BMC Network Automation rules can be used to provision new devices and audit and enforce configuration best practices based on a set of rules. To improve network security and availability, BMC recommends using rules to audit network configuration standards. BMC Network Automation is delivered with rules that can help you get started. Some recommended rules include:
- NTP servers
- Syslog servers
- Enable secret
- Password encryption
- Disable protocols
- Defined access control lists should be assigned
- SNMP community strings
- Management ACL entries and assignment
- OS Version
Any configuration lines or blocks in the running, startup, or any other configuration can be audited.
Rules can be used for:
- Provisioning new devices based on a set of rules (that is, security policies)
- Implementing decision-based changes that are not handled by simple template pushes
- Auditing and enforcing your configuration standards
The use of rules to audit and enforce recommended configurations involves the following stages:
- Rule Specification: Available for all supported devices. Rules can be used to audit configuration standards such as TACACS+/RADIUS, logging, NTP, virtual terminal access, login banner, interface attributes, SNMP, QoS policies, Access Control Lists (ACL), and other items. Rules are defined through a grammar specification.
- Compliance auditing: Available for all supported devices. For enabled and assigned rule sets, BMC Network Automation verifies configuration compliance after each snapshot (for example, after each auto archive) or as requested by the user. BMC Network Automation audits both the Running and Startup configuration files.
- Compliance Enforcement: You can enforce compliance by using the Deploy to Active, Deploy to Stored, or Remediate span actions, through a policy action, and through the Compliance Summary report. You can request enforcement to all assigned rule sets, to a specific rule set, or to a specific rule. The specific rule set or rule does not have to be enabled or explicitly assigned to the device. There are conditions under which BMC Network Automation can make the configuration compliant based on the rule grammar, device type, and corrective actions.
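As an added illustration of the audit and enforce stages above, applied to the recommended rules listed at the top of the page: a small Python checker (not BMC Network Automation's rule grammar or product code) evaluates a constructed Cisco-IOS-like running configuration against pass/fail rules and lists the corrective lines an enforcement step would push. The rule tuples, the helper names and the sample configuration are all assumptions made here.

```python
import re

# Assumed rule set (not BMC Network Automation's rule grammar): (rule name,
# enclosing block header or None, line regex, must exist?, corrective line)
RULES = [
    ("NTP servers", None, r"^ntp server \S+", True, "ntp server <ntp-ip>"),
    ("Syslog servers", None, r"^logging host \S+", True, "logging host <syslog-ip>"),
    ("Enable secret", None, r"^enable secret ", True, "enable secret <secret>"),
    ("Password encryption", None, r"^service password-encryption$", True,
     "service password-encryption"),
    ("Disable protocols", None, r"^ip http server$", False, "no ip http server"),
    ("SNMP community strings", None, r"^snmp-server community (public|private)\b",
     False, "no snmp-server community <default-string>"),
    ("Management ACL assignment", r"^line vty", r"^ access-class \S+ in$", True,
     "line vty 0 4 / access-class <mgmt-acl> in"),
]

def find_line(cfg, pattern, block_header=None):
    """True if some line matches `pattern`; with `block_header`, only indented
    lines inside the block that header opens count (e.g. a `line vty` block)."""
    in_block = block_header is None
    for line in cfg.splitlines():
        if block_header is not None:
            if re.match(block_header, line):
                in_block = True
            elif not line.startswith(" "):
                in_block = False
        if in_block and re.match(pattern, line):
            return True
    return False

def audit(cfg):
    """Pass/fail per rule name, like the Compliance Summary report."""
    return {name: find_line(cfg, pat, hdr) == must for name, hdr, pat, must, _ in RULES}

def remediation(cfg):
    """Corrective lines for every failed rule (what enforcement would push)."""
    failed = audit(cfg)
    return [fix for name, _, _, _, fix in RULES if not failed[name]]

# Constructed sample running configuration (Cisco-IOS-like; not a real device).
SAMPLE_CONFIG = """\
enable password cisco123
no service password-encryption
snmp-server community public RO
logging host 10.0.0.5
ip http server
line vty 0 4
"""
```

Running `audit(SAMPLE_CONFIG)` reports only the Syslog rule as passing; `remediation(SAMPLE_CONFIG)` returns the six corrective lines for the failed rules.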
To help you get started, BMC Network Automation is delivered with sample rules for typical security enforcement. You can tailor, reorganize, copy, or delete these rules and parent rule sets in accordance with your configuration standards. The rule sets are disabled by default, so no checks are done against these sample rules and no violations are reported.
If the Admin > System Parameter called Check for Compliance Violations after Snapshots is enabled, BMC Network Automation automatically audits compliance of the configuration files after each snapshot operation. This enables BMC Network Automation to automatically detect compliance violations as configuration changes are made. The user can also force a compliance check for a selected network span (for example, device, group, network wide) by using the Network > Jobs > Span Actions > Refresh Device Status action. Compliance violations are logged to the event log and displayed on the Dashboard.
Policies can detect when compliance violation events are logged and then notify users via SNMP, email, or a Remedy ticket. Optionally, the policy can also enforce configuration compliance through Auto-Remediation.
The Compliance Summary report details the pass/fail status for each rule. The report can be used to view the details of current compliance violations, or to test rules before they are used in BMC Network Automation. The user can view the violation in detail by selecting the Failed indicator. Compliance violations can be corrected by selecting the Remediate action. Through policies, the Compliance Summary report can be automatically emailed to users upon detection of a violation or at any time. In addition, the report is available from the Reports tab and the Dashboard.
The following table contains conceptual information and tasks that describe how to manage rules and provides links to applicable topics:
| Administering task | For more information | Benefit |
|---|---|---|
| To add or edit a rule | Adding or editing a rule | Use the following topics to configure a rule: |
| To define substitution parameters and device dynamic fields for resolving the out-of-box rules | Resolving the out-of-box rules | To use the rules shipped with BMC Network Automation, you must define global substitution parameters and device dynamic fields which make the rules resolvable. Learn how to define these global substitution parameters and device dynamic fields. |
| To upgrade rules in case of BMC Network Automation application server upgrade | Upgrading rules | When you upgrade the BMC Network Automation application server from an earlier version, your customized rule sets and rules are not changed. In that case, you might need to upgrade rules. Learn how to upgrade rules, if required. |
| To perform various rule actions | Viewing the rules listing | Use the rules list to perform the following rule actions: |