In Network Configuration Manager 7.6, we introduced the ability to use NCM to upgrade the firmware for Cisco IOS devices. With NCM 7.7, we added support for upgrading the firmware for Cisco ASAs, and if you've seen the NCM WWWO, we're looking to extend this capability even further.
That said, do you have questions about how NCM's Firmware Upgrade feature really works? What do the "Collect Info" commands do? What about the "Upgrade" commands? Which commands are optional? And have you ever wondered how NCM uses the results from each command?
Wonder no more - introducing the new, hot off the virtual press NCM Firmware Upgrade Guide. Enjoy!
The SolarWinds NCM team wants to learn how you manage your Access Control Lists (ACLs). Please take our survey - for completing it, you will receive 500 Thwack points after the survey closes on Friday, 4 August 2017.
Please click here to start the survey:
SolarWinds Network Configuration Manager (NCM) 7.4.1 Hotfix 3
Hotfix 3 addresses the following issue:
To install SolarWinds NCM 7.4.1 Hotfix 3:
To uninstall SolarWinds NCM 7.4.1 Hotfix 3:
SolarWinds Network Configuration Manager (NCM) 7.4.1 Hotfix 2
Hotfix 2 addresses the following issue:
To install SolarWinds NCM 7.4.1 Hotfix 2:
To uninstall SolarWinds NCM 7.4.1 Hotfix 2:
We have been working hard to bring another bulk of enhancements to the Network Configuration Manager (NCM) and NCM 7.5 Beta is available. We have been working on:
To get access to the Beta, you need to be a customer on active maintenance for NCM and sign up here.
You can discuss your experience in the NCM Beta Forum.
As an added incentive, Beta users who submit feedback will receive 2,000 Thwack points to buy swag at the Thwack Store.
SolarWinds Network Configuration Manager (NCM) 7.4 Hotfix 2
Hotfix 2 addresses the following:
To install SolarWinds NCM 7.4 Hotfix 2:
To assign the new template:
SolarWinds Network Configuration Manager (NCM) 7.4 Hotfix 3
Hotfix 3 addresses the following:
To install SolarWinds NCM 7.4 Hotfix 3:
To assign the new template:
SolarWinds Network Configuration Manager (NCM)
Security is at an all-time high for many network engineers. Either being asked “are we good?”, “How’s our security policies?”, or “Hey do we have any security policies in place??” We wanted to be able to resolve these questions and back them with reports to prove your network is compliant!
I’ve been working on an ebook to help unlock the mystery within NCM. Something that would help users and prospects to reach their full NCM potential. The attached documents are simply a chapter from this book that will help simplify compliance once and for all.
In the Compliance Head Geek episode we went over basic to advanced ways of using this feature. However, if you really want to dive in then please download the provided compliance documentation and follow the step by step with screenshots.
I've even provided a RegEx help document to bridge a gap from beginner to advanced users. This will help you to fine tune your searches and get the matches you need. You could say I have been in a cave for a long time writing and screenshotting… Seriously, it’s been intense!
The ultimate goal behind these documents is to provide users information that can be used at any level of product knowledge. Standardization and security needs is a perfect place to start with NCM in general. These guides will help you to leverage the power of NCM through compliance remediation reporting.
If you're curious about compliance or other features, then by all means download a free 30 day trial and check it out today!
SolarWinds Network Configuration Manager (NCM) 7.4 Hotfix 1
Hotfix 1 addresses the following issues:
Hotfix 1 modifies the following files on the SolarWinds NCM server:
To install Hotfix 1:
You should now receive real-time notification email messages and the real-time notification rules work as expected.
To rollback Hotfix 1:
We are looking at extending NCM capabilities with support for automated workflows. This is a very broad topic and that's why I would like you to tell me about your needs. What tasks would you like to be automated? What is your motivation? Would you invest in product(s) that would really make a difference? Or, have you already invested in one?
Please share your thoughts and let me know if you are willing to discuss the details with me -- thwack points are waiting for you .
New Features and Improvements of NCM 7.4
In case you missed the first two blogs you can find them here:
Cisco Live was definitely a great time and visiting with all of the current customers and soon to be was perfect for this blog. I was able to see how people were wanting to use the new features and also what they wanted to know more about. So in this blog we are going to jump into how to use these new features and improvements. So hold on tight and get your NCM up in front of you to follow with me if you would like!
