Chapter 1: Introduction

Indeni offers the first proactive root cause analysis solution for network devices, designed to cut setup and administration time, lower costs, and ensure a stable, secure network. It is the first truly proactive system that:

  • Automatically identifies known devices.
  • Correctly identifies proper settings for known devices, cutting deployment time to five minutes or less.
  • Understands and analyzes thousands of parameters and compares settings in relation to each other.
  • Measures traffic throughput and flags approaching maximums.
  • Determines whether devices are partly or wholly functional or dead and, if non-functioning, identifies the cause and suggests remedial actions.
  • Flags the administrator when an error is seen, via alerts which can be forwarded by SNMP, email or pager.
  • Allows priority analysis of chosen critical parameters so that potentially severe problems can be flagged and dealt with first.

This user guide provides detailed instructions for installing and using Indeni. Additional support is available at www.indeni.com/support.

Requirements

This guide is for technical users with a strong working knowledge of networking and network security administration. Users should be able to set up network devices on their own (Cisco routers, Check Point firewalls, etc., as the case may be) and be familiar with how to use the command line interface (CLI) for the chosen software.

Server Requirements

Indeni supports virtual servers such as VMware. Please contact Indeni support if you have questions regarding your virtual environment. The following server requirements rely on a parameter N, which represents the number of network devices you plan to analyze with Indeni.

  • CPU: 64-bit capable CPU (minimum of 2 cores, plus one additional core for every 20 devices in N)
  • Hard drive: 170GB + (2GB * N). For example, for 10 devices, a total of 190GB is required.
  • RAM: 50MB times N + 2GB, with a minimum of 4GB. For example, for 50 devices a total of 4.5GB is required. For a production setup, Indeni requires the use of at least 4GB.
  • Connectivity: the server should be able to access all of the required devices via TCP/IP. The server will also need Internet access to retrieve software updates; updates can also be retrieved via an HTTPS proxy.

The installation file includes 64-bit Ubuntu 14.04 with the required packages, so there is no need to pre-install anything on the designated physical or virtual server.

NOTE: The server must be connected to a local network during the OVA installation. Lack of connectivity may result in the setup script hanging during network configuration. If it’s not possible to connect to the network, please contact support@indeni.com.

Web User Interface Access Requirements

The Indeni GUI is accessible via Web UI. Supported Internet browsers include: Microsoft Internet Explorer, Mozilla Firefox and Google Chrome. The browser’s pop-up blocker needs to be disabled.

NOTE: Experience shows that Google Chrome has the best performance of the above listed browsers and should be preferred.

Indeni can analyze both local and remote network devices over VPN or directly, providing you with a complete and comprehensive view of your network deployment at a global level.

Analyzed Device Requirements

If communications between the user workstations and Indeni and/or the communications between Indeni and the analyzed devices pass through a firewall, please allow the following:

Traffic from the user workstations to Indeni on the following ports:

  • SSH (TCP 22) – Allows SSH access to the Indeni device’s operating system.
  • HTTPS over TCP 8181 – Nonstandard port used for accessing the Indeni Web UI from users’ workstations.

Traffic from Indeni to the analyzed devices:

  • All Supported Devices (Advanced Analysis):
      • SSH (TCP 22) – Used for collecting information from the analyzed devices.
      • HTTPS (TCP 443)
      • Ping (ICMP Echo) – Devices are pinged regularly by Indeni to ensure they are responding. Note: the ping test can be deactivated in the individual device’s configuration at the Monitored Devices sub-tab under Settings.

Chapter 2: Installation

As stated in the previous section, Indeni runs on a virtual server or on a physical server.
Users will need to download the latest version of Indeni from www.indeni.com.

Installations on Virtual Machines

The Indeni OVA is used for deploying the system in virtualization environments as a virtual appliance.

  1. To access the download, please contact your Indeni Account Manager.
  2. Supply the downloaded OVA to your virtualization environment’s administrator for deployment.

Configuring the Indeni virtual appliance

Log into the VMware interface, such as vSphere Web Client, and select “Deploy OVF Template”.

Configure Indeni VMware

Select the OVF file and proceed to run the wizard.

Indeni Wizard

The wizard will ask for the:

  1. Name and folder of the new VM
  2. VMware resource to use for the VM
  3. Storage device
  4. Relevant network to attach the VM to (see below)

Setup Indeni VMware

After clicking on Finish, wait for the OVA deployment to complete.

Deploy Indeni

Use the VMware interface to power up the VM and access its console. The initial login will present a wizard to configure the device’s apt-get proxy, static IP, NTP server, time zone and hostname.

The “apt-get proxy” should be configured if this VM is required to access the Internet via a proxy, instead of directly. “apt-get” is used to update the Indeni software installed on the VM.

Indeni VMware apt-get proxy

Logging in to the System – Console

You can log in to the system after reboot, as shown in the previous section:

  • Username: XXXX
  • Password: XXXX

In production environments, it is highly recommended that users change the default password, using the passwd command.

Logging in to the System – Web Interface

  1. Open a browser window
  2. Access Indeni’s web dashboard at: https://:8181/
  3. Substitute your server’s IP address for (example: https://10.3.1.87:8181/).
  4. Log in to the Indeni web dashboard:
    Username: XXXX
    Password: XXXX

Indeni Login Screen

Chapter 3: Technical Overview

All major functions within Indeni are accessed from the tabs at the top of the dashboard. They include:

  • Operations Management
  • Tools
  • Settings

These tabs are available from all main screens within Indeni. The functionality of each one is described in this chapter.

Operations Management

The Operations Management tab allows users to quickly add and configure new devices as well as view all current and archived alerts. Once devices have been added to the system, the screen for this tab provides at-a-glance information regarding alerts relating to each device, with rollover access to detailed information for each alert. Use the sub-tabs within this window (Alerts, Analysis, Knowledge Management, and Alert Archive) to access further functionality as described on the next page.

Indeni Operations Management Tab

The Add Device button shown in the Monitored Devices panel on the left side of the screen is accessible only from this window.

Use the black arrow beside each device group in the Monitored Devices panel to expand or collapse the display for more alert information related to individual devices.

The sub-tabs in the Operations Management tab provide full access to all information and configuration settings related to alerts generated by Indeni:

Alerts

This tab displays all current alerts as well as the complete list of all analyzed devices and their associated alerts. Users can add devices, filter and search for alerts, and export alert data in several formats (pdf, csv, and xml).

Analysis

The Analysis tab provides the ability to visually track critical metrics over time. These metrics are correlated with the alerts that were issued at the relevant time.

Knowledge Management

Users have full control over how indeni handles alerts for each device. This screen provides a full list of alert categories and access to configuration settings by alert and by device.

Alert Archive

Acknowledging alerts moves them from the Alerts list to the Alert Archive list. This screen allows quick access and filtering tools to search for specific archived alerts by date, device, or alert type.

Complete functionality for the Operations Management tab is described in Chapter 5: Operations Management.

Tools

The Tools tab allows users to Search for information in indeni’s internal database, explore the device’s Live Configuration and export data from devices for further Troubleshooting.

Indeni Tools Tab

Live Configuration

Users may instantly view the actual configurations on the analyzed devices using the Live Configuration sub-tab. The information presented by Indeni contains both software and hardware data and is clearly presented in a table format.

Settings

The Settings tab includes a wide range of functions using the sub-tabs.

Indeni Settings Tab

Monitored Devices

Add and configure devices from this sub-tab, which functions identically to the Add Device button under Operations Management. Clicking on any device listed provides full access to its settings.

Integration

From this sub-tab, users can add SNMP masters for sending indeni alerts directly to existing systems (such as NMSs) as well as add Syslog and SMTP servers.

Users

Add or delete users, set passwords, designate permissions, and allocate specific groups of devices to specific users from this sub-tab.

Licenses

On this sub-tab, Indeni displays the current state of user licenses, whether valid or expired. Users can also use this sub-tab to upload new licenses or download license details.

Chapter 4: Getting Started

To begin using Indeni, users must first add at least one device for the system to analyze. By default at installation, the system has one user with a default login and password.

Managing Users

Indeni assigns administrator privileges by default to all users logged into the system. To add new users, set passwords, assign email contact information, and modify permissions for each person to be allowed access to the system, select the Settings tab, and then the sub-tab Users.

NOTE: If more than one user is to access the Indeni Web UI at one time, then additional users must be created. Indeni will not allow concurrent users to have the same login.

Adding a User

  1. Click the Add User button under Defined Users on the left side of the screen.
  2. In the dialog box, type a user name and select OK.

Indeni displays the Selected User’s Details screen with additional fields as shown. Indeni does not allow renaming the individual user. If a mistake was made when entering the username, the administrator must use the Delete User button at the top of the screen to delete the user. Re-add the user with the correct name. Usernames are case sensitive.

  1. Set the user’s password. Indeni requires the use of strong passwords. Passwords must be at least eight characters long and use both alphabetic and numeric characters.
  2. Passwords are case sensitive.
  3. Enter the individual’s email settings and the SMTP server.
  4. Assign permissions appropriate to this user.
  5. Choose the Groups this user will be allowed to view/manage.
  6. Scroll down to the bottom of the screen and select Save. The Defined Users list on the left now displays the new users added to the system.

Adding Devices to the System

To begin using Indeni to manage and analyze network devices, recognized users must add devices to the system. This is a fast and easy process.

Check Point

GAiA
Adding a User to GAiA via the Portal

  1. Log in to the Web UI.
  2. Navigate to User Management -> Users
  3. Select the ADD button in the viewing pane.
  4. Add a user and select OK. Be sure to select the /bin/bash shell and the adminRole.

Check Point GAiA Indeni

NOTE: Check Point R80 Management Web UI screenshot below.

Check Point R80 Indeni

Adding a User to GAiA Through CLI

To add the indeni user via the CLI, use the following commands (clish commands are lowercase):

  clish
  add user indeni uid 0 homedir /home/indeni
  set user indeni gid 100 shell /bin/bash
  add rba user indeni roles adminRole
  set user indeni password
  save config
  exit

61000 Security System

Please follow the “Adding a User to GAiA Through CLI” instructions above.

Provider-1/MDS/MDM – GAiA

  1. Add the user as described above for the relevant OS.
  2. In the Indeni UI, add the MDS first.
  3. After the MDS is successfully added, add the CMAs/domains you would like to analyze. Ideally, these would be the CMAs/domains that manage the firewalls you have set Indeni to analyze.

Check Point running Embedded GAiA

  1. Login to the Embedded GAiA device via CLI
  2. Type “expert” to enter expert mode
  3. Run: bashUser on

Cisco

Nexus Switches

To add a local user:

username user-id [ password password ] [ expire date ] [ role role-name ]

The role can be network-operator, which has complete read access to the Nexus switch. Refer to the relevant configuration guide for further information: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/sec_rbac.html

F5 BIG-IPs

In the Web UI, navigate to System -> User

NOTE: For more information about why administrative privileges are needed, please refer to this article: http://indeni.com/how-to-select-script-monitoring-authentication-types/

Please note that when using the local admin account, SSH access must be configured manually, as it is not enabled by default.

Palo Alto

Add a user with Role “Superuser” (can be “read-only”)

Palo Alto Super User Indeni

Adding a Device in the Web UI

Once a user has been designated, click on Add Device at one of these locations:

  • Operations Management tab
  • Monitored Devices sub-tab in the Settings tab.

Add any device Indeni

Indeni supports adding multiple devices at once. If two or more devices are to be added at once, add additional device lines as needed by clicking the “ADD DEVICE” button in the dialog box. Delete unneeded blank boxes by clicking the “X” symbol.

Supply the device name and IP address for each device to be added. For example:
Device Name: Cluster_Member1
IP: 10.3.1.88

You can choose from three options: Add New Device, Add Known Device, and Upload List of Devices. Users should add all devices that are not known first, and then known devices (see next section), to build a complete list before setting credentials.

Add multiple devices Indeni

Upload List of Devices

Using the third option, Upload List of Devices, allows users to quickly upload a CSV file listing all known user devices to be added. indeni will analyze the file and allow the user to review the results and decide whether to proceed or not. The format of the CSV file is simple: it should only contain lines of the following format: DEVICE NAME, DEVICE IP.
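The following is an added example (not part of indeni) showing how to validate a device-list CSV in POSIX shell before uploading it, so that a malformed line is caught locally rather than rejected after upload. It assumes the format described above (one "DEVICE NAME, DEVICE IP" pair per line, IPv4 addresses) and uses a constructed sample file.

```shell
# Validates a device-list CSV for "Upload List of Devices".
# Added example; assumes each line is "DEVICE NAME, DEVICE IP" with an IPv4 address.

# is_ipv4 ADDR: returns 0 when ADDR is a dotted quad with every octet in 0..255.
is_ipv4() {
  addr="$1"
  case "$addr" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and dots only, no empty octets
  esac
  oldifs="$IFS"; IFS=.
  set -- $addr                          # split on dots into positional parameters
  IFS="$oldifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# trim STR: strips leading and trailing whitespace.
trim() {
  printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# validate_device_list FILE: prints one diagnostic per bad line to stderr and
# the number of bad lines to stdout; returns 0 only when the file is clean.
validate_device_list() {
  file="$1"
  bad=0
  lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    line=$(printf '%s' "$line" | tr -d '\r')   # tolerate Windows line endings
    [ -n "$line" ] || continue                  # skip blank lines
    case "$line" in
      *,*,*) echo "line $lineno: more than one comma: $line" >&2
             bad=$((bad + 1)); continue ;;
      *,*)   ;;
      *)     echo "line $lineno: missing comma: $line" >&2
             bad=$((bad + 1)); continue ;;
    esac
    name=$(trim "${line%%,*}")
    ip=$(trim "${line#*,}")
    if [ -z "$name" ]; then
      echo "line $lineno: empty device name" >&2
      bad=$((bad + 1)); continue
    fi
    if ! is_ipv4 "$ip"; then
      echo "line $lineno: '$ip' is not an IPv4 address" >&2
      bad=$((bad + 1))
    fi
  done < "$file"
  echo "$bad"
  [ "$bad" -eq 0 ]
}

# Usage: sh validate_devices.sh devices.csv
if [ -n "${1:-}" ]; then
  validate_device_list "$1"
fi
```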

Upload list of devices Indeni

Choosing Credentials

Once all devices have been added, use the appropriate radio button to supply the proper credentials for these devices. indeni supports two methods of doing so under Credentials to Use: SSH (Advanced Monitoring) and SNMP (Standard Monitoring).

Choose Credentials Indeni

SSH (Advanced Monitoring):

Supply the SSH login details for the user added previously. For example:

SSH Username: XXX

SSH Password: XXXX

You may use an SSH Key, which replaces the need for a password. Clicking on this activates a text box that you can paste the SSH key into. If the key file is encrypted, an SSH Passphrase is also required. The password requirement depends upon the type of key file used.

NOTE: When using SSH RSA keys for authentication, you must make sure that, on the device indeni is connecting to, the authorized_keys file is writable only by the user (mode 755 for ~/.ssh and mode 600 for ~/.ssh/authorized_keys).
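As an added example (not indeni's own tooling), a small POSIX shell check that can be run on the analyzed device, against the ~/.ssh directory of the user created for indeni, to confirm the permissions the note above requires. It assumes ls and cut are available on the device and reads the mode column of "ls -ld".

```shell
# Checks that a ~/.ssh directory and its authorized_keys file carry the permissions
# needed for SSH key authentication: the directory is not writable by group or
# others (mode 755 as in the guide), and authorized_keys is mode 600.
# Added example; not part of indeni.

# perm_string PATH: the 10-character mode column from "ls -ld", e.g. "drwxr-xr-x".
perm_string() {
  ls -ld "$1" | cut -c1-10
}

# check_ssh_key_perms DIR: returns 0 when DIR and DIR/authorized_keys are acceptable,
# 1 otherwise, printing the reason and the fix.
check_ssh_key_perms() {
  dir="$1"
  keys="$dir/authorized_keys"
  [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }
  [ -f "$keys" ] || { echo "missing file: $keys"; return 1; }
  dperm=$(perm_string "$dir")
  kperm=$(perm_string "$keys")
  # In the mode string, character 6 is group write and character 9 is other write.
  case "$dperm" in
    ?????w????) echo "$dir is group-writable ($dperm); chmod 755 $dir"; return 1 ;;
    ????????w?) echo "$dir is world-writable ($dperm); chmod 755 $dir"; return 1 ;;
  esac
  # authorized_keys must be exactly -rw------- (mode 600).
  case "$kperm" in
    -rw-------) ;;
    *) echo "$keys has mode $kperm; chmod 600 $keys"; return 1 ;;
  esac
  echo "OK: $dir ($dperm), authorized_keys ($kperm)"
  return 0
}

# Usage: sh check_ssh_key_perms.sh /home/indeni/.ssh
if [ -n "${1:-}" ]; then
  check_ssh_key_perms "$1"
fi
```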

Click Add, which simultaneously adds the defined devices and stores the chosen analysis method and credentials. The system will attempt to connect to the new devices using the credentials provided. indeni will gather as much information as it can to determine what the new devices are and what analysis should be conducted.

This includes:

  • Operating System (Nexus, GAiA, BIG-IP, Secure Platform, etc.)
  • Products (Routing, Switching, Load Balancing, Firewall, VPN, IPS, Management, etc.)
  • Version
  • Relationships between devices (such as relationships between cluster or device group members)

Indeni re-validates its conclusion every few minutes. If there is a change in the device (for example, products added/removed, change of version) the system will automatically adapt.

Vendor Specific

Some vendors that Indeni supports require additional credentials or specific settings in order to allow indeni to access certain information. This is provided using the Vendor Specific section of the Add Device box.

Cisco Indeni credentials

Editing Devices

Administrators can also adjust settings for devices which have been added to the system using the Settings tab at the top of the screen and then the Monitored Devices sub-tab. Configuration settings for all other objects which are not the analyzed devices (such as SNMP, SMTP, and Syslog servers) can be accessed from the Integration sub-tab under Settings.

Chapter 5: Operations Management

The Alerts Sub-Tab

Indeni was designed to simplify management of networks and to free an administrator’s time for business initiatives rather than endlessly chasing network issues. Using the power of Indeni to analyze devices and resolve alerts lies at the heart of the system’s usefulness.

The Alerts tab displays all alerts noted by the system under the Current Alerts pane.

Even when the issue has been successfully resolved, the alert will remain on the display until the user acknowledges and archives the resolved alert, or chooses to show only unresolved alerts. Resolved alerts are marked as “RESOLVED:”.

Monitored Devices

Indeni displays all devices by name under Monitored Devices.

Indeni Monitored Devices Tab

As noted in Chapter 4, the left panel of the Monitoring tab displays all devices currently being analyzed by Indeni. Use the View button on the left to toggle between displaying devices by cluster, type, or management hierarchy. Use the orange arrow to edit or filter alerts for individual devices or groups of devices. The Search field allows users to search for devices by any portion of a device name.

Current Alerts

The checkboxes in the left column of this portion of the screen allow users to manage multiple alerts.

  • Use the topmost checkbox (in the header row) to check or uncheck all boxes at once or to select those for the current page only.
  • Use the small, black down arrow beside the box to adjust selections as shown below.
  • Click “None” or click the box again to uncheck all selections.

The View button and the Search box above the list of alerts can be used to filter the alert list or to search for a particular alert ID. The Freeze toggle button halts the automatic update of the list of alerts.

Indeni Current Alerts Tab

Searching Alerts

The Search box in the Current Alerts pane supports searching for alerts associated with certain devices using the device name or IP address, searching for an alert ID, or searching for text within alert headlines and descriptions.

  • To display alerts for a particular device, type the device name in the Search field. (You can also click on the orange circle to the right of the device name in the Monitored Devices section to display alerts for that device only.)
  • To display a particular kind of alert, type the desired parameter in the Search field.
  • To search for text, type a text string. For example, typing “R60SMC” in the Search field will display alerts for all R60SMC members. Clearing the field restores the entire list.

Filtering Alerts

To filter alerts, use the orange arrow next to its name in the Monitored Devices display and choose Filter Current Alerts from the pop-up menu.

Note that the screen view on the next page displays alerts only for IPSO, IP address 10.3.3.56.

Indeni Filtering Alerts

Use the checkbox to the left of the ID field to check or uncheck all filtered alerts at once.

Columns and Functionality

To adjust the width of individual columns on the screen, select the Columns… option on the View flyout:

Filter Indeni Alerts

Use the checkboxes to select which columns to display. Alternatively, right-click on any column header to access this menu.

Severity

This column displays a colored flag for each alert. Colors range from red to blue to distinguish critical warnings from less severe alerts. This allows users to find and resolve alerts most likely to cause imminent downtime and to visually assess the type of alert and remedial action required.

The Monitored Devices list also displays the current state of the device itself using the icons shown here. If a device has other alerts, it will indicate the number and type using text colors corresponding to the flags (blue for Info, etc.).

Monitor Device Alerts Indeni

By default, Indeni displays alerts as they occur.

  • To quickly sort by severity, click the View button above the Device column.
  • Click on or off any of the alert categories in the flyout box shown on the next page (only one option can be selected at a time) and Indeni will display only that information. For example, if you do not wish to see resolved alerts, click Unresolved Only. Indeni will only display alerts the system has not yet resolved or could not automatically resolve.

Indeni alert unresolved

Indeni also provides a fast and convenient listing of each device’s individual alerts under its name in the list of Monitored Devices on the left. This provides at-a-glance status for each device. Critical status only appears if the device is truly unresponsive or Indeni is having trouble analyzing it; otherwise the Okay symbol will be shown even if there are alerts for this device. The user can see that the device, while still functional, has errors and can investigate and correct them as required.

ID: Indeni assigns a unique number to each alert as it occurs. By default, alerts display in descending order of severity and by date modified.

Device: This column displays the device name assigned to each device for which an alert has been flagged.

Headline: This column displays the actual alert information: a brief description of the condition indeni has observed as well as its status.
In this column by default, each alert in the list displays in the “collapsed“ or at-a-glance mode, showing just the summary headline for the alert.

Last Update: This column allows users to further refine the displayed list of alerts by date range.

  1. Click the Filter icon in the column header.
  2. Click inside each blank field box to display a calendar.
  3. Choose the date range for the alerts you want to display and then click Apply
  4. To filter within a particular day, change the hour settings after the date in both the From and To fields to display alerts within a specified time range.
  5. Click Clear to clear the previous criteria. This will restore the entire list of alerts.
  6. To quickly sort alerts in ascending or descending order by date, click on the column name. A yellow arrow will appear. Click on it to sort the alerts.

Indeni filter by date

Reviewing Alert Details

To expand an alert to show its details, click on any headline. In the expanded detail, information is categorized in several ways:

  • Description: A general overview and explanation of the problem.
  • Custom Notes: Gives users the option to add their own notes to a specific signature or to a specific group.
  • Manual Remediation Steps: indeni’s recommendation for how to manually correct the problem.
  • Notes and History: A summary of when the alert has been created, resolved, or remains unresolved, along with any notes which were added to the alert by using the blue “Append note” link.

Indeni Remediation Steps

Indeni constantly updates unresolved alerts. You can freeze the display to stop the system from updating content for the current alerts by toggling the Freeze button (click the button again to resume updates).

Resolving Alerts

Indeni can flag certain errors and offer suggestions on how to resolve issues manually.

Each Headline message, when expanded, tells the user if an error can be resolved or not, and what the recommended manual action should be.

Click on the alert to expand it and read the details provided by Indeni for resolution. If hyperlinks are included, clicking on those will provide more information on the alert and the process for remediating the issue.

Resolve Alerts Indeni

Using the Resolve Button

Indeni provides a Resolve button above the Headline column to assist users in resolving alerts. It is enabled when at least one visible alert is checked. Clicking on the Resolve button gives the user several options, from acknowledging and archiving an alert to manually changing configuration settings for the device in question. Note that the Resolve button will not activate unless an alert is checked, not just highlighted.

Clicking on the Resolve button produces a flyout menu with the options shown on the next page:

Acknowledge Alerts Indeni

NOTE: Functions on the Resolve menu vary by the type of alert, as well as whether or not multiple alerts were selected or not. For instance, “Stop Alerting for this Device” may not be an option for all alerts.

  • Acknowledge Selected Alerts: Selecting this option archives the alert in the Alert Archive and removes it from the list. Resolved alerts which have been reviewed by an administrator should be acknowledged in order to leave only the active alerts present in the current alert list. To do so, click on the Resolve button and then select Acknowledge Selected Alerts.
  • Stop Alerting for this Device: Selecting this option will prevent indeni from flagging this particular error on this device. It does not block flagging of other errors for this device.
  • Check Alert Configuration for this Device: This option allows users to quickly review and edit alert settings for a particular device.
  • Review Device Configuration: This option quickly takes the user to the configuration screen for this device to check and/or change settings that might be causing the error.
  • Advanced: This option provides several choices, from configuring default parameters to halting alerts on selected devices. It allows the user to either stop alerting for a particular error on one device only, or to prevent indeni from flagging this error on all analyzed objects.

Advanced Alerting Indeni

Resolving Multiple Alerts

Use the checkboxes in the far left column of the Monitoring tab to archive multiple Resolved alerts at once.

  • Check the box for each alert you want to archive.
  • Click the Resolve button and select Acknowledge Selected Alerts to archive these alerts.

Annotating Alerts

Each individual alert issued by Indeni can be manually annotated by users, allowing them to communicate among themselves regarding specific alerts, as well as noting down observations and actions to be taken. Indeni automatically populates the notes with major status changes of the alert such as when it was created, when it was deemed resolved, and when it was acknowledged.

Appended notes pertain solely to the alert they were added to, and not to future or other instances of the same issue in other devices. If you would like to add notes to all future alerts issued for a certain issue, add Custom Notes to the configuration of the alert.

To append a note to an alert:

  1. Click on the alert to expand it.
  2. Scroll to the bottom of the expanded details to Notes and History.
  3. Click Append note. Indeni will display a dialog box.
  4. Type your note text in the box and click Append to save it permanently to the alert’s details.

Notes pertain to the alert for an individual device; they do not appear in an identical alert for a different device.

Append Note Indeni

The Analysis Tab

The Analysis tab allows users to graph certain metrics over time, view historical values and correlate the data with alerts issued by Indeni.

Indeni Reporting Analysis

The analysis tab allows for easy control of the data that is presented:

  • At the top left, you can select the timeframe the data should be presented for.
  • At the bottom left, under Choose Parameters, you can choose one or more parameters to display on the graph.
  • At the bottom right, you may choose whether or not to show alert flags on the graph. These appear as “lollipops” at the bottom of the graph.

To export the data, use the buttons at the top right of the view.

Using Signatures in Alerts

To set how a particular alert should be managed, use the Knowledge Management sub-tab under Operations Management. The screen below lists every type of alert Indeni can identify. This list is updated and expanded regularly.

Indeni Communication Preferences

Managing the Signatures

The Alerts Within Category section of the Knowledge Management sub-tab allows users to quickly adjust settings for each type of alert.

  • Name: Individual alert descriptions are provided in the first column, identifying what indeni can observe. This column is informational only.
  • Default Settings for Alert: This allows users to choose how alerts will be flagged. Some alerts you may want to simply log; others are important enough to forward immediately to a user’s attention. By default, alerts with a severity of Critical or Error are set to SNMP+Log; the rest are set to Alert Only.

Indeni Preferences Alerts

Indeni will log or flag specific alerts in accordance with user preferences.

Configure

Clicking this button on the far right column opens a window where the user can individually configure alert settings for every currently analyzed device on the network. This includes setting a default configuration for this particular alert that will apply to every new object added to the network.

Configure ARP issues Indeni

  • Configure: The Default Settings are shown for all new objects. However, you can also individually configure each device by clicking its Configure button to open the Edit Alert for Specific Device window.

Edit alert default indeni

  • All devices have the same configuration options per alert; however, the various alerts have different parameters to be configured for this window.
  • Note that Indeni allows users to add customized notes here for all alerts. These can include additional information which system architects and administrators would like to present as part of Indeni’s alerting.

Select OK or Apply to save your changes, or Cancel to return to the Configuration screen.

Alert Archive

Indeni stores all resolved alerts. These are placed under Current Alerts until they are acknowledged. To review alerts acknowledged in the Alerts sub-tab, use the Alert Archive sub-tab under Operations Management.

Sort or filter alerts by using the arrow or filter icons in the Last Update column header.

  1. Click the Filter icon in the column header.
  2. Click inside each blank field box to display a calendar.
  3. Choose the date range for the alerts you want to display and then click on Apply. To filter within a particular day, change the hour settings after the date in both the From and Till fields to display alerts within a specified time range. (See Last Update under Columns and Functionality in this chapter for more detail.)

Alert Archive Indeni

Chapter 6: Tools

The Tools tab allows quick access to a device’s general details.

Live Configuration

Live Configuration allows indeni users to quickly and simply access all the configurations and settings on their analyzed devices.

  1. Click on the Tools tab.
  2. Select the Live Configuration sub-tab.
  3. Choose a specific device from the list on the left side of the screen.

Indeni will display in a table format all the configuration details of the particular device, once this device has been chosen from the list.

You can use the search field in the left panel to find specific devices either by IP or by device name.

Chapter 7: Settings

The Settings tab provides access to a variety of functions within indeni through its sub-tabs.

Indeni Settings

Monitored Devices

This tab provides the same functionality for adding, deleting, and configuring devices as described in Chapter 4: Getting Started.

Here users can change the parameters which define how indeni analyzes a device.

Connectivity

This option allows users to set and troubleshoot connection issues, change the device password, view the security key, and adjust other connection settings that may be causing network issues.

Connectivity parameters need to be set for each device. Hover over the icon for more details about each parameter, which vary by vendor, model, and device:

  • SSH Connection Timeout: The maximum wait time when connecting via SSH before deciding the device is not responding. Choose a value (days, hours, minutes, seconds).
  • SSH Username: Provide the SSH name to be used to log in to the device.
  • SSH Password: Provide the SSH password to be used to log in to the device.
  • SSH Private Key: Provide a private key to be used, if any.
  • SSH Private Key Passphrase: This field is required only if the private key is encrypted.
  • Max Aggregated Connection Bandwidth (in bytes): Maximum number of bytes per second that can be sent in each direction to avoid overload. Enter the maximum bandwidth value you want the connection to allow.
  • SSH Port: The port on which the SSH server is running. Set a port number.
  • Approved Host Key: Allows the client to determine if the SSH server being connected to is the correct one. Only one host key is approved for use at a time. Enter the approved key.
  • SSH Connection Reestablishment Timeout: The time to wait before attempting to reconnect. This value gives administrators time to resolve issues and ensures the device will not be overloaded with reconnection attempts. Choose a value (days, hours, minutes, seconds).
  • Require Ping Response for Alive Checks: Forces the device to respond to ICMP ECHO and TCP Port 7 to be considered alive. Toggle On or Off.
  • Max SSH Session Count: The maximum number of SSH sessions allowed for this device. The lower the number, the longer it will take for a particular issue to be identified and alerted upon. Choose a maximum number from the dropdown box.
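The Approved Host Key setting above pins the device to a single SSH host key, so a server presenting any other key (including a legitimately rotated one that has not been re-approved) is rejected rather than trusted on first use. The following is an added example of that check, not Indeni's own code: it parses an OpenSSH-style public key line, verifies that the key type in the line agrees with the type embedded in the key blob, derives the SHA256 fingerprint administrators would compare against, and compares the presented key with the approved one in constant time. The `make_ed25519_pubkey_line` helper and the 32-byte keys it is fed are constructed sample data for demonstration only.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional, Tuple


def parse_pubkey_line(line: str) -> Optional[Tuple[str, bytes]]:
    """Parse 'key-type base64-blob [comment]' into (key_type, blob).

    Returns None for anything malformed so callers fail closed.
    """
    parts = line.split()
    if len(parts) < 2:
        return None
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    # The wire-format blob begins with a length-prefixed copy of the key type;
    # it must match the label on the line, otherwise the line was tampered with.
    if len(blob) < 4:
        return None
    type_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + type_len] != key_type.encode("utf-8"):
        return None
    return key_type, blob


def fingerprint(line: str) -> Optional[str]:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of the blob digest."""
    parsed = parse_pubkey_line(line)
    if parsed is None:
        return None
    digest = hashlib.sha256(parsed[1]).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_approved(presented: str, approved: str) -> bool:
    """True only when the server presented exactly the one approved key."""
    presented_key = parse_pubkey_line(presented)
    approved_key = parse_pubkey_line(approved)
    if presented_key is None or approved_key is None:
        return False
    # Compare the decoded blobs in constant time; the type check is cheap
    # and keeps an RSA key from ever matching an Ed25519 approval.
    return presented_key[0] == approved_key[0] and hmac.compare_digest(
        presented_key[1], approved_key[1]
    )


def _ssh_string(data: bytes) -> bytes:
    # SSH wire format: 4-byte big-endian length followed by the bytes.
    return len(data).to_bytes(4, "big") + data


def make_ed25519_pubkey_line(raw_key: bytes, comment: str = "constructed") -> str:
    """Constructed helper (not part of the product): build a public key line
    from a 32-byte Ed25519 public key so the checks above can be exercised offline."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"


if __name__ == "__main__":
    approved = make_ed25519_pubkey_line(bytes(range(32)), "approved-device")
    rotated = make_ed25519_pubkey_line(bytes(range(1, 33)), "rotated-device")
    print("approved fingerprint:", fingerprint(approved))
    print("same key accepted:", host_key_approved(approved, approved))
    print("rotated key accepted:", host_key_approved(rotated, approved))
```

Because only one key is approved at a time, a planned host key rotation on a device should be followed by re-entering the new key here; a mismatch without such a change is the signal to investigate before reconnecting.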

Paths

During certain processes such as creating backups, Indeni stores information locally on the device and then fetches it to the Indeni server. Temporary files are deleted from the server when the operation is complete. Set the Location for Temporary Paths on Device.

Indeni paths

Troubleshooting parameters

Users can set a variety of parameters for troubleshooting the individual device. Hover over the icon for more information, as parameters change by vendor, model, and device.

Indeni Troubleshooting Parameters

  • Resource Test Critical CPU Usage Threshold: Defines the critical resource usage value that triggers a slowdown in analysis operations. Enter a value.
  • Alternate SSH Port: When communicating with a Linux or FreeBSD-based device, Indeni may use an alternate SSH communications port in order to separate between Indeni’s actions and user-driven activities.
  • Resource Test Critical Memory Usage Threshold: Defines the critical resource usage value that triggers a slowdown in analysis operations. Enter a value. (In the example, if memory usage is above 90%, Indeni will stop analyzing the device.)
  • Override Resource Test: Indeni monitors resource usage for each device under normal analysis conditions and slows down analysis if critical levels are reached. Check the box to override this mechanism. Indeni will no longer monitor resource usage as a safety mechanism for this device. This is not recommended.

Scheduled Maintenance Window

To set up a maintenance schedule for a device:

  1. To add a window: Click on the Add Window button and enter the preferred time frames.
  2. To remove a schedule that has already been set up: Click on the Remove button.

Schedule Maintenance Indeni

Settings change by type of device, so not all devices will include all of the parameters listed above.

Integration

This tab manages a variety of objects used to notify users of alerts. Indeni can be configured to send alerts via SNMP trapping, SMTP email, or by using the UDP syslog protocol. Users must add the type of server desired to Indeni and configure the system to forward alerts to the desired users.

Indeni Integration SNMP

Adding an SNMP Master

SNMP trapping captures alerts, which can then be forwarded to a user’s mobile phone or pager for further action. Indeni supports any SNMP master.

IBM Tivoli

Indeni has been verified to be compatible with IBM Tivoli and has achieved the IBM Ready for Tivoli status. To request the files required to use IBM Tivoli please contact support at: http://indeni.com/support

CA Technologies

Indeni is also a Technology Alliance Partner of CA Technologies, providing security assurance solutions through their Technology Partner Program. Our solution helps ensure continuity of services and provides deep insight into real-time performance as well as impending issues that could impact service delivery. For more information on how to configure the integration between Indeni and CA Spectrum Infrastructure Manager, please download Integrating Indeni with CA Spectrum Infrastructure Manager at http://indeni.com/support

HP

Indeni participates in HP’s Enterprise Management Alliance Program. The software has been validated to integrate easily with HP Operations Manager (HP OM). HP OM contains a tool to convert the Indeni Management Information Base (MIB) file to a HP OM policy. The tool is not an integral part of HP OM but rather a contributed addition. The MIB file and more information on configuring Indeni with HP OM can be downloaded from http://www.indeni.com/support.

To set up SNMP trapping for Indeni you must set up a server capable of receiving SNMP traps and configure it to accept traps from Indeni. An SNMPv2 community or SNMPv3 USM setting is required for SNMP to operate correctly.
Once the SNMP Master is set up on the server, at the Settings tab:

  1. Select the Integration sub-tab.
  2. Click the Add Device button under Defined Objects.
  3. Select SNMP Master.

Use the setup screen shown on the next page to configure SNMP trapping for this master. Assign appropriate names and passwords to individual masters, and choose the security algorithm in use on your system from the drop-down lists provided. The user can do any of the following and then Save the changes:

  • Assign only a host address IP, hostname and community (that is, no SNMPv3 settings).
  • Set all fields EXCEPT for community (no SNMPv2 settings).
  • Set all fields.

Note: Hover over the icon for more details about each parameter.

When finished, by default, all alerts having an Error or Critical severity will be sent via SNMP traps to this master. Users can change what alerts are trapped, logged, or sent via the Signatures sub-tab on the Monitoring tab.

  • Use the Send Test SNMP Trap button to test the new configuration.

Configuring Indeni as an SNMP Device in the SNMP Master

When configuring the SNMP Master, users should:

  • Download the MIB file accessible at http://www.indeni.com/support.
  • Configure the SNMP Master to use the MIB to fetch data from indeni as well as receive the SNMP traps. indeni currently supports two trap formats:

indeniNewAlertTrap: This is issued when an alert is created. The trap contains all of the information pertaining to the alert, including its ID, in a trap field called indeniAlertEntryIndex. The trap fields are:

  • indeniAlertEntryIndex: The ID of the specific alert that was generated
  • indeniAlertSeverity: The alert’s severity
  • indeniAlertHeadLine: The alert’s headline
  • indeniAlertDescription: The alert’s description
  • indeniDeviceName: The name of the device the alert pertains to
  • indeniDeviceIp: The IP of the device
  • indeniAlertCategory: The category the alert belongs to
  • indeniAlertBaseIdentifier: The type of alert
  • indeniAlertStatus: The alert status, one of:
      • UNRESOLVED: Normally the status when an alert is first generated
      • RESOLVED: Normally issued as part of trap type 2 below

indeniAlertStatusUpdateTrap: This is issued when an alert’s resolved status changes. When an alert has been remediated, indeni automatically changes the status to Resolved; however, if indeni later re-verifies and identifies it as unresolved it will remove the Resolved designation. Whenever the status changes, either from Unresolved to Resolved or vice versa, this trap will be issued with the ID of the original alert in the indeniAlertEntryIndex field. New values will appear in the indeniAlertSeverity and indeniAlertStatus fields.
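The two trap formats above describe a small state machine on the receiving side: a new-alert trap creates a record keyed by indeniAlertEntryIndex, and each status-update trap rewrites only the severity and status of that record. The following is an added example of a receiver that keeps that state, not code from Indeni or from any SNMP manager. It assumes the manager has already resolved the MIB OIDs to the field names listed in the guide, so each trap is handed over as a dict of varbinds; the sample traps in `SAMPLE_TRAPS` (alert indices, headlines, device names and addresses) are constructed for the demonstration. It also shows the cases a receiver has to handle defensively: a duplicate new-alert trap (UDP can deliver twice), an update for an index it never saw, and an alert that flips back from Resolved to Unresolved after re-verification.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NEW_ALERT_TRAP = "indeniNewAlertTrap"
STATUS_UPDATE_TRAP = "indeniAlertStatusUpdateTrap"
STATUSES = ("UNRESOLVED", "RESOLVED")

# Field names as listed in the guide; OID-to-name mapping is assumed done upstream.
NEW_ALERT_FIELDS = (
    "indeniAlertEntryIndex", "indeniAlertSeverity", "indeniAlertHeadLine",
    "indeniAlertDescription", "indeniDeviceName", "indeniDeviceIp",
    "indeniAlertCategory", "indeniAlertBaseIdentifier", "indeniAlertStatus",
)
UPDATE_FIELDS = ("indeniAlertEntryIndex", "indeniAlertSeverity", "indeniAlertStatus")


@dataclass
class AlertRecord:
    entry_index: int
    severity: str
    headline: str
    description: str
    device_name: str
    device_ip: str
    category: str
    base_identifier: str
    status: str
    # (status, severity) after every update; a RESOLVED -> UNRESOLVED flip
    # lands here when the product re-verifies and reopens the issue.
    transitions: List[Tuple[str, str]] = field(default_factory=list)


class TrapHandler:
    def __init__(self) -> None:
        self.alerts: Dict[int, AlertRecord] = {}
        self.rejected: List[Tuple[str, str]] = []  # (reason, trap type)

    def _reject(self, reason: str, trap_type: str) -> None:
        self.rejected.append((reason, trap_type))
        return None

    def handle(self, trap_type: str, varbinds: dict) -> Optional[AlertRecord]:
        if trap_type == NEW_ALERT_TRAP:
            return self._new_alert(varbinds)
        if trap_type == STATUS_UPDATE_TRAP:
            return self._status_update(varbinds)
        return self._reject("unknown_trap", trap_type)

    @staticmethod
    def _index(varbinds: dict) -> Optional[int]:
        try:
            return int(varbinds["indeniAlertEntryIndex"])
        except (KeyError, TypeError, ValueError):
            return None

    def _new_alert(self, vb: dict) -> Optional[AlertRecord]:
        if any(f not in vb for f in NEW_ALERT_FIELDS):
            return self._reject("missing_fields", NEW_ALERT_TRAP)
        if vb["indeniAlertStatus"] not in STATUSES:
            return self._reject("bad_status", NEW_ALERT_TRAP)
        idx = self._index(vb)
        if idx is None:
            return self._reject("bad_index", NEW_ALERT_TRAP)
        if idx in self.alerts:
            # Same index twice: keep the first record, don't clobber its history.
            return self._reject("duplicate_index", NEW_ALERT_TRAP)
        record = AlertRecord(
            entry_index=idx,
            severity=vb["indeniAlertSeverity"],
            headline=vb["indeniAlertHeadLine"],
            description=vb["indeniAlertDescription"],
            device_name=vb["indeniDeviceName"],
            device_ip=vb["indeniDeviceIp"],
            category=vb["indeniAlertCategory"],
            base_identifier=vb["indeniAlertBaseIdentifier"],
            status=vb["indeniAlertStatus"],
        )
        self.alerts[idx] = record
        return record

    def _status_update(self, vb: dict) -> Optional[AlertRecord]:
        if any(f not in vb for f in UPDATE_FIELDS):
            return self._reject("missing_fields", STATUS_UPDATE_TRAP)
        if vb["indeniAlertStatus"] not in STATUSES:
            return self._reject("bad_status", STATUS_UPDATE_TRAP)
        idx = self._index(vb)
        record = self.alerts.get(idx) if idx is not None else None
        if record is None:
            # Update for an alert we never received (lost trap or restart): surface it.
            return self._reject("unknown_index", STATUS_UPDATE_TRAP)
        record.status = vb["indeniAlertStatus"]
        record.severity = vb["indeniAlertSeverity"]
        record.transitions.append((record.status, record.severity))
        return record

    def unresolved(self) -> List[AlertRecord]:
        return sorted((a for a in self.alerts.values() if a.status == "UNRESOLVED"),
                      key=lambda a: a.entry_index)


# Constructed sample traps, in arrival order (not captured from a real system).
SAMPLE_TRAPS = [
    (NEW_ALERT_TRAP, {"indeniAlertEntryIndex": "17", "indeniAlertSeverity": "ERROR",
                      "indeniAlertHeadLine": "ARP table nearing capacity",
                      "indeniAlertDescription": "constructed description",
                      "indeniDeviceName": "fw-edge-1", "indeniDeviceIp": "192.0.2.10",
                      "indeniAlertCategory": "Resources", "indeniAlertBaseIdentifier": "arp_table",
                      "indeniAlertStatus": "UNRESOLVED"}),
    (NEW_ALERT_TRAP, {"indeniAlertEntryIndex": "18", "indeniAlertSeverity": "CRITICAL",
                      "indeniAlertHeadLine": "Cluster member down",
                      "indeniAlertDescription": "constructed description",
                      "indeniDeviceName": "fw-edge-2", "indeniDeviceIp": "192.0.2.11",
                      "indeniAlertCategory": "Clustering", "indeniAlertBaseIdentifier": "cluster_member",
                      "indeniAlertStatus": "UNRESOLVED"}),
    (STATUS_UPDATE_TRAP, {"indeniAlertEntryIndex": "17", "indeniAlertSeverity": "ERROR",
                          "indeniAlertStatus": "RESOLVED"}),
    (STATUS_UPDATE_TRAP, {"indeniAlertEntryIndex": "17", "indeniAlertSeverity": "CRITICAL",
                          "indeniAlertStatus": "UNRESOLVED"}),   # re-verified, reopened
    (STATUS_UPDATE_TRAP, {"indeniAlertEntryIndex": "18", "indeniAlertSeverity": "CRITICAL",
                          "indeniAlertStatus": "RESOLVED"}),
    (STATUS_UPDATE_TRAP, {"indeniAlertEntryIndex": "99", "indeniAlertSeverity": "ERROR",
                          "indeniAlertStatus": "RESOLVED"}),     # never announced
]


def replay(traps) -> TrapHandler:
    handler = TrapHandler()
    for trap_type, varbinds in traps:
        handler.handle(trap_type, varbinds)
    return handler


if __name__ == "__main__":
    h = replay(SAMPLE_TRAPS)
    for a in h.unresolved():
        print(a.entry_index, a.device_name, a.severity, a.headline, a.transitions)
    print("rejected:", h.rejected)
```

Rejected traps are kept rather than silently dropped so that an operator can tell a lost new-alert trap (an update for an unknown index) from a stale duplicate.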

Adding an SMTP Server

Indeni provides the means to add an SMTP server to the list of managed devices to facilitate alert emailing. Once configured, Critical and Error alerts are sent through this server by default.

To add a new SMTP server:

  1. Go to the Settings tab and select the Integration sub-tab.
  2. Click the Add Device button and select SMTP Server.
  3. Configure the new server.
  4. Use the Send Test Email button to test that the configuration is correct.
  5. Save the configuration. Indeni will add the new SMTP server to the list of Defined Objects.


Indeni SNMP Trap integration

Adding a Syslog Server

Indeni is also capable of sending alert information to syslog servers using the UDP syslog protocol. In order to conform to compliance requirements, administrators can also choose to have Indeni send a syslog message whenever a user attempts to access the system via the web dashboard, including whether or not such access was granted.
To add a syslog server:

  1. Go to the Settings tab and select the Integration sub-tab.
  2. Click the Add Device button under Defined Objects on the left side of the screen.
  3. Select Syslog Server.
  4. Configure the new syslog server.
  5. Send a test message to determine if the configuration is working.
  6. Save the configuration. Indeni will add the new syslog server to the list of Defined Objects.

Indeni Syslog Integration

Users

Use this subtab to add, delete, and edit users, passwords, email settings, permissions for setting up and remediating individual devices, and permissions for group objects, as described in Chapter 4: Getting Started.

Licenses

Indeni’s license expiration date and limitations depend on what was purchased. To determine the status of your current Indeni licenses or to upload a new license, select the Settings tab and then the Licenses sub-tab.

Licenses are obtained from an Indeni reseller as a file with a “.lic” extension. Users must download the .lic file to their own hard drive and then upload to Indeni. The file can then be removed from the local hard drive.

Indeni License

This screen displays the current status of the Indeni license as well as the exact terms of the license, such as the number of devices allowed, the expiration date, etc.
The system will notify users via an alert in the Operations Management tab when one of the following conditions is observed:

  • If 90 days remain before the license expires.
  • If the license has already expired.
  • If the user is approaching the limit of allowed analyzed devices.

Indeni Insight

Indeni Insight is designed to help CIOs and network architects gain more control and visibility over their networks. It works by supplying valuable insights and hard-to-access data about your network and other organizations’ networks from around the globe – enabling you to make smarter decisions.
For more information on what Indeni Insight includes and how it works, visit this page: http://indeni.com/indeni-insight/

Enable Indeni Insight

Chapter 8: Upgrades, Support

Upgrades

Products offered by Indeni, like networking itself, are constantly evolving. New capabilities and functionality, including Indeni’s ability to recognize and configure new devices and identify and resolve additional errors, are being added on a regular basis.

Updates are performed by running the Linux “apt-get” command from Indeni’s server CLI.

Note: Updates require access to Indeni’s repositories residing on Amazon’s Web Services at s3.amazonaws.com

  1. Log into Indeni’s server using an SSH console
  2. Run the following commands:
    sudo apt-get update
    sudo apt-get upgrade

Support

The Support section of www.indeni.com is available 24/7. Documentation, including updated editions of this user manual, is available via .pdf download.
Additional support is also available via:
Toll-free: +1-877-778-8991
Online support: http://www.indeni.com/support
Email: support@indeni.com

Chapter 9: System Security and Safeguards

Database Structure

Indeni stores its information locally on the hard drive on which it is installed. The database contains different types of information with two general classifications: highly confidential and confidential. The highly confidential information is stored within an encrypted file (using two types of encryption employing industry standards and best practices). The confidential information is stored in non-encrypted files.
The database files are not accessible via the web interface and can only be retrieved by logging into the system via SSH and downloading them using standard protocols (SCP, SFTP, etc.). The SSH service is the standard sshd application, which has a long track record of being safe so long as the passwords selected by the user are strong ones. Refer to your organization’s password policies for more information on choosing a strong password.

Underlying Operating System

The operating system supplied with the system is Ubuntu 14.04 Server. By default, the set of services accessible via the network has been reduced to the absolute minimum required, further hardening the operating system. These services are:

  • SSH
  • HTTP and HTTPS (the Indeni server’s web interface, hosted inside Jetty)
  • TCP Ports 9009, 9912 used by Indeni’s Server component

Device Access Credentials Storage

The credentials used to access devices, such as the SSH Username and Password, are stored within the database described above. The username is stored in the confidential store, while the password is stored in the highly confidential store (and is encrypted). By protecting the database files, an organization is protecting this information from being compromised.

Password Security of Users Defined in the System

All users defined in the system (allowed to access the system itself via the web interface) are required to use strong passwords as defined by PCI DSS requirements 8.5.10, 8.5.12, 8.5.13, and 8.5.14. Passwords are stored as salted hashes within the encrypted database. This protects the original passwords from being recovered.
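The paragraph above combines two protections: a password policy aligned with the cited PCI DSS requirements, and salted hashing so that a copy of the database does not yield the passwords. The following is an added example illustrating both, not Indeni’s own implementation: it enforces the four cited rules as I read them (8.5.10 minimum length of seven characters, 8.5.12 no reuse of any of the last four passwords, 8.5.13 lockout after six failed attempts, 8.5.14 a lockout of at least 30 minutes), stores PBKDF2-SHA256 hashes with a per-user random salt, and compares them in constant time. The iteration count, the in-memory store and the injectable clock are assumptions made for the demonstration; the reuse rule is checked by verifying the candidate against the stored hashes, so no plaintext history is ever kept.

```python
import hashlib
import hmac
import os
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Policy values as read from the PCI DSS requirements the guide cites.
MIN_LENGTH = 7              # 8.5.10
HISTORY_DEPTH = 4           # 8.5.12: current password plus the three before it
MAX_FAILED_ATTEMPTS = 6     # 8.5.13
LOCKOUT_SECONDS = 30 * 60   # 8.5.14
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example, not the product's


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per password defeats
    precomputed tables and hides identical passwords across users."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Hashed once so unknown usernames cost the same as wrong passwords.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("not-a-real-password")


@dataclass
class UserRecord:
    # Newest entry is the current password; older ones exist only for the
    # reuse check and are never accepted at login.
    history: deque = field(default_factory=lambda: deque(maxlen=HISTORY_DEPTH))
    failed_attempts: int = 0
    locked_until: float = 0.0


class UserStore:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.users: Dict[str, UserRecord] = {}
        self.clock = clock

    def set_password(self, username: str, new_password: str) -> str:
        """Return 'ok', or the name of the rule that rejected the change."""
        if len(new_password) < MIN_LENGTH:
            return "too_short"
        record = self.users.setdefault(username, UserRecord())
        for salt, digest in record.history:
            if verify_password(new_password, salt, digest):
                return "reused"
        record.history.append(hash_password(new_password))
        return "ok"

    def authenticate(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'bad_credentials'."""
        now = self.clock()
        record = self.users.get(username)
        if record is None:
            verify_password(password, _DUMMY_SALT, _DUMMY_DIGEST)  # equalise timing
            return "bad_credentials"
        if now < record.locked_until:
            return "locked"   # no password check while locked, even if it is right
        salt, digest = record.history[-1]
        if verify_password(password, salt, digest):
            record.failed_attempts = 0
            return "ok"
        record.failed_attempts += 1
        if record.failed_attempts >= MAX_FAILED_ATTEMPTS:
            record.locked_until = now + LOCKOUT_SECONDS
            record.failed_attempts = 0
            return "locked"
        return "bad_credentials"


if __name__ == "__main__":
    store = UserStore()
    print(store.set_password("admin", "Correct-Horse-7"))     # ok
    print(store.set_password("admin", "Correct-Horse-7"))     # reused
    print(store.authenticate("admin", "Correct-Horse-7"))     # ok
```

A lockout that is enforced before the password is checked is what makes rule 8.5.13 effective: otherwise a correct guess on the seventh attempt would still succeed.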

Protecting Analyzed Devices

The commands executed on analyzed devices (routers, firewalls, load balancers, management servers, etc.) are defined by the internal logic of the product and cannot be modified by a user. This is to limit the commands that can be executed by Indeni on analyzed devices to those which have been tested and approved by Indeni.

Indeni also monitors the resource usage (CPU, RAM, etc.) on each analyzed device and reduces the analysis work to an absolute minimum if it notes that the resource usage has crossed certain thresholds. This is in order to avoid placing an extra load on an unstable device that may result in its failure. Once the resource usage returns to normal levels, full analysis operations are resumed.

No Change Policy

Indeni has a very strict no change policy, meaning no changes will be made on the devices Indeni analyzes. The only writing actions Indeni executes are to write temporary files to /tmp and to initiate an additional instance of SSHD when needed.

Chapter 10: Basic Troubleshooting

Below are some basic troubleshooting procedures which may be used to verify an initial setup or to diagnose communication errors between Indeni and the analyzed devices:

Accessing the Embedded GAiA

When accessing the Embedded GAiA, please verify that the URL format is https://<IP address>:8181/ (example: https://10.3.1.87:8181/) and that port 8181 is open and not restricted by any firewall rules.

Adding Devices to Indeni

The following pages address common scenarios of problems users encounter when adding a device to Indeni. Note in the following examples that there is a further explanation of the problem within each alert shown, which can assist you in finding the solution. In most cases, the content of the alert will provide the user with all the required details. Please make sure to expand the alert so that the alert’s content becomes available.

Verify SSH connectivity between Indeni and the analyzed device by connecting to indeni over SSH and initiating an SSH session into the analyzed device using indeni’s designated username and password.

In some cases, as indicated in the alert’s details, management servers require their superior management server to be analyzed before they can be analyzed (for example, MDS needs to be analyzed before a CMA can be, in the case of Check Point). If indicated, please make sure to analyze the superior management servers.

Failed to communicate – No response on port 22
This is how the alert would appear:

Port 22 Indeni

As a first step to assess where the issue lies, try to SSH from the indeni server to the analyzed device. If this fails, try to understand why this happens and this will lead to solving this issue. Make sure that port 22 is opened in your firewall. Please check the rule base of any firewalls involved in the path between indeni and this device to ensure this port is allowed.

Failed to communicate – SSH Credentials
This is how the alert would appear:

SSH Credentials Indeni

Authentication failed. Please update the SSH credentials as follows.
Find the device ID in the list on the left panel of the Monitoring/Current Alerts screen. Click on the orange circle beside the device to change its settings. From the pop-up, select Device Configuration/Monitoring Parameters.

Device configuration Indeni

The Edit Device window opens. Scroll down the Edit Device screen and update the “SSH Password” or “SSH Username” field. Click on Save.

Edit Device Indeni