Reference Guide
Policy Management
Policy Groups Definition
Policy groups consist of multiple policies. If black and white keys are defined in the same policy group, black keys have higher priority: the system restricts the black key commands first and then allows the white key commands. If specific commands are defined as white keys, the system allows only those commands and restricts all other commands.

To create a policy group:

- Navigate to Policy Control > Session Policy.
- Open the Policy Group tab.
- Fill in the mandatory fields (Policy Name, Operation Mode, Select Policy Key(s), Action) under Policy Group Properties, set the Action field to Generate Error and click Save.

Operation Mode Definition

- Operation: policy groups are available when devices are in operation mode.
- Maintenance: policy groups are available when devices are in maintenance mode. Maintenance mode is set on devices; see the Device Inventory – Devices right-click menu section for more information.

Single Connect can send information about executed black key commands to a Simple Network Management Protocol (SNMP) server.

SNMP Trap: if the checkbox is selected, an SNMP trap is sent to the desired target when a user tries to execute a black key command. The target the SNMP trap is sent to is configured as a property in the System Config Manager. The following parameters should be defined in the System Config Manager:

| Parameter Name | Parameter Value |
| --- | --- |
| SNMP Target IP | Target IP to send the SNMP trap to. If not defined, localhost is used as the default target IP. |
| SNMP Target Port | Target port of the target IP to send the SNMP trap to. If not defined, 162 is used as the default port. |
| SNMP Community String | The preferred community string should be defined. If not defined, "public" is used as the default value. |

Send Email: when the command is run in SSH Proxy, an e-mail is sent to the user group to inform them. If the value of sc.policy.notification.sendapproval.useonlydevicerealmmanagers in the System Config Manager is false (the default), the notification is sent to all managers of the user groups the session user is in. If the property is set to true, the notification e-mail is sent to the group managers of the device realms to which the session user is connected.

Time Restriction Policy Definition

Time-based restrictions regulate CLI connections to network elements via Single Connect according to the time of day. Time-based and command-based restrictions can be used together to best fit your security needs. The example below reflects a scenario that a service provider may experience often.

| Time Interval | Authorization | Explanation |
| --- | --- | --- |
| Weekdays 06:00 – 22:00 | Only monitoring commands | Configuration commands are restricted due to potential effects on service. |
| Weekdays 22:00 – 02:00 | All configuration commands except the service-affecting commands may be run | Operators may run all configuration commands except commands such as "reboot", "restart" or "bgp shutdown". |
| Weekdays 02:00 – 06:00 | All commands | No restrictions on running commands. |
| Weekend | Only monitoring commands | Configuration commands are restricted due to potential effects on service. |

There must be four time-based policies and three command-based policies covering all the alternatives in the table above.

Time-based policies:

- TBP 1: 06:00 – 22:00, Mon, Tue, Wed, Thu, Fri
- TBP 2: 22:00 – 02:00, Mon, Tue, Wed, Thu, Fri
- TBP 3: 02:00 – 06:00, Mon, Tue, Wed, Thu, Fri
- TBP 4: Sat, Sun

Command-based policies:

- Whitelist 1: sh
- Blacklist 1: rebo.*, resta.*, bgp\s*shut
- Whitelist 2: the regular expression .* covers all of the command subsets.

Using command-based and time-based policies together, the scenario above looks like this:

| Time Interval | Policies Applied |
| --- | --- |
| Weekdays 06:00 – 22:00 | TBP 1 & Whitelist 1 |
| Weekdays 22:00 – 02:00 | TBP 2 & Blacklist 1 |
| Weekdays 02:00 – 06:00 | TBP 3 & Whitelist 2 |
| Weekend | TBP 4 & Whitelist 1 |

Permit Zone Policy Definition

The defined IP addresses can connect to devices directly; undefined IPs cannot connect to devices directly. Navigate to Policy Control > Session Policy, open the Permit Zone tab, enter the IP and username and click Save.
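The time restriction scenario above (TBP 1 to TBP 4 combined with Whitelist 1, Blacklist 1 and Whitelist 2) and the black-key-before-white-key precedence described under Policy Groups, worked through as an added Python example; this is not Single Connect's own code. The prefix-anchored regex matching, the window boundaries and the restrict-by-default outside any window are assumptions.

```python
import re
from datetime import datetime
# Constructed policy set mirroring the page's scenario: TBP 1-4 with Whitelist 1, Blacklist 1, Whitelist 2.
WEEKDAYS = {0, 1, 2, 3, 4}  # datetime.weekday(): Monday=0 .. Friday=4
WEEKEND = {5, 6}

# (name, start hour, end hour, days); TBP 2 wraps past midnight.
TIME_POLICIES = [
    ("TBP 1", 6, 22, WEEKDAYS),
    ("TBP 2", 22, 2, WEEKDAYS),
    ("TBP 3", 2, 6, WEEKDAYS),
    ("TBP 4", 0, 24, WEEKEND),
]

# Assumption: key patterns are matched at the start of the command line, like a CLI prefix.
WHITELIST_1 = [r"sh"]                                 # monitoring (show) commands
BLACKLIST_1 = [r"rebo.*", r"resta.*", r"bgp\s*shut"]  # service-affecting commands
WHITELIST_2 = [r".*"]                                 # every command

# Which keys are in force in each time window (the page's combination table).
POLICY_GROUPS = {
    "TBP 1": {"white": WHITELIST_1, "black": []},
    "TBP 2": {"white": [], "black": BLACKLIST_1},
    "TBP 3": {"white": WHITELIST_2, "black": []},
    "TBP 4": {"white": WHITELIST_1, "black": []},
}

def active_time_policy(ts):
    # The weekday is judged at the moment the command is typed.
    for name, start, end, days in TIME_POLICIES:
        h = ts.hour
        in_window = start <= h < end if start < end else (h >= start or h < end)
        if ts.weekday() in days and in_window:
            return name
    return None

def matches(patterns, command):
    return any(re.match(p, command) for p in patterns)

def evaluate(when, command):
    """Black keys are checked first, then white keys; a group with white keys
    allows only the listed commands. Returns (tbp name, decision)."""
    tbp = active_time_policy(datetime.fromisoformat(when))
    if tbp is None:
        return (None, "restrict")  # assumption: no matching window means restrict
    group = POLICY_GROUPS[tbp]
    if matches(group["black"], command):
        return (tbp, "restrict")
    if group["white"]:
        return (tbp, "allow" if matches(group["white"], command) else "restrict")
    return (tbp, "allow")
```

Under prefix matching the key sh also admits a command beginning with shutdown, so whitelist keys should be as specific as the monitoring command set allows.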