- play_arrow Introduction
- play_arrow Overview
- play_arrow Access the Paragon Automation GUI
- play_arrow Access the Paragon Planner
- play_arrow Configure SMTP, LDAP, and Portal Settings
- play_arrow Manage Users
- play_arrow Manage Roles
- play_arrow Manage User Groups
- play_arrow Identity Providers
-
- play_arrow Workflows
- play_arrow Base Platform
- play_arrow Paragon Pathfinder
- play_arrow Paragon Planner
- play_arrow Paragon Insights
-
- play_arrow Manage Devices and Network
- play_arrow Devices
- play_arrow Device Groups
- play_arrow Device Images
- play_arrow Network
- play_arrow Network Groups
- play_arrow Topology Filter
-
- play_arrow Manage Device Templates and Configuration Templates
- play_arrow Configuration Templates
- Configuration Templates Overview
- Configuration Templates Workflow
- About the Configuration Templates Page
- Add Configuration Templates
- Preview and Render a Configuration Template
- Assign Configuration Templates to a Device Template
- Deploy a Configuration Template to a Device
- Edit, Clone, and Delete a Configuration Template
- play_arrow Device Templates
-
- play_arrow Manage Playbook, Rules, Resources, and Graphs
- play_arrow Playbooks
- play_arrow Rules
- Understand Paragon Insights Topics
- Rules Overview
- About the Rules Page
- Add a Predefined Rule
- Edit, Clone, Delete, and Download Rules
- Configure a Custom Rule in Paragon Automation GUI
- Configure Paragon Insights Notification for LSP Gray Failures
- Configure Multiple Sensors per Device
- Understand Sensor Precedence
- Configure Sensor Precedence
- play_arrow Resources
- Understand Root Cause Analysis
- About the Resources Page
- Add Resources for Root Cause Analysis
- Configure Dependency Between Resources
- Example Configuration: OSPF Resource Dependency
- Edit Resources and Dependencies
- Upload Resources
- Download Resources
- Clone Resources
- Delete User-Generated Resources and Dependencies
- Filter Resources
- play_arrow Graphs
- play_arrow Grafana
-
- play_arrow Configure Your Network
- play_arrow Topology
- play_arrow Network Information Table
- Network Information Table Overview
- About the Node Tab
- Add a Node
- Edit Node Parameters
- Delete a Node
- About the Link Tab
- Add a Link
- Edit Link Parameters
- Delete a Link
- About the Tunnel Tab
- Understand How Pathfinder Handles LSPs
- Reroute LSPs Overview
- Segment Routing Overview
- Add a Single Tunnel
- Add Diverse Tunnels
- Add Multiple Tunnels
- Edit and Delete Tunnels
- About the Demand Tab
- About the Interface Tab
- Container LSP Overview
- About the Container LSP Tab
- Add a Container LSP
- Edit Container LSP Parameters
- Maintenance Event Overview
- About the Maintenance Tab
- Add a Maintenance Event
- Edit a Maintenance Event
- Simulate a Maintenance Event
- Delete a Maintenance Event
- About the P2MP Groups Tab
- Add a P2MP Group
- Edit P2MP Group Parameters
- About the SRLG/Facility Tab
- Add an SRLG/Facility
- Edit SRLG/Facility Parameters
- About the Topology Group Tab
- Add Anycast Group Tunnels
- play_arrow Tunnels
- play_arrow Change Control Management
-
- play_arrow Monitoring
- play_arrow Monitor Network Health
- play_arrow Manage Alarms and Alerts
- play_arrow Monitor Jobs
- play_arrow Analytics
- play_arrow Monitor Workflows
-
- play_arrow Reports
- play_arrow Health Reports
- play_arrow Network Reports
- play_arrow Maintenance Reports
- play_arrow Inventory Reports
- play_arrow Demand Reports
-
- play_arrow Administration
- play_arrow Manage E-mail Templates
- play_arrow Manage Audit Logs
- play_arrow Configure External EMS
- play_arrow Manage Task Scheduler
- play_arrow Manage Security Settings
- play_arrow License Management
-
Sensors Overview
Paragon Insights accepts data from Juniper, third-party devices, and from various types of telemetry sensors including traditional network management protocols like system log and SNMP. Paragon Insights supports push and pull models of data collection. In the push model, your devices push telemetry data to Paragon Insights through trap notifications, for instance. In the pull mode, Paragon Insights periodically polls your devices for data. This guide describes each of the supported ingest methods, with examples, sorted by whether they fall into the push or pull model. Along with each description, we provide the required Junos OS version and device configurations needed to enable the specific ingest type.
