| ExtraHop recordstore records |
|
| ExtraHop recordstore cluster |
|
| ExtraHop Update Service |
|
| Firmware |
|
| Global Policies |
|
| Integrations |
|
| License |
|
| Login to the ExtraHop system |
|
| Login from SSH or REST API |
|
| Modules |
|
| Network |
|
| Notification rules |
|
| Offline capture |
|
| PCAP |
|
| Remote Access |
|
| RPCAP |
|
| Running Config |
|
| SAML Identity Provider |
|
| SAML login |
|
| SAML privileges |
|
| Sensor tags |
|
| SSL decryption |
|
| SSL session keys |
|
| Support account |
|
| Support Script |
|
| Syslog |
|
| System and service status |
|
| System time |
|
| System user |
|
| TAXII feeds |
|
| Threat briefings |
|
| ExtraHop packetstore |
|
| Trends |
|
| Triggers |
|
| User Groups |
|
Exception Files
Exception files are a core file of the data stored in memory. When you enable the Exception File setting, the core file is written to the disk if the system unexpectedly stops or restarts. This file can help ExtraHop Support diagnose the issue.
Click Enable Exception Files or Disable Exception Files to enable or disable the saving of exception files.
Support Scripts
ExtraHop Support might provide a support script that can apply a special setting, make a small adjustment to the ExtraHop system, or provide help with remote support or enhanced settings. The Administration settings enable you to upload and run support scripts.
Network Settings
The Network Settings section provides configuration settings for your ExtraHop system. These settings enable you to set a hostname, configure notifications, and manage connections to your system.
Connect to ExtraHop Cloud Services
ExtraHop Cloud Services provides access to ExtraHop cloud-based services through an encrypted connection.
After the connection is established, information about the available services appear on the ExtraHop Cloud Services page.
- By sharing data with ExtraHop Machine Learning Service, you can enable features that
enhance the ExtraHop system and your user experience.
- Enable AI Search Assistant to find devices with natural language user prompts, which are shared with ExtraHop Cloud Services for product improvement. See the AI Search Assistant FAQ for more information.
- Opt in to Expanded Threat Intelligence to enable the Machine Learning Service to review data such as IP addresses and hostnames against threat intelligence provided by CrowdStrike, benign endpoints, and other network traffic information. See the Expanded Threat Intelligence FAQ for more information.
- Contribute data such as file hashes and external IP addresses to Collective Threat Analysis to improve the accuracy of detections. See the Collective Threat Analysis FAQ for more information.
- ExtraHop Update Service enables automatic updates of resources to the ExtraHop system, such as ransomware packages.
- ExtraHop Remote Access enables you to allow ExtraHop account team members and ExtraHop Support to connect to your ExtraHop system for configuration help. See the Remote Access FAQ for more information about remote access users.
| Video: | See the related training: Connect to ExtraHop Cloud Services |
Before you begin
- RevealX 360 systems are automatically connected to ExtraHop Cloud Services, however, you might need to allow access through network firewalls.
- You must apply the relevant license on the ExtraHop system before you can connect to ExtraHop Cloud Services. See the License FAQ for more information.
- You must have setup or system and access administration privileges to access Administration settings.
Configure your firewall rules
If your ExtraHop system is deployed in an environment with a firewall, you must open access to ExtraHop Cloud Services, and enable gRPC and HTTP/2. Ensure that HTTP/2 traffic is not downgraded to HTTP/1.1 by intermediate devices. For RevealX 360 systems that are connected to sensors, you must also open access to the cloud-based recordstore included with RevealX Standard Investigation.
Open access to Cloud Services
For access to ExtraHop Cloud Services, your sensors must be able to resolve DNS queries for *.extrahop.com and have access to TCP 443 (HTTPS) from one of the following IP addresses that correspond to your sensor license. We recommend opening access to both IP addresses to avoid service interruption.
| Region | IP Addresses |
|---|---|
| North, Central, South America (AMER) | 35.161.154.247 54.191.189.22 |
| Asia, Pacific (APAC) | 54.66.242.25 13.239.224.80 |
| Singapore | 13.251.160.61 52.220.25.71 |
| Europe, Middle East, Africa (EMEA) | 52.59.110.168 18.198.13.99 |
| United States Federal (US-FED) | 3.135.6.11 3.139.111.240 |
Open access to RevealX 360 Standard Investigation
For access to RevealX 360 Standard Investigation, your sensors must be able to access outbound TCP 443 (HTTPS) to these fully-qualified domain names:
- bigquery.googleapis.com
- bigquerystorage.googleapis.com
- oauth2.googleapis.com
- www.googleapis.com
- www.mtls.googleapis.com
- iamcredentials.googleapis.com
You can also review the public guidance from Google about computing possible IP address ranges for googleapis.com.
In addition to configuring access to these domains, you can also configure the global proxy server settings.
Connect to ExtraHop Cloud Services through a proxy
If you do not have a direct internet connection, you can try connecting to ExtraHop Cloud Services through an explicit proxy. The ExtraHop system will also communicate with the ExtraHop license server through the proxy connection.
Before you begin
Verify whether your proxy vendor is configured to perform machine-in-the-middle (MITM) when tunneling SSH over HTTP CONNECT to localhost:22. ExtraHop Cloud Services deploys an encrypted inner SSH tunnel, so traffic will not be visible to MITM inspection. We recommend that you create a security exception and disable MITM inspection for this traffic.| Important: | If you are unable to disable MITM on your proxy, you must disable certificate validation in the ExtraHop system running configuration file. For more information, see Bypass certificate validation. |
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- In the Network Settings section, click Connectivity.
- Click Enable ExtraHop Cloud Proxy.
- In the Hostname field, type the hostname for your proxy server, such as proxyhost.
- In the Port field, type the port for your proxy server, such as 8080.
- (Optional): If required, in the Username and Password fields, type a user name and password for your proxy server.
- Click Save.
Bypass certificate validation
Some environments are configured so that encrypted traffic cannot leave the network without inspection by a third-party device. This device can act as an TLS endpoint that decrypts and re-encrypts the traffic before sending the packets to ExtraHop Cloud Services.
| Note: | The following procedure requires familiarity with modifying the ExtraHop running configuration file. |
Disconnect from ExtraHop Cloud Services
You can disconnect an ExtraHop system from ExtraHop Cloud Services.
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- In the Network Settings section, click ExtraHop Cloud Services.
- In the Cloud Services Connection section, click Disconnect.
Manage ExtraHop Cloud Services enrollment
Before you begin
Your system license determines which services are available for your ExtraHop console or sensor. A single license can only be applied to a single appliance or virtual machine (VM) at a time. If you want to repurpose a license from one appliance or VM to another, you can manage system enrollment from the ExtraHop Cloud Services page.Unenrolling a system deletes all data and historical analysis for the Machine Learning Service from the system and will no longer be available.
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- In the Network Settings section, click ExtraHop Cloud Services.
- In the Cloud Services Connection section, click Unenroll.
Connectivity
The Connectivity page contains controls for your appliance connections and network settings.
- Interface Status
- On physical appliances, a diagram of interface connections appears, which updates
dynamically based on the port status.
- The blue Ethernet port is for management
- A black Ethernet port indicates a licensed and enabled port that is currently down
- A green Ethernet port indicates an active, connected port
- A gray Ethernet port indicates a disabled or unlicensed port
- Network Settings
-
- Click Change Settings to add a hostname for your ExtraHop appliance or to add DNS servers.
- Proxy Settings
-
- Enable a global proxy to connect to an ExtraHop console or other devices outside of the local network
- Enable a cloud proxy to connect to ExtraHop Cloud Services
- Bond Interface Settings
-
- Create a bond interface to bond multiple interfaces together into one logical interface with a single IP address.
- Interfaces
- View and configure your management and monitoring interfaces. Click any interface to display setting options.
- Packet Ingest Settings
-
- Configure the source of packets ingested by this sensor. You can enable the sensor to ingest packets from a direct feed or packets forwarded from a third-party.
Configure an interface
Set a static route
Before you begin
You must disable DHCPv4 before you can add a static route.- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- In the Network Settings section, click Connectivity.
- In the Interfaces section, click the name of the interface you want to configure.
- On the Network Settings for Interface <interface number> page, ensure that the IPv4 Address and Netmask fields are complete and saved, and click Edit Routes.
- In the Add Route section, type a network address range in CIDR notation in the Network field and IPv4 address in the Via IP field and then click Add.
- Repeat the previous step for each route you want to add.
- Click Save.
Global proxy server
If your network topology requires a proxy server to enable your ExtraHop system to communicate either with a console or with other devices outside of the local network, you can enable your ExtraHop system to connect to a proxy server you already have on your network. Internet connectivity is not required for the global proxy server. Ensure that HTTP/2 traffic is not downgraded to HTTP/1.1 by intermediate devices.
Configure a global proxy
| Important: | You can configure only one global proxy server per ExtraHop system. |
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- In the Network Settings section, click Connectivity.
- In the Proxy Settings section, click Enable Global Proxy.
- In the Hostname field, enter the hostname or IP address for your global proxy server
- In the Port field, enter the port number for your proxy server.
- In the Username field, enter the name of a user that has privileged access to your global proxy server.
- In the Password field, enter the password for the user specified above.
ExtraHop Cloud proxy
If your ExtraHop system does not have a direct internet connection, you can connect to the internet through a proxy server specifically designated for ExtraHop Cloud services connectivity. Only one proxy can be configured per system.
Complete the following fields and click Save to enable a cloud proxy.
Hostname: The hostname or IP address for your cloud proxy server.
Port: The port number for your cloud proxy server.
Username: The name of a user that has for access to your cloud proxy server.
Password: The password for the user specified above.
Bond interfaces
You can bond multiple interfaces on your ExtraHop system together into a single logical interface that has one IP address for the combined bandwidth of the member interfaces. Bonding interfaces enable a larger throughput with a single IP address. This configuration is also known as link aggregation, port channeling, link bundling, Ethernet/network/NIC bonding, or NIC teaming. Bond interfaces cannot be set to monitoring mode.
| Note: | When you modify bond interface settings, you lose connectivity to your ExtraHop system. You must make changes to your network switch configuration to restore connectivity. The changes required are dependent on your switch. Contact ExtraHop Support for assistance before you create a bond interface. |
- Bonding is only configurable on Management or Management + interfaces.
- Port channeling on traffic monitoring ports is supported on the ExtraHop sensors.
Interfaces chosen as members of a bond interface are no longer independently configurable and are shown as Disabled (bond member) in the Interfaces section of the Connectivity page. After a bond interface is created, you cannot add more members or delete existing members. The bond interface must be destroyed and recreated.
Create a bond interface
You can create a bond interface with at least one interface member and up to the number of members that are available for bonding.
Modify bond interface settings
After a bond interface is created, you can modify most settings as if the bond interface is a single interface.
Destroy a bond interface
When a bond interface is destroyed, the separate interface members of the bond interface return to independent interface functionality. One member interface is selected to retain the interface settings for the bond interface and all other member interfaces are disabled. If no member interface is selected to retain the settings, the settings are lost and all member interfaces are disabled.
Notifications
The ExtraHop system can send notifications about configured alerts through email, SNMP traps, and syslog exports to remote servers. If an email notification group is specified, then emails are sent to the groups assigned to the alert.
Configure email settings for notifications
You must configure an email server and sender before the ExtraHop system can send alert notifications, System Health notifications, or scheduled reports.
Next steps
After you confirm that your new settings are working as expected, preserve your configuration changes through system restart and shutdown events by saving the running configuration file.Configure an email notification group
Add a list of email addresses to a group, then select the group when you configure email settings to send System Health Notifications, an alert, or a scheduled report. Although you can specify individual email addresses, email groups are an effective way to manage your recipient list.
Configure settings to send notifications to an SNMP manager
The state of the network can be monitored through the Simple Network Management Protocol (SNMP). SNMP collects information by polling devices on the network. SNMP enabled devices can also send alerts to SNMP management stations. SNMP communities define the group where devices and management stations running SNMP belong, which specifies where information is sent. The community name identifies the group.
| Note: | Most organizations have an established system for collecting and displaying SNMP traps in a central location that can be monitored by their operations teams. For example, SNMP traps are sent to an SNMP manager, and the SNMP management console displays them. |
Download the ExtraHop SNMP MIB
SNMP does not provide a database of information that an SNMP-monitored network reports. SNMP information is defined by third-party management information bases (MIBs) that describe the structure of the collected data.
