Adding or editing a rule
Rules can be used to provision new devices and audit and enforce configuration best practices based on a set of rules. This topic describes how to configure a rule.
To add or edit a rule
- Open the Rules page by navigating to Network > Scripts > Rules.
- Perform one of the following actions:
- To define a new rule, click Add.
The Add Rule page is displayed. - To create a new rule by duplicating and editing an existing rule, click Copy
.
To edit an existing rule, click Edit
.
- To define a new rule, click Add.
On the Details tab, enter or modify settings in the following fields:
- On the Grammar tab, specify the patterns that must be matched by the device to comply with this rule. For more information, see Defining-rule-grammar.
On the Spans tab, specify the network spans that you want to exclude from auditing and compliance enforcement by using the Add button.
You can apply a rule set to a large number of devices and then exclude a few devices or groups from the entire rule set or from specific rules. The excluded devices are thus ignored or skipped when auditing and enforcing the rule (that is, Deploy to Active with Configuration = Remediate With All Assigned).
You can exclude the spans at the rule level, as follows:Span
Description
Realm
Excludes the devices in a realm from applying the rule. You need to add realms one by one. You are limited to accessible realms.
Group
Excludes the devices in a group from applying the rule. You need to add groups one by one. You are limited to groups in accessible realms.
Device
Excludes one device from applying the rule. You need to add devices one by one. You are limited to devices in accessible realms.
Group Filter
Excludes one or more groups matching a name from applying the rule. You can choose to look for groups in one particular realm, or you can choose to look for groups in any realm.
You can use the wildcard character, asterisk (*) to search for groups. For example, you can enter Model_Cisco.176* in the filter criterion to exclude all the devices that belong to groups whose name starts with Model_Cisco.176, irrespective of the realm the groups belong to. The filtered groups include simple groups (both static and auto groups) only, not combo groups. If a new device is added to the system and if the device belongs to a group that satisfies the filter criterion, that device is excluded from the auditing and compliance enforcement automatically.
Note: While choosing the excluded spans for a rule, the [Any] realm option is available for selection only if more than one realm exists in the system.
In the following example, the group Vendor.Cisco group in the Default realm is being added to the excluded network spans. This span is ignored when BMC Network Automation audits and enforces the rule.
- When you have finished performing the configuration on the various tabs, click Save to save the rule.
Running automatic compliance checks in the activation window
The system checks for compliance violations only if a rule is active. A rule is active only within its activation window based on the current date of the BMC Network Automation web server. The following table lists various combinations of activation and deactivation dates that determine whether a rule is within its activation window.
Activation date | Deactivation date | Is rule within the activation window? |
---|---|---|
Null | Null | Yes |
Past | Null | Yes |
Null | Past | No |
Past | Past | No |
Future | Null | No |
Null | Future | Yes |
Future | Future | No |
Past | Future | Yes |
While a rule is active, the system performs compliance checking of that rule when configuration changes are detected. Under certain circumstances (for example, when you add a new rule, edit a rule's grammar, or change the devices assigned to a rule set), you must perform a manual Refresh Device Status action to update the existing violations. But, the system performs an automatic refresh when a rule becomes active – that is, when the current time reaches the rule's activation date. The system also automatically clears violations when the current system time reaches a rule's deactivation date. These automatic refreshes are performed daily at the time specified in the Perform Daily Rule Activation/Deactivation At system parameter.
The automatic activation check is also done when you add a new rule that is within its activation window, or edit an existing rule such that it is now within its activation window. Since the automatic check is at a specified time, you do not immediately see violations. If you do not want to wait for this automatic check to find the violations, you should run the manual Refresh Device Status action.
For example, if you add a new rule whose activation date is February 15 and deactivation date is May 31, and today is March 1, the rule is considered to be active and the system performs an automatic compliance check at the scheduled time. On May 31, the rule is no longer active and the system clears its violations at the scheduled time.
If you edit a rule such that an active rule is no longer active, the system clears the violations when you save the rule. For example, if the rule initially had no deactivation date, and you assigned a deactivation date of yesterday, the violations are cleared at save time.
For a sample rule grammar that utilizes the activation window to run automatic compliance checks, see Device End of Life.
BMC Network Automation is installed with a set of canned rules. These rules have no activation or deactivation dates, so they are within their activation windows. However, they belong to disabled rule sets, so no violation checking is performed by default.
When you upgrade to version 8.8.00, all existing rules are assigned null activation and deactivation dates, so that they are within their activation windows. But since these are pre-existing rules that were already "active", it is assumed that you have maintained their violation states properly. These rules do not undergo an automatic compliance check.
Related topic