Policy Engine
- Updated on 05 Feb 2025
Overview
Itential Policy Engine is a service that provides IP/Network address information, network math functions, and traffic policy analysis and tools. This guide introduces Policy Engine along with related information that takes you through Policy Engine installation and configuration.
IP Address and Network Validation and Normalization
Itential Policy Engine provides functions for validating strings passed in as IP addresses or network addresses. In addition to reporting validity, it also returns the IP version of the address and a canonical form that represents the same endpoint address or network. For IPv4 networks, CIDR notation is canonical, whereas for IPv6 the shortest representation is canonical, eliminating zeroes where possible.
Best effort parsing means that all common formats for IPv4 and IPv6 endpoint addresses and network notations are recognized, and even uncommon or noisy ones are often accepted.
Registered Port Information
Itential Policy Engine provides lookups for registered ports by port number or registered name, with optional restriction to a single Layer 4 protocol (TCP, UDP, etc.). This can be used to translate between port numbers and IANA names for various use cases.
MAC Address Validation and Information
Itential Policy Engine provides functions for validating MAC addresses and deriving various information from them, such as version (48 vs 64), the converted EUI64 value of an EUI48 address, the issuing organization, and other useful information.
Traffic Policy Analysis
Policy Analysis is the namesake use case for Policy Engine, and it provides functions for analyzing a device's traffic policy for certain use cases, such as identifying redundancies in a policy and checking proposed rules against a policy for redundancy and conflict.
Installation
Policy Engine is a stateless, compute-only web service hosted on a server as described below. It is distributed as a Python pip package.
Prerequisites
- Python 3.6.3 or better and pip (for pip installation)
- Available listener port (8080 by default, configurable)
HA deployments should use a load balancer, and likewise SSL or authentication should be terminated by a load balancer or reverse proxy. Such configurations are beyond the scope of this procedure, but should be fairly straightforward as the service is synchronous, stateless, and side-effect free.
Install Policy Engine via pip on CentOS 7
Install RH SCL, Python 3.6, and pip
sudo yum update
sudo yum install centos-release-scl
sudo yum install rh-python36
Install in SCL Environment
From a file:
sudo scl enable rh-python36 "pip install --upgrade service-policy-1.10.8+2022.1.0.tar.gz"
sudo scl enable rh-python36 "pip install --upgrade service-policy-<version>.tar.gz"
Or from the Itential repository:
sudo scl enable rh-python36 "pip install service-policy --upgrade --extra-index-url=<itential pip repo url>"
Start the service manually to test
PORT=4567 scl enable rh-python36 service-policy
Set up a systemd service
In /etc/systemd/system/policyengine.service:
[Unit]
Description=Itential Policy Engine
After=network.target
[Service]
Type=simple
Restart=always
RestartSec=1
User=policyengine
Environment="PORT=4567"
ExecStart=/bin/scl enable rh-python36 service-policy
[Install]
WantedBy=multi-user.target
sudo systemctl start policyengine
sudo systemctl enable policyengine
Install Policy Engine via pip on Ubuntu 18.04
Install pip
sudo apt update
sudo apt install python3-pip
Install Policy Engine
From a file:
sudo pip3 install --upgrade service-policy-1.10.8+2022.1.0.tar.gz
sudo pip3 install --upgrade service-policy-<version>.tar.gz
Or from the Itential repository:
sudo pip3 install service-policy --upgrade --extra-index-url=<itential pip repo url>
Start the service manually to test
PORT=4567 service-policy
Set up a systemd service
In /etc/systemd/system/policyengine.service:
[Unit]
Description=Itential Policy Engine
After=network.target
[Service]
Type=simple
Restart=always
RestartSec=1
User=policyengine
Environment="PORT=4567"
ExecStart=/usr/local/bin/service-policy
[Install]
WantedBy=multi-user.target
sudo systemctl start policyengine
sudo systemctl enable policyengine
Post installation
The service is a simple compute-only web service, and does not need access to read or write anything. Its only configuration option is the PORT environment variable, which sets the port the service listens on. It is recommended that a reverse proxy or load balancer be placed in front of the service to implement SSL and to improve throughput by buffering incoming requests. HA and scaling are also considerations here, but these options are beyond the scope of this guide.
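Because the service is compute-only and needs nothing beyond its installed code, the systemd unit above can be tightened with systemd's sandboxing directives. The unit below is an added example built on the Ubuntu unit from this guide, not Itential's own unit file; the directive set is an assumption about what the service tolerates and should be validated on a test host before rollout (a listener below port 1024 would additionally need CAP_NET_BIND_SERVICE in CapabilityBoundingSet and AmbientCapabilities).

```ini
[Unit]
Description=Itential Policy Engine (sandboxed example unit)
After=network.target

[Service]
Type=simple
Restart=always
RestartSec=1
User=policyengine
Environment="PORT=4567"
ExecStart=/usr/local/bin/service-policy

# The service reads only its installed code and writes nothing,
# so the whole filesystem can be mounted read-only for it.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes

# Deny privilege escalation and drop every capability; the
# default listener port (4567 here) is unprivileged.
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=

# Hide kernel tunables, modules and cgroups; forbid namespaces,
# realtime scheduling and personality changes.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes

# Only IPv4/IPv6 sockets plus AF_UNIX for local resolver/logging;
# restrict syscalls to the set a typical network service needs.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
```

After `sudo systemctl daemon-reload` and a restart, `systemd-analyze security policyengine.service` reports the remaining exposure score so the tightening can be confirmed, and `journalctl -u policyengine` shows whether any directive prevents the service from starting.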
The service provides a healthcheck endpoint for the benefit of load balanced use cases at GET /api/v1.0/healthcheck.