As the number of objects in the network, and the metrics they generate, have grown, gathering operational statistics for monitoring the health of a network has become an ever-increasing challenge. Traditional ’pull’ data-gathering models, like SNMP and the CLI, require additional processing to periodically poll the network element, and can directly limit scaling.
The ’push’ model overcomes these limits by delivering data asynchronously, which eliminates polling. With this model, the Paragon Insights server can make a single request to a network device to stream periodic updates. As a result, the ’push’ model is highly scalable and can support the monitoring of thousands of objects in a network. Junos devices support this model in the form of the Junos Telemetry Interface (JTI).
Paragon Insights currently supports five push-model sensors:
While the ’push’ model is the preferred approach for its efficiency and scalability, there are still cases where the ’pull’ data collection model is appropriate. Two examples might be when a device doesn’t support the Junos Telemetry Interface (JTI), or when managing third party devices. With the pull model, Paragon Insights requests data from network devices at periodic, user-defined intervals.
Paragon Insights currently supports the following pull-model sensors:
Native GPB
Native sensors use a Juniper-proprietary data model using Google Protocol Buffers (GPB). The device pushes telemetry data (when configured) over UDP.
The device pushes data from the Packet Forwarding Engine, that is, directly from a line card. This means telemetry data is sent over the forwarding plane, so the collector must have in-band connectivity to the device.
To use native format, you configure the device with settings that include where to send the telemetry data. When you configure Paragon Insights to start collecting the data, the stream is already flowing towards the server.
For more information on native sensors, see Understanding the Junos Telemetry Interface Export Format of Collected Data.
NetFlow
Paragon Insights supports NetFlow v9 and NetFlow v10 (IPFIX) natively as NetFlow ingest method, using a data model that aligns with other Paragon Insights ingest mechanisms. NetFlow is a network protocol for collecting IP traffic statistics, which can then be exported to a tool for analysis. The NetFlow v9 data export format is described in RFC 3954; NetFlow v10 is officially known as IPFIX and standardized in RFC 7011.
Junos devices support flow monitoring and aggregation using these protocols; the Junos OS samples the traffic, builds a flow table, and sends the details of the flow table over a configured UDP port to a collector, in this case Paragon Insights. Paragon Insights receives the incoming Netflow data, auto-detects it as v9 or v10, and process it further.
As shown above, the network device pushes data from the Packet Forwarding Engine, that is, directly from a line card. This means flow data is sent over the forwarding plane, so the collector must have in-band connectivity to the device. To use the flow sensor option, you configure the device with settings that include where to send the flow data. When you configure Paragon Insights to start collecting the data, the flow data is already flowing towards the server.
Paragon Insights uses flow templates as a mechanism to identify and decode incoming flow
data before sending it for further processing. Paragon Insights provides predefined flow
templates for NetFlow v9 and v10 (IPFIX), or you can define your own. The predefined
templates match those which the Junos OS currently supports. For example, the Junos OS
template, ipv4-template
, aligns with the Paragon Insights template
hb-ipfix-ipv4-template
. To view the fields used in the Junos OS
templates, see Understanding Inline Active Flow Monitoring.
In the current ingest implementation for NetFlow, the following field types are not supported:
Fields for enterprise specific elements
Variable length fields
For NetFlow ingest, ensure that there is no source NAT in the network path(s) between the device and Paragon Insights. If the network path contains source NAT, then the received device information is not accurate.
A typical workflow includes adding a NetFlow configured device in Paragon Insights, configuring NetFlow templates, configuring a rule with Flow sensor, and deploying a playbook with the rule to a device group.
Configure devices to use NetFlow in Paragon Insights. See Edit Devices.
Add the device to a device group. See Add a Device Group.
Define NetFlow ingest settings. See Configure Netflow Settings.
Use pre-defined NetFlow templates or
Create your own NetFlow template
Clone an existing NetFlow template
Configure a rule that uses a flow sensor. See Configure a Rule Using Flow Sensor.
Add the rule to a playbook. Create a New Playbook Using the Paragon Insights GUI
Deploy the playbook. Manage Playbook Instances.
Monitor the device for NetFlow traffic
With the playbook applied, you can begin to monitor the devices.
Click Monitoring > Network Health in the left navigation bar and click on the Device Group tab.