This blog will cover:
Cisco IOS and ASA Vulnerability Reporting
Lets enable this feature now by following these steps:
(For proxy user information scroll to the comments where this was answered.)
5. The NCM summary resource will populate similar to the below:
6. From this resource you are able to click in to each vulnerability and see the nodes that are connected to this.
7. This is where you will see the web link to the national vulnerability database for each issue and can see the remediation that is needed to resolve.
Now this is where you are able to make your decisions based on your needs. Some may not be an issue for so you can change these to low priority. Others may be critical and leave as high priority. You are able to set these and apply to all nodes or partial nodes. If you are needing to roll out a change you can sat scheduled and leave comments so everyone can see. If you need to roll out an IOS update or make a change on the device you can then schedule this in the Jobs and have it to execute your change or use the Config Change templates to remediate the vulnerabilities.
Here is a picture of vulnerability that will be applied to one of the devices and scheduled for a later date and time to be resolved:
Pretty simple, huh? This can be used to help you with any security or company audits to stay ahead of security issues. You are able to show and track everything you change and comment on through the reports found here:
The report will look like the following (notice it tracked my changes that I did above):
Now you may have heard or known that you can be alerted to potential vulnerabilities. Here is where you enable this alert so you can adjust and setup for your needs.
Enhanced Change Approval Workflow
PCI compliance is increasing to a two tier approval change approval. Luckily, NCM has improved this feature to allow you to do this with ease. While at Cisco Live several people wanted this to be within their company as the more eyes on changes being made the easier it is to prevent human errors and potential downtime.
I'm going to go through the process with you here so you know how to use this either for one or two step approvals.
Device Template Wizard
This is technically my favorite new addition to NCM! This is because use to in order for you to create a device template for a device that was not out of the box (around 100 device templates included with NCM) you would have to call in or create a support ticket. Some knew how to adjust the templates and would manually do this themselves as well. Not anymore!
So when would you use this feature? If you have a device that currently is not being recognized or if you are unable to get a device to download that is when you would use this feature of NCM.
Let me walk you through how to use this:
Pretty simple! People have also told me they use this for one on one troubleshooting on connecting with devices. I'm sure you will find this just as useful as well for your operational needs.
Automatic Compliance Remediation
Why would you use automatic remediation on out of compliance reports? Well as I have stated before the compliance reports are a huge opportunity for everyone not just healthcare, federal, or PCI auditing businesses. You are able to use this with your own security policies by setting up your personal compliance reports. Or pick and choose from existing to create a report that suits your needs.
Standardization of configurations is something several people use the compliance reports for. Sometimes the simplest things that can cause your network to be in trouble or for you to lose a bonus check... Example, customer stated he had to have a legal banner on all network devices. He assumed he had all of this. However, when randomly checked he did not have the banner on all of the devices. I showed him how you can setup an automatic remediation to his banner report so he doesn't have to worry about that again!
Since I have covered compliance reports in the past I am going to show you the new addition to these by using the automatic remediation.
The compliance reports are easy to use and completely broke down. Just remember the following tips:
I hope this information has been useful for you. There will be an ebook coming on common uses and implementations of NCM I'll keep you posted on when it will be available. The poll is still open for voting until June 24th so vote vote vote! Ebook poll voting
For further questions or how to's please comment below as I would be happy to assist on any of the topic we went over above. Compliance remediation, device templates, enhanced change approval, and of course vulnerability reporting. You can also add me as a friend and message me any topics you would like to know more about and I will create some step by steps for you and others so we can have you fully using NCM!
Update, currently working on ebook\ecourse and the poll is now being archived.
Implementing Security with NCM
Security threats are growing every hour and frankly every minute… I remember my first security class and my instructor telling us “Hacking at all levels just takes time, willpower, and egos. If you think you can secure your server take it to DEFCON and wait”.
Needless to say we did this and everyone’s server was easily hacked into. (Was there a doubt...) So from that point on I was pretty confident security was a myth or a false sense of security. Until, I realized the most common attacks are on the simplest of overlooked mistakes!
