diff --git a/VERSION b/VERSION
index 975c69384..e572934a6 100644
--- a/VERSION
+++ b/VERSION
@@ -7,7 +7,7 @@ FWB_MICRO_VERSION=0
 # build number is like "nano" version number. I am incrementing build
 # number during development cycle
 #
-BUILD_NUM="3525"
+BUILD_NUM="3526"
 
 VERSION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION.$FWB_MICRO_VERSION.$BUILD_NUM"
 
diff --git a/VERSION.h b/VERSION.h
index c17286308..86f2d27cd 100644
--- a/VERSION.h
+++ b/VERSION.h
@@ -1,2 +1,2 @@
-#define VERSION      "4.2.0.3525"
+#define VERSION      "4.2.0.3526"
 #define GENERATION   "4.2"
diff --git a/doc/ChangeLog b/doc/ChangeLog
index d3c396ff1..b540960cb 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,9 @@
+2011-04-14  vadim  <vadim@netcitadel.com>
+
+	* PolicyCompiler_pix.cpp (printClearCommands): see #2322 If this
+	is FWSM and if manual commit mode is used, need to commit after
+	clearing ACLs before we clear object groups.
+
 2011-04-13  Vadim Kurland  <vadim@netcitadel.com>
 
 	* IPTImporter.cpp (pushPolicyRule): see #2338 "Empty Mangle Policy
diff --git a/packaging/fwbuilder-static-qt.spec b/packaging/fwbuilder-static-qt.spec
index 143a73daf..8dd777aaf 100644
--- a/packaging/fwbuilder-static-qt.spec
+++ b/packaging/fwbuilder-static-qt.spec
@@ -3,7 +3,7 @@
 
 
 %define name    fwbuilder
-%define version 4.2.0.3525
+%define version 4.2.0.3526
 %define release 1
 
 %if "%_vendor" == "MandrakeSoft"
diff --git a/packaging/fwbuilder.control b/packaging/fwbuilder.control
index c50c70f64..68ffdf007 100644
--- a/packaging/fwbuilder.control
+++ b/packaging/fwbuilder.control
@@ -4,6 +4,6 @@ Replaces: fwbuilder (<=4.1.1-1), fwbuilder-common, fwbuilder-bsd, fwbuilder-linu
 Priority: extra
 Section: checkinstall
 Maintainer: vadim@fwbuilder.org
-Version: 4.2.0.3525-1
+Version: 4.2.0.3526-1
 Depends: libqt4-gui (>= 4.3.0), libxml2, libxslt1.1, libsnmp | libsnmp15
 Description: Firewall Builder GUI and policy compilers
diff --git a/packaging/fwbuilder.spec b/packaging/fwbuilder.spec
index fa2bb29bd..d2ba82a45 100644
--- a/packaging/fwbuilder.spec
+++ b/packaging/fwbuilder.spec
@@ -1,6 +1,6 @@
 
 %define name    fwbuilder
-%define version 4.2.0.3525
+%define version 4.2.0.3526
 %define release 1
 
 %if "%_vendor" == "MandrakeSoft"
diff --git a/src/cisco_lib/PolicyCompiler_pix.cpp b/src/cisco_lib/PolicyCompiler_pix.cpp
index b93d2c764..7f0a5d93f 100644
--- a/src/cisco_lib/PolicyCompiler_pix.cpp
+++ b/src/cisco_lib/PolicyCompiler_pix.cpp
@@ -157,6 +157,13 @@ int PolicyCompiler_pix::prolog()
             output << endl;
 
             output << clearACLcmd << " " << temp_acl << endl;
+
+            if (fw->getStr("platform")=="fwsm" && 
+                fw->getOptionsObject()->getBool("pix_use_manual_commit") )
+            {
+                output << "access-list commit" << endl;
+            }
+
             output << "access-list " << temp_acl
                    << " permit ip "
                    << addr << " " << netmask
@@ -733,15 +740,19 @@ string PolicyCompiler_pix::printClearCommands()
 
     string vers = fw->getStr("version");
     string platform = fw->getStr("platform");
+
     string clearACLcmd = Resources::platform_res[platform]->getResourceStr(
         string("/FWBuilderResources/Target/options/") +
         "version_" + vers + "/pix_commands/clear_acl");
+
     // string clearOGcmd = Resources::platform_res[platform]->getResourceStr(
     //     string("/FWBuilderResources/Target/options/") +
     //     "version_" + vers + "/pix_commands/clear_og");
+
     string clearICMPcmd = Resources::platform_res[platform]->getResourceStr(
         string("/FWBuilderResources/Target/options/") +
         "version_" + vers + "/pix_commands/clear_icmp");
+
     string clearTelnetcmd = Resources::platform_res[platform]->getResourceStr(
         string("/FWBuilderResources/Target/options/") +
         "version_" + vers + "/pix_commands/clear_telnet");
@@ -769,6 +780,16 @@ string PolicyCompiler_pix::printClearCommands()
         output << clearTelnetcmd  << endl;
     }
 
+    // see #2322 If this is FWSM and if manual commit mode is used, we
+    // need to commit after clearing ACLs before we clear object groups
+
+    if (fw->getStr("platform")=="fwsm" && 
+        fw->getOptionsObject()->getBool("pix_use_manual_commit") )
+    {
+        output << "access-list commit" << endl;
+    }
+
+
     return output.str();
 }
 
diff --git a/test/pix/cluster1-1_pix1.fw.orig b/test/pix/cluster1-1_pix1.fw.orig
index 7b88eacaf..04c6085c6 100755
--- a/test/pix/cluster1-1_pix1.fw.orig
+++ b/test/pix/cluster1-1_pix1.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:51 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:23 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
diff --git a/test/pix/cluster1-1_pix2.fw.orig b/test/pix/cluster1-1_pix2.fw.orig
index 29771b2b0..a38073d57 100755
--- a/test/pix/cluster1-1_pix2.fw.orig
+++ b/test/pix/cluster1-1_pix2.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:51 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:23 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
diff --git a/test/pix/cluster1_pix1.fw.orig b/test/pix/cluster1_pix1.fw.orig
index 2eb54ec2e..2c4c21614 100755
--- a/test/pix/cluster1_pix1.fw.orig
+++ b/test/pix/cluster1_pix1.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:50 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:23 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
