see #2295 added FWSM version 3.2

2026-05-01 14:47:27 +02:00 · 2011-04-14 16:34:38 -07:00 · 2011-04-14 16:34:38 -07:00 · 0a50274c28
commit 0a50274c28
parent 9fd0a00218
53 changed files with 1782 additions and 94 deletions
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,5 +1,8 @@
 2011-04-14  vadim  <vadim@netcitadel.com>

+	* platform/fwsm.xml: see #2295 Added FWSM version "3.2". According to
+	Cisco documentation, FWSM version 3.2 matches PIX 7.
+
 	* platform/pix.xml: see #2348: "Accounting action is not valid for
 	FWSM platform". Actions "Accounting" and "Reject" should not
 	appear in the drop-down list of actions in the GUI if platform is
--- a/src/cisco_lib/NamedObjectsManager.cpp
+++ b/src/cisco_lib/NamedObjectsManager.cpp
@ -179,14 +179,16 @@ string NamedObjectsManager::getClearCommands()
 BaseObjectGroup* NamedObjectsManager::createObjectGroup()
 {
    BaseObjectGroup *grp = NULL;
-    if (platform == "pix" || platform == "fwsm")
+    if (platform == "pix")
    {
        if (XMLTools::version_compare(version, "8.0")<0)
            grp = new PIXObjectGroup();
        else
            grp = new ASA8ObjectGroup();
-
    }
+
+    if (platform == "fwsm") grp = new PIXObjectGroup();
+
    if (platform == "iosacl") grp = new IOSObjectGroup();

    assert(grp!=NULL);
--- a/src/cisco_lib/OSConfigurator_pix_os.cpp
+++ b/src/cisco_lib/OSConfigurator_pix_os.cpp
@ -233,14 +233,18 @@ string OSConfigurator_pix_os::_printInterfaceConfiguration()

        if (host_os == "pix_os")
        {
-            if (XMLTools::version_compare(version, "7.0") < 0)  configlet_name += "6";
-            if (XMLTools::version_compare(version, "7.0") >= 0) configlet_name += "7";
+            if (XMLTools::version_compare(version, "7.0") < 0)
+                configlet_name += "6";
+            if (XMLTools::version_compare(version, "7.0") >= 0)
+                configlet_name += "7";
        }

        if (host_os == "fwsm_os")
        {
-            if (XMLTools::version_compare(version, "4.0") < 0)  configlet_name += "2";
-            if (XMLTools::version_compare(version, "4.0") >= 0) configlet_name += "4";
+            if (XMLTools::version_compare(version, "3.2") < 0)
+                configlet_name += "2";
+            if (XMLTools::version_compare(version, "3.2") >= 0)
+                configlet_name += "3_2";
        }

        cnf = new Configlet(fw, "pix_os", configlet_name);
@ -317,8 +321,8 @@ string OSConfigurator_pix_os::_printFailoverConfiguration()

    if (host_os == "fwsm_os")
    {
-        if (XMLTools::version_compare(version, "4.0") < 0)  configlet_name += "2";
-        if (XMLTools::version_compare(version, "4.0") >= 0) configlet_name += "4";
+        if (XMLTools::version_compare(version, "3.2") < 0)  configlet_name += "2";
+        if (XMLTools::version_compare(version, "3.2") >= 0) configlet_name += "3_2";
    }

    Configlet cnf(fw, "pix_os", configlet_name);
@ -541,7 +545,7 @@ string OSConfigurator_pix_os::_printSNMP()
    // for pix
    bool version_ge_70 = XMLTools::version_compare(version, "7.0") >= 0;
    // for fwsm
-    bool version_ge_40 = XMLTools::version_compare(version, "4.0") >= 0;
+    bool version_ge_32 = XMLTools::version_compare(version, "3.2") >= 0;

    Configlet cnf(fw, "pix_os", "snmp");
    cnf.removeComments();
@ -549,8 +553,8 @@ string OSConfigurator_pix_os::_printSNMP()

    cnf.setVariable("pix_version_lt_70", ! version_ge_70);
    cnf.setVariable("pix_version_ge_70",   version_ge_70);
-    cnf.setVariable("fwsm_version_lt_40", ! version_ge_40);
-    cnf.setVariable("fwsm_version_ge_40",   version_ge_40);
+    cnf.setVariable("fwsm_version_lt_32", ! version_ge_32);
+    cnf.setVariable("fwsm_version_ge_32",   version_ge_32);

    bool set_communities = fw->getOptionsObject()->getBool(
        "pix_set_communities_from_object_data");
@ -622,15 +626,15 @@ string OSConfigurator_pix_os::_printNTP()
    // for pix
    bool version_ge_70 = XMLTools::version_compare(version, "7.0") >= 0;
    // for fwsm
-    bool version_ge_40 = XMLTools::version_compare(version, "4.0") >= 0;
+    bool version_ge_32 = XMLTools::version_compare(version, "3.2") >= 0;

    Configlet cnf(fw, "pix_os", "ntp");
    cnf.removeComments();
    cnf.collapseEmptyStrings(true);
    cnf.setVariable("pix_version_lt_70", ! version_ge_70);
    cnf.setVariable("pix_version_ge_70",   version_ge_70);
-    cnf.setVariable("fwsm_version_lt_40", ! version_ge_40);
-    cnf.setVariable("fwsm_version_ge_40",   version_ge_40);
+    cnf.setVariable("fwsm_version_lt_32", ! version_ge_32);
+    cnf.setVariable("fwsm_version_ge_32",   version_ge_32);

    string ntp_server_1=fw->getOptionsObject()->getStr("pix_ntp1");
    bool   ntp1_pref=fw->getOptionsObject()->getBool("pix_ntp1_pref");
@ -827,15 +831,15 @@ string OSConfigurator_pix_os::_printSSHConfiguration()
    // for pix
    bool version_ge_70 = XMLTools::version_compare(version, "7.0") >= 0;
    // for fwsm
-    bool version_ge_40 = XMLTools::version_compare(version, "4.0") >= 0;
+    bool version_ge_32 = XMLTools::version_compare(version, "3.2") >= 0;

    Configlet cnf(fw, "pix_os", "ssh");
    cnf.removeComments();
    cnf.collapseEmptyStrings(true);
    cnf.setVariable("pix_version_lt_70", ! version_ge_70);
    cnf.setVariable("pix_version_ge_70",   version_ge_70);
-    cnf.setVariable("fwsm_version_lt_40", ! version_ge_40);
-    cnf.setVariable("fwsm_version_ge_40",   version_ge_40);
+    cnf.setVariable("fwsm_version_lt_32", ! version_ge_32);
+    cnf.setVariable("fwsm_version_ge_32",   version_ge_32);

    cnf.setVariable("clear", 1);
    cnf.setVariable("use_scp", fw->getOptionsObject()->getBool("use_scp"));
--- a/src/res/configlets/fwsm_os/failover_commands_3_2
+++ b/src/res/configlets/fwsm_os/failover_commands_3_2
--- a/src/res/configlets/fwsm_os/failover_interface_3_2
+++ b/src/res/configlets/fwsm_os/failover_interface_3_2
--- a/src/res/configlets/fwsm_os/regular_interface_3_2
+++ b/src/res/configlets/fwsm_os/regular_interface_3_2
--- a/src/res/configlets/fwsm_os/snmp
+++ b/src/res/configlets/fwsm_os/snmp
@ -13,10 +13,10 @@
 ##

