Can SNTC look at the configs of devices in an inventory upload to better determine if PSIRT alerts apply to the devices? Based on what I've found it appears that device model and image name are the primary means by which a PSIRT comparison is made. I can see it taking up a lot of time with thousands of devices to compare workarounds and config options to.
For example, "Cisco IOS and IOS XE Software EnergyWise Denial of Service Vulnerabilities" (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170419-energywise) require energywise to be configured. My SNTC PSIRT report shows 987 affected devices, but energywise is not enabled on the majority of these.
This is very interesting, I was not aware that the PSIRT checks against the inventory had the ability to be 'context aware' in respect of enabled features/protocols etc.
Is there any supporting documentation that describes this?
Presumably there are some constraints as some alerts can be quite niche in their cases for being applicable to any specific device, thinking of compound logic here i.e. if, and - within range, or type conditions?
I don't own any of the external documentation, so I'll let someone else chime in there. There are always caveats with automation because of niche cases, as you mentioned. If you have some more specifics, I'd be happy to answer them. It is pretty straightforward in that we'll write a regex rule for parsing against the running config to look for those configuration lines that indicate you have the feature enabled. In addition, of course, the software version is matched. For IOS, the imagename is matched as well. Optionally, hardware information, such as Product Family and PID can be matched, if needed. For IOS XR, SMU checks are also done. The automation does not currently look at additional show commands beyond the running config.
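The matching order described in the reply above (software version, image name, optional PID, then a regex over the running config), as an added example that is not part of the thread and is not Cisco's SNTC code. The rule contents, version strings, device data and result labels are constructed for illustration, and treating a global `energywise domain` line as the "feature enabled" indicator is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    advisory: str
    versions: frozenset            # affected software versions
    image_re: str                  # matched against the image name
    config_re: str                 # running-config lines meaning "feature enabled"
    pids: frozenset = frozenset()  # optional hardware match; empty means any PID

@dataclass
class Device:
    name: str
    pid: str
    version: str
    image: str
    running_config: Optional[str]  # None when configs are not uploaded

def assess(rule, dev):
    """Return 'not_affected', 'potentially_affected' or 'affected' (hypothetical labels)."""
    if dev.version not in rule.versions or not re.search(rule.image_re, dev.image):
        return "not_affected"
    if rule.pids and dev.pid not in rule.pids:
        return "not_affected"
    if dev.running_config is None:
        # Without a config the match stops at HW/SW, so it cannot be narrowed.
        return "potentially_affected"
    # Anchoring at line start skips mentions inside indented lines (descriptions).
    if re.search(rule.config_re, dev.running_config, re.MULTILINE):
        return "affected"
    return "not_affected"

# Constructed rule: version and patterns are NOT taken from the advisory text.
RULE = Rule("cisco-sa-20170419-energywise", frozenset({"15.2(2)E3"}),
            r"universalk9", r"^energywise domain \S+")

# Constructed sample configs and inventory.
CFG_ON = "hostname sw1\nenergywise domain LAB security shared-secret 0 EXAMPLE\n"
CFG_OFF = "hostname sw2\ninterface Gi1/0/1\n description energywise domain uplink\n"

def make(name, version, config):
    return Device(name, "WS-C2960X-48TS-L", version, "c2960x-universalk9-mz", config)

FLEET = [make("sw1", "15.2(2)E3", CFG_ON), make("sw2", "15.2(2)E3", CFG_OFF),
         make("sw3", "15.2(2)E3", None), make("sw4", "15.2(6)E", CFG_ON)]

def report(rule, fleet):
    return {d.name: assess(rule, d) for d in fleet}

if __name__ == "__main__":
    print(report(RULE, FLEET))
```

Device `sw3` shows the case raised in the thread: with no uploaded config, the result can only rest on the hardware and software match.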
Thanks for the clarification.
At present we aren't uploading configs, partially due to security restrictions but also because we didn't think there was sufficient value in doing so.
So, as of now we are getting the Alert/Device match on just HW type and SW version, but when my next 6 collectors come online there will be over 60K chassis to report on, hence my interest in the alert matching being context aware.
Just to check... this is included within the standard SNTC offering, and not part of the Threat Awareness or other bolt-on service, correct?