From 5acc9238835215cdcc0c37b27697436c0f895d4d Mon Sep 17 00:00:00 2001
From: Vadim Kurland <vadim@netcitadel.com>
Date: Mon, 28 Dec 2009 02:02:33 +0000
Subject: [PATCH] * PolicyCompiler_iosacl.cpp
 (PolicyCompiler_iosacl::addDefaultPolicyRule): compiler for IOS ACL added
 only inbound automatic rule to permit ssh access from the management
 workstation but did not add a rule to permit reply packets. This fixes #993

---
 build_num                                    |    2 +-
 doc/ChangeLog                                |    5 +
 src/cisco_lib/PolicyCompiler_cisco.cpp       |   57 +-
 src/cisco_lib/PolicyCompiler_cisco.h         |    2 +-
 src/cisco_lib/PolicyCompiler_iosacl.cpp      |   30 +
 src/cisco_lib/PolicyCompiler_iosacl.h        |    2 +
 test/iosacl/objects-for-regression-tests.fwb | 1008 ++++++++++--------
 test/iosacl/quick-cmp.sh                     |    2 +-
 test/pix/objects-for-regression-tests.fwb    |   19 +-
 9 files changed, 646 insertions(+), 481 deletions(-)

diff --git a/build_num b/build_num
index 41306e751..e05d55d6a 100644
--- a/build_num
+++ b/build_num
@@ -1 +1 @@
-#define BUILD_NUM 2282
+#define BUILD_NUM 2283
diff --git a/doc/ChangeLog b/doc/ChangeLog
index d0bae82f9..e3333175a 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,5 +1,10 @@
 2009-12-27  vadim  <vadim@vk.crocodile.org>
 
+	* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::addDefaultPolicyRule):
+	compiler for IOS ACL added only inbound automatic rule to permit
+	ssh access from the management workstation but did not add a rule
+	to permit reply packets. This fixes #993
+
 	* CompilerDriver_iosacl_run.cpp (CompilerDriver_iosacl::run):
 	fixed bug (no #): compiler for iosacl failed to open output file
 	because of the wrong path.
diff --git a/src/cisco_lib/PolicyCompiler_cisco.cpp b/src/cisco_lib/PolicyCompiler_cisco.cpp
index deee797c4..45f4c8240 100644
--- a/src/cisco_lib/PolicyCompiler_cisco.cpp
+++ b/src/cisco_lib/PolicyCompiler_cisco.cpp
@@ -110,11 +110,15 @@ void PolicyCompiler_cisco::addDefaultPolicyRule()
     if ( getCachedFwOpt()->getBool("mgmt_ssh") &&
          !getCachedFwOpt()->getStr("mgmt_addr").empty() )
     {
-        PolicyRule *r;
         TCPService *ssh = dbcopy->createTCPService();
         ssh->setDstRangeStart(22);
         ssh->setDstRangeEnd(22);
-        dbcopy->add(ssh,false);
+        dbcopy->add(ssh, false);
+
+        TCPService *ssh_rev = dbcopy->createTCPService();
+        ssh_rev->setSrcRangeStart(22);
+        ssh_rev->setSrcRangeEnd(22);
+        dbcopy->add(ssh_rev, false);
 
         Network *mgmt_workstation = dbcopy->createNetwork();
         mgmt_workstation->setAddressNetmask(
@@ -122,52 +126,11 @@ void PolicyCompiler_cisco::addDefaultPolicyRule()
 
         dbcopy->add(mgmt_workstation, false);
 
-        r= dbcopy->createPolicyRule();
-        temp_ruleset->add(r);
-        r->setAction(PolicyRule::Accept);
-        r->setLogging(false);
-        r->setDirection(PolicyRule::Inbound);
-        r->setPosition(-1);
-//        r->setComment("   backup ssh access rule ");
-        r->setHidden(true);
-        r->setFallback(false);
-        r->setLabel("backup ssh access rule");
-
-        RuleElement *src=RuleElement::cast(
-            r->getFirstByType(RuleElementSrc::TYPENAME) );
-        src->addRef(mgmt_workstation);
-
-        RuleElement *dst=RuleElement::cast(
-            r->getFirstByType(RuleElementDst::TYPENAME) );
-        dst->addRef(fw);
-
-        RuleElement *srv=RuleElement::cast(
-            r->getFirstByType(RuleElementSrv::TYPENAME) );
-        srv->addRef(ssh);
-
-        combined_ruleset->push_front(r);
+        PolicyCompiler::addMgmtRule(
+            mgmt_workstation, fw, ssh,
+            NULL, PolicyRule::Inbound, PolicyRule::Accept,
+            "backup ssh access rule");
     }
-
-    // Ciscos provide built-in fallback rule so we do not need
-    // this. Besides, desired behavior is that if the user did not
-    // create any rules for a given interface (at all), then generated
-    // config file should have none. Adding fallback rule here creates
-    // 'deny any any' rule for such interfaces and screws things big
-    // time.
-#if 0
-    PolicyRule *r= dbcopy->createPolicyRule();
-
-    temp_ruleset->add(r);
-    r->setAction(PolicyRule::Deny);
-    r->setLogging(false);
-//    r->setDirection(PolicyRule::Both);
-    r->setPosition(10000);
-    r->setComment("   fallback rule ");
-    r->setLabel("fallback rule");
-    r->setFallback(true);
-    r->setHidden(true);
-    combined_ruleset->push_back(r);
-#endif
 }
 
 bool PolicyCompiler_cisco::splitIfSrcAny::processNext()
diff --git a/src/cisco_lib/PolicyCompiler_cisco.h b/src/cisco_lib/PolicyCompiler_cisco.h
index 19c588110..59df38028 100644
--- a/src/cisco_lib/PolicyCompiler_cisco.h
+++ b/src/cisco_lib/PolicyCompiler_cisco.h
@@ -58,7 +58,7 @@ protected:
 	 * this unconditional blocking rule in the end. See also comment
 	 * in the code regarding "pass_all_out" option
 	 */
-	void addDefaultPolicyRule();
+	virtual void addDefaultPolicyRule();
 
         /**
          * prints rule in some universal format (close to that visible
diff --git a/src/cisco_lib/PolicyCompiler_iosacl.cpp b/src/cisco_lib/PolicyCompiler_iosacl.cpp
index 16536e638..59d9906cc 100644
--- a/src/cisco_lib/PolicyCompiler_iosacl.cpp
+++ b/src/cisco_lib/PolicyCompiler_iosacl.cpp
@@ -87,6 +87,36 @@ int PolicyCompiler_iosacl::prolog()
     return PolicyCompiler::prolog();
 }
 
+void PolicyCompiler_iosacl::addDefaultPolicyRule()
+{
+    PolicyCompiler_cisco::addDefaultPolicyRule();
+
+/*
+ * PolicyCompiler_cisco::addDefaultPolicyRule() adds a rule to permit
+ * backup ssh access to the firewall. Since IOS ACL are stateless, we
+ * need to add another rule to permit reply packets.
+ */
+    if ( getCachedFwOpt()->getBool("mgmt_ssh") &&
+         !getCachedFwOpt()->getStr("mgmt_addr").empty() )
+    {
+        TCPService *ssh_rev = dbcopy->createTCPService();
+        ssh_rev->setSrcRangeStart(22);
+        ssh_rev->setSrcRangeEnd(22);
+        dbcopy->add(ssh_rev, false);
+
+        Network *mgmt_workstation = dbcopy->createNetwork();
+        mgmt_workstation->setAddressNetmask(
+            getCachedFwOpt()->getStr("mgmt_addr"));
+
+        dbcopy->add(mgmt_workstation, false);
+
+        PolicyCompiler::addMgmtRule(
+            fw, mgmt_workstation, ssh_rev,
+            NULL, PolicyRule::Outbound, PolicyRule::Accept,
+            "backup ssh access rule (out)");
+    }
+}
+
 bool PolicyCompiler_iosacl::checkForDynamicInterface::findDynamicInterface(
     PolicyRule *rule, RuleElement *rel)
 {
diff --git a/src/cisco_lib/PolicyCompiler_iosacl.h b/src/cisco_lib/PolicyCompiler_iosacl.h
index 7ad6d5b59..e8e4abb61 100644
--- a/src/cisco_lib/PolicyCompiler_iosacl.h
+++ b/src/cisco_lib/PolicyCompiler_iosacl.h
@@ -55,6 +55,8 @@ namespace fwcompiler {
 
         protected:
 
+	virtual void addDefaultPolicyRule();
+
         /**
          * dynamic interfaces can not be used in policy rules in IOS ACLs
          */
diff --git a/test/iosacl/objects-for-regression-tests.fwb b/test/iosacl/objects-for-regression-tests.fwb
index 753c35351..fad3baaf7 100644
--- a/test/iosacl/objects-for-regression-tests.fwb
+++ b/test/iosacl/objects-for-regression-tests.fwb
@@ -2,7 +2,7 @@
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
 <FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="15" lastModified="1257560726" id="root">
   <Library id="sysid99" name="Deleted Objects" comment="" ro="False">
-    <Interface id="id19433X65694" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
+    <Interface id="id19433X65694" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
       <IPv4 id="id19434X65694" name="firewall-ipv6-1:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
       <IPv6 id="id19435X65694" name="firewall-ipv6-1:lo:ipv6" comment="" ro="False" address="::1" netmask="128"/>
       <InterfaceOptions/>
@@ -53,11 +53,11 @@
       </ObjectGroup>
       <ObjectGroup id="id4511636923682" name="Hosts" comment="" ro="False">
         <Host id="id451164EB23682" name="beaver" comment="" ro="False">
-          <Interface id="id451164EF23682" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
+          <Interface id="id451164EF23682" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
             <IPv4 id="id451164F023682" name="beaver:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
             <InterfaceOptions/>
           </Interface>
-          <Interface id="id451164F523682" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
+          <Interface id="id451164F523682" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
             <IPv4 id="id451164F723682" name="beaver:eth0:ip1" comment="" ro="False" address="10.3.14.40" netmask="255.255.255.0"/>
             <IPv4 id="id451164F823682" name="beaver:eth0:ip2" comment="" ro="False" address="192.168.123.123" netmask="255.255.255.0"/>
             <physAddress id="id451164F623682" address="00:30:48:20:16:10" name="beaver:eth0:mac" comment="" ro="False"/>
@@ -136,46 +136,46 @@
       <ServiceGroup id="id4511637123682" name="UDP" comment="" ro="False"/>
       <ServiceGroup id="id4511637223682" name="Custom" comment="" ro="False">
         <CustomService id="id4226X64279" name="dscp af11" comment="" ro="False" protocol="tcp" address_family="ipv4">
-          <CustomServiceCommand platform="fwsm"/>
+          <CustomServiceCommand platform="fwsm"></CustomServiceCommand>
           <CustomServiceCommand platform="iosacl">dscp af11</CustomServiceCommand>
-          <CustomServiceCommand platform="ipf"/>
-          <CustomServiceCommand platform="ipfw"/>
-          <CustomServiceCommand platform="iptables"/>
-          <CustomServiceCommand platform="pf"/>
-          <CustomServiceCommand platform="pix"/>
-          <CustomServiceCommand platform="unknown"/>
+          <CustomServiceCommand platform="ipf"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipfw"></CustomServiceCommand>
+          <CustomServiceCommand platform="iptables"></CustomServiceCommand>
+          <CustomServiceCommand platform="pf"></CustomServiceCommand>
+          <CustomServiceCommand platform="pix"></CustomServiceCommand>
+          <CustomServiceCommand platform="unknown"></CustomServiceCommand>
         </CustomService>
         <CustomService id="id8888X64279" name="esp dscp af12" comment="" ro="False" protocol="50" address_family="ipv4">
-          <CustomServiceCommand platform="fwsm"/>
+          <CustomServiceCommand platform="fwsm"></CustomServiceCommand>
           <CustomServiceCommand platform="iosacl">dscp af12</CustomServiceCommand>
-          <CustomServiceCommand platform="ipf"/>
-          <CustomServiceCommand platform="ipfw"/>
-          <CustomServiceCommand platform="iptables"/>
-          <CustomServiceCommand platform="pf"/>
-          <CustomServiceCommand platform="pix"/>
-          <CustomServiceCommand platform="unknown"/>
+          <CustomServiceCommand platform="ipf"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipfw"></CustomServiceCommand>
+          <CustomServiceCommand platform="iptables"></CustomServiceCommand>
+          <CustomServiceCommand platform="pf"></CustomServiceCommand>
+          <CustomServiceCommand platform="pix"></CustomServiceCommand>
+          <CustomServiceCommand platform="unknown"></CustomServiceCommand>
         </CustomService>
         <CustomService id="id26068X65694" name="esp dscp af11 ipv6" comment="" ro="False" protocol="50" address_family="ipv6">
-          <CustomServiceCommand platform="fwsm"/>
+          <CustomServiceCommand platform="fwsm"></CustomServiceCommand>
           <CustomServiceCommand platform="iosacl">dscp af11</CustomServiceCommand>
-          <CustomServiceCommand platform="ipf"/>
-          <CustomServiceCommand platform="ipfw"/>
-          <CustomServiceCommand platform="iptables"/>
-          <CustomServiceCommand platform="pf"/>
-          <CustomServiceCommand platform="pix"/>
-          <CustomServiceCommand platform="unknown"/>
+          <CustomServiceCommand platform="ipf"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipfw"></CustomServiceCommand>
+          <CustomServiceCommand platform="iptables"></CustomServiceCommand>
+          <CustomServiceCommand platform="pf"></CustomServiceCommand>
+          <CustomServiceCommand platform="pix"></CustomServiceCommand>
+          <CustomServiceCommand platform="unknown"></CustomServiceCommand>
         </CustomService>
       </ServiceGroup>
       <ServiceGroup id="id4511637323682" name="TagServices" comment="" ro="False"/>
       <ServiceGroup id="id4511636C23682_userservices" name="Users" comment="" ro="False"/>
     </ServiceGroup>
     <ObjectGroup id="id4511637423682" name="Firewalls" comment="" ro="False">
-      <Firewall id="id46412B5226577" host_OS="ios" inactive="False" lastCompiled="1251228626" lastInstalled="0" lastModified="1237473570" platform="iosacl" version="12.x" name="testios1" comment="" ro="False">
-        <NAT id="id46412B5626577" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
+      <Firewall id="id46412B5226577" host_OS="ios" inactive="False" lastCompiled="1261963115" lastInstalled="0" lastModified="1261963111" platform="iosacl" version="12.x" name="testios1" comment="" ro="False">
+        <NAT id="id46412B5626577" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
         </NAT>
-        
         <Policy id="id46412B5526577" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
-        <PolicyRule id="id464154BB29061" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti-spoofing">
+          <PolicyRule id="id464154BB29061" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti-spoofing">
             <Src neg="False">
               <ObjectRef ref="id46412C4226611"/>
             </Src>
@@ -194,7 +194,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4641623D29061" disabled="False" log="True" position="1" action="Deny" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4641623D29061" disabled="False" log="True" position="1" action="Deny" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -213,7 +214,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id46412C3326611" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id46412C3326611" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -233,7 +235,8 @@
               <Option name="color">#C0BA44</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id46415A0129061" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id46415A0129061" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -254,7 +257,8 @@
               <Option name="color">#C0BA44</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4641356226611" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4641356226611" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -274,7 +278,8 @@
