Network Change & Configuration Management

Port Policy Compliance on HP switches.

Techie
Posts: 6

I want to check port settings on HP switches. The problem is that not all port parameters are under the "interface" setting like on Cisco.

So I want to check the settings when it is an access port without a description (name).

The access port statement is in the config as:

spanning-tree 1 admin-edge-port

The description is in the config as:

interface 22
   dhcp-snooping max-bindings 10
   name "description"
   qos trust dscp
   rate-limit bcast in percent 2

Since I found you can't use a variable in a ConfigBlockCheck, I made two arrays: one with ports in access mode and one with a name.

Then I do a ForEach on the first array where I first check if the value is in the second array and then do the check on the port parameters.

There seems to be a fault in the checking of the _loop_value against the array; the lines are:

<ForEach>
    <Expr variable="access-ports"/>
    <Do>
      <If>
        <Expr expression="1 and 2">
         <Exp label='1' op='in'>
          <Expr variable='_loop_value'/>
          <Expr variable='no-name'/>
         </Expr>
          <Expr label="2" op="and">
            <ConfigFileCheck op="does-not-contain-any">
              <Expr op="concat">
                <Expr value="^interf

I get an error on the </Expr> line. Is my <Exp label='1' op='in'> syntax wrong?

Re: Port Policy Compliance on HP switches.

New Member
Posts: 3

Can you please post the entire rule and the error message?

Re: Port Policy Compliance on HP switches.

Techie
Posts: 6

This is the error message:

Line 18:
Missing end tag for 'Exp' (got "Expr")

And the policy rule:

<PolicyRuleLogic editor="raw-xml" xmlns='http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml'>
  <Expr op='array' output='access-ports'/>
  <Expr op='array' output='missing_configuration'/>
  <ConfigBlockCheck block-end='$' block-start='^spanning-tree (\d{1,2}) admin-edge-port' boundary-method='regexp'>
    <Expr op='push'>
      <Expr variable='access-ports'/>
      <Expr variable='_start_match_1'/>
    </Expr>
  </ConfigBlockCheck>
  <ForEach>
    <Expr variable='access-ports'/>
    <Do>
      <If>
        <Expr expression='1 and 2'>
         <Exp label='1' op='in'>
          <Expr variable='_loop_value'/>
          <Expr variable='no-name'/>
         </Expr>
        <Expr label='2' op='and'>
          <ConfigFileCheck op='does-not-contain-any'>
            <Expr op='concat'>
              <Expr value='^interface '/>
              <Expr variable='_loop_value'/>
              <Expr value='\\s+dhcp-snooping max-bindings 10\\s+name.*'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^spanning-tree '/>
              <Expr variable='_loop_value'/>
              <Expr value=' bpdu-protection'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access mac-based '/>
              <Expr variable='_loop_value'/>
              <Expr value=' addr-limit 8'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access mac-based '/>
              <Expr variable='_loop_value'/>
              <Expr value=' addr-moves'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access mac-based '/>
              <Expr variable='_loop_value'/>
              <Expr value=' logoff-period 86400'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access mac-based '/>
              <Expr variable='_loop_value'/>
              <Expr value=' quiet-period 30'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access mac-based '/>
              <Expr variable='_loop_value'/>
              <Expr value=' reauth-period 7200'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access authenticator '/>
              <Expr variable='_loop_value'/>
              <Expr value=' client-limit 8'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access authenticator '/>
              <Expr variable='_loop_value'/>
              <Expr value=' logoff-period 86400'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access authenticator '/>
              <Expr variable='_loop_value'/>
              <Expr value=' quiet-period 30'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access authenticator '/>
              <Expr variable='_loop_value'/>
              <Expr value=' reauth-period 7200'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access '/>
              <Expr variable='_loop_value'/>
              <Expr value=' controlled-direction in'/>
            </Expr>
          </ConfigFileCheck>
        </Expr>
        <Then>
       </Then>
        <Else>
          <Expr op='push'>
            <Expr variable='missing_configuration'/>
            <Expr variable='_loop_value'/>
          </Expr>
        </Else>
      </If>
    </Do>
  </ForEach>
  <If>
    <Expr op='size'>
      <Expr variable='missing_configuration'/>
    </Expr>
    <Then>
      <PolicyRuleFail>
        <Expr op='concat'>
          <Expr> Missende configuratie op poort(en) : </Expr>
          <Expr op='join'>
            <Expr variable='missing_configuration'/>
            <Expr value=','/>
          </Expr>
        </Expr>
      </PolicyRuleFail>
    </Then>
    <Else>
      <PolicyRulePass>
      </PolicyRulePass>
    </Else>
  </If>
</PolicyRuleLogic>

Re: Port Policy Compliance on HP switches.

Techie
Posts: 6

Oops, when posting this I discovered my typo:

<Exp label='1' op='in'>

This should be <Expr label='1' op='in'>

So the statement 'in' seems to be in order.

After fixing this I got other error messages:

Line 105:
element Then: Schemas validity error : Element '{http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}Then': This element is not expected. Expected is one of ( {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}ConfigBlockCheck, {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}ConfigFileCheck, {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}CPDCheck, {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}Expr, {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}ListSearch ).

Line 13:
element If: Schemas validity error : Element '{http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}If': Missing child element(s). Expected is ( {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}Then ).

Line 0:
Expression refers to invalid subexpression '1'

Re: Port Policy Compliance on HP switches.

Techie
Posts: 6

And forget the policy rule I sent before, this was a corrupted version. It should be like below. I seem to have my if statements mixed up.

<PolicyRuleLogic xmlns="http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml" editor="raw-xml">
  <Expr op="array" output="access-ports"/>
  <Expr op="array" output="no-name"/>
  <Expr op="array" output="missing_configuration"/>
  <ConfigBlockCheck block-end="$" block-start="^spanning-tree (\d{1,2}) admin-edge-port" boundary-method="regexp">
    <Expr op="push">
      <Expr variable="access-ports"/>
      <Expr variable="_start_match_1"/>
    </Expr>
  </ConfigBlockCheck>
  <ConfigBlockCheck block-start="^interface (.*)$" boundary-method="indent">
    <If>
      <Expr op="matches">
        <Expr variable="_block"/>
        <Expr value="^\sname.*"/>
      </Expr>
      <Then>
    </Then>
      <Else>
        <Expr op="push">
          <Expr variable="no-name"/>
          <Expr variable="_start_match_1"/>
        </Expr>
      </Else>
    </If>
  </ConfigBlockCheck>
  <ForEach>
    <Expr variable="access-ports"/>
    <Do>
      <If>
        <Expr expression="1 and 2">
          <Expr label="1" op="in">
            <Expr variable="_loop_value"/>
            <Expr variable="no-name"/>
          </Expr>
          <Expr label="2" op="and">
            <ConfigFileCheck op="does-not-contain-any">
              <Expr op="concat">
                <Expr value="^interface "/>
                <Expr variable="_loop_value"/>
                <Expr value="\\s+dhcp-snooping max-bindings 10\\s+name.*"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^spanning-tree "/>
                <Expr variable="_loop_value"/>
                <Expr value=" bpdu-protection"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" addr-limit 8"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" addr-moves"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" logoff-period 86400"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" quiet-period 30"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" reauth-period 7200"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" client-limit 8"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" logoff-period 86400"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" quiet-period 30"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" reauth-period 7200"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access "/>
                <Expr variable="_loop_value"/>
                <Expr value=" controlled-direction in"/>
              </Expr>
            </ConfigFileCheck>
          </Expr>
          <Then>
       </Then>
          <Else>
            <Expr op="push">
              <Expr variable="missing_configuration"/>
              <Expr variable="_loop_value"/>
            </Expr>
          </Else>
        </Expr>
      </If>
    </Do>
  </ForEach>
  <If>
    <Expr op="size">
      <Expr variable="missing_configuration"/>
    </Expr>
    <Then>
      <PolicyRuleFail>
        <Expr op="concat">
          <Expr> Missende configuratie op poort(en) : </Expr>
          <Expr op="join">
            <Expr variable="missing_configuration"/>
            <Expr value=","/>
          </Expr>
        </Expr>
      </PolicyRuleFail>
    </Then>
    <Else>
      <PolicyRulePass>
      </PolicyRulePass>
    </Else>
  </If>
</PolicyRuleLogic>

Re: Port Policy Compliance on HP switches.

New Member
Posts: 3

I wrote the same in the raw-xml viewer and fixed a couple of mixed-up statements. This works now:

<PolicyRuleLogic xmlns="http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml" editor="raw-xml">
  <Expr op="array" output="access-ports"/>
  <Expr op="array" output="no-name"/>
  <Expr op="array" output="missing_configuration"/>
  <ConfigBlockCheck block-end="$" block-start="^spanning-tree (\d{1,2}) admin-edge-port" boundary-method="regexp">
    <Expr op="push">
      <Expr variable="access-ports"/>
      <Expr variable="_start_match_1"/>
    </Expr>
  </ConfigBlockCheck>
  <ConfigBlockCheck block-start="^interface (.*)$" boundary-method="indent">
    <If>
      <Expr op="matches">
        <Expr variable="_block"/>
        <Expr value="^\sname.*"/>
      </Expr>
      <Then>
      </Then>
      <Else>
        <Expr op="push">
          <Expr variable="no-name"/>
          <Expr variable="_start_match_1"/>
        </Expr>
      </Else>
    </If>
  </ConfigBlockCheck>
  <ForEach>
    <Expr variable="access-ports"/>
    <Do>
      <If>
        <Expr expression="1 and 2">
          <Expr label="1" op="in">
            <Expr variable="_loop_value"/>
            <Expr variable="no-name"/>
          </Expr>
          <Expr label="2" op="and">
            <ConfigFileCheck op="does-not-contain-any">
              <Expr op="concat">
                <Expr value="^interface "/>
                <Expr variable="_loop_value"/>
                <Expr value="\\s+dhcp-snooping max-bindings 10\\s+name.*"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^spanning-tree "/>
                <Expr variable="_loop_value"/>
                <Expr value=" bpdu-protection"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" addr-limit 8"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" addr-moves"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" logoff-period 86400"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" quiet-period 30"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" reauth-period 7200"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" client-limit 8"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" logoff-period 86400"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" quiet-period 30"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" reauth-period 7200"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access "/>
                <Expr variable="_loop_value"/>
                <Expr value=" controlled-direction in"/>
              </Expr>
            </ConfigFileCheck>
          </Expr>
        </Expr>
        <Then>
        </Then>
        <Else>
          <Expr op="push">
            <Expr variable="missing_configuration"/>
            <Expr variable="_loop_value"/>
          </Expr>
        </Else>
      </If>
    </Do>
  </ForEach>
  <If>
    <Expr op="size">
      <Expr variable="missing_configuration"/>
    </Expr>
    <Then>
      <PolicyRuleFail>
        <Expr op="concat">
          <Expr value="missing configuration:"/>
          <Expr op="join">
            <Expr variable="missing_configuration"/>
            <Expr value=","/>
          </Expr>
        </Expr>
      </PolicyRuleFail>
    </Then>
    <Else>
      <PolicyRulePass>
      </PolicyRulePass>
    </Else>
  </If>
</PolicyRuleLogic>

Re: Port Policy Compliance on HP switches.

Techie
Posts: 6

I have solved this issue myself by building an OR function before the parameter tests which checks if there is a name (description) configured.
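The same compliance check outside NetMRI, as an added example that is neither code from this thread nor from Infoblox: a Python reimplementation of the working rule above (edge ports from "spanning-tree N admin-edge-port", unnamed ports from the indented "interface N" blocks, one required line per contains-all check) with the OR from the last post folded in, so an access port passes if it has a name or carries the full parameter set. The function names, REQUIRED templates and the HP-style SAMPLE_CONFIG are my own constructed assumptions.

```python
import re

# Per-port lines the rule's contains-all checks require; {p} is the port number.
REQUIRED = ["spanning-tree {p} bpdu-protection", "aaa port-access {p} controlled-direction in"] + [
    f"aaa port-access {kind} {{p}} {opt}"
    for kind, opts in (("mac-based", ["addr-limit 8", "addr-moves", "logoff-period 86400",
                                      "quiet-period 30", "reauth-period 7200"]),
                       ("authenticator", ["client-limit 8", "logoff-period 86400",
                                          "quiet-period 30", "reauth-period 7200"]))
    for opt in opts]

# Constructed HP ProCurve-style config (not from the thread): port 21 is a named access
# port, 22 is unnamed and only has bpdu-protection, 23 is unnamed with the full set.
SAMPLE_CONFIG = """\
interface 21
   name "uplink-core"
   qos trust dscp
interface 22
   dhcp-snooping max-bindings 10
interface 23
   dhcp-snooping max-bindings 10
spanning-tree 21 admin-edge-port
spanning-tree 22 admin-edge-port
spanning-tree 22 bpdu-protection
spanning-tree 23 admin-edge-port
""" + "\n".join(r.format(p="23") for r in REQUIRED) + "\n"

def access_ports(config):
    """Ports with 'spanning-tree N admin-edge-port', like the rule's first ConfigBlockCheck."""
    return re.findall(r"^spanning-tree (\d{1,2}) admin-edge-port$", config, re.M)

def named_ports(config):
    """Ports whose indented 'interface N' block contains a 'name' line (indent boundary)."""
    named, current = set(), None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
        elif not line.startswith(" "):
            current = None  # unindented line ends the interface block
        elif current and re.match(r"^\s+name ", line):
            named.add(current)
    return named

def missing_configuration(config):
    """Access ports that pass neither leg of the OR: no name AND a required line missing."""
    lines, named = set(config.splitlines()), named_ports(config)
    return [p for p in access_ports(config)
            if p not in named and any(r.format(p=p) not in lines for r in REQUIRED)]

if __name__ == "__main__":
    print("missing configuration:", ",".join(missing_configuration(SAMPLE_CONFIG)))
```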
