Follow the checklists below (as required) to configure your network so that you receive optimal results from the Network Glue Collector scan.
1.0 Configuration Checklists
1.1 SNMP Requirements
You will need to activate and configure SNMP on your network devices and add the respective SNMP community strings to Network Glue during the Network Glue Collector setup. This is necessary for the Collector to gather the most information possible about your devices and for the hierarchy of your network to be represented correctly. Configure the devices on your network that support SNMP v1 or v2c as follows:
- Ensure SNMP is activated on the network devices to be assessed by the Network Glue Collector.
- Set the device’s SNMP community strings so that they provide “read-only” access at minimum.
- Test your SNMP-enabled device’s read access, including basic device profile information such as system name, system description, or system uptime.
Note: Many third-party tools that you can use for testing are available from vendor websites. One example is snmpwalk; a sample command is snmpwalk -v1 -c public 10.10.1.50, where public is the community string and 10.10.1.50 is the address of the device. For more information about the use of snmpwalk with specific SNMP-enabled network devices, please contact the manufacturer of the device.
You must complete SNMP configuration based on the hardware you have on your network. Below is a list of instructions for the most common network solutions used by our partners:
- Meraki
- Cisco
- HP
- Fortinet
- SonicWall
- Sophos
- Datto Networking
- Dell
- Ubiquiti (navigate to Settings > Services > SNMP)
- TP-Link (navigate to http://tplinkwifi.net > Advanced > System Tools > SNMP Settings)
1.2 Domain-Based Network Configuration Requirements
For a domain-based network, enable:
- Forward DNS lookup.
- Reverse DNS lookup.
- ICMP for all endpoints (ICMP is used to identify active computer endpoints and devices on the network).
1.3 Firewall Rules
- Check your firewall settings to ensure SNMP traffic is not blocked. If it is blocked, the discovery of device names, MAC addresses, etc. will be hindered.
- Ping the device from the Network Glue Collector host machine and see if the device responds. If not, this can indicate its firewall is blocking access, or network ACLs may be preventing traffic.
1.4 Windows Domain Network Environments
Complete this checklist based on one of these three scenarios:
Configure your network’s domain controller, computer endpoints, and network user access rights as follows:
1.4.1 GPO (Group Policy Object) configuration for Windows Firewall (inbound rules)
- Allow WMI (Windows Management Instrumentation) service to operate through Windows Firewall. This includes the following rules:
  - Windows Management Instrumentation (ASync-In).
  - Windows Management Instrumentation (WMI-In).
  - Windows Management Instrumentation (DCOM-In). Please note that the Active Directory user utilized in the Network Glue Collector setup needs access privileges to use Windows DCOM.
- Allow remote registry to operate through Windows Firewall on the computer endpoint.
- Allow ICMP (Internet Control Message Protocol) to operate through Windows Firewall on the computer endpoint. ICMP requests are used to detect active computers on the network for scanning purposes.
1.4.2 GPO configuration for Windows services
- For WMI, set the startup type to “Automatic”.
- For remote registry, set the startup type to “Automatic”.
- For remote procedure call, set the startup type to “Automatic”.
1.4.3 Computer endpoint port availability
- Ensure that ports 135 and 445 are available for use with WMI and remote registry.
1.4.4 Third-party computer endpoint firewalls
- Ensure that third-party firewalls are disabled or configured similarly to Windows Firewall installed on computer endpoints as per this checklist.
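A pre-flight check for the DNS requirements in 1.2 and the port requirement in 1.4.3, meant to be run from the Collector host against your own endpoints before a scan. This is an added example, not part of Network Glue or its documentation; the function names and the rule that the reverse record must match the host label are assumptions of this example.

```python
import socket

# Ports from checklist 1.4.3 (used by WMI and remote registry).
REQUIRED_PORTS = (135, 445)


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def dns_round_trip(name, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Checklist 1.2: forward lookup, then reverse lookup. Returns (ip, ptr, ok)."""
    try:
        ip = forward(name)
    except OSError:          # socket.gaierror: name does not resolve
        return (None, None, False)
    try:
        ptr = reverse(ip)[0]
    except OSError:          # socket.herror: no PTR record
        return (ip, None, False)
    # Assumption: compare the host label only, case-insensitively.
    same = ptr.split(".")[0].lower() == name.split(".")[0].lower()
    return (ip, ptr, same)


def preflight(name, ports=REQUIRED_PORTS, probe=tcp_open, **dns):
    """Return a list of findings for one endpoint; an empty list means ready."""
    ip, ptr, ok = dns_round_trip(name, **dns)
    if ip is None:
        return [f"{name}: forward DNS lookup failed"]
    findings = []
    if ptr is None:
        findings.append(f"{name}: no reverse (PTR) record for {ip}")
    elif not ok:
        findings.append(f"{name}: PTR for {ip} is {ptr}, which does not match")
    findings += [f"{name}: TCP {p} not reachable" for p in ports if not probe(ip, p)]
    return findings


if __name__ == "__main__":
    import sys
    for endpoint in sys.argv[1:]:  # hostnames supplied by the operator
        print("\n".join(preflight(endpoint) or [f"{endpoint}: ready"]))
```

A port finding on an endpoint whose Windows Firewall GPO is already applied points to the third-party firewall or network ACL cases covered in 1.3 and 1.4.4.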
2.0 Installation Checklists
2.1 Network Glue Collector
- Install the Collector on a device that is within the IP ranges that you want to scan to ensure it can discover all possible devices.
- Install the Collector on a server, rather than a workstation. If the Collector is installed on a workstation, the discovery process may stop running if the workstation is turned off or sent to sleep.
- If the Collector is installed on a virtual machine, change the virtual machine's network settings (e.g. from NAT mode) to bridge mode, so that the Collector is on the same subnet as the range being scanned.
2.2 Multiple Subnets
- Install the Network Glue Collector on each subnet where possible to discover all the devices within each subnet.
Note: While the Collector can scan multiple subnets, the level of detail in the information collected may vary.