
Policy Manager - Is there a way to...

Ok, trying to figure out Policy Manager and I just upgraded to the newer 6.1 which appears to add a ton of new functionality, so I'm wondering if it can do something I'd like it to.

We restrict our firewalls so that only SSH and ASDM connections from certain IPs can connect. So we have several lines similar to:

ssh IP1 255.255.255.255 MgmtInterface

ssh IP2 255.255.255.255 MgmtInterface

ssh IP3 255.255.255.255 MgmtInterface

I know how to put it into the policy manager to check and make sure these specific lines and IPs are there, that part is easy. What I want to do is know when another unauthorized management IP or subnet gets added to this list. Is there a way to do that?

If not, it would be nice to be able to do things like this!! I could see it being useful in cases such as this and with other things like SNMP communities too, i.e. check to see that your authorized SNMP communities are there, but no others...

  • Interesting use case, not supported in 6.1. Created an enhancement (46497). Others?

  • Absolutely!

    There are quite a few cases I can think of, off the top of my head, where this would be handy.

  • Wasn't this possible in NCM 6.0 with regular expressions (I might be wrong, but I thought that's what I read)?

    If not, that would definitely be something needed.

  • Wow, I'm pretty disappointed that this feature doesn't exist. We just purchased this product for its "compliance" features that were so highly touted. How can you sell a product as being able to report for compliance when you can't verify that additional rules are not in the configs? What if someone were to put a permit ip any any in my firewall ACLs? How would I know?

  • I think this might have been incorrect information; if not... I can basically stop the project of implementing policy reporting with NCM 6.1 before we even started.

    I am quite sure though that I read that you can use regular expressions for this...

    @Francois, could you please double-check this for us?

  • We are doing something similar with ACL policies for PCI.

    Create a text file that matches your desired config block.

    Then identify a begin and end line.

    The rule will fire based on a config match with the contents of the text file.

    We are just getting started with this, but we see many applications.

  • Hi Francois,

    I am still waiting for your email response to the two questions I had (including this one).

    Were you able to get some information?

  • Hi Questionario--

    I'll ding Francois on this for you.

    M

  • Hi cnorborg,

    During a discussion with Francois I created a regex with your use case as an example.

    The following regex will match if it finds the line "ssh <IP> <subnetmask> MgmtInterface" and the IP is not 10.10.10.1/32 or 10.10.10.3/32. You have to create an advanced regex rule that "must not contain" the following:

    ---

    ^(?:ssh )(?:((?:(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))) ((?:(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))))(?<!(?:(?:(?:10\.10\.10\.1)|(?:10\.10\.10\.3))(?: )255\.255\.255\.255))(?: )(?:MgmtInterface)$

    ---

    This rule does NOT check if these two IPs are in the config (as I assume you already have a rule for that) but rather checks that no other IPs are in the config.

    To make it short: with regex (which NCM supports) it should be possible to test ANYTHING in the config; the only problem is that it is very complex and difficult to create if you do not know regex.
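As an added illustration (not code from the thread or from NCM), the following Python script runs the "must not contain" regex from the previous post over a constructed firewall config and reports the ssh management lines it flags. It also generalises the rule to an arbitrary allowlist; the generalised form uses a negative lookahead rather than the post's lookbehind, because Python's `re` requires fixed-width lookbehinds. Names such as `build_rule`, `unauthorized_ssh_lines` and the sample config are this example's own.

```python
import re

# Octet and dotted-quad pieces, the same ones the post's regex spells out inline.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
IPV4 = rf"(?:{OCTET}\.){{3}}{OCTET}"

# The post's "must not contain" regex, rebuilt from the pieces above: a line
# "ssh <ip> <mask> MgmtInterface" whose ip/mask is not 10.10.10.1/32 or 10.10.10.3/32.
# Only MgmtInterface lines are covered; an "ssh ... outside" line is never seen by it.
POST_RULE = re.compile(
    rf"^(?:ssh )(?:({IPV4}) ({IPV4}))"
    r"(?<!(?:(?:(?:10\.10\.10\.1)|(?:10\.10\.10\.3))(?: )255\.255\.255\.255))"
    r"(?: )(?:MgmtInterface)$",
    re.MULTILINE,
)


def build_rule(allowed, interface="MgmtInterface"):
    """Generalisation added here: the same check for any allowlist of (ip, mask) pairs.

    Python's re needs fixed-width lookbehinds, so the allowed pairs go into a
    negative lookahead right after "ssh "; that also works when the allowed
    addresses differ in length (e.g. 10.0.0.0/8 next to 10.10.10.1/32).
    """
    allowed_alts = "|".join(re.escape(f"{ip} {mask}") for ip, mask in sorted(allowed))
    iface = re.escape(interface)
    return re.compile(
        rf"^ssh (?!(?:{allowed_alts}) {iface}$)({IPV4}) ({IPV4}) {iface}$",
        re.MULTILINE,
    )


def unauthorized_ssh_lines(config, rule=POST_RULE):
    """Return the (ip, mask) pairs of every ssh management line the rule flags."""
    return [m.groups() for m in rule.finditer(config)]


# Constructed sample config: the two allowed hosts plus one subnet nobody approved.
SAMPLE_CONFIG = """\
hostname fw01
ssh 10.10.10.1 255.255.255.255 MgmtInterface
ssh 10.10.10.3 255.255.255.255 MgmtInterface
ssh 192.168.50.0 255.255.255.0 MgmtInterface
ssh 10.10.10.1 255.255.255.255 outside
"""

if __name__ == "__main__":
    for ip, mask in unauthorized_ssh_lines(SAMPLE_CONFIG):
        print(f"unauthorized ssh source: {ip} {mask}")
```

The "outside" line slipping through shows the rule's scope: it guards one interface name, so a policy needs one such rule per management interface (or a rule built with a different `interface` argument).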