Scope: Director-managed appliances without GPS antenna or WWAN/LTE modem (no CSG770).
Director defaults observed: detection interval 20 min, continuous alarm interval 60 min.


Q1. What is the Stolen Device feature?
Director-side detection + signaling layer. You define rules; if a device matches a theft pattern, Director raises an alarm, logs it, and optionally marks the device "Disabled". Lives under Administration → Inventory → Stolen Branches.

Q2. Without GPS or WWAN, which rule types can I actually use?
Three:

  • Unreachable Gap — device offline > N minutes
  • Reachable Again Gap — device back online after N minutes offline
  • Change in Public IP Address — WAN IP changed or new WAN interface added

GPS-change and Cell-ID-change rules need GPS antenna / LTE modem — skip them.

Q3. What actions can a rule take?

  • Send One-Time Alarm
  • Send Continuous Alarm
  • Disable Device (combined with continuous alarm)

Q4. What does "Disable Device" actually do?
Director-side bookkeeping only:

  • Sets disabledStatus="DISABLED" and stolenSuspected=true on the appliance record
  • Writes an audit log entry
  • Raises alarm

It does NOT: stop traffic, drop tunnels, revoke certs, kill services, block config push, or disconnect SSH/NETCONF. The device keeps running normally.

Q5. So what's the point of "Disable"?
Signaling + audit trail. Use it to feed external workflows (NOC ticket, SOAR playbook). Don't expect it to neutralize a stolen device on its own.

Q6. What does the manual "Stolen Suspected On" toggle (Administration → Appliances) do?
Same flag change as the rule action: flips the flag and writes a log entry, but raises no alarm by itself. "Off" clears the flag and wipes all rule timing data for that device (resets unreachable timers, IP baseline). Use Off only after physical recovery.

Q7. Does the stolen flag show up in Inventory → Hardware?
No. Only in Administration → Appliances dashboard (icon/badge), CSV export, and via REST API. UI gap — file enhancement if visibility there matters.

Q8. Can I still make config changes to a stolen-flagged device?
Yes — fully. Template push, commit, upgrade, snapshot, all work normally. No RBAC or workflow gate keys off the flag.

Q9. Recommended rule setup for our deployment?

  • Unreachable Gap — threshold 480 minutes (8 hours), action Send Continuous Alarm
  • Reachable Again Gap — threshold 60 minutes, action Send One-Time Alarm
  • Change in Public IP — parameter set to allowed-mask list of customer WAN ranges, action Send Continuous Alarm

Skip "Disable Device" action — adds no real protection.

Q10. What's the actual theft response playbook?
When alarm fires:

  1. NOC validates (call site, check ticket)
  2. If confirmed stolen:
    • Revoke device certificate on Director
    • Unbind from device group / blank template
    • Remove from controller allowed-peer list
    • Open RMA / police report
  3. Mark "Stolen Suspected On" for audit + dashboard visibility

Q11. Where do alarms appear?

  • Director Alarms page (filter by source = device name)
  • Director email notifications (if SMTP + notification profile configured)
  • SNMP trap (if SNMP receiver configured)
  • Webhook (if alarm-forwarding hook configured)

Q12. Can I see stolen events in CSV / report exports?
Yes — appliance CSV export includes a stolenSuspected column. Detailed history at Administration → Inventory → Stolen Devices → Logs.

Q13. False positive — IP changed legitimately (ISP, failover). What now?

  • Add the new WAN range to the rule's allowed-mask list, OR
  • Toggle "Stolen Suspected Off" to clear flag and reset baseline
  • Adjust Unreachable Gap threshold if maintenance windows trigger it

Q14. Does "Disable Device" cost anything to use anyway?
No harm beyond the misleading name. It sets the flag exactly the same as manual toggle. Just don't rely on it as a security control.

Q15. How often does Send Continuous Alarm fire?
On this Director, detection runs every 20 minutes and continuous alarms re-fire every 60 minutes per stolen-flagged device. First alarm fires on the next detection tick after a rule matches. Both intervals configurable under Administration → System → Settings → Stolen Branch. One-Time Alarm fires once and never repeats.

Q16. Should I set rule thresholds smaller than the detection interval?
No. Rules only evaluate every 20 minutes. An Unreachable Gap of 5 min with a 20-min detection cycle still waits up to 20 min for the next check. Set thresholds ≥ detection interval (20 min) — practical minimum 30 min for reliability.
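
A planning sketch for the timing in Q15/Q16 and the allowed-mask check in Q13. This is an added example, not Director code: it assumes detection ticks fall on multiples of the detection interval, continuous re-fires are counted from the first alarm, and the allowed-mask list is written in CIDR notation. The WAN ranges are constructed documentation addresses.

```python
import ipaddress

DETECTION_MIN = 20    # detection interval observed on this Director
CONT_ALARM_MIN = 60   # continuous alarm interval observed on this Director

def lint_threshold(threshold_min, detection_min=DETECTION_MIN, practical_min=30):
    """Q16: a gap threshold below one detection cycle cannot be resolved."""
    if threshold_min < detection_min:
        return "too-low"
    if threshold_min < practical_min:
        return "below-practical-minimum"
    return "ok"

def first_alarm_minute(offline_at, threshold_min, detection_min=DETECTION_MIN):
    """First tick at which the device has been offline > threshold.
    Assumption: ticks fall at minute 0, 20, 40, ... on the same clock as offline_at."""
    matched_after = offline_at + threshold_min
    return (matched_after // detection_min + 1) * detection_min

def alarm_schedule(offline_at, threshold_min, count=3):
    """Q15: first alarm, then re-fires (assumed to be counted from the first alarm)."""
    first = first_alarm_minute(offline_at, threshold_min)
    return [first + i * CONT_ALARM_MIN for i in range(count)]

def ip_change_alarms(new_ip, allowed_masks):
    """Q13: True if the new WAN IP is outside every allowed range (CIDR assumed)."""
    addr = ipaddress.ip_address(new_ip)
    nets = [ipaddress.ip_network(m, strict=False) for m in allowed_masks]
    return not any(addr in net for net in nets)

# Constructed sample: customer WAN ranges from the documentation address blocks.
ALLOWED = ["203.0.113.0/24", "198.51.100.0/24"]

if __name__ == "__main__":
    for t in (5, 20, 60, 480):
        print(f"threshold {t:>3} min: {lint_threshold(t)}")
    print("alarms at minutes:", alarm_schedule(offline_at=3, threshold_min=480))
    for ip in ("203.0.113.77", "192.0.2.10"):
        print(ip, "-> alarm" if ip_change_alarms(ip, ALLOWED) else "-> allowed")
```

Under these assumptions the worst-case time from a device dropping offline to the first alarm is the threshold plus one detection interval, which is the figure to give the NOC when setting response expectations.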

Q17. Where do I configure detection / alarm intervals?
Administration → System → Settings → Stolen Branch card. Fields: Enable, Detection Interval, Continuous Alarm Interval, Distance Unit (GPS only, ignore). Click Edit, change, save — Director applies changes live, no restart needed.