Eureka, this brought me to pursue ways to block out easily forgotten open gateways. That’s security being able to have a checks and balances in place to ensure that even the little things are not being accidentally overlooked.
This is where SolarWinds Network Configuration Manager (NCM) becomes a crucial piece to the bigger puzzle in security. There are many ways to use NCM for added security with Automation backups, Real-time change notification (RTN), Change Approval, and Compliance Reports for your company’s security needs, management of policies, and reports that instantly provides you value from your product.
This blog should jump start your security uses with NCM by leveraging these features together. Next week’s blog will be over NCM 7.4 release and showcase some of the new additions and uses!
First we should setup a scheduled job to back up your network devices. To do this open your website to the configs location and click on “jobs” from the toolbar. Here you can check the weekly or nightly config backup and edit to your liking.
Some Engineers may only want certain devices while others will setup all devices within NCM. This is really up to you as the Engineer. Once you have this enabled and scheduled we will turn on your Real-time change notification (RTN). Here is link to how you can do this: Enable Real-time Chance Notification
Real-Time Change Notification
RTN allows you as the Network Engineer to be on top of any changes to your devices. Giving you automatic notifications and the ability to revert these once they have been made. This can help against errors, sabotage, and defective equipment.
When you are focusing on network security you need to make sure that changes are correctly being made and accounted for. The built in auditing of who made the change and when also allows you to audit who is on your network and what they are doing.
Real-Time Change View
This leads me to the next part of great security practices, Change Approval Systems. You may ask why this would be such a great security tool or you may be thinking “OF COURSE”. Either way implementing an approval system is key to securing your network right out of the box with NCM.
There are more requirements coming down the pipeline to businesses where change approval has to be bare minimum one tier. This is because it vastly decreases your chances for human error that can cause horrible network issues and downtime. If there is even a slight bit of a chance you can prevent unauthorized or incorrect changes on your network, then I’d say that is a win for all network engineers.
You are able to set this up quickly with the approval setup wizard found under the NCM settings>Config Management Change Approval>Setup Wizard (bottom right of the NCM settings page). This will take you through a step by step implementation of activating your approval system.
Setup wizard location:
Once complete you now have email alerts and website resources that bring yourself or a different approver aware of a change to be made. From the website resource of “Pending Approval List” you are able to see all pending and past changes.
So in essence you are able to prevent unexpected config changes that could cause downtime. Which is a great investment in your network reliability since downtime cost more and more as applications and services are being used within more businesses.
From the pending location you are able to now view the change completely. You have choices you can make as an approver like view the script or change being requested, Edit the script if you notice it is incorrect or perhaps needs just an extra line of commands to make it official, approve this to be executed immediately or schedule to be made at a later time.
Change Approval View
Since we have the basics enabled lets dive into the compliance reporting. These are key on monitoring your configurations for security errors, standardization of configs, and are fully customizable to adhere to your organizational needs. If you are being audited or foresee this in your future, NCM takes the burden from countless hours of manually auditing your configs or piecing together programs to provide this information accurately.
Choose the Compliance portion of the Config toolbar and you will see out of the box best practices and awareness of compliance reporting. I will be focusing on the “Cisco Reports” for this blog to get your feet wet in the compliance realm.
When I click on the Cisco Reports folder I see two that populate Cisco Policy Report and Cisco Security Audit. Check the policy report and then click the “view report” above. Notice this will bring up your report and show you any violations. If you click on the red x violation and you are presented with remediation options. How easy is that?
From this Violation Details popup you are presented with 3 options. 1. View the configuration of the device that’s config was found out of compliance. 2. Execute remediation Script on this node. 3. Execute remediation Script on all nodes in violation.
Compliance Report View
This is valuable and time saving for a few reasons. For instance, you are new to a company and you’re wanting to bring things up to date or verify best practices currently within your environment. Standardization is key to efficiency on networks and you now have a way to carefully adjust and bring your configs to standardization with the help of these reports.
What if you are handed a new security policy that has to be enforced? NCM is fully customizable to your needs. You can edit an existing report or create a new report. This allows you to manually setup your own rules to be checked against your configs. Then you are able to set a group of rules as your own policy. Once this is complete move the policies and or rules to create a report that you need for your company. Implement and run to verify your configurations and you’re done!
