The Wall of Fire – 04 – Management

Management is such an interesting topic. There are many ways in approaching how to manage a device and the correct method to do so. By no means is this a comprehensive guide but should influence how you design the management network. The choices made are derived from staff, business requirements, money, and capability.

The CLI is a great tool for initial configuration. It allows full control over the appliance (except the ASA 5585x SSP-CX modules) and can be used for just deployment or the main method of configuration and management. Depending on the scale and size of the deployment and the network the CLI may be used daily or never at all. In the environment with a handful of firewalls the CLI might be a great way of configuring and managing. This could be supplemented with the ASDM for graphs and packet tracing. Anything more than a handful you will find administrators will incur an administrative overhead in management. Little changes can become error prone with the way that Cisco commits code instantly.

Vendor applications such as ASDM and JUNOS sphere allow GUI based configuration. ASDM has entered a rather mature phase and the early pain and gripes have disappeared. The only issue that is still gripes me personally is the requirement for Java. That aside ASDM provides a user-friendly interface that provides splash page showing a lot of device information and summaries. Although touching the interface is required, it is a good use in an environment with a handful of devices. When you have more two or three devices applications such as Cisco Security Manager can aggregate firewalls into a single administrative environment. This helps reduce the administrative overhead with firewall appliances with replication, synchronisation, and easy to find information.

Taking it one step further Cisco PRSM allows all devices to be managed via a comprehensive solution. Depending on your requirements this might integrate with other tools, be the only tool you use, or somewhere in between. This would be a Cisco only solution as it caters to Cisco devices only.

Monitoring solutions provide key insights, alerts, and statistics. Most shops will have some flavour of monitoring in place already. Identifying what should be monitored does depend on what is being configured. It is with this information you can devise a monitoring template. It is good to monitoring some of the following independent of configuration.

  • Environmental – This is one of the most important statistics to watch. Temperature, memory, power, fans, and interfaces should be watched and set with priority alarming.
  • Sessions and throughput – Sessions and throughput are worth watching to. Knowing what is a normal level of traffic will provide insight when anomalies arise.

What is worth monitoring when a relatively normal configuration is placed down would be the following:

  • NAT – NAT sessions and translations need to be monitored. This is to ensure NAT sessions are forming and being torn down correctly and to identify embryonic, excess, and errors in translations.
  • VPN – VPN connections should warrant an engineer to have CPU and interface statistics to be monitored. With encryption and an increased workload due to multiple VPNs, a little bit of extra monitoring is just an insurance policy.

Reporting is a strong positive that can be output from management tools and devices. The generation of reports from the infrastructure informs management, auditors, and staff regarding key outputs. Identification of where CapEx spend would be most appropriate, where a potential re-architecture would benefit, or simply, the ability to find the root cause of a long-standing trouble ticket can be attributed to good reporting. Reporting and monitoring are too much until the time you rely on them and it is not enough.

The method of management is an important consideration when thinking about requirements. Management tools are extremely useful things but it does come down to the business requirements of what it is expected to do, and also the people who will be using it. Depending on the size and scale will adjust the pros and cons of each choice. Knowing how a customer operates and manages their devices can help identify a particular path to so don’t forget to understand that. What ever method you choose you must ensure a stable, planned, and considered management environment.

1 thought on “The Wall of Fire – 04 – Management”

  1. I think you maybe mean Junos Space (not JUNOS sphere) for management. Sphere is the cloud-based lab product while Space is the configuration and management product.

Leave a Reply

Your email address will not be published. Required fields are marked *