Claroty Edge v1.4.12 Installation Guide 20230402


Claroty Edge Installation Guide
Edge Version 1.4.12

Confidential & Proprietary | Copyright © 2023 Claroty Ltd. All rights reserved
02-Apr-2023
Edge Installation Guide

TABLE OF CONTENTS

1. Claroty Edge Overview ...................................................................................................... 3
2. System Requirements ....................................................................................................... 4
2.1. Dependencies ........................................................................................................ 4
3. Configuration Options ....................................................................................................... 5
3.1. General User Interface Configuration Options ........................................................ 5
3.2. Advanced User Interface Configuration Options ..................................................... 9
3.2.1. Local Network Discovery Advanced Configuration Options .......................... 9
3.3. Command Line Execution Options ....................................................................... 12
3.3.1. Execution Parameters ............................................................................... 12
3.3.2. Collection Parameters ............................................................................... 12
3.3.3. Output Parameters ................................................................................... 13
3.3.4. Example Commands ................................................................................. 13
3.4. Running Edge With Token-Based Authentication .................................................. 14
3.4.1. Creating the Token .................................................................................... 14
3.4.2. Using the Token ........................................................................................ 14
3.4.3. Using the Token on Multiple Sites .............................................................. 15
4. Deployment Instructions ................................................................................................. 16
4.1. Manual Collection Directly to CTD ........................................................................ 16
4.2. Offline Collection to a File ..................................................................................... 16
4.3. Automated Running (e.g. GPO, SCCM) .................................................................. 17

02-Apr-2023 Edge Version 1.4.12 Page 2 of 19



1. Claroty Edge Overview

Claroty Edge is designed to bring fast, easy, and simple visibility into the OT environment. Claroty
has used all of its deep knowledge of OT, IT, and IOT environments to design a probe that gathers
rich information from assets, in a safe and secure manner. From a high level, Claroty Edge will
install onto Windows hosts throughout the OT / IT / IOT environment, and gather the following
data:

• Local Windows host information, such as:
  • IP address
  • MAC address
  • Windows version
  • Installed patches
  • Installed programs
  • USBs connected
• Identify all neighboring network assets
• Gather configuration information for neighboring OT assets, such as:
  • IP address
  • MAC address
  • Asset type (for example, PLC, HMI, Engineering workstation)
  • Model number
  • Serial number
  • Firmware version

All of this data is then sent to an upstream CTD site, where this data will be aggregated from
multiple Edges to give the following:

• Full asset identification of the environment
• Visibility into IT / OT / IOT assets
• Vulnerability information for assets (for example, CVEs)
• Risk identified for assets (for example, misconfigurations)


2. System Requirements

Claroty Edge is designed to be a low-impact and efficient process. For any of the deployment
scenarios above, see the CTD Server section of the CTD Architecture Guide for the minimum
specifications for the CTD Site Server.

Claroty Edge requires a minimum CTD site version of 4.2.3 or greater.

For the Windows host running Claroty Edge, it simply requires:

• Windows Operating System, compatible with:
  • Windows 7 and later
  • Windows Server 2012 and later
• A web browser if a User Interface is required, compatible with:
  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Microsoft Internet Explorer version 11 or greater
• A command line window if a User Interface is not required

2.1. Dependencies
JavaScript is required to be enabled on the browser to successfully run Edge.


3. Configuration Options

The Edge system has a simple configuration setup, designed to allow for quick execution. There is
both a UI execution method and a command line execution method.

3.1. General User Interface Configuration Options


When executing Claroty_Edge.exe, a command line window will be opened (which contains
log messages for the system), and the primary Edge UI will pop up in the host's default web
browser:

By default, the system is pre-configured to perform local host discovery for Windows information,
and network discovery for neighboring asset discovery. The general configuration options here
are as follows:

• Host Discovery
  • This identifies local Windows configuration information.
• Network Discovery
  This will by default perform the following series of discoveries:
  • IT/OT/IoT Broadcast Discovery
    • This will perform UDP broadcast discoveries for assets in the environment. This will capture
      initial information about these devices, and identify equipment that can be queried directly
      for more information
  • Subnet Identification (ICMP)
    • This will perform a ping sweep of the local network, looking for any neighboring devices
  • IT/OT/IoT Direct Discovery
    • These are more direct queries based on the information captured in the broadcast discovery
      and ICMP discoveries, which will capture detailed information on IT, OT, and IoT equipment


By default the system will send results directly to a CTD site, and requires the following
information:

• CTD address
  • The IP address of the upstream CTD
• User (default admin)
  • Username of the built-in administrator account

NOTE
User created administrator accounts are not supported.

• Password (default Claroty1!)
  • Password for the administrative user on the upstream CTD
• Verify
  • This allows the user to validate that the connection parameters set above are correct, and that
    the CTD can be connected to.
• CTD Network
  • After the user verifies the CTD information, the system will automatically identify all of the
    Networks available on the CTD Server. This allows the user to choose which Network the Edge
    data will be tagged with.

If data cannot be sent directly to an upstream CTD, the results can be saved to a file for later
ingestion:


After selecting Run Now, the scan will be performed, and the user will be presented with the
completion screen:

The available options here are:

• Download Log
  • This will download the logs from the previous Edge execution through the web browser
• View in CTD
  • This will automatically connect to the upstream CTD to see the results of the successful
    execution

If the user has a file from a previous Edge execution that they wish to upload to a CTD, they can
select the Upload File to CTD menu from the top of the Edge user interface:


The user can then choose the appropriate .ctd file from their local system, and input the
following information:

• CTD address
  • The IP address of the upstream CTD
• User (default admin)
  • Username of the built-in administrator account

NOTE
User created administrator accounts are not supported.

• Password (default Claroty1!)
  • Password for the administrative user on the upstream CTD
• Verify
  • This allows the user to validate that the connection parameters set above are correct, and that
    the CTD can be connected to.
• CTD Network
  • After the user verifies the CTD information, the system will automatically identify all of the
    Networks available on the CTD Server. This allows the user to choose which Network the Edge
    data will be tagged with.

After selecting Upload to CTD, Edge will process the file and send it to the upstream CTD, and the
completion screen will be shown:

The user can then use the View in CTD option to see the results.


3.2. Advanced User Interface Configuration Options

If the user wants to perform an advanced user configuration option, they can click the Settings
button under Host Discovery or Local Network Discovery to customize the Edge configuration.

The Host Discovery advanced configuration options can be seen here:

Options:

• Collect local host Information
  • This will capture local Windows information for the host that is running the Claroty_Edge
    collector.
• Add custom attributes to local asset
  • This allows the user to add a custom attribute into CTD for the local Windows host asset that
    is running the Claroty_Edge collector. Examples of this could be:
    • Attribute: Physical_Location
    • Value: Equipment_Room_3b
• Identify Configured ICS Devices
  • This will search the local host for ICS Configuration files, which will be processed to provide
    additional visibility into the local network.

The Local Network Discovery advanced configuration options can be seen here:

3.2.1. LOCAL NETWORK DISCOVERY ADVANCED CONFIGURATION OPTIONS

• IT/OT/IoT Broadcast Discovery
  • This will perform UDP broadcast discoveries for assets in the environment. This will capture
    initial information about these devices, and identify equipment that can be queried directly for
    more information.


  • If the user wants to select which specific discoveries will be run, they can select Edit to see the
    following to enable / disable specific discoveries:

For more information about these discovery methods, see Appendix A of the CTD Reference
Guide.

• Subnet Identification (ICMP)
  • This will perform a ping sweep of the local network, looking for any neighboring devices
  • If the user wishes to limit the maximum subnet range that can be executed during the query,
    they can select Edit to enter the highest CIDR range that will be queried:
• IT/OT/IoT Direct Discovery
  • These are more direct queries based on the information captured in the broadcast discovery
    and ICMP discoveries, which will capture detailed information on IT, OT, and IoT equipment


  • If the user wants to select which specific discoveries will be run, they can select Edit to see the
    following to enable / disable specific discoveries:

For more information about these discovery methods, see Appendix A of the CTD Reference
Guide.

If the user wishes to configure advanced runtime parameters for the entire Edge process, they
can uncheck the Use default EDGE parameters checkbox to present the following advanced
configuration screen:

• Vlan
  • This will add the entered VLAN tag into all of the data captured by this Edge run


• Limit RAM utilization to (MBs) (default 2048)
  • This limits the RAM utilization on the local Windows host to the specified number of MB
• Perform Edge synchronization check
  • This will send an Edge synchronization packet out to ensure only one Edge is running in the
    network at a time
• Add firewall rule to allow Edge communication
  • This temporarily enables the Edge communication requirements in the local Windows firewall
    settings
• Rockwell FactoryTalk AssetCentre
  • This allows the user to query a local or remote Rockwell FactoryTalk AssetCentre server for
    additional visibility into Rockwell assets.

The user can then click Next Step to move on to the Output (page 13) format.

3.3. Command Line Execution Options

3.3.1. EXECUTION PARAMETERS


The following parameters of Edge may be used to control its execution parameters (resources,
logs, etc.):

• logfile - Path to logfile
• input-file - Path to saved results that should be uploaded to CTD
• input-file-password - Password to decrypt input results file
• web-port - Set port for Web application
• d, debug - Set log level to DEBUG
• memory-limit - Limit on memory usage, in bytes
• no-memory-limit - Flag to indicate no memory usage limitation
• dont-apply-firewall-rule - Flag to indicate not to apply the firewall rule
• web-serve-all - Flag to indicate to open the Web UI to remote connections
• accept-eula - Accepts the Claroty EULA which is required for running Edge (claroty.com/eula).
• excluded-ips - For specifying a list of IP ranges (CIDR notation) for Edge to ignore.
  Example: --excluded-ips 192.168.0.0/24
  Does not scan the whole 192.168.0.0/24 subnet
• status-file-path - Enables writing the Edge status (as displayed in the web GUI) into a progress
  file. The default is none.
  Example: --status-file-path C:\Users\user\AppData\Local\Temp\test.txt
• output-file - Chooses a local path to send the output file, e.g. c:\users\user\desktop\output.ctd
• input-file - Chooses a local path to use as an input for an Edge execution

3.3.2. COLLECTION PARAMETERS


The following controls which actions Edge takes to collect information:


• command - Command to run: setup_ctd, app_db, active, discover, asset_center, from_file, web
• cip-scan-method - Can be used to change from the default mode of CIP "hybrid" scanning to
  the CIP "deep" scanning. Syntax to change to CIP deep is: --cip-scan-method deep. Note that the
  "deep" method can significantly increase the scan time for Edge, and can only be executed from
  the command line.
• cip-scan-depth - Used to choose the depth on a CIP deep scan. Default depth is 4.
• allowed-methods - Allowed methods for local discovery (relevant when the command selected
  is discover)
  • host_info - Allow local WMI queries to collect information about the local host
  • app_db - Allow local parsing of ICS project files. Requires host_info to be specified as well
  • active - Allows use of active methods. This is a precondition for the following methods:
    • active_broadcast - Allow broadcast vendor specific queries
    • active_subnet_id - Allow subnet identification through ICMP request
    • active_unicast - Allow unicast Active queries through vendor specific queries

3.3.3. OUTPUT PARAMETERS


The following parameters control how Edge saves or handles the results:

• output-file - Path to save serialized results
• output-file-max-size - Maximum size for output file, in MB
• output-file-password - Password to protect result file
• ctd-ip - IP to CTD server, if applicable
• ctd-user - Username in CTD (should have administrator privileges)
• ctd-password - Password to the CTD user provided
• ctd-network-name - Name of the network on CTD where the output will be added

3.3.4. EXAMPLE COMMANDS

• Local discovery, including all active methods. Sending the results to a CTD at my_ctd.claroty.com.
  Limiting RAM utilization to 1024MB, and not applying the firewall rule:
  Claroty_Edge.exe --command discover --allowed-methods active host_info app_db active_broadcast active_subnet_id active_unicast --ctd-ip my_ctd.claroty.com --ctd-user admin --ctd-password CTD_PASSWORD --memory-limit 1024000000 --dont-apply-firewall-rule --accept-eula
• Token-based Edge execution:
  Claroty_Edge.exe --accept-eula --command discover --ctd-ip my_ctd.claroty.com --static-token <token>
• Host-only Edge execution:
  Claroty_Edge.exe --command discover --allowed-methods host_info app_db --ctd-ip my_ctd.claroty.com --ctd-user admin --ctd-password CTD_PASSWORD --accept-eula


• Network-discovery-only Edge execution:
  Claroty_Edge.exe --command discover --allowed-methods active active_broadcast active_subnet_id active_unicast --ctd-ip my_ctd.claroty.com --ctd-user admin --ctd-password CTD_PASSWORD --accept-eula
• Full Edge execution:
  Claroty_Edge.exe --command discover --allowed-methods active host_info app_db active_broadcast active_subnet_id active_unicast --ctd-ip my_ctd.claroty.com --ctd-user admin --ctd-password CTD_PASSWORD --dont-apply-firewall-rule --accept-eula
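The example commands above combine flags whose preconditions are only stated in prose (section 3.3.2: app_db requires host_info, and the active_* methods require active). The following PowerShell function is an added example, not Claroty's code: it assembles the Claroty_Edge.exe argument list from the documented parameters, enforces those preconditions, converts the UI's MB value to the bytes the --memory-limit flag expects (using the same convention as the guide's own example, 1024 MB → 1024000000), and rejects a malformed --excluded-ips range (a dash instead of a dot, a prefix over 32) before the scan starts. The function name, its parameter names and the usage values are this example's own; passing several ranges after a single --excluded-ips flag is assumed to mirror --allowed-methods, and the CTD address and token are placeholders.

```powershell
# Added example, not Claroty's own code. Builds the argument list for Claroty_Edge.exe
# from the parameters documented in section 3.3 and enforces the documented preconditions
# before anything is executed. Function and parameter names are this example's own choice.
function New-EdgeArgumentList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CtdIp,
        [string]   $CtdUser,
        [string]   $CtdPassword,
        [string]   $StaticToken,           # token from section 3.4, instead of user/password
        [string]   $CtdNetworkName,
        [string[]] $AllowedMethods = @('host_info', 'app_db'),
        [int]      $MemoryLimitMB = 2048,  # UI default is 2048 MB; the CLI flag takes bytes
        [string[]] $ExcludedIps = @(),
        [switch]   $NoFirewallRule,
        [string]   $LogFile
    )

    $known = 'host_info', 'app_db', 'active', 'active_broadcast', 'active_subnet_id', 'active_unicast'
    foreach ($m in $AllowedMethods) {
        if ($m -notin $known) { throw "Unknown allowed method '$m'" }
    }
    # Section 3.3.2: app_db requires host_info; the active_* methods require active.
    if ('app_db' -in $AllowedMethods -and 'host_info' -notin $AllowedMethods) {
        throw "app_db requires host_info to be allowed as well"
    }
    $activeSub = @($AllowedMethods | Where-Object { $_ -like 'active_*' })
    if ($activeSub.Count -gt 0 -and 'active' -notin $AllowedMethods) {
        throw "$($activeSub -join ', ') require the 'active' method to be allowed"
    }

    # Exactly one credential style: the built-in admin user/password pair, or a static token.
    if ($StaticToken -and ($CtdUser -or $CtdPassword)) {
        throw "Use either --static-token or --ctd-user/--ctd-password, not both"
    }
    if (-not $StaticToken -and -not ($CtdUser -and $CtdPassword)) {
        throw "CTD credentials missing: supply -StaticToken or both -CtdUser and -CtdPassword"
    }

    # --excluded-ips takes CIDR ranges; reject malformed entries (e.g. 192-168.0.0/24) up front.
    foreach ($cidr in $ExcludedIps) {
        $parts = $cidr -split '/'
        $parsed = $null
        if ($parts.Count -ne 2 -or
            -not [System.Net.IPAddress]::TryParse($parts[0], [ref] $parsed) -or
            $parts[1] -notmatch '^\d{1,2}$' -or [int] $parts[1] -gt 32) {
            throw "Invalid excluded IP range '$cidr' (expected e.g. 192.168.0.0/24)"
        }
    }

    $argList = @('--accept-eula', '--command', 'discover', '--ctd-ip', $CtdIp)
    $argList += '--allowed-methods'
    $argList += $AllowedMethods
    if ($StaticToken) {
        $argList += '--static-token', $StaticToken
    } else {
        $argList += '--ctd-user', $CtdUser, '--ctd-password', $CtdPassword
    }
    if ($CtdNetworkName) { $argList += '--ctd-network-name', $CtdNetworkName }
    # Same MB-to-bytes convention as the guide's own example (1024 MB -> 1024000000).
    $argList += '--memory-limit', ([int64] $MemoryLimitMB * 1000000).ToString()
    if ($ExcludedIps.Count -gt 0) {
        # Assumption: several ranges follow one --excluded-ips flag, like --allowed-methods.
        $argList += '--excluded-ips'
        $argList += $ExcludedIps
    }
    if ($NoFirewallRule) { $argList += '--dont-apply-firewall-rule' }
    if ($LogFile) { $argList += '--logfile', $LogFile }
    return ,$argList
}

# Usage: the CTD address, token and excluded range below are placeholders.
$edgeParams = @{
    CtdIp          = 'my_ctd.claroty.com'
    StaticToken    = '<token>'
    AllowedMethods = 'host_info', 'app_db', 'active', 'active_broadcast', 'active_subnet_id', 'active_unicast'
    MemoryLimitMB  = 1024
    ExcludedIps    = '192.168.0.0/24'
    NoFirewallRule = $true
    LogFile        = (Join-Path $env:TEMP 'edge.log')
}
$edgeArgs = New-EdgeArgumentList @edgeParams
Write-Host ("Claroty_Edge.exe " + ($edgeArgs -join ' '))
# To launch Edge with the assembled arguments:
# & (Join-Path $env:TEMP 'Claroty_Edge.exe') @edgeArgs
```

Because the argument list is built as an array and splatted, values containing spaces (a log path under a profile directory, for instance) are passed as single arguments without any manual quoting, which is the main source of errors when these command lines are hand-written in batch files.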

3.4. Running Edge With Token-Based Authentication


To run Edge with token-based authentication, you first create the token. You can then use it on
one or multiple sites.

3.4.1. CREATING THE TOKEN


To create the token, run the following command:

lkpocli manager api --worker authentication authentication_service create_edge_token

The following occurs:

• The token is output to stdout.

IMPORTANT
The token is displayed upon creation and is never shown again!

• The token is encrypted and stored in the configuration under the key
  workers.authentication.edge_token.
• The token is passed to Edge and is used to communicate with CTD.

NOTE
You can "revoke" the token by running the same command again. This creates a new
token and invalidates the old one.

3.4.2. USING THE TOKEN


When running Edge from the CLI, use the flag --static-token followed by the token created
previously.

./edge.exe --accept-eula --command discover --ctd-ip https://<ip> --static-token <token>


3.4.3. USING THE TOKEN ON MULTIPLE SITES


The token is encrypted/decrypted using a secret stored in the configuration file. By default, all sites
use the same secret, but this can be changed manually.

To share a token between multiple sites, you must sync the token and the secret between the
sites.

• To get the encrypted token:
  lm get_config workers.authentication.edge_token
• To use an existing token on a different site:
  lm set_config workers.authentication.edge_token <encrypted-token>


4. Deployment Instructions

There are three main methods of running the Edge application:

• Running manually and sending the results directly to a CTD site (page 16)
• Running manually and capturing the results to a file, to upload to a CTD site later (page 16)
• Running through an automated means, such as Group Policy or SCCM (page 17)

4.1. Manual Collection Directly to CTD


This method should be utilized if Edge will be executed in an area with direct connectivity to the
CTD that it will be sending data to.

To configure in this mode, simply:

1. Start the application on the desired host
2. Configure any collection parameters as required, and select the next step
3. Select Send results to CTD from the Select Details menu
4. Enter the CTD address, username and password
5. Accept the license agreement
6. Click Run Now

The system will then automatically run the selected queries on the local host and network, and
send the results directly to the CTD server for processing.

4.2. Offline Collection to a File


This method should be utilized if Edge will be executed in an area without direct connectivity to a
CTD, and will need to have manual file collection completed.

To configure in this mode, simply:

1. Start the application on the desired host
2. Configure any collection parameters as required, and select the next step
3. Select Download results as a file from the Select Details menu
4. Accept the license agreement
5. Click Submit

The system will then automatically run the selected queries on the local host and network, and
generate a file that can be downloaded directly from the User Interface. Once this file is available,
this can be uploaded to a CTD server for processing from another Edge session that has direct
connectivity to the CTD server. To complete this upload, perform the following:

1. Start the application on a host that has connectivity to the CTD server
2. Select the Upload EDGE to CTD menu option


3. Select the file that will be uploaded
4. Enter the CTD address, username, and password
5. Accept the license agreement
6. Click Submit

The system will then process the file that was loaded in and send the results to the CTD server.

4.3. Automated Running (e.g. GPO, SCCM)


Edge can also be run through an automation tool such as Group Policy or SCCM.

The following is an example of how to run this through a standard GPO implementation.

Assumptions:

• There is an OU that contains the Windows hosts that Edge will run on
• These Windows hosts have access to an open network share with the Edge executable on it
• These Windows hosts have SSL access to a CTD server

The following is an example of a script that could be utilized.

NOTE
The set lines at the top of the script (FILEPATH, CTDIP, CTDUSER, CTDPASS and TASKNAME)
must be configured with the appropriate information for the environment; the value goes
after the = sign, inside the quotes.

@echo off
REM Path to the Edge executable on the file share, e.g. \\server\share\Claroty_Edge.exe
set "FILEPATH="
REM CTD ip address
set "CTDIP="
REM CTD user name
set "CTDUSER="
REM CTD user password
set "CTDPASS="
REM scheduled task name
set "TASKNAME="

IF EXIST "%temp%\Claroty_Edge.exe" goto run
copy /y "%FILEPATH%" "%temp%\Claroty_Edge.exe"

:run
"%temp%\Claroty_Edge.exe" --ctd-ip %CTDIP% --ctd-user %CTDUSER% --ctd-password %CTDPASS% --command discover --accept-eula --logfile "%temp%\edge.log"
IF ERRORLEVEL 1 goto error
ECHO installation completed on %TIME% %DATE% >"%temp%\edge.txt"

:task
REM Only create the weekly task if it does not exist yet
schtasks /query /TN "%TASKNAME%" >nul 2>&1
if %errorlevel%==0 goto :exit
REM Quotes inside the /TR string are escaped as \" so the whole command stays one argument
SCHTASKS /CREATE /SC WEEKLY /TN "%TASKNAME%" /TR "\"%temp%\Claroty_Edge.exe\" --ctd-ip %CTDIP% --ctd-user %CTDUSER% --ctd-password %CTDPASS% --command discover --accept-eula --logfile \"%temp%\edge.log\"" /ST 12:00

:exit
exit

:error
ECHO errorlevel: %errorlevel% >"%temp%\EdgeError.txt"
exit

Then simply create a .bat file with this script, and place that and the Edge executable file in a
share location that is available to all of the Windows hosts.

Once this script is created, GPO can be configured to execute the script using the following steps:

1. Create the GPO assigned to the designated OU group:
   a. Open the Group Policy Management application
   b. Select the designated OU, right click on it and choose Create a GPO in this domain, and
      Link it here...
   c. Give the new policy a selected name
2. Edit the contents of the GPO:
   a. When it's created, right click on it and choose Edit
   b. Go to: Computer settings > Policies > Windows Settings > Scripts
   c. Choose Startup and double click on it


   d. In the Scripts tab add the path to the created script
3. The script will then execute at the next start-up of the target computers. Once executed, it will
   run Edge and set a weekly scheduled task.
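The batch script above places the CTD administrator password in clear text in a file on a share that every target host can read. The PowerShell script below is an added example (not Claroty's script) that follows the same flow (copy the executable locally, run Edge once, register a weekly task only if it is not already present) but authenticates with the static token from section 3.4, so the administrator password never leaves the CTD, and the token can be invalidated by re-running the token creation command. It also uses the ScheduledTasks cmdlets instead of schtasks.exe, which removes the nested-quoting problem in the /TR string. The share path, task name, run time and parameter names are this example's own placeholders; the token still needs the same access protection as any credential stored in a script.

```powershell
# Added example, not Claroty's own script. Same flow as the guide's batch file, but using the
# static token from section 3.4 and the ScheduledTasks cmdlets. Parameters are placeholders.
param(
    [Parameter(Mandatory)] [string] $SharePath,      # e.g. \\fileserver\edge\Claroty_Edge.exe
    [Parameter(Mandatory)] [string] $CtdIp,
    [Parameter(Mandatory)] [string] $StaticToken,    # output of create_edge_token (section 3.4.1)
    [string] $TaskName = 'Claroty Edge Weekly Discovery',
    [string] $RunTime  = '12:00'
)
$ErrorActionPreference = 'Stop'
$localExe = Join-Path $env:TEMP 'Claroty_Edge.exe'
$logFile  = Join-Path $env:TEMP 'edge.log'

# Copy the executable locally only once, as the batch script does.
if (-not (Test-Path $localExe)) {
    Copy-Item -Path $SharePath -Destination $localExe -Force
}

# One immediate run. Splatting passes each value as its own argument, so no manual quoting.
$edgeArgs = @('--accept-eula', '--command', 'discover', '--ctd-ip', $CtdIp,
              '--static-token', $StaticToken, '--logfile', $logFile)
& $localExe @edgeArgs
if ($LASTEXITCODE -ne 0) {
    "errorlevel: $LASTEXITCODE" | Set-Content -Path (Join-Path $env:TEMP 'EdgeError.txt')
    exit $LASTEXITCODE
}
"installation completed on $(Get-Date)" | Set-Content -Path (Join-Path $env:TEMP 'edge.txt')

# Register the weekly task only if it does not exist yet; a startup script runs at every boot
# and must not create duplicates.
if (-not (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue)) {
    # The task action takes a single argument string, so the log path is quoted explicitly here.
    $taskArgs  = "--accept-eula --command discover --ctd-ip $CtdIp --static-token $StaticToken --logfile `"$logFile`""
    $action    = New-ScheduledTaskAction -Execute $localExe -Argument $taskArgs
    $trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At $RunTime
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal | Out-Null
}
```

The ScheduledTasks cmdlets exist on Windows 8 / Windows Server 2012 and later; on Windows 7 hosts, which the guide also lists as supported, keep schtasks.exe as in the batch example. Deploy the script through the same GPO startup-script steps given above (the script runs as SYSTEM, which is also the principal the weekly task is registered under).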