               <Option name="color">#C0BA44</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4641359926611" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4641359926611" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -294,7 +299,8 @@
               <Option name="color">#C0BA44</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id46412F0326611" disabled="False" log="False" position="6" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id46412F0326611" disabled="False" log="False" position="6" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -314,7 +320,8 @@
               <Option name="color">#8BC065</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4641357426611" disabled="False" log="False" position="7" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4641357426611" disabled="False" log="False" position="7" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -334,7 +341,8 @@
               <Option name="color">#8BC065</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4641358626611" disabled="False" log="False" position="8" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4641358626611" disabled="False" log="False" position="8" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -354,7 +362,8 @@
               <Option name="color">#8BC065</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4641456D29061" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4641456D29061" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456929061"/>
             </Src>
@@ -374,7 +383,8 @@
               <Option name="color">#C0BA44</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4641457E29061" disabled="False" log="False" position="10" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4641457E29061" disabled="False" log="False" position="10" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456929061"/>
             </Src>
@@ -394,7 +404,8 @@
               <Option name="color">#C0BA44</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4641458F29061" disabled="False" log="False" position="11" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4641458F29061" disabled="False" log="False" position="11" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456929061"/>
             </Src>
@@ -414,7 +425,8 @@
               <Option name="color">#C0BA44</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id464147C929061" disabled="False" log="False" position="12" action="Accept" direction="Both" comment="interface ethernet1 has address on network 10.10.10.0/24,&#10;therefore net-10.10.10 is behind the router and we do&#10;not need to put rules 12-18 in outbound acl of eth0">
+          </PolicyRule>
+          <PolicyRule id="id464147C929061" disabled="False" log="False" position="12" action="Accept" direction="Both" comment="interface ethernet1 has address on network 10.10.10.0/24,&#10;therefore net-10.10.10 is behind the router and we do&#10;not need to put rules 12-18 in outbound acl of eth0">
             <Src neg="False">
               <ObjectRef ref="id4641456629061"/>
             </Src>
@@ -434,7 +446,8 @@
               <Option name="color">#C86E6E</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id46414A3E29061" disabled="False" log="False" position="13" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id46414A3E29061" disabled="False" log="False" position="13" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456629061"/>
             </Src>
@@ -454,7 +467,8 @@
               <Option name="color">#C86E6E</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id46414A4F29061" disabled="False" log="False" position="14" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id46414A4F29061" disabled="False" log="False" position="14" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456629061"/>
             </Src>
@@ -474,7 +488,8 @@
               <Option name="color">#C86E6E</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id46414A6029061" disabled="False" log="False" position="15" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id46414A6029061" disabled="False" log="False" position="15" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456629061"/>
             </Src>
@@ -494,7 +509,8 @@
               <Option name="color">#C86E6E</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id46414CEB29061" disabled="False" log="False" position="16" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id46414CEB29061" disabled="False" log="False" position="16" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456629061"/>
             </Src>
@@ -514,7 +530,8 @@
               <Option name="color">#C86E6E</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4641521829061" disabled="False" log="False" position="17" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4641521829061" disabled="False" log="False" position="17" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456629061"/>
             </Src>
@@ -534,7 +551,8 @@
               <Option name="color">#C86E6E</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id46415F6729061" disabled="False" log="False" position="18" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id46415F6729061" disabled="False" log="False" position="18" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456629061"/>
             </Src>
@@ -554,7 +572,8 @@
               <Option name="color">#C86E6E</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id5377X64279" disabled="False" group="" log="False" position="19" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id5377X64279" disabled="False" group="" log="False" position="19" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456629061"/>
             </Src>
@@ -574,7 +593,8 @@
               <Option name="color">#7694C0</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id8889X64279" disabled="False" group="" log="False" position="20" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id8889X64279" disabled="False" group="" log="False" position="20" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456629061"/>
             </Src>
@@ -594,7 +614,8 @@
               <Option name="color">#7694C0</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id46412C2726611" disabled="False" log="True" position="21" action="Deny" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id46412C2726611" disabled="False" log="True" position="21" action="Deny" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -613,19 +634,21 @@
             <PolicyRuleOptions>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
-          </PolicyRule><RuleSetOptions/></Policy>
-        <Routing id="id46412B5726577" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
+        <Routing id="id46412B5726577" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
         </Routing>
-        
-        <Interface id="id46412B5826577" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
+        <Interface id="id46412B5826577" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
           <IPv4 id="id46412B5926577" name="testios1:ethernet0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
           <InterfaceOptions/>
         </Interface>
-        <Interface id="id46412B5A26577" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="True" name="ethernet1" comment="" ro="False">
+        <Interface id="id46412B5A26577" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="True" name="ethernet1" comment="" ro="False">
           <IPv4 id="id46412B5B26577" name="testios1:ethernet1:ip" comment="" ro="False" address="10.10.10.1" netmask="255.255.255.0"/>
           <InterfaceOptions/>
         </Interface>
-        <Interface id="id4642828219184" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="True" name="ethernet2" comment="" ro="False">
+        <Interface id="id4642828219184" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="True" name="ethernet2" comment="" ro="False">
           <IPv4 id="id4642828319184" name="testios1:ethernet2:ip" comment="" ro="False" address="3.3.3.3" netmask="255.255.255.0"/>
           <InterfaceOptions/>
         </Interface>
@@ -638,12 +661,13 @@
           <Option name="accept_established">true</Option>
           <Option name="accept_new_tcp_with_no_syn">true</Option>
           <Option name="add_check_state_rule">true</Option>
-          <Option name="admUser"/>
-          <Option name="altAddress"/>
+          <Option name="admUser"></Option>
+          <Option name="altAddress"></Option>
           <Option name="check_shading">False</Option>
-          <Option name="compiler"/>
+          <Option name="compiler"></Option>
           <Option name="configure_interfaces">true</Option>
           <Option name="eliminate_duplicates">true</Option>
+          <Option name="filesystem">/etc</Option>
           <Option name="firewall_dir">/etc</Option>
           <Option name="firewall_is_part_of_any_and_networks">true</Option>
           <Option name="freebsd_ip_forward">1</Option>
@@ -662,15 +686,16 @@
           <Option name="iosacl_generate_logging_commands">False</Option>
           <Option name="iosacl_include_comments">True</Option>
           <Option name="iosacl_logging_buffered">False</Option>
-          <Option name="iosacl_logging_buffered_level">2</Option>
+          <Option name="iosacl_logging_buffered_level">3</Option>
           <Option name="iosacl_logging_console">False</Option>
-          <Option name="iosacl_logging_console_level">2</Option>
+          <Option name="iosacl_logging_console_level">3</Option>
           <Option name="iosacl_logging_timestamp">False</Option>
-          <Option name="iosacl_logging_trap_level">2</Option>
+          <Option name="iosacl_logging_trap_level">3</Option>
           <Option name="iosacl_prolog_script">! This is prolog</Option>
           <Option name="iosacl_regroup_commands">False</Option>
-          <Option name="iosacl_syslog_facility"/>
-          <Option name="iosacl_syslog_host"/>
+          <Option name="iosacl_syslog_facility"></Option>
+          <Option name="iosacl_syslog_host"></Option>
+          <Option name="iosacl_use_acl_remarks">False</Option>
           <Option name="ipv4_6_order">ipv4_first</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">1</Option>
@@ -681,10 +706,10 @@
           <Option name="loopback_interface">lo0</Option>
           <Option name="macosx_ip_forward">1</Option>
           <Option name="manage_virtual_addr">true</Option>
-          <Option name="mgmt_addr"/>
-          <Option name="mgmt_ssh">False</Option>
+          <Option name="mgmt_addr">1.1.1.100</Option>
+          <Option name="mgmt_ssh">True</Option>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="output_file"/>
+          <Option name="output_file"></Option>
           <Option name="pass_all_out">false</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
@@ -705,19 +730,20 @@
           <Option name="pix_use_acl_remarks">true</Option>
           <Option name="prompt1">$ </Option>
           <Option name="prompt2"> # </Option>
-          <Option name="scpArgs"/>
+          <Option name="scpArgs"></Option>
           <Option name="solaris_ip_forward">1</Option>
-          <Option name="sshArgs"/>
+          <Option name="sshArgs"></Option>
           <Option name="ulog_nlgroup">1</Option>
+          <Option name="use_scp">False</Option>
           <Option name="verify_interfaces">true</Option>
         </FirewallOptions>
       </Firewall>
       <Firewall id="id464131E426611" host_OS="ios" inactive="False" lastCompiled="1251228630" lastInstalled="0" lastModified="1257660998" platform="iosacl" version="12.4" name="testios20" comment="" ro="False">
-        <NAT id="id4641320F26611" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
+        <NAT id="id4641320F26611" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
         </NAT>
-        
         <Policy id="id464131EA26611" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
-        <PolicyRule id="id464131EB26611" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
+          <PolicyRule id="id464131EB26611" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -737,7 +763,8 @@
               <Option name="color">#C0BA44</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id464131F726611" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id464131F726611" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -757,7 +784,8 @@
               <Option name="color">#C0BA44</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id464137AA26611" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id464137AA26611" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -777,7 +805,8 @@
               <Option name="color">#C0BA44</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4641379926611" disabled="False" log="False" position="3" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4641379926611" disabled="False" log="False" position="3" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -797,7 +826,8 @@
               <Option name="color">#8BC065</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4641378826611" disabled="False" log="False" position="4" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4641378826611" disabled="False" log="False" position="4" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -817,7 +847,8 @@
               <Option name="color">#8BC065</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4641377726611" disabled="False" log="False" position="5" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4641377726611" disabled="False" log="False" position="5" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -837,7 +868,8 @@
               <Option name="color">#8BC065</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id152F20845" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id152F20845" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -856,7 +888,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id152220845" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id152220845" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -875,7 +908,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id153D20845" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id153D20845" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -894,7 +928,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id154B20845" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id154B20845" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -914,7 +949,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id7427X44763" disabled="False" group="" log="False" position="10" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id7427X44763" disabled="False" group="" log="False" position="10" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -936,7 +972,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id7456X44763" disabled="False" group="" log="False" position="11" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id7456X44763" disabled="False" group="" log="False" position="11" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -955,7 +992,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id85935X7744" disabled="False" group="" log="False" position="12" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id85935X7744" disabled="False" group="" log="False" position="12" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -975,7 +1013,8 @@
