Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

iQSonar ScanEngine can be use as IP discovery tool in your Estate and we will look on requirements and setup of the Project to scan an IP space for Devices.


Before we dive into the setup lets focus on what IP Discovery is/does and what it is not/does not do.


By IP Discovery we mean that given IP space (Single IP Address or Subnet or Range of IP's) will be scanned by iQSonar in order to find out, if an IP address does have an Device attached to it, secondly, if so what basic ports is this device listen to on.

As we can see there are two parts to IP Discovery.

1: ICMP Discovery:

    ScanEngine will PING an given IP address and awaits an respond, if there is an Device capable to respond to PING ScanEngine will mark the IP in question as success and move to the second part of the IP Discovery.

2: TCP Discovery or PORT Scan.

    Once we know that there is actual Device using the IP discovered in step 1, ScanEngine will scan Basic/Common PORT's in order to "guess" what type of the Device is it.

    The Basic/Common PORT's we will scan by default are: 22,23,80,443,135,139,445,5985,5986,902, but this can be adjusted if needed to include any unusual Port's used in the Estate.

    Based on the outcome of the Port scan we will "guess" what type of the Device it is and append an Suspected OS to it, if applicable or, if the certainty is high enough to guess the OS.


NOTE: As mentioned above we really guess the OS and that is due to fact that ScanEngine will NOT ATTEMPT to log in into the found Device.



How to set up an IP Discovery Project.

Prerequisites: 


It's highly recommended to use one ScanEngine per 0.5 million IP's or /13  Subnet, per Location. This will speed up the Discovery process.

We recommend to disable Target logging as well, so the ScanEngine performance on Disk IO will be as minimal as possible. There will be nothing to report in the Targets logs anyway and therefore are not required for any troubleshooting purpose.


Target logging disable:


1: Navigate to: C:\Program Files\iQuate\iQSonar ScanEngine 4.0\bin\  and open the iQSonar config file  iQuate.iQSonar.ScanEngine.exe.Config

2: In the Config navigate to part where appender-ref part is as shown bellow and comment out the part for <appender-ref ref="TargetFileAppender"/> shown in green

    NOTE: This is ordinary XML file format and there for XML stile is required.

</appender>
<root>
    <level value="FATAL"/>
    <!--<appender-ref ref="TargetFileAppender"/>-->
    <appender-ref ref="LogFileAppender"/>
    <appender-ref ref="ConsoleAppender"/>
    <appender-ref ref="TraceAppender"/>
    <appender-ref ref="ContextAppender"/>
    <appender-ref ref="EventLogAppender"/>
</root>

3: Once done, save file and restart the iQSonar service to pick up the new change we did.

4: Target log creation is disabled now.



Let's now focus on how to create and set up the Location with all necessary Connections and Product Adapters for IP Discovery only.

Locations:



  1. Lets add an Subnet we would like to scan, create a Sub-Location (One Location per ScanEngine) Details page can be left as is, Scan Window can be setup if needed. Target sets, click on Create
    Choose Target as Device
    Type as Subnet
    Name is mandatory: We will use IPSubnet24 in this example.
    Start IP will be Subnet first IP: 192.168.1.0                            NOTE: https://kthx.at/subnetmask/  List of Subnets with all details
    Subnet Mask Bits: 24
    Click on Save & Close

          

           

     

         


2. Connections setup.

    For IP Discovery we need to disable all Connections and Enable only ICMP Provider and TCP Provider and save the changes.


3. Product Adapters set up.

Once again we disable all adapters and enable only Device Discovery, save changes.


4. Locations are set up now, we wont be adding any Credentials as we don't need these. Now we can set up an Project as usually and start our IP Discovery scan.

Make sure that ALL Product Adapters are disable and only DEVICE DISCOVERY is enabled. Finish the Project setup and now we can run our IP Discovery for 192.168.1.0 /24 Subnet IP space.


Results diagnostics:


  1. Project Summary page will show how many Targets we setup to scan and how many Devices scan did find.

  2. Diagnostics page will show more details about each found device as shown bellow

     

     3. Getting the results from the iQSonarSE DB.

         To get the list of Found Devices run the SQL query against the iQSonarSE DB. The query will give us list which can be saved as CSV with Headers.

         

         SELECT j.JobID, j.IPAddress, j.StartDate AS [Scan Start],j.EndDate AS [Scan Ends], fd.SuspectedOS FROM jobs.t_job j
         join history.t_ArtifactHistory ah ON ah.JobID = j.JobID
         join model.t_FoundDevice fd ON fd.FoundDeviceID = ah.ObjectID
         WHERE ObjectType = 'FoundDevice'
         and DeviceID is null




















  • No labels