General
1. What is the Network Configuration Management feature?
The Network Configuration Management is a comprehensive Network Change and Configuration Management (NCCM) solution that enables the Network Administrator to efficiently and effortlessly manage the configurations of Network Devices. This Network Configuration Management feature offers multi-vendor network device configuration, continuous monitoring of configuration changes, notifications on respective changes, detailed operation audit and trails, examining device configurations for compliance to a defined set of policies and standards, real-time compliance status reporting, easy and safe recovery to trusted configurations, automation of configuration tasks and insightful reporting
2. What does the NCM feature do?
The NCM feature can manage network devices such as switches, routers, firewalls wireless access points and integrated access devices etc. from multiple vendors such as Cisco, HP, Nortel, Force10, D-Link, Juniper, NetScreen, Juniper, NETGEAR, Dell, 3Com, Foundry, Fortinet, ADTRAN, Enterasys, Huawei, Extreme, Proxim, Aruba and Blue Coat. It discovers network devices, builds up an inventory database and allows IT administrators to take control of configuring the devices from a central console. The web-based administrator console provides the User Interface to perform all the configuration operations. Additionally, it can be accessed from anywhere using any standard web browser
3. How does the Network Configuration Management work?
The Network Configuration Management feature establishes SSH / Telnet connection by using the IP address and credentials provided. After that, commands like "show running-config" is executed in device to fetch configuration. If TFTP / SCP protocol is used, configuration will be pushed to TFTP / SCP server after establishing connection with device. Later, it will be dumped in our database after encryption
4. Can the Network Configuration Management feature manage Cisco device configurations?
Yes, the NCM feature can manage Cisco device configurations, Cisco router configuration, Cisco switch configuration and Cisco firewall configuration. Apart from Cisco devices, the Network Configuration Management feature can be used to manage the configurations of switches, routers, firewalls, wireless access points and integrated access devices from other vendors such as HP, 3com, Foundry, FortiGate and NetScreen
5. Can the Network Configuration Management feature be used to manage router configuration / switch configuration / firewall configuration?
Yes, the Network Configuration Management feature can be used to manage router configuration, switch configuration and firewall configuration from multiple vendors such as Cisco, HP, 3Com, Foundry, FortiGate and NetScreen
6. What are the devices supported by the Network Configuration Management feature?
The NCM feature of RMM supports switches, routers, firewalls, wireless access points and integrated access devices. For new device support, please reach out to us
7. Who are the vendors supported by the Network Configuration Management feature?
The Network Configuration Management feature at present supports Cisco, HP, Nortel, Force10, D-Link, Juniper, NetScreen, Juniper, NETGEAR, Dell, 3Com, Foundry, Fortinet, ADTRAN, Enterasys, Huawei, Extreme, Proxim, Aruba and Blue Coat. For new vendor support, please reach out to us
8. What is network backup ?
Network backup is a process of saving your existing configuration files of network switches, routers, firewalls and load balancers
9. What does network backup mean in network configuration management?
The NCM feature will backup configuration files of network devices like switches, routers, firewalls and load balancers. it will also create a repository with all versions stored in incremental versions
10. What is network automation?
Network automation is way of automating networks and security in a network environment to maximize efficiency by reducing human workload along with human errors
11. Why is network automation through a network configuration management feature important?
Network automation enables seamless configuration, management, testing, and deployment of network changes and other IT operations. It improves the efficiency of your network admin team and helps ensure that your network is responsive to business needs
12. What are some benefits of using the network configuration management feature?
Reduced costs Reduced errors Improve service levels Improved analytics Admin efficiency Increased business agility
Inventory (Devices)
1. What is Config Conflict and how to resolve it?
A configuration conflict occurs when there is a difference between the start-up and running configuration of your device. the Network Configuration Management feature will indicate a conflict by showing "Conflict Detected" status in the "Config Conflict" column of the device list. Your admin can click the status to see the difference between the two configurations. This can have a huge impact if something goes wrong and you want to reset the device. The device will always start with the Start-up Configuration after reset and all the changes made in running configuration will be lost. To resolve this conflict, or to sync the running and start-up configuration, please follow the steps given below: Please select one or more devices from the list in Inventory. Click on the 3 horizontal dots on the top right corner of the page to get more options. Click on "Sync Configuration"
2. What does Compliance Status mean in the network configuration management feature?
A set of rules can be defined for the configuration of any device. These rules can be anything like, a particular keyword or line(s), must or must not be present in a particular configuration. One or more of these rules can be combined into a Compliance policy and then these policies can be associated with a particular device or a group of devices. If any particular device configuration is violating the associated rules, The NCM dashboard will show a compliance violation for that particular device. To resolve the compliance status, please change the device configuration accordingly. Alternatively, if any remediation configlet is associated with the said rule, you can choose to execute that to make the required changes to the configuration automatically
3. What is Baseline Conflict and How to resolve it?
If there is any difference between the baseline configuration and the running configuration of your device,the Network Configuration Management feature will consider that as a baseline running conflict. This will be shown as "Conflict Detected" status in the "Baseline Conflict" column of device list. To resolve such conflict you need to label your running configuration as baseline configuration
4. Can I apply the same credentials to multiple devices?
Yes, the same set of credentials can be provided to any number of devices. You can also choose to create a device group with a set of devices and then apply the credential to that group from the Device Group page in inventory. Also if you find yourself using the same credentials multiple times, please save those credentials as a credential profile, and next time while applying the credential just select the profile and the Network Configuration Management feature will fill all the necessary details
5. What happens if I unmanage a device?
If a device is in the unmanaged state, you won't be able to perform any important operations like Configuration Backup, Upload Config, Automatic Change Detection, Sync Configuration, Compliance Management or Change Management etc. Any schedule that contains the unmanaged device won't perform the scheduled task for the said device, even if the schedule was created when the device was in the managed state
6. How to check notification for a device?
Click on the device from Inventory to open device snapshot. Then click on the "Notification" icon to open a slide with all the associated change notifications. You can also add a new notification from the same slide
7. How to check alarms for a device?
Click on the device from Inventory to open device snapshot. Then click on the "Alarm" icon to open a slide with all the alarms ever triggered by the said device
8. How to check workflow associated with a particular device?
Click on the device from Inventory to open device snapshot. Then click on the "Workfflow" icon to open a slide which contains all the associated workflows
9. How to check if a device is reachable?
Click on the device from Inventory to open device snapshot. Then click on the "Ping" icon to ping the device and see the response. If you get a "Timed Out" error, it means the device is not reachable
10. What is the "Show Commands" option for a device?
Show Commands give you the ability to run a few pre-defined commands on a particular device. You can select and execute any command from a given list and check the device's response in a console window. This response can also be exported to a file using the "Export" option provided in the show command slide
11. Where can I check all the audits for a particular device?
Please follow the steps given below to check the audits for a particular device: Click on a device to open the device snapshot with all the device details Click on the action button on the top right of snapshot page Select "Audit History" from the newly opened list This will open up a slide with all the device history in a timeline format
Discovery
1. What happens when existing devices are rediscovered?
If a device is already discovered and added to the Network Configuration Management feature successfully, there will not be any effect if you run the discovery process again and try to discover the same device. The device will be shown as 'Already Exist in Inventory' in the discovery report
2. Why are the reachable devices not added to the Network Configuration Management feature?
A device will be shown as 'not reachable' in discovery reports and won't be added to the Network Configuration Management feature in case of the following errors: Device is not reachable: Make sure the device is up and running and is reachable via ping. SNMP is not enabled: the Network Configuration Management feature can discover only SNMP enabled devices, so make sure that SNMP is enabled for the device. Wrong credentials: Make sure the selected credential profile applies to the device you are trying to discover. SysObjectID is not present in the Network Configuration Management feature's database
3. Where can I view / edit the credential profiles for discovery?
To view/edit any credential profile use the following steps: Go to Settings > Discovery > Credentials All the available credentials will be displayed under SNMP tab. You can click on any of the credential to open the edit wizard. You can also delete a particular credential by clicking the bin icon
4. Can I choose multiple credential profiles while creating a discovery profile?
Yes, there is no restriction on the number of credential selection, so you can select as many credentials as you like
5. Can I apply the same set of credentials to multiple devices as a bulk operation?
Yes. You can apply the same set of credentials 'as they are' to multiple devices. In such cases, to avoid the cumbersome task of entering the credentials for each device separately, the Network Configuration Management feature offers the flexibility of creating common credentials and sharing the common credentials among multiple devices. This is called a 'Credential Profile'
