Device Security
Integrate Device Security with Network Switches for SNMP Discovery
Table of Contents
Integrate Device Security with Network Switches for SNMP Discovery
Device Security and Cortex XSOAR use SNMP to learn device
details from network switches.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
One of the following subscriptions:
One of the following Cortex XSOAR setups:
|
Device Security can work through Cortex XSOAR
and an on-premises XSOAR engine to retrieve information from switches
about the devices connected to them. To do this, XSOAR uses SNMP v2c or v3.
The engine begins by establishing trust with an entry switch—usually
at the edge or aggregation layer—by sending it an SNMP community
string for read-only access. After this, the engine queries the
switch for information about the devices connected to it; specifically,
it learns the switch name and IP address, device MAC address and
IP address, and (for Cisco Catalyst switches) the name of the physical
port on the switch to which a device connects. The XSOAR engine
also queries the entry switch for the IP addresses of neighboring
switches on the network. It collects device information from them
next and also gets a list of their neighboring switches as well.
XSOAR continues collecting device information and learning about
other switches until it has queried them all.
After collecting
information through SNMP, Device Security adds newly discovered details
about existing devices in its inventory and also adds newly discovered
devices to its inventory. When Device Security learns of a new device
through SNMP, it displays Discovered via snmp in
the Source column for it on the Devices page.
You
can also filter the inventory to display only those devices learned
through SNMP. Click the Filter icon
(
![]()
) above the inventory table, choose Source
and SNMP, optionally click the Save changes icon
(
![]()
) if you want to save
the filter for future use, and then Apply.
Device Security
then displays only devices that match the filter; that is, devices
discovered through SNMP.
To
retrieve this information, the XSOAR engine does an SNMP walk for
the following object identifiers (OIDs):
| OID | Comment |
|---|---|
| 1.3.6.1.2.1.1.5 | This OID gets the switch name. |
| 1.3.6.1.2.1.4.22.1.2 | This gets the ARP table on the switch, which contains device MAC address/IP address pairs. |
| 1.3.6.1.2.1.17.4.3.1.2, 1.3.6.1.2.1.17.1.4.1.2, 1.3.6.1.2.1.31.1.1.1.1 | These three OIDs combine together to get the device MAC address and physical port on the switch pairs. (Only Cisco Catalyst switches return this information.) |
| 1.3.6.1.4.1.9.9.23.1.2.1.1.4, 1.0.8802.1.1.2.1.4.2.1 | These OIDs provide the IP addresses of neighboring switches learned through Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP). |
Make sure the switches on your network allow read-only
access from the Cortex engine to these OIDs.
When you
look at the Device Details page for a device learned through SNMP,
you’ll only see fields for which Device Security has data. If a switch
provides partial data for a device, then Device Security shows the
data it received and hides the fields for which it wasn't sent anything.
Cortex
XSOAR runs a recurring job to query switches. Running the job on
a daily basis is recommended although you can set the interval between
jobs to occur more or less frequently as you want.
Using SNMP to collect information from network switches requires either a full-featured Cortex XSOAR server
or the purchase and activation of an Device Security third-party integration add-on license, which comes with a free cohosted Cortex XSOAR instance. The basic
plan includes a license for three integration add-ons, one of which can be used for
SNMP discovery. The advanced plan includes a license for all supported third-party
integrations.
Alternatively, you can use the free Network Discovery plugin to do
SNMP crawling. You can download the plugin onto a supported firewall
without needing to integrate with Cortex XSOAR.