Home > User Interface > Configuration > Compliance > Fingerbank

Fingerbank

Menu path: Configuration > Compliance Overview > Fingerbank.

Fingerbank performs device profiling or fingerprinting using the Fingerbank system. It accurately identifies endpoints on your network including type, operating system, and class. Fingerbank updates are downloaded automatically. Local device definitions are also supported.

The general format and usage of this page is discussed in General GUI Usage.

The tabs available for Fingerbank Profiling are:

Client Change Detection - specifies when a device class change alert should be triggered.
Combinations -defines combinations of Fingerprint specifications.
Devices - lists and defines a tree of known device types.
DHCP Fingerprints - lists and defines known DHCP fingerprints.
DHCP Vendors - lists and defines known DHCP vendors and versions.
DHCPv6 Fingerprints - lists and defines known DHCPv6 fingerprints.
DHCPv6 Enterprises - lists and defines known DHCPv6 enterprises.
MAC Vendors - lists and defines known MAC vendors.
User Agents - lists and defines known User Agents.

Client Change Detection

Fingerbank can trigger alerts related to a change in device class for a client, which can indicate a security event. A whitelist and a set of manual triggers are provided for full control. The controls on this tab are:


Field	Usage	Example
Enabled	If enabled, the Fingerbank device change feature is enabled.
Trigger on Client Class Change	If enabled, the fingerbank_device_change condition is triggered.
Client Class Change Whitelist	A comma-separated list of transition indicators that should not trigger a device change. Each transition indicator is of the form previous->new, where previous and new are device class IDs from the Fingerbank database. The common IDs are listed below the manual trigger box.	33453->33450,8238->12
Manual Client Class Change Triggers	A comma-separated list of transition indicators that should trigger a device change. Each transition indicator is of the form previous->new, where previous and new are device class ID from the Fingerbank database. The common IDs are listed below.	21->13

Combinations

Multiple data points can be combined into a named Combination ID that is used in the device profile within a security event trigger (Configuration > Compliance Overview > Fingerbank > Combinations).

New combinations are added using the new combination icon button. Only those fields shown below can be used in a custom combination signature. The fields in the resulting dialog are:


Field	Usage	Example
DHCP Fingerprint	An item from the DHCP Fingerprints list indicating which parameters the device's DHCP client can provide. A3 offers matching database entries as a value is entered.	1,2,3,15,6,12,44
DHCP Vendor	An item from the DHCP Vendors list indicating the DHCP client's vendor and version. A3 offers matching database entries as a value is entered.	MSFT 5.0
DHCPv6 Fingerprint	An item from the DHCPv6 Fingerprints list indicating what parameters the device's DHCPv6 client can provide. A3 offers matching database entries as a value is entered.	12362,16999,3095,24,39,7
DHCPv6 Enterprise	The DHCPv6 enterprise number.	12
MAC Vendor (OUI)	An item from the MAC Vendors list indicating the organizational unit identifier (OUI) for the MAC address for a node.	00100
User Agent	The name of the user agent on the node.	HiveClient/1.0
Device	The name of the device.	Microsoft Windows Kernel 10.0
Version	The version number.	12
Score	A number between 0 and 100 indicating the confidence of the combination.	50

Devices

Three lists are displayed here for entries in the global Fingerbank database (Upstream), locally defined (Local), and all entries (All). Devices are organized in a tree with parents and children.

Upstream

The Upstream display initially shows top-level entries by Identifier and Device name. Each identifier is displayed in a box with a + sign: for example add . Clicking on the plus igon expands all nested device categories and devices, if there are any. The path to the current entries is displayed above the list. Select any member of the path or the delete icon to collapse the list.


Field	Usage	Example
Identifier	A unique identifier assigned for the device.	7
Name	Name of the device ID shown in the dialog header.	Projector
Parent Device	The name of the device ID's parent.	Audio
Mobile	If checked, the device is a mobile device.	0
Tablet	If checked, the device is a tablet.	0

Each entry has clone icon buttons to create a new device at the same level or as a child of the current device.

