Now with version 3.0 of SolarWinds User Device Tracker (UDT) you can define a set of rules to determine whether a network device belongs on your white list. If so, the device appears in the UDT resource list as a safe device. Devices connected to your network that are not on the white list will appear in the Rogue Devices resource list, and an alert will be automatically generated for each of them. You can also define a set of rules that determine whether a network device should be ignored by UDT. If so, UDT discards all related data. This is handy for HSRP and VRRP MAC addresses.
Although the purpose of whitelisting seems crystal clear at first, you quickly realize that its possibilities extend far beyond 'a list of devices'. This is certainly a big feature, so let’s talk about some of the common questions you may have when getting familiar with this new functionality.
What is the Default Setting?
By default we whitelist everything. Therefore, when you install / upgrade to UDT 3.0.x, the white list contains three rules: Any hostname, Any IP address, and Any MAC address. These rules mark any connected endpoint as safe, thus preventing your new UDT 3 system from being flooded by rogue device alerts. When you want to actually use the white list, you have to disable some of the rules first.
Another part of this feature, that comes pre-configured with the installation, is the list of ignored MAC addresses. It includes both HSRP and VRRP ranges.
When is an Endpoint 'Safe'?
An endpoint is considered safe (i.e. not marked as rogue) only when its hostname, IP address, and MAC address are all on the white list. In other words, if e.g. the MAC address is on the white list but the hostname is not, an alert will be generated.
I Only Want to White List MAC Addresses
If you don't care about hostnames and IP addresses, simply leave the default rules 'Any hostname' and 'Any IP address' active and disable/delete the 'Any MAC address' rule. Then create your own rules for MAC addresses.
Can I Create a Black List?
No. The current logic treats every endpoint not on the white list as rogue. If you are interested in the other approach (everything is safe and only listed devices are rogue), please vote here: http://thwack.solarwinds.com/ideas/1367.
I Would Like UDT to Automatically Shut Down the Port Where a Rogue Endpoint is Connected
This is currently a feature request: http://thwack.solarwinds.com/ideas/2328.
It can be achieved via Orion SDK/API plus advanced alert manager, but this approach is not officially supported as functionality like this would have to be used with extra care -- for example, you probably don't want to shut down a trunk port.
How Do I Specify White List Items? How Do I List the Safe Devices?
On the 'Included' tab, click 'Add new'. You then have several options:
You can add individual MAC addresses, IP addresses, or hostnames. For one rule you can only add one type (e.g. MAC addresses).
IP Address and MAC Address Range
The last option, the Custom entry, gives you the most flexibility. You can enter IP addresses, MAC addresses, or hostnames, including ranges and wildcards. Again, only one type per rule.
How Do I Import My List of Safe Devices?
Suppose you have e.g. a list of MAC addresses that represent safe devices on your network and want to add them to the white list. How do you do it?
- If there is a pattern in the list, you can use the MAC Range or Custom entry with wildcards.
- If there is no pattern, then it's probably best to format the list as a plain text file and copy-paste the content to the Custom entry field.
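To make the rule semantics above concrete (an endpoint is safe only when hostname, IP and MAC are all covered; the ignore list is checked first; the 'MAC-only' setup keeps the 'Any hostname' and 'Any IP address' rules and disables 'Any MAC address'; Custom entries accept wildcards and ranges), here is a small Python model of that evaluation. It is an added example written for this post, not SolarWinds code, and it does not use the UDT database or the Orion SDK. The HSRP v1 (00:00:0C:07:AC:xx) and VRRP (00:00:5E:00:01:xx) virtual-router ranges are the standard ones; the post only says the shipped ignore list covers HSRP and VRRP, so treating them as that list is an assumption. All endpoints and the corporate MAC prefix/range are constructed sample data.

```python
"""Model of UDT-style white list / ignore list evaluation (added example, not UDT code)."""
import ipaddress
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Attribute kinds a rule can match. One rule matches exactly one kind,
# mirroring the "only one type per rule" constraint from the post.
MAC, IP, HOSTNAME = "mac", "ip", "hostname"


def norm_mac(mac: str) -> str:
    """Canonicalise a MAC written with any separator to lower-case 'aa:bb:cc:dd:ee:ff'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_to_int(mac: str) -> int:
    return int(norm_mac(mac).replace(":", ""), 16)


@dataclass
class Rule:
    """One white-list or ignore-list rule. Either a pattern (exact or '*'/'?' wildcard)
    or an inclusive range (IP or MAC only), never both."""
    kind: str
    pattern: Optional[str] = None
    range: Optional[Tuple[str, str]] = None
    enabled: bool = True

    def matches(self, value: str) -> bool:
        if not self.enabled:            # a disabled rule never matches (the 'disable' case in the post)
            return False
        if self.range is not None:
            lo, hi = self.range
            if self.kind == IP:
                return ipaddress.ip_address(lo) <= ipaddress.ip_address(value) <= ipaddress.ip_address(hi)
            if self.kind == MAC:
                return mac_to_int(lo) <= mac_to_int(value) <= mac_to_int(hi)
            raise ValueError("ranges apply to IP and MAC rules only")
        if self.kind == MAC:
            # normalise both sides so '00-1A-2B-*' and '00:1a:2b:*' mean the same thing
            return fnmatchcase(norm_mac(value), self.pattern.lower().replace("-", ":"))
        if self.kind == HOSTNAME:
            return fnmatchcase(value.lower(), self.pattern.lower())
        return fnmatchcase(value, self.pattern)


@dataclass
class Endpoint:
    hostname: str
    ip: str
    mac: str


def default_whitelist() -> List[Rule]:
    """The three rules the post says ship by default: everything is safe."""
    return [Rule(HOSTNAME, "*"), Rule(IP, "*"), Rule(MAC, "*")]


def default_ignore_list() -> List[Rule]:
    """Assumed content of the shipped ignore list: HSRP v1 and VRRP virtual MAC ranges."""
    return [
        Rule(MAC, range=("00:00:0c:07:ac:00", "00:00:0c:07:ac:ff")),  # HSRP v1
        Rule(MAC, range=("00:00:5e:00:01:00", "00:00:5e:00:01:ff")),  # VRRP
    ]


def classify(ep: Endpoint, whitelist: List[Rule], ignore: List[Rule]) -> Tuple[str, List[str]]:
    """Return ('ignored' | 'safe' | 'rogue', [attribute kinds that failed the white list]).
    Ignore rules win outright; otherwise every attribute must be covered by some enabled rule."""
    if any(r.kind == MAC and r.matches(ep.mac) for r in ignore):
        return "ignored", []
    failed = [kind for kind, value in ((HOSTNAME, ep.hostname), (IP, ep.ip), (MAC, ep.mac))
              if not any(r.kind == kind and r.matches(value) for r in whitelist)]
    return ("safe" if not failed else "rogue"), failed


def mac_only_whitelist() -> List[Rule]:
    """'I only want to white list MAC addresses': keep Any hostname / Any IP, disable Any MAC,
    then add your own MAC rules (a constructed OUI wildcard and a constructed range)."""
    rules = default_whitelist()
    rules[2].enabled = False                                                   # 'Any MAC address' off
    rules.append(Rule(MAC, "00:1a:2b:*"))                                      # constructed OUI
    rules.append(Rule(MAC, range=("f0:de:f1:00:00:00", "f0:de:f1:00:00:ff")))  # constructed range
    return rules


# Constructed sample endpoints, not real devices.
SAMPLE_ENDPOINTS = [
    Endpoint("printer-01", "10.0.1.20", "00-1A-2B-3C-4D-5E"),  # matches the OUI wildcard
    Endpoint("cam-07", "10.0.1.40", "f0:de:f1:00:00:7a"),       # inside the MAC range
    Endpoint("unknown", "10.0.1.99", "f0:de:f1:00:01:00"),      # just past the range end
    Endpoint("", "10.0.1.1", "00:00:0c:07:ac:05"),              # HSRP virtual MAC -> ignored
]


def run_demo() -> Dict[str, Tuple[str, List[str]]]:
    wl, ig = mac_only_whitelist(), default_ignore_list()
    return {ep.mac: classify(ep, wl, ig) for ep in SAMPLE_ENDPOINTS}


if __name__ == "__main__":
    for mac, (verdict, failed) in run_demo().items():
        print(f"{mac:20} {verdict:8} {', '.join(failed) or '-'}")
```

The `failed` list returned by `classify` is the part worth keeping in a real alert: an endpoint can be rogue purely because its hostname rule was disabled while its MAC is perfectly well known, and the alert text should say which attribute was missing so an operator does not chase a MAC that is already on the list.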
This blog post will be updated regularly based on the questions we receive. If you have a question that is not answered here, please let us know.