Criteria

This screen lets you filter configuration files based on text or regular expressions. Click Add to open an editor line. This screen ultimately determines whether the configuration files for the selected equipment comply with the applicable policy. To create a policy, first use the radio buttons at the top of this screen to select whether you want to Match Any (logical OR) or All (logical AND) of the criteria you configure.

See these sections for more about criteria:

Editing Compliance Policy Criteria

Match Regex for each line

Count number of occurrences

Input Source Grouping

Properties

For additional criteria information consult these sections:

Create Source Group Criteria

Regular Expressions

Perl / Java (Groovy) Language Policies

Editing Compliance Policy Criteria

After clicking Add Criteria, use the pick list on the upper right to select a criteria match type (Contains, Doesn’t contain, [does not] match Regex (see Regular Expressions), [does not] Match Regex for each line, Count number of occurrences, Perl or Java (Groovy)). Specify the match string or regular expression (Regex) in the text editor below the pick list.

With the Add Criteria button, you can configure multi-criteria policies with several lines. For example, configure one saying a maximum of four lines containing name-server can appear (<5), in any order (Match Regex for each line), and another that says the configuration must contain no ip domain lookup [domain].

Notice the radio buttons Match Any of the following and Match all of the following. Selecting Any means that the policy succeeds if either of the lines matches. Selecting All means that both lines must pass before the policy is successful.

For more complex scans, you can also enter Perl or Java (Groovy) language policies. See Perl / Java (Groovy) Language Policies for details about these. The does not operators are simply the negation of the corresponding match operators.

Click the Apply green check button to accept your term, or the Cancel button to abandon your edits.

You can edit already listed compliance tests by clicking the Edit button (pencil and paper) in the list row. You can delete them by clicking the Delete button next to the criterion.

Match Regex for each line

With this type of term, Open Manage Network Manager processes each line separately, comparing the input source to the match criteria. This returns a true value only if the criteria find a match in the source. The order of matching is not important, since each line is processed separately.

Count number of occurrences

This operator lets you specify a less than, greater than, or equal mathematical operator (<, >, =) and a number of lines, in addition to the regex or string criteria. This returns true if the number of matches in the input source satisfies the operator and count combination. For example, if you choose a match criterion that includes =9 lines as the operator, and the scanned configuration has ten lines that match, the scan returns false.

Input Source Grouping

Adaptive CLI show commands and configuration files often have repeating sections or groups of parameters. Open Manage Network Manager scans configurations by section using Start Criteria and End Criteria Regex group criteria patterns. A configuration can contain multiple starts and stops. This is especially useful when the criteria provided might occur multiple times in the input source but you want to find only the instances which are preceded by a particular line in the source.

Click Add new group in the Input Source panel in the Criteria editor, and the grouping editor appears. (Click the red icon to the source grouping’s left to delete it.) Enter the starting and ending regular expressions (Start at / End at), and elect whether the beginning or end of the source group includes or excludes what that expression matches. Click Apply to accept your edits, or Cancel to abandon them. You can create multiple group criteria. Open Manage Network Manager applies the group criteria in order, from top to bottom.

When you have defined a Start and Stop, Open Manage Network Manager finds the information between these. Open Manage Network Manager logically extracts the data from the main config (essentially creating sections) and then does the audit.

For example, if your configuration has one section of router bgp and multiple sections for each bgp neighbor, you can specify matches within each neighbor. Your policy can audit each router bgp section and each neighbor within each router bgp.

See Create Source Group Criteria below for an example of how to use these capabilities. Also, see Regular Expressions below for more about what match criteria are supported.

Properties

Checkboxes on this page configure whether the proscan match is Case Sensitive, or has Multi-Line Support. By default they are disabled. Check to enable them.

Create Source Group Criteria

Here is an example of how you can use source group criteria. Suppose you want to scan for the following text:

neighbor 2.3.4.5 activate

neighbor 2.3.4.5 route-map allanRM01

This is within the following configuration:

router ospf 888

log-adjacency-changes

redistribute bgp 88 metric 10010 metric-type 1 subnets tag 334 route-map allanRM02

network 2.3.4.0 0.0.0.255 area 123

network 2.3.5.0 0.0.0.255 area 124

network 2.3.6.0 0.0.0.255 area 125

!

router isis

!

router rip

version 2

network 175.92.0.0

no auto-summary

!

address-family ipv4 vrf VPN_PE_A

no auto-summary

no synchronization

exit-address-family

!

router bgp 88

bgp log-neighbor-changes

neighbor 2.3.4.5 remote-as 22

neighbor description "This is Test"

neighbor test-parameter xxx

neighbor 4.5.6.7 remote-as 66

neighbor description "This is Test"

neighbor test-parameter xxx

!

address-family ipv4

redistribute connected route-map map-12

redistribute static route-map hjlhjhjhjk

redistribute ospf 888 metric 500 match internal external 2 nssa-external 1 nssa-external 2 route-map allanRM03

neighbor 2.3.4.5 activate

neighbor 2.3.4.5 route-map allanRM01 in

neighbor 4.5.6.7 activate

neighbor 4.5.6.7 route-map allanRM02 in

default-information originate

no auto-summary

no synchronization

exit-address-family

!

address-family ipv4 vrf VPN_PE_A

redistribute ospf 10 vrf VPN_PE_A match internal external 1 external 2

no auto-summary

no synchronization

exit-address-family

!

In addition, within this configuration, you want to check if the target lines are present under each address-family in the router bgp section. To scan for this, follow these steps:

1. Select the Match All of the following radio button and enter both of the above lines as match criteria. Select the Config Term as match Regex for each line, so the order in which these lines appear does not matter.

2. Add a source group criterion to search for a section that begins with “router bgp” (in regex: router\sbgp). No end match criterion is needed. Click Apply.

3. Click Add to make another criterion. This time, the start is address-family\s, and the end is exit-address-family. Click Apply.

4. You should see both criteria listed in the editor.

5. Applying the first group criterion finds the match (underlined) in the following:

router bgp 88

bgp log-neighbor-changes

neighbor 2.3.4.5 remote-as 22

neighbor description "This is Test"

neighbor test-parameter xxx

neighbor 4.5.6.7 remote-as 66

neighbor description "This is Test"

neighbor test-parameter xxx

!

address-family ipv4

redistribute connected route-map map-12

redistribute static route-map hjlhjhjhjk

redistribute ospf 888 metric 500 match internal external 2 nssa-external 1 nssa-external 2 route-map allanRM03

neighbor 2.3.4.5 activate

neighbor 2.3.4.5 route-map allanRM01 in

neighbor 4.5.6.7 activate

neighbor 4.5.6.7 route-map allanRM02 in

default-information originate

no auto-summary

no synchronization

exit-address-family

!

address-family ipv4 vrf VPN_PE_A

redistribute ospf 10 vrf VPN_PE_A match internal external 1 external 2

no auto-summary

no synchronization

exit-address-family

!

6. Applying the second group criterion on the above result divides the source:

Source 1:

address-family ipv4

redistribute connected route-map map-12

redistribute static route-map hjlhjhjhjk

redistribute ospf 888 metric 500 match internal external 2 nssa-external 1 nssa-external 2 route-map allanRM03

neighbor 2.3.4.5 activate

neighbor 2.3.4.5 route-map allanRM01 in

neighbor 4.5.6.7 activate

neighbor 4.5.6.7 route-map allanRM02 in

default-information originate

no auto-summary

no synchronization

exit-address-family

Source 2:

address-family ipv4 vrf VPN_PE_A

redistribute ospf 10 vrf VPN_PE_A match internal external 1 external 2

no auto-summary

no synchronization

exit-address-family

This creates two source sections.

7. Now Open Manage Network Manager applies the regex in the criteria field to each of the sources. It returns true only if both sources pass (we selected the Match All radio button). In this case “Source 2” does not have those lines, so Open Manage Network Manager returns a false value.

8. The error details appear in the audit trail panel.
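The procedure above can be modelled outside the product to check a policy's logic before deploying it. The following Python sketch is an added example, not Open Manage Network Manager code: the function names, the indentation of the constructed configuration excerpt, case-sensitive matching, and the handling of a group whose end pattern never appears are all assumptions.

```python
import re

# Constructed excerpt of the sample configuration above (indentation assumed).
CONFIG = """\
router rip
 no auto-summary
router bgp 88
 neighbor 2.3.4.5 remote-as 22
 address-family ipv4
  neighbor 2.3.4.5 activate
  neighbor 2.3.4.5 route-map allanRM01 in
 exit-address-family
 address-family ipv4 vrf VPN_PE_A
  no auto-summary
 exit-address-family
"""

# Source group criteria as (start, end) pairs, applied top to bottom.
GROUPS = [(r"router\sbgp", None), (r"address-family\s", r"exit-address-family")]
# Dots are escaped so that "." only matches a literal dot in the address.
TARGETS = [r"neighbor 2\.3\.4\.5 activate", r"neighbor 2\.3\.4\.5 route-map allanRM01"]

def split_groups(lines, start, end=None):
    """Sections running from a start match to the next end match (inclusive),
    or to the end of the input when no end pattern is given."""
    groups, current = [], None
    for line in lines:
        if current is None:
            if re.search(start, line):
                current = [line]
        else:
            current.append(line)
            if end and re.search(end, line):
                groups.append(current)
                current = None
    if current:  # assumption: an unterminated section is still audited
        groups.append(current)
    return groups

def audit(config, group_criteria, patterns):
    """Match All + Match Regex for each line, evaluated per source section."""
    sources = [config.splitlines()]
    for start, end in group_criteria:
        sources = [g for s in sources for g in split_groups(s, start, end)]
    # Each pattern must match some line of the section; order is irrelevant.
    results = [all(any(re.search(p, ln) for ln in src) for p in patterns)
               for src in sources]
    return sources, results, bool(results) and all(results)

if __name__ == "__main__":
    print(audit(CONFIG, GROUPS, TARGETS)[1:])
```

Running the same targets with an empty group list passes, because the whole file is treated as one source; the grouping is what exposes the address-family that lacks the required lines.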