6. Why are some reachable devices not added to the Network Configuration Management feature?
A device will be shown as unknown in discovery notification and won't be added to the Network Configuration Management feature if any of the following condition is met: Device is not reachable: Make sure the device is up and running and is reachable via ping. SNMP is not enabled:the Network Configuration Management feature can discover only SNMP enabled devices, so make sure that SNMP is enabled for the device. Wrong credentials: Make sure the selected credential profile applies to the device you are trying to discover
7. Where can I find and edit all the added discovery profiles?
Go to Settings > Discovery > Discovery Reports There you can see the list of all the discovery profiles created earlier. You can click on any profile to edit it. You can also delete the profile by clicking on the bin icon for the respective row
8. Can I reschedule the already added profile?
Yes, to reschedule a profile, use the following guidelines: Go to Settings > Discovery > Discovery Reports Click on the profile you want to reschedule, this will open the edit discovery page, at the bottom of the page, expand the schedule section and edit the parameters as required. Click Save to save the changes
9. Where can I view/edit the credential profiles for discovery?
To view/edit any credential profile use the following steps: Go to Settings > Discovery > Credentials All the available credentials will be displayed under SNMP tab. You can click on any of the credential to open the edit wizard. You can also delete a particular credential by clicking the bin icon
10. Is there any report where I can check the status of previous discoveries?
Yes, you can always check the details like no of devices added, deleted or the time it took to discover all the device etc. under Settings > Discovery > Discovery Reports > Select Reports from the top right corner
11. Can I choose multiple credential profiles while creating a discovery profile?
Yes, there is no restriction on the number of credential selection, so you can select as many credentials as you like
Credentials
1. What should be done if the protocol needed is not listed for the chosen Device(s)?
After adding the device, while applying the credentials, if you don't find the protocol that you need, listed in the apply credential slide, then it means the Device Template used to add the device, does not support that particular protocol. To resolve the issue please contact RMM Central's support team and we will create a new device template for you, which can then be used to get the desired results
2. What is the purpose of additional credentials for a device?
Additional credentials option can be used to provide following additional details: TFTP/SCP Server Public IP: When the device is present outside the private network (i.e. when the private IP of the Network Configuration Management feature is not reachable for the device) this parameter can be used to provide the public IP of the the Network Configuration Management feature server (NAT'ed IP of the Network Configuration Management feature). This IP will be used in Configuration backup via TFTP / SCP. In case you have not chosen any TFTP or SCP protocol, this field can be ignored. Telnet/SSH Port: By default the Network Configuration Management feature uses port number 23 for Telnet protocols and 22 for SSH protocols, if you wish to change it, you can change this field. If you choose to change this field, the change will be effective only for the selected device. Login Prompt: The text/symbol that appears on the console to get the typed login name is referred as login prompt. For example, "Username@" here '@' is the login prompt. Another example is "Login:" here ':' is the login prompt. These prompts are pre-defined in device's settings and while applying the credential one shall provide the exact prompts for the Network Configuration Management feature to access the device properly. Password Prompt: The text displayed on the console when asking for the password. For example, "Password:" has ':' as the password prompt. These prompts are pre-defined in device's settings and while applying the credential one shall provide the exact prompts for the Network Configuration Management feature to access the device properly. Enable User Prompt: The text displayed on the console when asking for Enable UserName. For example, "Username@" here '@' is the login prompt. Another example is "Login:" here ':' is the login prompt. These prompts are pre-defined in device's settings and while applying the credential one shall provide the exact prompts for the Network Configuration Management feature to access the device properly. Enable Password Prompt: The text displayed on the console when asking for password. For example, "Password:" has ':' as the password prompt. These prompts are pre-defined in device's settings and while applying the credential one shall provide the exact prompts for the Network Configuration Management feature to access the device properly
3. What is "Prompt" in Credentials?
Prompt is a text/symbol that appears on the console after successfully logging into a device. Please refer the image given below for more details. In the image given above, after providing the correct username and password the device name is shown with '#' symbol which is the indicator that the user can now enter commands to use the device. That '#' symbol is the prompt in this case, and shall be provided while applying the credentials. These prompts are pre-defined in device's settings and while applying the credential one shall provide the exact prompts for the Network Configuration Management feature to access the device properly
4. What is "Enable Prompt" in Credentials?
Enable Prompt is a text/symbol that appears on the console after you have successfully entered into the enable mode of device. Please refer the image given below for more details. In the image given above, after providing the correct username and password and executing the 'enable' command, user is in enable mode and the device name is shown with '#' symbol which is the indicator that the user can now execute commands in enable mode. That '#' symbol is the enable prompt in this case, and shall be provided while applying the credentials. These prompts are pre-defined in device's settings and while applying the credential one shall provide the exact prompts for the Network Configuration Management feature to access the device properly
5. What is the difference between Telnet and Telnet-TFTP protocol in credentials?
Telnet-TFTP has one advantage over Telnet protocol and that is, it allows you to do file transfers. So any operations which operate with a file transfer will not work with Telnet protocol but will work on Telnet-TFTP. One such important operation is uploading a configuration to the device
6. What is the difference between SSH and SSH-TFTP / SSH-SCP protocol in credentials?
SSH-TFTP and SSH-SCP protocols allow file transfers for various operations like uploading a configuration to the device. These operations cannot be performed with SSH protocol. SSH-SCP is a more secure protocol than SSH-TFTP
7. What is a Credential Profile?
A credential profile is a set of credentials that can be saved and then can be used later to apply credentials to a particular device or to a group of devices at a time. Following are some of the benefits of creating a credential profile: It eases the process of applying credentials to multiple devices at a time. You can name common credentials, to make them easily identifiable. You won't have to provide every single parameter multiple times for devices that are using the same credentials. If any parameter for accessing multiple devices is changed and all those devices are associated with a single credential profile, then you can simply edit the credential profile instead of changing credentials for each device one by one
8. What to do if Enable Username and password are not configured?
If your device doesn't use any username or password for entering the enable mode, you can simply configure the "Enable Prompt" value in credentials and ignore the "Enable Username" and "Enable Password" fields
9.What to do if Enable Username is configured without a password?
If your device is configured to use only a username to enter enable mode and not the password, please provide the "Enable Username" and "Enable Prompt" while applying credential and you can provide any dummy value in the "Enable Password" field
10. Can we have multiple values for prompts?
Yes, multiple values in the form of a regular expression can be provided for prompts while applying credentials. the Network Configuration Management feature will determine the appropriate prompt value from the ones provided in the regular expression. Note: Multiple values can only be provided for SSH protocol. If you wish to use Telnet protocol, kindly provide the exact prompt value
11. Can we have one profile for SNMP/SSH/Telnet protocols?
Yes multiple protocols can be included and configured in a single credential profile. Once the profile is configured with multiple protocols, you can use it to apply the credentials and while applying credentials, you can select the appropriate protocol for that particular device or set of devices
12. I have applied credentials for a set of devices using a credential profile. How do I change credential for a single device out of that set?
When credentials are applied to multiple devices using a credential profile, it is easy to edit the credential profile to edit credentials for all the associated devices. But in case if you want to change credential for a single device out of that set, you will have to remove the association from the credential profile first. Please follow the steps given below to change credential for a single device associated to a credential profile along with other devices. Click on the credential icon for the said device from device list. Alternatively you can select the device and click on the 3 horizontal dots on top right and click on "Apply Credentials". Select the desired protocol Select "---Select---" option from "Use Credential Profile" dropdown to disassociate the device from the credential profile Make the necessary changes to credential parameters. Click on Save
Credential Rule
1. What is a credential Rule?
the Network Configuration Management feature already has a feature know as Credential Profiles, where the user can set up a profile with all the required credential parameters for different protocols and then the credential profile can be associated with the devices and based on the protocol selected in device credentials, appropriate credentials will be applied to the device automatically. Now with credential rules, the process of applying the credential profiles to the devices can be automated by creating a credential rule and providing either a particular device group(s) or a criteria to select devices based on multiple parameters. User will also need to provide the protocol and the credential profile that will be applied to the devices which fulfil the criteria for the particular credential rule. Any new device that is added into the Network Configuration Management feature will go through all the credential rules available in the product at the time and if the device fulfills the criteria for a particular credential rule, the associated credential profile will be applied to the device. If a device fulfills criteria for multiple rules, the rule with the lowest rule order will be selected
2. Can I set a priority for a credential rule when a device is fulfilling criteria for multiple credential rules?
the Network Configuration Management feature tries to match devices with credentials rules starting from the lowest rule order. Hence, a priority can be set by giving a small rule order number to a particular rule. Rule orders can be changed by dragging and dropping the rows in the Credential Rules grid
