# Rogue Detection Tool

The [Rogue Detection tool](https://www.manageengine.com/products/oputils/rogue-detection-and-prevention.html) of OpUtils software helps in detecting unauthorized access to network resources. The tool periodically scans your routers, subnets, switches, gateway servers, etc., and detects wireless and wired rogue systems, devices, access points, and more.

- [Configuring Rogue Detection Tool](#configuring-rogue-detection-tool)
- [Discovered Devices](#discovered-devices)
- [Trusted Devices](#trusted-devices)
- [Guest Devices](#guest-devices)
- [Rogue Devices](#rogue-devices)
- [Block / Unblock Switch Ports](#block--unblock-switch-ports)
- [Configure Alert Notifications](#configure-alert-notifications)

## Configuring Rogue Detection Tool

1. Add all the routers, switches, and gateway servers in your network from **Settings -> Discovery -> Routers -> Add Device** and schedule scanning.
2. To get the details of the switch and port to which a device is connected, map all your switches using the Switch Port Mapper tool.
3. To automatically move discovered devices to Trusted, add your Active Directory domain details from **Settings -> Discovery -> Active Directory**. Computer names that match the AD domains will be automatically marked as Trusted.
4. Import the MAC addresses of trusted devices in the network to mark them as Trusted.

After successful scanning of your network, you can perform the following operations:

- Verify the list of [discovered devices](#discovered-devices) and mark all your network devices as trusted. Once marked as trusted, the devices will not be listed in the Discovered tab again.
- Mark an unknown or unauthorized device as Rogue.
- Allow devices for a [temporary period](#guest-devices).
- [Block the switch port](#block--unblock-switch-ports) to which a rogue device is connected.

## Discovered Devices

OpUtils periodically scans the routers, switches, and gateway servers to discover the devices in the network.
This includes all the devices in the network, irrespective of whether a device is a rogue or not. All the discovered devices are listed under the Discovered tab in the Rogue Detection tool. The administrator has to verify the device list and mark the devices accordingly. The following options are available:

- [Mark the systems/devices as trusted](#to-mark-a-device-as-trusted).
- [Mark the systems/devices as guest to allow access for a specified period](#to-allow-devices-for-a-temporary-period).
- [Mark the systems/devices as rogue](#to-mark-a-device-as-rogue) and take appropriate action. The action could be to get the details of the switch and port through which the device is accessing the network and [block the switch ports](#to-blockunblock-a-switch-port) to stop unauthorized access.
- [Configure email alerts](#to-configure-e-mail-alerts) for instant notification.

## Trusted Devices

Trusted devices represent the valid devices in your network. From the **Inventory -> Rogue** tab, you can select devices and mark them as trusted so that they do not get listed in the Discovered tab again.

### To Mark a Device as Trusted

1. Click the **Rogue Detection** tab.
2. Select the **Discovered** tab. This will list all the discovered devices in the network.
3. Select the valid devices and click **Mark as Trusted** from the more actions icon. To mark all the discovered devices as valid, click **Mark All as Trusted**.

The devices that are marked as trusted will be moved from the Discovered tab to the Trusted tab. You also have the option to mark devices as [Guest](#to-allow-devices-for-a-temporary-period) or [Rogue](#to-mark-a-device-as-rogue) from the Trusted tab.

### To Automatically Mark Devices as Trusted

You can automatically mark devices as Trusted in two ways:

- **By importing the MAC addresses of the trusted devices from a CSV file**
    1. Select the **Trusted** tab and click the **Import MAC Details** link.
    2. Browse to select a CSV file that contains the list of MAC and IP addresses of trusted devices in the network and click **Import**.
- **By adding your Active Directory domain details**
    1. Click **Settings -> Discovery -> Active Directory**.
    2. Click **Add AD Domain** and specify the Domain Admin Username, Password, Domain name and Domain Controller name.
    3. Click **Add** to add the domain. All computer names that match the domain name will automatically be moved to the Trusted category.

## Guest Devices

There might be situations where you need to allow certain devices to access your network resources for a temporary period. For example, a staff member from a different branch may visit your office for a month, or a student enrolled for a semester may need to be given access until he/she completes the semester. In such cases, you can specify a period until which a particular device needs to be considered trusted.

### To Allow Devices for a Temporary Period

1. Click the **Rogue Detection** tab.
2. Select the **Discovered** tab. This will list all the discovered devices in the network.
3. Select the devices that have to be given guest access and click **Mark as Guest**. This opens the **Configure Guest Validity Period** dialog with the details of the selected devices.
4. Specify a date until which the selected devices are valid.
5. Specify a comment or description and click **Save**.
6. The devices are moved to the Guest tab with the specified details. You can perform the following actions from here:
    1. [Mark a device as trusted](#to-mark-a-device-as-trusted)
    2. Extend the validity period
    3. [Block/Unblock the switch port](#to-blockunblock-a-switch-port)
    4. [Mark a device as rogue](#to-mark-a-device-as-rogue)

## Rogue Devices

### To Mark a Device as Rogue

1. Click the **Rogue Detection** tab.
2. Select the **Discovered** tab. This will list all the discovered devices in the network.
3. Select the devices that have to be marked as rogue and click **Mark as Rogue** from the more actions icon.

The devices that are marked as rogue will be moved to the Rogue tab. The administrator can take appropriate action and delete the device from the rogue list. If the same device is detected in subsequent scans, it will be listed here again. You can perform the following actions from here:

- [Mark a device as trusted](#to-mark-a-device-as-trusted)
- [Mark a device as guest](#to-allow-devices-for-a-temporary-period)
- [Block/Unblock Switch Ports](#to-blockunblock-a-switch-port)

**Important:** If the device is not deleted from the rogue list, it will not get listed under the Discovered tab upon rediscovery.

## Block / Unblock Switch Ports

### To View the Switch Details

The details of the switch and port to which a device is connected are shown in the **Switch Details** column under the Discovered tab. The switch details can have three different values:

1. **Switch IP, Switch Name, ifIndex, port, and ifName details** – These are the actual details of where a particular device is connected.
2. **Learned in xyz, but not directly connected** – This refers to switches through which the device has communicated but to which it is not directly connected.
3. **Unknown** – The switch details are not known. This can happen when you have not mapped all your switches using the Switch Port Mapper tool or when the device was detected after your switches were scanned. Mapping your switches again will show the details here.

### To Block/Unblock a Switch Port

1. Select a rogue device whose access you need to restrict by blocking the port and click **Block/Unblock Switch Port**. This opens the **Block/Unblock Switch Port** dialog with the details of the device and the switch.
2. Specify the SNMP Write Community of the switch and click **Block Port**.

When you block a switch port, the admin status of the port is set to "Down".
To unblock a blocked port, specify the Switch Name/IP Address, ifIndex, and SNMP Write Community, and click **Unblock Port**. This will set the "admin status" of the port to "Up".

## Configure Alert Notifications

Alerts are generated whenever a rogue device is detected or when the temporary validity expires. The Rogue Detection tool can be configured to send these notifications through email.

### To Configure E-mail Alerts

1. Click **Settings -> OpUtils -> Rogue Detection**. This opens the Alert Settings dialog.
2. Select the **Enable Email Alert** check box.
3. Select the **Notify when a Rogue Device is detected** option to be notified whenever a rogue device is detected.
4. Select the **Notify when the Guest Validity Expires** option to be notified when the guest validity period expires.
5. Specify the recipients' email addresses, separated by commas.
6. Click **Save**.

**Note:** To configure SNMP properties, click **Settings** located at the top right corner or click **Admin -> Settings**. For details, read the Configuring SNMP section.
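
The triage described in the Trusted Devices, Guest Devices and alert sections above, sketched as an added example (not OpUtils code). The `MAC,IP` column order of the CSV, the set of AD computer names, and all function names and sample values are assumptions made for illustration; it shows why MAC notation has to be normalised before a discovered device is compared with an imported trusted list.

```python
import csv
import io
import re
from datetime import date

def norm_mac(raw):
    """Return a MAC as lower-case aa:bb:cc:dd:ee:ff, or None if it is malformed."""
    digits = re.sub(r"[\s.:-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_trusted(csv_text):
    """Parse 'MAC,IP' rows (assumed layout); return (trusted MAC set, rejected rows)."""
    trusted, rejected = set(), []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        mac = norm_mac(row[0])
        if mac:
            trusted.add(mac)
        else:
            rejected.append(row)  # report bad rows instead of dropping them silently
    return trusted, rejected

def triage(devices, trusted, ad_computers, guests, today):
    """Map each discovered MAC to trusted / guest / guest-expired / discovered."""
    status = {}
    for raw_mac, name in devices:
        mac = norm_mac(raw_mac)
        if mac in trusted or name.lower() in ad_computers:
            status[mac] = "trusted"
        elif mac in guests:  # valid up to and including the configured date
            status[mac] = "guest" if today <= guests[mac] else "guest-expired"
        else:
            status[mac] = "discovered"  # stays listed for the administrator to decide
    return status

# Constructed sample data (not from a real network).
TRUSTED_CSV = "00-1A-2B-3C-4D-5E,192.0.2.10\n001a.2b3c.4d5f,192.0.2.11\nnot-a-mac,192.0.2.12\n"
AD_COMPUTERS = {"hr-laptop-07"}
GUESTS = {"02:00:00:00:00:aa": date(2024, 6, 30), "02:00:00:00:00:bb": date(2024, 5, 1)}
DISCOVERED = [("00:1a:2b:3c:4d:5e", "core-printer"), ("02:00:00:00:00:01", "HR-LAPTOP-07"),
              ("02:00:00:00:00:AA", "visitor-1"), ("02:00:00:00:00:bb", "visitor-2"),
              ("02:00:00:00:00:cc", "unknown")]

if __name__ == "__main__":
    trusted, rejected = load_trusted(TRUSTED_CSV)
    print(rejected, triage(DISCOVERED, trusted, AD_COMPUTERS, GUESTS, date(2024, 6, 1)))
```

Devices that come back as `guest-expired` correspond to the guest-validity alert, and those left as `discovered` are the ones still waiting to be marked Trusted, Guest or Rogue.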