Create Compliance Policy

This section creates a policy for a Cisco IOS device configuration using the Rule Set created in the previous section.

  1. Click the [Compliance] main tab.

  2. Click the [Compliance Policy] subtab.

  3. Click the [Create] button.

In this example, “Search” is selected in the Editor window’s [Devices] tab.

Note:

The behavior of the “Search” and “Static list” settings is identical in the [Compliance] main tab > [Compliance Policy] subtab Editor window and the [Jobs] main tab > [Job Management] subtab Editor window.

When search rules are used, the device search is re-run every time a violation check is activated, and the violation check is then performed on the devices found.

The search result is not saved with the policy.

  1. In the Editor window, click the [Rule Set] subtab.

  2. Click the button.

  3. Select a Rule Set and click [Add].

In this example, the “IOS Secure Enable Password” Rule Set is selected.

  4. Select an Action for the rule. A different Action can be set for each Rule Set.

In this example, the Action is set to “Violation on match”.

If no Actions are displayed, check the policy's adapter and the adapter type of the Rule Set; the two must match.

  5. Save the policy.

Note:

Activate the policy after saving. Simply creating a policy does not check for violations.

Applying a Compliance Policy

After you create a policy, you need to enable it.

  1. Click [Compliance] > [Compliance Policy].

  2. Select the policy and click the [Enable] button.

A pie chart is displayed that lets you check the violation status.

If a device violates the policy, the policy icon changes. Depending on the severity of the problem, an orange warning icon or a red error icon is displayed.

For more information about severity icons, refer to the Perform a Backup and Backup Status sections.

Double-click the changed icon to open the Editor and view the details of the violation.

The violation icon also appears in the device view. Double-click the icon to see the details of the violation.

Automatic Remediation Function

By combining the compliance function and the Smart Change function, it is possible to automatically execute a pre-specified Smart Change job when a compliance violation is detected. This allows you to immediately resolve compliance violations.

Setting Process

  1. Create a Smart Change job (the job to be executed when a compliance violation occurs).

  2. Create a Rule Set for the compliance violation (create the violation rule and link it to the Smart Change job).

  3. Create a compliance policy (associate the Rule Set with devices and configure the detection settings).

The following explains the setup using two configuration examples.

Case 1: Read-write access is prohibited in the SNMP community settings

  1. Click the [Jobs] main tab > [Job Management] subtab.

  2. Click [New Job] > [Smart Change].

  3. Enter the job name and comment (optional).

  4. Check “Use remediation job”, select the device adapter, and click [OK].

This setting is required to link the job to a Rule Set.

  5. Enter the command you want the template to run.

  6. Select the part you want to convert into a variable and click the button.

Note:

Skip this step if you want to execute the command as is, without converting any part of it into a variable. In this example the community name is taken from the device configuration, so the community name part of the command is converted into a variable.

  7. Enter the variable “Name” and click [OK].

  8. Save the settings.

  9. Click the [Compliance] main tab > [Rule Sets] subtab, and click [Create].

  10. Enter the rule name, select the adapter, and click [OK].

Select the adapter you selected when creating the Smart Change job.

  11. Click the button to add a “Match Expression”.

  12. In the “Variable” section in the bottom half of the page, specify the community name as the Smart Change Variable.

  13. In the “Match Expression” section in the top half of the page, add ~ before and after the variable name.

  14. Set the Action to “Violation on match”.

  15. In the bottom right of the panel, click the […] button next to “Remediation job” and specify the Smart Change job to be executed in the event of a violation. Only one job can be specified.

  16. Save your settings.

  17. Click the [Compliance] main tab > [Compliance Policy] subtab, and click [Create].

  18. After entering the “Name”, select the adapter and the target configuration file, and click [OK].

  19. Click the button.

  20. Select the Rule Set and click [Add].

  21. Click [Save].

  22. Select the compliance policy you created and click [Enable].

Case 2: No access list applied to the interface

  1. Click the [Jobs] main tab > [Job Management] subtab > [New Job] > [Smart Change].

  2. Enter the job name and comment (optional).

  3. Check “Use remediation jobs”, select the device adapter, and click [OK].

This setting is required to link the job to a Rule Set.

  4. Enter the command you want the template to run.

  5. Select the part you want to convert into a variable and click the button.

Note:

Skip this step if you want to execute the command as is, without converting any part of it into a variable.

  6. Enter the variable name and click [OK].

  7. Click [Save].

  8. Click the [Compliance] main tab > [Rule Sets] subtab, and click [Create].

  9. After entering the rule name, select the adapter and click [OK].

Select the adapter you selected when creating the Smart Change job.

  10. In the Editor at the bottom of the page, click the [General] tab and select “Apply to Blocks”.

  11. Specify the block to which the rule applies using “Start” and “End”.

  12. In the “Variable” section in the bottom half of the Editor, specify the interface number as the Smart Change Variable.

In the “Start” field at the top of the page, add ~ before and after the variable name.

  13. Double-click the added variable and add a text filter.

In this example the rule targets GigabitEthernet interfaces, so “GigabitEthernet” (the interface name exactly as it appears in the IOS configuration, without a space) is specified.

  14. Click the button to add the matching conditions.

  15. In the bottom right of the panel, click the “Remediation job” […] button and specify the Smart Change job to be executed in the event of a violation. Only one job can be specified.

  16. Save your settings.

  17. Go to [Compliance] > [Compliance Policy] and click [Create].

  18. After entering the “Name”, select the “Adapter” and the target “Configuration” file, and click [OK].

  19. Click the button.

  20. Add the Rule Set.

  21. Click [Save].

  22. Select the compliance policy you created and click [Enable].
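As an added illustration of what Case 1 and Case 2 actually evaluate (example code written for this page, not the product's own compliance engine), the following Python script applies both Rule Sets to a constructed IOS configuration and renders the remediation commands the linked Smart Change jobs would run. It assumes: the ~variable~ placeholder convention described above, a regular expression standing in for each variable's text filter, “violation on no match” inside the interface block as the action for Case 2 (the page does not name it), and constructed Smart Change templates (the ACL name EDGE-IN and the “no snmp-server community” command are illustrative, not taken from the page).

```python
import re

# Constructed sample running-config for the walk-through (not from a real device).
# It has one RO community, two RW communities, one GigabitEthernet interface with
# an access-group, one without, and a Loopback that the text filter must skip.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
snmp-server community public RO
snmp-server community netmgmt RW
snmp-server community 0ps-rw RW 10
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group EDGE-IN in
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
"""


def expand_expression(expr, variables):
    """Compile a Match Expression such as 'snmp-server community ~community~ RW'.

    Literal text is matched exactly; each ~name~ placeholder becomes a named
    capture group whose pattern comes from `variables` (standing in for the
    variable's text filter). The result is anchored to the start of a line.
    """
    parts = re.split(r"~(\w+)~", expr)
    pattern = "".join(
        re.escape(part) if i % 2 == 0 else "(?P<%s>%s)" % (part, variables[part])
        for i, part in enumerate(parts)
    )
    return re.compile("^" + pattern, re.MULTILINE)


def find_blocks(config, start_expr, variables, end="!"):
    """Split the config into blocks the way 'Apply to Blocks' does.

    A block begins at a line matching the Start expression and ends at the End
    line. Each block carries the variables captured from its Start line and the
    body lines between Start and End. Lines outside any block are ignored.
    """
    start_re = expand_expression(start_expr, variables)
    blocks, current = [], None
    for line in config.splitlines():
        match = start_re.match(line)
        if match:
            current = {"vars": match.groupdict(), "lines": []}
            blocks.append(current)
        elif current is not None:
            if line.strip() == end:
                current = None
            else:
                current["lines"].append(line)
    return blocks


def check_snmp_rw(config):
    """Case 1, action 'Violation on match': every RW community line is a
    violation, and the captured community name is handed to the remediation job."""
    rule = expand_expression("snmp-server community ~community~ RW",
                             {"community": r"\S+"})
    return [m.groupdict() for m in rule.finditer(config)]


def check_interface_acl(config):
    """Case 2, block rule: a GigabitEthernet interface block that contains no
    'ip access-group' line is a violation (assumed 'violation on no match')."""
    blocks = find_blocks(config, "interface ~ifnum~",
                         {"ifnum": r"GigabitEthernet\S+"})  # text filter
    return [b["vars"] for b in blocks
            if not any(l.strip().startswith("ip access-group ") for l in b["lines"])]


def render_remediation(template, variables):
    """Fill the Smart Change template's ~var~ placeholders from a violation."""
    return re.sub(r"~(\w+)~", lambda m: variables[m.group(1)], template)


# Assumed Smart Change templates (constructed for this example).
SNMP_REMEDIATION = "no snmp-server community ~community~"
ACL_REMEDIATION = "interface ~ifnum~\n ip access-group EDGE-IN in"


def run_policy(config=SAMPLE_CONFIG):
    """Evaluate both Rule Sets against one config and return a
    (rule, captured variables, remediation commands) tuple per violation."""
    results = []
    for v in check_snmp_rw(config):
        results.append(("snmp-rw", v, render_remediation(SNMP_REMEDIATION, v)))
    for v in check_interface_acl(config):
        results.append(("intf-acl", v, render_remediation(ACL_REMEDIATION, v)))
    return results


if __name__ == "__main__":
    for rule, variables, commands in run_policy():
        print("VIOLATION %-9s %s" % (rule, variables))
        print("  remediation:", commands.replace("\n", " / "))
```

Two points worth noticing when you build the real rules: the SNMP expression is not anchored at the end of the line, so a community that carries a trailing ACL number (“RW 10” above) is still caught, which is what you want; and the interface rule only works because the text filter excludes non-Gigabit blocks before the “no match” test runs, otherwise every Loopback and management interface without an access-group would be flagged and remediated.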