A configuration conflict occurs when there is a difference between the startup and running configuration of your device. Network Configuration Manager will indicate a conflict by showing "Conflict Detected" status in the "Config Conflict" column of device list. You can click the status to see the difference between two configurations. This can have a huge impact if something goes wrong and you want to reset the device. The device will always start with the Startup Configuration after reset and all the changes made in running configuration will be lost. To resolve this conflict, or to sync the running and startup configuration, please follow the steps given below:

If there is any difference between the baseline configuration and the running configuration of your device, Network Configuration Manager will consider that as a baseline running conflict. This will be shown as "Conflict Detected" status in the "Baseline Conflict" column of device list. To resolve such conflict you need to label your running configuration as baseline configuration. To do that please follow the steps given below:

If a device is already discovered and added to Network Configuration Manager successfully there won't be any effect if you run the same profile again and try to discover the device again.

In case the device was not added during first discovery due to some reason, and now it satisfies all the conditions to be added then the device will be added to Network Configuration Manager successfully.

 

A device will be shown as unknown in discovery notification and won't be added to Network Configuration Manager if any of the following condition is met:

Click on Add and provide the device ip address and other required information and click next. Network Configuration Manager will find the SysObjectID for the device and you can assign it to appropriate device template.

You can get more information about adding SysObjectID and their usage here, If you are still having trouble discovering your device(s), please contact Network Configuration Manager support team.

 

 

Yes, to reschedule a profile, use the following guidelines:

To view/edit any credential profile use the following steps:

 

Yes, you can always check the details like no of devices added, deleted or the time it took to discover all the device etc. under Settings > Discovery > Discovery Reports > Select Reports from the top right corner.

 

Yes, there is no restriction on the number of credential selection, so you can select as many credentials as you like.

 

After adding the device, while applying the credentials, if you don't find the protocol that you need, listed in the apply credential slide, then it means the Device Template used to add the device, does not support that particular protocol. To resolve the issue please contact Network Configuration Manager-support team and we will create a new device template for you, which can then be used to get the desired results.

 

Additional credentials option can be used to provide following additional details:

TFTP/SCP Server Public IP: When the device is present outside the private network (i.e. when the private IP of Network Configuration Manager is not reachable for the device) this parameter can be used to provide the public IP of the Network Configuration Manager server (NAT'ed IP of Network Configuration Manager). This IP will be used in Configuration backup via TFTP / SCP. In case you have not chosen any TFTP or SCP protocol, this field can be ignored.

Telnet/SSH Port: By default Network Configuration Manager uses port number 23 for Telnet protocols and 22 for SSH protocols, if you wish to change it, you can change this field. If you choose to change this field, the change will be effective only for the selected device.

Login Prompt: The text/symbol that appears on the console to get the typed login name is referred as login prompt. For example, "Username@" here '@' is the login prompt. Another example is "Login:" here ':' is the login prompt. These prompts are pre-defined in device's settings and while applying the credential one shall provide the exact prompts for Network Configuration Manager to access the device properly.

Password Prompt: The text displayed on the console when asking for the password. For example, "Password:" has ':' as the password prompt. These prompts are pre-defined in device's settings and while applying the credential one shall provide the exact prompts for Network Configuration Manager to access the device properly.

Enable User Prompt: The text displayed on the console when asking for Enable UserName. For example, "Username@" here '@' is the login prompt. Another example is "Login:" here ':' is the login prompt. These prompts are pre-defined in device's settings and while applying the credential one shall provide the exact prompts for Network Configuration Manager to access the device properly.

Enable Password Prompt: The text displayed on the console when asking for password. For example, "Password:" has ':' as the password prompt. These prompts are pre-defined in device's settings and while applying the credential one shall provide the exact prompts for Network Configuration Manager to access the device properly.

 

Prompt is a text/symbol that appears on the console after successfully logging into a device. Please refer the image given below for more details.

 

In the image given above, after providing the correct username and password the device name is shown with '#' symbol which is the indicator that the user can now enter commands to use the device. That '#' symbol is the prompt in this case, and shall be provided while applying the credentials. These prompts are pre-defined in device's settings and while applying the credential one shall provide the exact prompts for Network Configuration Manager to access the device properly.

 

Enable Prompt is a text/symbol that appears on the console after you have successfully entered into the enable mode of device. Please refer the image given below for more details.

In the image given above, after providing the correct username and password and executing the 'enable' command, user is in enable mode and the device name is shown with '#' symbol which is the indicator that the user can now execute commands in enable mode. That '#' symbol is the enable prompt in this case, and shall be provided while applying the credentials. These prompts are pre-defined in device's settings and while applying the credential one shall provide the exact prompts for Network Configuration Manager to access the device properly.

 

Telnet-TFTP has one advantage over Telnet protocol and that is, it allows you to do file transfers. So any operations which operate with a file transfer will not work with Telnet protocol but will work on Telnet-TFTP. One such important operation is uploading a configuration to the device

 

SSH-TFTP and SSH-SCP protocols allow file transfers for various operations like uploading a configuration to the device. These operations can't be performed with SSH protocol. SSH-SCP is a more secure protocol than SSH-TFTP.

 

A credential profile is a set of credential that can be saved and then can be used later to apply credentials to a particular device or to a group of devices at a time. Following are some of the benefits of creating a credential profile:

 

If your device doesn't use any username or password for entering the enable mode, you can simply configure the "Enable Prompt" value in credentials and ignore the "Enable Username" and "Enable Password" fields.

 

If your device is configured to use only a username to enter enable mode and not the password, please provide the "Enable Username" and "Enable Prompt" while applying credential and you can provide any dummy value in the "Enable Password" field.

 

Yes, multiple values in the form of a regular expression can be provided for prompts while applying credentials. Network Configuration Manager will determine the appropriate prompt value from the ones provided in the regular expression.

Note: Multiple values can only be provided for SSH protocol. If you wish to use Telnet protocol, kindly provide the exact prompt value

 

Yes multiple protocols can be included and configured in a single credential profile. Please click here to know more on how to create a credential profile. Once the profile is configured with multiple protocols, you can use it to apply the credentials and while applying credentials, you can select the appropriate protocol for that particular device or set of devices.

 

When credentials are applied to multiple devices using a credential profile, it is easy to edit the credential profile to edit credentials for all the associated devices. But in case if you want to change credential for a single device out of that set, you will have to remove the association from the credential profile first. Please follow the steps given below to change credential for a single device associated to a credential profile along with other devices.

 

SysOID or System Object ID is an id provided to all the SNMP agents. This ID is used by Network Management systems like Network Configuration Manager to automatically detect the monitoring capabilities of the given device and some other useful information about the device.

 

Network Configuration Manager uses SysOID for mainly 2 operations as described below:

 

Discovery: To add a device in Network Configuration Manager it must be associated to one of the device templates available in Network Configuration Manager, and during discovery Network Configuration Manager use device's SysOID to determine the appropriate template for the given device.

 

EOL/EOS Information: Network Configuration Manager also determines the EOL (End of Life) and EOS (End of Sale) dates for a particular device based on its SysOID. Although this information can also be gathered using the Series and Model of the device but it may not be accurate. So please keep the SysOID mapping updated for your devices under Settings > Network Configuration Manager > Device SysOID Mapping page.

 

You can find all the manually added SysOIDs under Settings > Network Configuration Manager > SysObjectID Finder > Click on Custom on the top right corner.

 

You can't edit the default SysOIDs present in Network Configuration Manager but you can always edit or delete the SysOIDs which are added manually. To edit SysOIDs please follow the steps given below:

Yes, you can update SysOIDs group wise.

Please select the 'Select Device Group option' under Update SysOID page and select the group you want to update from the given drop down. Only public groups will be shown in the drop down, so make sure the group you are trying to update is marked public.

Alternatively you can select multiple devices from the given list of devices.  

Updation of SysOID may take several minutes depending upon the no. of devices you have selected and also the no. of SNMP profiles you have selected. So please wait for some time and if you still don't see the SysOID's updated in the mapping table, please make sure you have chosen the right SNMP profiles to update the information. Also make sure that the devices you are trying to update the information for, are SNMP enabled.

If none of the above mentioned troubleshooting methods works for you, kindly contact the Network Configuration Manager support team and we will be happy to help you. 

Please make sure the device is reachable and also the SNMP is enabled for the device.

Also make sure the credentials provided to find the SysOID are correct.