 {{if clear}}
-{{if fwsm_version_lt_40}}
+{{if fwsm_version_lt_32}}
 clear snmp-server
 {{endif}}
-{{if fwsm_version_ge_40}}
+{{if fwsm_version_ge_32}}
 clear config snmp-server
 {{endif}}
 {{endif}}
--- a/src/res/configlets/fwsm_os/ssh
+++ b/src/res/configlets/fwsm_os/ssh
@ -13,10 +13,10 @@
 ##

 {{if clear}}
-{{if fwsm_version_lt_40}}
+{{if fwsm_version_lt_32}}
 clear ssh
 {{endif}}
-{{if fwsm_version_ge_40}}
+{{if fwsm_version_ge_32}}
 clear config ssh
 {{endif}}
 {{endif}}
--- a/src/res/configlets/fwsm_os/vlan_parent_interface_3_2
+++ b/src/res/configlets/fwsm_os/vlan_parent_interface_3_2
--- a/src/res/configlets/fwsm_os/vlan_subinterface_3_2
+++ b/src/res/configlets/fwsm_os/vlan_subinterface_3_2
--- a/src/res/platform/fwsm.xml
+++ b/src/res/platform/fwsm.xml
@ -10,7 +10,7 @@
      <diff>fwb_pix_diff</diff>
      <supported_os>fwsm_os</supported_os>

-      <versions>2.3,4.x</versions>
+      <versions>2.3,3.2,4.x</versions>

      <options>
        <default>
@ -127,6 +127,106 @@ nameif %in %il security%sl
        </version_2.3>


+        <version_3.2>
+          <pix_emulate_out_acl>true</pix_emulate_out_acl>
+          <pix_generate_out_acl>true</pix_generate_out_acl>
+          <pix_include_comments>true</pix_include_comments>
+          <pix_use_acl_remarks>true</pix_use_acl_remarks>
+          <pix_add_clear_statements>true</pix_add_clear_statements>
+          <pix_assume_fw_part_of_any>true</pix_assume_fw_part_of_any>
+          <pix_floodguard_supported>false</pix_floodguard_supported>
+          <pix_floodguard>true</pix_floodguard>
+          <pix_default_loglevel>info</pix_default_loglevel>
+          <pix_default_logint>300</pix_default_logint>
+          <pix_emblem_log_format>true</pix_emblem_log_format>
+          <pix_rule_syslog_settings>true</pix_rule_syslog_settings>
+          <pix_syslog_device_id_supported>true</pix_syslog_device_id_supported>
+          <pix_security_fragguard_supported>false</pix_security_fragguard_supported>
+          <pix_route_dnat_supported>false</pix_route_dnat_supported>
+          <pix_outbound_acl_supported>true</pix_outbound_acl_supported>
+          <pix_timeout_rpc_is_sunrpc>true</pix_timeout_rpc_is_sunrpc>
+          <pix_object_groups_supported>true</pix_object_groups_supported>
+          <pix_resetoutside_supported>false</pix_resetoutside_supported>
+
+          <pix_commands>
+            <clear_acl>clear config access-list</clear_acl>
+            <clear_og>clear config object-group</clear_og>
+            <clear_icmp>clear config icmp</clear_icmp>
+            <clear_telnet>clear config telnet</clear_telnet>
+            <clear_ssh>clear config ssh</clear_ssh>
+            <clear_xlate>clear xlate</clear_xlate>
+            <clear_static>clear config static</clear_static>
+            <clear_global>clear config global</clear_global>
+            <clear_nat>clear config nat</clear_nat>
+            <clear_ntp>clear ntp</clear_ntp>
+            <clear_snmp>clear snmp-server</clear_snmp>
+
+            <ip_addr_static>
+ip address %il %a %n
+            </ip_addr_static>
+            <ip_addr_dyn>
+ip address %il dhcp setroute retry 10
+            </ip_addr_dyn>
+            <nameif>
+nameif %in %il security%sl
+            </nameif>
+          </pix_commands>
+    
+          <timeouts>
+              <xlate_hh>3</xlate_hh>
+              <xlate_mm>0</xlate_mm>
+              <xlate_ss>0</xlate_ss>
+      
+              <conn_hh>1</conn_hh>
+              <conn_mm>0</conn_mm>
+              <conn_ss>0</conn_ss>
+      
+              <udp_hh>0</udp_hh>
+              <udp_mm>2</udp_mm>
+              <udp_ss>0</udp_ss>
+      
+              <rpc_hh>0</rpc_hh>
+              <rpc_mm>10</rpc_mm>
+              <rpc_ss>0</rpc_ss>
+      
+              <h323_hh>0</h323_hh>
+              <h323_mm>5</h323_mm>
+              <h323_ss>0</h323_ss>
+      
+              <sip_hh>0</sip_hh>
+              <sip_mm>30</sip_mm>
+              <sip_ss>0</sip_ss>
+      
+              <sip_media_hh>0</sip_media_hh>
+              <sip_media_mm>2</sip_media_mm>
+              <sip_media_ss>0</sip_media_ss>
+      
+              <half-closed_hh>0</half-closed_hh>
+              <half-closed_mm>10</half-closed_mm>
+              <half-closed_ss>0</half-closed_ss>
+
+              <uauth_hh>2</uauth_hh>
+              <uauth_mm>0</uauth_mm>
+              <uauth_ss>0</uauth_ss>
+              <uauth_abs>True</uauth_abs>
+              <uauth_inact>False</uauth_inact>
+      
+            <telnet_timeout>5</telnet_timeout>
+            <ssh_timeout>5</ssh_timeout>
+          </timeouts>
+        
+          <fixups>
+            <list>dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup</list>
+
+            <use_fixup_commands>false</use_fixup_commands>
+            <use_mpf_policy_map>true</use_mpf_policy_map>
+            <use_policy_map_type_inspect>true</use_policy_map_type_inspect>
+
+          </fixups>
+
+        </version_3.2>
+
+
        <version_4.x>
          <pix_emulate_out_acl>true</pix_emulate_out_acl>
          <pix_generate_out_acl>true</pix_generate_out_acl>
--- a/test/pix/cluster1-1_pix1.fw.orig
+++ b/test/pix/cluster1-1_pix1.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:51 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:44 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/cluster1-1_pix2.fw.orig
+++ b/test/pix/cluster1-1_pix2.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:51 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:44 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/cluster1_pix1.fw.orig
+++ b/test/pix/cluster1_pix1.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:51 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:44 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/cluster1_pix2.fw.orig
+++ b/test/pix/cluster1_pix2.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:51 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:44 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/firewall.fw.orig
+++ b/test/pix/firewall.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:34 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:30 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall1.fw.orig
+++ b/test/pix/firewall1.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:34 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:30 2011 PDT by vadim
 !
 ! Compiled for pix 6.1
 ! Outbound ACLs: not supported
--- a/test/pix/firewall10.fw.orig
+++ b/test/pix/firewall10.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:35 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:30 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall11.fw.orig
+++ b/test/pix/firewall11.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:35 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:30 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall12.fw.orig
+++ b/test/pix/firewall12.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:36 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:31 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall13.fw.orig
+++ b/test/pix/firewall13.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:36 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:31 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall14.fw.orig
+++ b/test/pix/firewall14.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:37 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:32 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall2.fw.orig
+++ b/test/pix/firewall2.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:37 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:32 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall20.fw.orig
+++ b/test/pix/firewall20.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:37 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:32 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall21-1.fw.orig
+++ b/test/pix/firewall21-1.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:38 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:33 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall21.fw.orig
+++ b/test/pix/firewall21.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:38 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:33 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/firewall22.fw.orig
+++ b/test/pix/firewall22.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:39 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:33 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/firewall23.fw.orig
+++ b/test/pix/firewall23.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:39 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:34 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall3.fw.orig
+++ b/test/pix/firewall3.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:40 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:34 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall33.fw.orig
+++ b/test/pix/firewall33.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:40 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:34 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall34.fw.orig
+++ b/test/pix/firewall34.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:40 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:35 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall4.fw.orig
+++ b/test/pix/firewall4.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:41 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:35 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall50.fw.orig
+++ b/test/pix/firewall50.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:41 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:36 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/firewall6.fw.orig
+++ b/test/pix/firewall6.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:41 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:36 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall8.fw.orig
+++ b/test/pix/firewall8.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:42 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:36 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall80.fw.orig
+++ b/test/pix/firewall80.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:43 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:37 2011 PDT by vadim
 !
 ! Compiled for pix 8.2
 ! Outbound ACLs: supported
--- a/test/pix/firewall81.fw.orig
+++ b/test/pix/firewall81.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:43 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:37 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/firewall82.fw.orig
+++ b/test/pix/firewall82.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:43 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:38 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/firewall83.fw.orig
+++ b/test/pix/firewall83.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:44 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:38 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/firewall9.fw.orig
+++ b/test/pix/firewall9.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:44 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:38 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall90.fw.orig
+++ b/test/pix/firewall90.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:45 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:39 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/firewall91.fw.orig
+++ b/test/pix/firewall91.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:45 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:39 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/firewall92.fw.orig
+++ b/test/pix/firewall92.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:46 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:39 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/firewall93.fw.orig
+++ b/test/pix/firewall93.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:46 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:40 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/firewall94.fw.orig
+++ b/test/pix/firewall94.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:47 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:40 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/fwsm1.fw.orig
+++ b/test/pix/fwsm1.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:48 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:41 2011 PDT by vadim
 !
 ! Compiled for fwsm 2.3
 ! Outbound ACLs: supported
--- a/test/pix/fwsm2.fw.orig
+++ b/test/pix/fwsm2.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:48 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:41 2011 PDT by vadim
 !
 ! Compiled for fwsm 4.x
 ! Outbound ACLs: supported
--- a/test/pix/fwsm3.fw.orig
+++ b/test/pix/fwsm3.fw.orig
@ -3,9 +3,9 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:49 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:42 2011 PDT by vadim
 !
-! Compiled for fwsm 4.x
+! Compiled for fwsm 3.2
 ! Outbound ACLs: supported
 ! Emulate outbound ACLs: yes
 ! Generating outbound ACLs: no
@ -13,9 +13,10 @@
 !
 !# files: * fwsm3.fw
 !
-! using manual commit mode
-

