Cisco Prime Network 4.3.2 User Guide
Cisco Prime Network 4.3.2 User Guide
Chapter 9: Manage Device Configurations and Software Images
Making Sure Devices Conform to Policies Using Compliance Audit

Table 9-4 Policy Group Details (continued)
Policy Group Name / Policies:

Cisco Security Advisories (PSIRT)
  AAA Command Authorization By-pass - 68840
  ARP Table Overwrite - 13600
  Access Point Memory Exhaustion from ARP Attacks - 68715
  Access Point Web-browser Interface - 70567
  Auth Proxy Buffer Overflow - 66269
  Authentication Proxy Vulnerability - 110478
  BGP Attribute Corruption - 10935
  BGP Logging - 63845
  BGP Long AS path Vulnerability - 110457
  BGP Packet - 53021
  BGP Update Message Vulnerability - 110457
  CEF Data Leak - 20640
  Call Processing Solutions - 63708
  Cisco 10000 Series DoS Vulnerability - 113032
  Cisco IOS Software IGMP Vulnerability - 112027
  Content Services Gateway DOS Vulnerability - 112206
  Content Services Gateway Service policy bypass - 112206
  Crafted Encryption Packet DoS Vulnerability - 110393
  Crafted ICMP Messages DoS for IPSec Tunnels - 64520
  Crafted ICMP Messages DoS for L2TPv2 - 64520
  Crafted ICMP Messages DoS for TCP over IPv4 - 64520
  Crafted ICMP Messages DoS for TCP over IPv6 - 64520
  Crafted IP Option - 81734
  Crafted TCP Packet Denial of Service Vulnerability - 111450
  Crafted UDP Packet Vulnerability - 108558
  Crypto - 91890
  DFS ACL Leakage - 13655
  DHCP - 63312
  DLSw Denial of Service Vulnerabilities - 99758
  DLSw Vulnerability - 77859
  FTP Server - 90782
  Firewall Application Inspection Control Vulnerability - 107716
  H.323 Denial of Service Vulnerability - 111265
  H.323 Protocol DoS Vulnerability - 110396
  H323 DoS Vulnerability - 112021
Cisco Prime Network 4.3.2 User Guide, EDCS-1524415

Cisco Security Advisories (PSIRT) (contd.)
  HTTP - 13627
  HTTP Auth - 13626
  HTTP Command Injection - 68322
  HTTP GET Vulnerability - 44162
  HTTP Server Query - 13628
  Hard-Coded SNMP Community Names in Cisco Industrial Ethernet 3000 Series Switches Vulnerability - 111895
  IKE Resource Exhaustion Vulnerability - 110559
  IKE Xauth - 64424
  IOS Internet Key Exchange Vulnerability - 20120328
  IOS Software Command Authorization Bypass Vulnerability - 20120328
  IOS Software NAT SIP Memory Starvation Vulnerability - 20120328
  IOS Software RSVP Denial of Service Vulnerability - 20120328
  IOS Software DHCP DoS Vulnerability - 20120926
  IOS Software DHCPv6 DoS Vulnerability - 20120926
  IOS Software Data Link Switching Vulnerability - 112254
  IOS Software ICMPv6 over Multiprotocol Label Switching Vulnerability - 113058
  IOS Software IP Service Level Agreement Vulnerability - 113056
  IOS Software IPS DoS Vulnerability - 20120926
  IOS Software IPS and Zone Based Firewall Memory Leak Vulnerability - 113057
  IOS Software IPS and Zone Based Firewall crafted HTTP packets Vulnerability - 113057
  IOS Software IPv6 DoS Vulnerability - 112252
  IOS Software IPv6 over Multiprotocol Label Switching Vulnerability - 113058
  IOS Software MACE DoS Vulnerability - 20120328
  IOS Software Malformed BGP Vulnerability - 20120926
  IOS Software Memory Leak Associated with Crafted IP Packets Vulnerability - 20120328
  IOS Software Memory Leak in H.323 Inspection Vulnerability - 20120328
  IOS Software Memory Leak in HTTP Inspection Vulnerability - 20120328
Cisco Security Advisories (PSIRT) (contd.)
  IOS Software Memory Leak in SIP Inspection Vulnerability - 20120328
  IOS Software Multicast Source Discovery Protocol Vulnerability - 20120328
  IOS Software NAT DoS Vulnerability - 20120926
  IOS Software NAT For SIP DoS Vulnerability - 20120926
  IOS Software NAT H.323 Vulnerability - 112253
  IOS Software NAT LDAP Vulnerability - 112253
  IOS Software NAT SIP Vulnerability - 112253
  IOS Software Reverse SSH DoS Vulnerability - 20120328
  IOS Software SIP DoS Vulnerability - 112248
  IOS Software SIP DoS Vulnerability - 20120926
  IOS Software Smart Install DoS Vulnerability - 20120328
  IOS Software Smart Install Vulnerability - 113030
  IOS Software Tunneled Traffic Queue Wedge Vulnerability - 20120926
  IOS Software WAAS DoS Vulnerability - 20120328
  IPS ATOMIC.TCP Signature Vulnerability - 81545
  IPS DoS Vulnerability - 107583
  IPS Fragmented Packet Vulnerability - 81545
  IPSec IKE Malformed Packet - 50430
  IPsec Vulnerability - 111266
  IPv4 - 44020
  IPv6 Crafted Packet - 65783
  IPv6 Routing Header - 72372
  Information Leakage Using IPv6 Routing Header - 97848
  Inter Process Communication (IPC) Vulnerability - 107661
  Layer 2 Tunneling Protocol (L2TP) DoS Vulnerability - 107441
  MPLS - 63846
  MPLS Forwarding Infrastructure DoS Vulnerability - 107646
  MPLS VPN May Leak Information Vulnerability - 107578
  Mobile IP and IPv6 Vulnerabilities - 109487
  Multicast Virtual Private Network (MVPN) Data Leak - 100374
  Multiple Crafted IPv6 Packets - 63844
  Multiple DNS Cache Poisoning Attacks - 107064
  Multiple Features Crafted TCP Sequence Vulnerability - 109337
Cisco Security Advisories (PSIRT) (contd.)
  Multiple Features IP Sockets Vulnerability - 109333
  Multiple Multicast Vulnerabilities - 107550
  Multiple SIP DoS Vulnerabilities - 107617
  Multiple SSH Vulnerabilities - 8118
  Multiprotocol Label Switching Packet Vulnerability - 111458
  NAM (Network Analysis Module) Vulnerability - 81863
  NAT - 13659
  NAT Skinny Call Control Protocol Vulnerability - 111268
  NAT Skinny Call Control Protocol Vulnerability - 99866
  NTP - 23445
  NTP Packet Vulnerability - 110447
  Network Address Translation Vulnerability - 112028
  Next Hop Resolution Protocol Vulnerability - 91766
  OSPF Malformed Packet - 61365
  OSPF MPLS VPN Vulnerability - 100526
  Object-Group ACL Bypass Vulnerability - 110398
  OpenSSL Implementation DOS Vulnerability - 45643
  OpenSSL Implementation Vulnerability - 49898
  PPTP - 13640
  Radius - 65328
  Reload After Scanning - 13632
  SAA Packets - 42744
  SGBP Packet - 68793
  SIP - 81825
  SIP DoS Vulnerabilities - 109322
  SIP DoS Vulnerability - 110395
  SIP DoS Vulnerability - 112022
  SNMP Malformed Message Handling - 19294
  SNMP Message Processing - 50980
  SNMP Multiple Community String Vulnerabilities - 13629
  SNMP Read-Write ILMI Community String - 13630
  SNMP Trap Reveals WEP Key - 46468
  SNMP Version 3 Authentication Vulnerability - 107408
  SSH Can Cause a Crash - 24862
Cisco Security Advisories (PSIRT) (contd.)
  SSH Malformed Packet - 29581
  SSH TACACS+ Authentication - 64439
  SSL - 91888
  SSL Packet Processing Vulnerability - 107631
  SSL VPN Vulnerability - 112029
  Secure Copy Authorization Bypass Vulnerability - 97261
  Secure Copy Privilege Escalation Vulnerability - 109323
  Secure Shell Denial of Service Vulnerabilities - 99725
  Session Initiation Protocol Denial of Service Vulnerability - 111448
  Syslog Crash - 13660
  TCP - 72318
  TCP Conn Reset - 50960
  TCP Denial of Service Vulnerability - 112099
  TCP ISN - 13631
  TCP State Manipulation DoS Vulnerability - 109444
  Telnet DoS - 61671
  Telnet Option - 10939
  Timers Heap Overflow - 68064
  Tunnels DoS Vulnerability - 109482
  Unified Communications Manager Express Vulnerability - 110451
  User Datagram protocol delivery issue - 100638
  Virtual Private Dial-up Network DOS Vulnerability - 97278
  Vulnerabilities Found by PROTOS IPSec Test Suite - 68158
  Vulnerability in IOS Firewall Feature Set - 9360
  WebVPN and SSLVPN Vulnerabilities - 107397
  Zone-Based Policy Firewall Vulnerability - 110410
  cTCP Denial of Service Vulnerability - 109314
  uBR10012 Series Devices SNMP Vulnerability - 107696
Compliance Policies
  BPDU Filter Disabled on Access Ports
  BPDU-Guard Disabled on Access Ports
  CDP Enabled on Access Ports
  Channel Port in Auto Mode
  Loop Guard and Port Fast Enabled on Ports
  Non-channel Port in Desirable Mode
  Non-trunk Ports in Desirable Mode
  Port Fast Enabled on Trunk Port
  Port is in Error Disabled State
  Trunk Ports in Auto Mode

Global Configuration
  ACLs
  CDP
  Clock
  FTP
  NTP Configuration
  Traceroute

Network Access Services
  Loopback Interfaces
  Remote Commands

Network Protocols
  Check only Secure SNMP enabled
  Control Plane Policing
  HTTP Server
  Hot Standby Router Protocol (HSRP)
  ICMP
  Miscellaneous Services
  Routing and Forwarding
  SNMP
  SSH Parameters
  TCP Parameters

Others
  Device Version Checks
  Devices Running outdated OS Versions
  Devices with outdated modules
  L2 Switch—STIG
  L3 Router—STIG
  L3 Switch—STIG
  Outdated Devices As Per Vendor Specific EOL/EOS Announcements
Routing Protocols
  BGP
  EIGRP
  OSPF
  RIP

Security
  ACL on Interfaces
  Distributed DoS Attacks
  Firewall Traffic Rules
  Land Attack
  Martian Traffic
  Null (Black Hole) Routing
  Risky Traffic
  SMURF Attack
  Traffic Rules

Switching
  DHCP Snooping
  Dynamic Trunking Protocol
  IEEE 802.1x Port-Based Authentication
  IEEE 802.3 Flow Control
  IP Phone + Host Ports
  IP Phone Ports
  Management VLAN
  Port Security
  Spanning Tree Protocol (STP)
  Unidirectional Link Detection (UDLD)
  Unused Ports
  VLAN 1
  VLAN Trunking Protocol (VTP)

Compliance Policies
  All user-defined policies are listed under this policy group.

Choosing the Devices for the Compliance Audit

After you create a policy profile, you must choose the devices or device groups on which the compliance audit is to be performed. After you choose the devices or device groups and schedule an audit, a job with the name of the policy profile is created. This name identifies the job, which can be scheduled periodically. You can edit the job name.

Step 1 After you have created the profiles, click the Run Compliance Audit icon.

Step 2 In the Select Device page, choose one of the following options:
By Devices—Choose this option to select the device(s) that you want to audit.

By Groups—Choose this option to select the device group(s) that you want to audit. There must be at least one device in a device group for the group to be audited. If a device belongs to multiple device groups that are selected for auditing, the device is audited once. For information on how to set up a device group, see the “Setting Up CCM Device Groups” section on page 3-17.

Note: The audit is performed on the devices that are in the device group at the time of execution.

Step 3 Click Next.

Step 4 In the Schedule Audit page, enter the schedule details. In the Choose Configuration option, select one of the following:

Use Latest Archived Configuration—If you choose this option, the latest Backup Configuration in the archive is used. If no backup configuration is available, the device is not audited and is counted among the non-audited devices.

Use Current Device Configuration—If you choose this option, Prime Network polls the device for its latest configuration and then performs the audit. If a Show command is used in the compliance policy, the output of the Show command is taken from the current device configuration.

Use Send Audit Configuration Report—If you choose this option, a new compliance audit mail job is generated. The compliance audit mail job creates a new audit report and attaches it as an Excel sheet to an email with the subject Config Audit Report for Job ID:. The Excel sheet contains the device name, device IP, timestamp, profile name, policy name, rule name, rule result, and violation message. You can cancel or delete the compliance audit mail job.
Use Compare & Send Previous Configuration—If you choose this option, a new compliance audit mail job is generated with the message Compare & Send Previous Configuration will be performed from next job. From the next audit job onward, a configuration comparison report is generated. If there are any changes between the earlier and the later audit reports, the fields that differ appear in red. The configuration comparison report is attached to the email. You can cancel or delete the compliance audit mail job. You can also download the report as an Excel sheet: choose the devices and click Compare Previous Config in the Audited Devices window.

Step 5 Click Audit.

An audit job is scheduled. You can view the status of an audit job from the Jobs page.

Viewing the Results of a Compliance Audit Job and Running Fixes for Violations

The status of scheduled jobs appears on the Jobs page (Compliance Audit > Jobs). All audits are logged by Prime Network as jobs. From this page, you can view the violation details and apply a fix. To apply a fix for a violation, you can either do a regular fix or use a predefined command that is available in the Command Manager.

After a job is created, you can set the following preferences for the job:

Suspend—Can be applied only to jobs that are scheduled for the future. You cannot suspend a job that is running.

Resume—Can be applied only to jobs that have been suspended.
Reschedule—Using this option, you can reschedule a job that has been scheduled for a different time. Choose a job, and click Reschedule. The Compliance Audit Job Rescheduler window opens. Set your preferences. The following options are available under the Choose Configuration option:
  –Use Latest Archived Configuration—If you choose this option, the latest Backup Configuration in the archive is used. If a Show command is used in the compliance policy, the output of the Show command is taken from the current device configuration.
  –Use Latest Configuration from Device—If you choose this option, Prime Network polls the device for its latest configuration and performs the audit.

Note: You might be prompted to enter your device access credentials. This prompt is enabled if, in the Administration client under Global Settings > Security Settings > User Account Settings > Execution of Configuration Operations, you checked the option Ask for user credentials when running configuration operations. This is an enhanced security measure to restrict access to devices.

Cancel—Using this option, you can cancel a scheduled job or a job that is in the running state. Once the job is canceled, Canceled appears in the Last Run Status field. Click the Canceled hyperlink to view the user who canceled the job.

View—This option is enabled only for jobs that are in the Completed state. Using this option, you can view the details of a job and its associated policies and devices. If you selected a device group for auditing, click the hyperlinked device group name to display the list of devices included in the device group.

Edit—Using this option, you can edit a scheduled job. You cannot edit a job that is running.
If you selected By Groups in the Select Device page when scheduling an audit, you cannot select By Devices when editing the scheduled job, and vice versa.

Delete—This option deletes a job that has been scheduled and removes its listing from CCM. You cannot delete a job that is running.

All completed jobs are listed in the Jobs page. A job is flagged a success only if all the audited devices conform to the policies specified in the profile; otherwise, the result is displayed as Failure. A job is called a partial success if it contains a mix of audited and non-audited devices and the compliance status of the audited devices is a success.

Export Job Results

You can view the job status in XLS format for a completed job from the All Jobs tab, or from each module of the CCM. The export option is available only for the following job types in the CCM modules.

Table 9-5 CCM Modules and Job Types
Module            Job Types
Configurations    Archives, which includes Backup, Restore, Synchronize, and so on
NEIM              Import from device, Package add, Distribution, Activation, Commit, Rollback
Compliance Audit  Compliance Job
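As an added illustration (this is not Cisco's code and not part of this guide), the following Python script models the audit as described in this section: two rules named after default Compliance Policies in Table 9-4, report rows in the column order of the exported Excel sheet, the rule that a device with no archived backup is not audited, and the Success/Failure/Partial_Success decision for the job. The running-config format, the rule logic, the device tuple layout, and the sample devices are assumptions made for the example.

```python
# Added example, not Cisco's code: a small model of this chapter's compliance audit (two
# rules named after default Compliance Policies, exported-sheet columns, Jobs page status rule).
def iface_blocks(config):
    """Split IOS-style running-config text into {interface: [sub-commands]} (format assumed)."""
    blocks, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split(" ", 1)[1]
            blocks[cur] = []
        elif line.startswith(" ") and cur is not None:
            blocks[cur].append(line.strip())
        else:
            cur = None  # a global command or '!' ends the interface block
    return blocks

def rule_secure_snmp(config):
    """'Check only Secure SNMP enabled': a v1/v2c community string is a violation."""
    return [f"SNMP community string configured: {l}"
            for l in config.splitlines() if l.startswith("snmp-server community ")]

def rule_cdp_access_ports(config):
    """'CDP Enabled on Access Ports': an access port without 'no cdp enable'."""
    return [f"CDP enabled on access port {name}"
            for name, cmds in iface_blocks(config).items()
            if "switchport mode access" in cmds and "no cdp enable" not in cmds]

RULES = {"Check only Secure SNMP enabled": rule_secure_snmp,
         "CDP Enabled on Access Ports": rule_cdp_access_ports}

def audit(devices, profile, timestamp):
    """devices: (name, ip, archived_config or None). Returns report rows in the
    exported-sheet column order plus a per-device status; no backup = not audited."""
    rows, status = [], {}
    for name, ip, config in devices:
        if config is None:
            status[name] = "Not audited"
            continue
        found = [(rule, msg) for rule, check in RULES.items() for msg in check(config)]
        for rule, msg in found:
            rows.append((name, ip, timestamp, profile, "Compliance Policies", rule, "Fail", msg))
        status[name] = "Fail" if found else "Pass"
    return rows, status

def job_status(status):
    """Success only if every audited device conforms; Partial_Success if conforming
    audited devices are mixed with non-audited ones; otherwise Failure."""
    audited = [s for s in status.values() if s != "Not audited"]
    if not audited or "Fail" in audited:
        return "Failure"  # all-non-audited -> Failure is an assumption, not in the guide
    return "Partial_Success" if len(audited) < len(status) else "Success"

# Constructed sample input: one switch with an archived backup, one with no backup.
SWITCH_CFG = """snmp-server community public RO
interface GigabitEthernet1/0/1
 switchport mode access
interface GigabitEthernet1/0/2
 switchport mode access
 no cdp enable
"""
DEVICES = [("sw-lab-1", "192.0.2.10", SWITCH_CFG), ("sw-lab-2", "192.0.2.11", None)]
```

Running `audit(DEVICES, "Lab-Profile", "2024-01-01T00:00:00Z")` yields two violation rows for sw-lab-1, marks sw-lab-2 as not audited, and `job_status` reports Failure because an audited device did not conform.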
Table 9-5 CCM Modules and Job Types (continued)
Module               Job Types
Commands Manager     Commands-manager
Transaction Manager  Transaction-manager

To export and view the job results in XLS format from Change and Configuration Management:

Step 1 Log in to the Change and Configuration Management client.

Step 2 Click the All Jobs tab.

Step 3 Select a row with one of the job types listed above. Ensure that the Job Status is Scheduled or Completed and the Last Run Status is Success or Partial_Success for the selected job type. For example, when you click the Last Run Result of a compliance audit job, the Compliance Job Audit Details window displays the compliance audit and violation details. For more information about audit violation details, see Job Details and Violations Summary, page 9-62.

Step 4 Click the hyperlinked Last Run Result displayed against each job to view the details of a specific job.

Step 5 In the Job Details window, click Export Result to export the job results in XLS format.

Note: Job status details can also be exported and downloaded from the Jobs page of the other CCM modules.

Step 6 Click OK to close the Job Details window.

Job Details and Violations Summary

Figure 9-17 displays the information about the available and selected devices, the rules that you selected for the compliance audit, the compliance state, violation count, instance count, highest severity, and ignore count. The information about the audited devices among all the devices is displayed separately at the back end.

Figure 9-17 Job Details and Violations Summary