If any of the reasons mentioned above is the root cause for your issue, then you will receive an error message after the timeout exceeds.

If this information doesn't help and you are still facing the issue in finding SysOID, feel free to contact Network Configuration Manager support team, we will be happy to help you.

Device Template

• Command to disable pagination in the devices.
• Command to fetch the startup configuration. (Only if the device supports startup configuration)
• Command to fetch the running configuration.
• Command sequence to fetch the configuration using Telnet or SSH.
• Command sequence to show the configuration version information.

• Command to enter configuration mode on the device.
• Command to exit configuration mode.
• Command sequence to upload configuration using Telnet or SSH.
• Command sequence to commit a configuration change on the device. 

• Try to check multiple device templates to get a hang of all the appropriate command syntax.
• Gather all the information required for your device template. 
• Find out whether you need to use any pre-command or command variable while creating/editing the device template, if yes what are they and where to use them.
• Try to create a device template tweaking existing device templates instead of going for a completely new device template from scratch.
• Always make a backup copy of a device template before modifying it.

Device Template New

Prompt ActionID is a command mapped to a prompt, which gets automatically executed when a prompt match is found, during an operation execution.

Example: Consider a command that has prompt "[yes/no]"(this prompt might be mapped to a promptActionId) asking whether to proceed to the next command. When this prompt appears, we check if any promptActionId has been provided and if the prompt that appeared is mapped to this ActionId. In that case, the command (either yes or no) mapped to this prompt will get executed. If that prompt's value is "yes", we proceed to next command and if it is a "no" , the execution stops there. Also, if there is no definition of that prompt, the operation will wait till a response is provided.

NOTE: If a prompt Action ID is not defined for a prompt, the operation will not continue. This is why it is essential to map a prompt Action ID to a prompt, for commands that require a response/action.

Operation refers to any device configuration activity. Network Configuration Manager supports the following operations:

• Backup Startup Configuration

• Backup Running Configuration

• Upload Startup Configuration

• Upload Running Configuration

• Enable Change Detection

• Disable Change Detection

• Sync Configuration

• Get Hardware Props

Yes, you can use the same Device Template for SSH protocol. In order to make the operations available for SSH, go to Settings -> DeviceTemplate and click on the template which needs to be changed to SSH protocol. Once the protocol is changed, click on save icon. This template can now be used for both the protocols (SSH/Telnet).

Backup Response is an action which triggers a backup from a particular configuration command, if enabled. The response of the command whose backup response is true is read and downloaded from the device. (For the command from which you want a back up to be triggered, enable the radio button for BackupResponse).

BackupResponse is available only in SSH/Telnet Protocol for Backup Operation because, in file-transfer protocols such as TFTP, and SCP, the configuration file will be automatically downloaded from the device in a file format. Since SSH/Telnet are not file transfer protocols, we can only read the response of the command. Hence, Backup Response must be given in order to trigger a backup of a configuration file.

Inventory & Change Detection

One of the ways to detect configuration changes in a device is by monitoring syslog messages. Many devices generate syslog messages whenever their configuration undergoes a change. By listening to these messages, it is possible to detect any configuration change in the device. This comes in handy for administrators to keep track of the changes being made and to detect any unauthorized changes.

Network Configuration Manager leverages this change notification feature of devices to provide real-time change detection and tracking. A syslog server comes in-built with Network Configuration Manager. It occupies port 514.

Besides the real-time change detection, configuration changes could also be tracked through scheduled, periodic backup of device configuration. For more details refer to the section "Configuration Change Detection" in help documentation.

Real time change detection is a feature provided by Network Configuration Manager which allows you to monitor every single change made to a device's configuration and trigger an automatic backup and can notify you about any unauthorized change.

• How does it work?

Many devices generate syslog messages whenever their configuration undergoes a change. By listening to these messages, it is possible to detect any configuration change in the device. Network Configuration Manager leverages this change notification feature of devices to provide real-time change detection and tracking

• How does it benefit me?

This comes in handy for administrators to keep track of the changes being made and to detect any unauthorized changes. By enabling this, you can:

a. Capture configuration as and when changes happen

b. Get real-time notifications on change detection

c. Find information on who carried out the change and from where (the IP address)

d. Detect unauthorized changes on real-time

If you have configured the device for real time change detection, but you are not receiving the expected notifications and the backups are not working, please check following things once:

• Configured syslog server is up and running.
• Syslog services are running. You can check this and start the service if not running by going to Settings > Basic Settings > Server Settings.
• Check if the proper port is configured for the server.
• Check if the device is forwarding syslogs or not. You can use the ManageEngine's Syslog forwarder tool to detect this. It's free to use.

If all the above mentioned troubleshooting steps returns positive results and if change detection is still not working, please contact Network Configuration Manager support team, we will be more than happy to help you out

This message appears for one of the two reasons:

• The device is configured with SNMP credentials: If you have added the device using Network Configuration Manager discovery, then the device will be configured with SNMP credentials or if you have manually applied SNMP credentials to the device then the change detection can't be enabled for the said device. Network Configuration Manager can't detect syslog messages with SNMP credentials. Please change the credential protocol to either SSH or Telnet. If it still doesn't work, please contact the Network Configuration Manager support team .
• Configured device template doesn't support real time change detection: If the selected device template which was used to add the device to Network Configuration Manager does not support real time change detection, you will be shown this message. Please contact Network Configuration Manager support team to help you with the issue.

Each device has a pre-configured list of log levels or log types. These log levels are used to determine the severity of the change for which the syslog message is generated. Following are some example of syslog levels:

• Informational: These types of logs can be generated by the device to provide some basic information.
• Notice/Notification: These types of logs can be generated to provide a notification to the user.
• Warning/Alert: These are the most severe types of log and are generated to notify that something unusual has occurred with the device for example an unauthorized change.

Based on your need, you can set a level of logging while enabling real time change detection. This setting can be changed later using the same option. Once the logging level is set, Network Configuration Manager will notify you and will trigger a backup for all the logs that have the same or higher level as the one you have chosen.

Note: The above given list of log levels is just for example, and the actual type of log levels may differ for your device.

Yes you can enable/disable real time change detection for any number of devices simultaneously. Please click here to know how to enable/disable change detection.

Change Detection Status will be marked as enabled when the current configuration has the line matching the pattern provided under Config Automation -> Device Template -> Enable Change Detection Status. If you are not able to find the matching pattern by default, then we can add a new one. Please click here to know the steps to add new regex pattern.

Yes, more than one regex pattern can be configured for the same device type. However, all the regexes should have their current configuration matching to show the Change Detection Status as "enabled".

Label Configurations

Labelled configurations are normal device configurations but with a name (label) assigned to them. This helps us in distinguishing a configuration from all the other configurations for a particular device and allows us to find the necessary configuration easily. Any configuration that seems important, or may be needed in future, or if you want to save it as a fall back option if something goes wrong, can be associated with a label.

You can label a configuration to distinguish it from all the other configurations for a particular device. For example, you can label a very stable configuration as 'Stable' before making a critical change in the configuration. So if anything goes wrong, you can easily find your labelled device and revert to it. Since there are lot of configuration backups for a particular device, labeling a configuration helps you to easily identify a particular configuration among the hundreds of configurations for a specific device.

Scheduling

The following type of tasks can be scheduled using Network Configuration Manager:

• Configuration Backup
• Report Generation
• Compliance Check
• Configlets
• Sync Configuration
• Configuration Review

Yes, a schedule can be disable temporarily without removing it permanently. To do so, go to Settings > Schedule > All Schedules. Click on the Enable/Disable toggle button under Status column for the schedule which you want to Enable or Disable.

Yes, a schedule can be executed on demand before its scheduled time. To execute a Schedule on demand, go to Schedules page from Settings > Schedule > All Schedules. Click the "Execute Now" option from the Action column for the schedule you want to execute.

Yes, schedule execution history can be accessed from Settings > Schedule > Schedule Audit.

Yes, you can schedule a task for as many devices as you wish at a time. You can also select a device group for scheduling a task while creating the schedule. Click here to know more about how to create a schedule.

If any of the email addressees mentioned while creating the schedule are not receiving the notifications, then check the mail server settings under Settings > Basic Settings > Mail Server Settings. You can also send a test mail to ensure that the mail server is configured properly. If the mail server settings are working fine and if you are receiving the test mail without any issue, but you are still not getting the schedule notification, then please contact Network Configuration Manager Support team for further help.