+! C fwsm3:Policy:18: error: Rule '18 (global)' shadows rule '20 (global)'  below it
+! C fwsm3:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings
+! C fwsm3:Policy:13: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule

 !
 ! Prolog script:
@ -110,13 +111,11 @@ service-policy global_policy global


 !################
-access-list mode manual
+access-list mode auto

 clear config access-list tmp_acl
-access-list commit
 access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any 
 access-list tmp_acl deny ip any any 
-access-list commit

 access-group tmp_acl in interface outside
 access-group tmp_acl in interface inside
@ -131,38 +130,247 @@ clear config access-list inside_acl_in
 clear config access-list outside_acl_in
 clear config icmp
 clear config telnet
-access-list commit
 clear config object-group


-object-group network id59803X13930.src.net.0
-  network-object 10.0.0.0 255.255.255.0 
-  network-object 10.1.0.0 255.255.255.0 
-  network-object 172.16.0.1 255.255.255.255 
-  network-object 172.16.0.2 255.255.255.255 
+object-group network id37010X447.dst.net.0
+  network-object host 211.11.11.11 
+  network-object host 211.22.22.22 
+exit
+
+object-group service id37010X447.srv.tcp.0 tcp
+  port-object eq 113
+  port-object eq 80
+  port-object eq 443
+  port-object eq 143
+  port-object eq 25
+  port-object eq 22
+  port-object eq 540
+exit
+
+object-group icmp-type id37094X447.srv.icmp.0
+  icmp-object 3
+  icmp-object 0
+  icmp-object 11
+exit
+
+object-group service id37122X447.srv.tcp.0 tcp
+  port-object eq 70
+  port-object eq 6667
+  port-object eq 3128
+  port-object eq 23
+exit
+
+object-group service id37122X447.srv.udp.0 udp
+  port-object eq 53
+  port-object eq 161
+exit
+
+object-group network id37207X447.dst.net.0
+  network-object host 192.168.1.10 
+  network-object host 192.168.1.20 
+exit
+
+object-group network id37237X447.dst.net.0
+  network-object 192.168.1.250 255.255.255.254 
+  network-object 192.168.1.252 255.255.255.252 
+exit
+
+object-group network id37265X447.dst.net.0
+  network-object 192.168.1.250 255.255.255.254 
+  network-object 192.168.1.252 255.255.255.252 
+exit
+
+object-group network id37322X447.dst.net.0
+  network-object host 192.168.1.11 
+  network-object host 192.168.1.12 
+  network-object host 192.168.1.13 
+  network-object host 192.168.1.14 
+  network-object host 192.168.1.15 
+exit
+
+object-group service id37322X447.srv.tcp.0 tcp
+  port-object eq 113
+  port-object eq 80
+  port-object eq 443
+  port-object eq 143
+  port-object eq 25
+  port-object eq 3128
+  port-object eq 22
+  port-object eq 540
+exit
+
+object-group network id37351X447.dst.net.0
+  network-object 192.168.1.11 255.255.255.255 
+  network-object 192.168.1.12 255.255.255.252 
+exit
+
+object-group service id37380X447.srv.tcp.0 tcp
+  port-object eq 113
+  port-object eq 13
+  port-object eq 53
+  port-object eq 2105
+  port-object eq 21
+  port-object eq 70
+  port-object eq 80
+  port-object eq 443
+  port-object eq 143
+  port-object eq 993
+  port-object eq 6667
+  port-object eq 6667
+  port-object eq 543
+  port-object eq 544
+  port-object eq 389
+  port-object eq 98
+  port-object eq 3306
+  port-object eq 2049
+  port-object eq 119
+  port-object eq 110
+  port-object eq 5432
+  port-object eq 515
+  port-object eq 26000
+  port-object eq 512
+  port-object eq 513
+  port-object eq 514
+  port-object eq 4321
+  port-object eq 25
+  port-object eq 465
+  port-object eq 1080
+  port-object eq 3128
+  port-object eq 22
+  port-object eq 111
+  port-object eq 23
+  port-object range 10000 11000
+  port-object eq 540
+  port-object eq 7100
 exit

