Plugins

Skylar Compliance automates multi-vendor network device backup, compliance auditing, and change management. Skylar Compliance has been tested with the network device vendors and product types listed below, but may also be compatible with other products not listed.

The Skylar Compliance network device plugins are written to not only manage network configuration backup, but also to gather useful network inventory information. Each plugin is fully tested for disaster recovery, to ensure you can restore network services as quickly as possible during an outage or following a bad change.

Supported Vendors

Skylar Compliance has been tested with the network device vendors and product types listed in this section. Please note that Skylar Compliancet might also be compatible with other products not listed.

For more information on Plugins to enable your Skylar Compliance appliance, see Skylar Compliance Plugins at the ScienceLogic Support Center. For additional information, see the Knowledge Base article https://support.sciencelogic.com/s/article/14984 .

The configuration backup process for the vendors listed below creates a copy of the complete configuration and settings of the devices for that vendor. Configuration backups allow network administrators to recover quickly from a device failure, roll back from misconfiguration, or revert a device to a previous state.

Because configurations change in time, you should create configuration backups on a regular basis and store the backups in a secure location for any of the vendor plugins listed below.

3Com

Skylar Compliance includes support for the following 3Com device types:

• SuperStack 4400

• SuperStack 5500

A10 Networks

Skylar Compliance includes support for the following A10 Networks device types:

• Thunder SeriesA

• Galaxy Management System

APC

Skylar Compliance includes support for the following APC device types:

• APC Network Management Card (NMC)

AVI Networks

Skylar Compliance includes support for the following AVI Networks device types:

• AVI Networks Vantage

Accedian Networks

Skylar Compliance includes support for the following Accedian device types:

• Accedian VCX

• Accedian LTS

• Accedian GX

Alcatel

Skylar Compliance includes support for the following Alcatel device types:

• Omnistack

• Omniswitch

Allied Telesis

Skylar Compliance includes support for the following Allied Telesis device types:

• Switches

Arbor Networks

Skylar Compliance includes support for the following Arbor Networks device types:

• TMS

• SP

• APS

• AED

Arista

Skylar Compliance includes support for the following Arista device types:

• Arista Switches EOS

• Arista

Array Networks

Skylar Compliance includes support for the following Array Networks device types:

• SPX

Aruba

Skylar Compliance includes support for the following Aruba device types:

• Aruba Controllers

• Aruba Virtual Controllers (IAP)

• Airwave

• ArubaOS-CX

Additional Information About Using the Aruba Plugin

Review the following additional information about Aruba Controllers & Switches:

• Aruba Controllers require an additional password (the "enable" password). When Aruba Controller is selected in the Type drop-down field, an additional Secondary Password field is displayed; use this field to enter the "enable" password.

• For ArubaOS version 8 and newer, you should select the "Backup" option instead of the individual "Startup" or "Running" configurations. Selecting "Flash" will additionally back up all files in flash memory.

• The backup operation saves the device running configuration, not the startup configuration.

• The restore operation copies the backup to the startup configuration.

• Skylar Compliance can use Telnet or SSH to connect to the device. The device will use SCP (if SCP is selected in the Protocol drop-down field) or TFTP (if SSH or Telnet are selected) to transfer its configuration to Skylar Compliance.

  Ensure that the following ports are not blocked by any firewalls between Skylar Compliance and the Aruba Controller or Switch device:

  • 23/TCP (for Telnet)

  • 22/TCP (for SSH)

  • 69/UDP

Review the following additional information about Aruba Virtual Controllers (IAP)

• Skylar Compliance uses SSH to connect to the device; the device uses TFTP to transfer its configuration to Skylar Compliance.

• Ensure that the following ports are not blocked by any firewalls between Skylar Compliance and the Aruba Virtual Controller:

  • 22/TCP (for SSH)

  • 69/UDP

Astaro

Skylar Compliance includes support for the following Astaro device types:

• Security Gateway

Audiocodes

Skylar Compliance includes support for the following Audiocodes device types:

• Mediant

Avocent

Skylar Compliance includes support for the following Avocent device types:

• Advanced Console Server (ACS)

BalaBit

Skylar Compliance includes support for the following Balabit device types:

• SCB - Shell Control Box

• SSB - Syslog-ng

• STORE BOX

Barracuda Networks

Skylar Compliance includes support for the following Barracuda Networks device types:

• NG Firewall

• Web Application Firewall

• Load Balancer

• SPAM Firewall

• Web Filter

Big Switch Networks

Skylar Compliance includes support for the following Big Switch Networks device types:

• Big Monitoring Fabric (BMF)

Bloxx

Skylar Compliance includes support for the following Bloxx device types:

• Web Filter

Blue Coat

Skylar Compliance includes support for the following Blue Coat (Symantec) device types:

• Content Analysis System (CAS)

• ProxySG/ASG

• ProxyAV

• Management Server

• Director

• PacketShaper

Because Skylar Compliance backs up the ProxySG full configuration, including the appliance certificates, it can fully restore a configuration to either the same device, or a different one, without the need to re-generate the SSL certificates. The latter operation would be required if you manually restored a configuration to a new device.

