ManageEngine DeviceExpert Review: Network Configuration, Change, and Compliance Management


Once you have a good network monitoring system in place, what’s next? Many organizations have a gap around configuration, compliance, and inventory management.

They know which routers and switches are up or down, but don’t necessarily know useful information like which admins made recent changes (and why!), which devices are mis-configured or running old code, and which devices are no longer supported by vendors.

ManageEngine’s DeviceExpert has lots of features designed to make it faster, easier, and more accurate for admins to manage network device configuration:

  • Automation: simplify routine tasks with scripts to help automate firmware updates and security updates.
  • Monitor devices for configuration changes, and quickly roll back to known good configs.
  • Audit changes: know who made a change and when, and quickly compare different config versions.
  • Automate inventory tracking for serial numbers, IP addresses, and more.
  • End-of-Life management helps admins proactively plan refresh on aging hardware before losing vendor support.
  • Compliance management: define and enforce standards, check devices for compliance.

How well do those features stack up? Read on to find out…

Automate Routine Network Maintenance

One of the most common tasks for administrators is to perform routine firmware and software updates. But updating routers and switches can be a mind-numbingly time-consuming task, even if your network is small.

DeviceExpert’s solution is to automate those routine jobs by scripting them. Once a script template is created, the tool will run those scripts on any device or group of devices that administrators choose.

This feature has huge potential. For example, admins could automate tasks like SNMP configuration, VLAN Configuration, Access Control List changes, or even interface configuration – and much more.

Let’s look at one example – a password change. The screen below shows the template script for a password change, and the new password is simply entered as a variable: %password%.

Starting the script launches a screen that will prompt for any variables to be filled in – so in this case we’re prompted to enter a value for “%password%”. Once that’s done, use the box at the bottom of the screen to choose which devices to run the script against – then click “Execute” and watch the magic happen.
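The prompt-and-substitute step described above, sketched as an added example (this is not ManageEngine's code). The Cisco IOS-style template, the function names and the sample password are assumptions; the sketch also rejects values that would break out of the intended command line and masks the secret before anything is logged.

```python
import re

# Placeholder syntax from the review: %name%
PLACEHOLDER = re.compile(r"%([A-Za-z_]\w*)%")

# Constructed Cisco IOS-style template (an assumption, not the product's).
TEMPLATE = """\
configure terminal
enable secret %password%
end
"""

def variables(template):
    """Variable names to prompt for, in order of first appearance."""
    names = []
    for name in PLACEHOLDER.findall(template):
        if name not in names:
            names.append(name)
    return names

def render(template, values):
    """Fill in the template and return the command lines to send."""
    missing = [n for n in variables(template) if n not in values]
    if missing:
        raise ValueError(f"no value supplied for: {missing}")
    for name, value in values.items():
        # A line break or control character in a value would end the
        # intended command early and start another one on the device.
        if not value or not value.isprintable():
            raise ValueError(f"unsafe value for %{name}%")
    # A function replacement keeps backslashes in the value literal and
    # is single-pass, so a value containing %x% is not expanded again.
    filled = PLACEHOLDER.sub(lambda m: values[m.group(1)], template)
    return filled.splitlines()

def redact(commands, values):
    """Copy of the commands with variable values masked, for logging."""
    masked = []
    for line in commands:
        for value in values.values():
            line = line.replace(value, "<redacted>")
        masked.append(line)
    return masked

if __name__ == "__main__":
    secrets = {"password": "N3w-Ex@mple-Pw"}  # constructed value
    print("\n".join(redact(render(TEMPLATE, secrets), secrets)))
```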

Like any script, it could take some trial-and-error to build something that works as expected most of the time. It would be great to see ManageEngine provide more sample templates for common hardware, or even an integrated forum for users to exchange their own templates.

Configuration, Change Management and Auditing

Change management is a major strength of DeviceExpert – but, and it’s a big but, it revolves around using DeviceExpert to “push” configuration changes to network devices, rather than logging on directly to make changes.

This requires a discipline change that some admins may have trouble with – requiring them to edit entire config files in the GUI and then load them to the router, rather than logging on to the console and entering commands the traditional way. Love it or hate it though, there are huge benefits to a system like this.

First, it automates part of the change management approval process with role-based controls. Users can be granted rights to create new config files, but not be allowed to push configuration changes without administrator approval. This would probably be most useful in situations where junior staff work closely with seasoned admins.

Second, it provides an audit trail that tracks which users have uploaded configurations, so the right people can be involved in fixing problems.

Third, it simplifies configuration management and could save hours of troubleshooting. Picture a scenario where an admin makes a series of changes to a router on a weekend. The admin runs through their test plan and all looks fine. But on Monday morning, the helpdesk is deluged with phone calls related to a problem caused by the change.

DeviceExpert makes configuration rollback simple – the changes are all recorded, and on Monday any administrator can simply roll back to the original baseline configuration.

And finally, it provides alerts when device configurations are changed, even if changes are made directly on the device. It can notify administrators by email, SMS, SNMP, and other means whenever a configuration is modified. This eliminates the problem of mystery changes that haven’t gone through the change management process and aren’t discovered right away, potentially reducing downtime.

Policy Compliance Management

This is one of the more interesting features of DeviceExpert, because it helps to standardize the network, and identify devices that don’t conform to your standards.

The software monitors your network devices, and compares configurations from every device against a set of policies determined by you. Any device that doesn’t match is flagged so that admins can take action.

Have a look at the example in the screenshot below – the “CiscoIOSPolicy” specifies that all devices should have NAT enabled. The device in question doesn’t, so this is flagged as a “Critical” policy violation. Admins can specify the severity of every policy violation, so that lower-priority violations appear only as “Warnings,” while important security risks might be “Critical.” Multiple policies can be specified for devices, or groups of devices.
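How a policy check of this kind works, as an added example (not DeviceExpert's implementation). The rule list, the device names and both configurations are constructed; only the NAT rule and the “Critical”/“Warning” severities come from the review.

```python
import re

# Hypothetical policy in the spirit of the review's "CiscoIOSPolicy":
# each rule is (name, regex, line must be present?, severity).
CISCO_IOS_POLICY = [
    ("NAT enabled", r"^\s*ip nat (inside|outside)\b", True, "Critical"),
    ("Password encryption on", r"^service password-encryption\s*$", True, "Warning"),
    ("No Telnet on vty lines", r"^\s*transport input .*\btelnet\b", False, "Critical"),
]

# Constructed sample configs, not taken from a real device.
CONFIGS = {
    "edge-rtr-1": """\
service password-encryption
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
line vty 0 4
 transport input ssh
""",
    "branch-rtr-7": """\
no service password-encryption
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 transport input telnet ssh
""",
}

SEVERITY_ORDER = {"Critical": 0, "Warning": 1}

def check_device(config, policy):
    """Return [(severity, rule name)] for every rule the config violates."""
    violations = []
    for name, pattern, must_be_present, severity in policy:
        # Anchored per line, so "no service password-encryption" does
        # not satisfy a rule that requires the positive statement.
        found = re.search(pattern, config, re.MULTILINE) is not None
        if found != must_be_present:
            violations.append((severity, name))
    return sorted(violations, key=lambda v: SEVERITY_ORDER[v[0]])

def audit(configs, policy):
    """Map each device name to its violations (empty list = compliant)."""
    return {dev: check_device(cfg, policy) for dev, cfg in configs.items()}

if __name__ == "__main__":
    for device, violations in audit(CONFIGS, CISCO_IOS_POLICY).items():
        print(device, violations or "COMPLIANT")
```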

Device End-Of-Life Management

An unfortunate reality: most networks have some old and outdated equipment still in production. Often, admins don’t find out that an old device is no longer supported until a problem pops up – and by then a problem could be critical.

DeviceExpert has a helpful new function called End-of-Life (EOL) management that is designed to help proactively manage older equipment. The software is continually updated with EOL data from various sources – manufacturer’s websites, service bulletins, and other information.

Next, that data is fed into a report that scans your network, identifying any devices near End-of-Life. The upshot is that admins can proactively remove unsupported devices from the network, rather than discovering them by surprise. This is a fairly new feature in the industry, so it will be interesting to see how it proves itself over the long term.

[Note: ManageEngine pointed out that they have a strong track record of releasing new and innovative features, and are very confident in the ability of the EOL feature to identify and manage end-of-life hardware.]

Network Reporting

DeviceExpert has a very comprehensive reporting engine. Everything from hardware inventory, to configuration change reports, and security auditing can be reported on.

Have a look at the screen clip of a configuration analysis report below. The screenshot shows only one small section of a large report that details nearly everything there is to know about a router.

Command Execution Tools

Want to save some time running basic show commands?

DeviceExpert provides an interface that can execute show commands like “Show Interfaces” or “Show Log.” The software executes the command on the target device, and then displays the results in the GUI.

It’s a great feature and a real time-saver if you’re just after information, and don’t need full access to the console.

Summary and Pricing

DeviceExpert is a very cool tool that most organizations should have, but probably don’t. It makes it easy to know exactly which devices are deployed, where they are, how old they are, and when they were last changed. It provides configuration backups and snapshots that make it easy to roll back a bad change, and it provides a structure to automate many routine tasks, saving time and money. If you already have their OpManager network management system (recently reviewed here), DeviceExpert can be integrated as a plug-in.

On the other hand, some administrators may not like the idea of editing and pushing config files in a GUI, rather than logging on to routers. ManageEngine also doesn’t have the same sort of user-exchange community as some of their competitors, so you’re mostly on your own when it comes to creating templates and scripts. Fortunately, the interface is simple and easy to use, so most admins will have no trouble creating their own scripts.

Pricing starts at $795 (USD) to manage 10 devices. Like they do with most of their products, ManageEngine offers a free 30-day trial download so you can try it out on your network. But be warned: you probably won’t want to give up this tool once you see it in action.

 

Product: ManageEngine DeviceExpert  ♦   Review Date: May 2, 2012

Rating: 4 ★★★★☆

Pros:

  • Automate routine tasks.
  • Support for hardware from over 50 vendors.
  • Easy configuration roll-back.
  • Role-based security access.

Cons:

  • Requires editing config files in GUI, push to network devices.
  • Small number of built-in automation scripts.
  • EOL feature is new, yet to be proven with time.