ForeScout CounterACT. Configuration Guide. Version 1.4

Similar documents
ForeScout CounterACT. Configuration Guide. Version 1.2

ForeScout CounterACT. Plugin. Configuration Guide. Version 1.2

ForeScout CounterACT. Configuration Guide. Version 3.1

ForeScout CounterACT. Assessment Engine. Configuration Guide. Version 1.0

ForeScout CounterACT. Configuration Guide. Version 1.2

Forescout. Plugin. Configuration Guide. Version 2.2.4

ForeScout CounterACT. Core Extensions Module: CEF Plugin. Configuration Guide. Version 2.7

Forescout. Configuration Guide. Version 1.3

Forescout. Plugin. Configuration Guide. Version 1.2.2

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.1

Forescout. Engine. Configuration Guide. Version 1.3

Forescout. Configuration Guide. Version 3.5

CounterACT Wireless Plugin

ForeScout CounterACT. Configuration Guide. Version 5.0

ForeScout CounterACT. Track Changes to Network Endpoints. How-to Guide. Version 8.0

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.2.4

ForeScout CounterACT. Classify Devices. How-to Guide. Version 8.0

ForeScout CounterACT. Controller Plugin. Configuration Guide. Version 1.0

ForeScout CounterACT. Ensure Antivirus Compliance. How-to Guide. Version 8.0

ForeScout CounterACT. Ensure Instant Messaging and Peer to Peer Compliance. How-to Guide. Version 8.0

Forescout. Configuration Guide. Version 2.2

CounterACT NetFlow Plugin

Forescout. Configuration Guide. Version 8.1

Forescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2

ForeScout CounterACT. Configuration Guide. Version 4.1

ForeScout CounterACT. Deploying SecureConnector as a Service as Part of a Machine Image. How-to Guide. Version 8.0

ForeScout CounterACT. Cisco PIX/ASA Firewall Integration Module. Configuration Guide. Version 2.1

Enterprise Manager/Appliance Communication

ForeScout Research and Intelligent Analytics Program

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.3

ForeScout CounterACT. ARF Reports Module. Configuration Guide. Version 1.0.3

ForeScout CounterACT. Work with IPv6 Addressable Endpoints. How-to Guide. Version 8.0

ForeScout CounterACT. Centralized Licensing. How-to Guide. Version 8.0

ForeScout CounterACT. Configuration Guide. Version 1.1

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.3

Forescout. Control Network Vulnerabilities. How-to Guide. Forescout version 8.1

ForeScout CounterACT. (AWS) Plugin. Configuration Guide. Version 1.3

Forescout. Work with IPv6 Addressable Endpoints. How-to Guide. Forescout version 8.1

ForeScout Extended Module for Palo Alto Networks Next Generation Firewall

ForeScout CounterACT. Configuration Guide. Version

Forescout. Asset Reporting Format (ARF) Reports Module. Configuration Guide. Version 1.0.3

CounterACT DHCP Classifier Plugin

ForeScout Extended Module for Qualys VM

CounterACT External Classifier Plugin

ForeScout CounterACT. Windows Vulnerability DB. Configuration Guide. Updated February 2018

Forescout. Configuration Guide. Version 4.2

Forescout. Gradual Upgrade Guide. Version 8.1

CounterACT Aruba ClearPass Plugin

ForeScout CounterACT. Configuration Guide. Version 6.3

ForeScout Extended Module for Bromium Secure Platform

Forescout. Configuration Guide. Version 1.1

ForeScout CounterACT Version 8.0.1

Forescout. Configuration Guide. Version 2.4

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2

ForeScout Extended Module for Advanced Compliance

ForeScout CounterACT. SecureConnector Advanced Features. How-to Guide. Version 8.0

CounterACT Check Point Threat Prevention Module

Port Mirroring in CounterACT. CounterACT Technical Note

ForeScout CounterACT. Gradual Upgrade Guide. Version 8.0

Control Wireless Networks

CounterACT Afaria MDM Plugin

CounterACT DNS Enforce Plugin

Forescout. Configuration Guide. Version 4.4

ForeScout CounterACT. Security Policy Templates. Configuration Guide. Version

CounterACT Microsoft System Management Server (SMS) System Center Configuration Manager (SCCM) Plugin

