Python policies and Python script policies

Overview

A Python policy references one or more Python script policies in the NFM-P, and associates each with a message (RADIUS or other). Each message entry is configured to act on either ingress or egress traffic.

A Python script policy is configured on a Python policy. A Python script policy is used to specify the location of a Python script. The Python script policy specifies three possible URL locations for the script (for example, a local CF card or a remote FTP server). The system picks the first URL that establishes a valid connection. The Python script policy also specifies the method used to ensure the integrity and/or the confidentiality of the content of a Python script, and the action taken when the defined RADIUS message type fails.

A Python script policy can be configured with a script protection key that is shared with the script protection configuration on an NE. If Python script protection is configured, the NE is configured with the same protection key, along with the source URL of the Python script, and the destination URL where the protected script is stored.

A Python policy message entry can be used, for example, to modify RADIUS messages of a RADIUS proxy server, change the RADIUS attributes of the different RADIUS messages, or to process DHCP messages for an interface. A Python policy message entry of the type Syslog can be used to customize the formatting of syslog messages carrying NAT information. Python policies can be configured on the following object types:

• RADIUS server or RADIUS proxy server on a base routing instance ( To configure a RADIUS server on a routing instance and To configure a RADIUS proxy server on a routing instance)

• RADIUS server policy ( To configure a RADIUS server policy)

• IES group interface ( To configure a group interface on an IES)

• VPRN group interface ( To configure a group interface on a VPRN)

A Python policy can be configured with a cache in which script message strings are saved. Other scripts can be configured to retrieve the strings. This functionality is not limited to a particular service type. For example, a RADIUS Python script could save an SLA profile name provided in RADIUS Access-Accept message to the cache, and a DHCP Discovery script could retrieve it. The Python cache is configured with a maximum number of entries, and a maximum size for each entry. The lifespan of cache entries is also configurable.

Each local definition of a distributed (global) Python policy can be configured with a Python cache peer object, which specifies the IP address of an MC redundancy synchronization peer and its associated synchronization tag.

A Python policy can be associated with an ISA-WLAN GW group or and ISA-NAT group, in which case the policy acts as an ISA Python policy. This means that all Python scripts associated with the Python policy are loaded into ISA memory, depending on the state of the Python script (shutdown or not shutdown), and its association with a Python policy.