After you discover your interfaces, the Interfaces pages list the interfaces with the following icons:
- Managed interfaces that have Tanium Client installed.
- Unmanaged interfaces that do not have Tanium Client installed, but might be candidates for a Tanium Client installation.
- Unmanageable interfaces are on devices that cannot run the Tanium Client. By default, unmanageable interfaces have an OS platform that is not supported by the Tanium Client, defined by the Unmanageable OS Platforms predefined automatic label. To mark interfaces as unmanageable based on custom criteria, use the Mark Unmanageable label activity.
Interfaces can be easier to manage if you apply labels to split them into logical groups. You might create labels based on the following attributes:
Label interfaces to group them by physical location.
Organization and team
Label interfaces to identify the department that owns them.
Label interfaces to classify them into management groups. For example, you can label laptop computers as mobile devices.
Devices excluded from management
Label devices that are not managed by Tanium. For example: printers, IP phones, and networking devices such as routers and switches.
On the Interfaces pages, you can view your interfaces in many different ways (managed interfaces, unmanaged interfaces, labeled interfaces, and so on). You can customize and filter these views, then export the results to a .csv file.
- To customize an Interfaces page, click the menu on a column. From there, you can sort the results on that column, add columns to the data grid, and filter the results.
- To export the current data grid of interfaces to a .csv file, click Export Data.
You can define multiple labels for a single interface. Label information is stored with your inventory in Discover and is preserved from one scan to the next.
You can label interfaces in several of the views. Select the interfaces that you want to label and then click Label. From there, you can create a label or apply an existing label to the selected interfaces.
To create a label from the Labels page, click Create.
You cannot manually add an automatic label to an interface. Automatic labels are only applied to interfaces based on the label conditions. See Automatically label interfaces.
After you define labels and assign them to your interfaces, you might want to change or remove labels. You can manage your labels in the Labels view.
- View all labels on the Labels page.
- Click a label to view the label details. If you delete a label, the label is removed from all the related interfaces.
Ignoring an interface removes it from the list of interfaces and adds it to the list on the Ignored Interfaces page. An interface that is ignored is not included in views or counts other than the Ignored Interfaces page. To ignore interfaces, select interfaces and click the Ignore button, or create an automatic label to ignore interfaces. If you want to start tracking an interface again, you can update the interface on the Ignored Interfaces page.
When you have many interfaces to label, you might want to consider setting up automatic labeling on your interfaces. Automatic labels are applied to interfaces each time the discover unmanaged interfaces operation runs. In addition to applying a label on interfaces, you can also set actions to ignore, purge, mark unmanageable, or send notifications on the interfaces that match the conditions of the label.
- Set up automatic labeling with one of the following methods:
- Add conditions on which to apply the label. The conditions include Computer ID, Device Type, Discovery Method, First Seen, Hostname, IP Address, Labels, Last Discovered, Last Managed, Last Seen, MAC Address, NAT IP Address, Open Ports, OS Generation, OS Platform, and Unmanageable.
The IP Address, Hostname, Labels, and Open Ports conditions support matching on patterns and ranges. Each of these conditions has a corresponding negative version. Regular expressions are not supported.
Has a <value> that equals: An exact match, such as 192.168.1.195
Has an address in the range: For IP Address, a range (CIDR included), such as 192.168.1.195-192.168.1.197 or 192.168.1.0/24.
Has a <value> that matches pattern: A glob match that supports * (multiple characters) and ? (single character). For example, 192.168.1.??? matches IP addresses that have three digits in the last octet.
Has a <value> that contains: A partial match for a value
Has <value>: A match for at least one value
The following conditions are valid only with Nmap scan discovery:
- Open Ports: The most common 1000 ports that get scanned by Nmap, or from a list of ports provided in the discovery method configuration.
- OS Platform: The operating system, as determined by Nmap.
- OS Generation: A "best guess" of OS version from OS fingerprinting. Consider carefully if you choose OS Generation as a label condition.
- Set an activity that runs when the conditions in the label are matched.
- Label: Apply a label to the interface.
- Ignore: Add the interface to the list of Ignored Interfaces.
- Mark Unmanageable: Mark the interface as unmanageable (cannot run Tanium Client).
- Notify: Send a notification about the interface.
- Purge: Remove interfaces that match the criteria from the Discover database.
Labeling is applied to interfaces each time the results from the discovery methods are imported.
After you make a label automatic, the label is displayed in a darker gray in the Interface Labels view. If the label is set to ignore, it is displayed in red.
To handle ephemeral devices that quickly join and leave the network, you can set up an automatic label that either moves the interface to the Ignored Interfaces page or removes the interface from Discover.
For example, you might want to ignore any interfaces that have not been discovered in the last 60 days. To set up this label, select: Last Discovered, Older Than, 60 days as the conditions, and choose Ignore as the label activity.
To remove an interface, choose Purge as the label activity. Purging an interface completely removes all historical information about that interface from Discover. If you want to maintain some historical information about the interface, consider using the Ignore label activity.
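A dry run of the conditions described above, useful for checking which interfaces a rule would catch before you attach Ignore or Purge to it. This is an added example, not Tanium code: the field names, the `dry_run` helper, the AND combination of conditions, case-sensitive matching, and the sample inventory are all assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

NOW = datetime(2018, 8, 15)  # fixed clock so the dry run is reproducible

def in_range(ip, spec):
    """IP range condition: CIDR (192.168.1.0/24) or start-end."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)

def glob(value, pattern):
    """Glob with only * and ?; everything else is literal (no regex)."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value) is not None

OPS = {
    "equals": lambda v, a: v == a,
    "in_range": in_range,
    "matches_pattern": glob,
    "contains": lambda v, a: a in v,
    "older_than_days": lambda v, a: NOW - v > timedelta(days=a),
}

def dry_run(inventory, conditions):
    """Return MACs of rows meeting every condition (AND is an assumption).
    A condition is (field, op, argument, negate); negate gives the
    'negative version' of the condition."""
    return [row["mac"] for row in inventory
            if all(OPS[op](row[f], arg) != neg for f, op, arg, neg in conditions)]

# Constructed sample inventory; field names are assumptions, not export columns.
INVENTORY = [
    {"mac": "AA-00-00-00-00-01", "ip": "192.168.1.195",
     "hostname": "lab-print-01", "last_discovered": datetime(2018, 8, 14)},
    {"mac": "AA-00-00-00-00-02", "ip": "192.168.1.20",
     "hostname": "hq-lt-007", "last_discovered": datetime(2018, 5, 1)},
    {"mac": "AA-00-00-00-00-03", "ip": "10.4.2.7",
     "hostname": "dc-sw-03", "last_discovered": datetime(2018, 8, 10)},
]

if __name__ == "__main__":
    stale = [("last_discovered", "older_than_days", 60, False)]
    print("would be ignored or purged:", dry_run(INVENTORY, stale))
```

Running the same conditions against an exported .csv of your own inventory shows the blast radius of a Purge rule before any history is lost.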
You can use an underscore (_) character as a wild card in your automatic labels.
For example, you might want to filter the labeling on your interfaces by MAC address. You might have the following MAC addresses:
You can set up an automatic label: Mac Address contains B5-3_-
that matches the following interfaces:
With the Network Quarantine shared service, you can set up a network access control (NAC) solution to block and unblock interfaces based on MAC or IP address.
Configure a NAC
For information about setting up either a Palo Alto Networks Layer 3 firewall or Cisco Identity Services Engine (ISE) to quarantine endpoints, see Tanium Network Quarantine User Guide.
Quarantine or unquarantine interfaces
After you configure a NAC in Network Quarantine, you can quarantine or unquarantine an IP or MAC address from Discover.
You must have the Network Quarantine User role to perform the quarantine or unquarantine action. For more information about configuring user roles, see Tanium Core Platform User Guide: Assign roles to a user.
- From the Discover menu, click Interfaces. Select one or more interfaces.
- Click Quarantine or Unquarantine. The menu displays the available NACs that were configured in Network Quarantine.
- After the IP or MAC address is quarantined, the row is highlighted on the Interfaces page.
If you have a Palo Alto Networks Dynamic Address Group, Discover can send a request to Palo Alto to block network access for the unmanaged interface.
Use Tanium Connect to communicate with a networking device to block and unblock access to the network.
The following steps are shown using Connect 4, but the steps for configuring blocking and unblocking connections with previous versions of Connect are similar.
You must have the Connect User role to create a connection. For more information about configuring user roles, see Tanium Core Platform User Guide: Assign roles to a user.
Configure connections for blocking and unblocking
To configure both blocking and unblocking, you must configure two separate connections. Repeat these steps to configure two different connections: a connection for blocking and a connection for unblocking. The Label value on both connections must be identical.
- Select the connection destination.
From the Discover home page, go to the Configure section. Click Configure Network Access. Click Create a connection to block an unmanaged interface. The Create Connection page opens in Connect. The blocking connection is pre-configured with default settings.
- Name the connection.
In the General Information section, confirm that Enable is selected.
- Configure the source and destination.
- In the Source section, the Event source is selected by default.
- In the Event Group field, the Discover Blocking option is selected by default. To configure blocking, select Discover Blocking. To configure unblocking, select Discover Unblocking.
- In the Destination section, accept the default destination of Dynamic Address Group.
- In the Select operation field:
To configure blocking, select Add.
To configure unblocking, select Remove.
- Configure the Host, User Name, and Password for your firewall device.
- For the Label field, enter a text string to label the IP address of the interface to be blocked or unblocked. The Palo Alto Networks firewall defines a Dynamic Address Group (DAG) based on this label. A blocking policy is applied to the DAG. You must use the exact same Label value for the blocking and unblocking connections.
- (Optional) Filter the data.
You can optionally filter for new items, regular expressions, numeric operators, or unique values from data columns. For more information, see Tanium Connect User Guide: Filtering options.
Example: Block and unblock connections
When the configuration is complete, you have two connections for blocking and unblocking interfaces. Both connections have similar settings for the server configuration and labels.
Deploy block and unblock actions
After you configure a network device for blocking or unblocking, a check mark is displayed on the Discover home page to show that the Block actions are available. The Block action is available in most interface views.
- From the Discover menu, click Interfaces. Select one or more interfaces that you want to block or unblock.
- Click Block or Unblock. The menu displays the available blocking connections.
- Select the blocking connection you want to use. If the blocking action starts successfully, a success message is displayed.
To follow the progress of the blocking action, click the MAC address of the targeted interface to open the Single Interface view and look at the Notes section. Click refresh to get the latest status of the action.
Last updated: 8/15/2018 2:10 PM