Configlets

A configlet is a configuration script that is transformed to a CLI configuration string before being applied to a device. The dynamic elements (strings) in configlets are defined using variables. These variables act as an input to the process of transformation to construct the CLI configuration string. These variables can contain anything: the interface name, device name, description text, or any similar dynamic values. The values of these variables are either defined by the user or system, or determined by the context at the time of execution. The Configlets help in automating repetitive and time-consuming configuration tasks. All you need to do is to create a small Configlet containing the required commands and then execute the Configlet for carrying out repetitive tasks for many devices, multiple times. The Configlets can also be scheduled for execution at a certain point of time in future. This helps in executing the tasks without the intervention of the administrators. The Configlets enable the network administrator to apply the changes to multiple devices at one go. Also, the Configlets provide the benefit of carrying out exact changes with precision.

Yes a configlet can be imported/exported from and to a file. Go to Settings > Configlets page Click on "Import" to import a configlet. Provide a XML file containing configlet details, and click on Import. To export a configlet, select the configlet from the list and click on "Export".

Yes a configlet execution can be scheduled. To schedule a "configlet execution" please click on the Schedule icon  in the last column of Configlet list under Settings > Configlets. This will open up a slide to add the schedule. Provide the necessary details for the schedule and click on save to save the Scheduled task. Results of every schedule execution can be seen under the "Execution History" tab.

You can add a particular configlet or a group of configlets to the Action menu of device snapshot using this option. Once you select a configlet or multiple configlets, click on 'Add to Snapshot'. This will open a slide where you can choose the device template which you want to associate the configlet(s) with. Once associated, configlet option can be seen in the Action Menu of Device Snapshot page under "Configlet Actions" section. This is useful if you execute the said configlet(s) very often for a particular device or device type.

Configlet Execution History can be checked under Settings > Configlets > Execution History tab. A report can be exported as PDF for each record in history. Click the PDF icon provided in the last column of the record to export the report.

SNMP can be enabled on Cisco switch by using automation templates called as configlets. You can select script execution mode and enter device-specific commands and execute it. This will instantly enable SNMP on Cisco switch.

There are certain device-specific commands that need to be executed to configure SNMP on Cisco switch. You can find the step-by-step procedure in this page.

Yes, SNMP can be enabled or disabled using Configlets. Refer to your device specific command to enable SNMP and use the same command to create the configlet using Script Execution Mode.

Yes, the basic idea behind configlets is to allow users to perform various bulk operations on multiple devices at the same time. Following are few practical applications of the same:

• Changing Passwords
• Getting 'show version' output of all devices
• Updating NTP server entries on your devices
• Synchronizing Running & Startup Configurations 

Configlets offered by Network Configuration Manager are of two types:

TFTP Mode - for uploading a partial configuration change to a device/devices through TFTP.

Script Execution Mode - commands are executed on the CLI console one after another. Script execution is divided further into two types as below -

• Simple Script Execution
• Advanced Script Execution

The following table provides information about the each type of configlet and when to use them:

 

TFTP Mode	Simple Script Mode	Advanced Script Mode
TFTP mode is for uploading a partial configuration change to a device/devices through TFTP.	To execute a single command on the CLI console.	To execute a series of inter-connected commands on a device in command line. After the execution of one command, some input has to be provided before the next command is invoked. In such a situation, advanced scripting would be useful.
example Enabling TELNET service Changing SNMP Community Forwarding Syslog messages Changing the interface	Example: Synchronizing Running & Startup Configurations. Through a single line in the script containing the command copy running-config startup-config, you can synchronize the startup and running configurations of any number of devices. Other Examples: Changing Passwords Updating NTP Server Entries Getting 'show version' output	Example: Backing up your current IOS image to a TFTP server. To do this, the following sequence would be used: Command to be used copy flash tftp - the location of your current IOS image TFTP server's IP has to be specified The file where it has to be copied has to be specified
In all the above case, TFTP mode of configuration upload could be used. In general, for carrying out changes to existing configuration, this mode could be used.		The above sequence of command execution could be transformed into an advanced script as below: copy flash:/$SOURCE_FILE_NAME tftp $TFTP_SERVER_IP $DESTINATION_FILE_NAME
For other cases like executing a command on device, Script execution mode has to be used.		Uploading OS images / firmware upgrade Configuring banner message Resetting passwords of HP ProCurve and Exteme Summit devices Deleting files from flash

At any step of configlet execution, if the command prompt changes then this change must be explicitly handled while creating the configlet. You can add an attribute called "Prompt" for the command which will use a different prompt value, and mention the prompt as the value to the attribute.

 Example: copy startup-config tftp (Here, the prompt ? is placed within single quotes and following a closing square bracket. Everytime "<command prompt=']?'>copy startup-config tftp</command>" command runs, it will run with the prompt value '?')

 Note: "Prompt" attribute is supported only in Advanced Script Mode.

While creating the configlet, in the text field 'Configlet Content', enter the configuration commands that are to be uploaded to the device. While entering the configuration command, use $ to create a Variable. For instance: snmp-server community $COMMUNITY RO. Here, "COMMUNITY" will act as a variable for the command. If a variable has been created/defined in the configlet. You have two options here to enter the desired value for the respective configlet variables.

Same value for all devices: If you want to specify the same value for a particular configlet variable for all devices, choose this option and enter the value. For example, for '$COMMUNITY', you can provide 'public' as the value. After entering the values(s), you can preview the actual configuration with full configuration commands and value for community variable(s).

A different value for each device: In case, you want to specify a different value for different devices, provide your input in the form of a text file. This option will be highly useful in cases such as providing passwords. You assign a unique password to each device in a single click through this option. Ensure that the entries in the text file are in the following format:

• Column headers should be the same as that of the Configlet Parameters defined in the configlet with the entries separated by a comma.
• "RESOURCE" column is mandatory and it should be the first column in the file to identify the devices on which the script needs to be executed.
• The value for RESOURCE should be either host name / ip address. One line can hold the entries for one device.
• Format: RESOURCE,,
• Examples: RESOURCE,PASSWORD 192.168.1.1,password-0 de-host,password-1

Flow Export Configlets are used to export the flow from the device to a particular server. You can create a flow export configlet and assign it to a particular device template.

How to create and assign a flow export configlet:

• Go to Settings>Configlet>All Configlets from Main Menu.
• Click on Add.
• Enter all the necessary details for the configlet.
• Save the configlet using the Save button.
• Go to Settings > Device Management > Device Template
• Click on the Device Template to which you want to assign the newly created configlet
• Go to "Flow Export Configlet" tab.
• Click on "Add Flow Configlet"
• Choose the newly created configlet and move it to the right hand side of the select box.
• Click on save

How to use the assigned Flow Export Configlet:

• Go to Inventory > Devices
• Select the device for which you want to export the flow
• Click on the 3 horizontal dots at the top right corner to get device option list.
• Click on Export Flow
• If the credentials are not assigned to the device, you will have to provide the device credential, if the credentials are already present, then this step will be skipped automatically.
• Select the interfaces in next step. Interfaces will be listed only after successful configuration backup for the device. You can skip interface selection if you do not want to configure interfaces.
• Select the newly created 'Export Flow Configlet' in next step.
• Check all the ip addresses and interface values are populated successfully in the configlet
• Click on Apply.

Yes, $Variable can be used in Script Execution and Advanced Script Execution Mode Configlets. These variables are used to define dynamic data to be used for Configlet execution.

We use ‘$’ to define variables in Configlets. To use '$' without variable definition, you must escape ‘$’ using this format "#[[$]]#".

Configlet Group

Configlet group consists of grouped Configlets with similar functionality or based on usage for easier accessibility.

Only default Configlets can be accessed by the operator and other low privileged users, making it difficult in managing Configlets among users and causing duplicate Configlets. With Configlet group, you can overcome this limitation. Admins can now assign the Configlet group created to other users so that it can be used by them too.

No, we cannot delete the Configlet group associated with another Configlet group.

Yes, we can delete the Configlet group assigned to users.

Only an administrator with full access can edit or delete the Configlet group created by other users. Kindly check your access privilege if you are unable to perform any edit operation.

Go to Reports -> Vulnerability & User Reports -> User Audit. You can find the user details on any operation performed on Configlet group.

REST Configlets

A REST API is an application programming interface (API or web API) that conforms to the constraints of REST architectural style and allows interaction with RESTful web services. When it comes to configurations, most of the device vendors provide REST API support on different levels for reading and writing the device configuration in parts or as a whole during the backup process.

