Building Compliance Rules for Ordered Lists in CLI Configurations with Itential

Today’s networks are comprised of a mixture of network solutions that are managed by traditional command line interfaces (CLI) and API-based network controllers. As configurations change over time, it’s important that network teams have a flexible set of tools that help them manage these configurations to ensure they are adhering to current best practices and security policies to prevent outages and diminish security risk.

Some of the most critical configurations use lists of elements, like Access Control Lists (ACLs), that must be ordered correctly, or they can lead to network problems. However, legacy tools are limited in their ability to define rules for lists that can ensure compliance. With Itential, network and security teams have a modern toolset to quickly build Golden Configuration templates with rules that enforce list ordering. They can then automate compliance audits and integrate them with other systems to orchestrate processes such as managing ServiceNow Incident tickets, notifying groups of non-compliant devices, and even automatically remediating those devices.
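The list rules the demo walks through (strict order, loose order, "exactly these items", and excluding one line from ordering) can be modeled in a short script. This is an added illustration, not Itential's implementation: the function name `audit_list`, the finding strings, and the sample ACL and interface lines are constructed, and it assumes strict mode tolerates lines before or after the golden block.

```python
"""Illustrative model of ordered-list compliance rules for one CLI config block."""


def audit_list(golden, running, mode="strict", unordered=()):
    """Return a list of finding strings; an empty list means the block passes.

    golden    -- required child lines of the block, in template order
    running   -- child lines of the same block in the device's running config
    mode      -- "strict", "loose" or "exact" (strict plus exclusivity)
    unordered -- golden lines that must be present but may sit anywhere
    """
    if mode not in ("strict", "loose", "exact"):
        raise ValueError(f"unknown mode: {mode}")
    golden = [g.strip() for g in golden]
    running = [r.strip() for r in running]
    free = {u.strip() for u in unordered}

    # Presence is checked in every mode, including for order-exempt lines.
    findings = [f"missing: {g}" for g in golden if g not in running]
    if findings:
        return findings

    # Ordering rules only see lines that are not exempt from ordering.
    want = [g for g in golden if g not in free]
    have = [r for r in running if r not in free]

    if mode == "loose":
        # Golden lines must form a subsequence; other lines may sit in between.
        pos = 0
        for line in want:
            try:
                pos = have.index(line, pos) + 1
            except ValueError:
                findings.append(f"out of order: {line}")
                break
    elif want:
        # Strict and exact: golden lines must be one consecutive run.
        start = have.index(want[0])
        for offset, line in enumerate(want):
            idx = start + offset
            found = have[idx] if idx < len(have) else None
            if found != line:
                findings.append(
                    f"sequence broke: expected '{line}', found '{found}'"
                )
                break

    if mode == "exact":
        # Exclusivity: anything not in the template is flagged for removal.
        allowed = set(golden)
        findings += [
            f"disallowed, remove: {r}" for r in running if r not in allowed
        ]
    return findings


# Constructed sample: the device has entries 10, 20, 30, 200; the template
# lists only 10, 30, 200 (the situation reproduced in the demo).
RUNNING_ACL = [
    "10 permit tcp any host 192.0.2.10 eq 443",
    "20 permit udp any host 192.0.2.53 eq 53",
    "30 permit icmp any any echo",
    "200 deny ip any any log",
]
GOLDEN_ACL = [RUNNING_ACL[0], RUNNING_ACL[2], RUNNING_ACL[3]]

# Constructed interface block: device order vs. a template in the other order.
RUNNING_IF = ["description demo loopback", "ip address 198.51.100.1 255.255.255.255"]
GOLDEN_IF = [RUNNING_IF[1], RUNNING_IF[0]]

if __name__ == "__main__":
    for mode in ("strict", "loose", "exact"):
        print(mode, audit_list(GOLDEN_ACL, RUNNING_ACL, mode))
    print("if strict", audit_list(GOLDEN_IF, RUNNING_IF, "strict"))
    print("if strict + exclude",
          audit_list(GOLDEN_IF, RUNNING_IF, "strict", unordered=[RUNNING_IF[0]]))
```
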

In this demo, learn step-by-step how teams can:

  • Create a Golden Configuration template for CLI managed devices.
  • Apply rules for strict ordering for an Access Control List.
  • Apply rules for loose ordering for an NTP server list.
  • Use restrictions for items appearing in a list.
  • Automate and orchestrate compliance audits using defined rules.
  • Demo Notes

    (So you can skip ahead, if you want.)

    00:00 Introduction & Demo Overview
    02:38 Overview of Itential’s Configuration Manager Application
    09:25 Strict Ordering for List Compliance
    16:35 Loose Ordering for List Compliance
    19:55 Set Exclusivity Restrictions on a List
    23:39 Set Order Exclusions on a List Element
    30:45 Automate Compliance Reports in a Workflow
    37:17 Automate a Decision Process from a Compliance Report Result
    43:05 Orchestrate with MS Teams for Notifications from Compliance Reports
    46:28 Publishing the Workflow to Schedule Weekly Compliance Reports

  • View Transcript

    Rich Martin • 00:03

    Hello, everyone, and welcome to another Itential webinar. My name is Rich Martin, Director of Technical Marketing at Itential. Today, you’re in store for an exciting ride through building compliance rules for ordered lists in CLI configurations. Now, I know that’s a mouthful, so let me break it down for you, and we’re going to break it down this way. We’ll talk very specifically about a set of features within our Configuration Manager, and specifically within building a Golden Configuration Template in Configuration Manager, that is focused on ordered list for CLI compliance. Think in terms of any network device or firewall device that’s CLI-driven, CLI-configured, CLI-managed primarily.

    Rich Martin • 00:48

    There’s probably a subset of configurations that appear as a list, many times ACL, firewall rules, things of that nature, and that has to be handled differently than perhaps building templates for other things, especially in regards to how they’re ordered, and some features around how strict or how loose that ordering needs to be, should be, or ought to be, depending on your use case. That’s where we’re going to spend some time today looking at these features, discovering how they work, and then letting your mind grow on how you can utilize these in your own environment. So we’ll talk about strict ordering rules and the common use cases, loose ordering rules and common use cases. We’ll talk about applying exclusion and exclusivity features to this rule and how those things work and how you can make these templates more applicable towards lots of different use cases. And then we’re gonna take a step away from just automating through an application or a tool in our system. And because we’re an automation and orchestration platform, for all forms of network infrastructure, including network and security, let’s take a look at how we can leverage the work that we’ve just done to do some automation, like, I don’t know, schedule an automated compliance check for these rules on the rules that we just built for ordered list. And then going from automating that particular task, automating other tasks so that we’re starting to form an orchestrated workflow.

    Rich Martin • 02:13

    So I’ll show you how to build a workflow, how to create tasks in that workflow to automate very specific things and how do we start to tie things together in order to orchestrate more steps in a process that includes your automations. So with that, let me share my screen and we can get going. All right, so we’re going to start off in the Itential Automation Platform under Configuration Manager. So when you log in, you’ll see we have different parts of our platform, and this is an application configuration manager. We won’t take a deep dive into all the features here. We’ll hit a couple of the main features. I definitely encourage you to go into any of our previous webinars where we really do a deep dive into features and how to use Config Manager and all it can do.

    Rich Martin • 03:03

    On the left-hand side here, you’ll see a federated inventory of network devices and services, and I say services because we can also onboard not just routers, switches, firewalls, physical devices that are CLI-driven, but even services like network services, security services from API, managed Cloud, Cloud platforms like VPCs, security groups, things like that. That’s all available here because Configuration Manager is about managing configurations for both CLI, API, and that includes building golden configuration templates, regardless of whether you have modern legacy infrastructure, we all have a bit of all of it going on in our worlds. You should have a tool that leverages its feature set across all of your different infrastructure, whether it’s API, CLI, legacy, modern, whatever it may be. Being able to federate a list of devices so that we can start to build golden configuration templates on top of them, and that’s what we’ve done here. I’ve created one for this particular webinar for this CLI compliance for ordered lists. We won’t get to all the features, but this is where you start to build your golden configuration templates.

    Rich Martin • 04:18

    Under the configuration tab here, there are a lot of things going on here. Right here is we can actually build a hierarchy of different configurations that are inherited. We’re going to start with the base configuration, we’re not going to move past that. But again, in our previous webinars, we deep dive into how to use that and how it can be applicable to building golden configurations. But really, we want to focus on building a golden configuration for ordered lists. But I want you to first see the outside of ordered lists where we’re just building a specific configuration template, and then we’ll get into lists, and I’ll show you some of the features here. Here is where you can literally import a configuration from a live router if you wanted to.

    Rich Martin • 05:01

    You can copy and paste it from a backup that you’ve made within the application or maybe you have it online on your laptop or desktop. You can paste in a configuration as it appears inside the device configuration itself. Now, you don’t have to express everything that’s in the configuration here. This is a template. We want snippets of the things that are important to us that we should be checking for. It could be something security-minded, like you should always turn on on a Cisco device, and that’s what we were operating on today. We should always turn off unsecured HTTP access, and maybe even secure HTTP access. For a Cisco device, I can go into here and I can type ip http server.

    Rich Martin • 05:49

    And I’m building a template that’s going to compare to the current running configuration on a device. Now, which device? We’ll pick that from our federated inventory. We first focus on building the configuration template itself. So here is how you would turn it on on a Cisco device. And obviously we don’t want that. So what we can do here is we can disallow this. If I select that line now, I disallow it.

    Rich Martin • 06:14

    You can see we’re operating on top of this configuration. If I update this, now I’ve saved this and I’ve started my golden configuration template. There’s one thing in here. We want to make sure that when we compare the configuration of a specific device or set of devices, we’re going to ensure that the rules say this shouldn’t be disallowed in the current configuration. And so now we can update this again. Now, we can go into the Devices and Groups tab. This is where I can add devices.

    Rich Martin • 06:52

    Now, I’ve already added a device for time here, but I can add more devices. Remember that federated inventory? I can add devices anywhere from that federated inventory. Obviously, you want to have like devices if you’re doing something specific to a CLI, because the CLI has to be the same if you’re going to build a template that’s relevant for all of them. But you can add more devices here. We’re working in testing, so we’re just going to use one device. You can also add device groups.

    Rich Martin • 07:15

    We have the ability to define groups and then add devices into this. So you could have Cisco IOS routers in a group and just add the group itself. But since we’ll be testing on this to show how these features work, I’m going to use a single device. From here, if I run compliance, you’ll see that the compliance run has started. And in a moment, what it’s doing is it’s saying it’s pulling the configuration, comparing it to our golden configuration with that one line that says it should be disallowing ip http server. Now it’s going to give me a compliance report here and it tells me one line was in warning. That’s because the router that we’re testing off of actually has that line live in its configuration. So I can take a look at this compliance report and in fact I’m actually taking a look at all of the compliance reports historically here from this application. So you can see over time what was in and out of compliance based off of the golden configuration template that was defined at the time. In this case we’re just looking at the last one and what you’ll see here is this was disallowed. So we just built this rule to disallow ip http server and this is how you would typically build for any like non-list. This is the kind of features you have available to us because the ordering really doesn’t matter, right? So whether this appears at the top or the bottom of the configuration it should never appear at all.

    Rich Martin • 08:34

    And what you’ll also notice here is you have the opportunity to remediate this immediately from within the application. So if I click that to remove, I apply, it’s going to actually make the change on the device, push it live, take that out, and if I were to rerun this again, which we won’t do here, but if I were to do it again, it would pass the compliance check. So it’s telling us it’s removed that, and then we would be in compliance in subsequent calls. But that gives you, without the ordered feature set that we’ll be digging into today, that gives you an idea of the capabilities, generally speaking, inside of Configuration Manager, and how easy it is to build a template, how easy it is to add devices and check, and then how easy it is to do remediation right from the application. This will be even more important as we move from automating within our tools and our applications to automating the tying automations together and orchestrating processes, which is a little bit later in the demonstration. With that said, we can delete this because this isn’t the focus of what we want to take a look at today.

    Rich Martin • 09:37

    What we really want to look at is the ordered lists and the features there. On this tab, I have access to that particular router. I’ll show you that we have an ACL that’s already defined. This is the list we’ll be operating on. You’ll see it’s pretty straightforward. It’s just an example list. I’m sure in your live environments, you have much more complex lists.

    Rich Martin • 10:02

    It’s important to understand that this list is also sequenced. You see the sequence numbers there. There’s a lot of legacy stuff, Cisco and other vendors that doesn’t do sequencing. What you’ll see with the rule sets around compliance lists, works with sequenced and unsequenced list, and a lot of flexibility around unsequenced lists to ensure that things are in the right order. Because for instance, if things aren’t in the right order, you’re going to have some real problems, especially with access lists, firewall rules, things of that nature. If your deny is at the front of the list, you’ve got real issues. Just as bad if you have an allow all at the front of the list, then you’ve got a different set of issues, but issues nonetheless.

    Rich Martin • 10:44

    Let’s take this and now we can just copy and paste it into our golden configuration. So this represents what needs to exist in a configuration on a router that I want to compare this to. So this is line for line what needs to occur. Now remember, this is a list, so we have a special set of features and functions that operate on lists. And they’re located right here under this dropdown. You’ll see, you know, it’s a list icon here.

    Rich Martin • 11:18

    So what you wanna do is you wanna highlight the top element of the list. Everything under this becomes the list because it’s indented. We work on multiple flavors of Cisco, CLI, Juniper, Arista. The way that the golden configurations are built and how Configuration Manager understands CLIs through syntax, it’s not modeling everything, it’s understanding things through the syntax. So it makes it very easy to use what we’ve already built as far as understanding the syntax of multiple vendors and multiple CLIs under different vendors. But also being able to have the flexibility to build a syntax for maybe some very antiquated things in your network that may not have, you know, that you may wanna support under this application. You have the ability to build a template for the CLI syntax so that you can build golden configurations, test them and run compliance reports off of them as well.

    Rich Martin • 12:15

    So it gives you a lot of flexibility. Again, the idea here is regardless of what your infrastructure is made of, you should be able to apply all of these features, all of these tools across all of it. So if we highlight the top one of the top of the list here, now we can start looking at these particular features for this list. So let’s start with strict, because strict is what it sounds like it’s strict. You’ll see that as soon as I chose strict on the top, you see this tag LSO. That stands for List Strict Order. And that just identifies everything under it that’s part of this list.

    Rich Martin • 12:51

    We’ll have the application of strict ordering. You also see a little icon here with these that identifies it as a strict ordered list. What this means is that everything following the beginning of the list, so all the list elements, every list element is every line is an element in this list. It has to, every line has to follow exactly as defined in the list, every element, in an immediate consecutive order. So again, this is very strict. So this has to match line for line in the same sequence, in the same, every line has to match every line in the same sequence consecutively during a compliance audit in order for it to be identified as a pass or a success.

    Rich Martin • 13:37

    If there’s any changes in here, if there’s any additional lines put in, it’s going to flag this, give us a warning or we have the ability to change the severity of it. But by default, it gives us a warning and it says, hey, you should probably take a look at this. Let’s take a look at what that looks like. We’ve just simply pasted in a verbatim configuration. I’ve identified the top of the list of this particular ACL list as a strictly ordered list, so it knows to do that comparison type under it. If I go back here to test and run a compliance on this particular device using this golden configuration snippet as the template, it’s going to tell us it passed it successfully. That’s no surprise because it’s word for word exactly the way it’s supposed to be.

    Rich Martin • 14:23

    Now, what if I went into the configuration and deleted line 20? And so in the actual running configuration, it would be 10, 30, 200. Now it’s no longer matching line for line as the consecutively element to element. And that would cause a subsequent test to fail. We can kind of replicate that without making changes to the router. By deleting this, if I change the nature of my template, basically I’m saying it should only look like 10, 30, and 200 and nothing else. So now because there is a 20, a line 20 that’s there, that would be an interruption in the sequence of consecutive elements.

    Rich Martin • 15:08

    And this should trigger, once I save this and run this, this should trigger and generate a warning for us. So I’ll go back. This is where we test and run this compliance check. It’s going to pull the configuration, take a look at it, compare it to our Golden Config, and you’ll see we’re not all green here. We have two warnings. We have warnings on some lines here. If we take a look at the compliance report, and it’s always going to show the topmost one, the latest one here, you’ll see that if I click into this, it’s telling us the list ordering was strict for this particular set of lines that we need to remediate this in the configuration.

    Rich Martin • 15:48

    And it tells us which lines, which ordered list was identified as problematic. Obviously, this is when we configured, but it’s also saying at line 30, where I expected to see line 30, this is where the sequence broke and it was not what I expected. So this allows you to go back into the actual device config and determine at that particular line, what’s in there that ought not be in there. And so this is how strict ordering works. Again, it’s strict. And so it follows the list of elements consecutively, one by one, and there can be no interruptions in the order. So let’s go back to our configuration template again, and now let’s make a change.

    Rich Martin • 16:34

    So if I highlight this and I go back to none, we can save it. Now let’s talk about the next one is loose ordering, right? So we had strict, now we have loose ordering. So with loose ordering, the ordering is still required for the list. So everything still has to be in the same order. So 10 has, so 200 has to come after, 30 has to come after 10.

    Rich Martin • 16:57

    And those elements still have, they still all have to be in there. So everything in the list has to be in the list and they have to be subsequent, but they don’t have to be consecutive. So in this case, because there’s a 20 in between 10 and 30 in the live running config, with a loose config setting on a list, it’s going to allow and say, this is a passing audit. If this is set to loose, just as long as 30 comes before 10 and 200, sorry, 30 comes after 10 and 200 comes after 30 and 10. So the sequence is important, but if any rules appear in between these, then those are also permitted as well. So it’s a little loosening of the order, right?

    Rich Martin • 17:44

    And this might be great if you want to identify and place some very specific items in very specific places, right? So your deny any, any, or your allow any, any. These things could be useful to make sure they’re in the right order and everything else must appear in between there that’s applicable, right? So you can have some loosening of this based off of your use case. So with that being said, I think I saved it, but we’ll save it again. And now we should see, unlike the strict, if I run a compliance report here, it should pass this without any issues. Because again, we are in kind of a looser ordering here.

    Rich Martin • 18:27

    The 20 that comes between the 10 and the 30 is permissible where in strict it’s not permissible. So we’ve done strict ordering, we’ve done loose ordering. Let’s talk about some other rules around exclusions and exclusivity. That’s a tough word. Exclusivity and strict ordering seem to be very similar. So let me go back to none here. We’ll update this. For this, recall that if I set this to strict, it’s going to generate an error when I run the compliance report because there’s a 20.

    Rich Martin • 19:12

    In strict says, every element in the list must appear in the right sequence consecutively, one after another. There cannot be in-betweeners between them. That is not permissible. So if we were to run this now with strict, it’s going to fail because of those rules. Now, we also have the ability to even take a step further in our stance with exclusivity, which is exactly these items, this particular feature here. So I’ll show you how this works. So we can create, we can go back to no ordering here.

    Rich Martin • 19:51

    Update this, and now if I continue to select the top one, and I click on exactly these items for this list, this is exclusivity. This means everything in the list is required in the same consecutive sequence just like in strict ordering. That part is the same. If there’s any intermediate in between lines like 20 here, you’ll still generate a failure of some sort. But in this case, we’re saying only these things, and we’re taking a different stance internally. The stance we’re taking internally is a little more strict in the sense that if anything appears outside of what’s listed here, so in this case, that line 20, we’re going to flag it, and we’re going to take the stance that it should be completely deleted.

    Rich Martin • 20:48

    So in strict ordering, it says, hey, you should take a look at this, make the determination on whether you want to delete this from the configuration, or if you want to delete this, perhaps from your golden configuration template in Config Manager. In the only mode, which is here, which is you see this tag here, we’re basically saying anything that is not in this list that we determine is out of sequence and does not appear in this list should be deleted. This might be very useful for things like preventing ghost configurations. What is a ghost configuration? It’s stuff that gets added to a configuration, could be an ACL, could be an interface, could be all kinds of stuff. And over time, somebody adds it and forgets what it was for. And over time, they forget who added it, and they forget what it’s used for, and nobody wants to touch it.

    Rich Martin • 21:37

    Thank you. And so it just carries on and it might be something, cause if you touch it, if we delete it, something might be deleted and it becomes a ghost config. We have no idea what it was tied to, but it’s there. It’s probably best, we would like to get rid of it, but we can’t because it might break something and we don’t want to incur that penalty. So how do you approach preventing that? Because in a lot of cases it’s already happened. You can use this particular feature to really lock down the list.

    Rich Martin • 22:07

    So if anything gets added and a report is put out there, you can immediately identify all those lines and even remediate them in this application or auto remediate them in an automated workflow. So what does that look like? We go here, if we run this now, it should come back because of line 20 and tell us that’s a no-go, right? If we look at the compliance report itself, it’s going to tell us exactly, this is a disallowed command and we can actually remove it here. So, how is that different from before? Before, this is a strict ordering, so this is the report from a couple of minutes ago.

    Rich Martin • 22:50

    It’s telling us to remediate this ourselves. In this case, it’s saying, I’ll be happy to remediate it right here if you click the remove button. And if there were more than one line, they would all appear. So, you can quickly remove these things. Again, the stance is a little bit more stringent here. We don’t want these things. We want to make it easier for you to remove these because we are trying to prevent things like errant, forgotten, lost, ghost configurations from applying.

    Rich Martin • 23:17

    So, there’s another tool in the toolbox for ordered lists that you can build really complex and valuable compliance rules with. Now, the last one we’ll talk about is excluding items from list ordering. So this is a little different. So what I’ll do here is if I remember if I put this on, well, not strict, let’s make this loose. So that’s loose, LLO is List Loose Ordering. Update that. Now, this section will pass.

    Rich Martin • 23:52

    Now, here’s what’s interesting, because this is sequenced, it’s not a great example of how to show this particular feature. So what I’m gonna do is I’m going to add another type of configuration here. Now, of course, if you know IOS, which most majority of people do, you’ll know that this is an interface configuration, but technically this is also a list. It’s indented and we can operate lists on this as well. And notice here, like I said earlier, you don’t have to represent your entire configuration for a device here. That would not work because there’s a lot of things that are specific to a device, IP addresses and host names and things like that. You only want to express in your golden configuration templates, the things that we’re super interested in that are applicable to many different types of devices.

    Rich Martin • 24:42

    Now, I know this is a specific interface. We’ll use this as an example. There are ways to actually dynamically generate lots of different rules for an entire set of interfaces. We won’t get into that there, but there are a lot of flexible features here. But just to illustrate how we can do exclusions from rules. So notice here when you create an interface in a Cisco device, you can put IP address and description, whatever order you want as you’re configuring it. And it’s going to reorder it when you do a show config, and it’s going to put the description first after the IP address.

    Rich Martin • 25:15

    So this is, if I were to do a show config on that device and look at loopback 300, it would show just like this. But, and so if I do something like this though, and I put it in a different order, so everything is misordered, and then I set this to strict ordering. This should trigger an error or a warning and fail the compliance check because it’s out of order. Remember, strict ordering is every element ordered consecutively one after the other. So by switching these around, when it takes a look at the current configuration, it’s going to see description before IP address, and it should generate a warning for us. Actually, one of the things we can do is we can generate errors too.

    Rich Martin • 26:05

    So in the case of especially very strict things, you can change the severity to error. If I update this, and when you run a compliance report, this really gets your attention when errors pop out. Now we’re building a compliance audit on this. You see the red is an error, warnings are orange. If we take a look at the compliance report now, you’ll notice that indeed this is pointing out, this is strict ordering. This is what I ran into on this line. This shouldn’t have been here.

    Rich Martin • 26:37

    You need to take a look at the configuration and manually remediate this. That’s the nature of strict ordering. Now, let’s take a look at this one last feature and see how it works in the context of strict ordering. So now if I highlight this particular line in the list, so there’s only two elements in the list, IP address and description, and I select from the dropdown here exclude, what that means is it doesn’t mean exclude this from the check. It still has to be in the list. What this is saying is just exclude it from the ordering rules that are applied to the entire list. So this is the LX.

    Rich Martin • 27:14

    So this is the exclusion from the list ordering rules. So it still has to be in there. It just can be in anywhere in the elements, in any of the different elements of the list. If you think in terms of an unsequenced list, this is really useful. So now if we go back and run the compliance report, what you’ll see is that because we’ve given that particular line the ability to appear anywhere in the list order, it’s acceptable that it’s below the IP address, even though when it is looking at the configuration, the list is the opposite. Description comes first and then IP address. With that, hopefully that illustrates how you can leverage just a handful of compliance rules that are specific to ordered lists, so you can apply them to all different vendors and all different CLI types.

    Rich Martin • 28:10

    For things like ACLs, firewall rules, even lists of servers or services like DNS, NTP, syslog depending on what network OS you’re running, what vendor you’re running. All of these things are possible. And again, not only just for CLI driven and managed network services and devices, but also for API. So something that’s managed through a controller like SD-WAN. If we can do an API call into that system, generate a list of configuration options that have been defined for a service, we can express that as a JSON object and then apply list rules that way too that are very similar to what we’re doing in CLI. That’s not the focus here, this is for CLI, but know that the same feature sets exist for both of those types. Because again, we want these types of tools to be applicable to all parts of your network, legacy, modern, CLI, or API.

    Rich Martin • 29:09

    Now, let’s go. That is how you can build lists. This is how you can order them. There are lots of things you can do. We use very simple examples here. I’m sure you have lists, especially ACLs, firewall rules, that number in the dozens or hundreds perhaps, maybe more. But this gets you the main idea and the main goals of what these features can do for you.

    Rich Martin • 29:31

    Hopefully, your mind can start from there and figure out how this can be super valuable for you. Now, that being said, let’s continue on because this is an application in our platform that’s going to help you manage your network around compliance. You’re going to have all sorts of tools in your network, in different domains that are going to be able to automate things for you. Quite honestly, while this is doing some automation, it still requires us once we’ve built a golden configuration and maybe added a bunch of devices here to go and run compliance manually. What you should be looking at is how do you leverage all these tools together and start automating them as steps in a task. That would be really helpful if you could do that. Again, since we’re focusing on this application, but since we’re an automation and orchestration platform, we’ll show you how to integrate this tool, but not just this tool, all kinds of other tools that you may have that aren’t in our platform, and how you can use those in a workflow really quickly.

    Rich Martin • 30:29

    Now, if I go into our platform from here, if I go into Automation Studio, I’ve created a project that we can work on for creating a workflow to automate the manual steps that I would normally take in that particular application and configuration management. And so how do we do that? So on the left-hand side here, this is a palette. So you’re seeing a workflow here. I have a stub task. This is just a placeholder task. It does nothing, but it’s helpful as you’re starting to kind of build the framework of perhaps an orchestrated workflow that has multiple steps, but you got to start somewhere.

    Rich Martin • 31:05

    And we start with a single step, a stub task. What I want to do now though, is even though that application is great in Configuration Manager, it requires me to, let’s say I wanted to run that golden configuration audit report weekly. And so that will require somebody to go in, click the run report and look at the results, determine whether if there was something going on or if it was all green. We should be able to automate that and we can. So everything that you saw and more inside of the Configuration Manager application in our platform has APIs for every one of those features and functions. And those APIs can be run from a workflow in our platform, but it’s not exclusive to just things in our platform, right? You’ll see here that we have the ability to integrate with both networking and non-networking solutions, platforms, systems, anything in your environment.

    Rich Martin • 32:04

    Because we wanna take you from using those great automation tools, leveraging them in a workflow. So now you can automate steps in a workflow and then tying that together as you start to think about the bigger, broader processes that lead up to using these tools, like clicking a button to run compliance and allowing you to automate those steps. And all of a sudden, you’re orchestrating end-to-end processes. And so this is the direction we’re helping our customers go. They’ve got a bunch of great automation tools and we’re helping them leverage those tools together along with all the other things in their environment, like ServiceNow and Jira and Sources of Truth, like Netbox and Infoblox and even message notifications like Slack and Teams and leveraging all those together in workflows. So you can actually drive even more efficiency in your organization. So in this case, let’s just start simple.

    Rich Martin • 32:53

    Let’s go to Configuration Manager and let’s take a look at all of the tasks, which are basically API calls into that application that we have available to us in this palette. It’s as simple as dragging and dropping. Now, of course, I know that there’s a lot of options here. What we want to do is we’re wanting to run a compliance report for a node. If I grab this run compliance for a node, and I can drop it right into our box here. If I double-click this, it’s going to give me a list of variables that I can fill out that are necessary in order for this to run.

    Rich Martin • 33:33

    This is essentially what I was clicking to run a compliance report. I’m going to automate that in a step in a workflow. I don’t have to click that. We’ll see why is that important as we go forward, because this is the start of this automation journey, where we can start leveraging these tools together. The tree ID comes from actually the Configuration Manager. If I go here and view the metadata, I get the ID.

    Rich Martin • 34:02

    So this is the identifier for this golden configuration template, and specifically this node on the tree, and the version is initial here. So that’s where that information is found. So I can just paste that into here. Version here is going to be initial. And the node path is going to be the base node. We didn’t create any other child nodes and do any of the hierarchy stuff. And really that’s all I need to do here.

    Rich Martin • 34:30

    So if I close that and I save it, we’ve basically just created our first automated workflow that’s automating the click step to run the compliance report. So if I run it from here, Automation Studio is where we build, it’s the canvas where we visually build these workflows. So now if I run it, it’s gonna instantiate it, run this as a job, and then actually go through this step-by-step and show us the inputs and the outputs for every step. So I said, this stub is just a placeholder. There’s nothing going on here, but I can double click it and you can see incoming and outgoing variables that are feeding into it and going out of it as this step is executed. The one we’re looking for here is to run the compliance for a node. So this is the functional equivalence of me going to that particular page in Configuration Manager under the devices and clicking Run Compliance Report.

    Rich Martin • 35:28

    So you’ll see, this is what I filled out from that form when I double clicked it, all those variables. And then the outgoing is the response back from the API call to run the compliance report. And one of the things I wanna point out here is that this was completed and it generated some information about reports. In this case, that data is stored in a JSON object that gets returned to us. One of the things we’re looking for is we can now start to build this workflow out to start to make some decisions for us on whether or not something was passed or failed. One of the things we can look for is before we look at the output.

    Rich Martin • 36:07

    Remember, I was looking at green, that little green bar. Well, programmatically, how do we do the little green bar? We can look at the output from that compliance node check, that report. We get all kinds of information and a very simple way to see it is this grade pass. There’s a pass or a fail here. Obviously, you can get a little more granular. You can see your warnings, your errors, your info, so you can build some logic around that.

    Rich Martin • 36:33

    But for a simple build of a workflow, let’s just use this grade pass and let’s build an evaluation as our next step here. We were able to automate that one step of clicking it, and now we can automate getting the information back from that, the visual information we would normally manually see, and even clicking into view the compliance report, all of that information is available that’s returned back from this API call. Now we can just extract the things that we need and start to build more logic into this workflow. I’ll close this out and we’ll go back to Automation Studio where we are building this out some more. So as our next step, I can filter tasks here by a search, and I can do evaluation by searching for eval. If I pop eval onto our line here, Evaluation task allows us to take a look at some data from a subsequent task and query it and evaluate it so that we can have a branching path.

    Rich Martin • 37:33

    So in this case, if the report passed, that compliance audit passed and the report said passed of that grade, let’s go down one branch. But if it failed, let’s go down another branch. That’s the idea here. So in the evaluation, I have to add a new evaluation group. And in this case, I want to add an evaluation. And it’s going to say, well, what are you evaluating? What type of information are you evaluating?

    Rich Martin • 37:58

    I want to take a look at a string because that was the data that we want to extract. But that data is coming from a previous task. It’s not something I’m defining here. And that task is this particular run compliance for node tasks. So I can select any of the previous tasks here. It’s going to auto select the most previous one. And then the task variable is the data that is output from it.

    Rich Martin • 38:20

    So it automatically detects that. And now from that, remember, it was a very large JSON object. I just want to extract through a query one particular part of that. And the part that I want was that grade. So I have to identify in the JSON what that is. And it would be identified as reports zero dot grade because reports was an array, and I want the very first element of the array.

    Rich Martin • 38:44

    You could iterate over the array if you needed to, but in this case for testing, we just want the first element, so that’s element zero in those brackets. Then dot grade is the grade key in the JSON that was under the reports array for element zero. That needs to not just contain, but it needs to equal. In this case, what are we comparing it to? Let’s say if it passes. So now that we’ve done that, we’ve created our evaluation and I can detach this, and I can reuse this stub over here because what we’re really going to end up doing is we’re going to create a fail path going this way. So the evaluation is going to run.

    Rich Martin • 39:31

    If it passes, that means the audit was a pass and it’s going to go to end. But here, we want to do a fail path. Now, you’ll see that this is green. This is on a success. So here, we need to change this to a failure. So it’s going to change to a purple. So if the evaluation doesn’t work out, then it’s going to take this path, in which case it was a fail.

    Rich Martin • 39:56

    Now, we have a subsequent fail path here, and I can rename this to Oops, I can rename this. How’d it failed? Just to identify it. Again, stubs are great for frameworks. And then from here, I can have it go back to the end. All right, so let’s give this a roll.

    Rich Martin • 40:23

    Let’s see how this goes. Let’s run it so we can test run it from here. And now we’ve just added a subsequent step. Remember, we’re automating, not just running the compliance check. We also want to evaluate, we want to automate the other steps subsequent to that. What was the result of it? And if it was a success, which it took this path here, so it took the success path, then we don’t have to do anything.

    Rich Martin • 40:51

    Everything was right on the money, right? Our compliance audit was great. But if it fails, we need to do something. We need to dig into that report. We need to find out what’s going on. We need to figure out why it failed. So we just saw a success path here.

    Rich Martin • 41:04

    So let’s make a change to our configuration template. If we simply go, if we change this back to strict order, this should cause us to fail because remember, there’s a 20 in between here and strict order says the ordering and the sequence must be consecutive. So save that. Now if I go back to here without any changes, just changing the template itself, I run this, this should give us our fail path through that stub task. So it runs the compliance node, the evaluation is going to check, you see here the audit has failed. So it’s taking this, you see this blue check, this is the path it’s taken and now it’s gone to end. So now we’ve created, we’ve gone from having a really awesome tool that can help us with compliance to now automating several steps of using that tool through APIs. And again, this is a tool in our platform, but it’s not just limited to our platform. These are, when we onboard anything, whether it’s network or an IT system like Netbox, if those APIs are published, we can use them as tasks that we drag and drop into any workflow. Finally, along that same line, we now have a fail path, we now have a path here. If something were to fail, someone needs to look into it. But it would be even better if we could be told when it failed, and not just me, but let’s say an entire team. This is where we start getting into the idea of orchestration, adding more things to this. We started off with compliance, ordered list, critically important, great features to be able to do this.

    Rich Martin • 42:41

    And now we’re adding this to a workflow to automate that task and how it’s run. And then ultimately, we’re starting to think in terms of, what else can I add here that would drive more efficiency in my organization, make us be able to react faster. So we could add things like opening up tickets, right? You can document when something has failed, but let’s do something simple. If I save this, what’s already saved, let me flip over to here, this is a complete workflow. What you’ll see here is I’ve added, I’ve replaced the stub task with a notification in MS Teams. This would allow us to now go and think about the process, we’re just automating, to now, we’ve created the golden configuration template.

    Rich Martin • 43:22

    We can run it manually from within the application, but we don’t have to. We have just built an automation to run the template and then to get the results from the template and determine whether it was a pass, in which case everything’s good and nobody needs to know about anything because it’s a pass. Or if it’s a fail, somebody needs to take a look at it and evaluate what needs to be done. In this case, if we were doing this manually, that somebody would be me clicking on the report, looking at green, and then if it’s not green, if it’s orange or red, I need to go and view the compliance report, I need to dig down into it and figure out what’s going on. What if we could take that as an additional step and push that out into MS Teams or Slack, or whatever notification systems is, you have into a channel where the network engineers that are on duty can all see that something failed and so whoever’s available can immediately start to react to it. This is just one step. You could do things like auto-remediate under certain circumstances using the logic built into a workflow. You could do things like automatic documentation.

    Rich Martin • 44:25

    I can open up a ticket, I can pull information from the compliance report, I can pull live information from the configuration, I can show you what it should be, what it isn’t, and append that into the work notes of a ServiceNow ticket or Jira issue. All of these things are possible. You just have to start with a single step and start working it from there. If I hit run here, remember, this should take the fail path, so this should be able to trigger through and go to our ServiceNow, which used to be a stub, but now it’s going to make a post into MS Teams and tell us that the compliance has failed. Here we go, we’ve gone through that, now we’ve taken this path. I have Teams right here opened up, and this is the last read, and you can see scheduled list compliance report failed.

    Rich Martin • 45:13

    I’ve embedded into that particular task the ability to click through to look at the job details or look at the golden configuration. Again, now an entire team can be aware of what’s going on. They can look at the job itself directly from Teams and say, aha, this is what failed. Let me double-click into this and take a look at what happened, or they can look at the golden configuration itself. I embedded that into the Teams message with hyperlinks into the actual golden configuration. Now, they can look at the report directly and see what triggered and what failed. This is the idea of how you can step from automation tooling with manual processes behind it to finally going into

    Rich Martin • 45:55

    building a workflow so that you can automate these particular steps. And then finally, since this is pretty much a completed and useful workflow, we can publish it in our platform so that it can be useful outside of just running it here in Automation Studio. In fact, in Automation Studio, this is where you’re building, testing, and creating. When you’re done, you need to publish that workflow as an automation somewhere. So if I go back here into Operations Manager, I can now publish this. And in this case, because it’s a compliance report, I can create a new automation workflow. I can call it Scheduled Compliance Webinar.

    Rich Martin • 46:49

    I hit Create. All I have to do here is search for, I think I call it main workflow. Yeah, main workflow completed in my particular project. I specify the workflow we just built out. I create a trigger for it. This trigger, you name it. In this case, there’s different types of trigger types.

    Rich Martin • 47:10

    We can attach a workflow that we’ve created when we publish it to an API. It can be run in response to an event, internal or external event. It can be manually run. So think in terms of self-service within our platform. API would allow you to do self-service outside of our platform. So a workflow can be run from like a ServiceNow catalog. Or in this case, we want to schedule it.

    Rich Martin • 47:33

    Compliance report, right? So we can start this Saturday at 4 a.m. We can repeat it every week or every day. If there’s a missed run, we don’t go back and do it, and there’s no forms, and that’s optional. Forms allow you to pass data to a workflow. We don’t need anything here. Everything is built-in and self-sufficient.

    Rich Martin • 48:06

    With that, we have now a scheduled workflow that’s running compliance on our ordered list. For a single router, I can now start to add more routers to this or an entire group of routers that use like CLIs and that it would have like ACLs, could be service ACLs to who can access that particular device through the management network. This is going to run every 4 a.m. every week, and if there’s a pass, everything is quiet on the set, and if there’s a fail, it’s going to send out a message into our Teams channel that says, hey, somebody take a look, by the way, click into either one of these two things to take a deeper look into what went wrong. So you can immediately react based off of who’s available, who’s looking at the channel, and you don’t have to waste any time trying to figure out where I need to go to find it. Like you have that ability to do all of that within our platform. And so with that, I just wanted to say, thank you very much for tuning into this webinar.

    Rich Martin • 49:05

    Hopefully you learned how to use the compliance, ordered list for compliance, CLI compliance options. There’s just a handful of them, but they’re so flexible. They give you the ability to do a lot of really important and really valuable things in your golden configuration templates. That’s one set of features in our templates. I hoped I showed you at least a glimpse of some of the other features in our templates. Again, I encourage you to take a look, get a deeper dive if you’re interested into some previous webinars or on our website to find out more about how we do golden configuration and config templates.

    Rich Martin • 49:41

    And then beyond that, I hope you can see how this journey is the beginning that drives more efficiency for your team, for your organization, for your business, by allowing you to leverage the automation tools that you may get from us or from wherever, from other vendors, from open source, how you can leverage those together in a workflow to save your team time, and then how you can ultimately orchestrate that with all kinds of other steps and processes that are not necessarily network related, but still time consuming and always part of a general process that you’re following. And now you can model those in a workflow, save all kinds of time and publish that. And in the case of compliance, you might wanna publish that in a scheduled way and make it super easy for your team to understand, manage what’s going on in the network, know that reports are running and be able to respond to them immediately, driving, again, more efficiency in your organization. So thank you very much for your time, and I look forward to talking to you again. Bye-bye.