diff --git a/test/pix/cluster1_pix2.fw.orig b/test/pix/cluster1_pix2.fw.orig
index 0a3e51403..3e57e55f4 100755
--- a/test/pix/cluster1_pix2.fw.orig
+++ b/test/pix/cluster1_pix2.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:50 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:23 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
diff --git a/test/pix/firewall.fw.orig b/test/pix/firewall.fw.orig
index 93545ec1f..bc6b2a917 100755
--- a/test/pix/firewall.fw.orig
+++ b/test/pix/firewall.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:31 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:11 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
diff --git a/test/pix/firewall1.fw.orig b/test/pix/firewall1.fw.orig
index 400091182..6865453cd 100755
--- a/test/pix/firewall1.fw.orig
+++ b/test/pix/firewall1.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:31 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:10 2011 PDT by vadim
 !
 ! Compiled for pix 6.1
 ! Outbound ACLs: not supported
diff --git a/test/pix/firewall10.fw.orig b/test/pix/firewall10.fw.orig
index 485d8bb72..afa5c178c 100755
--- a/test/pix/firewall10.fw.orig
+++ b/test/pix/firewall10.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:32 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:11 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
diff --git a/test/pix/firewall11.fw.orig b/test/pix/firewall11.fw.orig
index 9fc21eb4f..ebf629591 100755
--- a/test/pix/firewall11.fw.orig
+++ b/test/pix/firewall11.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:32 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:11 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
diff --git a/test/pix/firewall12.fw.orig b/test/pix/firewall12.fw.orig
index aa92c047f..66138fd8b 100755
--- a/test/pix/firewall12.fw.orig
+++ b/test/pix/firewall12.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:33 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:12 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
diff --git a/test/pix/firewall13.fw.orig b/test/pix/firewall13.fw.orig
index 8640fd7ee..85755a794 100755
--- a/test/pix/firewall13.fw.orig
+++ b/test/pix/firewall13.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:33 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:12 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
diff --git a/test/pix/firewall14.fw.orig b/test/pix/firewall14.fw.orig
index 737e818f6..9e688df32 100755
--- a/test/pix/firewall14.fw.orig
+++ b/test/pix/firewall14.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:34 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:13 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
diff --git a/test/pix/firewall2.fw.orig b/test/pix/firewall2.fw.orig
index 25f4a3d3e..661979a82 100755
--- a/test/pix/firewall2.fw.orig
+++ b/test/pix/firewall2.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:34 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:13 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
diff --git a/test/pix/firewall20.fw.orig b/test/pix/firewall20.fw.orig
index a58ee5a52..c9e87eaa7 100755
--- a/test/pix/firewall20.fw.orig
+++ b/test/pix/firewall20.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:35 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:13 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
diff --git a/test/pix/firewall21-1.fw.orig b/test/pix/firewall21-1.fw.orig
index a8a844b1d..2714ab1f2 100755
--- a/test/pix/firewall21-1.fw.orig
+++ b/test/pix/firewall21-1.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:36 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:14 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
diff --git a/test/pix/firewall21.fw.orig b/test/pix/firewall21.fw.orig
index eac8c16f1..6d7dbe2c5 100755
--- a/test/pix/firewall21.fw.orig
+++ b/test/pix/firewall21.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:35 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:13 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
diff --git a/test/pix/firewall22.fw.orig b/test/pix/firewall22.fw.orig
index b872de112..f03c25d3a 100755
--- a/test/pix/firewall22.fw.orig
+++ b/test/pix/firewall22.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:36 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:14 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
diff --git a/test/pix/firewall23.fw.orig b/test/pix/firewall23.fw.orig
index 1891a6ac7..3b1c88590 100755
--- a/test/pix/firewall23.fw.orig
+++ b/test/pix/firewall23.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:37 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:14 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
diff --git a/test/pix/firewall3.fw.orig b/test/pix/firewall3.fw.orig
index c03e1ffbe..a67e4572a 100755
--- a/test/pix/firewall3.fw.orig
+++ b/test/pix/firewall3.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:37 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:15 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
diff --git a/test/pix/firewall33.fw.orig b/test/pix/firewall33.fw.orig
index 446f7d153..c789d5bad 100755
--- a/test/pix/firewall33.fw.orig
+++ b/test/pix/firewall33.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:38 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:15 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
