Agent Sensor

The Agent Sensor plug-in performs basic node detection on network segments without network sensors.

The agent sensor receives information contained in packets such as DHCP, NetBIOS, UPnP, and mDNS that occur periodically on the network, but does not perform active scanning or enforcement. It is ideally used for monitoring only, and for installation in networks where full sensor deployment may be inconvenient.

Because the agent sensor only receives these periodic packets on the node, it can gather information without affecting the node. Information gathering using nmap, SNMP, etc. is performed by the physical sensor equipment that has agent sensors registered.

  • Monitor nodes in network segments where network sensors are difficult to install
  • Monitor nodes in network segments where only node monitoring is wanted, without network control

Technical Details:

  • This plug-in does not require a separate setup.
  • No enforcement actions are conducted by this plugin.
  • The agent-based sensor plugin communicates directly to the Policy Server but is not registered as a full Network Sensor.
  • The agent-based sensor can be operated regardless of Windows login (it runs as a service).
  • Agent plugin functions:
    • New Node Registration: Registers nodes based on received traffic.
    • Subnet Scanner: Detects new nodes based on the result of ARP Request transmission for the entire subnet (C class) every 6 hours.
    • Node Health Check: Updates the node link status by sending a ping once every 10 seconds and checking the ARP table in Windows.
      • If a node is not identified in the ARP table for 3 minutes, it is shown as having a link status of Down.
      • If a node is not identified in the ARP table for 2 minutes, a ping is sent every 10 seconds.
    • The plugin will listen on port 3771 to see if a full Network Sensor is deployed in the network.
      • If a full Network Sensor is detected, the agent-based sensor will go into standby.
      • When multiple Windows sensors are operating in the same band, transmission is performed to distinguish them.
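
The Node Health Check timing above, replayed over a constructed timeline so the delay before a node is shown as Down is visible. This is an added example, not the plug-in's code; the function names, the "Up" and "Probing" labels, the inclusive thresholds and the continued pinging of a Down node are assumptions of the model.

```python
import bisect

# Thresholds taken from the bullets above, in seconds.
PROBE_AFTER = 120    # no ARP entry for 2 minutes: pings start
DOWN_AFTER = 180     # no ARP entry for 3 minutes: link status Down
PING_INTERVAL = 10   # one ping every 10 seconds


def status_for(silence):
    """Map seconds since the last ARP-table sighting to a status.

    "Down" is the page's term; "Up" and "Probing" are labels of this model.
    Treating each threshold as inclusive (>=) is an assumption.
    """
    if silence >= DOWN_AFTER:
        return "Down"
    if silence >= PROBE_AFTER:
        return "Probing"
    return "Up"


def replay(arp_seen, until):
    """Replay ARP-table sightings on a 10-second tick.

    Returns (transitions, pings): the (time, status) changes and the number
    of pings sent. Assumption: pings continue while the node is Down.
    """
    arp_seen = sorted(arp_seen)
    transitions, pings, previous = [], 0, None
    for now in range(0, until + 1, PING_INTERVAL):
        idx = bisect.bisect_right(arp_seen, now)
        if idx == 0:
            continue  # node has not been registered yet
        status = status_for(now - arp_seen[idx - 1])
        if status != "Up":
            pings += 1
        if status != previous:
            transitions.append((now, status))
            previous = status
    return transitions, pings


# Constructed sample: node seen at 0, 30 and 60 s, silent, then back at 400 s.
SAMPLE_SIGHTINGS = [0, 30, 60, 400]

if __name__ == "__main__":
    changes, pings = replay(SAMPLE_SIGHTINGS, until=500)
    for when, status in changes:
        print(f"t={when:>3}s  {status}")
    print(f"pings sent: {pings}")
```

In the sample the node is last seen at 60 s but is not shown as Down until 240 s, so alerting built on link status lags a disconnect by up to 3 minutes.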

How to use the Agent Sensor

  1. Set the agent sensor band on a physical network sensor so that the agent sensor can be added as a child of that network sensor.
    • Go to System in the top panel.
    • Select a network sensor from the list of equipment.
    • Go to the Appliance tab and enter the network for the agent sensor in Other Settings Item > Agent Sensor Network.
  2. Assign a sensor node action to the node policy in the band where you want to use the agent sensor.
    • Go to Policy in the top panel.
    • Go to Node Policy in the left Policy panel.
    • Click the Default Policy or another Policy in the Node Policy window.
    • Find Agent Action. Click Assign.
    • Find Agent Sensor in the Available section. Select and drag it into the Selected section.
    • Click Add.
    • Click Update.

Note

When the plug-in is installed and operational on the agent installed on the node, a virtual agent sensor is added to the policy server.