ExtraHop Trace Admin UI User manual
ExtraHop 8.8
ExtraHop Trace Admin UI Guide
© 2022 ExtraHop Networks, Inc. All rights reserved.
This manual in whole or in part, may not be reproduced, translated, or reduced to any machine-readable
form without prior written approval from ExtraHop Networks, Inc.
For more documentation, see https://docs.extrahop.com/.
Published: 2022-03-22
ExtraHop Networks
Seattle, WA 98101
877-333-9872 (US)
+44 (0)203 7016850 (EMEA)
+65-31585513 (APAC)
www.extrahop.com
ExtraHop 8.8 ExtraHop Trace Admin UI Guide 3
Contents
Introduction to the ExtraHop Trace Admin UI 6
Supported browsers 6
Status and Diagnostics 7
Health 7
Audit Log 8
Fingerprint 8
Support Scripts 9
Run the default support script 9
Run a custom support script 9
Exception Files 9
Network Settings 10
Connect to ExtraHop Cloud Services 10
Configure your firewall rules 11
Connect to ExtraHop Cloud Services through a proxy 11
Bypass certificate validation 12
Connectivity 12
Configure an interface 12
Interface throughput 14
Set a static route 14
Enable IPv6 for an interface 15
Global proxy server 15
ExtraHop Cloud proxy 15
Bond interfaces 16
Create a bond interface 16
Modify bond interface settings 16
Destroy a bond interface 17
Notifications 17
Configure email settings for notifications 17
Add a new notification email address on an Explore or Trace appliance 18
Configure settings to send notifications to an SNMP manager 18
Download the ExtraHop SNMP MIB 19
Send system notifications to a remote syslog server 19
SSL Certificate 20
Upload an SSL certificate 20
Generate a self-signed certificate 20
Create a certificate signing request from your ExtraHop system 20
Trusted Certificates 21
Add a trusted certificate to your ExtraHop system 21
Access Settings 23
Passwords 23
Change the default password for the setup user 23
Support Access 23
Generate SSH key 23
Regenerate or revoke the SSH key 24
Users 24
Add a local user account 24
ExtraHop 8.8 ExtraHop Trace Admin UI Guide 4
Users and user groups 25
Local users 25
Remote Authentication 25
Remote users 25
User groups 26
User privileges 26
Sessions 31
Remote Authentication 31
Configure remote authentication through LDAP 31
Configure user privileges for remote authentication 33
Configure remote authentication through RADIUS 34
Configure remote authentication through TACACS+ 35
Configure the TACACS+ server 36
API Access 37
Manage API key access 37
Configure cross-origin resource sharing (CORS) 37
Generate an API key 38
Privilege levels 38
Appliance Settings 41
Running Config 41
Save system settings to the running config file 41
Edit the running config 42
Download the running config as a text file 42
Disable ICMPv6 Destination Unreachable messages 42
Disable specific ICMPv6 Echo Reply messages 42
Services 43
Configure the SNMP service 43
Firmware 44
Upgrade the firmware on your ExtraHop system 44
Pre-upgrade checklist 44
Upgrade the firmware on Command and Discover appliances 45
Upgrade the firmware on Explore appliances 45
Upgrade the firmware on Trace appliances 46
Upgrade connected sensors in Reveal(x) 360 46
System Time 47
Configure the system time 48
Shutdown or restart 48
License 48
Register your ExtraHop system 49
Register the appliance 49
Troubleshoot license server connectivity 49
Apply an updated license 50
Update a license 50
Disks 51
Encrypt the packetstore disk 51
Change the packet capture disk encryption key 52
Add storage capacity to the ExtraHop Trace appliance 52
Compatibility 52
Installation prerequisites 53
Set up the extended storage unit 53
Shut down the Trace appliance 53
Connect the extended storage unit 53
Attach the extended storage unit 54
Managing extended storage units with a foreign packetstore status 55
ExtraHop 8.8 ExtraHop Trace Admin UI Guide 5
For extended storage units disconnected and then reconnected to the
same Trace appliance 56
For extended storage units configured on a device other than the Trace
appliance 56
Reset Packetstore 56
Trace Cluster Settings 57
Manager 57
Packet Query Status 57
Remove packet queries 58
Manage with a Command appliance 58
ExtraHop 8.8 ExtraHop Trace Admin UI Guide 6
Introduction to the ExtraHop Trace Admin UI
The ExtraHop Trace Admin UI Guide provides detailed information about the administrator features and
functionality of the ExtraHop Trace appliance.
In addition, this guide provides an overview of the global navigation and information about the controls,
fields, and options available throughout the Trace Administration settings.
After you have deployed your Trace appliance, see the Trace Post-deployment Checklist .
We value your feedback. Please let us know how we can improve this document. Send your comments or
suggestions to [email protected].
