2 Replies Latest reply on Oct 1, 2017 6:34 PM by rschroeder

    How can we build a report to show Cisco ASA problem ACLs based on Net Insight information?

    rschroeder

      It's great to finally be able to discover ACLs that are built improperly, or deployed in the wrong order, or negated by higher rules.

       

      But doing so by clicking through ten ACL's per screen at a time, and then having to hover over a warning icon and click in it's "Show Details" link isn't the enterprise way of operating that I know NPM 12.2 and NCM 7.7 can provide.

       

      Clicking through that way is an OK way to learn about one problem at a time, but it's inefficient.

       

      I'd prefer to see or build/use a Report that retrieves all Net Insight ACL problem information and shows it all in a single report.

       

      Do you know how we can make this happen--perhaps with SWQL in a Custom Report?  Or is there already a Report for this?  I've not found it yet.

       

      Finally, that report should be adjustable so it can include more than one ASA.  I have 80 ASA's at present, and outside of building Compliance Reports for them, I've no great way to see things about them as a group.

       

       

      How about it SWQL & SQL Custom Report Masters?  Is this a challenge, or is it easy-peasy-Mac & Cheezy?

        • Re: How can we build a report to show Cisco ASA problem ACLs based on Net Insight information?
          mesverrum

          So I took this as an opportunity to quickly learn how these new tables are set up... all I can say is I regret that.  Getting down to the ACL was pretty straightforward but the way the rules are in the db is not making much sense to me.  First of all nothing in SWQL will actually show you the content of the line, so nothing will show you anything like 'permit  tcp  any4  host  192.168.xx.xx  eq  https', the whole thing just refers to them by their rule numbers.  What was more frustrating was that the rule numbering scheme seems not to add up.  It seems that the db starts counting at 0 but the UI adds 1 so things can start at 1.  Easy to offset for single values but when a rule is shadowed by multiple other rules they end up in a string and I can't add 1 to a string and get the intended results.

           

          On the plus side I did find out that if you click on the 1-10 it allows you to pick a number of items to display.  I think that selection doesn't seem to persist though, every time i go to a new ACL I was back to 10 per page.

           

          This is the best I can do for you, it looks up the latest config of each type, and lets you know the summary info about any ACL that has issues and generates a link to that page for you to look it over.  Go ahead and remove the comment marks if you want to see the madness that lies deeper but I fear it won't be too helpful.

           

          SELECT  n.NodeCaption

          , n.AgentIP

          , n.Vendor

          , n.MachineType

          ,ca.ConfigType

          ,acl.AccessListName

          ,acl.FullyShadowedCount

          ,acl.PartiallyShadowedCount

          ,acl.FullyRedundantCount

          ,acl.PartiallyRedundantCount

          ,concat('/ui/ncm/aclRules/',tostring(n.CoreNodeID),'/',+ca.ConfigID,'?aclName='+acl.AccessListName) as [_linkfor_AccessListName]

          --,(ace.RuleId+1) as [RuleId]

          --,rd.OverlappingRules

          --,rd.OverlappingType

          --,case when rd.OverlappingType = 2 then 'Partially Shadowed'

          --when rd.OverlappingType = 3 then 'Fully Redundant'

          --when rd.OverlappingType = 4 then 'Partially Redundant'

          --end as [Overlap Type]

           

          FROM NCM.Nodes n

          join (SELECT NodeID, max(DownloadTime) as [DownloadTime], ConfigType

          FROM NCM.ConfigArchive

          group by nodeid, configtype) latest on latest.nodeid=n.nodeid

          join NCM.ConfigArchive ca on ca.NodeID=n.nodeid and ca.DownloadTime=latest.downloadtime

          join NCM.ShadowRuleDetectionAclStatistics acl on acl.ConfigId=ca.ConfigID and (FullyShadowedCount <> 0 or PartiallyShadowedCount <> 0 or FullyRedundantCount <> 0 or PartiallyRedundantCount <> 0)

          --join NCM.ShadowRuleDetectionResult sdrd on sdrd.ConfigId=acl.ConfigId and acl.AccessListName=sdrd.AccessListName

          --join NCM.AceShadowRuleDetectionResult ace on ace.SrdrId=sdrd.srdrid

          --join NCM.RuleDetection rd on rd.ResultId=ace.ResultId

           

          order by n.nodecaption, ca.configtype, acl.AccessListName--, [RuleId]

           

          -Marc Netterfield

              Loop1 Systems: SolarWinds Training and Professional Services