Integrations

Policy Import Templates

Policy Manager maintains an internal collection of traffic policies. Policies can be tedious to recreate by hand, so Policy Manager offers the ability to import existing configurations from devices using an integration. To support this, the integration must provide at least one policy import template. As with target import templates, the output format is determined solely by what the JavaScript mapper expects, since it will be passed unmodified into the mapper's import function for further transformation.

Below is an example policy import template:

# IOS ACL structure is quite complex.
#
# Extended IP ACL:
#   SN ACTION PROTOCOL SOURCE [SOURCE_PORT] DESTINATION [DESTINATION_PORT] [MODIFIER]
#
# Standard ACL:
#   SN ACTION SOURCE DESTINATION [MODIFIER]
#
#
Value Filldown ADDRESS_TYPE (IP)
Value Filldown LIST_TYPE (\S+)
Value Filldown NAME (\S+)
Value Required SN (\d+)
Value ACTION (\w+)
Value PROTOCOL (\w+)
#
# SOURCE : Pattern : (source-ip [wildcard] | host source-ip | any)
Value SOURCE ((any)|(\d+\.\d+\.\d+\.\d+(,?\s+(wildcard bits\s+)?\d+\.\d+\.\d+\.\d+)?)|(host\s+\d+\.\d+\.\d+\.\d+))
#
# Port operators:
# - gt, lt  : Take a single port as a parameter. Pattern: /(gt|lt)\s+[\w\d]+/
# - eq, neq : Take a list of ports as a parameter. Pattern: /(eq|neq)(\s+[\w\d]+)+/
# - range   : Takes two ports as parameters. Pattern: /range\s+[\w\d]+\s+[\w\d]+/
#
# Single Port Pattern : (?!host(?!name))[\w\d]+
# - Matches all IOS port names, including hostname, but excludes host, which can precede an IP address and should not be captured
# - Needed by eq and neq, which take a list of unknown length as a parameter
# - gt, lt, and range all require a fixed number of parameters, which removes the need for excluding host as a special case
#
Value SOURCE_PORT (((gt|lt)\s+[\w\d]+)|((eq|neq)(\s+(\d+|bgp|biff|bootpc|bootps|chargen|cmd|daytime|discard|dnsix|domain|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|isakmp|klogin|kshell|login|lpd|mobile-ip|msrpc|nameserver|netbios-dgm|netbios-ns|netbios-ss|nntp|non500-isakmp|ntp|onep-plain|onep-tls|pim-auto-rp|pop2|pop3|rip|ripv6|smtp|snmp|snmptrap|sunrpc|syslog|tacacs|talk|telnet|tftp|time|uucp|who|whois|www|xdmcp))+)|(range\s+[\w\d]+\s+[\w\d]+))
#
Value DESTINATION ((any)|(\d+\.\d+\.\d+\.\d+(,?\s+(wildcard bits\s+)?\d+\.\d+\.\d+\.\d+)?)|(host\s+\d+\.\d+\.\d+\.\d+))
Value DESTINATION_PORT (((gt|lt)\s+[\w\d]+)|((eq|neq)(\s+(\d+|bgp|biff|bootpc|bootps|chargen|cmd|daytime|discard|dnsix|domain|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|isakmp|klogin|kshell|login|lpd|mobile-ip|msrpc|nameserver|netbios-dgm|netbios-ns|netbios-ss|nntp|non500-isakmp|ntp|onep-plain|onep-tls|pim-auto-rp|pop2|pop3|rip|ripv6|smtp|snmp|snmptrap|sunrpc|syslog|tacacs|talk|telnet|tftp|time|uucp|who|whois|www|xdmcp))+)|(range\s+[\w\d]+\s+[\w\d]+))
#
Value MODIFIER (.*)

Start
  ^${LIST_TYPE}\s+${ADDRESS_TYPE}\s+access\s+list\s+${NAME}
  ^\s+${SN}\s+${ACTION}\s+${PROTOCOL}\s+${SOURCE}(\s+${SOURCE_PORT})?\s+${DESTINATION}(\s+${DESTINATION_PORT})?(\s+${MODIFIER})* -> Record
  ^\s+${SN}\s+${ACTION}\s+${SOURCE}(\s+${DESTINATION})?(\s+${MODIFIER})* -> Record

The template above parses the output of show ip access-list on a Cisco IOS device into several fields for the JavaScript mapper file to use when creating Policy Manager entities. Note the use of the MODIFIER field as a catch-all for any unmatched trailing fields: these options are separated out later in the JavaScript file and need no handling in the template, so long as the TextFSM engine captures them.
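To see what the mapper's import function actually receives from this template, here is an added example (not code from Policy Manager or from the page): the template above, with its long port-name list shortened to a few of the same keywords, run over a constructed show ip access-lists capture by a small stand-in that implements only the TextFSM features the template uses (${NAME} expansion into named groups, Filldown, Required and -> Record). The record layout and the MODIFIER catch-all behaviour are what a real TextFSM run produces for this input.

```python
import re
# Added example (not Policy Manager's code): the page's template with its port-name list shortened (assumption), run over a constructed capture.
TEMPLATE = r"""Value Filldown ADDRESS_TYPE (IP)
Value Filldown LIST_TYPE (\S+)
Value Filldown NAME (\S+)
Value Required SN (\d+)
Value ACTION (\w+)
Value PROTOCOL (\w+)
Value SOURCE ((any)|(\d+\.\d+\.\d+\.\d+(,?\s+(wildcard bits\s+)?\d+\.\d+\.\d+\.\d+)?)|(host\s+\d+\.\d+\.\d+\.\d+))
Value SOURCE_PORT (((gt|lt)\s+[\w\d]+)|((eq|neq)(\s+(\d+|domain|smtp|telnet|www))+)|(range\s+[\w\d]+\s+[\w\d]+))
Value DESTINATION ((any)|(\d+\.\d+\.\d+\.\d+(,?\s+(wildcard bits\s+)?\d+\.\d+\.\d+\.\d+)?)|(host\s+\d+\.\d+\.\d+\.\d+))
Value DESTINATION_PORT (((gt|lt)\s+[\w\d]+)|((eq|neq)(\s+(\d+|domain|smtp|telnet|www))+)|(range\s+[\w\d]+\s+[\w\d]+))
Value MODIFIER (.*)

Start
  ^${LIST_TYPE}\s+${ADDRESS_TYPE}\s+access\s+list\s+${NAME}
  ^\s+${SN}\s+${ACTION}\s+${PROTOCOL}\s+${SOURCE}(\s+${SOURCE_PORT})?\s+${DESTINATION}(\s+${DESTINATION_PORT})?(\s+${MODIFIER})* -> Record
  ^\s+${SN}\s+${ACTION}\s+${SOURCE}(\s+${DESTINATION})?(\s+${MODIFIER})* -> Record"""
SAMPLE = """Extended IP access list EDGE-IN
    10 permit tcp any host 10.0.0.5 eq www log (12 matches)
Standard IP access list 5
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
    20 deny any log"""

def parse_template(text):
    values, rules = {}, []                                  # {name: (options, regex)}, [(compiled rule, action)]
    for line in text.splitlines():
        if line.startswith("Value "):
            head, _, regex = line.partition(" (")           # the regex itself may contain spaces
            *opts, name = head.split()[1:]
            values[name] = (opts[0] if opts else "", "(" + regex)
        elif line.startswith("  ^"):                        # ${NAME} becomes the named group (?P<NAME>...)
            pattern, _, action = line.strip().partition(" -> ")
            rules.append((re.compile(re.sub(r"\$\{(\w+)\}", lambda m: f"(?P<{m[1]}>{values[m[1]][1]})", pattern)), action))
    return values, rules

def parse_acls(text, template=TEMPLATE):
    values, rules = parse_template(template)
    keep, need = ({n for n, (o, _) in values.items() if f in o} for f in ("Filldown", "Required"))
    records, cur = [], {}
    for line in text.splitlines():
        for rule, action in rules:                          # first matching rule wins for this line
            if m := rule.match(line):
                cur.update({k: v for k, v in m.groupdict().items() if v is not None})
                if action == "Record":                      # record dropped if a Required value is missing;
                    if need <= cur.keys():                  # either way, non-Filldown values are reset
                        records.append({n: cur.get(n, "") for n in values})
                    cur = {n: v for n, v in cur.items() if n in keep}
                break
    return records
```

Running parse_acls(SAMPLE) yields three records; the first carries MODIFIER "log (12 matches)", which is exactly the trailing text the JavaScript mapper has to split up itself.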