Ever needed to make a firewall change or update a rule set but not had access to the device? An always-on, cloud-based software-as-a-service solution has grown from the labs of OneConfig. Based on the premise that not all changes need a network engineer, OneConfig allows administrators to make changes through an intuitive web interface. Aimed at small and medium enterprises, this product is a supplement to an administrator's tool set.

How does this differ from J-Web? Vastly. OneConfig is a cloud-based application that establishes a secure channel via outbound SSH to their servers. An administrator logs into the web page, as opposed to the device, and can access things such as rule sets and security zone information. You can create, modify, and delete rules and create changes that only require a small amount of information. For many, this is what it is about: core changes, done simply and efficiently.

The OneConfig solution uses NETCONF to push changes across a secure channel established between a supported JUNOS webpage and the HTTPS session. Once you log in, you need to create a device.

After creating a device, a configuration is generated for you.

set system services ssh protocol-version v2
set system login user oneconfig class super-user
set system login user oneconfig authentication encrypted-password <string?>
set system services outbound-ssh client oneconfig device-id SRX110-ciscoinferno
set system services outbound-ssh client oneconfig secret 
set system services outbound-ssh client oneconfig keep-alive retry 3
set system services outbound-ssh client oneconfig keep-alive timeout 5
set system services outbound-ssh client oneconfig services netconf
set system services outbound-ssh client oneconfig my.oneconfig.com port 4087
set system services outbound-ssh client oneconfig my.oneconfig.com retry 1000
set system services outbound-ssh client oneconfig my.oneconfig.com timeout 60

Let's break down this set of configurations. We have an SSH v2 connection using a user named oneconfig, created with the super-user class, and the password we set earlier. A few optimised connection settings for a keep-alive and we have an outbound connection to OneConfig. The end configs specify what port is used and more optimisation settings. The really interesting part of the config is specifying the NETCONF protocol. This is a superb use of the framework.
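A small review helper for the generated snippet, added here as an example (it is not code from OneConfig or Juniper): it parses set-format lines and lists what the configuration grants, so the points can be confirmed before the commit. The sample input is constructed from the listing above with a placeholder password hash, and the function names are hypothetical.

```python
import shlex

# Constructed sample modelled on the listing above; hash is a placeholder, secret left blank as shown.
SAMPLE = """\
set system services ssh protocol-version v2
set system login user oneconfig class super-user
set system login user oneconfig authentication encrypted-password "PLACEHOLDER-HASH"
set system services outbound-ssh client oneconfig device-id SRX110-ciscoinferno
set system services outbound-ssh client oneconfig secret
set system services outbound-ssh client oneconfig services netconf
set system services outbound-ssh client oneconfig my.oneconfig.com port 4087
"""
CLIENT_OPTS = {"device-id", "secret", "keep-alive", "services"}

def parse(text):
    """Return (users, clients) extracted from set-format lines."""
    users, clients = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 7:
            continue  # too short to be a login-class or outbound-ssh client line
        if tok[:4] == ["set", "system", "login", "user"] and tok[5] == "class":
            users[tok[4]] = tok[6]
        elif tok[:5] == ["set", "system", "services", "outbound-ssh", "client"]:
            c = clients.setdefault(tok[5], {"secret": None, "services": [], "servers": []})
            rest = tok[6:]
            if rest[0] == "secret":
                c["secret"] = rest[1] if len(rest) > 1 else ""
            elif rest[0] == "services":
                c["services"] += rest[1:]
            elif rest[0] not in CLIENT_OPTS and rest[1:2] == ["port"]:
                c["servers"].append((rest[0], int(rest[2])))  # server address + port
    return users, clients

def review(text):
    """List the points a reviewer would confirm before committing the snippet."""
    users, clients = parse(text)
    notes = [f"login user '{u}' has class super-user (full device access)"
             for u, cls in users.items() if cls == "super-user"]
    for name, c in clients.items():
        if not c["secret"]:
            notes.append(f"outbound-ssh client '{name}' has no secret value set")
        for host, port in c["servers"]:
            notes.append(f"client '{name}' dials out to {host}:{port} "
                         f"offering {','.join(c['services'])}")
    return notes

if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```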


Once you apply this to the respective device, refresh your management page and check the status. Now that you have established the link, you can actually configure what you need to. Let us look now at how to provision a new security zone remotely via the web interface of OneConfig.


Like other web interfaces of Java (cough cisco cough) you find that you have a nice way to define objects and a logical setting to build rules. Here we are creating a new prefix for the untrust zone for this example.



I have now made my rule to allow my test range from trust to access the new inside-corporate zone with the SSH protocol. Once I create the policy, what happens next is where I believe the magic is. From all the inputs listed thus far, a configuration is pushed and committed to your device under administration.

By doing away with the CLI, OneConfig is approachable for small and medium deployments that might not have a dedicated engineer who specializes in networks. Generally someone would be a jack of all trades or might be server-centric, and networks, as we know, are a dark art!


OneConfig targets a market in which I think there is good growth. I like the fact that you can manage a device through an interface and push through reliable changes. OneConfig offers a three-device trial and I have both my lab devices and it is very impressive. As the product grows I am sure the feature set will expand. Honestly, it is only as limited as the NETCONF protocol and really, it is quite limitless.

Further Reading: http://www.techworld.com.au/article/455336/australian_startup_snapshot_oneconfig/

One thought on “OneConfig for JUNOS”

  1. Thanks for taking the time to write about OneConfig. My colleagues and I thought you did an awesome job of describing the product, both from a business value and a technical perspective. It’s very encouraging for OneConfig to get feedback like this and it helps us track progress.

    We have an interesting roadmap for the product and I’ll share some of that in the near future.
