2022 ExtraHop Networks, Inc. All rights reserved. This manual, in whole or in part, may not be reproduced, translated, or reduced to any machine-readable form without prior written approval from ExtraHop Networks, Inc. For more documentation, see https://docs.extrahop.com/. Published: 2022-03-22...
Send system notifications to a remote syslog server
SSL Certificate
Upload an SSL certificate
Generate a self-signed certificate
Create a certificate signing request from your ExtraHop system
Trusted Certificates
Add a trusted certificate to your ExtraHop system
Access Settings
Passwords...
Installation prerequisites
Set up the extended storage unit
Shut down the Trace appliance
Connect the extended storage unit
Attach the extended storage unit
Managing extended storage units with a foreign packetstore status
ExtraHop 8.8 ExtraHop Trace Admin UI Guide 4...
Trace appliance
For extended storage units configured on a device other than the Trace appliance
Reset Packetstore
Trace Cluster Settings
Manager
Packet Query Status
Remove packet queries
Manage with a Command appliance
Introduction to the ExtraHop Trace Admin UI The ExtraHop Trace Admin UI Guide provides detailed information about the administrator features and functionality of the ExtraHop Trace appliance. In addition, this guide provides an overview of the global navigation and information about the controls, fields, and options available throughout the Trace Administration settings.
The Health page provides a collection of metrics that enable you to check the operation of the Trace appliance. The metrics on this page can help you troubleshoot problems and determine why the ExtraHop appliance is not performing as expected.
System
Reports the following information about the system: CPU usage and disk drives.
The audit log provides data about the operations of your ExtraHop system, broken down by component. The audit log lists all known events by timestamp, in reverse chronological order. If you experience an issue with the ExtraHop system, consult the audit log to view detailed diagnostic data to determine what might have caused the issue.
Exception files are a core file of the data stored in memory. When you enable the Exception File setting, the core file is written to the disk if the system unexpectedly stops or restarts. This file can help ExtraHop Support diagnose the issue.
ExtraHop Remote Access enables you to allow ExtraHop account team members, ExtraHop Atlas analysts, and ExtraHop Support to connect to your ExtraHop system for configuration help. If you have signed up for the Atlas Remote Analysis service, ExtraHop analysts can perform an unbiased analysis of your network data and report on areas in your IT infrastructure where improvements can be made.
If the connection fails, there might be an issue with your firewall rules.
Configure your firewall rules
If your ExtraHop system is deployed in an environment with a firewall, you must open access to ExtraHop Cloud Services. For Reveal(x) 360 systems that are connected to self-managed sensors, you must also open access to the ExtraHop Cloud Recordstore.
This device can act as an SSL/TLS endpoint that decrypts and re-encrypts the traffic before sending the packets to ExtraHop Cloud Services. If the ExtraHop system cannot connect to the proxy server because the certificate validation has failed, you can bypass certificate validation and then connect to ExtraHop Cloud Services.
Captures traffic forwarded from ERSPAN* or VXLAN**. This interface mode enables the port to handle more than 1 Gbps. Set this interface mode if the ExtraHop appliance has a 10 GbE port. This interface mode only requires that you configure an IPv4 address.
(Optional) Manually add routes. Click Save.
Interface throughput
ExtraHop appliance models EDA 6100, EDA 8100 and EDA 9100 are optimized to capture traffic exclusively on 10GbE ports. Enabling the 1GbE interfaces for monitoring traffic can impact performance, depending on the ExtraHop appliance.
Command appliance or with other devices outside of the local network, you can enable your ExtraHop system to connect to a proxy server you already have on your network. Internet connectivity is not required for the global proxy server.
• Password: The password for the user specified above.
Bond interfaces
You can bond multiple 1 GbE interfaces on your ExtraHop system together into a single logical interface that has one IP address for the combined bandwidth of the member interfaces. Bonding interfaces enables a larger throughput with a single IP address.
SMTP server should be the fully qualified domain name (FQDN) or IP address of an outgoing mail server that is accessible from the ExtraHop system. If the DNS server is set, then the SMTP server can be an FQDN; otherwise you must type an IP address.
(Explore appliance only) A registered Explore node is missing from the cluster. The node might have failed, or it is powered off. Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin. In the Network Settings section, click Notifications.
The file is typically saved to the default download location for your browser.
