IOT SNMP Queries using Xsoar and L3

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

IOT SNMP Queries using Xsoar and L3

L4 Transporter

I see that snmp queries can be used to discover devices for IOT using xsoar engines.  I also see that it uses cdp lldp and gathers arp and mac data.

https://docs.paloaltonetworks.com/iot/iot-security-integration/network-management/integrate-iot-secu...

Specifically in the documentation:

The XSOAR engine also queries the entry switch for the IP addresses of neighboring switches on the network. It collects device information from them next and also gets a list of their neighboring switches as well. XSOAR continues collecting device information and learning about other switches until it has queried them all.



What I don't understand is what happens when this engine hits a L3 boundary.  Does the discovery continue past/through an MPLS network, or is it simple snmp queries, and will it fail past a routed MPLS connection, not discovering other networks/routers?


1 accepted solution

Accepted Solutions

L5 Sessionator

Spoke with the dev that made the feature. You configure the snmp crawl profile, it will reach out to that switch you configure it for. 

 

From there, it will use LLDP to go switch to switch, up to 5 layers (we can change this if need be). The LLDP discovery gives MAC to port binding (so we know which next targets to find), and after the crawler has exhausted LLDP switch discovery, it will then request ARP tables from each switch to populate MAC to IP for IoT. 

 

He doesn't wish to share how the crawler itself functions in the network, but, that he will show it in PoC. 

 

You can create multiple SNMP profiles, and will need to for each subnet/segment of the network. That is to say, it won't crawl any L3 boundaries. 

Help the community! Add tags and mark solutions please.

View solution in original post

4 REPLIES 4

L5 Sessionator

I know the engineer that got this feature built during a PoC. He is on vacation but I've sent this his way to get clarification for you. Will follow up when he does. 

Help the community! Add tags and mark solutions please.

@LAYER_8 

 

I also wonder how far it goes switch wise.   Does it stop at the distribution switch, or does it go to the access layer switch, and what triggers it to go further?

L5 Sessionator

Spoke with the dev that made the feature. You configure the snmp crawl profile, it will reach out to that switch you configure it for. 

 

From there, it will use LLDP to go switch to switch, up to 5 layers (we can change this if need be). The LLDP discovery gives MAC to port binding (so we know which next targets to find), and after the crawler has exhausted LLDP switch discovery, it will then request ARP tables from each switch to populate MAC to IP for IoT. 

 

He doesn't wish to share how the crawler itself functions in the network, but, that he will show it in PoC. 

 

You can create multiple SNMP profiles, and will need to for each subnet/segment of the network. That is to say, it won't crawl any L3 boundaries. 

Help the community! Add tags and mark solutions please.

I've noticed in some cases it never gets past the distribution switch, that is not 5 hops away.   Seems like it stops there, while others it goes all the way down to the access switch.  Just not sure what would cause that.

Either way- that is spectacular feedback.  Thank you @LAYER_8 

  • 1 accepted solution
  • 2216 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!