Open Windows Firewall port on demand until traffic ceases: SCOM Management Pack by Ronnie Johansson

Ronnie Johansson

Ronnie Johansson, a SCOM expert who has authored over 200 management packs, was one of the five courageous contestants who took on the challenge of building a community-requested SCOM management pack (MP) in just 24 hours during HackaSCOM.

He was given the difficult task of creating a SCOM management pack that opens a Windows Firewall port on demand and closes it again once the traffic ceases.

The plan

Ronnie tackled the challenge with some research, followed by a rough design of the management pack. Next, he looked at the Windows Firewall log to find out what he could use as a trigger for opening and closing the port.

Ronnie started out with four key challenges he needed to overcome:

The final SCOM management pack

Here’s the SCOM management pack Ronnie created using Visual Studio.

Ronnie decided to store the firewall port settings in the registry on the agents that will have the Firewall opened.

To get that into SCOM, he used a two-step discovery: first a lightweight registry seed discovery, then a PowerShell discovery that reads all the settings from the registry and stores them as properties on SCOM objects of a custom “WindowsFirewall Rule” class, which is also part of the solution.

“Open Firewall” trigger

When a connection to the port fails, the dropped packets are written to the Firewall log file, so Ronnie built a monitor that watches the log file for a drop entry matching the criteria from the registry and uses that as the trigger to add the Firewall rule. When the Firewall rule is opened, a PowerShell WriteAction is triggered. A separate log file is also created for follow-ups so the user knows when to close the port again.

“Close Firewall” trigger

To close the Firewall, Ronnie created a PowerShell script that checks the Firewall log to see whether the traffic has stopped. The interval it checks is configured in the registry settings. If there is no traffic in the last interval, the Firewall rule is removed; if there is still traffic logged, the follow-up log file is updated instead.
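As an added illustration of the close check described above (example code written for this page, not Ronnie's management pack), the script below parses Windows Firewall log lines in the standard pfirewall.log field layout, finds the last entry for the rule's port, and removes the rule only if that entry is older than the configured idle interval. The rule name, port, interval, log lines and follow-up log path are constructed placeholders; in the MP these come from the registry settings.

```powershell
# Added example: decide whether an on-demand firewall rule can be closed
# by checking the Windows Firewall log for recent traffic on the rule's port.
function Get-LastPortHit {
    param([string[]]$LogLines, [int]$Port)
    $last = $null
    foreach ($line in $LogLines) {
        if ($line -match '^#') { continue }   # skip W3C header lines
        $f = $line -split '\s+'
        # pfirewall.log fields: date time action protocol src-ip dst-ip src-port dst-port ...
        if ($f.Count -lt 8) { continue }
        if ([int]$f[7] -ne $Port) { continue }  # dst-port is field 8
        $ts = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
        if ($null -eq $last -or $ts -gt $last) { $last = $ts }
    }
    return $last
}

function Test-PortIdle {
    param([string[]]$LogLines, [int]$Port, [int]$IdleMinutes, [datetime]$Now)
    $last = Get-LastPortHit -LogLines $LogLines -Port $Port
    if ($null -eq $last) { return $true }   # never seen: nothing is using the port
    return (($Now - $last).TotalMinutes -ge $IdleMinutes)
}

# Constructed sample log lines (not captured data); placeholder port 8443
$sampleLog = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2023-05-01 10:00:05 ALLOW TCP 10.0.0.5 10.0.0.10 51000 8443 0 - 0 0 0 - - - RECEIVE',
    '2023-05-01 10:12:40 ALLOW TCP 10.0.0.5 10.0.0.10 51001 8443 0 - 0 0 0 - - - RECEIVE',
    '2023-05-01 10:30:00 DROP TCP 10.0.0.7 10.0.0.10 40000 9000 0 - 0 0 0 - - - RECEIVE'
)
$ruleName     = 'SCOM OnDemand 8443'            # placeholder rule display name
$followUpLog  = "$env:ProgramData\OnDemandFirewall.log"  # placeholder follow-up log
$idleMinutes  = 30                              # placeholder interval from the registry
$now          = [datetime]'2023-05-01 10:45:00' # fixed "now" so the sample is deterministic

if (Test-PortIdle -LogLines $sampleLog -Port 8443 -IdleMinutes $idleMinutes -Now $now) {
    # Last hit on 8443 was 10:12:40, more than 30 minutes ago: close the port
    Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    Add-Content -Path $followUpLog -Value "$now rule '$ruleName' removed (idle)"
} else {
    # Still in use: record it so the next interval is checked again
    Add-Content -Path $followUpLog -Value "$now rule '$ruleName' still active"
}
```

Only DROP entries matter for the "open" trigger, but for the close check every entry on the port counts as traffic, which is why the parser does not filter on the action field.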

Closing the Firewall was the trickiest part of the build, as most of the judges had expected.

To view this in SCOM, Ronnie created a couple of views. One is a state view for the monitored servers, that is, the servers that have any registry information about the Firewall rules. An alert is raised when a Firewall rule is activated, and the alert stays active for as long as the Firewall rule is active. This is achieved through a monitor called “WindowsFirewall Rule IsActive”.

In the Health Explorer, you can see the health state of a server flip between warning and healthy when Firewall rules are active.

Judges’ comments

The judges were impressed with the result.

Stoyan Chalakov said, “Although I was pretty sure how I would have opened the Firewall, I had absolutely no idea how to solve the more complex issue of how to close the Firewall. Bravo to Ronnie for taking this approach. It looks nice.”

Bob Cornelissen chimed in saying, “You can really see how Ronnie took a creative approach to this. He needed to come up with an idea of how long you would wait and what you would wait for, testing it, and reading it back. It was difficult. But he brought very creative thinking.”

Shivam Kumar added, “Now that you’ve made it, it sounds intuitive, but it wasn’t 24 hours ago.”

In just 24 hours, Ronnie managed to build a complete SCOM management pack and delivered an impressive final product. This will be a great MP for the community.