Run Discovery in OC

The first time you open the Operator Console (OC), the Discovery Wizard is launched automatically.
Subsequently, when you open the OC, you can launch the Discovery Wizard manually if you want to run discovery or change your discovery settings to run discovery automatically on a set schedule. You can launch the Discovery Wizard from the Setup Wizard or from the Inventory View in the left navigation.
The Discovery Wizard will not run after an update of UIM if there are existing range scopes that define excluded IP addresses. You must either accept the system prompt to delete excluded range scopes or remove them manually from the database before discovery will run.
Review the following when using the Discovery Wizard:
  • If valid information is entered in the required fields of an authentication profile or network scope, the information is automatically saved when you click Next.
  • Passwords for authentication profiles are displayed as asterisks. If you want to see a password as you enter it, click the Show Password option. When you click Next, the password is displayed as asterisks.
Once you have run the discovery, you can update the inventory list manually by selecting a root, agent, or scope and clicking on the discovery icon at the top of the inventory list.
Launch the Discovery Wizard
Follow these steps:
  1. Click the Setup Wizard option in the left menu of the OC. The Setup Wizard opens.
  2. Click the Discover Devices button to start the Discovery Wizard.
OR
  1. Click the Inventory option in the left menu in the OC. The Inventory view opens.
  2. Click the Edit metrics icon (pencil icon) on the right of the Inventory page. The Inventory Tree dialog opens.
  3. Click the Inventory node.
  4. Select the required discovery agent.
  5. Select the Discovery Wizard option from the global three-dot Actions menu at the top-right corner of the Inventory page. The Discovery Wizard opens.
Create Authentication Profiles
Authentication profiles allow you to create, edit, view, and delete authentication profiles for discovery. An authentication profile contains credential information necessary for discovery to access and gather information about computer systems and devices in your network.
You can create one or more authentication profiles under each of the WMI, Linux/Unix, and SNMP tabs.
Creating authentication profiles is not required for discovery. However, only IP discovery is used if no authentication profiles exist, and information about discovered systems might be limited.
Follow these steps to create an authentication profile:
  1. Navigate to Discover Devices and select the desired Discovery agent.
  2. Click New (+) in the left pane.
  3. Enter information in all of the required fields.
  4. Click Next. The information that you enter is saved when you click Next and move through the Discovery Wizard.
  • To view the properties of an existing profile, select the appropriate authentication tab, and select a profile in the left pane.
  • To modify an existing authentication profile, select it and edit the fields as necessary, then click Save. To delete an authentication profile, click the trash can icon next to the name of the profile in the left pane, and click Update.
Configuration details are specific to each protocol, such as acceptable credential formats.
Linux/Unix
Linux/Unix authentication profiles use SSH or Telnet to access and discover Linux and Unix systems.
  • Name - Name for the authentication profile.
  • ID - This read-only field is the UIM system ID for this authentication profile, assigned when the profile is saved. It identifies the profile uniquely for reuse in other areas of OC that reference authentication profiles.
  • User - User name.
  • Password - The user password. Check the Show Passwords option to verify the text as you enter it.
  • SSH or Telnet - Select the communication protocol to use, SSH (Secure Shell) or Telnet (no secure authentication or encryption).
    Discovery Agent uses password authentication to connect to a target device over SSH. Discovery Agent cannot communicate with a device where SSH is configured for other authentication methods, such as keyboard-interactive or challenge-response authentication.
SNMP
Discovery supports SNMP versions 1, 2c, and 3. SNMP v3 provides security features that are not available in v1 and v2c. As a result, authentication profile configuration fields in the Discovery Wizard that deal with security and privacy (encryption) are only active when you select 3 in the Version pull-down menu.
SNMP authentication profiles can also be imported from an XML file. See Run File-based Import for details.
We recommend the following best practices:
  • Create a minimal set of SNMP authentication profiles that will, in aggregate, provide SNMP access to all your network devices and hosts that support SNMP.
  • Set up as many of your network devices as possible to use "universal" read-only credentials. For example, you could define a read-only (get-only) credential to be nms_get_only. Then set up every device possible to allow read-only SNMP access via this universal credential. This minimizes the number of SNMP authentication credentials that must be attempted on network nodes, and simplifies your discovery configuration.
  • If there are devices that accept unique SNMP credentials, create one authentication profile for each of those. You can specify a unique port within the range of 1 to 65535 for the profile. If no port is specified, the default port 161 is used.
  • For network devices such as routers and switches, SNMP is the sole source for detailed discovery information. For host systems such as Windows, Unix, or Linux servers, it is recommended that you use WMI or SSH discovery in addition to SNMP. While SNMP provides the most complete network interface information for devices and systems, the host system information available from SNMP, such as processor attributes, is less complete than the information obtained from WMI or SSH discovery.  Enabling the combination of WMI or SSH discovery plus SNMP discovery for host systems provides the most comprehensive set of host and network interface information.
  • For devices that are enabled with the CA SystemEDGE agent, you can create SNMP authentication profiles and monitor them with the snmpcollector probe (v3.0 and later). For more information, see Monitor SystemEDGE-enabled Devices with the snmpcollector Probe in the How to Articles section of the Probes Documentation Space.
SNMP v1 or v2 Fields
| Field | Required | Description |
|---|---|---|
| Description | Yes | Name for the authentication profile |
| ID | Auto-generated | This read-only field is the UIM system ID for this authentication profile, assigned when the profile is saved. It identifies the profile uniquely for reuse in other areas of OC that reference authentication profiles. |
| Version | No | The SNMP version that is supported by the monitored device. When version 1 or 2 is selected, only the Community field is active. |
| Community | Yes | The SNMP community string. Select Show Password to verify the text as you enter it. This string is sent across the network in clear text as part of SNMP v1 or v2c requests, which might pose a security risk. |
SNMP v3 Fields
| Field | Required | Description |
|---|---|---|
| Description | Yes | Name for the authentication profile |
| ID | Auto-generated | This read-only field is the UIM system ID for this authentication profile, assigned when the profile is saved. It identifies the profile uniquely for reuse in other areas of OC that reference authentication profiles. |
| Version | Yes | SNMP version that is supported by the monitored device. Versions 1, 2c, and 3 are supported. When v3 is selected, other fields for security and privacy are enabled. |
| Password | Enabled and required if AuthNoPriv or AuthPriv is selected (see Security description). | The password that is associated with the SNMP v1/v2c device or SNMP v3 user. Check Show new passwords to verify the text as you enter it. This field is enabled and required if either AuthNoPriv or AuthPriv security is selected. See the following description for the Security field. |
| User | Yes | SNMP v3 user name that is used to access the monitored device. Required for all SNMP v3 security levels. See the description for the Security field below. |
| Method | Yes | SNMP v3 method of encryption, when AuthNoPriv or AuthPriv security is selected (see the following description for the Security field). MD5: MD5 Message-Digest Algorithm (HMAC-MD5-96). SHA: Secure Hash Algorithm (HMAC-SHA-96). |
| Security | Yes | SNMP v3 security level of the user. Depending on what level of security is selected, other security fields are enabled or disabled. NoAuthNoPriv: messages sent unauthenticated and unencrypted. AuthNoPriv: messages sent authenticated but unencrypted. AuthPriv: messages sent authenticated and encrypted. |
| Priv.Password | Enabled and required if AuthPriv is selected. | SNMP v3 privacy password to use if AuthPriv security level is selected. Must be at least eight characters. Do not confuse with the user password (authentication). |
| Priv.Protocol | Enabled and required if AuthPriv is selected. | SNMP v3 privacy (encryption) protocol to use. DES: Data Encryption Standard. AES: Advanced Encryption Standard. |
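The field rules in the Linux/Unix and SNMP sections above can be checked against a profile inventory before the profiles are entered in the wizard. The following is an added example, not part of the product or its XML import format: the dictionary keys, profile names and placeholder secrets are assumptions, and the DES remark is an added observation rather than a statement from this page.

```python
def audit_profile(p):
    """Return findings for one authentication profile (hypothetical dict layout)."""
    findings = []
    if p["type"] == "linux" and p.get("protocol") == "Telnet":
        findings.append("Telnet: no secure authentication or encryption")
    if p["type"] != "snmp":
        return findings
    version = str(p.get("version"))
    if version in ("1", "2c"):
        findings.append("community string is sent in clear text")
    elif version == "3":
        sec = p.get("security")
        if not p.get("user"):
            findings.append("User is required for all SNMP v3 security levels")
        if sec == "NoAuthNoPriv":
            findings.append("messages sent unauthenticated and unencrypted")
        elif sec == "AuthNoPriv":
            findings.append("messages sent authenticated but unencrypted")
        if sec in ("AuthNoPriv", "AuthPriv") and not p.get("password"):
            findings.append("Password is required at this security level")
        if sec == "AuthPriv":
            if len(p.get("priv_password", "")) < 8:
                findings.append("Priv.Password must be at least eight characters")
            if p.get("priv_protocol") == "DES":
                # Added observation: DES uses a 56-bit key; AES is the other option.
                findings.append("DES selected for privacy; AES is available")
    return findings

# Constructed sample inventory; all names and secrets are placeholders.
PROFILES = [
    {"name": "core-v2c", "type": "snmp", "version": "2c", "community": "<community>"},
    {"name": "edge-v3", "type": "snmp", "version": "3", "user": "nms",
     "security": "AuthPriv", "password": "<auth-secret>",
     "priv_password": "short", "priv_protocol": "DES"},
    {"name": "dc-v3", "type": "snmp", "version": "3", "user": "nms",
     "security": "AuthPriv", "password": "<auth-secret>",
     "priv_password": "<priv-secret-placeholder>", "priv_protocol": "AES"},
    {"name": "legacy-unix", "type": "linux", "protocol": "Telnet", "user": "svc"},
]

def audit_all(profiles):
    """Map profile name -> findings, keeping only profiles that have findings."""
    report = {p["name"]: audit_profile(p) for p in profiles}
    return {name: f for name, f in report.items() if f}

for name, found in audit_all(PROFILES).items():
    print(name, found)
```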
WMI
WMI (Windows Management Interface) discovery scans servers and hosts running Windows to gather system information. WMI discovery runs only on discovery agents that are hosted on Windows systems.
  • Name - Name for the authentication profile.
  • ID - This read-only field is the system ID for this authentication profile, assigned when the profile is saved. It identifies the profile uniquely for reuse in other areas of OC that reference authentication profiles.
  • User - User name in the form of Domain\user name. user_name and IP_address\user_name are also allowable.
  • Password - User password. Check the Show Passwords option to view the text as you enter it.
Define Scopes
Use the Define Scopes tab of the Discovery Wizard to define network seed devices, addresses, ranges, or masks where devices are to be discovered. At least one network range must be entered for discovery to run.
You can assign any combination of SNMP, Linux/Unix, and WMI authentication profiles to a range scope. The discovery process records any device within a range that responds to a request on any protocol, including a simple ICMP ping. This means you can include end nodes (such as servers, network printers, network storage systems, or workstations) in a range, even if they don't respond to requests using SNMP or other management protocols.
If no authentication profile is assigned to a range scope, basic discovery is performed using protocols that do not require authentication, but discovery might not be complete and information about discovered systems is limited.
You must use IP addresses when populating scopes. Hostnames are not supported.
Best Practices for Creating Scopes
For each discovery agent, review the assigned range scopes to minimize predictable timeouts. To optimize performance and avoid duplicate entries, each discovery agent should discover an exclusive part of the network.
Tips to decrease discovery run time:
  • The discovery agent tries each credential on each IP address and waits for a timeout (or success) with each attempt. Use a single credential in a scope that has a high probability of immediate success on the nodes in that scope to speed up discovery.
  • When you apply an authentication profile to a scope, verify that most, if not all, devices that are defined by that scope accept the authentication profile.
  • If you include devices that do not respond to requests on any management protocol, place them in a discovery range scope with no authentication profiles assigned to the scope.
  • If you use SNMP for a device that accepts only a unique SNMP community string, create a Single type range scope and specify the device IP address. Assign the corresponding authentication profile to the range scope.
  • When using SNMP, to avoid unnecessary authentication traps/alerts, assign only one SNMP authentication credential per discovery range.
Create Range Scopes
Follow these steps:
  1. Click New (+) in the left pane of the Define Scopes tab.
  2. Enter a name for the range scope.
  3. In the Range Scope definition section, specify the area of your network where you want to perform discovery.
    • Mask - Defines a subnet using Classless Inter-Domain Routing (CIDR) notation with a base IPv4 address and a routing prefix. For example, 195.51.100.0/24. The value /24 refers to a Class C subnet of 256 addresses. Other values for reference: /30 (4 addresses) and /16 (65,536 addresses, or a Class B subnet).
      When you enter a subnet mask, the number of IP addresses the mask represents is displayed (the number of effective hosts minus 2). Only /16 subnets or smaller are supported.
    • Range - Range of IPv4 addresses.
    • Single IPv4 or IPv6 address. You can use abbreviated IPv6 address forms, and IPv6 addresses that refer to IPv4 addresses. However, anycast, multicast, link-local, and loopback addresses are not supported.
  4. Click the plus icon (+) to add another IP range, address, or mask if desired.
  5. In the Credentials section, you can assign authentication profiles to the selected range. By default, all of the authentication profiles are selected. If you have many authentication profiles in the list, you can enter the name of a profile to filter the list.
  6. To view only the profiles that are selected, click the Hide Unused option.
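The scope rules above (IP addresses only, masks no larger than /16, unsupported address types for single entries, and one exclusive part of the network per discovery agent) can be checked on a planned scope list before it is typed into the wizard. This is an added example, not product code: the agent names, the (type, value) tuple layout and the "start-end" range syntax are assumptions.

```python
import ipaddress

MIN_PREFIX = 16  # the page: only /16 subnets or smaller are supported

def parse_entry(kind, value):
    """Return (first, last) address of one scope entry; raise ValueError if invalid."""
    if kind == "mask":
        net = ipaddress.IPv4Network(value, strict=True)  # rejects host bits and hostnames
        if net.prefixlen < MIN_PREFIX:
            raise ValueError(f"{value}: larger than /16")
        return net[0], net[-1]
    if kind == "range":
        lo, hi = (ipaddress.IPv4Address(part.strip()) for part in value.split("-"))
        if lo > hi:
            raise ValueError(f"{value}: start is above end")
        return lo, hi
    if kind == "single":
        addr = ipaddress.ip_address(value)  # IPv4 or IPv6; hostnames raise ValueError
        # Anycast cannot be recognised from the address alone, so it is not checked.
        if addr.is_multicast or addr.is_link_local or addr.is_loopback:
            raise ValueError(f"{value}: multicast, link-local or loopback")
        return addr, addr
    raise ValueError(f"unknown entry type {kind!r}")

def is_valid(kind, value):
    try:
        parse_entry(kind, value)
        return True
    except ValueError:
        return False

def find_overlaps(agent_scopes):
    """Return (agent_a, agent_b, entry_a, entry_b) for entries shared by two agents."""
    spans = []
    for agent, entries in agent_scopes.items():
        for kind, value in entries:
            lo, hi = parse_entry(kind, value)
            spans.append((int(lo), int(hi), lo.version, agent, value))
    hits = []
    for i, a in enumerate(spans):
        for b in spans[i + 1:]:
            if a[3] != b[3] and a[2] == b[2] and a[0] <= b[1] and b[0] <= a[1]:
                hits.append((a[3], b[3], a[4], b[4]))
    return hits

# Constructed sample: hypothetical agent names, documentation address blocks.
SAMPLE = {
    "agent-east": [("mask", "198.51.100.0/24"), ("single", "2001:db8::10")],
    "agent-west": [("range", "198.51.100.200-198.51.100.220"), ("mask", "203.0.113.0/28")],
}
print(find_overlaps(SAMPLE))
```

An overlap reported here means two discovery agents would scan the same addresses, which the best practices above associate with duplicate entries and longer run times.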
Assign Authentication Profiles
In the Credentials section, you can assign authentication profiles to the selected range. By default, all of the authentication profiles are selected. Seed scopes require at least one SNMP credential. If the LAN checkbox is selected, you must assign the authentication profiles that are applicable to all devices in the local subnets covered by the seed device.
When you have finished defining scopes, click Next.
Remove a Scope
You can remove a scope by clicking on the trashcan icon next to a scope on the Scopes tab of the Discovery Wizard.
View Discovered Systems
The Inventory Tree section in the Inventory view in the OC allows you to view computers and devices that have been discovered on your network. It contains discovery agents, with network scopes under each discovery agent. The tree also has an Automatic node.
The following example screenshot shows the Inventory Tree dialog:
  • Click a node in the tree to view associated systems and their properties in the table to the left. To view properties for all discovered systems, click the Inventory node in the tree.
  • A quick filter field at the top of the table allows you to filter for text in the table columns (for example, Name, IP Address, OS Name, and Origin).
  • Click a column header to sort the table by the column.
  • A key icon in the table indicates that a discovery agent authenticated with the system using one of the defined authentication profiles. Hover over the key icon to view the type and name of the authentication profile used.
  • You can export data for a discovery agent or network range scope. To export data, click a discovery agent or network range scope in the tree, then select Export from the global three-dot Actions menu at the top-right corner of the Inventory page.
Discover Now
You can focus discovery on an agent or subset of scopes independently of the Discovery Wizard. This allows you to discover devices on a portion of the inventory—for example, to update the inventory after maintenance.
Follow these steps:
  1. Select an agent or scope in the Discovery Wizard from the Settings view in OC.
  2. Select Run Discover now.
  3. Click the Finish button.
Only one discovery can be run at a time. Starting a new discovery preempts a currently running discovery.