Extract the ExtraHop vendor object OID
Before you can monitor a device with SNMP, you need the sysObjectID, which contains an OID that is the vendor-reported identity of the device.
Send system notifications to a remote syslog server
The syslog export option enables you to send alerts or audit logs from an ExtraHop system to any remote system that receives syslog input for long-term archiving and correlation with other sources.
You can send the following types of notifications to the syslog:
- Storage alert notifications
- ExtraHop alert notifications
| Note: | To send audit logs, see Send audit log data to a remote syslog server |
Next steps
After you confirm that your new settings are working as expected, preserve your configuration changes through system restart and shutdown events by saving the running configuration file.TLS Certificate
TLS certificates provide secure authentication to the ExtraHop system.
You can designate a self-signed certificate for authentication instead of a certificate signed by a Certificate Authority. However, be aware that a self-signed certificate generates an error in the client browser, which reports that the signing certificate authority is unknown. The browser provides a set of confirmation pages to trust the certificate, even though the certificate is self-signed. Self-signed certificates can also degrade performance by preventing caching in some browsers. We recommend that you create a certificate-signing request from your ExtraHop system and upload the signed certificate instead.
| Important: | When replacing an TLS certificate, the web server service is restarted. Tunneled connections from ExtraHop sensors to ExtraHop consoles are lost but then re-established automatically. |
Upload a TLS certificate
You must upload a .pem file that includes both a private key and either a self-signed certificate or a certificate-authority certificate.
| Note: | The .pem file must not be password protected. |
| Note: | You can also automate this task through the REST API. |
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- In the Network Settings section, click TLS Certificate.
- Click Manage certificates to expand the section.
- Click Choose File and navigate to the certificate that you want to upload.
- Click Open.
- Click Upload.
- Save the running configuration file
Create a certificate signing request from your ExtraHop system
A certificate signing request (CSR) is a block of encoded text that is given to your Certificate Authority (CA) when you apply for a TLS certificate. The CSR is generated on the ExtraHop system where the TLS certificate will be installed and contains information that will be included in the certificate such as the common name (domain name), organization, locality, and country. The CSR also contains the public key that will be included in the certificate. The CSR is created with the private key from the ExtraHop system, making a key pair.
Next steps
Send the CSR file to your certificate authority (CA) to have the CSR signed. When you receive the TLS certificate from the CA, return to the TLS Certificate page in the Administration settings and upload the certificate to the ExtraHop system.| Tip: | If your organization requires that the CSR contains a new public key, generate a self-signed certificate to create new key pairs before creating the CSR. |
Trusted Certificates
Trusted certificates enable you to validate SMTP, LDAP, HTTPS ODS and MongoDB ODS targets, as well as Splunk recordstore connections from your ExtraHop system.
Add a trusted certificate to your ExtraHop system
Your ExtraHop system only trusts peers who present a Transport Layer Security (TLS) certificate that is signed by one of the built-in system certificates and any certificates that you upload. SMTP, LDAP, HTTPS ODS and MongoDB ODS targets, as well as Splunk recordstore connections can be validated through these certificates.
Before you begin
You must log in as a user with setup or system and access administration privileges to add or remove trusted certificates.| Important: | To trust the built-in system certificates and any uploaded certificates, you must also enable TLS or STARTTLS encryption and certificate validation when configuring the settings for the external server. |
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- In the Network Settings section, click Trusted Certificates.
- (Optional): If you want to trust the built-in certificates included in the ExtraHop system, select Trust System Certificates, click Save, and then save the running configuration file.
- To add your own certificate, click Add Certificate and then in the Certificate field, paste the contents of the PEM-encoded certificate chain.
- In the Name field, type a name.
- Click Add.
Access Settings
In the Access Settings section, you can change user passwords, enable the support account, manage local users and user groups, configure remote authentication, and manage API access.
Global Policies
Administrators can configure global policies that apply to all users who access the system.
Password policy
- Choose between two password policies; the default password policy of 5 or more
characters or a more secure strict password policy that has the following
restrictions:
- 8 or more characters
- Upper and lowercase characters
- At least one number
- At least one symbol
Note: If you select the strict password policy of 8 or more characters, passwords will expire every 60 days.
Device Group Edit Control
- Control whether users with limited write privileges can create and edit device groups. When this policy is selected, all limited write users can create device groups and add other limited write users as editors to their device groups.
Default Dashboard
- Specify the dashboard that users see when they log in to the system. Only dashboards shared with all users can be set as a global default. Users can override this default setting from the command menu of any dashboard.
File Extraction Password
- (NDR module only) Specify a required password that you can share with approved users to unzip files extracted and downloaded from a packet query.
Passwords
Users with privileges to the Administration page can change the password for local user accounts.
- Select any user and change their password
- You can only change passwords for local users. You cannot change passwords for users authenticated through LDAP or other remote authentication servers.
For more information about privileges for specific Administration page users and groups, see the Users section.
Change the default password for the setup user
It is recommended that you change the default password for the setup user on the ExtraHop system after you log in for the first time. To remind administrators to make this change, there is a blue Change Password button at the top of the page while the setup user is accessing the Administration settings. After the setup user password is changed, the button at the top of the page no longer appears.
| Note: | The password must be a minimum of 5 characters. |
Support Access
Support accounts provide access for the ExtraHop Support team to help customers troubleshoot issues with the ExtraHop system.
These settings should be enabled only if the ExtraHop system administrator requests hands-on assistance from the ExtraHop Support team.
Generate SSH key
- In the Access Settings section, click Support Access.
- Click Generate SSH Key.
- Copy the encrypted key from the text box and email the key to your ExtraHop representative.
- Click Done.
Regenerate or revoke the SSH key
To prevent SSH access to the ExtraHop system with an existing SSH key, you can revoke the current SSH key. A new SSH key can also be regenerated if needed.
- In the Access Settings section, click Support Access.
- Click Generate SSH Key.
-
Choose one of the following options:
- Click Regenerate SSH Key and then click
Regenerate.
Copy the encrypted key from the text box and email the key to your ExtraHop representative and then click Done.
- Click Revoke SSH Key to prevent SSH access to the system with the current key.
- Click Regenerate SSH Key and then click
Regenerate.
Users
The Users page enables you to control local access to the ExtraHop appliance.
Users and user groups
Users can access the ExtraHop system in three ways: through a set of pre-configured user accounts, through local user accounts configured on the appliance, or through remote user accounts configured on existing authentication servers, such as LDAP, SAML, Radius, and TACACS+. For RevealX 360, you can add user groups through the API
| Video: | See the related trainings: |
Local users
This topic is about default and local accounts. See Remote Authentication to learn how to configure remote accounts.
- setup
- This account provides full system read and write privileges to the browser-based user interface and to the ExtraHop command-line interface (CLI). For default login and password information, see Default User Accounts FAQ.
- shell
- The shell account, by default, has access to non-administrative shell commands in the ExtraHop CLI. On physical sensors, the default password for this account is the service tag number on the front of the appliance. On virtual sensors, the default password is default.
| Note: | The default ExtraHop password for either account when deployed in Amazon Web Services (AWS) and Google Cloud Platform (GCP) is the instance ID of the virtual machine. |
Remote Authentication
The ExtraHop system supports remote authentication for user access. Remote authentication enables organizations that have authentication systems such as LDAP (OpenLDAP or Active Directory, for example) to enable all or a subset of their users to log in to the system with their existing credentials.
| Important: | Menu selections vary depending on which appliance type you are configuring. For example, SAML is only available for sensors and consoles. |
Centralized authentication provides the following benefits:
- User password synchronization.
- Automatic creation of ExtraHop accounts for users without administrator intervention.
- Management of ExtraHop privileges based on user groups.
- Administrators can grant access to all known users or restrict access by applying LDAP filters.
Remote users
If your ExtraHop system is configured for SAML or LDAP remote authentication, you can create an account for those remote users. Preconfiguring accounts on the ExtraHop system for remote users enables you to share system customizations with those users before they log in.
If you choose to auto-provision users when you configure SAML authentication, then the user is automatically added to the list of local users when they log in for the first time. However, you can create a remote SAML user account on the ExtraHop system when you want to provision a remote user before that user has logged in to the system. Privileges are assigned to the user by the provider. After the user is created, you can add them to local user groups.
Next steps
User groups
User groups enable you to manage access to shared content by group instead of by individual user. Customized objects such as activity maps can be shared with a user group, and any user who is added to the group automatically has access. You can create a local user group—which can include remote and local users. Alternatively, if your ExtraHop system is configured for remote authentication through LDAP, you can configure settings to import your LDAP user groups.
- Click Create User Group to create a local group. The user group appears in the list. Then, select the checkbox next to the user group name and select users from the Filter users... drop-down menu. Click Add Users to Group.
- (LDAP only) Click Refresh All User Groups or select multiple LDAP user groups and click Refresh Users in Groups.
- Click Reset User Group to remove all shared content from a selected user group. If the group no longer exists on the remote LDAP server, the group is removed from the user group list.
- Click Enable User Group or Disable User Group to control whether any group member can access shared content for the selected user group.
- Click Delete User Group to remove the selected user group from the system.
- View the following properties for listed user groups:
- Group Name
- Displays the name of the group. To view the members in the group, click the group name.
- Type
- Displays Local or Remote as the type of user group.
- Members
- Displays the number of users in the group.
- Shared Content
- Displays the number of user-created objects that are shared with the group.
- Status
- Displays whether the group is enabled or disabled on the system. When the status is Disabled, the user group is considered empty when performing membership checks; however, the user group can still be specified when sharing content.
- Members Refreshed (LDAP only)
- Displays the amount of time elapsed since the group membership was refreshed. User
groups are refreshed under the following conditions:
- Once per hour, by default. The refresh interval setting can be modified on the page.
- An administrator refreshes a group by clicking Refresh All User Groups or Refresh Users in Group, or programmatically through the REST API. You can refresh a group from the User Group page or from within the Member List page.
- A remote user logs in to the ExtraHop system for the first time.
- A user attempts to load a shared dashboard that they do not have access to.
User privileges
Administrators determine the module access level for users in the ExtraHop system.
For information about user privileges for the REST API, see the REST API Guide.
For information about remote user privileges, see the configuration guides for LDAP, RADIUS, SAML, and TACACS+.
Privilege Levels
Set the privilege level for your user to determine which areas of the ExtraHop system they can access.
- NDR Module Access
- Allows the user to access security features such as attack detections, investigations, and threat briefings.
- NPM Module Access
- Allows the user to access performance features such as operations detections and the ability to create custom dashboards.
- Packet and Session Key Access
- Allows the user to view and download packets and session keys, packets only, packet headers only, or packet slices only. Also allows the user to extract files associated with packets.
These privileges determine the level of functionality users have within the modules where they have been granted access.
For RevealX Enterprise, users with system access and administration privileges can access all features, packets, and session keys for their licensed modules.
For RevealX 360, system access and administration privileges, access to licensed modules, packets, and session keys must be assigned separately. RevealX 360 also offers an additional System Administration account that grants full system privileges except for the ability to manage users and API access.
