Release Overview - Unimus 2.5.0
A new major Unimus feature release, 2.5.0, is finally here! This is a large release with lots of new features, enhancements, new device support, and a healthy dose of bug and security fixes.
This article is an overview of the biggest changes and features in 2.5.0, but you can also find the full Changelog at the bottom of this article.
Custom Backup Flows
One of the biggest features in 2.5 is the ability to create Custom Backup Flows. These Flows will allow you to specify your own sequences of commands to be executed during backup jobs on devices.
Until now, there was no way to back up a device differently from our built-in flow (for example, to add the outputs of a few extra commands to the backup). Custom Backup Flows let you create your own backup procedures, so you now can.
You can find more info on Custom Backup Flows, with more details and examples, in this article on the Blog, or on our Wiki.
New Object Access Policies and improvements to user management
2.5 also brings a lot of improvements and changes to User Management and introduces new Object Access Policies.
Object Access Policies replace Device Access rules (which existed before 2.5), and offer much better flexibility to define the exact object access rules you need.
Together with new features like the Ownership system improvement and User provisioning (more on this below), the User Management system in Unimus receives a nice boost in 2.5.
For full info on what is new and what has changed, please check our article "Improvements to user management, provisioning and access policies in Unimus 2.5" on the Blog.
User provisioning (automatic new user creation)
As mentioned above, we have added an option to automatically create new users in Unimus when they successfully authenticate against an external AAA system for the first time. This allows for automatic user provisioning in Unimus.
After enabling this function, new users you create in LDAP / Radius can log in to Unimus without any manual user creation.
Ownership for Tags and Zones
We have extended the Ownership system to include Tags and Zones. We also added an option to show all objects owned by a particular user in the User Management screen.
These changes improve the overall access and security model in Unimus, and solve a few edge-cases where users could create new objects and immediately lose access to them due to access restrictions.
NetBox support in NMS Sync
Due to popular demand from the community (you!), we have added support for NetBox in NMS Sync.
Together with improvements to NMS Sync we introduced in 2.4, you can now sync your NetBox inventory to Unimus, sync object state and use NetBox as the source of truth for Unimus.
Tons of minor features and improvements
On top of the major features mentioned above, this release also contains over 20 minor features and improvements.
A few notable changes:
- Added option to create a new Credential directly in the Credential Binding window
- Tags can now be edited (you can change the Name or Owner)
- Added additional "Used by..." columns to the Tags table showing usage of Tags across Unimus
- Added a link to open the last failed job details to the "Device > Info" window
- Added an option to not show Unmanaged devices in results of Config Search
- Added an icon for credentials in High Security Mode to all relevant tables
- Added an option to specify your own Pushover API Key in Pushover settings
- Added an option to select the color scheme of diffs sent by notifications
- etc.
As always, we are also expanding the list of devices supported by Unimus. In this release, we added support for 12 new device types. Check the Changelog below for full info!
Bug fixes and security improvements
As always, we are also fixing bugs, solving issues, and improving security. In this release, we fixed 20+ bugs - from minor annoying issues all the way to jobs failing on various device types.
We have also focused quite a bit of attention on security. We have tightened the access restrictions for non-admin roles, but also fixed 10+ various security-related issues.
Please see the Changelog below for full info.
Finally, here is the full 2.5.0 Changelog:
= Version 2.5.0 =
Features:
Device Tags have been renamed to just Tags, since they can be used on many more objects than just Devices now
Tags can now be edited, allowing for change of Name or Owner (more on Ownership later)
Changed default job concurrency (max number of parallel jobs) to 50
When deleting a Zone, you can now choose to move devices to any other Zone you have access to before deleting the Zone
Added an option to create a new Credential directly in the Credential Binding window
Updated NetXMS client library to latest version (5.0.3)
Added a Zone ID column to "Backups > Devices" table
Added a link to open the last failed job details to the "Device > Info" window
Added a notification banner to "Backup Filters" when user doesn't see all filters due to Access Policy restrictions
Added a notification banner when trying to edit a Backup Filter when you don't have access to all devices covered by that filter
Added a better message when a user with the "None" role attempts to log in
Added additional "Used by..." columns to the Tags table showing usage of Tags across Unimus
Added an option to not show Unmanaged devices in results of Config Search
Added an icon for credentials in High Security Mode to all relevant tables
Added an option to specify your own Pushover API Key in Pushover settings
Added an option to select the color scheme of diffs sent by notifications
Added a help popup to "Notifications > Show FQDN"
Fixed various small UI / UX issues and UI element misalignment and sizing issues
Changed Cisco ASA multi-context driver to only attempt backing up contexts when switching to the "system" context is possible
Added support for offer prompts when a device offers multiple corrective options for invalid commands
Improved handling of Nokia SROS / TimOS devices, fixing multiple issues in the process
Improved support for Raisecom RAX / ISCOM devices (more device types now supported)
Added new "Custom Backup Flows" feature:
- you can now create presets that specify what commands are sent to Devices during Backup
- you can also specify pre-backup commands, post-backup commands, and what is consumed as the backup content
- if a Custom Flow exists for a Device, it will be used instead of the built-in flow in the Device Driver
- you can target devices by Tag, Vendor, Type, etc.