Send system notifications to a remote syslog server
The syslog export option enables you to send alerts from an ExtraHop system to any remote system that receives syslog input for long-term archiving and correlation with other sources.
A certificate signing request (CSR) is a block of encoded text that is given to your Certificate Authority (CA) when you apply for an SSL certificate. The CSR is generated on the ExtraHop system where the SSL certificate will be installed and contains information that will be included in the certificate such as the common name (domain name), organization, locality, and country.
In the Subject Alternative Names section, type the DNS name of the ExtraHop system. You can add multiple DNS names and IP addresses to be protected by a single SSL Certificate. In the Subject section, complete the following fields. Only the Common Name field is required.
Important: To trust the built-in system certificates and any uploaded certificates, you must also enable SSL/TLS or STARTTLS encryption and certificate validation when configuring the settings for the external server. Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin. Trusted Certificates.
Change the default password for the setup user
It is recommended that you change the default password for the setup user on the ExtraHop system after you log in for the first time. To remind administrators to make this change, there is a blue Change Password button at the top of the page while the setup user is accessing the Administration settings.
Regenerate or revoke the SSH key
To prevent SSH access to the ExtraHop system with an existing SSH key, you can revoke the current SSH key. A new SSH key can also be regenerated if needed. In the Access Settings section, click Support Access.
The following accounts are configured by default on ExtraHop systems but do not appear in the list of names on the Users page. These accounts cannot be deleted and you must change the default password upon initial login.
A user attempts to load a shared dashboard that they do not have access to.
User privileges
Administrators determine the level of access and functionality users have with the ExtraHop system. In addition to setting the privilege level for local users, you can enable options for any user privilege level.
Privilege Levels
Set the privilege level for your user to determine which areas of the ExtraHop system they can access. Users with unlimited or cloud setup privileges can access all areas of the ExtraHop system, including packets, session keys, and detections.
Records (Explore appliance)
View record queries
View record formats
Create, modify, and save record queries
Create, modify, and save record formats
Scheduled Reports (Command appliance)
Create, view, manage scheduled reports
Threat Intelligence
Note: (Reveal(x) Enterprise only) The Detections Access settings appear only if the global privilege policy for detections access control is set to Only specified users can access detections.
If you want to configure nested LDAP groups, you must modify the Running Configuration file. Contact ExtraHop Support for help. When a user attempts to log onto an ExtraHop system, the ExtraHop system tries to authenticate the user in the following ways: •...
Type the base DN in the Base DN field. The Base DN is the point from where a server will search for users. The base DN must contain all user accounts that will have access to the ExtraHop system. The users can be direct members of the base DN or nested within an OU within the base...
Type the base DN in the Base DN field. The Base DN is the point from where a server will search for user groups. The base DN must contain all user groups that will have access to the ExtraHop system. The user groups can be direct members of the base DN or nested within an OU within the...
Continue. On the Add RADIUS Server page, type the following information:
• Host: The hostname or IP address of the RADIUS server. Make sure that the DNS of the ExtraHop system is properly configured if you specify a hostname.
• Secret: The shared secret between the ExtraHop system and the RADIUS server.
From the Remote authentication method drop-down list, select TACACS+, and then click Continue. On the Add TACACS+ Server page, type the following information:
• Host: The hostname or IP address of the TACACS+ server. Make sure that the DNS of the ExtraHop system is properly configured if you are entering a hostname.
In addition to configuring remote authentication on your ExtraHop system, you must configure your TACACS+ server with two attributes, one for the ExtraHop service and one for the permission level. If you have a Trace appliance, you can optionally add a third attribute for packet capture and session key logging.
You can configure one or more allowed origins or you can allow access to the ExtraHop REST API from any origin. Only administrative users with unlimited privileges can view and edit CORS settings.
You must generate an API key before you can perform operations through the ExtraHop REST API. Keys can be viewed only by the user who generated the key or by system administrators with unlimited privileges. After you generate an API key, add the key to your request headers or the ExtraHop REST API Explorer.
• View or delete your own API key.
• Change your own password, but you cannot perform any other administration tasks through the REST API.
• Perform any ExtraHop system task available through the REST API.
"write": "limited"
• Generate an API key.
Privilege level / Actions allowed
"packets": "full_with_keys"
• View and download packets from an ExtraHop system through the GET /packetcaptures/{id} operation. This is an add-on privilege that can be granted to a user with one of the following privilege levels:
• "write": "full"...