3. Can I run a credential rule for existing devices in Inventory?
Any non-disabled credential rule can be executed for existing devices. Please follow the steps given below to run a credential rule through selected devices: Go to Config Automation > Credentials > Credential Rules Click on the "Run Through" icon in the grid for particular Credential Rule Select the devices in the newly opened slide Click on Run
4. What is the protocol field while adding/modifying the credential rules?
Credential Rules work hand in hand with Credential Profiles. A Credential profile may contain credentials for multiple protocols (SSH, Telnet etc...). While creating/modifying credential rules, users can select the particular protocol credentials to be associated with the device if the device fulfills the criteria for the particular credential rule
5. Can I apply REST credentials using Credential Rules?
As of now, REST credentials profile cannot be created in the Network Configuration Management feature, hence we cannot use the Credentials Rule to apply REST Credentials. We are working on bringing support for features like these and we will be adding REST credentials to credential profiles soon
6. What happens when I disable a credential rule?
A disabled credential rule will not be considered while applying credentials to devices, even if the device fulfills the credential rule criteria
SysObjectID
1. What is a SysObjectID?
SysOID or System Object ID is an id provided to all the SNMP agents. This ID is used by Network Management systems like the Network Configuration Management feature to automatically detect the monitoring capabilities of the given device and some other useful information about the device
2. What is the use of SysOID in the Network Configuration Management feature?
the Network Configuration Management feature uses SysOID for mainly 2 operations as described below: Discovery: To add a device in the Network Configuration Management feature it must be associated to one of the device templates available in the Network Configuration Management feature, and during discovery the Network Configuration Management feature use device's SysOID to determine the appropriate template for the given device. EOL/EOS Information: the Network Configuration Management feature also determines the EOL (End of Life) and EOS (End of Sale) dates for a particular device based on its SysOID. Although this information can also be gathered using the Series and Model of the device but it may not be accurate. So please keep the SysOID mapping updated for your devices under Settings > the Network Configuration Management feature > Device SysOID Mapping page
3. Where can I find the manually added SysOIDs?
You can find all the manually added SysOIDs under Settings > the Network Configuration Management feature > SysObjectID Finder > Click on Custom on the top right corner
4. Can I edit/delete the already added SysOID?
You can't edit the default SysOIDs present in the Network Configuration Management feature but you can always edit or delete the SysOIDs which are added manually. To edit SysOIDs please follow the steps given below: Go To Settings > Network Configuration Manager > SysObjectID Finder Click on Custom in the top right corner Click on the SysOID entry you want to edit Provide the new device template, series and model information (latter two are optional) Click save You can also delete a particular entry by clicking the bin icon given in front of it
5. Can I update SysOID for a whole group of devices?
Yes, you can update SysOIDs group wise. Please select the 'Select Device Group option' under Update SysOID page and select the group you want to update from the given drop down. Only public groups will be shown in the drop down, so make sure the group you are trying to update is marked public. Alternatively you can select multiple devices from the given list of devices
6. I have triggered the update option from Update SysOID page but still I can't see the SysOID mapping in Device SysOID Mapping page
Updation of SysOID may take several minutes depending upon the no. of devices you have selected and also the no. of SNMP profiles you have selected. So please wait for some time and if you still don't see the SysOID's updated in the mapping table, please make sure you have chosen the right SNMP profiles to update the information. Also make sure that the devices you are trying to update the information for, are SNMP enabled. If none of the above mentioned troubleshooting methods works for you, kindly contact the RMM Central support team and we will be happy to help you
7. While adding new SysOID after providing the device hostname/IP address, system is not proceeding to next step
Please make sure the device is reachable and also the SNMP is enabled for the device. Also make sure the credentials provided to find the SysOID are correct. If any of the reasons mentioned above is the root cause for your issue, then you will receive an error message after the time-out exceeds. If this information doesn't help and you are still facing the issue in finding SysOID, feel free to contact RMM Central support team, we will be happy to help you
Device Template
1. What is a device template?
Device Template is a set of configurations, which contains some device specific commands to enable the Network Configuration Management feature to perform backups and other device specific actions on a particular device. the Network Configuration Management feature comes bundled with over 200 device templates which in turn supports over 4000 devices. You can also add custom device templates according to your requirements to manage additional devices, or a new device template can be requested from RMM Central's support team
2. What are all the important information one needs to know before creating / editing a device template?
Try to gather following information about your device, before you try to edit/create a device template: Mandatory: Command to disable pagination in the devices. Command to fetch the startup configuration. (Only if the device supports startup configuration) Command to fetch the running configuration. Command sequence to fetch the configuration using Telnet or SSH. Command sequence to show the configuration version information. Optional: Command to enter configuration mode on the device. Command to exit configuration mode. Command sequence to upload configuration using Telnet or SSH. Command sequence to commit a configuration change on the device
3. What are the command template variables used by the Network Configuration Management feature?
Following is the list of all the command template variables used by the Network Configuration Management feature in device templates:
| Variable |
Description |
| ${UserInput:tftp_server_address} |
IP Address of TFTP Server which can be found under Settings > Network Configuration Manager > Server Settings > TFTP Server |
| ${UserInput:file_name} |
Filename to save the configuration on TFTP or SCP server |
| ${UserInput:HostIpAddress} |
IP Address of Syslog Server which can be found under Settings > Network Configuration Manager > Server Settings > Syslog Server |
| ${UserInput:LoggingLevel} |
Syslog level on or above which |
| ${UserInput:scp_server_address} |
IP Address of SCP Server which can be found under Settings > Network Configuration Manager > Server Settings > SCP Server |
| ${UserInput:scp_username} |
SCP server username |
| ${UserInput:scp_password} |
SCP server password |
4. What are some of the best practices while creating/editing a device template?
Please go through the following best practices: Try to check multiple device templates to get a hang of all the appropriate command syntax. Gather all the information required for your device template. Find out whether you need to use any pre-command or command variable while creating/editing the device template, if yes what are they and where to use them. Try to create a device template tweaking existing device templates instead of going for a completely new device template from scratch. Always make a backup copy of a device template before modifying it
5. What is prompt ActionID? When do we mention them and when do we not?
Prompt ActionID is a command mapped to a prompt, which gets automatically executed when a prompt match is found, during an operation execution. Example: Consider a command that has prompt "[yes/no]"(this prompt might be mapped to a promptActionId) asking whether to proceed to the next command. When this prompt appears, we check if any promptActionId has been provided and if the prompt that appeared is mapped to this ActionId. In that case, the command (either yes or no) mapped to this prompt will get executed. If that prompt's value is "yes", we proceed to next command and if it is a "no" , the execution stops there. Also, if there is no definition of that prompt, the operation will wait till a response is provided. NOTE: If a prompt Action ID is not defined for a prompt, the operation will not continue. This is why it is essential to map a prompt Action ID to a prompt, for commands that require a response/action
6. What does operation mean? What are the supported DT Operations?
Operation refers to any device configuration activity. the Network Configuration Management feature supports the following operations: Backup Startup Configuration Backup Running Configuration Upload Startup Configuration Upload Running Configuration Enable Change Detection Disable Change Detection Sync Configuration Get Hardware Props
7. What if the Device Template XML file gets imported with just one protocol (Telnet)? Can I use the same commands for SSH protocol?