Network Configuration Manager uses the REST APIs to allow users to have a simplified UI experience. The users can focus on a particular part of the configuration without worrying about the command syntax and configuration hierarchy. On top of that, the REST API's GUI has been designed to resemble the device GUI for users' better understanding.

In NCM, REST API based configuration management works with REST Configlets.

Rest configlets are configuration objects such as address, policy, security rules etc. You can access Rest Configlets by going to Config Automation > Configlets > Rest Configlets (In case of OPM or NFA, this option is available under Settings > NCM > Configlets > REST Configlets).

Each configlet comes with a different set of operations such as Add, Edit, View, Delete, Rename, View All, Clone, Execute etc.

Operation	Description
Add	Adds a new object to the device configuration.
Edit	Provides a list of objects available in the device. Users can then select a particular object. The details about the selected object will be fetched from the device and will be shown to the users. Users can update any particular detail/parameter for that object and then execute the configlet to save the changes in device.
View	Provides a list of objects available in the device. Users can then select a particular object. The details about the selected object will be fetched from the device and shown to the user in read only mode.
View All	Shows all the available objects in the device in a grid along with their details
Delete	Provides a list of objects available in the device. Users can select a particular object and execute the configlet to delete the object.
Rename	Users can select a particular object and provide a new name to rename the object in the device.
Clone	Users can select a particular object and provide a new name to clone the object in the device with the name provided along with its properties
Execute	Most of the non-firewall devices have objects that can only be viewed and executed as CLI commands. For such devices and configuration objects, there will be only one operation available, which is "Execute". It will execute the command in the device with the provided parameters.

• While backing up whole configurations, REST APIs are much faster than a normal CLI backup. In fact all REST API operations are faster than CLI operations in general.
• One does not have to memorize command syntaxes while updating a particular part of a configuration.
• One does not have to worry about the hierarchy of objects in a configuration.
• The important objects in a configuration can be viewed in a grid format in NCM.
• NCM's REST Configlet feature provides a GUI that is similar to the device's GUI (Eg: Firewall GUI) and this makes it easy to update a part of the configuration directly from NCM.

If REST credentials are provided to a device, NCM will take backup and will upload configuration to the device using REST API's. Additionally user can execute REST Configlets to modify or view a part of configuration. Please click here to know more about REST Configlets and here to know about how to use them.

Yes, you can use both REST and CLI credentials to manage a device. In fact NCM recommends a user to use a combination of CLI and REST credentials to make the most out of the tool. Please click here to see how to apply REST credentials to a device.

Similar to CLI Device Templates, REST Device Templates are a set of instructions that helps NCM in performing the REST API operations on the device. It contains details about the operations that can be performed on a device, the list of parameters for each operation and also the REST Credential parameters that help NCM to connect with device using REST API.

One cannot associate a REST Device Template directly with a particular device, instead REST Device Templates are associated with CLI Device Templates and when a device is added with the CLI Device Templates, the respective REST template automatically gets associated with the device.

As of now, we have automatically mapped few CLI device templates with appropriate REST device Templates and this list cannot be modified. In the future, we may provide an option to create and edit REST device Templates, as well as to add and edit REST Configlets.

Please reach out to NCM support at ncm-support@manageengine.com with Device and Vendor information. We are continuously adding REST API support for more and more vendors and will be happy to prioritize your device once requested.

Base OS Version is the firmware version of the device from which the REST device template for that particular vendor is derived. Which means, if any API added, removed or modified before that version, it may not work in NCM.

Base OS Version is the firmware version of the device from which the REST device template for that particular vendor is derived. Which means, if any API added, removed or modified before that version, it may not work in NCM. We do not recommend to use REST API operations in NCM if the device's firmware version is older than the Base OS version.

Object Explorer is a list of object types (Address, Policy, Schedule etc) from device configuration that can be manipulated using REST API's. Once any of the object types is selected from the Object Explorer list, a new slide will open with the list of objects of the selected type. Here you can select any of the objects from the grid and click on "Hamburger icon" on top right of the grid to see the list of operations that can be performed on the selected object. Add and delete operations are available on top of the grid (These operations will be available only if Add and/or delete operations are supported). Once an operation is selected, a new slide will open to execute the operation. Provide required parameters in the newly opened slide and click on execute. (This option will be available only if the operation is not read-only). Please note that not all the objects that support REST API are listed under Object Explorer. We have listed only the operations that are deemed most important in device configurations. To check the complete list of object types that supports REST API for a particular vendor please go to Config Automation > Configlets > REST Configlets (In case of OPM or NFA, this option is available under Settings > NCM > Configlets > REST Configlets)

Firmware Vulnerability

In order to see the severity status of all the vulnerabilities in your devices, you can click on the "Firmware Vulnerability" tab. On the top left corner, under "Firmware Vulnerabilities" you will see all the vulnerabilities in your network along with its severity. 

Based on the severity, NCM groups vulnerabilities as Critical, Important, Moderate, Low and Unrated. By clicking on the severity, you can see all the vulnerabilities and the number of devices in your network environment which has those vulnerabilities. On top of that, NCM also provides a reference URL which provides the corrective measures to resolve a vulnerability.

Note: At present, NCM supports Firmware Vulnerability only for Cisco and Juniper vendors.

Network Configuration Manager categorizes the severity of vulnerabilities based on the "Base score" which is calculated based on a few metrics like Exploitability Metrics(Attack, Complexity, Authentication) and Impact Metrics (Confidentiality, Integrity, Availability). Here is the split up of how the severity is categorized:

• Base score 9.0 - 10 - Critical
• Base score 7.0 - 8.9 - Important
• Base score 4.0 - 6.9 - Moderate
• Base score 0 - 3.9 - Low

NCM helps identify risks to network security by detecting potential vulnerabilities in the following device types:

• Cisco IOS
• Cisco Adaptive Security Appliance (ASA)
• Cisco Nexus
• Juniper

NCM imports the firmware vulnerability warnings provided by National Institute of Standards and Technology (NIST), and correlates vulnerability data with nodes that it currently manages. If NCM finds a match, the Firmware Vulnerabilities resource on the Config Summary page displays information about the vulnerability and the number of affected nodes.

Network Configuration Manager fetches the data through an open network and updates the latest vulnerability data in NCM. NCM also allows users to set a time of schedule in order to sync data on a daily basis. When a schedule time is given, automatically the synchronization of vulnerability data happens at the exact time of schedule. NCM also allows you to edit/change the time of schedule as per your convenience. 

If you wish to update the Vulnerability data in the NCM UI immediately instead of the scheduled time, you can give the "Update Now" option. When "Update Now" is given, the latest vulnerability data will be updated in the NCM UI.

Yes, with "Advanced CVE search" you can globally search for all the vulnerabilities by searching using the vendor name, CVE id, device OS number, version or a model. For eg: If you search "Cisco IOS 7000", all the vulnerabilities present in that particular model will be listed. On further clicking it, you will be able to see all the details of the vulnerability corresponding to a particular CVE id.

Under Firmware vulnerabilities, all the vulnerabilities will be listed along with its corresponding CVE id. You can select a required CVE ID and view its details. In the CVE details page, you will be able to see:

• The date the CVE id was published and the last updation date of the CVE id.
• Summary of the CVE id which provides information about what the vulnerability is and the device version of the vulnerability.
• The reference URL, which provides the optimal resolution measures.
• A comment section which allows users to add a required statement.
• A select box with options to mark the status of the vulnerability.

• Reported - The vulnerability has been reported.
• Confirmed - The vulnerability is confirmed but no resolution is planned.
• Resolution planned - Action to resolve the threat is planned but has not been taken.
• Resolved - The vulnerability is confirmed and the action to resolve the threat has been taken on the selected devices.
• Not applicable - The vulnerability does not apply to the selected devices.

Syslog Blocked Host

In an environment where the users login and logout of devices more frequently, flooding of Syslog messages tend to occur. This leads to increased CPU usage of the Network Configuration Manager server which in turn affects the performance of the machine. To prevent this, Network Configuration Manager blocks the syslog messages from that device and notifies the user about the device that has been blocked. The blocked devices are listed in Settings > Device Management > Syslog blocked hosts. Since backup automation relies on syslog messages, Network Configuration Manager does not detect changes automatically for the blocked devices until the devices are unblocked. You can unblock the devices at any point of time from the blocked list and before unblocking any device make sure that the problem is resolved for that particular device. Please click here to know more about how to unblock a device.

