I have been looking for a place where we can share rules for policies created for NCM. I have been trying to create one such policy where it detects if port security is enabled on all switch ports, not trunks. If anyone can help out here it would be a great +. I know there was a previous thread about STIGs for the government and I think that is going to take a while, so why don't we start sharing some of those STIG implementations to help each other out. Thanks for the assistance.
Anyone know how to perform a rule for the following on a Cisco Firewall:
ip verify reverse-path interface <ifname>
Check that this command exists for all interfaces on the firewall except the stateful failover interface.
The zone names vary from firewall to firewall.
I never knew you could negate the whole rule. So if I wanted to do something like:
Search for an interface that contains ip nat outside, if so it must contain ip inspect FW in.
Im trying to negate the rule with two OR, 1st must not contain ip nat outside or encapsulation dot1q.
Only seems to work with or ip nat outside. IM getting caught on the encapsulation part as we have mpls interfaces that also have ip nat outside too but we dont use the inspect for these as they are mpls. The others are internet interfaces which we do. It doesnt like the 2nd OR for encapsulation but not too sure why.
You need to user parentheses to make make rules inclusive of eachother, like above do you want (rule2 or rule3) or do you want (rule 1 and rule 2) or rule 3 or rule 4. Hopefully this makes sense to you, if not trial an error will probably yield the results. Keep in mind this is just a truth table of AND, OR operations with a resulting 1 or 0 once calculated.
I don't think I can really explain it better as this is one of those things that each person grasps in their own way.
Make a config block based on a multiline regex
Then look for what you want after you have the mulitline regex config block working.
If you paste an example block of what you WANT it to look like, I will type it up and screenshot it for you.
I'm trying to build a rule which performs something similar to the above:
A rule which checks that if spanning-tree portfast or storm-control broadcast level 1.00 or Port Security is enabled on all switchports except trunks. (this would be spilt in 3 different rules but the idea would be the same)
description ABCDEFG [optional]
switchport access vlan Z
switchport mode access
no logging event link-status
no snmp trap link-status
Another example would be if an interface contains a description called Internet, check that the interface contains ip access-group Internet-in in or ip nat outside.
description Internet interface (ISP Abcdefg)
ip address x.x.x.x y.y.y.y
ip access-group Internet-in in
ip access-group Internet-out out
ip inspect FW in
ip inspect FW out
ip nat outside
Most of my rules are working but rules like these are difficult and catch me out. (My Regex wouldn't be the best)
Any help would be great.
rkearney, This requires the port not be shut down and as well it gives you an idea of the second rule as to how to require something else as well. I should also explain that you can conditional like this and then follow it all with an OR must not contain whatever the condition was. Let me know if you have any further issues as I feel this should be enough to get you going
This looks great. Totally forgot about the 'must not contain' function.
How about something like this:
I want to look for interfaces that have 'switchport access vlan 999'
and if so must contain 'no cdp enable'
2nd part is easy but how do i trigger the 1st part.
I cant say must contain right, as if a switchport is in any other vlan it will violate.
Basically vlan 999 or 999 contains untrusted devices in our network like Internet routers which we want to turn off cdp neighbor.
Simply do a ( Must Contain String "switchport access vlan 999"
and Must Contain String "no cdp enable" )
Or Must not contain String "switchport access vlan 999"
With the parentheses to make the first two rules inclusive of eachother. Then you negate the whole thing if switchport access vlan 999 is not found.
I am still looking and have not found anything. I did look in the NCM Content Exhange but nothing besides the complex SQL's. If you know of anything to help me out please let me know. Thank you..
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.