The following table contains ExtraHop features and their required privileges. If no module requirement is noted, the feature is available in both the NDR and NDM modules.
| System and Access Administration | System Administration (RevealX 360 only) | Full Write | Limited Write | Personal Write | Full Read-Only | Restricted Read-Only | |
|---|---|---|---|---|---|---|---|
| Activity Maps | |||||||
| Create, view, and load shared activity maps | Y | Y | Y | Y | Y | Y | N |
| Save activity maps | Y | Y | Y | Y | Y | N | N |
| Share activity maps | Y | Y | Y | Y | N | N | N |
| Alerts | NPM module license and access required. | ||||||
| View alerts | Y | Y | Y | Y | Y | Y | Y |
| Create and modify alerts | Y | Y | Y | N | N | N | N |
| Analysis Priorities | |||||||
| View Analysis Priorities page | Y | Y | Y | Y | Y | Y | N |
| Add and modify analysis levels for groups | Y | Y | Y | N | N | N | N |
| Add devices to a watchlist | Y | Y | Y | N | N | N | N |
| Transfer priorities management | Y | Y | Y | N | N | N | N |
| Bundles | |||||||
| Create a bundle | Y | Y | Y | N | N | N | N |
| Upload and apply a bundle | Y | Y | Y | N | N | N | N |
| Download a bundle | Y | Y | Y | Y | Y | N | N |
| View list of bundles | Y | Y | Y | Y | Y | Y | N |
| Dashboards | |||||||
| View and organize dashboards | Y | Y | Y | Y | Y | Y | Y |
| Create and modify dashboards | Y | Y | Y | Y | Y | N | N |
| Share dashboards | Y | Y | Y | Y | N | N | N |
| Detections | NDR module license and access required
to view and tune security detections and create
investigations. NPM module license and access required to view and tune performance detections. |
||||||
| View detections | Y | Y | Y | Y | Y | Y | Y |
| Acknowledge Detections | Y | Y | Y | Y | Y | N | N |
| Modify detection status and notes | Y | Y | Y | Y | N | N | N |
| Create and modify investigations | Y | Y | Y | Y | N | N | N |
| Create and modify tuning rules | Y | Y | Y | N | N | N | N |
| Device Groups | Administrators can configure the Device Group Edit Control global policy to specify whether users with limited write privileges can create and edit device groups. | ||||||
| Create and modify device groups | Y | Y | Y | Y (If the global privilege policy is enabled) | N | N | N |
| Integrations | RevealX 360 only | ||||||
| Configure and modify integrations | Y | Y | N | N | N | N | N |
| File Analysis | |||||||
| Configure file analysis settings and rules | Y | Y | N | N | N | N | N |
| Metrics | |||||||
| View metrics | Y | Y | Y | Y | Y | Y | N |
| Notification Rules | NDR module license and access required
to create and modify notifications for security detections, security
detection catalog, and threat briefings. NPM module license and access required to create and modify notifications for performance detections and performance detection catalog. |
||||||
| Create and modify detection notification rules | Y | Y | Y | N | N | N | N |
| Create and modify detection notification rules for SIEM integrations (RevealX 360 only) | Y | Y | N | N | N | N | N |
| Create and modify detection catalog notification rules | Y | Y | Y | N | N | N | N |
| Create and modify threat briefing notification rules | Y | Y | Y | N | N | N | N |
| Create and modify system notification rules | Y | Y | N | N | N | N | N |
| Records | Recordstore required. | ||||||
| View record queries | Y | Y | Y | Y | Y | Y | N |
| View record formats | Y | Y | Y | Y | Y | Y | N |
| Create, modify, and save record queries | Y | Y | Y | N | N | N | N |
| Create, modify, and save record formats | Y | Y | Y | N | N | N | N |
| Scheduled Reports | Console required. | ||||||
| Create, view, and manage scheduled reports | Y | Y | Y | Y | N | N | N |
| Threat Intelligence | NDR module license and access required. | ||||||
| Manage threat collections | Y | Y | N | N | N | N | N |
| Manage TAXII feeds | Y | Y | N | N | N | N | N |
| View threat intelligence information | Y | Y | Y | Y | Y | Y | N |
| Triggers | |||||||
| Create and modify triggers | Y | Y | Y | N | N | N | N |
| Administrative Privileges | |||||||
| Access the ExtraHop Administration settings | Y | Y | N | N | N | N | N |
| Connect to other appliances | Y | Y | N | N | N | N | N |
| Manage other appliances (Console) | Y | Y | N | N | N | N | N |
| Manage users and API access | Y | N | N | N | N | N | N |
Add a local user account
By adding a local user account, you can provide users with direct access to your ExtraHop system and restrict their privileges as needed by their role in your organization.
| Tip: |
|
Add an account for a remote user
Add a user account for LDAP or SAML users when you want to provision the remote user before that user logs in to the ExtraHop system. After the user is added to the system, you can add them to local groups or share items directly with them before they log in through the LDAP or SAML provider.
Sessions
The ExtraHop system provides controls to view and delete user connections to the web interface. The Sessions list is sorted by expiration date, which corresponds to the date the sessions were established. If a session expires or is deleted, the user must log in again to access the web interface.
Remote Authentication
The ExtraHop system supports remote authentication for user access. Remote authentication enables organizations that have authentication systems such as LDAP (OpenLDAP or Active Directory, for example) to enable all or a subset of their users to log in to the system with their existing credentials.
| Important: | Menu selections vary depending on which appliance type you are configuring. For example, SAML is only available for sensors and consoles. |
Centralized authentication provides the following benefits:
- User password synchronization.
- Automatic creation of ExtraHop accounts for users without administrator intervention.
- Management of ExtraHop privileges based on user groups.
- Administrators can grant access to all known users or restrict access by applying LDAP filters.
Next steps
Configure remote authentication through LDAP
The ExtraHop system supports the Lightweight Directory Access Protocol (LDAP) for authentication and authorization. Instead of storing user credentials locally, you can configure your ExtraHop system to authenticate users remotely with an existing LDAP server. Note that ExtraHop LDAP authentication only queries for user accounts; it does not query for any other entities that might be in the LDAP directory.
Before you begin
- This procedure requires familiarity with configuring LDAP.
- Ensure that each user is in a permission-specific group on the LDAP server before beginning this procedure.
- If you want to configure nested LDAP groups, you must modify the Running Configuration file. Contact ExtraHop Support for help.
When a user attempts to log onto an ExtraHop system, the ExtraHop system tries to authenticate the user in the following ways:
- Attempts to authenticate the user locally.
- Attempts to authenticate the user through the LDAP server if the user does not exist locally and if the ExtraHop system is configured for remote authentication with LDAP.
- Logs the user onto the ExtraHop system if the user exists and the password is validated either locally or through LDAP. The LDAP password is not stored locally on the ExtraHop system. Note that you must enter the username and password in the format that your LDAP server is configured for. The ExtraHop system only forwards the information to the LDAP server.
- If the user does not exist or an incorrect password is entered, an error message appears on the login page.
| Important: | If you change LDAP authentication at a later time to a different remote authentication method, the users, user groups, and associated customizations that were created through remote authentication are removed. Local users are unaffected. |
Configure user privileges for remote authentication
You can assign user privileges to individual users on your ExtraHop system or configure and manage privileges through your LDAP server.
| Important: | This section applies only to sensors and consoles. For recordstores and packetstores, all users that can access the recordstore or packetstore are granted administrative privileges. |
The ExtraHop system supports both Active Directory and POSIX group memberships. For Active Directory, memberOf is supported. For POSIX, memberuid, posixGroups, groupofNames, and groupofuniqueNames are supported.
-
Choose one of the following options from the Privilege assignment
options drop-down menu:
- Obtain privileges level from remote server
This option assigns privileges through your remote authentication server. You must complete at least one of the following distinguished name (DN) fields.
System and Access Administration DN: Create and modify all objects and settings on the ExtraHop system, including Administration settings.
Full Write DN: Create and modify objects on the ExtraHop system, not including Administration settings.
Limited Write DN: Create, modify, and share dashboards.
Personal Write DN: Create personal dashboards and modify dashboards shared with the logged-in user.
Full read-only DN: View objects in the ExtraHop system.
Restricted Read-only DN: View dashboards shared with the logged-in user.
Packet Slices Access DN: View and download the first 64 bytes of packets captured through a packetstore.
Packet Headers Access DN: Search and download only the packet headers of packets captured through a packetstore.
Packet Access DN: View and download packets captured through a packetstore.
Packet and Session Keys Access DN: View and download packets and any associated TLS session keys captured through a packetstore.
NDR Module Access DN: View, acknowledge, and hide security detections that appear in the ExtraHop system.
NPM Module Access DN: View, acknowledge, and hide performance detections that appear in the ExtraHop system.
- Remote users have full write access
This option grants remote users full write access to the ExtraHop system. In addition, you can grant additional access for packet downloads, TLS session keys, NDR module access, and NPM module access.
- Remote users have full read-only access
This option grants remote users read-only access to the ExtraHop system. In addition, you can grant additional access for packet downloads, TLS session keys, NDR module access, and NPM module access.
- Obtain privileges level from remote server
- (Optional):
Configure packet and session key access. Select one of the following options to
allow remote users to download packet captures and TLS session keys.
- No access
- Packet slices only
- Packet headers only
- Packets only
- Packets and session keys
- (Optional):
Configure NDR and NPM module access (On sensors and consoles only).
- No access
- Full access
- Click Save and Finish.
- Click Done.
Configure remote authentication through SAML
You can configure secure, single sign-on (SSO) authentication to the ExtraHop system through one or more security assertion markup language (SAML) identity providers.
| Video: | See the related training: SSO Authentication |
| Important: | This guide is only for RevealX Enterprise. For RevealX 360, see Enable sensor access control through your own identity provider. |
When a user logs in to an ExtraHop system that is configured as a service provider (SP) for SAML SSO authentication, the ExtraHop system requests authorization from the appropriate identity provider (IdP). The identity provider authenticates the user's credentials and then returns the authorization for the user to the ExtraHop system. The user is then able to access the ExtraHop system.
Configuration guides for specific identity providers are linked below. If your provider is not listed, apply the settings required by the ExtraHop system to your identity provider.
Identity providers must meet the following criteria:
- SAML 2.0
- Support SP-initiated login flows. IdP-initiated login flows are not supported.
- Support signed SAML Responses
- Support HTTP-Redirect binding
The example configuration in this procedure enables access to the ExtraHop system through group attributes.
If your identity provider does not support group attribute statements, configure user attributes with the appropriate privileges for module access, system access, and packet forensics.
Enable SAML remote authentication
Before you begin
| Warning: | If your system is already configured with a remote authentication method, changing these settings will remove any users and associated customizations created through that method, and remote users will be unable to access the system. Local users are unaffected. |
User attribute mapping
You must configure the following set of user attributes in the application attribute mapping section on your identity provider. These attributes identify the user throughout the ExtraHop system. Refer to your identity provider documentation for the correct property names when mapping attributes.
| ExtraHop Attribute Name | Friendly Name | Category | Identity Provider Attribute Name |
|---|---|---|---|
| urn:oid:0.9.2342.19200300.100.1.3 | Standard Attribute | Primary email address | |
| urn:oid:2.5.4.4 | sn | Standard Attribute | Last name |
| urn:oid:2.5.4.42 | givenName | Standard Attribute | First name |
Group attribute statements
The ExtraHop system supports group attribute statements to easily map user privileges to all members of a specific group. When you configure the ExtraHop application on your identity provider, specify a group attribute name. This name is then entered in the Attribute Name field when you configure the identity provider on the ExtraHop system.
If your identity provider does not support group attribute statements, configure user attributes with the appropriate privileges for module access, system access, and packet forensics.
Configure SAML single sign-on with Okta
You can configure your ExtraHop system to enable users to log in to the system through the Okta identity management service.
Before you begin
- You should be familiar with administering Okta. These procedures are based on the Okta Classic UI. If you are configuring Okta through the Developer Console, the procedure might be slightly different.
- You should be familiar with administering ExtraHop systems.
These procedures require you to copy and paste information between the ExtraHop system and the Okta Classic UI, so it is helpful to have each system open side-by-side.
Configure SAML settings in Okta
This procedure requires you to copy and paste information between the ExtraHop Administration settings and the Okta Classic UI, so it is helpful to have each UI open side-by-side.
-
In the upper-right corner of the page, change the view from
Developer Console to Classic
UI.
-
In the Group Attribute Statement section, in the
Name field, type a string and configure a filter.
You will specify the group attribute name when you configure user privilege attributes on the ExtraHop system.The following figure shows a sample configuration.
Assign the ExtraHop system to Okta groups
- From the Directory menu, select Groups.
- Click the group name.
- Click Manage Apps.
- Locate the name of the application you configured for the ExtraHop system and click Assign.
- Click Done.