               <Option name="color">#8BC065</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id85953X7744" disabled="False" group="" log="False" position="13" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id85953X7744" disabled="False" group="" log="False" position="13" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -996,7 +1035,8 @@
               <Option name="color">#8BC065</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id85970X7744" disabled="False" group="" log="False" position="14" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id85970X7744" disabled="False" group="" log="False" position="14" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1016,7 +1056,8 @@
               <Option name="color">#8BC065</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id7439X44763" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id7439X44763" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1035,7 +1076,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4641320326611" disabled="False" log="True" position="16" action="Deny" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4641320326611" disabled="False" log="True" position="16" action="Deny" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1054,15 +1096,17 @@
             <PolicyRuleOptions>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
-          </PolicyRule><RuleSetOptions/></Policy>
-        <Routing id="id4641321026611" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
+        <Routing id="id4641321026611" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
         </Routing>
-        
-        <Interface id="id4641321126611" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
+        <Interface id="id4641321126611" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
           <IPv4 id="id4641321326611" name="testios20:ethernet0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
           <InterfaceOptions/>
         </Interface>
-        <Interface id="id4641321426611" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
+        <Interface id="id4641321426611" dedicated_failover="False" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
           <IPv4 id="id4641321626611" name="testios20:ethernet1:ip" comment="" ro="False" address="10.10.10.1" netmask="255.255.255.0"/>
           <InterfaceOptions/>
         </Interface>
@@ -1075,10 +1119,10 @@
           <Option name="accept_established">true</Option>
           <Option name="accept_new_tcp_with_no_syn">true</Option>
           <Option name="add_check_state_rule">true</Option>
-          <Option name="admUser"/>
-          <Option name="altAddress"/>
+          <Option name="admUser"></Option>
+          <Option name="altAddress"></Option>
           <Option name="check_shading">False</Option>
-          <Option name="compiler"/>
+          <Option name="compiler"></Option>
           <Option name="configure_interfaces">true</Option>
           <Option name="eliminate_duplicates">true</Option>
           <Option name="firewall_dir">/etc</Option>
@@ -1091,21 +1135,21 @@
           <Option name="iosacl_acl_basic">True</Option>
           <Option name="iosacl_acl_no_clear">False</Option>
           <Option name="iosacl_acl_substitution">False</Option>
-          <Option name="iosacl_acl_temp_addr"/>
+          <Option name="iosacl_acl_temp_addr"></Option>
           <Option name="iosacl_add_clear_statements">true</Option>
           <Option name="iosacl_assume_fw_part_of_any">true</Option>
-          <Option name="iosacl_epilog_script"/>
+          <Option name="iosacl_epilog_script"></Option>
           <Option name="iosacl_include_comments">True</Option>
           <Option name="iosacl_logging_buffered">False</Option>
-          <Option name="iosacl_logging_buffered_level"/>
+          <Option name="iosacl_logging_buffered_level"></Option>
           <Option name="iosacl_logging_console">False</Option>
-          <Option name="iosacl_logging_console_level"/>
+          <Option name="iosacl_logging_console_level"></Option>
           <Option name="iosacl_logging_timestamp">False</Option>
-          <Option name="iosacl_logging_trap_level"/>
-          <Option name="iosacl_prolog_script"/>
+          <Option name="iosacl_logging_trap_level"></Option>
+          <Option name="iosacl_prolog_script"></Option>
           <Option name="iosacl_regroup_commands">False</Option>
-          <Option name="iosacl_syslog_facility"/>
-          <Option name="iosacl_syslog_host"/>
+          <Option name="iosacl_syslog_facility"></Option>
+          <Option name="iosacl_syslog_host"></Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">1</Option>
           <Option name="load_modules">true</Option>
@@ -1115,10 +1159,10 @@
           <Option name="loopback_interface">lo0</Option>
           <Option name="macosx_ip_forward">1</Option>
           <Option name="manage_virtual_addr">true</Option>
-          <Option name="mgmt_addr"/>
+          <Option name="mgmt_addr"></Option>
           <Option name="mgmt_ssh">False</Option>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="output_file"/>
+          <Option name="output_file"></Option>
           <Option name="pass_all_out">false</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
@@ -1140,17 +1184,17 @@
           <Option name="prompt1">$ </Option>
           <Option name="prompt2"> # </Option>
           <Option name="solaris_ip_forward">1</Option>
-          <Option name="sshArgs"/>
+          <Option name="sshArgs"></Option>
           <Option name="ulog_nlgroup">1</Option>
           <Option name="verify_interfaces">true</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall id="id464264CC12807" host_OS="ios" inactive="False" lastCompiled="1251228628" lastInstalled="0" lastModified="1237438938" platform="iosacl" version="12.x" name="testios2" comment="" ro="False">
-        <NAT id="id464265C412807" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
+      <Firewall id="id464264CC12807" host_OS="ios" inactive="False" lastCompiled="1261963349" lastInstalled="0" lastModified="1261963784" platform="iosacl" version="12.x" name="testios2" comment="" ro="False">
+        <NAT id="id464265C412807" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
         </NAT>
-        
         <Policy id="id464264D212807" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
-        <PolicyRule id="id464264D312807" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti-spoofing">
+          <PolicyRule id="id464264D312807" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti-spoofing">
             <Src neg="False">
               <ObjectRef ref="id46412C4226611"/>
             </Src>
@@ -1169,7 +1213,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id464264DF12807" disabled="False" log="True" position="1" action="Deny" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id464264DF12807" disabled="False" log="True" position="1" action="Deny" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1188,7 +1233,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id464264EB12807" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id464264EB12807" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1208,7 +1254,8 @@
               <Option name="color">#C0BA44</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id464264F712807" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id464264F712807" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1229,7 +1276,8 @@
               <Option name="color">#C0BA44</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4642650412807" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4642650412807" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1249,7 +1297,8 @@
               <Option name="color">#C0BA44</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4642651012807" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4642651012807" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1269,7 +1318,8 @@
               <Option name="color">#C0BA44</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4642651C12807" disabled="False" log="False" position="6" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4642651C12807" disabled="False" log="False" position="6" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1289,7 +1339,8 @@
               <Option name="color">#8BC065</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4642652812807" disabled="False" log="False" position="7" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4642652812807" disabled="False" log="False" position="7" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1309,7 +1360,8 @@
               <Option name="color">#8BC065</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4642653412807" disabled="False" log="False" position="8" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4642653412807" disabled="False" log="False" position="8" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1329,7 +1381,8 @@
               <Option name="color">#8BC065</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4642654012807" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4642654012807" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456929061"/>
             </Src>
@@ -1349,7 +1402,8 @@
               <Option name="color">#C0BA44</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4642654C12807" disabled="False" log="False" position="10" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4642654C12807" disabled="False" log="False" position="10" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456929061"/>
             </Src>
@@ -1369,7 +1423,8 @@
               <Option name="color">#C0BA44</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4642655812807" disabled="False" log="False" position="11" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4642655812807" disabled="False" log="False" position="11" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456929061"/>
             </Src>
@@ -1389,7 +1444,8 @@
               <Option name="color">#C0BA44</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4642656412807" disabled="False" log="False" position="12" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4642656412807" disabled="False" log="False" position="12" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456629061"/>
             </Src>
@@ -1409,7 +1465,8 @@
               <Option name="color">#C86E6E</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4642657012807" disabled="False" log="False" position="13" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4642657012807" disabled="False" log="False" position="13" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456629061"/>
             </Src>
@@ -1429,7 +1486,8 @@
               <Option name="color">#C86E6E</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4642657C12807" disabled="False" log="False" position="14" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4642657C12807" disabled="False" log="False" position="14" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456629061"/>
             </Src>
@@ -1449,7 +1507,8 @@
               <Option name="color">#C86E6E</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4642658812807" disabled="False" log="False" position="15" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4642658812807" disabled="False" log="False" position="15" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456629061"/>
             </Src>
@@ -1469,7 +1528,8 @@
               <Option name="color">#C86E6E</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4642659412807" disabled="False" log="False" position="16" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4642659412807" disabled="False" log="False" position="16" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456629061"/>
             </Src>
@@ -1489,7 +1549,8 @@
               <Option name="color">#C86E6E</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id464265A012807" disabled="False" log="False" position="17" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id464265A012807" disabled="False" log="False" position="17" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456629061"/>
             </Src>
@@ -1509,7 +1570,8 @@
               <Option name="color">#C86E6E</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id464265AC12807" disabled="False" log="False" position="18" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id464265AC12807" disabled="False" log="False" position="18" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4641456629061"/>
             </Src>
@@ -1529,7 +1591,8 @@
               <Option name="color">#C86E6E</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id464265B812807" disabled="False" log="True" position="19" action="Deny" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id464265B812807" disabled="False" log="True" position="19" action="Deny" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1548,15 +1611,17 @@
             <PolicyRuleOptions>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
-          </PolicyRule><RuleSetOptions/></Policy>
-        <Routing id="id464265C512807" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
+        <Routing id="id464265C512807" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
         </Routing>
-        
-        <Interface id="id464265C612807" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
+        <Interface id="id464265C612807" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
           <IPv4 id="id464265C812807" name="testios2:ethernet0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
           <InterfaceOptions/>
         </Interface>
-        <Interface id="id464265C912807" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
+        <Interface id="id464265C912807" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
           <IPv4 id="id464265CB12807" name="testios2:ethernet1:ip" comment="" ro="False" address="10.10.10.1" netmask="255.255.255.0"/>
           <InterfaceOptions/>
         </Interface>
@@ -1569,11 +1634,12 @@
           <Option name="accept_established">true</Option>
           <Option name="accept_new_tcp_with_no_syn">true</Option>
           <Option name="add_check_state_rule">true</Option>
-          <Option name="admUser"/>
-          <Option name="altAddress"/>
+          <Option name="admUser"></Option>
+          <Option name="altAddress"></Option>
           <Option name="check_shading">False</Option>
           <Option name="configure_interfaces">true</Option>
