Passive Collectors

Passive collectors are triggered by network events or timer events rather than by probing the endpoint. For example, a DHCP packet received from the network triggers the DHCP collector to profile the device that sent it.

User Agent Collector

Some devices, such as mobile phones, cannot be profiled precisely from DHCP fingerprints alone. For example, an iPhone 6s is profiled only as an iOS device, and a Samsung Android 5.1 phone only as Generic Android. The HTTP User-Agent header carries more granular information about the operating system and OS version, which allows these devices to be profiled with more precision. The Profiler classifies devices using User-Agent data captured from the device's HTTP traffic. Note that the header is client-supplied, so it can be spoofed, and it is visible only in cleartext HTTP; a TLS-encrypted request does not expose it.
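As an added example (not part of the Ivanti documentation or product code), the following Python shows how a User-Agent header refines a coarse DHCP-based class into an OS family, version and model, and how a contradiction between the two sources can be flagged instead of silently trusting the newer claim. The pairs of DHCP class and User-Agent string are constructed for the example; the parsing rules are illustrative and cover only a few OS families.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records: the coarse class a DHCP fingerprint would give, paired
# with a User-Agent string captured from the same endpoint's cleartext HTTP traffic.
SAMPLES = [
    ("iOS device",
     "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_2 like Mac OS X) AppleWebKit/601.1.46 "
     "(KHTML, like Gecko) Version/9.0 Mobile/13F69 Safari/601.1"),
    ("Generic Android",
     "Mozilla/5.0 (Linux; Android 5.1; SM-G920F Build/LMY47X) AppleWebKit/537.36 "
     "(KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36"),
    ("Windows",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
     "(KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"),
    ("Generic Android", "curl/7.64.1"),          # no OS details: the DHCP result stands
    ("iOS device",
     "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"),  # contradicts DHCP
]

_WINDOWS_NAMES = {"10.0": "10", "6.3": "8.1", "6.2": "8", "6.1": "7"}

# (pattern, extractor) rules; each extractor returns (os_family, os_version, model).
_UA_RULES = [
    (re.compile(r"\((iPhone|iPad|iPod)[^;)]*; CPU (?:iPhone )?OS (\d+(?:_\d+)*)"),
     lambda m: ("iOS", m.group(2).replace("_", "."), m.group(1))),
    (re.compile(r"Android (\d+(?:\.\d+)*)(?:; ([^;)]*?))?(?: Build/|\))"),
     lambda m: ("Android", m.group(1), m.group(2))),
    (re.compile(r"Windows NT (\d+\.\d+)"),
     lambda m: ("Windows", _WINDOWS_NAMES.get(m.group(1), "NT " + m.group(1)), None)),
    (re.compile(r"Mac OS X (\d+[._]\d+(?:[._]\d+)?)\)"),
     lambda m: ("macOS", m.group(1).replace("_", "."), None)),
]

# Map the coarse DHCP class back to an OS family so the two sources can be compared.
_DHCP_FAMILY = {"ios": "iOS", "android": "Android", "windows": "Windows", "mac": "macOS"}


def _dhcp_family(dhcp_class: str) -> Optional[str]:
    low = dhcp_class.lower()
    for key, family in _DHCP_FAMILY.items():
        if key in low:
            return family
    return None


@dataclass
class Classification:
    os_family: str
    os_version: Optional[str]
    model: Optional[str]
    source: str             # "user-agent" if the header refined the result, else "dhcp"
    conflict: bool = False  # header claims a different OS family than DHCP did


def classify(dhcp_class: str, user_agent: str) -> Classification:
    """Refine a DHCP-derived class with the OS/version details a User-Agent exposes."""
    for pattern, extract in _UA_RULES:
        m = pattern.search(user_agent)
        if m:
            family, version, model = extract(m)
            expected = _dhcp_family(dhcp_class)
            # The header is client-supplied: a mismatch with the DHCP fingerprint is
            # worth flagging rather than overwriting the earlier result.
            return Classification(family, version, model, "user-agent",
                                  conflict=expected is not None and expected != family)
    # No OS details in the header (for example a bare library UA): keep the DHCP class.
    return Classification(dhcp_class, None, None, "dhcp")


def profile_all(samples=SAMPLES) -> list:
    return [classify(dhcp, ua) for dhcp, ua in samples]
```

The iPhone record goes from "iOS device" to iOS 9.3.2 on an iPhone and the Samsung record from "Generic Android" to Android 5.1 on an SM-G920F, while the last record, where the header claims Windows 7 on a device DHCP saw as iOS, is returned with the conflict flag set.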

DHCP collector

The Profiler uses DHCP fingerprinting to classify endpoints such as laptops and desktops that obtain their IP address over DHCP. One or more switches or WLAN controllers must be configured to forward (relay) all DHCP packets for each VLAN to the internal interface of the Ivanti Policy Secure appliance. This enables the on-box Profiler to profile endpoints by parsing the DHCP packets that arrive at the appliance.

In some environments, it is easier to forward DHCP traffic to the Profiler using a SPAN/RSPAN (port mirroring) configuration.
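Added example, not the product's code: a parser for the DHCP options that fingerprinting relies on (option 55 parameter request list, option 60 vendor class, option 12 host name, option 61 client identifier), run over a DHCPDISCOVER constructed inline by build_discover. The FINGERPRINTS table is illustrative and not a real fingerprint database. The check that option 61 agrees with the BOOTP chaddr is an added sanity check, since every field a DHCP fingerprint uses is chosen by the client.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_PRL, OPT_VENDOR_CLASS, OPT_CLIENT_ID = 12, 53, 55, 60, 61

# Illustrative fingerprint table keyed by the option-55 parameter request list.
# Constructed for this example; a real deployment uses a maintained fingerprint database.
FINGERPRINTS = {
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "Windows",
    "1,121,3,6,15,119,252": "Apple iOS / macOS",
    "1,3,6,15,26,28,51,58,59,43": "Generic Android",
}


def build_discover(mac: bytes, hostname: bytes, vendor_class: bytes, prl: bytes,
                   client_id_mac: bytes = None) -> bytes:
    """Construct a minimal DHCPDISCOVER (236-byte BOOTP header + options)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0,               # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
                         0x3903F326, 0, 0x8000,    # xid, secs, flags (broadcast bit)
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr..giaddr
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    cid = client_id_mac if client_id_mac is not None else mac
    options = (MAGIC_COOKIE
               + bytes([OPT_MSG_TYPE, 1, 1])                    # DHCPDISCOVER
               + bytes([OPT_CLIENT_ID, 7, 1]) + cid             # hardware type 1 = Ethernet
               + bytes([OPT_HOSTNAME, len(hostname)]) + hostname
               + bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
               + bytes([OPT_PRL, len(prl)]) + prl
               + b"\xff")                                        # END
    return header + options


def parse_options(packet: bytes) -> dict:
    """Return {option_code: value}; skips PAD, stops at END, rejects truncated options."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # PAD
            i += 1
            continue
        if code == 255:          # END
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value   # RFC 3396: repeated options concatenate
        i += 2 + length
    return opts


def chaddr(packet: bytes) -> str:
    """Client hardware address from the BOOTP header (offset 28, hlen bytes)."""
    return ":".join("%02x" % b for b in packet[28:28 + packet[2]])


def profile(packet: bytes) -> dict:
    opts = parse_options(packet)
    prl = ",".join(str(b) for b in opts.get(OPT_PRL, b""))
    return {
        "mac": chaddr(packet),
        "hostname": opts.get(OPT_HOSTNAME, b"").decode("ascii", "replace"),
        "vendor_class": opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace"),
        "fingerprint": prl,
        "os": FINGERPRINTS.get(prl, "Unknown"),
        # Sanity check: option 61 should carry the same MAC as the BOOTP chaddr.
        "client_id_matches": opts.get(OPT_CLIENT_ID, b"")[1:] == packet[28:28 + packet[2]],
    }


# Constructed sample: a Windows-style DHCPDISCOVER from a made-up MAC address.
SAMPLE_MAC = bytes.fromhex("001b21a45c7e")
SAMPLE = build_discover(SAMPLE_MAC, b"LAPTOP-01", b"MSFT 5.0",
                        bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]))
```

The parser concatenates repeated option codes as RFC 3396 requires and refuses a packet whose last option runs past the end of the buffer, which is the failure mode a collector fed from a relay or mirror port has to tolerate without crashing.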

Network Infrastructure Device Collector

While DHCP fingerprinting is useful for endpoints with a DHCP-assigned IP address, it cannot detect devices that use static IP addresses. The Profiler detects statically addressed endpoints by fetching the ARP and MAC (CAM) tables from Network Infrastructure Devices using SNMP or SSH.

The ARP and MAC tables are fetched from each Network Infrastructure Device periodically. The poll interval can be configured by the administrator.

CDP and LLDP data is also collected from any device that sends CDP or LLDP announcements. CDP and LLDP provide more accurate OS version, model, and category information. These discovery protocols are enabled by default on most network infrastructure devices. Because they are unauthenticated link-layer announcements, the values they carry are asserted by the sending device and should be treated as a hint rather than as verified identity.

Network Infrastructure Device Collector -- SNMP

Network Infrastructure Devices that support the standard SNMP MIBs are queried over SNMP for the list of endpoints connected to them. The list of managed and unmanaged devices is obtained by querying the MAC (bridge forwarding) table and the ARP table.
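Added example (not product code) of the join this collector performs: ARP entries (IP to MAC, IP-MIB ipNetToMediaPhysAddress) and bridge forwarding entries (MAC to port, BRIDGE-MIB dot1dTpFdbPort, resolved to an ifIndex through dot1dBasePortIfIndex) are merged into one endpoint table, and endpoints the DHCP collector never saw are reported as static-address candidates, which is the case the previous section describes. The walk output is constructed in net-snmp numeric-OID style (snmpwalk -On); the addresses are made up.

```python
import re

# Standard MIB objects (RFC 1213 IP-MIB / RFC 1493 BRIDGE-MIB) walked by the collector.
ARP_PHYS   = "1.3.6.1.2.1.4.22.1.2."    # ipNetToMediaPhysAddress.<ifIndex>.<a>.<b>.<c>.<d>
FDB_PORT   = "1.3.6.1.2.1.17.4.3.1.2."  # dot1dTpFdbPort.<mac as 6 decimal octets>
PORT_IFIDX = "1.3.6.1.2.1.17.1.4.1.2."  # dot1dBasePortIfIndex.<bridgePort>

# Constructed walk output; one laptop, one printer, and the gateway's own ARP entry.
WALK = """\
.1.3.6.1.2.1.4.22.1.2.3.10.1.20.55 = Hex-STRING: 00 1B 21 A4 5C 7E
.1.3.6.1.2.1.4.22.1.2.3.10.1.20.9 = Hex-STRING: 00 80 77 11 22 33
.1.3.6.1.2.1.4.22.1.2.3.10.1.20.1 = Hex-STRING: 00 00 0C 9F F0 01
.1.3.6.1.2.1.17.4.3.1.2.0.27.33.164.92.126 = INTEGER: 5
.1.3.6.1.2.1.17.4.3.1.2.0.128.119.17.34.51 = INTEGER: 7
.1.3.6.1.2.1.17.1.4.1.2.5 = INTEGER: 10005
.1.3.6.1.2.1.17.1.4.1.2.7 = INTEGER: 10007
"""

_LINE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*(?P<type>[\w-]+):\s*(?P<value>.*)$")


def parse_walk(text: str):
    """Yield (oid, type, value) per line, skipping lines that are not varbinds."""
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            yield m.group("oid"), m.group("type"), m.group("value")


def _mac_from_hex(value: str) -> str:
    octets = value.split()
    if len(octets) != 6:
        raise ValueError("unexpected MAC encoding: %r" % value)
    return ":".join(o.lower() for o in octets)


def _mac_from_index(index: str) -> str:
    parts = index.split(".")
    if len(parts) != 6:
        raise ValueError("unexpected FDB index: %r" % index)
    return ":".join("%02x" % int(p) for p in parts)


def build_endpoint_table(text: str) -> dict:
    """Join ARP (IP->MAC), FDB (MAC->bridge port) and port->ifIndex into one table."""
    arp, fdb, port_if = {}, {}, {}
    for oid, typ, value in parse_walk(text):
        if oid.startswith(ARP_PHYS) and typ == "Hex-STRING":
            index = oid[len(ARP_PHYS):]             # "<ifIndex>.<a>.<b>.<c>.<d>"
            arp[_mac_from_hex(value)] = ".".join(index.split(".")[1:])
        elif oid.startswith(FDB_PORT) and typ == "INTEGER":
            fdb[_mac_from_index(oid[len(FDB_PORT):])] = int(value)
        elif oid.startswith(PORT_IFIDX) and typ == "INTEGER":
            port_if[int(oid[len(PORT_IFIDX):])] = int(value)
    table = {}
    for mac in arp.keys() | fdb.keys():
        port = fdb.get(mac)
        table[mac] = {"ip": arp.get(mac), "bridge_port": port,
                      "ifindex": port_if.get(port) if port is not None else None}
    return table


def static_candidates(table: dict, dhcp_seen: set) -> set:
    """MACs that hold an IP in ARP but were never seen by the DHCP collector."""
    return {mac for mac, entry in table.items() if entry["ip"] and mac not in dhcp_seen}
```

On Cisco switches the BRIDGE-MIB is instanced per VLAN and is walked with community string indexing (community@vlan). SNMPv1/v2c community strings travel in cleartext, so where the device supports it use SNMPv3 with authentication and privacy, and give the Profiler a read-only view restricted to these tables.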

Network Infrastructure Device Collector -- SSH

For Network Infrastructure Devices that do not support the standard SNMP MIBs, the Profiler opens an SSH session to the device and reads the ARP and CAM tables from its command-line interface.

In this release, this feature is supported only for Palo Alto Networks devices.

SNMP Trap

Profiler supports SNMP trap based discovery, which accurately detects when an endpoint connects to or disconnects from a switch by receiving the switch's linkDown, linkUp and MAC change notification traps. This is particularly useful for detecting endpoints that are connected to a switch only briefly, between two consecutive Profiler polls of the Network Infrastructure Device. The switch must be configured to send these traps to the Profiler.
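Added example (not product code) of how a trap receiver turns the three trap types above into profiler events, assuming the SNMP PDU has already been BER-decoded into (OID, value) pairs. The linkUp/linkDown trap OIDs and the ifIndex varbind are standard (SNMPv2-MIB, IF-MIB). The MAC change notification is vendor-specific: the Cisco CISCO-MAC-NOTIFICATION-MIB OIDs and the 11-byte record layout of cmnHistMacChangedMsg used here are an assumption to verify against your switch's MIB. The trap varbinds themselves are constructed.

```python
import struct

SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"   # snmpTrapOID.0, names the trap type
LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"         # linkDown (SNMPv2-MIB)
LINK_UP = "1.3.6.1.6.3.1.1.5.4"           # linkUp
IF_INDEX = "1.3.6.1.2.1.2.2.1.1."         # ifIndex.<n>, carried by link traps
# Cisco CISCO-MAC-NOTIFICATION-MIB. Assumption for this example: cmnHistMacChangedMsg is a
# sequence of 11-byte records op(1: 1=learned, 2=removed) | vlan(2) | mac(6) | dot1dBasePort(2).
CMN_MAC_CHANGED = "1.3.6.1.4.1.9.9.215.2.0.1"
CMN_HIST_MSG = "1.3.6.1.4.1.9.9.215.1.1.8.1.2."


def _mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def decode_mac_changed_msg(data: bytes) -> list:
    """Decode the packed MAC-change records (layout is the assumption noted above)."""
    if len(data) % 11:
        raise ValueError("malformed cmnHistMacChangedMsg length %d" % len(data))
    events = []
    for off in range(0, len(data), 11):
        op, vlan, mac, port = struct.unpack_from("!BH6sH", data, off)
        events.append({"event": {1: "mac_learned", 2: "mac_removed"}.get(op, "op_%d" % op),
                       "vlan": vlan, "mac": _mac(mac), "bridge_port": port})
    return events


def handle_trap(varbinds: list) -> list:
    """Translate one decoded SNMPv2c trap (list of (oid, value)) into profiler events."""
    trap = dict(varbinds).get(SNMP_TRAP_OID)
    if trap in (LINK_DOWN, LINK_UP):
        ifindex = next((int(v) for oid, v in varbinds if oid.startswith(IF_INDEX)), None)
        if ifindex is None:
            raise ValueError("link trap without ifIndex varbind")
        # A link trap names the port, not the endpoint: poll that port's MAC table now
        # instead of waiting for the next full poll interval.
        return [{"event": "link_down" if trap == LINK_DOWN else "link_up",
                 "ifindex": ifindex, "action": "poll_interface"}]
    if trap == CMN_MAC_CHANGED:
        events = []
        for oid, value in varbinds:
            if oid.startswith(CMN_HIST_MSG):
                events.extend(decode_mac_changed_msg(value))
        return events
    return [{"event": "ignored", "trap": trap}]


# Constructed traps as the receiver would hand them over after BER decoding:
# sysUpTime.0, snmpTrapOID.0, then the trap's own varbinds (ifIndex, ifAdminStatus,
# ifOperStatus for the link trap; the packed change message for the Cisco trap).
LINK_DOWN_TRAP = [("1.3.6.1.2.1.1.3.0", 4711), (SNMP_TRAP_OID, LINK_DOWN),
                  (IF_INDEX + "10005", 10005), ("1.3.6.1.2.1.2.2.1.7.10005", 1),
                  ("1.3.6.1.2.1.2.2.1.8.10005", 2)]
MAC_CHANGE_TRAP = [("1.3.6.1.2.1.1.3.0", 4720), (SNMP_TRAP_OID, CMN_MAC_CHANGED),
                   (CMN_HIST_MSG + "1",
                    b"\x01\x00\x14" + bytes.fromhex("001b21a45c7e") + b"\x00\x05"
                    + b"\x02\x00\x14" + bytes.fromhex("008077112233") + b"\x00\x07")]
```

SNMPv1/v2c traps are unauthenticated UDP datagrams. Restrict the receiver to the switches' management addresses, or use SNMPv3 traps or informs, so that a forged trap cannot make the Profiler record an endpoint as connected or disconnected.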

SMB Collector

Profiler passively parses Server Message Block (SMB) packets to obtain the operating system and host name of endpoints. SMB lets computers on the same network or domain access files on other computers as easily as a local hard drive, and also lets them share printers and serial ports. The host name obtained from SMB is used by the LDAP collector to look up the endpoint's information in the LDAP server.
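Added example (not product code) showing where the host name and OS version in SMB traffic come from: the NTLMSSP AUTHENTICATE message that a client sends inside the SMB2 SESSION_SETUP security buffer, whose Workstation field and Version field (MS-NLMP) carry the NetBIOS name and the Windows major/minor/build. The message here is constructed by build_authenticate with empty challenge responses; locating it by searching a larger buffer for the NTLMSSP signature stands in for the SMB2/SPNEGO parsing a real collector does. Decoding OEM-charset strings as ASCII is an assumption.

```python
import struct

NTLMSSP = b"NTLMSSP\0"
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_VERSION = 0x02000000
HEADER_LEN = 88   # AUTHENTICATE_MESSAGE fixed part, including the 16-byte MIC (MS-NLMP)


def _field(length: int, offset: int) -> bytes:
    """Len / MaxLen / BufferOffset triple used by every variable-length field."""
    return struct.pack("<HHI", length, length, offset)


def build_authenticate(domain: str, user: str, workstation: str,
                       version=(10, 0, 19045), with_version=True) -> bytes:
    """Construct an NTLM AUTHENTICATE message with empty responses (enough for parsing)."""
    strings = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    payload = b""
    fields = _field(0, HEADER_LEN) + _field(0, HEADER_LEN)        # LM and NT responses
    for s in strings:                                             # Domain, User, Workstation
        fields += _field(len(s), HEADER_LEN + len(payload))
        payload += s
    fields += _field(0, HEADER_LEN + len(payload))                # EncryptedRandomSessionKey
    flags = NEGOTIATE_UNICODE | (NEGOTIATE_VERSION if with_version else 0)
    ver = struct.pack("<BBH3xB", version[0], version[1], version[2], 0x0F) if with_version else bytes(8)
    return NTLMSSP + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + ver + bytes(16) + payload


def find_ntlmssp(blob: bytes, message_type: int = 3) -> bytes:
    """Locate an NTLMSSP message of the given type inside a larger (SMB2/SPNEGO) buffer."""
    pos = 0
    while (pos := blob.find(NTLMSSP, pos)) != -1:
        if len(blob) >= pos + 12 and struct.unpack_from("<I", blob, pos + 8)[0] == message_type:
            return blob[pos:]
        pos += 1
    raise ValueError("no NTLMSSP type %d message found" % message_type)


def windows_name(major: int, minor: int, build: int) -> str:
    if (major, minor) == (10, 0):
        return "Windows 11" if build >= 22000 else "Windows 10"
    return {(6, 3): "Windows 8.1", (6, 2): "Windows 8", (6, 1): "Windows 7"}.get(
        (major, minor), "Windows %d.%d" % (major, minor))


def parse_authenticate(msg: bytes) -> dict:
    if msg[:8] != NTLMSSP or len(msg) < HEADER_LEN or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE message")
    fields = [struct.unpack_from("<HHI", msg, 12 + 8 * i) for i in range(6)]
    flags = struct.unpack_from("<I", msg, 60)[0]
    major, minor, build = struct.unpack_from("<BBH", msg, 64)

    def text(i: int) -> str:
        length, _, offset = fields[i]
        raw = msg[offset:offset + length]
        if len(raw) != length:
            raise ValueError("string field %d runs past the end of the message" % i)
        # OEM (non-Unicode) strings decoded as ASCII: an assumption for this example.
        return raw.decode("utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii", "replace")

    info = {"domain": text(2), "user": text(3), "workstation": text(4), "os": None, "build": None}
    if flags & NEGOTIATE_VERSION:    # Version is meaningful only when the client set the flag
        info["os"], info["build"] = windows_name(major, minor, build), build
    return info


# Constructed capture: a few bytes of SPNEGO-style framing around the NTLM message.
SAMPLE_BLOB = (b"\x60\x48\x06\x06" + bytes(12)
               + build_authenticate("CORP", "alice", "WS-ALICE-01") + b"\0\0")
```

Both fields are asserted by the client, and the Version field is present only when the client negotiated NTLMSSP_NEGOTIATE_VERSION. A Kerberos session setup carries no NTLM message at all, so domain-joined hosts that authenticate with Kerberos yield no OS version from this path.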

The SMB collector runs only on the external interface. It needs an external interface dedicated to port mirroring and directly connected to the switch's mirror destination port. Because switches do not accept ingress packets on a mirror destination port, the internal or management interface is used for regular traffic.

In some environments, it is easier to forward traffic to the Profiler using a SPAN/RSPAN (port mirroring) configuration.

TCP Collector

Profiler uses TCP SYN and SYN-ACK packets to profile devices. A device is discovered as soon as it transmits a TCP SYN or SYN-ACK packet, instead of waiting for the next SNMP poll, and the discovery also triggers the active collectors to fetch further information.

The Profiler discovers and classifies endpoints from the unrouted mirror traffic received on the external interface. For routed traffic it only classifies endpoints already discovered by other collectors, because a routed packet carries the source MAC address of the router rather than of the endpoint. TCP does not require a port to be kept open permanently; endpoints open and close TCP connections as needed. The TCP/IP header fields of these packets identify various configuration attributes of a networked device along with the endpoint's OS.
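Added example (not product code) of passive TCP SYN fingerprinting in the style of tools such as p0f: the IPv4 TTL, TCP window, MSS, window scale and the order of the TCP options in a SYN or SYN-ACK are combined into a signature and looked up. The two packets are built inline by build_syn and the SIGNATURES table is illustrative, not a real database; checksums are left zero and not verified. The option parser rejects malformed option lengths instead of reading past the header.

```python
import ipaddress
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10

# Illustrative signatures, initial_ttl:window:mss:wscale:option-layout. Constructed here.
SIGNATURES = {
    "128:65535:1460:8:mss,nop,ws,nop,nop,sok": "Windows",
    "64:64240:1460:7:mss,sok,ts,nop,ws": "Linux",
}


def build_syn(src: str, dst: str, ttl: int, window: int, options: bytes,
              flags: int = TCP_SYN, sport: int = 51234, dport: int = 443) -> bytes:
    """Construct an IPv4+TCP packet (checksums left zero; the parser does not verify them)."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, doff << 4, flags, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, ttl, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


def parse_tcp_options(raw: bytes):
    """Return (layout, values) for the option block; malformed lengths raise ValueError."""
    names = {2: "mss", 3: "ws", 4: "sok", 8: "ts"}
    layout, values, i = [], {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP has no length byte
            layout.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option kind %d" % kind)
        length = raw[i + 1]
        data = raw[i + 2:i + length]
        layout.append(names.get(kind, "opt%d" % kind))
        if kind == 2 and length == 4:
            values["mss"] = struct.unpack("!H", data)[0]
        elif kind == 3 and length == 3:
            values["wscale"] = data[0]
        i += length
    return layout, values


def fingerprint(packet: bytes) -> dict:
    ver_ihl, _, _, _, _, ttl, proto, _, src, _ = struct.unpack_from("!BBHHHBBH4s4s", packet, 0)
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    _, _, _, _, doff_res, flags, window, _, _ = struct.unpack_from("!HHIIBBHHH", packet, ihl)
    doff = (doff_res >> 4) * 4
    if doff < 20 or ihl + doff > len(packet):
        raise ValueError("bad TCP data offset")
    if not flags & TCP_SYN:
        raise ValueError("only SYN and SYN-ACK packets are fingerprinted")
    layout, values = parse_tcp_options(packet[ihl + 20:ihl + doff])
    # Observed TTL = initial TTL minus hops; round up to the nearest common initial value.
    initial_ttl = next(t for t in (32, 64, 128, 255) if t >= ttl)
    sig = "%d:%d:%s:%s:%s" % (initial_ttl, window, values.get("mss", "*"),
                              values.get("wscale", "*"), ",".join(layout))
    return {"src": str(ipaddress.IPv4Address(src)),
            "direction": "syn-ack" if flags & TCP_ACK else "syn",
            "ttl": ttl, "hops": initial_ttl - ttl, "signature": sig,
            "os": SIGNATURES.get(sig, "Unknown")}


# Constructed packets: a Windows-style SYN from the local segment (TTL 128) and a
# Linux-style SYN that has crossed three routers (TTL 61).
WINDOWS_OPTS = bytes.fromhex("020405b4" "01030308" "01010402")
LINUX_OPTS = bytes.fromhex("020405b4" "0402080a" "0001e240" "00000000" "01030307")
WINDOWS_SYN = build_syn("10.1.20.55", "10.1.30.8", 128, 65535, WINDOWS_OPTS)
LINUX_SYN = build_syn("10.2.5.17", "10.1.30.8", 61, 64240, LINUX_OPTS)
```

The TTL rounding shows why routed traffic is treated differently above: the observed TTL still yields the initial value, but the Ethernet source address of a routed frame is the router's, so the fingerprint can only be attached to an endpoint that another collector has already tied to that IP address.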

The TCP collector runs only on the external interface. It needs an external interface dedicated to port mirroring and directly connected to the switch's mirror destination port. Because switches do not accept ingress packets on a mirror destination port, the internal or management interface is used for regular traffic.

In some environments, it is easier to forward traffic to the Profiler using a SPAN/RSPAN (port mirroring) configuration.