Note: In the FAQ, NetSkateKoban Nano and NetSkateKoban Nano(V) will be collectively referred to as Nano.
By registering the "MAC address", "IP address", and "VLAN ID" (note: only for Nano(V)) of authorized terminals with ATL (Allowed Terminal List), you will be able to detect unknown terminals connecting to the network as "Unregistered Terminal".
It has ATL (Allowed Terminal List) information for determining legitimate terminals, and is used when a terminal is detected. It identifies unauthorized terminals based on the MAC address, IP address, and detected VLAN ID (in the case of Nano(V)) information.
Specifically, the following ATL information can be registered, and a terminal that does not match any of these will be determined to be an unauthorized terminal.
(1) "MAC address"
If the MAC address of the detected terminal matches the registered "MAC address", it is a legitimate terminal.
(2) "IP address"
If the IP address used by the detected terminal matches the registered "IP address", it is a legitimate terminal.
(3) "MAC address and IP address pair"
If the MAC address and the IP address being used by the detected terminal match a registered "MAC address and IP address pair", then it is considered a legitimate terminal.
(4) "Pair of the above information and VLAN ID" (for Nano(V))
If the information in (1) to (3) matches the VLAN number to which the terminal is connected, it is a legitimate terminal.
The upper limit for the number of simultaneous blocking changes depending on the setting status of "Power Blocking" on the "Action Settings" screen.
If you use Nano Manager, you can operate multiple Nanos at once.
Customers who have subscribed to maintenance can download it free of charge from the NetSkate Service Center.
Yes, it is available.
The Nano itself can only be connected to a wired network, but by operating the wired network to which the Nano is connected and the wireless LAN as the same broadcast network, wireless LAN devices can also be managed.
For detailed network settings, please refer to the manual for your network device or wireless LAN device.
We support the latest versions of Google Chrome, Microsoft Edge, and Mozilla Firefox.
If the PC running Nano Manager and the Nanos installed at each site can communicate directly using each other's IP addresses, monitoring is possible even if the connection between the sites is a VPN.
No, it will not.
Nano detects devices on the network by passively monitoring packets broadcast on the Ethernet, so it does not affect the communication of your network equipment or existing devices.
Yes. It is possible.
By setting your browser's language settings to English, the page will be displayed in English.
Nano is initially set to obtain an address from DHCP.
If your network does not have a DHCP server, addresses will be automatically assigned using a process called APIPA. Therefore, by directly connecting the HUB to a PC that is also configured to obtain an address using DHCP, you can access kobannano.local and make any settings using the steps described in the "Quick Start Guide".
| Compatible OS | Windows 10 (64bit), Windows11, Windows Server 2022 |
| Dependent Software | Java 8 (Java used by Nano Manager is included in Nano Manager setup file, no separate installation required) |
| CPU | Intel Core i5 3.2GHz equivalent or higher |
| Memory | 2GB or more free memory |
| Disk Capacity | During installation: 500MB or more free space(Additionally 100MB or more free space for each Nano registered) |
Yes, compatible with Windows Server 2022.
This is possible by starting the Nano Manager, logging in, and continuing to run it without logging out or shutting down.
If you restart Windows, you will need to log in to Windows again to start and log in to Nano Manager.
On the detected terminal list screen, you can check the following information about the terminal. (*)
* Since these are inferred from packet information, MIB information, etc., it may not necessarily match the actual OS name or device type.
Yes. It is possible.
The "Active Detection" function (enabled by default) enables highly accurate detection of terminals that do not perform much active communication, such as printers.
Yes. Even on the same terminal, it is possible to detect and block terminals with an IPv6 interface turned on. It can also detect and block IPv6 connections used by smartphones, tablets, and Windows devices.
Yes, you can set whether to execute "Mail" notifications and "Blocking" on the "Action Settings" screen.
Since the ATL (Allowed Terminal List) is empty, all devices will be detected with an "unregistered" status.
No, blocking action is set to OFF in the initial state, so blocking will not start.
Yes. A list of terminal connections can be output for up to two weeks.
You can check not only the presence of connections, but also the time periods of the connections, which can be used to check suspicious connection times or unnecessary connections. Starting from version 2.8, even if there are many device detection histories, old histories are now included in the report.
When used in conjunction with Nano Manager, it is possible to generate reports up to 2 months ago.
In the "[Vendor]" section of the "Mac address [Vendor]" column on the Detected Terminal List of Nano1 and Nano Manager2, information indicating whether the target MAC address is randomized is displayed as shown below, allowing you to check whether the MAC address of the monitored terminal is randomized.
When managing terminals with randomized MAC addresses with Nano, it is recommended to disable the MAC address randomization feature on the terminal, fix the MAC address, and register the fixed MAC address in ATL (Allowed Terminal List) of Nano for management. This is because accurate terminal identification can be difficult when using randomized MAC addresses.
