ICS SHIELD R 510.2 Security Center Getting Started Guide CS-ICSW400en-510B June 2020


Notices

Trademarks
Microsoft and SQL Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Trademarks that appear in this document are used only to the benefit of the trademark owner, with no intention of trademark infringement.

Third-party licenses
This product may contain or be derived from materials, including software, of third parties. The third party materials may be subject to licenses, notices, restrictions and obligations imposed by the licensor


About this Guide

This guide is intended to serve as an introduction for using the Security Center.

Scope
This guide details essential concepts and functionalities of Security Center. In addition, the guide introduces a set of ICS Shield Add-ons, namely: product lines and ESPs that require dedicated licenses. Each add-on is described briefly in a dedicated chapter, followed by a reference to the individual guide that provides in-depth descriptions and instructions for using the add-on.

Intended audience
This guide is for Security Center operators, who are responsible for monitoring and supporting an ICS Shield network.

Using this guide requires a basic knowledge of Operational Technology (OT) and Information Technology (IT) infrastructures and operations.

Related documents
The following list identifies publications that may contain information relevant to the information in this document.

Document Name                                              Document Number
ICS Shield R510.2 - VSE User Guide                         CS-ICSW601en-510B
ICS Shield R510.2 - VSE Administrator Guide                CS-ICSW701en-510B
Performance Analyzer Installation and Configuration Guide  PZDOC-X578-en-150
ICS Shield R510.1 - Linux Machine PL User Guide            CS-ICSE604en-510A
ICS Shield R510.1 - Network Device PL User Guide           CS-ICSE605en-500A
ICS Shield R510.1 - Windows Machine PL User Guide          CS-ICSE606en-510A
ICS Shield R510.1 - ePO ESP User Guide                     CS-ICSE609en-510A
ICS Shield R510.1 - WSUS Sync ESP User Guide               CS-ICSE610en-510A


Revision history

Revision  Supported Release  Date                Description
B         R 510.2            June 28, 2020       Revised version of 510.2.
B         R 510.2            September 26, 2019  Updated release of ICS Shield documentation, with Security Center documents only
A         R 510.1            August 8, 2019      Updated release of ICS Shield documentation
A         R 500.1            February 27, 2019   First release of the ICS Shield documentation

Contents

1. SECURITY CONSIDERATIONS
  1.1 Physical security
  1.2 Separate security zone
  1.3 Limiting access
    1.3.1 At the Security Center level
    1.3.2 At the directory or file level
  1.4 Encryption and validation
  1.5 Possible security risks
2. TERMS AND DEFINITIONS
3. OVERVIEW
4. CONCEPTS
  4.1 VSE and site
  4.2 Device
  4.3 Entity
5. BASIC FUNCTIONALITY
  5.1 Accessing the Security Center
  5.2 My Day
    5.2.1 Opening My Day
    5.2.2 Remote access connections
  5.3 Sites
    5.3.1 Navigating to an entity
    5.3.2 Context sensitivity
    5.3.3 Dashboard
    5.3.4 Alarms
    5.3.5 Data
  5.4 Remote access to a single VSE or device
    5.4.1 Installing and upgrading Secure Connect
    5.4.2 Installing VNC Player
    5.4.3 Opening a remote access connection from Sites
    5.4.4 Closing connections
    5.4.5 Remote Connections
    5.4.6 Remote access session recording
  5.5 Remote activities on multiple VSEs and devices
    5.5.1 Remote activities
    5.5.2 Running diagnostic activities
    5.5.3 Running fix activities
    5.5.4 Running instant commands
  5.6 Transferring files
    5.6.1 Getting files
    5.6.2 Sending files
    5.6.3 Distributing software
  5.7 Reports
    5.7.1 Inventory
    5.7.2 Healthcheck
    5.7.3 Performance
    5.7.4 System
    5.7.5 Custom
  5.8 User profile
    5.8.1 Details
    5.8.2 Permissions
    5.8.3 Notifications

List of Figures

FIGURE 4-1. ENTITY HIERARCHY EXAMPLE
FIGURE 5-1. LOGGING OUT OF ICS SHIELD
FIGURE 5-2. MULTIPLE REMOTE ACCESS CONNECTIONS IN MY DAY PAGE
FIGURE 5-3. FAVORITES AND RECENT HISTORY SECTIONS
FIGURE 5-4. REMOTE ACCESS CONNECTION ICONS
FIGURE 5-5. SECURITY CENTER - SITES SECTION PAGE ELEMENTS
FIGURE 5-6. DEVICE LIST NOT AVAILABLE
FIGURE 5-7. DASHBOARD TAB AT THE ALL LEVELS LEVEL
FIGURE 5-8. DASHBOARD TAB AT THE GROUP LEVEL
FIGURE 5-9. DASHBOARD TAB AT THE SITE LEVEL
FIGURE 5-10. DASHBOARD TAB AT THE DEVICE LEVEL
FIGURE 5-11. REMOTE CONNECTIONS TAB
FIGURE 5-12. ESTABLISH REMOTE ACCESS CONNECTION
FIGURE 5-13. ADDING REMOTE CONNECTION PARAMETERS
FIGURE 5-14. ACTIVITY LOG DETAILS
FIGURE 5-15. ACTIVITY LOG TAB

List of Tables

TABLE 1-1. LIST OF PORTS
TABLE 5-1. OPENING A REMOTE ACCESS CONNECTION
TABLE 5-2. SECURITY CENTER UI FEATURES ACCORDING TO CONTEXT
TABLE 5-3. DEFAULT REMOTE ACCESS PROTOCOLS
TABLE 5-4: INVENTORY REPORTS
TABLE 5-5: HEALTHCHECK REPORTS
TABLE 5-6: PERFORMANCE REPORTS
TABLE 5-7: SYSTEM REPORTS
TABLE 5-8: CUSTOM REPORTS


1. Security Considerations

This chapter outlines the security measures for Security Center.

1.1 Physical security

CAUTION

Security Center is a mission-critical component.

Take all necessary physical measures to prevent attacks or disasters.

Ensure that the server where the product is installed is located in an approved physically secure location that is accessible only to authorized personnel.

1.2 Separate security zone

Security Center contains sensitive information, such as cryptographic keys for the secure tunnel. Loss of such information could lead to catastrophic consequences, so the sensitive information must be protected and attacks against the product prevented. To do that, the server where Security Center is installed must be part of a secure network, with strict access control lists and appropriate firewall/routing rules.

Ensure that Security Center is installed in a directory that is only accessible to authorized personnel responsible for the product.

CAUTION

If Security Center is installed on one or more servers that are exposed to untrusted networks such as the Internet, protection against denial-of-service (DoS) attacks must be implemented.

1.3 Limiting access

It is highly recommended to follow regulatory, industry, and enterprise standards for limiting access to sensitive information as specified below.

1.3.1 At the Security Center level

User management on the host running the Security Center must follow the principles of need to know and least privilege: only users who absolutely must have access to the computer are granted access, and these users are assigned the minimal set of permissions that allows them to perform their job.

1.3.2 At the directory or file level

Access to directories and files should also be granted in accordance with the principles of need to know and least privilege: only users who absolutely must have access to the requested directory and file are granted access, and these users are assigned the minimal set of permissions that allows them to perform their job.

Use the built-in file access audit logging of the OS to monitor unauthorized changes to sensitive files.

1.3.2.1 Ports used by Security Center

The ports used for Security Center are listed in the table below.

Table 1-1. List of ports

Port Number    Direction  Used for
8447           Outbound   Communication server – used in TCP
8448           Inbound    Access Gateway (RAG).
443            Outbound   Web UI
1935           Inbound    The address for the streaming server machine as IP:port. Usually the same as RAG IP + port 1935 (default RTMP port, used for RDP recording).
                          Note: This port is optional and is only used if session recording is enabled.
9999           Outbound   The address for the streaming server HTTP control module as IP:port. Usually the same as RAG IP + the port defined in nginx.conf.
                          Note: This port is optional and is only used if session recording is enabled.
10000 - 16000  Inbound    High ports used by the Remote Access feature.
                          Notes:
                          • The use of high ports is only relevant when the Security Center is not configured in SAAS mode.
                          • This is the default port range; the port range can be modified based on the customer needs
389            Outbound   Connection to LDAP server.
                          Note: This port is optional and is only used if Active Directory is enabled.
389            Outbound   Connection to SLDAP server.
                          Note: This port is optional and is only used if Custom authentication is enabled.
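
Table 1-1 can be turned into an allow-list that depends on which optional features are enabled. The following is an added example, not part of the original guide or of ICS Shield: it builds that allow-list and flags observed flows that fall outside it. The feature labels, the Flow record and the sample flows are constructed for illustration, and the direction values are used exactly as the table prints them.

```python
"""Audit observed flows against the ports documented in Table 1-1."""
from dataclasses import dataclass

# Rows of Table 1-1: (low, high, direction, purpose, feature).
# feature is None for ports that are always used. The feature labels are
# hypothetical names chosen for this example, not Security Center settings.
TABLE_1_1 = [
    (8447, 8447, "outbound", "Communication server (TCP)", None),
    (8448, 8448, "inbound", "Access Gateway (RAG)", None),
    (443, 443, "outbound", "Web UI", None),
    (1935, 1935, "inbound", "Streaming server (RTMP)", "session_recording"),
    (9999, 9999, "outbound", "Streaming server HTTP control", "session_recording"),
    (10000, 16000, "inbound", "Remote Access high ports", "non_saas"),
    (389, 389, "outbound", "LDAP server", "active_directory"),
    (389, 389, "outbound", "SLDAP server", "custom_auth"),
]

DEFAULT_HIGH_PORTS = (10000, 16000)  # default range; the table says it can be changed


@dataclass(frozen=True)
class Flow:
    """One observed connection (constructed record format for this example)."""
    direction: str  # "inbound" or "outbound", as labelled in Table 1-1
    port: int
    peer: str


def allowed_rules(features, high_ports=DEFAULT_HIGH_PORTS):
    """Return the Table 1-1 rows that apply for the enabled features."""
    rules = []
    for low, high, direction, purpose, feature in TABLE_1_1:
        if feature is not None and feature not in features:
            continue  # optional port whose feature is off: it should stay closed
        if feature == "non_saas":
            low, high = high_ports  # honour a site-specific high-port range
        rules.append((low, high, direction, purpose))
    return rules


def audit(flows, features, high_ports=DEFAULT_HIGH_PORTS):
    """Split flows into (matched, unexpected) against the applicable rules."""
    rules = allowed_rules(features, high_ports)
    matched, unexpected = [], []
    for flow in flows:
        hit = next((r for r in rules
                    if r[2] == flow.direction and r[0] <= flow.port <= r[1]), None)
        if hit is None:
            unexpected.append(flow)
        else:
            matched.append((flow, hit[3]))
    return matched, unexpected


def unused_rules(flows, features, high_ports=DEFAULT_HIGH_PORTS):
    """Purposes that are allowed but never observed: candidates for review."""
    matched, _ = audit(flows, features, high_ports)
    seen = {purpose for _, purpose in matched}
    return [r[3] for r in allowed_rules(features, high_ports) if r[3] not in seen]


# Constructed sample flows (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    Flow("outbound", 8447, "198.51.100.5"),
    Flow("inbound", 8448, "198.51.100.5"),
    Flow("inbound", 12044, "198.51.100.5"),
    Flow("inbound", 1935, "198.51.100.9"),   # RTMP although recording is off
    Flow("outbound", 389, "198.51.100.20"),
    Flow("inbound", 3389, "192.0.2.44"),     # not listed in Table 1-1
]

if __name__ == "__main__":
    enabled = {"non_saas", "active_directory"}
    ok, bad = audit(SAMPLE_FLOWS, enabled)
    for flow in bad:
        print(f"UNEXPECTED {flow.direction} port {flow.port} peer {flow.peer}")
    print("allowed but not observed:", unused_rules(SAMPLE_FLOWS, enabled))
```
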

1.4 Encryption and validation

All cryptographic keys generated for the encrypted communication must follow the current industry standards, including key size, encryption suites, certificate swapping and so on.

Operators and other personnel who have a low authorization level are advised to ensure that they only run software provided from the Headquarters as a code-signed executable file, such as Secure Connect, VNC Player, and Hyper Tunnel. Code-signed software displays the "signed by" notification when it starts to run.

It is recommended to use a valid certificate issued by a trusted Certificate Authority (CA), either the organization’s internal CA or an external CA.

1.5 Possible security risks

Note the following best practices:

• Ensure that directories used for storing remote access session recordings are handled as containing sensitive information. If these directories are located in a shared drive, the location needs to have the least privileges assigned to both the NTFS permissions and the share permissions.

• Change the initial passwords of the database schemas.

• Create an HTTPS certificate for the Security Center web server.

NOTE

A full procedure explaining the process of creating a valid and CA-signed HTTPS certificate can be found in section Security Center with HTTPS/SSL in the Security Center installation guide, which is to be released later this year.

2. Terms and Definitions

NOTE

The terms and definitions table is sorted by alphabetical order.

Term                             Definition
add-on                           An umbrella term for product lines and ESPs.
analysis rule                    The user-defined range of values for a specific metric, such as CPU utilization or buffer cache hit ratio.
analysis rule violation          If the value collected meets the criteria defined by the analysis rule, this triggers an analysis rule violation.
asset                            Any site component that is connected to the network and is accessible from the VSE
corrective action                A collection profile that performs an action to correct a problem detected by other collection profiles; for example, if a monitoring profile detected a low disk space issue, a corrective action will delete obsolete and large temporary files
device                           A representation of a physical or virtual server or machine in the VSE
diagnose routine (DR)            A collection profile that runs on demand and is intended to collect in-depth diagnostic data.
Essential security policy (ESP)  A set of actions and scripts that together instruct the VSE to perform certain procedures on devices that are defined in the VSE.
execution profile                A collection of scripts related to one logical area, such as machine security status, hardware information, event logs, or storage information; these scripts can either be run on demand (Diagnose Routine or Corrective Action) or based on a predefined schedule.
knowledge alarms                 Alarms defined within a specific product line, which are triggered by analysis rules and concern the device handled by the product line; for example, if the CPU temperature of a network switch exceeds a predefined threshold.
monitoring profile (MP)          A collection profile configured to run at set time intervals, such as Every day at 18:00.
product line                     A set of actions and scripts that together instruct the VSE to perform certain procedures on devices that are defined in the VSE.
reverse tunnel                   A secured connection initiated by the VSE to the Security Center.
site                             A remote physical location, such as an industrial plant, which includes one or more network environments and has at least one VSE.
tunnel                           A secure connection established from the Security Center to the VSE.
Virtual security engine (VSE)    The ICS Shield component that is installed at the remote site, monitors the assets at the site, and provides additional functionalities such as remote access.


3. Overview

The ICS Shield Security Center allows operators to perform all troubleshooting, monitoring, remote activity management and software distribution functions assigned to them.

From the Security Center, an operator can do the following:

• Perform health check monitoring on systems installed at customer sites, based on site reports arriving at the Security Center.

• Perform basic technical support operations, such as requesting remote access to supported devices, collecting data and performing remote activities.

• Manage the installed base by viewing an inventory of all existing systems, performing different activities and distributing software modules to systems in the field.

From the search and breadcrumbs area at the top (available on all screens) and the tree in the left pane (not available on all screens), you can create new remote activities for specific VSEs and devices as needed, as well as view the latest data available for any device. As in all components, you use the navigation area to navigate between the different items, and you can use the navigation map link to navigate to any part of the Sites, Reports, Builder, or Administration components.

In addition, the ICS Shield Security Center homepage provides up-to-date system health status and quick access tools for prompt engagement.


4. Concepts

This chapter presents several key concepts that help in understanding the role of the Security Center in ICS Shield.

4.1 VSE and site

The terms VSE and site, which are basic to understanding ICS Shield, are at times used interchangeably:

• A site is a physical location, such as an industrial plant or a warehouse.

• The VSE is the ICS Shield software component that is installed at the site for monitoring the devices at the site.

Usually, when the term site is used in the context of ICS Shield, it refers to the VSE software installed at the site. This is because data about objects at the site is only collected if the objects are represented as devices in the VSE, and therefore a physical site is usually meaningless in describing ICS Shield processes.

Typically, the Security Center is located at an organizational data center that is physically located separately from the industrial plant sites. Therefore, the sites and their associated VSEs are considered remote from the Security Center. As a result, tasks performed by the Security Center on one or more VSEs installed at remote sites are referred to as remote connections and remote activities.

4.2 Device

A site typically consists of many hardware and software components – network switches, routers, virtual machine hosts, and so on – that fulfill various functions required for the site’s performance. While performing its designated function, a component might generate data that can be very valuable for the organizational enterprise. This data can be collected by a VSE, provided that the component is connected to the network and defined in the VSE. A network component defined in the VSE is called a device and is identified by its IP address. The set of actions, rules, and scripts that together instruct the VSE to perform various procedures on a device is called a product line.

In summary:

A device is a representation at the VSE of a physical or virtual server or machine. The essential parameters in the device definition (the product line and the IP address) determine how the VSE acts on the device.

4.3 Entity

In the ICS Shield, data is associated with the following set of entities:

• Devices
• Systems
• VSEs
• Groups
• All Levels

Data is generated by devices and collected by VSEs; all additional entities are logical entities that can be very useful in organizing the data. Combining entities can save considerable time and effort by avoiding repetitive work; for example, you can perform the same task on the entire group instead of on single entities, or examine the status of multiple entities.

The Security Center organizes these entities in a hierarchy consisting of several levels of entities. These entities are displayed below in ascending order:

• Device – the lowest level of the hierarchy; for example, in a paper mill, a sawing machine can be one device, and it can be called the Saw.

• System – an optional logical grouping of several devices.
  For example, if several devices (a heater, a fan, and a thermostat) are used as part of a drying process, they can be grouped together in a system called the Dryer.

• Site – the name denoting VSE in the hierarchy.
  A site can group together one or more systems and standalone devices. For example, all devices and systems in a warehouse in Clermont, Quebec, can be grouped in a site called Clermont Warehouse, while a similar VSE is called Montreal, Quebec.

• Group level 3 – this is the level where you can add new sites, and it is used for grouping together several VSEs.
  For example, a cardboard manufacturing process might consist of several manufacturing plants and several warehouses located at several different physical sites in Quebec, Canada. At each site there is a separate VSE. It might be advantageous to group together all the manufacturing plant VSEs in a group called Cardboard Production, and all the warehouse VSEs in another group called Warehouses.

• Group level 2 – allows grouping together several level-3 groups.
  For example, the level 3 groups mentioned above - Cardboard Production and Warehouses - can be grouped, based on their location, in a group called Quebec, while another level 2 group reflects a similar organizational structure in Ontario and is called Ontario.

• Group level 1 – allows grouping together several level-2 groups.
  For example, all level 2 groups that represent provinces in Canada can be grouped in a level 1 group called Canada. Another level 1 group reflects a similar organizational structure in several US states and is called USA.

• All levels – the highest level in the hierarchy; in this example, the name of the paper company.

In summary, the example of the entity hierarchy is shown in the figure below.

Figure 4-1. Entity hierarchy example


5. Basic Functionality

This chapter introduces the basics of the Security Center, namely: the functions that

do not require additional licenses. These functions, available through several

workspaces or modules in the Security Center interface, enable the operator to

accomplish various tasks related to ICS Shield functions.

5.1 Accessing the Security Center

The ICS Shield Security Center can be configured by your administrator to use one of

the following authentication methods:

• Native Authentication (Username and Password) - default option

• SAML

• LDAP

• LDAP + RSA Two-Factor Authentication

ICS Shield Release 500 introduces the option of adding an additional layer of

security by configuring the Security Center to use RSA Two-Factor Authentication

in addition to LDAP.

NOTE

• If your Security Center installation is configured to use RSA Two-Factor Authentication, you need a security token generated by either a USB device or an application installed on your computer/smartphone.

• The Security Token field is only displayed on the ICS Shield login page if your installation is configured for Two-Factor authentication.

To log in to the Security Center by using native (default) authentication:

1. In a browser, navigate to the login page (https://<server-name> or <IP>).

2. If you are logging in to a Security Center installed in the same Windows domain as your Windows account, in the Username and Password fields, enter your credentials and click LOGIN.

Alternatively, if you are logging in to a Security Center installed in a different Windows domain than your Windows account, in the Username field enter your username preceded by the domain and a backslash (<domain>\<username>). In the Password field, enter your password and click LOGIN.

To log in to the Security Center by using LDAP or SAML authentication:

1. In a browser, navigate to the login page (https://<server-name> or <IP>).

If Two-Factor Authentication is enabled, the Security Token field is displayed, in

which case proceed to step 2. Otherwise, proceed to step 3.

2. In the Security Token field, enter the Security Token generated by your RSA

application.

3. Use one of the following login options:

| Security Center (SC) domain | Logging in as Current User | Logging in as Different User |
|---|---|---|
| A Security Center installed in the same Windows domain as your Windows account. | Click LOGIN AS CURRENT USER. | 1. Click LOGIN AS ANOTHER USER. 2. In the Login Credentials dialog box, enter the required credentials. 3. Click LOGIN. |
| A Security Center installed in a different Windows domain than your Windows account. | 1. Click LOGIN AS CURRENT USER. 2. In the Login Credentials dialog box, in the Username field, enter your username preceded by the domain and a backslash (<domain>\<username>). 3. In the Password field enter your password. 4. Click LOGIN. | 1. Click LOGIN AS ANOTHER USER. 2. In the Login Credentials dialog box, in the Username field, enter your username preceded by the domain and a backslash (<domain>\<username>). 3. In the Password field enter your password. 4. Click LOGIN. |

CAUTION

The first time you log in as the current user to a Security Center installed in a different Windows domain than your Windows account, your credentials are saved locally, and you will not be prompted to enter them again.

Anyone using this computer can log in to the Security Center with these credentials by clicking LOGIN AS CURRENT USER.

To log out of ICS Shield:

1. On the top right corner of the screen, click the user initials.

2. Select Logout.

5.2 My Day

The My Day page allows you to focus on your currently-open remote access

connections by offering two major features:

• Open connections-only view

You can only view your currently open connections (unlike the Sites page, which

displays all connections made by all operators during the selected time range).

• Context-free navigation

You can go directly to the requested device or site and open several entities on the

same screen (unlike the Sites page, which is context-dependent – that is, each

device or site is shown in a full-screen view within its place in the navigation

hierarchy).

Figure 5-1. Logging out of ICS Shield

Figure 5-2. Multiple remote access connections in My Day page

To view or manage remote access connections started by other operators, go to the

Sites page. For more information, see section 5.3, Sites.

By default, the current working day in the My Day page consists of 12 hours, starting

at 7:30 AM. If required, these values can be changed. The maximum number of days

for which an unfinished remote access activity is displayed is 7 days.

5.2.1 Opening My Day

To open the My Day module for the first time:

1. Log on to the Security Center application.

By default, the first time you log on to the Security Center application the UI opens

to the My Day module.

The first time the My Day module is accessed for the day, it opens to the Welcome

screen.

2. Click START YOUR DAY.

5.2.2 Remote access connections

From My Day it is possible to establish a remote access connection to an entity (site or

device), using any of the following operations:

• Searching for the site or device name in the search bar.

• The entity icon (in a remote access connection activity).

• Clicking one of the entries in the Favorites or Recent History sections:

Clicking pulls down or hides a list of favorites and recent history.

Clicking saves the current location as a favorite (available only from Sites

and Devices).

Clicking removes the current location from the favorites list.

• A breadcrumb located in the search results obtained from the Search for a Device

or Site text box.

• An entity obtained from the Advanced Search dialog box

Use the following table for suggestions of which method is the easiest for opening a

connection in a particular situation with the particular entity.

Table 5-1. Opening a remote access connection

| Do you know the entity name? | Was there a remote access connection to this entity in the past? If yes, when? | Do you need the same connection type as in the past? | For the most direct method… |
|---|---|---|---|
| Yes | Today | Yes | Click the remote access connection icon next to the remote access connection activity. For details, see To open the same type of connection to the same entity as was performed earlier today. |
| Yes | Today | No | Click the entity icon in the remote access connection activity. For details, see To open a remote connection from a remote connection activity. |
| Yes | Recently | Possibly | Go to the Recent History section in the Favorites and Recent History drop-down list. For details, see To open a remote connection from the Favorites and Recent History drop-down list. |
| Yes | Not recently | Possibly | Go to the Favorites section in the Favorites and Recent History drop-down list. |
| Yes | Not recently, but it’s not a Favorite | Possibly | Enter search criteria in the Search for a Device or Site text box. For details, see To open a remote connection from the Search for a Device or Site text box. |
| Yes | No | Possibly | Click Advanced Search. For details, see To open a remote connection from the Advanced Search dialog box. |
| No | No | Possibly | Click Advanced Search. |

Figure 5-3. Favorites and Recent History sections

To open the same type of connection to the same entity as was performed earlier

today:

1. Click the remote access connection icon to the left of the remote access

connection activity.

A message box opens with the following message: Remote Access Session in Progress… (Executing)

After a few seconds it closes and the InstallSecureConnect.exe? message box

opens.

2. Click InstallSecureConnect.exe.

The connection opens (such as a command line window or a Windows VNC,

depending on the connection type).

To open a remote connection from a remote connection activity:

1. Click the entity icon to the left of the remote access connection activity.

The appears at the top of the page. Do one of the following:

If the requested remote access connection icon is also displayed, proceed to

step 2.

If the requested remote access connection icon is not displayed, Click .

The Establish Remote Access Connection drop-down icon collection

appears.

2. Click the requested remote access connection icon.

To open a remote connection from the Favorites and Recent History drop-down list:

1. Click the down arrow icon to the right of the Search text box to display a drop-down list of breadcrumbs.

2. All breadcrumbs that belong to the Favorites list are indicated with a blue star.

Click the star icon on the right end of each row to toggle between adding or

removing a breadcrumb to and from the Favorites list.

3. Repeat steps 1 and 2 from the instructions To open a remote connection from a

remote connection activity.

Figure 5-4. Remote access connection icons

To open a remote connection from the Search for a Device or Site text box:

1. Enter search criteria in the Search for a Device or Site text box to the left of .

A drop-down list opens, displaying all the entities that meet the criteria.

2. Click the requested entity.

The appears at the top of the page. Do one of the following:

If the requested remote access connection icon is also displayed, continue

with next step.

If the requested remote access connection icon is not displayed, Click

The Establish Remote Access Connection drop-down icon collection

appears.

3. Click the requested remote access connection icon.

To open a remote connection from the Advanced Search dialog box:

1. Click Advanced Search.

The Advanced Search dialog box (with Sites and Devices tabs) opens.

2. Select one of the tabs for your search.

3. Enter search criteria and click APPLY.

A list of entities that meet the criteria is displayed.

4. Select the requested entity.

5. Click Select.

The appears at the top of the page. Do one of the following:

If the requested remote access connection icon is also displayed, continue

with next step.

If the requested remote access connection icon is not displayed, Click .

The Establish Remote Access Connection drop-down icon collection

appears.

6. Click the requested remote access connection icon.

5.3 Sites

The figure below shows the UI page elements of a typical Sites module.

Below is a brief description of the page elements in the Sites module of the Security

Center.

• Search

Clicking replaces the breadcrumbs with a text box and the Advanced Search

option. In the text box enter the search criteria. A space between each entry acts

as a logical AND.

Clicking Advanced Search opens a pop-up with Sites, Systems, and Devices tabs.

• Breadcrumbs

Clicking on a breadcrumb pulls down a list of available elements below it. Select

an element.

• Favorites/History

Clicking pulls down a list of favorites and recent history.

Clicking saves the current location as a favorite (available only from Sites

and Devices).

Clicking removes the current location from the favorites list

Figure 5-5. Security Center - Sites section page elements

• Site Status/Name/permalink/Time/ID

This section of the screen contains the following components:

The status icon

This icon indicates whether the VSE is up, down, or offline.

Hovering the mouse pointer over this icon displays additional status

information.

Offline is a special VSE mode for a VSE that is defined and presented in the

Security Center but is deliberately restricted from sending any reports or data

to the Security Center.

NOTE

The status icon is only displayed in the Site, System, and Device context levels.

For details about navigating to these context levels, see section 5.3.1, Navigating to an entity and section 5.3.2, Context sensitivity.

The Group/Site/System/Device name.

Permalink – a link that, when clicked, copies a permanent identifier of the

URL, which can be saved as a bookmark and used for returning to the exact

web page. It is also possible to send the URL via email.

The time at the site.

The site ID.

• Tabs

The following tabs are available from the Sites module:

Dashboard – see section 5.3.3, Dashboard

Alarms – see section 5.3.4, Alarms

Summary – displays summarized information about the site, the site

license, and the contact person, as well as custom fields and labels

Device List – a list of all devices, including details such as product line,

model, and version

Remote Connections – see section 5.3.35.3.4, Remote Connections

Data – see section 5.3.5, Data

5.3.1 Navigating to an entity

You can navigate to any entity in the hierarchy by using any one of the following

features (located at the top of the Security Center UI page, see Figure 5-5):

• Search

• Advanced Search

• Breadcrumbs

• Favorites and History

To navigate to an entity in the hierarchy by using search:

1. Click .

A search text box appears, replacing the breadcrumb trail.

2. Enter search criteria in the text box. A space between each entry acts as a logical

AND.

3. Use the drop-down list of breadcrumb trails that appears to navigate to the

requested entity.

To navigate to an entity in the hierarchy by using Advanced Search:

1. Click .

A search text box and the Advanced Search option appear, replacing the

breadcrumb trail.

2. Click Advanced Search to open the Advanced Search dialog box.

3. Search for the requested entity as follows:

a. Select the relevant tab – Sites/Systems/Devices.

b. Enter the search criteria in one or more of the filter text boxes.

c. In the Devices tab, you can narrow the search further by selecting Filter by

Product Line and using the filter boxes select the product line name and

version(s), and/or by entering the model name.

4. Click APPLY.

5. Select the requested entity from the list that displays the search results.

Several tabs may be unavailable, depending on the context selected in the

breadcrumbs above; for example, the Device List tab is irrelevant in device

context. As a result, if the cursor is positioned in a specific tab and you use the

breadcrumbs to navigate to another context in which this tab is irrelevant, a

message like the one shown below appears.

6. Click Select to open the page of the requested entity.

To navigate to an entity in the hierarchy by using breadcrumbs:

1. Use either of the following methods:

Click an entity in the breadcrumb trail to open the page of the selected entity.

Do the following:

i. Click the appropriate breadcrumb separator arrow to display the drop-down list of entities located under the current entity page.

ii. Select the appropriate entity to open the page of the selected entity.

2. Repeat step 1 as needed to reach the requested entity.

To navigate to an entity in the hierarchy using favorites and recent history:

1. Click to display a drop-down list of breadcrumb trails.

2. Select the breadcrumb trail that contains the requested entity.

NOTE

• Clicking saves the current location, or selected breadcrumb trail, as a favorite (available only from the Site and Device contexts, from which Remote Access Connections can be invoked.)

• Clicking removes the current location, or selected breadcrumb trail, from the favorites list.

In the example of a paper company mentioned above, it is possible to navigate to the

Thermostat page by entering Dryer or selecting the following breadcrumb trail:

All Levels > Canada > Quebec > Cardboard production > Montreal Plant > Dryer

Figure 5-6. Device list not available

5.3.2 Context sensitivity

As described above, there are five types of levels in the entity hierarchy, which are as

follows: All Levels, Group, Site, System, and Device. These types of levels are called

contexts.

The Security Center UI is context sensitive, meaning that the displayed information

and functionality in the browser tabs change according to the context that is being

displayed. In the table below, checkmarks indicate in which contexts various features

are applicable.

Table 5-2. Security Center UI features according to context

| Feature | All Levels | Group | Site | System | Device | Comments |
|---|---|---|---|---|---|---|
| Dashboard tab | | | | | | For each context, the dashboard can be customized differently. However, a customized dashboard appears the same in all Group contexts. Therefore, an operator can use a maximum of five different dashboards. |
| Alarm tab | | | | | | |
| Activities Log tab | | | | | | |
| Summary tab | | | | | | Site: Site Summary. Device: Device Summary. |
| Device List tab | | | | | | Site: Devices connected to VSE. System: Devices grouped under the system. |
| Remote Connections tab | | | | | | |
| Data tab | | | | | | |
| Remote Activities | | | | | | The Remote Activities include: Diagnose, Fix, Command, Get File, Send File, Software, Import. In all contexts, the site and the device must be specified, either implicitly or explicitly. |
| Remote Access Connections | | | | | | Remote Access Connections include: Remote Terminal, Remote Desktop, Remote Browser. |

The following series of figures show how the default dashboard appears in each of the

context levels:

Figure 5-7. Dashboard tab at the All Levels level

Figure 5-8. Dashboard tab at the Group level

Figure 5-9. Dashboard tab at the Site level

5.3.3 Dashboard

The Dashboard tab provides operators with a graphic display of the current network

status, alarms, and remote activities, enabling them to make quick assessments of the

overall network situation. The customizable graphic display can contain several

customizable widgets, each of which can be configured to show a different set of

parameters relevant to the currently selected context.

Following are a few examples of basic widgets:

• The Sites Count widget indicates how many sites are currently accessible from the

current context. If a VSE is down, the reduced site count can alert the operator to

the issue.

• The Device Count widget indicates how many devices are currently accessible from the current context. If the number of devices is greater than the number for which the network was designed, performance might be degraded.

• The Sites Status widget displays, in a pie chart, the percentage of sites that are in

each of the four possible statuses: Up, Down, Offline, and Manual. The actual

number of sites in each status is displayed in the sections of the pie chart. To

determine which specific sites are included in each of the statuses, the operator

can navigate through the entity hierarchy, as described in section 5.3.1, Navigating

to an entity.

Figure 5-10. Dashboard tab at the Device level

5.3.4 Alarms

The Alarms tab displays the following types of alarms:

• System alarms

• Knowledge alarms

System alarms are predefined alarms triggered by conditions in ICS Shield

components. Knowledge alarms are defined in the product lines.

The Alarms tab displays the alarm information in the following columns:

• Status — Not Ack (not acknowledged - default value), Assigned, Closed (a

checkmark is also added within the Severity circle).

• Case — unique identifier of this alarm in an external ticketing system.

• Severity — Info (blue), Warning (yellow), Error (orange), Critical (red).

• Site — available for All Levels and Group contexts; unnecessary for Site, System,

and Device contexts.

• Description — description of alarm as defined in the product line.

• System — collection of devices that includes the device that is triggering the alarm.

• Device — the device that is triggering the alarm.

• Detected Time (User) — the time that the alarm was detected, according to the

time zone of the Security Center operator.

5.3.4.1 Full-screen mode

For easier monitoring, users with the View Alarms (Full Screen) permission can switch

the display to full screen.

NOTE

To enter full screen mode, press F11. Alternatively, click in the Alarms Tasks

menu. To exit full screen mode, press Esc or click. . These options are only

displayed for users with the View Alarms (Full Screen) permission.

View Alarms (Full Screen) mode:

• Automatically refreshes the alarms list at a set interval (default is 60 seconds).

• Displays a count-down timer indicating the amount of time until the next refresh.

5.3.5 Data

The Data tab displays the data derived from product lines and is accessible from the

Site and Device contexts.

In the Data tab you can view all the compliance and property statistics for devices and

sites. The default view displays recently accessed devices in the pane on the left side of

the data display area. Clicking displays the Compliance and Device

Properties lists in this pane. Select any property to display its collected data

information in the data display area.

5.4 Remote access to a single VSE or device

A remote access connection is used when a real-time, interactive remote connection to

a single site or device is required.

Below are several scenarios and their possible handling:

• A network connection issue

The operator can investigate by issuing the netstat command through the Telnet

remote terminal connection.

• An alarm alerts the operator that at a certain site the database is 90% full.

The operator can remotely delete unnecessary data or add more disk space. These

operations can both be performed by using the RDP remote desktop connection.

The Security Center provides the remote access connection protocols listed in Table

5-3. The operator can initiate a connection using the required protocol, by clicking the

protocol’s icon. If necessary, custom protocols can also be defined and added to the

available protocols. Connections using the custom protocols can similarly be initiated

by clicking the custom protocol icons.

Table 5-3. Default remote access protocols

Type To Sites and Devices Only to Devices

Terminal Telnet SSH

Desktop RDP VNC

Browser Http Https WMI

Remote access connections can be established either from the My Day module or

from the Sites module. Similarly, information about the remote connections can be

obtained from either module. The main difference between the two modules is that the

My Day module is context-free, and displays a shorter, current list of remote

connections. From My Day, operators who have logged on can only see the current

remote connections they have established today (or that are still open from previous

days), whereas from the Sites module, operators see the remote connections (both

current connections that are still open and those that have already been closed for

months) that have been made by other operators as well.

All remote access connections, whether established from the My Day module or the

Sites module, require an installation of Secure Connect, as described in the next

section.

NOTE

You might need to enable pop-ups. The procedure might differ depending on the

browser.

5.4.1 Installing and upgrading Secure Connect

To establish a remote connection, Secure Connect must be installed on your

computer.

NOTE

Secure Connect, as well as all other files stored in the Resources folder, only supports

64-bit version.

To install Secure Connect:

1. Click .

2. Click Resources.

3. Click Secure Connect.

InstallSecureConnect.exe is downloaded and appears in the lower left corner of

the browser.

4. Click the InstallSecureConnect.exe file. The User Account Control message box

opens.

5. Click Yes to run the InstallAnywhere self-extractor. The Secure Connect

installation wizard opens.

6. Click Next to run the installation wizard.

7. Click Next, Continue, Install, and Done to complete the installation.

5.4.1.1 Updating Secure Connect

Ensure that the most up-to-date version of Secure Connect is installed.

To ensure that Secure Connect is up to date:

1. Click .

2. Click Resources.

3. Click Secure Connect.

InstallSecureConnect.exe is downloaded and appears in the lower left corner of

the browser.

4. Click the InstallSecureConnect.exe file. The User Account Control message box

opens.

5. Click Yes.

The installer begins to install the software with one of the following outcomes:

If the software is up to date an Abort message box opens with the following

message:

One or more newer versions of the product are already installed. An upgrade

is not applicable.

Click Abort. The upgrade process ends.

If there is a difference between the installed and the latest versions, the

Update Secure Connect pop-up opens.

Follow the instructions in this pop-up to update Secure Connect.

5.4.2 Installing VNC Player

For viewing recorded remote access sessions, the VNC Player application must be

installed on your computer.

To install VNC Player:

1. Click .

2. Click Resources.

3. Click VNC Player. The InstallVNCPlayer.exe file is downloaded and appears at the

lower left corner of the browser.

4. Click the InstallVNCPlayer.exe file. The User Account Control message box

opens.

5. Click Yes to run the InstallAnywhere self-extractor. The VNC Player installation

wizard opens.

6. Click Next to run the installation wizard.

7. Click Next, Continue, Install, and Done to complete the installation.

5.4.3 Opening a remote access connection from Sites

Remote access connections can be managed in the Sites module either from the

Remote Connections tab or from the Activity Log tab.

The Remote Connections tab is available from all contexts, so that remote connections can be monitored from any context. However, remote access connections to sites or devices can only be established from the Site or Device contexts. In these contexts, the remote connection icons are displayed on the upper right side of the page, above the tabs.

If a remote connection button is not displayed at the top of the page, it can be accessed from the remote connection palette.

To open a remote access connection:

1. Click at the upper right corner of the page, above the tabs, to display the

Establish Remote Access Connection drop-down list.

Figure 5-11. Remote Connections tab

2. Click the requested connection type.

A message box opens with the following message: Remote Access Session in Progress… (Executing)

After a few seconds it closes and the InstallSecureConnect.exe? message box

opens.

3. Click InstallSecureConnect.exe.

The connection opens (such as a command line window or a Windows VNC,

depending on the connection type).

A remote connection icon appears in the area on the right above the tabs, with the

tooltip: Executing <connection type>.

For HTTP and HTTPS connections, an attention message box appears in the

lower-right corner of screen.

The default timeout for remote access connections is 6 hours. However, it can be

changed, from a minimum of 1 hour to a maximum of 72 hours, using the following

procedure.

To add parameters before opening a remote access connection:

4. Hover the cursor over the row of stars at the bottom of the requested remote

connection icon.

The background of the stars is highlighted in turquoise and a tooltip appears with

the following text: Add Params to <remote connection type>.

Figure 5-12. Establish Remote Access Connection

5. Click on the row of stars.

The Execute <remote connection type> on <entity name> dialog box opens.

6. Specify the following:

o Case

o Description

o Timeout (in hours; the default is 6 hours)

7. Click Run Connection.

To initiate a remote access connection:

1. Click , and in the pop-up, click the requested connection type (Remote

Terminal—Telnet or SSH, Remote Desktop—VNC, RDP, or Remote Browser—HTTP,

HTTPS, or WMI).

2. In the pop-up that appears, click Open Secure Connect.

The icon appears on system tray.

Rolling your mouse over this icon opens an identification pop-up, with the

options to Show Diagnostic Dialog, or Disconnect.

Figure 5-13. Adding Remote Connection parameters


Left-clicking this icon opens a Secure Connect pop-up showing the site and

device information, with options to:

o disconnect

o open connection log to help in connection troubleshooting

o display compact mode (a smaller, always-on-top version of the pop-up)

o restore the pop-up to the Secure Connect icon on system tray

3. Click to invoke the relevant application (if the application is HTTP or HTTPS

this opens a new tab in the browser).

4. Use your credentials to log in on the login screen for the device that opens.

5. The Remote Connection is displayed to the left of , where the green dot

indicates that the remote connection is active.

NOTE

The remote web connection disconnects and disappears if you force a refresh (click

reload, or F5), or navigate away from the application.

5.4.4 Closing connections

This section describes several ways of closing connections.

5.4.4.1 Closing a session

To close a Telnet session:

1. Click X on top of window or type in Exit.

An Exit confirmation message box opens.

2. Click OK.

The Telnet window closes.

Icon in task tray (or in hidden icons) vanishes.

5.4.4.2 Closing a connection

1. Go to Remote Connections tab.

2. Click the lightning bolt icon (with tooltip: Terminate Connection).


The Remote Access Connect message box appears, asking: You are about to terminate and immediately disconnect all users from this activity. Are you sure?

3. Click OK.

Message box appears in right bottom corner of screen: All selected Activities

were marked as completed

Lightning bolt icon on left end of row in Remote Connections tab changes

from green to black.

Green dot in remote connection icon disappears.

Tooltip for remote connection icon changes to: Request Connection via…

5.4.4.3 Closing activity, connection, and session simultaneously

1. Go to Activity Log tab.

2. Click check icon on right-end of row (with tooltip: Mark as Complete).

Message box appears in right bottom corner of screen: All selected Activities

were marked as completed

Clock icon on left end of row in Activity Log tab changes to a green blip

signal icon.

Green dot in remote connection icon disappears.

Tooltip for remote connection icon changes to: Request Connection

5.4.5 Remote Connections

The Remote Connections tab (see Figure 5-11) displays the remote terminal, desktop, and browser connections established with VSEs and devices.

Remote access connections are available only from the site and device contexts and

require the Secure Connect application to be installed on your PC.

5.4.6 Remote access session recording

Remote access sessions are automatically recorded in .vncs files and can be downloaded from the Remote Connections tab by clicking located in the ACTIONS column. The recorded sessions can be viewed with the VNC Player.


5.5 Remote activities on multiple VSEs and devices

Security Center operators can provide support to sites by remotely running the following:

• Diagnostics activities

• Fix activities routines

• Instant commands

By performing these activities (tasks), the operator can gain a clearer understanding of

issues affecting the ICS Shield network and remotely solve the issues.

5.5.1 Remote activities

In the context of the ICS Shield system, a remote activity is a task sent by the master Security Center to one or more VSEs, which requests that the VSE performs actions such as the following:

• Granting remote access to a specific device

• Executing an execution profile from one or more devices

• Importing a product line

• Importing software

• Sending files to the VSE

If the VSE is not configured to accept Remote Activity automatically, each remote

activity must be approved at the VSE before it is executed.

5.5.1.1 Remote activity types

The different remote activity types are:

• Diagnose remote activities – see sections 5.5.1.2, Diagnose/Fix and 5.5.2, Running

diagnostic activities

• Fix remote activities – see sections 5.5.1.2, Diagnose/Fix and 5.5.3, Running fix

activities

• Distribute a product line remote activities – see section 5.5.1.3, Distribute Product

Line

• Distribute software – see sections 5.5.1.4, Distribute Software (or Distribute File) and 5.6.3, Distributing software

• Get File remote activities – see section 5.6.1, Getting files

• Send File – see sections 5.5.1.5, Send File and 5.6.2, Sending files


• Remote Access remote activities – see section 5.5.1.6, Remote Access remote

activities

• Instant Command remote activities – see section 5.5.4, Running instant

commands

5.5.1.2 Diagnose/Fix

The Security Center sends a Diagnose or Fix remote activity and requests the VSE to

execute an existing execution profile. If the remote activity is approved, the VSE runs

the specified execution profile.

Viewing execution profile information can help you decide whether to approve a

Diagnose or Fix remote activity. For instructions, see section 5.5.1.14, Viewing

execution profile information.

5.5.1.3 Distribute Product Line

The Security Center sends the remote activity Distribute a Product Line to the VSE, to

install or update a product line on the VSE. If the remote activity is approved, the VSE

imports the product line to the VSE database.

Viewing product line information can help you decide whether to approve a Distribute

Product Line remote activity. For instructions, see section 5.5.1.13, Viewing product

line information.

5.5.1.4 Distribute Software (or Distribute File)

The Security Center sends the remote activity Distribute Software to the VSE, to install

a software module on the VSE. If the remote activity is approved, the VSE imports the

software module and installs it on the appropriate device.

5.5.1.5 Send File

The Security Center sends a Send File remote activity to the VSE, to store a file on a

specific device. If the remote activity is approved, the VSE stores the file in the

specified directory on the device.

5.5.1.6 Remote Access remote activities

The Security Center sends a Remote Access remote activity, to remotely access,

configure, or troubleshoot either a VSE or a device.


The workflow for getting remote access is as follows:

1. The Security Center sends to the VSE a Remote Access remote activity, which

appears in the list under the Remote Activities tab (Operations > Devices >

Remote Activities).

2. In the left pane either select All to see remote activities for the VSE itself or select

a specific device to see remote activities associated with this device.

Unless the VSE is configured to automatically approve remote activities of type

Remote Access, you need to manually approve or reject the remote activity.

For information on automatically or manually approving or rejecting remote

activities see section 5.5.1.15, Approving remote activities and section 5.5.1.16,

Rejecting remote activities.

3. The Security Center receives a notification stating whether the remote activity was

approved or rejected and by whom.

4. If you approved the remote activity (either automatically or manually), the Security

Center user can remotely access the VSE or the requested device at any time, as

long as the remote activity has not completed executing.

NOTE

The VSE and the Security Center exchange information via a secure connection

(SSL over TCP).

5. The Remote Access remote activity ends when one of the following occurs:

o The remote activity times out.

o The remote activity is aborted by a VSE user; for details, see section 5.5.1.17, Aborting remote activities.

o An active connection for the remote activity is terminated by a VSE user.

You can track the state of the remote activity in the Remote Activities screen.

5.5.1.7 Setting up Remote Access

No preparations are needed for remote access via Telnet or HTTP(S). If you want to

allow remote access via VNC, follow the procedure below.

5.5.1.8 Recorded Sessions

When Security Center users connect via remote access, they are able to compromise the machine. While it is not possible to prevent users from performing certain unwanted actions while connected via VNC or RDP, it is possible to record their sessions for future examination.

5.5.1.9 Remote Activities Monitor

The Remote Activities monitor is used to view, approve, reject, or abort all types of

remote activities (and to supervise in the case of VNC remote access).

5.5.1.10 Remote activity severity

Each remote activity is assigned a severity when it is finished. The severity can be:

• Empty (no severity description)

• Info

• Warning

• Error

• Critical

The severity is determined as follows:

• For remote activities of all types, if the remote activity fails to start for some reason,

then immediately the remote activity state changes to Finished, and its severity

changes to Error.

A remote activity can be prevented from starting because:

o The VSE administrator rejected the remote activity

o The VSE administrator aborted the remote activity

o The VSE administrator terminated the remote connection

• For all remote activities other than Diagnose/Fix types, if the remote activity was

approved and ran successfully, the Severity field remains empty.

• For Diagnose/Fix remote activities that have finished executing, the severity of the remote activity is set to the highest severity of all the execution results.

5.5.1.11 Filtering the list of remote activities

You can filter the list by any of the following:

• Remote Activity type

• Time slot (From the last specified number of minutes, hours, or days)

• Device (From a list of devices defined in the VSE, including the VSE itself)

• Remote activity state

The filters are located at the top of the workspace.


5.5.1.12 Viewing remote activity details

The Activity Log Details provides information on the remote activity you are viewing.

The information is displayed in the following sections:

• Activity details

Displays a brief sentence, which describes the activity with its time and date, as

well as the following data items:

o Result message – for example, Activity Completed OK

o Last status change – date and time when the activity’s most recent status change took place

o Attach Historical Data – see note

NOTE

Depending on the remote activity type, certain fields might not be displayed; for

example, product line name.

• List of sub-activities

A table displaying a list of all the activity’s sub-activities. This table, which can be

filtered by status, site name, device name, or any possible combination of these

parameters, provides the following information for each sub-activity:

o State – shows whether the activity is OK or there is a violation, in which case the violation’s severity is displayed

o Site

o Device

o Changed – date of the most recent change of the activity’s status

o Result – the result message; for example, The activity due date is overdue or Activity Completed with OK severity

o Approved/Rejected by – the name of the person who approved or rejected the sub-activity

o Data – if any data is attached to the sub-activity, clicking the icon displays the data in the Data Viewer.

Figure 5-14. Activity Log details

5.5.1.13 Viewing product line information

Viewing product line information for a Distribute a Product Line remote activity can

help you decide whether to approve the remote activity. This information includes

details of each execution profile variation and specifies whether it already exists in the

VSE.

You can only view product line information for a Distribute a Product Line remote

activity before approving the remote activity. After approving the remote activity, the

Remote Activities monitor no longer shows this information; however, you can view

product line information through the Product Line View or the Device View.

5.5.1.14 Viewing execution profile information

Viewing execution profile information for a Diagnose/Fix remote activity can help you

decide whether to approve the remote activity.

You can see the following information:

• Profile Name

• Profile Type: Diagnostic, Monitoring, Corrective Action

• Execution Type: Once, Periodic, Scheduled, or On Trap

• Product Line

• Vendor


• Auto Self-Send: Whether the Security Center sets the execution profile to

automatically send the execution result to the master and subscribed Security

Centers

• Auto Activation: Whether the Security Center sets the execution profile to be

automatically activated on any devices that have the appropriate model/version

combination

• Model Name for which the execution profile is defined

• Model Version for which the execution profile is defined

• All the Scripts appear at the bottom of the web page dialog in the order that they

appear in the execution profile. You can see the following for each Script:

o Script name

o Protocol used (for example, Telnet or SNMP)

o Command type (Perl Script, VBScript, Command Line, get scalar, or get column)

o A box containing the Script itself

5.5.1.15 Approving remote activities

Each remote activity must be approved at the VSE level before it is executed. There are

two types of approval:

• Automatic approval

• Manual approval by a VSE administrator

If the VSE is configured for automatic approval of a particular remote activity type, then

the remote activity is activated on each specified device as soon as it arrives and is

executed when it is scheduled. Otherwise, you must manually approve the remote

activity on each device before it can be activated and executed on that device.

5.5.1.16 Rejecting remote activities

You can reject remote activities that are waiting for approval.

5.5.1.17 Aborting remote activities

You can abort remote activities with the state Scheduled or Executing.
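
The approval, rejection, abort and severity rules of sections 5.5.1.10 and 5.5.1.15 to 5.5.1.17, together with the 1 to 72 hour remote access timeout from section 5.4, can be expressed as a small state machine. The following Python example is added here for illustration and is not ICS Shield code: the class and method names, the one-device-per-activity simplification, the "Waiting for approval" state label, the device names, and ranking severities in the order they are listed are all assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    # Listed order from section 5.5.1.10; ranking later entries higher is an assumption.
    EMPTY = 0
    INFO = 1
    WARNING = 2
    ERROR = 3
    CRITICAL = 4


DIAGNOSE_FIX = {"Diagnose", "Fix"}
MIN_TIMEOUT_H, DEFAULT_TIMEOUT_H, MAX_TIMEOUT_H = 1, 6, 72  # remote access, in hours


@dataclass
class RemoteActivity:
    kind: str                          # "Remote Access", "Diagnose", "Send File", ...
    device: str                        # assumption: one target device per activity
    timeout_h: int = DEFAULT_TIMEOUT_H
    state: str = "Waiting for approval"
    severity: Severity = Severity.EMPTY


class Vse:
    """Hypothetical model of the approval gate at the VSE (not a product API)."""

    def __init__(self, auto_approve=()):
        self.auto_approve = set(auto_approve)   # activity types approved automatically
        self.notifications = []                 # decisions reported to the Security Center

    def _require(self, act, *states):
        if act.state not in states:
            raise RuntimeError(f"{act.kind} on {act.device} is {act.state!r}")

    def _decide(self, act, decision, by):
        # The Security Center learns whether the activity was approved or rejected, and by whom.
        self.notifications.append((act.kind, act.device, decision, by))

    def _fail(self, act):
        # An activity that is prevented from starting goes straight to Finished / Error.
        act.state, act.severity = "Finished", Severity.ERROR

    def receive(self, act):
        if act.kind == "Remote Access" and not MIN_TIMEOUT_H <= act.timeout_h <= MAX_TIMEOUT_H:
            raise ValueError(f"timeout must be {MIN_TIMEOUT_H} to {MAX_TIMEOUT_H} hours")
        if act.kind in self.auto_approve:
            self.approve(act, by="automatic approval")
        return act

    def approve(self, act, by):
        self._require(act, "Waiting for approval")
        act.state = "Scheduled"
        self._decide(act, "approved", by)

    def reject(self, act, by):
        self._require(act, "Waiting for approval")    # only pending activities can be rejected
        self._fail(act)
        self._decide(act, "rejected", by)

    def abort(self, act):
        self._require(act, "Scheduled", "Executing")  # only these states can be aborted
        self._fail(act)

    def start(self, act):
        self._require(act, "Scheduled")               # nothing executes without approval
        act.state = "Executing"

    def finish(self, act, results=()):
        self._require(act, "Executing")
        act.state = "Finished"
        if act.kind in DIAGNOSE_FIX:
            # Highest severity among the execution results.
            act.severity = max(results, default=Severity.EMPTY)
        else:
            act.severity = Severity.EMPTY             # approved and ran successfully


if __name__ == "__main__":
    vse = Vse(auto_approve={"Diagnose"})
    diag = vse.receive(RemoteActivity("Diagnose", "device-a"))  # constructed device name
    vse.start(diag)
    vse.finish(diag, [Severity.INFO, Severity.WARNING])
    print(diag.state, diag.severity.name)
```

Leaving "Remote Access" out of `auto_approve` keeps every remote session behind an explicit decision by a VSE administrator, and the `notifications` list is the record of who made it.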


5.5.2 Running diagnostic activities

In general, different product lines have different diagnostic routines. Although each product line has a default diagnostic routine, the particular default diagnostic routines are different for different product lines.

If you want to run a diagnostic routine on one or more devices, which are all based on

one product line, you can specify the product line and a diagnostic routine to run on all

the devices.

However, if you want to run diagnostic routines on multiple devices, where the devices are based on different product lines, you can only specify the default diagnostic routine for each device.

To understand the reason for an alarm, run a diagnostic activity on the device that was

associated with the alarm. To do this you must know the diagnostic routine available

for the product line associated with the device.

To run a diagnostic activity:

1. Go to the context level where the alarm is displayed in the Alarms tab.

2. Click .

The Run Diagnose activity on <group/site/system/device> <name> dialog box

opens.

3. Choose one of the following options:

For devices based on one or more product lines:

Specify the default diagnostic routines, by selecting Basic Diagnosis.

Different default diagnostic routines run on the devices (selected in step 5),

depending on each device’s product line.

Figure 5-15. Activity Log tab


For devices that are all based on one product line:

Specify one diagnostic routine, by selecting

i. Specific Diagnose Routine

and from the drop-down lists that appear:

ii. a product line

iii. a diagnostic routine

The routine that you select runs on all the devices (selected in step 5).

4. To specify which devices the diagnosis is applied to, click .

The Select Devices dialog box opens.

5. Select one or more devices using the Tree (hierarchic navigation method) tab or

the Device (filter search method) tab.

6. Click Select at the bottom of the dialog box.

The Select Devices dialog box closes, and the number of selected devices

appears to the right of .

7. Enter a case ID in the Case field (optional).

8. Enter a description in the Description field (optional).

9. If necessary, mark Attach history date from last and select a time period.

10. Click Run.

To view the results of a diagnostic activity:

1. Go to the Activity Log tab.

2. Select the requested activity.

3. Click , located on the right end of the selected row.

A screen opens with the results. A red circle in the Severity column indicates an

issue that might require further investigation.

4. If necessary, filter the display by severity or category by clicking , selecting the

relevant filter criteria and clicking Apply.

5. To see if the issue has occurred in the past or is a trend, click View Device’s data.

The Data Viewer screen opens, displaying all the data collected in the past 7 days.

6. Click View activity data to return to the diagnostic activity results screen.


5.5.3 Running fix activities

Sometimes, based on the results produced by a diagnostic activity, it is evident that a fix activity is required. For example, the diagnostic results might indicate that a disk is nearly full. To make more disk space available, you can empty the temporary folder by running a fix activity.

To run a fix activity:

1. Go to the level where the alarm is displayed in the Alarms tab.

2. Click .

The Run Fix activity on <group/site/system/device> <name> dialog box opens.

3. Select a product line from the Select Product line drop-down list.

4. To specify which devices the diagnosis runs on, under Select devices, click Select.

The Select Devices dialog box opens.

5. Select one or more devices using the Tree (hierarchic navigation method) tab or

the Device (filter search method) tab.

6. Click Select at the bottom of the dialog box.

The Select Devices dialog box closes, and the number of devices selected

appears in the Select Devices section next to Select.

7. Select a fix routine from the Select Fix to Apply drop-down list. For example,

Delete Temp Files.

8. Enter a case ID in the Case field (optional).

9. Enter a description in the Description field (optional).

10. Click Run.

The Activity Not Completed icon in the Status column of the Activity Log tab

indicates that the fix activity is running.

11. To see if the activity has completed, select the activity and click (Show details

pane).

The activity details pane opens.

12. Select the requested entity and click APPLY.

13. Repeat the previous step, if necessary.

14. When the activity completes, the status can be one of the following:

o The green flag Completed with OK severity icon in the Status column indicates that the fix activity completed successfully.

o The orange Completed with Error severity icon in the Status column indicates that the fix activity failed to complete.

5.5.4 Running instant commands

Sometimes an operator needs to run a command on a device. For example, operators who know the IP address of the device but want to know the hostname can use Instant Command to run the hostname command by using the Telnet protocol.

TIP

If the operator requires an interactive session with the device, the Remote Access feature can be used.

To run a command on a device:

1. Click .

The Run Instant Command on <group/site/system/device> <name> dialog box

opens.

2. Proceed according to the entity on which the Security Center UI is focused:

o For group context level, go to step 3.

o For site or system context level, go to step 6.

o For device context level, go to step 10.

3. Click Select Site to open the Select Sites dialog box.

4. Select a site using the Tree (hierarchic navigation method) tab or the Sites (filter

search method) tab.

5. Click Select at the bottom of the dialog box.

The Select Sites dialog box closes, and the name of the site appears in the Select

Site section to the right of the Select button. The Select Devices button appears.

6. To specify which devices the command runs on, click Select Devices to open the

Select Devices dialog box.

7. Select a product line, which supports Telnet connections, from the Select Product

line drop-down list.


8. Select one or more devices using the Tree (hierarchic navigation method) tab or

the Device (filter search method) tab.

9. Click Select at the bottom of the dialog box.

The Select Devices dialog box closes, and the number of devices selected

appears to the right of the Select button. The selected product line name appears

in the Product Line section.

10. Enter one or more commands in the Enter Command text area. Use the Enter key

to separate commands. For example, hostname.

11. Enter a case ID in the Case field (optional).

12. Enter a description in the Description field (optional).

13. Click Run.

A page opens. A list of devices where the command is running appears in the left

pane. The list displays the name and IP address of each device and an execution

state indicator. When the execution terminates, whether successful or not, the

indicator is replaced with a small green circle. The results of the execution appear

in the right pane, showing the command line or an error message with error

details.

5.6 Transferring files

This section provides instructions for transferring files between the Security Center and the VSEs. Bidirectional file transfer allows Security Center operators to receive data and log files from remote sites for analysis and to send files and utilities, such as scripts, to the sites. In addition, it is possible to distribute software updates to all sites.

5.6.1 Getting files

Typically, an operator requires information from a device’s log file.

To get a file from a device:

1. Click .

The Run Get File activity on <group/site/system/device> <name> dialog box

opens.

2. Repeat steps 2 to 9 of section 5.5.4, Running instant commands.

3. Enter the path to the file in the Full File path field. For example,

./var/logs/server_log1.log


NOTE

An FTP connection is established to the device’s FTP root directory and

therefore requires the device’s product line to support FTP connections. In the

case of a local device (localhost or 127.0.0.1) the connection is performed

locally by the VSE and therefore FTP support is not required.

4. Enter a case ID in the Case field (optional).

5. Enter a description in the Description field (optional).

6. Click Run to open a page whose left pane displays a list of devices where the get

command is running. For each device, the list shows the name and IP address and

an execution state indicator. When the execution terminates, whether successful

or not, the indicator is replaced with a small green circle. The results of the

execution appear in the right pane, showing a link to the downloaded file or an

error message with error details.

5.6.2 Sending files

An operator can send a file to a device by using the Send File activity. For example, to install a small software update on a remote device, the installation file can be sent to the device and then the operator can install the software manually.

To enable the Send File activity, the device requires FTP support.

NOTES

An FTP connection is established to the device’s FTP root directory and therefore

requires the device’s product line to support FTP connections. In the case of a local

device (localhost or 127.0.0.1) the connection is performed locally by the VSE and

therefore FTP support is not required.

To send a file to a device:

1. Click .

The Run Send File activity on <group/site/system/device> <name> dialog box

opens.

If the Security Center UI is focused on a Device context level, skip this step and

continue with step 3. Otherwise go to the next step.

2. Specify the file destination(s) by choosing one of the following procedures:

Sending to a list of devices – applicable if the Security Center UI is focused on a

System context level. For details, see To send to a list of devices.

Sending to one or more VSEs, as detailed below.


To send to one or more VSEs:

i. Select Site Server

ii. Click the Select Sites button to open the Select Sites screen.

iii. Select one or more sites from either the Tree or the Sites tabs.

iv. Click Select.

The name of the VSE or, when more than one site is selected, the number of sites appears to the right of Select Sites.

To send to a list of devices:

i. Select List of Devices.

ii. Click the Select Devices button to open the Select Devices screen.

iii. Select one or more devices from either the Tree tab or Sites tabs.

iv. Click Select.

The number of devices appears to the right of Select Devices.

3. Specify the file to be sent by choosing one of the procedures below.

For a local file:

i. Select From your local network.

ii. Click the Browse button and select a file from the Open dialog box.

iii. Click Open.

The file name appears in the Browse field.

For a file in the distribution directory:

i. Select From File Distribution directory.

ii. Click the Select button to open the Select File From Server screen, which

displays a list of folders and files.

iii. Select the requested file.

iv. Click Select.

The Select File From Server screen closes and the file name appears in

the Select field.

4. Proceed according to the destination:


If the destination is one or more VSEs, select, if applicable, Unzip the file at

the Site Server.

If the destination is a list of devices, use the Destination Dir. field to enter the

path to the destination folder.

5. Optionally, enter a case ID in the Case field.

6. Optionally, enter a description in the Description field.

7. Click Run.

5.6.3 Distributing software

Whenever updates to the VSE software are ready, they are placed in a central location called the Security Center’s file distribution directory. By using the Distribute Software feature, it is possible to push the updates to all selected VSEs, thereby helping to automate the software distribution process.

The file distribution operation is identical to sending files, except for the following

differences:

• You cannot select a file from the local network but only from the file distribution

directory

• When the software file is received at the site, it automatically begins running.

For instructions, see section 5.6.2, Sending files.

CAUTION

Usually a software package is zipped to maintain the folder structure and reduce file size. Therefore, you must ensure that the file is unzipped at the destination VSE.

NOTE

An FTP connection is established to the device’s FTP root directory and therefore

requires the device’s product line to support FTP connections. In the case of a local

device (localhost or 127.0.0.1) the connection is performed locally by the VSE and

therefore FTP support is not required.


5.7 Reports

Reports can be generated based on the data collected from remote devices.

To access a Report

1. Click the Collapsed Menu Icon .

2. Select Reports.

Reports are generated under the following main report categories described in the

following sections:

• Inventory

• Healthcheck

• Performance

• System

• Custom

5.7.1 Inventory

Table 5-4: Inventory reports

Report | Description

Inventory | Information about the Sites.

Device Inventory | Information about the devices.

Extended Site Properties | Generates a report of the default properties and the top 15 custom fields for one or all sites.

Installed Software | Generates a report of all installed software for one or all Windows devices in a selected site.

Installed Windows Patches | Generates a report of all installed Windows patches and their installation dates for one or all Windows devices in a selected site.

Get Device Index | Returns a list of all devices and related Indexes for a site or all.

Device Properties | Returns a list of device properties for a specified site, device or product line.

5.7.2 Healthcheck

Table 5-5: Healthcheck reports

Report | Description
Alarm History | Detailed information about all the knowledge alarms (not including system alarms) that occurred in the selected time frame. The information is grouped by each day of the selected time frame.
Product Line Data Units | This function presents a list of objects, properties, and analysis rules grouped by product line.
Product Line Execution Profiles | This function presents a list of collected properties grouped by monitoring, diagnose and fix profiles.
Diagnose Results | This function returns data collected by a diagnose activity. The data includes only data units of type object (not including files, event logs or alarm tables).
Product Line Analysis Rules | Information about the analysis rules of all the product lines.
Sites Summary | Information about the sites.
Product Lines Properties | Information about the data units and the properties of all the product lines.
Site Alarms Monthly Statistics | Information about all the knowledge base alarms (not including system alarms) that occurred in the selected time frame. The information is grouped by each day of the selected time frame.
Site Alarms Weekly Statistics | Information about all the knowledge base alarms (not including system alarms) that occurred in the selected time frame. The information is grouped by each day of the selected time frame.
World Alarms Monthly Statistics | Information about all the knowledge base alarms (not including system alarms) that occurred in the selected time frame. The information is grouped by each day of the selected time frame.

World Alarms Weekly Statistics | Information about all the knowledge base alarms (not including system alarms) that occurred in the selected time frame. The information is grouped by each day of the selected time frame.
World Health Monthly Statistics | Information about all the knowledge base alarms (not including system alarms) that occurred in the selected time frame. The information is grouped by each day of the selected time frame.
World Health Weekly Statistics | Information about all the knowledge base alarms (not including system alarms) that occurred in the selected time frame. The information is grouped by each day of the selected time frame.
Remote Activities by Site | Retrieves a list of activities on site per user. The result is filtered according to the permissions of the user generating the report. While Site Manager sees all activities, Label Manager only sees activities on relevant labels.
Alarms Global Weekly Summary | Information about the sites.

5.7.3 Performance

Table 5-6: Performance reports

Report | Description
Data over Time | Collected data of specific properties in a site that were collected in the selected time frame.

5.7.4 System

Table 5-7: System reports

Report | Description
Users Info | Information about all the users of the Security Center.
Last Data Received | Information about the sites.

Data Collection Statistics | Returns number of execution profiles collected, number of specific protocol failures and successes grouped by device.
Audit Log | Returns a list of Audit log system alarms for a specified period.
Operation Log | Returns a list of Operational log system alarms for a specified period.

5.7.5 Custom

Table 5-8: Custom reports

Report | Description
(Name of user defined report) | Added by a user with Report Manager role.

To generate a Report:

1. In the Reports category dropdown, select a report category.

2. In the reports list, select a report.

3. Enter the requested report parameters in the fields displayed.

For reports that accept the Site parameter, in the Site field, click SELECT. The Select Site dialog opens. To select a site:

a. In the Select Site dialog, select a site by clicking either of the following tabs:

o Tree - use the site hierarchy tree to navigate to the requested site.

o Sites - enter one or more search criteria in the search fields. Alternatively, to display all sites, leave the search fields blank.

b. Click APPLY.

c. Click the requested site and then click SELECT.

The Select Site dialog closes, and the selected site is displayed in the Site field.

4. Click .

5.8 User profile

You can access your User Profile from any module by clicking the Collapsed Menu icon, and clicking Edit Profile immediately below your name. Your user profile is displayed with three subtabs:

• Details

• Permissions

• Notifications

5.8.1 Details

The Details subtab consists of the following fields:

• First Name

• Last Name

• Username

• Domain

• Email

• Main Phone

• Additional Phone

• Pager

• SMS/Pager Email

In addition, there is a section for time zone adjustment and a button for changing your password.

To modify your details:

1. Go to Edit Profile > Details.

2. Modify one or more of the fields.

3. If necessary, adjust the time zone difference by doing one of the following:

• Select Automatic.

• Select Manual and then select a time zone difference from the pop-up list.

4. Click to save the changes, or to revert back to the original values.

To generate a new password:

1. Click . The Change Password pop-up window opens.

2. Enter your current password, and the new password in the fields provided.

3. Click Save.

NOTE

A password must be at least 8 characters in length.

5.8.2 Permissions

The Permissions subtab consists of the following options:

• System Roles

• Access Permissions

• Product Line Permissions

NOTE

The contents of the Permissions subtab can only be modified by users with administrator privileges.

5.8.2.1 System Roles

When you select the System Roles option, the Edit System Roles screen opens, and details are shown about one or more of the following system role categories: Site Management, Logs, Settings, Operators, Labels, and Reports.

5.8.2.2 Access Permissions

When you select the Access Permissions option, the Edit Access Permissions screen opens and details about the access permissions are displayed in a table consisting of the following columns: Entity Name or Path and Entity Access Permissions.

5.8.2.3 Product Line Permissions

When you select the Product Line Permissions option, the Edit Product Line Permissions screen opens and details about the product line permissions are displayed in a table consisting of the following columns: Product Line Name and Product Line Permissions.

To add product line permissions:

1. Go to Edit Profile > Permissions > Product Line Permissions. The Edit Product Line Permissions screen opens.

2. Click .

The Access a new product line pop-up opens with a list of available product lines.

3. Locate the requested product line by entering search criteria or by scrolling.

4. Click on the right end of the row of the requested product line.

The Edit permissions of Product Line <product line name> pop-up opens.

5. Select one or more permissions from the Permissions Inventory column to transfer them to the Current Permissions column:

• View Product Line

• Edit Product Line

• Delete Product Line

6. Click OK.

7. Click Close.

8. Click to save the changes, or to revert back to the original values.

5.8.3 Notifications

The Notifications subtab consists of the following options:

• Entity-level notifications

• Operational notifications

5.8.3.1 Entity-level notifications

Selecting the Entity-level notifications option opens the Edit Entity-level Notification screen, which displays the Entity Name or Path, Category (such as storage, system configuration, and compliance), System Type (such as All, Live, and Test), Email Severity, and SMS/Pager Severity.

5.8.3.2 Operational notifications

Selecting the Operational notifications option opens the Edit Operational Notification screen, which displays the types of alarm, the levels of severity, and the methods of notification.

The operator can be notified of one or more of the following categories of operational alarms:

• All Categories

• Activity

• Communication

• Security

• System

• User Action

For each alarm, the severity level at which the operator is notified can be one of the following:

• None

• All

• Info

• Warning

• Error

• Critical

For each alarm, the operator is notified, according to the severity level associated with the notification method, as specified by one or more of the following:

• Email Severity

• SMS/Pager Severity
