Golden Configuration (Devices)
  • Dark
    Light
  • PDF

Golden Configuration (Devices)

  • Dark
    Light
  • PDF

Configuration Tab

Golden Configuration ("Golden Config") is a configuration pattern which the device should conform to. It is comprised of configuration lines and rules which must be matched in order for the device to be considered compliant. The Configuration tab allows you to edit the Golden Config associated with a selected node, as well as the Configuration Variables for the tree.

Figure 1: Configuration Tab
21-configurationsSpec-21.1

When you create a new node in the Configuration Tree, its configuration will be inherited from the parent node. You may specialize this node from the parent by adding or overriding lines in the parent configuration.

The lines of Golden Configuration are designed to mimic the native configuration structure of a device, and will have parent-child relationships as they do on the device. This is usually shown by indentation or block delimiters.

Each line of Golden Configuration has an evaluation type that determines whether the line must be present, not present, or should be ignored. The severity determines whether rule failures are considered errors, warnings, or information-only issues in the Compliance Report.

Add/Edit Configuration Lines

The configuration editor allows configurations to be edited inline through the text editor. Once you have finished defining your configuration, you can save it by clicking the floppy disk icon in the toolbbar just above the editor. You can also import configurations from a device by clicking the import button located to the left side of the save button.

Each line in a configuration can be defined as follows.

Evaluation Mode

Used to indicate if a configuration line if required to exist in a device for compliance.

  • Required - Implies the line must exist in the device config.
  • Disallowed {d/} - Implies the line must not exist in the device config.
  • Ignored {i/} - Completely ignores the line and doesn't generate an issue in the compliance report.

Severity Type

Each severity type has its own weight which determines the grade of a compliance report.

  • Warning
  • Error <e/>
  • Info <i/>

Figure 2: Add/Edit Configuration Lines
22-configTools-21.1

Define New Tree Variables

To define new tree variables:

  • Select the (x) icon button on the right side to access the variables panel.
  • To hide a configuration which is not defined on the current node directly, click the eye icon and select the Inherited Config checkbox.

Figure 3: Define New Tree Variables
23-GoldenConfigVariables-21.1

Manage Devices

The Manage Devices tab allows you to associate network devices with the selected Configuration Node.

Figure 4: Manage Devices Tab
24-GoldenConfigDeviceManagement-21.1

When you run a compliance report for a device, it will be checked against the Golden Configuration of the device's associated configuration node. Likewise, when you run a compliance report for a node, each associated device will be checked. A device can only be associated with one configuration node.

From this tab, you can see a list of associated devices, and a small graph that shows the compliance status for each device. You may add or remove devices from the selected node.

Compliance

Click the vertical dots icon to open the Compliance dialog, which presents a menu to run and view compliance for a selected device. From the compliance report view, you can see overall statistics for a selected device. You can also select any issue that is found and view details that will enable you to troubleshoot and fix the error. You may address one or more issues before applying changes to a device.

Figure 5: Menu for Device Compliance
25-menuGoldenConfigDeviceCompliance-21.1

Figure 6: Compliance Report
26-GoldenConfigDeviceCompliance-21.1

Click the 3-bar graph icon near the top right to display the compliance history graph. This graph shows how many warnings, issues, errors and passes were computed in the compliance report. The blue line represents the score for each compliance report.

Figure 7: Compliance Graph
27-GoldenConfigDeviceComplianceGraph-21.1

You can navigate between compliance reports by clicking on the bar-chart.

Click the down arrow in the Configuration Errors section to expand an item and view additional detail that will enable you to choose how you would like to proceed with the issue.

Figure 8: Compliance Issues & Remediation Options
28-GoldenConfigDeviceComplianceIssue-21.1

When you select Add as an action the issue will minimize with a green check mark to represent that the issue has been marked for resolution.

Click Apply to compile a list of changes that have been marked for resolution to be added to the device.

Figure 9: Apply Remediation
29-GoldenConfigDeviceComplianceIssueAdded-21.1

You can also view Golden Configuration details by clicking the blue vertical dots (icon) on the top toolbar. A menu will display details of the tree and allow you to update the Name or modify read/write access for Groups.

Figure 10: Update Golden Config Details
30-GoldenConfigDetails-21.1

Define Severity Weight and Grade Benchmark Values

The grade a device configuration receives (Pass, Review, or Fail) in a compliance report can be influenced by changing:

  • The default weight value assigned to each line severity type.
  • The default benchmark value assigned to each grade.

The following sections detail how the grade of a device configuration is calculated and how you can change the values used in the calculation.

Calculating the Grade of a Device Configuration

When a compliance report is run against a device configuration, the following formula is used:

Score = (totalNumPassLines / ((numOfErrorLines * errorWeightValue) + (numOfWarnLines * warnWeightValue) + (numOfInfoLines * infoWeightValue) + totalNumPassLines)) * 100

The following severity type weight values are used in this formula by default:

  • Error: 2
  • Warning: 1
  • Info: 0.5

The score returned by this formula is compared to the following grade benchmark values by default to assign a grade to the device configuration:

  • Pass: 90
  • Review: 80
  • Fail: 0
Example

If a configuration that is ten lines long has one non-compliant line assigned the error severity type, it would be scored 81.82:

81.82 = ((9 / ((1 * 2) + (0 * 1) + (0 * 0.5) + 9)) * 100)

As such, the configuration would be given a grade of Review.

Using a Workflow to Define Custom Values

You can use a workflow to run a compliance report with custom severity type weight and grade benchmark values.

From a newly created Gen 1 or Gen 2 automation:

  1. Add the gradeComplianceReport task to the automation.
  2. Locate the options variable in the Task Configuration modal.
    1. In Gen 1, the modal is a dialog box.
    2. In Gen 2, the modal is a slider panel.
  3. Define the custom values in JSON object format.
Example

To halve the default severity type weight and grade benchmark values (excluding the Fail grade), provide the following to the options variable:

{
	"error": 1,
	"warning": 0.5,
	"info": 0.25,
	"pass": 45,
	"review": 40,
	"fail": 0
}