Configuration management rulesets help force compliance rules onto device configurations. These rulesets are cumulative, meaning that all config rulesets from all device templates applied to a device will be added to that device. See Config Manager for more information on configuration management and rulesets.
To add a configuration management ruleset to a device template, follow the steps below.
- Navigate to the edit page of the device template you want to add the ruleset to.
  - See How to Edit a Device Template to learn how to do this.
- Find the “Configuration Management Ruleset” section of the “Template Components” panel and click the plus button to add a ruleset.
- On the page that follows:
  - In the TITLE field, enter a name for your ruleset. All configuration ruleset names must be unique.
  - In the CONTEXT field, enter the section of the device configuration that will be evaluated by the ruleset (you can use a regular expression here to affect multiple sections of the configuration, if necessary). Leave blank to match the top level context (i.e. no context). This field will be used in the commandlet below.
  - In the RULE(S) section, add conditions that represent the desired state of the device config (regex is allowed in the value field). Click the plus button on the right to add additional conditions (additional conditions use a logical AND, so be careful when constructing your conditions).
    - “Must Have” means that if the device config does not contain the value to the right of the condition, execute the ACTION.
    - “Must Not Have” means that if the device config does contain the value to the right of the condition, execute the ACTION.
    - In the example above, if any device configs affected by this template do not contain the value “keepalive 10” under the specified context “interface GigabitEthernet1\/0\/2”, the action will be executed on that device config. In this case, the action adds that value to that context.
  - (Optional) In the ACTION field, enter the set of commands (commandlet) that you want executed on the device configuration exactly as you would type them on the command line.
    - Connect and disconnect commands are not required; Netreo will handle these on its own.
    - Begin the commandlet with a command to enter configuration mode for the device. End the commandlet with a command to exit configuration mode. For each deeper level of context you go (for example, accessing a specific interface) a matching exit command must also be included.
    - When specifying the context in the commandlet, enter $CONTEXT$. Netreo will replace this with the value entered in the CONTEXT field (see example in image above).
    - No error checking is done on the configuration commands used. Therefore, it is imperative that you double-check the commands you enter to avoid doing something destructive.
  - Click the Add Rule button.
The ruleset is added to the device template.
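
Because no error checking is done on the ACTION commands, a commandlet can be checked before it is pasted into the ruleset. The script below is an added example, not Netreo's own code: it applies the rules stated in the steps above (enter configuration mode first, one matching exit per level, $CONTEXT$ substituted from the CONTEXT field). The IOS-style keywords, the function names and the sample commandlets are assumptions; `end` is not counted because the steps ask for a matching exit per level.

```python
import re

# Assumed IOS-style keywords; adjust these patterns for the device's own CLI.
ENTER_CONFIG = re.compile(r"^conf(igure)?\s+t(erminal)?$", re.I)
OPENS_CONTEXT = re.compile(r"^(interface|router|line|vlan)\s+\S", re.I)
LEAVES_LEVEL = re.compile(r"^exit$", re.I)

def expand(commandlet, context):
    """Substitute $CONTEXT$ as the steps describe and split into commands."""
    lines = commandlet.replace("$CONTEXT$", context).splitlines()
    return [ln.strip() for ln in lines if ln.strip()]

def lint(commandlet, context):
    """Return a list of problems found; an empty list means the checks passed."""
    problems = []
    if "$CONTEXT$" in commandlet and not context:
        problems.append("$CONTEXT$ used but CONTEXT field is empty")
    cmds = expand(commandlet, context)
    if not cmds:
        return ["commandlet is empty"]
    if not ENTER_CONFIG.match(cmds[0]):
        problems.append("first command does not enter configuration mode")
    depth = 0  # number of levels entered and not yet exited
    for n, cmd in enumerate(cmds, 1):
        if ENTER_CONFIG.match(cmd) or OPENS_CONTEXT.match(cmd):
            depth += 1
        elif LEAVES_LEVEL.match(cmd):
            depth -= 1
            if depth < 0:
                problems.append(f"line {n}: exit with no level left to leave")
                depth = 0
    if depth:
        problems.append(f"{depth} level(s) entered but never exited")
    return problems

# Constructed samples based on the page's "keepalive 10" example.
CONTEXT = "interface GigabitEthernet1/0/2"
GOOD = "configure terminal\n$CONTEXT$\nkeepalive 10\nexit\nexit\n"
BAD = "$CONTEXT$\nkeepalive 10\nexit\n"  # never enters configuration mode

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint(text, CONTEXT) or "ok")
```

The check covers only the structure of the commandlet; it does not validate the commands themselves or model how Netreo handles a regular expression in the CONTEXT field.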
If no commands are entered in the ACTION field of the ruleset, any violations of the ruleset will still be picked up by the configuration check and processed as if a configuration change had occurred—even though no changes have actually been made. This means that the violation event will be displayed in the config manager dashboard and an alert notification will be sent out to contacts in the “Default Email Alerts” action group or the action group specified in the Configuration Change Alerts incident management rule. It is then up to an administrator to rectify the configuration of the device manually, if necessary.
You may add as many config management rulesets to your template as necessary. When finished, it is not necessary to click the Update button on the edit page of the template. This is only required when editing authentication credentials.
If you’ve added config management rulesets to a device template that is already applied to any devices, navigate back to the Device Templates Administration page using the arrow icon at the top left of the page and reapply your device templates.