NetMRI policy rule for unwanted lines

Techie
Posts: 14

I am trying to write a policy rule to make sure my switches have the correct SNMP community strings, but do not have any unwanted strings too. Using CPD this is fairly easy:

Required:
snmp-server community "string1" operator
snmp-server community "string2" unrestricted
Invalid:
snmp-server community .*

However, the manual says CPD is deprecated, do not use, and I am having problems with case sensitivity. Annoyingly some versions of my switch express operator with a capital.

Is there a way to do this using one of the other methods?

I have tried the same thing with the simple and rule logic builders. Both pass the valid string, then immediately match it with the invalid wildcarded string and flag an error.

Is the raw XML my only option? If so, is there a tidy way to implement this? I have a similar problem for my list of valid management IP addresses, which is a longer list. Potentially the XML could get rather large if I'm saying 'this or this or this, but nothing else similar'.

Re: NetMRI policy rule for unwanted lines

Adviser
Posts: 353

[ edited this - when you use email reply I guess the XML gets stripped out - added it back below ]

The XML is your best bet. You can continue to use CPD if it works for you, but it does not scale as well if you have lots of devices.

I think the best way to do this is to use a ConfigBlockCheck, using the "num-lines" boundary method, with a line count of 1. What that will do is loop through every line matching your string and let you take some action on it. Here is an example (using the /.../i in the "matches" operator makes the regex search case-insensitive, if that's an issue).

<PolicyRuleLogic editor="raw-xml" xmlns='http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml'>
  <!-- pass-count is not used in this version of the rule -->
  <Assign value='1' variable='pass-count'/>
  <!-- Visit every line starting with snmp-server, one line per block (_block holds the line) -->
  <ConfigBlockCheck block-start='^snmp-server' boundary-method='line-count' line-count='1'>
    <If>
      <!-- The trailing /i makes the whole match case-insensitive -->
      <Expr op='matches'>
        <Expr variable='_block'/>
        <Expr value='/^snmp-server community (&quot;string1&quot; operator|&quot;string2&quot; unrestricted)/i'/>
      </Expr>
      <Then/>
      <Else>
        <!-- Any other snmp-server line fails the rule and is reported -->
        <Return>
          <PolicyRuleFail>
            <Expr op='concat'>
              <Expr value='Invalid line: '/>
              <Expr variable='_block'/>
            </Expr>
          </PolicyRuleFail>
        </Return>
      </Else>
    </If>
  </ConfigBlockCheck>
  <PolicyRulePass/>
</PolicyRuleLogic>


You can also use a list lookup instead of the "matches" in the "If". That way, if the list is really long, the XML is still relatively compact.

John

Re: NetMRI policy rule for unwanted lines

Techie
Posts: 14

Thanks, that nearly does what I want. It does pick up on invalid strings; however, it does not ensure that the two lines are there. Is it possible to highlight missing lines in one go, or do I need two rules, one for "must have all these" and one for "must not have anything else"?

Edit: Is there a guide for the XML used or is it just the 'Using the Raw XML Editor' section in the Automation Admin guide?

Re: NetMRI policy rule for unwanted lines

Techie
Posts: 14

I have answered my own question: count the matching lines. This does not report what is missing, just that something is, but that is probably good enough:

<PolicyRuleLogic editor="raw-xml" xmlns='http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml'>
  <!-- Number of valid community lines seen so far -->
  <Assign value='0' variable='pass-count'/>
  <!-- Visit every snmp-server community line, one line per block -->
  <ConfigBlockCheck block-start='^snmp-server community' boundary-method='line-count' line-count='1'>
    <If>
      <Expr op='matches'>
        <Expr variable='_block'/>
        <Expr value='/^snmp-server community (&quot;string1&quot; operator|&quot;string2&quot; unrestricted|&quot;string3&quot; operator)/i'/>
      </Expr>
      <Then>
        <!-- Add one to the pass-count -->
        <Assign variable='pass-count'>
          <Expr op='+'>
            <Expr variable='pass-count'/>
            <Expr value='1'/>
          </Expr>
        </Assign>
      </Then>
      <Else>
        <!-- Any other community line is unwanted: fail immediately and report it -->
        <Return>
          <PolicyRuleFail>
            <Expr op='concat'>
              <Expr value='Invalid line: '/>
              <Expr variable='_block'/>
            </Expr>
          </PolicyRuleFail>
        </Return>
      </Else>
    </If>
  </ConfigBlockCheck>
  <!-- The expected count must equal the number of alternatives in the regex above (3) -->
  <If>
    <Expr op='ne'>
      <Expr variable='pass-count'/>
      <Expr value='3'/>
    </Expr>
    <Then>
      <Return>
        <PolicyRuleFail>
          <Expr value='Failure: Missing SNMP community strings'/>
        </PolicyRuleFail>
      </Return>
    </Then>
  </If>
  <PolicyRulePass/>
</PolicyRuleLogic>

If I can get it working with a list, I will post the solution too. One weakness in the above is the number of options in the check needs to match the check on pass-count.

A plea to Infoblox: It would be much nicer if we could use Perl scripts to check policies against. It could work similarly to a Nagios check, where the script must return an integer for pass/fail along with a text message. I.e.

#!/usr/bin/perl
use strict;
use warnings;

# Do some perl stuff here to work out the device's status
my $status = "happy";

# Exit code carries pass/fail, stdout carries the message
if ($status eq "happy") {
  print "Pass: All good\n";
  exit(0);
} else {
  print "Fail: Some bad message\n";
  exit(1);
}

XML is hard!

Re: NetMRI policy rule for unwanted lines

Adviser
Posts: 353

You could also make sure the lines are there by adding a couple of variables that you set to "true" if the lines have been found as you loop through.

There is no separate guide, just what is in the admin guide, plus the XSD file that you can download from the rule editor screen. It contains detailed documentation of the various operators, etc. You can also use it in an XML-authoring tool to provide the validation if you want to edit your XML outside of the browser window.

You can also find some examples at:

https://github.com/infobloxopen/netmri-toolkit

in the "policy" folder. I just put in an example that validates the users against a list. The XSD is in there too.
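
As an added example (not code from this thread, from Infoblox or from the netmri-toolkit), here is the flag-per-line version John describes above, written with the same constructs the earlier rules in this thread use (Assign, ConfigBlockCheck with line-count 1, If/Then/Else, the matches/ne/concat operators, Return and PolicyRuleFail). It assumes the editor accepts an If nested inside an Else, which the posted rules do not show. Two deliberate changes from the pass-count rule: the regexes are anchored with $ so that a line with extra trailing text is not accepted, and /i is not used. SNMP community strings are case-sensitive on the device, so with /i a stray "STRING1" community would be accepted as valid; here only the access keyword, which the switch firmware capitalises inconsistently, gets an explicit (operator|Operator) alternation, and the community string itself must match exactly.

```xml
<PolicyRuleLogic editor="raw-xml" xmlns='http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml'>
  <!-- One flag per required line; set to 1 when that line is seen -->
  <Assign value='0' variable='found-string1'/>
  <Assign value='0' variable='found-string2'/>
  <!-- Visit every snmp-server community line, one line per block (_block holds the line) -->
  <ConfigBlockCheck block-start='^snmp-server community' boundary-method='line-count' line-count='1'>
    <If>
      <!-- Keyword may be 'operator' or 'Operator'; the community string stays case-sensitive -->
      <Expr op='matches'>
        <Expr variable='_block'/>
        <Expr value='/^snmp-server community &quot;string1&quot; (operator|Operator)\s*$/'/>
      </Expr>
      <Then>
        <Assign value='1' variable='found-string1'/>
      </Then>
      <Else>
        <!-- Assumption: a nested If is accepted here, as in any other block -->
        <If>
          <Expr op='matches'>
            <Expr variable='_block'/>
            <Expr value='/^snmp-server community &quot;string2&quot; (unrestricted|Unrestricted)\s*$/'/>
          </Expr>
          <Then>
            <Assign value='1' variable='found-string2'/>
          </Then>
          <Else>
            <!-- Any other community line is unwanted: fail and report it -->
            <Return>
              <PolicyRuleFail>
                <Expr op='concat'>
                  <Expr value='Invalid line: '/>
                  <Expr variable='_block'/>
                </Expr>
              </PolicyRuleFail>
            </Return>
          </Else>
        </If>
      </Else>
    </If>
  </ConfigBlockCheck>
  <!-- After the loop, report exactly which required line was never seen -->
  <If>
    <Expr op='ne'>
      <Expr variable='found-string1'/>
      <Expr value='1'/>
    </Expr>
    <Then>
      <Return>
        <PolicyRuleFail>
          <Expr value='Missing line: snmp-server community &quot;string1&quot; operator'/>
        </PolicyRuleFail>
      </Return>
    </Then>
  </If>
  <If>
    <Expr op='ne'>
      <Expr variable='found-string2'/>
      <Expr value='1'/>
    </Expr>
    <Then>
      <Return>
        <PolicyRuleFail>
          <Expr value='Missing line: snmp-server community &quot;string2&quot; unrestricted'/>
        </PolicyRuleFail>
      </Return>
    </Then>
  </If>
  <PolicyRulePass/>
</PolicyRuleLogic>
```

Unlike the pass-count rule, this is not fooled by a duplicated valid line: a config carrying "string1" twice and no "string2" gives a count of 2 (or 3 with three strings) and passes the counting check, but here found-string2 stays 0 and the rule fails with the name of the missing line. The cost is one flag and one trailing If per required line, so for a long list (the management IP case) the list-lookup approach John mentions is the better fit.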

Re: NetMRI policy rule for unwanted lines

Adviser
Posts: 353

Perl would be nice. However, there are security and performance issues with that. If we are going to allow arbitrary Perl it has to run in the sandbox like the scripts, or it is a security vulnerability. It would also end up launching separate processes per rule evaluation, which can cause performance problems.

Nonetheless, you can put in an RFE with your account team and if we see enough interest we can look for a solution.

Re: NetMRI policy rule for unwanted lines

Techie
Posts: 14

Is it possible to convert a list to an array?

From the documentation, it appears that ListSearch is the only list function available. The method I was thinking was to:

- Create a list, "Procurve SNMP strings" with one field comstr, containing values "string1 operator", "string2 unrestricted" etc.

- At the start of the rule, ListSearch this list for 'comstr'=*

- Put the results in an array where we can then use the size function

- Match the config lines to the array by adding snmp-server community to the front, though I will have to do a regex match because of the case sensitivity issue.

Re: NetMRI policy rule for unwanted lines

Authority
Posts: 30

I'll probably regret chiming in, I'm no programmer :-)... could you not add a column to the list with a sequential number (1,2,3,4...), then run a do-while loop to populate the array, looking up the next number with each loop?

I know, I'm missing something obvious... can you imagine how it must be as a developer here, having to listen to my stupid ideas all the time??? :-)

Lou

@DaveHartburn wrote:

Is it possible to convert a list to an array?

From the documentation, it appears that ListSearch is the only list function available. The method I was thinking was to:

- Create a list, "Procurve SNMP strings" with one field comstr, containing values "string1 operator", "string2 unrestricted" etc.

- At the start of the rule, ListSearch this list for 'comstr'=*

- Put the results in an array where we can then use the size function

- Match the config lines to the array by adding snmp-server community to the front, though I will have to do a regex match because of the case sensitivity issue.

at the beginning of the rule?

Re: NetMRI policy rule for unwanted lines

Adviser
Posts: 353

When you query a list, you can ask for it to just return the first result, or to return all matching results in an array. 

Take a look at the "valid-user" rule in the github above. It makes good use of lists.

Re: NetMRI policy rule for unwanted lines

Adviser
Posts: 430

You can use Rule Logic Builder as well :-)

Must Contain

snmp-server community "string1" operator
snmp-server community "string2" unrestricted

Must not Contain

snmp-server community (?!("string1" operator|"string2" unrestricted))

Follow me on LinkedIn: https://www.linkedin.com/in/sifbaksh
Twitter: https://twitter.com/sifbaksh

www.sifbaksh.com