 ! 
-! Rule  1 (ethernet1)
-! need this rule to generate at least one object group
-icmp permit 10.0.0.0 255.255.255.0 3  outside
-access-list outside_acl_in permit icmp 10.0.0.0 255.255.255.0 host 22.22.22.22 3 
-icmp permit 10.1.0.0 255.255.255.0 3  outside
-access-list outside_acl_in permit icmp 10.1.0.0 255.255.255.0 host 22.22.22.22 3 
-icmp permit host 172.16.0.1 3  outside
-access-list outside_acl_in permit icmp host 172.16.0.1 host 22.22.22.22 3 
-icmp permit host 172.16.0.2 3  outside
-access-list outside_acl_in permit icmp host 172.16.0.2 host 22.22.22.22 3 
-access-list outside_acl_in permit icmp object-group id59803X13930.src.net.0 any 3 
+! Rule  2 (ethernet1)
+icmp permit any 3  outside
+access-list outside_acl_in permit icmp any host 22.22.22.22 3 
+access-list outside_acl_in permit icmp any any 3 
 ! 
-! Rule  2 (global)
+! Rule  3 (ethernet1)
+! anti-spoofing rule
+! fwsm3:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings
+
+access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300
+! 
+! Rule  4 (ethernet0)
+ssh 192.168.1.0 255.255.255.0 inside
+! 
+! Rule  5 (ethernet0)
+access-list inside_acl_in permit tcp any object-group id37010X447.dst.net.0 object-group id37010X447.srv.tcp.0 
+access-list inside_acl_in permit tcp any object-group id37010X447.dst.net.0 object-group id37010X447.srv.tcp.0 
+access-list dmz_acl_in permit tcp any object-group id37010X447.dst.net.0 object-group id37010X447.srv.tcp.0 
+! 
+! Rule  6 (ethernet0)
+access-list inside_acl_in deny   ip any host 192.168.1.255 
+! 
+! Rule  8 (global)
+access-list outside_acl_in permit icmp any host 192.168.1.10 object-group id37094X447.srv.icmp.0 
+access-list inside_acl_in permit icmp any host 192.168.1.10 object-group id37094X447.srv.icmp.0 
+access-list dmz_acl_in permit icmp any host 192.168.1.10 object-group id37094X447.srv.icmp.0 
+! 
+! Rule  9 (global)
+access-list outside_acl_in permit icmp any host 192.168.1.10 
+access-list inside_acl_in permit icmp any host 192.168.1.10 
+access-list dmz_acl_in permit icmp any host 192.168.1.10 
+access-list outside_acl_in permit tcp any host 192.168.1.10 object-group id37122X447.srv.tcp.0 
+access-list inside_acl_in permit tcp any host 192.168.1.10 object-group id37122X447.srv.tcp.0 
+access-list dmz_acl_in permit tcp any host 192.168.1.10 object-group id37122X447.srv.tcp.0 
+access-list outside_acl_in permit udp any host 192.168.1.10 object-group id37122X447.srv.udp.0 
+access-list inside_acl_in permit udp any host 192.168.1.10 object-group id37122X447.srv.udp.0 
+access-list dmz_acl_in permit udp any host 192.168.1.10 object-group id37122X447.srv.udp.0 
+access-list outside_acl_in permit 47 any host 192.168.1.10 
+access-list inside_acl_in permit 47 any host 192.168.1.10 
+access-list dmz_acl_in permit 47 any host 192.168.1.10 
+! 
+! Rule  10 (global)
+access-list outside_acl_in permit icmp any host 22.22.22.22 3 log 0 interval 300
+icmp permit any 3  inside
+access-list inside_acl_in permit icmp any host 192.168.1.1 3 log 0 interval 300
+icmp permit any 3  dmz
+access-list dmz_acl_in permit icmp any host 192.168.2.1 3 log 0 interval 300
+access-list outside_acl_in permit icmp any any 3 log 0 interval 300
+access-list inside_acl_in permit icmp any any 3 log 0 interval 300
+access-list dmz_acl_in permit icmp any any 3 log 0 interval 300
+access-list outside_acl_in permit 47 any any log 0 interval 300
+access-list inside_acl_in permit 47 any any log 0 interval 300
+access-list dmz_acl_in permit 47 any any log 0 interval 300
+access-list outside_acl_in permit 50 any any log 0 interval 300
+access-list inside_acl_in permit 50 any any log 0 interval 300
+access-list dmz_acl_in permit 50 any any log 0 interval 300
+! 
+! Rule  12 (global)
+access-list outside_acl_in permit ip object-group id37010X447.dst.net.0 object-group id37207X447.dst.net.0 
+! 
+! Rule  13 (global)
+! fwsm3:Policy:13: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule
+
+access-list inside_acl_in permit tcp host 192.168.1.10 object-group id37237X447.dst.net.0 eq 3128 
+! 
+! Rule  14 (global)
+access-list outside_acl_in permit tcp any object-group id37265X447.dst.net.0 eq 3128 
+access-list inside_acl_in permit tcp any object-group id37265X447.dst.net.0 eq 3128 
+access-list dmz_acl_in permit tcp any object-group id37265X447.dst.net.0 eq 3128 
+! 
+! Rule  15 (global)
+ssh 0.0.0.0 0.0.0.0 outside
+ssh 0.0.0.0 0.0.0.0 inside
+ssh 0.0.0.0 0.0.0.0 dmz
+access-list outside_acl_in permit icmp any host 22.22.22.22 3 
+access-list inside_acl_in permit icmp any host 192.168.1.1 3 
+access-list dmz_acl_in permit icmp any host 192.168.2.1 3 
+! 
+! Rule  16 (global)
+access-list outside_acl_in permit tcp any object-group id37322X447.dst.net.0 object-group id37322X447.srv.tcp.0 
+access-list inside_acl_in permit tcp any object-group id37322X447.dst.net.0 object-group id37322X447.srv.tcp.0 
+access-list dmz_acl_in permit tcp any object-group id37322X447.dst.net.0 object-group id37322X447.srv.tcp.0 
+! 
+! Rule  17 (global)
+access-list outside_acl_in permit tcp any object-group id37351X447.dst.net.0 object-group id37322X447.srv.tcp.0 
+access-list inside_acl_in permit tcp any object-group id37351X447.dst.net.0 object-group id37322X447.srv.tcp.0 
+access-list dmz_acl_in permit tcp any object-group id37351X447.dst.net.0 object-group id37322X447.srv.tcp.0 
+! 
+! Rule  18 (global)
+! fwsm3:Policy:18: error: Rule '18 (global)' shadows rule '20 (global)'  below it
+
+access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id37380X447.srv.tcp.0 
+access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id37380X447.srv.tcp.0 
+access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id37380X447.srv.tcp.0 
+! 
+! Rule  19 (global)
+! objects hostA and hostB are
+! redundant and should be removed by
+!  removeRedundantAddressesFromDst
+access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 
+access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 
+access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494 
+! 
+! Rule  20 (global)
+access-list outside_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 
+access-list inside_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 
+access-list dmz_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80 
+! 
+! Rule  23 (global)
+access-list outside_acl_in permit ip host 22.22.22.22 host 22.22.22.22 log 0 interval 300
+access-list inside_acl_in permit ip host 192.168.1.1 host 192.168.1.1 log 0 interval 300
+access-list dmz_acl_in permit ip host 192.168.2.1 host 192.168.2.1 log 0 interval 300
+! 
+! Rule  24 (global)
+access-list outside_acl_in permit ip host 22.22.22.22 any 
+access-list inside_acl_in permit ip host 192.168.1.1 any 
+access-list dmz_acl_in permit ip host 192.168.2.1 any 
+access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any 
+! 
+! Rule  25 (global)
 access-list outside_acl_in deny   ip any any log 0 interval 300
 access-list inside_acl_in deny   ip any any log 0 interval 300
 access-list dmz_acl_in deny   ip any any log 0 interval 300