Yes, you can use the same Device Template for SSH protocol. In order to make the operations available for SSH, go to Settings -> DeviceTemplate and click on the template which needs to be changed to SSH protocol. Once the protocol is changed, click on save icon. This template can now be used for both the protocols (SSH/Telnet)
8. What does Backup Response mean? Why do we have it only for Backup Operation of SSH/Telnet protocol?
Backup Response is an action which triggers a backup from a particular configuration command, if enabled. The response of the command whose backup response is true is read and downloaded from the device. (For the command from which you want a back up to be triggered, enable the radio button for BackupResponse). BackupResponse is available only in SSH/Telnet Protocol for Backup Operation because, in file-transfer protocols such as TFTP, and SCP, the configuration file will be automatically downloaded from the device in a file format. Since SSH/Telnet are not file transfer protocols, we can only read the response of the command. Hence, Backup Response must be given in order to trigger a backup of a configuration file
Inventory & Change Detection
1. How does the Network Configuration Management feature help me in keeping track of configuration changes?
One of the ways to detect configuration changes in a device is by monitoring syslog messages. Many devices generate syslog messages whenever their configuration undergoes a change. By listening to these messages, it is possible to detect any configuration change in the device. This comes in handy for administrators to keep track of the changes being made and to detect any unauthorized changes. the Network Configuration Management feature leverages this change notification feature of devices to provide real-time change detection and tracking. A syslog server comes in-built with the Network Configuration Management feature. It occupies port 514. Besides the real-time change detection, configuration changes could also be tracked through scheduled, periodic backup of device configuration
2. What is real time change detection?
Real time change detection is a feature provided by the Network Configuration Management feature which allows you to monitor every single change made to a device's configuration and trigger an automatic backup and can notify you about any unauthorized change. How does it work? Many devices generate syslog messages whenever their configuration undergoes a change. By listening to these messages, it is possible to detect any configuration change in the device. the Network Configuration Management feature leverages this change notification feature of devices to provide real-time change detection and tracking How does it benefit me? This comes in handy for administrators to keep track of the changes being made and to detect any unauthorized changes. By enabling this, you can: a. Capture configuration as and when changes happen b. Get real-time notifications on change detection c. Find information on who carried out the change and from where (the IP address) d. Detect unauthorized changes on real-time
3. What are some troubleshooting steps if real time change detection is not working for my device?
If you have configured the device for real time change detection, but you are not receiving the expected notifications and the backups are not working, please check following things once: Configured syslog server is up and running. Syslog services are running. You can check this and start the service if not running by going to Settings > Basic Settings > Server Settings. Check if the proper port is configured for the server. Check if the device is forwarding syslogs or not. You can use the ManageEngine's Syslog forwarder feature to detect this. It's free to use. If all the above mentioned troubleshooting steps returns positive results and if change detection is still not working, please contact RMM Central's support team, we will be more than happy to help you out
4. The Network Configuration Management feature is showing that 'The selected device(s) do not support Configuration Detection through Syslog'. What should be done?
This message appears for one of the two reasons: The device is configured with SNMP credentials: If you have added the device using the Network Configuration Management feature discovery, then the device will be configured with SNMP credentials or if you have manually applied SNMP credentials to the device then the change detection can't be enabled for the said device. the Network Configuration Management feature can't detect syslog messages with SNMP credentials. Please change the credential protocol to either SSH or Telnet. If it still doesn't work, please contact RMM Central's support team. Configured device template doesn't support real time change detection: If the selected device template which was used to add the device to the Network Configuration Management feature does not support real time change detection, you will be shown this message. Please contact RMM Central's support team to help you with the issue
5. What is logging level and what its value must be set to while enabling real time change detection?
Each device has a pre-configured list of log levels or log types. These log levels are used to determine the severity of the change for which the syslog message is generated. Following are some example of syslog levels: Informational: These types of logs can be generated by the device to provide some basic information. Notice/Notification: These types of logs can be generated to provide a notification to the user. Warning/Alert: These are the most severe types of log and are generated to notify that something unusual has occurred with the device for example an unauthorized change. Based on your need, you can set a level of logging while enabling real time change detection. This setting can be changed later using the same option. Once the logging level is set, the Network Configuration Management feature will notify you and will trigger a backup for all the logs that have the same or higher level as the one you have chosen. Note: The above given list of log levels is just for example, and the actual type of log levels may differ for your device
6. Can I enable/disable real time change detection for multiple devices at a time?
Yes you can enable/disable real time change detection for any number of devices simultaneously
7. Why does the Syslog Change Detection Status show "Enable Now" even if Change Detection is enabled in the device?
Change Detection Status will be marked as enabled when the current configuration has the line matching the pattern provided under Config Automation -> Device Template -> Enable Change Detection Status. If you are not able to find the matching pattern by default, then we can add a new one
8. Can more than one Regex Pattern be configured to show "enabled" status?
Yes, more than one regex pattern can be configured for the same device type. However, all the regexes should have their current configuration matching to show the Change Detection Status as "enabled"
Label Configurations
1. What is labelled configuration?
Labelled configurations are normal device configurations but with a name (label) assigned to them. This helps us in distinguishing a configuration from all the other configurations for a particular device and allows us to find the necessary configuration easily. Any configuration that seems important, or may be needed in future, or if you want to save it as a fall back option if something goes wrong, can be associated with a label
2. What is the benefit of using labels for configuration?
You can label a configuration to distinguish it from all the other configurations for a particular device. For example, you can label a very stable configuration as 'Stable' before making a critical change in the configuration. So if anything goes wrong, you can easily find your labelled device and revert to it. Since there are lot of configuration backups for a particular device, labeling a configuration helps you to easily identify a particular configuration among the hundreds of configurations for a specific device
Scheduling
1. What are the different types of operations that can be scheduled via the Network Configuration Management feature?
The following type of tasks can be scheduled using the Network Configuration Management feature: Configuration Backup Report Generation Compliance Check Configlets Sync Configuration PCI Review
2. Can I disable an already scheduled task for a temporary period?
Yes, a schedule can be disable temporarily without removing it permanently. To do so, go to Settings > Schedule > All Schedules. Click on the Enable/Disable toggle button under Status column for the schedule which you want to Enable or Disable
3. Can I execute a schedule on demand?
Yes, a schedule can be executed on demand before its scheduled time. To execute a Schedule on demand, go to Schedules page from Settings > Schedule > All Schedules. Click the "Execute Now" option from the Action column for the schedule you want to execute
4. Can I see the history of Schedule Execution?
Yes, schedule execution history can be accessed from Settings > Schedule > Schedule Audit
5. Can a task be scheduled for multiple devices?
Yes, you can schedule a task for as many devices as you wish at a time. You can also select a device group for scheduling a task while creating the schedule
6. I have scheduled a task, but I am not receiving any email notification. What shall I do?
If any of the email addressees mentioned while creating the schedule are not receiving the notifications, then check the mail server settings under Settings > Basic Settings > Mail Server Settings. You can also send a test mail to ensure that the mail server is configured properly. If the mail server settings are working fine and if you are receiving the test mail without any issue, but you are still not getting the schedule notification, then please contact RMM Central's Support team for further help
Configlets
1. What is a configlet?
A configlet is a configuration script that is transformed to a CLI configuration string before being applied to a device. The dynamic elements (strings) in configlets are defined using variables. These variables act as an input to the process of transformation to construct the CLI configuration string. These variables can contain anything: the interface name, device name, description text, or any similar dynamic values. The values of these variables are either defined by the user or system, or determined by the context at the time of execution. The Configlets help in automating repetitive and time-consuming configuration tasks. All you need to do is to create a small Configlet containing the required commands and then execute the Configlet for carrying out repetitive tasks for many devices, multiple times. The Configlets can also be scheduled for execution at a certain point of time in future. This helps in executing the tasks without the intervention of the administrators. The Configlets enable the network administrator to apply the changes to multiple devices at one go. Also, the Configlets provide the benefit of carrying out exact changes with precision
2. Can I import/export a configlet?
Yes a configlet can be imported/exported from and to a file. Go to Settings > Configlets page Click on "Import" to import a configlet. Provide a XML file containing configlet details, and click on Import. To export a configlet, select the configlet from the list and click on "Export"
3. Can I schedule a configlet execution?
Yes a configlet execution can be scheduled. To schedule a "configlet execution" please click on the Schedule icon in the last column of Configlet list under Settings > Configlets. This will open up a slide to add the schedule. Provide the necessary details for the schedule and click on save to save the Scheduled task. Results of every schedule execution can be seen under the "Execution History" tab
4. What is 'Add To Snapshot' option in the Configlet page?
You can add a particular configlet or a group of configlets to the Action menu of device snapshot using this option. Once you select a configlet or multiple configlets, click on 'Add to Snapshot'. This will open a slide where you can choose the device template which you want to associate the configlet(s) with. Once associated, configlet option can be seen in the Action Menu of Device Snapshot page under "Configlet Actions" section. This is useful if you execute the said configlet(s) very often for a particular device or device type
5. Where can I check the history of Configlet Execution?
Configlet Execution History can be checked under Settings > Configlets > Execution History tab. A report can be exported as PDF for each record in history. Click the PDF icon provided in the last column of the record to export the report
6. How to enable SNMP on Cisco switch?
SNMP can be enabled on Cisco switch by using automation templates called as configlets. You can select script execution mode and enter device-specific commands and execute it. This will instantly enable SNMP on Cisco switch
7. How to configure SNMP on Cisco switch?
There are certain device-specific commands that need to be executed to configure SNMP on Cisco switch
8. Can I enable SNMP with Configlets?
Yes, SNMP can be enabled or disabled using Configlets. Refer to your device specific command to enable SNMP and use the same command to create the configlet using Script Execution Mode
9. Can I apply same configuration commands in multiple devices using Configlets?
Yes, the basic idea behind configlets is to allow users to perform various bulk operations on multiple devices at the same time. Following are few practical applications of the same: Changing Passwords Getting 'show version' output of all devices Updating NTP server entries on your devices Synchronizing Running & Startup Configurations
10. What are the types of Configlets execution mode?
Configlets offered by the Network Configuration Management feature are of two types: TFTP Mode - for uploading a partial configuration change to a device/devices through TFTP. Script Execution Mode - commands are executed on the CLI console one after another. Script execution is divided further into two types as below - Simple Script Execution Advanced Script Execution The following table provides information about the each type of configlet and when to use them:
| TFTP Mode | Simple Script Mode | Advanced Script Mode |
|---|
|
TFTP mode is for uploading a partial configuration change to a device/devices through TFTP.
|
To execute a single command on the CLI console. |
To execute a series of inter-connected commands on a device in command line. After the execution of one command, some input has to be provided before the next command is invoked. In such a situation, advanced scripting would be useful.
|
|
example
- Enabling TELNET service
- Changing SNMP Community
- Forwarding Syslog messages
- Changing the interface
|
Example: Synchronizing Running & Startup Configurations. Through a single line in the script containing the command copy running-config startup-config, you can synchronize the startup and running configurations of any number of devices.