Select the device group to which you applied the playbook from the Device Group pull-down menu.
Select one of more of the devices to monitor.
In the Tile View, the external tile contains the parameters from the rule you configured earlier.
sFlow
Paragon Insights supports sFlow (v5) natively as another flow-based ingest method.
sFlow is a statistical sampling-based technology for high-speed switched or routed networks. You can configure sFlow to continuously monitor traffic at wire speed on all interfaces simultaneously if you want.
sFlow provides or helps with:
Detailed and quantitative traffic measurements at gigabit speeds
Insight into forwarding decisions
Troubleshooting for network issues
Congestion control
Security and audit trail analysis
Route profiling
Everything that sFlow does above, it does without impact to forwarding or network performance. For more information on sFlow, see: RFC 3176, InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks.
As a statistical sampling protocol, Juniper’s sFlow agent samples the traffic and counters on network interfaces, creates sFlow datagrams, and forwards them to external sFlow collectors. Paragon Insights is one such collector.
To know how to configure sFlow packets in Paragon Insights, go to Configure sFlow Settings.
OpenConfig
To use OpenConfig format, you configure the device as a gRPC server. With Paragon Insights acting as the client, you define which sensors you want it to subscribe to, and it makes subscription requests towards the device.
Data streamed through gRPC is formatted in OpenConfig key/value pairs in protocol buffer (GPB) encoded messages. Keys are strings that correspond to the path of the system resources in the OpenConfig schema for the device being monitored; values correspond to integers or strings that identify the operational state of the system resource, such as interface counters. OpenConfig RPC messages can be transferred in bulk, such as providing multiple interface counters in one message, thereby increasing efficiency of the message transfer.
For more information on OpenConfig sensors, see Understanding OpenConfig and gRPC on Junos Telemetry Interface.
gNMI-Encoded OpenConfig RPC
gNMI-encoded OpenConfig works much like OpenConfig RPC in that you must set the network
device up as an OpenConfig server to which Paragon Insights makes subscription requests.
However, gNMI supports more subscription types than Paragon Insights currently supports.
Currently, Paragon Insights only supports gNMI STREAM subscriptions in the SAMPLE mode.
STREAM subscriptions are long-lived subscriptions that continue, indefinitely, to transmit
updates relating to the set of paths configured within the subscription. SAMPLE mode
STREAM subscriptions must include a sample_interval
.
The messages returned to the client through gNMI are encoded by the device in protobuf, JSON, or JSON-IETF format and cannot be sent in bulk. This, in part, makes gNMI-encoded messaging less efficient than gRPC-encoded messaging.
For JSON or JSON-IETF, it is assumed that the device returns gNMI updates as only leaf values encoded in JSON, rather than returning an entire hierarchy or sub-hierarchy as a JSON object.
Numbers encoded in JSON or JSON-IETF are decoded by Paragon Insights as either float64, int64, or string, according to RFC 7159 and RFC 7951. If your OpenConfig rules contain fields that are of a different type, we recommend that you change the field types accordingly.
Junos OS and Cisco devices can be managed by Paragon Automation using gNMI-encoded OpenConfig. If a device does not support gNMI in general, or the STREAM subscription in SAMPLE mode, or does not support an OpenConfig request, it returns one of the following errors:
Unimplemented
Unavailable
InvalidArgument
In the case of a Junos OS or Cisco device, the error causes the connection to fall back to OpenConfig RPC. In the case of a third-party device, the connection simply fails due to the error.
gNMI-encoded OpenConfig can be enabled at the device or device-group level. If enabled at the device-group level, then all devices added to the group use gNMI by default. If enabled (or not enabled) at the device level, then the device level setting takes precedence over the device-group level setting.
During the initial connection gNMI devices attempt to perform an initial sync with the client. The device sends a continuous stream of data until the device and the collector (Paragon Insights) are in sync. After initial sync, the device begins normal streaming operations based on the configured reporting rate. Because of the processing load this creates, Paragon Insights has this feature disabled by default. It can be enabled at the device-group or device level if needed.
For more information about gNMI, see: gRPC Network Management Interface (gNMI).
Device Configuration for OpenConfig
OpenConfig requires:
Junos OS Version: 16.1 or later
The OpenConfig sensor requires that the Junos device have the OpenConfig and network agent packages installed. These packages are built into Junos OS Releases 18.2X75, 18.3, and later. For releases between 16.1 and 18.2X75 or 18.2, you must install the OpenConfig and Network Agent packages.
