...

In this example we want to extract the Netflow configuration from a Fortigate device. The Fortigate command that returns the information we need is "show full-configuration system netflow".

...

Code Block
# json_xs < opCommon.json

Note that all matching parsers will be applied for a particular command, in the order they are given in the configuration.

...

Code Block
[root@localhost conf]# /usr/local/omk/bin/opconfig-cli.pl act=export_config_status node=FortinetTest debug=true
opconfig-cli.pl Version 3.420.0

Copyright (C) 2015 Opmantek Limited (www.opmantek.com)
This program comes with ABSOLUTELY NO WARRANTY;
See www.opmantek.com or email contact@opmantek.com

opConfig is licensed to Opmantek Internal for 50 Nodes - Expires 15-Aug-2023

[2023-01-20 17:32:28.57037] [8596] [debug] new opConfig: require_db
[2023-01-20 17:32:28.71590] [8596] [debug] Creating NMISx
{
   "config_features" : {
      "netflow" : {
         "activeFtimeout" : "1800",
         "collectorip" : "192.168.0.104",
         "collectorport" : "2055",
         "inactFtimeout" : "15",
         "intmethod" : "auto",
         "sourceip" : "192.168.0.105",
         "txcounter" : "20",
         "txtimeout" : "1800"
      }
   }
}


Compliance Policy files

The compliance policy language is very similar to the opEvents policy language.

Here is a quick overview of the structural rules:

  • A policy consists of one hash (or "associative array"). All hash keys (=rule numbers) must be numeric, and the keys control the order of rule evaluation.
    Rule numbers do not have to be globally unique, just within the enclosing subpolicy.
  • Each hash element must describe either one IF/THEN clause or one EACH/BLOCK iteration.
  • THEN statements can be either a single string (describing the actions to take) or a nested sub-policy (in the form of a nested hash).
  • EACH/BLOCK iterations always require a nested sub-policy.
  • IF statements are single strings, made up from structure or variable selector expressions and Perl operators and expressions.
  • The available actions for THEN statements are ok(), exception(), CONTINUE() and LAST().
  • EACH statements consist of a variable name (for the iterator variable to be) and a structure selector expression (for the objects to iterate over).
  • The policy engine invokes policy rules with a number of pre-defined structure variables, to provide access to the configuration status document, the current node name and a few others.

Compliance policy files are installed in the directory /usr/local/omk/conf/compliance_policies and they must have the .json extension.

Step 1. Create the compliance policy file.

With the compliance policy file we are going to evaluate the information that we got in step 4 (Execute the update_config_status and export_config_status commands). To create the compliance policy file, navigate to /usr/local/omk/conf/compliance_policies.

Code Block
# cd /usr/local/omk/conf/compliance_policies

We can copy the cisco_nsa.json policy to create the fortigate-netflow.json policy.

Code Block
# cp cisco_nsa.json fortigate-netflow.json

In our case we want to validate that the Fortigate has the collector IP and collector port configured.

Let's edit the fortigate-netflow.json file:

Code Block
# vi fortigate-netflow.json


Code Block
{
   "10" : {
      "IF" : "not defined(${NODEINFO}.os_info)",
      "THEN" : "exception(\"Node has no os_info\",0,node=$NODENAME) AND LAST()",
      "Comment" : "If the device does not have OS information you will get an exception"
   },
   "20" : {
      "IF" : "$NODEINFO.os_info.os eq \"Fortinet\"",
      "Comment" : "In our case OS info must match Fortinet in order to apply this policy; if you have a Cisco device you would have IOS, IOS-XE, etc.",
      "Comment" : "This policy will apply only to Fortigate devices",
      "THEN" : {
         "201" : {
            "IF" : "$NODE.config_features.netflow.collectorip eq \"192.168.0.104\"",
            "Comment" : "Checks whether the value of the collectorip variable is equal to 192.168.0.104",
            "Comment" : "All the variables stored in the inventory are strings, so evaluate them with eq, ne, etc.",
            "THEN" : "ok(\"Collector IP for Netflow is OK\",4,node=$NODENAME,config=$NODE.config_features.netflow.collectorip)",
            "Comment" : "Output that you will get in opConfig: NODE.config_features.netflow.collectorip"
         },
         "202" : {
            "IF" : "$NODE.config_features.netflow.collectorip ne \"192.168.0.104\"",
            "THEN" : "exception(\"Collector IP for Netflow is not correct\",3,node=$NODENAME,config=$NODE.config_features.netflow.collectorip)"
         },
         "203" : {
            "IF" : "not($NODE.config_features.netflow.collectorip)",
            "Comment" : "If the collectorip is not present in the inventory",
            "THEN" : "exception(\"Collector IP for Netflow is not configured\",3,node=$NODENAME,config=$NODE.config_features.netflow.collectorip)"
         },
         "204" : {
            "IF" : "$NODE.config_features.netflow.collectorport eq \"2055\"",
            "THEN" : "ok(\"Collector port is OK\",4,node=$NODENAME,config=$NODE.config_features.netflow.collectorport)"
         },
         "205" : {
            "IF" : "$NODE.config_features.netflow.collectorport ne \"2055\"",
            "THEN" : "exception(\"Collector port is not correct\",3,node=$NODENAME,config=$NODE.config_features.netflow.collectorport)"
         },
         "206" : {
            "IF" : "not($NODE.config_features.netflow.collectorport)",
            "THEN" : "exception(\"Collector port is not configured\",3,node=$NODENAME,config=$NODE.config_features.netflow.collectorport)"
         }
      }
   }
}


Warning

Compliance policy files do not allow comments. If you copy the code above with the "Comment" entries included, you will get this error when you try to use the check_compliance command:

Code Block
[2023-01-23 12:24:01.24850] [68968] [debug] Operating on node FortinetTest
[2023-01-23 12:24:01.24909] [68968] [debug] iterating through policy rules, now at nr. 10, substvars NODE, NODEINFO, NODENAME
[2023-01-23 12:24:01.24926] [68968] [debug] Operating on node FortinetTest
[2023-01-23 12:24:01.24939] [68968] [debug] Taking exception action exception, Rule Error
check_compliance failed for node FortinetTest: Policy unparseable: Unknown keywords present.



We can check that the JSON syntax is valid with:

Code Block
# json_xs < fortigate-netflow.json
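The json_xs check above only proves the file is valid JSON; it does not catch the "Unknown keywords present" failure from the warning, nor a rule that breaks the structural rules listed earlier (numeric rule numbers, one IF/THEN or EACH/BLOCK per rule, an action string or sub-policy in THEN). The following pre-flight linter is an added Python example, not part of opConfig, and assumes that IF, THEN, EACH and BLOCK are the only keywords a rule may carry, which the page's rules imply but do not state as the complete list.

```python
import json

# Rule keywords implied by the structural rules (assumption: this is the full set).
# "Comment" is not one of them, which is what produces "Unknown keywords present".
RULE_KEYS = {"IF", "THEN", "EACH", "BLOCK"}
ACTIONS = ("ok(", "exception(", "CONTINUE(", "LAST(")

def lint_policy(policy, path="policy"):
    # Returns a list of structural problems in a parsed policy hash; [] means clean.
    if not isinstance(policy, dict):
        return [f"{path}: a policy must be a hash"]
    problems = []
    for key, rule in policy.items():
        where = f"{path}[{key}]"
        if not key.isdigit():
            problems.append(f"{where}: rule numbers must be numeric")
        if not isinstance(rule, dict):
            problems.append(f"{where}: each rule must be a hash")
            continue
        unknown = sorted(set(rule) - RULE_KEYS)
        if unknown:
            problems.append(f"{where}: unknown keywords {unknown}")
        is_if = "IF" in rule and "THEN" in rule
        is_each = "EACH" in rule and "BLOCK" in rule
        if is_if == is_each:
            problems.append(f"{where}: need exactly one IF/THEN or one EACH/BLOCK")
            continue
        if is_if:
            if not isinstance(rule["IF"], str):
                problems.append(f"{where}.IF: must be a single string")
            then = rule["THEN"]
            if isinstance(then, dict):  # nested sub-policy, checked recursively
                problems.extend(lint_policy(then, where + ".THEN"))
            elif not (isinstance(then, str) and any(a in then for a in ACTIONS)):
                problems.append(f"{where}.THEN: must be an action string or a sub-policy")
        else:  # EACH/BLOCK iteration: BLOCK must itself be a sub-policy hash
            if not isinstance(rule["EACH"], str):
                problems.append(f"{where}.EACH: must be a single string")
            problems.extend(lint_policy(rule["BLOCK"], where + ".BLOCK"))
    return problems

def lint_policy_text(text):
    # Parse the file text as JSON (what json_xs checks), then lint the structure.
    try:
        return lint_policy(json.loads(text))
    except json.JSONDecodeError as err:
        return [f"invalid JSON: {err}"]

# Constructed sample: rule 10 from the policy above, plus a rule 20 carrying a "Comment" key.
SAMPLE = '''{"10": {"IF": "not defined(${NODEINFO}.os_info)",
        "THEN": "exception(\\"Node has no os_info\\",0,node=$NODENAME) AND LAST()"},
 "20": {"IF": "$NODEINFO.os_info.os eq \\"Fortinet\\"", "Comment": "Fortigate only",
        "THEN": {"201": {"IF": "$NODE.config_features.netflow.collectorip eq \\"192.168.0.104\\"", "THEN": "ok(\\"Collector IP is OK\\",4,node=$NODENAME)"}}}}'''
```

Running lint_policy_text over the file contents before import_policy reports the offending "Comment" keys by rule number instead of the single "Policy unparseable" line from check_compliance.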


The variable $NODE.config_features.netflow.collectorip comes from the inventory, i.e. the config_features.netflow.collectorip entry in the export_config_status output shown above.


Step 2. Execute the import_policy and check_compliance commands.

All compliance policies are named and versioned.

To make a policy available to opConfig it must be imported. We import the fortigate-netflow.json policy like this:

Code Block
# /usr/local/omk/bin/opconfig-cli.pl act=import_policy name="netflow" file=/usr/local/omk/conf/compliance_policies/fortigate-netflow.json

List the compliance policies 

Code Block
# /usr/local/omk/bin/opconfig-cli.pl act=list_policies


Info

Whenever you change the compliance policy file you must import the policy again to update it. Each import creates a new version.



At this time compliance policy assessments are not performed automatically; they have to be triggered with opconfig-cli.pl using the check_compliance action:

Code Block
# /usr/local/omk/bin/opconfig-cli.pl act=check_compliance name='netflow' node=FortinetTest debug=9

Step 3. View Compliance Status

Now you can check the Compliance Status in the opConfig GUI. Access the opConfig GUI at http://YOUR_SERVERNAME/omk/opConfig, log in and then choose "Views -> Compliance Status" from the menu bar.
