SkyboxReference Guide10.0.300Revision: 11

Proprietary and Confidential to Skybox Security. 2019 Skybox Security,Inc. All rights reserved.Due to continued product development, the information contained in thisdocument may change without notice. The information and intellectual propertycontained herein are confidential and remain the exclusive intellectual property ofSkybox Security. If you find any problems in the documentation, please reportthem to us in writing. Skybox Security does not warrant that this document iserror-free.No part of this publication may be reproduced, stored in a retrieval system, ortransmitted in any form or by any means—electronic, mechanical, photocopying,recording, or otherwise—without the prior written permission of Skybox Security.Skybox , Skybox Security, Skybox Firewall Assurance, Skybox NetworkAssurance, Skybox Vulnerability Control, Skybox Threat Manager, SkyboxChange Manager, Skybox Appliance 5500/6000/7000/8000/8050, and theSkybox Security logo are either registered trademarks or trademarks of SkyboxSecurity, Inc., in the United States and/or other countries. All other trademarksare the property of their respective owners.Contact informationContact Skybox using the form on our website or by [email protected] and partners can contact Skybox technical support via the SkyboxSupport portal

ContentsIntended Audience . 9How this manual is organized . 9Related documentation . 9Technical support . 9Part I: Tasks . 11Managing tasks . 12Requirements. 12User roles and tasks . 13Working with tasks . 14Task properties . 17Task messages . 19Device access management . 19Using CyberArk for device password management . 21Quick reference for data collection . e:reference:reference:reference:reference:Firewall configuration collection . 24Firewall traffic log and audit log collection . 29Proxies, VPN devices, and IPS devices. 30Load balancers . 31Routers, switches, and controllers . 32Scanners and operational technology . 35File import tasks . 38Import directory tasks . 38Data formats for file import tasks . 42Basic file import tasks . 46Advanced file import tasks . 48Collector file import tasks . 50Advanced collector file import tasks . 51Generic CSV file import tasks . 51Juniper SA files import tasks . 56Script invocation tasks . 57Importing interface and routing configuration. 59Firewall configuration tasks . 60Blue Coat proxy . 61Check Point FireWall-1 firewall . 63Check Point Provider-1 CMA . 76Check Point Gaia firewall . 83Check Point Security Management . 85Cisco Firepower Management Center . 89Cisco PIX/ASA/FWSM firewall . 90Cisco Security Manager . 96Skybox version 10.0.3003

Skybox Reference GuideDell SonicWALL firewall . 98DioNIS firewall . 99DPtech firewall . 100Forcepoint NGFW appliance . 102Fortinet FortiGate firewall . 103Fortinet FortiManager Security Management appliance . 108Genband firewall . 111Huawei Eudemon firewall . 113Juniper Networks Junos firewall . 115Juniper Networks Junos Space Network Management Platform . 118Juniper Networks NetScreen firewall . 120Juniper Networks Network and Security Manager. 123Linux iptables firewall. 125McAfee Enterprise (Sidewinder) firewall . 125Palo Alto Networks firewall . 127Palo Alto Networks Panorama . 132Sidewinder G2 (McAfee Enterprise) firewall . 134Sophos Unified Threat Management firewalls. 136VMware vShield Edge firewall . 137Firewalls implemented in software . 137Firewall rule usage analysis tasks . 140Syslog traffic events . 140Check Point FireWall-1 activity log data (LEA collection) . 149Examples of syslog records for rule usage analysis . 153Firewall change tracking tasks . 156Importing syslog change tracking events . 156Check Point FireWall-1 change events (audit log data) . 161Examples of syslog records for change tracking . 163IPS tasks . 164Trend Micro (HP) TippingPoint IPS devices . 164McAfee IPS devices . 167IBM Proventia G appliances . 168Load balancer tasks . 170A10 Networks load balancer . 170Brocade ADX load balancer . 173Cisco ACE load balancer . 174Cisco CSS load balancer . 176Citrix NetScaler load balancer . 178F5 BIG-IP load balancer. 180Pulse Secure vTM load balancer . 184Radware Alteon load balancer . 185Radware AppDirector load balancer . 187Radware WSD load balancer . 189Router, switch, and wireless controller tasks. 192Arista Networks router . 192Aruba Networks wireless controller . 195Skybox version 10.0.3004