           <Option name="eliminate_duplicates">true</Option>
+          <Option name="filesystem">/etc</Option>
           <Option name="firewall_dir">/etc</Option>
           <Option name="firewall_is_part_of_any_and_networks">true</Option>
           <Option name="freebsd_ip_forward">1</Option>
@@ -1587,19 +1653,20 @@
           <Option name="iosacl_acl_temp_addr">10.10.10.0/24</Option>
           <Option name="iosacl_add_clear_statements">true</Option>
           <Option name="iosacl_assume_fw_part_of_any">true</Option>
-          <Option name="iosacl_epilog_script"/>
+          <Option name="iosacl_epilog_script"></Option>
           <Option name="iosacl_generate_logging_commands">False</Option>
           <Option name="iosacl_include_comments">True</Option>
           <Option name="iosacl_logging_buffered">False</Option>
-          <Option name="iosacl_logging_buffered_level">0</Option>
+          <Option name="iosacl_logging_buffered_level">3</Option>
           <Option name="iosacl_logging_console">False</Option>
-          <Option name="iosacl_logging_console_level">0</Option>
+          <Option name="iosacl_logging_console_level">3</Option>
           <Option name="iosacl_logging_timestamp">False</Option>
-          <Option name="iosacl_logging_trap_level">0</Option>
-          <Option name="iosacl_prolog_script"/>
+          <Option name="iosacl_logging_trap_level">3</Option>
+          <Option name="iosacl_prolog_script"></Option>
           <Option name="iosacl_regroup_commands">False</Option>
-          <Option name="iosacl_syslog_facility"/>
-          <Option name="iosacl_syslog_host"/>
+          <Option name="iosacl_syslog_facility"></Option>
+          <Option name="iosacl_syslog_host"></Option>
+          <Option name="iosacl_use_acl_remarks">False</Option>
           <Option name="ipv4_6_order">ipv4_first</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">1</Option>
@@ -1610,10 +1677,10 @@
           <Option name="loopback_interface">lo0</Option>
           <Option name="macosx_ip_forward">1</Option>
           <Option name="manage_virtual_addr">true</Option>
-          <Option name="mgmt_addr"/>
-          <Option name="mgmt_ssh">False</Option>
+          <Option name="mgmt_addr">10.10.10.0/24</Option>
+          <Option name="mgmt_ssh">True</Option>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="output_file"/>
+          <Option name="output_file"></Option>
           <Option name="pass_all_out">false</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
@@ -1634,19 +1701,20 @@
           <Option name="pix_use_acl_remarks">true</Option>
           <Option name="prompt1">$ </Option>
           <Option name="prompt2"> # </Option>
-          <Option name="scpArgs"/>
+          <Option name="scpArgs"></Option>
           <Option name="solaris_ip_forward">1</Option>
-          <Option name="sshArgs"/>
+          <Option name="sshArgs"></Option>
           <Option name="ulog_nlgroup">1</Option>
+          <Option name="use_scp">False</Option>
           <Option name="verify_interfaces">true</Option>
         </FirewallOptions>
       </Firewall>
       <Firewall id="id464359FE16989" host_OS="ios" inactive="False" lastCompiled="1244751217" lastInstalled="0" lastModified="1252367946" platform="iosacl" version="12.x" name="c3620" comment="" ro="False">
-        <NAT id="id46435A0216989" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
+        <NAT id="id46435A0216989" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
         </NAT>
-        
         <Policy id="id46435A0116989" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
-        <PolicyRule id="id464D2B0E24319" disabled="False" log="False" position="0" action="Accept" direction="Inbound" comment="interface eth 1/1 has only&#10;inbound access list">
+          <PolicyRule id="id464D2B0E24319" disabled="False" log="False" position="0" action="Accept" direction="Inbound" comment="interface eth 1/1 has only&#10;inbound access list">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1665,7 +1733,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id464C8AAD10931" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id464C8AAD10931" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1684,7 +1753,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id464C8AA110931" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id464C8AA110931" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1703,7 +1773,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id46435A1C16989" disabled="False" log="False" position="3" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id46435A1C16989" disabled="False" log="False" position="3" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="id46435A0F16989"/>
             </Src>
@@ -1722,7 +1793,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4643662716989" disabled="False" log="False" position="4" action="Accept" direction="Outbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4643662716989" disabled="False" log="False" position="4" action="Accept" direction="Outbound" comment="">
             <Src neg="False">
               <ObjectRef ref="id46435A0F16989"/>
             </Src>
@@ -1741,7 +1813,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4643664116989" disabled="False" log="False" position="5" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4643664116989" disabled="False" log="False" position="5" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1760,7 +1833,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4643663516989" disabled="False" log="False" position="6" action="Accept" direction="Outbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4643663516989" disabled="False" log="False" position="6" action="Accept" direction="Outbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1779,7 +1853,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4254X38343" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4254X38343" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1798,7 +1873,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4341X97727" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4341X97727" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1819,7 +1895,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4268X38343" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4268X38343" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1838,7 +1915,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id5500X42946" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id5500X42946" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1857,7 +1935,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id46435A1016989" disabled="True" log="True" position="11" action="Deny" direction="Both" comment="disable this rule to make&#10;sure no outbound rules are&#10;generated for eth 1/1">
+          </PolicyRule>
+          <PolicyRule id="id46435A1016989" disabled="True" log="True" position="11" action="Deny" direction="Both" comment="disable this rule to make&#10;sure no outbound rules are&#10;generated for eth 1/1">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -1876,7 +1955,9 @@
             <PolicyRuleOptions>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
-          </PolicyRule><RuleSetOptions/></Policy>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
         <Routing id="id46435A0316989" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <RoutingRule id="id4195X90642" disabled="False" metric="1" position="0" comment="">
             <RDst neg="False">
@@ -1914,26 +1995,25 @@
             </RItf>
             <RoutingRuleOptions/>
           </RoutingRule>
-        <RuleSetOptions/>
+          <RuleSetOptions/>
         </Routing>
-        
-        <Interface id="id46435A0416989" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="Ethernet1/0" comment="" ro="False">
+        <Interface id="id46435A0416989" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="Ethernet1/0" comment="" ro="False">
           <IPv4 id="id46435A0516989" name="c3620:Ethernet1/0:ip" comment="" ro="False" address="192.168.171.2" netmask="255.255.255.0"/>
           <InterfaceOptions/>
         </Interface>
-        <Interface id="id46435A0616989" dyn="False" label="" mgmt="False" security_level="100" unnum="True" unprotected="False" name="Ethernet1/1" comment="" ro="False">
+        <Interface id="id46435A0616989" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="True" unprotected="False" name="Ethernet1/1" comment="" ro="False">
           <IPv4 id="id46435A0716989" name="c3620:Ethernet1/1:ip" comment="" ro="False" address="0.0.0.0" netmask="255.255.255.255"/>
           <InterfaceOptions/>
         </Interface>
-        <Interface id="id46435A0816989" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="FastEthernet0/0" comment="" ro="False">
+        <Interface id="id46435A0816989" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="FastEthernet0/0" comment="" ro="False">
           <IPv4 id="id46435A0916989" name="c3620:FastEthernet0/0:ip" comment="" ro="False" address="10.3.14.201" netmask="255.255.255.0"/>
           <InterfaceOptions/>
         </Interface>
-        <Interface id="id46435A0A16989" dyn="False" label="" mgmt="False" security_level="100" unnum="True" unprotected="True" name="Null0" comment="" ro="False">
+        <Interface id="id46435A0A16989" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="True" unprotected="True" name="Null0" comment="" ro="False">
           <IPv4 id="id46435A0B16989" name="c3620:Null0:ip" comment="" ro="False" address="0.0.0.0" netmask="255.255.255.255"/>
           <InterfaceOptions/>
         </Interface>
-        <Interface id="id46435A0C16989" dyn="False" label="" mgmt="False" security_level="100" unnum="True" unprotected="True" name="Serial1/0" comment="" ro="False">
+        <Interface id="id46435A0C16989" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="True" unprotected="True" name="Serial1/0" comment="" ro="False">
           <IPv4 id="id46435A0D16989" name="c3620:Serial1/0:ip" comment="" ro="False" address="0.0.0.0" netmask="255.255.255.255"/>
           <InterfaceOptions/>
         </Interface>
@@ -1946,8 +2026,8 @@
           <Option name="accept_established">true</Option>
           <Option name="accept_new_tcp_with_no_syn">true</Option>
           <Option name="add_check_state_rule">true</Option>
-          <Option name="admUser"/>
-          <Option name="altAddress"/>
+          <Option name="admUser"></Option>
+          <Option name="altAddress"></Option>
           <Option name="check_shading">False</Option>
           <Option name="configure_interfaces">true</Option>
           <Option name="eliminate_duplicates">true</Option>
@@ -1959,10 +2039,10 @@
           <Option name="iosacl_acl_basic">True</Option>
           <Option name="iosacl_acl_no_clear">False</Option>
           <Option name="iosacl_acl_substitution">False</Option>
-          <Option name="iosacl_acl_temp_addr"/>
+          <Option name="iosacl_acl_temp_addr"></Option>
           <Option name="iosacl_add_clear_statements">true</Option>
           <Option name="iosacl_assume_fw_part_of_any">true</Option>
-          <Option name="iosacl_epilog_script"/>
+          <Option name="iosacl_epilog_script"></Option>
           <Option name="iosacl_generate_logging_commands">True</Option>
           <Option name="iosacl_include_comments">True</Option>
           <Option name="iosacl_logging_buffered">True</Option>
@@ -1971,10 +2051,10 @@
           <Option name="iosacl_logging_console_level">5</Option>
           <Option name="iosacl_logging_timestamp">False</Option>
           <Option name="iosacl_logging_trap_level">2</Option>
-          <Option name="iosacl_prolog_script"/>
+          <Option name="iosacl_prolog_script"></Option>
           <Option name="iosacl_regroup_commands">False</Option>
-          <Option name="iosacl_syslog_facility"/>
-          <Option name="iosacl_syslog_host"/>
+          <Option name="iosacl_syslog_facility"></Option>
+          <Option name="iosacl_syslog_host"></Option>
           <Option name="iosacl_use_acl_remarks">True</Option>
           <Option name="ipv4_6_order">ipv4_first</Option>
           <Option name="limit_value">0</Option>
@@ -1989,7 +2069,7 @@
           <Option name="mgmt_addr">10.3.14.40</Option>
           <Option name="mgmt_ssh">True</Option>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="output_file"/>
+          <Option name="output_file"></Option>
           <Option name="pass_all_out">false</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
@@ -2010,19 +2090,19 @@
           <Option name="pix_use_acl_remarks">true</Option>
           <Option name="prompt1">$ </Option>
           <Option name="prompt2"> # </Option>
-          <Option name="scpArgs"/>
+          <Option name="scpArgs"></Option>
           <Option name="solaris_ip_forward">1</Option>
-          <Option name="sshArgs"/>
+          <Option name="sshArgs"></Option>
           <Option name="ulog_nlgroup">1</Option>
           <Option name="verify_interfaces">true</Option>
         </FirewallOptions>
       </Firewall>
       <Firewall id="id19020X65694" host_OS="ios" inactive="False" lastCompiled="1251228621" lastInstalled="0" lastModified="1237473586" platform="iosacl" version="12.x" name="firewall-ipv6-1" comment="" ro="False">
-        <NAT id="id19428X65694" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
+        <NAT id="id19428X65694" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
         </NAT>
-        
         <Policy id="id19026X65694" name="fw-ipv6-1-ipv4" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
-        <PolicyRule id="id19054X65694" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
+          <PolicyRule id="id19054X65694" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19068X65694"/>
             </Src>
@@ -2041,7 +2121,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id28332X65694" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id28332X65694" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -2061,9 +2142,11 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><RuleSetOptions/></Policy>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
         <Policy id="id19082X65694" name="fw-ipv6-1-ipv6" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
-        <PolicyRule id="id19110X65694" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
+          <PolicyRule id="id19110X65694" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19068X65694"/>
             </Src>
@@ -2082,7 +2165,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id19137X65694" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id19137X65694" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19151X65694"/>
             </Src>