Before you install the Network Agent package:
Install Junos OS Release 16.1R3 or later.
Install the OpenConfig for Junos OS module. Using a Web browser, navigate to the All Junos Platforms software download URL on the Juniper Networks webpage: https://www.juniper.net/support/downloads/. From the Network Management tab, scroll down to select OpenConfig. Select the Software tab. Select the OpenConfig Package (Junos with upgraded FreeBSD). For more information, see Installing the OpenConfig Package.
Install Secure Sockets Layer (SSL) certificates of authentication on your Juniper Networks device.
Note:Only server-based SSL authentication is supported. Client-based authentication is not supported.
An example of a valid Network Agent package name is:
network-agent-x86-32-16.1R4.12-C1.1.tgz
Note:Each version of the Network Agent package is supported on a single release of Junos OS only. The Junos OS version supported is identified by the Junos OS release number included in the Network Agent package name.
Use the 32-bit Network Agent package for both 32-bit and 64-bit versions of Junos OS or Junos OS Evolved.
To download and install the Network Agent package:
Navigate to the All Junos Platforms software download URL on the Juniper Networks webpage: https://www.juniper.net/support/downloads/.
Select the name of the Junos OS platform for the software that you want to download.
Select the release number (the number of the software version that you want to download) from the Release drop-down list to the right of the Download Software page.
Select the Software tab.
Navigate to the Tools section of the Software tab and select the Junos Network Agent package for the release.
Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by a Juniper Networks representative.
Download the software to a local host.
Copy the software to Juniper Networks device or to your internal software distribution site.
Install the new
network-agent
package on the device by issuing therequest system software add package-name
from the operational mode:For example:
content_copy zoom_out_mapuser@host > request system software add network-agent-x86-32-16.1R3.16-C1.0.tgz
Note:The command uses the
validate
option by default. This option validates the software package against the current configuration as a prerequisite to adding the software package to ensure that the device reboots successfully. This is the default behavior when the software package being added is a different release.
To verify whether you have the OpenConfig and the Network Agent packages installed, enter the following command:
content_copy zoom_out_mapuser@host> show version | match "Junos:|openconfig|na telemetry" Junos: 19.2R1.8 JUNOS na telemetry [19.2R1.8] JUNOS Openconfig [19.2R1.8]
See Understanding OpenConfig and gRPC on Junos Telemetry Interface for more information.
Network agent is not supported on PPC platforms (MX104, MX80, and so on).
Device Configuration
Configure a device by entering the following command:
set system services extension-service request-response grpc clear-text port <port number>
To configure OpenConfig port under device configuration in Paragon Automation GUI, see Editable Fields on the Edit Devices Page table in Edit Devices.
Syslog
In addition to the JTI-related options above, Paragon Insights also supports system logs as a data collection method, using a data model that aligns with other ingest mechanisms.
A device can push syslog messages (when configured) over UDP to the Paragon Insights server either out-of-band through the Routing Engine (RE) using the router’s management interface, or in-band through the Packet Forwarding Engine, that is, directly from a line card.
To use syslog format, you configure the device with settings that include where to send the syslog messages. When you configure Paragon Insights to start collecting the data, messages are already flowing towards the server.
For more information on syslog as used by Juniper devices, see Junos OS System Log Overview.
A syslog message consists of a header, structured data in key-value format within square brackets, and the log message. The header consists of the following information:
Log priority
Version number of Syslog protocol specification on header format.
Currently, this number is 1.
Timestamp of when the message was generated in the format of "Mmm dd hh:mm:ss".
Hostname identifies the device that sent the syslog message.
Application name
Application process ID
Message ID
Requirements to configure Syslog in Paragon Insights
Syslog ingest requires some setup before you can use it as a sensor in a rule:
Pattern - A pattern identifies some syslog event; you create a pattern for each event you want to monitor. You can configure patterns for both structured and unstructured events.
Pattern set - With the patterns configured, you then group them into a pattern set, which you then reference when defining the syslog sensor settings within a rule.
Before you configure Patterns and Pattern Set for Syslog ingest, note that the following fields are common in syslog messages. Paragon Insights extracts these fields and includes them automatically in the raw table, enabling you to make use of them directly when creating a rule, and avoiding the need to configure patterns.