ContentsAvaya router . 196Avaya ERS routing switch . 197Brocade VDX router . 200Cisco IOS router . 202Cisco Nexus router. 208Cisco Wireless LAN Controller . 212Dionis NX router . 214Enterasys router . 215Extreme Networks router . 217Juniper Networks MX router . 219HP ProCurve router . 219Huawei router . 221H3C router. 223Nortel Passport 8600 router . 225Vyatta router . 227Scanner tasks . 229Guidelines for setting up scanner tasks . 229BeyondTrust Retina scanner. 230McAfee Vulnerability Manager (Foundstone) scanner . 231IBM Security AppScan . 232IBM Security SiteProtector System. 234Qualys QualysGuard scanner. 235Rapid7 Nexpose scanner. 239Tenable Network Security Nessus scanner . 241Tenable Network Security . 243Tenable Network Security . 244Tripwire IP360 scanner. 246WhiteHat Sentinel scanner . 247Blacklists . 248Operational technology tasks . 251Claroty operational technology . 251CyberX operational technology . 252Indegy operational technology . 253SecurityMatters operational technology . 254Cloud and virtualization tasks . 256Amazon Web Services . 256Cisco ACI . 259Microsoft Azure . 260VMware NSX and vSphere . 262Management systems tasks . 265BMC BladeLogic Network Automation . 265ForeScout . 267HPE Network Automation . 268IBM BigFix . 270IBM z/OS . 271McAfee ePolicy Orchestrator . 271Microsoft SCCM . 272Microsoft WSUS . 274Skybox version 10.0.3005

Skybox Reference GuideRed Hat Satellite . 276SolarWinds NCM . 277Symantec Altiris . 279Trend Micro Deep Security . 280Twistlock . 281Microsoft Active Directory . 282CiscoWorks . 283HP Software & Solutions (OpenView) . 283Portnox Platform . 284Symantec Endpoint Management . 284Alerts and Vulnerability Definition feed tasks . 285Symantec DeepSight alert services . 285VeriSign iDefense alert services . 286Analysis tasks . 288Change tracking tasks . 288Exposure tasks . 289False positive reduction tasks . 290Policy compliance tasks . 291Rule recertification tasks . 292Security Metrics calculation tasks . 292Rule optimization status tasks . 292Vulnerability detection tasks: Patch data . 293Vulnerability detection tasks: Device configuration. 294Model maintenance tasks . 296Model completion and validation tasks. 296Copy model tasks . 300Model integrity tasks . 300Delete outdated entities tasks . 301Back up model and settings tasks . 302Server software update tasks . 303Collector software update tasks . 303Dictionary update tasks . 303Export tasks . 305Report generation tasks . 305Ticket creation tasks . 306CSV access rule review export tasks . 306CSV analysis export tasks . 308CSV change tracking export tasks . 309CSV compliance results export tasks . 310CSV Configuration Compliance export tasks . 311CSV exception export tasks. 313CSV Firewall Assurance export tasks . 314CSV optimization and cleanup export tasks . 316CSV security metrics export tasks . 317Elasticsearch index export tasks . 318Splunk export tasks . 319Qualys format XML vulnerability occurrences export tasks . 319Skybox version 10.0.3006

ContentsPart II: Tickets, reports, and notifications . 321Analyses . 322Skybox analyses . 322Customizing the display of an analysis . 322Types of analyses . 323Tickets reference . 329Tickets . 329Policies . 335Reports reference. 341Working with reports. 341Report properties. 347Tickets reports . 348Skybox Vulnerability Control and Skybox Threat Manager reports . 350Skybox Firewall Assurance reports . 370Skybox Network Assurance reports . 385Triggers reference . 388Triggers. 388Customizing notification templates . 396Selecting the correct template . 397Editing templates. 400Exportable data . 406CSV-exportable data . 406Other exports . 408Part III: Tools . 409Access Control List Editor . 410Using the Access Control List Editor . 410Access rule properties . 411Access rule properties: Rule review . 413Working with routing rules . 417Managing routing rules . 417Replicating routing rules . 420Troubleshooting missing devices (advanced) . 421Access Analyzer . 422Access Analyzer query fields: Vulnerability Control. 422Access Analyzer query fields: Firewall Assurance and Network Assurance 424Network Map . 427Network Map control panel . 427Network Map filter toolbar . 430Properties of single maps. 431Skybox version 10.0.3007

Skybox Reference GuideLayout properties . 434Part IV: Entities . 436Model entities . 437Entity relationships . 438Locking entity properties . 438Assets . 438Asset groups . 442Business Asset Groups . 442Business Units . 446Clouds . 447Locations . 451Networks . 451Network groups . 452Network interfaces . 453Services . 455Threat Origins . 456Vulnerability occurrences . 458Skybox version 10.0.3008