diff --git a/test/pix/firewall34.fw.orig b/test/pix/firewall34.fw.orig
index 5ff887430..dd5bbe087 100755
--- a/test/pix/firewall34.fw.orig
+++ b/test/pix/firewall34.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:38 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:15 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
diff --git a/test/pix/firewall4.fw.orig b/test/pix/firewall4.fw.orig
index aa4c94ba7..84398d11c 100755
--- a/test/pix/firewall4.fw.orig
+++ b/test/pix/firewall4.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:39 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:16 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
diff --git a/test/pix/firewall50.fw.orig b/test/pix/firewall50.fw.orig
index d5564376f..c6c806903 100755
--- a/test/pix/firewall50.fw.orig
+++ b/test/pix/firewall50.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:40 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:16 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
diff --git a/test/pix/firewall6.fw.orig b/test/pix/firewall6.fw.orig
index ddcc7a817..3af1a2c2d 100755
--- a/test/pix/firewall6.fw.orig
+++ b/test/pix/firewall6.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:40 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:16 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
diff --git a/test/pix/firewall8.fw.orig b/test/pix/firewall8.fw.orig
index 952e319f3..c632f29a5 100755
--- a/test/pix/firewall8.fw.orig
+++ b/test/pix/firewall8.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:41 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:17 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
diff --git a/test/pix/firewall80.fw.orig b/test/pix/firewall80.fw.orig
index 9bd538a67..94a9caffd 100755
--- a/test/pix/firewall80.fw.orig
+++ b/test/pix/firewall80.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:42 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:17 2011 PDT by vadim
 !
 ! Compiled for pix 8.2
 ! Outbound ACLs: supported
diff --git a/test/pix/firewall81.fw.orig b/test/pix/firewall81.fw.orig
index d49067a86..62d12b366 100755
--- a/test/pix/firewall81.fw.orig
+++ b/test/pix/firewall81.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:42 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:18 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
diff --git a/test/pix/firewall82.fw.orig b/test/pix/firewall82.fw.orig
index 86c8826d3..c0e260e83 100755
--- a/test/pix/firewall82.fw.orig
+++ b/test/pix/firewall82.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:43 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:18 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
diff --git a/test/pix/firewall83.fw.orig b/test/pix/firewall83.fw.orig
index 1a9bc911e..0569ec59c 100755
--- a/test/pix/firewall83.fw.orig
+++ b/test/pix/firewall83.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:43 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:18 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
diff --git a/test/pix/firewall9.fw.orig b/test/pix/firewall9.fw.orig
index af2416b87..53afc13ab 100755
--- a/test/pix/firewall9.fw.orig
+++ b/test/pix/firewall9.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:44 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:19 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
diff --git a/test/pix/firewall90.fw.orig b/test/pix/firewall90.fw.orig
index 1740d12cf..c2709ff11 100755
--- a/test/pix/firewall90.fw.orig
+++ b/test/pix/firewall90.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:44 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:19 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
diff --git a/test/pix/firewall91.fw.orig b/test/pix/firewall91.fw.orig
index 02b6fdb19..4fdc46526 100755
--- a/test/pix/firewall91.fw.orig
+++ b/test/pix/firewall91.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:44 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:19 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
diff --git a/test/pix/firewall92.fw.orig b/test/pix/firewall92.fw.orig
index df8028268..db0688065 100755
--- a/test/pix/firewall92.fw.orig
+++ b/test/pix/firewall92.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:45 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:19 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
diff --git a/test/pix/firewall93.fw.orig b/test/pix/firewall93.fw.orig
index 6aa148741..fd91184bd 100755
--- a/test/pix/firewall93.fw.orig
+++ b/test/pix/firewall93.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:45 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:20 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
diff --git a/test/pix/firewall94.fw.orig b/test/pix/firewall94.fw.orig
index 1e5cc1b03..cdcf322b2 100755
--- a/test/pix/firewall94.fw.orig
+++ b/test/pix/firewall94.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:46 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:20 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
diff --git a/test/pix/fwsm1.fw.orig b/test/pix/fwsm1.fw.orig
index 119e72d78..fb0096e42 100755
--- a/test/pix/fwsm1.fw.orig
+++ b/test/pix/fwsm1.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:47 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:21 2011 PDT by vadim
 !
