Onboarding Devices
The user adding devices must be a member of a user group that has permissions granted to access the Administration module.
All devices are onboarded into SIP following a similar procedure that is completed in Administration. Each device has its own specific data requirements. These procedures require a few configuration changes to the monitored devices. Please make sure that you have the necessary permissions to update the device.
If you are installing multiple devices, using a management station to detect all supported devices can save you time. SIP detects all of the associated firewalls, management servers and log servers, and adds them for you at one time. The management station must be installed before the supported devices.
Our products (all SIP modules) interact with firewalls using machine-to-machine communication.
Please make sure that you have uploaded a current Security Manager product license that includes the device that you want to monitor. You will not be able to monitor any new device that is not included in your Security Manager product license. Check Point clusters do not have to be licensed in Security Manager.
In most cases, Security Manager requires use of an administrator account to collect data from your devices. Security Manager does not use this account or any other access method to make changes to any monitored device. The exception to this rule is a Check Point device, where Security Manager requests one-time use of a read-write account to automatically create an OPSEC application object in the Check Point database.
Below is a general overview of the various sections and boxes on the Create Device page. Some boxes are populated with recommended settings for the specific device.
When adding a device, as you progress through each section entering data specific to your device and network, you may not need to complete all boxes in the section.
Required sections are marked with a red alert icon. Required data is marked with a red asterisk (*).
The first step is to select the device manufacturer (vendor) and then the specific device you want to add on the Devices page; the Create Device page then opens.
General Properties
In the General Properties section you'll enter data specific to the device such as name, IP address and data collector. By default, automatically retrieving a device configuration is enabled.
Caution! To prevent errors in device group-level device maps and incorrect reporting data, all devices added in Administration must have unique IP addresses. If devices with duplicate IP addresses must be added within a domain, it is strongly recommended that those devices be separated into discrete device groups, where no duplicate IP addresses are included in the same device group. Devices with duplicate IP addresses will cause errors in the All Devices device map, and may cause incorrect data in reports, even if they are in discrete device groups.
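The duplicate-address rule above is easy to check before a bulk onboarding. The following script is an added example, not FireMon code: it runs over a constructed inventory of (name, IP, device group) tuples, reports duplicate IP addresses inside the same device group as errors, and reports addresses shared across discrete groups as warnings, since the text says those still break the All Devices map.

```python
"""Pre-onboarding check for duplicate device IP addresses (added example).

Models the rule from the documentation: duplicate IPs inside one device
group are an error; duplicates across discrete groups are tolerated but
flagged, because they still cause errors in the All Devices device map.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample inventory (name, IP, device group); not real devices.
INVENTORY = [
    ("fw-dc1-edge", "10.10.1.1", "Datacenter"),
    ("fw-dc1-core", "10.10.1.2", "Datacenter"),
    ("fw-branch-a", "192.168.1.1", "Branches"),
    ("fw-branch-b", "192.168.1.1", "Branches"),   # same group -> error
    ("fw-lab-edge", "10.10.1.1", "Lab"),          # other group -> warning
    ("fw-bad-addr", "10.10.1.300", "Lab"),        # not a valid address
]


def check_duplicate_ips(inventory):
    """Return (errors, warnings): lists of human-readable findings."""
    errors, warnings = [], []
    by_ip = defaultdict(list)  # normalized IP -> [(name, group), ...]
    for name, ip, group in inventory:
        try:
            norm = str(ip_address(ip))  # rejects malformed addresses
        except ValueError:
            errors.append(f"{name}: invalid IP address {ip!r}")
            continue
        by_ip[norm].append((name, group))

    for ip, members in sorted(by_ip.items()):
        if len(members) < 2:
            continue
        groups = defaultdict(list)  # group -> device names using this IP
        for name, group in members:
            groups[group].append(name)
        for group, names in groups.items():
            if len(names) > 1:
                errors.append(
                    f"{ip}: duplicate within group {group!r}: "
                    + ", ".join(sorted(names))
                )
        if len(groups) > 1:
            warnings.append(
                f"{ip}: shared across groups {sorted(groups)}; "
                "expect errors in the All Devices map"
            )
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_duplicate_ips(INVENTORY)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

Run it against an exported inventory before creating devices; anything listed under ERROR must be resolved, and anything under WARNING is a candidate for separation into discrete device groups.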
External ID can be used as a unique identifier that you define for a specific network device when the device identifier differs from what is displayed in Security Manager. Its best use case is a one-time password (OTP) used by the data collector to retrieve configurations.
Device Settings
In the Device Settings section you'll see the modules that the device is licensed for.
You'll also enter user credentials and verify retrieval points.
Protocol—the communication program used between Security Manager and the monitored device.
SSH is the only supported retrieval method. Telnet is no longer supported as a retrieval method due to potential security risks.
Port—the device endpoint from which Security Manager uses the specified protocol to retrieve device data.
Please refer to the Communication Protocols table for a complete list of ports and protocols used for communication between supported devices.
Policy Automation
This section is used to configure automation for supported devices. If you use Policy Planner, you can take a planned rule and stage it on a device from inside the Policy Planner module. This feature includes the ability to create new rules and place existing objects inside them.
A Policy Planner license is required for each management station and device utilizing policy automation.
Log Monitoring
By default, log monitoring is enabled and used for Rule Usage Analysis.
For some devices, you'll select whether to track usage using hit counters or syslog.
- Syslog Traffic Log Expression—the regular expression that allows the data collector to collect traffic logs for usage analysis. This value should rarely, if ever, be changed.
- Log Update Interval—this number (in minutes) determines how often usage data is sent to the application server. The default value is 10.
- Log Record Cache Timeout—this number (in minutes) determines how often the data collector cache is processed and the processed records are erased. The default value is 5.
When a log message is sent to the data collector, the data collector matches the log against a firewall policy. In some cases, for example if the data collector does not yet have the normalized file from the application server, the policy is not available yet, so the data collector caches the parsed messages. The log record cache timeout determines when the cache is next processed.
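To make the interplay between the two timers concrete, here is an added model of the data collector's cache (example code, not FireMon's implementation). It assumes a policy is a list of (rule id, source network, destination network) tuples matched first-hit-wins, that a cached record whose policy has still not arrived stays in the cache for the next pass, and that matched records are erased; the device names, rules and log records are constructed.

```python
"""Model of the data collector's log-record cache (added example, not FireMon code).

Assumptions not taken from the documentation: a policy is a list of
(rule_id, src_net, dst_net) tuples matched first-hit-wins; records whose
normalized policy has still not arrived stay cached for the next pass.
"""
from collections import Counter
from ipaddress import ip_address, ip_network


class DataCollector:
    def __init__(self, cache_timeout_min=5, log_update_interval_min=10):
        self.cache_timeout = cache_timeout_min      # "Log Record Cache Timeout"
        self.update_interval = log_update_interval_min  # "Log Update Interval"
        self.policies = {}      # device -> [(rule_id, src_net, dst_net)]
        self.cache = []         # parsed records waiting for a policy
        self.usage = Counter()  # (device, rule_id) -> hits since last upload
        self.uploads = []       # (clock, usage snapshot) sent to the app server
        self.clock = 0          # minutes

    def load_policy(self, device, rules):
        """Normalized policy arrives from the application server."""
        self.policies[device] = [
            (rid, ip_network(src), ip_network(dst)) for rid, src, dst in rules
        ]

    def _match(self, device, src, dst):
        for rid, src_net, dst_net in self.policies[device]:
            if ip_address(src) in src_net and ip_address(dst) in dst_net:
                return rid
        return None  # no rule matched

    def _count(self, record):
        device, src, dst = record
        self.usage[(device, self._match(device, src, dst))] += 1

    def receive(self, device, src, dst):
        """Match immediately if the policy is present, otherwise cache."""
        record = (device, src, dst)
        if device in self.policies:
            self._count(record)
        else:
            self.cache.append(record)

    def process_cache(self):
        """Cache-timeout pass: process what now has a policy, erase it."""
        remaining = []
        for record in self.cache:
            if record[0] in self.policies:
                self._count(record)
            else:
                remaining.append(record)
        self.cache = remaining

    def upload_usage(self):
        """Log-update-interval pass: send accumulated hits, reset counters."""
        if self.usage:
            self.uploads.append((self.clock, dict(self.usage)))
            self.usage = Counter()

    def advance(self, minutes):
        """Tick the clock one minute at a time, firing timers when due."""
        for _ in range(minutes):
            self.clock += 1
            if self.clock % self.cache_timeout == 0:
                self.process_cache()
            if self.clock % self.update_interval == 0:
                self.upload_usage()


def demo():
    """Constructed scenario: fw-b's policy arrives after its first log."""
    dc = DataCollector()
    dc.load_policy("fw-a", [("r1", "10.0.0.0/8", "0.0.0.0/0")])
    dc.receive("fw-a", "10.1.1.1", "8.8.8.8")        # matched at once
    dc.receive("fw-b", "192.168.1.5", "10.2.2.2")    # no policy yet: cached
    dc.advance(3)                                    # t=3: nothing fires
    cached_before = len(dc.cache)
    dc.load_policy("fw-b", [("web", "192.168.0.0/16", "10.2.0.0/16")])
    dc.advance(2)                                    # t=5: cache processed
    cached_after = len(dc.cache)
    dc.advance(5)                                    # t=10: usage uploaded
    return cached_before, cached_after, dc.uploads


if __name__ == "__main__":
    print(demo())
```

The scenario shows why the cache timeout (5) is shorter than the update interval (10): a record that arrived before its policy is still counted in the same usage upload once the normalized policy shows up.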
Change Monitoring
By default, change monitoring and scheduled retrieval are enabled.
When both change monitoring and scheduled retrieval are enabled, each feature works independently: Security Manager retrieves a configuration at the scheduled interval even if a changed configuration was just detected and retrieved. However, the newly retrieved configuration is stored only if it differs from the previous one.
- Enable Change Monitoring—enables Security Manager to monitor the device for change. Configurations will be retrieved automatically when changes to them are detected. It is recommended that you leave this feature enabled. This feature should be disabled only if you are unable to configure syslog to send messages to the Data Collector, or if your syslog server sends so many messages that automatic retrieval proves unwieldy. In these cases, you can schedule configuration retrieval instead.
- Alternate Syslog Source IP—if the IP address of the location where syslog messages are being sent is different from that of the source interface (in your device administration tool), you must enter the alternate IP address in Security Manager. If the IP address is the same, no changes are necessary.
Select the Perform Change Verification check box to allow the Data Collector to verify there are actual changes prior to posting a revision to Security Manager. This will enable more efficient use of disk space by not posting revisions that did not change from the last normalized revision.
Scheduled Retrieval
Enable Scheduled Retrieval—enables Security Manager to retrieve the current configuration at the scheduled interval that you specify. If no changes have been made since the previously retrieved configuration, Security Manager discards the newly retrieved configuration. If the configuration differs from the previously retrieved configuration, Security Manager stores the new configuration and displays it on the All Revisions page (Security Manager > Device > Change > Revisions).
- Check for Change Interval—the time (in minutes) between checks. The default is 1440 (every 24 hours). You can change the check interval to best fit your requirements. The minimum allowed interval is 1 hour (60 minutes).
In most cases, it is recommended that you enable this feature as a backup retrieval mechanism in addition to change monitoring (above). This backup method ensures that configurations are still retrieved in the event of a system outage or interruption. However, in some cases, such as if you are unable to configure syslog to send messages to the Data Collector, you may need to use scheduled retrieval as your sole configuration retrieval mechanism.
- Check for Change Start Time—to schedule the first retrieval for a specific time, select the Starting at check box and select a time. The first retrieval will run at the time you enter. All subsequent retrievals will occur at the interval you entered above, counted from the time the first retrieval occurred. If you do not select a Change Start Time, the first scheduled retrieval will occur immediately after you save the settings. Subsequent retrievals will occur at the interval you entered.
Advanced
The additional settings available in this section vary by vendor.
Share This Device
When using an MSSP, you can share a device with other domains. You must be at the Enterprise level in order to share a device.
Enforcement Window
An enforcement window defines when changes are pushed to managed devices and ensures that the defined connectivity remains intact. Policy Planner considers enforcement windows when performing automation changes: it only pushes changes associated with devices that have active enforcement windows.
A device must be supported at Level 4 (behavior analysis) and Level 5 (automation) and licensed for Policy Planner to use an Enforcement Window. This option will not be available for unlicensed devices.
Supplemental Routes
A supplemental route supplements the routing tables retrieved from devices to fill in missing network data not supplied during normalization. Supplemental routes are not applied to synthetic routers or management stations.
Supplemental routes cannot be added until a retrieval has normalized successfully. You can perform a manual retrieval before adding them.
Device Pack Information
This section details the configurations set within the provided device pack.