-access-list commit
-
 access-group dmz_acl_in in interface dmz
 access-group inside_acl_in in interface inside
 access-group outside_acl_in in interface outside
@ -172,7 +380,56 @@ access-group outside_acl_in in interface outside
 global (outside) 1 interface
 nat (inside) 1 192.168.1.0 255.255.255.0 0 0
 global (dmz) 1 interface
-!
+! 
+! 
+! Rule  1 (NAT)
+nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
+! 
+! Rule  2 (NAT)
+nat (inside) 1 0.0.0.0 0.0.0.0 0 0
+! 
+! 
+! Rule  3 (NAT)
+global (outside) 1 22.22.22.0 netmask 255.255.255.0
+! 
+! 
+! Rule  4 (NAT)
+global (outside) 1 22.22.22.21-22.22.22.25 netmask 255.255.255.0
+! 
+! 
+! Rule  5 (NAT)
+static (inside,outside) tcp interface 25 192.168.1.10 25  0 0
+! 
+! Rule  6 (NAT)
+global (inside) 8 interface
+nat (dmz) 8 192.168.2.0 255.255.255.0 outside
+! 
+! Rule  7 (NAT)
+
+clear config access-list nat0.inside
+access-list nat0.inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
+nat (inside) 0 access-list nat0.inside
+! 
+! Rule  8 (NAT)
+
+access-list nat0.inside permit ip host 192.168.1.11  192.168.2.0 255.255.255.0
+
+access-list nat0.inside permit ip host 192.168.1.12  192.168.2.0 255.255.255.0
+
+access-list nat0.inside permit ip host 192.168.1.13  192.168.2.0 255.255.255.0
+
+access-list nat0.inside permit ip host 192.168.1.14  192.168.2.0 255.255.255.0
+
+access-list nat0.inside permit ip host 192.168.1.15  192.168.2.0 255.255.255.0
+! 
+! Rule  9 (NAT)
+nat (dmz) 0 0 0
+! 
+! Rule  10 (NAT)
+static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
+! 
+! Rule  11 (NAT)
+static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255