Save system settings to the running config file
When you modify any of the system configuration settings on an ExtraHop system, you must confirm the updates by saving the running config file. If you do not save the settings, the changes are lost when your ExtraHop system restarts.
Disable specific ICMPv6 Echo Reply messages
You can prevent the ExtraHop system from generating Echo Reply messages in response to ICMPv6 Echo Request messages that are sent to an IPv6 multicast or anycast address. You might want to disable these messages to reduce unnecessary network traffic.
Management Protocol (SNMP). For example, you can configure your monitoring software to determine how much free space is available on an ExtraHop system and send an alert if the system is over 95% full. Import the ExtraHop SNMP MIB file into your monitoring software to monitor all ExtraHop-specific SNMP objects.
Verify that your Reveal(x) 360 system has been upgraded to version 8.7 before upgrading your self-managed sensors.
• If you have multiple types of ExtraHop appliances, you must upgrade them in the following order:
1. Command appliance
2. Discover appliances
3. Explore appliances
4. Trace appliances
•...
Note: Your browser might time out after 5 minutes of inactivity. Refresh the browser page if the update appears incomplete. If the browser session times out before the ExtraHop system is able to complete the update process, you can try the following connectivity tests to confirm the status of the upgrade process: •...
Click Upgrade. The ExtraHop system initiates the firmware upgrade. You can monitor the progress of the upgrade with the Updating progress bar. The appliance restarts after the firmware is installed. If you did not choose to automatically restart the appliance, click Reboot to restart the system.
The System Time page displays the current configuration and the status of all configured NTP servers. When capturing data, it is helpful to have the time on the ExtraHop appliance match the local time of the router. The ExtraHop appliance can set time locally or synchronize time with a time server. By default, system time is set locally, but we recommend that you change this setting and set time through a time server.
Configure the system time
By default, the ExtraHop system synchronizes the system time through the *.extrahop.pool.ntp.org network time protocol (NTP) servers. If your network environment prevents the ExtraHop system from communicating with these time servers, you must configure an alternate time server source.
HTTPS request to ExtraHop Cloud Services. If your ExtraHop system is not licensed for ExtraHop Cloud Services or is not yet licensed, the system attempts to register the system through a DNS TXT request for regions.hopcloud.extrahop.com and...
ExtraHop Support.
Update a license
If ExtraHop Support provides you with a license file, you can install this file on your appliance to update the license. Note: If you want to update the product key for your appliance, you must register your ExtraHop system.
Important: The packetstore is locked when the Trace appliance is restarted. Before packets can be written to disk, you must unlock the disk from the Packetstore Encryption Settings page. In the Appliance Settings section, click Disks. Navigate to the Packetstore Encryption Settings page.
Storage Units to a Trace appliance and retain all packets currently stored on the appliance.
Compatibility
The ExtraHop Extended Storage Unit (ESU) is available in two models, the 72 TB ESU and the 96 TB ESU.
ExtraHop Trace Appliance / Extended Storage Unit
ETA 6150 •...
Before connecting your ESU, make sure you have the following items available: • ExtraHop Trace appliance with firmware 7.2 or later. Firmware 7.4 is required to encrypt the ESU. If you have not deployed the Trace appliance, follow the instructions in the...
Note: If the Trace appliance was previously encrypted, the packetstore is locked after the Trace appliance is powered on. The packetstore must be locked before you can attach the ESU to an encrypted Trace appliance.
Trace appliance, the extended storage unit is designated as “foreign”. This status can occur when an extended storage unit was previously connected and then disconnected from the RAID controller on the Trace appliance it was originally connected to.
For extended storage units disconnected and then reconnected to the same Trace appliance
Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin. In the Appliance Settings section, click Disks.
Packet Query Status
The Packet Query Status page provides a collection of metrics about the Trace appliance. The metrics on this page can help you troubleshoot problems and determine why the ExtraHop appliance is not performing as expected.
Packet Query Status
Displays statistics about packet queries run from the Packets page.
Before you begin
Note: This procedure only enables you to perform management functions from a connected Command appliance or Reveal(x) 360. To search and download packets from the ExtraHop system, follow the instructions in Connect the Discover and Command appliances to the Trace appliance.
In the Trace Cluster Settings section, click Manager.