Configuring a Compliance Rule

This topic explains how to create a compliance rule. For an overview of the Compliance module, see Understanding the vGW Series Compliance Module.

To create a compliance rule, from the Compliance module Rules tab:

  1. Click Add. The Add Rule dialog box appears.
  2. Define the rule. Table 13 describes the available options.

    Table 13: Compliance Rule Creation Parameters

    | Option | Action |
    |---|---|
    | Compliance Scope | Select All Machines or Selected Group, and then choose a group from the list. |
    | Name | Enter a name for the rule. Rule names can contain characters and numbers and should be descriptive, yet simple. You can describe the rule in more detail in the Comment field, if needed. |
    | Weight | Enter a weight to be used when calculating the compliance level. |
    | Generate Alert when compliance state changes | Direct the vGW Series to post a warning when the compliance level changes. |
    | Compliance Groupings | Click Edit, move one or more labels to the Selected Labels list, and then click Apply. |
    | Create Groups | Create groups comprised of members who meet or violate the designated match criteria (defined in the Matches field). You are not required to create groups, but if you do select one of the two options, you will by default create a non-policy Smart Group. This group can be changed to a Policy group through Settings -> Security Settings -> Groups. The benefit of automatically creating a compliance-based group is that you can easily find VMs in the VM Tree using this criterion and use the group throughout the vGW Series. |
    | Matches | Select All if the VM must meet all criteria defined in the field below, or Any if the VM can meet any of the criteria defined in the field below. Then choose an attribute, choose an operator, and enter a value (for example, vi.datacenter Equals HQ). Click + to add another criterion to the rule. Click - to remove a criterion from the rule. |
    | Advanced | Enter a selection query rather than defining criteria in the Matches field. For information about query syntax, see Understanding vGW Series Smart Groups. |

  3. Click Test.

    The vGW checks your criteria and posts a message in the Edit Rule dialog box indicating which VMs are included in the group (if any), given the criteria you specified.

  4. Click Save.

    Note: In addition to the items described in Table 10, you also have the option to disconnect VMs from the network on a compliance check. By default, this option is hidden because, if it is used incorrectly, it can cause serious unintended network downtime. For example, if you incorrectly created a compliance rule with this action, you could knock all VMs offline, including vCenter. To enable this compliance action, execute the following from within the web interface of the vGW Security Design VM. Once executed, you will see a selection box called “Disconnect from the network when non compliant”.

    http:///compDisconnect?disconnect=true (or false)
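
The warning in the note above can be checked before the disconnect option is enabled. The following added example is not part of the vGW Series product or its documentation; it evaluates All/Any match criteria against a constructed VM inventory and flags a rule that would disconnect a protected VM such as vCenter. The inventory, the VM names, the Not Equals operator, and the reading that a VM failing the criteria counts as non-compliant are assumptions.

```python
# Added example (not vGW code): dry-run a rule's Matches criteria offline.
# Assumption: a VM that fails the criteria is non-compliant and would be disconnected.
OPERATORS = {
    "Equals": lambda actual, expected: actual == expected,
    # Assumed operator; a VM lacking the attribute counts as "not equal".
    "Not Equals": lambda actual, expected: actual != expected,
}

def vm_matches(vm, criteria, mode):
    """Matches field: 'All' requires every criterion, 'Any' requires at least one."""
    results = [OPERATORS[op](vm["attrs"].get(attr), value)
               for attr, op, value in criteria]
    return all(results) if mode == "All" else any(results)

def dry_run(inventory, criteria, mode, protected):
    """Report which VMs the disconnect action would hit and whether that is safe."""
    if mode not in ("All", "Any"):
        raise ValueError(f"unknown match mode: {mode!r}")
    if not criteria:
        # An empty rule is ambiguous: all([]) is True, any([]) is False.
        raise ValueError("rule has no criteria")
    non_compliant = [vm["name"] for vm in inventory
                     if not vm_matches(vm, criteria, mode)]
    reasons = []
    hit = sorted(set(non_compliant) & set(protected))
    if hit:
        reasons.append("protected VMs would be disconnected: " + ", ".join(hit))
    if inventory and len(non_compliant) == len(inventory):
        reasons.append("every VM in scope would be disconnected")
    return {"non_compliant": non_compliant, "safe": not reasons, "reasons": reasons}

# Constructed inventory; only the vi.datacenter attribute and HQ value are from the page.
INVENTORY = [
    {"name": "vcenter01", "attrs": {"vi.datacenter": "DR"}},
    {"name": "web01", "attrs": {"vi.datacenter": "HQ"}},
    {"name": "db01", "attrs": {"vi.datacenter": "HQ"}},
    {"name": "test07", "attrs": {}},  # attribute missing entirely
]
PROTECTED = {"vcenter01"}  # VMs that must never lose network access

if __name__ == "__main__":
    rule = [("vi.datacenter", "Equals", "HQ")]
    report = dry_run(INVENTORY, rule, "All", PROTECTED)
    print(report["non_compliant"])
    for reason in report["reasons"]:
        print("UNSAFE:", reason)
```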

You can select a predefined rule to use. To facilitate your search for a rule, you can specify a filter.

Figure 78: Adding a Predefined Compliance Rule
