Policy Manager is designed to focus on policy management and help target policies to rule groups in your organization. It provides direct configurability along with other features such as:
- Ability to import policies.
- Push changes to devices.
- Rule optimization via Template Builder.
Policy Manager uses device-specific TextFSM templates to convert native config into JSON, and Jinja2 templates to convert JSON back into device config. This guide details all the features available in Policy Manager and walks through many of the tasks used to manage policies on devices.
Policies Card Collection
The Policies page allows new policies to be created, existing policies to be deleted, and rule updates through the policy edit page. All policies are displayed in a card format. You can paginate, filter, and sort policies by field. Data fields can also be toggled for display.
A policy can link to multiple targets on the same device or it can link to multiple targets across multiple devices. Deleting a policy requires all the targets to be unlinked from the policy. Deleting a single policy will display a table of targets to which the current policy is linked and deleting multiple policies will display the targets to which all the policies are linked.
Note: You cannot delete policies that have linked targets.
On the policy edit page, there are two tabs: Rules and Targets. The rules table allows you to create, delete and reorder rules by manual input index or drag and drop. The rules order (index) is converted to sequence numbers in the background prior to pushing to the device.
Creating and Updating Rules (in a Single Policy)
Every rule is unique and rules do not have their own database collection. If you want to give the same rule to two different policies, you must create two rules, one in each policy. The Name and Action fields are required to create a new rule. Multiple networks and multiple services are not supported: only the first source network, destination network, and service will be applied on push.
Available Networks uses server-side filtering and requires a network name. Address search is not supported.
Selected Networks are filtered and the networks list will auto-filter as you type.
On the Targets tab of the policy page, a list of linked targets is displayed in a table. You can unlink a target by removing the device chip from the table. You can also unlink a target from a policy from the Devices page.
When adding a target to a policy, a list of all targets is provided. Select and save the targets to link them to the current policy. A target cannot have more than one policy applied. From the Add Targets view, the application will restrict you from adding targets that already have policies.
The Redundant Rules switch becomes available when the current policy has redundant rules. This page has all the same capabilities as the Rules tab but with the redundant rules highlighted. The example screenshot shows that rules 3, 7, and 9 are redundant.
Devices Card Collection
The Devices page allows new devices to be imported, existing devices to be forgotten (removed from our database), and targets to be updated through the device edit page.
A device can be forgotten at any time without any restrictions. It removes the device document from the database, and the linked policies will lose reference to the device targets in the policy documents.
Importing Device: Frontend
The Import Device modal searches through all the devices a system is connected to. Only one device can be imported at a time. Users are given the option to preview data prior to importing.
Importing Device: Preview
Importing Device: Backend
On device import, via parsing methods in Template Builder, configurations for the policies (access-lists) and targets (interfaces) are parsed through the import-policy template and import-target template. Documents are then created for policies, networks, services, and device that correctly reference each other. This aligns with the Itential data model.
Push / Dry Run
The Push device modal allows you to view and accept a dry run before making changes to the device. A dry run is required on every push, and the push method takes in the dry run as an input. The dry run is displayed in the Diff.
Note: Pushing without a dry run will follow the same logic to retrieve the dry run - it will take just as much time.
From the examples shown below, a new policy named GS_NAT_ACL_REIMPORT_1 is linked to a Gigabit Ethernet 1 inbound policy, and details for the new policy appear in the config changes. It has a rule with a new network assigned, which displays as an addition. Reordering of rules can show as a deletion or an addition.
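The import, edit and dry-run steps described above (TextFSM parsing into JSON, rule index converted to sequence numbers on export, and the diff a push consumes) can be followed end to end in the added example below. It is not Policy Manager's code: a regular-expression parser stands in for the TextFSM import template, an f-string stands in for the Jinja2 export template, difflib produces the diff, and the IOS-style access list and the rule document layout are constructed for the example.

```python
"""Constructed walk-through of the import -> edit -> dry-run cycle.

Stand-ins used here: a regular-expression parser plays the part of the
TextFSM import template, an f-string plays the part of the Jinja2 export
template, and difflib produces the dry-run diff. Nothing in this file is
Policy Manager's own code; the sample config below is constructed.
"""
import difflib
import re

# Constructed sample running config (Cisco IOS-style extended ACL).
RUNNING_CONFIG = """\
ip access-list extended GS_NAT_ACL_REIMPORT_1
 10 permit tcp 10.0.0.0 0.0.0.255 any eq 443
 20 permit udp any host 192.0.2.53 eq 53
 30 deny ip any any
"""

ACL_HEADER = re.compile(r"^ip access-list extended (?P<name>\S+)$")
ACE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$"
)


def parse_acl(config):
    """Import step: native config -> policy document (JSON-shaped dict).

    The device's sequence numbers are read but not stored: the rule's
    position in the list (its index) is the only order that is kept.
    """
    policy = {"name": None, "rules": []}
    for line in config.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            policy["name"] = header.group("name")
            continue
        ace = ACE.match(line)
        if ace:
            policy["rules"].append({
                "name": f"rule-{len(policy['rules']) + 1}",
                "action": ace.group("action"),
                "protocol": ace.group("proto"),
                "source": ace.group("src"),
                "destination": ace.group("dst"),
                "service": ace.group("port"),  # None when there is no port qualifier
            })
    return policy


def render_acl(policy, step=10):
    """Export step: policy document -> native config.

    Sequence numbers are regenerated from the rule index, so inserting or
    reordering a rule renumbers every rule after it.
    """
    lines = [f"ip access-list extended {policy['name']}"]
    for index, rule in enumerate(policy["rules"], start=1):
        ace = (f" {index * step} {rule['action']} {rule['protocol']} "
               f"{rule['source']} {rule['destination']}")
        if rule["service"]:
            ace += f" eq {rule['service']}"
        lines.append(ace)
    return "\n".join(lines) + "\n"


def dry_run(current_config, policy):
    """Unified diff between the device's config and the rendered policy.

    An empty string means a push would change nothing.
    """
    desired = render_acl(policy)
    return "".join(difflib.unified_diff(
        current_config.splitlines(keepends=True),
        desired.splitlines(keepends=True),
        fromfile="device", tofile="desired", n=0,
    ))


def demo():
    """Import, insert one rule at index 1, and return the dry-run diff."""
    policy = parse_acl(RUNNING_CONFIG)
    policy["rules"].insert(1, {
        "name": "mgmt-ssh", "action": "permit", "protocol": "tcp",
        "source": "192.0.2.0 0.0.0.255", "destination": "any", "service": "22",
    })
    return dry_run(RUNNING_CONFIG, policy)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows why a reorder or insert appears in the diff as deletions plus additions: every rule after the inserted one is renumbered, so the device lines that follow it no longer match their previous text even though the rules themselves are unchanged.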
Networks Card Collection
The Network page allows new networks to be created, existing networks to be deleted, and network updates through the edit page.
A network is either a source or destination of a rule (which is either part of a policy or a rule template). When deleting one or many networks, a modal is displayed with all the policies and rule templates the deletion affects. You cannot delete networks that have linked rules (policies/rule templates).
Creating and Updating Networks
When creating a new network, or updating an existing network, the network is validated via Policy Engine.
Services Card Collection
The Service page allows new services to be created, existing services to be deleted, and service updates through the edit page.
A service is only referenced in a rule (which is either part of a policy or a rule template). When deleting one or many services, a modal is displayed with all the policies and rule templates the deletion affects. You cannot delete services that have linked rules (policies/rule templates).
Creating and Updating Services
A service's protocol can be updated by giving the protocol number or selecting the protocol name from the dropdown. Additional service options will render the views dynamically depending on the protocol type.
Protocols that allow fragment restrictions give users the option to exclude multiple flags:
Protocols that allow port options allow the user to set the source and destination port to be Greater Than, or Not In on a single port or multiple ports (1-65535).
TCP Additional flags
For TCP services, additional flags can be assigned by selecting All Of or Any Of the following flags:
ICMP/ICMPv6 Traffic Restrictions
For ICMP and ICMPv6 services, all Type Numbers and Code Fields from IANA are supported.
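The service options above (protocol by name or number, port operators, TCP flag matching and ICMP type/code) are combined in the added example below, which renders one access-control entry from a service document and rejects options that do not fit the protocol type. It is not Policy Manager's export template: the service dict layout, the IOS-style keywords the operators map to (gt, neq, match-all, match-any) and the +/- flag notation are assumptions made for this example, and the protocol number table is a small subset of IANA's.

```python
"""Constructed example of turning a service document into an ACL match clause.

The option names (Greater Than, Not In, All Of, Any Of, ICMP Type/Code) are
the ones the page lists; the Cisco IOS-style keywords they are mapped to
here (gt, neq, match-all, match-any) and the service dict layout are
assumptions made for this example, not Policy Manager's export template.
"""

PORT_OPERATORS = {"Greater Than": "gt", "Not In": "neq"}
FLAG_MATCH = {"All Of": "match-all", "Any Of": "match-any"}
# Small subset of IANA protocol numbers, enough for the example.
PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "icmpv6": 58}


def normalize_protocol(protocol):
    """Accept a protocol name or an IANA protocol number; return (name, number).

    name is None for a number without a known name in the table (e.g. 47).
    """
    if isinstance(protocol, int):
        if not 0 <= protocol <= 255:
            raise ValueError(f"protocol number {protocol} is outside 0-255")
        name = next((n for n, num in PROTOCOL_NUMBERS.items() if num == protocol), None)
        return name, protocol
    name = protocol.lower()
    if name not in PROTOCOL_NUMBERS:
        raise ValueError(f"unknown protocol name {protocol!r}")
    return name, PROTOCOL_NUMBERS[name]


def port_clause(option):
    """Render one port option ({"operator": ..., "ports": [...]}) or nothing."""
    if option is None:
        return ""
    keyword = PORT_OPERATORS[option["operator"]]  # KeyError for an unknown operator
    ports = option["ports"]
    if not ports or any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("ports must be one or more integers in 1-65535")
    return " " + keyword + " " + " ".join(str(p) for p in ports)


def render_ace(action, source, destination, service):
    """Render a single access-control entry from a service document."""
    name, number = normalize_protocol(service["protocol"])
    has_ports = service.get("src_port") or service.get("dst_port")
    if has_ports and name not in ("tcp", "udp"):
        raise ValueError("port options are only valid for TCP and UDP services")
    if service.get("tcp_flags") and name != "tcp":
        raise ValueError("TCP flags are only valid for TCP services")
    if service.get("icmp") and name not in ("icmp", "icmpv6"):
        raise ValueError("type/code restrictions are only valid for ICMP services")

    ace = (f"{action} {name or number} {source}{port_clause(service.get('src_port'))}"
           f" {destination}{port_clause(service.get('dst_port'))}")
    flags = service.get("tcp_flags")
    if flags:
        # {"syn": True, "ack": False} -> "+syn -ack" (assumed +/- notation)
        rendered = " ".join(("+" if wanted else "-") + f
                            for f, wanted in flags["flags"].items())
        ace += f" {FLAG_MATCH[flags['match']]} {rendered}"
    icmp = service.get("icmp")
    if icmp:
        for field in ("type", "code"):
            if field in icmp and not 0 <= icmp[field] <= 255:
                raise ValueError(f"ICMP {field} {icmp[field]} is outside 0-255")
        ace += f" {icmp['type']}"
        if "code" in icmp:
            ace += f" {icmp['code']}"
    return ace


if __name__ == "__main__":
    print(render_ace("permit", "any", "host 192.0.2.10", {
        "protocol": "tcp",
        "src_port": {"operator": "Greater Than", "ports": [1023]},
        "dst_port": {"operator": "Not In", "ports": [23, 25]},
        "tcp_flags": {"match": "All Of", "flags": {"syn": True, "ack": False}},
    }))
    print(render_ace("permit", "any", "any", {"protocol": 1, "icmp": {"type": 8, "code": 0}}))
```

The validation mirrors the dynamic rendering described above: port and flag options are only accepted for the protocol types they apply to, and ports outside 1-65535 or type/code values outside 0-255 are rejected before anything is rendered.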
Device Type Settings Page
The Device Type Settings page is used to correctly assign integration to specific device types for import and export. You can create a new device type settings document by entering a new device type name. The Integration field dropdown provides a list of available integrations which have preset import and export templates. The Expand Rules field is a boolean for whether to allow grouped networks and group services. When set to true, on export, a single rule with two networks will be expanded into two rules with one network each.
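The Expand Rules behaviour described here, together with the push limitation noted under Creating and Updating Rules (only the first source network, destination network and service are applied), is shown in the added example below. It is not Policy Manager's export code: the rule layout with lists of sources, destinations and services and the sample policy are constructed for the example, and the `dropped` report it returns is an addition so that networks left out of a push are visible rather than silently lost.

```python
"""Constructed example of the Expand Rules setting at export time.

The rule layout (lists of sources, destinations and services) is an
assumption for this example; the two behaviours shown, "only the first of
each is pushed" and "one rule per combination", are the ones the page
describes. This is not Policy Manager's own export code.
"""
import itertools


def export_rule(rule, expand_rules):
    """Return (rules_to_export, dropped) for one policy rule.

    expand_rules=False mirrors the single-network push: only the first
    source, destination and service are used, and everything else is
    reported in `dropped` so the gap is visible instead of silent.
    expand_rules=True emits one single-network rule per combination.
    """
    sources = rule.get("sources") or ["any"]
    destinations = rule.get("destinations") or ["any"]
    services = rule.get("services") or ["ip"]
    dropped = []
    if expand_rules:
        combos = list(itertools.product(sources, destinations, services))
    else:
        combos = [(sources[0], destinations[0], services[0])]
        for label, items in (("source", sources),
                             ("destination", destinations),
                             ("service", services)):
            dropped.extend(f"{label}:{item}" for item in items[1:])
    exported = []
    for i, (src, dst, svc) in enumerate(combos, start=1):
        exported.append({
            # Keep the original name when nothing was expanded.
            "name": rule["name"] if len(combos) == 1 else f"{rule['name']}-{i}",
            "action": rule["action"],
            "source": src,
            "destination": dst,
            "service": svc,
        })
    return exported, dropped


def export_policy(policy, expand_rules):
    """Expand every rule in a policy in order; return (rules, dropped)."""
    all_rules, all_dropped = [], []
    for rule in policy["rules"]:
        rules, dropped = export_rule(rule, expand_rules)
        all_rules.extend(rules)
        all_dropped.extend(f"{rule['name']} {d}" for d in dropped)
    return all_rules, all_dropped


# Constructed sample: one grouped rule that references two source networks
# and two services, followed by a plain deny rule.
SAMPLE_POLICY = {
    "name": "EXAMPLE_ACL",
    "rules": [
        {"name": "web-and-dns", "action": "permit",
         "sources": ["10.0.0.0/24", "10.0.1.0/24"],
         "destinations": ["192.0.2.10"],
         "services": ["tcp/443", "udp/53"]},
        {"name": "drop-all", "action": "deny"},
    ],
}

if __name__ == "__main__":
    for setting in (False, True):
        rules, dropped = export_policy(SAMPLE_POLICY, setting)
        print(f"expand_rules={setting}: {len(rules)} rules, dropped={dropped}")
```

With the sample policy, `expand_rules=False` exports two rules and reports the second source network and the second service as dropped; `expand_rules=True` exports five rules (four expanded from the grouped rule, in order, plus the deny) and drops nothing, which is the setting to use when a grouped rule must reach the device intact.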