The method for disabling MAC address randomization varies depending on the operating system and terminal. Therefore, we kindly ask that you check the configuration procedure through your terminal manufacturer's support contact or via the internet.
No, after the blocking is finished, Nano detects that the device is still connected and resumes the blocking process, so it will not become possible to communicate.
The number of devices that can be monitored simultaneously is as follows for each model.
Up to 20,000 items can be registered to the ATL (Allowed Terminal List).
If you replace the router on the network segment to which Nano is connected, blocking will occur if the ATL (Allowed Terminal List) information corresponding to the new router is not registered.
If you replace the router on the network segment to which Nano is connected, you will need to do one of the following:
Devices connected in excess of the limit on the number that Nano can detect will not be unable to connect to the network, however, due to the performance of Nano, the reliability of detection and the response of the WebUI etc. cannot be guaranteed.
Obtain the terminal name with the following priority.
Yes, you can set any string to be displayed in Nano's Detected terminal list.
The string registered in the "Terminal Name" field of the ATL (Allowed Terminal List) will be displayed in the "Terminal Name" column of the Detected terminal list.
Yes, it is possible.
It has been verified that Nano works properly by properly configuring the SubGate security switch.
Verification was performed on the following models. Please contact us for other models.
For terminals that exceed the maximum number, communication will not be blocked with and communication will be possible. In this case, "Blocked" will not be displayed in the status of the device in the "Detected terminal list".
There are two LEDs on the top panel of Nano (NSK-NANO-BB0AX) and Nano(V) (NSK-NANO-VB0AX, NSK-NANO-VB4AX).
The "Status 1" LED on the left is green, and the "Status 2" LED on the right is red.
The LEDs indicate the following operations depending on their lighting status.
| Status1 LED (green) | Status2 LED (red) | Operating status | |
|---|---|---|---|
| Startup | ■On | ■On | System initializing |
| ■■Blinking | ■off | Sensor function startup processing | |
| ■■Blinking | ■On | Fatal Error during the sensor function startup process | |
| Running | ■On | ■Off | Operating normally |
| Shutdown | ■■■Blinking | ■■■Blinking | Recognises that the Reset button has been pressed |
| ■■■Blinking | ■Off | Shutdown processing | |
| ■Off | ■Off | Shutdown completed (The AC adaptor can be safely disconnected) |
|
| Initialize | ■Off | ■■■Blinking | Recognises that the Reset button has been pressed twice |
| ■Off | ■■Blinking | Initialization in progress (automatic reboot after completion) | |
| Update | ■■blinking | ■On | Firmware update failed (only lights on for 60 seconds) |
To turn off Nano, operate the Reset button on the main unit or shut it down from the WebUI.
Safe mode is the mode that Nano is in after it is started until you log in for the first time. During this time, email notifications and communication blocking actions will not occur. This is a mode to prevent accidents such as when moving Nano in operation to another segment, all terminals connected to the destination segment violate the ATL (Allowed Terminal List) and are blocked.
If the Nano is restarted due to a power outage, etc. in the operating network, and safe mode is set, no notification will be sent properly even if an unregistered terminal is connected. At the time of initial installation, maintenance, network configuration changes, etc., Safe Mode is turned on and Nano is installed. We assume that Safe Mode will be turned OFF when the segment is finalized, ATL (Allowed Terminal List) settings, etc. are completed, and operations start.
We recommend unchecking "Safe Mode" on the "Action Settings" screen. It is checked in the initial state, and if Nano restarts with it checked, all communication blocking and email notification actions will be disabled and stopped until an administrator accesses the Nano WebUI and logs in.
When a customer requests Nano support, we or our agency support may ask the customer to obtain the Nano technical support log. The method to obtain the Nano technical support log is as follows.
Please note that depending on the size of the logs stored by Nano, it may take several minutes after clicking the "Download" button for the log download to begin.
By default, Windows OS, etc. may use an IPv6 anonymous (temporary) address that is automatically changed periodically. When operating a ATL with IPv6 addresses, please use it with a fixed IP attached.
Please try directly connecting the setup PC and Nano using the Ethernet cable included with Nano.
Note: Accessing http://kobannano.local/ uses the mDNS (Multicast DNS) communication protocol, so you may not be able to access it if the setup PC and Nano are connected to different network subnets, or if the setup PC or any network device in use is configured to filter UDP port 5353.
If you are unable to resolve the issue, please contact "Support Desk" (Sales Agent) as listed in the "Support & Upgrade Service Registration Confirmation" document you have.
When you access the Nano screen from an iPhone/iPad, the display will be in English instead of Japanese.
We plan to improve this in future releases.
When you initialize the settings, the IP address set on Nano and the NetSkateKoban sensor function setting information will return to their initial state (factory settings).
To initialize the settings, shut down the Nano, then disconnect the AC adapter power cord and Ethernet cable from the Nano to turn the power off.
