Using Itential’s Configuration Manager network teams can quickly build compliance rules for any network device, routers, switches, or even firewalls, and check these devices for compliance. If any of these network devices are reported as out of compliance, the same application can automatically remediate them so that they are compliant again. The process to do this is very straightforward and takes very little time for anyone to get started.
How to Build a Golden Configuration for Network Devices with Itential
Identify a Network Device
First, determine which device represents the best example of a Golden Configuration for this type of network device. We can use this device’s running configuration as a starting point for a Golden Configuration template that can be applied to multiple devices.
Once the device is available through the federated inventory, you can access the device’s running configuration in real-time within Configuration Manager, under the “Devices” section on the left-hand navigation menu.
However, an even more convenient method is to build the Golden Configuration from a device’s configuration in real-time by accessing it directly as you build the Golden Configuration tree, which is what we will do next.
Create a New Golden Configuration
Navigate to the left-hand menu and click the plus “+” sign to create a new Golden Configuration for this group of network devices, in this example, core routers. Choose a descriptive “Name” for this Golden Configuration, select the appropriate network OS from the drop-down menu, and finally click “Create”.
This will start off with a base node configuration, which we can rename to something more descriptive. In this example, we will rename the base node to “All Routers.” Configuration Manager allows you to build a Golden Configuration as a hierarchy, where configuration applied to a node is inherited by the nodes beneath it. This allows you to organize configuration lines into specific nodes that range from globally applicable settings to very specific features. Since this is the base node, it will include commands that apply to all routers in the tree.
Import Configuration Statements
As mentioned earlier, we can directly import a configuration in real-time from a device in the federated inventory. Under the “Configuration” tab in the main window, click on the “Import Configuration” icon.
From this new window, you can select the network device from the federated inventory that we determined is the best example for a Golden Configuration. Navigate through the list, and click the plus “+” icon to import the configuration.
The configuration section will be populated with the entire running configuration of the chosen device. From here, you can edit the configuration commands and reduce them to the sections that you wish to be globally applicable to these types of devices. In this example, we are including three lines:
ip http server
ip http authentication local
ip http secure-server
Every line in the Configuration editor can be assigned a rule that marks it as Ignored, Required, or Disallowed. In this example, we have assigned a Disallow rule to the “ip http server” line, since the unencrypted HTTP management interface is a security violation and shouldn’t be enabled on any router. Every line can also have one of three severity levels (Info, Warning, or Error) associated with it.
Create Additional Nodes
Now that we’ve finished the first node of the Golden Configuration, let’s create the next node under it. On the left side, next to the “All Routers” node, click on the 3 dots, and select “Add Child” from the menu. This will create a new node under “All Routers,” colored in green, with a unique name.
Using the same method as we discussed earlier, rename this new node “US Routers”. It will hold configuration lines that are applicable for Core Routers that are located in the US.
Import the configuration for a device, as we did earlier, and edit the lines down to the subset of configuration that would be unique to devices located in the US. Features like syslog or NTP that define servers which need to be located within the US are good examples.
Repeat the process of creating a new child node, renaming it, and importing the configuration to a third node. This node is named “Atlanta” and represents the most specific configurations for a single router. In this case, we are defining a hostname and snmp location that should only be unique to a single device.
Notice that as we view the completed Golden Configuration from the most specific node, we have inherited all of the configuration sections from the previous nodes. Any additions or changes to the previous nodes will be reflected in the most specific node.
Assign Your Device(s) to a Node
Now that we’ve built our multi-node Golden Configuration, we can assign a device or multiple devices to any node of the golden configuration tree. We could assign a group of network routers to the “US Routers” node, and the golden configuration for those devices would be based on the blue and green nodes, but not the orange nodes. This is a powerful feature that reduces the need for multiple files for nearly every router.
We can assign a network router to the most specific node of the tree. Here, we assign the CORE-ATL-0 router to the orange “Atlanta” node of the tree, which will include all of the golden configuration nodes that we have defined so far.
From the “Atlanta” tree, click on the “Manager Devices” tab, and then click the “Add Devices” button. This will present the federated inventory where we can click on the arrow icon to select the device to assign to this node. Click “Apply” to save the setting.
Run a Compliance Report
Now that we’ve created a Golden Configuration tree and assigned a network device to the Atlanta node, we can run a compliance report. This will compare the configuration of the assigned device to the Golden Configuration template that we defined and determine whether it is in compliance.
Click on the 3 dots next to the device name, and select “Run Compliance” from the menu.
In a moment, the compliance check will complete and the compliance section will update. Here, we can see that the check determined that this device is out of compliance. This is because we created a rule that disallows the “ip http server” configuration command on the “All Routers” node, which was inherited into the “Atlanta” node, which is where this device is assigned.
View a Compliance Report
Click on the 3 dots again, and now choose “View Compliance” to see the details of the compliance report.
From this screen, you can see this device’s compliance history at the top, and if the latest compliance check generated any warnings or errors, the config lines and rules that violated the standard are listed under the “Configuration Errors” section.
Remediate the Device
In this example, we can see the configuration line that caused the compliance check failure: “Disallowed config found: ip http server”. From here, we also have the option of remediating the device by selecting each line and clicking “Apply” to allow the application to update the device’s configuration and bring it back into compliance.
When the remediation process is complete, you will see a window that details every configuration line that was updated on the device. In this example, the line “ip http server” was removed from the “CORE-ATL-0” device.
Now the device should be compliant with our Golden Configuration. To verify that this is the case, simply run another compliance report by clicking the 3 dots and selecting “Run Compliance” again. When the compliance check completes, the compliance bar will turn completely green, which signifies that no problems were found and the device is in compliance.
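The node hierarchy, rule evaluation and remediation walked through above, as an added Python model that is not Itential’s code: child nodes inherit every ancestor’s lines, the compliance check flags Disallowed lines that are present and Required lines that are missing, and remediation negates or adds the offending lines. The NTP server address, the CORE-ATL-0 running configuration and the IOS-style “no” negation are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Rule types and severities mirror the ones the article describes.
DISALLOWED, REQUIRED, IGNORED = "Disallowed", "Required", "Ignored"

@dataclass
class Line:
    text: str
    rule: str = REQUIRED
    severity: str = "Error"   # Info, Warning or Error

@dataclass
class Node:
    name: str
    lines: list = field(default_factory=list)
    parent: "Node" = None

    def effective_lines(self):
        """Walk up to the root so a child inherits every ancestor's lines."""
        chain, node = [], self
        while node:
            chain.append(node)
            node = node.parent
        return [ln for n in reversed(chain) for ln in n.lines]

def check_compliance(node, running_config):
    """Compare a running config against the node's effective Golden Configuration."""
    present = {l.strip() for l in running_config.splitlines() if l.strip()}
    findings, remediation = [], []
    for ln in node.effective_lines():
        if ln.rule == DISALLOWED and ln.text in present:
            findings.append((ln.severity, f"Disallowed config found: {ln.text}"))
            remediation.append(f"no {ln.text}")   # assumes IOS-style negation
        elif ln.rule == REQUIRED and ln.text not in present:
            findings.append((ln.severity, f"Required config missing: {ln.text}"))
            remediation.append(ln.text)
    return findings, remediation

def apply_remediation(running_config, remediation):
    """Apply the remediation commands to the (text) running config."""
    lines = [l.strip() for l in running_config.splitlines() if l.strip()]
    for cmd in remediation:
        lines = [l for l in lines if l != cmd[3:]] if cmd.startswith("no ") else lines + [cmd]
    return "\n".join(lines)

# Constructed tree from the article: All Routers -> US Routers -> Atlanta.
all_routers = Node("All Routers", [Line("ip http server", DISALLOWED),
                                   Line("ip http authentication local"), Line("ip http secure-server")])
us_routers = Node("US Routers", [Line("ntp server 10.0.0.1")], all_routers)  # constructed NTP address
atlanta = Node("Atlanta", [Line("hostname CORE-ATL-0"), Line("snmp-server location Atlanta")], us_routers)
# Constructed running config for CORE-ATL-0, with the disallowed line present.
CORE_ATL_0 = ("hostname CORE-ATL-0\nip http server\nip http authentication local\n"
              "ip http secure-server\nntp server 10.0.0.1\nsnmp-server location Atlanta\n")
```

Running `check_compliance(atlanta, CORE_ATL_0)` reports only the inherited “Disallowed config found: ip http server” finding, and a second check after `apply_remediation` returns no findings, mirroring the green compliance bar.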
Itential Configuration Manager makes it simple for any network team to quickly build Golden Configurations for any CLI-based network device or API-based cloud service, run compliance reports, and remediate any part of the network so it always remains compliant. The network team can continue to build and evolve Golden Configuration templates for the entire network, and utilize Itential’s Automation Platform to build powerful workflows for compliance, validation, and infrastructure automation.
Get Started with Itential
Start a 30 day free trial, or contact us to discuss your goals and how we can help.