Configure SAML single sign-on with Google
You can configure your ExtraHop system to enable users to log in to the system through the Google identity management service.
Before you begin
- You should be familiar with administering Google Admin.
- You should be familiar with administering ExtraHop systems.
These procedures require you to copy and paste information between the ExtraHop system and Google Admin console, so it is helpful to have each system open side-by-side.
Add user custom attributes
- Log in to the Google Admin console.
- Click Users.
-
Click the Manage custom attributes icon
.
- Click Add Custom Attribute.
- In the Category field, type ExtraHop.
- (Optional): In the Description field, type a description.
-
In the Custom fields section, enter the following
information:
- In the Name field, type writelevel.
- From the Info Type drop-down menu, select Text.
- From the Visibility drop-down menu, select Visible to domain.
- From the No. of values drop-down menu, select Single Value.
-
Enable NDR module access:
- In the Name field, type ndrlevel.
- From the Info Type drop-down menu, select Text.
- From the Visibility drop-down menu, select Visible to domain.
- From the No. of values drop-down menu, select Single Value.
-
Enable NPM module access:
- In the Name field, type npmlevel.
- From the Info Type drop-down menu, select Text.
- From the Visibility drop-down menu, select Visible to domain.
- From the No. of values drop-down menu, select Single Value.
- (Optional):
If you have connected packetstores, enable packet access by configuring a
custom field:
- In the Name field, type packetslevel.
- From the Info Type drop-down menu, select Text.
- From the Visibility drop-down menu, select Visible to domain.
- From the No. of values drop-down menu, select Single Value.
- Click Add.
Add identity provider information from Google to the ExtraHop system
-
In the Google Admin console, click the Main menu icon
and select .
-
Click the Enable SSO for a SAML application icon
.
Add ExtraHop service provider information to Google
-
Return to the Google Admin console and click Next on the
Google Idp Information page to continue to step 3 of
5.
Configure remote authentication through RADIUS
The ExtraHop system supports Remote Authentication Dial In User Service (RADIUS) for remote authentication and local authorization only. For remote authentication, the ExtraHop system supports unencrypted RADIUS and plaintext formats.
Configure remote authentication through TACACS+
The ExtraHop system supports Terminal Access Controller Access-Control System Plus (TACACS+) for remote authentication and authorization.
| Important: | For recordstores and packetstores, enabling remote access grants administrative privileges to all users in the TACACS+ authentication system, regardless of the privileges that the authentication system specifies for each user. |
Configure the TACACS+ server
In addition to configuring remote authentication on your ExtraHop system, you must configure your TACACS+ server with two attributes, one for the ExtraHop service and one for the permission level. If you have an ExtraHop packetstore, you can optionally add a third attribute for packet capture and session key logging.
-
For the second value, add 1.
For example, the following figure shows the extrahop attribute and a privilege level of readwrite.
Here is a table of available permission attributes, values, and descriptions:Attribute Value Description setup 1 Create and modify all objects and settings on the ExtraHop system and manage user access readwrite 1 Create and modify all objects and settings on the ExtraHop system, not including Administration settings limited 1 Create, modify, and share dashboards readonly 1 View objects in the ExtraHop system personal 1 Create personal dashboards for themselves and modify any dashboards that have been shared with them limited_metrics 1 View shared dashboards ndrfull 1 View, acknowledge, and hide security detections npmfull 1 View, acknowledge, and hide performance detections packetsfull 1 View and download packets stored on a connected packetstore. packetslicesonly 1 View and download packet slices on a connected packetstore. packetheadersonly 1 Search and download only packet headers on a connected packetstore. packetsfullwithkeys 1 View and download packets and associated session keys stored on a connected packetstore.
API Access
The API Access page enables you to generate, view, and manage access for the API keys that are required to perform operations through the ExtraHop REST API.
Manage API key access
Users with system and access administration privileges can configure whether users can generate API keys for the ExtraHop system. You can allow only local users to generate keys, or you can also disable API key generation entirely.
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- In the Access Settings section, click API Access.
-
In the Manage API Access section, select one of the
following options:
- Allow all users to generate an API key: Local and remote users can generate API keys.
- Only local users can generate an API key: Remote users cannot generate API keys.
- No users can generate an API key: No API keys can be generated by any user.
- Click Save Settings.
Configure cross-origin resource sharing (CORS)
Cross-origin resource sharing (CORS) allows you to access the ExtraHop REST API across domain-boundaries and from specified web pages without requiring the request to travel through a proxy server.
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- In the Access Settings section, click API Access.
-
In the CORS Settings section, specify one of the following
access configurations.
- To add a specific URL, type an origin URL in the text box, and then
click the plus (+) icon or press ENTER.
The URL must include a scheme, such as HTTP or HTTPS, and the exact domain name. You cannot append a path; however, you can provide a port number.
- To allow access from any URL, select the Allow API requests
from any Origin checkbox.
Note: Allowing REST API access from any origin is less secure than providing a list of explicit origins.
- To add a specific URL, type an origin URL in the text box, and then
click the plus (+) icon or press ENTER.
- Click Save Settings and then click Done.
Generate an API key
You must generate an API key before you can perform operations through the ExtraHop REST API. Keys can be viewed only by the user who generated the key or by users with system and access administration privileges. After you generate an API key, add the key to your request headers or the ExtraHop REST API Explorer.
Before you begin
Make sure the ExtraHop system is configured to allow API key generation.- In the Access Settings section, click API Access.
- In the Generate an API Key section, type a description for the new key, and then click Generate.
- Scroll down to the API Keys section and copy the API key that matches your description.
Privilege levels
User privilege levels determine which ExtraHop system and administration tasks the user can perform through the ExtraHop REST API.
You can view the privilege levels for users through the granted_roles and effective_roles properties. The granted_roles property shows you which privilege levels are explicitly granted to the user. The effective_roles property shows you all privilege levels for a user, including those received outside of the granted role, such as through a user group.
The granted_roles and effective_roles properties are returned by the following operations:
- GET /users
- GET /users/{username}
The granted_roles and effective_roles properties support the following privilege levels. Note that the type of tasks for each ExtraHop system vary by the available resources listed in the REST API Explorer and depend on the modules enabled on the system and user module access privileges.
| Privilege level | Actions allowed |
|---|---|
| "system": "full" |
|
| "write": "full" |
|
| "write": "limited" |
|
| "write": "personal" |
|
| "metrics": "full" |
|
| "metrics": "restricted" |
|
| "ndr": "full" |
This is a module access privilege that can be granted to a user in addition to one of the following system access privilege levels:
|
| "ndr": "none" |
This is a module access privilege that can be granted to a user in addition to one of the following system access privilege levels:
|
| "npm": "full" |
This is a module access privilege that can be granted to a user in addition to one of the following system access privilege levels:
|
| "npm": "none" |
This is a module access privilege that can be granted to a user in addition to one of the following system access privilege levels:
|
| "packets": "full" |
This is an add-on privilege that can be granted to a user with one of the following privilege levels:
|
| "packets": "full_with_keys" |
This is an add-on privilege that can be granted to a user with one of the following privilege levels:
|
| "packets": "slices_only" |
This is an add-on privilege that can be granted to a user with one of the following privilege levels:
|
System Configuration
In the System Configuration section, you can modify the following settings.
- Device Naming
- Configure the order of precedence when multiple names are found for a device.
- Inactive Sources
- Remove devices and applications that have been inactive between 1 and 90 days from search results.
- Detection Tracking
- Select whether to track detection investigations with the ExtraHop system or from an external ticketing system.
- Endpoint Lookup
- Configure links to an external IP address lookup tool for endpoints in the ExtraHop system.
- Geomap Data Source
- Modify the information in mapped geolocations.
- Backup and Restore
- Create, view, or restore system backups.
Device name precedence
Discovered devices are automatically named based on multiple sources of network data such as protocols, MAC or IP addresses, or device roles. When multiple names are found for a device, the order of device name precedence specifies which name is displayed by default in the ExtraHop system.
The ExtraHop system defaults to the following order of precedence:
- Custom Name
- Cloud Instance Name
- CDP Name
- DHCP Name
- DNS Name
- NetBIOS Name
- Default Name
Before you begin
- Device name precedence settings only apply to the console or sensor on which the settings are configured.
- Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
-
Click the System Settings icon and then click All
Administration.
- In the System Configuration section, click Device Name Precedence.
- Click and drag device names to create a new order of precedence.
- Click Save.
- (Optional): Click Revert to Default to undo your changes.
Configure inactive sources
Devices that have not sent or received data over the last 30 minutes are considered inactive and stop generating metrics. However, inactive devices can still appear in feature areas such as search results, activity maps, dashboards, and detections.
The following settings enable you to immediately remove inactive sources from search results and to specify when the system can automatically delete inactive devices from the ExtraHop system.
Here are some considerations about configuring inactive source settings:
- You must have System and Access Administration user privileges.
- Settings to delete inactive devices must be configured on a sensor. Devices deleted from the sensor are also deleted from the connected console.
- The ExtraHop system checks for inactive devices daily and deletes up to 5,000 devices at each check; devices that are inactive for the longest period are deleted first.
- Deleting devices affects your device capacity count.
- Deleted devices associated with features such as activity maps, dashboards, and detections are displayed as an unknown device.
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- In the System Configuration section, click Inactive Sources
-
From the Search Results section, remove inactive sources from search results by
completing the following steps:
- Specify the number of days, from 1 to 90, that devices have been inactive.
- Click Remove Now.
-
From the ExtraHop System section, configure when to delete inactive devices
from the ExtraHop system:
- To delete devices that have been inactive for a specified number of days, select the associated checkbox and then specify a value between 10 and 1,000.
- To delete inactive devices after a specified number of devices are discovered, select the associated checkbox, and then specify a value between 50,000 and 10,000,000.
- Click Save.
Enable detection tracking
Detection tracking enables you to assign a detection to a user, set the status, and add notes. You can track detections directly in the ExtraHop system, with a third-party external ticketing system, or with both methods.
| Note: | You must enable ticket tracking on all connected sensors. |
Before you begin
- You must have access to an ExtraHop system with a user account that has Administration privileges.
- After you enable external ticket tracking, you must configure third-party ticket tracking by writing a trigger to create and update tickets on your ticketing system, then enable ticket updates on your ExtraHop system through the REST API.
- If you disable external ticket tracking, previously stored status and assignee ticket information is converted to ExtraHop detection tracking. If detection tracking from within the ExtraHop system is enabled, you will be able to view tickets that already existed when you disabled external ticket tracking, but changes to that external ticket will not appear in the ExtraHop system.
- (Optional):
After you select the option to enable external integrations, specify the URL
template for your ticketing system and add the $ticket_id
variable at the appropriate location. For example, type a complete URL
such as https://jira.example.com/browse/$ticket_id. The
$ticket_id variable is replaced with the ticket ID
associated with the detection.
After the URL template is configured, you can click the ticket ID in a detection to open the ticket in a new browser tab.
Next steps
If you enabled external ticket tracking integrations, you must continue on to the following task:Configure third-party ticket tracking for detections
Ticket tracking enables you to connect tickets, alarms, or cases in your work-tracking system to ExtraHop detections. Any third-party ticketing system that can accept Open Data Stream (ODS) requests, such as Jira or Salesforce, can be linked to ExtraHop detections.
Before you begin
- You must have selected the third-party detection tracking option in Administration settings.
- You must have access to an ExtraHop system with a user account that has System and Access Administration privileges.
- You must be familiar with writing ExtraHop Triggers. See Triggers and the procedures in Build a trigger.
- You must create an ODS target for your ticket tracking server. See the following topics about configuring ODS targets: HTTP, Kafka, MongoDB, syslog, or raw data.
- You must be familiar with writing REST API scripts and have a valid API key to complete the procedures below. See Generate an API key.
Write a trigger to create and update tickets about detections on your ticketing system
This example shows you how to create a trigger that performs the following actions:
- Create a new ticket in the ticketing system every time a new detection appears on the ExtraHop system.
- Assign new tickets to a user named escalations_team in the ticketing system.
- Run every time a detection is updated on the ExtraHop system.
- Send detection updates over an HTTP Open Data Stream (ODS) to the ticketing system.