To illustrate use of these values, consider the following example syslog messages:
Structured - <30>1 2019-11-22T03:17:53.605-08:00 R1 mib2d 28633
SNMP_TRAP_LINK_DOWN [junos@2636.10.1.1.2.29 snmp-interface-index="545"
admin-status="up(1)" operational-status="down(2)" interface-name="ge-1/0/0.16"] ifIndex
545, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-1/0/0.16
Equivalent unstructured - <30>Nov 22 03:17:53 R1 mib2d[28633]:
SNMP_TRAP_LINK_DOWN: ifIndex 545, ifAdminStatus up(1), ifOperStatus down(2), ifName
ge-1/0/0.16
System-generated fields:
"__log_priority__" - Priority of syslog message
In the examples,
<30>
denotes the priority
“__log_timestamp__" - Timestamp in epcoh in the syslog message
In the structured example,
2019-11-22T03:17:53.605-08:00
is converted to epoch with -08:00 indicating the time zoneIn the unstructured example, the time zone from the configuration will be used to calculate epoch
"__log_host__" - Host name in the syslog message
In the examples,
R1
denotes the host name
"__log_application_name__” - Application name in the syslog message
In the examples,
mib2d
is the application name
"__log_application_process_id__” - Application process ID in the syslog message
In the examples,
28633
is the ID
"__log_message_payload__" - Payload in the message
Structured example -
“SNMP_TRAP_LINK_DOWN [junos@2636.10.1.1.2.29 snmp-interface-index="545" admin-status="up(1)" operational-status="down(2)" interface-name="ge-1/0/0.16"] ifIndex 545, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-1/0/0.16”
Unstructured example -
“SNMP_TRAP_LINK_DOWN: ifIndex 545, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-1/0/0.16”
"Event-id" - Denotes the event ID configured in the pattern
In the examples,
SNMP_TRAP_LINK_DOWN
is the event ID
Be sure not to define any new fields using a name already defined above.
To know how to configure Syslog ingest, see Configure System Log Ingest.
Server Monitoring Sensor
In Paragon Automation, the Server Monitoring sensor collects data from servers and virtual machines on which you host the Paragon application. The sensor uses the third-party plug-in, Node Exporter. The Node Exporter plug-in is pre-installed in all server clusters of Paragon Automation. In the GUI, the default servers and virtual machines deployed in the Paragon Automation cluster are represented as devices that are automatically added to the Paragon-Cluster device group. The sensor collects data from servers and virtual machines to track CPU, memory, network, traffic, disk, and filesystem metrics. It writes the output to a time series database.
Users must not delete the default Paragon-Cluster device group.
Paragon Automation has the following pre-configured playbooks to monitor server data.
- CPU utilization
- Disk reads and writes
- Errors, available bytes, and utilized bytes in filesystem
- Utilized bytes and available bytes in memory
- Received and transmitted total packet size, errors in received and transmitted packets, total received and transmitted multicast packets in network
When you configure a rule using Server Monitoring ingest, you can use the some of the sensor paths listed in Table 1.
Sensor Path | Description |
---|---|
/node/boot/time/seconds | Boot time in each server node. |
/node/cpu/seconds/total | The total time (in seconds) the CPU stays in idle, system, user, and nice modes. |
/node/disk/read/bytes/total | The total number of bytes read successfully. |
/node/disk/read/errors/total | The total number of read errors in a node. |
/node/disk/read/retries/total | The number of times the ingest tries to read from the disk if there is a failure. |
/node/disk/read/sectors/total | The total number of sectors read successfully. |
/node/disk/read/time/seconds/total | The total time taken to complete reads successfully per node. |
/node/disk/reads/completed/total | The total number of reads completed successfully. |
/node/disk/write/errors/total | The total number of errors in writes |
/node/disk/write/retries/total | The number of times the ingest tries to write on the disk if there is a failure. |
/node/disk/write/time/seconds/total | The total time taken to complete all writes. |
/node/disk/writes/completed/total | The total number of writes completed per node. |
/node/disk/written/bytes/total | The total number of bytes written successfully. |
/node/disk/written/sectors/total | The total number of sectors written successfully. |
/node/exporter/build/info | A metric that has the value '1' and has version, revision, go version, and branch from which node exporter is built. |
/node/filesystem/avail/bytes | The filesystem size available to non-root users. |
/node/filesystem/device/error | The number of I/O errors that occur when collecting data from a filesystem. |
/node/filesystem/files | The total number of index nodes permitted in a node. |
/node/filesystem/files/free | The number of index nodes that are free for use in a node. |
/node/filesystem/free/bytes | The free space (in bytes) available for the user, excluding reserved blocks. |
