
Skybox

Installation and Administration Guide

10.0.600

Revision: 11
Proprietary and Confidential to Skybox Security. © 2019 Skybox Security,
Inc. All rights reserved.
Due to continued product development, the information contained in this
document may change without notice. The information and intellectual property
contained herein are confidential and remain the exclusive intellectual property of
Skybox Security. If you find any problems in the documentation, please report
them to us in writing. Skybox Security does not warrant that this document is
error-free.
No part of this publication may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means—electronic, mechanical, photocopying,
recording, or otherwise—without the prior written permission of Skybox Security.
Skybox®, Skybox® Security, Skybox Firewall Assurance, Skybox Network
Assurance, Skybox Vulnerability Control, Skybox Threat Manager, Skybox
Change Manager, Skybox Appliance 5500/6000/7000/8000/8050, and the
Skybox Security logo are either registered trademarks or trademarks of Skybox
Security, Inc., in the United States and/or other countries. All other trademarks
are the property of their respective owners.

Contact information
Contact Skybox using the form on our website or by emailing
[email protected]
Customers and partners can contact Skybox technical support via the Skybox
Support portal
Contents
Intended audience .................................................................................... 7
Related documentation .............................................................................. 7
Technical support ..................................................................................... 7

Introduction ........................................................................................... 9
Skybox platform ....................................................................................... 9
Skybox architecture ................................................................................ 11
Platform technology ................................................................................ 13

Part I: Installation .................................................................................. 14

Installing Skybox ................................................................................... 15


Installation overview .......................................................................... 15
Installation environment comparison.................................................... 16
Downloading installation files .............................................................. 17

Skybox Manager installation .................................................................... 18


Installing Skybox Manager .................................................................. 18
Skybox Manager system requirements ................................................. 18

Server installation .................................................................................. 20


Installation instructions for different environments ................................ 20
Installation workflow .......................................................................... 21
Skybox Server system requirements .................................................... 21
Installing the Skybox Server on Windows ............................................. 22
Silent installation ............................................................................... 22
Installing the Skybox Server on Linux .................................................. 26
Starting and stopping components via the Windows system tray ............. 27
Skybox Server post-installation steps ................................................... 28
Elasticsearch and Skybox ................................................................... 31

Skybox Collector installation .................................................................... 33


Installation environment ..................................................................... 33
Installing the Collector on Windows...................................................... 33
Installing the Collector on Linux .......................................................... 34
Collector system requirements ............................................................ 34
Connecting Skybox Collectors ............................................................. 35

Installing Additional Skybox Servers ......................................................... 37

Multi-tiered servers for Change Manager ................................................... 38

Skybox version 10.0.600 3



Autonomous collection units .................................................................... 39


Autonomous collection unit hardware requirements ............................... 39
Installing autonomous collection units .................................................. 39
Installing Skybox Manager for autonomous collection ............................. 41
Autonomous collection post-installation steps ........................................ 42
Collecting device data using autonomous collection units ........................ 42
Exporting autonomous collection unit data ............................................ 42

Skybox connectivity requirements ............................................................ 43

Updating Skybox .................................................................................... 44


Updating Skybox ............................................................................... 44
Skybox update file ............................................................................. 45
Downloading the update file ................................................................ 45
Preparing to update ........................................................................... 46
Updating the Server and local components ........................................... 46
Updating remote components.............................................................. 47
Updating multi-tiered servers .............................................................. 48
Major version updates ........................................................................ 48

Migrating the Collector infrastructure ........................................................ 49

Skybox licenses ..................................................................................... 51


Managing licenses.............................................................................. 51
Invalid licenses.................................................................................. 51
Node-count violations......................................................................... 52

Uninstalling Skybox ................................................................................ 53

Product security ..................................................................................... 54


Communication and certificates ........................................................... 54
Mutual authentication between Skybox Servers and Collectors ................ 60
Encryption ........................................................................................ 60
Using FIPS mode ............................................................................... 61
Limiting login attempts ....................................................................... 61
Security check: Last login message...................................................... 61
Customizable login warning messages .................................................. 62
User session timeout .......................................................................... 62

Part II: Administration ............................................................................ 63

User management .................................................................................. 64


User roles ......................................................................................... 64
Managing users and user groups ......................................................... 71
Working with external authentication systems ....................................... 78
Managing users externally using LDAP.................................................. 79
Changing the password for database clients .......................................... 81


Backup and restore ................................................................................ 82


Backup and restore scenarios .............................................................. 82
About the model ................................................................................ 83
Backing up the model......................................................................... 83
Backing up to an external location ....................................................... 85
Loading a model ................................................................................ 85
Restoring the model ........................................................................... 86

Administration via CLI commands ............................................................ 87


Package firewall configurations ............................................................ 87
Launch tasks ..................................................................................... 88
Load the latest Dictionary (deprecated) ................................................ 88
Package log files ................................................................................ 88
Scan log files .................................................................................... 89
Save the model to an XML file ............................................................. 93
Load the model from an XML file ......................................................... 94
Save the model to a SQL file ............................................................... 94
Load the model from a SQL file ........................................................... 95
Restore model settings ....................................................................... 96

Manager Options .................................................................................... 97


Access Analyzer: Manager .................................................................. 97
Messages.......................................................................................... 97
Model Validation Status Settings .......................................................... 98
Proxy Settings (Manager) ................................................................... 98
Regional Settings: Manager ................................................................ 99
Reports Configuration ........................................................................ 99
Risks Configuration ............................................................................ 99
View Settings .................................................................................... 99

Server Options..................................................................................... 101


Access Analyzer: Server ................................................................... 102
Access Compliance .......................................................................... 102
Archiving ........................................................................................ 103
Asset Modification Settings ............................................................... 103
Attack Simulation Configuration ........................................................ 104
Business Attributes .......................................................................... 104
Change Manager Settings ................................................................. 105
Change Tracking Settings ................................................................. 113
Customization ................................................................................. 113
Dictionary Settings .......................................................................... 114
Elasticsearch Export Settings ............................................................ 115
Entity Settings ................................................................................ 115
License ........................................................................................... 116
Proxy Settings (Server) .................................................................... 116
Regional Settings: Server ................................................................. 116
Report Configuration ........................................................................ 117
Rule Usage ..................................................................................... 117
Software Update Settings ................................................................. 118
System .......................................................................................... 118
Backup Settings .............................................................................. 120
Task Settings .................................................................................. 120


Threat Manager ............................................................................... 121


Ticket Configuration ......................................................................... 122
User Settings .................................................................................. 124
Vulnerability Control ........................................................................ 133

Skybox Web Client ............................................................................... 137


Reports in Skybox Web Client ........................................................... 137

Working with IPv6 ................................................................................ 139

Configuring Skybox using the properties files........................................... 141


Server properties file ....................................................................... 141
Collector properties file .................................................................... 141
Skybox Manager properties file ......................................................... 141
Common properties file .................................................................... 141
Port properties file ........................................................................... 142

Dictionary updates ............................................................................... 143


About Vulnerability Dictionary updates ............................................... 143
Updating the Skybox Vulnerability Dictionary ...................................... 144

Skybox logs......................................................................................... 145


Activity log ..................................................................................... 145
Audit log......................................................................................... 145
Event logging .................................................................................. 145
Log files ......................................................................................... 146
Activity and audit log messages......................................................... 152



Preface
Intended audience
The Skybox Installation and Administration Guide includes:

› Comprehensive instructions for installation and migration, including general
  system and installation information and detailed procedures
› Topics of interest to system administrators, including user management,
  product security, and ticket setup and configuration

The intended audience of the Installation and Administration Guide is:

› Personnel responsible for installing and configuring Skybox components
› All Skybox system administrators

Related documentation
The following documentation is available for Skybox:

› Skybox Reference Guide
› Skybox Developer Guide
› Skybox Release Notes

The entire documentation set (in PDF format) is available here
Note: If you are not using the latest version of Skybox, you can find the
documentation for your version at
http://downloads.skyboxsecurity.com/files/Installers/Skybox_View/<your major version>/<your minor version>/Docs
For example,
http://downloads.skyboxsecurity.com/files/Installers/Skybox_View/10.0/10.0.600/Docs

You can access a comprehensive Help file from any location in Skybox Manager
by using the Help menu or by pressing F1.

Technical support
You can contact Skybox using the form on our website or by emailing
[email protected]
Customers and partners can contact Skybox technical support via the Skybox
Support portal
When you open a case, you need:

› Your contact information (telephone number and email address)
› Skybox version and build numbers
› Platform (Windows or Linux)
› Problem description
› Any documentation or relevant logs

You can compress logs before attaching them by using the Pack Logs tool (see
Packing log files for technical support (on page 150)).



Chapter 1

Introduction
This chapter explains the Skybox platform and its basic architecture.

In this chapter
Skybox platform ................................................................... 9
Skybox architecture ............................................................ 11
Platform technology ............................................................ 13

Skybox platform
Skybox® Security arms security professionals with the broadest platform of
solutions for security operations, analytics, and reporting. By integrating with
more than 100 networking and security technologies organizations, the Skybox
Security Suite merges data silos into a dynamic network model of your
organization’s attack surface, giving comprehensive visibility of public, private,
and hybrid IT environments. Skybox provides the context needed for informed
action, combining attack vector analytics and threat-centric vulnerability
intelligence to continuously assess vulnerabilities in your environment and
correlate them with exploits in the wild. This makes the accurate prioritization
and mitigation of imminent threats a systematic process, decreasing the attack
surface and enabling swift response to exposures that truly put your organization
at risk.

Skybox arms security leaders with a comprehensive cybersecurity management
platform to address the security challenges of large, complex networks. The
Skybox Security Suite breaks down data silos to build a dynamic network model
that gives complete visibility of an organization’s attack surface and the context
needed for informed action across physical, multi-cloud, and industrial networks.
We leverage data by integrating with 120 security technologies, using analytics,
automation, and advanced threat intelligence from the Skybox Research Lab to
continuously analyze vulnerabilities in your environment and correlate them with
exploits in the wild. This makes the prioritization and mitigation of imminent
threats an efficient and systematic process, decreasing the attack surface and
enabling swift response to exposures that truly put your organization at risk. Our
award-winning solutions automate as much as 90 percent of manual processes
and are used by the world’s most security-conscious enterprises and government
agencies, including Forbes Global 2000 companies. For additional information
visit the Skybox website

The Skybox Security Suite includes:

› Skybox Vulnerability Control: Powers threat-centric vulnerability management
by correlating intelligence on vulnerabilities in your environment, the
surrounding network and security controls, and exploits in the wild, focusing
remediation on your most critical threats
› Skybox Threat Manager: Consolidates threat intelligence sources and
prioritizes advisories in the context of your attack surface, automatically
analyzing the potential impact of a threat and providing remediation guidance
› Skybox Firewall Assurance: Brings multi-vendor firewall environments into a
single view and continuously monitors policy compliance, optimizes firewall
rule sets and finds attack vectors that others miss
› Skybox Network Assurance: Analyzes hybrid environments end to end across
physical, virtual and cloud – even operational technology – networks,
illuminating complex security zones, access paths and policy compliance
violations
› Skybox Change Manager: Ends risky changes with network-aware planning
and risk assessments, making firewall changes a secure, consistent process
with customizable workflows and automation
› Skybox Horizon: Visualizes an organization’s unique attack surface and
indicators of exposure (IOEs), giving threat-centric insight to critical risks,
visibility across an entire organization or down to a single access rule and
metrics to track risk reduction over time
The products share common services, including modeling, simulation, analytics,
reporting, and automated workflow management.

Skybox architecture
The Skybox platform includes all Skybox products, so there is a single installer
for all products. Your license controls the products that are available.
The platform uses a 3-tiered architecture with data collectors, a centralized
server, and a user interface. Skybox can be scaled to suit the complexity and the
size of any infrastructure.
Skybox includes:

› Skybox Server: Running on a dedicated server, the Skybox Server merges
  all collected data, builds the Skybox model, and maintains an up-to-date
  snapshot of the network environment. The Skybox Server is the central
  coordination point for all data elements in the model, the analytic engine, and
  the report generator.
› Skybox Collector: Deployed in various network segments, Skybox Collectors
  discover network topology and collect configuration data from network
  devices, vulnerability scanners, and network management frameworks.
› Skybox Manager: A Java client application, Skybox Manager is the
  management interface to the Skybox Server. There is a Skybox Manager for
  Skybox Firewall Assurance and Skybox Network Assurance, and a separate
  Skybox Manager for Skybox Vulnerability Control and Skybox Threat
  Manager. Multiple instances of Skybox Manager can run concurrently across
  the network.

  Note: Skybox Web Client, Skybox Horizon, and Skybox Change Manager
  are web-based; they do not require installation of Skybox Manager.

› Skybox Vulnerability Dictionary: A central repository of definitions and
  profiles for Vulnerability Definitions, threats, and network security policies.
  With a dedicated team of security professionals, Skybox continually monitors
  a wide array of security bulletins, alerts, and publications to provide clients
  with timely updates to the dictionaries.
The following figure shows the basic architecture of Skybox.


Platform technology
The following figure shows the relationships between the software components in
Skybox.



Part I: Installation
This part provides comprehensive instructions for installation and migration,
including general system and installation information and detailed procedures.
Chapter 2

Installing Skybox
This chapter provides an overview of Skybox installation.

In this chapter
Installation overview ........................................................... 15
Installation environment comparison ..................................... 16
Downloading installation files ............................................... 17

INSTALLATION OVERVIEW
There are different types of Skybox platform installation, depending on:

› The component or components that you need to install
› Where you are installing—on a Skybox Appliance, in a virtual environment, or
  on a standard computer

Various installation scenarios are described in the following table, with links to
instructions or additional information.

| Component | Where / Why you want to install it | Instructions or additional information |
|---|---|---|
| Skybox Manager only | Your organization is already working with Skybox and you need to work with it also | Skybox Manager installation (on page 18) |
| Skybox Server | For organization or enterprise deployment | Skybox Server installation (on page 20) |
| All components | In trial situations, or as an auditor who must run Skybox on a laptop | Installing the Skybox Server on Windows (on page 22) |
| Skybox Collector only | After the Skybox Server is set up and you need another Skybox Collector for off-loading or for a segmented network | Skybox Collector installation (on page 33) |

Installation environment comparison (on page 16) shows the benefits of each
installation environment.


INSTALLATION ENVIRONMENT COMPARISON


The benefits of each installation environment are listed in the following table.
| Feature | Physical Appliance | Virtual Appliance | Windows Installer | Linux Installer |
|---|---|---|---|---|
| Skybox High Availability (active/passive) | | | | |
| Syslog facility for Rule Usage Analysis and log-based change tracking | | | | |
| SNMP monitoring of physical machine components | | | | |
| SNMP monitoring of Skybox processes and OS components | | | | |
| Secured (hardened) via iptables | | | | |
| Webadmin utility for managing system configuration including network interfaces, DNS, NTP, date/time, system mode, LDAP, RADIUS, SSH, Skybox services, and syslog | | | | |
| Built-in Python and Perl (including packages) for Skybox plug-in connector architecture | | | | |
| Collectors that must reside on a Windows platform: • Microsoft WSUS • Active Directory • Retina 4.9 (higher versions are OK for Linux also) | | | | |
| Linux libraries | | | NA | |
| Collectors that must reside on a Linux platform: • Blue Coat • McAfee Enterprise • A10 Networks • Cisco ACE • Cisco CSS • Citrix NetScaler • F5 BIG-IP • Radware Alteon • Radware AppDirector • HP ProCurve | | | | |
| Skybox facilities for OS update | | | | |

DOWNLOADING INSTALLATION FILES


Access to the installation files is always available at
http://downloads.skyboxsecurity.com/files/Installers/Skybox_View/<major version>/<minor version>/
For example,
http://downloads.skyboxsecurity.com/files/Installers/Skybox_View/10.0/10.0.200/
A text file containing the MD5 checksum is in the same folder.

To verify that the installation file has not been corrupted or tampered with
1 Run md5sum from the folder to which you downloaded the installation file.
2 Check that the value you receive matches the value in the checksum file in
the same folder.

Note: The checksum file contains checksums for both Linux and Windows
downloads.
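
The verification steps above as a script, generalized to pick the right entry out of a checksum file that lists several downloads. This is an added example, not part of the Skybox guide; it assumes the checksum file uses md5sum's output format, and the file names in the self-test are constructed.

```bash
#!/bin/sh
# Added example (not from the Skybox guide).
# Assumption: each checksum line is "<32 hex digits>  <file name>", as written
# by md5sum; a leading "*" before the name (binary mode) is tolerated.

# lookup_md5 CHECKSUM_FILE INSTALLER_NAME
# Prints the expected hash (lower case) for INSTALLER_NAME, or nothing.
lookup_md5() {
    awk -v want="$2" '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        $1 ~ /^[0-9A-Fa-f]+$/ && length($1) == 32 {
            name = $0
            sub(/^[0-9A-Fa-f]+[ \t]+\*?/, "", name)
            n = split(name, parts, "/")          # ignore a leading directory
            if (parts[n] == want) { print tolower($1); exit }
        }' "$1"
}

# verify_installer INSTALLER CHECKSUM_FILE
# Returns 0 on match, 1 on mismatch, 2 if a file or its entry is missing.
verify_installer() {
    vi_file=$1
    vi_sums=$2
    [ -f "$vi_file" ] && [ -f "$vi_sums" ] || { echo "missing file" >&2; return 2; }
    vi_name=$(basename "$vi_file")
    vi_expected=$(lookup_md5 "$vi_sums" "$vi_name")
    if [ -z "$vi_expected" ]; then
        echo "no checksum entry for $vi_name" >&2
        return 2
    fi
    vi_actual=$(md5sum "$vi_file" | awk '{ print tolower($1) }')
    if [ "$vi_actual" = "$vi_expected" ]; then
        echo "OK: $vi_name"
        return 0
    fi
    echo "MISMATCH: $vi_name (expected $vi_expected, got $vi_actual)" >&2
    return 1
}

# selftest_constructed: builds two constructed "installers" and a checksum
# file covering both, then checks the match and mismatch paths.
selftest_constructed() {
    st_dir=$(mktemp -d) || return 1
    printf 'constructed linux payload\n'   > "$st_dir/example-linux.bin"
    printf 'constructed windows payload\n' > "$st_dir/example-windows.exe"
    {
        ( cd "$st_dir" && md5sum example-linux.bin )
        # Second entry: upper-case hash, binary marker, CRLF line ending.
        printf '%s *example-windows.exe\r\n' \
            "$(md5sum < "$st_dir/example-windows.exe" | awk '{ print toupper($1) }')"
    } > "$st_dir/checksums.txt"

    st_ok=0
    verify_installer "$st_dir/example-linux.bin"   "$st_dir/checksums.txt" >/dev/null || st_ok=1
    verify_installer "$st_dir/example-windows.exe" "$st_dir/checksums.txt" >/dev/null || st_ok=1

    printf 'x' >> "$st_dir/example-linux.bin"    # simulate a damaged download
    st_rc=0
    verify_installer "$st_dir/example-linux.bin" "$st_dir/checksums.txt" 2>/dev/null || st_rc=$?
    [ "$st_rc" -eq 1 ] || st_ok=1

    rm -rf "$st_dir"
    return "$st_ok"
}

# Usage: script INSTALLER CHECKSUM_FILE   or   script --selftest
if [ "$#" -eq 2 ]; then
    verify_installer "$1" "$2"
elif [ "${1:-}" = "--selftest" ]; then
    selftest_constructed && echo "self-test passed"
fi
```

Because the checksum file is served from the same folder as the installer, a match confirms the file arrived intact relative to that folder's contents; it does not independently establish where the file came from.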



Chapter 3

Skybox Manager installation


This chapter explains how to install Skybox Manager by itself.

In this chapter
Installing Skybox Manager ................................................... 18
Skybox Manager system requirements .................................. 18

INSTALLING SKYBOX MANAGER


Note: Skybox Manager runs on most Microsoft Windows operating systems. For
details, see Skybox Manager system requirements (on page 18).
Installing Skybox Manager requires administrator privileges.

To install Skybox Manager

1 Run the installation file (SkyboxManager-<version#>-<build>.exe).
2 Follow the directions in the wizard.

Note: Installation under <Drive>:\Program Files (or any other path
containing a space) is not supported.

Post installation notes

› Skybox Manager is configured to communicate with the server over
  8443/TCP. If there is a firewall between Skybox Manager and Skybox Server,
  access on this port must be explicitly permitted.
› The user running Skybox Manager must have Modify permissions for the
  directory where Skybox Manager is installed.

SKYBOX MANAGER SYSTEM REQUIREMENTS


Skybox Manager is a Java client application that connects to the Skybox Server
(through port 8443).
You can install multiple Skybox Managers on a single computer; this is useful
when connecting to Skybox Servers of different versions.

Operating system
The following operating systems are supported for Skybox Manager:

› Windows 7
› Windows 10 (64bit only)
› Windows Server 2012
› Windows Server 2016

Browser
The following browsers are supported for Skybox Manager:

› Microsoft Internet Explorer 9 and higher

  Note: Microsoft Edge is not supported.

› Google Chrome
› Mozilla Firefox
› Safari (for Skybox Horizon)

Hardware
The hardware requirements for Skybox Manager are listed in the following table.

| Item | Minimum | Recommended |
|---|---|---|
| CPU | Intel i3 or equivalent | Intel i5 or equivalent |
| RAM | 2 GB | 4 GB |
| Available disk space | 1 GB | 2 GB |



Chapter 4

Server installation
There are several possible Server installation scenarios; each scenario requires a
different installation process.

In this chapter
Installation instructions for different environments .................. 20
Installation workflow ........................................................... 21
Skybox Server system requirements ..................................... 21
Installing the Skybox Server on Windows .............................. 22
Silent installation ................................................................ 22
Installing the Skybox Server on Linux ................................... 26
Starting and stopping components via the Windows system tray .. 27
Skybox Server post-installation steps .................................... 28
Elasticsearch and Skybox ..................................................... 31

INSTALLATION INSTRUCTIONS FOR DIFFERENT ENVIRONMENTS


| If you are installing in this environment... | Refer to... |
|---|---|
| Skybox Appliance | Skybox 5500/6000/7000/8000 Appliance Quick Start Guide |
| Skybox Virtual Appliance (ISO installed in a VMware environment) | Skybox Virtual Appliance Quick Start Guide |
| Windows for corporate environment | • Installing the Skybox Server on Windows (on page 22) (via a wizard) • Silent installation (on page 22) (via a script; full installation or only Collector) |
| Windows all-in-1: For a trial or as an auditor using a laptop | Installing the Skybox Server on Windows (on page 22) |
| Linux | Installing the Skybox Server on Linux (on page 26) |
| FIPS | Silent installation (on page 22) and Using FIPS mode (on page 61) |


INSTALLATION WORKFLOW
The general workflow for installing the Skybox Server is:
1 Check that the machine on which you are installing meets the system
requirements (see page 21).
2 Follow the installation instructions that are described in:
• (Windows) Installing the Skybox Server on Windows (on page 22)
• (Linux) Installing the Skybox Server on Linux (on page 26)
• Silent installation (on page 22) (without user intervention)
3 Perform any necessary post-installation steps (see page 28).
Note: If Skybox is already installed, you can download an update package from
the Skybox update management server and install it (see Updating Skybox (on
page 44)).

SKYBOX SERVER SYSTEM REQUIREMENTS


Install the Skybox Server on a server-class machine. The size and complexity of
your network might require a powerful server with a multiprocessor and a large
amount of memory. For very large deployments, you might need multiple Skybox
Servers (each running on a separate server). Skybox Manager and Collector are
usually installed with the Server, but additional Skybox Managers and Collectors
might be required.
The Skybox Server communicates through ports 8443 (between Server and
Skybox Manager) and 9443 (between Server and Collector). We recommend that
you permit communication through these ports only.

Installing multiple Skybox Servers


Install each Skybox Server on a separate machine. If you do install 2 Skybox
Servers on the same machine, change the ports used by 1 of them to prevent
port collision (see Installing multiple components on a single machine (on page
28)).

Operating system
The operating systems supported for the Skybox Server are listed in the
following table.

Note: The Server must run on a 64-bit operating system.


Operating system
Windows 7
Windows 10
Windows Server 2012
Windows Server 2016
Red Hat Enterprise Linux 6 (for existing installations only)
Red Hat Enterprise Linux 7
CentOS 6 (for existing installations only)
CentOS 7


Hardware
Server hardware requirements are listed in the following table. If you need help, contact Skybox technical support.

| Item | Standard deployment | Large deployment (over 250 firewalls) |
| --- | --- | --- |
| CPU | 8 cores | 16 cores |
| RAM | 32 GB | 128 GB |
| Available disk space | 500 GB | 1 TB |

INSTALLING THE SKYBOX SERVER ON WINDOWS


Installing and running the Skybox Server on Windows requires administrator
privileges. When you install Skybox Server, Skybox Manager and Collector are
installed on the same machine by default.
Before installing Skybox Server, check that the machine on which you are
installing meets the system requirements (see page 21).

To install Skybox
1 Run the installation file (SkyboxInstaller-<version#>-<build>.exe).
2 Follow the directions in the wizard.
Mandatory options are listed in the following table. In all other places, either
use the default option or make the necessary change.
At the end of the installation, Skybox is launched. Logging in requires a valid
Skybox license file.
3 Navigate to the location where you stored the Skybox license file.
Note: If you have a licensing problem, you cannot log in until the problem
is resolved. Contact Skybox Support for assistance.
| Page | Action |
| --- | --- |
| Choose Install Folder | Specify the installation directory. Note: Installation under <Drive>:\Program Files (or any other path containing a space) is not supported. If another (previous) version of Skybox is installed, do not install to the same directory. |
| Preferences | By default, the Skybox Server and Collector run as services. If the target platform is used for running Skybox only occasionally, you can choose to run them as batch processes. |

SILENT INSTALLATION
Use silent installation to:

› Install Skybox on Linux machines
› Install Skybox on Windows without user intervention
› Install Skybox on either Linux or Windows in FIPS mode

Note: Only install Skybox in FIPS mode if required to do so (see Using FIPS mode (on page 61)).

Before running a silent installation, ensure that:

› You have administrator privileges
› If you previously installed Skybox (any version), you specify a different
directory for this installation

To prepare for silent installation


1 Download the installation file (on page 17) or locate it on the file system if it
was already downloaded:
• (Windows) SkyboxInstaller-<version#>-<build>.exe
• (Linux) SkyboxInstaller-<version#>-<build>.bin
2 Copy the file to your computer.
3 Select a properties file from the file system or from an email if it was sent to
you:
• installer.properties: For full installation (all 3 components)
• installer-collector.properties: For Collector installation; contains
properties required for Collector installation only
If no such file exists, create a properties file (see page 23).
4 Copy the properties file to the directory on your computer that contains the
installation program (see step 1).
5 (Collector-only installation) Rename the copied installer properties file
(installer-collector.properties) to installer.properties
6 If necessary, customize the properties file (see page 23) for your installation.

To run a silent installation

› Run the installation program:
• (Windows) Execute the command: SkyboxInstaller-<version#>-<build>.exe -f installer.properties
• (Linux) Execute the command: ./SkyboxInstaller-<version#>-<build>.bin -f installer.properties

Note: During silent installation, the file that is required for silent
uninstallation is created.

Properties file for silent installation


The properties in installer.properties that are used for a full installation are
described in the following table. For silent installation of the Collector, the file
contains a subset of these properties.
Each property name is followed by its description.

INSTALLER_UI
  Use the default value (silent)

SB_SERVER_HOST
  The Skybox Server host IP address
  If Skybox Server and Skybox Manager are on the same machine, use localhost

USER_INSTALL_DIR
  The directory into which to install Skybox. The default is c:\\Skybox
  Note: For Windows installations, change the value to C:\\Program Files\\Skybox

CHOSEN_INSTALL_SET
  The set of Skybox components to install
  • (Default) Server(Full): Install all components: Skybox Server, Skybox Manager, and Skybox Collector
  • Collector: Install only the Collector

SB_LICENSE_FILE
  The Skybox license file name. The default name is license.xml
  This property is used only if you are installing the Skybox Server.
  Note: Do not change the value of this property (the file name) or the Skybox Server cannot start.

SB_PATH_OF_LICENSE_FILE
  The directory-level path to the license file. There is no default value.
  This property is used only if you are installing the Skybox Server.
  Note: If you do not provide a value for this property, add the license file manually (after the installation) to <Skybox_Home>\server\conf

SB_FIPS140_MODE
  Specifies whether to install in approved (FIPS) mode:
  • 1: Yes
  • 0: No (default)

SB_SERVER_SERVICE
  If you are installing the Skybox Server, specifies whether to install it as a service:
  • 1: Yes (default)
  • 0: No

SB_COLLECTOR_SERVICE
  If you are installing the Skybox Collector, specifies whether to install it as a service:
  • 1: Yes (default)
  • 0: No

SB_SERVER_SERVICE_START
  If you are installing the Skybox Server as a service, specifies whether to start it after installation:
  • 1: Yes
  • 0: No (default)

SB_COLLECTOR_SERVICE_START
  If you are installing the Skybox Collector as a service, specifies whether to start it after installation:
  • 1: Yes
  • 0: No (default)

SB_SERVER_MAIL
  Mail server name or IP address for sending reports and alerts.
  There is no default value.
  This property is used only if you are installing the Skybox Server.
  Note: This information can be added later using Skybox Manager.

SB_MAIL_ADDRESS
  Mail server name or IP address for sending Admin email
  The default address is [email protected]
  This property is used only if you are installing the Skybox Server.
  Note: This information can be added later using Skybox Manager.

SB_MANAGER_ACROBAT
  Specifies whether to install Adobe Reader on the Skybox Manager machine:
  • 1: Yes
  • 0: No (default)
  This property is used only if you are installing Skybox Manager.

USER_SHORTCUTS
  (Windows only) Location of the user shortcut
  The default location is: C:\Documents and Settings\All Users\Start Menu\Programs\Skybox
  Note: By default, this property is commented out—there is no user shortcut.

SHORTCUT_NAME
  (Windows only) The name of the user shortcut
  The default name is skyboxview
  Note: By default, this property is commented out—there is no user shortcut.

SB_INSTALL_NEW
  Specifies whether to perform a new installation:
  • 1: Yes (default)
  • 0: No
  Do not change this value.

SB_INSTALL_UPGRADE
  Do not change this value.

SB_PREV_HOME_DIR
  Do not change this value.

Example of installer.properties
INSTALLER_UI=silent
SB_SERVER_HOST=localhost
USER_INSTALL_DIR=c:\\Skybox
# -- Manager, Collector, Server(Full)
CHOSEN_INSTALL_SET=Server(Full)
# -- License file name and location
SB_LICENSE_FILE=license.xml
SB_PATH_OF_LICENSE_FILE=
SB_FIPS140_MODE=0
SB_SERVER_SERVICE=1
SB_COLLECTOR_SERVICE=1
SB_SERVER_SERVICE_START=0
SB_COLLECTOR_SERVICE_START=0
SB_SERVER_MAIL=
[email protected]
SB_MANAGER_ACROBAT=0
SB_INSTALL_NEW=1
SB_INSTALL_UPGRADE=0
SB_PREV_HOME_DIR=/opt/Skybox
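
A silent installation has no wizard to catch a bad value, so it helps to lint installer.properties before passing it to the installer. The following check is an added example, not part of the Skybox guide or product; it encodes only the rules stated in the property table above, and the function names and both sample files are constructed for illustration.

```python
"""Lint an installer.properties file against the rules in the property table."""

BOOLEAN_KEYS = (
    "SB_FIPS140_MODE", "SB_SERVER_SERVICE", "SB_COLLECTOR_SERVICE",
    "SB_SERVER_SERVICE_START", "SB_COLLECTOR_SERVICE_START",
    "SB_MANAGER_ACROBAT", "SB_INSTALL_NEW", "SB_INSTALL_UPGRADE",
)
# Properties the guide says to leave at their default value.
FIXED_VALUES = {
    "INSTALLER_UI": "silent",
    "SB_LICENSE_FILE": "license.xml",
    "SB_INSTALL_NEW": "1",
}
INSTALL_SETS = ("Server(Full)", "Collector")


def parse_properties(text):
    """Return (props, malformed_lines) for key=value text with # comments."""
    props, malformed = {}, []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            malformed.append((number, line))
            continue
        # "\\" in a properties file stands for one literal backslash.
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props, malformed


def same_directory(a, b):
    """Compare two install paths, ignoring separator style and trailing slash."""
    def norm(path):
        path = path.replace("\\", "/").rstrip("/")
        # Paths with a drive letter are Windows paths: compare without case.
        return path.lower() if path[1:2] == ":" else path
    return norm(a) == norm(b)


def lint(text):
    """Return a list of (property, message) findings; empty means clean."""
    props, malformed = parse_properties(text)
    findings = [("line %d" % n, "not a key=value pair") for n, _ in malformed]
    for key, expected in FIXED_VALUES.items():
        if key in props and props[key] != expected:
            findings.append((key, "guide says to keep %r" % expected))
    for key in BOOLEAN_KEYS:
        if key in props and props[key] not in ("0", "1"):
            findings.append((key, "must be 0 or 1"))
    if props.get("CHOSEN_INSTALL_SET", "Server(Full)") not in INSTALL_SETS:
        findings.append(("CHOSEN_INSTALL_SET", "expected Server(Full) or Collector"))
    new_dir, old_dir = props.get("USER_INSTALL_DIR"), props.get("SB_PREV_HOME_DIR")
    if new_dir and old_dir and same_directory(new_dir, old_dir):
        findings.append(("USER_INSTALL_DIR", "same directory as SB_PREV_HOME_DIR"))
    for component in ("SERVER", "COLLECTOR"):
        as_service = props.get("SB_%s_SERVICE" % component, "1")
        start = props.get("SB_%s_SERVICE_START" % component, "0")
        if start == "1" and as_service == "0":
            findings.append(("SB_%s_SERVICE_START" % component,
                             "start-after-install applies only to a service"))
    if props.get("SB_FIPS140_MODE") == "1":
        findings.append(("SB_FIPS140_MODE", "FIPS mode on: confirm it is required"))
    return findings


# Constructed sample that follows the table.
CLEAN = r"""
INSTALLER_UI=silent
SB_SERVER_HOST=localhost
USER_INSTALL_DIR=c:\\Skybox
CHOSEN_INSTALL_SET=Server(Full)
SB_LICENSE_FILE=license.xml
SB_PATH_OF_LICENSE_FILE=
SB_FIPS140_MODE=0
SB_SERVER_SERVICE=1
SB_SERVER_SERVICE_START=0
SB_INSTALL_NEW=1
SB_PREV_HOME_DIR=/opt/Skybox
"""

# Constructed sample with one violation per rule family.
BROKEN = r"""
INSTALLER_UI=gui
USER_INSTALL_DIR=C:\\Skybox\\
SB_PREV_HOME_DIR=c:\\skybox
SB_LICENSE_FILE=skybox-license.xml
SB_SERVER_SERVICE=0
SB_SERVER_SERVICE_START=1
SB_COLLECTOR_SERVICE=yes
admin-address-without-a-key
"""

if __name__ == "__main__":
    for key, message in lint(BROKEN):
        print("%-28s %s" % (key, message))
```
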

INSTALLING THE SKYBOX SERVER ON LINUX


Before installing Skybox
Before installing the Skybox Server, you must:
1 Be the root user
2 Install CentOS 7 (see page 26)
3 Install required packages (see page 27)
4 Harden platforms according to your hardening policy
5 Know the location of the Skybox license file
Note: If you do not have a license file, you can complete the installation
without it; the 1st time that you log in to Skybox Manager, you are asked
for the location of the license. (If you have a licensing problem, you
cannot complete the login until the problem is resolved. Contact Skybox
Support for assistance.)

Installation
You install Skybox on Linux silently (see page 22).

Users
The following users are set up during the installation of Linux and Skybox:

› root: Created by Linux installation


› %user_name%: During installation, you must give a non-root user access to
the Skybox Server
› skyboxview: Created by Skybox installation

Linux (CentOS 7) installation


The topics in this section explain how to install CentOS 7 to work with Skybox
Appliance.
Initial setup

To download and install CentOS 7


1 Download the operating system:
a. Go to http://isoredirect.centos.org/centos/7/isos/x86_64/
b. Select the nearest mirror site for downloading the CentOS ISO file.
c. Download the most recent full version of the ISO file
The file is approximately 4 GB and has DVD in its name.
2 Install CentOS with the following parameters:
• Language + Keyboard: US English
• Software selection:
— Base Environment: Server with GUI
— Add-Ons for selected Environment: Java platform, KDE
• Installation destination (Partitions):
— /boot 500MB
— / - LVM <all free disk space>
Installing packages
After installing Linux and before installing Skybox, you must install additional
software packages. These packages can be installed from the EPEL repository.

To enable the EPEL repository

› Enable the EPEL repository by running:


1. yum install epel-release
2. yum repolist

Packages to install

› Add the following packages using yum.

Note: This requires an internet connection.

| Package | For | Command |
| --- | --- | --- |
| glibc 64bit | Skybox | yum install glibc |
| glibc.i686 glibc-devel.i686 | Skybox | yum install glibc.i686 glibc-devel.i686 |
| pam.i686 | Skybox | yum install pam.i686 |
| numa | MySQL | yum install numactl-libs |
| wget | HTTP file retrieval | yum install wget |

STARTING AND STOPPING COMPONENTS VIA THE WINDOWS SYSTEM TRAY
If you are working in Windows, you can start or stop the Server or Collector from
the Skybox icon in the Windows system tray. You can launch Skybox Manager in
the same way.

To start or stop a Skybox component from the Windows system tray

› Right-click the Skybox icon in the system tray and select the desired
option.

Displaying the system tray icon after it was hidden

To display the system tray icon

› At the command line, run:
<Skybox_Home>\server\bin\startservertray.exe (or
startservertray.bat if Skybox is installed as a program).

SKYBOX SERVER POST-INSTALLATION STEPS


After installing Skybox:

› If you installed 2 Skybox Servers or 2 Skybox Collectors on the same machine
(not recommended), check that you specified a unique set of ports for each
installation (see Installing multiple components on a single machine (on page
28)).
› (Linux) Check that the machine’s resource limits are configured optimally for
running Skybox (see Verifying resource limits in Linux (on page 29)).
› Start the Server and the Collector (see Starting and stopping the Server and
Collector (on page 29)) if they did not start automatically.
The Server and the Collector start automatically:
• After installation completes (unless you cleared this option in the wizard)
• At system startup (unless you chose, in the wizard, to install either as a
batch program)

› Set the time zone used by Skybox for logging and task scheduling. The
default time zone is GMT (see Setting the time zone (on page 31)).
› (The 1st time that you log in to Skybox) If the location of the license file was
not provided during installation, specify its location during the login process.

Note: You cannot log in to Skybox until the license is added.

› After logging in to Skybox, specify the SMTP server for Skybox to use and the
Skybox administrator email address (see Email Configuration (on page 118)).
Without this, Skybox cannot send alerts or receive emails.
› Enable event logging (to syslog or Windows Event Viewer) for system events
(see System Events (on page 119)).

Installing multiple components on a single machine


You can install multiple Skybox components of a single type on a single machine.
Required configuration changes are listed in this section.

Skybox Servers
We recommend that you install each Skybox Server on a separate machine. If
you install multiple Skybox Servers on a single machine:

› Each installation must use a unique set of ports. These ports are set in the
port properties file (see page 142).
› Only one Skybox Server per machine can run as a service; additional Skybox
Servers must run as batch programs (see Starting and stopping the Skybox
Server and Collector (on page 29)).

Skybox Managers
You can install and run multiple Skybox Managers on a single machine.

Skybox Collectors
We recommend that you install each Collector on a separate machine. If you
install multiple Collectors on a single machine:


› Each installation must use a unique set of ports. These ports are set in the
port properties file (see page 142).
› Only one Collector per machine can run as a service; additional Collectors
must run as batch programs (see Starting and stopping the Skybox Server
and Collector (on page 29)).

Verifying resource limits in Linux


After installing Skybox on a Linux machine, make sure that the resource limits of
the main Skybox user match the recommended resource limits for Skybox.

To check resource limits


1 Switch from the root user to the skyboxview user (su - skyboxview).
2 Under /usr/bin, execute:
ulimit -a
3 Compare the output results with the recommended values in the table that
follows this procedure.
4 If the output results do not match the values in the table, edit
/etc/security/limits.d/10-skybox.conf for the skyboxview user only.
Each line in this file specifies a limit for the user, with the format:
• #<domain> <type> <item> <value>

Note: Changing the values of resources in this file can cause changes to
other values due to dependencies between the resources; after changing
values, check that none of the other values are set higher than
recommended.
Recommended resource limits are listed in the following table.

| Resource | Recommended value | Description |
| --- | --- | --- |
| core | 0 | Limits the core file size (kB) |
| data | unlimited | Maximum data size (kB) |
| size | unlimited | Maximum file size (kB) |
| memlock | unlimited | Maximum locked-in-memory address space (kB) |
| nofile | 65536 | Maximum number of open files |
| stack | unlimited | Maximum stack size (kB) |
| cpu | unlimited | Maximum CPU time (minutes) |
| nproc | unlimited | Maximum number of processes |
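
The comparison in steps 3 and 4 can be done mechanically against the limits file itself. The following audit is an added example, not part of the Skybox guide or product: it reads text in the `<domain> <type> <item> <value>` format and reports, for the skyboxview user, which soft and hard limits are missing, lower, or higher than the table recommends. It assumes the table's "size" row corresponds to the limits.conf item `fsize`; the sample file content is constructed.

```python
"""Audit limits.d entries for one user against the recommended table."""

# Recommended values from the table; None stands for "unlimited".
# The table's "size" row (maximum file size) is the limits.conf item "fsize".
RECOMMENDED = {
    "core": 0, "data": None, "fsize": None, "memlock": None,
    "nofile": 65536, "stack": None, "cpu": None, "nproc": None,
}
UNLIMITED_WORDS = ("unlimited", "infinity", "-1")


def parse_limits(text, user="skyboxview"):
    """Return {item: {"soft": value, "hard": value}} for lines whose domain is user."""
    limits = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) != 4 or fields[0] != user:
            continue
        _, kind, item, word = fields
        if kind not in ("soft", "hard", "-"):
            continue
        try:
            value = None if word.lower() in UNLIMITED_WORDS else int(word)
        except ValueError:
            continue                             # not a number: ignore the line
        # A type of "-" sets the soft and the hard limit together.
        for k in (("soft", "hard") if kind == "-" else (kind,)):
            # If an item repeats, this parser keeps the last line seen.
            limits.setdefault(item, {})[k] = value
    return limits


def compare(configured, recommended):
    """Classify one configured value as ok, low or high."""
    if configured == recommended:
        return "ok"
    if configured is None:
        return "high"        # unlimited where a finite value is recommended
    if recommended is None:
        return "low"         # finite where unlimited is recommended
    return "high" if configured > recommended else "low"


def audit(text, user="skyboxview"):
    """Return {(item, kind): status} for every recommended item and both kinds."""
    limits = parse_limits(text, user)
    report = {}
    for item, want in RECOMMENDED.items():
        for kind in ("soft", "hard"):
            if kind in limits.get(item, {}):
                report[(item, kind)] = compare(limits[item][kind], want)
            else:
                report[(item, kind)] = "missing"   # not set in this file
    return report


def problems(report):
    """Keep only the entries that need attention."""
    return {key: status for key, status in report.items() if status != "ok"}


# Constructed content in the format of /etc/security/limits.d/10-skybox.conf.
SAMPLE = """\
#<domain>    <type>  <item>   <value>
skyboxview   soft    core     0
skyboxview   hard    core     unlimited
skyboxview   soft    nofile   1024
skyboxview   hard    nofile   65536
skyboxview   -       stack    infinity
skyboxview   -       nproc    unlimited
otheruser    -       data     unlimited
"""

if __name__ == "__main__":
    for (item, kind), status in sorted(problems(audit(SAMPLE)).items()):
        print("%-8s %-4s %s" % (item, kind, status))
```

A status of "high" is the case the note above warns about: a value set higher than recommended, such as an unlimited hard core-file size.
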

Starting and stopping the Server and Collector


You can install the Server and the Collector as services or they can run as regular
programs. If you install them as services, they usually start automatically.
If a component does not start automatically, you can start it manually.


Starting the Server and Collector on Windows

To start the Server or Collector

› Right-click the Skybox icon in the system tray and select Start
<Component>.

To start the Server or Collector program from the command-line interface

› Server: <Skybox_Home>\server\bin\startserver.bat
› Collector: <Skybox_Home>\collector\bin\startcollector.bat

Stopping the Server and Collector on Windows

To stop the Server or Collector

› Right-click the Skybox icon in the system tray and select Stop
<Component>.

To stop the Server or Collector program from the command-line interface

› Server: <Skybox_Home>\server\bin\stopserver.bat
› Collector: <Skybox_Home>\collector\bin\stopcollector.bat

Starting the Server and Collector on Linux

To start the Server as a service

› Execute one of:
• service sbvserver start
• /etc/init.d/sbvserver start

Note: Additional keywords available when executing these commands are stop,
status, and restart.

To start the Collector as a service

› Execute one of:
• service sbvcollector start
• /etc/init.d/sbvcollector start

Note: Additional keywords available when executing these commands are stop,
status, and restart.

To start the Server as a program on Linux


1 Log in to the Linux machine as user skyboxview and open a terminal
window.
2 From the <Skybox_Home>/server/bin directory, execute:
./startserver.sh&


To start the Collector as a program on Linux


1 Log in to the Linux machine as user skyboxview and open a terminal
window.
2 From the <Skybox_Home>/collector/bin directory, execute:
./startcollector.sh&

Stopping the Server and Collector on Linux

To stop the Server

› From the <Skybox_Home>/server/bin directory, execute:


./stopserver.sh&

To stop the Collector

› From the <Skybox_Home>/collector/bin directory, execute:


./stopcollector.sh&

Setting the time zone


By default, Skybox uses GMT for logging and task schedules.

To change Skybox time to local time


1 Add a property, user.timezone, to
<Skybox_Home>\server\conf\system.properties
2 Set the property to:
• A GMT offset
For example, user.timezone=GMT-8

Note: Reset the GMT offset when switching to or from daylight saving
time (summer time).

• A location
For example, user.timezone=America/Los_Angeles
Possible values are listed at
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/index.htm?info/rzaha/gettime.htm

Storing your files


Skybox installation creates an empty directory under <Skybox_Home> named
integration. Use this directory to store all external files that you want to keep
in the installation (for example, files required for model building or updating),
including configuration files from data sources that you imported into the model.

ELASTICSEARCH AND SKYBOX


The Skybox Server supports the export of data into an external instance of
Elasticsearch.


Prerequisites for working with Elasticsearch

› Configure Skybox to work with Elasticsearch


› The hosted Elasticsearch version must be any 6.x.y version from 6.4.2 and
up. We recommend that you use version 6.4.2.

Configuring Skybox to work with Elasticsearch


Set up Skybox to work with Elasticsearch at Tools > Options > Server Options
> Elasticsearch Export Settings (on page 114).

Elastic Cloud
Skybox can export data to a hosted Elastic Cloud running on AWS or GCP. For
further information, see https://www.elastic.co/guide/en/cloud/current/getting-started.html
Skybox can export data to Elastic Cloud Enterprise running on-premises. For
further information, see https://www.elastic.co/guide/en/cloud-enterprise/current/ece-overview.html

Using Elasticsearch with Skybox


Indexing Skybox data into Elasticsearch
Skybox data can be indexed into Elasticsearch in any of 3 ways:

› Running a Skybox task of type Elasticsearch – Index Export
For more information about this task, see Elasticsearch index export tasks, in
the Skybox Reference Guide.
› Running any CSV export task in Skybox with Export to Elasticsearch selected
› Invoking es documents Skybox REST API calls at
https://<host>:8443/skybox/webservice/swagger-ui/index.html;
<host> is the IP address or host name of the Skybox Server

IP address search
Fields of the IP address type can be searched as follows:

› In the query search bar, fieldName:10.125.0.0\/8


› In Add filter, fieldName is one of 10.125.0.0/8
Region Map visualization can be used with the field hostLocationCountry.

Kibana
Kibana is no longer distributed with Skybox installations.

To install Kibana
1 Follow the directions in
https://www.elastic.co/guide/en/kibana/6.4/setup.html
2 Replace the contents of the Kibana configuration with the files from
<Skybox_Home>/server/conf/kibana



Chapter 5

Skybox Collector installation


This chapter explains how to install the Skybox Collector by itself. There are
several possible Collector installation scenarios; each scenario requires a
different installation process.
Before you start, check Collector system requirements (on page 34).
After you install a Collector, you must connect it to the Skybox Server. See
Connecting Skybox Collectors (on page 35).

In this chapter
Installation environment ...................................................... 33
Installing the Collector on Windows ....................................... 33
Installing the Collector on Linux ............................................ 34
Collector system requirements ............................................. 34
Connecting Skybox Collectors ............................................... 35

INSTALLATION ENVIRONMENT
| If you are installing in this environment... | Refer to... |
| --- | --- |
| Skybox Appliance | Skybox 5500/6000/7000/8000 Appliance Quick Start Guide |
| Skybox Virtual Appliance (ISO installed in a VMware environment) | Skybox Virtual Appliance Installation Guide |
| Windows | Installing the Collector on Windows (on page 33) |
| Linux | Installing the Collector on Linux (on page 34) |

INSTALLING THE COLLECTOR ON WINDOWS


To install the Skybox Collector on Windows:

› Turn off previously installed versions of Skybox to prevent port collision


› Have administrator privileges

To install the Skybox Collector on Windows


Note: To install the Collector on Windows without user interaction, use the
procedure in Silent installation (on page 22).


1 Run the installation file (SkyboxInstaller-<version#>-<build>.exe).


2 Follow the directions in the wizard.
Mandatory options are listed in the following table. In all other places, either
use the default option or make any necessary changes.
| Page | Action |
| --- | --- |
| Choose Install Set | Select Collector. |
| Choose Install Folder | Specify the installation directory. Note: Installation under <Drive>:\Program Files (or any other path containing a space) is not supported. If another (previous) version of Skybox is installed, do not install to the same directory. |
| Preferences | To run the Collector as a batch program rather than an OS service, clear Install as operating system service. |

For instructions about starting the Collector, see Starting and stopping the
Skybox Server and Collector (on page 29).

INSTALLING THE COLLECTOR ON LINUX


Before installing the Collector
Before installing the Collector on Linux:

› Turn off previously installed versions of Skybox to prevent port collision


› Be the root user
› Install all required packages (see Installing packages (on page 27))

To install the Skybox Collector on Linux

› Use the installation procedure provided in Silent installation (on page 22).
For instructions about starting the Collector, see Starting and stopping the
Skybox Server and Collector (on page 29).

COLLECTOR SYSTEM REQUIREMENTS


The Skybox Collector does not need a powerful machine because there is no
heavy processing or data storage on the Collector side; the collected data is
moved to the Skybox Server machine for processing.
We recommend that you permit communication through ports 22 and 9443 only.
Note: Install each Skybox Collector on a separate machine (to prevent port
collision). If you do install 2 Collectors on the same machine, you must change
the ports used by 1 of them (see Installing multiple components on a single
machine (on page 28)).

Operating system
The operating systems supported for the Collector are listed in the following
table.

Note: The Collector must run on a 64-bit operating system.


Operating system
Windows 7
Windows 10
Windows Server 2012
Windows Server 2016
Red Hat Enterprise Linux 6 (for existing installations only)
Red Hat Enterprise Linux 7
CentOS 6 (for existing installations only)
CentOS 7

Hardware
The hardware requirements for a Collector machine are listed in the following
table.
| Item | Minimum | Recommended |
| --- | --- | --- |
| CPU | 4 cores | 8 cores |
| RAM | 16 GB | 32 GB |
| Available disk space | 100 GB | 500 GB |

Note: Syslog collection requires the resources specified in the Recommended
column. For additional information, contact Skybox Support.

CONNECTING SKYBOX COLLECTORS


After installing a Skybox Collector:

› Add it to Skybox so that the Skybox Server can connect to it to collect data
› Connect it to the networks from which it is to collect data

Note: The current SSH client used by the Skybox Collector for remote collection
can only use a Diffie-Hellman key of up to 2048 bits. Collection from remote
devices that use a larger key will fail.

Adding a new Collector to Skybox


Only Admins can add Collectors to Skybox.

To add a Collector to Skybox


1 In the Operational Console, right-click Collectors and select New Collector.
2 In the New Collector dialog box, define the Collector.
Note: If you change the port value, change the Collector’s listening port
on the Collector machine.
3 Click OK.
After you add Collectors to Skybox (or at any other time), you can verify
connectivity between the Skybox Server and the Collectors.

To verify connectivity from the Skybox Server to Collectors


1 In the Operational Console:
• To check all Collectors: In the tree, right-click Collectors and select
Update All Statuses.
• To check a single Collector: In the Table pane, right-click the Collector and
select Check Status.
2 Check the Status column in the Table pane; if the status is Up, the Skybox
Server is connected to the Collector and you can use it to retrieve data.



Chapter 6

Installing Additional Skybox Servers
In some cases, it is neither possible nor desirable to manage your whole
enterprise network as a single model on a single Skybox Server. Possible reasons
for this include:

› Skybox is managing unrelated networks or enterprises.


› Different business units require autonomy in managing their security risks
and you have decided to deploy a separate Skybox Server for each business
unit.
› Security reasons dictate full separation between different parts of your
enterprise network, even within the model.
› The full enterprise network cannot be conveniently handled as a single model
in Skybox.
If any of these reasons apply, as required:

› Include multiple models on a single Skybox Server.


Only one model can be active at any time, but you can switch between the
different models at any time.

› Deploy multiple Skybox Servers within your enterprise network.


You can either manage all the Skybox Servers from the same Skybox
Manager or use a separate Skybox Manager for each Skybox Server.
The following figure shows an example of a multiple-server deployment.



Chapter 7

Multi-tiered servers for Change Manager
In some scenarios, organizations want Skybox Change Manager to run on
separate web servers, not on the main Skybox Server.

To add web servers for Skybox Change Manager


1 Install an additional Skybox Server (on page 37) on each machine that you
want to use as a web server for Change Manager.
2 On each web server machine, in
<Skybox_Home>\server\conf\sb_server.properties, set the value of
web_remote_skybox_server to be the IP address or full path name of the
main Skybox Server.
3 On the main Skybox Server, add each web server as a Skybox Collector: In
the Operational Console, right-click Collectors and select New Collector;
add the web server IP address and a name for this Collector.
Users running Skybox Change Manager must log in to a web server rather than
the Skybox Server.
Note: The following scenarios are not supported: a Skybox Server running on
Linux and web servers running on Windows, and vice versa.



Chapter 8

Autonomous collection units


If your organization’s network is an air-gapped system, you cannot use Skybox
Collectors in the network. Instead, you can install a Skybox autonomous
collection unit.
Autonomous collection units include collection capabilities, tasks, and user
administration. Collected data is saved locally. The data can be saved to a
removable storage device (for example, a USB disk on key or a DVD) for later
upload to a Skybox Server at a different location.
The data can be imported to a Skybox Server using an Import – Directory task
(see the Importing data from Skybox autonomous collection units topic in the
Skybox Reference Guide).

In this chapter
Autonomous collection unit hardware requirements................. 39
Installing autonomous collection units ................................... 39
Installing Skybox Manager for autonomous collection .............. 41
Autonomous collection post-installation steps ......................... 42
Collecting device data using autonomous collection units ......... 42
Exporting autonomous collection unit data ............................. 42

AUTONOMOUS COLLECTION UNIT HARDWARE REQUIREMENTS


Hardware requirements for autonomous collection units are listed in the following
table.
| Item | Requirement |
| --- | --- |
| CPU | 8 cores |
| RAM | 32 GB |
| Available disk space | 1 TB |

INSTALLING AUTONOMOUS COLLECTION UNITS


Note: At least one Skybox Manager (Java client) must be installed on a Windows
machine to operate the autonomous collection unit (for example, to run the tasks
and manage users). See Installing Skybox Manager for autonomous collection
(on page 41).


To install an autonomous collection unit


1 Download the installation file (on page 17) or locate it on the file system if it
was already downloaded:
• (Windows) SkyboxInstaller-<version#>-<build>.exe
• (Linux) SkyboxInstaller-<version#>-<build>.bin
2 Copy the file to your computer.
3 Create a file named installer.properties in the directory on your computer
that contains the installation program. Use the sample text following these
instructions as the basis for the file.
4 Customize the properties file (see page 23) for your installation.
5 Run the installation program:
• (Windows) Execute the command: SkyboxInstaller-<version#>-<build>.exe -f installer.properties
• (Linux) Execute the command: ./SkyboxInstaller-<version#>-<build>.bin -f installer.properties

Note: During silent installation, the file that is required for silent
uninstallation is created.

Sample installer.properties file for autonomous collection unit installation

SB_OEM=AUTONOMOUS_COLLECTION
INSTALLER_UI=silent
#SB_INSTALL_USER=skybox
SB_SERVER_HOST=localhost
# (For Windows installation, change USER_INSTALL_DIR to C:\\Program Files\\Skybox)
USER_INSTALL_DIR=/opt/skyboxview
# -- Manager, Collector, Server(Full)
CHOSEN_INSTALL_SET=Server(Full)
# -- License file name and location
SB_LICENSE_FILE=license.xml
SB_PATH_OF_LICENSE_FILE=
# -- Install as services and start after the installation options (1=yes, 0=no)
SB_SERVER_SERVICE=1
SB_COLLECTOR_SERVICE=1
SB_SERVER_SERVICE_START=0
SB_COLLECTOR_SERVICE_START=0
# -- Mail server IP/name address for sending reports/alerts, and admin email
SB_SERVER_MAIL=
[email protected]
# -- Option to install Acrobat Reader on the Manager (1=yes, 0=no)
SB_MANAGER_ACROBAT=0
# (Windows only)
#USER_SHORTCUTS=C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Skybox
#SHORTCUT_NAME=skyboxview
SB_PS_VISTA=0

#Upgrade Settings
SB_INSTALL_NEW=1
SB_INSTALL_UPGRADE=0

#Skybox Previous Home Directory
# * We recommend that USER_INSTALL_DIR and SB_PREV_HOME_DIR are not the same
SB_PREV_HOME_DIR=/opt/Skybox
# (for Windows, the default is: C:\\Program Files\\Skybox)

INSTALLING SKYBOX MANAGER FOR AUTONOMOUS COLLECTION


Note: At least one Skybox Manager (Java client) must be installed on a Windows
machine to operate the autonomous collection unit (for example, to run the tasks
and manage users).
Use the same installation file that you used to install the autonomous collection
unit.

To install Skybox Manager for autonomous collection


1 Replace installer.properties in the directory on your computer that
contains the installation program. Use the sample text following these
instructions as the basis for the file.

Note: This is not the same as the file for installing the autonomous
collection units.

2 Customize the properties file (see page 23) for your installation.
Make sure to set the value of SB_SERVER_HOST to the IP address of the
autonomous collection unit.
3 Run the installation program:
• (Windows) Execute the command: SkyboxInstaller-<version#>-<build>.exe -f installer.properties
• (Linux) Execute the command: ./SkyboxInstaller-<version#>-<build>.bin -f installer.properties

Note: During silent installation, the file that is required for silent
uninstallation is created.

Sample installer.properties file for Skybox Manager installation


SB_OEM=AUTONOMOUS_COLLECTION
INSTALLER_UI=silent
#SB_INSTALL_USER=skyboxview
SB_SERVER_HOST=localhost
USER_INSTALL_DIR=/opt/skyboxview
CHOSEN_INSTALL_SET=Manager
SB_MANAGER_ACROBAT=0
#USER_SHORTCUTS=C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Skybox
#SHORTCUT_NAME=skyboxview
SB_PS_VISTA=0

#Upgrade Settings
SB_INSTALL_NEW=1
SB_INSTALL_UPGRADE=0

#Skybox Previous Home Directory
# * We recommend that USER_INSTALL_DIR and SB_PREV_HOME_DIR are not the same
SB_PREV_HOME_DIR=/opt/Skybox
# (for Windows, the default is: C:\\Program Files\\Skybox)
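
A silent installation gives no chance to correct a wrong value interactively, so it helps to check installer.properties before running either procedure above. The following pre-flight check is an added example, not part of the Skybox guide or tooling; the function name, the loopback list and the 192.0.2.10 address are assumptions, and the rules it applies are only the ones stated in the two procedures and sample files.

```python
import re

KEY_RE = re.compile(r"[A-Z][A-Z0-9_]*")
INSTALL_SETS = {"Manager", "Collector", "Server(Full)"}  # values listed in the guide's sample
LOOPBACK = {"", "localhost", "127.0.0.1", "::1"}         # assumption: treated as "not set"


def lint_installer_properties(text):
    """Return [(line_number, message)]; line_number 0 marks a file-level finding."""
    issues, props = [], {}
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        # A long comment that wrapped when copied shows up as a line that is
        # neither a comment nor KEY=value.
        if not sep or not KEY_RE.fullmatch(key.strip()):
            issues.append((number, "stray text, probably a wrapped comment: " + line))
            continue
        props[key.strip()] = value.strip()

    if props.get("SB_OEM") != "AUTONOMOUS_COLLECTION":
        issues.append((0, "SB_OEM is not AUTONOMOUS_COLLECTION"))
    if props.get("INSTALLER_UI") != "silent":
        issues.append((0, "INSTALLER_UI is not silent"))
    install_set = props.get("CHOSEN_INSTALL_SET")
    if install_set not in INSTALL_SETS:
        issues.append((0, f"CHOSEN_INSTALL_SET={install_set!r} is not a known install set"))
    # The Manager procedure requires the collection unit's IP address here.
    if install_set == "Manager" and props.get("SB_SERVER_HOST", "") in LOOPBACK:
        issues.append((0, "SB_SERVER_HOST must be the IP address of the autonomous collection unit"))
    if "USER_INSTALL_DIR" in props and props["USER_INSTALL_DIR"] == props.get("SB_PREV_HOME_DIR"):
        issues.append((0, "USER_INSTALL_DIR and SB_PREV_HOME_DIR should not be the same"))
    return issues


# Constructed input: the Manager sample as it looks when a long comment has wrapped.
MANAGER_AS_PASTED = r"""SB_OEM=AUTONOMOUS_COLLECTION
INSTALLER_UI=silent
#SB_INSTALL_USER=skyboxview
SB_SERVER_HOST=localhost
USER_INSTALL_DIR=/opt/skyboxview
CHOSEN_INSTALL_SET=Manager
SB_MANAGER_ACROBAT=0
#USER_SHORTCUTS=C:\\Documents and Settings\\All Users\\Start
Menu\\Programs\\Skybox
#SHORTCUT_NAME=skyboxview
SB_PS_VISTA=0
SB_INSTALL_NEW=1
SB_INSTALL_UPGRADE=0
SB_PREV_HOME_DIR=/opt/Skybox
"""

# 192.0.2.10 is a documentation address standing in for the collection unit.
MANAGER_FIXED = (MANAGER_AS_PASTED
                 .replace("SB_SERVER_HOST=localhost", "SB_SERVER_HOST=192.0.2.10")
                 .replace("Start\nMenu", "Start Menu"))

if __name__ == "__main__":
    for name, sample in (("as pasted", MANAGER_AS_PASTED), ("fixed", MANAGER_FIXED)):
        print(name)
        for line_number, message in lint_installer_properties(sample) or [(0, "no findings")]:
            print(f"  line {line_number or '-'}: {message}")
```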

AUTONOMOUS COLLECTION POST-INSTALLATION STEPS


To complete the autonomous collection installation
1 For each installation of a Skybox autonomous collection unit or Skybox
Manager, edit the following files in a text editor:
• <Skybox_Home>\collector\conf\.oem.properties
• <Skybox_Home>\app\conf\.oem.properties
• <Skybox_Home>\server\conf\.oem.properties
2 Change the content of each file to:
oem=autonomous_collection

COLLECTING DEVICE DATA USING AUTONOMOUS COLLECTION UNITS

Use Skybox collection tasks to collect configuration and other data from devices
in your network. These tasks are described in the Tasks part of the Skybox
Reference Guide.
Note: The documentation of the collection tasks refers to Skybox Collectors. All
such references include Skybox autonomous collection units.

Note: Skybox autonomous collection units do not support Firewalls – Check
Point FireWall-1 LEA Collection tasks.

EXPORTING AUTONOMOUS COLLECTION UNIT DATA


All collected data in Skybox autonomous collection units is saved locally under
<Skybox_Home>\data\collector\offline_collection.

› When you want to transfer the collected data to a Skybox Server at a
different location, save the data to a removable storage device (for example,
a USB disk on key or a DVD).
› Due to the likely volume of the collected data, we recommend that you zip
the data before saving it to the storage device.
For information about importing the data to a Skybox Server, see the Importing
data from Skybox autonomous collection units topic in the Skybox Reference
Guide.


Chapter 9

Skybox connectivity requirements
The connectivity requirements for Skybox installations are described in the
following table.

| From... | To... | Port / service | Additional information |
|---|---|---|---|
| Skybox administrator workstation | Skybox Appliance | 22/TCP and 444/TCP | |
| Skybox Manager | Skybox Servers | 8443/TCP | |
| Skybox Servers | Skybox Collectors | 9443/TCP | |
| Skybox Appliance | NTP server | 123/UDP | |
| Skybox Servers | Internal syslog server | 514/UDP | |
| Skybox Servers | LDAP | 389/TCP or 636/TCP (for LDAPS) | Used for Skybox application authentication |
| Skybox Servers | RADIUS server | 1812/TCP and 1813/TCP | Used for Skybox application authentication |
| Skybox Appliance | LDAP | 389/TCP | Used for authenticating the underlying OS to LDAP |
| Skybox Appliance | RADIUS server | 1812/TCP and 1813/TCP | Used for authenticating the underlying OS to RADIUS |
| Skybox Server | SMTP server | 25/TCP | |
| SNMP monitoring platform | Skybox Appliance | 161/UDP | |
| Skybox Appliance | DNS server | 53/UDP | |
| Skybox Server or Collector on which the Dictionary Update task is configured | Skybox Internet update services (dictionary and update URLs) | 443/TCP | Configure the proxy with https://*.skyboxsecurity.com/ to collect data from all assets in the skyboxsecurity.com domain |
| Skybox Servers from which statistical feedback is sent | Skybox Internet services | 443/TCP | URL: https://dictionary.skyboxsecurity.com/telemetry |
| Firewalls / Syslog server | Skybox Collectors | 514/UDP | |


Chapter 10

Updating Skybox
You can update Skybox without uninstalling the current version; software
updates for Skybox are issued periodically.
To update the Skybox Vulnerability Dictionary, see Dictionary updates (on page
143).

In this chapter
Updating Skybox
Skybox update file
Downloading the update file
Preparing to update
Updating the Server and local components
Updating remote components
Updating multi-tiered servers
Major version updates

UPDATING SKYBOX
To update Skybox:
1 Download a software update file (see page 45) from the Skybox update
management server.

Important: If you are updating from one major version to the next (for
example, from version 9.0.xxx to 10.0.xxx), there may be 2 steps
involved. See Major version updates (on page 48) for further information.
2 Make any necessary preparations (see page 46).
3 Run the update tool (see page 46) (included in the Skybox installation) to
apply the update file to Skybox.
The Server and other local components are updated, and then the remote
Skybox Managers and Collectors are updated.
Note: If you need to roll back to a previous version for any reason, contact
Skybox Support.


Server memory configuration changes


The upgrade from 9.0.xxx to 10.0.xxx overwrites the memory configuration
parameters in <Skybox_Home>/server/conf/jvmargs.properties, which is a
system file. If you customized any memory parameters in jvmargs.properties,
make sure to copy this information to jvmargs.user.properties before starting
the upgrade.

Collector infrastructure changes


In Skybox version 9.0.700 and higher, the infrastructure of the Collector was
migrated from a JBoss application server deployment to a new infrastructure,
based on Spring Boot version 1.5.17 with an embedded Tomcat servlet
container, version 8.5.34. If you have done any customization of the old JBoss
Tomcat server.xml file or the TLS setting in
<Skybox_Home>/collector/conf/jvmargs.properties for any existing
Collectors, you must customize the new infrastructure. For additional
information, see Migrating the Collector infrastructure (on page 49).

SKYBOX UPDATE FILE


A Skybox update can be a patch to the current version or an upgrade to a newer
version. Each downloaded update file is a compressed file that contains updates
for all supported operating systems.
Update files are cumulative—each file contains all published updates for the
current version.
Each update file has an accompanying file, Readme.txt, that contains information
about the update.

DOWNLOADING THE UPDATE FILE


You can query the Skybox update management server to check whether an
update to the installed version of Skybox is available and then download the
update file.
Note: If the Skybox Manager machine is configured to connect to the internet via
a proxy, configure the proxy settings before you download an update file
(navigate to Tools > Options > Manager Options > Proxy Settings
(Manager)).

To download an update file


Note: You can download the latest update file in the background by running (or
scheduling) a Tools – Server Software Update task. For information about
Tools – Server Software Update tasks, see the Skybox Server software
update tasks topic in the Reference Guide.
1 Select Help > Check for updates.
In the About Skybox dialog box, Version Information is selected in the tree.
Skybox connects to the Skybox update management server; a Check for
update progress bar is displayed in the dialog box.
When the check is complete, the version number of the update file is
displayed in the Available version field.

Note: If the installed version of Skybox is current, no new version
available is displayed in the Available version field.
2 Click Download.
The update file starts to download; a progress bar is displayed in the dialog
box.
When the download completes, the progress bar closes and the version
number is displayed in the Ready for installation field.
To apply the update file to the Skybox Server, see:
• Preparing to update (on page 46)
• Updating the Skybox Server and local components (on page 46)

PREPARING TO UPDATE
Before updating the Skybox Server:
1 Read the Readme.txt file that comes with the update file; it might specify
additional steps required during the update that are not included in the
standard update instructions.
The readme file also includes the MD5 checksum for the update file (at the
start of the Fix installation section).

Note: If you received the update via Help > Check for updates, you can
view the readme file from Skybox by clicking Help > Check for updates
and then clicking View release notes.
The readme file is available online at the same location as the update
files: https://update-us1.skyboxsecurity.com/updates/releases/oem1/10.0.0/
Take the file whose name exactly matches that of your update file. For
example, Readme-10.0.106-74.txt matches upgrade-10.0.106-74.sbu.

2 Verify the security of the downloaded update file:


a. Run md5sum on the file from the directory to which you downloaded the
update file: md5sum <filename>.
b. Check that the value you receive matches the checksum value specified in
the readme file.
3 If you work with the What If and Forensic models, back up a copy of each of
them (File > Models > Save) as a precautionary measure before applying an
update (see Backing up the model (on page 83)).

Note: If the Skybox Server is running, Skybox backs up the Live model as
part of the update; Skybox does not back up the What If and Forensics
models.
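
Steps 1 and 2 above can be scripted so that they run the same way on Windows (where md5sum is not available by default) and Linux. This is an added example, not Skybox tooling: it checks that the readme name matches the update file name as described in step 1, then checks that the computed MD5 appears in the readme. The function names and the assumption that the checksum is printed in the readme as 32 hexadecimal characters are mine.

```python
import hashlib
import hmac
import re
from pathlib import Path


def release_tag(path):
    """Part of the name that must be identical in both files,
    e.g. '10.0.106-74' for upgrade-10.0.106-74.sbu and Readme-10.0.106-74.txt."""
    name = Path(path).name
    for prefix, suffix in (("upgrade-", ".sbu"), ("Readme-", ".txt")):
        if name.startswith(prefix) and name.endswith(suffix):
            return name[len(prefix):-len(suffix)]
    raise ValueError("unexpected file name: " + name)


def md5_of(path, chunk_size=1 << 20):
    """MD5 of a file, read in chunks so large update files do not fill memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def readme_checksums(readme_path):
    """All 32-hex-digit values found in the readme, lower-cased (format is an assumption)."""
    text = Path(readme_path).read_text(encoding="utf-8", errors="replace")
    pattern = r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32}(?![0-9A-Fa-f])"
    return {value.lower() for value in re.findall(pattern, text)}


def verify_update(update_path, readme_path):
    """Return (ok, detail). detail is the digest on success, a reason on failure."""
    if release_tag(update_path) != release_tag(readme_path):
        return False, "readme does not belong to this update file"
    listed = readme_checksums(readme_path)
    if not listed:
        return False, "no MD5 value found in readme"
    actual = md5_of(update_path)
    if any(hmac.compare_digest(actual, value) for value in listed):
        return True, actual
    return False, "checksum mismatch: computed " + actual


if __name__ == "__main__":
    import tempfile

    # Constructed files standing in for a real download and its readme.
    work = Path(tempfile.mkdtemp())
    update = work / "upgrade-10.0.106-74.sbu"
    update.write_bytes(b"constructed update payload")
    readme = work / "Readme-10.0.106-74.txt"
    readme.write_text("Fix installation\nMD5: " + md5_of(update).upper() + "\n")

    print(verify_update(update, readme))          # intact download
    update.write_bytes(b"truncated")
    print(verify_update(update, readme))          # damaged download
```

A match shows that the download is intact and corresponds to that readme; because the readme and the update file come from the same location, the check does not independently authenticate the file.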

UPDATING THE SERVER AND LOCAL COMPONENTS


The Update tool updates the Server and any other components on the Server
machine in the same installation directory as the Server.


To update the Server


1 (Recommended) Make sure that the Server is running so that Skybox can
back up the model as part of the update process.
2 If Skybox Manager is running on the Server machine, shut down Skybox
Manager before running the Update tool.
3 Copy the update file to <Skybox_Home>\utility\bin
4 Run the Update tool:
• (Windows) <Skybox_Home>\utility\bin\updatetool.bat
• (Linux) <Skybox_Home>/utility/bin/updatetool.sh
Any Skybox user can execute the update; there is no need to log in as
root.
5 Before applying the update, the Skybox Server backs up the Live model to
<Skybox_Home>\data\xml_models\update_backup<MMddyyyyHHmm>.xmlx

Note: If the Server is not running, the Live model is not backed up and
your data might be lost in the event of a system failure during the
update. In some cases, the Update tool does not continue until the Server
backs up the Live model. Restart the Server and run the Update tool
again.
6 Most Server updates take between 5 and 8 minutes. During this time, the
Update tool stops the Server (and, if present, the local Collector), applies the
update, and restarts the Server (and Collector).
As part of the update, the following occur:
• The files in the update package (1 for each operating system that has
separate update instructions) are copied to the
<Skybox_Home>\data\fixes directory. These files are used to update
remote Skybox Managers and Collectors.
• The files necessary to restore the previous version are saved in the
<Skybox_Home>\updates\<update directory name>\backup directory
(<update directory name> includes the version and operating system).

UPDATING REMOTE COMPONENTS


When the Server machine is updated, remote Skybox Managers and Collectors
cannot work with the Server until they are updated to the same version as the
Server.

Updating remote Skybox Managers


Remote Skybox Managers are updated as part of the login procedure.

Updating remote Collectors


The Server checks the version of all running Collectors on an hourly basis to see
whether they need updating. If the Server detects that a Collector needs
updating, it sends the appropriate update file for the Collector operating system
and updates the Collector.

You can update a Collector by running a Tools – Collector Software Update
task. This is useful if you do not want to wait until the next update check or if a
Collector was down during the scheduled update.

UPDATING MULTI-TIERED SERVERS


If you work with multi-tiered servers, the remote web servers are not updated as
remote Collectors; you must update them separately.

To update a remote web server


1 Copy the update file to <Skybox_Home>\utility\bin on the remote server
machine.
2 Run the Update tool:
(Windows) <Skybox_Home>\utility\bin\updatetool.bat
(Linux) <Skybox_Home>/utility/bin/updatetool.sh
Any Skybox user can execute the update; there is no need to log in as root.
3 Verify that the server restarted.

MAJOR VERSION UPDATES


Updating from one major version to another (for example, from 9.0.xxx to
10.0.xxx) requires updating to the GA release of the first minor version of that
major version, and then updating once more to the current release. For example,
to update from version 9.0.8xx to version 10.0.3xx, you must first update to
10.0.201, and then to 10.0.3xx. For each update, follow the regular update
instructions in this chapter and in the Readme file.
For example, here is how you would update from a 9.0.800 version to 10.0.303.

› Copy upgrade-9.0.201-27_to_10.0.202-76.sbu to
<Skybox_Home>\utility\bin
› From <Skybox_Home>\utility\bin, run: updatetool.bat (updatetool.sh
for Linux)
› Copy upgrade-10.0.303-81.sbu to <Skybox_Home>\utility\bin
› From <Skybox_Home>\utility\bin, run: updatetool.bat (updatetool.sh
for Linux)
If you get an error message similar to the following when you update, it is quite
likely that you tried to do a regular update when a major version update was
required.
/opt/skyboxview-9.0.826-183/utility/bin/working_dir/upgrade-flow.xml:1003: This upgrade does not support the version 9.0.826 of Skybox currently in use.


Chapter 11

Migrating the Collector infrastructure
As of version 9.0.700, the Collector infrastructure was migrated from a JBoss
application server deployment to one based on Spring Boot version 1.5.17 with
an embedded Tomcat servlet container version 8.5.34.

General changes

› The configuration for Tomcat and Spring Boot is in the spring boot section in
<Skybox_Home>/collector/conf/sb_collector.properties
› The default port is set to 9443; the shutdown port is set to 9099 and is bound
to localhost.
› Logging configuration is set in <Skybox_Home>/collector/conf/log4j-collector.xml,
which gets sampled every minute.
› Java garbage collection logs have changed location to
<Skybox_Home>/collector/log/debug/gc
› On Windows, when the Collector is running as an operating system service,
the service is reinstalled on every update.
For this reason, if you changed the service logon options to use a service user
for collection, you must specify the service user again after every update.

› Any messages in the Collector logs that are marked as “(mock msg)” are
intended for backward compatibility and can be safely ignored.

Changes for customized Collectors


The following information is relevant for any Collectors in which the old JBoss
Tomcat server.xml file or the TLS settings in
<Skybox_Home>/collector/conf/jvmargs.properties were customized:

› Copy any customization of the old JBoss Tomcat server.xml file or the TLS
settings in <Skybox_Home>/collector/conf/jvmargs.properties to the
spring boot section in
<Skybox_Home>/collector/conf/sb_collector.properties.
› Updates overwrite conf/jvmargs.properties for the Collector, and
recalculate the memory settings—add any customization to
conf/jvmargs.user.properties, which is not modified by updates.

Main Spring Boot parameters


The following is a list of the main parameters in the spring boot section of
<Skybox_Home>/collector/conf/sb_collector.properties:


springboot.server.port=9443
springboot.server.session.timeout=3600
springboot.server.ssl.key-store=classpath:server.keystore
springboot.server.ssl.keyStoreType=JKS
springboot.server.ssl.protocol=TLS
springboot.server.ssl.enabled-protocols=TLSv1.2
#springboot.server.ssl.enabled-protocols=TLSv1.2,TLSv1.1,TLSv1
springboot.server.session.cookie.http-only=true
springboot.server.session.cookie.secure=true

A full list of Spring Boot settings is available at:

› https://docs.spring.io/spring-boot/docs/1.5.17.RELEASE/reference/htmlsingle/#common-application-properties
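
When TLS customizations are copied from the old server.xml or jvmargs.properties into the spring boot section, it is easy to carry legacy protocol settings along with them. The following audit of the parameters listed above is an added example, not Skybox code; the function names and the list of protocols treated as legacy are assumptions, and the second sample file is constructed.

```python
import re

PREFIX = "springboot.server."
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}  # assumption: flagged as legacy
DEFAULT_PORT = "9443"  # Collector port in this chapter and in the connectivity table


def active_settings(text):
    """Uncommented springboot.server.* settings, keyed without the prefix.
    Lines starting with '#' never match, so commented-out values are ignored."""
    pairs = re.findall(r"(?m)^[ \t]*springboot\.server\.([^\s=]+)[ \t]*=(.*)$", text)
    return {key: value.strip() for key, value in pairs}


def audit_collector_tls(text):
    """Return a list of findings for the spring boot section of sb_collector.properties."""
    cfg = active_settings(text)
    findings = []

    protocols = [p.strip() for p in cfg.get("ssl.enabled-protocols", "").split(",") if p.strip()]
    if not protocols:
        findings.append("ssl.enabled-protocols is not set explicitly")
    legacy = [p for p in protocols if p in LEGACY_PROTOCOLS]
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(legacy))

    for flag in ("session.cookie.http-only", "session.cookie.secure"):
        if cfg.get(flag, "").lower() != "true":
            findings.append(flag + " is not true")

    # A changed port also needs a matching Server-to-Collector firewall rule.
    if cfg.get("port", DEFAULT_PORT) != DEFAULT_PORT:
        findings.append("port " + cfg["port"] + " differs from the documented 9443/TCP")
    return findings


# The parameters exactly as listed in this chapter.
AS_DOCUMENTED = """\
springboot.server.port=9443
springboot.server.session.timeout=3600
springboot.server.ssl.key-store=classpath:server.keystore
springboot.server.ssl.keyStoreType=JKS
springboot.server.ssl.protocol=TLS
springboot.server.ssl.enabled-protocols=TLSv1.2
#springboot.server.ssl.enabled-protocols=TLSv1.2,TLSv1.1,TLSv1
springboot.server.session.cookie.http-only=true
springboot.server.session.cookie.secure=true
"""

# Constructed example of a Collector after old settings were carried over.
AFTER_MIGRATION = """\
springboot.server.port=8444
springboot.server.ssl.protocol=TLS
#springboot.server.ssl.enabled-protocols=TLSv1.2
springboot.server.ssl.enabled-protocols=TLSv1.2,TLSv1.1,TLSv1
springboot.server.session.cookie.http-only=true
springboot.server.session.cookie.secure=false
"""

if __name__ == "__main__":
    for name, sample in (("as documented", AS_DOCUMENTED), ("after migration", AFTER_MIGRATION)):
        print(name + ":", audit_collector_tls(sample) or "no findings")
```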


Chapter 12

Skybox licenses
The Skybox license controls the Skybox products that are available, the license
expiration date, and the maximum size of the network model.

In this chapter
Managing licenses
Invalid licenses
Node-count violations

MANAGING LICENSES
Viewing license information

To view license information


1 Select Help > About Skybox.
2 In the tree, select License Information.

Installing a license
If you receive a new license from Skybox, save it on your file system and upload
it to the Skybox Server.

To upload a license
1 Select Help > About Skybox > License Information.
2 Click Update License.
3 In the dialog box, navigate to the file location and click Open.

INVALID LICENSES
If you try to launch Skybox with an invalid license, the Skybox Server does not
start.
A license is invalid if:

› It has expired
› It does not match the Skybox product being launched
› The license hardware ID does not match the server that is trying to run
Skybox
› The grace period has expired for an old license version

Sometimes, when a new version of Skybox is released, it has a new license
scheme. In this case, you have a grace period (usually 30 days) to install a
new license. If you launch Skybox during the grace period, Skybox displays a
warning message.
› The grace days have expired for a license node-count violation
License node-count violations are described in the following section.

NODE-COUNT VIOLATIONS
Each Skybox license limits the number of nodes that you can include in the
model of your network. When you launch a Skybox product, Skybox checks the
number of nodes in the model. If the number of nodes exceeds the license limit,
Skybox displays a warning message.
Skybox provides a 30-day grace period for violations in the number of licensed
nodes in Skybox products. Each day that there is a violation in any product uses
up a day of the grace period. The purpose of the grace period is to enable you to
continue working with Skybox while you either fix the violation by deleting
unnecessary nodes or upgrade your license to include additional nodes. After the
grace period expires, the Skybox Server is locked; you must get a new license to
continue working with Skybox.
The entities that are limited per Skybox product are listed in the following table.
| Product | Limited entities |
|---|---|
| Firewall Assurance | Physical and virtual devices in the Firewall Assurance workspace. Note: The Add Firewalls Wizard does not permit you to exceed the licensed number of firewall nodes |
| Network Assurance | Network devices in the model; virtual assets in clouds and virtualized environments |
| Vulnerability Control | Number of assets in the model |

Note: These limits apply to the Live model only.


Chapter 13

Uninstalling Skybox
To uninstall Skybox from a Linux machine
The commands in this procedure require root permissions.
1 Uninstall the Skybox Server service and the Skybox Collector service:
• <Skybox_Home>/server/bin/uninstall_service_server.sh
• <Skybox_Home>/collector/bin/uninstall_service_collector.sh
2 Delete the entire Skybox directory:
• rm -rf <Skybox_Home>/
3 Delete the Skybox user and the Skybox home directory:
• userdel -r skyboxview
4 Delete the Skybox group:
• groupdel skyboxview

To uninstall Skybox from a Windows machine


The commands in this procedure require administrator permissions.
1 Uninstall the Skybox Server service and the Skybox Collector service:
• <Skybox_Home>\server\bin\uninstall-server-service.bat
• <Skybox_Home>\collector\bin\uninstall-collector-service.bat
2 Delete the entire Skybox directory <Skybox_Home>


Chapter 14

Product security
This chapter explains steps that Skybox takes to ensure that the Skybox platform
and its data are kept secure.

In this chapter
Communication and certificates
Mutual authentication between Skybox Servers and Collectors
Encryption
Using FIPS mode
Limiting login attempts
Security check: Last login message
Customizable login warning messages
User session timeout

COMMUNICATION AND CERTIFICATES


Communication between Skybox Managers and the Skybox Server, and between
the Skybox Server and Skybox Collectors is via an SSL service. The SSL service
requires that each device have a certificate store protected by a password.

› For information about using your own certificates, see Using your own
certificates (on page 54)
› For information about viewing certificates, see Viewing certificates (on page
59).
› For information about changing the default keystore password, see Changing
the default password of the keystore (on page 59).

Important: If any Skybox users connect using Google Chrome, see Certificates
for Google Chrome (on page 55).

Using your own certificates


Skybox has a default certificate store per Server and per (remote) Collector. The
values in this store are the same for all Skybox products. However, you can use
your own certificates.

Note: If any Skybox users connect using Google Chrome, see Certificates for
Google Chrome (on page 55) before starting.


To use your own certificates


1 Do one of the following for the Server machine:
• Generate and install a certificate using the Java keytool (on page 55)
• Install a certificate that you created using a different tool (on page 57)
2 On the local Collector (the Collector on the Server machine):
a. Navigate to <Skybox_Home>/collector/conf
b. Back up the following files:
— server.keystore
— cacerts_customer.keystore
c. Copy server.keystore and cacerts_customer.keystore from
<Skybox_Home>/server/conf to <Skybox_Home>/collector/conf,
replacing the original files.
3 Install a certificate on each remote Collector:
a. Navigate to <Skybox_Home>/collector/conf
b. Do one of the following to install a new certificate in this location:

Note: Use <Skybox_Home>/collector/conf for the whole procedure;
do not use <Skybox_Home>/server/conf.

— Generate and install a certificate using the Java keytool (on page 55)
— Install a certificate created using a different tool (on page 57)
4 Restart the Server, all Collectors (local and remote), and the Manager.
Certificates for Google Chrome
From version 65, Google Chrome enforces the existence of the SAN (Subject
Alternative Name) attribute in server certificates. By default, Skybox certificates
do not include this attribute. For Skybox users to connect via Google Chrome,
regenerate your certificates to include the attribute (or include it when
generating a new certificate).
Generating and installing a certificate using the Java keytool
This section explains how to generate and install a certificate using the Java
keytool.

To generate and install a certificate for Skybox


1 Connect to the server as the skyboxview user.
2 Navigate to <Skybox_Home>/server/conf

Important: Work in this directory only; all commands use relative paths.
3 Back up the following files:
• server.keystore
• cacerts_customer.keystore


4 Create a new key by running the following command.


• Replace each instance of the term <string> in the command with the
relevant text.
• In this step and all subsequent steps, replace <version#> with the JDK
version (for example, 1.8.0_152d).
• The keysize value and algorithm number (-sigalg) may vary.
Unless your users are working with Google Chrome, use this command to
create the new key:
../../thirdparty/jdk<version#>/bin/keytool -genkey -keyalg rsa -keysize 2048 -sigalg SHA256withRSA -dname "CN=<string>, OU=<string>, O=<string>, L=<string>, S=<string>, C=<string>" -alias <mykey> -keypass skyboxview -keystore server.keystore -storepass skyboxview -validity 365

Google Chrome requires an additional attribute in this command. If your users
are working with Google Chrome, use this command in place of the previous
one:
../../thirdparty/jdk<version#>/bin/keytool -genkey -keyalg rsa -keysize 2048 -sigalg SHA256withRSA -dname "CN=<string>, OU=<string>, O=<string>, L=<string>, S=<string>, C=<string>" -alias <mykey> -keypass skyboxview -keystore server.keystore -storepass skyboxview -validity 365 -ext san=dns:<website>

5 Review the server.keystore file to confirm that the key was successfully
added:
../../thirdparty/jdk<version#>/bin/keytool -list -v -keystore server.keystore -storepass skyboxview

The relevant information appears under the alias <mykey>.

6 Generate the certificate request file, making sure that the alias is the same as
in step 4.
Unless your users are working with Google Chrome version 65 or higher, use
this command to generate the certificate request:
../../thirdparty/jdk<version#>/bin/keytool -certreq -file <file name> -alias <mykey> -keystore server.keystore -storepass skyboxview

Google Chrome versions 65 and higher require an additional attribute in this
command. If your users are working with Google Chrome version 65 or
higher, use this command in place of the previous one:
../../thirdparty/jdk<version#>/bin/keytool -certreq -file <file name> -alias <mykey> -keystore server.keystore -storepass skyboxview -ext san=dns:<website>

7 Using the generated request file, follow the internal certificate request
procedure to sign and receive the certificate. Make sure that the certificate
format is PEM, Base64 encoded.
8 Add the CA root certificate to the keystore:
../../thirdparty/jdk<version#>/bin/keytool -import -alias root -file <CA root certificate file> -keystore server.keystore -storepass skyboxview

9 Add the intermediate certificate to server.keystore:
../../thirdparty/jdk<version#>/bin/keytool -import -alias inter -file <intermediate certificate file> -keystore server.keystore -storepass skyboxview

10 Install the CA signed certificate in the keystore. Make sure that the alias is the
same as in step 4:
../../thirdparty/jdk<version#>/bin/keytool -import -alias <mykey> -file <certificate file> -keystore server.keystore -storepass skyboxview

11 Delete the predefined key:
../../thirdparty/jdk<version#>/bin/keytool -delete -alias <skyboxkey> -keystore server.keystore -storepass skyboxview

12 Add the CA root certificate to your cacerts keystore:
../../thirdparty/jdk<version#>/bin/keytool -import -alias root -file <CA root certificate file> -keystore cacerts_customer.keystore -storepass skyboxview

13 Add the intermediate certificate to your cacerts keystore:
../../thirdparty/jdk<version#>/bin/keytool -import -alias inter -file <intermediate certificate file> -keystore cacerts_customer.keystore -storepass skyboxview

Installing a certificate created using a different tool


The following instructions explain how to install a certificate when your
organization generated the private key, certificate request, and server certificate
using a tool other than Java keytool.
The following file names are used for convenience:
• Server certificate: server.crt
• Private key: private.key
• Intermediate CA certificate: intermediate.crt
• Root CA certificate: root.crt

Note: Make sure that the certificate format is PEM, Base64 encoded.

When referring to the JDK (in steps 8, 9, and 10), replace <version#> with the
JDK version, such as 1.8.0_152d.

To install a certificate you created using a different tool


1 Connect via SSH to the Skybox server.
2 Navigate to <Skybox_Home>/server/conf

Important: Work in this directory only; all commands use relative paths.
3 Back up the following files:
• server.keystore
• cacerts_customer.keystore
4 Move your root CA certificate, intermediate CA certificate, server certificate,
and private key to <Skybox_Home>/server/conf

5 When using an intermediate CA certificate, concatenate the root CA certificate
and intermediate CA certificate into a single chain file:
cat intermediate.crt root.crt > chain.pem

6 Create a P12 file from the server certificate, private key and chain files:
a. Enter the command:
openssl pkcs12 -export -in server.crt -inkey private.key -chain -CAfile chain.pem -name "<alias>" -out skybox.p12

<alias> is the name for the P12 file.

Note: If you are not using an intermediate CA certificate, then -CAfile takes the
root CA certificate file and not the chain.pem file.

b. When requested to enter the passphrase for the private key, use the
passphrase that you used when creating the key.
c. When requested to enter and verify the export password, use skyboxview

Important: Do not use a different password.

A file named skybox.p12 is created.
7 Enter the following command to import the server certificate, the private key,
and the intermediate and root CA certificates.
../../thirdparty/jdk<version#>/bin/keytool -importkeystore -destkeystore server.keystore -srckeystore skybox.p12 -srcstoretype PKCS12

• When prompted, enter the destination keystore and source keystore
passwords. Both passwords are skyboxview.
8 Review server.keystore to confirm that the certificate request was
successfully added:
../../thirdparty/jdk<version#>/bin/keytool -list -v -keystore server.keystore -storepass skyboxview

You should see 2 entries—an entry for the chain you just imported and
another entry with the default skybox predefined key.
9 Delete the Skybox predefined key:
../../thirdparty/jdk<version#>/bin/keytool -delete -alias skyboxkey -keystore server.keystore -storepass skyboxview

10 Add the CA root certificate to your cacerts keystore:
../../thirdparty/jdk<version#>/bin/keytool -import -alias root -file root.crt -keystore cacerts_customer.keystore -storepass skyboxview

11 Add the intermediate certificate to your cacerts keystore:
../../thirdparty/jdk<version#>/bin/keytool -import -alias inter -file intermediate.crt -keystore cacerts_customer.keystore -storepass skyboxview
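
The checks below are an added example, not part of the Skybox guide: run before step 6, they confirm that the certificates are PEM, that private.key belongs to server.crt, and that server.crt chains to root.crt (through intermediate.crt when present). The function names and the KEY_PASS variable are assumptions of this example; only standard openssl subcommands are used.

```bash
#!/bin/sh
# Pre-flight checks for the certificate files named in the procedure above.
# Added example: function names are hypothetical and not part of Skybox.
# If private.key is passphrase-protected, export KEY_PASS before running.

# True if FILE is a PEM (Base64) X.509 certificate, as the Note requires.
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        openssl x509 -in "$1" -noout 2>/dev/null
}

# True if private key KEY ($2) belongs to certificate CERT ($1): the public
# key derived from KEY must equal the public key embedded in CERT.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout \
        ${KEY_PASS:+-passin env:KEY_PASS} 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if SERVER ($1) chains to ROOT ($2), through INTERMEDIATE ($3) when one
# is given. The output is checked because old openssl builds exit 0 on failure.
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>/dev/null | grep -q ': OK$'
    else
        openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
    fi
}

# Run every check against the files in DIR (default: current directory).
# Returns 0 only if the files are consistent enough to build skybox.p12.
preflight() {
    local dir rc inter f
    dir="${1:-.}"; rc=0; inter=""
    for f in server.crt root.crt; do
        is_pem_cert "$dir/$f" || { echo "FAIL: $f is not a PEM certificate"; rc=1; }
    done
    if [ -e "$dir/intermediate.crt" ]; then
        inter="$dir/intermediate.crt"
        is_pem_cert "$inter" ||
            { echo "FAIL: intermediate.crt is not a PEM certificate"; rc=1; }
    fi
    key_matches_cert "$dir/server.crt" "$dir/private.key" ||
        { echo "FAIL: private.key does not match server.crt"; rc=1; }
    chain_verifies "$dir/server.crt" "$dir/root.crt" "$inter" ||
        { echo "FAIL: server.crt does not chain to root.crt"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: certificate files are consistent"
    return "$rc"
}

# Run the checks only when asked to: sh preflight.sh check [DIR]
if [ "${1:-}" = "check" ]; then
    preflight "${2:-.}"
    exit $?
fi
```

A mismatched key or an incomplete chain otherwise surfaces only as an openssl or keytool error in step 6 or 7, or as a TLS failure after the predefined key has been deleted.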

Separate web servers for Change Manager


If your organization has separate web servers for Change Manager (not the main
server running the database), import the root CA certificate to
cacerts_customer.keystore on each web server.
You can check whether there are separate web servers for Change Manager by
checking the web_remote_skybox_server property in
<Skybox_Home>\server\conf\sb_server.properties
A value of anything other than 127.0.0.1 (localhost) means that separate web
servers are used for Change Manager.

Viewing certificates

To view the content of a certificate


1 Go to <Skybox_Home>\thirdparty\jdk<version#>\bin
2 Run the command:
keytool.exe -v -list -keystore ..\..\..\server\conf\client.keystore -keypass skyboxview

Changing the default password of the keystore


You must change the default password of the keystore after installation, before
starting the Skybox Server.

To change the default keystore password after installation


Note: Throughout this procedure, replace <version#> with the JDK version (for
example, 1.8.0_152d).

1 Move to the directory containing the files:
cd /opt/skyboxview/server/conf/
2 Execute the command:
../../thirdparty/<version#>/bin/keytool -keypasswd -keystore server.keystore -alias <skyboxkey>

Note: If the Change certificate procedure was done before this procedure,
change the alias to <mykey>.

3 Enter the keystore password: (skyboxview).
4 Enter a new key password for <skyboxkey>.
5 Execute the command:
../../thirdparty/<version#>/bin/keytool -storepasswd -keystore server.keystore
6 Enter the keystore password: (skyboxview).
7 Enter a new key password for <skyboxkey>.
8 Modify secret.keyStorePassword in
<Skybox_Home>/server/conf/sb_common.properties
9 Start the Skybox Server.

Replacing basic authentication for Web Client users


For users of Skybox Web Client, you can replace basic authentication with
client-side authentication.

To replace basic authentication with client-side authentication


1 Generate a client-side certificate according to your organization’s guidelines.
2 Install the certificate in each web browser that will be used for the Skybox
Web Client.
3 Set the value of client_cert in
<Skybox_Home>\server\conf\sb_server.properties to true.
Now, each user who connects to Skybox Web Client must select the certificate to
use each time that they log in.

MUTUAL AUTHENTICATION BETWEEN SKYBOX SERVERS AND COLLECTORS
Skybox provides an encrypted shared key (collector_pre_shared_text) for
mutual authentication between the Skybox Server and any Skybox Collectors.
The key is stored in:

› (Server) <Skybox_Home>\server\conf\sb_common.properties
› (Collector) <Skybox_Home>\collector\conf\sb_common.properties

To change the key value


1 Change the value of collector_pre_shared_text in the
sb_common.properties file in the Server and in each Collector. Use the same
clear text string in each one.
2 Restart the Server and each Collector to encrypt the key in each one.
A random value is used to encrypt the shared key. This value is sent along with
the authentication request to be used for decryption. If the key sent does not
match the stored key, authentication fails.

ENCRYPTION
XML files and secret properties are encrypted for security reasons.

XML encryption
By default, when you back up a model to an XML file, the XML file is encrypted as
an XMLX file as a security precaution. (To back up the model, select File >
Models > Save. For additional information, see Backing up the model (on page
83).)

To enable or disable file encryption when backing up a model to an XML file

› Set the value of encrypt_xml_files in
<Skybox_Home>\server\conf\sb_server.properties to true
(recommended) or false.

USING FIPS MODE


In specific circumstances (for example, if you are a US government employee)
you might be required to work in FIPS (Federal Information Processing
Standards) mode.
Using FIPS mode has the following limitations:

› Old models saved in Skybox running in non-FIPS mode cannot be imported
into Skybox running in FIPS mode (because they were encrypted using
non-approved cryptographic ciphers).
This means that there is no way to migrate directly from a non-FIPS mode
installation.

› After Skybox is installed in a certain mode (FIPS or not FIPS), there is no way
to switch between them, even during upgrades.
› If your organization uses self-signed certificates (cacerts), add the CA to
thirdparty/jdk*/jre/lib/security/cacerts again after each major
upgrade.
› Elasticsearch is automatically disabled.

LIMITING LOGIN ATTEMPTS


By default, after 3 failed login attempts by a Skybox user, their account is locked
for 30 seconds. This limits the possibility of a non-user hacking into an account.
You can change the number of failed attempts and the time for which the
account is locked by modifying the values of elapsed_lock_milliseconds and
retry_allowed in <Skybox_Home>\server\conf\sb_server.properties.

Unlocking a locked user


An administrator can unlock a locked user.

Locked users are shown as in the Locked column of the list of users.

To unlock a user before the defined lockout time is reached

› In Skybox – Admin, right-click the user in the Table pane and select Unlock.

SECURITY CHECK: LAST LOGIN MESSAGE


During the login process, Skybox Manager displays the date and time of the most
recent successful login using your user name. For security reasons, check the
date and time of this login to verify that the most recent use of your user name
is legitimate.
Note: The same message (“Welcome <user name>, your last login was at
<date> <time>”) is displayed in the status bar at the bottom of the Skybox
Manager window.

CUSTOMIZABLE LOGIN WARNING MESSAGES


You can add a customized warning message to the login screen. All users who
log in to Skybox see the message.

To add a warning message to the login page

› Set login_warning_banner in
<Skybox_Home>\server\conf\sb_server.properties to the required text.
Skybox adds <html> and </html> tags to this text; you can add other HTML
tags.

USER SESSION TIMEOUT


User sessions (in Skybox Manager and in Skybox Web Client) automatically time
out after a period of inactivity.
By default, user sessions time out after 30 minutes. You can change the timeout
by changing the value of client_session_timeout in
<Skybox_Home>\server\conf\sb_server.properties

› A value of -1 disables the timeout feature.

Note: After logging in again, the user’s previous point of reference in Skybox is
restored.
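
The script below is an added example, not a Skybox tool: it audits the security-related sb_server.properties keys named in this chapter and flags settings weaker than the documented defaults. The function names, the MAX_RETRIES and MIN_LOCK_MS thresholds, and the treatment of an absent key as "default applies" are assumptions of this example.

```bash
#!/bin/sh
# Audit of the security-related properties that this chapter places in
# <Skybox_Home>/server/conf/sb_server.properties.
# Added example, not a Skybox tool. The baselines are the chapter's documented
# defaults (3 failed attempts, 30 seconds); using them as thresholds is an
# assumption of this example.
MAX_RETRIES="${MAX_RETRIES:-3}"
MIN_LOCK_MS="${MIN_LOCK_MS:-30000}"

# Print the value of KEY ($2) in FILE ($1). Accepts "key=value" and
# "key: value"; the last definition wins. Prints nothing if the key is
# absent or commented out.
prop_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" |
        tail -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# True if the argument is a non-empty string of digits.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print one WARN or INFO line per finding. Exit status: 0 if no WARN line,
# 1 if at least one WARN line, 2 if the file cannot be read.
audit_server_properties() {
    local file warn v
    file="$1"; warn=0
    [ -r "$file" ] || { echo "ERROR cannot read $file"; return 2; }

    v=$(lower "$(prop_get "$file" encrypt_xml_files)")
    if [ "$v" = "false" ]; then
        echo "WARN encrypt_xml_files=false: model backups are saved as unencrypted XML"
        warn=$((warn + 1))
    fi

    v=$(prop_get "$file" client_session_timeout)
    if [ "$v" = "-1" ]; then
        echo "WARN client_session_timeout=-1: idle sessions never time out"
        warn=$((warn + 1))
    fi

    v=$(prop_get "$file" retry_allowed)
    if is_uint "$v" && [ "$v" -gt "$MAX_RETRIES" ]; then
        echo "WARN retry_allowed=$v: more failed logins allowed than the baseline of $MAX_RETRIES"
        warn=$((warn + 1))
    fi

    v=$(prop_get "$file" elapsed_lock_milliseconds)
    if is_uint "$v" && [ "$v" -lt "$MIN_LOCK_MS" ]; then
        echo "WARN elapsed_lock_milliseconds=$v: lockout shorter than the baseline of $MIN_LOCK_MS ms"
        warn=$((warn + 1))
    fi

    v=$(lower "$(prop_get "$file" client_cert)")
    [ "$v" = "true" ] ||
        echo "INFO client_cert is not true: Web Client logins use basic authentication"

    v=$(prop_get "$file" web_remote_skybox_server)
    if [ -n "$v" ] && [ "$v" != "127.0.0.1" ]; then
        echo "INFO web_remote_skybox_server=$v: separate Change Manager web servers need the root CA in cacerts_customer.keystore"
    fi

    [ "$warn" -eq 0 ]
}

# Run the audit only when asked to: sh audit.sh check FILE
if [ "${1:-}" = "check" ]; then
    audit_server_properties "$2"
    exit $?
fi
```

The audit reads the file only; after changing a property, restart the Skybox Server as the chapter's procedures describe and run the audit again.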

Part II: Administration
This part includes topics of interest to system administrators, including user
management, product security, and ticket setup and configuration.
Chapter 15

User management
Skybox is a multi-user system. There is a predefined Admin (skyboxview).
After installation, this user can add additional users with different roles.
This chapter explains the different user roles, how to manage users in Skybox
and externally, and how to work with external authentication systems.
Note: Only Admins can manage Skybox users. However, every user who has
access to Skybox and who authenticates using the Skybox login mechanism can
change their own password by selecting File > Change My Password.

In this chapter
User roles
Managing users and user groups
Working with external authentication systems
Managing users externally using LDAP
Changing the password for database clients

USER ROLES
The predefined user roles in Skybox are described in the following table.
Role | Description
Admin | Admins have permissions for all actions, including those that regular users do not.
Admin – Users | Same as Admin but functionality is limited to user administration only.
Admin – Operational | Same as Admin but functionality is limited to everything except user administration.
Admin – Vulnerability Control | Same as Admin but Skybox access is limited to Vulnerability Control and Threat Manager.
Admin – Assurance | Same as Admin but Skybox access is limited to Firewall Assurance, Change Manager, and Network Assurance.
User | Users have permissions for all actions except administrative tasks (for example, user management and model building). Users can access all Skybox products.
User – Vulnerability Control | Same as User but Skybox access is limited to Vulnerability Control and Threat Manager.
User – Assurance | Same as User but Skybox access is limited to Firewall Assurance, Change Manager, and Network Assurance.
Read-only User | Read-only Users can view the model, but they cannot make changes to model entities. They have permissions for all activities required for managing tickets, including using and creating private analyses for displaying tickets. Read-only Users can be given access to any combination of Skybox products.
Read-only User – Vulnerability Control | Same as Read-only User but Skybox access is limited to Vulnerability Control and Threat Manager.
Read-only User – Assurance | Same as Read-only User but Skybox access is limited to Firewall Assurance, Change Manager, and Network Assurance.
Ticket User | Ticket Users can manage tickets and view (but not generate) reports. This role is for Vulnerability Control and Threat Manager; it cannot be used for Change Manager.
Web Ticket User | Web Ticket Users can log in to Change Manager, where they can manage tickets. They cannot log in to Skybox Manager. This role is for Change Manager.
Web Ticket Requestor | Web Ticket Requestors can create tickets (that is, submit change requests) in Change Manager and close tickets that they created. This role is for Change Manager.
Recipient | Recipients can receive tickets, alerts, and reports. They cannot log in to Skybox or access any other Skybox features.

For information about user roles in Change Manager, see User roles in the
Skybox Change Manager User Guide.

Administrative users
The features and entities that each type of Admin can manage (create, modify,
delete, and read) are listed in the following table. Additional clarification is
provided after the table.
User role / Admin Admin – Admin – Admin – Admin –
Feature or Entity Users Operations Vul Control Assurance
Administration

Users, user groups,   No  (See note)  (See note)


and user roles
Triggers  No   

System logs (read-  No   


only)
Tools > Options >  No   
Server Options

Model instances  No   
(Live, What If,
Forensics)
Vulnerability Control and Threat Manager related entities
Business Impact  No   No
Types
Regulations  No   No
Threat Alert Ticket  No   No
Policies
Vulnerability  No   No
Occurrence Ticket
Policies
Firewall Assurance and Network Assurance related entities
Rule Review Policies  No  No 

Rule Recertification  No  No 
Ticket Policies
Operational Console
Collection tasks  No   

Other tasks  No   

Collectors  No   

Reports and analyses


Reports – public and  No   
private
Ticket analyses –  No   
public and private
Vulnerability Control  No   No
and Threat Manager
analyses – public
and private
Firewall Assurance  No  No 
and Network
Assurance analyses
Model analyses  No   

Other
Skybox Horizon  No

Admins can also manage all entities that can be managed by the corresponding
user-type role. For example, Admin – Assure users can manage all entities that
can be managed by User – Assure users.

Notes

› Admin – Vulnerability Control users can only create users with the
following roles:
• Admin – Vulnerability Control
• User – Vulnerability Control
• Read-only User – Vulnerability Control
• Recipient

› Admin – Assure users can only create users with the following roles:
• Admin – Assure
• User – Assure
• Read-only User – Assure
• Recipient
• Custom user roles

› System logs are created automatically and can be viewed by the specified
Admins.

Users
The features and entities that are available to each type of User user role are
listed in the following table. The table also specifies whether the user can
manage (create, modify, delete, and read) them or only read them.
User role/ User User – User –
Feature or Entity Vul Control Assurance
Tools

Network Map   

Firewall Map  

Access Analyzer   

Attack Explorer   No
Tools > Options >   
Manager Options
Workspaces
Vulnerability Control and   No
Threat Manager
Firewall Assurance and  No 
Network Assurance
Model workspace   

Reports, tickets, and analyses


Public reports Generate Generate Generate
Private reports   

Tickets   

Public ticket analyses Read only Read only Read only


Private ticket analyses   

Vulnerability Control and Read only Read only No


Threat Manager public

analyses

Vulnerability Control and   No


Threat Manager public
analyses
Firewall Assurance and  No 
Network Assurance
analyses
Model analyses Read only Read only Read only
Operational Console
Collectors Read only Read only Read only
Collection tasks Read only Read only Read only
Analysis tasks   

CSV export and report   


generation tasks
Ticket generation tasks   

XML Vulnerability   No
Occurrence export tasks
Vulnerability Control and Threat Manager related entities
Deployed products   No
Business units and   No
Business Asset Groups
Threat Origins   No
Firewall Assurance and Network Assurance related entities
Exceptions  

Policy management Edit, export, Edit, export,


(access, rule, and import import
configuration policies)
Application & Service  
repository

Read-only users
The features and entities that are available to each type of Read-only User user
are listed in the following table. A  means that the user can manage (create,
modify, delete, and read) them.

Note: Read-only users have no access to the Operational Console.


User role/ User User – User –
Feature or Entity Vul Control Assurance
Tools
Network Map   
Firewall Map   

Access Analyzer   
Attack Explorer No No No
Tools > Options >   
Manager Options
Workspaces
Vulnerability Control and   No
Threat Manager
workspaces
Firewall Assurance and  No 
Network Assurance
workspaces
Model workspace   
Reports, tickets, and analyses
Reports – Public Can see properties as read only Can see properties as read only Can see properties as read only
Reports – Private   
Tickets Create manually (for Vulnerability Control only) Create manually Read only
Ticket analyses – Public Read only Read only Read only
Ticket analyses – Private   
Vulnerability Control and Read only Read only No
Threat Manager Public
analyses
Vulnerability Control and   No
Threat Manager Private
analyses
Firewall Assurance and  No 
Network Assurance
analyses
Model analyses Read only Read only Read only
Other / Miscellaneous
Sending packlogs   
Firewall Assurance and Network Assurance related entities
Exceptions Read only No Read only
Access Policies, Rule Read only No Read only
Policies, Configuration
Policies
Application & Service Read only No Read only

repository

Vulnerability Control and Threat Manager related entities


Business Units and Read only Read only No
Business Asset Groups
Threat Origins Read only Read only No

Custom user roles


Skybox provides the ability to create custom user roles based on existing user
roles.

› For Firewall Assurance and Network Assurance, you can adjust the
permissions for the following features to suit the needs of your organization.
• Exceptions: Full access or view only
• Analyses: Full access or view only
• Rule Policies: Full access or view only
• Access Policies: Full access or view only
• Configuration Policies: Full access or view only
• Configuration files: View only or no access
• Operational Console: Full access, view only, or no access
— Permitted tasks: For any user role with full or viewing access to the
Operational Console, you can select the Skybox tasks that the role is
permitted to run
Users with full access can also edit these tasks
• Reports: Full access, view only, or no access

Note: Because there are permissions for other features that are not
included in the customization, we recommend that you start with the
existing user role that is closest to the role that you are creating.

› For Vulnerability Control, you can create a role based on Read Only User –
Vulnerability Control and adjust the permissions for reports (full access,
view only, or no access).
› For Change Manager, you can create a role based on Web Ticket User and
specify the tickets that users of this role can view (tickets assigned to
themselves, to their group, or to anyone).

To create a custom user role


1 From the Tools menu, select Administrative Tools > User Roles.

2 In the Admin window, click .


3 Provide a name and description for the role.

4 Select a template.
Select the user role that most closely describes the permissions that this new
role is to have.
5 Adjust the permissions.

MANAGING USERS AND USER GROUPS


You view and manage users and user groups in the Users folder in the Skybox
Admin window.

To open the Admin window

› Select Tools > Administrative Tools > Users.


You can create users and user groups, and you can edit existing users. You can
disable and enable users.

Default user
Skybox includes a predefined Admin named skyboxview. This user cannot be
disabled or deleted, and its user name and role cannot be changed. However,
you can change its password and other user information.

External user management


Usually, users must be explicitly registered in Skybox, but you can have LDAP
users work with Skybox without registering them (see Managing users externally
using LDAP (on page 79)).

User groups
Skybox supports groups for users, so that you can group users in any way that is
convenient for your organization.
The user group All Users is a predefined group that includes all defined users; it
cannot be modified or deleted.

To create a user group

› Right-click the Users node in the Admin tree and select New Group.
The properties of user groups are described in the following table.
Property | Description
General
Group Name | A name for this user group.
Assign to LDAP Group | The field is displayed only if LDAP authentication is enabled (see page 79). If users are managed using LDAP, specifies the name of the LDAP group or groups to match to the Skybox user group. Specify the LDAP group name or use a comma-separated list. You can use * as a wildcard in the group names. Use Any rather than specifying a specific group name if the group is intended for all LDAP-managed users. See also Setting up Skybox user groups for LDAP users (on page 79).
Default Role | This field is displayed only if LDAP authentication is enabled (see page 79). If users are managed using LDAP, specifies the Skybox role for those users. Note: If LDAP users belong to multiple Skybox groups, the highest default role is used.
Group Members | The users who are members of the group.
Default Member | If a ticket is promoted to the user group, Skybox assigns it to the selected user.
User Comments | Information to be listed next to the User Group name when the Users node is selected in the workspace.
VC Permissions | Note: This tab is displayed only if permissions are enabled in Tools > Options > User Settings > User Permissions.
Filter By | Specifies whether to provide permissions for Skybox Vulnerability Control based on Business Units or locations.
(Permission) | Each permission consists of:
• Type: Business Unit or Location
• Entity Name: The name of the Business Unit or location
• Path: The path of the Business Unit or location in the tree
FA Permissions | Note: This tab is displayed only if permissions are enabled in Tools > Options > User Settings > User Permissions.
(Permission) | Each permission consists of:
• Entity Name: The name of the firewall folder
• Path: The path of the firewall folder in the tree
NA Permissions | Note: This tab is displayed only if permissions are enabled in Tools > Options > User Settings > User Permissions.
(Permission) | Each permission consists of:
• Entity Name: The name of the location, network, or asset
• Path: The path of the entity in the tree
CM Permissions | Used to set permissions for the user group for phases in workflows. Non-Admin users in user groups can only work with tickets in phases for which they have permissions. Note: This tab is displayed only if permissions are enabled in Tools > Options > User Settings > User Permissions.
(Permission) | Each permission consists of a workflow or a specific phase in a workflow.

To add a user to a user group

› To add a user to a group, right-click the group in the tree and select New
User.
› To add users to a group, select the users, right-click, and then select Add to
User Group.
› To add a user to a group, right-click the group in the tree, select Properties,
click the Browse button next to the Group Members field, and then select
the desired user.

To change the properties of a user group

› Right-click the group in the tree and select Properties.


You can rename the group, change the comment, or change the group’s
permissions (see page 76) in Firewall Assurance, Vulnerability Control, and
Change Manager if permissions are enabled.

To delete a user group

› Right-click the group in the tree and select Delete.


Users who were members of the group can be accessed in the All Users
group.

Users
All users are members of the All Users group, even if you create them as
members of other groups. A user can belong to many user groups.

To create a user

› In the Admin tree, right-click the user group in which to create the user and
select New User.
The properties of users are described in the following table.
Property | Description
Externally Managed | This field is displayed only if LDAP authentication is enabled (see page 79). Specifies whether this user is managed using LDAP. Note: Users who are managed in LDAP are added to the Skybox user table on their 1st login. Their properties are updated every time that they log in to Skybox.
User Name | The name this user must use when logging in to Skybox. This value identifies the user in Skybox and is used, for example, to assign ticket owners or to assign recipients of alerts or reports. Note: For users who are authenticated using SiteMinder or LDAP, type the user name for the external authentication system.
Role | Sets the user permissions in Skybox (see User roles (on page 64)).
First Name | User first name.
Last Name | User last name.
Authentication Method | The method to use for authenticating this user (Skybox, LDAP, RADIUS, or SiteMinder). Note: This field is enabled only if an external authentication system is enabled (Tools > Options > Server Options > User Settings > Authentication). For additional information, see Working with external authentication systems (on page 78).
Password | The password this user must use when logging in to Skybox. The password must contain at least 8 characters, including:
• At least 1 uppercase letter
• At least 1 lowercase letter
• At least 1 digit
• At least 1 non-alphanumeric symbol
The password must not contain the user name and it must not contain 5 or more characters that match the previous password.
Note: This field is disabled for users with non-Skybox authentication and for Recipients.
Confirm Password | Confirmation of the password.
Password Never Expires | Specifies whether the user can always log in with the same password.
Password Expiration Date (Read-only) | User passwords expire 60 days after the 1st login using that password. The next time the user logs in after password expiration, they must change the password. Expiration dates are not displayed for users whose passwords are marked as Password Never Expires or for users who are externally authenticated.
Email | An email address for the user. Note: If you do not provide an email address for the user and Skybox tries to send the user a report or an alert, the report or alert is not sent, and a message is written to the debug and server logs.
Department | The user’s department in your organization.
Phone # | A phone number where the user can be reached.
Last Login | The most recent time that the user logged in to Skybox.
User Groups | The user groups of which this user is a member.
User Comments | Additional information about the user.
VC Permissions | Note: This tab is displayed only if user permissions are enabled.
Filter By | Specifies whether to provide permissions for Skybox Vulnerability Control based on Business Units or locations.
(Permission) | Each permission consists of:
• Type: Location or Business Unit
• Entity Name: The name of the Business Unit or location
• Path: The path of the location or Business Unit in the tree
• Group Permissions: (Read-only) The name of the user groups from which the user gets this permission
FA Permissions | Note: This tab is displayed only if user permissions are enabled.
(Permission) | Each permission consists of:
• Entity Name: The name of the firewall folder
• Path: The path of the firewall folder in the tree
• Group Permissions: (Read-only) The name of the user groups from which the user gets this permission
NA Permissions | Note: This tab is displayed only if user permissions are enabled.
(Permission) | Each permission consists of:
• Entity Name: The name of the location, network, or asset
• Path: The path of the entity in the tree
• Group Permissions: (Read-only) The name of the user groups from which the user gets this permission
CM Permissions | Used to set permissions for the user for phases in workflows. Non-Admin users can only work with tickets in phases for which they have permissions. Note: This tab is displayed only if permissions for Change Manager are enabled in Tools > Options > User Settings > User Permissions.
(Permission) | Each permission consists of:
• Phase: The phase of the workflow. For Web Ticket Requestors, no phases are selected; the permission is for the first and last phase of the selected workflow.
• Workflow: The name of the workflow
• Group Permissions: (Read-only) If the permission was assigned to a user group and not directly to the user, the name of the user group from which this permission was inherited

To update the properties of a user

› Right-click the user in the Table pane and select Properties.


You cannot rename users, but you can change all other user properties.

To add users to a user group

› Select the users, right-click, and select Add to User Group.

To disable or enable a user

› Right-click the user name and select Disable or Enable.


A disabled user cannot log in to Skybox and does not receive any Skybox
emails (alerts or reports). Disabling a user has no effect on their tickets or on
policies that the user owns; they are not reassigned to different users.

To delete a user

› Right-click the user in the Table pane and select Delete.


If the user owns tickets or policies, select a new owner.

To change a user password

› Right-click the user in the Table pane and select Change Password.
The user can use their current password for the next login but is asked to
change the password as part of the login process.
Note: You can only change passwords of users who are authenticated and
managed internally.

Permissions
Note: Permissions are available for Firewall Assurance, Network Assurance,
Vulnerability Control, and Change Manager; permissions for Firewall Assurance,
Network Assurance, and Vulnerability Control are disabled by default.
After permissions are enabled (see page 132), Admins can specify permissions
for each user group and for each user. We recommend that you specify
group-wide permissions on user groups, and specific permissions only on users who
require separate permissions or are not part of a group.

› Firewall Assurance users can view firewall folders (and their firewalls) in the
Firewall Assurance tree according to their permissions and the permissions
specified for the groups to which they belong.
› Network Assurance users can view locations, networks, and assets in the
Network Assurance tree according to their permissions and the permissions
specified for the groups to which they belong.
› Vulnerability Control users can view Business Units and locations (and their
subentities) according to their permissions and the permissions specified for
the groups to which they belong:
• The Exposure tree is filtered to include only the attacks and exposed
vulnerability occurrences related to the user’s permitted Business Units.
• Analysis views are filtered to list only permitted entities.
• In Access Analyzer queries, users can select the source and destination
from their permitted locations and Business Units only. The query results
are filtered to display only entities from their permitted locations and
Business Units.
• The security metrics tree is filtered to include only the user’s permitted
Business Units.

› Change Manager users can edit tickets (change requests) in specific ticket
workflows and phases according to their permissions and the permissions
specified for the groups to which they belong.

Chapter 15 User management

› Change Manager Ticket Requestor users can edit their own tickets in the
first and last phases only.

Enabling and disabling permissions

To enable or disable permissions


1 From the Tools menu, select Options > Server Options > User Settings >
User Permissions.
2 Select the required permissions:
• Permissions for Firewall Assurance, Network Assurance (Access
Analyzer) & Vulnerability Control
• Permissions for Change Manager

Managing permissions
After permissions are enabled, specify them for each user or user group.
If no permissions are specified for a user or any of that user’s groups, the user
cannot:

› View any firewall folders (in Firewall Assurance)


› View any Business Units or locations (in Vulnerability Control)
› View or edit any Change Request tickets (in Change Manager)

Note: Admins have full permissions for all entities; no configuration is required.

To specify permissions for a user or user group


1 Right-click the user or group in the Admin tree and select Permissions.
2 Specify the permissions for the user or group:
• In the VC Permissions tab, specify the Business Units and locations that
this user or group can view.
• In the FA Permissions tab, specify the firewall folders that this user or
group can view.
• In the NA Permissions tab, specify the locations, networks, and assets
that this user or group can view.
• In the CM Permissions tab, specify the workflow phases (of Access
Change tickets) that this user or group can edit or view.

Unlocking a locked user


Local users who try unsuccessfully to log in get locked out after 3 attempts.

Locked users are indicated in the Locked column of the list of users.
An administrator can unlock a locked user before the defined lockout time is
reached.

To unlock a user

› Right-click the user in the Table pane and select Unlock.

Disabling and deleting inactive user accounts


Skybox provides an option to automatically disable users who are inactive for a
specified period and then delete them from Skybox after an additional period.
The option is disabled by default.

To disable users automatically


1 From the Tools menu, select Options > Server Options > User Settings >
Disabling Inactive Users.
2 Define the period after which inactive users are disabled, and the period after
which users who have remained inactive are deleted from Skybox.
3 Specify the user to receive all tickets belonging to users who were disabled or
deleted.

WORKING WITH EXTERNAL AUTHENTICATION SYSTEMS


By default, the Skybox internal authentication mechanism authenticates users,
but you can set up Skybox to work with the following external authentication
systems:

› LDAP, including Microsoft Active Directory


› RADIUS
› CA SiteMinder®
› SAML 2.0 (for SSO to Skybox Web Client)
When Skybox is integrated with these systems, their users log in to Skybox using
their SiteMinder, RADIUS, SSO, or LDAP user name and password, and the
external system authenticates them. All other user management (for example,
setting up user groups and permissions) is done either in Skybox or using an
external user management system (which is separate from the external
authentication system).
Note: You can use a mixed authentication mode—some users authenticate
against Skybox and others authenticate against an external system. The
skyboxview user can only log in to Skybox using Skybox authentication.

To set up Skybox to use external authentication (except SSO)


1 Navigate to Tools > Options > Server Options > User Settings >
Authentication.
2 Select Support External Authentication and then select the external
authentication to use.
3 Fill in the fields as described in Authentication (on page 124).

To set up Skybox to use SSO authentication


1 Navigate to Tools > Options > Server Options > User Settings > Single
Sign-On (SSO).
2 Fill in the fields as described in Single Sign-On (on page 130).

Handling expired passwords


If a user who is authenticated in an external system tries to log in to the Skybox
web interface with an expired password (or using a locked account), Skybox can
display a message specifying what happened and a link to the appropriate URL.
To add a link, modify the following properties in
<Skybox_Home>\server\conf\sb_server.properties:

› webapp_login_expired_message_link=
› webapp_login_expired_message_label=Account Management
If you add a value for the link, webapp_login_expired_message_label is
displayed and points to webapp_login_expired_message_link.

MANAGING USERS EXTERNALLY USING LDAP


You can enable LDAP users to log in to Skybox. Skybox supports Active Directory
2003 and higher, as well as generic LDAP servers. Multiple servers can be
configured to support multiple domains.

To integrate an external user management system with Skybox


1 Enable user management using LDAP (see page 79).
2 Set up Skybox user groups for the LDAP users (see page 79).
These user groups define the role of the LDAP users in Skybox.

Enabling user management using LDAP

To enable user management using LDAP


1 Navigate to Tools > Options > Server Options > User Settings >
Authentication. Make sure that at least 1 LDAP server is defined.
2 Navigate to Tools > Options > Server Options > User Settings >
External User Management.
3 Select LDAP.
4 Click Configure.
5 Type the Global User and Global Password.
6 If you want LDAP users to authenticate using RADIUS, set Default
authentication Method to RADIUS.

Setting up Skybox user groups for LDAP users


Set up Skybox user groups for all LDAP users who log in to Skybox, so that when
users log in, Skybox knows how to manage them and the permissions that they
have.
If all LDAP users have the same Skybox user role, you can create a single
Skybox user group to match all LDAP user groups.

To set up a Skybox user group for LDAP users


1 Create a new user group in Skybox.
2 In the Assign to LDAP Groups field, type the comma-separated names of
the LDAP user groups to associate with this Skybox group.
The following example demonstrates how to use * as a wildcard in this field to
match multiple user groups.
3 In the Default Role field, select the role to which these users are assigned
when they are working in Skybox.
If there are several groups of LDAP users and they require different roles (that is,
different permissions) in Skybox, create a separate Skybox group for each
Skybox role that is used.

Default group
There are 2 ways to enable all Active Directory users to log in to Skybox:

› Create a group in Skybox. Next to the Assign to LDAP Group field, select
Any.
› Create a group in Skybox. In the Assign to LDAP Group field, specify the
default LDAP user group in your organization; in most cases, Default Users. In
<Skybox_Home>\server\conf\sb_server.properties, set the
LDAP_default_group_name property to be the name of the default LDAP user
group.
You can then assign the necessary permissions to the Skybox group.

LDAP users who are members of multiple LDAP user groups


If an LDAP user is a member of several LDAP groups, each of which matches a
separate Skybox group, the LDAP user becomes a member of all the matching
Skybox groups.

Example
Skybox includes the user groups listed in the following table for LDAP users.
| Skybox group | Assigned to LDAP group whose name matches this pattern |
|---|---|
| GroupA | * |
| GroupB | Dev* |
| GroupC | IT* |
| GroupD | USA*_hr |
| GroupE | USA*admin or IT_World |

In this organization, if an LDAP user is a member of the IT_Europe, IT_World,
and Everybody LDAP user groups, then in Skybox, this user is a member of the
GroupA, GroupC, and GroupE Skybox user groups.
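
The matching in the example above, worked through as an added Python sketch (not Skybox code and not part of the guide). It assumes that * matches any run of characters, that the whole LDAP group name must match, and that comparison is case-sensitive by default; the guide documents only the * wildcard, so these semantics and all function names are assumptions.

```python
import re

# Skybox group -> "Assign to LDAP Groups" value, taken from the guide's example
# table. "USA*admin or IT_World" is written as two comma-separated patterns.
EXAMPLE_MAPPING = {
    "GroupA": "*",
    "GroupB": "Dev*",
    "GroupC": "IT*",
    "GroupD": "USA*_hr",
    "GroupE": "USA*admin, IT_World",
}


def split_patterns(field):
    """Split a comma-separated field value into trimmed, non-empty patterns."""
    return [p.strip() for p in field.split(",") if p.strip()]


def pattern_matches(pattern, ldap_group, case_sensitive=True):
    """True if ldap_group matches pattern, where only * is a wildcard.

    Assumption: * stands for any run of characters (including none) and the
    whole name must match. Every other character is treated as a literal.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, ldap_group, flags) is not None


def explain_membership(ldap_groups, mapping, case_sensitive=True):
    """Return {skybox_group: [(pattern, ldap_group), ...]} for every match."""
    result = {}
    for skybox_group, field in mapping.items():
        hits = [
            (pattern, name)
            for pattern in split_patterns(field)
            for name in ldap_groups
            if pattern_matches(pattern, name, case_sensitive)
        ]
        if hits:
            result[skybox_group] = hits
    return result


def resolve_skybox_groups(ldap_groups, mapping, case_sensitive=True):
    """Sorted list of Skybox groups that the LDAP user becomes a member of."""
    return sorted(explain_membership(ldap_groups, mapping, case_sensitive))


def catch_all_groups(mapping):
    """Skybox groups that every LDAP user joins (a pattern made only of *)."""
    return sorted(
        group
        for group, field in mapping.items()
        if any(set(p) == {"*"} for p in split_patterns(field))
    )


if __name__ == "__main__":
    # The user from the guide's example.
    user_groups = ["IT_Europe", "IT_World", "Everybody"]
    print(resolve_skybox_groups(user_groups, EXAMPLE_MAPPING))
    for group, hits in explain_membership(user_groups, EXAMPLE_MAPPING).items():
        print(group, hits)
    # Review these before assigning a Default Role: every LDAP user gets it.
    print("catch-all groups:", catch_all_groups(EXAMPLE_MAPPING))
```

Running the mapping through `catch_all_groups` before assigning a Default Role shows which Skybox groups (here GroupA) grant their role to every LDAP user who can log in.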

Authentication to a super domain


If Active Directory includes multiple forests, you can represent the domain name
in Skybox using an asterisk in the LDAP_root_DN property. The asterisk is
replaced by the domain name. In such cases, the user must log in with
<domain name>\<user name>.

CHANGING THE PASSWORD FOR DATABASE CLIENTS


This section explains how to change the database password for database clients.
Default passwords after installation are:

› User: root Password: manager


› User: skyboxview Password: skyboxview

To change the database password


1 Shut down the Skybox Server.
2 Make sure that MySQL is running.
3 In SQLyog or another SQL client, connect as root and run the following
commands to set the new password:
• For the root user:
ALTER USER 'root'@'localhost' IDENTIFIED BY '<new root password>';
ALTER USER 'root'@'127.0.0.1' IDENTIFIED BY '<new root password>';
ALTER USER 'root'@'::1' IDENTIFIED BY '<new root password>';
• For the skyboxview user:
ALTER USER 'skyboxview'@'localhost' IDENTIFIED BY '<new Skybox password>';
ALTER USER 'skyboxview'@'127.0.0.1' IDENTIFIED BY '<new Skybox password>';
ALTER USER 'skyboxview'@'::1' IDENTIFIED BY '<new Skybox password>';
ALTER USER 'skyboxview'@'localhost.localdomain' IDENTIFIED BY '<new Skybox password>';
4 In <Skybox_Home>\server\conf\sb_server.properties, update the values
of the following properties with the new passwords (as clear text values):
• For the root user: secret.db_administrator_password
• For the skyboxview user: secret.db_client_password
The values are encrypted in SHA2 and AES256 when the Skybox Server
boots.

Chapter 16

Backup and restore


This chapter explains how Admins can back up and restore the model.

In this chapter
Backup and restore scenarios
About the model
Backing up the model
Backing up to an external location
Loading a model
Restoring the model

BACKUP AND RESTORE SCENARIOS


This chapter explains how to prepare for and deal with:

› Restoring the model on a working Skybox Server


You can load an old version of the model to see how the network looked some
time ago (for example, to compare it to the current network or to view the
properties of specific devices).
To be able to restore the model, back it up on a regular basis as described in
Backing up the model (on page 83).

› Restoring a Skybox Server following a hardware failure (disaster recovery)


To be able to restore a Skybox Server, back up all relevant data (not the
Skybox model only) to another location on a regular basis. This data includes:
• Skybox Server configuration files
• The Skybox model
• Skybox property (configuration and settings) files
• Attachments
• Device certificates
• Reports
For additional information, see Backing up to an external location (on page 85)
and Restoring the model (on page 86).

ABOUT THE MODEL


Skybox can maintain up to 3 model instances in the Skybox database:

› The Live model represents the current state of your network. It is updated by
automated data collection activities.
› The What If model is used to validate changes virtually and check possible
scenarios. It is generated from the Live model.
Changes made to the What If model are not copied to the Live or Forensics
models.

› The Forensics model is a snapshot of an earlier model that you can load for
comparison or review.
Back up and load each model separately. In general, changes made to one model
are not copied to the other models; the only exception is that any changes in the
structure of the Access Policy are made in all the models.
Using Skybox Manager, you can switch between models at any time. Different
users can work with the same or different models simultaneously.

BACKING UP THE MODEL


You back up the model in SQLX (encrypted SQL) format.

› Fast backup (default) saves the model as a SQLX (encrypted SQL) file. It is
much faster than the regular backup and is intended for large models that
must be saved frequently.
› Regular (XMLX) backup is necessary for longer term backups, since SQL
backups cannot be used if there were changes to the database structure.

Note: We recommend that you save the model using regular (XMLX) backup on a
regular basis (at least once a week) in addition to the fast backups, so that you
can use this model after an upgrade.
When you back up the model, you can choose any of 4 components: Model, Task
and Report Definitions, Users, and Dictionary. Only the selected components are
saved, and only these components can be loaded from the file.

Backing up the model using tasks


You can back up the Live model using a task of type Backup Model and
Settings. The task saves the model itself and Skybox settings files.

› SQLX models are saved as
<Skybox_Home>\data\sqlx_models\sqlx_backup_task_<date>--<time>.sqlx
› XMLX models are saved as
<Skybox_Home>\data\xml_models\xml_backup_task_<date>--<time>.xmlx
› The settings files are saved as
<Skybox_Home>\data\settings_backup\settings_backup_<date>--<time>.zip
Schedule a task (for example, the predefined Backup Data – Weekly task) to
back up the Live model on a weekly basis. You can change the schedule so that
the task runs daily rather than weekly.

You can add a custom list of additional files and directories to be backed up by
the task. Specify these files and directories in
<Skybox_Home>\server\conf\user_backup_list.txt. Instructions and format
examples are included in the file.

Backing up the model manually


You can back up all models manually. When you back up a model manually, no
settings files are saved.

To back up a model manually


1 Select File > Models > Save.
2 In the Save Model dialog box:
a. Select the model to back up (Live, What If, or Forensics).
b. Select the backup type to use: Fast or Regular.
c. Type a name for the file.
d. Clear any types of data that you do not want to back up.
e. To back up an additional copy of the model to the Skybox Manager file
system, select Save copy to a local directory and specify a directory.
f. To save the model for Skybox support, select Save without credentials
and passwords.
Note: This feature removes important information (user names and
passwords in Skybox tasks) and should only be used if you need to
send the model to Skybox support.
g. Click OK.
The file is saved (on the Skybox Server) in <Skybox_Home>\data\xml_models
with the extension xmlx. If you are using fast backup, the file is saved in
<Skybox_Home>\data\sqlx_models with the extension sqlx.
If you selected Save copy to a local directory, the file is also saved in the
directory that you specified.
The properties of the Save Model / Load Model dialog box are described in the
following table.
| Property | Description |
|---|---|
| Model | The type of model to be backed up or loaded. |
| Type | The backup type. |
| File Name | (Save Model only) Type a name for the file to contain the backup. |
| File | (Load Model only) Select the file to load. |
| Save Scope / Load Scope | |
| Model | Specifies whether to back up or load the main part of the model, including all network, security, and business data. |
| Tasks and Report Definitions | Specifies whether to back up or load tasks and report definitions (which are not part of the model). |
| Users | Specifies whether to back up or load Skybox users. |
| Dictionary | Specifies whether to back up or load the Skybox Vulnerability Dictionary. Usually, unnecessary—it is better to update the Dictionary (see page 143). |
| Save copy to a local directory | (Save Model only) Specifies whether to back up an additional copy of the model to the Skybox Manager file system and the backup location. |
| Save without credentials and passwords | (Save Model only) Specifies whether to save the model without user names and passwords for Skybox tasks. Note: Do not use this option when backing up the model for your organization; it is intended only for sending the model to Skybox support. |

BACKING UP TO AN EXTERNAL LOCATION


We recommend that you back up (copy) the model and related data to an
external location on a regular basis, so that you can restore the model after a
disaster or if you need to uninstall and reinstall the Skybox Server for any
reason.

To back up the model


1 Run a Back Up Model and Settings task to back up the model. Files
generated using the task include a timestamp in their name.
2 Back up the following directories (on the Skybox Server machine) to an
external location:
• <Skybox_Home>\data\xml_models
• <Skybox_Home>\data\sqlx_models (when using fast backup)
• <Skybox_Home>\data\settings_backup (created in step 1; it contains
tasks, report definitions, users, system settings, ticket attachments, and
recent reports)
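
One way to script step 2, as an added Python example (not a Skybox utility and not part of the guide). It copies the three directories listed above to an external root, verifies each copy by SHA-256, writes a manifest, and picks the newest model and settings files by modification time; the function names, the manifest.json file, and the use of modification time (the guide does not give the <date>--<time> format) are assumptions.

```python
import hashlib
import json
import os
import shutil
from pathlib import Path

# Directories named in the guide, relative to <Skybox_Home>, with the file
# suffix that each one holds.
BACKUP_DIRS = {
    "data/xml_models": ".xmlx",
    "data/sqlx_models": ".sqlx",      # present only when fast backup is used
    "data/settings_backup": ".zip",
}
MANIFEST = "manifest.json"            # assumed name, written to the external root


def sha256_of(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large models fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def copy_backups(skybox_home, external_root):
    """Copy all backup files, verify each copy, and write a hash manifest."""
    skybox_home, external_root = Path(skybox_home), Path(external_root)
    manifest = {}
    for rel_dir, suffix in BACKUP_DIRS.items():
        src_dir = skybox_home / rel_dir
        if not src_dir.is_dir():
            continue
        dst_dir = external_root / rel_dir
        dst_dir.mkdir(parents=True, exist_ok=True)
        for src in sorted(src_dir.glob("*" + suffix)):
            dst = dst_dir / src.name
            shutil.copy2(src, dst)            # copy2 keeps the modification time
            digest = sha256_of(src)
            if sha256_of(dst) != digest:
                raise OSError(f"copy of {src} does not match the original")
            # Backups can hold task credentials: owner-only access on POSIX.
            os.chmod(dst, 0o600)
            manifest[f"{rel_dir}/{src.name}"] = digest
    (external_root / MANIFEST).write_text(
        json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backups(external_root):
    """Return manifest entries whose file is missing or no longer matches."""
    external_root = Path(external_root)
    manifest = json.loads((external_root / MANIFEST).read_text())
    bad = []
    for rel_path, digest in sorted(manifest.items()):
        path = external_root / rel_path
        if not path.is_file() or sha256_of(path) != digest:
            bad.append(rel_path)
    return bad


def latest_restore_set(external_root):
    """Newest model file and settings ZIP in the external copy (by mtime)."""
    external_root = Path(external_root)

    def files_in(rel_dir, suffix):
        directory = external_root / rel_dir
        return list(directory.glob("*" + suffix)) if directory.is_dir() else []

    def newest(files):
        return max(files, key=lambda p: p.stat().st_mtime) if files else None

    models = (files_in("data/xml_models", ".xmlx")
              + files_in("data/sqlx_models", ".sqlx"))
    settings = files_in("data/settings_backup", ".zip")
    return {"model": newest(models), "settings": newest(settings)}
```

Give the external copy the same access restrictions as the Skybox Server: unless a model was saved with Save without credentials and passwords, it contains the user names and passwords used by Skybox tasks.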

LOADING A MODEL
You can load a backed-up model to the What If or Forensics model for additional
investigation or to try out changes. You can reload the most recent model to the
Live model after a system crash or other problem that made the Skybox
database unusable.
You can load XMLX backups of the model even after upgrading Skybox to a
newer version.

To load a model
1 Select File > Models > Load.
2 In the Load Model dialog box:
a. Select the model (Live, What If, or Forensics) to which you want the file
loaded.
b. Select the file to load.
If there are many files, use the date filter to narrow your selection.

c. If necessary, change the parts of the data to load.


d. Click OK.

RESTORING THE MODEL


You can restore the model on any machine on which the Skybox Server is
installed.

To restore the model


1 Make sure that the Skybox Server and the Skybox Collector are not running.
2 (Linux only) Make sure that the system account skybox exists on the Server
machine.
3 Copy the latest versions of xml_backup_task_<date>--<time>.xmlx (or
sql_backup_task_<date>--<time>.sqlx) and
settings_backup_<date>--<time>.zip from the external location where you
saved them.
4 Run the restore_settings utility, providing the location of
settings_backup_<date>--<time>.zip as an argument:
• (Windows) <Skybox_Home>\server\bin\restore_settings.bat
• (Linux) <Skybox_Home>/server/bin/restore_settings.sh
5 If Skybox Collectors are running on any other machines:
a. Copy settings_backup_<date>--<time>.zip to each Collector machine.
b. Run the restore_settings utility on each Collector machine.
6 Create and start the Skybox Server service and the Skybox Collector service:
• On Windows, run:
— <Skybox_Home>\server\bin\install-server-service.bat
— <Skybox_Home>\collector\bin\install-collector-service.bat
— <Skybox_Home>\server\bin\startserver.exe
— <Skybox_Home>\collector\bin\startcollector.exe
• On Linux, run (as root):
— <Skybox_Home>/server/bin/install_service_server.sh
— <Skybox_Home>/collector/bin/install_service_collector.sh
— service sbvserver start
— service sbvcollector start
7 Log in to Skybox Manager as the skyboxview user.
8 Select File > Models > Load. In the Load Model dialog box, select the Live
model and select the file that you restored in step 3.
The system is fully restored.

Chapter 17

Administration via CLI commands

You can perform some common administrative tasks either via Skybox Manager
or via utilities run from the command line.
This chapter documents the CLI utilities.
Launch utilities from <Skybox_Home>\server\bin unless otherwise noted. In
Windows, commands are run with a bat extension; in Linux, with an sh
extension.

In this chapter
Package firewall configurations
Launch tasks
Load the latest Dictionary (deprecated)
Package log files
Scan log files
Save the model to an XML file
Load the model from an XML file
Save the model to a SQL file
Load the model from a SQL file
Restore model settings

PACKAGE FIREWALL CONFIGURATIONS


The firewall_config utility packages firewall configuration files into ZIP files
that you can send to Skybox for troubleshooting.
The output is split into 5 MB ZIP files; the files are named
firewall1_<date>_<organization name>.zip,
firewall2_<date>_<organization name>.zip, and so on.

Syntax
firewall_config [-s] [-c <case ID>] [-f "<list of firewall IDs>"]
[-g <number of generations>]

Arguments
The arguments of this command are described in the following table.

| Argument | Description |
|---|---|
| -c <case ID> | A string value representing the support case number. This string is added to the name of the output files. For example, if the support case number is 12345, the 1st file is named firewall1_<date>_<organization name>_12345.zip. |
| -f <firewall IDs> | A comma-separated list of firewall EIDs. (The EID is the Skybox ID number of the firewall in the model.) The list must be enclosed in double quotes. To find the EID of a firewall: open Skybox Manager to any table of firewalls; right-click in the header row of the table and select Customize Current View; select EID from the list of possible columns. |
| -g <generations> | The number of generations of firewall configuration files to include in the ZIP file. The default value is 2. |
| -s | Generate a single ZIP file even if the output is over 5 MB. |

LAUNCH TASKS
The launchtask utility launches a Skybox task.
Specify the name of the task. If the name includes spaces, surround it with
double quotes.

Syntax
launchtask.bat ["]<task name>["]

LOAD THE LATEST DICTIONARY (DEPRECATED)


Note: This utility is deprecated starting in version 10.0.200.

The loaddictionary utility loads the latest Skybox Vulnerability Dictionary from
the internet.
This utility has no arguments.

Syntax
loaddictionary.bat

PACKAGE LOG FILES


The packlogs utility packages relevant log and properties files for all Skybox
components installed on the selected machine (and, optionally, the latest saved
model) into a ZIP file that you can send to Skybox for troubleshooting.
If the Skybox Server, the Skybox Collector, and Skybox Manager are on separate
machines, run the utility separately for each component. The utility is in the bin
directory of each product (<Skybox_Home>\<component>\bin; <component> is
server, collector, or app).

The output file is named
<component>_packlogs_<date>_<organization name>[_caseID].zip

Syntax
packlogs [-s | -p] [-c <case ID>] [-o <offset>] [-m | -q]

Arguments
The arguments of this command are described in the following table.
| Argument | Description |
|---|---|
| -m | Include the latest XMLX model found under <Skybox_Home>\data\xml_models. If you specify -m and -q, the utility packages the latest SQLX model only. |
| -q | Include the latest SQLX model found under <Skybox_Home>\data\sqlx_models. |
| -c <case ID> | A string value representing the support case number. This string is added to the name of the output files. |
| -o <offset> | A numeric offset limiting the age of log files to include in the ZIP files. Only log files created or modified within the previous specified number of days are included. The default value is 30. |
| -p | Split the output into ZIP files of 5 MB or less; the files are named: <component>_packlogs1_<date>_<organization name>.zip, <component>_packlogs2_<date>_<organization name>.zip, and so on. This is useful if the output is very large. |
| -s | (Default) Generate a single ZIP file. |

SCAN LOG FILES


The scanlogs utility scans the content of any packlogs ZIP file found in the same
local directory and lists any system issues that were found.
The utility, which is in <Skybox_Home>\<component>\bin (<component> is
server, collector, or app), has no arguments.

Syntax
scanlogs

The issues listed in the following table can be detected using this utility.
| # | Name | Description | Comments |
|---|---|---|---|
| 1 | OOM incidents | The Java process ran out of memory. Each such incident is documented in a histogram file that lists the counts of and memory used by all instantiated Java class types. | If the OOM incidents are recent and have occurred multiple times, open a bug for Skybox R&D |
| 2 | High thread count | A high thread count means that the Java process is overloaded and trying to handle too many concurrent execution flows. This may cause a slowdown or even total hang in extreme cases. | Contact Skybox R&D |
| 3 | JVM crash incidents | The Java process often creates a crash file just before it unexpectedly shuts down. A crash might indicate memory issues, OS issues, Java software bugs, or even hardware instability. | Contact Skybox R&D |
| 4 | Encrypted or corrupted packlogs files | The scanner failed to unzip a packlogs file. This may happen either because the file is protected with a password, or because it is truncated or corrupted. | Try to unzip the file manually and contact the file sender |
| 5 | Long debug lines | Very long debug lines indicate that very large data is being mistakenly written into the debug log. | Contact Skybox R&D |
| 6 | Debug message flood | The debug log files might be rotating very fast, with too many debug messages being written in a very short time. | Contact Skybox R&D |
| 7 | Low RAM size | The host machine has a relatively small RAM. This may cause OOM incidents. | If the host is a virtual machine, increase the RAM. Otherwise, contact Skybox Professional Services |
| 8 | Low swap size | The host machine has a small swap space, which might cause instability if memory use spikes. On Linux, this might trigger OOM killer incidents that can be seen in /var/log/messages. | The error can be ignored if no other symptoms are present. Otherwise, swap space should be modified (if necessary, contact Skybox Professional Services). On Windows, the swap area should default to automatic management. On Linux, set 8 GB swap on 32 GB RAM, 32 GB swap on 128 GB RAM. |
| 9 | Low disk space | A partition on the host machine is nearing its disk capacity. | Depending on which partition is reported, consult Skybox Professional Services. Important: If the partition is hosting a Skybox installation, the issue is of critical importance. |
| 10 | Corrupt property files | A Skybox property file was corrupted. | Contact Skybox Professional Services. The file may have to be restored from backup. |
| 11 | Slow tasks | Extremely slow tasks. | Contact Skybox Professional Services |
| 12 | Low Xmx | The Server may be misconfigured to use a low Xmx memory limit in jvmargs.properties, although the host machine has much more RAM available. | Contact Skybox Professional Services |
| 13 | High Xmx | The Server may be misconfigured to use a high Xmx memory limit in jvmargs.properties, but the host machine has much less RAM available. | Contact Skybox Professional Services |
| 14 | MySQL crash incidents | MySQL usually leaves evidence in its logs just before it unexpectedly crashes. Possible reasons are varied. | Contact Skybox R&D |
| 15 | Mismatched server Xmx | The effective memory limit that the Server is seeing is not the limit configured in jvmargs.properties. This typically happens on Windows if the Skybox service was not reinstalled after changing the value. | Contact Skybox Professional Services |
| 16 | Multiple servers | Multiple Skybox Servers are running concurrently on the host machine. This may cause strange errors. | Contact Skybox Professional Services |
| 17 | Multiple collectors | Multiple Collectors are running concurrently on the host machine. This may cause strange errors. | Contact Skybox Professional Services |
| 18 | Server port already in use | There was a port clash because multiple Skybox Servers were running. | If the incident is recent, contact Skybox Professional Services. |
| 19 | Collector port already in use | There was a port clash because multiple Collectors were running. | If the incident is recent, contact Skybox Professional Services. |
| 20 | Permission denied | There is a file permission issue with the Skybox installation. | Check which user is running the process and verify that their permissions for installation files are appropriate. If necessary, contact Skybox Professional Services. |
| 21 | Unknown host | A problem with the DNS setup may cause failed connections. If the error refers to the local host name, the DNS settings of the host machine might be incorrect. | Skybox Professional Services should check C:\Windows\System32\drivers\etc\hosts (on Windows) or /etc/hosts (on Linux). |
| 22 | Unassociated entities | There might be a problem in the referential integrity of the Skybox model and a potential corruption to data. This might be caused by sub-entities left behind after the deletion of a parent entity or it could be caused by inadvertent disappearance of model entities. | Usually should be handled as a bug by Skybox R&D to find the root cause. |
| 23 | No daily backups | No daily backups of model data have taken place recently. | Contact Skybox Professional Services |
| 24 | Slow interactive calls | Lists all slow interactive calls from clients. Each call is listed with its most recent duration, and the average duration and number of worst calls processed recently by the server. | Frequent calls that have a long average duration should be handled as a bug by Skybox R&D. |
| 25 | Failed tasks | Lists all Skybox tasks that have failed recently. | Contact Skybox Professional Services |
| 26 | Server logic errors | There are errors in Skybox Server logic. A count of each error type is provided. The severity of this error varies depending on the context and may well be inconsequential. | Contact Skybox R&D |
| 27 | Collector logic errors | There are errors in Skybox Collector logic. A count of each error type is provided. The severity of this error varies depending on context and may well be inconsequential. | Contact Skybox R&D |
| 28 | App logic errors | There are errors in Skybox Manager logic. A count of each error type is provided. The severity of this error varies depending on context and may well be inconsequential. | Contact Skybox R&D |
| 29 | MySQL data truncation | The size of a specific MySQL column is too small for the intended data, which may result in localized data corruption. | Contact Skybox R&D for a temporary MySQL schema workaround and a permanent fix |
| 30 | Server linkage errors | There is a problem with the Java class files of the Skybox Server, possibly due to a deployment issue. For example, multiple Skybox Servers running, a defective installation, or a build problem. | Contact Skybox Professional Services to check the file integrity, and contact Skybox R&D. |
| 31 | Collector linkage errors | There is a problem with the Java class files of the Collector, possibly due to a deployment issue. For example, multiple Collectors running, a defective installation, or a build problem. | Contact Skybox Professional Services to check the file integrity, and contact Skybox R&D. |
| 32 | Server deployment errors | The Server failed to start correctly. There are many possible causes. | Contact Skybox Professional Services |
| 33 | Collector deployment errors | The Collector failed to start correctly. There are many possible causes. | Contact Skybox Professional Services |
| 34 | Server disk space shutdowns | Lists occurrences of Server shutdowns due to lack of free disk space. | Contact Skybox Professional Services |

SAVE THE MODEL TO AN XML FILE


The save2xml utility saves a Skybox model to an XML file. You can select which
parts of the model to save and which model to save (by default, the Live model is
saved).

Syntax
save2xml.bat <file name> [-model] [-core] [-coreusers] [-dic]
[-whatif | -forensics] [-plaintext]

The command to export all the information in the Live model and your task
definitions is:

› save2xml.bat <file name> -model -core -coreusers -dic

Arguments
The arguments of this command are described in the following table.
Argument Description
<file name> The name of the file in which to save the data. The data is
saved as an XMLX file. (If you include the -plaintext
option, the data is saved as an XML file.)
Note: The default path for the file is
<Skybox_Home>\data\xml_files. To save the file in a
different location, include the full path name.
-model Include the main part of the Skybox model, including all
network, security, and business data.
-core Include task and report definition data from the Skybox
model.
-coreusers Include user data from the Skybox model.
-dic Include the Skybox Vulnerability Dictionary from the
Skybox model.
Note: Unless you need this specific Dictionary, do not
save it. You can always load the latest Dictionary via
loaddictionary.bat.
-forensics Save the specified data from the Forensics model rather
than from the Live model.
-whatif Save the specified data from the What If model rather
than from the Live model.
-plaintext Do not encrypt the XML file.

LOAD THE MODEL FROM AN XML FILE


The load utility loads a saved XML model file to Skybox. You can specify the
parts of the model to load and to which model in Skybox to load them.
By default:

› Only the model part is loaded
› Models are loaded to the Live model

Syntax
load.bat <filename> [-model] [-core] [-coreusers] [-dic]
[-whatif | -forensics]

Arguments
The arguments of this command are described in the following table.
Argument Description
filename The name of the model file to load.
Note: The default path for the file is
<Skybox_Home>\data\xml_files. To load the file from a
different location, include the full path name.
-model Load the main part of the model, including all network,
security, and business data to your Skybox model.
-core Load task and report definition data to your Skybox
model.
-coreusers Load user data to your Skybox model.
-dic Load the Skybox Vulnerability Dictionary (from the file) to
the Live model in Skybox.
Note: Unless you need a specific Dictionary that was
saved, it is better to load the latest Dictionary via
loaddictionary.bat (on page 88).
Note: This argument cannot be used with -whatif or -forensics.
-whatif Load the specified data to the What If model rather than
the Live model in Skybox.
Note: This argument cannot be used with -dic.
-forensics Load the specified data to the Forensics model rather than
the Live model in Skybox.
Note: This argument cannot be used with -dic.

SAVE THE MODEL TO A SQL FILE


The sqlxdump utility saves a Skybox model to a SQLX file. You can select
whether to exclude specific data, and the model to save (by default, the Live
model is saved).

Syntax
sqlxdump [-noserver] [-exclude_rua] [-exclude_ct] [-forensics | -whatif]
filename

Arguments
The arguments of this command are described in the following table.
Argument Description
-noserver Run the command directly in MySQL, bypassing the
server.
-exclude_rua Do not save rule usage analysis data.
-exclude_ct Do not save change tracking data.
-forensics Save the data from the Forensics model rather than from
the Live model.
-whatif Save the data from the What If model rather than from
the Live model.
filename The name of the file in which to save the data. The data is
saved as a SQLX file.
Note: The default path for the file is
<Skybox_Home>\data\sqlx_files. To save the file in a
different location, include the full path name.

LOAD THE MODEL FROM A SQL FILE


The sqlxrestore utility loads a saved SQL model file to Skybox. You can specify
the parts of the model to load and to which model in Skybox to load them.
By default:

› Only the model part is loaded
› Models are loaded to the Live model

Syntax
sqlxrestore [-noserver] [-forensics | -whatif] [-user_tables] [-definition_tables]
[-dictionary_tables] [-model_tables] [-ticket_tables] filename

Arguments
The arguments of this command are described in the following table.

Note: If no table options are specified, all tables are restored.


Argument Description
-noserver Runs the command directly in MySQL, bypassing the
server.
-forensics Load the specified data to the Forensics model rather than
the Live model in Skybox.
-whatif Load the specified data to the What If model rather than
the Live model in Skybox.
-user_tables Load user data to your Skybox model.
-definition_tables Load task and report definition data to your Skybox
model.
-dictionary_tables Load the Skybox Vulnerability Dictionary (from the file) to
the Live model in Skybox.
Note: Unless you need a specific Dictionary that was
saved, it is better to load the latest Dictionary via
loaddictionary.bat (on page 88).
-model_tables Load the main part of the model, including all network,
security, and business data to your Skybox model.
-ticket_tables Load ticket-related tables.
Note: This argument cannot be used with other table
arguments.
Note: This argument is supported only when restoring
from the current build. It cannot be used to restore
tickets from any previous build.
filename The name of the model file to load.
Note: The default path for the file is
<Skybox_Home>\data\sqlx_files. To load the file from a
different location, include the full path name.
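
The option constraints stated above for save2xml, load, sqlxdump, and sqlxrestore (mutually exclusive -whatif and -forensics, the -dic and -ticket_tables restrictions, unencrypted -plaintext output) can be checked before a command is run. The following Python check is an added example, not Skybox code; the function name check and the sample file names are hypothetical, and it assumes that every argument starting with "-" is an option.

```python
"""Pre-flight check for Skybox model save/load command lines (added example)."""
from typing import List, Tuple

# Options transcribed from the Syntax lines and argument tables on this page.
MODEL_SELECTORS = {"-whatif", "-forensics"}
TABLE_OPTIONS = {"-user_tables", "-definition_tables", "-dictionary_tables",
                 "-model_tables", "-ticket_tables"}
TOOLS = {
    "save2xml": {"-model", "-core", "-coreusers", "-dic", "-plaintext"} | MODEL_SELECTORS,
    "load": {"-model", "-core", "-coreusers", "-dic"} | MODEL_SELECTORS,
    "sqlxdump": {"-noserver", "-exclude_rua", "-exclude_ct"} | MODEL_SELECTORS,
    "sqlxrestore": {"-noserver"} | TABLE_OPTIONS | MODEL_SELECTORS,
}


def check(tool: str, args: List[str]) -> Tuple[List[str], List[str]]:
    """Validate one invocation; args excludes the tool name.

    Returns (errors, warnings). Errors are combinations the page rules out;
    warnings are documented behaviours worth a second look before running.
    """
    if tool not in TOOLS:
        return [f"unknown tool: {tool}"], []
    errors: List[str] = []
    warnings: List[str] = []
    # Assumption: anything starting with "-" is an option, the rest is the file name.
    flags = {a for a in args if a.startswith("-")}
    files = [a for a in args if not a.startswith("-")]

    for flag in sorted(flags - TOOLS[tool]):
        errors.append(f"{flag} is not an option of {tool}")
    if len(files) != 1:
        errors.append(f"expected exactly one file name, got {len(files)}")
    if MODEL_SELECTORS <= flags:
        errors.append("-whatif and -forensics are mutually exclusive")

    if tool == "load" and "-dic" in flags and flags & MODEL_SELECTORS:
        errors.append("-dic cannot be used with -whatif or -forensics")
    if tool == "sqlxrestore":
        tables = flags & TABLE_OPTIONS
        if "-ticket_tables" in tables and len(tables) > 1:
            errors.append("-ticket_tables cannot be used with other table arguments")
        if not tables:
            # From the Note above the sqlxrestore argument table.
            warnings.append("no table options given: all tables are restored")
    if tool == "save2xml" and "-plaintext" in flags:
        detail = " and includes user data" if "-coreusers" in flags else ""
        warnings.append(f"-plaintext: the XML file is not encrypted{detail}")
    if "-noserver" in flags and "-noserver" in TOOLS[tool]:
        warnings.append("-noserver: runs directly in MySQL, bypassing the server")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample invocations; the file names are placeholders.
    samples = [
        ("save2xml", ["live.xmlx", "-model", "-core", "-coreusers", "-dic"]),
        ("save2xml", ["live.xml", "-model", "-coreusers", "-plaintext"]),
        ("load", ["live.xmlx", "-dic", "-whatif"]),
        ("sqlxrestore", ["-ticket_tables", "-model_tables", "dump.sqlx"]),
        ("sqlxrestore", ["-noserver", "dump.sqlx"]),
    ]
    for tool, args in samples:
        errs, warns = check(tool, args)
        status = "REJECT" if errs else "OK"
        print(f"{status:6} {tool} {' '.join(args)}")
        for msg in errs:
            print(f"       error:   {msg}")
        for msg in warns:
            print(f"       warning: {msg}")
```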

RESTORE MODEL SETTINGS


The restore_settings utility restores (loads) configuration and other settings to
Skybox that were saved by a Back Up Model and Settings task. The backed-up
files are saved under the <Skybox_Home>\data\xml_models\ directory; file
names have the format xml_backup_task_<date>--<time>.xmlx.
Restore this file after a disaster or if you need to uninstall and reinstall the server
for any reason; the model is not complete without this information.

Syntax
restore_settings <file name>

For additional information about this process, see Restoring the model (on page
86).



Chapter 18

Manager Options
This chapter explains how to configure options for Skybox Manager.
To configure the options, navigate to Tools > Options > Manager Options.

In this chapter
Access Analyzer: Manager
Messages
Model Validation Status Settings
Proxy Settings (Manager)
Regional Settings: Manager
Reports Configuration
Risks Configuration
View Settings

ACCESS ANALYZER: MANAGER


The properties in the Access Analyzer page define how results are displayed in
Access Analyzer. These properties are described in the following table.
Property | Description
Use existing entities only | Specifies whether to display results using only assets and services that exist in the model.
  • If cleared, the results of access analysis include IP addresses that might be added to the network.
  • Select this option if you made a significant scan of the network (that is, if most of your organization’s network is included in the model) and you want to filter the results based on this scan.
Display all blocking rules | Specifies whether, for blocked routes, all access rules that potentially block traffic on the selected route are displayed. If cleared, only the 1st access rule that blocks traffic on the selected route is displayed.

MESSAGES
The properties in the Messages page specify the circumstances under which
warning messages are displayed to the Skybox user.

MODEL VALIDATION STATUS SETTINGS


The properties in the Model Validation Status Settings page specify whether to
display model validation messages for assets. These properties are described in
the following table.
Property | Description
Show severity indication for the relevant entities | Specifies whether, in assets analyses, the Validation Indication column displays the highest severity indication from collection messages for that asset.
Show related validation status messages of an entity | Specifies whether, in assets analyses, the Messages tab is enabled to display collection messages for that asset. Note: You must enable messages before you can display them (see Enabling device messages (on page 98)).

Enabling device messages


You can configure Skybox to list information messages about device updates (by
default, these messages are not displayed). The messages are useful when
device updates are unsuccessful; they explain what went wrong and at which
point in the update (offline file import or online collection) process.

To enable device messages


1 Enable saving the messages during device updates in Skybox by setting
max_num_of_validation_messages_per_entity to the required value in
<Skybox_Home>\server\conf\sb_common.properties.
2 Enable displaying the messages in Skybox:
a. Navigate to Tools > Options > Manager Options > Model Validation
Status Settings.
b. Select both check boxes and click OK.
The Messages tab of the Details pane is enabled.

PROXY SETTINGS (MANAGER)


The properties in the Proxy Settings (Manager) page configure a proxy server for
HTTP connections to the internet.
If the Skybox Manager machine is configured to connect to the internet via a
proxy, configure these settings before downloading Skybox update files (see
Downloading the update file (on page 45)).
The Proxy Settings (Manager) properties are described in the following table.
Property | Description
Proxy Server | The IP address of the proxy server.
Proxy Port | The TCP port on which the proxy listens for HTTP requests.
User Name | The user name to use for proxy authentication.
Password | The user password to use for proxy authentication.

REGIONAL SETTINGS: MANAGER


The properties in the Regional Settings page specify how Skybox displays
numbers, dates, and time.
A value selected here overrides the value specified in the Regional Settings:
Server page (see page 116).
The Regional Settings properties are described in the following table.
Property | Description
Locale | Specifies how Skybox displays numbers, dates, and time of day.

REPORTS CONFIGURATION
The properties in the Reports Configuration page specify whether reports are
generated in the background as a task or in the foreground, and where to save
the generated reports. These properties are described in the following table.
Property | Description
Default Report Generation Method | Specifies whether default report generation is in the foreground or in the background (report generation can take several minutes for large reports). To set properties of the Report Task, see the Report generation tasks topic in the Skybox Reference Guide.
Save generated reports in the %HOMEPATH% directory | Specifies whether to save generated reports in the user home directory (as well as the Skybox directory).

RISKS CONFIGURATION
The properties in the Risks Configuration page specify how risk values are
displayed in Skybox. These properties are described in the following table.
Property | Description
Risk Value Style | Specifies how risk values are presented in Skybox.
  • Level: Risk values are presented as icons.
  • Monetary (value): Risk values are presented as monetary values. Only an Admin can specify the currency unit, see Regional Settings (on page 116).
  • Score (0-100): Risk values are presented as a score between 0 and 100.
Show Implicit Dependency Rules |

VIEW SETTINGS
The properties in the View Settings page specify how Skybox Manager is
displayed on your screen. These properties are described in the following table.
Property | Description
Enable scaling according to screen size | Specifies whether to scale the Skybox Manager window (including font size) for the size of your screen. If cleared, you might need to scroll to see the entire display.
Include server name in the application window title | Specifies whether to include the server name and port in the title of the Skybox Manager window.



Chapter 19

Server Options
This chapter explains how to use Skybox Manager to configure options for the
Skybox Server.

Note: Only an Admin can change Server options.


To configure the Server options, navigate to Tools > Options > Server
Options.

In this chapter
Access Analyzer: Server
Access Compliance
Archiving
Asset Modification Settings
Attack Simulation Configuration
Business Attributes
Change Manager Settings
Change Tracking Settings
Customization
Dictionary Settings
Elasticsearch Export Settings
Entity Settings
License
Proxy Settings (Server)
Regional Settings: Server
Report Configuration
Rule Usage
Software Update Settings
System
Backup Settings
Task Settings
Threat Manager
Ticket Configuration
User Settings
Vulnerability Control

ACCESS ANALYZER: SERVER


The properties in the Access Analyzer page are described in the following table.
Property | Description
Create Speculative Routing Table | Specifies whether to create a speculative routing table for each asset if no routing table exists.
Show Location Path in Network Names | Specifies whether to display the location path of each network node as part of the node name when locations are hidden in the results tree.

ACCESS COMPLIANCE
The properties in the Access Compliance page are described in the following
table.
Property | Description
Comments for Access Check Exceptions | Specifies whether Skybox requires users to add comments when they create Access Check exceptions.
Show Access Policy Exceptions | Specifies whether to display the Access Policy Exceptions tab in the <firewall name> Exceptions dialog box.
Maximum Number of Entities | The maximum number of ports or IP addresses to be displayed in the text of the violation details.
Maximum Number of Zone Entities | The maximum number of network entities permitted per zone.
Analyze Non-Firewalls for Violating Rules | Specifies whether, when analyzing compliance for Network Assurance, Skybox analyzes the access rules of non-firewall devices.

Firewall Compliance
The properties in the Access Compliance > Firewall Compliance page are
described in the following table.
Property | Description
Action | The action Skybox takes to assign the IP addresses behind the network interfaces of each firewall.
  • Disabled: The Addresses Behind Interface fields are empty on all interfaces (that is, Skybox uses Default Gateway/Unknown Addresses).
  • No Speculation: Addresses behind interfaces are assigned, based on the routing table of the firewall, but there is no routing speculation. If there are destination IP addresses that are not found in the routing table, they do not appear behind any interface.
  • Full: Addresses behind interfaces are assigned, based on the routing table of the firewall. There is routing speculation for destination IP addresses that are not found in the routing table; these addresses are added to all interfaces.

For additional information about addresses behind interfaces, see the Addresses
behind network interfaces topic in the Skybox Firewall Assurance User Guide.

ARCHIVING
The properties in the Archiving page specify:

› How long to keep archived files
› The behavior of Model – Outdated Removal tasks

These properties are described in the following table.
Property | Description
Files Archiving
Archive backups threshold (days) | Specifies how long to retain automatic backup files. Note: This setting does not affect backup files generated manually.
Archive reports threshold (days) | Specifies how long to retain reports.
Outdated Removal Settings
Outdated Removal Ignore Threshold (days) | Networks that were not scanned for this length of time are ignored by Model – Outdated Removal tasks (which mark old entities for deletion).
Statistics Archiving
Number of daily statistics snapshots to keep | The number of daily statistics snapshots to keep (1 per day). See the note following this table.
Number of weekly statistics snapshots to keep | The number of weekly statistics snapshots to keep (1 per week). See the note following this table.
Number of monthly statistics snapshots to keep | The number of monthly statistics snapshots to keep (1 per month). See the note following this table.

Note: The Statistics Archiving properties specify the number of statistics
snapshots to keep, not how long to keep them.

ASSET MODIFICATION SETTINGS


The properties in the Asset Modification Settings page specify whether users are
notified if another user changes an asset that they are editing. These properties
are described in the following table.
Property | Description
Mark Changed Assets | (In What If and Forensics models) Specifies whether users are notified if another user changed an asset that they are editing.

ATTACK SIMULATION CONFIGURATION


The properties in the Attack Simulation Configuration page are described in the
following table.
Property | Description
Attack Simulation Max Impact | The maximal quantitative impact of Business Asset Groups. (This property has no effect when the risk is set to be qualitative.)

BUSINESS ATTRIBUTES
The properties in the Business Attributes pages configure business attributes for
various entities. Business attributes are metadata that provide additional
information about an entity.

Access Rules
The properties in the Business Attributes > Access Rules page are described in
the following table.
Property | Description
(Business Attributes) | Skybox includes predefined business attributes for access rules. Click Add to add a new business attribute (see Adding custom business attributes, in the Skybox Firewall Assurance User Guide).

Assets
The properties in the Business Attributes > Assets page are described in the
following table.
Property | Description
(Business Attributes) |
  • Skybox includes predefined business attributes for assets.
  • Business attributes are added automatically to assets via CMDB import.
  Click Add to add a new business attribute.

Asset Groups
The properties in the Business Attributes > Asset Groups page are described in
the following table.
Property | Description
(Business Attributes) | Skybox does not include predefined business attributes for asset groups; if required, organizations must create their own. Click Add to add a new business attribute.

Networks
The properties in the Business Attributes > Networks page are described in the
following table.
Property | Description
(Business Attributes) | Skybox does not include predefined business attributes for networks; an organization that wants to use them must create their own. Click Add to add a new business attribute.

Services
The properties in the Business Attributes > Services page are described in the
following table.
Property | Description
(Business Attributes) | Skybox does not include predefined business attributes for services; an organization that wants to use them must create their own. Click Add to add a new business attribute.

Vulnerability Definitions
The properties in the Business Attributes > Vulnerability Definitions page are
described in the following table.
Property | Description
(Business Attributes) | Skybox does not include predefined business attributes for Vulnerability Definitions; an organization that wants to use them must create their own. Click Add to add a new business attribute.

Vulnerabilities
The properties in the Business Attributes > Vulnerabilities page are described in
the following table.
Property | Description
(Business Attributes) | Skybox does not include predefined business attributes for vulnerabilities; an organization that wants to use them must create their own. Click Add to add a new business attribute.

CHANGE MANAGER SETTINGS


The properties in the Change Manager Settings page are described in the
following table.
Property | Description
Optimization settings | Access Update change requests and Add Rule change requests can sometimes be optimized to Modify Rule change requests. This section specifies how requests are optimized.
Identical Match | Specifies whether 2 fields of the change request must match the corresponding fields of the access rule exactly.
Contained within | Specifies whether 2 fields of the change request must be contained within the corresponding fields of the access rule.
Include contained in Any | Specifies whether to include matches for fields of the change request that are contained within a field whose value is Any.
Change Manager Mode
(Firewall identification mode) | Controls whether firewalls in change requests are identified in Firewall Mode or Network Mode.
Firewall Mode | For models that do not include routers or are not fully connected. Identifies firewalls based on a comparison between the relevant fields of the change request and the addresses behind the firewalls in the Firewall Assurance tree. Note: In firewall mode, access requests to a network device’s interface cannot be used as a source or destination.
Network Mode | For models that include routers and are fully connected. Identifies firewalls by running access analysis. Enables users to view the routes that a change request would take in the network.
Use best match coverage for change requests with large IP ranges | For very large change requests (with “Any” or many IP addresses), specifies whether to use a faster calculation method that covers a high percentage of the difference between the change requested and the actual environment, rather than the regular calculation method. Note: This method may not provide 100% coverage. This is not a precise match (as is used for standard change requests) but a partial coverage match that is the best option for this particular request.
Use wide range logic for requests with over N Source addresses | The maximum number of source IP addresses for which to calculate the source of the change request using the standard method. Change requests with more source addresses are calculated using the best match coverage method.
Use wide range logic for requests with over N Destination addresses | The maximum number of destination IP addresses for which to calculate the destination of the change request using the standard method. Change requests with more destination addresses are calculated using the best match coverage method.
Networks are considered matching when they have at least N % of addresses that match the derived request | When calculating reconciliation of change requests, networks are considered to match the change request when at least this percentage of their addresses match the addresses in the derived change request.
(Policy compliance calculation mode) | Controls whether policy compliance violations in Change Manager are calculated in Firewall Mode or Network Mode.
Firewall Mode | Calculates violations by checking the access of firewall network interfaces.
Network Mode | Calculates violations by checking network access.
Access Policy Scope | This field is enabled only if you select Network Mode. The parts of the Public Access Policies (policy folders, policy sections, or specific Access Checks) to use when calculating policy compliance violations.
Verification
Source and destination interface | For Add Rule change requests, specifies whether to verify that the source and destination interfaces in the new rule match those in the change request. The interfaces in the change request are calculated by Skybox to be those that produce the requested access. Note: For firewalls that support zones, specifies whether to verify that the source zone and destination zone in the new rule match those in the change request.
Expiration date | For Add Rule change requests that include an expiration date, specifies whether to verify that the expiration date specified in the change request matches the expiration date entered in the new rule. Note: If selected, reconciliation of change requests (in change tracking) also takes expiration dates into consideration.

Change Requests
The properties in the Change Manager Settings > Change Requests page are
described in the following table.
Property | Description
Upload Change Requests from File
Enable uploading change requests from files | Enables users in Change Manager to upload Access Update change requests to a ticket from a file. After checking this box, map the parameters of the change request to the column names in the file specified in File Name. For more information about uploading change requests from a file, see Configuring upload of change requests from files, in the Skybox Change Manager User Manual.
File Name | The file to upload as the template for change requests. Users in Change Manager can download this template, fill in their change requests, and then upload the file to a ticket.
General
Users | The name of the column that contains users for each change request.
Source | The name of the column that contains the source for each change request.
Destination | The name of the column that contains the destination for each change request.
Services | The name of the column that contains the services for each change request. (You can specify separate column names for port and protocol.)
Applications | (For next-generation firewalls) The name of the column that contains the applications for each change request.
Expiration Date | The name of the column that contains the expiration date for each change request.
Comment | The name of the column that contains the comment for each change request.
Rule Business Attributes | The names of the columns that contain rule business attributes for each change request.
Advanced
Excel Sheet | The name of the sheet in the Excel file that contains the change requests. The default is the 1st sheet.
Date Format | The date format used in the Excel file.
Custom Change Requests
Custom Change Request Types | Click Add to add a new type of change request. All custom types are available in Change Manager by clicking Custom Changes.

Display Settings
The properties in the Change Manager Settings > Display Settings page are
described in the following table.
Property | Description
Records Per Page
Records per page | Specifies how many entries are shown per page in Change Manager tables.
Custom Fields
Number of custom fields in a row | Specifies the number of custom fields to use in each row. If any custom fields have very long names, put fewer fields per row.

Automatic Implementation
The properties in the Change Manager Settings > Automatic Implementation
page are described in the following table.
Property | Description
Enable automatic implementation of pending requests | Specifies whether Change Manager automatically implements pending change requests for Check Point, FortiManager, and Panorama devices.
Suggest implementing relevant requests | Specifies whether, when implementation is requested, Change Manager asks the user whether to implement other pending change requests for the same management server.
Set the default values to be used for new rules | Set default values for rule fields that are not specified in the change request.
Rule Position | (Read-only) The position of the rule in the ACL. Note: The default position for new rules is at the end of the policy. However, when possible, new rules are added directly before the first rule that would block them.
Rule VPN | (Read-only) The VPN that the rule uses. Note: New rules are set with VPN=Any.
Rule Comment | The formula for comments that are added to each rule implemented by Change Manager. You must include at least 1 tag (<DATE>, <USERNAME>, or <TICKET_ID>) in the formula.
Modify Rule Comment | The formula for comments that are added to each rule modified by Change Manager. You must include at least 1 tag (<DATE>, <USERNAME>, or <TICKET_ID>) in the formula.
Firewall specific configuration
Panorama Add Rule Location | Specifies whether the new rules are added in Panorama as Pre Rules or Post Rules.

For additional information about automatic implementation, including how to set
it up in the Check Point SmartDashboard application, and the types of change
requests that can be implemented automatically, see the Configuring automatic
implementation section in the Skybox Change Manager User Guide.

Object Suggestion
The properties in the Change Manager Settings > Object Suggestion page are
described in the following table.
Property: Description
Convert addresses and services to objects: Specifies whether to convert all addresses and services in change requests to objects. Note: Skybox uses existing objects when an exact match is found. Otherwise, new objects are created.
Naming conventions: The following fields set the naming conventions for new objects.
Host: Asset object names must include the <IP> tag.
IP Range: IP address range object names must include the <IP_RANGE> tag.
Network: Network object names must include the <NETWORK> tag.
Service: Service objects must include the <SERVICE> tag.
Object Comment: The formula for comments that are added to each object created by Change Manager. You must include at least 1 tag (<DATE>, <USERNAME>, or <TICKET_ID>) in the formula.

Permissions
The properties in the Change Manager Settings > Permissions pages configure
permissions for Change Manager Requestors and how to handle attachments to
Change Manager tickets.

Attachment Permissions
The properties in the Change Manager Settings > Permissions > Attachment
Permissions page are described in the following table.
Property: Description
Ticket attachments can be deleted: Specifies whether files that were added to tickets can be deleted.
The following users are permitted to delete ticket attachments: If ticket attachments can be deleted, this option specifies the users that are permitted to delete them.

Requestor Permissions
The properties in the Change Manager Settings > Permissions > Requestor
Permissions page are described in the following table.
Property: Description
Permitted request types for Web Ticket Requestor role
Select the permitted request types for the Web Ticket Requestor role: The types of change requests that Web Ticket Requestors can open.
Due Date Permissions
Allow to view and revise due dates: Specifies whether Web Ticket Requestors can view and revise due dates.
Ticket Permissions
Allow all requestors to view all tickets submitted by ...: The submitters whose tickets Web Ticket Requestors can view.
Allow to view access status details: Specifies whether Web Ticket Requestors can view access status details.
Allow requestors to use firewall objects: Specifies whether Web Ticket Requestors can use firewall objects.

Risk Assessment
The properties in the Change Manager Settings > Risk Assessment page are
described in the following table.
Property: Description
Risk Assessment
Enforce Risk Justification comment: Specifies whether it is mandatory to add a comment (explaining how the risk is justified) in the Risk pane before promoting the ticket.
Use the Vulnerability Dictionary and enable import of vulnerability information: (For licenses that include only Firewall Assurance) Specifies whether vulnerability occurrence information is collected and displayed when working with Skybox Change Manager.
Show Exposed Vulnerability Occurrences: Specifies whether to show exposed vulnerability occurrences in the Risk Assessment phase.
Show risk assessment for already allowed change requests: Specifies whether risk assessment information is displayed for change requests that were already permitted.
Approve Risk
Set the default approval expiration date ... based on risk levels: The default expiration date of exceptions for each risk level.

Approve Risk
When you approve the risk of a change request in the Risk Assessment ticket
phase, the Approve Request dialog box provides an approval expiration date
based on the highest violation severity caused by the change request. Skybox
uses these expiration dates for the corresponding exceptions that are created
based on the approval. For each risk level, a specific length of time is specified
for the expiration date; when you approve a change request, this time is added
to the current date to calculate the expiration date.
You can change the expiration time for each severity according to your policy.

Tickets
The properties in the Change Manager Settings > Tickets page affect tickets in
Skybox Change Manager.
The Tickets properties are described in the following table.
Property: Description
Automatic closure of tickets
Automatically close resolved tickets if all change requests were implemented: Specifies whether Access Change tickets are closed automatically after all their change requests are implemented.
Automatically close tickets in the last phase for more than <n> days: Specifies whether Access Change tickets are closed automatically if they are in the final phase (usually named Verified) for more than a given number of days.
Set status of automatically closed tickets to: Specifies the status to which tickets are set when they are automatically closed.
Default ticket priority
Default priority of newly created tickets: Specifies the default priority for new tickets.
Rule logging default settings
Rule logging: Specifies whether new rules implemented on firewalls have logging enabled by default.
Panorama default settings
Create shared objects: Specifies whether new objects created for Panorama are created as shared by default. Note: Users can change this per request.
Install on any: Specifies whether to add the requested change to all firewalls in the specified device group by default. Note: Users can change this per request.

Workflows
The properties in the Change Manager Settings > Workflows page are described
in the following table.
Property: Description
(Workflows): Click Add to add a new workflow using the wizard. Select Add > Template Workflow to add another standard workflow (which you can then edit). Double-click a workflow to edit it. For information about workflows, see the Customizing ticket phases and workflows section in the Skybox Change Manager User Guide.
Default Work Time
Work Week: Specifies the work week for your organization. Skybox only uses these days to calculate ticket due dates for workflows based on the default work time.
Holiday Dates: (Optional) Specifies the dates in the year that are non-working holidays for your organization.
• Enter these dates in the regional format that you chose, comma-separated.
• You can create a text file of the dates and import the file into Skybox. The values in the text file must be comma-separated or on new lines.
Work Hours: Specify the working hours for your organization. Skybox only uses these hours to calculate ticket due dates for workflows based on the default work time.


CHANGE TRACKING SETTINGS


The properties in the Change Tracking Settings page are described in the
following table.
Property: Description
Extract ticket ID: Specifies whether to extract the (external) ticket ID of the requested change from the Comments field of access rules and objects.
Ticket ID Regex: Specifies the regular expression used to extract the ticket ID. Note: The default regular expression represents a 5-digit number. For information about regular expressions, see http://www.regular-expressions.info/ Note: Changes to the regular expression are relevant for future change tracking records only. Existing records are not affected.
Change Reconciliation
Enable change reconciliation: Specifies whether to enable the Change Reconciliation feature. Note: Selecting this property enables the other fields in this section.
Authorized changes must have tickets: Specifies whether a change can be authorized if no matching tickets (in Skybox) are found for the change.
Pending changes are automatically unauthorized within <n> days: Specifies the number of days to leave changes in the Pending state. After this number of days, the status of Pending changes becomes Unauthorized.
Pending changes that haven't started the reconciliation process are automatically unauthorized within <n> days: Specifies whether pending changes that are not even partially reconciled are automatically marked as Unauthorized and, if so, within how many days.
Enable auto-matching by ticket ID: Specifies whether change tracking analysis attempts to match changes and Skybox tickets by external ticket IDs.
Enable auto-matching by addresses & ports: Specifies whether change tracking analysis attempts to match changes and Skybox tickets by IP addresses and ports.
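
The following added example (not Skybox code, and not part of the original guide) shows why the Ticket ID Regex deserves a test against real rule comments before Change Reconciliation relies on it: a bare 5-digit pattern can pick up the start of a date or other long number and leave a ticketed change unmatched. The two patterns, the simplified Matched/Pending/Unauthorized model, and all sample data are assumptions; the patterns use Python re syntax, so confirm that the product's regex engine accepts lookarounds before using the bounded form.

```python
import re
from dataclasses import dataclass
from datetime import date

# Assumption: the guide only says the default "represents a 5-digit number".
# \d{5} is one plausible reading, not the product's documented default.
NAIVE_PATTERN = r"\d{5}"
# Tighter variant: exactly five digits that are not part of a longer digit run.
BOUNDED_PATTERN = r"(?<!\d)\d{5}(?!\d)"


def extract_ticket_id(comment, pattern):
    """Return the first ticket ID the pattern finds in a comment, or None."""
    match = re.search(pattern, comment or "")
    return match.group(0) if match else None


@dataclass
class Change:
    rule: str        # constructed rule identifier
    comment: str     # Comments field of the access rule
    detected: date   # date the change was detected


def reconcile(changes, external_ticket_ids, today, pending_days, pattern):
    """Simplified model of auto-matching by ticket ID plus Pending aging.

    Matched      - extracted ID equals a known external ticket ID
    Pending      - no match yet, change is at most pending_days old
    Unauthorized - no match and the change is older than pending_days
    """
    result = {}
    for change in changes:
        ticket_id = extract_ticket_id(change.comment, pattern)
        age_days = (today - change.detected).days
        if ticket_id in external_ticket_ids:
            result[change.rule] = ("Matched", ticket_id)
        elif age_days > pending_days:
            result[change.rule] = ("Unauthorized", ticket_id)
        else:
            result[change.rule] = ("Pending", ticket_id)
    return result


# Constructed sample data (not taken from any real deployment).
CHANGES = [
    Change("rule-10", "Added 20190412 for ticket 48213 by jsmith", date(2019, 4, 12)),
    Change("rule-11", "CHG 51177 open HTTPS to DMZ", date(2019, 4, 20)),
    Change("rule-12", "temporary access, no ticket", date(2019, 3, 1)),
    Change("rule-13", "emergency fix", date(2019, 4, 25)),
]
EXTERNAL_TICKET_IDS = {"48213", "51177"}
TODAY = date(2019, 5, 1)
PENDING_DAYS = 30

if __name__ == "__main__":
    for name, pattern in (("naive", NAIVE_PATTERN), ("bounded", BOUNDED_PATTERN)):
        print(name)
        outcome = reconcile(CHANGES, EXTERNAL_TICKET_IDS, TODAY, PENDING_DAYS, pattern)
        for rule, (status, ticket_id) in outcome.items():
            print(f"  {rule}: {status} (extracted: {ticket_id})")
```

With the naive pattern, rule-10 stays Pending because the date prefix 20190 is extracted instead of the ticket ID; in this model it would age into Unauthorized even though a valid ticket is named in the comment.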

CUSTOMIZATION
These properties enable you to customize the look and feel of Skybox Change
Manager and Skybox Horizon to better match your organization.

Note: Click Reset to Default to restore the Skybox look and feel at any point.
The properties in the Customization page are described in the following table.

Property: Description
Logo
Company Name: The company name to display; default is SKYBOX.
Website Address: Specifies the URL that opens when users click the logo at the top left of the Change Manager or Skybox Horizon page; default is www.skyboxsecurity.com
Logo Image: The logo to be shown at the top left of the Change Manager or Skybox Horizon page. Note: The logo must be in PNG format and should be 75 x 43 pixels. Larger images are resized to 75 x 43 for display.
Welcome Logo Image: The logo to be shown at the top of the Change Manager home page. Note: The logo must be in PNG format and should be 250 x 101 pixels. Larger images are resized to 250 x 101 for display.
Login Screen Image: The logo to be shown on the login screen of Change Manager and Skybox Horizon. Note: The logo must be in PNG format and should be 500 x 305 pixels. Larger images are resized to 500 x 305 for display.
Toolbar Background Colors: The colors to display on the Change Manager or Skybox Horizon toolbar.
Toolbar Foreground Colors: The colors of the text to display on the Change Manager or Skybox Horizon toolbar. Note: Each text color is displayed directly underneath the background color on which it will be used. (There is no text on the 3rd section of the toolbar.)
Message of the Day
Enter message of the day in HTML format: The message to display after a user logs in to Skybox Change Manager. Note: The <html>, <body>, <header>, and <script> tags cannot be used in the message.
Dashboards
Maximal number of dashboards: The maximum number of dashboards in a Skybox web interface.

DICTIONARY SETTINGS
The properties in the Dictionary Settings page are described in the following
table.
Property: Description
Severity Score: Specifies whether the source of the severity score is the CVSS Base Score or the CVSS Temporal Score.
Severity Levels: Specifies the severity ranges per level. For example, any severity score between 9 and 10 has the level Critical (by default) and is displayed in Skybox Manager as, for example, Critical (9.1).

About the severity levels

› Level names cannot be changed, only upper and lower bounds.


› Modification of these levels also affects the security metric severity levels in
Security Metric Properties dialog boxes, and security metrics analysis.

ELASTICSEARCH EXPORT SETTINGS


The properties in the Elasticsearch Export Settings page are used to describe an
external Elasticsearch instance to which Skybox exports information. The
properties are described in the following table.

Note: Changing these properties requires a Server restart.


Property: Description
External Elasticsearch Hostname: The host name of your Elasticsearch server. Note: Do not use localhost.
HTTP Port: The HTTP port for connecting to Elasticsearch. Note: When working with Elastic Cloud, this is the REST endpoint port (443 or 9243).
HTTP Protocol: The HTTP protocol for connecting to Elasticsearch.
HTTP Authentication: Specifies whether HTTP authentication is used when connecting to Elasticsearch.
HTTP Username: The username to use when connecting to Elasticsearch. The clear text is encrypted after the Server restarts.
HTTP Password: The password to use when connecting to Elasticsearch. The clear text is encrypted after the Server restarts.

ENTITY SETTINGS
The properties in the Entity Settings page specify the number of days that
entities are marked as new or modified. These properties are described in the
following table.
Property: Description
Mark Entity as New for <n> Days: The number of days that an asset, vulnerability occurrence, policy violation, or access rule is marked as New.
Mark Access Rule as Modified for <n> Days: The number of days that an access rule is marked as Modified.
Exception about to be expired <n> Days


LICENSE
The properties in the License page define how many days of notification are
given before the Skybox license expires. These properties are described in the
following table.
Property: Description
Notify on license expiration <n> days before expiration date: The number of days before the license for Skybox expires that user notifications are given.

PROXY SETTINGS (SERVER)


The properties in the Proxy Settings (Server) page configure a proxy server for
HTTP connections to the internet.
If the relevant Skybox Server or Collector machine is configured to connect to
the internet via a proxy, configure these settings before downloading Skybox
dictionary update files (see Dictionary updates (on page 143)).
These settings are also used by some collection tasks (if they are configured to
use proxy settings that are not defined in the task properties).
The Proxy Settings (Server) properties are described in the following table.
Property: Description
Proxy Server: The IP address of the proxy server
Proxy Port: The TCP port on which the proxy listens for HTTP requests
Local IP: The local IP address of the interface to use for updating the Skybox Vulnerability Dictionary
User Name: The user name to use for proxy authentication
Password: The user password to use for proxy authentication
NTLM authentication
Domain: The domain to use for NTLM authentication
Client Host Name: The name of the client host for NTLM authentication
Enable NTLM v2: Specifies whether to enable NTLM v2

REGIONAL SETTINGS: SERVER


The properties in the Regional Settings page specify how Skybox displays
numbers, dates, time, and currency values. These properties are described in the
following table.
Property: Description
Locale: Specifies how Skybox displays numbers, dates, and time of day.
Currency: Specifies how Skybox displays monetary values (for example, currencies, prices, and quantitative risks).

Note: By default, all users of Skybox work with the locale (and currency) set
here, but they can change the locale using Manager Options > Regional Settings
(see page 99).

REPORT CONFIGURATION
The properties in the Report Configuration page are described in the following
table.
Property: Description
Reports Footer Text: The text to display at the bottom of each page of generated reports, to a maximum of 60 characters.
Max Number of Vulnerability Occurrences (Overview): The maximum number of vulnerability occurrences in vulnerability occurrences overview reports.
Max Number of Vulnerability Occurrences (Detailed): The maximum number of vulnerability occurrences in vulnerability occurrences detailed reports.
Show PDF Bookmarks: (If PDF format is selected for a report) Specifies whether to display the table of PDF bookmarks.
Paper Size: The paper size to use when formatting the reports.

CSV Export
The properties in the Report Configuration > CSV Export page define the format
of the CSV files generated when Skybox tables are exported to CSV files. These
properties are described in the following table.
Property: Description
CSV line termination: Specifies how to terminate each line of the CSV files.
• LF ('\n'): Line feed
• CRLF ('\r\n'): Carriage return + line feed
Note: Line termination might be important if the exported files are processed in a 3rd-party program.

RULE USAGE
Rule Usage shows the actual use of each access rule for all the addresses and
ports in the rule. Addresses and ports that are never used or used very little are
potential candidates for cleanup. You can edit the definitions of the percentage
that is considered poor (Critical), fair, and good.
The properties in the Rule Usage page are described in the following table.
Property: Description
Do not show disabled rules in rule usage views or reports: Specifies that disabled access rules are not shown in rule usage views, reports, or counters.
Usage Levels: Specifies usage levels as rule usage percentages. For example:
• A rule for which only 0% of its addresses and 10% of its ports are used has poor rule usage.
• A rule that has over 40% of its addresses and ports used is a well-used rule.
(These examples are based on the default values.)
Rule Usage Period: These fields enable you to define a custom rule usage period.
Starting on: The start date for the custom rule usage period.
Ending on: The end date for the custom rule usage period.

SOFTWARE UPDATE SETTINGS


The properties in the Software Update Settings page specify whether automatic
software updating of Skybox Managers and Collectors is enabled. These
properties are described in the following table.
Property: Description
Enable automatic software updates: Specifies whether automatic (remote) software updating is enabled. Note: If remote software updating is disabled, the Server does not check whether the versions of the Skybox Managers and Collectors match its own version; you must apply patches for Skybox Managers and Collectors locally.
Enable automatic update of Skybox Collectors: Specifies whether Skybox checks Collector versions and update Collectors after the Server is updated.

SYSTEM
The properties in the System pages configure system-level settings.
Property: Description
Block simultaneous sessions of a single user on different machines: Specifies whether a single user is permitted to be logged in on more than one machine at the same time. In many organizations, this is forbidden for security reasons.

Email Configuration
The properties in the System > Email Configuration page define how Skybox
sends email messages (for example, alerts) to users. These properties are
described in the following table.
Property: Description
SMTP Server: The server used by Skybox to send messages.
SMTP Port: The SMTP server port used by Skybox.
Mail Server Authentication
Username: The user name for mail server authentication.
Password: The password for mail server authentication.
Confirm Password: The password for mail server authentication.
(Email)
Email Address: The email address from which Skybox messages are sent.
Email Caption: The email caption from which Skybox messages are sent.
Test Message: Opens the Test Message dialog box from which the administrator setting up emails in Skybox can send a test message to validate the email configuration settings.

Events and Triggers


The properties in the System > Events and Triggers page are described in the
following table.
Property: Description
System Events
Send System Events: Specifies whether to send Skybox events to remote logging servers.
Remote Logging Server: A comma-separated list of the names or IP addresses of the remote logging servers, with the format <server name>[:<port>] or nnn.nnn.nnn.nnn[:<port>]. The default port is 514.
The type of events to send:
• System: Specifies whether to send system events. System events include starting and stopping the Skybox Server and Collector, and the start and finish of each task that runs.
• Audit log: Specifies whether to send user-related events that go to the audit log.
• Activity log: Specifies whether to send activity log events. These events include many Skybox actions.
The format of the sent messages: Specifies whether to send messages that match the format of the Skybox Server operating system.
Triggers
Controls the frequency at which overdue notifications are sent: Specifies how often overdue notifications for tickets are sent. Select a frequency and then define the schedule.

For additional information, see Skybox logs (on page 145).
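
A pre-check for the Remote Logging Server value described above, as an added example (not Skybox code): it parses the comma-separated <server name>[:<port>] list, applies the default port 514, and reports malformed or duplicate entries, since a typo in this field can silently stop audit events from reaching the log server. The function name, the validation rules beyond the stated format, and the sample hosts are assumptions.

```python
import ipaddress
import re

DEFAULT_SYSLOG_PORT = 514  # default port stated in the guide

# RFC 1123 host name label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def parse_remote_logging_servers(value):
    """Parse '<server name>[:<port>]' and 'nnn.nnn.nnn.nnn[:<port>]' entries.

    Returns (servers, errors): servers is a list of (host, port) tuples in
    input order; errors is a list of human-readable problems. Only the two
    forms named in the guide are accepted (no IPv6 literals).
    """
    servers, errors, seen = [], [], set()
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            errors.append("empty entry (stray comma?)")
            continue
        host, sep, port_text = entry.partition(":")
        port = DEFAULT_SYSLOG_PORT
        if sep:
            valid = port_text.isascii() and port_text.isdigit()
            if not valid or not 1 <= int(port_text) <= 65535:
                errors.append(f"{entry}: invalid port")
                continue
            port = int(port_text)
        if re.fullmatch(r"[0-9.]+", host):
            # Looks like a dotted address: must be four octets in 0-255.
            try:
                host = str(ipaddress.IPv4Address(host))
            except ipaddress.AddressValueError:
                errors.append(f"{entry}: invalid IPv4 address")
                continue
        elif len(host) > 253 or not all(
            _LABEL.fullmatch(label) for label in host.split(".")
        ):
            errors.append(f"{entry}: invalid host name")
            continue
        key = (host.lower(), port)
        if key in seen:
            # An explicit :514 and the default port name the same destination.
            errors.append(f"{entry}: duplicate of an earlier entry")
            continue
        seen.add(key)
        servers.append((host, port))
    return servers, errors


# Constructed sample value using documentation-reserved names and addresses.
SAMPLE_VALUE = (
    "siem01.example.com, 192.0.2.10:6514, 192.0.2.300, "
    "loghost:70000, siem01.example.com:514"
)

if __name__ == "__main__":
    parsed, problems = parse_remote_logging_servers(SAMPLE_VALUE)
    for host, port in parsed:
        print(f"send to {host} port {port}")
    for problem in problems:
        print(f"rejected: {problem}")
```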

Feedback
Skybox uses statistical feedback to allow better understanding of customer
requirements and needs, enabling more accurate product design decisions to
improve the product experience. We recommend that you enable statistical
feedback.

› The feedback includes only statistical meta-data from the Skybox model. It
does not include any personally identifiable information.
› The retention period of the data is up to 1 year.
› Enabling the feedback does not cause any overhead to the Skybox Server.
› The data is sent to the dictionary server
(https://dictionary.skyboxsecurity.com/telemetry) over port 443.

The first Admin user (other than skyboxview) to log in to Skybox is asked to
enable (recommended) or disable this feedback. After that, administrators can
enable or disable the feedback from Tools > Options > Server Options >
System > Feedback.

BACKUP SETTINGS
The properties in the System > Backup Settings page define how Skybox saves
and loads the model. These properties are described in the following table.
Property: Description
Model Encryption Password: Skybox encrypts the model with a password when saving it and uses the same password to decrypt it when loading the model. If this field is empty, Skybox uses the default password. You can change the password for security purposes. However, if you change the password you cannot load models encrypted with the previous password.

Warning: We recommend that you do not change this password unless required
by your organization security policy.

TASK SETTINGS
The properties in the Task Settings pages configure task settings and task alert
settings.

Global Task Settings


The properties in the Task Settings > Global Task Settings page specify settings
for multiple Skybox tasks. These properties are described in the following table.
Property: Description
Exclude Devices: A list of devices that are not to be imported into the model. These devices are ignored when you run an offline file import task. Click Add to add names of devices to exclude. This creates a basic exclude list. Select Add > Advanced Exclude to create a list of assets to exclude based on specific filters. Double-click an entity in the list (single device or filter list) to edit it.
CyberArk Authentication: Settings used by all tasks that authenticate via CyberArk.
CyberArk Folder: The CyberArk directory.
CyberArk Application ID: The application ID to use for connecting to CyberArk.

The filters that can be used in an advanced exclude list are described in the
following table.
Filter: Description
Asset Name: The names of assets to exclude from the model (regular expression).
Network Scope: The networks to exclude from the model.
Asset Type: The types of assets to exclude from the model.
Operating Systems: The operating systems to exclude from the model.
OS Vendor: The OS vendors to exclude from the model.
Features: Assets with the selected features are excluded from the model.
No Services: Only exclude assets from the model if they have no services. (If you select No Services, the Services filter cannot be used.)
Services: Assets with the specified services are excluded from the model.
Products: Assets with these products are excluded from the model.

Task Alert Settings


The properties in the Task Settings > Task Alert Settings page specify the global
conditions and recipients of email messages that are sent when Skybox tasks
finish. These properties are described in the following table.
Note that:

› Alerts are enabled by default for all new tasks (and all predefined tasks), but
you can turn off alerts for specific tasks. In this case, no alerts are sent for
the task.
› In each task, you can set specific conditions and users for the task alert
messages. If present, these settings override the global settings.
Property: Description
Email to: The Skybox users and external email addresses that receive task alert emails.
Email on: The task exit codes for which to send task alert emails.
Message Count: The maximum number of most recent task messages to include in the text of task alert emails.

THREAT MANAGER
The properties in the Threat Manager page configure some default values of
security metrics in Skybox Vulnerability Control.
The Vulnerability Control properties are described in the following table.
Property: Description
External Alert Source: The alert source for which Vulnerability Definitions are displayed in the Threat Manager workspace.
Threat Alert Mode: If the alert source is Skybox, this parameter controls whether threat alerts in Threat Manager are managed as security bulletins and advisories, or as stand-alone Vulnerability Definitions. Note: For other alert sources, the threat alerts are managed as stand-alone Vulnerability Definitions.
Custom Vulnerability Definitions
Source Name: The source name to display for custom Vulnerability Definitions.
Source Prefix: The 3-letter prefix to use for custom Vulnerability Definitions.

For additional information, see the Setting up the Threat Manager environment
topic in the Skybox Threat Manager User Guide.

TICKET CONFIGURATION
The properties in the Ticket Configuration page are described in the following
table.
Property: Description
Synchronize model with tickets
Synchronize Model with Processed Tickets: Specifies whether to synchronize the model with changes resulting from processed tickets. If selected, closing a vulnerability occurrence ticket causes changes in the model, including changing the status of the vulnerability occurrence to Fixed and changing the asset or service to reflect the selected solution. (A vulnerability occurrence ticket usually lists several solutions, one of which is specified as the selected solution for that specific vulnerability occurrence problem.)
Attachments
Max File Size (MB): The maximum size of files that can be attached to tickets in Skybox.
External Ticketing System Synchronization
Manual Synchronization: Specifies whether external ticket IDs and statuses can be changed manually in Skybox tickets. Use this option when the Skybox ticketing system is not integrated with the external ticketing system.

About ticket priority levels


If you disable a priority level, you also disable all lower levels (that is, the levels
representing less important tickets). If there are any tickets with these priority
levels, the tickets are reassigned to the lowest remaining priority level.
If you enable a priority level, you also enable any higher levels that are disabled.
For example, if levels P3, P4, and P5 are disabled and you enable level P5, levels
P3 and P4 are also enabled.


Custom Fields
The properties in the Ticket Configuration > Custom Fields page define additional
(custom) fields for tickets. You can use custom fields in all ticket types. These
properties are described in the following table.
Property: Description
(Field list): The details of each custom field, including the title of the field, the type of the field, and the ticket types to which the field applies.

Custom Ticket Statuses


The properties in the Ticket Configuration > Custom Ticket Statuses page define
custom ticket statuses for Skybox.
Skybox supports up to 5 custom ticket statuses in addition to the predefined
ticket statuses.
When you define custom ticket statuses, specify a status group value (Open,
Done, or Invalid) for each custom status.
Custom Ticket Status properties are described in the following table.
Property: Description
Custom Status <n>: A custom ticket status name. You can add up to 5 custom ticket statuses. If empty, this custom ticket status is not supported and does not appear in the list of statuses displayed to users.
Status Group: The status group for each Custom Ticket Status. Ticket status groups (Open, Done, and Invalid) classify tickets.

General
The properties on the Ticket Configuration > General page provide control over
ticket priorities and phases, and how to handle email cc lists.
Ticket priority and phase properties are described in the following table.
Property: Description
Ticket Priority Levels: The name of each priority level. You can disable lower priority levels if they are not necessary. For example, if your organization only uses 3 priority levels, you can disable levels 4 and 5. Note: If you disable a priority level, all lower levels are also disabled; when you enable a priority level, any higher levels that are disabled are also enabled.
Ticket Phases
Ticket Type: The type of tickets for which to use the phases specified in Phase List. Each ticket type can have a separate phase list.
(Phase List): This table is not displayed if Ticket Type = Access Change. A list of information about each phase of the selected ticket type, including number (that is, order in the list), name, default owner, and user comments. The final phase (named Verification by default) is added automatically and can only be deleted after all other phases are deleted.
Ticket CC List
Manage ticket cc lists automatically: Specifies whether to add users to the cc list of tickets automatically. If selected, the following users are added to the cc list:
• Ticket creator
• Ticket owner
• Rule owners
• Users in the Email field of rule business attributes (for tickets opened on specific access rules)
• Users in custom fields in Change Manager

For information about ticket phases, see:

› The Ticket phases and due dates section in the Skybox Threat Manager User
Guide.
› The Defining ticket phases topic in the Skybox Reference Guide.
For information about ticket phases and priorities for Skybox Change Manager,
see the Creating ticket phases and workflows section in the Skybox Change
Manager Guide.

Threat Alert
The properties in the Ticket Configuration > Threat Alert page are described in
the following table.
Property: Description
(Custom Solutions): Skybox includes predefined fields for custom solutions. You can use these and add your own. Click Add to add a new custom field. The details of each custom field include the title of the field, the type of the field, the size of the field, and an optional hint for the field.

USER SETTINGS
The user settings properties are described in the following topics.

Authentication
The properties in the User Settings > Authentication page specify how Skybox
authenticates users.
These properties are described in the following table.
Property: Description
Skybox: (Read-only) Skybox authentication is always enabled. You can use it in conjunction with external authentication systems.
Support External Authentication: Specifies whether to use an external method of authentication in addition to Skybox authentication.
LDAP: Specifies whether authentication using LDAP is enabled. Note: Before using LDAP, set the necessary LDAP properties on the External User Management page (see page 130).
LDAP server properties (on page 125): The properties of the LDAP servers. Skybox supports up to 10 LDAP servers for different domains. Double-click a server in the table to define its properties; click Add to add an additional server. Note: You must define the properties of the default LDAP server before you can use it.
RADIUS: Specifies whether authentication using RADIUS is enabled. Note: To use RADIUS authentication, configure the primary and secondary servers, as explained following this table.
Port Number: The RADIUS server port. Do not change this value.
Server: The name or IP address of the primary RADIUS server.
Secondary Server: The name or IP address of the secondary RADIUS server.
SiteMinder: Specifies whether authentication using SiteMinder is enabled. Note: Before using SiteMinder, set up integration with SiteMinder (see page 126).

To configure the primary or secondary server for RADIUS


1 Click Configure.
2 In the Configure Radius Server dialog box, type the name or IP address of the
server and provide the shared secret for the selected server.
3 Click Test.
Skybox attempts to connect to the server and retrieve its certificate.
If the certificate is not trusted by Skybox, a message with the main details of
the certificate is displayed.
4 If you trust the certificate, it is added to the Skybox Web Client keystore.
5 Click OK.
LDAP server properties
The properties of the LDAP server for each domain are described in the following
table.

| Property | Description |
| --- | --- |
| Port Number | The LDAP server port. The default is 389. |
| Server | The name or IP address of the primary LDAP server. Click Test to test connection to the server. |
| Secondary Server | (Optional) The name or IP address of the secondary LDAP server. Click Test to test connection to the server. |
| Default Domain | The initial domain to use when defining new LDAP-authenticated users. (In Microsoft Active Directory, each user is associated with a domain.) |
| LDAP UID | The attribute in the LDAP server that stores a user’s login name. Note: If you are using multiple LDAP servers, userPrincipalName is the only supported uid after the first LDAP server. If you use userPrincipalName for any LDAP server, you must define an external user. |
| LDAP root DN | The DN to use when connecting to the LDAP server. For example, DC=il,DC=skyboxsecurity,DC=com |
| Connection Type | The connection to use when connecting to the LDAP server. |
| Enabled | Specifies whether this server is enabled for authentication. |

Before using LDAP authentication, configure the primary server for each domain
and, if necessary, the secondary server.

To configure the primary or secondary server for a domain


1 In the Server (or Secondary Server) field, type the name or IP address of
the server.
2 Click Test. Skybox attempts to connect to the server and retrieve its
certificate.
If the certificate is not trusted by Skybox, a message with the main details of
the certificate is displayed.
3 If you trust the certificate, it is added to the Skybox Web Client keystore.
4 Click OK.

Troubleshooting LDAP authentication


If the primary LDAP server does not respond within a specified period, Skybox
tries to log in to the secondary LDAP server. You can change the timeout for
login using LDAP by changing the value of LDAP_connection_timeout in
<Skybox_Home>\server\conf\sb_server.properties

Setting up integration with SiteMinder


Note: Integration with SiteMinder is supported only when Skybox Server is
installed on a Linux machine.

To set up integration with SiteMinder


1 Install the SiteMinder agent (see page 127) on the Server machine.
2 Configure SiteMinder (see page 127) to permit communication with Skybox.
3 Create a SiteMinder properties file (see page 128). Copy the file to the
<Skybox_Home>/server/conf directory.
4 Enable Skybox to work with SiteMinder:
a. Navigate to Tools > Options > Server Options > User Settings >
Authentication.
b. Select Support External Authentication.
c. Select SiteMinder.
Installing the SiteMinder agent
You must install the SiteMinder agent on the Skybox Server machine.

To install the communication agent


1 Copy the SMAgent binary file from <Skybox_Home>/data/others/sm/bin to
<Skybox_Home>/server/bin
2 Add this directory to LD_LIBRARY_PATH.
For example, LD_LIBRARY_PATH=/smagent:$LD_LIBRARY_PATH
3 Execute the command: export LD_LIBRARY_PATH
4 Install the libgcc standard package on the Skybox Server machine.
Configuring SiteMinder to communicate with Skybox
For SiteMinder to communicate with Skybox, you must define a type 5.x agent in
SiteMinder.

Note: In production environments, 5.x is required. In other environments, you
can configure a 4.x agent if 5.x configuration fails.

To define a 5.x agent


1 In SiteMinder, create an agent.
2 Create a host configuration object (you can duplicate it from
DefaultHostSettings). The PolicyServer field must contain the IP address
of the SiteMinder server.
3 Create an agent configuration object (you can duplicate it from another
configuration object). Fill the fields AgentName and DefaultAgentName
with the value <new agent name>.
4 Register the host on which SMAgent is to run (that is, the Skybox Server):
• smreghost -i <SM server IP address> -u <admin name> -p <admin password> -hn <host name> -hc <host configuration object name>
SmHost.conf is created.
5 Create a WebAgent.conf file that includes the following lines:


agentconfigurationobject=<agent configuration object name>
hostconfigfile=<path to SmHost.conf>
enablewebagent=YES

To define a 4.x agent


1 In SiteMinder, create an agent.
2 Select 4.x Support.
3 Type the IP address of the host on which SMAgent is to run.
4 Provide a shared secret.

Additional steps after the agent is defined


Under Domains, create a Realm. Type <new agent name> as the name of the
agent.

› Use the resource filter here as the value of the resource property in the
properties file to be created in the next section.
SiteMinder properties file
SiteMinder integration requires the file
<Skybox_Home>/server/conf/sm_properties.txt. This file must have the
format:
<key1>=<value1>
<key2>=<value2>

The properties to include in the file depend on the version of the agent (5.x or
4.x).
Properties common to 4.x and 5.x agents are described in the following table.

| Key | Description | Mandatory |
| --- | --- | --- |
| server_ip | The IP address of the SiteMinder Policy Server. | Yes |
| agent_name | The agent name defined on the SiteMinder Server. | Yes |
| resource | The resource protected by the agent. | Yes |
| max_cookie_size | Advanced: The memory allocated for updated cookies. The default value is 4096. | No |
| user_attrib | Advanced: The attribute number in which to look for the user name. You might have multiple entries of user_attrib. | No |

Properties for 5.x agents only are described in the following table.

| Key | Description | Mandatory |
| --- | --- | --- |
| agent_version | The agent version. Set to 5. | Yes |
| sm_host_conf_file | The path to the WebAgent.conf file. | Yes |

Properties for 4.x agents only are described in the following table.

| Key | Description | Mandatory |
| --- | --- | --- |
| agent_version | The agent version. Do not change the default value (4). | No |
| shared_secret | The shared secret defined on the SiteMinder Server side. | Yes |
| agent_ip | The IP address of the host that runs the agent. | Yes |
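
As an added example (not part of the Skybox guide or of Skybox itself), the following script checks the contents of an sm_properties.txt file against the three tables above before the file is copied to the conf directory. The function names and both sample files are constructed for illustration; treating a missing agent_version as 4 follows the default stated above.

```python
import ipaddress

# Keys and rules taken from the tables above; the default agent_version is 4.
COMMON_MANDATORY = ("server_ip", "agent_name", "resource")
VERSION_MANDATORY = {"5": ("sm_host_conf_file",), "4": ("shared_secret", "agent_ip")}
REPEATABLE = {"user_attrib"}          # "You might have multiple entries"
NUMERIC = ("max_cookie_size", "user_attrib")
IP_KEYS = ("server_ip", "agent_ip")

# Constructed samples: documentation-range addresses, placeholder path.
GOOD_5X = """\
server_ip=192.0.2.10
agent_name=skybox_agent
resource=/skybox
agent_version=5
sm_host_conf_file=/path/to/WebAgent.conf
user_attrib=1
user_attrib=2
"""
BAD_4X = """\
server_ip=policy.example
agent_name=skybox_agent
resource=/skybox
agent_ip=192.0.2.20
max_cookie_size=4k
"""


def parse_properties(text):
    """Return (key, value) pairs from <key>=<value> lines, keeping repeats.

    A line without '=' is returned with value None so the caller can report it.
    """
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        pairs.append((key.strip(), value.strip() if sep else None))
    return pairs


def check_sm_properties(text):
    """Return a list of problems found in the text of an sm_properties.txt file."""
    problems = []
    values = {}
    for key, value in parse_properties(text):
        if value is None:
            problems.append(f"line is not in <key>=<value> format: {key!r}")
            continue
        if key in values and key not in REPEATABLE:
            problems.append(f"{key} is defined more than once")
        values.setdefault(key, []).append(value)

    # The last agent_version entry wins; absent means the 4.x default.
    version = values.get("agent_version", ["4"])[-1]
    if version not in VERSION_MANDATORY:
        problems.append(f"agent_version must be 4 or 5, found {version!r}")

    for key in COMMON_MANDATORY + VERSION_MANDATORY.get(version, ()):
        if not any(values.get(key, [])):
            problems.append(f"{key} is mandatory for a {version}.x agent")

    for key in IP_KEYS:
        for value in values.get(key, []):
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{key} is not an IP address: {value!r}")

    for key in NUMERIC:
        for value in values.get(key, []):
            if not value.isdigit():
                problems.append(f"{key} must be a number: {value!r}")

    if version == "4":
        # The guide requires a 5.x agent in production environments.
        problems.append("agent_version 4: production environments require a 5.x agent")
    return problems


if __name__ == "__main__":
    for name, sample in (("GOOD_5X", GOOD_5X), ("BAD_4X", BAD_4X)):
        print(name, check_sm_properties(sample) or "no problems found")
```

A 4.x file also holds the shared secret in clear text, so it is worth restricting who can read it on the Skybox Server machine.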

Additional configuration properties for SiteMinder


The SiteMinder properties in
<Skybox_Home>/server/conf/sb_server.properties are described in the
following table.

Note: There is usually no reason to change the values of these properties.


| Property | Description | Default Value |
| --- | --- | --- |
| SM_authentication_enabled | Specifies whether to enable user authentication using SiteMinder (Controlled by selecting Tools > Options > Server Options > User Settings > Authentication) | <disabled> |
| SM_properties_file | The name of the SiteMinder properties file under <Skybox_Home>/server/conf | sm_properties.txt |
| SM_agent_name | The name of the SiteMinder agent utility under <Skybox_Home>/server/bin | smagent |
| SM_agent_params | For internal use only | |
| SM_session_cookie | The name of the SiteMinder cookie that stores the SiteMinder SSO Token | SMSESSION |
| SM_cookie_max_age | The maximum age of the session cookie in seconds | 3600 |

Testing communication
You can test communication between SiteMinder and Skybox after you finish the
setup.

To test communication

› On the Server machine, launch SMAgent by running:


smagent sm_properties.txt –user nofile
The message Initializing Agent is Successful means that the SMAgent
was configured successfully.

Disabling Inactive Users


The properties in the User Settings > Disabling Inactive Users page specify how
Skybox handles inactive users.
These properties are described in the following table.

| Property | Description |
| --- | --- |
| Automatically Disable Inactive Users | Specifies whether Skybox disables and deletes inactive user accounts. Note: The other fields are disabled if this flag is cleared. In this case, delete and disable inactive users manually (for additional information, see Users (on page 73)). |
| Disable inactive users after <n> days | The number of days of inactivity before a user account is disabled. |
| Delete accounts of disabled users after <n> days | The number of days a user account is disabled before it is deleted. |
| Reassign tickets of deleted users to | When a user is automatically deleted, any tickets they own are reassigned to this user. Note: This user is never deleted even if their account becomes inactive. |

External User Management


To use LDAP to manage users:

› Define the LDAP server on the Authentication page (see page 124).
› Create a Skybox user group to correspond to the LDAP users (see page 79).
› Define the properties explained here.
The properties in the User Settings > External User Management page are
described in the following table.

| Property | Description |
| --- | --- |
| LDAP | Specifies whether external user management via LDAP is enabled. |
| Global User | Click Configure to specify the global user name and password. |
| Default Authentication Method | The default method to use for authenticating LDAP users who are managed externally. |
| Advanced | The names of attributes used in user records in LDAP, used for pulling user information from the LDAP server. Note: The attribute names provided are standard in LDAP; only change them if your organization uses other or customized attribute names. |

Single Sign-On (SSO)


The properties in the User Settings > Single Sign-On (SSO) page define how
users (of Skybox Web Client and Change Manager) connect to the SSO provider.
These properties are described in the following table.

| Property | Description |
| --- | --- |
| SSO Login Prompt | The SAML message to display on the Login page. For example, “Login via an external SSO provider”. |
| | The URL address of the SSL provider |
| Web Client Direct Access URL | The direct access URL to log in to Skybox Web Client using the SSO. |
| Change Manager Direct Access URL | The direct access URL to log in to Skybox Change Manager using the SSO. |
| Default User Role for SAML login | |
| Default User Role | The default user role for all users logging in to Skybox via the SSO. |

Note: Additional configuration (on page 131) is necessary before using SSO for
user management.
Enabling user management via SAML (SSO) authentication
Enabling Skybox Web Client users to log in via their organization’s single sign-on
(SSO) system, such as Okta, requires setup of the SSO and of Skybox.

Setting up the SSO

› Configure the SSO as specified in the following example, replacing <server>
with the Skybox Server DNS name or IP.

<?xml version="1.0" encoding="UTF-8" ?>
<saml2:Assertion
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id5309842914368903509183731" IssueInstant="2019-05-27T14:13:20.424Z"
    Version="2.0">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/Issuer</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">userName</saml2:NameID>
    <saml2:SubjectConfirmation
        Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2019-05-27T14:18:20.425Z" Recipient="https://<server>:8443/skybox/saml/saml/sso"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2019-05-27T14:08:20.425Z"
      NotOnOrAfter="2019-05-27T14:18:20.425Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://<server>:8443/skybox/saml/saml</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2019-05-27T14:11:10.955Z">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue
          xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:string">user.email
      </saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="samaccountname"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue
          xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:string">user.samaccountname
      </saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="role"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue
          xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:string">"ADMIN"
      </saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>

Note: The line xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">"ADMIN" logs each user in to Skybox as an admin. If it is
empty, users are given the default role selected in Single Sign-On (SSO) (on
page 130).
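
As an added example (not part of the Skybox guide or of Skybox itself), the following script reviews an assertion captured from the IdP's preview against the values shown above: the Recipient and Audience URLs for <server>, the email and samaccountname attributes, and a role attribute fixed to ADMIN. The host name, function names and sample assertion are constructed for illustration, and treating email and samaccountname as expected attributes is an assumption drawn from the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: the attributes in the guide's example are the ones Skybox expects.
EXPECTED_ATTRIBUTES = ("email", "samaccountname")

# Constructed sample modelled on the guide's assertion (not real IdP output).
SAMPLE_TEMPLATE = """\
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml2:Subject>
    <saml2:NameID>userName</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData
          Recipient="https://{server}:8443/skybox/saml/saml/sso"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions>
    <saml2:AudienceRestriction>
      <saml2:Audience>https://{server}:8443/skybox/saml/saml</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email">
      <saml2:AttributeValue>user.email
      </saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="samaccountname">
      <saml2:AttributeValue>user.samaccountname
      </saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="role">
      <saml2:AttributeValue>{role}
      </saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def sample_assertion(server, role=""):
    """Build the constructed sample for a given server name and role value."""
    return SAMPLE_TEMPLATE.format(server=server, role=role)


def review_assertion(xml_text, server):
    """Return configuration findings for an assertion you captured yourself.

    This reviews IdP settings only. It does not verify the XML signature, and
    ElementTree is not hardened against hostile XML, so do not use it to
    accept live logins.
    """
    base = f"https://{server}:8443/skybox/saml/saml"
    expected_recipient = base + "/sso"
    root = ET.fromstring(xml_text.strip())
    findings = []

    data = root.find(".//saml2:SubjectConfirmationData", NS)
    recipient = data.get("Recipient") if data is not None else None
    if recipient != expected_recipient:
        findings.append(f"Recipient is {recipient!r}, expected {expected_recipient!r}")

    audiences = [a.text.strip() for a in root.findall(".//saml2:Audience", NS) if a.text]
    if audiences != [base]:
        findings.append(f"Audience is {audiences!r}, expected [{base!r}]")

    attributes = {}
    for attr in root.findall(".//saml2:Attribute", NS):
        value = attr.find("saml2:AttributeValue", NS)
        text = value.text if value is not None and value.text else ""
        # The guide's example wraps the role in double quotes: "ADMIN".
        attributes[attr.get("Name")] = text.strip().strip('"')

    for name in EXPECTED_ATTRIBUTES:
        if name not in attributes:
            findings.append(f"attribute {name!r} is missing")

    # A constant ADMIN role logs every SSO user in as an admin; an empty
    # value lets the Default User Role setting apply instead.
    if attributes.get("role", "").upper() == "ADMIN":
        findings.append("role is the constant ADMIN: every SSO user logs in as an admin")
    return findings


if __name__ == "__main__":
    host = "skybox.example.internal"   # constructed host name
    for finding in review_assertion(sample_assertion(host, role='"ADMIN"'), host):
        print("finding:", finding)
```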

Setting up Skybox
1 Make sure that you have configured the parameters for Single Sign-On (on
page 130) (in Tools > Options > Server Options > User Settings >
Single Sign-On (SSO)).
2 Obtain the SSO URL and certificate (CERT file).
3 Put the certificate in a temporary directory on the server.
4 Run the following keytool command (<sso.cert> is the certificate from step
2):
keytool -importcert -file <sso.cert> -keystore saml.jks -alias saml
5 When prompted, enter the keystore password.
6 Re-enter the keystore password.
7 Put the saml.jks file in <Skybox_Home>/server/conf/.
8 Restart the Skybox Server.

User Permissions
The properties in the User Settings > User Permissions page limit the parts of the
model to which users have access. These properties are described in the
following table.

| Property | Description |
| --- | --- |
| Firewall Assurance, Network Assurance (Access Analyzer) & Vulnerability Control Permissions | |
| Permissions for Firewall Assurance, Network Assurance (Access Analyzer) & Vulnerability Control | Specifies whether Skybox limits the parts of the model that users can view. |
| Apply Firewall Assurance permissions to Change Manager tickets | Specifies whether users handling Change Manager tickets are only able to view change requests for firewalls for which they have Firewall Assurance permissions. |
| Change Manager Permissions | |
| Permissions for Change Manager | Specifies whether Skybox limits the phases of Access Change tickets that users can change. |
| Tickets can only be edited by their owner | Specifies whether users, even with Change Manager permissions, can only edit their own tickets. |

Permissions are available for:

› Skybox Firewall Assurance: Firewall folders
› Skybox Network Assurance: Devices shown in Access Analyzer
› Skybox Vulnerability Control: Business Units and locations
› Skybox Change Manager: Phases of Access Change tickets
If permissions are enabled, Admins must set permissions for each User-type
user and for each user group. If no permissions are set for a User-type user or
for any of that user’s user groups, the user cannot see any information in Skybox
Firewall Assurance or Skybox Vulnerability Control, and cannot make any
changes to tickets in Skybox Change Manager. All Admins have full permissions.
Note: For Skybox Change Manager, you can apply additional editing restrictions
on the phases themselves from Tools > Options > Server Options > Change
Manager > Workflows. Additional permissions related to Change Manager
users are defined in Tools > Options > Server Options > Change Manager >
Permissions > Requestor Permissions.

VULNERABILITY CONTROL
The properties in the Vulnerability Control page are described in the following
table.

| Property | Description |
| --- | --- |
| Unassigned Assets | |
| Maintain 'Unassigned Assets' Site Asset Group | Sites and site asset groups are primarily used for Skybox Horizon. Skybox can include a group for all assets that are not part of any other site asset group. This can be used to troubleshoot your group definitions. Note: This group is also part of the security metric calculations. |
| Maintain 'Unassigned Assets' Business Asset Group | Skybox can include a group for all assets that are not part of any other Business Asset Group. This can be used to troubleshoot your group definitions. Note: This group is also part of the security metric calculations. |
| Standards Definition | How data is presented in the Vulnerability Control centers. |
| Default SLA Values for New Security Metrics | The default values when creating a new security metric. You can leave fields empty. |
| Critical | The number of days within which a vulnerability occurrence with Critical severity should be fixed. |
| High | The number of days within which a vulnerability occurrence with High severity should be fixed. |
| Medium | The number of days within which a vulnerability occurrence with Medium severity should be fixed. |
| Low | The number of days within which a vulnerability occurrence with Low severity should be fixed. |
| Info | The number of days within which a vulnerability occurrence with Info severity should be fixed. |
| Business Asset Groups Update Warning | |
| Warn users when Business Asset Groups have not been updated in <n> days | Specifies how many days after the Business Asset Groups were most recently updated until a warning is shown in Skybox Manager. The warning is shown on the Summary page and in the Discovery Center, Analytics Center, and Remediation Center. |
| Analytics Center | |
| Display the Analytics Center pages (for backward compatibility) | Specifies whether to display the old Center page in Vulnerability Control. Note: The information on this page is also found on the Prioritization and Remediation pages; the page is generally considered redundant. |

Discovery Period for Web Client


The properties in the Vulnerability Control > Discovery Period for Web Client
page configure the mapping between when an asset was last discovered and its
score. This is used in the Discovery module of Skybox Web Client – Vulnerability
Control.

| Property | Description |
| --- | --- |
| Discovery Period – Mapping | Maps discovery ranges (in days) to discovery levels. You can edit the upper bound of any level except the highest level. |

Risk Score for Web Client


The properties in the Vulnerability Control > Risk Score for Web Client pages
configure the default values to use in calculating risk scores in Skybox Web Client
– Vulnerability Control.

| Property | Description |
| --- | --- |
| Risk Score – Severity Mapping | Maps risk score ranges to severity levels. You can edit the upper bound of any level except the highest level. |

Assets
The properties in the Vulnerability Control > Vulnerability Control > Assets page
define parameters used in calculating the risk for assets and vulnerability
occurrences.
These properties are described in the following table.

| Property | Description |
| --- | --- |
| Asset Importance | |
| Asset Importance Scale | A score (by default from 1-5) that reflects how important an asset is to the organization. Asset importance is a factor in the vulnerability occurrence and asset risk score equations. Either numbers or ranges can be used. |
| Default Asset Importance | The default importance to be assigned to new assets. |
| Asset Importance Range Mapping | Maps the score levels of the asset importance scale to names. For example, 1=Very Low; 5=Very High. |
| Asset vulnerability Rating | |
| Asset Vulnerability Rating | The formula to use for calculating an asset’s vulnerability rating and risk score. |
| Vulnerability Rating Weight Mapping | When using the weighted calculation method, the weight to use for each vulnerability rating (or each vulnerability risk score divided by 10) in the function. |

Vulnerabilities
The properties in the Risk Score for Web Client > Vulnerability Control >
Vulnerabilities page are described in the following table.

| Property | Description |
| --- | --- |
| Risk Scoring for Vulnerabilities | |
| Exposure to Risk Score Mapping | Maps the exposure levels of vulnerability occurrences to the risk score ranges. |
| Vulnerability Rating | |
| Vulnerability Rating Formula | Specifies the formula to use for calculating the vulnerability rating, which is used to calculate asset and vulnerability risk. Note: The vulnerability rating equation defined in this table is not relevant when the formula chosen consists of only the CVSS score. |
| Vulnerability Rating Equation | |
| Equation when there is some exposure | Displays the equation used for calculating the vulnerability rating when there is some exposure, and specifies the ratios of exposure, CVSS, and exploitability to use in the equation. Note: The sum of the coefficients must equal 1. |
| Equation when there is no known or computed exposure | Displays the equation used for calculating the vulnerability rating when the exposure is unknown or not computed, and specifies the ratios of CVSS and exploitability to use in the equation. Note: The sum of the coefficients must equal 1. |
| Exploitability Weight Mapping | Maps the exploitability levels of vulnerability occurrences to weights that are used in the vulnerability rating equation. |
| Exposure Weight Mapping | Maps the exposure levels of vulnerability occurrences to weights that are used in the vulnerability rating equation. |

Chapter 20

Skybox Web Client


This chapter provides setup information for Skybox Web Client.

Supported web browsers


The following browsers are supported when working with the Web Client:

› Firefox
› Google Chrome
› Microsoft Edge (version 40 and up)

Privacy settings
Only Admin users are permitted to create, edit, and delete public filter sets,
dashboards, and Network Maps. All other users can only create private ones, or
clone the public ones and save them (as private). (Reports do not have privacy
settings—all reports are public.)

Permissions
Permissions in the Web Client are equivalent to those in the Java Client. For
example, only administrators and users have access to the admin console, and
users can only run tasks for which the user role has permissions, such as report
generation and analysis.

REPORTS IN SKYBOX WEB CLIENT


Scheduling reports
The reports feature in Skybox Web Client supports scheduled tasks that can be
configured from Skybox Manager (the Java client). Each scheduled report
requires a separate task.

To configure a scheduled report


1 Create a task of type Reports – Auto Generation.
2 Select Web Client Reports as the type.
3 In the Web Client Reports field, select the report to schedule.

Reports in Skybox Web Client running on Linux servers


Note: The reporting engine requires Linux V7; it does not work on Linux V6.
If your Skybox Server is running on Linux, an administrator (as root user) must
do the following to support the reporting engine in Skybox Web Client:

1 Install additional packages by running:
yum -y install libX11 libXcomposite libXcursor libXdamage libXext libXi libXtst cups-libs libXScrnSaver libXrandr alsa-lib pango atk at-spi2-atk gtk3
2 Run:
a. echo user.max_user_namespaces=1000 >> /etc/sysctl.conf
b. sysctl -p

Chapter 21

Working with IPv6


Skybox provides support for IPv6 for:

› Palo Alto Networks devices
› Cisco Firepower devices
› Qualys scanners

Limitations on support for IPv6


Skybox support for IPv6 has the following limitations:

› Change Manager does not support IPv6
› Skybox Appliance on IPv6 is not supported
› For Qualys scans, only Host List Detection reports support IPv6, not JSON
› Interoperability of IPv4 and IPv6 is not supported

How to enable IPv6


IPv6 support is disabled by default. To enable it, set the following flags and then
restart the Server, the Collector, and Skybox Manager (the Java client).

Server

› /server/conf/sb_server.properties
• model_ipv6=true

› /server/conf/sb_common.properties
• ipv6_collection_toggle=true
• paloalto.shouldModelIPv6=true
• qualys.shouldModelIPv6=true
• cisco_firepower.shouldModelIPv6=true

Collector

› /collector/conf/sb_collector.properties
• model_ipv6=true

› /collector/conf/sb_common.properties
• ipv6_collection_toggle=true
• paloalto.shouldModelIPv6=true
• qualys.shouldModelIPv6=true
• cisco_firepower.shouldModelIPv6=true

Skybox Manager

› \app\conf\sb_common.properties
• ipv6_collection_toggle=true
• paloalto.shouldModelIPv6=true

Chapter 22

Configuring Skybox using the properties files
This chapter describes the main Skybox properties files, which configure and
fine-tune the behavior of Skybox components.
Edit the properties files using a standard text editor. Unless specified otherwise
(in the file), all changes to these files are applied as soon as the file is saved.

In this chapter
Server properties file
Collector properties file
Skybox Manager properties file
Common properties file
Port properties file

SERVER PROPERTIES FILE


The file <Skybox_Home>\server\conf\sb_server.properties contains options
that control Server activity.
You can modify many of the properties in this file in Skybox Manager (Tools >
Options).

COLLECTOR PROPERTIES FILE


The file <Skybox_Home>\collector\conf\sb_collector.properties contains
options that control the Collector’s activity. These options can change the
behavior of online collection or offline file import tasks.

SKYBOX MANAGER PROPERTIES FILE


The file <Skybox_Home>\app\conf\sb_app.properties contains options that
control Skybox Manager activities and change the display in the Skybox Manager
window.
You can modify most of the properties in this file in Skybox Manager (Tools >
Options).

COMMON PROPERTIES FILE


The sb_common.properties file contains properties used by the Skybox Server
and the Collector; some properties are also used by Skybox Manager.
There are 3 sb_common.properties files:

› (Server) <Skybox_Home>\server\conf\sb_common.properties
› (Collector) <Skybox_Home>\collector\conf\sb_common.properties
› (Manager) <Skybox_Home>\app\conf\sb_common.properties
If multiple Skybox components are installed on the same machine, changes to an
sb_common.properties file affect only the relevant Skybox component.

PORT PROPERTIES FILE


The sb_ports.properties file specifies the ports used by Skybox components
for communication between themselves.

Caution: Do not change the default ports. This is only necessary if 2 Skybox
Servers or 2 Skybox Collectors are running on the same machine (not
recommended).

There are 2 sb_ports.properties files:

› (Server) <Skybox_Home>\server\conf\sb_ports.properties
› (Collector) <Skybox_Home>\collector\conf\sb_ports.properties

Note: Restart the relevant Skybox component to apply port changes.

Synchronize changes made to the sb_ports.properties file on the Skybox
Server machine and on the Collector machines to enable communication. For
example, if the Collector expects the Skybox Server to work on a specific port,
set the Skybox Server to listen on that port.

Note: If you change the Skybox Server port, inform all Skybox users so that they
can modify the login from Skybox Manager.

Note: If you change the value of skyboxview.ssl.port in the Collector file, you
must also change the value of springboot.server.port in
sb_collector.properties.

Chapter 23

Dictionary updates
The Skybox Vulnerability Dictionary contains information about Vulnerability
Definitions and IPS signatures. Skybox uses the Vulnerability Dictionary for
Security Risk Management.
Skybox includes the most up-to-date Vulnerability Dictionary at the time of
release, but new updates are released 6 days a week. Keep the Vulnerability
Dictionary up-to-date to detect and handle new Vulnerability Definitions and IPS
signatures as they are published.
This chapter contains information about updating the Vulnerability Dictionary.

In this chapter
About Vulnerability Dictionary updates
Updating the Skybox Vulnerability Dictionary

ABOUT VULNERABILITY DICTIONARY UPDATES


You retrieve a new (updated) Vulnerability Dictionary from Skybox by running
the Dictionary Update – Daily task. During this task, the Skybox Server
retrieves updates from the internet.
Dictionary updates include:

› Updated Vulnerability Definition information
› Updated IPS signatures for supported devices.

Checking the Vulnerability Dictionary version

To view information about the Vulnerability Dictionary version

› Select File > Dictionary > Show Dictionary Info.

Frequency of Vulnerability Dictionary updates


Usually, Dictionary updates are released 6 days a week; an additional Dictionary
update is released whenever a new critical Vulnerability Definition is published. A
critical Vulnerability Definition is a severe Vulnerability Definition on a popular
product.

Configuring Vulnerability Dictionary updates


You can modify all Dictionary update access properties in the dictionary auto
update section of <Skybox_Home>\server\conf\sb_server.properties

UPDATING THE SKYBOX VULNERABILITY DICTIONARY


To update your Vulnerability Dictionary automatically

› Use a Dictionary – Auto Update task, described in the Skybox Reference
Guide.
Skybox comes with a predefined daily task named Dictionary Update –
Daily, but you can change the task schedule as described in the Scheduling
task sequences topic in the Skybox Reference Guide.

Note: To run the task, enable auto-launch in the General tab of the
task’s Properties dialog box.
By default, Dictionary – Auto Update tasks use an auto-update process run by
the Skybox Server. However, there is an option for the auto-update process to
be run by a Skybox Collector. This option is required if the Skybox Server cannot
access the update server (for example, when the Skybox Server is protected
behind a firewall and cannot access the internet).

To use the Skybox Collector for a Dictionary update task


1 Open the task’s Properties dialog box.
2 In the General pane, select the Collector to use for this task.
3 In the Properties pane, select Collector via internet.

Updating the Vulnerability Dictionary manually


If neither the Skybox Server nor the Skybox Collector can access the update
server (for example, when they are behind firewalls and cannot access the
internet), use the Skybox Manager machine or another computer to download
the latest Vulnerability Dictionary and then update the Dictionary manually.
Download the Vulnerability Dictionary from
https://dictionary.skyboxsecurity.com/dictionary/10.0.0/LatestDictionary.sbd

Note: Some web browsers download the Dictionary file with the extension zip;
change the extension to sbd before updating the Dictionary.

To update the Vulnerability Dictionary manually


1 Select Tools > Administrative Tools > Update Dictionary.
2 In the Update Dictionary dialog box:
a. Select the model whose Dictionary is to be updated.
b. Navigate to the location of the new Dictionary file.
c. Select the file.
d. Click Update Dictionary.
For additional help with manual updates, contact Skybox Support.

Chapter 24

Skybox logs
Log information is available in the System folder in the Admin tree, via event
logging, and in Skybox log files.

In this chapter
Activity log
Audit log
Event logging
Log files
Activity and audit log messages

ACTIVITY LOG
User actions that change the model are logged in the activity log. Actions logged
include:

› Changes to and creation or deletion of assets, networks, network interfaces,
tickets, security metrics, and notifications
› Vulnerability Dictionary updates and alert service feeds
› Online updates of Skybox

To view the activity log


1 Select Tools > Administrative Tools > System.
2 Click Activity Log.

AUDIT LOG
The audit log includes all important user management and login actions for all
users, and messages about the creation, modification, and deletion of tasks.

To view the audit log


1 Select Tools > Administrative Tools > System.
2 Click Audit Log.

EVENT LOGGING
Skybox can write messages to Event Viewer (Windows) and syslog (Linux) for
the following events:

› Starting and stopping the Skybox Server


› Starting and ending a task
› User actions (see Audit log messages (on page 155) for a list of these
actions)
› Actions performed by Skybox (see Activity log messages (on page 152) for a
list of these actions)

To enable event logging


1 From the Tools menu, select Options > Server Options > System >
Events and Triggers.
2 Select Send System Events.
3 In the Remote Logging Server field, specify the host name or address of
the remote logging server.
• If the logs are to go to a port other than the default system UDP port
(514), add a colon and the port number after the host name.
• To send events to multiple remote servers, use a comma-separated list.
4 Specify the events that are logged to syslog or Event Viewer.
For additional information about enabling event logging, see System Events (on
page 119).

Troubleshooting event logging


By default, Skybox events are sent to the syslog server in the following format:

› %r [%t] %p %c %x - %m%n
%r is a timestamp for the event. In some cases, the external parser is not
expecting the timestamp and cannot parse it. The following instructions explain
how to configure Skybox to send events without the timestamp.

To send syslog events without the timestamp


1 Add the following parameter (the value is the same as the default, but without
the timestamp) to the file
<Skybox_Home>\server\conf\sb_server.properties
• syslog_message_pattern=[%t] %p %c %x - %m%n
2 Restart the Skybox Server.

LOG FILES
Skybox creates many different log files. These include:

› Startup log files (see page 148): These files can help you if you have trouble
running Skybox.
› Skybox task output log files (see page 149): These files contain the output of
tasks.
› Troubleshooting log files: Skybox produces log files that the Skybox technical
support team uses for troubleshooting; see Packing log files for technical
support (on page 150).
The main log files that may be helpful if something goes wrong are listed in the
following table. If a location is not specified, the files are in
<Skybox_Home>\server\log.

| File path name | File description |
| --- | --- |
| activity.log | Includes changes to and creation or deletion of assets, networks, network interfaces, tickets, security metrics, and notifications; Vulnerability Dictionary updates and alert service feeds; and online updates of Skybox (for additional information, see Activity log (see page 145) and Activity log messages (on page 152)) |
| aging\aging.log | Output of Model – Outdated Removal tasks. For information, see Task output logs (see page 149) |
| app.log | <Skybox_Home>\app\log\app.log. ERROR, FATAL, WARNING, and INFO operational messages. Note: This file is located on the Skybox Manager machine |
| audit.log | Includes all important user management and login actions for all users, and messages about the creation, modification, and deletion of tasks (for additional information, see Audit log (see page 145) and Audit log messages (on page 155)) |
| boot.log | Skybox boot log |
| collector.log | <Skybox_Home>\collector\log\collector.log. ERROR, FATAL, WARNING, and INFO operational messages. Note: This file is located on the Collector machine |
| debug\banners.log | Banner translation log |
| debug\debug.log | Includes: general information (for example, memory consumption); internal debug ERROR, FATAL, WARNING, INFO, and DEBUG messages. If verbose logging is enabled for the merging process, the messages are stored at <Skybox_Home>\app\log\debug\debug.log. For additional information, see Task output logs (see page 149) |
| debug\mail_trace.log | Mail event log |
| debug\requests.log | Request and response log |
| debug\session.log | Login and logout events |
| debug\table.log | Table record count log |
| debug\tasks.log | Includes information about the Skybox Server starting and stopping, and tasks starting and stopping |
| debug\vul_detection.log | Vulnerability detection log |
| error.log | ERROR and FATAL errors reported by the Skybox Server |
| install-collector.log | Log messages from Collector installation when the Collector is installed as a service. Note: This file is located on the Collector machine |
| install-service.log | Log messages from the Skybox Server installation when the Skybox Server is installed as a service |
| model.log | Model entity count log |
| restclient\debug.log | Debug log for Skybox Web Client |
| server.log | ERROR, FATAL, WARNING, and INFO operational messages and output from all tasks except Model – Outdated Removal and Model – Completion and Validation |
| validation.log | Output of Model – Completion and Validation tasks. For information, see Task output logs (see page 149) |
| webapp\debug.log | Debug log for Skybox Change Manager |
| webapp\requests.log | Requests log for Skybox Change Manager |

Startup log files


Skybox creates log files at startup. These files contain information that can help
you to troubleshoot problems running Skybox.

Server startup
If the Skybox Server runs as a service, it has no console. However, the startup
procedure creates a log file, <Skybox_Home>\server\log\install-service.log,
that contains the output (for example, warning and error messages) that normally
is sent to the console.
If there is a problem at Server startup, you can check this log file for possible
causes of the problem.

Collector startup
If the Skybox Collector runs as a service, it has no console. However, the startup
procedure creates a log file, <Skybox_Home>\collector\log\install-collector.log,
that contains the output (for example, warning and error messages) that normally
is sent to the console.
If there is a problem at Collector startup, you can check this log file for possible
causes of the problem.

Memory consumption
You can view snapshots of the memory consumed by a Skybox component in
that component’s debug log file:

› (Server) <Skybox_Home>\server\log\debug\debug.log
› (Collector) <Skybox_Home>\collector\log\debug\debug.log
› (Manager) <Skybox_Home>\app\log\debug\debug.log
You can modify the memory consumption statistics that are logged and the
frequency at which they are logged in the gauge properties section of the
component’s sb_common.properties file:

› (Server) <Skybox_Home>\server\conf\sb_common.properties
› (Collector) <Skybox_Home>\collector\conf\sb_common.properties
› (Manager) <Skybox_Home>\app\conf\sb_common.properties

Task output logs


Task output

› Output of Delete outdated entities tasks, which are described in the Skybox
Reference Guide
All task messages are written to the log file on the Skybox Server at
<Skybox_Home>\server\log\aging\aging.log
A new log file is created for each run of a Model – Outdated Removal task;
older log files are renamed with a sequential numeric extension. Although the
Messages tab of the Operational Console is limited to 2000 lines of output,
the aging log file contains all output of the task.

› Output of Model completion and validation tasks, which are described in the
Skybox Reference Guide
All task messages are written to the log file on the Skybox Server at
<Skybox_Home>\server\log\validation.log
A new log file is created for each run of a validation task; older log files are
renamed with a sequential numeric extension. Although the Messages tab of
the Operational Console is limited to 2000 lines of output, the validation log
file contains all output of the task.

› Output from all other tasks


All task messages are written to the log file on the Skybox Server at
<Skybox_Home>\server\log\server.log

Skybox messages
These log files are in <Skybox_Home>\server\log unless otherwise specified.

› activity.log: Includes changes to and creation or deletion of assets,
networks, network interfaces, tickets, security metrics, and notifications;
Vulnerability Dictionary updates and alert service feeds; and online updates of
Skybox (for additional information, see Activity log (see page 145) and
Activity log messages (on page 152))
› audit.log: Includes all important user management and login actions for all
users, and messages about the creation, modification, and deletion of tasks
(for additional information, see Audit log (see page 145) and Audit log
messages (on page 155))
› error.log: Includes ERROR and FATAL errors reported by the Server
› Component logs:
• (Manager) <Skybox_Home>\app\log\app.log: Includes ERROR, FATAL,
WARNING, and INFO operational messages
• (Collector) <Skybox_Home>\collector\log\collector.log: Includes
ERROR, FATAL, WARNING, and INFO operational messages
• (Server) <Skybox_Home>\server\log\server.log: Includes ERROR,
FATAL, WARNING, and INFO operational messages and output from tasks

› debug.log: Includes internal debug ERROR, FATAL, WARNING, INFO, and
DEBUG messages
› <Skybox_Home>\server\log\debug\tasks.log: Includes information about
the Server starting and stopping, and tasks starting and stopping

Verbose logging for the merging process


You can enable verbose logging for the merging process. Messages are saved to
<Skybox_Home>\app\log\debug\debug.log
The log provides essential information about decisions made by Skybox during
the merging process, including:

› Merging candidates for networks and assets


› Decision making during the merge
› Information about overlapping networks
This information can be useful when troubleshooting merging problems
encountered when constructing the model.

To enable verbose log messages for the merger

› Set com.skybox.view.logic.discovery.ModelsMerger.verbose_log to
true in <Skybox_Home>\server\conf\sb_common.properties.

Packing log files for technical support


Skybox produces log files that Skybox technical support uses for troubleshooting.
The Pack Logs tool (Tools > Pack Logs) packs the relevant log and properties
files for all Skybox components installed on the selected machine into a ZIP file,
which can then be sent to technical support. The Pack Logs tool stores a copy of
the ZIP file on the Skybox Server file system and another copy in a specified
directory.
Pack Logs properties are described in the following table.
| Property | Description |
| --- | --- |
| Logs from | The Skybox component for which to collect logs. Note: If you select a component on a machine that has multiple Skybox components installed, logs are collected for all the Skybox components on the machine. |
| Split output into files of 5MB or less | Specifies whether to split the packed logs into separate ZIP files of 5 MB. |
| Add Case Number | If selected, you can add a case ID of up to 8 characters to the name of the ZIP file. |
| Include Latest Saved Model | This field is not displayed if Logs from = Firewall Configurations. This field is enabled only if Logs from = Server and Local Collector. Specifies whether to include the latest XMLX model in the ZIP file. |
| Include Latest SQLX model | This field is not displayed if Logs from = Firewall Configurations. This field is enabled only if Logs from = Server and Local Collector. Specifies whether to include the latest SQLX model in the ZIP file. |
| Number of Days Back | This field is not displayed if Logs from = Firewall Configurations. Some logs are included in the ZIP file only if they were created within the specified number of days. Other logs are included no matter when they were created. |
| Firewall Scope | This field is displayed only if Logs from = Firewall Configurations. The firewalls and firewall folders to include in the ZIP file. |
| Generations | This field is displayed only if Logs from = Firewall Configurations. The number of generations of firewall configuration files to include in the ZIP file. |
| Save copy to a local directory | The directory on the local machine where a copy of the packed logs is saved. |

Sending the packed logs to technical support


After packing the logs, open a support site case at the Skybox Support portal and
attach the ZIP files.

Advanced options
By default, the logs are packed in a single ZIP file named
packlogs_<yyMMdd>_<organization name>[_<case>].zip but this might result
in a very large file, which might be difficult to send or upload. The logs can be
packed in multiple files of no more than 5 MB each (by selecting Split output
into files). The files are named sequentially:
packlogs01_<yyMMdd>_<organization name>[_<case>].zip,
packlogs02_<yyMMdd>_<organization name>[_<case>].zip, and so on.
If the remote connection to the Skybox Server or Collector is down, you can access
the packed logs at:

› (Server) <Skybox_Home>\server\bin\packlogs_<yyMMdd>_<organization name>[_<case>].zip
› (Collector) <Skybox_Home>\collector\bin\packlogs_<yyMMdd>_<organization name>[_<case>].zip
(Or packlogs01_<yyMMdd>_<organization name>[_<case>].zip,
packlogs02_<yyMMdd>_<organization name>[_<case>].zip, and so on.)

Running the utility from the command line


You can run the <Skybox_Home>\<component>\bin\packlogs.bat utility locally
on any component’s machine (<component> is server, collector, or app). For
additional information, see Package log files utility (on page 88).
ACTIVITY AND AUDIT LOG MESSAGES


This section details the messages shown in the activity log and audit log.

Activity log messages


The following event types can be included in the activity log:

› Configuration Item event types specify changes to entities in the
Application & Service repository.
• Configuration_Item Configuration Item Created
• Configuration_Item Configuration Item Deleted
• Configuration_Item Configuration Item Updated
• Configuration_Item Configuration Item Enabled
• Configuration_Item Configuration Item Disabled
• Configuration_Item Configuration Item Renamed

Example of a configuration item message


2019-03-18 12:06:54,961 INFO Configuration_Item Configuration Item
Disabled - <[email protected]:SFA:1> Application Object Disabled:
Development Machines

› Host event types specify changes to assets in the model.


• Host Access Rules Modification
• Host Routing Rules Modification
• Host Virtual Routing Setting Modification
• Host Dynamic Routing Setting Modification
• Host Layer2 Setting Modification
• Host Vpn Update
• Host Virtual Routers Update
• Host Asset Manually Created
• Host Asset Manually Deleted

Example of a host message


2019-03-16 22:23:34,021 INFO Host Asset Manually Deleted -
<[email protected]:SFA:1> Asset deleted. Name: vlab-cisco, Type:
Firewall

› Network Interface event types specify changes to network interfaces.


• Network Interface Zone Mapping
• Network Interface Network Assignment Modification
• Network Interface Address Behind Interface Modified
• Network Interface IP Address Modification
• Network Interface Status Change

Example of a network interface message


2019-03-16 22:46:11,796 INFO Network Interface Zone Mapping -
<[email protected]:SFA:1> Zone mapping of Interface: netIterface2088
192.170.33.1/24 (asset: prod FW) was modified to Zone=Partners

› Network event types specify changes to networks.


• Network Zone Mapping
• Network IP Address Modification

Example of a network message


2019-03-16 23:04:56,862 INFO Network Zone Mapping -
<[email protected]:SFA:1> Zone mapping of Network: nocServers
192.170.23.0/24 was modified to Zone=Internal

› Online updates events specify software update changes:


• Online-updates Check for Updates
• Online-updates Blocked
• Online-updates Update Available Status
• Online-updates Uptodate Status
• Online-updates Get Release Notes
• Online-updates Get Hot Fix
• Online-updates Download Update Started
• Online-updates Download Update Ended

› SPA (Security metric) events specify changes to security metrics.


• SPA Analysis_Security Metric_Calculation_Started
• SPA Analysis_Security Metric_Calculation_Ended
• SPA Security Metric_Level_Increase_Notification
• SPA Security Metric_Level_Decrease_Notification

Example of a SPA message


2019-03-17 11:34:46,676 INFO SPA Analysis_Security
Metric_Calculation_Started - <> Analysis - Security Metrics task started
running on the Live model

› TAM events specify changes to entities in the model that are not covered by
the other event types.
• Dictionary Auto Update Started
• Dictionary Auto Update Ended
• New Dictionary
• Alert Service Deepsight Collection Started
• Alert Service Deepsight Collection Ended
• New Vulnerability Definition
• Vulnerability Definition Status Updated
• Vulnerability Definition Details System Updated
• Vulnerability Definition Details User Updated
• Unhandled Vulnerability Definition
• Unhandled Vulnerability Definition More
• New Ticket
• Ticket Deleted
• Ticket Closed
• Ticket Reopened
• New Product
• Product Details Updated
• Product Deleted
• Product Request Deleted
• New Vulnerability Notification
• Updated Vulnerability Notification
• Unhandled Vulnerability Notification
• Updated Vulnerability Status Notification
• New Ticket Phase
• Ticket Phase Deleted
• New Ticket Notification
• Updated Ticket Notification
• Overdue Ticket Notification
• Predue Ticket Notification
• Closed Ticket Notification
• Deleted Ticket Notification
• Cloned Ticket Notification
• Promoted Ticket Notification
• Demoted Ticket Notification
• Request To Close Ticket Notification
• Reopened Ticket Notification
• Reassigned Ticket Notification
• Minor Ticket Updates Notification
• Alert Service Idefense Collection Started
• Alert Service Idefense Collection Ended
• New Custom VT
• Modified Custom VT
• Deleted Custom VT
• Access Policy Added
• Access Policy Deleted
• Access Policy Changed
• Access Policy Renamed
• Access Policy Disabled
• Access Policy Enabled
• Access Policy Section Added
• Access Policy Section Changed
• Access Policy Section Renamed
• Access Policy Section Deleted
• Access Policy Section Disabled
• Access Policy Section Enabled
• Access Check Added
• Access Check Changed
• Access Check Renamed
• Access Check Deleted
• Access Check Disabled
• Access Check Enabled
• Rule Policy Deleted
• Rule Policy Changed
• Rule Policy Renamed
• Rule Policy Disabled
• Rule Policy Enabled
• Rule Check Added
• Rule Check Changed
• Rule Check Renamed
• Rule Check Deleted
• Rule Check Disabled
• Rule Check Enabled
• Configuration Policy Added
• Configuration Policy Changed
• Configuration Policy Renamed
• Configuration Policy Deleted
• Configuration Policy Disabled
• Configuration Policy Enabled
• Configuration Check Added
• Configuration Check Changed
• Configuration Check Renamed
• Configuration Check Deleted
• Configuration Check Disabled
• Configuration Check Enabled
• Vulnerability Occurrence Manually Added
• Vulnerability Occurrence Manually Deleted
• Vulnerability Occurrence status changed
• Exception Added
• Exception Modified
• Exception Deleted
Example of a TAM message


2019-03-17 11:06:22,512 INFO TAM New_Dictionary - <> New dictionary
version 75.893, date: 3/16/19 12:00 AM loaded successfully

Audit log messages


The audit log includes:

› System messages
› Messages about task creation, deletion, and modification
› User management messages
A complete message has additional information, including a timestamp.

Sample message for user login


2019-03-16 11:18:01,768 INFO User_Management Login -
<[email protected]:TRAY:1> User skyboxview logged in
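
The following added example (not Skybox code) parses activity and audit log messages in the layout of the samples in this section and screens them against a review watchlist. It assumes one message per line in the log file. The origin values, the last sample record with its underscore spelling, and the watchlist are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Layout of the sample messages: <timestamp> <LEVEL> <event type> - <origin> <text>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"(?P<event>.+?)\s+-\s+<(?P<origin>[^>]*)>\s*(?P<text>.*)$")

# Event-type prefixes seen in this section, longest first so that
# "Network Interface ..." is not classified as "Network".
FAMILIES = sorted(["Configuration Item", "Host", "Network Interface", "Network",
                   "Online-updates", "SPA", "TAM", "User Management"],
                  key=len, reverse=True)

# Illustrative watchlist (an assumption; tune per site). Names come from the lists above.
WATCH = {"asset manually deleted", "access rules modification",
         "access policy disabled", "access policy deleted",
         "rule policy disabled", "exception added"}

# Constructed sample: modelled on the samples above, with placeholder origins.
SAMPLE = """\
2019-03-16 11:18:01,768 INFO User_Management Login - <analyst@192.0.2.10:TRAY:1> User analyst logged in
2019-03-16 22:23:34,021 INFO Host Asset Manually Deleted - <analyst@192.0.2.10:SFA:1> Asset deleted. Name: vlab-cisco, Type: Firewall
2019-03-16 22:46:11,796 INFO Network Interface Zone Mapping - <analyst@192.0.2.10:SFA:1> Zone mapping of Interface: if1 192.0.2.1/24 (asset: prod FW) was modified to Zone=Partners
2019-03-16 23:04:56,862 INFO Network Zone Mapping - <analyst@192.0.2.10:SFA:1> Zone mapping of Network: nocServers 198.51.100.0/24 was modified to Zone=Internal
2019-03-17 11:06:22,512 INFO TAM New_Dictionary - <> New dictionary version 75.893, date: 3/16/19 12:00 AM loaded successfully
2019-03-17 11:40:02,100 INFO TAM Access_Policy_Disabled - <analyst@192.0.2.10:SFA:1> constructed message text
  second line of the same message
"""

@dataclass
class Event:
    ts: datetime
    level: str
    family: str
    action: str
    origin: str   # empty for system-generated events ("<>")
    text: str

def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # The samples write some names with underscores (New_Dictionary) while the
    # lists use spaces (New Dictionary); normalize before comparing.
    name = " ".join(m["event"].replace("_", " ").split())
    family, action = "UNKNOWN", name
    for fam in FAMILIES:
        if name.lower().startswith(fam.lower() + " "):
            family, action = fam, name[len(fam) + 1:]
            break
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return Event(ts, m["level"], family, action, m["origin"], m["text"])

def parse_log(lines) -> List[Event]:
    events: List[Event] = []
    for line in lines:
        ev = parse_line(line)
        if ev:
            events.append(ev)
        elif events and line.strip():
            # Not a new record: treat it as a continuation of the previous message.
            events[-1].text += " " + line.strip()
    return events

def flagged(events: List[Event]) -> List[Event]:
    """Return the events whose action is on the review watchlist."""
    return [e for e in events if e.action.lower() in WATCH]

EVENTS = parse_log(SAMPLE.splitlines())

if __name__ == "__main__":
    print(Counter(e.family for e in EVENTS))
    for e in flagged(EVENTS):
        print(e.ts.isoformat(), e.family, e.action, e.origin or "(system)", e.text)
```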