--- a/test/pix/fwsm4.fw.orig
+++ b/test/pix/fwsm4.fw.orig
@ -0,0 +1,184 @@
+!
+!  This is automatically generated file. DO NOT MODIFY !
+!
+!  Firewall Builder  fwb_pix v4.2.0.3526
+!
+!  Generated Thu Apr 14 16:32:41 2011 PDT by vadim
+!
+! Compiled for fwsm 4.x
+! Outbound ACLs: supported
+! Emulate outbound ACLs: yes
+! Generating outbound ACLs: no
+! Assume firewall is part of any: yes
+!
+!# files: * fwsm4.fw
+!
+! using manual commit mode
+
+
+
+!
+! Prolog script:
+!
+
+!
+! End of prolog script:
+!
+
+
+
+
+hostname fwsm4
+
+interface ethernet1
+  nameif outside
+  security-level 0
+exit
+
+interface ethernet0
+  nameif inside
+  security-level 100
+exit
+
+interface ethernet2
+  nameif dmz
+  security-level 50
+exit
+
+
+
+logging host inside 192.168.1.30
+logging queue 512
+logging facility 16
+logging trap 0
+no logging buffered
+no logging console
+no logging timestamp
+logging on
+
+
+timeout xlate 3:0:0 
+timeout conn 1:0:0 
+timeout udp 0:2:0 
+timeout sunrpc 0:10:0 
+timeout h323 0:5:0 
+timeout sip 0:30:0 
+timeout sip_media 0:0:0 
+timeout half-closed 0:0:0 
+timeout uauth 2:0:0 absolute 
+
+telnet timeout 5
+
+clear config ssh
+aaa authentication ssh console LOCAL
+ssh timeout 5
+
+clear config snmp-server
+snmp-server community public
+snmp-server enable traps
+snmp-server host inside 192.168.1.20 poll  
+snmp-server host inside 192.168.1.22 trap  
+
+
+
+
+no service resetinbound
+sysopt connection tcpmss 1380
+sysopt nodnsalias inbound
+sysopt nodnsalias outbound
+
+
+class-map inspection_default
+  match default-inspection-traffic
+
+policy-map global_policy
+  class inspection_default
+    inspect ftp
+    inspect h323 h225
+    inspect h323 ras
+    inspect http
+    inspect ils
+    inspect rsh
+    inspect rtsp
+    inspect sip
+    inspect skinny
+    inspect esmtp
+    inspect sqlnet
+
+service-policy global_policy global
+
+
+
+!################
+access-list mode manual
+
+clear config access-list tmp_acl
+access-list commit
+access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any 
+access-list tmp_acl deny ip any any 
+access-list commit
+
+access-group tmp_acl in interface outside
+access-group tmp_acl in interface inside
+access-group tmp_acl in interface dmz
+
+clear xlate
+clear config static
+clear config global
+clear config nat
+clear config access-list dmz_acl_in
+clear config access-list inside_acl_in
+clear config access-list outside_acl_in
+clear config icmp
+clear config telnet
+access-list commit
+clear config object-group
+
+
+object-group network id59803X13930.src.net.0
+  network-object 10.0.0.0 255.255.255.0 
+  network-object 10.1.0.0 255.255.255.0 
+  network-object 172.16.0.1 255.255.255.255 
+  network-object 172.16.0.2 255.255.255.255 
+exit
+
+! 
+! Rule  1 (ethernet1)
+! need this rule to generate at least one object group
+icmp permit 10.0.0.0 255.255.255.0 3  outside
+access-list outside_acl_in permit icmp 10.0.0.0 255.255.255.0 host 22.22.22.22 3 
+icmp permit 10.1.0.0 255.255.255.0 3  outside
+access-list outside_acl_in permit icmp 10.1.0.0 255.255.255.0 host 22.22.22.22 3 
+icmp permit host 172.16.0.1 3  outside
+access-list outside_acl_in permit icmp host 172.16.0.1 host 22.22.22.22 3 
+icmp permit host 172.16.0.2 3  outside
+access-list outside_acl_in permit icmp host 172.16.0.2 host 22.22.22.22 3 
+access-list outside_acl_in permit icmp object-group id59803X13930.src.net.0 any 3 
+! 
+! Rule  2 (global)
+access-list outside_acl_in deny   ip any any log 0 interval 300
+access-list inside_acl_in deny   ip any any log 0 interval 300
+access-list dmz_acl_in deny   ip any any log 0 interval 300
+
+
+access-list commit
+
+access-group dmz_acl_in in interface dmz
+access-group inside_acl_in in interface inside
+access-group outside_acl_in in interface outside
+
+! 
+! Rule  0 (NAT)
+global (outside) 1 interface
+nat (inside) 1 192.168.1.0 255.255.255.0 0 0
+global (dmz) 1 interface
+!
+
+
+
+!
+! Epilog script:
+!
+
+! End of epilog script:
+!
--- a/test/pix/objects-for-regression-tests.fwb
+++ b/test/pix/objects-for-regression-tests.fwb
@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1302806528" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1302823327" id="root">
  <Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
    <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
    <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -22268,7 +22268,7 @@ no sysopt nodnsalias outbound
          <Option name="use_numeric_log_levels">False</Option>
        </FirewallOptions>
      </Firewall>
-      <Firewall id="id59725X13930" host_OS="fwsm_os" inactive="False" lastCompiled="1145688917" lastInstalled="0" lastModified="1302806626" platform="fwsm" version="4.x" name="fwsm3" comment="using manual commit mode&#10;" ro="False">
+      <Firewall id="id59725X13930" host_OS="fwsm_os" inactive="False" lastCompiled="1145688917" lastInstalled="0" lastModified="1302823923" platform="fwsm" version="4.x" name="fwsm4" comment="using manual commit mode&#10;" ro="False">
        <NAT id="id60484X13930" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
          <NATRule id="id60486X13930" disabled="False" group="" position="0" action="Translate" comment="">
            <OSrc neg="False">
@ -22369,15 +22369,15 @@ no sysopt nodnsalias outbound
          <RuleSetOptions/>
        </Routing>
        <Interface id="id59733X13930" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
-          <IPv4 id="id59736X13930" name="fwsm3:ethernet1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
+          <IPv4 id="id59736X13930" name="fwsm4:ethernet1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
          <InterfaceOptions/>
        </Interface>
        <Interface id="id59738X13930" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="id3DAA5110" security_level="100" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
-          <IPv4 id="id59741X13930" name="fwsm3:ethernet0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
+          <IPv4 id="id59741X13930" name="fwsm4:ethernet0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
          <InterfaceOptions/>
        </Interface>
        <Interface id="id59743X13930" dedicated_failover="False" dyn="False" label="dmz" mgmt="False" network_zone="id3B022266" security_level="50" unnum="False" unprotected="False" name="ethernet2" comment="" ro="False">
-          <IPv4 id="id59746X13930" name="fwsm3:ethernet2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
+          <IPv4 id="id59746X13930" name="fwsm4:ethernet2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
          <InterfaceOptions/>
        </Interface>
        <Management address="192.168.1.1">
@ -22608,6 +22608,1144 @@ no sysopt nodnsalias outbound
          <Option name="xlate_ss">0</Option>
        </FirewallOptions>
      </Firewall>
+      <Firewall id="id36850X447" host_OS="fwsm_os" inactive="False" lastCompiled="1145688917" lastInstalled="0" lastModified="1302823928" platform="fwsm" version="3.2" name="fwsm3" comment="" ro="False">
+        <NAT id="id37609X447" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <NATRule id="id37611X447" disabled="False" group="" position="0" action="Translate" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="id36850X447"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id37654X447" disabled="False" group="" position="1" action="Translate" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="id3B022266"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="id36850X447"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id37697X447" disabled="False" group="" position="2" action="Translate" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="id3DAA5110"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="id36850X447"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id37740X447" disabled="False" group="" position="3" action="Translate" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="id3B665641"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id37783X447" disabled="False" group="" position="4" action="Translate" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="id3D196750"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id37826X447" disabled="False" group="" position="5" action="Translate" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="id36850X447"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="tcp-SMTP"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="host-hostA"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="tcp-SMTP"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id37869X447" disabled="False" group="" position="6" action="Translate" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="id3B022266"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="id3AFC191C"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id37912X447" disabled="False" group="" position="7" action="Translate" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="id3B022266"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id37955X447" disabled="False" group="" position="8" action="Translate" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="id3CD87A53"/>
+              <ObjectRef ref="id3CD87A5E"/>
+              <ObjectRef ref="id3CD87A6D"/>
+              <ObjectRef ref="id3CD87A7C"/>
+              <ObjectRef ref="id3CD87A8B"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="id3B022266"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id38002X447" disabled="False" group="" position="9" action="Translate" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="id3B022266"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id38045X447" disabled="False" group="" position="10" action="Translate" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="id3B022266"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id38088X447" disabled="False" group="" position="11" action="Translate" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="id3B022266"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="host-hostA"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id38131X447" disabled="True" group="" position="12" action="Translate" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="tcp-HTTP"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="id36850X447"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="id3B4FF09A"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <RuleSetOptions/>
+        </NAT>
+        <Policy id="id36873X447" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <PolicyRule id="id36875X447" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="blocking short fragments">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="ip-IP_Fragments"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id36858X447"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id36903X447" disabled="True" group="" log="True" position="1" action="Deny" direction="Inbound" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id36850X447"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="ip-IP_Fragments"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id36858X447"/>
+            </Itf>
