3 Replies Latest reply on Aug 14, 2018 8:49 AM by thsukudu

    IOS version Compliance validation

    subash_14

      In our environment, we have a list of Cisco, Juniper, and 3Com devices configured in SolarWinds, where my requirement is to run the compliance report for the IOS version configured and recommend in which version we are lagging in the current environment.

        • Re: IOS version Compliance validation
          rschroeder

          It seems like you might be asking "How do I create a Compliance Report that alerts us when a node's version doesn't match what we need?"  Is this correct?

           

          It's pretty easy to do; I'll lay out a basic format for you to follow.  You can choose to implement it or modify it or go with someone else's recommendations.

           

          First, let's test it on just one brand and model of device--for simplicity and testing.  Then we can build on that to create other Compliance Reports that cover more and more of your nodes.

           

          1. Log into SolarWinds, go to Configs > Compliance
          2. Click Manage Policy Reports
          3. Click Manage Rules
          4. Click Add New Rule
            1. Give it an intuitive name (THIS is important!) I usually use the same name on the Rule, the Policy, and the Report--this makes it easy to find and modify and understand all three.
            2. Provide a helpful Description for others to reference (especially after you leave for other employment, or retire, etc.)
            3. Select the appropriate Alert Level for your needs
            4. Select where your New Rule will be stored.  This is an important bit of housekeeping that you will have to reference in steps below, so make it intuitive, or record where you save the New Rule.  Hopefully you've given the New Rule a very intuitive name that will be easy to find.
            5. Select the right String Matching solution for your needs.  NCM can Alert if the String is found, or if it is NOT found.
            6. If you wish to use the Advanced Config Search (which enables you to use drop-down options, logic, and strings you choose), check the Advanced Config Search box.  It lets you enter multiple strings, if you wish.  If you don't need the additional structure, you can leave the Advanced Config Search box unchecked.
            7. Select the logic you need (if you checked the Advanced Config Search box), or simply enter in the String you want--or DON'T want.  (Clue:  If you want to be alerted if a specific Machine Type  IS or IS NOT running a specific version of code, just enter the version information as you'd expect to find it from a manual CLI query of the device.  E.G.:  On a Cisco node you might enter the command "show ver | in Version".  The output might look like " Version 03.08.01.E RELEASE SOFTWARE (fc2)", so you'd want to search for "03.08.01E" in this case.)
            8. Choose the option for String type (RegEx or Find String).  You can play with the RegEx option, see if you like it.
            9. Carefully consider if you wish to use the Remediation option.  I would NOT recommend this at the present time, since setting the right remediation commands here would cause the node to download new code and apply it and reboot.  I recommend just having an Alert fire, and NOT a Remediation.  Reboots/upgrades should be done after consulting with the affected clients, and through Change Management procedures, on a schedule the users can tolerate.  So leave the Remediation area blank until you have the rest of the information and schedules.
            10. Click Test, and select a node that does, or does NOT, contain the version information you seek.  Verify the Rule works as expected, or modify it until it does.  Remember:  This is a vendor/model/version-specific Rule, and should only be applied to nodes that would be expected to have this version of code.  Obviously you would NOT include ALL nodes in the Compliance Report--you'd only select vendor and machine types that are appropriate (i.e.:  You wouldn't expect a 3Com node to have the same version of code that a Cisco node runs.).
            11. Click Submit when you have satisfactory Test results.
          5. Now that you have a Rule, go back to Admin > Settings > NCM Settings > Manage Policy Reports and click the Manage Policies tab.
            1. Click Add New Policy
            2. Give the new Policy a Name.  I usually use the same name on the Rule, the Policy, and the Report--this makes it easy to find and modify and understand all three.
            3. Put in a description (What the purpose of the policy is, who built it, when it was built, what it applies to, etc.)
            4. Save it in the intuitive Folder using the dropdown.
            5. Select the Nodes you want this policy to inspect.  Remember that the Rule this Policy will use is specific to a vendor and Machine Type.  Select Nodes or use the Dynamic Selection option to get the right nodes included.
            6. Find the Rule you created in the previous area (Step 4 above).  It's in the Folder you put it in--hopefully you recorded that info, or used the folder that's intuitive.
            7. Select it on the Left side of the window and click the Add button to move it to the Right side of the window (it must show up under the Assigned Policy Rules area, or it won't work).
            8. Click Submit
          6. Go back to Admin > Settings > NCM Settings > Manage Policy Reports and click Add New Report
            1. Name it intuitively so you can find it in the future.   I usually use the same name on the Rule, the Policy, and the Report--this makes it easy to find and modify and understand all three.
            2. Put in the appropriate description.
            3. Save it in an Intuitive folder
            4. Check Include Report Summary, uncheck Show Rules Without Violation (this is your choice--check or uncheck either box and test to see how you like the results of each option)
            5. Find your Policy in the intuitive folder you stored it in (on the left side of the window)
            6. Select the Policy and click Add to move it to the right under Assigned Policies
            7. Click Submit
          7. You're almost done.   Find the new Report by clicking on the folder on the left column and opening it.
            1. Put a check in the box by the Report
            2. Click Enable.  This tells NCM you want to use this report.  I know--who'd have reports that aren't enabled, right?  Well, maybe you don't want every Compliance Report running every time, and you might temporarily disable or enable a given report as you need it.  I prefer NOT to do that--I like all my Reports to be enabled, since I include their output in the front page of my NPM view, so I know if there are issues.
            3. Click Update Selected.  (You could leave the box unchecked and simply click "Update All", but that may take a long time as NCM reviews ALL Policies/Rules/Reports AND looks at ALL of your Nodes' config files and applies the Reports/Policies/Rules to each of them.  Why wait for that?  Just select the new Report and click Update Selected.)
            4. The column showing "Last Update" will show a progress icon.
            5. Once it's done updating, click on the Report and see which devices are out of compliance.
            6. The report will have several columns: all of the Nodes'  Names will show up, along with their IP address, and a column that shows the Violations.  Note that the header over the Violations column can contain multiple conditions, since you may include multiple Rules and Policies within a single Compliance Report. 
            7. Click on the Violation icon to see the details.
          8. Finally, you can build this type of report for every brand / model / Machine Type.  OR, you can build just ONE Report that contains multiple Rules and Policies in it.  The beauty of that is one report can show ALL of your version compliance issues, instead of having to run a separate report for every Machine Type / Brand / Model.

           

          As an example of a Compliance Report, I have one that shows me every ASA 5506 I own that is running BGP.  Of 58 devices, five are running BGP.  You can see how easy and quick this is!

           

          Give it a try, let us know how you like it.

           

          Alternately, there is a nice selection of pre-built Inventory Reports in NCM that you could run.  They'll show every node and the version of code the nodes are running.  You can sort them by machine type or by vendor or by code version.  You can export them to Excel for easy searching and reporting.  And you can schedule a report to be run as often as you wish, and have NCM automatically e-mail it to you or your team or your boss.  If you'd like more information on this process, send me an e-mail or an IM.  I'll show you how this is done, too.

           

          Swift packets!

           

          Rick Schroeder

            • Re: IOS version Compliance validation
              subash_14

              Hi Rschroeder,

               

              Thanks for your prompt response with the details.

               

               

              In our estate, we have mixed vendor network devices (Cisco, Juniper & 3Com) with different standards of IOS images. From the compliance view, need your support to share the way to find & compare the market (GA) available IOS images with the devices configured/ monitored in SolarWinds.

              By this we shall plan/ schedule IOS upgrade periodically in our estate.

              • Re: IOS version Compliance validation
                thsukudu

                rschroeder this is not a scalable solution. This should already be in SolarWinds (if I can determine it's not running an IOS to upgrade it, it definitely can make a report!)

                 

                I have a network with at least 50-75 different models of devices on it. Manually creating a rule for each device each time an IOS upgrade comes out isn't what NCM is about.
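
The version-string rule from the first reply (match the version as it appears in "show ver" output), written table-driven so a single baseline covers many machine types, which is the scaling concern raised in the last reply. This is an added example, not part of the thread and not NCM functionality; the machine-type names, node names, sample device output and the Junos version are constructed, and only the Cisco version string is taken from the thread.

```python
import re

# Constructed baseline: machine type -> (version-extraction regex, approved version).
# Machine-type names and the Junos version are made up for illustration;
# "03.08.01.E" is the version string quoted in the thread.
BASELINE = {
    "cisco-access": (r"Version\s+([^\s,]+),?\s+RELEASE SOFTWARE", "03.08.01.E"),
    "juniper-edge": (r"^Junos:\s+(\S+)", "18.4R2.7"),
}

# Constructed inventory: (node, machine type, captured "show version" text).
NODES = [
    ("sw-01", "cisco-access", "Cisco IOS Software, Version 03.08.01.E RELEASE SOFTWARE (fc2)"),
    ("sw-02", "cisco-access", "Cisco IOS Software, Version 03.06.05.E RELEASE SOFTWARE (fc1)"),
    ("sw-03", "cisco-access", "Cisco IOS Software, Version 03.08.01.E1 RELEASE SOFTWARE (fc1)"),
    ("rt-01", "juniper-edge", "Hostname: rt-01\nModel: mx\nJunos: 18.4R2.7"),
    ("ap-01", "3com-legacy", "3Com switch, version text not parsed here"),
]

def check_node(machine_type, show_version):
    """Return (status, running_version) for one node."""
    if machine_type not in BASELINE:
        # A node with no baseline entry is reported, not silently passed.
        return ("NO_BASELINE", None)
    pattern, approved = BASELINE[machine_type]
    m = re.search(pattern, show_version, re.MULTILINE)
    if m is None:
        return ("UNPARSED", None)
    running = m.group(1)
    # Compare the extracted token exactly: a substring search for
    # "03.08.01.E" would also accept "03.08.01.E1".
    return ("COMPLIANT" if running == approved else "VIOLATION", running)

def report(nodes):
    """Map node name -> (status, running version) for the whole inventory."""
    return {name: check_node(mt, text) for name, mt, text in nodes}

def naive_find(approved, show_version):
    """Plain 'find string' check, kept only for comparison with check_node."""
    return approved in show_version

if __name__ == "__main__":
    for name, (status, running) in report(NODES).items():
        print(f"{name:6} {status:12} {running or '-'}")
```

Updating the approved version for a machine type is then a one-line change to the baseline rather than a new rule per model.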