ManageEngine Network Configuration Manager Integration Guide

Network Configuration Manager is a web-based network configuration, change and compliance management (NCCCM) solution for switches, routers, firewalls and other devices. With NCCCM, hardware vendors, such as Cisco, can take total control of the entire life cycle of device configuration management. This document describes the steps to integrate ManageEngine Network Configuration Manager with your WatchGuard Firebox®.

Platform and Software

The hardware and software used to complete the steps in this document include:

  • Firebox with Fireware version 12.8.1
  • ManageEngine Network Configuration Manager version 12.6.102
  • Test environment: Windows 10

Test Topology

This diagram shows the test topology.

Diagram of the test topology

Set Up Firebox

Use these steps to set up a Firebox.

  1. Log in to Fireware Web UI at:
    https://<IP address of Firebox>:8080
  2. Select Firewall > Firewall Policies.

Screen shot of the Firewall Policies page

  1. Click Add Policy.
    The Add Firewall Policy page opens.
  2. Select the Custom check box.
  3. In the Custom drop-down list, select Select a Policy Type.
  4. To create a new custom policy template, click Add.
    The Add Policy Template page opens.

Screen shot of the Add Policy Template page

  1. In the Name text box, type a policy name.
  2. In the Type section, select Packet Filter.
  3. In the Protocols list, click Add.
    The Protocol dialog box opens.

Screen shot of the Protocol dialog box

  1. From the Type drop-down list, select Single Port.
  2. From the Protocol drop-down list, select TCP.
  3. In the Server Port text box, type 4118.
  4. Click OK.

Screen shot of the completed Policy Template

  1. Click Save.

Screen shot of the Add Firewall Policy page

  1. Click Add Policy.
  2. Configure the policy to allow connections from Any Trusted to Firebox.
    You can also select Any-Optional to Firebox, depending on which port is connected.

Screen shot of the Add Policy page

  1. Click Save and review the new policy.

Screen shot of the added policy

Set Up Network Configuration Manager

Use these steps to set up Network Configuration Manager.

  1. On a computer with Network Configuration Manager installed, open a web browser and, in the address bar, type:
    http://localhost:8060/apiclient/ember/Login.jsp
  2. Log in with your user name and password.

Screen shot of the Network Configuration Manager login page

  1. Select Inventory > Devices > Add Device.

Screen shot of the Add Device menu item

  1. In the Choose Action setting, select Add Device.

Screen shot of the Add Device page

  1. In the Hostname/IP Address text box, type the Firebox interface IP address.
  2. From the Vendor drop-down list, select WatchGuard.
  3. From the Device Template Name drop-down list, select WatchGuard Firewall.
  4. From Associate Tag, select No Tags.
  5. Type the Series number and Model type.
  6. Click Add.
    The Apply Credentials dialog box opens.

Screen shot of the Apply Credentials dialog box

  1. From the Protocol drop-down list, select SSH-TFTP.
  2. Select the Primary tab.
  3. From the Use Credential Profile drop-down list, keep the default setting.
  4. In the Login Name text box, type the user name for an administrative user on the Firebox.
  5. Under Authentication Mode, select Password Auth. In the password text boxes, type a password for an administrative user on the Firebox.

Screen shot of the Apply Credentials dialog box

  1. In the Prompt text box, type #.
  2. Leave all other text boxes empty.
  3. Select the Additional tab.
    The settings for additional credentials open.

Screen shot of the Apply Credentials dialog box with Additional selected

  1. Leave the TFTP/SCP Server Public IP text box empty.
  2. In the SSH Port text box, type 4118.
  3. For all the other text boxes, accept the default ":" entry.
  4. Click Save & Test.
    At this step, make sure that a user is not currently logged in with the CLI or Web UI of the Firebox.
  5. After you apply the credentials, Network Configuration Manager generates a report that shows whether the credentials are valid.

Screen shot of a successful test result

Test the Integration

This section describes how to test the integration.

Add the WatchGuard Firebox to the Network Configuration Manager

The procedure in the previous section describes the steps to directly add the Firebox by its IP address. For information about other methods to add devices, see the ManageEngine Network Configuration Manager documentation.

After you add a Firebox to Network Configuration Manager, you can back up the configuration, and you can connect to the CLI on the Firebox.

  1. Log in to Network Configuration Manager.
  2. Select Inventory > Devices.
  3. Select the added device.
  4. Click ...
  5. Click Backup.

Screen shot of the device page - status Not Backed Up

  1. When the backup finishes, the device status shows that the backup is successful.

Screen shot of the device page - status Backup Success

  1. Click the Host Name of the device to open the device page.

Screen shot of the device info page

  1. Click SSH to open the SSH Terminal. You can execute any Fireware CLI command from here.

Screen shot of the SSH terminal

Firebox Restore Configuration

To restore a previous configuration to the Firebox:

  1. Click Upload Config.

Screen shot of the Upload Config menu item

  1. Select the version to restore, and click Upload.

Screen shot of the Upload Config dialog box

Firebox Command Configlets

Network Configuration Manager can perform a variety of actions using command Configlets, which execute Fireware CLI commands. For example, you can use a Configlet to display information or modify a Firebox configuration.

To add a Configlet:

  1. On the device page for your Firebox, select Config Automation > Configlets > Add Configlet.

Screen shot of the Add Configlet menu item

The Add Configlet dialog box opens.

Screen shot of the Add Configlet dialog box with settings configured

  1. In the Name text box, type a name.
  2. From the Execution Mode drop-down list, select Advanced Script Execution Mode.
  3. In the Description text box, type a description.
  4. From Associate Tag, select No Tags.
  5. In the Configlet Content text box, type a command or command group to run on your Firebox.

For example, these CLI commands change the IP address of a Firebox interface:

  • <command timeout='5'>show interface</command>
  • <command timeout='5'>co</command>
  • <command timeout='5'>interface fa 6</command>
  • <command timeout='5'>ip address 1.1.1.1/24</command>
  • <command timeout='5'>exit</command>
  • <command timeout='5'>exit</command>
  • <command>show interface</command>

  1. Disable Configuration Backup (optional).
  2. Click Save.
    The new Configlet is added to the Configlets list.
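
As an added example (not part of the original guide or of ManageEngine's tooling), this Python sketch parses Configlet content in the format shown above and reports which commands go beyond read-only `show` and `exit`, so a change such as the interface IP address edit can be reviewed before it is executed on a device group. The function names, the read-only word list and the treatment of `co` as an abbreviation of `configure` are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the configlet content shown in this guide, one element per line.
SAMPLE = """\
<command timeout='5'>show interface</command>
<command timeout='5'>co</command>
<command timeout='5'>interface fa 6</command>
<command timeout='5'>ip address 1.1.1.1/24</command>
<command timeout='5'>exit</command>
<command timeout='5'>exit</command>
<command >show interface</command>
"""

# Assumption for this sketch: only these leading words are treated as read-only.
READ_ONLY = {"show", "exit"}

def is_config_entry(word):
    # Assumption: "co", as used in this guide, abbreviates "configure".
    return len(word) >= 2 and "configure".startswith(word)

def review_configlet(content):
    """Return {'commands', 'modifies', 'findings'} for one configlet body."""
    result = {"commands": [], "modifies": False, "findings": []}
    if "<!" in content:  # no DTD, entity or comment markup is expected here
        result["findings"].append((0, "unexpected markup declaration"))
        return result
    try:
        # The body is a run of sibling elements, so wrap it in a root to parse it.
        root = ET.fromstring("<configlet>" + content + "</configlet>")
    except ET.ParseError as err:
        result["findings"].append((0, "not well-formed: %s" % err))
        return result
    for n, el in enumerate(root, start=1):
        text = (el.text or "").strip()
        if el.tag != "command" or not text:
            result["findings"].append((n, "not a usable <command> element"))
            continue
        result["commands"].append(text)
        timeout = el.get("timeout")
        if timeout is None or not timeout.isdigit():
            result["findings"].append((n, "timeout missing or not a number"))
        word = text.split()[0].lower()
        if is_config_entry(word):
            result["modifies"] = True
            result["findings"].append((n, "enters configuration mode"))
        elif word not in READ_ONLY:
            result["modifies"] = True
            result["findings"].append((n, "not read-only: " + text))
    return result
```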

Screen shot of the Configlet list

  1. To execute a Configlet, click Execute.
    The Execute Configlet page opens.
  2. Select the Device Group tab, and select a device group.
  3. Select the Devices tab, and from the Selected Devices list, select the target device.

Screen shot of the Execute Configlet dialog box with a device selected

  1. To execute the Configlet on the device that you select, click Execute.
    When the execution is complete, the Execution Status changes to Completed.

Screen shot of a Configlet with Execution Status Completed

  1. For information about a Configlet that was executed, from Configlet Name, click a Configlet.
  2. From the Host Name section, click the IP address of the device.

Screen shot of the Configlets Execution Details page

  1. Review the execution details and the results of each command. In this example, you can find the interface number and verify the IP address was successfully changed.

Screen shot of the Configlets Execution Details for this example