Network Automation Practitioners Forum

HPNA Compliance - Logging on Deny ACLs

mbryant25
New Member.

Hello,

Apologies if I posted this to the wrong location.

I am brand new to HPNA and we are trying to figure out a way to check our router and switch ACLs for compliance. I'm trying to figure out a way to check every access-list to make sure every deny statement is also logging. Below is a sample ACL:

access-list 110 permit icmp any any
access-list 110 permit tcp host 5.5.5.5 host 7.7.7.7 eq 8080
access-list 110 permit tcp host 8.6.8.4 host 8.4.8.3 eq 5001
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 110 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 110 permit udp any host 12.12.2.2 range 1021 1023
access-list 110 permit udp any host 20.6.18.7 range 1021 1023
access-list 110 deny   tcp any host 17.16.9.2 eq 264
access-list 110 deny   ip any any log

Essentially, I’m looking for a way to check each line and if “deny” is found then it must also end with “log” or at least also have "log" in the same line. If there are any “deny” ACLs with a missing “log” then mark that device as out of compliance.

I imagine there is a very easy way to do this with regular expression, but I have not messed with regex very much and can't get it to work.

Thank you,
Michael

1 REPLY
Chris_Powers
Outstanding Contributor.

Re: HPNA Compliance - Logging on Deny ACLs

Hi Michael,

So, there are a few different ways you could do this; below is one you could try and then modify / change as you need, but I think it'll get you going....

So, from the Policy Rule screen for the policy you have created....

Give it a name

Specify the devices you want to look at (all or just a particular device family - for example Cisco IOS).  

For Define Text Block, check the box

Block Start Pattern

    ^access-list .* deny

Block End Pattern

    $

Rule Conditions

Select Config Block

put in log

Save / save

So, this will treat each line that contains ^access-list {whatever} deny $ as something it needs to compare.  

The ^ and $ basically will ensure the line starts with access-list and the $ is the end of the line.  

So, using your example:

access-list 110 permit icmp any any -> this isn't considered

however:

access-list 110 deny   tcp any host 17.16.9.2 eq 264 -> this is as it matches the block.  

So when it gets evaluated, it fails:

Test data does not comply with Configuration Policy test for acl, rule acl.

This rule has Medium importance.

No text matching the line(s):

log

was found in Config Block.

access-list 110 deny tcp any host 17.16.9.2 eq 264

Now, again, you could do this differently, to treat the ACL as a whole and then look within it for missing data, that might work better if you're doing auto-remediation, but this I think will get you started and pretty quick to do.  :-)

Not sure if they are still in the forums, but you might find some presentations on Policy Compliance and building policies / rules.  But you're in the right spot.  If you have any follow up questions, let us know.  

HTH,
Chris
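As an added example (not from the original thread and not HPNA's own code), here is the same "every deny must log" check as a standalone Python script: it flags each deny entry that lacks a log or log-input keyword, and it also covers named ACLs (ip access-list extended ...), whose indented deny entries the ^access-list .* deny block pattern above would not match. The named ACL BLOCK-OUT in the sample is constructed for illustration.

```python
import re

# Constructed sample: the numbered ACL from the question, plus a
# hypothetical named ACL to show the second syntax Cisco IOS uses.
SAMPLE_CONFIG = """\
access-list 110 permit icmp any any
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny   tcp any host 17.16.9.2 eq 264
access-list 110 deny   ip any any log
ip access-list extended BLOCK-OUT
 permit tcp any any eq 443
 deny   ip any any
"""

# Numbered ACL entry: same idea as the HPNA block start pattern.
NUMBERED_DENY = re.compile(r"^access-list\s+\S+\s+deny\b")
# Named ACL header, then its indented entries (optional sequence number).
NAMED_ACL_HEADER = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)")
NAMED_DENY = re.compile(r"^\s+(?:\d+\s+)?deny\b")
# Whole keyword only, so "log" buried inside another token does not count.
LOG_KEYWORD = re.compile(r"\blog(?:-input)?\b")


def find_unlogged_denies(config):
    """Return (acl_name, line) for every deny entry that has no log keyword."""
    findings = []
    current_acl = None
    for raw in config.splitlines():
        line = raw.rstrip()
        header = NAMED_ACL_HEADER.match(line)
        if header:
            current_acl = header.group(1)
            continue
        if NUMBERED_DENY.match(line):
            acl = line.split()[1]
        elif current_acl and NAMED_DENY.match(line):
            acl = current_acl
        else:
            if line and not line.startswith(" "):
                current_acl = None  # a non-indented line ends the named ACL stanza
            continue
        if not LOG_KEYWORD.search(line):
            findings.append((acl, line.strip()))
    return findings


def is_compliant(config):
    """Device passes only when no deny entry is missing logging."""
    return not find_unlogged_denies(config)


if __name__ == "__main__":
    for acl, line in find_unlogged_denies(SAMPLE_CONFIG):
        print(f"ACL {acl}: deny without log -> {line}")
    print("compliant" if is_compliant(SAMPLE_CONFIG) else "NOT compliant")
```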