
 

Lab 4
Scenario: Identity tracking

Overview

Description
This lab introduces you to identity tracking in Pravail NSI. You will learn
about configuration of identity tracking and how user identities appear in
Pravail NSI. This lab is divided into the following parts:
• Manual static user mapping
• AuthX integration for dynamic user mapping
• Using user identities in traffic and security analysis

Setup

[Figure: lab setup diagram showing the Internet, the LAN, the flow0 interface, and the AuthX agent on the AD controller]
L4-1
Student 17
Identity tracking in Pravail NSI
Lab 4

In this scenario, the customer network uses Microsoft Active Directory.

The AuthX agent on the Active Directory primary controller will have access to
the flow0 interface of the Pravail NSI controller.

Objectives
After completing this lab, you will be able to do the following:
• Set up identity tracking;
• Use identity tracking information in traffic and security analysis.

Equipment/Tools
The following equipment is required to complete this lab:
• web browser
When accessing training labs, you will be prompted for Training Portal
Authentication. Use the following credentials:
• Login: student17
• Password: 44AYJCgf82

Estimated Completion Time


• The estimated completion time for this lab is 30 minutes.

Pravail NSI configuration

Defining static identity tracking records


In some cases dynamic identity tracking is not available or does not cover
the entire network. In this example we will define identity tracking records
for two servers.
1. Log into https://pod17.training.arbor.net/
using the credentials you configured in lab 1. Note that you will be
presented with proxy authentication first; use your student login:
student17
2. Navigate to Settings->Identity Tracking
3. Click Add Identity Mapping
4. Specify DNS@ENTERPRISE as Username and 192.168.201.1 as IP.
Save changes
5. Click Add Identity Mapping

L4-2 Student 17 Pravail NSI 5.5

6. Specify Oracle@ENTERPRISE as Username and 192.168.201.2 as IP.
Save changes

Enabling dynamic identity tracking mapping with AuthX


Enabling AuthX does not actually require any configuration on the Pravail NSI
controller side.

1. Ask the instructor to start the AuthX feed for your NSI Controller
2. Wait a few minutes and check the AuthX agent state on the Summary page
3. Navigate to Settings->Identity Tracking, and check Current
Identity Mapping to see the new entries.

Using user identities in traffic analysis


After identity tracking has been set up, wait 10 minutes for Pravail NSI to
collect traffic statistics for the newly defined identities.
Let’s check connections to the DNS server.
1. Navigate to Explore->Connections
2. Change selector to From All Hosts To DNS@ENTERPRISE
3. Click Search
Let’s see a summary of the network activity of user Ann@Enterprise.
1. Navigate to Explore->Traffic
2. Type Ann@Enterprise in the search field and click Update
3. Study the results
Let’s see information about the TCP/80 flows of user John@Enterprise.
1. Navigate to Explore->Flows
2. Change selector to From John@ENTERPRISE and All Hosts on
service TCP/80
3. Click Search
4. Note that you can export table details using the Export Data icon on the
Arbor Smart Bar

Using user identities in security analysis


Let’s check users violating security policies.
1. Navigate to Explore->Risk Index


2. Change the View by selector to Identity
3. Use the More buttons to see the alerting rules and reasons for a certain
Risk Index. Note that you can Approve or Clear Alerts from this screen
4. Click on any alerting rule. Note that this report is now specific to the
chosen user: the search string is pre-populated.
This completes the lab exercise.