ForeScout Extended Module for IBM BigFix

CounterACT User Directory Plugin

Forescout. eyeextend for ServiceNow. Configuration Guide. Version 2.0

Network Function Property Algorithm. CounterACT Technical Note

ForeScout CounterACT. Hardware Inventory Plugin. Configuration Guide. Version 1.0.3

CounterACT CEF Plugin

ForeScout Amazon Web Services (AWS) Plugin

ForeScout Extended Module for ServiceNow

ForeScout Extended Module for ServiceNow

Forescout. eyeextend for MobileIron. Configuration Guide. Version 1.9

ForeScout Extended Module for IBM BigFix

Forescout. eyeextend for IBM MaaS360. Configuration Guide. Version 1.9

ForeScout Extended Module for Tenable Vulnerability Management

Forescout. eyeextend for Carbon Black. Configuration Guide. Version 1.1

ForeScout Extended Module for MaaS360

CounterACT Syslog Plugin

ForeScout CounterACT. Configuration Guide. Version 2.2

Forescout. eyeextend for VMware AirWatch. Configuration Guide. Version 1.9

ForeScout Extended Module for Splunk

ForeScout CounterACT. Configuration Guide. Version 4.3

ForeScout Extended Module for MobileIron

Classify Mobile Assets

ForeScout App for IBM QRadar

ForeScout Extended Module for Symantec Endpoint Protection

ForeScout CounterACT Resiliency Solutions

ForeScout Extended Module for Splunk

ForeScout Agentless Visibility and Control

ForeScout Extended Module for HPE ArcSight

CounterACT IOC Scanner Plugin

Forescout. Controller Plugin. Configuration Guide. Version 1.1

ForeScout CounterACT. Resiliency Solutions. CounterACT Version 8.0

ForeScout CounterACT. Configuration Guide. Version 1.2

Forescout. eyeextend for Splunk. Configuration Guide. Version 2.9

ForeScout Extended Module for VMware AirWatch MDM

Classify Assets. How-to Guide. CounterACT Version 7.0.0

Transcription:

ForeScout CounterACT Core Extensions Module: Flow Analyzer Plugin Version 1.4

Table of Contents About the Flow Analyzer... 3 How It Works... 3 CounterACT Software Requirements... 4 Configure the Sharing of Anonymized Flow Data Statistics... 4 Enable Flow Analyzer Data Sharing... 4 Configure the Flow Analyzer... 5 Verify That the Plugin Is Running... 7 Test the Configuration... 7 Core Extensions Module Information... 7 Additional CounterACT Documentation... 8 Documentation Downloads... 8 Documentation Portal... 9 CounterACT Help Tools... 9 Version 1.4 2

About the Flow Analyzer The Flow Analyzer Plugin is a component of the ForeScout CounterACT Core Extensions Module. See Core Extensions Module Information for details about the module. The CounterACT Flow Analyzer detects flow information regarding the endpoints in your environment. It collects a statistical sampling of data about the network traffic in your environment, such as average packet size, average packet rate per second, inbound and outbound bandwidth usage, and DNS resolutions. ForeScout researchers continually attempt to provide better classification and posture assessment services to customers. Customers who opt to allow the anonymous information detected by the Flow Analyzer in their environments to be shared with ForeScout provide an important contribution to the ForeScout Research and Intelligent Analytics Program. For more information about the program, see Data Sharing for the ForeScout Research and Intelligent Analytics Program in the CounterACT Administration Guide. By default, after you accept the ForeScout Research and Intelligent Analytics Program participation terms, your CounterACT devices share selected endpoint properties with ForeScout. The purpose of the Flow Analyzer is to provide additional properties to be shared with ForeScout. Properties resolved by the Flow Analyzer are not available to CounterACT users from the Policy Manager. The ForeScout Research and Intelligent Analytics Program is a voluntary program. Customers are under no obligation to share their data to help ForeScout improve classification. The ForeScout Research and Intelligent Analytics Program and the Flow Analyzer provide no immediate benefits to an individual customer. In the long term, the program benefits customers in the form of more precise classification profiles. How It Works If additional property creation is enabled in your Flow Analyzer configuration, the following happens: 1. Network traffic data statistics are continuously collected and converted to hidden properties. The statistics are collected from two sources: Routers and switches that export NetFlow traffic processed by the CounterACT NetFlow Plugin (if installed and configured) SPAN traffic, which is converted to NetFlow protocol by the Flow Analyzer For the complete list of created properties, refer to Appendix I of the ForeScout Research and Intelligent Analytics Program Data Security Document. 2. If data sharing is enabled: a. All personally identifiable information (PII) is removed from the network traffic data statistics properties. The IP and MAC addresses of endpoints are converted to simulated addresses using a one-way function which ensures that the data can never reveal the actual addresses of endpoints in your network. For more information, see the ForeScout Research and Intelligent Analytics Program Data Security Document. Version 1.4 3

