Config Manager
  • 08 Mar 2024
  • 13 Minutes to read
  • Dark
    Light
  • PDF

Config Manager

  • Dark
    Light
  • PDF

Article Summary

Description

Netreo provides a degree of device config setting management for managed devices through its built-in configuration manager and configuration management rulesets.

To open the Config Manager go to the main menu and select Quick Views > Dashboards > Config Manager.

The tools available include:

  • A config settings monitoring and archiving tool (configuration check) for monitoring and alerting on device config setting changes, and archiving and storing of previous configs.
  • A config settings push tool for scheduling config change commands to be executed on groups of managed devices of the same device type.
  • Custom config management rules (managed through device templates) for enforcing config settings on specific device types.

Details

Prerequisites for Configuration Management

Device config management is active for all managed devices by default. But, it can only manage devices that use text-style configs (such as most routers, switches, load balancers and firewalls). Devices that use other forms of config are ignored. Additionally, a device will not be considered eligible for configuration management unless must it meets all of the following criteria:

  1. The SCHEDULED CONFIG CHECKS setting for that device must be set to ON in its "Advanced" device administration options. (By default, this setting is ON for all managed devices.) Manually switching this setting to OFF will exempt the device from all configuration management.
  2. The Netreo device type assigned to the managed device must contain a configuration map that is capable of executing configuration management. (This is not something that can be seen by the user. However, most device types in Netreo that would benefit from configuration management have this mapping included. Contact Netreo support if you have any questions.)
  3. The device must have authentication credentials configured in its "Authentication" device administration options.
    • This last criterion can be met by having any password, or username and password, combination configured. If either of these are present, Netreo will attempt to use them. However, credentials with full administrative privileges for the device are required for config manager to work properly.

If a managed device meets all of these criteria, then its config settings will be managed. Otherwise, it will be ignored by the config manager.

The Configuration Check (and Archiving Tool)

The config manager automatically tracks changes to device config settings for all of your eligible managed devices using its configuration check. There is only one configuration check in Netreo. It is built into the config manager (as opposed to the other types of monitoring checks) and it manages all devices at the same time. It does this by downloading a device's current config settings and comparing them to any archived versions Netreo already has stored in its database.

Every night, at 1 a.m., the config manager's configuration check automatically retrieves the device config settings from each eligible managed device and compares them to that device's most recently archived versions. If a change is detected within a newly retrieved configuration, Netreo will perform several actions:

  • The current, retrieved config settings are archived.
  • Any configuration management rulesets associated with the device are run to force compliance of any incorrect configuration settings.
  • An incident is opened and immediately closed. (The incident is only necessary for the purposes of creating a historical record.)
  • The event is recorded and displayed in the Config Manager dashboard.
  • A custom alert notification containing contextual information about that change is sent out to contacts in the “Default Email Alerts” action group. A different action group can be selected, if desired (see below).

If no change in a device's config settings are detected, the retrieved config settings are discarded and no further action is taken. If config settings are being downloaded from a managed device for the first time, Netreo will save that config in a zip archive, set it as the baseline config for that device, and take no further action until the next configuration check.

By default, the action group used for config manager alert notifications is the “Default Email Alerts” action group. Different action groups can be selected on the Incident Criteria Administration page, under the rule “Configuration Change Alerts”. The alert rule itself can also be edited or deleted, if desired. However, if deleted: There is no reset! Even though it is a default rule—if it's deleted, it will have to be recreated manually.

Optional Service Checks for Config Manager

While config manager's configuration check is a singular built-in check with no settings, there are also two optional service checks associated with the config manager: The "Configuration Manager" passive service check and the "Cisco Configuration Save Alert" active service check. Which may be added to devices to enhance configuration management.

As with any monitoring check in Netreo, it is recommended to add these checks to managed devices using device templates.

Configuration Manager Service Check

The Configuration Manager service check is a passive service check added to every managed device by the “Default” device template. This particular service check is only updated by the config manager, and is used to alert on a failure of the device's authentication credentials. Any failure by the config manager to retrieve a device's config (scheduled, manual, or triggered) due to failed authentication will cause a WARNING alarm state for this service check (resulting in an alert notification).

