Profile Groups
The devices can be grouped based on group name and rules for easy access and identification. Group names can be used in role mapping rules, resource policies, filtering etc.
- Navigate to Profiler > Profiler Configuration > Profiler Groups.
- Enter the Group Name and Rule. The rules contain device attributes and operators. Manually enter the rule or choose from the list that dynamically displays the probable combinations.
To create rules for all values including null, use the rule: category ="*" or category ="".
- Select the approval mode to approve the devices added to the profile group. Auto-Approval is the default option.
- Auto-Approval: Automatically approves the devices.
- Manual-Approval: Administrator manually approves the devices.
- Time-Bound-Approval: Devices are approved for a specific time period and time zone. Enter the start date, end date, and time zone.
- Select the option to send e-mail notifications when new devices are added to the group.
Choose Use emails from General Settings to send e-mails to the address specified in General Settings, or choose Custom and enter the e-mail addresses separated by semicolons.
- Enter the Auth Table Timeout in seconds that is used for Firewall Provisioning. By default, the Auth Table Timeout is set to 60 seconds.
- Select the interval from the list to purge the older devices in the group automatically.
- Click Save.
Updating the profile groups for existing devices may take time if a rule covers many devices. Navigating away from the page cancels the update for the existing devices. However, the group names are still updated when the devices receive updates during regular profiling.
To edit a profile group, select the group name from the list on the left, make the required changes, and click Save.
To delete a profile group, select the group name from the list on the left and click Delete this group at the bottom of the page.
Precedence of Time Bound Approval
Endpoints marked for time-bound approval in DDR or in multiple groups follow this precedence:
- If an endpoint is configured for time-bound settings in DDR, those settings take precedence over the profile groups' time-bound settings.
- When an endpoint belongs to multiple groups and the start dates of the time-bound approved groups are in the future, the time-bound settings of the group whose start date is closest to the current date apply.
- When an endpoint belongs to multiple groups and the start date of any time-bound approved group is in the past, the time-bound settings of the group with the farthest end date apply.
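The precedence rules above as an added Python example; it is not code from the product or its vendor. The names TimeBound, effective_time_bound and approved_on are hypothetical, dates are assumed to be already in the configured time zone, and it is assumed that a group has started when its start date is on or before today and that only started groups compete for the farthest end date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Sequence


@dataclass(frozen=True)
class TimeBound:
    source: str   # "DDR" or a profile group name (constructed labels)
    start: date   # first day of approval, already in the configured time zone
    end: date     # last day of approval


def effective_time_bound(ddr: Optional[TimeBound],
                         groups: Sequence[TimeBound],
                         today: date) -> Optional[TimeBound]:
    """Return the time-bound setting that governs an endpoint today."""
    # 1. A DDR time-bound setting overrides every profile group.
    if ddr is not None:
        return ddr
    if not groups:
        return None
    # 2. If any group's window has already started, the farthest end date wins.
    #    Assumption: only groups that have started compete in this step.
    started = [g for g in groups if g.start <= today]
    if started:
        return max(started, key=lambda g: g.end)
    # 3. Every start date is in the future: the closest start date wins.
    return min(groups, key=lambda g: g.start)


def approved_on(setting: Optional[TimeBound], today: date) -> bool:
    """True when today falls inside the governing approval window."""
    return setting is not None and setting.start <= today <= setting.end


if __name__ == "__main__":
    today = date(2024, 6, 15)  # constructed sample data
    groups = [
        TimeBound("Lab", date(2024, 6, 1), date(2024, 6, 20)),
        TimeBound("Guests", date(2024, 5, 1), date(2024, 9, 30)),
        TimeBound("Audit", date(2024, 7, 1), date(2025, 1, 1)),
    ]
    winner = effective_time_bound(None, groups, today)
    print(winner.source, approved_on(winner, today))
```

Running the same resolution over an export of group memberships shows which endpoints stay approved longer than the shortest window an administrator configured for them.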
Creating Rules for Profile Groups
To create rules for profile groups, type the expressions in the Rules field. As you type, a list of suggested device attributes and operators appears.
Create the rule expression using one or a combination of the following qualified rule attributes and operators.
Attribute Name | Rule Attribute |
---|---|
Category | category |
Manufacturer | manufacturer |
Operating System | os |
MAC Address | macaddr |
IP Address | ip |
Hostname | hostname |
Profiler Name | profiler_name |
SNMP Attributes | |
SSID | snmp.ssid |
Switch IP Address | snmp.switch_ip |
Switch Name | snmp.switch_name |
WMI Attributes | |
Classified Category | wmi.classified_category |
Classified OS | wmi.classified_os |
Domain | wmi.domain |
Hostname | wmi.hostname |
Status | wmi.status |
Username | wmi.username |
Operators
- == (exactly equal)
- != (Not equal to)
- AND
- OR (combines multiple sets of AND rules, as shown in the UI; internally this is called 'OR')
Examples
macaddr == "64:87*" and manufacturer == "VMWare"
ip == "10.204*" and manufacturer == "VMWare*" and (os != "linux" or os != "Linux*")
wmi.classified_category == "Windows" or wmi.classified_os == "Microsoft Windows 10 Pro 10.0.17134" or wmi.domain == "WORKGROUP" or wmi.hostname == "W71-PC" or wmi.status == "up" or wmi.username == "admin"