The complete example script is available at the end of this topic.
-
Click the System Settings icon and then click
Triggers.
const summary = "ExtraHop Detection: " + Detection.id + ": " + Detection.title;
const description = "ExtraHop has detected the following event on your network: " + Detection.description
const payload = {
"fields": {
"summary": summary,
"assignee": {
"name": "escalations_team"
},
"reporter": {
"name": "ExtraHop"
},
"priority": {
"id": Detection.riskScore
},
"labels": Detection.categories,
"mitreCategories": Detection.mitreCategories,
"description": description
}
};
const req = {
'path': '/rest/api/issue',
'headers': {
'Content-Type': 'application/json'
},
'payload': JSON.stringify(payload)
};
Remote.HTTP('ticket-server').post(req);Send ticket information to detections through the REST API
After you have configured a trigger to create tickets for detections in your ticket tracking system, you can update ticket information on your ExtraHop system through the REST API.
Ticket information appears in detections on the Detections page in the ExtraHop system. For more information, see the Detections topic.
The following example Python script takes ticket information from a Python array and updates the associated detections on the ExtraHop system.
#!/usr/bin/python3
import json
import requests
import csv
API_KEY = '123456789abcdefghijklmnop'
HOST = 'https://extrahop.example.com/'
# Method that updates detections on an ExtraHop system
def updateDetection(detection):
url = HOST + 'api/v1/detections/' + detection['detection_id']
del detection['detection_id']
data = json.dumps(detection)
headers = {'Content-Type': 'application/json',
'Accept': 'application/json',
'Authorization': 'ExtraHop apikey=%s' % API_KEY}
r = requests.patch(url, data=data, headers=headers)
print(r.status_code)
print(r.text)
# Array of detection information
detections = [
{
"detection_id": "1",
"ticket_id": "TK-16982",
"status": "new",
"assignee": "sally",
"resolution": None,
},
{
"detection_id": "2",
"ticket_id": "TK-2078",
"status": None,
"assignee": "jim",
"resolution": None,
},
{
"detection_id": "3",
"ticket_id": "TK-3452",
"status": None,
"assignee": "alex",
"resolution": None,
}
]
for detection in detections:
updateDetection(detection)
| Note: | If the script returns an error message that the TLS
certificate verification failed, make sure that a trusted certificate has
been added to your sensor or console. Alternatively, you can add the
verify=False option to bypass certificate verification. However, this
method is not secure and is not recommended. The following code sends an HTTP GET
request without certificate
verification:requests.get(url, headers=headers, verify=False) |
- Status
- The status of the ticket associated with the detection. Ticket tracking
supports the following statuses:
- New
- In Progress
- Closed
- Closed with Action Taken
- Closed with No Action Taken
- Ticket ID
- The ID of the ticket in your work-tracking system that is associated with the detection. If you have configured a template URL, you can click the ticket ID to open the ticket in your work-tracking system.
- Assignee
- The username assigned to the ticket associated with the detection. Usernames in gray indicate a non-ExtraHop account.
Configure lookup links
You can configure a list of external tools that are available for retrieving information about IP addresses and SHA-256 file hashes within the ExtraHop system. Lookup tool links are usually displayed when you click or hover over an IP address or file hash from Devices, Files, Records, or Detections pages. Click the link to launch the lookup tool, which will search for the associated IP address or file hash.
Here are some considerations about configuring lookup links:
- You must have System and Access Administration or System Administration (RevealX 360 only) user privileges.
- You can configure up to 15 lookup links of each type.
- The following lookup links are configured by default and can be modified or
deleted:
- ARIN Whois Lookup (IP addresses only)
- VirusTotal Lookup
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
-
Configure an IP address lookup link by clicking the IP
Address tab and completing the following steps:
- Show this link on all endpoints
- Show this link on external endpoints
- Show this link on internal endpoints
- Do not show this link
- Click Save.
-
Configure a file hash lookup link, by clicking the File
Hash tab and completing the following steps:
- Show this link on all files
- Do not show this link
- Click Save.
Geomap Data Source
Geographic locations mapped in the product and triggers reference a GeoIP database to identify the approximate location of an IP address.
Change the GeoIP database
You can upload your own GeoIP database to the ExtraHop system to ensure that you have the latest version of the database or if your database contains internal IP addresses that only you or your company know the location of.
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- In the System Configuration section, click Geomap Data Source.
- Click GeoIP Database.
- In the City-level Database section, select Upload New Database.
- Click Choose File and navigate to the new city-level database file on your computer.
- Click Save.
Override an IP location
You can override missing or incorrect IP addresses that are in the GeoIP database. You can enter a comma-delimited list or tabbed list of overrides into the text box.
- IP address (a single IP address or CIDR notation)
- Latitude
- Longitude
- City
- State or region
- Country name
- ISO alpha-2 country code
You can edit and delete items as necessary, but you must ensure that there is data present for each of the seven columns. For more information about ISO country codes, refer to https://www.iso.org/obp/ui/#search and click Country Codes.
Back up and restore a sensor or console
After you have configured your ExtraHop console and sensor with customizations such as bundles, triggers, and dashboards or administrative changes such as adding new users, ExtraHop recommends that you periodically back up your settings to make it easier to recover from a system failure.
Contents of the daily backup file
The daily backup file contains essential information required to restore an EDA back to the last functioning configuration.
Included in the backup
- Customization JSON
- Configuration files
- Configuration JSON
- Pending license update
- Encrypted passwords for shell and system users
- Appliance certificates
- Client certificates used for tunneling
- Encrypted secret keys
- Time zone
- Variable files
- User geographic data
- Trusted certificates uploaded by the user
- Capture state
- Hopcloud certificates
- Configuration files for node tunnels
- Persistent ssh data
Excluded from the backup
- Configuration files
- Datastores (metrics and datastore credentials)
- Capture SSL decryption keys
- Cached certificates
- AWS ID files (AMI, instance, serial number)
- Hard disk ssh configuration and keys
- Variable files
- User name security identifier
- Packet capture reinitialization
- Packet capture wakeup
- Setup security identifier
- IP address host table
- Customizations
- Organizationally unique identifier (OUI) database and MD5 files
- Portal files
- Support login ssh files
- Variable library files
- DHCP lease
- Crash files
- Lock files
- Log files
- Packet capture files
- Diagnostic package results
- Bridge files disk images
- Database files
Back up a sensor or console
Create a system backup and store the backup file to a secure location.
| Important: | System backups contain sensitive information, including TLS keys. When you create a system backup, make sure you store the backup file to a secure location. |
- User customizations such as bundles, triggers, and dashboards.
- Configurations made from Administration settings, such as locally-created users and remote imported user groups, running configuration file settings, TLS certificates, and connections to ExtraHop recordstores and packetstores.
- License information for the system. If you are restoring settings to a new target, you must manually license the new target.
- Precision packet captures. You can download saved packet captures manually by following the steps in View and download packet captures.
- When restoring a virtual console that has a tunneled connection from a sensor, the tunnel must be reestablished after the restore is complete and any customizations on the console for that sensor must be manually recreated.
- User-uploaded TLS keys for traffic decryption.
- Secure keystore data, which contains passwords. If you are restoring a
backup file to the same target that created the backup, and the keystore is intact, you
do not need to re-enter credentials. However, if you are restoring a backup file to a
new target or migrating to a new target, you must re-enter the following credentials:
- Any SNMP community strings provided for SNMP polling of flow networks.
- Any bind password provided to connect with LDAP for remote authentication purposes.
- Any password provided to connect to an SMTP server where SMTP authentication is required.
- Any password provided to connect to an external datastore.
- Any password provided to access external resources through the configured global proxy.
- Any password provided to access ExtraHop Cloud Services through the configured ExtraHop cloud proxy.
- Any authentication credentials or keys provided to configure Open Data Stream targets.
Restore a sensor or console from a system backup
You can restore the ExtraHop system from the user-saved or automatic backups stored on the system or another location. You can perform two types of restore operations: only customizations (changes to alerts, dashboards, triggers, custom metrics, for example) or both customizations and system resources.
Before you begin
The target must be running the same firmware version, matching the first and second digits of the firmware that generated the backup file. If the versions are not the same, the restore operation will fail.Restore a sensor or console from a backup file
Transfer settings to a new sensor or console
This procedure describes the steps required to restore a backup file to a new console or sensor. Only system settings from your existing console or sensor are transferred. Metrics on the local datastore are not transferred.
Before you begin
- Create a system backup and save the backup file to a secure location.
- Power off the source sensor or console to remove
it from the network before transferring settings. The target and source cannot
be active on the network at the same time.
Important: Do not disconnect any sensors that are already connected to a console. -
Deploy and register the target sensor or
console.
- Ensure that the target is the same type of sensor or console (physical or virtual) as the source.
- Ensure that the target is the same size or larger (maximum throughput on the sensor; CPU, RAM, and disk capacity on the console) as the source.
- Ensure that the target has a firmware version that matches the firmware version that generated the backup file. If the first two digits of the firmware versions are not the same, the restore operation will fail.
- After transferring settings to a target console, you must manually reconnect all sensors.
- When transferring settings to a target console that is configured for a tunneled connection to the sensors, we recommend that you configure the target console with the same hostname and IP address as the source console.
Reconnect sensors to the console
Before you begin
| Important: | If your console and sensors are configured for a tunneled connection, we recommend that you configure the source and target consoles with the same IP address and hostname. If you cannot set the same IP address and hostname, skip this procedure and create a new tunneled connection to the new IP address or hostname of the console. |
Appliance Settings
You can configure the following components of the ExtraHop appliance in the Appliance Settings section.
All appliances have the following components:
- Running Config
- Download and modify the running configuration file.
- Services
- Enable or disable the Web Shell, management GUI, SNMP service, SSH access, and TLS session key receiver. The SSL Session Key Receiver option appears only on packet sensors.
- Firmware
- Upgrade the ExtraHop system firmware.
- System Time
- Configure the system time.
- Shutdown or Restart
- Halt and restart system services.
- License
- Update the license to enable add-on modules.
- Disks
- Provides information about the disks in the appliance.
- Login Screen Message
- Configure a custom message that displays before users log in to the ExtraHop system
The following components only appear on the specified appliances:
- Console Nickname
- Assign a nickname to an ExtraHop console. This setting is available only on the console.
- Reset Packetstore
- Delete all packets stored on ExtraHop packetstores. The Reset Packetstore page appears only on packetstores.
Running Config
The running configuration file specifies the default system configuration. When you modify system settings, you must save the running configuration file to preserve those modifications after a system restart.
| Note: | Making configuration changes to the code from the Edit page is not recommended. You can make most system modifications through other pages in the Administration settings. |
Save system settings to the running configuration file
When you modify any of the system configuration settings on an ExtraHop system, you must confirm the updates by saving the running configuration file. If you do not save the settings, the changes are lost when your ExtraHop system restarts.
-
Click View and Save Changes.
Edit the running configuration file
The ExtraHop Administration settings provide an interface to view and modify the code that specifies the default system configuration. In addition to making changes to the running configuration file through the Administration settings, you can also make changes on the Running Config page.
| Important: | Making configuration changes to the code from the Edit page is not recommended. You can make most system modifications through other Administration settings. |
Download the running configuration as a text file
You can download the running configuration file to your workstation. You can open this text file and make changes to it locally, before copying those changes into the Running Config window.
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- In the Appliance Settings section, click Running Config.
- Click Download config as a file.
Disable ICMPv6 Destination Unreachable messages
You can prevent the ExtraHop system from generating ICMPv6 Destination Unreachable messages. You might want to disable ICMPv6 Destination Unreachable messages for security reasons per RFC 4443.
To disable ICMPv6 Destination Unreachable messages, you must edit the Running Configuration. However, we recommend that you do not manually edit the Running Configuration file without direction from ExtraHop Support. Manually editing the running configuration file incorrectly might cause the system to become unavailable or stop collecting data. You can contact ExtraHop Support.
Disable specific ICMPv6 Echo Reply messages
You can prevent the ExtraHop system from generating Echo Reply messages in response to ICMPv6 Echo Request messages that are sent to an IPv6 multicast or anycast address. You might want to disable these messages to reduce unnecessary network traffic.
