4 Configuring Cloud Native Policy and Charging Rules Function Using Cloud Native Core Console

This chapter describes how to configure different services in Oracle Communications Cloud Native Policy and Charging Rules Function (CNPCRF) and how to create policies and manageable objects in CNPCRF using Oracle Communications Cloud Native Core Console.

Cloud Native Core Console Interface

This section provides an overview of the Oracle Communications Cloud Native Core (CNC) Console, which includes a interface to aid in creating policies and manageable objects in CNPCRF.

To Log in:

1. Open a web browser and enter the IP address of the CNC Console system.

   The login page opens.

2. Enter your Username.
3. Enter your Password.
4. Click Login.
   Tha main page opens.

   Figure 4-1 CNC Console Interface

   
   

   

   
   

   You are logged in. All the PCF related configurations are available in the left navigation menu under PCRF.

Configuring Services and Manageable Objects

This section describes how to create and manage the services and manageable objects that are available to be used in policies.

Managing a Charging Server

This chapter describes how to define and manage charging servers within the CNPCRF GUI. A charging server is an application that calculates billing charges.

To define a charging server:

1. From the navigation pane, under PCRF, then under Configurations, select Charging Servers.
   The Charging Server Management screen appears.
2. Click Add.
   The Create Charging Server page opens.
3. (Required) Enter the Name for the charging server.
   The name can only contain the characters A through Z, a through z, 0 through 9, period (.), hyphen (-), and underline (_).
4. Enter the Description/Location.
   Free-form text that identifies the charging server within the network. Enter up to 250 characters.
5. (Required) Enter the Host Name.
   The FQDN (fully qualified domain name assigned) to the charging server.
6. Enter the Port number on which the charging server is listening for messages.
   If left blank, port 3868 is used.
7. Select the Transport protocol used to communicate with the charging server:
   Available options include:

   • tcp

     Transmission Control Protocol (used with TACACS+)

   • udp

     User Datagram Protocol (used with RADIUS)

     Note:

     If you configure the Transport protocol as udp, you cannot configure the AAA Protocol as diameter.
   • sctp

     Stream Control Transmission Protocol

8. Select the Authentication, Authorization, and Accounting (AAA) Protocol used to communicate with the charging server.
   Available options include:

   • diameter
   • radius
   • tacacs+

   Note:

   If you configure the Transport protocol as udp, you cannot configure the AAA Protocol as diameter.
9. Select if transport Security is used to communicate with the charging server.
10. Click Save.

The charging server is displayed on the Charging Server Management page.

Note:

Use pencil icon or trash bin icon available in the next column to edit or update the created charging server.

Managing Custom AVPs

This chapter describes how to create, modify, and delete custom third-party attribute-value pairs (AVPs) in the CNPCRF User Interface (UI).

In a wireless network, custom AVPs are used to encapsulate protocol-specific data for routing, authentication, authorization, and accounting information.

About Custom AVPs

An attribute-value pair (AVP) is used to encapsulate protocol-specific information with usage monitoring supported by the MPE device. Diameter messages such as RAA, CCA, CCR, and RAR are supported by third-party AVP policy conditions. The supported outgoing Diameter messages set or remove third-party AVPs.

Note:

The Diameter messages listed are examples only. There are many messages associated with Diameter.

You can create policy conditions to evaluate the presence of both standard (base) and third-party AVPs in Diameter messages or group AVPs during policy execution. A policy condition can check for the presence of both standard and third-party AVPs in incoming Diameter messages and evaluate their values. A policy action can use standard and third-party AVPs for routing, authentication, authorization, and accounting.

Standard AVPs can be included in third-party AVP conditions and actions. To include a standard (base) AVP in a nonstandard application message, or to use a pre-standard AVP as a standard AVP, define it as a custom AVP.

