8.8.00 enhancements

 BMC Network Automation 8.8.00 provides the following enhancements:

Tip

For information about issues corrected in this release, see Known and corrected issues.

Standalone BMC Network Automation updates

The following table describes the standalone BMC Network Automation system updates included in this release:

Update
Description
Network Security Operations (SecOps) enhancements
Compliance rule enhancements

While creating a compliance rule, now you can add the activation date and deactivation date for the rule, as follows:

  • Activation Date (Optional): Specify the date on which the system should begin to monitor devices for violations of this rule.
  • Deactivation Date (Optional): Specify the date on which the system should clear violations to this rule and stop monitoring devices for violations of this rule.

These dates help you run automatic compliance checks on devices. You can specify the time at which the system should automatically find violations in newly activated compliance rules and clear violations in newly deactivated compliance rules in the Perform Daily Rule Activation/Deactivation At system parameter.

For more information about these fields, see Adding or editing a rule.

For a sample rule grammar that utilizes these fields to generate compliance violations when a device reaches End of Life (EOL), see Device End of Life.

Rule enhancements
Inclusion of spans when exporting and importing rules

The rule XMLs generated through the rule export task now contain the excluded network spans and groups for the rules. After importing the rules by using these exported XMLs, you do not need to reassign the excluded network spans and groups.

In addition, the behavior of rule import and rule export tasks has changed.

Importing and exporting rules and rule sets from CLI (import and export utility)

With this version, you can import and export rules and rule sets by using the import and export utility.
Security enhancements
Support to handle brute force attacks

With version 8.8.00, if a user provides an incorrect password while logging in to BMC Network Automation, the user gets locked after a particular number of failed login attempts. Either the user gets unlocked automatically after a specific time period or a user with the Unlock Users right can unlock the user. For more details, see Locking or unlocking users.

Support to handle Cross-Site Scripting (XSS) attacks

To handle XSS attacks, BMC Network Automation now includes an optional filter that restricts certain characters and patterns from being included in the HTTP request from a user. If the filter detects these characters or patterns in the request, BMC Network Automation denies the response to the request and generates an error message. You can configure this filter to restrict various characters and patterns by setting a few properties in the global.properties file. For more information, see Handling the XSS attacks.

Note: When you upgrade to version 8.8.00, certain characters and patterns are restricted by default.

Enhanced login system rights

Now, you can control the login access to the BMC Network Automation application server through GUI and Web Services in addition to SSH Proxy by using the Login system rights. For more information, see Access the application server.
Device and device adapter enhancements
Support for VMware vSphere version 6.0 and new external script actions

BMC Network Automation now supports vSphere version 6.0. Deploying Virtual Security Gateway (VSG) on vSphere 6.0 devices does not require Policy Agent Image Name and VSG User Name parameters. Therefore, the following new external script actions are available to support deployment of VSG and VSG Secondary devices:

  • VSG Deploy on vSphere 6
  • VSG Deploy Secondary on vSphere 6

Note: In this version, BMC Network Automation does not support the configuration of VLAN on the port group of a dvSwitch for which the multipleLAG version of the Multiple Link Aggregation Control Protocol (LACP) is enabled. As a workaround, you can change the LACP version to singleLAG using the changeLacpApiVersionToSingleLag attribute in the vlan command. For example, use the following command to change the LACP version:
    vlan vlanID portgroupName changeLacpApiVersionToSingleLag

This command first reconfigures the underlying dvSwitch to disable the multipleLAG version and then configures VLAN on the port group.

Support for the VMware NSX Manager device

BMC Network Automation provides a new device adapter, VMware NSX Manager, to manage NSX Manager. This adapter is HTTP based and uses REST API calls to manage NSX Manager. It supports trails for the running configuration. This configuration is stored in ASCII format, which is obtained by running HTTP GET calls to capture configuration of various objects, such as components, edges, NTP settings, network settings, syslog settings, FTP settings, certificates, NSX Edge devices, distributed firewall, switch, virtual-wires, scope, controller, segment, and multicast.

You can make partial configuration changes in NSX Manager by using the Deploy to Active action with Injection Templates. For information about Injection Templates, see Using injection templates to change device configuration.

Support for the VMware NSX Distributed Firewall device

BMC Network Automation provides a new device adapter, VMware NSX Distributed Firewall, to manage NSX Distributed Firewall. This adapter is HTTP based and uses REST API calls to manage NSX Distributed Firewall. It supports trails for the running configuration. This configuration is stored in ASCII format, which is obtained by running HTTP GET calls to capture the configuration of the distributed firewall.

You can make partial configuration changes in NSX Distributed Firewall by using the Deploy to Active action with Injection Templates. For information about Injection Templates, see Using injection templates to change device configuration.

Support for the VMware NSX Logical Router and NSX Service Gateway devices

BMC Network Automation provides support for a new device adapter, VMware NSX Edge, to manage NSX Logical Router and NSX Service Gateway. This adapter is HTTP based and uses REST API calls to manage these devices.

It supports trails for the running configuration. This configuration is stored in ASCII format, which is obtained by running HTTP GET calls to capture configuration of these devices. You can deploy partial configuration changes by using the Deploy to Active action with Injection Templates. For information about Injection Templates, see Using injection templates to change device configuration.

Note:

  • When adding NSX Logical Router in BMC Network Automation, select Category as Router and when adding NSX Service Gateway, select Category as Other.
  • This device type supports only the user-defined security context. You need to add the name of the NSX Logical Router or NSX Service Gateway in the user-defined context.
Support for the Cisco Application Centric Infrastructure (ACI) device

With this release, BMC Network Automation supports the Cisco ACI device adapter to manage the Cisco ACI Application Policy Infrastructure Controller (APIC). This adapter is HTTP based and uses REST API calls to manage APIC.

It supports trails for the running configuration. This configuration is stored in binary format, which is obtained by creating an export policy using the import/export feature of Cisco ACI. The configuration also contains the decoded ASCII contents, which is obtained by capturing the output from the HTTP GET calls to capture the configuration of the following objects:

  • Top-level system components
  • Tenants

Using this device adapter, you can take a snapshot of a configuration file that is in the tar.gz format, and you can deploy that file to the APIC using full merge. You can deploy partial configuration changes to APIC by using Injection Templates. For information about Injection Templates, see Using injection templates to change device configuration.

Support for the MRV OptiSwitch 904 device

BMC Network Automation now supports the MRV OptiSwitch 904 device running with Master-OS version 4_3_2B. This device adapter supports the following features:

  • Span actions: Commit, Deploy to Active, Deploy to Stored, Reboot, Snapshot
  • Access modes: Telnet, SSH2
  • File transfer mode: Tunneled, FTP, SCP
Enhancements in the existing device adapters

The existing device adapters have been enhanced as follows:

  • Support for FortiOS 5.x: The Fortigate device type now supports devices running with FortiOS 5.x.
  • Support for the IOS Show Uptime custom action: The Cisco IOS Switch/ Router device type now supports a new custom action, IOS Show Uptime. This custom action captures the device uptime in the following format:

    Year, Week, Day, Hour, Minute.

    To execute this custom action, on the Add Job page, click Add Action > Custom Actions > Diagnostics > IOS Show Uptime.

Platform support
New operating system support

BMC Network Automation supports the following operating systems:

  • SUSE Linux Enterprise Server 11 SP3
  • SUSE Linux Enterprise Server 11 SP2

For complete operating system support information, see OS support.

Discontinued operating system support

BMC Network Automation discontinues support for the following operating systems:

  • SUSE Linux Enterprise Server 11, 11 SP1
  • SUSE Linux Enterprise Server 10 SP2
  • Ubuntu 11.04
New database support

BMC Network Automation supports Microsoft SQL Server 2008 R2 SP3.

For the complete database support information, see Database support.

Discontinued database support

BMC Network Automation discontinues support for the following databases:

  • Oracle Database 11g Release 1 (R1)
  • SQL Server 2008 R2 SP1, SP2
Discontinued browser support

BMC Network Automation discontinues support for the following browsers:

  • Microsoft Internet Explorer 10.x
  • Safari (Windows)

For complete browser support information, see Web-based client system requirements.

Encryption for Oracle Database 12c

BMC Network Automation version 8.8.00 supports encryption for Oracle Database 12c.
File transfer enhancements
Enhanced file transfer

During a snapshot operation, if the configuration file for a device (such as Cisco ACI) is generated and transferred with a name that does not match the naming convention BMC Network Automation expects in the transfer directory, you can include a new property, filenameUsedByDevice, in the device adapter. This property must be populated with a value that exactly matches the name of the file being transferred. BMC Network Automation searches the transfer directory for a file with the name specified in this property and takes a snapshot.

New Trivial File Transfer Protocol (TFTP) parameters

This release supports the following new TFTP parameters in the global.imported.properties file:

  • tftpInboundFileMaxWaitSeconds: Indicates the maximum number of seconds for which BMC Network Automation should wait for a TFTP file transfer to complete. The waiting period starts after the device declares that the transfer has finished. The device might declare the transfer as finished even before the TFTP server has completely flushed the file out to the disk. If the waiting period is over and the file transfer is not complete, BMC Network Automation should consider the file transfer as failed and generate an error. The default value of this parameter is 60 seconds.
  • tftpInboundFileSizePollSeconds: Indicates the number of seconds for which BMC Network Automation should wait between two consecutive polls for a TFTP file size change. Two consecutive checks yielding the same size indicate that the file transfer is complete. This idle time should be long enough to detect whether the TFTP server is still active on a busy system. This value is shared by all device agents, therefore, it must account for how each device agent host performs during the TFTP file transfer. This parameter is used only when the device does not report the size of the file it sent via the transferredBytes property, which means that the polling for the change in the file size is not done when you know the exact file size to expect. Default value of this parameter is 10 seconds.
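
The completion check that these two parameters describe, sketched in Python as an added example (not BMC Network Automation code). The function names, the 1-second re-check used when the size is known, and the replayed size readings are constructed assumptions; only the parameter names, their defaults, and the transferredBytes property come from the text above.

```python
import os
import time

class TransferFailed(Exception):
    """Raised when the file is not complete within the maximum wait."""

def _file_size(path):
    try:
        return os.path.getsize(path)
    except OSError:
        return None  # file not created yet

def wait_for_inbound_file(path, transferred_bytes=None, max_wait=60, poll=10,
                          size_of=_file_size, clock=time.monotonic,
                          sleep=time.sleep):
    """Wait for a TFTP upload to finish landing on disk; return its final size.

    max_wait and poll mirror tftpInboundFileMaxWaitSeconds (default 60) and
    tftpInboundFileSizePollSeconds (default 10). The wait starts when the
    device reports the transfer finished, i.e. when this function is called.
    """
    deadline = clock() + max_wait
    previous = None
    while True:
        size = size_of(path)
        if transferred_bytes is not None:
            # Device reported the size: no size-change polling, just compare.
            if size == transferred_bytes:
                return size
            interval = 1  # assumed re-check interval; the page does not give one
        else:
            # Size unknown: two consecutive identical readings mean "complete".
            if size is not None and size == previous:
                return size
            previous = size
            interval = poll
        remaining = deadline - clock()
        if remaining <= 0:
            raise TransferFailed(f"{path}: incomplete after {max_wait}s (size={size})")
        sleep(min(interval, remaining))

def simulate(sizes, **kwargs):
    """Replay constructed size readings against a fake clock (no real sleeping)."""
    now = [0.0]
    readings = iter(sizes)
    last = [None]
    def size_of(_path):
        last[0] = next(readings, last[0])  # repeat the final reading forever
        return last[0]
    def sleep(seconds):
        now[0] += seconds
    size = wait_for_inbound_file("constructed.cfg", size_of=size_of,
                                 clock=lambda: now[0], sleep=sleep, **kwargs)
    return size, now[0]
```

Replaying `simulate([4096, 4096, 8192])` accepts a 4096-byte file: a server that stalls for one poll interval looks finished, so a truncated configuration would be stored as the snapshot. Passing `transferred_bytes=8192` for the same readings waits for the full file, which is why the size-change polling is skipped when the device reports the size.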
Reporting enhancements
Support for generating the Compliance Summary report by rule

You can generate the Compliance Summary report by rules in addition to the selected rule sets. The Compliance Summary report wizard includes a new option, Selected Rules to select the rules to be included in the report.

This new option is also available in the Send Email action when attaching a Compliance Summary report.

Support for exporting the Discrepancy Summary report in CSV format

You can now export the Discrepancy Summary report in CSV format, and then use this report in third-party applications (such as spreadsheets).

This new export format is also available in the Send Email action when attaching a Discrepancy Summary report.

Event and job count available in the System Diagnostics report

The System Diagnostics report now shows the total number of jobs and events in the system under the Component Counts section.
Miscellaneous enhancement
Debug trace option at job level

You can now enable logging of low-level debug statements in the job transcripts at the job level by using the Include Debug Trace in Communication Transcripts option while creating a job. Earlier, you could enable logging only at the global level for all device command/response interactions by using the Include Debug Trace in Communication Transcripts system parameter. With this enhancement, you can control debugging at granular level. For more information about this option, see Creating a generic job.

The Job Details report shows whether logging was enabled prior to execution of the job. For more information, see To view the job details report.

Note: For the predefined jobs, policies, the template push extension scripts, and the auto script (bcan-dsn utility), the Include Debug Trace in Communication Transcripts option is not available at job level. Logging depends on the value of the Include Debug Trace in Communication Transcripts system parameter.

BMC Network Automation web services updates

The following table describes the BMC Network Automation web services updates included in this release:

Update
Description

Support for debug trace at job level

To enable logging of low-level debug statements in the job transcripts at job level, the jobParamsDTO in the SpanActionService and EndPointService web services now includes the includeDebugTrace parameter. Default value of this parameter is false, which disables debugging. To enable debugging, set it to true.

Support for importing security vulnerabilities

A new class, SecurityVulnerabilityService, has been added, which contains the following web services that help you to import security vulnerabilities into the system:  

  • importSecurityVulnerability(): Imports a new security vulnerability into the system.
  • importSecurityVulnerabilitiesFromZip(): Imports multiple security vulnerabilities present inside a zipped file into the system.
Enhancements in the ImportExportService class

The ImportExportService class has been enhanced as follows:

  • The ImportExportService class now contains the following new methods to export rules and rule sets:
    • exportRules(): Exports rules from the BMC Network Automation database to XML.
    • exportRuleSets(): Exports rule sets from the BMC Network Automation database to XML.
  • The importComponents() method has been updated to allow import of rule and rule set XMLs into the BMC Network Automation database.

BMC Cloud Lifecycle Management-related updates

The following table describes the BMC Network Automation updates included in this release to support BMC Cloud Lifecycle Management:

Update
Description
Container provisioning: Order of acquired resources during container provisioning

Starting with this version, during container provisioning, the network resources are acquired in the order in which they are defined in the container blueprint. The Order column in the container details page shows the order in which resources are acquired during provisioning.

For the containers provisioned in version 8.8.00, this column shows the true order in which resources were acquired during provisioning. For upgraded containers, this column shows the numbers that are randomly assigned to the acquired resources.

To view the container details page, navigate to Network > Virtual Data Center > Containers, and click the View icon for the container for which you want to view the details.

New BMC Atrium Orchestrator Service Actions (SA) IPAM supporting processes

To improve performance during service offering instance (SOI) provisioning, this release provides the following new IPAM supporting processes:

  • Is Address Used: Indicates whether a specific IP address is used.
  • Is Address Free: Indicates whether a specific IP address is free.
Juniper SRX firewall: Change in behavior when pushing ACL updates

Starting with version 8.8.00, BMC Network Automation does not support the add, remove, and replace firewall rule operations if the device is using tunneled transfer mode. The tunneled transfer mode pushes the ACL updates in an unsafe way because it first deletes the old ACL and then builds up the new ACL. The process might lead to data packets being processed incorrectly.

If you are using the tunneled transfer mode in a Juniper SRX firewall device, set the device to use the file transfer mode.

Changes to the supported products and solution versions

This section describes the versions of products and solutions supported by BMC Network Automation version 8.8.00.

BMC Network Automation integrates with the following products to provide the BMC Continuous Compliance for Network Automation solution:

| Product | Version |
| --- | --- |
| BMC Remedy AR System Server (Includes BMC Remedy Mid Tier) | 9.0 |
| BMC Remedy ITSM Suite (Includes BMC Change Management and BMC Service Desk: Incident Management) | 9.0 |
| BMC Atrium CMDB Enterprise Manager (Includes BMC Atrium CMDB Web Services) | 9.0 |
| BMC Atrium Orchestrator Platform (using BMC Atrium Single Sign-On 9.0.0) | 7.8.00 |
| BMC Atrium Orchestrator Content | 20.16.01 |
| BMC Decision Support - Network Automation | 8.8.00 |

BMC Network Automation integrates with the following BMC and non-BMC products to provide the BMC Cloud Lifecycle Management solution:

| Product | Version |
| --- | --- |
| BMC Cloud Lifecycle Management | 4.6 |
| BMC Atrium Orchestrator Platform | 7.6.03 |
| BMC Atrium Orchestrator Content | 20.14.02 |
| Alcatel-Lucent VitalQIP | 7.3 |
| Infoblox | 6.8.13 |

To view the products and solutions supported by BMC Network Automation, see BMC Continuous Compliance for Network Automation solution and BMC Cloud Lifecycle Management.
