Reference Guide. Skybox View 7.0.600. Revision: 11

Copyright Skybox Security, Inc. All rights reserved.

This documentation contains proprietary information belonging to Skybox Security and is provided under a license agreement containing restrictions on use and disclosure. It is also protected by international copyright law. Due to continued product development, the information contained in this document may change without notice. The information and intellectual property contained herein are confidential and remain the exclusive intellectual property of Skybox Security. If you find any problems in the documentation, please report them to us in writing. Skybox Security does not warrant that this document is error-free. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise) without the prior written permission of Skybox Security.

Skybox, Skybox View, Skybox Security, Skybox Firewall Assurance, Skybox Network Assurance, Skybox Vulnerability Control, Skybox Threat Manager, Skybox Change Manager, Skybox 5000/5000W/5500/6000 Appliance, are trademarks and registered trademarks of Skybox Security, Inc. Check Point, SiteManager-1, FireWall-1, Provider-1, SmartDashboard, VPN-1, and OPSEC are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other trademark and registered trademark products mentioned in this document are the property of their respective owners.

Skybox Security, Inc. Telephone (in the U.S.): SKYBOX ( ) Telephone (outside the U.S.): Fax: Website: support@skyboxsecurity.com

Contents

Intended Audience; How this manual is organized; Related documentation; Technical support

Part I: Tasks

Managing tasks; User roles and tasks; Setting task parameters; Task Properties dialog box; Device access management; Using Cyber-Ark for device password management; Quick reference for data collection; Quick reference: firewall configuration collection; Quick reference: firewall traffic log and audit log collection; Quick reference: proxies, VPN devices, and IPS devices; Quick reference: load balancers; Quick reference: routers and LAN controllers; Quick reference: scanners; Quick reference: alert services; File import tasks; Import directory tasks; Data formats for file import tasks; Basic file import tasks; Advanced file import tasks; Collector file import tasks; Advanced collector file import tasks; Script invocation tasks; Importing interface and routing configuration; Firewall configuration tasks; Blue Coat proxy; Check Point FireWall-1 firewall; Check Point Provider-1 CMA; Cisco PIX/ASA/FWSM firewall; Cisco Security Manager; Dell SonicWALL firewall; Fortinet FortiGate firewall; Fortinet FortiManager Security Management appliance; Juniper Networks Junos firewall; Juniper Networks NetScreen firewall; Juniper Networks Network and Security Manager; Linux iptables firewall; McAfee Firewall Enterprise (Sidewinder) firewall

Palo Alto Networks firewall; Palo Alto Networks Panorama; Sidewinder G2 (McAfee Firewall Enterprise) firewall; VMware vShield Edge firewall; Firewalls implemented in software; Firewall log data tasks; Check Point FireWall-1 activity log data (LEA collection); Check Point FireWall-1 change events (audit log data); Importing syslog change tracking events; Syslog traffic events; IPS tasks; HP TippingPoint IPS devices; IBM Proventia G appliances; Load balancer tasks; A10 Networks load balancer; Cisco CSS load balancer; Citrix NetScaler load balancer; F5 BIG-IP load balancer; Radware AppDirector load balancer; Radware WSD load balancer; Router tasks; Cisco IOS router; Cisco Nexus router; HP ProCurve router; Nortel Passport 8600 router; Scanner tasks; eEye Retina scanner; McAfee Foundstone FoundScan Enterprise scanner; IBM SiteProtector; Qualys QualysGuard scanner; Rapid7 Nexpose scanner; Shavlik NetChk Protect patch management tool; Tenable Network Security Nessus scanner; Tripwire nCircle scanner; Blacklists; Management systems tasks; McAfee ePolicy Orchestrator; Microsoft SCCM; SolarWinds NCM; Microsoft Active Directory; Microsoft WSUS; CiscoWorks; HP Software & Solutions (OpenView); Symantec Management Suite; Alerts and vulnerability definition feed tasks; Symantec DeepSight alert services

VeriSign iDefense alert services; Network tasks; Network scan tasks; Topology discovery tasks; Analysis tasks; Access requests tasks; Change tracking tasks; Exposure tasks; False positive reduction tasks; Policy compliance tasks; Security Metrics calculation tasks; Shadowed rules tasks; Vulnerability detection tasks; Model maintenance tasks; Model completion and validation tasks; Copy model tasks; Model integrity tasks; Outdated entities removal tasks; Back up model and settings tasks; Server software update tasks; Collector software update tasks; Dictionary update tasks; Report and ticket tasks; Report generation tasks; Ticket generation tasks; CSV access rule review export tasks; CSV analysis export tasks; CSV change tracking export tasks; CSV compliance results export tasks; CSV Configuration Compliance export tasks; CSV firewall assurance export tasks; CSV optimization and cleanup export tasks; CSV security metrics export tasks; Qualys format XML vulnerability occurrences export tasks

Part II: Analyses

Managing analyses; Types of analyses; Setting analysis parameters; Analysis Properties dialog box; Customizing the display of an analysis; Risk analyses; Assets analyses; Attacks analyses; Business Asset Groups analyses; Business Units analyses; Locations analyses

Networks analyses; Regulation Compliance analyses; Threat Origins analyses; Vulnerability definitions risk analyses; Vulnerability occurrences analyses; Worms analyses; Threat management analyses; Vulnerability definitions threat management analyses; Model validation analyses; Assets validation analyses; Network interfaces validation analyses; Networks validation analyses; Services validation analyses; Ticket analyses; Tickets analyses

Part III: Tickets, reports, and notifications

Tickets reference; Tickets; Ticket rules; Reports reference; Working with reports; Report Properties dialog box; Tickets reports; Skybox Vulnerability Control and Skybox Threat Manager reports; Skybox Firewall Assurance reports; Skybox Network Assurance reports; Notifications reference; Notifications; Customizing notification templates; Selecting the correct template; Editing templates; Exportable data; CSV-exportable data; Other exports

Part IV: Tools

Access Control List Editor; Using the Access Control List Editor; Access Rule Properties dialog box; ACL Management dialog box

Access Rule Properties with Rule Review section; Access Rule Properties dialog box (extended); Specifying routing rules; Managing routing rules; Replicating routing rules; Access Analyzer; Access Analyzer query fields for Vulnerability Control; Access Analyzer query fields for Firewall Assurance and Network Assurance; Network Map; Network Map control panel; Network Map filter toolbar; s of individual maps; Layout parameters; Firewall Map; Firewall Map filter pane

Part V: Entities

Model entities; Entity relationships; Locking entity parameters; Business Asset Groups; Business Units; Clouds; Assets; Asset groups; Locations; Networks; Network groups; Network interfaces; Services; Threat Origins; Vulnerability occurrences

Index

Preface

Intended Audience

The Skybox View Reference Guide is the reference companion to the Skybox Firewall Assurance User's Guide, the Skybox Network Assurance User's Guide, the Skybox Vulnerability Control User's Guide, and the Skybox Threat Manager User's Guide. The intended audience is readers of the User's Guides who want additional technical and in-depth information.

How this manual is organized

The parts in this manual contain reference information about Skybox View, such as configuration of components and devices; supplying parameters of analyses, tasks, and model entities; and specifying access, dependency, and routing rules.

Related documentation

The following documentation is available for Skybox View:
- Skybox View Installation and Administration Guide
- Skybox View Developer's Guide
- Skybox View Release Notes

The entire documentation set (in PDF format) is available in the <Skybox_View_Home>/docs directory. You can access a comprehensive Help file from any location in the Skybox View Manager by using the Help menu or by pressing F1.

Technical support

You can contact Skybox Security technical support by:
- Calling SKYBOX ( ) inside the U.S. or outside the U.S.
- Using the Skybox Security support portal at You must register to use the support portal. Registered users can view the knowledge base, download updates, and submit cases.
- Faxing (U.S. number)
- Sending an email to support@skyboxsecurity.com

When opening a case, you need the following information:
- Your contact information (telephone number and address)
- Skybox View version and build numbers
- Platform (Windows or Linux)
- Problem description
- Any documentation or relevant logs

You can compress logs before attaching them by using the Pack Logs tool (see Packing log files for technical support, in the Skybox View Installation and Administration Guide).

Part I: Tasks

This part describes the parameters of Skybox View tasks.

Chapter 1

Managing tasks

This chapter gives an overview of how to set the parameters of Skybox View tasks. For information about running tasks, task messages, and modifying tasks, see Tasks, in the Skybox Vulnerability Control Getting Started Guide.

In this chapter
- User roles and tasks
- Setting task parameters
- Task Properties dialog box
- Device access management
- Using Cyber-Ark for device password management

User roles and tasks

Only Admins and Users have access to the Operational Console where Skybox View tasks are managed.
- Admins can create, manage, and run all tasks.
- Users can view tasks that add information to the model, delete information from the model, or save the model. Users can create, manage, and run the following:
  - All types of analysis tasks
  - All types of report tasks, including CSV export tasks and XML vulnerability occurrence export tasks
  - Ticket generation tasks
  - Copy model tasks (which copy model data from one model to another, such as from Live to What If)

Setting task parameters

The general procedure for setting task parameters is described in this section. The main dialog box for setting a task's parameters is described in Task Properties dialog box (on page 12) and Schedule tab (on page 13). These sections describe parameters common to all tasks. For information about the parameters specific to each Skybox View task type, see the section relating to the task.

Tip: When you hover over a field, a tooltip listing the values selected for that field appears. This is especially useful for fields of the s pane that can hold multiple values.

To open the operational console

On the toolbar, click.

To create a Skybox View task

On the Operational Console toolbar, click.

To create a Skybox View task based on an existing task

1. In the Operational Console tree, select Tasks > All Tasks. The workspace lists all tasks defined for this model.
2. Right-click a task and select Create Task Like. A Task Properties dialog box containing a copy of the selected task appears.

To edit a Skybox View task

1. In the Operational Console tree, select Tasks > All Tasks. The workspace lists all tasks defined for this model.
2. Do one of the following:
   - Double-click a task.
   - Right-click a task and select Properties.
   The Task Properties dialog box for the selected task appears.

Task Properties dialog box

The Task Properties dialog box contains the following tabs: General, Comments, and Schedule:
- General: This tab, described in General tab (on page 12), contains the fields that define the selected task type.
- Alerts: This tab, described in Alerts tab (on page 13), is used to define when and where alerts are sent for the task.
- Comments: This tab, which is the same for all tasks, contains your description of the task. Supplying a description is optional (but strongly recommended) and does not affect the task. When the Task table is displayed in the Operational Console, view comments by showing the User Comments column.
- Schedule: This tab, which is the same for all tasks, is described in Schedule tab (on page 13). It is used to schedule the automatic launching of the task.

General tab

The General tab consists of two panes:
- s: This pane contains parameters specific to each task. These parameters are described in the task-specific sections.
- General: This pane, described in the following table, is the same for all tasks.

Fields of the General pane:
- Name: A name that you assign to the task.
- Task Type: The task type. Task types are grouped into folders and are searchable. You can modify this parameter for new tasks only.
- Collector: The Skybox View Collector to be used by the task.
- Timeout: Specifies whether the task has a timeout limit.
- Hours: This field is enabled only if Timeout is selected. The hours portion of the task's timeout limit.
- Minutes: This field is enabled only if Timeout is selected. The minutes portion of the task's timeout limit.
- Show Properties Dialog Before Launch: Note: This field is displayed only when working with Skybox Vulnerability Control. Specifies whether to open the task's Properties dialog box before the task is launched.
- Enable Auto-launch: Specifies whether to launch the task automatically, according to the schedules that are specified in the Schedule tab.

Alerts tab

The Alerts tab is used to define who will get alerts for a task, and under what exit conditions. You can either use the global settings (from Tools > Options > Server Options > Task Settings > Task Alert Settings) or define specific ones.

Fields of the Alerts tab:
- Enable Task Alerts: Specifies whether task alerts are sent for this task.
- To: This field is enabled only if Enable Task Alerts is selected. Specifies to which users task alerts are sent:
  - Use Global Settings: Task alerts are sent to the users specified in the global settings.
  - Specific: Enables you to specify users and addresses to which task alerts from this task are sent.
- Exit Codes: This field is enabled only if Enable Task Alerts is selected. Specifies on which exit codes task alerts are sent for this task.
  - Use Global Settings: Task alerts are sent according to the exit codes specified in the global settings.
  - Specific: Enables you to specify the exit codes for which task alerts from this task are sent.

Schedule tab

The Schedule tab is used to schedule when a task runs automatically (auto-launch).

Note: Each schedule (each row) is independent of every other schedule.

You can add, modify, or delete schedules.

To add a schedule to a task

1. In the Task Properties dialog box, click the Schedule tab.
2. Click Add.
3. Select a frequency for the task.
4. Select when the task is to run according to the selected frequency.
   - Daily, Weekly, Monthly, Yearly: To change the time of day, click the down arrow next to the Every day at or At field. (To close the Clock dialog box, click anywhere inside the Task Schedule dialog box.)
   - Monthly: If you specify a day that does not exist in all months (for example, day 31), the task is not launched from this schedule in a month that does not contain that day.
   - Yearly: If you specify a day that does not exist in the selected month (for example, November 31), the task is never launched from this schedule.
5. To specify that the task runs a limited number of times, select End After and specify how many times the task is to run automatically.
6. In the Model field, specify the model on which to run this schedule.
7. Click OK.
8. If auto-launch is disabled (Enable Auto-launch is cleared in the General tab), you are asked whether you want to enable auto-launch.

You can run a sequence of tasks on a schedule. For information about task sequences, see the Using tasks for automation chapter in the Skybox Vulnerability Control User's Guide or the Skybox Network Assurance User's Guide.

Device access management

For some task types, you can instruct Skybox View to take user name and password pairs from a repository instead of typing this data in fields in the Task Properties dialog box.

In many organizations, the same user name and password combination is used to access multiple devices of one type. For example, there might be one user name and password to access your organization's Cisco routers in London and a separate combination to access the Cisco routers in New York. Admins can configure Skybox View so that each user name and password combination is saved by Skybox View and can be used by online collection tasks for devices of the specified type and scope.

This section contains information about setting up access for multiple devices.

Creating access tokens

In Skybox View, each combination of user name and password for a specific set of devices is referred to as an access token. Only Admins can create (and manage) these access tokens, which are used by some online collection tasks.
For devices that require an administrator user name and password combination, create two access tokens: a regular one (of type <Device_type>) for the regular user name and password, and a separate one (of type <Device_type> Admin) for the administrator combination.

The types of online collection tasks that can use access tokens are listed in the following table.

Collection task type: Token type
- Routers Cisco IOS: Cisco, Cisco Admin
- Routers Nortel Passport: Nortel Passport

To create an access token

1. Select Tools > Administrative Tools > Device Access Management.
2. In the Device Access Management dialog box, click Add.
3. In the New Access Token dialog box:
   a) Type a Device Name for the access token, such as London Cisco routers.
   b) In the Field Type field, select the type of device. Cisco IOS routers, which require an administrator user name and password combination, require two access tokens, one for a regular user whose Type is the device name type (Cisco) and one for the administrator user name and password combination whose Type has the string Admin appended to the name (Cisco Admin).
   c) In the User Name field, type the user name for this set of devices. For Admin-type access tokens, this is the administrator user name.
   d) In the Password and Confirm Password fields, type the password for this set of devices. For Admin-type access tokens, this is the administrator password.
   e) If necessary, click the Browse button next to the Scope field to limit the scope of the device set.
   f) Click OK to save the new device access token.

How access tokens are used

After creating access tokens, you can use them in online collection tasks. Each access token type matches a specific type of collection. Admin-type access tokens are used only when required by the devices being accessed.

Note: Access tokens are only used when Use Access Tokens is selected in the Properties dialog box of the task. If this option is not selected, even if access tokens exist for the devices specified in the task, they are not used.

When Use Access Tokens is selected, Skybox View checks the access tokens to find those that match the scope and type of the task. Access tokens that do not match either the scope or the type of the task are not used. For example, if there is an access token for Cisco routers in London and one for Cisco firewalls in London, a router collection task uses only the router-type access token and a firewall collection task uses only the firewall-type access token.

If two (or more) access tokens are found that match a task, the best match (the one with the most specific range) is used. For example, you create a collection task for a device with the address ; an access token with a range of matches the task, but an access token with a range of is a more specific match and is used by the task.

Using Cyber-Ark for device password management

Cyber-Ark is a tool that allows highly-sensitive passwords to be centrally stored, logged, and managed.
The following tasks can be authenticated with Cyber-Ark:
- Firewalls Check Point FireWall-1 CPMI Collection (on page 45)
- Firewalls Cisco PIX/ASA/FWSM Collection (on page 58)
- Firewalls Cisco Security Manager Collection (on page 61)
- Firewalls FortiGate Collection (on page 64)
- Firewalls FortiManager Collection (on page 66)
- Firewalls Junos Collection (on page 68)
- Firewalls NetScreen Collection (on page 69)
- Firewalls Juniper Networks NSM Collection (on page 71)
- Firewalls McAfee Firewall Enterprise Collection (on page 73)
- Firewalls Palo Alto Networks Collection (on page 75)
- Firewalls Panorama Collection (on page 77)
- Firewalls SonicWALL Collection (on page 63)
- Load Balancer A10 Collection (on page 104)
- Load Balancer AppDirector Collection (on page 109)
- Load Balancer BIG-IP Collection (on page 108)
- Load Balancer NetScaler Collection (on page 107)
- Proxy Blue Coat Collection (on page 43)
- Routers Cisco IOS Collection (on page 114)
- Routers Cisco Nexus Collection (on page 118)
- Routers HP ProCurve Collection (on page 121)
- Tools Script Invocation (on page 40)

You must configure Cyber-Ark so that Skybox View tasks can retrieve device authentication credentials from Cyber-Ark.

Configuring Cyber-Ark for device credentials retrieval

It is recommended that you create a separate safe to contain all device authentication credentials required by Skybox View collection tasks.

It is recommended that you use one or more Cyber-Ark application security options:
- Add the IP address of the Skybox View Server
- Add the Operating System User of the Skybox View Server:
  - (If you installed the Server as a service): skyboxview
  - (If you did not install the Server as a service): The installation user
- Add the path to JBoss in the Skybox View installation: <Skybox_View_Home>\thirdparty\jboss

Note: The default folder for Cyber-Ark is Root and the default application ID for connecting from Skybox View is SkyboxSecurity. If you change these in Cyber-Ark, you must also change them in Skybox View. For additional information, see Global Task Settings, in the Skybox View Installation and Administration Guide.
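The selection rule described under How access tokens are used earlier in this chapter (the type must match, the scope must contain the device, the most specific range wins, and Cisco IOS collection needs both a regular and an Admin token) can be modelled as follows. This is an added example, not Skybox View code: it assumes scopes are expressed as CIDR ranges, and the token names, ranges, user names, and the functions select_token, tokens_for_cisco_ios, and audit_coverage are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AccessToken:
    name: str        # e.g. "London Cisco routers"
    token_type: str  # "Cisco", "Cisco Admin" or "Nortel Passport" (types named in this chapter)
    scope: str       # assumption: the token scope is a CIDR range
    user_name: str   # the password is deliberately left out of this sketch


# Constructed sample tokens; every name, range and user name here is made up.
TOKENS = [
    AccessToken("All Cisco routers", "Cisco", "10.0.0.0/8", "netops"),
    AccessToken("London Cisco routers", "Cisco", "10.20.0.0/16", "ldn-ro"),
    AccessToken("London Cisco routers (admin)", "Cisco Admin", "10.20.0.0/16", "ldn-admin"),
    AccessToken("New York Cisco routers", "Cisco", "10.30.0.0/16", "nyc-ro"),
    AccessToken("Core Passport switches", "Nortel Passport", "10.20.0.0/16", "passport"),
]


def select_token(tokens: Iterable[AccessToken], device_ip: str, token_type: str,
                 use_access_tokens: bool = True) -> Optional[AccessToken]:
    """Return the best-matching token for one device, or None if nothing matches."""
    if not use_access_tokens:
        # Mirrors the note in the text: existing tokens are ignored unless the
        # task has Use Access Tokens selected.
        return None
    addr = ipaddress.ip_address(device_ip)
    best, best_net = None, None
    for token in tokens:
        if token.token_type != token_type:
            continue  # wrong type: never used, even if the scope matches
        net = ipaddress.ip_network(token.scope)
        if net.version != addr.version or addr not in net:
            continue  # device is outside this token's scope
        # Most specific range wins: the longest prefix is the narrowest scope.
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best, best_net = token, net
    return best


def tokens_for_cisco_ios(tokens: Iterable[AccessToken], device_ip: str
                         ) -> Tuple[Optional[AccessToken], Optional[AccessToken]]:
    """Cisco IOS routers need a regular (Cisco) and an administrator (Cisco Admin) token."""
    tokens = list(tokens)
    return (select_token(tokens, device_ip, "Cisco"),
            select_token(tokens, device_ip, "Cisco Admin"))


def audit_coverage(tokens: Iterable[AccessToken], device_ips: Iterable[str]
                   ) -> Dict[str, List[str]]:
    """Map each device to the token types it lacks, so gaps are found before a task runs."""
    tokens = list(tokens)
    gaps: Dict[str, List[str]] = {}
    for ip in device_ips:
        regular, admin = tokens_for_cisco_ios(tokens, ip)
        missing = [kind for kind, tok in (("Cisco", regular), ("Cisco Admin", admin))
                   if tok is None]
        if missing:
            gaps[ip] = missing
    return gaps


if __name__ == "__main__":
    for ip in ("10.20.30.40", "10.30.1.1", "10.99.1.1"):
        chosen = select_token(TOKENS, ip, "Cisco")
        print(ip, "->", chosen.name if chosen else "no token")
    print(audit_coverage(TOKENS, ["10.20.30.40", "10.30.1.1", "192.0.2.10"]))
```

Reviewing the fallback cases matters as much as the gaps: a device that only matches a broad token is being reached with the widest-scoped credential in the repository.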

Chapter 2

Quick reference for data collection

This chapter provides a quick reference for data collection from devices supported by Skybox View. More detailed information for each device is available in the following chapters.

You can collect device data by:
- Connecting directly to the device or management system and collecting device data. For this method, you must know the device details, such as credentials and the device IP address. Skybox View has specific collection tasks for many types of devices.
- Importing saved device files. For this method, you must save copies of the necessary files on your file system. Skybox View includes offline file import tasks that import these data files.

In this chapter
- Quick reference: firewall configuration collection
- Quick reference: firewall traffic log and audit log collection
- Quick reference: proxies, VPN devices, and IPS devices
- Quick reference: load balancers
- Quick reference: routers and LAN controllers
- Quick reference: scanners
- Quick reference: alert services

Quick reference: firewall configuration collection

You can collect device data by:
- Connecting directly to the device or device management system and collecting device data. For this method, you must know the device details, such as credentials and the device IP address. Skybox View has many tasks that connect to specific types of devices.
- Importing saved device files. For this method, you must save copies of the necessary files on your file system. Skybox View includes offline file import tasks that import these data files.

Integration requirements, by device:

Barracuda Networks (Phion) Barracuda NG Firewall
- Skybox View includes a parser that creates an iXML file from Barracuda Networks Barracuda NG firewall configuration files. This iXML file can then be imported into Skybox View.
- The parser is located at <Skybox_View_Home>\intermediate\bin\parsers\firewalls\barracuda\barracudangparser.pl.
- For help using the script, run the script without any parameters. For additional help, open a case at the Skybox Security support portal.

Check Point FireWall-1 (on page 45) and Check Point Provider-1 (on page 53)
- The OPSEC API is used to get configurations remotely from FireWall-1 Manager or from Provider-1 CMA.
- The following files are required for FireWall-1 Manager:
  - objects_5_0.c: The network objects
  - rulebases_5_0.fws: The rulebase
- The following files are required for Provider-1 CMA:
  - objects.c or objects_5_0.c: The CMA network objects
  - rulebases.fws or rulebases_5_0.fws: The CMA rulebase
  - g_objects.c or g_objects_5_0.c: The global network objects
- The following files are optional for FireWall-1 Manager and Provider-1 CMA:
  - install_statuses.c: The statuses. Note: If the Check Point configuration contains several policies, install_statuses.c is mandatory.
  - vsx_objects.c: The VSX device objects
- You also need the name of the active policy on each firewall module and the ifconfig and netstat -rnv output from each firewall module.

Cisco PIX/ASA/FWSM (on page 58)
- The IP address of the firewall
- SSH or telnet access to the firewall
- An admin user with level 5 privileges
- The following files are required:
  - run.txt: The PIX/ASA/FWSM configuration
  - (Optional) route.txt: Dump of the PIX/ASA/FWSM routing table

Cisco Security Manager (on page 61)
- The IP address of the Security Manager
- A user name and password to access the Security Manager
- The following file is required:
  - *.xml: The Security Manager source file

CiscoWorks (on page 145)
- The following file is required:
  - <device_ip_address>.cfg: The firewall configuration

Dell SonicWALL (on page 63)
- The name or IP address of the firewall
- A user name and password to access the firewall

Fortinet FortiGate (on page 64)
- The IP address of the firewall
- SSH or telnet access to the firewall
- A user name and password to access the firewall
- The following files are required:
  - config.txt: The FortiGate configuration
  - (Optional) route.txt: Dump of the FortiGate routing table

Fortinet FortiManager (on page 66)
- The name or IP address of the FortiManager Security Management appliance
- A user name and password to access the FortiManager Security Management appliance

Juniper Networks Junos (on page 68)
- The IP address of the firewall
- SSH or telnet access to the firewall
- A user name and password to access the firewall
- The following files are required:
  - config.txt: The Junos configuration
  - (Optional) route.txt: Dump of the Junos routing table

Juniper Networks NetScreen (on page 69)
- The IP address of the firewall
- SSH or telnet access to the firewall
- A user name and password to access the firewall
- The following files are required:
  - config.txt: The NetScreen configuration
  - (Optional) route.txt: Dump of the NetScreen routing table

Juniper Networks NSM (on page 71)
- A global domain Read-Only Administrator account.
- The name or IP address of the NSM
- A user name and password to access the NSM

Linux iptables (on page 73)
- The following files are required:
  - ifconfig.txt: The iptables interfaces configuration report
  - filter.txt: The iptables filter table
  - nat.txt: The iptables NAT table
  - mangle.txt: The iptables mangle table

McAfee Firewall Enterprise (Sidewinder) (on page 73)
- The name or IP address of the firewall
- A user name and password to access the firewall

Palo Alto Networks (on page 75)
- The name or IP address of the firewall
- A user name and password to access the firewall
- The following files are required:
  - config.xml: The Palo Alto configuration and system information
  - (Optional) route.txt: Dump of the Palo Alto Networks routing table

Palo Alto Networks Panorama (on page 77)
- The name or IP address of the Panorama
- A user name and password to access the Panorama

Sidewinder G2 (McAfee Firewall Enterprise) (on page 78)
- The following files are required:
  - The interfaces file
  - The ipfilter data file
  - The proxy services definitions file
  - The proxy rules data (ACL) file
  - (Optional) Burbs definition file
  - (Optional) Routing information file
- The Skybox View Sidewinder G2 parser creates an iXML file from these files. This iXML file can then be imported into Skybox View.

Stonesoft (McAfee) StoneGate
- Skybox View includes a collector script that retrieves Stonesoft StoneGate firewall configuration files and a parser that creates an iXML file from these files. This iXML file can then be imported into Skybox View.
- The collector script is located at <Skybox_View_Home>\intermediate\bin\collectors\firewalls\stonegate\stonegateCollection.pl.
- The parser is located at <Skybox_View_Home>\intermediate\bin\parsers\firewalls\stonegate\stonegateparser.pl.
- For help using the scripts, run each script without any parameters. For additional help, open a case at the Skybox Security support portal.

Topsec
- Skybox View includes a parser that creates an iXML file from Topsec firewall configuration files. This iXML file can then be imported into Skybox View.
- The parser is located at <Skybox_View_Home>\intermediate\bin\parsers\router\topsec\topsecparser.pl.
- For help using the parser, run the parser without any parameters. For additional help, open a case at the Skybox Security support portal.

WatchGuard Technologies
- Skybox View includes a collector script that retrieves WatchGuard Technologies firewall configuration files and a parser that creates an iXML file from these files. This iXML file can then be imported into Skybox View.
- The collector script is located at <Skybox_View_Home>\intermediate\bin\collectors\firewalls\watchguard\watchguardcollection.pl.
- The parser is located at <Skybox_View_Home>\intermediate\bin\parsers\firewalls\watchguard\watchguardparser.pl.
- For help using the scripts, run each script without any parameters. For additional help, open a case at the Skybox Security support portal.

Quick reference: firewall traffic log and audit log collection

You can collect firewall traffic and audit data by:
- Connecting directly to the management system that manages the firewalls and collecting log data.
For this method, you must know the management system details, such as credentials and the device IP address. Skybox View has many tasks that connect to specific management systems. Skybox View version

Importing saved firewall log files. For this method, you must save copies of the necessary files on your file system. Skybox View includes offline file import tasks that import these data files.

Integration requirements, by data type:

Check Point FireWall-1 activity log data (on page 83) (LEA collection)
  - The IP address of the FireWall-1 management system
  - A user name and password to access the management system
  - (If collecting from a log server) The IP address of the log server

Check Point FireWall-1 change events (on page 90) (audit log data)
  - The IP address of the FireWall-1 management system
  - A user name and password to access the management system
  - (If collecting from a log server) The IP address of the log server

Syslog change events (on page 91)
  - Configure the firewall or syslog server to forward the change events
  - The path to the directory containing the syslog files

Syslog traffic events (on page 95)
  - Configure the firewall or syslog server to forward the traffic events
  - The path to the directory containing the syslog files

Quick reference: proxies, VPN devices, and IPS devices

You can collect device data by:

- Connecting directly to the device or device management system and collecting device data. For this method, you must know the device details, such as credentials and the device IP address. Skybox View has many tasks that connect to specific types of devices.
- Importing saved device files. For this method, you must save copies of the necessary files on your file system. Skybox View includes offline file import tasks that import these data files.

Integration requirements, by device:

BalaBit Shell Control Box
  Skybox View includes a parser that creates an iXML file from BalaBit Shell Control Box proxy configuration files. This iXML file can then be imported into Skybox View.
  The parser is located at <Skybox_View_Home>\intermediate\bin\parsers\proxy\balabitscb\balabitscbparser.pl.
  For help using the parser, run the parser without any parameters. For additional help, open a case at the Skybox Security support portal.

Blue Coat (on page 43)
  - The IP address of the proxy
  - A user name and password to access the proxy
  - The following files are required:
      *.txt or *.log: The Blue Coat configuration
      (Optional) route.txt: Dump of the Blue Coat routing table

HP TippingPoint (on page 101)
  - The name or IP address of the SMS appliance
  - A super user name and password to access the SMS appliance
  - The IP address of the TippingPoint device
  - A user name and password to access the TippingPoint device

IBM ISS Proventia G (on page 102)
  - The IP address of the Proventia G appliance
  - A user name and password to access the SiteProtector database

Juniper SSL
  Skybox View includes a parser that creates an iXML file from Juniper SSL VPN appliance configuration files. This iXML file can then be imported into Skybox View.
  The parser is located at <Skybox_View_Home>\intermediate\bin\parsers\vpn\juniper\junipersslvpnparser.pl.
  For help using the parser, run the parser without any parameters. For additional help, open a case at the Skybox Security support portal.

Quick reference: load balancers

You can collect load balancer data by:

- Connecting directly to the load balancer and collecting device data. For this method, you must know the load balancer details, such as credentials and the device IP address. Skybox View has many tasks that connect to specific types of load balancers.
- Importing saved load balancer files. For this method, you must save copies of the necessary files on your file system. Skybox View includes offline file import tasks that import these data files.

Integration requirements, by device:

A10 Networks (on page 104)
  - The IP address of the load balancer
  - A user name and password to access the load balancer
  - The following files are required:
      *.txt or *.log: The A10 configuration
      (Optional) route.txt: Dump of the A10 routing table

Cisco Ace
  Skybox View includes a parser that creates an iXML file from Cisco Ace load balancer configuration files. This iXML file can then be imported into Skybox View.
  The parser is located at <Skybox_View_Home>\intermediate\bin\parsers\loadbalancers\ciscoace\ciscoaceparser.pl.
  For help using the parser, run the parser without any parameters. For additional help, open a case at the Skybox Security support portal.

Cisco CSS (on page 106)
  - The following file is required: A Cisco CSS configuration file
  The Skybox View Cisco CSS parser creates an iXML file from this file. This iXML file can then be imported into Skybox View.

Citrix NetScaler (on page 107)
  - The IP address of the load balancer
  - A user name and password to access the load balancer

F5 BIG-IP (on page 108)
  - The IP address of the load balancer
  - A user name and password to access the load balancer

Radware AppDirector (on page 109)
  - The IP address of the load balancer
  - A user name and password to access the load balancer
  - The following files are required:
      *.*: The AppDirector configuration
      (Optional) route.txt: Dump of the AppDirector routing table

Radware WSD (on page 111)
  - The IP address of the load balancer
  - The SNMP Community string to access the load balancers
  - The following file is required:
      *.txt: A WSD SNMP dump file

Quick reference: routers and LAN controllers

With Skybox View, you can collect router configuration data by:

- Connecting directly to the router and collecting device data.

  For this method, you must know the router details, such as credentials and the device IP address. Skybox View has many tasks that connect to specific types of routers.
- Importing saved device files. For this method, you must save copies of the necessary files on your file system. Skybox View includes offline file import tasks that import these data files.

Integration requirements, by device:

Alcatel-Lucent
  Skybox View includes a collector script that retrieves Alcatel-Lucent router configuration files and a parser that creates an iXML file from these files. This iXML file can then be imported into Skybox View.
  The collector script is located at <Skybox_View_Home>\intermediate\bin\collectors\router\alcatellucent\alcatellucentcollection.pl.
  The parser is located at <Skybox_View_Home>\intermediate\bin\parsers\router\alcatellucent\alcatellucentparser.pl.
  For help using the scripts, run each script without any parameters. For additional help, open a case at the Skybox Security support portal.

Cisco Wireless LAN Controller
  Skybox View includes a parser that creates an iXML file from Cisco Wireless LAN Controller configuration files. This iXML file can then be imported into Skybox View.
  The parser is located at <Skybox_View_Home>\intermediate\bin\parsers\wireless\ciscowlc\ciscowlcparser.pl.
  For help using the parser, run the parser without any parameters. For additional help, open a case at the Skybox Security support portal.

CiscoWorks (on page 145)
  - The following file is required:
      <device_ip_address>.cfg: The router configuration

Brocade (Foundry Networks)
  - The following files are required:
      run.txt: The router's configuration
      (Optional) route.txt: Dump of the router's routing table

H3C
  Skybox View includes a parser that creates an iXML file from H3C router configuration files. This iXML file can then be imported into Skybox View.
  The parser is located at <Skybox_View_Home>\intermediate\bin\parsers\router\h3c\h3cparser.pl.
  For help using the parser, run the parser without any parameters. For additional help, open a case at the Skybox Security support portal.

HP ProCurve (on page 121)
  - The IP address of the router
  - A user name and password to access the router
  - The following files are required:
      *.*: The ProCurve configuration
      (Optional) route.txt: Dump of the ProCurve routing table

Nortel Passport 8600 (on page 122)
  - The IP address of the router
  - SSH or telnet access to the router
  - A user name and password to access the router
  - The following files are required:
      run.txt: The Nortel configuration
      (Optional) route.txt: Dump of the Nortel routing table

Quick reference: scanners

You can collect device data by:

- Connecting directly to the scanner or scanner management system and collecting device data. For this method, you must know the scanner details, such as credentials and the device IP address. Skybox View has many tasks that connect to specific types of scanners.
- Importing saved scanner files. For this method, you must save copies of the necessary files on your file system. Skybox View includes offline file import tasks that import these data files.

Integration requirements, by device:

eEye Retina scanner (on page 125)
  One of:
  - The path to an RTD file
  - The name of the DSN that is configured for the Retina output

McAfee Foundstone FoundScan scanner (on page 126)
  - The name or IP address of the database server that hosts the FoundScan database
  - A user name and password to access the FoundScan database

HP Software & Solutions (OpenView) (on page 145)
  - The following file is required:
      *.txt: HPOV topology dump

IBM SiteProtector (on page 128)
  - The IP address of the scanner
  - The name or IP address of the database server that hosts the SiteProtector database
  - A user name and password to access the SiteProtector database

Nmap
  - Use a topology discovery task (see page 151)
  - Use a basic file import (on page 35) or advanced file import (on page 36) task. The following file is required:
      *.xml: Nmap XML file (output of nmap -v -sS -O -oX <out-file> <scan-range>)

Outpost24
  Skybox View includes a parser that creates an iXML file from Outpost24 scanner files. This iXML file can then be imported into Skybox View.
  The parser is located at <Skybox_View_Home>\intermediate\bin\parsers\scanners\outpost24\outpost24parser.pl.
  For help using the parser, run the parser without any parameters. For additional help, open a case at the Skybox Security support portal.

Qualys QualysGuard scanner (on page 129)
  - A user name and password to access the Qualys account
  - The following files are required:
      scan.xml: Qualys scan
      (Optional) map.xml: Qualys map

Rapid7 Nexpose (on page 132)
  - The IP address of the scanner
  - A user name and password to access the scanner
  - The following files are required:
      A set of *.xml: Rapid7 Nexpose audit report files
    The files can be in ns-xml, raw-xml, or qualys-xml format.

Shavlik NetChk Protect patch management tool (on page 133)
  One of:
  - The path to an MDB file
  - The name of the DSN that is configured for the NetChk Protect output
  The following file is required:
      *.txt: Shavlik NetChk Protect Vulnerability Scanner Report

SNMP walk
  - Use a basic file import (on page 35) or advanced file import (on page 36) task. The following file is required:
      *.*: SNMP walk dump

Tenable Network Security Nessus (on page 134)
  - The IP address of the scanner
  - A user name and password to access the scanner
  - The following file is required:
      *.nessus: Nessus XML file

Tripwire nCircle scanner (on page 136)
  - The following files are required for nCircle XML3:
      scan.xml: nCircle export XML
      aspl.xml: nCircle ASPL XML
  - The following file is required for nCircle XML2:
      *.xml: nCircle export XML

Quick reference: alert services

You can collect device data by:

- Connecting directly to the <device> or management system and collecting device data. For this method, you must know the <device> details, such as credentials and the device IP address. Skybox View has many tasks that connect to specific types of devices.
- Importing saved <device> files. For this method, you must save copies of the necessary files on your file system. Skybox View includes offline file import tasks that import these data files.

Chapter 3 File import tasks

This chapter describes how to set the parameters of file import tasks.

Note: File import tasks can import a new model (in XML or encrypted XML format) into the current model, thus merging two models. This is useful if you must merge several models.

In this chapter

- Import directory tasks
- Data formats for file import tasks
- Basic file import tasks
- Advanced file import tasks
- Collector file import tasks
- Advanced collector file import tasks
- Script invocation tasks
- Importing interface and routing configuration

Import directory tasks

Import Directory tasks import the configuration or scan data files of multiple devices into a Skybox View model, where the files are in a specified directory located on the Skybox View Server or on a Skybox View Collector.

For a list of supported devices, scanners, and files and their file formats, see Supported devices and files for import directory tasks (on page 30).

Directory structure

Single configuration files for devices and scanner output files must be located in the specified directory (this directory can contain any number of these files, for the same or different devices); if a device has multiple configuration files, the files must be located in a first-level subdirectory of the specified directory (one subdirectory per device).

You can specify up to four directories per Import Directory task.

The specified directory can contain any of the following file types:

- A device configuration file
- A single file that combines device configuration and a dump of the routing table
- A single file that combines the netstat and ifconfig data
- A scanner output file
- An iXML file

Each (first-level) subdirectory can contain one of the following sets of files:

- Device configuration and a dump of the routing table in separate files
- Check Point files: (Mandatory) objects.c, rulesbases.fws; (Optional) global objects, statuses file

  Note: If the Check Point configuration contains several policies, install_statuses.c is mandatory (it contains the information of which policy is installed on which firewall).
- netstat and ifconfig data in separate files

Note: In all cases the files can have any names: Skybox View identifies the file type.

Task parameters

The parameters that control Import Directory tasks are described in the following table.

Basic tab

Run in: The location of the files to import.

Modified in: The age of the files to import. Custom: Select Specific or Relative start and end times.

Set <n>: Specify up to four sets of devices (directories). (To import more sets, use the Additional Sets field.) If you specify Location Hint in the Advanced tab, all devices must be at the same location.

Directory: The full path to the directory containing the files (and subdirectories) to import.

Comment: of the contents of Directory.

Additional Sets: Click the Browse button and type the directories containing the configuration data of additional sets of devices (one per line). Optionally, specify a location hint per directory.

Advanced tab

Location Hint: The location of the devices whose data is imported. (To import the data of more than one device, the devices must be at the same location.)
  Note: Use this parameter when different locations use the same set of IP addresses, so that two devices at different locations can have the same IP address.

Merge assets by Wins name: Specifies whether to merge assets from the same network by name and not by IP address. Select this option when assets do not have fixed IP addresses.

Do not force unique tag merging: If selected, and the firewall or router being imported has a unique tag, the task tries to match the device to devices already existing in the model according to network interfaces. If unsuccessful, the task adds the device to the model. If cleared, the task adds the device to the model if it has a unique tag.

nCircle ASPL file: (For nCircle XML3 imports) The ASPL file to use for all nCircle imports (so that the file is only parsed once by Skybox View). If this field is left blank, the ASPL file is parsed separately for each nCircle import.

Supported devices and files for import directory tasks

Import Directory tasks support the following devices, scanners, and files:

Devices

- A10 Networks load balancers
- Blue Coat proxies
- Check Point FireWall-1 firewalls and Provider-1 CMAs
- Cisco PIX/ASA/FWSM firewalls
- Cisco IOS routers
- Cisco Nexus routers
- F5 BIG-IP load balancers
- Fortinet FortiGate firewalls
- HP ProCurve routers
- Juniper Networks Junos firewalls and routers
- Juniper Networks NetScreen firewalls
- McAfee ePolicy Orchestrator management systems
- McAfee Firewall Enterprise firewalls
- Palo Alto Networks firewalls
- Radware AppDirector load balancers

iXML: A file containing device configuration written in Skybox View's Integration XML (iXML)
  For information about iXML, see the Integration part of the Skybox View Developer's Toolkit

Scanner output

- Nessus vulnerabilities scanners (XML format)
- Qualys QualysGuard scanners (XML format)
- Rapid7 Nexpose scanners
- Tripwire nCircle scanners (XML format)

Network state files (see Importing interface and routing configuration (on page 41))

- netstat data files
- ifconfig data files

Data formats for file import tasks

Note: It is recommended that you use Import Directory tasks (see page 29) for all supported devices and file types (see page 30) (including network state files and iXML files).

The import data format types supported by Skybox View are listed in the following table. The table also gives the relevant source file or folder required for the file import. The information in this table is used by the following file import task types: Import Basic, Import Advanced, Import Collector, and Import Collector Advanced.

Note: For Import Basic tasks, you must specify the location of each file separately and not the folder.

Format name: A10
Type of import data: A10
Source file or folder: Folder containing the following files:
    *.txt or *.log: The A10 configuration
    (Optional) route.txt: Dump of the


Integrating Symantec Endpoint Protection Integrating Symantec Endpoint Protection EventTracker Version 7.x Publication Date: Nov 8, 2013 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com About this Guide This guide provides

More information

Integrating Barracuda Web Application Firewall

Integrating Barracuda Web Application Firewall Integrating Barracuda Web Application Firewall EventTracker v7.x Publication Date: July 28, 2014 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This guide provides

More information

IBM Security SiteProtector System Configuration Guide

IBM Security SiteProtector System Configuration Guide IBM Security IBM Security SiteProtector System Configuration Guide Version 2.9 Note Before using this information and the product it supports, read the information in Notices on page 209. This edition

More information

Advanced Event Viewer Manual

Advanced Event Viewer Manual Advanced Event Viewer Manual Document version: 2.2944.01 Download Advanced Event Viewer at: http://www.advancedeventviewer.com Page 1 Introduction Advanced Event Viewer is an award winning application

More information

QualysGuard WAS. Getting Started Guide Version 4.1. April 24, 2015

QualysGuard WAS. Getting Started Guide Version 4.1. April 24, 2015 QualysGuard WAS Getting Started Guide Version 4.1 April 24, 2015 Copyright 2011-2015 by Qualys, Inc. All Rights Reserved. Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc.

More information

FTP Server Configuration

FTP Server Configuration FTP Server Configuration For HP customers who need to configure an IIS or FileZilla FTP server before using HP Device Manager Technical white paper 2 Copyright 2012 Hewlett-Packard Development Company,

More information

PRODUCT WHITE PAPER LABEL ARCHIVE. Adding and Configuring Active Directory Users in LABEL ARCHIVE

PRODUCT WHITE PAPER LABEL ARCHIVE. Adding and Configuring Active Directory Users in LABEL ARCHIVE PRODUCT WHITE PAPER LABEL ARCHIVE Adding and Configuring Active Directory Users in LABEL ARCHIVE TEKLYNX International March 19, 2010 Introduction Now more than ever, businesses large and small alike are

More information

Cloud Director User's Guide

Cloud Director User's Guide Cloud Director 1.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this

More information

IBM Campaign and IBM Silverpop Engage Version 1 Release 2 August 31, 2015. Integration Guide IBM

IBM Campaign and IBM Silverpop Engage Version 1 Release 2 August 31, 2015. Integration Guide IBM IBM Campaign and IBM Silverpop Engage Version 1 Release 2 August 31, 2015 Integration Guide IBM Note Before using this information and the product it supports, read the information in Notices on page 93.

More information

ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access. Integration Handbook

ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access. Integration Handbook ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access Integration Handbook Document Version 1.1 Released July 16, 2012 ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access

More information

EMC Smarts Integration Guide

EMC Smarts Integration Guide vcenter Operations Manager Enterprise 1.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more

More information

Adaptive Log Exporter Users Guide

Adaptive Log Exporter Users Guide IBM Security QRadar Version 7.1.0 (MR1) Note: Before using this information and the product that it supports, read the information in Notices and Trademarks on page page 119. Copyright IBM Corp. 2012,

More information

McAfee Security Information Event Management (SIEM) Administration Course 101

McAfee Security Information Event Management (SIEM) Administration Course 101 McAfee Security Information Event Management (SIEM) Administration Course 101 Intel Security Education Services Administration Course The McAfee SIEM Administration course from McAfee Education Services

More information

McAfee Enterprise Mobility Management 11.0 Software

McAfee Enterprise Mobility Management 11.0 Software Product Guide McAfee Enterprise Mobility Management 11.0 Software For use with epolicy Orchestrator 4.6.5-5.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

WildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks

WildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks WildFire Reporting When malware is discovered on your network, it is important to take quick action to prevent spread of the malware to other systems. To ensure immediate alerts to malware discovered on

More information

Novell ZENworks Asset Management 7.5

Novell ZENworks Asset Management 7.5 Novell ZENworks Asset Management 7.5 w w w. n o v e l l. c o m October 2006 USING THE WEB CONSOLE Table Of Contents Getting Started with ZENworks Asset Management Web Console... 1 How to Get Started...

More information

File Management Utility User Guide

File Management Utility User Guide File Management Utility User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held

More information

IBM Security QRadar Vulnerability Manager Version 7.2.6. User Guide IBM

IBM Security QRadar Vulnerability Manager Version 7.2.6. User Guide IBM IBM Security QRadar Vulnerability Manager Version 7.2.6 User Guide IBM Note Before using this information and the product that it supports, read the information in Notices on page 91. Product information

More information

McAfee Network Security Platform Administration Course

McAfee Network Security Platform Administration Course McAfee Network Security Platform Administration Course Intel Security Education Services Administration Course The McAfee Network Security Platform Administration course from McAfee Education Services

More information

Web Application Vulnerability Testing with Nessus

Web Application Vulnerability Testing with Nessus The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

vrealize Operations Manager Customization and Administration Guide

vrealize Operations Manager Customization and Administration Guide vrealize Operations Manager Customization and Administration Guide vrealize Operations Manager 6.0.1 This document supports the version of each product listed and supports all subsequent versions until

More information

RSA Security Analytics

RSA Security Analytics RSA Security Analytics Event Source Log Configuration Guide VMware NSX Last Modified: Friday, March 13, 2015 Event Source Product Information: Vendor: VMware Event Source: VMware NSX Version: 6.1.2 RSA

More information

NETWRIX EVENT LOG MANAGER

NETWRIX EVENT LOG MANAGER NETWRIX EVENT LOG MANAGER ADMINISTRATOR S GUIDE Product Version: 4.0 July/2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment

More information

Release Notes for Websense Email Security v7.2

Release Notes for Websense Email Security v7.2 Release Notes for Websense Email Security v7.2 Websense Email Security version 7.2 is a feature release that includes support for Windows Server 2008 as well as support for Microsoft SQL Server 2008. Version

More information

VMware vcenter Discovered Machines Import Tool User's Guide Version 5.3.0.25 for vcenter Configuration Manager 5.3

VMware vcenter Discovered Machines Import Tool User's Guide Version 5.3.0.25 for vcenter Configuration Manager 5.3 VMware vcenter Discovered Machines Import Tool User's Guide Version 5.3.0.25 for vcenter Configuration Manager 5.3 This document supports the version of each product listed and supports all subsequent

More information

Integrate Cisco IronPort Email Security Appliance (ESA)

Integrate Cisco IronPort Email Security Appliance (ESA) Integrate Cisco IronPort Email Security Appliance (ESA) EventTracker v7.x Publication Date: Jun 17, 2014 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This guide provides

More information

CTERA Agent for Windows

CTERA Agent for Windows User Guide CTERA Agent for Windows May 2012 Version 3.1 Copyright 2009-2012 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written

More information

Web Application Firewall

Web Application Firewall Web Application Firewall Getting Started Guide August 3, 2015 Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks

More information

Managing Identities and Admin Access

Managing Identities and Admin Access CHAPTER 4 This chapter describes how Cisco Identity Services Engine (ISE) manages its network identities and access to its resources using role-based access control policies, permissions, and settings.

More information

Nessus Enterprise Cloud User Guide. October 2, 2014 (Revision 9)

Nessus Enterprise Cloud User Guide. October 2, 2014 (Revision 9) Nessus Enterprise Cloud User Guide October 2, 2014 (Revision 9) Table of Contents Introduction... 3 Nessus Enterprise Cloud... 3 Subscription and Activation... 3 Multi Scanner Support... 4 Customer Scanning

More information

McAfee Public Cloud Server Security Suite

McAfee Public Cloud Server Security Suite Installation Guide McAfee Public Cloud Server Security Suite For use with McAfee epolicy Orchestrator COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766,

More information

SOLARWINDS ORION. Patch Manager Evaluation Guide for ConfigMgr 2012

SOLARWINDS ORION. Patch Manager Evaluation Guide for ConfigMgr 2012 SOLARWINDS ORION Patch Manager Evaluation Guide for ConfigMgr 2012 About SolarWinds SolarWinds, Inc. develops and markets an array of network management, monitoring, and discovery tools to meet the diverse

More information

WhatsUpGold. v3.0. WhatsConnected User Guide

WhatsUpGold. v3.0. WhatsConnected User Guide WhatsUpGold v3.0 WhatsConnected User Guide Contents CHAPTER 1 Welcome to WhatsConnected Finding more information and updates... 2 Sending feedback... 3 CHAPTER 2 Installing and Configuring WhatsConnected

More information

LANDESK Service Desk. Desktop Manager

LANDESK Service Desk. Desktop Manager LANDESK Service Desk Desktop Manager LANDESK SERVICE DESK DESKTOP MANAGER GUIDE This document contains information, which is the confidential information and/or proprietary property of LANDESK Software,

More information

User Management Guide

User Management Guide AlienVault Unified Security Management (USM) 4.x-5.x User Management Guide USM v4.x-5.x User Management Guide, rev 1 Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

IDENTIKEY Appliance Administrator Guide 3.3.5.0 3.6.8

IDENTIKEY Appliance Administrator Guide 3.3.5.0 3.6.8 IDENTIKEY Appliance Administrator Guide 3.3.5.0 3.6.8 Disclaimer of Warranties and Limitations of Liabilities Legal Notices Copyright 2008 2015 VASCO Data Security, Inc., VASCO Data Security International

More information

CTERA Agent for Windows

CTERA Agent for Windows User Guide CTERA Agent for Windows September 2013 Version 4.0 Copyright 2009-2013 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without

More information

Release Notes for McAfee epolicy Orchestrator 4.5

Release Notes for McAfee epolicy Orchestrator 4.5 Release Notes for McAfee epolicy Orchestrator 4.5 About this document New features Known Issues Installation, upgrade, and migration considerations Considerations when uninstalling epolicy Orchestrator

More information

IBM WebSphere Application Server Version 7.0

IBM WebSphere Application Server Version 7.0 IBM WebSphere Application Server Version 7.0 Centralized Installation Manager for IBM WebSphere Application Server Network Deployment Version 7.0 Note: Before using this information, be sure to read the

More information

Advanced Service Design

Advanced Service Design vcloud Automation Center 6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions

More information

CenturyLink Cloud Configuration

CenturyLink Cloud Configuration CenturyLink Cloud Configuration CenturyLink Setup for VNS3:vpn, VNS3:net and VNS3:turret 2015 copyright 2015 1 Table of Contents Introduction 3 CenturyLink Cloud Deployment Setup 9 VNS3 Configuration Document

More information

Upgrade Guide. McAfee Vulnerability Manager Microsoft Windows Server 2008 R2

Upgrade Guide. McAfee Vulnerability Manager Microsoft Windows Server 2008 R2 Upgrade Guide McAfee Vulnerability Manager Microsoft Windows Server 2008 R2 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARKS McAfee, the McAfee logo, McAfee Active Protection,

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.7.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

WhatsUp Gold v16.3 Installation and Configuration Guide

WhatsUp Gold v16.3 Installation and Configuration Guide WhatsUp Gold v16.3 Installation and Configuration Guide Contents Installing and Configuring WhatsUp Gold using WhatsUp Setup Installation Overview... 1 Overview... 1 Security considerations... 2 Standard

More information

SNMP Adapter Installation and Configuration Guide

SNMP Adapter Installation and Configuration Guide SNMP Adapter Installation and Configuration Guide vcenter Operations Manager 1.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Symantec Event Collectors Integration Guide for Symantec Security Information Manager 4.7

Symantec Event Collectors Integration Guide for Symantec Security Information Manager 4.7 Symantec Event Collectors Integration Guide for Symantec Security Information Manager 4.7 Symantec Event Collectors Integration Guide for Symantec Security Information Manager 4.7 The software described

More information