New Features and Improvements of NCM 7.4
In case you missed the first two blogs you can find them here:
- Part 1: Leverage more from Network Configuration Manager (NCM)
- Part 2: Implementing Security with Network Configuration Manager (NCM)
Cisco Live was definitely a great time and visiting with all of the current customers and soon to be was perfect for this blog. I was able to see how people were wanting to use the new features and also what they wanted to know more about. So in this blog we are going to jump into how to use these new features and improvements. So hold on tight and get your NCM up in front of you to follow with me if you would like!
This blog will cover:
- Cisco IOS and ASA Vulnerabilities
- Enhanced Change Approval
- Device Template Wizard
- Automatic Compliance Remediation
Cisco IOS and ASA Vulnerability Reporting
Lets enable this feature now by following these steps:
- Login as an admin account for you NCM website.
- Go to the NCM Settings
- Scroll to the Advanced Section
- Click on the Firmware Vulnerability Settings
- You'll see the following screen below
- Click the Enable daily auto run of vulnerability matching logic
- Adjust time if needed for it to be executed
- If on a closed network click the "How to manually import xml files?
- Now choose to Run Now so your resource on your NCM summary page will be filled once the scan is complete
(For proxy user information scroll to the comments where this was answered.)
5. The NCM summary resource will populate similar to the below:
6. From this resource you are able to click in to each vulnerability and see the nodes that are connected to this.
7. This is where you will see the web link to the national vulnerability database for each issue and can see the remediation that is needed to resolve.
Now this is where you are able to make your decisions based on your needs. Some may not be an issue for so you can change these to low priority. Others may be critical and leave as high priority. You are able to set these and apply to all nodes or partial nodes. If you are needing to roll out a change you can sat scheduled and leave comments so everyone can see. If you need to roll out an IOS update or make a change on the device you can then schedule this in the Jobs and have it to execute your change or use the Config Change templates to remediate the vulnerabilities.
Here is a picture of vulnerability that will be applied to one of the devices and scheduled for a later date and time to be resolved:
Pretty simple, huh? This can be used to help you with any security or company audits to stay ahead of security issues. You are able to show and track everything you change and comment on through the reports found here:
The report will look like the following (notice it tracked my changes that I did above):
Now you may have heard or known that you can be alerted to potential vulnerabilities. Here is where you enable this alert so you can adjust and setup for your needs.
- Click on your settings top right of your webpage by the logout
- Scroll to the Alerts & Reports section
- Click on Manage Alerts
- Scroll to NCM Audits
- Scroll through these and find the "Vulnerability State Changed"
- Enable this and you are ready to go!
- Reports and ability to drill into the vulnerabilities out-of-the-box:
Enhanced Change Approval Workflow
PCI compliance is increasing to a two tier approval change approval. Luckily, NCM has improved this feature to allow you to do this with ease. While at Cisco Live several people wanted this to be within their company as the more eyes on changes being made the easier it is to prevent human errors and potential downtime.
I'm going to go through the process with you here so you know how to use this either for one or two step approvals.
- Login as a local admin
- Go to your NCM settings
- Click on the Setup Wizard
- Then choose from the following:
- One-level approval
- Two-level approval for non privileged users
- Two-level approval for all users
![13.jpg]()
- Then click on submit
- Here is where your SMTP information is verified or placed if you have not setup this information in the past. Click submit when completed.
- Now to setup your Admin email information click submit
- User roles
- This is were you setup who is approves at level one and/or two.
- Click Finish and you are not ready to start preventing change errors!
![11.jpg]()
- When you have this setup you are now able to manage your approvals. As in my previous blog you will know that you are able to edit the change script or action, Approve, or Deny at any level. You are able to do this also with comments and send to the requester for their information and learning benefits.
- Reports are useful for tracking changes
Device Template Wizard
This is technically my favorite new addition to NCM! This is because use to in order for you to create a device template for a device that was not out of the box (around 100 device templates included with NCM) you would have to call in or create a support ticket. Some knew how to adjust the templates and would manually do this themselves as well. Not anymore!
So when would you use this feature? If you have a device that currently is not being recognized or if you are unable to get a device to download that is when you would use this feature of NCM.
Let me walk you through how to use this:
- Login as admin and go to the NCM settings
- Scroll to the advanced location
- Click on the Device Templates
- From here you are able to choose add new or edit an existing template
- Edit one if it is similar to a device that you know of
- Don't worry we will not let you overwrite out of the box templates
- For my example I am going to choose "add new"
- Using Interactive Wizard
![15.jpg]()
- You can choose XML if you are familiar with the template process, however I caution you on this if you have not done this in the past. Slight errors can cause the template to not work.
- Now I will choose the device I am wanting to work one on one with and create a template for and click next
- Even if the device shows up as unknown you can choose it as this is commands for the device
![16.jpg]()
- Specify what I want the template used for and click next
- Here is where I place my access info for the device
- For additional login etc I have clicked the advanced portion to give more options
![18.jpg]()
- I can also test my access from here and see the output section so I can adjust if needed.
- Now I can place the information needed for the downloading and/or executing scripts that I choose in Step 7
- I can verify these as well with the test feature then click next when satisfied
- Here I can save my template and assign to the nodes I want it to be used by
- Ability to fix connections from configuration management tab
Pretty simple! People have also told me they use this for one on one troubleshooting on connecting with devices. I'm sure you will find this just as useful as well for your operational needs.
Automatic Compliance Remediation
Why would you use automatic remediation on out of compliance reports? Well as I have stated before the compliance reports are a huge opportunity for everyone not just healthcare, federal, or PCI auditing businesses. You are able to use this with your own security policies by setting up your personal compliance reports. Or pick and choose from existing to create a report that suits your needs.
Standardization of configurations is something several people use the compliance reports for. Sometimes the simplest things that can cause your network to be in trouble or for you to lose a bonus check... Example, customer stated he had to have a legal banner on all network devices. He assumed he had all of this. However, when randomly checked he did not have the banner on all of the devices. I showed him how you can setup an automatic remediation to his banner report so he doesn't have to worry about that again!
Since I have covered compliance reports in the past I am going to show you the new addition to these by using the automatic remediation.
- Go to your Configs Tab>Compliance ( you can also manage from your NCM settings)
- Click on the "Manage Policy Reports"
- Now to adjust a remediation where do you go? Yes manage Rules!
- Fill in the criteria you want
- Mine is going to be looking for a banner
- Place the script to remediate the violation
- Now I will enable for automatic remediation
- I can now submit
- Then I can add a new policy and choose the Rule I created, or add the rule to an existing policy
- Then create a new report and add the new policy or use one that had the existing policy that I just added the rule to.
- Now anytime the report is ran it will automatically remediate the banner! I can schedule the report to be ran in my jobs.
The compliance reports are easy to use and completely broke down. Just remember the following tips:
- Rules are specific and have a remediation set to them
- Gather rules to create a Policy or add to existing policies
- Create a new report to include policies or add policies to existing reports
I hope this information has been useful for you. There will be an ebook coming on common uses and implementations of NCM I'll keep you posted on when it will be available. The poll is still open for voting until June 24th so vote vote vote! Ebook poll voting
For further questions or how to's please comment below as I would be happy to assist on any of the topic we went over above. Compliance remediation, device templates, enhanced change approval, and of course vulnerability reporting. You can also add me as a friend and message me any topics you would like to know more about and I will create some step by steps for you and others so we can have you fully using NCM!
~Dez
Twitter @Dez_Sayz