There are two things you can do to avoid syslog flooding:

• Temporarily turn off syslogs for the blocked devices.
• Lower the syslog level to restrict the number of syslog messages.

Network Configuration Manager will block any host that is flooding the system with syslogs, for two hours. Post 2 hours the host will be unblocked again, and Network Configuration Manager will receive the syslogs from the said host. If the number of syslogs are still high, then the host will be blocked again for two hours.

Yes, syslog flood prevention can be turned off at any time, though it's not recommended because a huge number of incoming syslogs will increase the CPU use and will slow down Network Configuration Manager. Take extreme precaution before opting to turn off syslog flood prevention. To turn off flood prevention, please go to Settings > Global Settings > Client Server Settings and uncheck the checkbox next to "Enable Syslog Host Blocking" option. Save your changes to turn off the syslog flood prevention. If you wish to turn it on, check the same checkbox again and save your changes.

A device will be blocked by NCM if it sends more than 200 messages in 2 minutes of time.

Yes, threshold for number of messages in 2 minutes, after which the device will be blocked, can be configured by changing the system property "syslog.PER_HOST_MSG_COUNT" in "system_properties.conf" file under "/conf" folder. Please add the property in the file if not already exist.

Exclude Criteria

Exclude Criteria is a line or part of a line or a regex that represents a line from the configuration, and that need not to be considered for calculating differences between two configurations. For example, timestamp for a configuration will change based on the time backup was taken. There may not be any other change between two backups but just because the timestamp is changed, Network Configuration Manager will show you difference on that particular line. To avoid this we can create a exclude criteria and assign it to a particular device template and Network Configuration Manager will ignore changes on that particular line.

Yes, Network Configuration Manager supports regex as exclude criteria.

Yes any number of exclude criteria can be created and associated to a particular device template.

No, exclude criteria's can only be applied to a device template and not to a particular device or configuration.

Block Exclude Criteria is used to exclude a block of configuration from being considered while identifying differences between two configuration versions. This only works when the regular expressions provided match with the start and end of the configuration block.

Additional Block Criteria is used when users want to specify if there is a particular string or regular expression that the configuration blocks should or should not contain for the block to be considered.

NCM Terminal Tool

Terminal tool provides you functionality to open a terminal session with any network device and perform CLI commands directly from Network Configuration Manager. Why is it needed? We already have terminal options in device snapshot for each device, then why do we need a separate tool for the same thing? Well, the terminal tool can be used to open terminal sessions with network devices that are not added in inventory, or the devices that you don't wish to add in inventory. For example, if you want to connect to a Linux machine and perform some commands, you can do so by adding the Linux machine directly under Tools > Terminal > Custom. It also allows the user to open terminal sessions for Inventoried devices with just one click.

A terminal session can be started using either SSH or Telnet protocol.

Inventoried tab lists all the available devices from Inventory > Devices. You can open a SSH or Telnet terminal session for the devices listed under this tab with a single click. You won't be able to add/modify or remove any device from this list directly from Terminal Tool.

No. While adding a Custom Terminal Device, you won't have a option to provide SNMP credential, but there can be an inventoried device with SNMP credentials listed under Inventoried tab. If you try to perform any terminal action for those devices, it will fail after a particular timeout period.

No, you can't add/modify/delete an inventoried device from Terminal Tool. If you wish to delete an inventoried device, delete it from Inventory > Devices.

Terminal Device Groups are similar to normal device groups in Network Configuration Manager, they are used to group similar custom terminal devices together. Now, we are not using the device groups for any particular action, but we have a plan to assign the groups to the users in future. So whenever a new device is added to a certain group, it will be available for all the users who have access to the said group.

History/Audits of all the Terminal Actions is available under Tools > Terminal > Audit History. You can filter the audit records based on device type (Inventoried, Custom or Both).

While adding a Custom Device to be used in Terminal Tool, you can chose the visibility of the device. Network Configuration Manager provides you 3 types of visibility for any particular device:

• Only Me: Device will be visible only to the user who has added it.
• Admin: Device will be visible to the user who has added it and all the admins in the system.
• Everyone: Device will be visible to everyone.

Visibility of a device can be changed at any point of the time.

Export Configuration

Currently Network Configuration Manager exports configuration only in text format (.txt files), and this can not be changed, but we are working on providing more export option soon.

Yes, you can give any preferred location to save the exported configuration files. To change the location, go to Settings > Global Settings > Export Configuration and provide the desired location under "Destination Directory" field.

If you are exporting the configuration using "Export Configuration" page under Settings > Global Settings, then Network Configuration Manager will export the latest versions of startup and running configuration of device. Although you can export a particular version from inventory by following the steps given below:

• Go to Inventory > Configs
• Click on the configuration that you wish to export
• Click on the version of configuration that you wish to export from 'Config Changes' table
• Click on the settings button on top right corner of the page
• Click on Export Config

History of the all the export configuration operations can be accessed from Settings > Global Settings > Export History.

Network Configuration Manager saves the exported configuration in a folder name with current date, so if you try to export configurations multiple times on same day, Network Configuration Manager will just overwrite the previously exported file and keeps the latest files in the same folder.

Yes, Network Configuration Manager notifies you once the export process is completed, you can mention the email id(s) where the notification needs to be sent under Settings > Global Settings > Export Configuration page. Select any particular frequency (Daily, Weekly or Monthly) to export the device configuration and mention the email id(s) under "Notify on completion by Email" field. Multiple mail ids can be provided in a comma separated list. You can also choose to receive notification only when the process fails by checking the 'Notify only on failure' checkbox.

If you are exporting the configuration using "Export Configuration" page under Settings > Global Settings, then Network Configuration Manager will export the latest versions of startup and running configuration of device. Although you can export a particular version from inventory by following the steps given below:

• Go to Inventory > Configs
• Click on the configuration that you wish to export
• Click on the version of configuration that you wish to export from 'Config Changes' table
• Click on the settings button on top right corner of the page
• Click on Export Config

Third Party Syslog Server

A Syslog Message will be sent to a default Network Configuration Manager Syslog Server if the configuration is changed and change detection is enabled for the device, but in some cases you may want the syslog messages on a specific server of your choice, in that case you can add the server ip addresses under Settings > Global Settings > Third Party Syslog Server. Network Configuration Manager won't forward the messages to these servers, messages will be directly sent by the device.

Yes, multiple syslog servers can be configured to receive syslog messages. Please click here to know about how to configure external servers for syslog messages.

Database Administration

Network Configuration Manager doesn't keep a backup of any records that are being removed during cleanup. Everything will be deleted permanently. Hence, it is advised to be extra caution while giving the parameter values for the no. of days for which the records need to be kept after cleanup.

Network Configuration Manager performs DB clean up once a day. The default time for the cleanup is 2 AM, but this can be changed to any time of the day from Settings > Global Settings > Database Administration, under "DB Cleanup Time" heading.

Yes, the default time for the cleanup is 2 AM, but this can be changed to any time of the day from Settings > Global Settings > Database Administration, under "DB Cleanup Time" heading.

No, for now Network Configuration Manager does cleanup only once a day and this frequency cannot be altered, although you can change the time of the day at which Network Configuration Manager performs the cleanup.

Since the deletion operation performed during cleanup is permanent, if any of the device audit records deleted during the DB cleanup, you will not be able to see the details for those particular audits thereafter.

Network Configuration Manager gives more priority to the baseline configuration version than the conditions provided for cleanup, so for example, if you have chosen to keep only the last 10 configuration version and your latest version is 30 but the baseline version in 8, Network Configuration Manager will keep all the configuration starting from 8 to 30 instead of keeping just the versions 21 to 30.

Password Management

Password Manager Pro or PMP is a password vault developed by Manage Engine which allows you to save all your device credentials in one place and once it is integrated with Network Configuration Manager, you can sync the credential changes for all the devices with a single click. Click here to know more about how it works and how to configure it.

Yes, the passwords can be changed manually even after synchronizing it with PMP but if you wish to change the password for a particular device manually, remove the association of that device with PMP first, if not, PMP will change the password back to the original one whenever you choose to sync it next time.

Network Configuration Manager does not support automatic syncing yet but we are in process of developing the feature to schedule the sync process. The option will soon be available under Schedule page in Network Configuration Manager. For now users have to intervene, to sync the passwords with PMP. Please click here to know more about how to sync the passwords with PMP.