 ! Compiled for fwsm 2.3
 ! Outbound ACLs: supported
diff --git a/test/pix/fwsm2.fw.orig b/test/pix/fwsm2.fw.orig
index d578b4c90..113c7e91b 100755
--- a/test/pix/fwsm2.fw.orig
+++ b/test/pix/fwsm2.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:47 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:21 2011 PDT by vadim
 !
 ! Compiled for fwsm 4.x
 ! Outbound ACLs: supported
diff --git a/test/pix/fwsm3.fw.orig b/test/pix/fwsm3.fw.orig
new file mode 100755
index 000000000..24b58e2a4
--- /dev/null
+++ b/test/pix/fwsm3.fw.orig
@@ -0,0 +1,183 @@
+!
+!  This is automatically generated file. DO NOT MODIFY !
+!
+!  Firewall Builder  fwb_pix v4.2.0.3526
+!
+!  Generated Thu Apr 14 11:46:21 2011 PDT by vadim
+!
+! Compiled for fwsm 4.x
+! Outbound ACLs: supported
+! Emulate outbound ACLs: yes
+! Generating outbound ACLs: no
+! Assume firewall is part of any: yes
+!
+!# files: * fwsm3.fw
+!
+! using manual commit mode
+
+
+
+!
+! Prolog script:
+!
+
+!
+! End of prolog script:
+!
+
+
+
+
+hostname fwsm3
+
+interface ethernet1
+  nameif outside
+  security-level 0
+exit
+
+interface ethernet0
+  nameif inside
+  security-level 100
+exit
+
+interface ethernet2
+  nameif dmz
+  security-level 50
+exit
+
+
+
+logging host inside 192.168.1.30
+logging queue 512
+logging facility 16
+logging trap 0
+no logging buffered
+no logging console
+no logging timestamp
+logging on
+
+
+timeout xlate 3:0:0 
+timeout conn 1:0:0 
+timeout udp 0:2:0 
+timeout sunrpc 0:10:0 
+timeout h323 0:5:0 
+timeout sip 0:30:0 
+timeout sip_media 0:0:0 
+timeout half-closed 0:0:0 
+timeout uauth 2:0:0 absolute 
+
+telnet timeout 5
+
+clear config ssh
+aaa authentication ssh console LOCAL
+ssh timeout 5
+
+clear config snmp-server
+snmp-server community public
+snmp-server enable traps
+snmp-server host inside 192.168.1.20 poll  
+snmp-server host inside 192.168.1.22 trap  
+
+
+
+
+no service resetinbound
+sysopt connection tcpmss 1380
+sysopt nodnsalias inbound
+sysopt nodnsalias outbound
+
+
+class-map inspection_default
+  match default-inspection-traffic
+
+policy-map global_policy
+  class inspection_default
+    inspect ftp
+    inspect h323 h225
+    inspect h323 ras
+    inspect http
+    inspect ils
+    inspect rsh
+    inspect rtsp
+    inspect sip
+    inspect skinny
+    inspect esmtp
+    inspect sqlnet
+
+service-policy global_policy global
+
+
+
+clear xlate
+clear config static
+clear config global
+clear config nat
+clear config access-list dmz_acl_in
+clear config access-list inside_acl_in
+clear config access-list outside_acl_in
+clear config icmp
+clear config telnet
+access-list commit
+clear config object-group
+
+
+object-group network id59803X13930.src.net.0
+  network-object 10.0.0.0 255.255.255.0 
+  network-object 10.1.0.0 255.255.255.0 
+  network-object 172.16.0.1 255.255.255.255 
+  network-object 172.16.0.2 255.255.255.255 
+exit
+
+!################
+access-list mode manual
+
+clear config access-list tmp_acl
+access-list commit
+access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any 
+access-list tmp_acl deny ip any any 
+access-list commit
+
+access-group tmp_acl in interface outside
+access-group tmp_acl in interface inside
+
+! 
