3 Replies Latest reply on May 24, 2011 6:22 PM by JustinY

    RFE - Section Awareness & Configuration Blocks

    JustinY

      I have some configurations that apply to specific interfaces based on their role, usually identified by the description.

      It would be great if we could identify a "section" based on a string, i.e. "description DS[1|3]IT", "description outside", "description inside" or "description Isolated", then search that "section" for the required configuration string or configuration block. Then, if needed, the remediation could be applied to the violating "section". I have tried to get something like this to work, but without much luck.

      This could be used to ensure that a specific ACL "block" exists and that it is applied to a specific interface or group of interfaces.

        • Re: RFE - Section Awareness & Configuration Blocks
          fcaron

          I think we have introduced in NCM 6.1 what you are looking for: the ability to define compliance rules that apply only to blocks of config (vs. entire config), defined by a begin and end string.

          This new feature is available in both the WEB Integration WEB UI and the Win32 app.

          See snapshots below, showing a DISA STIGs compliance rule leveraging this new capability.

          Hope this helps

              • Re: RFE - Section Awareness & Configuration Blocks
                JustinY

                Close, but it's not really section aware. It cannot report on what section is in violation of the config, and it has no method to remediate the violating section.

                I should have also included "Conditional/Nested RegEx Expressions" with this request, but it makes for a pretty big RFE.

                For example, I would like to check every block that begins with "interface Fast*" and ends with "!". So far that's doable.

                I want to search for interfaces that contain the following:
                IF "description DS[13]IT|description Trunk:.*"
                THEN "ip verify unicast reverse-path"

                The remediation script would need an expression for the section in violation and then recurse through each of the violating sections and fix them.
                conf t
                {ViolatingSection}
                ip verify unicast reverse-path
                exit
                exit
                write mem
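The section-aware check and remediation JustinY describes can be prototyped offline against a saved running-config. The following is an added example and is not NCM's code or anything posted in this thread: it splits a config into blocks that begin at a line matching a regex (regex `^interface Fast` stands in for the glob "interface Fast*" above) and end at "!", applies the IF/THEN rule from the post to each block, and renders the remediation script with each violating section header substituted for {ViolatingSection}. The config excerpt and interface names are constructed for the demo. It only reports and renders text; nothing is pushed to a device, so the generated script can be reviewed before use.

```python
import re

# Constructed sample running-config excerpt (not from the thread). The
# description strings follow the patterns used in the request above.
SAMPLE_CONFIG = """\
hostname edge-sw1
!
interface FastEthernet0/1
 description DS1IT uplink
 ip address 10.0.1.1 255.255.255.0
 ip verify unicast reverse-path
!
interface FastEthernet0/2
 description DS3IT access
 ip address 10.0.2.1 255.255.255.0
!
interface FastEthernet0/3
 description Trunk: to core
 switchport mode trunk
!
interface FastEthernet0/4
 description Printer VLAN
 ip address 10.0.4.1 255.255.255.0
!
interface GigabitEthernet0/1
 description DS1IT uplink
 ip address 10.0.5.1 255.255.255.0
!
"""


def split_sections(config, begin_re, end_line="!"):
    """Return a list of (header, body_lines) for every block whose first line
    matches begin_re and which runs until a line equal to end_line."""
    sections = []
    current = None
    for line in config.splitlines():
        if current is None:
            if re.match(begin_re, line):
                current = (line.strip(), [])
        elif line.strip() == end_line:
            sections.append(current)
            current = None
        else:
            current[1].append(line.strip())
    if current is not None:  # block with no terminating end_line
        sections.append(current)
    return sections


def check_rule(sections, if_re, then_re):
    """Conditional rule: for each section where some body line matches if_re,
    require some body line matching then_re. Returns the violating headers,
    which is the 'what section is in violation' report the post asks for."""
    violations = []
    for header, body in sections:
        applies = any(re.search(if_re, line) for line in body)
        if applies and not any(re.search(then_re, line) for line in body):
            violations.append(header)
    return violations


def remediation_script(violations, fix_lines):
    """Render the remediation template from the post, entering each violating
    section in turn ({ViolatingSection}) and applying fix_lines inside it."""
    lines = ["conf t"]
    for header in violations:
        lines.append(header)
        lines.extend(fix_lines)
        lines.append("exit")
    lines += ["exit", "write mem"]
    return "\n".join(lines)


IF_RE = r"description DS[13]IT|description Trunk:.*"
THEN_RE = r"^ip verify unicast reverse-path"
FIX = ["ip verify unicast reverse-path"]


def run_demo(config=SAMPLE_CONFIG):
    """Run the rule over the sample config and return (violations, script)."""
    sections = split_sections(config, r"^interface Fast")
    violations = check_rule(sections, IF_RE, THEN_RE)
    return violations, remediation_script(violations, FIX)


if __name__ == "__main__":
    found, script = run_demo()
    print("Violating sections:", found)
    print(script)
```

On the sample above, FastEthernet0/1 passes (the description matches and uRPF is present), FastEthernet0/4 is out of scope (its description matches neither pattern), and the GigabitEthernet interface is never inspected because it does not match the section-begin regex; FastEthernet0/2 and 0/3 are reported as violations and appear in the rendered script. The same `check_rule` can express the ACL case from the first post by setting `if_re` to the interface description and `then_re` to the `ip access-group` line that should be present.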