05-11-2022 09:34 AM
I see that SNMP queries can be used to discover devices for IoT using XSOAR engines. I also see that it uses CDP/LLDP and gathers ARP and MAC data.
https://docs.paloaltonetworks.com/iot/iot-security-integration/network-management/integrate-iot-secu...
Specifically in the documentation:
The XSOAR engine also queries the entry switch for the IP addresses of neighboring switches on the network. It collects device information from them next and also gets a list of their neighboring switches as well. XSOAR continues collecting device information and learning about other switches until it has queried them all.
What I don't understand is what happens when this engine hits an L3 boundary. Does the discovery continue past/through an MPLS network, or is it simple SNMP queries, and will it fail past a routed MPLS connection, not discovering other networks/routers?
06-14-2022 11:54 AM
Spoke with the dev that made the feature. You configure the SNMP crawl profile, and it will reach out to the switch you configure it for.
From there, it will use LLDP to go switch to switch, up to 5 layers (we can change this if need be). The LLDP discovery gives MAC-to-port binding (so we know which next targets to find), and after the crawler has exhausted LLDP switch discovery, it will then request ARP tables from each switch to populate MAC to IP for IoT.
He doesn't wish to share how the crawler itself functions in the network, but he will show it in a PoC.
You can create multiple SNMP profiles, and will need to for each subnet/segment of the network. That is to say, it won't crawl any L3 boundaries.
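The two-phase procedure in the reply above (a depth-limited LLDP walk from the entry switch, then an ARP-table pull from every switch that was reached) is easy to misread, so here is an added, self-contained model of it. This is example code written for this thread, not Palo Alto Networks' crawler, and the topology, ARP tables and the `snmp_get_*` stand-ins are all constructed; in a real engine those calls would be SNMP walks of the LLDP-MIB and IP-MIB. Two assumptions are labelled in the code: the entry switch counts as layer 0, so "5 layers" means switches at layers 1 through 5 are queried; and one distribution switch is modelled as not answering this SNMP profile, which is one way (in this model, not a finding from the thread) a crawl can end short of the layer limit, as observed further down.

```python
"""Depth-limited LLDP crawl followed by ARP collection (constructed model).

All data below is made up so the example runs offline. The snmp_get_* functions
stand in for real SNMP queries against each switch's management address.
"""
from collections import deque

MAX_LAYERS = 5  # hop limit quoted in the thread; ASSUMPTION: entry switch is layer 0

# Constructed LLDP neighbor tables: switch mgmt IP -> {local port: neighbor mgmt IP}
LLDP = {
    "10.0.0.1": {"Gi1/0/1": "10.0.0.2", "Gi1/0/2": "10.0.0.3"},   # entry switch
    "10.0.0.2": {"Gi1/0/24": "10.0.0.1", "Gi1/0/1": "10.0.0.4"},
    "10.0.0.3": {"Gi1/0/24": "10.0.0.1", "Gi1/0/1": "10.0.0.9"},
    "10.0.0.4": {"Gi1/0/24": "10.0.0.2", "Gi1/0/1": "10.0.0.5"},
    "10.0.0.5": {"Gi1/0/24": "10.0.0.4", "Gi1/0/1": "10.0.0.6"},
    "10.0.0.6": {"Gi1/0/24": "10.0.0.5", "Gi1/0/1": "10.0.0.7"},
    "10.0.0.7": {"Gi1/0/24": "10.0.0.6", "Gi1/0/1": "10.0.0.8"},  # layer 5: last one queried
    "10.0.0.8": {"Gi1/0/24": "10.0.0.7"},                          # layer 6: beyond the limit
    # 10.0.0.9 is deliberately absent: it does not answer this SNMP profile
    # (ASSUMPTION: e.g. a different community/segment), so the crawl stops there.
}

# Constructed ARP tables (ipNetToMedia-style): switch -> {ip: mac}
ARP = {
    "10.0.0.1": {"10.1.0.10": "00:11:22:33:44:10", "10.1.0.11": "00:11:22:33:44:11"},
    "10.0.0.2": {"10.1.0.11": "00:11:22:33:44:11", "10.1.0.12": "00:11:22:33:44:12"},
    "10.0.0.4": {"10.1.0.13": "00:11:22:33:44:13"},
    "10.0.0.7": {"10.1.0.17": "00:11:22:33:44:17"},
    "10.0.0.8": {"10.1.0.18": "00:11:22:33:44:18"},  # never collected: switch beyond limit
}


def snmp_get_lldp_neighbors(switch_ip):
    """Stand-in for an LLDP-MIB walk. None means the switch did not answer the profile."""
    return LLDP.get(switch_ip)


def snmp_get_arp_table(switch_ip):
    """Stand-in for an IP-MIB ipNetToMedia walk; empty if the switch holds no ARP entries."""
    return ARP.get(switch_ip, {})


def crawl_lldp(entry_switch, max_layers=MAX_LAYERS):
    """Phase 1: breadth-first walk over LLDP adjacencies, at most max_layers deep.

    Returns (answered, layer_of, unreachable, beyond_limit):
      answered     switch -> its LLDP neighbor table, for switches that responded
      layer_of     switch -> layer at which it was first named by LLDP
      unreachable  switches LLDP named but that did not answer the SNMP profile
      beyond_limit switches LLDP named but that sit deeper than max_layers
    """
    layer_of = {entry_switch: 0}
    answered, unreachable, beyond_limit = {}, set(), set()
    queue = deque([entry_switch])
    while queue:
        switch = queue.popleft()
        neighbors = snmp_get_lldp_neighbors(switch)
        if neighbors is None:
            unreachable.add(switch)
            continue
        answered[switch] = neighbors
        for peer in neighbors.values():          # port -> peer; the peer is the next target
            if peer in layer_of:
                continue
            next_layer = layer_of[switch] + 1
            if next_layer > max_layers:          # BFS: first sighting is the shallowest path
                beyond_limit.add(peer)
                continue
            layer_of[peer] = next_layer
            queue.append(peer)
    return answered, layer_of, unreachable, beyond_limit


def collect_arp(answered):
    """Phase 2: once LLDP is exhausted, pull every reached switch's ARP table and merge
    into a single MAC -> IP map (entries seen on several switches simply agree here)."""
    mac_to_ip = {}
    for switch in answered:
        for ip, mac in snmp_get_arp_table(switch).items():
            mac_to_ip[mac.lower()] = ip
    return mac_to_ip


def run_crawl(entry_switch, max_layers=MAX_LAYERS):
    """Run both phases and summarise what the crawl could and could not reach."""
    answered, layer_of, unreachable, beyond_limit = crawl_lldp(entry_switch, max_layers)
    return {
        "switches": {s: layer_of[s] for s in answered},
        "unreachable": sorted(unreachable),
        "beyond_limit": sorted(beyond_limit),
        "mac_to_ip": collect_arp(answered),
    }


if __name__ == "__main__":
    for key, value in run_crawl("10.0.0.1").items():
        print(f"{key}: {value}")
```

Running it from the entry switch with the default limit reaches seven switches (layers 0 to 5), lists 10.0.0.9 as unreachable and 10.0.0.8 as beyond the limit, and the merged ARP map holds only hosts seen behind switches that were actually queried; lowering `max_layers` to 1 shows the limit truncating the walk at the first distribution layer instead. Either stop condition leaves a gap in IoT inventory, which is why the reply says a separate profile is needed per segment.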
06-13-2022 05:58 PM
I know the engineer that got this feature built during a PoC. He is on vacation but I've sent this his way to get clarification for you. Will follow up when he does.
06-14-2022 10:52 AM
I also wonder how far it goes switch wise. Does it stop at the distribution switch, or does it go to the access layer switch, and what triggers it to go further?
06-15-2022 06:32 AM
I've noticed in some cases it never gets past the distribution switch, which is not 5 hops away. Seems like it stops there, while in others it goes all the way down to the access switch. Just not sure what would cause that.
Either way, that is spectacular feedback. Thank you @LAYER_8