+! Rule  1 (ethernet1)
+! need this rule to generate at least one object group
+icmp permit 10.0.0.0 255.255.255.0 3  outside
+access-list outside_acl_in permit icmp 10.0.0.0 255.255.255.0 host 22.22.22.22 3 
+icmp permit 10.1.0.0 255.255.255.0 3  outside
+access-list outside_acl_in permit icmp 10.1.0.0 255.255.255.0 host 22.22.22.22 3 
+icmp permit host 172.16.0.1 3  outside
+access-list outside_acl_in permit icmp host 172.16.0.1 host 22.22.22.22 3 
+icmp permit host 172.16.0.2 3  outside
+access-list outside_acl_in permit icmp host 172.16.0.2 host 22.22.22.22 3 
+access-list outside_acl_in permit icmp object-group id59803X13930.src.net.0 any 3 
+! 
+! Rule  2 (global)
+access-list outside_acl_in deny   ip any any log 0 interval 300
+access-list inside_acl_in deny   ip any any log 0 interval 300
+access-list dmz_acl_in deny   ip any any log 0 interval 300
+
+
+access-list commit
+
+access-group dmz_acl_in in interface dmz
+access-group inside_acl_in in interface inside
+access-group outside_acl_in in interface outside
+
+! 
+! Rule  0 (NAT)
+global (outside) 1 interface
+nat (inside) 1 192.168.1.0 255.255.255.0 0 0
+global (dmz) 1 interface
+!
+
+
+
+!
+! Epilog script:
+!
+
+! End of epilog script:
+!
diff --git a/test/pix/objects-for-regression-tests.fwb b/test/pix/objects-for-regression-tests.fwb
index 19e37f777..ec2effa36 100644
--- a/test/pix/objects-for-regression-tests.fwb
+++ b/test/pix/objects-for-regression-tests.fwb
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1298252555" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1302806528" id="root">
   <Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
     <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
     <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@@ -16227,7 +16227,7 @@ no sysopt nodnsalias outbound
           <Option name="xlate_ss">0</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall id="id17217X54624" host_OS="fwsm_os" inactive="False" lastCompiled="1145688917" lastInstalled="0" lastModified="1295222056" platform="fwsm" version="4.x" name="fwsm2" comment="" ro="False">
+      <Firewall id="id17217X54624" host_OS="fwsm_os" inactive="False" lastCompiled="1145688917" lastInstalled="0" lastModified="1302806582" platform="fwsm" version="4.x" name="fwsm2" comment="" ro="False">
         <NAT id="id17562X54624" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <NATRule id="id17563X54624" disabled="False" group="" position="0" action="Translate" comment="">
             <OSrc neg="False">
@@ -22268,6 +22268,346 @@ no sysopt nodnsalias outbound
           <Option name="use_numeric_log_levels">False</Option>
         </FirewallOptions>
       </Firewall>
+      <Firewall id="id59725X13930" host_OS="fwsm_os" inactive="False" lastCompiled="1145688917" lastInstalled="0" lastModified="1302806626" platform="fwsm" version="4.x" name="fwsm3" comment="using manual commit mode&#10;" ro="False">
+        <NAT id="id60484X13930" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <NATRule id="id60486X13930" disabled="False" group="" position="0" action="Translate" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="id59725X13930"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <ItfInb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfInb>
+            <ItfOutb neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ItfOutb>
+            <NATRuleOptions/>
+          </NATRule>
+          <RuleSetOptions/>
+        </NAT>
+        <Policy id="id59748X13930" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <PolicyRule id="id59750X13930" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="blocking short fragments">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="ip-IP_Fragments"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id59733X13930"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id59803X13930" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="need this rule to generate at least one object group&#10;">
+            <Src neg="False">
+              <ObjectRef ref="id26247X5313"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="icmp-Unreachables"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id59733X13930"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id60455X13930" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="action_on_reject"></Option>
+              <Option name="limit_suffix"></Option>
+              <Option name="limit_value">0</Option>
+              <Option name="log_limit_suffix"></Option>
+              <Option name="log_prefix"></Option>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
+        <Routing id="id61050X13930" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
+        </Routing>
+        <Interface id="id59733X13930" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