b. Managed CounterACT Appliances transmit the properties through the Enterprise Manager for upload to the ForeScout Research and Intelligent Analytics Program. CounterACT Software Requirements The Flow Analyzer requires the following CounterACT releases and other CounterACT components: CounterACT version 8.0 An active Maintenance Contract for CounterACT devices It is recommended to have the NetFlow Plugin running Configure the Sharing of Anonymized Flow Data Statistics By default, the Flow Analyzer is not enabled. To enable the creation and sharing of anonymized flow data statistics with ForeScout, do the following: 1. Enable Flow Analyzer Data Sharing 2. Configure the Flow Analyzer Enable Flow Analyzer Data Sharing Configure the Data Sharing option for sharing properties with ForeScout. For more information, see Data Sharing for the ForeScout Research and Intelligent Analytics Program in the CounterACT Administration Guide. To enable data sharing of properties, including those created by the Flow Analyzer: 1. In the CounterACT Console, select Options from the Tools menu. The Options dialog box opens. 2. Select Advanced > Data Sharing. Version 1.4 4

3. Select both checkboxes: Allow selected endpoint properties to be shared with ForeScout This allows basic data sharing. Allow all endpoint properties to be shared with ForeScout This allows the sharing of endpoint properties created by the Flow Analyzer. Data sharing can be enabled only if you accept the ForeScout Research and Intelligent Analytics Program participation terms. To read the terms, select the Allow selected endpoint properties to be shared with ForeScout checkbox. Configure the Flow Analyzer Configure the Flow Analyzer to create properties based on anonymized network traffic data statistics. The following options are available: Always collect network traffic data statistics and create the hidden properties. Share the properties with ForeScout if data sharing is enabled. (Default) If the Allow all endpoint properties to be shared with ForeScout option is selected in the Options > Advanced > Data Sharing window, do the following: a. Collect network traffic data statistics. b. Create the hidden properties. Version 1.4 5

c. Share the properties with ForeScout. Never collect network traffic data statistics for creating additional properties. By default, the settings defined for the Flow Analyzer are applied to all CounterACT devices. You can create separate configurations for individual devices or for groups of devices. See Configuring Features for an Appliance or Group of Appliances in the CounterACT Administration Guide. To configure the Flow Analyzer: 1. In the CounterACT Console, select Options from the Tools menu. 2. In the navigation pane, select Modules > Flow Analyzer. The Flow Analyzer configuration pane opens. 3. Select an option to determine if the additional properties are created. Always If selected in Options > Advanced > Data Sharing Never Anonymized flow data statistics are always used for creating additional properties. If Data Sharing is enabled in the Options > Advanced > Data Sharing window, then the properties are shared with ForeScout. Otherwise, the data is collected locally and the properties are not shared with ForeScout. If the Allow all endpoint properties to be shared with ForeScout option is selected in the Options > Advanced > Data Sharing window, then anonymized flow data statistics are used for creating properties that are shared with ForeScout. Otherwise, the network traffic data is not collected. This is the default option. Flow data statistics are never collected, even if the Allow all endpoint properties to be shared with ForeScout option is selected in the Options > Advanced > Data Sharing window. 4. Select Apply to save the configuration. 5. Select Test to test the configuration on one or more CounterACT devices, and select OK. Version 1.4 6