Supported browsers
The following browsers are compatible with all ExtraHop systems. Apply the accessibility and compatibility
features provided by your browser to access content through assistive technology tools.
• Firefox
• Google Chrome
• Microsoft Edge
• Safari
Important: Internet Explorer 11 is no longer supported. We recommend that you install the latest
version of any supported browser.
ExtraHop 8.8 ExtraHop Trace Admin UI Guide 7
Status and Diagnostics
The Status and Diagnostics section includes metrics and logging data about the current state of the Trace
appliance and enables system administrators to view the overall system health.
Health
Provides metrics about the operating efficiency of the Trace appliance.
Audit Log
Enables you to view event logging data and to change syslog settings
.
Fingerprint
Provides the unique hardware fingerprint for the Trace appliance.
Support Scripts
Enables you to upload and run support scripts.
Exception Files
Enable or disable the Trace appliance exception files.
Health
The Health page provides a collection of metrics that enable you check the operation of the Trace
appliance.
The metrics on this page can help you troubleshoot problems and determine why the ExtraHop appliance is
not performing as expected.
System
Reports the following information about the system CPU usage and disk drives.
CPU User
Displays the percentage of CPU usage associated with the Trace appliance user.
CPU System
Displays the percentage of CPU usage associated with the Trace appliance.
CPU Idle
Displays the CPU idle percentage associated with the Trace appliance.
CPU IO
Displays the percentage of CPU usage associated with the Trace appliance IO functions.
Service Status
Reports the status of Trace appliance system services.
exadmin
Displays the time the Trace appliance web portal service started.
exconfig
Displays the time the Trace appliance config service started.
excap
Displays the time the Trace appliance capture service started.
Interfaces
Reports the status of Trace appliance network interfaces.
ExtraHop 8.8 ExtraHop Trace Admin UI Guide 8
RX packets
Displays the number of packets received by the Trace appliance on the specified interface.
RX Errors
Displays the number of received packet errors on the specified interface.
RX Drops
Displays the number of received packets dropped on the specified interface.
TX Packets
Displays the number of packets transmitted by the Trace appliance on the specified interface.
TX Errors
Displays the number of transmitted packet errors on the specified interface.
TX Drops
Displays the number of transmitted packets dropped on the specified interface.
RX Bytes
Displays the number of bytes received by the Trace appliance on the specified interface.
TX Bytes
Displays the number of bytes transmitted by the Trace appliance on the specified interface.
Partitions
Reports the status and usage of Trace appliance components. The configuration settings for these
components are stored on disk and retained even when the power to the appliance is turned off.
Name
Displays the Trace appliance settings that are stored on disk.
Options
Displays the read-write options for the settings stored on disk.
Size
Displays the size in gigabytes for the identified component.
Utilization
Displays the amount of memory usage for each of the components as a quantity and as
percentage of total disk space.
Audit Log
The audit log provides data about the operations of your ExtraHop system, broken down by component.
The audit log lists all known events by timestamp, in reverse chronological order.
If you experience an issue with the ExtraHop system, consult the audit log to view detailed diagnostic data
to determine what might have caused the issue.
Fingerprint
Fingerprints help secure appliances from machine-in-the-middle attacks by providing a unique identifier
that can be verified when connecting ExtraHop appliances.
When connecting an Explore or Trace appliance with a Discover appliance or Command appliance, make
sure that the fingerprint displayed is exactly the same as the fingerprint shown on the join or pairing page.
If the fingerprints do not match, communications between the devices might have been intercepted and
altered.
ExtraHop 8.8 ExtraHop Trace Admin UI Guide 9
Support Scripts
ExtraHop Support might provide a support script that can apply a special setting, make a small adjustment
to the ExtraHop system, or provide help with remote support or enhanced settings. The Administration
settings enable you to upload and run support scripts.
Run the default support script
The default support script gathers information about the state of the ExtraHop system for analysis by
ExtraHop Support.
1. Log in to the Administration settings on the ExtraHop system through https://<extrahop-
hostname-or-IP-address>/admin.
2. In the Status and Diagnostics section, click Support Scripts.
3. Click Run Default Support Script.
4. Click Run.
When the script completes, the Support Script Results page appears.
5. Click the name of the diagnostic support package that you want to download. The file saves to the
default download location on your computer.
Send this file, typically named diag-results-complete.expk, to ExtraHop Support.
The .expk file is encrypted and the contents are only viewable by ExtraHop Support. However, you
can download the diag-results-complete.manifest file to view a list of the files collected.
Run a custom support script
If you receive a custom support script from ExtraHop Support complete the following procedure to make a
small adjustment to the system or apply enhanced settings.
1. Log in to the Administration settings on the ExtraHop system through https://<extrahop-
hostname-or-IP-address>/admin.