@@ -2101,7 +2185,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id19165X65694" disabled="False" log="True" position="2" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id19165X65694" disabled="False" log="True" position="2" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19179X65694"/>
             </Src>
@@ -2120,7 +2205,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id19194X65694" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id19194X65694" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19208X65694"/>
             </Src>
@@ -2139,7 +2225,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id19226X65694" disabled="False" group="" log="True" position="4" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id19226X65694" disabled="False" group="" log="True" position="4" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -2158,7 +2245,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id19260X65694" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id19260X65694" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19208X65694"/>
             </Src>
@@ -2177,7 +2265,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id19288X65694" disabled="False" group="" log="True" position="6" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id19288X65694" disabled="False" group="" log="True" position="6" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -2196,7 +2285,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id19316X65694" disabled="False" log="True" position="7" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id19316X65694" disabled="False" log="True" position="7" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -2215,7 +2305,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id19344X65694" disabled="False" log="True" position="8" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id19344X65694" disabled="False" log="True" position="8" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19068X65694"/>
             </Src>
@@ -2234,7 +2325,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id19372X65694" disabled="False" log="True" position="9" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id19372X65694" disabled="False" log="True" position="9" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19208X65694"/>
             </Src>
@@ -2253,7 +2345,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id19400X65694" disabled="False" log="True" position="10" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id19400X65694" disabled="False" log="True" position="10" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -2272,7 +2365,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id24941X65694" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id24941X65694" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -2292,7 +2386,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id7994X97727" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id7994X97727" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -2311,7 +2406,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id9240X97727" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id9240X97727" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -2334,11 +2430,13 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><RuleSetOptions/></Policy>
-        <Routing id="id19429X65694" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
+        <Routing id="id19429X65694" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
         </Routing>
-        
-        <Interface id="id19430X65694" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="Ethernet0/0" comment="" ro="False">
+        <Interface id="id19430X65694" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="Ethernet0/0" comment="" ro="False">
           <IPv4 id="id19431X65694" name="firewall-ipv6-1:Ethernet0/0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
           <IPv6 id="id19432X65694" name="firewall-ipv6-1:Ethernet0/0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
           <InterfaceOptions/>
@@ -2351,34 +2449,34 @@
         <FirewallOptions>
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
-          <Option name="action_on_reject"/>
-          <Option name="activationCmd"/>
+          <Option name="action_on_reject"></Option>
+          <Option name="activationCmd"></Option>
           <Option name="add_check_state_rule">true</Option>
-          <Option name="admUser"/>
-          <Option name="altAddress"/>
+          <Option name="admUser"></Option>
+          <Option name="altAddress"></Option>
           <Option name="bridging_fw">False</Option>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
           <Option name="classify_mark_terminating">False</Option>
           <Option name="cmdline">-xt</Option>
-          <Option name="compiler"/>
+          <Option name="compiler"></Option>
           <Option name="configure_interfaces">True</Option>
           <Option name="debug">False</Option>
           <Option name="drop_invalid">False</Option>
           <Option name="eliminate_duplicates">true</Option>
           <Option name="enable_ipv6">True</Option>
-          <Option name="epilog_script"/>
+          <Option name="epilog_script"></Option>
           <Option name="fallback_log">False</Option>
           <Option name="firewall_dir">/etc</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
           <Option name="freebsd_ip_forward">1</Option>
-          <Option name="freebsd_ip_redirect"/>
-          <Option name="freebsd_ip_sourceroute"/>
+          <Option name="freebsd_ip_redirect"></Option>
+          <Option name="freebsd_ip_sourceroute"></Option>
           <Option name="freebsd_ipv6_forward">1</Option>
-          <Option name="freebsd_path_ipf"/>
-          <Option name="freebsd_path_ipfw"/>
-          <Option name="freebsd_path_ipnat"/>
-          <Option name="freebsd_path_sysctl"/>
+          <Option name="freebsd_path_ipf"></Option>
+          <Option name="freebsd_path_ipfw"></Option>
+          <Option name="freebsd_path_ipnat"></Option>
+          <Option name="freebsd_path_sysctl"></Option>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
           <Option name="iosacl_acl_basic">False</Option>
@@ -2387,7 +2485,7 @@
           <Option name="iosacl_acl_temp_addr">fe80::21d:9ff:aaaa:bbbb</Option>
           <Option name="iosacl_add_clear_statements">true</Option>
           <Option name="iosacl_assume_fw_part_of_any">true</Option>
-          <Option name="iosacl_epilog_script"/>
+          <Option name="iosacl_epilog_script"></Option>
           <Option name="iosacl_generate_logging_commands">False</Option>
           <Option name="iosacl_include_comments">True</Option>
           <Option name="iosacl_logging_buffered">False</Option>
@@ -2396,13 +2494,13 @@
           <Option name="iosacl_logging_console_level">0</Option>
           <Option name="iosacl_logging_timestamp">False</Option>
           <Option name="iosacl_logging_trap_level">0</Option>
-          <Option name="iosacl_prolog_script"/>
+          <Option name="iosacl_prolog_script"></Option>
           <Option name="iosacl_regroup_commands">False</Option>
-          <Option name="iosacl_syslog_facility"/>
-          <Option name="iosacl_syslog_host"/>
-          <Option name="ipt_mangle_only_rulesets"/>
+          <Option name="iosacl_syslog_facility"></Option>
+          <Option name="iosacl_syslog_host"></Option>
+          <Option name="ipt_mangle_only_rulesets"></Option>
           <Option name="ipv4_6_order">ipv4_first</Option>
-          <Option name="limit_suffix"/>
+          <Option name="limit_suffix"></Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">1</Option>
           <Option name="load_modules">True</Option>
@@ -2417,18 +2515,18 @@
           <Option name="loopback_interface">lo0</Option>
           <Option name="macosx_ip_forward">1</Option>
           <Option name="manage_virtual_addr">True</Option>
-          <Option name="mgmt_addr"/>
+          <Option name="mgmt_addr"></Option>
           <Option name="mgmt_ssh">False</Option>
           <Option name="modulate_state">False</Option>
           <Option name="no_ipv6_default_policy">False</Option>
-          <Option name="openbsd_ip_directed_broadcast"/>
+          <Option name="openbsd_ip_directed_broadcast"></Option>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="openbsd_ip_redirect"/>
-          <Option name="openbsd_ip_sourceroute"/>
+          <Option name="openbsd_ip_redirect"></Option>
+          <Option name="openbsd_ip_sourceroute"></Option>
           <Option name="openbsd_ipv6_forward">1</Option>
-          <Option name="openbsd_path_pfctl"/>
-          <Option name="openbsd_path_sysctl"/>
-          <Option name="output_file"/>
+          <Option name="openbsd_path_pfctl"></Option>
+          <Option name="openbsd_path_sysctl"></Option>
+          <Option name="output_file"></Option>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -2447,7 +2545,7 @@
           <Option name="pf_limit_states">10000</Option>
           <Option name="pf_limit_table_entries">0</Option>
           <Option name="pf_limit_tables">0</Option>
-          <Option name="pf_optimization"/>
+          <Option name="pf_optimization"></Option>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -2499,12 +2597,12 @@
           <Option name="pix_syslog_device_id_supported">false</Option>
           <Option name="pix_use_acl_remarks">true</Option>
           <Option name="prolog_place">fw_file</Option>
-          <Option name="prolog_script"/>
+          <Option name="prolog_script"></Option>
           <Option name="prompt1">$ </Option>
           <Option name="prompt2"> # </Option>
-          <Option name="scpArgs"/>
+          <Option name="scpArgs"></Option>
           <Option name="solaris_ip_forward">1</Option>
-          <Option name="sshArgs"/>
+          <Option name="sshArgs"></Option>
           <Option name="ulog_cprange">0</Option>
           <Option name="ulog_nlgroup">1</Option>
           <Option name="ulog_qthreshold">1</Option>
@@ -2515,11 +2613,11 @@
         </FirewallOptions>
       </Firewall>
       <Firewall id="id10507X97727" host_OS="ios" inactive="False" lastCompiled="1251228623" lastInstalled="0" lastModified="1236920290" platform="iosacl" version="12.x" name="firewall-ipv6-2" comment="" ro="False">
-        <NAT id="id10713X97727" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
+        <NAT id="id10713X97727" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
         </NAT>
-        
         <Policy id="id10513X97727" name="fw-ipv6-2-ipv4" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
-        <PolicyRule id="id10514X97727" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
+          <PolicyRule id="id10514X97727" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19068X65694"/>
             </Src>
@@ -2538,7 +2636,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id10526X97727" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id10526X97727" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -2558,9 +2657,11 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><RuleSetOptions/></Policy>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
         <Policy id="id10539X97727" name="fw-ipv6-2-ipv6" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
-        <PolicyRule id="id10540X97727" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
+          <PolicyRule id="id10540X97727" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19068X65694"/>
             </Src>
@@ -2579,7 +2680,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id10552X97727" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id10552X97727" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19151X65694"/>
             </Src>
@@ -2598,7 +2700,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id10564X97727" disabled="False" log="True" position="2" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id10564X97727" disabled="False" log="True" position="2" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19179X65694"/>
             </Src>
@@ -2617,7 +2720,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id10576X97727" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id10576X97727" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19208X65694"/>
             </Src>
@@ -2636,7 +2740,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id10588X97727" disabled="False" group="" log="True" position="4" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id10588X97727" disabled="False" group="" log="True" position="4" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -2655,7 +2760,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id10600X97727" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id10600X97727" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19208X65694"/>
             </Src>
@@ -2674,7 +2780,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id10612X97727" disabled="False" group="" log="True" position="6" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id10612X97727" disabled="False" group="" log="True" position="6" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -2693,7 +2800,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id10624X97727" disabled="False" log="True" position="7" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id10624X97727" disabled="False" log="True" position="7" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -2712,7 +2820,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id10636X97727" disabled="False" log="True" position="8" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id10636X97727" disabled="False" log="True" position="8" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19068X65694"/>
             </Src>
@@ -2731,7 +2840,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id10648X97727" disabled="False" log="True" position="9" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id10648X97727" disabled="False" log="True" position="9" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19208X65694"/>
             </Src>
@@ -2750,7 +2860,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id10660X97727" disabled="False" log="True" position="10" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id10660X97727" disabled="False" log="True" position="10" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -2769,7 +2880,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id10672X97727" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id10672X97727" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -2789,7 +2901,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id10685X97727" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id10685X97727" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -2808,7 +2921,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id10697X97727" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id10697X97727" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -2831,11 +2945,13 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><RuleSetOptions/></Policy>
