- 18 Jul 2023
- 13 Minutes to read
Netreo provides a degree of configuration management for managed devices through its built-in configuration manager and configuration management rulesets.
The tools available include:
- A configuration check and archiving tool for monitoring and alerting on device configuration changes, and archiving and storing of previous configurations.
- A configuration push tool for scheduling configuration commands to be executed on groups of devices of the same device type.
- Custom configuration management rulesets applied through device templates to enforce configuration settings for different device types.
Configuration management in Netreo is managed from the Config Manager Dashboard (see below).
Prerequisites for Configuration Management
Configuration management is active for all managed devices by default, but it can only manage devices with text-style configurations, such as most routers, switches, load balancers and firewalls. Devices that use other forms of configuration are ignored. Additionally, a device is not considered eligible for configuration management unless it meets all of the following criteria:
- The SCHEDULED CONFIG CHECKS setting for that device must be set to ON in its "Advanced" device administration options. (By default, this setting is ON for all managed devices.) Manually switching this setting to OFF will exempt the device from all configuration management.
- The Netreo device type assigned to the managed device must contain a configuration map that is capable of executing configuration management. (This is not something that can be seen by the user. However, most device types in Netreo that would benefit from configuration management have this mapping included. Contact Netreo support if you have any questions.)
- The device must have authentication credentials configured in its "Authentication" device administration options.
- This last criterion can be met by having any password, or any username and password combination, configured. If either of these is present, Netreo will attempt to use it. However, credentials with full administrative privileges on the device are required for config manager to work properly.
If a managed device meets all of these criteria, then its configuration will be managed. Otherwise, it will be ignored by the config manager.
Configuration Check (and Archiving Tool)
The config manager automatically tracks changes to device configurations for all of your eligible managed devices using its configuration check. There is only one configuration check in Netreo. It is built into the config manager (as opposed to the other types of monitoring checks) and it manages all devices at the same time. It does this by downloading a device's current configuration and comparing it to any archived versions it has already stored in its database.
Every night, at 1 a.m., the config manager's configuration check automatically retrieves the device configuration from each eligible managed device and compares it to that device's most recently archived versions. If a change is detected within a retrieved configuration, Netreo will perform several actions:
- The current, retrieved config is archived.
- Any configuration management rulesets associated with the device are run to force compliance of any incorrect configuration settings.
- An incident is opened, and immediately closed. (The incident is only necessary for the purposes of a historical record.)
- The event is recorded and displayed in the Config Manager dashboard.
- A custom alert notification containing contextual information about that change is sent out to contacts in the “Default Email Alerts” action group. A different group can be selected, if desired (see below).
If no change in configuration is detected, the retrieved config is discarded and no further action is taken. If a configuration is being downloaded from a device for the first time, Netreo will save that config as a zip archive, set it as the baseline config for that device and take no further action until the next configuration check.
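The check-and-archive cycle described above (first retrieval becomes a zipped baseline, an unchanged config is discarded, a changed config is archived and its added and removed lines reported), shown as an added Python example that is not Netreo's own code. The device name, archive directory layout and the two sample configurations are assumptions constructed for the demonstration.

```python
import difflib
import tempfile
import zipfile
from pathlib import Path

# Constructed sample configs (not captured from a real device): a baseline and a
# later version where vty transport was widened and the HTTP server enabled.
CONFIG_V1 = "hostname edge-rtr-1\nline vty 0 4\n transport input ssh\n"
CONFIG_V2 = "hostname edge-rtr-1\nline vty 0 4\n transport input telnet ssh\nip http server\n"


def save_archive(path, config):
    """Store one retrieved configuration as a zip archive."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("config.txt", config)


def check_config(archive_dir, device, retrieved):
    """Run one configuration check for a device against its newest archive.

    First retrieval: the config becomes the zipped baseline and nothing else happens.
    Unchanged: the retrieved copy is discarded.
    Changed: the new config is archived and the added/removed lines are returned,
    which is the material an alert notification or the dashboard pop-up would show.
    """
    archive_dir = Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    archives = sorted(archive_dir.glob(device + "-*.zip"))  # zero-padded names sort chronologically
    if not archives:
        save_archive(archive_dir / f"{device}-0000.zip", retrieved)
        return {"status": "baseline"}
    with zipfile.ZipFile(archives[-1]) as zf:
        previous = zf.read("config.txt").decode()
    if previous == retrieved:
        return {"status": "unchanged"}
    diff = list(difflib.unified_diff(previous.splitlines(), retrieved.splitlines(), lineterm="", n=0))
    added = [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]
    removed = [line[1:] for line in diff if line.startswith("-") and not line.startswith("---")]
    save_archive(archive_dir / f"{device}-{len(archives):04d}.zip", retrieved)
    return {"status": "changed", "added": added, "removed": removed}


def run_demo():
    """Three consecutive checks in a throwaway archive directory: baseline, no change, change."""
    with tempfile.TemporaryDirectory() as tmp:
        return [check_config(tmp, "edge-rtr-1", c) for c in (CONFIG_V1, CONFIG_V1, CONFIG_V2)]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```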
By default, the action group used for config manager alert notifications is the “Default Email Alerts” action group. Different action groups can be selected on the Incident Management Administration page (Administration > Alerts > Incident Management), under the rule “Configuration Change Alerts”. The alert rule itself can also be edited or deleted, if desired. However, there is no way to reset a deleted rule: even though it is a default rule, if it is deleted it will have to be recreated manually.
Service Checks Associated with Config Manager
While config manager's configuration check is a singular built-in check with no settings, there are also two service checks associated with the config manager: the "Authentication" passive service check and the "Cisco Configuration Save Alert" active service check. Both are detailed below.
Authentication Service Check
The "Authentication” service check is a passive service check added to every device per the “Default” device template. This particular service check is only updated by the config manager, and is used to alert on a failure of the device's authentication credentials. Any failure by the config manager to retrieve a configuration file (scheduled, manual, or triggered) will cause a WARNING alarm state for this check (resulting in an alert notification).
Please note, however, that this check is intrinsically tied to the config manager. If the config management criteria mentioned above are not all met for the respective device (resulting in the device being ignored by the config manager), this check will always remain in an OK state for the given device, since it is passive. This means that if config manager is not managing the configuration files for a device, this check will never alert you about bad credentials on that device, even if its credentials really are bad.
Although this check is directly tied to the config manager, the incident opened by this check because of an authentication failure alarm is completely separate from and unrelated to the incident opened by the config manager itself due to a detected configuration change. These two events generally shouldn't happen together for a single device anyway, but the distinction is useful for troubleshooting purposes. By default, this service check uses the “blackhole” action group as the only selected action group in its alarm configuration. This means that no alert notifications are sent when an authentication failure alarm causes an incident to be opened. However, the alarm is displayed in the "Services" column of any Tactical Overview dashboard widgets, as well as in the Config Manager dashboard (both of which are also represented on the Consolidated Dashboard). Administrators may add or change the action groups selected for this passive service check in the "Default" device template (Administration > Templates) if they wish to receive alert notifications about an authentication failure of the config manager.
Cisco Configuration Save Alert Service Check
For Cisco devices only. A "Cisco Configuration Save Alert" active service check can be added to a device to trigger a configuration check for that device outside of the normal schedule whenever the "last configuration change" timestamp on the device changes. Using this service check on a Cisco device provides a much closer to real-time response to any configuration changes that might occur, since the "last configuration change" timestamp in a Cisco device is updated any time a user enters configuration mode while logged in to the device—even if no changes were actually made. However, when the triggered configuration check is run, if no changes are detected in the retrieved config, Netreo will still ignore the event for configuration management purposes. Like all active service checks, this check typically runs every three minutes (although this schedule is adjustable within the check).
Config Manager Dashboard
The Config Manager dashboard is where you manage device configurations for the managed devices on your network. You can view errors in configuration management, view archived versions of device configurations, and even compare different versions of the same configuration.
To open the Config Manager dashboard go to the main menu and select Quick Views > Dashboards > Config Manager.
This tab is opened by default when the Config Manager dashboard is opened from the main menu. It shows a list of all configuration change events clustered by hour for the selected day.
At the top and bottom of the hour list is a date display. Click this display to select the date you would like to view. On either side of the date display are previous ( < ) and next ( > ) arrow buttons. Click these buttons to navigate the dates one day at a time.
If any configuration change events have happened for the selected day, an entry will be present in the hour during which the event occurred. A badge on the left side of the entry displays the number of devices on which config change events occurred.
If only one change event occurred in that hour, the entry will display the exact event time, the device name and the number of changes made to that device. If more than one device experienced config changes that hour, the entry will display the number of changes that occurred and the number of devices affected.
To see the actual changes made to the device configurations select details on the right side of the entry. A pop-up window will appear showing the exact entries added and removed from the device configuration.
This tab is opened by default when the Config Manager dashboard is opened from its widget on a custom dashboard. By default it shows configuration change events by day of the month.
Options at the top right allow you to display the calendar in month, week or day mode (month by default). Previous ( < ) and next ( > ) arrow buttons at the top left cycle through the months, weeks or days, depending on the mode selected. The different modes are similar in appearance to a business appointment calendar and fairly easy to navigate. Selecting a day in the month or week mode switches to day mode and shows the selected day. Selecting Today focuses the display on the current day for whatever mode is selected.
Config change events appear as orange entries. To see the actual changes made to the device configurations select an individual entry. A pop-up window appears showing the exact entries added and removed from the device configuration.
If there are too many events to display for a day while in month mode, a message will be displayed at the bottom of the day indicating “+x more.” Select that message to open a pop-up window with the list of additional events. To see the actual changes made to the device configurations, select details on the right side of the entry in the pop-up window.
This tab is where you manage archived device configurations. It displays a list of config manager events and includes a tool for downloading configuration archives.
You can download copies of the archived configurations for a device to your computer by selecting Download Configuration Archives. You can select which devices to download configuration files for, and whether to download all archived config files for the selected devices, or just the newest. The files will be provided in a compressed archive (.zip) with the collected configurations for each device in separate directories.
To immediately check the current configuration file for a device, select a device name to open the Configuration Management Report for that device in its Device Dashboard, then select Retrieve Current Configuration. (Note: Once you’ve opened the Configuration Management Report in a device’s Device Dashboard, all available config manager tabs and features relate to that device only. You will need to navigate back to the main Config Manager dashboard to again view other device configurations.)
In the ListView tab of the Configuration Management Report, all archived configurations for the device are displayed in the "Device Configurations" panel, sorted by date. To view a configuration, select View in its ACTIONS column. To compare configurations, select Compare in its ACTIONS column. You may then flag a configuration as the base and compare another to it by selecting the relevant radio buttons and then selecting Compare Configuration (only two configurations may be compared at a time). Any archived version of the configuration can be compared with any other. Any changes between versions will be highlighted.
Config Manager Tools
Simple Configuration Push Tool
Advanced Configuration Push Tool
The Advanced Configuration Push Tool allows you to schedule a one-time push of configuration command sets to any device under the management of the Netreo config manager.
Select Advanced Configuration Push Tool to open the Configuration Push page. Scheduled command set pushes are displayed in the table along with their current state. The list can be filtered by description, user or status. Multiple pushes scheduled at the same time are executed sequentially.
The STATUS column of the table displays the current state of the respective configuration command set.
- created - The configuration command set job has been created, but the matching CSV file has not yet been uploaded.
- configured - The config push job has been scheduled and is awaiting execution.
- queued - The config push job is currently trying to execute, but another job is ahead of it in line.
- executed - The config push job has successfully executed all tasks in the set.
- failed - The config push job has begun execution, but at least one task in the job set did not complete before the TIMEOUT period expired. Check output for details (see below).
- missedexecution - The config push job has been scheduled, but more than 5 minutes have passed since the scheduled execution time. This can happen if there is too large a backlog of config push jobs trying to run simultaneously.
To begin the process of adding a new configuration to be pushed, select New Configuration. See Push Device Configuration Changes to Devices for step-by-step instructions. Once a command set is scheduled, it will run once, then remain in the scheduled list for reference until deleted manually.
No error checking is done on the configuration commands used. Therefore, it is imperative that you double-check the commands you enter to avoid doing something destructive. Invalid input will cause the commands to fail on the device, but the job status will still show as executed; only timeouts give a job a status of failed, so always review the output to confirm the result.
To see the output of an executed command set (whether successful or failed), select the upload CSV icon in the command set's ACTIONS column. At the bottom of the Configuration Upload page is a list of devices. Select the view icon in the ACTIONS column of the device for which you would like to see the output to open a pop-up dialog containing the configuration commands and their respective outputs.
Config Manager Failures Report
If the authentication service check (see above) for a given device has recorded any config manager errors, you can view these by selecting Config Manager Failures Report. (Remember, the "Authentication" service check fails on any config manager failures—not just authentication.) Click it to see a list of config manager alarms for the past 24 hours. If there are any failures, you should check the usernames and passwords configured for the respective devices—verifying that there are no access-lists or firewalls preventing the Netreo appliance from reaching the device via Telnet or SSH—and then attempt to download a configuration file manually to view any errors which are occurring.
Configuration Search Tool
The Config Search tool allows you to search through the most recently downloaded device configuration files managed by Netreo. Select Search Latest Configurations to open the tool's page.
This tool was written primarily for Cisco IOS and may not work properly with non-Cisco config files. Note that the search tool searches all the most recent device configuration files during each search.
The Config Search tool has two fields, explained below:
Enter a regular expression to specify the context under which to search. In a Cisco device configuration file, a "context" is basically a subsection of the file containing related configuration parameters (for example, "interface fastethernet 1"). When searching for a context nested within another context, specify only the immediate context level you want to search; it is not necessary to include any higher-level contexts. Leave the default of ".*" to search the entire file without restricting the search to a context.
Enter a regular expression to specify the configuration parameter to look for within the context specified above (for example, "ip flow ingress"). In a Cisco device configuration file, configuration parameters within a context are indented to identify that they belong to that context.
Additional filters can be added to the search parameters by selecting Add Filter. This allows you to search for lines in more than one context at a time.
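The context-and-parameter search described above (indentation defines which lines belong to a context, only the immediate context needs to be named, and the ".*" default searches the whole file), as an added Python example that is not Netreo's own implementation. The IOS-style sample config and the function names are assumptions constructed for the demonstration.

```python
import re

# Constructed IOS-style sample config (not captured from a real device).
SAMPLE_CONFIG = """hostname edge-rtr-1
!
interface FastEthernet1
 ip address 192.0.2.1 255.255.255.0
 ip flow ingress
interface FastEthernet2
 shutdown
router bgp 65000
 neighbor 203.0.113.2 remote-as 65001
 address-family ipv4
  neighbor 203.0.113.2 activate
ip flow-export destination 192.0.2.50 9996
"""


def parse_contexts(config):
    """Return [header, indent, direct_child_lines] for every non-comment config line."""
    # A line owns the more-indented lines that follow it, so a nested context such as
    # 'address-family ipv4' under 'router bgp 65000' gets its own entry.
    contexts, stack = [], []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and IOS '!' separator/comment lines
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][1] >= indent:
            stack.pop()  # leave contexts this line is not nested inside
        entry = [raw.strip(), indent, []]
        if stack:
            stack[-1][2].append(entry[0])
        contexts.append(entry)
        stack.append(entry)
    return contexts


def search_config(config, context_pattern=".*", param_pattern=""):
    """Return (context header, line) pairs where the line matches param_pattern
    inside a context whose header matches context_pattern; ".*" searches every line."""
    param_re = re.compile(param_pattern)
    if context_pattern == ".*":
        return [("", h) for h, _, _ in parse_contexts(config) if param_re.search(h)]
    context_re = re.compile(context_pattern)
    return [(header, child) for header, _, children in parse_contexts(config)
            if children and context_re.search(header)
            for child in children if param_re.search(child)]
```

Searching for "activate" under "^router bgp" returns nothing, while "^address-family ipv4" finds it, which is the immediate-context behaviour the tool describes.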