Bomgar

Skylar Compliance includes support for the following Bomgar device types:

• Bomgar

Brocade

Skylar Compliance includes support for the following Brocade device types:

• EdgeIron

• FastIron

• Fabric Switches

• VDX Vyatta

• NOS

Carbon Black

Skylar Compliance includes support for the following Carbon Black device types:

• Carbon Black Response

Check Point

Skylar Compliance includes support for the following Check Point device types:

• GAIA

• Scalable Platform

• SecurePlatform based devices

• IP Series - IPSO (Nokia)

• SmartCenter

• Provider-1

• Smart-1

• VSX

• UTM Edge X

• Connectra

• SG80/1100 Series

Skylar Compliance can use SCP, SSH, Telnet and TFTP to retrieve the configuration.

Usage Scenario: Skylar Compliance and SmartCenter Failure

The Check Point SmartCenter is an integral component in a Check Point firewall deployment. It enables organizations to perform all aspects of security management via a single, unified console. However, even if the SmartCenter contains all the security policy information for all the gateways, it does not store critical configuration information about a SecurePlatform-based appliance, in particular:

• Gateway interface IP addresses (although this information is available in the SmartCenter, it cannot be "pushed" by the SmartCenter to the gateway)

• Routing tables

• Secure Internal Communication (SIC) Certificates

• SSH keys

• Local Secureplatform administrator accounts

In practice, the SmartCenter can only install a security policy on a new gateway (for instance, in a disaster recovery scenario) after all the interfaces and routing tables have been configured, and the SIC trust have been established. In a disaster scenario where the SmartCenter server needs to be completely rebuilt, the lack of a full configuration backup could make the difference between being back up and running in a few minutes and an extended outage.

For example, the lack of a backup of the SIC data requires re-initializing SIC on the SmartCenter, and reset/re-initialise SIC on all gateways (which causes a gateway restart). Skylar Compliance performs a full configuration backup, and can restore on to a newly installed Secureplatform server, making it virtually identical to the original server before the failure.

Additional Information About Using the Check Point Plugin

Skylar Compliance can back up the following:

• Full Backup. The full Check Point and operating system configuration. This is recommended for disaster recovery, because it includes both the operating system and network configuration, and the Check Point software configuration (for example security policy, objects, SIC, revision control database, and so forth). Unlike a snapshot, it does not include the operating system, product binaries, and hotfixes.

• Operating System Configuration. Allows saving Gaia OS configuration settings as a ready-to-run command-line interface script. This lets you review your current setup and quickly restore the Gaia OS configuration. When restoring, these commands are read from the configuration file and executed. Skylar Compliance uses the clienv on-failure continue clish command, so if conflicting settings are encountered (for instance, an attempt to create an already existing user account), the restore will continue, but the conflicting setting might not restore. This is caused by the Gaia command-line interface and is not a limitation of Skylar Compliance.

• Snapshot. The snapshot creates a binary image of the entire root disk partition. This includes Check Point products, configuration, and operating system. The log partition is not included in the snapshot. As a result, any locally stored firewall logs will not be saved. Be advised that snapshots can be very large. Starting in R77.10, exporting an image from one machine and importing that image on another machine of the same type is supported. Restoring from a snapshot is not yet supported in Skylar Compliance.

• Database Export. The backup created by the Check Point migration tools. Database Export can only be used on SmartCenters, and it can be used for hardware migration or software upgrades. Logs can optionally be backed up by selecting the Include Logs checkbox.

• CP Info. The CP Info output, which can be used to submit software/hardware debugging information to Check Point. You must have the latest version of the CP Info tool installed.

• Additional Files. You can also back up custom files that are not normally included in the Check Point backup. Skylar Compliance requires full path names.

Review the following additional information about using the Check Point Plugin:

• Skylar Compliance uses SSH to connect to the device. When transferring the backup, Skylar Compliance uses a secondary connection either in the same direction (if SCP is selected), or a back-connection from the device back to Skylar Compliance (if SSH is selected).

• If you select SCP, the user account used to connect to the device must be a full administrator with the "bash" shell:

  • Navigate to User Management > Users in the Gaia user interface and create or edit a user account.

