* removing ruleset files * adding 3_interface rules and refs * Revert "adding 3_interface rules and refs" This reverts commit 6ec630d. * added 3_interfaces rules and refs again * added 4_protocols tests --------- Co-authored-by: mailsanjayhere <mailsanjayhere@gmail.com>
1 parent
114037f
commit f4b3ef8
Showing
56 changed files
with
1,056 additions
and
0 deletions.
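--- a/...4_protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.py
+++ b/...4_protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+name='rule_4_10_1_ensure_icmp_router_discovery_is_disabled',
+platform=['juniper'],
+commands=dict(chk_cmd='')
+)
+def rule_4_10_1_ensure_icmp_router_discovery_is_disabled(commands, ref):
+assert '' in commands.chk_cmd, ref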
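Review bot: The last line of this rule, `assert '' in commands.chk_cmd, ref`, can never fail when `chk_cmd` is a string, because the empty string is a substring of every Python string; together with `commands=dict(chk_cmd='')`, which names no command to run, the rule as shown will report a pass whether or not ICMP router discovery is disabled. A compliance stub that always passes gives false assurance, so until the real check exists I would make it fail visibly, for example `raise NotImplementedError(ref)`, or fill in the show command and the substring expected in its output. The same placeholder pair is in every other rule file in this view (4_11_1, 4_12_1, 4_12_2 and 4_1_1 through 4_1_6). A one-line docstring stating which configuration statement each rule inspects would also help, since the `.ref` text only covers remediation.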
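--- a/..._protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.ref
+++ b/..._protocols/4_10_router_discovery/rule_4_10_1_ensure_icmp_router_discovery_is_disabled.ref
@@ -0,0 +1,9 @@
+.rule_4_10_1_ensure_icmp_router_discovery_is_disabled
+
+Reference:
+Remediation: If you have configured ICMP Router Discovery and do not require it, you can disable it by
+issuing the following command from the [edit protocols router-discovery] hierarchy:
+[edit protocols router-discovery]
+user@host#set disable
+
+.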
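--- a/CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.py
+++ b/CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+name='rule_4_11_1_ensure_authentication_is_set_to_md5',
+platform=['juniper'],
+commands=dict(chk_cmd='')
+)
+def rule_4_11_1_ensure_authentication_is_set_to_md5(commands, ref):
+assert '' in commands.chk_cmd, ref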
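--- a/CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.ref
+++ b/CIS/Junos/4_protocols/4_11_rsvp/rule_4_11_1_ensure_authentication_is_set_to_md5.ref
@@ -0,0 +1,17 @@
+.rule_4_11_1_ensure_authentication_is_set_to_md5
+
+Reference: Guide, Juniper Networks
+(http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-
+collections/config-guide-mpls-applications/mpls-configuring-rsvp-
+interfaces.html#id-39542)
+
+Remediation: If you have configured RSVP you can add authentication by issuing the following command
+from the [edit protocols rsvp] hierarchy:
+[edit protocols rsvp]
+user@host#set interface <interface name> authentication-key <key>
+
+
+
+
+
+.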
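--- a/...4_protocols/4_12_lldp_and_lldp_med/rule_4_12_1_ensure_lldp_is_disabled_if_not_required.py
+++ b/...4_protocols/4_12_lldp_and_lldp_med/rule_4_12_1_ensure_lldp_is_disabled_if_not_required.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+name='rule_4_12_1_ensure_lldp_is_disabled_if_not_required',
+platform=['juniper'],
+commands=dict(chk_cmd='')
+)
+def rule_4_12_1_ensure_lldp_is_disabled_if_not_required(commands, ref):
+assert '' in commands.chk_cmd, ref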
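--- a/..._protocols/4_12_lldp_and_lldp_med/rule_4_12_1_ensure_lldp_is_disabled_if_not_required.ref
+++ b/..._protocols/4_12_lldp_and_lldp_med/rule_4_12_1_ensure_lldp_is_disabled_if_not_required.ref
@@ -0,0 +1,27 @@
+.rule_4_12_1_ensure_lldp_is_disabled_if_not_required
+
+Reference: discovery-using-lldp-lldp-med.html
+ayer-2-services-lldp-configuring.html
+
+Remediation: To turn off LLDP globally for all interfaces, issue the following command from the [edit
+protocols] configuration hierarchy:
+[edit protocols]
+user@host# set lldp disable
+Sending of LLDPDUs will be disabled, while any LLDP related configuration will be retained
+(but ignored).
+Alternatively, you may wish to disable LLDP on a per-interface basis by issuing the
+
+
+
+following command from the [edit protocols] configuration hierarchy:
+To disable LLDP for a specific interface, leaving LLDP enabled for all others:
+[edit protocols]
+user@host# set lldp interface <interface name> disable
+Or to disable LLDP for all interfaces and allow only for specific ports:
+[edit protocols]
+user@host# delete lldp interface all
+user@host# set lldp interface <interface name>
+This procedure should be repeated for all Routing Instances/Logical Systems where LLDP
+is configured but not required.
+
+.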
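--- a/...otocols/4_12_lldp_and_lldp_med/rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required.py
+++ b/...otocols/4_12_lldp_and_lldp_med/rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+name='rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required',
+platform=['juniper'],
+commands=dict(chk_cmd='')
+)
+def rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required(commands, ref):
+assert '' in commands.chk_cmd, ref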
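--- a/...tocols/4_12_lldp_and_lldp_med/rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required.ref
+++ b/...tocols/4_12_lldp_and_lldp_med/rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required.ref
@@ -0,0 +1,27 @@
+.rule_4_12_2_ensure_lldp_med_is_disabled_if_not_required
+
+Reference: discovery-using-lldp-lldp-med.html
+ayer-2-services-lldp-configuring.html
+
+Remediation: To turn off LLDP-MED globally for all interfaces, issue the following command from the
+[edit protocols] configuration hierarchy:
+[edit protocols]
+user@host# set lldp-med interface all disable
+
+
+
+Sending of LLDPDUs will be disabled, while any other LLDP-MED related configuration will
+be retained (but ignored).
+Alternatively, you may wish to disable LLDP on a per-interface basis by issuing the
+following command from the [edit protocols] configuration hierarchy:
+To disable LLDP-MED for a specific interface, leaving LLDP-MED enabled for all others:
+[edit protocols]
+user@host# set lldp-med interface <interface name> disable
+Or to disable LLDP-MED for all interfaces and allow only for specific ports:
+[edit protocols]
+user@host# set lldp-med interface all disable
+user@host# set lldp-med interface <interface name>
+This procedure should be repeated for all Routing Instances/Logical Systems where LLDP-
+MED is configured but not required.
+
+.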
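--- a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_1_ensure_peer_authentication_is_set_to_md5.py
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_1_ensure_peer_authentication_is_set_to_md5.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+name='rule_4_1_1_ensure_peer_authentication_is_set_to_md5',
+platform=['juniper'],
+commands=dict(chk_cmd='')
+)
+def rule_4_1_1_ensure_peer_authentication_is_set_to_md5(commands, ref):
+assert '' in commands.chk_cmd, ref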
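--- a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_1_ensure_peer_authentication_is_set_to_md5.ref
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_1_ensure_peer_authentication_is_set_to_md5.ref
@@ -0,0 +1,31 @@
+.rule_4_1_1_ensure_peer_authentication_is_set_to_md5
+
+Reference: National Security Agency (NSA)
+
+Remediation: If you have deployed BGP in your network you should authenticate all neighbors.
+Authentication can be configured at the Global, Group or Neighbor level, with more specific
+settings overriding less specific. For eBGP a different MD5 password should be configured
+for each neighbor or peer. For iBGP neighbors the same key may be used globally or
+different keys may be used by group or neighbor as appropriate to your infrastructure. To
+configure BGP Authentication at the globally enter the following command at the [edit
+protocols bgp] hierarchy:
+
+
+
+
+[edit protocols bgp]
+user@host#set authentication-key <md5 key>
+To configure BGP Authentication at the group level enter the following command at the
+[edit protocols bgp] hierarchy:
+
+[edit protocols bgp]
+user@host#set group <group name> authentication-key <md5 key>
+Finally, to configure BGP Authentication at the neighbor level enter the following command
+at the [edit protocols bgp group <group name>] hierarchy:
+
+[edit protocols bgp group <group name>]
+user@host#set neighbor <neighbor IP> authentication-key <md5 key>
+Remember that more specific settings override less specific settings, so a key set at the
+neighbor level will be used even if keys are also set at the group and global levels.
+
+.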
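--- a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa.py
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+name='rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa',
+platform=['juniper'],
+commands=dict(chk_cmd='')
+)
+def rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa(commands, ref):
+assert '' in commands.chk_cmd, ref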
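--- a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa.ref
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa.ref
@@ -0,0 +1,40 @@
+.rule_4_1_2_ensure_peer_authentication_is_set_to_ipsec_sa
+
+Reference: Juniper Networks
+
+Remediation: To setup IPSEC SA based authentication, first configure a Security Association at the [edit
+security ipsec] hierarchy;
+
+
+
+
+[edit security ipsec]
+edit security-association <SA name>
+set description <description>
+set mode transport
+set manual direction bidirectional protocol ah
+set manual direction bidirectional authentication algorithm <authentication
+method>
+set manual direction bidirectional authentication key <key>
+The SA must be bi-directional and must be configured with the same parameters on all
+neighbors reachable on the intended interface. Note that only Authenticated Header is
+configured in this example which provides mutual authentication but does not encrypt BGP
+protocol messages in transit.
+To configure IPSEC SA based authentication globally for BGP, issue the following command
+from the [edit protocols bgp] hierarchy;
+
+[edit protocols bgp]
+user@host#set ipsec-sa
+To configure IPSEC SA based authentication for a group, issue the following command from
+the [edit protocols bgp group <group name>] hierarchy;
+
+[edit protocols bgp group <group name>]
+user@host#set ipsec-sa <SA name>
+To configure IPSEC SA based authentication for a neighbor, issue the following command
+from the [edit protocols bgp group <group name> neighbor <neighbor ip address>]
+hierarchy;
+
+[edit protocols bgp group <group name> neighbor <neighbor ip address>]
+user@host#set ipsec-sa <SA name>
+
+.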
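--- a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm.py
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+name='rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm',
+platform=['juniper'],
+commands=dict(chk_cmd='')
+)
+def rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm(commands, ref):
+assert '' in commands.chk_cmd, ref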
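--- a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm.ref
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm.ref
@@ -0,0 +1,24 @@
+.rule_4_1_3_ensure_ebgp_peers_are_set_to_use_gtsm
+
+Reference: National Security Agency (NSA)
+
+Remediation: If you have deployed multihop in your network but do not have any peers more then 1 hop
+away, disable multihop with the following command from the [edit protocols bgp],
+[edit protocols bgp group <group name>] or [edit protocols bgp group <group
+name> neighbor <neighbor address>] depending at which level you have configured
+multihop;
+
+[edit protocols bgp]
+user@host#delete multihop
+To change the number of hops distance from which a route update can originate, enter the
+following command from the [edit protocols bgp group <group name>] to apply
+multihop to a group or [edit protocols bgp group <group name> neighbor <neighbor
+address>] to apply multihop to a single neighbor;
+
+[edit protocols bgp group <group name>]
+user@host#set multihop ttl <number of hops>
+Remember that, in both cases, more specific settings override less specific ones. So if
+multihop is set to 5 at the neighbor level, but the default of 1 at the global level, the
+neighbor level setting will apply for communications with that peer.
+
+.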
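--- a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used.py
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+name='rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used',
+platform=['juniper'],
+commands=dict(chk_cmd='')
+)
+def rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used(commands, ref):
+assert '' in commands.chk_cmd, ref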
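--- a/...Junos/4_protocols/4_1_bgp/rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used.ref
+++ b/...Junos/4_protocols/4_1_bgp/rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used.ref
@@ -0,0 +1,77 @@
+.rule_4_1_4_ensure_bogon_filtering_is_set_where_ebgp_is_used
+
+Reference: National Security Agency (NSA)
+cymru.org/Services/Bogons/)
+(http://www.iana.org/assignments/ipv4-address-space/)
+
+Remediation: JUNOS offers a variety of options for filtering Bogons and Martians, which is why this item
+is not scored. Some of the more common options are discussed below.
+1 - The Martian Table Most Martian space (but not all, else you would not be able to use
+
+
+
+your router on private networks) is blocked using the Martian Routing Table, which is
+discussed elsewhere in this Benchmark and configured under the [edit routing-options
+martians] hierarchy. Route updates for prefixes in this special table are ignored, so adding
+Bogons here will prevent them being learned through any routing protocol.
+2 - Ingress Prefix Filtering Ingress Filtering should be used on eBGP sessions to prevent
+your own prefixes being advertised back to your network or, in the case of ISP networks,
+customer networks advertising prefixes other than those allocated to them.
+The other filtering types are covered previously. Prefix lists are configured under the [edit
+policy-options] hierarchy, but are discussed here as they are applied under the [edit
+protocols bgp <group name>] hierarchy. First configure a policy:
+[edit policy-options]
+user@host#edit policy-statement <policy name> term <term name>
+[edit policy-options policy-statement <policy name> <term name>]
+user@host#set from route-filter <network>/<mask> <exact | orlonger | prefix-
+length-range <start>-<end>> reject
+The last stage should be repeated for each prefix required, but as several options are
+shown, a couple of examples are given below:
+[edit policy-options <policy name> <term name>]
+user@host#set from route-filter 0.0.0.0/0 exact reject
+user@host#set from route-filter 10.0.0.0/8 orlonger reject
+user@host#set from route-filter 0.0.0.0/0 prefix-length-range /29-/32 reject
+The first line in the example rejects a default route advertised to the router and only that
+route. The second line will filter any route from the 10.0.0.0/8 range, for instance
+with a mask length of /29, /30, /31 or /32 (generally eBGP routes should be summarized
+into larger prefixes than this). Having defined a policy, we need to apply it.
+As with most other BGP configuration options, you can apply the policy at Global, Group or
+Neighbor levels as suites your needs. In this example we will apply the policy to a group
+containing all our eBGP peers:
+
+[edit protocols bgp group <group name>]
+user@host#set import <policy name/s>
+3 - Peering with a Bogon Route Server As far as I am aware, the idea of using a BGP
+Peering session to a Route Server for updates on Bogon networks was hatched by Team
+Cymru and they offer a free, public Bogon Route Server, which you can peer with to keep
+you Bogon list up to date. The theory works equally well by peering to a route server of
+your own, allowing a greater degree of control over your Bogon list updates for your
+organization if desired. First a static route is created and configured to discard traffic. An
+
+
+
+address that is reserved for Test or Example networks is used, you may need to allow this
+/32 prefix in the Martian Table:
+
+[edit routing-options]
+user@host#set static route 192.0.2.1/32 discard no-readvertise retain
+An import policy should be set to match prefixes from the route servers AS and the
+Community (if used) for Bogon updates, setting the next hop to 192.0.2.1 and accepting the
+route.
+
+[edit policy-options]
+user@host#edit policy-statement <policy name> term <term name>
+[edit policy-options policy-statement <policy name> term <term name>]
+user@host#set from protocol bgp as-path <peer AS> community <community>
+user@host#set then next-hop 192.0.2.1
+Finally the BGP Peering and Group is configured with the import policy above and not to
+export. In addition security options covered in other recommendations should be used:
+
+[edit protocols bgp <group name>]
+user@host#set type external description "bogon route servers"
+user@host#set import <policy name>
+user@host#set peer-as <AS of Route Server>
+user@host#set neighbor <neighbors IP>
+user@host#set local-address <local IP to use for peering>
+
+.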
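--- a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers.py
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers.py
@@ -0,0 +1,10 @@
+from comfy.compliance import medium
+
+
+@medium(
+name='rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers',
+platform=['juniper'],
+commands=dict(chk_cmd='')
+)
+def rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers(commands, ref):
+assert '' in commands.chk_cmd, ref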
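--- a/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers.ref
+++ b/CIS/Junos/4_protocols/4_1_bgp/rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers.ref
@@ -0,0 +1,17 @@
+.rule_4_1_5_ensure_ingress_filtering_is_set_for_ebgp_peers
+
+Reference: National Security Agency (NSA)
+
+Remediation: From the [edit policy-options] hierarchy, define a new policy by issuing the following
+commands:
+[edit policy-options]
+user@host#edit policy-statement <policy name> term <term name>
+[edit policy-options policy-statement <policy name> term <term name>]
+user@host# set from route-filter <network>/<mask> <exact | orlonger | prefix-
+length-range <start>-<end>> reject
+Now apply the policy, either globally, to a group or to an individual peer as required by
+your environment.
+[edit protocols bgp <group name>]
+user@host#set import <policy name>
+
+.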
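--- a/.../4_protocols/4_1_bgp/rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers.py
+++ b/.../4_protocols/4_1_bgp/rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers.py
@@ -0,0 +1,10 @@
+from comfy.compliance import low
+
+
+@low(
+name='rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers',
+platform=['juniper'],
+commands=dict(chk_cmd='')
+)
+def rule_4_1_6_ensure_rpki_is_set_for_origin_validation_of_ebgp_peers(commands, ref):
+assert '' in commands.chk_cmd, ref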