+            <PolicyRuleOptions>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id36928X447" disabled="False" group="" log="False" position="2" action="Accept" direction="Inbound" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="icmp-Unreachables"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id36858X447"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id36956X447" disabled="False" group="" log="True" position="3" action="Accept" direction="Outbound" comment="anti-spoofing rule">
+            <Src neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+              <ObjectRef ref="id36850X447"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id36858X447"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id36985X447" disabled="False" group="" log="False" position="4" action="Accept" direction="Inbound" comment="">
+            <Src neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id36850X447"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="tcp-SSH"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id36863X447"/>
+            </Itf>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id37010X447" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="host-secondary1-com"/>
+              <ObjectRef ref="host-secondary2-com"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id3CD878C8"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id36863X447"/>
+            </Itf>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id37036X447" disabled="False" group="" log="False" position="6" action="Deny" direction="Inbound" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id3B64FFAC"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id36863X447"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id37064X447" disabled="True" group="" log="True" position="7" action="Deny" direction="Both" comment="this rule, if enabled, shades&#10;some rule below because&#10;of service &quot;any ICMP&quot;">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="tcp-TCP-SYN"/>
+              <ServiceRef ref="id3B58E3F1"/>
+              <ServiceRef ref="id3C1A5D46"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="action_on_reject"></Option>
+              <Option name="limit_value">0</Option>
+              <Option name="log_limit_suffix"></Option>
+              <Option name="log_prefix"></Option>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id37094X447" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="host-hostA"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sg-Useful_ICMP"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id37122X447" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="host-hostA"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id3D12CD12"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="action_on_reject"></Option>
+              <Option name="limit_suffix"></Option>
+              <Option name="limit_value">0</Option>
+              <Option name="log_prefix"></Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id37150X447" disabled="False" group="" log="True" position="10" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id3D0E8383"/>
+              <ServiceRef ref="id3D116567"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="action_on_reject"></Option>
+              <Option name="limit_value">0</Option>
+              <Option name="log_limit_suffix"></Option>
+              <Option name="log_prefix"></Option>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id37179X447" disabled="True" group="" log="False" position="11" action="Deny" direction="Both" comment="shades rule #8 below">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id3C1A5D46"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id37207X447" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="host-secondary1-com"/>
+              <ObjectRef ref="host-secondary2-com"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="host-hostA"/>
+              <ObjectRef ref="host-hostB"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="action_on_reject"></Option>
+              <Option name="limit_suffix"></Option>
+              <Option name="limit_value">0</Option>
+              <Option name="log_prefix"></Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id37237X447" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="id3BF1B3E1"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id3D0F7F89"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id3B5009F7"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id37265X447" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id3D0F7F89"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id3B5009F7"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id37293X447" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id36850X447"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="icmp-Unreachables"/>
+              <ServiceRef ref="tcp-SSH"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id37322X447" disabled="False" group="" log="False" position="16" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id3CD87A9A"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id3CD878C8"/>
+              <ServiceRef ref="id3B5009F7"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="action_on_reject"></Option>
+              <Option name="limit_suffix"></Option>
+              <Option name="limit_value">0</Option>
+              <Option name="log_prefix"></Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id37351X447" disabled="False" group="" log="False" position="17" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id3CD8769F"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id3CD878C8"/>
+              <ServiceRef ref="id3B5009F7"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="action_on_reject"></Option>
+              <Option name="limit_suffix"></Option>
+              <Option name="limit_value">0</Option>
+              <Option name="log_prefix"></Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id37380X447" disabled="False" group="" log="False" position="18" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id3B5009F7"/>
+              <ServiceRef ref="id3C1A66C9"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="action_on_reject"></Option>
+              <Option name="limit_suffix"></Option>
+              <Option name="limit_value">0</Option>
+              <Option name="log_prefix"></Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id37409X447" disabled="False" group="" log="False" position="19" action="Accept" direction="Both" comment="objects hostA and hostB are&#10;redundant and should be removed by&#10; removeRedundantAddressesFromDst">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+              <ObjectRef ref="host-hostA"/>
+              <ObjectRef ref="host-hostB"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id3CB131C4"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="action_on_reject"></Option>
+              <Option name="limit_suffix"></Option>
+              <Option name="limit_value">0</Option>
+              <Option name="log_prefix"></Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id37439X447" disabled="False" group="" log="False" position="20" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="host-hostA"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id431BD5EE"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id37467X447" disabled="True" group="" log="False" position="21" action="Accept" direction="Both" comment="rules 12 and 13 can be&#10;used to test shading">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="action_on_reject"></Option>
+              <Option name="limit_suffix"></Option>
+              <Option name="limit_value">0</Option>
+              <Option name="log_prefix"></Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id37495X447" disabled="True" group="" log="False" position="22" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id3B3D5A3B"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="action_on_reject"></Option>
+              <Option name="limit_suffix"></Option>
+              <Option name="limit_value">0</Option>
+              <Option name="log_prefix"></Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id37523X447" disabled="False" group="" log="True" position="23" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="id36850X447"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id36850X447"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id37551X447" disabled="False" group="" log="False" position="24" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+              <ObjectRef ref="id36850X447"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="action_on_reject"></Option>
+              <Option name="limit_suffix"></Option>
+              <Option name="limit_value">0</Option>
+              <Option name="log_prefix"></Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id37580X447" disabled="False" group="" log="True" position="25" action="Deny" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="action_on_reject"></Option>
+              <Option name="limit_suffix"></Option>
+              <Option name="limit_value">0</Option>
+              <Option name="log_limit_suffix"></Option>
+              <Option name="log_prefix"></Option>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
+        <Routing id="id38175X447" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
+        </Routing>
+        <Interface id="id36858X447" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
+          <IPv4 id="id36861X447" name="fwsm3:ethernet1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
+          <InterfaceOptions/>
+        </Interface>
+        <Interface id="id36863X447" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="id3DAA5110" security_level="100" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
+          <IPv4 id="id36866X447" name="fwsm3:ethernet0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
+          <InterfaceOptions/>
+        </Interface>
+        <Interface id="id36868X447" dedicated_failover="False" dyn="False" label="dmz" mgmt="False" network_zone="id3B022266" security_level="50" unnum="False" unprotected="False" name="ethernet2" comment="" ro="False">
+          <IPv4 id="id36871X447" name="fwsm3:ethernet2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
+          <InterfaceOptions/>
+        </Interface>
+        <Management address="192.168.1.1">
+          <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
+          <FWBDManagement enabled="True" identity="" port="9999"/>
+          <PolicyInstallScript arguments="" command="" enabled="False"/>
+        </Management>
+        <FirewallOptions>
+          <Option name="accept_established">False</Option>
+          <Option name="accept_new_tcp_with_no_syn">False</Option>
+          <Option name="action_on_reject">ICMP net unreachable</Option>
+          <Option name="admUser"></Option>
+          <Option name="altAddress"></Option>
+          <Option name="check_shading">True</Option>
+          <Option name="clamp_mss_to_mtu">False</Option>
+          <Option name="cmdline">-v</Option>
+          <Option name="compiler"></Option>
+          <Option name="conn_hh">1</Option>
+          <Option name="conn_mm">0</Option>
+          <Option name="conn_ss">0</Option>
+          <Option name="ctiqbe_fixup">2 2748 0 nil 0</Option>
+          <Option name="debug">False</Option>
+          <Option name="dns_fixup">2 65535 0 nil 0</Option>
+          <Option name="dyn_addr">False</Option>