When defined, custom AVPs are located at the end of a parent Diameter message or group AVP. If the parent AVP is null, the custom AVP is inserted at the root level of the message. For example, a custom AVP definition appears at the end of this Charging-Rule-Install message:

 Charging-Rule-Install ::= < AVP Header: 1001 >
*[ Charging-Rule-Definition ]
*[ Charging-Rule-Name ]
*[ Charging-Rule-Base-Name ]
[ Bearer-Identifier ]
[ Rule-Activation-Time ]
[ Rule-Deactivation-Time ]
[ Resource-Allocation-Notification ]
[ Charging-Correlation-Indicator ]
*[ customAVP ]

A Set or Get SPR user attribute value can be set to the defined third-party AVP in Diameter messages. You can also set or remove defined third-party AVPs during the execution point.

A third-party AVP is identified by a unique identifier in the following format:

name:vendorId

For example:

Condition

where the request AVP NEW_AVP3:555 value is numerically equal to 2012

Parameters

The AVP name and vendor ID. In the example, the vendor ID is 555.

Description

A well-defined AVP custom name is referred to if the vendor ID is not specified.

When entering and sending a new third-party AVP definition to an MPE or MRA device, the definition must include the AVP name, code, vendor ID, data type, and an optional AVP flag.

Validation of the AVP code, Name, and vendor ID prohibits a user from overwriting the existing base AVPs.

These AVP actions include the ability to perform the following:

• Routing
• Authentication
• Authorization
• Accounting

Creating a Custom AVP

To create a Custom AVP:

1. From the PCRF section of the navigation pane, select Custom AVP under Configurations .
   The Custom AVP Management screen appears.
2. Click Add.
   The Create Custom AVP page opens.
3. Enter information as appropriate:
   1. AVP Name (required) — The name you assign to the AVP.
      The name can only contain the characters A–Z, a–z, 0–9, period (.), hyphen (-), and underline (_). The maximum length is 255 characters.
   2. Description — Free-form text that identifies the AVP.
      Enter up to 250 characters.
   3. AVP Code (required) — A unique numeric value assigned to the new AVP.
   4. Vendor — Select a vendor from the vendor list.
      To add a vendor to the list, see Managing Custom Vendors .
   5. Mandatory Flag (optional) —
   6. Protect Flag (optional) — When checked, specifies the protected AVP values.
   7. May Encrypt Flag — The AVP is encrypted if the checkbox is specified.
   8. Vendor Specific Flag — The AVP is vendor specific if the checkbox is specified.

      Note:

