New Features and Improvements of NCM 7.4

 

In case you missed the first two blogs you can find them here:

  1. Part 1: Leverage more from Network Configuration Manager (NCM)
  2. Part 2: Implementing Security with Network Configuration Manager (NCM)

 

          Cisco Live was definitely a great time and visiting with all of the current customers and soon to be was perfect for this blog.  I was able to see how people were wanting to use the new features and also what they wanted to know more about.  So in this blog we are going to jump into how to use these new features and improvements.  So hold on tight and get your NCM up in front of you to follow with me if you would like!


This blog will cover:

  • Cisco IOS and ASA Vulnerabilities
  • Enhanced Change Approval
  • Device Template Wizard
  • Automatic Compliance Remediation


Cisco IOS and ASA Vulnerability Reporting


          Lets enable this feature now by following these steps:


  1. Login as an admin account for you NCM website. 
  2. Go to the NCM Settings
  3. Scroll to the Advanced Section
  4. Click on the Firmware Vulnerability Settings
    1. You'll see the following screen below
    2. Click the Enable daily auto run of vulnerability matching logic
    3. Adjust time if needed for it to be executed
    4. If on a closed network click the "How to manually import xml files?
    5. Now choose to Run Now so your resource on your NCM summary page will be filled once the scan is complete

(For proxy user information scroll to the comments where this was answered.)

settings.jpg


  5.  The NCM summary resource will populate similar to the below:

 

        1.jpg


   
  6.  From this resource you are able to click in to each vulnerability and see the nodes that are connected to this.

  7.  This is where you will see the web link to the national vulnerability database for each issue and can see the remediation that is needed to resolve.

 

          Now this is where you are able to make your decisions based on your needs.  Some may not be an issue for so you can change these to low priority.  Others may be critical and leave as high priority.  You are able to set these and apply to all nodes or partial nodes.  If you are needing to roll out a change you can sat scheduled and leave comments so everyone can see.  If you need to roll out an IOS update or make a change on the device you can then schedule this in the Jobs and have it to execute your change or use the Config Change templates to remediate the vulnerabilities.

 

Here is a picture of vulnerability that will be applied to one of the devices and scheduled for a later date and time to be resolved:

3.jpg

 

          Pretty simple, huh?  This can be used to help you with any security or company audits to stay ahead of security issues.  You are able to show and track everything you change and comment on through the reports found here:

 

4.jpg

 

          The report will look like the following (notice it tracked my changes that I did above):

5.jpg


          Now you may have heard or known that you can be alerted to potential vulnerabilities.  Here is where you enable this alert so you can adjust and setup for your needs.


  1. Click on your settings top right of your webpage by the logout
  2. Scroll to the Alerts & Reports section
    1. 6.jpg
  3. Click on Manage Alerts
  4. Scroll to NCM Audits
    1. 7.jpg
  5. Scroll through these and find the "Vulnerability State Changed"
  6. Enable this and you are ready to go!
  7. Reports and ability to drill into the vulnerabilities out-of-the-box:
    1. 24.jpg
    2. 25.jpg



         


Enhanced Change Approval Workflow



          PCI compliance is increasing to a two tier approval change approval.  Luckily, NCM has improved this feature to allow you to do this with ease.  While at Cisco Live several people wanted this to be within their company as the more eyes on changes being made the easier it is to prevent human errors and potential downtime.

 

I'm going to go through the process with you here so you know how to use this either for one or two step approvals.

 

  1. Login as a local admin
  2. Go to your NCM settings
  3. Click on the Setup Wizard
    1. 8.jpg
  4. Then choose from the following:
    1. One-level approval
    2. Two-level approval for non privileged users
    3. Two-level approval for all users
    4. 13.jpg
  5. Then click on submit
  6. Here is where your SMTP information is verified or placed if you have not setup this information in the past.  Click submit when completed.
    1. 9.jpg
  7. Now to setup your Admin email information click submit
    1. 10.jpg
  8. User roles
    1. This is were you setup who is approves at level one and/or two.
    2. Click Finish and you are not ready to start preventing change errors!
    3. 11.jpg
  9. When you have this setup you are now able to manage your approvals.  As in my previous blog you will know that you are able to edit the change script or action, Approve, or Deny at any level.  You are able to do this also with comments and send to the requester for their information and learning benefits.
    1. 12.jpg
  10. Reports are useful for tracking changes
    1. 26.jpg
    2. 27.jpg



Device Template Wizard



          This is technically my favorite new addition to NCM!  This is because use to in order for you to create a device template for a device that was not out of the box (around 100 device templates included with NCM) you would have to call in or create a support ticket. Some knew how to adjust the templates and would manually do this themselves as well.  Not anymore!

