This guide walks through all of the stages of a runZero implementation, provides links to relevant documentation and videos, and gives some sample questions you can use to test your knowledge.
To follow along with the hands-on portions, you can either:
- Use your company’s existing runZero implementation as a reference to see what was done, or
- Set up a personal runZero account to scan your home network
Most of the hands-on work can be the same either way, but some tasks have adjustments for cases where you likely don’t want to make changes in your corporate environment.
Prerequisites
- Review the glossary to understand the runZero-specific terms you will come across
- Watch the demos to understand how different teams use the platform
Planning
The planning stage is mostly about strategizing your deployment. You should familiarize yourself with the standard deployment plan, use cases, key stakeholders, and sample network scenarios in the documentation.
Learning
Hands-on
If you are using your personal account, you won’t need any special configurations if your home network is a single subnet. But you should still check out the challenge questions to get an idea of things that are relevant for a corporate environment.
If you’re using your company’s runZero account, you should look at the Organizations, Sites, and Explorers that are configured. This will give you an idea of how runZero has been configured to match your organization’s network.
Challenge questions
Use these questions to increase your knowledge about runZero’s features and capabilities.
- Why would I use the self-hosted console instead of the SaaS platform?
  - To meet compliance or data sovereignty requirements.
- How many organizations do I need?
  - Usually just one, unless you are a service provider or require RBAC to the asset data internally.
- When do I use sites?
  - When you have overlapping IP space. You might also use them to organize data in highly complex networks.
- Should I be using an Explorer or scanner?
  - Usually an Explorer unless you have an air-gapped environment.
- What’s the difference between an Explorer and scanner?
  - Explorers are connected to the console, and the scanner is a standalone command-line tool.
- When might I need more than one Explorer?
  - When dealing with network segmentation that doesn’t allow routing between different networks.
Configuration
The configuration stage is all about taking the plan and putting it into action. It sets the environment up for success.
Learning
Hands-on
If you are using a personal runZero account:
If you are using your company’s runZero account:
Challenge questions
- How long will my scans take?
  - It depends on the configuration and number of devices scanned.
- How do I speed up my scans if my network can handle it?
  - Increase packets per second, increase max host group size, or enable subnet sampling.
- How do I slow my scans down if my network has low bandwidth?
  - Decrease packets per second or max host group size.
- How do I make an Explorer gather screenshots?
  - Install Chrome on the device the Explorer is installed on.
- Can I include more than one CIDR block in one scan?
  - Yes! Just separate CIDR blocks with commas.
- How do I know if my scans are getting blocked by a firewall/proxy?
  - You will have no data for devices that you are confident exist.
Analysis
Now that you have data, you can start digging through the inventory. The analysis stage is mostly about understanding the views in runZero, expanding your scans by finding gaps, and understanding your network topology.
Learning
Hands-on
For our analysis stage, you should:
Challenge questions
- What’s the process for doing an initial review of my data?
- Where can I see how many assets I have?
- Where do I see the most commonly used ports?
- How do I search for a specific hostname?
  - Use name:<hostname> in a filter line.
- Can I change the asset inventory view columns?
  - Yes! Click the cols dropdown and add or remove columns. Columns can also be dragged to reorder them.
- Can I do a relative time search on things like mac_age?
- What are the secondary addresses on an asset and how do you get them?
  - They are other IP addresses found during the scanning process for a device. It means we scanned one IP but found others while probing.
- What is RTT?
  - Round-trip time, also known as ping time. RTT is the time it takes for the network packet to reach its destination and for the reply to get back to the sender.
- What should I do if an asset has a high outlier score?
  - Verify that it belongs on the network.
Optimization
After you have run some scans and understand how to review the results, it’s time to optimize the scans for your environment and configure integrations.
Learning
Hands-on
For this stage, you should:
Challenge questions
- What does subnet sampling do?
  - Scans a random sample of each CIDR range to test whether any hosts exist in the range prior to doing a full scan of each IP address.
- Why would I want to only scan ping-able hosts?
  - To increase the speed of the scans.
- Where do I set up SNMP credentials and other integration credentials?
- What do I get with the cloud provider integrations?
  - Inventory imports from the cloud providers.
- How do I avoid scanning too many hosts at a time in low bandwidth environments?
  - Decrease the max group size in your Advanced scan options.
- Does anything happen with SNMP if I don’t have my communities configured?
  - The default public/private credentials are used.
Automation
After everything is configured and optimized, it’s time to automate as much as possible so runZero just works.
Learning
Hands-on
If you’re working on your personal account:
If you are using your company’s runZero account:
Challenge questions
- What is the format for adding tags in runZero?
  - Use the format tag=value to add tags.
- How do I make it so queries automatically run after scans?
- Where can I forward alerts with rules?
- Can I be alerted when there is a new asset?
- How do I create an alert when my Explorer goes offline?