Reviewing Policy Evaluation
OpenNAC rules are applied like a firewall policy, top –> down: from the rule at the top of the policy set to the last rule. This task helps to verify how the configured policy set works for each asset connection, so openNAC users can verify the policy matches on each rule for a specific connection.
First of all, keep in mind how the current policy set is designed. Go to ON NAC –> Policies. In this case several rules are configured, each with its preconditions and postconditions; the first one is the CAFECAFECAFE rule.

Go to ON NAC –> Business Profiles –> Default View and select the option Show all. In the policy column an eye icon is available for each connection; click on it.

The received params are shown in this part; the authentication method was MAB in this case. In this view openNAC users can mainly check the tags inserted by openNAC on this asset. Policy evaluation begins from this information and the preconditions of all the rules in the policy set.

On the left side of this window there is a blue button which contains the policy evaluation flow.
Each rule is numbered from the top, and the first mismatched param is shown in red letters. The next rule in the policy set is then evaluated, until every specified precondition matches the asset. In this example the match is on the Discovery Videoconference rule, so this asset will be under this policy and the specified postconditions will apply.
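
The evaluation flow described above can be modelled in a few lines. This is an added example, not openNAC code: the precondition fields (`auth`, `mac`, `tags`), the postcondition values, the sample connection and the `Default MAB` rule are assumptions made for illustration; only the two rule names and the MAB method come from this page.

```python
# Illustrative model of first-match, top-down rule evaluation.
# Not openNAC code: field names, values and the "Default MAB" rule are assumptions.

def first_mismatch(preconditions, conn):
    """Return the first precondition the connection fails, or None if all match."""
    for param, expected in preconditions.items():
        actual = conn.get(param)
        if isinstance(expected, (set, frozenset)):
            # Tag-style precondition: every required tag must be on the asset.
            if not expected <= set(actual or ()):
                return param
        elif actual != expected:
            return param
    return None

def evaluate(policy_set, conn):
    """Walk rules from the top; stop at the first rule whose preconditions all match.

    Returns (matched_rule_or_None, trace). The trace holds one entry per rule
    tried: (position, rule name, first mismatched param or None).
    """
    trace = []
    for pos, rule in enumerate(policy_set, start=1):
        miss = first_mismatch(rule["pre"], conn)
        trace.append((pos, rule["name"], miss))
        if miss is None:
            return rule, trace
    return None, trace

# Constructed policy set, ordered top to bottom.
POLICY_SET = [
    {"name": "CAFECAFECAFE",
     "pre": {"auth": "MAB", "mac": "CA:FE:CA:FE:CA:FE"},
     "post": {"vlan": "vlan-a"}},
    {"name": "Discovery Videoconference",
     "pre": {"auth": "MAB", "tags": {"videoconference"}},
     "post": {"vlan": "vlan-b"}},
    {"name": "Default MAB", "pre": {"auth": "MAB"}, "post": {"vlan": "vlan-c"}},
]

# Constructed connection: MAB authentication plus tags attached to the asset.
CONNECTION = {"auth": "MAB", "mac": "00:11:22:33:44:55",
              "tags": ["videoconference", "discovered"]}

if __name__ == "__main__":
    rule, trace = evaluate(POLICY_SET, CONNECTION)
    for pos, name, miss in trace:
        print(pos, name, "MATCH" if miss is None else f"first mismatch: {miss}")
    print("postconditions applied:", rule["post"] if rule else None)
```

Because evaluation stops at the first full match, a broad rule placed above a more specific one captures the connection first; when reviewing the flow, check rule order as well as the preconditions.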

OpenNAC users can create a business profile and associate at least one rule with it. For this case a Videoconference business profile was created and the rule associated with it, so the evaluated connection will appear under this Business Profile.