-        <Routing id="id10714X97727" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
+        <Routing id="id10714X97727" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
         </Routing>
-        
-        <Interface id="id10715X97727" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="Ethernet0/0" comment="" ro="False">
+        <Interface id="id10715X97727" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="Ethernet0/0" comment="" ro="False">
           <IPv4 id="id10718X97727" name="firewall-ipv6-2:Ethernet0/0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
           <IPv6 id="id10719X97727" name="firewall-ipv6-2:Ethernet0/0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
           <InterfaceOptions/>
@@ -2848,34 +2964,34 @@
         <FirewallOptions>
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
-          <Option name="action_on_reject"/>
-          <Option name="activationCmd"/>
+          <Option name="action_on_reject"></Option>
+          <Option name="activationCmd"></Option>
           <Option name="add_check_state_rule">true</Option>
-          <Option name="admUser"/>
-          <Option name="altAddress"/>
+          <Option name="admUser"></Option>
+          <Option name="altAddress"></Option>
           <Option name="bridging_fw">False</Option>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
           <Option name="classify_mark_terminating">False</Option>
           <Option name="cmdline">-xt</Option>
-          <Option name="compiler"/>
+          <Option name="compiler"></Option>
           <Option name="configure_interfaces">True</Option>
           <Option name="debug">False</Option>
           <Option name="drop_invalid">False</Option>
           <Option name="eliminate_duplicates">true</Option>
           <Option name="enable_ipv6">True</Option>
-          <Option name="epilog_script"/>
+          <Option name="epilog_script"></Option>
           <Option name="fallback_log">False</Option>
           <Option name="firewall_dir">/etc</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
           <Option name="freebsd_ip_forward">1</Option>
-          <Option name="freebsd_ip_redirect"/>
-          <Option name="freebsd_ip_sourceroute"/>
+          <Option name="freebsd_ip_redirect"></Option>
+          <Option name="freebsd_ip_sourceroute"></Option>
           <Option name="freebsd_ipv6_forward">1</Option>
-          <Option name="freebsd_path_ipf"/>
-          <Option name="freebsd_path_ipfw"/>
-          <Option name="freebsd_path_ipnat"/>
-          <Option name="freebsd_path_sysctl"/>
+          <Option name="freebsd_path_ipf"></Option>
+          <Option name="freebsd_path_ipfw"></Option>
+          <Option name="freebsd_path_ipnat"></Option>
+          <Option name="freebsd_path_sysctl"></Option>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
           <Option name="iosacl_acl_basic">False</Option>
@@ -2884,7 +3000,7 @@
           <Option name="iosacl_acl_temp_addr">1.1.1.0/24</Option>
           <Option name="iosacl_add_clear_statements">true</Option>
           <Option name="iosacl_assume_fw_part_of_any">true</Option>
-          <Option name="iosacl_epilog_script"/>
+          <Option name="iosacl_epilog_script"></Option>
           <Option name="iosacl_generate_logging_commands">False</Option>
           <Option name="iosacl_include_comments">True</Option>
           <Option name="iosacl_logging_buffered">False</Option>
@@ -2893,13 +3009,13 @@
           <Option name="iosacl_logging_console_level">2</Option>
           <Option name="iosacl_logging_timestamp">False</Option>
           <Option name="iosacl_logging_trap_level">2</Option>
-          <Option name="iosacl_prolog_script"/>
+          <Option name="iosacl_prolog_script"></Option>
           <Option name="iosacl_regroup_commands">False</Option>
-          <Option name="iosacl_syslog_facility"/>
-          <Option name="iosacl_syslog_host"/>
-          <Option name="ipt_mangle_only_rulesets"/>
+          <Option name="iosacl_syslog_facility"></Option>
+          <Option name="iosacl_syslog_host"></Option>
+          <Option name="ipt_mangle_only_rulesets"></Option>
           <Option name="ipv4_6_order">ipv4_first</Option>
-          <Option name="limit_suffix"/>
+          <Option name="limit_suffix"></Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">1</Option>
           <Option name="load_modules">True</Option>
@@ -2918,14 +3034,14 @@
           <Option name="mgmt_ssh">True</Option>
           <Option name="modulate_state">False</Option>
           <Option name="no_ipv6_default_policy">False</Option>
-          <Option name="openbsd_ip_directed_broadcast"/>
+          <Option name="openbsd_ip_directed_broadcast"></Option>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="openbsd_ip_redirect"/>
-          <Option name="openbsd_ip_sourceroute"/>
+          <Option name="openbsd_ip_redirect"></Option>
+          <Option name="openbsd_ip_sourceroute"></Option>
           <Option name="openbsd_ipv6_forward">1</Option>
-          <Option name="openbsd_path_pfctl"/>
-          <Option name="openbsd_path_sysctl"/>
-          <Option name="output_file"/>
+          <Option name="openbsd_path_pfctl"></Option>
+          <Option name="openbsd_path_sysctl"></Option>
+          <Option name="output_file"></Option>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -2944,7 +3060,7 @@
           <Option name="pf_limit_states">10000</Option>
           <Option name="pf_limit_table_entries">0</Option>
           <Option name="pf_limit_tables">0</Option>
-          <Option name="pf_optimization"/>
+          <Option name="pf_optimization"></Option>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -2996,12 +3112,12 @@
           <Option name="pix_syslog_device_id_supported">false</Option>
           <Option name="pix_use_acl_remarks">true</Option>
           <Option name="prolog_place">fw_file</Option>
-          <Option name="prolog_script"/>
+          <Option name="prolog_script"></Option>
           <Option name="prompt1">$ </Option>
           <Option name="prompt2"> # </Option>
-          <Option name="scpArgs"/>
+          <Option name="scpArgs"></Option>
           <Option name="solaris_ip_forward">1</Option>
-          <Option name="sshArgs"/>
+          <Option name="sshArgs"></Option>
           <Option name="ulog_cprange">0</Option>
           <Option name="ulog_nlgroup">1</Option>
           <Option name="ulog_qthreshold">1</Option>
@@ -3012,11 +3128,11 @@
         </FirewallOptions>
       </Firewall>
       <Firewall id="id4881X21941" host_OS="ios" inactive="False" lastCompiled="1251228619" lastInstalled="0" lastModified="1237438894" platform="iosacl" version="12.x" name="ccie4u-r1" comment="CCIE4U router R1&#10;2600&#10;" ro="False">
-        <NAT id="id5087X21941" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
+        <NAT id="id5087X21941" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
         </NAT>
-        
         <Policy id="id4887X21941" name="r1-ipv4" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
-        <PolicyRule id="id4888X21941" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
+          <PolicyRule id="id4888X21941" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -3035,7 +3151,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4900X21941" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4900X21941" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -3057,7 +3174,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id15139X21941" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id15139X21941" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -3077,9 +3195,11 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><RuleSetOptions/></Policy>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
         <Policy id="id4913X21941" name="r1-ipv6" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
-        <PolicyRule id="id4914X21941" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
+          <PolicyRule id="id4914X21941" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19068X65694"/>
             </Src>
@@ -3098,7 +3218,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4926X21941" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4926X21941" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19151X65694"/>
             </Src>
@@ -3117,7 +3238,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4938X21941" disabled="False" log="True" position="2" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4938X21941" disabled="False" log="True" position="2" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19179X65694"/>
             </Src>
@@ -3136,7 +3258,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4950X21941" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4950X21941" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19208X65694"/>
             </Src>
@@ -3155,7 +3278,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4962X21941" disabled="False" group="" log="True" position="4" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4962X21941" disabled="False" group="" log="True" position="4" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -3174,7 +3298,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4974X21941" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4974X21941" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19208X65694"/>
             </Src>
@@ -3193,7 +3318,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4986X21941" disabled="False" group="" log="True" position="6" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4986X21941" disabled="False" group="" log="True" position="6" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -3212,7 +3338,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id4998X21941" disabled="False" log="True" position="7" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id4998X21941" disabled="False" log="True" position="7" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -3231,7 +3358,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id5010X21941" disabled="False" log="True" position="8" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id5010X21941" disabled="False" log="True" position="8" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19068X65694"/>
             </Src>
@@ -3250,7 +3378,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id5022X21941" disabled="False" log="True" position="9" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id5022X21941" disabled="False" log="True" position="9" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19208X65694"/>
             </Src>
@@ -3269,7 +3398,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id5034X21941" disabled="False" log="True" position="10" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id5034X21941" disabled="False" log="True" position="10" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -3288,7 +3418,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id5046X21941" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id5046X21941" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -3308,7 +3439,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id5059X21941" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id5059X21941" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -3327,7 +3459,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id5071X21941" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id5071X21941" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -3350,16 +3483,18 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><RuleSetOptions/></Policy>
-        <Routing id="id5088X21941" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
+        <Routing id="id5088X21941" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
         </Routing>
-        
-        <Interface id="id5089X21941" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="FastEthernet0/0" comment="" ro="False">
+        <Interface id="id5089X21941" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="FastEthernet0/0" comment="" ro="False">
           <IPv4 id="id5092X21941" name="ccie4u-r1:FastEthernet0/0:ip" comment="" ro="False" address="10.1.1.1" netmask="255.255.255.0"/>
           <IPv6 id="id5093X21941" name="ccie4u-r1:FastEthernet0/0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
           <InterfaceOptions/>
         </Interface>
-        <Interface id="id8437X21941" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="FastEthernet0/1" comment="" ro="False">
+        <Interface id="id8437X21941" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="FastEthernet0/1" comment="" ro="False">
           <IPv4 id="id8438X21941" name="ccie4u-r1:FastEthernet0/1:ip" comment="" ro="False" address="10.1.2.1" netmask="255.255.255.0"/>
           <InterfaceOptions/>
         </Interface>
@@ -3371,34 +3506,34 @@
         <FirewallOptions>
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
-          <Option name="action_on_reject"/>
-          <Option name="activationCmd"/>
+          <Option name="action_on_reject"></Option>
+          <Option name="activationCmd"></Option>
           <Option name="add_check_state_rule">true</Option>
-          <Option name="admUser"/>
-          <Option name="altAddress"/>
+          <Option name="admUser"></Option>
+          <Option name="altAddress"></Option>
           <Option name="bridging_fw">False</Option>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
           <Option name="classify_mark_terminating">False</Option>
           <Option name="cmdline">-xt</Option>
-          <Option name="compiler"/>
+          <Option name="compiler"></Option>
           <Option name="configure_interfaces">True</Option>
           <Option name="debug">False</Option>
           <Option name="drop_invalid">False</Option>
           <Option name="eliminate_duplicates">true</Option>
           <Option name="enable_ipv6">True</Option>
-          <Option name="epilog_script"/>
+          <Option name="epilog_script"></Option>
           <Option name="fallback_log">False</Option>
           <Option name="firewall_dir">/etc</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
           <Option name="freebsd_ip_forward">1</Option>
-          <Option name="freebsd_ip_redirect"/>
-          <Option name="freebsd_ip_sourceroute"/>
+          <Option name="freebsd_ip_redirect"></Option>
+          <Option name="freebsd_ip_sourceroute"></Option>
           <Option name="freebsd_ipv6_forward">1</Option>
-          <Option name="freebsd_path_ipf"/>
-          <Option name="freebsd_path_ipfw"/>
-          <Option name="freebsd_path_ipnat"/>
-          <Option name="freebsd_path_sysctl"/>
+          <Option name="freebsd_path_ipf"></Option>
+          <Option name="freebsd_path_ipfw"></Option>
+          <Option name="freebsd_path_ipnat"></Option>
