Akamai Guardicore Segmentation User Guide

Centra Security Platform 5.0
Release 39

User Manual
Contents
HOW CENTRA WORKS.................................................................................................................................... 11
AGENTS COLLECT INFORMATION ON YOUR IT INFRASTRUCTURE ..................................................................................... 11
AUTOMATED LABELING OF YOUR ASSETS ................................................................................................................... 11
A COMPREHENSIVE VISUAL MAP OF YOUR ENTIRE IT INFRASTRUCTURE........................................................................... 11
INCIDENT REPORTS AND LOGS.................................................................................................................................. 12
SEAMLESS INTEGRATION WITH ANY PLATFORM ........................................................................................................... 12
CORE CAPABILITIES ................................................................................................................................................ 12
ARCHITECTURE .............................................................................................................................................. 14
CENTRA COMPONENTS .................................................................................................................................. 15
MANAGEMENT SERVER .......................................................................................................................................... 15
AGGREGATORS ..................................................................................................................................................... 15
COLLECTORS......................................................................................................................................................... 15
AGENTS............................................................................................................................................................... 16
DECEPTION SERVER ............................................................................................................................................... 16
How it Works................................................................................................................................................ 16
SUPPORTED PLATFORMS ............................................................................................................................... 17
Supported Hypervisors for ESX Collectors .................................................................................................... 17
Supported Public Clouds............................................................................................................................... 17
Supported Systems ....................................................................................................................................... 17
Intelligence sharing export protocols ........................................................................................................... 17
Browsers for web console ............................................................................................................................ 17
SYSTEM AND MEMORY REQUIREMENTS ....................................................................................................... 17
Management Server .................................................................................................................................... 17
Deception Server .......................................................................................................................................... 17
Aggregator ................................................................................................................................................... 17
Collector ....................................................................................................................................................... 17
CENTRA UI HOME .......................................................................................................................................... 18
DASHBOARD .................................................................................................................................................. 20
ADMIN (USER) MENU .................................................................................................................................... 26
MENU OPTIONS.................................................................................................................................................... 26
Change Password ......................................................................................................................................... 26
Manage 2-Step Verification ......................................................................................................................... 26
End User License Agreement ........................................................................................................................ 27
Help .............................................................................................................................................................. 28
Release Notes............................................................................................................................................... 28
Log out ......................................................................................................................................................... 28
Version Info .................................................................................................................................................. 28
REVEAL .......................................................................................................................................................... 29
REVEAL ARCHITECTURE .......................................................................................................................................... 30
LABELS ............................................................................................................................................................... 30
What Kind of Labels Can You Create? ......................................................................................................... 31
SEGMENTATION RULES .......................................................................................................................................... 31
Override Rules .............................................................................................................................................. 32
Allow Rules ................................................................................................................................................... 32
Alert Rules .................................................................................................................................................... 32
Block Rules ................................................................................................................................................... 32
FLOW MATCHING ORDER ...................................................................................................................................... 33
EXPLORE.............................................................................................................................................................. 34
TOOLBAR ............................................................................................................................................................. 35
MAP ICONS AND FLOW TYPES ................................................................................................................................. 38
Icons Used in Reveal .................................................................................................................................... 38
LABELED ASSETS INFORMATION ............................................................................................................................... 38
CONNECTION INFORMATION ................................................................................................................................... 39
PROCESS INFORMATION ......................................................................................................................................... 39
ASSET INFORMATION ............................................................................................................................................ 40
SUBNET INFORMATION .......................................................................................................................................... 40
FLOW COLOR SCHEMES ......................................................................................................................................... 41
Reveal Map Color Scheme .......................................................................................................................... 41
Policy Overlay Map Color Scheme ............................................................................................................... 41
NATIVE DOCKER VISIBILITY IN REVEAL MAPS ............................................................................................................... 42

LABELS .................................................................................................................................................. 43
OVERVIEW ......................................................................................................................................................... 43
HOW LABELS ARE BUILT ........................................................................................................................................ 44
EXPLICIT LABELS AND DYNAMIC LABELS ................................................................................................................... 44
CREATING LABELS ................................................................................................................................................ 44
LABELING SCHEME EXAMPLE .................................................................................................................................. 46
HOW REVEAL DISPLAYS THE LABELING HIERARCHY ...................................................................................................... 47
LABEL DATA SOURCES ............................................................................................................................................ 48
COMPARE LABEL IMPORTING METHODS .................................................................................................................... 49
WORKING WITH REVEAL MAPS ..................................................................................................................... 50
WORKING WITH MAPS WITH UNLABELED ASSETS ....................................................................................................... 50
WORKING WITH MAPS WITH LABELED ASSETS ........................................................................................................... 51
Selecting Assets to Display More Information ............................................................................................ 51
DRILLING DOWN .................................................................................................................................................. 53
DISPLAYING CONNECTION INFORMATION .................................................................................................................. 55
FILTERING THE MAP .............................................................................................................................................. 56
Filtering the Map Using the Filter Button ................................................................................................... 56
Right-click a Connection to Filter by Source and Destination ..................................................................... 57
Filter Options for a Selected Item ............................................................................................................... 58
DISPLAYING FLOWS TABLE VIEW ............................................................................................................................. 58
DISPLAYING ASSET PROCESSES ................................................................................................................................ 59
CREATING FLOW POLICIES FROM REVEAL MAPS ......................................................................................................... 60
Creating an Allow rule for individual IPs/Assets and Subnets ...................................................................... 61
BUILDING A MICRO-SEGMENTATION POLICY .............................................................................................................. 62
SAVED MAPS ................................................................................................................................................. 64
OVERVIEW .......................................................................................................................................................... 64
SCHEDULED DAILY/HOURLY MAPS .......................................................................................................................... 64
DEFAULT MAP DISPLAY ......................................................................................................................................... 64
CREATE A NEW REVEAL MAP .................................................................................................................................. 66
POLICY RULES ................................................................................................................................................ 68
MATCHING ORDER................................................................................................................................................. 69
POLICY LEARNING MODE ............................................................................................................................... 70
POLICY SUGGESTIONS TAB IN THE REVEAL MAP POLICY EDITOR OVERLAY ........................................................................ 70
Creating or Dismissing Individual Rules ....................................................................................................... 72
Viewing More Information for a Suggested Rule ......................................................................................... 74
Policy Rules Tab............................................................................................................................................ 74
Dismissed Rules Tab ..................................................................................................................................... 75
POLICY ........................................................................................................................................................... 76
CREATE POLICY .............................................................................................................................................. 77
TEMPLATES .......................................................................................................................................................... 77
CREATING POLICIES WITH THE CREATE POLICY SCREEN ................................................................................................. 77
Step 1: Configure an Application Label Key (Recommended) ..................................................................... 77
Step 2: Select a Template to Achieve your Security Goal. ........................................................................... 78
Step 3: Select the Assets to be secured. ...................................................................................................... 81
Step 4: Refine the Policy .............................................................................................................................. 83
LABEL GROUPS............................................................................................................................................... 85
EXCLUDE ASSETS FROM A LABEL GROUP .................................................................................................................... 85
CREATE A LABEL GROUP ......................................................................................................................................... 85
USE LABEL GROUPS IN POLICY ................................................................................................................................. 86
LABEL GROUPS ARE PART OF POLICY REVISIONS .......................................................................................................... 86
POLICY RULES SCREEN ................................................................................................................................... 87
Creating Policy Rules ................................................................................................................................... 88
Filtering the List of Rules ............................................................................................................................. 91
Bulk Operations ........................................................................................................................................... 92
Using the Hit Counter to Reformulate Policy Rules ..................................................................................... 92
Role Based Access ........................................................................................................................................ 94
REVISIONS ..................................................................................................................................................... 96
USER GROUPS ................................................................................................................................................ 98
IMPORTANT RESTRICTIONS REGARDING USER GROUPS ................................................................................................. 98
USER GROUPS AND THE MICROSOFT ACTIVE DIRECTORY .............................................................................................. 98
CREATING USER GROUPS ........................................................................................................................................ 99
Step 1: Create Groups on an Active Directory Domain Controller................................................................ 99
Step 2: Configure AD Integration with Centra.............................................................................................. 99
Step 3: Add a New User Group to Centra ................................................................................................... 101
INCLUDING A USER GROUP IN AN ALLOW RULE ......................................................................................................... 102
FILTERING THE NETWORK LOG BY USER IDENTITY ...................................................................................................... 103
FILTERING THE REVEAL MAP BY USER...................................................................................................................... 104
SPECIAL BEHAVIOR FOR SMB RULES AND CONNECTIONS ............................................................................................ 105
How Windows Handles SMB Connections and its Effect on User Identity ................................................. 105
How Centra Handles SMB Connections and its Effect on Policy ................................................................. 106
PROJECTS SCREEN ........................................................................................................................................ 107
INCIDENTS ................................................................................................................................................... 109
TYPES OF SECURITY INCIDENTS AND PREDEFINED FILTERS ........................................................................................... 109
INCIDENT DETAILS .............................................................................................................................................. 109
Acknowledging an Incident ....................................................................................................................... 109
Acknowledging Multiple Incidents at Once ............................................................................................... 110
ALL INCIDENTS SCREEN ................................................................................................................................ 111
INTEGRITY VIOLATIONS INCIDENTS (FIM) .................................................................................................... 113
Integrity Violations Incident Screen Areas ................................................................................................. 113
LATERAL MOVEMENT (DECEPTION) ............................................................................................................. 114
INCIDENT REPORT ............................................................................................................................................... 114
Left Side of the Report .............................................................................................................................. 115
Report Tabs ............................................................................................................................................... 116
TABS DISPLAYED ONLY WHEN RELEVANT INFO EXISTS ............................................................................................... 118
ACKNOWLEDGE BUTTON ..................................................................................................................................... 118
IOC TYPES EXPORTED BY CENTRA .......................................................................................................................... 118
NETWORK SCANS INCIDENTS ....................................................................................................................... 119
POLICY VIOLATIONS INCIDENTS ................................................................................................................... 119
INCIDENT SCREEN ................................................................................................................................................ 120
Incident Screen Areas and Buttons ............................................................................................................ 121
ASSETS ......................................................................................................................................................... 125
ASSET DASHBOARD ............................................................................................................................................. 125
MULTI TENANT SUPPORT...................................................................................................................................... 127
Tenant configuration ................................................................................................................................. 127
NETWORK LOG AND POLICY CREATION ....................................................................................................... 130
Export to CSV.............................................................................................................................................. 136
Temporary Storage in Saved Maps ............................................................................................................ 136
INTEGRITY VIOLATIONS LOG ........................................................................................................................ 137
LABELS LOG.................................................................................................................................................. 138
REDIRECTIONS LOG ...................................................................................................................................... 138
REPUTATION LOG ........................................................................................................................................ 139
INSIGHT ....................................................................................................................................................... 140
OS SUPPORT ...................................................................................................................................................... 140
RUNNING A QUERY.............................................................................................................................................. 140
QUERY EXAMPLES ............................................................................................................................................... 143
Example 1: Get logged on users ................................................................................................................. 143
Example 2: Top 5 processes by resident memory size ................................................................................ 144
Example 3: List all the patches applied (Windows) .................................................................................... 144
INSIGHT SCHEDULED QUERIES ..................................................................................................................... 145
EXAMPLE 1: DETECT SECURITY VIOLATIONS.............................................................................................................. 145
EXAMPLE 2: ENSURE COMPLIANCE ......................................................................................................................... 145
CREATE OR EDIT A QUERY ..................................................................................................................................... 146
USING FILTERS FOR SCHEDULE QUERIES................................................................................................................... 148
INSPECTION POLICY ..................................................................................................................................... 149
INNOCENT FAILED CONNECTIONS ........................................................................................................................... 149
Rule Fields .................................................................................................................................................. 150
DETECTORS .................................................................................................................................................. 150
REPUTATION SERVICES ................................................................................................................................ 151
Reputation Services for Files, IP Addresses and Domain Names................................................................ 152
Sample Reputation Incidents ..................................................................................................................... 152
Configure Reputation Services ................................................................................................................... 153
Configure Trusted Indicators ...................................................................................................................... 153
Classify specific IPs as Internal IPs.............................................................................................................. 154
Classify Specific Domains as Legitimate ..................................................................................................... 155
Advanced ................................................................................................................................................... 156
Turning Off Reputation Services................................................................................................................. 156
Customer IoCs Integrated into Guardicore Reputation Services ................................................................ 157
FILE INTEGRITY MONITORING (FIM)............................................................................................................. 157
What is File Integrity Monitoring? ............................................................................................................. 157
FIM is a Mandatory Compliance Requirement........................................................................................... 157
FIM Capabilities in Centra .......................................................................................................................... 157
Supported Operating Systems.................................................................................................................... 157
ACTIVATING FIM ................................................................................................................................................ 157
Monitor File Changes ................................................................................................................................. 159
FILE INTEGRITY LOG ............................................................................................................................................. 159
INTEGRITY VIOLATIONS INCIDENTS .......................................................................................................................... 159
AGENT MODULE: DETECTION ................................................................................................................................ 160
STALE HASHES CLEANUP ....................................................................................................................................... 161
CUSTOMER THREAT FEEDS INTEGRATION .................................................................................................... 161
SUPPORTED INDICATORS OF COMPROMISE TYPES ...................................................................................................... 161
File IoCs ...................................................................................................................................................... 161
IP IoCs ......................................................................................................................................................... 162
GUARDICORE THREAT INTELLIGENCE FIREWALL .......................................................................................... 162
GUARDICORE THREAT INTELLIGENCE LABELS ............................................................................................................. 162
VERIFYING THAT THE THREAT INTELLIGENCE FIREWALL IS FUNCTIONING ......................................................................... 164
REVIEWING WHAT WAS BLOCKED/ALERTED BY THE THREAT INTELLIGENCE FIREWALL ....................................................... 164
DISABLING THE DAILY UPDATES ............................................................................................................................. 164
CHANGING THE RULES FROM BLOCK TO ALERT .......................................................................................................... 164
RECEIVING A BLOCKING ALERT CONCERNING A MALICIOUS IP...................................................................................... 165
REMOVING AN IP FROM THE LIST ........................................................................................................................... 165
PREVENTING THE BLOCKING OF INTERNAL IPS ........................................................................................................... 165
MITIGATION & IOCS ..................................................................................................................................... 165
AGGREGATORS ........................................................................................................................................... 168
AGGREGATORS AND AGENTS ................................................................................................................................ 168
AGGREGATORS SCREEN ....................................................................................................................................... 168
Configuration Options .............................................................................................................................. 170
OVERRIDE CONFIGURATION OPTION ...................................................................................................................... 171
AGGREGATOR CLI .............................................................................................................................................. 173
COLLECTORS ............................................................................................................................................... 175
TYPES OF COLLECTORS ......................................................................................................................................... 175
SPAN Collector .......................................................................................................................................... 177
VPC Flow Logs Collector ............................................................................................................................ 178
Additional Information About the AWS VPC Flow Logs Collector .............................................................. 178
DECEPTION SERVERS.................................................................................................................................... 180
How does Deception work?........................................................................................................................ 180
Deception Server features .......................................................................................................................... 180
DECEPTION: UPDATED LOGIC AND BEHAVIOR ........................................................................................................... 181
COMPONENT DIAGNOSTICS AND UI CONTROLS .......................................................................................... 181
DISPLAY A LIST OF RUNNING SERVICES FOR EACH COMPONENT .................................................................................... 181
CONTROL THE AGENT FROM THE UI ........................................................................................................................ 181
AGENTS ...................................................................................................................................................... 182
Agent Modules ........................................................................................................................................... 182
AGENT CONNECTIONS ......................................................................................................................................... 183
AGENTS SCREEN .......................................................................................................................................... 184
Agents Screen Columns ............................................................................................................................. 184
Note: Temporary Disappearance of Agents from the Agents Screen ........................................................ 186
Agents Flags .............................................................................................................................................. 186
MORE BUTTON ............................................................................................................................................ 193
GET AGENT DIAGNOSTICS ............................................................................................................................ 194
ENFORCEMENT MONITORING MODES ......................................................................................................... 195
MONITORING MODE ........................................................................................................................................... 195
REVEAL ONLY MODE ........................................................................................................................................... 195
ENFORCING MODE .............................................................................................................................................. 195
DISABLED .......................................................................................................................................................... 196
AGENT ROAMING: ENFORCEMENT MODE OUTSIDE OFFICE ......................................................................................... 197
DELETING AGENTS FROM THE SYSTEM ........................................................................................................ 199
Deleting Agent files after Uninstall ............................................................................................................ 199
REMOTE AGENT UPGRADE .......................................................................................................................... 200
Upgrading Agents from the Agents Screen ............................................................................................... 200
INSTALLATION PROFILES .............................................................................................................................. 202
Installation Profiles List ............................................................................................................................. 202
Default Installation Profile ........................................................................................................................ 203
Create a New Profile ................................................................................................................................. 203
Agent Installation ..................................................................................................................................... 204
Install Windows Agent with an Installation Profile ................................................................................... 205
Install a Linux Agent with an Installation profile ...................................................................................... 205
Edit an Installation Profile ......................................................................................................................... 205
Reset Configuration to Profile ................................................................................................................... 205
AGENTS LOG ................................................................................................................................................ 207
Free Text Search Tool ................................................................................................................................. 208
DATA CENTER .............................................................................................................................................. 209
DEPLOYMENT .............................................................................................................................................. 209
ORCHESTRATIONS ....................................................................................................................................... 210
SUPPORT FOR MULTIPLE ORCHESTRATIONS ............................................................................................................... 210
AWS ORCHESTRATION ................................................................................................................................ 211
MANAGING AWS ACCESS .................................................................................................................................... 211
EC2 IAM Role .............................................................................................................................................. 211
GUARDICORE DELEGATE ACCESS ............................................................................................................................ 211
CUSTOMER CREDENTIALS...................................................................................................................................... 211
AWS Policy definition ................................................................................................................................. 211
STARTING AWS ORCHESTRATION CONFIGURATION .................................................................................................. 212
CONFIGURING AWS AUTHENTICATION ................................................................................................................... 212
Configuring EC2 IAM Role Authentication ................................................................................................ 213
Configuring Guardicore Delegate Access Authentication ......................................................................... 213
Configuring Customer Credentials Authentication ................................................................................... 213
Creating an AWS IAM role ........................................................................................................................ 214
ORCHESTRATION INFORMATION APPEARS ON THE ASSETS PAGE ................................................................................ 214
AZURE ORCHESTRATION .............................................................................................................................. 215
HOW TO CONFIGURE AZURE ORCHESTRATION .......................................................................................................... 215
Configure a read-only user in the Azure account ....................................................................................... 215
Add permissions to application user .......................................................................................................... 215
Configure Azure orchestration in the Centra management ....................................................................... 215
Important notes ......................................................................................................................................... 215
F5 INTEGRATION .......................................................................................................................................... 217
CONFIGURATION AND SETUP ................................................................................................................................ 217
Stage 1: Guardicore IPFIX Collector Installation ....................................................................................... 217
Stage 2: Specify Orchestration Parameters in Centra ............................................................................... 217
Stage 3: IPFIX Reporting Setup in the F5 Device ....................................................................................... 220
F5 ASSETS ........................................................................................................................................................ 228
IPFIX COLLECTOR INSTALLATION ........................................................................................................................... 228
Advanced Setting Configuration ................................................................................................................ 229
GCP (GOOGLE CLOUD PLATFORM) ............................................................................................................... 231
INTRODUCTION ................................................................................................................................................... 231
CONFIGURING GCP ORCHESTRATION ...................................................................................................................... 231
Step 1: Set Up a Read Only Service Account in GCP ................................................................................... 231
Step 2: Add GCP Orchestration to Centra .................................................................................................. 232
INVENTORY API ........................................................................................................................................... 234
WHEN TO USE THE INVENTORY API? ...................................................................................................................... 234
WHY USE THE INVENTORY API? ............................................................................................................................ 234
HOW IT WORKS .................................................................................................................................................. 234
TO CONFIGURE THE INVENTORY API ....................................................................................................................... 234
REST API EXAMPLE ........................................................................................................................................... 237
LIMITATIONS ..................................................................................................................................................... 238
HOW TO GET BIOS UUID ................................................................................................................................... 238
KUBERNETES ................................................................................................................................................ 239
Configure Kubernetes Orchestration in Centra .......................................................................................... 239
Stage 1: Setting up a Kubernetes Service Account Authentication ............................................................ 239
Stage 2: Configure Kubernetes Orchestration in Centra. ........................................................................... 241
OCI (ORACLE CLOUD INFRASTRUCTURE) ...................................................................................................... 243
INTRODUCTION ................................................................................................................................................... 243
CONFIGURING OCI ORCHESTRATION....................................................................................................................... 243
STEP 1 - IN OCI, CREATE AN ORCHESTRATION USER FOR CENTRA .................................................................................. 243
STEP 2 - IN CENTRA, CONFIGURE THE OCI ORCHESTRATION ......................................................................................... 243
OPENSTACK ................................................................................................................................................. 246
SETTING UP OPENSTACK ORCHESTRATION .............................................................................................................. 246
Step 1: Configure a read-only user on the OpenStack platform................................................................. 246
Step 2: Configure OpenStack Orchestration in Centra ............................................................................... 246
Basic Configuration ................................................................................................................................... 248
Advanced Configuration ........................................................................................................................... 249
API COMMANDS ................................................................................................................................................ 251
VSPHERE ORCHESTRATION .......................................................................................................................... 253
FIREWALLS INTEGRATION ............................................................................................................................ 256
INTEGRATION WITH PALO ALTO NETWORKS FIREWALL ............................................................................................... 256
HOW IT WORKS .................................................................................................................................................. 256
BEFORE YOU BEGIN: REQUIREMENTS FOR SUCCESSFUL INTEGRATION ............................................................................ 257
CONFIGURATION ................................................................................................................................................. 257
Troubleshooting ......................................................................................................................................... 260
DATA EXPORT .............................................................................................................................................. 262
Incident Log................................................................................................................................................ 263
EMAIL .......................................................................................................................................................... 264
SAAS USERS ....................................................................................................................................................... 264
ON-PREMISES USERS ........................................................................................................................................... 265
SLACK .......................................................................................................................................................... 267
STIX ............................................................................................................................................................. 268
SYSLOG ........................................................................................................................................................ 270
CONFIGURING SYSLOG EXPORT .............................................................................................................................. 270
EVENTS SYSLOG EXPORTER.................................................................................................................................... 271
Network Log Syslog Exporter ..................................................................................................................... 276
COMMON EVENT FORMAT (CEF) SENT BY CENTRA .................................................................................................... 276
ENABLING THE NETWORK LOG REPORTER ................................................................................................................ 277
SYSTEM USERS ............................................................................................................................................. 278
TO ADD, MODIFY OR DELETE A USER: ....................................................................................................................... 278
PERMISSION SCHEMES ............................................................................................................................... 280
WHY CREATE PERMISSIONS? ................................................................................................................................ 280
CREATE A PERMISSION SCHEME ............................................................................................................................ 280
ROLES BASED PERMISSIONS TO CENTRA'S FEATURES ................................................................................................. 283
SCOPED APPLICATION OWNER ROLE ...................................................................................................................... 288
ASSIGN A PERMISSION SCHEME TO A USER .............................................................................................................. 289
USER DIRECTORIES....................................................................................................................................... 290
ADDING A NEW USER DIRECTORY .......................................................................................................................... 290
Configuring LDAP ...................................................................................................................................... 290
Configuring SAML 2.0 SSO ........................................................................................................................ 292
ASSIGN PERMISSIONS TO ACTIVE DIRECTORY GROUPS ............................................................................................... 292
EDIT USER DETAILS IN A USER DIRECTORY................................................................................................................ 292
CONFIGURING FORTIAUTHENTICATOR SAML 2.0 WITH GUARDICORE CENTRA ........................................... 293
OVERVIEW OF CONFIGURATION STAGES .................................................................................................................. 293
STAGE 1: CONFIGURE SSO AND IDP SETTINGS IN FORTIAUTHENTICATOR ....................................................................... 293
CONFIGURING SAML 2.0 SSO WITH OKTA .................................................................................................... 296
STEP 1: CONFIGURE THE OKTA GUARDICORE APP ..................................................................................................... 296
STEP 2: CONFIGURE THE USER DIRECTORY IN CENTRA ............................................................................................... 300
STEP 3: CONFIGURE THE OKTA GROUP IN CENTRA .................................................................................................... 302
CONFIGURING SAML 2.0 SSO WITH RED HAT ............................................................................................... 305
STAGE 1: CONFIGURE THE IDENTITY PROVIDER (IDP) ................................................................................................ 305
STAGE 2: CONFIGURE THE SERVICE PROVIDER .......................................................................................................... 309
SAML Directory Configuration ................................................................................................................... 309
STAGE 3: CONFIGURE THE ENCRYPTION KEY ............................................................................................................ 310
STAGE 4: CONFIGURE THE PERMISSION SCHEME IN CENTRA ....................................................................................... 310
CREATE KERBEROS AUTHENTICATION IN CENTRA ........................................................................................ 310
STEP 1: CREATE A KEYTAB FILE .............................................................................................................................. 311
A: Create the User ...................................................................................................................................... 311
B: Create the Keytab File ............................................................................................................................ 312
STEP 2: CONFIGURE CENTRA ................................................................................................................................ 313
STEP 3: TEST THE CONFIGURATION ........................................................................................................................ 314
MANAGEMENT CONFIGURATION ................................................................................................................ 315
GENERAL ........................................................................................................................................................... 315
AUTHENTICATION ................................................................................................................................................ 320
DASHBOARD....................................................................................................................................................... 324
DOMAIN CLASSIFICATION...................................................................................................................................... 326
SYSTEM INFO ............................................................................................................................................... 328
AUDITING .................................................................................................................................................... 328
EXPORTING TO A CSV FILE .................................................................................................................................... 328
SYSTEM LOG ................................................................................................................................................ 329
How Centra Works
The Guardicore Centra Security Platform is a comprehensive data center and cloud security
solution that provides a single console for managing segmentation, access control, and
security policies throughout your entire environment. Centra makes visualizing and securing
on-premises and cloud workloads fast and simple. It creates human-readable views of your
complete infrastructure – from the data center to the cloud – with fast and intuitive workflows
for segmentation policy creation.

Agents Collect Information on Your IT Infrastructure
Guardicore Centra collects detailed information about an organization’s IT infrastructure
through a mix of agent-based sensors, network-based data collectors, and virtual private
cloud (VPC) flow logs from cloud providers.

Automated Labeling of Your Assets
This information is then placed into context through a flexible and automated labeling
process that includes integration with any existing data sources such as orchestration
systems and configuration management databases.

A Comprehensive Visual Map of Your Entire IT Infrastructure
The result is a dynamic visual map of the entire IT infrastructure that allows security teams to
view activity down to the individual process level and user on both a real-time and historical
basis. The map provides clarity and an intuitive interface for quickly implementing
segmentation policies.

Incident Reports and Logs
Through a versatile map of your assets and traffic, together with user-friendly incident, log and
report screens, Centra provides deep visibility into application dependencies and flows. It also
enforces network-level and process-level policies that isolate and segment critical applications
and infrastructure, reducing the attack surface and detecting and controlling breaches within
east-west traffic. Centra's segmentation capabilities are complemented by a set of breach
detection and response capabilities.

Seamless Integration with Any Platform
Centra protects workloads in hybrid environments made up of any combination of legacy
systems, bare-metal servers, virtual machines, containers, and cloud instances, spanning
on-premises infrastructure and the public clouds Amazon Web Services (AWS), Microsoft Azure,
Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI). As a single distributed
software platform, Centra provides the security controls for all of these environments in one
place, reducing security management complexity and removing the need for multiple point
solutions.

Core Capabilities
Centra's core capabilities include flow visualization, application level segmentation and
micro-segmentation, breach detection, and automated analysis and response:

Flow visualization Centra's user-friendly interface provides automatic discovery and a
dynamic visual map of all applications and workloads, down to the process level and the user
identity behind it. This lets IT teams view and monitor communication flows inside the data
center.

Application segmentation and micro-segmentation Centra's flow map and its policy
creation and editing screens enable IT and security teams to easily define granular security
policies between applications, and to monitor those policies for non-compliant flows and
suspicious activity that could indicate a breach.

Multi-method breach detection features several distinct detection methods including
dynamic deception, policy-based detection, integrity monitoring, and reputation analysis. The
methods are all centrally managed and distributed throughout the data center to catch
breaches more quickly, virtually in real time as they occur. An optional Threat Intelligence
Firewall provides blocking policies against a list of malicious IPs that is updated daily by
Guardicore's security team.

Automatic analysis enables security teams to quickly prioritize security incidents requiring
immediate response that would otherwise involve hours of human analysis using traditional
tools and techniques.

Incident response allows for real-time attack isolation and remediation of infected systems,
stopping an attack early in the kill chain.

Architecture
Guardicore Centra is a distributed software platform designed to address the security
requirements of clouds and data centers. The Guardicore Centra Security Platform provides
a unique combination of process-level segmentation, threat deception, semantics-based
analysis, and automated response in modern data centers.

Centra can be deployed as software as a service (SaaS) or as an on-premises solution. In
on-premises installations all components are rolled out in the customer environment, while in
SaaS deployments the Management and Deception components are installed in the Guardicore
cloud.

Guardicore Centra architecture is based on:

• Distributed Collectors and Agents. Collectors are deployed at the infrastructure level,
while Agents are deployed at the guest level.

• Centralized management, deception and aggregation components.

Centra Components
Management Server
Provides a single point of control for all data received by the solution components, and
provides the UI, alerting and automatic reporting, monitoring, configuration and patching of
all components.

Aggregators
Aggregators are points of communication and control for associated Agents. Aggregators
provide the following functionalities:

• Manage Agent installation, patching and configuration.

• Receive and aggregate Agent data before forwarding it to the Management layer.

• Continuously derive the per-Agent policy published by Management and distribute it to
the Agents.

Aggregators can be deployed in clusters. This provides automatic load balancing capabilities
between Aggregators within the cluster, resulting in a uniform load distribution.

Depending on the allocated compute resources, a single Aggregator can support between 200
and 2,000 Agents with a micro-segmentation feature set (Reveal, Enforcement and Detection
modules active on the Agent, Deception module disabled), or an average of 100 Agents when
all modules, including Deception, are active on the Agents. See Aggregators for more
information.

Collectors
Collectors are virtual machines that gather information on flows in environments where
Agents cannot be deployed. Such environments include legacy systems incompatible with
Agent software, as well as environments outside of your system that interface with your
network. Collectors relay data to the Guardicore Management server for further analysis and
integration into Guardicore’s Reveal charts. Collectors are also able to detect suspicious
flows, redirect them to a SPAN port for further analysis, and, where warranted, divert them to
the Deception server (honeypot). Unlike Agents, Collectors cannot enforce policy, but they
can alert regarding policy violations.

There are three types of collectors: ESX, SPAN and AWS VPC Logs. For more information
see Collectors.

Both Aggregators and Collectors integrate with various orchestration layers, including
VMware, AWS, Kubernetes, etc. This allows asset information, labels and more to be pulled
automatically into Centra.

Agents
Agents are deployed on Windows and Linux based guest systems, including VMs, bare-metal
servers, cloud compute and container worker nodes. Agent software packages are served
directly from the Aggregator but can also be delivered via an offline installation package.
Agents have four modules: Reveal, Enforcement, Deception, and Detection.

Agent module - What it does

Reveal: Collects process-aware network flow events, including protocols, ports and
corresponding processes (path, user, command line, hash etc.), enabling process-level
visibility and file reputation.

Enforcement: Enables control over network flows (allowing / alerting / blocking flows) in
accordance with the defined policy.

Detection: Performs file integrity monitoring (FIM).

Deception: Captures and routes failed traffic to deception servers. It is an alternative to the
Deception functionality of a Collector.

Deception Server
Deception Servers receive live, suspicious connections from across the data center and
generate matching deceptive environments to lure attackers. The matching is done against the
Server that manages a farm of multiple honeypot instances of different flavors (Windows and
Linux). The Deception Server can be deployed as a virtual machine or a physical appliance
and can operate as a single node or as part of an array of Deception Servers, depending on the
customer's deployment scale.

How it Works

Within the Deception Server there are virtualized machines that interact with the suspected
attacker. Each virtualized machine is referred to as a service provider. The Deception Server
supports many flavors of Windows and Linux service providers. When a new attacker comes
in with a new source and destination IP, the system allocates a new service provider based on
what the attacker expects to meet. This means that the allocation algorithm will try to keep
the network deception engine as consistent as possible (i.e., a machine deceived as a Linux
Web Server with hostname "server1" will look the same even after a period of time). In
addition, the allocation algorithm will try to maximize the neutrality of the OS distribution
among potential victims, so that an attacker scanning the network will come across a variety
of fake machines.

Supported Platforms
Centra is tightly integrated with different controllers and orchestration components for object
identification and reporting. It provides full coverage of all VMs and VM-to-VM traffic,
including traffic between VMs on the same hypervisor. Designed to accommodate the most
demanding environments, the 3-tier architecture scales to meet the performance and security
requirements of data centers of any size, with very low impact on hypervisor performance.

Supported Hypervisors for ESX Collectors

VMware ESX 5.1 or later for each server.

Supported Public Clouds

Amazon Web Services, Microsoft Azure, Oracle OPC, Google Cloud Platform.

Supported Systems

VMware vSphere and VMware vCenter Server 5.5.x and later, VMware NSX Manager 6.1.x,
Nuage Networks, CloudStack, Mission Critical Cloud, Microsoft Hyper-V, OpenStack
(Vanilla/Mirantis), Kubernetes, OpenShift

Intelligence sharing export protocols

STIX, Syslog, Open REST API.

Browsers for web console

Google Chrome 50 or above, Edge, Mozilla Firefox 47 or above

Screen resolution: 1920x1024.

System and Memory Requirements

Management Server: 32 GB RAM, 8 vCPUs, 530 GB storage

Deception Server: 32 GB RAM, 8 vCPUs, 100 GB storage

Aggregator: 4 GB RAM, 4 vCPUs, 30 GB storage

Collector: 2 GB RAM, 2 vCPUs, 30 GB storage

Centra UI Home
Note: the default UI session inactivity timeout is 12 hours. The default setting can only be
changed via mgmtctl (not via the UI itself).

Guardicore Centra's Home page provides a UI with access to both User and Administration
pages. The left side of the screen displays a panel with the following screens:

Dashboard: Displays statistics about failed connections, assets at risk, incident analysis by
incident type, system health, top incident tags, top services and operating systems used, etc.

Network Statistics: Displays north-south vs east-west (lateral) connections, misconfigurations,
unresolved domains, domain usage anomalies, etc.

Reveal: Displays a data center map down to the process level.

Policy: Provides the ability to segment the network into applications and then to
micro-segment application flows.

Incidents: Displays information on security incidents and affected assets.

Incident Groups: Displays information based on attributes shared by a number of incidents.

Assets: Displays orchestration information and all incidents reported for the protected assets.

Activity: Log pages that provide information on the following: Integrity, Network, Redirections
and Reputation.

At the right side of the ribbon at the top of the screen the following buttons are displayed:

Reload Data

System Log Notifications

Administration (displays the Administration screen)

Dashboard
The dashboard enables security administrators to easily keep track of information vital for
the security of your system:

The Dashboard displays information on applications, traffic flows, malicious domains, the
state of Agents, and the health of the system. Information can be displayed for the last hour,
day, or week by clicking the buttons at the right top of the screen:

The screen includes the following areas:

First Row

The most active applications that display East-West traffic for the specified time period.
Source, Destination, and Port of the traffic are displayed, as well as the number of
connections (Count). Clicking on Count displays the Network log with more details.

The number of flows allowed by the policy compared with the total number of flows for the
specified time period. Clicking the title displays the Network log.

Displays the number of Enforcing Agents for the specified time period. Clicking on the title
(number of enforcing Agents) displays the Agents screen listing the enforcing Agents.
Clicking the subtitle (total number of Agents) displays the Agents screen listing all the
Agents (enforcing as well as not enforcing). Hovering over a bar on the green part of the
graph displays the number of enforcing Agents for a point in time. Hovering over a bar on
the gray part of the graph displays the total number of Agents for a point in time.

Displays the percentage of Assets covered by Agents. Clicking on the Percent displays the
Agents screen listing the Agents involved. Clicking on the number of assets displays the
Assets screen.

Displays the Health of the system. Hovering over a button displays information for one of
the following: Resources, Components, Agents, Integrations. For example:

When a button is green, it indicates that there are no issues.

The total number of health issues is indicated at the bottom.

Second Row

The traffic blocked by Centra the greatest number of times for the specified time period.
The display shows the source and destination of the flow and the applications and processes
involved.

Windows users for the specified time period. The number of users and a list of users are
displayed. Hovering over a user displays information on the processes run by the user:

Applications covered by the policy. Each dot represents an application. Green dots stand for
applications that are covered by a policy. The size of the dot indicates the number of assets
for the application. Hovering over a dot displays the name of the application and the number
of assets involved, for example:

A gray dot indicates an application not covered by a policy.

Environments covered by the policy. Each dot represents an environment. Green dots stand
for environments that are covered by a policy*. The size of the dot indicates the number of
assets in the environment. Hovering over a dot displays the name of the environment and the
number of assets involved, for example:

*Note: Environment labels that do not have assets are not counted, even though they may
have a policy.

Displays the activated Centra features for the system. Features with a green icon are
activated. Hovering over a feature's icon displays more information and links to screens that
provide more details.

Third Row

The traffic that raised the most alerts by Centra for the specified time period. The display
shows the source and destination of the flow and the applications and processes involved.

Malicious domains identified by Guardicore's Reputation service. Hovering over the area
displays the entire list of malicious domains.

Clicking a domain displays a message.

Malicious IP addresses identified by Guardicore's Reputation service. Hovering over the area
displays a list of malicious addresses.

Clicking an address displays a message.

Validated Processes. Hovering over the area displays the entire list of processes.

Lateral movements that were detected in the system during the specified time period.
Clicking the link displays the Lateral Movements Incident screen with more information.

Admin (User) Menu
The Admin Menu (also referred to as the User menu) is the menu that drops down when you
click admin or guest (name) (depending on your permissions) in the upper right corner of
your Centra page:

Menu Options
Options in this menu include the following:

Change Password

Type a new password with a minimum of 3 characters, including a number and a symbol.

Manage 2-Step Verification

When you enable 2-Step Verification you add an extra layer of security to your account. You
sign in with something you know (your password) and something you have (a code sent to
your phone). 2-Step Verification is also referred to as two-factor authentication (2FA).

User Preferences

Enables you to set the Reveal Map to Color blind mode so that the flows in the map can be
distinguished by those with color blindness:

End User License Agreement

Displays the End User License Agreement (EULA).

Help
Link to the current version's installation guides and user guide.

Release Notes
Link to the release notes of the currently installed version.

Log out
Log out from Centra. For example, you may wish to log in as a different role (admin instead
of guest and vice versa).

Version Info
Includes version number, build number, current system time etc.

Reveal
Guardicore Reveal provides a visual map of all the applications running in the data center,
all the way down to the process level. Reveal allows you to build segmentation and micro-
segmentation policies around these applications with one-click enforcement. Below is a
Reveal map displaying ungrouped assets and flows:

(Subsequent articles explain how to clarify the map using labels that enable you to group
assets.)

Guardicore Reveal is designed to address the needs of large and complex customer
environments and deploy micro-segmentation across all types of environments, from bare
metal to virtualized machines, through public cloud instances and recently to containerized
environments.

Reveal is based on the concept of visualization. Visualizing the network, its assets,
processes, and traffic flows, is the first step to efficiently creating useful segmentation and
micro-segmentation policies. Reveal maps clearly display your network and enable you to
group network components in a way that enables high level views that can be drilled down,
greatly facilitating your understanding of the network.

But Reveal maps are more than a visual display; they also enable you to establish flow
policies as you inspect the map, making segmentation and micro-segmentation an efficient
process and a practical and effective strategy for establishing network security.

Reveal maps serve two purposes:

• They show the traffic flows occurring in your network, enabling you to spot problems,
security incidents, etc.

• They enable you to formulate and implement flow policies based on your expanded
knowledge of the network.

Reveal Architecture
Reveal maps consist of data from three main components: Management Server, Aggregator
and Guest Agents.

Reveal Agents: Agents collect traffic flow information that is used for building the process-
level Reveal maps. After installing Agents on assets, traffic should be collected for a
reasonable period of time to identify rare flows.

Aggregator Server: The Aggregator is a VM that receives information from Guardicore Guest
Agents. After aggregating the connection data, it sends the data to the Management Server.

Management Server: The Management Server receives, correlates, analyzes, and enriches
info collected by Reveal Agents and turns it into actionable, natural language incident
reports. For Agent-less environments, Reveal can leverage a Guardicore Collector, a VM
that connects to virtual and physical switches to provide Flow visibility (L4 only).

Labels
To help you manage assets and simplify the creation of policy rules, Guardicore uses labels
in Reveal maps. Labels allow you to assign your own metadata to each asset and enable
you to categorize your assets in different ways, for example, by role, application, or
environment. This is helpful when you have many assets of the same type - you can quickly
identify a specific asset based on the labels you've assigned to it.

What Kind of Labels Can You Create?
Centra's flexible Labeling mechanism enables you to create your own labeling scheme. You
can create whatever labels and labeling scheme best accords with the way you think of your
organization's assets and workloads.

Many Guardicore clients use a hierarchical labeling scheme. By successively assigning
hierarchically arranged labels to an asset, you can hide the information of a tier and display it
when required. For example, a highly recommended labeling scheme is the following:
Environment, Application, Role. To implement this scheme you would label each asset by its
environment, application and role.

The Reveal map would show these labels as three nested groups - role within application,
within environment. You can then open and close these groups as needed to get to the level
of detail - and the information - that you need. So you can go all the way from a high level
map of your data center to process-level data of each individual asset.

The nested representation of labels is automatically translated into AND rules that
dramatically reduce the number of micro-segmentation rules required for creating an
effective policy.

Nested Grouping: Environment, Application, Role

For information on how to create and use labels, see Labels.

Segmentation Rules
Reveal maps enable you to easily formulate and implement flow policies straight from the
map. Policies are built of four types of segmentation rules: Override, Allow, Alert, and Block
rules.

These are explained below.

Override Rules
Override rules include Override Allow, Override Alert, and Override Block rules. These rules
take precedence over any Allow/Alert/Block rules.

Example: Block all outgoing traffic from database servers to the Internet.

Allow Rules
These rules are used to build a whitelist of allowed flows. Traffic matched by these rules will
be explicitly allowed. Allow rules take precedence over Alert and Block rules.

Example: Allow Tomcat to MongoDB traffic between App Servers and Database Servers.

Alert Rules
These rules are used to build a monitoring segmentation policy. Traffic matched by these
rules will be allowed, but will trigger a "Policy Violation" incident.

Alert rules take precedence over Block rules.

Example: Alert on any incoming traffic to DatabaseVMs (that did not match any Allow rule).

Block Rules
These rules are used to build an enforcement policy. Traffic matched by these rules will be
blocked; if action is "block and alert", a "Policy Violation" incident will also be triggered.

Example: Block any incoming traffic to PCI Servers (that did not match any Allow or Alert
rule).

Flow Matching Order
Traffic is matched against the rules in the following order:

Override Rules: If traffic is matched by an Override rule, that rule takes precedence over any
other rule.

Allow Rules: If traffic is matched by an Allow rule, the traffic is allowed.

Alert Rules: If traffic is matched by an Alert rule, a policy violation incident is created.

Alert and Block: If traffic is matched by an Alert and Block rule, a security incident is
recorded and the traffic is blocked.
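The precedence described above is easy to get wrong when a flow matches rules in more than one section, so here it is modelled as a small evaluator. This is an added illustration written for this guide, not Centra's policy engine or its API: the Flow and Rule shapes, the "Key:Value" label strings, the rule names and the sample flows are all assumptions, and it assumes that a flow matched by no rule passes (the "not covered by any policy" case shown grey on the Policy Overlay map). Each rule's source and destination are sets of labels that must all be present (the AND semantics produced by nested labels), and sections are checked in the order Override, Allow, Alert, Block, with the first match deciding.

```python
"""Segmentation-rule precedence, modelled on the Override > Allow > Alert > Block
order described in this guide. Added illustration; not Centra's engine."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: FrozenSet[str]      # labels on the source asset, e.g. "Role:DB" (assumed format)
    dst: FrozenSet[str]      # labels on the destination asset
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    section: str                            # "override" | "allow" | "alert" | "block"
    action: str                             # "allow" | "alert" | "block" | "block_and_alert"
    src: FrozenSet[str]                     # every listed label must be present (AND)
    dst: FrozenSet[str]
    ports: Optional[FrozenSet[int]] = None  # None means any destination port

    def matches(self, flow: Flow) -> bool:
        return (self.src <= flow.src
                and self.dst <= flow.dst
                and (self.ports is None or flow.dst_port in self.ports))


# Sections are evaluated in this order; the first matching rule decides.
SECTION_ORDER = ("override", "allow", "alert", "block")

# What each action does to the flow and whether a "Policy Violation" incident is raised.
ACTION_RESULT = {
    "allow": ("allowed", None),
    "alert": ("allowed", "Policy Violation"),
    "block": ("blocked", None),
    "block_and_alert": ("blocked", "Policy Violation"),
}


def evaluate(rules, flow) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (verdict, incident, matched rule name) for one flow."""
    for section in SECTION_ORDER:
        for rule in rules:
            if rule.section == section and rule.matches(flow):
                verdict, incident = ACTION_RESULT[rule.action]
                return verdict, incident, rule.name
    # Assumption: a flow no rule covers passes (grey "not covered" on the overlay map).
    return "allowed", None, None


def labels(*names: str) -> FrozenSet[str]:
    return frozenset(names)


# Constructed rule set mirroring the examples in the text. Note that the Allow rule
# for DB egress never wins: the Override Block in front of it takes precedence.
RULES = [
    Rule("override-db-egress", "override", "block", labels("Role:DB"), labels("Internet")),
    Rule("allow-db-updates", "allow", "allow", labels("Role:DB"), labels("Internet"),
         frozenset({443})),
    Rule("allow-app-to-db", "allow", "allow",
         labels("Environment:Prod", "Application:Billing", "Role:App"),
         labels("Environment:Prod", "Application:Billing", "Role:DB"),
         frozenset({27017})),
    Rule("alert-db-ingress", "alert", "alert", labels(), labels("Role:DB")),
    Rule("block-pci-ingress", "block", "block_and_alert", labels(), labels("Role:PCI")),
]

# Constructed flows exercising each branch of the precedence order.
FLOWS = {
    "db_to_internet": Flow(labels("Environment:Prod", "Role:DB"), labels("Internet"), 443),
    "app_to_db": Flow(labels("Environment:Prod", "Application:Billing", "Role:App"),
                      labels("Environment:Prod", "Application:Billing", "Role:DB"), 27017),
    "web_to_db": Flow(labels("Environment:Prod", "Application:Billing", "Role:Web"),
                      labels("Environment:Prod", "Application:Billing", "Role:DB"), 27017),
    "web_to_pci": Flow(labels("Environment:Prod", "Role:Web"),
                       labels("Environment:Prod", "Role:PCI"), 443),
    "web_to_web": Flow(labels("Role:Web"), labels("Role:Web"), 80),
}


def evaluate_all(rules=RULES, flows=FLOWS):
    return {name: evaluate(rules, flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (verdict, incident, rule) in evaluate_all().items():
        print(f"{name:15} {verdict:8} incident={str(incident):17} rule={rule}")
```

Running the block shows the DB-to-Internet flow blocked by the Override rule even though an Allow rule would have matched it, the App-to-DB flow allowed without an incident, the Web-to-DB flow allowed but raising a Policy Violation (the Alert rule fires because no Allow rule covered it), and the Web-to-PCI flow blocked with an incident.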

Explore
The Explore window displays the most recent hourly or daily map along with detailed
information about any asset, process or subnet.

A Reveal map can be filtered by any of the following:

Last Map tab (blue, farthest to the left): Last uploaded map. Click it to create a new map,
view one of the three last uploaded, or search for a map.

Ungrouped/Group By: An ungrouped map displays assets by their names. To simplify a map
and gain more perspective, it is recommended to use the Group By option.

NOTE: The labeling scheme can be easily configured in System/Configuration/Reveal.

Grouping assets by labels provides a clearer, more useful map and greatly simplifies the
creation of policy rules.

Time Range: Indicates the start and end time of map creation.

Rebuild current map with data of the last hour.

Filter: Indicates the filter or filters selected for the map.

Rearrange button: Centra allows you to choose between two modes of graph arrangement:
Hierarchy and Radial. The Rearrange button positions the nodes in the most readable layout.
Select an item on the graph and click the Rearrange button.

Right-Clicking an Item or Connection: See Working with Reveal Maps.

Here's an example of a radial layout:

To save the map layout, click the Save current map layout button .

Toolbar

The toolbar is displayed at the bottom right of the Reveal screen. Use the toolbar to navigate
Reveal using shortcuts, switch between modes, and get a quick view of the flows lined up in
a table. You can also get permanent links of a specified view that can be used for permanent
access.

Displays the following keyboard shortcuts:

Switch to graph selection mode/graph dragging mode

Displays the Reveal graph legend:

Get a permanent link of the current view so you can use it for permanent access

Display the Flows Table, which includes, for every connection: Source, Destination,
Destination ports and the number of times the flow has been documented. Every
table can be exported as a CSV file.

Resets the Reveal graph to initial grouping

Undo last grouping/ungrouping action

Show processes for visible assets

Map Icons and Flow Types
Clicking any asset, process, connection or subnet on the Reveal map displays important
metrics on the right-hand side bar including its IP address, related applications, information
from orchestration, and labels. This article covers the following:

Icons Used in Reveal

Labeled Assets Information

Clicking a label on the graph displays the Label, the Assets that are assigned that label, and
any IP Addresses, Container Groups, or Pod Groups that are included in the label definition.

Connection Information
Clicking any flow on the graph displays its Connection Type, Destination Port, Source IP,
Destination IP, Destination Domains, IP Protocol, Policy Rules, and Identity (i.e., the identity
of the one who initiated the flow). The number on the flow represents the destination port:

Process Information
Clicking any process on the graph displays its related application, process name, path,
process group, and hash (Hash information is displayed for all Linux based assets while for
Windows based assets only the hash for non system processes is displayed). Asset
information such as Asset Name and Asset IP addresses are also displayed:

Asset Information
Clicking an unlabeled asset displays the Asset Name, and some, or all, of the following:
Tenant Name, IP addresses, associated Applications, and Orchestration Information. A
Labels section at the bottom of the screen enables you to add a label to the Asset:

Subnet Information
Clicking a subnet displays the IP addresses assigned to the subnet:

Flow Color Schemes
Reveal maps use various color schemes to indicate the status of traffic flows. There are two
color schemes: a scheme for the Reveal map that shows flows that have occurred during the
specified time period, and a scheme for the Policy Overlay Map that is displayed in the
Policy Editor.

Reveal Map Color Scheme

Reveal maps use the following color scheme to clarify traffic flows:

Flow Color - Meaning

Grey: Successful flow.

Solid red: Problematic flow. This may be due to an incident such as bad reputation,
lateral movement, etc. In a historical map, this may indicate a policy violation.

Dotted red: Blocked flow. The flow has been blocked by Guardicore due to a Block policy.

Dotted orange: Failed connection (not caused by Guardicore; this may be due to a third party
such as a firewall, closed port, etc.).

Example of a Red Flow

Policy Overlay Map Color Scheme

The map displayed in the Policy Editor follows a different color scheme:

Flow Color - Meaning

Grey: Successful flow, but not covered by any policy.

Green: Allowed flow.

Orange: The flow violates an Alert policy rule.

Red: The flow violates a Block policy rule and is blocked by Guardicore.

Note: Policy Overlay mode assumes that DNS rules match any destination, so the graph
might color some flows green even though they won't be allowed in the policy.

Native Docker Visibility in Reveal Maps

After you perform the required configuration and labeling, containers (as container groups)
can be viewed on the Reveal map. Container Groups are represented by the Docker container
icon, and Pod Groups by a separate pod icon. Centra supports both Host and Bridge modes; a
host mode container is represented by its own icon.

The map can show the following traffic patterns:

• Container to Container

• VM\BM (covered\uncovered) to Container

• Container to VM\BM (covered\uncovered)

The following map is an example of how containers are represented on the Reveal map:

Labels
Overview
To help you manage assets and simplify the creation of policy rules, Reveal maps use
labels. Labels enable you to group assets that share common attributes which greatly
simplifies the map. For example, you can categorize assets by role, application, or
environment. This is helpful when you have many assets of the same type - you can quickly
identify a specific asset based on the labels you've assigned to it. Using labels makes your
work easier and more efficient.

There are several very good reasons for using labels:

Labels Promote Visualization - Assets represent workloads in a protected data center,
which can be considerable. Assigning labels to assets allows you to group assets that share
the same value, reducing the number of map elements and allowing 'high level' exploration.
Many Guardicore customers use a hierarchical labeling scheme consisting of three label
keys: Environment, Application, and Role, but you can use any scheme based on your data
center requirements. Here's a before and after - an unlabeled map vs a label based map.
Labeled assets are marked by the label icon on Reveal maps.

Labels Assist Policy Creation - Labels are the preferred method to use in creating policy
segmentation rules rather than assets. Due to the complexity of most data centers, using
labels to create policies is much more efficient. Formulating segmentation rules that use
labels as source/destination vastly reduces the complexity of creating a policy for a group of
assets. For example, clicking any flow on the map allows you to add an Allow rule that uses
the labeling info to automatically create comprehensive rules (AND policy) that use the entire
labeling path (environment-app-role).

Labels Help Manage Assets - in case of a breach, labels allow you to easily isolate the
breached asset without impairing data center performance:

How Labels Are Built
Each label consists of a key and value, both of which you define (e.g. key = database; value
= splunk). You can edit label keys and values and remove labels from an asset at any time.
There is no limitation on the number of labels, though it is recommended to use no more
than a few. Use the label key field to indicate the asset's environment, application, or role,
and the label value field to indicate the specific type within those keys. For example, if you
define a label's key as Application (App), the label's value might be Accounting, Billing,
CRM, etc.

For each key use only a single value.

Explicit Labels and Dynamic Labels

• Explicit labels are attached to managed assets (listed in the Assets screen) using their
asset IDs. Explicit labels can be automatically imported using orchestration
integration (AWS/Azure/Kubernetes).

• Dynamic labels can be assigned to both managed and unmanaged assets. Unmanaged
assets are assets discovered when they participate in traffic flows and shown as an IP
address on the Reveal map. Dynamic assets are not listed in the Assets screen.

Creating Labels
Creating a label involves specifying the following:

A Key such as Environment, Application, or Role.

A Value for the key, such as Production (for the Environment key).

Dynamic Criteria that enables Centra to automatically match assets with those criteria to
the label (optional). Providing dynamic criteria greatly speeds up the process of grouping
assets using labels.

1. From Reveal, select Labels:

2. Click the Label Name field; the following appears:

3. Type a Key for the label: the default keys that were specified in
System/Configuration/Reveal are displayed. The recommended keys are
Environment, Application, and Role.

4. Type a Value for the label key that you just specified. For example, a value for the
label key Environment might be Production, a value for Application might be
Accounting, and a value for Role might be DB (database) or LB (load balancer).

Note: All characters except for the following are allowed: ', ", ?, /, //, ], [

5. Optionally, in the Dynamic Criteria field add criteria such as "Name starts with..." or
IP address and Subnet, etc. These criteria will be used by Centra to automatically
match assets to the label. Using Dynamic Criteria can greatly speed up the process
of labeling assets.

6. Click the Check symbol at the far right of the label line; the label is added to the
list of labels. Centra automatically matches assets conforming to the criteria that you
specified and indicates the number of matching assets in the Matching Assets field
(clicking on this field displays the first ten assets that match the label):

Note: Centra allows editing up to 500 Dynamic Criteria records per label. Labels with over 500
Dynamic Criteria can be modified via the API.

Create as many labels as necessary to adequately group assets in your system. The
Dynamic Criteria that you define for each label automatically groups assets. Moreover,
because the hierarchical relationship between the label keys is specified in Administration
System/Configuration/Reveal, Centra automatically nests the assets as well within the
hierarchical structure. The result is a layered map clearly showing the flows between groups
of assets and items such as processes, internet, subnets, etc.
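The two mechanisms this section relies on, dynamic criteria picking assets into a label and the label hierarchy nesting those assets into groups, are shown together in the following example. It is an added illustration written for this guide, not Centra's matcher or its API: the asset records and addresses are constructed, the "name_starts_with" and "subnet" criteria follow the kinds named in the text while "name_contains" is an assumed extra, the rule that an asset matches a label when any one of its criteria matches is an assumption, and the one-value-per-key rule from "How Labels Are Built" is enforced by raising an error on a conflict. The nested path returned by label_path is the same Environment/Application/Role triple that a rule created from the map would use as its AND scope.

```python
"""Dynamic label criteria and the nested Environment/Application/Role grouping
described in this guide. Added illustration, not Centra's matcher or API."""
import ipaddress

# Constructed sample inventory: hypothetical host names and RFC 1918 addresses.
ASSETS = [
    {"name": "prod-billing-db-01", "ip": "10.1.10.11"},
    {"name": "prod-billing-web-01", "ip": "10.1.20.5"},
    {"name": "dev-billing-db-01", "ip": "10.2.10.11"},
    {"name": "prod-crm-web-02", "ip": "10.1.30.7"},
    {"name": "printer-7", "ip": "192.168.5.9"},
]

# Each label has one key, one value and a list of (kind, argument) dynamic criteria.
# An asset matches the label when ANY of its criteria matches (assumed semantics).
LABELS = [
    {"key": "Environment", "value": "Production", "criteria": [("subnet", "10.1.0.0/16")]},
    {"key": "Environment", "value": "Development", "criteria": [("subnet", "10.2.0.0/16")]},
    {"key": "Application", "value": "Billing",
     "criteria": [("name_starts_with", "prod-billing-"), ("name_starts_with", "dev-billing-")]},
    {"key": "Application", "value": "CRM", "criteria": [("name_starts_with", "prod-crm-")]},
    {"key": "Role", "value": "DB", "criteria": [("name_contains", "-db-")]},
    {"key": "Role", "value": "Web", "criteria": [("name_contains", "-web-")]},
]

HIERARCHY = ("Environment", "Application", "Role")   # the recommended three-tier scheme
UNLABELED = "<unlabeled>"


def criterion_matches(kind, arg, asset):
    """'name_starts_with' and 'subnet' follow the guide; 'name_contains' is an assumed extra."""
    if kind == "name_starts_with":
        return asset["name"].startswith(arg)
    if kind == "name_contains":
        return arg in asset["name"]
    if kind == "subnet":
        return ipaddress.ip_address(asset["ip"]) in ipaddress.ip_network(arg, strict=False)
    raise ValueError(f"unknown criterion kind: {kind}")


def label_matches(label, asset):
    return any(criterion_matches(kind, arg, asset) for kind, arg in label["criteria"])


def matching_assets(label, assets=ASSETS):
    """The 'Matching Assets' list for a label: every asset its criteria pick up."""
    return [a["name"] for a in assets if label_matches(label, a)]


def match_labels(asset, labels=LABELS):
    """Key -> value for one asset; enforces the one-value-per-key rule from the guide."""
    matched = {}
    for label in labels:
        if label_matches(label, asset):
            key, value = label["key"], label["value"]
            if matched.get(key, value) != value:
                raise ValueError(f"{asset['name']}: conflicting values for key {key}")
            matched[key] = value
    return matched


def label_path(asset, labels=LABELS, hierarchy=HIERARCHY):
    """The nested path (Environment, Application, Role); also the AND scope a rule
    built from the map would use for this asset. Missing tiers are marked unlabeled."""
    found = match_labels(asset, labels)
    return tuple(f"{key}:{found.get(key, UNLABELED)}" for key in hierarchy)


def nest(assets=ASSETS, labels=LABELS, hierarchy=HIERARCHY):
    """Group assets into the nested tree Reveal draws as groups within groups."""
    tree = {}
    for asset in assets:
        node = tree
        for step in label_path(asset, labels, hierarchy):
            node = node.setdefault(step, {})
        node.setdefault("_assets", []).append(asset["name"])
    return tree


def render(tree, depth=0):
    """Flatten the tree to indented lines, one per group or asset."""
    lines = []
    for key, sub in tree.items():
        if key == "_assets":
            lines.extend("  " * depth + name for name in sub)
        else:
            lines.append("  " * depth + key)
            lines.extend(render(sub, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render(nest())))
    print("Matching Assets for Application:Billing ->", len(matching_assets(LABELS[2])))
```

The printer with no matching criteria ends up under an "<unlabeled>" branch at every tier, which is the case worth checking after a bulk import: assets that fall outside every dynamic criterion are exactly the ones a segmentation policy built from labels will not cover.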

Labeling Scheme Example

Here is a common three-tiered labeling scheme of Environment, Application, and Role:

Environment: for example, Production, Development, QA, Staging, Sandbox

Application: for example, Billing, SWIFT, DC, Confluence, Splunk

Role: for example, Web Server, DB Server, DC server

Note: Although these default labels are recommended, Centra can adapt to any labeling
structure.

Once these labels are in place, Reveal will automatically group labels accordingly. The
following diagram shows a three-tier labeling scheme of Environment/Application/Role:

How Reveal Displays the Labeling Hierarchy
If a hierarchical labeling scheme is used, for example, the Environment/Application/Role
labeling scheme in the example above, the Reveal map displays labels as three nested
groups - role within application, within environment. You can open and close these groups
as needed to get to the level of detail - and the information - that you need. So you can go all
the way from a high level map of your data center to process-level data of each individual
asset:

This nested representation of labels is automatically translated into comprehensive rules that
dramatically reduce the number of micro-segmentation rules required for creating an
effective policy.

Note: flat grouping by a single key (e.g. Environment:Dev, Environment:Prod, etc.) is always
possible and is provided for any new key in the system. Policy rules are automatically
suggested from these nested groups.

The Reveal map also lets you display the map with the assets ungrouped, without labels:

Additional labeling hierarchies can also be configured. Default and additional groupings are
configured in the Administration section of Centra under Configuration > Reveal:

Label Data Sources


Labeling can be imported from several sources:

CMDB - Fetch labels from a Configuration Management Database (CMDB) using its API. CMDBs
are usually used in static environments. Here's the flow:

Orchestration tags - The AWS/Azure/Kubernetes integrations have built-in tag-to-label import
functionality. If you're using AWS, Kubernetes or Azure you can define whether to import the
orchestration tags into Centra. This is the most effective way to label your assets and build
policies around them. Use label key translation to standardize label keys across
orchestrations.

Importing labels using Software Configuration Management (SCM) playbooks - SCM
solutions like Chef, Puppet and Ansible are used in many organizations to provision servers
and maintain software. Playbooks can be used to install GuardiCore agents and update the
asset’s labels using GuardiCore's API.

Other methods include IP subnets, naming conventions and firewall groups.

Compare Label Importing Methods

Working with Reveal Maps
Working with Maps with Unlabeled Assets
When you work with a map with unlabeled assets you can assign labels to selected assets in
the panel at the right of the map:

Normally, you will want to simplify the map by applying a labeling scheme to assets. See
labels for more information.

Double-clicking an unlabeled asset displays its underlying application workloads:

Working with Maps with Labeled Assets
If you view the Reveal map with the Group By: Default Grouping option, the initial view will
apply the default labeling scheme specified in the Administration screen in
System/Configuration/Reveal. For example, the map may look like this:

The map shows the flows occurring in the network for the period covered by the current
policy. In the above map, the yellow icons indicate asset labels, while the numbers
attached to them indicate the number of assets matching that label. Centra's coloring
scheme enables you to understand the flows occurring in the network:

Grey arrows indicate successful flows.

A solid red arrow indicates a problematic flow: a security incident that may be caused by bad
reputation, lateral movement, policy violation, unauthorized flow, etc.

A dotted red arrow indicates a flow that has been blocked by Guardicore due to a Block
policy rule.

A dotted orange arrow indicates a failed connection that has been caused by a third party
such as a firewall.

Selecting Assets to Display More Information


Clicking a label highlights the label and the traffic flows to and from the assets matching the
label and lists these assets at the right of the screen like this:

Clicking an asset in the list at the right of the screen displays detailed information about the
Asset on the Assets screen like this:

Other icons on the map indicate cloud, internet connections, etc. See Map Icons and Flow
Types for a complete list.

This map displays assets/servers that have been labeled with a labeling hierarchy of
Environment → Application → Role. This means that every asset is labeled with these
three keys. For example: Environment: production; Application: Splunk; Role: Web
server.

Successively double-clicking an asset on the map opens its three tiers:

You can change the default labeling scheme in Administration/System/Configuration/Reveal.

The Time range tab of the Hourly Map displays the last complete hour or day. Note that you
cannot change this and navigate in time - this option is available for user generated maps
only.

Drilling Down
Double-clicking a label on the map enables you to drill down and display the next tier of
labeling. Recall that in the above map we used a labeling scheme with a three-tiered
hierarchy of the following keys: environment, application, and role. In the following picture,
an Environment label has been double-clicked, displaying its application tier:

Note that the labels representing application groupings also have numbers attached to them,
indicating the number of assets matching that group. Clicking a label highlights the
connections to and from the label's assets and lists these assets at the right of the screen in
the same way as described above:

Similarly, double-clicking the label icon App: Billing in the above figure displays the
following:

Here, the Role tier is displayed. Clicking a Role label (such as Role: WebServer in the
above figure) lists the assets matching that role at the right of the screen. Note that all three
label tiers, Environment, Application, Role, are displayed as concentric circles.

Displaying Connection Information


Similar to displaying information on assets, you can click any of the arrows on the map (on
any tier) and display detailed information about the flows:

From Release 36 and above, clicking a policy rule under Policy Rules displays the rule on
the Policy Rules screen:

Filtering the Map
There are many ways to filter a Reveal map to quickly access the information that you need.

Filtering the Map Using the Filter Button

The Filter button at the top of the map provides a comprehensive list of filter options:

Selecting multiple options enables you to filter the map according to more exact
specifications.

Filtering According to Policy

When you select Policy from the list of filter options, additional options are displayed at the
top right of the list:

You can then fine-tune the policy filter according to the type of policy that you want to
filter by: "Allowed By", "Alerted By", "Blocked By", or "No Matching Policy".

Right-click a Connection to Filter by Source and Destination


If you right-click a flow line, you can filter the map to display only that flow and its source and
destination.

For example, right-clicking this flow:

results in this display:

Clicking the Filter button at the top of the screen enables you to clear the filter and
display all assets and flows again.

Filter Options for a Selected Item


Right-clicking an item on the map displays a menu that contains options for filtering the map
by the item as well as options for filtering according to connections from the item, and to the
item.

Note: Filter options are available for named items only. They are unavailable for items that
are marked "unknown".

Displaying Flows Table View


By clicking the Show flows table view button on the toolbar at the bottom of the map, a
table appears that lists all of the flows on the map, displaying their source, destination,
destination port, and number of flows that occurred between the source and destination
within the time period covered by the map:

Displaying Asset Processes
For a quick way of displaying the processes of all the assets shown on the map, click the
Show processes for visible assets button on the toolbar at the bottom of the screen:

Selecting a process displays information on the process in the pane at the right:

Note: The user who initiated the process is also displayed under Username.

Creating Flow Policies from Reveal Maps
You can create flow policies directly from Reveal maps by clicking the Edit Policy button
at the lower left of the map. The map displays the Policy Editor overlay map and a
panel on the right like this:

The Policy map shows assets and flows similar to the Reveal map but with some changes to
the color scheme for flows:

Grey arrows indicate successful flows not covered by any policy.

Green arrows indicate allowed flows. These may include, for example, those initiated by
authorized users.

Orange arrows indicate flows that violate an Alert policy.

Red arrows indicate flows that violate the current Block policy. In historical maps, solid red
arrows indicate the flows that would have been blocked due to the current Block policy.

You can now right-click any flow line on the map to whitelist the flow by selecting Add Allow
Rules:

The new rule now appears under the Allow section of the Policy Editor on the right:

Flows affected by the Allow rule now appear Green.

Creating an Allow rule for individual IPs/Assets and Subnets


You can right-click a flow line to create an Allow rule for individual IPs/Assets and Subnets:

To formulate other rules such as Alert, Block, etc. click the +Add Rule button of the type of
rule that you want to formulate and fill in the fields (Source, Destination and Ports):

For a full discussion of the fields and how to formulate policies see the Policy Guide.

Building a Micro-Segmentation Policy


Once you are content with your application segmentation policy, you might want to internally
segment your applications by limiting traffic between your application's workloads. This helps
in establishing a zero trust strategy to secure east-west traffic within the data center. In
Centra, building a micro-segmentation policy is easy to do and is similar to building an
application segmentation policy.

On the Reveal map:

1. Right-click the application for which you want to create the micro-segmentation policy
and select Filter by this item.

2. Right-click the application again and select Edit Policy. The Policy Editor wizard
opens.

3. Right-click the application again and select Create Micro Segmentation Policy.

The Allow rule which previously allowed all intra-application traffic is automatically
moved to the Alert rules section, alerting on any traffic between the application's
workloads.

Any policy-violating flows appear red on the map, if they were not yet whitelisted.

4. The next step is to whitelist the flows that you want to allow between your application
tiers. To whitelist a flow from the Reveal map, right-click any (red) flow of your
choice. You should whitelist flows between the different tiers inside the application
node.

5. Finally, as in building the segmentation policy, after a period of monitoring the micro-
segmentation policy and revising it based on policy violation alerts, it is time to start
blocking violating intra-application traffic. To do this, move the intra-app Alert rule to
the blocking section and publish your policy.

Saved Maps
Overview
The Saved Maps page (Reveal/Saved Maps) allows users to create, save and revisit Reveal
maps of their choice, as well as view maps that are automatically generated by Centra at
predetermined intervals:

These may include maps of specific applications, entire data centers, a specific asset, or any
other combination of filters (ports, IP addresses and more). Users can save commonly used
maps and easily collaborate with other users by sharing named maps. Saving maps reduces
manual work and accelerates micro-segmentation policy creation, forensic analysis and
incident response activities. Performance is also significantly improved when exploring maps
on huge databases.

Scheduled Daily/Hourly Maps


Reveal can be configured to automatically generate and display the map of the last complete
hour or day. The administrator can configure the frequency of automatic map generation
(hourly or daily) in System/Configuration/Scheduled Maps. After configuration, clicking
Explore from the Reveal menu displays the map of the last complete hour or the daily map,
by default. The last three maps are stored in the quick map selector as well as the Saved
Maps page.

Centra's daily indices significantly accelerate map creation. To allow faster generation of
maps, Centra also rounds the map start/end times. This means that Centra provides the
requested time for the map plus some more time before and after. Users can choose to view
accurate times by clicking Accurate connection times in the Create New Map screen.

Note: Choosing Accurate connection times will result in longer build times.

In addition to the interval for map generation, the administrator can configure the time of map
generation, the number of maps to store, process inclusion, and the maximal size of the
map.

Default Map Display


At the top of the map are buttons that enable you to change the display of the map. You can
choose whether to display the map's assets as Grouped or Ungrouped. The Ungrouped
option displays assets by name. If there are many assets, this can result in a very
complicated map. To simplify the map, it is recommended to select the Default Grouping
option. When you select this option, the map displays assets/servers that have been labeled
with the default labeling hierarchy specified by the administrator in
System/Configuration/Reveal.

By using a labeling hierarchy, you can considerably simplify the map. For example, by
applying a labeling hierarchy such as Environment, Application, and Role, you can create a
map that hides or reveals information with the click of a button. Successively double-clicking
an asset on the map opens its three tiers:

You can easily create such a hierarchy in Centra by simply creating three labels that have a
hierarchical relationship to each other and successively labeling each asset with these.

Default settings for hourly or daily maps such as time of map generation and number of
maps to store, can be configured by the Administrator in the Scheduled maps tab in the
System/Configuration screen accessible from the Administration panel.

All maps (both hourly/daily and user-generated) are stored on the Saved maps page where
you can search, share, and delete maps at any time.

In addition to recurring daily or hourly maps, you can always create custom maps with
customized time ranges, network level or process level maps, with specified exact
connection times, and other options you can choose from. See Saved Maps.

Note: Daily scheduled maps will always start and end at midnight UTC. Setting the map for a
specific start time just refers to when it will be created, not to the actual start and end times
that it will cover. Regardless of the time for which the map is scheduled, the actual map start
and end times will be midnight UTC (of the previous day).

By using Saved Maps, users can accelerate everyday activities:

• Micro-segmentation policy creation is facilitated by saving a specific application's
map across a long time period and reusing it during the process.

• For incident response and forensic analysis, users can create maps of the affected
assets and share them with various teams in the organization.

• To address compliance and audit requirements, users can generate and share maps
of sensitive environments to whitelist their incoming and outgoing flows.

Create a New Reveal Map


Saved Maps enables you to create a map of a specific application, entire data center, a
specific asset, or any other combination of filters (ports, IPs, and more).

To create a Reveal map:

1. From Reveal, select Saved Maps and click +Create New Map. The Create new
map screen opens:

2. Build your desired map by specifying the following:

Name: The name of the map.

Time Range: The date and time range that the map covers. In addition to a list of standard
ranges such as "last 24 hours" or "last 7 days", you can also select "Custom" and specify
exact start and stop times. Maps with exact time ranges take longer to build and require
selecting the Exact Connection Times checkbox under Features.

Filter: You can select Unfiltered to see all assets, or select a filter based on applications,
ports, IP, and other types of criteria.

Features:
Exact Connection Times - Enables viewing and filtering by flow times.
Connection Occurrences Count - Include occurrences count for connections on the map.
Highlight Incidence Flows - Highlight flows involving incidents on the resulting map.

View Permissions: Specify who can view the map (public, or administrators only).

3. Click Create. The map is added to the list of maps.

4. If you are satisfied with the map, click Save Current map layout .

Note: You can further filter the map at any time by clicking the button.

Policy Rules
Centra enables you to create new policies using the following six rules:

Override Allow: These rules take precedence over any other rule, both override and all other
rules.

Override Alert: These rules take precedence over any Override Block and other rules.

Override Block: These rules take precedence over any Allow/Alert/Block rules.

EXAMPLE: Block all outgoing traffic from database servers to the Internet.

Allow Rules: These rules are used to build a whitelist of allowed flows. Traffic matched by
these rules will be explicitly allowed. Allow rules take precedence over Alert and Block rules.

EXAMPLE: Allow Tomcat to MongoDB traffic between App Servers and Database Servers.

Alert Rules: These rules are used to build a monitoring segmentation policy. Traffic matched
by these rules will be allowed, but will trigger a "Policy Violation" incident. Alert rules take
precedence over Block rules.

EXAMPLE: Alert on any incoming traffic to Database VMs (that did not match any Allow rule).

Block Rules: These rules are used to build an enforcement policy. Traffic matched by these
rules will be blocked; if the action is "block and alert", a "Policy Violation" incident will also
be triggered.

EXAMPLE: Block any incoming traffic to PCI Servers (that did not match any Allow or Alert
rule).

Matching order
Each flow is inspected and evaluated in the following order:

Instructions as to how to use Centra's Policy Rules screen are provided in the Policy Rules
screen and Rule Fields sections.
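The precedence the rule table describes, modelled in Python as an added example that is not Centra's own code; the assets, labels, rules and the "Internet" pseudo-label are constructed for illustration, and the order in which the sections are tried is inferred from the precedence statements in the table.

```python
# Added example (not Centra's own code): a minimal model of the matching order
# implied by the rule table, applied to constructed sample rules and flows.
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Sections in evaluation order, highest precedence first: each section takes
# precedence over every section listed after it, and the first section with a
# matching rule decides the outcome.
SECTION_ORDER = ("override_allow", "override_alert", "override_block",
                 "allow", "alert", "block")


@dataclass(frozen=True)
class Asset:
    name: str
    labels: FrozenSet[str]  # e.g. {"Role: DB Server", "Zone: PCI"}


@dataclass(frozen=True)
class Rule:
    section: str
    source: str                          # a label, or "any"
    destination: str                     # a label, or "any"
    ports: FrozenSet[int] = frozenset()  # empty means any destination port
    block_and_alert: bool = False        # block section only


@dataclass(frozen=True)
class Flow:
    source: Asset
    destination: Asset
    port: int


@dataclass(frozen=True)
class Verdict:
    action: str             # "allowed" or "blocked"
    incident: bool          # True when a "Policy Violation" incident is raised
    section: Optional[str]  # matching section, or None for a grey (unmatched) flow


def side_matches(selector, asset):
    return selector == "any" or selector in asset.labels


def rule_matches(rule, flow):
    return (side_matches(rule.source, flow.source)
            and side_matches(rule.destination, flow.destination)
            and (not rule.ports or flow.port in rule.ports))


def evaluate(flow, rules):
    """Inspect one flow against the rule sections in precedence order."""
    for section in SECTION_ORDER:
        for rule in rules:
            if rule.section == section and rule_matches(rule, flow):
                if section in ("override_allow", "allow"):
                    return Verdict("allowed", False, section)
                if section in ("override_alert", "alert"):
                    # Alert rules let the traffic through but raise an incident.
                    return Verdict("allowed", True, section)
                # Block rules raise an incident only for "block and alert".
                return Verdict("blocked", rule.block_and_alert, section)
    # No rule matched: the flow is implicitly allowed (grey on the map).
    return Verdict("allowed", False, None)


# Constructed sample assets; labels use the manual's "Key: Value" form.
APP = Asset("app-01", frozenset({"Role: App Server"}))
DB = Asset("db-01", frozenset({"Role: DB Server"}))
PCI = Asset("pci-01", frozenset({"Zone: PCI", "Role: Payment Server"}))
SCANNER = Asset("scan-01", frozenset({"Role: Vulnerability Scanner"}))
INTERNET = Asset("internet", frozenset({"Internet"}))  # assumed pseudo-label

# Constructed sample policy mirroring the table's examples.
SAMPLE_RULES = (
    Rule("override_allow", "Role: Vulnerability Scanner", "any"),
    Rule("override_block", "Role: DB Server", "Internet"),
    Rule("allow", "Role: App Server", "Role: DB Server", frozenset({27017})),
    Rule("alert", "any", "Role: DB Server"),
    Rule("block", "any", "Zone: PCI", block_and_alert=True),
)

SAMPLE_FLOWS = {
    "tomcat_to_mongo": Flow(APP, DB, 27017),      # Allow rule matches
    "ssh_to_db": Flow(APP, DB, 22),               # no Allow match; Alert catches it
    "db_to_internet": Flow(DB, INTERNET, 443),    # Override Block wins
    "scanner_to_pci": Flow(SCANNER, PCI, 443),    # Override Allow beats the Block rule
    "app_to_pci": Flow(APP, PCI, 8443),           # block and alert
    "internet_to_app": Flow(INTERNET, APP, 443),  # no matching policy (grey)
}


def sample_verdicts(rules=SAMPLE_RULES, flows=SAMPLE_FLOWS):
    """Evaluate every sample flow; returns {name: (action, incident, section)}."""
    out = {}
    for name, flow in flows.items():
        verdict = evaluate(flow, rules)
        out[name] = (verdict.action, verdict.incident, verdict.section)
    return out


if __name__ == "__main__":
    for name, result in sample_verdicts().items():
        print(f"{name:18} {result}")
```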

Policy Learning Mode
Centra's Policy Learning mode combines extraordinary visibility into your network's assets
and flows, together with machine learning to suggest rules for handling policy violations and
flows that were alerted or blocked by the current policy. Policy Learning mode makes dealing
with policy violations quick and efficient. The latest Learning Mode features in Centra V37
include the following:

Policy Suggestions Tab in the Reveal Map Policy Editor Overlay
Policy Learning Mode is part of the Reveal map’s Policy Editor Overlay. To more easily
locate violating flows, you can first click the Review Violations button
on the Project Rules map:

This takes you to the Reveal map’s Policy Editing Overlay with the Policy Suggestions tab
displayed:

Alternatively, you can use filters such as Connection Types: Violated Segmentation
Policy directly from the Reveal map.

The Policy Editor Overlay on the Reveal map (Reveal/Explore) displays a pane with three
tabs: Policy Suggestions, Policy Rules, Dismissed Suggestions.

The Policy Suggestions tab displays a list of suggested Allow rules for connections that
violated the policy (i.e. were alerted or blocked) at the time the connection occurred. If no
Allow rules are applied to these flows today, these connections may continue to cause
violations in the policy.

The list of suggested Allow rules corresponds to flows that have violated Alert (orange) or
Block (red) policies on the Overlay map. Clicking a suggested rule displayed on the tab
highlights the flow on the Overlay map. There are no suggestions for flows that are implicitly
allowed (Gray flows). For rules for which there are no suggestions, a message is displayed:

Note: If a flow is Gray in the current draft policy, but violated a policy when it was created,
Centra may still suggest an Allow rule for the flow.

For each rule, the Source, Destination, and Port are displayed, as well as the Ruleset to
which the rule is assigned, and a Decision field. To accept or reject all of the suggested
rules, click the Allow All Pending or Dismiss All Pending buttons at the top of the display.

Note: a suggested rule becomes part of your draft policy if you select Allow in the rule’s
Decision column. The Allow rule is, however, just part of your draft policy and, like other rules
in your draft, will not be implemented until you choose to publish your policy in the Rules
screen, or in the Project Rules screen.

Creating or Dismissing Individual Rules


You can create or dismiss individual rules. When hovering over the Decision field the
following is displayed:

To create an Allow rule from the suggested rule, click Allow; the following is displayed:

To create an Allow rule with the same specifications as the suggested rule, click Allow.

To create an Allow rule with modified settings, click Custom Rule to display the Add Custom
Rule dialog box:

To modify the Source, Destination, Ports, or Ruleset parameters, click in the field to display
the Policy Rules tabs:

Click the desired tabs to modify the parameters. When you are satisfied with the parameters,
click the Add Rule button.

After creating an Allow rule, the rule will show up as a Green flow on the Reveal map and
will be added to the rules displayed on the Policy Rules tab.

To dismiss a suggested policy rule, click Dismiss; the rule will be displayed on the Dismissed
Suggestions tab.

Viewing More Information for a Suggested Rule
To display more detailed information for a suggested rule, hover over the rule and click the +
button next to the rule:

The Network Log screen is displayed where you can view more detailed information on your
Network’s traffic along with information about the matching rule:

Policy Rules Tab


The Policy rules tab displays lists of rules most recently created, including the Allow rules
from those that were created from the Policy Suggestion tab. Hovering over a rule displays a
bar with buttons enabling you to move the rule to another category (i.e. you can move an
Allow rule to an Alert rule, a Block rule to an Alert rule, etc.), copy the rule, disable it, or
delete it:

You can also modify a rule by clicking in the field that you want to modify (for example
Source or Destination); the tabs of the Policy Rules screen appear enabling you to modify
the rule:

You can filter the Policy Rules tab using the Ruleset button at the top of the tab.

Dismissed Rules Tab
This tab displays the rules that you dismissed on the Policy Suggestion tab. You can also
select the Include Dismissed of all Maps checkbox to display a list of rules dismissed from
other maps.

Policy
The screens under the Policy section enable you to leverage Guardicore’s new AI Powered
Segmentation feature. The feature revolutionizes the process of segmenting your system
and greatly reduces the time and effort it requires to design and implement an effective
security policy. A new Projects screen automatically saves the policies that you create in the
Create Policy screens so that you can return and continue to refine, manage, and review
them.

The Policy section includes the following screens:

Create Policy: Enables you to create security policies by choosing templates for securing
well known applications such as the Active Directory, as well as for performing specific
tasks such as ring fencing an application.

Projects: Enables you to access and continue work on projects that you saved in the Create
Policy screen.

Rules: The Rules screen enables you to create, modify, and manage segmentation rules.

Revisions: Lists all of the Policy revisions and enables you to revert to a particular
revision.

Label Groups: Label Groups allow you to collect several labels under a common name and
use it in a rule's Source and Destination fields, making your policy easier to maintain and
more efficient.

User Groups: Enables defining policy action based on a user's identity, not just a process,
label, or other asset information. Identity rules provide the ability to allow connections
based on the user creating the connection.

Create Policy
The Create Policy screen displays a page of templates that represent security goals that you
want to achieve. Clicking a template walks you through a wizard that enables you to choose
the configuration of items (assets, labels, processes, etc.) appropriate to achieving your
security goals. With just a few clicks, the wizard generates a complete list of rules required
for your policy and displays the result graphically on an accompanying Reveal map. You can
then further refine the policy in the Segmentation Rules screen or return later to the Projects
screen where your policy can be reopened for further revision.

Templates
Centra’s policy templates consist of two types:

Templates that Generate Policies for Known Applications

This includes templates for securing applications such as the Active Directory. These
templates are based on Guardicore’s extensive research into the way these applications are
deployed and how to secure them. They appear with #template at the bottom of the icon.

Templates that Generate Policies for Securing Specified Applications

These templates achieve a particular security goal for a specific application. For example,
templates include ring fencing an application, or whitelisting outbound flows for an
application. They appear with #diy at the bottom of the template icon.

Creating Policies with the Create Policy Screen


The Create Policy screen enables you to create security policies with a few simple steps.
Here is a brief overview of the steps (each step is explained in detail in the following
sections):

Step 1 (optional but recommended): Specify an Application Label Key as explained below in
Step 1, so that the AI engine can identify and match applications to the required template.

Step 2: Select a Policy template that enables you to achieve your Security goal.

Step 3: Select the Assets to be secured. This involves continuing with the assets that
Guardicore’s AI recommends to secure, and/or selecting assets that you deem appropriate.

Step 4: Look over the rules that Centra’s AI powered segmentation engine has automatically
generated. Use the Reveal map to inspect the rules and make any changes.

In many cases it only takes a few clicks to go from step 1 to a full security policy in step 4.
The following sections provide detailed instructions for each step.

Step 1: Configure an Application Label Key (Recommended)


To take full advantage of Centra's AI powered segmentation, it is recommended that you first
define an application label key so that Centra can identify applications and provide
suggestions as to which should be secured.

To configure an application label key:

1. In the Administration screen access System/Configuration/Reveal:

2. In the Application Label Key field, type a key that will be used to identify applications.

Step 2: Select a Template to Achieve your Security Goal.


3. In Centra, click Policy/Create Policy to display the Create Policy screen:

This screen enables you to decide what security policy you want to produce. The Create
Policy screen displays a list of templates designed to provide the framework required to
create an effective security policy. Some templates may appear with a Recommended logo,
which means that Centra has analyzed your system and recommends that you use this
template to secure your system. Of course, you can decide to use another template that
suits your needs.

The top rows display templates designed to secure well known applications such as
Microsoft’s Active Directory or Sharepoint. Guardicore’s AI has analyzed applications such
as these and their traffic flows, and provides the best way of securing them on your system.

The rest of the screen displays templates for achieving specific security tasks such as ring
fencing or tier segmentation of specific applications. Guardicore’s AI analyzes the
organization’s traffic flows and provides policy recommendations based on the analyzed
traffic and selected use case.

NOTE: You can request additional templates customized to your security needs by
contacting Guardicore Customer Success.

4. Clicking a template displays a screen that enables you to choose the assets to which
you want to apply the policy. Clicking on the displayed asset type (for example DNS
server) displays two tabs: AI suggested labels, and Labels existing in your system:

Note that on the Labels Suggestion tab, in addition to selecting a label, you can
rename the auto suggested AI label to any naming convention of your choice by
typing in the Create the label boxes:

The screen varies depending on the policy template that you selected. For example,
if you selected Active Directory Segmentation Policies the following screen appears:

In the above template, the assets to be secured are Active Directory Servers.

Note: You can send the list of suggested assets (or IPs) to a CSV by clicking the
CSV button that appears near the list.

Step 3: Select the Assets to be secured.
5. Click the underlined link to display the required Assets to secure. For example, when
you click the Active Directory Servers, a screen like the following is displayed:

In the above example, the labels of the possible assets for achieving your security
goal are displayed. The screen above displays a tab that lists labels that you have
created. Depending on the template, several tabs are displayed consisting of the
following:

Use a Guardicore AI suggested label: Guardicore's AI can auto-classify assets that belong to
specific applications and label them as part of the process. For example, when choosing the
Policy Template: Secure Active Directory, Guardicore auto-classifies servers that act as
active-directory servers and matches them to the template.

Use an auto-suggested label from a prioritized list of your existing application labels:
Guardicore's AI can auto-suggest the next application to secure from your existing
application labels. Guardicore prioritizes the list of application labels that you have already
created for your system so that you see the most appropriate labels for your task at the top
of the list.

Important: Make sure to first configure an application label key in the Administration screen
(System/Configuration/Reveal).

Use any of your existing labels: This is a list of all the labels in the system as in the above
example.

Some templates first present a list of labels and then present further choices after
you select from the list. This is sometimes achieved through selecting Tweaks as in
the following:

For example, after selecting the within Environment tweak, the screen presents a
link that enables you to select labels that specify Environment:

6. If desired, click Advanced Options for controlling the way processes and flows are
included.

Include processes: Include process details in the auto-suggested policy rules.

Ignore all existing allowed flows: Click this option to exclude flows that are already allowed
by the policy from the auto-suggested policy rules.

Include rules by individual IPs and Assets: This option creates rules for unlabeled assets
and IPs by individual IPs and Assets. Deselecting this option will result in rules generated
by subnets.

Set a custom time range: Override the template default of the latest scheduled map. Clicking
this option enables you to set a time range:

7. When you are finished making your selections in the various tabs, click Next to
display the Project Rules screen:

Note: Templates for specific applications may require time to generate the resulting map.

Users may exit the Rules screen for the project and access the project (rules and map) from
the Project screen at a later time.

This screen auto-suggests rules required to effectively implement the policy based on your
choices of Policy template and labeled assets, and auto creates the relevant Reveal map to
show all relevant traffic related to the suggested policy. Rules are displayed on the Reveal
map in a policy overlay to visualize the effect they will have on your real traffic.

Note: If the generated rules and map do not match your expectations, you can click the
button at the bottom of the screen to return to the previous step, change
your selections, and regenerate the policy.

Step 4: Refine the Policy


8. Use the Project Rules screen to refine your policy. You can modify Source,
Destination, and Ports/Protocols directly on the screen. Clicking the Extended Rules
button displays more columns whose values you can revise. Clicking the Modify
button at the left of a rule displays a menu of operations that you can perform on the
rule:

You can create additional rules by clicking the Add New Rule button and choosing
the type of rule to add.

A series of filters at the top of the screen enables you to locate particular rules by
Section (i.e. the type of rule), Source, Destination, and Any Side (whether source or
destination). Clicking More Filters displays Action (Allow or Alert), and State filters.

9. If you want to make more in-depth revisions, click the Explore button at the top right
corner of the screen; this displays your policy in the Explore screen where you can
click the Edit Policy button to revise the policy rules graphically on
the Reveal map overlay.

10. After revising the policy rules, click to publish your policy.

Note: If you do not publish your policy, it will still be saved to the Projects screen as a Draft
where you can open it later and continue to revise it.

Label Groups
Users can define and use Label Groups in their segmentation policy. Label Groups allow you
to collect several labels under a common name and use it in a rule's Source and Destination
fields, making your policy easier to maintain and more efficient. Defined separately from
Labels, Label Groups can be used in micro-segmentation rules as the rule’s source or
destination. Only a single label group can be used as a rule's source or destination.

Exclude Assets from a Label Group


When you define a Label Group you can also exclude specific assets that belong to a label,
allowing you to build rules which apply exactly to the assets you want. For example, you can
define a new "Non Development" label group which includes multiple labels, "Zone:
Production" and "Zone: DMZ", and excludes "Role: DevTester" machines. Then you can
create a rule which prevents assets in "Zone: Development" from communicating with assets
in the "Non Development" label group. Within the Reveal UI, you can filter by label groups
but cannot use them for grouping.

Create a Label Group


1. Under Policy, select Label Groups:

The Label Groups screen appears:

2. Click +Add Label Group to display the following:

3. Click in the Group Name field and enter a key and value, e.g. Zone:Development.

4. Click in the Label field and select labels to be included in the Label Group.

The Matching Assets field displays all the assets included in the selected Label Group.
Optionally, you can display the first ten assets.

5. Click and, at the top of the screen, click the Publish Changes button.

Use Label Groups in Policy


Label Groups can be used in segmentation rules as the rule’s source or destination. Only
one label group is allowed at a time for a rule source or destination.

Label Groups are Part of Policy Revisions


Label Groups are part of policy revisions. This means that you need to click Publish
Changes for the new label group to go into effect. You will be able to publish label group
changes or both label group and policy changes. Reverting policies reverts label groups as
well.

Policy Rules Screen
The Policy Rules screen enables you to create and modify segmentation rules, as well as to
manage the rules:

The screen displays a list of segmentation rules and a series of columns with information
about each rule. The Section column indicates the type of rule (Allow, Alert, Block, Override);
the other columns such as source and destination, port, etc. are explained in Rule Fields.

Policy Rules Screen Columns

Column | Description
Section | The rules section to which the rule belongs: Allow, Alert, Block, etc.
Source | The entity that initiates the flow (asset, process, IP, etc.).
Destination | The destination of the flow (asset, process, IP, etc.).
Ports/Protocols | The ports of the flow's destination.
Action | The type of rule: Allow, Alert, Block, etc.
Ruleset | The group of rules to which the rule belongs.
Hits | Records the number of times the rule was activated. The column displays "hits" in the following units: 0, 1-1K, 1K-10K, 10K-100K, 100K and more. Hovering over the number displays the exact number of hits.
Enabled | Whether or not the rule is active.
Changed/Unchanged | This column indicates whether the rule has been changed.

Additional columns can be displayed by clicking the Extended info button at the top right
of the screen:

Column | Description
Author | The user who created the rule.
Comments | Any comments pertaining to the rule.
Created | The time and date when the rule was created.
Modified | The last time and date when the rule was modified.
ID | The rule ID for identifying the rule.

Creating Policy Rules


When you create rules from the Segmentation Rules screen you need to manually populate
several fields. All rule types - Override rules, Allow, Alert, Block - share the same structure.

1. From the Policy Rules page, click + Add new rule and select the type of rule that
you want to create from the rule section list (Override Allow, Override Alert, Override
Block, Allow, Alert, Block).

2. Start populating the Rule fields by clicking in each field and selecting options (details
on each field are provided in the Rule Fields page):

Note: Source, Destination, and Ports/Protocols are required fields.

Rule Operators

There are several operations that can be applied to a rule by clicking the small arrowhead
icon at the left of the rule:

For example, the following options are available (the ↪ Move to ... section option varies, as
explained below):

Icon/Operation | What it does
Disable / Enable | Click to disable or enable a rule. Note: You still have to publish a disabled/enabled rule to make it go live.
Delete | Removes the rule from the Policy.
Duplicate | Click to duplicate a rule.
↪ Move to ... section | Moves the rule to another rule section. The available options depend on the current section in which the rule resides. The following are available:

Current Section | Available Section to which to Move
Override Allow | Allow
Allow | Override Allow
Allow | Alert
Override Alert | Alert
Alert | Override Alert
Alert | Allow
Alert | Block
Override Block | Block
Block | Alert

↺ Revert | Click to revert to the pre-modified state, e.g., if you performed several modifications such as moving an Allow rule to Alert and then disabling it, the Revert option will both restore the rule to the Allow section and enable it.
Reset Hit Counter | Resets the Hit counter for the rule.

Filtering the List of Rules
The top of the Segmentation screen displays a wide range of filters that enable you to easily
locate rules. Filters are important for more than finding rules; they also enable you to filter a
subset of rules for performing Bulk Operations as explained in the next section.

When fully expanded, the filter section looks like this:

Filter | Explanation
Section | Type of rule: Override rules, Allow, Alert, Block
Source | The source of the rule according to Label Group, Label, Asset, Application, Subnet, User Group, Internet IP, or Any.
Destination | The destination of the rule according to Label Group, Label, Asset, Application, Subnet, Domain, Internet IP, or Any.
Any Side | The source and destination of the rule according to Label Group, Label, Asset, Application, Subnet, User Group, Domain, Internet IP, or Any.
Ruleset | Name of a ruleset whose rules you want to display.
Ports/Protocols | Has any of the following: TCP, UDP ports, ICMP type/code. Separate entries with commas.
Action | Allow, Alert, Block, Block and Alert
Hits | Enables users to filter rules according to their usage. The filter uses the same calibration units as the Hits column.
is enabled | Lets you filter for rules that are enabled/disabled: True, False
State | State: Modified, Created, or Unchanged.
Author | The author of the rule.
Scope | The rule's scope as defined in User Management Permission Schemes.
Rule ID | Filters rules according to the rule ID.
Created | Date and time when the rule was created.

After selecting the filter criteria, click Apply to activate the filters. You can select multiple
filters until you display a specific list of rules. To cancel the filters, click Clear.

Bulk Operations
You can perform bulk operations on multiple rules by first filtering the rules to obtain those
on which you want to perform the bulk operation, then selecting the Bulk operations button
at the top of the screen and choosing an option:

Bulk operations allow you to Enable, Disable, or Delete a list of rules, Reset Hit Counters for
multiple rules, as well as to either clone or move the rules to a Ruleset. Moving rules to a
Ruleset enables you to organize rules more efficiently and to later filter the rules according
to their ruleset and perform further bulk operations on them. Two additional options, Remove
Processes and Replace Label, enable you to quickly revise a list of rules.

Using the Hit Counter to Reformulate Policy Rules


Centra's Rule Hit Counter displays the number of times a rule is applied. This enables you to
evaluate the efficacy of your rules and revise your policy. For example, you may want to
eliminate rules that have limited or no usage, or revise them so that they are more effective.
Keeping track of the number of times a rule is used is an important tool for creating effective
policies that reflect the changes to your system.

The Policy screen displays a Hits column for every rule that records the number of times the
rule was activated. The column displays “hits” in the following units:

0, 1-1K, 1k-10K, 10k-100K, 100K and more.

The bar appearing next to the number of hits provides a graphic description of the number:

Hovering over the hit number displays a notification of the exact number of hits as well as
when the hit counter was last reset:

Filtering the Rules According to Hits

A Hits filter is available enabling users to filter rules according to their usage. The filter uses
the same calibration units as the Hits column.

Resetting the Hit Counter

Users can reset the Hit counter for a particular rule by selecting the menu button at the left of
the rule and clicking the Reset Hit Counter option:

It is also possible to reset the Hit counter for all the rules listed on the Rules screen by
clicking the Bulk button and choosing Reset Hit Counter:

You can also reset the counter for particular sets of rules by using the filters to display a set
of rules according to the filter criteria and then using the Bulk operations button on the
displayed rules. Users can also reset the hit counter when back-porting to an older policy
revision.

Role Based Access


The ability to reset the Hit counter is enabled per user through Role Based Access. Users
with permissions to Publish changes can reset the hit counter. Users can only see the hit
counter of the rules in their scope.

Counters are global, i.e. if a user has permissions to reset the counter, it is reset for all
users.

NOTE: The Hit counter is updated according to Agent verdict, not according to the verdict of
Management. Therefore, if two Agents report the same hit, the rule Hit counter will increment
by +2.

Projects Screen

After you choose the labels/assets on the Create Policy screen, the Projects screen stores
your policy, enabling you to later revise it:

Policies are characterized in the State column by one of the following States:

Generating (for policies not yet completed by Centra’s AI generation)

Draft

Published Alert (the policy is based on “Alert”)

Published Block (the policy is based on “Block”)

Other screen columns include the following:

Column | Description
Project Goal | The name of the project that was created in the Create Policy screen.
Target | The assets (labels) that are protected by the policy.
Ruleset | The ruleset that contains the policy rules.
Assets | The number of assets covered by the policy.
Rules | The number of rules that make up the policy.
Violations | The number of violations that occurred since the policy was implemented.
Author | The author of the policy.
Created | The date on which the policy was created.
Last Updated | The date of the last update of the policy.
Clicking on an item in the Project Goal column (the name of the policy) displays the Project
Rules screen that lists all of the project’s rules like this:

The screen may also display a Reveal map to the right of the list.

Revisions
The Revisions screen displays every change that has been made to the policy to keep track
of the policy life cycle. Policy revisions are saved indefinitely; you can revert to a previous
revision at any time. For example, you may want to do this in case a newly deployed policy
contains a mistake.

Note: Publish a revision every time you publish changes.

User Groups
User Groups enable defining policy action based on a user's identity, not just a process,
label, or other asset information. Identity rules provide the ability to allow connections based
on the user creating the connection. This enables creating more finely tuned rules that depend
on the users initiating a communication flow. For example, users that have been assigned to
a certain user group can be allowed to initiate communication to specified destinations while
users outside the group are blocked.

The feature enables you to whitelist groups whose users initiate communication flows to
specified destinations. Once you have created a User Group, you can use it directly from the
Policy Rules page when creating a policy.

Important Restrictions Regarding User Groups


The following restrictions apply to User Groups:

• A User Group can only be used as the source of a rule.

• The rule using the User Group as a source must be an Allow rule.

• The feature works only with a setup in which the source is a Centra Agent installed
on a Windows server.

• Important Note for SMB Rules: For SMB rules (when Destination is TCP port 445),
Centra behaves differently. See SMB Rules for details.

User Groups and the Microsoft Active Directory


User Groups in Centra correspond to directory groups that have been created within a
Microsoft Active Directory Domain Controller (AD DC). In creating the User Group, you
associate it with one or more groups created on the Active Directory Domain Controller.

[Figure: Active Directory Groups and Centra User Groups. Groups created in a Microsoft Active
Directory Domain can be associated with User Groups in Centra.]
Creating User Groups
Creating User Groups involves three steps:

1. Create groups on an Active Directory Domain Controller, or make sure that such
groups already exist. The members of each group should be users who have
particular security privileges (for example, the ability to initiate communication with
specified assets, servers, etc.).

2. Configure AD integration with Centra.

3. Add a new user group to Centra.

These steps are explained in the following sections.

Step 1: Create Groups on an Active Directory Domain Controller


You may either use the default AD groups that come with the Windows OS version that you
are using, or create new groups based on the security needs of your organization. For
example, you may have such groups as RnD, Sales, Finance, Devops, Marketing,
Management, etc.

For instructions on creating or configuring an AD group, see Create a Group in the Active
Directory.

Step 2: Configure AD Integration with Centra


This step involves adding AD orchestration with Centra so that you can associate the AD
groups with Centra User Groups.

To add AD orchestration to Centra:

1. In the Centra Administration menu, select Data Center/Orchestration, and click the
+ Add Orchestration button. The Add New Orchestration dialog box appears.

2. In the Add New Orchestration dialog box, for Type, select Active Directory:

The following fields are displayed:

3. Fill out the fields as described in the following table:

Field | Description
Name | The name that you want to use to identify the AD orchestration.
GC Cluster | The Guardicore Cluster that you want to use for the AD orchestration.
Domain Name | The domain name of the organization for which you are configuring the AD orchestration. This is the root domain of the entire AD tree hierarchy. For a detailed understanding of AD structure and domains see Active Directory Structure and Storage Technologies.
Login Username | The user logon name according to the userPrincipalName (UPN) format for the Active Directory as explained in User Naming Attributes. A UPN consists of a UPN prefix (the user account name) and a UPN suffix (a DNS domain name).
Login Password | The user logon password.
Base DN (optional) | The section of the directory where the application will commence searching for Users and Groups. For users to be found in an application, they must be located underneath the base DN. The Base DN speeds up the search for users.
Servers | The domains or IP addresses of the AD servers.
Use SSL | Select to use SSL for the orchestration. To use this mode, make sure that Active Directory Certificate Services are enabled or use Insecure mode.

4. Click Test Connection and if the connection is successful, click Save.

Step 3: Add a New User Group to Centra


To add a new user group to Centra:

5. In the Centra User menu, select Policy/User Groups and click the +Add User Group
button. The Add New User Group dialog box appears:

6. In the New User Group dialog box, type a title for the User Group and click the +Add
button to display a list of groups created on the AD DC.
The Active Directory user groups that are displayed depend on the AD permissions
of the user accessing the Active Directory. By default the pane displays only a
sample of Active Directory groups; more Active Directory groups can be found by
searching.

7. Select one or more groups and click Save. The new User Group now appears in the
list on the User Groups page like this:

Including a User Group in an Allow Rule
You can include a User Group as a source for an Allow or Override Allow rule. This restricts
the Allow rule to communication flows initiated from a specific group of users. Follow these
instructions:

1. Select Policy/Rules and click +Add New Rule.

2. From the list of rules, select Allow Rule, or Override Allow Rule.

3. In the Source field for the new rule, select Label, Asset, or Subnet and click Apply:

Your selection appears in the Source field together with an Any button:

4. After your selection appears in the Source field, select the Any button to
display additional tabs, and select the User Group tab:

5. On the User Group tab displaying User Groups, select the User Group whose
members you want to specify as the Source for the flow covered by the rule, and
click Apply.

Note: Two User Groups appear in the list by default: Local Users and Local
Administrators. If these groups are selected for the rule, connections matching the
rule made by a local non-domain user or administrator are allowed.

6. Continue to specify other parameters for the Rule such as Destination, Port/Protocol,
etc. as you would any other rule.

Filtering the Network Log by User Identity


You can filter the results of the Network log by individual user, using the tab in the
Source filter:

Filtering the Reveal Map by User
You can filter the flows on a Reveal map by user (username) by using the Process Users
filter:

Special Behavior for SMB Rules and Connections
SMB rules and connections are handled differently and affect Centra’s behavior with regard
to user identity and policy.

How Windows Handles SMB Connections and its Effect on User Identity
When an SMB connection is made, Windows uses a system service to make the connection,
instead of the process that requested the connection. The connection shows up as having
been made by the System process and System user. As a result, Centra cannot know which
process made the connection or which user initiated it.

How Centra Handles SMB Connections and its Effect on Policy
When an SMB connection is made, the Enforcement module checks which users are
currently logged on (via Remote Desktop or a physical console). Any SMB Allow rule
matching one of these users is considered an Allow rule for this connection. If there is no
such matching rule, the connection is blocked.
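The evaluation described above means an SMB connection is judged by who is logged on to the source host, not by who requested it. The following Python model, added here as an illustration rather than Centra's enforcement code (user names, group membership and the rule layout are constructed), makes that visible so you can reason about which identity rules actually gate port 445:

```python
# Added example: a model of how User Group (identity) rules are evaluated,
# including the SMB special case. Illustrative code only, not Centra's
# enforcement module; users, groups and rules are constructed.
from dataclasses import dataclass

SMB_PORT = 445
SYSTEM_USER = "SYSTEM"  # what Windows attributes an SMB connection to


@dataclass(frozen=True)
class Rule:
    section: str     # "Allow", "Override Allow", "Alert" or "Block"
    user_group: str  # the User Group set as the rule's source
    dest_port: int


@dataclass(frozen=True)
class Connection:
    src_user: str               # user the connection is attributed to
    dest_port: int
    logged_on_users: frozenset  # users logged on via RDP or the console


def validate_rule(rule):
    """A User Group may only be the source of an Allow / Override Allow rule."""
    if rule.section not in ("Allow", "Override Allow"):
        raise ValueError(f"User Group rules must be Allow rules, got {rule.section}")
    return True


def rule_matches(rule, conn, membership):
    """True if the rule's User Group covers this connection."""
    if rule.dest_port != conn.dest_port:
        return False
    members = membership.get(rule.user_group, frozenset())
    if conn.dest_port == SMB_PORT:
        # SMB: the connecting user is SYSTEM, so the rule matches if ANY
        # currently logged-on user belongs to the rule's User Group.
        return bool(members & conn.logged_on_users)
    return conn.src_user in members


def verdict(conn, rules, membership):
    """'allow' if an identity Allow rule matches; otherwise 'block' (the model's
    assumption for non-SMB flows, and the documented behaviour for SMB)."""
    for rule in rules:
        validate_rule(rule)
        if rule_matches(rule, conn, membership):
            return "allow"
    return "block"


# Constructed AD group membership and identity rules.
MEMBERSHIP = {"Finance": frozenset({"alice", "carol"}), "RnD": frozenset({"bob"})}
RULES = (
    Rule("Allow", "Finance", 3389),      # Finance users may open RDP
    Rule("Allow", "Finance", SMB_PORT),  # Finance users may open SMB
)


def rdp_from(user):
    """Verdict for an RDP connection initiated by `user` on a host where only they are logged on."""
    return verdict(Connection(user, 3389, frozenset({user})), RULES, MEMBERSHIP)


def smb_with_logged_on(*users):
    """Verdict for an SMB connection; the requester is unknown, only the logged-on users count."""
    return verdict(Connection(SYSTEM_USER, SMB_PORT, frozenset(users)), RULES, MEMBERSHIP)


if __name__ == "__main__":
    print(rdp_from("alice"), rdp_from("bob"))
    print(smb_with_logged_on("bob"), smb_with_logged_on("bob", "carol"))
```

The last case is the one to keep in mind when scoping SMB identity rules: bob is not in Finance, yet an SMB connection from a host where carol is also logged on is allowed.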

Incidents
Types of Security Incidents and Predefined Filters
Centra logs five types of security incidents and lists them under predefined filters:

Incident | Triggered when...
Lateral Movement | An attacker has attempted to access a non-existent IP or a non-existent port, or a malicious file has been detected on an asset.
Policy Violations | A connection violates a segmentation policy rule.
Network Scan | A scan is detected.
Bad Reputation | A domain, file hash, or IP address has been identified as malicious by Guardicore's Reputation Service server.
Integrity Violations | Alert on any unauthorized modification of files.

The All Incidents screen features the list of all incidents in an unfiltered manner.

Incident Details
When you click an incident's ID in the ID column, a page is displayed with detailed
information about the incident. The page format varies depending on the type of incident.
The page format and information for each type of incident is covered in the pages on their
respective filters, i.e. Lateral Movements, Policy Violations, etc.

Acknowledging an Incident
The top of each incident information page displays an Acknowledge button that enables
you to acknowledge the incident:

Acknowledging Multiple Incidents at Once
To acknowledge multiple incidents at once, Centra allows you to 'bulk acknowledge' a group
of incidents sharing similar attributes such as Tag, Source, Destination, etc.

1. On the Incidents page (or any of the pre-defined incident filtered pages) filter the
incidents by any of the filters or combination of filters. In the example below, the
incidents are filtered by a combination of tags:

All the incidents that match the selected filter will appear on the screen.

2. Mark all the incidents in the left column and select More > Acknowledge. This will
automatically 'acknowledge' all the incidents, indicating that you have already
addressed these incidents.

All Incidents Screen
The All Incidents screen features all the incidents that appear in the predefined filters:

The Incident page contains the following fields:

Field | Description
ID | Unique ID number of the incident.
Type | Incident type: Reveal, Deception, Network Scan.
Affected Assets | The assets (VMs/Machines) involved in the incident.
Tags | A tag is assigned to an attacker's activity. There are two types of tags. Service tags indicate which service has been used by the attacker, including SMB, RDP, NetBios, SSH, HTTP and MYSQL; these tags are denoted by icons with a colored border but no background color. Behavior tags allow you to group attacker activities by patterns; clicking a behavior tag points to the Session Recordings page where all the activities grouped under this tag are displayed. An incident can be assigned more than one tag.
Start Time | The time the incident occurred.
Group | The Group to which the incident belongs under the Incident Groups.

Clicking on an incident displays a screen containing more in-depth information. See the
filtered Incidents screens for more information.

Integrity Violations Incidents (FIM)
Integrity Violations incidents are triggered when there is a template violation, a missing file, a
file too big to scan or a template conflict. You can review the FIM incident to understand
whether the incident is a result of misconfiguration or potential malicious activity. As a
response to the alert you can whitelist the hash in case of a misconfiguration or a legitimate
change. In case the change is not what you would expect, you can dive deeper into the
incident to detect its source.

An Integrity incident is generated when the following verdicts are logged:

• A template violation

• A missing file

• A file too big to scan

• A template conflict.

Integrity Violations Incident Screen Areas


Associated Template: An Incident is generated per template, not per specific asset covered
by the template. This means that a violation detected for 100 assets grouped under a single
template generates only one incident.

Tags: 'keywords' appended to FIM incidents, e.g. Violation, Conflict, etc.

Summary: The log verdict that has triggered the incident, e.g. Conflict verdict for 1 assets.

Files: List of files that have been changed.

Assets: Assets affected by the incident.

Graph View: Displays the network behavior during the incident.

The right side of the screen displays Affected Assets, the time the incident started and
ended, associated incident groups, and tags. Note that you can manually add a custom Tag
by clicking the Add Custom Tag button, typing a Tag, and pressing Enter. The tag is
displayed in a distinct color. Custom tags can be useful for keeping track of incidents. To
remove a custom tag, simply click the Cancellation button in the corner of the tag:

Lateral Movement (Deception)


Lateral movement incidents are deception incidents with:

• Medium/High severity.

• An Internal tag to indicate that the source of the incident is from within the network (east-west).

Centra detects lateral movement using dynamic threat deception that automatically
investigates suspicious traffic and alerts when a connection is made to a non-existent IP or
a blocked port. Detailed forensics reports are also provided for each incident.

Lateral movement incidents are triggered in the following scenarios:

ARP redirections: An attacker has attempted to access a non-existent IP.

TCP redirections: An attacker has attempted to access an existing computer over a
non-existent port.

Incident Report
Clicking the ID of a lateral movement incident displays its incident report. The incident report
provides a walkthrough of the attacker's actions in a natural language grouped by tags,
along with screenshots, attacker credentials, and if existing, processes the attacker created:

The right side of the screen displays Affected Assets, the time the incident started and
ended, associated incident groups, and tags. Note that you can manually add a custom Tag
by clicking the Add Custom Tag button, typing a Tag, and pressing Enter. The tag is
displayed in a distinct color. Custom tags can be useful for keeping track of incidents. To
remove a custom tag, simply click the Cancellation button in the corner of the tag:

The incident report contains the following information:

Left Side of the Report

Field | Description
Affected Assets | The attacking machine, the attacked machine and the port used to start the attack.
Started | Time the incident started.
Ended | Time the incident ended.
Associated Incident Group | Link to the group(s) to which the incident belongs.
Tags | There are two types of tags: service tags and behavior tags. Service tags indicate which service has been used by the attacker, such as SMB, RDP, NetBios, SSH, HTTP and MYSQL; these tags are denoted by a color icon with no background. Behavior tags allow you to group attacker activities by patterns; clicking a behavior tag points to the Session Recordings page where all the activities grouped under this tag are displayed. In Release 22 we added the WMI behavior tag: Centra can detect an attacker's attempt to move laterally in the deception environment using the Windows Management Instrumentation (WMI) tool. WMI can be manipulated by a malicious actor to gain access to a specific workload and be used as a persistence vector to move laterally across the data center.
Report Tabs
Tab | Description
Summary | Drilldown of the attack by behavior tags explained in natural language. Centra exports a number of IoC types; see the list at the end of this article. Recommended Actions: provides mitigation and remediation suggestions (if there are any).
Session Recording | Raw recording of the attacker's malicious activity inside the Honeypot, delivering visibility into all the attacker's actions as well as forensic analysis of these actions. The following sessions are recorded (if they are present during the incident):

• Credentials - Credentials used in login attempts
• Commands - Command executions
• RPC - Remote procedure calls, used for running remotely on Windows machines
• Network - Network operations (Connect, Listen, DNS request)
• Files - File operations (Create, Rename, Change permissions)
• Users - Adding/deleting a user
• Processes - Start process (run application), destroy process
• Registry - Change Windows registry configurations
• Sessions - Windows login/logout operations
• NTP - Network Time Protocol related events
• IDS - Suspicious activity reported by the IDS
• Services - Operating system services related events (Service start/stop/restart/configuration)
• Databases - Queries, responses and command executions on MySQL database.
Tabs Displayed Only When Relevant Info Exists
Tab | Description
Screenshots | The entire attack packet is saved in a PCAP format and can be shared with forensics tools. Screenshots are available for Windows environments only.
Credentials | Username and password used by the attacker, along with the service used in the attack, for example RDP, and the time the attack started.
Processes | Process activity during the attacker session, including process creation and deletion.
IDS Events | IDS analysis of the attacker session.
Files | Files used in the Honeypot attack.
Network | All network connections established during the attacker session.
Registry | Changes or modifications made to the Registry settings.

Acknowledge Button
Click the Acknowledge button to mark an incident as 'read and handled'. The Acknowledge
button adds an Acknowledged tag to the incident. Once you acknowledge an incident it will
no longer appear on the Security Summary Dashboard. However, it can still be found by
filtering by Acknowledge Tag on the All Incidents page.

IoC Types Exported by Centra


Centra exports the following IoC types:

• Network IoC - An attacker's IP
• File IoC - Details of a suspicious file
• Domain IoC - Suspicious DNS queries and connection attempts
• Login IoC - Details of a successful login attempt
• SSH Key IoC - Details of SSH keys (Linux only)
• User Operation IoC - User account operations
• Group Operation IoC - Operations related to the machine's user groups (Windows only)
• Potential Backdoor IoC - A suspicious process that has opened a listening socket
• Service IoC - Attacker's actions on operating system services
• Scheduled Task IoC - Operations related to the Scheduled Task mechanism (Windows & Linux)
• Registry IoC - Suspicious registry operations
• Ransomware IoC - IP of an asset attacked by ransomware
Network Scans Incidents
This type of incident is triggered when a scan of multiple IP addresses has been detected by
Centra. In the incident report below, Centra displays Address Resolution Protocol (ARP)
requests sent to specified IP addresses. Note that there are two types of tags - internal and
external - to distinguish between internal and external network scans. Filtering for internal
scans displays only the flows that include internal addresses, as opposed to other scans
reserved for flows that cross the network perimeter.

The right side of the screen displays Affected Assets, the time the incident started and
ended, associated incident groups, and tags. Note that you can manually add a custom Tag
by clicking the Add Custom Tag button, typing a Tag, and pressing Enter. The tag is
displayed in a distinct color. Custom tags can be useful for keeping track of incidents. To
remove a custom tag, simply click the Cancellation button in the corner of the tag:

Acknowledge button

Click the Acknowledge button on the right (see image) to mark an incident as 'read and
handled'. The Acknowledge button adds an Acknowledged tag to the incident. Once you
acknowledge an incident it will no longer appear on the Security Summary Dashboard.

Policy Violations Incidents


Policy Violation incidents are triggered when a connection between two processes has been
identified as violating a segmentation policy rule(s). Any matched Alert or Block rule triggers
a policy violation incident.

The Policy Violations list has the following columns:

ID - The ID of the incident. Clicking an incident's ID displays the Incident screen with more detailed information.

Type - Policy violations are of type Reveal.

Affected Assets - The assets involved in the attack (highlighted).

Started - Time the incident started.

Ended - Time the incident ended. If the attack is ongoing, the following symbol is displayed in the Type column:

Tags - An incident can be assigned several tags, for instance both policy violation and suspicious process tags.

Incident Screen
Clicking the ID of a policy violation incident displays a graph that shows the related policy at
the time of incident and violating connections that triggered the incident. The violating flows
are marked red:

The right side of the screen displays Affected Assets, the time the incident started and
ended, associated incident groups, and tags. Note that you can manually add a custom Tag
by clicking the Add Custom Tag button, typing a Tag, and pressing Enter. The tag is
displayed in a distinct color. Custom tags can be useful for keeping track of incidents. To
remove a custom tag, simply click the Cancellation button in the corner of the tag:

Clicking the map may display more flow violations. When you select a violating flow (red
line), more detailed information concerning the policy violation is displayed at the right of the
screen.

Incident Screen Areas and Buttons


Acknowledge Button

Click the Acknowledge button to mark an incident as 'read and handled'. The Acknowledge
button adds an Acknowledged tag to the incident. Once you acknowledge an incident it will
no longer appear on the Security Summary Dashboard. However, the incident appears on
the All Incidents page and can be found by filtering by the Acknowledged tag.

Create Allow Rules Button

Centra allows you to Whitelist a flow from the Policy Violation incident page. In the incident
page, click the Create Allow Rules button. Centra will suggest a new rule which allows the
incident-triggering flow. Once approved, the rule will be added to the policy and the incident
will be acknowledged. Don't forget to publish the policy with the new rule.

You can move an incident from Alert to Allow directly from the incident map by clicking the
Allow button. This will instantly allow the traffic and remove the incident from the list. Note
that the Allow rule is automatically suggested, you only need to save it. If the suggested rule
does not solve the policy violation, a warning message is displayed.

Reveal Graph

The graph displays the policy at the time of last violation. All connections related to the
incident will appear under the same incident. The assets related to the incident are
highlighted. Click the shield icon at the left-hand corner to show the policy at the time of
last violation. The shield turns green:

You can click any asset or process on the map for more info in the side bar. For an asset this includes host name, IP addresses, tenant name, applications, etc.; for a process it includes process name, path, hash, etc.

Tabs

The Policy Violations screen displays a series of tabs with important information relating to
the incident. Specific tabs will only appear when they have information to display. Below are
the tabs that can appear:

Connections Tab

The Connections tab displays connections that violated the policy at the time of the incident:

Note: Last Occurrence is limited to one month before the current incident.

Recommended Actions Tab

This tab appears when there are relevant remediation steps that can be taken:

Related Policy Tab

The effective policy including Custom Alerts, Allow, Alert, Block and Override rules -
deployed at the time of the incident:

Processes Tab

Displays information on the processes involved in the policy violation:

IP Addresses Tab

IP addresses involved in the incident:

Assets
Assets are objects in GuardiCore Centra that represent workloads in a protected data center. There are two types of assets:

• Managed assets either have an Agent installed or are reported by orchestration (VMware, AWS, Azure, Kubernetes). They normally go by name, e.g. Accounting-lb-1 (see diagram below).

• Unmanaged assets are discovered when participating in traffic flows and shown as an IP address on the Reveal map. Unmanaged assets are not listed on the Assets screen.

Labels can be attached to both managed and unmanaged assets.

A managed asset (left), and an unmanaged asset (right)

The Assets page features managed assets only.

Asset Dashboard
Clicking any asset on the Assets page displays a dedicated page that contains all the info related to the asset. The left side of the screen displays key asset stats: operating system, CPUs, agent version, labels assigned to the asset and more. A series of tabs to the right displays pages that include the segmentation policy applied to the asset, a summary of security incidents (scans, policy violations, etc.), a list of all the incidents related to the asset, and a list of DNS requests made on behalf of the asset:

Segmentation Policy Tab - Displays the current policy’s rules that apply to this asset,
meaning that the asset is a source or destination of the rule or included in a label or a subnet
of the rule. Displays all rules pertaining to the asset - Override, Allow, Alert and Block. See
the above figure.

Security Summary Tab - Summary of all incidents in which the asset is involved and
current risk level:

Related Incidents Tab - A list of incidents related to the asset:

DNS Requests Tab - A list of DNS requests generated by the asset's processes:

Multi Tenant Support


Centra now supports onboarding multiple tenants with overlapping IP address spaces, on a
single Centra instance. Assets are classified as belonging to individual tenants based on the
Aggregator cluster to which they connect.

Once configured, Centra will handle traffic from each tenant separately, correctly matching
traffic from Agents or Collectors to individual tenants. The tenant to which Assets belong
appears on the Assets screen in the Tenants column:

Note: while multi-tenant support accurately reflects the traffic to individual tenants, it does
not currently permit different policies for the same IP address space.

Tenant configuration
Note: Before you configure the feature, it must be enabled. For SaaS customers, as well as
for on-premises customers, Multi-tenant support can be enabled after the V37 upgrade by
Guardicore Support.

Once the Multi-tenant feature is enabled, an Administrator (global or system) can assign a Tenant to an Aggregator by clicking the Assign a Tenant option on the Aggregator screen to display the following dialog box:

Centra assumes no traffic will pass between different tenants, except for traffic between
tenants and the specially allocated "Infra" tenant. For example, in an MSSP environment,
servers of different tenants may use some shared MSSP infrastructure. The infrastructure
servers should then be mapped to the special "Infra" tenant. This can be seen in the Source
and Destination fields of the following Network Log:

(In the second flow, the tenants appear in the Source: and Destination: fields.)

Note: multiple clusters can be assigned to a single tenant.

After configuring tenants, incoming connections' source and destination will be attributed to a
specific tenant according to the source and destination assets. The tenant association can
be viewed in the network log:

Users can use the tenant selector dropbox on the top right to filter connections with a source
or destination of a specific tenant:

Note: When building segmentation policy rules, rules for specific tenants may still affect other tenants. For example, a "BLOCK ANY → AssetA" rule, with AssetA being part of TenantA, will create a rule on all assets (even ones not belonging to TenantA) which blocks access to the IP address of AssetA. We intend to provide segmentation rule tenant-awareness in the following Centra versions.

Network Log and Policy Creation
Handling violations is an important part of building access policies. If a connection shows
frequent violations, the administrator should decide whether the connection’s block or alert
policy is too restrictive and therefore leads to unwarranted violations, or whether to continue
the policy.

Centra’s Network Log provides a tabular view of all connections in your network and enables
you to filter the list for policy violations along with information on the connections. To start
handling violations and remediating them, the Network Log has now been fully integrated
with Learning Mode. The two features work together seamlessly to identify traffic flows that
violate policies and present suggestions for remediating the situation.

The feature works like this:

1. In the Network log, click the Show Summary link at the right of the screen:

The Show Summary list presents the top 15 labels with the most violations:

2. In the Summary list select the label by which to group the flows displayed on the
Network log:

Note: the available Label key groupings by which to group the flows can be
configured in the System/Configuration screen under Reveal, Additional Grouping
Options:

For example, entering these Grouping Options:

results in these Label Key grouping options in the Summary Pane:

After selecting a label, you can also select a Ruleset, if it exists, to narrow the map to more specific flows if desired.

3. The list of connections on the Network log can be filtered if desired:

Note:
• The summary is limited to 2M flows (alerted and blocked) and by the time frame. The time frame is limited to the Last 24H or Last 48H only. The feature will not work for violations older than that.

4. On the Network log, click the Create a Policy button . A message appears
indicating that a policy suggestion map is being generated:

When the map is finished generating, the following message appears:

5. Click Explore Map to display the policy map for the labels that you
selected before:

6. Use Learning Mode to review suggestions and remediate when necessary. For
example, clicking the suggestion in the Suggestions tab, highlights the violating flow
on the map:

If desired, you can then remediate the situation by clicking Allow in the Decision column on
the Suggestions tab:

The column now displays the new rule with a green checkmark and the map also displays
the green checkmark near the relevant labeled flow.

The new Allow rule is now displayed in the Rules screen:

Export to CSV
The administrator can export the aggregated view to a CSV. The flows on the display can be
filtered by label.

Temporary Storage in Saved Maps


The map is stored under Saved Maps with a name indicating it is a map to handle policy
violations. The map name has the following format:

Env value/ app value - <ruleset name> -24h Violations Review

For example: Production & Billing - 24h Violations Review

By default, even if opened from Saved Maps, the map will be displayed in the Policy Editor
Overlay along with the Policy Suggestion tab open.

The map will be kept for one week. The timeframe of the map is as chosen by the admin when reviewing the violations (Last 24H, or last 48 hours with T-1 hour presented).

Integrity Violations Log


A log is recorded for every File Integrity Monitoring (FIM) activity including hash match.

Log Verdicts

The following verdicts may appear in the log:

Template Match - For compliance regulations, a log entry is generated for every scan even
when there is a match.

Template violation - File hash has violated the template.

File too big - Files over 100mb won’t be scanned and will throw a “file too big” error. The
default size is 100mb. This can be changed in the Agent Configuration page (System
Components > Agents):

File Missing - If the full path of the file does not exist we report that the path is missing.

Template conflict - Two templates for the same asset - one valid, one in violation. A tooltip
appears next to the verdict in the incident.

File located on NFS path - NFS or SMB Network drives are not scanned by default and will
throw a System Log warning.

File access error - Reported when the module doesn't have read access.

Labels Log
The Labels log displays a record of changes to labels for assets:

The log lists the label changes for assets (identified by name and IP) according to the date
and time when the change occurred. The log notes the component that made the change,
the name and IP of the asset whose label was changed, the type of change (whether a label
was added, removed, renamed, etc.), and the result of the change. Clicking an item in the
Changed by column displays the component's details on the appropriate component screen
(for example, if the component that made the change is an Agent, it is displayed on the
Agents screen). Clicking an item in the Asset column displays the asset's details on the
Asset screen.

Filter buttons enable the log to be filtered according to Asset, Label Changes, Resulting
Labels, Reason, Changed by Type (for example Agent), Changed By (i.e. the component
that made the change), Time of change, and Asset ID or IP. As with other logs, you can also
export the log to a CSV.

Redirections Log
This page logs bypassed connections and connections that were identified as suspicious
and redirected to the Honeypot for attacker engagement and further analysis.

Reputation Log
This log is triggered every time Management queries a domain, IP or a file hash against
Guardicore Reputation Services (GCRS). The log is returned with one of the following
verdict replies: Malicious, Clean or Unknown.

Insight
Guardicore Insight provides powerful endpoint visibility, better security value, and additional
segmentation use cases. Based on the well known OSQuery, Insight enables writing SQL
queries to explore running processes, loaded kernel modules, open network connections,
browser plugins, hardware events, file hashes, and more.

Users can use SQL queries to extract data from hundreds of tables. Using Insight, users
can perform SQL queries on a vast number of Agents and aggregate the results to
create labels, build policies, and obtain valuable network forensics.

Insight is baked into Guardicore’s Windows and Linux Agents and appears in the Centra
UI as Insight.

OS Support
The following Operating Systems are supported for Insight:

• Windows 2012, 2016, 2019, Windows 7, 8, 64-bit.

• Any Linux with base install from 2011.

See the Agent OS Support table in Release Notes for V37 for an updated list of
OS support for Insight.

Running a Query
To run a query:

1. On the Centra UI, click the option to display the following screen:

2. Use the Target Agents section on the right to use Label and Operating System
criteria to target Agents that you want to query.

3. Write the query in the box provided on the left. Instructions for writing queries are
contained under Centra's Help menu. See the example queries at the end of this
article.

4. Optionally, you can select general queries from the Catalog at the top of the screen and type in the values to execute. The Catalog buttons are as follows:

   • Inserts a query for OS Version Information.
   • Inserts a query that returns processes listening on a specific port.
   • Inserts a query that returns the latest hotfixes.
   • Provides a catalogue of useful queries that you can copy and use.
   • The official OSQuery expressions that you can use when writing queries.

5. Click Run; a list of Agents is returned by the query:

Note: Clicking the CSV button at the top of the list enables you to download the results
to a CSV file.

You can click an Agent's name in the results list and display the Agent's details like this:

You can also assign a label to all the returned Agents on the Insight screen by clicking the
Label all [number of Agents Returned] Agents button:

The Agents Labeling dialog box opens enabling you to enter a Label Key and Label Value to
apply to the returned Agents:

Query Examples
The following are examples of queries:

Example 1: Get logged on users

Query: "SELECT * FROM logged_in_users"

Results:

host              pid   time        tty   type       user
4.4.0-21-generic  0     1592437186  ~     boot_time  reboot
4.4.0-21-generic  53    1592437192  ~     runlevel   runlevel
                  1536  1592437192  tty1  login      LOGIN

Example 2: Top 5 processes by resident memory size

Query: "SELECT pid, name, uid, resident_size FROM processes ORDER BY resident_size DESC LIMIT 5"

Results:

pid    name           uid   resident_size
9428   chrome.exe     3185  484622336
14460  chrome.exe     3185  396050432
20776  slack.exe      3185  182190080
11756  explorer.exe   3185  177545216
3684   MobaXterm.exe  3185  51896320

Example 3: List all the patches applied (Windows)

Query: "SELECT csname, hotfix_id, description, installed_by, installed_on FROM patches"

Results:

csname  hotfix_id  description      installed_by         installed_on
PC1     KB4552925  Update                                5/11/2020
PC1     KB4537759  Security Update                       5/11/2020
PC1     KB4557968  Security Update                       5/11/2020
PC1     KB4560366  Security Update  NT AUTHORITY\SYSTEM  7/17/2020

Insight Scheduled Queries
Insight V39 provides the ability to set scheduled queries that enable users to continually
monitor systems in their data center and cloud environments. Centra’s distributed agents
can perform specific queries about installed software, vulnerabilities, hardware state, and
user behavior on individual systems or groups of systems. IT and security administrators can
then harness the insights acquired to create more effective security policies.

Typical examples of using scheduled queries are these:

Example 1: Detect Security Violations


As Centra administrator, you want to detect security violations in your data center. You may
want to set up validations that will be constantly checked against different groups of assets,
and be alerted on every failed validation. Within the alert, you would like to have information
about the violations and assets, to be able to resolve this violation. You can write a query
that checks for Agents that fail the specified validation. You can then review the list of failed
Agents and resolve the violations.

Example 2: Ensure Compliance


As Centra administrator, you want to ensure that all the assets meet the security and
compliance standard of your organization. You want the ability to set a stricter policy for the
assets that do not meet the standard. You can write a query that searches for all Agents that
do not match the compliance criteria and then set stricter policies for those assets.

For example, users can choose to automatically label Agents that match the query.

You access the Scheduled Queries screen under Insight from the Centra Navigation panel:

Under Insight, click Scheduled to display the Scheduled Queries screen:

The screen displays the following:

Title - The name of the Query that was scheduled.

Scope - The Agents targeted by the query, according to the labels selected under Target Agents (see below).

Author - The author of the query.

Actions - The actions that will be performed on the Agents that match or do not match the query. You can specify a label to be applied to Agents that match the query. You can also specify that the label be removed from Agents that do not match the query.

Enabled - Whether the query will be run.

Interval (Hours) - The interval in hours between query runs.

Status - The number of Agents that were returned by the query.

Next run - The time of the next run of the query.

Create or Edit a Query


To create a new query, on the Scheduled Query screen, click +Add New Query .
To edit an existing query, hover the mouse pointer to the left of the Query name:

and click the Edit option:

A screen enabling you to write and schedule a query is displayed. Fill out or edit the fields as
follows:

Set Label/Remove label: These options enable you to automate the process of labeling
Agents.

• To label Agents returned by the Query, select Set Label and specify the Label that
you want to be applied.

• To remove a label from Agents that do not match the query, specify the label that you
want to be removed and select Remove label from unmatched agents.

Alert to Syslog: It is also possible to specify that after running a Query, if a certain number
of Agents match the Query, a syslog will be exported in CEF & RFC5425 formats.

Using Filters for Schedule Queries
The top of the Scheduled Queries screen displays the following filters:

Status - Select Succeeded or Warning (or both). Note that the number of queries conforming to the filter options appears. Queries marked as Warning are those with no hits and appear with a Warning icon in the list of queries.

Author - Select the authors by which to filter the queries.

Is Enabled - Select True to display only queries that are currently enabled.

Search - Type the name of an Author, Query, or Target Agent by which to filter the queries.

You can apply operations to all the displayed queries either before filtering, or after filtering
the list. Click the Bulk Operations button:

You can Disable, Enable, or Delete all of the queries displayed in the list. Typically, you use
this feature after carefully filtering the queries to display the queries to which you want to
apply these operations.

Inspection Policy
A large amount of seemingly malicious traffic is generated by either repetitive attacks or as a
result of machine misconfigurations that ultimately prove to be harmless. Guardicore Centra
is able to filter the noise by using smart heuristics on the data center traffic, ensuring
uninterrupted traffic flow and minimum impact to the running system.

Innocent Failed Connections


Centra identifies and isolates recurrent connection patterns and misconfigurations that
generate ‘innocent’ failed connections:

• Multiple connections coming from the same IP.
• Connections coming from a misconfigured machine.
• Failed connections made to a non-responsive machine (closed port, etc.).

Centra samples these connections periodically for further inspection by the deception
engine. This leads to major resource savings and focus on 'bad' connections only.

In the Smart Inspection mode, only "new" connection attempts are sent to the Deception
server investigation during a predefined time period. During this time period, "repeated"
connection attempts are excluded from this investigation. This means that the system
investigates any new TCP tuple (src_ip, dst_ip, dst_port) and ARP tuple (src_ip, dst_ip) for a
time of redirect_period and does not redirect connections of the same tuple. This guarantees
that any new unique connection is investigated, while repeated connection attempts
generate a limited number of incidents.

Smart inspection is applied to all incoming and outgoing connections, unless the user has selected Ignore, Bypass or Inspect rules:

Ignore rules - Matching connection attempts will not be logged nor redirected to the Deception server for inspection. These connections are completely ignored by the system.

Bypass rules - Matching connections will be logged but not redirected to the Deception server for inspection.

Inspect rules - Matching connections will always be redirected to the Deception server for inspection. Inspect rules apply only if the Aggregator is set to Redirect mode.

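The Smart Inspection decision described above, combined with Ignore, Bypass and Inspect rules, as an added Python model (not Guardicore's code). It assumes a constructed 300-second value for redirect_period, rule fields limited to IP, subnet or ANY (VM names are not modelled), and that an Inspect rule is simply skipped when the Aggregator is not in Redirect mode.

```python
"""Model of the Smart Inspection decision described on this page.

Added example, not Guardicore's code. Assumptions: a TCP attempt is keyed by
(src_ip, dst_ip, dst_port) and an ARP request by (src_ip, dst_ip); the window
the page calls redirect_period gets a constructed value of 300 seconds here;
Ignore/Bypass/Inspect rules match on Source, Destination and optional
Destination Ports, as the Rule Fields table lists them.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

REDIRECT_PERIOD = 300  # seconds; constructed value, the page gives no default


def _addr_matches(pattern, ip):
    """Match an IP against a rule field: 'ANY', a single IP, or a CIDR subnet."""
    if pattern == "ANY":
        return True
    if "/" in pattern:
        return ip_address(ip) in ip_network(pattern, strict=False)
    return ip_address(ip) == ip_address(pattern)


@dataclass(frozen=True)
class Rule:
    action: str                      # "ignore", "bypass" or "inspect"
    source: str                      # IP, subnet or ANY (VM names not modelled)
    destination: str
    ports: frozenset = frozenset()   # empty means All, as in the Destination Ports field

    def matches(self, src_ip, dst_ip, dst_port):
        if self.ports and dst_port not in self.ports:   # ARP has no port, so never matches a port rule
            return False
        return _addr_matches(self.source, src_ip) and _addr_matches(self.destination, dst_ip)


@dataclass
class SmartInspector:
    rules: list
    aggregator_redirect_mode: bool = True
    redirect_period: int = REDIRECT_PERIOD
    last_redirect: dict = field(default_factory=dict, repr=False)  # tuple -> timestamp

    def decide(self, ts, src_ip, dst_ip, dst_port=None):
        """Return (logged, redirected) for one connection attempt at time ts."""
        for rule in self.rules:                       # first matching rule wins
            if rule.action == "inspect" and not self.aggregator_redirect_mode:
                continue                              # Inspect rules apply only in Redirect mode
            if not rule.matches(src_ip, dst_ip, dst_port):
                continue
            if rule.action == "ignore":
                return False, False                   # neither logged nor redirected
            if rule.action == "bypass":
                return True, False                    # logged, not redirected
            return True, True                         # inspect: always redirected
        # No rule matched: smart inspection keyed by the connection tuple.
        key = (src_ip, dst_ip, dst_port) if dst_port is not None else (src_ip, dst_ip)
        last = self.last_redirect.get(key)
        if last is not None and ts - last < self.redirect_period:
            return True, False                        # repeated tuple inside redirect_period
        self.last_redirect[key] = ts                  # new tuple: investigate it
        return True, True


def demo():
    """Constructed burst: one host retries the same RDP tuple every 10 s for 20 minutes."""
    inspector = SmartInspector(rules=[
        Rule("ignore", "10.0.0.0/24", "10.0.0.250"),          # chatty monitoring traffic
        Rule("bypass", "ANY", "10.1.2.3", frozenset({445})),  # file server: log only
    ])
    attempts = [(t, "10.9.9.9", "10.5.5.5", 3389) for t in range(0, 1200, 10)]
    attempts.append((0, "10.0.0.7", "10.0.0.250", 161))   # dropped by the Ignore rule
    attempts.append((0, "10.9.9.9", "10.1.2.3", 445))     # logged only, Bypass rule
    logged = redirected = 0
    for attempt in attempts:
        was_logged, was_redirected = inspector.decide(*attempt)
        logged += was_logged
        redirected += was_redirected
    return logged, redirected   # 120 retries produce only 4 redirects (t = 0, 300, 600, 900)


if __name__ == "__main__":
    print("logged=%d redirected=%d" % demo())
```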
Rule Fields
A rule is composed of the following fields:

Enabled - Rule Enabled or Disabled.

ID - Unique ID number of the rule.

Source - Can be one of the following: VM name, IP (e.g. 10.1.2.3), Subnet (e.g. 10.1.2.3/24), or ANY.

Destination - Can be one of the following: VM name, IP (e.g. 10.1.2.3), Subnet (e.g. 10.1.2.3/24), ANY, or FQDN (domain name).

Destination Ports - An optional field that lets you enter a port or a subset of ports, for example "80" or "22, 445". If you leave this field empty, the default value is All.

Title - An optional field that lets you summarize the rule.

Update Time - The time the rule was pushed to the Aggregator.

Detectors
Detectors are used for semantic analysis of the attacker’s actions when an attacker is
redirected to a decoy machine and tries to perform the malicious actions on the decoy. Each
detector performs specialized logic and can be fully configured, including the severity level
that each detector assigns to an incident. The default detector settings provide excellent in-
depth analysis and do not require additional configuration.

To enable a detector, select it from the list of detectors on the left-hand column. Most of the
detectors generate tags as part of the analysis process. For example, the Call from Stack
detector generates the Stack Overflow tag. Some detectors generate several tags, such as
the Linux Service Operation that generates the Kill Process, Malicious Command and
Networking Operation tags. You can also enable/disable various detection algorithms for
each detector:

Reputation Services
Guardicore’s Reputation Services identify indicators of compromise (IoCs) based on
suspicious domain names, IP addresses and file hashes associated with known malicious
activity. Guardicore Reputation Services leverages Guardicore’s network of attack sensors
and deception engines, threat intelligence feeds and the insights of our security research
team. A list of IPs identified as malicious by Guardicore’s Reputation Service is visible in the
Incidents/Bad Reputation screen in Centra’s UI:

Reputation analysis identifies threats based on the presence of suspicious domain names,
IP addresses and file hashes - all associated with known malicious activity. Non-
conforming or unauthorized communications are an indicator of compromise, for example
malware installed on a server and attempting to communicate with a known bad IP address
or domain name. IP addresses are considered malicious if detected as part of an attack over
the last 48 hours; Domain names are considered malicious if detected over the last two
weeks or if it’s a newly registered domain (registered in the past 2 months); File hashes are
considered malicious if detected as part of an attack.

Reputation Services for Files, IP Addresses and Domain Names
File Reputation

• Only available when Guest Agents are installed (L7 visibility required). Generates
high severity incidents only.

IP Reputation

• Low severity incidents for incoming Internet connections from malicious IPs (targets
are open to internet connections).

• Medium / high severity incidents for outgoing Internet connections.

DNS Reputation

• Only available for outgoing Internet connections

Sample Reputation Incidents

Configure Reputation Services
Reputation is enabled by default. However, here is how to configure it manually:

1. From Administration choose Detection > Reputation.

This screen lets you choose what to send to the Reputation server - file hashes, IP
addresses, domain names - and configure a proxy if you are deployed on-premises.

2. In Configuration, mark Enable Reputation Analysis, along with any relevant file
hashes, IPs and DNS IoCs you want to send for analysis. Click Save Changes.

Note: For on-premises deployments, verify q.guardicore.com is open via the customer
firewall.

3. Verify that the Reputation types are selected in the Reputation Service Log as well. A
log entry is generated every time Management queries the Guardicore Reputation
Services (GCRS).

Configure Trusted Indicators


1. Click Reputation > Trusted Indicators:

Centra allows you to create an 'allowlist' of IPs, files and domain names you consider legitimate on your site. Allowlist items are excluded from reputation inspection. A connection that matches an allowlist entry is assigned the Clean verdict and will not be sent to Reputation for analysis. You can either:

• Add trusted indicators to the lists manually.

OR

• Report as misclassification from within a Reputation incident.

To add trusted indicators manually, click the items link next to Trusted process file paths
and specify the file paths for the trusted indicators.

To report a misclassification automatically from within a Reputation Incident, click the Misclassification button. The indicators are automatically added to the local Trusted Indicators list and a report is sent to Guardicore for analysis.

Classify specific IPs as Internal IPs


This applies to external Internet facing IPs only. Once a public IP is classified under Internal,
no Reputation Services are provided for this IP.

Choose > Configuration > IP Classification and manually update the public IP addresses
list. Once set, these addresses can be added to the Trusted Indicators list.

Classify Specific Domains as Legitimate
Similarly to excluding specific IPs from inspection, it is possible to exclude specific domains
and define them as clean. These domains will not be displayed on the Uncommon DNS
Activity widget on Centra's dashboard.

Choose > Configuration > Domain Classification and manually update the Trusted
Domains list. Once set, these domains can be added to the Trusted Indicators list.

These domains WILL NOT appear on the Uncommon DNS Activity dashboard widget.

Suspicious DNS Activity pane in Centra Dashboard

Advanced
In this section it is advised to use the default values provided by Guardicore. Consult
Support if you want to make any changes.

Turning Off Reputation Services


If you want to turn off Reputation services, uncheck all four options in Reputation >

Configuration:

Customer IoCs Integrated into Guardicore Reputation Services
Starting from release 27, Guardicore enables customers to feed their IoCs into the
Guardicore Reputation Services and enjoy the same rich visual incident experience as with
all Guardicore incidents. The IoC types that are supported are file and IP. The IoCs are
uploaded in a JSON format to Centra REST API. Once uploaded, Centra will alert on the
presence of these IoCs across the entire customer’s data center.

File Integrity Monitoring (FIM)


What is File Integrity Monitoring?
FIM is a change-detection mechanism designed to alert on any unauthorized modification of critical data files. It works by comparing the current file state with a known, good baseline. By 'baseline' we're referring to an agreed description of the attributes of the file, at a point in time, which serves as a basis for defining change. This comparison method involves calculating a known cryptographic checksum of the file's original baseline and comparing it with the calculated checksum of the current state of the file.

FIM is a Mandatory Compliance Requirement


FIM plays an essential role in breach investigation. Using FIM data, security teams can
determine which critical files were modified, which assets were involved and the
communication flows at the time of the breach. Compliance frameworks such as PCI DSS
and HIPAA all include a control for file integrity monitoring.

FIM Capabilities in Centra


Using its lightweight agent module, Centra performs integrity checks every 24 hours to
identify file alterations across cloud and data center environments. Organizations that apply
FIM gain increased confidence and assurance that their critical data is secure and that there
is minimal risk of unauthorized changes to the critical data. FIM is supported for both Linux
and Windows operating systems.

Supported Operating Systems

Windows 2016 64-bit

Windows 2012 64-bit

Windows 2008 64-bit

Windows 2008 32-bit

Windows 2003 32-bit

Activating FIM
The way to protect a file from unexpected changes is to create a FIM policy. A policy is a set
of rules applied to a file/list of files hosted on one or multiple labels or assets. Fill in the
template with the files you want to monitor and their baseline hash values. Centra scans
these files periodically and alerts on any policy violation. You can add, remove and edit FIM
templates via the API or UI. Each host is scanned when it is first discovered by the system
and also on a predefined periodic interval. The scan is scheduled every 24 hours by default.
All scans are logged in the Integrity log. A log is recorded for every FIM activity, including
hash matches.

To setup FIM:

1. Identify the files you want to monitor for changes and the assets (or preferably asset
labels) that contain these files.

2. Select Administration/Integrity Monitoring/Templates and in the Templates screen
click the Add Template button to create a FIM template indicating the files and
services to be monitored:

3. Fill in the Template fields:

Field                      Explanation

Title                      The title of the template, such as System Files for PCI
                           Compliance.

Description                A short description of the template, such as Integrity check
                           for system files.

Enable Template check box  Select to activate the template.

Affected Labels            Type the labels for which you want the template to apply.

Affected Assets            Type the assets to which you want the template to apply.

Hash Type                  For example, SHA-256.

Files and Hashes           Add the file or list of files that need to be monitored, along
                           with their hashes.

Monitor File Changes
Once you create and activate the template, Guardicore’s Linux agents will monitor these files
for changes, checking their contents once every 24 hours (configurable). If a change is
detected, a “bad integrity” incident will be created:

As with other incident types, this incident can be sent to your email/SIEM.

File Integrity Log


Every FIM activity is logged in the Integrity log.

Integrity Violations Incidents


Integrity Violations incidents are triggered when there is a template violation, a missing file, a
file too big to scan or a template conflict. You can review the FIM incident to understand
whether the incident is a result of misconfiguration or potential malicious activity. As a
response to the alert you can Allowlist the hash in case of a misconfiguration or a legitimate
change. In case the change is not what you would expect, you can dive deeper into the
incident to detect its source.
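As an added illustration of the baseline-and-checksum comparison and the violation types described above (this is example code, not Centra's agent or API): a template holding monitored files and their baseline SHA-256 hashes is scanned, and each file yields one Integrity-log event, either a match or one of the violations (bad integrity, missing file, file too big to scan). The template structure, the size limit and the sample files are constructed assumptions.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class FimTemplate:
    """Constructed counterpart of the template fields: a title, a hash type and the
    monitored files with their baseline hashes (path -> hex digest)."""
    title: str
    hash_type: str = "sha256"
    files: Dict[str, str] = field(default_factory=dict)
    # Assumed size limit mirroring the "skip files that exceed a size limit" module
    # setting; the default value here is constructed, not Centra's.
    max_file_bytes: int = 512 * 1024


@dataclass
class IntegrityEvent:
    """One Integrity-log line: every scanned file produces an event, matches included."""
    path: str
    result: str            # "match", "bad_integrity", "missing_file" or "file_too_big"
    expected: str = ""
    observed: str = ""


def file_digest(path: str, hash_type: str = "sha256", chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large files do not have to be read into memory."""
    h = hashlib.new(hash_type)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(template: FimTemplate) -> List[IntegrityEvent]:
    """Compare every monitored file against its baseline hash and log the outcome."""
    events: List[IntegrityEvent] = []
    for path, baseline in template.files.items():
        if not os.path.isfile(path):
            events.append(IntegrityEvent(path, "missing_file", baseline))
            continue
        if os.path.getsize(path) > template.max_file_bytes:
            events.append(IntegrityEvent(path, "file_too_big", baseline))
            continue
        observed = file_digest(path, template.hash_type)
        result = "match" if observed.lower() == baseline.lower() else "bad_integrity"
        events.append(IntegrityEvent(path, result, baseline, observed))
    return events


def violations(events: List[IntegrityEvent]) -> List[IntegrityEvent]:
    """The subset of events that would raise an Integrity Violation incident."""
    return [e for e in events if e.result != "match"]


def demo() -> Dict[str, str]:
    """Take a baseline over constructed files, tamper with them, then rescan."""
    workdir = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        contents = {
            "passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "sshd_config": b"PermitRootLogin no\n",
            "hosts": b"127.0.0.1 localhost\n",
            "core.dump": b"\0" * (1024 * 1024),   # larger than max_file_bytes
        }
        paths = {name: os.path.join(workdir, name) for name in contents}
        for name, path in paths.items():
            with open(path, "wb") as f:
                f.write(contents[name])
        tpl = FimTemplate(title="System Files for PCI Compliance")
        tpl.files = {p: file_digest(p, tpl.hash_type) for p in paths.values()}
        # What the next periodic scan sees: one edit, one deletion, one oversized file.
        with open(paths["sshd_config"], "ab") as f:
            f.write(b"PermitRootLogin yes\n")
        os.remove(paths["hosts"])
        return {os.path.basename(e.path): e.result for e in scan(tpl)}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```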

Agent Module: Detection
The newly added Detection module appears next to the other modules in the Agents
screen.

Here you can filter by module versions, labels, flags and more. Any module configuration
can be overridden by selecting an entry and clicking More > Override Configuration. In this
screen you can configure the module's scan period, skip scanning of files that exceed a size
limit etc. When the Detection module is selected, Active denotes Linux systems while Not
Deployed denotes Windows systems.

Stale Hashes Cleanup
The system queries for hashes that haven’t been matched for X days against a specific
template. Hashes that are older than a week can be removed from the system.

Customer Threat Feeds Integration


Guardicore allows its users to upload their internal blacklists of IoCs to the Guardicore
Reputation Service. A user can add an internal threat feed and enjoy the same rich visual
incident experience as with all Guardicore incidents. The IoC types that are supported are
file and IP. The IoCs are uploaded in a JSON format to Centra REST API. Once uploaded,
Centra will alert on the presence of these IoCs across the entire data center. The internal
blacklist is not shared with the global Guardicore Reputation service, it is only accessible by
the customer that uploaded the threat feed. Each IoC can have up to 16 custom tags (API).

Supported Indicators of Compromise Types


The IoC types supported by the internal blacklist are file and IP:

• File IoCs are SHA256 file hashes of malicious processes that will trigger an incident
once they communicate from a server that has a Guardicore agent installed.
• IP IoCs are IPv4/IPv6 IP addresses of malicious servers that will trigger an incident
once Guardicore Centra recognizes traffic with these servers.

File IoCs
• File IoCs need to be uploaded in batches of 200,000.

• To upload file IoCs, create a POST request to /api/v3.0/blacklist?type=file with all the
file IoCs and tags listed in the request payload:
"[{\"key\": \"043A718774C572BD8A25ADBEB1BFCD5C0256AE11CECF9F9C3F925D0E52BEAF89\", \"tags\": [\"tag1\", \"tag2\"]},
{\"key\": \"043A718774C572BD8A25ADBEB1BFCD5C0256AE11CECF9F9C3F925D0E52BEAF88\", \"tags\": [\"tag3\", \"tag4\"]}]"

• In order to overwrite or clean the list, pass an empty list to the API.

IP IoCs
• IP IoCs need to be uploaded in batches of 300,000.

• To upload IP IoCs, create a POST request to /api/v3.0/blacklist?type=ip with all the IP
IoCs and tags listed in the request payload: "[{\"key\": \"10.0.0.0\", \"tags\": [\"tag1\",
\"tag2\"]}, {\"key\": \"10.0.0.1\", \"tags\": [\"tag3\", \"tag4\"]}]"

• This request will overwrite the previous IP IoC list and it supports listing up to
500,000 IP IoCs.
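An added example (not Centra's own client or API code) that prepares the request bodies described above for both the file and IP endpoints: it validates SHA256 digests and IPv4/IPv6 addresses, merges duplicate keys, enforces the 16-tag limit, splits file IoCs into batches of 200,000 and, because an IP upload overwrites the previous list, refuses to split an IP set across requests rather than silently losing earlier batches. The base URL, the feed format and the sample indicators are constructed; sending the POST is left to the caller.

```python
import hashlib
import ipaddress
import json
import re
from typing import Dict, Iterable, List, Tuple

# Limits stated in the manual for the internal blacklist endpoint.
ENDPOINT = "/api/v3.0/blacklist"
BATCH_SIZE = {"file": 200_000, "ip": 300_000}
MAX_TAGS = 16
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

Indicator = Tuple[str, List[str]]   # (key, tags)


def normalize_key(ioc_type: str, key: str) -> str:
    """Validate one indicator and return it in canonical form; raise ValueError otherwise."""
    if ioc_type == "file":
        if not SHA256_RE.match(key):
            raise ValueError(f"file IoC must be a 64-hex-char SHA256 digest: {key!r}")
        return key.upper()
    if ioc_type == "ip":
        # Accepts IPv4 and IPv6 and canonicalizes, e.g. 2001:DB8:0:0:0:0:0:1 -> 2001:db8::1
        return str(ipaddress.ip_address(key))
    raise ValueError(f"unsupported IoC type: {ioc_type!r}")


def build_entries(ioc_type: str, indicators: Iterable[Indicator]) -> List[Dict]:
    """Produce the [{"key": ..., "tags": [...]}, ...] records the endpoint expects.
    Duplicate keys are merged (tags unioned) and the 16-tag limit is enforced."""
    merged: Dict[str, List[str]] = {}
    for key, tags in indicators:
        bucket = merged.setdefault(normalize_key(ioc_type, key), [])
        for tag in tags:
            if tag not in bucket:
                bucket.append(tag)
        if len(bucket) > MAX_TAGS:
            raise ValueError(f"{key} would carry {len(bucket)} tags; max is {MAX_TAGS}")
    return [{"key": k, "tags": t} for k, t in merged.items()]


def build_requests(base_url: str, ioc_type: str, indicators: Iterable[Indicator],
                   batch_size: int = 0) -> List[Tuple[str, List[Dict]]]:
    """Return (url, entries) pairs, one per request to send.
    File IoCs are chunked; IP IoCs must fit in one request because an IP upload
    overwrites the previous list, so chunking would discard the earlier batches."""
    entries = build_entries(ioc_type, indicators)
    size = batch_size or BATCH_SIZE[ioc_type]
    url = f"{base_url.rstrip('/')}{ENDPOINT}?type={ioc_type}"
    if ioc_type == "ip":
        if len(entries) > size:
            raise ValueError(f"{len(entries)} IP IoCs exceed the single-upload limit of {size}")
        return [(url, entries)]
    return [(url, entries[i:i + size]) for i in range(0, len(entries), size)]


def to_body(entries: List[Dict]) -> str:
    """Serialize one batch as the JSON request payload."""
    return json.dumps(entries)


def clear_request(base_url: str, ioc_type: str) -> Tuple[str, List[Dict]]:
    """Passing an empty list overwrites/cleans the stored list."""
    return (f"{base_url.rstrip('/')}{ENDPOINT}?type={ioc_type}", [])


def parse_feed(text: str) -> Dict[str, List[Indicator]]:
    """Parse a constructed internal feed: one 'type,indicator,tag;tag' record per line."""
    feeds: Dict[str, List[Indicator]] = {"file": [], "ip": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ioc_type, key, tags = (line.split(",", 2) + [""])[:3]
        if ioc_type not in feeds:
            raise ValueError(f"unsupported IoC type in feed: {ioc_type!r}")
        feeds[ioc_type].append((key, [t for t in tags.split(";") if t]))
    return feeds


# Constructed sample indicators: digests of test strings, not real malware hashes.
SAMPLE_HASHES = [hashlib.sha256(f"constructed sample {i}".encode()).hexdigest() for i in range(3)]
SAMPLE_FEED = f"""# constructed internal feed: type,indicator,tag;tag
file,{SAMPLE_HASHES[0]},campaign-a;dropper
file,{SAMPLE_HASHES[0]},loader
ip,10.0.0.1,campaign-a
ip,2001:DB8:0:0:0:0:0:1,scanner
ip,2001:db8::1,c2
"""

if __name__ == "__main__":
    feeds = parse_feed(SAMPLE_FEED)
    for kind in ("file", "ip"):
        for url, batch in build_requests("https://centra.example.invalid", kind, feeds[kind]):
            print(f"POST {url}\n{to_body(batch)}")
```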

Guardicore Threat Intelligence Firewall


Guardicore's Threat Intelligence Firewall consists of daily updated IP lists that add an
additional security layer to your data center by blocking traffic to these malicious IPs.
Guardicore has spread Threat Intelligence sensors throughout the largest cloud
providers around the world. These sensors detect attacks 24/7 and create the following lists:

• Attacking IPs list: created based on IPs that attack our Threat Intelligence sensors.
The most prominent ones are blocked.

• Scanning IPs list: created based on the top scanners which scan our Threat
Intelligence sensors. The most prominent ones are blocked.

• CnC IP list: created based on resolving the IPs of connections to malicious domains.
Once an attacker infects a Guardicore Threat Intelligence sensor and connects back
to a CnC server, log server, etc. this indicator is added to the list.

Guardicore Threat Intelligence Labels


The Guardicore Threat Intelligence Firewall creates three labels of malicious IPs:

• Top attackers

• Top scanners

• Top CnC

Labels Screen Showing the Label “Top Attackers” and the IP list that it Includes

Each label holds a list of malicious IPs, verified to the highest extent by Guardicore’s Threat
Intelligence Feed. The feed leverages a network of attack sensors, and the insights of the
Guardicore Security Research team.

For each label, two rules are created: to block (Override Block) or to Alert-on (Override Alert)
outgoing and incoming communication from these malicious IPs across the whole data
center. The three labels are updated daily with top detected malicious IPs so that the six
rules created provide an effective additional level of security. The Firewall rules can be found
on the Segmentation Rules screen along with any other rules that you may have created:

Segmentation Screen Showing Six Firewall Rules Created from the Three Labels

Note: Why the CnC IP List Results in Alert, not Block

The CnC list results in Alert rules rather than Block rules since attackers may use legitimate
websites / hosting servers to deliver their malware or communicate with it. Known legitimate
sites such as Github, Bitbucket, AWS S3 buckets, etc. used by attackers are detected by the
Guardicore Threat Intelligence service but are not added to the CnC list. As an extra
precaution to prevent unnecessary blocking, even detected CnC sites not known to be
legitimate and that are added to the CnC list, result in the creation of Alert rules on outgoing
connections to such IPs, rather than Block rules.

Verifying that the Threat Intelligence Firewall is Functioning


To check whether the Threat Intelligence Firewall is active:

• Access one of the IPs in the labels from an asset covered by a Guardicore Agent,
and check the Centra UI for the blocked/alerted incident.

Reviewing What was Blocked/Alerted by the Threat Intelligence Firewall

The Threat Intelligence Firewall updates its threat lists daily. There are two ways to review
the IPs that were blocked or alerted:

Review Using the Incidents Screen

Filter the Incidents screen for any threat intelligence rulesets. Any incidents that matched
these rulesets contain alerted/blocked flows by the threat intelligence firewall. In case a
SIEM integration is in place, the incidents will also be exported to your local SIEM and can
be viewed there.

Review Using the Network Log Screen

Filter the Network log screen for any alerted/blocked connections from the threat intelligence
firewall policy rule id. Any matching connection was alerted/blocked by the threat intelligence
firewall.

Disabling the Daily Updates


To disable the daily updates to the Firewall lists:

• In the Segmentation Rules screen, disable the Guardicore Threat Intelligence rules
and let our Customer Success know you wish to opt-out of the daily update service.

Changing the Rules from Block to Alert


If you want to change the Block rules to Alert rules, follow this procedure:

• In the Segmentation Rules screen, move the rules to the Override Alert section.
Guardicore will continue to update the labels with the malicious IPs on a daily basis.

Receiving a Blocking Alert Concerning a Malicious IP
This section provides instructions on what to do when receiving a blocking alert concerning a
malicious IP detected by the Threat Intelligence Firewall.

Receiving a blocking alert due to an outbound alerted/blocked connection

This indicates that your environment has been compromised! We recommend verifying the
connection source, process, user and command line. We also recommend engaging with our
Cyber Security Analyst service to help with forensics and further incident response. Contact
[email protected] or Guardicore Customer Success.

Receiving a blocking alert due to an inbound alerted/blocked connection

Malicious traffic is something you can expect when exposing a service to the internet. Centra
blocked this connection attempt and reduced your service exposure to malicious actors over
the internet.

Removing an IP from the List


To remove an IP from the list, contact Guardicore at [email protected] or Customer
Success.

Preventing the Blocking of Internal IPs


Guardicore removes all private IP subnets such as 192.168.0.0/16, 172.16.0.0/16 and
10.0.0.0/8. Guardicore additionally removes APIPA and your personal IP configuration in
Centra for any public IPs that are used as private in your network.

The IP configuration in Centra can be found on the Administration screen by selecting
System/Configuration/IP Classification.

Mitigation & IoCs


Guardicore Centra™ deception engines detect security incidents. The security intelligence
generated from these incidents is transformed into indicators of compromise (IoCs) that we
collect on our servers. These IoCs can be fed into 3rd party security products. We save our
high severity incidents and IoCs directly to MongoDB. If an IoC already exists, its last_seen
field will be updated. Otherwise, a new IoC record will be generated.

The Mitigation & IoCs page displays the mitigation actions the administrator can take against
attacks. Each action can be configured to automatically or manually be enabled, or disabled
altogether.

Centra displays and exports the following IoC types:

Database IoCs - Microsoft SQL (MSSQL) table, function and procedure creation operations.

File Mitigation & IoCs - Details of a suspicious file, and details of SSH Key IoCs for Linux
only.

Firewall Mitigation - Integration with Palo Alto firewall. Once an attack is detected, Centra
updates the Palo Alto firewall with the IP address of the compromised host. The Firewall
then blocks connection attempts to and from the compromised asset, blocking its ability to
propagate in the datacenter.

Login IoCs - Details of a successful login attempt.

Network Mitigation IoCs - An attacker’s IP.

Ransomware Mitigation & IoCs - IP of an asset attacked by ransomware.

Centra mitigates ransomware in multiple ways, including pausing the infected machine,
creating a VM snapshot, disconnecting network cards, and executing a script that runs on
management.

What you select on this page appears on the Recommended Actions section of the
incident.

Scheduled Task IoCs - Operations related to the Scheduled Task mechanism (Windows &
Linux).

Domain IoC - Suspicious DNS queries and connection attempts.

User Operation IoC - User account operations.

Group Operation IoC - Operations related to the machine's user groups (Windows only).

Potential Backdoor IoC - A suspicious process that has opened a listening socket.

Service IoCs - Attacker’s actions on operating system services.

Registry IoCs - Suspicious registry operations.

Aggregators
An Aggregator is a VM that aggregates and de-duplicates data it receives from its
associated Agents and then sends it to the Management Server. To support scaling, a single
Aggregator can be deployed per hundreds of Agents. In addition to gathering and sending
the data to the Management Server, the Aggregator manages the configuration of associated
Agents.

Aggregators and Agents


The following describes how Aggregators connect to Agents and manage them:

• Each Agent connects to a Guardicore Aggregator server over SSL, with a certain SNI
(Server Name Indication). The connection is always initiated by the Agent. The
Aggregator and the Management server differentiate between Agents by a unique ID
generated on the Agent.

• The Aggregator handles new incoming connections with HaProxy, which determines
the Agent type by the SNI and forwards the connection to the relevant service,
depending on the type of Agent (see the section on Agents for a description of the
types of Agents and their associated services).

• The Aggregator sends commands and requests to the Agents and gets responses.
For example, in the case of Reveal modules, the Aggregator sends a start-monitoring
command that starts a monitoring thread. Deception and Enforcement modules can
push messages to the Aggregator as well.

Aggregators can be configured either globally or individually.

Aggregators Screen
The Aggregators screen is accessed from the Admin panel Components/Aggregators and
enables you to perform various operations with the Aggregators in the system:

The following columns are displayed on the Aggregator screen:

Column        Description

Hostname      The name of the host on which the Aggregator is located.

IP Address    The IP address of the Aggregator.

Version       The current version of the Aggregator.

Operation     The current operation mode of the Aggregator: On, Off, or Monitor. The
              operation modes refer to the functionality of the Aggregator.
              On = the Aggregator’s functions are turned on.
              Off = the Aggregator’s functions are turned off (i.e. it is not performing the
              functions of communicating with Agents or relaying data to the Management
              server).
              Monitor = the Aggregator is gathering information, but is not rerouting
              suspicious traffic to the Deception server and is not enforcing policies from
              the Enforcement server.

Status        This column displays information pertaining to the health of the Aggregator.
              Guardicore periodically checks the status of Aggregators. The full list of the
              status (health) of Aggregator services is displayed by hovering the mouse
              cursor over the column. A plus sign next to an item in the list can be clicked to
              display further items. The column also uses the following to indicate the
              status of an Aggregator:
              Up = All of the Aggregator’s services are functioning.
              Partially Up = Some of the Aggregator’s services are functioning.
              Down = The Aggregator is not functioning.
              Error = Problem with some of the Aggregator’s services. Hovering over the
              Error icon will display a list with the problematic services marked with an Error
              icon.
              Connecting = the Aggregator is trying to connect.
              Initializing = the Aggregator services are initializing.
              Stopped = the Aggregator was intentionally stopped. None of the services are
              functioning.

Cluster       The cluster to which the Aggregator belongs. Aggregators belong to a cluster
              where they form a Zookeeper leader and quorum. Unless you have more than
              one cluster, the value in this column is Default.

Last Seen     The time and date when the Aggregator was last visible.

First Seen    The time and date when the Aggregator was first visible.

Configuration Options
The Aggregator screen’s More menu enables you to control the operation of Aggregators,
such as starting and stopping their services. It also enables you to change configuration
settings.

To change an Aggregator’s operation mode or to configure it:

1. In the list of Aggregators, select the checkbox next to the Aggregator whose
operation mode you want to change, or that you want to configure.

2. Click the More button.

3. Select one of the displayed options:

Option                   Explanation

Change Operation Mode    This refers to the operation of the Aggregator’s services: On, Off,
                         Monitor. See the previous section on the Aggregator screen for an
                         explanation of these options.

Start/Stop               Start: Start the services for the Aggregator.
                         Stop: Stop the services for the Aggregator. The component is no longer
                         functioning and is not communicating with the Management server. You
                         can start the component again by selecting Start.

Restart                  Reboot the Aggregator. This is an actual reboot, which means that the
                         component begins functioning anew.

Override Configuration   This displays a screen with numerous configuration options. To display
                         all of the options, select the Show Advanced Options checkbox. See
                         below for an explanation of the options.

Get debug logs           This downloads a compressed tar.gz file that contains detailed debug
                         information in several files.

Override Configuration Option


The Override Configuration option appears in the More menu for selected Aggregators:

The option enables you to specify important settings for Aggregators. Make sure to check
Show Advanced Options for a full list. Some of the most important options are listed here:

Configuration Setting / Explanation

Machine Details | Include hardware UUID
    Guardicore uses unique hardware IDs to identify the machine on which an Aggregator is
    deployed. The Include hardware UUID option can solve the following problem: when servers
    are cloned in the environment they carry the same UUID. Turning this option off ensures
    that the machine ID remains unique. (Alternatively, if the UUID file is removed before
    cloning a machine, there is no need to disable this option.)

Aggregator | Aggregator Features | Cluster Zookeeper
    Explicitly assign this Aggregator/Collector to be part of the quorum as a “publisher”
    (with the other members of the quorum).

Aggregator | Aggregator Features | Cluster Exporter
    Explicitly assign this Aggregator/Collector as the exporter of Syslog data in accordance
    with the setting of the Syslog Integration configuration (the Export through Aggregators
    option in Integrations | Syslog must first be checked). If more than one
    Aggregator/Collector is marked as a “cluster exporter”, then there will be an election in
    the quorum to determine which Aggregator/Collector takes the role of cluster exporter.

Aggregator | Aggregator Features | Cluster Orchestration
    Explicitly assign this Aggregator/Collector as the interface to pull data from the
    orchestrator (for example, vSphere, AWS orchestration, etc.) and to publish it for other
    Aggregators/Collectors in the cluster to consume. If more than one Aggregator/Collector
    is marked as a “cluster orchestrator”, then there will be an election in the quorum to
    determine which Aggregator/Collector takes the role of cluster orchestrator.

Aggregator | Zookeeper | hosts
    On occasion, it may be required to explicitly define the IP addresses of the quorum
    members of any given Aggregator/Collector.

Aggregator | Cluster | cluster-id
    Occasionally there is a need to change the ID of the cluster of which the
    Aggregator/Collector is a part. This usually accompanies some network reorganization or
    segmentation.

Datapath | General | TCP Service Ports
    Typically, these ports are left untouched. However, if there is a special need to define
    a port for redirection to the Deception Server, it is done here.

Aggregator | Aggregator Features | Agents Load Balancer
    Check if you want this Aggregator to serve Agents in a load balanced arrangement together
    with other Aggregators in the cluster.

Aggregator | Aggregator Features | [Enforcement, Reveal, Detection, Deception] Agents Server
    Check the modules that you want this Aggregator to serve.

Aggregator | Aggregator Features | Reveal Datapath Visibility
    Check to support Layer 4 visibility in the absence of Agents.

Aggregator CLI
Administrators can use CLI commands to access detailed information on Aggregators.

To do this:  Find out to which Aggregator an asset’s Agent modules are reporting.
Run on:      Management CLI
Type this:   gc-mgmtctl locate_agent --agent_filter <hostname or IP address>

To do this:  List all Aggregators/Collectors in the environment, their status, hostname, and IP.
Run on:      Management CLI
Type this:   gc-mgmtctl list_aggregators

To do this:  List the Reveal Agents served by an Aggregator (and on which worker thread),
             including Agent version, up time, and other information.
Run on:      Aggregator CLI
Type this:   map-workers [hostname]

To do this:  List the status of the Aggregator/Collector subservices.
Run on:      Aggregator/Collector CLI
Type this:   monicore-ctrl status [-v]

To do this:  Restart an Aggregator/Collector subservice.
Run on:      Aggregator/Collector CLI
Type this:   monicore-ctrl restart <all | subservice name>

To do this:  Full cluster diagnostic.
Run on:      Aggregator/Collector CLI
Type this:   gc-cluster-diagnostic

To do this:  Confirm message brokering is working and confirm the cluster roles that are
             assigned.
Run on:      Aggregator/Collector CLI
Type this:   gc-list-roles

To do this:  Display the content of the servers in the network database, and also confirm
             that the network information is shared with other Aggregators/Collectors.
Run on:      Aggregator/Collector CLI
Type this:   gc-network-db-dump -m

To do this:  Display SSL proxy configuration and traffic statistics.
Run on:      Aggregator/Collector CLI
Type this:   gc-lower-hatop (for communication pathways downward in the direction of Agents)
             gc-upper-hatop (for communication pathways upward in the direction of the
             Management server)

Collectors
Collectors are virtual machines that gather information on flows in environments where
Agents cannot be deployed. Such environments include legacy systems incompatible with
Agent software, as well as environments outside of your system that interface with your
network. Collectors relay data to the Guardicore Management server for further analysis and
integration into Guardicore’s Reveal charts. Collectors are also able to detect suspicious
flows, redirect them to a SPAN port for further analysis, and, where warranted, divert them to
the Deception server (honeypot).

Types of Collectors
You deploy Collectors during the installation of Guardicore Centra. During Installation you
can choose to deploy Collectors in two ways:

• Use Guardicore’s deployment tool (GuarDeployer) to automatically deploy multiple
Collectors.

–OR–

• Manually deploy and configure each Collector separately.

During installation, Wizards guide you through the steps of deploying the various types of
Collectors. As of release 30, you can choose to deploy three types of Guardicore Collectors:
ESX Collector, SPAN Collector and AWS VPC Flow Logs Collector:

ESX collector: a VM that is responsible for the following:

• Detection of suspicious traffic and redirecting it to the Deception Server for further
investigation.
• Collection of network level information (L4) about all traffic flows. The ESX Collector
also enables reputation on IPs and DNS. An ESX Collector should be deployed as a
VM on each protected hypervisor and fixed to the host (make sure vMotion is
disabled).

SPAN Collector: deployed as a VM for physical networks. It receives traffic for inspection
from SPAN ports, network taps or Network Packet Brokers (NPBs). It requires a return port
back to the network to be able to perform packet redirection.

VPC Flow Logs: provide a way to inspect all the flows between all the different cloud assets
within a given cloud network. Policy-wise this means that only alerts are supported without
enforcement. To allow VPC flow logs, install a dedicated collector during installation and
configure VPC flow logs in AWS orchestration.

ESX Collector

The ESX Collector is a VM that integrates with ESX hosts and should be deployed as a VM
on each protected hypervisor and fixed to the host (make sure vMotion is disabled). The
standard ESX Collector analyzes communication flows sent to a SPAN port by a VSS
(Virtual Standard Switch) or VDS (vSphere Distributed Switch) switch. You can also
configure an ESX Collector to work with the less common N1KV switch.

Multiple vSwitches on the same host can be monitored with a single ESX Collector:

ESX Collector Configuration

The ESX Collector is installed on an ESX virtual machine and collects information between
the ESX and systems that interface with it. The datapath implementation uses the vSphere
port mirroring feature (new since 5.0) in order to allow Guardicore to analyze the traffic
inside the ESX Host and protect its virtual machines.

SPAN Collector
The SPAN Collector is deployed as a VM for physical networks and analyzes
communication flows sent by a switch to a SPAN port. More specifically, it receives traffic for
inspection from SPAN ports, network taps or Network Packet Brokers (NPBs). This Collector
requires a return port back to the network to be able to perform packet redirection.

Both the ESX and SPAN Collectors gather information from a SPAN port (virtual or
physical) and send that information to the Guardicore Management Server for analysis and
appropriate action.

Span Collector Configuration

For the SPAN Collector, an important setting is to make sure that protected_cidr is
configured. If this option is not set, the Collector will not report any flows and the following
message is displayed:

Port mirroring without any protected CIDR's

To configure a SPAN port with protected_cidr, perform the following:

1. On the Administration panel, select Components, Collectors.

2. From the list of Collectors, select the Collector that you want to configure and click
the More button.

3. On the More button, select Configuration Overrides, then select the Show Advanced
Options checkbox.

4. Under Datapath, select Port Mirror Cloud Driver.

5. Select protected_cidr and supply a list of subnets in CIDR notation.

VPC Flow Logs Collector
Guardicore’s AWS VPC Flow Logs Collector provides a way to inspect all the flows between
the different cloud assets within an Agentless cloud network such as AWS. The Collector
gathers logs from the AWS VPC Flow Logs feature (which publishes the information to
Amazon CloudWatch Logs and Amazon S3) and sends it to the Guardicore Management
server. The Management server then integrates the log information into Reveal,
Guardicore’s Visibility module, where it provides a clear view of the flows within the cloud
environment. The VPC Flow Logs Collector enables you to capture information about IP
traffic to and from network interfaces in your VPC:

The integration of the flow logs information into Guardicore’s Reveal module can help you
with a number of tasks:

• Troubleshoot why specific traffic is not reaching a destination, which in turn helps you
diagnose overly restrictive security group rules.

• Use flow logs as a security tool to monitor the traffic that is reaching your
environment.

To allow VPC flow logs, install a dedicated Collector during installation and configure VPC
flow logs in AWS orchestration.

Additional Information About the AWS VPC Flow Logs Collector


1. No need for log persistence in the account.

2. One VPC Flow Logs Collector can cover multiple regions on multiple accounts. Currently
there is no way to control which Collector takes care of which account.

3. Scale has been tested for a production multi-region account with 500K flows per day.

Known AWS Flow Logs limitations

• Flow logs do not capture real-time log streams for the network interfaces; there is an
approximate 10-15 minute delay.

• The Flow Logs will not include any of the following traffic:

- Traffic to Amazon DNS servers, including queries for private hosted zones.

- Windows license activation traffic for licenses provided by Amazon.

- Requests for instance metadata.

- DHCP requests or responses.

Deception Servers
Deception Servers receive live redirected connections from across the data center and
generate matching deception environments to lure attackers. The Deception Server can be
deployed as a virtual machine or a physical appliance and operate as a single node or as
part of an array of Deception Servers, depending on the customer's deployment scale.
Within the Deception Server there are virtualized machines that interact with the suspect
attacker. Each virtualized machine is referred to as a service provider. The Deception server
supports many flavors of Windows and Linux service providers.

How does Deception work?


When a new attacker comes in with a new source and destination IP, the system allocates a
new service provider based on what the attacker expects to meet. This means that a
Windows-based attacker will be met with a Windows-based service provider such as SMB.
Guardicore's deception algorithm will also try to keep the network deception engine as
consistent as possible, so a machine deceived as Linux Web Server with hostname
"server1" will look the same even after a period of time. Next, the allocation algorithm will try
to maximize the neutrality of the OS distribution among potential victims, so that an attacker
scanning the network will come across a variety of fake machines. A Deception Server
provides a real world environment for the attacker to interact with. This can be Linux or
Windows with complete sets of services that appeal to the typical attacker including IP
addresses, host names etc. The Deception Server is highly optimized to provide as much
attack surface as possible, with a high number of machines to engage with all potential
attackers. The Servers provide live analysis of the attacker activity across all dimensions
including operating systems and network and file activity.

Deception Server features


Real machines, not emulation: Guardicore uses real servers, not emulation, allowing the
deception systems to engage the attacker in a believable fashion with a robust decoy attack
surface, with extremely low footprint.

Dynamic deception: Guardicore features a dynamic deception system in addition to static
lures. With dynamic deception, we are able to dynamically provision a deception server
wherever the attacker goes. This is important because the chance that the attacker hits a
static Deception Server IP in a network full of hosts is not high.

Distributed redirection: Guardicore automatically redirects suspect sessions to an isolated
and dynamic deception server. This is triggered by any attempt to access closed or blocked
ports on real machines, access to an invalid IP address, or DNS queries. These types of
connections are normally blocked by conventional network-based tools.

Services supported: Services include RDP, NetBIOS+RPC, SMB, NBT, SSH, FTP,
TELNET, MSRPC, SQL, HTTP, MSSQL12, MySQL, and netsvc.

Ports redirected for deception to the honeypot: TCP 21 (FTP), 22 (SSH), 80 (HTTP),
135 (MSRPC), 139 (NetBIOS), 445 (SMB), 1099 (Java RMI), 1433 (MSSQL), 3306
(MySQL), 3389 (RDP), 5985 (Win PowerShell), 5986 (Win PowerShell), plus ARP. The
redirected ports are explicitly whitelisted in the system's configuration. To restrict redirection,
configure the Inspection Policy to bypass a specific port, IP, etc.

Deception: Updated Logic and Behavior
The mechanism for redirecting traffic to the Deception server was redesigned in Centra
version 36 and moved from the Aggregator to the Agent. This has led to the following
changes:

• Blocked or refused connections to Agents (clients) will be redirected to a Deception
server only if the Agent is in Enforcement mode and a Block policy is in place. An
Agent in Monitor mode will not redirect connections.

• Blocked or refused connections from Agents (servers) will be redirected to the
Deception server.

• Redirection of unanswered ARP to Agents, and Agent ARP scan detection, is no
longer supported. However, Collectors will continue to support ARP redirection.

• Redirection of outgoing unanswered SYN is no longer supported.

Component Diagnostics and UI Controls

Diagnostics capabilities for Centra components allow better visibility into Centra's health
status and assist in troubleshooting issues related to Centra components.

Display a List of Running Services for Each Component

All components report to Management, so that for each component (Aggregator, Collector,
Deception Server and Agent) Centra displays a detailed list of all the services running on
top of it along with their status (Up, Down, Error, Connecting, etc.). This allows security
administrators to identify failed or malfunctioning components. To further monitor
connectivity, all components run periodic health checks against selected services, including
orchestration providers and log services. Click the + sign to get more info about any service.

Control the Agent from the UI

You can pause and resume the Agent from within the Agents page.

Agents
The Guardicore Agent is designed to track all network connections of a protected server,
coupled with information on the processes involved in the connection. The Agent validates
each connection against a segmentation policy to allow / alert / block the connection. The
connection metadata and the applied action are reported to Guardicore Centra.

Guardicore's Agent enables:

Visibility: Gaining visibility of all communications of a protected server. The AIX Agent
supports L4 + process-level information using polling mode. In some edge cases, the Agent
will support L4 information only.

Enforcement: Enforcing a segmentation policy by blocking and/or alerting on violating traffic.
The AIX Agent supports L4 rules for Enforcement. The expected behavior of non-L4 rules
that are distributed to AIX Agents is detailed in the Guardicore Admin Guide.

Analysis: Automatically analyzing traffic flows for malicious processes or malicious IP
addresses, using the Guardicore Reputation Service.

Agent Modules
An Agent consists of four separate modules: Reveal, Deception, Detection, and Enforcement:

Reveal module: Provides process-level visibility and file reputation. It collects process-level
information on all connections including protocols, ports, and corresponding processes
(path, user, command line, hash, etc.).

Detection module: Responsible for File Integrity Monitoring (FIM).

Enforcement module: Blocks traffic based on network-level and/or process-level policy, and
processes DNS requests and replies.

Deception module: Detects failed connection attempts and redirects them to a Deception
Server for further investigation. (The Deception Server manages a farm of multiple
honeypots of different flavors, Windows and Linux.)

Note: Deception Agents have several roles parallel to those of an ESX Collector, and must
not be installed on virtual servers that are hosted on ESXi hypervisors already protected by
ESX Collectors. When installing the system, Guardicore Solution Center decides which is
the optimal deployment for the client.

In addition, there is a Controller module, and two channels, Reveal and Enforcement, that
connect the Agent to an Aggregator.

Agents are deployed on Windows, Linux, Solaris, and AIX based virtual servers. Agent
software packages are served from an Aggregator during installation.

Agent Connections
Each Agent connects to a Guardicore Aggregator server over SSL. The Aggregator and the
Management server differentiate between Agents by a unique ID generated on the Agent.
The Aggregator handles new incoming connections using HAProxy, which determines the
Agent type by the SNI and forwards the connection to the relevant service.

The interface to the Aggregator is implemented using two channels, gc-channel Reveal and
gc-channel Enforcement, which are responsible for communication with the Aggregator. The
Aggregator initiates all communication over the channels, polling Agents on new data and
updating them with configuration and policy changes. The Aggregator sends commands and
requests to the Agents and gets responses. Deception and Enforcement Agents are able to
push messages from the Agent to the Aggregator as well.

In case the Aggregator is disconnected from the Agents, the channels will try to reconnect,
and, if not successful, move to the next Aggregator in the list (if there is one).

For more in-depth information concerning Agents and Agent OS Support, see the Admin
Guide.
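The SNI-based dispatch described above, as an added example that is not Guardicore's code: a small Python parser pulls the server_name extension out of a TLS ClientHello and maps it to a backend the way a fronting proxy such as HAProxy does before any TLS handshake state exists. The hostnames in ROUTES and the backend names are assumptions made for illustration; the Aggregator's real SNI values and its HAProxy configuration are not on the page. build_client_hello constructs the test input, so the block runs offline.

```python
import struct


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def _u24(n: int) -> bytes:
    return struct.pack("!I", n)[1:]


def build_client_hello(server_name=None) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test input, not captured traffic).
    With server_name=None the extensions block is omitted entirely."""
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x00" * 32           # client random (zeros are fine for a parser test)
        + b"\x00"                # session_id length: 0
        + _u16(2) + b"\xc0\x2f"  # one cipher suite
        + b"\x01\x00"            # compression_methods: null only
    )
    if server_name is not None:
        host = server_name.encode("ascii")
        sni_list = b"\x00" + _u16(len(host)) + host      # name_type host_name(0), length, name
        sni_ext = _u16(0) + _u16(len(sni_list) + 2) + _u16(len(sni_list)) + sni_list
        body += _u16(len(sni_ext)) + sni_ext             # extensions block
    handshake = b"\x01" + _u24(len(body)) + body         # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # record header: handshake


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension of a ClientHello record, or None when the
    record is not a ClientHello, is truncated, or carries no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # compression_methods
    if len(body) < pos + 2:
        return None                                # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0 and len(data) >= 5:       # server_name extension
            list_len = struct.unpack("!H", data[:2])[0]
            entries, i = data[2:2 + list_len], 0
            while i + 3 <= len(entries):
                ntype = entries[i]
                nlen = struct.unpack("!H", entries[i + 1:i + 3])[0]
                name = entries[i + 3:i + 3 + nlen]
                i += 3 + nlen
                if ntype == 0:
                    try:
                        return name.decode("ascii")
                    except UnicodeDecodeError:
                        return None
    return None


# Assumed, illustrative SNI-to-service table; the real Aggregator names are not on the page.
ROUTES = {
    "reveal.aggregator.example": "gc-channel-reveal",
    "enforcement.aggregator.example": "gc-channel-enforcement",
}


def route_connection(record: bytes) -> str:
    """Pick the backend service for a new connection from its ClientHello SNI.
    Missing or unknown SNI is rejected rather than sent to a default backend."""
    return ROUTES.get(extract_sni(record), "reject")
```

The routing decision is made on cleartext bytes before any certificate or client identity is checked, which is why route_connection rejects an absent or unknown SNI instead of falling back to a default service.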

Agents Screen
As an administrator, you use the Agents screen to monitor the health and functioning of
Agents and to perform any necessary operations. The screen displays a list of Agents with
icons at the left of the Agent's name, indicating whether they are Linux or Windows Agents.

A row of operation buttons enables configuring, upgrading and running diagnostics on
selected Agents:

Button What it does

More: Enables changing configuration and other operations on selected Agents.

Delete: Deletes the selected Agents.

Set Enforcement State: Sets the enforcement state.

Get Agent Diagnostics: Generates a diagnostic report on selected Agents.

Remote Agents Upgrade: Upgrades the selected Agents to the most recent upgrade version.

Agents Screen Columns

The Agents columns are as follows:

Column Description

Name: The name of the device on which the Agent is deployed.

IPs: The IPs of the device on which the Agent is deployed.

Modules: Four icons appear that represent the following modules: Reveal, Deception,
Enforcement, and Detection. Each of these modules executes a separate process that
connects to the appropriate server. Hovering over an icon displays the name of the
Aggregator to which the Agent is attached (the name is a link that displays the Aggregator
details on the Aggregators screen). The icons also indicate the status of the module:
blue (active), red (active with errors), and gray (not deployed). The Enforcement module
icon has additional states (see Enforcement Monitoring Modes).

Labels: The labels assigned to the asset on which the Agent is deployed.

Flags: Flags indicate problems of which the administrator should be aware. Hovering over
the notice in this column provides more details. A complete list of flags is provided in the
following section and in the Admin Guide.

Kernel: The version of the kernel on which the Agent is deployed. This affects particular
Agent modules that work from the kernel.

Agent Version: The version of the Agent software.

Last Seen: The most recent time that the Agent was detected by the Management server.

First Seen: The first time that the Agent was detected by the Management server.

Note: Temporary Disappearance of Agents from the Agents Screen

After 24 hours of not being connected to the management, Agents are automatically
removed from the Agent screen. Once management is reconnected, the Agents are
automatically added back to the screen. This behavior may be noticed in the log. This
temporary automatic removal of Agents from the Agents screen prevents seeing lists of
“missing” Agents during situations such as workload re-provisioning.

Even though the Agent is temporarily removed from the Agents screen, the Asset generated
by the Agent is never removed and will always be displayed on the Assets screen.

Agents Flags
The Agents Flags column displays flags that provide information, warning, and error
notifications. Hovering over the flag displays further information. The following table lists the
various flags that can be displayed in the Flags column:

Flag Description and Remediation

Polling Mode (INFO): The Agent collects network events in polling mode due to limited
support for this operating system. No action item required. Visibility events will be reported.

Polling Mode (ERROR): The Agent collects network events in polling mode because the
Enforcement module is not running.
Suggested Action: Check if there are additional flags that describe the root cause of the
issue. If there is no additional info, collect the Agent diagnostics package through the Centra
UI, and report the issue to Guardicore support.

Outdated Policy (ERROR): The flag reflects one of the following:
• The Agent could not fetch the most up-to-date policy due to compatibility issues with the
policy: the policy contains elements that are not supported by the Agent, or the policy is
too large, so the Agent rejected it. In this case, the flag shows the revision ID that is
actually enforced by the Agent vs. the most recent revision ID, the list of rules that caused
the Agent to reject the policy, and the missing capability needed to support this policy.
Suggested Action: Modify the policy to meet the Agent's missing capabilities, or upgrade
the Agent to the most up-to-date version.
• The policy was not adopted by the Agent for unknown reasons. The Agent enforces a
policy with a revision ID older than the main one.
Suggested Action: Check overall system health, focusing on the Agent and its Aggregator.
Contact Guardicore support for more details.

Outdated Configuration (WARNING): The Agent configuration was not adopted by the Agent
for unknown reasons.

No Reveal Received (WARNING): The Aggregator did not report Reveal data to the
Management in the last hour. This notification is usually reported by the Management.

High Drop Rate (WARNING): High ratio of dropped connections.
Suggested Action: Check Agent resource consumption and overall machine state.

Agent Missing (ERROR): The Agent was not seen in the last X minutes (configurable).
Suggested Action: Check if the machine exists and has network connectivity. This usually
happens when there is no connectivity to the Agent, when the Agent is uninstalled, or when
the machine is turned off.

No Reveal Reported (WARNING): The Agent did not report Reveal data in the last hour. This
notification is usually reported by the Aggregator.

Reveal Offline (ERROR): The Reveal module cannot connect to Centra. The Agent continues
to monitor network events and stores them locally in rotated storage until the connection is
restored. No network events will be reported during the offline period.
Suggested Action: Make sure there are no connectivity issues between the Agent and the
Aggregator, and validate Aggregator health in the Centra UI.

Enforcement Offline (ERROR): The Enforcement module cannot connect to Centra. The
Agent is enforcing the latest policy it received, and cannot get policy updates.
Suggested Action: Make sure there are no connectivity issues between the Agent and the
Aggregator, and validate Aggregator health in the Centra UI.

Reveal Module Error (ERROR): The Reveal module, responsible for the visibility capabilities,
cannot start. Visibility events won't be reported.
Suggested Action: Check if there are additional flags that describe the root cause of the
issue. If there is no additional info, collect the Agent diagnostics package through the Centra
UI, and report the issue to Guardicore support.

Enforcement Module Error (ERROR): The Enforcement module, which is responsible for
visibility and enforcement capabilities, cannot start. Visibility capabilities can be missing or
limited, and no policy enforcement will be done on this server.
Suggested Action: Check if there are additional flags that describe the root cause of the
issue. If there is no additional info, collect the Agent diagnostics package through the Centra
UI, and report the issue to Guardicore support.

Detection Module Error (ERROR): The Detection module that is used for FIM (File Integrity
Monitoring) cannot start. FIM events won't be reported.
Suggested Action: Check if there are additional flags that describe the root cause of the
issue. If there is no additional info, collect the Agent diagnostics package through the Centra
UI, and report the issue to Guardicore support.

Deception Module Error (ERROR): The Deception module cannot start. There is no
redirection to the Deception server, and no Deception incidents will be generated by the
Agent.
Suggested Action: Check if there are additional flags that describe the root cause of the
issue. If there is no additional info, collect the Agent diagnostics package through the Centra
UI, and report the issue to Guardicore support.

Controller Module Error (ERROR):

Memory Limit Reached (ERROR): Due to unusual behavior of the Agent, or misconfiguration
of the Agent resource limitation configuration, the memory usage of more than one module
reached 90% of the configured limit.
Suggested Action: Check the load on the server, and increase the resource limitation profile
to a higher profile as described in the "Resource Usage Management" section in the
Administration Guide.

Reveal Memory Limit Reached (WARNING): Due to unusual behavior of the Agent, or
misconfiguration of the Agent resource limitation configuration, the memory usage of that
module reached 90% of the configured limit.
Suggested Action: Check the load on the server, and increase the resource limitation profile
to a higher profile as described in the "Resource Usage Management" section in the
Administration Guide.

Enforcement Memory Limit Reached (WARNING): Due to unusual behavior of the Agent, or
misconfiguration of the Agent resource limitation configuration, the memory usage of that
module reached 90% of the configured limit.
Suggested Action: Check the load on the server, and increase the resource limitation profile
to a higher profile as described in the "Resource Usage Management" section in the
Administration Guide.

Detection Memory Limit Reached (WARNING): Due to unusual behavior of the Agent, or
misconfiguration of the Agent resource limitation configuration, the memory usage of that
module reached 90% of the configured limit.
Suggested Action: Check the load on the server, and increase the resource limitation profile
to a higher profile as described in the "Resource Usage Management" section in the
Administration Guide.

Deception Memory Limit Reached (WARNING): Due to unusual behavior of the Agent, or
misconfiguration of the Agent resource limitation configuration, the memory usage of that
module reached 90% of the configured limit.
Suggested Action: Check the load on the server, and increase the resource limitation profile
to a higher profile as described in the "Resource Usage Management" section in the
Administration Guide.

Controller Memory Limit Reached (WARNING): Due to unusual behavior of the Agent, or
misconfiguration of the Agent resource limitation configuration, the memory usage of that
module reached 90% of the configured limit.
Suggested Action: Check the load on the server, and increase the resource limitation profile
to a higher profile as described in the "Resource Usage Management" section in the
Administration Guide.

Limited Policy (INFO): Some policy rules are not supported by that Agent, and those were
modified or removed to meet Agent capabilities. The flag contains the exact rules that were
removed or modified, and the limited capability that caused it.
Suggested Action: Either modify the policy to meet the Agent's capabilities, or upgrade the
Agent to the latest version.

Configuration Partially Applied (WARNING): Recent Agent configuration changes were not
applied to the Agent.
Suggested Action: Open the Agent configuration (on the Agents screen, select the Agent,
click the More button and select Override configuration), and verify that the configured
attributes are supported by the Agent. Unselecting problematic attributes will clear this flag.

Enforcement Missing KO (ERROR): Enforcement capabilities are not available, and visibility
capabilities are limited (polling mode) because the Agent could not load or fetch a kernel
module for this kernel version or configuration.
Suggested Action: Generate an Agent diagnostics package through the Centra UI, and
contact Guardicore support with the package attached.

Deception Missing KO (ERROR): Deception capabilities are not available because the Agent
could not load or fetch a kernel module for this kernel version or configuration.
Suggested Action: Generate an Agent diagnostics package through the Centra UI, and
contact Guardicore support with the package attached.

Deprecated Agent Flag Used (INFO): The Agent was installed with environment variables that
represent an installation configuration that is no longer supported. This configuration was
ignored during Agent installation, and the "Default" installation profile was applied instead.
Suggested Actions:
• Create a new installation profile or edit the Default installation profile according to your
configuration requirements. Uninstall the Agent and re-install it with the desired profile.
• Ignore this flag, or remove it by marking the "Ignore deprecated configuration flag
warning" configuration attribute in the Agent configuration (Agents screen, More
button/Override configuration) under the "Agent Controller" settings.

Deception Redirection Channel Error (WARNING): Deception doesn't work because the Agent
could not create a redirection channel to the Deception server.
Suggested Action: Verify the Deception server state in the Centra UI, under the
administration section. Contact Guardicore support for further instructions.

Deception Limited Capabilities (INFO): The Deception module has limited functionality due to
a missing WinPCAP installation on the server. ARP redirections won't be supported.
Suggested Action: Install WinPCAP 4.13 on the server, or use the Agent's UI to collect a
diagnostics package for a support ticket.

Security Software Detected: The Agent detects another security software. If this causes
compatibility problems, whitelisting the software is suggested.
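The Agent Missing, No Reveal Reported and Memory Limit Reached flags from the table above, together with the 24-hour removal from the Agents screen noted earlier, re-derived from recorded telemetry in a small health evaluator. This is an added example, not Guardicore's code: the AgentReport fields, the 15-minute default standing in for the configurable "X minutes", and the per-module memory limits are assumptions; only the 90%, one-hour and 24-hour thresholds come from the page. The sample telemetry is constructed so the block runs offline.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

MODULES = ("reveal", "enforcement", "detection", "deception", "controller")


@dataclass
class AgentReport:
    """Constructed per-Agent telemetry; the field names are assumptions, not Centra's schema."""
    name: str
    last_seen: datetime                      # last time Management detected the Agent
    last_reveal: Optional[datetime]          # last Reveal data reported (None = never)
    memory_used_mb: Dict[str, float] = field(default_factory=dict)   # per module
    memory_limit_mb: Dict[str, float] = field(default_factory=dict)  # configured limit per module


def evaluate_flags(agent: AgentReport, now: datetime,
                   missing_after: timedelta = timedelta(minutes=15)) -> List[Tuple[str, str]]:
    """Return (flag, severity) pairs following the Flags table semantics.
    missing_after stands in for the page's configurable 'X minutes' (15 is an assumption)."""
    flags: List[Tuple[str, str]] = []

    # Agent Missing (ERROR): not seen in the last X minutes.
    if now - agent.last_seen > missing_after:
        flags.append(("Agent Missing", "ERROR"))

    # No Reveal Reported (WARNING): no Reveal data in the last hour.
    if agent.last_reveal is None or now - agent.last_reveal > timedelta(hours=1):
        flags.append(("No Reveal Reported", "WARNING"))

    # Memory: modules at or above 90% of their configured limit.
    over = [m for m in MODULES
            if agent.memory_limit_mb.get(m, 0) > 0
            and agent.memory_used_mb.get(m, 0) >= 0.9 * agent.memory_limit_mb[m]]
    if len(over) > 1:
        # More than one module over the line is the ERROR-level "Memory Limit Reached".
        flags.append(("Memory Limit Reached", "ERROR"))
    elif over:
        # A single module gets its own WARNING-level flag, e.g. "Reveal Memory Limit Reached".
        flags.append((f"{over[0].capitalize()} Memory Limit Reached", "WARNING"))
    return flags


def visible_on_agents_screen(agent: AgentReport, now: datetime) -> bool:
    """Agents disconnected for more than 24 hours are hidden from the Agents screen
    (their Asset is never removed from the Assets screen)."""
    return now - agent.last_seen <= timedelta(hours=24)


# Constructed sample telemetry and reference time.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    AgentReport("web-01", NOW - timedelta(minutes=1), NOW - timedelta(minutes=5),
                {"reveal": 40, "enforcement": 30}, {"reveal": 100, "enforcement": 100}),
    AgentReport("db-02", NOW - timedelta(hours=26), NOW - timedelta(hours=26)),
    AgentReport("app-03", NOW - timedelta(minutes=2), NOW - timedelta(minutes=3),
                {"reveal": 95, "enforcement": 91, "detection": 10},
                {"reveal": 100, "enforcement": 100, "detection": 100}),
    AgentReport("fs-04", NOW - timedelta(minutes=2), NOW - timedelta(minutes=3),
                {"detection": 92}, {"detection": 100}),
]


def run() -> Dict[str, List[Tuple[str, str]]]:
    """Evaluate every sample Agent against the reference time."""
    return {a.name: evaluate_flags(a, NOW) for a in SAMPLE}


if __name__ == "__main__":
    for name, flags in run().items():
        print(name, flags or "OK")
```

Deriving the flags from telemetry this way is how an external check that mirrors the Flags column would be written, for instance to alert when many Agents go Missing in the same window, which usually points at an Aggregator or network problem rather than at the Agents themselves.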

Agents Filters
The Agents screen provides a large number of filters to enable you to quickly locate Agents
conforming to your specifications. Filters can be combined to narrow down your search.
Filters include the following:

Filter Filters Agents by

Asset Status: Status of the assets on which they are deployed: Offline or Online.

Agent Version: Software version.

Label: Labels that Agents were assigned.

Label Group: Label Group.

Module status: Active Agent module: Enforcement, Detection, Deception, Reveal.

Module limitations: Agent Modules that are absent or not functioning.

Aggregator: The Aggregator to which the Agent is associated.

Flags: Flags raised by the Agents' activity.

OS: The operating system of the asset on which the Agent is deployed.

Kernel: The operating system kernel (version) of the asset on which the Agent is deployed.

Activity: The time period in which the Agent was active.

Upgrade: Enables filtering Agents according to their upgrade (upgrade name and time).

By combining filters, you can narrow the list of Agents to just those that have the
specifications that you selected. For example, the following screen has filtered Agents by OS
(Windows) and Module Status (Enforcement Module Error):

More button
The More button provides the following options for selected Agents:

Options What it does

Set modules state: Pause or Run the selected Agents.

Override configuration: Opens the Agents Configuration screen that enables administrators
to change settings for the Enforcement, Reveal, and Detection modules, as well as the
Agent Controller. The many settings of these options are relevant to particular tasks that the
administrator may wish to perform and are discussed in the corresponding Administration
Guide articles.

Reset to Profile Defaults: Resets the configuration of selected Agents to their profile
defaults.

Add/Remove Label: This option enables you to add or remove labels from multiple Agents.
Type the Key and Value of the label that you want to add or remove:

Get Agent Diagnostics
The Get Agents Diagnostics button enables you to collect diagnostics information for any
Agent or a group of Agents and send it to Guardicore Support. You can do this remotely
from Guardicore Management and collect information for troubleshooting Agent issues. In
the Agents screen, select any Agent and click the Get Agent Diagnostics button. The
diagnostic collection takes a few minutes to generate a compressed archive. Information
collected and saved in the Linux package includes current date and time, kernel version,
system uptime, system load, memory usage, list of processes, list of installed packages and
more. Diagnostics collected from the Windows Agent include running processes, installed
services and their status, ETW consumers, connectivity certificate validation, and more.

To run Diagnostics:

1. On the Agents screen, select any Agent for which you want to collect information and
click the Get Diagnostics button.

The Agent Diagnostics window opens:

2. Under Advanced Options select/deselect the relevant diagnostic information.

3. Click Start to start collecting logs, network information, and system status. This may
take a few minutes.

Once the diagnostics collection is complete, you will receive a Zip file that includes the
requested information.

Enforcement Monitoring Modes

Enforcement modules can be installed and/or configured in the following modes: Reveal
Only, Monitoring, Enforcing. The modes enable testing policies without enforcement. You
can change the Agent's Enforcement mode directly from the Agents screen by selecting the
Agent and clicking the Set Enforcement State button:

Monitoring Mode
Monitoring mode enables you to review policy rules and their results before you actually
implement them. Agents set to Monitoring mode will react to violating flows by sending an
Alert (whether the rule was set to Alert or Block) and the violating incident will also appear in
the following:

• As an incident in the All Incidents screen (and in any of the relevant screens under
Incidents).

• In the Reveal map as a red flow.

• In the Network log as a violating incident.


Reveal Only Mode
Reveal Only mode has the same functionality as Monitoring mode, except policy verdicts for
this Agent do not appear in the Network log. This means that Policy mismatches between
the Agent and Management are not recorded (see Network log for more details).

Enforcing Mode
The Agent will enforce Alert and Block rules. Violations will appear in the Reveal map, in the
Incident screens, and in the Network log. The Network log will also show policy mismatches
between Agent and Management when these occur.

Disabled
If the Enforcement module is disabled, it cannot monitor or enforce policy rules. By default,
an Agent is installed with its Enforcement module enabled. Only an administrator can disable
an Agent’s Enforcement module. See Agent Administration Lock for details.

Following is a summary of the Enforcement modes, listing for each mode its Reveal
capabilities (deep visibility for network flows), Policy Violation Alerts, Policy verdicts in the
Network Log, and Policy Enforcement:

Disabled: none of the capabilities listed above.

Reveal Only: Reveal capabilities ✓; Policy Violation Alerts only for Block+Alert or Alert
rules ✓; no Policy verdicts in the Network Log; no Policy Enforcement.

Monitoring: Reveal capabilities ✓; Policy Violation Alerts only for Block+Alert or Alert
rules ✓; Policy verdicts in the Network Log ✓; no Policy Enforcement.

Enforcing: Reveal capabilities ✓; Policy Violation Alerts only for Block+Alert or Alert
rules ✓; Policy verdicts in the Network Log ✓; Policy Enforcement ✓.

Agent Roaming: Enforcement Mode Outside Office
Centra V39 enables Enforcement policies to be disabled on laptops that are taken out of the
company network. This enables end-users to use their laptops for online activities outside of
the company's home network. The feature is currently supported for Windows Desktop
Agents and configured on the Agents screen for the selected Agents.

To configure the feature, follow this procedure:

1. On the Agents screen, select the Agents that you want to configure. To configure in
bulk, you can use the filters at the top of the screen to specify the Agents that you
want to configure and select Apply to all.

2. Click the More button and select Override configuration:

The Agents Configuration screen appears:

3. On the Agents Configuration screen, make sure that Enforcement Module is selected
and scroll down to Disable Enforcement module outside the office network:

4. Select the Disable enforcement module outside of the office network checkbox.

5. In the Office domain name box, specify a domain name that the Enforcement feature
will use to identify the office network.

6. Click Save changes; the selected Agents are reconfigured to support the feature.

Deleting Agents from the System
The Agents screen enables you to delete Agents from the database:

1. On the Agents screen, select the Agent(s) that you want to delete.
2. Click the Delete icon; the following message appears:

3. Click the Remove from database button. The Agent is removed from the database
but as long as its certificate is not revoked, it can still function and it will attempt to
reconnect to the system and re-register. After a successful connection, the Agent will
appear in the system with a default Agent configuration.

4. To fully remove an Agent and prevent it from reconnecting to the system, the
administrator must uninstall it and optionally revoke its certificate. When an external
Public Key Infrastructure (PKI) is being used, the Agent certificate will be marked as
“pending for revocation”. The system administrator can revoke the Agent’s certificate
which ensures that the Agent is fully removed and cannot reconnect.

Deleting Agent files after Uninstall

The new Purge command enables deleting Agent files after uninstall for both Windows and
Linux. The Purge command removes all Agent installation leftovers:

In Windows:

C:\Program Files\Guardicore\Uninstall.exe /purge

In Linux: gc-agent uninstall --purge

Remote Agent Upgrade
Upgrading Agents from the Agents Screen
Administrators can upgrade Agents directly from Centra’s Agents screen. To upgrade, the
administrator simply selects the Agent or Agents to be upgraded and clicks the Remote
Agents Upgrade button:

A dialog box appears enabling the Administrator to type a name (description) for the upgrade
and start the upgrade process:

After the administrator clicks the Start button, the Agent upgrade starts and the upgrade
process is indicated by a revolving arrow icon that turns green when the Agent upgrade is
successful. The arrow is orange if the upgrade is skipped.

On the Agents screen, administrators can filter the list of Agents by Upgrade (according to
the Upgrade description).

Note: You can run one upgrade process on multiple Agents, but you cannot run multiple
upgrade processes (i.e. you cannot simultaneously run two different upgrade versions).

In addition, the Remote Upgrade History screen provides detailed information on each Agent
upgrade. The screen is accessed by clicking Upgrade History under the Centra Agents
menu:

After the upgrade, the Agent version is displayed in the Version column:

Remote Upgrade History Screen

The Remote Upgrade History screen displays upgrades that have been performed in the
past and includes information on how many Agents were successfully upgraded (or Failed to
upgrade), how many were Skipped (because they were already upgraded to the upgrade
version), etc.

Installation Profiles
Agent installation profiles allow you to customize your initial Agent configuration and provide
the following benefits:

• Allow you to manage all Agent installation configurations from a single location.

• Eliminate the need for using configuration attributes as parameters for the local
installation of Agents on the server.

Installation profiles are relevant for install time only. Agent configuration can always be
changed after installation by selecting “override configuration” from the Agents screen. You
can also reset an Agent’s configuration to its profile as described in the Reset Configuration
to Profile section.

Installation Profiles List

To view and manage your installation profiles, you can open the Installation Profiles page in
Centra’s Administration screen, under Agents/Installation Profiles:

The Installation Profiles screen enables you to browse available profiles, create new ones,
edit existing profiles and delete those that are no longer needed. The screen also enables
you to modify the default installation profile.

The screen displays the following columns:

Column Description

Profile Associates the Agent installation to a profile. See Agent Installation section
Name for detailed explanation.

Usage The number of Agents in the system that were installed and associated with
this profile. The number represents only Agents that are currently registered
in Centra.

Description An optional description of the profile.

Author The name of the user who created the profile.

Created The date that the profile was created.

Modified The last date that the profile was modified.

Default Installation Profile

Any Agent that is installed without an installation profile is associated with the default profile.

The default profile is also used as a base profile for any customized installation profile. Each
attribute that was changed in some customized installation profile, overrides the default
profile attribute.

You can edit the default installation profile by clicking on Edit:

Note: Modifying the default profile will not affect installed Agents, but will affect any new
Agent installation, regardless of the defined profile. This is because the default profile is the
base of any custom installation profile. Attributes that were changed in the custom
installation profile won’t be affected by changes in the default profile.

Create a New Profile

You can add a new installation profile by clicking on the Add new profile button:

Now you can define the installation profile name that will be used by any Agent installation
procedure. The installation profile name cannot be changed after it is created.

You can now select which attributes you want to set and override. Any override replaces the
value defined by the default installation profile. Any unchanged attribute gets the value
defined by the default installation profile.

When installed, any new Agent associated with this profile will have attributes as follows:

• Unchanged attributes will get the values of the Default profile.

• Attributes that were modified with override values will get the modified values of the
new customized profile.

Agent Installation
To install an Agent with an installation profile you need to specify it during installation. The
Agent will be installed with the Default installation profile in the following cases:

• No installation profile was specified.

• A previous version (4.31.X.X or older) of the Agent was upgraded.

• A non-existing installation profile was specified.

In each of these cases, a message indicating that an Agent was installed with the Default
profile will be logged in the Agent Log Screen in the Centra UI. Changing an installed
Agent’s attributes by changing its installation profile is not currently supported.

To change an Agent’s attributes, you need to override its configuration through the Override
Configuration option in the Agents screen.

To change an Agent’s installation profile, you’ll need to uninstall the Agent and reinstall it
with the new installation profile.

Note: After installation, it might take up to 5 minutes for the Agent to be initialized with its
installation profile.

Install Windows Agent with an Installation Profile
1. You can specify the installation profile through the Agent installer user interface.

2. You can specify the installation profile using the installer CLI:

windows_installer.exe /q /a 172.16.100.50 /p <password> /installation-profile <installation_profile_name>

Install a Linux Agent with an Installation Profile

You can set the installation profile for a Linux Agent by specifying the designated
environment variable before the standard installation commands:

export GC_LOGGING_PROFILE=<profile>

Edit an Installation Profile

You can edit installation profiles, but remember that your changes affect newly installed
Agents only. Editing a profile does not directly affect Agents that are already installed.
However, you can reset an Agent's configuration to its profile, which applies the most
up-to-date profile configuration (i.e., the profile configuration as you most recently edited it).

Note: If you modify the default profile, remember that this also affects the other profiles, since
every other profile is defined as a set of modifications of the default profile.

Reset Configuration to Profile

You can always reset the configuration of a single Agent, or of multiple Agents, to their
installation profile configurations.

Selecting Reset to profile defaults will display a description of the operation. The listed
Agents will reset their configuration to the configuration of the profile listed in the Target
Profile column:

When an Agent is installed, its profile appears in the Installed Profile column. If the profile no
longer exists, the value in the Target Profile will be default.

Agents Log
The Agents Log screen (Administration/Agents/Agent Log) includes a Message column that
displays all the events related to the Agent such as unsuccessful installation attempts, Agent
flags, etc. When there are events that span multiple Agents, messages are aggregated. This
means that one message may apply to dozens of Agents.

The Reported Agents column displays the number of Agents for whom the message applies.
The number is a link that, when clicked, displays a list of Agents covered by the message:

Clicking an Agent in the list displays the Agent's information on the Agents screen:

Use the Agent Log in the following cases:

Failed Agent installation    Your Agent installation has failed and you expect the Agent Log to tell you what the reason was.

Agent flag raised            A certain flag has been raised on several Agents. The Agent Log can provide information on how many Agents are involved.

Free Text Search Tool

You can use the free text search to find events related to a specific Agent, e.g. failed
installation attempts, removed flags, etc. From this log you can understand why these
attempts were unsuccessful.

Data Center
The Orchestration screens allow you to connect to the underlying data center and receive
information from the Orchestration (Azure, Kubernetes, etc.). The Deployment screen
displays the list of hypervisor agents installed across the data center along with their
assigned Aggregators.

Deployment
This screen displays the list of hypervisor agents installed across the data center along with
their assigned Aggregators.

Orchestrations
An orchestration provides metadata on the assets deployed in your data center environment.
This information complements the information provided by GuardiCore Agents which is
typically more limited in scope. For example, information coming from orchestration may
include the name of the VM host in which the asset resides (vSphere), tags assigned to the
asset, and more. Orchestration enables you to access more information about your assets.
Orchestration is optional; you can deploy GuardiCore Centra without orchestration and rely
on the information coming from the Agents alone.

Support for multiple orchestrations

GuardiCore Centra allows multiple orchestrations, including AWS, vSphere, Kubernetes,
OCI, OpenStack, and Azure, to run together. Each orchestration has its own configuration
screen. The orchestration feature is enabled during installation. When any of the supported
cloud orchestration drivers is activated, you can see orchestration data in the Reveal
sidebar. Optional orchestration metadata labels are also supported.

Tip: In AWS, the Add key allows management of several regions. Make sure you have a
valid entry for each region. Fill in the info for each region separately even if the key and ID
are identical.

To select one or more orchestrations:

1. From Administration, click Data Center > Orchestrations.

2. Click and select the type of orchestration.

3. Fill in the fields and click Save. Instructions on how to fill in the fields for each
Orchestration are contained in the following sections.

AWS Orchestration
Importing orchestration data helps you label your assets and build policies around them.
Centra enables you to import orchestration data from AWS. Centra's Aggregator connects to
the AWS API to pull metadata on Elastic Compute Cloud (EC2) workloads, VPC flow logs,
and more. This article explains how to configure AWS orchestration.

Managing AWS Access

In order to pull metadata from EC2, you must establish authentication between the
Aggregator and AWS. The authentication method depends on the location and permissions
of the Aggregator.

There are three ways to establish AWS authentication:

• EC2 IAM Role

• Guardicore Delegate Access

• Customer Credentials

EC2 IAM Role

This is the recommended implementation if you have an Aggregator running under a VPC
that belongs to the account that you want to monitor. The role must have a policy attached
with all the required authorizations (see AWS Policy definition).

Guardicore Delegate Access

This is the recommended implementation if you need to monitor multiple accounts. The
assumed role in these accounts must have a policy attached with all the required
authorizations (see AWS Policy definition).

Customer Credentials

This is the only available option if the Aggregator is running outside the AWS environment.
The customer must create an IAM user with programmatic access only (access key/secret
key); console access is not required. The user must have a policy attached with all the
required authorizations (see AWS Policy definition).

AWS Policy definition

In order to authorize the queries that the orchestrator makes, you need to create a custom
policy or use a predefined AWS policy.

AWS provides a read-only policy, "AmazonEC2ReadOnlyAccess", that has a superset of the
required permissions.

If you want to create a custom policy with the minimal required authorization, you can use
the following JSON definition:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Orchestrator",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeRegions",
                "ec2:DescribeInstances",
                "ec2:DescribeImages",
                "ec2:DescribeAvailabilityZones"
            ],
            "Resource": "*"
        }
    ]
}
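The following Python script is an added example; it is not part of this manual and not Guardicore code. It reads an IAM policy document and compares the actions it grants with the minimal action set above, reporting actions that are missing, actions granted through a wildcard such as ec2:Describe* (which covers the required calls but also every future Describe call), and actions the orchestrator does not need. The three sample policies in the script are constructed for the demonstration.

```python
"""Least-privilege check for the IAM policy attached to the orchestration role or user.

Added example; not Guardicore code.  It compares an IAM policy document with
the minimal action set from the policy definition above and reports what is
missing, what is granted through a wildcard, and what is granted but not needed.
"""
import fnmatch
import json

# Minimal action set taken from the policy definition above.
REQUIRED_ACTIONS = frozenset({
    "ec2:DescribeVpcs",
    "ec2:DescribeSubnets",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeRegions",
    "ec2:DescribeInstances",
    "ec2:DescribeImages",
    "ec2:DescribeAvailabilityZones",
})

# Constructed sample policies used to exercise the check.
MINIMAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Orchestrator",
        "Effect": "Allow",
        "Action": sorted(REQUIRED_ACTIONS),
        "Resource": "*",
    }],
}
# The minimal policy plus a write action that a read-only integration never needs.
OVERBROAD_POLICY = json.loads(json.dumps(MINIMAL_POLICY))
OVERBROAD_POLICY["Statement"][0]["Action"].append("ec2:TerminateInstances")
# A wildcard covers every required action, and every future ec2:Describe* call too.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a single string (or object) or a list for Action and Statement."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def allowed_actions(policy):
    """Collect the actions granted by Allow statements (Deny statements are ignored)."""
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action")))
    return granted


def _matches(pattern, action):
    # IAM action names are case-insensitive and use * and ? as wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_policy(policy):
    """Classify the granted actions against REQUIRED_ACTIONS.

    Returns the missing actions, the wildcard grants, the unneeded extra actions,
    and a least_privilege verdict that is True only for an exact, wildcard-free match.
    """
    granted = allowed_actions(policy)
    wildcards = {a for a in granted if "*" in a or "?" in a}
    covered = {a for a in REQUIRED_ACTIONS
               if a in granted or any(_matches(w, a) for w in wildcards)}
    extra = granted - REQUIRED_ACTIONS - wildcards
    return {
        "missing": sorted(REQUIRED_ACTIONS - covered),
        "wildcards": sorted(wildcards),
        "extra": sorted(extra),
        "least_privilege": covered == REQUIRED_ACTIONS and not wildcards and not extra,
    }


if __name__ == "__main__":
    for name, policy in (("minimal", MINIMAL_POLICY),
                         ("overbroad", OVERBROAD_POLICY),
                         ("wildcard", WILDCARD_POLICY)):
        print(name, json.dumps(check_policy(policy)))
```

To review a policy exported from the console, load it with json.load and pass the resulting dictionary to check_policy; a non-empty "extra" or "wildcards" list means the role grants more than the orchestrator needs.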

Starting AWS Orchestration Configuration

To start configuring AWS orchestration:

1. In the Administration panel, select Data Center/Orchestrations and click the Add
Orchestrations button. The Add New Orchestration dialog box appears.

2. In the Type field, select AWS, and in the following fields, type a name for the
orchestration and select a GC cluster.

Configuring AWS Authentication

The administrator uses the following section of the Add New Orchestration dialog box to
configure AWS authentication as explained in the sections below:

Configuring EC2 IAM Role Authentication
1. Verify that an AWS IAM role has been created. For instructions on how to create an
AWS IAM role, see the section at the end of this article, or refer to AWS
documentation.

2. In the authentication method field, select EC2 IAM Role. There is no need to fill out
any other Authentication fields and you can proceed to the region name field.

Note: If you want to assume a different role, use the role arn field to type a new Amazon
Resource Name (ARN) of the role to assume.

Configuring Guardicore Delegate Access Authentication

Guardicore Delegate Access is configured by Guardicore Support. To configure
authentication, the customer must supply the external id and the role arn to Guardicore
Support.

Configuring Customer Credentials Authentication

1. In the authentication method field, select Customer Credentials.

2. In the access key id field, provide an AWS access key id.

3. In the secret access key field, provide the AWS secret access key that belongs to that access key id.

4. Proceed to the region name field.

Creating an AWS IAM role

For an explanation of AWS IAM roles, see What is IAM?

Following are instructions for creating an AWS IAM role from the console:

1. In the AWS console's navigation pane, choose Roles, Create role.

2. For Role type, specify Another AWS account.

3. In Account ID, type the AWS account id to which you want to grant access to your
resources.

4. Choose Next: Permissions, and select a permission policy from the list. To create a
new policy, choose Create Policy.

5. Choose Next: Tags, and add an optional tag.

6. Choose Next: Review, and for Role Name type a unique name for the role (not case
sensitive). Type an optional Description for Role description.

7. Choose Create role.

8. Provide users in the trusted account with permissions to switch to the role in the
console. See Granting a User Permissions to Switch Roles.

Orchestration Information Appears On the Assets Page

Once you have configured Orchestration you will be able to see the information coming from
the orchestration on your Assets page. The Assets page features an Orchestration column
that shows whether an asset is a vSphere, AWS or K8s asset. Metadata coming from the AWS
orchestration includes IP addresses, MAC addresses, security groups, tags (a tag made of a
key and a value is assigned to any new VM in AWS), instance ID and more. AWS tags are
useful for Reveal grouping (Production, Testing, etc.), segmentation policies (labels) and File
Integrity Monitoring (FIM).

Azure Orchestration
Azure Orchestration enables you to complement the information provided by GuardiCore
Agents. For example, information coming from Azure orchestration may include Azure tags
assigned to the asset, and more. Find more information about Azure Tags here.

How to Configure Azure Orchestration

To configure Azure orchestration you need to configure a read-only user in the Azure
account, assign user permissions and configure Azure orchestration in the Centra management.

Configure a read-only user in the Azure account

1. Login to the Azure portal.

2. Choose Azure Active Directory > App Registrations.

3. Click on New application registration and fill in the fields. Note that the URL field is
not important; you only need to add the client's system URL.

4. Configure a key for the application.

Add permissions to application user

1. Locate the subscription you want to cover using the orchestration and click
Access control (IAM).

2. Add the application user you created to the 'Reader' role. Note that you need to
add the reader role to each subscription that you want to cover in the
orchestration.

Configure Azure orchestration in the Centra management

1. From Administration, select Orchestrations.

Note: Each orchestration is configured per subscription. So, for example, if you have 3
subscriptions under your Azure account you will be required to configure 3 separate
orchestrations with the same user.

2. Fill in the fields:

• Name - set a name; it makes most sense to use the subscription name.
• GC Cluster - choose the correct cluster the orchestration should run from.
• Tenant id - add the tenant ID of the Azure target environment, referred to as
'directory id' in the UI.
• Subscription Id - add the target subscription ID within the account.
• Application Id - add the orchestration user application ID.
Important notes

• Tag info is fetched every 30 seconds by default.

• Full VM info is pulled every 30 minutes by default, configured by the new parameter
at the bottom, 'Orchestration IP cache timeout'.

• The Azure API allows only 12k calls an hour, so for example if you want a full data
fetch each minute you are limited to 200 assets before the API starts glitching.

• In release 29, in case of an API error the orchestration will crash and restart. The log
should be visible as any system log.

• The asset info update interval needs to be changed if there are more than 10K assets
within the account.

F5 Integration
For networks that use F5 Big-IP Local Traffic Manager (LTM), Centra provides visibility for
flows passing through the Big-IP on monitored virtual servers. After the Centra administrator
configures F5 Orchestration, the virtual servers appear as assets on the Assets screen and
are labeled as Role:F5 Big-IP. Centra then consumes connection events over IPFIX to
display the flows to and from the virtual servers as continuous flows on the Reveal map.

Note: F5 orchestration only pulls virtual servers under the /Common partition. Using other
partitions isn't currently supported.

F5 device integration with Centra consists of three stages:

Stage 1: Install IPFIX collectors in Centra component installation.

Stage 2: Specify orchestration parameters in Centra's Administration screen (Data
Center/Orchestrations/F5).

Stage 3: IPFIX collector setup in F5 (including required iRules).

Note: You can reverse the order of stages 1 and 2 as desired.

Configuration and Setup

Stage 1: Guardicore IPFIX Collector Installation

The first step is to install GC-IPFIX collectors. GC-IPFIX collectors can be installed along
with other Centra components during Centra installation. See the Installation Guide for
details.

Stage 2: Specify Orchestration Parameters in Centra

Orchestration enables importing the following F5 metadata into Centra: service port, SNAT
pool, source address pool, F5 version, description, profiles, destination pool name,
destination pool addresses. You can control which metadata is imported as labels by
following these instructions:

1. Access Centra’s Administration screen and select Data Center > Orchestrations; the
Orchestrations screen is displayed:

2. Click the button to display the Add New Orchestration dialog box:

3. In the Type box, select F5; the following screen is displayed:

4. Type a Name for the Orchestration and select a Cluster. Up to 15 devices can be
added to the Orchestration cluster.

5. Click the button next to F5 Big IP Device List; the following section of the
dialog box is displayed:

6. To add a device, type an IP address, user name, password, and optional webhook
url.

7. Click to add another device or proceed to the next section of the dialog box:

8. To enable the creation of metadata into Centra as labels, select the Metadata Labels
checkbox.

NOTE: the following metadata is imported as labels when the Metadata Labels checkbox is
selected: service port, SNAT pool, source address pool, F5 version, description, profiles,
destination pool name, destination pool addresses.

If you do not check this box, the metadata is still imported but does not show up as labels.
The metadata may be displayed in other places, such as the details on the Assets page.

9. For Orchestration Full Report Interval, type the number of seconds to elapse before
another orchestration report is generated.

10. To convert custom Tags into Centra Labels, in Labeling Strategy, select either
Enabled or Predefined. When Enabled is selected, all custom orchestration Tags will
be imported into Centra. When Predefined is selected, you can list the metadata to
import as labels in the Predefined Labels box.

11. If you selected Predefined for Labeling Strategy, click Predefined Labels and list the
Label keys to be imported from Orchestration.

12. If you selected Enabled for Labeling Strategy, click Label Key Translation and list the
label keys to translate on import. Each label key should also list the target label key
like this: F5 Version -> Version.

13. Click Test Connection, and if successful, click Save.

Stage 3: IPFIX Reporting Setup in the F5 Device

This stage configures the logging of network events to the IPFIX collectors. The configuration
includes the following activities:

1. Download the iRule files supplied by Guardicore. The iRules create IPFIX logs to
record network events, and send them to the IPFIX devices via a publisher as
explained below. Instructions for importing the iRules to the Virtual Server are
provided in a later step.

2. Create a pool of IPFIX collectors.

3. Create a log destination to format the logs in IPFIX templates and forward them to
the IPFIX collectors.

4. Create a log publisher to send logs to a set of specified log destinations.

5. Create a virtual server to process network traffic, or edit an existing virtual server.
Copy the contents of the iRule file and add the iRules to the virtual-server
configuration so that the iRule parses all of the virtual server's network traffic.

Download the iRules file from Guardicore

Access this link to download the file: https://guardicore.zendesk.com/hc/en-us/articles/360013447080

Create a Pool of IPFIX Collectors

To create a pool of IPFIX collectors to receive the IPFIX logs, do the following:

1. Before starting the procedure, obtain a list of IP addresses for the F5 IPFIX collectors
that will compose the pool.

2. In the F5 IPFIX Configuration screen, select Local Traffic > Pools > Pool List:

3. Specify a Name for the pool.

4. Under Resources, under New Members, for each F5 IPFIX collector, specify:

• a Node Name (optional)

• an IP address

• a Service Port of 4739

For existing F5 IPFIX collectors, click Node List and select an IP address from the Address
list.

Create a Log Destination for the IPFIX Collectors

1. On the Main tab, select System > Logs > Configuration > Log Destinations:

The Log Destinations screen appears:

2. Click the button at the right side of the screen. The General Properties
section is displayed.

3. In the General Properties section, specify a Name for the Log Destination and under
Type select IPFIX:

The IPFIX Settings section appears.

4. Under IPFIX Settings specify the following:

Field                           Value

Protocol                        IPFIX

Pool Name                       Select the name of the pool that you created above.

Transport Profile               udp

Template Retransmit Interval    Number of seconds to wait before retransmitting the Log Destination template. The log destination periodically retransmits all of its IPFIX templates over a UDP connection. The retransmissions are helpful for UDP connections, which are lossy.

Template Delete Delay           Number of seconds that the BIG-IP device should pause between deleting an obsolete template and re-using its template ID.

Server SSL Profile              Choose an SSL profile that is appropriate for the IPFIX collectors' SSL/TLS configuration. SSL or TLS requires extra processing and therefore slows the connection, so this is only recommended for sites where the connections to the IPFIX collectors have a potential security risk.

5. Click Finished.

Create a Log Publisher

The publisher specifies where the BIG-IP system sends log messages for IPFIX logs.

1. On the Main tab, select System > Logs > Configuration > Log Publisher:

The Log Publishers screen is displayed:

2. Click the button at the right side of the screen. The General Properties and
Log Destinations sections are displayed.

3. Under General Properties, specify a unique name for the publisher and an optional
description.

4. Under Log Destinations, select an existing IPFIX destination by clicking a destination
in the Available list, and clicking << to move it to the Selected list.

5. Click Finished.

Create an iRule

You need to create two iRules to log TCP and UDP events. Follow this procedure twice to
create the iRules in the system:

1. Open the downloaded iRule files in a text editor and replace the text
<GC_Log_Publisher> with the name of the publisher you created.
• Note that the name must include the full path, i.e. /common/guardicore_ipfix_pub.
• Save the updated file.

2. On the Main tab, click Local Traffic > iRules.
The iRule List screen displays a list of existing iRules.

3. Click the Create button.
The New iRule screen opens.

4. In the Name field, type a unique name for the iRule:

5. In the Definition field, paste the content of one of the iRule files that was downloaded
from Guardicore.

6. Click Finished and return to step 1 to repeat this procedure for the other iRule.

NOTE: The contents of each file must be pasted separately into different iRules, so you
need to perform the above procedure once for each iRule.

Attach iRules to Virtual Servers

After creating the IPFIX pool, and the log destination and publisher, you need to attach the
iRule to each virtual server that should be monitored:

1. On the Main tab, click Local Traffic > Virtual Servers.
The Virtual Server List screen opens.

2. Click on the name of the virtual server that should be monitored and go to the
“Resources” tab:

3. For the iRules setting, click the button and from the Available list, select
the name of the iRule that creates custom IPFIX logs. Click >> to move the name into
the Enabled list:

4. Click Finished.

The virtual server is now configured to use the iRule for IPFIX logging and sends customized
IPFIX logs for every connection it makes.

F5 Assets
After F5 Orchestration has been configured, F5 Assets appear on the Assets screen. Each
asset appears with a name that is a combination of the device name and the virtual server
name. The assets are labeled with Role:F5 Big-IP and F5-device:<device name>.

IPFIX Collector Installation

Deployment of IPFIX collectors is required if you want to configure Big-IP F5 orchestration
with Centra.

To deploy an IPFIX collector:

1. Login to the collector VM as root, and run aggr-setup.

2. For Component Type, select IPFIX Collector and click OK.

3. Configure the network interface:

4. Choose Static to set the Guardicore Network interface manually:

5. Configure the interface settings:

6. Enter the IP address of the Management Server in the Guardicore network:

7. Enter the Secure Communications password as set in the installation of the
Management Server:

8. Click OK.

9. In Advanced Settings, configure any setting you wish to change/use. Otherwise
select Continue.

Advanced Setting Configuration

Advanced settings are only relevant if you intend to configure a webhook for a collector in
the Centra F5 orchestration. If you intend to configure a webhook, do the following for the
relevant collector:

10. Under Advanced Settings, select Set Aggregator Cluster Roles:

11. Click OK and continue to the Cluster Roles dialog box:

12. Select ClusterOrchestrationServiceHost and click OK.

GCP (Google Cloud Platform)
Introduction
Importing orchestration data helps you label your assets and build policies around them.
Centra enables you to import orchestration data from GCP (Google Cloud Platform). When
GCP orchestration is configured, Centra's Aggregator connects to the GCP API to pull
metadata on GCP workloads.

Configuring GCP Orchestration

There are two major steps to configuring GCP orchestration:

Step 1: Set Up a Read Only Service Account in GCP.

Step 2: Add GCP orchestration to Centra.

These steps are explained in the following sections.

Step 1: Set Up a Read Only Service Account in GCP

1. Create a Project in GCP (see GCP's Create a Service Account).

2. In the top-left corner of the GCP console, click Menu and select IAM & Admin/Service
accounts. The Create Service Account dialog box is displayed.

3. Enter a name and description for the service account and click Create.

4. Assign the role of Project viewer to the new account.

5. Click Continue/Create Key.

6. Ensure the key type is set to JSON and click Create.
You'll see a message that the service account JSON file has been downloaded to
your computer.

7. Make a note of the location and name of this file. You will need it later.

8. Assign the service account permissions to the additional projects that need to be
covered with Centra. No need to create a service account per project.

9. Click Close/Done.

10. In the list of service accounts, click the email address that relates to the service
account you created and click Edit.

11. Click View Domain Wide Delegation Client ID.

12. In the Product name for the consent screen field, enter a product name.

13. In the Email address field, use the default email address or assign a new email
address.

14. Click Save.

Step 2: Add GCP Orchestration to Centra
1. In Centra’s Administration menu select Data Center/Orchestrations and click the +
Add Orchestration button. The Add New Orchestration dialog box appears:

2. In the Add New Orchestration dialog box specify the following:

Field                               Value

Type                                GCP

Name                                Name of the Orchestration

GC Cluster                          Aggregator cluster on which this orchestration should be deployed

Service Account                     Service account email of the account created in the previous section

Project List                        This option allows you to configure more than one project per orchestration. Add a comma delimited list of project IDs.

Private Key                         Paste the private key downloaded in the previous section.

Label Key Translation               Enables you to control the way imported labels appear in Centra. So, for example, you can specify that a tag such as OrchestrationAppName should be imported into Centra as App.

Labeling Strategy                   This refers to how you want to import custom Tags into Centra. Three strategies are provided:
                                    Enabled: all custom orchestration Tags will be imported into Centra.
                                    Disabled: no custom orchestration Tags will be imported into Centra.
                                    Predefined: List the custom Tags to import into Centra. This is done by supplying a list of keys to import.
                                    Note: Labeling Strategy only affects custom tags that users created for F5 and does not affect the importation of metadata.

Predefined Labels                   List the keys to import as labels. This only applies to custom tags.

Metadata Labels                     When this is checked, GCP metadata is imported as labels.

Orchestration Full Report Interval  Number of seconds to elapse before another orchestration report is generated.

As with other Orchestrations, once you have configured the GCP orchestration you will be
able to see the information coming from the orchestration on your Assets page.

Inventory API
Inventory API is a dedicated Guardicore orchestration designed to create assets in agentless
environments. To enable scenarios in which asset information is fed to Centra from a
decentralized system (such as Chef recipes running on individual machines), Guardicore
added an API to allow adding new assets or information about assets. "Inventory" refers to
assets, containers etc.

This API enables customers to easily add a large amount of asset information to Centra,
using REST API calls to Aggregators (unlike the REST API that calls Management). Once
enabled, customers' scripts and automations will be able to create and name new Centra
assets (even without Agents) and add labels to existing assets in a distributed fashion. By
replacing IP addresses of agentless workloads with real asset names, customers get more
context when browsing Reveal maps and building segmentation policies. An asset added
through this API will appear on the Assets page with Inventory API in the Orchestration
column.

When to use the Inventory API?

The new orchestration should be used in the following cases:

• The user wants to report workload labels from the workloads themselves (for
example, using Chef recipes) and these labels might change. These workloads can
be with or without Agents.

• Customers have a centralized, continuously updated inventory of assets, which they
want to keep in sync with Centra. The inventory must have, for each server, all of its
IP addresses and a BIOS UUID (in case an Agent is, or will be, deployed on the
asset).

Why use the Inventory API?

Creating assets using this method results in an improved experience for the customer:

• Users can replace "unknown IPs" with labeled assets, instead of using labels.

• System performance is better when using assets instead of dynamic IP criteria.

How it works
An automation tool, running on the customer premises, calls a REST API method on the
Aggregators. This call contains specific asset parameters: name, IP and more. The
Aggregator then reports these assets to Centra, where they'll appear as if they arrived from
a regular orchestration. As with other orchestrations, these reports are merged with asset
information from other sources (other orchestrations and agent information), so it's safe to
report asset information, regardless of its coverage by other orchestration engines.

To configure the Inventory API

1. From Administration go to Data Center > Orchestrations and select InventoryAPI.

• Type - Select InventoryAPI
• Name - Give it a name, preferably descriptive
• Cluster - There can be multiple Inventory API Orchestrations per cluster
• Authentication scheme options: User+Password, User+Password+Token, or Token only.

The created users are not related to Centra users in any way; Centra credentials cannot
be used as REST API credentials, nor vice versa.

Note: you can create multiple user/password credentials by creating multiple
orchestrations of this type.

• Allowed Incoming Sources - Defines who can access this orchestration (optional
field): a comma separated list of CIDR blocks from which the Aggregators will accept the
REST API calls.

• Report expiration: how long (in seconds) an asset is considered "on" after the user
has last reported it to orchestration. After the expiration time is over, if an asset
wasn't reported to the REST API orchestration, it will be marked as "deleted" as we
assume it no longer exists. To prevent an asset from moving to the "deleted" state,
the Inventory API Orchestration must get continuous reports about the asset.

• Metadata Labels - checked by default.

Note: Other fields come pre-configured, so leave as is.

2. To create a Centra asset, call the REST API method on any of the Aggregators in the
defined cluster. The REST API call can contain information about one or more assets. Each
asset should contain the following information:

Asset ID           A unique ID for this asset. This unique ID must be created by the customer automation and must be reused when reporting the same asset on subsequent calls.

Asset name         This name will appear in Centra's Reveal maps and asset views.

List of addresses  The asset's IPv4 and IPv6 interface addresses.

BIOS UUID          The asset's BIOS UUID. Necessary when the asset might have an Agent installed on it (during report time or in the future). See Appendix for ways to get this value.

Labels             A list of label keys and values, attached to the assets.

Metadata           Optional parameters which will be attached to the asset and reported to the management console.

An asset added through the Inventory API will be displayed on the Assets page with Inventory
API in the Orchestration column:

REST API Example
The Aggregator serves the REST API from the same server and certificate as the "Guest
Installer" HTTPS interface (which is used for Agent installation script download). If an FQDN
is used, it can be used for these REST API calls as well (with proper certificate usage).

1. The REST endpoint is https://<aggregator IP or FQDN>/api/v1.0/assets

2. Do a POST REST API call

3. Use HTTP basic authentication to include username+password credentials

4. Add "?token=XXX" to your HTTP query parameters to include a token, if required

5. In the request body, put the asset information as described above. For example:

{
  "assets": [
    {
      "id": "422F81AE-781B-4823-F1FD-7E51093BF316",
      "bios-uuid": "422F81AE-781B-4823-F1FD-7E51093BF312",
      "name": "lin-lin-Agent20",
      "addresses": [
        "172.17.2.52",
        "100.100.102.52",
        "200.200.202.52"
      ],
      "labels": [
        {
          "key": "Role",
          "value": "Server"
        },
        {
          "key": "Deployment",
          "value": "API"
        }
      ]
    }
  ]
}

curl usage example for the same call (without TLS verification):

curl -k -d '{"assets":[{"id": "422F81AE-781B-4823-F1FD-7E51093BF316", "bios-uuid": "422F81AE-781B-4823-F1FD-7E51093BF312", "name":"lin-lin-Agent20", "addresses":["172.17.2.52", "100.100.102.52", "200.200.202.52"], "labels": [{"key": "Role", "value": "Server"}, {"key": "Deployment", "value": "API"}]}]}' \
  -u gc-api:password \
  -H "Content-Type: application/json" \
  -X POST https://172.16.100.50/api/v1.0/assets

Limitations
• If you report an asset without a BIOS UUID, a subsequent report by an Agent will not
be matched to this asset. The management server does not match assets reported
through this orchestration with Agent information according to IP address. At the
moment there is no way to report AWS instance ID or other matching parameters -
you must use IP & BIOS UUID.

• Assets reported just once using the Inventory API will eventually expire; there is no
way to report assets which will stay 'indefinitely'; the REST API method must be
repeatedly called to keep the asset as "On".

How to Get BIOS UUID

OS        How to get BIOS UUID
Linux     Read the file /sys/class/dmi/id/product_uuid
Windows   Run the command: wmic csproduct get "UUID"

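The reporting flow described above (the request body, basic authentication, the continuous re-reporting the Limitations require, and the BIOS UUID sources in the table) as an added Python example; this is not Guardicore's client or tooling. The Aggregator name, credentials, CA bundle path, expiration value and the "metadata" key name are placeholders or assumptions.

```python
"""Report assets to a Centra Inventory API orchestration (POST /api/v1.0/assets).

Added example, not Guardicore's own client: it only uses the endpoint, request
body and authentication described in the manual. The Aggregator address,
credentials, CA bundle path, report expiration and the sample asset are placeholders.
"""
import base64
import ipaddress
import json
import platform
import re
import ssl
import subprocess
import time
import urllib.request
from pathlib import Path

AGGREGATOR = "aggregator.example.internal"        # placeholder: Aggregator FQDN (or IP)
USERNAME, PASSWORD = "gc-api", "CHANGE_ME"         # placeholder: the orchestration's REST API credentials
TOKEN = None                                       # placeholder: value for "?token=...", if the orchestration requires one
CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"   # placeholder: CA that signed the Aggregator certificate
REPORT_EXPIRATION = 600                            # placeholder: must equal the orchestration's "Report expiration" (seconds)

UUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def parse_product_uuid(text):
    """Extract the BIOS UUID from /sys/class/dmi/id/product_uuid or from wmic output.

    Both sources are handled the same way: the first line that is a UUID wins
    (wmic prints a "UUID" header line first), and the value is upper-cased so
    that repeated reports of the same machine compare equal.
    """
    for line in text.splitlines():
        candidate = line.strip()
        if UUID_RE.fullmatch(candidate):
            return candidate.upper()
    raise ValueError("no BIOS UUID found in: %r" % text)


def read_bios_uuid():
    """Read the local machine's BIOS UUID the way the table above describes."""
    if platform.system() == "Windows":
        out = subprocess.run(["wmic", "csproduct", "get", "UUID"],
                             capture_output=True, text=True, check=True).stdout
    else:
        out = Path("/sys/class/dmi/id/product_uuid").read_text()
    return parse_product_uuid(out)


def build_asset(asset_id, name, addresses, labels, bios_uuid=None, metadata=None):
    """Build one entry of the "assets" list in the layout shown in the manual.

    asset_id must be stable across calls: the Aggregator matches repeated reports
    by this ID, so generate it once per machine and reuse it. Without bios_uuid a
    later Agent on the same host is never matched to this asset (see Limitations),
    so pass it whenever an Agent may be installed. The "metadata" key name is an
    assumption; the manual only says metadata is optional.
    """
    for addr in addresses:
        ipaddress.ip_address(addr)   # raises ValueError on anything that is not an IPv4/IPv6 address
    asset = {"id": asset_id}
    if bios_uuid:
        asset["bios-uuid"] = bios_uuid.upper()
    asset["name"] = name
    asset["addresses"] = list(addresses)
    asset["labels"] = [{"key": k, "value": v} for k, v in labels.items()]
    if metadata:
        asset["metadata"] = dict(metadata)
    return asset


def build_report(assets):
    """The request body: one call may carry any number of assets."""
    return {"assets": list(assets)}


def request_url(token=None):
    url = "https://%s/api/v1.0/assets" % AGGREGATOR
    return (url + "?token=" + token) if token else url


def post_assets(report, token=TOKEN, timeout=30):
    """POST the report with HTTP basic auth over a verified TLS connection."""
    creds = base64.b64encode(("%s:%s" % (USERNAME, PASSWORD)).encode()).decode()
    req = urllib.request.Request(
        request_url(token), data=json.dumps(report).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": "Basic " + creds},
    )
    # Verify the Aggregator's certificate against the CA bundle; the curl example
    # uses -k for a quick test, which is not suitable for production automation.
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.status, resp.read().decode()


def report_forever(assets, interval=None):
    """Re-report well inside the expiration window so assets never flip to "deleted"."""
    interval = interval or max(REPORT_EXPIRATION // 2, 1)
    while True:
        status, _ = post_assets(build_report(assets))
        print("reported %d asset(s): HTTP %s" % (len(assets), status))
        time.sleep(interval)


if __name__ == "__main__":
    # Constructed sample asset, reusing the values from the manual's request body.
    sample = build_asset(
        "422F81AE-781B-4823-F1FD-7E51093BF316", "lin-lin-Agent20",
        ["172.17.2.52", "100.100.102.52", "200.200.202.52"],
        {"Role": "Server", "Deployment": "API"},
        bios_uuid="422F81AE-781B-4823-F1FD-7E51093BF312",
    )
    report_forever([sample])
```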
Kubernetes
Kubernetes is an open-source system for automating the management of containerized
applications. It groups containers that comprise an application into logical units for easy
management. Guardicore Centra supports the Kubernetes open-source system for
containerized applications and can show Kubernetes pods on the Reveal map:

Using Centra’s Kubernetes Orchestration, Centra automatically converts Kubernetes labels into Centra labels. These include all pod-related labels as well as labels for Controllers, Services and Nodes. The created labels use the same key: value as their Kubernetes label. For example, the Kubernetes label app=nginx will be created as App: Nginx with the criteria: kubernetes_label: "app=nginx".

Users can edit Kubernetes labels and add new criteria to them.

Configure Kubernetes Orchestration in Centra

Configuring Kubernetes orchestration with Centra involves two stages:

Stage 1: Set up Kubernetes Service Account Authentication

Stage 2: Configure Kubernetes Orchestration in Centra.

Stage 1: Setting up Kubernetes Service Account Authentication

The Kubernetes orchestration service requires a service account with cluster-wide privileges in order to read resource information from all k8s namespaces. Follow these steps:

1. Create a new k8s service account:

2. Create new cluster role with cluster-wide read privileges:

Note: For GKE deployments an additional step is needed in order to create cluster roles:

kubectl create clusterrolebinding gc-cluster-admin-binding --clusterrole=cluster-admin --user=<your_gke_user>

(where <your_gke_user> is the Guardicore account email)

3. Bind the cluster role cluster-reader to the newly created service account:

4. Get the token associated with the service account:

5. For OpenShift, copy the cluster CA certificate to the Aggregator:

• In GKE the CA certificate can be found under Kubernetes → Clusters → Show Credentials.

• For K8s you can find the CA certificate file by querying "kubectl config view".

Stage 2: Configure Kubernetes Orchestration in Centra

1. In Centra's Administration screen, select Data Center/Orchestrations and click the Add Orchestrations button.

2. Select Kubernetes to display the Add New Orchestration dialog for Type:
Kubernetes

3. Fill out the fields as follows:

Type: Kubernetes

Name: A friendly name for the orchestration

GC cluster: Select a Guardicore cluster.

Auth Host: Kubernetes server IP address

Auth Port: Kubernetes server authentication port

Validate Certificate: Check this if you wish to validate the server's SSL certificate.

Service Account Token: Copy the token from step 4 of Stage 1 above.

CA Cert Data: Click the "not supplied" link and copy and paste the CA certificate from step 5 of Stage 1 above.

Metadata labels: Check this if you want Kubernetes metadata to automatically be converted to Centra labels.

Orchestration Full Report Interval: Interval in seconds in which to run a full report.

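Steps 1 to 3 of Stage 1 (whose commands the manual shows as screenshots) as an added Python example that emits the service account, a read-only cluster role and its cluster-wide binding as JSON for kubectl apply, and refuses to emit a role that is not read-only; this is not Guardicore's tooling. The namespace, the service account name and the list of readable resources are assumptions; the role name cluster-reader is the one step 3 binds, and step 4 (obtaining the token) is not covered.

```python
"""Emit least-privilege RBAC objects for the Centra Kubernetes orchestration account.

Added example, not Guardicore's own tooling, covering steps 1 to 3 of Stage 1
(service account, read-only cluster role, binding). The names below and the
resource list are assumptions; the manual only states that the account needs
cluster-wide read access to all namespaces. Getting the token (step 4) depends
on the cluster version and is not covered here.
Usage: python3 gc_k8s_rbac.py | kubectl apply -f -
"""
import json

NAMESPACE = "guardicore"              # assumed namespace for the service account
SERVICE_ACCOUNT = "gc-orchestration"  # assumed service account name
CLUSTER_ROLE = "cluster-reader"       # role name bound in step 3 of Stage 1

READ_VERBS = ["get", "list", "watch"]  # strictly read-only: no create/update/patch/delete

# Objects whose labels Centra turns into labels (pods, controllers, services,
# nodes); the exact list is an assumption and can be narrowed further.
RULES = [
    {"apiGroups": [""], "verbs": READ_VERBS,
     "resources": ["pods", "services", "nodes", "namespaces", "endpoints",
                   "replicationcontrollers"]},
    {"apiGroups": ["apps"], "verbs": READ_VERBS,
     "resources": ["deployments", "replicasets", "daemonsets", "statefulsets"]},
    {"apiGroups": ["batch"], "verbs": READ_VERBS, "resources": ["jobs", "cronjobs"]},
]

# Verbs that would let the orchestration account change the cluster or grow its rights.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection",
               "impersonate", "escalate", "bind", "*"}


def service_account():
    return {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"name": SERVICE_ACCOUNT, "namespace": NAMESPACE}}


def cluster_role():
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
            "metadata": {"name": CLUSTER_ROLE}, "rules": RULES}


def cluster_role_binding():
    # A ClusterRoleBinding (not a namespaced RoleBinding) is what makes the read
    # access cluster-wide, which the orchestration needs to see every namespace.
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
            "metadata": {"name": CLUSTER_ROLE + "-" + SERVICE_ACCOUNT},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": CLUSTER_ROLE},
            "subjects": [{"kind": "ServiceAccount", "name": SERVICE_ACCOUNT,
                          "namespace": NAMESPACE}]}


def rbac_objects():
    return [service_account(), cluster_role(), cluster_role_binding()]


def is_read_only(role):
    """True if every rule grants only get/list/watch and no wildcard groups or resources."""
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        if verbs & WRITE_VERBS or not verbs <= set(READ_VERBS):
            return False
        if "*" in rule.get("resources", []) or "*" in rule.get("apiGroups", []):
            return False
    return True


def manifest():
    """A kubectl-consumable List of the three objects, checked for least privilege."""
    if not is_read_only(cluster_role()):
        raise ValueError("refusing to emit a cluster role that is not read-only")
    return {"apiVersion": "v1", "kind": "List", "items": rbac_objects()}


if __name__ == "__main__":
    print(json.dumps(manifest(), indent=2))
```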
OCI (Oracle Cloud Infrastructure)
Introduction
Importing orchestration data helps you label your assets and build policies around them.
Centra enables you to import orchestration data from OCI (Oracle Cloud Infrastructure).
When OCI orchestration is configured, Centra's Aggregator connects to the OCI API to pull
metadata on OCI workloads.

Configuring OCI Orchestration

There are two major steps to configuring OCI orchestration:

Step 1: In OCI, create an orchestration user for Centra.

Step 2: In Centra, configure the OCI orchestration.

Step 1 - In OCI, create an orchestration user for Centra

Follow the steps in the OCI guide to create the OCI orchestration user for Centra. This includes the following steps in the guide:

1. Create a user in IAM for the Centra system that will be calling the API, and give the user read-only access to the desired tenant(s).

2. Get these items:

1. RSA key pair in PEM format (minimum 2048 bits). See How to Generate an
API Signing Key.

2. Fingerprint of the public key. See How to Get the Key's Fingerprint.

3. Tenancy's OCID and user's OCID. See Where to Get the Tenancy's OCID
and User's OCID.

3. Upload the public key from the key pair in the Console. See How to Upload the
Public Key.

4. Make sure you take note of the user OCID, key pair fingerprint, private key, tenancy OCID and region. You will need these for the next step.

Step 2 - In Centra, configure the OCI orchestration

1. In Centra’s Administration menu select Data Center/Orchestrations and click the + Add Orchestration button. The Add New Orchestration dialog box appears:

2. In the Add New Orchestration dialog box specify the following:

Type: OCI

Name: Name of the Orchestration

GC Cluster: Aggregator cluster on which this orchestration should be deployed.

User OCID: OCID of the user calling the API. See Step 1 above.

Key Pair Fingerprint: See Step 1 above for how to obtain the key pair fingerprint.

Private Key: Content of the private key in PEM format. See Step 1 above for how to obtain this.

Private Key Passphrase (optional): Passphrase for the key if it is encrypted.

Tenancy OCID: OCID for the tenancy. See Step 1 above for how to obtain this.

Region: OCI home region. See Regions and Availability Domains for more information.

Query All Regions: When checked, queries all regions subscribed by the tenancy. Customers that use more than one region can choose to query all regions, which will enable the orchestration to pull information for assets that are in other regions as well.

As with other Orchestrations, once you have configured the OCI orchestration you will be
able to see the information coming from the orchestration on your Assets page.

OpenStack
Importing orchestration data helps you label your assets and build policies around them.
Centra enables you to import orchestration data from the OpenStack cloud operating
system. When OpenStack orchestration is configured, Centra pulls metadata from
OpenStack and converts them to Centra Labels.

Setting Up OpenStack Orchestration

Setting up OpenStack Orchestration consists of two steps:

Step 1: Configuring a read-only user on the OpenStack platform.

Step 2: Configuring OpenStack Orchestration in Centra.

Step 1: Configure a read-only user on the OpenStack platform

The following instructions are performed using the OpenStack CLI.

1. Create a Guardicore user:

openstack user create <user name> --domain <domain>

2. Configure the password for the created user:

openstack user set <user name> --password <password>

3. Add a reader role for the Guardicore user and specify the domain/projects to be covered by the orchestration. A ‘reader’ role should be configured by default as part of the OpenStack deployment. If it’s missing, please contact the OpenStack administrator to create one. The following CLI command applies the role to the whole domain:

openstack role add reader --domain <domain name> --user <user name>

Step 2: Configure OpenStack Orchestration in Centra

1. Go to Administration > Data Center > Orchestration.

2. Click + Add Orchestration.

3. Select OpenStack. The following dialog box appears:

4. Fill out the fields as described in the following tables:

Basic Configuration

Name: A descriptive name for the orchestration

GC Cluster: Select the relevant GC cluster.

Admin User: The user name of the Guardicore user created in Step 1 in OpenStack.

Admin Password: The password of the Guardicore user created in Step 1 in OpenStack.

Projects List: The project list to be covered by the orchestration. The list can be provided in ‘project ID’ or ‘project name@domain’ format, delimited by a new line.
Example project ID: 3e434d8b1aa94b12a21507f6f3577038
Example project name@domain: projectA@default

Auth Url: The API public authentication endpoint. The endpoint can be discovered by running the following from the console:
openstack endpoint list --service identity --interface public

User Domain Name: The domain of the Guardicore user created in Step 1. The user domain can be discovered by running the following and looking at the domain_id value:
openstack user show <user name>

User Domain ID (optional): The domain ID of the Guardicore user created in Step 1. The user domain can be discovered by running the following and looking at the id value:
openstack user show <user name>

Metadata Labels: Enable/Disable metadata labels

Labeling Strategy: Provisioning of orchestration tags in Asset labels: Enabled/Disabled/Predefined

Predefined Labels: List of label keys to load from the orchestration when the labeling strategy is set to Predefined

Label Key Translation: A list of label keys to translate on import; each origin label key should be followed by -> and the target label key. For example, "OrchestrationAppName->App"

Advanced Configuration
This configuration is used to mitigate the performance impact on the OpenStack controller:

Fetch Hosts: Whether to fetch hosts

Fetch Users: Whether to fetch VMs’ users

Fetch Flavors: Whether to fetch VMs’ flavors

Fetch Images: Whether to fetch VMs’ image names

Full Port Pull Strategy: Strategy for the full port pull (occurring every Orchestration Full Report Interval):
AllAtOnce: Pull all ports at once
AllPulledServersInBulk: Pull ports for all pulled servers, in bulk (bulk size is set by Ports Pull Bulk Size). For example, if the bulk size is 50, then first all ports for the first 50 servers will be pulled, then all ports for the next 50 servers, and so on.

Differential Port Pull Strategy: Strategy for the differential port pull:
AllAtOnce: Pull all ports at once
AllPulledServersInBulk: Pull ports for all pulled servers (existing + new), in bulk (bulk size is set by Ports Pull Bulk Size)
NewServersOnlyInBulk: Pull ports for newly pulled servers only, in bulk (bulk size is set by Ports Pull Bulk Size)
NoPull: Do not pull ports differentially

Ports Pull Bulk Size: How many ports to pull in each bulk. Relevant only for the AllPulledServersInBulk and NewServersOnlyInBulk modes. 0 is a special value that falls back to the default (50).

Interval Between Ports Pulls: Sleep interval between per-server port pulls (in milliseconds)

Servers Pull Bulk Size: How many servers to pull in each bulk. Relevant for all modes. 0: pull all servers at once

Interval Between Server Pulls: Sleep interval between server bulk pulls (in milliseconds)

Keystone Version: Identity protocol version

Nova Version: Compute protocol version

Orchestration Full Report Interval: Interval in which to run a full report (in seconds)

5. Click Test Connection to verify the credentials. The test connects to the API endpoint and checks connectivity by listing servers through the nova client and networks through the neutron client (see API Commands below).

6. If the Test Connection is successful, click Save.

API Commands
The following API commands are used by Guardicore:

API Command                       Respective Command in CLI
neutron_client.list_networks      openstack network list
neutron_client.list_ports         openstack port list
neutron_client.list_floatingips   openstack floating ip list
nova_client.servers.list          openstack server list
nova_client.hypervisors.list      openstack hypervisor list
nova_client.flavors.list          openstack flavor list
keystone_client.projects.get      openstack project show <name/id>
keystone_client.users.list        openstack user list
nova_client.glance.list           openstack image list


vSphere Orchestration
vSphere orchestration complements the information provided by Guardicore Agents, which is typically more limited in scope. For example, information coming from orchestration may include the name of the vSphere host on which the asset resides, tags assigned to the asset, and more. The vSphere information (metadata) that is imported consists of the following:

• Host
• Power state
• Tools running status
• Tools version status

Orchestration is optional. However, after you configure orchestration, the above metadata is
imported into Centra. You can control which metadata, as well as custom tags, appear as
labels by following the configuration instructions provided below.

To configure vSphere orchestration, do the following:

1. In the Administration panel, select Data Center/Orchestrations and click the + Add Orchestrations button. The Add New Orchestration dialog box appears.

2. In the Type field, select vSphere, and in the following fields, type a name for the
orchestration and select a GC cluster:

3. In the next section of the dialog box, fill out the following information:

Admin User: The name of the vSphere server administrator

Admin Password: The password of the vSphere server administrator

Auth Host: The vSphere server IP address

Auth Port: The vSphere server authentication port

vSphere Clusters: Type a list of vSphere clusters to which you want to limit the collection of orchestration metadata. If you do not list anything, metadata will be collected from all vSphere clusters.

Nuage Integration Enabled: Leave this checkbox unchecked.

Label Key Translation: Specify how imported metadata will appear as labels in Centra. For example, you can specify that a tag such as OrchestrationAppName should be imported into Centra as App.

Labeling Strategy: This refers to how you want to import custom orchestration tags into Centra:
Enabled: all custom orchestration Tags will be imported into Centra.
Disabled: no custom orchestration Tags will be imported into Centra.
Predefined: the user can provide a list of custom Tags to import into Centra. This is done by supplying a list of keys to import.
NOTE: Labeling Strategy only affects custom tags and does not affect how metadata is imported.

Predefined Labels: If Predefined was selected in Labeling Strategy, supply a list of custom tags to import into Centra as labels.

Metadata Labels: Select this checkbox to enable importing some vSphere metadata as labels into Centra. Only the following vSphere data will be imported as labels: vCenter host, vCenter folder.

4. Click Test Connection, and if successful, click Save.

Firewalls Integration
Integration with Palo Alto Networks Firewall
The integration of Guardicore Centra with Palo Alto Networks combines Centra's unique breach detection capabilities with the access control capabilities of the Palo Alto Networks firewall. The joint solution allows security administrators to proactively block the IP addresses of compromised assets to gain control of the attack. As part of the attack mitigation, the IP address of the compromised asset is automatically forwarded to the Palo Alto firewall from the Reveal map.

Guardicore Centra uses various techniques to detect zero day attacks in data centers,
including dynamic deception, reputation and policy based micro-segmentation. Once an
attack is detected, Guardicore Centra updates Palo Alto firewall with the IP address of the
compromised host. The Firewall then blocks connection attempts to and from the
compromised asset, blocking its ability to propagate in the datacenter.

How It Works
The process begins with Centra identifying a suspicious IP address that has generated a
High Severity incident. The IP can be either external, i.e. coming from the Internet, or part of
internal, east-west traffic. Once the IP is detected, it is relayed to Palo Alto Networks
Panorama which then blocks all connection attempts to and from the compromised asset
through the NGFW, blocking its ability to propagate in the data center. Centra can be
configured to send this information automatically or manually directly from its Reveal map.
IPs are collected from all Centra’s platforms including deception servers, Reveal maps and
reputation servers.

Guardicore Palo Alto Networks Integration Diagram

The joint solution allows security administrators to proactively block compromised assets
inside the data center from performing data exfiltration or carrying out lateral movement. As
part of the attack mitigation, the IP address of the compromised asset is reported to the Palo
Alto Networks firewall which can cut the attacker’s communication line with its C&C server or
prevent it from exfiltrating previously stolen data.

Before You Begin: Requirements for Successful Integration
1. Deploy the Guardicore Agent on endpoints and ensure connectivity to the Centra Manager.

2. As a best practice, for API access to Palo Alto Networks Panorama, set up a
separate admin account for XML API access to Panorama by following these steps:

a. Select an Admin Role profile.

b. From Panorama > Admin Roles, select or create an admin role.

c. Select features available to the admin role:

i. Select the XML API tab.

ii. Enable or disable XML API features from the list, such as Report, Log, and Configuration.

iii. Select OK to confirm your change.

d. Assign the admin role to an administrator account.


Configuration
Configuring Centra and Palo Alto Firewall integration is easily accomplished using Centra's
Admin panel and Palo Alto's Firewall.

To configure integration with Palo Alto, follow these steps:

1. On the Administration menu, select Mitigation & IoCs and click Firewall Mitigation.

The Firewall Mitigation dialog box appears.

2. In the Firewall Mitigation dialog box, check Enabled:

Note that Centra provides separate configuration options for external and internal IPs. The
default value for both External IPs Action Mode and Internal IPs Action Mode is Manual:

In Manual mode you send suspected IPs to the firewall by first selecting incidents in the Lateral Movement, Policy Violations, or Bad Reputation incident screens (or in All Incidents), displaying the incident's Report, and then clicking the Report IP to Firewall button in the report's Recommended Actions section (see Incidents).

Make sure that you use the same tag in Palo Alto Dynamic address group as used in
the Internal IPs Tag and External IPs Tag:

Palo Alto UI

3. On the Administration menu, select Integrations > Firewalls.

4. On the Firewalls Integration page, configure the Palo Alto firewall fields and whether
to report to all firewalls or to specific ones.

5. After completing the configuration and clicking Save Changes, you should be able to
see the Report IP to Firewall button in the Recommended Actions section of an
incident's Report page (If you have set Action Mode to Manual in the Firewall
Mitigation page as described above; if you've set it to Automatic, the IP will be
automatically reported):

Similarly, if you have specified Manual mode in the Firewall Mitigation dialog, you can report
an IP of any asset on the Reveal map, even if this asset is not part of an ongoing incident. In
the asset's Asset information panel, click the Report IP to Firewall button as shown in the
following figure:

Troubleshooting
1. Verify connectivity between Centra and Panorama: click Test Connection to verify that Centra can access Panorama using the REST API.

2. Verify that “show firewall integration” is enabled on Guardicore Centra.

3. Verify that the Dynamic address groups are defined on both systems.

Contact information for support

[email protected]

Guardicore is a TSA Net Limited membership member

Data Export
Centra can be configured to export audit records, system events, agent log events and
Reveal incidents. Centra provides several ways to export logs:

• Syslog
• Slack
• SMTP
• STIX

To specify how to export logs, in the Administration menu, select Data Export, then select
an export method:

The following logs can be exported:

Audit record - all admin actions that appear on the Auditing page (Admin > System >
Auditing).

System events - all system events in Centra.

Agent log event - all agent log events reported to the management system.

Incidents - all incidents detected by Centra:

• Lateral movements
• Policy violations
• Network scans
• Bad reputation
• Integrity violations

Incident Log
To configure the incidents to export, on the System > Configuration page, choose
Exporters and select the minimum severity threshold to export:

Email
Centra allows you to subscribe to incidents and/or system alerts. This way you will receive
an email every time an incident or system alert has been logged. Configuration varies
between SaaS users and on-premises users.

SaaS Users
The SMTP configurations are done by GuardiCore so SaaS users don't need to configure
anything. You only need to select the type of alerts you wish to receive - Incident Alerts,
System Alerts or both - and fill out related fields.

1. To choose the alerts you wish to receive, from Email Integration select
Subscriptions > Alerts.

2. Check Enable Incident Alerts and/or Enable System Alerts to subscribe to the service.

Note: if you check Enable Incident Alerts, go to System > Configuration > Exporters to
set the severity level for incident alerts.

3. In Alert minimum severity select the alert severity level. The severity levels - Info/Warning/Error - correspond to the severity levels of the System Log (Administration > System > Log). This configuration defines the minimum severity that will trigger an email alert.

4. In Email addresses type the email address or addresses to send the incident and alert emails to.

5. Click Save Changes.

On-Premises Users
On-premises users need to first set SMTP configurations and then subscribe to the alerts
service.

1. SSH to the Management server and run the following CLI command:

gc-mgmtctl --import_all set_conf --group email_smtp --option force_show_smtp_configurations --value True

The SMTP Setup screen appears.

2. Fill in the SMTP Setup page with your organization's details.

3. Next, choose the alerts you wish to receive, from Email Integration select Subscriptions
> Alerts.

4. Check Enable Incident Alerts and/or Enable System Alerts to subscribe to the service.

Note: if you check Enable Incident Alerts, go to System > Configuration > Exporters to
set the severity level for incident alerts.

5. In Alert minimum severity select the alert severity level. The severity levels - Info/Warning/Error - correspond to the severity levels of the System Log (Administration > System > Log). This configuration defines the minimum severity that will trigger an email alert.

6. In Email addresses type the email address/addresses to send the incidents and alerts
email to.

7. Click Save Changes.

Slack
Integrate with Slack to export Guardicore incident messages to your corporate Slack
platform.

Export Incidents to Slack: Check this box to allow integration with Slack.

Export audit log to Slack: Export audit logs to Slack.

Slack site name: A unique URL used for reporting incidents.

Slack webhook address: This URL accepts notifications from Guardicore and passes them into Slack.

STIX
Guardicore uses STIX to export indicators of compromise (IoCs) to security vendors. The
Structured Threat Information eXpression (STIX™) is a language for communicating
standardized cyber threat information. To integrate with STIX, configure the vendor’s
security tool. Files are exported every 24 hours by default. Note that the old IoC file is
overwritten when a new file is uploaded.

Vendor: Name of the vendor

Firewall Management IP: IP of the Check Point firewall

Username: Firewall username

Password: Firewall password

Remote Path: Specify the full path of the directory on the firewall to which the IoC file will be copied.

Run command after uploading the STIX IoC file (optional): Check this box if you want to run the IoC file immediately after uploading.

Post Upload Command: If you checked the box above, this command runs automatically after the IoC file is uploaded.

Export IoCs from last (min): By default, the file is exported over STIX every 1440 min (24 hours); you can change this as you see fit.

Syslog
Syslog is a common format for message logging. The administrator uses the Add New
Syslog integration dialog box to configure Syslog (as described below), and can configure
multiple hosts for Syslog by using the dialog box repeatedly. Each time a Syslog Integration
is configured, the configuration is added as a row in the Syslog Integration screen:

Centra provides two types of Syslog integration:

Events Syslog Exporter: enables you to export a wide range of data to Syslog including
incidents, system alerts, Agent and Audit logs, messages, etc.

Network Log Syslog Exporter: enables exporting the Network log which provides data on
connections including type of connection, how Centra handled the connection, time of
connection, as well as detailed source and destination information. To enable the Network
Log Syslog Exporter, your administrator must execute a few CLI commands.

Configuring Syslog Export
The administrator can configure the incidents to be exported to Syslog by performing the
following:

1. From Administration, select Data Export > Syslog:

The Syslog Integration screen is displayed:

2. Click the + Add Syslog Integration button to display the following dialog box:

3. Select either Events Syslog Exporter or Network Log Syslog Exporter and complete
the fields as explained below:

Events Syslog Exporter

If you selected Events Syslog Exporter, the following dialog box appears:

4. Fill in the fields as specified in the following table:

Field Explanation

Name Type a name for the Syslog Integration.

Type Events Syslog Exporter appears here if you selected it in the Add New Syslog
Integration dialog box in step 2 above.

Connection Options

Syslog Host The IP of the target Syslog server.

Syslog Port Different servers might require different ports (syslog UDP is usually 514).

Syslog TCP or UDP


Protocol

Export In some SaaS deployments, in order not to open extra ports, it is possible to
through configure the Aggregators to export the syslog to the syslog server. If this feature
Aggregators is enabled, you must also enable the Cluster Exporter in the Aggregator screen
(From Components/Aggregator select the Aggregator, then select the More
button, Override Configuration, Show Advanced Options. Under Advanced
Options, select Aggregator/Aggregator features, and the Cluster exporter
checkbox:

Use TLS
Encrypt Syslog Traffic with TLS (works only with the TCP protocol). Syslog records
can be sent over a secure channel, as indicated in RFC 5425. This is common
practice when the syslog channel is sent over the public internet or other unsafe
networks. The TLS protocol ensures the syslog messages are securely sent and
received over the network.

273
Field Explanation

After setting the general Syslog settings (host, port and export settings), do the
following to enable TLS encryption for the Syslog channel:
• Make sure your Syslog Protocol is set to TCP.
• Make sure the Use TLS box is checked.

Verify Host
This field should always be checked; it verifies that the host domain presents a
valid certificate. If this box is not checked, the TLS protocol will be used but there
is no guarantee that the data is not intercepted by a third party.

• If the host is a domain name such as "listener.logz.io", Centra will verify a


valid certificate which matches the configured syslog hostname.

• If the host is an IP address, a server CA certificate must be provided in


order to successfully verify the destination IP.

CA Required if the server's certificate is signed by an internal Certificate Authority. In


certificates this case, a custom CA certificate chain must be given for the host verification to
succeed. This is usually not required for syslog servers on the public internet, such
as Sumo Logic or Logz.io. The server CA chain should include all the certificate
chains for each issuer you are willing to trust in a PEM format.

Client
certificate Required if the syslog server performs client authentication. In this case, a specific
client certificate should be given in order for Centra to successfully connect to the
syslog server.

This is usually not required for syslog servers on the public internet, such as Sumo
Logic or Logz.io.

Exporting Options

Export Incidents: Choose whether to export incident information. Note that exporting incidents is subject to filters defined in System > Configuration > Exporters.

Export system alerts: Choose whether to export System alerts to Syslog.

Alert minimum severity: The minimum alert severity to be exported: completed, info, warning, error.

Export agents log: Choose whether to export the Agents log to Syslog.

Export audit log: Choose whether to export Audit log information.

Export full changes of segmentation policies: Export full changes of segmentation policies (may include sensitive information).

Export label changes log: Choose whether to export Label changes log information.

Log messages to file: Choose whether to log all sent messages to a local file on the sending machine.

Report agent events individually: Produces a report showing events according to Agents.

Report agent labels to syslog: Includes the Agent labels in the syslog report.

Agent labels list reported to syslog: Enables you to specify the Agent labels that will be reported in syslog.

Message Format

Message Format: Native, CEF, or RFC 5424:

Native: Guardicore format.

CEF: Common Event Format (CEF) is a logging and auditing file format from ArcSight. CEF is an extensible, text-based format designed to support multiple device types by offering the most relevant information. The CEF format description can be reviewed here: CommonEventFormatV25.pdf

RFC 5424: Syslog protocol (RFC 5424) compliant message format. This format can be applied to all syslog records sent from Centra (including audit logs, system events, incidents etc.) over Management or Aggregator. Example:

04-23-2019 19:13:26 User.Critical 10.0.1.6 1 2019-04-23T16:13:24Z Guardicore Guardicore-Centra - Audit - New audit log entry reported by the GuardiCore Security Suite;;Username: admin;IP Address: 10.15.1.10;;Title: Run Syslog Integration Test Connections;;Description: None

RFC-5424 Structured Data: Structured data elements as specified in RFC 5424, without brackets. E.g. Sumo Logic cloud syslog source token.
Network Log Syslog Exporter
When Network Log Syslog Exporter is selected in the Type field of the Add New Syslog Integration dialog box, a dialog box with fields similar to the Events Syslog Exporter dialog box above appears, with the exception of the Exporting options:

Fields Explanation

Exported verdicts: Centra's verdict on how to handle the connection (corresponds to the Action filter in the Network log). Possible verdicts are Blocked, Will be Blocked, Alerted, Could not Block, Allowed.

Filter by labels: Enables filtering log entries whose source or destination belong to the specified label key and value.

Export label keys: Adds label info of specified keys to exported network logs.

5. Click the Test Connection button to test the connection and then click Save; the configuration is added as a row in the Syslog Integration screen.

Common Event Format (CEF) sent by Centra

The following are examples of CEF messages sent by Centra:

Bad reputation
<10>Mar 7 13:45:13 host CEF:0|GuardiCore|Centra|unknown|Reveal Incident|Bad Reputation|medium|src=172.17.0.22 shost=win-win-Agent2 dst=216.58.208.131 smac=N/A start=2018-03-06 13:28:46 act=ALERTED_BY_MANAGEMENT msg=Suspicious activity detected on 172.17.0.22 dhost=N/A

Lateral movement
<10>Mar 7 13:45:13 host CEF:0|GuardiCore|Centra|unknown|Deception Incident|Lateral Movements|high|src=100.100.100.1 dpt=22 shost=lin-lin-Agent1 proto=TCP dst=100.100.13.23 start=2018-03-06 16:55:19 act=ALERTED_BY_MANAGEMENT msg=Suspicious network activity detected between 100.100.100.1 and 100.100.13.23 dhost=N/A

Network scan
<10>Mar 7 13:45:13 host CEF:0|GuardiCore|Centra|unknown|Network Scan Incident|Network Scans|medium|msg=Network scan detected originated by 200.200.200.254 start=2017-08-01 12:25:10 src=200.200.200.254 shost=N/A act=ALERTED_BY_MANAGEMENT

Integrity
<10>Mar 7 13:45:13 host CEF:0|GuardiCore|Centra|unknown|Integrity Incident|Integrity Violations|low|msg=Suspicious activity detected on N/A start=2018-03-01 16:24:35 src=N/A shost=lin-lin-Agent4 act=ALERTED_BY_MANAGEMENT

System Event
<10>Mar 7 13:45:13 host CEF:0|GuardiCore|Centra|unknown|System Event|Exception in management service 'management'|ERROR|msg=Uncaught exception in service management\\nTraceback (most recent call last):\\n File '/Applications/Py...<truncated> id=fdba044b-dcd9-4629-96f2-647cec3df8ab

Audit log
<10>Mar 7 13:45:13 host CEF:0|GuardiCore|Centra|unknown|Audit Record|Audit Rec
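As an added illustration of the format (not Centra code), the following Python parser handles the syslog-wrapped CEF lines above: it splits the seven pipe-delimited header fields while honouring CEF's `\|` and `\\` escapes, then breaks the extension into key=value pairs. The embedded sample is the Bad reputation message above copied as a single line; function names are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample: the "Bad reputation" message above, joined into one line.
SAMPLE_BAD_REPUTATION = (
    "<10>Mar 7 13:45:13 host CEF:0|GuardiCore|Centra|unknown|Reveal Incident|Bad "
    "Reputation|medium|src=172.17.0.22 shost=win-win-Agent2 dst=216.58.208.131 "
    "smac=N/A start=2018-03-06 13:28:46 act=ALERTED_BY_MANAGEMENT "
    "msg=Suspicious activity detected on 172.17.0.22 dhost=N/A"
)

HEADER_NAMES = ("cef_version", "device_vendor", "device_product", "device_version",
                "signature_id", "name", "severity")

# BSD-style syslog wrapper: <PRI>Mon dd hh:mm:ss HOST CEF:...
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<cef>CEF:\d+\|.*)$", re.S)
# Extension pairs: a value runs until the next " key=" or the end of the text.
EXT_RE = re.compile(r"(?P<key>[A-Za-z0-9_.]+)=(?P<val>.*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)", re.S)


def split_cef_header(cef: str) -> List[str]:
    """Split the seven '|'-delimited header fields, honouring '\\|' and '\\\\' escapes.

    Returns the seven header fields followed by the raw extension string.
    """
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(cef):
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef) and cef[i + 1] in "|\\":
            buf.append(cef[i + 1])      # escaped pipe or backslash inside a header field
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
            if len(fields) == 7:        # everything after the seventh pipe is the extension
                return fields + [cef[i + 1:]]
        else:
            buf.append(ch)
        i += 1
    raise ValueError("CEF header has fewer than seven '|' separators")


def unescape_ext(value: str) -> str:
    """Undo extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n' -> newline, '\\r' -> CR."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'src=1.2.3.4 msg=some text dhost=N/A' into a dict, values unescaped."""
    return {m.group("key"): unescape_ext(m.group("val")) for m in EXT_RE.finditer(ext)}


def parse_cef_syslog(line: str) -> Dict[str, object]:
    """Parse one syslog-wrapped CEF line into syslog metadata, header fields and extension."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a syslog-wrapped CEF line")
    pri = int(m.group("pri"))
    fields = split_cef_header(m.group("cef"))
    header = dict(zip(HEADER_NAMES, fields[:7]))
    header["cef_version"] = header["cef_version"].split(":", 1)[1]   # "CEF:0" -> "0"
    return {
        "facility": pri // 8,            # <10> -> facility 1 (user)
        "syslog_severity": pri % 8,      # <10> -> severity 2 (critical)
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        **header,
        "extension": parse_extension(fields[7]),
    }
```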

Enabling the Network Log Reporter

Before using the Network Log Syslog Exporter, the administrator must enable the Network Log Reporter that reports logs to the Network Log Syslog Exporter.

Follow these steps:

1. On the MGMT master node, run:

   gc-mgmtctl set_conf --group management --option network_log_reporter --value true

2. Run:

   gc-cluster-cli service-restart --service_name visibility-ingestion-server
System Users
This screen allows administrators to:

• Add new users - Local users or Active Directory users based on the selected filter.

• Edit a user name, password and access rights of both guest and administrator users.

• Delete users.

To add, modify or delete a user:

1. Select Administration > User Management > Users.

2. Set the filter to point to the requested group of users (User Directory users, Locally defined users, etc.).

3. Click to add a new user. The following dialog box appears:

4. Type the user information. In the Permission Scheme box, select a Permission Scheme.

5. Click Save. The user is added to the System Users page.

6. Clicking a user displays the user's information and Active Sessions in the right pane.
Permission Schemes
Permission Schemes enables administrators to restrict a user's access to Reveal maps,
Incidents, and Neighboring Assets. Administrators can assign scoped permissions such as
View Reveal Maps or View Incidents. For example, some application owners might be
allowed to view all data pertaining to their application (with all other applications hidden)
while some site owners might be allowed to access only Reveal maps pertaining to their
environment.

Why Create Permissions?


Some of the reasons for creating permission schemes include the following:

• Limit users' view based on asset labels, e.g. service providers may want to provide
their customers access to the information related to their assets only.
• Allow each user to view a limited scope of Centra:

- Reveal Map of user's related assets

- Security incidents related to the user's assets

Create a Permission Scheme

To create a Permission Scheme for a user:

1. From User Management select Permission Schemes.

2. Click and complete the fields in the following screen:

The following table provides information on each field:

Field Description

Title: The title of the Permission Scheme.

Description: A short description of the scheme.

Role: A role is a set of permissions and related allowed actions. The following roles are available (role and associated permission, description, and whether the permission is Global or Custom):

• Global Administrator (Full Control): Provides full access to, and configuration of, all system data. Global.
• Guest (View All): Provides read permissions to all system data except for Audit Log and Users data. Global.
• Incidents Viewer (View Incidents): View incidents only. Custom.
• Reveal Map Viewer (Explore Reveal Data): Access Reveal maps only. Custom.
• System Administrator: Custom.
• Application Owner: Manage segmentation policy of application.

Prevent override rules creation or modification checkbox: The checkbox is available for the Application Owner role only. Selecting the checkbox prevents anyone with the Application Owner role from creating or editing Override rules. Override rules appear as read only to the Application Owner.

Scope by Labels: Defines the scope of the permission, based on labels.

Default View: The first Centra screen the user sees after login, based on the defined permission.

Linked Directory Groups: Attach custom permission schemes to Active Directory groups. Make sure you activate the User Directories feature before you activate the new AD groups in the Linked Directory Groups field.

3. Click Save. The Permission Scheme is displayed in the list of Permission Schemes.

4. Clicking a Permission Scheme in the list displays the scheme's details in the right pane and enables you to edit the scheme.
Roles Based Permissions to Centra's Features
The following table provides details on the default role permissions to Centra's features. The columns are Title, Action, and one check mark column per role: Global Admin, Guest, System Admin, Global Policy Administrator, Application Owner, Reveal Map Viewer, Incidents Viewer.

Dashboard: View ✓ ✓ ✓ ✓

Network Statistics: View ✓ ✓ ✓ ✓

Reveal>Explore and Saved Maps:
  Explore ✓ ✓ ✓ ✓ ✓ ✓ ✓
  Create ✓ ✓ ✓ ✓ ✓ ✓
  Delete ✓ ✓ ✓ ✓ ✓
  Label asset ✓ ✓
  Set map default view ✓ ✓ ✓ ✓ ✓ ✓
  Explore Precomputed ✓ ✓ ✓
  Explore Private ✓ ✓
  Explore All Scoped ✓ ✓ ✓ ✓
  Create Private ✓ ✓

Reveal>Labels:
  View labels ✓ ✓ ✓ ✓ ✓
  Add label ✓ ✓
  Delete label ✓ ✓
  Edit label ✓ ✓

Policy>Create Policy: Edit & Publish ✓ ✓

Policy>Projects:
  View ✓ ✓ ✓ ✓
  Edit ✓ ✓

Policy>Rules:
  View ✓ ✓ ✓ ✓ ✓
  Publish changes ✓ ✓
  Discard changes ✓ ✓ ✓
  Suggest changes ✓ ✓ ✓

Policy>Revisions:
  View ✓ ✓ ✓ ✓ ✓
  Revert policy ✓ ✓

Policy>Label Groups: ✓ ✓

Policy>User Groups:
  View ✓ ✓ ✓ ✓
  Edit ✓ ✓
  Publish changes ✓ ✓
  Discard changes ✓ ✓

Incidents + Incident Groups:
  View ✓ ✓ ✓ ✓ ✓ ✓
  Edit ✓ ✓ ✓

Assets:
  View ✓ ✓ ✓ ✓ ✓
  Edit ✓ ✓

Activity>Network Log: View ✓ ✓ ✓ ✓ ✓

Activity>Redirection Log: View ✓ ✓ ✓ ✓ ✓

Activity>Reputation Log: View ✓ ✓ ✓ ✓ ✓

Activity>Integrity Log: View ✓ ✓ ✓ ✓

Activity>Label Log: View ✓ ✓ ✓ ✓

Inspection policy:
  View ✓ ✓ ✓ ✓
  Edit ✓

Detection>Detectors:
  View ✓ ✓ ✓ ✓
  Edit ✓

Detection>Reputation:
  View ✓ ✓ ✓ ✓
  Edit ✓

Integrity Monitoring>Templates:
  View ✓ ✓ ✓ ✓
  Publish changes ✓
  Discard changes ✓
  Suggest changes ✓
  Cleanup stale hashes ✓

Mitigation & IOCs:
  View ✓ ✓ ✓ ✓
  Edit ✓

Components>Deception Servers:
  View ✓ ✓ ✓
  Edit ✓ ✓

Components>Collectors:
  View ✓ ✓ ✓
  Edit ✓ ✓

Components>Aggregators:
  View ✓ ✓ ✓
  Edit ✓ ✓

Agents>Agents:
  View ✓ ✓ ✓ ✓
  Edit ✓ ✓

Agents>Agent Installation Screen: View ✓ ✓ ✓

Agents>Agents Log: View ✓ ✓ ✓

Agents>Agent installation profiles:
  View ✓ ✓ ✓ ✓
  Edit ✓ ✓

Data Center>Orchestrations:
  View ✓ ✓ ✓
  Edit ✓ ✓

Integration:
  View ✓ ✓ ✓
  Edit ✓ ✓

User Management>Users: View ✓ ✓

User Management>User Directories:
  View ✓ ✓ ✓
  Edit ✓ ✓

User Management>Permission Schemes:
  View ✓ ✓
  Edit ✓ ✓

System>Log: View ✓ ✓ ✓

System>Configuration:
  View ✓ ✓ ✓
  Edit ✓ ✓

System>Info: View ✓ ✓

System Auditing: View ✓ ✓

System Repo Key: Edit ✓ ✓

Scoped Application Owner Role

V31 introduces a new role into the system – Application Owner. The role allows you to define configuration access only to a specific scope of assets. Scoping in v31 enables users to create and edit segmentation rules within a particular scope. The scope for creating and editing these rules is determined by the labels that have been defined within the user's scope in the user's assigned Permission Scheme. Scoping of Segmentation Rules adheres to the following restrictions:

• Application owners can create new rules that include the scoped labels but cannot publish the rules. The rules can be reviewed and published by the Administrator or Global Policy Admin.
• Application owners cannot revert policy.
• Application owners can only discard changes in the context of their own changes and cannot affect changes in other users' contexts.
• Application owners will see unpublished rules only in their scope but will not see unpublished rules in other users' scopes unless the unpublished rule directly affects any of the scoped rules.
• All other aspects of scoping, such as scoping for Reveal maps and the ability to view incidents, assets, activity logs, FIM policy, etc., are as in previous versions.

Assign a Permission Scheme to a User


To assign a permission scheme to a user:

1. From System, select Users and in the Add New User dialog box, fill in the Username,
Email Address and Description fields.

2. In the Permission Scheme field, scroll through the list of Permission Schemes and
select the scheme that you want to assign to the user.

3. Fill out the remaining fields and click Save.

User Directories
Centra's User Management features enable you to enroll new users, control authentication,
and create permission schemes that restrict users to particular areas or functions within
Centra. User Management options include the following:

Option Description

Users: Displays the System Users screen that enables you to add or delete users, and edit user name, password and access rights.

User Directories: Displays the User Directories screen that enables you to configure LDAP or SAML 2.0.

Permission Schemes: Enables administrators to restrict a user's access to Reveal maps, Incidents, and Neighboring Assets.

User Directories enables you to choose to configure a user directory using LDAP or SAML
2.0.

Configuring a user directory with LDAP enables you to connect Centra to a Microsoft Active
Directory (AD) for authentication, and user and group management. Integration with a user
directory is useful when your users and groups are stored in a corporate directory. User
permissions are assigned based on user roles (admin/guest). One or more Active Directory
groups can be assigned to system roles. The service is designed for on-premises
deployments and assumes your User Directory server is directly accessible from the
Guardicore Management Server. Currently only Active Directory users are supported, but
more LDAP - based directories will be added in upcoming versions.

Configuring a user directory for SAML 2.0 SSO is possible for RedHat and Okta -- see the
instructions below.

To display the User Directories screen:

• From select User Management > User Directories. The screen displays
existing user directories.

Adding a New User Directory


To add a new User Directory, click and in the Add New User Directory dialog
box, in the Type field, select LDAP or SAML 2.0 SSO; the dialog box displays the fields
appropriate to your selection.

Configuring LDAP
To configure LDAP (default):

1. Fill in the fields in the Add New User Directory dialog box:

Field Description

Type: LDAP (default)

Name: Enter the Fully Qualified Domain Name (FQDN).

Login Username: Type the username of the service account that will be used to connect to the domain.

Login Password: Type a password.

Base DN: The root distinguished name (DN) to use when running queries against the directory server.

LDAP Providers: A list of servers (domain name or IP) through which the connection to the domain will be made.

Use SSL: Click this checkbox to secure the directory with SSL.

Enable Kerberos authentication:
  Centra FQDN: Centra Domain Name, i.e. Centra.domain.com
  Realm: Active Directory Domain -- case sensitive and, by convention, UPPER CASE
  Keytab: click to upload a new keytab file. All Kerberos server machines need a keytab file, called /etc/krb5.keytab, to authenticate to the KDC (Key Distribution Center). See Kerberos Authentication.

2. Click Test Connections.

The user directory is added. Note that you can modify the lookup order with the exception of Locally Defined Users, which is always the first entry on the list.
Configuring SAML 2.0 SSO
Centra supports Single Sign On (SSO) with SAML 2.0. For configuration instructions, see
the next sections: Configuring SAML 2.0 SSO with Red Hat, and Configuring SAML 2.0 SSO
with Okta.

Assign Permissions to Active Directory Groups


You can assign permissions schemes to user AD groups from the Permission Schemes by
selecting Linked User Groups at the bottom of the dialog box. This enables granting
permissions to an AD group.

Edit User Details in a User Directory


To access a list of users in a User directory and edit users' details:

1. From the Administration menu, select User Management > Users and select a User directory from the User Directory filter. A list of users belonging to the directory is displayed.

2. Select a user from the list that is displayed and edit the user's details. Details include
the user's full name, username, password, email address and other personal
information. For more info, see Users.

Configuring FortiAuthenticator SAML 2.0 with
Guardicore Centra
FortiAuthenticator provides secure access and identity management for Fortinet enabled
enterprise networks. This article provides instructions on how to configure FortiAuthenticator
SAML 2.0 with Guardicore Centra.

Instructions for configuring Guardicore Centra as an SP for FortiAuthenticator are standard and provided below. However, there are two additional "non-standard" settings that must be configured by Guardicore Support:

• In case the IdP entity ID contains a slash character: If the IdP entity ID contains a slash character / at the end, the UI prevents adding it. Therefore, this requires manually changing the entity ID in Centra's configuration database. Contact Guardicore Support.

• Deactivate Guardicore's encrypted assertion requirement: By default, Guardicore Centra works only with encrypted assertions. However, currently, FortiAuthenticator does not support encrypted assertions. Although there are certificate options in the FortiAuthenticator configuration that support certificate use for encryption, they do not currently support SAML payload encryption as expected. We are aware that there is a feature request open with Fortinet to rectify this situation.

Therefore, in the meantime, you must contact Guardicore Support to deactivate the requirement for encrypted assertions. Please open a support ticket and be sure to indicate that you are using FortiAuthenticator for SSO/SAML and that you require an encrypted assertion override.
Overview of Configuration Stages
Configuring FortiAuthenticator requires the following stages:

Stage 1: In FortiAuthenticator, configure IdP settings.

Stage 2: In Centra, configure a User Directory for FortiAuthenticator.

Instructions for each stage are provided below.


Stage 1: Configure SSO and IdP settings in FortiAuthenticator

1. In FortiAuthenticator, configure SAML Authentication settings using the FortiAuthenticator wizard.

2. For general IdP settings, enable the SAML identity provider portal and enter the following:

   Server address: Enter the FortiAuthenticator FQDN.
   Realms: Add the realm associated with the remote server for G Suite.
   Default IdP certificate: Select a default certificate to use.
   Click OK to save the settings.

3. Configure Guardicore as a service provider as follows:

   1. From Authentication > SAML IdP > Service Providers create a name (for example, Guardicore) for the service provider (Guardicore) that you will use as a SAML client.

   2. Enter the SP information from the client you will use as the SAML service provider (enter the Centra URL that you are using).

   3. Download the IdP metadata. This can be used to set up the SAML IdP configuration in your SAML SP client (i.e. in Guardicore Centra).

   4. Under SAML Attribute click Create New, and enter a SAML Attribute name that your SAML SP is expecting to identify the user. Select a User Attribute for this selection. If you're unsure of which attribute to pick, select SAML Username.

   5. Click OK to save your settings.

   6. Access Guardicore Centra to proceed to the next stage.

Stage 2: In Centra, configure a User Directory for FortiAuthenticator

1. On the Centra Administration screen, access User Management/User Directories.

2. Click + Add User Directory to display the Add New User Directory dialog box.

3. Fill out the fields as follows:

   Type: SAML 2.0 SSO

   Name: Enter a friendly name that will help you identify this for your SSO setup.

   Idp Entity ID: The FortiAuthenticator Identifier (your Centra URL, i.e. https://centra.acme.org) that you entered in Stage 1. Note: If the IdP entity ID contains a slash character / at the end, the UI prevents adding it. Contact Guardicore Support to manually change the entity ID in Centra's configuration database.

   Idp SSO URL: Paste the login URL that you entered from the previous stage.

   Idp Certificate: Open the certificate from the IdP metadata that you downloaded from Stage 1 and paste the contents into this field.

4. Click Verify Configuration and then click Save. The User Directory is listed on the User Directory screen.

5. Under User Management/Permission Schemes, add a new permission scheme.

6. Configure the options as you would like.
Configuring SAML 2.0 SSO with Okta
Configuring SAML 2.0 with Okta comprises 3 steps:

Step 1: Configure the Okta Guardicore app

Step 2: Configure the user directory in Centra

Step 3: Configure the Okta group in Centra

Note: Step 1 is redundant once the Guardicore app is accepted into the Okta application
directory.
Step 1: Configure the Okta Guardicore App

1. In the Okta classic UI, select Applications and click the Add Application button.

2. Click Create New App and in the Create a New Integration dialog box, specify the following:

   Platform: Web
   Sign on method: SAML 2.0

3. Click Create and under General Settings, for App Name, specify Guardicore.

4. Click Next and fill in the fields as follows:

   Field Specify this:

   Single Sign on URL: This should be the URL to the Centra system as the client sees it, concatenated with the SAML authentication REST endpoint. For example, for GC-MGMT it's 'https://cus-1801.cloud.guardicore.com/sso-authenticate'. So the pattern is 'https://{Centra URL}/sso-authenticate'. Select 'Use this for Recipient URL and Destination URL'.

   Audience URI (SP Entity ID): The Centra URL. For example, for GC-MGMT: 'https://cus-1801.cloud.guardicore.com'

   Default RelayState: Leave empty.

   Name ID format: Select EmailAddress.

   Application Username: Email

5. Click Advanced Settings and fill in the fields as in the following:

6. Fill in Attribute Statements (Optional) as follows:

   Add one attribute named 'userEmail' with Name format set to 'Basic'. Value should be 'user.email'. The attribute name 'userEmail' is case sensitive, so make sure you are writing it exactly as shown.

   Note: If a user in the user@domain format has already been configured manually in Centra, SAML authentication will fail for that user and will default to local authentication.

7. Fill in Group Attribute Statements (Optional):

   Add one attribute named 'memberOf' with name format set to 'Basic'. Filter should be set to 'Matches regex' and value '.*' (dot and asterisk). 'memberOf' is case sensitive.

8. Click Next to finish the Application configuration phase.

9. Click on the Application and navigate to the Sign On tab.

10. Click on View Setup Instructions to open a new page with the SAML details. You will need to copy some of these details for Step 2 that follows.
Step 2: Configure the User Directory in Centra

1. Click on the newly created Okta Guardicore application and navigate to the 'Sign-On' tab.

2. In Centra's Admin screen, select User Management, User Directories to display the Add New User Directory dialog box.

3. Fill in the fields as follows:

   Field Specify this:

   Type: SAML 2.0 SSO

   Friendly Name: Okta

   Idp Entity ID: Copy from the Okta instruction page (Identity Provider Issuer).

   Idp SSO: Copy from the Okta instruction page (Identity Provider Single Sign-On URL).

   Idp Certificate: Copy from the Okta instruction page (X.509 Certificate).

4. Add the assertion signing key to Okta:

   • In the User Directories screen, click the provider (Okta) to display User Directory Details and a Key button.
   • Click the Key button to download a PEM file.

5. Return to the Okta UI and click Edit for SAML settings under the Centra app.

6. Under Advanced Settings, in the Encryption Certificate box, click the Browse button and upload the PEM file.

The connection between Okta and Centra is now configured.

Step 3: Configure the Okta group in Centra

This step enables configuring the actual users. In the following instructions we will configure Okta users, but in a real use case it could also be a user that is synced from an internal AD. All that matters is that the group is configured correctly.

1. In the Okta UI, click Directory/Groups, and click the Add Group button to add a new group (in this example, GC).

2. Click the group and associate users with it. In this example, a user named Test was associated with the group.

3. In Centra, select Admin/User Management/Permission Schemes, select a Permission Scheme and add the name of the group in the Linked Directory Groups box.

   Note: Make sure you type the name correctly, as there is no validation feedback on this field.

4. In the logon screen, run the SAML login flow.
Configuring SAML 2.0 SSO with Red Hat
This article provides instructions on how to configure SAML 2.0 for Guardicore Centra in the
Red Hat environment. The instructions comprise four stages:

Stage 1: Configure the IdP

Stage 2: Configure the Service Provider

Stage 3: Configure the Encryption Key

Stage 4: Configure the Permission Scheme in Centra

Stage 1: Configure the Identity Provider (IdP)

1. Sign into the RH-SSO admin console.

2. Make sure you are in the relevant realm that contains the users for the Centra integration.

3. In the Master menu, under Configure, choose Clients and click the Create button. The Add Client dialog box appears.

4. In the Add Client dialog box, add Guardicore as a client as follows:

   • Client ID - Enter the Centra URL – e.g. https://centra.acme.org.
   • Client Protocol - Select SAML.
   • In the Root URL (Client SAML Endpoint), enter the Centra URL + /sso-authenticate – e.g. https://centra.acme.org/sso-authenticate.
   • Click Save. A dialog box describing the new SAML client appears.

5. On the Settings tab, fill in the fields as follows:

   Field Value

   Name: A friendly name for the client
   Enabled: On
   Include AuthnStatement: On
   Sign Documents: On
   Sign Assertions: On
   Signature Algorithm: SHA256
   SAML Signature Key Name: CERT_SUBJECT
   Canonicalization Method: Exclusive
   Encrypt Assertions: On
   Client Signature Required: On
   Force POST Binding: On
   Front Channel Logout: OFF
   Force Name ID Format: OFF
   Name ID Format: email
   Valid Redirect URLs: The client SAML endpoint (in this example, http://centra.acme.org/sso-authenticate)
   Base URL: For example, https://centra.acme.org
   Master SAML Processing URL: The client SAML endpoint (in this example, http://centra.acme.org/sso-authenticate)

6. Select the Roles tab and make sure no roles are assigned to this client.

7. Select the Client Scopes tab and make sure no roles are assigned to this client.

8. Select the Mappers tab and click Create to display the Create Protocol Mapper dialog box.

9. In the Create Protocol Mapper dialog box, fill in the fields as follows:

   Field Value

   Name: memberOf
   Mapper Type: Group list
   Group attribute name: memberOf
   Friendly Name: memberOf
   SAML Attribute NameFormat: ON
   Single Group Attribute: ON
   Full Group Path: OFF

10. Click Save to save the data and return to the Mappers tab.

11. On the Mappers tab, select the add builtin button to display the Add Builtin Protocol Mapper dialog box.

12. In the Add Builtin Protocol Mapper dialog box, select x.500 email mapper and click the Add selected button.

13. On the Mappers tab, edit the x.500 email mapper as follows:

   • Change the friendly name to UserEmail.
   • Change the SAML Attribute Name to UserEmail.
   • Set SAML Attribute NameFormat to Basic.

   Note: If a user in the user@domain format has already been configured manually in Centra, SAML authentication will fail for that user and will default to local authentication.

14. Click Save.

15. On the Installation tab, in the Format Option list, select SAML Metadata IDPSSODescriptor.

16. Click the Download button to save the xml to a file.
Stage 2: Configure the Service Provider

SAML Directory Configuration

1. Log in as a global administrator to the Centra system.

2. Navigate to the Administration page.

3. Access User Administration>User Management>User Directories.

4. Add a new user directory.

5. Select SAML 2.0 SSO.

6. Idp Entity ID: copy the entityID url from the EntityDescriptor section in the xml from the previous section.

7. Idp SSO URL: copy the SingleSignOnService Location URL from the SingleSignOnService section in the xml from the previous section.

8. Idp Certificate: copy the certificate from the dsig:X509Certificate section in the xml from the previous section.

9. Click Verify.

10. Click Save.

Stage 3: Configure the Encryption Key

1. Click on the newly created entry; a pane should appear on the right.

2. Click the Key icon to download the public key for assertion encryption configuration.

3. Open the RH SSO console and select the client's SAML Keys tab.

4. Click Import under the Encryption Key section and import the PEM file downloaded from the Centra system.

5. Click Import under the Signing Key section and import the PEM file downloaded from the Centra system.

Stage 4: Configure the Permission Scheme in Centra

1. In Centra, access the User Permission Schemes and add the desired permissions or link the SAML directory service to one of the existing permission schemes.

2. Make sure the group name used for the user in the permission scheme is the same as the one defined in the IdP for the desired roles.
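Both the Okta and the Red Hat procedures above end with the same requirement: the assertion's email attribute and 'memberOf' group values must match, character for character, what Centra's user directory and the Linked Directory Groups field expect. The following added Python example (not Centra's implementation) shows that matching on a constructed assertion; it assumes the attributes are read from an assertion whose signature and encryption were already verified, and uses the Okta attribute name 'userEmail'.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (values are placeholders): an AttributeStatement as the Okta app above
# would emit it, with 'userEmail' and one or more 'memberOf' values in Basic name format.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid/placeholder</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="userEmail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>[email protected]</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>GC</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Return {attribute name: [values]} from the assertion's AttributeStatement(s).

    Signature and encryption checks are out of scope here: only feed this an assertion
    that has already been validated, or an attacker controls every value it returns.
    """
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if name is None:
            continue
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def extract_user_email(attrs: Dict[str, List[str]], attribute_name: str = "userEmail") -> Optional[str]:
    """Attribute names are compared exactly, so 'UserEmail' does not satisfy 'userEmail'."""
    values = attrs.get(attribute_name, [])
    return values[0] if values else None


def resolve_permission_schemes(attrs: Dict[str, List[str]], schemes: Dict[str, List[str]]) -> List[str]:
    """schemes maps a Permission Scheme title to its Linked Directory Groups.

    A group matches only on exact string equality; a typo or case difference in the
    Linked Directory Groups field silently yields no scheme, which is why the manual
    warns that the field gives no validation feedback.
    """
    groups = set(attrs.get("memberOf", []))
    return sorted(title for title, linked in schemes.items() if groups.intersection(linked))
```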

Create Kerberos Authentication in Centra

Creating Kerberos Authentication in Centra consists of three steps:

Step 1: Create a Keytab file.

Step 2: Configure Centra.

Step 3: Test the Configuration.

Step 1: Create a Keytab File

Creating a keytab file consists of the following procedures:

A. Create the user.

B. Create the keytab file.

A: Create the User

1. Create 'svc_guardicore' in the Active Directory.

2. Configure it to never expire and save the password for later; let's say the pass is "123456".

3. In User Settings, enable the following: 'This account supports Kerberos AES 256 bit encryption' and 'password never expires'.

B: Create the Keytab File

1. Open CMD (not PowerShell) on the AD server with admin privileges. Here is a quick review of the syntax:

2. Execute the following command as an admin on the AD server:

   `ktpass /princ HTTP/[email protected] /mapuser [email protected] /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass 123456 /out c:\centra`

3. Move the Centra Keytab file created in the 'C:\' drive to a secure location.

4. If you want to read more on keytab, here's all you need to know about Keytab files.

Step 2: Configure Centra

1. Make sure you already have LDAP configured in the system, as the permission group membership check relies on the LDAP connection.

2. Check the 'Enable Kerberos authentication' box:

   Note: In our demo, the values in the above figure are replaced with the following:
   Centra FQDN is centra.testing.gc
   Realm is testing.gc
   Keytab is the file that we saved in the previous section; upload it here. Once the file uploads, the box turns green.

3. After you configure all the Kerberos details, it should look like this:

Note that the test connection button only tests the LDAP connection and not the Kerberos one.

Step 3: Test the Configuration

1. Make sure you have access to a user and an endpoint that are part of the domain. The user should be part of a group in the AD that is allowed to access Centra.

2. While logged in with the domain user, open a Chrome browser and go to the Centra address.

3. You should get signed in automatically.

4. If you get signed in automatically but want to use a different built-in user, simply log out and use the alternative credentials.
Management Configuration
Centra offers a series of configuration screens (System/Configuration) in which you can
configure all aspects of the system. Following is a brief description of each screen.

General

Option Description

Show policy rule hit count calculation: Enables the rule hit count feature.

IPv6 enforcement: Derives IPv6 enforcement rules for Agents.

Show Labs: Shows the Labs section in the Centra Home page (Labs > DNS Queries).

Show Cloud Inventory: Shows Cloud Inventory in the Centra UI, under Inventory.

Mask passwords from exported incidents: Masks passwords in exported incident PDF or HTML files.

Guardicore System Domain: Enables manually configuring the Guardicore base URL.

Maximum AD groups to display: Maximum number of AD groups that will be displayed in selected menus.

Reveal

This screen enables configuring the labels used in Reveal maps:

Option Description

Default Grouping: The default label keys used for grouping in the Explore view, for example Environment, Application, Role. Separate the keys with commas to allow nested grouping.

Additional Grouping Options: Any other label keys, in addition to the default grouping, that can be used for grouping maps.

Application Label Key: The label key used for applications, for example Application. It is recommended to configure this before creating a Policy.

Environment Label Key: The label key used for environments, for example Environment. It is recommended to configure this before creating a Policy.

Containers

Option Description

Default Grouping: The default container fields used for grouping in the Explore view; separate multiple fields with commas. Available fields are: image_name, image_id, container_command, container_id, container_names.

Kubernetes Default Grouping: The default container fields used for grouping Kubernetes containers in the Explore view; separate multiple fields with commas. Available fields are: pod_name, pod_namespace, pod_id, image_name, image_id, container_command, container_id, container_names.

Allowed Docker Label Prefixes: The prefixes of Docker labels that will be added to connection information. Docker labels that do not match any of these prefixes are dropped.

K8s Label Prefixes Deny List: The prefixes of K8s labels that will NOT be ingested through automatic label creation. K8s labels that match any of these prefixes are ignored.

Scheduled Maps

Guardicore Centra provides scheduled Reveal maps generated automatically daily or hourly. Clicking Explore on the Reveal menu displays the latest map by default. The last three maps are stored in the quick map selector as well as on the Saved Maps page. Scheduled maps are unfiltered, with no special map features (no time resolution, no occurrences count, no incident highlights).

Scheduled maps are configurable: settings such as the time of map generation and the number of maps to store can be set in the Scheduled maps tab:

Option Description

Enable scheduled maps generation: Enables daily (or hourly) map generation.

Rotation interval: Frequency of scheduled map calculation (daily or hourly).

Daily scheduled maps start time (UTC): Start time of map calculation.

Number of maps to save: Number of scheduled maps to keep. Older maps are automatically deleted.

Alerts

Option Description

Expire alarms after (days): Number of days after which alarms expire.

Create system alerts for flags raised by agents: Whether or not to raise system alerts for missing components or agents.

Component missing notification time: Seconds elapsed since the last component update before marking it as missing.

Agent missing notification time: Seconds to wait since the last agent update before marking it as missing.

Authentication
Here you can configure 2-step verification, login timeouts and more.

Option Description

Enforce 2-Step Verification Policy: When this option is enabled, all users are required to set up 2-step verification.

User authentication expiration timeout: Number of minutes a user stays logged in.

Authentication soft timeout: Number of minutes of inactivity after which a user is disconnected.

Expire audit log entries after (days): Number of days before audit log entries expire.

Minimum interval for token usage update: The minimum number of seconds that must elapse since the last token usage information update before a new update is triggered.

Passwords

The Passwords configuration determines the password requirements for accessing Centra. Administrators can specify a wide range of password requirements, including the following:

• Minimum required password length (the maximum length is 40 characters).
• The required mix of upper-case and lower-case letters, numbers and symbols.
• The time before a password expires.
• Prevention of reusing previous passwords.
• The number of permitted failed login attempts after which the system locks out the local user.
• The number of minutes a user is locked out after exceeding the number of wrong password attempts.

The Password configuration screen is shown in the figure.
Dashboard

Option Description

Show live Incidents first in the dashboard: Shows live incidents before other incidents. If not checked, incidents are displayed according to their time.

Dashboard Tag Filter: Click and type tags to restrict the incidents displayed in the dashboard to those related to these tags (case sensitive).

Use shortened time frames

Hide external attackers widget on dashboard: Hides the widget that shows deception incidents from external attackers.

Exclude IPs from DNS statistics: Click and type IPs whose traffic will be excluded when calculating the 'Uncommon Domain Usage' statistics.

Reveal "Active" threshold: Percentage of asset-to-asset flows that will be displayed in Reveal maps.

Week time frame: Enables analysis based on data collected over the last seven days.

Exporters

Option Description

Severity Threshold: Type the minimum incident severity to export.

Filter incidents for export by tags: Click and type tags to restrict the exported incidents to those that include one or more tags from this list. To include all tags, leave the list empty.

IP Classification

Option Description

Internal subnets: Click and type IP subnets that will be treated as "internal", for example public address ranges owned by your organization. Add only subnets that are not IANA-reserved.
Domain Classification

Option Description

Trusted domains: Click and type a list of trusted domains.

Exclude trusted domains from dashboard: Excludes traffic to trusted domains when calculating the Uncommon Domain Usage statistics.

Exclude trusted domains from reputation: Excludes traffic to trusted domains when querying reputation services.

Include all trusted domains in reputation log: Includes traffic to all trusted domains in the reputation log, even without querying reputation services.

Agents Installation

Agents installation password: the password used for installing new Agents.

Plugins

Option Description

Enable Plugins: Enables plugins. When disabled, all communication with the plugins is disallowed.

Enable Guardicore Query (now called Insight): Enables Insight to query Agents and label them based on the results. When this option is checked, Insight appears as an option in the Centra UI.
System Info
This page enables you to generate debugging information about the system. This is particularly useful when support needs to analyze a system to which they have no direct access.

From System, select Info and click Gather System Information.

The system information consists of multiple files that are bundled into a single compressed file that you can download. Handle the downloaded archive as sensitive data.

Auditing
The Auditing page displays the administrator actions including time, action, username used
and originating IP address per each action. All records or a specific record on this page can
be exported to a CSV file.

Exporting to a CSV File


Clicking the CSV icon opens a dialog box where you can set the number of records you want
to export:

A sample CSV file looks like this:

System Log
The System Log provides a list of system events for a specified time range. More severe events (errors) are indicated by a red dot next to their ID; a yellow dot indicates a warning.

The origin of each event is also displayed. The events can be filtered by Severity (warning, error, info), Origin and Time period.