  • Change the user shell from /etc/cli.sh to /bin/bash.

  • Ensure that the user is assigned the adminRole.

  • Select the Command Line checkbox under Access Mechanisms.

• When restoring, you must ensure that the target system is running the same software version and hotfixes as the system from which the backup was taken. Even if the full backup normally contains all hotfixes, restoring to a different version may still fail. This is a Check Point restriction, which may be overridden if required with this command: dbset backup:override_hfs .

• When restoring, a reboot is not usually needed, because the Check Point configuration is reloaded on completion. However, a reboot might be necessary to reload the operating system network settings.

• After restoring a firewall module, the connection between Skylar Compliance and the device might be terminated, because the security policy is reloaded or the gateway was rebooted. In this case, Skylar Compliance tries to reconnect to the device and verify that the Skylar Compliance operation was successful.

• Skylar Compliance can update the Deployment Agent software and install hotfixes. These must be imported on the Software tab of the device. Hotfixes must be CPUSE packages. The software update has been tested with R77.30.

• Ensure that port 22/TCP (for SSH) is not blocked by any firewalls in either direction between Skylar Compliance and the device. You will also need to enable SSH in the Gaia user interface under System Management > Host Access.

• If you are backing up or restoring a Check Point SmartCenter, ensure that no SmartCenter clients are connected to the device, otherwise the operation will fail because the configuration is locked.

Cisco

Skylar Compliance includes support for the following Cisco device types:

• ACE (including contexts)

• ADE

• ACS

• APIC

• ASA and FWSM (including contexts)

• CatOS (Catalyst) based switches

• CBS - Cisco Business Switches

• CSR/ASR

• CSS

• DNA Center (DNAC)

• ESA

• ENCS - Enterprise Network Compute System

• FireSIGHT IPS & Management Center (NGIPS)

• FirePower Gateway & Management

• FXOS

• IOS / IOS-XE / IOS-XR based devices

• ISE

• IMC

• Ironport

• ISE - Identity Service Engine

• Meraki GS

• MDS storage switches

• NX-OS Nexus switches

• PIX

• SG/SF

• UCS - Cisco Unified Computing System

• Unity Express

• Viptela vManage

• WAAS

• WLC - Wireless LAN Controllers

• WSA

Cisco Prime Cisco Unified Communications Manager Suite:

• Cisco Enterprise License Manager

• Cisco Unified Presence

• Cisco Emergency Responder

• Cisco Unified Contact Center Express

• Cisco Unity Connection

Wherever possible, Skylar Compliance will back up both the running and the startup configuration and notify when they do not match.

For Ironport appliances, Skylar Compliance also backs up the users' Safelists and Blacklists in addition to the configuration file. Skylar Compliance can use SSH, SCP, telnet and TFTP to retrieve the configuration.

Cisco Meraki

Skylar Compliance includes support for the following Cisco Meraki device types:

• Meraki MR

• Meraki MX

• Meraki MS

• Meraki Networks

Additional Information About Using the Cisco Meraki Plugin

Review the following information about using the Cisco Meraki Plugin with Cisco Meraki MX appliances:

• Your Skylar Compliance appliance needs access to https://api.meraki.com on port 443.

• The Meraki MX plugin and the accompanying import tool require Skylar Compliance version 5.4 or later.

• Cisco Meraki devices require an API Key of a user account created on the Cisco Meraki dashboard. The API key should be entered into the password field. An account with read-only access to the organization will only be able to backup, not restore configuration.

• The Meraki MX appliance must have a private IP address assigned to an uplink interface. Skylar Compliance does not directly connect to this IP address, but Skylar Compliance uses the address to populate device information.

• The Organization ID is required by Skylar Compliance. To find your Organization ID, visit the Meraki API Developer page, click the Configuration button and enter your API key. Click Save, then Run.

• Some restore functions will restore the configuration as shown in Skylar Compliance in its entirety. This will remove configuration data that was added after the backup was taken. This affects:

  • Management Interface

  • Uplinks

  • Cellular Firewall Rules

  • Inbound Firewall Rules

  • Layer 3 Firewall Rules

  • Layer 7 Firewall Rules

  • One To One NAT Rules

  • One To Many NAT Rules

  • Port Forwarding Rules

• Some restore functions will update or restore all individual parts of the configuration type. Specific, arbitrary configurations (an individual VLAN, for example) cannot be chosen in Skylar Compliance. When restoring, this will not delete configuration data added after the backup was taken. This affects:

  • LAN Configuration

  • Firewalled Services

  • Static Routes

• The Meraki API has a limit of ten requests per second. ScienceLogic recommends spreading out scheduled backups for all Meraki Networks & Devices in Skylar Compliance as much as possible to avoid API failures and locking out Skylar Compliance from backing up your other devices.

