
Create a compliance policy rule

Created by Jeremy Ruth, last modified by Melanie Boyd on Apr 07, 2017


Overview

This article provides steps on how to create a policy rule. 

A rule verifies policy compliance of a device by specifying a string that either must or must not be present in a configuration file. Rules are collected into policies and applied to specific network devices. Reports of policy violations are generated based on a schedule.
  • String: plain-text matching; special characters are taken literally, not interpreted.
  • RegEx: allows special characters to define a specific search pattern.
Environment

All versions of NCM have Compliance Reporting. 

Steps

Basic String Matching

  1. From the Web Console, click CONFIGS > Compliance.
  2. Click Manage Policy Reports.
  3. On the Manage Rules tab, click Add New Rule.
  4. Name the rule, and then enter a description.
  5. Select the Alert Level and Save in Folder settings.
  6. Select the type of alert trigger.
  7. Enter a string and select the String type.
  8. Create a script in Remediation to modify the lines of configuration if they do not comply with the policy rule.

    Notes: 

  • To function properly, a remediation script must include CLI statements that run on the relevant devices. When executed, the script runs through the default communication protocol (Telnet, SSH).
  • Your script should put the device into configuration mode, if needed, issue a series of config commands, and then exit config mode.
  9. Select a Remediation Script type. Your selection determines how NCM executes commands against targeted devices to remediate a policy rule violation.
    • CLI allows NCM to use the commands in the script to change the config.
    • Config Change Template launches the Config Change Template wizard to guide you through executing the script.
  10. Click Test to validate the rule against a device configuration.
  11. Select a config to test the rule against.
  12. Click Test Rule Against Selected Config.
    Notes: Test your rule against at least two nodes and configurations, one known to comply with the rule, the other known not to comply. In testing a rule against a noncompliant configuration, expect a result that includes the rule and its violation.
  13. Click Select Different Config to continue your rule test on another config.
  14. Click Close, and then click Submit.

Advanced String Matching

  1. From the Web Console, click CONFIGS > Compliance.
  2. Click Manage Policy Reports.
  3. On the Manage Rules tab, click Add New Rule.
  4. Name the rule, and then enter a description.
  5. Select the Alert Level and Save in Folder settings.
  6. Select the type of alert trigger.
  7. Select Advanced Config Search.
  8. Select the appropriate option in the String Type list.
  9. Type your string or expression in the String field. 

Note: If there are special non-printable characters at the end of the lines in a downloaded config, the $ operator might not match the line end. To check, copy lines from the config into a plain text editor. If you see extra, empty lines that were not in the copied text, the lines most likely contain non-printable characters.

  10. If you want to build conditions into your search, click Add Another String and create the string, as before.
  11. Repeat this step for as many strings as you need to define your search. For example, let’s assume that you need to search configs for occurrences of the string access list in conjunction with different names (Joe, Sam, Tom).

To build the appropriate conditions into the search, you would create the following logic:

Must Contain ^(?=.*?\bAccess-list\b)(?=.*?\bjoe\b).*$
OR Must Contain ^(?=.*?\bAccess-list\b)(?=.*?\bsam\b).*$
OR Must Contain ^(?=.*?\bAccess-list\b)(?=.*?\btom\b).*$

A violation of this rule logic occurs if NCM finds a line in a config that includes the string Access-list together with the string joe, sam, or tom.

  12. Adjust the operators (And/Or) to determine relationships between strings in the execution of your search. The default operator is and.
  13. Use parentheses to group strings into conditional relationships and to establish relationships between string groups. For example, if you had three strings defined, you might put opening and closing parentheses around the first two strings, linking the two with the and operator. Then you might use the or operator to evaluate the last string by itself. The result will be a search that looks for both of the first two strings. If it finds them, the alert is triggered. If it does not find them, but the last string is found, the alert is also triggered. Finally, the alert is triggered if both the first two strings and the last string are found.
  14. Select the search context under Search Config File/Block.
  15. Create a script in Remediation to modify the lines of configuration if they do not comply with the policy rule.

Notes: 

  • To function properly, a remediation script must include CLI statements that run on the relevant devices. When executed, the script runs through the default communication protocol (Telnet, SSH).
  • Your script should put the device into configuration mode, if needed, issue a series of config commands, and then exit config mode.
  16. Select a Remediation Script type. Your selection determines how NCM executes commands against targeted devices to remediate a policy rule violation.
    • CLI allows NCM to use the commands in the script to change the config.
    • Config Change Template launches the Config Change Template wizard to guide you through executing the script.
  17. Click Test to validate the rule against a device configuration.
  18. Select a config to test the rule against.
  19. Click Test Rule Against Selected Config.

Notes: Test your rule against at least two nodes and configurations, one known to comply with the rule, the other known not to comply. In testing a rule against a non-compliant configuration, expect a result that includes the rule and its violation. For example, if you were attempting to disable Reverse-Telnet with your rule, you would see something like this in case the config under test violates the rule:
    Pattern 'line con 0.*\n(.*\n)*.*transport input none' was not found.

This tells you that the NCM policy software used the regular expression specified under String Matching to search the specified config file and no matches were found. Since it expected to find the specified string, the software generates an alert.

  20. Click Select Different Config to continue your rule test on another config.
  21. Click Close, and then click Submit.

 

Note: In NCM 7.5.1 and earlier, there is an issue with searching for a configuration line that is itself a Regular Expression, or whose search string contains special characters that are interpreted as Regular Expression syntax: find string does not work. The workaround is to set the search pattern type to Regular Expression and escape the special characters.
Example: to match the line
access-list (7[6-9]|1[0-9]|3[01])
the regex would be
access-list \(7\[6-9\]\|1\[0-9\]\|3\[01\]\)
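As an added illustration (not part of this article and not NCM's own code), the Python below evaluates rule strings against a constructed config the way the Advanced String Matching example, the $ note and the escaping note above describe. The sample config, the normalize option and the case-insensitive matching are assumptions.

```python
import re

# Constructed sample config (not from the article): IOS-style lines with
# Windows line endings, so every line carries a non-printable \r before \n.
SAMPLE_CONFIG = (
    "hostname edge-router\r\n"
    "access-list 5 permit host joe\r\n"
    "access-list (7[6-9]|1[0-9]|3[01])\r\n"   # the article's regex-looking line
    "line con 0\r\n"
    " transport input none\r\n"
)

# The article's three Must Contain strings (with \b before each name), OR-ed.
NAME_RULES = [
    r"^(?=.*?\bAccess-list\b)(?=.*?\bjoe\b).*$",
    r"^(?=.*?\bAccess-list\b)(?=.*?\bsam\b).*$",
    r"^(?=.*?\bAccess-list\b)(?=.*?\btom\b).*$",
]


def string_found(config, pattern, is_regex, normalize=False):
    """Search a config the way a rule string does: a plain string is a literal
    substring match, a Regular Expression is searched with ^/$ anchored to lines.
    normalize=True strips the stray carriage return the article's note warns about.
    Assumption: the page does not say whether NCM ignores case; IGNORECASE here."""
    if normalize:
        config = config.replace("\r\n", "\n")
    if not is_regex:
        return pattern in config
    return re.search(pattern, config, re.MULTILINE | re.IGNORECASE) is not None


def violated(config, pattern, must_contain, is_regex, normalize=False):
    """Must Contain is violated when the string is absent, Must Not Contain
    when it is present (the semantics behind the 'was not found' test output)."""
    found = string_found(config, pattern, is_regex, normalize)
    return not found if must_contain else found


def name_rule_violated(config):
    """OR of the three lookahead strings: compliant if any one of them matches."""
    return all(violated(config, p, True, True) for p in NAME_RULES)


def literal_line_pattern(line):
    """Escape a config line that is itself a regex so a Regular Expression
    string matches it literally (the workaround from the article's last note)."""
    return re.escape(line)
```

Running `violated(SAMPLE_CONFIG, r"transport input none$", True, True)` reports a violation only because of the trailing \r; with `normalize=True` the same rule passes.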