Ever needed to make a firewall change or update a rule set but not had access to the device? An always-on, cloud-based software-as-a-service solution has grown from the labs of OneConfig. Based on the premise that not all changes need a network engineer, OneConfig allows administrators to make changes through an intuitive web interface. Aimed at small and medium enterprises, this product is a supplement to an administrator's tool set.
How does this differ from J-Web? Vastly. OneConfig is a cloud-based application that establishes a secure channel via outbound SSH to their servers. An administrator logs into the web page, as opposed to the device, and can access things such as rule sets and security zone information. You can create, modify, and delete rules, and make changes that only require a small amount of information. For many, this is what it is about. Core changes, done simply and efficiently.
The OneConfig solution uses NETCONF to push changes across a secure channel established between a supported JUNOS webpage and the HTTPS session. Once you log in, you need to create a device.
After creating a device, a configuration is generated for you.
set system services ssh protocol-version v2
set system login user oneconfig class super-user
set system login user oneconfig authentication encrypted-password <string?>
set system services outbound-ssh client oneconfig device-id SRX110-ciscoinferno
set system services outbound-ssh client oneconfig secret
set system services outbound-ssh client oneconfig keep-alive retry 3
set system services outbound-ssh client oneconfig keep-alive timeout 5
set system services outbound-ssh client oneconfig services netconf
set system services outbound-ssh client oneconfig my.oneconfig.com port 4087
set system services outbound-ssh client oneconfig my.oneconfig.com retry 1000
set system services outbound-ssh client oneconfig my.oneconfig.com timeout 60
Let's break down this set of configurations. We have an SSH version 2 connection using a user named oneconfig, which is placed in the super-user class, and the password we set earlier. A few keep-alive settings tune the connection, and the outbound-ssh client gives us an outbound connection to OneConfig. The final lines specify what port is used along with further retry and timeout settings. The really interesting part of the config is specifying the NETCONF protocol as the service. This is a superb use of the framework.
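The breakdown above can be checked mechanically before the commands are committed. The following is an added example, not code from OneConfig or Juniper: a small Python parser (the function names `summarize` and `review` are hypothetical) that reads the generated set commands and reports where the device dials out, which service it offers, and which login users are super-user.

```python
import shlex

# Constructed sample: the generated configuration from the post; elided values stay elided.
SAMPLE = """\
set system services ssh protocol-version v2
set system login user oneconfig class super-user
set system login user oneconfig authentication encrypted-password <string?>
set system services outbound-ssh client oneconfig device-id SRX110-ciscoinferno
set system services outbound-ssh client oneconfig secret
set system services outbound-ssh client oneconfig keep-alive retry 3
set system services outbound-ssh client oneconfig keep-alive timeout 5
set system services outbound-ssh client oneconfig services netconf
set system services outbound-ssh client oneconfig my.oneconfig.com port 4087
set system services outbound-ssh client oneconfig my.oneconfig.com retry 1000
set system services outbound-ssh client oneconfig my.oneconfig.com timeout 60
"""

def summarize(text):
    """Return ({login user: class}, {outbound-ssh client: settings}) from set commands."""
    users, clients = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:4] == ["set", "system", "login", "user"] and len(tok) == 7 and tok[5] == "class":
            users[tok[4]] = tok[6]
        elif tok[:5] == ["set", "system", "services", "outbound-ssh", "client"] and len(tok) > 6:
            c = clients.setdefault(tok[5], {"services": [], "servers": {},
                                            "keep_alive": {}, "secret_set": False})
            key, rest = tok[6], tok[7:]
            if key == "secret":
                c["secret_set"] = bool(rest)  # False when no value follows the keyword
            elif key == "services":
                c["services"] += rest
            elif key == "device-id" and rest:
                c["device_id"] = rest[0]
            elif key == "keep-alive" and len(rest) == 2 and rest[1].isdigit():
                c["keep_alive"][rest[0]] = int(rest[1])
            elif len(rest) == 2 and rest[1].isdigit():  # server host, then port/retry/timeout
                c["servers"].setdefault(key, {})[rest[0]] = int(rest[1])
    return users, clients

def review(text):
    """List the points an administrator should confirm before committing."""
    users, clients = summarize(text)
    notes = [f"user {u} is class super-user" for u, cls in users.items() if cls == "super-user"]
    for name, c in clients.items():
        for host, opts in c["servers"].items():
            notes.append(f"{name}: dials out to {host}:{opts.get('port')} offering {','.join(c['services'])}")
        if not c["secret_set"]:
            notes.append(f"{name}: secret has no value in this text")
    return notes

print("\n".join(review(SAMPLE)))
```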
Once you apply this to the respective device, refresh your management page and check the status. Now that you have established the link, you can actually configure what you need to. Let us look now at how to provision a new security zone remotely via the web interface of OneConfig.
Like other web interfaces of JAVA (cough Cisco cough) you find that you have a nice way to define objects and a logical setting to build rules. Above we are creating a new prefix for the untrust zone for this example.
I have now made my rule to allow my test range from trust to access the new inside-corporate zone with the SSH protocol. Once I create the policy, what happens is where I believe the magic is. From all the inputs listed thus far, a configuration is pushed and committed to your device under administration.
By doing away with the CLI, OneConfig is approachable for small and medium deployments that might not have a dedicated engineer who specializes in networks. Generally someone would be a jack of all trades or might be server-centric, and networks, as we know, are a dark art!
OneConfig targets a market in which I think there is good growth. I like the fact that you can manage a device through an interface and push through reliable changes. OneConfig offers a three-device trial and I have both my lab devices and it is very impressive. As the product grows I am sure the feature set will expand. Honestly, it is only as limited as the NETCONF protocol and really, it is quite limitless.