+          <Option name="espike_fixup">2 0 0 nil 0</Option>
+          <Option name="firewall_dir"></Option>
+          <Option name="firewall_is_part_of_any">True</Option>
+          <Option name="firewall_is_part_of_any_and_networks">True</Option>
+          <Option name="ftp_fixup">0 21 0 strict 0</Option>
+          <Option name="h323_h225_fixup">0 1720 1720 nil 0</Option>
+          <Option name="h323_hh">0</Option>
+          <Option name="h323_mm">5</Option>
+          <Option name="h323_ras_fixup">0 1718 1719 nil 0</Option>
+          <Option name="h323_ss">0</Option>
+          <Option name="half-closed_hh">0</Option>
+          <Option name="half-closed_mm">0</Option>
+          <Option name="half-closed_ss">0</Option>
+          <Option name="http_fixup">0 80 80 nil 0</Option>
+          <Option name="icmp_error_fixup">2 0 0 nil 0</Option>
+          <Option name="ignore_empty_groups">False</Option>
+          <Option name="ils_fixup">0 389 389 nil 0</Option>
+          <Option name="in_out_code">True</Option>
+          <Option name="inst_cmdline"></Option>
+          <Option name="inst_script"></Option>
+          <Option name="install_script"></Option>
+          <Option name="limit_suffix">/second</Option>
+          <Option name="limit_value">0</Option>
+          <Option name="linux24_ip_forward">0</Option>
+          <Option name="linux24_tcp_fin_timeout">30</Option>
+          <Option name="linux24_tcp_keepalive_interval">1800</Option>
+          <Option name="load_modules">False</Option>
+          <Option name="log_all_dropped">True</Option>
+          <Option name="log_ip_opt">False</Option>
+          <Option name="log_level">debug</Option>
+          <Option name="log_limit_suffix">/second</Option>
+          <Option name="log_limit_value">0</Option>
+          <Option name="log_prefix"></Option>
+          <Option name="log_tcp_opt">False</Option>
+          <Option name="log_tcp_seq">False</Option>
+          <Option name="manage_virtual_addr">True</Option>
+          <Option name="mgcp_fixup">2 2427 2727 nil 0</Option>
+          <Option name="mgmt_addr"></Option>
+          <Option name="mgmt_ssh">False</Option>
+          <Option name="modulate_state">False</Option>
+          <Option name="no_iochains_for_any">False</Option>
+          <Option name="no_optimisation">False</Option>
+          <Option name="openbsd_ip_directed_broadcast">0</Option>
+          <Option name="openbsd_ip_forward">1</Option>
+          <Option name="openbsd_ip_redirect">0</Option>
+          <Option name="openbsd_ip_sourceroute">0</Option>
+          <Option name="output_file"></Option>
+          <Option name="pass_all_out">False</Option>
+          <Option name="pix_acl_basic">False</Option>
+          <Option name="pix_acl_no_clear">False</Option>
+          <Option name="pix_acl_substitution">True</Option>
+          <Option name="pix_acl_temp_addr">192.168.1.0/24</Option>
+          <Option name="pix_add_clear_statements">True</Option>
+          <Option name="pix_assume_fw_part_of_any">True</Option>
+          <Option name="pix_check_duplicate_nat">False</Option>
+          <Option name="pix_check_overlapping_global_pools">False</Option>
+          <Option name="pix_check_overlapping_global_statics">False</Option>
+          <Option name="pix_check_overlapping_statics">False</Option>
+          <Option name="pix_check_rule_shading">True</Option>
+          <Option name="pix_conn_abs">True</Option>
+          <Option name="pix_conn_hh">1</Option>
+          <Option name="pix_conn_inact">False</Option>
+          <Option name="pix_conn_mm">0</Option>
+          <Option name="pix_conn_ss">0</Option>
+          <Option name="pix_connection_timewait">True</Option>
+          <Option name="pix_disable_snmp_agent">False</Option>
+          <Option name="pix_emb_limit">0</Option>
+          <Option name="pix_emblem_log_format">False</Option>
+          <Option name="pix_emulate_out_acl">True</Option>
+          <Option name="pix_enable_snmp_traps">True</Option>
+          <Option name="pix_epilog_script"></Option>
+          <Option name="pix_floodguard">False</Option>
+          <Option name="pix_fragguard">True</Option>
+          <Option name="pix_h323_abs">True</Option>
+          <Option name="pix_h323_hh">0</Option>
+          <Option name="pix_h323_inact">False</Option>
+          <Option name="pix_h323_mm">5</Option>
+          <Option name="pix_h323_ss">0</Option>
+          <Option name="pix_include_comments">True</Option>
+          <Option name="pix_ip_address">False</Option>
+          <Option name="pix_logging_buffered">False</Option>
+          <Option name="pix_logging_buffered_level">0</Option>
+          <Option name="pix_logging_console">False</Option>
+          <Option name="pix_logging_console_level">0</Option>
+          <Option name="pix_logging_timestamp">False</Option>
+          <Option name="pix_logging_trap_level">0</Option>
+          <Option name="pix_max_conns">0</Option>
+          <Option name="pix_nodnsalias_inbound">True</Option>
+          <Option name="pix_nodnsalias_outbound">True</Option>
+          <Option name="pix_ntp1">192.168.1.20</Option>
+          <Option name="pix_ntp1_pref">True</Option>
+          <Option name="pix_ntp2"></Option>
+          <Option name="pix_ntp2_pref">False</Option>
+          <Option name="pix_ntp3"></Option>
+          <Option name="pix_ntp3_pref">False</Option>
+          <Option name="pix_optimize_default_nat">True</Option>
+          <Option name="pix_prolog_script">	
+</Option>
+          <Option name="pix_regroup_commands">False</Option>
+          <Option name="pix_replace_natted_objects">True</Option>
+          <Option name="pix_resetinbound">False</Option>
+          <Option name="pix_resetoutside">False</Option>
+          <Option name="pix_route_dnat">False</Option>
+          <Option name="pix_rpc_abs">True</Option>
+          <Option name="pix_rpc_hh">0</Option>
+          <Option name="pix_rpc_inact">False</Option>
+          <Option name="pix_rpc_mm">10</Option>
+          <Option name="pix_rpc_ss">0</Option>
+          <Option name="pix_set_communities_from_object_data">True</Option>
+          <Option name="pix_set_host_name">True</Option>
+          <Option name="pix_set_sysinfo_from_object_data">True</Option>
+          <Option name="pix_sip_abs">True</Option>
+          <Option name="pix_sip_hh">0</Option>
+          <Option name="pix_sip_inact">False</Option>
+          <Option name="pix_sip_media_abs">True</Option>
+          <Option name="pix_sip_media_hh">0</Option>
+          <Option name="pix_sip_media_inact">False</Option>
+          <Option name="pix_sip_media_mm">2</Option>
+          <Option name="pix_sip_media_ss">0</Option>
+          <Option name="pix_sip_mm">30</Option>
+          <Option name="pix_sip_ss">0</Option>
+          <Option name="pix_snmp_poll_traps_1">1</Option>
+          <Option name="pix_snmp_poll_traps_2">2</Option>
+          <Option name="pix_snmp_server1">192.168.1.20</Option>
+          <Option name="pix_snmp_server2">192.168.1.22</Option>
+          <Option name="pix_ssh_timeout">5</Option>
+          <Option name="pix_syslog_facility">16</Option>
+          <Option name="pix_syslog_host">192.168.1.30</Option>
+          <Option name="pix_syslog_level">error</Option>
+          <Option name="pix_syslog_queue_size">512</Option>
+          <Option name="pix_tcpmss">True</Option>
+          <Option name="pix_tcpmss_value">1380</Option>
+          <Option name="pix_telnet_timeout">5</Option>
+          <Option name="pix_uauth_abs">True</Option>
+          <Option name="pix_uauth_hh">2</Option>
+          <Option name="pix_uauth_inact">False</Option>
+          <Option name="pix_uauth_mm">0</Option>
+          <Option name="pix_uauth_ss">0</Option>
+          <Option name="pix_udp_abs">True</Option>
+          <Option name="pix_udp_hh">0</Option>
+          <Option name="pix_udp_inact">False</Option>
+          <Option name="pix_udp_mm">2</Option>
+          <Option name="pix_udp_ss">0</Option>
+          <Option name="pix_unauth_abs">True</Option>
+          <Option name="pix_unauth_hh">2</Option>
+          <Option name="pix_unauth_inact">False</Option>
+          <Option name="pix_unauth_mm">0</Option>
+          <Option name="pix_unauth_ss">0</Option>
+          <Option name="pix_use_acl_remarks">False</Option>
+          <Option name="pix_xlate_abs">True</Option>
+          <Option name="pix_xlate_hh">3</Option>
+          <Option name="pix_xlate_inact">False</Option>
+          <Option name="pix_xlate_mm">0</Option>
+          <Option name="pix_xlate_ss">0</Option>
+          <Option name="platform">iptables</Option>
+          <Option name="pptp_fixup">2 1723 0 nil 0</Option>
+          <Option name="rpc_hh">0</Option>
+          <Option name="rpc_mm">10</Option>
+          <Option name="rpc_ss">0</Option>
+          <Option name="rsh_fixup">0 514 0 nil 0</Option>
+          <Option name="rtsp_fixup">0 554 0 nil 0</Option>
+          <Option name="script_env_path"></Option>
+          <Option name="sip_fixup">0 5060 5060 nil 0</Option>
+          <Option name="sip_hh">0</Option>
+          <Option name="sip_media_hh">0</Option>
+          <Option name="sip_media_mm">0</Option>
+          <Option name="sip_media_ss">0</Option>
+          <Option name="sip_mm">30</Option>
+          <Option name="sip_ss">0</Option>
+          <Option name="sip_udp_fixup">2 5060 0 nil 0</Option>
+          <Option name="skinny_fixup">0 2000 2000 nil 0</Option>
+          <Option name="smtp_fixup">0 25 25 nil 0</Option>
+          <Option name="snmp_contact"></Option>
+          <Option name="snmp_description"></Option>
+          <Option name="snmp_location"></Option>
+          <Option name="sqlnet_fixup">0 1521 1521 nil 0</Option>
+          <Option name="sshArgs"></Option>
+          <Option name="ssh_timeout">5</Option>
+          <Option name="telnet_timeout">5</Option>
+          <Option name="tftp_fixup">2 69 0 nil 0</Option>
+          <Option name="uauth_abs">True</Option>
+          <Option name="uauth_hh">2</Option>
+          <Option name="uauth_inact">False</Option>
+          <Option name="uauth_mm">0</Option>
+          <Option name="uauth_ss">0</Option>
+          <Option name="udp_hh">0</Option>
+          <Option name="udp_mm">2</Option>
+          <Option name="udp_ss">0</Option>
+          <Option name="use_numeric_log_levels">False</Option>
+          <Option name="xlate_hh">3</Option>
+          <Option name="xlate_mm">0</Option>
+          <Option name="xlate_ss">0</Option>
+        </FirewallOptions>
+      </Firewall>
    </ObjectGroup>
    <IntervalGroup id="stdid11_1" name="Time" comment="" ro="False"/>
  </Library>
--- a/test/pix/pix515.fw.orig
+++ b/test/pix/pix515.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:49 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:42 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/real.fw.orig
+++ b/test/pix/real.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:49 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:43 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/test_net_zone_2.fw.orig
+++ b/test/pix/test_net_zone_2.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Thu Apr 14 16:05:50 2011 PDT by vadim
+!  Generated Thu Apr 14 16:32:43 2011 PDT by vadim
 !
 ! Compiled for pix 6.1
 ! Outbound ACLs: not supported