Reference Guide. Skybox View 7.0.600. Revision: 11

2
Copyright Skybox Security, Inc. All rights reserved.
This documentation contains proprietary information belonging to Skybox Security and is provided under a license agreement containing restrictions on use and disclosure. It is also protected by international copyright law. Due to continued product development, the information contained in this document may change without notice. The information and intellectual property contained herein are confidential and remain the exclusive intellectual property of Skybox Security. If you find any problems in the documentation, please report them to us in writing. Skybox Security does not warrant that this document is error-free. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise) without the prior written permission of Skybox Security.
Skybox, Skybox View, Skybox Security, Skybox Firewall Assurance, Skybox Network Assurance, Skybox Vulnerability Control, Skybox Threat Manager, Skybox Change Manager, and Skybox 5000/5000W/5500/6000 Appliance are trademarks and registered trademarks of Skybox Security, Inc. Check Point, SiteManager-1, FireWall-1, Provider-1, SmartDashboard, VPN-1, and OPSEC are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other trademark and registered trademark products mentioned in this document are the property of their respective owners.
Skybox Security, Inc.

3 Contents
Intended Audience... 8
How this manual is organized... 8
Related documentation... 8
Technical support... 8
Part I: Tasks
Managing tasks
User roles and tasks
Setting task parameters
Task Properties dialog box
Device access management
Using Cyber-Ark for device password management
Quick reference for data collection
Quick reference: firewall configuration collection
Quick reference: firewall traffic log and audit log collection
Quick reference: proxies, VPN devices, and IPS devices
Quick reference: load balancers
Quick reference: routers and LAN controllers
Quick reference: scanners
Quick reference: alert services
File import tasks
Import directory tasks
Data formats for file import tasks
Basic file import tasks
Advanced file import tasks
Collector file import tasks
Advanced collector file import tasks
Script invocation tasks
Importing interface and routing configuration
Firewall configuration tasks
Blue Coat proxy
Check Point FireWall-1 firewall
Check Point Provider-1 CMA
Cisco PIX/ASA/FWSM firewall
Cisco Security Manager
Dell SonicWALL firewall
Fortinet FortiGate firewall
Fortinet FortiManager Security Management appliance
Juniper Networks Junos firewall
Juniper Networks NetScreen firewall
Juniper Networks Network and Security Manager
Linux iptables firewall
McAfee Firewall Enterprise (Sidewinder) firewall
Palo Alto Networks firewall
Palo Alto Networks Panorama
Sidewinder G2 (McAfee Firewall Enterprise) firewall
VMware vShield Edge firewall
Firewalls implemented in software
Firewall log data tasks
Check Point FireWall-1 activity log data (LEA collection)
Check Point FireWall-1 change events (audit log data)
Importing syslog change tracking events
Syslog traffic events
IPS tasks
HP TippingPoint IPS devices
IBM Proventia G appliances
Load balancer tasks
A10 Networks load balancer
Cisco CSS load balancer
Citrix NetScaler load balancer
F5 BIG-IP load balancer
Radware AppDirector load balancer
Radware WSD load balancer
Router tasks
Cisco IOS router
Cisco Nexus router
HP ProCurve router
Nortel Passport 8600 router
Scanner tasks
eEye Retina scanner
McAfee Foundstone FoundScan Enterprise scanner
IBM SiteProtector
Qualys QualysGuard scanner
Rapid7 Nexpose scanner
Shavlik NetChk Protect patch management tool
Tenable Network Security Nessus scanner
Tripwire nCircle scanner
Blacklists
Management systems tasks
McAfee ePolicy Orchestrator
Microsoft SCCM
SolarWinds NCM
Microsoft Active Directory
Microsoft WSUS
CiscoWorks
HP Software & Solutions (OpenView)
Symantec Management Suite
Alerts and vulnerability definition feed tasks
Symantec DeepSight alert services
VeriSign iDefense alert services
Network tasks
Network scan tasks
Topology discovery tasks
Analysis tasks
Access requests tasks
Change tracking tasks
Exposure tasks
False positive reduction tasks
Policy compliance tasks
Security Metrics calculation tasks
Shadowed rules tasks
Vulnerability detection tasks
Model maintenance tasks
Model completion and validation tasks
Copy model tasks
Model integrity tasks
Outdated entities removal tasks
Back up model and settings tasks
Server software update tasks
Collector software update tasks
Dictionary update tasks
Report and ticket tasks
Report generation tasks
Ticket generation tasks
CSV access rule review export tasks
CSV analysis export tasks
CSV change tracking export tasks
CSV compliance results export tasks
CSV Configuration Compliance export tasks
CSV firewall assurance export tasks
CSV optimization and cleanup export tasks
CSV security metrics export tasks
Qualys format XML vulnerability occurrences export tasks
Part II: Analyses
Managing analyses
Types of analyses
Setting analysis parameters
Analysis Properties dialog box
Customizing the display of an analysis
Risk analyses
Assets analyses
Attacks analyses
Business Asset Groups analyses
Business Units analyses
Locations analyses
Networks analyses
Regulation Compliance analyses
Threat Origins analyses
Vulnerability definitions risk analyses
Vulnerability occurrences analyses
Worms analyses
Threat management analyses
Vulnerability definitions threat management analyses
Model validation analyses
Assets validation analyses
Network interfaces validation analyses
Networks validation analyses
Services validation analyses
Ticket analyses
Tickets analyses
Part III: Tickets, reports, and notifications
Tickets reference
Tickets
Ticket rules
Reports reference
Working with reports
Report Properties dialog box
Tickets reports
Skybox Vulnerability Control and Skybox Threat Manager reports
Skybox Firewall Assurance reports
Skybox Network Assurance reports
Notifications reference
Notifications
Customizing notification templates
Selecting the correct template
Editing templates
Exportable data
CSV-exportable data
Other exports
Part IV: Tools
Access Control List Editor
Using the Access Control List Editor
Access Rule Properties dialog box
ACL Management dialog box
Access Rule Properties with Rule Review section
Access Rule Properties dialog box (extended)
Specifying routing rules
Managing routing rules
Replicating routing rules
Access Analyzer
Access Analyzer query fields for Vulnerability Control
Access Analyzer query fields for Firewall Assurance and Network Assurance
Network Map
Network Map control panel
Network Map filter toolbar s of individual maps
Layout parameters
Firewall Map
Firewall Map filter pane
Part V: Entities
Model entities
Entity relationships
Locking entity parameters
Business Asset Groups
Business Units
Clouds
Assets
Asset groups
Locations
Networks
Network groups
Network interfaces
Services
Threat Origins
Vulnerability occurrences
Index
Skybox View version

8 Preface
Intended Audience
The Skybox View Reference Guide is the reference companion to the Skybox Firewall Assurance User's Guide, the Skybox Network Assurance User's Guide, the Skybox Vulnerability Control User's Guide, and the Skybox Threat Manager User's Guide. The intended audience is readers of the User's Guides who want additional technical and in-depth information.
How this manual is organized
The parts in this manual contain reference information about Skybox View, such as configuration of components and devices; supplying parameters of analyses, tasks, and model entities; and specifying access, dependency, and routing rules.
Related documentation
The following documentation is available for Skybox View:
Skybox View Installation and Administration Guide
Skybox View Developer's Guide
Skybox View Release Notes
The entire documentation set (in PDF format) is available in the <Skybox_View_Home>/docs directory. You can access a comprehensive Help file from any location in the Skybox View Manager by using the Help menu or by pressing F1.
Technical support
You can contact Skybox Security technical support by:
Calling SKYBOX ( ) inside the U.S. or outside the U.S.
Using the Skybox Security support portal at . You must register to use the support portal. Registered users can view the knowledge base, download updates, and submit cases.
Faxing (U.S. number)
Sending an e-mail to [email protected]
When opening a case, you need the following information:
Your contact information (telephone number and address)
Skybox View version and build numbers
Platform (Windows or Linux)
Problem description
9
Any documentation or relevant logs
You can compress logs before attaching them by using the Pack Logs tool (see Packing log files for technical support, in the Skybox View Installation and Administration Guide).

10 Part I: Tasks This part describes the parameters of Skybox View tasks.

11 Chapter 1 Managing tasks
This chapter gives an overview of how to set the parameters of Skybox View tasks. For information about running tasks, task messages, and modifying tasks, see Tasks, in the Skybox Vulnerability Control Getting Started Guide.
In this chapter
User roles and tasks
Setting task parameters
Task Properties dialog box
Device access management
Using Cyber-Ark for device password management
User roles and tasks
Only Admins and Users have access to the Operational Console where Skybox View tasks are managed. Admins can create, manage, and run all tasks. Users can view tasks that add information to the model, delete information from the model, or save the model. Users can create, manage, and run the following:
All types of analysis tasks
All types of report tasks, including CSV export tasks and XML vulnerability occurrence export tasks
Ticket generation tasks
Copy model tasks (which copy model data from one model to another, such as from Live to What If)
Setting task parameters
The general procedure for setting task parameters is described in this section. The main dialog box for setting a task's parameters is described in Task Properties dialog box (on page 12) and Schedule tab (on page 13). These sections describe parameters common to all tasks. For information about the parameters specific to each Skybox View task type, see the section relating to the task.
Tip: When you mouse over a field, a tooltip listing the values selected for that field appears. This is especially useful for fields of the s pane that can hold multiple values.
To open the Operational Console
On the toolbar, click.

12
To create a Skybox View task
On the Operational Console toolbar, click.
To create a Skybox View task based on an existing task
1 In the Operational Console tree, select Tasks > All Tasks. The workspace lists all tasks defined for this model.
2 Right-click a task and select Create Task Like. A Task Properties dialog box containing a copy of the selected task appears.
To edit a Skybox View task
1 In the Operational Console tree, select Tasks > All Tasks. The workspace lists all tasks defined for this model.
2 Do one of the following:
Double-click a task.
Right-click a task and select Properties.
The Task Properties dialog box for the selected task appears.
Task Properties dialog box
The Task Properties dialog box contains the following tabs: General, Alerts, Comments, and Schedule.
General: This tab, described in General tab (on page 12), contains the fields that define the selected task type.
Alerts: This tab, described in Alerts tab (on page 13), is used to define when and where alerts are sent for the task.
Comments: This tab, which is the same for all tasks, contains your description of the task. Supplying a description is optional (but strongly recommended) and does not affect the task. When the Task table is displayed in the Operational Console, view comments by showing the User Comments column.
Schedule: This tab, which is the same for all tasks, is described in Schedule tab (on page 13). It is used to schedule the automatic launching of the task.
General tab
The General tab consists of two panes:
s: This pane contains parameters specific to each task. These parameters are described in the task-specific sections.
General: This pane, described in the following table, is the same for all tasks.
Name: A name that you assign to the task.
Task Type: The task type. Task types are grouped into folders and are searchable. You can modify this parameter for new tasks only.
Collector: The Skybox View Collector to be used by the task.
Timeout: Specifies whether the task has a timeout limit.
Hours: This field is enabled only if Timeout is selected.

13
(Hours, continued) The hours portion of the task's timeout limit.
Minutes: This field is enabled only if Timeout is selected. The minutes portion of the task's timeout limit.
Show Properties Dialog Before Launch: Note: This field is displayed only when working with Skybox Vulnerability Control. Specifies whether to open the task's Properties dialog box before the task is launched.
Enable Auto-launch: Specifies whether to launch the task automatically, according to the schedules that are specified in the Schedule tab.
Alerts tab
The Alerts tab is used to define who will get alerts for a task, and under what exit conditions. You can either use the global settings (from Tools > Options > Server Options > Task Settings > Task Alert Settings) or define specific ones.
Enable Task Alerts: Specifies whether task alerts are sent for this task.
To: This field is enabled only if Enable Task Alerts is selected. Specifies to which users task alerts are sent:
Use Global Settings: Task alerts are sent to the users specified in the global settings.
Specific: Enables you to specify users and addresses to which task alerts from this task are sent.
Exit Codes: This field is enabled only if Enable Task Alerts is selected. Specifies on which exit codes task alerts are sent for this task:
Use Global Settings: Task alerts are sent according to the exit codes specified in the global settings.
Specific: Enables you to specify the exit codes for which task alerts from this task are sent.
Schedule tab
The Schedule tab is used to schedule when a task runs automatically (auto-launch).
Note: Each schedule (each row) is independent of every other schedule. You can add, modify, or delete schedules.
To add a schedule to a task
1 In the Task Properties dialog box, click the Schedule tab.
2 Click Add.
3 Select a frequency for the task.
4 Select when the task is to run according to the selected frequency.
Daily, Weekly, Monthly, Yearly: To change the time of day, click the down arrow next to the Every day at or At field. (To close the Clock dialog box, click anywhere inside the Task Schedule dialog box.)
Monthly: If you specify a day that does not exist in all months (for example, day 31), the task is not launched from this schedule in a month that does not contain that day.

14
Yearly: If you specify a day that does not exist in the selected month (for example, November 31), the task is never launched from this schedule.
5 To specify that the task runs a limited number of times, select End After and specify how many times the task is to run automatically.
6 In the Model field, specify the model on which to run this schedule.
7 Click OK.
8 If auto-launch is disabled (Enable Auto-launch is cleared in the General tab), you are asked whether you want to enable auto-launch.
You can run a sequence of tasks on a schedule. For information about task sequences, see the Using tasks for automation chapter in the Skybox Vulnerability Control User's Guide or the Skybox Network Assurance User's Guide.
Device access management
For some task types, you can instruct Skybox View to take user name and password pairs from a repository instead of typing this data in fields in the Task Properties dialog box. In many organizations, the same user name and password combination is used to access multiple devices of one type. For example, there might be one user name and password to access your organization's Cisco routers in London and a separate combination to access the Cisco routers in New York. Admins can configure Skybox View so that each user name and password combination is saved by Skybox View and can be used by online collection tasks for devices of the specified type and scope. This section contains information about setting up access for multiple devices.
Creating access tokens
In Skybox View, each combination of user name and password for a specific set of devices is referred to as an access token. Only Admins can create (and manage) these access tokens, which are used by some online collection tasks.
For devices that require an administrator user name and password combination, create two access tokens: a regular one (of type <Device_type>) for the regular user name and password, and a separate one (of type <Device_type> Admin) for the administrator combination.
The types of online collection tasks that can use access tokens are listed in the following table.
Collection task type: Token type
Routers Cisco IOS: Cisco, Cisco Admin
Routers Nortel Passport: Nortel Passport
To create an access token
1 Select Tools > Administrative Tools > Device Access Management.
2 In the Device Access Management dialog box, click Add.
3 In the New Access Token dialog box:
a) Type a Device Name for the access token, such as London Cisco routers.
b) In the Field Type field, select the type of device. Cisco IOS routers, which require an administrator user name and password combination, require two access tokens: one for a regular user whose Type is the device name type (Cisco) and one for the administrator user name and password combination whose Type has the string Admin appended to the name (Cisco Admin).

15
c) In the User Name field, type the user name for this set of devices. For Admin-type access tokens, this is the administrator user name.
d) In the Password and Confirm Password fields, type the password for this set of devices. For Admin-type access tokens, this is the administrator password.
e) If necessary, click the Browse button next to the Scope field to limit the scope of the device set.
f) Click OK to save the new device access token.
How access tokens are used
After creating access tokens, you can use them in online collection tasks. Each access token type matches a specific type of collection. Admin-type access tokens are used only when required by the devices being accessed.
Note: Access tokens are only used when Use Access Tokens is selected in the Properties dialog box of the task. If this option is not selected, even if access tokens exist for the devices specified in the task, they are not used.
When Use Access Tokens is selected, Skybox View checks the access tokens to find those that match the scope and type of the task. Access tokens that do not match either the scope or the type of the task are not used. For example, if there is an access token for Cisco routers in London and one for Cisco firewalls in London, a router collection task uses only the router-type access token and a firewall collection task uses only the firewall-type access token.
If two (or more) access tokens are found that match a task, the best match (the one with the most specific range) is used. For example, you create a collection task for a device with the address ; an access token with a range of matches the task, but an access token with a range of is a more specific match and is used by the task.
Using Cyber-Ark for device password management
Cyber-Ark is a tool that allows highly sensitive passwords to be centrally stored, logged, and managed.
The following tasks can be authenticated with Cyber-Ark:
Firewalls Check Point FireWall-1 CPMI Collection (on page 45)
Firewalls Cisco PIX/ASA/FWSM Collection (on page 58)
Firewalls Cisco Security Manager Collection (on page 61)
Firewalls FortiGate Collection (on page 64)
Firewalls FortiManager Collection (on page 66)
Firewalls Junos Collection (on page 68)
Firewalls NetScreen Collection (on page 69)
Firewalls Juniper Networks NSM Collection (on page 71)
Firewalls McAfee Firewall Enterprise Collection (on page 73)
Firewalls Palo Alto Networks Collection (on page 75)
Firewalls Panorama Collection (on page 77)
Firewalls SonicWALL Collection (on page 63)

16
Load Balancer A10 Collection (on page 104)
Load Balancer AppDirector Collection (on page 109)
Load Balancer BIG-IP Collection (on page 108)
Load Balancer NetScaler Collection (on page 107)
Proxy Blue Coat Collection (on page 43)
Routers Cisco IOS Collection (on page 114)
Routers Cisco Nexus Collection (on page 118)
Routers HP ProCurve Collection (on page 121)
Tools Script Invocation (on page 40)
You must configure Cyber-Ark so that Skybox View tasks can retrieve device authentication credentials from Cyber-Ark.
Configuring Cyber-Ark for device credentials retrieval
It is recommended that you create a separate safe to contain all device authentication credentials required by Skybox View collection tasks.
It is recommended that you use one or more Cyber-Ark application security options:
Add the IP address of the Skybox View Server
Add the Operating System User of the Skybox View Server:
(If you installed the Server as a service): skyboxview
(If you did not install the Server as a service): The installation user
Add the path to JBoss in the Skybox View installation: <Skybox_View_Home>\thirdparty\jboss
Note: The default folder for Cyber-Ark is Root and the default application ID for connecting from Skybox View is SkyboxSecurity. If you change these in Cyber-Ark, you must also change them in Skybox View. For additional information, see Global Task Settings, in the Skybox View Installation and Administration Guide.
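The token-selection rule described under How access tokens are used (type must match the task, scope must contain the device, the most specific range wins, and an Admin-type token is consulted only when the device requires one), as an added illustration that is not Skybox View's code. The token names, the "Cisco Firewall" type, the address ranges, and the assumption that a scope is a CIDR block are all constructed for the example.

```python
"""Constructed model of the access-token matching rule documented in the
Device access management section. Not Skybox View code; the sample tokens
and the CIDR scope format are assumptions made for this illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccessToken:
    device_name: str   # label given in Device Access Management, e.g. "London Cisco routers"
    token_type: str    # "<Device_type>" or "<Device_type> Admin"
    scope: str         # address range the credentials apply to (assumed CIDR here)
    user_name: str     # the password itself is deliberately not modelled


def matching_tokens(tokens: List[AccessToken], token_type: str,
                    device_ip: str) -> List[AccessToken]:
    """Tokens whose type equals the task's token type AND whose scope contains
    device_ip. A token failing either test is never used, so a router task
    ignores a firewall-type token even when its scope covers the device."""
    addr = ip_address(device_ip)
    return [
        t for t in tokens
        if t.token_type == token_type and addr in ip_network(t.scope, strict=False)
    ]


def select_token(tokens: List[AccessToken], token_type: str, device_ip: str,
                 use_access_tokens: bool = True) -> Optional[AccessToken]:
    """Best-match token for one device, or None.
    - Nothing is used unless Use Access Tokens is selected on the task.
    - Among matches, the most specific range (longest prefix) wins."""
    if not use_access_tokens:
        return None
    candidates = matching_tokens(tokens, token_type, device_ip)
    if not candidates:
        return None
    return max(candidates, key=lambda t: ip_network(t.scope, strict=False).prefixlen)


def select_credentials(tokens: List[AccessToken], device_type: str, device_ip: str,
                       needs_admin: bool = False, use_access_tokens: bool = True
                       ) -> Tuple[Optional[AccessToken], Optional[AccessToken]]:
    """(regular, admin) tokens for one device. The Admin-type token is looked up
    only when the device requires an administrator combination (Cisco IOS does)."""
    regular = select_token(tokens, device_type, device_ip, use_access_tokens)
    admin = None
    if needs_admin:
        admin = select_token(tokens, f"{device_type} Admin", device_ip, use_access_tokens)
    return regular, admin


# Constructed sample repository: an org-wide Cisco token, a narrower London
# token with its Admin counterpart, and a London token of a different type
# ("Cisco Firewall" is an invented type name for the example).
SAMPLE_TOKENS = [
    AccessToken("All Cisco routers", "Cisco", "10.0.0.0/8", "netops"),
    AccessToken("London Cisco routers", "Cisco", "10.20.0.0/16", "netops-lon"),
    AccessToken("London Cisco routers (admin)", "Cisco Admin", "10.20.0.0/16", "netops-lon-admin"),
    AccessToken("London Cisco firewalls", "Cisco Firewall", "10.20.0.0/16", "fwadmin-lon"),
]


if __name__ == "__main__":
    # A London router gets the /16 token (more specific than the /8); a router
    # elsewhere in 10/8 falls back to the org-wide token and has no Admin token;
    # a device outside every scope gets nothing.
    for ip in ("10.20.5.1", "10.30.5.1", "192.168.1.1"):
        regular, admin = select_credentials(SAMPLE_TOKENS, "Cisco", ip, needs_admin=True)
        print(ip, "->", regular.device_name if regular else "no matching token",
              "/ admin:", admin.device_name if admin else "none")
```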

17 Chapter 2 Quick reference for data collection
This chapter provides a quick reference for data collection from devices supported by Skybox View. More detailed information for each device is available in the following chapters.
You can collect device data by:
Connecting directly to the device or management system and collecting device data. For this method, you must know the device details, such as credentials and the device IP address. Skybox View has specific collection tasks for many types of devices.
Importing saved device files. For this method, you must save copies of the necessary files on your file system. Skybox View includes offline file import tasks that import these data files.
In this chapter
Quick reference: firewall configuration collection
Quick reference: firewall traffic log and audit log collection
Quick reference: proxies, VPN devices, and IPS devices
Quick reference: load balancers
Quick reference: routers and LAN controllers
Quick reference: scanners
Quick reference: alert services
Quick reference: firewall configuration collection
You can collect device data by:
Connecting directly to the device or device management system and collecting device data. For this method, you must know the device details, such as credentials and the device IP address. Skybox View has many tasks that connect to specific types of devices.
Importing saved device files. For this method, you must save copies of the necessary files on your file system. Skybox View includes offline file import tasks that import these data files.

18
Device / Integration requirements
Barracuda Networks (Phion) Barracuda NG Firewall: Skybox View includes a parser that creates an ixml file from Barracuda Networks Barracuda NG firewall configuration files. This ixml file can then be imported into Skybox View. The parser is located at <Skybox_View_Home>\intermediate\bin\parsers\firewalls\barracuda\barracudangparser.pl. For help using the script, run the script without any parameters. For additional help, open a case at the Skybox Security support portal.
Check Point FireWall-1 (on page 45) and Check Point Provider-1 (on page 53): The OPSEC API is used to get configurations remotely from FireWall-1 Manager or from Provider-1 CMA.
The following files are required for FireWall-1 Manager:
objects_5_0.c: The network objects
rulebases_5_0.fws: The rulebase
The following files are required for Provider-1 CMA:
objects.c or objects_5_0.c: The CMA network objects
rulebases.fws or rulebases_5_0.fws: The CMA rulebase
g_objects.c or g_objects_5_0.c: The global network objects
The following files are optional for FireWall-1 Manager and Provider-1 CMA:
install_statuses.c: The statuses. Note: If the Check Point configuration contains several policies, install_statuses.c is mandatory.
vsx_objects.c: The VSX device objects
You also need the name of the active policy on each firewall module and the ifconfig and netstat -rnv output from each firewall module.
Cisco PIX/ASA/FWSM (on page 58):
The IP address of the firewall
SSH or telnet access to the firewall
An admin user with level 5 privileges
The following files are required:
run.txt: The PIX/ASA/FWSM configuration
(Optional) route.txt: Dump of the PIX/ASA/FWSM routing table
Cisco Security Manager (on page 61):
The IP address of the Security Manager
A user name and password to access the Security Manager

19
(Cisco Security Manager, continued) The following file is required:
*.xml: The Security Manager source file
CiscoWorks (on page 145): The following file is required:
<device_ip_address>.cfg: The firewall configuration
Dell SonicWALL (on page 63):
The name or IP address of the firewall
A user name and password to access the firewall
Fortinet FortiGate (on page 64):
The IP address of the firewall
SSH or telnet access to the firewall
A user name and password to access the firewall
The following files are required:
config.txt: The FortiGate configuration
(Optional) route.txt: Dump of the FortiGate routing table
Fortinet FortiManager (on page 66):
The name or IP address of the FortiManager Security Management appliance
A user name and password to access the FortiManager Security Management appliance
Juniper Networks Junos (on page 68):
The IP address of the firewall
SSH or telnet access to the firewall
A user name and password to access the firewall
The following files are required:
config.txt: The Junos configuration
(Optional) route.txt: Dump of the Junos routing table
Juniper Networks NetScreen (on page 69):
The IP address of the firewall
SSH or telnet access to the firewall
A user name and password to access the firewall
The following files are required:
config.txt: The NetScreen configuration
(Optional) route.txt: Dump of the NetScreen routing table
Juniper Networks NSM (on page 71):
A global domain Read-Only Administrator account
The name or IP address of the NSM
A user name and password to access the NSM

20
Linux iptables (on page 73): The following files are required:
ifconfig.txt: The iptables interfaces configuration report
filter.txt: The iptables filter table
nat.txt: The iptables NAT table
mangle.txt: The iptables mangle table
McAfee Firewall Enterprise (Sidewinder) (on page 73):
The name or IP address of the firewall
A user name and password to access the firewall
Palo Alto Networks (on page 75):
The name or IP address of the firewall
A user name and password to access the firewall
The following files are required:
config.xml: The Palo Alto configuration and system information
(Optional) route.txt: Dump of the Palo Alto Networks routing table
Palo Alto Networks Panorama (on page 77):
The name or IP address of the Panorama
A user name and password to access the Panorama
Sidewinder G2 (McAfee Firewall Enterprise) (on page 78): The following files are required:
The interfaces file
The ipfilter data file
The proxy services definitions file
The proxy rules data (ACL) file
(Optional) Burbs definition file
(Optional) Routing information file
The Skybox View Sidewinder G2 parser creates an ixml file from these files. This ixml file can then be imported into Skybox View.

21
Stonesoft (McAfee) StoneGate: Skybox View includes a collector script that retrieves Stonesoft StoneGate firewall configuration files and a parser that creates an ixml file from these files. This ixml file can then be imported into Skybox View. The collector script is located at <Skybox_View_Home>\intermediate\bin\collectors\firewalls\stonegate\stonegateCollection.pl. The parser is located at <Skybox_View_Home>\intermediate\bin\parsers\firewalls\stonegate\stonegateparser.pl. For help using the scripts, run each script without any parameters. For additional help, open a case at the Skybox Security support portal.
Topsec: Skybox View includes a parser that creates an ixml file from Topsec firewall configuration files. This ixml file can then be imported into Skybox View. The parser is located at <Skybox_View_Home>\intermediate\bin\parsers\router\topsec\topsecparser.pl. For help using the parser, run the parser without any parameters. For additional help, open a case at the Skybox Security support portal.
WatchGuard Technologies: Skybox View includes a collector script that retrieves WatchGuard Technologies firewall configuration files and a parser that creates an ixml file from these files. This ixml file can then be imported into Skybox View. The collector script is located at <Skybox_View_Home>\intermediate\bin\collectors\firewalls\watchguard\watchguardcollection.pl. The parser is located at <Skybox_View_Home>\intermediate\bin\parsers\firewalls\watchguard\watchguardparser.pl. For help using the scripts, run each script without any parameters. For additional help, open a case at the Skybox Security support portal.
Quick reference: firewall traffic log and audit log collection
You can collect firewall traffic and audit data by:
Connecting directly to the management system that manages the firewalls and collecting log data. For this method, you must know the management system details, such as credentials and the device IP address. Skybox View has many tasks that connect to specific management systems.

22
Importing saved firewall log files. For this method, you must save copies of the necessary files on your file system. Skybox View includes offline file import tasks that import these data files.
Data / Integration requirements
Check Point FireWall-1 activity log data (on page 83) (LEA collection):
The IP address of the FireWall-1 management system
A user name and password to access the management system
(If collecting from a log server) The IP address of the log server
Check Point FireWall-1 change events (on page 90) (audit log data):
The IP address of the FireWall-1 management system
A user name and password to access the management system
(If collecting from a log server) The IP address of the log server
Syslog change events (on page 91):
Configure the firewall or syslog server to forward the change events
The path to the directory containing the syslog files
Syslog traffic events (on page 95):
Configure the firewall or syslog server to forward the traffic events
The path to the directory containing the syslog files
Quick reference: proxies, VPN devices, and IPS devices
You can collect device data by:
Connecting directly to the device or device management system and collecting device data. For this method, you must know the device details, such as credentials and the device IP address. Skybox View has many tasks that connect to specific types of devices.
Importing saved device files. For this method, you must save copies of the necessary files on your file system. Skybox View includes offline file import tasks that import these data files.
Device / Integration requirements
BalaBit Shell Control Box: Skybox View includes a parser that creates an ixml file from BalaBit Shell Control Box proxy configuration files. This ixml file can then be imported into Skybox View. The parser is located at <Skybox_View_Home>\intermediate\bin\parsers\proxy\balabitscb\balabitscbparser.pl. For help using the parser, run the parser without

23 Chapter 2 Quick reference for data collection Device Blue Coat (on page 43) HP TippingPoint (on page 101) IBM ISS Proventia G (on page 102) Juniper SSL Data source + Integration requirements any parameters. For additional help, open a case at the Skybox Security support portal. The IP address of the proxy A user name and password to access the proxy The following files are required: *.txt or *.log: The Blue Coat configuration (Optional) route.txt: Dump of the Blue Coat routing table The name or IP address of the SMS appliance A super user name and password to access the SMS appliance The IP address of the TippingPoint device A user name and password to access the TippingPoint device The IP address of the Proventia G appliance A user name and password to access the SiteProtector database Skybox View includes a parser that creates an ixml file from Juniper SSL VPN appliance configuration files. This ixml file can then be imported into Skybox View. The parser is located at <Skybox_View_Home>\intermediate\bin\pa rsers\vpn\juniper\junipersslvpnparser. pl. For help using the parser, run the parser without any parameters. For additional help, open a case at the Skybox Security support portal. Quick reference: load balancers You can collect load balancer data by: Connecting directly to the load balancer ( ) and collecting device data. For this method, you must know the load balancer details, such as credentials and the device IP address. Skybox View has many tasks that connect to specific types of load balancers. Importing saved load balancer files ( ). For this method, you must save copies of the necessary files on your file system. Skybox View includes offline file import tasks that import these data files. Device A10 Networks (on page 104) Data source Integration requirements The IP address of the load balancer A user name and password to access the load Skybox View version

24 Skybox View Reference Guide Device Cisco Ace Cisco CSS (on page 106) Citrix NetScaler (on page 107) F5 BIG-IP (on page 108) Radware AppDirector (on page 109) Radware WSD (on page 111) Data source Integration requirements balancer The following files are required: *.txt or *.log: The A10 configuration (Optional) route.txt: Dump of the A10 routing table Skybox View includes a parser that creates an ixml file from Cisco Ace load balancer configuration files. This ixml file can then be imported into Skybox View. The parser is located at <Skybox_View_Home>\intermediate\bin\pa rsers\loadbalancers\ciscoace\ciscoacep arser.pl. For help using the parser, run the parser without any parameters. For additional help, open a case at the Skybox Security support portal. The following file is required: A Cisco CSS configuration file The Skybox View Cisco CSS parser creates an ixml file from this file. This ixml file can then be imported into Skybox View. The IP address of the load balancer A user name and password to access the load balancer The IP address of the load balancer A user name and password to access the load balancer The IP address of the load balancer A user name and password to access the load balancer The following files are required: *.*: The AppDirector configuration (Optional) route.txt: Dump of the AppDirector routing table The IP address of the load balancer The SNMP Community string to access the load balancers The following file is required: *.txt: A WSD SNMP dump file Quick reference: routers and LAN controllers With Skybox View, you can collect router configuration data by: Connecting directly to the router ( ) and collecting device data. Skybox View version

25 Chapter 2 Quick reference for data collection For this method, you must know the router details, such as credentials and the device IP address. Skybox View has many tasks that connect to specific types of routers. Importing saved device files ( ). For this method, you must save copies of the necessary files on your file system. Skybox View includes offline file import tasks that import these data files. Device Alcatel-Lucent Cisco Wireless LAN Controller CiscoWorks (on page 145) Brocade (Foundry Networks) Data source Integration requirements Skybox View includes a collector script that retrieves Alcatel-Lucent router configuration files and a parser that creates an ixml file from these files. This ixml file can then be imported into Skybox View. The collector script is located at <Skybox_View_Home>\intermediate\bin\co llectors\router\alcatellucent\alcatell ucentcollection.pl. The parser is located at <Skybox_View_Home>\intermediate\bin\pa rsers\router\alcatellucent\alcatelluce ntparser.pl. For help using the scripts, run each script without any parameters. For additional help, open a case at the Skybox Security support portal. Skybox View includes a parser that creates an ixml file from Cisco Wireless LAN Controller configuration files. This ixml file can then be imported into Skybox View. The parser is located at <Skybox_View_Home>\intermediate\bin\pa rsers\wireless\ciscowlc\ciscowlcparser.pl. For help using the parser, run the parser without any parameters. For additional help, open a case at the Skybox Security support portal. The following file is required: <device_ip_address>.cfg: The router configuration The following files are required: run.txt: The router s configuration (Optional) route.txt: Dump of the router s routing table Skybox View version

Device: H3C
  Parser: Skybox View includes a parser that creates an ixml file from H3C router configuration files. This ixml file can then be imported into Skybox View. The parser is located at <Skybox_View_Home>\intermediate\bin\parsers\router\h3c\h3cparser.pl. For help using the parser, run the parser without any parameters. For additional help, open a case at the Skybox Security support portal.

Device: HP ProCurve (on page 121)
  Direct connection:
  - The IP address of the router
  - A user name and password to access the router
  File import, required files:
  - *.*: The ProCurve configuration
  - (Optional) route.txt: Dump of the ProCurve routing table

Device: Nortel Passport 8600 (on page 122)
  Direct connection:
  - The IP address of the router
  - SSH or telnet access to the router
  - A user name and password to access the router
  File import, required files:
  - run.txt: The Nortel configuration
  - (Optional) route.txt: Dump of the Nortel routing table

Quick reference: scanners

You can collect device data by:
- Connecting directly to the scanner or scanner management system and collecting device data. For this method, you must know the scanner details, such as credentials and the device IP address. Skybox View has many tasks that connect to specific types of scanners.
- Importing saved scanner files. For this method, you must save copies of the necessary files on your file system. Skybox View includes offline file import tasks that import these data files.

Device: eEye Retina scanner (on page 125)
  Integration requirements, one of:
  - The path to an RTD file
  - The name of the DSN that is configured for the Retina output

Device: McAfee Foundstone FoundScan scanner (on page 126)
  Direct connection:
  - The name or IP address of the database server that hosts the FoundScan database
  - A user name and password to access the FoundScan database

Device: HP Software & Solutions (OpenView) (on page 145)
  File import, required file:
  - *.txt: HPOV topology dump

Device: IBM SiteProtector (on page 128)
  Direct connection:
  - The IP address of the scanner
  - The name or IP address of the database server that hosts the SiteProtector database
  - A user name and password to access the SiteProtector database

Device: Nmap
  - Use a topology discovery task (see page 151).
  - Use a basic file import (on page 35) or advanced file import (on page 36) task. The following file is required:
    - *.xml: Nmap XML file (output of nmap -v -sS -O -oX <out-file> <scan-range>)

Device: Outpost24
  Parser: Skybox View includes a parser that creates an ixml file from Outpost24 scanner files. This ixml file can then be imported into Skybox View. The parser is located at <Skybox_View_Home>\intermediate\bin\parsers\scanners\outpost24\outpost24parser.pl. For help using the parser, run the parser without any parameters. For additional help, open a case at the Skybox Security support portal.

Device: Qualys QualysGuard scanner (on page 129)
  Direct connection:
  - A user name and password to access the Qualys account
  File import, required files:
  - scan.xml: Qualys scan
  - (Optional) map.xml: Qualys map

Device: Rapid7 Nexpose (on page 132)
  Direct connection:
  - The IP address of the scanner
  - A user name and password to access the scanner
  File import, required files:
  - A set of *.xml: Rapid7 Nexpose audit report files. The files can be in ns-xml, raw-xml, or qualys-xml format.

Device: Shavlik NetChk Protect patch management tool (on page 133)
  Integration requirements, one of:
  - The path to an MDB file
  - The name of the DSN that is configured for the NetChk Protect output
  File import, required file:
  - *.txt: Shavlik NetChk Protect Vulnerability Scanner Report

Device: SNMP walk
  - Use a basic file import (on page 35) or advanced file import (on page 36) task. The following file is required:
    - *.*: SNMP walk dump

Device: Tenable Network Security Nessus (on page 134)
  Direct connection:
  - The IP address of the scanner
  - A user name and password to access the scanner
  File import, required file:
  - *.nessus: Nessus XML file

Device: Tripwire ncircle scanner (on page 136)
  File import, required files for ncircle XML3:
  - scan.xml: ncircle export XML
  - aspl.xml: ncircle ASPL XML
  File import, required file for ncircle XML2:
  - *.xml: ncircle export XML

Quick reference: alert services

You can collect alert service data by:
- Connecting directly to the alert service or its management system and collecting data. For this method, you must know the alert service details, such as credentials and the device IP address. Skybox View has many tasks that connect to specific types of devices.
- Importing saved alert service files. For this method, you must save copies of the necessary files on your file system. Skybox View includes offline file import tasks that import these data files.

Chapter 3 File import tasks

This chapter describes how to set the parameters of file import tasks.

Note: File import tasks can import a new model (in XML or encrypted XML format) into the current model, thus merging two models. This is useful if you must merge several models.

In this chapter
- Import directory tasks
- Data formats for file import tasks
- Basic file import tasks
- Advanced file import tasks
- Collector file import tasks
- Advanced collector file import tasks
- Script invocation tasks
- Importing interface and routing configuration

Import directory tasks

Import Directory tasks import the configuration or scan data files of multiple devices into a Skybox View model, where the files are in a specified directory located on the Skybox View Server or on a Skybox View Collector. For a list of supported devices, scanners, and files and their file formats, see Supported devices and files for import directory tasks (on page 30).

Directory structure

Single configuration files for devices and scanner output files must be located in the specified directory (this directory can contain any number of these files, for the same or different devices); if a device has multiple configuration files, the files must be located in a first-level subdirectory of the specified directory (one subdirectory per device). You can specify up to four directories per Import Directory task.

The specified directory can contain any of the following file types:
- A device configuration file
- A single file that combines the device configuration and a dump of the routing table
- A single file that combines the netstat and ifconfig data
- A scanner output file
- An ixml file

Each (first-level) subdirectory can contain one of the following sets of files:
- Device configuration and a dump of the routing table in separate files
- Check Point files: (Mandatory) objects.c, rulebases.fws; (Optional) global objects, statuses file
  Note: If the Check Point configuration contains several policies, install_statuses.c is mandatory (it contains the information of which policy is installed on which firewall).
- netstat and ifconfig data in separate files

Note: In all cases the files can have any names: Skybox View identifies the file type.

Task parameters

The parameters that control Import Directory tasks are described in the following table.

Basic tab
  Run in: The location of the files to import.
  Modified in: The age of the files to import. Custom: Select Specific or Relative start and end times.
  Set <n>: Specify up to four sets of devices (directories). (To import more sets, use the Additional Sets field.) If you specify Location Hint in the Advanced tab, all devices must be at the same location.
  Directory: The full path to the directory containing the files (and subdirectories) to import.
  Comment: A description of the contents of Directory.
  Additional Sets: Click the Browse button and type the directories containing the configuration data of additional sets of devices (one per line). Optionally, specify a location hint per directory.

Advanced tab
  Location Hint: The location of the devices whose data is imported. (To import the data of more than one device, the devices must be at the same location.) Note: Use this parameter when different locations use the same set of IP addresses, so that two devices at different locations can have the same IP address.
  Merge assets by Wins name: Specifies whether to merge assets from the same network by name and not by IP address. Select this option when assets do not have fixed IP addresses.
  Do not force unique tag merging: If selected, and the firewall or router being imported has a unique tag, the task tries to match the device to devices already existing in the model according to network interfaces. If unsuccessful, the task adds the device to the model. If cleared, the task adds the device to the model if it has a unique tag.
  ncircle ASPL file: (For ncircle XML3 imports) The ASPL file to use for all ncircle imports (so that the file is only parsed once by Skybox View). If this field is left blank, the ASPL file is parsed separately for each ncircle import.

Supported devices and files for import directory tasks

Import Directory tasks support the following devices, scanners, and files:

Devices
- A10 Networks load balancers
- Blue Coat proxies
- Check Point FireWall-1 firewalls and Provider-1 CMAs
- Cisco PIX/ASA/FWSM firewalls
- Cisco IOS routers
- Cisco Nexus routers
- F5 BIG-IP load balancers
- Fortinet FortiGate firewalls
- HP ProCurve routers
- Juniper Networks Junos firewalls and routers
- Juniper Networks NetScreen firewalls
- McAfee ePolicy Orchestrator management systems
- McAfee Firewall Enterprise firewalls
- Palo Alto Networks firewalls
- Radware AppDirector load balancers
- ixml: A file containing device configuration written in Skybox View's Integration XML (ixml). For information about ixml, see the Integration part of the Skybox View Developer's Toolkit.

Scanner output
- Nessus vulnerabilities scanners (XML format)
- Qualys QualysGuard scanners (XML format)
- Rapid7 Nexpose scanners
- Tripwire ncircle scanners (XML format)

Network state files (see Importing interface and routing configuration (on page 41))
- netstat data files
- ifconfig data files

Data formats for file import tasks

Note: It is recommended that you use Import Directory tasks (see page 29) for all supported devices and file types (see page 30) (including network state files and ixml files).

The import data format types supported by Skybox View are listed in the following table. The table also gives the relevant source file or folder required for the file import. The information in this table is used by the following file import task types: Import Basic, Import Advanced, Import Collector, and Import Collector Advanced.

Note: For Import Basic tasks, you must specify the location of each file separately and not the folder.

Format name: A10
  Type of import data: A10
  Source file or folder: Folder containing the following files:
  - *.txt or *.log: The A10 configuration
  - (Optional) route.txt: Dump of the A10 routing table

Format name: AppDirector
  Type of import data: APPDIRECTOR
  Source file or folder: Folder containing the following files:
  - *.*: The AppDirector configuration
  - (Optional) route.txt: Dump of the AppDirector routing table

Format name: BIG-IP
  Type of import data: BIGIP

Format name: BlueCoat
  Type of import data: BLUECOAT
  Source file or folder: Folder containing the following files:
  - *.txt or *.log: The Blue Coat configuration
  - (Optional) route.txt: Dump of the Blue Coat routing table

Format name: Cisco Router Configuration (used for Cisco IOS and Cisco Nexus routers)
  Type of import data: IOS_CONF
  Source file or folder: Folder containing the following files:
  - run.txt: The Cisco router configuration
  - (Optional) route.txt: Dump of the Cisco router routing table
  Note: Import Advanced and Import Collector tasks can import the output of selected subcommands of the ip route vrf * command. If route.txt is not found in the specified folder, the tasks process all files named route_xxx.txt. For example, execute the command show ip route vrf connected and save the output in route_connected.txt.

Format name: Cisco Security Manager Configuration
  Type of import data: CSM_CONFIG_FILE
  Source file or folder: Cisco Security Manager source file (*.xml)

Format name: EPO
  Type of import data: EPO

Format name: FireWall-1 Configuration
  Type of import data: FW1_CONF
  Source file or folder: Folder containing the following files:
  - objects_5_0.c: The network objects
  - rulebases_5_0.fws: The rulebase
  - (Optional) install_statuses.c: The statuses
  - (Optional) vsx_objects.c: The VSX device objects (from the vsx_slot_objects table)
  Note: For Import Basic tasks, any file names with the appropriate extensions (*.c and *.fws) are permitted.

Format name: FortiGate Configuration file
  Type of import data: FORTIGATE_CONFIG_FILE
  Source file or folder: Folder containing the following files:
  - config.txt: The FortiGate configuration
  - (Optional) route.txt: Dump of the FortiGate routing table

Format name: Foundry Configuration
  Type of import data: FOUNDRY
  Source file or folder: Folder containing the following files:
  - run.txt: The Foundry configuration
  - (Optional) route.txt: Dump of the Foundry routing table

Format name: FWSM Configuration
  Type of import data: FWSM_CONF
  Source file or folder: Folder containing the following files:
  - run.txt: The PIX/ASA/FWSM configuration
  - (Optional) route.txt: Dump of the PIX/ASA/FWSM routing table

Format name: HFNetChk Vulnerability Scanner Report
  Type of import data: HFNETCHK
  Source file or folder: Shavlik NetChk Protect Vulnerability Scanner Report file (*.txt)

Format name: HP ProCurve
  Type of import data: HPPROCURVE
  Source file or folder: Folder containing the following files:
  - *.*: The ProCurve configuration
  - (Optional) route.txt: Dump of the ProCurve routing table

Format name: HPOV Topology Dump
  Type of import data: HPOV_TOPODUMP
  Source file or folder: HP Software & Solutions (OpenView) topology dump file (*.txt)

Format name: Intermediate Security Model XML
  Type of import data: INTERMEDIATE_XML
  Source file or folder: ixml file (*.xml)

Format name: IpTables Configuration
  Type of import data: IPTABLES
  Source file or folder: Folder containing the following files:
  - ifconfig.txt: The iptables interfaces configuration report
  - filter.txt: The iptables filter table
  - nat.txt: The iptables NAT table
  - mangle.txt: The iptables mangle table

Format name: Junos Configuration file
  Type of import data: JUNOS_CONFIG_FILE
  Source file or folder: Folder containing the following files:
  - config.txt: The Junos configuration
  - (Optional) route.txt: Dump of the Junos routing table

Format name: McAfee Enterprise Firewall
  Type of import data: MCAFEEFIREWALL

Format name: ncircle Scan
  Type of import data: NCIRCLE
  Source file or folder:
  - (ncircle XML2) ncircle export XML file (*.xml)
  - (ncircle XML3) Folder containing the following files: ncircle export XML (scan.xml) and ncircle ASPL XML (aspl.xml)

Format name: Nessus Scan
  Type of import data: NESSUS_XML
  Source file or folder: Nessus XML file (usually *.xml or *.nessus)

Format name: NetScreen Configuration file
  Type of import data: NETSCREEN_CONFIG_FILE
  Source file or folder: Folder containing the following files:
  - config.txt: The NetScreen configuration
  - (Optional) route.txt: Dump of the NetScreen routing table

Format name: NetScreen SNMP Dump file
  Type of import data: NETSCREEN_SNMP_DUMP
  Source file or folder: NetScreen SNMP dump file (*.txt)

Format name: Network State
  Type of import data: HOST_ROUTING_AND_INTERFACES
  Source file or folder: Folder containing the following files:
  - netstat.txt: The network status report
  - ifconfig.txt: The interfaces configuration report

Format name: NMap Scan
  Type of import data: NMAP_XML
  Source file or folder: Nmap XML file (*.xml)

Format name: Nortel Bay 8600 Configuration
  Type of import data: NORTEL_BAY
  Source file or folder: Folder containing the following files:
  - run.txt: The Nortel configuration
  - (Optional) route.txt: Dump of the Nortel routing table

Format name: Palo Alto Firewall Configuration
  Type of import data: PALO_ALTO
  Source file or folder: Folder containing the following files:
  - config.xml: The Palo Alto configuration
  - (Optional) route.txt: Dump of the Palo Alto routing table

Format name: PIX Configuration
  Type of import data: PIX_CONF
  Source file or folder: Folder containing the following files:
  - run.txt: The PIX/ASA/FWSM configuration
  - (Optional) route.txt: Dump of the PIX/ASA/FWSM routing table

Format name: Provider-1 Configuration
  Type of import data: PFW1_CONF
  Source file or folder: Folder containing the following files:
  - objects.c or objects_5_0.c: The CMA network objects
  - rulebases.fws or rulebases_5_0.fws: The CMA rulebase
  - g_objects.c or g_objects_5_0.c: The global network objects
  - (Optional) install_statuses.c: The statuses
  - (Optional) vsx_objects.c: The VSX device objects (from the vsx_slot_objects table)
  Note: For Import Basic tasks, any file names with the appropriate extensions (*.c and *.fws) are permitted.

Format name: Qualys Map and Scan
  Type of import data: QUALYS
  Source file or folder: Folder containing the following files:
  - scan.xml: The Qualys scan
  - (Optional) map.xml: The Qualys map

Format name: Rapid7
  Type of import data: RAPID_7

Format name: Skybox Netmodel
  Type of import data: SKYBOX_XML
  Source file or folder: Skybox View XML file (*.xml)

Format name: Skybox Netmodel Encrypted
  Type of import data: SKYBOX_XML_ENC
  Source file or folder: Encrypted Skybox View XML file (*.xmlx)

Format name: SnmpWalk Configuration
  Type of import data: SNMPWALK_DUMP
  Source file or folder: SNMP walk dump file (*.*)

Format name: vshield Edge

Format name: WSD SNMP Dump
  Type of import data: RADWSD_SNMP_DUMP
  Source file or folder: WSD SNMP dump file (*.txt)

Basic file import tasks

Import Basic tasks import scan data or configuration files of selected devices (up to five) into a Skybox View model, where the files are located on the local machine. To import data into Skybox View without a limitation on the number of devices imported per task, see Advanced file import tasks (on page 36). To import configuration files located on a remote machine, see Collector file import tasks (on page 39) and Advanced collector file import tasks (on page 39).

Task parameters

The parameters that control Import Basic tasks are described in the following table.

Basic tab
  Import Data 1: A data set to import. Open the Import Data dialog box to specify the import parameters. For an explanation of the dialog box parameters, see Import Data dialog box (on page 36).
  Import Data 2: (Optional) An additional data set to import.
  Import Data 3: (Optional) An additional data set to import.
  Import Data 4: (Optional) An additional data set to import.
  Import Data 5: (Optional) An additional data set to import.

Advanced tab
  Location Hint: The location of the devices whose data is imported. (To import the data of more than one device, the devices must be at the same location.) Note: Use this parameter when different locations use the same set of IP addresses, so that two devices at different locations can have the same IP address.
  Merge assets by Wins name: Specifies whether to merge assets from the same network by name and not by IP address. Select this option when assets do not have fixed IP addresses.

Import Data dialog box

The parameters of the Import Data dialog box are described in the following table.

  Format: The format type for the offline file import. Format types are listed in the first column of the table in Data formats for file import tasks (on page 31). This is the only field displayed when you open the dialog box. Once you select a Format, additional fields are displayed that allow you to select the required file types. For additional information about required file types, refer to the third column of the table in Data formats for file import tasks (on page 31).
  <file_type_1>: The first file type required for the selected Format.
  <file_type_2> ... <file_type_n>: Additional file types required for the selected Format.

Import Data dialog box for FireWall-1 or Provider-1 Configuration

If you select FireWall-1 Configuration or Provider-1 Configuration in the Format field of the Import Data dialog box, additional fields are displayed in the dialog box. These parameters are described in the following table.

  Modules List: A comma-separated (or semicolon-separated) list of the names of specific Enforcement Modules to import into Skybox View.
  Rulebase: The policy (rulebase) to import:
  - Use active policy: If a statuses file (usually install_statuses.c) is specified in Statuses file, the active policy as specified in the statuses file. Otherwise, the most recently edited policy as specified in the objects file.
  - Use Specific: Type the name of a policy.
  Network Objects file, Rulebases file, Global Network Objects file (Provider-1 only), Statuses file, VSX Objects File: The locations of the configuration files required for the offline file import. For information about these files, see Importing Check Point FireWall-1 configuration data (on page 53) or Importing Check Point Provider-1 CMA configuration data (on page 57).

Advanced file import tasks

Import Advanced tasks import scan data or configuration files of any number of devices into a Skybox View model, where the files are located on the local machine. These tasks require a definition file, a text file that specifies, for each device, the data type to be imported, the path of the data file to be imported, and possibly some additional parameters. For information about the definition file, see Definition file for advanced file import tasks (on page 37).

Task parameters

The parameters that control Import Advanced tasks are described in the following table.

Basic tab
  Definition Filename: The absolute path to the definition file that the Skybox View Server can access. For information about the definition file, see Definition file for advanced file import tasks (on page 37).
  XML Output Filename: If the file import succeeds, this file (in Skybox View's Integration XML (ixml) format) is created on the Skybox View Server and contains the imported data. If the file exists, it is overwritten. Note: If the definition file includes location hints, one output file is created for each location. (The location is added to the file name specified by this parameter.)

Advanced tab
  Merge assets by Wins name: Specifies whether to merge assets from the same network by name and not by IP address. Select this option when assets do not have fixed IP addresses.

Definition file for advanced file import tasks

Import Advanced and Import Collector Advanced tasks require a text file (the definition file) that specifies the data type to be imported, the path of the data file to be imported, and possibly some additional parameters. Each line of this text file represents one data file to be imported. The definition text file can contain as many lines as necessary.

Format of lines in a definition file

Each line in a definition text file has the following format:

  <import_format_type> <source_file|folder> [<rulebase> [<modules>]]

Where:
- <import_format_type> is the data type to be imported. For a list of import format types, refer to the second column of the table in Data formats for file import tasks (on page 31).
- <source_file|folder> is one of:
  - The full path of the data file to be imported
  - The full path of a folder containing multiple data files to be imported (if the import type requires more than one file)
  The path must be written without quotes and it must not contain spaces. (For example, data files to be imported cannot be saved under C:\Program Files.)
  Important: When running a Skybox View Collector as a service on Windows, you cannot use a mapped network drive when specifying the full path. Workaround: Use the Universal Naming Convention (UNC) name: \\<server_name>\<share_name>\<folder>[\<file_name>].
- <rulebase> and <modules> are applicable only if the value for <import_format_type> is FW1_CONF or PFW1_CONF. They are described in the following table.
  <rulebase>: Use one of the following:
  - The name of the policy (rulebase) to import.
  - USE_AUTOMATIC: If install_statuses.c is included in the specified folder, the active policy as specified in install_statuses.c is imported. Otherwise, the most recently edited policy as specified in objects.c is imported.
  <modules>: A comma-separated (or semicolon-separated) list of the names of the Enforcement Modules to be imported. If no Enforcement Modules are specified, all modules are imported.

Examples of lines in a definition file

For importing a Nessus XML:
  NESSUS_XML c:\scans\network_scan.xml

For importing a Cisco IOS Router configuration:
  IOS_CONF c:\ios\router1
To import run.txt and, if it exists, route.txt, a folder is specified.

For importing a FireWall-1 configuration:
  FW1_CONF c:\fws\mainfw Standard
The folder must contain two files, objects_5_0.c and rulebases_5_0.fws. Because no Enforcement Modules are specified, all modules are imported.

Including location hints in a definition file

If your organization has overlapping networks, you might need to add a location hint to some lines of the definition file. Overlapping networks are networks in your organization that have identical or overlapping IP addresses and subnets. These networks are usually located in different parts of your organization, separated by firewalls or routers.

Each line used to import an overlapping network must have the following format:

  <import_format_type> <source_file|folder> [<location_hint>]

Important Note: The square brackets ([ and ]) are part of the format of the line; they do not denote an optional element.

Examples of lines with location hint in a definition file

  NMAP_XML c:\sample\result.xml [London\Bakers]
  PIX_CONF c:\sample\file.cfg [Paris]

You can use \ and / as delimiters in the location hint. To preserve whitespace in location names, place the location inside double quotation marks. For example:
- PIX_CONF c:\sample\file.cfg [North America/New York]: The location is read as NorthAmerica >> NewYork
- PIX_CONF c:\sample\file.cfg ["North America/New York"]: The location is read as North America >> New York
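The line grammar above is small enough to validate before a task is scheduled, which catches a bad format type, a quoted or space-containing path, or a rulebase given for a non-Check Point format in a pre-check instead of at run time. The following parser is an added example and is not Skybox code; the format-type names are the "Type of import data" column of the data-formats table, the function names (parse_definition_line, validate_definition_file, location_display) are this example's own, and it assumes that a Check Point line may carry both rulebase/modules fields and a trailing location hint, which the guide does not state either way.

```python
"""Parser/validator for advanced-import definition files (added example).

Implements the documented line grammar:
    <import_format_type> <source_file|folder> [<rulebase> [<modules>]]
    <import_format_type> <source_file|folder> [<location_hint>]
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "Type of import data" values from the data-formats table.
FORMAT_TYPES = {
    "A10", "APPDIRECTOR", "BIGIP", "BLUECOAT", "IOS_CONF", "CSM_CONFIG_FILE",
    "EPO", "FW1_CONF", "FORTIGATE_CONFIG_FILE", "FOUNDRY", "FWSM_CONF",
    "HFNETCHK", "HPPROCURVE", "HPOV_TOPODUMP", "INTERMEDIATE_XML", "IPTABLES",
    "JUNOS_CONFIG_FILE", "MCAFEEFIREWALL", "NCIRCLE", "NESSUS_XML",
    "NETSCREEN_CONFIG_FILE", "NETSCREEN_SNMP_DUMP", "HOST_ROUTING_AND_INTERFACES",
    "NMAP_XML", "NORTEL_BAY", "PALO_ALTO", "PIX_CONF", "PFW1_CONF", "QUALYS",
    "RAPID_7", "SKYBOX_XML", "SKYBOX_XML_ENC", "SNMPWALK_DUMP", "RADWSD_SNMP_DUMP",
}
# Only Check Point imports accept the optional <rulebase> and <modules> fields.
CHECKPOINT_TYPES = {"FW1_CONF", "PFW1_CONF"}

# Trailing [hint] or ["hint with spaces"]; the brackets are literal.
_HINT_RE = re.compile(r'\s*\[(?:"([^"\]]*)"|([^\]]*))\]\s*$')


@dataclass
class ImportLine:
    format_type: str
    source: str                        # file or folder path: unquoted, no spaces
    rulebase: Optional[str] = None     # policy name or USE_AUTOMATIC
    modules: Tuple[str, ...] = ()      # Enforcement Modules; empty means all
    location: Tuple[str, ...] = ()     # location hint components, e.g. ("Paris",)


def parse_location_hint(raw: str, quoted: bool) -> Tuple[str, ...]:
    """Split a hint on / or \\. An unquoted hint loses all whitespace
    (North America/New York -> NorthAmerica >> NewYork); a quoted one keeps it."""
    if not quoted:
        raw = re.sub(r"\s+", "", raw)
    parts = tuple(re.split(r"[\\/]", raw))
    if not raw or any(p == "" for p in parts):
        raise ValueError(f"malformed location hint: {raw!r}")
    return parts


def parse_definition_line(line: str) -> ImportLine:
    location: Tuple[str, ...] = ()
    m = _HINT_RE.search(line)
    if m:
        quoted = m.group(1) is not None
        location = parse_location_hint(m.group(1) if quoted else m.group(2), quoted)
        line = line[: m.start()]
    tokens = line.split()
    if len(tokens) < 2:
        raise ValueError("expected <import_format_type> <source_file|folder>")
    fmt, source = tokens[0], tokens[1]
    if fmt not in FORMAT_TYPES:
        raise ValueError(f"unknown import format type {fmt!r}")
    if source[0] in "\"'":
        raise ValueError("path must be written without quotes")
    extra = tokens[2:]
    if extra and fmt not in CHECKPOINT_TYPES:
        # Either a path containing spaces (not allowed) or rulebase/modules
        # given for a format that does not take them.
        raise ValueError(f"unexpected tokens {extra} for {fmt}: paths must not contain spaces")
    if len(extra) > 2:
        raise ValueError(f"too many fields: {extra}")
    rulebase = extra[0] if extra else None
    modules = tuple(x for x in re.split(r"[,;]", extra[1]) if x) if len(extra) == 2 else ()
    return ImportLine(fmt, source, rulebase, modules, location)


def validate_definition_file(text: str) -> Tuple[List[ImportLine], List[str]]:
    """Parse every non-blank line; return (entries, error messages)."""
    entries: List[ImportLine] = []
    errors: List[str] = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entries.append(parse_definition_line(line))
        except ValueError as e:
            errors.append(f"line {n}: {e}")
    return entries, errors


def location_display(entry: ImportLine) -> str:
    """Render the location the way the guide shows it: North America >> New York."""
    return " >> ".join(entry.location)
```

Feed the whole definition file to validate_definition_file and refuse to schedule the task while the error list is non-empty; the messages name the offending line so the file can be corrected before the Server or Collector reads it.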

39 Chapter 3 File import tasks Collector file import tasks Import Collector tasks import scan data or configuration files of single devices into a Skybox View model, where the files are located on a machine that is accessible by the selected Skybox View Collector. To import data held on a remote machine into Skybox View without a limitation on the number of devices imported per task, see Advanced file import tasks (on page 36). Task parameters The parameters that control Import Collector tasks are described in the following table. Basic tab File Type Path The format type for the file import. Possible format types are listed in the first column of the table in Data formats for file import tasks (on page 31). The path of the source file to import or the folder containing the source files to import. The value required for Path depends on the value of File Type; refer to the third column of the table in Data formats for file import tasks (on page 31). The name of the policy (rulebase) to import. Note: This value is used only if File Type has the value FireWall-1 Configuration or Provider-1 Configuration. Advanced tab Location Hint The location of the device whose data is imported. Note: Use this parameter when different locations use the same set of IP addresses, so that two devices at different locations can have the same IP address. Advanced collector file import tasks Import Collector Advanced tasks import scan data or configuration files of any number of devices into a Skybox View model, where the files are located on a machine that is accessible by the selected Skybox View Collector. These tasks require a definition file a text file that specifies, for each device, the data type to be imported, the path of the data file to be imported, and possibly some additional parameters. For information about the definition file, see Definition file for advanced file import tasks (on page 37). 
Task parameters

The parameters that control Import Collector Advanced tasks are described in the following table.

  Definition Filename
    The absolute path to the definition file that the Skybox View Collector can access. For information about the definition file, see Definition file for advanced file import tasks (on page 37).

  XML Output Filename
    If the file import succeeds, this file (in Skybox View's Integration XML (ixml) format) is created on the Skybox View Server and contains the imported data. If the file exists, it is overwritten.

Script invocation tasks

Tools Script Invocation tasks run a program on a Skybox View machine (for example, on a machine running a Skybox View Collector, a Tools Script Invocation task could run a program to move data to a location from where Skybox View can import it).

Task parameters

The parameters that control Tools Script Invocation tasks are described in the following table.

Basic tab

  Run in
    Where to run the program.

  Program
    The full path to the program to be run; include the program name. See the Important note at the end of this section.

  Arguments
    A space-separated list of the arguments to be used when the program is run. If User and Password are specified in the Advanced tab, use %u and %p in the string for these parameters. If Additional User and Additional Password are specified in the Advanced tab, use %u2 and %p2 in the string for these parameters. (Use %% if % is required in the argument string.)

  Import ixml
    Specifies whether the program produces an ixml file to import into the model.

  ixml file path
    This field is enabled only if Import ixml is selected. The path to the ixml file produced by the invoked program.

Advanced tab

  Save output to file
    Specifies whether to save the invoked program's output to a file. If selected, Skybox View saves the output to <Skybox_View_Home>\data\collector\temp\SimpleExecution_<skybox_generated_number>.txt.

  Method
    Device: Use the authentication credentials provided here.
    Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)

  User
    This field is displayed only if Method = Device. Use this field if a user name is required as an argument for the specified program. The value in this field is represented by %u in the parameter string passed to the program.

  Password
    This field is displayed only if Method = Device. Use this field if a password is required as an argument for the specified program. The value in this field is represented by %p in the parameter string passed to the program.

  Additional User
    This field is displayed only if Method = Device. Use this field if an additional user name is required as an argument for the specified program. The value in this field is represented by %u2 in the parameter string passed to the program.

  Additional Password
    This field is displayed only if Method = Device. Use this field if an additional password is required as an argument for the specified program. The value in this field is represented by %p2 in the parameter string passed to the program.

  Safe
    This field is displayed only if Method = Cyber-Ark. Use this field if a user name is required as an argument for the specified program. The name of the Cyber-Ark safe that contains the user authentication credential object.

  Object
    This field is displayed only if Method = Cyber-Ark. Use this field if a user name is required as an argument for the specified program. The name of the Cyber-Ark object that contains the user name and password. The user name is represented by %u in the parameter string passed to the program. The password (if required) is represented by %p in the parameter string passed to the program.

  Additional Safe
    This field is displayed only if Method = Cyber-Ark. Use this field if an additional user name is required as an argument for the specified program. The name of the Cyber-Ark safe that contains the additional user authentication credential object.

  Additional Object
    This field is displayed only if Method = Cyber-Ark. Use this field if an additional user name is required as an argument for the specified program. The name of the Cyber-Ark object that contains the additional user name and password. The user name is represented by %u2 in the parameter string passed to the program. The password (if required) is represented by %p2 in the parameter string passed to the program.

Task Status

  Task Exit Status
    Error: Exit codes listed in Script Exit Codes signify failure. All other exit codes signify success.
    Success: Exit codes listed in Script Exit Codes signify success. All other exit codes signify failure.

  Script Exit Codes
    A comma-separated list of exit codes used by Task Exit Status.
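An added example, not Skybox View code, that writes out the two rules the table above states so they can be checked before a task is scheduled: placeholder substitution in the Arguments string (%u, %p, %u2, %p2 and %%) and the Task Exit Status / Script Exit Codes decision. How an unknown sequence such as %x is treated is not stated on the page; passing it through unchanged is an assumption, as is splitting the expanded string on whitespace.

```python
"""Added example, not Skybox View code: Tools Script Invocation argument expansion
and exit-code evaluation as the task parameter table describes them."""
import subprocess
import sys


def expand_arguments(template: str, user: str = "", password: str = "",
                     user2: str = "", password2: str = "") -> str:
    """Substitute the credential placeholders in an Arguments string.

    Scanned left to right so that '%u2' is recognised before '%u' and '%%'
    yields a single literal '%'. An unknown sequence is passed through (assumption)."""
    out, i, n = [], 0, len(template)
    while i < n:
        if template[i] != "%":
            out.append(template[i])
            i += 1
            continue
        nxt = template[i + 1:i + 3]  # up to two characters after the '%'
        if nxt.startswith("%"):
            out.append("%")
            i += 2
        elif nxt == "u2":
            out.append(user2)
            i += 3
        elif nxt == "p2":
            out.append(password2)
            i += 3
        elif nxt.startswith("u"):
            out.append(user)
            i += 2
        elif nxt.startswith("p"):
            out.append(password)
            i += 2
        else:
            out.append("%")
            i += 1
    return "".join(out)


def parse_exit_codes(script_exit_codes: str) -> set[int]:
    """Parse the comma-separated Script Exit Codes field ('0, 10' -> {0, 10})."""
    return {int(code) for code in script_exit_codes.split(",") if code.strip()}


def task_succeeded(exit_code: int, task_exit_status: str, script_exit_codes: str) -> bool:
    """Error: listed codes mean failure, all others success.
    Success: listed codes mean success, all others failure."""
    listed = exit_code in parse_exit_codes(script_exit_codes)
    if task_exit_status == "Error":
        return not listed
    if task_exit_status == "Success":
        return listed
    raise ValueError(f"unknown Task Exit Status: {task_exit_status!r}")


def run_task(program: str, arguments: str, task_exit_status: str,
             script_exit_codes: str, **credentials: str) -> tuple[int, bool]:
    """Run the program with the expanded, space-separated arguments (as an argv
    list, no shell, so nothing in a credential is interpreted) and evaluate its exit code."""
    argv = [program] + expand_arguments(arguments, **credentials).split()
    completed = subprocess.run(argv, capture_output=True, text=True)
    return completed.returncode, task_succeeded(completed.returncode,
                                                task_exit_status, script_exit_codes)


def self_check() -> tuple[int, bool]:
    """Use the Python interpreter as the 'program': it exits with the code passed in
    through %u, and Task Exit Status = Success with Script Exit Codes '3' accepts it."""
    return run_task(sys.executable, "-c __import__('sys').exit(%u)", "Success", "3", user="3")
```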
Important: When running a Skybox View Collector as a service on Windows, you cannot use a mapped network drive when specifying the full path in the Program field. Workaround: Use the Universal Naming Convention (UNC) name: \\<server_name>\<share_name>\<folder>\<file_name>.

Importing interface and routing configuration

Note: It is recommended that you use an Import Directory task to import the configuration data.

Interface and routing configuration (HOST_ROUTING_AND_INTERFACES)

On some types of assets (usually firewalls), the access rules and routing rules are controlled by different software. On Check Point firewalls, for example, firewall software manages the access rules while the operating system controls interfaces and routing.

You can import routing table and network interface information from the following operating systems:

- Windows
- Linux
- Solaris

Import of this information requires two files:

- ifconfig.txt: Output of the ifconfig -a command (Linux and Solaris) or the ipconfig /all command (Windows)
- netstat.txt: Output of the netstat -rvn command

Chapter 4 Firewall configuration tasks

This chapter describes how to add firewall configuration data to the current model.

In this chapter

- Blue Coat proxy
- Check Point FireWall-1 firewall
- Check Point Provider-1 CMA
- Cisco PIX/ASA/FWSM firewall
- Cisco Security Manager
- Dell SonicWALL firewall
- Fortinet FortiGate firewall
- Fortinet FortiManager Security Management appliance
- Juniper Networks Junos firewall
- Juniper Networks NetScreen firewall
- Juniper Networks Network and Security Manager
- Linux iptables firewall
- McAfee Firewall Enterprise (Sidewinder) firewall
- Palo Alto Networks firewall
- Palo Alto Networks Panorama
- Sidewinder G2 (McAfee Firewall Enterprise) firewall
- VMware vShield Edge firewall
- Firewalls implemented in software

Blue Coat proxy

You can add or update configuration data from Blue Coat proxies to the current model using an online collection task: Configure the proxies (see page 43) to allow access from a Skybox View Collector and create a proxy collection task (see page 44) to collect the proxy configurations and add the data to the model. The collection task can collect data from multiple proxies.

You can also add or update configuration data from Blue Coat proxies to the current model using an offline file import task: Create and retrieve proxy configuration files and import their data (see page 44) into the model. The file import task can import the data of multiple proxies.

Configuring Blue Coat proxies for data collection

Note: To run this collection task, the Skybox View Collector specified for the task must reside on a Linux platform.

To configure a Blue Coat proxy for data collection:

- (Recommended) Create a separate read-only user on the device for Skybox View data collection.

Blue Coat collection tasks

Proxy Blue Coat Collection tasks retrieve configuration data from Blue Coat proxies and add the data to the current model.

Task parameters

The parameters that control Proxy Blue Coat Collection tasks are described in the following table.

Basic tab

  Run in
    Where to run the data collection.

  Addresses
    A comma-separated list of the IP addresses of the Blue Coat proxies.
    Note: Skybox View can collect the configurations of multiple proxies only if the same authentication is used for all the proxies.

  Method
    Device: Use the authentication credentials provided here.
    Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)

  Username
    This field is displayed only if Mode = Device. The user name to access the proxy.

  Password
    This field is displayed only if Mode = Device. The user's password.

  Safe
    This field is displayed only if Mode = Cyber-Ark. The name of the Cyber-Ark safe that contains the user authentication credential object.

  Object
    This field is displayed only if Mode = Cyber-Ark. The name of the Cyber-Ark object that contains the user name and password.

Advanced tab

  Override device prompt

  Override password prompt

  Merge assets by Wins name
    Specifies whether to merge assets from the same network by name and not by IP address. Select this option when assets do not have fixed IP addresses.

  Location Hint
    The location of the proxy.
    Note: Use this parameter when different locations use the same set of IP addresses, so that two proxies at different locations can have the same IP address.

Importing Blue Coat configuration data

Note: It is recommended that you use an Import Directory task to import the configuration data.

The following files are used to import a Blue Coat firewall configuration:

- *.txt or *.log: The Blue Coat configuration file. This file is the output of the Blue Coat show configuration command.

- (Optional) route.txt: Dump of the Blue Coat routing table. This file is the output of the Blue Coat ip-route-table command.

You can import the configuration of more than one firewall; put each set of configuration files in a separate folder.

Note: To run an Import Collector task or an Import Collector Advanced task, the Skybox View Collector specified for the task must reside on a Linux platform.

Check Point FireWall-1 firewall

You can add or update configuration data from Check Point FireWall-1 NG and NGX firewalls to the current model using an online collection task: Configure the firewalls (see page 45) to allow access from a Skybox View Collector and create a firewall collection task (see page 50) to collect the firewall configurations and add the data to the model. The collection task can collect data from multiple firewalls.

You can also add or update configuration data from Check Point FireWall-1 NG and NGX firewalls to the current model using an offline file import task: Retrieve firewall configuration files and import their data (see page 53) into the model. The file import task can import the data of multiple firewalls.

To add or update configuration data from a Check Point Provider-1 CMA, which can manage a number of Check Point FireWall-1 firewalls, see Check Point Provider-1 CMA (on page 53).

Configuring FireWall-1 management systems for data collection

To configure a Check Point FireWall-1 management system so that Skybox View can obtain FireWall-1 configuration information:

- Create an administrator with a read-only permission profile.
- Obtain the IP address of the firewall.
- Configure the OPSEC application.
- Configure the management system to allow collection using the OPSEC protocol.

Note: If your network includes a standby management system, repeat these steps for the standby system.

To create an administrator

1 In Check Point SmartDashboard, select Manage > Users and Administrators.
2 Select New > Administrator.

Figure 1: Check Point SmartDashboard - Administrator Properties dialog box

3 In the Administrator Properties dialog box, type skyboxview in the Login Name field.
4 Do one of the following:
   - Select a Read Only All permissions profile.
   - Create a Read Only All permissions profile:
     a) In the Administrator Properties dialog box, click New.
     b) In the Permissions Profile Properties dialog box, fill in the relevant fields; in the Permissions tab select Read Only All.

Figure 2: Check Point SmartDashboard - Permissions Profile Properties dialog box

     c) Click OK.
5 Assign the permissions profile to the administrator.
6 Click the Admin Auth tab.
7 From the Authentication Scheme drop-down list, select VPN-1 & FireWall-1 Password.
8 Click Enter Password.
9 Type a password of your choice in the Password and Confirm Password fields and click OK.
10 Click OK.

To obtain the IP address of the firewall

1 In Check Point SmartDashboard, select Manage > Network Objects.
2 Select the FireWall-1 management system object from the drop-down list and click Edit.

Figure 3: Check Point SmartDashboard - Gateway Properties dialog box

3 In the Properties dialog box, write down the contents of the IP Address field; you need this information when you create the firewall collection task.
4 Close the Properties dialog box.

To configure the OPSEC application

1 Launch Check Point SmartDashboard.
2 Verify that the Skybox View Collector host is defined in SmartDashboard.
3 In SmartDashboard, select Manage > Servers and OPSEC Applications.
4 In the OPSEC Applications dialog box, click New and select OPSEC Application.

Figure 4: Check Point SmartDashboard - OPSEC Applications Properties dialog box

5 In the OPSEC Applications Properties dialog box, give the OPSEC application a name. Note this name; you need it when you create the firewall collection task.
  Note: It is recommended that you use Skybox; this is the default name that Skybox View uses when retrieving a new certificate.
6 From the Host drop-down list, select the Skybox View Collector host.
7 In the Client Entities box, select CPMI.
8 Click Communications and type an activation key. The activation key is a one-time password that is used to create the certificate for authentication and encryption between the Skybox View Collector and the management system; you need the key when you create the firewall collection task.
9 Click Initialize and wait for initialization to complete.
10 Click Close.
11 Click the CPMI Permissions tab.

Figure 5: Check Point SmartDashboard - OPSEC Applications Properties dialog box - CPMI Permissions tab

12 Select the appropriate Permissions Profile.
13 Click OK to close the OPSEC Application Properties dialog box.
14 Click Close to close the OPSEC Applications dialog box.
15 Save the changes.

To configure the firewall to allow collection

1 Add an access rule in the firewall to allow the Skybox View Collector to use the services required for the collection process.
  Note: This is only necessary if the connection between the Skybox View Collector and the FireWall-1 management host is blocked by the firewall.

Figure 6: Tasks: FireWall-1 - Access rule for SBV Collector

  Use the following parameters for the access rule:
  - Source: Skybox View Collector
  - Destination: FireWall-1 management host
  - Services: FW1_ica_pull (TCP/18210), CPMI (TCP/18190)
2 Install the FireWall-1 policy.

Check Point FireWall-1 CPMI collection tasks (FireWall-1)

Firewalls Check Point FireWall-1 CPMI Collection tasks retrieve configuration data from Check Point FireWall-1 management systems and add the data to the current model. (To retrieve configuration data from Check Point Provider-1 CMAs, see Check Point FireWall-1 CPMI collection tasks (Provider-1) (see page 56).)

For VSX (virtual systems) firewalls, configuration data for all the virtual firewalls is retrieved.

Note: You must create a separate CPMI collection task for each FireWall-1 management system.

Task parameters

The parameters that control Firewalls Check Point FireWall-1 CPMI Collection tasks when collecting data from FireWall-1 management systems are described in the following table.

Basic tab

  Management
    The IP address of the FireWall-1 management system.
    Note: You must provide the IP address, not the asset name.

Initialize

  Certificate issue date
    <Empty>: The connection to the management system is not initialized
    <Timestamp>: The timestamp of the authentication certificate used to authenticate the connection
    To retrieve an authentication certificate, click Initialize Certificate to open the Initialize Certificate dialog box (see page 52).

Authentication

  Method
    Device: Use the authentication credentials provided here.
    Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)

  Username
    This field is displayed only if Method = Device. The user name of the administrator created for the task (see Configuring FireWall-1 management systems for data collection (on page 45)).

  Password
    This field is displayed only if Method = Device. The administrator's password.

  Safe
    This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark safe that contains the administrator authentication credential object.

  Object
    This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark object that contains the administrator name and password.

Collection

  Collect Active Policy
    Specifies whether to collect the active policy. The active policy is the policy (rulebase) currently installed on the firewall.

  Rulebase
    This field is disabled if Collect Active Policy is selected. The name of the policy to collect. If you know the name of the policy, type it. Click Fetch to retrieve a list of available policies from the management system.

  Modules List
    A comma-separated (or semicolon-separated) list of the names of specific FireWall-1 Enforcement Modules to collect.

  SIC Name
    (Read only) The DN of the management system. Skybox View displays the value in the authentication certificate it retrieved when you initialized the connection.

Advanced tab

  Location Hint
    The location of the FireWall-1 management system.
    Note: Use this parameter when different locations use the same set of IP addresses, so that two management systems at different locations can have the same IP address.

  OPSEC Application
    The name given to the OPSEC application when it was configured for Skybox View (see Configuring FireWall-1 management systems for data collection (on page 45)). Skybox View displays the name that you provided when you initialized the connection.

  SIC Name from MDS
    You must leave this checkbox cleared when collecting data from a FireWall-1 management system.

  Do not Merge
    Specifies whether to collect device configuration data but not merge it into the model. The configuration data is saved under <Skybox_View_Home>/data/collector/temp/.

  Secondary Management
    The IP address of the standby FireWall-1 management system.
    Note: You must provide the IP address, not the asset name.

  Certificate issue date
    <Empty>: The connection to the standby management system is not initialized
    <Timestamp>: The timestamp of the authentication certificate used to authenticate the connection
    To retrieve an authentication certificate, click Initialize Certificate to open the Initialize Certificate dialog box (see page 52).

  Username
    The user name of the administrator on the standby management system created for the task (see Configuring FireWall-1 management systems for data collection (on page 45)).

  Password
    The administrator's password.

  SIC Name
    (Read only) The DN of the standby management system. Skybox View displays the value in the authentication certificate it retrieved when you initialized the connection.

Initialize Certificate dialog box

The Initialize Certificate dialog box parameters are described in the following table.

  Use existing certificate
    Use the authentication certificate that Skybox View retrieved previously from the OPSEC application.

  OPSEC Application
    The name given to the OPSEC application when it was configured for Skybox View (see Configuring FireWall-1 management systems (on page 45)).

  Date
    The date of the authentication certificate.

  Retrieve new certificate
    Retrieve a new authentication certificate from the OPSEC application.

  OPSEC Application
    The name given to the OPSEC application when it was configured for Skybox View (see Configuring FireWall-1 management systems (on page 45)).

  Activation Key
    The activation key created in SmartDashboard when configuring the OPSEC application (see Configuring FireWall-1 management systems (on page 45)).

Importing Check Point FireWall-1 configuration data

Note: It is recommended that you use an Import Directory task to import the configuration data.

The following files are required to import a Check Point FireWall-1 configuration:

- objects_5_0.c: The network objects file contains objects (including assets, networks, and services) referenced in the access rules.
- rulebases_5_0.fws: The rulebase file contains the access rules.
- (Optional) install_statuses.c: The installed statuses file includes the name of the policy (the active policy) that is currently installed in the firewall.
  Note: If the Check Point configuration contains several policies, install_statuses.c is mandatory (it contains the information of which policy is installed on which firewall).
- (Optional) vsx_objects.c: The VSX device objects file contains objects (including assets, networks, and services) referenced in the access rules of VSX (virtual systems) firewalls.

These files are located at:

- (Windows) C:\WINDOWS\FW1\<version#>\conf
- (Linux) /<FireWall-1_installation_path>/CPfw1-<version#>/conf

You also need the name of the active policy on each firewall module and the ifconfig and netstat -rnv output from each firewall module.

For Import Basic tasks

When you copy files from the remote device, write down the module names of the firewalls that you are importing. You can import multiple firewalls managed by the same management system by specifying firewall names in the Module List field.

Store the set of files from each management system in a separate directory.

Check Point Provider-1 CMA

Check Point Provider-1 CMAs manage multiple Check Point FireWall-1 NG and NGX firewalls.
You can add or update configuration data of the Check Point FireWall-1 NG and NGX firewalls that are managed by a Check Point Provider-1 CMA to the current model using an online collection task: Configure the CMA (see page 54) to allow access from a Skybox View Collector and create a firewall collection task (see page 56) to collect the CMA configuration and add it to the model. The collection task can collect data from multiple Check Point FireWall-1 NG and NGX firewalls managed by a single CMA.

You can also add or update configuration data from Check Point Provider-1 CMAs to the current model using an offline file import task: Retrieve CMA configuration files and import their data (see page 57) into the model. The file import task can import the data of multiple CMAs.

To add or update configuration data from Check Point FireWall-1 CMAs, see Check Point FireWall-1 firewall (on page 45).

Configuring Provider-1 for firewall data collection

To configure a Check Point Provider-1 so that Skybox View can obtain FireWall-1 configuration information:

- Create a Multi-Domain Server (MDS) administrator.
- Configure a GUI client.
- Obtain the IP addresses of the CMAs.
- Configure the OPSEC applications (once for each CMA).
- Configure each CMA to allow collection using the OPSEC protocol.

Note: If your network includes a standby MDS, repeat these steps for the standby server.

To create an MDS administrator

1 In the Check Point Provider-1/SiteManager-1 GUI, click the Administrators icon.
2 Select Manage > New Administrator.
3 In the General tab of the Add Administrator dialog box:
  a) Type skybox in the Administrator Name field.
  b) Select the None radio button.
  c) Click the Authentication tab.
  d) From the Authentication Scheme drop-down list, select VPN-1 & FireWall-1 Password.
  e) Click Enter Password.
  f) Type a password of your choice in the Password and Confirm Password fields and click OK.
  g) Click OK.
4 Right-click the new user and select Assign Customers.
5 In the Assign Customer dialog box:
  a) Assign all CMAs to the user.
  b) Select all CMAs and click Permissions.
  c) In the Permissions dialog box, select the Read Only All radio button.
  d) Click OK to close the Permissions dialog box.
6 Click OK to close the Assign Customer dialog box.

To configure a GUI client

1 In the Check Point Provider-1/SiteManager-1 GUI, click the GUI Clients icon.
2 Select Manage > New GUI Client.
3 In the New GUI Client dialog box:
  a) Select IP Address from the Type drop-down list.
  b) In the Name field, type skybox.
  c) In the IP Address field, type the Skybox View Collector's IP address.
  d) (Version R55 only) Select Provider-1 GUI Client.
  e) Click OK.

To obtain the IP addresses

1 In the Check Point Provider-1/SiteManager-1 GUI, click the General icon.
2 Select View > MDS Contents Mode.
3 In the Provider-1/SiteManager-1 tree, double-click the MDS name.
4 In the Multi-Domain Server Configuration dialog box, click OK.
5 In the Provider-1/SiteManager-1 tree, double-click each CMA and note its IP address; you need this information when you create the firewall collection task.

To configure the OPSEC applications

Note: Do the following for each CMA.

1 Launch Check Point SmartDashboard on the CMA.
2 In SmartDashboard, select Manage > Servers and OPSEC Applications.
3 In the OPSEC Applications dialog box, click New and select OPSEC Application.
4 In the OPSEC Applications Properties dialog box:
  a) Give the OPSEC application a name. Note this name; you need it when you create the firewall collection task.
     Note: It is recommended that you use Skybox; this is the default name that Skybox View uses when retrieving a new certificate.
  b) From the Host drop-down list, select the Skybox View Collector host.
  c) In the Client Entities box, select CPMI.
  d) Click Communications and type an activation key. The activation key is a one-time password that is used to create the certificate for authentication and encryption between the Skybox View Collector and the CMA; you need the key when you create the firewall collection task.
  e) Click Initialize and wait for initialization to complete.
  f) Click Close.
  g) Click the CPMI Permissions tab.
  h) Select the appropriate Permissions Profile.
  i) Click OK to close the OPSEC Application Properties dialog box.
5 Click Close to close the OPSEC Applications dialog box.
6 Save the changes.

To configure a CMA to allow collection

1 Add an access rule in the CMA to allow the Skybox View Collector to use the services required for the collection process.
  Note: This is only necessary if the Skybox View Collector and the Provider-1 CMA are not in the same segment.
  Use the following parameters for the access rule:
  - Source: Skybox View Collector
  - Destination: FireWall-1 management host
  - Services: FW1_ica_pull (TCP/18210), CPMI (TCP/18190)

2 Install the policy on the CMA.

Check Point FireWall-1 CPMI collection tasks (Provider-1)

Firewalls Check Point FireWall-1 CPMI Collection tasks retrieve the configuration data of Check Point FireWall-1 firewalls that are managed by a Check Point Provider-1 CMA and add the data to the current model.

For VSX (virtual systems) firewalls, configuration data for all the virtual firewalls is retrieved.

Note: You must create a separate CPMI collection task for each Provider-1 CMA.

Task parameters

The parameters that control Firewalls Check Point FireWall-1 CPMI Collection tasks when collecting data from Provider-1 CMAs are described in the following table.

Basic tab

  Management
    The IP address of the CMA. (This is the CMA virtual IP address, not the MDS main IP address.)
    Note: You must provide the IP address, not the host name.

Initialize

  Certificate issue date
    <Empty>: The connection to the CMA is not initialized
    <Timestamp>: The timestamp of the authentication certificate used to authenticate the connection
    To retrieve an authentication certificate, click Initialize Certificate to open the Initialize Certificate dialog box (see page 52).

Authentication

  Method
    Device: Use the authentication credentials provided here.
    Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)

  Username
    This field is displayed only if Method = Device. The user name of the MDS administrator created for the task (see Configuring Provider-1 for firewall data collection (on page 54)).

  Password
    This field is displayed only if Method = Device. The MDS administrator's password.

  Safe
    This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark safe that contains the MDS administrator authentication credential object.

  Object
    This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark object that contains the MDS administrator name and password.

Collection

  Collect Active Policy
    Specifies whether to collect the active policy. The active policy is the policy (rulebase) currently installed on the firewall.

  Rulebase
    This field is disabled if Collect Active Policy is selected. The name of the policy to collect. If you know the name of the policy, type it. Click Fetch to retrieve a list of available policies from the CMA.

  Modules List
    A comma-separated (or semicolon-separated) list of the names of specific FireWall-1 Enforcement Modules to collect.

  SIC Name
    (Read only) The global DN of the Provider-1 CMA. Skybox View displays the value in the authentication certificate it retrieved when you initialized the connection.
    Note: As an alternative to using each CMA SIC name, you can use the MDS SIC name. In this case, select SIC Name from MDS in the Advanced tab.

Advanced tab

  Location Hint
    The location of the CMA.
    Note: Use this parameter when different locations use the same set of IP addresses, so that two CMAs at different locations can have the same IP address.

  OPSEC Application
    The name given to the OPSEC application for this CMA when it was configured for Skybox View (see Configuring Provider-1 for firewall data collection (on page 54)). Skybox View displays the name that you provided when you initialized the connection.

  SIC Name from MDS
    Specifies whether, exceptionally, SIC Name (in the Basic tab) is taken from the MDS rather than the CMA.

  Do not Merge
    Specifies whether to collect device configuration data but not merge it into the model. The configuration data is saved under <Skybox_View_Home>/data/collector/temp/.

  Secondary Management
    The IP address of the standby CMA. (This is the CMA virtual IP address, not the MDS main IP address.)
    Note: You must type the IP address, not the host name.

  Certificate issue date
    <Empty>: The connection to the standby CMA is not initialized
    <Timestamp>: The timestamp of the authentication certificate used to authenticate the connection
    To retrieve an authentication certificate, click Initialize Certificate to open the Initialize Certificate dialog box (see page 52).

  Username
    The user name of the MDS administrator on the standby CMA created for the task (see Configuring Provider-1 for firewall data collection (on page 54)).

  Password
    The MDS administrator's password.

  SIC Name
    (Read only) The global DN of the standby CMA. Skybox View displays the value in the authentication certificate it retrieved when you initialized the connection.

Importing Check Point Provider-1 CMA configuration data

Note: It is recommended that you use an Import Directory task to import the configuration data.

The following files are required to import a Check Point Provider-1 CMA configuration:

- objects_5_0.c: The global network objects file located in the /<installation_path>/cpmds-<version#>/conf directory.
  Note: You must rename this file to g_objects_5_0.c.
- objects_5_0.c: The CMA network objects file contains objects (including assets, networks, and services) referenced in the access rules.
- rulebases_5_0.fws: The CMA rulebase file contains the access rules.
- (Optional) install_statuses.c: The installed statuses file includes the name of the policy (the active policy) that is currently installed in the firewall.
  Note: If the Check Point configuration contains several policies, install_statuses.c is mandatory (it contains the information of which policy is installed on which firewall).
- (Optional) vsx_objects.c: The VSX device objects file contains objects (including assets, networks, and services) referenced in the access rules of VSX (virtual systems) firewalls.

These files are located in the /<installation_path>/cpmds-<version#>/customers/<customer_name>/cpfw1-<version#>/conf directory.

You also need the name of the active policy on each firewall module and the ifconfig and netstat -rnv output from each firewall module.

For Import Basic tasks

When you copy files from the remote device, write down the module names of the firewalls that you are importing and the running policy name. You can import multiple firewalls managed by the same SmartCenter or CMA by specifying firewall names in the Module List field.

Store the set of files from each CMA in a separate folder.

Cisco PIX/ASA/FWSM firewall

You can add or update configuration data from Cisco PIX/ASA/FWSM firewalls to the current model using an online collection task: Configure the firewalls (see page 58) to allow access from a Skybox View Collector and create a firewall collection task (see page 59) to collect the firewall configurations and add the data to the model. The collection task can collect data from multiple firewalls.
You can also add or update configuration data from Cisco PIX/ASA/FWSM firewalls to the current model using an offline file import task: Retrieve firewall configuration files and import their data (see page 61) into the model. The file import task can import the data of multiple firewalls.

Configuring Cisco PIX/ASA/FWSM firewalls for data collection

To configure a Cisco PIX/ASA/FWSM firewall so that Skybox View can obtain its configuration information:

1 In the firewall, create an admin user with level 5 privileges.
    Note: If the user name that you use to log in to the firewall has sufficient permissions, you do not need to create an admin user. The method described here creates an admin user that does not have login permissions; you need another user name to log in to the firewall.
2 Enable access to the firewall from the Skybox View Collector: If access rules are configured on the firewall, configure a rule to allow telnet or SSH access from the Skybox View Collector's IP address to the firewall.
3 (ASA only) Add the supported SSH protocol and algorithm.

To create a user if you are using Cisco's authentication mechanism (basic or AAA)

1 Add a user with level 5 privileges:
    # username skybox password skybox privilege 5
2 Configure a password for this user. You need the user name and password when you create the firewall collection task.
3 Execute the following commands to grant this user permissions to the PIX/ASA/FWSM show conf and show route commands:
    # conf term
    # aaa authentication ssh console LOCAL
    # aaa authorization command LOCAL
    # privilege show level 5 command route
    # privilege show level 5 command running-config
    # privilege configure level 5 command ["terminal page" "no pager"]
    # write mem
4 (ASA only) Add the supported SSH protocol and algorithm:
    # ssh key-exchange group dh-group1-sha1

To create a user if you are using TACACS or RADIUS

1 Configure a level 5 user on the TACACS or RADIUS server.
2 Configure a password for this user. You need the user name and password when you create the firewall collection task.
3 Execute the following commands to grant this user permissions to the PIX/ASA/FWSM show conf and show route commands:
    # conf term
    # privilege show level 5 command route
    # privilege show level 5 command running-config
    # privilege configure level 5 command ["terminal page" "no pager"]
    # write mem
4 (ASA only) Add the supported SSH protocol and algorithm:
    # ssh key-exchange group dh-group1-sha1

Cisco PIX/ASA/FWSM collection tasks

Firewalls Cisco PIX/ASA/FWSM Collection tasks retrieve configuration data from Cisco PIX/ASA/FWSM firewalls and add the data to the current model.

Note: If a firewall is configured in L2 (transparent) mode, you must define segments and assign them to the interfaces after incorporating the firewall configuration data.

Task parameters

The parameters that control Firewalls Cisco PIX/ASA/FWSM Collection tasks are described in the following table.

Basic tab

Connection Protocol
    The connection protocol to use.
SSH Port
    If Connection Protocol is ssh, the port on which the firewall listens.
Addresses
    A comma-separated list of the IP addresses of the PIX/ASA/FWSM firewalls. To collect the configurations of all contexts from a firewall with multiple contexts (that is, virtual firewalls), type the IP address of the admin context. (To collect the configuration of a single context, type the IP address of the required context.)
    Note: You can collect the configurations of multiple firewalls only if the same authentication is used for all the firewalls.

Authentication

Method
    Device: Use the authentication credentials provided here.
    Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)
Username
    This field is displayed only if Method = Device. The user name to access the firewall.
Password
    This field is displayed only if Method = Device. The user's password.
Admin Username
    This field is displayed only if Method = Device. The user name of an administrator on the firewall. After logging in with Username, Skybox View runs set user on the firewall using Admin Username.
    Note: If Username has sufficient permissions, you can leave this field blank; otherwise, it is mandatory.
Admin Password
    This field is displayed only if Method = Device. The administrator's password.
    Note: Only required if Admin Username is supplied (see previous note).
Safe
    This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark safe that contains the user authentication credential object.
Object
    This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark object that contains the user name and password.
Admin Safe
    This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark safe that contains the administrator authentication credential object.
    Note: If the user specified in Object has sufficient permissions, you can leave this field blank; otherwise, it is mandatory.
Admin Object
    This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark object that contains the administrator name and password.
    Note: Only required if Admin Safe is supplied (see previous note).

Enable Setting

Enabling Command
    The command to use for user authentication when:
    (Method = Device) Admin Username and Admin Password are provided
    (Method = Cyber-Ark) Admin Object is provided
Enable Privilege
    This field is enabled only if Enabling Command = enable. The privilege to append when sending the enable command. (If this field is left blank, the enable command is sent with no value appended.)

Advanced tab

Location Hint
    The location of the firewall.
    Note: Use this parameter when different locations use the same set of IP addresses, so that two firewalls at different locations can have the same IP address.
Get Configuration Command
    The command to send to the firewall to obtain the configuration.
Use config routes only
    Specifies whether to skip the parsing of the dynamic routing file. Select this option if the dynamic routing file uses names rather than IP addresses.

Importing Cisco PIX/ASA/FWSM configuration data

Note: It is recommended that you use an Import Directory task to import the configuration data.

The following files are used to import a Cisco PIX/ASA/FWSM firewall configuration:

run.txt: The PIX/ASA/FWSM configuration file. This file is the output of the PIX/ASA/FWSM show run command.
(Optional) route.txt: Dump of the PIX/ASA/FWSM routing table. This file is the output of the PIX/ASA/FWSM show route command. If route.txt is included, its routing rules overwrite the routing rules from run.txt, because its information is more extensive and includes both static and dynamic routing rules.

You can import the configuration of more than one PIX/ASA/FWSM firewall; put each set of configuration files in a separate folder.

Cisco Security Manager

Cisco Security Managers (CSMs) manage multiple Cisco firewalls.
You can add or update configuration data of the Cisco firewalls that are managed by a CSM to the current model using an online collection task: Configure the CSM (see page 62) to allow access from a Skybox View Collector and create a collection task (see page 62) to collect the firewall configurations and add the data to the model. The collection task can collect data from multiple Cisco firewalls managed by a single CSM.

You can also add or update configuration data of the Cisco firewalls that are managed by a CSM to the current model using an offline file import task: Create and retrieve a CSM source file and import its data (see page 63) into the model. The file import task can import the data of multiple CSMs.

To add or update configuration data from Cisco firewalls directly, see Cisco PIX/ASA/FWSM firewall (on page 58).

Configuring Cisco Security Manager for data collection

To configure a CSM for data collection:
Configure the CSM to allow collection. (The Skybox View Collector must have permission to connect to the CSM device using HTTPS on port 8443.) A read-only account is sufficient for data collection from the CSM.

Licensing data collection

To be able to collect data from a CSM, you must install two API licenses on the CSM device:
A developer license: The developer license is a 90-day license for developers who are integrating their products with CSM.
A production license: The production license is required by end customers who use third-party products.

For additional information about CSM licensing, see _manager/4.3/installation/guide/licensing.html

Cisco Security Manager collection tasks

Firewalls Cisco Security Manager Collection tasks retrieve configuration data from Cisco firewalls managed by a Cisco Security Manager (CSM) and add the data to the current model.

Task parameters

The parameters that control Firewalls Cisco Security Manager Collection tasks are described in the following table.

Basic tab

Server Name or IP
    The name or IP address of the CSM.
Https port
    The port on which the CSM listens. If you change the default port (8443) on the CSM, the Skybox View Collector must have permission to connect to the CSM host using HTTPS on the port that you specify.

Authentication

Method
    Device: Use the authentication credentials provided here.
    Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)
Username
    This field is displayed only if Method = Device. The user name to access the CSM.
Password
    This field is displayed only if Method = Device. The user's password.
Safe
    This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark safe that contains the user authentication credential object.
Object
    This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark object that contains the user name and password.

Collection

Limit by device names
    A comma-separated list of the names of Cisco devices (managed by the CSM) for which to collect configuration data. You can use * as a wildcard in the device names.
Limit by groups
    A comma-separated list of device groups (on the CSM) for which to collect configuration data.
Exclude groups
    A comma-separated list of device groups and subgroups to exclude from the devices included in the Limit by groups field.
Collect only firewalls
    Specifies whether to collect configuration data for firewalls only or for all devices as specified in the previous three fields.

Advanced tab

Location Hint
    The location of the CSM.
    Note: Use this parameter when different locations use the same set of IP addresses, so that two CSMs at different locations can have the same IP address.

Importing CSM-managed Cisco firewalls configuration data

Note: It is recommended that you use an Import Directory task to import the configuration data.

The following file is used to import the configuration of Cisco firewalls managed by a CSM:

*.xml: The CSM source file

You can import the source file of more than one CSM; put each source file in a separate folder.

Dell SonicWALL firewall

You can add or update configuration data from Dell SonicWALL firewalls to the current model using an online collection task: Configure the firewalls (see page 63) to allow access from a Skybox View Collector and create a firewall collection task (see page 63) to collect the firewall configurations and add the data to the model. The collection task can collect data from multiple firewalls.

Configuring SonicWALL firewalls for data collection

To configure a SonicWALL firewall for data collection:
(Recommended) Create a separate read-only user on the device for Skybox View data collection.
Dell SonicWALL collection tasks

Firewalls SonicWALL Collection tasks retrieve configuration data from SonicWALL firewalls and add the data to the current model.

Task parameters

The parameters that control Firewalls SonicWALL Collection tasks are described in the following table.

Basic tab

Run in
    Where to run the data collection.
Addresses
    A comma-separated list of the IP addresses of the SonicWALL firewalls.
    Note: Skybox View can collect the configurations of multiple firewalls only if the same authentication is used for all the firewalls.
Method
    Device: Use the authentication credentials provided here.
    Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)
Username
    This field is displayed only if Method = Device. The user name to access the firewall.
Password
    This field is displayed only if Method = Device. The user's password.
Safe
    This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark safe that contains the user authentication credential object.
Object
    This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark object that contains the user name and password.
SSL
    Specifies whether to connect to the device over HTTPS (SSL) rather than HTTP.

Advanced tab

Merge assets by Wins name
    Specifies whether to merge assets from the same network by name rather than by IP address. Select this option when assets do not have fixed IP addresses.
Location Hint
    The location of the firewall.
    Note: Use this parameter when different locations use the same set of IP addresses, so that two firewalls at different locations can have the same IP address.

Fortinet FortiGate firewall

You can add or update configuration data from Fortinet FortiGate firewalls to the current model using an online collection task: Configure the firewalls (see page 65) to allow access from a Skybox View Collector and create a firewall collection task (see page 65) to collect the firewall configurations and add the data to the model. The collection task can collect data from multiple firewalls.
You can also add or update configuration data from Fortinet FortiGate firewalls to the current model using an offline file import task: Create and retrieve firewall configuration files and import their data (see page 66) into the model. The file import task can import the data of multiple firewalls.

Configuring FortiGate firewalls for data collection

To configure a FortiGate firewall for data collection:
(Recommended) Create a separate read-only user on the device for Skybox View data collection.
Configure the firewall to allow collection. (The Skybox View Collector must have permission to connect to the firewall using the SSH or telnet protocol.)

Fortinet FortiGate collection tasks

Firewalls FortiGate Collection tasks retrieve configuration data from FortiGate firewalls and add the data to the current model.

Task parameters

The parameters that control Firewalls FortiGate Collection tasks are described in the following table.

Basic tab

Connection Protocol
    The connection protocol to use.
SSH Port
    If Connection Protocol is ssh, the port on which the firewall listens.
FortiGate Addresses
    A comma-separated list of the IP addresses of the FortiGate firewalls. To collect the configurations of Virtual Domains, type one IP address only for each physical device.
    Note: Skybox View can collect the configurations of multiple firewalls only if the same authentication is used for all the firewalls.

Authentication

Method
    Device: Use the authentication credentials provided here.
    Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)
Username
    This field is displayed only if Method = Device. The user name to access the firewall.
Password
    This field is displayed only if Method = Device. The user's password.
Safe
    This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark safe that contains the user authentication credential object.
Object
    This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark object that contains the user name and password.

Advanced tab

Location Hint
    The location of the firewall.
    Note: Use this parameter when different locations use the same set of IP addresses, so that two firewalls at different locations can have the same IP address.
Do Not Collect Routing Table
    Specifies whether the routing table is not collected. Select this option if the firewall is working in VDOM (Virtual Domains) mode.
Do Not Collect IPS Rule Groups
    Specifies whether the IPS rule groups are not collected. Clear this option if you want to collect IPS rule groups: the IPS rule properties then show the associated vulnerability definitions with severity and CVE information.

Importing FortiGate configuration data

Note: It is recommended that you use an Import Directory task to import the configuration data.

The following files are used to import a FortiGate firewall configuration:

config.txt: The FortiGate configuration file. This file is the output of the FortiGate show command.
    Note: It is recommended that you run the following two commands before the show command: config system console and set output standard.
(Optional) route.txt: Dump of the FortiGate routing table. This file is the output of the FortiGate get router info routing-table command.

You can import the configuration of more than one firewall; put each set of configuration files in a separate folder.

Fortinet FortiManager Security Management appliance

Fortinet FortiManager Security Management appliances manage multiple Fortinet FortiGate firewalls.

You can add or update configuration data of the FortiGate firewalls that are managed by a FortiManager Security Management appliance to the current model using an online collection task: Configure the FortiManager Security Management appliance (see page 66) to allow access from a Skybox View Collector and create a collection task (see page 66) to collect the firewall configurations and add the data to the model. The collection task can collect data from multiple FortiGate firewalls managed by a single FortiManager Security Management appliance.

To add or update configuration data from Fortinet FortiGate firewalls directly, see Fortinet FortiGate firewall (on page 64).
Configuring FortiManager Security Management appliance for data collection

To configure a FortiManager Security Management appliance for data collection:

1 Create a separate account on the device for Skybox View tasks.
2 Configure the FortiManager Security Management appliance to allow collection. (The Skybox View Collector must have permission to connect to the Security Management appliance using HTTPS on port 8443.)

Fortinet FortiManager Security Management appliance collection tasks

Firewalls FortiManager Collection tasks retrieve configuration data from FortiGate firewalls managed by a Fortinet FortiManager Security Management appliance and add the data to the current model.

Task parameters

The parameters that control Firewalls FortiManager Collection tasks are described in the following table.
Basic tab

Server Name or IP
    The name or IP address of the FortiManager Security Management appliance.

Authentication

Method
    Device: Use the authentication credentials provided here.
    Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)
Username
    This field is displayed only if Method = Device. The user name to access the FortiManager Security Management appliance.
Password
    This field is displayed only if Method = Device. The user's password.
Safe
    This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark safe that contains the user authentication credential object.
Object
    This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark object that contains the user name and password.

Collection

Device ADOMS
    A comma-separated list of the administrative domains in which the firewalls whose data is collected exist.
Import Specific Devices
    Specifies whether to collect data for specific firewalls in the specified administrative domains of the FortiManager Security Management appliance. If cleared, data for all firewalls in the specified domains is collected.
Device Names
    This field is enabled only if Import Specific Devices is selected. A comma-separated list of the names of firewalls for which to collect configuration data. You can use * as a wildcard in the device names.

Advanced tab

Https Port
    The port on which the FortiManager Security Management appliance listens. If you change the default port (8443) on the Security Management appliance, the Skybox View Collector must have permission to connect to the Security Management appliance using HTTPS on the port that you specify.
Location Hint
    The location of the FortiManager Security Management appliance.
    Note: Use this parameter when different locations use the same set of IP addresses, so that two Security Management appliances at different locations can have the same IP address.
Do Not Collect Routing Table
    Specifies whether the routing table of each firewall is not collected. Select this option if the firewalls are working in VDOM (Virtual Domains) mode.
Do Not Collect IPS Rule Groups
    Specifies whether the IPS rule groups of each firewall are not collected. Clear this option if you want to collect IPS rule groups: the IPS rule properties then show the associated vulnerability definitions with severity and CVE information.

Juniper Networks Junos firewall

You can add or update configuration data from Juniper Networks Junos firewalls to the current model using an online collection task: Configure the firewalls (see page 68) to allow access from a Skybox View Collector and create a firewall collection task (see page 68) to collect the firewall configurations and add the data to the model. The collection task can collect data from multiple firewalls.

You can also add or update configuration data from Juniper Networks Junos firewalls to the current model using an offline file import task: Create and retrieve firewall configuration files and import their data (see page 69) into the model. The file import task can import the data of multiple firewalls.

Configuring Junos firewalls for data collection

To configure a Junos firewall for data collection:
(Recommended) Create a separate read-only user on the device for Skybox View data collection.
Configure the firewall to allow collection. (The Skybox View Collector must have permission to connect to the firewall using the SSH or telnet protocol.)

To import firewall activity log data (syslog data) from a Junos firewall:
Configure the firewall to output log messages in structured-data format. (This requires Junos version 8.3 or higher.) For information about configuring the firewall, see

Juniper Networks Junos collection tasks

Firewalls Junos Collection tasks retrieve configuration data from Junos firewalls and add the data to the current model.

Task parameters

The parameters that control Firewalls Junos Collection tasks are described in the following table.

Basic tab

Connection Protocol
    The connection protocol to use.
SSH Port
    If Connection Protocol is ssh, the port on which the firewall listens.
Addresses
    A comma-separated list of the IP addresses of the Junos firewalls.
    Note: Skybox View can collect the configurations of multiple firewalls only if the same authentication is used for all the firewalls.

Authentication

Method
    Device: Use the authentication credentials provided here.
    Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)
Username
    This field is displayed only if Method = Device. The user name to access the firewall.
Password
    This field is displayed only if Method = Device. The user's password.
Safe
    This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark safe that contains the user authentication credential object.
Object
    This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark object that contains the user name and password.

Advanced tab

Location Hint
    The location of the firewall.
    Note: Use this parameter when different locations use the same set of IP addresses, so that two firewalls at different locations can have the same IP address.

Importing Junos configuration data

Note: It is recommended that you use an Import Directory task to import the configuration data.

The following files are used to import a Junos firewall configuration:

config.txt: The Junos configuration file. This file is the output of the Junos command
    show configuration | display inheritance | except ## | no-more
    If you are working with a cluster of Junos firewalls, prepend the output of the Junos command
    show chassis hardware | no-more
(Optional) route.txt: Dump of the Junos routing table. This file is the output of the Junos command
    show route | no-more

You can import the configuration of more than one firewall; put each set of configuration files in a separate folder.

If you need only the Junos configuration file, you can retrieve it via HTTP.

To retrieve the configuration file of a Junos firewall

1 In your browser, log in to the Juniper Web Device Manager.
2 Click the Configure tab and select CLI Tools > CLI Viewer.
3 Save the configuration to a text file and name the file config.txt.
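The route.txt dump described under Importing Junos configuration data is what supplies the import with the dynamic routes that the configuration file alone does not contain. The following Python script is an added example, not Skybox View code, that parses the output of show route | no-more into one record per route (prefix, protocol, preference, gateway and interface) so that a captured dump can be checked before it is staged. The sample output embedded in the script is constructed, not taken from a real device, and where a prefix lists several next hops the parser keeps the last one.

```python
import re

# Constructed sample of "show route | no-more" output (not captured from a real device).
SAMPLE_SHOW_ROUTE = """
inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 2d 03:12:45
                    > to 192.168.1.254 via ge-0/0/0.0
10.20.0.0/16       *[OSPF/10] 1d 10:00:01, metric 20
                    > to 10.1.1.2 via ge-0/0/1.0
192.168.1.0/24     *[Direct/0] 2d 03:12:45
                    > via ge-0/0/0.0
192.168.1.1/32     *[Local/0] 2d 03:12:45
                      Local via ge-0/0/0.0
10.1.1.0/30        *[Direct/0] 1d 10:00:05
                    > via ge-0/0/1.0
"""

# A route line starts at column 0 with the prefix and carries "[Protocol/Preference]";
# the leading "*" marks the active route.
ROUTE_RE = re.compile(r"^(\S+/\d+)\s+(\*?)\[(\w+)/(\d+)\]")
# Indented continuation lines carry the next hop in one of three shapes:
# "> to GATEWAY via IFACE", "> via IFACE" or "Local via IFACE".
NEXTHOP_RE = re.compile(r"(?:to\s+(\S+)\s+)?via\s+(\S+)")


def parse_junos_routes(text):
    """Parse `show route | no-more` output into a list of route dicts."""
    routes = []
    current = None
    for raw in text.splitlines():
        m = ROUTE_RE.match(raw)
        if m:
            current = {
                "prefix": m.group(1),
                "active": m.group(2) == "*",
                "protocol": m.group(3),
                "preference": int(m.group(4)),
                "gateway": None,
                "interface": None,
            }
            routes.append(current)
            continue
        # Header, legend and blank lines never start with whitespace followed
        # by a next hop, so only indented lines after a route line are examined.
        if current is not None and raw.startswith(" "):
            n = NEXTHOP_RE.search(raw)
            if n:
                current["gateway"] = n.group(1)      # None for Direct/Local routes
                current["interface"] = n.group(2)
    return routes


def default_route(routes):
    """Return the active default route, or None if the dump has none."""
    for r in routes:
        if r["prefix"] == "0.0.0.0/0" and r["active"]:
            return r
    return None


def routes_by_protocol(routes):
    """Count routes per protocol; the dynamic entries (OSPF in the sample) are
    exactly what an import from the configuration file alone would not see."""
    counts = {}
    for r in routes:
        counts[r["protocol"]] = counts.get(r["protocol"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_junos_routes(SAMPLE_SHOW_ROUTE)
    for r in parsed:
        print(f"{r['prefix']:<18} {r['protocol']:<7} pref={r['preference']:<3} "
              f"gw={r['gateway'] or '-':<15} if={r['interface']}")
    print("per protocol:", routes_by_protocol(parsed))
```

Run it against a real dump by reading the file into parse_junos_routes; a dump with no active default route, or with only Direct and Local entries, is a sign that the file was captured from the wrong routing instance or before the dynamic protocols converged.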
Juniper Networks NetScreen firewall

You can add or update configuration data from Juniper Networks NetScreen firewalls to the current model using an online collection task: Configure the firewalls (see page 70) to allow access from a Skybox View Collector and create a firewall collection task (see page 70) to collect the firewall configurations and add the data to the model. The collection task can collect data from multiple firewalls.

You can also add or update configuration data from Juniper Networks NetScreen firewalls to the current model using an offline file import task: Create and retrieve firewall configuration files and import their data (see page 71) into the model. The file import task can import the data of multiple firewalls.

Configuring NetScreen firewalls for data collection

To configure a NetScreen firewall for data collection:
(Recommended) Create a separate read-only user on the device for Skybox View data collection.
Configure the firewall to allow collection. (The Skybox View Collector must have permission to connect to the firewall using the SSH or telnet protocol.)

Juniper NetScreen collection tasks

Firewalls NetScreen Collection tasks retrieve configuration data from NetScreen firewalls and add the data to the current model.

Task parameters

The parameters that control Firewalls NetScreen Collection tasks are described in the following table.

Basic tab

Connection Protocol
    The connection protocol to use.
SSH Port
    If Connection Protocol is ssh, the port on which the firewall listens.
NetScreen Addresses
    A comma-separated list of the IP addresses of the NetScreen firewalls. To collect the configurations of Virtual Systems, type one IP address only for each physical device.
    Note: Skybox View can collect the configurations of multiple firewalls only if the same authentication is used for all the firewalls.
Vsys List
    A comma-separated list of names of Virtual Systems. If blank, the configurations of all Virtual Systems are collected.

Authentication

Method
    Device: Use the authentication credentials provided here.
    Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)
Username
    This field is displayed only if Method = Device. The user name to access the firewall.
Password
    This field is displayed only if Method = Device. The user's password.
Safe
    This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark safe that contains the user authentication credential object.
Object
    This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark object that contains the user name and password.

Advanced tab

Location Hint
    The location of the firewall.
    Note: Use this parameter when different locations use the same set of IP addresses, so that two firewalls at different locations can have the same IP address.

Importing NetScreen configuration data

Note: It is recommended that you use an Import Directory task to import the configuration data.

The following files are used to import a NetScreen firewall configuration:

config.txt: The NetScreen configuration file. This file is the output of the NetScreen get config all command.
(Optional) route.txt: Dump of the NetScreen routing table. This file is the output of the NetScreen get route command.

You can import the configuration of more than one firewall; put each set of configuration files in a separate folder.

If you need only the NetScreen configuration file, you can retrieve it via HTTP or TFTP.

To retrieve the configuration file of a NetScreen firewall via HTTP

1 In your browser, log in to the NetScreen web management tool.
2 From the menu on the left, select Configuration > Update > Config File.
3 Select Save To File and specify config.txt.
4 Use an SSH client, such as PuTTY, to connect to the device CLI.
5 At the command prompt, execute the following command to get the version data:
    get system
6 Append the version data to the config.txt file saved at step 3.

To retrieve the configuration file of a NetScreen firewall via TFTP

1 Log in to the NetScreen firewall, using either telnet or the firewall console.
2 Ensure that the TFTP server is running.
3 At the command prompt, execute the following commands:
    get config all > tftp <save_file_ip_address> config.txt
    get system > tftp <save_file_ip_address> config_version.txt
4 Append the content of config_version.txt to config.txt.
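Each of the import sections in this chapter (Check Point Provider-1 CMA, Cisco PIX/ASA/FWSM, FortiGate, Junos and NetScreen) states which files a staging folder must contain, that each folder holds one device, and in two cases a condition that is easy to get wrong: the Provider-1 global objects file must be renamed to g_objects_5_0.c and install_statuses.c becomes mandatory when the rulebase holds several policies, and the Junos config.txt must have been generated with "| except ##". An import that silently runs on an incomplete folder puts a wrong rule set into the model, so it is worth checking the folders first. The following Python script is an added example and not part of Skybox View: it encodes those file manifests and conditions and reports the problems in each folder. The sample folders it builds are constructed in a temporary directory; the ":rule-base (" marker used to count policies in rulebases_5_0.fws is an assumption about the Check Point file format that the guide itself does not state.

```python
import os
import tempfile

# Per-vendor file manifests, taken from the import sections of this chapter:
# (required files, optional files). One device or CMA per folder.
MANIFESTS = {
    "provider1": ({"g_objects_5_0.c", "objects_5_0.c", "rulebases_5_0.fws"},
                  {"install_statuses.c", "vsx_objects.c"}),
    "pix_asa_fwsm": ({"run.txt"}, {"route.txt"}),
    "fortigate": ({"config.txt"}, {"route.txt"}),
    "junos": ({"config.txt"}, {"route.txt"}),
    "netscreen": ({"config.txt"}, {"route.txt"}),
}
HINTS = {
    "g_objects_5_0.c": "copy the MDS global objects_5_0.c and rename it g_objects_5_0.c",
}


def _count_policies(path):
    """Count policy packages in rulebases_5_0.fws. Assumption (not stated in the
    guide): each package opens with a ':rule-base (' line."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return sum(1 for line in f if line.lstrip().startswith(":rule-base ("))


def _has_inheritance_comments(path):
    """Junos config.txt: lines starting with '##' are the inheritance comments
    that '| except ##' should have removed."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return any(line.lstrip().startswith("##") for line in f)


def validate_import_folder(folder, vendor):
    """Return a list of problems for one staging folder; [] means ready to import."""
    required, optional = MANIFESTS[vendor]
    present = set(os.listdir(folder))
    problems = []
    for name in sorted(required - present):
        hint = f" ({HINTS[name]})" if name in HINTS else ""
        problems.append(f"missing required file {name}{hint}")
    for name in sorted(present - required - optional):
        problems.append(f"unexpected file {name} (one device per folder)")
    if (vendor == "provider1" and "rulebases_5_0.fws" in present
            and "install_statuses.c" not in present
            and _count_policies(os.path.join(folder, "rulebases_5_0.fws")) > 1):
        problems.append("several policies in rulebases_5_0.fws: install_statuses.c is mandatory")
    if (vendor == "junos" and "config.txt" in present
            and _has_inheritance_comments(os.path.join(folder, "config.txt"))):
        problems.append("config.txt has '##' lines: regenerate with '| except ##'")
    return problems


def _write(folder, name, text):
    with open(os.path.join(folder, name), "w", encoding="utf-8") as f:
        f.write(text)


def demo():
    """Build constructed staging folders in a temporary directory and validate them."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        cases = {
            "cma_ok": ("provider1", {
                "g_objects_5_0.c": "(\n)\n",
                "objects_5_0.c": "(\n)\n",
                "rulebases_5_0.fws": '(\n\t:rule-base ("##Standard"\n\t)\n)\n'}),
            "cma_multi": ("provider1", {
                "objects_5_0.c": "(\n)\n",
                "rulebases_5_0.fws": '(\n\t:rule-base ("##DMZ"\n\t)\n\t:rule-base ("##Core"\n\t)\n)\n'}),
            "asa_ok": ("pix_asa_fwsm", {"run.txt": ": Saved\n", "route.txt": "Codes: ...\n"}),
            "junos_bad": ("junos", {
                "config.txt": "system {\n    ## 'host-name' was inherited from group 'global'\n}\n",
                "run.txt": "stray file from another device\n"}),
        }
        for folder_name, (vendor, files) in cases.items():
            folder = os.path.join(root, folder_name)
            os.mkdir(folder)
            for name, text in files.items():
                _write(folder, name, text)
            results[folder_name] = validate_import_folder(folder, vendor)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

To use it on a real staging tree, call validate_import_folder on each subfolder with the vendor key for that device type and refuse to start the Import Directory task while any folder reports a problem.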
Juniper Networks Network and Security Manager

Juniper Networks Network and Security Managers (NSMs) manage multiple Juniper Networks NetScreen firewalls. You can add or update configuration data of the NetScreen firewalls that are managed by an NSM to the current model using an online collection task:

Configure the NSM (see page 72) to allow access from a Skybox View Collector and create a collection task (see page 72) to collect the firewall configurations and add the data to the model. The collection task can collect data from multiple NetScreen firewalls managed by a single NSM.

To add or update configuration data from Juniper Networks NetScreen firewalls, see Juniper Networks NetScreen firewall (on page 69).

Configuring Network and Security Manager for data collection

To configure a Network and Security Manager for data collection:
1. Create a separate global domain Read-Only Administrator account on the device for Skybox View tasks.
2. Configure the NSM to allow collection. (The Skybox View Collector must have permission to connect to the NSM server using HTTPS on port 8443.)

Juniper Networks NSM collection tasks

Firewalls Juniper Networks NSM Collection tasks retrieve configuration data from Juniper Networks firewalls managed by a Juniper Networks Network and Security Manager (NSM) and add the data to the current model.

Task parameters

The parameters that control Firewalls Juniper Networks NSM Collection tasks are described in the following table.

Basic tab
  Server Name or IP: The name or IP address of the NSM.
  Port Number: The port on which the NSM listens. If you change the default port (8443) on the NSM, the Skybox View Collector must have permission to connect to the NSM server using HTTPS on the port that you specify.
  Authentication
    Method: Device: Use the authentication credentials provided here. Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)
    Username: This field is displayed only if Method = Device. The user name to access the NSM.
    Password: This field is displayed only if Method = Device. The user's password.
    Safe: This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark safe that contains the user authentication credential object.
    Object: This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark object that contains the user name and password.
    Login Domain: The name of the domain to which Username and Password log in. If you are logging in to a subdomain, you must use global.<subdomain_name>. If this field is left blank, the global domain is assumed.

  Collection
    Device Domains: A comma-separated list of the logical domains in which the firewalls whose data is collected exist.
    Import Specific Devices: Specifies whether to collect data for specific firewalls in the specified logical domains of the NSM. If cleared, data for all firewalls in the specified domains is collected.
    Device Names: This field is enabled only if Import Specific Devices is selected. A comma-separated list of the names of firewalls for which to collect configuration data. You can use * as a wildcard in the device names.
    Device Type: Specifies whether to collect configuration data for NetScreen firewalls, Junos firewalls, or all Juniper firewalls.

Advanced tab
  Location Hint: The location of the NSM.
  Note: Use this parameter when different locations use the same set of IP addresses, so that two NSMs at different locations can have the same IP address.

Linux iptables firewall

You can add or update configuration data from Linux iptables firewalls to the current model using an offline file import task:

Retrieve firewall configuration files and import their data (see page 73) into the model. The file import task can import the data of multiple firewalls.

Importing Linux iptables configuration data

The following files are required to import a Linux iptables firewall configuration:
- ifconfig.txt: The interfaces configuration report of the iptables host. This file is the output of the ifconfig -a command.
- filter.txt: The iptables filter table. This file is the output of the iptables -t filter -L -n -v command.
- nat.txt: The iptables NAT table. This file is the output of the iptables -t nat -L -n -v command.
- mangle.txt: The iptables mangle table. This file is the output of the iptables -t mangle -L -n -v command.

You can import the configuration of more than one iptables firewall; put each set of configuration files in a separate directory.
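The filter.txt, nat.txt and mangle.txt files listed above all share the `iptables -L -n -v` listing format. The following is an added example, not Skybox View code and not the import task's own parser: it reads such a listing into chains and rules, checks that one firewall's import directory holds the three required table files, and runs a few review checks on the filter table (default policy, accept rules open to any source, accept rules with zero hits) that a practitioner would want to see before trusting the imported policy. The sample listing is constructed, not captured from a real host.

```python
"""Parse `iptables -t <table> -L -n -v` listings and review the filter table.

Added example for this guide; not Skybox View code. SAMPLE_FILTER is constructed.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "Chain INPUT (policy DROP 12 packets, 720 bytes)"  or  "Chain DOCKER (2 references)"
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)")
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}  # -v abbreviates large counters

@dataclass
class Rule:
    chain: str
    pkts: int
    bytes_: int
    target: str
    prot: str
    in_if: str
    out_if: str
    source: str
    destination: str
    match: str = ""   # trailing match text, e.g. "tcp dpt:22" or "state RELATED,ESTABLISHED"

@dataclass
class Chain:
    name: str
    policy: Optional[str]              # None for user-defined chains
    rules: List[Rule] = field(default_factory=list)

def parse_counter(tok: str) -> int:
    """Counter column as printed by -v: a plain integer or 150K / 2M / 1G."""
    if tok and tok[-1] in _SUFFIX:
        return int(float(tok[:-1]) * _SUFFIX[tok[-1]])
    return int(tok)

def parse_iptables_listing(text: str) -> Dict[str, Chain]:
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        if line.startswith("pkts bytes") or current is None:
            continue  # column header, or text before the first chain
        # Columns: pkts bytes target prot opt in out source destination [match ...]
        f = line.split(None, 9)
        if len(f) < 9:
            raise ValueError(f"unexpected rule line: {raw!r}")
        current.rules.append(Rule(current.name, parse_counter(f[0]), parse_counter(f[1]),
                                  f[2], f[3], f[5], f[6], f[7], f[8],
                                  f[9] if len(f) > 9 else ""))
    return chains

def review_filter_table(chains: Dict[str, Chain]) -> List[str]:
    """Findings a reviewer wants before relying on the imported policy."""
    findings: List[str] = []
    for name in ("INPUT", "FORWARD"):
        c = chains.get(name)
        if c is not None and c.policy == "ACCEPT":
            findings.append(f"{name}: default policy is ACCEPT (no implicit deny)")
    for c in chains.values():
        for r in c.rules:
            if r.target != "ACCEPT":
                continue
            if r.source == "0.0.0.0/0" and r.in_if != "lo" and "ESTABLISHED" not in r.match:
                findings.append(f"{c.name}: ACCEPT from any source, {r.prot} {r.match or 'all ports'}")
            if r.pkts == 0:
                findings.append(f"{c.name}: unused ACCEPT rule ({r.prot} {r.match or 'all'} from {r.source})")
    return findings

def load_import_directory(path: str) -> Dict[str, Dict[str, Chain]]:
    """Read the three table files the import task requires from one firewall's directory."""
    tables = {}
    for table in ("filter", "nat", "mangle"):
        fn = os.path.join(path, f"{table}.txt")
        if not os.path.exists(fn):
            raise FileNotFoundError(f"{fn} is required for the iptables import")
        with open(fn, encoding="utf-8", errors="replace") as fh:
            tables[table] = parse_iptables_listing(fh.read())
    return tables

# Constructed sample of `iptables -t filter -L -n -v` output (not from a real host).
SAMPLE_FILTER = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234 98765 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  567 45678 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   89  5340 ACCEPT     tcp  --  eth0   *       10.0.0.0/8           0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2000 packets, 150K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

if __name__ == "__main__":
    for finding in review_filter_table(parse_iptables_listing(SAMPLE_FILTER)):
        print(finding)
```

On the sample, the review reports the FORWARD chain's ACCEPT policy and the telnet rule twice (open to any source, and never hit); the ESTABLISHED and loopback rules are deliberately not flagged.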
McAfee Firewall Enterprise (Sidewinder) firewall

You can add or update configuration data from McAfee Firewall Enterprise (Sidewinder) firewalls to the current model using an online collection task:

Configure the firewalls (see page 74) to allow access from a Skybox View Collector and create a firewall collection task (see page 74) to collect the firewall configurations and add the data to the model. The collection task can collect data from multiple firewalls.

Configuring McAfee Firewall Enterprise firewalls for data collection

Note: To run this collection task, the Skybox View Collector specified for the task must reside on a Linux platform.

To configure a McAfee Firewall Enterprise firewall for data collection:
- (Recommended) Create a separate read-only user on the device for Skybox View data collection.

McAfee Firewall Enterprise collection tasks

Firewalls McAfee Firewall Enterprise Collection tasks retrieve configuration data from McAfee Firewall Enterprise firewalls and add the data to the current model.

Task parameters

The parameters that control Firewalls McAfee Firewall Enterprise Collection tasks are described in the following table.

Basic tab
  Run in: Where to run the data collection.
  Addresses: A comma-separated list of the IP addresses of the McAfee Firewall Enterprise firewalls.
  Note: Skybox View can collect the configurations of multiple firewalls only if the same authentication is used for all the firewalls.
  Method: Device: Use the authentication credentials provided here. Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)
  Username: This field is displayed only if Method = Device. The user name to access the firewall.
  Password: This field is displayed only if Method = Device. The user's password.
  Safe: This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark safe that contains the user authentication credential object.
  Object: This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark object that contains the user name and password.
  Port: The port on which the firewall listens. If you change the default port (22) on the firewall, the Skybox View Collector must have permission to connect to the firewall using HTTPS on the port that you specify.

Advanced tab
  Merge assets by Wins name: Specifies whether to merge assets from the same network by name and not by IP address. Select this option when assets do not have fixed IP addresses.
  Location Hint: The location of the firewall.
  Note: Use this parameter when different locations use the same set of IP addresses, so that two firewalls at different locations can have the same IP address.

Palo Alto Networks firewall

You can add or update configuration data (including IPS data) from Palo Alto Networks firewalls to the current model using an online collection task:

Configure the firewalls (see page 75) to allow access from a Skybox View Collector and create a firewall collection task (see page 75) to collect the firewall configurations and add the data to the model. The collection task can collect data from multiple firewalls.

You can also add or update configuration data from Palo Alto Networks firewalls to the current model using an offline file import task:

Create and retrieve firewall configuration files and import their data (see page 76) into the model. The file import task can import the data of multiple firewalls.

Configuring Palo Alto firewalls for data collection

To configure a Palo Alto firewall for data collection:
- (Recommended) Create a separate read-only user on the device for Skybox View data collection.
- Configure the firewall to allow collection. (The Skybox View Collector must have permission to connect to the firewall using HTTPS and either SSH or telnet.)

Palo Alto Networks collection tasks

Firewalls Palo Alto Networks Collection tasks retrieve configuration data (including IPS rules) from Palo Alto firewalls and add the data to the current model.

Task parameters

The parameters that control Firewalls Palo Alto Networks Collection tasks are described in the following table.

Basic tab
  Server Name or IP: A comma-separated list of the names or IP addresses of the Palo Alto firewalls.
  Import specific vsys: Specifies whether to collect configuration data for specific virtual systems running on the device. If cleared, configuration data for all virtual systems on the device is collected.
  Vsys list: This field is enabled only if Import specific vsys is selected. A comma-separated list of the names of specific virtual systems for which to collect configuration data. You can use * as a wildcard in the names.
  Authentication

    Method: Device: Use the authentication credentials provided here. Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)
    Username: This field is displayed only if Method = Device. The user name to access the firewall.
    Password: This field is displayed only if Method = Device. The user's password.
    Safe: This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark safe that contains the user authentication credential object.
    Object: This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark object that contains the user name and password.

Advanced tab
  Https port: The port on which the firewall listens. If you change the default port (443) on the firewall, the Skybox View Collector must have permission to connect to the firewall using HTTPS on the port that you specify.
  Connection Protocol: The connection protocol to use.
  SSH Port: If Connection Protocol is ssh, the port on which the firewall listens.
  Location Hint: The location of the firewall.
  Note: Use this parameter when different locations use the same set of IP addresses, so that two firewalls at different locations can have the same IP address.

Importing Palo Alto configuration data

Note: It is recommended that you use an Import Directory task to import the configuration data.

The following files are used to import Palo Alto firewall configuration data:

- config.xml: A file containing the Palo Alto configuration and system information.
  1. To create the file, concatenate the output of the following URL requests that provide the required configuration information:
     Configuration: ey>
     Predefined applications: config/predefined/application&key=<key>
     Application filters: config/devices/entry/vsys/entry/application-filter&key=<key>
     Application groups: config/devices/entry/vsys/entry/application-groups&key=<key>
     Services: config/predefined/service&key=<key>
     Threats (IPS signatures on the device): /config/predefined/threats/vulnerability&key=<key>
     Panorama pre-rules and post-rules: /config/panorama&key=<key>
     Where <IP_address> is the IP address of the firewall and <key> is retrieved using the following URL request: ord=<password>
  2. Issue the show system info command to the firewall via telnet or SSH and append the output at the end of the file.
- (Optional) route.txt: A file containing the Palo Alto dynamic routing table. The content of this file is obtained by issuing the following commands to the firewall via telnet or SSH:
     set cli pager off
     show routing route

You can import the configuration of more than one firewall; put each set of configuration files in a separate folder.

Palo Alto Networks Panorama

Palo Alto Networks Panoramas manage multiple Palo Alto Networks firewalls. You can add or update configuration data of the Palo Alto Networks firewalls that are managed by a Panorama to the current model using an online collection task:

Configure the Panorama (see page 77) to allow access from a Skybox View Collector and create a collection task (on page 77) to collect the firewall configurations and add the data to the model. The collection task can collect data from multiple Palo Alto Networks firewalls managed by a single Panorama.

To add or update configuration data from Palo Alto Networks firewalls, see Palo Alto Networks firewall (on page 75).

Configuring Panorama for data collection

To configure a Panorama for data collection:
- (Recommended) Create a separate read-only user on the device for Skybox View data collection.
- Configure the device to allow collection. (The Skybox View Collector must have permission to connect to the device using HTTPS.)
Palo Alto Networks Panorama collection tasks

Firewalls Panorama Collection tasks retrieve configuration data (including IPS rules) from Palo Alto Networks firewalls managed by a Palo Alto Networks Panorama, and add the data to the current model.

Task parameters

The parameters that control Firewalls Panorama Collection tasks are described in the following table.

Basic tab
  Server Name or IP: The name or IP address of the Panorama.
  Authentication
    Method: Device: Use the authentication credentials provided here. Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)
    Username: This field is displayed only if Method = Device. The user name to access the firewall.
    Password: This field is displayed only if Method = Device. The user's password.
    Safe: This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark safe that contains the user authentication credential object.
    Object: This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark object that contains the user name and password.
  Collection
    Device Groups: A comma-separated list of device groups from which to collect Palo Alto Networks firewall configuration data.
    Import Specific Devices: Specifies whether to collect configuration data from specified Palo Alto Networks firewalls instead of collecting configuration data from all the Palo Alto Networks firewalls in the device groups.
    Device Names: This field is enabled only if Import Specific Devices is selected. A comma-separated list of Palo Alto Networks firewall names.

Advanced tab
  Https port: The port on which the Panorama listens. If you change the default port (443) on the Panorama, the Skybox View Collector must have permission to connect to the Panorama server using HTTPS on the port that you specify.
  Location Hint: The location of the Panorama.
  Note: Use this parameter when different locations use the same set of IP addresses, so that two Panoramas at different locations can have the same IP address.
Sidewinder G2 (McAfee Firewall Enterprise) firewall

You can add or update configuration data from Sidewinder G2 (McAfee Firewall Enterprise) firewalls to the current model using an offline file import task:

Create, retrieve, and parse firewall configuration files and import their data (see page 79) into the model. The file import task can import the data of multiple firewalls.

Importing Sidewinder G2 configuration data

Note: It is recommended that you use an Import Directory task to import the parsed configuration data.

To import Sidewinder G2 firewall configurations
1. Create and retrieve the required Sidewinder G2 configuration files (see Creating Sidewinder G2 configuration files (on page 79)).
2. Parse the configuration files using the Skybox View Sidewinder G2 parser (see Parsing Sidewinder G2 configuration files (on page 79)).
3. In the Skybox View Operational Console, create a task and set Task Type to Import Directory (see Import directory tasks (on page 29)).
4. In the Directory field, specify the location of the ixml file created in step 2.
   Note: You can import the configuration of more than one firewall; give a different name to each file created by the parser.
5. Launch the task.

Creating Sidewinder G2 configuration files

To create Sidewinder configuration files
1. Connect to the Sidewinder firewall.
   a) Log in as admin (the cf command must be performed by a system administrator).
   b) Issue the srole command at the shell prompt to enter the administration shell.
2. Create the required files by issuing the following commands at the Sidewinder Command Line Interface:
   (Optional) burb definition: cf burb query > /tmp/burbquery.txt
   ipfilter data: cf ipfilter query > /tmp/ipfilterquery.txt
   Proxy rules data: cf acl query > /tmp/aclquery.txt
   Interfaces and burbs: cf interface query > /tmp/interfacequery.txt
   Proxy services definitions: cf proxy query > /tmp/proxyquery.txt
   (Optional) Routing information: netstat -nr > /tmp/routinginfo.txt

Parsing Sidewinder G2 configuration files

Skybox View includes a parser that creates an ixml file from Sidewinder G2 firewall configuration files. This ixml file can then be imported into Skybox View.

The Skybox View Sidewinder G2 parser supports the following Sidewinder features:
- IP Filtering: A simple stateful packet filter that inspects the source and destination IP addresses, port, and protocol (Layers 3 and 4).
- Transparent Proxy: The firewall intercepts every connection attempt and opens the connection on the user's behalf. All internet connections are made by the firewall so that the internal network never communicates directly with the internet. Access to the proxy services of the firewall is controlled by an access rule, which is similar to the IP Filtering feature. However, in addition to accept or drop actions, authentication and application layer inspection might be required.
- Application Firewall: The firewall enforces a positive policy that specifies which actions are allowed.

The Skybox View parser supports Sidewinder G2 firewall version 6.1.

The Skybox View Sidewinder G2 parser is located at <Skybox_View_Home>\intermediate\bin\parsers\firewalls\sidewinder\SideWinder Parser.pl.

Usage

SideWinder.pl -h <host_name> -i <interfaces_file> -f <ip_filter_file> -a <acl_file> -p <proxies_file> [-r <routing_information_file>] [-b <burbs_file>] [-v silent|standard|debug] -o <output_xml_file>

The Skybox View Sidewinder G2 parser arguments are described in the following table.

Argument  Value
-h        Host name of the Sidewinder firewall. Note: Ignored if a cf burb query file is supplied (-b argument)
-i        cf interface query output file
-f        cf ipfilter query output file
-a        cf acl query output file
-p        cf proxy query output file
-o        File name to store parsing results
-b        cf burb query output file
-r        netstat -nr output file
-v        Verbose level (silent, standard, or debug)

VMware vShield Edge firewall

You can add or update configuration data from VMware vShield Edge firewalls to the current model using an online collection task:

Configure the firewall manager (see page 80) to allow access from a Skybox View Collector and create a firewall collection task (see page 80) to collect the firewall configurations and add the data to the model. The collection task can collect data from multiple virtual firewalls on a single device.

You can also add or update configuration data from VMware vShield Edge firewalls to the current model using an offline file import task:

Create and retrieve firewall configuration files and import their data (see page 81) into the model. The file import task can import the data of multiple virtual firewalls on a single device.

Configuring VMware vShield Edge firewalls for data collection

To configure a vShield Edge firewall for data collection:
- (Recommended) Create a separate read-only user on the device for Skybox View data collection.
VMware vShield Edge collection tasks

Firewalls VMware vShield Edge Firewall Collection tasks retrieve configuration data from vShield Edge firewalls and add the data to the current model.

Task parameters

The parameters that control Firewalls VMware vShield Edge Firewall Collection tasks are described in the following table.

Basic tab
  Vshield Management IP: The IP address of the vShield Edge Manager.
  Username: The user name to access the vShield Edge Manager.
  Password: The user's password.

Advanced tab
  Merge assets by Wins name: Specifies whether to merge assets from the same network by name and not by IP address. Select this option when assets do not have fixed IP addresses.
  Location Hint: The location of the firewall.
  Note: Use this parameter when different locations use the same set of IP addresses, so that two firewalls at different locations can have the same IP address.

Importing VMware vShield Edge configuration data

Note: It is recommended that you use an Import Directory task to import the configuration data.

You can import the configuration of more than one firewall; put each set of configuration files in a separate folder.

Firewalls implemented in software

You can add or update configuration data from firewalls implemented in software to the current model using an online collection task:

Configure the firewalls (see page 82) to allow access from a Skybox View Collector and create a network state collection task (see page 82) to collect the firewall configurations and add the data to the model.

Network State Collection tasks can collect configuration data from firewalls running on the following platforms:
- Nokia
- Windows
- Linux
- SPLAT
- Solaris

Each task can collect data from one platform type only.

Platform-dependent commands

The ifconfig and netstat commands that Network State Collection tasks run for the different supported platforms are listed in the following table.

Platform   ifconfig             netstat
Nokia      ifconfig -a          netstat -nr
Windows    ipconfig             netstat -r
Linux      ifconfig -a          netstat -nrv

SPLAT      /bin/save_ifconfig   /bin/netstat -nrv
Solaris    ifconfig -a          netstat -nrv

Configuring software firewalls for data collection

The Skybox View Collector must have permission to connect to the firewall application using telnet or SSH:
- (Recommended) Create a separate read-only user on the device for Skybox View data collection.

SPLAT

To run a task of type Network State Collection to collect data from a firewall running on a SPLAT platform:
- (Recommended) Create a special user in the bash shell (instead of cpshell).

Network state collection tasks

Network State Collection tasks collect firewall configurations (routing rules and network interfaces) from firewalls that are implemented in software on top of an operating system.

Task parameters

The parameters that control Network State Collection tasks are described in the following table.

Basic tab
  Platform: The platform from which to collect firewall configuration data.
  Connection Protocol: The connection protocol to use.
  SSH Port: If Connection Protocol is ssh, the port on which the firewall listens.
  Device Addresses: The IP addresses of the devices whose routing rules are collected.
  Device prompt: The prompt for devices specified in the previous field.
  Note: If the prompt ends with the two characters ]# (a right bracket followed by a hash sign), this field can be left blank.
  Authentication
    Username: The user name of a user of the device.
    Password: The user's password.

Advanced tab
  Location Hint: The location of the destination network.
  Note: Use this parameter when different locations use the same set of IP addresses, so that two networks at different locations can have the same IP address.
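The routing output that a Network State Collection task gathers differs by platform, which is why the command table above is per platform. The following is an added example, not Skybox View code: it carries the command table from the text, normalizes two of those formats (Linux `netstat -nr`/`-nrv` and Windows `netstat -r`) into one route model, and answers the questions a reviewer asks of a host firewall's routing table: where the default route points and which next hop serves a given address (longest-prefix match). The two listings are constructed samples; Solaris, Nokia and SPLAT listings use other column layouts and are not parsed here.

```python
"""Normalize Linux and Windows netstat routing tables into one model.

Added example for this guide; not Skybox View code. PLATFORM_COMMANDS is copied from
the guide's table; SAMPLE_LINUX and SAMPLE_WINDOWS are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ifconfig / netstat commands per platform, as listed in the guide.
PLATFORM_COMMANDS = {
    "Nokia":   ("ifconfig -a",        "netstat -nr"),
    "Windows": ("ipconfig",           "netstat -r"),
    "Linux":   ("ifconfig -a",        "netstat -nrv"),
    "SPLAT":   ("/bin/save_ifconfig", "/bin/netstat -nrv"),
    "Solaris": ("ifconfig -a",        "netstat -nrv"),
}

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None: directly connected
    iface: str                                 # name (Linux) or interface address (Windows)

def _is_ipv4(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False

def parse_netstat_linux(text: str) -> List[Route]:
    """Columns: Destination Gateway Genmask Flags MSS Window irtt Iface."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not _is_ipv4(f[0]):
            continue                      # title line or column header
        dest, gw, mask, flags, iface = f[0], f[1], f[2], f[3], f[-1]
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append(Route(net, ipaddress.IPv4Address(gw) if "G" in flags else None, iface))
    return routes

def parse_netstat_windows(text: str) -> List[Route]:
    """Rows of the 'Active Routes:' block: Network Destination, Netmask, Gateway, Interface, Metric."""
    routes, active = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Active Routes"):
            active = True
            continue
        if s.startswith("Persistent Routes"):
            break
        f = s.split()
        if not active or len(f) != 5 or not _is_ipv4(f[0]):
            continue                      # separators and the column header
        dest, mask, gw, iface, _metric = f
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append(Route(net, None if gw == "On-link" else ipaddress.IPv4Address(gw), iface))
    return routes

def default_routes(routes: List[Route]) -> List[Route]:
    return [r for r in routes if r.network.prefixlen == 0]

def next_hop(routes: List[Route], address: str) -> Optional[Route]:
    """Longest-prefix match: the lookup the kernel performs for a packet to `address`."""
    addr = ipaddress.IPv4Address(address)
    candidates = [r for r in routes if addr in r.network]
    return max(candidates, key=lambda r: r.network.prefixlen) if candidates else None

# Constructed Linux `netstat -nr` output (not from a real host).
SAMPLE_LINUX = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.1.1.1        0.0.0.0         UG        0 0          0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.50.0    10.1.1.254      255.255.255.0   UG        0 0          0 eth0
"""

# Constructed Windows `netstat -r` output (interface list omitted).
SAMPLE_WINDOWS = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.1.1.1        10.1.1.20     10
         10.1.1.0    255.255.255.0         On-link         10.1.1.20    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
===========================================================================
Persistent Routes:
  None
"""

if __name__ == "__main__":
    for platform, (ifc, nst) in PLATFORM_COMMANDS.items():
        print(f"{platform:8} {ifc:20} {nst}")
    linux = parse_netstat_linux(SAMPLE_LINUX)
    for r in linux:
        print(r.network, "via", r.gateway or "connected", "on", r.iface)
    print("8.8.8.8 ->", next_hop(linux, "8.8.8.8").gateway)
```

A host firewall with no default route, or with two, is worth a second look before its routing is merged into the model; `default_routes` makes that a one-line check per collected file.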

Chapter 5 Firewall log data tasks

This chapter describes how to add firewall log data (activity, audit, syslog, traffic) to the current model.

In this chapter
- Check Point FireWall-1 activity log data (LEA collection)
- Check Point FireWall-1 change events (audit log data)
- Importing syslog change tracking events
- Syslog traffic events

Check Point FireWall-1 activity log data (LEA collection)

You can add or update firewall activity log data from Check Point FireWall-1 NG and NGX firewalls to the current model using an online collection task:

Configure the device holding the firewall activity logs (on page 83) to allow access from a Skybox View Collector and create a firewall collection task (see page 87) to collect the logs and add their data to the model.

Note: You must add the configuration data of each firewall to the current model (by running a Check Point FireWall-1 CPMI collection task (see page 50)) before running a Firewalls Check Point FireWall-1 LEA Collection task for the first time.

Firewall activity log data is used for rule usage analysis, which is described in the Skybox Firewall Assurance User's Guide.

Note: Alternatively, you can collect and add log data for rule usage analysis using a Traffic Events Syslog Import task (on page 95). (If you use this task type, the Skybox View Collector does not need access to the device; you must configure the device to forward the activity data to a syslog server.)

Configuring devices for FireWall-1 log collection

Note: If you are using versions R55 to R59 of FireWall-1, enable Rule GUID (Global Unique Identifier) (see Enabling Rule GUID (on page 87)). (Rule GUID is unavailable prior to version R55 and is enabled by default from version R60.)

The logs generated by a Check Point FireWall-1 firewall are located either on the Check Point FireWall-1 management system that manages the firewall or on a dedicated log server.

To allow Skybox View to collect FireWall-1 logs, you must:
- Obtain the IP address of the device where the logs are stored.
- Configure the OPSEC application to allow LEA collection.
- (If the logs are on a Check Point FireWall-1 management system) Configure the management system to allow collection using the OPSEC protocol.
- (If the logs are on a log server) Install the OPSEC application database on the log server.

To obtain the IP address of a device
1. In Check Point SmartDashboard, select Manage > Network Objects.
2. Select the device holding the logs (either the FireWall-1 management system object or the log server) from the drop-down list and click Edit.
   Figure 7: Check Point SmartDashboard - Gateway Properties dialog box
3. Write down the contents of the IP Address field; you need this information when you create the firewall collection task.
4. Close the Properties dialog box.

To configure the OPSEC application
1. Launch Check Point SmartDashboard.
2. Verify that the Skybox View Collector host is defined in SmartDashboard.
3. In SmartDashboard, select Manage > Servers and OPSEC Applications.
4. In the OPSEC Applications dialog box, click New and select OPSEC Application.
5. In the OPSEC Application Properties dialog box:
   a) Give the OPSEC Application a name. Note this name; you need it when you create the firewall collection task.
   b) From the Host drop-down list, select the Skybox View Collector host.
   c) In the Client Entities box, select LEA.
   d) Click Communications and type an activation key. The activation key is a one-time password that is used to create the certificate for authentication and encryption between the Skybox View Collector and the management system; you need the key when you create the firewall collection task.
   e) Click Initialize and wait for initialization to complete.
   f) Click Close.

   g) Click the CPMI Permissions tab.
      Figure 8: Check Point SmartDashboard - OPSEC Applications Properties dialog box - CPMI Permissions tab
   h) Select the appropriate Permissions Profile.
   i) Click OK to close the OPSEC Application Properties dialog box.
6. Click Close to close the OPSEC Applications dialog box.
7. Save the changes.

To configure the firewall to allow collection
1. Add an access rule in the firewall to allow the Skybox View Collector to use the services required for the collection process.
   Note: This is only necessary if the connection between the Skybox View Collector and the FireWall-1 management host is blocked by the firewall.
   Figure 9: Tasks: FireWall-1 - Access rule for SBV Collector
   Use the following parameters for the access rule:
   Source: Skybox View Collector
   Destination: FireWall-1 management host
   Services: FW1_ica_pull (TCP/18210), LEA (TCP/18184)
2. Install the FireWall-1 policy.

To install the OPSEC application database on the log server
1. Launch Check Point SmartDashboard.
2. Select Policy > Install Databases.
3. Check the log server.
4. Click Install.
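The access rule in step 1 above should be exactly as narrow as the collector needs: one source, one destination, the two services. The following is an added example, not Skybox View or Check Point code: it models a rule base with the first-match semantics a FireWall-1 policy uses and checks, for each required service (FW1_ica_pull TCP/18210 and LEA TCP/18184), whether the collector reaches the management host, reporting a missing rule as blocked and a rule with an Any source or Any service as allowed but too broad. The rule bases and object names (sbv-collector, fw1-mgmt, admin-net) are constructed placeholders.

```python
"""Check a rule base for the collector-to-management access rule the guide requires.

Added example for this guide; not Skybox View or Check Point code. The rule bases
and object names below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Service objects named in the guide: name -> (protocol, port).
REQUIRED_SERVICES = {"FW1_ica_pull": ("tcp", 18210), "LEA": ("tcp", 18184)}

@dataclass(frozen=True)
class Rule:
    name: str
    sources: Set[str]        # object names, or {"Any"}
    destinations: Set[str]
    services: Set[str]
    action: str              # "accept" or "drop"

def _covers(objects: Set[str], name: str) -> bool:
    return "Any" in objects or name in objects

def first_match(rules: List[Rule], src: str, dst: str, service: str) -> Optional[Rule]:
    """Top-down evaluation: the first matching rule decides, as in a FireWall-1 rule base."""
    for rule in rules:
        if _covers(rule.sources, src) and _covers(rule.destinations, dst) and _covers(rule.services, service):
            return rule
    return None

def check_collector_access(rules: List[Rule], collector: str, mgmt: str) -> Dict[str, str]:
    """For each required service: 'allowed', 'allowed-too-broad', or 'blocked'."""
    result = {}
    for service in REQUIRED_SERVICES:
        rule = first_match(rules, collector, mgmt, service)
        if rule is None or rule.action != "accept":
            result[service] = "blocked"
        elif "Any" in rule.sources or "Any" in rule.services:
            result[service] = "allowed-too-broad"
        else:
            result[service] = "allowed"
    return result

def describe(result: Dict[str, str]) -> List[str]:
    """Human-readable findings, with the rule parameters the guide prescribes."""
    lines = []
    for service, state in result.items():
        proto, port = REQUIRED_SERVICES[service]
        if state == "blocked":
            lines.append(f"{service} ({proto}/{port}): blocked; add an accept rule with "
                         f"Source=collector, Destination=management host, Service={service}")
        elif state == "allowed-too-broad":
            lines.append(f"{service} ({proto}/{port}): allowed by a rule with Any source or "
                         f"Any service; narrow it to the collector")
        else:
            lines.append(f"{service} ({proto}/{port}): allowed")
    return lines

# Constructed rule bases (placeholders, not a real policy).
GOOD_RULES = [
    Rule("SBV collector to mgmt", {"sbv-collector"}, {"fw1-mgmt"}, {"FW1_ica_pull", "LEA"}, "accept"),
    Rule("Admin access", {"admin-net"}, {"fw1-mgmt"}, {"https", "ssh"}, "accept"),
    Rule("Cleanup", {"Any"}, {"Any"}, {"Any"}, "drop"),
]
MISSING_RULES = [GOOD_RULES[1], GOOD_RULES[2]]           # collector rule absent
BROAD_RULES = [Rule("Anyone to mgmt", {"Any"}, {"fw1-mgmt"}, {"LEA"}, "accept"),
               GOOD_RULES[0], GOOD_RULES[2]]              # LEA opened to everyone

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("missing", MISSING_RULES), ("broad", BROAD_RULES)):
        print(label)
        for line in describe(check_collector_access(rules, "sbv-collector", "fw1-mgmt")):
            print("  " + line)
```

Because evaluation stops at the first match, the broad rule placed above the correct one is what the collector actually hits for LEA; that ordering effect is the reason the check walks the rule base instead of searching it for the expected rule.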

Enabling Rule GUID

Rule GUID allows each policy rule to be assigned a unique ID. Rule GUID is available starting from version R55 of the Check Point FireWall-1 NG firewall (and is enabled by default from version R60).

If Rule GUID is not enabled, each rule is assigned an index by Skybox View. However, this index can change as rules are added to and deleted from the policy. If Rule GUID is not enabled, Skybox View collects log records only from the last policy installed. From that point forward, the records are collected correctly (assuming that the policy in Skybox View is updated each time a new policy is installed in the firewall).

If Rule GUID is enabled, Skybox View can support mixed records (records with and without an ID), but rules without an ID are collected only from the latest policy.

To enable Rule GUID on a Check Point FireWall-1 firewall (R55 and higher)
Note: Run this procedure on a SmartCenter server.
1. Exit all GUI sessions.
2. From a command prompt, type /SmartConsole/R55/Program/GuiDBedit.exe.
3. Locate the property Table/Global Properties/properties/firewall_properties/rulebase_uids_in_log.
4. Change the value of the property to true.
5. Update the change to the property.
6. To exit GuiDBedit, type quit.
7. Log in and install the Security Policy to make the change effective.

Check Point FireWall-1 LEA collection tasks

Firewalls Check Point FireWall-1 LEA Collection tasks retrieve firewall activity logs from Check Point FireWall-1 management systems (or from dedicated log servers) and add the data to the current model. You must create a separate LEA collection task for each FireWall-1 management system. For VSX (virtual systems) firewalls, configuration data for all the virtual firewalls is retrieved.

Note: Skybox View supports log hit count collection for access rules with Log as their Track Option.

You can create a Firewalls Check Point FireWall-1 LEA Collection task in two ways:
- Right-click a Firewalls Check Point FireWall-1 CPMI Collection task and select Create Task for Activity Log Collection. A Firewalls Check Point FireWall-1 LEA Collection task is created, with appropriate parameter values copied from the Check Point FireWall-1 CPMI collection task.
  Note: If you create the Firewalls Check Point FireWall-1 LEA Collection task from a Provider-1 CPMI collection task, a warning message is displayed and SIC Name is not copied.
- Create a task and set Task Type to Firewalls Check Point FireWall-1 LEA Collection.

You can add log data to the model only for firewalls that already exist in the model and have the same rules and objects as those used in the log; if the policy changes, update the firewall in the model before invoking the LEA collection task. (When working with FireWall-1 NG firewalls, the firewall must be updated every time the policy in the firewall changes so that rule usage analysis can work as accurately as possible; this is not necessary for FireWall-1 NGX firewalls.)

Note: For large log files, a Firewalls Check Point FireWall-1 LEA Collection task can take several hours. Progress messages are displayed in the Messages tab of the task and updated, by default, every 60 seconds. You can change the update period by changing the value of the lea_progress_interval parameter in <Skybox_View_Home>\server\conf\sb_server.properties.

To minimize collection time, if data for part of the Collection Period was collected previously, it is not collected again.

Task parameters

The parameters that control Firewalls Check Point FireWall-1 LEA Collection tasks are described in the following table.

Basic tab

Management
    The IP address of the FireWall-1 management system.
    Note: You must type the IP address, not the host name.
    Note: Authentication is made against the FireWall-1 management system, even if it is managed by Provider-1.

Initialize Certificate issue date
    <Empty>: The connection to the management system is not initialized.
    <Timestamp>: The timestamp of the authentication certificate used to authenticate the connection.
    To retrieve an authentication certificate, click Initialize Certificate to open the Initialize Certificate dialog box (see page 52).

Authentication
  Username
    The user name of the administrator created for the task (see Configuring devices for FireWall-1 log collection (on page 83)).
  Password
    The administrator's password.

Collection
  Collect From Log Server
    Specifies whether the activity logs are collected from a log server. If cleared, the activity logs are collected from the management system.
  Log Server
    This field is enabled only if Collect From Log Server is selected.
    The IP address of the log server. If there is a secondary server, add the IP address of the secondary server (separated by a comma or space); if the primary server is down or inaccessible, the task collects the logs from the secondary server.
    To collect logs from the log server, install the OPSEC application database on the log server (see Configuring devices for FireWall-1 log collection (on page 83)).
  Modules
    A list of the modules (firewalls and firewall folders) for which to collect logs.
  Collection Period
    The period for which to collect activity logs.
    Custom: Select Specific or Relative start and end times.
  SIC Name
    (Read only) The DN of the location of the activity logs. Skybox View displays the value in the authentication certificate it retrieved when you initialized the connection. If you specified a secondary server in the Log Server field, the DN of the secondary server is also displayed.

Actual Rule Usage tab

Trace Scope
    A list of firewalls for which to collect actual usage (trace) information.

Source range
    Equals 'Any'
    Equals or includes Class B (2^16 addresses)
    Equals or includes the following amount of addresses
    Note: Actual usage information is collected when one or more of the criteria (that is, Source Range, Destination Range, or Service Range) are met.

Destination range
    Equals 'Any'
    Equals or includes Class B (2^16 addresses)
    Equals or includes the following amount of addresses
    Note: Actual usage information is collected when one or more of the criteria (that is, Source Range, Destination Range, or Service Range) are met.

Service range
    Equals 'Any'
    Equals or includes the following amount of ports
    Note: Actual usage information is collected when one or more of the criteria (that is, Source Range, Destination Range, or Service Range) are met.

Advanced tab

OPSEC Application
    The name given to the OPSEC application when it was configured for Skybox View (see Configuring devices for FireWall-1 log collection (on page 83)).

Clear Mode
    Specifies whether the management system or log server works in clear mode. Clear this check box if the management system or log server works in encrypted mode rather than clear mode.

Port
    The port to use on the management system or log server.
    Note: If the management system is working in encrypted mode and uses a non-default port (a port other than 18184), modify fwopsec.conf and cpmad_opsec.conf.

Excluded Log Files
    A comma-separated list of log files that the task does not collect.

Re-collect Time Frames Already In Database
    Force (re)collection of log data that is already in the database.
    Note: This option is useful if there is a gap in collected data. The database holds the date of the most recently collected log and the task regards anything earlier as already collected.

Device Time Zone offset
    The three-letter code for the time zone to use for timestamps in the log. If blank, the local time zone is used.

Stop task with partial Results After
    Specifies whether to stop the task after the specified number of minutes. All retrieved logs are saved.

Check Point FireWall-1 change events (audit log data)

You can add or update firewall audit log data from Check Point FireWall-1 NG and NGX firewalls to the current model using an online collection task: Configure the device holding the firewall activity logs (on page 83) to allow access from a Skybox View Collector and create an import collection task (see page 90) to collect the logs and add their data to the model.

Note: You must add the configuration data of each firewall to the current model (by running a Check Point FireWall-1 CPMI collection task (see page 50)) before running a Change Tracking Events Check Point Audit Log Collection task for the first time.

The imported data is used by tasks of type Analysis Change Tracking (on page 152).

Check Point FireWall-1 change events collection tasks

Change Tracking Events Check Point Audit Log Collection tasks retrieve firewall audit logs from Check Point FireWall-1 management systems (or from dedicated log servers) and add the data to the current model.

You can add log data to the model only for firewalls that already exist in the model and have the same rules and objects as those used in the log; if the policy changes, update the firewall in the model before invoking the change events collection task.

Task parameters

The parameters that control Change Tracking Events Check Point Audit Log Collection tasks are described in the following table.

Basic tab

Management
    The IP address of the FireWall-1 management system.
    Note: You must type the IP address, not the host name.
    Note: Authentication is made against the FireWall-1 management system, even if it is managed by Provider-1.

Initialize Certificate issue date
    <Empty>: The connection to the management system is not initialized.
    <Timestamp>: The timestamp of the authentication certificate used to authenticate the connection.
    To retrieve an authentication certificate, click Initialize Certificate to open the Initialize Certificate dialog box (see page 52).

Authentication
  Username
    The user name of the administrator created for the task (see Configuring devices for FireWall-1 log collection (on page 83)).
  Password
    The administrator's password.

Collection
  Collect From Log Server
    Specifies whether the audit logs are collected from a log server. If cleared, the audit logs are collected from the management system.
  Log Server
    The IP address of the log server. To collect logs from the log server, install the OPSEC application database on the log server (see Configuring devices for FireWall-1 log collection (on page 83)).
  SIC Name
    (Read only) The DN of the location of the audit logs (if Collect From Log Server is not selected, the DN of the management system; otherwise the DN of the log server). Skybox View displays the value in the authentication certificate it retrieved when you initialized the connection.
  Modules
    A list of the modules (firewalls and firewall folders) for which to collect logs.

Advanced tab

OPSEC Application
    The name given to the OPSEC application when it was configured for Skybox View (see Configuring devices for FireWall-1 log collection (on page 83)).

Clear Mode
    Specifies whether the management system or log server works in clear mode. Clear this check box if the management system or log server works in encrypted mode rather than clear mode.

Port
    The port to use on the management system or log server.
    Note: If the management system is working in encrypted mode and uses a non-default port (a port other than 18184), modify fwopsec.conf and cpmad_opsec.conf.

Excluded Log Files
    A comma-separated list of log files that the task does not collect.

Device Time Zone offset
    The three-letter code for the time zone to use for timestamps in the log. If blank, the local time zone is used.

Collection Period
    The period for which to collect audit logs.
    Custom: Select Specific or Relative start and end times.

Importing syslog change tracking events

Skybox View can use online collection tasks to extract data from syslog events and add the changes to the access rules and objects of Juniper Networks Junos firewalls, Juniper Networks NetScreen firewalls, Fortinet FortiGate firewalls, Cisco PIX/ASA/FWSM firewalls, and Palo Alto Networks firewalls to the current model.

1 Before running a syslog change tracking events import task for the first time, run a task to add the configuration data of the firewall to the current model.
2 The Skybox View Appliance includes a built-in syslog server, which is activated by default. If you are working with a Skybox View Collector on a non-appliance machine, you must install a third-party syslog server on the Collector machine. Make sure to use one that can output specific events to syslog text files so that Skybox View can process them.
3 Configure the firewalls to send syslog messages (on page 92) to the Skybox Collector or any other syslog server and create a syslog change tracking events collection task (on page 92) to read the syslog file, collect the events, and add their data to the model.

The imported data is used by tasks of type Analysis Change Tracking (on page 152).

Forwarding syslog messages to the Appliance or Collector machine

In order to work with syslog change events, you need to forward the change events from the firewall or syslog server to the Skybox View Appliance or Collector machine for parsing by the task. Since the majority of syslog events are not related to firewall changes, it is recommended that you forward only the change events and not the other syslog events.

The following are the change-related syslog messages that should be forwarded from each type of firewall supported by the task:

- Juniper NetScreen: Messages of types 00001, 00018, and
- Juniper Junos: All CFG_AUDIT messages
- Fortinet FortiGate: All messages of subtype config
- Cisco ASA/PIX/FWSM: All [ASA PIX FWSM] messages
- Palo Alto Networks: All messages of type CONFIG

Syslog change events collection tasks

Change Tracking Events Syslog Import tasks retrieve syslog change events from firewalls of the following types and add relevant data from the events to the current model:

- Juniper Networks Junos
- Juniper Networks NetScreen
- Fortinet FortiGate
- Cisco PIX/ASA/FWSM
- Palo Alto Networks

Note: Log data can be added to the model only for firewalls that exist in the model and have the same rules and objects as those used in the log; if the policy has changed, update the firewall in the model before invoking the Change Tracking Events Syslog Import task.

Task parameters

The parameters that control Change Tracking Events Syslog Import tasks are described in the following table.

Basic tab

File Directory Path
    The path to the directory containing the syslog files to collect.
    Note: The task also collects any syslog files that are contained in archive (ZIP) files in this directory.
    Note: When using versions or of Skybox Appliance, there is a file to replace in order for this task to work properly. For additional information, see the What's next topic in the Appliance Quick Start Guide.

Modules
    A list of the modules (firewalls) for which to collect change events.

Advanced tab

Date Format
    Junos and PIX/ASA/FWSM: The format of the syslog header timestamp.
    NetScreen, FortiGate, and Palo Alto: The formats of the date and time fields, not the header timestamp. For example, if a FortiGate syslog record starts Mar 13 13:44: date= time=12:37:45 devname=..., select :00:00 (and not Mar 14 00:00:00).
    If the required format does not appear in the drop-down list, add a row with the format to the file <Skybox_View_Home>\server\conf\collector_commands\date_patterns.txt.

Collection Period
    The period for which to collect change events.
    Custom: Select Specific or Relative start and end times.

How syslog change events are parsed

The policy_syslog.txt file is used by tasks of type Change Tracking Events Syslog Import to create syslog-based change records from syslog entries that contain change events. The file includes a list of regular expressions, where each regular expression handles a different type of change. The task uses the file to:

1 Determine whether a particular syslog event is a change event
2 Pull the following information out of each relevant syslog entry and use it to create a change record:
  - Type of entity that was changed (access rule or object)
  - Device ID
  - Rule ID (for changes to access rules) or object name
  - Administrator who made the change
  - Timestamp for the change
  - Type of change (new, modified, or deleted)

Currently, the file includes regular expressions that handle events from Juniper Networks Junos, Juniper Networks NetScreen, Fortinet FortiGate, Cisco PIX/ASA/FWSM, and Palo Alto Networks firewalls only. To work with events from other devices, contact Skybox support.

policy_syslog.txt

The policy_syslog.txt file is located in the following directory on the Collector machine: <Skybox_View_Home>/collector/conf/collector_commands

What the file contains

- Default values for the following change properties:
  - Device ID
  - GUI ID (for access rules)
  - Name (for objects)
  - Change initiator (that is, the person who made the change)

  - Change time
  The default values specify the place of the group defining the change property in the regular expressions. For example, DEVICE_ID - 1 means that the first group in all patterns is the device ID.
  Note: The default values at the top of the file are used for parsing NetScreen rules.
- Rules containing regular expressions used to check and parse the syslog events. Each regular expression for NetScreen contains the number of groups for which there are defaults, and the order of each group determines the default it matches. For example, the third group in the regular expression matches the default whose value is 3 (that is, changed by).
- Additional rules used to add properties to the change records defined by the regular expressions.

Each rule in the file is a key/value set, where the key is the name of the rule, the name of the change property (device ID, object name, change initiator, or timestamp), or the change status, followed by -, followed by the value (the rule itself, change property, change status, change initiator, or change timestamp).

The regular expression language used is the Java standard.

How it works

When a Change Tracking Events Syslog Import task is run, Skybox View reads each syslog event:

1 The task checks the event against the first regular expression to see if it matches, and continues checking through all the regular expressions in the file until it finds a matching regular expression. For example, the following line:

    Feb 7 12:06:07 lab-ns lab-ns: NetScreen device_id=lab-ns [Root]systemnotification-00018: Policy (300, Untrust->Trust, Any->my,DHCP-Relay, Deny) was deleted by admin_300 via web from host to :80. ( :24:37)

  matches the following regular expression:

    NETSCREEN_CHANGE_LOG_ACL_DELETE_PAT - .*device_id=([^\s]+).*policy \(([^\,]+).*was deleted by ([^\s]+).*\(([^\\)]+).*

2 If it does not find a match, it goes on to the next syslog event.
3 If it finds a match, it creates a syslog-based change record using the groups in the regular expression to find the values for each default. For example, for NetScreen rules, the value found by the first group becomes the device ID in the change record, the value found by the second group becomes the rule ID, and so on. The status of the change is specified by the _STATE - <status_value> rule, where <status_value> must be one of the following values: NEW, MODIFIED, or DELETED. Whether the change relates to an access rule or an object (and hence what type of information is contained in the second group) is defined by the name of the rule (which by definition must contain either the string ACL or the string OBJECT).
4 This syslog-based change record is added to the Skybox View model.

Modifying the policy_syslog.txt file

To use the policy_syslog.txt file to work with a firewall type that is not supported, you must customize the file by creating additional definitions. In some cases, such as if you customized the message patterns from supported firewall types, the existing definitions might also need updating.

Important: This file should only be modified after consulting Skybox Security Professional Services.

Note the following when working with this file:

- The prefix of a rule represents the device type.
- The first part of a rule represents its name; the second part represents the value. The string - must be used to separate the two parts.
- Each pattern requires a separate parsing rule (regular expression).
- The name of each parsing rule for access rule changes must contain the string _ACL_; the name of each parsing rule for objects must contain the string _OBJECT_. It is recommended that you use names similar to those used for NetScreen, but there cannot be two rules with the same name.
- The regular expression must contain one group for each default specified at the top of the file. These define the contents of each change property in the change record. If the order of the defaults is different from that specified at the top of the file, there must be another rule for each default whose order is different.
- For each parsing rule, there must be another rule that defines the status of the change. This rule must have the same name as the parsing rule, with the string _STATE appended at the end. For example:
    <device_type>_change_log_acl_add_pat_state - NEW

To customize the file for an additional firewall type

1 Look at some syslog change events from the new type of firewall to determine how they are written and what the pattern differences are between this output and the existing output expected by the file.
2 Open the policy_syslog.txt file (on the Collector machine, in <Skybox_View_Home>/collector/conf/collector_commands).
3 In the file, create new rules based on the patterns in the syslog for the new firewall type as follows:
  a) For each type of syslog event in the new device type, copy the parallel NetScreen rule and change the device prefix and pattern.
  b) If the order of the defaults for the new device is different from that specified at the top of the file, create another rule for each default whose order is different. For example, if in the new type of firewall the timestamp comes before the change initiator, you need a separate rule for each of them, such as:
      <device_type>_change_log_acl_add_pat_change_time - 3
      <device_type>_change_log_acl_add_pat_changed_by - 4
    Note: This step must be done per parsing rule.
  c) Make sure that each parsing rule for the new device has a matching state rule, where the value is NEW, MODIFIED, or DELETED. For example:
      <device_type>_change_log_acl_add_pat_state - NEW

Syslog traffic events

You can add or update firewall activity log data from the following firewalls to the current model using an online collection task:

- Check Point Firewall-1 (R75 or higher)
- Cisco PIX/ASA/FWSM
- Juniper Networks Junos
- Juniper Networks NetScreen
- Fortinet FortiGate
- Palo Alto Networks
- StoneGate
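Before moving on to traffic events, the policy_syslog.txt matching described in the preceding sections, written out as an added example (this is illustration code, not part of the guide and not Skybox View's own parser). It loads a constructed rule set in the file's NAME - value layout, tries the patterns in file order, and builds a change record from the regex groups using the defaults at the top, any per-pattern override rules, and the matching _STATE rule; ACL or OBJECT in the pattern name decides what the second group means. The NetScreen pattern, the DEVICE_ID - 1 default, the _CHANGE_TIME, _CHANGED_BY and _STATE suffixes, and the shape of the NetScreen event come from the guide; the other default key names (GUI_ID, NAME, CHANGED_BY, CHANGE_TIME), the EXAMPLEFW rules and events, the documentation-range addresses, and case-insensitive matching are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed rule set in the "NAME - value" layout of policy_syslog.txt (not the shipped file).
# The NETSCREEN pattern and DEVICE_ID default follow the guide; GUI_ID, NAME, CHANGED_BY,
# CHANGE_TIME and everything prefixed EXAMPLEFW are assumptions made for this example.
RULES_TEXT = r"""
DEVICE_ID - 1
GUI_ID - 2
NAME - 2
CHANGED_BY - 3
CHANGE_TIME - 4
NETSCREEN_CHANGE_LOG_ACL_DELETE_PAT - .*device_id=([^\s]+).*policy \(([^\,]+).*was deleted by ([^\s]+).*\(([^\\)]+).*
NETSCREEN_CHANGE_LOG_ACL_DELETE_PAT_STATE - DELETED
EXAMPLEFW_CHANGE_LOG_OBJECT_ADD_PAT - .*devid=([^\s]+).*object "([^"]+)" added at \(([^\)]+)\) by ([^\s]+).*
EXAMPLEFW_CHANGE_LOG_OBJECT_ADD_PAT_CHANGE_TIME - 3
EXAMPLEFW_CHANGE_LOG_OBJECT_ADD_PAT_CHANGED_BY - 4
EXAMPLEFW_CHANGE_LOG_OBJECT_ADD_PAT_STATE - NEW
"""

STATES = ("NEW", "MODIFIED", "DELETED")


@dataclass
class ChangeRecord:
    device_type: str   # rule prefix, e.g. NETSCREEN
    entity: str        # "ACL" (access rule) or "OBJECT"
    device_id: str
    target: str        # rule ID for ACL changes, object name for object changes
    changed_by: str
    change_time: str
    state: str         # NEW, MODIFIED or DELETED


def load_rules(text: str) -> Dict[str, str]:
    """Parse 'NAME - value' lines; dict order preserves file order, which decides match precedence."""
    rules: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, sep, value = line.partition(" - ")
        if not sep:
            raise ValueError(f"rule without ' - ' separator: {line}")
        if name in rules:
            raise ValueError(f"duplicate rule name: {name}")  # names must be unique
        rules[name] = value.strip()
    return rules


def group_for(rules: Dict[str, str], pattern_name: str, prop: str) -> int:
    """Group index of a change property: a per-pattern override (<pattern>_<prop> - n) wins over the default."""
    return int(rules.get(f"{pattern_name}_{prop}", rules[prop]))


def parse_event(rules: Dict[str, str], event: str) -> Optional[ChangeRecord]:
    """Return the change record for a syslog line, or None when no parsing rule matches."""
    for name, pattern in rules.items():
        if not name.endswith("_PAT"):
            continue  # defaults, overrides and state rules are not parsing rules (assumed naming)
        match = re.match(pattern, event, re.IGNORECASE)  # case-insensitive matching is an assumption
        if not match:
            continue
        if "_ACL_" in name:
            entity, target_prop = "ACL", "GUI_ID"
        elif "_OBJECT_" in name:
            entity, target_prop = "OBJECT", "NAME"
        else:
            raise ValueError(f"pattern name must contain _ACL_ or _OBJECT_: {name}")
        state = rules.get(f"{name}_STATE")
        if state not in STATES:
            raise ValueError(f"missing or invalid state rule for {name}: {state}")
        return ChangeRecord(
            device_type=name.split("_", 1)[0],
            entity=entity,
            device_id=match.group(group_for(rules, name, "DEVICE_ID")),
            target=match.group(group_for(rules, name, target_prop)),
            changed_by=match.group(group_for(rules, name, "CHANGED_BY")),
            change_time=match.group(group_for(rules, name, "CHANGE_TIME")),
            state=state,
        )
    return None  # not a change event: the task goes on to the next syslog line


# Constructed events. The NetScreen line follows the shape quoted in the guide with
# documentation-range addresses; the EXAMPLEFW line is a made-up device whose timestamp
# precedes the change initiator, so its rules carry group overrides.
NETSCREEN_EVENT = ("Feb 7 12:06:07 lab-ns lab-ns: NetScreen device_id=lab-ns [Root]system-notification-00018: "
                   "Policy (300, Untrust->Trust, Any->my,DHCP-Relay, Deny) was deleted by admin_300 via web "
                   "from host 192.0.2.5 to 192.0.2.1:80. (2012-02-07 12:24:37)")
EXAMPLEFW_EVENT = ('Mar 3 09:00:12 fw-02 examplefw: devid=fw-02 object "web_servers" added at '
                   "(2013-03-03 09:00:12) by admin_7 via cli")
NOISE_EVENT = ("Feb 7 12:07:00 lab-ns lab-ns: NetScreen device_id=lab-ns system-notification-NNNNN: "
               "constructed non-change message, admin_300 logged in via web")

if __name__ == "__main__":
    loaded = load_rules(RULES_TEXT)
    for line in (NETSCREEN_EVENT, EXAMPLEFW_EVENT, NOISE_EVENT):
        print(parse_event(loaded, line))
```

Running the file prints a DELETED ACL record for rule 300 by admin_300, a NEW OBJECT record for web_servers with the time and initiator taken from groups 3 and 4 as the override rules direct, and None for the non-change line.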

1 Before running a Traffic Events Syslog Import task for the first time, add the configuration data of the firewall to the current model by running a task of the relevant type, such as the following:
  - Firewalls Cisco PIX/ASA/FWSM Collection (see page 59)
  - Firewalls Junos Collection (see page 68)
  - Firewalls NetScreen Collection (see page 70)
  - Firewalls FortiGate Collection (see page 65)
  - Firewalls Check Point FireWall-1 CPMI Collection (FireWall-1) (see page 50) or Firewalls Check Point FireWall-1 CPMI Collection (Provider-1) (see page 56)
  - Firewalls Palo Alto Networks Collection (see page 75)
  - For StoneGate firewalls, use the following:
    - Collector script, located at <Skybox_View_Home>\intermediate\bin\collectors\firewalls\stonegate\stonegatecollection.pl
    - Parser, located at <Skybox_View_Home>\intermediate\bin\parsers\firewalls\stonegate\stonegateparser.pl
2 Configure the logged firewalls to allow access from a Skybox View Collector. Configuring firewalls is described in the following sections:
  - Configuring Cisco PIX/ASA/FWSM firewalls for data collection (see page 58)
  - Configuring Junos firewalls for data collection (see page 68)
  - Configuring NetScreen firewalls for data collection (see page 70)
  - Configuring FortiGate firewalls for data collection (see page 65)
  - For Check Point firewalls, you must configure the firewall to forward activity data to a syslog server (the task then collects the logs from the syslog server): Configuring Check Point firewalls to send activity logs to a syslog server (see page 96)
  - Configuring Palo Alto Networks firewalls for data collection (see page 75). For Palo Alto Networks firewalls, standard syslog record format and CEF syslog format (on page 97) are supported.
    Note: For Palo Alto Networks firewalls using versions lower than 5.0.7, additional setup (on page 98) is required before running the task.
3 Create a syslog traffic events collection task (see page 98) to collect the logs and add their data to the model.

Firewall activity log data is used for rule usage analysis, described in the Skybox Firewall Assurance User's Guide.

Note: Alternatively, log data from Check Point firewalls for rule usage analysis can be collected and added using Check Point FireWall-1 LEA collection tasks (see page 87).

Configuring Check Point firewalls to send activity logs to a syslog server

You can add or update firewall activity log data from Check Point FireWall-1 NG and NGX firewalls to the current model using a Firewalls Check Point FireWall-1 LEA Collection task (see Check Point FireWall-1 activity log data (on page 83)); this requires allowing access from a Skybox View Collector to the Check Point device holding the firewall activity logs. If you do not want to allow access to the Check Point device (for R75 or higher), you can collect and add log data for rule usage analysis using a Traffic Events Syslog Import task. In this case, you must configure the Check Point device to forward the activity data to a syslog server.

How to forward activity logs to a syslog server

1 On the Check Point management system or MDS, add the following line to /etc/syslog.conf:
    local4.info[tab character]@<ip address of the syslog server>
2 Modify /etc/rc.local:
  - (Management system architecture) On the log server, add the following line:
        fw log -ftnlp 2> /dev/null | awk 'NF' | logger -p local4.info -t Firewall &
  - (Provider-1 architecture) For each CMA in the MDS, add the following two lines (one for fw.adtlog and one for fw.log):
        mdsenv cmaname ; $FWDIR/bin/fw log -ftnlp fw.adtlog | logger -t "cma name" -p local4.info &
        mdsenv cmaname ; $FWDIR/bin/fw log -ftnlp fw.log | logger -t "Provider cmaname" -p local4.info &
  For additional information about the fw log command, refer to the R75 Command Line Interface Reference Guide.
3 Reboot the device running the Check Point log server.
  Note: You must reboot the device; it is not sufficient to use the cpstop and cpstart commands.
4 Enable communication from the Check Point log server to the syslog server on port UDP 514.

Examples of required format of Check Point syslog records

The following are examples of the required format of syslog records (for example, the required date format).

Check Point management system architecture:
    :17:06 Local4.Info Firewall: 2Nov2012 8:08:44 accept >eth1 rule: 1; rule_uid: {5AB2ED5F-16FF-4F66-8BAF-736BF620EC81}; service_id: TCP-7800; src: ; dst: ; proto: tcp; product: VPN-1 & FireWall-1; service: 7800; s_port: 56266; product_family: Network;

Check Point Provider-1 architecture:
    :05:09 Local4.Info cma1: 16Sep :51:08 accept >eth0 rule: 1; rule_uid: {42B0B1D4-73B6-4FEC-97D0-9BBE0AF18742}; service_id: telnet; src: ; dst: ; proto: tcp; product: VPN-1 & FireWall-1; service: 23; s_port: 54143; product_family: Network;

Using CEF syslog with Palo Alto Networks firewalls

When using CEF syslog format with Palo Alto Networks firewalls, you might need to make changes to the following file on the Collector machine before running the Traffic Events Syslog Import task: <Skybox_View_Home>\collector\conf\collector_commands\pa_log_rules.txt

The following is the default version of this file:

    POLICY_ID_PAT - cs1=
    SERVICE_PAT - service=
    ICMP_TYPE_PAT - icmp type=
    PROTOCOL_PAT - proto=
    SOURCE_PAT - src= srcip=
    DESTINATION_PAT - dst= dstip=
    SOURCE_PORT_PAT - spt=
    DESTINATION_PORT_PAT - dpt=
    LOG_ID_PAT - log_id= logid=
    VD_PAT - vd=
    APPLICATION - app=
    VSYS - cs3=
    USER - suser=
    FULL_DATE - start=
    SERIAL_ID_PAT - deviceexternalid=

If you made any changes to names of parameters on the device, you must change the names in this file to match the names on the device.

Additional setup to work with older versions of Palo Alto Networks firewalls

When using Palo Alto Networks firewalls whose version is lower than 5.0.7, you must customize the following file on the Collector machine before running the Traffic Events Syslog Import task: <Skybox_View_Home>\collector\conf\collector_commands\pan_rules.txt

Change the file to the following:

    DEVICE_ID = 0
    DEVICE_ID_PATTERN = ^[ ]*[^ ]+[ ]+[^ ]+[ ]+[^ ]+[ ]+([^ ]+)
    TIME = 6
    PROTOCOL = 29
    RULE_ID = 11
    SOURCE = 7
    SOURCE_PORT = 24
    DESTINATION = 8
    DESTINATION_PORT = 25
    APPLICATION = 14
    USER = 12
    VSYS = 15
    TYPE = 3

Syslog traffic events collection tasks

Traffic Events Syslog Import tasks retrieve firewall activity logs from the following firewall types and add the relevant data from the logs to the current model:

- Check Point Firewall-1 (R75 or higher)
- Cisco PIX/ASA/FWSM
- Juniper Networks Junos
- Juniper Networks NetScreen
- Fortinet FortiGate
- Palo Alto Networks

- StoneGate

Note: Log data can be added to the model only for firewalls that exist in the model and have the same rules and objects as those used in the log; if the policy has changed, update the firewall in the model before invoking the Traffic Events Syslog Import task.

Note: For logs with a great deal of information, a Traffic Events Syslog Import task can take some time.

Parsing data from the logs

The task checks each log record for one of the following strings to decide whether to parse the record and add its data to the model:

- PIX/ASA/FWSM:
- Junos: RT_FLOW_SESSION_CLOSE
  Note: The log must be in structured-data format (see Configuring Junos firewalls for data collection (on page 68)).
- NetScreen:
- FortiGate: TRAFFIC
- Palo Alto Networks: TRAFFIC
- Check Point: Firewall or cma

Task parameters

The parameters that control Traffic Events Syslog Import tasks are described in the following table.

Basic tab

File Directory Path
    The path to the directory containing the syslog files to collect.

Modules
    A list of the modules (firewalls) for which to collect logs.
    Note: All modules must be of the same type (PIX/ASA/FWSM, Junos, NetScreen, FortiGate, Palo Alto Networks, or Firewall-1).

Collection Period
    The period for which to collect activity logs.
    Custom: Select Specific or Relative start and end times.

Actual Rule Usage tab

Trace Scope
    A list of firewalls for which to collect actual usage (trace) information.

Source range
    Equals Any
    Equals or includes Class B (2^16 addresses)
    Equals or includes the following amount of addresses
    Note: Actual usage information is collected when one or more of the criteria (that is, Source range, Destination range, or Service range) are met.

Destination range
    Equals Any
    Equals or includes Class B (2^16 addresses)
    Equals or includes the following amount of addresses
    Note: Actual usage information is collected when one or more of the criteria (that is, Source range, Destination range, or Service range) are met.

Service range
    Equals Any
    Equals or includes the following amount of ports
    Note: Actual usage information is collected when one or more of the criteria (that is, Source range, Destination range, or Service range) are met.

Advanced tab

Re-collect Time Frames Already in Database
    Force (re)collection of log data that is already in the database.
    Note: This option is useful if there are gaps in collected data. The database holds the date of the most recently collected log and the task regards anything earlier as already collected.

Date Format
    The format of the message date as it appears in the start_time field of the syslog message. If the required format does not appear in the drop-down list, add a row with the format to the file <Skybox_View_Home>\server\conf\collector_commands\date_patterns.txt.

Date Position in Log Record (Cisco/Junos)
    (Cisco and Junos firewalls only) The position of the message date in the syslog message header. (Position is defined as the nth word from the beginning of the line, where the first word is 1 (not 0) and words are separated by any whitespace.)

Device ID Position in Log Record (Cisco/Junos)
    (Cisco and Junos firewalls only) The position of the device ID in the syslog message header. (Position is defined as the nth word from the beginning of the line, where the first word is 1 (not 0) and words are separated by any whitespace.)

Limit Log lines
    The number of lines to parse in each log file.
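The Actual Rule Usage criteria that appear in both the Check Point FireWall-1 LEA task and the Traffic Events Syslog Import task above, carried through as an added example (illustration code, not the guide's or Skybox View's own logic). Each range is checked against one criterion, either "equals Any" or "equals or includes at least N addresses/ports" (Class B being N = 2^16), and trace information is collected when one or more of the three criteria are met. The rule field syntax (Any, CIDR, single address, first-last range, comma-separated ports), the sample rules, and the documentation-range addresses are assumptions made for this example.

```python
import ipaddress

CLASS_B_ADDRESSES = 2 ** 16  # the "Equals or includes Class B (2^16 addresses)" option


def address_count(field):
    """Addresses covered by a rule field written as 'Any', a CIDR block, a single address
    or a 'first-last' range (assumed input forms); None stands for Any."""
    field = field.strip()
    if field.lower() == "any":
        return None
    if "-" in field:
        first, last = (ipaddress.ip_address(p.strip()) for p in field.split("-", 1))
        return int(last) - int(first) + 1
    return ipaddress.ip_network(field, strict=False).num_addresses


def port_count(field):
    """Ports covered by a service field such as 'Any', '80', '80,443' or '1-1024' (assumed forms)."""
    field = field.strip()
    if field.lower() == "any":
        return None
    total = 0
    for part in field.split(","):
        low, _, high = part.strip().partition("-")
        total += int(high or low) - int(low) + 1
    return total


def criterion_met(count, criterion):
    """criterion is 'any' (the field must equal Any) or an integer (the field must equal Any
    or include at least that many addresses or ports)."""
    if criterion == "any":
        return count is None
    return count is None or count >= criterion


def collect_trace(rule, source="any", destination=CLASS_B_ADDRESSES, service="any"):
    """True when one or more of the three criteria are met, as the guide's note states."""
    return (criterion_met(address_count(rule["source"]), source)
            or criterion_met(address_count(rule["destination"]), destination)
            or criterion_met(port_count(rule["service"]), service))


def trace_candidates(rules, **criteria):
    """Names of the rules for which actual usage would be collected under the given criteria."""
    return [r["name"] for r in rules if collect_trace(r, **criteria)]


# Constructed access rules using documentation-range addresses.
SAMPLE_RULES = [
    {"name": "allow-dns-out", "source": "10.0.0.0/8", "destination": "198.51.100.53", "service": "53"},
    {"name": "web-to-dmz", "source": "Any", "destination": "198.51.100.0/24", "service": "80,443"},
    {"name": "branch-to-hq", "source": "10.20.0.0/16", "destination": "10.1.0.0/24", "service": "1-1024"},
    {"name": "jump-host", "source": "10.1.2.3", "destination": "10.1.2.0-10.1.2.15", "service": "22"},
]

if __name__ == "__main__":
    print(trace_candidates(SAMPLE_RULES))
    print(trace_candidates(SAMPLE_RULES, source=CLASS_B_ADDRESSES, destination="any", service=1024))
```

With the defaults (source must equal Any, destination must cover a Class B) only web-to-dmz qualifies; relaxing the source criterion to "includes 2^16 addresses" also brings in allow-dns-out and branch-to-hq, while the narrow jump-host rule never qualifies.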
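The record selection and Check Point record handling described in this chapter, as an added example (illustration code, not the guide's or Skybox View's own parser). It keeps only lines carrying the marker string the guide lists for the configured firewall type, splits a Check Point record of the shape shown under Examples of required format into its header (tag, date, time, action, direction and interface) and its key: value; fields, exposes the "nth word from the beginning, first word is 1" position lookup used by the Date Position and Device ID Position parameters, and tallies hits per rule the way rule usage analysis consumes them. The sample records are constructed with documentation-range addresses and made-up rule UIDs; the field names follow the page's examples.

```python
import re
from collections import Counter
from datetime import datetime

# Strings the guide lists for deciding whether a record is parsed, per firewall type.
RECORD_MARKERS = {
    "Check Point": ("Firewall", "cma"),
    "Junos": ("RT_FLOW_SESSION_CLOSE",),
    "FortiGate": ("TRAFFIC",),
    "Palo Alto Networks": ("TRAFFIC",),
}

# Check Point record: "<tag>: <date> <time> <action> <direction><interface> key: value; key: value; ..."
CHECKPOINT_RE = re.compile(
    r"^(?P<header>.*?)(?P<tag>\S+):\s+(?P<date>\d{1,2}[A-Za-z]{3}\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})"
    r"\s+(?P<action>\S+)\s+(?P<direction>[<>]\S+)\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+):\s*([^;]*);")


def is_traffic_record(line, firewall_type):
    """Would the import task parse this line for the given (single) module type?"""
    return any(marker in line for marker in RECORD_MARKERS[firewall_type])


def word_at(line, position):
    """nth whitespace-separated word, counted from 1 as in the Date/Device ID Position parameters."""
    words = line.split()
    if position < 1 or position > len(words):
        return None
    return words[position - 1]


def parse_checkpoint_record(line):
    """Split a Check Point syslog record into header values and a dict of its key: value; fields."""
    m = CHECKPOINT_RE.match(line)
    if not m:
        return None
    fields = {key: value.strip() for key, value in FIELD_RE.findall(m.group("fields"))}
    when = datetime.strptime(f"{m.group('date')} {m.group('time')}", "%d%b%Y %H:%M:%S")
    return {
        "device": m.group("tag"),             # the logger -t tag: Firewall or the CMA name
        "time": when,
        "action": m.group("action"),
        "direction": m.group("direction")[0],
        "interface": m.group("direction")[1:],
        "fields": fields,
    }


def rule_usage(lines, firewall_type="Check Point"):
    """Count hits per (rule number, rule_uid) over the records the task would parse."""
    usage = Counter()
    for line in lines:
        if not is_traffic_record(line, firewall_type):
            continue  # unrelated syslog line, skipped like the task does
        record = parse_checkpoint_record(line)
        if record is None or "rule" not in record["fields"]:
            continue  # control records carry no rule reference
        usage[(record["fields"]["rule"], record["fields"].get("rule_uid", ""))] += 1
    return usage


# Constructed log lines in the shape of the guide's examples (documentation-range addresses,
# made-up rule UIDs); the last two lines show a control record and an unrelated syslog message.
SAMPLE_LOG = """\
2012-11-02 08:17:06 Local4.Info Firewall: 2Nov2012 8:08:44 accept >eth1 rule: 1; rule_uid: {00000000-0000-4000-8000-000000000001}; service_id: TCP-7800; src: 192.0.2.10; dst: 198.51.100.20; proto: tcp; product: VPN-1 & FireWall-1; service: 7800; s_port: 56266; product_family: Network;
2012-11-02 08:17:07 Local4.Info Firewall: 2Nov2012 8:08:45 accept >eth1 rule: 1; rule_uid: {00000000-0000-4000-8000-000000000001}; service_id: TCP-7800; src: 192.0.2.11; dst: 198.51.100.20; proto: tcp; product: VPN-1 & FireWall-1; service: 7800; s_port: 40112; product_family: Network;
2012-11-02 08:17:09 Local4.Info cma1: 2Nov2012 8:08:47 drop <eth0 rule: 5; rule_uid: {00000000-0000-4000-8000-000000000005}; service_id: telnet; src: 203.0.113.7; dst: 198.51.100.20; proto: tcp; product: VPN-1 & FireWall-1; service: 23; s_port: 54143; product_family: Network;
2012-11-02 08:17:10 Local4.Info Firewall: 2Nov2012 8:08:48 ctl >eth1 product: VPN-1 & FireWall-1; product_family: Network;
2012-11-02 08:17:11 Local4.Info sshd[2231]: Accepted publickey for admin from 192.0.2.99 port 51022
"""

if __name__ == "__main__":
    for (rule, uid), hits in sorted(rule_usage(SAMPLE_LOG.splitlines()).items()):
        print(f"rule {rule} {uid}: {hits} hit(s)")
```

Run as a script it reports two hits for rule 1 and one for rule 5; the control record and the sshd line contribute nothing. Because the marker test is a plain substring check, the guide's requirement that all modules of one task are of the same type matters: FortiGate and Palo Alto Networks share the TRAFFIC marker, so the module type, not the marker, is what tells their records apart.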

101 Chapter 6 IPS tasks This chapter describes how to add IPS device configuration data to the current model. In this chapter HP TippingPoint IPS devices IBM Proventia G appliances HP TippingPoint IPS devices You can add or update configuration data from HP TippingPoint IPS devices to the current model using an online collection task: Configure the IPS devices (see page 101) to allow access from a Skybox View Collector and create a collection task (see page 101) to collect the HP TippingPoint device configuration and add the data to the model. After the data is collected, there are several additional steps that must be taken. For information about configuring Skybox View to work with IPS devices, see the IPS support in Skybox View section in the Skybox Vulnerability Control User s Guide. Configuring HP TippingPoint IPS devices for data collection To configure an HP TippingPoint IPS device so that Skybox View can obtain its configuration information, you must create a super user in the SMS appliance. HP TippingPoint collection tasks IPS HP TippingPoint Collection tasks retrieve TippingPoint IPS configuration data from Security Management System (SMS) appliances and add the data to the current model. Task parameters The parameters that control IPS HP TippingPoint Collection tasks are described in the following table. Basic tab SMS Authentication Server Name or IP User Name Password Collection Device Names The name or IP address of the SMS appliance. The super user name for logging in to the SMS appliance. The password for logging in to the SMS appliance as the super user. A list of the devices whose data is collected by this task, separated by commas. Wildcards are allowed. Skybox View version

  Device Authentication for Profile Retrieval
    Note: Some information cannot be collected from the SMS appliance (even though it is the same for all the devices). If device credentials are specified, this information is collected from the specified device. Otherwise, it is collected from any device.
    Device: The IP address of the TippingPoint device.
    User Name: The user name of a user of the TippingPoint device.
    Password: The user's password.

Advanced tab
  Location Hint: The location of the devices to be collected. Note: Use this parameter when different locations use the same set of IP addresses, so that two devices at different locations can have the same IP address.

IBM Proventia G appliances

You can add or update configuration data from IBM Proventia G appliances to the current model using an online collection task: Create a collection task (see page 102) to collect the Proventia G appliance configuration and add the data to the model.

After the data is collected, there are several additional steps that must be taken. For information about configuring Skybox View to work with IPS devices, see the IPS support in Skybox View section in the Skybox Vulnerability Control User's Guide.

IBM SiteProtector IPS collection tasks

IPS ISS SiteProtector IPS Collection tasks retrieve configuration data from IBM Proventia G appliances (the data is in IBM SiteProtector databases) and add the data to the current model.

Task parameters

The parameters that control IPS ISS SiteProtector IPS Collection tasks are described in the following table.

Basic tab
  Sensor IP Address: The IP address of the Proventia G appliance.
  Database connection
    Connection Method: The method to use to connect to the SiteProtector database. DSN is retained for backward compatibility only. Do not select it when creating new tasks.
    Address/Name: This field is enabled only if Connection Method = Direct. The name or IP address of the database server that hosts the SiteProtector database.
  User Authentication
    Database Username: The user name to access the SiteProtector sensor.
    Database Password: The user's password.

Advanced tab
  Location Hint: The location of the device. Note: Use this parameter when different locations use the same set of IP addresses, so that two devices at different locations can have the same IP address.

Chapter 7 Load balancer tasks

Load balancing devices distribute traffic between servers. Typically, clients connect to the virtual server presented by the load balancer and are redirected to the real servers behind the load balancing device. Load balancers are modeled in Skybox View using access and address translation rules.

This chapter describes how to add supported load balancer configuration data to the current model. The configuration of other load balancers can be:
  Imported using Skybox View's Integration XML (ixml). For information about ixml, see the Integration part of the Skybox View Developer's Toolkit.
  Created manually

In this chapter
  A10 Networks load balancer
  Cisco CSS load balancer
  Citrix NetScaler load balancer
  F5 BIG-IP load balancer
  Radware AppDirector load balancer
  Radware WSD load balancer

A10 Networks load balancer

You can add or update configuration data from A10 Networks load balancers to the current model using an online collection task: Configure the load balancers (see page 104) to allow access from a Skybox View Collector and create a load balancer collection task (see page 105) to collect the load balancer configurations and add the data to the model. The collection task can collect data from multiple load balancers.

You can also add or update configuration data from A10 Networks load balancers to the current model using an offline file import task: Create and retrieve load balancer configuration files and import their data (see page 105) into the model. The file import task can import the data of multiple load balancers.

Configuring A10 Networks load balancers for data collection

Note: To run this collection task, the Skybox View Collector specified for the task must reside on a Linux platform.

To configure an A10 Networks load balancer for data collection:
  (Recommended) Create a separate read-only user on the device for Skybox View data collection.

A10 Networks collection tasks

Load Balancer A10 Collection tasks retrieve configuration data from A10 Networks load balancers and add the data to the current model.

Task parameters

The parameters that control Load Balancer A10 Collection tasks are described in the following table.

Basic tab
  Run in: Where to run the data collection.
  Addresses: A comma-separated list of the IP addresses of the A10 Networks load balancers. Note: Skybox View can collect the configurations of multiple load balancers only if the same authentication is used for all the load balancers.
  Method:
    Device: Use the authentication credentials provided here.
    Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)
  Username: This field is displayed only if Mode = Device. The user name to access the load balancer.
  Password: This field is displayed only if Mode = Device. The user's password.
  Safe: This field is displayed only if Mode = Cyber-Ark. The name of the Cyber-Ark safe that contains the user authentication credential object.
  Object: This field is displayed only if Mode = Cyber-Ark. The name of the Cyber-Ark object that contains the user name and password.

Advanced tab
  Merge assets by Wins name: Specifies whether to merge assets from the same network by name and not by IP address. Select this option when assets do not have fixed IP addresses.
  Location Hint: The location of the load balancer. Note: Use this parameter when different locations use the same set of IP addresses, so that two load balancers at different locations can have the same IP address.

Importing A10 Networks configuration data

Note: It is recommended that you use an Import Directory task to import the configuration data.

The following files are used to import an A10 Networks load balancer configuration:
  *.txt or *.log: The A10 configuration file. This file is the output of the A10 show run all-partitions command.
  (Optional) route.txt: Dump of the A10 routing table. This file is the output of the A10 show ip route all command.

If the A10 Networks load balancer has multiple administrative domains (partitions), run the command once per administrative domain and concatenate the output into a single file.

You can import the configuration of more than one load balancer; put each set of configuration files in a separate folder.

Note: To run an Import Collector task or an Import Collector Advanced task, the Skybox View Collector specified for the task must reside on a Linux platform.

Cisco CSS load balancer

You can add or update configuration data from Cisco CSS load balancers to the current model using an offline file import task: Create, retrieve, and parse load balancer configuration files, and import their data (see page 106) into the model. The file import task can import the data of multiple load balancers.

Importing Cisco CSS configuration data

Note: It is recommended that you use an Import Directory task to import the parsed configuration data.

To import Cisco CSS load balancer configurations
  1 Retrieve the Cisco CSS configuration file.
  2 Parse the configuration file using the Skybox View Cisco CSS parser (see Parsing Cisco CSS load balancer configuration files (on page 106)).
  3 In the Skybox View Operational Console, create a task and set Task Type to Import Directory (see Import directory tasks (on page 29)).
  4 In the Directory field, specify the location of the ixml file created in step 2.
    Note: You can import the configuration of more than one load balancer; give a different name to each file created by the parser.
  5 Launch the task.

Parsing Cisco CSS load balancer configuration files

Skybox View includes a parser that creates an ixml file from a Cisco CSS load balancer configuration file. This ixml file can then be imported into Skybox View.

Note: This parser does not support the Cisco CSM-S that is installed with the Catalyst.

The Skybox View Cisco CSS parser supports the following CSS features:
  Routing
  ACLs (including NAT) and Access Groups (NQL)

The Skybox View parser fully supports Cisco CSS load balancer versions 7.1 to 7.5. Not all configurations of earlier versions (4.1 and higher) have been tested.

The Skybox View Cisco CSS parser is located in the <Skybox_View_Home>\intermediate\bin\parsers\loadBalancers\css folder.

Usage
  CssParser.pl -h <host_name> -i <css_config_input_file> -o <output_xml_file>

The Skybox View Cisco CSS parser arguments are described in the following table.

  Argument  Value
  -h        Host name of the Cisco CSS load balancer
  -i        Cisco CSS configuration file
  -o        File name to store parsing results

Citrix NetScaler load balancer

You can add or update configuration data from Citrix NetScaler load balancers to the current model using an online collection task: Configure the load balancers (see page 107) to allow access from a Skybox View Collector and create a load balancer collection task (see page 107) to collect the load balancer configurations and add the data to the model. The collection task can collect data from multiple load balancers.

Configuring NetScaler load balancers for data collection

Note: To run this collection task, the Skybox View Collector specified for the task must reside on a Linux platform.

To configure a NetScaler load balancer for data collection:
  (Recommended) Create a separate read-only user on the device for Skybox View data collection.

Citrix NetScaler collection tasks

Load Balancer NetScaler Collection tasks retrieve configuration data from NetScaler load balancers and add the data to the current model.

Task parameters

The parameters that control Load Balancer NetScaler Collection tasks are described in the following table.

Basic tab
  Run in: Where to run the data collection.
  Addresses: A comma-separated list of the IP addresses of the NetScaler load balancers. Note: Skybox View can collect the configurations of multiple load balancers only if the same authentication is used for all the load balancers.
  Method:
    Device: Use the authentication credentials provided here.
    Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)
  Username: This field is displayed only if Mode = Device. The user name to access the load balancer.
  Password: This field is displayed only if Mode = Device. The user's password.
  Safe: This field is displayed only if Mode = Cyber-Ark. The name of the Cyber-Ark safe that contains the user authentication credential object.

  Object: This field is displayed only if Mode = Cyber-Ark. The name of the Cyber-Ark object that contains the user name and password.

Advanced tab
  Override device prompt
  Override password prompt
  Merge assets by Wins name: Specifies whether to merge assets from the same network by name and not by IP address. Select this option when assets do not have fixed IP addresses.
  Location Hint: The location of the load balancer. Note: Use this parameter when different locations use the same set of IP addresses, so that two load balancers at different locations can have the same IP address.

F5 BIG-IP load balancer

You can add or update configuration data from F5 BIG-IP load balancers to the current model using an online collection task: Configure the load balancers (see page 108) to allow access from a Skybox View Collector and create a load balancer collection task (see page 108) to collect the load balancer configurations and add the data to the model. The collection task can collect data from multiple load balancers.

You can also add or update configuration data from F5 BIG-IP load balancers to the current model using an offline file import task: Create and retrieve load balancer configuration files and import their data (see page 109) into the model. The file import task can import the data of multiple load balancers.

Configuring BIG-IP load balancers for data collection

Note: To run this collection task, the Skybox View Collector specified for the task must reside on a Linux platform.

To configure a BIG-IP load balancer for data collection:
  (Recommended) Create a separate read-only user on the device for Skybox View data collection.

F5 BIG-IP collection tasks

Load Balancer BIG-IP Collection tasks retrieve configuration data from BIG-IP load balancers and add the data to the current model.

Task parameters

The parameters that control Load Balancer BIG-IP Collection tasks are described in the following table.

Basic tab
  Run in: Where to run the data collection.
  Addresses: A comma-separated list of the IP addresses of the BIG-IP load balancers. Note: Skybox View can collect the configurations of multiple load balancers only if the same authentication is used for all the load balancers.
  Version: The BIG-IP device version.
  Method:
    Device: Use the authentication credentials provided here.
    Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)
  Username: This field is displayed only if Mode = Device. The user name to access the load balancer.
  Password: This field is displayed only if Mode = Device. The user's password.
  Safe: This field is displayed only if Mode = Cyber-Ark. The name of the Cyber-Ark safe that contains the user authentication credential object.
  Object: This field is displayed only if Mode = Cyber-Ark. The name of the Cyber-Ark object that contains the user name and password.

Advanced tab
  Collect AFM firewall: Specifies whether to collect BIG-IP Advanced Firewall Management (AFM) configuration data.
  Merge assets by Wins name: Specifies whether to merge assets from the same network by name and not by IP address. Select this option when assets do not have fixed IP addresses.
  Location Hint: The location of the load balancer. Note: Use this parameter when different locations use the same set of IP addresses, so that two load balancers at different locations can have the same IP address.

Importing F5 BIG-IP configuration data

Note: It is recommended that you use an Import Directory task to import the configuration data.

You can import the configuration of more than one load balancer; put each set of configuration files in a separate folder.

Note: To run an Import Collector task or an Import Collector Advanced task, the Skybox View Collector specified for the task must reside on a Linux platform.

Radware AppDirector load balancer

You can add or update configuration data from Radware AppDirector load balancers to the current model using an online collection task: Configure the load balancers (see page 110) to allow access from a Skybox View Collector and create a load balancer collection task (see page 110) to collect the load balancer configurations and add the data to the model. The collection task can collect data from multiple load balancers.

You can also add or update configuration data from Radware AppDirector load balancers to the current model using an offline file import task: Create and retrieve load balancer configuration files and import their data (see page 111) into the model. The file import task can import the data of multiple load balancers.

Configuring AppDirector load balancers for data collection

Note: To run this collection task, the Skybox View Collector specified for the task must reside on a Linux platform.

To configure an AppDirector load balancer for data collection:
  (Recommended) Create a separate read-only user on the device for Skybox View data collection.

Radware AppDirector collection tasks

Load Balancer AppDirector Collection tasks retrieve configuration data from AppDirector load balancers and add the data to the current model.

Task parameters

The parameters that control Load Balancer AppDirector Collection tasks are described in the following table.

Basic tab
  Run in: Where to run the program.
  Addresses: A comma-separated list of the IP addresses of the AppDirector load balancers. Note: Skybox View can collect the configurations of multiple load balancers only if the same authentication is used for all the load balancers.
  Method:
    Device: Use the authentication credentials provided here.
    Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)
  Username: This field is displayed only if Mode = Device. The user name to access the load balancer.
  Password: This field is displayed only if Mode = Device. The user's password.
  Safe: This field is displayed only if Mode = Cyber-Ark. The name of the Cyber-Ark safe that contains the user authentication credential object.
  Object: This field is displayed only if Mode = Cyber-Ark. The name of the Cyber-Ark object that contains the user name and password.

Advanced tab
  Merge assets by Wins name: Specifies whether to merge assets from the same network by name and not by IP address. Select this option when assets do not have fixed IP addresses.
  Location Hint: The location of the load balancer. Note: Use this parameter when different locations use the same set of IP addresses, so that two load balancers at different locations can have the same IP address.

Importing Radware AppDirector configuration data

Note: It is recommended that you use an Import Directory task to import the configuration data.

The following files are used to import a Radware AppDirector load balancer configuration:
  *.*: The AppDirector configuration file. This file is the output of the AppDirector system config immediate command.
  (Optional) route.txt: Dump of the AppDirector routing table. This file is the output of the AppDirector show ip route command.

You can import the configuration of more than one load balancer; put each set of configuration files in a separate folder.

Note: To run an Import Collector task or an Import Collector Advanced task, the Skybox View Collector specified for the task must reside on a Linux platform.

Radware WSD load balancer

You can add or update configuration data from Radware WSD load balancers to the current model using an online collection task: Configure the load balancers (see page 111) to allow access from a Skybox View Collector and create a load balancer collection task (see page 111) to collect the load balancer configurations and add the data to the model. The collection task can collect data from multiple load balancers.

You can also add or update configuration data from Radware WSD load balancers to the current model using an offline file import task: Create and retrieve load balancer configuration files and import their data (see page 112) into the model. The file import task can import the data of multiple load balancers.

Configuring Radware WSD load balancers for data collection

To configure a Radware WSD load balancer so that Skybox View can obtain its configuration information, you must:
  Configure the load balancer to permit SNMP access from a Skybox View Collector.

Radware WSD collection tasks

Load Balancers Radware WSD Collection tasks retrieve configuration data from Radware WSD load balancers and add the data to the current model.

Task parameters

The parameters that control Load Balancers Radware WSD Collection tasks are described in the following table.

Basic tab
  WSD Addresses: A comma-separated list of the IP addresses of the Radware WSD load balancers. Note: The task can collect the configurations of multiple load balancers only if the same authentication is used for all the load balancers.
  SNMP Community string: The SNMP Community string to access the Radware WSD load balancers.

Advanced tab
  Location Hint: The location of the load balancer. Note: Use this parameter when different locations use the same set of IP addresses, so that two load balancers at different locations can have the same IP address.

Importing Radware WSD configuration data

To import a Radware WSD load balancer configuration, create a WSD SNMP dump file.

To create a WSD SNMP dump file
  Create a WSD SNMP dump file by using the following commands:
    ## snmpwalk.exe -c public -t 3 -v1 -On <IP_address> > <output_name>.txt
    ## snmpwalk.exe -c public -t 3 -v1 -On <IP_address> >> <output_name>.txt
    ## snmpwalk.exe -c public -t 3 -v1 -On <IP_address> >> <output_name>.txt
    ## snmpwalk.exe -c public -t 3 -v1 -On <IP_address> >> <output_name>.txt
    ## snmpwalk.exe -c public -t 3 -v1 -On <IP_address> >> <output_name>.txt
    ## snmpwalk.exe -c public -t 3 -v1 -On <IP_address> >> <output_name>.txt
    ## snmpwalk.exe -c public -t 3 -v1 -On <IP_address> >> <output_name>.txt
    ## snmpwalk.exe -c public -t 3 -v1 -On <IP_address> >> <output_name>.txt
    ## snmpwalk.exe -c public -t 3 -v1 -On <IP_address> >> <output_name>.txt
    ## snmpwalk.exe -c public -t 3 -v1 -On <IP_address> >> <output_name>.txt
    ## snmpwalk.exe -c public -t 3 -v1 -On <IP_address> >> <output_name>.txt
    ## snmpwalk.exe -c public -t 3 -v1 -On <IP_address> >> <output_name>.txt
    ## snmpwalk.exe -c public -t 3 -v1 -On <IP_address> >> <output_name>.txt
    ## snmpwalk.exe -c public -t 3 -v1 -On <IP_address> >> <output_name>.txt

The output file can have any name, but must have the extension txt.

You can import the configuration of more than one load balancer; give each WSD SNMP dump file a different name.

Chapter 8 Router tasks

This chapter describes how to add the output of supported routers to the current model.

In this chapter
  Cisco IOS router
  Cisco Nexus router
  HP ProCurve router
  Nortel Passport 8600 router

Cisco IOS router

You can add or update configuration data from Cisco IOS routers to the current model using an online collection task: Configure the routers (see page 115) to allow access from a Skybox View Collector and create a router collection task (see page 116) to collect the router configurations and add the data to the model. The collection task can collect data from multiple routers.

You can also add or update configuration data from Cisco IOS routers to the current model using an offline file import task: Create and retrieve router configuration files and import their data (see page 118) into the model. The file import task can import the data of multiple routers.

You can specify Cisco IOS commands that Skybox View ignores when collecting or importing the Cisco IOS configuration data (see Ignore List file (on page 114)).

Ignore List file

You can configure a list of Cisco IOS commands for Skybox View to ignore during offline file import or online collection of Cisco IOS configuration files.

To configure Skybox View to use the Ignore List file
  Add the following line to <Skybox_View_Home>\collector\conf\sb_common.properties on the Collector machine and <Skybox_View_Home>\server\conf\sb_common.properties on the Server machine:
    com.skybox.view.agent.collector.router.ios.configurationloader.ignorelistfile=<full_path_to_ignore_list_file>/<ignore_list_file_name>

Format of the Ignore List file

Each command or group of commands to be ignored must appear on a separate line of the Ignore List file. Each line must contain the first word of the Cisco IOS commands to be ignored.

To ignore a command that appears inside a block, a line must include the first word in the block opening command, followed by / and the first word of the command to be ignored.

A command in the Ignore List file can use up to three words (the first three words of the command), to distinguish it from other commands that have the same prefix:
  http: Ignore all commands that begin with http.
  http server config: Ignore all commands that begin with http server config, but include all other commands that begin with http.
  interface/http: Ignore all commands that begin with http in the interface block.
  interface/http server config: Ignore all commands that begin with http server config in the interface block, but include all other commands that begin with http.

Configuring Cisco IOS routers for data collection

To configure a Cisco IOS router so that Skybox View can obtain its configuration information, you must:
  In the router, create an admin user with level 5 privileges.
    Note: If the user name that you use to log in to the router has sufficient permissions, you do not need to create an admin user. The method described here creates an admin user that does not have login permissions; you need another user name to log in to the router.
    (IOS version 15.1 and higher) To use the show conf command you must also grant the user file privileges.
  Enable access to the router from the Skybox View Collector: If access rules are configured on the router, configure a rule to allow telnet or SSH access from the Skybox View Collector's IP address to the router.
    Note: By default, Cisco IOS routers do not have an SSH server installed; install an IOS encryption support package (for example, IOS FW) to support connection using SSH.

Note: By default, VPN configuration is not added to the model. To include the VPN configuration for Cisco IOS routers, change the value of the enablevpn parameter to true in <Skybox_View_Home>\server\conf\sb_common.properties.
To create a user if you are using Cisco's authentication mechanism (basic or AAA)
  1 Add a user with level 5 privileges:
      # username skybox password skybox privilege 5
  2 Configure a password for this user. You need the user name and password when you create the router collection task.

  3 Execute the following commands to grant this user permissions to the IOS show conf and show ip route vrf * commands:
      # conf term
      # privilege exec all level 5 show conf
      # privilege exec all level 5 show ip route
      # privilege exec all level 5 term length 0
      # write mem

To create a user if you are using TACACS or RADIUS
  1 Configure a level 5 user on the TACACS or RADIUS.
  2 Configure a password for this user. You need the user name and password when you create the router collection task.
  3 Execute the following commands to grant this user permissions to the IOS router show conf and show ip route vrf * commands:
      # conf term
      # privilege exec all level 5 command running-config
      # privilege exec all level 5 command route
      # write mem

To set file permissions for the show conf command (IOS version 15.1 and higher)
  Execute the command file privilege 1 at step 3 of the previous two procedures (before the command # write mem).

Cisco IOS collection tasks

Routers Cisco IOS Collection tasks retrieve configuration data from Cisco IOS routers and add the data to the current model.

Specifying what routing information to collect

By default, the Skybox View Collector executes the IOS show ip route vrf * command. To have the Collector execute only specific subcommands of this command, modify the ios.routingcommand parameter in <Skybox_View_Home>\collector\conf\sb_collector.properties; list the specific subcommands, separating the subcommands with commas. For example, ios.routingcommand=connected,static causes the Collector to execute the commands show ip route vrf connected and show ip route vrf static only.

Note: Prior to version 12.2, IOS does not support the show ip route vrf * command. Select sh ip route in the Get Routing Table Command drop-down list (in the Advanced tab).

Task parameters

The parameters that control Routers Cisco IOS Collection tasks are described in the following table.

Basic tab
  Connection Protocol: The connection protocol to use.
  SSH Port: If Connection Protocol is ssh, the port on which the router listens.
  Routers Addresses: A comma-separated list of the IP addresses of the Cisco IOS routers. Note: You can collect the configurations of multiple routers only if the same authentication is used for all the routers.
  Authentication Method:
    Device: Use the authentication credentials provided here.
    Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)
    Access token: Take the values for the user name, user password, administrator name, and administrator password from a repository. For information about the repository, see Device access management (on page 14).
  Username: This field is displayed only if Method = Device. The user name to access the router.
  Password: This field is displayed only if Method = Device. The user's password.
  Admin Username: This field is displayed only if Method = Device. The user name of an administrator on the router. After logging in with Username, Skybox View runs set user on the router using Admin Username. Note: If Username has sufficient permissions, you can leave this field blank; otherwise, it is mandatory.
  Admin Password: This field is displayed only if Method = Device. The administrator's password. Note: Only required if Admin Username is supplied (see previous note).
  Safe: This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark safe that contains the user authentication credential object.
  Object: This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark object that contains the user name and password.
  Admin Safe: This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark safe that contains the administrator authentication credential object. Note: If the user specified in Object has sufficient permissions, you can leave this field blank; otherwise, it is mandatory.
  Admin Object: This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark object that contains the administrator name and password. Note: Only required if Admin Safe is supplied (see previous note).
  Enable Setting
    Enabling Command: The command to use for user authentication when:
      (Method = Device) Admin Username and Admin Password are provided
      (Method = Cyber-Ark) Admin Object is provided

    Enable Privilege: This field is enabled only if Enabling Command = enable. The privilege to append when sending the enable command. (If this field is left blank, the enable command is sent with no value appended.)

Advanced tab
  Location Hint: The location of the router. Note: Use this parameter when different locations use the same set of IP addresses, so that two routers at different locations can have the same IP address.
  Get Configuration Command: The command to send to the router to obtain the configuration. Note: For IOS version 15.1 and higher, if you select sh conf you must configure file permissions on the router (see Configuring Cisco IOS routers for data collection (on page 115)).
  Get Routing Table Command: The command to send to the router to create the routing table. Note: For versions of IOS prior to 12.2, you must select sh ip route.
  Ignore routing rules with following metrics: A comma-separated list of metrics of BGP routes to exclude from the collected routes.

Importing Cisco IOS configuration data

Note: It is recommended that you use an Import Directory task to import the configuration data.

The following files are used to import a Cisco IOS router configuration:
  run.txt: The IOS configuration file. This file is the output of the IOS show run (or show running-config) command.
  (Optional) route.txt: Dump of the IOS routing table. This file is the output of the IOS show ip route vrf * command. To import the output of selected subcommands of the ip route vrf * command, execute the subcommands and then manually concatenate the output into a single file.

If route.txt is included, its routing rules overwrite routing rules from run.txt because its information is more extensive and includes static and dynamic routing rules.

You can import the configuration of more than one router; put each set of configuration files in a separate folder.

Note: By default, VPN configuration is not imported into the model. To include the VPN configuration for Cisco IOS routers, change the value of the enablevpn parameter to true in <Skybox_View_Home>\server\conf\sb_common.properties.

Cisco Nexus router

You can add or update configuration data from Cisco Nexus routers to the current model using an online collection task: Configure the routers (see page 119) to allow access from a Skybox View Collector and create a router collection task (see page 120) to collect the router configurations and add the data to the model. The collection task can collect data from multiple routers.

119 Chapter 8 Router tasks You can also add or update configuration data from Cisco Nexus routers to the current model using an offline file import task: Create and retrieve router configuration files and import their data (see page 120) into the model. The file import task can import the data of multiple routers. Configuring Cisco Nexus routers for data collection To configure a Cisco Nexus router so that Skybox View can obtain its configuration information, you must: In the router, create an admin user with level 5 privileges. Note: If the user name that you use to log in to the router has sufficient permissions, you do not need to create an admin user. The method described here creates an admin user that does not have login permissions; you need another user name to log in to the router. Enable access to the router from the Skybox View Collector: If access rules are configured on the router, configure a rule to allow telnet or SSH access from the Skybox View Collector s IP address to the router. Note: By default, VPN configuration is not added to the model. To include the VPN configuration for Cisco Nexus routers, change the value of the enablevpn parameter to true in <Skybox_View_Home>\server\conf\sb_common.properties. To create a user if you are using Cisco s authentication mechanism (basic or AAA) 1 Add a user with level 5 privileges: # username skybox password skybox privilege 5 2 Configure a password for this user. You need the user name and password when you create the router collection task. 3 Execute the following commands to grant this user permissions to the Nexus show conf and show ip route vrf * commands: # conf term # privilege exec all level 5 show conf # privilege exec all level 5 show ip route # privilege exec all level 5 term length 0 # write mem To create a user if you are using TACACS or RADIUS 1 Configure a level 5 user on the TACACS or RADIUS. 2 Configure a password for this user. 
You need the user name and password when you create the router collection task. 3 Execute the following commands to grant this user permissions to the Nexus router show conf and show ip route vrf * commands: # conf term # privilege exec all level 5 command running-config # privilege exec all level 5 command route # write mem Skybox View version
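The procedure above gives the collection account a dedicated privilege level with only the show commands the task needs. As an added check that is not part of the Skybox View documentation or product, the following Python script reads a Nexus running-config and reports whether the collection user still has exactly that level and whether anything beyond read-only commands was granted to it. The running-config text is constructed, and the set of prefixes treated as read-only is an assumption made for this example.

```python
"""Audit the Skybox View collection account on a Cisco Nexus running-config.

Added example, not Skybox View code. It checks that the collection user has
exactly the privilege level the procedure above assigns (5) and that the
commands granted to that level are the read-only ones the collection task
needs. The running-config below is constructed, and the list of read-only
command prefixes is an assumption made for this example."""
import re

# Commands the collection task needs at the collection user's level
# (taken from the procedure above).
REQUIRED_COMMANDS = {"show conf", "show ip route", "term length 0"}

# Prefixes treated as read-only for this audit (assumption).
READ_ONLY_PREFIXES = ("show ", "term length", "terminal length")

USER_RE = re.compile(
    r"^username\s+(\S+)(?:\s+password\s+\S+)?(?:\s+privilege\s+(\d+))?")
PRIV_RE = re.compile(r"^privilege\s+exec\s+all\s+level\s+(\d+)\s+(.+?)\s*$")

# Constructed running-config excerpt (not captured from a real router).
# The last line is a deliberate misconfiguration: a level-5 grant that
# lets the collection account enter configuration mode.
SAMPLE_RUNNING_CONFIG = """\
hostname nx-core-1
username admin password ******** privilege 15
username skybox password ******** privilege 5
privilege exec all level 5 show conf
privilege exec all level 5 show ip route
privilege exec all level 5 term length 0
privilege exec all level 5 configure terminal
"""


def parse_users(config_text: str) -> dict:
    """Map each configured user name to its privilege level (default 1)."""
    users = {}
    for line in config_text.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            users[m.group(1)] = int(m.group(2)) if m.group(2) else 1
    return users


def parse_level_commands(config_text: str) -> dict:
    """Map each privilege level to the set of exec commands granted to it."""
    levels = {}
    for line in config_text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            levels.setdefault(int(m.group(1)), set()).add(m.group(2))
    return levels


def audit_collection_account(config_text: str, user: str = "skybox",
                             expected_level: int = 5) -> list:
    """Return a list of findings; an empty list means the account is as expected."""
    findings = []
    users = parse_users(config_text)
    if user not in users:
        return [f"user '{user}' is not defined"]
    level = users[user]
    if level != expected_level:
        findings.append(
            f"user '{user}' has privilege {level}, expected {expected_level}")
    granted = parse_level_commands(config_text).get(level, set())
    missing = REQUIRED_COMMANDS - granted
    if missing and level < 15:  # level 15 already has every command
        findings.append(
            f"level {level} is missing required commands: "
            + ", ".join(sorted(missing)))
    for cmd in sorted(granted):
        if not cmd.startswith(READ_ONLY_PREFIXES):
            findings.append(f"level {level} grants a non read-only command: {cmd}")
    return findings


if __name__ == "__main__":
    for finding in audit_collection_account(SAMPLE_RUNNING_CONFIG):
        print(finding)
```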

Skybox View Reference Guide

Cisco Nexus collection tasks

Routers Cisco Nexus Collection tasks retrieve configuration data from Cisco Nexus routers and add the data to the current model.

Task parameters

The parameters that control Routers Cisco Nexus Collection tasks are described in the following table.

Basic tab
- Connection Protocol: The connection protocol to use.
- SSH Port: If Connection Protocol is ssh, the port on which the router listens.
- Addresses: A comma-separated list of the IP addresses of the Nexus routers. To collect the configurations of all VDCs from a router with multiple VDCs, type the IP address of the admin VDC. (To collect the configuration of a single VDC, type the IP address of the required VDC.) Note: You can collect the configurations of multiple routers only if the same authentication is used for all the routers.

Authentication
- Method: Device: Use the authentication credentials provided here. Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)
- Username: This field is displayed only if Method = Device. The user name to access the router.
- Password: This field is displayed only if Method = Device. The user's password.
- Safe: This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark safe that contains the user authentication credential object.
- Object: This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark object that contains the user name and password.
- Enabling Command: The command to use for user authentication.

Advanced tab
- Location Hint: The location of the router. Note: Use this parameter when different locations use the same set of IP addresses, so that two routers at different locations can have the same IP address.
- Get Configuration Command: The command to send to the router to obtain the configuration.

Importing Cisco Nexus configuration data

Note: It is recommended that you use an Import Directory task to import the configuration data.

The following files are used to import a Cisco Nexus router configuration:
- run.txt: The Nexus configuration file. This file is the output of the Nexus show conf (or show running-config) command.
- (Optional) route.txt: Dump of the Nexus routing table. This file is the output of the Nexus show ip route vrf * command. To import the output of selected subcommands of the ip route vrf * command, execute the subcommands and then manually concatenate the output into a single file.

If route.txt is included, its routing rules overwrite the routing rules from run.txt because its information is more extensive and includes both static and dynamic routing rules.

You can import the configuration of more than one router; put each set of configuration files in a separate folder.

Note: By default, VPN configuration is not imported into the model. To include the VPN configuration for Cisco Nexus routers, change the value of the enablevpn parameter to true in <Skybox_View_Home>\server\conf\sb_common.properties.

HP ProCurve router

You can add or update configuration data from HP ProCurve routers to the current model using an online collection task: Configure a router (see page 121) to allow access from a Skybox View Collector and create a router collection task (see page 121) to collect the router configurations and add the data to the model. The collection task can collect data from multiple routers.

You can also add or update configuration data from HP ProCurve routers to the current model using an offline file import task: Create and retrieve router configuration files and import their data (see page 122) into the model. The file import task can import the data of multiple routers.

Configuring HP ProCurve routers for data collection

Note: To run this collection task, the Skybox View Collector specified for the task must reside on a Linux platform.

To configure an HP ProCurve router for data collection: (Recommended) Create a separate read-only user on the device for Skybox View data collection.
HP ProCurve collection tasks

Routers HP ProCurve Collection tasks retrieve configuration data from HP ProCurve routers and add the data to the current model.

Task parameters

The parameters that control Routers HP ProCurve Collection tasks are described in the following table.

Basic tab
- Run in: Where to run the data collection.
- Addresses: A comma-separated list of the IP addresses of the HP ProCurve routers. Note: Skybox View can collect the configurations of multiple routers only if the same authentication is used for all the routers.
- Method: Device: Use the authentication credentials provided here. Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).)
- Username: This field is displayed only if Method = Device. The user name to access the router.
- Password: This field is displayed only if Method = Device. The user's password.
- Safe: This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark safe that contains the user authentication credential object.
- Object: This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark object that contains the user name and password.

Advanced tab
- Merge assets by Wins name: Specifies whether to merge assets from the same network by name and not by IP address. Select this option when assets do not have fixed IP addresses.
- Location Hint: The location of the router. Note: Use this parameter when different locations use the same set of IP addresses, so that two routers at different locations can have the same IP address.

Importing HP ProCurve configuration data

Note: It is recommended that you use an Import Directory task to import the configuration data.

The following files are used to import an HP ProCurve router configuration:
- *.*: The ProCurve configuration file. This file is the output of the ProCurve show run command.
- (Optional) route.txt: Dump of the ProCurve routing table. This file is the output of the ProCurve show ip route command.

You can import the configuration of more than one router; put each set of configuration files in a separate folder.

Note: To run an Import Collector task or an Import Collector Advanced task, the Skybox View Collector specified for the task must reside on a Linux platform.
Nortel Passport 8600 router

You can add or update configuration data from Nortel Passport 8600 routers to the current model using an online collection task: Configure the routers (see page 123) to allow access from a Skybox View Collector and create a router collection task (see page 123) to collect the router configurations and add the data to the model. The collection task can collect data from multiple routers.

You can also add or update configuration data from Nortel Passport 8600 routers to the current model using an offline file import task: Create and retrieve router configuration files and import their data (see page 123) into the model. The file import task can import the data of multiple routers.

Configuring Nortel Passport 8600 routers for data collection

To configure a Nortel router for data collection: (Recommended) Create a separate read-only user on the device for Skybox View tasks.

Nortel Passport collection tasks

Routers Nortel Passport Collection tasks retrieve configuration data from Nortel Passport routers and add the data to the current model.

Task parameters

The parameters that control Routers Nortel Passport Collection tasks are described in the following table.

Basic tab
- Connection Protocol: The connection protocol to use.

Routers
- Addresses: A comma-separated list of the IP addresses of the Nortel Passport routers. Note: You can collect the configurations of multiple routers only if the same authentication is used for all the routers.

Authentication
- Use Access Tokens: Specifies whether to take the values for Username and Password from a repository. For information about the repository, see Device access management (on page 14).
- Username: The user name to access the Nortel Passport router.
- Password: The user's password.

Advanced tab
- Location Hint: The location of the router. Note: Use this parameter when different locations use the same set of IP addresses, so that two routers at different locations can have the same IP address.

Importing Nortel Passport 8600 configuration data

The following files are used to import a Nortel Passport router configuration:
- run.txt: The Nortel configuration file. This file is the output of the Nortel show conf command.
- (Optional) route.txt: Dump of the Nortel routing table. This file is the output of the Nortel show ip route command.

If route.txt is included, its routing rules overwrite the routing rules from run.txt because its information is more extensive and includes both static and dynamic routing rules.

You can import the configuration of more than one router; put each set of configuration files in a separate folder.

Chapter 9 Scanner tasks

Scanner tasks are relevant when working with all Skybox View products except Skybox Network Assurance.

This chapter describes how to add the output of supported vulnerability scanners to the current model. There are two types of scanner tasks:
- Scan tasks: These tasks initiate a scan, collect the results, and add the data to the model.
- Collection tasks: These tasks collect the results of previously run scans and add the data to the model.

In both cases, vulnerability occurrences are added or updated and, where necessary, new assets and services are added to the model.

In this chapter
- eEye Retina scanner
- McAfee Foundstone FoundScan Enterprise scanner
- IBM SiteProtector
- Qualys QualysGuard scanner
- Rapid7 Nexpose scanner
- Shavlik NetChk Protect patch management tool
- Tenable Network Security Nessus scanner
- Tripwire nCircle scanner
- Blacklists

eEye Retina scanner

You can add or update vulnerability occurrence data from eEye Retina scanners to the current model using an online collection task: Configure a scanner (see page 125) to allow access from a Skybox View Collector and create a scanner collection task (see page 126) to collect the vulnerability occurrences found by the scanner and add the data to the model.

You can create a blacklist of scanner IDs (see page 136) that Skybox View ignores.

Configuring eEye Retina scanners for data collection

Skybox View supports the Retina 4.9 and Retina 5 vulnerability scanners.

Note: The Skybox View Collector that collects the results of the Retina vulnerability scanner must run on a Windows platform.

To use the Retina vulnerability scanner

1 Install the Retina application.
2 Install a Skybox View Collector. The order of installation is not important.
3 Run a network scan from the Retina application.

eEye Retina collection tasks

These tasks are relevant when working with all Skybox View products except Skybox Network Assurance.

Scanners Retina Collection tasks retrieve vulnerability occurrence data collected by eEye Retina scanners and add the data to the current model.

Note: By default, data is collected only for assets that are marked in the Retina scanner database as "scan finished". In some installations, this field is not filled and assets are skipped; to force collection of all assets, change the value of the Retina.ForceImport parameter to true in <Skybox_View_Home>\collector\conf\sb_collector.properties.

Task parameters

The parameters that control Scanners Retina Collection tasks are described in the following table.

Basic tab
- Recency: Collect scans generated in the specified number of days before today.
- Scan Output Type: The output type of the scan.
- Files Directory Path: This field is displayed only if Scan Output Type = FILE. Either the path to a directory containing Retina output RTD files, or the path to a single RTD file, including the file name. Note: If you only specify a path, all RTD files in the directory are parsed and merged.
- DSN Name: This field is displayed only if Scan Output Type = DSN. The name of the DSN that is configured for the Retina output.
- Dictionary location: Specifies how the Retina dictionary location is defined.
- Dictionary files path: This field is displayed only if Dictionary location = PATH. The path to the Retina dictionary files (audits.xml and services.xml). Note: This option is not supported for the Retina 4.9 vulnerability scanner.

Advanced tab
- Location Hint: The location of the scanner.
  Note: Use this parameter when different locations use the same set of IP addresses, so that two scanners at different locations can have the same IP address.

McAfee Foundstone FoundScan Enterprise scanner

You can add or update vulnerability occurrence data from McAfee Foundstone FoundScan Enterprise scanners to the current model using an online collection task: Create a scanner collection task (see page 127) to collect the vulnerability occurrences found by the scanner and add the data to the model.

You can create a blacklist of scanner IDs (see page 136) that Skybox View ignores.

McAfee Foundstone FoundScan collection tasks

These tasks are relevant when working with all Skybox View products except Skybox Network Assurance.

Scanners FoundScan Collection tasks retrieve vulnerability occurrence data collected by McAfee Foundstone FoundScan Enterprise scanners and add the data to the current model.

Task parameters

The parameters that control Scanners FoundScan Collection tasks are described in the following table.

Basic tab
- Network Scope: The assets (select networks or specific assets) whose vulnerability occurrence data is added to the Skybox View model by the task.
- Recency: Collect scans generated in the specified number of days before today.

Database connection
- Address/Name: The name or IP address of the database server that hosts the FoundScan database.

User Authentication
- Database Username: The user name of a user of the FoundScan scanner.
- Database Password: The user's password.

Advanced tab
- Location Hint: The location of the scanner. Note: Use this parameter when different locations use the same set of IP addresses, so that two scanners at different locations can have the same IP address.
- DSN name: (Read only) The name of the DSN that is configured for the FoundScan Enterprise output. Note: This field is displayed for backward compatibility only; it is for existing tasks of this type created in previous versions of Skybox View. When creating new tasks, you must fill in a value in the Address/Name field in the Basic tab.
- Merge assets by Wins name: Specifies whether to merge assets from the same network by name and not by IP address. Select this option when assets do not have fixed IP addresses.
- Policy Name: The FoundScan policy for which to retrieve a scan. If this field is left blank, the most recent scan is retrieved. Policy Name can be an expression with wildcards, as described in the following table.

Using wildcards in the Policy Name parameter

The wildcards that the Policy Name parameter can use are listed in the following table. For example, to get all scans whose policy name does not end with D, type %[^D] as the policy name.
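To make the wildcard rules concrete before the table, here is an added Python example (not Skybox View or FoundScan code) that implements the same four wildcards and applies them to constructed policy names, including the guide's own %[^D] case. Whether FoundScan compares policy names case-sensitively is not stated in the guide, so case handling is a parameter here, an assumption of this example.

```python
"""Matcher for the FoundScan Policy Name wildcard syntax (%, _, [ ], [^ ]).

Added example, not Skybox View or FoundScan code: it shows how the four
wildcards select policy names. Whether FoundScan compares names
case-sensitively is not stated in the guide, so case handling is a
parameter here (an assumption)."""
import re


def _translate_set(body: str) -> str:
    """Escape the inside of a [ ] set while keeping a-f style ranges intact."""
    parts = []
    k = 0
    while k < len(body):
        if k + 2 < len(body) and body[k + 1] == "-":
            parts.append(re.escape(body[k]) + "-" + re.escape(body[k + 2]))
            k += 3
        else:
            parts.append(re.escape(body[k]))
            k += 1
    return "".join(parts)


def policy_name_to_regex(pattern: str, ignore_case: bool = False):
    """Translate a Policy Name wildcard expression into a compiled regex.

    %   -> .*     any string of zero or more characters
    _   -> .      any single character
    [ ] -> [ ]    any single character in the range or set
    [^] -> [^ ]   any single character not in the range or set
    Every other character matches itself.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "%":
            out.append(".*")
        elif c == "_":
            out.append(".")
        elif c == "[":
            end = pattern.find("]", i + 1)
            if end == -1:
                raise ValueError(f"unterminated '[' in pattern {pattern!r}")
            body = pattern[i + 1:end]
            negate = body.startswith("^")
            if negate:
                body = body[1:]
            if not body:
                raise ValueError(f"empty character set in pattern {pattern!r}")
            out.append("[" + ("^" if negate else "") + _translate_set(body) + "]")
            i = end
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), re.IGNORECASE if ignore_case else 0)


def policy_matches(pattern: str, name: str, ignore_case: bool = False) -> bool:
    """True if the whole policy name matches the wildcard expression."""
    return policy_name_to_regex(pattern, ignore_case).fullmatch(name) is not None


def select_policies(pattern: str, names, ignore_case: bool = False) -> list:
    """Return the policy names the expression selects, in input order."""
    rx = policy_name_to_regex(pattern, ignore_case)
    return [n for n in names if rx.fullmatch(n) is not None]


# Constructed policy names; not taken from a real FoundScan database.
SAMPLE_POLICY_NAMES = [
    "Full Audit",
    "Web Servers D",
    "DMZ Quarterly",
    "D",
    "Baseline_2014",
]

if __name__ == "__main__":
    # The guide's own example: every policy whose name does not end with D.
    print(select_policies("%[^D]", SAMPLE_POLICY_NAMES))
```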

Wildcard: Matches
- %: Any string of zero or more characters
- _ (underscore): Any single character
- [ ]: Any single character in the specified range ([a-f]) or set ([abcdef])
- [^]: Any single character not in the specified range ([^a-f]) or set ([^abcdef])

IBM SiteProtector

You can add or update vulnerability occurrence data collected by IBM Internet Scanners from an IBM SiteProtector database to the current model using an online collection task: Create a scanner collection task (see page 128) to collect the vulnerability occurrences found by the scanners and add the data to the model.

You can create a blacklist of scanner IDs (see page 136) that Skybox View ignores.

IBM SiteProtector Vulnerabilities Scanner collection tasks

These tasks are relevant when working with all Skybox View products except Skybox Network Assurance.

Scanners ISS SiteProtector Vulnerabilities Scanner Collection tasks retrieve vulnerability occurrence data, collected by IBM Internet Scanners, from IBM SiteProtector databases and add the data to the current model.

Task parameters

The parameters that control Scanners ISS SiteProtector Vulnerabilities Scanner Collection tasks are described in the following table.

Basic tab
- Network Scope: The network entities or container entities whose vulnerability occurrence data is added to the Skybox View model by the task.
- Recency: An integer: Collect scans generated in the specified number of days before today. A date range: Collect scans generated between the specified dates. (Note: The dates must be in American date format (MM/DD/YYYY).)
- Sensor IP Address: The IP address of the scanner.

Database connection
- Address/Name: The name or IP address of the database server that hosts the SiteProtector database.

User Authentication
- Database Username: The user name of a user of the management module.
- Database Password: The user's password.

Advanced tab
- Location Hint: The location of the scanner. Note: Use this parameter when different locations use the same set of IP addresses, so that two scanners at different locations can have the same IP address.
- Merge assets by Wins name: Specifies whether to merge assets from the same network by name and not by IP address. Select this option when assets do not have fixed IP addresses.
- DSN name: (Read only) The name of the DSN that is configured for the (SiteProtector) management module. Note: This field is displayed for backward compatibility only; it is for existing tasks of this type created in previous versions of Skybox View. When creating new tasks, you must fill in a value in the Address/Name field in the Basic tab.

Qualys QualysGuard scanner

You can add or update vulnerability occurrence data from Qualys QualysGuard scanners to the current model using an online collection task: Configure a scanner (see page 129) to allow access from a Skybox View Collector and create a scanner collection task (see page 130) to collect the vulnerability occurrences found by the scanner and add the data to the model.

You can also add or update configuration data from Qualys QualysGuard scanners to the current model using an offline file import task: Generate scanner vulnerability occurrence files and import their data (see page 132) into the model. The file import task can import the data of multiple scanners.

You can create a blacklist of scanner IDs (see page 136) that Skybox View ignores.

Configuring Qualys QualysGuard scanners for data collection

To configure a Qualys scanner for data collection: (Recommended) Create a separate read-only user on the device for Skybox View tasks.

The Qualys vulnerability scanner is unique among the vulnerability scanners used by Skybox View, in that the scan results are not stored in Skybox View. Rather, Skybox View accesses the Qualys website to pull network configurations and vulnerability scan results.

Note: Connecting to the Qualys website via a proxy server is supported.

Before configuring Qualys to work with Skybox View, contact Qualys and open an account.
When opening the account with Qualys, save the following information:
- Qualys account user name
- Qualys account password

You need this information when you create the task for running the Qualys vulnerability scanner.

After creating a Qualys account, configure the connection between the Skybox View Collector and the Qualys vulnerability scanner (that is, the QualysGuard IP address).

Note: Make sure that the connection is not blocked by any firewalls.

To configure connection to the QualysGuard vulnerability scanner

- Enable access from the Skybox View Collector to the QualysGuard API server at:
  - (Users of Qualys US site)
  - (Users of Qualys European site)
  Fallback: Use the Qualys website at:
  - (Users of Qualys US site)
  - (Users of Qualys European site)
- If web access from the Skybox View Collector goes through a proxy, configure the proxy IP address and port (see Proxy Settings, in the Skybox View Installation and Administration Guide).

Qualys QualysGuard collection tasks

These tasks are relevant when working with all Skybox View products except Skybox Network Assurance.

Scanners Qualys Collection tasks retrieve vulnerability occurrence data collected by Qualys QualysGuard scanners and add the data to the current model.

Task parameters

The parameters that control Scanners Qualys Collection tasks are described in the following table.

Basic tab
- Qualys site: The Qualys site to which to connect.
- Custom Qualys site: This field is enabled only if Qualys site = Custom. If the Qualys site to which you want to connect does not appear in the Qualys site drop-down list, select Custom from the drop-down list and type the site's URL.
- Username: The user name of a user, as defined on the Qualys Management Site. Note: It is recommended that the user have read-only permissions only.
- Password: The password of the user specified in Username.
- Network Scope: The devices (container entities or specific devices) whose vulnerability occurrence data is added to the Skybox View model by the task.

Filter
- Filter by: Specifies whether to collect scan and map files by name, by ID, or by user login. Note: This is user login and not user name.
- Filter by Scan: Specifies whether to retrieve scan data.
- Scan filter: (Filter by = NAME) The scan name to use when collecting the scan data. Only scans with names matching this string are imported. Note: Information about this filter is provided in the following table. (Filter by = USER) The user name to use when collecting the scan data. Only scans launched by users whose user name matches this string are imported. (Filter by = ID) The exact ID of the scan to use.
- Filter by Map: Specifies whether to retrieve map data.
- Map filter: (Filter by = NAME) The map name to use when collecting the scan data. Only maps with names matching this string are imported. Note: Information about this filter is provided in the following table. (Filter by = USER) The user name to use when collecting the scan data. Only maps launched by users whose user name matches this string are imported. (Filter by = ID) The exact ID of the map to use.
- Recency: This field is displayed only if Filter by = NAME or Filter by = USER. An integer: Collect scans generated in the specified number of days before today. A date range: Collect scans generated between the specified dates. (Note: The dates must be in American date format (MM/DD/YYYY).)

Proxy
- Use proxy: Specifies whether to use HTTP proxy settings. The proxy settings are set in the Options dialog box (see the Proxy Settings (Server) topic in the Skybox View Installation and Administration Guide).

Advanced tab
- Location Hint: The location of the scanner. Note: Use this parameter when different locations use the same set of IP addresses, so that two scanners at different locations can have the same IP address.
- Merge assets by Wins name: Specifies whether to merge assets from the same network by name and not by IP address. Select this option when assets do not have fixed IP addresses.

About the Scan filter and Map filter fields

The types of strings to use for the Scan filter field and the Map filter field (when Filter by = NAME or Filter by = USER) are listed in the following table.

This text string: Collects these scans or maps
- Empty string: All scans or maps within the date range specified in the Recency field.
- A partial name (do not use quotation marks): (Filter by = NAME) Only scans or maps whose title contains this string. (Filter by = USER) Only scans or maps launched by a user whose user name contains this string.
- N/A (without quotation marks): (Filter by = NAME) Scans or maps that have no title, just as they appear in the Qualys GUI. (Filter by = USER) Not relevant (do not use).
- A regular expression (do not use quotation marks): (Filter by = NAME) All scans or maps that contain the result of the regular expression in their title. For example, the regular expression Light|Full matches scan titles such as Light scan and All Networks Full Scan. (Filter by = USER) All scans or maps launched by a user whose user name contains the result of the regular expression.

Note: Text matching in regular expressions for this field is not case-sensitive.

Importing Qualys QualysGuard scanner data

Importing scanner data is not relevant when working with Skybox Network Assurance.

Note: It is recommended that you use an Import Directory task to import the scan data.

The following files are used to import Qualys scan results:
- scan.xml: The Qualys scan file
- (Optional) map.xml: The Qualys map file

You can import the results of more than one Qualys scan; put each set of files in a separate folder.

Rapid7 Nexpose scanner

You can add or update vulnerability occurrence data from Rapid7 Nexpose scanners to the current model using an online collection task: Create a scanner collection task (on page 132) to collect the data and add it to the model.

You can also add or update vulnerability occurrence data from Rapid7 Nexpose scanners to the current model using an offline file import task: Retrieve scanner audit reports and import their data (on page 133) into the model. The file import task can import the data of multiple scanners.

Rapid7 Nexpose collection tasks

These tasks are relevant when working with all Skybox View products except Skybox Network Assurance.

Scanners Rapid7 Collection tasks retrieve vulnerability occurrence data (audit reports) collected by Rapid7 Nexpose scanners and add the data to the current model.

Task parameters

The parameters that control Scanners Rapid7 Collection tasks are described in the following table.

Basic tab
- Run in: Where to run the data collection.
- Rapid7 ip: The IP address of the Rapid7 Nexpose scanner, in the format nnn.nnn.nnn.nnn[:<port_number>]. The default port is 80.
- Username: The user name to access the scanner.
- Password: The user's password.

Advanced tab
- Recency: Collect reports generated in the specified number of days before today.
- Filter By Name: If a full or partial report name is provided, only reports with names matching this string are imported. Wildcards are supported.

- Filter By Format: If a format is provided, only reports in this format are imported. Possible formats are: ns-xml, raw-xml, qualys-xml.
- Filter By Template: If a template type is provided, only reports using this template are imported. Possible templates are: audit-report, full-audit.
- Filter By API Version: If an API version is provided, only reports using this API version are imported.
- Merge assets by Wins name: Specifies whether to merge assets from the same network by name and not by IP address. Select this option when assets do not have fixed IP addresses.
- Location Hint: The location of the scanner. Note: Use this parameter when different locations use the same set of IP addresses, so that two scanners at different locations can have the same IP address.

Importing Rapid7 Nexpose audit reports

Importing Rapid7 vulnerability occurrence data is not relevant when working with Skybox Network Assurance.

Note: It is recommended that you use an Import Directory task to import the audit reports.

Rapid7 Nexpose audit reports can be imported in any of the following formats:
- ns-xml
- raw-xml
- qualys-xml

You can import more than one Rapid7 Nexpose audit report; put each set of files in a separate folder.

Shavlik NetChk Protect patch management tool

You can add or update vulnerability occurrence data from Shavlik NetChk Protect patch management tools to the current model using an online collection task: Configure a patch management tool (see page 134) to allow access from a Skybox View Collector and create a scanner collection task (see page 134) to collect the vulnerability occurrences found by the patch management tool and add the data to the model.

You can also add or update vulnerability occurrence data from Shavlik NetChk Protect patch management tools to the current model using an offline file import task: Generate patch management tool vulnerability occurrence files and import their data (see page 134) into the model. The file import task can import the data of multiple scanners.

You can create a blacklist of scanner IDs (see page 136) that Skybox View ignores.

Configuring Shavlik NetChk Protect patch management tools for data collection

The Scan Output Type parameter of Scanners HFNetChk Pro Collection tasks can take the value FILE or DSN:
- FILE: The file must be located on the Skybox View Collector machine.
- DSN: The Collector must be installed on the machine where the DSN is defined.

Shavlik NetChk Protect collection tasks

These tasks are relevant when working with all Skybox View products except Skybox Network Assurance.

Scanners HFNetChk Pro Collection tasks retrieve vulnerability occurrence and patch data collected by the Shavlik NetChk Protect patch management tool and add the data to the current model.

Task parameters

The parameters that control Scanners HFNetChk Pro Collection tasks are described in the following table.

Basic tab
- Recency: Collect scans generated in the specified number of days before today. A value of zero means that only the most recent scan is collected.
- Scan Output Type: The output type of the scan.
- Output File Path: This field is displayed only if Scan Output Type = FILE. The full path to the NetChk Protect output MDB file.
- Output DSN Name: This field is displayed only if Scan Output Type = DSN. The name of the DSN that is configured for the NetChk Protect output.

Advanced tab
- Location Hint: The location of the scanner. Note: Use this parameter when different locations use the same set of IP addresses, so that two scanners at different locations can have the same IP address.

Importing Shavlik NetChk Protect patch management tool data

Importing scanner data is not relevant when working with Skybox Network Assurance.

The following file is used to import Shavlik NetChk Protect vulnerability occurrence data:
- *.txt: NetChk Protect Vulnerability Scanner Report file

You can import the results of more than one NetChk Protect scan; put each file in a separate folder.

Tenable Network Security Nessus scanner

You can add or update vulnerability occurrence data from Tenable Network Security Nessus scanners (version 5 and higher) to the current model using an online collection task: Configure a scanner (see page 135) to allow access from a Skybox View Collector and create a scanner scan task (see page 135) to execute a scan, collect the vulnerability occurrences found by the scanner, and add the data to the model.

You can also add or update vulnerability occurrence data from Tenable Network Security Nessus scanners to the current model using an offline file import task: Generate scanner vulnerability occurrence files and import their data (see page 136) into the model. The file import task can import the data of multiple scanners.

You can create a blacklist of scanner IDs (see page 136) that Skybox View should ignore.

Configuring Nessus scanners for data collection

You can create two predefined policy files:
- .nessurc_all: All available plugins
- .nessurc_safe: All safe plugins

A safe plugin is a plugin that has a script_category value of ACT_GATHER_INFO or ACT_SETTINGS.

To create these files, run generate_nessus_policies.sh, located in the <Skybox_View_Home>/collector/bin directory. You must specify the location of the plugins (for example, generate_nessus_policies.sh -p /opt/nessus/lib/nessus/plugins).

Note: Plugins that you add after you create these files are not used in the scan.

Tenable Network Security Nessus collection tasks

These tasks are relevant when working with all Skybox View products except Skybox Network Assurance.

Scanners Nessus Collection tasks retrieve vulnerability occurrence data collected by Tenable Network Security Nessus scanners (version 5 and higher) and add the data to the current model.

Task parameters

The parameters that control Scanners Nessus Collection tasks are described in the following table.

Basic tab
  Run in: Where to run the data collection.
  Nessus URL: The URL of the Tenable Network Security Nessus scanner, in the format […]. The default port is 443.
  Username: The user name to access the scanner.
  Password: The user's password.

Advanced tab
  Recency: Collect reports generated in the specified number of days before today.
  Filter By Name: If a full or partial report name is provided, only reports with names matching this string are imported. Wildcards are supported.
  Merge assets by Wins name: Specifies whether to merge assets from the same network by name and not by IP address. Select this option when assets do not have fixed IP addresses.
  Location Hint: The location of the scanner. Note: Use this parameter when different locations use the same set of IP addresses, so that two scanners at different locations can have the same IP address.

Importing Tenable Network Security Nessus scanner data

Importing scanner data is not relevant when working with Skybox Network Assurance.

Note: It is recommended that you use an Import Directory task to import the scan data.

The following file is used to import Nessus scanner data:
- *.nessus: Nessus XML file

Note: For an Import Basic task, change the extension from nessus to xml.

You can import the results of more than one Nessus scan; put each file in a separate directory.

Tripwire nCircle scanner

You can add or update configuration data from Qualys QualysGuard scanners to the current model using an offline file import task: Generate scanner vulnerability occurrence files and import their data into the model. The file import task can import the data of multiple scanners.

You can create a blacklist of scanner IDs (see page 136) that Skybox View ignores.

Importing Tripwire nCircle scanner data

Importing scanner data is not relevant when working with Skybox Network Assurance.

Note: It is recommended that you use an Import Directory task to import the scan data.

The following files are used to import nCircle scan results:

For nCircle XML3:
- scan.xml: nCircle export XML file
- aspl.xml: nCircle ASPL XML file
You can import the results of more than one nCircle scan; put each set of files in a separate folder.
Note: If you are using an Import Directory task and importing more than one scan, it is recommended that you specify a single location for the ASPL XML file in the task properties. For additional information, see Import directory tasks (on page 29).

For nCircle XML2:
- *.xml: nCircle export XML
You can import the results of more than one nCircle scan.

Blacklists

This section describes how to exclude unnecessary scanner information from the model.

Not all information found by vulnerability scanners is about vulnerability occurrences: some is about the asset or its services (such as the number of users and the number of shares), and some is information that the scanner requires but that has no additional value. This information is not used for attack simulation.

The Skybox View Vulnerability Dictionary includes a predefined blacklist. This is a list of scanner IDs that contain irrelevant information and so should not be translated into vulnerability occurrences in the model. You can also create a user-defined blacklist file for a scanner, in which you list additional scanner IDs to ignore. The following scanners are supported:
- Nessus
- IBM Internet Scanner
- Retina
- Qualys
- FoundScan
- nCircle
- NetChk Protect

These user-defined files must be stored in the following location on the Skybox View Server machine: <Skybox_View_Home>\data\specials.

Creating blacklists

The blacklist of scanner IDs to be ignored or deleted requires a separate text file for each scanner type. The scanners for which Skybox View supports blacklists are listed in the following table.

Scanner          File name
Nessus           nessus
IBM              iss
Retina           retina
Qualys           qualys
FoundScan        foundscan
nCircle          ncircle
NetChk Protect   hfnetcheck

Note: Skybox View ignores files with other names.

To create a blacklist for a specific scanner
1 Create a text file named according to the scanner type. The file name must not have an extension. If a file with the name of your scanner already exists, you can modify it or add extra lines.
2 In the text file, create a separate line for each scanner ID with one of the following formats:
  <scanner_id>[one space]<action>
  <scanner_id>[one space]<action>[one space]<regular expression>
  Note: For blacklists, the regular expression is not case-sensitive.
  <action> can be one of:
  - DELETE: Delete all appearances of this scanner ID from the network model.
  - IGNORE: Create vulnerability occurrences for a scanner with this ID with the system lifecycle status Suspected False Positive.
  You can use a regular expression to select between scanner results produced by the same scanner check. For example, if scanner check 1234 can produce two different results, "Vulnerability occurrence is found" and "Maybe vulnerability occurrence is found", add the following line:
  1234 IGNORE Maybe
  Skybox View ignores scanner ID 1234 if its result matches the regular expression Maybe. Do not set off the regular expression with quotation marks.
3 Use ; at the start of a line to create comments.
4 Save the file.

Using blacklists

Skybox View applies blacklists automatically to filter new scanner data that is imported to Skybox View; data that is already in the current model is not affected.

To delete or ignore scanner IDs that exist in the current model
Run the Dictionary Update Daily task. This task:
- Retrieves the latest Vulnerability Dictionary from the internet
- Checks all vulnerability occurrences in the model against blacklists and updates the model accordingly

Note: Loading a model (using File > Models > Load) does not check vulnerability occurrences against the blacklists. If you load a saved model that contains vulnerability occurrences specified in the blacklists, those vulnerability occurrences are part of that model until you run the Dictionary Update Daily task on the loaded model.
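The safe-plugin selection described under Configuring Nessus scanners for data collection (a safe plugin has a script_category of ACT_GATHER_INFO or ACT_SETTINGS), shown as an added example; this is not the guide's generate_nessus_policies.sh script. It assumes each plugin is a .nasl file declaring script_id(<n>) and script_category(<NAME>); the sample plugin sources, file names and plugin IDs are constructed, and the intrusive categories ACT_ATTACK and ACT_DENIAL are NASL categories the guide does not mention.

```python
# Added example (not Skybox View's generate_nessus_policies.sh): split a Nessus
# plugin directory into "all" and "safe" plugin sets by NASL script_category,
# using the two safe categories the guide names. Assumptions: each plugin is a
# .nasl file that declares script_id(<n>) and script_category(<NAME>); the sample
# plugin sources below are constructed for this example.
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

SAFE_CATEGORIES = {"ACT_GATHER_INFO", "ACT_SETTINGS"}

# NASL declarations look like:  script_id(12345);  script_category(ACT_GATHER_INFO);
ID_RE = re.compile(r"\bscript_id\s*\(\s*(\d+)\s*\)")
CATEGORY_RE = re.compile(r"\bscript_category\s*\(\s*([A-Z_]+)\s*\)")


def classify_plugin(source: str) -> Optional[Tuple[int, str]]:
    """Return (plugin_id, category) for one plugin source, or None when a
    declaration is missing (such a plugin is left out of both policies)."""
    id_match = ID_RE.search(source)
    category_match = CATEGORY_RE.search(source)
    if not id_match or not category_match:
        return None
    return int(id_match.group(1)), category_match.group(1)


def build_plugin_sets(plugin_dir: Path) -> Tuple[List[int], List[int]]:
    """Walk the plugin directory once and return (all_ids, safe_ids), sorted."""
    all_ids, safe_ids = [], []
    for path in plugin_dir.glob("*.nasl"):
        parsed = classify_plugin(path.read_text(errors="replace"))
        if parsed is None:
            continue
        plugin_id, category = parsed
        all_ids.append(plugin_id)
        if category in SAFE_CATEGORIES:
            safe_ids.append(plugin_id)
    return sorted(all_ids), sorted(safe_ids)


# Constructed sample plugins: two safe, two intrusive, one with no category.
SAMPLE_PLUGINS = {
    "sample_info.nasl": "script_id(9001);\nscript_category(ACT_GATHER_INFO);\n",
    "sample_settings.nasl": "script_id(9002);\nscript_category(ACT_SETTINGS);\n",
    "sample_attack.nasl": "script_id(9003);\nscript_category(ACT_ATTACK);\n",
    "sample_dos.nasl": "script_id(9004);\nscript_category(ACT_DENIAL);\n",
    "sample_broken.nasl": "# category declaration missing\nscript_id(9005);\n",
}


def demo() -> Tuple[List[int], List[int]]:
    """Write the sample plugins to a temporary directory and classify them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, source in SAMPLE_PLUGINS.items():
            Path(tmp, name).write_text(source)
        return build_plugin_sets(Path(tmp))


if __name__ == "__main__":
    all_ids, safe_ids = demo()
    print("all plugins: ", all_ids)
    print("safe plugins:", safe_ids)
```

Run build_plugin_sets against the real plugin directory (the guide's example is /opt/nessus/lib/nessus/plugins) to see which checks the safe policy would drop; the guide's note that plugins added later are not picked up follows directly from this being a one-time walk of the directory.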
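The blacklist file format from Creating blacklists, parsed and applied to scanner results, as an added example that is not Skybox View's own implementation. The guide leaves a few details open, and the example makes these assumptions: "matches the regular expression" is a case-insensitive search anywhere in the result text; a line with no regular expression applies to every result of that scanner ID; when several lines name the same ID, the first line that matches wins. Scanner ID 1234 is the guide's example; the other IDs, hosts and result strings are constructed.

```python
# Added example (not Skybox View code): parse a scanner blacklist file in the
# '<scanner_id> <action> [regex]' format and apply it to a batch of scanner
# results. Assumptions made here, not stated by the guide: "matches the regular
# expression" is a case-insensitive search anywhere in the result text; a line
# with no regex applies to every result of that scanner ID; when several lines
# name the same ID, the first matching line wins. Sample data is constructed.
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

ACTIONS = ("DELETE", "IGNORE")
SUSPECTED_FP = "Suspected False Positive"   # lifecycle status set by IGNORE


@dataclass(frozen=True)
class Rule:
    scanner_id: str
    action: str
    pattern: Optional[re.Pattern]    # None when the line carries no regex


@dataclass(frozen=True)
class Finding:
    scanner_id: str
    host: str
    result: str
    status: str = "Found"


def parse_blacklist(text: str) -> List[Rule]:
    """Parse '<id> <action> [regex]' lines; ';' at line start marks a comment."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(" ", 2)          # id, action, rest-of-line regex
        if len(parts) < 2 or parts[1] not in ACTIONS:
            raise ValueError(f"line {lineno}: expected '<id> DELETE|IGNORE [regex]'")
        regex = parts[2] if len(parts) == 3 else None
        if regex and len(regex) > 1 and regex[0] == regex[-1] and regex[0] in "\"'":
            # The guide says not to quote the regex: the quotes would become part
            # of the pattern and the line would silently match nothing.
            raise ValueError(f"line {lineno}: do not quote the regular expression")
        pattern = re.compile(regex, re.IGNORECASE) if regex else None
        rules.append(Rule(parts[0], parts[1], pattern))
    return rules


def apply_blacklist(rules: List[Rule], findings: List[Finding]) -> List[Finding]:
    """Return the findings that remain in the model: DELETE drops a finding,
    IGNORE keeps it with the Suspected False Positive status."""
    by_id: Dict[str, List[Rule]] = {}
    for rule in rules:
        by_id.setdefault(rule.scanner_id, []).append(rule)
    kept: List[Finding] = []
    for finding in findings:
        action = None
        for rule in by_id.get(finding.scanner_id, []):
            if rule.pattern is None or rule.pattern.search(finding.result):
                action = rule.action
                break
        if action == "DELETE":
            continue
        if action == "IGNORE":
            finding = replace(finding, status=SUSPECTED_FP)
        kept.append(finding)
    return kept


# Constructed sample 'nessus' blacklist file (scanner ID 1234 is the guide's example).
SAMPLE_BLACKLIST = """\
; constructed blacklist: DELETE scan metadata, IGNORE uncertain or informational checks
5001 DELETE
1234 IGNORE Maybe
5002 IGNORE
"""

# Constructed scanner results; 5003 is not blacklisted and must pass through unchanged.
SAMPLE_FINDINGS = [
    Finding("5001", "10.0.0.5", "Scan information"),
    Finding("1234", "10.0.0.5", "Vulnerability occurrence is found"),
    Finding("1234", "10.0.0.6", "MAYBE vulnerability occurrence is found"),
    Finding("5002", "10.0.0.7", "Traceroute information"),
    Finding("5003", "10.0.0.7", "Outdated service version detected"),
]


def filter_sample() -> List[Finding]:
    """Apply the sample blacklist to the sample findings."""
    return apply_blacklist(parse_blacklist(SAMPLE_BLACKLIST), SAMPLE_FINDINGS)


if __name__ == "__main__":
    for finding in filter_sample():
        print(finding.scanner_id, finding.host, finding.status)
```

The uppercase "MAYBE" result is what the case-insensitivity note is about: it is still flagged Suspected False Positive, while the plain "Vulnerability occurrence is found" result for the same check 1234 stays a normal finding. As the guide's Using blacklists subsection says, this filtering happens on import; findings already in the model are only revisited by the Dictionary Update Daily task.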

Chapter 10 Management systems tasks

This chapter describes how to add data from management systems to the current model.

In this chapter
- McAfee ePolicy Orchestrator
- Microsoft SCCM
- SolarWinds NCM
- Microsoft Active Directory
- Microsoft WSUS
- CiscoWorks
- HP Software & Solutions (OpenView)
- Symantec Management Suite

McAfee ePolicy Orchestrator

You can add or update data from a McAfee ePolicy Orchestrator (ePO) database to the current model using an online collection task: Configure the database (see page 139) to allow access from Skybox View and create a collection task (see page 139) to collect the data and add it to the model.

You can also add or update data from a McAfee ePO database to the current model using an offline file import task: Create and retrieve ePO data files, and import their data (see page 140) into the model.

Configuring McAfee ePolicy Orchestrator for data collection

To retrieve data from a McAfee ePolicy Orchestrator (ePO) database:
- Skybox View requires read-only access to the ePO database

McAfee ePolicy Orchestrator collection tasks

Asset Management ePO tasks retrieve configuration data (asset information, vulnerability occurrences and installed patches, and installed software) from a McAfee ePolicy Orchestrator (ePO) database and add the data to the current model.

Task parameters

The parameters that control Asset Management ePO tasks are described in the following table.

Basic tab
  Run in: Where to run the data collection.
  Server IP: The IP address of the ePO server, in the format nnn.nnn.nnn.nnn[:<port_number>]. The default port is 80.
  DB Name: The name of the ePO database to access.

  Username: The user name to access the ePO database.
  Password: The user's password.

Advanced tab
  Merge assets by Wins name: Specifies whether to merge assets from the same network by name and not by IP address. Select this option when assets do not have fixed IP addresses.

Importing McAfee ePolicy Orchestrator data

Note: It is recommended that you use an Import Directory task to import the configuration data.

Microsoft SCCM

You can add or update data from a Microsoft System Center Configuration Manager (SCCM) database to the current model using an online collection task: Configure the database (see page 140) to allow access from Skybox View and create a collection task (see page 141) to collect the data and add it to the model.

Configuring Microsoft SCCM for data collection

To retrieve data from a Microsoft SCCM database:
- Skybox View requires read-only access to the SCCM database
- For Linux, you must configure ODBC support:
  - If the Skybox View Collector is installed on a Linux device, see Installing ODBC support on Linux devices (on page 141)
  - If you are using Skybox Appliance, see Installing ODBC support for Skybox Appliances (on page 140)

Installing ODBC support for Skybox Appliances

This section explains how to install ODBC support if you are using Skybox Appliance.

To install ODBC support
1 Log in as the root user.
2 Install the Skybox View GCC libraries:
  yum --disablerepo=\* --enablerepo=skyboxview-appliance groupinstall "Basic Appliance Development Tools"
3 Install the UNIX ODBC attach file:
  a) tar -xvf unixodbc tar.gz
  b) ./configure
  c) make
  d) make install
4 Install FreeTDS:
  a) ./configure --with-tdsver=8.0 --with-unixodbc=/usr/local/ --with-openssl
  b) make
  c) make install
5 Open the FreeTDS file for editing:
  vi /usr/local/etc/odbcinst.ini
6 Add the following lines to the file:
  [FreeTDS]
  Description = FreeTDS Driver for Linux & MSSQL
  Driver = /usr/local/lib/libtdsodbc.so
  #Setup = /usr/lib/odbc/libtdss.so
  UsageCount = 1
  FileUsage = 1
7 Install the Perl libraries:
  a) cd /usr/local/repos/ps_extras/lib-perl/
  b) ./perl_mod_install.sh

Installing ODBC support on Linux devices

If the Skybox View Collector that is collecting the SCCM data is running on a Linux device, you must install ODBC support.

To install ODBC support on a Linux device
1 Install UNIX ODBC.
2 Install FreeTDS:
  a) ./configure --with-tdsver=8.0 --with-unixodbc=/usr/local/unixodbc/ --with-openssl
  b) make
  c) make install
3 Add the following lines to the FreeTDS file /usr/local/etc/odbcinst.ini:
  [FreeTDS]
  Description = FreeTDS Driver for Linux & MSSQL
  Driver = /usr/local/lib/libtdsodbc.so
  #Setup = /usr/lib/odbc/libtdss.so
  UsageCount = 1
  FileUsage = 1

Microsoft SCCM collection tasks

Asset Management SCCM tasks retrieve data (asset information, vulnerability occurrences and installed patches, and installed software) from a Microsoft System Center Configuration Manager (SCCM) database and add the data to the current model.

The task uses a script that is written in Perl and requires the following Perl modules:
- DBI
- DBD::ODBC
- Parallel::ForkManager

Task parameters

The parameters that control Asset Management SCCM tasks are described in the following table.

Basic tab
  Run in: Where to run the data collection.
  SCCM Server IP: The name or IP address of the SCCM database server, in the format <server_name>[:<port_number>] or nnn.nnn.nnn.nnn[:<port_number>]. The default port is […].
  DSN Name: The MSSQL server name in the DSN. This field is retained for backward compatibility only; it is recommended that you use SCCM Server IP. (If you provide values in both fields, the task uses SCCM Server IP.) Note: If the Skybox View Collector is installed on a Linux device, you must configure ODBC support (on page 141) and use this field.
  Username: An SCCM database user name. The format depends on the authentication type: Windows: domain\user; SQL: user
  Password: The SCCM database password for Username.

Advanced tab
  Include only assets in specified file: The full path to a text file containing a list of IP addresses of assets (one per line). The task collects data for assets with the listed IP addresses only.
  Maximum number of assets to collect: The maximum number of assets that the task collects. If this field is left blank or set to 0, all assets are collected.
  Merge assets by Wins name: Specifies whether to merge assets from the same network by name and not by IP address. Select this option when assets do not have fixed IP addresses.

SolarWinds NCM

You can add or update data from a SolarWinds NCM to the current model using an online collection task: Configure the configuration manager server (see page 142) to allow access from Skybox View and create a collection task (see page 142) to collect the data and add it to the model.

Configuring SolarWinds NCM for data collection

To retrieve data from a SolarWinds NCM:
- Skybox View requires read-only access to the configuration manager server

SolarWinds NCM collection tasks

Asset Management SolarWinds NCM tasks retrieve device configuration data from a SolarWinds NCM and add the data to the current model.

Task parameters

The parameters that control Asset Management SolarWinds NCM tasks are described in the following table.

Basic tab
  Run in: Where to run the data collection.
  Management Address: The IP address of the SolarWinds configuration manager server.
  Username: The user name to access the SolarWinds configuration manager server.
  Password: The user's password.
  Port: The port on which the configuration manager server listens. If you change the default port (17778) on the configuration manager server, the Skybox View Collector must have permission to connect to the configuration manager server using HTTPS on the port that you specify.

Advanced tab
  Recency: Collect configurations saved on the configuration manager server in the specified number of days before today.
  Filter By Name: If a full or partial configuration name is provided, only configurations with names matching this string are imported.
  Filter node type: A comma-separated list of device types whose configuration data is imported.
  Collect Routing Information: Specifies whether to retrieve device routing information as well as device configuration data.
  Merge assets by Wins name: Specifies whether to merge assets from the same network by name and not by IP address. Select this option when assets do not have fixed IP addresses.
  Location Hint: The location of the configuration manager server. Note: Use this parameter when different locations use the same set of IP addresses, so that two configuration manager servers at different locations can have the same IP address.

Microsoft Active Directory

You can add or update data from a Microsoft Active Directory database to the current model using an offline file import task: Create and retrieve Active Directory data files, and import their data (see page 143) into the model.

Importing Microsoft Active Directory data

Note: It is recommended that you use an Import Directory task to import the parsed configuration data.

To import Microsoft Active Directory data
1 Create a Tools Script Invocation task (see Script invocation tasks (on page 40)) to run the Skybox View Active Directory collection utility (see Skybox View Active Directory collection utility (on page 144)).
2 Run the task.
3 In the Skybox View Operational Console, create a task and set Task Type to Import Directory (see Import directory tasks (on page 29)).
4 In the Directory field, specify the location of the ixml file created in step 2.
5 Launch the task.

Skybox View Active Directory collection utility

Skybox View includes an Active Directory collection utility that creates an ixml file from a Microsoft Active Directory database. This ixml file can then be imported into Skybox View.

The Skybox View Active Directory collection utility is located in the <Skybox_View_Home>\intermediate\windows\bin\System_Management\ActiveDirectory folder.

Usage
  SkyboxADCollection.exe -u <user_name> -p <password> -h <LDAP_path> [-f <LDAP_filter>] [-o <output_drive_and_directory>]

The Skybox View Active Directory collection utility arguments are described in the following table.

Argument   Value
-u         Domain user name
-p         Password (encrypted after first invocation)
-h         LDAP path to: Global catalog referral (for example, GC://dc=il,dc=skyboxsecurity,dc=com) or LDAP direct access (for example, Ldap://dc=il,dc=skyboxsecurity,dc=com)
-f         LDAP filter
-o         Full path to the output directory

Microsoft WSUS

You can add or update data from a Microsoft WSUS database to the current model using an offline file import task: Configure WSUS (see page 144) to allow access from Skybox View, create and retrieve WSUS data files, and import their data (see page 145) into the model.

Configuring Microsoft WSUS for data collection

To retrieve data from a Microsoft WSUS database:
- The user running the Skybox View WSUS collection utility must be part of the WSUS Administrators group and the WSUS Reporters group
- To run the Skybox View WSUS collection utility remotely, install Windows Server Update Services ([…])

Importing Microsoft WSUS data

Note: It is recommended that you use an Import Directory task to import the parsed configuration data.

To import Microsoft WSUS data
1 Create an ixml file from the WSUS database (see Skybox View WSUS collection utility (on page 145)).
2 In the Skybox View Operational Console, create a task and set Task Type to Import Directory (see Import directory tasks (on page 29)).
3 In the Directory field, specify the location of the ixml file created in step 1.
4 Launch the task.

Skybox View WSUS collection utility

Skybox View includes a WSUS collection utility that creates an ixml file from a Microsoft WSUS database. This ixml file can then be imported into Skybox View.

The Skybox View WSUS collection utility is located in the <Skybox_View_Home>\intermediate\windows\bin\System_Management\WSUS folder.

Note: The WSUS collection utility can only run on a Windows platform. If you are running the Skybox View Server under Linux, save the output file to a location that can be accessed from the Skybox View Server.

Usage
  Locally (on the WSUS server):
    SkyboxWsusCollection.exe -t local -m HostsOnly
  Remotely:
    SkyboxWsusCollection.exe -t remote -h <WSUS_server_ip> -s false -p <port> -m HostsOnly

CiscoWorks

CiscoWorks network management system provides:
- Advanced monitoring of network devices such as routers and firewalls
- Configuration capabilities for the network devices
- Management capabilities that simplify network administration

CiscoWorks keeps a repository of configurations for these network devices. You can export these configurations to files named <device_ip_address>.cfg. The device configuration contained in these files is the equivalent of the information generated by a show conf command.

To import these configuration files from CiscoWorks, use one of the following:
- An Import Collector task (on page 39)
- An Import Advanced task (on page 36) (and set the File Type parameter to Cisco Work Configuration)

HP Software & Solutions (OpenView)

HP Software & Solutions Network Node Manager (NNM) is a comprehensive network management system. It uses various network discovery methods to build a network topology map. The resulting map topology information is stored in a database.

Skybox View supports the import of the topology information as formatted by the ovtopodump utility. From the HP Software & Solutions topology map, Skybox View reads information about networks, gateways, and assets.

The ovtopodump utility, part of every standard HP Software & Solutions NNM installation, dumps the HP Software & Solutions topology database into a formatted text file. To extract the HP Software & Solutions topology information into a formatted file that Skybox View can import, run the following command:
  # ovtopodump -CLlsr > output.txt

You can import the file created by the ovtopodump utility using a file import task (any variant: Basic, Advanced, Collector, or Collector Advanced; see Import tasks (on page 29)). Set the Format or File Type parameter to HPOV Topology Dump.

Symantec Management Suite

Skybox View includes a collector script that retrieves Symantec Management Suite data files. The collector is located at <Skybox_View_Home>\intermediate\bin\collectors\System_Management\symantec\sepmanagementcollection.pl.

For help using the script, run the script without any parameters. For additional help, open a case at the Skybox Security support portal.

Chapter 11 Alerts and vulnerability definition feed tasks

This chapter describes how to add the output of supported alert services to the current model.

In this chapter
- Symantec DeepSight alert services
- VeriSign iDefense alert services

Symantec DeepSight alert services

You can add or update threat alerts from the Symantec DeepSight alert services to the current model using an online collection task: Create an alert service collection task (see page 147) to collect the threat alerts made available by the service and add the data to the model.

Symantec DeepSight collection tasks

Alert Service DeepSight Collection tasks collect DeepSight threat alerts and add or update the relevant vulnerability definitions in the current model. These tasks also update the DeepSight product catalog.

Note: Schedule these tasks to run at a higher frequency than most tasks (such as every hour) to ensure that all alerts are downloaded as soon as they become available.

Task parameters

The parameters that control Alert Service DeepSight Collection tasks are described in the following table.

  Download Recent Alerts Only: Specifies whether to download only alerts added or updated since the last download. If cleared, downloads all content available from the service (including old alerts). Note: The first time that you run the task, all alerts are downloaded, even if Download Recent Alerts Only is selected.
  Download Product Catalog: Specifies whether to download the DeepSight product catalog while downloading the alerts. If Download Recent Alerts Only is selected, only recent products are downloaded. Note: The first time that you run the task, the product catalog is downloaded, even if Download Product Catalog is not selected.

User Authentication
  Username: User name for DeepSight alert services.
  Password: Password for DeepSight alert services.
  DataFeed service version: Select the version of the DeepSight DataFeed service to which you are subscribed.

Note: By default, DeepSight threat alerts are not displayed. To view these alerts, select Tools > Options > Server Options > Threat Alerts Configuration and then select DeepSight.

See also Setting up the vulnerability definition source, in the Skybox Vulnerability Control User's Guide.

VeriSign iDefense alert services

You can add or update threat alerts from the VeriSign iDefense alert services to the current model using an online collection task: Create an alert service collection task (see page 148) to collect the threat alerts made available by the service and add the data to the model.

VeriSign iDefense collection tasks

Alert Service iDefense Collection tasks collect iDefense threat alerts and add or update the relevant vulnerability definitions in the current model. These tasks also update the iDefense product catalog.

Note: Schedule these tasks to run at a higher frequency than most tasks (such as every hour) to ensure that all alerts are downloaded as soon as they become available.

Task parameters

The parameters that control Alert Service iDefense Collection tasks are described in the following table.

  Download only recent alerts: Specifies whether to download only alerts added or updated since the last download. If cleared, downloads all content available from the service (including old alerts). Note: Before running a task of this type for the first time, read the subsection following this table.

Authentication
  Username: User name for iDefense alert services.
  Password: Password for iDefense alert services.

iDefense alert types
  Include MalCode IRs: Specifies whether to collect MalCode Intelligence Reports.
  Include Threat IRs: Specifies whether to collect Threat Intelligence Reports.

Note: By default, iDefense threat alerts are not displayed. To view these alerts, select Tools > Options > Server Options > Threat Alerts Configuration and then select iDefense.

Running an iDefense collection task the first time

By default, the starting date for collection is […] (that is, January 1, 2000). The first time that you run the task, all alerts from this date forward are downloaded, even if Download only recent alerts is selected.

Note: The task can take up to 20 hours to download all the alerts the first time it runs. If you do not need data from so far back, change the starting date by changing the value of the idefense_epoch_date parameter in <Skybox_View_Home>\server\conf\sb_server.properties.

A progress message is displayed for each 10% of the data that is downloaded.

Chapter 12 Network tasks

This chapter describes how to set the parameters of network tasks.

In this chapter
- Network scan tasks
- Topology discovery tasks

Network scan tasks

Network Scan tasks scan selected networks to discover assets, retrieve configurations, map services, and scan for vulnerability occurrences. The processes performed by these tasks are described in Network discovery process (on page 150).

Note: Network Scan tasks are not yet supported if the Skybox View Collector is running on a 64-bit platform.

Task parameters

The parameters that control Network Scan tasks are described in the following table.

Basic tab
  Network Scope: The assets or container entities to be scanned by the task.
  Exclude Scope: Specific assets or container entities to exclude from the scope defined in Network Scope.
  Trace and Scan Route: Specifies whether to find gateways leading to the destination network.
  Discover Configurations: Specifies whether to retrieve configuration and routing information from assets.
  Discover Services: Specifies whether to find open ports and other relevant information (see Network discovery process (on page 150)) and map them to services.
  Vulnerabilities Scanner: Specifies whether to scan for vulnerability occurrences and which vulnerabilities scanner to use.
  Discover Incrementally: Specifies whether basic asset discovery (ping sweep) is executed to discover new assets in the destination network. If selected, any other selected options (Trace and Scan Route, Discover Configurations, Discover Services, or Vulnerabilities Scanner) are only performed on new assets.

Advanced tab
  Location Hint: The location of the scanner. Note: Use this parameter when different locations use the same set of IP addresses, so that two scanners at different locations can have the same IP address.

For additional information about these parameters, see Network discovery process (on page 150).

Network discovery process

When a Network Scan task is run, the operations described in the following table are performed.

Operation: Ping sweep
  Purpose: Find live assets in the destination network
  Invoked: Always
  Result: List of assets (IP addresses) in the destination network

Operation: traceroute
  Purpose: Find gateways leading to the destination network
  Invoked: If Trace And Scan Route selected
  Result: List of gateways (IP addresses), marked as IP forwarding, leading to the destination network

Operation: Platform discovery (Linux)
  Purpose: Determine operating system and platform of destination assets
  Invoked: Always (if port 161/UDP already found open)
  Result: Detect services available for configuration discovery

Operation: Platform discovery (Windows)
  Purpose: Determine operating system and platform of destination assets
  Invoked: Always
  Result: Resolves MS Domain Name, if possible

Operation: Configuration discovery using SNMP
  Purpose: Read network configuration of assets (if port 161/UDP already found open)
  Invoked: If Discover Configurations selected
  Result: Network interfaces and routing table for each asset

Operation: Configuration discovery using telnet/SSH
  Purpose: Read network configuration of Cisco routers and firewalls (if the telnet or SSH port already found open)
  Invoked: If Discover Configurations selected
  Result: Configuration and routing table retrieved from each device

Operation: Port scan
  Purpose: Find open TCP ports on destination assets
  Invoked: If Discover Services selected
  Result: List of open TCP ports to create as services in the model

Operation: Port scan using SNMP
  Purpose: Find open TCP and UDP ports (if port 161/UDP already found open)
  Invoked: If Discover Services selected
  Result: List of open TCP and UDP ports (and their bindings to net interfaces) to create as services in the model

Operation: ONC RPC service detection
  Purpose: Detect all ONC RPC (Sun RPC) programs
  Invoked: If Discover Services selected
  Result: List of ONC RPC programs to create as services in the model

Operation: Banner grabbing
  Purpose: Retrieve text banners from well-known services
  Invoked: If Discover Services selected
  Result: List of banners to map to the product in the Skybox View Vulnerability Dictionary

Operation: Vulnerability scan
  Purpose: Scan using IBM Internet Scanner
  Invoked: If ISS Scanner selected
  Result: IBM Internet Scanner database is updated and scan is imported into model

Operation: Vulnerability scan
  Purpose: Scan detected assets using Nessus
  Invoked: If Nessus Scanner selected
  Result: Scan is imported into model

Topology discovery tasks

Network Topology Discovery tasks detect network topology (networks and the gateways between them). Use Network Topology Discovery tasks when the network scope is unknown. Skybox View collects the IP addresses representing internal or external interfaces of border gateways, or a range of border networks.

Task parameters

The parameters that control Network Topology Discovery tasks are described in the following table.

Basic tab
  Boundary Scope: Limits the scope of the task by defining scopes (container entities) and points (devices) in the network that the task is not allowed to reach or go beyond.
  Network Scope: The (included) scopes of the task, subject to the limitations placed by the Boundary Scope parameter.
  Initial Addresses: The points in the network from which the task starts working. If you type multiple IP addresses, the Skybox View Collector starts to scan from all addresses simultaneously.

Advanced tab
  Location Hint: The location of the destination network. Note: Use this parameter when different locations use the same set of IP addresses, so that two networks at different locations can have the same IP address.

Chapter 13 Analysis tasks

This chapter describes how to set the parameters of the analysis tasks.

In this chapter
- Access requests tasks
- Change tracking tasks
- Exposure tasks
- False positive reduction tasks
- Policy compliance tasks
- Security Metrics calculation tasks
- Shadowed rules tasks
- Vulnerability detection tasks

Access requests tasks

These tasks are relevant when working with Skybox Firewall Assurance, Skybox Change Manager, and Skybox Network Assurance.

Analysis Access Requests tasks reanalyze the results of all access requests (called change requests in Change Manager) in all Access Change tickets. For additional information, see Access Change ticket fields (on page 222).

Task parameters

There are no parameters specific to Analysis Access Requests tasks.

Change tracking tasks

These tasks are relevant only when working with Skybox Firewall Assurance.

Analysis Change Tracking tasks generate change records by comparing the current firewall configuration file with the previous one. Change records describe differences in access rules and firewall objects. These changes can then be viewed in Skybox View. For additional information, see Change tracking, in the Skybox Firewall Assurance User's Guide.

Task parameters

The parameters that control Analysis Change Tracking tasks are described in the following table.

  Firewall Scope: The firewalls or firewall folders for which the task generates change tracking records.

Change tracking and change reconciliation

When change reconciliation is enabled, the task matches the change records with change requests in Access Change tickets. Matching uses the following methods:
- Match the Extracted Ticket ID field of the change record with the External Ticket ID field in the Skybox View ticket

  The extracted ticket ID is the ID of the ticket issued by your organization about the requested change; it is extracted from the comment field of the access rule or firewall object using a regular expression.
- Match the IP addresses and ports of the source and destination of the actual change with those in the change requests in the Access Ticket
  When matching is performed by IP addresses and ports, the results include the percentage of coverage of the change by the change request

For additional information about change tracking and change reconciliation settings, see Change Tracking Settings, in the Skybox View Installation and Administration Guide. For additional information about the Change Reconciliation feature, see Reviewing and reconciling changes, in the Skybox Firewall Assurance User's Guide.

Exposure tasks

These tasks are relevant only when working with Skybox Vulnerability Control.

Analysis Exposure tasks run attack simulations (see the Simulating attacks section in the Skybox Vulnerability Control User's Guide).

Task parameters

The parameters that control Analysis Exposure tasks are described in the following table.

Basic tab
  Calculate Risks: Specifies whether the task calculates exposure status and risks. If this parameter is cleared, attacks are generated and you can view attack maps, but exposure status and risks are not calculated. Note: Only clear this parameter (as a work-around) if severe problems are encountered in the exposure and risk analysis stages of attack simulation.
  Backdoor Exploits Require Vulnerability Occurrences: Specifies whether an attack that exploits a backdoor can be developed only if a backdoor vulnerability occurrence is defined on the service. Note: If this parameter is selected, the existence of a service without a backdoor vulnerability occurrence is not sufficient to develop an attack. Similarly, if the backdoor vulnerability occurrence is marked as fixed (the backdoor was removed), attacks that use the backdoor are blocked in the model, even if the service exists on the asset.
  Simulate Full IP Spoofing: Specifies whether simulated attackers try spoofing their source IP address to all IP addresses. If this parameter is cleared, spoofing is limited to IP addresses in the actual network of the attacker. Note: Full IP spoofing slows the task.

Advanced tab
  Simulation Scope: Limits attack simulation to the scope specified by this parameter. Note: It is recommended to leave this field blank; if a scope is specified, only attacks that are completely inside the scope are reported.

Asset Aggregation Enabled
    Specifies whether asset aggregation is enabled. If asset aggregation is enabled, assets that behave in the same way from an attacker's point of view (for example, the same vulnerability occurrences or the same access) are treated internally by the task as a single node (aggregated). Using this mode improves the performance of the task. Usually, there is no effect on the accuracy of the results.

Workstation Vul Severity
    Workstations whose vulnerability occurrence severity is less than the specified value are not prevented (because of the vulnerability occurrence) from being aggregated into groups of similar workstations.
    Note: The recommended value is Low. (A higher value might improve attack simulation performance when the model includes a large number of vulnerability occurrences, but might decrease the accuracy.)

Workstation Ignore Ports
    A comma-separated list of ports to ignore when checking similarities between workstations to aggregate them into groups.

Ignore List
    Assets that appear in this list of scopes are not aggregated into groups of similar assets.

False positive reduction tasks

These tasks are relevant only when working with Skybox Vulnerability Control.

Analysis False Positive Reduction tasks check whether any vulnerability occurrences in the model that were reported by a scanner are intrinsically false (for example, a Linux vulnerability occurrence reported for a Windows machine). For additional information, see False positive reduction, in the Skybox Vulnerability Control User's Guide.

Task parameters
The parameters that control Analysis False Positive Reduction tasks are described in the following table.

Network Scope
    The network entities or container entities to be analyzed by the task.

Run Only Patch Solver
    Specifies whether to change the status of vulnerability occurrences to False Positive only if a patch that fixes the vulnerability occurrence was applied to the device (without checking for product or version match).

Policy compliance tasks

These tasks are relevant only when working with Skybox Firewall Assurance and Skybox Network Assurance.

Analysis Policy Compliance tasks check whether the network is compliant with your organization's policies.

Task parameters
The parameters that control Analysis Policy Compliance tasks are described in the following table.

Basic tab

Scope
    Specifies whether the task analyzes compliance for Firewall Assurance or for Network Assurance.

Analyze Access Policy
    Specifies whether to analyze Access Compliance.

Policy Scope
    This field is enabled only if Analyze Access Policy is selected.
    The parts of the Access Policies tree (Access Policies, policy folders, policy sections, or specific Access Checks) to be analyzed.

Analyze Rule Policy
    (Firewall Assurance only) Specifies whether to analyze Rule Compliance.

Rule Scope
    This field is enabled only if Analyze Rule Policy is selected.
    The parts of the Rule Policies tree (Rule Policies or specific Rule Checks) to be analyzed.

Analyze Configuration Policy
    Specifies whether to analyze Configuration Compliance.

Configuration Scope
    This field is enabled only if Analyze Configuration Policy is selected.
    The parts of the Configuration Policies tree (policy folders, Configuration Policies, or specific Configuration Checks) to be analyzed.

Advanced tab

Firewall Scope
    This field is displayed only if Scope = Firewall Assurance.
    The firewalls or firewall folders for which compliance is analyzed. If this field is left blank, all firewalls in the All Firewalls list are used.

Network Scope
    This field is displayed only if Scope = Network Assurance.
    The network entities or container entities for which compliance is analyzed. If this field is left blank, all networks in the model are used.

Severity Threshold
    The severity threshold to use when analyzing policies for compliance. Only Access Checks, Rule Checks, and Configuration Checks with at least this severity are checked for compliance.

Analyze Access Queries
    Specifies whether to analyze access queries when analyzing the Access Policy. Access queries are access-related queries that do not affect policy compliance.

Security Metrics calculation tasks

These tasks are relevant only when working with Skybox Vulnerability Control.

Analysis Security Metrics tasks calculate the security metrics scores (see Analyzing the security metrics, in the Skybox Vulnerability Control User's Guide). For suggestions about how often to recalculate the security metrics scores, see Recalculating the security metrics, in the Skybox Vulnerability Control User's Guide.

Task parameters
There are no parameters specific to Analysis Security Metrics tasks.

Shadowed rules tasks

Access rule analysis is relevant only when working with Skybox Firewall Assurance.

Analysis Shadowed Rules tasks analyze the access rules of selected firewalls for:
- Shadowed rules: Access rules shadowed by other rules above them in the rule chain. All traffic that a shadowed rule would match is already handled by an earlier rule, so the shadowed rule never takes effect; a shadowed deny rule is a common sign of a misconfiguration.
- Redundant rules: Access rules covered by rules of the same type below them in the rule chain. A redundant rule can be removed without changing the behavior of the firewall.

For additional information, see Shadowing and redundancy analysis, in the Skybox Firewall Assurance User's Guide.

Task parameters
The parameters that control Analysis Shadowed Rules tasks are described in the following table.

Firewall Scope
    The firewalls or firewall folders to be analyzed by the task.

Vulnerability detection tasks

Skybox Vulnerability Detector creates vulnerability occurrences from data that already exists in the Skybox View model.

Vulnerability detection tasks: patch data

These tasks are relevant when working with all Skybox View products except Skybox Network Assurance.

Analysis Vulnerability Detector tasks detect vulnerability occurrences based on version and patch information (imported from patch management and asset management systems) and add them to the model. For additional information, see Detecting assets and vulnerability occurrences, in the Skybox Vulnerability Control User's Guide.

Note: Since this task does not involve active scanning, you can run it as often as required (such as daily) without disrupting the network.

Task parameters
The parameters that control Analysis Vulnerability Detector tasks are described in the following table.

Basic tab

Network Scope
    The assets to be analyzed by the task (or their container entities).

Service Source
    Specifies whether vulnerability occurrences should only be added to the model for the specified services.

Vulnerability Publication Period
    Specifies whether vulnerability occurrences should only be added to the model for vulnerability definitions that were published within the specified time frame.
    Custom: Select Specific or Relative start and end times.

Do not generate Microsoft Vulnerabilities
    If cleared and Service Source is, for example, SCCM, the task adds vulnerability occurrences to the model for Microsoft vulnerabilities using missing patch information.

Advanced tab

Ignore platform dependency
    Some vulnerability definitions are platform-dependent. However, Skybox View does not always know the device platform. If selected, Skybox View ignores the platform dependency and the vulnerability occurrences are added to the model even though they might not exist. If cleared, vulnerability occurrences corresponding to platform-dependent vulnerability definitions are not added to the model even though they might exist.

Include vulnerability definitions
    Specifies the vulnerability definitions for which vulnerability occurrences are added to the model.

Exclude vulnerability definitions
    Specifies the vulnerability definitions for which vulnerability occurrences are not added to the model.

Vulnerability Severity Threshold
    Specifies whether only vulnerability occurrences with the specified threshold and higher are added to the model. You can select a severity level or type a severity score.

Product Scope
    Specifies whether vulnerability occurrences should only be added to the model for the specified vendors and products. When vendors are selected, all their products are analyzed by the task.

Only Assets with Patch Data
    Specifies whether the task only adds vulnerability occurrences to the model for assets that have patch data.

Vulnerability detection tasks: device configuration

These tasks are relevant only when working with Skybox Firewall Assurance.

Analysis Vulnerability Detector for Network Devices tasks extract vulnerability occurrences from imported firewall configuration data and add the vulnerability occurrences to the model. The vulnerability occurrences can be viewed in the Vulnerability Occurrences tab of the Configuration Compliance section for each firewall. (This can be useful if there is no scanner data available for the firewalls.)

The following devices are currently supported: Juniper NetScreen, Juniper Junos, and Cisco ASA and FWSM firewalls. Additional devices will be supported in future versions.

Note: Since this task does not involve active scanning, you can run it as often as required (such as daily) without disrupting the network.

Task parameters
The parameters that control Analysis Vulnerability Detector for Network Devices tasks are described in the following table.

Basic tab

Network Scope
    The assets to be analyzed by the task (or their container entities).

Vulnerability Publication Period
    Specifies whether vulnerability occurrences should only be added to the model for vulnerability definitions that were published within the specified time frame.
    Custom: Select Specific or Relative start and end times.

Advanced tab

The Advanced tab contains the same parameters as the Advanced tab of Analysis Vulnerability Detector tasks (see Vulnerability detection tasks: patch data, above), with the same meanings: Ignore platform dependency, Include vulnerability definitions, Exclude vulnerability definitions, Vulnerability Severity Threshold, and Product Scope. Only Assets with Patch Data is not available for this task type.

Vulnerability detection tasks: scan data

These tasks are relevant only when working with Skybox Vulnerability Control.

Analysis Vulnerability Detector for Scanners tasks extract vulnerability occurrences from imported scan data and add the vulnerability occurrences to the model. (This can be useful if updates were made to a vulnerability source after you imported scan data: scanning is intrusive and resource-intensive; running a task of this type is neither.) For additional information, see Vulnerability occurrences detection, in the Skybox Vulnerability Control User's Guide.

Data from the following scanners is currently supported:
- Qualys QualysGuard
- McAfee Vulnerability Manager (Foundstone)
Additional scanners will be supported in future versions.

Note: Since this task does not involve active scanning, you can run it as often as required (such as daily) without disrupting the network.

Task parameters
The parameters that control Analysis Vulnerability Detector for Scanners tasks are described in the following table.

Basic tab

Network Scope
    The assets to be analyzed by the task (or their container entities).

Vulnerability Publication Period
    Specifies whether vulnerability occurrences should only be added to the model for vulnerability definitions that were published within the specified time frame.
    Custom: Select Specific or Relative start and end times.

Operation Mode
    Specifies the source of vulnerability definitions for which vulnerability occurrences are added to the model.

Advanced tab

The Advanced tab contains the same parameters as the Advanced tab of Analysis Vulnerability Detector tasks (see Vulnerability detection tasks: patch data, above), with the same meanings: Ignore platform dependency, Include vulnerability definitions, Exclude vulnerability definitions, Vulnerability Severity Threshold, and Product Scope. Only Assets with Patch Data is not available for this task type.
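The two conditions that Analysis Shadowed Rules tasks report (see Shadowed rules tasks, above) can be stated precisely as a coverage relation between rules. The following Python is an added illustration written for this guide, not Skybox View code, and the rule chain in it is constructed. A rule is shadowed when a single earlier rule matches everything it matches, whatever the actions; it is redundant when a later rule with the same action matches everything it matches and no rule with a different action in between could intercept part of its traffic (that intervening-rule check is a refinement the one-line definition above leaves implicit).

```python
"""Shadowing and redundancy analysis over an ordered firewall rule chain.

Added example for this guide (not Skybox View code). The rule chain at the
bottom is constructed; sources and destinations are IPv4 networks and a
service is a (protocol, first_port, last_port) range.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Tuple

Service = Tuple[str, int, int]
ANY_SERVICE: Service = ("any", 0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    src: Tuple[IPv4Network, ...]
    dst: Tuple[IPv4Network, ...]
    services: Tuple[Service, ...]


def rule(name: str, action: str, src, dst, services=(ANY_SERVICE,)) -> Rule:
    """Build a Rule from CIDR strings and service tuples."""
    return Rule(name, action, tuple(ip_network(c) for c in src),
                tuple(ip_network(c) for c in dst), tuple(services))


def _service_covers(outer: Service, inner: Service) -> bool:
    proto_o, lo_o, hi_o = outer
    proto_i, lo_i, hi_i = inner
    return (proto_o == "any" or proto_o == proto_i) and lo_o <= lo_i and hi_i <= hi_o


def _services_overlap(a: Service, b: Service) -> bool:
    same_proto = a[0] == "any" or b[0] == "any" or a[0] == b[0]
    return same_proto and a[1] <= b[2] and b[1] <= a[2]


def _nets_cover(outer, inner) -> bool:
    """Every network in `inner` lies inside some network in `outer`."""
    return all(any(i.subnet_of(o) for o in outer) for i in inner)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (_nets_cover(outer.src, inner.src)
            and _nets_cover(outer.dst, inner.dst)
            and all(any(_service_covers(o, i) for o in outer.services)
                    for i in inner.services))


def intersects(a: Rule, b: Rule) -> bool:
    """True if some packet is matched by both rules."""
    return (any(x.overlaps(y) for x in a.src for y in b.src)
            and any(x.overlaps(y) for x in a.dst for y in b.dst)
            and any(_services_overlap(x, y) for x in a.services for y in b.services))


def shadowed_rules(chain: List[Rule]) -> List[Tuple[str, str]]:
    """(rule, shadowing rule): the rule is fully covered by an earlier rule,
    so it can never match, whatever its action."""
    found = []
    for i, r in enumerate(chain):
        for earlier in chain[:i]:
            if covers(earlier, r):
                found.append((r.name, earlier.name))
                break
    return found


def redundant_rules(chain: List[Rule]) -> List[Tuple[str, str]]:
    """(rule, covering rule): a later rule with the same action covers the rule
    and no rule with a different action in between could take any of its traffic
    first, so removing the rule would not change what the firewall does."""
    found = []
    for i, r in enumerate(chain):
        for later in chain[i + 1:]:
            if later.action != r.action:
                if intersects(r, later):
                    break             # part of r's traffic would change action
                continue
            if covers(later, r):
                found.append((r.name, later.name))
                break
    return found


# Constructed sample chain; an implicit default deny follows the last rule.
SAMPLE_CHAIN = [
    rule("R1", "deny",  ["0.0.0.0/0"],   ["192.168.1.10/32"], [("tcp", 23, 23)]),
    rule("R2", "allow", ["10.1.0.0/16"], ["192.168.1.0/24"],  [("tcp", 80, 80)]),
    rule("R3", "allow", ["10.1.2.0/24"], ["192.168.1.0/24"],  [("tcp", 80, 80)]),
    rule("R4", "allow", ["10.2.0.0/16"], ["192.168.2.0/24"],  [("tcp", 443, 443)]),
    rule("R5", "deny",  ["10.2.5.0/24"], ["192.168.2.0/24"],  [("tcp", 443, 443)]),
    rule("R6", "allow", ["10.3.1.0/24"], ["192.168.3.0/24"],  [("tcp", 22, 22)]),
    rule("R7", "allow", ["10.3.0.0/16"], ["192.168.3.0/24"],  [("tcp", 22, 22)]),
]

if __name__ == "__main__":
    for name, by in shadowed_rules(SAMPLE_CHAIN):
        print(f"{name} is shadowed by {by}")
    for name, by in redundant_rules(SAMPLE_CHAIN):
        print(f"{name} is redundant with {by}")
```

In the sample chain R3 is shadowed by the broader R2, which is merely clutter, but R5 is a deny shadowed by the allow R4 above it: the intended block on 10.2.5.0/24 never takes effect, which is the finding a reviewer should act on first. R6 is redundant with R7 because R7 allows a superset of the same traffic and nothing between them denies any of it; R4 is not redundant with anything because R5 (a deny) sits between R4 and any later allow that might cover it.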
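The Ignore platform dependency parameter of the three Vulnerability Detector task types and the Run Only Patch Solver parameter of Analysis False Positive Reduction tasks (see False positive reduction tasks, above) are two sides of the same decision: how far to trust an occurrence when the model's knowledge of an asset is incomplete. The following Python is an added illustration for this guide, not Skybox View code. Its vulnerability definitions, assets, patch identifiers and scanner findings are constructed and its severity ladder is an assumption; it also reads "ignore platform dependency" as applying only to assets whose platform is unknown to the model (a definition for a known, different platform is still skipped), which is this example's interpretation of the parameter text.

```python
"""Platform dependency and false-positive reduction over a small asset model.

Added example for this guide (not Skybox View code). All definitions, assets,
patch identifiers and scanner findings below are constructed; the severity
ladder is an assumption.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class VulnDefinition:
    catalog_id: str
    product: str
    platform: Optional[str]        # None: platform-independent definition
    severity: str
    fixed_by: FrozenSet[str]       # patch identifiers that remove the vulnerability


@dataclass(frozen=True)
class Asset:
    name: str
    platform: Optional[str]        # None: the model does not know the platform
    products: FrozenSet[str]
    patches: FrozenSet[str]        # installed patches, from patch management data


@dataclass
class Occurrence:
    asset: str
    catalog_id: str
    status: str = "Found"


def detect_occurrences(assets: List[Asset], definitions: List[VulnDefinition], *,
                       ignore_platform_dependency: bool = False,
                       severity_threshold: str = "Low") -> List[Occurrence]:
    """Vulnerability Detector style: derive occurrences from product and patch data."""
    floor = SEVERITY_RANK[severity_threshold]
    found: List[Occurrence] = []
    for asset in assets:
        for d in definitions:
            if SEVERITY_RANK[d.severity] < floor or d.product not in asset.products:
                continue
            if d.fixed_by & asset.patches:
                continue                       # patch data says it is fixed
            if d.platform is not None:
                if asset.platform is None:
                    # Unknown platform: add the occurrence only when told to ignore
                    # the dependency (it may then report something that does not exist).
                    if not ignore_platform_dependency:
                        continue
                elif asset.platform != d.platform:
                    continue                   # known, different platform
            found.append(Occurrence(asset.name, d.catalog_id))
    return found


def reduce_false_positives(findings: List[Occurrence], assets: List[Asset],
                           definitions: List[VulnDefinition], *,
                           run_only_patch_solver: bool = False) -> List[Occurrence]:
    """False Positive Reduction style: mark scanner findings that cannot be real."""
    by_asset = {a.name: a for a in assets}
    by_id = {d.catalog_id: d for d in definitions}
    for occ in findings:
        asset, d = by_asset[occ.asset], by_id[occ.catalog_id]
        if d.fixed_by & asset.patches:
            occ.status = "False Positive"     # patch solver: the fix is already applied
            continue
        if run_only_patch_solver:
            continue                          # no product or platform checks
        platform_mismatch = (d.platform is not None and asset.platform is not None
                             and asset.platform != d.platform)
        if platform_mismatch or d.product not in asset.products:
            occ.status = "False Positive"     # e.g. a Linux finding on a Windows host
    return findings


# Constructed sample data (catalog and patch identifiers are made up).
DEFINITIONS = [
    VulnDefinition("DEF-1", "openssh", "linux", "High", frozenset({"patch-ssh-A"})),
    VulnDefinition("DEF-2", "openssh", None, "Medium", frozenset({"patch-ssh-B"})),
    VulnDefinition("DEF-3", "iis", "windows", "Critical", frozenset({"patch-iis-A"})),
]
ASSETS = [
    Asset("web01", "windows", frozenset({"iis", "openssh"}), frozenset()),
    Asset("bastion", None, frozenset({"openssh"}), frozenset({"patch-ssh-A"})),
    Asset("jump", None, frozenset({"openssh"}), frozenset()),
]


def sample_scanner_findings() -> List[Occurrence]:
    """What a scanner import might have produced (constructed)."""
    return [Occurrence("web01", "DEF-1"), Occurrence("bastion", "DEF-1"),
            Occurrence("web01", "DEF-3")]


if __name__ == "__main__":
    for flag in (False, True):
        occs = detect_occurrences(ASSETS, DEFINITIONS, ignore_platform_dependency=flag,
                                  severity_threshold="Medium")
        print(f"ignore_platform_dependency={flag}: {[(o.asset, o.catalog_id) for o in occs]}")
    for flag in (True, False):
        reduced = reduce_false_positives(sample_scanner_findings(), ASSETS, DEFINITIONS,
                                         run_only_patch_solver=flag)
        print(f"run_only_patch_solver={flag}: {[(o.asset, o.status) for o in reduced]}")
```

With the flag cleared, the host whose platform is unknown ("jump") gets no occurrence for the Linux-only definition even though it may well be vulnerable; with the flag selected it gets one that may be spurious. The false-positive pass shows the mirror image: with Run Only Patch Solver selected, the Linux finding on the Windows host survives because only installed patches are consulted, and it is only the full product and platform check that retires it.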

Chapter 14 Model maintenance tasks

This chapter describes how to set the parameters of model tasks.

In this chapter
- Model completion and validation tasks
- Copy model tasks
- Model integrity tasks
- Outdated entities removal tasks
- Back up model and settings tasks
- Server software update tasks
- Collector software update tasks
- Dictionary update tasks

Model completion and validation tasks

Model Completion and Validation tasks verify that the model is correct and that it has no missing components or objects. For a list of the validation rules that these tasks always check, see Validation rules (on page 162). For additional information, see Overview of validating the model, in the Skybox Vulnerability Control User's Guide.

After running the task, look in the Model Analyses > Model Validation analyses for devices with missing routing tables, disconnected interfaces, and missing next hops. If any data is missing, add it manually.

Task output
You can specify which validation message types (error, warning, or information) are displayed in the Messages tab of the Operational Console while the task is running. All validation messages are written to the validation log file located on the Skybox View Server at <Skybox_View_Home>/server/log/validation.log, regardless of the message types displayed on screen. A new log file is created for each run of a validation task; older log files are renamed with a sequential numeric extension. Although the Messages tab of the Operational Console is limited to 2000 lines of output, the validation log file contains all output of the task.

Task parameters
The parameters that control Model Completion and Validation tasks are described in the following table.

Completion and Cleanup

Convert Perimeter Networks to Clouds
    A perimeter network is a network in the model in which all the next hops of its network interfaces are missing (that is, they lead to gateways that are not in the model). This parameter specifies whether the task converts these perimeter networks to (Perimeter) Clouds. When a perimeter network is converted to a Perimeter Cloud, its IP address ranges (its Cloud Addresses) include all the addresses behind interfaces (ABIs) of its network interfaces.

    For information about ABIs, see Addresses behind network interfaces (on page 333).

Update cloud addresses
    Specifies whether the task recalculates the IP addresses of Perimeter Clouds and Connecting Clouds whose included addresses are marked as Automatic (routing based). The IP addresses are computed based on the ABIs of the network interfaces connected to the cloud.

Update asset assignment to networks and clouds
    Specifies whether the task:
    - Attempts assignment of previously unassigned assets to networks and clouds (since new clouds might have been created and the IP address ranges of some existing clouds might have been updated) by checking whether an IP address of the unassigned asset matches a current network or cloud.
    - Checks whether assets that are part of clouds belong there (that is, whether an IP address of the asset matches the updated address ranges of the clouds). If an asset no longer matches a cloud, it becomes unassigned and an attempt is made to assign it to a network or another cloud, as explained in the previous bullet.
    Note: This option checks only clouds whose Associate Assets Dynamically flag is selected.

Connect incomplete VPN tunnels
    Specifies whether the task attempts to connect incomplete VPN tunnels (where the IP addresses of one or both ends of the tunnel do not match other entities in the model).

Delete empty networks
    Specifies whether to remove empty networks (that is, networks that contain no assets) from the model.

Validation

Check for Connectivity Issues
    Specifies whether the task checks for connectivity issues in the model, such as missing next hops, overlapping networks, and duplicated devices. Connectivity issues are associated with network interfaces of network devices. You can view connectivity issues using analyses of type Network Interface, such as the following analysis in the Model workspace: Model Analyses > Model Validation > Network Interfaces Validation > Interfaces with Connectivity Issues.
    Note: Reviewing connectivity issues on an ongoing basis is very important for keeping the model complete and consistent.
    For a complete list of the checks performed, see Validation rules (on page 162).

Show Error Messages
    Specifies whether to display error messages in the Messages tab of the Operational Console during validation.

Show Warning Messages
    Specifies whether to display warning messages in the Messages tab of the Operational Console during validation.

Show Information Messages
    Specifies whether to display information messages in the Messages tab of the Operational Console during validation.

Access Analyzer Cache

Precalculation
    Specifies whether to precalculate access analysis (and add the results to the cache of the Access Analyzer) for firewalls and routers with many access rules. Precalculation speeds up subsequent queries in the Access Analyzer.

Limitation Type
    Specifies which type of assets have access analysis precalculated for the Access Analyzer cache:
    - No Precalculation
    - Assets with too many access rules
    - Specific Assets

Precalculate devices with more than N access rules
    This field is displayed only if Limitation Type = Assets with too many access rules.
    Specifies the minimum number of access rules per asset for which precalculation is performed.

Precalculate specific devices
    This field is displayed only if Limitation Type = Specific Assets.
    Specifies the devices for which precalculation is performed.

Validation rules

The validation rules that are checked by Model completion and validation tasks (see page 160) are listed in the following table. The severity of each rule is given in parentheses.

Asset
  Asset must have at least one concrete interface (Error)
  Asset must not have two services on the same port (Error)
  Asset must not have more than one operating system (Error)
  Asset must not have more than one platform (Error)
  Forwarding asset (router) must have a routing table (Warning)
  Asset or server must have associated services (Error)
  Netstatus must be set (Warning)
  Asset should have a default gateway (Information)

Network
  Network must have a valid IP address (Error)
  Network must have a valid label (or an empty string) (Warning)
  Network must include at least one interface (Warning)
  Network cannot contain an interface that is outside its range (Error)
  Network that is not empty (that is, does not contain only routers) should have some vulnerability occurrences (Warning)
  Network cannot have two non-virtual or non-load balancer interfaces with the same IP address (Error)

Vulnerability occurrence
  Vulnerability occurrence must be associated with a service (Error)
  Vulnerability definition of vulnerability occurrence must have a valid catalog ID (Error)

Service
  Netstatus must be set (Warning)
  Service must not have duplicate vulnerability occurrences with the same ID (Warning)
  Service must have a valid catalog ID (Error)

Routing rule
  Routing rule must have a destination (Warning)
  Routing rule must have non-null gateways (Warning)
  Routing rule that is attached to an interface must not have more than one gateway (Warning)
  Routing rule must have asset != null (Warning)
  Gateway does not exist in model (Error)
  Gateway asset exists in model, but is not marked as is_forwarding (Error)

Access rule
  Access rules must not contain null in originalruletext (Error)
  If the rule's Unsupported flag is false, none of the following can be null: actiontype, directiontype, firewallservicespace, sourceipspace, targetipspace (Error)
  If asset is filtering, it must have access rules defined (Error)

Asset Group
  Asset group must not be an empty group (Error)

Dependency
  Dependency must have at least one src/dst (Error)

Threat Origin
  Threat Origin must have at least one src (Error)
  Threat Origin must affect at least one application (Error)

Copy model tasks

Model Copy tasks copy a model (Live, What If, or Forensics) to a different model in the database.

Task parameters
The parameters that control Model Copy tasks are described in the following table.

Source Model
    The model from which to copy.

Target Model
    The model to which to copy.
    Note: The existing version of this model in the database is overwritten.

Model integrity tasks

Model Integrity tasks verify (and, if necessary, correct) mappings in the model database between:

- Business Asset Groups and networks
- Vulnerability definition tickets and networks

These mappings cannot be maintained in real time and must be updated (using a Model Integrity task) every time the model is updated. For additional information, see the Model integrity topic in the Skybox Vulnerability Control User's Guide.

Task parameters
There are no parameters specific to Model Integrity tasks.

Outdated entities removal tasks

Model Outdated Removal tasks remove outdated entities, such as assets and services, from the model. Outdated entities are entities that were not changed recently. When a Model Outdated Removal task runs, it compares the last scan time of each entity with the current date and time to establish the entity's age. Entities that reach the specified age are marked as Down (Not Found, for vulnerability occurrences), and older entities are removed from the model.

Task output
All task messages are written to the log file located on the Skybox View Server at <Skybox_View_Home>/server/log/aging/aging.log. A new log file is created for each run of a remove outdated entities task; older log files are renamed with a sequential numeric extension. Although the Messages tab of the Operational Console is limited to 2000 lines of output, the aging log file contains all output of the task.

Task parameters
The parameters that control Model Outdated Removal tasks are described in the following table.

Basic tab

Network Scope
    The network entities or container entities on which to run the task.

Asset
  Down (days)
    The number of days that an asset must be missing from a scan before it is marked as Down.
  Removed (days)
    The number of days that an asset must be missing from a scan before it is removed from the model.

Service
  Down (days)
    The number of days that a service must be missing from a scan before it is marked as Down.
  Removed (days)
    The number of days that a service must be missing from a scan before it is removed from the model.

Vulnerability Occurrence
  Not Found (days)
    The number of days that a vulnerability occurrence must be missing from a scan before it is marked as Not Found.
  Removed (days)
    The number of days that a vulnerability occurrence must be missing from a scan before it is removed from the model.

Advanced tab

Age unassigned assets
    Age for unassigned assets to be removed from the model.

Exclude gateways
    Do not include gateways (or their associated services, vulnerability occurrences, and network interfaces) in the aging process.

Dry run
    Show which entities would be removed from the model using the parameters of the task, without removing them. In a dry run, a list of entities that would be aged by the task is written to the Messages tab of the Operational Console and to aging.log, but the entities are not aged.

Back up model and settings tasks

Backup Model and Settings tasks back up the model and selected settings files. You should save the files created by tasks of this type to an external location in case they are required for disaster recovery (see the Backing up the Skybox View model and settings files topic in the Skybox View Installation and Administration Guide). For information about restoring the model, see the Restoring the Skybox View model topic in the Skybox View Installation and Administration Guide.

Each time a Backup Model and Settings task is run, two files are created:
- <Skybox_View_Home>\data\xml_models\xml_backup_task_<date>--<time>.xmlx
- <Skybox_View_Home>\data\settings_backup\settings_backup_<date>--<time>.zip

To back up the Skybox View model only (for example, to save historical data to load to the Forensics model), select Files > Models > Save (see the Backing up and loading the model topic in the Skybox View Installation and Administration Guide).

Note: You can add a custom list of files and directories to be backed up by these tasks. Specify these files and directories in <Skybox_View_Home>/server/conf/user_backup_list.txt. Instructions and format examples are included in this file.

Task parameters
The parameters that control Backup Model and Settings tasks are described in the following table.
Basic tab

Full Backup
    Specifies whether to make a full backup (back up model, tasks, report definitions, users, system settings, ticket attachments, and recent reports).

Custom Backup
    Specifies whether to make a partial backup based on which of the following parameters are selected.

Save Model
    Specifies whether to back up the model. This field is enabled only if Custom Backup is selected.

Save Tasks and Report Definitions
    Specifies whether to back up tasks and report definitions. This field is enabled only if Custom Backup is selected.

Save Users
    Specifies whether to back up the users. This field is enabled only if Custom Backup is selected.

Save System Settings
    Specifies whether to back up system settings. This field is enabled only if Custom Backup is selected.

Save Ticket Attachments
    Specifies whether to back up ticket attachments. This field is enabled only if Custom Backup is selected.

Save Reports
    Specifies whether to back up recently created reports. This field is enabled only if Custom Backup is selected.

Save Reports from the last (in days)
    Only reports created within the specified number of days are backed up by the task.

Advanced tab

Save Dictionary
    Specifies whether to back up the Skybox View Vulnerability Dictionary.

Server software update tasks

Tools Server Software Update tasks query the Skybox View update management server to see whether an update to Skybox View is available. If an update is available, the task:
1. Downloads the update in the background
2. Adds a notification in the status bar of the Manager window that an update is available
3. Notifies the user at every login until the update is applied

For information about applying the update, see Updating the Server and local components, in the Skybox View Installation and Administration Guide.

Task parameters
There are no parameters specific to Tools Server Software Update tasks.

Collector software update tasks

Tools Collector Software Update tasks send a Skybox View Collector software update to a selected Skybox View Collector. Although the Skybox View Server checks the version of all running Collectors on an hourly basis to see whether they need updating, run a Tools Collector Software Update task if you do not want to wait until the next automatic update or if a Collector was down during the automatic update.

Task parameters
There are no parameters specific to Tools Collector Software Update tasks.

Dictionary update tasks

The Skybox View Vulnerability Dictionary is used only when working with Skybox Vulnerability Control, Skybox Threat Manager, Skybox Firewall Assurance, and Skybox Change Manager.

Dictionary Auto Update tasks update the Vulnerability Dictionary via the internet. For additional information, see Dictionary updates, in the Skybox View Installation and Administration Guide.

The Server or Collector must be able to connect to the internet to use tasks of this type. The connection can be made through a proxy if you do not want your Server or Collector to have a direct connection to the internet.

Task parameters
The parameters that control Dictionary Auto Update tasks are described in the following table.

Update Dictionary Type
    How to collect the Dictionary update file.
    Note: Before running the task for the first time, set the proxy settings that the Dictionary Auto Update task uses in the Options dialog box (select Tools > Options > Server Options > Proxy Settings).
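The Validation rules table above lists what Model Completion and Validation tasks check, and the Show Error Messages, Show Warning Messages, and Show Information Messages parameters decide which of the results reach the Operational Console. The following Python is an added illustration for this guide, not Skybox View code: a small in-memory model (constructed so that every implemented rule fires at least once) and a validator that implements a handful of the listed rules with the severities the table assigns, then filters the messages the way the Show ... Messages parameters do. The rules it does not implement (operating system and platform counts, Netstatus, catalog IDs, and so on) are omitted only for brevity.

```python
"""A few of the model validation rules, with their severities, over a constructed model.

Added example for this guide (not Skybox View code). The networks and assets
below are constructed so that each implemented rule fires at least once.
"""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Message = Tuple[str, str, str]     # (severity, entity, text)


@dataclass(frozen=True)
class Service:
    protocol: str
    port: int


@dataclass(frozen=True)
class Interface:
    ip: IPv4Address
    network: str                   # name of the network the interface is assigned to
    virtual: bool = False


@dataclass(frozen=True)
class RoutingRule:
    destination: IPv4Network
    gateway: IPv4Address


@dataclass
class Asset:
    name: str
    interfaces: List[Interface] = field(default_factory=list)
    services: List[Service] = field(default_factory=list)
    is_forwarding: bool = False
    routing_table: List[RoutingRule] = field(default_factory=list)
    default_gateway: Optional[IPv4Address] = None


@dataclass(frozen=True)
class Network:
    name: str
    cidr: IPv4Network


def validate_model(networks: List[Network], assets: List[Asset]) -> List[Message]:
    msgs: List[Message] = []
    owner_of_ip: Dict[IPv4Address, Asset] = {i.ip: a for a in assets for i in a.interfaces}
    for a in assets:                                       # asset rules
        if not a.interfaces:
            msgs.append(("Error", a.name, "Asset must have at least one concrete interface"))
        seen = set()
        for s in a.services:
            if (s.protocol, s.port) in seen:
                msgs.append(("Error", a.name, f"Asset must not have two services on the same port ({s.protocol}/{s.port})"))
            seen.add((s.protocol, s.port))
        if a.is_forwarding and not a.routing_table:
            msgs.append(("Warning", a.name, "Forwarding asset (router) must have a routing table"))
        if a.default_gateway is None:
            msgs.append(("Information", a.name, "Asset should have a default gateway"))
        for r in a.routing_table:                          # routing rule rules
            gw = owner_of_ip.get(r.gateway)
            if gw is None:
                msgs.append(("Error", a.name, f"Gateway {r.gateway} does not exist in model"))
            elif not gw.is_forwarding:
                msgs.append(("Error", a.name, f"Gateway asset {gw.name} exists in model, but is not marked as is_forwarding"))
    for n in networks:                                     # network rules
        members = [(a, i) for a in assets for i in a.interfaces if i.network == n.name]
        if not members:
            msgs.append(("Warning", n.name, "Network must include at least one interface"))
        first_owner: Dict[IPv4Address, str] = {}
        for a, i in members:
            if i.ip not in n.cidr:
                msgs.append(("Error", n.name, f"Network cannot contain an interface that is outside its range ({a.name} {i.ip})"))
            if i.virtual:
                continue
            if i.ip in first_owner:
                msgs.append(("Error", n.name, f"Network cannot have two non-virtual interfaces with the same IP address ({i.ip}: {first_owner[i.ip]}, {a.name})"))
            else:
                first_owner[i.ip] = a.name
    return msgs


def filter_messages(msgs, *, show_errors=True, show_warnings=True, show_information=True):
    """What the Show Error/Warning/Information Messages parameters let through."""
    shown = {"Error": show_errors, "Warning": show_warnings, "Information": show_information}
    return [m for m in msgs if shown[m[0]]]


def count_by_severity(msgs) -> Dict[str, int]:
    return dict(Counter(m[0] for m in msgs))


def _iface(ip: str, network: str, virtual: bool = False) -> Interface:
    return Interface(ip_address(ip), network, virtual)


# Constructed sample model.
SAMPLE_NETWORKS = [Network("DMZ", ip_network("192.168.1.0/24")),
                   Network("Core", ip_network("10.0.0.0/24")),
                   Network("Unused", ip_network("172.16.0.0/24"))]
SAMPLE_ASSETS = [
    Asset("fw1", [_iface("192.168.1.1", "DMZ"), _iface("10.0.0.1", "Core")], is_forwarding=True,
          routing_table=[RoutingRule(ip_network("0.0.0.0/0"), ip_address("10.0.0.254")),
                         RoutingRule(ip_network("172.16.0.0/24"), ip_address("10.0.0.20"))],
          default_gateway=ip_address("10.0.0.254")),
    Asset("rtr1", [_iface("10.0.0.2", "Core")], is_forwarding=True),
    Asset("web01", [_iface("192.168.1.10", "DMZ")],
          services=[Service("tcp", 80), Service("tcp", 443), Service("tcp", 443)],
          default_gateway=ip_address("192.168.1.1")),
    Asset("web02", [_iface("192.168.1.10", "DMZ")], services=[Service("tcp", 80)],
          default_gateway=ip_address("192.168.1.1")),
    Asset("db01", [_iface("10.0.0.20", "Core"), _iface("192.168.5.5", "Core")],
          default_gateway=ip_address("10.0.0.1")),
    Asset("orphan"),
]

if __name__ == "__main__":
    for sev, entity, text in filter_messages(validate_model(SAMPLE_NETWORKS, SAMPLE_ASSETS)):
        print(f"{sev:<11} {entity:<8} {text}")
```

Run on the sample model, the validator reports six errors (a gateway that is not in the model, a gateway that is in the model but not forwarding, a duplicated service port, an asset with no interface, a duplicated IP address in DMZ, and an interface assigned to Core with an address outside it), two warnings, and two information messages; clearing show_information drops the last two, which is exactly what clearing Show Information Messages does for the Operational Console while validation.log keeps everything.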
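Model Outdated Removal tasks (see Outdated entities removal tasks, above) apply two thresholds per entity type, skip gateways and what hangs off them when Exclude gateways is set, and only report in a dry run. The following Python is an added illustration for this guide, not Skybox View code. Its entities, thresholds and reference time are constructed, and it assumes that removing an asset also removes the services and vulnerability occurrences attached to it, which the parameter descriptions above do not spell out.

```python
"""Aging of outdated model entities, with gateway exclusion and dry run.

Added example for this guide (not Skybox View code). The entities, thresholds
and reference time are constructed; removing an asset also removes its services
and vulnerability occurrences (an assumption, not stated by the guide).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# (mark after N days, remove after N days) per entity type, as on the Basic tab.
DEFAULT_THRESHOLDS: Dict[str, Tuple[int, int]] = {
    "asset": (7, 30), "service": (7, 30), "vulnerability_occurrence": (7, 30)}
MARKED_STATUS = {"asset": "Down", "service": "Down", "vulnerability_occurrence": "Not Found"}


@dataclass
class Entity:
    kind: str                      # "asset", "service" or "vulnerability_occurrence"
    name: str
    last_scan: datetime
    parent: Optional[str] = None   # owning asset for services and occurrences
    is_gateway: bool = False
    status: str = "Up"


def age_model(entities: List[Entity], now: datetime,
              thresholds: Dict[str, Tuple[int, int]] = DEFAULT_THRESHOLDS, *,
              exclude_gateways: bool = True, dry_run: bool = False) -> Tuple[List[Entity], List[str]]:
    """Return (entities left in the model, log lines). In a dry run nothing is
    changed and the log describes what would happen."""
    gateways = {e.name for e in entities if e.kind == "asset" and e.is_gateway}
    removed: Set[str] = set()
    log: List[str] = []
    mark_verb, remove_verb = ("would mark", "would remove") if dry_run else ("marked", "removed")

    # Assets first, so that the children of a removed asset are seen after it.
    for e in sorted(entities, key=lambda x: x.kind != "asset"):
        owner = e.name if e.kind == "asset" else e.parent
        if exclude_gateways and owner in gateways:
            continue                                   # Exclude gateways
        if e.kind != "asset" and owner in removed:
            removed.add(e.name)
            log.append(f"{remove_verb} {e.kind} {e.name} (owner {owner} removed)")
            continue
        age_days = (now - e.last_scan).days
        mark_after, remove_after = thresholds[e.kind]
        if age_days >= remove_after:
            removed.add(e.name)
            log.append(f"{remove_verb} {e.kind} {e.name} (age {age_days} days)")
        elif age_days >= mark_after:
            log.append(f"{mark_verb} {e.kind} {e.name} as {MARKED_STATUS[e.kind]} (age {age_days} days)")
            if not dry_run:
                e.status = MARKED_STATUS[e.kind]
    if dry_run:
        return list(entities), log
    return [e for e in entities if e.name not in removed], log


NOW = datetime(2015, 6, 30, tzinfo=timezone.utc)   # constructed reference time


def sample_entities() -> List[Entity]:
    """Constructed model; the numbers are days before NOW."""
    def seen(days_ago: int) -> datetime:
        return NOW - timedelta(days=days_ago)
    return [
        Entity("asset", "gw1", seen(100), is_gateway=True),
        Entity("service", "gw1:tcp/22", seen(100), parent="gw1"),
        Entity("asset", "host-a", seen(3)),
        Entity("service", "host-a:tcp/80", seen(10), parent="host-a"),
        Entity("vulnerability_occurrence", "host-a:vo-1", seen(10), parent="host-a"),
        Entity("asset", "host-b", seen(12)),
        Entity("asset", "host-c", seen(45)),
        Entity("service", "host-c:tcp/443", seen(20), parent="host-c"),
    ]


if __name__ == "__main__":
    remaining, log = age_model(sample_entities(), NOW, dry_run=True)
    print("\n".join(log))
    print(f"{len(remaining)} entities would remain")
```

With the default thresholds the gateway and its service are untouched even though they are the oldest entities, host-b and the two entities under host-a are marked rather than removed, and host-c goes together with its service although the service itself is only 20 days old. Running the same parameters with dry_run=True leaves all eight entities and their statuses as they were and only writes the "would ..." lines, which is the check to do before lowering a Removed (days) value on a production model.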

Chapter 15 Report and ticket tasks

This chapter describes how to set the parameters of report (including CSV export) and ticket tasks.

In this chapter
- Report generation tasks
- Ticket generation tasks
- CSV access rule review export tasks
- CSV analysis export tasks
- CSV change tracking export tasks
- CSV compliance results export tasks
- CSV Configuration Compliance export tasks
- CSV firewall assurance export tasks
- CSV optimization and cleanup export tasks
- CSV security metrics export tasks
- Qualys format XML vulnerability occurrences export tasks

Report generation tasks

Report Auto Generation tasks generate a report from a report definition. For additional information, see Automating reports (on page 240).

Task parameters
The parameters that control Report Auto Generation tasks are described in the following table.

Report Definition
    The report definition from which to generate the report, selected from a list of report definitions that already exist.

Ticket generation tasks

Tickets Auto Generation tasks check all ticket rules. A task of this type:
1. Checks whether tickets should be generated.
2. Generates any necessary tickets.
3. Handles the ticket details (for example, designating an assignee if possible and activating an alert if required).

For additional information about working with tickets, see Tickets and workflow, in the Skybox Vulnerability Control User's Guide.

Task parameters
There are no parameters specific to Tickets Auto Generation tasks.

CSV access rule review export tasks

These tasks are relevant only when working with Skybox Firewall Assurance or Skybox Network Assurance.

169 CSV Access Rules Review Export tasks save access rule review results to a CSV file. Chapter 15 Report and ticket tasks When using Skybox Firewall Assurance, you can save results for firewalls and firewall folders. When using Skybox Network Assurance, you can save results for all or part of your organization s network. Each time a CSV Access Rules Review Export task is run, a file named access_rules_review_<scope>--<time>.csv is created in the specified directory. Task parameters The parameters that control CSV Access Rules Audit Export tasks are described in the following table. Scope Type Firewall Assurance Network Assurance Selected CSV Columns The type of results to export. This field is enabled only if Scope Type = Firewall Assurance. The firewalls for which to export Configuration Compliance results. This field is enabled only if Scope Type = Network Assurance. The parts of your organization s network for which to export Configuration Compliance results. Specify what information to save in the output file, and its order in each row. Click the Browse button to open the Selected CSV Columns dialog box. Export File Properties Directory Timestamp Row Count Limit Header Row Encoding The directory under <Skybox_View_Home> where the output file is saved. Specifies whether to add a timestamp to each row of the output file. The maximum number of rows to output to the CSV file. Specifies whether to add a header row to the output file. The character set to be used for encoding the output file. Mail to Recipients Skybox View Users External s Compress File The Skybox View users who receive the output file as an attachment. External users (represented by a comma-separated list of addresses) who receive the output file as an attachment. Specifies whether recipients should receive the output file in compressed (ZIP) format. 
CSV analysis export tasks

These tasks are relevant only when working with Skybox Vulnerability Control, Skybox Firewall Assurance, and Skybox Network Assurance. In Skybox Firewall Assurance and Skybox Network Assurance, CSV analysis export is available only for model analyses.

CSV Analysis Export tasks save information from a specific analysis to a CSV file.

Each time a CSV Analysis Export task is run, a file named <analysis_name>_<date>--<time>.csv is created in the specified directory.

Task parameters

The parameters that control CSV Analysis Export tasks are described in the following table.

  Analysis Definition: The analysis whose results are exported.
  Directory: The directory under <Skybox_View_Home> where the output file is saved.
  Encoding: The character set to be used for encoding the output file.
  Row Count Limit: The maximum number of rows to output to the CSV file.
  Timestamp: Specifies whether to add a timestamp to each row of the output file.
  Header Row: Specifies whether to add a header row to the output file.
  Mail to Recipients
    Skybox View Users: The Skybox View users who receive the output file as an attachment.
    External E-mails: External users (represented by a comma-separated list of e-mail addresses) who receive the output file as an attachment.
    Compress File: Specifies whether recipients should receive the output file in compressed (ZIP) format.

CSV change tracking export tasks

These tasks are relevant only when working with Skybox Firewall Assurance.

CSV Change Tracking Export tasks save to a CSV file the changes made to access rules and firewall objects within a specific time period.

Each time a CSV Change Tracking Export task is run, a file named change_tracking_<firewall_name>_<date>--<time>.csv is created in the specified directory.

Note: If you select more than one firewall, the firewall names are not included.

Task parameters

The parameters that control CSV Change Tracking Export tasks are described in the following table.

  Firewall Assurance Scope: The firewalls or firewall folders to include in the output file.
  Change Tracking Period: The time period for the changes included in the output file. Custom: Select Specific or Relative start and end times.
  Selected CSV Columns: Specify what information to save in the output file, and its order in each row. Click the Browse button to open the Selected CSV Columns dialog box.
  Export File Properties
    Directory: The directory under <Skybox_View_Home> where the output file is saved.
    Timestamp: Specifies whether to add a timestamp to each row of the output file.
    Row Count Limit: The maximum number of rows to output to the CSV file.
    Header Row: Specifies whether to add a header row to the output file.
    Encoding: The character set to be used for encoding the output file.
  Mail to Recipients
    Skybox View Users: The Skybox View users who receive the output file as an attachment.
    External E-mails: External users (represented by a comma-separated list of e-mail addresses) who receive the output file as an attachment.
    Compress File: Specifies whether recipients should receive the output file in compressed (ZIP) format.

CSV compliance results export tasks

These tasks are relevant only when working with Skybox Firewall Assurance or Skybox Network Assurance.

CSV Compliance Results Export tasks save compliance results to a CSV file.

When using Skybox Firewall Assurance, you can save results for firewalls and firewall folders and for all or part of the Access (or Rule) Policy. When using Skybox Network Assurance, you can save results for all or part of the Access Policy.

Each time a CSV Compliance Results Export task is run, a file named <compliance_type>_<scope>_<date>--<time>.csv is created in the specified directory.

Task parameters

The parameters that control CSV Compliance Results Export tasks are described in the following table.

  Type: The type of results to export.
  Firewall Assurance Scope: This field is enabled only if Type = Firewall Access Compliance or Type = Firewall Rule Compliance. The firewalls for which to export compliance results.
  Selected Firewall Assurance CSV Columns: This field is enabled only if Type = Firewall Access Compliance. Specify what information to save in the output file, and its order in each row. Click the Browse button to open the Selected CSV Columns dialog box.
  Access Policy Scope: This field is enabled only if Type = Network Assurance or Type = Firewall Access Compliance. The parts of the Access Policy (policy folders, policy sections, or specific Access Checks) for which to export compliance results.
  Selected Network Assurance CSV Columns: This field is enabled only if Type = Network Assurance. Specify what information to save in the output file, and its order in each row. Click the Browse button to open the Selected CSV Columns dialog box.
  Rule Policy Scope: This field is enabled only if Type = Firewall Rule Compliance. The parts of the Rule Policy for which to export compliance results.
  Violations Scope: This field is enabled only if Type = Firewall Rule Compliance. Specifies whether to include only Rule Policy violations or all tests in the output file.
  Selected Rule Compliance CSV Columns: This field is enabled only if Type = Firewall Rule Compliance. Specify what information to save in the output file, and its order in each row. Click the Browse button to open the Selected CSV Columns dialog box.
  Export File Properties
    Directory: The directory under <Skybox_View_Home> where the output file is saved.
    Timestamp: Specifies whether to add a timestamp to each row of the output file.
    Row Count Limit: The maximum number of rows to output to the CSV file.
    Header Row: Specifies whether to add a header row to the output file.
    Encoding: The character set to be used for encoding the output file.
  Mail to Recipients
    Skybox View Users: The Skybox View users who receive the output file as an attachment.
    External E-mails: External users (represented by a comma-separated list of e-mail addresses) who receive the output file as an attachment.
    Compress File: Specifies whether recipients should receive the output file in compressed (ZIP) format.

CSV Configuration Compliance export tasks

These tasks are relevant only when working with Skybox Firewall Assurance or Skybox Network Assurance.

CSV Configuration Compliance Export tasks save Configuration Compliance results to a CSV file.

When using Skybox Firewall Assurance, you can save results for firewalls and firewall folders, for all or some of the available Configuration Policies. When using Skybox Network Assurance, you can save results for all or some of the available Configuration Policies and all or part of your organization's network.

Each time a CSV Configuration Compliance Export task is run, a file named <compliance_type>_<scope>_<date>--<time>.csv is created in the specified directory.

Task parameters

The parameters that control CSV Configuration Compliance Export tasks are described in the following table.

  Type: The type of results to export.
  Device Scope: This field is enabled only if Type = Firewall Assurance. The firewalls for which to export Configuration Compliance results.
  Policy Scope: This field is enabled only if Type = Network Assurance. The parts of the Configuration Policies (policy folders, policies, or specific Configuration Checks) for which to export compliance results.
  Network Assurance Scope: This field is enabled only if Type = Network Assurance. The parts of your organization's network for which to export Configuration Compliance results.
  Selected CSV Columns: Specify what information to save in the output file, and its order in each row. Click the Browse button to open the Selected CSV Columns dialog box.
  Export File Properties
    Directory: The directory under <Skybox_View_Home> where the output file is saved.
    Timestamp: Specifies whether to add a timestamp to each row of the output file.
    Row Count Limit: The maximum number of rows to output to the CSV file.
    Header Row: Specifies whether to add a header row to the output file.
    Encoding: The character set to be used for encoding the output file.
  Mail to Recipients
    Skybox View Users: The Skybox View users who receive the output file as an attachment.
    External E-mails: External users (represented by a comma-separated list of e-mail addresses) who receive the output file as an attachment.
    Compress File: Specifies whether recipients should receive the output file in compressed (ZIP) format.

CSV firewall assurance export tasks

These tasks are relevant only when working with Skybox Firewall Assurance.

CSV Firewall Assurance tasks save firewall summary information from selected firewalls to a CSV file.

Each time a CSV Firewall Assurance task is run, a file is created in the specified directory:
  If all firewalls are selected, the file is named fw_summary_all_firewalls_<date>--<time>.csv
  If one firewall is selected, the file is named fw_summary_<firewall_name>_<firewall_ip_address>_<date>--<time>.csv
  If more than one firewall is selected, the file is named fw_summary_<date>--<time>.csv

Task parameters

The parameters that control CSV Firewall Assurance tasks are described in the following table.

  Firewall Assurance Scope: The firewalls or firewall folders whose data is exported.
  Exported Information: The type of information to export to the output file. Currently, the only value is Firewall Summary.
  Change Tracking Period: The time period of the data to export to the output file. Custom: Select Specific or Relative start and end times.
  Selected CSV Columns: Specify what information to save in the output file, and its order in each row. Click the Browse button to open the Selected CSV Columns dialog box.
  Export File Properties
    Directory: The directory under <Skybox_View_Home> where the output file is saved.
    Timestamp: Specifies whether to add a timestamp to each row of the output file.
    Row Count Limit: The maximum number of rows to output to the CSV file.
    Header Row: Specifies whether to add a header row to the output file.
    Encoding: The character set to be used for encoding the output file.
  Mail to Recipients
    Skybox View Users: The Skybox View users who receive the output file as an attachment.
    External E-mails: External users (represented by a comma-separated list of e-mail addresses) who receive the output file as an attachment.
    Compress File: Specifies whether recipients should receive the output file in compressed (ZIP) format.

CSV optimization and cleanup export tasks

These tasks are relevant only when working with Skybox Firewall Assurance.

CSV Optimization and Cleanup Export tasks save optimization and cleanup information (either shadowed and redundant rules, or rule usage data) from selected firewalls to a CSV file.

Each time a CSV Optimization and Cleanup Export task is run, a file is created in the specified directory:
  For rule usage results, the file is named <fw_rule_usage>_<firewall_name>_<date>--<time>.csv
  For shadowed and redundant rules, the file is named <fw_shadowed_rules>_<firewall_name>_<date>--<time>.csv

Note: If you select more than one firewall as the scope, the firewall names are not included in the file name.

Task parameters

The parameters that control CSV Optimization and Cleanup Export tasks are described in the following table.

  Firewall Assurance Scope: The firewalls or firewall folders whose data is exported.
  Export Redundant and Shadowed Rules: Specifies whether the output file is to contain information about shadowed and redundant rules.
  Export Rule Usage: Specifies whether the output file is to contain rule usage data.
  Global Rules and Objects: This field is enabled only if Export Rule Usage is selected. Specifies whether, when global rules and objects are used in the firewall, all the information for each rule or object is consolidated to a single line in the output file.
  Export Rule Usage with Trace Data: Specifies whether the output file is to contain rule usage data and also detailed rule usage trace data.
  Global Rules: This field is enabled only if Export Rule Usage with Trace Data is selected. Specifies whether, when global rules are used in the firewall, all the information for each rule is consolidated to a single line in the output file.
  Selected Redundant and Shadowed CSV Columns: This field is enabled only if Export Redundant and Shadowed Rules is selected. Specify what information to save in the output file, and its order in each row. Click the Browse button to open the Selected Redundant and Shadowed CSV Columns dialog box.
  Selected Rule Usage CSV Columns: This field is enabled only if Export Rule Usage is selected. Specify what information to save in the output file, and its order in each row. Click the Browse button to open the Selected Rule Usage CSV Columns dialog box.
  Selected Rule Usage with Trace Data CSV Columns: This field is enabled only if Export Rule Usage with Trace Data is selected. Specify what information to save in the output file, and its order in each row. Click the Browse button to open the Selected Rule Usage with Trace Data CSV Columns dialog box.
  Period: The time period of the data to export to the output file. Custom: Select Specific or Relative start and end times.
  Export File Properties
    Directory: The directory under <Skybox_View_Home> where the output file is saved.
    Timestamp: Specifies whether to add a timestamp to each row of the output file.
    Row Count Limit: The maximum number of rows to output to the CSV file.
    Header Row: Specifies whether to add a header row to the output file.
    Encoding: The character set to be used for encoding the output file.
  Mail to Recipients
    Skybox View Users: The Skybox View users who receive the output file as an attachment.
    External E-mails: External users (represented by a comma-separated list of e-mail addresses) who receive the output file as an attachment.
    Compress File: Specifies whether recipients should receive the output file in compressed (ZIP) format.

CSV security metrics export tasks

These tasks are relevant only when working with the Security Metrics feature of Skybox Vulnerability Control.
CSV Security Metrics export tasks save the security metrics information of a Business Unit or Business Asset Group to a CSV file.

Each time a CSV Security Metrics export task is run, a file named security_profile_<business_asset_group_name|Business_Unit_name>_<date>--<time>.csv is created in the specified directory.

Task parameters

The parameters that control CSV Security Metrics export tasks are described in the following table.

  Security Metric Type: The type of security metrics information to export.
  Business unit: The Business Unit or Business Asset Group for which to export the security metrics information.
  Selected CSV Columns: Specify what information to save in the output file, and its order in each row. Click the Browse button to open the Selected CSV Columns dialog box.
  Export File Properties
    Directory: The directory under <Skybox_View_Home> where the output file is saved.
    Timestamp: Specifies whether to add a timestamp to each row of the output file.
    Row Count Limit: The maximum number of rows to output to the CSV file.
    Header Row: Specifies whether to add a header row to the output file.
    Encoding: The character set to be used for encoding the output file.
  Mail to Recipients
    Skybox View Users: The Skybox View users who receive the output file as an attachment.
    External E-mails: External users (represented by a comma-separated list of e-mail addresses) who receive the output file as an attachment.
    Compress File: Specifies whether recipients should receive the output file in compressed (ZIP) format.

Qualys format XML vulnerability occurrences export tasks

These tasks are relevant only when working with Skybox Vulnerability Control.

XML Vulnerability Occurrence (Qualys Format) Export tasks save information from a specific vulnerability occurrences analysis to an XML file in Qualys format.

Each time an XML Vulnerability Occurrence (Qualys Format) Export task is run, a file named <analysis_name>_<date>--<time>.xml is created in the specified directory.

Task parameters

The parameters that control XML Vulnerability Occurrence (Qualys Format) Export tasks are described in the following table.

  Analysis Definition: The vulnerability occurrences analysis whose results are exported.
  Directory: The directory under <Skybox_View_Home> where the output file is saved.
  Encoding: The character set to be used for encoding the output file.
  Row Count Limit: The maximum number of rows to output to the XML file.
  Timestamp: Specifies whether to add a timestamp to each row of the output file.
  Mail to Recipients
    Skybox View Users: The Skybox View users who receive the output file as an attachment.
    External E-mails: External users (represented by a comma-separated list of e-mail addresses) who receive the output file as an attachment.
    Compress File: Specifies whether recipients should receive the output file in compressed (ZIP) format.
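The export tasks in this chapter each write files with a fixed name pattern, so a script that collects the export directory (for archiving or for feeding the CSV/XML into another system) can tell which task produced a file and for which scope. The Python below is an added example, not part of Skybox View; it assumes that the <date> and <time> tokens contain no underscore and no "--" (they are kept as opaque strings because their format is not documented here), that the literal prefixes fw_rule_usage and fw_shadowed_rules are the ones shown in angle brackets above, and that a file without a known prefix is an analysis export.

```python
"""Recognize Skybox View export file names (constructed example, not Skybox code).

Documented shapes (see the task descriptions above):
  access_rules_review_<scope>--<time>.csv                 (no <date> token)
  <analysis_name>_<date>--<time>.csv | .xml               (CSV Analysis / Qualys XML)
  change_tracking_<firewall_name>_<date>--<time>.csv
  fw_summary_all_firewalls_<date>--<time>.csv
  fw_summary_<firewall_name>_<firewall_ip_address>_<date>--<time>.csv
  fw_summary_<date>--<time>.csv                           (several firewalls)
  fw_rule_usage_<firewall_name>_<date>--<time>.csv
  fw_shadowed_rules_<firewall_name>_<date>--<time>.csv
  security_profile_<business_asset_group_name|Business_Unit_name>_<date>--<time>.csv
Assumption: <date> and <time> contain no underscore and no "--"; their exact
format is not documented here, so they are kept as opaque strings.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Fixed prefixes of the CSV tasks. An analysis export whose analysis name
# happens to start with one of these would be misclassified; name analyses accordingly.
KNOWN_PREFIXES = {
    "access_rules_review": "CSV Access Rules Review Export",
    "change_tracking": "CSV Change Tracking Export",
    "fw_summary": "CSV Firewall Assurance",
    "fw_rule_usage": "CSV Optimization and Cleanup Export (rule usage)",
    "fw_shadowed_rules": "CSV Optimization and Cleanup Export (shadowed and redundant rules)",
    "security_profile": "CSV Security Metrics Export",
}
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class ExportFile:
    task: str                         # which export task produced the file
    scope: Optional[str]              # firewall / asset group / analysis name; None if absent
    date: Optional[str]               # opaque <date> token; None for access rules review files
    time: str                         # opaque <time> token
    ip_address: Optional[str] = None  # set only for single-firewall fw_summary files


def _split_scope_date(rest: str) -> Tuple[Optional[str], str]:
    """Split '<scope>_<date>' on the last underscore, so scope names that themselves
    contain underscores stay intact. No underscore means there is no scope."""
    scope, sep, date = rest.rpartition("_")
    return (scope if sep else None), (date if sep else rest)


def parse_export_filename(name: str) -> Optional[ExportFile]:
    """Return the parsed file name, or None if it is not a documented export name."""
    base, _, ext = name.rpartition(".")
    if ext not in ("csv", "xml") or "--" not in base:
        return None
    stem, _, time_token = base.rpartition("--")
    for prefix, task in KNOWN_PREFIXES.items():
        if ext != "csv" or not stem.startswith(prefix + "_"):
            continue
        rest = stem[len(prefix) + 1:]
        if prefix == "access_rules_review":
            return ExportFile(task, rest or None, None, time_token)  # no <date> token
        scope, date = _split_scope_date(rest)
        if prefix == "fw_summary" and scope and scope != "all_firewalls":
            # One firewall selected: the scope carries <firewall_name>_<firewall_ip_address>.
            fw_name, sep, tail = scope.rpartition("_")
            if sep and IPV4_RE.match(tail):
                return ExportFile(task, fw_name, date, time_token, ip_address=tail)
        return ExportFile(task, scope, date, time_token)
    # No known prefix: an analysis export; .xml means the Qualys-format task.
    scope, date = _split_scope_date(stem)
    task = ("XML Vulnerability Occurrence (Qualys Format) Export" if ext == "xml"
            else "CSV Analysis Export")
    return ExportFile(task, scope, date, time_token)


def group_by_task(names: List[str]) -> Dict[str, List[ExportFile]]:
    """Group a directory listing by the task that produced each file, skipping
    names that match no documented pattern."""
    groups: Dict[str, List[ExportFile]] = {}
    for name in names:
        parsed = parse_export_filename(name)
        if parsed is not None:
            groups.setdefault(parsed.task, []).append(parsed)
    return groups


if __name__ == "__main__":
    # Constructed sample listing of an export directory.
    sample = [
        "fw_summary_edge-fw1_10.0.0.1_20240101--120000.csv",
        "fw_summary_all_firewalls_20240101--120000.csv",
        "change_tracking_core_fw_20240101--120000.csv",
        "Exposed_Vulnerabilities_20240101--120000.xml",
        "access_rules_review_All_Firewalls--120000.csv",
        "notes.txt",
    ]
    for task, files in group_by_task(sample).items():
        print(task, [(f.scope, f.ip_address, f.date) for f in files])
```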

Part II: Analyses

This part describes how to set the parameters of Skybox View analyses.

Chapter 16 Managing analyses

A Skybox View analysis is a query about a type of entity in your network, such as assets, Business Asset Groups, Threat Origins, networks, or vulnerability occurrences. Each time an analysis is selected, Skybox View checks all entities of the selected type to see whether they meet the specified criteria. Entities that meet all criteria specified in the analysis are listed in the Table pane.

Analyses are configured using the Analysis Properties dialog box.

In this chapter
  Types of analyses
  Setting analysis parameters
  Analysis Properties dialog box
  Customizing the display of an analysis

Types of analyses

Skybox View includes the types of analyses listed in the following table.

Analysis type: Displays a list of...

Model workspace (all products)
  Assets validation (on page 204): Assets, including servers, gateways, and workstations. For each asset, you can see its name, primary IP address, operating system and platform information, and network status. You can view asset information in the context of risk in the Exposure workspace (see Assets analyses (on page 183)).
  Network interfaces validation (on page 206): Network interfaces. These analyses are used to complete and fix the network model. For example, use them to find network interfaces with missing next hops, to help identify edges of the model, and to help discover missing networks. For each network interface, you can see its IP address, location path, and discovery method.
  Networks validation (on page 209): Networks. Networks validation analyses check for problems in networks, typically to verify whether they were imported correctly. For each network, you can see its IP address, location path, and discovery method. To view network information in the context of risk, use the Exposure workspace (see Networks analyses (on page 189)).

Tickets workspace (all products)
  Tickets (on page 214): Tickets. For each ticket, you can see the ticket ID, ticket type, title, asset, vulnerability occurrence or vulnerability definition, owner, priority, due date, and status.

Exposure workspace
  Assets (on page 183): Assets, including servers, gateways, and workstations. For each asset, you can see its name, primary IP address, operating system and platform information, and network status. To view validation information about assets, such as a list of assets with no vulnerability occurrences or gateways with no routing rules, use Asset validation analyses (on page 204).
  Attacks (on page 185): Attacks. For each attack, you can see the Threat Origin, the destination, the risk, and the shortest number of steps it takes to get from the Threat Origin to the destination.
  Business Asset Groups (on page 186): Business Asset Groups. For each Business Asset Group, you can see its total risk.
  Business Units (on page 187): Business Units. For each Business Unit, you can see its total risk.
  Locations (on page 188): Locations. For each location, you see the user comment (description).
  Networks (on page 189): Networks. For each network, you can see its IP address, location path, and discovery method. You can filter the analysis to display only specific types of networks, only segmented networks, and more.
  Regulation Compliance (on page 191): Regulations and Business Impacts. For each Regulation or Business Impact, you can see its description, risk, and loss type (CIA).
  Threat Origins (on page 192): Threat Origins. For each Threat Origin, you can see its type (human or worm), likelihood to attack, attacker skill, attacker privilege, and risk.
  Vulnerability definitions (on page 192): Vulnerability definitions. For each vulnerability definition, you can see severity, title, ID of the vulnerability definition in the Skybox View Vulnerability Dictionary and CVE ID, reported date, vulnerability occurrence count, and imposed risk.
  Vulnerability occurrences (on page 193): Vulnerability occurrences. For each vulnerability occurrence, you can see severity, exposure, title, ID of the vulnerability definition in the Skybox View Vulnerability Dictionary and CVE ID, information about the asset on which the vulnerability occurrence is found, risk, and whether a ticket is already open for this vulnerability occurrence.
  Worms (on page 200): Worm threats.

Threat Manager workspace
  Vulnerability definitions (on page 202): Vulnerability definitions. For each vulnerability definition, you can see severity, source, source ID, title, CVE ID, reported date and modification date, status, and whether the vulnerability definition is marked as For Review.

Setting analysis parameters

The general procedure for configuring an analysis is the same whether you are changing the parameters of an existing analysis or creating a new analysis and specifying its parameters.

To change the parameters of an analysis
  Right-click the desired analysis and select Properties.
  In the Properties dialog box, you can modify all parameters except for Analysis Type.

To create a blank analysis
  Right-click a folder in the selected workspace and select New > Analysis. In the Tickets workspace, select New > Ticket Analysis.

Note: You can only create analyses in folders that are intended to contain them, such as the Analyses tree in the Vulnerability Control workspace, the Model Analyses tree in the Model workspace, the Threat Manager workspace, or the Tickets workspace (for ticket analyses).

To create an analysis based on an existing analysis
  Right-click an analysis on which to base a new analysis and select Create Analysis Like.

The parameters of the Analysis Properties dialog box are described in Analysis Properties dialog box (on page 181).

Analysis Properties dialog box

The Analysis Properties dialog box contains two tabs: General and Comments.

General tab

The General tab contains the specific parameters of the analysis. It consists of two panes.
  General: This pane has the same format for all analysis types. It displays the name of the analysis and the analysis type. You can change the name of any analysis. You can change the type only for a new or created-like analysis.
  s: This pane contains parameters specific to each analysis. The parameters are described in the analysis-specific sections. In the s pane, if no value is selected for a field, all values are used. In other words, the analysis does not filter entities using this field.

Tip: When you mouse over a field, a tooltip listing the values selected for that field appears. This is especially useful for fields of the s pane that hold multiple values.

Comments tab

The Comments tab is the same for all analysis types. It contains your description of the analysis. Supplying a comment does not affect the analysis; it is optional but strongly recommended. When the folder containing the analysis is selected in the Tree pane, this comment is displayed near the name of the analysis in the Table pane.

Customizing the display of an analysis

You can customize the view of an analysis by removing columns, adding columns, or repositioning columns in the display. The columns that are available depend on the type of analysis.

To remove one column from the display
  Right-click the column header and select Remove This Column.

To add columns, remove multiple columns, or reposition columns in the display
  1 Right-click a column header and select Customize Current View.
    The Customize Current View dialog box lists the columns that can be displayed in this analysis. The currently displayed columns are selected, and displayed according to their order in the list.
  2 Make changes and click OK.

To make temporary changes to the display
  Right-click a column header and select one of the following:
    Sort: Sort the list by the selected column
    Group: Group the entities in the table according to the contents of the selected column
    AutoFilter: Filter the table by one of the values in the selected column

Chapter 17 Risk analyses

Risk analyses are available only when working with the Exposure feature of Skybox Vulnerability Control.

In this chapter
  Assets analyses
  Attacks analyses
  Business Asset Groups analyses
  Business Units analyses
  Locations analyses
  Networks analyses
  Regulation Compliance analyses
  Threat Origins analyses
  Vulnerability definitions risk analyses
  Vulnerability occurrences analyses
  Worms analyses

Assets analyses

An assets analysis displays a list of assets, including servers, gateways, and workstations. For each asset, you can see its name, primary IP address, operating system and platform information, and network status.

To view validation information about assets, such as a list of assets with no vulnerability occurrences or gateways with no routing rules, use operational analyses (on page 204) (in the Model workspace).

The parameters that control assets analyses are described in the following table.

Basic tab
  Network Scope: The assets (select container entities or specific assets) to display.
  Asset Attribute Filter
    Asset Name: A string for filtering asset names. Use the characters ? and * for standard pattern matching.
    Operating Systems: The operating systems of the assets.
    Asset Type: The types of the assets.
    Layer 2: Specifies whether only L2 assets are displayed.
    Virtual: Specifies whether only virtual assets are displayed.
    Has Patches: The assets to display:
      All: All assets
      Yes: Only assets that have patches
      No: Only assets that have no patches
    Tag: A string for filtering asset tags. Use the characters ? and * for standard pattern matching.
  Scan Time
    Filtering Mode: Whether to display scanned or unscanned assets.
    Scan Time: Depending on the value of Filtering Mode:
      When the assets were last scanned
      How long since the assets were last scanned
      Select Custom to define a specific date range by:
        Specifying starting and ending dates
        Specifying starting and ending times relative to the current time
  Service Attribute Filter
    Service: The services running on the assets.
    Service Created Since: Only assets with services installed in the specified time interval are displayed. Select Custom to define a specific date range by:
      Specifying the earliest creation date for services in the analysis
      Specifying the earliest creation time relative to the current time for services in the analysis
  Operational Attributes
    Vulnerability Occurrence Count Threshold: The minimum number of vulnerability occurrences per asset.
  Sort: Specifies how to sort the displayed assets.

Advanced tab
  Locked By User: Specifies whether only assets that have at least one field locked by the user are displayed. (A lockable field is automatically locked if the user modifies its value.)
  Validation Severity: Only assets that have the selected validation severity are displayed.
  VPN Attributes
    Participate in VPN: Specifies whether the assets participate in a VPN group.
    VPN Original Text: The original text of any comment found in the VPN configuration. Use the characters ? and * for standard pattern matching.
  Creation & Modification
    Created Since: Only assets created in the specified time interval are displayed. Select Custom to define a specific date range by:
      Specifying the earliest creation date for assets in the analysis
      Specifying the earliest creation time relative to the current time for assets in the analysis
    Created By: Only assets created by a user whose name contains the specified string are displayed.
    Modified Since: Only assets modified in the specified time interval are displayed. Select Custom to define a specific date range by:
      Specifying the earliest modification date for assets in the analysis
      Specifying the earliest modification time relative to the current time for assets in the analysis
    Modified By: Only assets modified by a user whose name contains the specified string are displayed.

Attacks analyses

An attacks analysis displays a list of attacks. For each attack, you can see the Threat Origin, the destination, the risk, and the shortest number of steps it takes to get from the Threat Origin to the destination.

The parameters that control attacks analyses are described in the following table.

Basic tab
  Target: The possible destinations of an attack: assets or Business Asset Groups.
  Threat Origins: The possible starting points of an attack: Threat Origin Categories or specific Threat Origins.
  Worm SBV Catalog ID: The ID of a specific worm in the Skybox View Vulnerability Dictionary.
  Risk Threshold: The minimum risk level caused by the attacks; only attacks with at least the specified risk are displayed.
  Sort: Specifies how to sort the displayed attacks.

Advanced tab
  Creation & Modification
    Created Since: Only attacks created in the specified time interval are displayed. Select Custom to define a specific date range by:
      Specifying the earliest creation date for attacks in the analysis
      Specifying the earliest creation time relative to the current time for attacks in the analysis
    Created By: Only attacks created by a user whose name contains the specified string are displayed.
    Modified Since: Only attacks modified in the specified time interval are displayed. Select Custom to define a specific date range by:
      Specifying the earliest modification date for attacks in the analysis
      Specifying the earliest modification time relative to the current time for attacks in the analysis
    Modified By: Only attacks modified by a user whose name contains the specified string are displayed.

Business Asset Groups analyses

A Business Asset Groups analysis displays a list of Business Asset Groups. For each Business Asset Group, you can see its total risk (the risk that the Business Asset Group is under due to attacks and vulnerability occurrences). You can customize Business Asset Groups analyses to display risk from specific Threat Origin Categories.

The parameters that control Business Asset Groups analyses are described in the following table.

Basic tab

Asset Group Name: A string for filtering the Business Asset Group names. Use the characters ? and * for standard pattern matching.

Network Scope: The Business Asset Groups (select Business Units or specific Business Asset Groups) to display.

Risk Threshold: The minimum impact on the Business Asset Groups. Only Business Asset Groups whose risk comes from the specified source and whose impact rate or level is at least the value specified are displayed.

Regulation Compliance: The Regulations or Business Impacts with which a Business Asset Group is associated for the Business Asset Group to be displayed.

Vulnerability Occurrence Count Threshold: The minimum number of vulnerability occurrences on all assets in a Business Asset Group for the Business Asset Group to be displayed. This parameter is useful for excluding Business Asset Groups that do not have a significant number of vulnerability occurrences.

Asset Count Threshold: The minimum number of assets in a Business Asset Group for the Business Asset Group to be displayed.

Sort: Specifies how to sort the displayed Business Asset Groups.

Advanced tab

Creation & Modification

Created Since: Only Business Asset Groups created in the specified time interval are displayed. Select Custom to define a specific date range by:
  - Specifying the earliest creation date for Business Asset Groups in the analysis
  - Specifying the earliest creation time relative to the current time for Business Asset Groups in the analysis

Created By: Only Business Asset Groups created by a user whose name contains the specified string are displayed.

Modified Since: Only Business Asset Groups modified in the specified time interval are displayed. Select Custom to define a specific date range by:
  - Specifying the earliest modification date for Business Asset Groups in the analysis
  - Specifying the earliest modification time relative to the current time for Business Asset Groups in the analysis

Modified By: Only Business Asset Groups modified by a user whose name contains the specified string are displayed.

Dependency rules

Dependency rules are used in Skybox Vulnerability Control to specify how attacks on assets affect the security of Business Asset Groups.

Note: User-defined dependency rules are an advanced option; it is usually unnecessary to define explicit dependency rules. (An implicit dependency is created automatically when you assign assets to a Business Asset Group; see Implicit dependency in the Skybox Vulnerability Control User's Guide.)

To create dependency rules in the Model workspace, right-click the Dependency Rules node and select New Dependency Rule.

The parameters of dependency rules are described in the following table.

Rule Name: The name of the dependency rule.

User Comments: A statement describing this dependency rule.

Cause

Loss Type: The types of loss on the causal network entities that cause the loss listed in the Effect pane.

On: Specifies how many of the causal network entities must suffer the type of loss (listed in Loss Type) to cause the additional loss that is listed in the Effect pane.
  Note: The value selected for this field affects how Network Entities is interpreted (for the loss listed in the Effect pane to come about).

Network Entities: The network entities that can cause the loss effect of the type listed in the Effect pane and to the network entities listed in the Effect pane.

Effect

Loss Type: The types of implied loss resulting from the parameters listed in the Cause pane.

Network Entities: The network entities to which a loss is caused as a result of the parameters listed in the Cause pane.

A read-only field shows a description of this dependency rule prepared by Skybox View, using the values for the parameters listed in the Cause and Effect panes. The abbreviations C, I, and A in this field denote confidentiality, integrity, and availability.

For additional information about dependency rules, see Adding dependency rules in the Skybox Vulnerability Control User's Guide.

Business Units analyses

A Business Units analysis displays a list of Business Units. For each Business Unit, you can see its total risk (the risk that the Business Unit is under due to attacks and vulnerability occurrences). You can customize Business Units analyses to display risk from specific Threat Origin Categories.

The parameters that control Business Units analyses are described in the following table.

Basic tab

Business Unit Name: A string for filtering the Business Unit names. Use the characters ? and * for standard pattern matching.

Network Scope: The Business Units to display.

Risk Threshold: The minimum impact on the Business Units. Only Business Units whose risk comes from the specified source and whose impact rate or level is at least the value specified are displayed.

Vulnerability Occurrence Count Threshold: The minimum number of vulnerability occurrences on all assets in a Business Unit for the Business Unit to be displayed. This parameter is useful for excluding Business Units that do not have a significant number of vulnerability occurrences.

Asset Count Threshold: The minimum number of assets in a Business Unit for the Business Unit to be displayed. This parameter is useful for excluding Business Units that do not have a significant number of assets.

Sort: Specifies how to sort the displayed Business Units.

Advanced tab

Creation & Modification

Created Since: Only Business Units created in the specified time interval are displayed. Select Custom to define a specific date range by:
  - Specifying the earliest creation date for Business Units in the analysis
  - Specifying the earliest creation time relative to the current time for Business Units in the analysis

Created By: Only Business Units created by a user whose name contains the specified string are displayed.

Modified Since: Only Business Units modified in the specified time interval are displayed. Select Custom to define a specific date range by:
  - Specifying the earliest modification date for Business Units in the analysis
  - Specifying the earliest modification time relative to the current time for Business Units in the analysis

Modified By: Only Business Units modified by a user whose name contains the specified string are displayed.

Locations analyses

A locations analysis displays a list of locations. For each location, you see the user comment (description). You can customize locations analyses to display asset and vulnerability occurrence counts for each location.

The parameters that control locations analyses are described in the following table.

Basic tab

Location Name: A string for filtering the location names. Use the characters ? and * for standard pattern matching.

Network Scope: The locations to display.
  Note: The location selected and its children are considered to be in the scope.

Vulnerability Occurrence Count Threshold: The minimum total number of vulnerability occurrences on all assets in a location for the location to be displayed. This parameter is useful for excluding locations that do not have a significant number of vulnerability occurrences.

Asset Count Threshold: The minimum number of assets in a location for the location to be displayed. This parameter is useful for excluding locations that do not have a significant number of assets.

Sort: Specifies how to sort the displayed locations.

Advanced tab

Creation & Modification

Created Since: Only locations created in the specified time interval are displayed. Select Custom to define a specific date range by:
  - Specifying the earliest creation date for locations in the analysis
  - Specifying the earliest creation time relative to the current time for locations in the analysis

Created By: Only locations created by a user whose name contains the specified string are displayed.

Modified Since: Only locations modified in the specified time interval are displayed. Select Custom to define a specific date range by:
  - Specifying the earliest modification date for locations in the analysis
  - Specifying the earliest modification time relative to the current time for locations in the analysis

Modified By: Only locations modified by a user whose name contains the specified string are displayed.

Networks analyses

Skybox View supports several types of networks, including regular networks, clouds, tunnel networks, VPN networks, and linked networks.

Networks analyses are used to display a list of networks. For each network, you can see its IP address, location path, and discovery method. You can filter the analysis to display only specific types of networks, only segmented networks, and more. You can customize networks analyses to display asset and vulnerability occurrence counts for each network or to display last scan times.

To view network validation information, such as a list of empty networks, use validation analyses (on page 209) (in the Model workspace).

The parameters that control networks analyses are described in the following table.

Basic tab

Network Name: A string for filtering the network names. Use the characters ? and * for standard pattern matching.

Network Scope: The network entities or container entities to display.

  If you select locations or other container entities, the networks inside them are displayed. If you select specific assets, the networks to which the assets belong are displayed. You can select an entity such as an asset group or a Business Asset Group and click to select every asset inside it; the networks to which those assets belong are displayed.

Last Scan Time: When the services were last scanned. Select Custom to define a specific date range by:
  - Specifying starting and ending dates for the scan
  - Specifying starting and ending times relative to the current time

Vulnerability Occurrence Count Threshold: The minimum total number of vulnerability occurrences on the assets in a network for the network to be displayed. This parameter is useful for excluding networks that do not have a significant number of vulnerability occurrences.

Asset Count Threshold: The minimum number of assets in a network for the network to be displayed. This parameter is useful for excluding networks that do not have a significant number of assets.

Network Type: The types of networks to display.

Sort: Specifies how to sort the displayed networks.

Segmented: Specifies whether only segmented networks are displayed.

Advanced tab

Broken VPNs: Specifies whether only networks with broken VPNs are displayed.

Encrypted Traffic: The networks to display:
  - Any: All networks
  - Yes: Networks that support encrypted traffic only
  - No: Networks that do not support encrypted traffic only

Validation Severity: Only networks with at least this validation severity are displayed.

Creation & Modification

Created Since: Only networks created in the specified time interval are displayed. Select Custom to define a specific date range by:
  - Specifying the earliest creation date for networks in the analysis
  - Specifying the earliest creation time relative to the current time for networks in the analysis

Created By: Only networks created by a user whose name contains the specified string are displayed.

Modified Since: Only networks modified in the specified time interval are displayed. Select Custom to define a specific date range by:
  - Specifying the earliest modification date for networks in the analysis
  - Specifying the earliest modification time relative to the current time for networks in the analysis

Modified By: Only networks modified by a user whose name contains the specified string are displayed.

Regulation Compliance analyses

Regulation Compliance analyses are used to display a list of Regulations and Business Impacts. For each Regulation or Business Impact, you can see its description, risk, and loss type (CIA).

Note: Risk for a Business Impact or Regulation is the risk that the Business Impact or Regulation is under based on the risk of its Business Asset Groups. The risk is calculated by aggregating the risks of the Business Asset Groups affected by this Regulation.

The parameters that control Regulation Compliance analyses are described in the following table.

Basic tab

Regulation Name: A string for filtering the Regulations or Business Impacts names. Use the characters ? and * for standard pattern matching.

Regulation Compliance: The Regulations or Business Impacts.

Risk Threshold: The minimum impact for the Regulations or Business Impacts. Only Regulations or Business Impacts whose impact rate or level is at least the value specified are displayed.

Sort: Specifies how to sort the Regulations or Business Impacts that are displayed.

Advanced tab

Creation & Modification

Created Since: Only Regulations or Business Impacts created in the specified time interval are displayed. Select Custom to define a specific date range by:
  - Specifying the earliest creation date for Regulations and Business Impacts in the analysis
  - Specifying the earliest creation time relative to the current time for Regulations and Business Impacts in the analysis

Created By: Only Regulations or Business Impacts created by a user whose name contains the specified string are displayed.

Modified Since: Only Regulations or Business Impacts modified in the specified time interval are displayed. Select Custom to define a specific date range by:
  - Specifying the earliest modification date for Regulations and Business Impacts in the analysis
  - Specifying the earliest modification time relative to the current time for Regulations and Business Impacts in the analysis

Modified By: Only Regulations or Business Impacts modified by a user whose name contains the specified string are displayed.

Threat Origins analyses

A Threat Origin is a possible source for security breaches, defined by its location in the network, attacker skill, and likelihood to attack.

A Threat Origins analysis displays a list of Threat Origins. For each Threat Origin, you can see its type (human or worm), likelihood to attack, attacker skill, attacker privilege, and risk.

The parameters that control Threat Origins analyses are described in the following table.

Basic tab

Network Scope: The assets (select container entities or specific assets) to display.

Threat Origins: The possible Threat Origins or Threat Origin Categories of an attack.

Threat Type: The types of the Threat Origins.

Imposed Risk Threshold: The minimum impact of the Threat Origins. Only Threat Origins whose impact rate or level is at least the value specified are displayed.

Sort: Specifies how to sort the displayed Threat Origins.

Advanced tab

Show Disabled Threat Origins: Specifies whether to display disabled Threat Origins.

Vulnerability definitions risk analyses

A vulnerability definitions risk analysis displays a list of vulnerability definitions. For each vulnerability definition, you can see severity, title, ID of the vulnerability definition in the Skybox View Vulnerability Dictionary and CVE ID, reported date, vulnerability occurrence count, and imposed risk. You can customize the analysis to display additional information, including whether the vulnerability definition has open tickets.

The parameters that control vulnerability definitions risk analyses are described in the following table.

Basic tab

Severity Source: The source against which to check the severity of the vulnerability definitions.

Severity: The severity levels or minimum severity score of the vulnerability definitions.

Title: A string for filtering the vulnerability definition titles. Use the characters ? and * for standard pattern matching.

Sort: Specifies how to sort the displayed vulnerability definitions.

Advanced tab

ID: The ID numbers of the vulnerability definitions.

External Catalog: The external catalog in which the vulnerability definitions have a catalog ID.

External Catalog ID: The ID number of the vulnerability definitions in the selected external catalog.

CVSS Base Score: The range of CVSS base scores of the vulnerability definitions.

CVSS Temporal Score: The range of CVSS temporal scores of the vulnerability definitions.

Vulnerability Count Threshold: The minimum number of occurrences of a vulnerability definition in the network for the vulnerability definition to be displayed.

Asset Count Threshold: The minimum number of assets with an occurrence of a vulnerability definition for the vulnerability definition to be displayed.

Product search string: Only vulnerability definitions that affect products whose title includes the specified string are displayed.

Creation & Modification

Reported Date: Only vulnerability definitions reported in the specified time interval are displayed. Select Custom to define a specific date range by:
  - Specifying the earliest report date for vulnerability definitions in the analysis
  - Specifying the earliest report time relative to the current time for vulnerability definitions in the analysis

Modification Date: Only vulnerability definitions modified in the specified time interval are displayed. Select Custom to define a specific date range by:
  - Specifying the earliest modification date for vulnerability definitions in the analysis
  - Specifying the earliest modification time relative to the current time for vulnerability definitions in the analysis

Vulnerability occurrences analyses

A vulnerability occurrences analysis displays a list of vulnerability occurrences. For each vulnerability occurrence, you can see severity, exposure, title, ID of the vulnerability definition in the Skybox View Vulnerability Dictionary and CVE ID, information about the asset on which the vulnerability occurrence is found, risk, and whether a ticket has been opened for this vulnerability occurrence. You can customize the analysis to display additional information, including risk from specific Threat Origins.

Vulnerability occurrences analyses are used to display different groups of vulnerability occurrences, such as high-risk vulnerability occurrences and vulnerability occurrences by exposure (whether it takes one or more steps to attack the asset on which the vulnerability occurrence is located).

The parameters that control vulnerability occurrences analyses are described in the following table.

Basic tab

Network Scope: The devices (container entities or specific devices) whose services are displayed.

Operating System: The operating systems on which the vulnerability occurrences are found.

Vulnerability Occurrence Attribute Filter

Vulnerability Definitions: The vulnerability definitions to display.

  Open the Vulnerability Definition Finder dialog box (on page 198) to specify the vulnerability definitions.

Vulnerability Occurrence Status: The status of the vulnerability occurrences. Open the Vulnerability Occurrence Status dialog box (on page 195) to select basic and advanced statuses.

Status Change Date: The date of the last status change for this vulnerability occurrence. Select Custom to define a specific date range by:
  - Specifying starting and ending dates for the last status change
  - Specifying starting and ending times relative to the current time for the last status change

Severity Source: The source against which to check the severity of the vulnerability definitions.

Severity Level: Only vulnerability occurrences with the specified severity levels are displayed.

Severity Score: Only vulnerability occurrences with at least the specified severity score are displayed.

CVSS Base Score: The range of CVSS base scores of the vulnerability occurrences.

CVSS Temporal Score: The range of CVSS temporal scores of the vulnerability occurrences.

Scan Time Filtering Mode: Specifies whether the results include:
  - Not Scanned in: Vulnerability occurrences that were not scanned in a specified period of time
  - Last Scan Time: Vulnerability occurrences that were last scanned before a specific date. Used in conjunction with the Scan Time field.

Scan Time: When the services were last scanned. Select Custom to define a specific date range by:
  - Specifying starting and ending dates for the scan
  - Specifying starting and ending times relative to the current time

Sort: Specifies how to sort the displayed vulnerability occurrences.

Risk tab

Imposed Risk Threshold: The source (Threat Origin Category), exposure level, and minimum risk value of the displayed vulnerability occurrence. Open the Imposed Risk Threshold dialog box (see page 197) to set these values.

Participation in Attacks

Business Asset Groups: Business Asset Groups that the vulnerability occurrences can attack.

Regulation Compliance: The Regulations or Business Impacts with which a vulnerability occurrence is associated for the vulnerability occurrence to be displayed.

Threat Origins: Only vulnerability occurrences that can be attacked from the specified Threat Origins are displayed.

Operational tab

Discovery Method: Specifies how the vulnerability occurrences were discovered.

Locked By User: Specifies whether only vulnerability occurrences that have at least one field locked by the user are displayed. (A lockable field is automatically locked if the user modifies its value.)

Has Tickets: Specifies whether only vulnerability occurrences that have tickets are displayed:
  - Yes: Only vulnerability occurrences that have tickets are displayed
  - Any: Vulnerability occurrences are displayed without regard to tickets
  - No: Only vulnerability occurrences that do not have tickets are displayed

Commonality: Possible commonalities of the vulnerability occurrences.

Detection Reliability: The level of detection reliability for which to display vulnerability occurrences. The detection reliability value is included in the scan report that contains the vulnerability occurrence and indicates the certainty with which the scanner determines that the vulnerability occurrence exists.
  - Low: The scanner is not sure whether the vulnerability occurrence exists
  - Medium: The scanner is fairly certain that the vulnerability occurrence exists

Creation & Modification

Created Since: Only vulnerability occurrences created in the specified time interval are displayed. Select Custom to define a specific date range by:
  - Specifying the earliest creation date for vulnerability occurrences in the analysis
  - Specifying the earliest creation time relative to the current time for vulnerability occurrences in the analysis

Created By: Only vulnerability occurrences created by a user whose name contains the specified string are displayed.

Modified Since: Only vulnerability occurrences modified in the specified time interval are displayed. Select Custom to define a specific date range by:
  - Specifying the earliest modification date for vulnerability occurrences in the analysis
  - Specifying the earliest modification time relative to the current time for vulnerability occurrences in the analysis

Modified By: Only vulnerability occurrences modified by a user whose name contains the specified string are displayed.

Vulnerability Occurrence Status dialog box

The Vulnerability Occurrence Status dialog box is used to specify the vulnerability occurrence statuses to fill the Status field of a Properties dialog box, such as a vulnerability occurrences analysis, a vulnerability occurrences ticket rule, or a Vulnerabilities report.

There are two levels of vulnerability occurrence status:
  - Basic statuses (found, ignored, and fixed) are displayed in the GUI.
  - Advanced statuses are specific instances of the basic statuses that are stored internally but not usually displayed. For example, the basic status of Found is divided into three advanced statuses:
    - The vulnerability occurrence was rediscovered after it was considered fixed.
    - The vulnerability occurrence was found by a scanner.
    - The vulnerability occurrence was added by a user.

You can select any combination of basic and advanced statuses.

To select the vulnerability occurrence statuses to fill the Status field

1 Open the Status dialog box; click the Browse button of a (vulnerability occurrence) Status field.

  If the Status field is blank, the Vulnerability Occurrence Status dialog box (Basic) appears.

  Figure 10: Vulnerability Occurrence Status dialog box (Basic)

  Do one of the following:
  - Select a basic status and click OK.
    Note: If you select a basic status but do not want to fine-tune your selection, skip the following instructions that explain how to select advanced statuses.
  - Select a basic status and then click Advanced to fine-tune your selection. (This automatically selects the advanced statuses associated with the selected basic status.)
  - Click Advanced to select specific advanced statuses.

  If the Status field contains a value or if you changed any field in the Advanced settings, the Vulnerability Occurrence Status (advanced settings) dialog box appears.

  Figure 11: Vulnerability Occurrence Status dialog box (Advanced)

  To select advanced statuses, click Advanced.

  Figure 12: Advanced vulnerability occurrence statuses dialog box

2 Select or clear statuses as required and click OK.

  The Vulnerability Occurrence Status (advanced settings) dialog box appears.

3 To accept the advanced statuses that you selected, click OK.

Imposed Risk Threshold dialog box

The Imposed Risk Threshold dialog box is used to define the source, exposure levels, and risk value parameters of vulnerability occurrences that are included in the results of vulnerability occurrences analyses.

The parameters of the Imposed Risk Threshold dialog box are described in the following table.

Source: The Threat Origin Category that imposes the risk. Risk from other Threat Origin Categories is not used for this analysis.

Exposure Levels: You can select multiple exposure levels:
  - Direct: Vulnerability occurrences that the Threat Origin can exploit in one step.
  - Indirect: Vulnerability occurrences that the Threat Origin can exploit, but only in more than one step.
  - Protected: Vulnerability occurrences that cannot be accessed by an attacker because they are protected by an IPS device.
  - Potential: Vulnerability occurrences that have an accessible service (such as HTTP), but might not be accessible because of other exploit conditions that cannot be guaranteed (for example, authentication might be required).
  - Inaccessible: A vulnerability occurrence that cannot be accessed by an attacker (for example, the vulnerable service is disabled or the vulnerability occurrence is blocked by a firewall).
  - Excluded: Vulnerability occurrences excluded from attack simulation. (Attack simulation excludes vulnerability occurrences with the following statuses: False Positive, Fixed, or Ignored.)
  - Unknown: Vulnerability occurrences with unknown exposure. The exploit conditions of these vulnerability occurrences are irrelevant for attack simulation (for example, a browser weakness that might cause damage to a workstation if its user surfs to a hostile website).

Value: The minimum imposed risk of the vulnerability occurrences. Only vulnerability occurrences whose risk value is at least the specified amount are used.
  - Any: Risk value is not used to select vulnerability occurrences
  - Monetary
  - Level
  - Score (0-100)
  If Monetary is specified, type a number representing the monetary value in the default currency. If Level or Score is specified, select a value.

Vulnerability Definition Finder dialog box

The Vulnerability Definition Finder dialog box is used to specify the vulnerability definitions to fill the Vulnerability Definitions parameter of a Properties dialog box for any of the following:
  - vulnerability occurrences analysis
  - vulnerability occurrences ticket rule
  - Vulnerabilities report
  - Vulnerability occurrence

The parameters of the Vulnerability Definition Finder dialog box are described in the following table.

Basic tab

Severity Source: The source against which to check the severity of the vulnerability definitions.

Severity: The severity levels of the vulnerability definitions or the minimum severity score (0-10).

Title: A string for filtering the vulnerability definition titles. Use the characters ? and * for standard pattern matching.

Sort: Specifies how to sort the vulnerability definitions that are returned after doing a search.

Advanced tab

ID: A vulnerability definition ID. The prefix cannot be changed.

External Catalog: The external catalog in which the vulnerability definitions have a catalog ID.

External Catalog ID: The ID number of the vulnerability definitions in the selected external catalog.

CVSS Base Score: The range of CVSS base scores of the vulnerability definitions.

CVSS Temporal Score: The range of CVSS temporal scores of the vulnerability definitions.

Vulnerability Count Threshold: The minimum number of occurrences of a vulnerability definition in the network for the vulnerability definition to be returned.

Asset Count Threshold: The minimum number of assets with an occurrence of a vulnerability definition for the vulnerability definition to be returned.

Product search string: Only vulnerability definitions that affect products whose title includes the specified string are returned.

Creation & Modification

Reported Date: Only vulnerability definitions reported in the specified time interval are returned. Select Custom to define a specific date range by:
  - Specifying the earliest report date for vulnerability definitions in the analysis
  - Specifying the earliest report time relative to the current time for vulnerability definitions in the analysis

Modification Date: Only vulnerability definitions modified in the specified time interval are returned. Select Custom to define a specific date range by:
  - Specifying the earliest modification date for vulnerability definitions in the analysis
  - Specifying the earliest modification time relative to the current time for vulnerability definitions in the analysis

To select vulnerability definitions

1 Determine the parameters to use for the search and fill in the values in the dialog box. If you leave a field empty, that parameter is not used in the search.

2 Click Search.

  All vulnerability definitions in the model are searched. Vulnerability definitions that match the specified parameters are listed in the Search Results field and the number of matching vulnerability definitions is displayed above the field.

3 To select vulnerability definitions listed in the Search Results field, select them in the Search Results field and click to copy them to the Selected Vulnerability Definitions field.

4 If necessary, make additional searches by refining the search parameters or using different ones (and then clicking Search). Add the desired results from each search to the Selected Vulnerabilities field.

5 Click OK.

  Only the vulnerability definitions listed in the Selected Vulnerabilities field are returned to the Vulnerability Definitions parameter of the calling dialog box.

Worms analyses

A worms analysis displays a list of worm threats. A worm threat is a worm that participates in attacks from a specific worm Threat Origin.

Note: When defining threats for worms, you can select several worms per threat, so there might be several attacks using different worms that originate from the same Threat Origin.

For each worm threat, you can see its title, ID of the worm threat in the Skybox View Vulnerability Dictionary, commonality, reported date, imposed risk, and more.

The parameters that control worms analyses are described in the following table.

Basic tab

Name: The string for filtering the worm names. Use the characters ? and * for standard pattern matching.

SBV Worm ID: The worm type identification number in the Vulnerability Dictionary.

Commonality: Specifies how common the worms are.

Imposed Risk Threshold: The minimum risk level for the worms. Only worms that have an aggregated risk level (from all entities that they can attack) that is at least the value specified are displayed.

Reported: When the worms were reported.

Sort: Specifies how to sort the displayed worms.

Advanced tab

Type: The type of worms to include in the analysis:
  - Real: Worms that use vulnerability occurrences to attack an asset and continue spreading.
  - Potential: Worms defined by the Skybox Security content team that use common services instead of vulnerability occurrences. For example, the worm named Potential Worm Microsoft IIS HTTP (SBW-00287) does not have a real vulnerability; it uses the IIS HTTP service to attack an asset and progress. Use these worms to simulate a worm attack on a specific port (to see what would happen if a vulnerability were to be published for that port).
  - Any: Potential and real worms.

Simulated: Specifies whether only worms that are included in at least one Threat Origin (and are therefore used during attack simulation) are displayed.

201 Chapter 17 Risk analyses Creation & Modification Created Since Created By Modified Since Modified By Only worms created in the specified time interval are displayed. Select Custom to define a specific date range by: Specifying the earliest creation date for worms in the analysis Specifying the earliest creation time relative to the current time for worms in the analysis Only worms created by a user whose name contains the specified string are displayed. Only worms modified in the specified time interval are displayed. Select Custom to define a specific date range by: Specifying the earliest modification date for worms in the analysis Specifying the earliest modification time relative to the current time for worms in the analysis Only worms modified by a user whose name contains the specified string are displayed. Skybox View version

Chapter 18 Threat management analyses

Threat management analyses are available only when working with Skybox Threat Manager.

In this chapter
  Vulnerability definitions threat management analyses

Vulnerability definitions threat management analyses

A vulnerability definitions threat management analysis displays a list of vulnerability definitions. For each vulnerability definition, you can see the severity, source, source ID, title, CVE ID, reported date and modification date, status, and whether the vulnerability definition is marked as For Review. You can customize the analysis to display additional information, including a vulnerability occurrence count and whether the vulnerability definition has open tickets.

The parameters that control vulnerability definitions threat management analyses are described in the following table.

Basic tab
  Severity Source: The source against which to check the severity of the vulnerability definitions.
  Severity: The severity levels or minimum severity score of the vulnerability definitions.
  Status: The status of the vulnerability definitions.
  Title: A string for filtering the vulnerability definition titles. Use the characters ? and * for standard pattern matching.
  ID: The ID numbers of the vulnerability definitions in the alert source.
  CVSS Base Score: The range of CVSS base scores of the vulnerability definitions.
  CVSS Temporal Score: The range of CVSS temporal scores of the vulnerability definitions.

Creation & Modification
  Reported Date: When the vulnerability definitions were reported. Select Custom to define a specific date range by:
    - Specifying the earliest report date for vulnerability definitions in the analysis
    - Specifying the earliest report time relative to the current time for vulnerability definitions in the analysis
  Modified Date: When the vulnerability definitions were last modified. Select Custom to define a specific date range by:
    - Specifying the earliest modification date for vulnerability definitions in the analysis
    - Specifying the earliest modification time relative to the current time for vulnerability definitions in the analysis
  For Review: Specifies whether to display:
    - Only vulnerability definitions marked as For Review
    - Only vulnerability definitions not marked as For Review
    - All vulnerability definitions regardless of their For Review status
  Sort: Specifies how to sort the displayed vulnerability definitions.

Advanced tab
  Vulnerability Count Threshold: The minimum number of occurrences of a vulnerability definition in the network for the vulnerability definition to be displayed.
  Asset Count Threshold: The minimum number of assets with an occurrence of a vulnerability definition for the vulnerability definition to be displayed.
  Products In List: Specifies whether only vulnerability definitions for products that are mapped to the deployed product list are displayed.
  Product List Items: Only vulnerability definitions for the selected products or product groups are displayed.
  Product search string: Only vulnerability definitions that affect products whose title includes the specified string are displayed.
  Custom Vulnerability Definitions Created by: Only custom vulnerability definitions created by a user whose name contains the specified string are displayed.
  Custom Vulnerabilities Only: Specifies whether only custom vulnerability definitions are displayed.

Chapter 19 Model validation analyses

In this chapter
  Assets validation analyses
  Network interfaces validation analyses
  Networks validation analyses
  Services validation analyses

Assets validation analyses

Assets validation analyses display a list of assets, including servers, gateways, and workstations. For each asset, you can see its name, primary IP address, operating system and platform information, and network status. You can view asset information in the context of risk in the Exposure workspace (see Assets analyses (on page 183)).

The parameters that control assets validation analyses are described in the following table.

Basic tab

Asset Attribute Filter
  Asset Name: A string for filtering asset names. Use the characters ? and * for standard pattern matching.
  Network Scope: The assets (select container entities or specific assets) to display.
  Asset Type: The types of the assets.
  Layer 2: Specifies whether only L2 assets are displayed.
  Forwarding: Specifies whether only forwarding assets are displayed.
  ACL Enabled: Specifies whether only ACL-enabled assets are displayed.
  IPS Enabled: Specifies whether only IPS-enabled assets are displayed.
  Has Patches: Specifies whether to display assets based on whether they have patches:
    - All: All assets
    - Yes: Only assets that have patches
    - No: Only assets that have no patches
  Tag: A string for filtering asset tags. Use the characters ? and * for standard pattern matching.
  Operating Systems: The operating systems of the assets.
  Scan Time Filtering Mode: Whether to display scanned or unscanned assets.
  Scan Time: Depending on the value of Filtering Mode:
    - When the assets were last scanned
    - How long since the assets were last scanned
    Select Custom to define a specific date range by:
    - Specifying starting and ending dates
    - Specifying starting and ending times relative to the current time

Service Attribute Filter
  Service: The services running on the assets.
  Service Created Since: Only services installed in the specified time interval are displayed. Select Custom to define a specific date range by:
    - Specifying the earliest creation date for services in the analysis
    - Specifying the earliest creation time relative to the current time for services in the analysis

  Sort: Specifies how to sort the displayed assets.

Advanced tab

Model Validation
  No Routing Rules: Specifies whether only assets that have no routing rules are displayed.
  No Access Rules: Specifies whether only assets that have no access rules are displayed.
  No IPS Rules: Specifies whether only assets that have no IPS rules are displayed.
  Disconnected Gateways: Specifies whether only assets that are disconnected gateways are displayed (that is, gateway devices (firewalls, routers, or load balancers) that are not connected to any other device or network in the model).
  No Services: Specifies whether only assets that have no services are displayed.
  No Vulnerability Occurrences: Specifies whether only assets that have no vulnerability occurrences are displayed.
  Not In Business Asset Groups: Specifies whether only assets that are not in any Business Asset Group are displayed.
  Only no owner: Specifies whether only assets that have no owner are displayed.
  Validation Severity: Only assets that have the selected validation severity are displayed.

Model Maintenance
  Locked By User: Specifies whether only assets that have at least one field locked by the user are displayed. (A lockable field is automatically locked if the user modifies its value.)
  About to be deleted: Specifies whether only assets that are about to be deleted are displayed.
  Dynamic Routing: Specifies whether only assets that use dynamic routing are displayed.

VPN Attributes

  Participate in VPN: Specifies whether the assets participate in a VPN group.
  VPN Original Text: The original text of any comment found in the VPN configuration. Use the characters ? and * for standard pattern matching.

Creation & Modification
  Created Since: Only assets created in the specified time interval are displayed. Select Custom to define a specific date range by:
    - Specifying the earliest creation date for assets in the analysis
    - Specifying the earliest creation time relative to the current time for assets in the analysis
  Created By: Only assets created by a user whose name contains the specified string are displayed.
  Modified Since: Only assets modified in the specified time interval are displayed. Select Custom to define a specific date range by:
    - Specifying the earliest modification date for assets in the analysis
    - Specifying the earliest modification time relative to the current time for assets in the analysis
  Modified By: Only assets modified by a user whose name contains the specified string are displayed.

Network interfaces validation analyses

Network interfaces validation analyses are used to complete and fix the network model. For example, use these analyses to find network interfaces with missing next hops, to help identify the edges of the model, and to help discover missing networks.

For each network interface, you can see its IP address, location path, and discovery method.

The parameters that control network interfaces validation analyses are described in the following table.

Basic tab
  Network Scope: The network entities or container entities whose network interfaces are displayed.
    - If you select locations, the network interfaces included in the networks of the location are displayed.
    - If you select specific assets, their network interfaces are displayed.
    - If you select an asset container (asset group, Business Asset Group, Business Unit), the network interfaces of the assets included in the container entity are displayed.
  Asset Type: The type of assets to analyze.
  Asset Name: A string for filtering asset names. Use the characters ? and * for standard pattern matching.
  Interface Type: The type of network interfaces to display.
  Interface Name: A string for filtering interface names. Use the characters ? and * for standard pattern matching.
  Connectivity Issues (radio buttons): Specify how to filter the network interfaces for connectivity issues:
    - Ignore: Display network interfaces regardless of whether they have connectivity issues
    - Any Issue: Display network interfaces that have at least one connectivity issue
    - Specific Issues: Display network interfaces that have the connectivity issues specified in Selected Issues
  Selected Issues: If the value of Connectivity Issues is Specific Issues, specifies the issues to use for filtering the network interfaces. For a list of the specific connectivity issues, see Selected issues (on page 208).
  Not Viewed: Specifies whether only network interfaces that have not been viewed are displayed.
  Has Missing Next Hops: Specifies whether only network interfaces that have missing next hops are displayed. Missing next hop: A next routing hop that is mentioned in the routing table is missing in the network of the network interface.
  Has Missing Connections: Specifies whether only network interfaces that have missing connections are displayed. A network has a missing connection if it has a missing next hop and it is not associated with a Perimeter Cloud or Connecting Cloud.
  Network without Zone: Specifies whether only network interfaces that are attached to networks that are not part of a zone or marked as a zone are displayed.
  Assigned to Cloud: Specifies whether only network interfaces that are attached to clouds are displayed.
  Default Gateway: Specifies whether only network interfaces that are the default gateway for their assets are displayed.
  Locked to Network: Specifies whether only network interfaces that are locked to networks are displayed. You can lock a network interface to a network to enforce an association between the network interface and a network that did not occur automatically during import (for example, if there is an error in the mask of the network interface as it appears in the configuration file).
  Is Up: Specifies whether only network interfaces whose assets are currently up are displayed.
  Sort: Specifies how to sort the displayed network interfaces.

Advanced tab

Creation & Modification
  Created Since: Only network interfaces created in the specified time interval are displayed. Select Custom to define a specific date range by:
    - Specifying the earliest creation date for network interfaces in the analysis
    - Specifying the earliest creation time relative to the current time for network interfaces in the analysis

  Created By: Only network interfaces created by a user whose name contains the specified string are displayed.
  Modified Since: Only network interfaces modified in the specified time interval are displayed. Select Custom to define a specific date range by:
    - Specifying the earliest modification date for network interfaces in the analysis
    - Specifying the earliest modification time relative to the current time for network interfaces in the analysis
  Modified By: Only network interfaces modified by a user whose name contains the specified string are displayed.

Selected issues

The connectivity issues for network interfaces are described in the following table, together with possible solutions for each one.

Issue: Unassigned interface
  The network interface is not assigned to any network. This often means that the interface matches more than one network in the model.
  Solution: Manually assign the interface to the correct network (using the Properties dialog box of the interface).

Issue: Next hop not in model
  A next hop (in the routing table) is not in the model, but its destination networks are in the model.
  Solution: If the next hop should be in the model, import its configuration.

Issue: Next hop and its destination networks not in model
  A next hop is not in the model and neither are its destination networks.
  Solutions:
    - If the next hop belongs in the model, import its configuration.
    - If the next hop is out of the model scope or is unavailable at this stage, use the Define Network as Cloud command to create a cloud that represents the missing next hops and the networks to which they lead.

Issue: Next hop exists in a separate network
  A next hop is missing in the network of the interface but appears in another network of the model that overlaps the network of the network interface. This might mean that you must manually merge the two networks (and is often caused by an incorrect mask specification in a configuration file).
  Solutions:
    - Select the network interface in the list and view the Matching Networks tab for additional information.
    - If a merge is necessary, identify the network with the correct IP address and mask, and assign to it the network interfaces that are currently associated with the wrong network (using the Network Interface Properties dialog box to set the network).

Issue: Potential matching network for interface assigned to cloud
  The interface is assigned to a cloud, but has a next hop that appears in another network of the model.
  Solution: In the model, find the network that matches the missing next hop, as explained in the following paragraph. If that network should be connected to the network interface (instead of the cloud), remove the cloud and assign the network interface to the matching network.
  To find networks that match the next hop, select the network interface in the Network Interfaces analysis and look at the Matching Network related tab. Check whether a listed network includes the IP address of the missing next hop.

Issue: VPN or Tunnel endpoint is missing
  The other end of the VPN or the tunnel is missing.
  Solution: Check whether the other endpoint exists in the model. If it does, and it is represented correctly, connect the two manually.

Issue: Duplicated network device
  The model contains another network device with the same name, and this device has a network interface with the same IP address.
  Solution: If the two devices in the model represent the same device, remove the device with the older modification date.

Issue: Duplicated IP address in network
  The IP address of this interface appears more than once in its network.
  Solution: Review the network interfaces associated with the network, and do one of the following:
    - If the gateways with the identical IP addresses are duplicates, remove the one with the older modification date.
    - If a network interface should not be associated with this network, assign it to the correct network.

Issue: Overlapping network
  The network of the interface overlaps with another network in the model. Select the network interface in the list and view the Matching Networks tab for additional information. There is one network currently assigned to the network interface in the model (in the following explanation, this is referred to as the current network). Any matching network in the list that is not the current network (and is not a cloud) is an overlapping network.
  In some cases an overlapping network and the current network (in the model) represent the same subnet in the real network. This might occur, for example, when the mask specified for one of the network interfaces in the corresponding configuration file is wrong (networks that have different masks are not merged). If this is the case, delete the network (current or overlapping) with the wrong mask, and assign its interfaces to the correct network. (Do this by opening the Properties window of each of the network interfaces and setting the network correctly.)
  If all the overlapping networks represent separate subnets in the real network, ignore the issue (by marking it as Viewed).

Networks validation analyses

Skybox View supports several types of networks, including regular networks, clouds, tunnel networks, VPN networks, and linked networks. Networks validation analyses check for problems in networks, typically to verify whether they were imported correctly.

For each network, you can see its IP address, location path, and discovery method. You can customize networks analyses to display interface and vulnerability occurrence counts for each network or to display last scan times. To view network information in the context of risk, use the Exposure workspace (see Networks analyses (on page 189)).
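The connectivity checks behind several of the issues in the Selected issues table (unassigned interface, next hop not in model and the resulting missing connection, next hop in an overlapping network, duplicated IP address in a network, overlapping networks) can be expressed over a small in-memory model. The following Python is an added example, not Skybox code; its model, device names and addresses are constructed, and representing clouds as "cloud:<name>" strings is an assumption of the example.

```python
"""Toy network-model validator, added as an example (not Skybox code).

Re-implements, over a constructed in-memory model, several of the
connectivity checks described in the Selected issues table: Unassigned
interface, Next hop not in model (and the derived "missing connection"
rule for interfaces that are not on a cloud), Next hop exists in a
separate network, Duplicated IP address in network, and Overlapping
network. Clouds are represented as "cloud:<name>" strings (an assumption
of this example); model networks are CIDR strings.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Interface:
    device: str
    name: str
    ip: str                      # interface address (dotted quad)
    network: Optional[str]       # CIDR or "cloud:<name>" assigned in the model; None = unassigned
    next_hops: tuple = ()        # next-hop addresses taken from the device's routing table


def is_cloud(network: Optional[str]) -> bool:
    return network is not None and network.startswith("cloud:")


def overlapping_networks(network: Optional[str], networks) -> list:
    """Model networks (clouds excluded) that overlap `network` without being it."""
    if network is None or is_cloud(network):
        return []
    net = IPv4Network(network)
    return sorted(n for n in networks
                  if n != network and not is_cloud(n) and IPv4Network(n).overlaps(net))


def validate_model(interfaces, networks) -> dict:
    """Return {(device, interface name): sorted list of issue strings}.

    Only interfaces with at least one issue appear in the result.
    """
    holders = defaultdict(set)   # ip -> set of networks holding an interface with that ip
    ip_count = defaultdict(int)  # (network, ip) -> number of interfaces, for duplicates
    for i in interfaces:
        holders[i.ip].add(i.network)
        ip_count[(i.network, i.ip)] += 1

    findings = {}
    for i in interfaces:
        issues = []
        if i.network is None:
            # Unassigned interface: report how many model networks it would match
            matches = [n for n in networks
                       if not is_cloud(n) and IPv4Address(i.ip) in IPv4Network(n)]
            issues.append(f"Unassigned interface (matches {len(matches)} networks)")
        else:
            if ip_count[(i.network, i.ip)] > 1:
                issues.append("Duplicated IP address in network")
            overlaps = overlapping_networks(i.network, networks)
            if overlaps:
                issues.append("Overlapping network: " + ", ".join(overlaps))
        for hop in i.next_hops:
            where = holders.get(hop, set())
            if i.network in where:
                continue  # next hop is present in the interface's own network
            if not where:
                issues.append(f"Next hop not in model: {hop}")
                if not is_cloud(i.network):
                    # a missing next hop on a network that is not a cloud
                    issues.append(f"Missing connection: {hop}")
            elif where & set(overlapping_networks(i.network, networks)):
                issues.append(f"Next hop exists in a separate network: {hop}")
            else:
                issues.append(f"Next hop missing in network: {hop}")
        if issues:
            findings[(i.device, i.name)] = sorted(issues)
    return findings


# Constructed sample model: one mis-masked router, one duplicate server
# address, one unrouted next hop and one unassigned workstation interface.
MODEL_NETWORKS = ["10.0.0.0/24", "10.0.0.0/25", "10.0.1.0/24", "cloud:internet"]
MODEL_INTERFACES = [
    Interface("fw1", "eth0", "10.0.0.1", "10.0.0.0/24", ("10.0.0.100",)),
    Interface("rtr1", "eth0", "10.0.0.100", "10.0.0.0/25"),   # /25 mask in its config file
    Interface("fw1", "eth1", "10.0.1.1", "10.0.1.0/24", ("10.0.1.254",)),
    Interface("fw1", "eth2", "203.0.113.1", "cloud:internet", ("203.0.113.254",)),
    Interface("srv1", "eth0", "10.0.1.10", "10.0.1.0/24"),
    Interface("srv2", "eth0", "10.0.1.10", "10.0.1.0/24"),    # same address as srv1
    Interface("wks1", "eth0", "10.0.0.50", None),              # matches both 10.0.0.0 networks
]

if __name__ == "__main__":
    for (device, iface), issues in sorted(validate_model(MODEL_INTERFACES, MODEL_NETWORKS).items()):
        for issue in issues:
            print(f"{device}/{iface}: {issue}")
```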

The parameters that control networks validation analyses are described in the following table.

Basic tab
  Network Name: A string for filtering the network names. Use the characters ? and * for standard pattern matching.
  Network Scope: The network entities or container entities to display. If you select locations or other container entities, the networks inside them are displayed. If you select specific assets, the networks to which the assets belong are displayed. You can select an entity such as an asset group or a Business Asset Group and click to select every asset inside it; the networks to which those assets belong are displayed.
  Network Type: The types of networks to display.
  Min Asset Count: The minimum number of assets per network. This parameter is useful for excluding networks that do not have a significant number of assets.
  Max Asset Count: The maximum number of assets per network. Use this parameter with Min Asset Count to find networks of a specific size, such as between 20 and 50 assets.
  Only Overlapping: Specifies whether only overlapping networks (that is, networks that have the same IP address but are located in different places) are displayed.
  Segmented: Specifies whether only segmented networks are displayed.
  Broken VPNs: Specifies whether only networks with broken VPNs are displayed.
  Encrypted Traffic: The networks to display:
    - Any: All networks
    - Yes: Networks that support encrypted traffic only
    - No: Networks that do not support encrypted traffic only
  Sort: Specifies how to sort the displayed networks.

Advanced tab

Model Validation
  No Assets: Specifies whether only networks that have no assets are displayed.
  No Gateways: Specifies whether only networks that have no gateway devices (firewalls or routers) are displayed.
  Not Fully Scanned: Specifies whether only networks that were not fully scanned are displayed.
  Unsegmented Assets: Specifies whether only segmented networks that contain at least one unsegmented asset are displayed.
  Not Scanned In: The length of time for which the networks were not scanned. Select Custom to define a specific time range by:
    - Specifying starting and ending dates for the scan
    - Specifying starting and ending times relative to the current time
  Validation Severity: Only assets with at least this validation severity are displayed.

Creation & Modification
  Created Since: Only networks created in the specified time interval are displayed. Select Custom to define a specific date range by:
    - Specifying the earliest creation date for networks in the analysis
    - Specifying the earliest creation time relative to the current time for networks in the analysis
  Created By: Only networks created by a user whose name contains the specified string are displayed.
  Modified Since: Only networks modified in the specified time interval are displayed. Select Custom to define a specific date range by:
    - Specifying the earliest modification date for networks in the analysis
    - Specifying the earliest modification time relative to the current time for networks in the analysis
  Modified By: Only networks modified by a user whose name contains the specified string are displayed.

Services validation analyses

A services analysis displays a list of services (products). Services analyses are used to display asset services (products). You can use them after Analysis Vulnerability Detector tasks to check the banner translations.

The parameters that control services analyses are described in the following table.

Basic tab
  Network Scope: The network entities or container entities to check for services.
  Asset Name: A string for filtering the names of assets to check for services. Use the characters ? and * for standard pattern matching.
  Asset Type: The types of assets to check for services.
  Product: Only vulnerability definitions for the selected products are displayed.
  Scan Time Filtering Mode: Specifies whether the results are to include:
    - Last Scan Time: Services last scanned before a specific date
    - Not Scanned in: Services not scanned in a specified length of time
    Used in conjunction with the Scan Time field.

  Scan Time: When the services were last scanned. Select Custom to define a specific date range by:
    - Specifying starting and ending dates for the scan
    - Specifying starting and ending times relative to the current time
  Sort: Specifies how to sort the displayed vulnerability occurrences.

Advanced tab
  Discovery Method: Specifies how the vulnerability occurrences were discovered.

Banner Identification
  Identified: Specifies how the vulnerability occurrences were identified: Any, Yes, or No.
  Identification Level
  VS Supported: Any, Yes, or No. This parameter is enabled only if the Identified parameter has the value Yes.
  CPE Version Identified: Any, Yes, or No. This parameter is enabled only if both the Identified parameter and the VS Supported parameter have the value Yes.
  Distinct Banner: Specifies whether the results are filtered to include a single arbitrary record per unique banner text. In other words, if there are many services with the same banner value, only one of them is retrieved and displayed.
  Banner Text

Services
  Operating System
  Service
  Service Type

Creation & Modification
  Created Since: Only vulnerability occurrences created in the specified time interval are displayed. Select Custom to define a specific date range by:
    - Specifying the earliest creation date for vulnerability occurrences in the analysis
    - Specifying the earliest creation time relative to the current time for vulnerability occurrences in the analysis
  Created By: Only vulnerability occurrences created by a user whose name contains the specified string are displayed.
  Modified Since: Only vulnerability occurrences modified in the specified time interval are displayed. Select Custom to define a specific date range by:
    - Specifying the earliest modification date for vulnerability occurrences in the analysis
    - Specifying the earliest modification time relative to the current time for vulnerability occurrences in the analysis
  Modified By: Only vulnerability occurrences modified by a user whose name contains the specified string are displayed.

Chapter 20 Ticket analyses

Ticket analyses are located in the Tickets workspace.

Note: When working with the Threat Manager feature of Skybox Vulnerability Control, ticket analyses are also available in the Threat Manager workspace.

In this chapter
  Tickets analyses

Tickets analyses

A tickets analysis displays a list of tickets. For each ticket, you can see the ticket ID, ticket type, title, asset, vulnerability occurrence, owner, priority, due date, and status. You can customize the view of the analysis to add other relevant columns. For example, if your tickets are only for Business Asset Groups, you can hide the vulnerability occurrence and asset information; if your organization uses ticket phases, you can display the current phase of each ticket and the phase due date.

The parameters that control tickets analyses are described in the following table. Some parameters might not be applicable to all ticket types.

Basic tab
  Type: The types of the tickets.
  Ticket Phases: The phases of the tickets.
  Status: The status of the tickets.
  Priority Threshold: The minimum priority of the tickets.
  Ticket Owner: The owners of the tickets.
  Owner Lookup: If owners are specified in Ticket Owner, specifies whether to search for the selected ticket owners in the current ticket phase of each ticket or in a specific phase. (When Specific Phase is selected, select the desired phases in the Owner Phases field.)
  Owner Phases: The phases in which to search for the ticket owner.
  Due Date: Only tickets whose due date is in the selected time interval are displayed. Select Custom to define a specific date range by:
    - Specifying starting and ending dates for the due date
    - Specifying starting and ending times relative to the current time for the due date
  Phase Due Date: Only tickets whose due date is in the selected time interval for the phase specified in Selected Phase are displayed. Select Custom to define a specific date range by:
    - Specifying starting and ending dates for the due date
    - Specifying starting and ending times relative to the current time for the due date
  Selected Phase: The phase for the Phase Due Date filter.
  Done Date: Only closed tickets whose end date is in the selected time interval are displayed. Select Custom to define a specific date range by:
    - Specifying starting and ending dates for the end date
    - Specifying starting and ending times relative to the current time for the end date
  Tickets Editable by Me: Specifies whether only tickets that you (the current user) have permission to edit are displayed.
  Title: A string that must be part of the ticket title.
  User Comment: A string that must be part of the user comment.
  Sort: Specifies how to sort the displayed tickets.

Advanced tab
  Products: The products or product groups for which the tickets were created, or the affected products of the vulnerability definitions. Note: When you use this parameter, you limit the display to vulnerability definition tickets.
  Network Scope: The devices (container entities or specific devices) for which to display tickets.
  Ticket Rule: Only tickets created as a result of this ticket rule are displayed.

Permissions
  Tickets with unauthorized owners: Only tickets whose current owners have no permissions for the current phase are displayed. (This can happen if the owner's permissions or their group permissions were changed after the ticket was assigned.)

Solutions
  Note: These fields are relevant only for vulnerability occurrence and vulnerability definition tickets.
  Name: Only vulnerability occurrence or vulnerability definition tickets that have this string in the name of any of their solutions are displayed. Use the characters ? and * for standard pattern matching.
  Description: Only vulnerability occurrence or vulnerability definition tickets that have this string in their descriptions are displayed. Use the characters ? and * for standard pattern matching.

Creation & Modification
  Created Since: Only tickets created in the specified time interval are displayed. Select Custom to define a specific date range by:
    - Specifying the earliest creation date for tickets in the analysis
    - Specifying the earliest creation time relative to the current time for tickets in the analysis
  Created By: Only tickets created by a user whose name contains the specified string are displayed.
  Modified Since: Only tickets modified in the specified time interval are displayed. Select Custom to define a specific date range by:
    - Specifying the earliest modification date for tickets in the analysis
    - Specifying the earliest modification time relative to the current time for tickets in the analysis
  Modified By: Only tickets modified by a user whose name contains the specified string are displayed.

Part III: Tickets, reports, and notifications

This part describes Skybox View tickets, reports, and notifications.

218 Chapter 21 Tickets reference This chapter describes how to set the parameters for Skybox View tickets and ticket rules. In this chapter Tickets Ticket rules Tickets This section describes how to set the parameters for Skybox View tickets. Tickets in Skybox View represent action items that must be carried out in your corporate network. After you ascertain the critical issues, you can create tickets and assign them to the appropriate staff members. Tickets can be created automatically using ticket rules (see page 226). Skybox View includes the types of tickets listed in the following table. Ticket type Used to... Skybox Vulnerability Control and Skybox Threat Manager Business Asset Group (on page 220) Vulnerability occurrence (on page 220) Vulnerability definition (on page 221) (Skybox Vulnerability Control only) Reduce the risk value of Business Asset Groups Mitigate specific vulnerability occurrences (Exposure feature): Describe a mitigation process for all vulnerability occurrences of the vulnerability definition (Threat Manager feature): Assess the vulnerability definition risk and start an organization-wide remediation process Skybox Firewall Assurance and Skybox Network Assurance Access Change (on page 222) Access Policy violation (on page 224) Change connectivity, such as enabling a user to access a specific server Fix violations of the Access Policy, such as when partial access is available from a source to a destination but the Access Policy states that there must be no access Ticket Properties dialog box All ticket types include an Attributes pane. Its parameters are described in the following table. Title Ticket ID Status The title of the ticket. In some cases, a title is created automatically, but you can modify or change it. (Read only) A unique number that identifies the ticket. The status of the ticket. Skybox View version

Closure Reason: (Read only) The reason that the ticket was closed; this field is empty until the ticket is closed.
Priority: The priority of the ticket.
Phase (ticket types with phases): The phase of the ticket.
Phase Due Date (ticket types with phases): (Read only) The due date of the current ticket phase. For information about defining phases, see Defining ticket phases (on page 225).
Due Date: The date by which to implement the solution.
Done Date: (Read only) For tickets whose solutions are already implemented, shows the date on which the status of the ticket was changed to Closed, Resolved, or Verified.
Owner: The user who is in charge of implementing the solution on the corporate network.
Cc: Additional users or email addresses of people who are to receive alerts about the ticket. Note: Ticket notifications require configuration (see Ticket Configuration, in the Skybox View Installation and Administration Guide).
Network Scope (vulnerability definition tickets only): The scope for which to create the ticket. If left blank, the ticket is created for the entire network.
Vendor Reference (vulnerability definition tickets only): A specific vendor ID. For example, if the vulnerability definition has a Microsoft ID, you can type the value MS13-<nnn>.
External Ticket ID: If there is a parallel ticket in an external ticketing system (such as Remedy), this field contains the ID of the ticket in the external system.
External Ticket Status: If there is a parallel ticket in an external ticketing system (such as Remedy), this field contains the status of the ticket in the external system.

The Ticket dialog box also contains parameters specific to each type of ticket.
For information about these parameters, see the following sections:

Skybox Vulnerability Control and Skybox Threat Manager:
  Business Asset Group ticket parameters (on page 220)
  Vulnerability occurrence ticket parameters (on page 220)
  Vulnerability definition ticket parameters (on page 221)

Skybox Firewall Assurance and Skybox Network Assurance:
  Access Change ticket parameters (on page 222)
  Access Policy violations ticket parameters (on page 224)

Skybox Vulnerability Control and Skybox Threat Manager tickets

The following ticket type is available only when working with Skybox Vulnerability Control:
  Business Asset Group (on page 220)

The following ticket types are available when working with Skybox Vulnerability Control and Skybox Threat Manager:
  Vulnerability occurrence (on page 220)
  Vulnerability definition (on page 221)

Business Asset Group ticket parameters

Business Asset Group tickets are action items for reducing the risk value of Business Asset Groups. When used in conjunction with ticket rules, they enable Skybox View to send alerts when the risk of a Business Asset Group increases.

Naming convention
By default, the title of a Business Asset Group ticket takes the name of the Business Asset Group.

Properties
The parameters used in Business Asset Group tickets are listed in the following table.

Problem: This tab is used to explain why the ticket was opened.
Attachments: This tab is used to add attachment files to the ticket.
Comments: This tab is used for comments.
  User Comments: This field can be used for workflow-related comments between the person who assigns the ticket and the ticket owner. Each time a comment is added, Skybox View labels it with a user name and timestamp.

Vulnerability occurrence ticket parameters

Vulnerability occurrence tickets are action items for mitigating specific vulnerability occurrences.

Naming convention
When creating a ticket for a single vulnerability occurrence, the title of the ticket is the title of the vulnerability definition together with the asset on which it is found. When creating a set of tickets for several vulnerability occurrences, you must add a prefix; the title of each ticket is a string consisting of the prefix, the title of the vulnerability definition, and the asset on which the vulnerability occurrence is found.

Properties
The tabs and parameters used in vulnerability occurrence tickets are listed in the following table.
Phases: When phases are used for vulnerability occurrence tickets, this tab is used to view the list of phases for this ticket and to change owners and due dates of phases.
Vulnerability Definition: (Read only) Information about the vulnerability definition on which this ticket is based.
Solutions: Use this tab to select or create solutions for the vulnerability occurrence on which this ticket is based.
  Show only selected solutions: Specifies whether to display selected solutions only. This field is useful if there is a long list of known solutions and you want to see only selected solutions.
  Solutions table: The known solutions for the vulnerability occurrence, including those from the Skybox View Vulnerability Dictionary, and any

proprietary solutions created for your organization. Select solutions that might work for this particular vulnerability occurrence or click Add Custom to add an additional proprietary solution. (The Add Custom button is not displayed for Closed tickets.)
Comments: This tab is used for providing additional information about the recommended solution, and for workflow-related comments between the person who assigns the ticket and the ticket owner. Each time a comment is added, Skybox View labels it with a user name and timestamp.
Attachments: Lists all attachments to the ticket.
History: Lists all events for this ticket, such as creation, updates, and attachments.

For additional information about creating vulnerability occurrence tickets, see Creating tickets manually, in the Skybox Vulnerability Control User's Guide.

Vulnerability definition ticket parameters

When used in Skybox Threat Manager, vulnerability definition tickets are action items for assessing the vulnerability definition risk and starting an organization-wide remediation process. When used in Skybox Vulnerability Control, vulnerability definition tickets are action items describing a mitigation process for all vulnerability occurrences of the selected vulnerability definition.

The tabs and parameters used in vulnerability definition tickets are described in the following table.

Phases: When phases are used for vulnerability definition tickets, this tab is used to view the list of phases for this ticket and to change owners and due dates of phases.
Vulnerability Definition: (Read only) Information about the vulnerability definition on which this ticket is based.
Solutions: Use this tab to select or create solutions for the vulnerability definition.
  Show only selected solutions: Specifies whether to display selected solutions only. This field is useful if there is a long list of known solutions and you want to see only selected solutions.
  Solutions: The known solutions for the vulnerability definition, including those from the alert service, and any proprietary solutions created for your organization. Select solutions that might work for this particular vulnerability definition or click Add Custom to add an additional proprietary solution.
Comments: This tab is used for providing additional information about the recommended solution, and for workflow-related comments between the person who assigns the ticket and the ticket owner.

Each time a comment is added, Skybox View labels it with a user name and timestamp.
Products: Lists the product or products to associate with this ticket. The products are selected from the Product List.
CVSS: (Read only) The CVSS values for the vulnerability definition.
External URLs: Links to websites that might offer additional information about the vulnerability definition.
Deployment: Information about the number of assets on which the vulnerability definition is found. Note: This tab is displayed only when working with ticket phases.
  Total Assets: The total number of assets on which the vulnerability definition is found.
  Fixed Assets: The number of assets that are fixed (for example, updated with a service patch or the vulnerable product removed).
  % Fixed: (Read only) The number of fixed assets as a percentage of the total number of assets.
Attachments: Lists all attachments to the ticket.
History: Lists all events for this ticket, such as creation, updates, and attachments.

For information about vulnerability definition tickets:
  When working with the Exposure feature of Skybox Vulnerability Control, see Creating vulnerability definition tickets, in the Skybox Vulnerability Control User's Guide.
  When working with Skybox Threat Manager without ticket phases, see Working with tickets, in the Skybox Threat Manager User's Guide.
  When working with Skybox Threat Manager using ticket phases, see Working with tickets and phases, in the Skybox Threat Manager User's Guide.

Skybox Firewall Assurance and Skybox Network Assurance tickets

The following ticket type is available when working with Skybox Firewall Assurance and Skybox Network Assurance:
  Access Change (on page 222)

The following ticket type is available only when working with Skybox Network Assurance:
  Access Policy violations (on page 224)

Access Change ticket parameters

This ticket type is available only when working with Skybox Network Assurance and Skybox Firewall Assurance.
Access Change tickets are action items to change connectivity, such as enabling users to access a specific server.

The tabs and parameters used in Access Change tickets are listed in the following table.

Phases: When phases are used for Access Change tickets, this tab is used to:
  View the list of phases for this ticket

  Change owners and due dates of phases
The next tab is used by the ticket creator to explain the desired access:
  Problem: A free text description of the change request, such as the motivation for the change.
  Change Details: Additional (free text) information about the change request, such as the clients, servers, and ports through which access is required.
Access Requests: This tab is used to list, create, and modify access requests that determine whether the desired access is achieved. The icon at the beginning of each access request row indicates the compliance status of the request: Passed, Failed, or Not analyzed. Click Add to open a New Access Request dialog box. Select an existing access request and click Modify to open an Access Request Properties dialog box. The following rows of this table describe the fields of the dialog box. Note: For each access request that you create, all fields must be assigned a value; there are no default values.
  Mode: Specifies whether the request is for the network (Network Mode) or for a specific firewall (Firewall Mode).
  Firewall: For Firewall Mode, the firewall through which access is requested.
  Rule Type: The type of access to test: Access Denied or Access Required.
  Source Scope: The source points for access analysis. Click the Browse button to define the source scope or IP address range. Note: If you are working with a hierarchical model, the scope should consist of a network or assets in the model. If you do not have assets in the model, select a network and use the IP Ranges field to specify the assets.
  Destination Scope: The destination points for access analysis. Open the Source and Destination Scope dialog box to define the destination scope or IP address range. Note: If you are working with a hierarchical model, the scope should consist of a network or assets in the model. If you do not have assets in the model, select a network and use the IP Ranges field to specify the assets.
  Services: The services at the destination for access analysis.
  Filter By

  NAT: Specifies the NAT filter for the request (filter by NAT):
    Source Nat: Show only access results that involve source NAT (that is, the source of the query was translated)
    Destination Nat: Show only access results that involve destination NAT (that is, the destination of the query was translated)
    No Source Nat: Show only access results that do not involve source NAT (that is, the source of the query was not translated)
    No Destination Nat: Show only access results that do not involve destination NAT (that is, the destination of the query was not translated)
    None: Show all results (do not filter by NAT)
Comments: This tab is used for comments.
  User Comments: Use this field for workflow-related comments between the person who assigns the ticket and the ticket owners. Each time a comment is added, Skybox View labels it with a user name and timestamp.
Attachments: This tab is used to add attachment files to the ticket.
History: This read-only tab is used to view changes made to the ticket.

For information about Access Change tickets, see Access Change tickets, in the Skybox Network Assurance User's Guide. For information about access requests, see Creating access requests, in the Skybox Network Assurance User's Guide.

Access Policy violation ticket parameters

This ticket type is available only when working with Skybox Network Assurance.

Access Policy violation tickets are action items to fix a violation of the Access Policy, such as when partial access is available from a source to a destination but the Access Policy states that there must be no access.

Naming convention
By default, the title of an Access Policy violation ticket is the name of the Access Check together with the source and destination of the violating access test.

Properties
The tabs and parameters used in Access Policy violation tickets are listed in the following table.

Violation Details: Fields in this tab are read-only.
They contain detailed information about the violated Access Check and the violation, including the source, destination, and services.
  Description: The description of the Access Check from which the test is derived.
  Access Check Name: The name of the Access Check from which the test is derived.
  Access Check Path: The path of the Access Check in the Policy tree.
  Type: <Access Check type> to <Entities>, where:

    <Access Check type> is one of No Access Check, Limited Access Check, Full Access Check.
    <Entities> is one of Model Entities Only or Potential Entities. Potential Entities (named Possible IP Ranges in the Access Analyzer) are all IP addresses and port ranges exposed by firewall access rules, even if they do not exist in the model.
  Severity: The severity of the Access Check.
  Test ID: The access test ID number of the violation.
  Violation Creation Time: The date and time on which the violation was first discovered.
  Authentication: Specifies whether authentication is examined in the Access Check.
  Source Scope: The source scope of the violated access test.
  Destination Scope: The destination scope of the violated access test.
  Services: The services of the violated access test.
  Limitations, Limit on Destination IPs: (For Limited Access Checks) The specific limitations for the Access Check.
Suggested Solution: This tab is used to suggest solutions to the problem that caused the violation.
  Device: Free text field for describing the device on which to make changes to fix this violation.
  Change Details: Free text field for describing the changes to make to fix this violation.
  User Comments: Use this field for workflow-related comments between the person who assigns the ticket and the ticket owner. Each time a comment is added, Skybox View labels it with a user name and timestamp.
Attachments: This tab is used to add attachment files to the ticket.

For information about Access Policy violation tickets, see the Access Policy violation tickets topic in the Skybox Network Assurance User's Guide.

Defining ticket phases

Skybox View includes a ticketing system to manage the workflow for vulnerability occurrence remediation, firewall changes, and so on. Ticket workflow can be simple: tickets are opened, in progress, and then closed.
However, some ticket workflows must support a process that involves several departments or employees, where each is responsible for a different aspect. Skybox View enables you to define phases that describe the workflow for each (relevant) ticket type. In each phase, the ticket owner is responsible for a specific task, such as risk assessment, planning, or deployment.

You can use phases with the following types of tickets:
  Access Change: The following are suggested phases for Access Change tickets: Request, Technical Details, Risk Assessment, Implementation, and Verification.

  Vulnerability definition: The following are suggested phases for vulnerability definition tickets: Assess Risk, Develop Solution, Deployment, and Verification.
  Vulnerability occurrence

In Skybox View, each phase has an owner, a due date, a start date, and an end date, and the phase owners can promote or demote the ticket through the phases until completion. Each type of ticket can have its own set of phases, or you can use the same phase names for all entities.

When a ticket is created, it contains the list of its relevant phases. Initially, the ticket is assigned to the first phase and its owner is the owner of the first phase. During the life cycle of the ticket, the ticket can progress to the next phase or, if necessary, go back to the previous phase.

Phase permissions
By default, all editable ticket fields can be edited in all phases. However, you can limit the ability to update solutions and deployment information to specific phases.

Note: If you limit the ability to update solutions or deployment to a single phase, the fields in these areas become read-only in all other phases until you explicitly permit them for those phases as well.

To define ticket phases
1 Select Tools > Options > Server Options > Ticket Configuration > Ticket Priorities & Phases.
2 From the Ticket Type drop-down list, select the type of ticket for which you want to define phases.
3 For each phase to be added:
  a) Click Add.
  b) In the New Phase dialog box, do one of the following:
     Type a name and (optionally) a comment about the phase
     Select Existing Phase and then select a phase name from the drop-down list
  c) In the Permissions pane, define the permissions for this phase.
  d) Click OK.

Note: The phases are stored in the order in which you add them; you cannot change the order except by deleting phases and then adding them in the correct order. As soon as you define one phase, a final phase is added to the list automatically.
By default, this phase is named Verification. You can rename it, but it cannot be deleted. This phase is used as the final step in the life cycle of each ticket; tickets that are completed are automatically passed to this phase. In some organizations, the administrator uses this phase to review the work and validate its completion. If your organization is not interested in using this final check, you can complete the work by moving the ticket to the Verification phase.

Ticket rules

A ticket rule is a rule that specifies entities to be ticketed. Tickets Auto Generation tasks check all entities against the appropriate ticket rules (for example, all Business Asset Groups against ticket rules for Business Asset Groups), creating new tickets when necessary and updating existing ones.

This section describes how to set the parameters for Skybox View ticket rules and how to adjust the content of alerts that are sent when tickets are created, changed, or deleted by these ticket rules.

The types of ticket rules included in Skybox View are listed in the following table.

Ticket rule type / Used to...

Skybox Vulnerability Control:
Business Asset Groups (on page 229): Trigger automatic creation of Business Asset Group tickets (see page 220)
Vulnerability occurrences (on page 231): Trigger automatic creation of vulnerability occurrence tickets (on page 220)

Skybox Vulnerability Control and Skybox Threat Manager:
Vulnerability definitions (on page 230): Trigger automatic creation of vulnerability definition tickets (on page 221)

Skybox Firewall Assurance and Skybox Network Assurance:
Access Change (on page 231): Trigger automatic creation of Access Change tickets (see page 222)
Access Policy violation (on page 232): Trigger automatic creation of Access Policy violations tickets (see page 224)

Setting ticket rule parameters

Note: A ticket is created for an entity only if the entity matches all parameters of the ticket rule in the General and History tabs.

To change a ticket rule's parameters
1 Select Tools > Administrative Tools > Ticket Rules.
2 In the Skybox View Admin window, do one of the following:
   Double-click the desired ticket rule in the Table pane.
   Select the desired ticket rule in the Table pane; on the toolbar, click the Properties icon.
In the Ticket Rule dialog box, you can modify all parameter values except for Ticket Type.

To create a ticket rule
1 Select Tools > Administrative Tools > Ticket Rules.
2 Do one of the following:
   On the toolbar, click the New Ticket Rule icon.
   In the Admin tree, right-click Ticket Rules and select New Ticket Rule.

The parameters of the Ticket Rule Properties dialog box that are common to all Skybox View ticket rule types are described in Ticket Rule Properties dialog box (on page 227). For the parameters of the Ticket Rule Properties dialog box that are specific to each ticket rule type, see the specific ticket rule type.

Ticket Rule Properties dialog box

The Ticket Rule Properties dialog box contains the following tabs: General, Alerts, Comments, and History.
General tab

The General tab consists of two panes:

  General: Contains fields that are common to all ticket rules. They are described in the following table.
  <Ticket rule type>: Contains fields that are specific to each ticket rule type. For information about these fields, see the following sections:
    In Skybox Vulnerability Control:
      Business Asset Groups ticket rules (on page 229)
      Vulnerability occurrences ticket rules (on page 231)
      Vulnerability definitions ticket rules (on page 230)
    In Skybox Network Assurance:
      Access Change ticket rules (on page 231)
      Access Policy violations ticket rules (on page 232)

The parameters of the General tab (General pane) of ticket rules are described in the following table.

Name: A name for the ticket rule.
Ticket Type: The type of entity to which the ticket rule applies.
Ticket's Owner: The owner of the tickets created by this rule.
Should be Handled Within: If the tickets created by this rule should have a due date, select this option and type the desired number (1-999) of days or weeks between the creation date of each ticket and its due date.
Alert Only: Specifies whether to send alerts (as specified in the Alerts tab (see page 229)) for this ticket rule type without opening any tickets. Note: If selected, tickets are still created, but with a status of Closed, for tracking purposes.

Alerts tab

In the Alerts tab of the Ticket Rules dialog box, you specify who is notified about a ticket that is created according to this ticket rule and how to send the alert. For additional information, see Defining alerts.

Comments tab

The Comments tab of the Ticket Rules dialog box contains your description of the ticket rule. Supplying a description does not affect the ticket rule. It is optional but strongly recommended. You can configure the Ticket Rules table to include a User Comments column.

History tab

The History tab of the Ticket Rules dialog box allows you to specify that tickets are created only for entities created or modified by specific users or during specific time frames.
The parameters of the History tab are described in the following table.

Created Since: Tickets are created only for entities created in the specified time interval.
Created by: Tickets are created only for entities created by a user whose name contains the specified string.
Modified Since: Tickets are created only for entities modified in the specified time interval.
Modified by: Tickets are created only for entities modified by a user whose

name contains the specified string.

Defining alerts

To define an alert
1 In the Alerts tab of the Ticket Rule dialog box, click Add.
2 In the New Ticket Alert dialog box:
  a) In the Media Type field, select one of the following values:
     Email: Email alerts are sent to registered Skybox View users only. All types of users (individuals and external systems) can receive alerts, but users of type Recipient can only view the alerts; they have no access to Skybox View and so they cannot view the actual tickets.
     SNMP: SNMP alerts are sent to an external SNMP management system as SNMP traps.
     Syslog: Syslog alerts are sent as messages to the syslog server.
  b) Click the Browse button of the Recipient field.
  c) In the Recipient dialog box, select a recipient and click OK.
  d) Click OK.
3 Repeat steps 1 and 2 for each desired recipient of alerts for tickets created from this ticket rule.

Note: Admins can modify the content of ticket rule alerts (see Changing the content of ticket rule alerts (on page 232)).

Business Asset Groups ticket rules

These ticket rules are available only when working with Skybox Vulnerability Control.

Business Asset Groups ticket rules are triggers for automatic creation of Business Asset Group tickets (see page 220).
The parameters of Business Asset Groups ticket rules are described in the following table.

Risk Threshold: The risk threshold for which to create tickets: tickets are created only for Business Asset Groups whose risk is equal to or greater than the selected threshold.

The threshold can relate to the overall risk or to risk from a specific Threat Origin Category, such as Internal Threats or External Threats.
Network Scope: The Business Asset Groups for which to create tickets.
Ticket's Priority By: Specifies how to set the priority of tickets defined by this rule.
  A specific priority: This priority is assigned to all tickets created by the rule.
  Risk: The priority of each assigned ticket is set to the risk value of the ticketed Business Asset Group.
Imposed Risk Scale: Specifies how to display risk in tickets and alerts created by this ticket rule.

Vulnerability definitions ticket rules

These ticket rules are available only when working with Skybox Vulnerability Control and Skybox Threat Manager.

Vulnerability definitions ticket rules are triggers for automatic creation of vulnerability definition tickets (on page 221).

The parameters of vulnerability definitions ticket rules are described in the following table.

Imposed Risk Threshold: The minimum risk value of vulnerability definitions for which to create tickets.
Severity: The severity levels of vulnerability definitions for which to create tickets.
Commonality: The commonality of vulnerability definitions for which to create tickets.
Vulnerability Count Threshold: The minimum number of occurrences of a vulnerability definition in the model for a ticket to be created for the vulnerability definition.
Asset Count Threshold: The minimum number of assets in the model that are vulnerable to a vulnerability definition for a ticket to be created for the vulnerability definition.
Ticket's Priority By: Specifies how to set the priority of tickets defined by this rule.
  A specific priority: This priority is assigned to all tickets created by the rule.
  Imposed Risk, Severity, or Commonality: The priority of each assigned ticket is set to the value of the selected field of the ticketed vulnerability definition.
Imposed Risk Scale: Specifies how to display risk in tickets and alerts created by this rule.
Reported Date: Only vulnerability definitions created in the specified time interval are ticketed.
Source: The source or sources (such as DeepSight or the Skybox View Vulnerability Dictionary) for which to create new vulnerability definition tickets.
CVSS Base Score: The range of CVSS base scores of vulnerability definitions for which to create tickets.
CVSS Temporal Score: The range of CVSS temporal scores of vulnerability definitions for which to create tickets.
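The following is an added illustration of how a vulnerability definitions ticket rule behaves under the semantics described above; it is example code written for this guide, not Skybox code, and it does not reflect the product's internal implementation. It models three points a rule author should keep in mind: an entity is ticketed only if it matches every rule parameter (the Note under Setting ticket rule parameters), the ticket priority is either a fixed value or copied from the selected field (Imposed Risk, Severity, or Commonality), and an Alert Only rule still creates tickets, with status Closed. It also shows a Tickets Auto Generation pass creating tickets for new matches and updating an existing open ticket instead of duplicating it. The field names, the risk and severity labels, and the sample definitions are constructed for illustration only.

```python
"""Illustrative evaluator for a vulnerability definitions ticket rule.

Added example, not Skybox code. Field names, risk labels and the sample
definitions below are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Risk and severity labels are compared by rank, so a threshold of "High"
# also admits "Critical" (assumed scale).
RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class VulnDef:
    vuln_id: str
    title: str
    imposed_risk: str      # label on the Imposed Risk scale
    severity: str
    commonality: str
    asset_count: int       # assets in the model vulnerable to this definition
    cvss_base: float
    source: str            # e.g. "Skybox View Vulnerability Dictionary"


@dataclass
class Rule:
    name: str
    owner: str
    imposed_risk_threshold: str = "Low"
    severities: FrozenSet[str] = frozenset(RANK)
    asset_count_threshold: int = 1
    cvss_base_range: Tuple[float, float] = (0.0, 10.0)
    sources: Optional[FrozenSet[str]] = None    # None: any source
    priority_by: str = "High"   # fixed priority, or "Imposed Risk"/"Severity"/"Commonality"
    alert_only: bool = False


@dataclass
class Ticket:
    entity_id: str
    title: str
    owner: str
    priority: str
    status: str
    rule_name: str


def matches(rule: Rule, vd: VulnDef) -> bool:
    """A definition is ticketed only if it satisfies every rule parameter (AND)."""
    lo, hi = rule.cvss_base_range
    return (RANK[vd.imposed_risk] >= RANK[rule.imposed_risk_threshold]
            and vd.severity in rule.severities
            and vd.asset_count >= rule.asset_count_threshold
            and lo <= vd.cvss_base <= hi
            and (rule.sources is None or vd.source in rule.sources))


def priority_for(rule: Rule, vd: VulnDef) -> str:
    """Fixed priority, or the value of the selected field of the definition."""
    by_field = {"Imposed Risk": vd.imposed_risk, "Severity": vd.severity,
                "Commonality": vd.commonality}
    return by_field.get(rule.priority_by, rule.priority_by)


def run_rule(rule: Rule, definitions: List[VulnDef],
             existing: Dict[Tuple[str, str], Ticket]):
    """One Tickets Auto Generation pass. Returns (all tickets, created, updated)."""
    tickets = dict(existing)
    created: List[Ticket] = []
    updated: List[Ticket] = []
    for vd in definitions:
        if not matches(rule, vd):
            continue
        key = (rule.name, vd.vuln_id)
        priority = priority_for(rule, vd)
        if key in tickets:
            # Existing open ticket: refresh its priority if the model changed.
            t = tickets[key]
            if t.status != "Closed" and t.priority != priority:
                t.priority = priority
                updated.append(t)
            continue
        t = Ticket(entity_id=vd.vuln_id, title=f"{rule.name}: {vd.title}",
                   owner=rule.owner, priority=priority,
                   status="Closed" if rule.alert_only else "New",
                   rule_name=rule.name)
        tickets[key] = t
        created.append(t)
    return tickets, created, updated


# Constructed sample model and a rule resembling "Vuls with High Risk".
SAMPLE_DEFS = [
    VulnDef("VD-1", "Remote file handling", "High", "High", "Common", 12, 9.3,
            "Skybox View Vulnerability Dictionary"),
    VulnDef("VD-2", "Start/Stop utility DoS", "High", "Medium", "Rare", 3, 5.0,
            "Skybox View Vulnerability Dictionary"),
    VulnDef("VD-3", "Verbose error page", "Low", "Low", "Rare", 1, 2.1, "DeepSight"),
]
HIGH_RISK_RULE = Rule(name="Vuls with High Risk", owner="John",
                      imposed_risk_threshold="High",
                      severities=frozenset({"Medium", "High", "Critical"}),
                      priority_by="Imposed Risk")

if __name__ == "__main__":
    _, created, _ = run_rule(HIGH_RISK_RULE, SAMPLE_DEFS, {})
    for t in created:
        print(f"{t.priority:8} {t.status:6} {t.owner:6} {t.title}")
```

Running the module ticketes VD-1 and VD-2 (both at High imposed risk, both within the default CVSS range) and skips VD-3, whose imposed risk is below the threshold; a second pass over an unchanged model creates nothing, which is the behaviour to expect from a scheduled Tickets Auto Generation task.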

Vulnerability occurrences ticket rules

These ticket rules are available only when working with Skybox Vulnerability Control.

Vulnerability occurrences ticket rules are triggers for automatic creation of vulnerability occurrence tickets (on page 220).

The parameters of vulnerability occurrence ticket rules are described in the following table.

Imposed Risk Threshold: The exposure level and minimum risk value of vulnerability occurrences to ticket. Usually, the imposed risk threshold relates to total risk, but you can specify a specific source. Open the Imposed Risk Threshold dialog box (see page 197) to set these values.
Network Scope: The devices (container entities or specific devices) that this rule checks.
Operating System: The operating systems for which to create tickets; tickets are created for vulnerability occurrences on assets with the selected operating systems.
Vulnerability Definitions: The vulnerability definitions for which to create tickets. Open the Vulnerability Definition Finder dialog box (on page 198) to specify the vulnerability definitions.
Severity: The severity levels of vulnerability occurrences for which to create tickets.
Commonality: The commonality of vulnerability occurrences for which to create tickets.
Ticket's Priority By: Specifies how to set the priority of tickets defined by this rule.
  A specific priority: This priority is assigned to all tickets created by the rule.
  Imposed Risk, Severity, or Commonality: The priority of each assigned ticket is set to the value of the selected field of the ticketed vulnerability occurrence.
Imposed Risk Scale: Specifies how to display risk in tickets and alerts created by this ticket rule.

Access Change ticket rules

These ticket rules are available only when working with Skybox Network Assurance.

Access Change ticket rules are triggers for automatic creation of Access Change tickets (see page 222).
The parameters of Access Change ticket rules are described in the following table.

Network Scope: The network entities or container entities for which to create tickets.
Asset Type: The asset types for which to create tickets.
Ticket's Priority: The priority to assign to tickets defined by this rule.
ACL Changed Since: Create tickets only for devices that have access rules that changed in the selected time frame.

Access Policy violations ticket rules

These ticket rules are available only when working with Skybox Network Assurance.

Access Policy violations ticket rules are triggers for automatic creation of Access Policy violations tickets (see page 224).

The parameters of Access Policy violations ticket rules are described in the following table.

Policy Scope: The parts of the Access Policy (policy folders, policy sections, or specific Access Checks) for which to create tickets.
Device Scope: The device scope for which to create tickets; tickets are created for devices in the specified scope only.
Severity Threshold: The minimum severity of violations for which to create tickets.
Ticket's Priority By: Specifies how to set the priority of tickets defined by this rule.
  A specific priority: This priority is assigned to all tickets created by the rule.
  Importance: The priority of each assigned ticket is set to the equivalent of the severity of the ticketed device.

Changing the content of ticket rule alerts

The texts of the emails (alerts) sent by ticket rules are based on templates. There are separate templates for ticket headers and for details. Skybox View provides default templates, but you can customize them for your organization by changing the default template files. A complete ticket rule alert consists of a header and one or more details files.

When email alerts are specified for a ticket rule, only one message is sent per alert recipient, even if multiple tickets are generated for the rule. For the other media types, a separate alert message is sent for each ticket generated by the rule.

The following is a sample alert created by a Skybox Vulnerability Control ticket rule named Vuls with High Risk. It has one header and two details.

Chapter 21 Tickets reference

    ***************************************************************
    From: skyboxview
    Sent: Wednesday, October 27, :04 PM
    To: John Unix
    Subject: Ticket Rule Vuls with High Risk: 2 Tickets

    You have received 2 notifications from ticket rule "Vuls with High Risk".
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Title: Vuls with High Risk: Allaire ColdFusion Allows Remote Handling of Files
    Priority: High
    Owner: John
    Due Date:
    Detection Time:
    Vulnerability Name: Allaire ColdFusion Allows Remote Handling of Files
    Host: finance_server_0 [ ]
    Service: ColdFusion Server
    Severity: High
    Exposure: Indirect
    Imposed Risk: High
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Title: Vuls with High Risk: DoS in ColdFusion via Start/Stop Utility
    Priority: High
    Owner: John
    Due Date:
    Detection Time:
    Vulnerability Name: DoS in ColdFusion via Start/Stop Utility
    Host: finance_server_0 [ ]
    Service: ColdFusion Server
    Severity: Medium
    Exposure: Indirect
    Imposed Risk: High
    ****************************************************************

To edit a ticket rule alert template
1 Select the correct template (on page 233).
2 Open the template in a text editor.
3 Make changes to the template (on page 234).
4 Save the template.

Selecting the correct template

The ticket alert templates are stored in the following location:

    <Skybox_View_Home>\server\conf\ticket_templates

There are separate templates for each type of ticket. The _header templates define how the main information about the ticket appears in the alert; the other templates define the content of each detailed section in the alert.

The header files that are used for each type of alert are listed in the following table. The same header files are used for all ticket rule types.

Alert type: File name
Ticket created: create_ticket_header_template.txt
Ticket updated: update_ticket_header_template.txt
Ticket deleted: delete_ticket_header_template.txt

The files that are used for the details of each alert are listed in the following table. A different file is used for each ticket rule type.

Ticket rule type: File name
Access Change: access_change_alert_and_notification_template.txt
Business Asset Groups: business_assets_alert_and_notification_template.txt
Access Policy Violation: policy_violation_alert_and_notification_template.txt
Vulnerability Occurrences: vulnerabilities_alert_template.txt, vulnerability_notification_full_template.txt, vulnerability_notification_template.txt
Vulnerability Definitions: vulnerability_types_alert_and_notification_template.txt

Editing templates

Each template consists of static text and keywords (variables), as in the following example.

    General:
    Ticket ID: TICKET_ID
    Title: TITLE
    Priority: PRIORITY
    Status: STATUS
    Owner: USER
    Due Date: DUE_DATE
    Creation Time: DETECTION_TIME
    Vulnerability Types:
    Severity: VULT_SEVERITY
    Commonality: VULT_COMMONALITY
    Number of Instances: VULT_NUM_OF_INSTANCES
    Imposed Risk: VULT_IMPOSED_RISK

The text in the template is the actual text that appears in each alert of the selected type. The keywords are listed in the template as <KEYWORD_NAME>. Each keyword is replaced by the current value of the relevant field in Skybox View each time an alert is created.

Note: The names of the keywords cannot be changed. For a list of keywords that you can use in each type of alert, see Keywords for ticket rule alerts (on page 235).

You can change the text and the keywords, and you can add text and appropriate keywords to a file or delete text and keywords. For example, if the owner is not necessary for the alert type of the template, delete the line:

    Owner: USER

Keywords for ticket rule alerts

The keywords that you can use in alerts, and the ticket fields from which they are taken, are listed in the following tables.

You can use the following keywords in all alert headers.

Field: Keyword
<Name_of_changed_field>: MODIFIED_FIELD
<New_value_of_changed_field>: NEW_VALUE
<Old_value_of_changed_field>: OLD_VALUE
<Type_of_ticket_rule>: TICKET_TYPE
Ticket ID: TICKET_ID

You can use the following keywords for all alert types.

Field: Keyword
Creation Time: DETECTION_TIME
Due Date: DUE_DATE
Owner: USER
Priority: PRIORITY
Status: STATUS
Ticket ID: TICKET_ID
Title: TITLE

You can use the following keywords in all Access Change alerts.

Field: Keyword
Change Details: AC_CHANGE_DETAILS
Firewalls/Hosts: AC_FIREWALLS_HOSTS

You can use the following keywords in all Vulnerability Definition notifications.

Field: Keyword
Business Asset Exposure: BA_EXPOSURE
Business Asset Name: BA_NAME
Imposed Risk: BA_IMPOSED_RISK

You can use the following keywords in all Access Policy violation alerts.

Note: When the term rule is used in a field name or keyword, it means Access Check.

Field: Keyword
Rule: APR_DESCRIPTION
Rule Name: APR_NAME
Rule Path: APR_PATH
Creation Time: TEST_CREATION_TIME

Destination: TEST_DESTINATION
Services: TEST_SERVICES
Importance (of Access Check): APR_IMPORTANCE
Limitation (for Limited Access Checks): RULE_LIMITATION
Source: TEST_SOURCE
Test ID: TEST_ID
Type (of APR): RULE_TYPE
Violation Creation Time: VIOLATION_CREATION_TIME

You can use the following keywords in all Vulnerabilities alerts.

Field: Keyword
CVE Dictionary ID: VUL_CVE_CATALOG_ID
Description: VUL_DESCRIPTION
Host: VUL_HOST
Relevant Network Interfaces: NET_INTERFACES
SBV Dictionary ID: VUL_SBV_CATALOG_ID
Service: VUL_SERVICE

You can use the following keywords in all vulnerability definition alerts.

Field: Keyword
Commonality: VULT_COMMONALITY
Imposed Risk: VULT_IMPOSED_RISK
Number of Instances: VULT_NUM_OF_INSTANCES
Severity: VULT_SEVERITY
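The following Python is an added illustration of the template mechanism described above; it is example code, not Skybox View's own implementation. It renders a constructed Vulnerabilities details template for a list of tickets into the single email message that the guide says each recipient receives, and checks a customized template against the keyword tables before it is deployed. The <KEYWORD> form is taken from the guide; the template text, separator line, sample ticket values, and the treatment of unknown or valueless keywords are assumptions.

```python
import re
from typing import Dict, List, Sequence, Tuple

# The guide states that keywords appear in a template as <KEYWORD_NAME>.
KEYWORD_RE = re.compile(r"<([A-Z][A-Z0-9_]*)>")

# Keyword sets copied from the keyword tables on this page.
COMMON_KEYWORDS = {
    "DETECTION_TIME", "DUE_DATE", "USER", "PRIORITY", "STATUS", "TICKET_ID", "TITLE",
}
ALERT_KEYWORDS: Dict[str, set] = {
    "Vulnerabilities": COMMON_KEYWORDS | {
        "VUL_CVE_CATALOG_ID", "VUL_DESCRIPTION", "VUL_HOST",
        "NET_INTERFACES", "VUL_SBV_CATALOG_ID", "VUL_SERVICE"},
    "Access Change": COMMON_KEYWORDS | {"AC_CHANGE_DETAILS", "AC_FIREWALLS_HOSTS"},
    "Vulnerability Definitions": COMMON_KEYWORDS | {
        "VULT_COMMONALITY", "VULT_IMPOSED_RISK",
        "VULT_NUM_OF_INSTANCES", "VULT_SEVERITY"},
}

# Constructed details template, modelled on the sample alert in this chapter
# (not one of the shipped template files).
VULNERABILITIES_TEMPLATE = """\
Title: <TITLE>
Priority: <PRIORITY>
Owner: <USER>
Due Date: <DUE_DATE>
Detection Time: <DETECTION_TIME>
Vulnerability Name: <VUL_DESCRIPTION>
Host: <VUL_HOST>
Service: <VUL_SERVICE>"""

SEPARATOR = "=-" * 21  # constructed, like the divider line in the sample alert

# Constructed ticket field values; dates and the host address are sample data.
SAMPLE_TICKETS: List[Dict[str, str]] = [
    {"TITLE": "Vuls with High Risk: Allaire ColdFusion Allows Remote Handling of Files",
     "PRIORITY": "High", "USER": "John", "DUE_DATE": "2010-11-10",
     "DETECTION_TIME": "2010-10-27 12:04",
     "VUL_DESCRIPTION": "Allaire ColdFusion Allows Remote Handling of Files",
     "VUL_HOST": "finance_server_0 [192.0.2.10]", "VUL_SERVICE": "ColdFusion Server"},
    {"TITLE": "Vuls with High Risk: DoS in ColdFusion via Start/Stop Utility",
     "PRIORITY": "High", "USER": "John", "DUE_DATE": "2010-11-10",
     "DETECTION_TIME": "2010-10-27 12:04",
     "VUL_DESCRIPTION": "DoS in ColdFusion via Start/Stop Utility",
     "VUL_HOST": "finance_server_0 [192.0.2.10]", "VUL_SERVICE": "ColdFusion Server"},
]


def find_keywords(template: str) -> List[str]:
    """Return the distinct keyword names used in a template, in order of first use."""
    seen: List[str] = []
    for name in KEYWORD_RE.findall(template):
        if name not in seen:
            seen.append(name)
    return seen


def validate_template(template: str, rule_type: str) -> List[str]:
    """Return keywords in the template that are not valid for the ticket rule type.

    Run this on a customized template before deploying it: a misspelled keyword
    (for example <OWNER> instead of <USER>) would otherwise reach every alert.
    """
    allowed = ALERT_KEYWORDS[rule_type]
    return [name for name in find_keywords(template) if name not in allowed]


def render_details(template: str, ticket: Dict[str, str]) -> str:
    """Replace each <KEYWORD> with the ticket's value for that field.

    A keyword with no value for the ticket raises here; the guide does not say
    how Skybox View itself treats that case, so this behaviour is an assumption.
    """
    def substitute(match):
        name = match.group(1)
        if name not in ticket:
            raise KeyError(f"no value for keyword {name}")
        return ticket[name]
    return KEYWORD_RE.sub(substitute, template)


def build_email_alert(rule_name: str, template: str,
                      tickets: Sequence[Dict[str, str]]) -> Tuple[str, str]:
    """Build the one email message a recipient gets for a ticket rule run.

    As the guide describes, the message carries one header followed by one
    details block per ticket. The header wording follows the sample alert.
    """
    count = len(tickets)
    subject = f"Ticket Rule {rule_name}: {count} Tickets"
    parts = [f'You have received {count} notifications from ticket rule "{rule_name}".']
    for ticket in tickets:
        parts.append(SEPARATOR)
        parts.append(render_details(template, ticket))
    return subject, "\n".join(parts)
```

Calling build_email_alert("Vuls with High Risk", VULNERABILITIES_TEMPLATE, SAMPLE_TICKETS) yields a subject of "Ticket Rule Vuls with High Risk: 2 Tickets" and a body with two details blocks, while validate_template flags a stray <OWNER> keyword as invalid.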

Chapter 22 Reports reference

This chapter describes how to use and customize Skybox View reports. Reports in Skybox View are detailed accounts of specific data in the model, such as high risk entities, firewall changes, overdue tickets, or top ten entities.

In this chapter
Working with reports
Report Properties dialog box
Tickets reports
Skybox Vulnerability Control and Skybox Threat Manager reports
Skybox Firewall Assurance reports
Skybox Network Assurance reports

Working with reports

You work with reports in the Reports tree and workspace. Skybox View includes the types of reports listed in the following table.

All products
    Tickets (on page 243): Information about tickets, including their status (such as new or in progress), priority, and assigned owner

Skybox Vulnerability Control
    FISMA/NIST (on page 245): Information about systems, threat statements, risk assessment, and actions with milestones; used to meet FISMA risk reporting requirements. Note: FISMA/NIST reports and Risk Assessment reports (on page 249) provide the same information using different terminology. FISMA/NIST reports use the terminology required to meet the FISMA requirements.
    Security Metrics (on page 252): Security metrics information for a specific scope
    Risk Assessment (on page 249): Information about systems, threat statements, risk assessment, and actions with milestones; used to meet FISMA risk reporting requirements. Note: FISMA/NIST reports (on page 245) and Risk Assessment reports provide the same information using different terminology. FISMA/NIST reports use the terminology required to meet the FISMA requirements.
    Risks (on page 250): Information about entities (such as Business Asset Groups) that have the highest potential risk of being compromised
    PCI DSS (on page 247): Information about vulnerability occurrences found on system components, including Business Asset Groups, networks, and network devices

Skybox Threat Manager
    Threat Alert Management (on page 253): Information about vulnerability definitions for which threat alerts were issued

Skybox Vulnerability Control and Skybox Threat Manager
    Vulnerabilities (on page 255): Information about vulnerability occurrences found in the model; you can use these reports to review the vulnerability occurrences in a specific network segment, to filter exposed vulnerability occurrences, to show vulnerability occurrences with a specified severity level, or to show which vulnerability occurrences impose the highest risk on your organization

Skybox Firewall Assurance
    Access Compliance (on page 260): Policy-related information about firewalls, to help you understand the compliance status of your policy as applied to each of the specified firewalls and to identify problematic access configuration in your firewalls
    Change Tracking (on page 262): Information about changes to access rules and firewall objects in firewalls, to help you understand what changes were made in your firewalls during a specified period of time
    Firewall Assurance (on page 263): Overall information about the state of firewalls in the network, including any combination of: Compliance for Access and Rule Policy; Configuration Compliance; Optimization & Cleanup; Change Tracking
    Firewall Changes (on page 266): Information about changes to firewalls in the network, obtained by comparing the firewall's access rules and objects between two different models (such as Live and What If, or Live and Forensics) and presenting the changes
    NERC Compliance (on page 267): Information about the compliance of network devices, such as firewalls and routers, with the following NERC Critical Infrastructure Protection (CIP) standards of cyber security for the identification and protection of cyber assets: CIP Critical Cyber Asset Identification; CIP Security Management Controls; CIP Electronic Security Perimeters; CIP Systems Security Management
    PCI Firewall Compliance (on page 268): Information about compliance of firewalls with PCI DSS V2.0 requirement 1: Install and maintain a firewall configuration to protect cardholder data, a sensitive area within the trusted network of a company
    Rule Usage Analysis (on page 270): Rule usage information for firewalls, to help you understand the usage patterns of the access rules

Skybox Firewall Assurance and Skybox Network Assurance
    Access Checks (on page 259): Information about the Access Checks in your Access Policy

Skybox Network Assurance

    Network Compliance (on page 270): Policy-related information about the compliance of your organization's network, to help you understand the compliance status of your network with respect to your Access Policy and to identify problematic access configuration in your network

Skybox View reports

Skybox View reports are generated from report definitions, which are templates for reports that specify:
    What information to display in the report
    How to display it
    What output format to use for the report
    (Optional) A list of users who are to receive the report by email

Skybox View includes predefined report definitions for various purposes. You can generate reports from these report definitions without making changes to the definition. You can also customize the predefined reports or create other reports to suit the requirements of your organization.

Note: The predefined report definitions are available from the Public Reports folder. Users without access to this folder can create their own report definitions in the Private Reports folder.

You can generate reports manually and automatically (using tasks).

Generating reports manually

All reports can be generated from the Reports workspace. In addition, reports about specific entities can often be created by right-clicking the entity in the Tree pane (in other workspaces) and using the Reports shortcut menu.

To generate a report from a report definition
1 In the Reports tree, select the desired report definition.
2 Do one of the following:
    Right-click the report definition in the tree and select Generate.
    Click Generate in the workspace.
  You are asked whether to generate the report in the background or in the foreground. Because it can take some time to generate the report, it is often useful to generate in the background and keep working.
3 Select the desired generation method (background or foreground) and click OK.
  If the report is generated in the background, you can double-click in the status bar to open the Operational Console and follow the task's progress (using the displayed messages).
  A report based on the current data is generated from the report definition. When generation finishes, the report is displayed in the workspace.

Note: When reports are generated in the background, they are not visible in the workspace until you click.

Changing the default report generation method

Report generation can take some time, especially for reports with large amounts of information. When generating reports manually, you can generate the report in the foreground or in the background (as a temporary task). Generating in the foreground is slightly faster, but you cannot do other work in Skybox View until the report is generated. If you generate in the background, you can keep working at the same time. Reports generated by tasks are always generated in the background.

Each time that you generate a report manually, you are given a choice of report generation method unless you select Do not show this warning message again. If you select this option, all reports are generated according to the last method selected.

To toggle the default report generation method
1 Select Tools > Options > Manager Options > Reports Configuration.
2 In the Default Report Generation Method area, select Generate in the background as a Report Generation task or Generate in the foreground.
3 Click OK.

Note: When reports are generated in the background, they are not visible in the workspace until you click.

Distributing reports

By default, reports are visible in the workspace but are not distributed to users. However, you can specify recipients for reports in the report definition. Every time a report is generated from the selected report definition, a copy is sent by email to each specified recipient.

Note: Each recipient must be a registered Skybox View user.

Email recipients are specified in the Recipients field of the report definition (see Report Properties dialog box (on page 242)).

Automating reports

You can automate report creation using Report Auto Generation tasks (see Report generation tasks (on page 168)). Each type of report (that is, each report definition) requires a separate task. You can have several schedules for a report in one task. For example, generating a report on the 1st and 15th of each month requires two schedules.

Note: To send the report to specific users each time it is generated, edit the Recipients field of the report definition before running the task.

You can generate reports on a regular basis. You can also generate reports only after you update specific types of data: for example, you can generate a Vulnerability Occurrences (Overview) report every time a vulnerability occurrence scan is run, or a New Tickets report each time new tickets are created automatically, by including the report generation task in a task sequence after the triggering task. For information about scheduling tasks and using task sequences, see the Scheduling tasks and task sequences topic in the Skybox Vulnerability Control User's Guide, the Skybox Threat Manager User's Guide, the Skybox Firewall Assurance User's Guide, or the Skybox Network Assurance User's Guide.

Creating and editing report definitions

Report definitions are used to change the content or look-and-feel of the reports. You can create a report definition based on an existing definition or from scratch.

To create a report definition
1 In the Reports tree, right-click the parent node of the report definition and select New > Report Definition.
  Note: Users can create new reports in the Private Report Definitions folder. Admins can create new reports in any folder.
2 In the New Report Definition dialog box:
  a) In the Name field, type a name for the new report definition and select a Report Type. The second pane of the dialog box changes to display the relevant fields for the selected report type.
  b) Fill in the necessary information (see Report Properties dialog box (on page 242)).
  c) Do one of the following:
      Click OK to save the report definition without generating a report.
      Click Generate to save the report definition and generate a report.

To create a report definition based on an existing definition
Right-click a report definition and select Create Report Definition Like.

To edit a report definition
Right-click the report definition and select Properties.

Note: If you change a report definition, it is recommended that you also change its name, so that you still know what the report is about.

Report formats

You can generate reports in three formats:
    PDF (default): The best visual format
    HTML: Can be incorporated into a website or intranet site
    RTF: Can be edited and incorporated into other reports

Before you generate a report, select the format that best suits your requirements. You can see the format in the report details (in the workspace). The format appears in parentheses next to the name of the report definition, at the top of the pane. You change the format of a report using the Format field of the report's Properties dialog box. For information about report parameters, see Report Properties dialog box (on page 242).

Customizing Skybox View reports

You can change the logo in Skybox View reports from the Skybox View logo to a different one, such as your organization's logo. You can also change the background image.

To change the logo
1 Prepare the logo file: Use a graphic of exactly 738 x 138 pixels, and save it in GIF format with the name RP_Logo.gif.
2 Replace the file <Skybox_View_Home>/server/conf/report/images/oem1/RP_Logo.gif with the new file you prepared.

Note: You must restart the Skybox View Server to apply this change.

To change the background image
1 Prepare the image file: Use a graphic of exactly 654 x 802 pixels, and save it in JPEG format with the name RP_Background.jpg.
2 Replace the file <Skybox_View_Home>/server/conf/report/images/oem1/RP_Background.jpg with the new file you prepared.

Note: You must restart the Skybox View Server to apply this change.

Accessing copies of a generated report

Using the Reports tree, you can view the last report generated from each report definition. If necessary, access previous versions of reports on the Manager computer at:

    <Skybox_View_Home>\data\<model_type>\temp\clientreports

Note: HTML reports are stored as ZIP files. If you distribute an HTML report from the Server, use the ZIP file (rather than individual files from it) and unzip all the files into one folder at the destination location, so that the complete report can be viewed afterwards.

Changing the location of stored reports

You can change the default location of stored reports from the Skybox View home folder to the user's home folder. This is useful when a user does not have write access to all locations on their computer, or when multiple users are working on the same computer.

To store reports in the user's home folder
1 Select Tools > Options > Manager Options > Reports Configuration.
2 Select Save generated reports in the %HOMEPATH% directory.

When this option is selected, reports are stored at the following location:
    (Windows XP) C:\Documents and Settings\<user_name>\SkyboxView\<model_name>\temp\clientreports
    (Windows Vista and Windows 7) C:\Users\<user_name>\SkyboxView\<model_name>\temp\clientreports

Report Properties dialog box

To open the Report Properties dialog box of a report definition, right-click the report definition in the tree and select Properties. The Report Properties dialog box has two tabs:

General tab
The General tab consists of two panes:
    The General pane contains parameters common to all Skybox View report types. The Report Type can be specified only for a new report definition.
    The second pane contains parameters specific to each type of Skybox View report, as described in the following sections. For a new report definition, this pane is empty until you specify the Report Type field in the General pane.

Comments tab

The Comments tab contains your free-form comment that describes reports generated from this report definition. This comment is displayed next to these reports whenever they are listed in the Table pane of Skybox View.

Skybox View product: Reports
All products: Tickets (on page 243)
Skybox Vulnerability Control and Skybox Threat Manager: FISMA/NIST (on page 245); Security Metrics (on page 252); Risk Assessment (on page 249); Risks (on page 250); PCI DSS (on page 247); Threat Alert Management (on page 253); Vulnerabilities (on page 255)
Skybox Firewall Assurance: Access Checks (on page 259); Access Compliance (on page 260); Change Tracking (on page 262); Firewall Assurance (on page 263); Firewall Changes (on page 266); NERC Compliance (on page 267); PCI Firewall Audit (on page 268); Rule Usage Analysis (on page 270)
Skybox Network Assurance: Access Checks (on page 259); Network Compliance (on page 270)

Tickets reports

Tickets reports contain information about tickets, including their status (such as new or in progress), priority, and assigned owner.

Report sections

The following sections are included in a tickets report:
    Tickets Status and Priority: Ticket lifecycle statuses (such as New, In Progress, and Overdue) and their priority. The information is displayed using pie charts.
    Tickets Status per Owner: Ticket statuses for each Skybox View user to whom tickets are assigned. The information is displayed using a bar chart and a table.
    Tickets List: Tickets in the scope of the report. The tickets are grouped by priority, status, owner, or user group. The information is displayed using pie charts and tables. Detailed reports include links from each ticket in this section to the detailed information about the ticket in the Ticket Details section.
    (Optional) Tickets Details: Detailed information about each ticket, including information about the entity for which the ticket was created.

Report parameters

The parameters that control tickets reports are described in the following table.

Basic tab
    Detail Level: The level of detail about tickets to include in the report:
        Overview: Include summary information about tickets
        Details: Include detailed information about each ticket and the overview information
    Network Scope: The devices (container entities or specific devices) whose tickets are included in the report.
    Grouped by: Specifies how to group the tickets in the Tickets List section and the Ticket Details section.
    Ticket Attribute Filter
        Ticket Type: The type of tickets to include in the report.
        Ticket Phases: The phases of tickets to include in the report. This field is disabled if Ticket Type = Business Asset Group.
        Status: The statuses of tickets to include in the report.
        Priority: The minimum priority of tickets to include in the report.
        Ticket Owner: The ticket owners to include in the report. Tickets owned by other Skybox View users are not included in the report.
        Creation Date: The time interval since the creation date of tickets to include in the report.
        Due Date: The time interval of due dates for tickets to include in the report.
        Done Tickets Since: The time interval of end dates for tickets to include in the report.
        Modified Since (days): The number of days (counting back from the current date) since the ticket was modified. Only tickets with a modification date that is within the specified number of days at the time the report is generated are included in the report.
        Ticket Rule: The ticket rule used to generate tickets. Only tickets generated by this ticket rule are included in the report. If no ticket rule is selected, all tickets (whether generated by a ticket rule or manually) are considered for the report.

Advanced tab
    Products: The products or product groups to include in the report.
    Display Sections
        Open Tickets: Specifies whether the Tickets List and Tickets Details sections include a subsection for open tickets.
        Overdue Tickets: Specifies whether the Tickets List and Tickets Details sections include a subsection for overdue tickets.
        Invalid Tickets: Specifies whether the Tickets List and Tickets Details sections include a subsection for invalid tickets.
        Done Tickets: Specifies whether the Tickets List and Tickets Details sections include a subsection for completed tickets.
        Show User Comments: Specifies whether user comments on the tickets appear in the Tickets Details section.

            All: Show all user comments on each ticket
            None: Hide all user comments on each ticket
            Last: Show only the most recent user comment on each ticket
        Show Vulnerability Occurrences: Specifies whether vulnerability occurrence information is included in the Ticket Details section for each vulnerability occurrence ticket or vulnerability definition ticket.
        Show Solutions: Specifies whether vulnerability occurrence solutions are included in the Ticket Details section for each vulnerability occurrence ticket or vulnerability definition ticket.
            All: Show all known solutions for each vulnerability occurrence
            Selected: Show only the selected solutions for each vulnerability occurrence
            Selected. If none: Show only the selected solutions for each vulnerability occurrence; if no solution is selected, show all known solutions for each vulnerability occurrence. This is useful when you are using the report to see all vulnerability occurrences for each ticket and their solutions.
        Max. Number of Services: The maximum number of services to display in the details section for each access policy compliance ticket. If an access policy compliance ticket includes more than this number of services, Skybox View does not include all the services for that ticket in the report.
Skybox Vulnerability Control and Skybox Threat Manager reports

The following report types are available only when working with Skybox Vulnerability Control:
    FISMA/NIST (on page 245)
    Security Metric (on page 252)
    Risk Assessment (on page 249)
    Risks (on page 250)
    PCI DSS (on page 247)
    Vulnerability Management (on page 258)

The following report types are available only when working with Skybox Threat Manager:
    Threat Alert Management (on page 253)

The following report types are available when working with Skybox Vulnerability Control and Skybox Threat Manager:
    Vulnerabilities (on page 255)

FISMA/NIST reports

FISMA/NIST reports are available only when working with Skybox Vulnerability Control.

FISMA Risk Management reports present information about systems, threat statements, risk assessment, and actions with milestones. The reports are used to meet FISMA risk reporting requirements.

Note: FISMA/NIST reports and Risk Assessment reports (on page 249) provide the same information using different terminology. FISMA/NIST reports use the terminology required to meet the FISMA requirements.

Report sections

The following sections are included in a FISMA Risk Management report:
    Introduction: The purpose of the report, the staff members involved, and the tools used. The introductory text is completely customizable.
    System Characterization: An overview of the system and its components, including a list of the information systems, a list of assets for each information system, and a list of network devices.
    Threat Statements: The threats to the system and their risk levels.
    Risk Assessments: The threat observations for each information system, including risk level, origins, and impacts. In detailed reports, there is a link from each observation to a list of vulnerability occurrences that would enable the threat observation.
    Summary: Information about each threat observation (threat, attacker location, destination, and risk) and a list of recommended actions for each observation, in the form of Skybox View tickets.

Report parameters

The parameters that control FISMA/NIST reports are described in the following table.

Basic tab
    Detail Level: The level of detail about risk observations to include in the report:
        Overview: Include summary information about risk and risk observations
        Details: Include detailed information about each risk observation and the vulnerability occurrences that caused the risk, and the overview information
    Network Scope: The network entities or container entities to include in the report.
    Introduction Text
        Report Introduction Text: A free-form field used to hold the introductory text for the report.
        Report Risk Assessment Text: A free-form field used to hold the risk assessment text for the report.
    Threats
        Risk Threshold: The minimum risk threshold to use. Open the Risk Threshold dialog box to specify:
            A source: Only risk caused by threats from the specified source (Threat Origin Category) is included in the report.
            The minimum value to use for the report.
          Note: Only Business Asset Groups that have at least the minimum risk for the selected source are included in the report.
    Vulnerability Occurrences

        Vulnerability Occurrence Status: The status of vulnerability occurrences to include in the report; only vulnerability occurrences with one of the specified statuses are included in the report. Open the Vulnerability Occurrence Status dialog box (on page 195) to specify the desired statuses.
        Imposed Risk Threshold: Filters vulnerability occurrences according to the threat category to which they are exposed, their exposure level, and their imposed risk value. Open the Imposed Risk Threshold dialog box (see page 197) to set these values.
        Severity: The severity levels of vulnerability occurrences to include in the report; vulnerability occurrences with other severity levels are not included in the report.
    POA&M
        Status: The ticket statuses to include in the report.

Advanced tab
    Max Vulnerability Occurrences: The maximum number of vulnerability occurrences to include in the report for each observation.
    Severity Source: (Read only) The Skybox View Vulnerability dictionary is always used as the source of risk severity for the report.
    Severity Score Threshold: The minimum severity score (CVSS) of vulnerability occurrences to include in the report.

PCI DSS reports

PCI DSS reports are available only when working with Skybox Vulnerability Control.

PCI DSS reports present information about vulnerability occurrences found on system components, including Business Asset Groups, networks, and network devices. The vulnerability occurrences are listed as action items according to their exposure. The reports are used to meet PCI DSS requirement 6.1, but you can also use them to meet reporting requirements for other standards.

Report sections

The following sections are included in a PCI DSS report:
    Introduction: The purpose of the report. The introduction explains how the report provides evidence that the system meets (or does not meet) PCI DSS requirement 6.1. However, the text is completely customizable and you can change it if the report is used for different purposes.
    System Components: The system components that are included in the report scope, including Business Asset Groups, networks (if any), and network devices.
    Vulnerabilities: The vulnerability occurrences present on the system components. The vulnerability occurrences are grouped by their exposure to the potential attackers. Vulnerability occurrences with an exposure level of direct, indirect, or other are action items that require mitigation. Fixed and blocked vulnerability occurrences, if included, do not require mitigation.
    (Optional) Threat Origins: The Threat Origins that can affect the system components.
    (Optional) Asset Lists: The assets (non-network devices) and the network devices in the scope of the report, indicating their compliance with PCI DSS requirement 6.1. Compliant assets are those with no direct, indirect, or unknown vulnerability occurrences.

Report parameters

The parameters that control PCI DSS reports are described in the following table.

Basic tab
Report Sections
  Network and Group Scope Summary: (Read only) The System Components section is always included in the report.
  Vulnerability Occurrences: (Read only) The Vulnerabilities section is always included in the report.
  Mitigated Vulnerability Occurrences: Specifies whether to include vulnerability occurrences that are already mitigated as a subsection of the Vulnerabilities section.
  Threat Origins: Specifies whether to include the Threat Origins section in the report. Note: This section is not required for PCI DSS requirement 6.1.
  Asset Lists: Specifies whether to include the Asset Lists section in the report.
Report Scope
  Business Asset Groups & Units: The Business Units or specific Business Asset Groups to include in the report.
  Card Holder impacts: The Business Impacts and Regulations that, if present on a Business Asset Group, indicate that card holder data is stored on this Business Asset Group.
  Networks & Locations: The networks and locations to include in the report.
  Threat Origins: This field is enabled only if Threat Origins is selected as a report section. The Threat Origins to include in the report.
  Vulnerability Occurrence Severity: The severity levels (or scores) of vulnerability occurrences to include in the report; vulnerability occurrences with other severity levels are not included in the report.

Advanced tab
  Introduction Text: A free-form field used to hold the introductory text for the report.
  Severity Source: (Read only) The Skybox View Vulnerability Dictionary is always used as the source of risk severity for the report.
Table Limits
  Max Asset Groups in Asset Group Table: The maximum number of Business Asset Groups to display in the list of Business Asset Groups in the System Components section.
  Max Vulnerability Occurrences per Table: The maximum number of vulnerability occurrences to display in each list of vulnerability occurrences (direct, indirect, and so on) in the Vulnerability Occurrences section.
  Max assets per table: The maximum number of assets per table in the Asset Lists section.
Additional Vulnerability Occurrence Filters
  CVSS Base Score: The range of CVSS base scores of vulnerability occurrences to include in the report; vulnerability occurrences with other CVSS base scores are not included in the report.
  CVSS Temporal Score: The range of CVSS temporal scores of vulnerability occurrences to include in the report; vulnerability occurrences with other CVSS temporal scores are not included in the report.
  Vulnerability Occurrence Creation Date: The range of vulnerability occurrence creation dates to include in the report; vulnerability occurrences with other creation dates are not included in the report.
  Vulnerability Occurrence Modification Date: The range of vulnerability occurrence modification dates to include in the report; vulnerability occurrences with other last modification dates are not included in the report.

Risk Assessment reports

Risk Assessment reports are available only when working with Skybox Vulnerability Control.

Risk Assessment reports present information about systems, threat statements, risk assessment, and actions with milestones. The reports are used to meet FISMA risk reporting requirements.

Note: FISMA/NIST reports (on page 245) and Risk Assessment reports provide the same information using different terminology. FISMA/NIST reports use the terminology required to meet the FISMA requirements.

Report sections

The following sections are included in a Risk Assessment report:
- Introduction: The purpose of the report, the staff members involved, and the tools used. The introductory text is completely customizable.
- System Characterization: An overview of the system and its components, including a list of the Business Asset Groups, a list of assets for each Business Asset Group, and a list of network devices.
- Threat Statements: The threats to the system and their risk levels.
- Risk Assessments: The possible attacks for each Business Asset Group, including risk level, origins, and impacts. Detailed reports include a link from each attack to a list of vulnerability occurrences that would enable such an attack.
- Summary: Information about each attack (threat, attacker location, destination, and risk).
Report parameters

The parameters that control Risk Assessment reports are described in the following table.

Basic tab
  Detail Level: The level of detail about risks to include in the report:
    Overview: Include summary information about risks and attacks
    Details: Include detailed information about each attack and the vulnerability occurrences that caused this attack, and the overview information
  Network Scope: The entities to include in the report.
Introduction Text
  Report Introduction Text: A free-form field used to hold the introductory text for the report.
  Report Risk Assessment Text: A free-form field used to hold the risk assessment text for the report.
Threats
  Risk Threshold: The minimum risk threshold to use. Open the Risk Threshold dialog box to specify:
    A source: Only risk caused by threats from the specified source (Threat Origin Category) is included in the report.
    The minimum value to use for the report.
  Note: Only Business Asset Groups that have at least the minimum risk for the selected source are included in the report.
Vulnerability Occurrences
  Vulnerability Occurrence Status: The status of vulnerability occurrences to include in the report; only vulnerability occurrences with one of the specified statuses are included in the report. Open the Vulnerability Occurrence Status dialog box (on page 195) to specify the desired statuses.
  Imposed Risk Threshold: Filters vulnerability occurrences according to the threat category to which they are exposed, their exposure level, and their imposed risk value. Open the Imposed Risk Threshold dialog box (see page 197) to specify the desired exposure levels or the imposed risk threshold.
  Severity: The severity levels of vulnerability occurrences to include in the report; vulnerability occurrences with other severity levels are not included in the report.
Tickets
  Status: The ticket statuses to include in the report.

Advanced tab
  Max Vulnerability Occurrence: The maximum number of vulnerability occurrences to include for each attack in the report.
  Severity Source: (Read only) The Skybox View Vulnerability Dictionary is always used as the source of risk severity for the report.
  Severity Score Threshold: The minimum severity score (CVSS) of vulnerability occurrences to include in the report.
  Include section of vulnerability occurrences on Business Asset Groups: Specifies whether to include a section in the report that lists individual vulnerability occurrences on Business Asset Groups.

Risks reports

Risks reports are available only when working with Skybox Vulnerability Control.

Risks reports contain information about entities (such as Business Asset Groups) that have the highest potential risk of being compromised. Usually, risks reports are used to highlight the Business Asset Groups with the highest risk and to provide the risk factors that caused the risk on these Business Asset Groups.

For additional information about risks reports, see Risks reports in the Skybox Vulnerability Control User's Guide.

Report sections

The following sections are included in a risks report:
- Business Assets Count per Risk Level: The number of Business Asset Groups per risk level in the selected scope. (A Business Asset Group is a group of assets that serve a common business purpose.) The information is displayed using a bar graph and text.
- Business Assets at Risk Count over Time: The number of Business Asset Groups at each risk level for each specified time period (quarter or month).

The following sections can be included in a risks report, according to the report properties as described in the following table:
- Business Unit Risks, Business Asset Risks, Regulation Compliance Risks, and Threat Origin Risks sections: The risk levels of the Business Units, Business Asset Groups, Regulations, or Threat Origins in the selected scope. Detailed reports include links from each entity in these sections to the detailed information about the entity in the Risk Factors sections. Note: In this report, the term Regulation refers to Regulations and Business Impacts. You can also view trend data for Regulations and Threat Origins.
- Threat Origins by Business Assets: The Business Asset Groups that can potentially be damaged by each Threat Origin. Each entry presents a different Business Asset Group and the potential risk that could be caused to it by the Threat Origins listed in the Threat Origin Risks section.
- Risk Factors: Detailed information about the entities listed in the corresponding overview sections and an explanation of the factors used in analyzing their risk. The risk of a Regulation is calculated by aggregating the risk of the associated Business Asset Groups. For each Business Asset Group, only the risk portion generated by this Regulation is taken into consideration. The risk of a Threat Origin is calculated by aggregating the risks of the possible Business Impacts of attacks starting at that Threat Origin.

Report parameters

The parameters that control risks reports are described in the following table.

Basic tab
  Detail Level: The level of detail about risks to include in the report:
    Overview: Include summary information about risk levels for various entities
    Details: Include detailed information about each entity, explain the risk factors for the entity, and include the overview information
  Risk Threshold: The minimum risk value of entities to include in the report. Open the Risk Threshold dialog box to specify:
    A source: Only risk caused by threats from the specified source (Threat Origin Category) is included in the report.
    The minimum value to use for the report.
  Risk Scale: The type of risk scale to use.
Business Units and Asset Groups
  Display 'Business Units': Specifies whether the report includes sections about Business Units.
  Display 'Business Asset Groups': Specifies whether the report includes sections about Business Asset Groups.
  Display Trends for Business Asset Groups: This field is disabled if Display 'Business Asset Groups' = None. If this field has a value of Yes, additional sections with information about Business Asset Group risk trends are included in the report.
  Business Unit Scope: This field is disabled if Display 'Business Asset Groups' = None. The scope of Business Units for the Business Asset Groups.
  Display 'Group Count Over Time': This field is disabled if Display 'Business Asset Groups' = None. Specifies whether the report includes the Business Assets at Risk Count over Time section, which displays the risk levels of Business Asset Groups over time.
  Display 'Regulation Compliance': Specifies whether the report includes sections about Regulations (and Business Impacts). If Display 'Regulation Compliance' = Yes (With Trend), an additional section with information about regulation compliance trends is included in the report.
  Regulation Compliance Scope: This field is disabled if Display 'Regulation Compliance' = No. The Regulations and Business Impacts to include in the report.
Threats
  Display 'Threat Origins': Specifies whether the report includes sections about Threat Origin risk. When Yes (With Trend) is selected, an additional section with information about Threat Origin risk trends is included in the report.

Advanced tab
Trend
  Trend Frequency: The frequency (quarterly or monthly) of trend samples for the report when trend sections are displayed.
  Trend Sample Count: The number of samples to show in the trends.
  Trend End Date: The last date for which to show trend data in the report. This is useful for history reports.
Security Metrics reports

Security Metrics reports are available only when working with Skybox Vulnerability Control.

Security Metrics reports display security metric information for the specified scope and provide another way to view this information. For additional information about viewing and analyzing security metrics, see the Analyzing security metrics section in the Skybox Vulnerability Control User's Guide.

Report sections

The following sections are included in a Security Metrics report:
- <Selected_unit>: A snapshot of the security metric score for the selected unit. It includes a breakdown of the score by the subunits of the selected unit and a graph of the score over time. The subunits in the table are sorted by their contribution to the overall score. If you choose to display two levels of security metrics in the report, each subunit in the table is linked to a subsection displaying a snapshot of the security metrics for that subunit.
- Top-10 Vulnerability Types: The ten vulnerability occurrences that contribute the most to the VLI score of the selected unit.

Report parameters

The parameters that control Security Metrics reports are described in the following table.

Basic tab
  Network Scope: The Business Unit or Business Asset Group whose security metrics are included in the report. If no entity is selected, the report is presented for the organization (that is, for the root node of your organization). Note: These reports include security metrics for the selected entity and optionally for its child subunits (one level down). They do not include information for additional levels.
Security Metrics
  Security Metrics: The type of security metrics to use for this report (usually VLI or RLI).
  Trend Period: The trend frequency to use for security metric trend information (weekly or monthly).
  Number of Levels: The number of levels in the business hierarchy to include in the report (1 or 2).
    1: The report includes information about the selected entity only
    2: The report includes information about the selected entity and its child subunits

Advanced tab
  Max. Number of Units: The maximum number of Business Units to include in the report (as children of the selected entity). If Network Scope includes more than this number of Business Units, Skybox View does not include all the Business Units in the report.

Threat Alert Management reports

Threat Alert Management reports are available only when working with Skybox Threat Manager.

Threat Alert Management reports contain information about vulnerability definitions for which threat alerts were issued. For additional information, see Threat Alert Management reports in the Skybox Threat Manager User's Guide.

Report sections

The following sections are included in a Threat Alert Management report:
- Vulnerability Definitions List: The vulnerability definitions included in the report, by their status.
- (Optional) Vulnerability Definitions Details: Detailed information about the vulnerability definitions and known solutions for each one, as listed in the Skybox View Vulnerability Dictionary. This section is not displayed in overview reports.

Report parameters

The parameters that control Threat Alert Management reports are described in the following table.

Basic tab
  Detail Level: The level of detail about vulnerability definitions to include in the report:
    Overview: Include summary information about the vulnerability definitions
    Details: Include detailed information about each vulnerability definition, including known solutions, and the overview information
  ID: The ID numbers of the vulnerability definitions (in the alert source) to include in the report.
  Title: A string for filtering the titles of vulnerability definitions to include in the report. Use the characters ? and * for standard pattern matching.
  Status: The statuses of the vulnerability definitions to include in the report (Irrelevant, Resolved, In Progress, or Unassigned).
  Severity: The severity levels or minimum severity score of the vulnerability definitions to include in the report.
  CVSS Base Score: The range of CVSS base scores of the vulnerability definitions to include in the report.
  CVSS Temporal Score: The range of CVSS temporal scores of the vulnerability definitions to include in the report.
Creation & Modification
  Reported Date: Only vulnerability definitions reported in the specified time interval are included in the report.
  Modification Date: Only vulnerability definitions modified in the specified time interval are included in the report.
  Sort: Specifies how to sort the vulnerability definitions in the report.

Advanced tab
  Vulnerability Count Threshold: The minimum number of occurrences on the network that a vulnerability definition must have for the vulnerability definition to be included in the report.
  Asset Count Threshold: The minimum number of occurrences on assets that a vulnerability definition must have for the vulnerability definition to be included in the report.
  Severity Source: (Read only) The Skybox View Vulnerability Dictionary is always used as the source of risk severity for the report.
Custom Vulnerability Definitions
  Created by: The creators of custom vulnerability definitions to include in the report.
  Custom Vulnerabilities Only: Specifies whether to include only custom vulnerability definitions in the report.

Vulnerabilities reports

Vulnerabilities reports are available only when working with Skybox Vulnerability Control and Skybox Threat Manager.

Vulnerabilities reports contain information about vulnerability occurrences found in the model. Usually, the reports are used to review the vulnerability occurrences in a specific network segment or location, to filter exposed vulnerability occurrences, to show vulnerability occurrences with a specified severity level, or to show vulnerability occurrences that impose the highest risk on your organization.

For additional information about vulnerabilities reports, see the Vulnerabilities reports section, including the Limiting the scope of vulnerabilities reports topic, in the Skybox Vulnerability Control User's Guide.

Report sections

The following sections can be included in a vulnerabilities report:
- Vulnerabilities Severity, Risk and Exposure: The vulnerability occurrences included in the report grouped by severity, risk, and exposure level. The information is displayed using pie charts and tables.
- Vulnerability Count over Time: Trends in the vulnerability occurrence count. The graph refers to all vulnerability occurrences in the network scope of the report, regardless of Vulnerability Occurrence Attribute filters defined in the report.
- Vulnerabilities By Operating System / By Location / By Business Unit / By Business Asset Group / By Type: The vulnerability occurrences included in the report grouped by the selected entity (operating system, location, and so on). The information in each section is displayed as a bar chart of the top five entities with the most vulnerability occurrences, followed by a table.
- Vulnerabilities per Host Grouped by Host: Detailed information about the vulnerability occurrences on each asset. The section is not displayed in overview reports. For reports including solutions, each vulnerability occurrence is linked to a list of known solutions (in the Vulnerabilities and Solutions section).
- Vulnerabilities and Solutions: Known solutions for each vulnerability definition in the report, as listed in the Skybox View Vulnerability Dictionary, and the assets on which the vulnerability definition is found. Each asset is linked to the vulnerability occurrence in the Vulnerabilities per Host Grouped by Host section, so that you can view information about the vulnerability occurrence on that asset. This section is included when Detail Level = Details & Solutions.

Report parameters

The parameters that control vulnerabilities reports are described in the following table.

Basic tab
  Detail Level: The level of detail about vulnerability occurrences to include in the report:
    Overview: Include summary information about the vulnerability occurrences
    Details: Include detailed information about each vulnerability occurrence and the overview information
    Details & Solutions: Include known solutions for each vulnerability occurrence, and the overview and detailed information
  Important: Overview information is provided for all vulnerability occurrences that meet the criteria of the report. Detailed information and solutions are only provided for the first 50 vulnerability occurrences. Therefore, for Details or Details & Solutions reports, it is recommended that you narrow the criteria so that the report includes fewer than 50 vulnerability occurrences.
  Network Scope: The assets (container entities or specific assets) whose vulnerability occurrences are included in the report.
  Operating System: The operating systems to include in the report.
  Assets Grouped by: Specifies how to group the assets in the Vulnerability Occurrences per Asset section. If None is selected, the assets are listed alphanumerically (and not grouped). Note: The Vulnerability Occurrences per Asset section is only included when Detail Level = Details or Detail Level = Details & Solutions.
Vulnerability Occurrence Attribute Filter
  Vulnerability Definitions: The vulnerability definitions to include in the report. Open the Vulnerability Definition Finder dialog box (on page 198) to specify vulnerability definitions.
  Vulnerability Occurrence Status: The vulnerability occurrence statuses to include in the report. Open the Vulnerability Occurrence Status dialog box (on page 195) to select basic and advanced statuses.
  Status Change Date: Select Custom to define a specific date range by:
    Specifying starting and ending dates for the scan
    Specifying starting and ending times relative to the current time
  Imposed Risk Threshold: The source (Threat Origin Category), exposure level, and minimum risk value to use in the report. Open the Imposed Risk Threshold dialog box (see page 197) to set these values.
  Severity Source: The source against which to check the severity of the vulnerability definitions.
  Severity Level: The severity levels of vulnerability occurrences to include in the report.
  Severity Score Threshold: The minimum severity score (CVSS) of vulnerability occurrences to include in the report.
  Scan Time Filtering Mode: Specifies which results to include:
    Not Scanned in: Vulnerability occurrences that were not scanned in a specified period of time
    Last Scan Time: Vulnerability occurrences that were last scanned before a specific date. Used in conjunction with the Scan Time field.
  Last Scan Time: A range of dates: only vulnerability occurrences scanned within the selected time interval are included in the report. Select Custom to define a specific date range by:
    Specifying starting and ending dates for the scan
    Specifying starting and ending times relative to the current time
  Created Since: Only vulnerability occurrences created in the specified time interval are included in the report. Select Custom to define a specific date range by:
    Specifying starting and ending dates for the scan
    Specifying starting and ending times relative to the current time

Advanced tab
  Risk Scale: The type of risk scale to be used for displaying risk values.
  Commonality: The commonality values of vulnerability occurrences to include in the report.
Display Sections
  Vulnerability Occurrences By Operating System: Specifies whether to include the Vulnerabilities By Operating System section in the report:
    No: Do not include this section.
    Yes (By Family): Include this section and group the vulnerability occurrences by operating system families.
    Yes (By Product): Include this section and group the vulnerability occurrences by products (specific operating systems).
  Vulnerability Occurrences By Location: Specifies whether to include the Vulnerabilities By Location section in the report.
  Vulnerability Occurrences By Business Units: Specifies whether to include the Vulnerabilities By Business Unit section in the report.
  Vulnerability Occurrences By Business Asset Groups: Specifies whether to include the Vulnerabilities By Business Asset Group section in the report.
  Vulnerability Occurrences By Vulnerability: Specifies whether to include the Vulnerabilities By Type section in the report.
  Vulnerability Occurrences Grouped by: Specifies how to show the breakdown of vulnerability occurrences in the aforementioned sections:
    Severity: Show the breakdown of the vulnerability occurrences in each section by severity.
    Risk: Show the breakdown of the vulnerability occurrences in each section by risk level.
  Vulnerability Occurrences Detailed Format: Specifies how to list the vulnerability occurrences in the Vulnerabilities per Host Grouped by Host section.
    No: List all vulnerability occurrences for a single asset together, in a table containing the main information about each one.
    Yes: List each vulnerability occurrence for an asset separately, with all of its details.
Trend
  Display Trend: Specifies whether to include trend information in the report. Note: Currently, the only trend available is Vulnerability Count over Time.
  Trend Frequency: This field is enabled only if Display Trend = Yes. The frequency of trends included in the report.
  Trend Sample Count: This field is enabled only if Display Trend = Yes. The number of samples included in the trend graphs.

Vulnerability Management reports

Vulnerability Management reports are available only when working with Skybox Vulnerability Control.

Vulnerability Management reports contain information about the vulnerability and risk management process in a format similar to that displayed in the UI. For additional information about Vulnerability Management reports, see Vulnerability Management reports in the Skybox Vulnerability Control User's Guide.

Report sections

The following section is included in all Vulnerability Management reports:
- Summary: The information provided in the main Discovery Center and Analytics Center pages.

You can specify which other information to include in the report, as described in the following table.

Report parameters

The parameters that control Vulnerability Management reports are described in the following table.

Basic tab
Vulnerability Management Features
  Discovery Summary: Specifies whether the report includes information from the Discovery Center dashboard.
  Analytics Summary: Specifies whether the report includes information from the Analytics Center dashboard.
  Security Metric Details: This field is enabled only if Analytics Summary is selected. Specifies whether the report includes details about security metrics.
  Select Security Metrics: This field is enabled only if Security Metric Details is selected. The security metrics to include in the report.
  Change Period: This field is enabled only if Security Metric Details is selected. The change period to include in the report. Select Custom to define a specific date range by:
    Specifying starting and ending dates for the change period
    Specifying starting and ending times relative to the current time for the change period
  Exposure: This field is enabled only if Analytics Summary is selected.

Advanced tab
  Max. Number of New Vulnerability Occurrences
  Max. Number of Business Asset Groups
  Max. Number of Threat Origins
  Max. Number of Regulation Types
  Max. Number of Units
  Max. Number of vulnerability definitions by Contribution to Security Metric

Skybox Firewall Assurance reports

The following report types are available when working with Skybox Firewall Assurance:
- Access Checks (on page 259)
- Access Compliance (on page 260)
- Change Tracking (on page 262)
- Firewall Assurance (on page 263)
- Firewall Changes (on page 266)
- NERC Compliance (on page 267)
- PCI Firewall Audit (on page 268)
- Rule Usage Analysis (on page 270)

Note: Firewall Assurance reports can provide any combination of change tracking, Access Compliance, Rule Compliance, Configuration Compliance, and rule usage analysis information in a single report. Most of this information is also available in separate reports.

Access Checks reports

Access Checks reports are available only when working with Skybox Firewall Assurance or Skybox Network Assurance.

Access Checks reports provide information about the Access Checks in your Access Policy. For additional information about Access Checks reports:
- When working with Skybox Firewall Assurance, see the Access Checks reports for Firewall Auditing topic in the Skybox Firewall Assurance User's Guide.
- When working with Skybox Network Assurance, see the Access Checks reports for Network Auditing topic in the Skybox Network Assurance User's Guide.

Report sections

The following sections are included in an Access Checks report:
- Access Checks Overview: The Access Checks by policy section. The information is displayed using tables. Detailed reports include links from each Access Check in this section to detailed information about the Access Check in the next section.
- (Optional) Access Checks Details: Detailed information about each Access Check, in the same order used in the previous section.

Report parameters

The parameters that control Access Checks reports are described in the following table.

Basic tab
  Detail Level: The level of detail about Access Checks to include in the report:
    Overview: Include summary information about the Access Policy, including a list of the Access Checks in each policy section
    Details: Include detailed information about each Access Check and the overview information
  Policy Scope: The parts of the Access Policy (policy folders, policy sections, or specific Access Checks) to include in the report.
  Severity Threshold: The minimum severity of Access Checks to include in the report.
  Sort by: Specifies how to sort the policy sections in the report.

Advanced tab
  Max. Number of Services: This field is enabled only if Detail Level = Details. The maximum number of destination services to include in the report for each Access Check in the Details section. If an Access Check includes more than this number of destination services, Skybox View does not include all the destination services for this Access Check in the report.
  Length of Rule: The maximum length of the description of each Access Check to include in the Details section.

Access Compliance reports

Access Compliance reports are available only when working with Skybox Firewall Assurance.

Access Compliance reports provide policy-related information about specified firewalls and help you to understand the compliance status of your policy as applied to each of the specified firewalls and to identify problematic access configuration in your firewalls.

For additional information about Access Compliance reports, see the Access Compliance reports topic in the Skybox Firewall Assurance User's Guide.

Report sections

The following sections are included in an Access Compliance report:
- Summary: The number of firewalls in the report's scope, a pie chart displaying a breakdown of access tests and violations for the firewalls in the scope, and a list of links to firewalls in the report, with the firewall name, IP address, and compliance percentage.
- Sections for each firewall separately: These sections are listed and described in the following table.

Report parameters

The parameters that control Access Compliance reports are described in the following table.

Basic tab
  Firewall Scope: The firewalls or firewall folders to include in the report.
  Group by Policy Sections: Specifies whether to group the information about each firewall by policy sections.
Report Sections: The sections to display for each firewall in the report
  Overview: (Read only) Access Compliance reports always include a section named <firewall_name> for each firewall. The section includes the firewall's name and IP address, and a table of each policy section with its compliance rate for this firewall.
  Filter by Severity: Specifies whether to include only violations of specific severities in the report.
  Display Violations: Specifies whether to include a section containing information about violations for each firewall. The name of the section and its contents depend on the value selected from the drop-down list:
    Violations Only: The sections are named Violations for <firewall_name> and contain only violations.
    All Tests: The sections are named Access Tests for <firewall_name> and list all access tests (compliant tests and violations) for each firewall.
    New Violations: The sections are named Violations for <firewall_name> and contain only new violations (according to the definition in Options > Server Options > Entity Settings).
  Violating Access Rules: Specifies whether to include a section named Violating Access Rules for <firewall_name> for each firewall. This section contains a table listing the violating access rules for the firewall. The table is followed by detailed information about each violating access rule, including a list of Access Checks violated by the access rule.
  Exceptions: Specifies whether to include a section named Firewall Exceptions for <firewall_name> for each firewall. This section lists the exceptions for the firewall.
  Access Rules: Specifies whether to include a section named Access Rules for <firewall_name> for each firewall. This section lists the access rules (grouped by rule chain) for each firewall in the report.

Advanced tab
  Introductory text: The text to display at the beginning of the report, as an introduction.
  Policy Scope: The parts of the Access Policy (policy folders, policy sections, or specific Access Checks) to include in the report.
  Split if scope is greater than: For detailed reports, specifies the maximum number of firewalls to present in one report. When there are more firewalls than this in a detailed report, all the summaries are presented together in the report, but the detailed information for each firewall is saved as a smaller, linked report.
  Max. Number Of Firewalls: The maximum number of firewalls to include in the report. If Firewall Scope includes more than this number of firewalls, Skybox View does not include all the firewalls in the report.
  Include only Non-Compliant Firewalls: Specifies whether to include all firewalls in the scope that match the firewall filters, or only firewalls that have compliance metrics and do not meet the Compliance Threshold.
  Compliance Threshold (%): This field is enabled only if Include only Non-Compliant Firewalls is selected. Only firewalls whose compliance level is equal to or less than this threshold are included in the report.
Firewall Filters
  Firewall Type: The types of firewalls to include in the report.
  Operating System: The operating systems to include in the report.
Exception Filters: These fields are enabled only if Exceptions is selected in the Basic tab.
  Created Since: Only exceptions created in the specified time interval are included in the report. Select Custom to define a specific date range by:
    Specifying the earliest creation date for exceptions in the report
    Specifying the earliest creation time relative to the current time for exceptions in the report
  Expiration Date: Only exceptions that expire in the specified time interval are included in the report. Select Custom to define a specific date range by:
    Specifying the earliest expiration date for exceptions in the report
    Specifying the earliest expiration time relative to the current time for exceptions in the report

Change Tracking reports

Change Tracking reports are available only when working with Skybox Firewall Assurance.

Change Tracking reports provide information about changes to access rules and firewall objects in specified firewalls and help you to understand what changes were made in your firewalls during a specified period of time. For additional information about Change Tracking reports, see Change Tracking reports in the Skybox Firewall Assurance User's Guide.

Report sections

The following sections are included in a Change Tracking report:
- Summary: A list of changed firewalls followed by a list of all the changes included in the report.
- For each firewall in the report:
  <firewall_name>: The number of changed access rules and objects found for this firewall.
  Changed Access Rules: The changed access rules for the firewall with the main parameters of each one. Detailed reports include links from each access rule in this section to detailed information in the Changed Access Rules Details section.
  Changed Objects: The changed firewall objects for the firewall with the main parameters of each one. Detailed reports include links from each object in this section to detailed information in the Changed Objects Details section.
  (Optional) Changed Access Rules Details: Information about each changed access rule, including deleted rules.
  (Optional) Changed Objects Details: Information about each changed firewall object, including deleted objects.

Report parameters

The parameters that control Change Tracking reports are described in the following table.

Basic tab

Tracking Period: The tracking period to use for the report. Select Custom to define a specific date range by:
  - Specifying starting and ending dates for the tracking period
  - Specifying starting and ending times relative to the current time for the tracking period
Firewalls Scope
  Firewall Scope: The firewalls or firewall folders to include in the report.
  Firewall Type: The types of firewalls to include in the report.
Report Sections
  All Changes: (Read only) The report always includes a section that lists all the changes in the scope of the report.
  Changes By FW: Lists all the changes for each firewall, with a separate chapter in the report for each firewall.
  Details: Lists detailed information about each change for each firewall, with a separate chapter in the report for each firewall.

Firewall Assurance reports

Firewall Assurance reports are available only when working with Skybox Firewall Assurance. Firewall Assurance reports provide a complete overview of the state of firewalls in the network, and can also include detailed information. These reports cover the following features: compliance for Access and Rule Policy, Configuration Compliance, Optimization & Cleanup, and Change Tracking. You can generate the report for any combination of these features.

Report sections

The following sections are included in a Firewall Assurance report:

Introduction: The types of information that can be included in the report.
Folder Summary: Summary information similar to that found on the folder's summary page.
Compliance Summary: Summary information about each feature in the report scope.

The following sections can optionally be included in a Firewall Assurance report, according to the report properties as described in the following table:

For each firewall in the report:
  Summary: <firewall_name>: Basic information about this firewall, and overview information about each feature in the report scope, similar to that displayed on the firewall's summary page.
  If any detailed information is requested, a separate section for each firewall in the report (named Details: <firewall_name>) includes the relevant detailed information divided by features.

Report parameters

The parameters that control Firewall Assurance reports are described in the following table.

Basic tab

Firewall Scope: The firewalls and firewall folders to include in the report. Note: If the report is created for a single firewall folder, there is a folder summary section at the beginning of the report.
Report Level: Specifies the detail level of the report:
  - Overview: High-level report that summarizes compliance by feature for all firewalls. When the scope is a single folder, the folder summary is also included.
  - Firewall Summary: Overview information and summary information for each firewall per compliance feature.
  - Details: Firewall Summary information and detailed information for each firewall per compliance feature.
Compliance Features
  Access Compliance: Specifies whether to include summary information about Access Compliance.
    Policy Scope: This field is displayed only if Report Level = Details. The parts of the Access Policy (policy folders, policy sections, or specific Access Checks) to include in the report.
    Display Violations: This field is displayed only if Report Level = Details. Specifies whether to include a section containing information about Access Policy violations for each firewall. The name of the section and its contents depend on the value selected from the drop-down list:
      - Violations Only: The sections are named Violations for <firewall_name> and contain only violations.
      - All Tests: The sections are named Access Tests for <firewall_name> and list all access tests (compliant tests and violations) for each firewall.
      - New Violations: The sections are named Violations for <firewall_name> and contain only new violations (according to the definition in Tools > Options > Server Options > Entity Settings).
    Violating Access Rules: This field is displayed only if Report Level = Details. Specifies whether to include a section named Violating Access Rules for <firewall_name> for each firewall. This section contains a table listing the violating access rules for the firewall's Access Policy. The table is followed by detailed information about each violating access rule, including a list of Access Checks that are violated by the access rule.
    Exceptions: This field is displayed only if Report Level = Details. Specifies whether to include a section named Firewall Exceptions for <firewall_name> for each firewall. This section lists the Access Policy exceptions for the firewall.
  Rule Compliance: Specifies whether to include summary information about Rule Compliance.
    Display Violations: This field is displayed only if Report Level = Details. Specifies whether to include a section containing information about Rule Policy violations for each firewall. The name of the section and its contents depend on the value selected from the drop-down list:
      - Violations Only: The sections are named Violations for <firewall_name> and contain only violations.
      - All Tests: The sections are named Access Tests for <firewall_name> and list all access tests (compliant tests and violations) for each firewall.
      - New Violations: The sections are named Violations for <firewall_name> and contain only new violations (according to the definition in Tools > Options > Server Options > Entity Settings).
    Violating Access Rules: This field is displayed only if Report Level = Details. Specifies whether to include a section named Violating Access Rules for <firewall_name> for each firewall. This section contains a table listing the violating access rules for the firewall's Rule Policy. The table is followed by detailed information about each violating access rule, including a list of Rule Checks that are violated by the access rule.
    Exceptions: This field is displayed only if Report Level = Details. Specifies whether to include a section named Firewall Exceptions for <firewall_name> for each firewall. This section lists the Rule Policy exceptions for the firewall.
  Configuration Compliance: Specifies whether to include summary information about Configuration Compliance.
    Display Violations: This field is displayed only if Report Level = Details. Specifies whether to include a section containing information about Configuration Policy violations for each firewall. The name of the section and its contents depend on the value selected from the drop-down list:
      - Violations Only: The sections are named Violations for <firewall_name> and contain only violations.
      - All Tests: The sections are named Access Tests for <firewall_name> and list all access tests (compliant tests and violations) for each firewall.
      - New Violations: The sections are named Violations for <firewall_name> and contain only new violations (according to the definition in Tools > Options > Server Options > Entity Settings).
  Optimization & Cleanup: Specifies whether to include summary information about rule usage, and shadowed and redundant rules.
    Rule Usage Analysis Period: The period of time to use for rule usage analysis information in the report. Select Custom to specify a start time relative to the current time.
    Rule Usage: Specifies whether to include information about rule usage in detailed reports.
    Object Usage: Specifies whether to include information about object usage in detailed reports.
    Shadowed: Specifies whether to include information about shadowed rules in detailed reports.
    Redundant: Specifies whether to include information about redundant rules in detailed reports.
  Change Tracking: Specifies whether to include summary information about change tracking.
    Analysis Period: The period of time to use for change tracking information in the report. Select Custom to specify a start time relative to the current time.
    Appendix: List of all changes: Specifies whether to include an overall list of changes for all firewalls at the end of the report.
    Rule Changed: Specifies whether to include a list of changes to access rules in detailed reports.
    Object Changed: Specifies whether to include a list of changes to firewall objects in detailed reports.
    Detailed Rule Changed: Specifies whether to include detailed information about changes to access rules in detailed reports.
    Detailed Object Changed: Specifies whether to include detailed information about changes to firewall objects in detailed reports.

Advanced tab

Introductory Text: The text to use in the introduction to the report.
Max Number of detailed records: The maximum number of records to include in each detailed section.
Split if scope is greater than: For detailed reports, specifies the maximum number of firewalls to present in one report. When there are more firewalls than this in a detailed report, all the summaries are presented together in the report, but all the detailed information for each firewall is saved as a smaller, linked report.
Firewall Filters
  Firewall Type: The types of firewalls to include in the report.
  Operating System: The operating systems to include in the report.

Firewall Changes reports

Firewall Changes reports are available only when working with Skybox Firewall Assurance. Firewall Changes reports provide information about changes to firewalls in the network.
The firewalls' access rules and objects are compared between two different models (typically Live compared with What If, or Live compared with Forensics) and any changes are listed in the report.

Note: Changes include new access rules and deleted access rules as well as modifications.

Report sections

The following sections are included in a Firewall Changes report:

Summary: The changed and unchanged firewalls included in the scope of the report.

Optionally, for each firewall in the report:
  <firewall_name>: The number of changed access rules and objects found for this firewall.
  Changed Access Rules: The changed access rules for the firewall with the main parameters of each one. Detailed reports include links from each access rule in this section to the detailed information about the access rule in the next section.
  Changed Access Rules Details: Information about each changed access rule, including deleted rules. For modified access rules, information about the changed parameters is listed in two columns (current model and comparison model).

Report parameters

The parameters that control Firewall Changes reports are described in the following table.

Basic tab

Compare to: The model with which to compare the current model for reports. The default comparison model depends on the current model. (For the Live model, the default comparison model is What If. For the What If model, the default comparison model is Live.) Note: No comparison is performed if the currently active model is also the comparison model; the report is generated with a warning.
Firewalls Scope
  Firewall Scope: The firewalls to include in the report.
  Firewall Type: The types of firewalls to include in the report.
Report Sections
  Overview: (Read only) The report always includes overall information about firewall changes.
  Details: Specifies whether to include detailed information about firewall changes.

Advanced tab

Display Unreferenced Objects: Specifies whether to display unreferenced objects in the report; if cleared, only referenced objects are displayed.
Display description in summary: Specifies whether to display the comments from the access rules as part of the report; the comments can contain important information.
Max. Number of Changes per Firewall: The maximum number of changes per firewall to include in the report. If the number of changes in a firewall is larger than this value, the firewall is listed in the report as having too many changes and no changes are included. This usually indicates a configuration problem on the firewall. If you must see the changes anyway, increase the value of this parameter.
NERC reports

NERC Compliance reports are available only when working with Skybox Firewall Assurance. NERC (North American Electric Reliability Corporation) Compliance reports present information about the compliance of network devices, such as firewalls and routers, with the following NERC Critical Infrastructure Protection (CIP) standards of cyber security for the identification and protection of cyber assets:
  - CIP Critical Cyber Asset Identification
  - CIP Security Management Controls
  - CIP Electronic Security Perimeters
  - CIP Systems Security Management

For additional information about NERC reports, see NERC Compliance reports, in the Skybox Firewall Assurance User's Guide.

Report sections

The following sections are included in a NERC Compliance report:

Introduction: The purpose of the report.
Security Perimeter Compliance: Identification of security perimeters (zones) and security levels of their critical firewalls (cyber assets).
Cyber Asset Compliance:
  For each firewall (cyber asset) in the report: Summary of NERC compliance
  Optionally, for each firewall (cyber asset) in the report:
    - Access Compliance
    - Exceptions
    - Change tracking
    - Configuration Compliance

Report parameters

The parameters that control NERC Compliance reports are described in the following table.

Basic tab

Firewall Scope: The firewalls or firewall folders to include in the report.
Report Sections
  Overview: (Read only) The report always includes summary information about NERC Compliance.
  Details: Specifies whether to include detailed information in the report.

Advanced tab

Split if scope is greater than: For detailed reports, specifies the maximum number of firewalls to present in one report. When there are more firewalls than this in a detailed report, all the summaries are presented together in the report, but all the detailed information for each firewall is saved as a smaller, linked report.

PCI Firewall Compliance reports

PCI Firewall Compliance reports are available only when working with Skybox Firewall Assurance. PCI Firewall Compliance reports present information about compliance of firewalls with PCI DSS V2.0 requirement 1: Install and maintain a firewall configuration to protect cardholder data, a sensitive area within the trusted network of a company. PCI DSS requirement 1 is represented in Skybox View as an Access Policy. To maintain a protected system, the requirements are checked against the corresponding policy sections for each firewall that is in the scope of the report.

For additional information about PCI Firewall Compliance reports, see PCI Firewall Compliance reports, in the Skybox Firewall Assurance User's Guide.

Report sections

The following sections are included in a PCI Firewall Compliance report:

Introduction: The purpose of the report. The introduction explains what PCI DSS requirement 1 is and how it is modeled in Skybox View. You can customize the text.
Summary: The compliance for each firewall in the report, with a link to additional information.

For each firewall in the report:
  Summary: A list of the subsections of PCI DSS requirement 1 with compliance indications for this firewall. If detailed information is included in the report, each subsection has a link to additional information.

Optionally, for each firewall in the report:
  Details: For each subsection of PCI DSS requirement 1, the following information is listed: folder name (in the Access Policy), description, number of policy exceptions. If there are violating access rules, these are listed in a table, with links to additional information about the access rule and the PCI policy rules that the access rule violated.
  Exceptions: A list of the firewall's exceptions.

Appendix (Optional): The description of PCI DSS requirement 1, including all its subsections. The text is taken directly from the PCI DSS Requirements and Security Assessment Procedures, version 1.2 document.

Report parameters

The parameters that control PCI Firewall Compliance reports are described in the following table.

Basic tab

PCI Policy: The PCI policy to use for the report. Note: If you are not using the default policy or if you made changes to the hierarchy of the policy, you must map the policy to the requirement sections.
Firewall Scope: The firewalls or firewall folders to include in the report. Note: The network interfaces of these firewalls must be mapped to PCI zone types.
Report Sections
  Overview: (Read only) The report always includes a summary section for each firewall.
  Details: Specifies whether to include detailed information about each firewall's compliance.
  Exceptions: Specifies whether to include an exceptions section for each firewall.
  PCI Requirement 1: Specifies whether to include the description of PCI DSS requirement 1 as an appendix.

Advanced tab

Introduction Text: A free-form field used to hold the introductory text for the report.
Max. Number of Firewalls: The maximum number of firewalls to include in the report. If Firewall Scope includes more than this number of firewalls, Skybox View does not include all the firewalls in the report.
Show N/A Requirements: Specifies whether to include subsections of the requirement that are not modeled in Skybox View as part of the Details section.

Rule Usage Analysis reports

Rule Usage Analysis reports are available only when working with Skybox Firewall Assurance. Rule Usage Analysis reports present rule usage information for firewalls to help you to understand the usage patterns of the access rules. The reports present all firewalls in the selected scope that have unused access rules or access rules with unused objects.

For additional information about Rule Usage Analysis reports, see the Rule Usage Analysis reports topic in the Skybox Firewall Assurance User's Guide.

The parameters that control Rule Usage Analysis reports are described in the following table.

Basic tab

Firewall Scope: The firewalls to include in the report. Note: The selected firewalls are only included in the report if they have had changes to their access rules or to the objects in the access rules during the analyzed period.
Rule's Analysis Period: The time period of data to include in the report. Select Custom to define a specific date range by:
  - Specifying starting and ending dates for the report
  - Specifying starting and ending times relative to the current time for the report

Advanced tab

Show Original Text: Specifies whether to display, in the report, the original text (found in the firewall configuration) of the source, destination, and service fields of the access rules. If cleared, the resolved IP addresses are used in the report.
Skybox Network Assurance reports

The following report types are available when working with Skybox Network Assurance:
  - Access Checks (on page 259)
  - Network Compliance (on page 270)

Network Compliance reports

Network Compliance reports are available only when working with Skybox Network Assurance. Network Compliance reports provide policy-related information about the compliance of your organization's network. They help you to understand the compliance status of your network against your Access Policy and to identify problematic access configuration in your network.

For additional information about Network Compliance reports, see Network Compliance reports, in the Skybox Network Assurance User's Guide.

Report sections

The following sections are included in a Network Compliance report:

Access Policy Compliance Summary: Compliance violations, including the number of access tests and the number of violations. The section also displays Access Policy tests by compliance (compliant compared with non-compliant/violation) and by severity. The information is displayed using text and pie charts.
Policy Sections Compliance: The policy sections in the scope of the report with their compliance. Each policy section is linked to the list of its violations in the next section.

One of the following sections must be included in a Network Compliance report:

Access Policy Violations / Access Policy Tests: All violations (or access tests) for each policy section in the scope of the report. The violations or access tests are sorted by Access Check and then by test ID.

The following sections can also be included in a Network Compliance report:

Policy Violations Details: Detailed information about each violation, including the violation's parameters and access results.
Exceptions: The exceptions for each policy section in the scope of the report.

Report parameters

The parameters that control Network Compliance reports are described in the following table.

Basic tab

Policy Scope: The parts of the Access Policy (policy folders, policy sections, or specific Access Checks) to include in the report. Note: Access queries are not included in Network Compliance reports.
Report Sections
  Overview: (Read only) The report always includes summary information about Access Compliance, violations, and exceptions.
  Details: Specifies whether to include detailed information about each violation.
  Violations: Specifies whether to include violations and access tests in the report:
    - New Violations: Include only new violations (violations found in the last seven days)
    - Violations Only: Include all violations
    - All Tests: Include violations and successful access tests
  Exceptions: Specifies whether to include exceptions in the report.

Advanced tab

Max. Number of Services: The maximum number of services to display in the Policy Violations Details section for each violation. If a violation includes more than this number of services, Skybox View does not include all the services for this violation in the report.
Exception Filters
  Created Since: Only exceptions created in the specified time interval are included in the report. Select Custom to define a specific date range by:
    - Specifying the earliest creation date for exceptions in the report
    - Specifying the earliest creation time relative to the current time for exceptions in the report
  Expiration Date: Only exceptions that expire in the specified time interval are included in the report. Select Custom to define a specific date range by:
    - Specifying the earliest expiration date for exceptions in the report
    - Specifying the earliest expiration time relative to the current time for exceptions in the report

Chapter 23 Notifications reference

This chapter describes how to use and customize Skybox View notifications and how to adjust the content of the alerts that they send.

In this chapter
  Notifications
  Customizing notification templates
  Selecting the correct template
  Editing templates

Notifications

Notifications in Skybox View are rules that cause messages (alerts) to be sent to users to let them know of events that occurred in Skybox View, such as new or modified vulnerability definitions, or increases in security metrics scores. The types of notifications included in Skybox View are listed in the following table.

Notification type: Triggered by...

Skybox Firewall Assurance
  Change tracking (on page 274): Tasks of type Analysis Change Tracking
  Firewall compliance violation (on page 274): Tasks of type Analysis Policy Violation
Skybox Vulnerability Control
  Security metrics (on page 275): Tasks of type Analysis Security Metrics
  Vulnerability definition (on page 278): Vulnerability definition update events (by the source catalog or by a user changing a vulnerability definition's status)
All products
  Ticket (on page 276): Ticket update events

To create a notification

1 Select Tools > Administrative Tools > Notifications.
2 In the Skybox View Admin window, right-click the Notifications node and select New Notification.
3 Select the Notification Type.
4 Fill in the fields as described in the appropriate topic for the notification type:
  - Change tracking (on page 274)
  - Firewall compliance violation (on page 274)
  - Security metrics (on page 275)
  - Vulnerability definitions (on page 278)
  - Tickets (on page 276)
5 Click OK.

Alerts are triggered and sent (according to the selected parameters).

Change tracking notification parameters

Change tracking notifications are used only when working with Skybox Firewall Assurance. E-mail alerts are created from these notifications when tasks of type Analysis Change Tracking are run.

Recipients
  Skybox View Users: Sends alerts to the selected Skybox View users.
  External E-mails: Sends alerts to the specified e-mail addresses.
Notification Events
  New Firewall Changes: (Read only) Specifies whether alerts are sent each time a change to an access rule or object occurs on a firewall, including new and deleted access rules and objects.
  Notify on Status Change: Specifies whether alerts are sent when the status of an access rule is changed. Used with Statuses.
  Statuses: When Notify on Status Change is selected, use this field to select the statuses (Authorized, Ignored, Pending, Unauthorized) for which alerts are sent.
Change Record Filter
  Firewalls: The firewalls for which alerts are sent.
  Notify on Changes Made by: Specifies whether alerts are sent when changes are made by specific users.
  Changes Made by: When Notify on Changes Made by is selected, use this field to provide a comma-separated list of names or partial names of users. Wildcards (* and ?) are supported.

For additional information about these notifications, see the Notifications section in the Skybox Firewall Assurance User's Guide.

Firewall compliance violation notification parameters

Firewall compliance violation notifications are used only when working with Skybox Firewall Assurance. E-mail alerts are created from these notifications when tasks of type Analysis Policy Violation are run.

Recipients
  Skybox View Users: Sends alerts to the selected Skybox View users.
  External E-mails: Sends alerts to the specified e-mail addresses.

275 Chapter 23 Notifications reference Notification Events New Firewall Violations (Read only) Specifies whether alerts are sent each time a new policy violation occurs on a firewall (that is, between two network interface zones on a single firewall). Policy Violation Filter Firewalls Policy Scope Severity The firewalls for which alerts are sent. The parts of the Access Policy (policy folders, policy sections, or specific Access Checks) for which alerts are sent. The severity of Access Checks for which alerts are sent. For additional information about these notifications, see Notifications, in the Skybox Firewall Assurance User s Guide. Security metric notification parameters Security metric notifications are used when working with the security metric feature of Skybox Vulnerability Control. Security metric notifications define which security metric events trigger an alert and who receives the alert. The alerts are created when tasks of type Analysis Security Metrics are run. Alerts can be sent each time a security metrics score increases or decreases. You can select specific units and score thresholds to be the triggers. For example, if you select specific Business Units, alerts are only sent if the security metric level for any of those Business Units changes. Note: Only one alert is sent for each security metric notification, which lists all relevant changes. However, if you select Notify on Security Metric Level Increase and Notify on Security Metric Level Decrease, separate alerts are sent for increases and decreases. Recipients Skybox View Users External s Sends alerts to the selected Skybox View users. Sends alerts to the specified addresses. Notification Events Security Metric Level Increase Notification Comment Security Metric Level Decrease Notification Comment (Read only) Alerts are always sent for security metric increases that match the filters. A comment to include with the alert about a security metric increase. 
Specifies whether to send alerts every time a security metric (that matches all of the filters) decreases. A comment to include with the alert about a security metric decrease. Security Metric Filter Security Metric Type The type of security metric (VLI or RLI) for which alerts are sent. Participating Units Alerts are sent only if the security metric change is in one of the specified units. Each unit must be specified separately; if you select a parent unit, Skybox View does not send alerts if the level of one of its child units changes (unless the level of the parent unit also changes). Skybox View version

  Security Metric Threshold: Alerts are sent only if the security metric reaches or passes the selected level.

For information about creating security metrics notifications, see Setting up security metrics notifications, in the Skybox Vulnerability Control User's Guide.

Ticket notification parameters

Ticket notifications define which ticket events trigger an alert and who receives it; an alert can be sent each time a ticket changes in a specific way. The parameters of ticket notifications are described in the following table.

Recipients
  Ticket's Cc List: Sends alerts to all users listed in this field. The ticket's cc list is filled automatically with the cc list of the PAL entry that is associated with this ticket. You can add additional recipients to the cc list.
  Ticket Owner: Sends an alert to the owner (assignee) of the ticket.
  Ticket Owner's Group(s): Sends alerts to all users who are in the same user groups as the owner (assignee) of the ticket.
  Ticket Reporter: Sends an alert to the user who created the ticket.
  Skybox View Users: Sends an alert to the selected Skybox View users.
  External Emails: Sends alerts to the specified email addresses.

When the assignees or Cc List recipients of this Ticket change, send notifications to:
  New Recipients: (Read only) Sends alerts to users added to the ticket.
  Former Recipients: Sends alerts to users removed from the ticket.

Notification Events
  Ticket Events
    Any ticket change (including creation and deletion): Specifies whether alerts are sent each time a ticket (that matches all of the filters) is created, changed, or deleted.
    Specific actions and updates: Alerts are sent each time one of the specified changes occurs to a ticket that matches all of the filters. Use the Actions and Updates parameter to specify the change types that trigger alerts.
  Actions and Updates: A list of change types that, if selected, trigger alerts when they occur.
  Overdue
    Notify on overdue tickets: Specifies whether alerts are sent whenever a ticket becomes overdue (misses the due date for the current phase).

Ticket Filter
  Network Scope: The network entities or container entities for which to send alerts.
  Type: The type of ticket for which to send alerts.
  Ticket Phases: Alerts are sent only if the ticket is in one of the selected phases.

  Ticket Owner: Alerts are sent only if the ticket belongs to one of the selected owners.
  Owner Lookup: Specifies whether to look for the owner in the current phase or in specific phases.
  Owner Phases: If the value of Owner Lookup is Specific Phase, enables you to define in which phases to search for the owner.
  Priority: Alerts are sent only if the entity for which the ticket was created has the selected priority.
  CVSS Base Score: (Skybox Vulnerability Control and Skybox Threat Manager only) Alerts are sent only if the CVSS base score of the vulnerability definition for which the ticket was created is in the selected range.
  CVSS Temporal Score: (Skybox Vulnerability Control and Skybox Threat Manager only) Alerts are sent only if the CVSS temporal score of the vulnerability definition for which the ticket was created is in the selected range.

The content of ticket notifications can be customized to suit the requirements of your organization. For additional information, see Customizing ticket notifications (on page 277).

Customizing ticket notifications

You can choose to create customized ticket notifications that are not based on the predefined notification templates, but rather use a different system. Once created, custom notification templates are stored as part of the model and can be reused, modified, and copied from within the Skybox View Admin interface.

To create a custom notification
1 Click the Notification Templates tab.
2 Select Use Custom Notification.
  Note: This indicates to Skybox View that it should not use the default template that would otherwise be used for the selected event types. The notification contains only the information that you add.
3 Whatever is in the Subject field is used as the subject header of the notification. Do the following:
  a) Add the appropriate text. For example, "Subject: New Ticket ID " (without the quotation marks, but including the space at the end).
  b) With the cursor placed after the text, click Insert Label. See Keywords for notifications (on page 286) for a list of all possible keywords.
  c) From the list that appears, double-click the name of the field you want to add. In this example, you would probably select Ticket ID. The appropriate keyword, such as <TICKET_ID>, is inserted in the text.
  d) Add any text that should appear in the subject header after the keyword. In this example, you might add " Notification" (remember to include a space).
4 The Primary Information field provides the changes that were made. Prepare it using the same steps you used for the Subject field, adding as many lines of text and keywords as necessary.
  Note: The Details field is not necessary in Change Manager notifications; it provides information used for other types of ticket notifications.
5 Click OK.
The new notification is added to the list of notifications.

Creating additional notifications for the same (or similar) event

You can create additional notifications for the same (or a similar) event. This can be useful if you need to create more than one notification for an event. For example, you might want a very simple notification for the ticket requestor and a more detailed notification for the owner of the next phase, or you might have created a notification for ticket promotion and want a very similar one for ticket demotion.

To create a new custom notification based on an existing one
1 Right-click the notification and select Create Notification Like.
2 Open the new (copy) notification from the list and make the necessary changes.

Vulnerability definition notification parameters

Vulnerability definition notifications are used only when working with Skybox Threat Manager. Vulnerability definition notifications define which vulnerability definition events trigger an alert and who receives it. Alerts can be sent when vulnerability definitions change in a specific way. The parameters of vulnerability definition notifications are described in the following table.

Recipients
  Skybox View Users: Sends alerts to the selected Skybox View users.
  External Emails: Sends alerts to the specified email addresses.

Notification Events
  New Vulnerability Definitions: Specifies whether alerts are sent each time a vulnerability definition is created based on a threat alert.
  Updated Vulnerability Definitions: Specifies whether alerts are sent each time a vulnerability definition is updated based on a threat alert.
  Status of Vulnerability Definition Changed to: A list of changes that trigger alerts if the specific actions and updates option is selected.
  Vulnerability Definitions not handled for more than N days: Alerts are sent whenever a vulnerability definition is overdue by the specified number of days.

Vulnerability Definition Filter
  Severity: Alerts are sent only if the vulnerability definition is at least the selected severity.
  CVSS Base Score: Alerts are sent only if the vulnerability definition's CVSS base score is in the selected range.
  CVSS Temporal Score: Alerts are sent only if the vulnerability definition's CVSS temporal score is in the selected range.

  Products In List: Specifies the affected products for which to send alerts:
    Any: Send alerts for all products. The Product List Items field is disabled.
    Yes: Send alerts only if at least one of the affected products of the vulnerability definition matches a product specified in the Product List Items field.
    No: Send alerts only if at least one of the affected products of the vulnerability definition does not match a product specified in the Product List Items field.
  Product List Items: Used in conjunction with the Products In List field.
  Product search string: Alerts are sent only if the name of one of the affected products of the vulnerability definition matches the search string.
  Custom Vulnerability Definitions Created by: Specifies whether alerts are sent only if the custom vulnerability definitions to which they are related were created by specific users.
  Custom Vulnerability Definitions Only: Specifies whether alerts are sent only for custom vulnerability definitions.

For information about creating these notifications, see Creating notifications, in the Skybox Vulnerability Control User's Guide.

Customizing notification templates

The texts of the alerts triggered by notifications are based on templates. There are separate templates for alert headers and for details (sections). Skybox View provides default template files, but you can also create additional templates for specific notifications.

A complete alert for an event consists of a header and one or more sections (usually one per event). The following is a sample alert that consists of one header and three sections.

Vulnerability Type Event: Updated Status for Vulnerability Type(s)
Notification Rule Name: Irrelevant Vulnerabilities
Number of Vulnerability Types whose status was updated: 3

Vulnerability Type(s) Details:
===========================================
#1
ID: SBV
Title: Gforge <= SQL Injection Allows Remote SQL Commands Execution
Severity: High (7.5)
CVSS Base Score: 7.5
CVSS Temporal Score: 6.7
Status: Irrelevant
Reported Date: 1/15/08
Modification Date: 1/28/09
CVE: CVE
Last Change: The of solution ID was Modified

#2
ID: SBV
Title: MyBB < forumdisplay.php and search.php Scripts Allow Remote Code Execution
Severity: High (7.5)
CVSS Base Score: 8.2
CVSS Temporal Score: 7.1
Status: Irrelevant
Reported Date: 1/16/08
Modification Date: 1/28/09
CVE: CVE
Last Change: New Related Source was added: CVE

#3
ID: SBV
Title: Sun Java System Access Manager 7.1 on Application Server 9.1 Container Authentication Bypass
Severity: High (7.5)
CVSS Base Score: 7.5
CVSS Temporal Score: 6.1
Status: Irrelevant
Reported Date: 10/1/07
Modification Date: 1/28/09
CVE: CVE
Last Change: The of solution ID was Modified

To adjust a notification template
1 Select the correct template.
2 Open the template in a text editor.

3 Make changes to the template.
4 Save the template.

Selecting the correct template

The notification templates are stored in the <Skybox_View_Home>\server\conf\notification_templates directory. There are separate templates for each type of notification (security metrics, vulnerability definition, change tracking, firewall compliance violation, and ticket). The _header templates define how the main information about the notification appears in the alert; the _section templates define how each notification event appears in the alert.

The tables in the following sections explain which files are used for each type of notification. To change the content of a template, see Editing templates (on page 283).

Files for change tracking notifications

The files that are used for change tracking notifications are listed in the following table.

  Event: Change to an access rule or firewall object
  File names: changetrackingnew_header.txt, changetrackingnew_section.txt

For a list of keywords used in these files, see Keywords for change tracking notifications (on page 284).

Files for firewall compliance violation notifications

The files that are used for firewall compliance violation notifications are listed in the following table.

  Event: Firewall compliance violation
  File names: aprviolation_header.txt, aprviolation_section.txt

For a list of keywords used in these files, see Keywords for firewall violation notifications (on page 284).

Files for security metrics notifications

The files that are used for security metrics notifications are listed in the following table.

  Event: Increase in security metrics levels
  File names: kpilevelincrease_header.txt, kpilevelincrease_section.txt

  Event: Decrease in security metrics levels
  File names: kpileveldecrease_header.txt, kpileveldecrease_section.txt

For a list of keywords used in these files, see Keywords for security metrics notifications (on page 285).
Files for ticket notifications

The files that are used for ticket notifications are listed in the following table.

  Event: New ticket created
  File names: ticketcreated_header.txt, ticketcreatedtypeaccesschange_header.txt, ticketcreated_section.txt

  Event: Ticket updated
  File names: ticketupdated_header.txt, ticketupdatedtypeaccesschange_header.txt, ticketupdated_section.txt

  Event: Ticket updated (Used for updates other than change of phase, owner, or status)
  File names: ticketminorfieldsupdate_header.txt, ticketminorfieldsupdatetypeaccesschange_header.txt, ticketminorfieldsupdate_section.txt

  Event: Ticket cloned
  File names: ticketcloned_header.txt, ticketclonedtypeaccesschange_header.txt, ticketcloned_section.txt

  Event: Ticket closed
  File names: ticketclosed_header.txt, ticketclosedtypeaccesschange_header.txt, ticketclosed_section.txt

  Event: Ticket deleted
  File names: ticketdeleted_header.txt, ticketdeletedtypeaccesschange_header.txt, ticketdeleted_section.txt

  Event: Ticket demoted
  File names: ticketdemoted_header.txt, ticketdemotedtypeaccesschange_header.txt, ticketdemoted_section.txt

  Event: Overdue ticket
  File names: ticketoverdue_header.txt, ticketoverduetypeaccesschange_header.txt, ticketoverdue_section.txt

  Event: Ticket predue (coming due soon)
  File names: ticketpredue_header.txt, ticketpreduetypeaccesschange_header.txt, ticketpredue_section.txt

  Event: Ticket promoted
  File names: ticketpromoted_header.txt, ticketpromotedtypeaccesschange_header.txt, ticketpromoted_section.txt

  Event: Ticket reassigned (new owner)
  File names: ticketreassigned_header.txt, ticketreassignedtypeaccesschange_header.txt, ticketreassigned_section.txt

  Event: Ticket rejected
  File names: ticketrejected_header.txt, ticketrejected_section.txt

  Event: Ticket reopened
  File names: ticketreopened_header.txt, ticketreopenedtypeaccesschange_header.txt, ticketreopened_section.txt

  Event: Request to close a ticket
  File names: ticketrequesttoclose_header.txt, ticketrequesttoclosetypeaccesschange_header.txt, ticketrequesttoclose_section.txt

  Event: Ticket resolved
  File names: ticketresolved_header.txt, ticketresolved_section.txt

  Event: Ticket implementation verified
  File names: ticketverified_header.txt, ticketverified_section.txt

For a list of keywords used in these files, see Keywords for ticket notifications (on page 286).

Files for vulnerability definition notifications

The files that are used for vulnerability definition notifications are listed in the following table.

  Event: Creation of new vulnerability definition
  File names: vtcreation_header.txt, vtcreation_section.txt

  Event: Vulnerability definition not handled in a specific number of days
  File names: vtneglected_header.txt, vtneglected_section.txt

  Event: Status change of a vulnerability definition
  File names: vtstatuschange_header.txt, vtstatuschange_section.txt

  Event: Update of a vulnerability definition (new information)
  File names: vtupdate_header.txt, vtupdate_section.txt

  Event: Update of significant fields of a vulnerability definition (new information)
  File names: vtsignificantupdate_header.txt, vtsignificantupdate_section.txt

Note: A significant field is one that can change the ticket's flow or priority: a change in severity or urgency, or a change in the list of affected products.

For a list of keywords used in these files, see Keywords for vulnerability definition notifications (on page 288).

Editing templates

Each notification template consists of static text and keywords (variables), as in the following example.

ID: <TICKET_ID>
Ticket Type: <TICKET_TYPE>
Title: <TITLE>
Owner: <OWNER_NAME>
Phase: <CURRENT_PHASE>
Due Date: <DUE_DATE>
Pending Closure With Status: <STATUS>

The text in the template is the actual text that appears in each alert of the selected type. The keywords are listed in the template as <KEYWORD_NAME>. The keywords are replaced by the current value of the relevant field in Skybox View each time an alert is created. The names of the keywords cannot be changed, but you can change the text and use different keywords as necessary. You can also add text and appropriate keywords to a file or delete text and keywords.

For example, if the owner is not necessary for the notification type that is defined in the template, delete the line:

Owner: <OWNER_NAME>

The keywords that you can use in the alerts sent by notifications and the fields from which they are taken are listed in the following sections:
  Keywords for change tracking notifications (on page 284)
  Keywords for firewall compliance violation notifications (on page 284)
  Keywords for security metrics notifications (on page 285)
  Keywords for ticket notifications (on page 286)
  Keywords for vulnerability definition notifications (on page 288)

For information about which template to use for each notification type, see Selecting the correct template (on page 281).

Keywords for change tracking notifications

Keywords that you can use for change tracking notifications are listed in the following table (change field: keyword).

  Current date: CURRENT_DATE
  Total number of changes: TOTAL_NUMBER_OF_CHANGES
  Number of firewalls with changes: FIREWALL_NUM
  The section in the alert (each firewall has its own section): SECTION_NUMBER
  The name of the firewall: FW_NAME
  Total number of changes for this firewall: TOTAL_FW_NUMBER_OF_CHANGES
  Number of access rules changed for this firewall: ACL_NUMBER_OF_CHANGES
  Number of objects changed for this firewall: OBJECT_NUMBER_OF_CHANGES
  Original Rule ID: ORIGINAL_RULE_ID
  Original Text Before: ORIGINAL_TEXT_BEFORE
  Original Text After: ORIGINAL_TEXT_AFTER
  List of detailed changes for the firewall: DETAILED_CHANGES_TABLE

Keywords for firewall compliance violation notifications

Keywords that you can use for firewall compliance violation notifications are listed in the following table (violation field: keyword).

  The name of the notification that created this alert: NOTIFICATION_RULE_NAME
  The creation time of the violation: CREATION_TIME
  The number of the violation: NUMBER
  The test ID of the violation: ID
  The importance of the violated Access Check: IMPORTANCE
  The name of the firewall where the violation occurred: FIREWALL_NAME
  The IP address of the firewall: FIREWALL_IP
  The name of the Access Check: APR_NAME
  The type of the Access Check (Limited, No-Access, or Full Access): APR_TYPE
  The path of the Access Check in the policy tree: APR_PATH
  The source used in the Access Check: SOURCE
  The destination used in the Access Check: DESTINATION

Keywords for security metrics notifications

Keywords that you can use for security metrics notifications are listed in the following table (security metrics field: keyword).

  The type of the notification: NOTIFICATION_TYPE
  Security metric short name: KPI_SHORT_TYPE
  Security metric event type (increase or decrease): EVENT_TYPE
  The name of the notification that created this alert: NOTIFICATION_RULE_NAME
  Security metric long name: KPI_TYPE
  Last-but-one security metric calculation time: PREV_KPI_CALC_TIME
  Most recent security metric calculation time: LAST_KPI_CALC_TIME
  User comment: USER_COMMENT
  Link to the security metrics web interface: LINK_TO_WEB_UI
  The name of the security metric unit: UNIT_NAME

  New security metrics score: NEW_KPI_LEVEL
  Security metrics score from previous calculation: OLD_KPI_LEVEL

Keywords for ticket notifications

Keywords that you can use in all ticket notifications are listed in the following tables. In addition, all fields used for vulnerability definition notifications can be used for vulnerability definition ticket notifications. To include a vulnerability definition field in the notification template, you must add the prefix VT to the field name in the ticket notification template. For example, to include the reported date of the vulnerability definition in ticket notifications, you would include VT_Reported_Date in the template.

The following keywords can be used for all ticket notifications (ticket field: keyword).

  ID: TICKET_ID
  Ticket type: TICKET_TYPE
  Title: TITLE
  Ticket description: TICKET_DESCRIPTION
  Priority: PRIORITY
  Owner: OWNER_NAME
  Owner with email (for example: ISPS ([email protected])): OWNER_NAME_WITH_
  Phase: CURRENT_PHASE
  Due date: DUE_DATE
  Original phase due date (if it was changed): PHASES_ORIGINAL_DATES
  Ticket affected products: TICKET_AFFECTED_PRODUCTS
  Names of additional changed fields: ADDITIONAL_FIELDS_UPDATED
  <Name_of_changed_field>: UPDATED_FIELD
  <Old_value_of_changed_field>: OLD_VALUE
  <New_value_of_changed_field>: NEW_VALUE

The following keywords can be used in Access Change ticket notifications (ticket field: keyword).

  The importance of the violated Access Check: IMPORTANCE
  The test ID of the violated Access Check: VIOLATION_ID
  The name of the Access Check: APR_NAME
  The type of the Access Check (Limited, No-Access, or Full Access): APR_TYPE
  The path of the Access Check in the policy tree: APR_PATH
  The source used in the Access Check: SOURCE
  The destination used in the Access Check: DESTINATION

Keywords that you can use in ticket notifications for specific events are listed in the following table (ticket field: keyword; event/note).

  Creation time: CREATION_OF_TICKET; ticket creation (and other ticket events, when necessary)
  Original ticket ID: ORIGINAL_TICKET_ID; cloned ticket
  URL: URL; displays the URL of the Change Manager with the relevant ticket ID
  Done date: DONE_DATE; ticket completion
  Status: STATUS; ticket completion (and other ticket status change notifications)
  Closure type: CLOSURE_TYPE; ticket closure (explains how the ticket was closed)
  Deletion time: DELETION_TIME; ticket deletion
  Deleted by: DELETED_BY; ticket deletion
  Current owner: CURRENT_OWNER; events such as promote, demote, or reassign
  Current owner with email: CURRENT_OWNER_WITH_; same as CURRENT_OWNER, but adds the email address in parentheses (for example: ISPS). If the user does not have an email address defined, then this is exactly the same as CURRENT_OWNER
  Previous owner: PREVIOUS_OWNER; events such as promote, demote, or reassign
  Previous owner with email: PREVIOUS_OWNER_WITH_; same as PREVIOUS_OWNER, but adds the email address in parentheses (for example: ISPS). If the user does not have an email address defined, then this is exactly the same as PREVIOUS_OWNER
  Previous phase: PREVIOUS_PHASE; phase-changing events such as promote or demote
  Current phase number: CURRENT_PHASE_NUMBER; displays the number of the current phase. If there are no phases or if the ticket is closed, the value is empty
  Previous phase number: PREVIOUS_PHASE_NUMBER; for all phase-changing events. Displays the number of the previous phase. In all other cases, the value is empty
  Total number of phases: TOTAL_NUMBER_OF_PHASES; displays the total number of phases of the ticket. If there are no phases, the value is empty
  Latest user comment: LAST_USER_COMMENT
  Start time of the current phase: CURRENT_PHASE_START_TIME
  Phase due date: CURRENT_PHASE_DUE_DATE; overdue ticket

Keywords for vulnerability definition notifications

Keywords for vulnerability definition notifications are listed in the following table (vulnerability definition field: keyword).

  Vulnerability event type: EVENT_TYPE
  Notification name: NOTIFICATION_RULE_NAME
  Number of new vulnerability definitions: VT_NUMBER
  Vulnerability types: DETAILS
  (The number of the vulnerability definition in the alert): NUMBER
  ID: ID
  Title: TITLE
  Severity: SEVERITY_LEVEL, SEVERITY_SCORE
  CVSS base score: CVSS_BASE_SCORE
  CVSS temporal score: CVSS_TEMPORAL_SCORE
  Status: STATUS
  Reported date: REPORTED_DATE
  Modification date: MODIFICATION_DATE
  CVE: CVE
  Last change: LAST_CHANGE
  Last modification source: LAST_MODIFICATION_SOURCE
  Last modified by system: LAST_MODIFIED_BY_SYSTEM
  Last modified by user: LAST_MODIFIED_BY_USER
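The keyword substitution described under Editing templates, assembled into a header-plus-sections alert with the layout of the sample alert above, as an added example that is not Skybox View's own code: keyword names are taken from the ticket and vulnerability definition keyword tables, the templates and event values are constructed, and leaving an unknown keyword literal in the output is an assumption of this example rather than documented behaviour.

```python
"""Keyword substitution for Skybox View notification templates (added example).

Rules applied from "Editing templates" and the keyword tables: keywords are
written as <KEYWORD_NAME>; an alert is one rendered _header template followed
by one rendered _section template per event; a ticket template may use
vulnerability definition keywords with the VT_ prefix; a known keyword with no
value (e.g. CURRENT_PHASE_NUMBER on a closed ticket) renders as empty text.
"""
import re

# Vulnerability definition keywords (from the page's keyword table).
VT_KEYWORDS = {
    "EVENT_TYPE", "NOTIFICATION_RULE_NAME", "VT_NUMBER", "DETAILS", "NUMBER",
    "ID", "TITLE", "SEVERITY_LEVEL", "SEVERITY_SCORE", "CVSS_BASE_SCORE",
    "CVSS_TEMPORAL_SCORE", "STATUS", "REPORTED_DATE", "MODIFICATION_DATE",
    "CVE", "LAST_CHANGE", "LAST_MODIFICATION_SOURCE",
    "LAST_MODIFIED_BY_SYSTEM", "LAST_MODIFIED_BY_USER",
}
# The ticket keywords used by the ticket template below (from the page's tables).
TICKET_KEYWORDS = {
    "TICKET_ID", "TICKET_TYPE", "TITLE", "OWNER_NAME", "CURRENT_PHASE",
    "DUE_DATE", "STATUS", "CURRENT_PHASE_NUMBER", "TOTAL_NUMBER_OF_PHASES",
}
KEYWORD_RE = re.compile(r"<([A-Za-z][A-Za-z0-9_]*)>")


def resolve(keyword, fields, known, vt_fields=None):
    """Text for one keyword, or None when the keyword is not a known one.

    Names are matched case-insensitively, so the page's VT_Reported_Date
    example finds REPORTED_DATE in the vulnerability definition of a ticket.
    """
    name = keyword.upper()
    if vt_fields is not None and name.startswith("VT_") and name[3:] in VT_KEYWORDS:
        value = vt_fields.get(name[3:])
    elif name in known:
        value = fields.get(name)
    else:
        return None
    return "" if value is None else str(value)


def render(template, fields, known, vt_fields=None):
    """Substitute keywords in one template.

    Returns the text and the list of unknown keywords (assumption of this
    example: they stay literal, so a typo in a template stays visible).
    """
    unknown = []

    def replace(match):
        text = resolve(match.group(1), fields, known, vt_fields)
        if text is None:
            unknown.append(match.group(1))
            return match.group(0)
        return text

    return KEYWORD_RE.sub(replace, template), unknown


def render_alert(header_tpl, section_tpl, header_fields, events, known):
    """The header once, then one section per event; NUMBER is the event's
    position in the alert, as in the #1, #2, #3 sections of the sample alert."""
    text, unknown = render(header_tpl, header_fields, known)
    parts = [text]
    for position, event in enumerate(events, start=1):
        section, more = render(section_tpl, {**event, "NUMBER": position}, known)
        parts.append(section)
        unknown.extend(more)
    return "\n".join(parts), unknown


# Constructed templates in the layout of the page's sample alert.
VT_HEADER = (
    "Vulnerability Type Event: <EVENT_TYPE>\n"
    "Notification Rule Name: <NOTIFICATION_RULE_NAME>\n"
    "Number of Vulnerability Types whose status was updated: <VT_NUMBER>\n"
)
VT_SECTION = (
    "#<NUMBER>\nID: <ID>\nTitle: <TITLE>\n"
    "Severity: <SEVERITY_LEVEL> (<SEVERITY_SCORE>)\nStatus: <STATUS>\nCVE: <CVE>\n"
)
# Constructed event data; the IDs and CVE values are placeholders, not real entries.
SAMPLE_EVENTS = [
    {"ID": "SBV-EXAMPLE-1", "TITLE": "First example definition", "SEVERITY_LEVEL": "High",
     "SEVERITY_SCORE": "7.5", "STATUS": "Irrelevant", "CVE": "CVE-0000-0001"},
    {"ID": "SBV-EXAMPLE-2", "TITLE": "Second example definition", "SEVERITY_LEVEL": "Medium",
     "SEVERITY_SCORE": "5.0", "STATUS": "Irrelevant", "CVE": "CVE-0000-0002"},
]


def sample_vt_alert():
    header = {"EVENT_TYPE": "Updated Status for Vulnerability Type(s)",
              "NOTIFICATION_RULE_NAME": "Irrelevant Vulnerabilities",
              "VT_NUMBER": len(SAMPLE_EVENTS)}
    return render_alert(VT_HEADER, VT_SECTION, header, SAMPLE_EVENTS, VT_KEYWORDS)


# A constructed ticket section mixing ticket keywords with a VT_-prefixed one.
TICKET_SECTION = (
    "ID: <TICKET_ID>\nTicket Type: <TICKET_TYPE>\nTitle: <TITLE>\nOwner: <OWNER_NAME>\n"
    "Phase: <CURRENT_PHASE> (<CURRENT_PHASE_NUMBER> of <TOTAL_NUMBER_OF_PHASES>)\n"
    "Reported: <VT_Reported_Date>\nPending Closure With Status: <STATUS>\n"
)


def sample_closed_ticket():
    """Closed ticket: CURRENT_PHASE_NUMBER has no value and renders empty."""
    ticket = {"TICKET_ID": 1234, "TICKET_TYPE": "Vulnerability", "TITLE": "Example ticket",
              "OWNER_NAME": "ISPS", "CURRENT_PHASE": "Closed", "STATUS": "Closed",
              "CURRENT_PHASE_NUMBER": None, "TOTAL_NUMBER_OF_PHASES": 3}
    return render(TICKET_SECTION, ticket, TICKET_KEYWORDS, {"REPORTED_DATE": "1/15/08"})
```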

Chapter 24 Exportable data

This chapter explains the information that you can retrieve from the Skybox View database, and the formats in which you can retrieve it.

In this chapter
  CSV-exportable data
  Other exports

CSV-exportable data

You can export most Skybox View data in CSV format using shortcut menus. For some data types, you can automate the export using CSV export tasks.

You can save the following types of data to CSV using the entity's shortcut menu (entity: workspaces; additional information).

  Tickets: Ticket, Threat Manager
  Model analyses, Networks, Assets, Network interfaces: Model
  Business Asset Groups: Exposure; for each Business Asset Group, the output includes a list of its member assets (in one field)
  Vulnerability occurrences: Exposure
  Vulnerability definitions: Threat Manager
  Security metrics information for Business Units and Business Asset Groups: Security Metrics
  Access rules: Firewall Assurance, Network Assurance; the output file includes all the access rules of the specified scope, with one row per access rule that includes information about the rule itself and all related Firewall Assurance information
  Firewall Access Compliance: Firewall Assurance; the output file might include multiple rows for each Access Check, where each row represents a specific violation (<firewall identification details> <violation details> <violating rule>)

  Rule Compliance: Firewall Assurance; the output file might include multiple rows for each Rule Check, where each row represents a specific violation
  Rule usage data: Firewall Assurance; each row in the output file represents one access rule
  Shadowed rules: Firewall Assurance; each row displays a shadowed rule and its shadowing rules (or a redundant rule and the rules that make it redundant)
  Change tracking: Firewall Assurance; each row describes a change in an access rule or object
  Access Compliance (by selecting a policy, folder, or section): Network Assurance; the output might include multiple rows for each Access Check, where each row represents a specific violation

Note: You can save all tables displayed in Skybox View in the Table pane or the Details pane to CSV using the File menu (File > Export Table to CSV, with the table selected). Tables exported using this method are saved without any preprocessing.

CSV export tasks

Skybox View has tasks that are used to export CSV data on a regular basis. The files are stored on the Server machine at <Skybox_View_Home>\data\csv, and are named using the following general formula:

<information_type>_<entity_name>_<date>--<time>.csv

The following tasks are available (Skybox View product: CSV export task type; comments).

  Skybox Firewall Assurance and Skybox Network Assurance:
    CSV compliance results export (on page 171); exports compliance results for networks or firewalls
    CSV analysis export (on page 169); Model analyses only
    CSV Configuration Compliance export (on page 172); exports Configuration Compliance results for networks or firewalls
  Skybox Firewall Assurance:
    CSV access rules review export (on page 168)
    CSV change tracking export (on page 170)
    CSV optimization and cleanup export (on page 174); exports rule usage data and shadowed rules
    CSV firewall summary export (on page 173)
  Skybox Vulnerability Control and Skybox Threat Manager:
    CSV analysis export (on page 169)
  Skybox Vulnerability Control:
    CSV Security Metric export (on page 175)

Note: In the task fields, you can choose that recipients (if any) should receive the file in compressed (ZIP) format.

Other exports

Some Skybox View information is available by other means, including API, XML, and graphic files.

The Skybox web service API (SOAP) enables:
  SOC integration: retrieving Skybox View events
  Helpdesk integration: synchronizing tickets (unidirectional or bidirectional)
  Access Analysis: remote activation of Skybox View's Access Analyzer

For information about the Skybox View API, see APIs, in the Skybox View Developer's Guide.

You can export and import Firewall and Network Assurance policies in XML format. You can export the following policies from the shortcut menu:
  Access Policies (for Skybox Firewall Assurance and Skybox Network Assurance)
  Rule Policies (Skybox Firewall Assurance only)
  Configuration Policies (Skybox Firewall Assurance only)

The Network Map is available in JPEG and GraphML formats.

Vulnerability occurrence analyses (lists of vulnerability occurrences) can be exported to XML files in Qualys format for integration with SIEM solutions; right-click the analysis in the tree and select Export to XML Vulnerability Occurrences, or use a task of type XML Vulnerability Occurrence (Qualys Format) Export.

Part IV: Tools

This part describes the tools that are provided for use in the Skybox View Manager.

Chapter 25 Access Control List Editor

The Access Control List Editor is used to view and, optionally (in the What If model), add, modify, and delete the access rules used by an asset in the Skybox View model. The Access Control List Editor is available on every asset that has an ACL, whether it is a firewall, a router, or another server.

In this chapter
  Using the Access Control List Editor
  Access Rule Properties dialog box
  ACL Management dialog box

Using the Access Control List Editor

To open the Access Control List Editor
  Right-click an asset in the Tree pane or the Table pane and select Access Rules.

Each rule chain in the device's ACL is displayed in a separate tab. The number and names of the rule chains vary according to the device type.

Access rules with a green background are implicit rules on the firewall. Access rules with a gray background are disabled. The Original Rule ID column shows the rule number in the original vendor application.

The following actions are available in the Access Control List Editor:
  Find: Enables you to search for particular access rules. To use pattern matching in the search, select Pattern match (? and *) in the Match Criteria field; you can then use the characters ? and * as wildcards in the Find What string.
  Show Object Names / Show Resolved Addresses: Toggles the display in the Source and Destination columns between the object names and their resolved names (that is, how Skybox View interpreted the object names based on the current model).
  Object Tree: When firewall objects are available, displays the object tree next to the list of rules.
  Move Up, Move Down, and Move To: These actions change the order of the access rules.
  Move to Other Chain: Enables you to move the selected access rule to a different rule chain.
  Modify: Enables you to edit the selected access rule in the Access Rule Properties dialog box (see page 294).
  New, Remove, Disable / Enable
  Note: Disabled access rules are grayed and italicized.

Access Rule Properties dialog box

The parameters of the Access Rule Properties dialog box are described in the following table.

  Action Type: The action to be taken on a packet (traffic) that matches this rule's criteria (parameters).
    Note: Unless the value for this field is Translate, the Source, Destination, and Service fields in the NAT pane are disabled.
    Note: If Undefined is selected, the action performed is Deny.
  Direction Type: The directions of the packets for which to apply the access rule.
  Expiration Date: (Check Point firewalls only) The expiration date of the access rule. Once a rule is past its expiration date, it is not used in access analysis, Access Compliance, or attack simulation.
  Original Rule ID: (Read only) The original rule ID (name or number) found in the firewall configuration, if one exists. This information is obtained by the online collection task or offline file import task that reads the configuration.
  Original Text: (Read only) The original command for this access rule found in the device configuration, if one exists. This information is obtained by the online collection task or offline file import task that reads the configuration.
  Source Network Interfaces: The network interfaces on which to apply the rule only if the packet arrived from the specified interface.
  Network Interfaces: The network interfaces on which to apply the rule (for any packet direction).
  Routed Network Interface: (Cisco firewalls only) The egress interface configured in the NAT rule.
    Note: When an egress interface is provided, no route lookup is done.

Source
  Addresses: A comma-separated list of source IP addresses for which to match this rule (the allowable source addresses for a packet). Separate the first and last values of a range with a hyphen. To allow all source addresses except those selected, select NOT.
  Users: (Palo Alto Networks and Check Point firewalls only) A list of users that get permissions in this rule; the field is populated when importing the firewall. A user applies to the firewall; the firewall identifies the user based on the IP address from LDAP (or the VPN login) and then allows the user to access the destination.
  Objects: (Except Check Point firewalls) The original representation of the users in firewall objects.
  Name: (Check Point firewalls only)

Destination
  Addresses: A comma-separated list of destination IP addresses for which to match this rule (the allowable destination addresses for a packet). Separate the first and last values of a range with a hyphen. To allow all destination addresses except those selected, select NOT.

296 Skybox View Reference Guide Objects Name (Except Check Point firewalls) The original representation of the addresses in firewall objects. (Check Point firewalls only) Services Services The services for which to match this rule (the allowable services for a packet). To manage the services for this rule, click the Browse button to open the Services Selection dialog box and then click Add to open the New Service dialog box. To allow all services except those selected, select NOT. Note: To define a service as a specific IP protocol: select IP and then select Protocol. Then, if you know: The protocol name, select it from the drop-down list Applications Objects Name NAT Source Destination Service The protocol number, type it; when you click OK, Skybox View verifies that this is a valid protocol number and substitutes the protocol name (Palo Alto Networks firewalls only) A list of the applications that are allowed for this rule. The firewall uses traffic identification to determine what types of applications (such as Gmail) exist for the rule in addition to the regular HTTP (port 80) communication. (Except Check Point firewalls) The original representation of the applications in firewall objects. (Check Point firewalls only) These fields are enabled only if Action Type = Translate. A comma-separated list of NAT source addresses for which to match this rule (the allowable NAT source addresses for a packet). Separate the first and last values of a range with a hyphen. A comma-separated list of NAT destination addresses for which to match this rule (the allowable NAT destination addresses for a packet). Separate the first and last values of a range with a hyphen. The NAT service (protocol and port). Use one of the following formats: protocol/port VPN VPN Usage protocol/(range-of-ports) Specifies whether data is sent over VPN: None: Data is not sent over VPN; this is a regular access rule. 
Any: A packet matches this rule only if it arrives or is sent out over a VPN of this firewall. Specific: A packet matches this rule only if it comes in or leaves the firewall over the VPN specified in the Specific field. Remote Access: This access rule applies only to packets coming from a Remote Access VPN. Note: If the value of this field is Remote Usage, the value of the Action Skybox View version

297 Chapter 25 Access Control List Editor Specific IPS Rule Group Type field must be set to Authenticate. This field is enabled only if VPN Usage = Specific. The VPN over which to send data. The IPS area is displayed (instead of the VPN area) only if the value of the Action Type field, described at the beginning of this table, is IPS. Specifies whether to use only the specified IPS rule group. Rule Attributes Disabled Unsupported Implied Specifies whether the access rule is disabled (has no effect). You can change the value for this field in the Access Control List Editor, using the Enable/Disable button. (Read only) Specifies whether the access rule is unsupported (that is, it cannot be modeled or repeated in the Skybox View model). (Read only) Specifies whether the access rule is implied (that is, it was not defined explicitly by the user but is derived from other device settings). ACL Management dialog box The ACL Management dialog box displays the order in which the access chains of a firewall are applied. (To add access rules to a rule chain or to change the order of the access rules in the chain, see Using the Access Control List Editor (on page 294).) You can access the ACL Management dialog box from the Properties dialog box of any asset or network device that is access-rule-enabled; click the Browse button next to the Firewall Type field. This dialog box has several variations, depending on the device for which you are specifying the order of access rules. of the ACL Management dialog box The ACL Management dialog box displays the following for all devices except Custom firewalls: The Available Rule Chains pane: The available rule chains for the device, in alphabetic order. The Inbound Order pane: The order in which the rule chains are applied for inbound traffic. The Outbound Order pane: The order in which the rule chains are applied for outbound traffic. 
The Outbound Order pane is empty for load balancers because they have no rule chains for outbound traffic. (Check Point FireWall-1 only) VPN Mode: Simplified or Traditional. The rule chains that are available for non-custom devices and the order in which they are applied cannot be changed. When working with custom firewalls, you can create additional rule chains and change the order of the chains. ACL Management dialog box: Custom firewall Skybox View supports three types of custom firewalls with different rule chains. You can use each one to define a type of firewall that is not directly supported by Skybox View. The Available Rule Chains pane lists, in alphabetic order, the rule chains that are available for use by the Inbound and Outbound panes. Skybox View version

298 Skybox View Reference Guide Note: Adding a rule chain to the Available Rule Chains pane of the ACL Management dialog box merely makes it available for use by the Inbound and Outbound panes, it does not place it into the list of rule chains used for the firewall. The Inbound and Outbound panes list the rule chains that are used for this firewall and specify their order. To add a rule chain to the ACL Management dialog box 1 In the Available Rule Chains pane of the ACL Management dialog box, click New. 2 In the New Rule Chain dialog box, in the Rule Chain Label field, type the name of an existing rule chain to add. The rule chain name can contain any ASCII characters, including spaces. Note: Rule chain names are case-sensitive. 3 Click OK. Skybox View version

Chapter 26 Access Rule Properties with Rule Review section

This information is relevant only in Skybox Firewall Assurance and Skybox Network Assurance.

The Access Rule Properties dialog box with Rule Review section is used to review access rules. It displays:
  Basic information about the access rule that was obtained from the device itself
  Information about the access rule obtained from various Skybox View processes, including compliance and usage trace information
  Attributes that have been assigned to the rule for review purposes, such as owner information and IDs of any related tickets

In this chapter
  Access Rule Properties dialog box (extended)

Access Rule Properties dialog box (extended)

The parameters of the (extended) Access Rule Properties dialog box are described in the following tables.

Basic information

All the information in this area is read-only; you can modify access rules from the Access Control List Editor (on page 294).

Action Type
    The action to be taken on a packet (traffic) that matches this rule's criteria (parameters).
Direction Type
    The directions of the packets for which to apply the access rule.
Chain
    The chain in which the access rule is found.
Expiration Date
    (Check Point firewalls only) The expiration date of the access rule. Once a rule is past its expiration date, it is not used in access analysis, Access Compliance, or attack simulation.
Original Text
    The original command for this access rule found in the device configuration, if one exists.
Original Rule ID
    The original rule ID (name or number) found in the firewall configuration, if one exists.
Modification Time
    The last time the access rule was modified on the device.
Network Interfaces
    The network interfaces on which to apply the rule (for any packet direction).
Source Network Interfaces
    The network interfaces on which to apply the rule only if the packet arrived from the specified interface.
Routed Network Interface
    (Cisco firewalls only) The egress interface configured in the NAT rule.
    Note: When an egress interface is provided, no route lookup is done.

Source
  Addresses
    A comma-separated list of source IP addresses that match this rule (the allowable source addresses for a packet).
  Users
    (Palo Alto Networks firewalls only) A list of users that get permissions in this rule; the field is populated when importing a PA Networks firewall.
    A user applies to the firewall; the firewall identifies the user based on the IP address from LDAP (or the VPN login) and then allows the user to access the destination.
  Objects
    (Except Check Point firewalls) The original representation of the users in firewall objects.
  Name
    (Check Point firewalls only)

Destination
  Addresses
    A comma-separated list of destination IP addresses that match this rule (the allowable destination addresses for a packet).
  Objects
    (Except Check Point firewalls) The original representation of the addresses in firewall objects.
  Name
    (Check Point firewalls only)

Services
  Services
    The services that match this rule (the allowable services for a packet).
  Applications
    (Palo Alto Networks firewalls only) A list of the applications that are allowed for this rule. The firewall uses traffic identification to determine what types of applications (such as Gmail) exist for the rule in addition to the regular HTTP (port 80) communication.
  Objects
    (Except Check Point firewalls) The original representation of the applications in firewall objects.
  Name
    (Check Point firewalls only)

Rule
    A description of the access rule (provided within the device configuration).
User Comments
    Comments about the access rule (provided within the device information).

Access rule information obtained from Skybox View processes

The Compliance Category table in the Highlights tab displays an overview of the information about the access rule obtained from Skybox View processes; all information in this table is read-only. Detailed information is listed in each of the other tabs.

Access Policy
    The number of Access Policy violations caused by this rule. The violations are listed in the Policy Compliance tab.
Rule Policy
    The number of Rule Policy violations caused by this rule. The violations are listed in the Policy Compliance tab.
Usage Trace
    Rule trace summary (when available). The Usage Trace tab includes detailed information about the rule trace for each object in the access rule (when available) and also includes the usage type and hit count for the rule.
Shadowed & Redundant
    The number of rules that shadowed this rule and rules that cause this rule to be redundant. The Shadow tab includes detailed information about the shadowing; the Redundant tab includes detailed information about the redundancy.
Change Tracking
    The number of changes to the access rule. The Change Tracking tab lists the actual changes.

Rule attributes

The Rule Attributes area of the Highlights tab displays user-defined attributes of the access rule that are often used for review and recertification; you can edit these attributes.

Owner
    The owner of this access rule.
Ticket ID
    The IDs of any tickets related to this access rule. You can enter these values manually for external ticketing systems. When a request for recertifying the rule is opened, the ID of the requesting ticket is automatically inserted in this field (and it then becomes read-only).
Next Review Date
    The next date set for reviewing this access rule.
    The address of the owner of this access rule.
Business Function
    The business function of this access rule.
Comment
    Comments about this access rule.

Chapter 27 Specifying routing rules

Routing rules are resolved from routing tables and from configuration files of routers and other gateways. During data collection, Skybox View reads and models routing rules, and normalizes them into the routing rule data format used by Skybox View. Skybox View supports two types of routing rules: standard and PBR (policy-based routing rules).

This chapter describes how to view routing rules and how to manage them when necessary (usually in the What If model) by adding, modifying, deleting, and replicating routing rules manually.

In this chapter
  Managing routing rules
  Replicating routing rules

Managing routing rules

You can view routing rules in the Details pane (Routing Rules tab) when a router (or other asset with routing rules) is selected in the Table pane. You can view and edit them in the Routing Rules dialog box.

To open the Routing Rules dialog box
1 Open the Model workspace.
2 In the tree, select an entity node that displays, in the Table pane, the desired asset.
3 In the Table pane, right-click the asset and select Routing Rules.

The Routing Rules dialog box has two tabs: Routing Rules and PBR. The columns of the tables in these tabs are described in Routing Rule Properties dialog box (on page 303) and Access Policy Based Routing Rule Properties dialog box (on page 304).

To add a new routing rule
1 In the Routing Rules dialog box, click New.
2 In the New Routing Rule Properties dialog box, fill in appropriate values for the fields of the new rule (see Routing Rule Properties dialog box (on page 303)) and click OK.

To modify a routing rule
1 In the Routing Rules dialog box, select a routing rule to modify. (To search for a rule, click Find and use the Find in Table (Routing Rules) dialog box (on page 303).)
2 Click Modify.
3 In the Routing Rule Properties dialog box, modify values of parameters as required (see Routing Rule Properties dialog box (on page 303)) and click OK.

To add a new PBR
1 In the Routing Rules dialog box, click the PBR tab.
2 Click New.
3 In the New Access Policy Based Routing Rule dialog box, fill in appropriate values for the parameters of the new rule (see Access Policy Based Routing Rule Properties dialog box (on page 304)) and click OK.

To modify a PBR
1 In the Routing Rules dialog box, click the PBR tab.
2 Select the PBR to modify.
3 Click Modify.
4 In the Access Policy Based Routing Rule Properties dialog box, modify values of parameters as required (see Access Policy Based Routing Rule Properties dialog box (on page 304)) and click OK.

Find in Table (Routing Rules) dialog box

The Find in Table (Routing Rules) dialog box is used to find a routing rule in the current tab of the Routing Rules dialog box. The parameters of this dialog box are described in the following table.

Find what
    The string for which to search. Use the characters ? and * for standard pattern matching (see the Match Criteria field later in this table).
Look in Field
    The fields (columns) to search for the string specified in the Find what field. Search in all visible columns or select one visible column for the search.
Search
    The search direction.
Case Sensitive
    Specifies whether the search for the string specified in the Find what field is case-sensitive.
Match Criteria
    The desired match between the routing rule parameters and the string listed in the Find what field. Select Pattern match (? and *) if the Find what field uses the characters ? and * for standard pattern matching.

Routing Rule Properties dialog box

The Routing Rule Properties dialog box is used to create new routing rules and modify the parameters of existing routing rules. The parameters of this dialog box are described in the following table.

Destination IP Address
    The destination IP address for the rule.
Destination Mask
    The destination mask for the rule.
Gateway IP Address
    The gateway IP address for the rule. If the computer (host) is directly connected to the gateway, use a value of
Network Interface
    The network interface for the rule.
Metric
    Used to select the best (most appropriate) rule for the network destination: the smaller the metric, the better it is for this purpose. When specifying a value, take into account the value of the Dynamic parameter.
Dynamic
    Specifies whether the rule was created by a dynamic routing protocol.
    Check box is selected: The rule is dynamic; it is created by a dynamic routing protocol (such as OSPF or BGP). This choice is good for large networks. Use a high metric (see Metric, earlier in this table).
    Check box is cleared: The rule is static; it is created explicitly. This choice is good for small networks and can be used as a fallback for large ones. Use a low metric (see Metric, earlier in this table).

Access Policy Based Routing Rule Properties dialog box

The Access Policy Based Routing Rule Properties dialog box is used to create new policy-based routing rules and modify the parameters of existing policy-based routing rules. The parameters of this dialog box are described in the following table.

Action Type
    What action to take when a packet matches the rule.
      Undefined: Same effect as Deny.
      Allow: If packet matches rule, allow packet to continue.
      Deny: If packet matches rule, drop the packet.
      IPS:
Applied Network Interfaces
    The network interfaces for which to apply the rule for an inbound packet.
Default
    The default rule: If this flag is cleared, the usual routing rules are skipped for this packet. If this flag is selected, the packet is routed with the usual routing rule if it exists; if it does not exist, the packet is routed by the PBR rule.
    If the PBR rule uses a default definition for the next hop or interface, this rule is considered only if no other relevant regular (non-PBR) routing rule exists. If the PBR rule does not use the default definition for the next hop or interface, the PBR rule is considered instead of the regular (non-PBR) routing rule.
Outgoing Network Interfaces
    The network interfaces for which to apply the rule for an outbound packet.
Next Hop
    The next IP address to which the computer (host) connects.
Original Text
    The text of the command found in the router configuration. This information is obtained by the online collection task or offline file import task that reads the configuration.
    Note: This field is applicable only for devices with command syntax, such as Cisco IOS routers. For other devices, this field is left blank.
Source
    A comma-separated list of the allowable source IP addresses for a packet. Separate the first and last values of a range with a hyphen.
    To allow all source IP addresses except those selected, select NOT.
Destination
    A comma-separated list of the allowable destination IP addresses for a packet. Separate the first and last values of a range with a hyphen.
    To allow all destination IP addresses except those selected, select NOT.
Services
    A comma-separated list of the allowable services (protocol and port). A single value has one of the following formats:
      protocol/port, for example, TCP/21
      protocol/(range-of-ports), for example, TCP/(21-22)
    To allow all services except those selected, select NOT.
User Comments
    One of the columns, hidden by default, in the PBR tab of the Routing Rules dialog box.

Replicating routing rules

Skybox View supports the replication of a set of routing rules to all the assets in a network, asset group, or Business Asset Group.

To replicate routing rules
1 In the Model workspace, navigate to the desired asset in the Table pane.
2 Right-click the asset and select Advanced > Replicate Routing Rules to.
3 In the Replicate Routing Rules dialog box, select the destination type for the routing rules: Network, Asset Group, or Business Asset Group.
4 Select the destination for the replication of the routing rules.
5 Click OK.
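The address-list and service formats above (comma-separated addresses with hyphenated first-last ranges, protocol/port and protocol/(range-of-ports), the NOT check box, and the protocol-number-to-name substitution described for the Services field of the Access Rule Properties dialog box in Chapter 25) are easy to get subtly wrong when reproduced in scripts or review tooling. The following is an added example, not Skybox View code: a small parser and matcher for these formats in Python. It assumes a rule chain is evaluated first-match-wins, treats Undefined as Deny and skips Disabled rules as the dialog boxes describe, and uses a constructed sample chain; the subset of IANA protocol numbers in the table is enough for the example.

```python
"""Parse and match the address-list and service formats of the Access Rule and
PBR Properties dialog boxes. Added example, not Skybox View code; the chain is
evaluated first-match-wins, which is this example's assumption."""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Tuple

# Well-known IANA protocol numbers; a subset is enough for this example.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}
PROTOCOL_NUMBERS = {name: num for num, name in PROTOCOL_NAMES.items()}


def normalize_protocol(value: str) -> str:
    """Accept a protocol name or number. A number is checked to be a valid IP
    protocol number (0-255) and replaced by its name, mirroring what the Services
    dialog does when you type a number; numbers without a name here stay numeric."""
    value = value.strip()
    if value.isdigit():
        number = int(value)
        if not 0 <= number <= 255:
            raise ValueError(f"invalid IP protocol number: {number}")
        return PROTOCOL_NAMES.get(number, str(number))
    name = value.upper()
    if name not in PROTOCOL_NUMBERS:
        raise ValueError(f"unknown protocol name: {value}")
    return name


def parse_addresses(text: str) -> List[Tuple[int, int]]:
    """'10.0.0.1, 10.0.1.0-10.0.1.255' -> [(lo, hi), ...] as integer ranges.
    Items are comma-separated; a range is written first-last with a hyphen."""
    ranges = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        first, _, last = item.partition("-")
        lo = int(ipaddress.ip_address(first.strip()))
        hi = int(ipaddress.ip_address(last.strip())) if last else lo
        if hi < lo:
            raise ValueError(f"range end precedes start: {item}")
        ranges.append((lo, hi))
    return ranges


def parse_service(text: str) -> Tuple[str, int, int]:
    """'TCP/21' -> ('TCP', 21, 21); 'TCP/(21-22)' -> ('TCP', 21, 22); '6/22' -> ('TCP', 22, 22)."""
    proto, sep, port_spec = text.strip().partition("/")
    if not sep:
        raise ValueError(f"service must be written as protocol/port: {text}")
    port_spec = port_spec.strip()
    if port_spec.startswith("(") and port_spec.endswith(")"):
        lo_s, _, hi_s = port_spec[1:-1].partition("-")
        lo, hi = int(lo_s), int(hi_s)
    else:
        lo = hi = int(port_spec)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port or port range: {text}")
    return (normalize_protocol(proto), lo, hi)


@dataclass
class AddressField:
    ranges: List[Tuple[int, int]]
    negate: bool = False  # the NOT check box: every address except those listed

    @classmethod
    def parse(cls, text: str, negate: bool = False) -> "AddressField":
        return cls(parse_addresses(text), negate)

    def matches(self, ip: str) -> bool:
        value = int(ipaddress.ip_address(ip))
        listed = any(lo <= value <= hi for lo, hi in self.ranges)
        return listed != self.negate


@dataclass
class ServiceField:
    services: List[Tuple[str, int, int]]
    negate: bool = False  # the NOT check box: every service except those listed

    @classmethod
    def parse(cls, text: str, negate: bool = False) -> "ServiceField":
        return cls([parse_service(s) for s in text.split(",") if s.strip()], negate)

    def matches(self, proto: str, port: int) -> bool:
        proto = normalize_protocol(proto)
        listed = any(p == proto and lo <= port <= hi for p, lo, hi in self.services)
        return listed != self.negate


@dataclass
class AccessRule:
    action: str  # Allow / Deny / Undefined (Undefined has the effect of Deny)
    source: AddressField
    destination: AddressField
    services: ServiceField
    disabled: bool = False  # a Disabled rule has no effect


def first_matching_action(rules: List[AccessRule], src: str, dst: str,
                          proto: str, port: int) -> Optional[str]:
    """Walk the chain in order and return the effective action of the first
    enabled rule that matches, or None when nothing matches."""
    for rule in rules:
        if rule.disabled:
            continue
        if (rule.source.matches(src) and rule.destination.matches(dst)
                and rule.services.matches(proto, port)):
            return "Deny" if rule.action == "Undefined" else rule.action
    return None


def sample_chain() -> List[AccessRule]:
    """Constructed sample rules (not taken from any real firewall)."""
    return [
        AccessRule("Allow", AddressField.parse("10.0.0.0-10.0.255.255"),
                   AddressField.parse("192.0.2.10"),
                   ServiceField.parse("TCP/443, TCP/(8080-8081)")),
        # SSH to the jump host from everywhere except 10.0.5.0/24 (NOT selected)
        AccessRule("Allow", AddressField.parse("10.0.5.0-10.0.5.255", negate=True),
                   AddressField.parse("192.0.2.20"), ServiceField.parse("6/22")),
        # cleanup rule with Action Type Undefined, which behaves as Deny
        AccessRule("Undefined", AddressField.parse("0.0.0.0-255.255.255.255"),
                   AddressField.parse("0.0.0.0-255.255.255.255"),
                   ServiceField.parse("TCP/(0-65535), UDP/(0-65535)")),
    ]
```

The matcher returns None when no rule in the chain covers the packet, which is worth distinguishing from an explicit Deny when you compare a script's result against what the Access Analyzer reports.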

Chapter 28 Access Analyzer

This chapter describes how to set the parameters of queries in the Access Analyzer.

In this chapter
  Access Analyzer query fields for Vulnerability Control
  Access Analyzer query fields for Firewall Assurance and Network Assurance

Access Analyzer query fields for Vulnerability Control

The Access Analyzer is available only when working with the Exposure feature of Skybox Vulnerability Control. The query fields for the Access Analyzer when working with Skybox Vulnerability Control are described in the following table.

Source
  Scope
    The source points for access analysis. Click the Browse button to define the source scope or IP address range.
    For information about source and destination fields, see Defining the source and the destination, in the Skybox Vulnerability Control User's Guide.
  Services
    The services to use on the source assets to analyze access.
    NOT: All services except the ones that you select are used to analyze access.
    Note: Use this field in special cases only: by default, TCP and UDP communication source ports are chosen randomly.

Destination
  Sending To
    For information about using Arriving At and Sending To fields, see Additional destination options, in the Skybox Vulnerability Control User's Guide.
    IP Ranges
      The IP address ranges to use when sending packets. This field is used to limit the query to specific IP addresses, even though the destination (or source) field might be a network or a location.
    Services
      The services to use when sending packets to specific IP address ranges.
      NOT: All services except the ones that you select are used to analyze access.
      Use this field when the packet is sent through a proxy server and only the proxy port is known.
  Arriving At
    For information about using Arriving At and Sending To fields, see Additional destination options, in the Skybox Vulnerability Control User's Guide.
    Scope
      The destination points for access analysis. Click the Browse button to define the destination scope or IP address range.
    Services
      The services to use to access the destination.
      NOT: All services except the ones that you select are used to analyze access.
  Filter By NAT
    Specifies the NAT for the request:
      Source Nat: Show only access results that involve source NAT (that is, the source of the query was translated)
      Destination Nat: Show only access results that involve destination NAT (that is, the destination of the query was translated)
      No Source Nat: Show only access results that do not involve source NAT (that is, the source of the query was not translated)
      No Destination Nat: Show only access results that do not involve destination NAT (that is, the destination of the query was not translated)
      None: Show all results (do not filter by NAT)

Advanced
  Access Rules
      Use All: All access rules encountered in the model are used.
      Ignore All Rules: Access and address translation rules are ignored. This option is useful for connectivity testing and model verification.
      Use Only NAT Rules:
  Routing Rules
      Use All: All routing rules are used.
      Ignore All Rules: Routing rules are ignored; each packet is routed through all available interfaces. This option is useful for connectivity testing and model verification.
      Ignore Dynamic Rules Only: Only static routing rules are used and packets that do not match the static routing rules are routed through all available interfaces.
    Note: This option has no effect on assets and gateways without routing rules. For such assets, packets are routed through all available interfaces.
  Routes Per Service
    The number of routes to be analyzed for each service. If the displayed route is incomplete (for example, it covers access from only some of the sources), increase this value to provide a more complete result.
    Note: Increasing the value of this parameter increases the analysis time for this query.
    Note: To change the default value, modify the AccessAnalyzer_max_routes_for_service parameter in <Skybox_View_Home>\server\conf\sb_server.properties.
  Simulate IP Spoofing During Analysis
    Specifies whether to analyze access from any IP address (to simulate IP address spoofing).
  Ignore Rules on Source
    Specifies whether to analyze access as if the source assets allow any outbound traffic, regardless of the current access and routing rules.
  Show Source network in Destination
    Specifies whether to include the Source networks in the Analysis Result pane.

Note: If you change input parameters after analyzing a rule, you must reanalyze the rule for the changes to take effect.

For additional information about working with the Access Analyzer, see Access Analyzer, in the Skybox Vulnerability Control User's Guide.

Access Analyzer query fields for Firewall Assurance and Network Assurance

The query fields for the Access Analyzer when working with Skybox Firewall Assurance or Skybox Network Assurance are described in the following table.

Firewall
    (Displayed when Firewall Mode is selected on the toolbar) The firewall on which to analyze access.

Source
  Scope
    The source points for access analysis. Click the Browse button to define the source scope or IP address range.
    For information about source and destination fields:
      When working with Skybox Firewall Assurance, see Defining the source and the destination, in the Skybox Firewall Assurance User's Guide.
      When working with Skybox Network Assurance, see Defining the source and the destination, in the Skybox Network Assurance User's Guide.
  Services
    The services to use on the source assets to analyze access.
    NOT: All services except the ones that you select are used to analyze access.
    Note: Use this field in special cases only: by default, TCP and UDP communication source ports are chosen randomly.

Destination
  Sending To
    For information about using Arriving At and Sending To fields, see Additional destination options, in the Skybox Firewall Assurance User's Guide or the Skybox Network Assurance User's Guide.
    IP Ranges
      The IP address ranges to use when sending packets. This field is used to limit the query to specific IP addresses, even though the destination (or source) field might be a network or a location when using Skybox Network Assurance, or all the IP addresses behind a network interface when using Skybox Firewall Assurance.
    Services
      The services to use when sending packets to specific IP address ranges.
      NOT: All services except the ones that you select are used to analyze access.
      Use this field when the packet is sent through a proxy server and only the proxy port is known.
  Arriving At
    For information about using Arriving At and Sending To fields, see Additional destination options, in the Skybox Firewall Assurance User's Guide or the Skybox Network Assurance User's Guide.
    Scope
      The destination points for access analysis. Click the Browse button to define the destination scope or IP address range.
    Services
      The services to use to access the destination.
      NOT: All services except the ones that you select are used to analyze access.
  Filter By NAT
    Specifies the NAT for the request:
      Source Nat: Show only access results that involve source NAT (that is, the source of the query was translated)
      Destination Nat: Show only access results that involve destination NAT (that is, the destination of the query was translated)
      No Source Nat: Show only access results that do not involve source NAT (that is, the source of the query was not translated)
      No Destination Nat: Show only access results that do not involve destination NAT (that is, the destination of the query was not translated)
      None: Show all results (do not filter by NAT)

Advanced
  Access Rules
      Use All: All access rules encountered in the model are used.
      Ignore All Rules: Access and address translation rules are ignored. This option is useful for connectivity testing and model verification.
      Use Only NAT Rules:
  Routing Rules
      Use All: All routing rules are used.
      Ignore All Rules: Routing rules are ignored; each packet is routed through all available interfaces. This option is useful for connectivity testing and model verification.
      Ignore Dynamic Rules Only: Only static routing rules are used and packets that do not match the static routing rules are routed through all available interfaces.
    Note: This option has no effect on assets and gateways without routing rules. For such assets, packets are routed through all available interfaces.
  Routes Per Service
    The number of routes to be analyzed for each service. If the displayed route is incomplete (for example, it covers access from only some of the sources), increase this value to provide a more complete result.
    Note: Increasing the value of this parameter increases the analysis time for this query.
    Note: To change the default value, modify the AccessAnalyzer_max_routes_for_service parameter in <Skybox_View_Home>\server\conf\sb_server.properties.
  Simulate IP Spoofing During Analysis
    Specifies whether to analyze access from any IP address (to simulate IP address spoofing).
  Ignore Rules on Source
    Specifies whether to analyze access as if the source assets allow any outbound traffic, regardless of the current access and routing rules.
  Show Source network in Destination
    Specifies whether to include the Source networks in the Analysis Result pane.

Note: If you change input parameters after analyzing a rule, you must reanalyze the rule for the changes to take effect.

For additional information about working with the Access Analyzer, see Access Analyzer, in the Skybox Network Assurance User's Guide.
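The Routing Rules modes of the Access Analyzer (Use All, Ignore All Rules, Ignore Dynamic Rules Only) and the Metric, Dynamic and PBR Default semantics from Chapter 27 determine which interface a modelled packet leaves by, and a mismatch between what you expect and what the analyzer shows is usually one of these rules. The following is an added example, not Skybox View code, that resolves a packet against constructed routing and PBR rules under those three modes. Its assumptions: candidate routes are chosen longest prefix first and then by lowest metric (the dialog only states that a smaller metric is better); PBR source and destination are single CIDR blocks rather than the dialog's address lists; PBR rules are evaluated first-match; the `mode` names and all sample data are this example's own.

```python
"""Resolve a packet's egress from standard routing rules and PBR rules, following
the Routing Rule / PBR Properties dialog boxes and the Access Analyzer routing
modes. Added example, not Skybox View code; see the assumptions in the comments."""
from dataclasses import dataclass
import ipaddress
from typing import List, Tuple

MODES = ("use_all", "ignore_all", "ignore_dynamic")  # names are this example's own


@dataclass
class RoutingRule:
    destination: str       # Destination IP Address
    mask: str              # Destination Mask (dotted form)
    gateway: str           # Gateway IP Address
    interface: str         # Network Interface
    metric: int            # the smaller the metric, the better
    dynamic: bool = False  # Dynamic check box: learned from OSPF/BGP

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.destination}/{self.mask}", strict=False)


@dataclass
class PBRRule:
    action: str                    # Allow / Deny / Undefined (Undefined acts as Deny)
    applied_interfaces: List[str]  # Applied Network Interfaces (inbound side)
    source: str                    # CIDR; simplification of the dialog's address list
    destination: str               # CIDR
    outgoing_interface: str        # Outgoing Network Interfaces
    next_hop: str                  # Next Hop
    default: bool = False          # the Default flag


def pbr_matches(rule: PBRRule, in_iface: str, src: str, dst: str) -> bool:
    return (in_iface in rule.applied_interfaces
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule.source)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.destination))


def lookup_route(rules: List[RoutingRule], dst: str, mode: str = "use_all",
                 all_interfaces: Tuple[str, ...] = ()) -> List[str]:
    """Egress interface(s) for dst under an Access Analyzer routing mode.
    Longest prefix first, then lowest metric (longest-prefix precedence is an
    assumption of this example). An empty list means no route: a missing hop."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    if mode == "ignore_all":  # Ignore All Rules: every available interface
        return list(all_interfaces)
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in rules
                  if ip in r.network() and not (mode == "ignore_dynamic" and r.dynamic)]
    if not candidates:
        # Ignore Dynamic Rules Only: unmatched packets go through all interfaces
        return list(all_interfaces) if mode == "ignore_dynamic" else []
    best = min(candidates, key=lambda r: (-r.network().prefixlen, r.metric))
    return [best.interface]


def resolve(in_iface: str, src: str, dst: str, routing: List[RoutingRule],
            pbr_rules: List[PBRRule], mode: str = "use_all",
            all_interfaces: Tuple[str, ...] = ()) -> Tuple[str, List[str]]:
    """Return (decision, egress interfaces); decision is Deny, PBR, Routing or NoRoute."""
    regular = lookup_route(routing, dst, mode, all_interfaces)
    pbr = next((p for p in pbr_rules if pbr_matches(p, in_iface, src, dst)), None)
    if pbr is not None:
        if pbr.action in ("Deny", "Undefined"):
            return ("Deny", [])
        # Default cleared: the usual routing rules are skipped for this packet.
        # Default selected: the usual rule is used if it exists, else the PBR rule.
        if not pbr.default or not regular:
            return ("PBR", [pbr.outgoing_interface])
    return ("Routing", regular) if regular else ("NoRoute", [])


def sample_topology():
    """Constructed sample data (not from any real device)."""
    interfaces = ("eth0", "eth1", "eth2", "eth3")
    routing = [
        RoutingRule("0.0.0.0", "0.0.0.0", "203.0.113.1", "eth1", metric=10),
        RoutingRule("10.20.0.0", "255.255.0.0", "10.99.0.1", "eth2", metric=110, dynamic=True),
        RoutingRule("10.20.5.0", "255.255.255.0", "10.98.0.1", "eth3", metric=20),
        RoutingRule("10.20.5.0", "255.255.255.0", "10.99.0.2", "eth2", metric=30),
    ]
    pbr = [
        # Default cleared: branch traffic always leaves by eth2
        PBRRule("Allow", ["eth0"], "10.10.0.0/24", "0.0.0.0/0", "eth2", "10.99.0.1"),
        # Default selected: only used when no regular route exists
        PBRRule("Allow", ["eth0"], "10.10.1.0/24", "0.0.0.0/0", "eth2", "10.99.0.1", default=True),
        # Undefined action: dropped, same effect as Deny
        PBRRule("Undefined", ["eth0"], "10.10.9.0/24", "10.20.0.0/16", "eth2", "10.99.0.1"),
    ]
    return routing, pbr, interfaces
```

Running the same packet under `use_all` and `ignore_dynamic` is the quickest way to see whether a surprising Access Analyzer path comes from a dynamically learned route, and `NoRoute` corresponds to the Has Missing Hops highlight in the Network Map.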

Chapter 29 Network Map

This chapter describes how to set the parameters of the Network Map.

For information about the Network Map:
  When working with Skybox Vulnerability Control, see the Network visualization (maps) chapter in the Skybox Vulnerability Control User's Guide.
  When working with Skybox Network Assurance, see the Network visualization (maps) topic in the Skybox Network Assurance User's Guide.

In this chapter
  Network Map control panel
  Network Map filter toolbar
  Parameters of individual maps
  Layout parameters

Network Map control panel

The options available in the control panel of the Network Map are described in the following table.

(Basic)
  These buttons and fields are always visible.
  Map
    Enables you to select a different map to display in the Map pane. If you have made changes to the current map, you can save those changes before the selected map is displayed.
  Reload the maps
    Prompts to save all unsaved maps, refreshes the map definitions from the Server, and reloads the selected map to the Map pane.
  Help
    Opens help for the Network Map.
  Save current map
    Saves the current map (including any changes) with its original name.
    Note: This option is not available for the default map.
  Save current map as a new one
    Saves the current map with a new name. You can also change map parameters before saving.
    Redraws the current map (excluding nodes that are hidden). When the map is redrawn, the optimized layout is recalculated, which might result in a better view of the map, especially if there are changes to the model or map parameters.
  Zoom to Fit
    Fits all nodes of the map into the Map pane (excluding nodes that are hidden).
  Display Filter Pane
    Displays a small pane above the map that is used to filter which nodes are displayed in the map.
    Note: You can also use Ctrl-F to display the filter pane, and the Esc key (in the Show field or in the white space of the Map pane) to close it.
  Select Neighbor Nodes
    When specific nodes are selected in the map, adds the immediate neighbor nodes of the selected nodes to the selection.
  Clear Current Selection
    Clears the map so that no nodes are selected.
  Highlight Neighbors
    When a node in the map is selected, all neighbors within the specified number of hops are also highlighted in lighter colors. For example, a distance of 1 specifies that immediate neighbors (only) are highlighted.

File
  Save current map
    Saves the current map (including any changes) with its original name.
    Note: This option is not available for the default map.
  Save current map as a new one
    Saves the current map with a new name. You can also change map parameters before saving. For information about map parameters, see Parameters of individual maps (on page 314).
  Properties
    Opens the Network Map Properties dialog box for editing the scope of the current map.
  Export
    Export image: Saves the visible portion of the map as a graphic to the folder you select in the Export dialog box.
    Note: You can adjust the resolution of the saved image in the Export dialog box for easier viewing outside of Skybox View.
    Export to Visio: Exports the visible portion of the map as a Microsoft Visio drawing file (*.VDX). Anyone can open the exported map in Visio (that is, they do not need to be a Skybox View user to view or print the map).
    Note: VDX is a standard XML drawing format supported by Visio.
  New
    Creates a new map from the nodes that are currently visible in the Map pane.
  Delete Map
    Deletes the current map from the Map pane and the database, and opens the default map.

View
  Zoom In
    Increases the magnification of the map.
  Zoom Out
    Decreases the magnification of the map.
  Zoom to Area
    When selected, moving the mouse up and down controls the size of the display rather than moving the display up and down.
  Display Locations
    Specifies which (if any) location labels are displayed in the map. Location labels are not part of the map; you can drag them around the map.
  Display Map Groups
    Specifies which (if any) Map Group labels are displayed in the map. Map Group labels are not part of the map; you can drag them around the map.

Layout
    Redraws the current map (excluding nodes that are hidden). When the map is redrawn, the optimized layout is recalculated, which might result in a better view of the map, especially if there are changes to the model or map parameters.
    Opens an advanced dialog box that enables you to fine-tune the display in the map window. For additional information, see Layout parameters (on page 315).

Map Groups
  New
    Creates a new Map Group from the nodes selected in the map.
  Attach to Map Group
    Enables you to attach the nodes selected in the map to a Map Group.
  Detach from Map Group
    Enables you to detach the nodes selected in the map from a Map Group.
  Help
    Opens help for Map Groups.
  Highlight
    The map groups to highlight
    Collapses all Map Groups. If there are any nested Map Groups, only the outermost group is displayed.
    Expands all Map Groups so that all the groups at all levels are visible.

Highlight
  Node Type
    Highlights in peach all devices of the specified type (firewall or router) in the map.
  Network Type
    Highlights in tan all networks of the specified type (Perimeter Cloud, regular network, or secure VPN) in the map.
  Location
    Highlights in turquoise all nodes related to the selected location.
  Zone
    Highlights in tan all networks and devices that belong to the selected zone type.
    Note: Zones are defined and used in Skybox Network Assurance.
  Validation
    Has Missing Hops: Highlights in gray all devices that have at least one missing next hop according to their routing tables.
    Empty Networks: Highlights in gray all networks that contain no non-gateway assets.
    Hides most nodes in the map, so that only the highlighted nodes and their neighbors to the selected degree are displayed.
    Selects all the highlighted nodes in the map and their neighbors to the selected degree.

314 Skybox View Reference Guide Button/Field Sets all the highlight settings back to None and clears all highlights in the map. Network Map filter toolbar The options available in the filter pane are described in the following table. To open the pane click in the control panel or press Ctrl-F; to close the pane click in the pane or press the Esc key. Button/Field Visible Show Show Only Highlighted Regular Mouse Mode Focus Extend Neighbors Distance Display All Nodes Close Filter Pane (Read only) Specifies how many nodes are currently visible in the map and the total number of nodes in the current map. Note: When a Map Group is collapsed, it is counted as one node. For nested Map Groups, only the outermost group is counted. Enables you to select entities in the map by typing in the (full or partial) name or IP address of the desired nodes. Wildcards and specific regular expression syntaxes are also permitted. For additional information, see Navigating the Network Map, in the Skybox Network Assurance and Skybox Vulnerability Control User Guides. Hides most nodes in the map, so that only the highlighted nodes and their neighbors to the selected degree are displayed. Specifies that when you select nodes in the map, the selected nodes and their neighbors are highlighted. Specifies that when you select nodes in the map, only those nodes and their neighbors (within a radius of Neighbors Distance) are displayed. All other nodes in the map are hidden. Specifies that when you select nodes in the map, the map expands (if parts of it were hidden) by adding all neighbors of the selected node up to a radius of Neighbors Distance. The radius of the neighborhood to use for Focus and Expand modes. Restores all hidden nodes to the map but keeps the current magnification (so some nodes might not be visible in the display). Hides the filter pane. s of individual maps With the Network Map open, click dialog box. 
(in the General pane) to open the Network Map Properties Note: The parameters in this dialog box refer to the specific map that is displayed in the Map pane. The map parameters are described in the following table. Skybox View version

315 Chapter 29 Network Map General Name A name for the map. s Network Scope Network Exclude Scope Expand scope s neighborhood The locations, networks, and assets to include in the Network Map. Specific locations, networks, and assets to exclude from the scope defined in Network Scope. Note: When you create a map, you must generate the map once before you can specify the exclude scope. Specifies whether to include the closest neighborhood of the selected scope in the map. Auto group nodes with the same neighbors Networks Gateways Specifies whether to group all networks that have the same neighbors. These are usually either clusters or networks at the perimeter of the model that are connected to the same firewall or router. The networks are displayed as one entity with a grouping symbol around them. Specifies whether to group all gateway entities of the same type that have the same neighbors. These are usually clusters of firewalls or routers used for redundancy. The gateways are displayed as one entity with a grouping symbol around them. Auto group mesh VPN Mesh Tunnel Mesh Layout parameters The layout of the network map is based on a simulation of interacting forces. Nodes in the network map represent networks and gateways, with networks represented by blue dots and gateways represented by icons of their device type. Edges in the network map represent the connection between the gateways and the networks in which they are included; each edge represents one network interface of a gateway. The default layout values are appropriate for most medium to large models. In some cases, adjusting (tuning) the layout parameters can achieve a better layout. Tuning the layout parameters If tuning is required, a change to one or two of the parameters is usually sufficient to produce a better layout. 
The process is mainly trial and error; here are some tips: When the model is relatively small or has low complexity (such as the demo model or when presenting a single location), a smaller DragCoefficient (such as 0.003) or a smaller DefaultSpringLength (such as 60) might create a better layout. Decreasing the DefaultSpringLength can improve distinction between areas of nodes in the layout. Decreasing the GravitationalConstant (a stronger repelling force) usually leads to a more spreadout model; the SpringCoefficient might need to be increased to balance the antigravity forces. Skybox View version

How the simulation works

Three types of forces are simulated in the network map:
- N-body force: A force between the nodes, such as gravity, anti-gravity, or electrostatic force. By default, each node repels the other nodes according to its distance from them.
- Spring force: Each edge acts as a spring. It applies force on the nodes it connects if the length of the edge is greater or smaller than the default (resting) spring length.
- Drag force: Resistance to change in the node positions due to other forces, similar to air resistance or fluid viscosity.

Each force type has parameters that control its behavior, as listed in the following table.

NBodyForce
- GravitationalConstant: Affects the magnitude of the gravity or antigravity. Nodes attract each other if this value is positive and repel each other if it is negative.
- Distance: The distance within which two nodes interact. If -1, the value is treated as infinite.
- BarnesHutTheta: Enables computing gravity (or antigravity) between a node and a group of relatively distant nodes, rather than between the node and each of the group members. The parameter determines that when all the group members fit into a viewing angle from the node that is smaller than theta, the mass of the group is aggregated, and the gravity force is computed between the node and the group. A small theta leads to somewhat more accurate gravity computation, but a longer calculation time.

DragForce
- DragCoefficient: Specifies the magnitude of the drag force.

SpringForce
- SpringCoefficient: The spring tension coefficient (k in Hooke's law).
- DefaultSpringLength: The spring's resting length (length at equilibrium position).

Layout invisible nodes: Specifies whether the layout operation considers all nodes (including those that are currently hidden).
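As an added example (not code from the Skybox View product or its documentation), the following Python sketch runs the three force types above, using the parameter names from the table, on a constructed graph of one firewall with three network interfaces. BarnesHutTheta aggregation is omitted (every pair is computed exactly) and the numeric parameter values are constructed for the example, not Skybox defaults.

```python
"""Added example (not Skybox View code): a force-directed layout step using
the N-body, spring and drag forces and the parameter names described above.
Nodes, edges and parameter values are constructed for this example."""
import math

# Parameter names follow the Layout dialog box; the values are constructed.
PARAMS = {
    "GravitationalConstant": -1.0,  # negative: nodes repel each other
    "Distance": -1,                 # -1: interaction range is infinite
    "DragCoefficient": 0.2,
    "SpringCoefficient": 0.1,
    "DefaultSpringLength": 50.0,
}


def _delta(positions, a, b):
    """Vector from node a to node b and its length (never exactly zero)."""
    dx = positions[b][0] - positions[a][0]
    dy = positions[b][1] - positions[a][1]
    return dx, dy, (math.hypot(dx, dy) or 1e-9)


def nbody_force(positions, params):
    """Pairwise gravity/antigravity (inverse-square law) between all nodes.
    BarnesHutTheta aggregation is omitted: every pair is computed exactly."""
    g = params["GravitationalConstant"]
    max_dist = params["Distance"]
    forces = {n: [0.0, 0.0] for n in positions}
    names = list(positions)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            dx, dy, dist = _delta(positions, a, b)
            if max_dist != -1 and dist > max_dist:
                continue  # nodes farther apart than Distance do not interact
            mag = g / (dist * dist)  # positive g pulls a towards b
            fx, fy = mag * dx / dist, mag * dy / dist
            forces[a][0] += fx
            forces[a][1] += fy
            forces[b][0] -= fx
            forces[b][1] -= fy
    return forces


def spring_force(positions, edges, params):
    """Hooke's law per edge: F = SpringCoefficient * (length - DefaultSpringLength)."""
    k = params["SpringCoefficient"]
    rest = params["DefaultSpringLength"]
    forces = {n: [0.0, 0.0] for n in positions}
    for a, b in edges:
        dx, dy, dist = _delta(positions, a, b)
        mag = k * (dist - rest)  # positive: edge too long, pull the ends together
        fx, fy = mag * dx / dist, mag * dy / dist
        forces[a][0] += fx
        forces[a][1] += fy
        forces[b][0] -= fx
        forces[b][1] -= fy
    return forces


def drag_force(velocities, params):
    """Resistance proportional to velocity, like air resistance."""
    c = params["DragCoefficient"]
    return {n: [-c * vx, -c * vy] for n, (vx, vy) in velocities.items()}


def step(positions, velocities, edges, params, dt=1.0):
    """Advance the simulation one time step (unit mass, semi-implicit Euler)."""
    nb = nbody_force(positions, params)
    sp = spring_force(positions, edges, params)
    dr = drag_force(velocities, params)
    new_pos, new_vel = {}, {}
    for n, (x, y) in positions.items():
        fx = nb[n][0] + sp[n][0] + dr[n][0]
        fy = nb[n][1] + sp[n][1] + dr[n][1]
        vx = velocities[n][0] + fx * dt
        vy = velocities[n][1] + fy * dt
        new_vel[n] = (vx, vy)
        new_pos[n] = (x + vx * dt, y + vy * dt)
    return new_pos, new_vel


def run_layout(positions, edges, params, steps=500):
    """Run the simulation from rest until drag has damped the motion."""
    velocities = {n: (0.0, 0.0) for n in positions}
    for _ in range(steps):
        positions, velocities = step(positions, velocities, edges, params)
    return positions


def edge_length(positions, edge):
    return _delta(positions, edge[0], edge[1])[2]


# Constructed sample: one firewall with three network interfaces (one edge per
# interface into a network); all nodes start bunched together.
SAMPLE_NODES = {"fw-1": (0.0, 0.0), "net-a": (10.0, 0.0),
                "net-b": (0.0, 10.0), "net-c": (-10.0, 0.0)}
SAMPLE_EDGES = [("fw-1", "net-a"), ("fw-1", "net-b"), ("fw-1", "net-c")]

if __name__ == "__main__":
    final = run_layout(SAMPLE_NODES, SAMPLE_EDGES, PARAMS)
    for edge in SAMPLE_EDGES:
        # each edge settles near DefaultSpringLength; repulsion stretches it slightly
        print(edge, round(edge_length(final, edge), 2))
```

Lowering DefaultSpringLength or GravitationalConstant in PARAMS and re-running shows the effects the tuning tips above describe.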

Chapter 30: Firewall Map

This chapter describes how to set the parameters of the Firewall Map.

In this chapter:
- Firewall Map filter pane

Firewall Map filter pane

The options available in the filter pane are described in the following table. To open the pane, press Ctrl-F; to close the pane, click [icon] in the pane or press the Esc key.

- Visible: (Read only) Specifies how many nodes are currently visible in the map and the total number of nodes in the current map. Note: When a Map Group is collapsed, it is counted as one node. For nested Map Groups, only the outermost group is counted.
- Show: Enables you to select entities in the map by typing in the (full or partial) name or IP address of the desired nodes. Wildcards and specific regular expression syntaxes are also permitted. For additional information, see Navigating the Network Map, in the Skybox Network Assurance and Skybox Vulnerability Control User's Guides.
- Show Only Highlighted: Hides most nodes in the map, so that only the highlighted nodes and their neighbors to the selected degree are displayed.
- Mouse Mode: Regular: Specifies that when you select nodes in the map, the selected nodes and their neighbors are highlighted. Focus: Specifies that when you select nodes in the map, only those nodes and their neighbors (within a radius of Neighbors Distance) are displayed; all other nodes in the map are hidden. Extend: Specifies that when you select nodes in the map, the map expands (if parts of it were hidden) by adding all neighbors of the selected node up to a radius of Neighbors Distance.
- Neighbors Distance: The radius of the neighborhood to use for Focus and Expand modes.
- Display All Nodes: Restores all hidden nodes to the map but keeps the current magnification (so some nodes might not be visible in the display).
- Close Filter Pane: Hides the filter pane.

Part V: Entities

This part describes the entities used in the Skybox View model.

Chapter 31: Model entities

You can access all model entities from:
- The Model tree
- The Network Map

You can access specific types of model entities from other places in Skybox View. For example, you can access network devices from the Network Assurance workspace.

In this chapter:
- Entity relationships
- Locking entity parameters
- Business Asset Groups
- Business Units
- Clouds
- Assets
- Asset groups
- Locations
- Networks
- Network groups
- Network interfaces
- Services
- Threat Origins
- Vulnerability occurrences

Entity relationships

The main entity types in the Skybox View model are assets and networks.

Figure 13: Entity relationships

You can group assets into Business Asset Groups and Asset Groups. These are logical groupings. Assets can be part of networks or clouds. These are topological groupings. Networks and clouds can be parts of locations. You can group networks into Network Groups for zoning purposes when working with Skybox Network Assurance.

Locking entity parameters

Some fields (parameters) of model entities are lockable:
- [icon] (Locked): The data in the field was entered or changed by a user; it is not changed by the system.
- [icon] (Unlocked): The data in the field is the system-collected (or default) value.

Click [icon] to set the field data back to the system-collected (or default) value. The icon toggles to [icon]. The main reason for changing the value of a field of a model entity is that scans or online collections return an incorrect value for the field; locked fields are not updated by the system.

Business Asset Groups

A Business Asset Group ([icon]) is a group of assets that serve a common business purpose. Each Business Asset Group has an associated set of damage (Business Impact) and dependency rules that define the impact of security loss on that Business Asset Group. Business Asset Groups are relevant only to Skybox Vulnerability Control for attack simulation.

The Business Asset Group dialog box has three tabs:
- Properties (on page 321)
- Business Impacts (on page 322)
- Regulations (on page 322)

For additional information about Business Asset Groups, see the Business Asset Groups section in the Skybox Vulnerability Control User's Guide.

Business Asset Groups: Properties tab

The Properties parameters of Business Asset Groups are described in the following table.

- Name: The name of this Business Asset Group.
- Members: The members of this Business Asset Group. Specify assets or networks. If you specify a network, all non-network-device assets in that network are considered part of the Business Asset Group. Note: If you want to include the network devices in the Business Asset Group, clear Exclude network devices from selected networks in the Members dialog box.
- Member Dependency: Specifies how the security of a Business Asset Group depends on the security of its member assets. Default: Security loss of any type (confidentiality, integrity, or availability) on a Business Asset Group member implies the same type of security loss on the Business Asset Group; integrity loss on a Business Asset Group member also implies an availability and confidentiality security loss on the Business Asset Group. Simple: Security loss of any type (confidentiality, integrity, or availability) on a Business Asset Group member implies the same type of security loss on the Business Asset Group. None: Used when the Default and Simple options of describing dependency are not sufficient and you prefer to state explicitly how a security loss on each of the Business Asset Group members affects the Business Asset Group (see Adding dependency rules and Explicit dependency rules, in the Skybox Vulnerability Control User's Guide).
- Threat Origins: Specifies whether to consider the listed Threat Origins when examining attacks on this Business Asset Group. Ignore pane: Threat Origins to ignore when examining attacks on this Business Asset Group. Analyze for Risk pane: Threat Origins that are not Detached (that is, Threat Origins to consider when examining attacks on this Business Asset Group). Use [icon] and [icon] to move selected Threat Origins from one pane to the other. Alternatively, in the Threat Origin Properties dialog box, you can define the Business Asset Groups to be considered by the Threat Origin. For additional information, see Adding Threat Origins, in the Skybox Vulnerability Control User's Guide. Threat Origins with grayed-out bombs next to their name are disabled.
- Owner: The owner of this Business Asset Group.
- User Comments: A statement describing this Business Asset Group.

Business Asset Groups: Business Impacts tab

A Business Impact is a rule that specifies the damage to your organization as a result of an attack (that is, security loss) on a Business Asset Group. Business Impacts are defined in the Skybox View Admin window. For information about Business Impacts, see Business Impacts and Regulations, in the Skybox Vulnerability Control User's Guide.

In the Business Impacts tab of the Business Asset Groups dialog box (see Business Asset Groups (on page 320), in the Skybox View Reference Guide), you specify which of the Business Impacts to associate with the selected Business Asset Group (expressing the effects of a security loss).

The Business Impacts parameters of Business Asset Groups are described in the following table.
- (Attach/Detach check box): Specifies whether the selected Business Impact is attached to this Business Asset Group.
- Name: (Read only) The name of this Business Impact.
- Damage: Damage associated with the Business Impact. Note: You can specify Damage as either a monetary value or a level between Very High and Very Low.
- Loss Type: (Read only) Loss type associated with the Business Impact: C (confidentiality), I (integrity), A (availability).

Business Asset Groups: Regulations tab

A Regulation is a type of Business Impact that specifies the impact to a Business Asset Group (that is, the damage to your organization) that results if your organization is not in compliance with a security-related regulation. For information about Regulations, see Business Impacts and Regulations, in the Skybox Vulnerability Control User's Guide.

The Regulations parameters of Business Asset Groups are described in the following table.
- (Attach/Detach check box): Specifies whether the selected Regulation is attached to this Business Asset Group.
- Name: (Read only) The name of the Regulation.
- Damage: Damage associated with the Regulation. Note: You can specify Damage as either a monetary value or a level between Very High and Very Low.
- Loss Type: (Read only) Loss type associated with the Regulation: C (confidentiality), I (integrity), A (availability).

Business Units

Business Units ([icon]) allow you to group your organization's Business Asset Groups for management purposes. The parameters of Business Units are described in the following table.
- Name: The name of this Business Unit.
- Members: The members of this Business Unit: Business Units under the direct responsibility of this Business Unit (for creating a hierarchy of Business Units); Business Asset Groups under the direct responsibility of the Business Unit; Locations that include the assets that support the operation of the Business Unit. Specifying locations is required only if you need vulnerability occurrence counts for the Business Units.
- Owner: The owner of this Business Unit.
- User Comments: A statement describing this Business Unit.

Business Units are relevant only to Skybox Vulnerability Control. For additional information, see Business Units, in the Skybox Vulnerability Control User's Guide.

Clouds

Clouds are networks (or groups of networks) that are not completely modeled, such as the internet, partner organizations, or sensitive areas in your own organization that cannot be fully modeled. Skybox View supports the following types of clouds:
- [icon] Perimeter Cloud: Used to represent missing networks at the edges of the model
- [icon] Connecting Cloud: Used to represent missing networks between two entities in the model

For additional information about clouds:
- When working with Skybox Vulnerability Control, see Clouds, in the Skybox Vulnerability Control User's Guide.
- When working with Skybox Network Assurance, see Clouds, in the Skybox Network Assurance User's Guide.

Perimeter Clouds

Perimeter Clouds ([icon]) are networks or groups of networks at the edges of the model that are not completely modeled, such as the internet and partner organizations. The parameters of Perimeter Clouds are described in the following table.

- Name: A user-provided name for the cloud.
- Associate Assets Dynamically: Specifies whether Skybox View attempts to match assets to this cloud when new assets are imported that do not belong to any existing network, and when Model Completion and Validation tasks (see page 160) are run.
- Location Path: (Read only) The hierarchical path of the cloud in the Model tree.
- Do Not Outdate: Specifies whether to exclude the cloud (including its assets and their network interfaces, services, and vulnerability occurrences) from the aging process. The aging process marks entities that were not updated for a user-defined period of time as Down and later removes them from the model.
- Owner: The owner of this cloud.
- Zone Type: The zone type to which this cloud belongs. A zone type is a way of classifying entities into different zones (DMZ, External, Internal, and so on) for use in the Access Policy. Note: This field is displayed only for Skybox Network Assurance.

Network Address
- IP Address: The IP address of the cloud.
- Mask: The network mask of the cloud.
- Discovery Method: Specifies how the cloud was discovered.

Cloud Addresses
- Include: A list of IP address ranges to include in the scope of the cloud. There are three ways to define the IP addresses to include: Automatic (routing based): Skybox View calculates the IP addresses to include based on the addresses behind the network interfaces (see page 333) that are connected to the cloud. These addresses can be recalculated each time a task of type Model Completion and Validation (see page 160) is run. User Defined: Lists the current automatic addresses and enables the user to edit them. These addresses are not recalculated automatically. Any: All IP addresses.
- Exclude: A list of IP address ranges to be excluded from the scope of the cloud. Click Private to exclude IANA reserved addresses: If you are configuring an internet cloud, exclude reserved addresses. If you are configuring a public cloud, exclude public IP addresses that are used by your organization.

Routable from Cloud
- Include: A list of IP address ranges to be used as destination addresses from the cloud. These destination IP address ranges are used for all queries starting at the cloud in attack simulation and the Access Analyzer. There are two ways to define the IP addresses to include: User Defined: Lists the current automatic IP addresses and enables the user to edit them. These addresses are not recalculated automatically. Any: All IP addresses.
- Exclude: A list of IP address ranges to be excluded from the destination address ranges of the cloud. Click Private to exclude IANA reserved addresses: If you are configuring an internet cloud, exclude reserved addresses. If you are configuring a public cloud, exclude public IP addresses that are used by your organization.

- Comments: Any additional information about the cloud.

Connecting Clouds

Connecting Clouds ([icon]) are networks (or groups of networks) that are missing between two entities in the model (that is, not at the edges of your organization's network), such as sensitive areas in your organization that cannot be fully modeled. The parameters of Connecting Clouds are described in the following table.

- Name: A user-provided name for the cloud.
- Associate Assets Dynamically: Specifies whether Skybox View attempts to match assets to this cloud when new assets are imported that do not belong to any existing network, and when Model Completion and Validation tasks (see page 160) are run.
- Location Path: (Read only) The hierarchical path of the cloud in the Model tree.
- Owner: The owner of this cloud.
- Zone Type: The zone type to which this cloud belongs. A zone type is a way of classifying entities into different zones (DMZ, External, Internal, and so on) for use in the Access Policy. Note: This field is displayed only for Skybox Network Assurance.

Connections
- Connection: A connection is an entity to which the cloud is connected. Each connection consists of a network, gateway, and network interface to which the cloud is connected. To add another connection to a cloud, click Add.

Cloud Addresses
- Include: A list of IP address ranges to include in the scope of the cloud. There are three ways to define the IP addresses to include: Automatic (routing based): Skybox View calculates the IP addresses to include based on the addresses behind the network interfaces (see page 333) that are connected to the cloud. These addresses can be recalculated each time a task of type Model Completion and Validation (see page 160) is run. User Defined: Lists the current Automatic (routing based) addresses and enables the user to edit them. These addresses are not recalculated automatically. Any: All IP addresses.
- Exclude: A list of IP address ranges to be excluded from the scope of the cloud. Click Private to exclude IANA reserved addresses: If you are configuring an internet cloud, exclude reserved addresses. If you are configuring a public cloud, exclude public IP addresses used by your organization.

Routable from Cloud
- Include: A list of IP address ranges to be used as destination addresses from the cloud. These destination address ranges are used for all queries starting at the cloud for attack simulation and the Access Analyzer. There are two ways to define the IP addresses to include: User Defined: Lists the current automatic addresses and enables the user to edit them. These addresses are not recalculated automatically. Any: All IP addresses.
- Exclude: A list of IP address ranges to be excluded from the destination address ranges of the cloud. Click Private to exclude IANA reserved addresses: If you are configuring an internet cloud, exclude reserved addresses. If you are configuring a public cloud, exclude public IP addresses used by your organization.

Advanced
- Forwarding: Specifies whether forwarding is enabled (that is, whether the cloud can forward packets from one interface to another).
- ACL Enabled: Specifies whether access rules are enabled on this cloud.
- Firewall Type: (For ACL-enabled clouds only) The type selected sets the access rule order. For Custom types only, you can specify the rule chains and their order; click the Browse button to open the ACL Management dialog box (see page 297).
- Comments: Any additional information about the cloud.

Assets

An asset is a device or system in your corporate network. Skybox View supports the following types of assets:
- [icon] Asset (used for non-network-device assets that do not belong to another category)
- [icon] Server
- [icon] Workstation
- [icon] Printer
- [icon] Router
- [icon] Firewall
- [icon] IPS
- [icon] Load Balancer
- [icon] Proxy
- [icon] Wireless Device
- [icon] Network Device (used for network-device assets that do not belong to another category)
- [icon] Virtualization Host
- [icon] Switch
- [icon] Mobile Device

Note: You can use the Find dialog box to help you to find a specific asset.

The parameters of assets are described in the following table.

Asset
- Name: The name of this asset.
- ACL Enabled: Specifies whether access rules are enabled on this asset. Note: Unknown is equivalent to No. For information about enabling access rules, see Using the Access Control List Editor (on page 294).
- Other Names: (Read only) A name that Skybox View generates internally.
- Forwarding: Specifies whether forwarding is enabled (that is, whether the asset can forward packets from one interface to another). Note: Unknown is equivalent to No. For information about specifying routing rules, see Specifying routing rules (on page 302).
- Network Interfaces: A list of network interfaces associated with this asset. The network interface parameters are described in Network interfaces (on page 331).
- Firewall Type: This field is enabled only if ACL Enabled = Yes. The type selected sets the access rule order. For Custom types only, you can specify the rule chains and their order; click the Browse button to open the ACL Management dialog box (see page 297).
- Proxy ARP: IP address ranges for which this asset is to act as a proxy for ARP requests.
- Type: The type of the asset. The list of asset types precedes this table.
- IPS Enabled: This field is enabled only if ACL Enabled = Yes. Specifies whether the asset is IPS enabled. Note: Unknown is equivalent to No.
- Status: The status of this asset. Up: Only an asset that is Up can be attacked. Down: An asset that is Down cannot be attacked but is visible for analyses. This overrides the interface status (that is, if the status of the asset is Down, interfaces with status Up are considered down). Not Found. Unknown.
- Patches: A list of applicable patches for this asset.
- Owner: The owner of this asset.
- Dynamic Routing: Specifies whether the asset supports dynamic routing (see Specifying routing rules (on page 302)).
- Layer 2: Specifies whether this is an L2 asset.
- Do Not Outdate: Specifies whether to exclude the asset (and its network interfaces, services, and vulnerability occurrences) from the aging process. The aging process marks entities that were not updated for a user-defined period of time as Down and later removes them from the model.
- Virtual Routing Enabled: Specifies whether virtual routing is enabled on this asset.

Operating System
- OS Vendor: The operating system vendor for this asset.
- OS: The operating system used for this asset. The operating systems in the drop-down list depend on the vendor selected.
- OS Version: The version of the operating system. The versions in the drop-down list depend on the operating system selected.

Platform
- Platform Vendor: The platform vendor for this asset.
- Platform: The platform used for this asset. The platforms in the drop-down list depend on the vendor selected.
- Platform Version: The version of the platform. The versions in the drop-down list depend on the platform selected.
- Tag: A unique identifier for the asset (such as a serial number from an inventory management system), which can be used to help to identify assets when adding new assets or updating existing ones.
- User Comments: A statement describing this asset.

Asset groups

An asset group ([icon]) is a logical container that you can use to group and filter assets. The parameters of asset groups are described in the following table.
- Name: The name of this asset group.
- Group Type: The type of the asset group.
- Assets: The assets that belong to this asset group.
- Member Dependency: Default: Security loss of any type (confidentiality, integrity, or availability) on a group member implies the same type of security loss on the asset group; integrity loss on a group member also implies an availability and confidentiality security loss on the asset group. Simple: Security loss of any type (confidentiality, integrity, or availability) on a group member implies the same type of security loss on the asset group. None: Used when the Default and Simple options of describing dependency are not sufficient and you prefer to state explicitly how a security loss on each of the asset group members affects the asset group (see Dependency rules (on page 187); see also Adding dependency rules and Explicit dependency rules, in the Skybox Vulnerability Control User's Guide).
- Owner: The owner of this asset group.
- User Comments: A statement describing this asset group.

Locations

Locations ([icon]) reflect the physical or geographical organization of your network, such as a site, a building, or a lab inside a building. Locations contain other locations and networks. The parameters of locations are described in the following table.

Location
- Name: The name of this location.
- Members: The members of this location (other locations and networks).
- Location Path: (Read only) The hierarchical path of the location in the Model tree.
- Owner: The owner of the location.
- User Comments: A statement describing this location.

For additional information about locations:
- When working with Skybox Vulnerability Control, see Locations, in the Skybox Vulnerability Control User's Guide.
- When working with Skybox Network Assurance, see Locations, in the Skybox Network Assurance User's Guide.

Networks

A network has a specific IP address and a mask. Skybox View supports the following types of networks:
- [icon] Regular
- [icon] Tunnel
- [icon] Link
- [icon] Secure VPN
- [icon] Serial Link

Note: In the Network Map, tunnels and VPN tunnels are represented as colored lines linking their two endpoints.

For information about modeling networks in Skybox View, see Building the network layer, in the Skybox Vulnerability Control User's Guide.

The parameters of networks are described in the following tables. The parameters common to all network types are described in the first table.

General
- Name: A user-provided name for the network.
- Type: The type of this network.
- IP Address: The IP address of this network.
- Mask: The mask of this network.
- Location Path: (Read only) The hierarchical path of the network in the Model tree.
- Owner: The owner of this network.
- Zone Type: The zone type to which this network belongs. A zone type is a way of classifying networks into different zones (DMZ, External, Internal, and so on) for use in the Access Policy. Note: This field is displayed only for Skybox Network Assurance.
- Do Not Outdate: Specifies whether to exclude the network (including its assets and their network interfaces, services, and vulnerability occurrences) from the aging process. The aging process marks entities that were not updated for a user-defined period of time as Down and later removes them from the model.
- Comments: A free-form user comment about this network.
- Description: (Read only) A description of the network.

The additional fields that are displayed in the Tunnel Properties pane for Tunnel, Secure VPN, and Serial Link networks are described in the following table.
- Type: The type of the network. For Tunnel networks, select one of the following: OTHER, GRE. For Secure VPN networks, select one of the following: Tunnel, Transport. This field is disabled for Serial Link networks.
- Endpoint 1: One endpoint of the tunnel network or secure VPN network.
- Endpoint 2: The other endpoint of the tunnel network or secure VPN network.
- Display as Cloud in Network Map: This field is enabled for Secure VPN networks only.
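The Member Dependency options described for Business Asset Groups and for asset groups above, as an added worked example that is not Skybox View code: it expands a Members list (assets and networks, honoring the Exclude network devices setting) and applies the Default, Simple and None rules to constructed member losses. The model data is constructed, and the shape used for the explicit rules under None is an assumption of the example.

```python
"""Added example (not Skybox View code): how the Member Dependency setting of a
Business Asset Group or asset group turns security loss on members into
security loss on the group, following the Default/Simple/None descriptions."""
from enum import Enum


class Loss(Enum):
    C = "confidentiality"
    I = "integrity"
    A = "availability"


# Default: same loss type, and integrity loss on a member also implies
# availability and confidentiality loss on the group.
DEFAULT_RULE = {Loss.C: {Loss.C}, Loss.I: {Loss.I, Loss.A, Loss.C}, Loss.A: {Loss.A}}
# Simple: the same loss type only.
SIMPLE_RULE = {Loss.C: {Loss.C}, Loss.I: {Loss.I}, Loss.A: {Loss.A}}


def resolve_members(members, networks, exclude_network_devices=True):
    """Expand the Members list into concrete assets.

    members: names of assets or networks. networks: {network: [(asset, is_network_device)]},
    a constructed stand-in for the model. A network member contributes its
    non-network-device assets unless "Exclude network devices from selected
    networks" is cleared (exclude_network_devices=False).
    """
    assets = set()
    for member in members:
        if member in networks:
            for asset, is_device in networks[member]:
                if is_device and exclude_network_devices:
                    continue
                assets.add(asset)
        else:
            assets.add(member)
    return assets


def group_loss(dependency, member_losses, explicit_rules=None):
    """Return the set of Loss types implied on the group.

    dependency: "Default", "Simple" or "None".
    member_losses: {asset: set of Loss} observed on members.
    explicit_rules: used for "None": {(asset, Loss): set of Loss}. This shape is
    an assumption of the example; the product's explicit dependency rules are
    described in the Skybox Vulnerability Control User's Guide.
    """
    if dependency == "None":
        table = explicit_rules or {}
        return {g for asset, losses in member_losses.items()
                for loss in losses for g in table.get((asset, loss), set())}
    rule = {"Default": DEFAULT_RULE, "Simple": SIMPLE_RULE}[dependency]
    return {g for losses in member_losses.values() for loss in losses for g in rule[loss]}


# Constructed scenario: the group members are one server and one network; an
# attack simulation found integrity loss on db-1, availability loss on web-1
# and confidentiality loss on the firewall fw-1 that sits in the network.
NETWORKS = {"dmz-net": [("web-1", False), ("fw-1", True)]}
MEMBERS = ["db-1", "dmz-net"]
OBSERVED = {"db-1": {Loss.I}, "web-1": {Loss.A}, "fw-1": {Loss.C}}


def losses_for_group(dependency, exclude_network_devices=True, explicit_rules=None):
    """Only losses on resolved members count towards the group."""
    assets = resolve_members(MEMBERS, NETWORKS, exclude_network_devices)
    relevant = {a: l for a, l in OBSERVED.items() if a in assets}
    return group_loss(dependency, relevant, explicit_rules)


if __name__ == "__main__":
    for mode in ("Default", "Simple", "None"):
        print(mode, sorted(l.name for l in losses_for_group(mode)))
```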

Network groups

A network group is a logical container that you can use to group and filter networks. Network groups are especially useful when working with Skybox Network Assurance. By marking network groups (instead of individual networks) as zones to check for Access Compliance, you can understand the model better and also improve performance.

The parameters of network groups are described in the following table.

Group
Name: The name of this network group.
Members: The networks that belong to the network group.
Owner: The owner of this network group. Note: This field is displayed only for Skybox Network Assurance.
Zone Type: The zone type to which this network group belongs. A zone type is a way of classifying network groups or individual networks into different zones (DMZ, External, Internal, and so on) for use in the Access Policy.
User Comments: A statement describing this network group.

For information about how network groups are used to build the model, see Network groups, in the Skybox Network Assurance User Guide.

Network interfaces

Network interfaces enable an asset to communicate with other assets and networks. To view the network interfaces of an asset, select the asset and then select the Network Interfaces tab in the Details pane.

Note: If necessary, click to view the Network Interfaces tab.

The parameters of network interfaces are described in the following table.

General
Name: The name of this network interface.
Type: The type of this network interface.
Proxy ARP Behavior: Defines the behavior of this network interface with regard to ARP requests:
- Static: The interface acts as a proxy for ARP requests for IP address ranges, as described in Asset (on page 326).
- Any Address: This option is not used in the current version.
- Disabled: Proxy ARP is disabled on this interface.
- Unknown: The ARP state of this interface is unknown. In Skybox View, proxy ARP is not simulated on this interface.
IP Address: The IP address of this network interface.
Subnet Mask: The subnet mask of this network interface.
MAC Address: The MAC address of this network interface. (For networks of type Ethernet only.)
Status: The status of this network interface.
Network: The network or cloud to which this network interface is attached. Note: In some cases, the automatic attachment does not work correctly, and the network interface is not attached to the correct network. This might occur, for example, if there is an error in the mask of the network interface in the configuration file. If necessary, you can select a different network in this field, and then click the Lock icon to lock the interface to the network. Additional offline file imports or online collections of firewall data do not change the association.
Primary IP Address: Specifies whether the value in the IP Address field is the primary IP address for the network interface.
Layer 2: Specifies whether this is an L2 network interface.
Default Gateway: Specifies whether this network interface is the default gateway for its asset.
Addresses Behind Interface: Each network interface on a gateway device is used to communicate with a specific set of networks. The IP addresses of these networks are the interface's ABI (addresses behind interface). Note: By default, the fields related to ABI are updated every time that Skybox View imports the device's routing table. If you have changed the value of the ABI fields manually for a specific network interface, these fields are locked and their values are not updated by the import. For information about ABIs, see Addresses behind network interfaces (on page 333).
Default Gateway/Unknown Addresses: Specifies whether this network interface is the default interface or the interface leading to the internet and does not have specific IP addresses. Data that is not routed through any other network interface on the asset is routed through this network interface automatically.
Specific Addresses: The IP addresses behind this interface (that is, the ABI for this interface). These are the IP addresses of the networks with which this network interface communicates.
- Addresses: IP address ranges considered to be behind this network interface
- Exclude: IP addresses to be excluded from the address ranges in the Addresses field

Zone (Skybox Firewall Assurance and Skybox Network Assurance only)
Information about the zone to which this network interface is attached. (Zones are used with the Access Policy.)
Zone Type: The type of zone to which this network interface is attached.
Zone Name: The name of the zone to which this network interface is attached.
Comments: A free-form user comment about this network interface.
Description: (Read only) A description of the network interface. This field is filled for network interfaces found during collection of the asset configuration. Typically, this field contains the interface comment or description that appeared in the original asset configuration.
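The Specific Addresses fields of a network interface (Addresses minus Exclude) define the interface's ABI, and the Addresses behind network interfaces section of this chapter states how cloud address ranges are derived from ABIs: a Perimeter Cloud takes the ABI of the interface that connects it to the model, and a Connecting Cloud takes the intersection of the ABIs of every attached interface minus the addresses of the networks the cloud is connected to. The Python example below is added here to show that arithmetic with the standard ipaddress module; it is not Skybox code, and the device names, interface names and address ranges in it are constructed. It also includes a check for the stated assumption that ABIs are distinct across the interfaces of one firewall, which is a useful validation to run over imported routing data.

```python
"""Added example (not Skybox code): ABI arithmetic for Perimeter and Connecting Clouds.

Device names, interface names and address ranges below are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, collapse_addresses, ip_address, ip_network
from itertools import combinations
from typing import List, Tuple

NetList = List[IPv4Network]


def _subtract(ranges: NetList, excludes: NetList) -> NetList:
    """Remove every block in `excludes` from `ranges`.
    Two CIDR blocks either nest or are disjoint, so an overlap means one contains the other."""
    result = list(ranges)
    for ex in excludes:
        kept: NetList = []
        for r in result:
            if not r.overlaps(ex):
                kept.append(r)
            elif ex.subnet_of(r):
                kept.extend(r.address_exclude(ex))  # punch the excluded block out of r
            # otherwise r lies entirely inside ex and is dropped
        result = kept
    return list(collapse_addresses(result))


def _intersect(a: NetList, b: NetList) -> NetList:
    """Intersection of two CIDR lists: of two overlapping blocks, the narrower one is the overlap."""
    return list(collapse_addresses(
        x if x.prefixlen >= y.prefixlen else y
        for x in a for y in b if x.overlaps(y)))


@dataclass
class Interface:
    """A gateway interface with the Specific Addresses fields from the reference table."""
    device: str
    name: str
    addresses: List[str]                               # "Addresses" field (CIDR strings)
    exclude: List[str] = field(default_factory=list)   # "Exclude" field (CIDR strings)

    def __post_init__(self) -> None:
        self.addresses = [ip_network(str(a)) for a in self.addresses]
        self.exclude = [ip_network(str(e)) for e in self.exclude]

    def abi(self) -> NetList:
        """Effective addresses behind this interface: Addresses minus Exclude."""
        return _subtract(self.addresses, self.exclude)


def perimeter_cloud_addresses(iface: Interface) -> NetList:
    """A Perimeter Cloud takes the ABI of the single interface connecting it to the model."""
    return iface.abi()


def connecting_cloud_addresses(ifaces: List[Interface], attached: NetList) -> NetList:
    """A Connecting Cloud: intersection of the ABIs of all connected interfaces,
    minus the addresses of every network the cloud is connected to."""
    common = ifaces[0].abi()
    for other in ifaces[1:]:
        common = _intersect(common, other.abi())
    return _subtract(common, attached)


def find_abi_overlaps(ifaces: List[Interface]) -> List[Tuple[str, str, IPv4Network]]:
    """Validation for the 'distinct per interface' assumption: report every address block
    that is behind two different interfaces of the same device."""
    hits = []
    for a, b in combinations(ifaces, 2):
        if a.device != b.device:
            continue
        for blk in _intersect(a.abi(), b.abi()):
            hits.append((a.name, b.name, blk))
    return hits


def covers(ranges: NetList, addr: str) -> bool:
    """True if `addr` falls inside any block of `ranges`."""
    ip = ip_address(addr)
    return any(ip in n for n in ranges)


# Constructed sample data (hypothetical firewalls fw1 and fw2).
FW1_DMZ = Interface("fw1", "eth1", ["10.1.0.0/16"], exclude=["10.1.255.0/24"])
FW1_INSIDE = Interface("fw1", "eth2", ["10.2.0.0/16", "10.3.0.0/16"])
FW2_OUTSIDE = Interface("fw2", "eth0", ["10.2.0.0/16", "10.3.0.0/17"])
TRANSIT = [ip_network("10.2.0.0/24")]  # the network attached to the cloud between fw1 and fw2

if __name__ == "__main__":
    print("Perimeter Cloud at fw1/eth1:", perimeter_cloud_addresses(FW1_DMZ))
    print("Connecting Cloud fw1/eth2 <-> fw2/eth0:",
          connecting_cloud_addresses([FW1_INSIDE, FW2_OUTSIDE], TRANSIT))
    print("ABI overlaps on fw1:", find_abi_overlaps([FW1_DMZ, FW1_INSIDE]))
```

Because the two inside ranges of fw1/eth2 are adjacent and aligned, collapse_addresses merges them into 10.2.0.0/15 before the intersection, and the transit network is then removed from the result; an address in the transit network is therefore not part of the Connecting Cloud even though it is behind both interfaces.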

Addresses behind network interfaces

Each network interface on a gateway device is used to communicate with a specific set of networks. The IP addresses of these networks are the interface's ABI (addresses behind interface). These IP addresses are assumed to be distinct on each interface: an IP address that is behind one network interface of a firewall is not also behind another network interface on the same firewall.

When firewalls are imported into the model, Skybox View ascertains the ABI for each network interface in the firewall based on the routing table and other information received as part of the firewall import.

ABIs are used for:
- Skybox Firewall Assurance: Analyzing access between network interfaces of the firewall
- Skybox Network Assurance and Skybox Vulnerability Control: Calculating automatic (routing based) IP address ranges for clouds
  - For Perimeter Clouds, the cloud IP addresses are based on the ABI of the network interface that connects the cloud to the model.
  - For Connecting Clouds, the cloud IP addresses are calculated by taking the intersection of the ABIs for all the network interfaces connected to the cloud minus all the addresses of all networks to which the cloud is connected.

For information about using ABIs in Skybox Firewall Assurance, see Addresses behind network interfaces, in the Skybox Firewall Assurance User's Guide.

Services

Services on assets are found by vulnerability scanners (such as Qualys) or by network scans (such as NMAP), or are added from an ixml file built from an asset repository.

The parameters of services are described in the following table.

Vendor: The vendor for this service.
Service Type: (Read only) The service type of this service, as supplied by the Skybox View database.
Product: The product used for this service. The products listed in the drop-down list are in accordance with the vendor selected.
Protocol: The protocol used by this service.
Version: The version of the product. The versions listed in the drop-down list are in accordance with the product selected.
Port #: The port number of this service. This field is displayed only if Protocol = TCP or UDP.
Protocol #: This field is displayed only if Protocol = IP.
Program #: This field is displayed only if Protocol = RPC.
CPE
Status: The status of this service.
Network Interfaces: The network interfaces for this service.
Description: (Read only) A description of this service, as supplied by the Skybox View database.

Banner: A free text field containing data that helps Skybox View to identify details of the product running the service. This text is typically the initial service output that is displayed upon connecting to the service, like telnet or FTP.
User Comments: A statement describing this service.

Threat Origins

Threat Origins are used only when working with Skybox Vulnerability Control.

A Threat Origin is a location inside or outside your network that constitutes a threat (that is, a location where an attacker might be found). There are two basic types of Threat Origins: Human and Worm. All Threat Origins are user-defined.

Note: To use Worm Threat Origins you need a Skybox View Worm Support license.

You can view and create Threat Origins in the Model workspace, using the Threat Origin Categories > All Threat Origins node; see Adding Threat Origins, in the Skybox Vulnerability Control User's Guide.

Human Threat Origins

The parameters of human Threat Origins are described in the following table.

General tab
Name: A name for the Threat Origin.
Threat Location: The locations from which this Threat Origin can attack the network.
Categories: Categories of the Threat Origin for grouping purposes, such as external, internal, or worm. Note: Although assigning categories is not required, it is recommended that you assign at least one category to each Threat Origin. This enables presentation of a more complete picture when viewing risk analyses and reports. In particular, it enables viewing the risk and exposure of vulnerability occurrences according to each of the specified categories.
Attacker Skill: The presumed skill level of the attacker launching the attack. The skill level is used as a factor when analyzing risk from this Threat Origin.
Likelihood to Attack: The presumed likelihood that this Threat Origin will launch an attack on the network.

Advanced tab
Attacker Privilege: The presumed privilege of the attacker on the device from which the attack is initiated. Many vulnerability occurrences cannot be exploited without a specific privilege level (such as Root).
Cloud Source Addresses: The range of source IP addresses to use in cloud attacks:
- All: Use all cloud addresses as sources for attacks.
- Wide source addresses: Consider for this Threat Origin only attacks that are possible from wide address ranges of the cloud.

- Specific addresses: Consider for this Threat Origin only attacks that are possible from specific addresses of the cloud.
For additional information, see the Using clouds as Threat Origins topic in the Skybox Vulnerability Control User's Guide.
Lower Likelihood for Attacks from Specific Addresses: Specifies whether to assign a lower risk value to attacks that originate from specific IP addresses inside clouds.

Business Asset Groups
Ignore: Business Asset Groups for which you are not interested in the effects of attacks from this Threat Origin.
Analyze for Risk: Business Asset Groups for which you want to view the effect of attacks from this Threat Origin.

For additional information about human Threat Origins, see the Defining human Threat Origins topic in the Skybox Vulnerability Control User's Guide.

Worm Threat Origins

The parameters of worm Threat Origins are described in the following table.

General tab
Name: A name for the Threat Origin.
Threat Location: The locations from which this Threat Origin can attack the network.
Categories: Categories of the Threat Origin for grouping purposes, such as external or internal. Note: Although assigning categories is not required, it is recommended that you assign at least one category to each Threat Origin. This enables presentation of a more complete picture when viewing risk analyses and reports. In particular, it enables viewing the risk and exposure of vulnerability occurrences according to each of the specified categories.
Likelihood to Attack: The presumed likelihood that this Threat Origin will launch an attack on the network.

Worm Selection
Type: Worm type of this Threat Origin: , Network, Messenger/Chat, Zero-day
Automatic Worm Selection: Skybox View uses all available worms of the selected Type in this Threat Origin.
Manual Worm Selection: Skybox View uses only selected worms of the selected Type in this Threat Origin.
Available / Selected: This control is enabled only if Manual Worm Selection is selected. Used to specify which worms are used to attack as part of this Threat Origin.
Worm Settings: Opens the Worm Settings options page. (See the Worm Settings topic in the Skybox View Installation and Administration Guide.)

Advanced tab
Cloud Source Addresses: The range of source IP addresses to use in cloud attacks:
- All addresses: Use all cloud IP addresses as possible sources for attacks.
- Wide source addresses: Consider for this Threat Origin only attacks that are possible from wide address ranges of the cloud.
- Specific addresses: Consider for this Threat Origin only attacks that are possible from specific addresses of the cloud.
For additional information, see the Using clouds as Threat Origins topic in the Skybox Vulnerability Control User's Guide.
Lower Likelihood for Attacks from Specific Addresses: Specifies whether to assign a lower risk value to attacks that originate from specific IP addresses inside clouds.

For additional information about worm Threat Origins, see the Defining worm Threat Origins topic in the Skybox Vulnerability Control User's Guide.

Vulnerability occurrences

Vulnerability occurrences are used only when working with Skybox Vulnerability Control.

Vulnerability occurrences on assets are found by vulnerability scanners (such as Nessus or IBM Internet Scanner).

The parameters of vulnerability occurrences are described in the following table.

ID / Title: The vulnerability definition of this vulnerability occurrence.
Service: (Read only) The service that this vulnerability occurrence affects.
Commonality: (Read only) States how frequently attackers exploit the vulnerability definition of this vulnerability occurrence.
CVE: (Read only) Identity of the vulnerability definition of this vulnerability occurrence in the CVE dictionary.
Severity: The severity of the vulnerability definition of this vulnerability occurrence.
Detection Reliability: The level of detection reliability of this vulnerability occurrence. The detection reliability value is imported from the scanner that reported the vulnerability occurrence and indicates the certainty with which the scanner determines that the vulnerability occurrence exists.
- Low: The scanner is not sure whether the vulnerability occurrence exists
- Medium: The scanner is fairly certain that the vulnerability occurrence exists
Status: The status of this vulnerability occurrence (Found, Ignored, or Fixed).
Exposure: (Read only) States how exposed this vulnerability occurrence is to attacks from the Threat Origins. For example, a directly exposed vulnerability occurrence can be reached in one step from the attacking Threat Origin.
Status Explanation: (Read only) The cause of the Status.
Description: (Read only) A description of this vulnerability occurrence, supplied by the Skybox View database.
User Comments: A statement describing this vulnerability occurrence.

The types of additional parameters of vulnerability occurrences that are accessible from the Details pane are listed in the following table. Many of the parameters are taken from the vulnerability definition.

Tab
General: General information about the vulnerability occurrence.
CVSS: CVSS base score and temporal score of the vulnerability definition, including metrics on which the scores are based.
Asset: Information about the asset on which this vulnerability occurrence is located.
Service: Information about the service on which this vulnerability occurrence is found.
Risk Profile: Information about the risk of this vulnerability occurrence.
External Catalogs: A list of the catalog names and IDs of the vulnerability definition as it appears in the external catalogs that are supported by Skybox View. Note: Not every vulnerability definition in the Skybox View Vulnerability Dictionary is listed in all external catalogs supported by Skybox View.
External URLs: A list of links to URLs containing information about the vulnerability definition.
Affected Platforms: The platforms affected by this vulnerability occurrence.
Tickets: A list of Skybox View tickets opened on this vulnerability occurrence.
Solutions: A list of known solutions that close this vulnerability occurrence.
Scanner Info: If the vulnerability occurrence was imported by a scanner, this tab contains additional information from the scanner.
Comments: User comments about this vulnerability occurrence.
History: History of this vulnerability occurrence, including creation time and last modification time.

Index

A
A10 Networks collection tasks 105
A10 Networks load balancer 104
Access Analyzer 306
Access Analyzer query fields for Firewall Assurance and Network Assurance 308
Access Analyzer query fields for Vulnerability Control 306
Access Change ticket parameters 222
Access Change ticket rules 231
Access Checks reports 259
Access Compliance reports 260
Access Control List Editor 294
Access Policy Based Routing Rule Properties dialog box 304
Access Policy violation ticket parameters 224
Access Policy violations ticket rules 232
Access requests tasks 152
Access Rule Properties dialog box 294
Access Rule Properties dialog box (extended) 299
Access Rule Properties with Rule Review section 299
Accessing copies of a generated report 242
ACL Management dialog box 297
  Custom firewall 297
Additional setup to work with older versions of Palo Alto Networks firewalls 98
Addresses behind network interfaces 333
Advanced collector file import tasks 39
Advanced file import tasks 36
Alerts and vulnerability definition feed tasks 147
Alerts tab 13
Analysis Properties dialog box 181
Analysis tasks 152
Asset groups 328
Assets 326
Assets analyses 183
Assets validation analyses 204
Attacks analyses 185
Automating reports 240

B
Back up model and settings tasks 165
Basic file import tasks 35
Blacklists 136
Blue Coat collection tasks 44
Blue Coat proxy 43
Business Asset Group ticket parameters 220
Business Asset Groups 320
  Business Impacts tab 322
  Properties tab 321
  Regulations tab 322
Business Asset Groups analyses 186
Business Asset Groups ticket rules 229
Business Units 322
Business Units analyses 187

C
Change tracking notification parameters 274
Change Tracking reports 262
Change tracking tasks 152
Changing the content of ticket rule alerts 232
Changing the default report generation method 240
Check Point FireWall-1 activity log data (LEA collection) 83
Check Point FireWall-1 change events (audit log data) 90
Check Point FireWall-1 change events collection tasks 90
Check Point FireWall-1 CPMI collection tasks (FireWall-1) 50
Check Point FireWall-1 CPMI collection tasks (Provider-1) 56
Check Point FireWall-1 firewall 45
Check Point FireWall-1 LEA collection tasks 87
Check Point Provider-1 CMA 53
Cisco CSS load balancer 106
Cisco IOS collection tasks 116
Cisco IOS router 114
Cisco Nexus collection tasks 120
Cisco Nexus router 118
Cisco PIX/ASA/FWSM collection tasks 59
Cisco PIX/ASA/FWSM firewall 58
Cisco Security Manager 61
Cisco Security Manager collection tasks 62
CiscoWorks 145
Citrix NetScaler collection tasks 107
Citrix NetScaler load balancer 107
Clouds 323
Collector file import tasks 39
Collector software update tasks 166
Configuring A10 Networks load balancers for data collection 104
Configuring AppDirector load balancers for data collection 110
Configuring BIG-IP load balancers for data collection 108
Configuring Blue Coat proxies for data collection 43
Configuring Check Point firewalls to send activity logs to a syslog server 96
Configuring Cisco IOS routers for data collection 115
Configuring Cisco Nexus routers for data collection 119
Configuring Cisco PIX/ASA/FWSM firewalls for data collection 58
Configuring Cisco Security Manager for data collection 62
Configuring Cyber-Ark for device credentials retrieval 16
Configuring devices for FireWall-1 log collection 83
Configuring eEye Retina scanners for data collection 125
Configuring FireWall-1 management systems for data collection 45
Configuring FortiGate firewalls for data collection 65
Configuring FortiManager Security Management appliance for data collection 66
Configuring HP ProCurve routers for data collection 121
Configuring HP TippingPoint IPS devices for data collection 101
Configuring Junos firewalls for data collection 68
Configuring McAfee ePolicy Orchestrator for data collection 139
Configuring McAfee Firewall Enterprise firewalls for data collection 74
Configuring Microsoft SCCM for data collection 140
Configuring Microsoft WSUS for data collection 144
Configuring Nessus scanners for data collection 135
Configuring NetScaler load balancers for data collection 107
Configuring NetScreen firewalls for data collection 70
Configuring Network and Security Manager for data collection 72
Configuring Nortel Passport 8600 routers for data collection 123
Configuring Palo Alto firewalls for data collection 75
Configuring Panorama for data collection 77
Configuring Provider-1 for firewall data collection 54
Configuring Qualys QualysGuard scanners for data collection 129
Configuring Radware WSD load balancers for data collection 111
Configuring Shavlik NetChk Protect patch management tools for data collection 134
Configuring software firewalls for data collection 82
Configuring SolarWinds NCM for data collection 142
Configuring SonicWALL firewalls for data collection 63
Configuring VMware vShield Edge firewalls for data collection 80
Connecting Clouds 325
Copy model tasks 163
Creating access tokens 14
Creating and editing report definitions 240
Creating Sidewinder G2 configuration files 79
CSV access rule review export tasks 168
CSV analysis export tasks 169
CSV change tracking export tasks 170
CSV compliance results export tasks 171
CSV Configuration Compliance export tasks 172
CSV export tasks 291
CSV firewall assurance export tasks 173
CSV optimization and cleanup export tasks 174
CSV security metrics export tasks 175
CSV-exportable data 290
Customizing notification templates 279
Customizing Skybox View reports 241
Customizing the display of an analysis 181
Customizing ticket notifications 277

D
Data formats for file import tasks 31
Defining alerts 229
Defining ticket phases 225
Definition file for advanced file import tasks 37
Dell SonicWALL collection tasks 63
Dell SonicWALL firewall 63
Dependency rules 187
Device access management 14
Dictionary update tasks 166
Distributing reports 240

E
Editing templates 234, 283
eEye Retina collection tasks 126
eEye Retina scanner 125
Enabling Rule GUID 87
Entity relationships 320
Exportable data 290
Exposure tasks 153

F
F5 BIG-IP collection tasks 108
F5 BIG-IP load balancer 108
False positive reduction tasks 154
File import tasks 29
Files for change tracking notifications 281
Files for firewall compliance violation notifications 281
Files for security metrics notifications 281
Files for ticket notifications 281
Files for vulnerability definition notifications 283
Find in Table (Routing Rules) dialog box 303
Firewall Assurance reports 263
Firewall Changes reports 266
Firewall compliance violation notification parameters 274
Firewall configuration tasks 43
Firewall log data tasks 83
Firewall Map 317
Firewall Map filter pane 317
Firewalls implemented in software 81
FISMA/NIST reports 245
Fortinet FortiGate collection tasks 65
Fortinet FortiGate firewall 64
Fortinet FortiManager Security Management appliance 66
Fortinet FortiManager Security Management appliance collection tasks 66
Forwarding syslog messages to the Appliance or Collector machine 92

G
General tab 12
Generating reports manually 239

H
History tab 229
How access tokens are used 15
How syslog change events are parsed 93
How this manual is organized 8
HP ProCurve collection tasks 121
HP ProCurve router 121
HP Software & Solutions (OpenView) 145
HP TippingPoint collection tasks 101
HP TippingPoint IPS devices 101
Human Threat Origins 334

I
IBM Proventia G appliances 102
IBM SiteProtector 128
IBM SiteProtector IPS collection tasks 102
IBM SiteProtector Vulnerabilities Scanner collection tasks 128
Ignore List file 114
Import Data dialog box 36
Import directory tasks 29
Importing A10 Networks configuration data 105
Importing Blue Coat configuration data 44
Importing Check Point FireWall-1 configuration data 53
Importing Check Point Provider-1 CMA configuration data 57
Importing Cisco CSS configuration data 106
Importing Cisco IOS configuration data 118
Importing Cisco Nexus configuration data 120
Importing Cisco PIX/ASA/FWSM configuration data 61
Importing CSM-managed Cisco firewalls configuration data 63
Importing F5 BIG-IP configuration data 109
Importing FortiGate configuration data 66
Importing HP ProCurve configuration data 122
Importing interface and routing configuration 41
Importing Junos configuration data 69
Importing Linux iptables configuration data 73
Importing McAfee ePolicy Orchestrator data 140
Importing Microsoft Active Directory data 143
Importing Microsoft WSUS data 145
Importing NetScreen configuration data 71
Importing Nortel Passport 8600 configuration data 123
Importing Palo Alto configuration data 76
Importing Qualys QualysGuard scanner data 132
Importing Radware AppDirector configuration data 111
Importing Radware WSD configuration data 112
Importing Rapid7 Nexpose audit reports 133
Importing Shavlik NetChk Protect patch management tool data 134
Importing Sidewinder G2 configuration data 79
Importing syslog change tracking events 91
Importing Tenable Network Security Nessus scanner data 136
Importing Tripwire nCircle scanner data 136
Importing VMware vShield Edge configuration data 81
Imposed Risk Threshold dialog box 197
Initialize Certificate dialog box 52
Installing ODBC support for Skybox Appliances 140
Installing ODBC support on Linux devices 141
Intended Audience 8
IPS tasks 101

J
Juniper NetScreen collection tasks 70
Juniper Networks Junos collection tasks 68
Juniper Networks Junos firewall 68
Juniper Networks NetScreen firewall 69
Juniper Networks Network and Security Manager 71
Juniper Networks NSM collection tasks 72

K
Keywords for change tracking notifications 284
Keywords for firewall compliance violation notifications 284
Keywords for security metrics notifications 285
Keywords for ticket notifications 286
Keywords for ticket rule alerts 235
Keywords for vulnerability definition notifications 288

L
Layout parameters 315
Linux iptables firewall 73
Load balancer tasks 104
Locations 329
Locations analyses 188
Locking entity parameters 320

M
Management systems tasks 139
Managing analyses 179
Managing routing rules 302
Managing tasks 11
McAfee ePolicy Orchestrator 139
McAfee ePolicy Orchestrator collection tasks 139
McAfee Firewall Enterprise (Sidewinder) firewall 73
McAfee Firewall Enterprise collection tasks 74
McAfee Foundstone FoundScan collection tasks 127
McAfee Foundstone FoundScan Enterprise scanner 126
Microsoft Active Directory 143
Microsoft SCCM 140
Microsoft SCCM collection tasks 141
Microsoft WSUS 144
Model completion and validation tasks 160
Model entities 319
Model integrity tasks 163
Model maintenance tasks 160
Model validation analyses 204
Modifying the policy_syslog.txt file 94

N
NERC reports 267
Network Compliance reports 270
Network discovery process 150
Network groups 331
Network interfaces 331
Network interfaces validation analyses 206
Network Map 311
Network Map control panel 311
Network Map filter toolbar 314
Network scan tasks 149
Network state collection tasks 82
Network tasks 149
Networks 329
Networks analyses 189
Networks validation analyses 209
Nortel Passport 8600 router 122
Nortel Passport collection tasks 123
Notifications 273
Notifications reference 273

O
Other exports 292
Outdated entities removal tasks 164

P
Palo Alto Networks collection tasks 75
Palo Alto Networks firewall 75
Palo Alto Networks Panorama 77
Palo Alto Networks Panorama collection tasks 77
s of individual maps 314
Parsing Cisco CSS load balancer configuration files 106
Parsing Sidewinder G2 configuration files 79
Part I Tasks 10
Part II Analyses 178
Part III Tickets, reports, and notifications 217
Part IV Tools 293
Part V Entities 318
PCI DSS reports 247
PCI Firewall Compliance reports 268
Perimeter Clouds 323
Policy compliance tasks 154
policy_syslog.txt 93
Preface 8

Q
Qualys format XML vulnerability occurrences export tasks 176
Qualys QualysGuard collection tasks 130
Qualys QualysGuard scanner 129
Quick reference
  alert services 28
  firewall configuration collection 17
  firewall traffic log and audit log collection 21
  load balancers 23
  proxies, VPN devices, and IPS devices 22
  routers and LAN controllers 24
  scanners 26
Quick reference for data collection 17

R
Radware AppDirector collection tasks 110
Radware AppDirector load balancer 109
Radware WSD collection tasks 111
Radware WSD load balancer 111
Rapid7 Nexpose collection tasks 132
Rapid7 Nexpose scanner 132
Regulation Compliance analyses 191
Related documentation 8
Replicating routing rules 305
Report and ticket tasks 168
Report formats 241
Report generation tasks 168
Report Properties dialog box 242
Reports reference 237
Risk analyses 183
Risk Assessment reports 249
Risks reports 250
Router tasks 114
Routing Rule Properties dialog box 303
Rule Usage Analysis reports 270

S
Scanner tasks 125
Schedule tab 13
Script invocation tasks 40
Security metric notification parameters 275
Security Metrics calculation tasks 155
Security Metrics reports 252
Selected issues 208
Selecting the correct template 233, 281
Server software update tasks 166
Services 333
Services validation analyses 211
Setting analysis parameters 181
Setting task parameters 11
Setting ticket rule parameters 227
Shadowed rules tasks 156
Shavlik NetChk Protect collection tasks 134
Shavlik NetChk Protect patch management tool 133
Sidewinder G2 (McAfee Firewall Enterprise) firewall 78
Skybox Firewall Assurance and Skybox Network Assurance tickets 222
Skybox Firewall Assurance reports 259
Skybox Network Assurance reports 270
Skybox View Active Directory collection utility 144
Skybox View reports 239
Skybox View WSUS collection utility 145
Skybox Vulnerability Control and Skybox Threat Manager reports 245
Skybox Vulnerability Control and Skybox Threat Manager tickets 219
SolarWinds NCM 142
SolarWinds NCM collection tasks 142
Specifying routing rules 302
Supported devices and files for import directory tasks 30
Symantec DeepSight alert services 147
Symantec DeepSight collection tasks 147
Symantec Management Suite 146
Syslog change events collection tasks 92
Syslog traffic events 95
Syslog traffic events collection tasks 98

T
Task Properties dialog box 12
Technical support 8
Tenable Network Security Nessus collection tasks 135
Tenable Network Security Nessus scanner 134
Threat Alert Management reports 253
Threat management analyses 202
Threat Origins 334
Threat Origins analyses 192
Ticket analyses 214
Ticket generation tasks 168
Ticket notification parameters 276
Ticket Properties dialog box 218
Ticket Rule Properties dialog box 227
Ticket rules 226
Tickets 218
Tickets analyses 214
Tickets reference 218
Tickets reports 243
Topology discovery tasks 151
Tripwire nCircle scanner 136
Types of analyses 179

U
User roles and tasks 11
Using CEF syslog with Palo Alto Networks firewalls 97
Using Cyber-Ark for device password management 15
Using the Access Control List Editor 294

V
Validation rules 162
VeriSign iDefense alert services 148
VeriSign iDefense collection tasks 148
VMware vShield Edge collection tasks 80
VMware vShield Edge firewall 80
Vulnerabilities reports 255
Vulnerability Definition Finder dialog box 198
Vulnerability definition notification parameters 278
Vulnerability definition ticket parameters 221
Vulnerability definitions risk analyses 192
Vulnerability definitions threat management analyses 202
Vulnerability definitions ticket rules 230
Vulnerability detection tasks 156
  device configuration 157
  patch data 156
  scan data 158
Vulnerability Management reports 258
Vulnerability Occurrence Status dialog box 195
Vulnerability occurrence ticket parameters 220
Vulnerability occurrences 336
Vulnerability occurrences analyses 193
Vulnerability occurrences ticket rules 231

W
Working with reports 237
Worm Threat Origins 335
Worms analyses 200