System Details

In the device, there are three fields that network admins can configure to provide extra information about the device. These fields are known as "System Location," "System Description," and "System Contact." The "System Location" field is typically utilized to indicate the physical placement of the device within the network. The "System Description" field can contain any additional important details that need to be conveyed to other users. Lastly, the "System Contact" field holds information about the designated contact person for the device. By updating these values in the Network Configuration Manager, users can conveniently access them directly from the device snapshot page, eliminating the need for executing any extra commands on the device.

To review the System Details, navigate to the device snapshot page and locate the corresponding headings: 'System Location,' 'System Description,' and 'System Contact.' Under each of these headings, you can find the relevant information pertaining to the system.

To access a device's snapshot page, go to Inventory > Devices and click on any device.

Yes, System Details of multiple devices can be updated in one go. Please click here to know how to update System Details.

Yes, When updating the System Details, you have the flexibility to select multiple SNMP profiles. Network Configuration Manager will intelligently choose the suitable SNMP credentials for each device automatically.

Upload Request

What is an upload request and when are they created?

An upload request is created whenever an operator user is trying to run a configlet, or trying to upload a configuration or draft for a particular device. All the admins will be notified about this request and any one of them can approve/reject the request. Only after the approval of the request, respective changes will be carried out to the device.

Can I change the status of an already approved/rejected request?

No, a request, once approved or rejected can't be changed back to its original state or to any other status.

What happens when a request is approved or rejected?

An upload request is generally created when an operator is trying to make changes to a device configuration by either uploading a configuration, a draft or for running a configlet. These changes don't have any effect until the request is approved. As soon as the request is approved, the respective changes will be made to the selected device(s).

Change Notifications

What is change notification?

A change notification is a notification which can be sent to a user/server whenever there is a configuration change in the startup, running or both configurations of any device(s) or device group(s). You can create a change notification under the Change Management tab in Main Menu. Click here to know more about how to create a change notification. These notifications can be sent as an email, SNMP trap, Syslog messages or tickets. You can also choose to rollback the changes back to the previous version or to the baseline configuration version using these notifications. Please click here to know more about the different types of notifications and how to configure them.

What are the different types of Change Notification Actions?

A user can select a preferable notification type, out of 5 different types of actions that can be carried out whenever there is a configuration change for the selected device(s). Multiple actions can also be carried out for a single notification. Following are the different actions that can be selected while creating or editing a change notification:

• Email: An email can be sent to multiple recipients alerting them about the change. You can compose the subject and the email body for the mail that will be sent. For both the  subject and the body you can choose to select some useful variables that will give you more information about the change. These variables are listed in front of the Subject and Message field. Some commonly used variables are $CONFIGTYPE (to get the configuration type that is changed.), $DEVICENAME (to get the device name for which the configuration is changed.), $CHANGEDBY (to get the user/system name who made the configuration change.) etc.
• SNMP Trap: A v2 trap will be sent to the specified host. SnmpTrapOid = .1.3.6.1.4.1.2162.100.4.1.2.1 Varbinds will include the name & ip address of the device whose configuration is changed and also the type of configuration changed. Please refer to the ADVENTNET-DEVICEEXPERT-MIB bundled with the product
• Sylog: A Syslog Message will be sent to the specified Syslog Server if the configuration is changed. Syslog Message will include the configuration type (CONFIG_TYPE), change type (CHANGE_TYPE), ip address (IP_ADDRESS) and changed by (CHANGEDBY).
• Ticket: A trouble ticket can be sent to the support team email(s) that can be specified under 'Send Trouble Ticket To' field. The configuration of the trouble tickets are similar to that of a mail notification.
• Rollback: You can also choose to rollback the changes that caused this notification. There are two options available for rollback. You can either choose to rollback to the previous version or you can rollback to the baseline version.

 Can multiple actions be carried out for a single change?

Yes, you can select any combination of actions from the given 5. Please click here to know more about these actions.

Compliance Policies

What are Compliance policies?

With the increasing security threats to network resources, enterprises are required to follow standard practices, and execute internal/external security policies to remain compliant with the latest industry standards. Therefore, ensuring network compliance has become a priority for network administrators. But, it is a mammoth task to scrutinize and make changes in a networking environment consisting of network devices from multiple vendors. Network Configuration Manager helps administrators analyse network devices to achieve auditable network compliance across industry-specific compliance policies. Every time a configuration is backed up, Network Configuration Manager will automatically run a compliance check on those configurations. Network Configuration Manager also alerts and generates reports whenever a rule/policy gets violated.

What are Compliance Rules?

Conditions or lines that should be either compulsorily present or not be present in a configuration file are called compliance rules. A typical example for a rule is checking the access list configuration or checking the community string. Decide what amounts to violation - presence or absence of a particular line or a set of lines in the configuration file. There are 3 different types of criteria that you can define to create a rule. To know more about these criteria, please click here.

What is a Remediation Template?

A remediation template is a configlet that can be defined while creating a rule, so that if a policy is violated because of the defined rule, Network Configuration Manager will execute the configlet automatically and fix the issue with the configuration to make it compliant with the policy. Please click here to know more about how to create a configlet.

What is an Adhoc Test?

During any stage of compliance policy creation (rule creation, rule group creation & policy creation), you can perform checks on adhoc basis to test the validity of the rule/rule group/policy added by you. The adhoc tests depict the results then and there. After adding a rule, you can perform adhoc test for a device/device group by clicking the "Adhoc Test" button present under Compliance > Rules page. Similarly, adhoc tests can be performed for rule group from Compliance > Rule Groups page and for Policy from Compliance > Policies page.

Can I generate a report for all the policies at once?

Yes a consolidated report for all the policies can be created at once. Go to Reports > Compliance report and click on the PDF icon provided in the top right corner of the page to generate the report. You can also select the device group for which you want to create this report.

What is HIPAA compliance?

HIPAA stands for Health Insurance Portability and Accountability Act. HIPAA Compliance is the process by which covered entities need to protect and secure a patient's healthcare data or Protected Health Information.

What is required for HIPAA compliance?

1. Privacy: patients' rights to PHI
2. Security: physical, technical, and administrative security measures
3. Enforcement: investigations into a breach
4. Breach Notification: required steps if a breach occurs
5. Omnibus: compliant business associates

Why is HIPAA compliance important?

Being HIPAA-compliant means that a healthcare provider has adequate measures in place to protect patient data. Compliance makes it easier for patients to trust you, and since trust is the backbone of every business entity, they are likely to choose you as their go-to healthcare provider.

How to ensure HIPAA compliance?

1. Develop a cohesive privacy policy
2. Hire a dedicated security staff
3. Have an internal auditing process
4. Stipulate specific email policies

Device Group

What is a device group?

Sometimes, you might have to group devices based on some logical criteria. For example, you may wish to create groups such as a group containing all cisco routers, or a group containing all cisco switches or group based on device's physical locations etc., This would help in carrying out certain common operations with ease.

What operations can be performed on device groups?

Almost any operation that can be performed on a single device is also applicable on a device group. Some of the most common operations that can be performed on a device group are as follows:

• Setting Credentials
• Configuration Backup
• Configuration Upload
• Configuration change management
• Defining compliance rules/policies
• Generating a report
• Creating a schedule

Where can I check the devices associated with a device group?

List of devices associated with the device group can be checked by clicking on the device group name in 'Grid View' of device group page under Inventory > Groups. To check the list of devices in 'Widget View', click on the expand icon  present on the top right corner of each widget.

Reports

Can I receive automatically generated reports on Device Configuration in my mailbox?

Yes, Network Configuration Manager provides option to mail reports to email IDs. You can schedule reports to be generated at any point of time and reports will be mailed to your email ID.

Can Network Configuration Manager generate email alerts?

Yes, Network Configuration Manager can be configured to send email alerts whenever there happens a change in configuration. For more details refer to the section "Change Management " in help documentation.

Does Network Configuration Manager maintain historical data about Device Configuration?

'Yes it maintains historical data of device configuration. The historical data are available in the device properties page of each device. For more details refer to the section "Device Configuration Details" in help documentation

What are the different types of reports available in Network Configuration Manager?

Network Configuration Manager can generate 17 different types of reports which are classified into 4 different categories. Following is the list of reports available in Network Configuration Manager with their respective categories.

