
Port Policy Compliance on HP switches.

Techie
Posts: 6

I want to check port settings on HP switches. The problem is that not all port parameters are under the "interface" setting like on Cisco.

So I want to check the settings when it is an access port without a description (name).

The access port statement is in the config as:

spanning-tree 1 admin-edge-port

The description is in the config as:

interface 22
   dhcp-snooping max-bindings 10
   name "description"
   qos trust dscp
   rate-limit bcast in percent 2

Since I found you can't use a variable in a ConfigBlockCheck, I made two arrays; one with ports in access mode and one with a name.

Then I do a ForEach on the first array where I first check if the value is in the second array and then do the check on the port parameters.

There seems to be a fault in the checking of the _loop_value against the array; the lines are:

<ForEach>
    <Expr variable="access-ports"/>
    <Do>
      <If>
        <Expr expression="1 and 2">
         <Exp label='1' op='in'>
          <Expr variable='_loop_value'/>
          <Expr variable='no-name'/>
         </Expr>
          <Expr label="2" op="and">
            <ConfigFileCheck op="does-not-contain-any">
              <Expr op="concat">
                <Expr value="^interf

I get an error on the </Expr> line. Is my <Exp label='1' op='in'> syntax wrong?

Re: Port Policy Compliance on HP switches.

New Member
Posts: 3

Can you please post the entire rule and the error message?

Re: Port Policy Compliance on HP switches.

Techie
Posts: 6

This is the error message:

Line 18:
Missing end tag for 'Exp' (got "Expr")

And the policy rule:

<PolicyRuleLogic editor="raw-xml" xmlns='http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml'>
  <Expr op='array' output='access-ports'/>
  <Expr op='array' output='missing_configuration'/>
  <ConfigBlockCheck block-end='$' block-start='^spanning-tree (\d{1,2}) admin-edge-port' boundary-method='regexp'>
    <Expr op='push'>
      <Expr variable='access-ports'/>
      <Expr variable='_start_match_1'/>
    </Expr>
  </ConfigBlockCheck>
  <ForEach>
    <Expr variable='access-ports'/>
    <Do>
      <If>
        <Expr expression='1 and 2'>
         <Exp label='1' op='in'>
          <Expr variable='_loop_value'/>
          <Expr variable='no-name'/>
         </Expr>
        <Expr label='2' op='and'>
          <ConfigFileCheck op='does-not-contain-any'>
            <Expr op='concat'>
              <Expr value='^interface '/>
              <Expr variable='_loop_value'/>
              <Expr value='\\s+dhcp-snooping max-bindings 10\\s+name.*'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^spanning-tree '/>
              <Expr variable='_loop_value'/>
              <Expr value=' bpdu-protection'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access mac-based '/>
              <Expr variable='_loop_value'/>
              <Expr value=' addr-limit 8'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access mac-based '/>
              <Expr variable='_loop_value'/>
              <Expr value=' addr-moves'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access mac-based '/>
              <Expr variable='_loop_value'/>
              <Expr value=' logoff-period 86400'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access mac-based '/>
              <Expr variable='_loop_value'/>
              <Expr value=' quiet-period 30'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access mac-based '/>
              <Expr variable='_loop_value'/>
              <Expr value=' reauth-period 7200'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access authenticator '/>
              <Expr variable='_loop_value'/>
              <Expr value=' client-limit 8'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access authenticator '/>
              <Expr variable='_loop_value'/>
              <Expr value=' logoff-period 86400'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access authenticator '/>
              <Expr variable='_loop_value'/>
              <Expr value=' quiet-period 30'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access authenticator '/>
              <Expr variable='_loop_value'/>
              <Expr value=' reauth-period 7200'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access '/>
              <Expr variable='_loop_value'/>
              <Expr value=' controlled-direction in'/>
            </Expr>
          </ConfigFileCheck>
        </Expr>
        <Then>
        </Then>
        <Else>
          <Expr op='push'>
            <Expr variable='missing_configuration'/>
            <Expr variable='_loop_value'/>
          </Expr>
        </Else>
      </If>
    </Do>
  </ForEach>
  <If>
    <Expr op='size'>
      <Expr variable='missing_configuration'/>
    </Expr>
    <Then>
      <PolicyRuleFail>
        <Expr op='concat'>
          <Expr> Missende configuratie op poort(en) : </Expr>
          <Expr op='join'>
            <Expr variable='missing_configuration'/>
            <Expr value=','/>
          </Expr>
        </Expr>
      </PolicyRuleFail>
    </Then>
    <Else>
      <PolicyRulePass>
      </PolicyRulePass>
    </Else>
  </If>
</PolicyRuleLogic>

Re: Port Policy Compliance on HP switches.

Techie
Posts: 6

Oops, when posting this I discovered my typo:

<Exp label='1' op='in'>

This should be <Expr label='1' op='in'>

So the 'in' statement seems to be in order.

After fixing this I got other error messages:

Line 105:
element Then: Schemas validity error : Element '{http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}Then': This element is not expected. Expected is one of ( {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}ConfigBlockCheck, {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}ConfigFileCheck, {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}CPDCheck, {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}Expr, {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}ListSearch ).

Line 13:
element If: Schemas validity error : Element '{http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}If': Missing child element(s). Expected is ( {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}Then ).

Line 0:
Expression refers to invalid subexpression '1'


Re: Port Policy Compliance on HP switches.

Techie
Posts: 6

And forget the policy rule I sent before, this was a corrupted version. It should be like below. I seem to have my if statements mixed up.

<PolicyRuleLogic xmlns="http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml" editor="raw-xml">
  <Expr op="array" output="access-ports"/>
  <Expr op="array" output="no-name"/>
  <Expr op="array" output="missing_configuration"/>
  <ConfigBlockCheck block-end="$" block-start="^spanning-tree (\d{1,2}) admin-edge-port" boundary-method="regexp">
    <Expr op="push">
      <Expr variable="access-ports"/>
      <Expr variable="_start_match_1"/>
    </Expr>
  </ConfigBlockCheck>
  <ConfigBlockCheck block-start="^interface (.*)$" boundary-method="indent">
    <If>
      <Expr op="matches">
        <Expr variable="_block"/>
        <Expr value="^\sname.*"/>
      </Expr>
      <Then>
      </Then>
      <Else>
        <Expr op="push">
          <Expr variable="no-name"/>
          <Expr variable="_start_match_1"/>
        </Expr>
      </Else>
    </If>
  </ConfigBlockCheck>
  <ForEach>
    <Expr variable="access-ports"/>
    <Do>
      <If>
        <Expr expression="1 and 2">
          <Expr label="1" op="in">
            <Expr variable="_loop_value"/>
            <Expr variable="no-name"/>
          </Expr>
          <Expr label="2" op="and">
            <ConfigFileCheck op="does-not-contain-any">
              <Expr op="concat">
                <Expr value="^interface "/>
                <Expr variable="_loop_value"/>
                <Expr value="\\s+dhcp-snooping max-bindings 10\\s+name.*"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^spanning-tree "/>
                <Expr variable="_loop_value"/>
                <Expr value=" bpdu-protection"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" addr-limit 8"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" addr-moves"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" logoff-period 86400"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" quiet-period 30"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" reauth-period 7200"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" client-limit 8"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" logoff-period 86400"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" quiet-period 30"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" reauth-period 7200"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access "/>
                <Expr variable="_loop_value"/>
                <Expr value=" controlled-direction in"/>
              </Expr>
            </ConfigFileCheck>
          </Expr>
          <Then>
          </Then>
          <Else>
            <Expr op="push">
              <Expr variable="missing_configuration"/>
              <Expr variable="_loop_value"/>
            </Expr>
          </Else>
        </Expr>
      </If>
    </Do>
  </ForEach>
  <If>
    <Expr op="size">
      <Expr variable="missing_configuration"/>
    </Expr>
    <Then>
      <PolicyRuleFail>
        <Expr op="concat">
          <Expr> Missende configuratie op poort(en) : </Expr>
          <Expr op="join">
            <Expr variable="missing_configuration"/>
            <Expr value=","/>
          </Expr>
        </Expr>
      </PolicyRuleFail>
    </Then>
    <Else>
      <PolicyRulePass>
      </PolicyRulePass>
    </Else>
  </If>
</PolicyRuleLogic>

Re: Port Policy Compliance on HP switches.

New Member
Posts: 3

I wrote the same in the Raw-xml viewer and fixed a couple of mixed statements. This works now:

<PolicyRuleLogic xmlns="http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml" editor="raw-xml">
  <Expr op="array" output="access-ports"/>
  <Expr op="array" output="no-name"/>
  <Expr op="array" output="missing_configuration"/>
  <ConfigBlockCheck block-end="$" block-start="^spanning-tree (\d{1,2}) admin-edge-port" boundary-method="regexp">
    <Expr op="push">
      <Expr variable="access-ports"/>
      <Expr variable="_start_match_1"/>
    </Expr>
  </ConfigBlockCheck>
  <ConfigBlockCheck block-start="^interface (.*)$" boundary-method="indent">
    <If>
      <Expr op="matches">
        <Expr variable="_block"/>
        <Expr value="^\sname.*"/>
      </Expr>
      <Then>
      </Then>
      <Else>
        <Expr op="push">
          <Expr variable="no-name"/>
          <Expr variable="_start_match_1"/>
        </Expr>
      </Else>
    </If>
  </ConfigBlockCheck>
  <ForEach>
    <Expr variable="access-ports"/>
    <Do>
      <If>
        <Expr expression="1 and 2">
          <Expr label="1" op="in">
            <Expr variable="_loop_value"/>
            <Expr variable="no-name"/>
          </Expr>
          <Expr label="2" op="and">
            <ConfigFileCheck op="does-not-contain-any">
              <Expr op="concat">
                <Expr value="^interface "/>
                <Expr variable="_loop_value"/>
                <Expr value="\\s+dhcp-snooping max-bindings 10\\s+name.*"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^spanning-tree "/>
                <Expr variable="_loop_value"/>
                <Expr value=" bpdu-protection"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" addr-limit 8"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" addr-moves"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" logoff-period 86400"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" quiet-period 30"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" reauth-period 7200"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" client-limit 8"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" logoff-period 86400"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" quiet-period 30"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" reauth-period 7200"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access "/>
                <Expr variable="_loop_value"/>
                <Expr value=" controlled-direction in"/>
              </Expr>
            </ConfigFileCheck>
          </Expr>
        </Expr>
        <Then>
        </Then>
        <Else>
          <Expr op="push">
            <Expr variable="missing_configuration"/>
            <Expr variable="_loop_value"/>
          </Expr>
        </Else>
      </If>
    </Do>
  </ForEach>
  <If>
    <Expr op="size">
      <Expr variable="missing_configuration"/>
    </Expr>
    <Then>
      <PolicyRuleFail>
        <Expr op="concat">
          <Expr value="missing configuration:"/>
          <Expr op="join">
            <Expr variable="missing_configuration"/>
            <Expr value=","/>
          </Expr>
        </Expr>
      </PolicyRuleFail>
    </Then>
    <Else>
      <PolicyRulePass>
      </PolicyRulePass>
    </Else>
  </If>
</PolicyRuleLogic>

Re: Port Policy Compliance on HP switches.

Techie
Posts: 6

I have solved this issue myself by building an OR function before the parameter tests, which checks if there is a name (description) configured.
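As an added illustration (not code from the thread or from NetMRI), the logic of the rule is replayed in Python over a constructed HP-style config: the "named OR all parameter tests pass" condition from the last post is compared with the earlier expression="1 and 2" form, which also reports every access port that does have a name. REQUIRED is a shortened subset of the thread's contains-all checks, and the function names are my own.

```python
import re

# Constructed sample of an HP ProCurve-style config (not taken from the thread).
SAMPLE_CONFIG = """\
interface 22
   dhcp-snooping max-bindings 10
interface 23
   dhcp-snooping max-bindings 10
interface 24
   name "printer"
spanning-tree 22 admin-edge-port
spanning-tree 23 admin-edge-port
spanning-tree 24 admin-edge-port
spanning-tree 22 bpdu-protection
aaa port-access mac-based 22 addr-limit 8
aaa port-access 22 controlled-direction in
"""

# Lines every unnamed access port must carry ({p} = port); a short subset of the
# thread's contains-all checks.
REQUIRED = [
    "spanning-tree {p} bpdu-protection",
    "aaa port-access mac-based {p} addr-limit 8",
    "aaa port-access {p} controlled-direction in",
]

def access_ports(config):
    # Same match as the rule's ConfigBlockCheck on '^spanning-tree (\d{1,2}) admin-edge-port'.
    return re.findall(r"^spanning-tree (\d{1,2}) admin-edge-port", config, re.M)

def unnamed_ports(config):
    # Ports whose indent-delimited 'interface N' block has no 'name' line.
    ports = []
    for m in re.finditer(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        if not re.search(r"^\s+name\b", m.group(2), re.M):
            ports.append(m.group(1))
    return ports

def port_compliant(config, port):
    # Each required line is anchored as a whole line, so port 2 cannot satisfy a check for port 22.
    return all(re.search("^" + re.escape(t.format(p=port)) + r"\s*$", config, re.M)
               for t in REQUIRED)

def missing_configuration(config):
    # Intended rule (last post): a port passes if it has a name OR all parameter tests
    # pass, so only unnamed, non-compliant access ports are reported.
    unnamed = set(unnamed_ports(config))
    return [p for p in access_ports(config) if p in unnamed and not port_compliant(config, p)]

def missing_with_and_logic(config):
    # The earlier expression="1 and 2" form: only "unnamed AND compliant" passes,
    # so every named access port (24 here) is reported as well.
    unnamed = set(unnamed_ports(config))
    return [p for p in access_ports(config) if not (p in unnamed and port_compliant(config, p))]
```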