 

          So when would you use this feature?  If you have a device that currently is not being recognized or if you are unable to get a device to download that is when you would use this feature of NCM.

 

 

        Let me walk you through how to use this:

 

  1. Login as admin and go to the NCM settings
  2. Scroll to the advanced location
    1. 14.jpg
  3. Click on the Device Templates
  4. From here you are able to choose add new or edit an existing template
    1. Edit one if it is similar to a device that you know of
    2. Don't worry we will not let you overwrite out of the box templates 
    3. For my example I am going to choose "add new"
      1. Using Interactive Wizard
      2. 15.jpg
      3. You can choose XML if you are familiar with the template process, however I caution you on this if you have not done this in the past.  Slight errors can cause the template to not work.
    4. Now I will choose the device I am wanting to work one on one with and create a template for and click next
      1. Even if the device shows up as unknown you can choose it as this is commands for the device
      2. 16.jpg
    5. Specify what I want the template used for and click next
      1. 17.jpg
    6. Here is where I place my access info for the device
      1. For additional login etc I have clicked the advanced portion to give more options
      2. 18.jpg
    7. I can also test my access from here and see the output section so I can adjust if needed.
      1. 19.jpg
    8. Now I can place the information needed for the downloading and/or executing scripts that I choose in Step 7
      1. 20.jpg
    9. I can verify these as well with the test feature then click next when satisfied
    10. Here I can save my template and assign to the nodes I want it to be used by
      1. 21.jpg
    11. Ability to fix connections from configuration management tab
      1. 29.jpg

     

     

              Pretty simple!  People have also told me they use this for one on one troubleshooting on connecting with devices.  I'm sure you will find this just as useful as well for your operational needs.

             

     



    Automatic Compliance Remediation

             


              Why would you use automatic remediation on out of compliance reports?  Well as I have stated before the compliance reports are a huge opportunity for everyone not just healthcare, federal, or PCI auditing businesses.  You are able to use this with your own security policies by setting up your personal compliance reports.  Or pick and choose from existing to create a report that suits your needs.


              Standardization of configurations is something several people use the compliance reports for.   Sometimes the simplest things that can cause your network to be in trouble or for you to lose a bonus check...  Example, customer stated he had to have a legal banner on all network devices.  He assumed he had all of this.  However, when randomly checked he did not have the banner on all of the devices.  I showed him how you can setup an automatic remediation to his banner report so he doesn't have to worry about that again!


    Since I have covered compliance reports in the past I am going to show you the new addition to these by using the automatic remediation.


    1. Go to your Configs Tab>Compliance ( you can also manage from your NCM settings)
    2. Click on the "Manage Policy Reports"
      1. 22.jpg
    3. Now to adjust a remediation where do you go?  Yes manage Rules!
    4. Fill in the criteria you want
      1. Mine is going to be looking for a banner
    5. Place the script to remediate the violation
    6. Now I will enable for automatic remediation
      1. 23.jpg
    7. I can now submit
    8. Then I can add a new policy and choose the Rule I created, or add the rule to an existing policy
    9. Then create a new report and add the new policy or use one that had the existing policy that I just added the rule to.
    10. Now anytime the report is ran it will automatically remediate the banner!  I can schedule the report to be ran in my jobs.

     

     

              The compliance reports are easy to use and completely broke down.  Just remember the following tips:

    • Rules are specific and have a remediation set to them
    • Gather rules to create a Policy or add to existing policies
    • Create a new report to include policies or add policies to existing reports

     


              I hope this information has been useful for you.  There will be an ebook coming on common uses and implementations of NCM I'll keep you posted on when it will be available.  The poll is still open for voting until June 24th so vote vote vote!  Ebook poll voting


              For further questions or how to's please comment below as I would be happy to assist on any of the topic we went over above.  Compliance remediation, device templates, enhanced change approval, and of course vulnerability reporting.  You can also add me  as a friend and message me any topics you would like to know more about and I will create some step by steps for you and others so we can have you fully using NCM!


    ~Dez

    Twitter @Dez_Sayz


    Update, currently working on ebook\ecourse and the poll is now being archived.

       

    Implementing Security with NCM

    Blog 2



    Security threats are growing every hour and frankly every minute…  I remember my first security class and my instructor telling us “Hacking at all levels just takes time, willpower, and egos. If you think you can secure your server take it to DEFCON and wait”. 


