Nectus installation

How to install SSL Certificate for Nectus GUI


This guide explains how to generate a CSR and install a commercial SSL certificate for Apache on Windows so that you can access your Nectus GUI page securely via HTTPS.

It assumes that during Nectus installation you selected the default location, which is C:\Program Files\Nectus.

If you installed Nectus in a different folder, make sure to adjust the commands and locations given in this guide accordingly.

In general, for a website to be accessible over a secure HTTPS connection, the web server must have a public and private key pair configured.

The public key must be signed by a trusted Certificate Authority and added to a digital SSL certificate.

To obtain that certificate, you will need to send a certificate signing request (CSR) to your SSL provider. Follow the instructions below:

Generating CSR using OpenSSL

1. On your Windows server, press Win+R, enter cmd and hit OK.

2. Enter the following command to run OpenSSL: "C:\Program Files\Nectus\Web\Apache24\bin\openssl.exe"

3. The prompt will change to OpenSSL>. This means we can run OpenSSL commands now.

To generate a new CSR/key pair for your future SSL certificate, execute the following command:

req -new -newkey rsa:2048 -nodes -keyout "C:\Program Files\Nectus\Web\Apache24\conf\yourdomain.key" -out "C:\Program Files\Nectus\Web\Apache24\conf\yourdomain.csr" -config "C:\Program Files\Nectus\Web\Apache24\conf\openssl.cnf"

 

4. You will be prompted to enter certain information related to your domain.

Comments for each field are given after the // sign.

Country Name (2 letter code) [AU]:US // enter the ISO 3166-2 compliant country code here

State or Province Name (full name) [Some-State]:California // the field for the state

Locality Name (eg, city) []:Los Angeles // the field for the city

Organization Name (eg, company) [Internet Widgits Pty Ltd]:NA // the name of your company. If you do not have a company or do not wish to indicate it, simply put NA

Organizational Unit Name (eg, section) []:NA // a department of your company. NA can be used here

Common Name (e.g. server FQDN or YOUR name) []:example.com // this is the field for your domain

Email Address []:. // this field is not required generally so you can leave it blank

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:. // can be left blank

An optional company name []:. // can be left blank

 

5. Once done, the C:\Program Files\Nectus\Web\Apache24\conf\ directory will have two new files, the file with the CSR code (.csr) and the file with the private key (.key).

We’ll leave the private key for the time being. The CSR code has to be provided to your certificate vendor — this code is the base for your commercial SSL certificate.

Please contact your SSL vendor for instructions on SSL activation.

6. When the SSL certificate is issued, you should receive at least two files: the SSL certificate in a .crt (or .pem, .cer) file, and the CA bundle (also called intermediate CA or root CA certificates) with an extension such as .ca-bundle or .crt.

Please note that Apache accepts only PEM-encoded certificates, so PKCS#7 or PKCS#12 encoded certificates won't work.

Configuring SSL for Apache

7. Upload those files to the C:\Program Files\Nectus\Web\Apache24\conf\ directory.

8. Then, go to the C:\Program Files\Nectus\Web\Apache24\conf\extra folder, and open the httpd-ssl.conf file in Notepad.

9. Find and edit the following directives and make sure that they point to the SSL certificate, Private Key, and the CA-bundle files accordingly:

 

SSLCertificateFile "${SRVROOT}/conf/yourdomain.crt"

SSLCertificateKeyFile "${SRVROOT}/conf/yourdomain.key"

SSLCACertificateFile "${SRVROOT}/conf/yourdomain.ca-bundle"

 

Note that the SSLCACertificateFile directive is commented out by default. Delete the # sign at the beginning of the line to uncomment the directive.

10. Save the configuration file

11. Return to the C:\Program Files\Nectus\Web\Apache24\bin folder and double-click ApacheMonitor.exe

 

12. The ApacheMonitor app will appear in the system tray at the lower right corner of your screen. Find and click it there.

13. Hit “Restart”

 

14. Now you can try accessing your Nectus GUI page in the browser via HTTPS: https://yourdomain.com
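Before restarting Apache in steps 11-13, the three files referenced in httpd-ssl.conf can be checked against the PEM-only requirement from step 6. The script below is an added example, not part of the original guide or of Nectus; the sample inputs are constructed placeholders rather than real certificates, and the helper names are hypothetical.

```python
import base64
import re

# A PEM block is base64-encoded DER between BEGIN/END lines carrying a label.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)
# Step 3 uses -nodes, so the key file is expected to hold an unencrypted key.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def pem_labels(data: bytes) -> list:
    """Return the labels of all well-formed PEM blocks in data, in file order."""
    labels = []
    for label, body in PEM_BLOCK.findall(data):
        der = base64.b64decode(b"".join(body.split()), validate=True)
        if der[:1] != b"\x30":  # certificates and keys are ASN.1 SEQUENCEs
            raise ValueError("PEM body is not ASN.1 DER")
        labels.append(label.decode("ascii"))
    return labels

def check_apache_files(crt: bytes, key: bytes, bundle: bytes) -> list:
    """Check the three files named in httpd-ssl.conf; return a list of problems."""
    problems = []
    for role, data, allowed in (
        ("SSLCertificateFile", crt, {"CERTIFICATE"}),
        ("SSLCertificateKeyFile", key, KEY_LABELS),
        ("SSLCACertificateFile", bundle, {"CERTIFICATE"}),
    ):
        labels = pem_labels(data)
        if not labels:  # binary DER, PKCS#7 and PKCS#12 files all start with 0x30
            kind = "binary ASN.1" if data[:1] == b"\x30" else "unrecognised"
            problems.append(f"{role}: not PEM ({kind} data)")
        for bad in sorted(set(labels) - allowed):
            problems.append(f"{role}: unexpected PEM block '{bad}'")
    return problems

def _pem(label: str, der: bytes) -> bytes:
    """Build a constructed PEM block (placeholder bytes, not a real certificate)."""
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n".encode()

# Constructed sample inputs: valid PEM wrappers around dummy DER bytes.
FAKE_DER = b"\x30\x82\x01\x0a" + bytes(266)
GOOD = (_pem("CERTIFICATE", FAKE_DER), _pem("PRIVATE KEY", FAKE_DER),
        _pem("CERTIFICATE", FAKE_DER) + _pem("CERTIFICATE", FAKE_DER))
BAD = (_pem("PKCS7", FAKE_DER), _pem("ENCRYPTED PRIVATE KEY", FAKE_DER), FAKE_DER)

if __name__ == "__main__":
    for line in check_apache_files(*BAD) or ["all files are PEM"]:
        print(line)
```

This checks encoding only; it does not confirm that the private key matches the issued certificate.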

Device View Auto Population Rules


A Device View is a logical grouping of devices that can be used in different places within the Nectus application. In previous versions of Nectus, users had to add devices to device views manually, which could become a significant management overhead.

In Nectus version 1.55 we introduced the ability to automatically populate device views based on specific conditions such as device names, types, etc.

Users can define a set of conditions that must be true for Nectus to automatically add devices to device views.

This article will guide you through the process of defining the auto population rules for device views.

To access your SNMP Device Views, go to Inventory -> Views -> SNMP Device View

 

 

To add a new Device View, click Create in the upper right hand corner of the SNMP Devices Views page.

 

Give a name to your new Device View.

 


Press the Save button to finish creating the Device View.

 

Open the newly created device view again and, in the upper right-hand corner, select Edit Rules.

This will open the Devices View Auto Population Rules page.

 

Select the plus sign to add a new Auto Population Rule.

 

Add all the required auto population rules and press the Ok button to save.

If multiple rules are defined, all of the rules must be TRUE for a device to be added automatically (logical AND).

Your rules will be processed daily at 3:00 PM.

If you would like to apply your rules immediately, press the Apply Rules button.

 

ClickHouse DB Installation for Nectus Netflow & Syslog Storage


Requirements: Ubuntu Server 18.04.2 LTS (with SSH access)

NOTE: Although ClickHouse can be installed on several different flavors of Linux, Ubuntu Server 16.04 & 18.04 are the only supported Linux distributions for Nectus at this point.

More information about installation on other OS’s can be found here: https://clickhouse.yandex/docs/en/getting_started/

Step 1

Import the public key:

sudo apt-get update

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv C8F1E19FE0C56BD4

NOTE: It is recommended to import the public key if it's a fresh Ubuntu install.

Otherwise you may get the following error when adding the repository: GPG error: http://repo.yandex.ru/clickhouse/deb/stable main/ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY C8F1E19FE0C56BD4

Optional commands to run:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv E0C56BD4

Step 2

Create Clickhouse repository:

sudo apt-get install dirmngr

sudo apt-add-repository "deb http://repo.yandex.ru/clickhouse/deb/stable/ main/"

NOTE: Please edit the sources.list file if you receive the following error:

"E: Malformed entry 55 in list file /etc/apt/sources.list".

Delete the entry XX and save/exit the file. Perform the update (and upgrade if you wish):

sudo apt-get update

Step 3

Get the packages list for the latest updates and the dependencies:

sudo apt-get update && sudo apt-get upgrade

Step 4

Download and Install the ClickHouse packages:

sudo apt-get install -y clickhouse-server clickhouse-server-common clickhouse-client

sudo apt-get install --allow-unauthenticated clickhouse-server-common clickhouse-client clickhouse-server

Step 5

Start the Clickhouse server as a daemon:

sudo service clickhouse-server start

Step 6

Now that we have installed the ClickHouse, it is time to test:

NOTE: TCP ports 8123 & 9000 must be open.

Start the Client:

clickhouse-client

Step 7

Create the Netflow/Syslog database.

In this example we are creating the netflow database named NETFLOW (database name is arbitrary):

clickhouse-client

create database NETFLOW

Step 8

We will now add the ClickHouse internal user "root" with password "nectus" to the users.xml file located at: /etc/clickhouse-server/users.xml

NOTE: Paste the snippet below starting at line 31, after "<users>", in the users.xml file. You can use the vi or nano text editor to edit the file. WinSCP can also be used to accomplish this task. If needed, change the file owner with "sudo chown -R xxxx users.xml", where "xxxx" is the user that will take over ownership of the file.

<root>

<password>nectus</password>

<networks incl="networks" replace="replace">

<ip>::/0</ip>

</networks>

<profile>default</profile>

<quota>default</quota>

</root>

Save the file and exit.

Step 9

Restart the ClickHouse Server:

sudo service clickhouse-server restart

Step 10

Now that the ClickHouse Server has been restarted, we can start the ClickHouse client using the internal user that we created in step 8:

clickhouse-client --user root --password nectus

Step 11

We have completed the ClickHouse installation. This last step requires login to Nectus to finish the Netflow/Syslog integration.

Open the “Nectus Settings -> General Settings -> Netflow Integration” page

Enter the required information and click Test DB Connection (Remote Server IP is the IP address of the Ubuntu/ClickHouse server). The result should be “Test DB Connection OK”

Click “Run Integration Scripts” and finally Save.

 

Step 12

Restart Nectus NetFlow and Syslog Services.
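The user entry added in Step 8 stores its password in clear text and accepts connections from any address (::/0). The script below is an added example, not part of the original article or of ClickHouse, that audits a users.xml for both settings and shows a hashed, address-restricted entry for comparison; the user name nectus_svc, its passphrase, the IP 192.0.2.10 and the <yandex> root element are assumptions made for the sample.

```python
import hashlib
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the <root> user exactly as added in Step 8, next to a
# hypothetical hardened user "nectus_svc" (name, passphrase and IP are made up).
HASH = hashlib.sha256(b"constructed-sample-passphrase").hexdigest()
USERS_XML = f"""<yandex>
  <users>
    <root>
      <password>nectus</password>
      <networks incl="networks" replace="replace">
        <ip>::/0</ip>
      </networks>
      <profile>default</profile>
      <quota>default</quota>
    </root>
    <nectus_svc>
      <password_sha256_hex>{HASH}</password_sha256_hex>
      <networks>
        <ip>192.0.2.10</ip>
      </networks>
      <profile>default</profile>
      <quota>default</quota>
    </nectus_svc>
  </users>
</yandex>"""

def audit_users(xml_text: str) -> list:
    """Return (user, finding) pairs for weak credential or network settings."""
    findings = []
    for user in ET.fromstring(xml_text).find("users"):
        pw = user.find("password")
        if pw is not None:  # <password> holds the secret in clear text
            kind = "PLAINTEXT_PASSWORD" if (pw.text or "").strip() else "EMPTY_PASSWORD"
            findings.append((user.tag, kind))
        elif not any(child.tag.startswith("password_") for child in user):
            findings.append((user.tag, "NO_PASSWORD_ELEMENT"))
        for ip in user.iterfind("networks/ip"):
            net = ipaddress.ip_network(ip.text.strip(), strict=False)
            if net.prefixlen == 0:  # ::/0 or 0.0.0.0/0 accepts any client address
                findings.append((user.tag, f"OPEN_NETWORK {net}"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_users(USERS_XML):
        print(f"{user}: {finding}")
```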

Nectus Installation Procedure


Server Requirements: Windows Server 2012 or newer. 8GB of RAM.

1. File Preparation

Start by downloading the Nectus distribution file from www.nectus5.com

Download the ZIP file called Nectus 1.2.51.zip and extract it to a temporary folder.

In the folder you will find two files:

 

Keep the htdocs.zip file compressed. Start the installation by launching the file Nectus Setup 1.2.51.exe

2. Nectus Installation

Accept the license agreement on the first page.

 

Choose an application installation folder.

 

Choose whether you want Nectus to discover Network devices or not.

 

If you selected “Yes” for the Network Device Discovery, specify the version of the SNMP protocol.

 

Then specify SNMP credentials.

 

Specify up to 10 IP Subnets where Nectus will be performing Network Discovery.

 

 

Setup an Administrator account.

 

Then click install, which will automatically complete installation.

 

When the installation is complete, you will see the following page.

 

After you click Finish, the Nectus login page will come up, where you need to provide the credentials of the admin account you created during Installation.

 

When you log into Nectus, you will see a Network Discovery Progress page.

 

Click “OK” to close it.

3. License Generation

Next, the license page will come up.

If you do not have a permanent license ready, click the “Generate Temporary License” button.

 

Complete the “Temporary License” Form and press the “Generate Temporary License” button.

The Nectus server must have Internet access to successfully generate the temporary license.

After the temporary license is generated, Nectus is fully operational and ready to be used.

 

Challenges with deploying SNMP v3 based monitoring tools in diverse environments


One of the biggest challenges with SNMP v3 deployments in diverse environments is the lack of consensus among hardware manufacturers on which set of privacy ciphers has to be supported in a standard SNMP v3 stack.

Even Cisco was unable to unify the list of supported v3 ciphers across its product lines (ASA vs NX-OS vs IOS-XR).

This was caused partly by the lack of an RFC defining AES-192 and AES-256 implementations for SNMP v3, which didn't stop top-tier hardware vendors from implementing those ciphers internally, and partly by the slow v3 adoption rate, which put very little pressure on hardware vendors.

In any case, it is very unlikely that you will be able to pick a single set of SNMP v3 authentication/encryption parameters that is supported on all of the devices in a good-sized enterprise network. As a result, you have to use and support different encryption ciphers on different devices and, most importantly, your network monitoring tool must support multiple SNMP profiles based on device type. Your monitoring tool has to discover which SNMP profile is compatible with each device, "remember" it and use only compatible SNMP parameters when communicating with that device.

Nectus is the only tool that was built from the ground up with support for device-specific SNMP profiles, and it deploys patented discovery logic that allows it to match a compatible SNMP profile to each device in sub-seconds. Nectus supports up to 1000 SNMP profiles and is used by multiple customers with 10K+ routers.