2. In the Status and Diagnostics section, click Support Scripts.
3. Click Run Custom Support Script.
4. Click Choose File, navigate to the diagnostic support script you want to upload, and then click Open.
5. Click Upload to run the file on the ExtraHop system.
ExtraHop Support will confirm that the support script achieved the desired results.
Exception Files
Exception files are a core file of the data stored in memory. When you enable the Exception File setting,
the core file is written to the disk if the system unexpectedly stops or restarts. This file can help ExtraHop
Support diagnose the issue.
• Click Enable Exception Files or Disable Exception Files to enable or disable the saving of exception
files.
ExtraHop 8.8 ExtraHop Trace Admin UI Guide 10
Network Settings
The Network Settings section provides the following configurable network connectivity settings.
Connectivity
Configure network connections.
SSL Certificate
Generate and upload a self-signed certificate.
Notifications
Set up alert notifications through email and SNMP traps.
The Trace appliance has two 10/100/1000baseT network ports and four 10 GbE SFP+ network ports. By
default, the Gb3 port is configured as the management port and requires an IP address. Port 5 is the default
monitor (or capture) interface.
Before you begin configuring the network settings, verify that a network patch cable connects the
Gb3 port on the Trace appliance to the management network. For more information about installing a
Trace appliance, see the ExtraHop Trace appliance deployment guide or contact ExtraHop Support for
assistance.
For specifications, installation guides, and more information about your appliance, see the complete
ExtraHop documentation set at docs.extrahop.com .
Connect to ExtraHop Cloud Services
ExtraHop Cloud Services provides access to ExtraHop cloud-based services through an encrypted
connection. The services you are connected to are determined by your system license.
After the connection is established, information about the available services appear on the ExtraHop Cloud
Services page.
• ExtraHop Machine Learning Service enables detections for your ExtraHop system. In Reveal(x)
Enterprise, you can enable security-only or security and performance detections. In addition, you can
allow the ExtraHop Machine Learning Service to access pre-filtered, plaintext external IP addresses as
well as plaintext domains and hostnames. These settings enable the system to identify new categories
of detections and improve the accuracy of existing detections. See the Collective Threat Analysis FAQ
for more information.
• ExtraHop Update Service enables automatic updates of resources to the ExtraHop system, such as
ransomware packages.
• ExtraHop Remote Access enables you to allow ExtraHop account team members, ExtraHop Atlas
analysts, and ExtraHop Support to connect to your ExtraHop system for configuration help. If you have
signed up for the Atlas Remote Analysis service, ExtraHop analysts can perform an unbiased analysis of
your network data and report on areas in your IT infrastructure where improvements can be made. See
the Remote Access FAQ for more information about remote access users.
Before you begin
• Reveal(x) 360 systems are automatically connected to ExtraHop Cloud Services, however, you might
need to allow access through network firewalls.
• You must apply the relevant license on the ExtraHop system before you can connect to ExtraHop
Cloud Services. See the License FAQ for more information.
• You must have unlimited privileges to access Administration settings.
1. Log in to the Administration settings on the ExtraHop system through https://<extrahop-
hostname-or-IP-address>/admin.
2. In the Network Settings section, click ExtraHop Cloud Services.
ExtraHop 8.8 ExtraHop Trace Admin UI Guide 11
3. Click Terms and Conditions to read the content.
4. Read the terms and conditions, and then select the checkbox.
5. Click Connect to ExtraHop Cloud Services.
After you are connected, the page updates to show status and connection information for each service.
6. (Optional) In the Machine Learning Service section, select the checkbox for Contribute to the Machine
Learning Service for collective threat analysis and then select one of the following options:
• External IP addresses
• External IP addresses, domains, and hostnames
If the connection fails, there might be an issue with your firewall rules.
Configure your firewall rules
If your ExtraHop system is deployed in an environment with a firewall, you must open access to ExtraHop
Cloud Services. For Reveal(x) 360 systems that are connected to self-managed sensors, you must also open
access to the ExtraHop Cloud Recordstore.
Open access to Cloud Services
For access to ExtraHop Cloud Services, your sensors must be able to resolve DNS queries for
*.extrahop.com and access TCP 443 (HTTPS) from the IP address that corresponds to your sensor license:
• 35.161.154.247 (Portland, U.S.A.)
• 54.66.242.25 (Sydney, Australia)
• 52.59.110.168 (Frankfurt, Germany)
Open access to Cloud Recordstore
For access to the ExtraHop Cloud Recordstore, your sensors must be able to access outbound TCP 443
(HTTPS) to these fully-qualified domain names:
•bigquery.googleapis.com
•oauth2.googleapis.com
•www.googleapis.com
•www.mtls.googleapis.com
•iamcredentials.googleapis.com
You can also review the public guidance from Google about computing possible IP address ranges for
googleapis.com.
