Enforce Policy Rule Description, Tag, and Audit Comment

Require that a description, tag or audit comment be entered when creating or editing a policy rule.
When creating or modifying rules, you can require a rule description, tag, and audit comment to ensure your policy rulebase is correctly organized and grouped, and to preserve important rule history for auditing purposes. By requiring a rule description, tag, and audit comment, you can simplify your policy rulebase review by ensuring that rules are appropriately grouped, and that the rule change history is tracked when creating or modifying a rule. For uniformity, you can set specific requirements for what the audit comment can include.
By default, enforcement of a description, tag, and audit comment is not enabled. You can specify whether a description, tag, audit comment, or any combination of these three is required to successfully add or modify a rule. The audit comment archive allows you to view the audit comments entered for a selected rule, review the configuration log history, and compare rule configuration versions.
The audit comment history includes all the comments entered for a selected policy rule, including the audit comments entered for the policy rules that existed before with the same name.
  1. Select Device > Setup > Management and edit the Policy Rulebase Settings.
  2. Configure the settings you want to enforce. In this example, tags and audit comments are required for all policies.
    Enforce audit comments for policy rules to capture the reason an administrator creates or modifies a rule. Requiring audit comments on policy rules helps maintain an accurate rule history for auditing purposes.
  3. Configure the Audit Comment Regular Expression to specify the audit comment format.
    When administrators create or modify a rule, you can require that the audit comments they enter adhere to a specific format that fits your business and auditing needs by specifying letter and number expressions. For example, you can use this setting to specify regular expressions that match your ticketing number formats:
    • [0-9]{<Number of digits>}—Requires the audit comment to contain a minimum number of digits that range from 0 to 9. For example, [0-9]{6} requires a minimum of six digits in a numerical expression with values from 0 to 9.
    • <Letter Expression>—Requires the audit comment to contain a letter expression. For example, Reason for Change- requires that the administrator begin the audit comment with this letter expression.
    • <Letter Expression>-[0-9]{<Number of digits>}—Requires the audit comment to contain a predetermined letter expression followed by a minimum number of digits that range from 0 to 9. For example, SB-[0-9]{6} requires the audit comment to begin with SB-, followed by a minimum of six digits in a numerical expression with values from 0 to 9; for example, SB-012345.
    • (<Letter Expression>|<Letter Expression>|<Letter Expression>)-[0-9]{<Number of digits>}—Requires the audit comment to contain a prefix using any one of the predetermined letter expressions, followed by a minimum number of digits that range from 0 to 9. For example, (SB|XY|PN)-[0-9]{6} requires the audit comment to begin with SB-, XY-, or PN-, followed by a minimum of six digits in a numerical expression with values from 0 to 9; for example, SB-012345, XY-654321, or PN-012543.
  4. Click OK to apply the new policy rulebase settings.
  5. Commit the changes.
    After you commit the policy rulebase settings changes, modify the existing policy rule based on the rulebase settings you decided to enforce.
  6. Verify that the firewall is enforcing the new policy rulebase settings.
    1. Select Policies and Add a new rule.
    2. Confirm that you must add a tag and enter an audit comment before you can click OK.
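The following is an added example (not part of this page or of PAN-OS itself) that checks candidate audit comments against the kinds of Audit Comment Regular Expression patterns described in step 3, so you can test a pattern before committing it. The sample comments and the pattern names are constructed for the example; the page does not state whether the firewall anchors the pattern to the start of the comment or searches for it anywhere in the comment, so that choice is exposed as an `anchored` parameter and is an assumption of this example.

```python
import re

# Patterns of the kinds listed in step 3. The dictionary keys are labels
# invented for this example; the patterns themselves are the ones the page
# gives as illustrations.
PATTERNS = {
    "digits":        r"[0-9]{6}",
    "letters":       r"Reason for Change-",
    "prefix-digits": r"SB-[0-9]{6}",
    "multi-prefix":  r"(SB|XY|PN)-[0-9]{6}",
}


def comment_matches(comment: str, pattern: str, anchored: bool = False) -> bool:
    """Return True when the audit comment satisfies the regular expression.

    anchored=False behaves like a substring search: the pattern may occur
    anywhere in the comment. anchored=True requires the comment to begin
    with the pattern, the stricter reading of "begin with" in the text.
    Which behaviour the firewall applies is not stated on the page, so the
    parameter makes the assumption explicit rather than hiding it.
    """
    regex = re.compile(pattern)
    if anchored:
        return regex.match(comment) is not None
    return regex.search(comment) is not None


def check_comments(comments, pattern: str, anchored: bool = False) -> dict:
    """Evaluate several candidate comments against one pattern.

    Returns a mapping of comment -> True/False so a rulebase owner can see
    at a glance which comments a proposed pattern would accept or reject.
    """
    return {c: comment_matches(c, pattern, anchored) for c in comments}


# Constructed sample comments an administrator might type into the
# Audit Comment field when adding or editing a rule.
SAMPLE_COMMENTS = [
    "SB-012345",                               # bare ticket reference
    "XY-654321 allow new VPN subnet",          # ticket followed by free text
    "ticket PN-012543",                        # free text before the ticket
    "PN-12",                                   # too few digits
    "Reason for Change- decommissioned host",  # letter-expression prefix
    "no ticket",                               # no ticket at all
]

if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        print(f"pattern {name}: {pat}")
        for comment, ok in check_comments(SAMPLE_COMMENTS, pat).items():
            print(f"  {'accept' if ok else 'REJECT'}  {comment!r}")
```

Run the script to see which sample comments each pattern accepts. The `multi-prefix` pattern accepts `"ticket PN-012543"` when searched but rejects it when anchored, which is the difference to verify on the firewall itself in step 6 before relying on a pattern to enforce a "begins with" convention.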