lookupByIP in L2 discovery

Hi

Is there a way to lookup devices in a trigger by IP address when discovery mode is set to L2 Discovery?

I know you can do such a search using the API interface, but from a trigger the lookupByIP function only seems to work when working in L3 discovery mode.

regards

Rob

Hi @rob,

If this is executing on a protocol/flow event, you should have access to the device endpoints associated with the flow using the Flow.[client/server].device construct.

If that doesn’t help, would you mind providing a little more detail on your trigger, including:

  • On what trigger event are you looking to get access to a device?
  • At a high level, what you are looking to accomplish with the trigger?

Hi

It started with parsing syslogs from firewalls using the UDP_PAYLOAD trigger to put these logs in custom metrics (and records).

We then use these metrics to display in dashboards to have full visibility: running wire traffic + traffic that is blocked. At the moment this works nicely for overall view dashboards and monitoring dashboards of servers (or applications) with fixed IPs.

The flow devices in these triggers are now always the sender and the receiver of the syslog, but it would be nice if we could assign the metric directly to the corresponding device (in L2 discovery) corresponding with the source or target in the log.

This is interesting for blocked IPs from devices whose IPs are changing all the time because of DHCP. If we can assign the "block" metrics to the L2 device, the metrics stay with that device even when it gets a new IP from DHCP.

regards

Rob

Device.lookupByIP()

would be the ideal place to do this, however, it was discovered last week that this is currently broken on EDAs in L2 Discovery mode. A ticket has been filed to address it.
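An added example (not code from the thread or from ExtraHop) of the workflow Rob describes: parse a firewall syslog line from the UDP payload, pick the device the "block" metric should belong to, and fall back to the flow's sender device when Device.lookupByIP() returns null, as it does on an EDA in L2 discovery mode. The key=value syslog layout, the device table and the helper names `parseFirewallLine`, `attributeToDevice` and `lookupByIPStub` are constructed for the example; in a real UDP_PAYLOAD trigger the lookup and fallback would be `Device.lookupByIP()` and `Flow.client.device`.

```javascript
// Constructed sample: a firewall syslog line as it might arrive in the UDP
// payload. The key=value layout is an assumption; real firewall formats differ.
const SAMPLE_LINE =
  "<134>Jun 12 10:00:01 fw01 action=block src=10.1.2.3 dst=203.0.113.8 proto=tcp dport=445";

// Pull the source/destination addresses and the action out of a key=value
// syslog line. Returns null when the line carries no address pair.
function parseFirewallLine(line) {
  const fields = {};
  for (const m of line.matchAll(/(\w+)=(\S+)/g)) fields[m[1]] = m[2];
  if (!fields.src || !fields.dst) return null;
  return { src: fields.src, dst: fields.dst, action: fields.action || "unknown" };
}

// Decide which device receives the metric. lookupByIP stands in for
// Device.lookupByIP(); fallbackDevice stands in for Flow.client.device (the
// syslog sender), used when the lookup returns null so the metric is never
// silently dropped. Blocked traffic is attributed to the originating (src)
// device, which is the one whose DHCP address keeps changing.
function attributeToDevice(entry, lookupByIP, fallbackDevice) {
  const device = lookupByIP(entry.src) || fallbackDevice;
  const metric = entry.action === "block" ? "fw_blocked" : "fw_allowed";
  // In a trigger this is where device.metricAddCount(metric, 1) would be called.
  return { device, metric, fellBack: device === fallbackDevice };
}

// Simulated L2 device table keyed by the device's current IP (constructed).
const DEVICE_TABLE = { "10.1.2.3": { id: "dev-laptop-42" } };
function lookupByIPStub(ip) {
  return DEVICE_TABLE[ip] || null;
}

// Stand-alone run: the firewall itself plays the role of Flow.client.device.
const FIREWALL_DEVICE = { id: "fw01" };
const result = attributeToDevice(parseFirewallLine(SAMPLE_LINE), lookupByIPStub, FIREWALL_DEVICE);
console.log(result.metric, "->", result.device.id, result.fellBack ? "(fallback)" : "");
```

The `fellBack` flag is worth recording as a separate metric so a dashboard shows how much blocked traffic could not be tied to an L2 device while the lookup is broken.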