In addition to configuring access to these domains, you must also configure the global proxy server settings.
Connect to ExtraHop Cloud Services through a proxy
If you do not have a direct internet connection, you can try connecting to ExtraHop Cloud Services through
an explicit proxy. If your proxy acts as a "man-in-the-middle", ensure that CONNECT requests are allowed
over port 22.
1. Log in to the Administration settings on the ExtraHop system through https://<extrahop-
hostname-or-IP-address>/admin.
2. In the Network Settings section, click Connectivity.
3. Click Enable ExtraHop Cloud Proxy.
4. Type the hostname for your proxy server, such as proxyhost.
5. Type the port for your proxy server, such as 8080.
6. (Optional) If required, type a user name and password for your proxy server.
7. Click Save.
ExtraHop 8.8 ExtraHop Trace Admin UI Guide 12
Bypass certificate validation
Some environments are configured so that encrypted traffic cannot leave the network without inspection
by a third-party device. This device can act as an SSL/TLS endpoint that decrypts and re-encrypts the traffic
before sending the packets to ExtraHop Cloud Services.
If the ExtraHop system cannot connect to the proxy server because the certificate validation has failed, you
can bypass certificate validation and then connect to ExtraHop Cloud Services.
Note: The following procedure requires familiarity with modifying the ExtraHop Running
Configuration file.
1. Log in to the Administration settings on the ExtraHop system through https://<extrahop-
hostname-or-IP-address>/admin.
2. In the Appliance Settings section, click Running Config.
3. Click Edit config.
4. Add the following line to the end of the Running Config file:
"hopcloud": { "verify_outer_tunnel_cert": false }
5. Click Update.
6. Click View and Save Changes.
7. Review the changes and click Save.
8. Click Done.
Connectivity
The Connectivity page contains controls for your appliance connections and network settings.
Interface Status
On physical appliances, a diagram of interface connections appears, which updates dynamically
based on the port status.
• The blue Ethernet port is for management
• A black Ethernet port indicates a licensed and enabled port that is currently down
• A green Ethernet port indicates an active, connected port
• A gray Ethernet port indicates a disabled or unlicensed port
Network Settings
• Click Change Settings to add a hostname for your ExtraHop appliance or to add DNS servers.
Proxy Settings
• Enable a global proxy to connect to an ExtraHop Command appliance
• Enable a cloud proxy to connect to ExtraHop Cloud Services
Bond Interface Settings
• Create a bond interface to bond multiple interfaces together into one logical interface with a
single IP address.
Interfaces
View and configure your management and monitoring interfaces. Click any interface to display
setting options.
•Collect traffic from NetFlow and sFlow devices
•Packet Forwarding with RPCAP
Configure an interface
1. In the Network Settings section, click Connectivity.
2. In the Interfaces section, click the name of the interface you want to configure.
ExtraHop 8.8 ExtraHop Trace Admin UI Guide 13
3. On the Network Settings for Interface <interface number> page, select one of the following options
from the Interface Mode drop-down:
Option Description
Disabled The interface is disabled.
Monitoring Port (receive only) Monitors network traffic.
Management Port Manages the ExtraHop appliance.
Management Port + Flow Target Manages the ExtraHop appliance and captures
traffic forwarded from a flow network.
Note: If you enable NetFlow on the EDA 1100
or EDA 1000v, you must disable Interface
2. These appliances cannot process
NetFlow and wire data simultaneously.
Management Port + RPCAP/ERSPAN/VXLAN
Target
Manages the ExtraHop appliance and captures
traffic forwarded from a packet forwarder,
ERSPAN*, or VXLAN**.
While 10 GbE management + capture interfaces
on the EDA 10200, EDA 9200, and ETA 8250
can conduct management functions at 10 Gbps
speeds, processing traffic such as ERSPAN is
limited to 1 Gbps.
Tip: In environments with asymmetric
routing adjacent to the high-
performance interfaces, ping replies
might not get back to the sender.
High-Performance ERSPAN/VXLAN Target Captures traffic forwarded from ERSPAN* or
VXLAN**. This interface mode enables the port to
handle more than 1 Gbps. Set this interface mode
if the ExtraHop appliance has a 10 GbE port. This
interface mode only requires that you configure
an IPv4 address.
*The ExtraHop system supports the following ERSPAN implementations:
• ERSPAN Type I
• ERSPAN Type II
• ERSPAN Type III
• Transparent Ethernet Bridging. ERSPAN-like encapsulation commonly found in virtual switch
implementations such as the VMware VDS and Open vSwitch.