/node/filesystem/readonly | Data that shows if the filesystem in a node is mounted as read-only. |
/node/filesystem/size/bytes | The size of all files in bytes. |
/node/load1 | Load on each server/host node captured every 1 minute. |
/node/load15 | Load on each server/host node captured every 15 minutes. |
/node/load5 | Load on each server/host node captured every 5 minutes. |
/node/memory/active/bytes | Memory bytes that are actively used by processes. |
/node/memory/compressed/bytes | Total size of compressed memory. |
/node/memory/free/bytes | Total memory in bytes that is free for use in a node. |
/node/memory/inactive/bytes | Memory bytes that are not actively used by processes. |
/node/memory/swap/total/bytes | Total memory swapped in a node. |
/node/memory/swap/used/bytes | The amount of swapped memory used in a node. |
/node/memory/swapped/in/bytes/total | Total swapped in memory in a node. |
/node/memory/swapped/out/bytes/total | Total swapped out memory in a node. |
/node/memory/total/bytes | Total bytes of memory in a node. |
/node/memory/wired/bytes | Memory that cannot be swapped out. |
/node/network/receive/bytes/total | Total size of packets received by a device. |
/node/network/receive/errs/total | Total number of errors encountered by a device when receiving packets. |
/node/network/receive/multicast/total | Total number of multicast packets received by a device. |
/node/network/receive/packets/total | Total number of packets received by a device. |
/node/network/transmit/bytes/total | Total size of packets sent from a device. |
/node/network/transmit/errs/total | Total number of errors encountered a device when transmitting packets. |
/node/network/transmit/multicast/total | Total number of multicast packets transmitted by a device. |
/node/network/transmit/packets/total | Total number of packets transmitted by a device. |
/node/scrape/collector/duration/seconds | Time taken by each collector to scrape metrics. |
/node/scrape/collector/success | Number of times Node Exporter collector successfully scraped targets. |
/node/textfile/scrape/error | Errors encountered by Node Exporter when scraping targets using textfile scripts. |
/node/time/seconds | Displays system time in seconds in the node since epoch (1970). |
/node/uname/info | Name of the node from which Node Exporter collects metrics. |
The following tags such as mode, device etc. can be used as key fields applicable to all metrics listed under main metrics (/node/cpu or /node/network).
When you configure a key field in a rule, you can mention only the key field name in the Path field.
- /node/cpu/
- cpu: The number of cores available in CPU.
- mode: The type of CPU usage in a node such as idle, system, user, and nice.
- /node/disk/
- device: Name of disks such as disk0, disk1, sda, sdb, or sdc.
- /node/filesystem/
- device: Disk paths such as /dev/sda1, /dev/sda2, and /dev/sdb1
- fstype: Type of partition formatting such as ext4, NTFS (New Technology File System), and APFS (Apple File System).
- mountpoint: Mount paths in the device.
- /node/network/
- device: Interface names of the device such as wlan0, en0, or docker0.
To configure an example rule using Server Monitoring ingest, see Configure a Rule Using Server Monitoring Sensor
iAgent (CLI/NETCONF)
For all the benefits of the ’push’ data collection methods, some operational and state information is available only through CLI/VTY commands. iAgent fills this gap by taking advantage of NETCONF/SSH functionality to provide Paragon Automation with the ability to connect to a device, run commands, and capture the output.
iAgent sensors use NETCONF/SSH and YAML-based PyEZ tables and views to fetch the necessary data. Both structured (XML) and unstructured (VTY commands and CLI output) data is supported.
With iAgent, the Paragon Automation server initiates inbound SSH requests over any available network interface, whether in-band or out-of band; and the device responds (when properly configured) with the requested data.
In Paragon Automation Platform, the iAgent ingest is extended to other vendor devices from Arista Networks, Palo Alto Networks, and Cisco.
You must configure a Junos device to send telemetry data using iAgent sensor or a NETCONF connection.
At minimum, iAgent (NETCONF) requires:
Junos OS Version: 11.4 or later
Minimum required device configuration:
content_copy zoom_out_mapset system services netconf ssh
To configure iAgent or NETCONF port for inbound connection in Paragon Automation GUI, see Table 1.
Paragon Automation uses Netmiko to make inbound SSH connections over the selected port to a third-party device. To gather device information, Paragon Automation sends CLI commands over SSH and receives string blobs back as output. The string blobs are then parsed through TextFSM, using NTC templates into JSON format and then stored in the database. Default templates are located at /srv/salt/_textfsm. You can visit the GitHub repository of NTC Templates for network devices.