Local

The Local list displays all locally defined devices. Select new client icon to define a new device which can be a top-level client or a child of an already defined parent device. The fields in this dialog are:


Field	Usage	Example
Name	Name of the client device.	Headphones
Parent Device	The name of the device ID's parent.	Audio

DHCP Fingerprints

Three lists are displayed here for entries in the global Fingerbank database (Upstream), locally defined (Local), and all entries (All).

Upstream

The Upstream display initially shows entries by DHCP Identifier, and DHCP FIngerprint. Each entry has clone icon button to create a new DHCP Fingerprint ID.

Local

The Local list displays locally defined entries by DHCP Identifier ID, and DHCP FIngerprint. Each entry has clone icon button to create a new local DHCP Fingerprint ID as well as a delete icon button to delete the current entry. New entries can also be created via the new DHCP fingerprint icon button.

DHCP Vendors

Three lists are displayed here for entries in the global Fingerbank database (Upstream), locally defined (Local), and all entries (All).

Upstream

The Upstream display initially shows entries by DHCP Identifier, and DHCP Vendor. Clicking on the number provides a dialog with the value as an editable field. Clicking on an identifier provides an editable dialog for the item.

Each entry has clone icon button to create a new DHCP Vendor ID.

Local

The Local list displays locally defined entries by DHCP Vendor ID, and DHCP Vendor. Clicking on an identifier provides an editable dialog for the item. Each entry has clone icon button to create a new local DHCP Vendor ID as well as a delete icon button to delete the current entry. New entries can also be created via the add DHCP vendor icon button.

DHCPv6 Fingerprints

Three lists are displayed here for entries in the global Fingerbank database (Upstream), locally defined (Local), and all entries (All).

Upstream

The Upstream display initially shows entries by DHCPv6 Identifier, and DHCPv6 Fingerprint. Each entry has clone icon button to create a new DHCP Fingerprint ID. Clicking on an identifier provides an editable dialog for the item.

Local

The Local list displays locally defined entries by DHCPv6 Fingerprint ID, and DHCPv6 Fingerprint. Clicking on an identifier provides an editable dialog for the item. Each entry has clone icon button to create a new local DHCPv6 Fingerprint ID as well as a delete icon button to delete the current entry. New entries can also be created via the new DHCPv6 fingerprint icon button.

DHCPv6 Enterprises

Three lists are displayed here for entries in the global Fingerbank database (Upstream), locally defined (Local), and all entries (All).

Upstream

The Upstream display initially shows entries by DHCPv6 Identifier, and DHCPv6 Enterprise. Each entry has clone icon button to create a new DHCPv6 Enterprise ID. Clicking on an identifier provides an editable dialog for the item.

Local

The Local list displays locally defined entries by DHCPv6 Enterprise ID, and DHCPv6 Enterprise. Clicking on an identifier provides an editable dialog for the item. Each entry has clone icon button to create a new local DHCPv6 Enterprise ID as well as a delete icon button to delete the current entry. New entries can also be created via the add DHCPv6 enterprise icon button.

MAC Vendors

Three lists are displayed here for entries in the global Fingerbank database (Upstream), locally defined (Local), and all entries (All).

Upstream

The Upstream display initially shows entries by MAC Identifier, MAC OUI, and MAC Vendor. Clicking on the number provides a dialog with the vendor name and OUI as editable fields. Each entry has clone icon button to create a new MAC Vendor ID.

Local

The Local list displays locally defined entries by MAC Vendor ID, MAC OUI, and MAC Vendor. Clicking on the number provides a dialog with the vendor name and OUI as editable fields.

Each entry has clone icon button to create a new local DHCP Vendor ID as well as a delete icon button to delete the current entry. New entries can also be created via the new DHCPvendor icon button.

User Agents

Upstream

The Upstream list displays locally defined entries by User Agent. Clicking on the number provides a dialog with the User Agent name.

Each entry has clone icon button to create a new local User Agent as well as a delete icon button to delete the current entry.

Local

The Local list displays locally defined entries by User Agent. Clicking on the number provides a dialog with the User Agent name.

Each entry has clone icon button to create a new local User Agent as well as a delete icon button to delete the current entry. New entries can also be created via the new DHCP agent icon button.