Creating rules through NCM Policy

I have been looking for a place where we can share rules for policies created for NCM.  I have been trying to create one such policy where it detects if port security is enabled on all switch ports, not trunks.  If anyone can help out here it would be a great +.  I know there was a previous thread about STIGs for the government and I think that is going to take a while, so why don't we start sharing some of those STIG implementations to help each other out.  Thanks for the assistance.

11 Replies

Anyone know how to perform a rule for the following on a Cisco Firewall:

ip verify reverse-path interface <ifname>

Check that this command exists for all interfaces on the firewall except the stateful failover interface.

The zone names vary from firewall to firewall.


I never knew you could negate the whole rule. So if I wanted to do something like:

Search for an interface that contains ip nat outside; if so it must contain ip inspect FW in.

I'm trying to negate the rule with two ORs: 1st must not contain ip nat outside or encapsulation dot1q.

Only seems to work with or ip nat outside. I'm getting caught on the encapsulation part as we have MPLS interfaces that also have ip nat outside too, but we don't use the inspect for these as they are MPLS. The others are internet interfaces, which we do. It doesn't like the 2nd OR for encapsulation but not too sure why.

[Attached screenshot: IP_InspectFW_Rule.JPG]

rkearney

You need to use parentheses to make rules inclusive of each other. Like above, do you want (rule 2 or rule 3), or do you want (rule 1 and rule 2) or rule 3 or rule 4?  Hopefully this makes sense to you; if not, trial and error will probably yield the results.  Keep in mind this is just a truth table of AND, OR operations with a resulting 1 or 0 once calculated.

I don't think I can really explain it better as this is one of those things that each person grasps in their own way.


Does anyone know how to do this? I'm looking for this rule.


Make a config block based on a multiline regex

Then look for what you want after you have the multiline regex config block working.

If you paste an example block of what you WANT it to look like, I will type it up and screenshot it for you.


I'm trying to build a rule which performs something similar to the above:

Example 1:

A rule which checks that spanning-tree portfast, or storm-control broadcast level 1.00, or Port Security is enabled on all switchports except trunks. (This would be split into 3 different rules, but the idea would be the same.)

interface FastEthernet/GigabitEthernetX/Y
 description ABCDEFG          [optional]
 switchport access vlan Z
 switchport mode access
 no logging event link-status
 no snmp trap link-status
 spanning-tree portfast

Another example would be if an interface contains a description called Internet, check that the interface contains ip access-group Internet-in in or ip nat outside.

interface [internet-interface]
 description Internet interface (ISP Abcdefg)
 ip address x.x.x.x y.y.y.y
 ip access-group Internet-in in
 ip access-group Internet-out out
 ip inspect FW in
 ip inspect FW out
 ip nat outside

Most of my rules are working, but rules like these are difficult and catch me out. (My regex wouldn't be the best.)

Any help would be great.

[Attached screenshot: ThwackTestRule.jpg]

rkearney, this requires the port not be shut down, and it also gives you an idea of the second rule as to how to require something else as well.  I should also explain that you can do a conditional like this and then follow it all with an OR must not contain whatever the condition was.  Let me know if you have any further issues, as I feel this should be enough to get you going.

This looks great. Totally forgot about the 'must not contain' function.

How about something like this:

I want to look for interfaces that have 'switchport access vlan 999'

and if so must contain 'no cdp enable'

2nd part is easy, but how do I trigger the 1st part?

I can't say must contain, right, as if a switchport is in any other vlan it will violate.

Basically vlan 999 or 999 contains untrusted devices in our network like Internet routers which we want to turn off cdp neighbor.


rkearney

Simply do a  ( Must Contain String "switchport access vlan 999"

and Must Contain String "no cdp enable" )

Or Must not contain String "switchport access vlan 999"

With the parentheses to make the first two rules inclusive of each other.  Then you negate the whole thing if switchport access vlan 999 is not found.
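The rule logic discussed above, as an added worked example that is not from this thread or from NCM itself: it splits a config into interface blocks and evaluates both the (A and B) or not A form from the reply above (A = "switchport access vlan 999", B = "no cdp enable") and the original question's check that access ports, but not trunks, carry port security. The sample config and interface names are constructed.

```python
# Constructed sample IOS config (not from the thread): two VLAN-999 ports, one ordinary access port, one trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 999
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/2
 switchport access vlan 999
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
 switchport mode access
 switchport port-security
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

def interface_blocks(config):
    """Split a config into {interface: [commands]}; each block runs from an
    'interface' line to the next unindented line (the NCM config block idea)."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks
def has(block, text):
    """'Must Contain String': the exact command, or a prefix of a longer one."""
    return any(l == text or l.startswith(text + " ") for l in block)
def violates_cdp_rule(block):
    """(A and B) or not A, A='switchport access vlan 999', B='no cdp enable'."""
    a, b = has(block, "switchport access vlan 999"), has(block, "no cdp enable")
    return not ((a and b) or not a)  # True means the interface fails the rule
def violates_port_security_rule(block):
    """Original question: every access port (not trunks) must carry port security."""
    return has(block, "switchport mode access") and not has(block, "switchport port-security")
def check(config):
    """Map each non-compliant interface to the names of the rules it fails."""
    rules = {"cdp": violates_cdp_rule, "port-security": violates_port_security_rule}
    return {name: failed for name, block in interface_blocks(config).items()
            if (failed := [r for r, fn in rules.items() if fn(block)])}
```

Running check(SAMPLE_CONFIG) flags Gi1/0/1 for port security only and Gi1/0/2 for both rules; the vlan 10 port and the trunk pass.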


Hi DMJ--

Did you get the information you needed? Have you tried looking at the NCM area of the Content Exchange?


I am still looking and have not found anything.  I did look in the NCM Content Exchange, but nothing besides the complex SQLs.  If you know of anything to help me out, please let me know.  Thank you.