**Virtual Extensible LAN (VXLAN) packets are received on UDP port 4789.
Note: For Amazon Web Services (AWS) deployments with one interface, you must select
Management Port + RPCAP/ERSPAN/VXLAN Target for Interface 1. If you are
configuring two interfaces, you must select Management Port + RPCAP/ERSPAN/
VXLAN Target for Interface 1 and Management Port + RPCAP/ERSPAN/VXLAN Target
for Interface 2.
4. (Optional) Select an interface speed. Auto-negotiate is selected by default, however, you should
manually select a speed if it is supported on your appliance, network transceiver, and network switch.
•Auto-negotiate
•10 Gbps
•25 Gbps
ExtraHop 8.8 ExtraHop Trace Admin UI Guide 14
•40 Gbps
•100 Gbps
Important: When you change the interface speed to Auto-negotiate, you might need to restart
the appliance before the change takes effect.
5. DHCPv4 is enabled by default. If your network does not support DHCP, you can clear the DHCPv4
checkbox to disable DHCP and then type a static IP address, netmask, and default gateway.
Note: Only one interface should be configured with a default gateway. Configure static routes
if your network requires routing through multiple gateways.
6. (Optional) Enable IPv6.
For more information about configuring IPv6, see Enable IPv6 for an interface.
7. (Optional) Manually add routes.
8. Click Save.
Interface throughput
ExtraHop appliance models EDA 6100, EDA 8100 and EDA 9100 are optimized to capture traffic
exclusively on 10GbE ports.
Enabling the 1GbE interfaces for monitoring traffic can impact performance, depending on the ExtraHop
appliance. While you can optimize these appliances to capture traffic simultaneously on both the 10GbE
ports and the three non-management 1GbE ports, we recommend that you contact ExtraHop Support for
assistance to avoid reduced throughput.
Note: EDA 4200, EDA 6200, EDA 8200, EDA 9200, and EDA 10200 appliances are not
susceptible to reduced throughput if you enable 1GbE interfaces for monitoring traffic.
ExtraHop Appliance Throughput Details
EDA 9100 Standard 40Gbps throughput If the non-management 1GbE
interfaces are disabled, you can
use up to four of the 10GbE
interfaces for a combined
throughput of up to 40Gbps.
EDA 8100 Standard 20Gbps throughput If the non-management 1GbE
interfaces are disabled, you can
use either one or both of the
10GbE interfaces for a combined
throughput of up to 20Gbps.
EDA 6100 Standard 10Gbps throughput If the non-management 1GbE
interfaces are disabled, the
maximum total combined
throughput is 10Gbps.
EDA 3100 Standard 3Gbps throughput No 10GbE interface
EDA 1100 Standard 1Gbps throughput No 10GbE interface
Set a static route
Before you begin
You must disable DHCPv4 before you can add a static route.
1. On the Edit Interface page, ensure that the IPv4 Address and Netmask fields are complete and saved,
and click Edit Routes.
2. In the Add Route section, type a network address range in CIDR notation in the Network field and IPv4
address in the Via IP field and then click Add.
ExtraHop 8.8 ExtraHop Trace Admin UI Guide 15
3. Repeat the previous step for each route you want to add.
4. Click Save.
Enable IPv6 for an interface
1. In the Network Settings section, click Connectivity.
2. In the Interfaces section, click the name of the interface you want to configure.
3. On the Network Settings for Interface <interface number> page, select Enable IPv6.
IPv6 configuration options appear below Enable IPv6.
4. (Optional) Configure IPv6 addresses for the interface.
• To automatically assign IPv6 addresses through DHCPv6, select Enable DHCPv6.
Note: If enabled, DHCPv6 will be used to configure DNS settings.
• To automatically assign IPv6 addresses through stateless address autoconfiguration, select one of
the following options from the Stateless Address Autoconfiguration list:
Use MAC address
Configures the appliance to automatically assign IPv6 addresses based on the MAC address
of the appliance.
Use stable private address
Configures the appliance to automatically assign private IPv6 addresses that are not based
on hardware addresses. This method is described in RFC 7217.
• To manually assign one or more static IPv6 addresses, type the addresses in the Static IPv6
Addresses field.
5. To enable the appliance to configure Recursive DNS Server (RDNSS) and DNS Search List (DNSSL)
information according to router advertisements, select RDNSS/DNSSL.
6. Click Save.
Global proxy server
If your network topology requires a proxy server to enable your ExtraHop system to communicate either
with a Command appliance or with other devices outside of the local network, you can enable your
ExtraHop system to connect to a proxy server you already have on your network. Internet connectivity is
not required for the global proxy server.
Note: Only one global proxy server can be configured per ExtraHop system.
Complete the following fields and click Save to enable a global proxy.
• Hostname: The hostname or IP address for your global proxy server.
• Port: The port number for your global proxy server.
• Username: The name of a user that has privileged access to your global proxy server.
• Password: The password for the user specified above.