      This box is checked automatically if the value of the vendor ID is not 0.
   9. AVP Type (required) — Select the data type from the list:
      • address
      • enumerated
      • float32
      • float64
      • grouped
      • id
      • int32
      • int64
      • ipFilterRule
      • octetString
      • time
      • uint32
      • uint64
      • uri
      • utf8String
   10. Parent AVP — If the AVP is a member of a grouped AVP, then the parent AVP must be specified. Select one of the following from the list:
   • ADC-Rule-Definition:10415
   • ADC-Rule-Install:10415
   • ADC-Rule-Remove:10415
   • ADC-Rule-Report:10415
   • AF-Correlation-Information:10415
   • Acceptable-Service-Info:10415
   • Access-Network-Charging-Identifier-Gx:10415
   • Access-Network-Charging-Identifier:10415
   • Access-Network-Physical-Access-ID:10415
   • Allocation-Retention-Priority:10415
   • Application-Detection-Information:10415
   • CC-Money
   • Charging-Information:10415
   • Charging-Rule-Definition-3GPP2:5535
   • Charging-Rule-Definition:10415
   • Charging-Rule-Event-Cisco:9
   • Charging-Rule-Event-Trigger-Cisco:9
   • Charging-Rule-Install-3GPP2:5535
   • Charging-Rule-Install:10415
   • Charging-Rule-Remove:10415
   • Charging-Rule-Report-3GPP2:5535
   • Charging-Rule-Report:10415
   • Codec-Data-Tmp:10415
   • Codec-Data:10415
   • Cost-Information
   • Default-EPS-Bearer-Qos:10415
   • E2E-Sequence
   • Envelope:10415
   • Event-Report-Indication:10415
   • Explicit-Route-Record:21274
   • Explicit-Route:21274
   • Failed-AVP
   • Final-Unit-Indication
   • Flow-Description-Info:5535
   • Flow-Description:10415
   • Flow-Grouping:10415
   • Flow-Info:5535
   • Flow-Information:10415
   • Flow:10415
   • G-S-U-Pool-Reference
   • Granted-Qos:5535
   • Granted-Service-Unit
   • Juniper-Discovery-Descriptor:2636
   • Juniper-Provisioning-Descriptor:2636
   • LI-Indicator-Gx:12951
   • LI-TargetMFAddr:12951
   • Media-Component-Description:10415
   • Media-Sub-Component:10415
   • Multiple-Services-Credit-Control
   • Offline-Charging:10415
   • PCEF-Forwarding-Info:971
   • PCEF-Info:971
   • PS-Furnish-Charging-Information:10415
   • PS-information:10415
   • Packet-Filter-Information:10415
   • Qos-Information-3GPP2:5535
   • Qos-Information:10415
   • Qos-Rule-Install:10415
   • Qos-Rule-Definition:10415
   • Qos-Rule-Remove:10415
   • Qos-Rule-Report:10415
   • Reachable-Peer:21274
   • Redirect-Information:10415
   • Redirect-Server
   • Requested-Qos:5535
   • Requested-Service-Unit
   • Service-Information:10415
   • Service-Parameter-Info
   • Siemens-DL-SDP-Data:4329
   • Siemens-UL-SDP-Data:4329
   • Subscription Id
   • Subscription-Id-3GPP:10415
   • Supported-Features:10415
   • TDF-Information:10415
   • TFT-Packet-Filter-Information:10415
   • TMO-Redirect-Server-29168
   • Time-Quota-Mechanism:10415
   • Trigger:10415
   • Tunnel-Header-Filter:10415
   • Unit-Value
   • Usage-Monitoring-Control:21274
   • Usage-Monitoring-Information:10415
   • Used-Service-Unit
   • User-CSG-Information:10415
   • User-Equipment-Info
   • User-Location-Info-3GPP:10415
   • VZW-Access-Network-Physical-Access-ID:12951
   • Vendor-Specific-Application-Id
   • Vzw-Trigger:12951
4. Click Save.
5. If the AVP name matches the name of a standard AVP, a confirmation message displays. Click OK to overwrite the existing AVP.

The AVP is created.

Modifying an AVP

To modify an AVP:

1. From the PCRF section of the navigation pane, select Custom AVP under Configurations .
   The Custom AVP Management page opens in the work area, listing the defined AVPs.
2. From the work area, click (pencil icon), located to the right of the AVP.
   The Edit Custom AVP page opens.
3. Modify AVP information as required.
   For a description of the fields contained on this page, see Creating a Custom AVP.
4. Click Save.

The AVP is modified.

Deleting an AVP

To delete an AVP:

1. From the PCRF section of the navigation pane, select Custom AVP under Configurations .
   The Custom AVP Management page opens in the work area, listing the defined AVPs.
2. From the work area, click (trash can icon), located to the right of the AVP.
   A confirmation message displays.
3. Click OK.

The AVP is deleted.

Managing Custom Vendors

This chapter describes how to create, modify, and delete custom vendor definitions in the CNPCRF User Interface (UI).

Custom vendors are used in RADIUS Change of Authorization (CoA) messages.

About Custom Vendors

A custom vendor is used to define a vendor in the CNPCRF system. This dictionary includes vendor IDs and text descriptions. You can define custom vendors and add them to the dictionary.

Creating a Custom Vendor

To create a custom vendor:

1. From the PCRF section of the navigation pane, select Custom Vendor under Configurations .
   The Custom Vendor Management screen appears.
2. Click Add.
   The Create Custom Vendor page opens.
3. Enter information as appropriate:
   1. Name (required) — The name you assign to the vendor.
      The name can only contain the characters A–Z, a–z, 0–9, period (.), hyphen (-), and underline (_).
   2. Description — Free-form text that identifies the vendor.
      Enter up to 250 characters.
   3. Vendor Id — Enter the vendor ID.
      Enter a positive integer.
4. Click Save.

The vendor is created.

