SANnav – Configuration Policy Feature

Brocade CIS SAN

Text: Brocade CIS SAN Telegram channel

Configuration Policy is a SANnav feature. Configuration Policy is a great tool for ensuring your switch/Director configurations are set up identically across all of your Brocade products, even if those products are configured in Access Gateway mode. Beyond just monitoring for configuration drifts, this tool can be used to synchronize switch settings across all of your products.


• Configuration Policy is located under SANnav->SAN Monitoring->Configuration and Operations Monitoring Policy


• A Configuration Policy allows you to learn how one switch/Director is configured and then check to see if other switches/Directors in your fabrics are configured identically – if they’re not, they’re considered to have drifted away from the desired configuration

• Configuration policies consist of blocks or blocksets, and there are only two types of blocksets:
  • A MAPS policy blockset
    • This blockset is all of your FV MAPS rules
    • This blockset is really just your single FV MAPS policy with all of its associated rules
  • Switch/Director configuration blocks
    • This blockset is all of your switch configuration information
    • This blockset consists of a single block, multiple blocks, or all available switch configuration blocks such as the DNS block or NTP settings block
    • See below for a complete listing of supported configuration blocks

• You can manually enter the information for individual blocks/settings you’d like to monitor for drifts, or you can learn the configuration information by importing the block information from a file (JSON format) or from a running switch/Director

• When importing from a switch, you can either:
  • Import Configurations
    • These are the switch configuration blocks
    • Note that these blocks also include MAPS configuration information not related to actual rules, namely: MAPS actions, MAPS emails, MAPS FPI Profiles, and MAPS Global Quiet Time settings
  • Import MAPS
    • The actual MAPS policy and its associated MAPS rules

Note: You can’t do both Configurations and MAPS at the same time

Note: Imported blocks that are empty will show up with a red alert triangle next to them
  • For example, if you import the NTP configuration from a switch and NTP was not configured on that switch, the NTP block will show up with a red alert triangle next to it

• If one or more switches have drifted away from the desired configuration, you can simply select Sync to synchronize their settings – BOOM done

• Different configuration policies can be used to monitor different groups of ‘like-configured’ switches


• Miscellaneous Notes:
  • Configuration drifts are monitored for every 15 minutes starting at the top of every hour
  • SANnav will never allow you to sync a setting which is disruptive in nature. Any setting which is disruptive to a switch is for monitoring purposes only
  • If a configuration policy contains one or more configuration blocks not supported by a monitored switch, SANnav will filter those blocks out and not push them to those switches
  • When viewing a policy, there is a Push to Switches action available to force or push that policy’s configuration onto the switches associated with that policy
  • Note that there is a Configuration Drifts widget available under the main screen Dashboard View


Configuration Policy blocks available in SANnav 2.2.0x include:


Operational Configuration Blocks for Chassis:

• Authorization (Auth) Configuration
  • Which Authentication Mode
  • Backup enabled Y/N?
  • Log Primary Messages Y/N?

• Audit Configuration
  • Which classes are enabled for auditing, and at what severity level

• Chassis Configuration (Monitor Only)
  • HA Enabled Y/N?
  • Virtual Fabrics Enabled Y/N?

• DNS
  • Domain name configured
  • Primary and Secondary IP addresses
  Note: This is invaluable for the initial FV MAPS email set up!

• FCIP Configuration
  • The list of values you can check is extensive and pretty much all-encompassing

• Firmware Version (Monitor Only)
  • Firmware version

• FTP
  • The usual settings
    • Remote Directory
    • Protocol
    • Server Connectivity Check Interval

• IP Filter Policy
  • Everything you would expect
  Note: Great for ensuring Telnet has been consistently blocked
  • Shows all IP Filters for IPv4 and IPv6 along with configured TCL rules

• LDAP
  • IP Address/Hostname
  • Port
  • Timeout
  • Domain Name

• LDAP Role Map
  • LDAP role
  • Chassis role
  • Switch role
  • Home Virtual Fabric ID

• Password Configuration
  • All things password control – it’s extensive!

• RADIUS
  • All things RADIUS

• SNMPv3 ACL
  • Listing of IP addresses and their RO/RW setting

• SNMPv3
  • Everything you would expect (accounts and recipients)
  • Informs Enabled Y/N?
  • Get/Set Levels of Security

• Syslog Destination
  • Standard settings
  • Whether in Secure Mode Y/N?

• TACACS+
  • All things TACACS+

• Time Zone
  • Configured Time Zone

• User Accounts (Monitor Only)
  • Detailed
  Note: Tremendous for security consistency


Operational Configuration Blocks for Logical Switch:

• Banner
  • The login banner

• Fabric Configuration (Monitor Only)
  • Insistent Domain ID Enabled Y/N?

• F-Port Configuration (Monitor Only)
  • Some fairly deep F-Port login enforcement restrictions and rules

• NTP Time Server
  • IP Address/Hostname
  • Active Server

• Port Configuration
  • Dynamic D-Port enabled Y/N?
  • On-Demand D-Port enabled Y/N?

• Switch Configuration
  • WWN PID ID Mode enabled Y/N?
  • Edge Hold Time
  • Area Mode

• Zone Configuration
  • Node Name Zoning enabled Y/N?


MAPS Configuration Blocks

• Actions
  • The complete listing of MAPS Actions

• Email
  • Relay Host and Domain Name
  • Email From field
  • Email To field (up to 5 emails)

• FPI Profiles
  • Using default E or F-port configurations, or custom profiles

• Quiet Time
  • Enabled Y/N?


Important: The Configuration Policy tool in SANnav has FOS version dependencies

• Per the SANnav Management Portal User Guide, for most of the Configuration Policy tool to function properly, your switches have to be running FOS v8.2.1 or later, ideally v8.2.1b or later. Per our recommendations, these days you should be running FOS v8.2.3c1 or later

• If you have switches running FOS versions prior to v8.2.1b, we do not recommend they be monitored for configuration drifts

• If you’re attempting to monitor or synchronize drifts on switches running FOS versions prior to v8.2.1, your results will vary
  • You may have SANnav indicate Success when syncing, even if the sync was not actually successful
  • You may have SANnav indicate In Sync after synchronizing, despite the older systems not actually being In Sync

• Therefore, for legacy FOS v7x switching, we suggest you do your configuration monitoring the old-fashioned way – one switch at a time


Important: We suggest you use this tool to ensure your SNMPv3 configuration is consistent across your entire environment

• This is a key part in ensuring MAPS-detected violations are successfully delivered to SANnav via SNMP traps

• On several occasions, I’ve come across customer environments in which switches/Directors were experiencing SNMP communication issues over to SANnav despite the switches being successfully discovered by SANnav

• This can be bad in the sense that SANnav may not be receiving:
  • Fabric Vision MAPS alerts and all SNMP traps
  • Performance information - depending on your FOS version and product generation

Note: SANnav’s Configuration Policy tool can really help here!

• Unique to Brocade - instead of tracking down where the issues stem from (be it with the account, access settings, ports used, table entries etc.), you can simply use this tool to create a template for SNMP ACLs and SNMPv3 Settings
  • Use this tool to learn from a switch which is configured properly and working
  • Then use this tool to tell you which switches/Directors are not configured identically
  • Lastly, instruct this tool to sync the settings up from the good switch to the misconfigured switch(es), and you’re done, they’re all configured identically

Note: Once a switch is set up to monitor for configuration drifts, if a drift does occur, 5 points will be deducted from that switch’s Health Score in SANnav’s Health Summary Dashboard
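The learn / compare / sync cycle described just above, together with the Miscellaneous Notes earlier (unsupported blocks filtered out, disruptive settings monitored only, empty imported blocks flagged, the 5-point Health Score penalty), modelled as an added example; this is not SANnav code or its API, block names come from this post, and every switch value below is a constructed sample.

```python
# Added illustrative model of the drift check / sync behaviour this post describes.
# Not SANnav code and not its API; block names come from the post, all switch
# data below are constructed sample values.
from copy import deepcopy

MONITOR_ONLY = {"Chassis Configuration", "Firmware Version", "User Accounts"}  # never pushed
DRIFT_PENALTY = 5  # Health Score points deducted when a switch has drifted

def learn_policy(reference):
    """Learn desired blocks from a known-good switch; empty blocks are
    returned separately (the red alert triangle in the post)."""
    policy, empty = {}, []
    for block, settings in reference["blocks"].items():
        if not settings:
            empty.append(block)
        policy[block] = deepcopy(settings)
    return policy, empty

def check_drift(policy, switch):
    """Return {block: desired} for every supported block that differs;
    blocks the switch does not support are filtered out, not flagged."""
    return {block: desired for block, desired in policy.items()
            if block in switch["supported"]
            and switch["blocks"].get(block) != desired}

def sync(policy, switch):
    """Push drifted, non-disruptive blocks onto the switch in place.
    Returns (pushed_blocks, blocks_left_for_monitoring_only)."""
    pushed, skipped = [], []
    for block, desired in check_drift(policy, switch).items():
        if block in MONITOR_ONLY:
            skipped.append(block)
        else:
            switch["blocks"][block] = deepcopy(desired)
            pushed.append(block)
    return pushed, skipped

def health_score(policy, switch, base=100):
    return base - (DRIFT_PENALTY if check_drift(policy, switch) else 0)

# Constructed sample data: a good reference switch and one that has drifted.
NTP = {"servers": ["192.0.2.1"], "active": "192.0.2.1"}  # identical on both switches
GOOD = {"supported": {"SNMPv3 ACL", "NTP Time Server", "IP Filter Policy", "Firmware Version"},
        "blocks": {"SNMPv3 ACL": [{"ip": "192.0.2.10", "access": "RW"}], "NTP Time Server": NTP,
                   "IP Filter Policy": {"telnet": "deny"}, "Firmware Version": "9.0.1b"}}
DRIFTED = {"supported": {"SNMPv3 ACL", "NTP Time Server", "Firmware Version"},
           "blocks": {"SNMPv3 ACL": [], "NTP Time Server": NTP, "Firmware Version": "8.2.3c1"}}
```

Running `sync(learn_policy(GOOD)[0], DRIFTED)` pushes only the SNMPv3 ACL block; the Firmware Version mismatch is reported but, being Monitor Only, is left alone, and the IP Filter Policy block is ignored because the drifted switch does not support it.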


Configuration Policy’s Incorporation of Fabric Vision MAPS


SANnav engineering has incorporated most of FV MAPS policy and rule management into Configuration Policy management. Given the extensive engineering efforts made, moving forward Configuration Policy management will likely be all you need to fully manage FV MAPS.


To level set:

• SANnav automatically creates the following Configuration Policy blocksets:
  • SANnav Aggressive Policy blockset
  • SANnav Moderate Policy blockset
  • SANnav Conservative Policy blockset
  • SANnav Base Policy blockset

• These SANnav MAPS blocksets are purposely all-encompassing and are purposely read-only

• They include the supported MAPS groups and rules for every FOS version and every switch type that has been discovered by SANnav 

• SANnav automatically maintains this database of MAPS categories, groups, rules, measurement types, thresholds, and actions

• Even if a new type of switch is discovered by SANnav, or if any new FOS version is encountered by SANnav, it doesn’t matter – SANnav automatically adds the new information to its MAPS blockset database

Note: After FOS upgrades to net-new-to-SANnav FOS versions, all default MAPS blocksets are automatically updated with new or changed rules

• If you are using the SANnav->Configuration Policies Management tool, and if you’re using a default SANnav Policy blockset for MAPS monitoring, then you’re basically all set

• Unfortunately, just like in MAPS, you are not allowed to modify/edit any of the default SANnav policy blocksets and their underlying rules

• Therefore, to create an editable policy, you have to clone the default SANnav policy blockset by Viewing the default blockset and performing a Save As operation making it editable

• If you then modify your MAPS blockset, you can simply select Actions->Push to Switches to push the edits to every switch associated with that policy

• Think of this as the new Distribute capability you used in the MAPS Policy Management area of SANnav

• As mentioned above, SANnav automatically updates the default SANnav MAPS Policy blocksets when new products or new FOS versions are discovered by SANnav
  • When this happens, within SANnav->Configuration Policies Management, if the updated SANnav default blockset has additional or different default rules than what is in your current policy’s MAPS blockset, a warning icon will appear next to that policy
    • If this happens, it’s a good thing
    • Using the dropdown chevron, View the policy
    • Select the MAPS blockset with the notification icon, and then select Show Changes from the dropdown chevron
    • A Rule Changes window will then display all of the changes, which you can individually Accept or Ignore
    • Once you’ve looked at all of the changes, your updated MAPS blockset is ready to go and can be distributed to all other associated switches using the Push to Switches action


The ultimate goal of this tool is to allow you to use a single MAPS blockset to monitor any mix of Directors, switches, FCIP/IPEX products, or Access Gateway mode products regardless of FOS versions mix – that is of course unless you want different policies monitored for different product groups – that’s fine too.

To make this function, you can simply clone one of the SANnav default blocksets to create an editable blockset. You would then customize the rules to your liking, and use this editable SANnav MAPS blockset to monitor every one of your products. If you make any changes to the blockset, simply select Actions->Push to Switches to push the updates to every product you’ve set to monitor with that configuration policy.

Alternatively, you can start by using your existing and therefore already customized MAPS policies. To make this function, you would import your existing MAPS policy into a blockset by going to SANnav->Configuration Policies Management->Blocks, selecting + and Import, and importing your existing MAPS policy from a switch. On the next default SANnav MAPS policies update, you’d hopefully get the warning icon next to your policy and be allowed to show the changes which you could accept or ignore. 
