Preparing for OmniCenter
OmniCenter uses existing manufacturer APIs to collect data from systems without having to install additional agents. The following is a guide to preparing the devices in your environment to get the best results when deploying OmniCenter.
Whenever practical, Netreo recommends installing OmniCenter on a core network, inside any firewalls used for perimeter protection. Because OmniCenter uses a wide variety of protocols for management (including direct connections to applications for monitoring and management), implementation is greatly simplified by this approach. Firewall port and protocol information is included here for your convenience, and destination port numbers are specified.
Outbound Firewall Configuration
OmniCenter can operate without Internet access, however, licensing, software updates, and remote support are greatly simplified with some basic Internet access.
For remote technical support and customization, allow:
(Application-aware firewalls will need to configure this as SSL/TLS and OpenVPN.)
- Destination host: charon.netreo.net
- Port: TCP/443 (default)
- Port: UDP/1194 (optional)
For automatic OmniCenter licensing, allow:
(Application-aware firewalls will need to configure this as SSL/TLS or HTTPS.)
- Destination host: activation.netreo.net
- Port: TCP/443
For software update support, allow: (Application-aware firewalls will need to configure this as SSL/TLS and YUM.)
- Destination host: updates.netreo.net
- Port: TCP/443
- Port: TCP/80
For high availability cluster communication (only required if using the OmniCenter HA feature set):
- Port: TCP/443
- Port: TCP/4567
- Port: TCP/4568
- Port: TCP/4444
- Port: TCP/48100
For OmniCenter Mobile and Cloud features:
Netreo uses a wide variety of dynamic technologies to route and assign users to the best or closest cloud-hosted server, so it is not possible to restrict access to group of IP addresses. Netreo recommends allowing outbound access for SSL/TLS or HTTPS on port 443. If your firewall allows you to restrict access by domain name, you can use the following destinations (all are port TCP/443):
For geocoding information used by the OmniCenter geographic map feature, allow:
Network Devices (Routers, Switches, UPSs, Load Balancers, Wireless, Firewalls, etc.)
OmniCenter uses SNMP to collect this data. Your devices should be configured to respond to SNMP from the IP address of the OmniCenter appliance. Only read-only access is required. Netreo recommends SNMPv2c for performance reasons. OmniCenter includes a device configuration manager used for backing up device configurations and tracking changes. OmniCenter will need privileged login credentials to these devices in order to use the configuration management features.
OmniCenter uses the Windows Management Interface (WMI) or Windows Remote Management (WinRM) to collect data from these systems. In order to use WMI, you will need to setup a service account in your network that OmniCenter can use to log into your servers. This account should not be shared with other monitoring systems, and should not be restricted as to the number of concurrent logins. The account will need the “DCOM” permission, have local administrative privileges on the system to be monitored, or be part of the “Domain Admins” group. Check the Netreo knowledge base for additional information on Windows account privileges and setup.
Linux / Unix Servers
For these devices OmniCenter uses SNMP and the Host Resources MIB. Most of these servers include a package called “Net-SNMP” to provide SNMP access for management systems. Make sure this package (or similar) is installed and the agent (SNMPD) is running.
To collect metrics for virtual resources in vCenter, OmniCenter uses the APIs VMware has made available for that purpose. OmniCenter invokes a limited number of the API operations available and requires a service account that includes the System.Anonymous, System.Read and System.View privileges. More detailed information can be found in the vSphere 5 Documentation Center.
As with the switches, routers, and servers OmniCenter can also get SNMP status information off your power, HVAC, or environmental monitoring equipment. Make sure an SNMP agent is listening and the proper access-list entries (if applicable) are set up.
Requirements for monitoring specific applications can vary widely, but a few applications which are often mission-critical that you should consider monitoring at the application level include SQL (MSSQL, Oracle, MySQL), Web Applications (including shared or cloud-hosted applications), Email (locally hosted or cloud-based), and DNS. OmniCenter is generally configured to send alerts via email. Our best practice recommendation is to allow OmniCenter to communicate outbound to the Internet on port TCP/25, as this allows direct connections to smartphone gateways that you want to receive alerts. If that access is not possible, you can relay SMTP mail through an internal server, however this creates a single point of failure for alerts if that relay host stops responding, so we recommend this configuration only as a last resort or for testing purposes.
- SQL: OmniCenter will require SQL access to the server in question. MSSQL is often on the default port of TCP/1433. Oracle uses a complex series of ports, documented here. MySQL is often on port TCP/3306.
- Web/Cloud: Port TCP/80 or TCP/443, or occasionally a custom port.
- Email: SMTP on port TCP/25, TCP/587, or TCP/465; and IMAP on port TCP/143 or TCP/993.
- DNS: Port UDP/53
SNMP (Simple Network Management Protocol) is the main protocol used for Linux servers and network devices (such as routers, switches, firewalls, and load balancers). It provides a simple, efficient, standardized way of collecting data from devices. SNMP uses the concept of a “community string” (which functions much like a password) to authorize connections to the device.
- Netreo recommends the use of SNMPv2c for most customer environments.
- Configure the SNMP community string with read-only permissions.
- Restrict SNMP access by using the filter or access-list functionality of the device under management to limit access to the specific IP address of the OmniCenter appliance.
- Note: In “High-Availability” environments, you will want to make sure all of the OmniCenter appliance IP addresses are included on this list.
