TrueSight Network Automation (TSNA) is a web-based application that automates the configuration management, compliance management and vulnerability management of network assets. It is highly customizable to meet the needs of network admins. Though it is shipped with the default configuration, there are ways of changing the configuration to use it optimally and efficiently. Below are a few practices which you can apply to TrueSight Network Automation.
Enable Security Settings: Today security is more important than ever. It is very important that you configure the tool to meet the security standards followed by your organization. TrueSight Network Automation is capable of guarding against XSS attacks, CSRF attacks and brute-force attacks. Also, it is strongly recommended that your database configuration is secured. In addition, check the security algorithms that TSNA uses for communication.
Configure RBAC: TrueSight Network Automation can manage fine-grained access control. For example, some users need UI access but not API access, and vice versa. Make sure that you share API access only with users that require it. Also, assign devices owned by different networking teams to different realms and create separate roles for those realms. For example, a user may need full access to the devices located in Austin but read-only access to the devices located in Sydney. Such devices should be part of two different realms in TSNA.
Purge data: It is very important to purge older data for performance optimization. Administrators can configure the system to purge events, jobs, policies, and historical configurations according to their requirements. To set the purge criteria for events, jobs, and policies, see the Purge Settings in the Managing system parameters page. To set the purge criteria for historical configurations, see Adding or editing a realm.
Enable policies: There are many out-of-the-box (OOB) policies available, such as for configuration backup and sending notifications when compliance violations occur. Also, you can create your own policies to be triggered based on certain events. For example, any time a new interface is added, the checks you would otherwise execute manually can be automated using policies. This can save a lot of manual effort on repetitive activities. You can also create predefined jobs for sets of actions which you always execute together.
Enable auto groups: Though it may seem trivial, enabling auto groups can really help in grouping devices the way you would execute actions on those devices. You can also create auto groups based on dynamic field values. This will help in keeping the grouping of devices in the proper order.
Use external scripts: If you have Perl, Python or any other scripts which you use to execute commands, use external scripts in TSNA to call these scripts. Do not run these scripts outside of the tool. Running them through TSNA helps ensure that only assigned users can execute the scripts and keeps track of which users executed them. If anything goes wrong, it shows what happened and why.
The above are some key basic practices. Once you have become familiar with them, you can start exploring the following:
- Historical reporting using TSNA-DW and Smart Reporting
- Multi-Server Administration for keeping the content in sync between different TSNA servers such as QA, Preproduction and Production environments
- Vulnerability management for network devices
- Exporting events to any event management system, for example if you would like to collect all events on a specific system
- Managing devices in multiple networks using a single agent
To summarize, there are multiple configurations available which can optimize the security and performance of TSNA. To learn more, check the detailed documentation.
If you are following any other practices, please mention them in the comments section to share with other network admins.