ManageEngine Network Configuration Manager Integration Guide

Network Configuration Manager is a web-based network configuration, change, and compliance management (NCCCM) solution for switches, routers, firewalls, and other devices from Cisco and other hardware vendors. It manages the entire life cycle of device configuration. This document describes the steps to integrate ManageEngine Network Configuration Manager with your WatchGuard Firebox®.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • Firebox with Fireware version 12.2.1
  • ManageEngine Network Configuration Manager
    Version 12.3.218
  • Test environment: Windows 10

Test Topology

Test Topology

Set Up Firebox

  1. Log in to Fireware Web UI at https://<IP address of Firebox>:8080.
  2. Select Firewall > Firewall Policies.

Screen shot of the Firewall Policies page

  1. Click Add Policy.
  2. Select the Custom check box.
  3. In the Custom drop-down list, select --Select a policy type--.
  4. To create a new custom policy template, click Add.
    The Add Policy Template page appears.

Add Policy Template

  1. In the Name text box, type the policy name.
  2. In the Type section, select Packet Filter.
  3. In the Protocols list, click Add.
    The Protocol dialog box appears.

Screen shot of the Protocol dialog box

  1. From the Type drop-down list, select Single Port.
  2. From the Protocol drop-down list, select TCP.
  3. In the Server Port text box, type 4118.
  4. Click OK.

Screen shot of the completed Policy Template

  1. Click Save.

Screen shot of the Add Firewall Policy page

  1. Click Add Policy.
  2. Configure the policy to allow connections from Any Trusted to Firebox.
    You can also select Any-Optional To Firebox depending on which port is connected.

Screen shot of the Add Policy page

  1. Click Save and review the new policy.

Screen shot of the added policy

Set Up Network Configuration Manager

  1. On a computer with Network Configuration Manager installed, open a browser and enter http://localhost:8060/apiclient/ember/index.jsp#/.
  2. Log in with your user name and password.

Screen shot of the Network Configuration Manager login page

  1. Select Inventory > Devices > Add Device.

Screen shot of the Add Device menu item

  1. In the Choose Action setting, select Add Device.

Screen shot of the Add Device page

  1. In the Hostname/IP Address text box, type the Firebox interface IP address.
  2. From the Vendor drop-down list, select WatchGuard.
  3. From the Device Template Name drop-down list, select WatchGuard Firewall.
  4. Type the Series number and Model Type.
  5. Click Add.
    The Apply Credentials dialog box appears.

Screen shot of the Apply Credentials dialog box

  1. From the Protocol drop-down list, select SSH-TFTP.
  2. In the Options, select Primary.
  3. Keep the default setting for Use Credential Profile.
  4. In the Login Name and Password text boxes, type the user name and password for an administrative user on the Firebox.

Screen shot of the Apply Credentials dialog box

  1. In the Prompt text box, type #.
  2. Leave all other text boxes empty.
  3. In the Options section, select Additional.
    The settings for additional credentials appear.

Screen shot of the Apply Credentials dialog box with Additional selected

  1. Leave the TFTP/SCP Server Public IP text box empty.
  2. In the SSH Port text box, type 4118.
  3. For all the other text boxes, accept the default ":" entry.
  4. Click Save & Test.
  5. After you apply the credentials, Network Configuration Manager generates a report to show whether the credentials are valid.

Screen shot of a successful test result

Test the Integration

Add the WatchGuard Firebox to the Network Configuration Manager

You can add the Firebox with any of these methods:

  • Directly add the Firebox by its IP address, without SNMP credentials
  • Manually add the Firebox by its IP address or IP address range scan, with SNMP credentials
  • Automatically import the Firebox information from a .CSV or .TXT file, with SNMP credentials

The procedure in the previous section describes the steps to directly add the Firebox by its IP address. For information about other methods to add devices, see the ManageEngine Network Configuration Manager documentation.

After you add a Firebox to Network Configuration Manager, you can back up the configuration, and you can connect to the CLI on the Firebox.

  1. Log in to Network Configuration Manager.
  2. Select Inventory > Devices.
  3. Select the added device.
  4. Click ...
  5. Click Backup.

Screen shot of the device page - status Not Backed Up

  1. Confirm that the device status changes to Backup Success.

Screen shot of the device page - status Backup Success

  1. Click the device Host Name to open the device page.

Screen shot of the device info page

  1. Click SSH to open the SSH Terminal. You can execute any Fireware CLI command here.

Screen shot of the SSH Terminal

Firebox Sync & Restore Configuration

You can use the Sync Configuration action to get the current device configurations, and show the difference between different configuration versions. You can also restore a previous configuration to the Firebox.

  1. Make any necessary configuration changes in your Firebox configuration.
  2. In the Network Configuration Manager device page, click in the top right of the page.
  3. Click Sync Configuration.

Screen shot of the Sync Configuration option

  1. Wait until the Sync Configuration action is complete.
  2. On the device page, the Health tab shows a summary of differences between two configurations. Click Health to see details.

Screen shot of the Health page with differences from baseline

  1. To restore a previous configuration to the Firebox, click Upload Config.

Screen shot of the Upload Config menu item

  1. Select the version to restore and click Upload.

Screen shot of the Upload Config dialog box

Firebox Command Configlets

Network Configuration Manager can perform a variety of actions using command Configlets, which execute Fireware CLI commands. For example, you can use a Configlet to display information or modify the Firebox configuration.

To add a Configlet:

  1. On the device page for your Firebox, select Settings > Configlets.

Screen shot of the Add Configlet menu item

  1. Select Add Configlet.
    The Add Configlet dialog box appears.

Screen shot of the Add Configlet dialog box with settings configured

  1. In the Name text box, type a name.
  2. From the Execution Mode drop-down list, select Advanced Script Execution Mode.
  3. In the Description text box, type a description.
  4. In the Configlet Content text box, type a command or command group to run for your Firebox.

For example, these CLI commands change the IP address of a Firebox interface:

  • <command timeout='5'>show interface</command>
  • <command timeout='5'>co</command>
  • <command timeout='5'>interface fa 6</command>
  • <command timeout='5'>ip address 1.1.1.1/24</command>
  • <command timeout='5'>exit</command>
  • <command timeout='5'>exit</command>
  • <command >show interface</command>
  1. (Optional) Disable Configuration Backup.
  2. Click Save.
    The new Configlet is added to the list.
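
A pre-execution review of Configlet content, added here as an example (not WatchGuard or ManageEngine code): it parses the <command> lines from the example above, lists the commands that run inside a configuration mode, and flags lines with no explicit timeout or unbalanced exit commands. The mode-tracking rules are an assumption inferred from that example.

```python
import re

# Constructed sample: the Configlet content from the example above, one command per line.
CONFIGLET = """\
<command timeout='5'>show interface</command>
<command timeout='5'>co</command>
<command timeout='5'>interface fa 6</command>
<command timeout='5'>ip address 1.1.1.1/24</command>
<command timeout='5'>exit</command>
<command timeout='5'>exit</command>
<command >show interface</command>
"""

LINE = re.compile(r"<command\b([^>]*)>(.*?)</command>")
TIMEOUT = re.compile(r"timeout\s*=\s*['\"](\d+)['\"]")


def review_configlet(text):
    """Return (changes, findings) for a Configlet body.

    Assumption: "configure" (or an abbreviation such as "co") and "interface"
    each enter a deeper CLI mode, and "exit" leaves one level, as in the example.
    """
    depth, changes, findings = 0, [], []
    lines = filter(None, map(str.strip, text.splitlines()))
    for n, raw in enumerate(lines, 1):
        m = LINE.fullmatch(raw)
        if not m:
            findings.append(f"line {n}: not a <command> element")
            continue
        attrs, cmd = m.group(1), m.group(2).strip()
        if not TIMEOUT.search(attrs):
            findings.append(f"line {n}: no explicit timeout on '{cmd}'")
        word = cmd.split()[0].lower() if cmd else ""
        if word == "exit":
            if depth == 0:
                findings.append(f"line {n}: 'exit' with no mode to leave")
            depth = max(depth - 1, 0)
        elif word == "interface" or (len(word) >= 2 and "configure".startswith(word)):
            depth += 1
        elif depth > 0 and word != "show":
            changes.append(cmd)  # runs in a configuration mode: changes the device
    if depth:
        findings.append(f"ends {depth} mode level(s) deep; add 'exit'")
    return changes, findings


if __name__ == "__main__":
    print(review_configlet(CONFIGLET))
```

Review the returned list of state-changing commands before you select devices in the Execute Configlet dialog box, because the same content runs on every selected device.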

Screen shot of the Configlet list

  1. To execute a Configlet, click .
  2. From the Available Devices list, select the running devices.
    The selected devices are moved to the Selected Devices list.

Screen shot of the Execute Configlet dialog box with a device selected

  1. To execute the Configlet on the selected devices, click Execute.
    When the execution is complete, the Execution Status changes to Completed.

Screen shot of a Configlet with Execution Status Completed

  1. To see details for an executed Configlet, click the Configlet name.
    The Configlets Execution Details page appears.
  2. To see details about an executed Configlet, click the device Host Name.

Screen shot of the Configlets Execution Details page

  1. Review the execution details to see the result of each command. For this example, you can find the interface number and verify the IP address was successfully changed.

Screen shot of the Configlets Execution Details for this example
