How can we help?

A note about port scans and login attempts by the Auvik collector

Follow

When you first deploy Auvik on a network, it attempts to figure out as much it possibly can about the network’s devices without additional input. In that process, it classifies and picks up on devices that respond to default SNMP and login credentials.

Devices like printers and uninterruptible power supplies typically ship with SNMP enabled using default credentials. That’s why they’re usually among the first devices to be classified and monitored using Auvik.

During discovery, Auvik attempts to port scan each device to detect what services are running (e.g., Telnet, SSH, HTTP). Once a device is classified, any rules specified in the discovery settings are applied.

Note: The cloud ping servers in the Auvik environment have assigned static IP addresses. Refer to Auvik’s network address translation (NAT) gateway for more information.

Take the discovery lifecycle of a UPS, for example:

  1. Auvik scans the subnet containing the UPS for the first time. It sends a ping to the IP address of the UPS, which is echoed back.
  2. Receiving the echo, Auvik attempts further discovery on the device. A port scan is executed.
  3. Inputted SNMP credentials are applied against the device for further classification. Assuming the UPS is using the standard public credential, the device is recognized automatically.
  4. Recognizing the device as a UPS based on the object identifier returned by SNMP, Auvik stops port scans against the UPS. But health checks (ICMP and TCP pings) continue to run against the device.

Since there’s always at least one port scan executed during discovery, a device or software package with native port scan or login attempt alerting may raise an alert. It’s a one-time notification and shouldn’t occur repeatedly. Commonly known hardware and software packages that may raise such an alert include:

  • Fortinet firewalls
  • APC UPSs
  • Symantec Endpoint Protection

For these devices, we recommend you whitelist the IP address of any Auvik collector (virtual or Windows service) you have running. This will inform your device that Auvik is a trusted party with permission to initiate port scans and complete network discovery.

 

Was this article helpful?
3 out of 5 found this helpful
Have more questions? Submit a request