PrefaceIntended AudienceThe Skybox Reference Guide is the reference companion to the Skybox FirewallAssurance User Guide, the Skybox Network Assurance User Guide, the SkyboxVulnerability Control User Guide, the Skybox Threat Manager User Guide, and theSkybox Change Manager User Guide.The intended audience is readers of the User Guides who want additionaltechnical and in-depth information.How this manual is organizedThis manual:›››Contains reference information about Skybox, including the configuration ofcomponents and devicesProvides descriptions of the properties of analyses, tasks, and model entitiesDefines access, dependency, and routing rulesThe manual includes the following parts:››››Tasks (on page 11)Analyses, tickets, reports, and triggers (on page 321)Tools (on page 409)Entities (on page 436)Related documentationThe following documentation is available for Skybox:›››Skybox Installation and Administration GuideSkybox Developer GuideSkybox Release NotesThe entire documentation set (in PDF format) is available hereYou can access a comprehensive Help file from any location in Skybox Managerby using the Help menu or by pressing F1.Technical supportYou can contact Skybox using the form on our website or by [email protected] and partners can contact Skybox technical support via the SkyboxSupport portalSkybox version 10.0.3009

Skybox Reference GuideWhen you open a case, you need:›››››Your contact information (telephone number and email address)Skybox version and build numbersPlatform (Windows or Linux)Problem descriptionAny documentation or relevant logsYou can compress logs before attaching them by using the Pack Logs tool (seePacking log files for technical support, in the Skybox Installation andAdministration Guide).Skybox version 10.0.30010

Part I: TasksThis part describes Skybox tasks and their properties.

Chapter 1Managing tasksThis chapter gives an overview of how to set up and use Skybox tasks.In this chapterRequirements . 12User roles and tasks . 13Working with tasks . 14Task properties. 17Task messages . 19Device access management . 19Using CyberArk for device password management . 21REQUIREMENTSPythonMany collection tasks use scripts that are written in Python; to import devicedata to a Skybox model, you must have Python version 2.7 or higher installed onthe machine that is running the task (as specified by the Run in field of thetask).››If the Skybox Collector or Skybox Server for these tasks is running on aSkybox Appliance, you can install Python using an Install Python Tools forSkybox Appliance task (see Python installation task (on page 12)).To install Python manually, see Installing Python manually (on page 13).Note: Some collection tasks require the installation of additional Pythonpackages. These requirements are documented in the individual tasks.SSHThe connection type between a Skybox Collector and a device is provided in thedocumentation of each task.If the connection is over SSH, the Skybox Collector can only use a Diffie-Hellmankey of up to 2048 bits. Collection from a remote device that uses a larger key willfail.Python installation taskThe Install Python Tools for Skybox Appliance task installs the Pythoninfrastructure that is required by a number of collection tasks. The requirementfor Python is documented in the individual tasks.Skybox version 10.0.30012

Chapter 1Managing tasksRun this task once only for each Skybox Collector and Skybox Server running ona Skybox Appliance that is used for these tasks.Task propertiesThe properties that control Install Python Tools for Skybox Appliance tasksare described in the following table.PropertyDescriptionBasic tabRun inWhere to install Python.Python versionThe version of Python to install.Advanced tabLocation HintThe location of the Server or Collector on which to installPython.Note: Use this property when different locations use thesame set of IP addresses, so that devices running Skyboxcomponents at different locations can have the same IPaddress.Installing Python manuallyTo download and install Python on SkyboxNote: If you are using Skybox Appliance, you can install Python by running anInstall Python Tools for Skybox Appliance task (see Python installation task(on page 12)).1 Download and install Python from If you did not install Python to the default location, specify the location of thePython executable in Skybox Home \ component \conf\sb (where component is server or collector, depending on the value of the Run infield): (Windows) ScriptTask.WIN.PYTHON EXEC (Linux) ScriptTask.LINUX.PYTHON EXECUSER ROLES AND TASKSOnly Admins and Users have access to the Operational Console where Skyboxtasks are managed.Admins can create, manage, and run all tasks.Users can view tasks that add information to the model, delete information fromthe model, or save the model. They can create, manage, and run:››All analysis tasks››Ticket creation tasksAll report tasks, including CSV export tasks and XML vulnerability occurrenceexport tasksCopy model tasks (which copy model data from one model to another)Skybox version 10.0.30013

Skybox Reference GuideWORKING WITH TASKSThe Task dialog box is described in Task properties (on page 17).For information about the properties specific to each Skybox task, see the sectionrelating to the task.Tip: If you mouse over a field, a tooltip listing the values selected for that fi

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any f