For advanced users who need a template which does not exist, you can create your own templates and upload them to Paragon Insights using the Upload Rule Files button on the Configuration > Rules page. User defined templates are stored at /jfit/_textfsm. The files must end with the .textfsm suffix. To know how to upload pre-defined rules in Paragon Automation Platform, see Add a Predefined Rule.
TextFSM is integrated into PyEZ’s table/view feature which is an integral part of iAgent.
Example: PaloAlto Panos– Show Running Security Policy
To see the running security policy on a Panos device, we need to:
Define PyEZ Table/View—Define a table/view for it
Gather Output from Device—Gather the output by sending the needed CLI command to the device over SSH
Generate JSON for Use in Paragon Automation Database—Generate JSON to store in Paragon Automation database
- Define PyEZ Table/View
- Gather Output from Device
- Generate JSON for Use in Paragon Automation Database
- Outbound SSH (Device-Initiated)
Define PyEZ Table/View
We need to define a PyEZ table that is used by the iAgent rule assigned to the Panos
device. The following table definition lacks a view definition. Because of this, the
entire output from the show running security-policy
ends up getting
stored in the database after processing.
--- PanosSecurityPolicyTable: command: show running security-policy platform: paloalto_panos key: NAME use_textfsm: True
(Optional) To store only a portion of the received data in Paragon Automation, you can define a view in the same file. The view tells Paragon Automation which fields to pay attention to.
--- PanosSecurityPolicyTable: command: show running security-policy platform: paloalto_panos key: NAME use_textfsm: True view: TrafficAndActionView TrafficAndActionView: fields: source: SOURCE destination: DESTINATION application_service: APPLICATION_SERVICE action: ACTION
Gather Output from Device
Using an iAgent rule that references the PyEZ table (or table/view) defined above,
Paragon Automation sends the command show running security-policy
to
the device which produces the following output:
"intrazone-default; index: 1" { from any; source any; source-region none; to any; destination any; destination-region none; category any; application/service 0:any/any/any/any; action allow; icmp-unreachable: no terminal yes; type intrazone; } "interzone-default; index: 2" { from any; source any; source-region none; to any; destination any; destination-region none; category any; application/service 0:any/any/any/any; action deny; icmp-unreachable: no terminal yes; type interzone; } dynamic url: no
Generate JSON for Use in Paragon Automation Database
Since the device configuration specifies Palo Alto Networks as the vendor and Panos OS as the operating system, the TextFSM template used for this example would look like this:
Value Key,Filldown NAME (.*?) Value Required FROM (\S+) Value SOURCE (\S+) Value SOURCE_REGION (\S+) Value TO (\S+) Value DESTINATION ([\S+\s+]+) Value DESTINATION_REGION (\S+) Value USER (\S+) Value CATEGORY (\S+) Value APPLICATION_SERVICE ([\S+\s+]+) Value ACTION (\S+) Value ICMP_UNREACHABLE (\S+) Value TERMINAL (\S+) Value TYPE (\S+) Start ^${NAME}\s+\{ ^\s+from\s+${FROM}; ^\s+source\s+${SOURCE}; ^\s+source-region\s+${SOURCE_REGION}; ^\s+to\s+${TO}; ^\s+destination\s+${DESTINATION}; ^\s+destination-region\s+${DESTINATION_REGION}; ^\s+user\s+${USER}; ^\s+category\s+${CATEGORY}; ^\s+application/service\s+${APPLICATION_SERVICE}; ^\s+action\s+${ACTION}; ^\s+icmp-unreachable:\s+${ICMP_UNREACHABLE} ^\s+terminal\s+${TERMINAL}; ^\s+type\s+${TYPE}; ^} -> Record
When the template above is used by Paragon Automation to parse the output shown previously, the resulting JSON looks like:
{'"interzone-default; index: 2"': {'ACTION': 'deny', 'APPLICATION_SERVICE': '0:any/any/any/any', 'CATEGORY': 'any', 'DESTINATION': 'any', 'DESTINATION_REGION': 'none', 'FROM': 'any', 'ICMP_UNREACHABLE': 'no', 'SOURCE': 'any', 'SOURCE_REGION': 'none', 'TERMINAL': 'yes', 'TO': 'any', 'TYPE': 'interzone', 'USER': ''}, '"intrazone-default; index: 1"': {'ACTION': 'allow', 'APPLICATION_SERVICE': '0:any/any/any/any', 'CATEGORY': 'any', 'DESTINATION': 'any', 'DESTINATION_REGION': 'none', 'FROM': 'any', 'ICMP_UNREACHABLE': 'no', 'SOURCE': 'any', 'SOURCE_REGION': 'none', 'TERMINAL': 'yes', 'TO': 'any', 'TYPE': 'intrazone', 'USER': ''}}
Outbound SSH (Device-Initiated)
Paragon Automation also supports iAgent (NETCONF) connections that are device-initiated using outbound SSH. This configuration makes Paragon Automation act as the client to the device making the connection. This type of connection is useful in environments in which the remote devices cannot accept incoming connections. All existing iAgent rules can be used when outbound SSH is configured in Junos devices.
