configuration search within Network Devices

I have a requirement to look for an IP anywhere in the configurations files that pertain to devices with a specific name. I tried to use the built in NQE under Forward Library>Device>Config Search, but when I enter the IP in the bottom box of the Parameters section, “Config_Pattern”, the results come back blank. Yet when I look at the device config, the IP I copied and pasted appears in the actual configuration.

Also, the built in NQE seems picky...as in it wont pick of tacacs+ or acl, will pickup tacacs...and case sensitive as well apparently.

For now, im looking for help with the IP search, I just wanted to not other issues with it.

Page 1 / 1

gbaron,

I think if you tailor your search towards where you are looking for the IP. It would most likely work. For example, if I set the Config_Pattern parameter as follows:

interface
 ip address

we would then get the config lines defined for ip address. If you would input your IP address in there, if there was a match it would be selected. We could do the similar for what you are trying to do I would think.

I already showed them pattern searching, which they like. But they, security, are also looking for a blanket search of the config, regardless of there the match may be.

Security is on to something there! That is a good idea! Would something like this be something that they are looking for?

With this, You can define the IPs in the list. If the list is large we can look to change this to look to input from a csv or json, but here this is now looking for any time that the IP may show up in the CONFIG.

/**
 * @intent Detect forbidden IPs in device configurations
 * @description This query checks for forbidden IPs in device configs.
 */

forbidden =  "*192.168.1.1*", "*192.168.1.2*", "*192.168.1.3*", "*192.168.1.4*"];

foreach device in network.devices
foreach command in device.outputs.commands
where command.commandType == CommandType.CONFIG
let lines = parseConfigBlocks(OS.UNKNOWN, command.response)
foreach line in lines
foreach ip in forbidden
where matches(line.text, ip)  // Check if the line contains any forbidden IP
let output = line.text

select {
  device: device.name,
  output: output
}

Much appreciate the NQE to try out. Let me get it transferred over and present it to them tomorrow and I shall let you know. Thanks much!

Hi @gbaron ,

For your use case, it is better to get the raw config text search anywhere within that using a regular expression. The raw config file is found in the device.outputs.commands objects, with commandType equal to CommandType.CONFIG.

Here is an example that shows all distinct IPs found anywhere in any device config file. You could adapt it further by filtering the devices (e.g. by name, os, tag, location, etc.) or IPs, or adding more attributes.

// Define a regex to capture IP addresses
ipRe = re`(?<ip:IpAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})`;

foreach device in network.devices
foreach command in device.outputs.commands
where command.commandType == CommandType.CONFIG
foreach match in regexMatches(command.response, ipRe)
select distinct { Device: device.name, IP: match.data.ip }

Here is another variation on the above, that has one row per device, showing all IPs for the device in the device’s row:

// Define a regex to capture IP addresses
ipRe = re`(?<ip:IpAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})`;

foreach device in network.devices
let ips = (foreach command in device.outputs.commands
           where command.commandType == CommandType.CONFIG
           foreach match in regexMatches(command.response, ipRe)
           select distinct match.data.ip)
select { Device: device.name, IPs: ips }

In both cases, you can filter by device name and IP in the column filters.

In case it helps, here is an article highlighting some useful regex capabilities in NQE: