Discovery permissions

Ravish Shetty
Tera Guru

We have been asked to submit all the permissions and access requests needed for the CMDB Discovery initiative.
In scope are Azure, workstations, laptops, load balancers, Windows servers, Linux servers, network gear, etc.
So far, I am aware we need credentials for Azure, and that domain or local admin accounts for Windows and Linux are required.

Apart from that, do we need permissions or changes on the firewall end? We recently ran a network discovery scan and found a lot of denied requests, so maybe we need to open something on that end too?

1 ACCEPTED SOLUTION

John Shores1
ServiceNow Employee

There's a lot to do to be successful discovering your environment, Ravish. First, you need to have MID servers installed and configured to support your environment. As a best practice, you should place MID servers close to where the action will happen (e.g., you should place one in Azure, not discover across the WAN). At a high level, this means enabling the application (discovery) and appropriate capabilities (wmi, ssh, vmware, etc.) on each MID server you plan to use for Discovery. You also need to define IP ranges for your network and associate those IP ranges with one or more MID servers. You'll want to set up Discovery Ranges and associate them with Discovery Schedules to periodically scan your environment for changes.

Assuming all the above is done, access will be the next hurdle. Access comes in two parts: network and system. The network part is about making sure the MID server can communicate with the networks it's associated with. If you have firewalls between your MID server and the hosts you're trying to discover, you'll need to open firewall ports to allow the communication to happen. At a minimum, you'll want to make sure WMI, SSH and SNMP are allowed, including the ephemeral ports for WMI. The systems part is about credentials. You need to have a valid credential for each system you plan to discover (SNMP, SSH, WMI, Azure Service Principal).

The ECC queue logs will be a very important tool while troubleshooting. They'll tell you what phase an issue occurred in, which will help you understand if it's a network or credential access issue.

Hope this helps! Good Luck!!!

John

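To turn the two access hurdles John describes into something you can hand to the firewall team and then verify from the MID server host, here is an added example (not from this thread and not ServiceNow code): it expands each Discovery Range into the allow-list rows its capabilities need, runs a plain TCP-connect preflight from the MID server, and labels a failure as network-phase or credential-phase the way you would when reading the ECC queue. The DiscoveryRange shape, the capability-to-port table and the 49152-65535 Windows dynamic range are assumptions; the addresses in the usage are constructed.

```python
import ipaddress
import socket
from dataclasses import dataclass

# Ports each Discovery capability needs open from the MID server to the target.
# WMI rides on DCOM: the endpoint mapper on tcp/135 hands off to a dynamically
# assigned port, so the Windows dynamic range (assumed 49152-65535) must be open too.
CAPABILITY_PORTS = {
    "wmi":  [("tcp", 135), ("tcp", (49152, 65535))],
    "ssh":  [("tcp", 22)],
    "snmp": [("udp", 161)],
}

@dataclass
class DiscoveryRange:  # assumed shape: CIDR, owning MID server, enabled capabilities
    cidr: str
    mid_server: str
    capabilities: tuple

def firewall_rules(ranges):
    """Expand ranges into (mid_server, network, proto, port-or-span) allow-list rows."""
    rules = []
    for r in ranges:
        net = str(ipaddress.ip_network(r.cidr, strict=False))
        for cap in r.capabilities:
            for proto, port in CAPABILITY_PORTS[cap]:
                span = f"{port[0]}-{port[1]}" if isinstance(port, tuple) else str(port)
                rules.append((r.mid_server, net, proto, span))
    return rules

def tcp_reachable(host, port, timeout=2.0):
    """Network-phase probe: a plain TCP connect from the MID server, no authentication."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(rng, hosts, probe=tcp_reachable):
    """Probe each capability's fixed TCP port per host -> {host: [(proto, port, ok)]}.
    SNMP (UDP) and the dynamic range cannot be checked with a bare connect, so they are skipped."""
    return {host: [(proto, port, probe(host, port))
                   for cap in rng.capabilities
                   for proto, port in CAPABILITY_PORTS[cap]
                   if proto == "tcp" and isinstance(port, int)]
            for host in hosts}

def failure_phase(checks, credential_ok):
    """Mirror the ECC-queue triage: port unreachable -> network; reachable but auth failed -> credential."""
    if any(not ok for _, _, ok in checks):
        return "network"
    return "ok" if credential_ok else "credential"
```

Run `firewall_rules` before the change request and `preflight` from the MID server after the firewall change; anything still failing in `preflight` is a network problem, so only once it passes is it worth looking at credentials.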

5 REPLIES

DaveHertel
Kilo Sage

Yes, whatever device you need to discover will require some type of credential. So for firewalls, it'll likely be SNMP or SSH, depending on what the object is. WMI, SSH and SNMP are the most often used, but Azure/AWS/cloud, SQL, etc. all have unique permissions / setup needs too. This doc, Data collected by Discovery, will lead you down the path and explain more.

Does that help? Hope so.

Thanks Dave, very helpful.


Thanks, John. Really helpful.