Other Examples:
- Changing Passwords
- Updating NTP Server Entries
- Getting 'show version' output
|
Example: Backing up your current IOS image to a TFTP server. To do this, the following sequence would be used:
- Command to be used copy flash tftp - the location of your current IOS image
- TFTP server's IP has to be specified
- The file where it has to be copied has to be specified
|
|
In all the above case, TFTP mode of configuration upload could be used. In general, for carrying out changes to existing configuration, this mode could be used.
|
|
The above sequence of command execution could be transformed into an advanced script as below:
copy flash:/$SOURCE_FILE_NAME tftp $TFTP_SERVER_IP $DESTINATION_FILE_NAME
|
|
For other cases like executing a command on device, Script execution mode has to be used.
|
|
- Uploading OS images / firmware upgrade
- Configuring banner message
- Resetting passwords of HP ProCurve and Exteme Summit devices
- Deleting files from flash
|
11. What happens when the configuration command changes the command prompt?
At any step of configlet execution, if the command prompt changes then this change must be explicitly handled while creating the configlet. You can add an attribute called "Prompt" for the command which will use a different prompt value, and mention the prompt as the value to the attribute. Example: copy startup-config tftp (Here, the prompt ? is placed within single quotes and following a closing square bracket. Everytime "copy startup-config tftp" command runs, it will run with the prompt value '?') Note: "Prompt" attribute is supported only in Advanced Script Mode
12. How to provide/define the user input parameters in configlets?
While creating the configlet, in the text field 'Configlet Content', enter the configuration commands that are to be uploaded to the device. While entering the configuration command, use $ to create a Variable. For instance: snmp-server community $COMMUNITY RO. Here, "COMMUNITY" will act as a variable for the command. If a variable has been created/defined in the configlet. You have two options here to enter the desired value for the respective configlet variables. Same value for all devices: If you want to specify the same value for a particular configlet variable for all devices, choose this option and enter the value. For example, for '$COMMUNITY', you can provide 'public' as the value. After entering the values(s), you can preview the actual configuration with full configuration commands and value for community variable(s). A different value for each device: In case, you want to specify a different value for different devices, provide your input in the form of a text file. This option will be highly useful in cases such as providing passwords. You assign a unique password to each device in a single click through this option. Ensure that the entries in the text file are in the following format: Column headers should be the same as that of the Configlet Parameters defined in the configlet with the entries separated by a comma. "RESOURCE" column is mandatory and it should be the first column in the file to identify the devices on which the script needs to be executed. The value for RESOURCE should be either host name / ip address. One line can hold the entries for one device. Format: RESOURCE,, Examples: RESOURCE,PASSWORD 192.168.1.1,password-0 de-host,password-1
13. What are flow export configlets and how to use them?
Flow Export Configlets are used to export the flow from the device to a particular server. You can create a flow export configlet and assign it to a particular device template. How to create and assign a flow export configlet: Go to Settings>Configlet>All Configlets from Main Menu. Click on Add. Enter all the necessary details for the configlet. Save the configlet using the Save button. Go to Settings > Device Management > Device Template Click on the Device Template to which you want to assign the newly created configlet Go to "Flow Export Configlet" tab. Click on "Add Flow Configlet" Choose the newly created configlet and move it to the right hand side of the select box. Click on save How to use the assigned Flow Export Configlet: Go to Inventory > Devices Select the device for which you want to export the flow Click on the 3 horizontal dots at the top right corner to get device option list. Click on Export Flow If the credentials are not assigned to the device, you will have to provide the device credential, if the credentials are already present, then this step will be skipped automatically. Select the interfaces in next step. Interfaces will be listed only after successful configuration backup for the device. You can skip interface selection if you do not want to configure interfaces. Select the newly created 'Export Flow Configlet' in next step. Check all the ip addresses and interface values are populated successfully in the configlet Click on Apply
14. Can I use $variable in all Configlets?
Yes, $Variable can be used in Script Execution and Advanced Script Execution Mode Configlets. These variables are used to define dynamic data to be used for Configlet execution
15. How to escape '$' in Configlets?
We use ‘$’ to define variables in Configlets. To use '$' without variable definition, you must escape ‘$’ using this format "#[[$]]#"
REST Configlets
1. What are REST configlets?
A REST API is an application programming interface (API or web API) that conforms to the constraints of REST architectural style and allows interaction with RESTful web services. When it comes to configurations, most of the device vendors provide REST API support on different levels for reading and writing the device configuration in parts or as a whole during the backup process. the Network Configuration Management feature uses the REST APIs to allow users to have a simplified UI experience. The users can focus on a particular part of the configuration without worrying about the command syntax and configuration hierarchy. On top of that, the REST API's GUI has been designed to resemble the device GUI for users' better understanding. In NCM, REST API based configuration management works with REST Configlets. Rest configlets are configuration objects such as address, policy, security rules etc. You can access Rest Configlets by going to Config Automation > Configlets > Rest Configlets. Each configlet comes with a different set of operations such as Add, Edit, View, Delete, Rename, View All, Clone, Execute etc.
| Operation | Description |
|---|
| Add |
Adds a new object to the device configuration. |
| Edit |
Provides a list of objects available in the device. Users can then select a particular object. The details about the selected object will be fetched from the device and will be shown to the users. Users can update any particular detail/parameter for that object and then execute the configlet to save the changes in device. |
| View |
Provides a list of objects available in the device. Users can then select a particular object. The details about the selected object will be fetched from the device and shown to the user in read only mode. |
| View All |
Shows all the available objects in the device in a grid along with their details |
| Delete |
Provides a list of objects available in the device. Users can select a particular object and execute the configlet to delete the object. |
| Rename |
Users can select a particular object and provide a new name to rename the object in the device. |
| Clone |
Users can select a particular object and provide a new name to clone the object in the device with the name provided along with its properties |
| Execute |
Most of the non-firewall devices have objects that can only be viewed and executed as CLI commands. For such devices and configuration objects, there will be only one operation available, which is "Execute". It will execute the command in the device with the provided parameters. |
2. What are the key benefits of using REST configlets?
While backing up whole configurations, REST APIs are much faster than a normal CLI backup. In fact all REST API operations are faster than CLI operations in general. One does not have to memorize command syntaxes while updating a particular part of a configuration. One does not have to worry about the hierarchy of objects in a configuration. The important objects in a configuration can be viewed in a grid format in NCM. NCM's REST Configlet feature provides a GUI that is similar to the device's GUI (Eg: Firewall GUI) and this makes it easy to update a part of the configuration directly from NCM
3. What are the operations that will be performed using REST once I provide REST credentials?
If REST credentials are provided to a device, NCM will take backup and will upload configuration to the device using REST API's. Additionally user can execute REST Configlets to modify or view a part of configuration
4. Can I use both REST and CLI credentials to manage my device?
Yes, you can use both REST and CLI credentials to manage a device. In fact NCM recommends a user to use a combination of CLI and REST credentials to make the most out of the feature
5. What are REST Device Templates?
Similar to CLI Device Templates, REST Device Templates are a set of instructions that helps NCM in performing the REST API operations on the device. It contains details about the operations that can be performed on a device, the list of parameters for each operation and also the REST Credential parameters that help NCM to connect with device using REST API. One cannot associate a REST Device Template directly with a particular device, instead REST Device Templates are associated with CLI Device Templates and when a device is added with the CLI Device Templates, the respective REST template automatically gets associated with the device