To disable specific ICMPv6 Echo Reply messages, you must edit the running configuration file. However, we recommend that you do not manually edit the running configuration file without direction from ExtraHop Support. Manually editing this file incorrectly might cause the system to become unavailable or stop collecting data. You can contact ExtraHop Support.
Services
These services run in the background and perform functions that do not require user input. These services can be started and stopped through the Administration settings.
- Enable or disable the Management GUI
- The Management GUI provides browser-based access to the ExtraHop system. By default, this
service is enabled so that ExtraHop users can access the ExtraHop system through a web
browser. If this service is disabled, the Apache Web Server session is terminated and all
browser-based access is disabled.
Warning: Do not disable this service unless you are an experienced ExtraHop administrator and you are familiar with the ExtraHop CLI. - Enable or disable the SNMP Service
- Enable the SNMP service on the ExtraHop system when you want your network device monitoring
software to collect information about the ExtraHop system. This service is disabled by
default.
- Enable the SNMP service from the Services page by selecting the Disabled checkbox and then clicking Save. After the page refreshes, the Enabled checkbox appears.
- Configure the SNMP service and download the ExtraHop MIB file
- Enable or disable SSH Access
- SSH access is enabled by default to enable users to securely log in to the ExtraHop
command-line interface (CLI).
Note: The SSH Service and the Management GUI Service cannot be disabled at the same time. At least one of these services must be enabled to provide access to the system. - Enable or disable the TLS Session Key Receiver (Sensor only)
- You must enable the session key receiver service through the Administration settings before
the ExtraHop system can receive and decrypt session keys from the session key forwarder. By
default, this service is disabled.
Note: If you do not see this checkbox and have purchased the TLS Decryption license, contact ExtraHop Support to update your license.
SNMP Service
Configure the SNMP service on your ExtraHop system so that you can configure your network device monitoring software to collect information about your ExtraHop system through the Simple Network Management Protocol (SNMP).
For example, you can configure your monitoring software to determine how much free space is available on an ExtraHop system and send an alert if the system is over 95% full. Import the ExtraHop SNMP MIB file into your monitoring software to monitor all ExtraHop-specific SNMP objects. You can configure settings for SNMPv1/SNMPv2 and SNMPv3.
Configure the SNMPv1 and SNMPv2 service
The following configuration enables you to monitor the system with an SNMP manager that supports SNMPv1 and SNMPv2.
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- In the Appliance Settings section, click Services.
- For SNMP Service, click Configure.
- Select the Enabled check box to enable the SNMP service.
- Select the SNMPv1 and SNMPv2 Enabled checkbox to enable the SNMPv1 and SNMPv2 service.
- In the SNMP Community field, type a friendly name for the SNMP community.
- In the SNMP System Contact field, type a valid name or email address for the SNMP system contact.
- In the SNMP System Location field, type a location for the SNMP system.
- Click Save Settings.
Next steps
Download the ExtraHop SNMP MIB file from the SNMP Service Configuration page.Configure the SNMPv3 service
The following configuration enables you to monitor the system with an SNMP manager that supports SNMPv3. The SNMPv3 security model provides additional support for authentication and privacy protocols.
Next steps
Download the ExtraHop SNMP MIB file from the SNMP Service Configuration page.Firmware
The Administration settings provide an interface to upload and delete the firmware on ExtraHop appliances. The firmware file must be accessible from the computer where you will perform the upgrade.
Before you begin
Be sure to read the release notes for the firmware version that you want to install. Release notes contain upgrade guidance as well as known issues that might affect critical workflows in your organization.Upgrade the firmware on your ExtraHop system
The following procedure shows you how to upgrade your ExtraHop system to the latest firmware release. While the firmware upgrade process is similar across all ExtraHop appliances, some appliances have additional considerations or steps that you must address before you install the firmware in your environment. If you need assistance with your upgrade, contact ExtraHop Support.
| Video: | See the related training: Update Firmware |
| Important: | When settings migration fails during firmware upgrade, the previously installed firmware version and ExtraHop system settings are restored. |
Pre-upgrade checklist
Here are some important considerations and requirements about upgrading ExtraHop appliances.
- A system notice appears on consoles and sensors connected to ExtraHop Cloud Services when a new firmware version is available.
- Verify that your RevealX 360 system has been upgraded to version 25.2 before upgrading your sensors.
- If you are upgrading from firmware version 8.7 or earlier, contact ExtraHop Support for additional upgrade guidance.
- If you are upgrading a virtual ExtraHop sensor deployed on a VMware ESXi/ESX, Microsoft Hyper-V, or Linux KVM platform from firmware version 9.6 or earlier, the VM must support Streaming SIMD Extensions 4.2 (SSE4.2) and POPCNT instruction; otherwise, the upgrade will fail.
- If you have multiple types of ExtraHop appliances, you must upgrade them in the
following order:
- Console
- Sensors (EDA and Ultra)
- Recordstores
- Packetstores
| Note: | Your browser might time out after 5 minutes of inactivity. Refresh the browser page if
the update appears incomplete. If the browser session times out before the ExtraHop system is able to complete the update process, you can try the following connectivity tests to confirm the status up the upgrade process:
|
Console upgrades
- For large console deployments (managing 50,000 devices or more), reserve a minimum of one hour to perform the upgrade.
- The console firmware version must be greater than or equal to the firmware version of all connected appliances. To ensure feature compatibility, all connected appliances should be running firmware version 8.7 or later.
Recordstore upgrades
- Do not upgrade recordstores to a firmware version that is newer than the version installed on connected consoles and sensors.
- After upgrading the console and sensors, disable record ingest on the recordstore before upgrading the recordstore.
- You must upgrade all recordstore nodes in a recordstore cluster. The cluster will not
function correctly if nodes are on dissimilar firmware versions.
Important: The messages Could not determine ingest status on some nodes and Error appear on the Cluster Data Management page in the Administration settings of the upgraded nodes until all nodes in the cluster are upgraded. These errors are expected and can be ignored. - You must enable record ingest and shard reallocation from the Cluster Data Management page after all nodes in the recordstore cluster are upgraded.
Upgrade the firmware on a console and sensor
Upgrade the firmware on recordstores
Next steps
After all nodes in the recordstore cluster are upgraded, re-enable record ingest and shard reallocation on the cluster. You only need to perform these steps on one recordstore node.- In the Recordstore Cluster Settings section, click Cluster Data Management.
- Click Enable Record Ingest.
- Click Enable Shard Reallocation.
Upgrade connected sensors in RevealX 360
Administrators can upgrade sensors that are connected to RevealX 360.
Before you begin
- Your user account must have privileges on RevealX 360 for System and Access Administration or System Administration.
- Sensors must be connected to ExtraHop Cloud Services
- Notifications appear when a new firmware version is available
- You can upgrade multiple sensors at the same time
-
From the Overview page, click System Settings
and then click
Sensors.
Sensors that are eligible for upgrade display an up arrow in the Sensor Version field.
System Time
The System Time page displays the current time settings configured for your ExtraHop system. View the current system time settings, the default display time for users, and details for configured NTP servers.
System time is the time and date tracked by services running on the ExtraHop system to ensure accurate time calculations. By default, the system time on the sensor or console is configured locally. For better accuracy, we recommend that you configure the system time through an NTP time server.
When capturing data, the system time must match the time on connected sensors to ensure that time stamps are correct and complete in scheduled reports, exported dashboards and chart metrics. If time sync issues occur, check that the configured system time, external time servers, or NTP servers are accurate. Reset the system time or sync NTP servers if needed
The table below contains details about the current system time configuration. Click Configure Time to configure system time settings.
| Detail | Description |
|---|---|
| Time Zone | Displays the currently selected time zone. |
| System Time | Displays the current system time. |
| Time Servers | Displays a comma-separated list of configured time servers. |
Default display time for users
The Default Display Time for Users section shows the time displayed to all users in the ExtraHop system unless a user manually changes their displayed time zone.
To modify the default display time, select one of the following options and then click Save Changes:
- Browser time
- System time
- UTC
NTP Status
The NTP Status table displays the current configuration and status of all NTP servers that keep the system clock in sync. The table below contains details about each configured NTP server. Click Sync Now to sync the current system time to a remote server.
| remote | The host name or IP address of the remote NTP server you have configured to synchronize with. |
| st | The stratum level, 0 through 16. |
| t | The type of connection. This value can be u for unicast or manycast, b for broadcast or multicast, l for local reference clock, s for symmetric peer, A for a manycast server, B for a broadcast server, or M for a multicast server. |
| when | The last time when the server was queried for the time. The default value is seconds, or m is displayed for minutes, h for hours, and d for days. |
| poll | How often the server is queried for the time, with a minimum of 16 seconds to a maximum of 36 hours. |
| reach | Value that shows the success and failure rate of communicating with the remote server. Success means the bit is set, failure means the bit is not set. 377 is the highest value. |
| delay | The round trip time (RTT) of the ExtraHop appliance communicating with the remote server, in milliseconds. |
| offset | Indicates how far off the ExtraHop appliance clock is from the time reported by the server. The value can be positive or negative, displayed in milliseconds. |
| jitter | Indicates the difference, in milliseconds, between two samples. |
Configure the system time
By default, the ExtraHop system synchronizes the system time through the *.extrahop.pool.ntp.org network time protocol (NTP) servers. If your network environment prevents the ExtraHop system from communicating with these time servers, you must configure an alternate time server source.
Before you begin
| Important: | Always configure more than one NTP server to increase the accuracy and reliability of time kept on the system. |
The NTP Status table displays a list of NTP servers that keep the system clock in sync. To sync the current system time a remote server, click the Sync Now button.
Shutdown or Restart
The Administration settings provides an interface to halt, shutdown, and restart the ExtraHop system and its system components. For each ExtraHop system component, the table includes a time stamp to show the start time.
- Restart or shutdown System to pause or shut down and restart the ExtraHop system.
- Restart Bridge Status (Sensor only) to restart the ExtraHop bridge component.
- Restart Capture (Sensor only) to restart the ExtraHop capture component.
- Restart Portal Status to restart the ExtraHop web portal.
- Restart Scheduled Reports (Console only) to restart the ExtraHop scheduled reports component.
Sensor Migration
You can migrate your stored metrics, customizations and system resources on your existing physical ExtraHop sensor to a new sensor.
Migrate an ExtraHop sensor
When you are ready to upgrade your existing sensor, you can easily migrate to new hardware without losing business critical metrics and time-consuming system configurations.
- License information for the system. If you are restoring settings to a new target, you must manually license the new target.
- Precision packet captures. You can download saved packet captures manually by following the steps in View and download packet captures.
- When restoring a virtual console that has a tunneled connection from a sensor, the tunnel must be reestablished after the restore is complete and any customizations on the console for that sensor must be manually recreated.
- User-uploaded TLS keys for traffic decryption.
- Secure keystore data, which contains passwords. If you are restoring a
backup file to the same target that created the backup, and the keystore is intact, you
do not need to re-enter credentials. However, if you are restoring a backup file to a
new target or migrating to a new target, you must re-enter the following credentials:
- Any SNMP community strings provided for SNMP polling of flow networks.
- Any bind password provided to connect with LDAP for remote authentication purposes.
- Any password provided to connect to an SMTP server where SMTP authentication is required.
- Any password provided to connect to an external datastore.
- Any password provided to access external resources through the configured global proxy.
- Any password provided to access ExtraHop Cloud Services through the configured ExtraHop cloud proxy.
- Any authentication credentials or keys provided to configure Open Data Stream targets.
Before you begin
| Important: | If the source sensor has an external datastore and the datastore is configured on a SMB server requiring password authentication, contact ExtraHop Support to assist you with your migration. |
- Source and target sensors must be running the same firmware version.
- Migrate only to the same type of sensors, such as RevealX Enterprise to RevealX Enterprise. If you need to migrate between sensor types (such as RevealX Enterprise to RevealX 360), contact your ExtraHop sales team for assistance.
- Migration is only supported between physical sensors. Virtual sensor migrations are not supported.