ExtraHop Cloud proxy
If your ExtraHop system does not have a direct internet connection, you can connect to the internet
through a proxy server specifically designated for ExtraHop Cloud services connectivity. Only one proxy
can be configured per system.
Note: If no cloud proxy server is enabled, the ExtraHop system will attempt to connect through
the global proxy. If no global proxy is enabled, the system will connect through an HTTP
proxy to enable the services.
Complete the following fields and click Save to enable a cloud proxy.
• Hostname: The hostname or IP address for your cloud proxy server.
ExtraHop 8.8 ExtraHop Trace Admin UI Guide 16
• Port: The port number for your cloud proxy server.
• Username: The name of a user that has for access to your cloud proxy server.
• Password: The password for the user specified above.
Bond interfaces
You can bond multiple 1 GbE interfaces on your ExtraHop system together into a single logical interface
that has one IP address for the combined bandwidth of the member interfaces. Bonding interfaces enable
a larger throughput with a single IP address. This configuration is also known as link aggregation, port
channeling, link bundling, Ethernet/network/NIC bonding, or NIC teaming. Only 1GbE interfaces are
supported for bond interfaces. Bond interfaces cannot be set to monitoring mode.
Note: When you modify bond interface settings, you lose connectivity to your ExtraHop system.
You must make changes to your network switch configuration to restore connectivity. The
changes required are dependent on your switch. Contact ExtraHop Support for assistance
before you create a bond interface.
• Bonding is only configurable on 1 GbE Management or Management+RPCAP/ERSPAN interfaces.
•Port channeling on traffic monitoring ports is supported on the Discover appliance.
Interfaces chosen as members of a bond interface are no longer independently configurable and are shown
as Disabled (bond member) in the Interfaces section of the Connectivity page. After a bond interface is
created, you cannot add more members or delete existing members. The bond interface must be destroyed
and recreated.
•Create a bond interface
•Modify a bond interface
•Destroy a bond interface
Create a bond interface
You can create a bond interface with at least one interface member and up to the number of members that
are available for bonding.
1. Click Create Bond Interface.
2. Configure the following options:
• Members: Select the checkbox next to each interface you want to include in the bonding. Only ports
that are currently available for bond membership appear.
• Take Settings From: Select the interface that has the settings you want to apply to the bond
interface. Settings for all non-selected interfaces will be lost.
• Bond Type: Specify whether to create a static bond or a dynamic bond through IEEE 802.3ad Link
Aggregation (LACP).
• Hash Policy: Specify the hash policy. The Layer 3+4 policy balances the distribution of traffic more
evenly across interfaces; however, this policy is not fully compliant with 802.3ad standards. The Layer
2+3 policy balances traffic less evenly and is compliant with 802.3ad standards.
3. Click Create.
Refresh the page to display the Bond Interfaces section. Any bond interface member whose settings were
not selected in the Take Settings From drop-down menu are shown as Disabled (bond member) in the
Interfaces section.
Modify bond interface settings
After a bond interface is created, you can modify most settings as if the bond interface is a single interface.
1. In the Network Settings section, click Connectivity.
2. In the Bond Interfaces section, click the bond interface you want to modify.
3. On the Network Settings for Bond Interface <interface number> page, modify the following settings as
needed:
ExtraHop 8.8 ExtraHop Trace Admin UI Guide 17
• Members: The interface members of the bond interface. Members cannot be changed after a bond
interface is created. If you need to change the members, you must destroy and recreate the bond
interface.
• Bond Mode: Specify whether to create a static bond or a dynamic bond through IEEE 802.3ad Link
Aggregation (LACP).
• Interface Mode: The mode of the bond membership. A bond interface can be Management or
Management+RPCAP/ERSPAN Target only.
• Enable DHCPv4: If DHCP is enabled, an IP address for the bond interface is automatically obtained.
• Hash Policy: Specify the hash policy. The Layer 3+4 policy balances the distribution of traffic more
evenly across interfaces; however, it is not fully compliant with 802.3ad standards. The Layer 2+3
policy balances traffic less evenly; however, it is compliant with 802.3ad standards.
• IPv4 Address: The static IP address of the bond interface. This setting is unavailable if DHCP is
enabled.
• Netmask: The network netmask for the bond interface.
• Gateway: The IP address of the network gateway.
• Routes: The static routes for the bond interface. This setting is unavailable if DHCP is enabled.
• Enable IPv6: Enable configuration options for IPv6.
4. Click Save.
Destroy a bond interface
When a bond interface is destroyed, the separate interface members of the bond interface return to
independent interface functionality. One member interface is selected to retain the interface settings for
the bond interface and all other member interfaces are disabled. If no member interface is selected to retain
the settings, the settings are lost and all member interfaces are disabled.
