8/3/2019 Swat User Guide 4.1.0
1/148
SWAT User Guide
Software Version 4.1.0
Wise-Mon Ltd., January 2011
Table of Contents
Chapter 1: Introduction
Overview 1
Existing Detection Tools 1
Key Features 3
Intruders & Malicious Stations 3
802.1x & NAC 4
Overview of 802.1x and NAC 4
Online Network Discovery Tools 6
Additional Benefits 7
Organizational Tree Support 7
ESM Integration 8
Flexible MAC Address Permissions 8
Enhanced Reports and Query Capabilities 8
Easy Installation 8
Scalable Installation 8
Chapter 2: Operational Concepts
Basic Mechanism 10
Run Modes 10
Advanced Run Modes 11
Scaleable Solution 12
Faster Network Discovery Cycle 12
Reduced Bandwidth Utilization 13
Flexible Solution Supporting New Device Types 13
Chapter 3: Pre-Installation
System Requirements 14
Obtaining the Software 15
Database Configuration 15
Switch/Router Information & Configuration 17
Chapter 4: Installation
Installing SWAT 18
SWAT Directories 21
Reinstalling SWAT 22
Configuration 23
General - Verbose Logging 24
Interface 24
Discovery Agents & Managers 24
Default Installation 25
Creating a New Agent 25
Creating a New Manager 27
Installing the Manager 28
Key File Creation 29
Generating a Key File 30
Uninstalling SWAT 30
Chapter 5: Administration
Administration Menu 31
General Administration Form 32
Run Modes 36
SWAT Users 38
Alert Types 40
Alert Type List 41
Chapter 6: Network Configuration
Network Configuration Menu 42
Switch Groups 43
Switch Group List 46
Switch Group Form 46
Switches 49
Switch Filtered Results 51
Switch Forms 53
Switch Ports 58
States 59
Switch Port Filtered Results 60
Switch Port Forms 61
Routers 66
Router Filtered Results 67
Router Form 68
Site Configuration 71
Site Configuration Add Dialog Boxes 73
Site Configuration Filtered Results 75
Chapter 7: Reports
Reports Menu 76
Station Reports 77
Inactive Stations Report 77
New Stations Report 80
Station History Report 82
Network Reports 83
Inactive Ports 84
Active Multi MAC Ports 86
Multi MAC Ports 88
Statistics Reports 89
New Station Statistics 90
Moving Station Statistics 91
Station Alert Statistics 92
Port Statistics 92
Alert Console 93
Alert Console Filtering Pane 94
Alert Console Filtered Results 95
Scheduled Tasks 96
Scheduled Tasks Filtered Results 96
Chapter 8: Operations
Operations Menu 98
Station Permissions 99
MAC Address Filtering Pane 99
Add New MAC Address Pane 100
MAC Addresses Filtered Results 101
Changing Permissions 102
MAC Address Details 104
Site Permissions 105
Site Permission Parameters 106
MAC Address Permission Filtering 107
MAC Address Permission Parameters 109
Advanced Station Addition 110
Site Filtered Parameters 112
Chapter 9: Antivirus Support
SWAT's Added Value 113
Supporting External Antivirus Systems 114
Chapter 10: Advanced Settings
Switch List File 117
Router List File 117
Defining New Device Types 118
EquipmentTypeEntry Tags 119
Loading the XML File 121
Watchdog Service 122
Chapter 11: Background Processes
Job List 127
Chapter 12: Compliance
General 127
Compliance Menu 127
Policies Management 127
Conditions Management 127
Compliance Status 127
Compliance Statistics 127
Analyze Device 127
Types Management 127
Appendix A: Antivirus Integration
Symantec Configuration 129
Appendix B: Advanced Configuration
Database Configuration 135
Connection String 135
User Name and Password 136
Windows Server 2008 Configuration 136
Preface
Welcome to SWAT (Switch Access Control), the ideal NAC for protecting
your network from unauthorized endpoint devices.
The purpose of this guide:
This guide contains information for using SWAT efficiently and correctly.
Who should use this guide?
This guide is intended for network and security managers.
Conventions:
The manual uses the following conventions:
Actions you need to perform are displayed in bold. For example, click OK or
enter the IP address.
This font is used for hyperlinks.
This font is used for code and system activity.
UPPERCASE is used for keys and acronyms.
Cross-references are underlined. For example, see Conventions:.
The Italic font is used to emphasize words and phrases in certain cases.
NOTE
Notes are used to call your attention to important and special information.
TIP
Tips are used to provide additional and beneficial information.
CAUTION
Caution implies essential information that should be taken with extra care.
Chapter 1: Introduction
IN THIS CHAPTER:
Overview
Key Features
Intruders & Malicious Stations
802.1x & NAC
Additional Benefits
1.1 Overview
SWAT (SWitch Access conTrol), a Wise-Mon NAC product, enables online
mapping of IP addresses to their exact physical entry point and geographical
location. Providing a critical feature for IDS/IPS, antivirus and risk
management solutions, SWAT complements existing security tools by
automatically or manually blocking the actual port of an intruder, instantly
preventing unauthorized stations from connecting to the organization's LAN.
SWAT also enables quick and simple migration to 802.1x, providing simple,
non-intrusive network access control for switches and end stations that do
not support 802.1x. The product supplies a MAC address security permission
system, restricting access to an organization's internal network and creating
a repository of all network nodes.
1.1.1 Existing Detection Tools
Various tools exist for identifying malicious stations within the enterprise
network; however, each tool lacks a certain important feature, which
jeopardizes the network's security. SWAT complements these tools, ensuring
full security and effectiveness.
Intrusion Detection Systems
IDS (Intrusion Detection Systems) scan the data passing through them on the
way to the server farm or important parts of the network. IDS identify a
pattern of attack and notify users of the attacker. The attacker is identified
by its IP address.
Intrusion Prevention Systems
IPS (Intrusion Prevention Systems) solutions are enhanced IDS which also
block the attacker after identifying it in one of the following methods:
Blocking its traffic.
Terminating its TCP communication.
Inserting access lists to firewalls and routers.
None of these blocking mechanisms excludes the malicious station from the
network. They only confine the intruder and limit its access to the server
farm, or at best prevent it from getting out of its segment. Intruders,
however, can continue infecting stations in the unblocked part of the network.
Furthermore, the stations they infect act as proxies for additional attacks.
Centralized Anti-Virus Solutions
There is a current trend to move to centralized antivirus management on all
stations inside the organization. This enables controlled updating of virus
information from the center, and the ability to receive alerts for:
Discovered viruses in the enterprise.
Stations that removed the antivirus agent.
However, these products only notify the administrators of the alerts; they do
not disable the malicious stations.
Risk Management Solutions
Risk management tools gather event logs and audit records from servers and
devices in the enterprise, then correlate the records in order to discover
intruders or malicious stations. If an intruder is found, the operator is
notified and actions are performed accordingly. However, at the network level
only the IP address of the malicious station is known, as with IPS
capabilities.
1.2 Key Features
SWAT is a unique and very powerful complementary tool for most of the
existing security products in the field of malicious station detection.
SWAT includes the following key features:
Provides the exact location of an intruder:
Physical: switch/slot/port.
Geographical: building/floor/room/socket.
Complements the capabilities of existing IDS/IPS, antivirus and risk
management solutions, disabling any intruders and excluding attackers
from the network within seconds of discovery.
Includes a powerful engine, providing a distributed instantaneous online
discovery process.
Physically moves new stations to a VLAN and automatically disables/enables
them, enhancing network quarantine abilities.
Enables simple integration with management platforms (Tivoli, HP, CA
and more).
Performs online mapping, enabling IP address to MAC address mapping
along with online management of organization layout.
Easily installed, maintained and operated from a central position in the
network.
No additional components or adjustments to the network architecture
are required.
Multi-vendor switch support.
SWAT provides a full compliance mechanism using a variety of protocols:
WMI
SNMP
HTTP
TELNET
Additional features:
Quick and simple migration to 802.1x, providing access control for switches
and end stations that do not support 802.1x.
Includes a MAC address security permission system, restricting access to an
organization's internal network and creating a repository of all network
nodes.
1.3 Intruders & Malicious Stations
The problem:
IDS/IPS, centralized antivirus and risk management software detect and
block malicious stations coming either from within the organization or from
the outside. These products operate and block stations at the IP address
level (access lists in firewalls/routers). This is sufficient for intruders
outside the organization; however, malicious stations residing within the
organization can continue poisoning the enterprise's internal network. Most
malicious stations that actually cause damage come from within the
organization, thus there is a need to disconnect malicious stations, based on
their IP address, at the actual physical port level. Most operators require the
exact physical location (switch/slot/port) of a station with a given IP
address, as well as its exact geographical location
(building/floor/room/socket), in order to disconnect it from the network.
Wise-Mon's solution:
Serving as the next step for IDS/IPS, antivirus and risk management
solutions, SWAT complements existing security tools by blocking the actual
physical port of an intruder. With the ability to perform online mapping of
MAC addresses, SWAT specifies the exact location of an intruder on both the
physical and geographical level, right away.
In order to locate newly connected stations and validate them by using their
MAC addresses for identification, SWAT combines alert handling mechanisms
with fast, low-bandwidth switch polling. SWAT is easy to deploy and
implements an easy-to-use web-based GUI with full management
capabilities.
High-speed, low-bandwidth IP scanning and router polling provide quick
identification and compliance checks for layer 3 devices.
1.4 802.1x & NAC
SWAT provides online monitoring of the location of each station connected to
the internal network of the enterprise. When a malicious station is connected,
SWAT discovers it within seconds to minutes and presents precise location
information about it, even if the station changes its IP address. Hence,
operators identify the intruder online by its IP address and are able to
disconnect it from the network at the physical switch level.
1.4.1 Overview of 802.1x and NAC
The 802.1x standard addresses the issue of access permissions to the
network. When a station is connected to a switch, the user/device is
prompted by the switch for authentication information. This information is
passed by the switch to a RADIUS server for verification. Only when the
station is authenticated does the switch allow it to connect to the network.
A hardware NAC system is an extension of 802.1x; it adds tests and
conditions, which the switch verifies before the network device is connected.
The tests can include verifying that an antivirus product is running and that
the patch level is high enough.
In order to implement 802.1x there is a need for:
Switches that support this standard.
Network devices that support 802.1x.
A RADIUS server which is connected to the organization's authentication
store.
It is clear that within 3-5 years 802.1x will become the standard for network
access authentication, both for wired & wireless devices.
The problems in implementing 802.1x:
There are a few problems with the current implementation of 802.1x:
Currently not all switches support this standard. For some switches it only
requires the change of the firmware, however for others it requires the
exchange of the complete switch.
Requires a change in the enterprise network's architecture (switch,
RADIUS, device drivers in stations, etc.).
The implementation itself is very complex and requires a long deployment
period (weeks to months in most organizations).
There are many network devices that do not support 802.1x:
Most printers.
Some UNIX platforms.
It is quite complicated to manage 802.1x.
SWAT as an easy way for 802.1x migration:
SWAT enables organizations to migrate to 802.1x easily and reliably. SWAT
provides access control checks for switches and network stations that do not
support 802.1x. The implementation of SWAT does not require any change in
any switch and/or end device, and most network devices are supported as is.
SWAT acts as a centralized guard of the internal network.
MAC address & location-based security permission system:
SWAT supplies a security mechanism which restricts access to the
organization's internal network based on MAC addresses. The product creates
a repository of all nodes in the enterprise network. It then checks the
connecting nodes and either permits or disconnects the node from the network
according to the given permissions.
The security parameters for a permission entry are:
A list of ports on the switches.
A list of switches (all the ports of a given switch).
A list of sockets and physical access points in the geographical premises of
the enterprise. A socket is represented by the following list of information:
location-building-floor-room-socket.
Time-based permission system.
1.4.2 Online Network Discovery Tools
Most network management tools include a discovery mechanism. However,
these tools have the following limitations:

SWAT vs. Regular Network Discovery Tools

Network Discovery Tools: Centralized tools mounted on a single server. Thus,
all discovery communication passes through the network to the server and
there is no distributed discovery.
SWAT: SWAT has the ability to distribute agents that perform the discovery
process. The discovery agents are located near the monitored equipment and
perform the discovery in parallel.

Network Discovery Tools: High bandwidth utilization since all discoveries are
centralized, entailing high expenses of bandwidth when the organization is
distributed.
SWAT: SWAT locates the agents near the monitored devices, maintaining an
image of the results in the agents. Only the delta between the discoveries is
returned to the center. This reduces the bandwidth utilization.

Network Discovery Tools: Serial discovery process usually polls one node at a
time, causing a slow discovery cycle. In a large network the discovery cycle
can last many hours (this being the reason that most of these tools
recommend scheduling a discovery cycle every few days).
SWAT: The distributed agents supply parallel discovery. SWAT also performs
asynchronous discovery operations within the agent, allowing faster
operations within each agent. This enables SWAT to perform a full discovery
operation within minutes.

Network Discovery Tools: Malicious station detection tools do not integrate
with any security product.
SWAT: SWAT integrates with IDS, IPS, centralized anti-virus management
stations and risk management tools.

Network Discovery Tools: Limited device support for only a given set of
devices with mapping connections. Adding new nodes usually requires
changes in the software.
SWAT: Mapping is hardly a standardized issue. SWAT is designed to enable
support for new devices at site level by changing configuration files. Minimal
software changes are required when adding new device support to SWAT.

Network Discovery Tools: No geographical location support, and usually no
information is provided about the physical location of a given node.
SWAT: SWAT enables obtaining the geographical location of a given device.
The location information can be imported from external sources and asset
management tools.

Network Discovery Tools: Non scaleable, becoming very slow when the
discovered network grows.
SWAT: SWAT is designed for scalability, allowing unlimited agents with
unlimited managers in the centers, accepting data from the agents. The
managers can also be distributed to the different devices.

NOTE
All communication between the agents and managers in the center is
secured and encrypted.
1.5 Additional Benefits
1.5.1 Organizational Tree Support
SWAT enables building an organizational hierarchy tree. The hierarchy tree
describes the organization's structure and contains:
Sites.
Buildings.
Rooms.
Network sockets.
Based on this organizational tree, SWAT's alerts show the exact location of an
intruder, in addition to its switch/slot/port information. This allows for
location-based permission rules for given devices. The organizational tree data
and the connection between network sockets and switch/slot/port can be
imported from existing asset management platforms in the organization, or
fully maintained using only the SWAT GUI.
1.5.2 ESM Integration
By learning the network structure from installed management platforms,
SWAT is easily integrated, saving the time needed for defining the switches
and routers in the network. SWAT also receives the list of MAC addresses and
automatically authorizes them all.
Leveraging ESM platform capabilities, SWAT can be used to show
port-switch-MAC-IP-socket-physical-room information in trap details,
displayed by the ESM platforms.
The following ESM platforms are supported:
HP OpenView NNM
IBM Tivoli Netview
1.5.3 Flexible MAC Address Permissions
SWAT enables setting MAC address permissions according to several flexible
rules. Specific MAC addresses are allowed to connect to specific network
sockets, buildings, rooms, switches, ports, at given time slots, etc.
MAC address permission scenario examples:
Allow a specific laptop to connect only to a specific floor in a specific building
for a given amount of time.
Allow only specific stations to connect to specific sockets in given buildings.
1.5.4 Enhanced Reports and Query Capabilities
Based on a relational database, SWAT generates any report needed for
management. SWAT includes a large number of built-in reports such as:
Ports locked by SWAT or other systems.
MAC addresses in the enterprise and their authorization status.
Different views of MAC address permissions.
Last connection time of MAC address and its location:
Site/building/room/socket
Switch/slot/port
1.5.5 Easy Installation
SWAT is easy to install and maintain. It requires a single Windows-based
server with SQL server (or MSDE) for database and reporting capabilities.
SWAT's client is HTTP/S web-based. No additional components, switches, OS
or hardware upgrades are required.
1.5.6 Scalable Installation
For large installations with thousands of switches, SWAT offers a distributed
and scalable deployment, designed for any size network.
Chapter 2: Operational Concepts
IN THIS CHAPTER:
Basic Mechanism
Run Modes
Scaleable Solution
2.1 Basic Mechanism
SWAT performs its actions by learning the VLAN topology of the organization,
while matching the physical MAC addresses of the nodes in the organization
to the IP addresses assigned to them.
SWAT performs periodical checks of defined switches and routers. It extracts
the bridge and ARP information from the devices, mapping the location of
each device within the network.
SWAT also receives linkup traps from the switches in the organization and
examines the node connected to the originator of the trap. Every new node
SWAT detects is entered to the mapping database and verified according to
the permissions assigned to it. Then actions are performed based on these
permissions.
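The bridge-table and ARP correlation step described above, as an added example that is not SWAT's own code. It models the two SNMP tables the text mentions with the standard MIB objects most switches and routers expose (BRIDGE-MIB dot1dTpFdbPort for the bridge forwarding table, IP-MIB ipNetToMediaPhysAddress for ARP); that choice, the switch name and the sample walk lines are this example's assumptions, since the page does not state which objects SWAT queries. It then locates a station by IP, lists MACs the mapping database does not know yet, and flags ports behind which several MACs appear.

```python
"""Constructed example (not SWAT code): correlate a switch's bridge forwarding
table with a router's ARP table and locate a station by its IP address.

Assumption: SWAT's queries are modelled here with two standard MIB objects,
BRIDGE-MIB dot1dTpFdbPort and IP-MIB ipNetToMediaPhysAddress. The switch
name, MAC and IP addresses below are invented sample data."""
from typing import Dict, List, NamedTuple, Set

FDB_PORT_OID = "1.3.6.1.2.1.17.4.3.1.2"   # dot1dTpFdbPort: index = 6 MAC octets
ARP_PHYS_OID = "1.3.6.1.2.1.4.22.1.2"     # ipNetToMediaPhysAddress: index = ifIndex.ip

# Constructed "<oid>.<index> = <value>" lines, in the shape an snmpwalk prints them.
SWITCH_WALK = """\
1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = 3
1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.86 = 7
1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.87 = 7
"""
ROUTER_WALK = """\
1.3.6.1.2.1.4.22.1.2.5.10.1.1.20 = 00:11:22:33:44:55
1.3.6.1.2.1.4.22.1.2.5.10.1.1.21 = 00:11:22:33:44:56
1.3.6.1.2.1.4.22.1.2.5.10.1.1.22 = 00:11:22:33:44:57
"""


class Location(NamedTuple):
    switch: str
    port: int


def _walk_lines(text: str):
    """Yield (oid, value) pairs; blank or malformed lines are skipped."""
    for line in text.splitlines():
        if " = " not in line:
            continue
        oid, value = line.strip().split(" = ", 1)
        yield oid, value.strip()


def parse_fdb(walk: str, switch: str) -> Dict[str, Location]:
    """Bridge forwarding table of one switch: MAC -> (switch, bridge port)."""
    fdb: Dict[str, Location] = {}
    for oid, value in _walk_lines(walk):
        if not oid.startswith(FDB_PORT_OID + "."):
            continue
        octets = oid[len(FDB_PORT_OID) + 1:].split(".")
        if len(octets) != 6:
            continue
        mac = ":".join(f"{int(o):02x}" for o in octets)
        fdb[mac] = Location(switch, int(value))
    return fdb


def parse_arp(walk: str) -> Dict[str, str]:
    """Router ARP table: IP -> MAC (index is an ifIndex followed by 4 IP octets)."""
    arp: Dict[str, str] = {}
    for oid, value in _walk_lines(walk):
        if not oid.startswith(ARP_PHYS_OID + "."):
            continue
        parts = oid[len(ARP_PHYS_OID) + 1:].split(".")
        if len(parts) != 5:
            continue
        arp[".".join(parts[1:])] = value.lower()
    return arp


def locate_ip(ip: str, arp: Dict[str, str], fdb: Dict[str, Location]):
    """IP -> MAC through ARP, then MAC -> switch/port through the bridge table."""
    mac = arp.get(ip)
    return fdb.get(mac) if mac else None


def new_nodes(fdb: Dict[str, Location], repository: Set[str]) -> Set[str]:
    """MACs seen on the switch that the mapping database does not know yet."""
    return set(fdb) - repository


def multi_mac_ports(fdb: Dict[str, Location]) -> Dict[Location, List[str]]:
    """Ports behind which more than one MAC is learned (hub, VM host or an unmanaged switch)."""
    by_port: Dict[Location, List[str]] = {}
    for mac, loc in fdb.items():
        by_port.setdefault(loc, []).append(mac)
    return {loc: sorted(macs) for loc, macs in by_port.items() if len(macs) > 1}


if __name__ == "__main__":
    fdb = parse_fdb(SWITCH_WALK, "sw-lab-1")
    arp = parse_arp(ROUTER_WALK)
    print(locate_ip("10.1.1.20", arp, fdb))      # Location(switch='sw-lab-1', port=3)
    print(new_nodes(fdb, {"00:11:22:33:44:55"}))
    print(multi_mac_ports(fdb))
```

A real deployment would map the bridge port to an interface name through dot1dBasePortIfIndex and ifName before showing it to an operator; the example stops at the bridge port number to keep the correlation logic visible.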
2.2 Run Modes
Various run modes are available for learning and maintaining images of
existing devices in an enterprise's internal network.
Learn mode: newly discovered MAC addresses are automatically set as
valid and authorized for accessing the whole network. Known address
permissions are left unchanged. This mode is suitable for enterprises that
have just installed SWAT and want to build their device repository. SWAT also
supports the option of loading all the valid devices in the organization from
an external source.
Warn mode: a warning is sent by email or written to an event log when
unidentified/unauthorized MAC addresses connect to the network via open
ports. The unidentified MAC addresses are then blacklisted.
Disconnect mode: when unidentified/unauthorized MAC addresses try to
connect via an open port, the port is automatically locked and the foreign
computer is disconnected. The unidentified MAC addresses are then
blacklisted.
NOTE
Each and every mode can be configured for the entire enterprise
network or a specific switch or port.
2.2.1 Advanced Run Modes
Learn and Lock for Group: connecting MAC addresses receive
authorization for the group of switches to which they are connected.
Learn and Lock for Switch: connecting MAC addresses receive
authorization for all ports on the switch to which they are connected.
Learn and Lock for Port: connecting MAC addresses receive authorization
for the port to which they are connected.
Learn Once and Warn: connecting MAC addresses are automatically set
as valid and authorized for the whole network. The port to which they are
connected changes to Warn mode.
Learn Once and Disconnect: connecting MAC addresses are
automatically set as valid and authorized for the whole network. The port to
which they are connected changes to Disconnect mode.
Move to VLAN: connecting new stations are physically moved to a VLAN
and automatically disabled/enabled. This run mode enables enhanced
network quarantine capabilities: stations receive new permissions in
accordance with the VLAN to which they are moved. Furthermore, stations
that receive a new dynamic IP address are discovered by SWAT.
The decision-making process, which takes place when access is determined for
a connecting computer during Warn or Disconnect mode, is as follows:
Unknown computer: the MAC address is blacklisted and its port is warned
or disconnected.
Known computer: the MAC address permissions are verified according to the
switch and port through which it connects.
NOTE
In order to stay connected, the permissions (exclusively positive or
negative) have to either approve the switch/port or not deny the switch/port.
If the current run mode is any type of learn mode, the computer's MAC
address is authorized in one of the following ways:
If the MAC address is authorized to access the port, its permissions are not
altered.
If the address is not authorized:
Learn-and-Lock modes add permissions to the switch/port.
Learn and Learn Once modes add permissions to the entire network; old
permissions are deleted.
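The decision process of this section (Warn and Disconnect for unknown and known computers, the "exclusively positive or negative" permission rule, and the way the Learn, Learn-and-Lock and Learn Once modes add or replace permissions), as an added example that is not SWAT's own code. The permission scopes (network, group, switch, port), the per-port mode override used to model "the port changes to Warn mode", and every name and MAC address are this example's own reading of the text, not SWAT's data model.

```python
"""Constructed example (not SWAT code): a model of the run-mode decision
process for a connecting station, covering Warn, Disconnect, Learn, the
Learn-and-Lock variants and the Learn Once variants.

Assumptions: permission scopes, the port-level mode override and all names
are this example's own; the Move to VLAN mode is not modelled."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class Mode(Enum):
    LEARN = "learn"
    WARN = "warn"
    DISCONNECT = "disconnect"
    LEARN_LOCK_GROUP = "learn and lock for group"
    LEARN_LOCK_SWITCH = "learn and lock for switch"
    LEARN_LOCK_PORT = "learn and lock for port"
    LEARN_ONCE_WARN = "learn once and warn"
    LEARN_ONCE_DISCONNECT = "learn once and disconnect"


@dataclass(frozen=True)
class Permission:
    scope: str    # "network", "group", "switch" or "port"
    target: str   # "" for network, else group name, switch name or "switch/port"
    allow: bool   # positive (True) or negative (False) entry


@dataclass(frozen=True)
class Link:
    """Where a station is connecting: switch group, switch and port."""
    group: str
    switch: str
    port: int

    @property
    def port_id(self) -> str:
        return f"{self.switch}/{self.port}"

    def covered_by(self, p: Permission) -> bool:
        return (p.scope == "network"
                or (p.scope == "group" and p.target == self.group)
                or (p.scope == "switch" and p.target == self.switch)
                or (p.scope == "port" and p.target == self.port_id))


@dataclass
class Nac:
    default_mode: Mode = Mode.WARN
    permissions: Dict[str, Set[Permission]] = field(default_factory=dict)  # known MACs
    blacklist: Set[str] = field(default_factory=set)
    port_modes: Dict[str, Mode] = field(default_factory=dict)   # per-port mode overrides
    events: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def mode_for(self, link: Link) -> Mode:
        return self.port_modes.get(link.port_id, self.default_mode)

    def authorized(self, mac: str, link: Link) -> bool:
        """A positive set must approve the switch/port; a negative set must not deny it."""
        perms = self.permissions.get(mac, set())
        matching = [p for p in perms if link.covered_by(p)]
        if any(not p.allow for p in matching):
            return False
        if any(p.allow for p in matching):
            return True
        return bool(perms) and all(not p.allow for p in perms)

    def connect(self, mac: str, link: Link) -> str:
        """Return the action taken: 'allow', 'learned', 'warn' or 'disconnect'."""
        mode = self.mode_for(link)
        if mode in (Mode.WARN, Mode.DISCONNECT):
            if mac not in self.permissions:              # unknown computer
                self.blacklist.add(mac)
                return self._enforce(mode, mac, link, "unknown station")
            if self.authorized(mac, link):               # known computer, permitted here
                return "allow"
            return self._enforce(mode, mac, link, "not permitted on this switch/port")
        # Learn family: a MAC already authorized for the port keeps its permissions.
        if self.authorized(mac, link):
            return "allow"
        if mode is Mode.LEARN_LOCK_GROUP:
            self.permissions.setdefault(mac, set()).add(Permission("group", link.group, True))
        elif mode is Mode.LEARN_LOCK_SWITCH:
            self.permissions.setdefault(mac, set()).add(Permission("switch", link.switch, True))
        elif mode is Mode.LEARN_LOCK_PORT:
            self.permissions.setdefault(mac, set()).add(Permission("port", link.port_id, True))
        else:  # Learn / Learn Once: a network-wide permission replaces the old ones
            self.permissions[mac] = {Permission("network", "", True)}
            if mode is Mode.LEARN_ONCE_WARN:
                self.port_modes[link.port_id] = Mode.WARN
            elif mode is Mode.LEARN_ONCE_DISCONNECT:
                self.port_modes[link.port_id] = Mode.DISCONNECT
        return "learned"

    def _enforce(self, mode: Mode, mac: str, link: Link, reason: str) -> str:
        action = "warn" if mode is Mode.WARN else "disconnect"
        self.events.append((action, mac, link.port_id, reason))
        return action


if __name__ == "__main__":
    nac = Nac(default_mode=Mode.LEARN_LOCK_PORT)
    lab = Link("hq", "sw-1", 3)
    print(nac.connect("00:11:22:33:44:55", lab))                   # learned
    nac.default_mode = Mode.DISCONNECT
    print(nac.connect("00:11:22:33:44:55", lab))                   # allow
    print(nac.connect("00:11:22:33:44:55", Link("hq", "sw-1", 9)))  # disconnect
    print(nac.events)
```

The `events` list is where a deployment would hook the email/event-log alert of Warn mode and the port lock of Disconnect mode; the model only records what would be done so the decision path can be inspected.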
2.3 Scaleable Solution
SWAT is scalable to networks of all sizes. This is implemented by allowing the
distribution of SWAT collector agents near the devices they monitor, thus
providing the following added value:
Faster network discovery cycle.
Reduced bandwidth utilization.
Secured communication.
Figure 2-1: Optional distributed architecture
2.3.1 Faster Network Discovery Cycle
Since SWAT operates in a distributed mode, it can perform discovery
operations in parallel. This enables a very fast discovery cycle. In addition, the
agents are also designed to perform fast discovery by performing their queries
both asynchronously and simultaneously.
Parallelism in two places:
Multiple agents which perform the discovery in parallel to different parts of
the network.
Each agent sends its requests asynchronously to the switches and routers it
monitors, and then correlates the answers. This way the discovery cycle
within each agent is very short.
2.3.2 Reduced Bandwidth Utilization
The agents are designed to use as little bandwidth as possible. This is critical
when the organization is composed of several sites connected by WAN lines.
The agents pass the discovered information periodically; however, in order to
reduce bandwidth utilization, the agents keep an image of the discovered
information in their memory and pass only the changes to the center. Thus,
there is hardly any traffic directed to the center, even when the discovery
process runs at high frequency. At a defined interval, the agent notifies the
center of the switches'/routers' status. If for any reason the agent does not
send keep-alive information to the manager within a predefined time, the
SWAT administrator is notified.
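The agent/manager exchange described in this section, as an added example that is not SWAT's own code: the agent keeps an image of its last discovery and hands the manager only the delta (added, removed and moved MACs), sends a bare keep-alive when nothing changed, and the manager flags any agent whose last message is older than the keep-alive interval. The message shape, the clock in seconds and all names are this example's assumptions.

```python
"""Constructed example (not SWAT code): delta reporting between a discovery
agent and the central manager, plus keep-alive supervision.

Assumptions: the delta message shape (added/removed/moved), the clock in
seconds and the agent/switch names are this example's own."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Loc = Tuple[str, int]   # (switch, port)


@dataclass
class Delta:
    added: Dict[str, Loc] = field(default_factory=dict)    # MAC -> location
    removed: Set[str] = field(default_factory=set)          # MACs no longer seen
    moved: Dict[str, Loc] = field(default_factory=dict)    # MAC -> new location

    def is_empty(self) -> bool:
        return not (self.added or self.removed or self.moved)


class Agent:
    """Discovery agent near the switches; remembers the image of its last cycle."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.image: Dict[str, Loc] = {}

    def discover(self, seen: Dict[str, Loc]) -> Delta:
        """Compare this cycle's result with the stored image and return only the change."""
        delta = Delta(
            added={m: loc for m, loc in seen.items() if m not in self.image},
            removed={m for m in self.image if m not in seen},
            moved={m: loc for m, loc in seen.items()
                   if m in self.image and self.image[m] != loc},
        )
        self.image = dict(seen)
        return delta


class Manager:
    """Central manager: applies deltas to its own image and watches keep-alives."""

    def __init__(self, keepalive_interval: float) -> None:
        self.keepalive_interval = keepalive_interval
        self.image: Dict[str, Tuple[str, str, int]] = {}   # MAC -> (agent, switch, port)
        self.last_seen: Dict[str, float] = {}

    def receive(self, agent: str, now: float, delta: Optional[Delta] = None) -> List[str]:
        """Process a keep-alive (delta=None) or a delta; return the MACs that changed."""
        self.last_seen[agent] = now
        if delta is None:
            return []
        changed: List[str] = []
        for mac in delta.removed:
            self.image.pop(mac, None)
            changed.append(mac)
        for mac, (switch, port) in {**delta.added, **delta.moved}.items():
            self.image[mac] = (agent, switch, port)
            changed.append(mac)
        return sorted(changed)

    def silent_agents(self, now: float) -> List[str]:
        """Agents whose last message is older than the interval: notify the administrator."""
        return sorted(a for a, t in self.last_seen.items()
                      if now - t > self.keepalive_interval)


def run_cycles(agent: Agent, manager: Manager, cycles) -> List[int]:
    """Feed successive (time, discovery result) pairs; return entries sent per cycle."""
    sent: List[int] = []
    for now, seen in cycles:
        delta = agent.discover(seen)
        if delta.is_empty():
            manager.receive(agent.name, now)   # keep-alive only, no payload
            sent.append(0)
        else:
            manager.receive(agent.name, now, delta)
            sent.append(len(delta.added) + len(delta.removed) + len(delta.moved))
    return sent


if __name__ == "__main__":
    agent = Agent("agent-hq")
    mgr = Manager(keepalive_interval=120)
    cycles = [
        (0, {"a": ("sw-1", 3), "b": ("sw-1", 7)}),
        (60, {"a": ("sw-1", 3), "b": ("sw-2", 1), "c": ("sw-1", 8)}),
        (120, {"a": ("sw-1", 3), "b": ("sw-2", 1), "c": ("sw-1", 8)}),
        (180, {"a": ("sw-1", 3), "c": ("sw-1", 8)}),
    ]
    print(run_cycles(agent, mgr, cycles))   # [2, 2, 0, 1]
    print(mgr.silent_agents(now=301))       # ['agent-hq']
```

The third cycle sends nothing but the keep-alive even though the agent polled every switch, which is the bandwidth saving the section describes; the manager's view is rebuilt purely from deltas, so a lost delta would leave it stale, which is why a real agent would also resend its full image on reconnect.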
2.3.3 Flexible Solution Supporting New Device Types
In order to build an accurate mapping, SWAT is required to learn the
information from switches within the organization. Despite the bridge
information standard (Bridge MIB), some switches do not support this MIB,
and many support it in different ways. With SWAT, the installer of the
product can easily introduce new devices to the product by directing it to
where the information is located. This process can be carried out at site level
by the operator of the product.
Chapter 3: Pre-Installation
IN THIS CHAPTER:
System Requirements
Obtaining the Software
Database Configuration
Switch/Router Information & Configuration
3.1 System Requirements
Hardware Requirements
Prerequisite: Additional Specifications
Platform: Intel.
Disk space: At least 250 MB.
CPU: Dual Pentium IV 2.0 GHz processors with 512 KB cache. SWAT's CPU
consumption depends on the number of monitored switches and connected
nodes.
RAM: 2 GB.
NOTE
It is assumed that SWAT is also running the database used by the product;
however, this is not a requirement.
Software Requirements
Prerequisite: Additional Specifications
Operating system: Windows 2000 Server (Service Pack 3); Windows 2003
Server.
Internet Information Services: IIS 5 or IIS 6.
Microsoft .NET Framework: Version 1.1.
NOTE
To ensure that IIS supports .NET pages, you need to run the file
aspnet_regiis.exe located in winnt\Microsoft.NET\Framework\#Version (on
Windows 2003 the directory is windows instead of winnt).
Database: MS SQL Server 2000 with Service Pack 3. This database should be
purchased separately; SWAT does not include an installation of SQL Server.
Alternatively, the MSDE database.
Windows Installer: SWAT installation uses MSI installation. This requires the
latest version of Windows Installer (a Windows component). The required
version of Windows Installer is already bundled with Service Pack 3 of
Windows 2000.
Internet browser: SWAT's graphical user interface is web-based. In order to
use the GUI, you need Internet Explorer 6 and above.
3.2 Obtaining the Software
To obtain the software:
Contact Wise-Mon Technologies at [email protected] and provide
the following information:
The operating system on which you plan to install the product.
IP and MAC addresses of the computer running SWAT.
Wise-Mon provides you with a user name and password to access the FTP
site, customers.Wise-Mon-t.com, from where the installation package can be
downloaded. You will also receive the license file required for operating the
product.
3.3 Database Configuration
The installation process assumes the following:
The SQL server/MSDE database is running on the same LAN on which
SWAT is installed.
The database permits both SQL server and Windows authentication.
NOTE
Do not install the MSDE on a computer that already has an SQL server
installed on it.
Setting the SQL server and Windows authentication:
The following instructions refer only to SQL servers. For the MSDE database,
other instructions are available in the readme file located in the MSDE
directory on Wise-Mon's FTP site.
In order to set the SQL server and Windows authentication in the database
server, perform the following:
1. Open SQL Server Enterprise Manager.
2. Select the Properties section of the database server.
3. Select the Security tab.
4. Select the SQL Server and Windows option.
Figure 3-1: SQL server and Windows authentication
Checking the database definitions:
You can check the database definitions by creating an ODBC entry for the
database and then verifying that the database is up and the SQL Server user
and password are valid.
3.4 Switch/Router Information & Configuration
In order to configure the switches/routers, you first need to perform the
following steps:
1. Make sure you know the IP addresses of all the switches.
TIP
Switch/router information can be obtained automatically by configuring
SWAT to do so in the Management Platforms Connectivity pane of the
General Administration form (see General Administration Form on page 32
for more information).
2. Make sure that each switch is configured to accept SNMP requests from
both SWAT's agent location and SWAT's central server (if they are not
located on the same machine).
3. Select the method of setting definitions for the switch/switch groups
(SNMP or SSH), either from the General Administration Form or per switch
in the Switch form (see Switch Forms on page 53 for more information).
Chapter 4: Installation
IN THIS CHAPTER:
Installing SWAT
SWAT Directories
Configuration
Discovery Agents & Managers
Key File Creation
Uninstalling SWAT
4.1 Installing SWAT
To install SWAT perform the following:
1. Open the compressed file and extract the installation files.
2. Execute the file named Setup.exe.
The SWAT Installation Wizard opens.
Figure 4-1: Installation Wizard
3. Click Next and follow the directions on the screen.
NOTE
If you decide to change the default destination folder, make sure the
directory path does not contain any spaces; otherwise the product might
malfunction.
4. After the Destination Folder screen appears, click Next to begin
transferring files to the destination folder. When this is done the following
screen appears:
Figure 4-2: Database location
5. In the Database Connection String tab, enter the database you want to
work with, your user name and password.
6. In the General tab, enter the required Verbose level (Verbose=0-9 trace &
verbose level: 0 - no output, 1 - error output, 9 - debug info) and click Apply.
Figure 4-3: Installation; Verbose
7. In the License tab, copy the license from the license file and click Apply.
(If you do not know your license number, contact Wise-Mon.)
Figure 4-4: Swat license
NOTE
The installation process takes 5 to 8 minutes.
The installation process performs the following operations:
Copies files into the destination directory tree (see SWAT Directories below).
Creates the SWAT database and tables in the database server.
Creates a website for SWAT using Internet Information Services.
4.2 SWAT Directories
The following table presents the list of SWAT directories and a brief
description:
Directory                              Description
[INSTALLDIR]                           Main directory.
[INSTALLDIR]\bin                       Binaries.
[INSTALLDIR]\bin\SWAT_JOBD             SWAT launch scripts.
[INSTALLDIR]\bin\OS_USER_MANAGEMENT    Installation scripts.
[INSTALLDIR]\bin\EVENT_LOG             Enables adding alerts to the event log on the server.
[INSTALLDIR]\bin\IIS_MANAGMENT         Files for installing SWAT's website.
[INSTALLDIR]\bin\DATABASE_MANAGMENT    Scripts that manage the database (e.g., creating the database).
[INSTALLDIR]\doc                       Help file.
[INSTALLDIR]\SwatAgent                 Agent files, including the file for creating a new agent.
[INSTALLDIR]\SwatManager               All manager files, including the installation file for creating a new manager.
[INSTALLDIR]\Data                      Application data files.
[INSTALLDIR]\ini                       Configuration files.
[INSTALLDIR]\log                       Log files.
[INSTALLDIR]\Temp                      Temporary files.
[INSTALLDIR]\web                       Web files.
4.2.1 Reinstalling SWAT
Using a new database:
To use a new database, you need to perform the following steps before
reinstalling a new version/uninstalling an old version of SWAT:
1. Open the SQL Server Manager.
2. Connect to the SWAT database.
3. Open Management->Current Activities->Process info section in the
tree.
4. Right-click the SWAT Process Database column (listed as SWAT).
5. Select Kill Process.
6. Open Current Activities and refresh the screen.
7. From the SWAT database, perform the delete action (not detach).
8. Uninstall SWAT.
9. Reinstall SWAT.
Saving previous databases:
If you reinstall SWAT and do not want to lose the configuration information
that was entered in the previous installation, perform the following:
1. Create a backup of SWAT's database information using the batch file:
[INSTALLDIR]\bin\DATABASE_MANAGEMENT\DuplicateDB.bat
This script copies the existing SWAT database into a temporary database
before the uninstall process.
NOTE
Step 1 is possible only if the database is local (on the server).
For a remote database, you need to manually copy the database using
SQL Enterprise Manager as follows:
a. Open the SQL Server Manager.
b. Connect to the SWAT database.
c. Open Databases > SWAT. Right-click All Tasks and select the
Backup Database section in the tree.
d. Select the database backup file on your computer.
e. Open Databases and right-click All Tasks. Select the Database
section in the tree and set the new database's name as SWAT_OLD.
f. Select the file you saved in step e.
2. Delete the SWAT database (see Database Configuration on page 15 for
more information).
3. Uninstall SWAT from the control panel.
4. Follow the installation process.
5. After the installation process is complete, restore the old database using
the batch file:
[INSTALLDIR]\bin\DATABASE_MANAGEMENT\RestoreDB.bat
This script copies the existing SWAT database from the temporary
database into the production database.
4.3 Configuration
The configuration definitions for SWAT are saved in a file named SWAT.ini
located in the [INSTALLDIR]\ini directory. In order for changes in the file to
take effect, the SWAT processes must be restarted.
The file format appears below:
[general]
;Verbose=0-9 trace & verbose level: 0-no output, 1-error output, 9-debug info
Verbose=1
[database]
dsn=dbi:ODBC:DRIVER=SQL Server;SERVER=(local);database=SWAT
;dsn=dbi:ODBC:SWAT
user=sa
password=sa
WEBdsn=Initial Catalog=SWAT;Data Source=localhost;Trusted_Connection=no
;------------------------------------------------------------
;Interface types
;regular interfaces see mib description 2-32
;Avaya 10/100 (p580,p880) - 62
;Giga port - 117
;------------------------------------------------------------
[interface]
InterfaceTypes=2-32,62,117
NOTE
Lines beginning with a semi-colon are ignored.
4.3.1 General - Verbose Logging
Detailed logging options are available for troubleshooting and debugging
purposes.
[general]
;Verbose=0-9 trace & verbose level: 0-no output, 1-error output, 9-debug info
Verbose=1
These options are defined using the parameter Verbose in the General
section. The valid values are 0, 1, and 9:
0  No logging output is written.
1  Default value (only errors are logged).
9  Full logging of all actions. Use this value only when you encounter
problems with the product and want to collect data about the cause. Do not
leave this value set for a long period of time, since it increases the log file
size dramatically.
NOTE
There is a log cleanup mechanism that truncates log files that are bigger than
100 MB.
It is recommended to leave the verbose set to 1.
4.3.2 Interface
InterfaceTypes=2-32, 62, 117
The Interface section defines the IfTypes of interfaces SWAT monitors.
IfTypes are extracted from the SNMP interface MIB. Since switches can
contain both logical and VLAN interfaces, the list under the parameter
InterfaceTypes identifies only the physical interfaces.
NOTE
It is recommended not to change this list without consulting Wise-Mon.
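As an added example (not part of the SWAT product or this guide), the following script reads a SWAT.ini file of the format shown above, checks the Verbose level and the database credentials, expands the InterfaceTypes list into ifType numbers, and uses that list to keep only the physical ports from an SNMP ifTable. The ini text and the ifTable rows are constructed for the example; the ifType numbers 6, 53 and 131 are IF-MIB values, and the "Giga port" type 117 is the one the guide lists.

```python
"""Added example, not part of the SWAT product or this guide: load a SWAT.ini
file of the format shown in section 4.3 and check the settings described in
sections 4.3.1 (Verbose) and 4.3.2 (InterfaceTypes), then use the parsed
ifType list to keep only physical interfaces from an SNMP ifTable."""
import configparser
from typing import Dict, List, Set

# The only Verbose levels the guide documents (section 4.3.1).
VALID_VERBOSE = {0, 1, 9}

# Constructed sample mirroring the SWAT.ini layout printed in section 4.3.
SAMPLE_INI = """\
[general]
;Verbose=0-9 trace & verbose level: 0-no output, 1-error output, 9-debug info
Verbose=1
[database]
dsn=dbi:ODBC:DRIVER=SQL Server;SERVER=(local);database=SWAT
;dsn=dbi:ODBC:SWAT
user=sa
password=sa
WEBdsn=Initial Catalog=SWAT;Data Source=localhost;Trusted_Connection=no
[interface]
InterfaceTypes=2-32,62,117
"""

# Constructed ifTable rows (ifIndex, ifDescr, ifType). IF-MIB values:
# 6 = ethernetCsmacd, 53 = propVirtual (VLAN interface), 131 = tunnel;
# 117 is the vendor-specific "Giga port" type the guide lists.
SAMPLE_IFTABLE = [
    (1, "Fa0/1", 6),
    (2, "Fa0/2", 6),
    (10, "Vlan10", 53),
    (11, "Tu0", 131),
    (12, "Gi1/0/1", 117),
]


def load_ini(text: str) -> configparser.ConfigParser:
    """Parse SWAT.ini text. Lines starting with ';' are comments, as the guide
    notes; interpolation is off so a '%' inside a DSN cannot break parsing,
    and option names keep their case (Verbose, InterfaceTypes)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def parse_interface_types(spec: str) -> Set[int]:
    """Expand 'InterfaceTypes=2-32,62,117' into the set of ifType numbers."""
    types: Set[int] = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        if "-" in token:
            lo, hi = (int(part) for part in token.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {token!r} in InterfaceTypes")
            types.update(range(lo, hi + 1))
        else:
            types.add(int(token))
    return types


def physical_interfaces(iftable, monitored: Set[int]) -> List[int]:
    """Return the ifIndex values whose ifType is in the monitored list, i.e.
    the ports SWAT would watch; VLAN and tunnel interfaces drop out."""
    return [idx for idx, _descr, iftype in iftable if iftype in monitored]


def audit_ini(text: str) -> Dict[str, object]:
    """Check the settings the guide describes and return findings."""
    cp = load_ini(text)
    warnings: List[str] = []

    verbose = cp.getint("general", "Verbose", fallback=1)
    if verbose not in VALID_VERBOSE:
        warnings.append(f"Verbose={verbose} is not a documented level (0, 1, 9)")
    elif verbose == 9:
        warnings.append("Verbose=9 left enabled; the guide recommends 1 "
                        "outside troubleshooting because of log growth")

    # The guide's sample ships with the SQL Server default account and the
    # password in plaintext; both deserve a look before the system goes live.
    user = cp.get("database", "user", fallback="")
    password = cp.get("database", "password", fallback="")
    if user.lower() == "sa" or password.lower() == "sa":
        warnings.append("database section uses the default 'sa' credentials")
    if password:
        warnings.append("database password is stored in plaintext in SWAT.ini; "
                        "restrict file permissions on the ini directory")

    types = parse_interface_types(cp.get("interface", "InterfaceTypes"))
    return {"verbose": verbose, "interface_types": types, "warnings": warnings}


if __name__ == "__main__":
    result = audit_ini(SAMPLE_INI)
    print("Verbose:", result["verbose"])
    print("monitored ifTypes:", len(result["interface_types"]))
    print("physical ifIndexes:",
          physical_interfaces(SAMPLE_IFTABLE, result["interface_types"]))
    for warning in result["warnings"]:
        print("WARNING:", warning)
```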
4.4 Discovery Agents & Managers
SWAT is designed to perform extremely fast discovery cycles; to accomplish
this task discovery managers and agents are created. SWAT supports the
creation and distribution of multiple agents and managers. The managers
communicate with SWAT's logic through the database, and therefore they
should be located in or near the SWAT server. The agents should be spread in
the enterprise network, as close as possible to the switches and routers they
monitor. The best location for an agent in a remote branch is on a regional
server.
The discovery agents themselves are designed for speed. They query the
switches and routers in their responsibility zone simultaneously, in an
asynchronous way. The communication between the SWAT agents and
managers is designed to be minimal. To achieve this goal each agent keeps an
image of its monitored segment, and reports only the changes in the network
to the center. The changes are relatively minimal.
Dividing switches/routers between agents:
Through the SWAT GUI, the administrator determines which agent/manager
monitors a given switch or router.
Secured agent and manager communication:
The agent and manager communication is designed for security; the manager is the originator of the communication. There is an authentication process
between the agent and manager. The communication between the agent and
manager is encrypted (based on a shared password used for generating an
encryption key, which is used to encrypt their communication).
4.4.1 Default Installation
SWAT comes in the default installation with a single agent and manager. They
are both installed as services on the machine that runs SWAT. The service
names are:
SwatSwitchManager   The SWAT manager.
SwatSwitchAgent     The SWAT agent.
By default the agent waits for a manager to connect to it on port 54100
using the TCP protocol.
The parameters used by the agent and manager are taken from the SWAT
agent.xml and SWAT manager.xml files.
4.4.2 Creating a New Agent
In order to create a new agent, copy all the contents of
[INSTALLDIR]\SwatAgent, including its sub-directories, to the target
computer. The following directories are copied:
Agent Directories
Directory Description
[INSTALLDIR] Main directory.
[INSTALLDIR]\bin Binaries.
[INSTALLDIR]\ini Configuration files.
[INSTALLDIR]\log Log files.
[INSTALLDIR]\Temp Temporary files.
CAUTION
Do not use the installation SwatAgent and SwatManager folders. Instead, copy them to a new location and then proceed with the
installation of the agents and managers.
Run the script Install.bat located in the [INSTALLDIR]\bin directory.
The script is designed for Windows platform, although there are agents that
can run on non-Windows platforms (UNIX: HPUX, SUN, Linux).
The script receives two parameters which specify the [INSTALLDIR] and the
port on which the agent runs.
For example: Install c:\Wise-Mon\swat\SwatAgent 54100.
The script changes the ini files so the agent binds to this port number, and
waits for a manager call from there. The script also creates a service named:
Wise-MonSwatSwitchAgent_agentPort, which is automatically started.
NOTE
You need to choose a different port for each agent.
SwatAgent.xml ini File
The agent uses the following XML-based ini file. The file contains parameters
which are relevant to the agent's operations. The default file sets the
following parameters (described in the table below):
SWATXMLFile         C:\WISE-MON\SWAT\SwatAgent\ini\Swat.xml
KeyFile             127.0.0.1.54100
nTCPPort            54100
KeepAliveTimeout    120
nRetry              2
nTimeout            3
Parameter           Description
SWATXMLFile         Points to SWAT's internal ini file, also located in the ini directory.
NOTE
This parameter should not be changed.
KeyFile             Points to the encryption and authentication key file, used for manager authentication and data encryption.
nTCPPort            Controls the port that the agent binds to. The manager then connects to this port.
KeepAliveTimeout    Notifies the agent that after the defined number of seconds a keep-alive message must be sent to the
manager, even if no information is required to be sent.
nRetry              The default value for retry operations when polling the communication devices.
nTimeout            The default time-out value for requests sent to the communication devices.
UnInstall the agent   Runs the script UnInstall.bat located in the [INSTALLDIR]\bin directory. If the script does not receive parameters it removes the agent service.
MailSubjectPrefix   Added as a prefix to the subject of the emails that SWAT sends.
4.4.3 Creating a New Manager
In order to create a new manager, copy all the contents of
[INSTALLDIR]\SwatManager, including its sub-directories, to the target
computer. The following directories are copied:
Manager Directories
Directory Description
[INSTALLDIR] Main directory.
[INSTALLDIR]\bin Binaries.
[INSTALLDIR]\ini Configuration files.
[INSTALLDIR]\log Log files.
[INSTALLDIR]\Temp Temporary files.
4.4.4 Installing the Manager
To install the manager:
Run the script: Install.bat located in the [INSTALLDIR]\bin
directory. The script is designed for the Windows platform. The script receives two
parameters which specify the [INSTALLDIR] and the manager ID assigned to the manager. For example:
Install C:\WISE-MON\SWAT\SwatManager 1
The script changes the ini files so the manager has the given manager ID. The
script also creates a service named SwatSwitchManger_managerid, which is
automatically started.
SwatManager.xml ini File
The managers use the following XML-based ini file. The file contains the
following parameters that are relevant to the manager's operations. The default
file sets these parameters (described in the table below):
SWATXMLFile              C:\WISE-MON\SWAT\SwatManager\ini\Swat.xml
ManagerID                1
ReloadSwitchListTimeout  300
ConnectionTimeout        180
ReplyTimeout             180
Parameter                Description
SWATXMLFile              Points to SWAT's internal ini file, also located in the ini directory.
NOTE
This parameter should not be changed.
ManagerID                Specifies the manager ID assigned to the given manager. When adding a new router/switch, one of the parameters is the number of the manager assigned to the given switch.
ReloadSwitchListTimeout  The switch and router definitions under the responsibility of this manager can be changed due to user additions/deletions or renewed discovery on the switches and routers configuration. This parameter
instructs the manager to reload these definitions every given period (in seconds). If a change is discovered which is relevant to a given agent, the configuration is resent to the agent.
ConnectionTimeout        Instructs the manager to send an alert to the operator if an agent did not respond within the given time-out (in seconds).
ReplyTimeout             Specifies the time-out value for retrying to reconnect to an agent that was previously unavailable.
Uninstalling the Manager
Run the script UnInstall.bat located in the [INSTALLDIR]\bin
directory. If the script does not receive parameters, it removes the manager
service.
4.5 Key File Creation
The key file is an encrypted file containing data used for authenticating the
conversation partners and for encrypting the data that passes on that
conversation. Each session between a manager and agent should have a key
file that exists on both sides. The key files in the manager are named after the IP address and the port number of the given agent, using the convention:
IP_address.port_number. For example, for an agent sitting on a station
with an IP: 10.0.1.150 binding to port 54100 the file is named
10.0.1.150.54100. In the agent's ini file, there is a key that specifies the name
of the key file used by the agent.
4.5.1 Generating a Key File
As mentioned before, each session between an agent and manager should have
a key file. The same key file can be used on more than one session; however,
this is less secure.
To generate a key file:
1. Create a clear-text key file and enter a password in it.
2. Run the executable: [INSTALLDIR]\bin\encryptfile.exe
clr_file_name encrypted_file_name where:
clr_file_name is the full path to the clear-text key file.
encrypted_file_name is the full path to the encrypted key file
generated.
The encrypted file generated should be copied to the manager's
[INSTALLDIR]\ini\ directory with the name specified.
The encrypted file generated should also be copied to the agent's [INSTALLDIR]\ini\ directory and pointed to by the KeyFile
tag of SwatAgent.xml.
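As an added example (not part of the SWAT product or this guide), the script below audits the manager-side key files described in sections 4.5 and 4.5.1: it derives the expected IP_address.port_number name for each configured agent, reports agents with no key file and key files with no agent, and flags byte-identical key files reused across sessions, the practice the guide allows but calls less secure. The agent list and the directory contents are constructed; the file contents are placeholders for the output of encryptfile.exe.

```python
"""Added example, not part of the SWAT product or this guide: audit the key
files section 4.5 describes. The manager names each agent's key file
IP_address.port_number; this code checks that every configured agent has such
a file, reports stray files, and flags byte-identical key files shared
between sessions (allowed by the guide, but described as less secure)."""
import hashlib
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

Agent = Tuple[str, int]  # (IP address, TCP port the agent binds to)


def key_file_name(ip: str, port: int) -> str:
    """Manager-side key file name for an agent, e.g. 10.0.1.150.54100."""
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return f"{ip}.{port}"


def parse_key_file_name(name: str) -> Agent:
    """Inverse of key_file_name; the last dotted field is the port."""
    ip, _, port = name.rpartition(".")
    agent = (str(ipaddress.IPv4Address(ip)), int(port))
    if key_file_name(*agent) != name:
        raise ValueError(f"not a key file name: {name!r}")
    return agent


def audit_key_files(agents: List[Agent],
                    key_files: Dict[str, bytes]) -> Dict[str, object]:
    """key_files maps file name -> encrypted content as read from the
    manager's ini directory (a constructed dict in this example)."""
    expected = {key_file_name(ip, port) for ip, port in agents}
    missing = sorted(expected - set(key_files))

    stray: List[str] = []
    by_digest: Dict[str, List[str]] = defaultdict(list)
    for name, content in key_files.items():
        try:
            parse_key_file_name(name)
        except ValueError:
            stray.append(name)  # not in IP.port form at all
            continue
        if name not in expected:
            stray.append(name)  # no agent is configured for this file
        by_digest[hashlib.sha256(content).hexdigest()].append(name)

    # Identical bytes under several names means one key reused for several
    # sessions, which is how the guide describes reuse (copying the file).
    shared = sorted(sorted(names) for names in by_digest.values()
                    if len(names) > 1)
    return {"missing": missing, "stray": sorted(stray), "shared": shared}


# Constructed inventory: three agents as defined in the GUI, and the files
# found in the manager's ini directory. Contents stand in for encrypted files.
AGENTS: List[Agent] = [("10.0.1.150", 54100), ("10.0.2.20", 54101),
                       ("10.0.3.7", 54100)]
KEY_FILES: Dict[str, bytes] = {
    "10.0.1.150.54100": b"ENCRYPTED-KEY-A",
    "10.0.2.20.54101": b"ENCRYPTED-KEY-A",  # same file copied to a second session
    "10.0.9.9.54100": b"ENCRYPTED-KEY-B",   # agent no longer configured
    "readme.txt": b"not a key",
}

if __name__ == "__main__":
    for kind, items in audit_key_files(AGENTS, KEY_FILES).items():
        print(f"{kind}: {items}")
```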
4.6 Uninstalling SWAT
To uninstall SWAT:
1. Open Start > Settings > Control Panel.
2. Open Add/Remove Programs.
3. Select Wise-Mon Technologies - SWAT.
4. Click Remove.
After uninstalling SWAT, remove the SWAT database from the database
server you created (using the database tools).
NOTE
The uninstall package does not remove newly created files. To
remove these you need to delete the SWAT directory.
Chapter 5: Administration
IN THIS CHAPTER:
Administration Menu
General Administration Form
SWAT Users
Alert Types
5.1 Administration Menu
The Administration menu lets you set up the default settings and attributes for SWAT.
Figure 5-1: Administration menu
The Administration menu includes the following options:
Option          Description
General         Opens the General Administration form, for you to enter various parameter definitions. See General
Administration Form on page 32 for more information.
SWAT Users      Determines the groups to be recognized by SWAT. See SWAT Users on page 38 for more information.
Alert Types     Displays the list of available alerts. See Alert Types on page 40 for more information.
5.2 General Administration Form
Select General from the Administration menu to open the General
Administration form:
Figure 5-2: General Administration form
Use the General Administration form to define the following various general
parameters according to which you want SWAT to perform:
Mail Pane
Use To
Administration Mail   Enter the email address to which you want the
warnings to be sent.
NOTE
Separate multiple addresses with a comma.
Mail Server IP        Enter the IP address of the mail server.
TIP
You can also enter the name of the server.
Default Operations Settings Pane
Use                   To
Run Mode              Select the required run mode from the drop-down list. The run mode is the action SWAT performs when a computer connects to the network via an open port (see Run Modes on page 10 for further details).
Permission            Select the permission you want to give to
connecting computers:
All: no restriction.
Lock for group: restricted to a defined group.
Lock for switch: restricted to a defined switch.
Lock for port: restricted to a defined port.
Lock for VLAN: restricted to a defined VLAN.
NOTE
Permission is relevant only when the run mode is of the Learn group.
VLAN Number           Enter the required VLAN number when using the Move to VLAN run mode.
Switch Check Frequency (minutes)   Enter the required interval in minutes between each cycle of discovery, i.e., the process of detecting new MAC addresses in the network. (This information is used by the agents.)
Use                   To
Disconnect Time (minutes)   The amount of time SWAT leaves a port
disconnected after an unauthorized intrusion.
NOTE
The value zero causes a disconnection for an
unlimited amount of time.
Unmanage Multi-MAC Interface   Select Yes or No. When this attribute is set to Yes, ports with multiple addresses connected to them are unmanaged and SWAT is not responsible for them.
Ignore Unknown MAC    Select Yes or No.
When No is selected: after receiving a specified detailed trap, which SWAT could not locate, the
MAC address is disconnected immediately.
Disconnect Multi-MAC Interface   Select Yes or No. When this attribute is set to Yes, ports with multiple MAC addresses connected to them are automatically disconnected. This attribute is not affected by the current run mode.
NOTE
MAC addresses disconnected in this way are not blacklisted. This feature is used to prevent insertion of hubs into the
organization's network.
Check Spoofing on Multi-MAC Interface   Select Yes to activate spoofing checks on multi-MAC interfaces. The default setting is No.
Port Settings Application   Configures the port through SNMP, Telnet or SSH (see Switch List File on page 117).
Agent IP              Enter the IP address of the agent that monitors the group.
Agent Port            Enter the port number of the agent that monitors
the group.
Manager ID            Enter the ID of the manager that is responsible for monitoring the given group.
Default Telnet Parameters Pane
Use                   To
Telnet/SSH user       Enter the Telnet/SSH user name.
NOTE
When Telnet connection parameters are provided, SNMP is no longer used to change settings on a switch; instead, a Telnet script
is executed.
Telnet/SSH Password   Enter the Telnet/SSH password.
Telnet Enable Password   Enter the Telnet script for enabling the password.
Default Communities
Use                   To
Get Community         Enter the Get SNMP community for routers and switches.
Set Community         Enter the Set SNMP community for routers and
switches.
NOTE
If no value is provided, the Get Community is taken as default.
SWAT Run Parameters Pane
Use                   To
Verbose               Enter the detailing level of the log (0, 1, 9).
License               Enter the license number.
License Information   View the detailed license information.
Management Platform Connectivity Pane
Use                   To
Management Platform   Select the management platform (installed on the same computer as SWAT) from the drop-down list. If you have a management platform for your network, SWAT can elicit information from it, including the list of switches and routers in the network and the MAC addresses discovered by the platform.
NOTE
This feature is not included with the
default installation of the product.
Management Platform ODBC   Create an ODBC connection to the platform's server on SWAT's server.
Management Platform DB User   Enter the user name of the management
platform database.
Management Platform DB Password   Enter the password of the management platform database.
Load from Management Platform   Load the switch/MAC address from the management platform.
Use                   To
Save the changes made to the General form.
Clear the General form without saving any changes.
5.2.1 Run Modes
The various run modes enable you to execute the following commands:
Run Mode                   Description
Learn                      Newly discovered MAC addresses are automatically set as valid and authorized for
accessing the whole network. Known addresses' permissions are left unchanged, yet port data is updated. This run mode is suitable for enterprises that just installed SWAT and want to build their device repository. SWAT also supports an option to load all the valid devices in the organization from an external source.
Learn and Lock for Group   Connecting MAC addresses receive authorization only for the defined group of switches to which they are connected.
Learn and Lock for Switch  Connecting MAC addresses receive authorization only for all ports on the switch to which they are connected.
Learn and Lock for Port    Connecting MAC addresses receive authorization only for the port to which they are connected.
Learn Once and Warn        Connecting MAC addresses are automatically set as valid and authorized for the whole network. The port to which they are connected changes to Warn mode.
Learn Once and Disconnect  Connecting MAC addresses are automatically set as valid and authorized for the whole network. The port to which they are connected changes to Disconnect mode.
Warn (mail)                A warning is sent by email or written to an event log when unidentified or unauthorized MAC addresses have been discovered as
connected to the network via an open port. The unidentified MAC addresses are then blacklisted.
Disconnect                 When unidentified or unauthorized MAC addresses try to connect via an open port, the port is automatically locked and the foreign computer is disconnected for a predefined
amount of time. If the MAC address discovered is unknown, unidentified MAC addresses are blacklisted.
Move to VLAN               When new stations try to connect, they are physically moved to a VLAN and automatically disabled/enabled. This run mode enables enhanced network quarantine capabilities: stations receive new permissions in accordance with the VLAN to which they are moved. Furthermore, stations that receive a new dynamic IP address are
discovered by SWAT.
5.3 SWAT Users
Select SWAT Users from the Administration menu to open the SWAT Users
screen as follows:
Figure 5-3: SWAT Users screen
Use this screen to define the groups you want recognized by SWAT and
determine their permissions.
SWAT Groups Pane
Use                   To
SWAT Admin (drop-down list box)   Select the required group for the selected
permission scope.
Delete a group from the defined user groups.
Group Permission Scope Pane
This pane determines the permission scope of the defined SWAT groups.
Group                 Permission
Administrator User    Overall permission (administration, operators,
reports and device manager).
Operator User         Permission to manage the MAC addresses (see Operations Menu on page 98).
Report User           Permission to manage the reports (see Reports Menu on page 76).
Device Manager User   Permission to change definitions for given ports on specific switches (see Network Configuration on page 42).
Computer Groups Pane
Use                   To
Select Group (drop-down list box)   Display the defined groups on the SWAT server,
excluding those that are defined for the given permission scope.
Add a new group to the defined user groups.
Use                   To
Save the changes made to the groups added.
NOTE
The Update button is enabled only for groups added by users.
5.4 Alert Types
Select Alert Types from the Administration menu to view the full list of the
various alerts provided by SWAT:
Figure 5-4: Alert Types screen
Field                 Description
Alert Type            Displays the list of alerts (see Alert Type List below for the full list of alerts and their description).
Alert Description     Presents a brief description of the various types of alerts.
Send Mail             When selected, receives mail in case of an alert.
Event Log             When selected, writes the alert to an event log.
Severity              Determines the severity of the alert. Select from the following available options:
Info
Warning
Error
Saves the changes.
Refreshes the Alert Types list.
5.4.1 Alert Type List
Alert                      Description
Agent Reconnect            The agent reconnects to the manager after the
server is down.
Agent Time Out             The agent is not responding.
SNMP Problem in Device     The device is experiencing SNMP problems.
External Intruder Detected An unauthorized station is detected.
New MAC Address            A new MAC address was found.
New Uplink Found           The port is defined as uplink.
Port Disable Failed        The attempt to disable the port failed.
Port Enable Failed         The attempt to enable the port failed.
Router Down                The router is not responding to SNMP.
Service Down               The service is not responding.
Switched Changed           The type of switch has changed.
Switch Down                The switch is not responding to SNMP.
Unauthorized Connection Detected   A station with the given MAC address is not
permitted in a specified location.
Virus Found                A virus was found by the antivirus system (see
Antivirus Support on page 113 for further information).
Chapter 6: Network Configuration
IN THIS CHAPTER:
Network Configuration Menu
Switch Groups
Switches
Switch Ports
Routers
Site Configuration
6.1 Network Configuration Menu
The Network Configuration menu lets you set up the network structure and
permission settings of switch groups, switches, switch ports, routers and the
organizational site structure.
Figure 6-1: Network Configuration menu
The Network Configuration menu includes the following options:
Option                Description
Switch Groups         Defines a certain group of switches. See Switch Groups on page 43 for more information.
Switches              Filters by switches. See Switches on page 49 for
more information.
Switch Ports          Filters by switch ports. See Switch Ports on page 58 for more information.
Routers               Filters by routers. See Routers on page 66 for more
information.
Site Configuration    Opens the Site Configuration screen, allowing you
to link your physical network structure to your organization's physical structure. See Site Configuration on page 71 for more information.
6.2 Switch Groups
Select Switch Groups from the Network Configuration menu to open the
Switch Group screen.
Figure 6-2: Switch Groups screen
Use this screen to provide a unifying name to a certain group of switches.
Switch Group Filtering Pane
Use To
Group Name Enter the name of the defined group of switches.
Group Description Provide a description of the group of switches.
Run Mode              Select the run mode of the group. See Run Modes on page 36 for more information.
Permission            Select the permission you want to give to connecting
computers:
All: no restriction.
Lock for group: restricted to a defined group.
Lock for switch: restricted to a defined switch.
Lock for port: restricted to a defined port.
Lock for VLAN: restricted to a defined VLAN.
NOTE
Permission is relevant only when the run mode
is of the Learn group.
Manager ID            Enter the ID of the manager that is responsible for
monitoring the given group.
Agent IP              Enter the IP address of the agent that monitors the group.
Agent Port            Enter the port number of the agent that monitors the group.
Check Frequency       Enter the required interval in minutes between each cycle of discovery, i.e., the process of identifying new MAC addresses in the network. This information is used by the agents.
Disconnect Time       Enter the required number of minutes for which a port is closed when a disconnection is warranted.
Filter according to the IP address entered for the switch.
Clear the filtering pane (not the results).
Add New Group Pane
Use To
Group Name Enter the name of the defined group of switches.
Group Description     Provide a description of the group of switches.
Add a new group of switches.
Switch Groups Filtered Results
After clicking the Filter button, the following switch group parameters are
displayed:
Parameter Description
Group Name The name of the defined group of switches.
Group Description     The user's description for the group of switches.
Run Mode              The run mode of the switch. See Run Modes on
page 36 for more information.
Permission            The permission you want to give to connecting computers:
All: no restriction.
Lock for group: restricted to a defined group.
Lock for switch: restricted to a defined switch.
Lock for port: restricted to a defined port.
Lock for VLAN: restricted to a defined VLAN.
NOTE
Permission is relevant only when the run mode is of the Learn group.
Opens the Switch Group List for you to update the current list of defined groups.
Opens the Switch Group Form, for setting all the attributes of the group of switches.
Edits the MAC address permissions for the selected switches and sets them according to the selected permission. See MAC Address Permission Filtering on page 107 for more information.
Deletes selected switches.
Exports results to Excel.
6.2.1 Switch Group List
Use the Switch Group list to enforce a certain run mode on a defined group of
switches.
Figure 6-3: Switch group list
Select the required switches and click Apply.
6.2.2 Switch Group Form
Use the Switch Group form to provide the operational and permission
information of the selected group of switches. The form displays both
attributes and inherited values.
Figure 6-4: Switch Group form
Field Description
Group Name The name of the defined group of switches.
Group Description     The user's description for the group of switches.
Administration Mail   The email address to which warnings are sent.
NOTE
Separate multiple addresses with a comma.
Run Mode              The run mode of the group. See Run Modes on page 36 for more information.
Permission            The permission you want to give to connecting computers:
All: no restriction.
Lock for group: restricted to a defined group.
Lock for switch: restricted to a defined switch.
Lock for port: restricted to a defined port.
Lock for VLAN: restricted to a defined VLAN.
NOTE
Permission is relevant only when the run mode
is of the Learn group.
VLAN Number           The number of the defined VLAN.
Manager ID            The manager ID that handles the group.
Agent IP              The IP address of the agent that polls the group.
Agent Port            The port number of the agent that polls the group.
Group Check Frequency (minutes)   Polling frequency in minutes.
Disconnect Time (minutes)   The time the switch port remains disconnected in minutes.
Unmanage Multi-MAC Interface   When this attribute is set to Yes, ports with multiple MAC addresses connected to them are unmanaged, i.e., SWAT is not responsible for them.
Ignore Unknown MAC    Select Yes or No. When No is selected: after receiving a specified
detailed trap, which SWAT could not locate, the MAC address is disconnected immediately.
Disconnect Multi-MAC Interface   When this attribute is set to Yes, ports with multiple MAC addresses connected to them are automatically disconnected. This attribute is not affected by the current run mode.
NOTE
MAC addresses that are disconnected this way are not blacklisted. (This
feature is used to prevent insertion of hubs into the organization's network.)
SNMP Port: The port number for SNMP communication. The default port number is 162; for any other port, enter a value.
Get Community: Get SNMP community for the switch.
Set Community: Set SNMP community for the switch. If none is given, then Get Community is taken as default.
Telnet/SSH User: The Telnet/SSH user name.
Telnet/SSH Password: The Telnet/SSH password.
Telnet Enable Password: The Telnet script for enabling the password.
Port Settings Application: Configures the port through SNMP, Telnet or SSH (see Switch List File on page 117).
[Button] Saves the changes made to the Switch Group form.
[Button] Closes the Switch Group form without saving any changes.
6.3 Switches
Select Switches from the Network Configuration menu to open the Switches
screen and define your required switch-related filtering parameters.
Figure 6-5: Switches screen
Switch Filtering Pane
Use To
Switch Name: Enter the required switch name.
NOTE: You can use wildcards such as (%) or (*) for the switch name.
Switch IP: Enter the required switch IP address.
Switch Group: Add the new switch to the selected switch group.
Run Mode: Select the run mode of the switch. See Run Modes on page 36 for more information.
Permission: Select the permission you want to give to connecting computers:
All: no restriction.
Lock for group: restricted to a defined group.
Lock for switch: restricted to a defined switch.
Lock for port: restricted to a defined port.
Lock for VLAN: restricted to a defined VLAN.
NOTE: Permission is relevant only when the run mode is of the Learn group.
Manager ID: Enter the ID of the manager that is responsible for monitoring the given switch.
Agent IP: Enter the IP address of the agent that monitors the switch.
Agent Port: Enter the port number of the agent that monitors the switch.
Check Frequency: Enter the required interval in minutes between each cycle of discovery, i.e., the process of identifying new MAC addresses in the network. This information is used by the agents.
Disconnect Time: Enter the required number of minutes for which a port is closed when a disconnection is warranted.
[Filter button] Filter according to the IP address entered for the switch.
[Button] Clear the filtering pane (not the results).
Add New Switch Pane
Use To
Switch IP: Enter the IP address of the new switch.
Switch Name: Enter the switch name.
Get Community: Default GET SNMP community for routers and switches.
Switch Group: Add the new switch to the selected switch group.
Run Mode: Select the run mode of the new switch. See Run Modes on page 36 for more information.
Permission: Select the permission you want to give to connecting computers:
All: no restriction.
Lock for group: restricted to a defined group.
Lock for switch: restricted to a defined switch.
Lock for port: restricted to a defined port.
Lock for VLAN: restricted to a defined VLAN.
NOTE: Permission is relevant only when the run mode is of the Learn group.
[Button] Add a new switch.
[Button] Add the switch and open the Switch Form screen. For more information see Switch Forms below.
6.3.1 Switch Filtered Results
After clicking the Filter button, the following switch parameters are displayed:
Parameter Description
Switch Name: The switch name.
Switch IP: The switch IP address.
Switch VLAN(s): The VLAN number(s) of the switch.
Switch Group: The switch group.
SysDescription: The description value taken from the switch.
Last Automatic Check Date: The timestamp of the last MAC address discovery.
Run Mode: The run mode of the switch. See Run Modes on page 36 for more information.
Permission: The permission you want to give to connecting computers:
All: no restriction.
Lock for group: restricted to a defined group.
Lock for switch: restricted to a defined switch.
Lock for port: restricted to a defined port.
Lock for VLAN: restricted to a defined VLAN.
NOTE: Permission is relevant only when the run mode is of the Learn group.
[Button] Loads the Switch List file. For more information see Switch List File on page 117.
[Button] Loads the ports of the selected switches.
[Button] Loads the MAC addresses of the selected switches.
[Button] Opens the Switch Forms, for setting all the attributes of the switch.
[Button] Edits the MAC address permissions for the selected switches and sets them according to the selected permission. See MAC Address Permission Filtering on page 107 for more information.
[Button] Deletes selected switches.
[Button] Exports results to Excel.
6.3.2 Switch Forms
Use the switch form to provide the operational and permission information of
the selected switch. The switch form displays both attributes and inherited
values.
Switch Form: Single Switch
When a single switch is selected the following switch form is displayed:
Figure 6-6: Switch form, one switch selected
Field Description
Switch Name: The name of the switch.
Switch IP: The IP address of the switch.
Group IP: The IP address of the switch group.
Switch SysName: The system name of the switch.
Switch SysDescription: The information found in the switch SysDescription field.
Switch SysObjectID: The system object ID of the switch.
Switch Last Automatic Check Time: The last discovery time of the switch.
Administration Mail: The email address to which warnings are sent.
NOTE: Separate multiple addresses with a comma.
Run Mode: The run mode of the switch. See Run Modes on page 36 for more information.
Permission: The permission you want to give to connecting computers:
All: no restriction.
Lock for group: restricted to a defined group.
Lock for switch: restricted to a defined switch.
Lock for port: restricted to a defined port.
Lock for VLAN: restricted to a defined VLAN.
NOTE: Permission is relevant only when the run mode is of the Learn group.
VLAN Number: The number of the VLAN.
Manager ID: The manager ID that handles the switch.
Agent IP: The IP address of the agent that polls the switch.
Agent Port: The port number of the agent that polls the switch.
Switch Check Frequency (minutes): Polling frequency in minutes.
Disconnect Time (minutes): The time the switch port remains disconnected, in minutes.
Unmanage Multi-MAC Interface: When this attribute is set to Yes, ports with multiple MAC addresses connected to them are unmanaged, i.e., SWAT is not responsible for them.
Ignore Unknown MAC: Select Yes or No. When No is selected: after receiving a specified detailed trap, which SWAT could not locate, the MAC address is disconnected immediately.
Disconnect Multi-MAC Interface: When this attribute is set to Yes, ports with multiple MAC addresses connected to them are automatically disconnected. This attribute is not affected by the current run mode.
NOTE: MAC addresses disconnected this way are not blacklisted. (This feature is used to prevent insertion of hubs into the organization's network.)
SNMP Port: The port number for SNMP communication. The default port number is 162; for any other port, enter a value.
Get Community: Get SNMP community for the switch.
Set Community: Set SNMP community for the switch. If none is given, then Get Community is taken as default.
Telnet/SSH User: The Telnet/SSH user name.
Telnet/SSH Password: The Telnet/SSH password.
Telnet Enable Password: The Telnet script for enabling the password.
Port Settings Application: Configures the port through SNMP, Telnet or SSH (see Switch List File on page 117).
[Button] Saves the changes made to the switch form.
[Button] Closes the Switch form without saving any changes.
Switch Form: Multiple Switches
When multiple switches are selected the following switch form is displayed:
Figure 6-7: Switch form, multiple switches selected
Field Description
Administration Mail: The email address to which warnings are sent.
NOTE: Separate multiple addresses with a comma.
Run Mode: The run mode of the switch. See Run Modes on page 36 for more information.
Permission: The permission you want to give to connecting computers:
All: no restriction.
Lock for group: restricted to a defined group.
Lock for switch: restricted to a defined switch.
Lock for port: restricted to a defined port.
Lock for VLAN: restricted to a defined VLAN.
NOTE: Permission is relevant only when the run mode is of the Learn group.
Switch Group: The switch group.
Manager ID: The manager ID that handles the switch.
Agent IP: The IP address of the agent that polls the switch.
Agent Port: The port number of the agent that polls the switch.
Switch Check Frequency (minutes): Polling frequency in minutes.
Disconnect Time (minutes): The time the switch port remains disconnected, in minutes.
Unmanage Multi-MAC Interface: When this attribute is set to Yes, ports with multiple MAC addresses connected to them are unmanaged, i.e., SWAT is not responsible for them.
Ignore Unknown MAC: Select Yes or No. When No is selected: after receiving a specified detailed trap, which SWAT could not locate, the MAC address is disconnected immediately.
Disconnect Multi-MAC Interface: When this attribute is set to Yes, ports with multiple MAC addresses connected to them are automatically disconnected. This attribute is not affected by the current run mode.
NOTE: MAC addresses disconnected this way are not blacklisted. This feature is used to prevent insertion of hubs into the organization's network.
SNMP Port: The port number for SNMP communication. The default port number is 162; for any other port, enter a value.
Get Community: Get SNMP community for the switch.
Set Community: Set SNMP community for the switch. If none is given, then Get Community is taken as default.
Telnet/SSH User: The Telnet/SSH user name.
Telnet/SSH Password: The Telnet/SSH password.
Telnet Enable Password: The Telnet script for enabling the password.
Port Settings Application: Configures the port through SNMP, Telnet or SSH (see Switch List File on page 117).
[Button] Saves the changes made to the switch form.
[Button] Closes the switch form without saving any changes.
6.4 Switch Ports
Select Switch Ports from the Network Configuration menu to open the
Switch Ports screen and define your required switch port-related filtering
parameters:
Figure 6-8: Switch Ports screen
Port Filtering Pane
Use To
Switch Name: Enter the name of the switch.
Switch IP: Enter the IP address of the switch.
Switch Group: Add the new switch to the selected switch group.
Slot: Enter the switch slot number in which the port is located.
Port: Enter the port number on a given slot.
State: Select the current state of the port: Enable, Disable, Unmanaged, or Uplink. See States below for more details.
Run Mode: Select the run mode of the switch port. See Run Modes on page 36 for more information.
Permission: Enter the permission you want to give to connecting computers:
All: no restriction.
Lock for group: restricted to a defined group.
Lock for switch: restricted to a defined switch.
Lock for port: restricted to a defined port.
Lock for VLAN: restricted to a defined VLAN.
NOTE: Permission is relevant only when the run mode is of the Learn group.
Port Status: Select the port's status: connected or no link.
VLAN(s): Enter the required VLAN.
[Filter button] Filter the switch ports according to the IP address entered in the Switch Port IP field.
[Button] Clear the filtering pane (not the results).
6.4.1 States
The following states exist:
Enable: the port in the switch is open.
Disable: the port in the switch is closed.
Unmanaged: the port is not managed by SWAT.
Uplink: the port is connected to a different switch.
Ports that connect switches are never disconnected. If a new MAC address is
discovered on an uplink port, an alert is also sent in Disconnect mode.
NOTE
SWAT automatically identifies uplinks, providing the switches are
defined through the system.
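The port states above, together with the Multi-MAC, Ignore Unknown MAC and Disconnect Time attributes from the switch and group forms, combine into a per-port decision after each discovery cycle. The following is an added illustration of those rules, not SWAT's own code: the run mode values "Learn" and "Disconnect", which events raise an alert, and which disconnects blacklist a MAC are assumptions taken from the text's references, and the sample MAC addresses are constructed.

```python
from dataclasses import dataclass

# Added illustration (not SWAT code) of the port-handling rules in this
# section. Field names follow the form; the run modes "Learn" and
# "Disconnect", alerting, and which disconnects blacklist are assumptions.

@dataclass
class PortPolicy:
    run_mode: str                       # assumed values: "Learn" or "Disconnect"
    disconnect_time_minutes: int        # Disconnect Time (minutes)
    unmanage_multi_mac: bool = False    # Unmanage Multi-MAC Interface
    disconnect_multi_mac: bool = False  # Disconnect Multi-MAC Interface
    ignore_unknown_mac: bool = False    # Ignore Unknown MAC

def decide(port_state, seen_macs, known_macs, policy):
    """Return (action, alert, blacklisted) for one port after a discovery cycle.

    port_state is Enable, Disable, Unmanaged or Uplink (section 6.4.1);
    seen_macs are the MACs found on the port, known_macs those SWAT has learned.
    """
    seen = {m.lower() for m in seen_macs}
    unknown = seen - {m.lower() for m in known_macs}
    disconnect = f"disconnect {policy.disconnect_time_minutes}m"
    # Uplinks between switches are never disconnected, but a new MAC on one
    # still raises an alert, even in Disconnect mode.
    if port_state == "Uplink":
        return ("none", bool(unknown), False)
    # Unmanaged ports are not SWAT's responsibility; a closed port stays closed.
    if port_state in ("Unmanaged", "Disable"):
        return ("none", False, False)
    # Several MACs on one access port (hub insertion): the Multi-MAC
    # attributes apply whatever the run mode, and nothing is blacklisted.
    if len(seen) > 1:
        if policy.disconnect_multi_mac:
            return (disconnect, True, False)
        if policy.unmanage_multi_mac:
            return ("unmanage", True, False)
    # An unknown MAC is learned in Learn mode; in Disconnect mode it is cut
    # off (and, by assumption, blacklisted) unless Ignore Unknown MAC is Yes.
    if unknown:
        if policy.run_mode == "Learn":
            return ("learn", False, False)
        if policy.ignore_unknown_mac:
            return ("none", True, False)
        return (disconnect, True, True)
    return ("none", False, False)
```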
6.4.2 Switch Port Filtered Results
After clicking the Filter button, the following switch port parameters are
displayed:
Parameter Description
Port Status: The status of the port.
Switch Name: The name of the switch.
Switch IP: The IP address of the switch.
Slot: The switch slot number in which the port is located.
Port: The port's serial number.
If Index: The serial number of the switch port in the switch.
Port State: Shows the current state of the switch port: Enable, Disable, Unmanaged, or Uplink. See States on page 59 for more details.
VLAN(s): The number of VLANs.
Run Mode: The run mode of the switch. See Run Modes on page 36 for more information.
Permission: The permission you want to give to connecting computers:
All: no restriction.
Lock for group: restricted to a defined group.
Lock for switch: restricted to a defined switch.
Lock for port: restricted to a defined port.
Lock for VLAN: restricted to a defined VLAN.
NOTE: Permission is relevant only when the run mode is of the Learn group.
[Button] Opens the drop-down list box, enabling you to select the required state of the switch port: Enable, Disable, Uplink or Unmanage.
[Button] Sets the selected state.
[Button] Edits the MAC address permissions for the selected switches and sets them according to the selected permission. See MAC Address Permission Filtering on page 107 for more information.
[Button] Opens the Switch Port Forms (see below).
[Button] Opens the VLAN Number dialog box for you to set the filtered interfaces' VLANs.
[Button] Deletes the selected switch ports.
[Button] Exports results to Excel.
Go: Defines the number of lines displayed per page in the filtered results.
6.4.3 Switch Port Forms
The switch port form includes informational parameters and attributes that
determine its security mode. Most of the parameters are inheritable.
Switch Port Form: Single Switch Port
When a single switch port is selected the following switch port form is displayed:
Figure 6-9:
Figure 6-10: Switch Port form, one switch port selected
Field Description
Switch Name: The name of the sw