I don't like Windows servers, but SolarWinds NCM makes it worth running
May 15, 2019
I don't like Windows servers, but SolarWinds NCM makes it worth running
Score 8 out of 10
Vetted Review
Verified User
Overall Satisfaction with SolarWinds Network Configuration Manager
We mostly use NCM as version control for our network device configurations. It also integrates into Network Performance Monitor and can display complete ACLs from Cisco devices and VPC information from our Nexus devices. This has been very useful for us, as we don't have to log into the device in order to get an overview of what is happening on it. I've used it many times to review old configs, or even to plan changes. It's much easier to search through the full config in a browser than on the CLI. There are a few of features in NCM that we don't currently use, such as config baselines or pushing configs to devices, but that's mostly because we haven't taken the time to delve into those features.
- Full configuration version control. Depending on how often you set it to check for config changes, you can see every change made, and review old configs very easily. You can run diffs against any two versions of config very easily in their interface. Searching through a full config with Ctrl+f in a browser is so much better than searching through a running-config with the CLI.
- Firmware vulnerability alerting. NCM integrates with NIST vulnerability tracking and can give you a full list in your device config summary page of which vulnerabilities are applicable to a given device. There's an out of the box alert for firmware vulnerabilities discovered for your systems, so you'll know right away when new ones are discovered for your devices. It does require manual verification and remediation, though. When you first set it up, you're going to have a lot of CVEs to manually go through, but once you've done that, it's great. It's especially useful for any kind of audits that require remediation within a certain window of discovery. The manual remediation steps will give you a very clear audit trail to provide as evidence for compliance.
- Compliance reporting in NCM is very impressive. Out of the box, NCM comes with a number of best-practice reports to run against your configurations. There are reports for multiple vendors, and certifications (such as PCI). You will see how each of your device configurations fare against the recommended best practices. For each non-compliant device, you have the option to run a pre-configured remediation script to bring the device into compliance. One of the best features is that you can create your own reports to verify that your devices meet your own companies configuration policies. You can export these reports and provide them as evidence of compliance to auditors.
- Running exclusively on Windows servers is a PITA. This is an Orion platform complaint and not NCM-specific. If you're a Windows shop this won't be a big deal for you, but we're a Linux shop. The only Windows servers we run are AD servers and these two SolarWinds servers (one web server and one database server). We don't have any MSSQL DBAs, so I'm pretty much on my own if anything goes wrong. Every single one of our production tools requires some extra configuration to work on these Windows servers. The entire Orion platform stopped support on Server 2012 this year and even though the new version of NPM had some features I really wanted, I still procrastinated upgrading for 6 months because I dreaded migrating everything to new servers (Full disclosure: it actually wasn't that difficult to migrate and everything worked great). Again, if you have Windows Server sysadmins and DBAs on staff, this won't be as big an issue for you.
- No native Git support. This is a minor quibble, but we use Git for version control of our server configurations, and it would be incredibly useful for us to be able to store our network configs in Git as well. We have multiple tools that work with our Git repository that would require considerable customization to work with the SolarWinds API. I do love that SolarWinds provides a REST API, but our tools just don't work with it. We could write scripts to grab the configs from SolarWinds and then commit them to our repo, but it would be very nice if that were a built-in feature.
- Features for non-Cisco devices are lacking. The basic features of NCM work on non-Cisco devices just fine. We have a few old Quanta switches in a low-priority environment that no other configuration management system can pull configs from, so pulling configs with NCM is perfect. The issue is that there were new features for Cisco ASA and Nexus switches introduced that still aren't available for other vendors. We've been moving to Palo Altos from ASAs (bye bye Java!) and don't use NCM for them at all because the features just aren't there yet.
- NCM saves me a lot of time logging into network devices and manually searching through configuration files. It's much easier for me to find exactly what I'm looking for and to see the overall context of configurations. I'm able to diff config versions in the same window. It's so much faster for me to parse configs in NCM than in the CLI.
- I'm able to correlate network changes with issues in real-time. We saw a dramatic increase in response time one morning, and I had just received an email from NCM about a config change on our load balancer. That change turned out to be the issue and that email saved us at least 30 minutes of troubleshooting.
- We have to manually configure tools to work with Windows and SolarWinds. We're not a Windows shop, so we have to do extra customization on our production tools to get them to work with Windows and SolarWinds.
Rancid and Oxidized are the two other configuration management systems we've used. Both were open source and ran on Linux. They were useful, but they took a lot of extra work to configure and maintain. When Rancid stopped being supported we had to find a new product. We were looking to get Network Performance Monitor and Network Traffic Analyzer, so adding NCM with those was an easy choice. We still use Oxizided for a few things because of other tools we have, and we exclusively use Panorama for our Palo Altos. We use NPM and NTA with the Palos, but Panorama is just so much better at config management for PANOS systems.