+          <Option name="freebsd_path_sysctl"></Option>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
           <Option name="iosacl_acl_basic">False</Option>
@@ -3407,7 +3542,7 @@
           <Option name="iosacl_acl_temp_addr">10.1.1.0</Option>
           <Option name="iosacl_add_clear_statements">true</Option>
           <Option name="iosacl_assume_fw_part_of_any">true</Option>
-          <Option name="iosacl_epilog_script"/>
+          <Option name="iosacl_epilog_script"></Option>
           <Option name="iosacl_generate_logging_commands">False</Option>
           <Option name="iosacl_include_comments">True</Option>
           <Option name="iosacl_logging_buffered">False</Option>
@@ -3416,13 +3551,13 @@
           <Option name="iosacl_logging_console_level">2</Option>
           <Option name="iosacl_logging_timestamp">False</Option>
           <Option name="iosacl_logging_trap_level">2</Option>
-          <Option name="iosacl_prolog_script"/>
+          <Option name="iosacl_prolog_script"></Option>
           <Option name="iosacl_regroup_commands">False</Option>
-          <Option name="iosacl_syslog_facility"/>
-          <Option name="iosacl_syslog_host"/>
-          <Option name="ipt_mangle_only_rulesets"/>
+          <Option name="iosacl_syslog_facility"></Option>
+          <Option name="iosacl_syslog_host"></Option>
+          <Option name="ipt_mangle_only_rulesets"></Option>
           <Option name="ipv4_6_order">ipv4_first</Option>
-          <Option name="limit_suffix"/>
+          <Option name="limit_suffix"></Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">1</Option>
           <Option name="load_modules">True</Option>
@@ -3441,14 +3576,14 @@
           <Option name="mgmt_ssh">True</Option>
           <Option name="modulate_state">False</Option>
           <Option name="no_ipv6_default_policy">False</Option>
-          <Option name="openbsd_ip_directed_broadcast"/>
+          <Option name="openbsd_ip_directed_broadcast"></Option>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="openbsd_ip_redirect"/>
-          <Option name="openbsd_ip_sourceroute"/>
+          <Option name="openbsd_ip_redirect"></Option>
+          <Option name="openbsd_ip_sourceroute"></Option>
           <Option name="openbsd_ipv6_forward">1</Option>
-          <Option name="openbsd_path_pfctl"/>
-          <Option name="openbsd_path_sysctl"/>
-          <Option name="output_file"/>
+          <Option name="openbsd_path_pfctl"></Option>
+          <Option name="openbsd_path_sysctl"></Option>
+          <Option name="output_file"></Option>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -3467,7 +3602,7 @@
           <Option name="pf_limit_states">10000</Option>
           <Option name="pf_limit_table_entries">0</Option>
           <Option name="pf_limit_tables">0</Option>
-          <Option name="pf_optimization"/>
+          <Option name="pf_optimization"></Option>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -3519,12 +3654,12 @@
           <Option name="pix_syslog_device_id_supported">false</Option>
           <Option name="pix_use_acl_remarks">true</Option>
           <Option name="prolog_place">fw_file</Option>
-          <Option name="prolog_script"/>
+          <Option name="prolog_script"></Option>
           <Option name="prompt1">$ </Option>
           <Option name="prompt2"> # </Option>
-          <Option name="scpArgs"/>
+          <Option name="scpArgs"></Option>
           <Option name="solaris_ip_forward">1</Option>
-          <Option name="sshArgs"/>
+          <Option name="sshArgs"></Option>
           <Option name="ulog_cprange">0</Option>
           <Option name="ulog_nlgroup">1</Option>
           <Option name="ulog_qthreshold">1</Option>
@@ -3535,11 +3670,11 @@
         </FirewallOptions>
       </Firewall>
       <Firewall id="id12133X53662" host_OS="ios" inactive="False" lastCompiled="1251228625" lastInstalled="0" lastModified="1237437327" platform="iosacl" version="12.x" name="firewall-ipv6-3" comment="test &quot;safety net&quot; install in case when there are many rulesets" ro="False">
-        <NAT id="id12339X53662" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
+        <NAT id="id12339X53662" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
         </NAT>
-        
         <Policy id="id12139X53662" name="fw-ipv6-3-ipv4" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="True">
-        <PolicyRule id="id12140X53662" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
+          <PolicyRule id="id12140X53662" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19068X65694"/>
             </Src>
@@ -3558,7 +3693,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id12152X53662" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id12152X53662" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -3578,9 +3714,11 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><RuleSetOptions/></Policy>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
         <Policy id="id12165X53662" name="fw-ipv6-3-ipv6-1" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
-        <PolicyRule id="id12166X53662" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
+          <PolicyRule id="id12166X53662" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19068X65694"/>
             </Src>
@@ -3599,7 +3737,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id12202X53662" disabled="False" group="" log="True" position="1" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id12202X53662" disabled="False" group="" log="True" position="1" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19208X65694"/>
             </Src>
@@ -3618,9 +3757,11 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><RuleSetOptions/></Policy>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
         <Policy id="id18060X53662" name="fw-ipv6-3-ipv6-2" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="False">
-        <PolicyRule id="id21571X53662" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
+          <PolicyRule id="id21571X53662" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id19240X65694"/>
             </Src>
@@ -3640,11 +3781,13 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><RuleSetOptions/></Policy>
-        <Routing id="id12340X53662" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
+        <Routing id="id12340X53662" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
         </Routing>
-        
-        <Interface id="id12341X53662" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="Ethernet0/0" comment="" ro="False">
+        <Interface id="id12341X53662" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="Ethernet0/0" comment="" ro="False">
           <IPv4 id="id12344X53662" name="firewall-ipv6-3:Ethernet0/0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
           <IPv6 id="id12345X53662" name="firewall-ipv6-3:Ethernet0/0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
           <InterfaceOptions/>
@@ -3657,34 +3800,34 @@
         <FirewallOptions>
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
-          <Option name="action_on_reject"/>
-          <Option name="activationCmd"/>
+          <Option name="action_on_reject"></Option>
+          <Option name="activationCmd"></Option>
           <Option name="add_check_state_rule">true</Option>
-          <Option name="admUser"/>
-          <Option name="altAddress"/>
+          <Option name="admUser"></Option>
+          <Option name="altAddress"></Option>
           <Option name="bridging_fw">False</Option>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
           <Option name="classify_mark_terminating">False</Option>
           <Option name="cmdline">-xt</Option>
-          <Option name="compiler"/>
+          <Option name="compiler"></Option>
           <Option name="configure_interfaces">True</Option>
           <Option name="debug">False</Option>
           <Option name="drop_invalid">False</Option>
           <Option name="eliminate_duplicates">true</Option>
           <Option name="enable_ipv6">True</Option>
-          <Option name="epilog_script"/>
+          <Option name="epilog_script"></Option>
           <Option name="fallback_log">False</Option>
           <Option name="firewall_dir">/etc</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
           <Option name="freebsd_ip_forward">1</Option>
-          <Option name="freebsd_ip_redirect"/>
-          <Option name="freebsd_ip_sourceroute"/>
+          <Option name="freebsd_ip_redirect"></Option>
+          <Option name="freebsd_ip_sourceroute"></Option>
           <Option name="freebsd_ipv6_forward">1</Option>
-          <Option name="freebsd_path_ipf"/>
-          <Option name="freebsd_path_ipfw"/>
-          <Option name="freebsd_path_ipnat"/>
-          <Option name="freebsd_path_sysctl"/>
+          <Option name="freebsd_path_ipf"></Option>
+          <Option name="freebsd_path_ipfw"></Option>
+          <Option name="freebsd_path_ipnat"></Option>
+          <Option name="freebsd_path_sysctl"></Option>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
           <Option name="iosacl_acl_basic">False</Option>
@@ -3693,7 +3836,7 @@
           <Option name="iosacl_acl_temp_addr">fe80::21d:9ff:aaaa:bbbb/64</Option>
           <Option name="iosacl_add_clear_statements">true</Option>
           <Option name="iosacl_assume_fw_part_of_any">true</Option>
-          <Option name="iosacl_epilog_script"/>
+          <Option name="iosacl_epilog_script"></Option>
           <Option name="iosacl_generate_logging_commands">False</Option>
           <Option name="iosacl_include_comments">True</Option>
           <Option name="iosacl_logging_buffered">False</Option>
@@ -3702,13 +3845,13 @@
           <Option name="iosacl_logging_console_level">1</Option>
           <Option name="iosacl_logging_timestamp">False</Option>
           <Option name="iosacl_logging_trap_level">1</Option>
-          <Option name="iosacl_prolog_script"/>
+          <Option name="iosacl_prolog_script"></Option>
           <Option name="iosacl_regroup_commands">False</Option>
-          <Option name="iosacl_syslog_facility"/>
-          <Option name="iosacl_syslog_host"/>
-          <Option name="ipt_mangle_only_rulesets"/>
+          <Option name="iosacl_syslog_facility"></Option>
+          <Option name="iosacl_syslog_host"></Option>
+          <Option name="ipt_mangle_only_rulesets"></Option>
           <Option name="ipv4_6_order">ipv4_first</Option>
-          <Option name="limit_suffix"/>
+          <Option name="limit_suffix"></Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">1</Option>
           <Option name="load_modules">True</Option>
@@ -3723,18 +3866,18 @@
           <Option name="loopback_interface">lo0</Option>
           <Option name="macosx_ip_forward">1</Option>
           <Option name="manage_virtual_addr">True</Option>
-          <Option name="mgmt_addr"/>
+          <Option name="mgmt_addr"></Option>
           <Option name="mgmt_ssh">False</Option>
           <Option name="modulate_state">False</Option>
           <Option name="no_ipv6_default_policy">False</Option>
-          <Option name="openbsd_ip_directed_broadcast"/>
+          <Option name="openbsd_ip_directed_broadcast"></Option>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="openbsd_ip_redirect"/>
-          <Option name="openbsd_ip_sourceroute"/>
+          <Option name="openbsd_ip_redirect"></Option>
+          <Option name="openbsd_ip_sourceroute"></Option>
           <Option name="openbsd_ipv6_forward">1</Option>
-          <Option name="openbsd_path_pfctl"/>
-          <Option name="openbsd_path_sysctl"/>
-          <Option name="output_file"/>
+          <Option name="openbsd_path_pfctl"></Option>
+          <Option name="openbsd_path_sysctl"></Option>
+          <Option name="output_file"></Option>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -3753,7 +3896,7 @@
           <Option name="pf_limit_states">10000</Option>
           <Option name="pf_limit_table_entries">0</Option>
           <Option name="pf_limit_tables">0</Option>
-          <Option name="pf_optimization"/>
+          <Option name="pf_optimization"></Option>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -3805,12 +3948,12 @@
           <Option name="pix_syslog_device_id_supported">false</Option>
           <Option name="pix_use_acl_remarks">true</Option>
           <Option name="prolog_place">fw_file</Option>
-          <Option name="prolog_script"/>
+          <Option name="prolog_script"></Option>
           <Option name="prompt1">$ </Option>
           <Option name="prompt2"> # </Option>
-          <Option name="scpArgs"/>
+          <Option name="scpArgs"></Option>
           <Option name="solaris_ip_forward">1</Option>
-          <Option name="sshArgs"/>
+          <Option name="sshArgs"></Option>
           <Option name="ulog_cprange">0</Option>
           <Option name="ulog_nlgroup">1</Option>
           <Option name="ulog_qthreshold">1</Option>
@@ -3821,11 +3964,11 @@
         </FirewallOptions>
       </Firewall>
       <Firewall id="id66523X44763" host_OS="ios" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1257560747" platform="iosacl" version="12.3" name="testios20-v12.3" comment="" ro="False">
-        <NAT id="id66712X44763" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
+        <NAT id="id66712X44763" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
         </NAT>
-        
         <Policy id="id66539X44763" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
-        <PolicyRule id="id66540X44763" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
+          <PolicyRule id="id66540X44763" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -3845,7 +3988,8 @@
               <Option name="color">#C0BA44</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id66552X44763" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id66552X44763" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -3865,7 +4009,8 @@
               <Option name="color">#C0BA44</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id66564X44763" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id66564X44763" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -3885,7 +4030,8 @@
               <Option name="color">#C0BA44</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id66576X44763" disabled="False" log="False" position="3" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id66576X44763" disabled="False" log="False" position="3" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -3905,7 +4051,8 @@
               <Option name="color">#8BC065</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id66588X44763" disabled="False" log="False" position="4" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id66588X44763" disabled="False" log="False" position="4" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -3925,7 +4072,8 @@