Network Reports:

• Hardware Inventory: Hardware details listing the components and their status of the devices
• Firmware Inventory: Firmware details listing the OS version and associated information of the devices
• Device Inventory: Device details listing the model number, series and type of the devices
• Network Health Status: Overview of the conflicts and compliance status of the device configurations
• Device Management Status: Overview of device management setup status like credentials, real-time change detection etc
• Device Audit: Details on 'who', 'when' and 'what' of all the operations performed on the devices

Configuration Reports:

• Startup-Running Conflict: Details on the devices whose startup and running configurations differ
• Configuration Changes: Details on the devices that have undergone changes in configuration
• Configuration Change Trend: Details on the number and type of configuration changes, during a specific time period
• Configuration Analysis Report: Complete details about device configuration settings
• Security Audit Report: Details on the findings of security audit together with the impact and recommendations

User Reports:

• User Access: Details on user access permission for all the devices
• Configuration Upload Request: Overview of the status of configuration upload requests raised by the users
• User Audit: Details of the operations performed by various users using the application

Other Reports:

• EOL/EOS: End-of-Life and End-of-Sale details of the devices
• Compliance: Details on the violations and compliance of the associated policies of the devices.
• : The status of Configuration Review made by the specified administrator/ operator as to whether the reviews are pending or completed, are presented in this report.

What are the different file formats, in which a report can be exported?

A report can be exported in either PDF or CSV format. You can also choose to mail a report and it will be sent as a PDF. To know more about how to generate a report, please click here .

Advanced Reports

No. Default advanced reports cannot be edited or deleted.

Advanced reports can be exported as PDF, CSV, or XLS.

Device details such as Backup Status, Baseline Conflict, Compliance Status, Credentials Status, Custom Column 1, Custom Column 2, Custom Column 3, Device Template, Device Type, End Of Sale Date, End Of Support Date, Host Name, IP Address, Image File Name, Last Backup at, Last Operation Status, MAC Address, Managed Status, Model, OS Type, OS Version, Protocol, Real-Time Change Detection, Serial Number, Series, Startup Conflict, System Description, System Location, and Vendor can be selected and generated as a report.

Security Aspects

How much security does Network Configuration Manager offer to my configuration?

Network Configuration Manager offers a good level of security to your configuration as all the configuration information retrieved from devices are encrypted and stored in DB. Also device credential information are also encrypted and stored in DB.

Can we install our own SSL certificate? How?

Yes, you can install your own SSL certificates in Network Configuration Manager. Please follow the steps below to do that:

If you are using keytool utilities for certificate generation

The Network Configuration Manager runs as a HTTPS service. It requires a valid CA-signed SSL certificate with the principal name as the name of the host on which it runs. By default, on first time startup, it creates a self signed certificate. This self signed certificate will not be trusted by the user browsers. Thus, while connecting to Network Configuration Manager, you need to manually verify the certificate information and the hostname of Network Configuration Manager server carefully and should force the browser to accept the certificate.

To make the Network Configuration Manager server identify itself correctly to the web browser and the user:

• you need to obtain a new signed certificate from a CA for the Network Configuration Manager host or
• you can configure an existing certificate obtained from a CA with wild-card principal support for the Network Configuration Manager host

Step 1: The first step is to create the public-private key pair that will be used for the SSL handshake

• Go to <Network Configuration Manager_Home>/jre/bin folder
• Execute the command "./keytool -genkey -alias Network Configuration Manager -keyalg RSA -keypass <privatekey_password> -storepass <keystore_password> -validity <no_of days> -keystore <keystore_filename>"
• The command will prompt you to enter details about you and your organization:
  1. For the 'first and the last name' enter the FQDN of the server running Network Configuration Manager
  2. For other fields enter the relevant information
  3. <keystore_password> is the password to access the keystore, <privatekey_password> is the password to protect your private key and <no_of_days> is the validity of the key pair in number of days, from the day it was created
• This will create a keystore file named <keystore_filename> in the same folder, with the generated key pair

Step 2: Create a Certificate Signing Request (CSR) for submission to a certificate authority to create a signed certificate with the public key generated in the previous step.

• Go to <Network Configuration Manager_Home>/jre/bin folder
• Execute the command "keytool -certreq -keyalg RSA -alias Network Configuration Manager -keypass <privatekey_password> -storepass <keystore_password> -file <csr_filename> -keystore <keystore_filename>"
  • Note that the <csr_filename> that you choose should have .csr extension. The <privatekey_password>, <keystore_password> and <keystore_filename> are the ones used in the last step
• This will create a CSR file named <csr_filename> in the same folder

Step 3 : Submit the CSR to a Certificate Authority (CA) to obtain a CA signed certificate

• Some of the prominent CAs are Verisign (http://verisign.com), Thawte (http://www.thawte.com), RapidSSL (http://www.rapidssl.com). Check their documentation / website for details on submitting CSRs and this will involve a cost to be paid to the CA
• This process usually takes a few days time and you will be returned your signed SSL certificate and the CA's certificate as .cer files
• Save them both in the <Network Configuration Manager_Home>/jre/bin folder

Step 4: Import the CA-signed certificate to the Network Configuration Manager server

• Import your SSL certificate into your keystore
• Go to <Network Configuration Manager_Home>/jre/bin folder
• Execute the command "keytool -import -alias Network Configuration Manager -keypass <privatekey_password> -storepass <keystore_password> -keystore <keystore_filename> -trustcacerts -file <your_ssl_certificate>"
• <your_ssl_certificate> is the certificate you obtained from the CA, a .cer file saved in the previous step. The <privatekey_password>, <keystore_password> and <keystore_filename> are the ones used in the previous steps
• Now copy the <keystore_filename> to the <Network Configuration Manager_Home>/conf folder

Step 5: Finally, configure the Network Configuration Manager server to use the keystore with your SSL certificate

• Go to <Network Configuration Manager_Home>/conf folder
• Open the file server.xml
• Search for the entry 'keystoreFile', which will have the default value set to "conf/server.keystore". Change the value to "conf/<keystore_filename>" where <keystore_filename> is the one used in the previous steps
• Also search for the entry 'keystorePass' (which will infact be next to keystoreFile), which will have the default value set to "RGV2aWNlRXhwZXJ0". Change the value to "<keystore_password>" where <keystore_password> is the one used in the previous steps
• Restart the Network Configuration Manager server and connect through the web browser. If you are able to view the Network Configuration Manager login console without any warning from the browser, you have successfully installed your SSL certificate in Network Configuration Manager!

Note 1: Tomcat by default accepts only the JKS (Java Key Store) and PKCS #12 format keystores. In case, the keystore is of PKCS #12 format, include the following option in the server.xml file along with the keystore name,

keystoreType=”PKCS12″

This tells tomcat that the format is PKCS12. Restart the server after this change.

To configure existing wild card supported SSL certificate,

• Go to <Network Configuration Manager_Home>/conf folder
• Open the file server.xml
• Search for the entry 'keystoreFile', which will have the default value set to "conf/server.keystore". Change the value to "conf/<keystore_filename>" where <keystore_filename> is the one belong to the existing wild-card certificate.
• Also search for the entry 'keystorePass' (which will in fact be next to keystoreFile), which will have the default value set to "RGV2aWNlRXhwZXJ0". Change the value to "<keystore_password>" where <keystore_password> is the one used to protected the existing wild-card certificate keystore.
• Restart the Network Configuration Manager server and connect through the web browserconsole. If you are able to view the Network Configuration Manager login console without any warning from the browser, you have successfully installed your SSL certificate in Network Configuration Manager!

