To ensure a successful discovery, complete the following configurations for the Grid and Grid members that are acting as the Consolidator and Probes before you start a discovery:

  • Define polling methods and schedule. 

  • Define advanced polling settings for TCP scanning and Ping sweeps. Also, specify routers and logging options. 

  • To collect data from SDN and SD-WAN devices, add and configure them as described in Configuring Discovery for SDN and SD-WAN below.

  • If you use SNMP or CLI collection as the polling methods, define device credentials for data collection. For more information, see Configuring SNMPv1/v2 Credentials, Configuring SNMPv3 Credentials, and Configuring CLI Credentials below.

  • Assign credentials to device groups. 

  • Enable and schedule blackout periods for discovery and port configuration. For more information, see Defining Blackout Periods.

  • Configure automatic network view mapping for unassigned VRFs that have been discovered. For more information, see Configuring Automatic VRF Mapping.

  • Configure settings to monitor the lifecycle and vulnerabilities of discovered devices. For more information, see Configuring Advisor Properties below.

...

  1. For the Grid: From the Grid tab -> Grid Manager tab -> Discovery service, select Edit -> Grid Discovery Properties from the Toolbar.
    For members: From the Grid tab -> Grid Manager tab -> Discovery service, select Edit -> Member Discovery Properties from the Toolbar.
    For networks: From the IPAM tab, select the network checkbox and click the Edit icon.

  2. In the Grid Discovery Properties, Member Discovery Properties, or (IPv4 or IPv6) Network editor, click Polling -> Advanced and define the following settings.

  3. If you want to override the inherited Grid settings for Probe members and networks, click Override and define the following settings.

  4. TCP Scan Technique: Select the TCP scan technique to use for discovery. The default is SYN. For more information, see TCP.

    • SYN: Select this to scan thousands of TCP ports per system quickly without ever completing a connection. The poller sends a SYN packet and continues scanning other ports while it waits for the response. A SYN/ACK response indicates that the port is listening; an RST indicates that it is not. Because no connection is completed, the SYN option has less impact on the network and on the scanned systems.

    • CONNECT: Select this to scan IPv6 networks. Unlike the SYN option, the poller completes a full TCP connection (three-way handshake) on each scanned port of the target system, so the connection is handed to the listening application and may appear in its logs.

  5. Specify the TCP port settings:

    • In the table, select the checkboxes of the TCP ports you want to discover. To select all ports, click the checkbox in the header.

    • To add a new port, click the Add icon.

  6. Specify other advanced polling settings:

    • Purge expired assets data after: Removes records of discovered assets that are no longer reachable after a specified period of time. The default is set to one day.

    • Purge expired device data after: Removes records of discovered network infrastructure devices that are no longer reachable after a specified period of time. The default is set to seven days, a more forgiving value given that devices sometimes require maintenance, upgrades or repairs, or in cases where hosts leave the network on long trips.

    • ARP Aggregate Limit: Sets the maximum number of entries (IP addresses) per MAC address that discovery accepts from a device's ARP table. A MAC address associated with an unusually large number of IP addresses is unlikely to be a single real host and can indicate, for example, a honeypot. MAC addresses with more entries than the specified limit are therefore ignored and filtered out during data extraction and parsing. The default limit is 30 ARP table entries (IP addresses) per MAC address.

    • Route Limit: Limits the size of the routing table that discovery is required to collect from any given device. Some routers can have tables in the hundreds of thousands of entries, and collecting such a large body of data can impose performance problems in the network and in discovery data collection. This setting defaults to 3000, and automatically excludes BGP routes from the collection. Consult Infoblox Technical Support before making changes to this value.

    • Ping Sweep Timeout (ms): Period of time allowed, in milliseconds, before a Ping times out to any given device.

    • Ping Sweep Attempts: The number of attempts on each address in a Ping sweep before the sweep continues.

    • Ping Sweep Frequency: Defaults to 1, because ping sweep should not be executed more than once a day when the feature is enabled at the grid level or for a given discovery range. This setting affects the SmartPingSweep and CompletePingSweep features under GridDiscoveryProperties.

    • ARP Cache Refresh: Defines the time period between ARP refreshes by Network Insight across all switch ports. Before any other switch port polling and discovery operations take place (including any global discovery polling operations initiated by the administrator), another ARP refresh is carried out by the Probe appliance regardless of the time interval. The default is five minutes, because switch forwarding tables are frequently purged from LAN switching devices. The default on Cisco switches is five minutes/300 seconds. Network Insight primarily uses ARP Cache refreshes to improve the accuracy of end-device discovery. Without this feature, some endpoints may not be discovered and cataloged.

    • Ignore Conflict Duration: Used when you resolve a conflict with the Ignore option. This setting defines how long the conflict is ignored. Increments can be defined in Hours or Days.

    • Number of discovered unmanaged IP addresses per notification: The maximum number of unmanaged IP addresses that the appliance discovers before it sends SNMP and email notifications, if enabled. The appliance resets the counter after it hits this number and sends notifications. The default is 20.

    • Interval between notifications for discovered unmanaged IP addresses: This number determines how often the appliance sends SNMP and email notifications, if enabled, when it discovers the maximum number of unmanaged IP addresses (configured for Number of discovered unmanaged IP addresses per notification ). This is the time interval between two notifications for discovered unmanaged objects. Select the time unit from the drop-down menu. The default is five minutes.

    • DNS Lookup Option: Specify whether you want to perform a reverse DNS lookup on discovered IP addresses. Select one of the following from the drop-down list:

      • Network Devices: Select this to resolve network device (switch and router) IP addresses. This option is selected by default.

      • Network Devices and End Hosts: Select this to resolve both network device (switch and router) and end host IP addresses.

      • Off: Select this to turn off reverse DNS lookups for discovered IP addresses.

    • DNS Lookup Throttle: A percentage that throttles the rate of reverse lookups sent to the DNS servers. A lower value reduces the number of requests sent to the DNS servers. You can specify a value between 1 and 100. The default value is 100.

    • Disable discovery for networks not in IPAM: Prevents discovery from running on infrastructure networks that are not defined in Infoblox IPAM, that is, networks that are not present and managed in a network view or network container.

    • Authenticate and poll using SNMPv2c or later only: Select this checkbox to restrict credential discovery and device polling to SNMPv2c and later, preventing the use of SNMPv1. Note that SNMPv2c still sends the community string in cleartext; only SNMPv3 adds per-user authentication and encryption.

    • Use DHCP Routers as Seed Routers: Select this so that Probe members can use the default gateways of associated DHCP ranges and networks as seed routers to discover and catalog all devices (such as endpoint hosts, printers, and other devices) more quickly. All such default gateways are used by discovery automatically, and no further configuration is necessary unless you want to exclude a device.
      Use this option carefully. If a third-party component, such as Microsoft servers, continuously updates the DHCP router options, each update may trigger a discovery service restart when the new configuration is applied.

      You can check the list of configured DHCP seed routers for any discovery Probe member in the Seed tab -> Advanced tab of the Member Discovery Properties editor.

    • Log IP Discovery events in Syslog: Sends a message to the configured Syslog service when an IP address of an active host is discovered.

    • Log network discovery events in Syslog: Sends a message to the configured Syslog service when a network discovery process takes place in the Grid.

  7. Save the configuration.
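The following is an added example and not code from Infoblox or NIOS; it illustrates the CONNECT technique described under step 4 so that the difference from a SYN scan is concrete. It completes the three-way handshake on each probed port of a host and classifies the port as open (handshake completed), closed (RST received) or filtered (no answer). The demo() function is a constructed scenario on the loopback interface: it opens a listener on an OS-chosen port and frees a second port so that one probe succeeds and one is refused. A SYN (half-open) scan would need raw sockets and is not implemented here.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def connect_scan(host, ports, timeout=0.5, workers=32):
    """Full-connect (CONNECT) scan of the given TCP ports on one host.

    Each probe calls connect(), which completes the three-way handshake, so
    the scanned host's kernel hands the connection to the listening
    application and the application can log it. A SYN scan instead sends a
    bare SYN and resets the half-open connection after the SYN/ACK, so the
    application never sees it.
    Returns {port: "open" | "closed" | "filtered"}.
    """
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))          # handshake completed
                return port, "open"
            except ConnectionRefusedError:       # RST came back
                return port, "closed"
            except (socket.timeout, OSError):    # no answer or unreachable
                return port, "filtered"

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(probe, ports))


def demo():
    """Constructed demonstration on loopback: one listening port, one closed port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))              # port 0: the OS picks a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                                 # nothing listens on this port now

    try:
        result = connect_scan("127.0.0.1", [open_port, closed_port])
        # The completed handshake is visible to the "application": the
        # listener can accept() it, which a SYN scan would never produce.
        listener.settimeout(1.0)
        conn, _ = listener.accept()
        conn.close()
        return {"open": result[open_port], "closed": result[closed_port]}
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
```

The accept() call in demo() is the point of the example: every port the CONNECT technique reports as open corresponds to a connection that the target application actually received, which is why the page notes that SYN has less impact on the network and the scanned systems.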
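The following is an added example and not code from Infoblox or NIOS; it shows the kind of filtering the ARP Aggregate Limit setting in step 6 performs. It parses a constructed ARP table in the style of Cisco IOS "show ip arp" output, groups entries by MAC address, and drops every MAC address that has more IP addresses than the limit, returning the dropped MAC addresses so that they can be reported rather than silently lost. The sample data and the small limit used in the demo are constructed for illustration; the page's default is 30.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Cisco IOS "show ip arp" output.
# MAC 00aa.bbcc.dd01 answers for four addresses, the others for one each.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0011.2233.4455  ARPA   Vlan10
Internet  10.1.1.20              12   0011.2233.4456  ARPA   Vlan10
Internet  10.1.1.21               3   0011.2233.4457  ARPA   Vlan10
Internet  10.1.2.10               5   00aa.bbcc.dd01  ARPA   Vlan20
Internet  10.1.2.11               5   00aa.bbcc.dd01  ARPA   Vlan20
Internet  10.1.2.12               5   00aa.bbcc.dd01  ARPA   Vlan20
Internet  10.1.2.13               5   00aa.bbcc.dd01  ARPA   Vlan20
"""

# One data row: protocol, IP, age, dotted-hex MAC, encapsulation type, interface.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\S+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<iface>\S+)"
)


def parse_arp(text):
    """Return a list of {ip, mac, iface} dicts; header and unknown lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append({"ip": m["ip"], "mac": m["mac"].lower(), "iface": m["iface"]})
    return entries


def apply_aggregate_limit(entries, limit=30):
    """Drop every MAC address with more than `limit` IP addresses.

    Returns (kept_entries, dropped) where dropped maps the ignored MAC
    address to the number of IP addresses it had. A MAC answering for a
    large number of addresses is not a single host (a honeypot, for
    example), and cataloging each address as a device would pollute IPAM.
    """
    by_mac = defaultdict(list)
    for entry in entries:
        by_mac[entry["mac"]].append(entry)

    kept, dropped = [], {}
    for mac, group in by_mac.items():
        if len(group) > limit:
            dropped[mac] = len(group)
        else:
            kept.extend(group)
    return kept, dropped


def demo(limit=3):
    """Run the filter over the constructed table with a deliberately small limit."""
    kept, dropped = apply_aggregate_limit(parse_arp(SAMPLE_ARP), limit=limit)
    return {"kept_ips": sorted(e["ip"] for e in kept), "dropped": dropped}


if __name__ == "__main__":
    print(demo())
```

With the page's default of 30 nothing in this small sample is filtered; the demo lowers the limit to 3 only so that the effect is visible. In a real collector the dropped MAC addresses are worth logging, because a legitimate gateway that proxies ARP for a subnet will also hit the limit and you want to know that its addresses were excluded.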

...

For more information on configuring device credentials, see the following sections:

If any SNMP or CLI credentials become obsolete, you can reset them for all affected devices at once. After that, Network Insight re-guesses the credentials for each device. This does not apply to CLI credentials manually set for specific devices. For more information, see the reset snmp and reset cli Administrative Shell commands.

You can assign a credential to a credential group that is specific to a particular device group. For more information about credential groups, see Configuring Credential Groups below.

Configuring SNMPv1/v2 Credentials

An SNMPv1/v2 community string is similar to a password in that the discovered device accepts queries only from management systems that send the correct community string. The community string must exactly match the value configured on the managed device. Note that SNMPv1 and SNMPv2c send the community string in cleartext with every request, so anyone who can capture the traffic can reuse it; treat community strings as shared secrets and prefer SNMPv3 where the device supports it.

...

  1. From the Grid tab, select the Grid Manager tab, and then click Discovery.

  2. For the Grid: Click Edit -> Grid Discovery Properties in the Toolbar.
    For the Probe member: Select the member checkbox, and then click Edit -> Member Discovery Properties in the Toolbar.

  3. Click the Credentials tab.

  4. To override the inherited Grid settings for a Probe member, click Override.

  5. Click the Add icon and specify the credential details in the corresponding cells:

    • Read Community: Enter the community string that the management system sends together with its queries to the network device during discovery.

    • Credential Group: For the Grid, select a group to which you want to assign the credential. For the Probe member, the table displays settings that were configured on the Grid, but only the default credential group is used for the member. You can edit the credentials list making up the default group by clicking Override.

    • Order: The order for attempting the use of the credential.

    • Comment: A text comment about the credential.

  6. Optionally, you can test the credentials you added to the list. You can test SNMPv1/v2c and SNMPv3 credentials against any device or any IP address, at the Grid level or from any Probe member or network view. For more information, see Testing SNMP and CLI Credentials below.

  7. Click Save & Close to save changes.

...

To export the entire list of community strings in a table file readable by a spreadsheet program, click the Export icon and choose Export Data in Infoblox CSV Import Format. To export all data in a different format, click the Export icon and choose Export Visible Data.

Configuring SNMPv3 Credentials

SNMPv3 allows the use of two secret keys for every credential — one for authentication and another for encryption. Network Insight allows flexible application of keys — authentication but no encryption, for example. You define users in one of the three following ways:

...

To export the entire list of SNMPv3 credentials in a table file readable by a spreadsheet program, click the Export icon and choose Export Data in Infoblox CSV Import Format. To export just the subset of data that is visible in the dialog, click the Export icon and choose Export Visible Data. A Show Passwords option includes the secret keys in the exported file. An export produced with this option contains the authentication and privacy secrets in cleartext, so store, transfer, and dispose of it accordingly.
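The following is an added example and not code from Infoblox or NIOS; it shows what becomes of the two SNMPv3 secrets described above once they reach a device. The User-based Security Model (RFC 3414) turns each password into a key by hashing a 1,048,576-byte stream of the repeated password (Ku), then localizes that key to the agent by hashing Ku together with the agent's snmpEngineID (Kul). The authentication password and the privacy password go through the same function independently, which is how one credential yields two keys. The test inputs (password "maplesyrup", engine ID 00..02) are the published RFC 3414 Appendix A vectors; the second engine ID used in the demo is constructed.

```python
import hashlib

KU_STREAM_LENGTH = 1_048_576  # RFC 3414 A.2: the password is repeated to 1 MiB


def password_to_ku(password: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 password-to-key: hash a 1 MiB stream made by repeating the password.

    The long stream makes each offline guess cost one hash of 1 MiB, but it
    adds no entropy: a weak password is still a weak password.
    """
    if not password:
        raise ValueError("SNMPv3 password must not be empty")
    stream = (password * (KU_STREAM_LENGTH // len(password) + 1))[:KU_STREAM_LENGTH]
    return hashlib.new(hash_name, stream).digest()


def localize(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Key localization: Kul = H(Ku || snmpEngineID || Ku).

    Every agent derives a different Kul from the same password, so a key
    recovered from one agent's configuration is useless against another.
    """
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_password: bytes, priv_password: bytes, engine_id: bytes,
             hash_name: str = "md5") -> dict:
    """Derive the two localized secrets an SNMPv3 credential carries.

    authKey feeds HMAC authentication; privKey is truncated by the cipher
    (first 8 bytes plus an 8-byte pre-IV for DES, first 16 bytes for AES-128).
    same_secret flags the weak but common choice of reusing one password
    for both, which makes the two keys identical.
    """
    auth_key = localize(password_to_ku(auth_password, hash_name), engine_id, hash_name)
    priv_key = localize(password_to_ku(priv_password, hash_name), engine_id, hash_name)
    return {
        "authKey": auth_key,
        "privKey": priv_key,
        "same_secret": auth_password == priv_password,
    }


# RFC 3414 Appendix A test inputs (published vectors, not constructed).
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def demo():
    """Show that the same password localizes to different keys on two agents."""
    other_engine_id = bytes.fromhex("000000000000000000000003")  # constructed
    on_rfc_agent = usm_keys(RFC_PASSWORD, RFC_PASSWORD, RFC_ENGINE_ID)
    on_other_agent = usm_keys(RFC_PASSWORD, RFC_PASSWORD, other_engine_id)
    return {
        "rfc_agent_authKey": on_rfc_agent["authKey"].hex(),
        "other_agent_authKey": on_other_agent["authKey"].hex(),
        "keys_differ": on_rfc_agent["authKey"] != on_other_agent["authKey"],
        "same_secret": on_rfc_agent["same_secret"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two practical consequences follow from the derivation: a CSV export made with Show Passwords discloses the passwords from which every device's keys can be recomputed, not just one device's localized key, and using the same password for authentication and privacy collapses the "two secret keys" into one.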

Configuring CLI Credentials

SNMP protocols provide a powerful means of querying devices for broad arrays of information. The CLI discovery feature is required for port control tasks including port configuration and network provisioning and de-provisioning, but is not used for other discovery operations or to otherwise manage devices. By default, Probe appliances inherit their member discovery properties, including CLI credential sets, from the Grid level. Enable passwords are entered in separate records and kept as a separate list in Grid Manager.

...

  1. From the Grid tab, select the Grid Manager tab, and then click Discovery.

  2. For the Grid: Click Edit > Grid Discovery Properties in the Toolbar.
    For the Probe member: Select a member checkbox, and then click Edit > Member Discovery Properties in the Toolbar.

  3. Click the Credentials tab > CLI tab.

  4. To override the inherited Grid settings for a Probe member, click Override.

  5. Click the Add icon to add a new CLI username/password entry to the list. Select the Credential Type, which can be one of two choices.

  6. In Login Credentials, click the Add icon and specify the credential details in the corresponding cells:

    • Protocol: Select SSH or Telnet. Infoblox recommends the use of SSH.

      • SSH: SSH credentials require both a username and a password. SSH is the default protocol.

      • Telnet: In Network Insight, Telnet credentials must also use both a username and a password. Telnet sends the username, the password, and all subsequent CLI traffic in cleartext, which is why SSH is recommended.

        Note that this username-and-password requirement for Telnet also applies when you override the CLI credentials on objects such as a fixed address, host, or IPv4 reservation. For more information, see Defining CLI Credentials for Objects below.

    • Name: Username for the CLI login account.

    • Password: Login password for the CLI login account.

    • Credential Group: For the Grid, select a group to which you want to assign the credential. For the Probe member, the table displays settings that were configured on the Grid, but only the default credential group is used for the member. You can edit the credentials list making up the default group by clicking Override.

    • Comment: A text comment describing the CLI login account.

    • Order: By default, Network Insight inserts the new credential record at the bottom of the credentials list, which is reflected by its Order value, showing the order used for attempting the use of CLI credentials. Enter a new value in the Order field if you want the new credential to be in a position other than the last in order.

  7. In Enable Credentials, click the Add icon and specify the credential details in the corresponding cells:

    • Protocol: SSH or Telnet. Infoblox recommends the use of SSH.

    • Password: Enable password for device configuration access.

    • Credential Group: For the Grid, select a group to which you want to assign the current credential. For the Probe member, this setting is inherited and cannot be changed.

    • Comment: A text comment about the credential.

    • Order: By default, Network Insight inserts the new record at the bottom of the list, reflected by its Order value, showing the order used for attempting use of the CLI credentials. Enter a new value in the Order field if you want the new credential to be in a position other than the last in order.

  8. Optionally, you can test the credentials you added to the list. For more information, see Testing SNMP and CLI Credentials below.

  9. Click Save & Close.

Defining CLI Credentials for Objects

You can define CLI credentials and enable password credentials for individual devices through associated IPAM objects:

...

  1. From the Data Management tab, select the IPAM tab.

  2. In the IPAM IP List page or the IPAM IP Map page, navigate to the required network and then to the IP associated with the object you want to edit.

    Note that for each network, the IP List page provides a Type column showing the IPAM object type associated with each IP address. Also check the MAC Address column in the IP List page for information about associated objects.

  3. Click the IP address. On the IP address page, click the Related Objects tab.

  4. Select the checkbox for the object in the Related Objects panel and click Edit.

  5. In the object editor, click the Discovery tab.

  6. Click Override CLI Credentials.
    By default, CLI credential definitions at the object level use SSH. Select Allow Telnet if you want to allow both SSH and Telnet. Infoblox recommends SSH because Telnet transmits credentials in cleartext.

  7. Enter the Name and Password values and the Enable Password value.

  8. Click Test CLI Credentials to test the CLI discovery credential settings applied to the object.

  9. When finished, click Save & Close.

Testing SNMP and CLI Credentials

After configuring SNMP and CLI credentials, you can click Test Credentials in the SNMP Credentials or CLI Credentials panel to test them. Credential testing ensures that the configured credentials work for as many devices and networks as possible. The procedure in this section applies to both the Grid and the member levels. You can override the Grid settings at the member level.

...

Probe members, networks and ranges inherit the credential groups assignment from the Grid. You can override this assignment with another credential group for networks and ranges. For members, you cannot assign a credential group as they always use the default group for credential guessing.

Assigning a Credential Group to the Grid

...

  1. From the Grid tab, select the Grid Manager tab, and then click Discovery.

  2. Click Edit > Grid Discovery Properties in the Toolbar.

  3. Click the Advisor tab.

  4. Select Enable Advisor Application.

    Note that this checkbox is available only if a Consolidator exists in the Grid and the discovery service is running.

  5. Network Interface: Specify one of the network interfaces of the Consolidator that runs Advisor. This interface is used for the internet connection to obtain the lifecycle and vulnerability data.

  6. Execution Interval: Specify how often the Advisor service should be executed every N days or weeks.

  7. Execution Hour: Specify the server hour when the Advisor service should be executed.

    Note that Advisor does not run at the exact hour specified but at some minute within the specified hour.

  8. If you do not want to expose your Grid member directly to the internet, select Use proxy server. Ensure that the proxy server has access to the internet.

  9. Specify the following information for the proxy server:

    • DNS Name or IP Address

    • Port

    • Credentials to connect to Proxy Server (username and password)

  10. Under Advisor Central, specify the following data:

    • API Endpoint Address: The IP address of the Advisor API endpoint.

    • API Endpoint Port: The port of the Advisor API endpoint.

    • Authentication: Select Token or Credentials.

    • If you selected token authentication, specify the authentication token value.

    • If you selected credentials authentication, specify the username and password.

  11. In Minimum Severity, specify the severity threshold for the vulnerability data that you want to obtain for your devices. To see the possible values, hover the mouse over the field. The popup window displays the following values, which correspond to CVSS base score ranges:

    • Critical: 9.0-10.0

    • High: 7.0-8.9

    • Medium: 4.0-6.9

    • Low: 0.1-3.9

    • None: 0.0

  12. Last Scheduled Execution Result: Displays the timestamp of the last successful or unsuccessful scheduled execution result.

  13. Last Run Now Result: Displays the timestamp of the last successful or unsuccessful immediate execution result.

  14. Test connection to central: Central refers to the server on which the Network Insight Advisor application runs, that is, the Advisor server whose address is specified in API Endpoint Address. When you click Test connection to central, NIOS sends a POST request from the Discovery Consolidator to the Advisor server. If the request reaches the Advisor server and a correct response is returned, OK is displayed; otherwise Not OK is displayed.

  15. If you want to launch Advisor immediately, click Run Now.

  16. Save the configuration.