IMC
cancel
Showing results for 
Search instead for 
Did you mean: 

Some beginner IMC questions

amandravillis
Occasional Visitor

Some beginner IMC questions

Hello,

I'm trying to implement IMC in our organization mainly as a configuration backup/restore solution and although I am able to backup some devices, I have questions regarding other device types and IMC features:

The 3 types of devices I'm having problems backing up are Palo Alto Firewalls, FortiGate Firewalls and Pulse Secure appliances.

- For Pulse Secure, as I can't use Telnet or SSH, and there's no option for SNPM read-write. I *do* however have the option of using an 'archive server' using either SCP or FTP. Can I configure IMC to run as an SCP server? I'm also getting SNMPv3 errors (v2 works fine), even with correct credentials/firewall settings that work on another monitoring system.

Failure
Possible causes:

1. The device cannot be pinged.
2. SNMP settings/Telnet settings/SSH settings is incorrect.
3. Invalid characters are found. 
4. device returns a failure.

 

- For FortiGates, same issue as above regarding SNMPv3 (v2 works, v3 doesn't even though it's configured elsewhere with the same credentials). I also am unable to SSH from IMC (no problems when using Putty), with the following error: Failed to connect to device because of error "Session.connect: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)". Please check the network configuration and connection parameters.

- For Palo Alto Firewalls, I am able to use SSH, though SNMPv3 is again not working. When trying to perform a configuration backup, I receive the error: Adapter does not support. The sysOID is 1.3.6.1.4.1.25461.2.3.11 and IMC correctly identifies it as a PA-5020. Is it possible to backup Palo Alto configs using IMC? If yes, is the adapter available?

- Are there any SNMPv3 IMC tools I can try to find to troubleshoot the v3 connectivity issues?

- Finally, am I able to setup custom scripts? The previous admin had created a bunch of EXPECT scripts for backups, and I'm trying to figure how to import those into IMC so that the devices can be backed up. 

Thank you all for your help.

3 REPLIES
LindsayHill
Honored Contributor

Re: Some beginner IMC questions


@amandravilliswrote:

- For Pulse Secure, as I can't use Telnet or SSH, and there's no option for SNPM read-write. I *do* however have the option of using an 'archive server' using either SCP or FTP. Can I configure IMC to run as an SCP server?

The problem is that this doesn't fit IMC's model. For SCP, it thinks about pulling the file via SCP, not a push from the device. But that model does work for FTP - in that case IMC expects to act as the FTP server. 

- For FortiGates, same issue as above regarding SNMPv3 (v2 works, v3 doesn't even though it's configured elsewhere with the same credentials).

First guess with SNMP would be ACLs somewhere, if you know the credentials + protocols are OK. I would try using snmpwalk from the IMC server (you may need to install this). This gives you a relatively simple snmp client for basic SNMP testing. 

I also am unable to SSH from IMC (no problems when using Putty), with the following error: Failed to connect to device because of error "Session.connect: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)". Please check the network configuration and connection parameters.

SSH has lots of different options for ciphers. My guess here is that the built-in SSH proxy is a crappy thing that doesn't do some of the newer cipher options that the remote device is expecting. I'm not a big fan of using the built in client anyway, better to use a regular SSH client.

- For Palo Alto Firewalls, I am able to use SSH, though SNMPv3 is again not working. When trying to perform a configuration backup, I receive the error: Adapter does not support. The sysOID is 1.3.6.1.4.1.25461.2.3.11 and IMC correctly identifies it as a PA-5020. Is it possible to backup Palo Alto configs using IMC? If yes, is the adapter available?

Take a look at the <IMC>/server/conf/adapters/ICC directory. Anything there for Palo Alto with your IMC version? If yes, you may just need to edit the adapter-index.xml file. See https://lkhill.com/help-imc-doesnt-support-my-new-cisco-switch/ for more info. If not, see below.

- Are there any SNMPv3 IMC tools I can try to find to troubleshoot the v3 connectivity issues?

Better to use an non-IMC tool for testing SNMP. This just rules out anything going on at an IMC level. Find a simple SNMP testing tool, and run that *from your IMC server*.

- Finally, am I able to setup custom scripts? The previous admin had created a bunch of EXPECT scripts for backups, and I'm trying to figure how to import those into IMC so that the devices can be backed up. 

Yes, you can write custom adapters. Takes a little bit to figure out how to get your head around it, but once you've done it for one, it's pretty straightforward. The docs cover writing custom adapters. It's usually easiest to take an existing adapter and modify it to suit your needs. Main thing to remember is to restart IMC & resynchronize your device if you update any XML files. No need to restart if you're just updating the TCL files. (and BTW, IMC adapters use TCL/Expect).

Thank you all for your help.


 

amandravillis
Occasional Visitor

Re: Some beginner IMC questions

Thank you very much for your comprehensive reply! I'll look into the things you suggested ASAP.

Noob2017
Occasional Visitor

Re: Some beginner IMC questions

hi,

do you find any solution fpr add palo alto to imc.

I have the same problem to backup the configuration palo alto to the IMC.

 

Thanks