ExtraHop 8.8
ExtraHop Trace Admin UI Guide


Summary of Contents for ExtraHop Trace Admin UI

  • Page 1 ExtraHop 8.8 ExtraHop Trace Admin UI Guide...
  • Page 2 2022 ExtraHop Networks, Inc. All rights reserved. This manual in whole or in part, may not be reproduced, translated, or reduced to any machine-readable form without prior written approval from ExtraHop Networks, Inc. For more documentation, see https://docs.extrahop.com/. Published: 2022-03-22...
  • Page 3: Table Of Contents

    Send system notifications to a remote syslog server SSL Certificate Upload an SSL certificate Generate a self-signed certificate Create a certificate signing request from your ExtraHop system Trusted Certificates Add a trusted certificate to your ExtraHop system Access Settings Passwords...
  • Page 4 Installation prerequisites Set up the extended storage unit Shut down the Trace appliance Connect the extended storage unit Attach the extended storage unit Managing extended storage units with a foreign packetstore status ExtraHop 8.8 ExtraHop Trace Admin UI Guide 4...
  • Page 5 Trace appliance For extended storage units configured on a device other than the Trace appliance Reset Packetstore Trace Cluster Settings Manager Packet Query Status Remove packet queries Manage with a Command appliance...
  • Page 6: Introduction To The Extrahop Trace Admin Ui

    Introduction to the ExtraHop Trace Admin UI The ExtraHop Trace Admin UI Guide provides detailed information about the administrator features and functionality of the ExtraHop Trace appliance. In addition, this guide provides an overview of the global navigation and information about the controls, fields, and options available throughout the Trace Administration settings.
  • Page 7: Status And Diagnostics

    The Health page provides a collection of metrics that enable you to check the operation of the Trace appliance. The metrics on this page can help you troubleshoot problems and determine why the ExtraHop appliance is not performing as expected. System Reports the following information about the system: CPU usage and disk drives.
  • Page 8: Audit Log

    The audit log provides data about the operations of your ExtraHop system, broken down by component. The audit log lists all known events by timestamp, in reverse chronological order. If you experience an issue with the ExtraHop system, consult the audit log to view detailed diagnostic data to determine what might have caused the issue.
  • Page 9: Support Scripts

    An exception file is a core file of the data stored in memory. When you enable the Exception File setting, the core file is written to the disk if the system unexpectedly stops or restarts. This file can help ExtraHop Support diagnose the issue.
  • Page 10: Network Settings

    ExtraHop Remote Access enables you to allow ExtraHop account team members, ExtraHop Atlas analysts, and ExtraHop Support to connect to your ExtraHop system for configuration help. If you have signed up for the Atlas Remote Analysis service, ExtraHop analysts can perform an unbiased analysis of your network data and report on areas in your IT infrastructure where improvements can be made.
  • Page 11: Configure Your Firewall Rules

    If the connection fails, there might be an issue with your firewall rules. Configure your firewall rules If your ExtraHop system is deployed in an environment with a firewall, you must open access to ExtraHop Cloud Services. For Reveal(x) 360 systems that are connected to self-managed sensors, you must also open access to the ExtraHop Cloud Recordstore.
  • Page 12: Bypass Certificate Validation

    This device can act as an SSL/TLS endpoint that decrypts and re-encrypts the traffic before sending the packets to ExtraHop Cloud Services. If the ExtraHop system cannot connect to the proxy server because the certificate validation has failed, you can bypass certificate validation and then connect to ExtraHop Cloud Services.
  • Page 13 Captures traffic forwarded from ERSPAN* or VXLAN**. This interface mode enables the port to handle more than 1 Gbps. Set this interface mode if the ExtraHop appliance has a 10 GbE port. This interface mode only requires that you configure an IPv4 address.
  • Page 14: Interface Throughput