- Migration is only supported from an earlier series to a newer series (for example, you can only migrate an EDA 6200 to an EDA 6300, EDA 9300, or similar.) In addition, you can only migrate from a smaller sensor to a larger sensor.
RevealX Compatibility Matrix
Supported migration paths are listed in the following table.
| Source | Target | |||||||
|---|---|---|---|---|---|---|---|---|
| EDA 1200 | EDA 6200 | EDA 8200 | EDA 8320 | EDA 9200 | EDA 9300 | EDA 10200 | EDA 10300 | |
| EDA 1200 | YES | YES | YES | YES | YES | YES | YES | YES |
| EDA 6200 | NO | YES* | YES | YES | YES | YES | YES | YES |
| EDA 8200 | NO | NO | YES* | YES* | YES* | YES | YES | YES |
| EDA 8320 | NO | NO | NO | YES | NO | YES | NO | YES |
| EDA 9200 | NO | NO | NO | NO | YES* | YES | YES | YES |
| EDA 9300 | NO | NO | NO | NO | NO | YES | NO | YES |
| EDA 10200 | NO | NO | NO | NO | NO | NO | YES* | YES |
| EDA 10300 | NO | NO | NO | NO | NO | NO | NO | YES |
*Migration is supported only if the source and target sensor were manufactured in May 2019 or later. Contact ExtraHop Support to verify compatibility.
For information about the former Performance Edition, contact your ExtraHop representative for help.
Prepare the source and target sensors
- Follow the instructions in the deployment guide for your sensor model to deploy the target sensor.
- Register the target sensor.
- Make sure that the target and the source sensor are running the exact same firmware version. You can download current and previous firmware from the ExtraHop Customer Portal.
-
Choose one of the following networking methods to migrate to the target
sensor.
- (Recommended) To complete the migration in the fastest time possible, directly connect the sensors with 10G management interfaces.
-
Create a bond interface (optional) of available 1G
management interfaces. With the appropriate network cables, directly connect
the available port or ports on the source sensor to similar ports on the
target sensor. The figure below shows an example configuration with bonded
1G interfaces.
Important: Make sure that your IP address and subnet configuration on both sensors route management traffic to your management workstation and migration traffic to the direct link. - Migrate the sensor over your existing network. The source and target sensors must be able to communicate with each other over your network. Note that migration might take significantly longer with this configuration.
Create a bond interface (optional)
Follow the instructions below to bond 1G interfaces. Creating a bond interface decreases the amount of time it takes to complete the migration over 1G interfaces.
Start the migration
Migration is recommended for upgrades where you want to retain the data and appliance configuration. Migration can take several hours to complete. During this time, neither the source nor the target sensor can collect data. The migration process cannot be paused or canceled.
Configure the target sensor
If sensor networking is not configured through DHCP, make sure connectivity settings are updated, including any assigned IP addresses, DNS servers, and static routes. Connections to ExtraHop consoles, recordstores, and packetstores on the source sensor are automatically established on the target sensor when network settings are configured.
- Log in to the Administration settings on the target sensor.
- In the Network Settings section, click Connectivity.
- In the Interfaces section, click the management interface (typically interface 1 or interface 3, depending on the sensor model).
- In the IPv4 Address field,type the IP address of the source sensor.
-
Configure any static routes that were configured on the source sensor:
- Click Edit Routes.
- Add any required route information.
- Click Save.
- Click Save.
Next steps
If you had to change any interface settings to perform the migration with bonded interfaces, make sure that the interface modes are configured as you expect them to be.Restore any additional settings that are not automatically restored.
License
The License Administration page enables you to view and manage licenses for your ExtraHop system. You must have an active license to access the ExtraHop system, and your system must be able to connect to the ExtraHop licensing server for periodic updates and check-ins about your license status.
To learn more about ExtraHop licenses, see the License FAQ.
Register your ExtraHop system
This guide provides instructions on how to apply a new product key and activate all of your purchased modules. You must have privileges on the ExtraHop system to access the Administration settings.
Register the appliance
Before you begin
| Note: | If you are registering a sensor or a console, you can optionally enter the product key after you accept the EULA and log in to the ExtraHop system (https://<extrahop_ip_address>/). |
Next steps
Have more questions about ExtraHop licensing works? See the License FAQ.Troubleshoot license server connectivity
For ExtraHop systems licensed and configured to connect to ExtraHop Cloud Services, registration and verification is performed through an HTTPS request to ExtraHop Cloud Services.
If your ExtraHop system is not licensed for ExtraHop Cloud Services or is not yet licensed, the system attempts to register the system through a DNS TXT request for regions.hopcloud.extrahop.com and an HTTPS request to all ExtraHop Cloud Services regions. If this request fails, the system tries to connect to the ExtraHop licensing server through DNS server port 53. The following procedure is useful to verify that the ExtraHop system can communicate with the licensing server through DNS.
nslookup -type=NS d.extrahop.com
Non-authoritative answer: d.extrahop.com nameserver = ns0.use.d.extrahop.com. d.extrahop.com nameserver = ns0.usw.d.extrahop.com.If the name resolution is not successful, make sure that your DNS server is properly configured to lookup the
Apply an updated license
When you purchase a new protocol module, service, or feature, the updated license is automatically available on the ExtraHop system. However you must apply the updated license to the system through the Administration settings for the new changes to take effect.
-
In the Appliance Settings section, click
License.
A message appears about the availability of your new license.
Update a license
If ExtraHop Support provides you with a license file, you can install this file on your appliance to update the license.
| Note: | If you want to update the product key for your appliance, you must register your ExtraHop system. |
Disks
The Disks page displays a map of the drives on the ExtraHop system and lists their statuses. This information can help you determine whether drives need to be installed or replaced. Automatic system health checks and email notifications (if enabled) can provide timely notice about a disk that is in a degraded state. System health checks display disk errors at the top of the Settings page.
Self-encrypting disks (SEDs)
For sensors that include self-encrypting disks (SEDs), the Hardware Disk Encryption status can be set to Disabled or Enabled. This status set to Unsupported for sensors that do not include SEDs.
These sensors support SEDs:
- EDA 9300
- EDA 10300
- IDS 9380
For information about configuring SEDs, see Configure self-encrypting disks (SEDs).
RAID
For help replacing a RAID 0 disk or installing an SSD drive, refer to the instructions below. The RAID 0 instructions apply to the following types of disks:
- Datastore
- Packet Capture
- Firmware
Do not attempt to install or replace the drive in Slot 0 unless instructed by ExtraHop Support.
| Note: | Ensure that your device has a RAID controller before attempting the following procedure. If unsure, contact ExtraHop Support. A persistently damaged disk might not be replaceable with this procedure. |
Replace a RAID 0 disk
-
Verify the new disk information:
- Under Unused Disks on the Disk Details page, verify that the new disk is the same size, speed, and type as the disk being replaced.
Mouse over the old and new disks in the Drive Map. The new disk displays the message "Unconfigured(good), Spun Up."
-
Under the section for the disk type, click Replace with Disk in slot
#n in the Disk Error Action row.
The data begins copying over. The Copy Status row displays the progress. Mousing over the disk in the Drive Map shows the status.
-
Remove the old disk.
The Drive Map now shows the new disk in green.
Install a new packet capture disk
-
In the Administration settings, refresh the browser.
The Drive Map shows the SSD slot in yellow because the drive is not configured.
-
Next to SSD Assisted Packet Capture, click
Enable.
-
Click OK to add the packet capture drive.
The page refreshes and the Drive Map shows the SSD as green and the Status changes to Online, Spun Up.
| Tip: | If the SSD drive is dislodged and reinserted, you can re-enable it. This process requires reformatting the disk, which erases all data. |
Console Nickname
By default, your ExtraHop console is identified by its hostname on connected sensors. However, you can optionally configure a custom name to identify your console.
Choose from the following options to configure the display name:
- Select Display custom nickname and type the name in the field you want to display for this console.
- Select Display hostname to display the hostname configured for this console.
Configure a login screen message
You can add a custom message to the login screen to display graphics and logos and to convey information to users such as password requirements, policy statements, support links, or maintenance announcements.
Here are some considerations about displaying a custom login screen message:
- You must have System and Access Administration user privileges.
- The login screen message only applies to the console or sensor on which the message is configured.
- The login screen message supports text and graphics in Markdown syntax, which is a markup language that converts plain text into HTML.
- Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
-
Click the System Settings icon and then click All
Administration.
- From the Appliance Settings section, click Login Screen Message.
- Click Display a custom login message.
- In the Editor pane, format the message and graphics you want and check the display output in the Preview pane.
- Click Save Changes.
Recordstore
You can send transaction-level records written by the ExtraHop system to a supported recordstore and then query those records from the Records page or REST API on your console and sensors.
Send records from ExtraHop to Google BigQuery
You can configure your ExtraHop system to send transaction-level records to a Google BigQuery server for long-term storage, and then query those records from the ExtraHop system and the ExtraHop REST API. Records on BigQuery recordstores expire after 90 days.
Before you begin
- Any console and all connected sensors must be running the same ExtraHop firmware version.
- You need the BigQuery project ID
- You need the credential file (JSON) from your BigQuery service account. The service account requires the BigQuery Data Editor, BigQuery Data Viewer, and BigQuery User roles.
- For access to the cloud-based recordstore included with RevealX Standard Investigation,
your sensors must be able to access outbound TCP 443 (HTTPS) to
these fully qualified domain names:
- bigquery.googleapis.com
- bigquerystorage.googleapis.com
- oauth2.googleapis.com
- www.googleapis.com
- www.mtls.googleapis.com
- iamcredentials.googleapis.com
You can also review the public guidance from Google about computing possible IP address ranges for googleapis.com.
- If you want to configure the BigQuery recordstore settings with Google Cloud
workload identity federation authentication, you need the configuration file from
your workload identity pool.
Note: The workload identity provider must be set up to provide a fully valid OIDC ID Token in response to a Client Credentials request. For more information about workload identity federation, see https://cloud.google.com/iam/docs/workload-identity-federation.
Enable BigQuery as the recordstore
| Note: | Any triggers configured to send records through commitRecord to an ExtraHop recordstore are automatically redirected to BigQuery. No further configuration is required. |
| Important: | If your ExtraHop system includes a console, configure all appliances with the same recordstore settings or transfer management to manage settings from the console. |
| Important: | Do not modify or delete the table in BigQuery where the records are stored. Deleting the table deletes all stored records. |
Transfer recordstore settings
If you have an ExtraHop console connected to your ExtraHop sensors, you can configure and manage the recordstore settings on the sensor, or transfer the management of the settings to the console. Transferring and managing the recordstore settings on the console enables you to keep the recordstore settings up to date across multiple sensors.
Send records from ExtraHop to Splunk
You can configure the ExtraHop system to send transaction-level records to a Splunk server for long-term storage, and then query those records from the ExtraHop system and the ExtraHop REST API.
- Any triggers configured to send records through commitRecord to a recordstore are automatically redirected to the Splunk server. No further configuration is required.
- If you are migrating to Splunk from a connected ExtraHop recordstore, you will no longer be able to access records stored on the recordstore.
- If you want to view and analyze ExtraHop data such as metrics and detections in a Splunk interface, configure a Splunk or Splunk SOAR integration.
Enable Splunk as the recordstore
| Important: | If your ExtraHop system includes a console or RevealX 360, configure all sensors with the same recordstore settings or transfer management to manage settings from the console or RevealX 360. |
Before you begin
- Any console and all connected sensors must be running the same ExtraHop firmware version.
- You must have version 7.0.3 or later of Splunk Enterprise and a user account that has administrator privileges.
- You must configure the Splunk HTTP Event Collector before your Splunk server can receive ExtraHop records. See the Splunk HTTP Event Collector documentation for instructions.
Transfer recordstore settings
If you have an ExtraHop console connected to your ExtraHop sensors, you can configure and manage the recordstore settings on the sensor, or transfer the management of the settings to the console. Transferring and managing the recordstore settings on the console enables you to keep the recordstore settings up to date across multiple sensors.
ExtraHop Sensor Settings
The ExtraHop Sensor Settings section on the ExtraHop console enables you to connect to a packet sensor and manage connected sensors.