Review the following information about using the Cisco Meraki Plugin with Cisco Meraki Networks:

• Your Skylar Compliance appliance needs access to https://api.meraki.com on port 443.

• The Meraki Network plugin (and accompanying import tool) require Skylar Compliance version 5.4 or later.

• Cisco Meraki devices require an API Key of a user account created on the Cisco Meraki dashboard. The API key should be entered into the password field. An account with read-only access to the organization will only be able to backup, not restore configuration.

• Meraki Networks do not have an IP address, but Skylar Compliance requires every 'device' to have one. An unused, private IP should be used. Multiple Networks can use the same IP.

• The Organization ID is required by Skylar Compliance. To find your Organization ID, visit the Meraki API Developer page, click the Configuration button and enter your API key. Click Save, then Run. Networks can be found using the Get Organization Networks API endpoint.

• Network Switch configurations backed up include: Access Control Policies, Access Control Lists, OSPF Configuration.

• Network Wireless configurations backed up include: non-default SSIDs, SSID Layer 3 & Layer 7 Firewall Rules.

• Restoring Meraki Network configurations is not currently supported.

• The Meraki API has a limit of ten requests per second. ScienceLogic recommends spreading out scheduled backups for all Meraki Networks & Devices in Skylar Compliance as much as possible to avoid API failures and locking out Skylar Compliance from backing up your other devices.

Review the following information about using the Cisco Meraki Plugin with Cisco Meraki MS Switches:

• Your Skylar Compliance appliance needs access to https://api.meraki.com on port 443.

• The Meraki MS plugin (and accompanying import tool) require Skylar Compliance version 5.4+ or later.

• Cisco Meraki devices require an API Key of a user account created on the Cisco Meraki dashboard. The API key should be entered into the password field.

• The Meraki switch must have a private IP address applied to its management interface. Skylar Compliance does not directly connect to this IP address, but it is required for filtering device information.

• The Organization ID is required by Skylar Compliance. To find your Organization ID, visit the Meraki API Developer page, click the Configuration button and enter your API key. Click Save, then Run.

• Some restore functions will restore the configuration as shown in Skylar Compliance in its entirety. This will remove configuration data that was added after the backup was taken. This affects:

  • Management Interfaces

• Some restore functions will update or restore all individual parts of the configuration type, and specific, arbitrary configurations (an individual switchport, for example) cannot be chosen in Skylar Compliance. When restoring, this will not delete configuration data added after the backup was taken. This affects:

  • Switchports

  • Layer 3 Interfaces

  • Static Routes

• The Meraki API has a limit of ten requests per second. ScienceLogic recommends spreading out scheduled backups for all Meraki Networks & Devices in Skylar Compliance as much as possible to avoid API failures and locking out Skylar Compliance from backing up your other devices.

Review the following information about using the Cisco Meraki Plugin with Cisco Meraki Access Points:

• Your Skylar Compliance appliance needs access to https://api.meraki.com on port 443.

• The Meraki MR plugin (and accompanying import tool) require Skylar Compliance version 5.4 or later.

• Cisco Meraki devices require an API Key of a user account created on the Cisco Meraki dashboard. The API key should be entered into the password field. An account with read-only access to the organization will only be able to backup, not restore configuration.

• The Meraki MR AP must have a private IP address assigned to an uplink interface. Skylar Compliance does not directly connect to this IP address, but it is used for populating device information.

• The Organization ID is required by Skylar Compliance. To find your Organization ID, visit the Meraki API Developer page, click the Configuration button and enter your API key. Click Save, then Run.

• Some restore functions will restore the configuration as shown in Skylar Compliance in its entirety. This will remove configuration that was added after the backup was taken. All individual parts of the configuration will be restored and specific, arbitrary configurations (an individual SSID, for example) cannot be chosen individually in Skylar Compliance. This affects:

  • Management Interfaces

• The Meraki API has a limit of ten requests per second. ScienceLogic recommends spreading out scheduled backups for all Meraki Networks & Devices in Skylar Compliance as much as possible to avoid API failures and locking out Skylar Compliance from backing up your other devices.