It is important to remember that this check is only updated by the config manager. If the config management criteria mentioned above are not all met for a respective device (resulting in the device being ignored by the config manager), this check will always remain in an OK state for that given device (since it's a passive service check). This means that even if the device does have bad credentials; if config manager is not managing the config settings for it, then this check will never alert you about those bad credentials.

Although this check is directly tied to the config manager; the incident opened by this check because of an authentication failure alarm is completely separate and unrelated to the incident opened by the config manager itself due to a detected configuration change. These two events generally shouldn't happen together for a single device anyway, but the distinction is useful to make for troubleshooting purposes.

By default, this service check uses the “blackhole” action group as the only assigned action group in its alarm configuration. This means that no alert notifications are sent when an authentication failure alarm causes an incident to be opened. However, the alarm is displayed in the "Services" column of any Tactical Overview dashboard widgets, as well as in the Config Manager dashboard (both of which are also represented on the Consolidated Dashboard). Administrators may add or change the action group(s) assigned to this passive service check in the "Default" device template if they wish to receive alert notifications about an authentication failure of the config manager.

Cisco Configuration Save Alert Service Check

(For Cisco devices only.) A "Cisco Configuration Save Alert" active service check can be added to a Cisco device to trigger a config manager configuration check for that device outside of the normal schedule if the "last configuration change" timestamp on the device changes. The use of this service check on a Cisco device provides a closer to realtime response to any configuration changes that might occur, since the "last configuration change" timestamp in a Cisco device is updated anytime a user enters configuration mode while logged in to the device (even if no changes were actually made). However, when the triggered configuration check is run; if no changes are detected in the retrieved config, Netreo will still ignore the event for configuration management purposes. Like all active service checks, this check typically runs every three minutes (although, this schedule is adjustable within the check).

Config Manager Page

The Config Manager page is where you manage device configs for the managed devices on your network. Here you can view errors in configuration management, archived versions of device configs, and even compare different versions of a device's saved configs.

The "CalView" tab of this page is also available as the Config Manager widget for custom dashboards.

Tabs

TimeView

This tab is opened by default when the Config Manager page is opened from the main menu. It shows a list of all device config change events clustered by hour for the selected day.

At the top and bottom of the hour list is a date display. Click this display to select the date you would like to view. On either side of the date display are previous ( < ) and next ( > ) arrow buttons. Click these buttons to navigate the dates one day at a time.

If any config change events have happened for the selected day, an entry will be present in the hour during which the event occurred. A badge on the left side of the entry displays the number of devices on which config change events occurred.

If only one config change event occurred in that hour, the entry will display the exact event time, along with the device name and the number of changes made to that device. If more than one device experienced config changes that hour, the entry will display the number of changes that occurred and the number of devices affected.

To see the actual changes made to the device configs, select details on the right side of the entry. A pop-up window will appear showing the exact entries added/removed from the device configuration settings.

CalView

This tab is opened by default when the Config Manager page is opened from its widget on a custom dashboard. By default, it shows device config change events by day of the month.

Options at the top right allow you to display the calendar in month, week or day mode (month by default). Previous ( < ) and next ( > ) arrow buttons at the top left cycle through the months, weeks or days, depending on the mode selected. The different modes are similar in appearance to a business appointment calendar and fairly easy to navigate. Selecting a day in month or week mode switches to day mode and shows the selected day. Selecting Today focuses the display on the current day for whatever mode is selected.

Config change events appear as orange entries. To see the actual changes made to the device configs, select an individual entry. A pop-up window appears showing the exact entries added/removed from the device configuration settings.

If there are too many events to display for a day while in month mode, a message will be displayed at the bottom of the day indicating “+x more.” Select that message to open a pop-up window with the list of additional events. To see the actual changes made to the device configs select details on the right side of the entry in the pop-up window.

ListView

This tab is where you manage archived device configs. It displays a list of config manager events and includes a tool for downloading archived device configs from Netreo's database.

To immediately perform a configuration check for a device, select a device name to open the Configuration Management Report for that device in its Device Dashboard and select the Retrieve Current Configuration button at the top of the page. (Note: Once you’ve opened the Configuration Management Report in a device’s Device Dashboard, all available config manager tabs and features relate to that device only. You will need to navigate back to the main Config Manager page to again view configs for other devices.)

