Open for Voting

FEATURE REQUEST - Push firmware upgrade files during upgrade job

Here is the backstory of the request from the SolarWinds support case (Case #: 890027) that I opened on this feature request:

So, we are trying to do a firmware upgrade on a Juniper vSRX (Currently: Version 12.1X47-D20.7) to upgrade the firmware to 12.1X47-D25.4. This process works fine manually on the command line and it will work from the NCM server by going to the CONFIGS tab, then the Jobs tab and creating a new job with a Job Type of "Execute Command Script on Devices" and executing the following commands:
start shell
scp USERNAME@SOLARWINDSIPADDRESS:junos-vsrx-12.1X47-D25.4-domestic.tgz /cf/var/tmp/junos-vsrx-12.1X47-D25.4-domestic.tgz
PASSWORD
exit
request system software add validate /cf/var/tmp/junos-vsrx-12.1X47-D25.4-domestic.tgz reboot

That is the only way that I could successfully upgrade the firmware on a Juniper device using SolarWinds NCM (FTP, HTTP and TFTP are either unsupported by Juniper or banned by our Security team).

The problem with this approach is that the username and password are in clear text on the SolarWinds NCM job, which is unacceptable to the Networking and Security folks.

What I need to know is if there are any other methods that I can use to upgrade a Juniper vSRX device without using a job with a clear text password in it? Can the SolarWinds NCM server's "SolarWinds SFTP/SCP Server" be used to create SSH private/public key pairs to push to the devices?

The main question that I have is: "Is there a way to push a file FROM the SolarWinds NCM server (Maybe using the SolarWinds SFTP/SCP Server process?) TO the Juniper device using a CONFIGS --> Job somehow?"



This is the reply that I received from the support agent:


Unfortunately, this is a limitation of the SolarWinds Software. Currently, we use a VTY which is no different than PuTTY or CLI. This would be a feature request.


So, here I am creating a feature request to get the devs to add this as a feature.  I know that if Junipers supported TFTP to transfer the file, this wouldn't be an issue, so this likely doesn't affect Cisco/Brocade customers, but this is such a big issue for us, as we are almost 100% a Juniper shop, that we are going to have to buy and install Junos Space just to do firmware upgrades in a fashion that the Network/Security guys will allow.


Junos Space handles this process by SCPing the file to the Juniper device as well (From Junos Space to the target device), but the authentication credentials are embedded in the job and the user does not see it (Take a gander at this video to see how it is done: Junos Space Image Management - YouTube).  This actually makes me wonder if I can use a SolarWinds variable as the password in that firmware upgrade job... I'll have to look into that now that I think of it...


  • No worries.  We actually had Junos Space for a while and you're right, it does a sweet job of firmware upgrades.  We moved to this to attempt a more vendor agnostic approach like you're talking about, so I'm also really interested in this feature too.

  • I do appreciate presenting a work-around though.  Don't interpret my message as being argumentative.  I'm just disappointed in a tool that I love.

  • I hear ya.  But if we go that route, we might as well write a python script to do the firmware upgrade command while we are at it.  There should be some type of way to get it to work using SolarWinds.  In Junos Space (Juniper's version of NCM), you upload a file to the Junos Space server, right click the filename and deploy it wherever you like.  It handles all of the authentication on the back end.  It handles the upgrade commands, it pushes the file out to the devices using SCP.  Much more streamlined and makes the Network/Security folks happy.  I'm trying to prove that we don't need to purchase yet another tool (An expensive one, no less) to do all facets of Config Management in a vendor-agnostic fashion.  It's looking like I won't be able to do that currently without the Network/Security folks crossing their arms and shaking their heads at me.

  • As a somewhat automated workaround until / unless this gets fulfilled, you could maybe use something like WinSCP and create a script that copies the files to the devices ahead of time to stage it, then use SolarWinds to just run your "request system software add".  We have the same situation and that's what we're doing.
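
The staging workaround from the last comment, combined with the key-based SCP push the original post asks about, as an added Python example (not from the thread, SolarWinds or Juniper). It assumes OpenSSH `scp`/`ssh` on the management server, a hypothetical device account whose public key is already installed and whose login lands in the Junos CLI, the device's host key already in `known_hosts`, and that the checksum reply contains the digest as 64 hex digits.

```python
import hashlib
import os
import re
import subprocess

REMOTE_DIR = "/cf/var/tmp"  # staging directory used in the post
SSH_OPTS = ["-o", "BatchMode=yes",              # fail rather than prompt for a password
            "-o", "IdentitiesOnly=yes",         # offer only the key passed with -i
            "-o", "StrictHostKeyChecking=yes"]  # refuse a device whose host key is unknown


def sha256_file(path):
    """Hash the local image so the staged copy can be compared against it."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scp_push_argv(image, user, host, key_file):
    """scp from the server TO the device; no secret appears in the arguments."""
    target = f"{user}@{host}:{REMOTE_DIR}/{os.path.basename(image)}"
    return ["scp", "-i", key_file, *SSH_OPTS, image, target]


def checksum_argv(image, user, host, key_file):
    """Run the Junos CLI command 'file checksum sha-256' on the staged file."""
    remote = f"{REMOTE_DIR}/{os.path.basename(image)}"
    return ["ssh", "-i", key_file, *SSH_OPTS, f"{user}@{host}",
            f"file checksum sha-256 {remote}"]


def staged_copy_matches(device_output, expected_hex):
    """Compare the 64-hex-digit digest in the device's reply with the local one."""
    found = re.search(r"\b[0-9a-fA-F]{64}\b", device_output)
    return bool(found) and found.group(0).lower() == expected_hex.lower()


def stage(image, user, host, key_file):
    """Push, verify, and return the credential-free command for the NCM job."""
    expected = sha256_file(image)
    subprocess.run(scp_push_argv(image, user, host, key_file), check=True)
    reply = subprocess.run(checksum_argv(image, user, host, key_file),
                           check=True, capture_output=True, text=True).stdout
    if not staged_copy_matches(reply, expected):
        raise RuntimeError(f"checksum mismatch on {host}; do not install")
    return (f"request system software add validate "
            f"{REMOTE_DIR}/{os.path.basename(image)} reboot")
```

The string returned by `stage()` is the only line the NCM job then needs, so the job text carries no username or password.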