How to manage compliance using Network Automation

Guest post by Monalisa Sahoo, QA Engineer

Nowadays every organization has to perform some kind of compliance check, not just to follow best practices, internal security policies, and government regulations and guidelines, but also to demonstrate that its network devices remain compliant with the policies defined. Companies spend a lot of time, in man-hours or man-days, on compliance management and on generating reports for audit.

Figure 1 – HPE Network Automation policy functions 

HPE Network Automation (NA) is a solution that helps you automate compliance checks and generate compliance reports in a matter of minutes. NA also provides a way to mitigate compliance issues by running an auto-remediation script.

How is compliance managed?

NA manages devices like routers, switches, and firewalls over a network.  

When a device is discovered in NA, you can configure a syslog task, which schedules the automatic configuration of one or more devices to send syslog messages to NA. Whenever a configuration change is detected through those messages, NA runs a compliance check to see whether the device complies with the applied policies.

You create these policies yourself; each can have one or more rules that determine whether devices comply at the Configuration, Diagnostic, or Software level.

You can import pre-defined policies and export policies to a file.


Figure 2 – Steps in compliance management  

Configuration Policy Management  

NA runs a compliance check on a device's configuration whenever a configuration change is detected. If notification is configured, you are notified when a configuration change violates the applied policies.

Use Case 1:

Consider a device, e.g. a Cisco device with model number "Nexus5010" and config text "CiscoDevice".

  1. In the Create a Policy step, you can import a pre-defined policy or create a policy with a configuration rule and a rule condition such as config text "Must Contain" CiscoDevice. NA has various rule conditions, for example:
  • "Must Contain"
  • "Must not Contain"
  • "Contains only"
  2. Enable the auto-remediation script on NA and add a command script; for example, set the banner of the device to "Test" by giving the command set banner motd "Test" in the script.
  3. After enabling auto-remediation, you can enforce the created policy on the device and apply the same policy to multiple devices.
  4. Whenever a configuration change is detected on the device, NA runs a configuration compliance check, and if the changed configuration does not match the applied policy, an out-of-compliance event is generated automatically. When you click on the Policy Non-compliance event, you can view what is out of compliance in the configuration of that particular device.
  5. Once the device is detected under policy non-compliance, the auto-remediation script is triggered and mitigates the compliance issue by running the command script (as mentioned in step 2) on the device.

Diagnostic Policy Management

NA generates diagnostic text (e.g. hardware information) for a device by running a diagnostics task. You then create a diagnostic rule that checks whether the device's diagnostic text complies with that rule.

Use Case 2:

Every network resource such as a router, switch, or firewall has the information below:

  • Basic IP
  • Device information like Model, Hostname
  • Interfaces
  • Module Status

NA runs a diagnostic task on a device and generates diagnostic text containing all of the above information. You can create a policy with a diagnostic rule about valid IP addresses (e.g. checking for four bytes, x.x.x.x), so whenever an IP address is changed, NA runs the policy and checks whether the changed IP in the diagnostic text matches the rule. If not, it reports the device as Out of Compliance.
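The diagnostic rule described above, written out as an added example (not NA's own code or output): it scans constructed diagnostic text for the fields that should hold an IP address and flags any value that is not a dotted quad of four octets in the 0 to 255 range. The field names and the sample text are assumptions made for the example; only the "four bytes, x.x.x.x" check comes from the post.

```python
import re

# Constructed sample diagnostic text. It is NOT real NA output; the field
# names ("Basic IP", "Interface ...", "Module Status") are an assumption
# mirroring the information listed in the post.
DIAGNOSTIC_TEXT = """\
Hostname: core-sw-01
Model: Nexus5010
Basic IP: 10.1.20.5
Interface Ethernet1/1: 10.1.20.9
Interface Ethernet1/2: 10.1.300.7
Module Status: ok
"""

# Lines whose value the diagnostic rule treats as an IP address.
IP_FIELD = re.compile(r"^(Basic IP|Interface \S+):\s*(\S+)\s*$", re.MULTILINE)


def is_valid_ipv4(value):
    """True only for a dotted quad of four decimal octets in 0..255."""
    parts = value.split(".")
    if len(parts) != 4:
        return False
    return all(p.isdecimal() and 0 <= int(p) <= 255 for p in parts)


def check_ip_rule(diagnostic_text):
    """Evaluate the 'valid IP address' diagnostic rule.

    Returns a list of (field, value) pairs that violate the rule; an empty
    list means the device is in compliance with this rule.
    """
    return [
        (field, value)
        for field, value in IP_FIELD.findall(diagnostic_text)
        if not is_valid_ipv4(value)
    ]


def compliance_status(diagnostic_text):
    """Summarise the rule result the way a policy check would report it."""
    violations = check_ip_rule(diagnostic_text)
    if not violations:
        return "In Compliance"
    details = ", ".join(f"{f}={v}" for f, v in violations)
    return f"Out of Compliance ({details})"


if __name__ == "__main__":
    # The constructed text carries one bad octet (300), so the device is
    # reported Out of Compliance with the offending field named.
    print(compliance_status(DIAGNOSTIC_TEXT))
```

Because the check names the exact field and value that failed, the result can be pasted straight into the non-compliance event an operator reads, rather than just a pass/fail flag.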

Software Policy Management

In software policy compliance, NA checks whether the selected device(s) comply with the current software rule.

Use Case 3:

Each piece of software maintains some standard fields such as Software Version and Model No. So whenever there is a change in the software, let's assume you are upgrading it and the software version changes after the upgrade. As per the software policy, the device no longer meets the software standard and is considered Out of Compliance.

How NA mitigates compliance issues

You should enable an auto-remediation script on NA to resolve compliance issues: once a device is detected under policy non-compliance, NA runs the command script and takes the mitigation actions on the device that the script specifies.

The command script contains device-specific commands, so whenever you enable auto-remediation you have to consider the device's access mode and the driver support for that device. NA provides a variety of built-in device variables that can be used in the script parameters and in the script itself. NA also ships with various built-in command scripts, e.g.:


1. Set Banner

// Script to set the login banner

banner motd ^$Banner_Text$^

2. Set Location

// Script to set the SNMP location

set system location $Location$

Example: in Use Case 1, once the device is detected under the Policy Non-compliance category, NA runs the script from step 2 as the mitigation step and changes the banner of the device to "Test".
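To show how the pieces of Use Case 1 and Use Case 3 fit together (configuration and software rules, the non-compliance event, and a remediation script with $Name$ device variables), here is an added example simulating that flow. It is not NA's code: the rule semantics, the variable name Banner_Text, the approved version string and the device data are all assumptions constructed for the example, and "Contains only" is treated as an exact match of the whole text, which may differ from NA's own definition.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    kind: str        # "Configuration" or "Software" (the post's rule types)
    condition: str   # "Must Contain", "Must not Contain" or "Contains only"
    text: str        # the text the condition is evaluated against


@dataclass
class Policy:
    name: str
    rules: list
    remediation_script: str = ""   # command script run when non-compliant


@dataclass
class Device:
    hostname: str
    software_version: str
    config: str
    # Device variables substituted into the script as $Name$; the names used
    # here are assumptions, not NA's actual built-in variable names.
    variables: dict = field(default_factory=dict)


def rule_violated(rule, device):
    """Return True when the device breaks this rule."""
    subject = device.config if rule.kind == "Configuration" else device.software_version
    if rule.condition == "Must Contain":
        return rule.text not in subject
    if rule.condition == "Must not Contain":
        return rule.text in subject
    if rule.condition == "Contains only":
        # Assumed semantics: the subject may contain nothing but the rule text.
        return subject.strip() != rule.text.strip()
    raise ValueError(f"unknown rule condition: {rule.condition!r}")


def check_compliance(policy, device):
    """List of violated rules; an empty list means In Compliance."""
    return [r for r in policy.rules if rule_violated(r, device)]


VARIABLE = re.compile(r"\$(\w+)\$")


def render_script(script, variables):
    """Substitute $Name$ device variables. An undefined variable is an error
    rather than silently pushing the literal '$Name$' to the device."""
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"device variable {name} is not defined")
        return variables[name]
    return VARIABLE.sub(substitute, script)


def on_config_change(policy, device):
    """Simulate the reaction to a detected configuration change.

    Returns (event, commands): the compliance event text and the rendered
    remediation commands that would be pushed to the device (none when the
    device is in compliance).
    """
    violations = check_compliance(policy, device)
    if not violations:
        return "In Compliance", []
    detail = "; ".join(f"{r.kind} rule '{r.condition} {r.text}'" for r in violations)
    event = f"Policy Non-compliance on {device.hostname} ({policy.name}): {detail}"
    commands = []
    if policy.remediation_script:
        commands = render_script(policy.remediation_script, device.variables).splitlines()
    return event, commands


# Constructed sample data for Use Cases 1 and 3 (not real device data).
BANNER_POLICY = Policy(
    name="Cisco banner policy",
    rules=[
        Rule("Configuration", "Must Contain", "CiscoDevice"),
        Rule("Software", "Must Contain", "7.0"),   # constructed approved version
    ],
    remediation_script="banner motd ^$Banner_Text$^",
)
DEVICE_BEFORE = Device(
    hostname="nexus-01", software_version="7.0",
    config="hostname nexus-01\n! CiscoDevice\nbanner motd ^Welcome^\n",
    variables={"Banner_Text": "Test"},
)
# The same device after a change that dropped the required text.
DEVICE_AFTER = Device(
    hostname="nexus-01", software_version="7.0",
    config="hostname nexus-01\nbanner motd ^Welcome^\n",
    variables={"Banner_Text": "Test"},
)

if __name__ == "__main__":
    print(on_config_change(BANNER_POLICY, DEVICE_BEFORE))
    print(on_config_change(BANNER_POLICY, DEVICE_AFTER))
```

The one design point worth copying into a real remediation setup is in render_script: a script with an unresolved variable fails before anything reaches the device, which is the safer outcome when the alternative is pushing a half-formed command over a privileged session.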

What is Compliance Center?

The Compliance Center is NA's portal that gives detailed reporting of the current compliance status with respect to government regulations and IT standards. It is especially helpful when you operate in a policy-compliant environment such as the PCI Data Security Standard, which defines security standards for organizations that handle credit cards.

NA supports various policy-compliant environments, e.g.:

  1. COBIT (Control Objectives for Information and related Technology)
  2. HIPAA (Health Insurance Portability & Accountability Act)
  3. ITIL (IT Infrastructure Library)
  4. PCI Data Security Standard

Compliance is a necessary task. Ignoring it will, at best, get you bad marks on an internal audit; at worst, it could cost major penalties if you are a regulated entity.

About the Author: Monalisa Sahoo, QA Engineer

Monalisa has been with HP Software for more than 2.5 years. She is currently working with the Network Automation team and is mainly responsible for QA deliverables for Network Automation patch releases.

She has over 7 years of experience in software testing in various domains, with good exposure to automation, malware, and system performance testing.





Michael Procopio
  • infrastructure management

About the Author: HPE Software Product Marketing. Over 20 years in network and systems management.


Informative. Very Crisp.


How to check policy compliance for a specific firmware version on devices and, if compliance is violated, deploy the firmware image of that specific version?