3 Replies Latest reply on Aug 29, 2012 6:41 PM by fcaron

    Negate a match

      Dumb question - how can I negate a match in Cirrus Policy Manager?  I'd like to match on a pattern and negate it so that the rule fails if it finds any further similar commands.  For instance, in a config, I have two TACACS servers defined:

      set tacacs server primary
      set tacacs server

      I want my rule to match only these two TACACS servers - if the policy manager finds any others, it should fail.  Here's the current rule I have set up:

      set tacacs server 192\.168\.(219|230)\.6( primary)?

      I'd like to negate the match on 192.168.(219|230).6 so that if, for instance, shows up, the policy manager will report it.  I've tried using the exclamation point, but it doesn't seem as though the regex engine that Cirrus uses accepts that as a character class. 

      Or, is there a better way to do this without negation?
        • Re: Negate a match

          I do not have an answer, but I have a similar situation.

          After checking for ACL compliance of a particular ACL; I want to report on any additional ACL assignments not already defined by the Policy rules.

          I want to report on any added device ACL rules that are not part of the defined Cirrus ACL rules.

          I do not know about a negation option within the RedEx engine; but I thought allowing the use of Boolean logic between defined rules would be beneficial.

            • Re: Negate a match

              The best solution I have been able to come up with, is a pattern match across multiple lines (i.e. block of text).

              For an acl list, this means that you can include the remark at the top of the access list, and the deny any at the bottom.

              So for an acl like this...


              access-list 49 remark Management Server
              access-list 49 permit
              access-list 49 deny   any

              You can create a rule like this...

              access-list 49 remark Management Server\s+access-list 49 permit 10\.1\.1\.11\s+access-list 49 deny   any


              Not perfect, but without a true negation option it appears all we have.Dave.
            • Re: Negate a match

              We just introduced a new product which should help: FSM, Firewall Security Manager, more here