
Paragon Insights Pull-Model Ingest Methods

 

Paragon Insights currently supports the following pull-model sensors:

iAgent (CLI/NETCONF)

For all the benefits of the ’push’ data collection methods, some operational and state information is available only through CLI/VTY commands. iAgent fills this gap by taking advantage of NETCONF/SSH functionality to provide Paragon Insights with the ability to connect to a device, run commands, and capture the output.

iAgent sensors use NETCONF/SSH and YAML-based PyEZ tables and views to fetch the necessary data. Both structured (XML) and unstructured (VTY commands and CLI output) data is supported.

With iAgent, the Paragon Insights server initiates SSH requests over any available network interface, whether in-band or out-of-band, and the device responds (when properly configured) with the requested data.

Starting with Release 3.2.0, HealthBot can use iAgent connections that are device-initiated using outbound-ssh. This configuration makes Paragon Insights act as the client to the device making the connection. This type of connection is useful in environments in which the remote devices cannot accept incoming connections. All existing iAgent rules can be used when outbound-ssh is configured on Junos OS devices.

Note

In the 3.2.0 release, outbound-ssh is only supported on Junos OS devices.

Outbound SSH is disabled by default and can be enabled at the device-group level. Once enabled, all devices in the group will use outbound-ssh unless specifically configured not to.

When you enable outbound-ssh within the device-group, you must select a tcp-port number over which all the member devices will initiate their NETCONF connections to Paragon Insights. This port must be unique across the Paragon Insights installation. Figure 1 shows the outbound SSH section of the add/edit device group window.

Figure 1: Outbound-SSH - Device Group Level

Note

To disable an individual device in a device-group from using outbound-ssh, you must edit the device and select disable in the outbound-ssh configuration section. If you later change your mind and want that device to use outbound-ssh, edit the device and set outbound-ssh to reset. Figure 2 is an edited (shortened) device add/edit window with the outbound-SSH section shown.

Figure 2: Outbound-SSH - Device Level

Starting in HealthBot Release 3.1.0, iAgent functionality is extended to third-party devices. When adding a device, you can choose Other Vendor from the Vendor pull-down. This adds the Vendor Name text field below the Vendor pull-down. You then fill in the iAgent Port Number, Vendor Name, and OS name fields highlighted in Figure 3 to allow iAgent connections to non-Juniper devices.

Note

Refer to vendor documentation to understand how to configure third-party vendor devices to allow these connections.

Figure 3: Add Third-Party Device

Using Netmiko, Paragon Insights makes persistent SSH connections over the selected port to the third-party device. To gather device information, Paragon Insights sends CLI commands over SSH and receives string blobs back as output. The string blobs are then parsed into JSON format through TextFSM, using ntc-templates, and stored in the database. Default templates are located at /srv/salt/_textfsm. A repository of ntc-templates for network devices is available at NTC Templates. Advanced users who need a template that does not exist can create their own templates and upload them to Paragon Insights using the Upload Rule Files button on the Configuration > Rules page. User-defined templates are stored at /jfit/_textfsm. The files must end with the .textfsm suffix.

TextFSM is integrated into PyEZ’s table/view feature which is an integral part of iAgent.

Example: PaloAlto Panos - Show Running Security Policy

To see the running security policy on a Panos device, we need to:

  • Define a table/view for it

  • Gather the output by sending the needed CLI to the device over SSH

  • Generate JSON to store in Paragon Insights database

Define PyEZ Table/View

We need to define a PyEZ table that is used by the iAgent rule assigned to the Panos device. The following table definition lacks a view definition. Because of this, the entire output from the show running security-policy command ends up getting stored in the database after processing.

(Optional) To store only a portion of the received data in Paragon Insights, you can define a view in the same file. The view tells Paragon Insights which fields to pay attention to.

Gather Output from Device

Using an iAgent rule that references the PyEZ table (or table/view) defined above, Paragon Insights sends the command show running security-policy to the device which produces the following output:

Generate JSON for Use in Paragon Insights Database

Since the device configuration specifies Palo Alto Networks as the vendor and Panos OS as the operating system, the TextFSM template used for this example would look like this:

When the template above is used by Paragon Insights to parse the output shown previously, the resulting JSON looks like:

iAgent - Device Configuration (Paragon Insights as server)

At minimum, iAgent (NETCONF) requires:

  • Junos OS Version: 11.4 or later

  • Minimum required device configuration:

    set system services netconf ssh

iAgent - Device Configuration (Outbound-ssh)

At minimum, iAgent (outbound-ssh) requires:

  • Junos OS Version: 11.4 or later

  • Minimum required device configuration:

    set system services outbound-ssh client client_name device-id <device-name-in-healthbot>
    set system services outbound-ssh client client_name keep-alive retry 30
    set system services outbound-ssh client client_name keep-alive timeout 35
    set system services outbound-ssh client client_name services netconf
    set system services outbound-ssh client client_name 10.10.10.1 port 2222
    Note

    In the configuration above, client_name can be anything that makes sense. The IP address and port shown are examples representing the Paragon Insights IP address and a unique port number used for the devices in one device-group.

iAgent - vCenter/ESXi Server Monitor

Since release 2.0.0, Paragon Insights has supported user-defined functions (UDFs) within fields. A user-defined function relies on Python tables and views, and YAML configuration files, to allow a user to define their own functions for processing telemetry data from Junos OS devices.

Starting with Release 3.2.0, Paragon Insights can use UDFs to process streamed data from VMware’s vCenter and ESXi server products.

We implement this feature by making use of VMware’s PyVmomi API and persistent SaltStack connections to that API. We use UDFs to process the vCenter/ESXi server data because:

  • These servers do not respond to RPCs with XML-formatted text.

  • It is extremely difficult to construct a table and view from the response data that these servers provide.

SNMP

SNMP is a widely known and accepted network management protocol that many network device manufacturers, including Juniper Networks, provide for use with their devices. It is a polling type protocol where network devices that are properly configured make configuration, diagnostic, and event information available to collectors, which must also be properly configured and authenticated. The collectors poll devices by sending specifically structured requests, called get requests, to retrieve data.

Paragon Insights supports SNMP as a sensor type, using standard get requests to gather statistics from the device. Paragon Insights makes requests over any available interface, whether in-band or out-of-band, and the device responds (when configured) with the requested data.

For information about SNMP as used on Junos OS devices, see Understanding SNMP Implementation in Junos OS.

The sections below delve deeper into SNMP ingest configuration and all of the steps needed for Paragon Insights to successfully ingest SNMP data from a device or devices in a device group.

Configure SNMP Ingest in Paragon Insights GUI

Paragon Insights supports three methods of collecting telemetry data using SNMP. Ingest, also known as request-response, is a pull-mode method in which Paragon Insights requests telemetry data from the devices. Trap and inform notifications are push-mode methods in which the devices notify Paragon Insights about key performance indicator events that prevent the devices from functioning as expected.

Paragon Insights Release 4.0.0 supports SNMPv3 alongside the current SNMPv2c as an ingest method. Users with sp-admin role can select any version of SNMP in the Paragon Insights GUI.

SNMPv3 ingest provides you with an option to set authentication and privacy credentials to leverage the following features:

  • Authentication — Identifies and verifies the origin of an SNMPv3 message.

  • Privacy — Prevents packet analyzers from snooping the content of messages by encrypting them.

  • Integrity — Ensures that the content of SNMP messages is not altered while in transit without authorization.

Table 1 lists the supported authentication and privacy algorithms in SNMPv3 protocol.

Table 1: Authentication and Privacy Algorithms

  • Supported authentication algorithms: MD5, SHA, SHA224, SHA256, SHA384, SHA512

  • Supported privacy algorithms: DES, AES, AES192, AES256, AES192C, AES256C

The SNMPv3 ingest can be set at the device or device group level, with device configuration taking precedence if the ingest is configured at both levels. The configuration of SNMPv3 and SNMPv2c is mutually exclusive.

Note

If a device is not configured for SNMP ingest, Paragon Insights uses SNMPv2c with SNMP Community set to public as the default settings.
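
The precedence and default rules above decide which SNMP settings a device actually ends up with. The following added example (not Paragon Insights code; the inventory layout and field names are hypothetical, and the sample data is constructed) resolves the effective setting per device and flags the weaker choices a reviewer would want to see.

```python
# Added example: hypothetical inventory format, not a Paragon Insights export.

DEFAULT_SNMP = {"version": "v2c", "community": "public"}  # default stated on this page
LEGACY_AUTH = {"MD5", "SHA"}  # assumption: "SHA" means SHA-1 (HMAC-SHA-96)
LEGACY_PRIV = {"DES"}


def effective_snmp(device, group):
    """Device-level settings win over device-group settings; else the default."""
    return device.get("snmp") or group.get("snmp") or dict(DEFAULT_SNMP)


def findings(snmp):
    """Return finding codes for one effective SNMP ingest configuration."""
    out = []
    if snmp["version"] == "v2c":
        # SNMPv2c carries the community string in cleartext and has no encryption.
        out.append("v2c-cleartext-community")
        if snmp.get("community", "public") == "public":
            out.append("default-community-public")
        return out

    auth_none = snmp.get("auth_none", False)
    priv_none = snmp.get("priv_none", False)
    if auth_none:
        out.append("v3-no-authentication")
        if not priv_none:
            # USM (RFC 3414) defines no security level with privacy but no auth.
            out.append("v3-privacy-without-authentication")
    elif snmp.get("auth_protocol") in LEGACY_AUTH:
        out.append("v3-legacy-auth-" + snmp["auth_protocol"])
    if priv_none:
        out.append("v3-no-privacy")
    elif snmp.get("priv_protocol") in LEGACY_PRIV:
        out.append("v3-legacy-priv-" + snmp["priv_protocol"])
    return out


def audit(groups):
    """Map each device name to the findings for its effective configuration."""
    report = {}
    for group in groups:
        for device in group["devices"]:
            report[device["name"]] = findings(effective_snmp(device, group))
    return report


# Constructed sample inventory (names and values are illustrative only).
INVENTORY = [
    {
        "name": "core",
        "snmp": {"version": "v3", "username": "pi-ingest",
                 "auth_protocol": "SHA256", "priv_protocol": "AES256"},
        "devices": [
            {"name": "r1"},  # inherits the group's SNMPv3 settings
            {"name": "r2", "snmp": {"version": "v2c", "community": "n0c-ro"}},
            {"name": "r3", "snmp": {"version": "v3", "username": "pi-ingest",
                                    "auth_protocol": "MD5", "priv_none": True}},
        ],
    },
    {
        "name": "lab",  # no SNMP settings at group level
        "devices": [
            {"name": "sw1"},  # falls back to v2c / public
            {"name": "fw1", "snmp": {"version": "v3", "username": "pi-ingest",
                                     "auth_none": True, "priv_protocol": "AES"}},
        ],
    },
]

if __name__ == "__main__":
    for name, issues in audit(INVENTORY).items():
        print(f"{name}: {', '.join(issues) if issues else 'ok'}")
```

A device that inherits nothing (sw1 in the sample) is the case most easily missed, because no SNMP field was ever filled in for it.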

Note

In Paragon Insights, the SNMPv2c and SNMPv3 ingest and trap configurations share the same workflow.

To configure SNMP ingest at the device level:

  1. Click the Configuration > Device option in the left navigation bar.
  2. Click the add device button (+).
  3. Enter the necessary values in the text boxes and select the appropriate options for the device.

    The following table describes the attributes in the Add a Device window:

    Attributes

    Description

    Name

    Name of the device. Default is hostname. (Required)

    Hostname / IP Address / Range

    Hostname or IP address of a single device. If you are providing a range of IP addresses, enter the IP address for the device that marks the start and end of the address range. (Required)

    System ID to use for JTI

    Unique system identifier required for JTI native sensors. Junos devices use the following format: <host_name>:<jti_ip_address>

    When a device has dual routing engines (REs), it might send different system IDs depending on which RE is primary. You can use a regular expression to match both system IDs.

    Flow Source IPs

    Enter the IP address(es) that this device uses to send NetFlow data.

    OpenConfig Port Number

    Port number required for JTI OpenConfig sensors. The default value is 32767.

    iAgent Port Number

    Port number required for iAgent. The default value is 830.

    Vendor

    Lists the vendor or supplier of the device you are using.

    The operating system you can select from the OS drop-down list depends on the vendor you select from the Vendor drop-down list.

    The following options are available:

    • Select Juniper from the vendor drop-down list to select either Junos or Junos Evolved operating systems from the OS drop-down list.

    • Select CISCO from the Vendor drop-down list to select either IOSXR or NXOS operating systems from the OS drop-down list.

      With Paragon Insights Release 4.0.0, NXOS OS is also supported.

      Note: If you plan to use Cisco IOS XR devices, you must first configure the telemetry. For more information, see Paragon Insights Installation Requirements.

    • Select Arista from the Vendor drop-down list to select EOS operating system from the OS drop-down list.

    • Select Paloalto from the Vendor drop-down list to select PANOS operating system from the OS drop-down list.

    • Select Linux from the Vendor drop-down list and you can enter the name of the operating system in the OS field.

    • If you select Other Vendor, the Vendor Name and OS Name fields are enabled. You can enter the name of the vendor of your choice in the Vendor Name field and the corresponding operating system for the vendor in the OS field.

      Consider the following example. If the operating system of a vendor (listed in the Vendor drop-down list) is not listed (in the OS drop-down list), you can select the Other Vendor option to enter the name of the vendor and operating system of your choice.

    Starting with Release 4.0.0, Paragon Insights supports Arista Networks, Paloalto Networks, and Linux vendors.

    Timezone

    Timezone for this device, specified as + or -hh:mm. For example, +07:00

    Syslog Source IPs

    List of IP addresses for the device sending syslog messages to Paragon Insights. For example, 10.10.10.23, 192.168.10.100.

    Syslog Hostnames

    List of hostnames for the device sending syslog messages to Paragon Insights. For example, router1.example.com.

    SNMP

    SNMP Port Number

    Port number required for SNMP ingest (request-response) messages. The port number is set to the standard value of 161.

    SNMP Version

    Select either v2c or v3 in the drop-down menu.

    SNMP Community

    Enter an SNMP Community string for SNMPv2c ingest.

    In SNMPv2c, Community string is used to verify the authenticity of the ingest (request-response) message issued by the SNMP agent (devices such as routers, switches, servers, and so on).

    SNMPv3 Username

    Enter a username for SNMPv3 ingest (request-response).

    Authentication None

    This field appears if you selected v3 in SNMP Version field.

    Enable this option if you want to set SNMPv3 authentication to None.

    Privacy None

    This field appears if you selected v3 in SNMP Version field.

    Enable this option if you want to set SNMPv3 privacy protocol to None.

    SNMPv3 Authentication Protocol

    This field appears if you selected v3 in SNMP Version field and disabled Authentication None.

    Select an authentication protocol from the drop-down menu.

    SNMP authentication protocol hashes the SNMP username with the passphrase you enter. The hashed output is sent along with the ingest message. Paragon Insights again hashes the username with the passphrase you entered for authentication. If the output matches, the ingest message is further processed.

    SNMPv3 Authentication Passphrase

    This field appears if you selected v3 in SNMP Version field and disabled Privacy None.

    Enter a passphrase for SNMPv3 authentication.

    SNMPv3 Privacy Protocol

    Select a privacy protocol from the drop-down menu.

    Privacy algorithm encrypts the ingest message with the protocol passphrase so that the message cannot be read by an unauthorized application in the network.

    SNMPv3 Privacy Passphrase

    This field appears if you selected v3 in SNMP Version field and disabled Privacy None.

    Enter a passphrase to encrypt the ingest message.

    Authentication (Required either here or at Device Group level)

    Password

    Username: Authentication username.
    Password: Authentication password.

    SSL

    Server Common Name: Server name protected by the SSL certificate.
    CA Profile*: Choose the applicable CA profile(s) from the drop-down list.
    Local Certificate*: Choose the applicable local certificate profile(s) from the drop-down list.

    SSH

    SSH Key Profile*: Choose the applicable SSH key profile(s) from the drop-down list.
    Username: Authentication username.

    *To edit or view details about saved security profiles, go to the Security page under the Settings menu in the left navigation bar.

  4. Click Save to save the configuration or click Save and Deploy to save and deploy the configuration. For information on how to use the Devices table, see Monitor Device and Network Health.

To configure SNMP ingest at the device-group level:

  1. Click the Configuration > Device Group option in the left navigation bar.
  2. Click the add group button (+).
  3. Enter the necessary values in the text boxes and select the appropriate options for the device group.

    The following table describes the attributes in the Add a Device Group window:

    Attributes

    Description

    Name

    Name of the device group. (Required)

    Description

    Description for the device group.

    Devices

    Add devices to the device group from the drop-down list. (Required)

    Starting in Paragon Insights 4.0.0, you can add more than 50 devices per device group. However, the actual scale of the number of devices you can add depends on the available system resources.

    For example, consider that you want to create a device group of 120 devices. In releases earlier than release 4.0.0, it is recommended that you create three device groups of 50, 50, and 20 devices respectively. With Paragon Insights Release 4.0.0, you just create one device group.

    Native Ports

    (Native GPB sensors only) List the port numbers on which the Junos Telemetry Interface (JTI) native protocol buffers connections are established.

    Flow Ports

    (NetFlow sensors only) List the port numbers on which the NetFlow data is received by Paragon Insights. The port numbers must be unique across the entire Paragon Insights installation.

    Syslog Ports

    Specify the UDP port(s) on which syslog messages are received by Paragon Insights.

    Retention Policy

    Select a retention policy from the drop-down list for time series data used by root cause analysis (RCA). By default, the retention policy is 7 days.

    Reports

    In the Reports field, select one or more health report profile names from the drop-down list to generate reports for the device group. Reports include alarm statistics, device health data, as well as device-specific information (such as hardware and software specifications).

    To edit or view details about saved health report profiles, go to the System page under the Settings menu in the left-nav bar. The report profiles are listed under Report Settings.

    For more information, see Alerts and Notifications.

    SNMP

    SNMP Port Number

    Port number required for SNMP notifications. The port number is set to the standard value of 161.

    SNMP Version

    Select either v2c or v3 in the drop-down menu.

    • If you select v2c, the SNMP Community name field appears. The string used in v2c authentication is set to public by default. It is recommended that users change the community string.

    • If you select v3, you are given an option to set username, authentication and privacy methods, and authentication and privacy secrets.

    SNMP Community

    Enter an SNMP Community string for SNMPv2c ingest.

    In SNMPv2c, Community string is used to verify the authenticity of the trap message issued by the SNMP agent.

    SNMPv3 Username

    Enter a username for SNMPv3 ingest messages.

    Authentication None

    This field appears if you selected v3 in SNMP Version field.

    Enable this option if you want to set SNMPv3 authentication to None.

    Privacy None

    This field appears if you selected v3 in SNMP Version field.

    Enable this option if you want to set SNMPv3 privacy protocol to None.

    SNMPv3 Authentication Protocol

    This field appears if you selected v3 in SNMP Version field and disabled Authentication None.

    Select an authentication protocol from the drop-down menu.

    SNMP authentication protocol hashes the SNMP username with the passphrase you enter. The hashed output is sent along with the trap notification message. Paragon Insights again hashes the username with the passphrase you entered for authentication. If the output matches, the trap notification is further processed.

    SNMPv3 Authentication Passphrase

    This field appears if you selected v3 in SNMP Version field and disabled Privacy None.

    Enter a passphrase to authenticate SNMPv3 ingest messages.

    SNMPv3 Privacy Protocol

    Select a privacy protocol from the drop-down menu.

    Privacy algorithm encrypts the ingest message with the protocol passphrase so that the message cannot be read by an unauthorized application in the network.

    SNMPv3 Privacy Passphrase

    This field appears if you selected v3 in SNMP Version field and disabled Privacy None.

    Enter a passphrase to encrypt the trap notification.

    Summarization

    To improve the performance and disk space utilization of the Paragon Insights time series database, you can configure data summarization methods to summarize the raw data collected by Paragon Insights. Use these fields to configure data summarization:

    Time Span: The time span (in minutes) for which you want to group the data points for data summarization.
    Summarization Profiles: Choose the data summarization profiles from the drop-down list that you want to apply to the ingest data. To edit or view details about saved data summarization profiles, go to the Data Summarization Profiles page under the Settings menu in the left-nav bar.

    For more information, see Configure Data Summarization.

    Ingest Frequency

    Select existing Ingest Frequency Profiles to override rule or sensor frequency settings.

    Authentication (Required here or at Device level)

    Password

    Username: Authentication username.
    Password: Authentication password.

    SSL

    Server Common Name: Server name protected by the SSL certificate.
    CA Profile*: Choose the applicable CA profile(s) from the drop-down list.
    Local Certificate*: Choose the applicable local certificate profile(s) from the drop-down list.

    SSH

    SSH Key Profile*: Choose the applicable SSH key profile(s) from the drop-down list.
    Username: Authentication username.

    Notifications

    • You can use the Alarm Manager feature to organize, track, and manage KPI event alarm notifications received from Paragon Insights devices.

    • To receive Paragon Insights alarm notifications for KPI events that have occurred on your devices, you must first configure the notification delivery method for each KPI event severity level (Major, Minor, and Normal). Select the delivery method from the drop-down lists.

      To edit or view details about saved delivery method profiles, go to the System page under the Settings menu in the left-nav bar. The delivery method profiles are listed under Notification Settings.

    For more information, see Alerts and Notifications.

    Logging Configuration

    You can collect different severity levels of logs for the running Paragon Insights services of a device group. Paragon Insights Release 4.0.0 supports log collection for SNMP notification.

    Use these fields to configure which log levels to collect:

    Global Log Level: From the drop-down list, select the level of the log messages that you want to collect for every running Paragon Insights service for the device group. The level is set to error by default.
    Log Level for specific services: Select the log level from the drop-down list for any specific service that you want to configure differently from the Global Log Level setting. The log level that you select for a specific service takes precedence over the Global Log Level setting.

    For more information, see Logs for Paragon Insights Services.

    Publish

    You can configure Paragon Insights to publish Paragon Insights sensor and field data for a specific device group:

    Destinations: Select the publishing profiles that define the notification type requirements (such as authentication parameters) for publishing the data.

    To edit or view details about saved publishing profiles, go to the System page under the Settings menu in the left-nav bar. The publishing profiles are listed under Notification Settings.

    Field: Select the Paragon Insights rule topic and rule name pairs that contain the field data you want to publish.
    Sensor: (Device group only) Select the sensor paths or YAML tables that contain the sensor data you want to publish. No sensor data is published by default.

    *To edit or view details about saved security profiles, go to the Security page under the Settings menu in the left-nav bar.

  4. Click Save to save the configuration or click Save and Deploy to save and deploy the configuration. For information on how to use the device group cards, see Monitor Device and Network Health.
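
What the SNMPv3 Authentication Protocol and Authentication Passphrase fields in both procedures feed into under the User-based Security Model (RFC 3414), as an added example that is not Juniper or Paragon Insights code: the passphrase is stretched into a key, localized to one agent's engine ID, and used to compute a truncated HMAC over each message. It covers only the MD5 and SHA options ("SHA" is assumed to mean SHA-1), and the passphrase, engine IDs and message bytes in `demo()` are constructed.

```python
import hashlib
import hmac

# Page algorithm name -> hashlib name. Assumption: "SHA" means SHA-1 (HMAC-SHA-96).
ALGS = {"MD5": "md5", "SHA": "sha1"}
EXPANDED_LEN = 1048576   # RFC 3414 A.2: passphrase repeated out to 1,048,576 bytes
TAG_LEN = 12             # HMAC-MD5-96 and HMAC-SHA-96 keep the first 96 bits
MIN_PASSPHRASE_LEN = 8   # minimum passphrase length required by RFC 3414


def password_to_key(passphrase: bytes, alg: str) -> bytes:
    """Stretch a passphrase into the user key Ku (RFC 3414 Appendix A.2)."""
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        raise ValueError("SNMPv3 passphrases must be at least 8 characters")
    reps, rem = divmod(EXPANDED_LEN, len(passphrase))
    stream = passphrase * reps + passphrase[:rem]
    return hashlib.new(ALGS[alg], stream).digest()


def localize_key(user_key: bytes, engine_id: bytes, alg: str) -> bytes:
    """Bind Ku to a single agent: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(ALGS[alg], user_key + engine_id + user_key).digest()


def auth_tag(localized_key: bytes, message: bytes, alg: str) -> bytes:
    """Authentication parameters: truncated HMAC over the whole message.

    The caller passes the serialized message with the 12-byte
    authentication field set to zeros, as the sender and receiver both do.
    """
    return hmac.new(localized_key, message, ALGS[alg]).digest()[:TAG_LEN]


def verify(localized_key: bytes, message: bytes, tag: bytes, alg: str) -> bool:
    """Recompute the tag on receipt and compare in constant time."""
    return hmac.compare_digest(auth_tag(localized_key, message, alg), tag)


def demo():
    """Return (valid message accepted, tampered message accepted, keys differ)."""
    passphrase = b"constructed-passphrase"             # constructed value
    agent_a = bytes.fromhex("80001f8880aabbccdd")      # constructed engine ID
    agent_b = bytes.fromhex("80001f8880aabbccde")      # constructed engine ID
    user_key = password_to_key(passphrase, "SHA")
    key_a = localize_key(user_key, agent_a, "SHA")
    key_b = localize_key(user_key, agent_b, "SHA")

    message = b"constructed SNMPv3 message, auth field zeroed"
    tag = auth_tag(key_a, message, "SHA")
    tampered = message.replace(b"zeroed", b"zeroeD")   # one byte changed in transit
    return (
        verify(key_a, message, tag, "SHA"),
        verify(key_a, tampered, tag, "SHA"),
        key_a != key_b,
    )


if __name__ == "__main__":
    print(demo())
```

Because the key is localized per engine ID, the same passphrase yields a different key on every agent, and any change to the message bytes invalidates the tag, which is where the integrity property comes from.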

Example: Creating a Rule using SNMP Ingest

To illustrate how to configure and use an SNMP sensor, consider a scenario where you want to:

  • Monitor Routing Engine CPU, CPU average, and memory utilization for a device, using SNMP data

  • Create a rule with triggers that indicate when utilization for any of the above elements goes above 80%

To implement this scenario, you will need to complete the following activities:

The workflow is as follows:

CONFIGURE NETWORK DEVICES

Note

This example assumes you have already added your devices into Paragon Insights and assigned them to a device group.

If not already done, configure your network device(s) to accept SNMP ingest in Paragon Insights. See Configure SNMP Ingest in Paragon Insights GUI for steps to configure SNMP ingest.

CREATE RULE, APPLY PLAYBOOK

Configure a Rule Using an SNMP Sensor

You can now create a rule using SNMP as the sensor.

This rule includes multiple elements, as shown below:

  • An SNMP sensor to ingest data

  • Five fields extracting specific SNMP data of interest:

    • CPU utilization, memory utilization

    • CPU utilization averages - 1min, 5min, 15min

  • A field representing a static value, used as a threshold

    • Value provided by a variable

  • A field representing a description

    • Value provided by a variable; extracted from the SNMP messages

  • Five triggers, indicating when CPU, CPU average, and memory utilization is higher than the threshold value

  1. In the Paragon Insights GUI, click Configuration > Rules in the left-nav bar.
  2. On the Rules page, click the + Add Rule button.
  3. On the page that appears, in the top row of the rule window, set the rule name. In this example, rule name is check-system-cpu-memory-snmp.
  4. Add a description and synopsis if you wish.
  5. Click the + Add sensor button and enter the following parameters to configure the sensor, system-cpu-memory:
    • Name is user-defined

    • The sensor is using the Juniper SNMP MIB table jnxOperatingTable

    • Paragon Insights polls the device group for table data every 60 seconds

  6. Now move to the Variables tab, click the + Add variable button and enter the following parameters to configure the first variable, comp-name:
    • Matches any string that includes “Routing Engine”

    • Referenced later in field description

  7. Click the + Add variable button once more and enter the following parameters to configure the second variable, static-threshold:
    • Represents a (default) static value of “80”; in this case, 80%

    • Referenced later in field threshold

  8. Now move to the Fields tab, click the + Add field button and enter the following parameters to configure the first field, cpu-15min-avg:
    • Field names are user-defined

    • Extracts jnxOperating15MinLoadAvg value from SNMP table configured in the sensor

    • jnxOperating15MinLoadAvg - CPU Load Average (as a % value) over the last 15 minutes

  9. Click the + Add field button again and enter the following parameters to configure the second field, cpu-1min-avg:
    • Extracts jnxOperating1MinLoadAvg value from SNMP table

    • jnxOperating1MinLoadAvg - CPU Load Average (as a % value) over the last 1 minute

  10. Click the + Add field button again and enter the following parameters to configure the third field, cpu-5min-avg:
    • Extracts jnxOperating5MinLoadAvg value from SNMP table

    • jnxOperating5MinLoadAvg - CPU Load Average (as a % value) over the last 5 minutes

  11. Click the + Add field button again and enter the following parameters to configure the fourth field, description:
    • Extracts jnxOperatingDescr value from SNMP table

    • jnxOperatingDescr - name or description; for example, “Routing Engine 0”, “FPC 0”, etc.

    • The expression references the variable comp-name; filters the data further to retain only the values that include the string “Routing Engine”

    • Matching values will act as keys; each key gets a colored block in device health view

  12. Click the + Add field button again and enter the following parameters to configure the fifth field, system-buffer-memory:
    • Extracts jnxOperatingBuffer value from SNMP table

    • jnxOperatingBuffer - buffer pool utilization (as a % value)

  13. Click the + Add field button again and enter the following parameters to configure the sixth field, system-cpu:
    • Extracts jnxOperatingCPU value from SNMP table

    • jnxOperatingCPU - CPU utilization (as a % value)

  14. Click the + Add field button once more and enter the following parameters to configure the seventh field, threshold:
    • The expression references the variable static-threshold, giving this field the (default) integer value “80”

    • Referenced later in triggers

  15. Now move to the Triggers tab, click the + Add trigger button and enter the following parameters to configure the first trigger, system-buffer:
    • Trigger names are user-defined

    • Trigger logic runs every 90 seconds

    • Evaluate terms in sequence; when a term’s conditions are met, show its color and message on the device health pages

    • When system memory buffer utilization (the value in field system-buffer-memory) is greater than 80 (the value in field threshold), set color to red and show related message

    • Otherwise, set color to green and show related message

  16. Click the + Add trigger button again and enter the following parameters to configure the second trigger, system-cpu:
    • Trigger logic runs every 90 seconds

    • When CPU utilization (the value in field system-cpu) is greater than 80 (the value in field threshold), set color to red and show related message

    • Otherwise, set color to green and show related message

  17. Click the + Add trigger button again and enter the following parameters to configure the third trigger, system-cpu-15min-average:
    • Trigger logic runs every 90 seconds

    • When CPU 15min utilization average (the value in field cpu-15min-avg) is greater than or equal to 80 (the value in field threshold), set color to red and show related message

    • Otherwise, set color to green and show related message

  18. Click the + Add trigger button again and enter the following parameters to configure the fourth trigger, system-cpu-1min-average:
    • Trigger logic runs every 90 seconds

    • When CPU 1min utilization average (the value in field cpu-1min-avg) is greater than or equal to 80 (the value in field threshold), set color to red and show related message

    • Otherwise, set color to green and show related message

  19. Click the + Add trigger button once more and enter the following parameters to configure the fifth trigger, called system-cpu-5min-average:
    • Trigger logic runs every 90 seconds

    • When CPU 5min utilization average (the value in field cpu-5min-avg) is greater than or equal to 80 (the value in field threshold), set color to red and show related message

    • Otherwise, set color to green and show related message

  20. At the upper right of the window, click the + Save & Deploy button.

Add the Rule to a Playbook

With the rule created, you can now add it to a playbook. For this example, create a new playbook to hold the new rule.

  1. Click Configuration > Playbooks in the left-navigation bar.
  2. On the Playbooks page, click the + Create Playbook button.
  3. On the page that appears, enter the following parameters:
  4. Click Save & Deploy.

Apply the playbook to a device group

To make use of the playbook, apply it to a device group.

  1. On the Playbooks page, click the Apply (Airplane) icon for the playbook you configured above.
  2. On the page that appears:
    • Enter a playbook instance name

    • Select the desired device group

    • (Optional) If desired, you can adjust the variables for this playbook instance to use different values than the defaults configured in the rule

    • Click Run Instance

  3. On the Playbooks page, confirm that the playbook instance is running. Note that the playbook instance may take some time to activate.

MONITOR

Monitor the devices

With the playbook applied, you can begin to monitor the devices.

  1. Click Monitor > Device Group Health in the left-nav bar.
  2. Select the device group to which you applied the playbook from the Device Group pull-down menu.
  3. Select one or more of the devices to monitor.
  4. In the Tile View, hover your mouse over one of the external tiles.
    • external is the topic name under which the rule was created

    • Each colored block represents a key and its related values

    • The mouse-over window shows information related to the given key, with the triggers listed inside

  5. In the Table View, try out the various filters and sorting options.
    • Each trigger is listed as a KPI

SNMP Trap and Inform Notifications

Paragon Insights Release 4.0.0 supports inform and trap notifications that are sent by devices in the network for fault management. Traps and informs are notifications about changes of state in the network that are sent between the SNMP manager (Paragon Insights) and the SNMP agents (devices), and on which Paragon Insights performs trigger evaluations. Paragon Insights processes traps and informs from the configured device only if a playbook containing an SNMP-notification rule is running for the specified device. In all other cases, the trap or inform message is dropped by the SNMP manager.

The following sections describe relevant terms, configuration of traps and informs through CLI, port configuration, and accessing status of SNMP traps through CLI.

Note

SNMP trap notifications are supported by SNMPv2c and SNMPv3. SNMP inform messages are supported only when you use the SNMPv3 protocol.

Glossary

The following terms are used when describing processes or concepts related to SNMP traps and informs.

  • Authoritative agent — In SNMPv3 transactions between two entities (agent and manager), the flow of sending notifications is controlled through authentication and privacy, which are unique features in SNMPv3. Authentication identifies and verifies the source of an SNMPv3 message. The privacy feature prevents packet analyzers from snooping the content of messages by encrypting them.

    The entity that controls the notification flow is known as the authoritative agent. In SNMPv3, the non-authoritative entity must know the <Engine ID> of the authoritative agent for a successful communication.

  • Traps or trap messages — A trap is an unacknowledged notification sent from an SNMP agent to the SNMP manager. In trap messages, the SNMP agent is the authoritative agent. The administrator must configure the SNMPv3 <user> (distinct from the local IAM users) and <Context Engine ID> on the device that sends out the trap messages. For traps, the <Context Engine ID> is set to the Engine ID that uniquely identifies the SNMP agent.

  • Informs or inform messages — An inform is also a notification sent from an SNMP agent to the SNMP manager. In inform messages, the SNMP manager is the authoritative agent. The configuration is done on the device that needs to send inform messages, with the details of the remote authoritative agent (the SNMP manager). The administrator must configure the <user> found in the remote SNMP manager.

  • Engine ID — <Engine ID> is a hexadecimal value generated for a given agent that uniquely identifies the SNMP agent and needs to be unique across a given administrative domain. It also must be persistent across reboots or upgrades.

  • Security Engine ID — It is a security parameter in the SNMP communication between the agent and the manager. It is usually set to the <Engine ID> of the authoritative agent involved. A trap message has two parts: a header and a trap Protocol Data Unit (PDU). The header contains the <Security Engine ID> and a <username> set in the trap configuration. When an agent sends a trap, these parameters in the trap header are checked against the details stored in the USM table. The trap is further processed only when there is a match.

  • Context Engine ID — <Context Engine ID> is part of a trap PDU. It uniquely identifies a device which has sent the original trap message. <Context Engine ID> and <Security Engine ID> are identical in most cases.

  • USM Table — SNMP managers receiving the traps need to maintain the USM (User-based Security Model) table, which has <Security Engine ID> and <username> as the key to verify the source of the trap messages.

  • Virtual IP Address for SNMP Proxy — Paragon Insights is deployed as a Kubernetes application and it uses load balancers that expose virtual IP addresses to external entities. When messages are routed through the load balancer, the source IP address of the trap message will be set to the IP address of the load balancer.

    The load balancer has an option to retain the source IP address if you allot an exclusive virtual IP address for services that require the source IP address of SNMP agents to be preserved. Since in SNMP notifications, the source IP address is required for parsing the message, an exclusive virtual IP must be allotted for SNMP Proxy. The same virtual IP needs to be configured on the device or device groups as the target address.
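The USM table check and the role of the <Engine ID> from the glossary above, as an added Python example (not Paragon Insights code): it follows the RFC 3414 password-to-key and key-localization steps to show why the manager must hold the authoritative agent's engine ID. The function names, the user trapuser and the second engine ID are hypothetical, and the message bytes are a constructed stand-in, not a BER-encoded SNMP packet.

```python
import hashlib
import hmac

def password_to_key(passphrase: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: digest of the passphrase repeated out to 1,048,576 bytes."""
    if not passphrase:
        raise ValueError("passphrase must not be empty")
    reps, rem = divmod(1_048_576, len(passphrase))
    return hashlib.new(hash_name, passphrase * reps + passphrase[:rem]).digest()

def localize_key(user_key: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: bind the user key to one authoritative engine ID."""
    return hashlib.new(hash_name, user_key + engine_id + user_key).digest()

def auth_tag(localized_key: bytes, message: bytes, hash_name: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: first 12 bytes of the HMAC over the message
    (computed with the authentication-parameters field zeroed)."""
    return hmac.new(localized_key, message, hash_name).digest()[:12]

def build_usm_table(entries):
    """Manager-side USM table keyed by (security engine ID, username)."""
    table = {}
    for engine_id, username, passphrase, hash_name in entries:
        user_key = password_to_key(passphrase, hash_name)
        table[(engine_id, username)] = (
            hash_name, localize_key(user_key, engine_id, hash_name))
    return table

def accept_trap(table, security_engine_id, username, message, received_tag):
    """Process the trap only if the header matches a USM entry and the tag verifies."""
    entry = table.get((security_engine_id, username))
    if entry is None:
        return False  # unknown engine ID / username pair: drop
    hash_name, key = entry
    return hmac.compare_digest(auth_tag(key, message, hash_name), received_tag)

# Constructed sample values; the first engine ID and the passphrase are the
# RFC 3414 A.3 test inputs, everything else is made up for this example.
AGENT_ENGINE_ID = bytes.fromhex("000000000000000000000002")
OTHER_ENGINE_ID = bytes.fromhex("0000000000000000000000ff")
PASSPHRASE = b"maplesyrup"
TRAP_BYTES = b"constructed-trap-message-with-zeroed-auth-field"

def demo():
    # Manager configured with the agent's engine ID (the trap case).
    manager = build_usm_table([(AGENT_ENGINE_ID, "trapuser", PASSPHRASE, "sha1")])
    user_key = password_to_key(PASSPHRASE, "sha1")
    # Agent side: the key is localized to the agent's own engine ID.
    good = auth_tag(localize_key(user_key, AGENT_ENGINE_ID, "sha1"), TRAP_BYTES, "sha1")
    # Same user and passphrase on a device with a different engine ID.
    other = auth_tag(localize_key(user_key, OTHER_ENGINE_ID, "sha1"), TRAP_BYTES, "sha1")
    return {
        "matching": accept_trap(manager, AGENT_ENGINE_ID, "trapuser", TRAP_BYTES, good),
        "unknown_engine": accept_trap(manager, OTHER_ENGINE_ID, "trapuser", TRAP_BYTES, other),
        "wrong_key": accept_trap(manager, AGENT_ENGINE_ID, "trapuser", TRAP_BYTES, other),
        "unknown_user": accept_trap(manager, AGENT_ENGINE_ID, "nobody", TRAP_BYTES, good),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'processed' if accepted else 'dropped'}")
```

Because the key is localized per engine, a passphrase shared by several devices still yields a different key on each one, so a wrong Context Engine ID on the manager side makes every trap from that device fail verification.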

Configurations

The following sections detail how to:

Find the Engine Id

Depending on whether you configure devices to send trap or inform notifications, you need to first find the <Engine ID> of the SNMP agent. You can refer to the sample command below to find the engine ID on Junos devices.

Note

The CLI command to find the <Engine ID> varies from vendor to vendor.

To find the <Engine ID> of SNMP agents (devices) that are Junos-based platforms, enter the following command in CLI.

show snmp v3 engine-id

You will receive a HEX output as the device <Engine ID>.

Trap Configurations

You can configure a device to send trap notifications using SNMPv2c and SNMPv3.

The source IP address needs to be unique across all the devices, as it uniquely identifies the device. The source IP address can only be configured at the device level, while the community name can be configured at both the device and device-group levels.

Note

In Paragon Insights, the SNMPv2c and SNMPv3 ingest and trap configurations share the same workflow.

To configure SNMP trap notifications at the device level:

  1. Click the Configuration > Device option in the left navigation bar.
  2. Click the add device button (+).
  3. Enter the necessary values in the text boxes and select the appropriate options for the device.

    The following table describes the attributes in the Add a Device window:

    Table 2: Add Device(s) Page Details

    | Attributes | Description |
    |---|---|
    | Name | Name of the device. Default is hostname. (Required) |
    | Hostname / IP Address / Range | Hostname or IP address of a single device. If you are providing a range of IP addresses, enter the IP addresses of the devices that mark the start and end of the address range. (Required) |
    | SNMP | |
    | SNMP Port Number | Port number required for SNMP. The port number is set to the standard value of 161. |
    | SNMP Version | Select either v2c or v3 in the drop-down menu. |
    | SNMP Community | This field appears if you selected v2c in the SNMP Version field. Enter an SNMP Community string if you configure SNMPv2c for trap notifications. In SNMPv2c, the Community string is used to verify the authenticity of the trap message issued by the SNMP agent (devices such as routers, switches, servers, and so on). |
    | SNMPv3 Username | This field appears if you selected v3 in the SNMP Version field. Enter a username for trap notifications. |
    | Authentication None | This field appears if you selected v3 in the SNMP Version field. Enable this option if you want to set SNMPv3 authentication to None. |
    | Protocol None | This field appears if you selected v3 in the SNMP Version field. Enable this option if you want to set SNMPv3 protocol to None. |
    | SNMPv3 Authentication Protocol | This field appears if you selected v3 in the SNMP Version field and disabled Authentication None. Select an authentication protocol from the drop-down menu. SNMP authentication protocol hashes the SNMP username with the passphrase you enter. The hashed output is sent along with the trap notification message. Paragon Insights again hashes the username with the passphrase you entered for authentication. If the output matches, the trap notification is further processed. |
    | SNMPv3 Authentication Passphrase | This field appears if you selected v3 in the SNMP Version field and disabled Privacy None. Enter a passphrase for SNMPv3 authentication. |
    | SNMPv3 Privacy Protocol | Select a privacy protocol from the drop-down menu. The privacy algorithm encrypts the trap notification message with the protocol passphrase so that the message cannot be read by an unauthorized application in the network. |
    | SNMPv3 Privacy Passphrase | This field appears if you selected v3 in the SNMP Version field and disabled Privacy None. Enter a passphrase to encrypt the trap notification. |
    | Context Engine ID | This field appears if you selected v3 in the SNMP Version field. The Engine ID must be set to the engine-id of the SNMP agent. |
    | Source IP Address | Enter the source IP address of the device. This field is mandatory for SNMPv2c traps and optional for SNMPv3 traps and informs. If you use NAT or an SNMP Proxy, the virtual IP address you configure for the SNMP Proxy must be set as the source IP address. To set the virtual IP address for SNMP Proxy, go to Settings > Deployment in the left navigation bar. In the Loadbalancer page, enter the virtual IP address and click the Save and Deploy button. |

  4. Click Save to commit the configuration or click Save and Deploy to deploy the configuration in Paragon Insights.

To configure SNMP trap notifications at the device-group level:

  1. Click the Configuration > Device Group option in the left navigation bar.
  2. Click the add group button (+).
  3. Enter the necessary values in the text boxes and select the appropriate options for the device group.

    The following table describes the attributes in the Add a Device Group window:

    Table 3: Add Device Group Page Details

    | Attributes | Description |
    |---|---|
    | Name | Name of the device group. (Required) |
    | Description | Description for the device group. |
    | Devices | Add devices to the device group from the drop-down list. (Required) Starting in Paragon Insights Release 4.0.0, you can add more than 50 devices per device group. However, the actual scale of the number of devices you can add depends on the available system resources. For example, consider that you want to create a device group of 120 devices. In releases earlier than release 4.0.0, it is recommended that you create three device groups of 50, 50, and 20 devices respectively. With Paragon Insights Release 4.0.0, you just create one device group. |
    | SNMP | |
    | SNMP Port Number | Port number required for SNMP. The port number is set to the standard value of 161. |
    | SNMP Version | Select either v2c or v3 in the drop-down menu. If you select v2c, the SNMP Community name field appears. The string used in v2c authentication is set to public by default. It is recommended that users change the community string. If you select v3, you are given an option to set username, authentication and privacy methods, and authentication and privacy secrets. |
    | Notification Ports | Enter notification ports separated by commas. Paragon Insights listens on these notification ports for trap and inform notification messages from device groups. |
    | SNMP Community | This field appears if you selected v2c in the SNMP Version field. Enter an SNMP Community string if you configure SNMPv2c for traps and ingest. In SNMPv2c, the Community string is used to verify the authenticity of the trap notification messages issued by the SNMP agent. |
    | SNMPv3 Username | This field appears if you selected v3 in the SNMP Version field. Enter a username for trap notifications. The USM configuration configured under a device group is shared among the devices configured under the same device group. |
    | Authentication None | This field appears if you selected v3 in the SNMP Version field. Enable this option if you want to set SNMPv3 authentication to None. |
    | Privacy None | This field appears if you selected v3 in the SNMP Version field. Enable this option if you want to set SNMPv3 privacy protocol to None. |
    | SNMPv3 Authentication Protocol | This field appears if you selected v3 in the SNMP Version field and disabled Authentication None. Select an authentication protocol from the drop-down menu. SNMP authentication protocol hashes the SNMP username with the passphrase you enter. The hashed output is sent along with the trap notification message. Paragon Insights again hashes the username with the passphrase you entered for authentication. If the output matches, the trap notification is further processed. |
    | SNMPv3 Authentication Passphrase | This field appears if you selected v3 in the SNMP Version field and disabled Privacy None. Enter a passphrase for SNMPv3 authentication. |
    | SNMPv3 Privacy Protocol | Select a privacy protocol from the drop-down menu. The privacy algorithm encrypts the trap notification message with the protocol passphrase so that the message cannot be read by an unauthorized application in the network. |
    | SNMPv3 Privacy Passphrase | This field appears if you selected v3 in the SNMP Version field and disabled Privacy None. Enter a passphrase to encrypt the trap notification. |
    | Logging Configuration | |
    | SNMP Notification | Paragon Insights Release 4.0.0 supports collecting log data for SNMP notification. You can collect different severity levels of logs for the snmp-notification service in a device group. Use the following two fields to configure which log levels to collect. |
    | Global Log Level | From the drop-down list, select the level of the log messages that you want to collect for every running Paragon Insights service for the device group. The level is set to error by default. |
    | Log Level for specific services | Select the log level from the drop-down list for any specific service that you want to configure differently from the Global Log Level setting. The log level that you select for a specific service takes precedence over the Global Log Level setting. |
  4. Click Save to commit the configuration or click Save and Deploy to deploy the configuration in Paragon Insights. For information on how to use the device group cards, see Monitor Device and Network Health.

SNMPv3 Inform Configurations

To enable devices to send inform notifications, you must configure SNMPv3 USM user(s).

To create USM users in Paragon Insights:

  1. Go to Settings > Ingest. In the Ingest Settings page, click SNMP Notification on the menu.
  2. Click the Usm Users tab.
  3. Click the + icon to add a USM user.
  4. In the Add USM User page, enter the username, select authentication and privacy protocols, and enter passphrases.

    If you enabled Authentication None and Privacy None, the protocol menu and passphrase fields do not appear.

  5. Click Save to only save the configuration, or click Save and Deploy to deploy the configuration in Insights.

After adding USM users, you can configure the following details in the Add Device(s) page in Device Configuration or Add Device Group page in Device Group Configuration.

Table 4: SNMP Configuration for Informs

| Attributes | Description |
|---|---|
| SNMP | |
| SNMP Port Number | Port number required for SNMP. The port number is set to the standard value of 161. |
| SNMP Version | Select v3 in the drop-down menu. |
| Notification Ports (Device Groups only) | Enter notification ports separated by commas. Paragon Insights listens on these notification ports for trap and inform notification messages from device groups. |
| Context Engine ID (Devices only) | This field appears if you selected v3 in the SNMP Version field. The Engine ID must be set to the engine-id of the SNMP agent. |
| Source IP Address (Devices only) | This field appears if you selected v3 in the SNMP Version field. Enter the source IP address of the device. If you use NAT or an SNMP Proxy, the virtual IP address you configure for the SNMP Proxy must be set as the source IP address. To set the virtual IP address for SNMP Proxy, go to Settings > Deployment in the left navigation bar. In the Loadbalancer page, enter the virtual IP address and click the Save and Deploy button. |

Port Configuration

By default, Paragon Insights listens for traps and informs on the standard SNMP trap port 162. If needed, you can change this either at the global level, which applies to all device groups, or at the device group level, which applies to a specific device group.

A port configured under ingest applies to all device groups. Trap and inform messages received through any other port are discarded.

To configure port number at the ingest level:

  1. Go to Settings > Ingest in the left navigation bar.
  2. Select SNMP Notification in the Ingest Settings page.
  3. In the Port tab, enter the port number.
  4. Click Save to only save the configuration, or click Save and Deploy to deploy the configuration in Insights.

A port configured under a device group applies only to that specific device group. Traps and informs received through any other port are discarded. To configure port numbers at the device group level, see Table 3.

Rule Configuration

Once the device is configured to send trap or inform notifications, you must configure a rule on the device with SNMP trap so that Paragon Insights can process traps from the device. In device groups, you can apply a playbook instance that has the snmp-notification rule. When you configure SNMP notification in any rule, you must select the MIB name you want to monitor. Go to Juniper MIBS Explorer to browse MIB files for Junos devices and Cisco MIBS Locator to browse MIB files for Cisco devices.

The following example shows how you can configure a rule with SNMP notification to send alerts if an interface comes up for the chassis.interfaces/ topic.

Note

It is assumed that you have configured the device or device group for SNMP trap notification. See Paragon Insights Pull-Model Ingest Methods to configure SNMP trap notifications in devices or device groups.

To configure a rule under topic system.trap/:

  1. Go to Configuration > Rules.
  2. Click the Add Rules button in the Rules page.

    Enter the rule name in the topic/rule-name format in the Rule field and description in the Description field. For example, chassis.interfaces/linkup.

  3. Click Add Sensor button in Sensors tab.
  4. Enter a name in the Sensor Name field and select SNMP Notification from the drop-down menu in Sensor Type.
  5. Enter notification name in MIB-Name::Notification Name format.

    For example, IF-MIB::linkDown.

  6. Click Add Field button in the Fields tab.

    The fields for SNMP Notification rule can be derived as described:

    • Variables (varbinds) for the given trap name.

      The variables of the trap name can be defined as fields. The following steps use the example IfAdminStatus as varbind and IF-MIB::linkDown as the snmp-notification.

      1. Enter IfAdminStatus in the Field Name.

      2. Select Integer as Field Type.

        The Field Type you enter in the GUI must be the same as the type defined in the MIB file.

      3. Select Sensor as Ingest Type (field source).

        The Ingest Type (field source) must be set to sensor.

      4. Select the sensor name from the drop-down menu under Sensor.

        The sensor name is the name you entered for the snmp-notification sensor.

      5. Enter IfAdminStatus as sensor path.

        The Path must be set to the variable (varbind) name defined in the MIB file.

      To add a second field for IfOperStatus as variable (varbind) for a given snmp-notification, follow the steps described here but change the field name and sensor path to IfOperStatus.

  7. Click Save to commit the rule or Save & Deploy to deploy the rule in Paragon Insights.

    You can see the new topic name and rule in the list of existing rules.

    You can also configure triggers or functions based on the fields you add. See how to create a new rule in GUI as explained in Paragon Insights Rules and Playbooks.

You must include this rule in a playbook and apply the playbook instance on a device or device group.

To check the new SNMP notifications sent by device groups, log in to the Paragon Insights server as a root user and type the following command.

healthbot cli --device-group healthbot -s influxdb

You can track new entries sent by SNMP trap notifications to the Paragon Insights server for the fields (for example, IfAdminStatus) you configured.

Release History Table
Release
Description
Paragon Insights Release 4.0.0 supports SNMPv3 alongside the current SNMPv2c as an ingest method.
Starting in Paragon Insights 4.0.0, you can add more than 50 devices per device group.
Paragon Insights Release 4.0.0 supports log collection for SNMP notification.
Paragon Insights Release 4.0.0 supports inform and trap notifications that are sent by devices in the network for fault management.
Starting in Paragon Insights Release 4.0.0, you can add more than 50 devices per device group.
Paragon Insights Release 4.0.0 supports collecting log data for SNMP notification.
Starting with Release 3.2.0, HealthBot can use iAgent connections that are device-initiated using outbound-ssh.
Starting with Release 3.2.0, Paragon Insights can use UDFs to process streamed data from VMware’s vCenter and ESXi server products.
Starting in HealthBot Release 3.1.0, iAgent functionality is extended to third party devices.
Since release 2.0.0, Paragon Insights has supported user-defined functions (UDFs) within fields.