    (Optional) Manually add routes. Click Save. Interface throughput ExtraHop appliance models EDA 6100, EDA 8100 and EDA 9100 are optimized to capture traffic exclusively on 10GbE ports. Enabling the 1GbE interfaces for monitoring traffic can impact performance, depending on the ExtraHop appliance.
  • Page 15: Enable Ipv6 For An Interface

    Command appliance or with other devices outside of the local network, you can enable your ExtraHop system to connect to a proxy server you already have on your network. Internet connectivity is not required for the global proxy server.
  • Page 16: Bond Interfaces

    • Password: The password for the user specified above. Bond interfaces You can bond multiple 1 GbE interfaces on your ExtraHop system together into a single logical interface that has one IP address for the combined bandwidth of the member interfaces. Bonding interfaces enable a larger throughput with a single IP address.
  • Page 17: Destroy A Bond Interface

    SMTP server should be the fully qualified domain name (FQDN) or IP address of an outgoing mail server that is accessible from the ExtraHop system. If the DNS server is set, then the SMTP server can be an FQDN; otherwise you must type an IP address.
  • Page 18: Add A New Notification Email Address On An Explore Or Trace Appliance

    (Explore appliance only) A registered Explore node is missing from the cluster. The node might have failed, or it is powered off. Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin. In the Network Settings section, click Notifications.
  • Page 19: Download The Extrahop Snmp Mib

    The file is typically saved to the default download location for your browser. Send system notifications to a remote syslog server The syslog export option enables you to send alerts from an ExtraHop system to any remote system that receives syslog input for long-term archiving and correlation with other sources.
  • Page 20: Ssl Certificate

    A certificate signing request (CSR) is a block of encoded text that is given to your Certificate Authority (CA) when you apply for an SSL certificate. The CSR is generated on the ExtraHop system where the SSL certificate will be installed and contains information that will be included in the certificate such as the common name (domain name), organization, locality, and country.
  • Page 21: Trusted Certificates

    In the Subject Alternative Names section, type the DNS name of the ExtraHop system. You can add multiple DNS names and IP addresses to be protected by a single SSL Certificate. Common Name In the Subject section, complete the following fields. Only the field is required.
  • Page 22 Important: To trust the built-in system certificates and any uploaded certificates, you must also enable SSL/TLS or STARTTLS encryption and certificate validation when configuring the settings for the external server. Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin. Trusted Certificates.
  • Page 23: Access Settings

    Change the default password for the setup user It is recommended that you change the default password for the setup user on the ExtraHop system after you log in for the first time. Change Password To remind administrators to make this change, there is a blue button at the top of the page while the setup user is accessing the Administration settings.
  • Page 24: Regenerate Or Revoke The Ssh Key

    Regenerate or revoke the SSH key To prevent SSH access to the ExtraHop system with an existing SSH key, you can revoke the current SSH key. A new SSH key can also be regenerated if needed. In the Access Settings section, click Support Access.
  • Page 25: Users And User Groups

    The following accounts are configured by default on ExtraHop systems but do not appear in the list of names on the Users page. These accounts cannot be deleted and you must change the default password upon initial login.
  • Page 26: User Groups

    A user attempts to load a shared dashboard that they do not have access to. User privileges Administrators determine the level of access and functionality users have with the ExtraHop system. In addition to setting the privilege level for local users, you can enable options for any user privilege level.
  • Page 27 Privilege Levels Set the privilege level for your user to determine which areas of the ExtraHop system they can access. Users with unlimited or cloud setup privileges can access all areas of the ExtraHop system, including packets, session keys, and detections.
  • Page 28 Acknowledge Detections Modify detection status notes Create modify investigations Create modify tuning rules Create modify notification rules Analysis Priorities View Analysis Priorities page Add and modify analysis levels for groups devices...
  • Page 29 Records (Explore appliance) View record queries View record formats Create, modify, and save record queries Create, modify, and save record formats Scheduled Reports (Command appliance) Create, view, manage scheduled reports Threat Intelligence...
  • Page 30 Note: (Reveal(x) Enterprise only) The Detections Access settings appear only if the global privilege policy for detections access control is set to Only specified users can access detections....
  • Page 31: Sessions