6. Can I map a particular CLI device template to a REST device Template?
As of now, we have automatically mapped few CLI device templates with appropriate REST device Templates and this list cannot be modified. In the future, we may provide an option to create and edit REST device Templates, as well as to add and edit REST Configlets
7. NCM doesn't support the REST feature for my device. How to get support for my device?
Please reach out to NCM support at ncm-support@manageengine.com with Device and Vendor information. We are continuously adding REST API support for more and more vendors and will be happy to prioritize your device once requested
8. What is the base OS version mentioned on the REST Configlets page?
Base OS Version is the firmware version of the device from which the REST device template for that particular vendor is derived. Which means, if any API added, removed or modified before that version, it may not work in NCM
9. Can I use REST configlets for a device with OS version older than the Base OS Version?
Base OS Version is the firmware version of the device from which the REST device template for that particular vendor is derived. Which means, if any API added, removed or modified before that version, it may not work in NCM. We do not recommend to use REST API operations in NCM if the device's firmware version is older than the Base OS version
10. What is object explorer under device snapshot?
Object Explorer is a list of object types (Address, Policy, Schedule etc) from device configuration that can be manipulated using REST API's. Once any of the object types is selected from the Object Explorer list, a new slide will open with the list of objects of the selected type. Here you can select any of the objects from the grid and click on "Hamburger icon" on top right of the grid to see the list of operations that can be performed on the selected object. Add and delete operations are available on top of the grid (These operations will be available only if Add and/or delete operations are supported). Once an operation is selected, a new slide will open to execute the operation. Provide required parameters in the newly opened slide and click on execute. (This option will be available only if the operation is not read-only). Please note that not all the objects that support REST API are listed under Object Explorer. We have listed only the operations that are deemed most important in device configurations. To check the complete list of object types that supports REST API for a particular vendor please go to Config Automation > Configlets > REST Configlets (In case of OPM or NFA, this option is available under Settings > NCM > Configlets > REST Configlets)
Firmware Vulnerability
1. How do I see the severity of a Firmware Vulnerability?
In order to see the severity status of all the vulnerabilities in your devices, you can click on the "Firmware Vulnerability" tab. On the top left corner, under "Firmware Vulnerabilities" you will see all the vulnerabilities in your network along with its severity. Based on the severity, NCM groups vulnerabilities as Critical, Important, Moderate, Low and Unrated. By clicking on the severity, you can see all the vulnerabilities and the number of devices in your network environment which has those vulnerabilities. On top of that, NCM also provides a reference URL which provides the corrective measures to resolve a vulnerability. Note: At present, NCM supports Firmware Vulnerability only for Cisco and Juniper vendors
2. On what basis does NCM show the vulnerability severity as Critical, Important, Moderate, Low and Unrated?
the Network Configuration Management feature categorizes the severity of vulnerabilities based on the "Base score" which is calculated based on a few metrics like Exploitability Metrics(Attack, Complexity, Authentication) and Impact Metrics (Confidentiality, Integrity, Availability). Here is the split up of how the severity is categorized: Base score 9.0 - 10 - Critical Base score 7.0 - 8.9 - Important Base score 4.0 - 6.9 - Moderate Base score 0 - 3.9 - Low
3. What is a Firmware Vulnerability and how we find it?
NCM helps identify risks to network security by detecting potential vulnerabilities in the following device types: Cisco IOS Cisco Adaptive Security Appliance (ASA) Cisco Nexus Juniper NCM imports the firmware vulnerability warnings provided by National Institute of Standards and Technology (NIST), and correlates vulnerability data with nodes that it currently manages. If NCM finds a match, the Firmware Vulnerabilities resource on the Config Summary page displays information about the vulnerability and the number of affected nodes
4. How does the Network Configuration Management feature synchronize the vulnerability data in DB?
the Network Configuration Management feature fetches the data through an open network and updates the latest vulnerability data in NCM. NCM also allows users to set a time of schedule in order to sync data on a daily basis. When a schedule time is given, automatically the synchronization of vulnerability data happens at the exact time of schedule. NCM also allows you to edit/change the time of schedule as per your convenience
5. Is there a way to update vulnerability data immediately?
If you wish to update the Vulnerability data in the NCM UI immediately instead of the scheduled time, you can give the "Update Now" option. When "Update Now" is given, the latest vulnerability data will be updated in the NCM UI
6. Is there a way to search for firmware vulnerabilities corresponding to a particular vendor?
Yes, with "Advanced CVE search" you can globally search for all the vulnerabilities by searching using the vendor name, CVE id, device OS number, version or a model. For eg: If you search "Cisco IOS 7000", all the vulnerabilities present in that particular model will be listed. On further clicking it, you will be able to see all the details of the vulnerability corresponding to a particular CVE id
7. Where can I see the CVE details of a particular vulnerability and what does it contain?
Under Firmware vulnerabilities, all the vulnerabilities will be listed along with its corresponding CVE id. You can select a required CVE ID and view its details. In the CVE details page, you will be able to see: The date the CVE id was published and the last updation date of the CVE id. Summary of the CVE id which provides information about what the vulnerability is and the device version of the vulnerability. The reference URL, which provides the optimal resolution measures. A comment section which allows users to add a required statement. A select box with options to mark the status of the vulnerability
8. What does State mean in Firmware vulnerability?
Reported - The vulnerability has been reported. Confirmed - The vulnerability is confirmed but no resolution is planned. Resolution planned - Action to resolve the threat is planned but has not been taken. Resolved - The vulnerability is confirmed and the action to resolve the threat has been taken on the selected devices. Not applicable - The vulnerability does not apply to the selected devices
Syslog Blocked Host
1. What is Syslog Flood Prevention?
In an environment where the users login and logout of devices more frequently, flooding of Syslog messages tend to occur. This leads to increased CPU usage of the the Network Configuration Management feature server which in turn affects the performance of the machine. To prevent this, the Network Configuration Management feature blocks the syslog messages from that device and notifies the user about the device that has been blocked. The blocked devices are listed in Settings > Device Management > Syslog blocked hosts. Since backup automation relies on syslog messages, the Network Configuration Management feature does not detect changes automatically for the blocked devices until the devices are unblocked. You can unblock the devices at any point of time from the blocked list and before unblocking any device make sure that the problem is resolved for that particular device
2. What can be done to avoid syslog flooding?
There are two things you can do to avoid syslog flooding: Temporarily turn off syslogs for the blocked devices. Lower the syslog level to restrict the number of syslog messages
3. What is the default block time for any host that is flooding the Network Configuration Management feature with syslogs?
the Network Configuration Management feature will block any host that is flooding the system with syslogs, for two hours. Post 2 hours the host will be unblocked again, and the Network Configuration Management feature will receive the syslogs from the said host. If the number of syslogs are still high, then the host will be blocked again for two hours
4. Can I choose to turn off the syslog flood prevention?
Yes, syslog flood prevention can be turned off at any time, though it's not recommended because a huge number of incoming syslogs will increase the CPU use and will slow down the Network Configuration Management feature. Take extreme precaution before opting to turn off syslog flood prevention. To turn off flood prevention, please go to Settings > Global Settings > Client Server Settings and uncheck the checkbox next to "Enable Syslog Host Blocking" option. Save your changes to turn off the syslog flood prevention. If you wish to turn it on, check the same checkbox again and save your changes
5. What is the threshold to block a device?
A device will be blocked by NCM if it sends more than 200 messages in 2 minutes of time
6. Is threshold for blocking a device configurable?
Yes, threshold for number of messages in 2 minutes, after which the device will be blocked, can be configured by changing the system property "syslog.PER_HOST_MSG_COUNT" in "system_properties.conf" file under "/conf" folder. Please add the property in the file if not already exist
Exclude Criteria
1. What is Exclude Criteria and where it is used?
Exclude Criteria is a line or part of a line or a regex that represents a line from the configuration, and that need not to be considered for calculating differences between two configurations. For example, timestamp for a configuration will change based on the time backup was taken. There may not be any other change between two backups but just because the timestamp is changed, the Network Configuration Management feature will show you difference on that particular line. To avoid this we can create a exclude criteria and assign it to a particular device template and the Network Configuration Management feature will ignore changes on that particular line
2. Can the criteria while creating Exclude Criteria be in Regex form?
Yes, the Network Configuration Management feature supports regex as exclude criteria
3. Can we have multiple exclude criteria for a single device template?
Yes any number of exclude criteria can be created and associated to a particular device template
