Kaspersky Industrial CyberSecurity for Networks

Performing active polling of devices

March 22, 2024

ID 236044

When working with Kaspersky Industrial CyberSecurity for Networks, you can conduct active polling of devices to receive the most accurate and complete information about devices and their configurations directly from the devices. Active polls are performed by using connectors. To conduct active polling of devices, one or more Active poll connectors must be added to the application.

Connectors provide various methods for conducting active polling. The available active polling methods depend on the utilized protocols and the commands and functions of these protocols. The application's built-in Active poll connector type contains a set of methods that support active polls over application-layer protocols and common protocols. Kaspersky Industrial CyberSecurity for Networks supports the following methods to actively poll the devices:

  • Receiving information about the operating system via the SMB protocol.
  • Receiving information about the device via the Beckhoff (UDP) protocol.
  • Receiving information about the device via the CIP (EthernetIP) protocol.
  • Receiving information about the device via the DNP3 protocol.
  • Receiving information about the device via the MMS protocol.
  • Receiving information about the device via the Modbus protocol.
  • Receiving information about the device via the s7comm (Ethernet) protocol.
  • Receiving information about the device via the s7comm (TCP) protocol.
  • Receiving information about the device via the SNMP v1, v2c, v3 protocol.
  • Receiving general information about the device via SSH.
  • Receiving general information about the device via WinRM (HTTP).
  • Receiving general information about the device via WinRM (HTTPS).
  • Receiving general information about the device via WMI.
  • Receiving information about the device vendor by MAC address via ARP (only for computers with kernel version 4.3 and later).
  • Receiving information about the device via the Profinet-DCP protocol (only for computers with kernel version 4.3 and later).
  • Scanning an industrial configuration and getting a list of tags (only for computers with kernel version 4.3 and later).

The methods are distinguished by the specific device information that they obtain. You can select the relevant information you need and the methods you want to use when configuring the active polling settings.

When using these methods, the application can automatically update the following device information based on the active polling results:

  • Name used to represent a device in the application.
  • Name used to represent the device in the network (network name).
  • Name of the device hardware vendor.
  • Device model name.
  • Device hardware version number.
  • Name of the device software vendor.
  • Device software name.
  • Device software version number.
  • Address information for network interfaces of the device.
  • Name of the operating system installed on the device (only for devices running Windows and Linux operating systems).
  • Configuration of Process Control settings and tags.
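
As an added illustration (not Kaspersky code; the page does not say which protocol functions the connector sends), this sketch assumes a Modbus poll uses the standard Read Device Identification request and shows how the reply yields the vendor, model and version fields listed above. The sample reply and the field mapping are constructed for the example; exception replies and malformed frames are rejected rather than trusted.

```python
import struct

# Basic object IDs from the Modbus specification. Mapping them onto the
# vendor/model/version fields listed above is an assumption of this example.
BASIC_OBJECTS = {0x00: "hardware_vendor", 0x01: "model", 0x02: "version"}

def build_request(transaction_id: int, unit_id: int = 1) -> bytes:
    """Modbus/TCP frame: function 0x2B, MEI type 0x0E, basic objects from ID 0."""
    pdu = bytes([0x2B, 0x0E, 0x01, 0x00])
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu

def parse_response(frame: bytes, transaction_id: int) -> dict:
    """Return the identification fields; raise ValueError on anything unexpected."""
    if len(frame) < 9:
        raise ValueError("frame too short")
    tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if tid != transaction_id or proto != 0 or length != len(frame) - 6:
        raise ValueError("MBAP header mismatch")
    pdu = frame[7:]
    if pdu[0] == 0xAB:  # 0x2B | 0x80: the device rejected the request
        raise ValueError(f"device returned Modbus exception code {pdu[1]}")
    if len(pdu) < 7 or pdu[0] != 0x2B or pdu[1] != 0x0E:
        raise ValueError("not a Read Device Identification response")
    count, pos, fields = pdu[6], 7, {}
    for _ in range(count):
        if pos + 2 > len(pdu) or pos + 2 + pdu[pos + 1] > len(pdu):
            raise ValueError("object runs past end of frame")
        obj_id, size = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + size].decode("ascii", "replace")
        fields[BASIC_OBJECTS.get(obj_id, f"object_{obj_id:#04x}")] = value
        pos += 2 + size
    return fields

def sample_response(transaction_id: int) -> bytes:
    """Constructed reply from a fictional device, not a capture."""
    objs = [(0x00, b"ExampleVendor"), (0x01, b"PLC-1000"), (0x02, b"V2.1")]
    body = b"".join(bytes([i, len(v)]) + v for i, v in objs)
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objs)]) + body
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, 1) + pdu

if __name__ == "__main__":
    print(build_request(7).hex())
    print(parse_response(sample_response(7), 7))
```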

The list of operating systems supported by the application for active polling of devices is provided in the Appendix.

The application does not update data for which the automatic update function was disabled using the Auto update toggle button when the device was added or when device information was edited. The application also evaluates the authenticity of received device information and in some cases may reject unreliable updates of previously received information.

Some active polling methods support the capability to detect risks and to make changes to the topology map based on obtained device information.

Only users with the Administrator role can run active polling of devices.

To utilize active polling functionality, you need to take into account the following special considerations and limitations:

  • This functionality is available after a license key is added.
  • Application modules of the connectors used to conduct active polling of devices must have network access to the devices so that they can send requests to the devices and receive data from them. If the application modules run on a node that has application components installed, that computer must have a network interface connected to the network of these devices. Network interfaces of monitoring points cannot be used for this purpose if they receive mirrored industrial network traffic (for example, from SPAN ports of network switches).
  • Active polling may result in some unforeseen issues with devices due to the possibility that these devices may incorrectly interpret the incoming active polling commands. These issues may be caused by an inappropriate or highly specialized configuration of devices. Issues may also arise due to latent errors in the network configuration that are not apparent during normal interactions between the devices. Consequently, active polling poses the following risks of potential impact on devices:
    • Device shutdown
    • Loss of connectivity with the device
    • Impaired performance of the device
    • Other potential malfunctions in the network and equipment

In this section:

Configuring and starting active polling

Performing update polling based on the results of active polling
