In order to manage a large number of devices in an effective way, TikManager defines a set of Concepts that allows system administrators to define abstract rules and configurations and get them applied to that variety of devices.
Device shape is a concept that aims to device a specifc role of a device. For example, in a network may one have two different types of roles for their devices: border-gateway and customer-router. Of course these two devices will receive different configurations as one is meant to handle border traffic and related rules, and the other one is meant to protect a end user with an internet link at his home.
TikManager is able to group rules into these two different “shapes” and get them applied to tens, hundreds or even thousands of devices using these two main templates.
Device Shapes are important because it’s through them that TikManager is able to tell a system administrator that one or more devices have outdated confiurations. If something changes within a device shape, then all devices associated with it will be shown as outdated. These changes can be firewall rules, firmware versions, proxy rules, NTP configurations, etc.
Profiles represents the set of RouterOS features that can be managed by TikManager.
For example there’s Firewall profiles. Firewall profiles can handle firewall rules in an abstract way, these rules can be applied to devices that have a Device Shape associated.
NTP profiles are able to define NTP servers to be configured on your devices.
To see a complete list of available profile types, see: Features.
When a system administrator is creating a firewall rule, he/she has to define some basic information such as protocol, ports, in-interfaces, out-interfaces, etc.
A typical mikrotik firewall rule should look something like:
/ip firewall filter add chain=forward action=accept in-interface=wan_interface connection-nat-state=dstnat connection-state=established,related
But when one need to manage a large number of devices from a single point, reusing rules in order to optimize and scaling up things, there’s some restrictions involved, for example: interface names aren’t the same within all devices.
To solve that issue, TikManager defines the Packet Matcher concept. Packet Matcher profiles allows you to reference certain type of traffic in an abstract way, for example:
I’d like to block all traffic comming from internet to the SSH 22/TCP port
Within TikManager you’ll first create a Packet Matcher that matches SSH traffic on interfaces that has INTERNET type.
When a firewall rule is created, you’ll define the Packet Matcher for that rule, instead of defining a static interface name, protocol, ports, etc.
A Packet Matcher for that type of traffic should look something like:
This way you’re able to deliver firewall profiles with rules that will fit a RB-750 and a RB-1100, without having to worry the intereface numbers and names.
Keep in mind that everything within TikManager is meant to be done one time and get applied a lot of times regardless the device models in which they’re going to be delivered.