Adding a rule set
On the Network > Scripts > Rule Sets page, click Add and do the following:
- On the Details tab, enter information in the following fields:
- Name: Specify a unique name, up to 255 characters, for the rule set.
- Enabled: (Optional) Enable or disable the rule set. When a rule set is enabled, compliance checking is performed during the configuration snapshot and by the Network > Jobs > Span Actions > Refresh Device Status span action. Enable the rule set only after you have created, tested, and assigned its rules. For compliance checks to run against enabled rule sets as part of the configuration snapshot operation, you must also enable the Check Compliance Violations after Snapshot system parameter. Compliance violations are logged and shown on the Dashboard, and a logged violation can trigger a policy that performs one or more actions (for example, send a notification or remediate).
- On the Spans tab, assign the rule set either to the Entire Network or to one or more spans, using the Add button.
When auditing and enforcing device compliance with assigned rule sets, you can exclude one or more network spans at the rule or rule set level. This lets you apply a rule set to a large number of devices and then exclude a few devices or groups from the entire rule set or from specific rules. The excluded devices are skipped when the rule set is audited and enforced (that is, Deploy to Active with Configuration = Remediate With All Assigned).
You can assign or exclude the following kinds of span at the rule set level:
- Realm: Assigns the rule set to the devices in a realm. You need to add realms one by one. You are limited to accessible realms.
- Group: Assigns the rule set to the devices in a group. You need to add groups one by one. You are limited to groups in accessible realms.
- Device: Assigns the rule set to one device. You need to add devices one by one. You are limited to devices in accessible realms.
- Group Filter: Assigns the rule set to the devices belonging to one or more groups whose name matches a filter. You can choose to look for groups in one particular realm, or in any realm. You can use the wildcard character, asterisk (*), in the filter. For example, entering Model_Cisco.176* as the filter criterion selects all devices that belong to groups whose name starts with Model_Cisco.176, irrespective of the realm the groups belong to. The filtered groups include simple groups (both static and auto groups) only, not combo groups. If a new device is added to the system and it belongs to a group that satisfies the filter criterion, that device is automatically included in, or excluded from, auditing and compliance enforcement.
Notes:
- While choosing the assigned spans, the [Any] realm option is available for selection only when you have full network rights and more than one realm exists in the system.
- While choosing the excluded spans, the [Any] realm option is always available.
For example, if the Default.DeviceType.CiscoACI group is excluded, TrueSight Network Automation skips the devices in that group when it audits and enforces the rule set.
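The assignment and exclusion semantics described above, as an added example that is not part of this documentation or of TrueSight Network Automation's own code: a small Python model that resolves the device set of a rule set, and of one rule within it, from assigned and excluded spans, including a Group Filter whose only wildcard is the asterisk. The device names, realm names, group names, and the inventory are constructed for the example. Three points are my assumptions rather than statements on this page: matching of group names is case-sensitive, an excluded span always wins over an assigned span, and a rule's own exclusions stack on top of the rule set's exclusions.

```python
"""Model of rule-set span assignment and exclusion.

Constructed illustration, not TrueSight Network Automation code. Assumptions:
- '*' is the only wildcard and group-name matching is case-sensitive,
- an excluded span always wins over an assigned span,
- rule-level exclusions stack on top of rule-set-level exclusions,
- Group Filter sees simple (static/auto) groups only, never combo groups.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    realm: str
    groups: FrozenSet[str]  # simple groups only; combo groups are not listed


# A span is a tuple: ("entire_network",), ("realm", r), ("group", g),
# ("device", d) or ("group_filter", pattern, realm); realm None means [Any].
Span = Tuple


def name_matches(name: str, pattern: str) -> bool:
    """Whole-name match where '*' is the only wildcard; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


def devices_in_span(inventory: Iterable[Device], span: Span) -> Set[str]:
    """Expand one span to the set of device names it covers."""
    kind = span[0]
    if kind == "entire_network":
        return {d.name for d in inventory}
    if kind == "realm":
        return {d.name for d in inventory if d.realm == span[1]}
    if kind == "group":
        return {d.name for d in inventory if span[1] in d.groups}
    if kind == "device":
        return {d.name for d in inventory if d.name == span[1]}
    if kind == "group_filter":
        pattern, realm = span[1], span[2]
        return {
            d.name for d in inventory
            if (realm is None or d.realm == realm)
            and any(name_matches(g, pattern) for g in d.groups)
        }
    raise ValueError(f"unknown span kind: {kind}")


def union_of_spans(inventory: List[Device], spans: Iterable[Span]) -> Set[str]:
    out: Set[str] = set()
    for span in spans:
        out |= devices_in_span(inventory, span)
    return out


def rule_set_targets(inventory, assigned, excluded) -> Set[str]:
    """Devices the rule set audits/enforces: assigned spans minus excluded spans."""
    return union_of_spans(inventory, assigned) - union_of_spans(inventory, excluded)


def rule_targets(inventory, assigned, rs_excluded, rule_excluded) -> Set[str]:
    """A single rule may exclude further spans beyond the rule set's exclusions."""
    return rule_set_targets(inventory, assigned, rs_excluded) - union_of_spans(inventory, rule_excluded)


# Constructed inventory: realms, groups and devices are illustrative names.
INVENTORY: List[Device] = [
    Device("sw-ny-01", "Default", frozenset({"Model_Cisco.1760", "Site.NY"})),
    Device("sw-ny-02", "Default", frozenset({"Model_Cisco.1761"})),
    Device("sw-lon-01", "EMEA", frozenset({"Model_Cisco.1760"})),
    Device("aci-ny-01", "Default", frozenset({"Default.DeviceType.CiscoACI"})),
    Device("rtr-lon-01", "EMEA", frozenset({"Model_Cisco.2900"})),
]


def example_exclusion():
    """Entire Network assigned; the CiscoACI group excluded for the whole rule set,
    and one rule additionally excluding the EMEA realm."""
    assigned = [("entire_network",)]
    rs_excl = [("group", "Default.DeviceType.CiscoACI")]
    rule_excl = [("realm", "EMEA")]
    return (rule_set_targets(INVENTORY, assigned, rs_excl),
            rule_targets(INVENTORY, assigned, rs_excl, rule_excl))


def example_filter_picks_up_new_device():
    """A Group Filter over [Any] realm automatically covers a device added later."""
    assigned = [("group_filter", "Model_Cisco.176*", None)]
    before = rule_set_targets(INVENTORY, assigned, [])
    newcomer = Device("sw-par-01", "EMEA", frozenset({"Model_Cisco.1762"}))
    after = rule_set_targets(INVENTORY + [newcomer], assigned, [])
    return before, after


if __name__ == "__main__":
    print("rule set / rule:", example_exclusion())
    print("filter before / after:", example_filter_picks_up_new_device())
```

The check worth taking away is the last function: because a Group Filter is evaluated against the live inventory rather than frozen into a device list, a device that joins a matching group later is audited (or skipped, if the filter is an exclusion) without anyone editing the rule set, so review filter patterns as carefully as explicit device assignments.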
- If the Access Control tab is enabled, you can restrict who can access the rule set and associated rules. You can restrict view, edit, delete, enable, and disable rights. The Access Control tab is enabled when the administrator has enabled rule set access controls under Admin > System Parameters. See Associating-user-access-rights-with-a-rule-set.
- Click Save to save the rule set.