    If you want to configure nested LDAP groups, you must modify the Running Configuration file. Contact ExtraHop Support for help. When a user attempts to log onto an ExtraHop system, the ExtraHop system tries to authenticate the user in the following ways: •...
  • Page 32 Type the base DN in the Base DN field. The Base DN is the point from where a server will search for users. The base DN must contain all user accounts that will have access to the ExtraHop system. The users can be direct members of the base DN or nested within an OU within the base...
  • Page 33: Configure User Privileges For Remote Authentication

    Type the base DN in the Base DN field. The Base DN is the point from where a server will search for user groups. The base DN must contain all user groups that will have access to the ExtraHop system. The user groups can be direct members of the base DN or nested within an OU within the...
  • Page 34: Configure Remote Authentication Through Radius

    Continue. On the Add RADIUS Server page, type the following information: Host The hostname or IP address of the RADIUS server. Make sure that the DNS of the ExtraHop system is properly configured if you specify a hostname. Secret The shared secret between the ExtraHop system and the RADIUS server.
  • Page 35: Configure Remote Authentication Through Tacacs

    From the Remote authentication method drop-down list, select TACACS+, and then click Continue. On the Add TACACS+ Server page, type the following information: • Host: The hostname or IP address of the TACACS+ server. Make sure that the DNS of the ExtraHop system is properly configured if you are entering a hostname.
  • Page 36: Configure The Tacacs+ Server

    In addition to configuring remote authentication on your ExtraHop system, you must configure your TACACS+ server with two attributes, one for the ExtraHop service and one for the permission level. If you have a Trace appliance, you can optionally add a third attribute for packet capture and session key logging.
  • Page 37: Api Access

    You can configure one or more allowed origins or you can allow access to the ExtraHop REST API from any origin. Only administrative users with unlimited privileges can view and edit CORS settings.
  • Page 38: Generate An Api Key

    You must generate an API key before you can perform operations through the ExtraHop REST API. Keys can be viewed only by the user who generated the key or by system administrators with unlimited privileges. After you generate an API key, add the key to your request headers or the ExtraHop REST API Explorer.
  • Page 39 View or delete your own API key. • Change your own password, but you cannot perform any other administration tasks through the REST API. • Perform any ExtraHop system task available through the REST API. "write": "limited" • Generate an API key.
  • Page 40 Privilege level Actions allowed "packets": "full_with_keys" • View and download packets from an ExtraHop system through the GET/packetcaptures/{id} operation. This is an add-on privilege that can be granted to a user with one of the following privilege levels: • "write": "full"...
  • Page 41: Appliance Settings

    Save system settings to the running config file When you modify any of the system configuration settings on an ExtraHop system, you must confirm the updates by saving the running config file. If you do not save the settings, the changes are lost when your ExtraHop system restarts.
  • Page 42: Edit The Running Config

    Disable specific ICMPv6 Echo Reply messages You can prevent the ExtraHop system from generating Echo Reply messages in response to ICMPv6 Echo Request messages that are sent to an IPv6 multicast or anycast address. You might want to disable these messages to reduce unnecessary network traffic.
  • Page 43: Services

    Management Protocol (SNMP). For example, you can configure your monitoring software to determine how much free space is available on an ExtraHop system and send an alert if the system is over 95% full. Import the ExtraHop SNMP MIB file into your monitoring software to monitor all ExtraHop-specific SNMP objects.
  • Page 44: Firmware

    Verify that your Reveal(x) 360 system has been upgraded to version 8.7 before upgrading your self-managed sensors. • If you have multiple types of ExtraHop appliances, you must upgrade them in the following order: Command appliance Discover appliances Explore appliances Trace appliances •...
  • Page 45: Upgrade The Firmware On Command And Discover Appliances

