diff --git a/build_num b/build_num
index f13136158..4c2575efb 100644
--- a/build_num
+++ b/build_num
@@ -1 +1 @@
-#define BUILD_NUM 1711
+#define BUILD_NUM 1712
diff --git a/doc/ChangeLog b/doc/ChangeLog
index da1f29efa..289959c39 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,5 +1,10 @@
 2009-11-10 vadim
+ * OSConfigurator_pix_os.cpp (OSConfigurator_pix_os::_printInterfaceConfiguration):
+ Using configlet to generate interface configuration commands for
+ PIX. Now user can change generated script if necessary without
+ making changes in the fwbuilder code.
+ * ObjectManipulator.cpp (ObjectManipulator::libChanged): Experimental change in the GUI, new feature: Now the program does not switch object in the editor on a single click in the tree.
diff --git a/src/cisco_lib/CompilerDriver_pix_run.cpp b/src/cisco_lib/CompilerDriver_pix_run.cpp
index 0e8c901f5..b17c0c6ad 100644
--- a/src/cisco_lib/CompilerDriver_pix_run.cpp
+++ b/src/cisco_lib/CompilerDriver_pix_run.cpp
@@ -162,57 +162,58 @@ string CompilerDriver_pix::run(const std::string &cluster_id, { Cluster *cluster = NULL; if (!cluster_id.empty()) - cluster = Cluster::cast( - objdb->findInIndex(objdb->getIntId(cluster_id))); + cluster = Cluster::cast(objdb->findInIndex(objdb->getIntId(cluster_id))); - Firewall *fw = Firewall::cast( - objdb->findInIndex(objdb->getIntId(firewall_id))); + Firewall *fw = Firewall::cast(objdb->findInIndex(objdb->getIntId(firewall_id))); assert(fw); // Copy rules from the cluster object populateClusterElements(cluster, fw); - // PIX failover is dfferent from VRRP and other failover protocols - // in that it does not create new virtual address. Instead, each - // unit is configured with two ip addresses, one for the active - // unit and another for standby one. When active unit fails, the - // other one assumes its address. - // - // This matters because when we use cluster object or one of its - // interfaces in rules, compiler should expand it to the set of - // addresses that includes addresses of the corresponding - // interface of both member firewalls. Method - // CompilerDriver::copyFailoverInterface adds a copy of firewall - // interface to the cluster object. This works for all firewalls, - // but for PIX we need to add copies of interfaces from both - // members. - // - FWObjectTypedChildIterator cl_iface = cluster->findByType(Interface::TYPENAME); - for (; cl_iface != cl_iface.end(); ++cl_iface) + if (cluster) { - FailoverClusterGroup *failover_group = - FailoverClusterGroup::cast( - (*cl_iface)->getFirstByType(FailoverClusterGroup::TYPENAME)); - if (failover_group) + // PIX failover is dfferent from VRRP and other failover protocols + // in that it does not create new virtual address. Instead, each + // unit is configured with two ip addresses, one for the active + // unit and another for standby one. When active unit fails, the + // other one assumes its address. 
+ // + // This matters because when we use cluster object or one of its + // interfaces in rules, compiler should expand it to the set of + // addresses that includes addresses of the corresponding + // interface of both member firewalls. Method + // CompilerDriver::copyFailoverInterface adds a copy of firewall + // interface to the cluster object. This works for all firewalls, + // but for PIX we need to add copies of interfaces from both + // members. + // + FWObjectTypedChildIterator cl_iface = cluster->findByType(Interface::TYPENAME); + for (; cl_iface != cl_iface.end(); ++cl_iface) { - FWObject *this_member_interface = NULL; - list other_member_interfaces; - for (FWObjectTypedChildIterator it = - failover_group->findByType(FWObjectReference::TYPENAME); - it != it.end(); ++it) + FailoverClusterGroup *failover_group = + FailoverClusterGroup::cast( + (*cl_iface)->getFirstByType(FailoverClusterGroup::TYPENAME)); + if (failover_group) { - FWObject *intf = FWObjectReference::getObject(*it); - assert(intf); - if (intf->isChildOf(fw)) this_member_interface = intf; - else other_member_interfaces.push_back(intf); - } - - if (!other_member_interfaces.empty()) - { - for (list::iterator it=other_member_interfaces.begin(); - it!=other_member_interfaces.end(); ++it) + FWObject *this_member_interface = NULL; + list other_member_interfaces; + for (FWObjectTypedChildIterator it = + failover_group->findByType(FWObjectReference::TYPENAME); + it != it.end(); ++it) { - cluster->addCopyOf(*it, true); + FWObject *intf = FWObjectReference::getObject(*it); + assert(intf); + if (intf->isChildOf(fw)) this_member_interface = intf; + else other_member_interfaces.push_back(intf); + } + + if (!other_member_interfaces.empty()) + { + for (list::iterator it=other_member_interfaces.begin(); + it!=other_member_interfaces.end(); ++it) + { + cluster->addCopyOf(*it, true); + } } } } diff --git a/src/cisco_lib/NATCompiler_pix.cpp b/src/cisco_lib/NATCompiler_pix.cpp index ca1e7b885..ff2a2dc15 100644 
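Review bot: Inside the new `if (cluster)` block, `assert(intf)` is the only guard before `intf->isChildOf(fw)`, so a FailoverClusterGroup reference whose target object no longer resolves would be dereferenced as null in an NDEBUG build; an explicit `if (!intf) continue;` (or a compiler error naming the group) keeps the check in release builds. `this_member_interface` is assigned in the inner loop but never read anywhere in the hunk, and the `if (!other_member_interfaces.empty())` guard around the copy loop is redundant, because an empty list simply produces zero iterations. `populateClusterElements(cluster, fw)` still runs unconditionally before the null check, so presumably it tolerates a null cluster; a one-line comment saying so would stop the next reader from moving it inside the block. CompilerDriver_pix::run continues outside the hunk.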
--- a/src/cisco_lib/NATCompiler_pix.cpp +++ b/src/cisco_lib/NATCompiler_pix.cpp @@ -715,15 +715,14 @@ void NATCompiler_pix::UseFirewallInterfaces::scanInterfaces(RuleElement *rel) if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer(); Address *obj=Address::cast(o); if(obj==NULL) - compiler->abort( - rel->getParent(), - "Broken rule element "+ - rel->getTypeName()+ - " in rule "+ - NATRule::cast(rel->getParent())->getLabel()+ - " ( found object with type "+ - string((o!=NULL)?o->getTypeName():"") + - ")"); + compiler->abort(rel->getParent(), + "Broken rule element "+ + rel->getTypeName()+ + " in rule "+ + NATRule::cast(rel->getParent())->getLabel()+ + " ( found object with type "+ + string((o!=NULL)?o->getTypeName():"") + + ")"); const InetAddr *obj_addr = obj->getAddressPtr(); if (obj_addr==NULL) return; @@ -1566,6 +1565,9 @@ void NATCompiler_pix::compile() add( new emptyGroupsInTSrv("check for empty groups in TSRV")); add( new ExpandGroups("expand groups")); + + add( new dropRuleWithEmptyRE("drop rules with empty rule elements")); + add( new eliminateDuplicatesInOSRC("eliminate duplicates in OSRC")); add( new eliminateDuplicatesInODST("eliminate duplicates in ODST")); add( new eliminateDuplicatesInOSRV("eliminate duplicates in OSRV")); diff --git a/src/cisco_lib/OSConfigurator_pix_os.cpp b/src/cisco_lib/OSConfigurator_pix_os.cpp index de9a4f649..d1f8fa98d 100644 --- a/src/cisco_lib/OSConfigurator_pix_os.cpp +++ b/src/cisco_lib/OSConfigurator_pix_os.cpp @@ -34,6 +34,9 @@ #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" +#include "Configlet.h" + + #include #include #include 
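Review bot: The new `add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));` is placed after `ExpandGroups` and before the eliminateDuplicates passes without a comment saying why the position matters. Judging from the pass names, a group that expands to nothing only becomes an empty rule element once expansion has run, so the ordering looks deliberate and should be recorded, e.g. `// must run after ExpandGroups: an empty group becomes an empty RE only once expanded` — confirm against the processor before committing to that wording. The body of NATCompiler_pix::compile() continues outside the hunk.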
@@ -72,10 +75,14 @@ void OSConfigurator_pix_os::processFirewallOptions() output << endl; } - output << _printNameif(); - output << endl; - output << _printIPAddress(); + //output << _printNameif(); + //output << endl; + //output << _printIPAddress(); + //output << endl; + + output << _printInterfaceConfiguration(); output << endl; + output << _printLogging(); output << endl; output << _printTimeouts(); 
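Review bot: The four `//output << _printNameif();` … `//output << endl;` lines are commented-out code left behind by the replacement with `_printInterfaceConfiguration()`; version control already preserves the old calls, so they should be deleted rather than kept as comments. The same applies to the header hunk at `@@ -37,8 +37,10 @@` in OSConfigurator_pix_os.h, where `//std::string _printNameif();` and `//std::string _printIPAddress();` remain next to the new declaration while their definitions are gone from the .cpp. processFirewallOptions continues outside the hunk.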
@@ -90,87 +97,52 @@ void OSConfigurator_pix_os::processFirewallOptions() output << endl; } -string OSConfigurator_pix_os::_printNameif() +string OSConfigurator_pix_os::_printInterfaceConfiguration() { ostringstream res; string version = fw->getStr("version"); string platform = fw->getStr("platform"); string::size_type n; + bool version_ge_70 = XMLTools::version_compare(version, "7.0") >= 0; + bool configure_addresses = fw->getOptionsObject()->getBool("pix_ip_address"); + list l2=fw->getByType(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) { Interface *iface=dynamic_cast(*i); assert(iface); - string nameifCmd = Resources::platform_res[platform]->getResourceStr( - string("/FWBuilderResources/Target/options/version_")+ - version+"/pix_commands/nameif"); - - if ((n = nameifCmd.find("%il"))!=string::npos) - nameifCmd.replace(n,3,iface->getLabel()); - if ((n = nameifCmd.find("%in"))!=string::npos) - nameifCmd.replace(n,3,iface->getName()); - if ((n = nameifCmd.find("%sl"))!=string::npos) + Configlet interface_config(fw, "pix_os", "configure_interfaces"); + interface_config.removeComments(); + interface_config.collapseEmptyStrings(true); + + interface_config.setVariable("pix_version_lt_70", ! version_ge_70); + interface_config.setVariable("pix_version_ge_70", version_ge_70); + interface_config.setVariable("configure_interface_address", + configure_addresses); + + interface_config.setVariable("interface_name", iface->getName().c_str()); + interface_config.setVariable("interface_label", iface->getLabel().c_str()); + interface_config.setVariable("security_level", iface->getSecurityLevel()); + + interface_config.setVariable("static_address", ! 
iface->isDyn()); + interface_config.setVariable("dhcp_address", iface->isDyn()); + if (!iface->isDyn()) { - ostringstream sls; - sls << iface->getSecurityLevel(); - nameifCmd.replace(n,3,sls.str()); + QString addr = iface->getAddressPtr()->toString().c_str(); + QString netm = iface->getNetmaskPtr()->toString().c_str(); + interface_config.setVariable("address", addr); + interface_config.setVariable("netmask", netm); } - res << nameifCmd; + + res << interface_config.expand().toStdString(); + res << endl; + res << endl; } - - res << endl; - return res.str(); } -string OSConfigurator_pix_os::_printIPAddress() -{ - ostringstream res; - string version = fw->getStr("version"); - string platform = fw->getStr("platform"); - string setAddrCmd; - string::size_type n; - - if ( fw->getOptionsObject()->getBool("pix_ip_address") ) - { - list l2=fw->getByType(Interface::TYPENAME); - for (list::iterator i=l2.begin(); i!=l2.end(); ++i) - { - Interface *iface=dynamic_cast(*i); - assert(iface); - if (iface->isDyn()) - { - setAddrCmd = Resources::platform_res[platform]->getResourceStr( - string("/FWBuilderResources/Target/options/version_")+ - version+"/pix_commands/ip_addr_dyn"); - } else - { - setAddrCmd = Resources::platform_res[platform]->getResourceStr( - string("/FWBuilderResources/Target/options/version_")+ - version+"/pix_commands/ip_addr_static"); - } - - if ((n = setAddrCmd.find("%il"))!=string::npos) - setAddrCmd.replace(n,3,iface->getLabel()); - if ((n = setAddrCmd.find("%in"))!=string::npos) - setAddrCmd.replace(n,3,iface->getName()); - if ((n = setAddrCmd.find("%a"))!=string::npos) - setAddrCmd.replace(n,2,iface->getAddressPtr()->toString()); - if ((n = setAddrCmd.find("%n"))!=string::npos) - setAddrCmd.replace(n,2,iface->getNetmaskPtr()->toString()); - - res << setAddrCmd; - } - } - - res << endl; - - return res.str(); -} - - string OSConfigurator_pix_os::_printLogging() { Helper helper(this); 
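Review bot: `iface->getAddressPtr()->toString()` and `iface->getNetmaskPtr()->toString()` are now evaluated for every non-dynamic interface, whereas the removed `_printIPAddress` only touched addresses when the `pix_ip_address` option was set; an interface without an address object would presumably return a null pointer here and crash, and the template only consumes `address`/`netmask` when `configure_interface_address` is true anyway. Gating the block as `if (configure_addresses && !iface->isDyn() && iface->getAddressPtr() != NULL && iface->getNetmaskPtr() != NULL)` restores the old behaviour and makes the missing-address case explicit. `string platform` and `string::size_type n` are no longer used after the find/replace code was removed and should be dropped. The Configlet is also constructed and has removeComments()/collapseEmptyStrings() applied again on every loop iteration; if expand() does not consume the template it could be built once before the loop.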
@@ -278,7 +250,7 @@ string OSConfigurator_pix_os::_printSNMPServer(const std::string &srv, return str.str(); } -string OSConfigurator_pix_os::_printSNMP() +string OSConfigurator_pix_os::_printSNMP() { ostringstream str; string version = fw->getStr("version"); @@ -304,14 +276,16 @@ string OSConfigurator_pix_os::_printSNMP() } else { - if (set_communities) { + if (set_communities) + { string read_c = fw->getManagementObject()-> getSNMPManagement()->getReadCommunity(); str << endl; str << "snmp-server community " << read_c << endl; } - if (set_sysinfo) { + if (set_sysinfo) + { string location=fw->getOptionsObject()->getStr("snmp_location"); string contact =fw->getOptionsObject()->getStr("snmp_contact"); str << endl; @@ -321,7 +295,8 @@ string OSConfigurator_pix_os::_printSNMP() str << "snmp-server contact " << contact << endl; } - if (enable_traps) { + if (enable_traps) + { str << endl; str << "snmp-server enable traps" << endl; } else { @@ -364,7 +339,7 @@ string OSConfigurator_pix_os::_printNTPServer(const std::string &srv,bool pref) return str.str(); } -string OSConfigurator_pix_os::_printNTP() +string OSConfigurator_pix_os::_printNTP() { ostringstream res; string version = fw->getStr("version"); @@ -396,7 +371,7 @@ string OSConfigurator_pix_os::_printNTP() return res.str(); } -string OSConfigurator_pix_os::_printSysopt() +string OSConfigurator_pix_os::_printSysopt() { ostringstream res; string platform = fw->getStr("platform"); diff --git a/src/cisco_lib/OSConfigurator_pix_os.h b/src/cisco_lib/OSConfigurator_pix_os.h index e41832ca4..4ec93a0dd 100644 --- a/src/cisco_lib/OSConfigurator_pix_os.h +++ b/src/cisco_lib/OSConfigurator_pix_os.h 
@@ -37,8 +37,10 @@ namespace fwcompiler { class OSConfigurator_pix_os : public OSConfigurator { - std::string _printNameif(); - std::string _printIPAddress(); + //std::string _printNameif(); + //std::string _printIPAddress(); + + std::string _printInterfaceConfiguration(); std::string _printLogging(); std::string _printSNMPServer(const std::string &srv,int poll_trap); diff --git a/src/res/configlets/pix_os/configure_interfaces b/src/res/configlets/pix_os/configure_interfaces new file mode 100644 index 000000000..6db2ffe2d --- /dev/null +++ b/src/res/configlets/pix_os/configure_interfaces @@ -0,0 +1,47 @@ +## -*- mode: shell-script; -*- +## + +{{if static_address}} + +{{if pix_version_lt_70}} +nameif {{$interface_name}} {{$interface_label}} security{{$security_level}} +{{if configure_interface_address}} +ip address {{$interface_label}} {{$address}} {{$netmask}} +{{endif}} +{{endif}} + +{{if pix_version_ge_70}} +interface {{$interface_name}} + nameif {{$interface_label}} +{{if configure_interface_address}} + ip address {{$address}} {{$netmask}} +{{endif}} + security-level {{$security_level}} +exit +{{endif}} + +{{endif}} + + + +{{if dhcp_address}} + +{{if pix_version_lt_70}} +nameif {{$interface_name}} {{$interface_label}} security{{$security_level}} +{{if configure_interface_address}} +ip address {{$interface_label}} dhcp setroute retry 10 +{{endif}} +{{endif}} + +{{if pix_version_ge_70}} +interface {{$interface_name}} + nameif {{$interface_label}} +{{if configure_interface_address}} + ip address dhcp setroute +{{endif}} + security-level {{$security_level}} +exit +{{endif}} + +{{endif}} + diff --git a/src/res/platform/pix.xml b/src/res/platform/pix.xml index 8a4c51ee8..aa40b0a98 100644 --- a/src/res/platform/pix.xml +++ b/src/res/platform/pix.xml @@ -44,6 +44,7 @@ true false false + clear access-list clear object-group 
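Review bot: The new configure_interfaces configlet repeats the whole nameif/interface/security-level/exit structure four times, once per (static, dhcp) × (lt_70, ge_70) combination, while only the `ip address` line actually differs between the static and dhcp cases; nesting the address choice inside the version branches halves the template and keeps the two version forms in one place each. `static_address` and `dhcp_address` are set from the same `isDyn()` value in the C++ caller, so the inner branches stay mutually exclusive. The file also has no header explaining which variables the caller must set (`interface_name`, `interface_label`, `security_level`, `address`, `netmask`, the version and `configure_interface_address` flags); a few `##` comment lines listing them would help anyone editing the script, which is the stated purpose of moving it out of the code.
```shell
## -*- mode: shell-script; -*-
## Variables set by OSConfigurator_pix_os::_printInterfaceConfiguration:
##   interface_name, interface_label, security_level, address, netmask,
##   pix_version_lt_70 / pix_version_ge_70, configure_interface_address,
##   static_address / dhcp_address

{{if pix_version_lt_70}}
nameif {{$interface_name}} {{$interface_label}} security{{$security_level}}
{{if configure_interface_address}}
{{if static_address}}
ip address {{$interface_label}} {{$address}} {{$netmask}}
{{endif}}
{{if dhcp_address}}
ip address {{$interface_label}} dhcp setroute retry 10
{{endif}}
{{endif}}
{{endif}}

{{if pix_version_ge_70}}
interface {{$interface_name}}
  nameif {{$interface_label}}
{{if configure_interface_address}}
{{if static_address}}
  ip address {{$address}} {{$netmask}}
{{endif}}
{{if dhcp_address}}
  ip address dhcp setroute
{{endif}}
{{endif}}
  security-level {{$security_level}}
exit
{{endif}}
```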
@@ -56,15 +57,6 @@ clear static clear global clear nat - -ip address %il %a %n - - -ip address %il dhcp setroute retry 10 - - -nameif %in %il security%sl - @@ -132,6 +124,7 @@ nameif %in %il security%sl true false false + clear access-list clear object-group @@ -144,15 +137,6 @@ nameif %in %il security%sl clear static clear global clear nat - -ip address %il %a %n - - -ip address %il dhcp setroute retry 10 - - -nameif %in %il security%sl - @@ -220,6 +204,7 @@ nameif %in %il security%sl false false false + clear access-list clear object-group @@ -232,15 +217,6 @@ nameif %in %il security%sl clear static clear global clear nat - -ip address %il %a %n - - -ip address %il dhcp setroute retry 10 - - -nameif %in %il security%sl - @@ -308,6 +284,7 @@ nameif %in %il security%sl false true true + clear config access-list clear config object-group @@ -320,22 +297,6 @@ nameif %in %il security%sl clear config static clear config global clear config nat - -interface %in - ip address %a %n -exit - - -interface %in - ip address dhcp setroute -exit - - -interface %in - nameif %il - security-level %sl -exit - diff --git a/test/pix/run.all b/test/pix/run.all index 5949d9ae4..2939bfb7d 100755 --- a/test/pix/run.all +++ b/test/pix/run.all @@ -9,7 +9,7 @@ while (<>) { $str=~ /]+name="([^"]*).*$"/; $fw=$1; printf "echo ====================== $fw =========================================\n"; - printf "fwb_pix -v -f $XMLFILE $fw \n"; + printf "fwb_pix -v -xt -f $XMLFILE $fw \n"; $str=~ s/^.*]+name="$fw"[^>]+>//; } }
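Review bot: The `-xt` option added to the `fwb_pix -v -xt -f $XMLFILE $fw` command is not explained anywhere in the commit — the ChangeLog entry covers only the configlet change — so a reader of run.all cannot tell whether it alters the output the test compares against. A one-line comment above the printf, `# -xt: <describe what the flag changes in fwb_pix output>`, would document the intent. The enclosing while loop starts outside the hunk.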