    Needless to say we did this and everyone’s server was easily hacked into. (Was there a doubt...) So from that point on I was pretty confident security was a myth or a false sense of security.  Until, I realized the most common attacks are on the simplest of overlooked mistakes!


    Eureka, this brought me to pursue ways to block out easily forgotten open gateways. That’s security being able to have a checks and balances in place to ensure that even the little things are not being accidentally overlooked.

     

    This is where SolarWinds Network Configuration Manager (NCM) becomes a crucial piece to the bigger puzzle in security.  There are many ways to use NCM for added security with Automation backups, Real-time change notification (RTN), Change Approval, and Compliance Reports for your company’s security needs, management of policies, and reports that instantly provides you value from your product. 


    This blog should jump start your security uses with NCM by leveraging these features together.  Next week’s blog will be over NCM 7.4 release and showcase some of the new additions and uses!


    Automation Backups

    First we should setup a scheduled job to back up your network devices.  To do this open your website to the configs location and click on “jobs” from the toolbar.  Here you can check the weekly or nightly config backup and edit to your liking. 


    Jobs View

    1.png

    Some Engineers may only want certain devices while others will setup all devices within NCM.  This is really up to you as the Engineer.  Once you have this enabled and scheduled we will turn on your Real-time change notification (RTN). Here is link to how you can do this: Enable Real-time Chance Notification


    Real-Time Change Notification

    RTN allows you as the Network Engineer to be on top of any changes to your devices. Giving you automatic notifications and the ability to revert these once they have been made.  This can help against errors, sabotage, and defective equipment. 


    When you are focusing on network security you need to make sure that changes are correctly being made and accounted for.  The built in auditing of who made the change and when also allows you to audit who is on your network and what they are doing.


    Real-Time Change View

    2.png


    Change Approval

    This leads me to the next part of great security practices, Change Approval Systems. You may ask why this would be such a great security tool or you may be thinking “OF COURSE”.  Either way implementing an approval system is key to securing your network right out of the box with NCM.


    There are more requirements coming down the pipeline to businesses where change approval has to be bare minimum one tier.  This is because it vastly decreases your chances for human error that can cause horrible network issues and downtime.  If there is even a slight bit of a chance you can prevent unauthorized or incorrect changes on your network, then I’d say that is a win for all network engineers.


    You are able to set this up quickly with the approval setup wizard found under the NCM settings>Config Management Change Approval>Setup Wizard (bottom right of the NCM settings page).  This will take you through a step by step implementation of activating your approval system.


    Setup wizard location:

    3.png

    Once complete you now have email alerts and website resources that bring yourself or a different approver aware of a change to be made.  From the website resource of “Pending Approval List” you are able to see all pending and past changes.

     

    So in essence you are able to prevent unexpected config changes that could cause downtime.  Which is a great investment in your network reliability since downtime cost more and more as applications and services are being used within more businesses.


    From the pending location you are able to now view the change completely. You have choices you can make as an approver like view the script or change being requested, Edit the script if you notice it is incorrect or perhaps needs just an extra line of commands to make it official, approve this to be executed immediately or schedule to be made at a later time.


    Change Approval View

    5.png

    Compliance Reports

    Since we have the basics enabled lets dive into the compliance reporting.  These are key on monitoring your configurations for security errors, standardization of configs, and are fully customizable to adhere to your organizational needs.  If you are being audited or foresee this in your future, NCM takes the burden from countless hours of manually auditing your configs or piecing together programs to provide this information accurately.


    Choose the Compliance portion of the Config toolbar and you will see out of the box best practices and awareness of compliance reporting.  I will be focusing on the “Cisco Reports” for this blog to get your feet wet in the compliance realm. 


    When I click on the Cisco Reports folder I see two that populate Cisco Policy Report and Cisco Security Audit.  Check the policy report and then click the “view report” above.  Notice this will bring up your report and show you any violations.  If you click on the red x violation and you are presented with remediation options. How easy is that?


    From this Violation Details popup you are presented with 3 options.  1. View the configuration of the device that’s config was found out of compliance.  2. Execute remediation Script on this node.  3. Execute remediation Script on all nodes in violation.


    Compliance Report View

    6.png


    This is valuable and time saving for a few reasons.  For instance, you are new to a company and you’re wanting to bring things up to date or verify best practices currently within your environment. Standardization is key to efficiency on networks and you now have a way to carefully adjust and bring your configs to standardization with the help of these reports.


    What if you are handed a new security policy that has to be enforced? NCM is fully customizable to your needs. You can edit an existing report or create a new report.  This allows you to manually setup your own rules to be checked against your configs. Then you are able to set a group of rules as your own policy.  Once this is complete move the policies and or rules to create a report that you need for your company.  Implement and run to verify your configurations and you’re done!


