Policy Groups Definition

6 min

policy groups consist of multiple policies if black and white keys are defined in the same policy group, then black keys have higher priority, i e , the system restricts the black key commands first, then allows white key commands if there are specific commands defined as white keys, the system will allow these commands and restrict all other commands navigate to policy > policy group navigate to the policy group field then click on the add button fill in the mandatory fields (name, operation mode, select policy key(s), action) under policy group properties and set the action field as generate error click save operation mode definition operation policy groups are available when devices are in operation mode maintenance policy groups are available when devices are in maintenance mode maintenance mode is set on devices check the device inventory – devices right click the menu section for more information kron pam can send information about executed black key commands to a simple network management protocol (snmp) server the following parameters should be defined in the system configuration manager parameter name parameter value snmp target ip target ip to send the snmp trap to if not defined, localhost is used as the default target ip to send the traps snmp target port target port of the target ip to send the snmp trap to if not defined, 162 is used as the default port snmp community string the preferred community string should be defined if not defined, public ” is used as the default value policy group definition when clicking on the policy key actions, general actions and black key action fields are shown send notifications on policy key execution when the command is run in ssh proxy, an e mail is sent to the user group to inform them if sc policy notification sendapproval useonlydevicerealmmanagers value is false in system configuration manager (default value is false), notification is sent to all managers in the user groups in the session user if it is set as true for this property, a notification e mail is sent to the group managers on the device realms to which the session user is connected time restriction policy definition time based restrictions are used to regulate the cli connections to network elements via kron pam in a timely manner time and command based restrictions can be used together to best fit your security needs the example below reflects a scenario that a service provider may experience often time interval authorization explanation weekdays 06 00 22 00 only monitoring commands configuration commands are restricted due to potential effects on service weekdays 22 00 02 00 all configuration commands but the service affecting commands may be run operators may run all configuration commands but commands such as “reboot”, “restart”, or “bgp shutdown” weekdays 02 00 06 00 all commands no restrictions on running commands weekend only monitoring commands configuration commands are restricted due to potential effects on service there must be four time based policies and three command based policies covering all the alternatives from the table above time based policies tbp 1 06 00 – 22 00, mon, tue, wed, thu, fri tbp 2 22 00 – 02 00, mon, tue, wed, thu, fri tbp 3 02 00 – 06 00, mon, tue, wed, thu, fri tbp 4 sat, sun command based policies whitelist 1 sh blacklist 1 rebo , resta , bgp /s shut whitelist 2 the regular expression, “ ” covers all of the command subsets by using command and time based policies together the scenario above would look like this weekdays 06 00 – 22 00 tbp 1 & whitelist 1 weekdays 22 00 – 02 00 tbp 2 & blacklist 1 weekdays 02 00 – 06 00 tbp 3 & whitelist 2 weekend tbp 4 & whitelist 1 permit zone policy definition for direct connection to devices that support tacacs and radius, the “direct access” feature is expected to be enabled on the user group however, for some cases, users are not allowded to connect from all locations in this case, “permit zone” can be defined to be valid for certain users or all users within the permit zone, direct access to devices can be provided even if “direct access” is not defined in the user group navigate to policy > permit zone click on the add button enter the ip description username and click save