Citrix

Skylar Compliance includes support for the following Citrix device types:

• NetScaler (ADC) VPX, VDX

• XenServer

Claroty

Skylar Compliance includes support for the following Claroty device types:

• Continuous Threat Detection (CTD)

• Clarity SRA

ConSentry

Skylar Compliance includes support for the following ConSentry device types:

• LANShield

Crossbeam

Skylar Compliance includes support for the following Crossbeam device types:

• C-Series

• X-Series

Cumulus (NVIDIA Networks)

Skylar Compliance includes support for the following Cumulus device types:

• Cumulus Switches

D-Link

Skylar Compliance includes support for the following D-Link device types:

• DGS 3100

• Dell Networking N-Series

• Dell OS10

Dell

Skylar Compliance includes support for the following Dell device types:

• N-Series

• S-Series

• SonicWall NSA

• Dell Networking OS10

Digi

Skylar Compliance includes support for the following Digi device types:

• PortServer TS

• ConnectPort LTS

• Digi CM

EfficientIP

Skylar Compliance includes support for the following EfficientIP device types:

• SOLIDServer

Enterasys

Skylar Compliance includes support for the following Enterasys device types:

• Enterasys Switches

Extreme Networks

Skylar Compliance includes support for the following Extreme Networks device types:

• ExtremeWare Switches

• Extreme XOS Devices

• Extreme BOSS

• Extreme VOSS

• Extreme WING

Additional Information About Using the Extreme Networks Plugin

Review the following information about using the Extreme Networks Plugin:

• Skylar Compliance backs up the following:

  • The main Extreme switch XML configuration; this is usually primary.cfg, but Skylar Compliance will detect the file name from the switch.

  • Any policy files that are referenced by the configuration.

  • A plain text representation of the active configuration (Running Config). This cannot be restored to the switch; the XML configuration should be used instead.

• Skylar Compliance will use Telnet to connect to the device, and the device will use TFTP to transfer its configuration to Skylar Compliance. Ensure that ports 23/TCP and 69/UDP are not blocked by any firewalls between Skylar Compliance and the device.

• If no virtual router is specified, Skylar Compliance uses vr-default.

F5

Skylar Compliance includes support for the following F5 device types:

• BigIP Series

• F5OS

Additional Information About Using the F5 Plugin

Review the following information about using the F5 Plugin:

• Skylar Compliance can back up and restore the configuration in both UCS and the SCF (Single Configuration File) formats. The SCF format is useful when restoring to a different device or platform, where the UCS format may not be used.

• The Firmware Push has been tested with F5 BigIP software versions 14 and 15. Clustered F5 systems are not supported.

• Skylar Compliance uses SSH and SCP to connect to the device and download the configuration as a UCS archive, which includes the following:

  • All BIG-IP specific configuration files

  • BIG-IP product licenses

  • User accounts and password information

  • SSL certificates and keys

• Ensure that port 22/TCP is not blocked by any firewalls between Skylar Compliance and the device.

• When entering the login credential, use an account with the advanced shell enabled.

• Skylar Compliance has been tested with F5 BigIP software version 9-15.

FarSite Communications

Skylar Compliance includes support for the following FarSite Communications device types:

• FarSite FarLinx Gateways

FireEye

Skylar Compliance includes support for the following FireEye device types:

• EX Series

• FX Series

• HX Series

• AX Series

• CM Series

Forcepoint

Skylar Compliance includes support for the following Forcepoint device types:

• Web Security (previously WebSense)

• Mail Security (previously Websense Email Security Gateway)

Fortinet

Skylar Compliance includes support for the following Fortinet device types:

• FortiAnalyzer

• FortiAuthenticator

• FortiADC

• FortiGate

• FortiMail

• FortiManager

• FortiProxy

• FortiSandbox

• FortiSwitch

• FortiWeb

Fujitsu

Skylar Compliance includes support for the following Fujitsu device types:

• Fujitsu Fabric Eternus

Genie Networks

Skylar Compliance includes support for the following Genie Networks device types:

• GenieATM series

Genua

Skylar Compliance includes support for the following Genua device types:

• genucenter

Gigamon

Skylar Compliance includes support for the following Gigamon device types:

• GigaVUE

HP

Skylar Compliance includes support for the following HP device types:

• A-Series Switches

• Blade System

• Comware Switch

• G-Series Switches

• GbE2c

• OfficeConnect

• Procurve Switches

• Synergy Switch Module

• Virtual Connect Manager

Hillstone

Skylar Compliance includes support for the following Hillstone device types:

• NG Firewall (StoneOs)

Hirschmann (Belden)

Skylar Compliance includes support for the following Hirschmann device types:

• RS

• RSR

• MS

• OCTOPUS

• PowerMICE

• MACH

Huawei

Skylar Compliance includes support for the following Huawei device types:

• Huawei Switches (VRP)

• Huawei Routers (VRP)

IBM

Skylar Compliance includes support for the following IBM device types:

• IBM SAN Volume Controller

• IBM DataPower

• Integrated Management Module (IMM)

• QRadar

Imperva

Skylar Compliance includes support for the following Imperva device types:

• SecureSphere

Indeni

Skylar Compliance includes support for the following Indeni device types:

• Indeni Virtual Appliance

Infoblox

Skylar Compliance includes support for the following Infoblox device types:

• NetMRI

• Network Appliance

• WAPI

Juniper

Skylar Compliance includes support for the following Juniper device types:

• JUNOS

• JUNOS SPACE

• SRX

• J-series

• M-series

• Juniper MAG

• Network Security Manager (NSM)

• ScreenOS-based devices (SSG, ISG, Netscreen Firewall, etc)

• Secure Access Series (Binary & XML)

• SA IVS

• WLC (Trapeze)

• WXOS

Additional Information About Using the Juniper Plugin

Review the following information about using the Juniper Plugin:

• Skylar Compliance backs up both the binary configuration files and the XML configuration for the Juniper Secure Access (SA) configuration.

• Skylar Compliance can use several methods to back up Juniper devices, including Telnet, SSH, HTTPS, TFTP.

Kemp

Skylar Compliance includes support for the following Kemp device types:

• LoadMaster

KeySight Technologies

Skylar Compliance includes support for the following Keysight Technologies device types:

• Keysight Vision ONE

• IXIA Vision One

Lantronix

Skylar Compliance includes support for the following Lantronix device types:

• Lantronix SLC Console Manager

Lenovo

Skylar Compliance includes support for the following Lenovo device types:

• Flex System Fabric Scalable Switch

Linux

Skylar Compliance includes support for the following Linux device types:

• Most Linux variants (for instance, RHEL, CentOS, OpenSUSE)

Backup options include:

• Apache

• BIND

• SNMP

• OpenLDAP

• OpenSSH

• DHCP

• Squid

• Splunk

• FreeRADIUS

• OpenVPN

• Log files

• Additional files or directories can also be collected

Skylar Compliance can back up and restore the configuration of individual applications running on a Linux host, such as OpenLDAP, BIND, DHCP, Squid and so forth.

MRV Communications

Skylar Compliance includes support for the following MRV Communications device types:

• LambdaDriver Management Module

• OptiDriver

Macmon

Skylar Compliance includes support for the following Macmon device types:

• macmon appliances

McAfee

Skylar Compliance includes support for the following McAfee device types:

• Firewall Enterprise (SideWinder)

• Web Gateway (inc. WebWasher)

Mellanox Onyx

Skylar Compliance includes support for the following Mellanox Onyx device types:

• Mellanox Onyx Advanced Ethernet Operating System

Microsens

Skylar Compliance includes support for the following Microsens device types:

• Microsens Switch

MikroTik

Skylar Compliance includes support for the following MikroTik device types:

• Mikrotik RouterOS

Mirapoint

Skylar Compliance includes support for the following Mirapoint device types:

• Message Server

• RazorGate

Moxa

Skylar Compliance includes support for the following Moxa device types:

• Moxa Industrial Ethernet Switches

NetApp

Skylar Compliance includes support for the following NetApp device types:

• NetApp FAS

• NetApp ONTAP

Netscout

Skylar Compliance includes support for the following NetScout device types:

• NetScout PFOS

Netgate

Skylar Compliance includes support for the following Netgate device types:

• pfSense Firewall

Nokia

Skylar Compliance includes support for the following Nokia device types:

• IP Series (IPSO)

• SAR

Nomadix

Skylar Compliance includes support for the following Nomadix device types:

• Nomadix Access Gateway

Nortel/Avaya

Skylar Compliance includes support for the following Nortel/Avaya device types:

• 4500 Series

• 5600 Series

• 8300 / 8600 Series

• Baystack

• Ethernet Routing Switches (ERS)

Nozomi

Skylar Compliance includes support for the following Nozomi device types:

• Nozomi N2OS devices

OPNsense

Skylar Compliance includes support for the following OPNsense device types:

• OPNsense Firewall

Opengear

Skylar Compliance includes support for the following Opengear device types:

• IM4200

• IM7200

Oracle

Skylar Compliance includes support for the following Oracle device types:

• PDG

• Session Router

• SBC

• SLB

• SMX

Palo Alto

Skylar Compliance includes support for the following Palo Alto device types:

• Firewall Platforms

• Panorama Management

Palo Alto Plugin Use Case One

Challenge: Back up/restore network devices

In the event of failure due to network connectivity issues or other outages, Skylar Compliance can be configured to retry the backup and generate alerts. The number of retries, interval and alerts can be set as required for the Palo Alto environment. For convenience, backups can be configured so that files created by Skylar Compliance are automatically prefixed with the Device ID or the Device Name, or any other custom prefix as required.