Modifying a Custom Vendor

To modify a custom vendor definition:

1. From the PCRF section of the navigation pane, select Custom Vendor under Configurations .
   The Custom Vendor Management page opens in the work area, listing the defined vendors.
2. From the work area, click (pencil icon), located to the right of the vendor.
   The Edit Custom Vendor page opens.
3. Modify Vendor information as required.
   For a description of the fields contained on this page, see Creating a Custom Vendor .
4. Click Save.

The Vendor is modified.

Deleting a Custom Vendor

You cannot delete a custom vendor definition that is used in a CoA template.

To delete a custom vendor definition:

1. From the PCRF section of the navigation pane, select Custom Vendor under Configurations .
   The Custom Vendor Management page opens in the work area, listing the defined vendors.
2. From the work area, click (trash can icon), located to the right of the vendor.
   A confirmation message displays.
3. Click OK.

The custom vendor definition is deleted.

Creating a Media Profile

This section defines how to manage media profiles in the CNPCRF GUI. In a cable network, a media profile describes a CODEC supported for Rx-to-PCMM translation.

Note:

Media Profiles is a function that is applicable to Cable mode only.

To create a media profile:

1. From the navigation pane, under PCRF, then under Configurations, select Media Profiles.
   The Media Profile Management screen appears.
2. Click Add.
   The Create Media Profile page opens.
3. Enter the following information:
   1. ID — Unique ID assigned to the media profile.
   2. Name — Unique name assigned to the media profile.
   3. Description — specifies the description of the media profile.
   4. Codec Name — Unique media subtype assigned to the media profile.
      This is defined in the IANA MIME registration for the CODEC. Enter a string of up to 255 characters.
   5. Transport Type — Select from the following:
      • RTP/AVP (default) — RTP audio-video profile.
      • RTP/SAVP — RTP secure audio-video profile.
      • RTP/AVPF — RTP extended audio-video profile with feedback.
   6. Payload Number — The payload number.
      Valid payload numbers range from 0 through 127. Enter -1 to indicate an unknown payload number.

      Note:

      You cannot add a CODEC that is predefined with a payload number in the range of 0 to 96.
   7. Sample Rate (kHz) — The sampling rate of the CODEC in KHz.
      The valid range is an integer from 1 through 100 KHz.
   8. Frame Size in Milliseconds — The size of one audio frame in milliseconds.
      This is the length of time represented by one audio frame. A single RTP packet may contain multiple audio frames. The bitrate is calculated using the frame size in milliseconds, the frame size in bytes, and the packetization time. The valid range is 0 through 100 ms.
   9. Frame Size in Bytes — The size of one audio frame size in bytes.
      This is the size represented by one audio frame. A single RTP packet may contain multiple audio frames. The bitrate is calculated using the frame size in milliseconds, the frame size in bytes, and the packetization time. The valid range is 1 through 1,500 bytes.
   10. Packetization Time — The length of time, in milliseconds, represented by the media in a packet.
       The bitrate is calculated using the frame size in milliseconds, the frame size in bytes, and the packetization time. The valid range is 1 through 100.
   11. Always Use Default Ptime — Select to always use the default packetization time, ignoring the value received in the SDP message.
       The default is unchecked.
4. Click Save.

The media profile is created.

Note:

Use pencil icon or trash bin icon available in the next column to edit or update the created media profile.

Session Viewer

The Session Viewer displays detailed session information for a specific subscriber. Within the session viewer, you can enter query parameters to render session data for a specific subscriber. This section provides information about viewing the sessions.

To view the sessions:

1. From the navigation menu, under PCRF, click Session Viewer. The Session Viewer page appears.
2. From the Identifier Type drop-down menu, select the identifier type for the selected session type. Possible values are:
   • DIAMETER SESSION ID
   • IMSI
   • MSISDN
   • IPV4
3. Enter the value in the Identifier Value field for the selected identifier type.
4. Click Query. Information about the subscriber session(s) is displayed.

If session data is not available, the error is displayed along with No session found.

Configuring Core Service

You can configure the CNPCRF core service from this page.

To configure the Core Service:

1. From the navigation menu, under PCRF, then under Services , click Core Service.

   The Core Service screen appears.

2. Click Edit to edit the core service configurations. This enables the Add button in Advance Settings group.
3. Click Add. The Add Advanced Settings window opens.
4. Enter the values in Key and Value fields.
5. Click Save.