4. Can exclude criteria be applied to a single device and not a device template?
No, exclude criteria's can only be applied to a device template and not to a particular device or configuration
5. What is Block Exclude Criteria and how it is used?
Block Exclude Criteria is used to exclude a block of configuration from being considered while identifying differences between two configuration versions. This only works when the regular expressions provided match with the start and end of the configuration block
6. What are the uses of Additional Block Criteria?
Additional Block Criteria is used when users want to specify if there is a particular string or regular expression that the configuration blocks should or should not contain for the block to be considered
NCM Terminal feature
1. What is Terminal feature in the Network Configuration Management feature and why is it needed?
Terminal feature provides you functionality to open a terminal session with any network device and perform CLI commands directly from the Network Configuration Management feature. the terminal feature can be used to open terminal sessions with network devices that are not added in inventory, or the devices that you don't wish to add in inventory. For example, if you want to connect to a Linux machine and perform some commands, you can do so by adding the Linux machine directly under Tools > Terminal > Custom. It also allows the user to open terminal sessions for Inventoried devices with just one click
2. What are the types of protocol that can be used to make a terminal connection?
A terminal session can be started using either SSH or Telnet protocol
3. What is the Inventoried tab, and what can be done with the devices listed there?
Inventoried tab lists all the available devices from Inventory > Devices. You can open a SSH or Telnet terminal session for the devices listed under this tab with a single click. You won't be able to add/modify or remove any device from this list directly from Terminal feature
4. Can devices with SNMP credentials use terminal?
No. While adding a Custom Terminal Device, you won't have a option to provide SNMP credential, but there can be an inventoried device with SNMP credentials listed under Inventoried tab. If you try to perform any terminal action for those devices, it will fail after a particular timeout period
5. Is it possible to delete Inventoried devices from Terminal feature?
No, you can't add/modify/delete an inventoried device from Terminal feature. If you wish to delete an inventoried device, delete it from Inventory > Devices
6. What are Terminal Device Groups? How are they used?
Terminal Device Groups are similar to normal device groups in the Network Configuration Management feature, they are used to group similar custom terminal devices together. Now, we are not using the device groups for any particular action, but we have a plan to assign the groups to the users in future. So whenever a new device is added to a certain group, it will be available for all the users who have access to the said group
7. Where can I see the history of all terminal actions performed in the past?
History/Audits of all the Terminal Actions is available under Tools > Terminal > Audit History. You can filter the audit records based on device type (Inventoried, Custom or Both)
8. If I add a Custom Terminal Device, will it be visible to all the users?
While adding a Custom Device to be used in Terminal feature, you can chose the visibility of the device. the Network Configuration Management feature provides you 3 types of visibility for any particular device: Only Me: Device will be visible only to the user who has added it. Admin: Device will be visible to the user who has added it and all the admins in the system. Everyone: Device will be visible to everyone. Visibility of a device can be changed at any point of the time
Export Configuration
1. What is the file format that is being used to export device configuration and can I change it?
Currently the Network Configuration Management feature exports configuration only in text format (.txt files), and this can not be changed, but we are working on providing more export option soon
2. Can I change the default location to save the exported configurations?
Yes, you can give any preferred location to save the exported configuration files. To change the location, go to Settings > Global Settings > Export Configuration and provide the desired location under "Destination Directory" field
3. Can I select the version of configuration that needs to be exported?
If you are exporting the configuration using "Export Configuration" page under Settings > Global Settings, then the Network Configuration Management feature will export the latest versions of startup and running configuration of device. Although you can export a particular version from inventory by following the steps given below: Go to Inventory > Configs Click on the configuration that you wish to export Click on the version of configuration that you wish to export from 'Config Changes' table Click on the settings button on top right corner of the page Click on Export Config
4. Where can I check the history of previous configuration export?
History of the all the export configuration operations can be accessed from Settings > Global Settings > Export History.
5. What happens when I export the configuration multiple times on the same day?
the Network Configuration Management feature saves the exported configuration in a folder name with current date, so if you try to export configurations multiple times on same day, it will just overwrite the previously exported file and keeps the latest files in the same folder
6. Does the Network Configuration Management feature notify me once the export process is completed?
Yes, the Network Configuration Management feature notifies you once the export process is completed, you can mention the email id(s) where the notification needs to be sent under Settings > Global Settings > Export Configuration page. Select any particular frequency (Daily, Weekly or Monthly) to export the device configuration and mention the email id(s) under "Notify on completion by Email" field. Multiple mail ids can be provided in a comma separated list. You can also choose to receive notification only when the process fails by checking the 'Notify only on failure' checkbox
7. Which configuration will be exported from the selected devices?
If you are exporting the configuration using "Export Configuration" page under Settings > Global Settings, then the Network Configuration Management feature will export the latest versions of startup and running configuration of device. Although you can export a particular version from inventory by following the steps given below: Go to Inventory > Configs Click on the configuration that you wish to export Click on the version of configuration that you wish to export from 'Config Changes' table Click on the settings button on top right corner of the page Click on Export Config
Third Party Syslog Server
1. What is the use of third party syslog servers?
A Syslog Message will be sent to a default the Network Configuration Management feature Syslog Server if the configuration is changed and change detection is enabled for the device, but in some cases you may want the syslog messages on a specific server of your choice, in that case you can add the server ip addresses under Settings > Global Settings > Third Party Syslog Server. the Network Configuration Management feature won't forward the messages to these servers, messages will be directly sent by the device
2. Can I configure multiple syslog servers at a time?
Yes, multiple syslog servers can be configured to receive syslog messages
Database Administration
1. Will any of the deleted records while cleanup be archived or will they be deleted permanently?
the Network Configuration Management feature doesn't keep a backup of any records that are being removed during cleanup. Everything will be deleted permanently. Hence, it is advised to be extra caution while giving the parameter values for the no. of days for which the records need to be kept after cleanup
2. When does the Network Configuration Management feature perform the cleanup and what is the frequency?
the Network Configuration Management feature performs DB clean up once a day. The default time for the cleanup is 2 AM, but this can be changed to any time of the day from Settings > Global Settings > Database Administration, under "DB Cleanup Time" heading
3. Can I reschedule DB cleanup time?
Yes, the default time for the cleanup is 2 AM, but this can be changed to any time of the day from Settings > Global Settings > Database Administration, under "DB Cleanup Time" heading
4. Can I change the frequency of the schedule?
No, for now the Network Configuration Management feature does cleanup only once a day and this frequency cannot be altered, although you can change the time of the day at which the Network Configuration Management feature performs the cleanup
5. What happens to the device audit details once the audit history is deleted?
Since the deletion operation performed during cleanup is permanent, if any of the device audit records deleted during the DB cleanup, you will not be able to see the details for those particular audits thereafter
6. What happens to the baseline configuration version of the device when it qualifies for deletion during DB cleanup?
the Network Configuration Management feature gives more priority to the baseline configuration version than the conditions provided for cleanup, so for example, if you have chosen to keep only the last 10 configuration version and your latest version is 30 but the baseline version in 8, the Network Configuration Management feature will keep all the configuration starting from 8 to 30 instead of keeping just the versions 21 to 30
Syslocation and Description
1. What is Syslocation and description and why do we need to update these values?
"System Location" and "System Description" are two fields in the device that network admins can set to give any additional details about the device. "System Location" is generally used to provide the physical location of the device in the network and System Description can hold any additional important information that needs to be communicated to the other users. Updating these values in the Network Configuration Management feature will help the users to access them directly from device snapshot page, without running any additional command on the device
2. After updation, where can I check the Syslocation and Description value?
Syslocation and Description values can be checked in Device snapshot page, under 'System Location' and 'System Description' headings, respectively. Please go to Inventory > Devices and click on any device to access the snapshot page
3. Can Syslocation and Description values be updated for multiple devices at a time?
Yes, Syslocation and Description value of multiple devices can be updated in one go
4. Can I select multiple SNMP profiles for updating Syslocation and Description values?
Yes, any number of SNMP profiles can be selected to update Syslocation and Description. the Network Configuration Management feature will automatically select the appropriate SNMP credentials for each device
Upload Request
1. What is an upload request and when are they created?
An upload request is created whenever an operator user is trying to run a configlet, or trying to upload a configuration or draft for a particular device. All the admins will be notified about this request and any one of them can approve/reject the request. Only after the approval of the request, respective changes will be carried out to the device
2. Can I change the status of an already approved/rejected request?
No, a request, once approved or rejected can't be changed back to its original state or to any other status
3. What happens when a request is approved or rejected?
An upload request is generally created when an operator is trying to make changes to a device configuration by either uploading a configuration, a draft or for running a configlet. These changes don't have any effect until the request is approved. As soon as the request is approved, the respective changes will be made to the selected device(s)
Change Notifications
1. What is change notification?
A change notification is a notification which can be sent to a user/server whenever there is a configuration change in the startup, running or both configurations of any device(s) or device group(s). You can create a change notification under the Change Management tab in Main Menu. These notifications can be sent as an email, SNMP trap, Syslog messages or tickets. You can also choose to rollback the changes back to the previous version or to the baseline configuration version using these notifications
2. What are the different types of Change Notification Actions?
A user can select a preferable notification type, out of 5 different types of actions that can be carried out whenever there is a configuration change for the selected device(s). Multiple actions can also be carried out for a single notification.
