How to Enable Passive Domain Mode


Setting a Policy Manager domain to passive mode allows you to determine the effectiveness of a policy configuration prior to enforcing the complete domain configuration to your network. This is useful in new Policy Manager deployments, as it provides the ability to test a new policy configuration in a manner that does not disrupt traffic flow in any way, while providing information as to how policy rules are being used. This information can help you determine whether the policy rules you have defined are providing the desired network access.

  NOTE: In order to take advantage of Passive Mode reporting information, devices must support Syslog and Audit Trap actions. Currently, only K-Series, S-Series, and N-Series Platinum devices support this functionality. Enforcing the domain to other devices while in passive mode will result in no rules being written.

While in passive mode, all rule actions which prioritize, contain, or discard traffic (including Class of Service (CoS), Access Control, and Disable Port on Rule Hit as specified on the rule's General tab), are disabled. A syslog/audit action is specified that provides the capability to collect "rule hit" data. This data shows a traffic description match (rule hit) but does not show what the defined behavior would have been (rate limit/classify/permit/deny/contain) had the domain been enforced in active mode. You will need to configure external tools to make use of the syslog/audit trap data.

  NOTE: Passive Mode does not disable a role's default actions. Traffic not matching a rule is still dropped if that's the default action for a role.

Following are instructions for enabling passive mode and setting up the syslog/audit action.

  1. Select the Passive Domain Mode option from the Edit menu in the Policy Manager toolbar. A note indicating that the domain is in Passive Mode is added to Policy Manager as shown below, so that you always know when a domain is in passive mode.

  (Figure: the "Passive Mode" note displayed in Policy Manager)

  2. The note also allows you to specify the syslog/audit action that you want to use while the domain is in passive mode. Select the appropriate radio button:
    • Syslog only - a syslog message is generated when a rule is used.
    • Audit Trap only - an audit trap is generated when a rule is used.
    • Both - both a syslog message and an audit trap are generated when a rule is used.
    • Rule Specified - generate a syslog message, an audit trap, or both, as specified for each rule in the rule's General tab.
  3. Select File > Enforce Preview. The Enforce Preview window opens.
  4. Select "Show All" and then select the Matrix Platinum device folder.
  5. In the Enforce Preview window, you will see rules listed in the Excluded section, with "Passive Mode" appended to each rule name. These rules will not be enforced because their actions are not allowed in Passive Mode. Rules in the Included section will be enforced because their actions specify the syslog/audit actions that are allowed in Passive Mode.
  6. Click the Enforce button in the Enforce Preview window to enforce the domain (in passive mode) to your network.
  7. Review the syslog and/or audit trap data collected while in passive mode to verify that traffic is being handled appropriately by the policy rules. Make any changes as needed. When you are confident the domain configuration is working effectively for your network, deselect the Passive Domain Mode option and enforce the policy domain to your network.
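The page leaves the analysis of the collected rule-hit data to external tools. As an added example that is not part of the Policy Manager documentation, the script below tallies rule hits per role and rule from syslog text and lists defined rules that were never matched; the message layout, the role and rule names, and the sample lines are constructed assumptions, since the page does not give the real message format.

```python
import re
from collections import Counter

# Constructed sample syslog lines in a hypothetical rule-hit layout.
# The real Policy Manager message format is not shown on this page.
SAMPLE_SYSLOG = """\
<134>Mar 10 09:12:01 switch-1 policy: role="Guest" rule="Deny SMB" hit src=10.1.2.3
<134>Mar 10 09:12:03 switch-1 policy: role="Guest" rule="Deny SMB" hit src=10.1.2.9
<134>Mar 10 09:12:05 switch-2 policy: role="Employee" rule="Permit HTTP" hit src=10.2.0.7
<134>Mar 10 09:13:00 switch-1 policy: role="Guest" rule="Permit DNS" hit src=10.1.2.3
<134>Mar 10 09:13:10 switch-2 kernel: link up on port ge.1.5
"""

# Constructed list of the rules defined in the domain, keyed by role,
# so that rules which never produced a hit stand out in the report.
DEFINED_RULES = {
    "Guest": ["Deny SMB", "Permit DNS", "Deny Telnet"],
    "Employee": ["Permit HTTP", "Permit SSH"],
}

# Matches only the hypothetical rule-hit messages; other syslog lines are ignored.
RULE_HIT_RE = re.compile(r'policy: role="(?P<role>[^"]+)" rule="(?P<rule>[^"]+)" hit')


def count_rule_hits(syslog_text):
    """Return {(role, rule): hit_count} for every rule-hit message found."""
    hits = Counter()
    for line in syslog_text.splitlines():
        m = RULE_HIT_RE.search(line)
        if m:
            hits[(m.group("role"), m.group("rule"))] += 1
    return dict(hits)


def unhit_rules(hits, defined_rules):
    """Return sorted (role, rule) pairs that are defined but never matched traffic."""
    return sorted(
        (role, rule)
        for role, rules in defined_rules.items()
        for rule in rules
        if (role, rule) not in hits
    )


if __name__ == "__main__":
    hits = count_rule_hits(SAMPLE_SYSLOG)
    for (role, rule), n in sorted(hits.items()):
        print(f"{role:10} {rule:15} {n} hits")
    for role, rule in unhit_rules(hits, DEFINED_RULES):
        print(f"{role:10} {rule:15} 0 hits (never matched; review whether the rule is needed)")
```

Traffic dropped by a role's default action produces no rule hit, so a rule with zero hits means only that no traffic matched its description, not that no traffic reached the role.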