+          <IPv4 id="id59736X13930" name="fwsm3:ethernet1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
+          <InterfaceOptions/>
+        </Interface>
+        <Interface id="id59738X13930" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="id3DAA5110" security_level="100" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
+          <IPv4 id="id59741X13930" name="fwsm3:ethernet0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
+          <InterfaceOptions/>
+        </Interface>
+        <Interface id="id59743X13930" dedicated_failover="False" dyn="False" label="dmz" mgmt="False" network_zone="id3B022266" security_level="50" unnum="False" unprotected="False" name="ethernet2" comment="" ro="False">
+          <IPv4 id="id59746X13930" name="fwsm3:ethernet2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
+          <InterfaceOptions/>
+        </Interface>
+        <Management address="192.168.1.1">
+          <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
+          <FWBDManagement enabled="True" identity="" port="9999"/>
+          <PolicyInstallScript arguments="" command="" enabled="False"/>
+        </Management>
+        <FirewallOptions>
+          <Option name="accept_established">False</Option>
+          <Option name="accept_new_tcp_with_no_syn">False</Option>
+          <Option name="action_on_reject">ICMP net unreachable</Option>
+          <Option name="admUser"></Option>
+          <Option name="altAddress"></Option>
+          <Option name="check_shading">True</Option>
+          <Option name="clamp_mss_to_mtu">False</Option>
+          <Option name="cmdline">-v</Option>
+          <Option name="compiler"></Option>
+          <Option name="conn_hh">1</Option>
+          <Option name="conn_mm">0</Option>
+          <Option name="conn_ss">0</Option>
+          <Option name="ctiqbe_fixup">2 2748 0 nil 0</Option>
+          <Option name="debug">False</Option>
+          <Option name="dns_fixup">2 65535 0 nil 0</Option>
+          <Option name="dyn_addr">False</Option>
+          <Option name="espike_fixup">2 0 0 nil 0</Option>
+          <Option name="filesystem"></Option>
+          <Option name="firewall_dir"></Option>
+          <Option name="firewall_is_part_of_any">True</Option>
+          <Option name="firewall_is_part_of_any_and_networks">True</Option>
+          <Option name="ftp_fixup">0 21 0 strict 0</Option>
+          <Option name="h323_h225_fixup">0 1720 1720 nil 0</Option>
+          <Option name="h323_hh">0</Option>
+          <Option name="h323_mm">5</Option>
+          <Option name="h323_ras_fixup">0 1718 1719 nil 0</Option>
+          <Option name="h323_ss">0</Option>
+          <Option name="half-closed_hh">0</Option>
+          <Option name="half-closed_mm">0</Option>
+          <Option name="half-closed_ss">0</Option>
+          <Option name="http_fixup">0 80 80 nil 0</Option>
+          <Option name="icmp_error_fixup">2 0 0 nil 0</Option>
+          <Option name="ignore_empty_groups">False</Option>
+          <Option name="ils_fixup">0 389 389 nil 0</Option>
+          <Option name="in_out_code">True</Option>
+          <Option name="inst_cmdline"></Option>
+          <Option name="inst_script"></Option>
+          <Option name="install_script"></Option>
+          <Option name="ip_options_eool_fixup">2 0 0 nil 0</Option>
+          <Option name="ip_options_nop_fixup">2 0 0 nil 0</Option>
+          <Option name="ip_options_rtralt_fixup">2 0 0 nil 0</Option>
+          <Option name="ipv4_6_order">ipv4_first</Option>
+          <Option name="limit_suffix">/second</Option>
+          <Option name="limit_value">0</Option>
+          <Option name="linux24_ip_forward">0</Option>
+          <Option name="linux24_tcp_fin_timeout">30</Option>
+          <Option name="linux24_tcp_keepalive_interval">1800</Option>
+          <Option name="load_modules">False</Option>
+          <Option name="log_all_dropped">True</Option>
+          <Option name="log_ip_opt">False</Option>
+          <Option name="log_level">debug</Option>
+          <Option name="log_limit_suffix">/second</Option>
+          <Option name="log_limit_value">0</Option>
+          <Option name="log_prefix"></Option>
+          <Option name="log_tcp_opt">False</Option>
+          <Option name="log_tcp_seq">False</Option>
+          <Option name="manage_virtual_addr">True</Option>
+          <Option name="mgcp_fixup">2 2427 2727 nil 0</Option>
+          <Option name="mgmt_addr"></Option>
+          <Option name="mgmt_ssh">False</Option>
+          <Option name="modulate_state">False</Option>
+          <Option name="no_iochains_for_any">False</Option>
+          <Option name="no_optimisation">False</Option>
+          <Option name="openbsd_ip_directed_broadcast">0</Option>
+          <Option name="openbsd_ip_forward">1</Option>
+          <Option name="openbsd_ip_redirect">0</Option>
