Hitachi

JP1 Version 12 JP1/IT Desktop Management 2 Overview and System Design Guide


2.8.2 Settings for controlling network connections

By enabling the network monitor feature in a network segment, you can control the network access of all devices in that segment. To control network connections of the devices, an administrator must understand the status of the network segment. Therefore, device network connections are controlled on a management server basis. This section describes how to configure the network monitor feature to control access to the network.

Implementing the network monitor feature

To implement the network monitor feature, enable the network monitor in each segment where you want to monitor network access. You can then configure whether to permit devices to access the network in each of those segments. You can enable the network monitor on one computer in each network segment. The computer must have the agent installed. If you attempt to enable the network monitor on a second computer, an error message is displayed.

Tip

By viewing the Topic panel of the Home module, you can find out if there are any network segments without the network monitor enabled. A warning message appears if there are any such network segments.

Important

Network devices such as routers, switches, and network printers are less likely to communicate with other devices, so they might not be detected by the network monitor immediately after operations start with the network monitor enabled.

Setting the control method for network access

The following settings govern how network connections are controlled in network segments with the network monitor enabled:

  1. Whether newly discovered devices are permitted to connect to the network (network monitor settings)

    In the network monitor settings, you can set whether newly discovered devices in each network segment are permitted to connect to the network. Network monitor settings are assigned to computers with the network monitor installed. You can select which network monitor settings to assign when you enable the network monitor. You can later change the network monitor settings assigned to a network segment, or assign a different set of network monitor settings.

    For details about how to manage network monitor settings, see 2.8.6 Using network monitor settings to control network access.

  2. Whether specific devices are permitted to connect to the network (network control list)

    In a network control list, you can define whether individual devices are permitted to connect to the network. When a device is discovered, it is automatically added to the network control list. Whether that device can connect to the network depends on the network monitor settings. By editing the settings in the network control list, you can control the network connectivity of individual devices. You can also permit a device to connect to the network only within a certain time period by setting a start date/time and end date/time.

    Tip

    You cannot specify a time period for network access by a management server, relay system, or a computer with network monitor enabled.

    Tip

    When you designate a discovered device as a management target or exclusion target, that device is automatically granted network access in the network control list. This is because the device is now seen as belonging to your organization.

    Important

    To prevent routers, printers, servers, and other business-critical devices from being blocked due to automatic update of the network control list, we recommend that you manually enter the IP addresses of these devices in the network control list. When doing so, leave the MAC address field blank. If you enter a MAC address, the device might disappear from the network control list when its device information is updated. For details about the automatic update of the network control list, see 2.8.15 Automatic updating of the network control list.

    Tip

    When you register new device information or edit existing device information in the network control list, the Reviewed check box of the device in question becomes selected. This check box indicates devices that require the administrator's attention and ensures that devices are not unintentionally blocked or permitted to connect to the network. The administrator must check the devices for which the Reviewed check box is selected, and then clear the check box after verifying that there are no problems. Note that the check box can be cleared at any time.

    For details about how to manage the network control list, see 2.8.8 Managing the network control list.

The network monitor settings and the network control list together govern a device's ability to connect to the network. By combining these settings, you can implement the following forms of network control:

Exclusive communication destinations for blocked devices

Devices blocked by the network monitor feature can communicate with only computers with the network monitor enabled in the network segment and computers registered in the Exclusive Communication Destination for Access-Denied Devices list. For details about communication by blocked devices, see 2.8.13 Registering devices that are accessible to blocked devices.

You might have to specify the exclusive communication destination depending on the network environment of the organization. The following describes the cases in which exclusive communication destinations must be specified and examples of Exclusive Communication Destination for Access-Denied Devices settings.

Case: The DNS server is used to resolve the device names in the organization.

Description: If the DNS server is used to resolve the device names in the organization, set the IP address of the DNS server for Exclusive Communication Destination for Access-Denied Devices. If the DNS server's IP address is not set and another IP address is set for Exclusive Communication Destination for Access-Denied Devices, name resolution will fail. As a result, network access using the host name will not be possible when the blocked devices connect to the exclusive communication destinations.

Example of Exclusive Communication Destination for Access-Denied Devices settings:

  • Destination IP Address: IP address of the DNS server

  • Communication Protocol: No specification

  • Destination Port Number: No specification

  • Source IP Address: No specification

  • Source Port Number: No specification

Case: NetBIOS broadcast is used to resolve the name of a device in the organization.

Description: If NetBIOS broadcast is used to resolve the name of a device in the organization, set the broadcast address for Exclusive Communication Destination for Access-Denied Devices. If the broadcast address is not set, name resolution will fail. As a result, devices with the network monitor enabled will no longer be able to access the network by using the host name.

Example of Exclusive Communication Destination for Access-Denied Devices settings:

  • Destination IP Address: Broadcast address (example: 192.168.1.255)

  • Communication Protocol: UDP

  • Destination Port Number: 137

  • Source IP Address: No specification

  • Source Port Number: No specification

Case: A device with the network monitor enabled is the DHCP server#

Description: If a device with the network monitor enabled is the DHCP server, set IP address 0.0.0.0 for Exclusive Communication Destination for Access-Denied Devices. If 0.0.0.0 is not set, IP address assignment will fail. As a result, the devices with no IP address assigned will no longer be able to access the network.

Example of Exclusive Communication Destination for Access-Denied Devices settings:

  • Destination IP Address: 0.0.0.0

  • Communication Protocol: UDP

  • Destination Port Number: 68

  • Source IP Address: Subnet mask in CIDR format (example: 255.255.255.0/24)

  • Source Port Number: 67

#: The DHCP server can automatically assign IP addresses. However, if the network monitor is installed in a Windows environment, the Remote Access feature (Incoming Connections) of Routing and Remote Access Service that is enabled at installation reserves 10 IP addresses. This reduces the number of IP addresses that can be assigned by 10. You can prevent this problem in the following OSs by stopping the Remote Access feature:

To stop the Remote Access feature:

  1. Open the command prompt window with Administrator permissions.

  2. Execute the netsh ras show type command at the command prompt.

  3. Confirm that Enabled is displayed for IPv4 Remote Access Server at the command prompt.

  4. Execute the following command at the command prompt to stop the Remote Access feature:

    netsh ras set type ipv4rtrtype = lanonly ipv6rtrtype = none rastype = none

  5. Restart the Routing and Remote Access Service service.

  6. Execute the netsh ras show type command at the command prompt.

  7. Confirm that Disabled is displayed for IPv4 Remote Access Server at the command prompt.
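The following Python is an added illustration, not JP1/IT Desktop Management 2 code: it models how the five fields of an Exclusive Communication Destination for Access-Denied Devices entry combine to decide whether a blocked device's communication passes, using the three cases from the table above ("No specification" is a wildcard). The DNS server address 192.168.1.53 and the DHCP source network 192.168.1.0/24 are constructed values; the computers with the network monitor enabled, which blocked devices can always reach, are not modelled.

```python
"""Model of Exclusive Communication Destination for Access-Denied Devices entries.

Added illustration, not JP1/IT Desktop Management 2 code. None stands for the
manual's "No specification" and matches anything. 192.168.1.53 (DNS server) and
192.168.1.0/24 (DHCP source network) are constructed values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Destination:
    dst_ip: Optional[str] = None    # Destination IP Address
    protocol: Optional[str] = None  # Communication Protocol, "UDP" or "TCP"
    dst_port: Optional[int] = None  # Destination Port Number
    src_net: Optional[str] = None   # Source IP Address, as a CIDR network
    src_port: Optional[int] = None  # Source Port Number

    def matches(self, src_ip, src_port, dst_ip, dst_port, protocol):
        """True when every specified field matches the packet; unspecified fields always match."""
        if self.dst_ip is not None and ip_address(dst_ip) != ip_address(self.dst_ip):
            return False
        if self.protocol is not None and protocol.upper() != self.protocol.upper():
            return False
        if self.dst_port is not None and dst_port != self.dst_port:
            return False
        if self.src_net is not None and ip_address(src_ip) not in ip_network(self.src_net, strict=False):
            return False
        if self.src_port is not None and src_port != self.src_port:
            return False
        return True


# The three cases from the table, one entry each.
DNS_SERVER = Destination(dst_ip="192.168.1.53")
NETBIOS_BROADCAST = Destination(dst_ip="192.168.1.255", protocol="UDP", dst_port=137)
DHCP_FROM_MONITOR = Destination(dst_ip="0.0.0.0", protocol="UDP", dst_port=68,
                                src_net="192.168.1.0/24", src_port=67)
EXCLUSIVE_DESTINATIONS = (DNS_SERVER, NETBIOS_BROADCAST, DHCP_FROM_MONITOR)


def communication_permitted(src_ip, src_port, dst_ip, dst_port, protocol,
                            destinations=EXCLUSIVE_DESTINATIONS):
    """A blocked device's traffic passes only if at least one registered entry matches it."""
    return any(d.matches(src_ip, src_port, dst_ip, dst_port, protocol) for d in destinations)
```

A DNS query to 192.168.1.53 passes under the first entry, while the same query to any other resolver is dropped, which is the failure mode the DNS case describes.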
