Table of Contents
NetYCE 7.2.0 Build_20210330
Release notes
Date: 2021-03-30
Enhancement
Node groups
Node groups are used to dynamically select the desired nodes for a task using given criteria. These criteria are implemented using Rules consisting of Conditions. The conditions accept lists of strings (with or without wildcards) to match the different values. And as long as these lists consists of single words, the whitespace separator being used causes no problems.
However, when trying to use a condition match string that included spaces proved to be impossible. To resolve the issue, conditions now accepts lists of strings where the values may be enclosed in quotes. By using quotes around values using spaces the lists can be properly separated.
Compliance REST signal
Changed CMPL REST-api signal config to use <variables> in (custom) attributes. Instead of sending a fixed-format Rest/Json post, the message payload can now be custom formatted using a number of '<variables>' which are substituted in the defined signal template.
HP C7 file transfer
When transferring a (configuration) file from a HP Comware7 device, the use of the 'management vpn' is mandatory. As one customer found out, adding the management vpn to their extensively modelled nodes was time consuming.
To relieve this problem, we created an option to add the missing vpn to transfer command based on a Tweak specific to a node-type or class.
Aruba MM vendor module
The new vendor module 'Aruba MM' was added to support the Aruba Mobility Master Controller family of devices.
Change
IPsec GRE api
In version 7.2 the form supporting IPsec GRE tunnels was dropped from the product as it was designed to support a specific customer design that was phased out.
In its stead two XCH API calls were created to provide continued support of this design during its migration phase.
Compliance traps
The optional SNMP Traps that can be issued on a changing Compliance status are now 'spoofed' by default. Here the 'spoofing' refers to the 'faking' of the source ip-address of the Trap message by replacing the server address with the node address.
The SNMP Trap will use the node ip-address instead of the NetYCE server as the source if the node-fqdn can be resolved using the DNS in an ipv4 address. Otherwise the NetYCE server will be used as the source address.
If this functionality is not desired, it can be disabled using the signal_cmpl.conf setup file.
Fix
Compliance fixes
A fair number of relatively minor fixes and improvements were incorporated in the NCCM and Compliance modules:
- Front-end fix for error on condition include change
- Nccm daemon fix for misaligned condition types
- Fixes in compliance reporting entries
- Fixed compliance report filenames and detail levels
- Front-end fix for report templates with both a policy id and a group name
- Front-end fox in report vendor type search
- You can now search for a numerical status in the cmpl api
- Modified the report details for multiconfig compliance
- Bug fix in compliance reporting XCH api call
- Fixed the hyperlink in the compliance signal report details
- Cleaned up the report details for configuration rules
- Added report details to report view for policy reports
- Added optional runtime statistics to the nccmd daemon for tuning purposes: Change Nccm_lookup variable Nccm_stats' Num_value 0 → 1
- Compliance report on 'ordered' blocks
- Added a timestamp column to the cmpl condition edit form
- Condition evaluation time streamlined giving better performance
- Enhancements to the 'new logic' form
- Compliance policy test timeout catch
- Nccm daemon optimizations to reduce memory load
- Condition exclude match now logs the exact line that has matched
- All excluded lines are now reported with a threshold of 20
Cisco IOS vendor
Some Cisco IOS devices are using a different on-screen layout to display their version output. The fix now detects and extracts the firmware version from either layout.
Huawei CE/S vendors
Some device types use a different on-screen confirmation prompt than others which caused time-outs on some transactions. Now either format is detected.
On devices using a different hostname than used in the NetYCE node, the configuration backup file was using an incorrect filename.
Cookie failure
Browsers keep improving their security levels enforcing older and newer guidelines. One of them, 'SameSite cookies' was causing some issues. This is now corrected.
Ldap/AD password failure
After an AD or Ldap password change some users could no longer login to NetYCE. The reason proved to be the inclusion of a backslash (\) character in the new password. These backslashes are commonly incorporated password generated by a tool.
As these backslashes require a 'protect' not to be discarded on encryption, the corresponding 'unprotect' before submitting to AD/Ldap was neglected, causing the password to be rejected. This is now corrected.
Aruba MC vendor
Aruba MC view config failed to show any configuration lines. Resolved the issue by adding the missing web formatter to the module
Vendor session timeout
When interacting with some devices that use a sub-prompt the session would not properly timeout if this prompt was not 'expected'. The session would end up in a loop basically indefinitely.
The handling of timeouts was extended to include these situations. Now, when an unexpected (sub-)prompt is presented, an <enter> is given after 10 seconds as before, but not forever. If the same prompt is encountered six times in a row (1 minute), the session is aborted.
'XXXXX' error flag fix
The string 'XXXXX' is used in templates and scenarios to flag an error when a variable substitution fails. This flag was chosen over 'error' or 'failed' because of its uniqueness.
But as it turns out, not unique enough. Customers that created templates which included the 'XXXXX' string found that the template was rejected or was reported to have an error. To resolve this issue, the handling of this flag was altered to make this distinction in context. Using the XXXXX string in templates is now supported without raising errors, but the flag will still be highlighted in red when using the various tools.
Site-type name fix
It was found that the front-end accepted Site_types with a slash (/) in its name. When using web-technologies, these slashes have special meaning and need to be protecting (escaping) to prevent them from getting lost when communicating with the server. This was properly incorporated as expected, but not once but twice. In the message routing these slashes resulted in the server receiving a name it should not find in the database preventing returning the correct data.
This problem was resolved for the site-types to support existing customer configurations. Other instances where slashes are currently accepted will be modified to deny them.
Huawei_S Hardware-model
During job execution the Hardware-model of the device is read using a version command. On some Huawei models this led to inaccurate model names.
The issue was resolved resulting in improved accuracy of hardware model determination.