    The customization and ease of implementation allows you to stay on top of your network needs in the ever changing security realm.  Compliance is a great defense for you company to ensure standardization, security, and reporting for auditing.

     

    How can you set remediation scripts:

    • Click on compliance from toolbar
    • Then Manage policy reports

    8.png

    • Click on manage rules
    • then choose are rule and click edit
      • or create a new rule

    9.png

    • Scroll to remediation
    • add script to match your need to the rule

    10.png

    Security policies are only as good as the ones in place.  Time to dust off the policy book and start implementing and maintaining your network with the help of NCM’s security features like Real-time change notification, Change approval, and compliance reports.


    Don’t miss next week’s blog on 7.4 new features and improvements.  Not to spoil anything, but there is more security and better troubleshooting coming your way! 

     

    Tell me about your uses with NCM and Security as I would love to hear from everyone!  Also, comment on any ideas you have or things you want within NCM that helps or would help your security needs.

     

    ~Dez

    I am happy to announce General Availability (GA) of SolarWinds Network Configuration Manager (NCM) v7.4. This version includes the following new features and improvements:

     

    • Cisco IOS and ASA Vulnerability Reporting
      NCM uses Cisco IOS and ASA firmware and configuration vulnerability data from the National Vulnerability Database to record which nodes in NCM are vulnerable. This information is available in a new Firmware Vulnerability resource and as a report.
    • NCM Entirely Web-based
      The NCM desktop application is no longer available and all functionality has migrated to the SolarWinds Orion Web Console.
    • New Compliance Reports
      • You can run over 60 Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) policy reports, preconfigured with the necessary rules and policies.
      • You can run National Institute of Standards and Technology Federal Information Security Management Act (NIST FISMA) and Payment Card Industry Data Security Standard (PCI DSS) reports.
    • Device Template Wizard
      • Create and edit device templates using the new, web-based Device Template Wizard in the SolarWinds Orion Web Console.
      • All templates from previous versions of NCM are migrated to the SolarWinds Orion database during an upgrade.
      • Access templates that other SolarWinds users share through thwack directly in Device Template Management.
    • Enhanced Change Approval Workflow
      The NCM approval system allows three different workflows:
      • Use a one-tier approval workflow to submit configuration changes to an NCM administrator.
      • Use a non-privileged, two-tier approval workflow to require non-privileged users (any user with the WebUploader role) to submit configuration changes to two different approval groups.
      • Use an inclusive, two-tier approval workflow to require all users to submit configuration changes to two different approval groups.
    • Web-based Reports
      • Create and edit reports using new, web-based reports.
      • NCM now uses Orion Platform reports (HOME > Reports) instead of the NCM reporting pages (CONFIGS > Reports).
      • Previous reports are not migrated to the web-based reports system and can no longer be edited after an upgrade.
      • Schedule reports with the Orion Report Schedulers instead of the NCM Run Report job.
    • Policy Violation Remediation
      You can automatically remediate violations in a device configuration on multiple nodes using a script.
    • Web-based Alerts
      • Create and manage alerts using the web-based alerting engine.
      • Alerts created using the desktop-based alerting engine are automatically migrated to the web-based alerting engine.

     

    More details can be found in the Release Notes and in the RC blog post: Network Configuration Manager v7.4 Release Candidate is Available!.

    Configuration Change Management Software is more than backing up configs!

    This will be a three part series focusing on NCM

     

    Fast Forward to Part 2 Here 

    Don't Miss Out on Part 3 Here

     

     

                    Generally speaking we all should know that backing up configurations and being able to see when a change was made is crucial to network infrastructures.  But what happens when you have the basics done like automation backup and real-time change notifications?  Has it just become the infamous saying of “set it and forget it”?  The answer is NO!  There is a whole world to SolarWinds Network Configuration Manager (NCM) that is just waiting for you to use in your everyday work life. 


    This blog will focus on some of the "out-of-the-box" features that are available like:

              • Asset Management
              • Change Approvals
              • Script Management
              • Compliance Reports
              • Troubleshooting
              • End-of-Life/End-of-Engineering


              with a quick overview on their uses.


    The next blog will be more in depth on setup and uses for your security needs and how NCM has your back!  The third one will focus on 7.4 with more in depth information on how to use the new features.


              I'm hoping you have the basics of nightly backups and real-time change notifications (RTN) setup.  (Crossing fingers, but if not here is the tech tip on setting up your RTN Enable RTN)  So let’s get started.


