Compliance Overview

Policy Compliance Overview for rConfig V8 Pro

Policy Compliance in rConfig V8 Pro provides automated validation of network device configurations against organizational standards, regulatory requirements, and security baselines. The compliance engine evaluates device configurations using flexible, customizable policy definitions, identifying deviations from approved settings and enabling systematic remediation across your network infrastructure.

Unlike traditional manual configuration audits that are time-consuming, error-prone, and quickly outdated, rConfig’s compliance system provides continuous, automated validation that scales from dozens to thousands of devices. Compliance checks run on-demand or on schedules, with results immediately available through comprehensive reports and dashboards.

Automated validation: Continuously verify device configurations match organizational policies without manual review or device connections.

Flexible policy definitions: Create custom compliance rules using an intuitive text-based policy format that accommodates any configuration requirement—from simple string matching to complex pattern validation.

Scalable enforcement: Apply policies across individual devices, device categories, or tagged device groups, enabling policy enforcement at any organizational scale.

Comprehensive reporting: Detailed compliance results identify exactly which devices pass or fail policies, with specific information about non-compliant configuration elements.

Historical tracking: Monitor compliance trends over time, identifying improvement or degradation in configuration adherence across your network.

Scheduled automation: Configure compliance checks to run automatically at specified intervals, ensuring continuous validation without administrator intervention.

The compliance system operates on a three-tier architecture:

Policy Definitions: Define the compliance rules—what configurations should look like, what must be present, what must be absent, and what patterns must match. Policy definitions are reusable across multiple assignments.

Policy Assignments: Link policy definitions to device scopes (devices, categories, or tags) and specify which command output to validate. Assignments control what gets checked, where it gets checked, and how often.

Compliance Jobs: Execute the actual validation by evaluating device configuration files against policy definitions. Jobs run manually or on schedules, producing compliance reports showing pass/fail status.

Workflow:

  1. Administrator creates policy definition with compliance rules
  2. Policy assignment links definition to device scope and command output
  3. Scheduled task or manual trigger executes compliance job
  4. Compliance engine evaluates latest device configurations against policy
  5. Results are stored and displayed in compliance reports
  6. Administrators review results and remediate non-compliant devices

Policy-based rules: Compliance rules are defined in easy-to-edit rConfig Policy files, making the system flexible and customizable to your organizational needs. The policy format supports multiple validation methods and complex logic.

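No direct device connection: The compliance engine evaluates the most recently downloaded configurations from your devices and never connects to the devices itself. This keeps compliance checks from opening additional sessions to devices, reduces network load, and provides consistent results based on a known configuration state. Results are only as current as each device's last successful configuration download.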

Configuration-driven: All compliance logic resides in policy definitions, not hardcoded in the application. This means you can adapt compliance requirements instantly by updating policy files without software changes or vendor involvement.

In-app guidance: Detailed help is available directly in the application, guiding you through the process of designing and implementing your own compliance rules with examples and syntax documentation.

Incremental implementation: Start with simple policies validating critical configurations, then expand to comprehensive compliance coverage as your confidence and expertise grow.

Policy Definitions are text-based files containing one or more compliance rules. Each rule specifies a validation method and the expected configuration elements.

Key characteristics:

  • Reusable across multiple assignments
  • Support multiple validation methods in single definition
  • Include comments and descriptions for documentation
  • Strict syntax validation ensures correctness
  • Versionable and transferable between rConfig instances
  • Template library available on GitHub for common policies

Example policy definition structure:

// Description: Verify NTP server configuration
#[must_match_single_string]
ntp server 192.168.1.10
// Description: Ensure no default SNMP community
#[must_not_match_single_string]
snmp-server community public
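
The following is an added example, not rConfig's own code: a small offline checker for the two methods shown above, for trying a policy definition against known-good and known-bad configuration files before assigning it. The substring matching, the error handling, and the sample configurations are assumptions made for the example.

```python
import re

# Assumption: both methods are case-sensitive substring tests on the config text.
METHODS = {
    "must_match_single_string": lambda s, cfg: s in cfg,
    "must_not_match_single_string": lambda s, cfg: s not in cfg,
}
HEADER = re.compile(r"#\[(\w+)\]")
POLICY = """\
// Description: Verify NTP server configuration
#[must_match_single_string]
ntp server 192.168.1.10
// Description: Ensure no default SNMP community
#[must_not_match_single_string]
snmp-server community public
"""
# Constructed sample configs, not taken from a real device.
KNOWN_GOOD = "hostname r1\nntp server 192.168.1.10\nsnmp-server community Xk29q RO\n"
KNOWN_BAD = "hostname r2\nntp server 10.9.9.9\nsnmp-server community public RO\n"

def parse_policy(text):
    """Return rules as dicts with policyMethod, comment and policyString."""
    rules, comment, method = [], "", None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        header = HEADER.fullmatch(line)
        if line.startswith("//"):
            comment = line[2:].strip()
        elif header:
            if method or header.group(1) not in METHODS:
                raise ValueError(f"bad or unsupported header: {line}")
            method = header.group(1)
        elif method:
            rules.append({"policyMethod": method, "comment": comment, "policyString": line})
            comment, method = "", None
        else:
            raise ValueError(f"policy string without a #[method] header: {line}")
    if method:
        raise ValueError(f"#[{method}] has no policy string")
    return rules

def evaluate(policy_text, config_text):
    """Run every rule; the overall result is PASS only when no rule fails."""
    out, failed = {}, 0
    for i, rule in enumerate(parse_policy(policy_text)):
        ok = METHODS[rule["policyMethod"]](rule["policyString"], config_text)
        failed += not ok
        out[str(i)] = {**rule, "result": "pass" if ok else "fail", "resultRaw": ok}
    out["eval_result"], out["eval_result_raw"] = ("FAIL", False) if failed else ("PASS", True)
    return out
```

Under the substring assumption used here, a configuration containing `ntp server 192.168.1.100` also satisfies the first rule, so a known-bad test file should include near-miss values like that.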

Policy Assignments connect policy definitions to device scopes, specifying what to validate and where.

Assignment components:

  • Scope: Single device, device category, or tag defining which devices are evaluated
  • Command output: Which configuration file to validate (e.g., show running-config, show version)
  • Policy definition: Which compliance rules to apply
  • Status: Enabled or disabled for testing and debugging

Assignment rules:

  • Only one scope per assignment (one device, one category, OR one tag)
  • Multiple assignments can use the same policy definition
  • Assignments can be disabled without deletion for testing

Compliance Jobs execute the validation process, evaluating device configurations against assigned policies.

Job execution:

  • Triggered manually via UI or API
  • Scheduled via Scheduled Tasks for automated validation
  • Process through Horizon queue system (PolicyCompliance queue)
  • Generate detailed results stored in compliance reports

Job processing:

  1. Job retrieves latest configuration file for each device in assignment scope
  2. Policy definition loaded and parsed
  3. Each policy rule evaluated against configuration content
  4. Results (pass/fail) recorded with detailed output
  5. Summary statistics calculated and displayed

Step 1: Write Policy Definition

  • Identify configuration requirements to validate
  • Choose appropriate validation methods
  • Create policy definition with rules and comments
  • Test policy syntax using in-app validation

Step 2: Create Policy Assignment

  • Select device scope (device, category, or tag)
  • Choose command output containing configurations to validate
  • Link policy definition to assignment
  • Enable assignment for active use

Step 3: Execute Compliance Check

  • Run manual compliance job to validate results
  • Review compliance report for pass/fail status
  • Investigate and remediate any failures
  • Verify fixes with additional compliance runs

Step 4: Schedule Automated Checks

  • Create Scheduled Task for compliance assignment
  • Set appropriate interval (daily, weekly, etc.)
  • Monitor scheduled execution results
  • Adjust policies or remediate as needed

The Policy Compliance main view provides high-level statistics about compliance status for all policy assignments.

Displayed information:

  • Total assignments configured
  • Overall compliance percentage
  • Individual assignment compliance status
  • Pass/fail device counts per assignment
  • Last execution timestamp
  • Expandable details for each assignment

[Figure: Policy Compliance Main View]

Expanding an assignment reveals per-device compliance details:

Device-level information:

  • Device name and status
  • Pass/fail indicator
  • Last evaluation timestamp
  • Individual rule results
  • JSON output showing exactly what passed or failed

Result interpretation:

  • PASS: All policy rules passed validation for this device
  • FAIL: One or more policy rules failed validation
  • NOT EVALUATED - CONFIG NOT FOUND: Configuration file for specified command doesn’t exist for device

[Figure: Policy Compliance Detailed Results]

Successful compliance:

{
  "0": {
    "policyMethod": "must_match_single_string",
    "comment": "Description: must_match_single_string SNMP Policy",
    "policyString": "snmp-server host 1.1.1.1 TESTCOMMUNITY",
    "result": "pass",
    "resultRaw": true,
    "configId": 9
  },
  "eval_result": "PASS",
  "eval_result_raw": true,
  "eval_result_reason": "All policy methods passed"
}

Failed compliance:

{
  "0": {
    "policyMethod": "must_match_single_string",
    "comment": "Description: must_match_single_string SNMP Policy",
    "policyString": "snmp-server host 1.1.1.1 TESTCOMMUNITY",
    "result": "pass",
    "resultRaw": true,
    "configId": 9
  },
  "1": {
    "policyMethod": "must_match_single_string",
    "comment": "Description: must_match_single_string SNMP Policy",
    "policyString": "snmp-server host 1.1.1.1 NOTCOMMUNITY",
    "result": "fail",
    "resultRaw": false,
    "configId": 9
  },
  "eval_result": "FAIL",
  "eval_result_raw": false,
  "eval_result_reason": "1 policy methods failed"
}

Missing configuration:

{
  "result": "NOT EVALUATED - CONFIG NOT FOUND"
}
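
An added example (not part of rConfig) that triages result documents in the three shapes shown above and counts a device as compliant only on an explicit, internally consistent PASS. The device names, the way results are collected into a dictionary, and the percentage calculation are assumptions.

```python
import json

# Constructed inputs: rule values copied from the page's samples, device names invented.
RULE_OK = {"policyMethod": "must_match_single_string", "result": "pass", "resultRaw": True,
           "policyString": "snmp-server host 1.1.1.1 TESTCOMMUNITY", "configId": 9}
RULE_BAD = {**RULE_OK, "result": "fail", "resultRaw": False,
            "policyString": "snmp-server host 1.1.1.1 NOTCOMMUNITY"}
SAMPLE = {
    "edge-sw-01": json.dumps({"0": RULE_OK, "eval_result": "PASS", "eval_result_raw": True}),
    "edge-sw-02": json.dumps({"0": RULE_OK, "1": RULE_BAD,
                              "eval_result": "FAIL", "eval_result_raw": False}),
    "edge-sw-03": json.dumps({"result": "NOT EVALUATED - CONFIG NOT FOUND"}),
}

def triage(raw_results):
    """Map device -> {'status', 'failed'}; anything but a consistent PASS is non-compliant."""
    report = {}
    for device, raw in raw_results.items():
        try:
            doc = json.loads(raw)
        except json.JSONDecodeError:
            doc = None
        if not isinstance(doc, dict):
            doc = {}
        # Per-rule entries sit under numeric string keys ("0", "1", ...).
        rules = [v for k, v in doc.items() if k.isdigit() and isinstance(v, dict)]
        failed = [r.get("policyString", "?") for r in rules if r.get("resultRaw") is not True]
        claims_pass = doc.get("eval_result") == "PASS" and doc.get("eval_result_raw") is True
        if claims_pass and rules and not failed:
            status = "PASS"
        elif str(doc.get("result", "")).startswith("NOT EVALUATED"):
            status = "NOT EVALUATED"
        elif "eval_result" in doc:
            status = "FAIL"  # includes a claimed PASS that its own rule entries contradict
        else:
            status = "UNREADABLE"
        report[device] = {"status": status, "failed": failed}
    return report

def compliance_percent(report):
    """Share of devices with status PASS; unevaluated devices stay in the denominator."""
    if not report:
        return 0.0
    passed = sum(1 for r in report.values() if r["status"] == "PASS")
    return round(100.0 * passed / len(report), 1)
```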

Objective: Ensure all devices meet security requirements.

Policy examples:

  • Verify enable secret is configured
  • Ensure SSH is enabled and Telnet disabled
  • Validate AAA authentication is active
  • Confirm logging to central server
  • Verify management interface ACLs

Implementation: Create comprehensive security policy definition, assign to all production devices, schedule daily compliance checks.

Objective: Maintain consistent device configurations across network.

Policy examples:

  • Verify standard NTP servers configured
  • Ensure DNS servers match approved list
  • Validate SNMP community strings
  • Confirm standard banner text
  • Check domain name configuration

Implementation: Define standard configuration policies, assign by device role or location, schedule regular validation.

Objective: Meet audit requirements (PCI-DSS, HIPAA, SOX).

Policy examples:

  • Verify no default passwords configured
  • Ensure encrypted passwords enabled
  • Validate privilege separation
  • Confirm audit logging active
  • Check access control configurations

Implementation: Create audit-specific policy definitions mapped to regulatory requirements, generate compliance reports for auditors.

Objective: Verify configuration changes don’t violate policies.

Policy examples:

  • Ensure critical services remain enabled
  • Validate routing protocol configurations
  • Confirm VLAN configurations correct
  • Check interface descriptions present

Implementation: Run compliance checks immediately after maintenance windows to validate changes didn’t introduce policy violations.

Start simple: Begin with basic policies validating critical configurations before expanding to comprehensive coverage. Success with simple policies builds confidence and expertise.

Test thoroughly: Validate policy definitions against known-good and known-bad configurations before production deployment. Use disabled assignments for testing without affecting reports.

Document extensively: Include detailed comments in policy definitions explaining what each rule validates and why. Future administrators will thank you.

Version control: Maintain policy definition versions externally (Git, documentation system) to track changes and enable rollback if needed.

Use templates: Leverage rConfig’s GitHub policy template repository for common compliance scenarios, adapting templates to your specific requirements.

Logical scoping: Use categories and tags for policy assignments rather than individual devices where possible. This simplifies management as the network grows.

Appropriate granularity: Create separate assignments for different device types or roles rather than trying to cover everything with one policy. This improves troubleshooting and reporting clarity.

Command selection: Choose command output that contains the configurations being validated. Don’t validate NTP settings against show version output.

Naming conventions: Use clear, descriptive names for assignments indicating scope and purpose: “Core-Routers-Security-Baseline” rather than “Assignment1”.

Regular review: Review compliance reports weekly at minimum, daily for critical policies. Don’t let compliance drift go unnoticed.

Remediation workflow: Establish a process for addressing failures:

  1. Investigate root cause
  2. Remediate configuration
  3. Re-run compliance check
  4. Document resolution

Scheduled automation: Use Scheduled Tasks for routine compliance checks, freeing administrators from manual execution while ensuring consistent validation.

Performance monitoring: Track compliance job execution times. Policies taking excessive time may need optimization or splitting into multiple assignments.

Report retention: Export compliance reports periodically for historical analysis and audit evidence. Database reports may be purged based on retention settings.

Scope appropriately: Don’t assign policies to devices where they’re irrelevant. This wastes processing time and clutters reports with expected failures.

Efficient patterns: Complex regex patterns in policies can slow evaluation. Test pattern performance and simplify where possible.

Schedule strategically: Stagger compliance job schedules to avoid overwhelming the Horizon queue during peak backup times.

Command output selection: Use the smallest command output that contains the needed configurations. Don’t validate against show tech-support if show running-config suffices.

Cause: Configuration file for specified command doesn’t exist for device.

Resolution:

  • Verify device is backing up successfully
  • Confirm command specified in assignment matches command in device’s command group
  • Check that command has executed recently and created configuration file
  • Review device backup logs for errors

Cause: Policy definition syntax error or incorrect validation string.

Resolution:

  • Review policy definition syntax carefully
  • Test policy against known-good configuration manually
  • Verify validation strings match actual device output format
  • Check for case sensitivity issues or extra whitespace

Cause: Scheduled task not configured or Horizon queue issues.

Resolution:

  • Verify Scheduled Task exists and is enabled
  • Check Horizon is running and processing jobs
  • Review Horizon queue for failed compliance jobs
  • Check application logs for compliance job errors

Cause: Configurations changing between evaluations, or policy evaluating dynamic content.

Resolution:

  • Review device configuration history to identify changes
  • Adjust policy to account for acceptable variation
  • Increase compliance check frequency to catch changes faster
  • Investigate why configurations are changing unexpectedly

| Result | Meaning | Action |
|---|---|---|
| PASS | All rules passed | No action needed |
| FAIL | One or more rules failed | Review failures, remediate configuration |
| NOT EVALUATED | Config file not found | Verify device backup, check command |

Policy Definition (rules) → Policy Assignment (scope + command) → Compliance Job (validation) → Compliance Report (results)

Policy Compliance in rConfig V8 Pro transforms network configuration management from reactive troubleshooting to proactive governance. By automating validation of device configurations against organizational standards, compliance enforcement becomes continuous, scalable, and comprehensive—ensuring your network consistently meets security, regulatory, and operational requirements.

Automated enforcement: Policy compliance eliminates manual configuration audits, providing continuous automated validation that scales to thousands of devices without increasing administrative overhead.

Flexible policy framework: The text-based policy format accommodates any compliance requirement, from simple string matching to complex code block validation, adapting to your organization’s specific needs.

Three-tier architecture: Policy definitions, assignments, and jobs work together to provide flexible, scalable compliance validation across any device population.

No device impact: Compliance checks evaluate stored configurations without connecting to devices, ensuring zero performance impact on production infrastructure.

Comprehensive visibility: Detailed reporting identifies exactly which devices pass or fail policies, with rule-level results enabling targeted remediation.

Scheduled automation: Integration with Scheduled Tasks enables continuous compliance monitoring, with reports reflecting the most recently downloaded configuration of each device.

With properly configured policy definitions and assignments, rConfig provides the foundation for continuous compliance monitoring, reducing audit preparation time, accelerating change validation, and ensuring network configurations consistently meet organizational standards.