Policy compliance


V6 Pro, V6 MSP

Overview

The Policy Compliance page shows the compliance for the Policy Assignments you have configured and already run against devices.

Main View

The Policy Compliance main view gives us high-level statistics about the compliance for the Policy Assignments you have configured. Each item in the main view is the compliance entry for one of those Policy Assignments. We can expand each item to see the compliance results for the assignment.

[Screenshot: Policy Compliance main view - expanded view]

We can click the 'View Details' button to see the detailed compliance results for the assignment, and we can edit the assignment by clicking the 'Edit Assignment' button. When viewing the detailed results, we can see compliance results for each device in the assignment. We can expand the results for each device by clicking the expand icon in the main view, and click the 'Show Result Output' button to view the JSON results from the last time the compliance assessment was run against the device.

[Screenshot: Policy Compliance details - expanded view]

The detailed result output is essentially a copy of the actual JSON Policy Definition file with an extra key/value pair added to each rule: the "result" key/value pair. Its value is either true, false or "NOT EVALUATED - CONFIG NOT FOUND".

Successful Policy Output

{
  "displayName": "SNMPCheck",
  "description": "SNMPCheck desc",
  "policyType": "BuiltIn",
  "metadata": {
    "version": "1.0.0",
    "category": "rConfigDefault"
  },
  "policyRules": [
    {
      "ruleName": "must_match_single_string SNMP Policy",
      "description": "Description: must_match_single_string SNMP Policy",
      "ruleType": "BuiltIn",
      "parameters": {
        "effect": "Audit"
      },
      "conditions": {
        "policyMethod": "must_match_single_string",
        "policyString": "snmp-server host 1.1.1.1 TESTCOMMUNITY10"
      },
      "result": true
    }
  ]
}

Take note of the "result" value. In this case it is true, meaning the config for this device had the correct value for the policy.

Missing Config Policy Output

{
  "displayName": "Routers Baseline Policy Definition",
  "description": "A Baseline Policy Definition for Routers Category",
  "policyType": "BuiltIn",
  "metadata": {
    "version": "1.0.0",
    "category": "rConfigDefault"
  },
  "policyRules": [
    {
      "ruleName": "must_match_single_string SNMP Policy",
      "description": "Description: must_match_single_string SNMP Policy",
      "ruleType": "BuiltIn",
      "parameters": {
        "effect": "Audit"
      },
      "conditions": {
        "policyMethod": "must_match_single_string",
        "policyString": "snmp-server host 1.1.1.1 TESTCOMMUNITY10"
      },
      "result": "NOT EVALUATED - CONFIG NOT FOUND"
    }
  ]
}

The "result" value this time says that the config for this device was not found, so the rule was not evaluated. Double check that the config has been downloaded for the device, for the command that was configured in the Policy Assignment.

Failed Policy Output

{
  "displayName": "SNMPCheck",
  "description": "SNMPCheck desc",
  "policyType": "BuiltIn",
  "metadata": {
    "version": "1.0.0",
    "category": "rConfigDefault"
  },
  "policyRules": [
    {
      "ruleName": "must_match_single_string SNMP Policy",
      "description": "Description: must_match_single_string SNMP Policy",
      "ruleType": "BuiltIn",
      "parameters": {
        "effect": "Audit"
      },
      "conditions": {
        "policyMethod": "must_match_single_string",
        "policyString": "snmp-server host 1.1.1.1 TESTCOMMUNITY1XXX"
      },
      "result": false
    }
  ]
}

The 'Result' is false this time, meaning the config for this device had the incorrect value for the policy.
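The following is an added example, not part of rConfig: a short Python triage of a saved result output that keeps "NOT EVALUATED - CONFIG NOT FOUND" separate from a pass, so a device with a missing config is never counted as compliant. The function names, the verdict labels and the two-rule sample are assumptions constructed for illustration; the field names and values are the ones shown in the outputs above.

```python
import json

NOT_EVALUATED = "NOT EVALUATED - CONFIG NOT FOUND"

def classify(result):
    """Map one rule's "result" value to a status, failing closed on surprises."""
    if result is True or result == "true":      # JSON boolean or quoted form
        return "compliant"
    if result is False or result == "false":
        return "non_compliant"
    if result == NOT_EVALUATED:                 # no config to check: not a pass
        return "not_evaluated"
    return "unknown"                            # missing key or unexpected value

def triage(result_output):
    """Return (ruleName, policyString, status) for each rule in a result output."""
    doc = json.loads(result_output)
    return [
        (rule.get("ruleName"),
         rule.get("conditions", {}).get("policyString"),
         classify(rule.get("result")))
        for rule in doc.get("policyRules", [])
    ]

def device_verdict(result_output):
    """A device is compliant only if every rule was evaluated and returned true."""
    statuses = {status for _, _, status in triage(result_output)}
    if "non_compliant" in statuses:
        return "non_compliant"
    if statuses == {"compliant"}:
        return "compliant"
    return "needs_review"                       # not evaluated, unknown, or no rules

# Constructed sample: the page's rule fields, trimmed, with two rules in one output.
SAMPLE = json.dumps({
    "displayName": "SNMPCheck",
    "policyRules": [
        {"ruleName": "must_match_single_string SNMP Policy",
         "conditions": {"policyMethod": "must_match_single_string",
                        "policyString": "snmp-server host 1.1.1.1 TESTCOMMUNITY10"},
         "result": True},
        {"ruleName": "constructed second rule",
         "conditions": {"policyMethod": "must_match_single_string",
                        "policyString": "snmp-server host 1.1.1.1 TESTCOMMUNITY1XXX"},
         "result": NOT_EVALUATED},
    ],
})

if __name__ == "__main__":
    for name, policy_string, status in triage(SAMPLE):
        print(f"{status:14} {name}: {policy_string}")
    print("device verdict:", device_verdict(SAMPLE))
```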