- Read-write access is not generally required for OmniCenter to fully monitor devices and should not be left enabled.
- Ensure your edge routers or firewalls are blocking SNMP traffic from the Internet and from non-controlled networks.
Although SNMP v2c does not provide encryption, as long as you are monitoring internal systems from inside your security perimeter, this generally does not create a significant security threat, as the information that can be gathered with read-only permissions is fairly limited.
If you are monitoring systems over the public Internet or other shared networks (where packet capture and eavesdropping is a potential security risk), OmniCenter supports the use of SNMPv3 for greater security. Under these conditions, Netreo recommends the use of AUTHPRIV mode only. Be sure to check that the devices you wish to manage support SNMPv3 in the AUTHPRIV mode. Other SNMPv3 modes add overhead without enhancing security.
Due to the higher overhead and lower performance offered by SNMPv3, customers should consider the implications carefully before deciding to standardize on SNMPv3. For assistance and advice specific to your environment and configuration, please review the article SNMP Security Best Practices or feel free to contact Netreo Support.
- SNMP: Port UDP/161 for polled data collection and port UDP/162 for Trap messages (originating from the device to OmniCenter).
WMI / WSMAN
WMI and WSMAN (for WinRM) are protocols used to collect data from Windows servers. WMI is enabled by default on all versions of Windows since 2003. WSMAN is installed by default on Windows servers since 2008, but must be enabled manually. The primary difference is that WSMAN uses an encrypted web API for data collection—which is much simpler to configure if the traffic has to traverse a firewall. WSMAN does not require https for encryption.
Either of these requires an account with administrator privileges or DCOM permissions on the device to be managed. See Limiting WMI permissions for more information on how to use non-administrator accounts to access Windows statistics.
- WMI: Port TCP/135 and all high ports (1024-65535), bidirectionally.
- WSMAN: Port TCP/5985 originating from OmniCenter.
Windows Event Log
In order to collect Windows Event Log (WEL) data, OmniCenter has to retrieve it from the device under management. This is in contrast to Syslog, where the device sends the data to OmniCenter.
- OmniCenter will not generate alerts for WEL messages unless you create specific Alert rules to do so.
- OmniCenter uses the same Windows account credentials for WEL collection as it does for WMI/WSMAN, and the permissions required are the same.
- WEL requires access to port TCP/135 and all high ports (1024-65535), bidirectionally.
Syslog is a protocol used to push messages on demand from the devices under management back to OmniCenter. The biggest issue with syslog is that it can generate a large number of messages, obscuring important details with routine or trivial ones.
Netreo recommends configuring syslog on critical infrastructure devices, but that you configure those devices to limit the messages sent to warning level or higher.
- OmniCenter will collect any syslog messages sent to it, but will not generate alerts for those messages unless you create syslog alert rules to do so.
- It’s good practice to restrict the syslogs being sent to warning or more severe levels.
- Netreo recommends against sending syslogs from firewalls into OmniCenter, as it is not designed to be a dedicated high-volume log processing tool.
- Syslog uses port UDP/514, originates from the device and is received by OmniCenter.
Configuration Management / Looking Glass
OmniCenter provides device configuration management (push/pull) as well as real-time command execution (looking glass and active response) to devices.
OmniCenter can use either SSH or Telnet to connect to CLI devices for these features. Where possible, Netreo recommends the use of SSH since it includes encryption functionality. Telnet is insecure and should only be used if the device under management does not support SSH v2. OmniCenter does not support the SSH v1 protocol, as it is insecure and obsolete.
- Use SSH where supported by the device under management.
- Do not use Telnet unless you must, as it is insecure.
- If your environment uses a centralized login such as Radius or TACACS for authentication, use a dedicated OmniCenter account to manage access.
- If you are using filters or access lists to restrict CLI access, be sure to include the specific IP address of the OmniCenter appliance.
- Note: In High-Availability environments, you will want to make sure all of the OmniCenter appliance IP addresses are included on this list.
- SSH uses port TCP/22
- Telnet uses port TCP/23
Netflow / sFlow / IPFIX
OmniCenter supportsNetFlow (version 5 or 9), sFlow and IPFIX export from devices for traffic and protocol analysis and volume information. Flow export technologies such as these cause the network devices (typically layer 3 devices like routers) to send ‘accounting level’ information to OmniCenter (which includes source and destination address, port, protocol, and volume data) for reporting purposes, in order to provide deeper performance information.
When configuring flow technologies such as these, the goal is to configure the fewest number of exporters possible while still insuring that OmniCenter can collect data on all the required traffic. OmniCenter automatically detects and processes duplicate flows to avoid creating incorrect traffic counts, but this is not always possible in complex network configurations.
- OmniCenter supports multiple versions ofNetFlow, including IPFIX.
- UsingNetFlow Version 5 or greater is recommended.
- ConfigureNetFlow to export to the host address of OmniCenter using port UDP/2055.
- Configure sFlow to export to the host address of OmniCenter using port UDP/2056.
- ConfigureNetFlow on the outbound interfaces of layer 3 devices whenever possible.
- Avoid creating duplicate flow reporting by not configuring flow on every possible interface.
- OmniCenter uses subnet information to correlate traffic with source/destination sites, so ensure that you have configured or detected the required subnets in OmniCenter.
- NetFlow is typically configured on port UDP/2055 originating from the device, but the port number can vary by environment.