Change Management / ProScan

Open Manage Network Manager’s change management utility is ProScan, which lets you scan stored configurations to verify managed devices’ compliance with company, department or industry standards. This application automatically tracks all changes occurring to managed devices. You can report on user-specified values found in persisted backup configuration files for a group of devices. This lets network managers, security officers and external auditors generate detailed audit trail documents to validate compliance with both internal standards (ISO 17799, NSA Guidelines) and industry regulations (Sarbanes-Oxley, GLBA, HIPAA).

Compliance reporting lets you specify a text string, a regular expression, or optionally the generated configlet from File Management (NetConfig) for matching. Group results must be separated by device, as in Adaptive CLI Manager. When ProScan policies run, the application emits notifications whose contents depend on whether or not compliance was maintained.

Your system may have several ProScan examples. You can use these as provided, or alter them to suit your network.

Use ProScan / Change Management

The following outlines common use cases for this software, and the steps to achieve the goals of each case:

Goal: Verify configurations are compliant on a scheduled / recurring basis.

1. Create ProScan policy(ies) based on what indicates compliance. Right-click New > Policy in the ProScan portlet.

2. Specify the Name and Input source (based on Device Backup, Current Config, Configuration Label, By Date and Adaptive CLI Results).

3. Add Targets > Filter Option available for selecting Equipment/Group

The advantage of selecting dynamic device groups is that newly discovered devices of the selected type are automatically members of the group, so they are scanned too. A benign warning (“No proscan policies have target group(s)”) lets you know you have not selected groups when you execute a ProScan policy without them.

4. Specify Proscan Compliance Criteria. Add Criteria. For example, SNMP communities Do not contain the following:

snmp {

community public {

5. Save.

6. Execute or schedule your created ProScan policies.

7. Any out-of-compliance devices throw an alarm, which you can email, or configure to trigger other actions (see the next use case).

Goal: ...and if not compliant, restore a compliant configuration.

In addition to the steps in the previous section:

8. In the Actions portlet, create an action to restore the labelled compliant configuration.

The Action here is Netconfig Restore. Configure it to restore the Compliant labeled configuration in the screen that appears next.

9. Create an event processing rule that says when ProScan fails, execute the restore action in 7.

If you have multiple device types, you do not need to assign actions for each device, or even each device type. Open Manage Network Manager supports the assigned policies, so it knows which actions to perform on that device based on which device sent the trap.

Configure ProScan Groups

If you have different ProScans for different device types, then you can run a ProScan Group and automatically scan even different types of devices. For more about this, see Creating or Modifying ProScan Policy Groups.

1. Right-click and select New > Group.

2. Specify the Proscan Policy Group Parameters.

3. Add ProScan Policies. These policies can be in multiple groups.

4. Add Targets. Notice that group targets appear in the “child” policies, grayed out. Child policies can add more targets.

5. Save.

6. Execute or schedule the group policies to run against the selected targets.

Do Change Management (Example)

The following describes an example use of Change Manager. This backs up a configuration file, modifies it, then scans the file for the modified text, and acts according to the result. The following steps describe how to do this:

1. Back up a device configuration. Select a device and click the File Management > Backup right-click menu in Managed Resources portlet.

2. Right click, and Export this backup to a file in the Configuration Files portlet.

3. Edit this config file, adding the word “MyTestContact” somewhere in its text that has no impact. For example, the snmp-server contact, or in comments. Some devices let you create descriptions within their configurations so you can enter a word without impact there.

4. Now import this edited file from the Managed Resources portlet after you have right-clicked on the same device from which you exported it. Renaming it something distinctive is helpful.

5. Right-click this file and Restore to the device. Since the name is a comment or description, it should not interfere with the device’s operations.

6. Right-click the device and select File Management > Backup. This makes the MyTestContact file label Current.

To confirm MyTestContact is labeled Current, you can use an Advanced filter in the expanded Configuration Files portlet to view only Current labels.

7. Now, create a ProScan policy by right-clicking in the ProScan portlet, selecting New > Policy.

8. In the General tab, name this policy MyTestContactScan, and as an input, select the Configuration Label > Current label as the Input Source.

9. In the Targets tab, select the equipment from which you exported the config file.

10. In the Criteria tab, click Add Criteria and enter contains MyTestContact as the Match All of the following criteria.

11. Click Save.

12. Right-click the new policy and select Execute Compliance.

13. The audit screen that appears should indicate Success.

14. Right-click and Open the MyTestContactScan policy, and change the Criteria to “does not contain” MyTestContact.

15. Save.

16. Re-execute the policy.

17. The audit screen that appears should indicate Failure.

Alarms / Events

Once you have a ProScan policy that has failed, the redcellProScanFailureNotification alarm appears in the Alarms portlet. Success produces an event, not an alarm (visible in the Event History portlet) called redcellProScanClearNotification.

To create a response, create processing rules for the event / alarm (see Event Processing Rules). For example, you could restore the Compliant-labeled configuration file if redcellProScanFailureNotification occurs, or send an e-mail to a technician, among many other responses.
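The criteria logic used in the two procedures above (the SNMP "Do not contain" criterion and the MyTestContact scan) can be reproduced offline against exported backups. This is an added sketch, not Open Manage Network Manager code: the function names, the whitespace-normalized matching and the sample configurations are assumptions; only the criteria text and notification names come from this page.

```python
import re

# Constructed sample backups, keyed by device name (not from real devices).
BACKUPS = {
    "edge-1": 'snmp {\n    community public {\n        authorization read-only;\n'
              '    }\n    contact "MyTestContact";\n}\n',
    "edge-2": "snmp {\n    community n0c-ro {\n        authorization read-only;\n    }\n}\n",
    "edge-3": 'snmp {\n    location "lab";\n    community public {\n'
              "        authorization read-only;\n    }\n}\n",
}

FAIL = "redcellProScanFailureNotification"   # notification names as given on this page
CLEAR = "redcellProScanClearNotification"

def _norm(text):
    """Collapse whitespace so a multi-line criterion matches despite indentation (assumption)."""
    return re.sub(r"\s+", " ", text).strip()

def criterion_holds(config, op, pattern, regex=False):
    """op is 'contains' or 'does not contain'; pattern is literal text unless regex=True."""
    if op not in ("contains", "does not contain"):
        raise ValueError(f"unknown operator: {op}")
    if regex:
        found = re.search(pattern, config, re.MULTILINE) is not None
    else:
        found = _norm(pattern) in _norm(config)
    return found if op == "contains" else not found

def run_policy(backups, criteria):
    """'Match All' semantics: compliant only if every criterion holds.
    Results are kept separate per device: {device: notification name}."""
    return {
        device: CLEAR if all(criterion_holds(config, *c) for c in criteria) else FAIL
        for device, config in backups.items()
    }

# Literal criterion from step 4 of the first procedure.
NO_PUBLIC = [("does not contain", "snmp {\ncommunity public {")]
# Regular-expression form of the same intent (hypothetical pattern).
NO_PUBLIC_RE = [("does not contain", r"^\s*community\s+public\b", True)]
# Criterion from the MyTestContactScan example.
HAS_CONTACT = [("contains", "MyTestContact")]

if __name__ == "__main__":
    for name, policy in [("literal", NO_PUBLIC), ("regex", NO_PUBLIC_RE), ("contact", HAS_CONTACT)]:
        print(name, run_policy(BACKUPS, policy))
```

In this sketch the literal criterion reports edge-3 as compliant because another statement sits between `snmp {` and `community public {`, while the regular-expression criterion flags it. When a criterion spans lines, test it against a known non-compliant backup before scheduling the policy.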

Some Limitations in this Example

Note that this example does not change authentication, either for telnet or SNMP. If it did alter the SNMP authentication, you would have to create an SNMP authentication alternative before scanning could occur.