OmniCenter provides a degree of configuration management for managed devices through its built-in configuration manager and configuration management rulesets.
The tools available include:
- A configuration check and archiving tool for monitoring and alerting on device configuration changes, and archiving and storing of previous configurations.
- A configuration push tool for scheduling configuration commands to be executed on groups of devices of the same type.
- Custom configuration management rulesets applied through device templates to enforce configuration settings for different types of devices.
Configuration management in OmniCenter is managed from the Config Manager Dashboard.
Prerequisites for Configuration Management
Configuration management is active for all managed devices by default. However, it can only manage devices with text-style configurations, such as most routers and switches, load balancers, and firewalls. Devices that use other forms of configuration are ignored. Additionally, a device is not considered eligible for configuration management unless it meets all of the following criteria:
- The SCHEDULED CONFIG CHECKS setting for that device must be set to ON in its “Advanced” device administration options. (By default, this setting is ON for all managed devices.) Manually switching this setting to OFF will exempt the device from all configuration management.
- The OmniCenter “device type” assigned to the managed device must contain a configuration map that is capable of executing configuration management. (This is not something that can be seen by the user. However, most device types in OmniCenter that would benefit from configuration management have this mapping included. Contact Netreo support if you have any questions.)
- The device must have authentication credentials configured in its “Authentication” device administration options.
- This last criterion can be met by having any password or username and password combination configured. If either of these is present, OmniCenter will attempt to use it. However, credentials with full administrative privileges for the device are required for config manager to work properly.
If a managed device meets all of these criteria, then its configuration will be managed. Otherwise, it will be ignored by the config manager.
Configuration Check (and Archiving Tool)
The config manager automatically tracks changes to device configurations for all of your eligible managed devices using its configuration check. There is only one configuration check in OmniCenter. It is built into the config manager (as opposed to being something like a configurable service check) and it manages all devices at the same time. It does this by downloading a device’s current configuration and comparing it to any archived versions it has stored in its database.
Every night, at 1 a.m., the config manager’s configuration check automatically retrieves the device configuration from each eligible managed device and compares it to that device’s most recently archived versions. If a change is detected within a retrieved configuration, OmniCenter will perform several actions:
- The current, retrieved config is archived.
- Any configuration management rulesets associated with the device are run to force compliance of any incorrect configuration settings.
- An incident is opened, and immediately closed. (The incident is only necessary for the purposes of a historical record.)
- The event is recorded and displayed in the Config Manager dashboard.
- A custom alert notification containing contextual information about that change is sent out to contacts in the “Default Email Alerts” action group. A different group can be selected, if desired (see below).
If no change in configuration is detected, the retrieved config is discarded and no further action is taken. If a configuration is being downloaded from a device for the first time, OmniCenter will save that config as a zip archive, set it as the baseline config for that device and take no further action until the next configuration check.
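The check-and-archive flow described above, sketched as an added example (not OmniCenter's own code). The `ConfigCheck` class, the in-memory archive, the constructed sample configs and the rule that `!` comment lines are ignored during comparison are all assumptions of the example; ruleset enforcement, incidents and notifications are left out.

```python
import difflib

# Constructed sample configs (not from a real device).
BASE = """! Last configuration change at 10:00:00 UTC Mon Jan 1 2024
hostname edge-sw1
line vty 0 4
 transport input ssh
"""
TOUCHED = BASE.replace("10:00:00", "10:05:00")  # only the timestamp differs
CHANGED = TOUCHED.replace("input ssh", "input telnet ssh")


def normalize(config_text):
    """Drop blank and '!' comment lines (assumption of this example)."""
    lines = (ln.rstrip() for ln in config_text.splitlines())
    return [ln for ln in lines if ln and not ln.lstrip().startswith("!")]


class ConfigCheck:
    """Hypothetical stand-in for the nightly check: baseline, compare, archive."""

    def __init__(self):
        self.archive = {}  # device name -> archived configs, oldest first
        self.events = []   # change events, as a dashboard would list them

    def run(self, device, retrieved):
        history = self.archive.setdefault(device, [])
        if not history:  # first retrieval: store as baseline, no alert
            history.append(retrieved)
            return {"device": device, "result": "baseline"}
        old, new = normalize(history[-1]), normalize(retrieved)
        if old == new:  # no change: discard the retrieved config
            return {"device": device, "result": "unchanged"}
        delta = list(difflib.ndiff(old, new))
        event = {
            "device": device,
            "result": "changed",
            "added": [d[2:] for d in delta if d.startswith("+ ")],
            "removed": [d[2:] for d in delta if d.startswith("- ")],
        }
        history.append(retrieved)  # archive the changed config
        self.events.append(event)  # context for the alert notification
        return event


if __name__ == "__main__":
    check = ConfigCheck()
    for cfg in (BASE, TOUCHED, CHANGED):
        print(check.run("edge-sw1", cfg))
```

The added and removed lines in the event are the kind of context a reviewer needs in a change alert: here, the VTY lines gaining `telnet` is visible without opening either archived file.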
By default, the action group used for config manager alert notifications is the “Default Email Alerts” action group. Different action groups can be selected on the Incident Management Administration page (Administration → Alerts → Incident Management), under the rule “Configuration Change Alerts”. The alert rule itself can also be edited or deleted, if desired. However, there is no reset! Even though it is a default rule, if it is deleted, it will have to be recreated manually.
Service Checks Associated with Config Manager
While config manager’s configuration check is a singular built-in check with no settings, there are also two service checks associated with the config manager: the “Authentication” passive service check and the “Cisco Configuration Save Alert” active service check. Both are detailed below.
Authentication Service Check
The “Authentication” service check is a passive service check added to every device per the “Default” device template. This particular service check is only updated by the config manager, and is used to alert on a failure of the device’s authentication credentials. Any failure by the config manager to retrieve a configuration file (scheduled, manual, or triggered) will cause a WARNING alarm state for this check (resulting in an alert notification).
Please note, however, that this check is intrinsically tied to the config manager. If the config management criteria mentioned above are not all met for the respective device (resulting in the device being ignored by the config manager), this check will always remain in an OK state for the given device (since it’s passive). This means that even if the device does have bad credentials, if config manager is not managing the configuration files for it, this check will never alert you about those bad credentials.
Although this check is directly tied to the config manager, the incident opened by this check because of an authentication failure alarm is completely separate from and unrelated to the incident opened by the config manager itself due to a detected configuration change. These two events generally shouldn’t happen together for a single device anyway, but the distinction is useful to make for troubleshooting purposes.
By default, this service check uses the “blackhole” action group as the only selected action group in its alarm configuration. This means that no alert notifications are sent when an authentication failure alarm causes an incident to be opened. However, the alarm is displayed in the “Services” column of any Tactical Overview dashboard widgets, as well as in the Config Manager dashboard (both of which are also represented on the Consolidated Dashboard). Administrators may add or change the action groups selected for this passive service check in the “Default” device template (Administration → Templates) if they wish to receive alert notifications about an authentication failure of the config manager.
Cisco Configuration Save Alert Service Check
For Cisco devices only. A “Cisco Configuration Save Alert” active service check can be added to a device to trigger a configuration check for that device outside of the normal schedule if the “last configuration change” timestamp on the device changes. The use of this service check on a Cisco device provides a much closer to real-time response to any configuration changes that might occur, since the “last configuration change” timestamp in a Cisco device is updated any time a user enters configuration mode while logged in to the device, even if no changes were actually made. However, when the triggered configuration check is run, if no changes are detected in the retrieved config, OmniCenter will still ignore the event for configuration management purposes. Like all active service checks, this check typically runs every three minutes (although this schedule is adjustable within the check).
See Cisco Configuration Save Alert Service Check for more information about this service check.