+          <Option name="openbsd_ip_sourceroute">0</Option>
+          <Option name="output_file"></Option>
+          <Option name="pass_all_out">False</Option>
+          <Option name="pix_acl_basic">False</Option>
+          <Option name="pix_acl_no_clear">False</Option>
+          <Option name="pix_acl_substitution">True</Option>
+          <Option name="pix_acl_temp_addr">192.168.1.0/24</Option>
+          <Option name="pix_add_clear_statements">True</Option>
+          <Option name="pix_assume_fw_part_of_any">True</Option>
+          <Option name="pix_check_duplicate_nat">False</Option>
+          <Option name="pix_check_overlapping_global_pools">False</Option>
+          <Option name="pix_check_overlapping_global_statics">False</Option>
+          <Option name="pix_check_overlapping_statics">False</Option>
+          <Option name="pix_check_rule_shading">True</Option>
+          <Option name="pix_conn_abs">True</Option>
+          <Option name="pix_conn_hh">1</Option>
+          <Option name="pix_conn_inact">False</Option>
+          <Option name="pix_conn_mm">0</Option>
+          <Option name="pix_conn_ss">0</Option>
+          <Option name="pix_connection_timewait">True</Option>
+          <Option name="pix_disable_snmp_agent">False</Option>
+          <Option name="pix_emb_limit">0</Option>
+          <Option name="pix_emblem_log_format">False</Option>
+          <Option name="pix_emulate_out_acl">True</Option>
+          <Option name="pix_enable_snmp_traps">True</Option>
+          <Option name="pix_epilog_script"></Option>
+          <Option name="pix_floodguard">False</Option>
+          <Option name="pix_fragguard">True</Option>
+          <Option name="pix_generate_out_acl">False</Option>
+          <Option name="pix_h323_abs">True</Option>
+          <Option name="pix_h323_hh">0</Option>
+          <Option name="pix_h323_inact">False</Option>
+          <Option name="pix_h323_mm">5</Option>
+          <Option name="pix_h323_ss">0</Option>
+          <Option name="pix_include_comments">True</Option>
+          <Option name="pix_ip_address">False</Option>
+          <Option name="pix_logging_buffered">False</Option>
+          <Option name="pix_logging_buffered_level">0</Option>
+          <Option name="pix_logging_console">False</Option>
+          <Option name="pix_logging_console_level">0</Option>
+          <Option name="pix_logging_timestamp">False</Option>
+          <Option name="pix_logging_trap_level">0</Option>
+          <Option name="pix_max_conns">0</Option>
+          <Option name="pix_nodnsalias_inbound">True</Option>
+          <Option name="pix_nodnsalias_outbound">True</Option>
+          <Option name="pix_ntp1">192.168.1.20</Option>
+          <Option name="pix_ntp1_pref">True</Option>
+          <Option name="pix_ntp2"></Option>
+          <Option name="pix_ntp2_pref">False</Option>
+          <Option name="pix_ntp3"></Option>
+          <Option name="pix_ntp3_pref">False</Option>
+          <Option name="pix_optimize_default_nat">True</Option>
+          <Option name="pix_prolog_script">	
+</Option>
+          <Option name="pix_regroup_commands">False</Option>
+          <Option name="pix_replace_natted_objects">True</Option>
+          <Option name="pix_resetinbound">False</Option>
+          <Option name="pix_resetoutside">False</Option>
+          <Option name="pix_route_dnat">False</Option>
+          <Option name="pix_rpc_abs">True</Option>
+          <Option name="pix_rpc_hh">0</Option>
+          <Option name="pix_rpc_inact">False</Option>
+          <Option name="pix_rpc_mm">10</Option>
+          <Option name="pix_rpc_ss">0</Option>
+          <Option name="pix_set_communities_from_object_data">True</Option>
+          <Option name="pix_set_host_name">True</Option>
+          <Option name="pix_set_sysinfo_from_object_data">True</Option>
+          <Option name="pix_sip_abs">True</Option>
+          <Option name="pix_sip_hh">0</Option>
+          <Option name="pix_sip_inact">False</Option>
+          <Option name="pix_sip_media_abs">True</Option>
+          <Option name="pix_sip_media_hh">0</Option>
+          <Option name="pix_sip_media_inact">False</Option>
+          <Option name="pix_sip_media_mm">2</Option>
+          <Option name="pix_sip_media_ss">0</Option>
+          <Option name="pix_sip_mm">30</Option>
+          <Option name="pix_sip_ss">0</Option>
+          <Option name="pix_snmp_poll_traps_1">1</Option>
+          <Option name="pix_snmp_poll_traps_2">2</Option>
+          <Option name="pix_snmp_server1">192.168.1.20</Option>
+          <Option name="pix_snmp_server2">192.168.1.22</Option>
+          <Option name="pix_ssh_timeout">5</Option>
+          <Option name="pix_syslog_device_id_opt"></Option>
+          <Option name="pix_syslog_device_id_val"></Option>
+          <Option name="pix_syslog_facility">16</Option>