1. In the Network Settings section, click Connectivity.
2. In the Bond Interfaces section, click the red X next to the interface you want to destroy.
3. On the Destroy Bond Interface <interface number> page, select the member interface to move the
bond interface settings to. Only the member interface selected to retain the bond interface settings
remains active, and all other member interfaces are disabled.
4. Click Destroy.
Notifications
The ExtraHop system can send notifications about configured alerts through email, SNMP traps, and syslog
exports to remote servers. If an email notification group is specified, then emails are sent to the groups
assigned to the alert.
Configure email settings for notifications
You must configure an email server and sender before the ExtraHop system can send alert notifications or
scheduled reports.
1. Log in to the Administration settings on the ExtraHop system through https://<extrahop-
hostname-or-IP-address>/admin.
2. In the Network Settings section, click Notifications.
3. Click Email Server and Sender.
4. In the SMTP Server field, type the IP address or hostname for the outgoing SMTP mail server. The
SMTP server should be the fully qualified domain name (FQDN) or IP address of an outgoing mail
server that is accessible from the ExtraHop system. If the DNS server is set, then the SMTP server can
be a FQDN, otherwise you must type an IP address.
ExtraHop 8.8 ExtraHop Trace Admin UI Guide 18
5. In the SMTP Port field, type the port number for SMTP communication. Port 25 is the default value for
SMTP and port 465 is the default value for SSL/TLS encrypted SMTP.
6. Select one of the following encryption methods from the Encryption drop-down list:
•None. SMTP communication is not encrypted.
•SSL/TLS. SMTP communication is encrypted through the Secure Socket Layer/Transport Layer
Security protocol.
•STARTTLS. SMTP communication is encrypted through STARTTLS.
7. In the Alert Sender Address field, type the email address for the notification sender.
Note: The displayed sender address might be changed by the SMTP server. When sending
through a Google SMTP server, for example, the sender email is changed to the
username supplied for authentication, instead of the originally entered sender address.
8. (Optional) Select the Validate SSL Certificates checkbox to enable certificate validation. If you select
this option, the certificate on the remote endpoint is validated against the root certificate chains
specified by the trusted certificates manager. Note that the host name specified in the certificate
presented by the SMTP server must match the hostname specified in your SMTP configuration or
validation will fail. In addition, you must configure which certificates you want to trust on the Trusted
Certificates page. For more information, see Add a trusted certificate to your ExtraHop system
9. In the Report Sender Address field, type the email address responsible for sending the message. This
field is only applicable when sending scheduled reports from a Command appliance or Reveal(x) 360.
10. Select the Enable SMTP authentication checkbox and then type the SMTP server setup credentials in
the Username and Password fields.
11. (Optional) Click Test Settings, type your email address, and then click Send. You should receive an
email message with the subject title ExtraHop Test Email.
12. Click Save.
Next steps
After you confirm that your new settings are working as expected, preserve your configuration changes
through system restart and shutdown events by saving the Running Config file.
Add a new notification email address on an Explore or Trace appliance
You can send system storage alerts to individual recipients. Alerts are sent under the following conditions:
• A physical disk is in a degraded state.
• A physical disk has an increasing error count.
• (Explore appliance only) A virtual disk is in a degraded state.
• (Explore appliance only) A registered Explore node is missing from the cluster. The node might have
failed, or it is powered off.
1. Log in to the Administration settings on the ExtraHop system through https://<extrahop-
hostname-or-IP-address>/admin.
2. In the Network Settings section, click Notifications.
3. Under Notifications, click Email Addresses.
4. In the Email address text box, type the recipient email address.
5. Click Save.
Configure settings to send notifications to an SNMP manager
The state of the network can be monitored through the Simple Network Management Protocol (SNMP).
SNMP collects information by polling devices on the network or SNMP enabled devices send alerts to
SNMP management stations. SNMP communities define the group that devices and management stations
running SNMP belong to, which specifies where information is sent. The community name identifies the
group.
ExtraHop 8.8 ExtraHop Trace Admin UI Guide 19
Note: Most organizations have an established system for collecting and displaying SNMP traps in a
central location that can be monitored by their operations teams. For example, SNMP traps
are sent to an SNMP manager, and the SNMP management console displays them.
1. Log in to the Administration settings on the ExtraHop system through https://<extrahop-
hostname-or-IP-address>/admin.
2. In the Network Settings section, click Notifications.
3. Under Notifications, click SNMP.
4. On the SNMP Settings page, in the SNMP Monitor field, type the hostname for the SNMP trap
receiver. Multiple names can be entered, separated by commas.
5. In the SNMP Community field, enter the SNMP community name.
6. In the SNMP Port field, type the SNMP port number for your network that is used by the SNMP agent
to respond back to the source port on the SNMP manager.
The default response port is 162.