In the ListView tab of the Configuration Management Report, all archived configs for that device are displayed in a table, sorted by date. To view the settings contained in a particular device config, select View in its ACTIONS column. To compare the settings in two different configs, select Compare in its ACTIONS column. You may then flag a specific config as the base and compare another to it by selecting the relevant radio buttons, then selecting Compare Configuration (only two configs may be compared at a time). Any archived version of a device config can be compared with any other, and any changes between versions will be highlighted.

Tools

Several buttons near the top of the config manager (below the tabs) provide access to the various config manager tools.

Download Configuration Archives

You can download archived device configs by selecting the Download Configuration Archives button. On the Config Download page that opens, you can select which devices to download config archives for, and whether to download all archived configs for the selected devices, or just the newest. The configs are provided in a compressed archive (.zip) with the collected configs for each device in separate directories.

Advanced Configuration Push

The Advanced Configuration Push Tool allows you to schedule a one-time push of configuration command sets to any device under the management of the Netreo config manager.

Select the Advanced Configuration Push button to open the Configuration Push page.

Scheduled command set pushes are displayed in the table along with their current state. The list can be filtered by description, user or status. Multiple pushes scheduled at the same time are executed sequentially.

The STATUS column of the table displays the current state of the respective configuration command set.

  • created - The configuration command set job has been created, but the matching CSV file has not yet been uploaded.
  • configured - The config push job has been scheduled and is awaiting execution.
  • queued - The config push job is currently trying to execute, but another job is ahead of it in line.
  • executed - The config push job has successfully executed all tasks in the set.
  • failed - The config push job has begun execution, but at least one task in the job set did not complete before the TIMEOUT period expired. Check output for details (see below).
  • missedexecution - The config push job has been scheduled, but more than 5 minutes have past since the scheduled execution time. This can happen if there is too large a backlog of config push jobs trying to run simultaneously.

To begin the process of adding a new new configuration to be pushed, select New Configuration. See Push Device Configuration Changes to Devices for step-by-step instructions. Once a command set is scheduled, it will run once, then remain in the scheduled list for reference until deleted manually.

Errors in Commands
No error checking is done on the configuration commands used. Therefore it is imperative that you double-check the commands you enter to avoid doing something destructive. Invalid input will cause the config push job to fail, but the job status will show as executed. Only timeouts cause a job to have a status of failed.

Output
To see the output of an executed command set (whether successful or failed), select the upload CSV icon in the command set's ACTIONS column. At the bottom of the Configuration Upload page is a list of devices. Select the view icon in the ACTIONS column of the device for which you would like to see the output to open a pop-up dialog containing the configuration commands and their respective outputs.

Config Manager Failures Report

If the configuration manager service check (see above) for any given device has failed, you can view these events by selecting the Config Manager Failures Report button. (Remember, that this service check fails on any config manager failures—not just authentication.) Click the button to see a list of config manager alarms for the past 24 hours. If there are any failures, you should check the authentication credentials configured for the respective devices (verifying that there are no access-lists or firewalls preventing the Netreo appliance from reaching the device via Telnet or SSH) and then attempt to download a configuration file manually (using the Download Configuration Archives tool) to view any errors which are occurring.

Search Latest Configurations

The search tool allows you to search through the most recently downloaded device configs managed by Netreo. Select the Search Latest Configurations button to open the search page.

This tool was written primarily for Cisco IOS and may not work properly with non-Cisco configs. Note that the search tool searches all of the most recent device configs during each search.

The Config Search tool has two fields, explained below.

  • CONTEXT
    Enter a regular expression to specify the context under which to search. In a Cisco device configuration file, a "context" is basically a subsection of the file containing related configuration parameters (for example, "interface fastethernet 1"). When searching for a context nested within another context, only specify the immediate context level you want to search. It is not necessary to include any higher-level contexts. Leave the ".*" default to not match a context and search the entire file.
  • LINE
    Enter a regular expression to specify the configuration parameter to look for within the context specified above (for example, "ip flow ingress"). In a Cisco device configuration file, configuration parameters within a context are indented to identify that they belong to that context.
Using Regular Expressions
MySQL databases (which is how config files are stored in Netreo) use a subset of the regular expression ruleset, as explained here: https://dev.mysql.com/doc/refman/5.7/en/regexp.html

Additional filters can be added to the search parameters by selecting Add Filter. This allows you to search for lines in more than one context at a time.


Was this article helpful?