Managing Policy

Cloud Native Policy and Charging Rules Function (CNPCRF) offers a Policy Design editor based on Blockly interface. You can create and manage a policy project for PCRF core service.

Settings

You can manage and view the CNPCRF supported services from this page.

To edit the Settings:

1. From the navigation menu, under Policy Management, click Settings.

   The Policy Runtime Environment screen appears.

2. Click Edit to edit the settings.
3. Enter the value in Log Level field. The default value is WARN.
4. Click Add in the Supported Services group.

   The Add Supported Services screen appears.

5. Enter the following information to create service:
   • Service Name: Enter the service name.
   • Service Label: Enter the service label.
   • Relative URL: Enter the relative URL.
6. Click Save. The services get listed in the Supported Services list. The supported services are pcrf-core and pds.

Note:

Use Edit or Delete buttons available in the next column to update or delete the services.

Creating a Policy Project

To create a policy project:

1. From the Policy Management section of the navigation pane, select Policy Projects.
2. Click Create.

   The Create Project window opens.

3. In the Name field, enter the name for the project.
4. In the Description field, enter the description for the project.
5. In the Service Type, select the service from list of services already created in Settings section.
6. Click Save.

   The policy project is created.

7. Select the policy project created and click Open. This opens a Blockly editor.

   You can construct one or more policies as required using the building blocks provided in the Left Side Panel of the editor construct one or more Policies as required.

   The following screen capture shows an example of how the policies can be created using the building blocks.

   
8. Click Save.

   The policy for the selected policy project is created.

Managing State Variables

State Variables are set within a policy action to be used at a later time during policy rule execution (in either conditions or actions). The names of these variables are not predefined and are determined at the time of creation. State variables have a scope which determines how long the value persists after it is set. The scopes are:

• Subscriber Policy Evaluation State Variables — This variable exists locally and has a value as long as the associated subscriber has at least one session. After the last session is terminated these variables no longer have value and will no longer be available for use in policies.
• Session State Variables — This variable has a value that is saved as long as the session the variable is associated with is still valid. After the session is terminated, this variable no longer has value and will no longer be available for use in policies.
• Policy Evaluation State Variables — This variable are available for the lifetime of a policy evaluation cycle (the process of evaluating all the policies for a single request or context)
• Data Source State Variables —

Note:

State Variables are only supported for Session Management service.

Creating State Variables Condition

You can use the default blocks provided in Variables section to create state variables condition. However, the following blocks in the State Variables section under the Public section can also be used to create these conditions:

Syntax

operation variable-name in scope context

Parameters

operation

One of the following:

• Save- To save the state variable in a specific context.
• Load- To load the state variable from the selected context into policy evaluation.
• Remove- To remove the state variable from the selected context.
• Remove All- To remove all the state variable from the selected context

variable-name

String. Specifies name of the state variable.

Scope

One of the following:

• Policy- Policy evaluation variables that last only for the duration of policy evaluation cycle.
• Session- Session variables that have a value as long as the session they are associated with is open.
• Subscriber- Subscriber variables that are associated with a subscriber that has at least one session.
• Data source

Data Model

You can create and manage sample attributes for policy. This is used for testing the policies.

To create the Data Model from this page:

1. From the navigation menu, under System Administration, click Data Model.
   The Data Model Management screen appears with the listing of all the attributes created. You can create or import new attributes from this page.

   Note:

   Click the Export button to download the available listings to your system.
2. Click Add.

   The Create Data Model screen appears.

3. On the Create Data Model screen, enter values for the input fields.
   The following table describes the fields:

   Field Name	Description
   ID	ID of the attribute, not displayed on the GUI.
   Name	Name of the attribute, not displayed on the GUI.
   Label Name	Name of the attribute, displayed on the GUI.
   Description	Description of the attribute
   Type	Select one of the values: enum or object

4. In the Fields group, click Add to add the field details:
   1. Enter the applicable values in the input fields available on the window.