The customization and ease of implementation allows you to stay on top of your network needs in the ever changing security realm. Compliance is a great defense for you company to ensure standardization, security, and reporting for auditing.
How can you set remediation scripts:
Security policies are only as good as the ones in place. Time to dust off the policy book and start implementing and maintaining your network with the help of NCM’s security features like Real-time change notification, Change approval, and compliance reports.
Don’t miss next week’s blog on 7.4 new features and improvements. Not to spoil anything, but there is more security and better troubleshooting coming your way!
Tell me about your uses with NCM and Security as I would love to hear from everyone! Also, comment on any ideas you have or things you want within NCM that helps or would help your security needs.
I am happy to announce General Availability (GA) of SolarWinds Network Configuration Manager (NCM) v7.4. This version includes the following new features and improvements:
More details can be found in the Release Notes and in the RC blog post: Network Configuration Manager v7.4 Release Candidate is Available!.
Configuration Change Management Software is more than backing up configs!
This will be a three part series focusing on NCM
Generally speaking we all should know that backing up configurations and being able to see when a change was made is crucial to network infrastructures. But what happens when you have the basics done like automation backup and real-time change notifications? Has it just become the infamous saying of “set it and forget it”? The answer is NO! There is a whole world to SolarWinds Network Configuration Manager (NCM) that is just waiting for you to use in your everyday work life.
This blog will focus on some of the "out-of-the-box" features that are available like:
with a quick overview on their uses.
The next blog will be more in depth on setup and uses for your security needs and how NCM has your back! The third one will focus on 7.4 with more in depth information on how to use the new features.
I'm hoping you have the basics of nightly backups and real-time change notifications (RTN) setup. (Crossing fingers, but if not here is the tech tip on setting up your RTN Enable RTN) So let’s get started.
Let’s talk about a network inventory. Seems boring but what does this really provide you? Asset management, ugh, I know it’s a dreaded word that provokes thoughts of monotonous, tedious, and timely work!
Stop wasting hours of punching numbers and gathering information. Use NCM to run a nightly inventory or a one time inventory to gather information like Model, Serial, IOS version, cards in routers, chassis switches etc. BOOM, you freed up your time instantly by using what you already have.
Use the Cisco inventory and route tables to help you quickly see neighbors and routing information on your monitored devices. IOS image lists and memory pools also offer you detailed information to help you know what you are working with in your environment.
Change Approval System
Prevent unexpected downtime or incorrect roll outs BEFORE they happen. Wait… did she seriously say prevent downtime? Sure did , with NCM’s Change Approval you can be emailed when someone on your team is wanting to change a configuration on the network you’re responsible for. Once you have the email you can login to the NCM web site and then see the change that is being requested, edit, approve, or deny it. Now you have instantly prevented issues before they even happened.
Change approval is more than preventing errors. This can be a valuable training tool for your team. Stopping and preventing potential issues and\or errors allows you to teach\coach the person that was making the change to prevent future endeavors.
This is crucial in fast pace environments that are consistently growing with new devices and protocols. It’s always better to teach and learn from almost mistakes then scrambling around recovering from them.
Change Approval View
How about NCM’s script management? I’m sure you and your team have an arsenal of scripts you use daily or even certain policy updating scripts. With script management you are able to store, name, edit, and use scripts from within NCM.
You can access these for compliance remediation (more on compliance in a moment), jobs to be scheduled, configuration templates, and even from the node details. Gone are the days of saved notepads or google searches.
Script Management View
Compliance Reports benefit more than just Government and Healthcare companies. All networks should take security as a priority and be able to show they are secure. NCM helps you do this seamlessly with detailed customization to fit your organizational needs. Use the reports out-of-the-box to quickly assess your network configs to common standards we have gathered.
You can also customize the existing reports or create your own. Take your security policies and create your own rules to look for and use for policies. Then you’re able to report on these as a whole and remediate any out of compliance issues.
The compliance reports are queried against your configurations within NCM. This helps you with standardization and security compliance by knowing if a command or verbiage is present or not. Talk about instant security and auditing checks available within your product.
