A Compliance Policy stipulates conditions that the devices
must adhere to. A Compliance Policy contains Compliance Rules and
can be configured to send an e-mail action in the event that a policy
fails. Compliance Rules enable the user to combine multiple compliance
definitions to build the full validation to which a device must adhere
in order to pass a compliance test. Use this procedure to create a
compliance rule.
Before you begin
To define new Compliance Rules or edit existing Rules,
access to the User Interface wizard is required. Compliance Rules
can cover all devices in an entire network, a subset of devices or
a specific device. In defining Compliance Rules, a user must specify
the VTMOS of the devices to which the Rule applies. It is simple for
a user to copy an existing Rule and modify some of its components in
order to create a new Rule.
About this task
Follow these steps to create a Compliance Rule.
Procedure
- Select .
The Create a Rule window displays. Mandatory
fields are denoted by an * (asterisk).
- Use the following descriptions as a guide to entering the
appropriate information in the Create a Rule window.
- Name
- Specifies the name of the Compliance Rule. The maximum number
of characters for the name is 255. This is a mandatory field.
- Description
- Specifies a brief narrative attached to the newly created Compliance
Rule that explains its function or use. The maximum number of characters
for the description is 4000.
- Revision
- This number is automatically assigned and initially given a value
of 1. Each time the Compliance Rule is edited, the revision number
automatically increments by 1. This is for versioning control.
- Applicable Device Filter
- This filter selects the device VTMOS to which this rule applies.
In addition to drop-down selection for VTMOS, a regular expression
is supported for all filters. The value entered in the Model Filter
is checked against both the 'Model' and 'Actual Model' fields (as in
the Device Viewer).
Note: The devices selected
in the device filter rule must appropriately reflect the type of devices
against which all compliance definitions and remedial actions in the
rule can be applied. For example, Juniper routers must not be included
if the definitions in a rule are specific to CISCO routers only. If
in this example Juniper routers were included in the compliance rule
device filter, each of the Juniper routers would fail the compliance
evaluation, since the CISCO specific compliance definition would not
be found in the Juniper device configuration. On the other hand, if
a rule whose device filter is set appropriately is used against
a device that is not supported by that rule, the device will be marked
NA (not applicable) in the test results.
- Prev
- Go to previous selection.
- Next
- Go to next selection.
- Finish
- Finish current activity.
- Cancel
- Cancel current activity without saving.
- Click Next to continue.
The Build
Graphical Rule window displays. The Build Graphical
Rule window consists of two panes. The left hand side of
the screen consists of the Nodes section, which is used to build the
rule graphically. The nodes graphically represent the different components
that are used to assemble a rule. The right hand side of the screen
is the working area, where the nodes are assembled to construct a
rule.
- Use the following descriptions as a guide to creating the
Compliance Rule using the Build Graphical Rule window.
- Start
- The Start Node represents the starting point for the Rule. Each
rule must have a Start Node to proceed.
- Definition
- Represents a definition as chosen by the user. The Definition
Node is a decision point where an Action may be chosen depending on
whether the outcome of the Definition is true (T) or false (F). Only
one definition can be selected per Definition node.
- Compliant
- The Compliant node is connected to either the T or F condition
of the Definition Node. This Node represents device compliance.
- Non-Compliant
- The Non-Compliant node is connected to either the T or F condition
of the Definition Node. This Node represents noncompliance of devices.
A corrective action can be specified in the event that devices are
found to be noncompliant.
Note: Any of the nodes may be removed
at any stage in the design of the rule, by right clicking and selecting
Delete.
- Connecting lines
- The connecting lines link nodes together. The lines are created
by dragging the mouse between two nodes, using the small loop on the
node graphic to make the connection as shown. In case adjustment of
nodes is required, connecting lines may be removed at any time by
right clicking, and choosing delete. A label may also be added to
the connecting line.
- Adding Labels
- If a line is double-clicked, the flow properties can be modified
and a label added to the line.
- Prev
- Go to previous selection.
- Next
- Go to next selection.
- Finish
- Finish current activity.
- Cancel
- Cancel current activity without saving.
- Drag the Nodes from the resource pane over to the working
area and drop in place to compose a graphical rule consisting of T
and F conditions.
When the Definition node is dragged
across to the working area, the Select Definition window
displays.
- You must select one of the previously created Compliance
Definitions, or create a new one.
Note: A user can select
multiple definitions into a rule by repeating this step. By connecting
the next definition to the True (T) outcome of the previous definition,
the user can create AND logic between two definitions. For example,
a device is compliant if it passes Compliance Definition 1 AND Compliance
Definition 2. By connecting the next definition to the False (F) outcome
of the previous definition the user can create OR logic between two
definitions. For example, a device is compliant if it passes Compliance
Definition 1, OR, if Compliance Definition 1 is not passed, it passes
Compliance Definition 2.
- When a user drags the Non-Compliant node across to the
working area, the Select Action window displays.
When a definition is noncompliant, a corrective action may be applied
against the device to bring it back into compliance. Use the following
descriptions as a guide to specifying the appropriate corrective action
displayed on the Select Action window.
- Remedial Action
- A remedial action may be applied to the device to bring it back
into compliance. These corrective actions can be defined in advance
or on-demand when a rule is created. A corrective action is defined
based on a command set that must have been defined previously in the
ITNCM - Base application. If a device violates a rule, the corrective
action is run against the device by triggering the appropriate command
set in ITNCM - Base.
- No action
- No action to be taken.
- OK
- Confirms most recent activity and saves.
- Cancel
- Cancel current activity without saving.
- Click Next to continue.
The Choose
a Save Location window displays.
- Navigate through the tree structure, and choose the location
where you want to save the newly created Compliance Rule. Alternatively,
create a new folder from here if required.
- Click Finish to complete the creation of the Compliance
Rule.
What to do next
The application does not stop the validation process once
a Compliant/Non-Compliant verdict has been reached, and will always
validate all definitions included in a rule. In other words, even
if the first Compliance Definition in the rule already determines
the Compliant/Non-Compliant outcome, the application still validates
the device against the other Compliance Definitions in the rule and
presents their outcomes.
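
The following Python sketch is an added example, not ITNCM code or part of the original procedure. It models the AND/OR wiring of Definition nodes, the NA result for devices outside the device filter (including the Model / Actual Model check), and the validation of every definition regardless of the verdict. The node layout, the regex-based definitions, the filter matching and the sample devices are assumptions made for illustration.

```python
import re

TERMINALS = {"COMPLIANT", "NON_COMPLIANT"}

# Assumption: a definition is modelled as a regex that must match the config.
DEFINITIONS = {
    "def1": r"^service password-encryption$",
    "def2": r"^no ip http server$",
}

def node(definition, on_true, on_false):
    return {"definition": definition, "T": on_true, "F": on_false}

# AND: definition 2 hangs off the True outcome of definition 1.
AND_NODES = {"n1": node("def1", "n2", "NON_COMPLIANT"),
             "n2": node("def2", "COMPLIANT", "NON_COMPLIANT")}
# OR: definition 2 hangs off the False outcome of definition 1.
OR_NODES = {"n1": node("def1", "COMPLIANT", "n2"),
            "n2": node("def2", "COMPLIANT", "NON_COMPLIANT")}

def in_filter(device, vendor_re, model_re):
    # The model filter is checked against both 'Model' and 'Actual Model'.
    return bool(re.fullmatch(vendor_re, device["vendor"]) and
                (re.fullmatch(model_re, device["model"]) or
                 re.fullmatch(model_re, device["actual_model"])))

def evaluate(nodes, device, vendor_re=r"Cisco", model_re=r".*", start="n1"):
    if not in_filter(device, vendor_re, model_re):
        return "NA", {}
    # Every definition in the rule is validated, even when the first one
    # already decides the verdict.
    results = {n["definition"]: bool(re.search(DEFINITIONS[n["definition"]],
                                               device["config"], re.M))
               for n in nodes.values()}
    current, visited = start, set()
    while current not in TERMINALS:
        if current in visited:
            raise ValueError("rule graph contains a loop")
        visited.add(current)
        n = nodes[current]
        current = n["T"] if results[n["definition"]] else n["F"]
    return current, results

# Constructed sample devices, not taken from a real network.
CISCO = {"vendor": "Cisco", "model": "ISR", "actual_model": "ISR4331",
         "config": "hostname edge1\nno ip http server\n"}
JUNIPER = {"vendor": "Juniper", "model": "MX", "actual_model": "MX204",
           "config": "set system host-name core1\n"}
```

Calling evaluate(AND_NODES, JUNIPER, vendor_re=r".*") reproduces the over-broad filter case from the note above: the Juniper device is reported NON_COMPLIANT instead of NA.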