    Asset Management:

    Let’s talk about a network inventory.  Seems boring but what does this really provide you?  Asset management, ugh, I know it’s a dreaded word that provokes thoughts of monotonous, tedious, and timely work! 


    Stop wasting hours of punching numbers and gathering information.  Use NCM to run a nightly inventory or a one time inventory to gather information like Model, Serial, IOS version, cards in routers, chassis switches etc.  BOOM, you freed up your time instantly by using what you already have. 

    Use the Cisco inventory and route tables to help you quickly see neighbors and routing information on your monitored devices.  IOS image lists and memory pools also offer you detailed information to help you know what you are working with in your environment.


    Inventory view

    Inv.png


    Change Approval System

    Prevent unexpected downtime or incorrect roll outs BEFORE they happen.  Wait… did she seriously say prevent downtime?  Sure did , with NCM’s Change Approval you can be emailed when someone on your team is wanting to change a configuration on the network you’re responsible for.  Once you have the email you can login to the NCM web site and then see the change that is being requested, edit, approve, or deny it.  Now you have instantly prevented issues before they even happened.


    Change approval is more than preventing errors.  This can be a valuable training tool for your team. Stopping and preventing potential issues and\or errors allows you to teach\coach the person that was making the change to prevent future endeavors. 


    This is crucial in fast pace environments that are consistently growing with new devices and protocols.  It’s always better to teach and learn from almost mistakes then scrambling around recovering from them.

     

    Change Approval View

    CPV.png


    Script Management

    How about NCM’s script management?  I’m sure you and your team have an arsenal of scripts you use daily or even certain policy updating scripts.  With script management you are able to store, name, edit, and use scripts from within NCM. 


    You can access these for compliance remediation (more on compliance in a moment), jobs to be scheduled, configuration templates, and even from the node details.  Gone are the days of saved notepads or google searches.


    Script Management View

    SM.png


    Compliance Reports

    Compliance Reports benefit more than just Government and Healthcare companies. All networks should take security as a priority and be able to show they are secure.  NCM helps you do this seamlessly with detailed customization to fit your organizational needs.  Use the reports out-of-the-box to quickly assess your network configs to common standards we have gathered. 


    You can also customize the existing reports or create your own.  Take your security policies and create your own rules to look for and use for policies.  Then you’re able to report on these as a whole and remediate any out of compliance issues.


    The compliance reports are queried against your configurations within NCM. This helps you with standardization and security compliance by knowing if a command or verbiage is present or not. Talk about instant security and auditing checks available within your product.


    Being ahead of the game or even if you’re catching up, NCM eases you into compliance and takes the frustration out of auditing.  Remediation by using scripts already stored also helps you to quickly address any out of compliant needs efficiently from the same report.


    Compliance Report View

    CR.png

    Troubleshooting

    What about the need for troubleshooting network issues while they are happening?  Would NCM be beneficial in assisting you in anyway?  The answer is undeniably, yes!  You are able to use CDP neighbors, ARP information, routing configs, and run your show commands instantly from within the product. 


    This is the perfect product to use for troubleshooting network devices as this is where all your data is being stored already.  You can see past implementations, monitor any changes, monitor the effects of changes, and use for recovery of devices in failure.


    Troubleshooting View Example

    TV.png

    End-of-Life/End-of-Engineering

    How many times does upper management refuse your budget for device refreshes, but then 3 months later when you can’t get support (because the box is now 3 years past EOL) they blame YOU for not making it clear? That’s why EOL and EOE reports are so valuable.


    With almost NO effort from you, you can generate a detailed report of all (or part) of your inventory and when those devices WILL BE falling out of maintenance. That allows you to escalate potential support issues before they happen, and plan budgets accordingly.


    EOE/EOL View

    eol.png

     

     

    As you can see your basic Network Configuration Change Management (NCCM) needs are more than backing up and change notification.  There are features like Change Approval, Compliance reports, and Troubleshooting within NCM that are begging to be leveraged.  Even if you’re currently not tracking or using these features it’s time to step it up and be knowledgeable on your infrastructure.


    Which leads me to my next blog which will be over the dreaded word, security… We all know we need it, but how can NCM help you to implement and maintain security?  I will drill in to some of the security features like Real-time change and Change approval within NCM and how to implement and use these together among other features.  Typical use cases and ideas on why you would want to use these features among your environment.


    If there is specific topic that you would like to learn more about please let me know.  I would be happy to dive in to those and post step by steps and how to's for anything related to NCM. 

    SolarWinds uses cookies on its websites to make your online experience easier and better. By using our website, you consent to our use of cookies. For more information on cookies, see our cookie policy.