Being ahead of the game or even if you’re catching up, NCM eases you into compliance and takes the frustration out of auditing. Remediation by using scripts already stored also helps you to quickly address any out of compliant needs efficiently from the same report.
Compliance Report View
What about the need for troubleshooting network issues while they are happening? Would NCM be beneficial in assisting you in anyway? The answer is undeniably, yes! You are able to use CDP neighbors, ARP information, routing configs, and run your show commands instantly from within the product.
This is the perfect product to use for troubleshooting network devices as this is where all your data is being stored already. You can see past implementations, monitor any changes, monitor the effects of changes, and use for recovery of devices in failure.
Troubleshooting View Example
How many times does upper management refuse your budget for device refreshes, but then 3 months later when you can’t get support (because the box is now 3 years past EOL) they blame YOU for not making it clear? That’s why EOL and EOE reports are so valuable.
With almost NO effort from you, you can generate a detailed report of all (or part) of your inventory and when those devices WILL BE falling out of maintenance. That allows you to escalate potential support issues before they happen, and plan budgets accordingly.
As you can see your basic Network Configuration Change Management (NCCM) needs are more than backing up and change notification. There are features like Change Approval, Compliance reports, and Troubleshooting within NCM that are begging to be leveraged. Even if you’re currently not tracking or using these features it’s time to step it up and be knowledgeable on your infrastructure.
Which leads me to my next blog which will be over the dreaded word, security… We all know we need it, but how can NCM help you to implement and maintain security? I will drill in to some of the security features like Real-time change and Change approval within NCM and how to implement and use these together among other features. Typical use cases and ideas on why you would want to use these features among your environment.
If there is specific topic that you would like to learn more about please let me know. I would be happy to dive in to those and post step by steps and how to's for anything related to NCM.
We have reached the Release Candidate (RC) status for Network Configuration Manager (NCM) 7.4. RC is the last step before general availability and is a chance for existing customers to get the newest functionality before it is available to everyone else.
Update: NCM v7.4 RC2 is available on customer portal. Please note that an NCM server host with SolarWinds NPM installed cannot install or upgrade to NCM 7.4 RC2 until the NPM is ugraded to NPM 11.5.2 RC1. More details can be found in NCM 7.4 RC2 is Available on Customer Portal.
Device templates have been moved to the database. You can modify the templates in the Web UI and no longer have to replicate them accross your polling engines. Smooth thwack integration was a must!
In addition, we have integrated a wizard into NCM that helps you develop new templates or troubleshoot problems with the existing ones.
If network security is a concern in your organization, you should definitely use this new capability of NCM -- run a nightly vulnerability assessment based on recent CVE data provided by the National Vulnerability Database (by NIST). NCM will download and process the CVE data in a SCAP-compatible way and will notify you of potential vulnerabilities, provide detailed information and let you take an appropriate action. This security scan works even if your NCM server is not connected to the Internet -- you just have to download the datafiles manually. Complimentary reports are provided out of the box.
Note: Cisco IOS and ASA devices are supported as of now.
Tired of importing the obligatory reports from thwack? No longer a problem! NCM now ships the latest DISA STIG, NIST FISMA, and PCI reports out of the box. The updates also include broader vendor coverage and more detailed checks.
Note: If you upgrade from NCM v7.2.x to v7.4 Release Candidate, these new reports will be missing. The workaround is to upgrade from 7.2.x to 7.3.2 first and then to 7.4 RC. The problem is related to upgrades from NCM 7.2.x only; upgrades from NCM 7.3.x and clean installations are not affected. We apologoize for incovenience and work on solution for the final NCM 7.4 release.
Were you looking forward to the day when you could customize your NCM reports in the web and combine them with information from other modules? The day has come! Not only have we migrated all the existing inventory reports to the Orion reporting engine, but we have also added a decent number of new ones. The same applies to alerts.
Maintaining your configurations compliance has never been so easy. Just configure the remediation script to be executed automatically! Works for interfaces, too.
Ant that's not all -- check Network Configuration Manager v7.4 Beta2 is Available! for other improvements that cannot fit in this post.
RC builds are made available to existing customers prior to the formal release. These are used to get customer feedback in production environments and are fully supported. If you have any questions, I encourage you to leverage the NCM forum.
You will find the latest version on your customer portal in the Release Candidate section.