When we normalize the configuration, contents that are in the remark, comment, or description field (the exact field changes between different devices and OS versions) are normalized as comments. The auto-doc process looks at what we picked up in comments, and then each regex is run against that text to look for matches to capture.
When we view the rule in FireMon, the comments should have ALL of the text descriptions for that rule, and the documentation fields like Owner and Justification are the pieces we were able to capture out of those comments using the regex.
Here is an example from a Juniper SRX config_xml file. It contains a policy 'from: trust to: untrust' with one rule named 'trust-to-untrust', and the description for that rule contains 'own:JKnapp':
    <policy>
        <from-zone-name>trust</from-zone-name>
        <to-zone-name>untrust</to-zone-name>
        <policy>
            <name>trust-to-untrust</name>
            <description>own:JKnapp</description>
            <match>
                <source-address>any</source-address>
                <destination-address>any</destination-address>
                <application>any</application>
            </match>
            <then>
                <permit>
                </permit>
                <log>
                    <session-close/>
                </log>
            </then>
        </policy>
    </policy>
When FireMon normalizes this, it looks like this in the GUI. Notice that here the rule is described as rule # | rule name:

    Rule
    1 | trust-to-untrust

and the comments show own:jknapp.
If we check, own:jknapp is matched by my regex for business owner, own:\s*(.[^;]*)\s*[;]*, and that match is reflected in the documentation for that rule.
So if the description and comments had been 'own:jknapp;jst:iwantto;ccn:12345', then these regexes would have matched:

    Owner                  own:\s*(.[^;]*)\s*[;]*
    Business Justification jst:\s*(.[^;]*)\s*[;]*
    Change Control Number  ccn:\s*(.[^;]*)\s*[;]*

and we would have documentation that reads:

    Owner: jknapp
    Business Justification: iwantto
    Change Control Number: 12345
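To see how the description field turns into documentation, here is a small added script (not FireMon code) that mimics the two steps above: it pulls each rule's description out of the SRX policy XML as the rule's comment, then runs the three regexes from this article over it. The field names, the sample XML and the description value are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# The three auto-doc regexes from the article, keyed by documentation field.
AUTODOC_PATTERNS = {
    "Owner": r"own:\s*(.[^;]*)\s*[;]*",
    "Business Justification": r"jst:\s*(.[^;]*)\s*[;]*",
    "Change Control Number": r"ccn:\s*(.[^;]*)\s*[;]*",
}

# Constructed sample: the SRX zone-pair policy from the article, with the
# description extended to carry all three tagged fields.
SAMPLE_POLICY_XML = """
<policy>
  <from-zone-name>trust</from-zone-name>
  <to-zone-name>untrust</to-zone-name>
  <policy>
    <name>trust-to-untrust</name>
    <description>own:jknapp;jst:iwantto;ccn:12345</description>
    <match>
      <source-address>any</source-address>
      <destination-address>any</destination-address>
      <application>any</application>
    </match>
    <then><permit/><log><session-close/></log></then>
  </policy>
</policy>
"""

def extract_rule_comments(policy_xml):
    """Return {rule_name: comment} for every rule in the zone-pair policy.
    This mirrors normalization: the description becomes the rule comment."""
    root = ET.fromstring(policy_xml.strip())
    return {rule.findtext("name", default=""): (rule.findtext("description") or "").strip()
            for rule in root.findall("policy")}

def autodoc_fields(comment):
    """Run each regex over the comment; a field is set only when its pattern matches.
    Group 1 is '.[^;]*', so it keeps any trailing blanks before ';' - hence strip()."""
    fields = {}
    for field, pattern in AUTODOC_PATTERNS.items():
        m = re.search(pattern, comment)
        if m:
            fields[field] = m.group(1).strip()
    return fields

def autodoc_from_policy(policy_xml):
    """Normalize the policy, then document every rule found in it."""
    return {name: autodoc_fields(comment)
            for name, comment in extract_rule_comments(policy_xml).items()}

if __name__ == "__main__":
    for rule, doc in autodoc_from_policy(SAMPLE_POLICY_XML).items():
        print(rule, doc)
```

A rule whose comment carries none of the tags gets an empty documentation set, which is the case to check when a regex edit does not seem to take effect.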
Note: If the rule already exists on the device in FireMon and you update the regex, you MUST make a change to that rule (any change) and then retrieve a new configuration for the device in order for auto-doc to look at it again.
Even if another change is made on the device, it won't update. Auto-doc only runs on the first instance we normalize a rule, or when we normalize a changed rule.
** Additional information on rule documentation can be found in the 'About Documentation' section of the FireMon Admin Guide, available on the User Center.