How NSM manages the configuration of a DMI device

Article ID: KB13941 KB Last Updated: 21 Apr 2009 Version: 1.0
Summary:
Understanding DMI device configuration management.

Symptoms:

Solution:
NSM manages the DMI device using an extension of the NETCONF protocol, carried over the SSH transport and management session established to the NSM device server on TCP port 7804.

NETCONF uses XML for data encoding because XML is a widely deployed standard that is supported by a large number of applications. The device provides its configuration to NSM as an XML config file. If the device's native configuration file is not XML based, the DMI agent exports the current device configuration into an XML format. When it receives configuration updates from NSM, the device likewise receives an XML-formatted file with the changes to be performed and imports that XML into its real device configuration.

Special RPCs (remote procedure calls) have been defined for performing management tasks beyond simply managing the configuration file. For example, special RPCs may be defined to query the current device status or update the firmware on the device. The standard RPC operations used for managing the configuration file are “add, modify, delete”, which indicate which XML nodes and values need to be changed on the device to match the configuration on NSM.

When a delta config summary is performed, the Job Manager information shows three sections that help the user find what the update will affect. The first section shows the XML configuration currently on the device that is going to be modified, the second shows the XML config changes that will be sent to the device, and the third shows a “diff” between the first and second sections, making the before/after of the configuration changes clear.

Example Delta Config output showing a change in the policy name to a number:

Configuration to be sent to Device on next Update Device:
<configuration>
  <security>
    <policies>
      <policy>
        <from-zone-name>default</from-zone-name>
        <to-zone-name>default</to-zone-name>
        <policy operation="delete">
          <name>accept-all</name>
        </policy>
        <policy operation="create">
          <name>490822</name>
          <match>
            <source-address>any</source-address>
            <destination-address>any</destination-address>
            <application>any</application>
          </match>
          <then>
            <permit />
          </then>
        </policy>
      </policy>
    </policies>
  </security>
</configuration>


XML Diff between Device (-) and NSM (+):

/configuration/security/policies/policy[from-zone-name="default" and to-zone-name="default"]/policy[name="accept-all"]
- <policy>
- <name>accept-all</name>
- <match>
- <source-address>any</source-address>
- <destination-address>any</destination-address>
- <application>any</application>
- </match>
- <then>
- <permit/>
- </then>
- </policy>

/configuration/security/policies/policy[from-zone-name="default" and to-zone-name="default"]/policy[name="490822"]
+ <policy>
+ <name>490822</name>
+ <match>
+ <source-address>any</source-address>
+ <destination-address>any</destination-address>
+ <application>any</application>
+ </match>
+ <then>
+ <permit/>
+ </then>
+ </policy>
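
For reviewing a delta before running Update Device, the following added example (not NSM or Juniper code) walks the XML shown above, lists each node that carries an operation attribute with a path in the style of the diff headers, and flags a policy that permits any source, destination and application. The KEYS tuple and the function names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Delta from this article, embedded (whitespace condensed) so the example runs offline.
DELTA = """<configuration><security><policies><policy>
  <from-zone-name>default</from-zone-name><to-zone-name>default</to-zone-name>
  <policy operation="delete"><name>accept-all</name></policy>
  <policy operation="create"><name>490822</name>
    <match><source-address>any</source-address>
      <destination-address>any</destination-address>
      <application>any</application></match>
    <then><permit /></then>
  </policy>
</policy></policies></security></configuration>"""

# Assumption: these leaf names act as list keys, as in the diff paths shown above.
KEYS = ("from-zone-name", "to-zone-name", "name")

def step(elem):
    """One path step, with key predicates in the style of the NSM diff headers."""
    preds = [f'{c.tag}="{c.text}"' for c in elem if c.tag in KEYS and c.text]
    return elem.tag + (f"[{' and '.join(preds)}]" if preds else "")

def permits_any_any(policy):
    """True when the policy matches any/any/any and its action is permit."""
    match = policy.find("match")
    if match is None or policy.find("then/permit") is None:
        return False
    fields = ("source-address", "destination-address", "application")
    return all(match.findtext(f) == "any" for f in fields)

def summarize(xml_text):
    """Return (operation, path, permits_any_any) for each node with an operation attribute."""
    changes = []
    def walk(elem, parent_path):
        path = f"{parent_path}/{step(elem)}"
        op = elem.get("operation")  # unprefixed, as printed in the article's output
        if op:
            changes.append((op, path, permits_any_any(elem)))
        for child in elem:
            walk(child, path)
    walk(ET.fromstring(xml_text), "")
    return changes

if __name__ == "__main__":
    for op, path, broad in summarize(DELTA):
        print(f"{op:7} {path}" + ("   <-- permits any/any/any" if broad else ""))
```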

The NSM server and GUI client have a definition of the device configuration in the form of W3C XML Schema definition (.XSD) files. Using those schema files, NSM can create the GUI client device editor views and also validate the data against the schema definition to make sure the values entered are within a specific range. The schema definition can be updated using the following procedure: KB12561 - How to update the DMI Schema Information for NSM