    Note: Your browser might time out after 5 minutes of inactivity. Refresh the browser page if the update appears incomplete. If the browser session times out before the ExtraHop system is able to complete the update process, you can try the following connectivity tests to confirm the status of the upgrade process: •...
  • Page 46: Upgrade The Firmware On Trace Appliances

    Click Upgrade. The ExtraHop system initiates the firmware upgrade. You can monitor the progress of the upgrade with the Updating progress bar. The appliance restarts after the firmware is installed. If you did not choose to automatically restart the appliance, click Reboot to restart the system.
  • Page 47: System Time

    The System Time page displays the current configuration and the status of all configured NTP servers. When capturing data, it is helpful to have the time on the ExtraHop appliance match the local time of the router. The ExtraHop appliance can set time locally or synchronize time with a time server. By default, system time is set locally, but we recommend that you change this setting and set time through a time server.
  • Page 48: Configure The System Time

    Configure the system time By default, the ExtraHop system synchronizes the system time through the *.extrahop.pool.ntp.org network time protocol (NTP) servers. If your network environment prevents the ExtraHop system from communicating with these time servers, you must configure an alternate time server source.
  • Page 49: Register Your Extrahop System

    HTTPS request to ExtraHop Cloud Services. If your ExtraHop system is not licensed for ExtraHop Cloud Services or is not yet licensed, the system attempts to register the system through a DNS TXT request for regions.hopcloud.extrahop.com and...
  • Page 50: Apply An Updated License

    ExtraHop Support. Update a license If ExtraHop Support provides you with a license file, you can install this file on your appliance to update the license. Note: If you want to update the product key for your appliance, you must register your ExtraHop system.
  • Page 51: Disks

    Important: The packetstore is locked when the Trace appliance is restarted. Before packets can be written to disk, you must unlock the disk from the Packetstore Encryption Settings page. In the Appliance Settings section, click Disks. Navigate to the Packetstore Encryption Settings page....
  • Page 52: Change The Packet Capture Disk Encryption Key

    Storage Units to a Trace appliance and retain all packets currently stored on the appliance. Compatibility The ExtraHop Extended Storage Unit (ESU) is available in two models, the 72 TB ESU and the 96 TB ESU. ExtraHop Trace Appliance Extended Storage Unit ETA 6150 •...
  • Page 53: Installation Prerequisites

    Before connecting your ESU, make sure you have the following items available: • ExtraHop Trace appliance with firmware 7.2 or later. Firmware 7.4 is required to encrypt the ESU. If you have not deployed the Trace appliance, follow the instructions in the...
  • Page 54: Attach The Extended Storage Unit

    Note: If the Trace appliance was previously encrypted, the packetstore is locked after the Trace appliance is powered on. The packetstore must be locked before you can attach the ESU to an encrypted Trace appliance....
  • Page 55: Managing Extended Storage Units With A Foreign Packetstore Status

    Trace appliance, the extended storage unit is designated as “foreign”. This status can occur when an extended storage unit was previously connected and then disconnected from the RAID controller on the...
  • Page 56: For Extended Storage Units Disconnected And Then Reconnected To The Same Trace Appliance

    Trace appliance it was originally connected to. For extended storage units disconnected and then reconnected to the same Trace appliance Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin. In the Appliance Settings section, click Disks.
  • Page 57: Trace Cluster Settings

    Packet Query Status The Packet Query Status page provides a collection of metrics about the Trace appliance. The metrics on this page can help you troubleshoot problems and determine why the ExtraHop appliance is not performing as expected. Packet Query Status Displays statistics about packet queries run from the Packets page.
  • Page 58: Remove Packet Queries

    Before you begin Note: This procedure only enables you to perform management functions from a connected Command appliance or Reveal(x) 360. To search and download packets from the ExtraHop system, follow the instructions in Connect the Discover and Command appliances to the Trace appliance In the Trace Cluster Settings section, click Manager.