NETCONF over SSH connections are supported only in Junos devices.
Outbound SSH is disabled by default. You can configure an outbound SSH connection:
In the ingest by configuring a single port. This port is used by all device groups.
In device-groups by configuring its ports. This configuration takes precedence over the ingest configuration.
When you configure outbound SSH in device-groups, you must enter a TCP port number over which all the member devices initiate their NETCONF connections to Paragon Automation. You can disable outbound SSH in a device through management CLI. To configure outbound SSH ports in device groups, see ports section of the device group configuration in Add a Device Group.
Paragon Automation supports a single TCP port for iAgent (NETCONF) outbound SSH connections from all device groups. This port can be configured at the ingest level. You can avoid opening multiple TCP ports in different device groups and simplify network management with a single port. To configure iAgent port at the ingest, see Configure Outbound SSH Port for iAgent.
You can connect a device that is managed in different device groups through outbound SSH by configuring multiple clients, where each client has the same port. In this case, you must create as many copies of the device as there are device groups. Each device must have the same port number.
As an example, consider device r0 (10.1.1.1) configured for device groups dg1 and dg2. To connect 10.1.1.1 to both device groups via the same outbound SSH port, you can create one more device r1 (10.1.1.1) with the same IP and deploy it in dg2.
You must also configure Paragon Automation for these ports in the respective device-groups. Figure 1 is an example device group configuration.
Using the following sample client configurations, device 10.1.1.1 can connect to two device groups using two outbound SSH clients with the same port.
set system services outbound-ssh client outbound-ssh1 device-id r0 set system services outbound-ssh client outbound-ssh1 10.1.1.1 port 2020 set system services outbound-ssh client outbound-ssh2 device-id r1 set system services outbound-ssh client outbound-ssh2 10.1.1.1 port 2020
The 10.1.1.1 in the example denotes Paragon Automation (host) IP address.
SNMP
SNMP is a widely known and accepted network management protocol that many network device manufacturers, including Juniper Networks, provide for use with their devices. It is a polling type protocol where network devices that are configured to use SNMP make configuration, diagnostic, and event information available to collectors, which must also be properly configured and authenticated. The collectors poll devices by sending specifically structured requests, called get requests, to retrieve data.
Paragon Automation supports SNMP as a sensor type, using standard get requests to gather statistics from the device. Paragon Automation makes requests over any available interface, whether in-band or out-of-band, and the device responds (when configured) with the requested data.
For information about SNMP as used on Junos OS devices, see Understanding SNMP Implementation in Junos OS.
Paragon Insights also supports scalar object instances along with tabular objects in SNMP.
The SNMP object can be scalar, tabular, or a combination of both in rules. When you create a rule using SNMP ingest, you can add:
Only scalar fields.
A combination of tabular and scalar fields.
A tabular column along with the index queried as a scalar object.
A tabular column queried as a scalar comes with the limitation that the index number does not refer to the same Object across all the devices when you configure the tabular field in rule. For example, IF-MIB::ifAdminStatus.16. The ifAdminStatus is a column in IF MIB table. The IF-MIB::ifAdminStatus.16 refers to the table column with index 16.
- Only tabular fields.
A scalar object is identified by its MIB name (for example, JUNIPER-MIB::scalarObjectName) or as an OID.
Paragon Insights validates a given scalar by checking the MAX-ACCESS property in the MIB definition.
If you find MAX-ACCESS in the MIB definition set to read-only, read-create, or read-write, then that object can be queried as a scalar.
The complete path to query a scalar object is MIB-Name::table
column name:index number
.
For example, IF-MIB::ifInOctets:16
.