- more info at: https://blog.unimus.net/custom-backup-flows-in-unimus-2-5/
Added support for NetBox in NMS Sync:
- you can now sync your NetBox inventory into Unimus
- import filtering based on "role", "tag", "location" and "field" (Custom Fields) is available
- the "status" field in NetBox is used to set the Managed flag in Unimus
- more info at: https://wiki.unimus.net/display/UNPUB/NetBox+importer
Prefixes for filters in NMS Sync were replaced by a key-value system
- until this release, entries in Sync Rules needed prefixes, with each prefix meaning something different
- this was inconsistent across different Sync Connectors, and also quite confusing (you had to read docs every time on what prefix does what)
- we replaced prefixes with a Key=Value system (for example "id=123", "group=routers", etc.)
- existing Sync Rule configuration will be automatically migrated to the new system
Device Access was reworked into Object Access Policies:
- you can now create complex Object Access Policies which specify what a user should have access to
- Object Access Policies can then be assigned to users to limit object access across Unimus
- existing Device Access rules will be migrated to new Object Access Policies automatically
- more info at: https://blog.unimus.net/user-management-provisioning-and-access-policies-in-unimus-2-5/
Added an option to create user accounts for users successfully authenticated by an external auth system:
- this allows provisioning of users on first successful login to Unimus when using Radius / LDAP auth
- using this system, you no longer need to create user accounts in Unimus for external AAA users before they can log in
- both Role and Object Access Policy for automatically created accounts are configurable
- more info at: https://blog.unimus.net/user-management-provisioning-and-access-policies-in-unimus-2-5/
Object Ownership system has been extended to Tags and Zones:
- Tags and Zones now have an "Owner" attribute, same as Devices
- access to these objects can now be gained by being their Owner, separately from Object Access Policies
- ownership takes precedence over Object Access Policies - owners always have access to objects owned by them
You can now see all Objects owned by a User in User Management:
- new "Show object ownership" button was added in User management
- this will show all Objects, as well as their types owned by this User
- you can also remove ownership of Objects from this User in this window
Improvements to APIv2 / APIv3:
- added the zoneId attribute to all Devices and Diff APIv2 endpoints
- added the zoneId attribute to multiple response objects in APIv3 where it was missing
Added support for:
- Cisco IOL (IOS on Linux) switches
- Cisco IOL (IOS on Linux) routers
- CheckPoint Gaia running on bare metal
- CheckPoint TE series
- CheckPoint QLS (Quantum Light Speed)
- iS5 IMX devices
- iS5 iES devices
- Netonix WS3 switches
- Racom RAy
- Raisecom REAP OS devices
- Ruckus vSZ-H
- SONiC OS
Fixes:
Fixed Config Change notifications would not apply Backup Filters in the notification diff when a new changepoint was generated
Fixed importing valid .csv files with formatting errors could result in a stuck Import job
Fixed "Export Diff" ignored the "Only changed lines" checkbox, and always sent only changes
Fixed selection model breaking in the Credentials table after editing a Credential
Fixed issues when changing large amount of objects (2000+) in a single operation when using MSSQL
Fixed multiple other object manipulation failures when using MSSQL (Device Zone change, etc.)
Fixed selected Zone disappearing from the Zone selection dropdown in "Basic import" after a successful import
Fixed config change notifications even when nothing changed on PA PanOS when managed by Panorama
Fixed issue in API with Zones which had a NetXMS Agent selected as their Connection method
Fixed Mass Config Push > Advanced Settings allowed setting an empty value for Override Timeouts
Fixed live updates that were missing in multiple screens, tables, and "used by" counters
Fixed many various minor UI and UX issues and inconsistencies
Fixed wrong / extraneous logging during the database upgrade stage when updating
Fixed OPNSense jobs failing when device presented a menu after switching to root
Fixed discovery failing on Ericsson SGSN in specific cases
Fixed multi-context backup failing on Ericsson IPOS in specific cases
Fixed a few specific Cisco router models being identified as switches
Fixed backup failing on Cisco routers that were incorrectly identified as switches
Fixed discovery could fail on Nokia SROS / TimOS devices on specific version
Fixed backup and Config Push could fail on Nokia SROS / TimOS devices on specific version
Fixed backup and Config Push could fail on specific version of NetElastic vBGN
Fixed Cisco ASA backup failing when logging into a context without the ability to switch into the "system" context
Fixed more cases when jobs could fail on Checkpoint Gaia devices
Security fixes:
Only Administrator-level users can now change Notification settings
Only Administrator-level users can now change Retention settings
Only Administrator-level users can now change Advanced System Settings
NMS Sync Presets where "Device Action policy" is set to "Move from All Zones" are now read-only for Users who do not have access to all Zones
Users who do not have access to all Zones cannot select "Move from All Zones" in "Device Action policy" when creating a new NMS Sync Preset
Users will not see an NMS Sync Rule if they don't have access to the Zone selected for that Rule
For Presets using Tags (Config Push, Backup Filters, etc.), only Users with access to all Devices under that Tag can manage the Preset
Users can no longer edit Credentials that are used on Devices they don't have access to
Users can no longer edit CLI Mode Change Passwords used on Devices they don't have access to
If a User doesn't have access to all Devices in Unimus, they can no longer change the Default Schedule
Users can no longer delete a Schedule if they don't have access to all Devices that use that Schedule
Fixed cases where Users could see Backup Filters even for Devices they did not have access to
Fixed Users could still see and modify Targets in Config Push if Object ownership was modified concurrently
Embedded Core version:
2.5.0