Verify That the Plugin Is Running After configuring the plugin, verify that it is running. To verify: 1. Select Tools>Options and then select Modules. 2. Navigate to the plugin and select Start if the plugin is not running. Test the Configuration To test that the Flow Analyzer receives network traffic data, do one of the following: To test the configuration of all devices, in the Options > Modules pane, select Core Extensions > Flow Analyzer and select Test. In the Flow Analyzer configuration pane, select Test and specify the devices you want to test. During the test, the Flow Analyzer listens for network traffic data for several seconds. The test fails if: Property creation from flow data statistics is not enabled. No network traffic data is detected. Core Extensions Module Information The Flow Analyzer plugin is installed with the CounterACT Core Extensions Module. The Core Extensions Module provides an extensive range of capabilities that enhance the core CounterACT solution. These capabilities enhance detection, classification, reporting, troubleshooting and more, and include the following components: Advanced Tools Plugin CEF Plugin DHCP Classifier Plugin DNS Client Plugin DNS Enforce Plugin DNS Query Extension Plugin Device Classification Engine External Classifier Plugin Flow Analyzer Plugin IOC Scanner Plugin IoT Posture Assessment Engine NBT Scanner Plugin Version 1.4 7

NetFlow Plugin Reports Plugin Syslog Plugin Technical Support Plugin Web GUI Plugin The Core Extensions Module is a ForeScout Base Module. Base Modules are delivered with each CounterACT release. Components listed above are released and rolled back with the Core Extensions Module. Refer to the CounterACT Core Extensions Module Guide for more module information, for example module requirements, upgrade and rollback instructions. See Additional CounterACT Documentation for information about how to access the module guide. Additional CounterACT Documentation For information about other CounterACT features and modules, refer to the following resources: Documentation Downloads Documentation Portal CounterACT Help Tools Documentation Downloads Documentation downloads can be accessed from one of two ForeScout portals, depending on which licensing mode your deployment is using. Per-Appliance Licensing Mode - Product Updates Portal Centralized Licensing Mode - Customer Portal Software downloads are also available from these portals. To learn which licensing mode your deployment is using, see Identifying Your Licensing Mode in the Console. Product Updates Portal The Product Updates Portal provides links to CounterACT version releases, Base and Content Modules, and Extended Modules, as well as related documentation. The portal also provides a variety of additional documentation. To access the Product Updates Portal: 1. Go to https://updates.forescout.com/support/index.php?url=counteract. 2. Select the CounterACT version you want to discover. Version 1.4 8

Customer Portal The Downloads page on the ForeScout Customer Portal provides links to purchased CounterACT version releases, Base and Content Modules, and Extended Modules, as well as related documentation. Software and related documentation will only appear on the Downloads page if you have a license entitlement for the software. The Documentation page on the portal provides a variety of additional documentation. To access documentation on the ForeScout Customer Portal: 1. Go to https://forescout.force.com/support/. 2. Select Downloads or Documentation. Documentation Portal The ForeScout Documentation Portal is a searchable, web-based library containing information about CounterACT tools, features, functionality and integrations. If your deployment is using Centralized Licensing Mode, you may not have credentials to access this portal. To access the Documentation Portal: 1. Go to www.forescout.com/docportal. 2. Use your customer support credentials to log in. 3. Select the CounterACT version you want to discover. CounterACT Help Tools Access information directly from the CounterACT Console. Console Help Buttons Use context sensitive Help buttons to quickly access information about the tasks and topics you are working with. CounterACT Administration Guide Select CounterACT Help from the Help menu. Plugin Help Files 1. After the plugin is installed, select Options from the Tools menu and then select Modules. 2. Select the plugin and then select Help. Documentation Portal Select Documentation Portal from the Help menu. Identifying Your Licensing Mode in the Console If your Enterprise Manager has a ForeScout CounterACT See license listed in the Console, your deployment is operating in Centralized Licensing Mode. If not, your deployment is operating in Per-Appliance Licensing Mode. Version 1.4 9

Select Options > Licenses to see whether you have a ForeScout CounterACT See license listed in the table. Contact your ForeScout representative if you have any questions about identifying your licensing mode. Version 1.4 10

Legal Notice 2018 ForeScout Technologies, Inc. All rights reserved. ForeScout Technologies, Inc. is a Delaware corporation. A list of our trademarks and patents can be found at https://www.forescout.com/company/legal/intellectual-property-patents-trademarks. Other brands, products, or service names may be trademarks or service marks of their respective owners. 2018-04-10 09:21 Version 1.4 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback