Creating compliance definitions using device models
Modeled definitions are based on modeled device configurations. Modeled definitions are all based on XPaths. An XPath is a search mechanism used in XML, and models an XML document as a tree of nodes. Use this procedure to create Compliance Definitions using device models.
Before you begin
A compliance definition created based on one device schema may be used against devices that are modeled using a different device schema, as long as those schemas share the nodes included in the compliance definition. In other words, the scope of a compliance definition using a device model is not limited to the devices defined by the VTMOS that was used to retrieve the schema on which the definition was built.
Read the following information about parameters before beginning this procedure:
- Parameters defined in Modelled Definitions will automatically be passed to remedial actions, if configured to do so.
- Parameters passed to remedial actions can be viewed in the Remedial queue under the “parameters” column.
- Parameters defined in remedial commandsets need to have the same name as parameters defined in remedial command sets in ITNCM - Base.
Note: Placing a parameter inside another parameter is not supported.
It is simple for a user to copy an existing definition, and modify some of its components to create a new definition.
Use the Create a Definition window of the User Interface to create a new compliance definition using device models.
About this task
Follow these steps to create a Compliance Definition using device models.
Procedure
- Select Create->Compliance Definition.
The Create a Definition window displays.
- Use the following descriptions as a guide to entering the appropriate information in the Create a Definition window.
- Name
- Name chosen to identify the compliance definition. The maximum number of characters for the name is 255. This is a mandatory field.
- Description
- Brief narrative attached to the compliance definition to be created that explains its function and use. The maximum number of characters is 4000.
- Revision
- This number is automatically assigned and initially given a value of 1. Each time the compliance definition is edited, the revision number increments by 1. This is for versioning control. The revision changes only if the entity is active.
- Select Definition Type
- Radio buttons that allow you to create the following types of compliance definitions:
| Radio button | Description |
| --- | --- |
| Create compliance definition using CLI configuration lines | Select this definition type if you want to define a Compliance Definition with a native definition that uses a stored configuration. Selecting this option causes the Enter Native Definition Details (CLI configuration lines) window to display. |
| Create compliance definition using Native Commands | Select this definition type if you want to define a Compliance Definition with Native Commands. Selecting this option causes the Enter Native Definition Details (Native Commands) window to display. |
| Create compliance definition using a Device Model | Select this definition type if you want to define a Compliance Definition with a modeled definition. Selecting this option causes the Enter Modeled Definition Details window to display. |
| Create compliance definition using a Script | Select this definition type if you want to define a Compliance Definition with a script. Selecting this option causes the Enter Script-Based Definition Details window to display. |
| Create compliance definition using a Golden Configuration | Select this definition type if you want to define a Compliance Definition using a device's golden configuration as a template for automatically generating evaluations. Selecting this option causes the Select a Golden Device window to display. |
- Prev
- Go to the previous selection.
- Next
- Go to the next selection.
- Finish
- Complete process.
- Cancel
- Cancel activities.
- Select the Create compliance definition using a Device Model radio button, and then click Next.
The Enter Modeled Definition Details window displays.
- Use the following descriptions as a guide to entering the appropriate information in the Enter Modeled Definition Details window.
- VTMOS
- Choose a device schema by selecting VTMOS combination.
- Retrieve Model
- Selecting the Retrieve Model button presents an XML model (or device schema) of all configurable parameters available for the VTMOS selected.
- Modeled Definition
- Direct XPath is more commonly used in a simple definition, where only one logical entity is being searched for. If the entity is not unique, or there is more than one node, only the first occurrence of the entity being searched for will be tested. The schema should be chosen using the node navigation tree.
Contextual XPath should be used to test all nodes of a certain type, for example, test all FastEthernet Interfaces where the context becomes FastEthernet. The context should be chosen using the node navigation tree in the left hand window pane. Once the context of the validation has been set, the nodes that will be validated within this context must be selected in the right hand pane.
- XPath
- XPath will be populated with the schema path chosen.
- Add Evaluation
- This button invokes the wizard for adding a modeled definition evaluation.
- Evaluation List
- Lists all XPaths alongside test conditions and match criteria.
- Evaluation List Criteria
- Use the following evaluation list criteria.
- Match All — Match All evaluations added to the Compliance Definition.
- Match Any — Match Any of the evaluations added to the Compliance Definition.
- Match None — None of the evaluations added must be found in the Device Configuration.
- Match One — Match only One of the evaluations added to the Definition. If more than one of the evaluations are matched, the match fails.
- Match Exactly — Identically match all evaluations added to the definition, including the number of evaluations selected.
Note: When using Match Exactly logic with an extraction or group parameter, the XPath option 'matches' must be selected. This is only applicable to modeled definitions.
- Match Specific Number — Matches a specific number of evaluations as defined by the user. For example, Match 2 out of the 6 evaluations listed. This choice activates an integer field called Specific Number.
- Number
- This is activated when the Match Specific Number is chosen. An integer must be entered here.
- Manual Override
- This allows the XPath to be overridden through a process of manually altering the Context/Defined XPath.
- Update
- Updates screen.
- Edit
- Edits current selection.
- Delete
- Deletes current selection.
- Test
- The definition test button is enabled when editing or creating a definition, but not when opening a definition. Also, it is only available for modeled and native definitions (not scripts).
- You use the definition test functionality to execute a definition against all open tabs, and view the results.
- You can test definitions using native CLI configuration lines, native commands or device models. You can view results in the evaluation list either in detail, or as a summary.
Definition Test window elements
- Definition Test window
- When you click Test, the Definition Test window is displayed (it resembles the Regex Tool window).
When you import definitions from a device, the type of definition you are creating determines what content is imported from the device:
- For modeled and golden configuration definitions
- Imports the xml configuration from the device.
- For native CLI definitions
- Imports the CLI configuration for the device.
- For native commands definitions
- Imports the show commands from the device into the text area in the tab.
Warning: Importing a text file from a file with an xml extension may result in an error when you execute the test.
- Tabs
- You can add as many tabs as your memory allows. The definition is applied to each tab and the results are flagged on the tabs.
- Green flag
- Passed
- Red flag
- Failed
- Yellow flag
- Not assessed
- Evaluation list
- Results are displayed in the Evaluation list under a number of columns.
- Evaluation
- 532: Is the same as XPath
- 533: Is the same as Evaluation Line
- 534: Is the same as Evaluation Line
- This is the search criteria for the Definition or the XPath to search for in the case of Device Models
- Match Criteria
- The criteria used to match the device configuration: Match All, Match Any, None, One, Exactly, Specific Number
- Match Criteria Argument
- 532: Is the same as Number
- 533: Is the same as Number
- 534: Is the same as Number
- Only available on group parameters and extractions. Same as Match Specific Number.
- Default Result
- The default result is the value defined in the Evaluation Result if Context not found option, that is, one of Fail, Pass, Not Assessed, and Not Applicable.
Note: If there are a number of different results, the overall result will be Pass as long as there are no Fails in the result. For example, you may have two Not Applicable results and one Pass, or all Not Applicable; the overall result will be Pass.
- User can opt to choose the result they wish to receive if the context is not found. The options are: Fail, Pass, Not Assessed, Not Applicable.
- Result
- Green text = Pass, Red text = Fail, Yellow text = Not Assessed/Not Applicable, Blue text = Error
Restriction: Script parameters and extractions are not supported in test evaluation lists. If any are found in the evaluation they will not be assessed during the test, and the overall definition result will be not assessed.
- Details mode
- You can toggle between Details and Summary mode to select the level of detail displayed in the test results. When in Summary mode, you can click on each evaluation to display detailed results.
- Clear all
- Clears the results from the Evaluation List and tabs.
- Test
- Click to run the test.
- Close
- Closes the Definition Test window.
Note: The test tabs are only available when the window is open.
- Menu bar
- All options described are also available from the menu bar (File, Edit, Mode, Tabs).
- If you clicked the Add Evaluation button, the Add Modelled Definition Evaluation window displays. The fields on this window allow the user to define the parameters to the command. Use the following descriptions as a guide to filling in the fields displayed in the Add Modelled Definition Evaluation window.
- Node
- The node chosen for the modeled definition.
- Node description
- The description of the logical entity and name of the node selected are automatically populated here. This information is retrieved from the device schema based on the XPATH defined in the previous step and cannot be changed by the user.
- XPath Function
- The following table describes the syntax associated with an XPath Function:
| XPath syntax | Description |
| --- | --- |
| = | Equal to |
| != | Not equal to |
| > | Greater than |
| >= | Greater than or equal to |
| < | Less than |
| <= | Less than or equal to |
| Matches | Allows Regex to be entered. |
| Contains | Indicates that the specified argument is contained in the string. |
| Starts-with | The string starts with the specified argument. |
| Ends-with | The string ends with the specified argument. |
- Argument
- The value you want to search on specifically. This can be left empty to find all.
- Show CLI Text Boxes
- When selected this will show unmodeled commands. Normally the node will be ARG.999.
- Parameters
- This is an optional field. This field provides a drop down list for the type of parameter you want. There is also an Insert Parameter button used to insert the parameter.
Note: Placing a parameter inside another parameter is not supported.
When an argument in the Argument List is selected, the Argument Details in the lower section of the screen is populated. If changes are required to the Argument Details, they can be made at this point. Select Update to save amendments to the argument.
- Click Next to continue.
The Enter test condition window displays. The test conditions are used to decide whether you want to test for the presence or absence of the CLI, or in the case of some Cisco commands, to check for the presence of the no form of the command (for example, no ip http server).
- Use the following descriptions as a guide to filling in the fields displayed in the Enter test condition window.
- Test Condition
- Specifies one of the following test conditions that you can select from the dropdown list:
| Test condition | Description |
| --- | --- |
| Present in Config | Searches to locate the test condition in the configuration. |
| Not Present in Config | Searches to ensure that the test condition does not appear in the configuration. |
| Present and Disabled in Config | Searches to locate the test condition in the configuration. However, contrary to the Present in Config condition, this search looks for conditions in the configuration that are present but are disabled. For instance, in most Cisco devices entities are prefixed by "no" if they are disabled but present, for example, 'no ip proxy-arp' or 'no ip bootp server'. |
- Match Criteria
- The following table describes the Match Criteria syntax:
- Match All - Match all hits in the target device configuration. For example, if a contextual XPath gets 3 hits in a target device configuration, each hit must satisfy the defined XPath, or the match will fail.
- Match Any - Match any of the hits in the target device configuration.
- Match None - Match none of the hits in the target device configuration.
- Match One - Match any of the hits in the target device configuration. If more than one are matched, the match fails.
- Match Exactly - Identically match all hits in the target device configuration.
- Match Specific Number - Matches a specific number of hits in the target device configuration as defined by the user. For example, Match 2 out of the 6 hits listed. This choice activates an integer field called Specific Number.
- Specific Number
- This is activated when the Match Specific Number is chosen. An integer must be entered here.
- Evaluation result if context not found
- Specifies the result to receive if the context is not found. The options are: Fail, Pass, Not Assessed, and Not Applicable.
If there are a number of different results, the overall result will be Pass as long as there are no Fails in the result. For example, you may have two Not Applicable results and one Pass, or all Not Applicable; the overall result will be Pass.
- Click Finish to complete the Modeled Definition Evaluation.
The Enter Modeled Definition Details window displays again.
- Click Next to continue.
The Choose a Save Location window displays.
- Navigate through the tree structure, and choose the location to which you want to save the Compliance Definition. Alternatively, you can create a new folder from here if required.
- Click Finish to complete the creation of the Compliance Definition.
What to do next
You can create another Compliance Definition using a device model by following the instructions in this procedure.
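The difference between a direct and a contextual XPath, and the effect of the hit-level match criteria, as an added example that is not ITNCM code. The XML, its element names and the `direct` and `contextual` helpers are constructed for illustration, Python's ElementTree stands in for the product's XPath engine, Match Exactly is left out, and Match Specific Number is assumed to mean exactly that many hits.

```python
import xml.etree.ElementTree as ET

# Constructed modeled configuration; element names are assumptions for this
# example, not taken from a real device schema.
CONFIG = """<configuration><interface>
  <FastEthernet><Name>0/0</Name><ProxyArp>disabled</ProxyArp></FastEthernet>
  <FastEthernet><Name>0/1</Name><ProxyArp>enabled</ProxyArp></FastEthernet>
  <FastEthernet><Name>0/2</Name><ProxyArp>disabled</ProxyArp></FastEthernet>
</interface></configuration>"""
ROOT = ET.fromstring(CONFIG)

def direct(root, xpath, expected, if_missing="Not Assessed"):
    """Direct XPath: only the first occurrence of the node is tested."""
    node = root.find(xpath)
    if node is None:
        return if_missing
    return "Pass" if node.text == expected else "Fail"

def contextual(root, context, node, expected, criteria, number=None,
               if_context_missing="Not Assessed"):
    """Contextual XPath: test `node` inside every hit of `context`.

    Returns (result, names of the hits that did not match).
    """
    hits = root.findall(context)
    if not hits:
        return if_context_missing, []
    misses = [h.findtext("Name") for h in hits if h.findtext(node) != expected]
    matched = len(hits) - len(misses)
    ok = {
        "all": matched == len(hits),
        "any": matched >= 1,
        "none": matched == 0,
        "one": matched == 1,
        "specific": matched == number,  # assumed: exactly `number` hits
    }[criteria]
    return ("Pass" if ok else "Fail"), misses

if __name__ == "__main__":
    # The direct test passes on 0/0 and never looks at 0/1.
    print("direct:", direct(ROOT, "interface/FastEthernet/ProxyArp", "disabled"))
    for crit in ("all", "any", "none", "one"):
        print(crit, contextual(ROOT, "interface/FastEthernet", "ProxyArp",
                               "disabled", crit))
```

The direct test reports Pass because the first FastEthernet node is compliant, while the contextual test with Match All fails and names interface 0/1, which is why a control that must hold on every interface belongs in a contextual XPath.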