Palo Alto Plugin Use Case Two

Challenge: Detect changes and automate compliance analysis for audit and security purposes

The compliance feature of Skylar Compliance allows configuration and status checks to be run for each registered Palo Alto Networks device to assess conformance to a target baseline. These checks can inspect backed-up configuration files, and if required, can also include commands and scripting (LUA), utilizing additional device controls during backup runtime (or scheduled), to interrogate each device and report findings by analyzing the output with regular expression.

Additional Information About Using the Palo Alto Plugin

Review the following information about using the Palo Alto Plugin:

• When adding a Palo Alto firewall, you must use a super-user account. A read-only super-user account is sufficient for the default configuration backup, but not for the Device State backup.

• Backups might fail if the administrator account on the device is configured with the default password.

• If you are adding a Panorama-managed Palo Alto firewall, you can also back up the state information, which includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information.

• When Panorama is selected, do not select Device State for backup, because this configuration type is not available on the device.

• During a restore operation, Skylar Compliance will restore and commit the saved configuration.

• Skylar Compliance can back up the device either using the XML API over HTTPS, or an SSH connection. When using SSH, the device uses either SCP or TFTP to transfer its configuration to Skylar Compliance. Ensure that ports 443/TCP (when using the API) or 22/TCP and 69/UDP (when using SSH) are not blocked by any firewalls between Skylar Compliance and the device.

• Skylar Compliance can upgrade the PanOS software. This has been tested with PanOS 8.

• Skylar Compliance supports real-time change detection using syslog. Before enabling this in the Skylar Compliance user interface, you first need to define a Syslog Profile in the Palo Alto user interface with the Skylar Compliance IP address (Device tab > Server Profiles > Syslog), then add this profile to the Configuration section on the Log Settings page, so that any configuration change or commit sends a syslog message to Skylar Compliance.

• By default, the device uses the management interface to transfer its configuration via SCP/TFTP. If you want to use a different interface, it must be specified by the source IP in the Source IP field on the Connection tab. This setting is ignored when using the XML API.

Phoenix Contact

Skylar Compliance includes support for the following Phoenix Contact device types:

• mGuard

PineApp

Skylar Compliance includes support for the following PineApp device types:

• Mail-SeCure

Proofpoint

Skylar Compliance includes support for the following Proofpoint device types:

• Proofpoint Enterprise Protection

PulseSecure

Skylar Compliance includes support for the following Pulse Secure device types:

• Pulse Connect Secure

Qiata

Skylar Compliance includes support for the following Qiata device types:

• Qiata File Transfer Appliances

RSA

Skylar Compliance includes support for the following RSA device types:

• RSA Authentication Manager

RUGGEDCOM (Siemens)

Skylar Compliance includes support for the following RUGGEDCOM device types:

• Siemens RUGGEDCOM Routers and Switches (ROS & ROX)

Radware

Skylar Compliance includes support for the following Radware device types:

• Alteon

• AppDirector

• LinkProof

• vADC

Raisecom

Skylar Compliance includes support for the following Raisecom device types:

• Raisecom RAX devices

Riverbed

Skylar Compliance includes support for the following Riverbed device types:

• SteelHead

• SteelFusion Core

Skylar Compliance can back up both the binary and text configurations of the devices running RiOS versions 5, 6 and 7.

Ruckus Wireless

Skylar Compliance includes support for the following Ruckus Wireless device types:

• ZoneDirector

• Ruckus SmartZone

SEPPmail

Skylar Compliance includes support for the following SEPPMail device types:

• SEPPMail Appliances

Additional Information About Using the SEPPmail Plugin

Review the following information about using the SEPPmail Plugin:

• Skylar Compliance backs up both the encrypted and cleartext configurations of the SEPPMail appliance using HTTPS.

• Skylar Compliance has been tested with SEPPMail version 6.1.4.

SafeNet

Skylar Compliance includes support for the following SafeNet device types:

• SafeNet DataSecure

• SafeNet Network HSM (formerly Luna SA)

SentinelOne

Skylar Compliance includes support for the following SentinelOne device types:

• SentinelOne Hologram (previously Attivo BOTsink)

Silver Peak

Skylar Compliance includes support for the following Silver Peak device types:

• NX Appliances

• VX Appliances

Skylar Compliance

Skylar Compliance supports additional devices not listed here, using SCP/SFTP/FTP file copy and CIFS

Skylar Compliance supports additional devices not listed in this guide through the generic device plugin, where Skylar Compliance works as a secure FTP server. In order to use the generic push device plug-in, the device must be capable of uploading its configuration at regular intervals using FTP. Be advised that device clusters, or devices that upload multiple files are not supported by the Generic plug-in.

