Submit a ticketCall us

WebinarUpcoming Webinar: How Help Desk and Remote Support Pays for Itself

Learn how help desk software can simplify ticketing management, allow you to track hardware and software assets, and accelerate the speed of IT support and service delivery. Gain insights on how remote support tools allow your IT team to maximize their efficiency and ticket resolution by expediting desktop troubleshooting, ultimately helping keep end-users happy and productive.

Register here.

Home > Success Center > Network Configuration Manager (NCM) > NCM Documentation > NCM 7.8 Administrator Guide > Ensure compliance to policy rules > Create and manage policy rules

Create and manage policy rules

Created by Caroline Juszczak, last modified by Melanie Boyd on Jun 03, 2018

Views: 1,019 Votes: 1 Revisions: 7

Updated: May 31, 2018

rules_policies_reports_small.png

Rules are used to ensure that device configurations comply with policies. Each rule defines a search string that either must or must not be present in a configuration. For example, a rule can specify that configurations cannot include the read-only community string "public."

Each rule applies to a specific set of device configurations, which are selected at the policy level.

To learn how rules, policies, and policy reports work together, see Policy compliance.

Create a rule

Complete the following tasks to create a rule:

  1. Add and identify the rule.
  2. Do one of the following:

  3. (Optional) Define a remediation script.
  4. Test and save the rule.

Add and identify the rule

  1. Click My Dashboards > Configs > Compliance.
  2. Click Manage Policy Reports.
  3. Click the Manage Rules tab.
  4. Click Add New Rule.
  5. Name the rule, and enter a description.
  6. Select the Alert Level that indicates the severity of violating this rule.

    You can customize alert level descriptions.

  7. Select an existing folder to store the rule in, or select New folder and enter a folder name.

Define the search string using basic matching

Use basic string matching to search the entire config for one string. You can enter a simple string or a regular expression.

  1. Specify whether the rule triggers an alert when the string is found or when the string is not found.
  2. Specify whether the string should be evaluated as a regular expression or a simple string.

    A simple string can contain the variables ? and *.

  3. Enter the string to search for.

    NCM uses the Microsoft .NET RegEx engine to evaluate regular expressions. See Regular expression pattern matching examples for some examples of use in NCM. For detailed information about the syntax, see Microsoft's Regular Expression Language Quick Reference.

Define search conditions using Advanced Config Search

Choose Advanced Config Search if you want to:

  • Define a search string that includes conditions (multiple lines connected by AND or OR operators).
  • Specify a block of the config to search, instead of searching the entire config.

See Examples of search string conditions for information about defining conditions.

  1. Specify whether the rule triggers an alert when the string is found or when the string is not found.

    If the search string includes lines that must be included and lines that must not be included, choose the alerting option that is appropriate for the first line. See Example 2.

  2. Select Advanced Config Search.

    The Advanced Config Search and Search Config File/Block sections are displayed.

  3. In the Advanced Config Search section, define the first search string.

    Must/Must Not Contain Specify whether the string should be included in the config.
    String Type

    Specify whether the string should be evaluated as a regular expression or a simple string.

    A simple string can contain the variables ? and *.

    String

    Enter the string to search for.

    NCM uses the Microsoft .NET RegEx engine to evaluate regular expressions. See Regular expression pattern matching examples for some examples of use in NCM. For detailed information about the syntax, see Microsoft's Regular Expression Language Quick Reference.

  4. To build conditions into your search:
    1. Click Add Another String.
    2. Enter the string and specify the relationship between the lines. (See Examples of search string conditions.)

      And/Or Select an operator to define the relationships between strings.
      Parens

      Optionally, use parentheses to group strings into conditional relationships.

    3. Repeat to add as many conditions as you need to define the rule.
  5. To search only part of the config:
    1. Under Search Config File/Block, select Config block.
    2. Enter strings or regular expressions to define the beginning and end of the block.
    3. Specify the string type.

(Optional) Define a remediation script

Each rule can include a script to add or remove lines of a configuration to remediate the policy violation.

  1. Enter or load a script that makes the required changes to the config.

    The remediation script must include CLI statements that run on the relevant devices. When executed, the script runs through the default communication protocol, such as Telnet or SSH.

    The script should perform the following tasks in order:

    1. Put the device into configuration mode, if needed.
    2. Issue a series of config commands.
    3. Exit config mode.
  2. Select a Remediation Script Type. Your selection determines how NCM executes commands against targeted devices to remediate a policy rule violation.
    • CLI allows NCM to use the commands in the script to change the config.
    • Config Change Template launches the Config Change Template wizard to guide you through executing the script.
  3. For a CLI script:
    • If you want NCM to execute the script automatically when a policy violation is found, select Automatically execute this script.

      Otherwise, you can choose to execute the script when you view the policy report that lists the rule violation.

      Be sure to test the script thoroughly before you choose to execute it automatically.

    • If you want NCM to put the device in config mode before executing the script, select Execute Script in Config Mode.

Test and save the rule

Test the rule to verify that it finds policy violations as expected.

If the rule includes multiple lines containing regular expressions, SolarWinds recommends testing each regular expression individually before you test the rule as a whole. You can:

  • Use an online RegEx tester to test each expression.
  • Include only one of the regular expressions in a rule, and use NCM to test that rule against your configs.
  1. Click Test to validate the rule against a device configuration.
  2. Select a config to test the rule against.
  3. Click Test Rule Against Selected Config.

    If the config violates the rule, the Results panel indicates which search strings violated the rule and whether the violation occurred because the string was found or not found.

    If the violation occurred because the string was found, you can click the arrow to display the line number in the config file.

    rules_test.png

  4. Click Select Different Config to test the rule against another config.

    SolarWinds recommends testing the rule against at least two configurations: one known to comply with the rule, and another known to violate it.

    If you are testing a regular expression that uses the $ operator, be aware that the downloaded config can contain special non-printable characters that prevent the $ operator from matching the line end. To determine if there are non-printable characters at line ends, paste lines from the config into a plain text file in a text editor. If you see extra, empty lines in the text file that are not visible in the config, those lines probably contain non-printable characters.

  5. When you have finished testing, click Close.
  6. Click Submit to save the rule in the selected folder.

Examples of search string conditions

The following sections show how to define some simple conditions, and how NCM evaluates each example.

Example 1: Config must contain at least one of multiple strings

In this example, a config must contain at least one of the following strings:

Must contain string1
OR must contain string2
OR must contain string3

NCM reports a rule violation if the config does not contain any of the strings.

conditions_or.png

Example 2: A config must contain one string and must not contain another

In this example, the first string is required, but the second cannot be included.

Must contain string1
AND must not contain string2

NCM reports a rule violation if:

  • A config does not contain string1.
  • A config contains bothstring1 and string2.

conditions_must_and_must_not.png

Example 3: Config must contain at least one string in a group and a string outside the group

This example uses parentheses to group the first two strings. A config must contain at least one of the strings in the group, as well as the third string.

(Must contain string1
OR must contain string2)
AND must contain string3

NCM reports a rule violation if:

  • A config contains either string1 or string2, but does not contain string3.
  • A config contains string3, but does not contain either string1 or string2.
  • A config does not contain any of the strings.

conditions_parentheses.png

Edit a rule

Edit a rule to reflect policy changes or to refine the search string or remediation script. For example, if policy reports return false positives on violations, edit the rule to improve the search string.

  1. Click My Dashboards > Configs > Compliance.
  2. Click Manage Policy Reports.
  3. Click the Manage Rules tab.
  4. Select a rule, and click Edit.
  5. Edit values, and click Submit.

Delete a rule

  1. Click My Dashboards > Configs > Compliance.
  2. Click Manage Policy Reports.
  3. Click the Manage Rules tab.
  4. Select a rule, and click Delete.
  5. Click Yes.

Customize alert level descriptions for rules

NCM provides three levels to specify the severity of a rule violation. By default, these levels have the following descriptions.

Level Default Description
1 Informational
2 Warning
3 Critical

You can customize the description of each level.

  1. Click Settings > All Settings.

  2. Under Product Specific Settings, click NCM Settings.
  3. In the Compliance Policy Report Management section, select Manage Violation Levels.
  4. In the text field for the level that you are changing, replace the word describing that level.
  5. Click Submit.

Learn more

After you define rules, you can create a policy and then create a policy report.

 

Last modified

Tags

Classifications

Public