Policy Compliance

Policy Compliance

Table 1. Feature History

Feature Name

Release Information

Description

Policy Compliance

Cisco IOS XE Catalyst SD-WAN Release 17.14.1a

Cisco Catalyst SD-WAN Control Components Release 20.14.1

This feature analyzes application-aware policies to determine whether the updates to applications in a later Protocol Pack release change the operation of a policy. Any such change is considered a policy compliance issue. To ensure that the operation of each policy remains aligned to the policy intent, the feature flags any compliance issues to enable you to address them.

Information About Policy Compliance

Various types of policies specify application traffic to match by using application lists, which contain one or more applications. The applications in application lists may be from a Protocol Pack or may be user-defined custom applications. As new Protocol Packs are released, changes occur to the protocol set. These changes may include adding applications that provide more granular classification of existing applications, renaming applications, and so on.

For example, an earlier Protocol Pack may include an application that captures all traffic for a set of services. A later Protocol Pack may include separate applications for different components of the services to provide more granular classification of the traffic. To illustrate with a fictional example, an application x-media might be broken into x-audio and x-video for more granular classification.

If a policy matches traffic using an application list that includes the x-media application, the policy does not make use of the later, more granular classification as x-audio and x-video.

Check Policy Compliance

When checking the applications in a policy, Cisco SD-WAN Manager compares them with the applications in the Protocol Pack currently loaded in Cisco SD-WAN Manager. Cisco SD-WAN Manager checks policies for the following compliance issues:

  • Checks existing policies to determine whether the policies match applications that have become classified in a more granular fashion in a later Protocol Pack release.

  • Checks for renamed applications. For example, renaming application Skydrive to Onedrive.

  • Checks for policies that match traffic broadly by transport protocol, such as http. When a policy matches traffic so broadly, it is difficult to anticipate which new applications, in later Protocol Packs, may be included in the match.

This check keeps the policy intent intact after new applications are added.

View Compliance Issues

If Cisco SD-WAN Manager detects a compliance issue with a policy, it displays the affected policies and relevant new applications. For information about viewing compliance issues, see View and Resolve Policy Compliance Issues.

Restrictions for the Policy Compliance Check

  • See the NBAR2 Protocol Pack Library for information about which Protocol Pack updates are available for each Cisco IOS XE release.

  • Devices using a Cisco IOS XE release earlier than Cisco IOS XE Catalyst SD-WAN Release 17.14.1a support only policies that use applications that were available in the original built-in Protocol Pack release of the Cisco IOS XE release. They do not support policies that use applications added in subsequent Protocol Pack releases.

    For example, if the original built-in Protocol Pack release of the Cisco IOS XE release did not include application x, and a policy uses application x, then a router using a release earlier than Cisco IOS XE Catalyst SD-WAN Release 17.14.1a cannot support that policy. This is true even if you later upgrade the router to use a Protocol Pack that includes application x.

View and Resolve Policy Compliance Issues

  1. From the Cisco SD-WAN Manager menu, choose Configuration > Application Catalog > Compliance.

    In the Policy Compliance area, the table shows the policies that do not comply with the application lists in the current Protocol Pack.

  2. In the Policy Compliance area, click ... in the Actions column adjacent to the policy you want to update and choose one of these:

    • Update Application: Automatically updates the relevant application lists used by affected policies to incorporate the new application or applications.


      Note


      • Ensure that all devices in the network are using Cisco IOS XE Catalyst SD-WAN Release 17.14.1a or later. If there are devices in the network using earlier releases, updating applications may cause a failure in employing a policy.

      • For policies created using policy groups, this action does not deploy the policy to the devices. In this case, to update devices to use the adjusted policy, deploy the policy manually to the devices.


    • Change Policy: Opens the policy to enable you to manually edit the policy and address the use of the affected application.