Depending on your network configuration, you can establish a connection from the sensor (tunneled connection) or from the console (direct connection).
- We recommend that you log in to the Administration settings on your console and create a direct connection to the sensor. Direct connections are made from the console over HTTPS on port 443 and do not require special access. For instructions, see Connect to a sensor from a RevealX Enterprise console.
- If your sensor is behind a firewall, you can create an SSH tunnel connection from this sensor to your console. For instructions, see Connect to a RevealX Enterprise console from a sensor.
Connect to a sensor from a RevealX Enterprise console
You can manage multiple ExtraHop sensors from a RevealX Enterprise console. After you connect the sensors, you can view and edit the sensor properties, assign a nickname, upgrade firmware, check the license status, and create a diagnostic support package.
| Video: | See the related training: Connect an Appliance to a RevealX Enterprise Console (ECA) |
Before you begin
You can only establish a connection to a sensor that is licensed for the same system edition as the console. For example, a console on RevealX Enterprise can only connect to sensors on RevealX Enterprise.| Important: | We strongly recommend configuring a unique hostname. If the system IP address changes, the ExtraHop console can re-establish connection easily to the system by hostname. |
Generate a token on the sensor
- Log in to the Administration settings on the sensor.
- In the ExtraHop Command Settings section, click Generate Token.
- Click Generate Token.
- Copy the token and continue to the next procedure.
Manage packet sensors
From the ExtraHop console, you can view connected sensors and manage some administrative tasks.
Select the checkbox for one or more connected sensors. Then, select from the following administrative tasks.
- Click Check License to connect to the ExtraHop licensing server and retrieve the latest status for the selected sensors. If your Command appliance is unable to access data from a connected sensor, the license might be invalid.
- Click Run Support Script and then select from the following
options:
- Click Run Default Support Script to collect information about the selected sensors. You can send this diagnostics file to ExtraHop Support for analysis.
- Click Run Custom Support Script to upload a file from ExtraHop Support that provides small system changes or enhancements.
- Click Upgrade Firmware to upgrade the selected sensor. You can enter a URL to the firmware on the Customer Portal website or upload the firmware file from your computer. With either option, we strongly recommend you read the firmware release notes and the firmware upgrade guide.
- Click Disable or Enable to temporarily alter the connection between sensors and consoles. When this connection is disabled, the Command appliance does not display the sensor and cannot access the sensor data.
- Click Remove Appliance to permanently disconnect selected sensors.
ExtraHop Recordstore Settings
This section contains configuration settings for the ExtraHop recordstore.
| Note: | This section applies only to RevealX Enterprise. You do not need to connect sensors to the cloud-based recordstore included with RevealX 360. |
Connect the EXA 5200 to the ExtraHop system
After you deploy an EXA 5200 recordstore, you must establish a connection from all ExtraHop sensors and the console to the recordstore nodes before you can query for stored records.
| Important: | If your recordstore cluster is configured with manager-only nodes, you only need to connect the sensors and console to the data-only nodes in the recordstore cluster. Do not connect to the manager-only nodes since manager-only nodes do not receive records. |
-
For each additional recordstore node in the cluster, click Add
New and enter the individual hostname or IP address in the corresponding
Node field.
Next steps
If the recordstore settings are managed by sensors and not by a connected console, repeat this procedure on the console.Disconnect the recordstore
To halt the ingest of records to the recordstore, disconnect all recordstore nodes from the ExtraHop console and sensors.
| Note: | If recordstore connections are managed by a console, you can only perform this procedure on the console. |
-
Click the red X next to every node in the recordstore
cluster.
Connect the EXA 5300 to the ExtraHop system
After you deploy an EXA 5300 recordstore, you must establish a connection from all ExtraHop sensors and the console to the recordstore nodes before you can query for stored records.
Before you begin
Ensure your ExtraHop system is running firmware version 9.8 or later.Here are some important considerations about recordstore connections:
- You cannot connect sensors to more than one EXA 5300, but you can connect multiple EXA 5300s to a single console.
- If a sensor or console is connected to an EXA 5200 or EXA 5100v, you must disconnect from the EXA 5200 or EXA 5100v before you can connect to an EXA 5300.
Recordstore partitions
The EXA 5300 organizes data by table partitions. The Recordstore Status page includes a Partition Summary section that lists all partitions, including the data for a specific table for a selected date.
Older records are deleted automatically when the disk is full, but you can also delete partitions manually from the system, if needed. On the Recordstore Status page, select one or more partitions and click Delete Selected. If you delete a partition, any record searches will not return records from that partition for that date. Partition deletion operations are captured in the audit log.
Generate a token on the EXA 5300
The EXA 5300 recordstore connects to an ExtraHop console with token-based authentication.
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- In the Connected Appliance Administration section, under Recordstore Settings, click Generate Token.
- Click Generate Token.
- Copy the token and continue to the next procedure.
Connect the EXA 5300 to a console or sensor
Connect the EXA 5300 recordstore to an ExtraHop console or sensor.
| Important: | EXA 5300 recordstore connections cannot be managed from a console, so you must perform this procedure from both the console and the sensor. |
- Log in to the Administration settings on the console or sensor through https://<extrahop-hostname-or-IP-address>/admin.
- In the Recordstore Settings section, click Connect Recordstores.
- Click Add New.
- In the Node 1 field, type the hostname or IP address of any recordstore in the recordstore cluster.
- Click Save.
- In the Token from ExtraHop Recordstore field, type or paste the token that you generated on the EXA 5300.
- Click Connect.
- When the recordstore settings are saved, click Done.
Configure record ingest on a recordstore
Configure record ingest settings on an ExtraHop recordstore. Record ingest only must be enabled if you have previously disabled these settings.
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
-
Manage the record ingest setting:
- For the EXA 5200, in the Recordstore Settings section, click Cluster Data Management.
- For the EXA 5300, in the Recordstore Settings section, click Data Management.
- In the Record Ingest section, click Enable Record Ingest.
- Click Save.
Manage recordstores
From the ExtraHop console, you can view connected recordstores and manage some administrative tasks.
View information about connected recordstores as individual appliances or as part of a cluster.
- Click Recordstore Cluster in the Name field to open the Cluster Properties. You can add a custom nickname for the recordstore and view the Cluster ID.
- Click any node name to open the node properties. By clicking Open Admin UI, you can access the Administration settings for the specific recordstore.
- View the date and time that the appliance was added to this console.
- View the license status for your appliances.
- View the list of actions that you can perform on this appliance.
- View the Job column to see the status of any running support scripts.
Select the recordstore cluster or a single node in the cluster by clicking an empty area in the table, and then select from the following administrative tasks.
- Click Run Support Script and then select from the following
options:
- Select Run Default Support Script to collect information about the selected recordstore. You can send this diagnostics file to ExtraHop Support for analysis.
- Select Run Custom Support Script to upload a file from ExtraHop Support that provides small system changes or enhancements.
- Click Remove Cluster to permanently disconnect the selected recordstore. This option only prevents you from performing the administrative tasks on this page from the console. The recordstore remains connected to your packet sensor and continues to collect records.
Collect flow records
You can automatically collect and store all flow records, which are network-layer communications between two devices over an IP protocol. If you enable this setting, but do not add any IP addresses or port ranges, all detected flow records are captured. Configuring flow records for automatic collection is fairly straight-forward and can be a good way to test connectivity to your recordstore.
Before you begin
You must have access to an ExtraHop system with System and Access Administration privileges.ExtraHop Recordstore Status
If you have connected an ExtraHop recordstore to your sensor or console, you can access information about the recordstore.
The table on this page provides the following information about any connected recordstores.
- Activity since
- Displays the timestamp when record collection began. This value is automatically reset every 24 hours.
- Record Sent
- Displays the number of records sent to the recordstore from a sensor.
- I/O Errors
- Displays the number of errors generated.
- Queue Full (Records Dropped)
- Displays the number of records dropped when records are created faster than they can be sent to the recordstore.
ExtraHop Packetstore Settings
ExtraHop packetstores continuously collect and store raw packet data from your sensors.
Connect a packetstore to RevealX Enterprise
Before you can query for packets on RevealX Enterprise systems, you must have a deployed packetstore and you must connect the console and all sensors to your packetstore.
| Note: | To connect sensors to the console on a RevealX360 system, see Connect a sensor to RevealX 360 |
Connected to a sensor
Connected to sensor and console
Manage packetstores
From the ExtraHop console, you can view connected packetstores and manage some administrative tasks.
View information about connected packetstores.
- Click Packetstore Cluster in the Name field to open the Cluster Properties. You can add a custom nickname for the packetstore and view the Cluster ID.
- Click any appliance to view the properties. By clicking Open Admin UI, you can access the Administration settings for the specific packetstore.
- View the date and time that the appliance was added to this Command appliance.
- View the license status for your appliances.
- View the list of actions that you can perform on this appliance.
- View the Job column to see the status of any running support scripts.
Select a packetstore. Then, select from the following administrative tasks.
- Click Run Support Script and then select from the following
options:
- Click Run Default Support Script to collect information about the selected packetstore. You can send this diagnostics file to ExtraHop Support for analysis.
- Click Run Custom Support Script to upload a file from ExtraHop Support that provides small system changes or enhancements.
- Click Upgrade Firmware to upgrade the selected packetstore. You can enter a URL to the firmware on the Customer Portal website or upload the firmware file from your computer. With either option, we strongly recommend you read the firmware release notes and the firmware upgrade guide.
- Click Remove Appliance to permanently disconnect the selected packetstore. This option only prevents you from performing the administrative tasks on this page from the console. The packetstore remains connected to your packet sensor and continues to collect packets.
Appendix
Common acronyms
The following common computing and networking protocol acronyms are used in this guide.
| Acronym | Full Name |
|---|---|
| AAA | Authentication, authorization, and accounting |
| AMF | Action Message Format |
| CIFS | Common Internet File System |
| CLI | Command Line Interface |
| CPU | Central Processing Unit |
| DB | Database |
| DHCP | Dynamic Host Configuration Protocol |
| DNS | Domain Name System |
| ERSPAN | Encapsulated Remote Switched Port Analyzer |
| FIX | Financial Information Exchange |
| FTP | File Transfer Protocol |
| HTTP | Hyper Text Transfer Protocol |
| IBMMQ | IBM Message Oriented Middleware |
| ICA | Independent Computing Architecture |
| IP | Internet Protocol |
| iSCSI | Internet Small Computer System Interface |
| L2 | Layer 2 |
| L3 | Layer 3 |
| L7 | Layer 7 |
| LDAP | Lightweight Directory Access Protocol |
| MAC | Media Access Control |
| MIB | Management Information Base |
| NFS | Network File System |
| NVRAM | Non-Volatile Random Access Memory |
| RADIUS | Remote Authentication Dial-In User Service |
| RPC | Remote Procedure Call |
| RPCAP | Remote Packet Capture |
| RSS | Resident Set Size |
| SMPP | Short Message Peer-to-Peer Protocol |
| SMTP | Simple Message Transport Protocol |
| SNMP | Simple Network Management Protocol |
| SPAN | Switched Port Analyzer |
| SSD | Solid-State Drive |
| SSH | Secure Shell |
| SSL | Secure Socket Layer |
| TACACS+ | Terminal Access Controller Access-Control System Plus |
| TCP | Transmission Control Protocol |
| TLS | Transport Layer Security |
| UI | User Interface |
| VLAN | Virtual Local Area Network |
| VM | Virtual Machine |
Configure Cisco NetFlow devices
The following are examples of basic Cisco router configuration for NetFlow. NetFlow is configured on a per-interface basis. When NetFlow is configured on the interface, IP packet flow information will be exported to the ExtraHop sensor.
| Important: | NetFlow takes advantage of the SNMP ifIndex value to represent ingress and egress interface information in flow records. To ensure consistency of interface reporting, enable SNMP ifIndex persistence on devices sending NetFlow to the sensor. For more information on how to enable SNMP ifIndex persistence on your network devices, refer the configuration guide provided by the device manufacturer. |
For more information on configuring NetFlow on Cisco switches, see your Cisco router documentation or the Cisco website at www.cisco.com.
Thank you for your feedback. Can we contact you to ask follow up questions?