Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Policy Reporter/Compliance Report for "Unmanaged" devices?

We have a number of routers/switches than are in DMZs and unmanagable via SNMP/SSH.

To archive the configurations we copy/paste to a text file, and manually import the configurations into NCM (from the Configuration History Tab on the individual node).

What I would like to do is to run compliance/policy reports against the stored configurations of these "unmanaged" devices.

Within the created policy - these unmanaged nodes (imported configurations) are not available in the list of nodes available for selection - almost as if "unmanaged" nodes are not eligible for reporting.

Am I doing something incorrectly, or is this a limitation within the current release?

Thanks as always!

Regards,

Bob

Find more posts tagged with

Accepted answers

fcaron

Hi Bob,

Interesting use case.

I opened an enhancement request to facilitate usage of Compliance reports on un-reachable devices, so users don't have to use the workaround that you describe above.

I would like other NCM users to voice their opinion on how relevant this use case is for them, so we can set the right priority for this enhancement (44389).

Thank you

All comments

christineb

Hi Bob:

Unmanaged nodes are not included into any NCM reports- this is actually the purpose of ‘Unmanaged’ state.

To include such nodes in Policy report, mark these nodes as ‘Managed’ (right click on Node and select ‘Manage Selected Nodes’).

The next step is to ensure that all Compliance policies are configured to work with ‘Any’ Config type as well as node selection is configured to ‘Select Nodes directly’ with directly specifying nodes to run the policy on. This configuration can be done on Edit policy screen.

Hope that helps!

--Christine

reheindel

Thanks Christine.

The auditors we deal with like a nice pretty report from NCM that shows compliance for all devices.

As I mentioned, devices in DMZs are not reachable via standard management protocols (http, telnet, ssh or snmp), and as a result we don't manage them in NPM/NCM.

That does not mean however, that NCM can't be used to ensure compliance for specific portions of the configurations, for example to ensure management protocols are DISABLED on vty lines, etc...

One of the cool features that we love about NCM is the configuration import feature.

I would think that the ability to use NCM to check compliance of "unmanaged" would be useful for such an instance as described above.

NCM is getting strong with regard to compliance checking, why not leverage the features/functionality against stored configurations from unreachable devices?

Thanks again!

Regards,

Bob

docwhite

Christine can answer regarding the product features. I'm not sure I follow, though, in terms of compliance checking for devices that are unreachable via telnet, ssh, etc. I'm probably misunderstanding your use case, but to check compliance NCM has to first download the relevant configs. Would you be running an instance of NCM out in your DMZ?

Doug

reheindel

Good morning Doug, thanks for the reply.

No we utilize a single NCM instance within our corporate network.

As changes are made to DMZ devices, we copy the configuration to a text file, and manually import it into NCM via the configuration history tab on the individual node in NCM.

This way all configurations of devices, both internal as well as external are stored in one place - nice and tidy.

It's my understanding that the compliance checking is done against most recent configurations already stored witin the database - no need to go and interrogate the end device prior to running a compliance report.

I verified this by "managing" an unreachable device, and was able to check the configuration via the compliance reporter.

Because the compliance reporter goes against stored configurations, I don't quite understand the requirement for the device to be managed just to check the configuration for compliance - as the configuration is already available.

Maybe a different boolean check could be utilized to determine whether the configuration is a candidate for compliance reporting - regardless of whether it is managed/reachable via a management protocol.

My opinion is that Solarwinds has done an awesome job building the compliance engine, why not expand the functionality a bit more.

For the time being I can get around the issue with two options:

1. Manage the unreachable devices, run the reports, and unmanage them. (Inefficient as user interaction required)

2. Leave the devices managed, and ignore the errors in the job that snags the configurations each night (Ugly as errors=bad).

Regards,

Bob