Find and remediate policy violations
You can use policy reports to find device configurations that do not comply with policies. To view information about policy violations, you must:
- Make sure the cached policy compliance information is up-to-date.
- View a policy report to display the cached information.
After you have viewed a report and remediated one or more violations, you can verify that the violations were successfully remediated.
NCM runs policy reports against the selected nodes to locate any policy violations, and then caches the results so that the data can be accessed quickly. You can update cached policy compliance information in any of the following ways:
- Enable the policy cache to automatically update information each day. (This option is enabled by default.)
- Manually update the policy cache.
- Schedule a policy report job to update cached information for that report and send emails about violations.
When the policy cache is enabled, NCM automatically runs policy reports at the specified time to check for policy violations. By default, the policy cache is updated daily at 11:55 PM.
- Click Settings > All Settings.
- Under Product Specific Settings, click NCM Settings.
- Under Advanced, click Advanced Settings.
- Under Cache Settings, select Enable Config and Policy Caches.
- Specify what time to generate the policy cache.
- Click Submit.
After you modify policy rules or download updated configuration files, you can manually update cached policy compliance information to reflect the changes.
The NCM role of WebUploader or higher is required to manually update cached policy compliance information.
- Click My Dashboards > Network Configuration > Compliance.
To manually update the cached information:
- To update all reports, click Update All.
- To update one or more reports, select the reports and click Update Selected.
You can configure a policy report job to send emails each time the job runs or only if it finds policy violations. When the job runs, it updates the cached policy compliance information so that the report provides a snapshot of current policy compliance.
- Click My Dashboards > Network Configuration > Jobs.
- Click Create New Job.
- Name the job, and select Generate a Policy Report from Job Type.
- Specify when the job runs:
  - To run the job once or on a simple schedule, select Basic. Click the tab that identifies how frequently the job runs, and then specify the start time and (if needed) the day(s).
  - To create a more complex schedule, select Advanced and then use the five fields to create a CRON expression.
- Add a comment if this job relates to a business rule, and click Next.
- On the Choose Nodes tab, click Next.
- Select an email notification option, and click Next. If you click Email Results, the default email notification and SMTP server settings are populated. These settings can be overridden in each job.
- Select the policy report to generate as part of the job.
- If you want to suppress notifications when no violations are found, select Send Notification Only When There Are Policy Violations.
- Click Next.
- Review the settings for the job, and click Finish.
When you view a report, it displays the latest cached policy compliance information. Use this information to investigate and remediate policy violations.
If compliance information for a report is not current, you can manually update the information.
- Click My Dashboards > Network Configuration > Config Summary.
If you are using the classic Config Summary dashboard, the Policy Violations widget lists the reports that found policy violations the last time each report ran.
If you are using the new Config Summary dashboard (available in NCM 2022.3 and later), the Policy Violations widget shows the number of policy reports that found violations with each status.
- Click any status to open the Policy Violations report, which lists all reports that found policy violations.
- Click a report name to open the Report Details page.
The upper left corner shows the Last Updated date and time.
Icons indicate which rules were violated on each node:
- A green check mark indicates that the rule was not violated.
- Any other icon indicates that the rule was violated. The type of icon indicates the severity of violating that rule.
- Click a violation icon.
The Violation Details dialog shows the rule that was violated and indicates if a remediation script is available.
If the violation occurred because the string was found, you can click the arrow to display the line number in the config file.
- (Optional) Click View Config to open the Config Details view in a different tab.
- (Optional) If a remediation script is available, you can run it to automatically remediate the issue. Click a Management option to run the script on this node or on all nodes that violate this policy rule.
When you discover a policy violation, complete the following steps to resolve the issue and verify that the remediation was successful.
- Update the configuration file to resolve the policy violation, either by editing the file or by running a remediation script.
- Download the updated configuration file.
- Update the cached policy compliance information for the report that detected the policy violation.
- View the report to verify that the policy violation is not found.
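The find, remediate, and verify cycle above, sketched as an added Python illustration (not NCM code and not its API). The rule names, patterns, node name, and config text are constructed for the example, and the dictionary stands in for the policy cache; it shows why the report still lists the violation until the cache is updated from the newly downloaded config.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str      # regex tested against each config line
    must_exist: bool  # True: violated if string is missing; False: violated if found
    severity: str

def check(config, rules):
    """Return (rule name, severity, matching 1-based line numbers) per violation."""
    found = []
    for rule in rules:
        rx = re.compile(rule.pattern)
        hits = [n for n, line in enumerate(config.splitlines(), 1) if rx.search(line)]
        if rule.must_exist != bool(hits):
            found.append((rule.name, rule.severity, hits))
    return found

# Constructed sample rules and device config (hypothetical, for illustration only)
NODE = "edge-rtr-01"
RULES = [
    Rule("No Telnet on VTY lines", r"^\s*transport input .*\btelnet\b", False, "Critical"),
    Rule("Password encryption enabled", r"^service password-encryption$", True, "Warning"),
]
RUNNING_CONFIG = """\
hostname edge-rtr-01
no service password-encryption
line vty 0 4
 transport input telnet ssh
"""

def remediate(config):
    # Stand-in for a remediation script: rewrite the two offending lines.
    fixed = config.replace("no service password-encryption", "service password-encryption")
    return fixed.replace("transport input telnet ssh", "transport input ssh")

def compliance_cycle():
    cache = {NODE: check(RUNNING_CONFIG, RULES)}  # cache update before the report is viewed
    before = cache[NODE]                          # what the report shows
    downloaded = remediate(RUNNING_CONFIG)        # fix the device, download the new config
    stale = cache[NODE]                           # report is unchanged until the cache is updated
    cache[NODE] = check(downloaded, RULES)        # update the cache for this report
    return before, stale, cache[NODE]
```
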