      The following table describes the fields:

      Field Name	Description
      Name	Name of the field, not displayed on the GUI.
      Description	Description of the field
      Label Name	Name of the field, displayed on the GUI.
      Type	Select either of the values from drop-down (primitive, object, array)
      Primitive Type	Defines the primitive type
      Units	Specifies the units
      Object Type	Defines the object type
      Item Type
      Type	Select either of the values from drop-down (primitive, object)
      Primitive Type	Defines the primitive type
      Object Type	Defines the object type

      Note:

      Click Remove to cancel the changes.
   2. Click Save.
5. In the Enum Items group, click Add to add the field details:
   1. Enter the applicable values in the input fields available on the window.

      The following table describes the fields:

      Field Name	Description
      Name	Name of the field, not displayed on the GUI.
      Value	Specify the value.

   2. Click Save.
6. Click Save.
   The value gets listed on the Data Model Management screen.

   Note:

   Use Edit or Delete buttons available in the next column to update or delete the listing.

Importing the Data Model

To import the session rules:

1. Click Import.

   The File Upload window appears on the screen.

2. Upload the files in required format by clicking Drop Files here or click to upload.

Configuring Policy Common Configurations

This chapter describes how to configure the managed objects which are common to Policy Control Function and Cloud Native Policy Charging and Rules Function.

Connecting to LDAP Data Source

PCRF-core establishes connections with data sources to retrieve information about subscribers from the database. The PCRF-core queries a data source using a key attribute that uniquely identifies a subscriber and stores the results in its cache. A data source uses this key attribute (for example, the phone or account number of the subscriber) to index the information contained in the database.

Oracle Communications Cloud Native Core Policy and Charging Rule Function (PCRF) supports Lightweight Directory Access Protocol (LDAP) data source. Based on the conditions implemented in CNPCRF system, Policy Data Source (PDS) would retrieve all the relevant information from LDAP data source based on the rules configured in the system through LDAP gateway.

LDAP credentails are stored as kubernetes secret along with Authentication DN and LDAP name. You must create a kuberenetes secret to store LDAP credentials before setting a PDS as LDAP data source.

To create a kubernetes secret for storing LDAP credentails:

1. Create a yaml file with the following syntax:

   apiVersion: v1
   kind: Secret
   metadata:
     name: ldapsecret
     labels:
       type: ocpm.secret.ldap
   type: Opaque
   stringData:
     name: "ldap1"
     password: "camiant"
     authDn: "uid=PolicyServer,ou=vodafone,c=hu,o=vodafone"

   where, name is the configured LDAP server name.

   password is the LDAP credential for that data source.

   authDN is the authentication DN for that LDAP datsource.

   Note:

   For different LDAP data sources more entries can be added in above format only the key of the entry should be the ldap name specified in CNPCRF Graphical User Interface (GUI).
2. Create the secret by executing the following command:

   kubectl apply -f yaml_file_name -n pcrf-namespace

   where:

   yaml_file_name is a name of the yaml file that is created in step 1.

   pcrf-namespace is the deployment namespace used by the helm command.

To set Policy Data Source as LDAP Data Source using CNPCRF GUI:

1. Add LDAP data source. To add LDAP source, From the navigation menu, under Common Policy Configuration, then under Data Source Configurations, click Data Sources. In the Type drop-down list, select LDAP.

   The following screen capture shows the example of adding LDAP data source in GUI:

   In the above example, LDAP datasource with name LDAP1 is created.
2. Edit thepcrf-core deployment file in vi editor to enable policy data source:

   - name: SH_ENABLED
             value: "false"
           - name: SY_ENABLED
             value: "false"
           - name: USERSERVICE_ENABLED
             value: "true"

3. Create pds service type in CNPCRF system. To create pds service type, From the navigation menu, under Policy Management, click Settings . On Settings page, click Add to create pds service type.

   The following screen capture shows the example of creating pds service type in GUI:

   In the above example, pds service type is created.

   Note:

   The service name should be entered as pds.
4. Create Policy Project with pds Service Type. From the navigation menu, under Policy Management, click Policy Projects. On Policy Projects page, click Create to create policy project. While creating a policy project select pds as a service type.

