Channel: THWACK: Popular Discussions - Network Configuration Manager
Viewing all 4266 articles

Cipher protocols supported by NCM SSH


FYI, just hit an issue following the upgrade of the OS on some of our FortiGate boxes [due to the backdoor password discovery] where the SSH provided in NCM 7.3.x doesn't have an agreeable set of cipher protocols, which leads to non-SSH connection:

 

Server (firewall) Algorithms

    kex_algorithms length: 61
    kex_algorithms string: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    server_host_key_algorithms length: 15
    server_host_key_algorithms string: ssh-rsa,ssh-dss
    encryption_algorithms_client_to_server length: 135
    encryption_algorithms_client_to_server string: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    encryption_algorithms_server_to_client length: 135
    encryption_algorithms_server_to_client string: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    mac_algorithms_client_to_server length: 85
    mac_algorithms_client_to_server string: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    mac_algorithms_server_to_client length: 85
    mac_algorithms_server_to_client string: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    compression_algorithms_client_to_server length: 9
    compression_algorithms_client_to_server string: none,zlib
    compression_algorithms_server_to_client length: 9
    compression_algorithms_server_to_client string: none,zlib
    languages_client_to_server length: 0
    languages_client_to_server string: [Empty]
    languages_server_to_client length: 0
    languages_server_to_client string: [Empty]
    KEX First Packet Follows: 0
    Reserved: 00000000

Client Algorithms

    kex_algorithms length: 111
    kex_algorithms string: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
    server_host_key_algorithms length: 75
    server_host_key_algorithms string: ssh-rsa,ssh-dss,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
    encryption_algorithms_client_to_server length: 175
    encryption_algorithms_client_to_server string: aes128-cbc,aes128-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,cast128-cbc
    encryption_algorithms_server_to_client length: 175
    encryption_algorithms_server_to_client string: aes128-cbc,aes128-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,cast128-cbc
    mac_algorithms_client_to_server length: 64
    mac_algorithms_client_to_server string: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,none
    mac_algorithms_server_to_client length: 64
    mac_algorithms_server_to_client string: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,none
    compression_algorithms_client_to_server length: 9
    compression_algorithms_client_to_server string: none,none
    compression_algorithms_server_to_client length: 9
    compression_algorithms_server_to_client string: none,none
    languages_client_to_server length: 0
    languages_client_to_server string: [Empty]
    languages_server_to_client length: 0
    languages_server_to_client string: [Empty]
    KEX First Packet Follows: 0
    Reserved: 00000000


[the Fortigate simply drops the connection if it doesn't like the order or algorithms, which is somewhat less than helpful]


Is there a way to control the order of the client algorithms used by the NCM client?


[note: support cases 928417 and 927532]
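
Added example, not part of the original post and not NCM or FortiGate code: the RFC 4253 section 7.1 selection rule run over the two KEXINIT name-lists quoted above, to show what each side has in common. The name-lists are copied from the capture; the dictionary keys, function names and the `LEGACY` set are assumptions made for this example.

```python
# Added example: RFC 4253 section 7.1 selection over the quoted KEXINIT lists.
# Name-lists are copied from the capture in the post (client-to-server direction).
SERVER = {
    "kex": "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1",
    "host_key": "ssh-rsa,ssh-dss",
    "enc": "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,"
           "aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr",
    "mac": "hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,"
           "hmac-sha1-96,hmac-md5-96",
    "comp": "none,zlib",
}
CLIENT = {
    "kex": "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
           "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1",
    "host_key": "ssh-rsa,ssh-dss,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
                "ecdsa-sha2-nistp256",
    "enc": "aes128-cbc,aes128-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes192-ctr,"
           "aes256-cbc,aes256-ctr,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,"
           "rijndael-cbc@lysator.liu.se,cast128-cbc",
    "mac": "hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,none",
    "comp": "none,none",
}
# Algorithms treated as legacy here (an editorial choice, not from the post).
LEGACY = {"diffie-hellman-group1-sha1", "ssh-dss", "3des-cbc", "arcfour",
          "hmac-md5", "hmac-md5-96"}


def names(name_list):
    """Split an SSH name-list into its comma-separated algorithm names."""
    return [n for n in name_list.split(",") if n]


def overlap(client_list, server_list):
    """Algorithms both sides offer, kept in the client's preference order."""
    offered = set(names(server_list))
    return [n for n in names(client_list) if n in offered]


def negotiate(client, server):
    """First client-preferred name the server also lists, per category."""
    # Simplified: skips the RFC's extra kex/host-key compatibility checks.
    # None means no common algorithm, so the connection cannot proceed.
    chosen = {}
    for category in client:
        shared = overlap(client[category], server[category])
        chosen[category] = shared[0] if shared else None
    return chosen


def legacy_choices(chosen):
    """Categories whose negotiated algorithm is in the LEGACY set."""
    return sorted(c for c, n in chosen.items() if n in LEGACY)


if __name__ == "__main__":
    result = negotiate(CLIENT, SERVER)
    for category, name in result.items():
        print(f"{category:9} -> {name}")
    print("legacy:", legacy_choices(result))
```

With these lists the only key-exchange method offered by both sides is diffie-hellman-group1-sha1, so the whole session depends on that single shared entry.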





Custom Property - Imported_From_NCM


Is this custom field safe to remove? I assumed yes because it was a custom field, I thought somebody made it before me.

 

 

I hesitated before pressing the delete button.

I read somewhere that this field was no longer needed after 7.3 something?

 

I was hoping I could get a second opinion or two on that before I proceed.

I'm on NCM 7.4

 

Thanks!

NCM only allow to execute Config Change Templates on specific interfaces


Hi,

 

We would like to use CCT to update interface configuration settings by first line, for example access vlan.

Therefore we would like to limit the ports where this CCT can be executed to, for example only access ports (never on trunk ports).

 

Is there any functionality in CCT to implement this limitation? We prefer to not work based on port description but on port interface configuration ( ==switchport access or !=switchport trunk).

Even better would be to not show all ports in the selection list - I've been testing with tags and other things, none of these are working.

 

Kind regards,

  • Steven.

F5 and NCM backup


Hi All

 

Please help

 

My aim is to back up configs on our GTM/LTM F5. I have pretty much used all the templates I can see on this forum, e.g. F5 BIG IP-1.3.6.1.4.1.3375.ConfigMgmt-Commands, and I get the error

 

.Validation Failed: An error occurred during script parsing. Position: Line 1, Character 3 Error message: mismatched character '-' expecting '=' Please check script syntax.

 

We are running Licensed Version 11.4.1 on the F5. I am not too familiar with F5. I do the following

 

......(tmos) # show running-config

Display all 235 items? (y/n) y

 

I have used the template assistant and have entered "y" in the RegEx, which I think it does accept but then comes back with "Unable to get Config  Text". I have looked at the templates on here and am really not too clear about some of the lines, e.g. "  <Command Name="EraseConfig" Value="write erase${CRLF}Yes"/>". Luckily it never went past the error above. I did remove the lines I did not think I will need and am now left with the below:

<!--SolarWinds Network Management Tools-->
<!--Copyright 2007 SolarWinds.Net All rights reserved-->
<!--Modified 12/02/2011-->
<Configuration-Management Device="BIGIP F5 LTM" SystemOID=" 1.3.6.1.4.1.3375.2.1.3.4">
    <Commands>
        <Command Name="DownloadConfig" Value="show running-config all-properties"/>
        <Command Name="PostCommand" Value="${ENTER}"/>
        <Command Name="PostCommand" Value="y"/>
    </Commands>
</Configuration-Management>

 

Not sure if "PostCommand" is valid.

 

When I log in I get this as my prompt

name@(device)(cfg-sync In Sync)(Active)(/Common)(tmos)#

 

Please help. I just need to back up the configs on the F5 like I do for the Cisco.

 

Thanks

NCM Comparison Criteria help w/ ASA


I am getting running vs startup config comparison differences where none appear to exist:

Portions of configs:

Running config portion:

name 192.168.49.8 ATHENA
name 192.168.63.12 NAVAJO
name 192.168.66.223 VRBCSC01
name 192.168.66.222 VRBCSIS1
name 192.168.66.11 VRGAZAP1
name 192.168.66.12 VRGAZAP2
name 192.168.66.16 VRGAZC02
name 192.168.66.13 VRGAZDB1

Startup config portion:

name 192.168.49.8 ATHENA
name 192.168.63.12 NAVAJO
name 192.168.66.223 VRBCSC01
name 192.168.66.222 VRBCSIS1
name 192.168.66.11 VRGAZAP1
name 192.168.66.12 VRGAZAP2
name 192.168.66.16 VRGAZC02
name 192.168.66.13 VRGAZDB1

I see no apparent differences yet I get the below when pulling up the comparison, and there are several of these differences.

How do I correct this?

SQL database


We are currently using Microsoft SQL 2008.  We want to switch it over to use Microsoft SQL 2012 so we can upgrade our Orion processes.  Is there a place on Orion that we can find the IP address for the database or a place where we can map the SQL database?

 

Thank you

 

DWane

cannot download a running config from Dell PowerConnect


I have a good login credential for my Dell PowerConnect switch, but I see the following error in the NCMBusinessLayerPlugin log when I try to download a running config:

 

ncmerror.gif

Any ideas where my issue may be? Thanks.

Download configs from Cisco and Juniper switches configured with SSH


We are doing a switch refresh.  Our old Cisco and Juniper switches had telnet only enabled.  The new switch stacks are only accessible through SSH and now we are unable to download configurations to our Orion database.

 

Is there a way we can configure Orion to do SSH and telnet?

 

thank you

 

Dwane


How can I achieve this scenario with NCM


I need to develop a template that will give me the detail below:

 

1. In Single VLAN, how many ports are configured/used in whole environment.

 

I will appreciate any clue to this.

 

Thanks.

Find all NCM managed nodes and if the config is backuped


Hi all,

1st

I'd like to create a report that shows all nodes in Solarwinds and the field "Managed by NCM" with "Yes" or "No"

Which Database field do I need in a report ?

 

2nd

I'd like to have a report with all nodes "Managed by NCM" = "Yes" showing if the configs are backuped successfully or not.

 

Many thanks for any help.

 

Juergen

SolarWinds Web Page Question


My webpage was acting up, giving errors.  I saw where one blog suggested to run the configuration wizard and do a repair.  I did this and when the wizard got done it showed this:

 

Website configuration failed:    Web Request for /Orion/Login.aspx failed - The remote server returned an error:  (403) Forbidden.

What should I do next?   Apparently the permissions changed somewhere.

 

Thanks

Anyone know how to enter a list of options into the Configuration generator?


Working with the SolarWinds Network Configuration Generator to test moving our device templates into it.  But I can't figure out how to build a variable where they choose from a list.  So that when setting up the VTP mode setting of a switch, they can click on the mode they want.  Anyone have ideas on how to do this?

Upgrade IOS using NCM?


Hello

 

We have over 500 switches which need an IOS upgrade and doing this one by one is going to take an age.

 

Is there any way we could use NCM to automate the upgrade?

 

Cheers


Cisco IOS Upload via SCP/SFTP Server Integrated in Solarwinds NCM


Hi,

I have got some issues when I am trying to update my switch firmware through SCP/SFTP Server which is integrated on Solarwinds Network configuration Manager.

SSH is allowed between Solarwinds Server and Cisco devices. If you faced the same problem please guide me how can we solve this issue ?

 

I have enabled the SCP server and created one <user > without any password.

Copied the IOS image on X:/sftproot - Solarwinds Server.

Start SFTP server on Solarwinds Server.

Execute Command on switch  :

Router1#copy scp: flash:
Address or name of remote host []? 10.x.x.x
Source username [user1]? user
Source filename []? image_filename.bin
Destination filename [image_filename.bin]?

%Error opening scp://user@10.x.x.x/image_filename.bin (Undefined error)
Router1#


Firmware Vulnerabilities Acknowledgement


OK, maybe I'm blind and not seeing it, or looking in the wrong spot, but where do I acknowledge items listed that are potential issues that are not related to our setup?  Example would be a vulnerability for Phone Proxy on the ASA, but we don't use that feature, so irrelevant to us.  I have 298 listed issues, and want to trim it down to actual issues that affect us so we can plan for updates.

Everything DISA STIGs for your Network


Introduction

 

This page will be the Main Page for all DISA STIG information provided by CourtesyIT.  The intent is to follow this page to alert you to new content and discussions about being DISA STIG Compliant. Please feel free to message me if you would like any STIG\Vendors packages developed that are not listed here.

 

This page is not endorsed by DISA or Solarwinds, but merely one interpretation of the requirements.  Community involvement is encouraged.

 

 

Directory

 

 

1. Getting Started

This link will be to discuss ways to get started and how this process and capability can work for you.

 

How to Use the Compliance Feature in Solarwinds.pdf

How to Create a Policy Report.pdf

 

2.  How to Create a STIG Dashboard and View

This link will provide a document for you to download and build a Dashboard to show your success with the NCM Compliance feature.

 

DISA STIG Dashboard

 

3.  Reports by Vendor

These links will be based on Vendor STIGs.  For best results, please download these reports through NCM.  Navigate via Configs Tab > Compliance > Manage Policy Reports > Shared on Thwack Tab.

 

Cisco Systems

Juniper Networks

Brocade

Dell

Palo Alto

F5

 

4.  RAW DATA

This text document is the raw data for all the rules.  This document can be used as a policy or baseline for all rules in the event submission is required for the coding and configuration of your Compliance Solution.

 

RAW DATA DISA STIG V8R19 - Cisco

 

5.  DISA STIG Matrix

This document is a matrix to validate which rules are applied to which type of functional device.

 

DISA STIG Matrix - Cisco

 

 

6. Other Customizations

This link is a random sampling of various customizations I found through some Thwackers Content pages.

 

How to do various customizations with your Solarwinds

 

 

Living Document. Please Bookmark.





how do I upgrade IOS with ncm using SCP?


Do I use Scripts or Template? Not Sure on how templates work. Sure could use some help on this.