Note 2: Please refer your CA's documentation for more details and troubleshooting

If you are using OpenSSL / Microsoft Utilities

Follow these steps to enable using your own certificates :

• Generate the certificate signing request and generate the certificate using MS CA, as you did before (or use the cert generated before). DO NOT use the one generate using keytool
• Have tested here with the Base64 encoded certs, so use the same
• Download OpenSSL from here http://www.slproweb.com/download/Win32OpenSSL_Light-0_9_8e.exe and install it in your system
• After install, go to the OpenSSL\bin folder
• Copy the private key (generated with your CSR), your certificate and the root certificate into this bin folder
• Run this command on the command prompt : openssl pkcs12 -export -in <cert_file>.cer -inkey <private_key>.key -out <keystore_file>.p12 -name Network Configuration Manager -CAfile <root_cert_file>.cer -caname Network Configuration Manager -chain, where
1. cert_file is the certificate with the .cer extention
2. private_key is the private key file with a .key extension
3. keystore_file is the keystore that will be generated with a .p12 or .pfx extension
4. root_cert_file is the root certificate with a .cer extension
5. provide extension to all the file entries on the command line
• When prompted for password, enter 'RGV2aWNlRXhwZXJ0'
• This will generate the keystore file <keystore_file>.p12 on the same folder
• Copy this file to <Network Configuration Manager_Install_Folder>\conf folder
• Move to <Network Configuration Manager_Install_Folder>\conf folder
• Open the file server.xml and do the following changes
• Search for the entry 'keystoreFile', which will have the default value set to "conf/server.keystore". Change the value to "conf/<keystore_file>.p12"
• Make sure the entry for 'keystorePass' is set to "RGV2aWNlRXhwZXJ0"
• Add a new entry keystoreType=”PKCS12″ next to the keystorePass entry
• Save the server.xml file
• Restart the Network Configuration Manager server and connect through the web browser. If you are able to view the Network Configuration Manager login console without any warning from the browser, you have successfully installed your SSL certificate in Network Configuration Manager!

I want to prevent unauthorized configuration changes to my core devices.

You can make use of the 'Change Management' feature of Network Configuration Manager. For more details refer to the section "Configuration Change Management " in help documentation.

ManageEngine ServiceDesk Plus Integration

Can we integrate NCM with ServiceDesk Plus while ServiceDesk Plus uses a third-party SSL certificate?

• Copy the sdp.keystore file from the SDP installation which is under the sdp\conf folder to OpManagerhome directory.
• We have to get the keypass and storepass used while generating the sdp.keystore file in Service Desk plus
  You can open the file "server.xml" located under "‹SDP installed directory›\server\default\deploy\jbossweb-tomcat50.sar\" and see keypass & storepass, mostly keypass and storepass will be the same.
• We have to identify the exact alias name used while generating sdp.keystore. You can get that by running the below command from the Network Configuration Manager administrative command prompt.
  Execute below command from the Network Configuration Manager installed directory using command prompt with run as administrator:
  \\ OpManager‹.\jre\bin\keytool -list -v -keystore sdp.keystore After executing the above command, you will get the alias name from the result.
• Once you have the alias name, keypass and store pass, replace them in the below command and execute it.(which is the first part of ssl_servicedesk.bat), this will create a file called sdp_cert.txt
  \\ OpManager>.\jre\bin\keytool -export -v -rfc -alias ‹asc› -file sdp_cert.txt -keystore .\conf\sdp.keystore -keypass ‹sdpsecured› -storepass ‹sdpsecured›
  In the above command, we have to change the alias name(), keypass value() and storepass value () with the respective alias name, keypass and storepass values.
• Execute the below command(second part of ssl_servicedesk.bat)
  \\ OpManager>.\jre\bin\keytool -import -alias SDPSSL -keystore .\conf\ OpManager.truststore -file sdp_cert.txt -storepass OpManager -noprompt
  Once it is done, go to to OpManager\bin directory and open the ssl_servicedesk.bat and do the below changes
  Replace this line
  %NMS_HOME%\jre\bin\keytool -export -v -rfc -alias asc -file sdp_cert.txt -keystore %NMS_HOME%/conf/sdp.keystore -keypass sdpsecured -storepass sdpsecured
  with
  %NMS_HOME%\jre\bin\keytool -export -v -rfc -alias ‹alias name› -file sdp_cert.txt -keystore %NMS_HOME%/conf/sdp.keystore -keypass ‹keypass value› -storepass ‹storepass value›
  where ‹alias name›, ‹keypass value› and ‹storepass value› is the alias, keypass value and the storepass value that you used in fourth step.
  Save the file and restart the OpManager service and verify the integration.

Can we integrate NCM with ServiceDesk Plus while ServiceDesk Plus uses a .pfx certificate?

Applying .pfx certificate in SDP does not involve creating keystore file which is required for integration. Please follow the below steps to create a Keystore file.

• Run the below command to convert pfx certificate to JKS format from OpManager\Jre\bin directory.
  >keytool -importkeystore -srckeystore sdp_pfx_cert.p12 -destkeystore OpManager.truststore -srcstoretype pkcs12 -deststoretype JKS
  It requires Destination password, give it as OpManager.
  Source password which is the pfx certificate password.
• Place the output file OpManager.truststore in OpManager_Home\conf folder. Also have a copy of this file named as sdp.keystore and place it in OpManager home directory.
• Try configuring SDP integration from Network Configuration Manager UI with sdp.keystore. No need to wait for the connection success message.
• Try configuring Log a Ticket notification.

If it fails, restart OpManager service and try once again.

Can we integrate NCM with any version of ServiceDesk Plus?

There are a few version-related restrictions when it comes to integrating ServiceDesk Plus with Network Configuration Manager. Please refer the table below to know the compatible version of Network Configuration Manager and SDP.

ServiceDesk Plus version	Suggested NCM Version	Compatibility Status
10513 and below	124031-124096	Compatible
11000 - 11127	124097 and above	Compatible
11128 - 11137	125214 and above	Compatible
11138 and above	125410 and above	Compatible

 

On a general note, it is HIGHLY RECOMMENDED for users with SDP version 11.0 and above to integrate it with Network Configuration Manager version 125410 and above to ensure the integration runs smoothly and to avoid any sort of compatibility issues.

SSH Private Key Authentication

Which permission should private key files have?

In Linux, private key file should have permission 600 that denotes only users can perform read and write operation.

For Windows, if we generate a key pair, the file will contain "inherited privileges". Users have to remove them using "icacls" command and grant permission for Administrators and Systems.

How to change file permissions for private key file in Linux?

Use "chmod" command in terminal.

Example: chmod 600

How to view inherited privileges for private key in Windows?

Use "icacls" command in Command Prompt with Administrator privileges.

Example : icacls

How to remove inherited privileges for private key in Windows?

Use "icacls" command in Command Prompt with "Administrator" privilege.

Example : icacls/inheritance:r

How to grant inherited privileges for private key in Windows?

Use "icacls" command in Command Prompt with Administrator privileges.

Example : icacls/grant SYSTEM:(F)

icacls/grant BUILTIN\Administrators:(F)

Miscellaneous

I have enabled syslog-based change detection for my device. But the product does not seem to detect any configuration changes.

Configuration change messages will be generated only at certain logging levels. So check if the logging level in the device is set to one of the values listed in the "Syslog Config for Change Detection" - logging level drop-down. Also, ensure if syslog server is running and the syslog port (514) is free for Network Configuration Manager's use.

Has Network Configuration Manager been reviewed by any independant reviewers?

Yes. Network Configuration Manager has been reviewed by the following magazines/reviewers:

• SC Magazine, the world's longest running monthly publication focusing on information security has reviewed Network Configuration Manager.
• 3d2f, a web portal featuring reviews on software products has reviewed Network Configuration Manager. Report available here.

How to reduce the transactional log size (MSSQL database)?

Network Configuration Manager provides extensive workflow operations:

You will find a print to the following effect in the logs: Caused by: java.sql.SQLException: The transaction log for database 'OpManagerDB' is full. To find out why space in the log cannot be reused, see the log_reuse_wait_desc column in sys.databases..

To check the used % : DBCC SQLPERF(LOGSPACE) 

Steps to clear the logs:

1. Shutdown Network Configuration Manager server.
2. Change the Recovery Model to Simple by following the steps below:
   • Go to SQL server-->OpManagerDB properties-->Options-->Recovery Model-->Simple.
3. Connect to MSSQL Server-->OpManagerDB. Execute the following query
   1. DBCC SHRINKDATABASE (database name , target percent) for eg DBCC SHRINKDATABASE (OpManagerdb,20)
   2. alter database MODIFY FILE (Name = "_log",MAXSIZE=1 GB) - for eg alter database OpManagerdb MODIFY FILE (Name = "OpManagerdb_log",MAXSIZE=1 GB) (If the transaction log is too huge without any backup, it can not be shrunk. So run this query and then follow the above steps.
   BACKUP LOG OpManagerDB WITH TRUNCATE_ONLY
4. Restart Network Configuration Manager server.

Ensure you upgrade to the latest build.

If you still get transaction logs filled up issue, check if you have free disk space where the database and transaction log files are saved.

If the drives are filled up, move them to different drive.