               <Option name="color">#8BC065</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id66600X44763" disabled="False" log="False" position="5" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id66600X44763" disabled="False" log="False" position="5" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -3945,7 +4093,8 @@
               <Option name="color">#8BC065</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id66612X44763" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id66612X44763" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -3964,7 +4113,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id66624X44763" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id66624X44763" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -3983,7 +4133,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id66636X44763" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id66636X44763" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -4002,7 +4153,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id66648X44763" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id66648X44763" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -4022,7 +4174,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id66661X44763" disabled="False" group="" log="False" position="10" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id66661X44763" disabled="False" group="" log="False" position="10" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -4044,7 +4197,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id66676X44763" disabled="False" group="" log="False" position="11" action="Accept" direction="Inbound" comment="">
+          </PolicyRule>
+          <PolicyRule id="id66676X44763" disabled="False" group="" log="False" position="11" action="Accept" direction="Inbound" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -4063,7 +4217,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id66688X44763" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id66688X44763" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -4082,7 +4237,8 @@
             <PolicyRuleOptions>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
-          </PolicyRule><PolicyRule id="id66700X44763" disabled="False" log="True" position="13" action="Deny" direction="Both" comment="">
+          </PolicyRule>
+          <PolicyRule id="id66700X44763" disabled="False" log="True" position="13" action="Deny" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -4101,15 +4257,17 @@
             <PolicyRuleOptions>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
-          </PolicyRule><RuleSetOptions/></Policy>
-        <Routing id="id66713X44763" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
+        <Routing id="id66713X44763" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
         </Routing>
-        
-        <Interface id="id66529X44763" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
+        <Interface id="id66529X44763" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
           <IPv4 id="id66532X44763" name="testios20-v12.3:ethernet0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
           <InterfaceOptions/>
         </Interface>
-        <Interface id="id66534X44763" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
+        <Interface id="id66534X44763" dedicated_failover="False" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
           <IPv4 id="id66537X44763" name="testios20-v12.3:ethernet1:ip" comment="" ro="False" address="10.10.10.1" netmask="255.255.255.0"/>
           <InterfaceOptions/>
         </Interface>
@@ -4122,10 +4280,10 @@
           <Option name="accept_established">true</Option>
           <Option name="accept_new_tcp_with_no_syn">true</Option>
           <Option name="add_check_state_rule">true</Option>
-          <Option name="admUser"/>
-          <Option name="altAddress"/>
+          <Option name="admUser"></Option>
+          <Option name="altAddress"></Option>
           <Option name="check_shading">False</Option>
-          <Option name="compiler"/>
+          <Option name="compiler"></Option>
           <Option name="configure_interfaces">true</Option>
           <Option name="eliminate_duplicates">true</Option>
           <Option name="firewall_dir">/etc</Option>
@@ -4138,21 +4296,21 @@
           <Option name="iosacl_acl_basic">True</Option>
           <Option name="iosacl_acl_no_clear">False</Option>
           <Option name="iosacl_acl_substitution">False</Option>
-          <Option name="iosacl_acl_temp_addr"/>
+          <Option name="iosacl_acl_temp_addr"></Option>
           <Option name="iosacl_add_clear_statements">true</Option>
           <Option name="iosacl_assume_fw_part_of_any">true</Option>
-          <Option name="iosacl_epilog_script"/>
+          <Option name="iosacl_epilog_script"></Option>
           <Option name="iosacl_include_comments">True</Option>
           <Option name="iosacl_logging_buffered">False</Option>
-          <Option name="iosacl_logging_buffered_level"/>
+          <Option name="iosacl_logging_buffered_level"></Option>
           <Option name="iosacl_logging_console">False</Option>
-          <Option name="iosacl_logging_console_level"/>
+          <Option name="iosacl_logging_console_level"></Option>
           <Option name="iosacl_logging_timestamp">False</Option>
-          <Option name="iosacl_logging_trap_level"/>
-          <Option name="iosacl_prolog_script"/>
+          <Option name="iosacl_logging_trap_level"></Option>
+          <Option name="iosacl_prolog_script"></Option>
           <Option name="iosacl_regroup_commands">False</Option>
-          <Option name="iosacl_syslog_facility"/>
-          <Option name="iosacl_syslog_host"/>
+          <Option name="iosacl_syslog_facility"></Option>
+          <Option name="iosacl_syslog_host"></Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">1</Option>
           <Option name="load_modules">true</Option>
@@ -4162,10 +4320,10 @@
           <Option name="loopback_interface">lo0</Option>
           <Option name="macosx_ip_forward">1</Option>
           <Option name="manage_virtual_addr">true</Option>
-          <Option name="mgmt_addr"/>
+          <Option name="mgmt_addr"></Option>
           <Option name="mgmt_ssh">False</Option>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="output_file"/>
+          <Option name="output_file"></Option>
           <Option name="pass_all_out">false</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
@@ -4187,7 +4345,7 @@
           <Option name="prompt1">$ </Option>
           <Option name="prompt2"> # </Option>
           <Option name="solaris_ip_forward">1</Option>
-          <Option name="sshArgs"/>
+          <Option name="sshArgs"></Option>
           <Option name="ulog_nlgroup">1</Option>
           <Option name="verify_interfaces">true</Option>
         </FirewallOptions>
@@ -4196,16 +4354,7 @@
     <IntervalGroup id="id4511637523682" name="Time" comment="" ro="False"/>
   </Library>
   <Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
-    <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
-    <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
     <ServiceGroup id="stdid05" name="Services" comment="" ro="False">
-      <CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
-        <CustomServiceCommand platform="Undefined"/>
-        <CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
-        <CustomServiceCommand platform="ipfilter"/>
-        <CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
-        <CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
-      </CustomService>
       <ServiceGroup id="stdid09" name="TCP" comment="" ro="False">
         <TCPService id="id4127F04F" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="bgp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="179" dst_range_end="179"/>
         <TCPService id="id3AECF774" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="finger" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="79" dst_range_end="79"/>
@@ -4238,14 +4387,23 @@
         <IPService id="id3D703C8F" fragm="False" lsrr="False" protocol_num="47" rr="False" short_fragm="False" ssrr="False" ts="False" name="GRE" comment="Generic Routing Encapsulation&#10;" ro="False"/>
         <IPService id="ip-IP_Fragments" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="True" ssrr="False" ts="False" name="ip_fragments" comment="'Short' fragments" ro="False"/>
       </ServiceGroup>
-      <CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
-        <CustomServiceCommand platform="Undefined"/>
+      <CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
+        <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
         <CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
-        <CustomServiceCommand platform="ipfilter"/>
+        <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
+        <CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
+        <CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
+      </CustomService>
+      <CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
+        <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
+        <CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
+        <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
         <CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
         <CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
       </CustomService>
     </ServiceGroup>
+    <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
+    <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
     <AnyInterval id="sysid2" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1" name="Any" comment="Any Interval" ro="False"/>
   </Library>
 </FWObjectDatabase>
diff --git a/test/iosacl/quick-cmp.sh b/test/iosacl/quick-cmp.sh
index d4f939c2a..3d4d4c6a3 100755
--- a/test/iosacl/quick-cmp.sh
+++ b/test/iosacl/quick-cmp.sh
@@ -7,7 +7,7 @@ for f in $(ls *.fw.orig)
 do
     V="$f   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
     echo "echo \"$V\" | cut -c1-72"
-    new_f=$(echo $f | sed 's/.org//')
+    new_f=$(echo $f | sed 's/.orig//')
     echo "$DIFFCMD $f $new_f"
 done
 exit 0
diff --git a/test/pix/objects-for-regression-tests.fwb b/test/pix/objects-for-regression-tests.fwb
index 024610533..43534539b 100644
--- a/test/pix/objects-for-regression-tests.fwb
+++ b/test/pix/objects-for-regression-tests.fwb
@@ -892,7 +892,7 @@
       <ServiceGroup id="stdid05_1_userservices" name="Users" comment="" ro="False"/>
     </ServiceGroup>
     <ObjectGroup id="stdid12_1" name="Firewalls" comment="" ro="False">
-      <Firewall id="fw-firewall2" host_OS="pix_os" inactive="False" lastCompiled="1163922727" lastInstalled="0" lastModified="1231214031" platform="pix" version="6.2" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
+      <Firewall id="fw-firewall2" host_OS="pix_os" inactive="False" lastCompiled="1163922727" lastInstalled="0" lastModified="1261965298" platform="pix" version="6.2" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
         <NAT id="nat-firewall2" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <NATRule id="nat-firewall2-0" disabled="False" position="0" action="Translate" comment="">
             <OSrc neg="False">
@@ -1808,6 +1808,7 @@
           <Option name="dns_fixup">2 65535 0 nil 0</Option>
           <Option name="dyn_addr">False</Option>
           <Option name="espike_fixup">2 0 0 nil 0</Option>
+          <Option name="filesystem"></Option>
           <Option name="firewall_dir"></Option>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
@@ -1828,6 +1829,7 @@
           <Option name="inst_cmdline"></Option>
           <Option name="inst_script"></Option>
           <Option name="install_script"></Option>
+          <Option name="ipv4_6_order">ipv4_first</Option>
           <Option name="limit_suffix">/second</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -1844,8 +1846,8 @@
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">True</Option>
           <Option name="mgcp_fixup">2 2427 2727 nil 0</Option>
-          <Option name="mgmt_addr"></Option>
-          <Option name="mgmt_ssh">False</Option>
+          <Option name="mgmt_addr">192.168.1.100</Option>
+          <Option name="mgmt_ssh">True</Option>
           <Option name="modulate_state">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
@@ -1880,6 +1882,7 @@
           <Option name="pix_epilog_script"></Option>
           <Option name="pix_floodguard">False</Option>
           <Option name="pix_fragguard">True</Option>
+          <Option name="pix_generate_out_acl">False</Option>
           <Option name="pix_h323_abs">True</Option>
           <Option name="pix_h323_hh">0</Option>
           <Option name="pix_h323_inact">False</Option>
@@ -1888,11 +1891,11 @@
           <Option name="pix_include_comments">True</Option>
           <Option name="pix_ip_address">False</Option>
           <Option name="pix_logging_buffered">False</Option>
-          <Option name="pix_logging_buffered_level">0</Option>
+          <Option name="pix_logging_buffered_level">1</Option>
           <Option name="pix_logging_console">False</Option>
-          <Option name="pix_logging_console_level">0</Option>
+          <Option name="pix_logging_console_level">1</Option>
           <Option name="pix_logging_timestamp">False</Option>
-          <Option name="pix_logging_trap_level">0</Option>
+          <Option name="pix_logging_trap_level">1</Option>
           <Option name="pix_max_conns">0</Option>
           <Option name="pix_nodnsalias_inbound">True</Option>
           <Option name="pix_nodnsalias_outbound">True</Option>
@@ -1956,6 +1959,7 @@
           <Option name="pix_unauth_mm">0</Option>
           <Option name="pix_unauth_ss">0</Option>
           <Option name="pix_use_acl_remarks">False</Option>
+          <Option name="pix_use_manual_commit">False</Option>
           <Option name="pix_xlate_abs">True</Option>
           <Option name="pix_xlate_hh">3</Option>
           <Option name="pix_xlate_inact">False</Option>
@@ -1968,7 +1972,9 @@
           <Option name="rpc_ss">0</Option>
           <Option name="rsh_fixup">0 514 0 nil 0</Option>
           <Option name="rtsp_fixup">0 554 0 nil 0</Option>
+          <Option name="scpArgs"></Option>
           <Option name="script_env_path"></Option>
+          <Option name="short_script">False</Option>
           <Option name="sip_fixup">0 5060 5060 nil 0</Option>
           <Option name="sip_hh">0</Option>
           <Option name="sip_media_hh">0</Option>
@@ -1996,6 +2002,7 @@
           <Option name="udp_mm">2</Option>
           <Option name="udp_ss">0</Option>
           <Option name="use_numeric_log_levels">False</Option>
+          <Option name="use_scp">False</Option>
           <Option name="xlate_hh">3</Option>
           <Option name="xlate_mm">0</Option>
           <Option name="xlate_ss">0</Option>