ICS SHIELD
R 510.2
Security Center
Getting Started Guide
CS-ICSW400en-510B
June 2020
DocID CS-ICSW400en-510B 2
Notices
Trademarks
Microsoft and SQL Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Trademarks that appear in this document are used only to the benefit of the trademark owner, with no intention of trademark infringement.
Third-party licenses
This product may contain or be derived from materials, including software, of third parties. The third party materials may be subject to licenses, notices, restrictions and obligations imposed by the licensor
About this Guide
This guide is intended to serve as an introduction for using the Security Center.
Scope
This guide details essential concepts and functionalities of Security Center. In addition, the guide introduces a set of ICS Shield Add-ons, namely: product lines and ESPs that require dedicated licenses. Each add-on is described briefly in a dedicated chapter, followed by a reference to the individual guide that provides in-depth descriptions and instructions for using the add-on.
Intended audience
This guide is for Security Center operators, who are responsible for monitoring and supporting an ICS Shield network.
Using this guide requires a basic knowledge of Operational Technology (OT) and Information Technology (IT) infrastructures and operations.
Related documents
The following list identifies publications that may contain information relevant to the information in this document.
Document Name | Document Number
ICS Shield R510.2 - VSE User Guide | CS-ICSW601en-510B
ICS Shield R510.2 - VSE Administrator Guide | CS-ICSW701en-510B
Performance Analyzer Installation and Configuration Guide | PZDOC-X578-en-150
ICS Shield R510.1 - Linux Machine PL User Guide | CS-ICSE604en-510A
ICS Shield R510.1 - Network Device PL User Guide | CS-ICSE605en-500A
ICS Shield R510.1 - Windows Machine PL User Guide | CS-ICSE606en-510A
ICS Shield R510.1 - ePO ESP User Guide | CS-ICSE609en-510A
ICS Shield R510.1 - WSUS Sync ESP User Guide | CS-ICSE610en-510A
Revision history
Revision | Supported Release | Date | Description
B | R 510.2 | June 28, 2020 | Revised version of 510.2.
B | R 510.2 | September 26, 2019 | Updated release of ICS Shield documentation, with Security Center documents only
A | R 510.1 | August 8, 2019 | Updated release of ICS Shield documentation
A | R 500.1 | February 27, 2019 | First release of the ICS Shield documentation
Contents
1. SECURITY CONSIDERATIONS ...... 9
1.1 Physical security ...... 9
1.2 Separate security zone ...... 9
1.3 Limiting access ...... 9
1.3.1 At the Security Center level ...... 9
1.3.2 At the directory or file level ...... 10
1.4 Encryption and validation ...... 11
1.5 Possible security risks ...... 12
2. TERMS AND DEFINITIONS ...... 13
3. OVERVIEW ...... 15
4. CONCEPTS ...... 16
4.1 VSE and site ...... 16
4.2 Device ...... 16
4.3 Entity ...... 17
5. BASIC FUNCTIONALITY ...... 20
5.1 Accessing the Security Center ...... 20
5.2 My Day ...... 22
5.2.1 Opening My Day ...... 23
5.2.2 Remote access connections ...... 23
5.3 Sites ...... 28
5.3.1 Navigating to an entity ...... 30
5.3.2 Context sensitivity ...... 32
5.3.3 Dashboard ...... 35
5.3.4 Alarms ...... 35
5.3.5 Data ...... 36
5.4 Remote access to a single VSE or device ...... 37
5.4.1 Installing and upgrading Secure Connect ...... 38
5.4.2 Installing VNC Player ...... 39
5.4.3 Opening a remote access connection from Sites ...... 40
5.4.4 Closing connections ...... 43
5.4.5 Remote Connections ...... 44
5.4.6 Remote access session recording ...... 44
5.5 Remote activities on multiple VSEs and devices ...... 45
5.5.1 Remote activities ...... 45
5.5.2 Running diagnostic activities ...... 52
5.5.3 Running fix activities ...... 54
5.5.4 Running instant commands ...... 55
5.6 Transferring files ...... 56
5.6.1 Getting files ...... 56
5.6.2 Sending files ...... 57
5.6.3 Distributing software ...... 59
5.7 Reports ...... 60
5.7.1 Inventory ...... 60
5.7.2 Healthcheck ...... 61
5.7.3 Performance ...... 62
5.7.4 System ...... 62
5.7.5 Custom ...... 63
5.8 User profile ...... 64
5.8.1 Details ...... 64
5.8.2 Permissions ...... 65
5.8.3 Notifications ...... 66
List of Figures
FIGURE 4-1. ENTITY HIERARCHY EXAMPLE ...... 19
FIGURE 5-1. LOGGING OUT OF ICS SHIELD ...... 22
FIGURE 5-2. MULTIPLE REMOTE ACCESS CONNECTIONS IN MY DAY PAGE ...... 22
FIGURE 5-3. FAVORITES AND RECENT HISTORY SECTIONS ...... 24
FIGURE 5-4. REMOTE ACCESS CONNECTION ICONS ...... 26
FIGURE 5-5. SECURITY CENTER - SITES SECTION PAGE ELEMENTS ...... 28
FIGURE 5-6. DEVICE LIST NOT AVAILABLE ...... 31
FIGURE 5-7. DASHBOARD TAB AT THE ALL LEVELS LEVEL ...... 34
FIGURE 5-8. DASHBOARD TAB AT THE GROUP LEVEL ...... 34
FIGURE 5-9. DASHBOARD TAB AT THE SITE LEVEL ...... 34
FIGURE 5-10. DASHBOARD TAB AT THE DEVICE LEVEL ...... 35
FIGURE 5-11. REMOTE CONNECTIONS TAB ...... 40
FIGURE 5-12. ESTABLISH REMOTE ACCESS CONNECTION ...... 41
FIGURE 5-13. ADDING REMOTE CONNECTION PARAMETERS ...... 42
FIGURE 5-14. ACTIVITY LOG DETAILS ...... 49
FIGURE 5-15. ACTIVITY LOG TAB ...... 52
List of Tables
TABLE 1-1. LIST OF PORTS ...... 10
TABLE 5-1. OPENING A REMOTE ACCESS CONNECTION ...... 24
TABLE 5-2. SECURITY CENTER UI FEATURES ACCORDING TO CONTEXT ...... 32
TABLE 5-3. DEFAULT REMOTE ACCESS PROTOCOLS ...... 37
TABLE 5-4. INVENTORY REPORTS ...... 60
TABLE 5-5. HEALTHCHECK REPORTS ...... 61
TABLE 5-6. PERFORMANCE REPORTS ...... 62
TABLE 5-7. SYSTEM REPORTS ...... 62
TABLE 5-8. CUSTOM REPORTS ...... 63
SECURITY CONSIDERATIONS
1. Security Considerations
This chapter outlines the security measures for Security Center.
1.1 Physical security
CAUTION
Security Center is a mission-critical component.
Take all necessary physical measures to prevent attacks or disasters.
Ensure that the server where the product is installed is located in an approved,
physically secure location that is accessible only to authorized personnel. See 1.2,
Separate security zone.
1.2 Separate security zone
Security Center contains sensitive information, such as cryptographic keys for the
secure tunnel. Loss of such information could lead to catastrophic consequences, and
therefore there is a need to protect the sensitive information and prevent attacks
against the product. To do that, the server where Security Center is installed must be
part of a secure network, with strict access control lists and appropriate
firewall/routing rules.
Ensure that Security Center is installed in a directory that is only accessible to
authorized personnel responsible for the product.
CAUTION
If Security Center is installed on one or more servers that are exposed to untrusted networks such as the Internet, protection against denial-of-service (DoS) attacks must be implemented.
1.3 Limiting access
It is highly recommended to follow regulatory, industry, and enterprise standards for
limiting access to sensitive information as specified below.
1.3.1 At the Security Center level
The user management at the host running the Security Center must follow the
principles of need to know and least privilege: only users who absolutely must have
access to the computer are granted access, and these users are assigned the minimal
set of permissions allowing them to perform their job.
1.3.2 At the directory or file level
Access to directories and files should also be granted in accordance with the principles
of need to know and least privilege: only users who absolutely must have access to the
requested directory and file are granted access, and these users are assigned the
minimal set of permissions allowing them to perform their job.
Use the built-in file access audit logging of the OS to monitor unauthorized changes to
sensitive files.
1.3.2.1 Ports used by Security Center
The ports used for Security Center are listed in the table below.
Table 1-1. List of ports
Port Number | Direction | Used for
8447 | Outbound | Communication server – used in TCP
8448 | Inbound | Access Gateway (RAG).
443 | Outbound | Web UI
1935 | Inbound | The address for the streaming server machine as IP:port. Usually the same as RAG IP + port 1935 (default RTMP port, used for RDP recording). Note: this port is optional and is only used if session recording is enabled.
9999 | Outbound | The address for the streaming server HTTP control module as IP:port. Usually the same as RAG IP + the port defined in nginx.conf. Note: this port is optional and is only used if session recording is enabled.
10000 - 16000 | Inbound | High ports used by the Remote Access feature. Notes: the use of high ports is only relevant when the Security Center is not configured in SAAS mode; this is the default port range, and the port range can be modified based on the customer needs.
389 | Outbound | Connection to LDAP server. Note: this port is optional and is only used if Active Directory is enabled.
389 | Outbound | Connection to SLDAP server. Note: this port is optional and is only used if Custom authentication is enabled.
1.4 Encryption and validation
All cryptographic keys generated for the encrypted communication must follow the
current industry standards, including key size, encryption suites, certificate swapping
and so on.
Operators and other personnel who have a low authorization level are advised to
ensure that they only run software provided by the Headquarters as a code-signed
executable file, such as Secure Connect, VNC Player, and Hyper Tunnel. Code-signed
software displays a "signed by" notification when it starts to run.
It is recommended to use a valid certificate issued by a trusted Certificate Authority
(CA), either the organization's internal CA or an external CA.
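Added example, not from the ICS Shield documentation or product: a PowerShell check an operator can run on a downloaded tool such as Secure Connect, VNC Player or Hyper Tunnel before executing it. It confirms that the Authenticode signature is valid (file hash intact, chain to a trusted root) and that the signer is the expected publisher; the file path and publisher name are placeholders.

```powershell
# Added example (not from the ICS Shield documentation or product). Verifies a tool's
# Authenticode signature before it is run. $ToolPath and $ExpectedPublisher are
# placeholders to replace with the real file and the CN of the vendor's signing certificate.
function Test-SignedTool {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $signer  = $sig.SignerCertificate
    $subject = if ($null -ne $signer) { $signer.Subject }    else { '' }
    $thumb   = if ($null -ne $signer) { $signer.Thumbprint } else { '' }

    # Status 'Valid' means the embedded hash matches the file (not tampered with) and the
    # certificate chain builds to a trusted root. Pinning the publisher additionally
    # rejects a file that is validly signed by some other party.
    $trusted = ($sig.Status -eq 'Valid') -and ($subject -like "*CN=$ExpectedPublisher*")

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer      = $subject
        Thumbprint  = $thumb
        Timestamped = ($null -ne $sig.TimeStamperCertificate)
        Trusted     = $trusted
    }
}

$ToolPath          = 'C:\Downloads\SecureConnect.exe'   # placeholder
$ExpectedPublisher = 'Example Vendor Ltd'               # placeholder: CN on the vendor's code-signing certificate

$check = Test-SignedTool -Path $ToolPath -ExpectedPublisher $ExpectedPublisher
$check | Format-List

if ($check.Trusted) {
    Start-Process -FilePath $check.Path
} else {
    Write-Warning "Not running $($check.Path): status=$($check.Status), signer='$($check.Signer)'"
}
```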
1.5 Possible security risks
Note the following best practices:
• Ensure that directories used for storing remote access session recordings are
handled as containing sensitive information. If these directories are located on a
shared drive, the location needs to have the least privileges assigned to both the
NTFS permissions and the share permissions.
• Change the initial passwords of the database schemas.
• Create an HTTPS certificate for the Security Center web server.
NOTE
A full procedure explaining the process of creating a valid and CA-signed
HTTPS certificate can be found in section Security Center with HTTPS/SSL in
the Security Center installation guide, which is to be released later this year.
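Added example covering both 1.3.2 (directory-level least privilege and OS file-access audit logging) and the recording-directory item in 1.5; it is not from the ICS Shield documentation or product. The PowerShell reports over-broad NTFS and SMB share permissions on the session-recording directory and then enables file-access auditing on it. The directory path, share name and account names are placeholders, and it must run elevated because writing a SACL requires the auditing privilege.

```powershell
# Added example (not from the ICS Shield documentation or product). Audits who can reach
# the session-recording directory at the NTFS and share levels and turns on file-access
# auditing for it. Path, share name and account names are placeholders; run elevated.
$RecordingPath   = 'D:\SecurityCenter\Recordings'   # placeholder
$ShareName       = 'Recordings'                     # placeholder; only relevant if the folder is shared
$AllowedAccounts = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                     'CORP\svc-securitycenter', 'CORP\SC-Operators')   # placeholders
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\ANONYMOUS LOGON')

function Get-OverbroadNtfsAccess {
    param([string] $Path, [string[]] $Allowed, [string[]] $Broad)
    # Flag Allow ACEs granted to broad groups or to any account outside the allow list
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($Broad -contains $_.IdentityReference.Value -or
         $Allowed -notcontains $_.IdentityReference.Value)
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Get-OverbroadShareAccess {
    param([string] $Name, [string[]] $Allowed, [string[]] $Broad)
    # Share permissions are evaluated together with NTFS; both layers need least privilege
    Get-SmbShareAccess -Name $Name -ErrorAction SilentlyContinue | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($Broad -contains $_.AccountName -or $Allowed -notcontains $_.AccountName)
    } | Select-Object AccountName, AccessRight
}

function Enable-FileAccessAudit {
    param([string] $Path)
    # Windows writes object-access events (e.g. 4663) only when both the audit policy
    # subcategory is on and the object itself carries a SACL entry
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights] 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags] 'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

$ntfs  = Get-OverbroadNtfsAccess  -Path $RecordingPath -Allowed $AllowedAccounts -Broad $BroadPrincipals
$share = Get-OverbroadShareAccess -Name $ShareName     -Allowed $AllowedAccounts -Broad $BroadPrincipals
if ($ntfs)  { Write-Warning "Over-broad NTFS ACEs on ${RecordingPath}:";    $ntfs  | Format-Table -AutoSize }
if ($share) { Write-Warning "Over-broad share permissions on ${ShareName}:"; $share | Format-Table -AutoSize }
if (-not $ntfs -and -not $share) { Write-Output 'No over-broad permissions found.' }
Enable-FileAccessAudit -Path $RecordingPath
```

The resulting 4663/4670 events in the Security log are what the file-access audit logging recommended in 1.3.2 produces; forward them to the SIEM that monitors the Security Center host.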
TERMS AND DEFINITIONS
2. Terms and Definitions
NOTE
The terms and definitions table is sorted by alphabetical order.
Term | Definition
add-on | An umbrella term for product lines and ESPs.
analysis rule | The user-defined range of values for a specific metric, such as CPU utilization or buffer cache hit ratio.
analysis rule violation | If the value collected meets the criteria defined by the analysis rule, this triggers an analysis rule violation.
asset | Any site component that is connected to the network and is accessible from the VSE.
corrective action | A collection profile that performs an action to correct a problem detected by other collection profiles; for example, if a monitoring profile detected a low disk space issue, a corrective action will delete obsolete and large temporary files.
device | A representation of a physical or virtual server or machine in the VSE.
diagnose routine (DR) | A collection profile that runs on demand and is intended to collect in-depth diagnostic data.
Essential security policy (ESP) | A set of actions and scripts that together instruct the VSE to perform certain procedures on devices that are defined in the VSE.
execution profile | A collection of scripts related to one logical area, such as machine security status, hardware information, event logs, or storage information; these scripts can either be run on demand (Diagnose Routine or Corrective Action) or based on a predefined schedule.
knowledge alarms | Alarms defined within a specific product line, which are triggered by analysis rules and concern the device handled by the product line; for example, if the CPU temperature of a network switch exceeds a predefined threshold.
monitoring profile (MP) | A collection profile configured to run at set time intervals, such as Every day at 18:00.
product line | A set of actions and scripts that together instruct the VSE to perform certain procedures on devices that are defined in the VSE.
reverse tunnel | A secured connection initiated by the VSE to the Security Center.
site | A remote physical location, such as an industrial plant, which includes one or more network environments and has at least one VSE.
tunnel | A secure connection established from the Security Center to the VSE.
Virtual security engine (VSE) | The ICS Shield component that is installed at the remote site, monitors the assets at the site, and provides additional functionalities such as remote access.
OVERVIEW
3. Overview
The ICS Shield Security Center allows operators to perform all troubleshooting,
monitoring, remote activity management and software distribution functions assigned
to them.
From the Security Center, an operator can do the following:
• Perform health check monitoring on systems installed at customer sites, based on
site reports arriving at the Security Center.
• Perform basic technical support operations, such as requesting remote access to
supported devices, collecting data and performing remote activities.
• Manage the installed base by viewing an inventory of all existing systems,
performing different activities and distributing software modules to systems in the
field.
From the search and breadcrumbs area at the top (available on all screens) and the
tree in the left pane (not available on all screens), you can create new remote activities
for specific VSEs and devices as needed, as well as view the latest data available for
any device. As in all components, you use the navigation area to navigate between the
different items, and you can use the navigation map link to navigate to any part of the
Sites, Reports, Builder, or Administration components.
In addition, the ICS Shield Security Center homepage provides up-to-date system
health status and quick access tools for prompt engagement.
CONCEPTS
4. Concepts
This chapter presents several key concepts that help in understanding the role of the
Security Center in ICS Shield.
4.1 VSE and site
The terms VSE and site, which are basic to understanding ICS Shield, are at times used
interchangeably:
• A site is a physical location, such as an industrial plant or a warehouse.
• The VSE is the ICS Shield software component that is installed at the site for
monitoring the devices at the site.
Usually, when the term site is used in the context of ICS Shield, it refers to the VSE
software installed at the site. This is because data about objects at the site is only
collected if the objects are represented as devices in the VSE, and therefore a physical
site is usually meaningless in describing ICS Shield processes.
Typically, the Security Center is located at an organizational data center that is
physically located separately from the industrial plant sites. Therefore, the sites and
their associated VSEs are considered remote from the Security Center. As a result,
tasks performed by the Security Center on one or more VSEs installed at remote sites
are referred to as remote connections and remote activities.
4.2 Device
A site typically consists of many hardware and software components – network
switches, routers, virtual machine hosts, and so on – that fulfill various functions
required for the site's performance. While performing its designated function, a
component might generate data that can be very valuable for the organizational
enterprise. This data can be collected by a VSE, provided that the component is
connected to the network and defined in the VSE. A network component defined in the
VSE is called a device and is identified by its IP address. The set of actions, rules, and
scripts that together instruct the VSE to perform various procedures on a device is
called a product line.
In summary: a device is a representation at the VSE of a physical or virtual server or
machine. The essential parameters in the device definition (the product line and the IP
address) determine how the VSE acts on the device.
4.3 Entity
In the ICS Shield, data is associated with the following set of entities:
• Devices
• Systems
• VSEs
• Groups
• All Levels
Data is generated by devices and collected by VSEs; all additional entities are logical
entities that can be very useful in organizing the data. Combining entities can save
considerable time and effort by avoiding repetitive work; for example, you can perform
the same task on the entire group instead of on single entities, or examine the status
of multiple entities.
The Security Center organizes these entities in a hierarchy consisting of several levels
of entities. These entities are displayed below in ascending order:
• Device - the lowest level of the hierarchy; for example, in a paper mill, a sawing
machine can be one device, and it can be called the Saw.
• System – an optional logical grouping of several devices.
For example, if several devices (a heater, a fan, and a thermostat) are used as part
of a drying process, they can be grouped together in a system called the Dryer.
• Site – the name denoting VSE in the hierarchy.
A site can group together one or more systems and standalone devices. For
example, all devices and systems in a warehouse in Clermont, Quebec, can be
grouped in a site called Clermont Warehouse, while a similar VSE is called
Montreal, Quebec.
• Group level 3 – this is the level where you can add new sites, and it is used for
grouping together several VSEs.
For example, a cardboard manufacturing process might consist of several
manufacturing plants and several warehouses located at several different
physical sites in Quebec, Canada. At each site there is a separate VSE. It might be
advantageous to group together all the manufacturing plant VSEs in a group
called Cardboard Production, and all the warehouse VSEs in another group called
Warehouses.
• Group level 2 – allows grouping together several level-3 groups.
For example, the level 3 groups mentioned above - Cardboard Production and
Warehouses - can be grouped, based on their location, in a group called Quebec,
while another level 2 group reflects a similar organizational structure in Ontario
and is called Ontario.
• Group level 1 – allows grouping together several level-2 groups.
For example, all level 2 groups that represent provinces in Canada can be grouped
in a level 1 group called Canada. Another level 1 group reflects a similar
organizational structure in several US states and is called USA.
• All levels – the highest level in the hierarchy; in this example, the name of the
paper company.
In summary, the example of the entity hierarchy is shown in the figure below.
Figure 4-1. Entity hierarchy example
5. Basic Functionality
This chapter introduces the basics of the Security Center, namely: the functions that
do not require additional licenses. These functions, available through several
workspaces or modules in the Security Center interface, enable the operator to
accomplish various tasks related to ICS Shield functions.
5.1 Accessing the Security Center
The ICS Shield Security Center can be configured by your administrator to use one of
the following authentication methods:
• Native Authentication (Username and Password) - default option
• SAML
• LDAP
• LDAP + RSA Two-Factor Authentication
ICS Shield Release 500 introduces the option of adding an additional layer of
security by configuring the Security Center to use RSA Two-Factor Authentication
in addition to LDAP.
NOTE
• If your Security Center installation is configured to use RSA Two-Factor Authentication, you need a security token generated by either a USB device or an application installed on your computer/smartphone.
• The Security Token field is only displayed on the ICS Shield login page if your installation is configured for Two-Factor authentication.
To log in to the Security Center by using native (default) authentication:
1. In a browser, navigate to the login page (https://<server-name> or <IP>).
2. If you are logging in to a Security Center installed in the same Windows domain as
your Windows account, enter your credentials in the Username and Password fields
and click LOGIN.
Alternatively, if you are logging in to a Security Center installed in a different
Windows domain than your Windows account, in the Username field enter your
username preceded by the domain and a backslash (<domain>\<username>). In
the Password field, enter your password and click LOGIN.
To log in to the Security Center by using LDAP or SAML authentication:
1. In a browser, navigate to the login page (https://<server-name> or <IP>).
If Two-Factor Authentication is enabled, the Security Token field is displayed, in
which case proceed to step 2. Otherwise, proceed to step 3.
2. In the Security Token field, enter the Security Token generated by your RSA
application.
3. Use one of the following login options, depending on the Security Center (SC) domain:
Security Center installed in the same Windows domain as your Windows account:
• Logging in as the current user: click LOGIN AS CURRENT USER.
• Logging in as a different user:
1. Click LOGIN AS ANOTHER USER.
2. In the Login Credentials dialog box, enter the required credentials.
3. Click LOGIN.
Security Center installed in a different Windows domain than your Windows account:
• Logging in as the current user:
1. Click LOGIN AS CURRENT USER.
2. In the Login Credentials dialog box, in the Username field, enter your username preceded by the domain and a backslash (<domain>\<username>).
3. In the Password field, enter your password.
4. Click LOGIN.
• Logging in as a different user:
1. Click LOGIN AS ANOTHER USER.
2. In the Login Credentials dialog box, in the Username field, enter your username preceded by the domain and a backslash (<domain>\<username>).
3. In the Password field, enter your password.
4. Click LOGIN.
CAUTION
The first time you log in as the current user to a Security Center installed in a different Windows domain than your Windows account, your credentials are saved locally, and you will not be prompted to enter them again.
Anyone using this computer can log in to the Security Center with these credentials by clicking LOGIN AS CURRENT USER.
To log out of ICS Shield:
1. On the top right corner of the screen, click the user initials.
2. Select Logout.
Figure 5-1. Logging out of ICS Shield
5.2 My Day
The My Day page allows you to focus on your currently-open remote access
connections by offering two major features:
• Open connections-only view
You can only view your currently open connections (unlike the Sites page, which
displays all connections made by all operators during the selected time range).
• Context-free navigation
You can go directly to the requested device or site and open several entities on the
same screen (unlike the Sites page, which is context-dependent – that is, each
device or site is shown in a full-screen view within its place in the navigation
hierarchy).
Figure 5-2. Multiple remote access connections in My Day page
To view or manage remote access connections started by other operators, go to the
Sites page. For more information see section 5.3, Sites.
By default, the current working day in the My Day page consists of 12 hours, starting
at 7:30 AM. If required, these values can be changed. The maximum number of days
for which an unfinished remote access activity is displayed is 7 days.
5.2.1 Opening My Day
To open the My Day module for the first time:
1. Log on to the Security Center application.
By default, the first time you log on to the Security Center application the UI opens
to the My Day module.
The first time the My Day module is accessed for the day, it opens to the Welcome
screen.
2. Click START YOUR DAY.
5.2.2 Remote access connections
From My Day it is possible to establish a remote access connection to an entity (site or device), using any of the following operations:
• Searching for the site or device name in the search bar.
• Clicking the entity icon in a remote access connection activity.
• Clicking one of the entries in the Favorites or Recent History sections:
Clicking the down arrow icon pulls down or hides the list of favorites and recent history.
Clicking the star icon saves the current location as a favorite (available only from Sites and Devices).
Clicking the star icon again removes the current location from the favorites list.
• Clicking a breadcrumb located in the search results obtained from the Search for a Device or Site text box.
• Selecting an entity from the Advanced Search dialog box.
Use the following table to choose the most direct method for opening a connection in a given situation with a given entity.
Table 5-1. Opening a remote access connection
Do you know the entity name? | Was there a remote access connection to this entity in the past? If yes, when? | Do you need the same connection type as in the past? | For the most direct method…
Yes | Today | Yes | Click the remote access connection icon next to the remote access connection activity. For details, see To open the same type of connection to the same entity as was performed earlier today.
Yes | Today | No | Click the entity icon in the remote access connection activity. For details, see To open a remote connection from a remote connection activity.
Yes | Recently | Possibly | Go to the Recent History section in the Favorites and Recent History drop-down list. For details, see To open a remote connection from the Favorites and Recent History drop-down list.
Yes | Not recently | Possibly | Go to the Favorites section in the Favorites and Recent History drop-down list.
Yes | Not recently, but it’s not a Favorite | Possibly | Enter search criteria in the Search for a Device or Site text box. For details, see To open a remote connection from the Search for a Device or Site text box.
Yes | No | Possibly | Click Advanced Search. For details, see To open a remote connection from the Advanced Search dialog box.
No | No | Possibly | Click Advanced Search.
Figure 5-3. Favorites and Recent History sections
To open the same type of connection to the same entity as was performed earlier
today:
1. Click the remote access connection icon to the left of the remote access
connection activity.
A message box opens with the following message: Remote Access Session in Progress… (Executing)
After a few seconds it closes and the InstallSecureConnect.exe? message box
opens.
2. Click InstallSecureConnect.exe.
The connection opens (such as a command line window or a Windows VNC,
depending on the connection type).
To open a remote connection from a remote connection activity:
1. Click the entity icon to the left of the remote access connection activity.
The appears at the top of the page. Do one of the following:
If the requested remote access connection icon is also displayed, proceed to step 2.
If the requested remote access connection icon is not displayed, click . The Establish Remote Access Connection drop-down icon collection appears.
2. Click the requested remote access connection icon.
To open a remote connection from the Favorites and Recent History drop-down list:
1. Click the down arrow icon to the right of the Search text box to display a drop-down list of breadcrumbs.
2. All breadcrumbs that belong to the Favorites list are indicated with a blue star.
Click the star icon on the right end of each row to toggle between adding or
removing a breadcrumb to and from the Favorites list.
3. Repeat steps 1 and 2 from the instructions To open a remote connection from a
remote connection activity.
Figure 5-4. Remote access connection icons
To open a remote connection from the Search for a Device or Site text box:
1. Enter search criteria in the Search for a Device or Site text box to the left of .
A drop-down list opens, displaying all the entities that meet the criteria.
2. Click the requested entity.
The appears at the top of the page. Do one of the following:
If the requested remote access connection icon is also displayed, continue with the next step.
If the requested remote access connection icon is not displayed, click . The Establish Remote Access Connection drop-down icon collection appears.
3. Click the requested remote access connection icon.
To open a remote connection from the Advanced Search dialog box:
1. Click Advanced Search.
The Advanced Search dialog box (with Sites and Devices tabs) opens.
2. Select one of the tabs for your search.
3. Enter search criteria and click APPLY.
A list of entities that meet the criteria is displayed.
4. Select the requested entity.
5. Click Select.
The appears at the top of the page. Do one of the following:
If the requested remote access connection icon is also displayed, continue with the next step.
If the requested remote access connection icon is not displayed, click . The Establish Remote Access Connection drop-down icon collection appears.
6. Click the requested remote access connection icon.
5.3 Sites
The figure below shows the UI page elements of a typical Sites module.
Below is a brief description of the page elements in the Sites module of the Security
Center.
• Search
Clicking the search icon replaces the breadcrumbs with a text box and the Advanced Search option. In the text box, enter the search criteria. A space between each entry acts as a logical AND.
Clicking Advanced Search opens a pop-up with Sites, Systems, and Devices tabs.
• Breadcrumbs
Clicking a breadcrumb pulls down a list of the available elements below it. Select an element.
• Favorites/History
Clicking the down arrow icon pulls down a list of favorites and recent history.
Clicking the star icon saves the current location as a favorite (available only from Sites and Devices).
Clicking the star icon again removes the current location from the favorites list.
Figure 5-5. Security Center - Sites section page elements
• Site Status/Name/permalink/Time/ID
This section of the screen contains the following components:
The status icon. This icon indicates whether the VSE is up, down, or offline. Hovering the mouse pointer over this icon displays additional status information. Offline is a special VSE mode for a VSE that is defined and presented in the Security Center but is deliberately restricted from sending any reports or data to the Security Center.
NOTE
The status icon is only displayed in the Site, System, and Device context levels. For details about navigating to these context levels, see section 5.3.1, Navigating to an entity and section 5.3.2, Context sensitivity.
The Group/Site/System/Device name.
Permalink – a link that, when clicked, copies a permanent URL for the page, which can be saved as a bookmark and used for returning to the exact web page. It is also possible to send the URL via email.
The time at the site.
The site ID.
• Tabs
The following tabs are available from the Sites module:
Dashboard – see section 5.3.3, Dashboard
Alarms – see section 5.3.4, Alarms
Summary – displays summarized information about the site, the site license, and the contact person, as well as custom fields and labels
Device List – a list of all devices, including details such as product line, model, and version
Remote Connections – see section 5.4.5, Remote Connections
Data – see section 5.3.5, Data
5.3.1 Navigating to an entity
You can navigate to any entity in the hierarchy by using any one of the following features (located at the top of the Security Center UI page, see Figure 5-5):
• Search
• Advanced Search
• Breadcrumbs
• Favorites and History
To navigate to an entity in the hierarchy by using search:
1. Click .
A search text box appears, replacing the breadcrumb trail.
2. Enter search criteria in the text box. A space between each entry acts as a logical
AND.
3. Use the drop-down list of breadcrumb trails that appears to navigate to the
requested entity.
To navigate to an entity in the hierarchy by using Advanced Search:
1. Click .
A search text box and the Advanced Search option appear, replacing the
breadcrumb trail.
2. Click Advanced Search to open the Advanced Search dialog box.
3. Search for the requested entity as follows:
a. Select the relevant tab – Sites/Systems/Devices.
b. Enter the search criteria in one or more of the filter text boxes.
c. In the Devices tab, you can narrow the search further by selecting Filter by
Product Line and using the filter boxes select the product line name and
version(s), and/or by entering the model name.
4. Click APPLY.
5. Select the requested entity from the list that displays the search results.
Several tabs may be unavailable, depending on the context selected in the breadcrumbs above; for example, the Device List tab is irrelevant in the Device context. As a result, if the cursor is positioned in a specific tab and you use the breadcrumbs to navigate to another context in which this tab is irrelevant, a message like the one shown below appears.
6. Click Select to open the page of the requested entity.
To navigate to an entity in the hierarchy by using breadcrumbs:
1. Use either of the following methods:
Click an entity in the breadcrumb trail to open the page of the selected entity.
Do the following:
i. Click the appropriate breadcrumb separator arrow to display the drop-down list of entities located under the current entity page.
ii. Select the appropriate entity to open the page of the selected entity.
2. Repeat step 1 as needed to reach the requested entity.
To navigate to an entity in the hierarchy using favorites and recent history:
1. Click the down arrow icon to display a drop-down list of breadcrumb trails.
2. Select the breadcrumb trail that contains the requested entity.
NOTE
• Clicking the star icon saves the current location, or the selected breadcrumb trail, as a favorite (available only from the Site and Device contexts, from which Remote Access Connections can be invoked).
• Clicking the star icon again removes the current location, or the selected breadcrumb trail, from the favorites list.
In the example of a paper company mentioned above, it is possible to navigate to the
Thermostat page by entering Dryer or selecting the following breadcrumb trail:
All Levels > Canada > Quebec > Cardboard production > Montreal Plant > Dryer
Figure 5-6. Device list not available
5.3.2 Context sensitivity
As described above, there are five types of levels in the entity hierarchy, which are as follows: All Levels, Group, Site, System, and Device. These types of levels are called contexts.
The Security Center UI is context sensitive, meaning that the displayed information
and functionality in the browser tabs change according to the context that is being
displayed. In the table below, checkmarks indicate in which contexts various features
are applicable.
Table 5-2. Security Center UI features according to context
(Columns: Feature | All Levels | Group | Site | System | Device | Comments)
• Dashboard tab – For each context, the dashboard can be customized differently. However, a customized dashboard appears the same in all Group contexts. Therefore, an operator can use a maximum of five different dashboards.
• Alarm tab
• Activities Log tab
• Summary tab – Site: Site Summary. Device: Device Summary.
• Device List tab – Site: Devices connected to the VSE. System: Devices grouped under the system.
• Remote Connections tab
• Data tab
• Remote Activities – The Remote Activities include: Diagnose, Fix, Command, Get File, Send File, Software, Import. In all contexts, the site and the device must be specified, either implicitly or explicitly.
• Remote Access Connections – Remote Access Connections include: Remote Terminal, Remote Desktop, Remote Browser.
The following series of figures show how the default dashboard appears in each of the
context levels:
Figure 5-7. Dashboard tab at the All Levels level
Figure 5-8. Dashboard tab at the Group level
Figure 5-9. Dashboard tab at the Site level
5.3.3 Dashboard
The Dashboard tab provides operators with a graphic display of the current network status, alarms, and remote activities, enabling them to make quick assessments of the overall network situation. The customizable graphic display can contain several customizable widgets, each of which can be configured to show a different set of parameters relevant to the currently selected context.
Following are a few examples of basic widgets:
• The Sites Count widget indicates how many sites are currently accessible from the current context. If a VSE is down, the reduced site count can alert the operator to the issue.
• The Device Count widget indicates how many devices are currently accessible from the current context. If the number of devices is greater than the number the network was designed for, performance might be degraded.
• The Sites Status widget displays, in a pie chart, the percentage of sites that are in
each of the four possible statuses: Up, Down, Offline, and Manual. The actual
number of sites in each status is displayed in the sections of the pie chart. To
determine which specific sites are included in each of the statuses, the operator
can navigate through the entity hierarchy, as described in section 5.3.1, Navigating
to an entity.
Figure 5-10. Dashboard tab at the Device level
5.3.4 Alarms
The Alarms tab displays the following types of alarms:
• System alarms
• Knowledge alarms
System alarms are predefined alarms triggered by conditions in ICS Shield components. Knowledge alarms are defined in the product lines.
The Alarms tab displays the alarm information in the following columns:
• Status — Not Ack (not acknowledged - default value), Assigned, Closed (a
checkmark is also added within the Severity circle).
• Case — unique identifier of this alarm in an external ticketing system.
• Severity — Info (blue), Warning (yellow), Error (orange), Critical (red).
• Site — available for All Levels and Group contexts; unnecessary for Site, System,
and Device contexts.
• Description — description of alarm as defined in the product line.
• System — collection of devices that includes the device that is triggering the alarm.
• Device — the device that is triggering the alarm.
• Detected Time (User) — the time that the alarm was detected, according to the
time zone of the Security Center operator.
5.3.4.1 Full-screen mode
For easier monitoring, users with the View Alarms (Full Screen) permission can switch
the display to full screen.
NOTE
To enter full screen mode, press F11. Alternatively, click the corresponding icon in the Alarms Tasks menu. To exit full screen mode, press Esc or click the corresponding icon. These options are only displayed for users with the View Alarms (Full Screen) permission.
View Alarms (Full Screen) mode:
• Automatically refreshes the alarms list at a set interval (default is 60 seconds).
• Displays a count-down timer indicating the amount of time until the next refresh.
5.3.5 Data
The Data tab displays the data derived from product lines and is accessible from the Site and Device contexts.
In the Data tab you can view all the compliance and property statistics for devices and sites. The default view displays recently accessed devices in the pane on the left side of the data display area. Clicking displays the Compliance and Device Properties lists in this pane. Select any property to display its collected data information in the data display area.
5.4 Remote access to a single VSE or device
A remote access connection is used when a real-time, interactive remote connection to a single site or device is required.
Below are several scenarios and their possible handling:
• A network connection issue
The operator can investigate by issuing the netstat command through the Telnet
remote terminal connection.
• An alarm alerts the operator that at a certain site the database is 90% full.
The operator can remotely delete unnecessary data or add more disk space. These
operations can both be performed by using the RDP remote desktop connection.
The Security Center provides the remote access connection protocols listed in Table 5-3. The operator can initiate a connection using the required protocol by clicking the protocol’s icon. If necessary, custom protocols can also be defined and added to the available protocols. Connections using the custom protocols can similarly be initiated by clicking the custom protocol icons.
Table 5-3. Default remote access protocols
Type | To Sites and Devices | Only to Devices
Terminal | Telnet | SSH
Desktop | RDP | VNC
Browser | HTTP, HTTPS | WMI
Remote access connections can be established either from the My Day module or from the Sites module. Similarly, information about the remote connections can be obtained from either module. The main difference between the two modules is that the My Day module is context-free and displays a shorter, current list of remote connections. From My Day, operators who have logged on can only see the current remote connections they have established today (or that are still open from previous days), whereas from the Sites module, operators see the remote connections (both current connections that are still open and those that have already been closed for months) that have been made by other operators as well.
All remote access connections, whether established from the My Day module or the
Sites module, require an installation of Secure Connect, as described in the next
section.
NOTE
You might need to enable pop-ups. The procedure might differ depending on the
browser.
5.4.1 Installing and upgrading Secure Connect
To establish a remote connection, Secure Connect must be installed on your computer.
NOTE
Secure Connect, as well as all other files stored in the Resources folder, is available only in a 64-bit version.
To install Secure Connect:
1. Click .
2. Click Resources.
3. Click Secure Connect.
InstallSecureConnect.exe is downloaded and appears in the lower left corner of
the browser.
4. Click the InstallSecureConnect.exe file. The User Account Control message box
opens.
5. Click Yes to run the InstallAnywhere self-extractor. The Secure Connect
installation wizard opens.
6. Click Next to run the installation wizard.
7. Click Next, Continue, Install, and Done to complete the installation.
5.4.1.1 Updating Secure Connect
Ensure that the most up-to-date version of Secure Connect is installed.
To ensure that Secure Connect is up to date:
1. Click .
2. Click Resources.
3. Click Secure Connect.
InstallSecureConnect.exe is downloaded and appears in the lower left corner of
the browser.
4. Click the InstallSecureConnect.exe file. The User Account Control message box
opens.
5. Click Yes.
The installer begins to install the software with one of the following outcomes:
If the software is up to date an Abort message box opens with the following
message:
One or more newer versions of the product are already installed. An upgrade
is not applicable.
Click Abort. The upgrade process ends.
If there is a difference between the installed and the latest versions, the
Update Secure Connect pop-up opens.
Follow the instructions in this pop-up to update Secure Connect.
5.4.2 Installing VNC Player
For viewing recorded remote access sessions, the VNC Player application must be installed on your computer.
To install VNC Player:
1. Click .
2. Click Resources.
3. Click VNC Player. The InstallVNCPlayer.exe file is downloaded and appears at the
lower left corner of the browser.
4. Click the InstallVNCPlayer.exe file. The User Account Control message box
opens.
5. Click Yes to run the InstallAnywhere self-extractor. The VNC Player installation
wizard opens.
6. Click Next to run the installation wizard.
7. Click Next, Continue, Install, and Done to complete the installation.
5.4.3 Opening a remote access connection from Sites
Remote access connections can be managed in the Sites module either from the Remote Connections tab or from the Activity Log tab.
The Remote Connections tab is available from all contexts, so that the remote connections can be monitored from any context. However, remote access connections can only be established to sites or devices from the Site or Device contexts. In these contexts, the remote connection icons are displayed on the upper right side of the page, above the tabs.
If a remote connection button is not displayed at the top of the page, it can be accessed from the remote connection palette.
To open a remote access connection:
1. Click at the upper right corner of the page, above the tabs, to display the
Establish Remote Access Connection drop-down list.
Figure 5-11. Remote Connections tab
2. Click the requested connection type.
A message box opens with the following message: Remote Access Session in Progress… (Executing)
After a few seconds it closes and the InstallSecureConnect.exe? message box
opens.
3. Click InstallSecureConnect.exe.
The connection opens (such as a command line window or a Windows VNC,
depending on the connection type).
A remote connection icon appears in the area on the right above the tabs, with the
tooltip: Executing <connection type>.
For HTTP and HTTPS connections, an attention message box appears in the
lower-right corner of screen.
The default timeout for remote access connections is 6 hours. However, it can be changed, from a minimum of 1 hour to a maximum of 72 hours, using the following procedure.
To add parameters before opening a remote access connection:
1. Hover the cursor over the row of stars at the bottom of the requested remote connection icon.
The background of the stars is highlighted in turquoise and a tooltip appears with the following text: Add Params to <remote connection type>.
Figure 5-12. Establish Remote Access Connection
2. Click the row of stars.
The Execute <remote connection type> on <entity name> dialog box opens.
3. Specify the following:
Case
Description
Timeout (in hours; the default is 6 hours)
4. Click Run Connection.
To initiate a remote access connection:
1. Click , and in the pop-up, click the requested connection type (Remote Terminal: Telnet or SSH; Remote Desktop: VNC or RDP; Remote Browser: HTTP, HTTPS, or WMI).
2. In the pop-up that appears, click Open Secure Connect.
The Secure Connect icon appears in the system tray.
Hovering the mouse over this icon opens an identification pop-up, with the options Show Diagnostic Dialog or Disconnect.
Figure 5-13. Adding Remote Connection parameters
Left-clicking this icon opens a Secure Connect pop-up showing the site and device information, with options to:
o disconnect
o open the connection log to help in connection troubleshooting
o display compact mode, a smaller, always-on-top version of the pop-up
o restore the pop-up to the Secure Connect icon in the system tray
3. Click to invoke the relevant application (if the application is HTTP or HTTPS, this opens a new tab in the browser).
4. Use your credentials to log in on the login screen for the device that opens.
5. The Remote Connection is displayed to the left of , where the green dot indicates that the remote connection is active.
NOTE
The remote web connection disconnects and disappears if you force a refresh (click Reload or press F5) or navigate away from the application.
5.4.4 Closing connections
This section describes several ways of closing connections.
5.4.4.1 Closing a session
To close a Telnet session:
1. Click the X at the top of the window or type Exit.
An Exit confirmation message box opens.
2. Click OK.
The Telnet window closes.
The icon in the system tray (or in hidden icons) disappears.
5.4.4.2 Closing a connection
1. Go to the Remote Connections tab.
2. Click the lightning bolt icon (with tooltip: Terminate Connection).
The Remote Access Connect message box appears, asking: You are about to terminate and immediately disconnect all users from this activity. Are you sure?
3. Click OK.
A message box appears in the lower-right corner of the screen: All selected Activities were marked as completed
The lightning bolt icon on the left end of the row in the Remote Connections tab changes from green to black.
The green dot in the remote connection icon disappears.
The tooltip for the remote connection icon changes to: Request Connection via…
5.4.4.3 Closing activity, connection, and session simultaneously
1. Go to the Activity Log tab.
2. Click the check icon on the right end of the row (with tooltip: Mark as Complete).
A message box appears in the lower-right corner of the screen: All selected Activities were marked as completed
The clock icon on the left end of the row in the Activity Log tab changes to a green blip signal icon.
The green dot in the remote connection icon disappears.
The tooltip for the remote connection icon changes to: Request Connection
5.4.5 Remote Connections
The Remote Connections tab (see Figure 5-11) displays the remote terminal, desktop, and browser connections established with VSEs and devices.
Remote access connections are available only from the site and device contexts and
require the Secure Connect application to be installed on your PC.
5.4.6 Remote access session recording
Remote access sessions are automatically recorded in .vncs files and can be downloaded from the Remote Connections tab by clicking the icon located in the ACTIONS column. The recorded sessions can be viewed with the VNC Player.
5.5 Remote activities on multiple VSEs and devices
Security Center operators can provide support to sites by remotely running the following:
• Diagnostics activities
• Fix activities routines
• Instant commands
By performing these activities (tasks), the operator can gain a clearer understanding of
issues affecting the ICS Shield network and remotely solve the issues.
5.5.1 Remote activities
In the context of the ICS Shield system, a remote activity is a task sent by the master Security Center to one or more VSEs, which requests that the VSE performs actions such as the following:
• Granting remote access to a specific device
• Executing an execution profile from one or more devices
• Importing a product line
• Importing software
• Sending files to the VSE
If the VSE is not configured to accept Remote Activity automatically, each remote
activity must be approved at the VSE before it is executed.
5.5.1.1 Remote activity types
The different remote activity types are:
• Diagnose remote activities – see sections 5.5.1.2, Diagnose/Fix and 5.5.2, Running diagnostic activities
• Fix remote activities – see sections 5.5.1.2, Diagnose/Fix and 5.5.3, Running fix activities
• Distribute a product line remote activities – see section 5.5.1.3, Distribute Product Line
• Distribute software – see sections 5.5.1.4, Distribute Software (or Distribute File) and 5.6.3, Distributing software
• Get File remote activities – see section 5.6.1, Getting files
• Send File – see sections 5.5.1.5, Send File and 5.6.2, Sending files
• Remote Access remote activities – see section 5.5.1.6, Remote Access remote activities
• Instant Command remote activities – see section 5.5.4, Running instant commands
5.5.1.2 Diagnose/Fix
The Security Center sends a Diagnose or Fix remote activity and requests the VSE to
execute an existing execution profile. If the remote activity is approved, the VSE runs
the specified execution profile.
Viewing execution profile information can help you decide whether to approve a
Diagnose or Fix remote activity. For instructions, see section 5.5.1.14, Viewing
execution profile information.
5.5.1.3 Distribute Product Line
The Security Center sends the remote activity Distribute a Product Line to the VSE, to
install or update a product line on the VSE. If the remote activity is approved, the VSE
imports the product line to the VSE database.
Viewing product line information can help you decide whether to approve a Distribute
Product Line remote activity. For instructions, see section 5.5.1.13, Viewing product
line information.
5.5.1.4 Distribute Software (or Distribute File)
The Security Center sends the remote activity Distribute Software to the VSE, to install
a software module on the VSE. If the remote activity is approved, the VSE imports the
software module and installs it on the appropriate device.
5.5.1.5 Send File
The Security Center sends a Send File remote activity to the VSE, to store a file on a
specific device. If the remote activity is approved, the VSE stores the file in the
specified directory on the device.
5.5.1.6 Remote Access remote activities
The Security Center sends a Remote Access remote activity, to remotely access,
configure, or troubleshoot either a VSE or a device.
The workflow for getting remote access is as follows:
1. The Security Center sends to the VSE a Remote Access remote activity, which
appears in the list under the Remote Activities tab (Operations > Devices >
Remote Activities).
2. In the left pane either select All to see remote activities for the VSE itself or select
a specific device to see remote activities associated with this device.
Unless the VSE is configured to automatically approve remote activities of type
Remote Access, you need to manually approve or reject the remote activity.
For information on automatically or manually approving or rejecting remote
activities see section 5.5.1.15, Approving remote activities and section 5.5.1.16,
Rejecting remote activities.
3. The Security Center receives a notification stating whether the remote activity was
approved or rejected and by whom.
4. If you approved the remote activity (either automatically or manually), the Security
Center user can remotely access the VSE or the requested device at any time, as
long as the remote activity has not completed executing.
NOTE
The VSE and the Security Center exchange information via a secure connection
(SSL over TCP).
5. The Remote Access remote activity ends when one of the following occurs:
The remote activity times out.
The remote activity is aborted by a VSE user; for details, see section 5.5.1.17,
Aborting remote activities.
An active connection for the remote activity is terminated by a VSE user.
You can track the state of the remote activity in the Remote Activities screen.
5.5.1.7 Setting up Remote Access
No preparations are needed for remote access via Telnet or HTTP(S). If you want to
allow remote access via VNC, follow the procedure below.
5.5.1.8 Recorded Sessions
When Security Center users connect via remote access, they are able to compromise the machine. While it is not possible to prevent users from performing certain unwanted actions while connected via VNC or RDP, it is possible to record their sessions for future examination.
5.5.1.9 Remote Activities Monitor
The Remote Activities monitor is used to view, approve, reject, or abort all types of
remote activities (and to supervise in the case of VNC remote access).
5.5.1.10 Remote activity severity
Each remote activity is assigned a severity when it is finished. The severity can be:
• Empty (no severity description)
• Info
• Warning
• Error
• Critical
The severity is determined as follows:
• For remote activities of all types, if the remote activity fails to start for some reason,
its state changes immediately to Finished and its severity is set to Error.
A remote activity can be prevented from starting because:
The VSE administrator rejected the remote activity
The VSE administrator aborted the remote activity
The VSE administrator terminated the remote connection
• For all remote activities other than Diagnose/Fix types, if the remote activity was
approved and ran successfully, the Severity field remains empty.
• For Diagnose/Fix remote activities that have finished executing, the severity of the
remote activity is set to the highest severity of all the execution results.
5.5.1.11 Filtering the list of remote activities
You can filter the list by any of the following:
• Remote Activity type
• Time slot (From the last specified number of minutes, hours, or days)
• Device (From a list of devices defined in the VSE, including the VSE itself)
• Remote activity state
The filters are located at the top of the workspace.
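The severity rules of section 5.5.1.10 and the four filters of section 5.5.1.11, worked through as an added Python example. This is not ICS Shield code: the RemoteActivity fields, the sample rows and the fixed NOW timestamp are constructed for illustration, and the "failed to start" flag stands for any of the three reasons listed above (rejected, aborted, connection terminated).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Severity order as listed in the Remote Activities monitor. The empty string
# stands for "Empty (no severity description)".
SEVERITY_ORDER = ["", "Info", "Warning", "Error", "Critical"]


@dataclass
class RemoteActivity:
    """One row of the Remote Activities list (field names are assumptions)."""
    activity_type: str                 # e.g. "Remote Access", "Diagnose", "Fix"
    device: str                        # device name; "VSE" stands for the VSE itself
    state: str                         # "Scheduled", "Executing" or "Finished"
    last_change: datetime              # time of the most recent state change
    failed_to_start: bool = False      # rejected, aborted or connection terminated
    execution_results: List[str] = field(default_factory=list)  # per-execution severities


def activity_severity(a: RemoteActivity) -> str:
    """Severity rules of section 5.5.1.10."""
    if a.failed_to_start:
        # The activity moves straight to Finished with severity Error.
        return "Error"
    if a.state != "Finished":
        return ""                      # severity is only assigned on completion
    if a.activity_type in ("Diagnose", "Fix"):
        # Highest severity among the execution results; no results means empty.
        return max(a.execution_results, key=SEVERITY_ORDER.index, default="")
    return ""                          # approved and ran successfully


def filter_activities(activities, activity_type=None, last: Optional[timedelta] = None,
                      device=None, state=None, now=None):
    """Apply the filters of section 5.5.1.11 (each optional, combined with AND)."""
    now = now or datetime.now()
    keep = []
    for a in activities:
        if activity_type is not None and a.activity_type != activity_type:
            continue
        if device is not None and a.device != device:
            continue
        if state is not None and a.state != state:
            continue
        if last is not None and a.last_change < now - last:
            continue
        keep.append(a)
    return keep


# Constructed sample list (not real product data).
NOW = datetime(2020, 6, 1, 12, 0, 0)
SAMPLE = [
    RemoteActivity("Remote Access", "VSE", "Finished", NOW - timedelta(minutes=5),
                   failed_to_start=True),
    RemoteActivity("Remote Access", "plc-01", "Executing", NOW - timedelta(minutes=20)),
    RemoteActivity("Diagnose", "plc-01", "Finished", NOW - timedelta(hours=3),
                   execution_results=["Info", "Warning", "Info"]),
    RemoteActivity("Fix", "hmi-02", "Finished", NOW - timedelta(days=2),
                   execution_results=["Info", "Critical"]),
    RemoteActivity("Get File", "hmi-02", "Finished", NOW - timedelta(minutes=30)),
]

if __name__ == "__main__":
    # Activities changed in the last hour, with their computed severity.
    for a in filter_activities(SAMPLE, last=timedelta(hours=1), now=NOW):
        print(a.activity_type, a.device, a.state, repr(activity_severity(a)))
```

The rejected Remote Access row gets Error even though it never ran, the Diagnose row inherits the worst of its execution results, and the ordinary Get File row stays empty; the time-slot filter is measured against last_change, which the list's Last status change column reports.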
5.5.1.12 Viewing remote activity details
The Activity Log Details pane provides information on the remote activity you are viewing.
The information is displayed in the following sections:
• Activity details
Displays a brief sentence, which describes the activity with its time and date, as
well as the following data items:
Result message – for example, Activity Completed OK
Last status change – date and time when the activity’s most recent status
change took place
Attach Historical Data – see note
NOTE
Depending on the remote activity type, certain fields might not be displayed; for
example, product line name.
• List of sub-activities
A table displaying a list of all the activity’s sub-activities. This table, which can be
filtered by status, site name, device name, or any combination of these
parameters, provides the following information for each sub-activity:
State – shows whether the activity is OK or there is a violation, in which case
the violation’s severity is displayed
Site
Device
Changed – date of the most recent change of the activity’s status
Result – the result message; for example, The activity due date is overdue or
Activity Completed with OK severity
Approved/Rejected by – the name of the person who approved or rejected
the sub-activity
Data – if any data is attached to the sub-activity, clicking the icon
displays the data in the Data Viewer.
Figure 5-14. Activity Log details
5.5.1.13 Viewing product line information
Viewing product line information for a Distribute a Product Line remote activity can
help you decide whether to approve the remote activity. This information includes
details of each execution profile variation and specifies whether it already exists in the
VSE.
You can only view product line information for a Distribute a Product Line remote
activity before approving the remote activity. After approving the remote activity, the
Remote Activities monitor no longer shows this information; however, you can view
product line information through the Product Line View or the Device View.
5.5.1.14 Viewing execution profile information
Viewing execution profile information for a Diagnose/Fix remote activity can help you
decide whether to approve the remote activity.
You can see the following information:
• Profile Name
• Profile Type: Diagnostic, Monitoring, Corrective Action
• Execution Type: Once, Periodic, Scheduled, or On Trap
• Product Line
• Vendor
• Auto Self-Send: Whether the Security Center sets the execution profile to
automatically send the execution result to the master and subscribed Security
Centers
• Auto Activation: Whether the Security Center sets the execution profile to be
automatically activated on any devices that have the appropriate model/version
combination
• Model Name for which the execution profile is defined
• Model Version for which the execution profile is defined
• All the Scripts appear at the bottom of the web page dialog in the order that they
appear in the execution profile. You can see the following for each Script:
Script name
Protocol used (for example, Telnet or SNMP)
Command type (Perl Script, VBScript, Command Line, get scalar, or get
column)
A box containing the Script itself
5.5.1.15 Approving remote activities
Each remote activity must be approved at the VSE level before it is executed. There are
two types of approval:
• Automatic approval
• Manual approval by a VSE administrator
If the VSE is configured for automatic approval of a particular remote activity type, then
the remote activity is activated on each specified device as soon as it arrives and is
executed when it is scheduled. Otherwise, you must manually approve the remote
activity on each device before it can be activated and executed on that device.
5.5.1.16 Rejecting remote activities
You can reject remote activities that are waiting for approval.
5.5.1.17 Aborting remote activities
You can abort remote activities with the state Scheduled or Executing.
5.5.2 Running diagnostic activities
In general, different product lines have different diagnostic routines. Each product
line has a default diagnostic routine, but the default routine differs from one product
line to another.
If you want to run a diagnostic routine on one or more devices that are all based on
one product line, you can specify the product line and a diagnostic routine to run on all
the devices.
However, if you want to run diagnostic routines on multiple devices that are based on
different product lines, you can only specify the default diagnostic routine for each
device.
To understand the reason for an alarm, run a diagnostic activity on the device
associated with the alarm. To do this you must know the diagnostic routine available
for the product line associated with the device.
To run a diagnostic activity:
1. Go to the context level where the alarm is displayed in the Alarms tab.
2. Click .
The Run Diagnose activity on <group/site/system/device> <name> dialog box
opens.
3. Choose one of the following options:
For devices based on one or more product lines:
Specify the default diagnostic routines, by selecting Basic Diagnosis.
Different default diagnostic routines run on the devices (selected in step 5),
depending on each device’s product line.
Figure 5-15. Activity Log tab
For devices that are all based on one product line:
Specify one diagnostic routine, by selecting
i. Specific Diagnose Routine
and from the drop-down lists that appear:
ii. a product line
iii. a diagnostic routine
The routine that you select runs on all the devices (selected in step 5).
4. To specify which devices the diagnosis is applied to, click .
The Select Devices dialog box opens.
5. Select one or more devices using the Tree (hierarchic navigation method) tab or
the Device (filter search method) tab.
6. Click Select at the bottom of the dialog box.
The Select Devices dialog box closes, and the number of selected devices
appears to the right of .
7. Enter a case ID in the Case field. Optional
8. Enter a description in the Description field. Optional
9. If necessary, mark Attach history data from last and select a time period.
10. Click Run.
To view the results of a diagnostic activity:
1. Go to the Activity Log tab.
2. Select the requested activity.
3. Click , located on the right end of the selected row.
A screen opens with the results. A red circle in the Severity column indicates an
issue that might require further investigation.
4. If necessary, filter the display by severity or category by clicking , selecting the
relevant filter criteria and clicking Apply.
5. To see if the issue has occurred in the past or is a trend, click View Device’s data.
The Data Viewer screen opens, displaying all the data collected in the past 7 days.
6. Click View activity data to return to the diagnostic activity results screen.
5.5.3 Running fix activities
Sometimes, based on the results produced by a diagnostic activity, it is evident that a
fix activity is required. For example, the diagnostic results might indicate that a disk is
nearly full. To make more disk space available, you can empty the temporary folder by
running a fix activity.
To run a fix activity:
1. Go to the level where the alarm is displayed in the Alarms tab.
2. Click .
The Run Fix activity on <group/site/system/device> <name> dialog box opens.
3. Select a product line from the Select Product line drop-down list.
4. To specify which devices the fix runs on, under Select devices, click Select.
The Select Devices dialog box opens.
5. Select one or more devices using the Tree (hierarchic navigation method) tab or
the Device (filter search method) tab.
6. Click Select at the bottom of the dialog box.
The Select Devices dialog box closes, and the number of devices selected
appears in the Select Devices section next to Select.
7. Select a fix routine from the Select Fix to Apply drop-down list. For example,
Delete Temp Files.
8. Enter a case ID in the Case field. Optional
9. Enter a description in the Description field. Optional
10. Click Run.
The Activity Not Completed icon in the Status column of the Activity Log tab
indicates that the fix activity is running.
11. To see if the activity has completed, select the activity and click (Show details
pane).
The activity details pane opens.
12. Select the requested entity and click APPLY.
13. Repeat the previous step, if necessary.
14. When the activity completes, the status can be one of the following:
The green flag Completed with OK severity icon in the Status column
indicates that the fix activity completed successfully.
The orange Completed with Error severity icon in the Status column
indicates that the fix activity failed to complete.
5.5.4 Running instant commands
Sometimes an operator needs to run a command on a device. For example, an operator
who knows the IP address of a device but wants to know its hostname can use Instant
Command to run the hostname command over the Telnet protocol.
TIP
If the operator requires an interactive session with the device, the Remote Access feature can be used.
To run a command on a device:
1. Click .
The Run Instant Command on <group/site/system/device> <name> dialog box
opens.
2. Proceed according to the entity on which the Security Center UI is focused:
For group context level go to step 3.
For site or System context level go to step 6.
For device context level go to step 10.
3. Click Select Site to open the Select Sites dialog box.
4. Select a site using the Tree (hierarchic navigation method) tab or the Sites (filter
search method) tab.
5. Click Select at the bottom of the dialog box.
The Select Sites dialog box closes, and the name of the site appears in the Select
Site section to the right of the Select button. The Select Devices button appears.
6. To specify which devices the command runs on, click Select Devices to open the
Select Devices dialog box.
7. Select a product line, which supports Telnet connections, from the Select Product
line drop-down list.
8. Select one or more devices using the Tree (hierarchic navigation method) tab or
the Device (filter search method) tab.
9. Click Select at the bottom of the dialog box.
The Select Devices dialog box closes, and the number of devices selected
appears to the right of the Select button. The selected product line name appears
in the Product Line section.
10. Enter one or more commands in the Enter Command text area. Use the Enter key
to separate commands. For example, hostname.
11. Enter a case ID in the Case field. Optional
12. Enter a description in the Description field. Optional
13. Click Run.
A page opens. A list of devices where the command is running appears in the left
pane. The list displays the name and IP address of each device and an execution
state indicator. When the execution terminates, whether successful or not, the
indicator is replaced with a small green circle. The results of the execution appear
in the right pane, showing the command line or an error message with error
details.
5.6 Transferring files
This section provides instructions for transferring files between the Security Center
and the VSEs. Bidirectional file transfer allows Security Center operators to receive
data and log files from remote sites for analysis and to send files and utilities, such as
scripts, to the sites. In addition, it is possible to distribute software updates to all sites.
5.6.1 Getting files
Typically, an operator requires information from a device’s log file.
To get a file from a device:
1. Click .
The Run Get File activity on <group/site/system/device> <name> dialog box
opens.
2. Repeat steps 2 to 9 of section 5.5.4, Running instant commands.
3. Enter the path to the file in the Full File path field. For example,
./var/logs/server_log1.log
NOTE
An FTP connection is established to the device’s FTP root directory and
therefore requires the device’s product line to support FTP connections. In the
case of a local device (localhost or 127.0.0.1) the connection is performed
locally by the VSE and therefore FTP support is not required.
4. Enter a case ID in the Case field. Optional
5. Enter a description in the Description field. Optional
6. Click Run to open a page whose left pane displays a list of devices where the get
command is running. For each device, the list shows the name and IP address and
an execution state indicator. When the execution terminates, whether successful
or not, the indicator is replaced with a small green circle. The results of the
execution appear in the right pane, showing a link to the downloaded file or an
error message with error details.
5.6.2 Sending files
An operator can send a file to a device by using the Send File activity. For example, to
install a small software update on a remote device, the installation file can be sent to
the device and then the operator can install the software manually.
To enable the Send File activity, the device requires FTP support.
NOTES
An FTP connection is established to the device’s FTP root directory and therefore
requires the device’s product line to support FTP connections. In the case of a local
device (localhost or 127.0.0.1) the connection is performed locally by the VSE and
therefore FTP support is not required.
To send a file to a device:
1. Click .
The Run Send File activity on <group/site/system/device> <name> dialog box
opens.
If the Security Center UI is focused on a Device context level, skip this step and
continue with step 3. Otherwise go to the next step.
2. Specify the file destination(s) by choosing one of the following procedures:
Sending to a list of devices – applicable if the Security Center UI is focused on a
System context level. For details, see To send to a list of devices.
Sending to one or more VSEs, as detailed below.
To send to one or more VSEs:
i. Select Site Server
ii. Click the Select Sites button to open the Select Sites screen.
iii. Select one or more sites from either the Tree or the Sites tabs.
iv. Click Select.
The name of the VSE or, when more than one site is selected, the number of
sites appears to the right of Select Sites.
To send to a list of devices:
i. Select List of Devices.
ii. Click the Select Devices button to open the Select Devices screen.
iii. Select one or more devices from either the Tree tab or the Device tab.
iv. Click Select.
The number of devices appears to the right of Select Devices.
3. Specify the file to be sent by choosing one of the procedures below.
For a local file:
i. Select From your local network.
ii. Click the Browse button and select a file from the Open dialog box.
iii. Click Open.
The file name appears in the Browse field.
For a file in the distribution directory:
i. Select From File Distribution directory.
ii. Click the Select button to open the Select File From Server screen, which
displays a list of folders and files.
iii. Select the requested file.
iv. Click Select.
The Select File From Server screen closes and the file name appears in
the Select field.
4. Proceed according to the destination:
If the destination is one or more VSEs, select, if applicable, Unzip the file at
the Site Server.
If the destination is a list of devices, use the Destination Dir. field to enter the
path to the destination folder.
5. Optionally, enter a case ID in the Case field.
6. Optionally, enter a description in the Description field.
7. Click Run.
5.6.3 Distributing software
Whenever updates to the VSE software are ready, they are placed in a central location
called the Security Center’s file distribution directory. By using the Distribute Software
feature, it is possible to push the updates to all selected VSEs, thereby helping to
automate the software distribution process.
The file distribution operation is identical to sending files, except for the following
differences:
• You cannot select a file from the local network but only from the file distribution
directory
• When the software file is received at the site, it automatically begins running.
For instructions, see section 5.6.2, Sending files.
CAUTION
Usually a software package is zipped to maintain the folder structure and reduce file size. Therefore, you must ensure that the file is unzipped at the destination VSE.
NOTE
An FTP connection is established to the device’s FTP root directory and therefore
requires the device’s product line to support FTP connections. In the case of a local
device (localhost or 127.0.0.1) the connection is performed locally by the VSE and
therefore FTP support is not required.
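Because a distributed package starts running as soon as the site receives it, and is normally unzipped at the Site Server, an operator can check a package before placing it in the file distribution directory. The following is an added Python example, not ICS Shield code and not a description of what the product itself verifies: it computes the package’s SHA-256 so the digest can be compared against the one published with the update, rejects archives whose entries use absolute paths or ".." components (which would unpack outside the target folder), and runs the archive’s CRC check. The sample packages, entry names and expected digest are constructed.

```python
import hashlib
import io
import posixpath
import re
import zipfile
from typing import List, Tuple


def _unsafe_entry(name: str) -> bool:
    """True if an archive entry would land outside the directory it is unzipped into."""
    name = name.replace("\\", "/")
    if name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        return True                               # absolute path or Windows drive
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def inspect_package(data: bytes) -> Tuple[str, List[str]]:
    """Return (sha256 hex digest, list of findings) for a candidate package."""
    digest = hashlib.sha256(data).hexdigest()
    problems: List[str] = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        problems.append("not a ZIP archive")      # the CAUTION expects a zipped package
        return digest, problems
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if _unsafe_entry(info.filename):
                problems.append("unsafe entry path: " + info.filename)
        corrupt = zf.testzip()                    # CRC check of every member
        if corrupt is not None:
            problems.append("corrupt entry: " + corrupt)
    return digest, problems


def cleared_for_distribution(data: bytes, expected_sha256: str) -> bool:
    """Clear a package only if it matches the published digest and has no findings."""
    digest, problems = inspect_package(data)
    return digest == expected_sha256.lower() and not problems


def _build_zip(entries: dict) -> bytes:
    """Helper to construct sample packages in memory (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real ICS Shield update packages.
GOOD_PACKAGE = _build_zip({
    "vse-update/README.txt": "constructed sample package\n",
    "vse-update/bin/install.sh": "#!/bin/sh\necho installing\n",
})
BAD_PACKAGE = _build_zip({
    "vse-update/README.txt": "constructed sample package\n",
    "../../etc/cron.d/nightly": "constructed traversal entry\n",
})
NOT_A_ZIP = b"constructed plain text, not an archive\n"

if __name__ == "__main__":
    for label, pkg in (("good", GOOD_PACKAGE), ("bad", BAD_PACKAGE), ("text", NOT_A_ZIP)):
        digest, problems = inspect_package(pkg)
        print(label, digest[:16], problems or "no findings")
```

The path check is independent of how the Site Server unzips: an entry such as ../../etc/cron.d/nightly is rejected before the package is ever pushed, and cleared_for_distribution fails closed when the digest differs from the published one.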
5.7 Reports
Reports can be generated based on the data collected from remote devices.
To access a Report
1. Click the Collapsed Menu Icon .
2. Select Reports.
Reports are generated under the following main report categories, described in the
following sections:
• Inventory
• Healthcheck
• Performance
• System
• Custom
5.7.1 Inventory
Table 5-4: Inventory reports
Report – Description
Inventory – Information about the sites.
Device Inventory – Information about the devices.
Extended Site Properties – Generates a report of the default properties and the top 15
custom fields for one or all sites.
Installed Software – Generates a report of all installed software for one or all Windows
devices in a selected site.
Installed Windows Patches – Generates a report of all installed Windows patches and
their installation dates for one or all Windows devices in a selected site.
Get Device Index – Returns a list of all devices and related indexes for one site or all sites.
Device Properties – Returns a list of device properties for a specified site, device or
product line.
5.7.2 Healthcheck
Table 5-5: Healthcheck reports
Report – Description
Alarm History – Detailed information about all the knowledge base alarms (not
including system alarms) that occurred in the selected time frame. The information is
grouped by each day of the selected time frame.
Product Line Data Units – Presents a list of objects, properties, and analysis rules
grouped by product line.
Product Line Execution Profiles – Presents a list of collected properties grouped by
monitoring, diagnose and fix profiles.
Diagnose Results – Returns the data collected by a diagnose activity. The data includes
only data units of type object (not including files, event logs or alarm tables).
Product Line Analysis Rules – Information about the analysis rules of all the product lines.
Sites Summary – Information about the sites.
Product Lines Properties – Information about the data units and the properties of all
the product lines.
Site Alarms Monthly Statistics – Information about all the knowledge base alarms (not
including system alarms) that occurred in the selected time frame. The information is
grouped by each day of the selected time frame.
Site Alarms Weekly Statistics – Information about all the knowledge base alarms (not
including system alarms) that occurred in the selected time frame. The information is
grouped by each day of the selected time frame.
World Alarms Monthly Statistics – Information about all the knowledge base alarms
(not including system alarms) that occurred in the selected time frame. The information
is grouped by each day of the selected time frame.
World Alarms Weekly Statistics – Information about all the knowledge base alarms (not
including system alarms) that occurred in the selected time frame. The information is
grouped by each day of the selected time frame.
World Health Monthly Statistics – Information about all the knowledge base alarms (not
including system alarms) that occurred in the selected time frame. The information is
grouped by each day of the selected time frame.
World Health Weekly Statistics – Information about all the knowledge base alarms (not
including system alarms) that occurred in the selected time frame. The information is
grouped by each day of the selected time frame.
Remote Activities by Site – Retrieves a list of activities on a site per user. The result is
filtered according to the permissions of the user generating the report: a Site Manager
sees all activities, while a Label Manager only sees activities on relevant labels.
Alarms Global Weekly Summary – Information about the sites.
5.7.3 Performance
Table 5-6: Performance reports
Report – Description
Data over Time – Data of specific properties in a site that was collected in the selected
time frame.
5.7.4 System
Table 5-7: System reports
Report – Description
Users Info – Information about all the users of the Security Center.
Last Data Received – Information about the sites.
Data Collection Statistics – Returns the number of execution profiles collected and the
number of specific protocol failures and successes, grouped by device.
Audit Log – Returns a list of Audit log system alarms for a specified period.
Operation Log – Returns a list of Operational log system alarms for a specified period.
5.7.5 Custom
Table 5-8: Custom reports
Report – Description
(Name of user-defined report) – Added by a user with the Report Manager role.
To generate a Report:
1. In the Reports category dropdown, select a report category.
2. In the reports list, select a report.
3. Enter the requested report parameters in the fields displayed.
For reports that accept the Site parameter, in the Site field, click SELECT. The
Select Site dialog opens. To select a site:
a. In the Select Site dialog, select a site by clicking either of the following tabs:
o Tree - use the site hierarchy tree to navigate to the requested site.
o Sites - enter one or more search criteria in the search fields. Alternatively,
to display all sites, leave the search fields blank.
b. Click APPLY.
c. Click the requested site and then click SELECT.
The Select Site dialog closes, and the selected site is displayed in the Site field.
4. Click .
5.8 User profile
You can access your User Profile from any module by clicking the Collapsed Menu
icon , and clicking Edit Profile immediately below your name. Your user profile is
displayed with three subtabs:
• Details
• Permissions
• Notifications
5.8.1 Details
The Details subtab consists of the following fields:
• First Name
• Last Name
• Username
• Domain
• Main Phone
• Additional Phone
• Pager
• SMS/Pager Email
In addition, there is a section for time zone adjustment and a button for changing your
password.
To modify your details:
1. Go to Edit Profile > Details.
2. Modify one or more of the fields.
3. If necessary, adjust the time zone difference by doing one of the following:
Select Automatic.
Select Manual and then select a time zone difference from the pop-up list.
4. Click to save the changes, or to revert back to the original values.
To generate a new password:
1. Click . The Change Password pop-up window opens.
2. Enter your current password, and the new password in the fields provided.
3. Click Save.
NOTE
A password must be at least 8 characters in length.
5.8.2 Permissions
The Permissions subtab consists of the following options:
• System Roles
• Access Permissions
• Product Line Permissions
NOTE
The contents of the Permissions subtab can only be modified by users with
administrator privileges.
5.8.2.1 System Roles
When you select the System Roles option, the Edit System Roles screen opens, and
details are shown about one or more of the following system role categories: Site
Management, Logs, Settings, Operators, Labels, and Reports.
5.8.2.2 Access Permissions
When you select the Access Permissions option, the Edit Access Permissions screen
opens and details about the access permissions are displayed in a table consisting of
the following columns: Entity Name or Path and Entity Access Permissions.
5.8.2.3 Product Line Permissions
When you select the Product Line Permissions option, the Edit Product Line
Permissions screen opens and details about the product line permissions are
displayed in a table consisting of the following columns: Product Line Name and
Product Line Permissions.
To add product line permissions:
1. Go to Edit Profile > Permissions > Product Line Permissions. The Edit Product
Line Permissions screen opens.
2. Click .
The Access a new product line pop-up opens with a list of available product lines.
3. Locate the requested product line by entering search criteria or by scrolling.
4. Click on the right end of the row of requested product line.
The Edit permissions of Product Line <product line name> pop-up opens.
5. Select one or more permissions from the Permissions Inventory column to
transfer them to the Current Permissions column:
View Product Line
Edit Product Line
Delete Product Line
6. Click OK.
7. Click Close.
8. Click to save the changes, or to revert back to the original values.
5.8.3 Notifications
The Notifications subtab consists of the following options:
• Entity-level notifications
• Operational notifications
5.8.3.1 Entity-level notifications
Selecting the Entity-level notifications option opens the Edit Entity-level
Notification screen which displays the Entity Name or Path, Category (such as
storage, system configuration, and compliance), System Type (such as All, Live, and
Test), Email Severity, and SMS/Pager Severity.
5.8.3.2 Operational notifications
Selecting the Operational notifications option opens the Edit Operational
Notification screen which displays the types of alarm, the levels of severity, and the
methods of notification.
The operator can be notified of one or more of the following categories of operational
alarms:
• All Categories
• Activity
• Communication
• Security
• System
• User Action
For each alarm, the level of severity when the operator is notified can be one of the
following:
• None
• All
• Info
• Warning
• Error
• Critical
For each alarm, the operator is notified, according to the severity level associated with
the notification method, as specified by one or more of the following:
• Email Severity
• SMS/Pager Severity
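The following added Python example (not ICS Shield code) models how an operator’s operational notification settings map an incoming alarm to the Email and SMS/Pager methods, and audits a configuration for categories whose Critical alarms would reach nobody. Two points are assumptions, because the guide does not state them: a configured level is treated as a minimum threshold (None disables the method, All matches every severity), and a category-specific entry overrides the All Categories entry. The operator configuration and the sample alarms are constructed.

```python
from typing import Dict, List, Tuple

# Severity levels of section 5.8.3.2, lowest to highest.
SEVERITY_RANK = {"Info": 1, "Warning": 2, "Error": 3, "Critical": 4}
CATEGORIES = ("Activity", "Communication", "Security", "System", "User Action")
METHODS = ("Email Severity", "SMS/Pager Severity")


def method_fires(configured: str, alarm_severity: str) -> bool:
    """Assumed semantics: the configured level is a minimum threshold;
    None disables the method and All matches every severity."""
    if configured == "None":
        return False
    if configured == "All":
        return True
    return SEVERITY_RANK[alarm_severity] >= SEVERITY_RANK[configured]


def route_alarm(config: Dict[str, Dict[str, str]], category: str, severity: str) -> List[str]:
    """Return the notification methods triggered for one operational alarm.
    Assumption: a per-category entry overrides the "All Categories" entry."""
    rule = config.get(category, config.get("All Categories", {}))
    return [m for m in METHODS if method_fires(rule.get(m, "None"), severity)]


def route_all(config, alarms) -> List[Tuple[str, str, List[str]]]:
    """Route a batch of (category, severity) alarms."""
    return [(c, s, route_alarm(config, c, s)) for c, s in alarms]


def audit_config(config) -> List[str]:
    """Flag categories for which a Critical alarm would notify the operator by no method."""
    findings = []
    for category in CATEGORIES:
        if not route_alarm(config, category, "Critical"):
            findings.append(f"Critical {category} alarms notify nobody")
    return findings


# Constructed operator configuration (not a real profile).
OPERATOR_CONFIG = {
    "All Categories": {"Email Severity": "Error", "SMS/Pager Severity": "None"},
    "Security":       {"Email Severity": "Info", "SMS/Pager Severity": "Critical"},
    "User Action":    {"Email Severity": "None", "SMS/Pager Severity": "None"},
}

# Constructed operational alarms as (category, severity) pairs.
SAMPLE_ALARMS = [
    ("Security", "Critical"),
    ("Security", "Info"),
    ("Communication", "Warning"),
    ("System", "Error"),
    ("User Action", "Critical"),
]

if __name__ == "__main__":
    for category, severity, methods in route_all(OPERATOR_CONFIG, SAMPLE_ALARMS):
        print(f"{category:14s} {severity:9s} -> {methods or 'no notification'}")
    for finding in audit_config(OPERATOR_CONFIG):
        print("audit:", finding)
```

With this configuration a Critical Security alarm is both emailed and paged, a Warning Communication alarm falls below the Error threshold inherited from All Categories, and the audit reports that User Action alarms are silenced entirely, which is the kind of gap worth reviewing before relying on these notifications for an incident.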