Optional - Configure Device Profiling/Visibility

Configure Profiling and Visibility

This section describes how to configure SafeConnect Essentials to profile devices attached to the network for desired network subnets.

This section assumes that administrators have completed all the required steps on the NetworkIntegrationSteps page or the SafeConnect Layer 3 Integration page (for Layer 3 integrations only).

The steps below are not required for 802.1X/WPA2E Authentication, MAC authentication or Initial VLAN Assignment. They are only required for Device Profiling/Visibility.

Configure DHCP Syslog

SafeConnect processes DHCP syslog exported from DHCP servers to correlate IP and MAC addresses in real time. The DHCP Syslog configuration is in the Configuration Manager under Network Inputs.

Select the appropriate DHCP vendor from the drop-down list.

Figure: DHCP Syslog

Once vendor and IP are configured, click the Add button to add the server to SafeConnect. Instructions for configuring the server to export syslog to SafeConnect are located below the Add button.
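To show what IP/MAC correlation from DHCP syslog involves, here is an added example (not SafeConnect's own code) that builds a live IP-to-MAC table from lease messages and restricts it to profiled subnets. It assumes ISC dhcpd message wording; the function name, sample lines and the 10.20.30.0/24 subnet are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# ISC dhcpd message shapes (assumed vendor; other servers log differently).
ACK = re.compile(r"DHCPACK on (\S+) to ([0-9A-Fa-f:]{17})\b")
REL = re.compile(r"DHCPRELEASE of (\S+) from ([0-9A-Fa-f:]{17})\b")

def correlate(lines, profiled_subnets):
    """Build the live IP-to-MAC table for profiled subnets and note changes."""
    nets = [ip_network(n) for n in profiled_subnets]
    bindings, events = {}, []
    for line in lines:
        ack, rel = ACK.search(line), REL.search(line)
        m = ack or rel
        if not m:
            continue
        try:
            ip = ip_address(m.group(1))
        except ValueError:
            continue                      # malformed address: ignore the line
        if not any(ip in n for n in nets):
            continue                      # subnet not defined for profiling
        ip, mac = str(ip), m.group(2).lower()
        if ack:
            old = bindings.get(ip)
            if old and old != mac:        # same IP now leased to another device
                events.append(("ip_reassigned", ip, old, mac))
            bindings[ip] = mac
        elif bindings.get(ip) == mac:     # a release only counts from the holder
            del bindings[ip]
            events.append(("released", ip, mac, None))
    return bindings, events

# Constructed sample lines, not captured from a real server.
SAMPLE = [
    "May 21 15:41:16 dhcp1 dhcpd[812]: DHCPACK on 10.20.30.41 to 3c:22:fb:aa:01:02 (lab-laptop) via eth0",
    "May 21 15:41:20 dhcp1 dhcpd[812]: DHCPACK on 192.168.99.7 to 00:11:22:33:44:55 via eth0",
    "May 21 15:52:10 dhcp1 dhcpd[812]: DHCPACK on 10.20.30.41 to 3C:22:FB:AA:09:09 via eth0",
    "May 21 15:55:02 dhcp1 dhcpd[812]: DHCPRELEASE of 10.20.30.41 from 3c:22:fb:aa:09:09 via eth0 (found)",
    "May 21 15:56:00 dhcp1 dhcpd[812]: DHCPACK on 10.20.30.42 to 3c:22:fb:aa:01:02 via eth0",
]

if __name__ == "__main__":
    table, changes = correlate(SAMPLE, ["10.20.30.0/24"])
    print(table)
    print(changes)
```

The `ip_reassigned` event is the case that makes real-time correlation matter: without it, activity from the new holder of an address would be attributed to the previous device.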

Configure DHCP Device Identification

SafeConnect examines DHCP requests forwarded by DHCP relay agents to help with device fingerprinting. SafeConnect does not respond to DHCP requests and does not act as a DHCP server; the requests are used for identification purposes only. The DHCP Device Identification configuration is in the Configuration Manager under Network Inputs.
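The following added example (not SafeConnect's own code) shows what a passive listener can read from a relayed DHCP request without ever answering it: the relay address, the client MAC and the options commonly used for fingerprinting. Treating options 12, 55 and 60 as the fingerprint inputs is an assumption, since the page does not say which fields SafeConnect uses; the function names and sample packet are constructed.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie (RFC 2131)
WANTED = {12: "hostname", 60: "vendor_class"}  # assumed fingerprint inputs

def parse_dhcp_request(payload: bytes) -> dict:
    """Pull relay address, client MAC and fingerprint fields from a BOOTREQUEST."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    if payload[0] != 1 or payload[1] != 1 or payload[2] != 6:
        raise ValueError("not an Ethernet BOOTREQUEST")
    out = {"giaddr": str(IPv4Address(payload[24:28])),  # relay that forwarded it
           "mac": payload[28:34].hex(":"),
           "msg_type": None, "hostname": None, "vendor_class": None,
           "param_list": ""}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # End option
            break
        if code == 0:              # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d overruns the packet" % code)
        if code == 53 and length == 1:
            out["msg_type"] = value[0]
        elif code == 55:           # parameter request list, order preserved
            out["param_list"] = ",".join(str(b) for b in value)
        elif code in WANTED:
            out[WANTED[code]] = value.decode("ascii", "replace")
        i += 2 + length
    return out

def build_sample() -> bytes:
    """Constructed DHCPREQUEST as a relay at 10.20.30.1 would forward it."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 1, 0x1234ABCD,
                         0, 0, bytes(4), bytes(4), bytes(4), bytes([10, 20, 30, 1]),
                         bytes.fromhex("3c22fbaa0102"), bytes(64), bytes(128))
    options = (bytes([53, 1, 3]) + bytes([12, 10]) + b"lab-laptop" +
               bytes([60, 8]) + b"MSFT 5.0" + bytes([55, 4, 1, 3, 6, 15]) + b"\xff")
    return header + MAGIC + options
```

Hostname and vendor class are client-supplied and can be set to anything, so they are useful as profiling hints rather than as proof of device identity.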

Choose the appropriate vendor and expand the section for instructions on how to forward DHCP requests as seen in the example below.

Add desired subnets to SafeConnect for Profiling/Visibility

With the network integration tasks all completed, the next step is to define the desired subnet(s) in SafeConnect. Adding a Subnet Definition in SafeConnect is required for any subnet to be examined for Profiling/Visibility. Subnet Definitions can be added in the Configuration under Enforcement Setup.

To add a new subnet, click on Enable Configuration Mode and then click Add New Subnet.

Figure: Define Network Subnets

Select the appropriate device from the Enforcement Device drop-down menu and fill out the remaining fields, then click the Add button followed by the Commit Changes button. The Enforcement Device will be RADIUS for Layer 2 integrations or a Layer 3 switch/router for Layer 3 integrations.

Figure: New Subnet Mappings

Next, click Disable Configuration Mode. The newly added subnet should show up in the list.

With the Subnet Definition added, the next step is to create a policy in SafeConnect. The purpose of the policy is to add the previously configured subnets to the system for Profiling/Visibility. Policies are configured in the Policy Manager portion of the SafeConnect UI.

Once in the Policy Manager, select Qualifiers from the Qualifiers Menu drop-down list.

Figure: Qualifiers Menu, Qualifiers

Create a subnet qualifier by clicking on the Subnet tab and filling in the network address under the IP address field, adding an optional description and clicking the Save button.

Figure: Qualifiers Menu, Subnets

To add the newly created Qualifier to a Qualifier Set, select Qualifier Set from the Qualifiers menu.

Figure: Qualifiers Menu, Qualifier Set

Give the Qualifier Set a name and highlight the new subnet qualifier in the left (Available) window.

Click the right arrow to move the new subnet qualifier to the right (Selected) window and click Save.

To add the Qualifier Set to a Qualifier Container, select Qualifier Container from the Qualifiers Menu.

Figure: Qualifier Menu, Qualifier Container

Give the Qualifier Container a name. With the Machine Types and Networking checkboxes checked, highlight “All host types” and the newly created Qualifier Set and move them to the Selected window.

Figure: Sandbox-Qualifier-Container

With all of the qualifying configuration complete, the next step is to create a Policy Group. Select Policy Group from the Policies Menu.

Give the Policy Group a name, select the Qualifier Container created in the previous step from the drop-down list, click Save and then click Apply and Use.

To review the configurations, select Overview, expand the Policy Group and verify the data is correct.

Figure: Overview

Test with endpoint to validate Profiling/Visibility

With all configuration tasks completed, a test endpoint device can be connected to the test subnet. The SafeConnect Device Manager section of the UI is used to verify the status of online devices.

After an endpoint is connected to the test subnet and obtains an IP address, it should show up in the Device Manager in SafeConnect. Click on the IP address or MAC address to view device details.

Figure: SafeConnect Devices

The endpoint will also now show up as compliant with policy in Device Manager.

Figure: Device Details

This concludes the steps required to configure and test Profiling and Visibility and completes the features available in SafeConnect Essentials. SafeConnect Essentials is the base product in the SafeConnect family of products. For information on the additional features available in SafeConnect Core and SafeConnect Enterprise, please visit the links below.

SafeConnect Standard Configuration Guide

SafeConnect Enterprise Configuration Guide