SINGLE CONNECT
3.5 Policy Management
Defining a Device Realm

A device realm binds a device group to a user group: only the users in that group can reach the devices in that group through Single Connect.

1. Log in to the Single Connect web GUI.
2. Navigate to Device Management > Device Group.
3. Open the Device Realm tab.
4. Pick a device group name from the "Device Group" list on the right, and a user group name from the "User Group" list on the left.

A new device realm is now created by matching the selected device group with the selected user group.

Defining a Policy Key

1. Log in to the Single Connect web GUI.
2. Navigate to Policy Control > Session Policy.
3. Open the Policy Key tab.
4. Select the Type and the Element Type, and fill in the Key and Description fields.
5. Save.

Policy key types:

  Black Key             Restricted commands.
  White Key             Allowed commands.
  XML File              An XML file that contains context-aware policies.
  RADIUS Attribute      Allowed RADIUS attributes, e.g. cisco-avpair = shell:priv-lvl=1
  TACACS Attribute      Allowed TACACS attributes, e.g. priv-lvl=15
  User Behavior Rating  Commands to be detected as suspicious behavior and blocked.

Black/White Key Command Generator

The "Key" parameter of a black or white key holds the restricted or allowed commands in regular expression form. The "CommandPatternGenerator" button creates these expressions: enter the desired command in the "Commands" field, mark the auto-completion point with a single quote (') character, and click the button to create the regex statement.

Note: the auto-completion point is the position in a command string at which pressing Tab completes the remainder of the command. For "clear" the auto-completion point is "cl": pressing Tab after typing "cl" completes the command to "clear" on the CLI screen, so the command is entered as "cl'ear". The generated pattern accepts every abbreviation the CLI itself accepts (cl, cle, clea, clear). This matters for a key: a restriction written for the full spelling "clear" alone is bypassed by typing "cl".

Defining a Policy Group

1. Log in to the Single Connect web GUI.
2. Navigate to Policy Control > Session Policy.
3. Open the Policy tab.
4. Enter the policy name, description and operation mode.
5. Under "Select Policy Key(s)", select and add the policy key(s) defined earlier for this group.
6. Save.

Operation mode:

  Operation    The policy group applies while devices are in operation mode (i.e. not in maintenance mode).
  Maintenance  The policy group applies while devices are in maintenance mode. Maintenance mode is set per device (see Managing Devices, Maintenance Mode Settings).

Defining a Time Restriction Policy

Time-based restrictions regulate when CLI connections to network elements may be made through Single Connect. Time-based and command-based restrictions can be used together to match the security need. The example below reflects a scenario a service provider commonly faces:

  Time interval          Authorization                                          Explanation
  Weekdays 06:00-22:00   Only monitoring commands                               Configuration commands are restricted because they may affect service.
  Weekdays 22:00-02:00   All configuration commands except service-affecting    Operators may run all configuration commands except commands such as
                         commands                                               "reboot", "restart" and "bgp shutdown".
  Weekdays 02:00-06:00   All commands                                           No restriction on command execution.
  Weekend                Only monitoring commands                               Configuration commands are restricted because they may affect service.

Four time-based policies and three command-based policies cover all the cases in the table:

Time-based policies
  TBP 1   06:00-22:00, Mon, Tue, Wed, Thu, Fri
  TBP 2   22:00-02:00, Mon, Tue, Wed, Thu, Fri
  TBP 3   02:00-06:00, Mon, Tue, Wed, Thu, Fri
  TBP 4   Sat, Sun

Command-based policies
  Whitelist 1   sh.*
  Blacklist 1   rebo.*, resta.*, bgp\s.*shut.*
  Whitelist 2   .*

The regular expression ".*" matches every command, so Whitelist 2 allows the whole command set.

Using the command-based and time-based policies together, the scenario above maps as follows:

  Weekdays 06:00-22:00   TBP 1 & Whitelist 1
  Weekdays 22:00-02:00   TBP 2 & Blacklist 1
  Weekdays 02:00-06:00   TBP 3 & Whitelist 2
  Weekend                TBP 4 & Whitelist 1

Two points to check before using these patterns as they stand: a white key such as "sh.*" matches every command that begins with "sh", including "shutdown", not only "show"; and the 22:00-02:00 window crosses midnight, so Friday 22:00 to Saturday 02:00 overlaps TBP 4 while Sunday 22:00 to Monday 02:00 appears in no policy, because Sunday is not one of TBP 2's days. Verify which policy wins in the overlap and what applies in the gap.

Defining a Permit Zone Policy

A permit zone lists the source IP addresses that may connect to devices directly; connections from an IP address that is not defined in a permit zone cannot be made directly.

1. Log in to the Single Connect web GUI.
2. Navigate to Policy Control > Session Policy.
3. Open the "Permit Zone" tab.
4. Enter the IP address and the username.
5. Save.

Defining a Policy Realm

1. Log in to the Single Connect web GUI.
2. Navigate to Policy Control > Session Policy.
3. Go to the "Policy Realm" tab.
4. Enter the desired policy realm name, using the "PR_" prefix format.
5. Select "Policy Groups" from the right and "Device Realms" from the left.

A policy realm is created by matching policy groups with device realms: the policy groups apply to the users and devices bound together in the selected device realms.

Managerial Approval Reservation

For devices that require managerial approval before a connection, users can make a reservation for a future date so that the approval is obtained before the planned activity time.

To make a reservation:

1. Log in to the Single Connect web GUI.
2. Navigate to Policy Control > Reservation Management.
3. Start typing the host information and select the device that appears in the search results below the text box.
4. Click the + button.
5. Select the start time and the end time.
6. Save.

When these steps are completed, the reservation record appears in the search results area and the responsible manager receives the approval email. If the manager approves, the user can connect to the device(s) between the specified start and end times.
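The following worked example is added to this section and is not Single Connect's own code. It reimplements the two mechanisms described above so the scenario table can be checked offline: the command pattern generator (a command written as cl'ear becomes a pattern that accepts every abbreviation the CLI accepts, plus any arguments) and the combination of the four time-based and three command-based policies into one policy realm decision. The names (command_pattern, TimePolicy, CommandPolicy, decide), the attribution of the 22:00-02:00 window to its start day across midnight, most-restrictive-wins when two time-based policies are active at once, and deny-by-default when none is active are assumptions of this example, not documented product behaviour.

```python
"""Policy-key regex generation and time/command policy evaluation.

Added worked example; not Single Connect's own code. It mirrors the section's
description of the command pattern generator and of time-based plus
command-based policy keys. The midnight handling, most-restrictive-wins and
deny-by-default rules are this example's assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time


def command_pattern(spec: str) -> str:
    """Turn "cl'ear" into an anchored regex matching cl, cle, clea or clear,
    optionally followed by whitespace and arguments (assumed generator output)."""
    if spec.count("'") != 1:
        raise ValueError("mark exactly one auto-completion point with '")
    head, tail = spec.split("'")
    optional = ""
    for ch in reversed(tail):   # r -> (r)? ; a -> (a(r)?)? ; e -> (e(a(r)?)?)?
        optional = "(" + re.escape(ch) + optional + ")?"
    return "^" + re.escape(head) + optional + r"(\s.*)?$"


def matches(spec: str, command: str) -> bool:
    """True when `command` is accepted by the pattern generated for `spec`."""
    return re.fullmatch(command_pattern(spec), command) is not None


@dataclass(frozen=True)
class TimePolicy:
    name: str
    days: frozenset          # Monday=0 ... Sunday=6
    start: time
    end: time                # end <= start means the window crosses midnight

    def covers(self, when: datetime) -> bool:
        t, day = when.time(), when.weekday()
        if self.start < self.end:                      # same-day window
            return day in self.days and self.start <= t < self.end
        if t >= self.start:                            # evening part, on the start day
            return day in self.days
        if t < self.end:                               # after midnight: belongs to the previous day
            return (day - 1) % 7 in self.days
        return False


@dataclass(frozen=True)
class CommandPolicy:
    name: str
    mode: str                # "white": only matching commands allowed; "black": matching commands blocked
    patterns: tuple

    def permits(self, command: str) -> bool:
        hit = any(re.fullmatch(p, command) for p in self.patterns)
        return hit if self.mode == "white" else not hit


# Constructed policies taken from the scenario table in this section.
WEEKDAYS, WEEKEND = frozenset(range(5)), frozenset({5, 6})
TBP1 = TimePolicy("TBP1", WEEKDAYS, time(6), time(22))
TBP2 = TimePolicy("TBP2", WEEKDAYS, time(22), time(2))
TBP3 = TimePolicy("TBP3", WEEKDAYS, time(2), time(6))
TBP4 = TimePolicy("TBP4", WEEKEND, time(0), time(0))   # whole day
WHITELIST1 = CommandPolicy("whitelist1", "white", (r"sh.*",))
BLACKLIST1 = CommandPolicy("blacklist1", "black", (r"rebo.*", r"resta.*", r"bgp\s.*shut.*"))
WHITELIST2 = CommandPolicy("whitelist2", "white", (r".*",))

# Policy realm: (time-based policy, command-based policy) pairs from the mapping table.
REALM = [(TBP1, WHITELIST1), (TBP2, BLACKLIST1), (TBP3, WHITELIST2), (TBP4, WHITELIST1)]


def decide(command: str, when) -> tuple:
    """Return (allowed, reason). `when` is a datetime or an ISO 8601 string.
    Every time-based policy active at `when` must permit the command
    (most restrictive wins); no active time-based policy means deny."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    active = [(tp, cp) for tp, cp in REALM if tp.covers(when)]
    if not active:
        return False, "no time-based policy covers this moment"
    verdicts = [(cp.permits(command), f"{tp.name} & {cp.name}") for tp, cp in active]
    return all(v for v, _ in verdicts), "; ".join(r for _, r in verdicts)


if __name__ == "__main__":
    for cmd, when in [("show version", "2024-01-01T10:00"),      # Monday, monitoring hours
                      ("shutdown", "2024-01-01T10:00"),          # also matched by sh.*
                      ("configure terminal", "2024-01-01T23:00"),
                      ("reboot", "2024-01-01T23:00"),
                      ("show clock", "2024-01-01T01:00")]:       # Monday 01:00: no policy
        print(f"{when} {cmd!r}: {decide(cmd, when)}")
```

Running it shows two things worth checking in a real configuration: "sh.*" permits "shutdown" during monitoring hours, and under the table as written nothing is active on Monday between 00:00 and 02:00, so the outcome there depends on the product's default rather than on the policy realm.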