With the Ethernet cable still disconnected, plug the AC adapter power cord into the Nano and start the Nano startup process.
To initialize, press the Reset button twice before the startup process is completed and the LED (green) lights up. Keep pressing it the second time and do not release it. After a while, LEDs will look like this.
If you release the Reset button in this state, the initialization process will start. LEDs during the initialization process look like this.
* If the LED (green) lights up before you release the Reset button, startup is complete and the initialization process will not be performed.
Changes to Blocking, Mail and Auto Registration settings will only take effect on terminals that are detected "after" the changes are made.
To redetect terminals that were already detected when you changed the settings, please do one of the following.
If you are unable to resolve the issue related to Nano, please contact "Support Desk" (Sales Agent) as listed in the "Support & Upgrade Service Registration Confirmation" document you have.
For any questions regarding the product, please contact "Support Desk" (Sales Agent) as listed in the "Support & Upgrade Service Registration Confirmation" document you have.
We apologize for the inconvenience, but please contact "Support Desk" (Sales Agent) as listed in the "Support & Upgrade Service Registration Confirmation" document you have.
For Nano Manager versions 1.5.0 or higher and Nano versions 3.0.0 or higher, Nano Manager communicates with all managed Nanos using the following destination communication port.
For other combinations, Nano Manager communicates with all managed Nanos using the following destination communication ports.
Yes, it is possible without any problem. However, please note the following points:
You can expect to see improvement by reviewing the "Active Detection" settings.
Please configure the "Terminal Search Range" in the "Active Detection" settings to include the IP host address range for each of your IP networks. Then click "Save" to save the settings and restart the Nano.
No, Nano cannot specify a range of target addresses and exclude others from detection.
In such a network segment, all terminals within the network will be detected.
The following products support TLS 1.2 connections to mail servers.
The following products are not supported.
Please register all MAC addresses and IP addresses assigned to the router.
Protocols such as VRRP (Virtual Router Redundancy Protocol) use virtual MAC addresses and virtual IP addresses, so please make sure to register those as well.
Devices connected via Layer 3 VPN cannot be monitored.
When making a VPN connection to the company LAN from outside the company using a mobile device or laptop, a Layer 3 VPN is generally used.
In this case, the MAC address of the connected device is not used for communication on the company LAN, so it cannot be monitored by Nano.
No, it can not monitor.
Yes, it is possible if you prepare a network connection such as LAN or VPN to enable communication to the IP address set on Nano. In that case, please also make sure that an appropriate "default router" is set for Nano.
The items that can be linked with ForitiGate using Nano's "SNMP trap linkage settings" and "Syslog linkage settings" are as follows. Only one of these combinations can be configured and used on a single Nano. (Example: Syslog - fgTrapAvVirus)
For information on the FortiGate functions and settings, please refer to the FortiOS Handbook, the documentation that comes with the FortiGate product.
It seems that you are connecting a device that is designed to communicate using a single MAC address for all connected VLANs. In this case, there is nothing particularly abnormal. However, when registering such a device to the ATL (Allowed Terminal List) based on its MAC address, please register by specifying all VLANs that may communicate, or "All". It is possible to avoid actions such as detection and blocking in unexpected VLANs.
The following situations may be considered:
If multiple terminals have the same IP address:
Please configure each terminal with a unique and appropriate IP address.
If there is a L3 switch or router with the Proxy ARP function enabled within the network:
If the Proxy ARP function is not needed, please disable it.
The support period for NetSkateKoban Nano/Nano(V) is 5 years from the date of implementation.
Network Map function is available from the following version onwards.
The settings are as follows:
For details, please refer to "5.15.1 Configuration Steps" in the Nano Manager User Manual.
Check the ARP table information (arp -a) and if the MAC addresses of many entries have been replaced with the addresses used for blocking (Cyber Solutions vendor code: 00:1a:b2:xx:xx:xx), the terminal may be being blocked.
arp -a Internet Address Physical address Type 192.168.0.1 00-1a-b2-2a-11-ed dynamic 192.168.0.100 00-1a-b2-2a-11-ed dynamic 192.168.0.129 00-1a-b2-2a-11-ed dynamic
To the terminal suspected of being blocked (e.g. 172.16.0.178), ping it from another terminal on the same segment. Then, check the ARP table information (arp -a) of the other terminal, and if the MAC address in the IP address entry of the terminal suspected of being blocked have been replaced by the addresses used for blocking (Cyber Solutions vendor code: 00:1a:b2:xx:xx:xx), the terminal with that IP address may be being blocked.
arp -a Internet Address Physical address Type 172.16.0.178 00-1a-b2-2a-11-ed Dynamic
We regularly provide version update information under "Latest Information" on the top page of our website, so please take a look there.
You can download the firmware from NetSkate Service Center.
NetSkate Service Center also provides access to release notes, documentation, and other related materials.
For login instructions and important notes, please refer to the top page of NetSkate Service Center.