   The following screen capture shows the example of creating policy project with pds service type in GUI:

   In the above example, s policy project is created with pds service type.
5. Create policy action and condition in previously created policy project. Click Open for the selected policy project and you can see the project is a file. You can create the policy action and condition by using the different blocks available under Conditions and Actions under PDS.

   The following screen capture shows the example of creating policy action and condition in GUI:

   

   In the above example, if request received for configured IMSI ranges between 404050000000001 and 404050000000001, then PCF will forward request to PDS and PDS will forward the request to LDAP gateway to lookup user information in LDAP1.

Managing Match Lists

In a wireless network, a match list is a set of defined values that can represent, for example, IDs or Internet addresses. Match lists provide whitelist and blacklist functions in policy rules. Match lists support wildcard matching.

A match list is a set of values in various categories, including access point names (APNs), subscriber IMSIs, location area codes (LACs), service area codes (SACs), Internet addresses, and user equipment identities. A match list can function as a whitelist (listing items to be included) or a blacklist (listing items to be excluded). By using a match list, you can, for example, apply a policy to all subscribers in a set of LACs, or block access to a list of Internet addresses known to be high risk. Match lists support wildcards. Using wildcards, a range of values can be specified compactly.

Creating a Match List

To create a match list:

1. From the navigation pane, under Policy Common Configurations, select Match List.

   The Match List Management page opens in the work area.

2. Click Create.

   The Create Match List page opens.

3. Enter the following information:
   • ID: The ID assigned to the match list.
   • Name: The name assigned to the match list.

     The name can only contain the characters A-Z, a-z, 0-9, period (.), hyphen (-), and underline (_). The maximum length is 40 characters.

   • Description: Free-form text
   • Type: Select from the following:
     • string (default) - The list consists of strings.
     • wildcard string - The list consists of wildcard match patterns that use an asterisk (*) to match zero or more characters or a question mark (?) to match exactly one character.
   • Items:
4. Click Save.

The match list is defined in the database and can now be used in a policy.

Modifying a Match List

To modify a match list:

1. From the navigation pane, under Policy Common Configurations, select Match List.

   The Match List Management page opens in the work area, displaying the list of defined match lists.

2. Select the match list you want to modify.
3. Click Edit.

   The Edit Match List page opens.

4. Modify match list information as required.
5. Click Save.

   The match list is modified.

Deleting a Match List

To delete a match list:

1. From the navigation pane, under Policy Common Configurations, select Match List.

   The Match List Management page opens in the work area, displaying the list of defined match lists.

2. Select the match list you want to delete.
3. Click Delete.

   A confirmation message displays.

4. Click OK.

   The match list is deleted.

Importing the Match Lists

To import the match lists:

1. Click Import.

   The File Upload window appears on the screen.

2. Upload the files in required format by clicking Drop Files here or click to upload.

Exporting the Match Lists

You can export the match lists by clicking Export All. The Match Lists will be downloaded in a local machine.

Importing Configurable Objects

This section describes how to perform a bulk import of configurable objects into the system.

Importing Configuration Object Files

To import json or ZIP files:

1. From the navigation pane, under Policy Common Configurations, click Bulk Import.

   The Upload option appears on the screen.

2. Click Upload.

   Locate the file to be imported.

3. Select a processing option to use to Handle collisions between imported items and existing items:
   • Delete all before importing The system deletes all objects for each object type matching the import file before importing the object type json file.

     Attention: This import strategy can result in object inconsistency. For example, if you import a ZIP file that only contains traffic profiles, all the traffic profiles are deleted first. However, if existing policies depend on the existing traffic profiles, and the import file does not contain them, the policies can become invalid.

   • Overwrite with imported version For each object in the import file, if the object exists in the system, the import updates the object with the configuration contained in the import file. If an object does not exist, the system adds the object to the system.
4. Click Import.

The configuration objects and their configuration settings are imported into the database. After the import is complete, the window reports the results for each json file contained in the ZIP file.

Exporting Configurable Objects

This section describes how to perform a bulk export of configurable objects.

Exporting All Configuration Object Files

To export all configuration objects:

1. From the navigation pane, under Policy Common Configurations, click Bulk Export.

   The Export All option appears on the screen.

2. Click Export All .

   A ZIP file is downloaded to your local computer.