7. Click Test Settings to verify that your SNMP settings are correct. If the settings are correct, you should
see an entry in the SNMP log file on the SNMP server similar to the following:
Connection from UDP: [192.0.2.0]:42164->[ 192.0.2.255]:162
Where 192.0.2.0 is the IP address of your ExtraHop system and 192.0.2.255 is the IP address of
the SNMP server.
8. Click Save.
Download the ExtraHop SNMP MIB
SNMP does not provide a database of information that an SNMP-monitored network reports. SNMP
information is defined by third-party management information bases (MIBs) that describe the structure of
the collected data.
1. Log in to the Administration settings on the ExtraHop system through https://<extrahop-
hostname-or-IP-address>/admin.
2. Go to the Network Settings section and click Notifications.
3. Under Notifications, click SNMP.
4. Under SNMP MIB, click the Download ExtraHop SNMP MIB.
The file is typically saved to the default download location for your browser.
Send system notifications to a remote syslog server
The syslog export option enables you to send alerts from an ExtraHop system to any remote system that
receives syslog input for long-term archiving and correlation with other sources.
Only one remote syslog server can be configured for each ExtraHop system.
1. Log in to the Administration settings on the ExtraHop system through https://<extrahop-
hostname-or-IP-address>/admin.
2. In the Network Settings section, click Notifications.
3. In the Destination field, type the IP address of the remote syslog server.
4. From the Protocol drop-down menu, select TCP or UDP. This option specifies the protocol over which
the information will be sent to your remote syslog server.
5. In the Port field, type the port number for your remote syslog server. By default, this value is set to
514.
6. Click Test Settings to verify that your syslog settings are correct. If the settings are correct, you should
see an entry in the syslog log file on the syslog server similar to the following:
Jul 27 21:54:56 extrahop name="ExtraHop Test" event_id=1
7. Click Save.
ExtraHop 8.8 ExtraHop Trace Admin UI Guide 20
Next steps
After you confirm that your new settings are working as expected, preserve your configuration changes
through system restart and shutdown events by saving the Running Config file.
SSL Certificate
SSL certificates provide secure authentication to the ExtraHop system.
You can designate a self-signed certificate for authentication instead of a certificate signed by a Certificate
Authority. However, be aware that a self-signed certificate generates an error in the client browser, which
reports that the signing certificate authority is unknown. The browser provides a set of confirmation pages
to trust the certificate, even though the certificate is self-signed. Self-signed certificates can also degrade
performance by preventing caching in some browsers. We recommend that you create a certificate-signing
request from your ExtraHop system and upload the signed certificate instead.
Important: When replacing an SSL certificate, the web server service is restarted. Tunneled
connections from Discover appliances to Command appliances are lost but then re-
established automatically.
Upload an SSL certificate
You must upload a .pem file that includes both a private key and either a self-signed certificate or a
certificate-authority certificate.
Note: The .pem file must not be password protected.
Note: You can also automate this task through the REST API .
1. In the Network Settings section, click SSL Certificate.
2. Click Manage certificates to expand the section.
3. Click Choose File and navigate to the certificate that you want to upload.
4. Click Open.
5. Click Upload.
Generate a self-signed certificate
1. In the Network Settings section, click SSL Certificate.
2. Click Manage certificates to expand the section.
3. Click Build SSL self-signed certificate based on hostname.
4. On the Generate Certificate page, click OK to generate the SSL self-signed certificate.
Note: The default hostname is extrahop.
Create a certificate signing request from your ExtraHop system
A certificate signing request (CSR) is a block of encoded text that is given to your Certificate Authority
(CA) when you apply for an SSL certificate. The CSR is generated on the ExtraHop system where the SSL
certificate will be installed and contains information that will be included in the certificate such as the
common name (domain name), organization, locality, and country. The CSR also contains the public key
that will be included in the certificate. The CSR is created with the private key from the ExtraHop system,
making a key pair.
1. Log in to the Administration settings on the ExtraHop system through https://<extrahop-
hostname-or-IP-address>/admin.
2. In the Network Settings section, click SSL Certificate.
3. Click Manage certificates and then click Export a Certificate Signing Request (CSR).
Table of contents
Other ExtraHop Network Hardware manuals
ExtraHop
ExtraHop Discover EH3000 User manual
ExtraHop
ExtraHop EDA 10200 User manual
ExtraHop
ExtraHop EDA 6200 User manual
ExtraHop
ExtraHop Discover 8200 User manual
ExtraHop
ExtraHop Trace 6150 User manual
ExtraHop
ExtraHop Discover 1200 User manual
ExtraHop
ExtraHop EDA1100 User manual
ExtraHop
ExtraHop 72 TB ESU User manual
ExtraHop
ExtraHop EDA 6200 User manual
ExtraHop
ExtraHop EDA 1200 User manual