+          <Option name="pix_syslog_host">192.168.1.30</Option>
+          <Option name="pix_syslog_level">error</Option>
+          <Option name="pix_syslog_queue_size">512</Option>
+          <Option name="pix_tcpmss">True</Option>
+          <Option name="pix_tcpmss_value">1380</Option>
+          <Option name="pix_telnet_timeout">5</Option>
+          <Option name="pix_uauth_abs">True</Option>
+          <Option name="pix_uauth_hh">2</Option>
+          <Option name="pix_uauth_inact">False</Option>
+          <Option name="pix_uauth_mm">0</Option>
+          <Option name="pix_uauth_ss">0</Option>
+          <Option name="pix_udp_abs">True</Option>
+          <Option name="pix_udp_hh">0</Option>
+          <Option name="pix_udp_inact">False</Option>
+          <Option name="pix_udp_mm">2</Option>
+          <Option name="pix_udp_ss">0</Option>
+          <Option name="pix_unauth_abs">True</Option>
+          <Option name="pix_unauth_hh">2</Option>
+          <Option name="pix_unauth_inact">False</Option>
+          <Option name="pix_unauth_mm">0</Option>
+          <Option name="pix_unauth_ss">0</Option>
+          <Option name="pix_use_acl_remarks">False</Option>
+          <Option name="pix_use_manual_commit">True</Option>
+          <Option name="pix_xlate_abs">True</Option>
+          <Option name="pix_xlate_hh">3</Option>
+          <Option name="pix_xlate_inact">False</Option>
+          <Option name="pix_xlate_mm">0</Option>
+          <Option name="pix_xlate_ss">0</Option>
+          <Option name="platform">iptables</Option>
+          <Option name="pptp_fixup">2 1723 0 nil 0</Option>
+          <Option name="rpc_hh">0</Option>
+          <Option name="rpc_mm">10</Option>
+          <Option name="rpc_ss">0</Option>
+          <Option name="rsh_fixup">0 514 0 nil 0</Option>
+          <Option name="rtsp_fixup">0 554 0 nil 0</Option>
+          <Option name="scpArgs"></Option>
+          <Option name="script_env_path"></Option>
+          <Option name="short_script">False</Option>
+          <Option name="sip_fixup">0 5060 5060 nil 0</Option>
+          <Option name="sip_hh">0</Option>
+          <Option name="sip_media_hh">0</Option>
+          <Option name="sip_media_mm">0</Option>
+          <Option name="sip_media_ss">0</Option>
+          <Option name="sip_mm">30</Option>
+          <Option name="sip_ss">0</Option>
+          <Option name="sip_udp_fixup">2 5060 0 nil 0</Option>
+          <Option name="skinny_fixup">0 2000 2000 nil 0</Option>
+          <Option name="smtp_fixup">0 25 25 nil 0</Option>
+          <Option name="snmp_contact"></Option>
+          <Option name="snmp_description"></Option>
+          <Option name="snmp_location"></Option>
+          <Option name="sqlnet_fixup">0 1521 1521 nil 0</Option>
+          <Option name="sshArgs"></Option>
+          <Option name="ssh_timeout">5</Option>
+          <Option name="telnet_timeout">5</Option>
+          <Option name="tftp_fixup">2 69 0 nil 0</Option>
+          <Option name="uauth_abs">True</Option>
+          <Option name="uauth_hh">2</Option>
+          <Option name="uauth_inact">False</Option>
+          <Option name="uauth_mm">0</Option>
+          <Option name="uauth_ss">0</Option>
+          <Option name="udp_hh">0</Option>
+          <Option name="udp_mm">2</Option>
+          <Option name="udp_ss">0</Option>
+          <Option name="use_numeric_log_levels">False</Option>
+          <Option name="use_scp">False</Option>
+          <Option name="xlate_hh">3</Option>
+          <Option name="xlate_mm">0</Option>
+          <Option name="xlate_ss">0</Option>
+        </FirewallOptions>
+      </Firewall>
     </ObjectGroup>
     <IntervalGroup id="stdid11_1" name="Time" comment="" ro="False"/>
   </Library>
diff --git a/test/pix/pix515.fw.orig b/test/pix/pix515.fw.orig
index 189db3b2c..afd1dd788 100755
--- a/test/pix/pix515.fw.orig
+++ b/test/pix/pix515.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:48 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:22 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
diff --git a/test/pix/real.fw.orig b/test/pix/real.fw.orig
index 406bd0041..5f83e017d 100755
--- a/test/pix/real.fw.orig
+++ b/test/pix/real.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:48 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:22 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
diff --git a/test/pix/test_net_zone_2.fw.orig b/test/pix/test_net_zone_2.fw.orig
index aa3e40e9a..dda96c6f9 100755
--- a/test/pix/test_net_zone_2.fw.orig
+++ b/test/pix/test_net_zone_2.fw.orig
@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3525
+!  Firewall Builder  fwb_pix v4.2.0.3526
 !
-!  Generated Wed Apr 13 17:15:49 2011 PDT by vadim
+!  Generated Thu Apr 14 11:41:23 2011 PDT by vadim
 !
 ! Compiled for pix 6.1
 ! Outbound ACLs: not supported