Smoothwall

Skylar Compliance includes support for the following Smoothwall device types:

• Secure Web Gateway

Sonus

Skylar Compliance includes support for the following Sonus device types:

• Tenor DX VOIP Switch

Stonesoft

Skylar Compliance includes support for the following Stonesoft device types:

• StoneGate SMC

Stormshield

Skylar Compliance includes support for the following Stormshield device types:

• Stormshield UTM Firewall

Symantec

Skylar Compliance includes support for the following Symantec device types:

• Symantec Encryption Management Server

• Symantec Messaging Gateway (Brightmail)

Synology

Skylar Compliance includes support for the following Synology device types:

• DSM

TP-Link

Skylar Compliance includes support for the following TP-Link device types:

• TP-Link Smart Switch

Tenable

Skylar Compliance includes support for the following Tenable device types:

• Tenable Nessus vulnerability assessment

TippingPoint

Skylar Compliance includes support for the following TippingPoint device types:

• TippingPoint SMS

Trend Micro

Skylar Compliance includes support for the following Trend Micro device types:

• InterScan Web Security Virtual Appliance (ISWSVA)

• InterScan Messaging Security Virtual Appliance (IMSVA)

Tufin

Skylar Compliance includes support for the following Tufin device types:

• T Series Appliances

• Tufin Virtual Appliance

• Tufin Aurora

Skylar Compliance supports the choice of a full Tufin backup or a configuration-only backup. When choosing between configuration-only and full backup, consider the following:

• Configuration-only. Backs up only the SecureTrack configuration information. The backup and restore operations complete very quickly. When you restore from a configuration-only backup, you have everything you need to start collecting revisions, analyzing files, and running reports.

• Full Backup. Backs up the entire SecureTrack database, including configuration, policy revisions and historical reports. Backup and restore operations can be quite time-consuming.

The following items are backed up by Skylar Compliance:

• All settings, including Users, Domains, Zones, Licences, TOP plugins

• Policy Analysis Queries

• Reports and Audit Definitions

• Performance Alerts

• Topology

The following items are backed up by Skylar Compliance when using a full backup:

• All items listed above

• Policy Revisions

• Revision Comments

• Automatic Policy Generator Data Rule Documentation

• Rule and Object Usage Data

• Firewall OS Monitoring Data

• Published Reports

• Plug-n-Play License Information

When restoring from a configuration-only backup, the following items need to be redefined:

• Rule Change Reports

• Security Risk report exceptions

• SecureChange Access Requests

Additional Information About Using the Tufin Plugin

Review the following information about using the Tufin Plugin:

• You must choose at least one of the following configurations to back up:

  • SecureTrack. Select what type of ST backup to perform. Full performs a backup of the SecureTrack database and configuration. Config Only will only include SecureTrack configuration information. None ignores the SecureTrack settings.

  • SecureChange. SecureChange and SecureApp database and configuration.

  • Suite Administration. Includes Suite Administration backup data.

• Use the Temp Dir field to enter a directory on the Tufin appliance to be used for temporary storage during backup. /var/tmp is used if this field is left blank.

• Tufin might occasionally overestimate the amount of storage required to back up the appliance, and refuse to back up as a consequence. Use the Force checkbox to override the disk space check. Be advised, this might result in filling a filesystem on the Tufin appliance.

• Skylar Compliance uses SSH and SCP to connect to the device. Ensure that port 22/TCP is not blocked by any firewalls between Skylar Compliance and the device.

• When entering the login credentials, use the root account with the advanced shell enabled. If you cannot use root, you must use an account that is authorized (via /etc/sudoers) to become root using the sudo command.

Ubiguiti Networks

Skylar Compliance includes support for the following Ubiquiti Networks device types:

• AirOS devices

vArmour

Skylar Compliance includes support for the following vArmour device types:

• Application Controller

VMware

Skylar Compliance includes support for the following VMware device types:

• ESX Hypervisor

Vectra Networks

Skylar Compliance includes support for the following Vectra Networks device types:

• Vectra Networks X-Series

Viptela

Skylar Compliance includes support for the following Viptela device types:

• Viptela vManage

Wallix

Skylar Compliance includes support for the following Wallix device types:

• Wallix Bastion

WatchGuard

Skylar Compliance includes support for the following WatchGuard device types:

• Firebox X

• XTM

ZPE Systems

Skylar Compliance includes support for the following ZPE Systems device types:

• NodeGrid

Zertificon

Skylar Compliance includes support for the following Zertificon device types:

• SecureMail

• Z1

Zhone

Skylar Compliance includes support for the following Zhone device types:

• CPE

• MALC

• Raptor XP