Hi, I am trying to run a compliance report to check if intrusion prevention is enabled correctly on ASA's.
The check first identifies interfaces that are enabled by doing a check, parsing the config as blocks and checking for the string "shutdown" in each "^interface" block. Any interfaces that are not "shutdown" continue; any interfaces with "shutdown" in the configuration are excluded from further checks - i.e. they do not raise a violation.
The second check matches previously matched blocks, checking the security level, excluding those with a security level of 100, and continuing for all other interfaces. Both of these checks work fine.
The final check is to identify the name of the interface - as the interface name is used in the global command that is used to enable intrusion prevention on the interface. This check also checks previously matched blocks for "nameif" - and captures the interface name by matching the expression "nameif (.*)". Where an interface name is not found, a violation is raised; otherwise (where an interface name is found) the check continues.
This works fine - and the violation message can correctly reference the name with the user-defined message "Interface <1.1> found" etc.
The final stage of the compliance check is where this goes wrong, and I think this is due to the final check relating to global config rather than previously matched blocks. This check, "ip audit interface <1.1>", no longer seems to relate <1.1> to the interface name identified in the previous checks. I know this is the case because when I use "<1.1>" in the violation message, in the previous check it correctly replaced this with the identified interface name, but in this global check it simply outputs "<1.1>" in the violation message.
Is there any way to reference an attribute found in the previously matched blocks section in a final stage check outside of the previously matched blocks - i.e. global config? We are running Prime version 3.7.0.
Thanks
Marc
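For readers who want to see the four-stage logic of the post spelled out independently of Prime's rule engine, the following is an added Python example (not Marc's Prime compliance policy and not Cisco code). It parses a constructed ASA running-config into "interface" blocks, applies the same exclusions (shutdown interfaces, security-level 100), captures the "nameif" value from each remaining block, and then carries that captured name into a check against the global "ip audit interface <nameif> <audit_name>" lines. The sample config, the interface and policy names in it, and the violation wording are all made up for this example; the "ip audit interface" command syntax is the ASA syntax the post refers to.

```python
import re

# Constructed sample ASA running-config (not from the original post). It mixes
# compliant, exempt and non-compliant interfaces so every branch is exercised.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
!
interface GigabitEthernet0/4
 security-level 10
 no nameif
!
ip audit name attack_policy attack action alarm drop reset
ip audit interface outside attack_policy
"""

INTERFACE_RE = re.compile(r"^interface (\S+)")
NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")          # anchored, so 'no nameif' does not match
SECLEVEL_RE = re.compile(r"^\s*security-level (\d+)")
IP_AUDIT_RE = re.compile(r"^ip audit interface (\S+)\s+\S+", re.MULTILINE)


def parse_interface_blocks(config):
    """Split the config into (interface, [body_lines]) blocks.

    Mirrors the 'parse the config as blocks' step: a block starts at a line
    beginning with 'interface ' and runs until the first non-indented line.
    """
    blocks = []
    current = None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = (m.group(1), [])
            blocks.append(current)
        elif current is not None and line.startswith(" "):
            current[1].append(line.rstrip())
        else:
            current = None  # '!' or any other global line closes the block
    return blocks


def ip_audit_interfaces(config):
    """Set of nameif values that already have a global 'ip audit interface' line."""
    return {m.group(1) for m in IP_AUDIT_RE.finditer(config)}


def first_capture(regex, lines):
    """Return the first capture group of regex over lines, or None."""
    for line in lines:
        m = regex.match(line)
        if m:
            return m.group(1)
    return None


def check_ip_audit(config):
    """Return a list of (interface, nameif_or_None, reason) violations."""
    audited = ip_audit_interfaces(config)
    violations = []
    for iface, body in parse_interface_blocks(config):
        # Check 1: 'shutdown' interfaces are excluded, not flagged.
        if any(line.strip() == "shutdown" for line in body):
            continue
        # Check 2: interfaces at security-level 100 are excluded.
        if first_capture(SECLEVEL_RE, body) == "100":
            continue
        # Check 3: capture the nameif; a missing name is itself a violation.
        name = first_capture(NAMEIF_RE, body)
        if name is None:
            violations.append((iface, None, "no nameif configured"))
            continue
        # Check 4: the name captured inside the block is used against global config.
        if name not in audited:
            violations.append((iface, name, f"missing 'ip audit interface {name} <audit_name>'"))
    return violations


if __name__ == "__main__":
    for violation in check_ip_audit(SAMPLE_CONFIG):
        print(violation)
```

On the sample config the outside interface passes, inside and GigabitEthernet0/3 are skipped by the exclusions, and the remaining two interfaces are reported: dmz for lacking an "ip audit interface dmz" line and GigabitEthernet0/4 for having no nameif at all. The point the post is asking about sits in check 4: the value captured from the block (the nameif) is what has to be looked up against the global lines, so whatever rule engine runs the check needs the per-block capture to still be in scope when the global match is evaluated.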