Following are the different actions that can be selected while creating or editing a change notification:
- Email: An email can be sent to multiple recipients alerting them about the change. You can compose the subject and the email body for the mail that will be sent. For both the subject and the body you can choose to select some useful variables that will give you more information about the change. These variables are listed in front of the Subject and Message field. Some commonly used variables are
- $CONFIGTYPE (to get the configuration type that is changed.),
- $DEVICENAME (to get the device name for which the configuration is changed.),
- $CHANGEDBY (to get the user/system name who made the configuration change.) etc.
- SNMP Trap: A v2 trap will be sent to the specified host. SnmpTrapOid = .1.3.6.1.4.1.2162.100.4.1.2.1 Varbinds will include the name & ip address of the device whose configuration is changed and also the type of configuration changed. Please refer to the ADVENTNET-DEVICEEXPERT-MIB bundled with the product
- Sylog: A Syslog Message will be sent to the specified Syslog Server if the configuration is changed. Syslog Message will include the configuration type (CONFIG_TYPE), change type (CHANGE_TYPE), ip address (IP_ADDRESS) and changed by (CHANGEDBY).
- Ticket: A trouble ticket can be sent to the support team email(s) that can be specified under 'Send Trouble Ticket To' field. The configuration of the trouble tickets are similar to that of a mail notification.
- Rollback: You can also choose to rollback the changes that caused this notification. There are two options available for rollback. You can either choose to rollback to the previous version or you can rollback to the baseline version
3. Can multiple actions be carried out for a single change?
Yes, you can select any combination of actions from the given 5
Compliance Policies
1. What are Compliance policies?
With the increasing security threats to network resources, enterprises are required to follow standard practices, and execute internal/external security policies to remain compliant with the latest industry standards. Therefore, ensuring network compliance has become a priority for network administrators. But, it is a mammoth task to scrutinize and make changes in a networking environment consisting of network devices from multiple vendors. the Network Configuration Management feature helps administrators analyse network devices to achieve auditable network compliance across industry-specific compliance policies. Every time a configuration is backed up, the Network Configuration Management feature will automatically run a compliance check on those configurations. the Network Configuration Management feature also alerts and generates reports whenever a rule/policy gets violated
2. What are Compliance Rules?
Conditions or lines that should be either compulsorily present or not be present in a configuration file are called compliance rules. A typical example for a rule is checking the access list configuration or checking the community string. Decide what amounts to violation - presence or absence of a particular line or a set of lines in the configuration file. There are 3 different types of criteria that you can define to create a rule
3. What is a Remediation Template?
A remediation template is a configlet that can be defined while creating a rule, so that if a policy is violated because of the defined rule, the Network Configuration Management feature will execute the configlet automatically and fix the issue with the configuration to make it compliant with the policy
4. What is an Adhoc Test?
During any stage of compliance policy creation (rule creation, rule group creation & policy creation), you can perform checks on adhoc basis to test the validity of the rule/rule group/policy added by you. The adhoc tests depict the results then and there. After adding a rule, you can perform adhoc test for a device/device group by clicking the "Adhoc Test" button present under Compliance > Rules page. Similarly, adhoc tests can be performed for rule group from Compliance > Rule Groups page and for Policy from Compliance > Policies page
5. Can I generate a report for all the policies at once?
Yes a consolidated report for all the policies can be created at once. Go to Reports > Compliance report and click on the PDF icon provided in the top right corner of the page to generate the report. You can also select the device group for which you want to create this report
6. What is HIPAA compliance?
HIPAA stands for Health Insurance Portability and Accountability Act. HIPAA Compliance is the process by which covered entities need to protect and secure a patient's healthcare data or Protected Health Information
7. What is required for HIPAA compliance?
Privacy: patients' rights to PHI Security: physical, technical, and administrative security measures Enforcement: investigations into a breach Breach Notification: required steps if a breach occurs Omnibus: compliant business associates
8. Why is HIPAA compliance important?
Being HIPAA-compliant means that a healthcare provider has adequate measures in place to protect patient data. Compliance makes it easier for patients to trust you, and since trust is the backbone of every business entity, they are likely to choose you as their go-to healthcare provider
9. How to ensure HIPAA compliance?
Develop a cohesive privacy policy Hire a dedicated security staff Have an internal auditing process Stipulate specific email policies
Device Group
1. What is a device group?
Sometimes, you might have to group devices based on some logical criteria. For example, you may wish to create groups such as a group containing all cisco routers, or a group containing all cisco switches or group based on device's physical locations etc., This would help in carrying out certain common operations with ease
2. What operations can be performed on device groups?
Almost any operation that can be performed on a single device is also applicable on a device group. Some of the most common operations that can be performed on a device group are as follows: Setting Credentials Configuration Backup Configuration Upload Configuration change management Defining compliance rules/policies Generating a report Creating a schedule
3. Where can I check the devices associated with a device group?
List of devices associated with the device group can be checked by clicking on the device group name in 'Grid View' of device group page under Inventory > Groups. To check the list of devices in 'Widget View', click on the expand icon present on the top right corner of each widget
Reports
1. Can I receive automatically generated reports on Device Configuration in my mailbox?
Yes, the Network Configuration Management feature provides option to mail reports to email IDs. You can schedule reports to be generated at any point of time and reports will be mailed to your email ID
2. Can the Network Configuration Management feature generate email alerts?
Yes, the Network Configuration Management feature can be configured to send email alerts whenever there happens a change in configuration
3. Does the Network Configuration Management feature maintain historical data about Device Configuration?
'Yes it maintains historical data of device configuration. The historical data are available in the device properties page of each device
4. What are the different types of reports available in the Network Configuration Management feature?
the Network Configuration Management feature can generate 17 different types of reports which are classified into 4 different categories.
Following is the list of reports available in the Network Configuration Management feature with their respective categories.
- Network Reports:
- Hardware Inventory: Hardware details listing the components and their status of the devices
- Firmware Inventory: Firmware details listing the OS version and associated information of the devices
- Device Inventory: Device details listing the model number, series and type of the devices
- Network Health Status: Overview of the conflicts and compliance status of the device configurations
- Device Management Status: Overview of device management setup status like credentials, real-time change detection etc
- Device Audit: Details on 'who', 'when' and 'what' of all the operations performed on the devices
- Configuration Reports:
- Startup-Running Conflict: Details on the devices whose startup and running configurations differ
- Configuration Changes: Details on the devices that have undergone changes in configuration
- Configuration Change Trend: Details on the number and type of configuration changes, during a specific time period
- Configuration Analysis Report: Complete details about device configuration settings
- Security Audit Report: Details on the findings of security audit together with the impact and recommendations
- User Reports: User Access: Details on user access permission for all the devices
- Configuration Upload Request: Overview of the status of configuration upload requests raised by the users
- User Audit: Details of the operations performed by various users using the application
- Other Reports:
- EOL/EOS: End-of-Life and End-of-Sale details of the devices
- Compliance: Details on the violations and compliance of the associated policies of the devices. : The status of PCI Review made by the specified administrator/ operator as to whether the reviews are pending or completed, are presented in this report
5. What are the different file formats, in which a report can be exported?
A report can be exported in either PDF or CSV format. You can also choose to mail a report and it will be sent as a PDF
Security Aspects
1. How much security does the Network Configuration Management feature offer to my configuration?
the Network Configuration Management feature offers a good level of security to your configuration as all the configuration information retrieved from devices are encrypted and stored in DB. Also device credential information are also encrypted and stored in DB.
Miscellaneous
1. I have enabled syslog-based change detection for my device. But the feature does not seem to detect any configuration changes.
Configuration change messages will be generated only at certain logging levels. So check if the logging level in the device is set to one of the values listed in the "Syslog Config for Change Detection" - logging level drop-down. Also, ensure if syslog server is running and the syslog port (514) is free for Network Configuration Manager's use.
