We use NCM policies to check if devices are configured according to the standards we have set out for our ISO27001 certification. For each item we have a separate global collection with a policy rule applied to it so we can mix and match the correct group of rules based on the exact type and firmware version of the device. The problem is that a policy can only be applied to one specific device family. So if we have devices with similar configurations, but in different device families (for example for SSH and Telnet config downloads), we will have to duplicate all the rules. This quickly increases the number of rules and complicates maintaining them and keeping track of where you have to make changes when rules need to be adjusted.
I see two solutions for this:
- Have the ability to apply the same policy to multiple device families
- Apply policies just based on global collections and drop the restriction by device family
I think the second option would be easiest to implement and also be the most flexible.