
2009-11-09 vadim <vadim@vk.crocodile.org>

* CompilerDriver_pix_run.cpp (CompilerDriver_pix::run): Added
            support for failover configurations for PIX.

            - Interfaces of member firewalls used for failover configuration
            should be marked as "Dedicated failover" interfaces. They should
            have normal IP addresses. These interfaces will be used to
            generate "failover" commands in the PIX configuration.

            - Cluster should have interface with the same name as failover
            interfaces of the members, with protocol set to "PIX failover" and
            members configured as usual. This interface has no ip address.

            - Other interfaces of the cluster have the same name as
            corresponding interfaces of the member firewalls, protocol "None"
            and failover groups that define members as usual. These cluster
            interfaces also have no ip address.

            - Cluster state synchronization group uses protocol "PIX state
            synchronization" and its members should be configured as usual.
            Use failover interfaces of the members as members of the state
            sync group.

            * Interface.cpp: Added attribute "dedicated_failover" to the
            Interface object. Interfaces with this attribute are treated like
            other "unprotected" interfaces, that is they are not used to
            attach ACLs to and not used in rules. Dedicated failover
            interfaces have special meaning in PIX configurations and are used
            to describe interfaces used for LAN failover.
Vadim Kurland 2009-11-10 05:14:04 +00:00
parent f5c562ae17
commit 85703ff361
11 changed files with 236 additions and 84 deletions


@ -1 +1 @@
#define BUILD_NUM 1703
#define BUILD_NUM 1705


@ -1,3 +1,34 @@
2009-11-09 vadim <vadim@vk.crocodile.org>
* CompilerDriver_pix_run.cpp (CompilerDriver_pix::run): Added
support for failover configurations for PIX.
- Interfaces of member firewalls used for failover configuration
should be marked as "Dedicated failover" interfaces. They should
have normal IP addresses. These interfaces will be used to
generate "failover" commands in the PIX configuration.
- Cluster should have interface with the same name as failover
interfaces of the members, with protocol set to "PIX failover" and
members configured as usual. This interface has no ip address.
- Other interfaces of the cluster have the same name as
corresponding interfaces of the member firewalls, protocol "None"
and failover groups that define members as usual. These cluster
interfaces also have no ip address.
- Cluster state synchronization group uses protocol "PIX state
synchrnization" and its members should be configured as usual.
Use failover interfaces of the members as members of the state
sync group.
* Interface.cpp: Added attribute "dedicated_failover" to the
Interface object. Interfaces with this attribute are treated like
other "unprotected" interfaces, that is they are not used to
attach ACLs to and not used in rules. Dedicated failover
interfaces have special meaning in PIX configurations and are used
to describe interfaces used for LAN failover.
2009-11-07 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printTCPFlags):


@ -63,6 +63,8 @@
#include "fwbuilder/Policy.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwcompiler/Preprocessor.h"
@ -170,6 +172,60 @@ string CompilerDriver_pix::run(const std::string &cluster_id,
// Copy rules from the cluster object
populateClusterElements(cluster, fw);
// PIX failover is dfferent from VRRP and other failover protocols
// in that it does not create new virtual address. Instead, each
// unit is configured with two ip addresses, one for the active
// unit and another for standby one. When active unit fails, the
// other one assumes its address.
//
// This matters because when we use cluster object or one of its
// interfaces in rules, compiler should expand it to the set of
// addresses that includes addresses of the corresponding
// interface of both member firewalls. Method
// CompilerDriver::copyFailoverInterface adds a copy of firewall
// interface to the cluster object. This works for all firewalls,
// but for PIX we need to add copies of interfaces from both
// members.
//
FWObjectTypedChildIterator cl_iface = cluster->findByType(Interface::TYPENAME);
for (; cl_iface != cl_iface.end(); ++cl_iface)
{
FailoverClusterGroup *failover_group =
FailoverClusterGroup::cast(
(*cl_iface)->getFirstByType(FailoverClusterGroup::TYPENAME));
if (failover_group)
{
FWObject *this_member_interface = NULL;
list<FWObject*> other_member_interfaces;
for (FWObjectTypedChildIterator it =
failover_group->findByType(FWObjectReference::TYPENAME);
it != it.end(); ++it)
{
FWObject *intf = FWObjectReference::getObject(*it);
assert(intf);
if (intf->isChildOf(fw)) this_member_interface = intf;
else other_member_interfaces.push_back(intf);
}
if (!other_member_interfaces.empty())
{
for (list<FWObject*>::iterator it=other_member_interfaces.begin();
it!=other_member_interfaces.end(); ++it)
{
cluster->addCopyOf(*it, true);
}
}
}
}
#if 0
FWObjectTypedChildIterator iface = fw->findByType(Interface::TYPENAME);
for (; iface != iface.end(); ++iface)
{
(*iface)->dump(true, true);
}
#endif
commonChecks2(cluster, fw);
// Note that fwobjectname may be different from the name of the
@ -177,15 +233,13 @@ string CompilerDriver_pix::run(const std::string &cluster_id,
current_firewall_name = fw->getName().c_str();
QString ofname = determineOutputFileName(fw, !cluster_id.empty(), ".fw");
FWOptions* options = fw->getOptionsObject();
bool pix_acl_basic = options->getBool("pix_acl_basic");
bool pix_acl_no_clear = options->getBool("pix_acl_no_clear");
bool pix_acl_substitution = options->getBool("pix_acl_substitution");
bool pix_add_clear_statements = options->getBool("pix_add_clear_statements");
bool pix_acl_basic=options->getBool("pix_acl_basic");
bool pix_acl_no_clear=options->getBool("pix_acl_no_clear");
bool pix_acl_substitution=options->getBool("pix_acl_substitution");
bool pix_add_clear_statements=options->getBool("pix_add_clear_statements");
if ( !pix_acl_basic &&
!pix_acl_no_clear &&
!pix_acl_substitution )
@ -201,8 +255,22 @@ string CompilerDriver_pix::run(const std::string &cluster_id,
std::list<FWObject*> l2=fw->getByType(Interface::TYPENAME);
for (std::list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
{
Interface *iface=dynamic_cast<Interface*>(*i);
Interface *iface = dynamic_cast<Interface*>(*i);
assert(iface);
// dedicated failover interfaces are not used in ACLs or anywhere
// else in configuration, except in "failover" commands.
if (iface->isDedicatedFailover()) continue;
// Tests for label, security level and network zone make sense
// only for interfaces that can be used in ACLs or to bind
// ACLs to. Unnumbered interfaces can't, so we do not need to
// run these checks. One example of unnumbered interface is
// parent interface for vlan subinterfaces.
if (iface->isUnnumbered()) continue;
if (iface->getOptionsObject()->getBool("cluster_interface")) continue;
/*
* missing labels on interfaces
*/
@ -228,10 +296,14 @@ string CompilerDriver_pix::run(const std::string &cluster_id,
*/
for (std::list<FWObject*>::iterator j=l2.begin(); j!=l2.end(); ++j)
{
Interface *iface2=dynamic_cast<Interface*>(*j);
Interface *iface2 = dynamic_cast<Interface*>(*j);
assert(iface2);
if (iface2->isDedicatedFailover()) continue;
if (iface2->isUnnumbered()) continue;
if (iface->getId()==iface2->getId()) continue;
if (iface->getOptionsObject()->getBool("cluster_interface") ||
iface2->getOptionsObject()->getBool("cluster_interface")) continue;
if (iface->getSecurityLevel()==iface2->getSecurityLevel())
{
QString err(
@ -292,7 +364,7 @@ string CompilerDriver_pix::run(const std::string &cluster_id,
* too.
*/
list<FWObject*> ol;
helper.expand_group_recursive_no_cache(netzone,ol);
helper.expand_group_recursive(netzone,ol);
FWObject *nz = objdb->createObjectGroup();
assert(nz!=NULL);
@ -344,7 +416,6 @@ string CompilerDriver_pix::run(const std::string &cluster_id,
}
}
}
}
/*
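Review bot: `assert(intf)` is the only guard on the result of `FWObjectReference::getObject(*it)` in the new failover-expansion loop, so in a build with NDEBUG an unresolved member reference reaches `intf->isChildOf(fw)` as a null pointer; an explicit check that reports the broken reference the way the later interface checks do (`QString err(...)`) would fail safely, e.g. `if (intf == NULL) { /* report unresolved failover-group member and skip */ continue; }` — the exact reporting call is outside the hunk, so adapt it to what `run` already uses. `this_member_interface` is assigned at `if (intf->isChildOf(fw)) this_member_interface = intf;` but never read within the hunk; drop it or comment why it is kept. The `#if 0` interface-dump block right after the loop is debug residue that should not land. `CompilerDriver_pix::run` starts before and ends after these hunks.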


@ -45,7 +45,8 @@ using namespace std;
static unsigned long calculateDimension(FWObject* obj)
{
if (Group::cast(obj)!=NULL) {
if (Group::cast(obj)!=NULL)
{
unsigned long res=0;
for (FWObject::iterator i1=obj->begin(); i1!=obj->end(); ++i1)
{
@ -67,26 +68,10 @@ static unsigned long calculateDimension(FWObject* obj)
return 0;
}
void Helper::expand_group_recursive_no_cache(FWObject *o,list<FWObject*> &ol)
{
if (Group::cast( o )!=NULL) {
for (FWObject::iterator i2=o->begin(); i2!=o->end(); ++i2)
{
FWObject *o1= *i2;
if (FWReference::cast(o1)!=NULL) o1=FWReference::cast(o1)->getPointer();
assert(o1);
expand_group_recursive_no_cache(o1,ol);
}
} else {
ol.push_back( o );
}
}
void Helper::expand_group_recursive(FWObject *o,list<FWObject*> &ol)
{
if (Group::cast( o )!=NULL) {
if (Group::cast( o )!=NULL)
{
for (FWObject::iterator i2=o->begin(); i2!=o->end(); ++i2)
{
FWObject *o1= *i2;
@ -141,8 +126,8 @@ int Helper::findInterfaceByNetzone(const InetAddr *addr) throw(string)
int netzone_id =
FWObjectDatabase::getIntId((*i)->getStr("network_zone"));
FWObject *netzone = fw->getRoot()->findInIndex(netzone_id);
#if 0
FWObject *netzone = fw->getRoot()->findInIndex(netzone_id);
cerr << "netzone_id=" << netzone_id
<< " " << (*i)->getStr("network_zone")
<< " " << netzone->getName()
@ -151,8 +136,10 @@ int Helper::findInterfaceByNetzone(const InetAddr *addr) throw(string)
if (netzone_id != -1)
{
FWObject *netzone = fw->getRoot()->findInIndex(netzone_id);
for (list<FWObject*>::iterator j=netzone->begin();
j!=netzone->end(); ++j)
list<FWObject*> nz;
expand_group_recursive(netzone, nz);
for (list<FWObject*>::iterator j=nz.begin(); j!=nz.end(); ++j)
{
assert(Address::cast(*j)!=NULL);
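Review bot: The rewritten lookup in `findInterfaceByNetzone` checks `netzone_id != -1` but not the pointer returned by `fw->getRoot()->findInIndex(netzone_id)`; if that lookup can return NULL for a stale `network_zone` id, `expand_group_recursive(netzone, nz)` will push the null pointer into `nz` and `assert(Address::cast(*j)!=NULL)` on the next line is the only thing that catches it, and only in debug builds. Adding `if (netzone == NULL) continue;` (or reporting the dangling id) before the expansion would make release builds skip the bad entry instead of dereferencing it. Whether `findInIndex` can return NULL is not visible here, so confirm against its definition. The enclosing function starts before and ends after the hunk.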


@ -65,19 +65,11 @@ namespace fwcompiler {
/**
* recursively expands object 'o' and places all its children
* objects in the list 'ol'. Uses cache in compiler.
* objects in the list 'ol'.
*/
void expand_group_recursive(libfwbuilder::FWObject *o,
std::list<libfwbuilder::FWObject*> &ol);
/**
* recursively expands object 'o' and places all its children
* objects in the list 'ol'. Does not use cache in compiler,
* therefore can be called even if compiler object has not
* been created yet.
*/
void expand_group_recursive_no_cache(libfwbuilder::FWObject *o,
std::list<libfwbuilder::FWObject*> &ol);
};
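Review bot: The shortened comment on `expand_group_recursive` no longer says whether it requires a constructed compiler object, which per the removed comment was the distinguishing precondition of the deleted `expand_group_recursive_no_cache`; since callers such as `CompilerDriver_pix::run` now use this function in its place, the header should state the precondition explicitly, e.g. `* Does not depend on the compiler cache and may be called before the compiler object exists.` if that is now the case. Only the documentation is at issue here; the declaration itself is fine.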


@ -899,6 +899,15 @@ void CompilerDriver::copyFailoverInterface(Cluster *cluster,
new_cl_if->getOptionsObject()->setBool("failover_master",
master_id == iface_str_id);
// cluster interface should "inherit" some of the
// attributes of the member interfaces it
// represents. For example, if member interfaces are
// marked "unprotected" or "dedicated failover", so
// should be the cluster interface. What else?
new_cl_if->setDedicatedFailover(iface->isDedicatedFailover());
new_cl_if->setUnprotected(iface->isUnprotected());
fw->getOptionsObject()->setBool("cluster_member", true);
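Review bot: The new comment above `new_cl_if->setDedicatedFailover(...)` ends with the open question `What else?`, which leaves the next reader unsure whether the list of inherited attributes is complete or known to be partial. State it as a fact and, if other attributes are suspected to be missing, name them in a `// TODO:` so the gap is tracked rather than implied. `copyFailoverInterface` starts before and ends after the hunk.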


@ -207,6 +207,7 @@ QString FWObjectPropertiesFactory::getObjectPropertiesBrief(FWObject *obj)
}
if (intf->isDyn()) q.push_back("dyn");
if (intf->isUnnumbered()) q.push_back("unnum");
if (intf->isDedicatedFailover()) q.push_back("failover");
if (intf->isBridgePort()) q.push_back("bridge port");
if (intf->isSlave()) q.push_back("slave");
if (intf->isUnprotected()) q.push_back("unp");


@ -103,6 +103,7 @@ void InterfaceDialog::loadFWObject(FWObject *o)
m_dialog->dynamic->setChecked( s->isDyn() );
m_dialog->unnumbered->setChecked( s->isUnnumbered() );
m_dialog->dedicated_failover->setChecked( s->isDedicatedFailover() );
m_dialog->management->setChecked( s->isManagement() );
@ -132,6 +133,9 @@ void InterfaceDialog::loadFWObject(FWObject *o)
m_dialog->unprotected->setEnabled(!o->isReadOnly());
setDisabledPalette(m_dialog->unprotected);
m_dialog->dedicated_failover->setEnabled(!o->isReadOnly());
setDisabledPalette(m_dialog->dedicated_failover);
m_dialog->seclevel->setEnabled(!o->isReadOnly());
setDisabledPalette(m_dialog->seclevel);
@ -145,6 +149,7 @@ void InterfaceDialog::loadFWObject(FWObject *o)
m_dialog->unnumbered->hide();
m_dialog->management->hide();
m_dialog->unprotected->hide();
m_dialog->dedicated_failover->hide();
m_dialog->bridge_port_label->show();
} else
{
@ -153,6 +158,7 @@ void InterfaceDialog::loadFWObject(FWObject *o)
m_dialog->unnumbered->show();
m_dialog->management->show();
m_dialog->unprotected->show();
m_dialog->dedicated_failover->show();
m_dialog->bridge_port_label->hide();
}
@ -163,6 +169,7 @@ void InterfaceDialog::loadFWObject(FWObject *o)
{
m_dialog->management->setEnabled(false);
m_dialog->unprotected->setEnabled(false);
m_dialog->dedicated_failover->setEnabled(false);
m_dialog->seclevel->setEnabled(false);
m_dialog->seclevelLabel->setEnabled(false);
m_dialog->netzone->setEnabled(false);
@ -196,10 +203,16 @@ void InterfaceDialog::loadFWObject(FWObject *o)
if (Cluster::isA(s->getParent()))
supports_advanced_ifaces = false;
if (s->isDedicatedFailover())
{
supports_security_levels = false;
supports_network_zones = false;
}
} catch (FWException &ex) { }
/* if parent is a firewall or a fw cluster, it is more complex ... */
if (Firewall::isA( f ) || Cluster::isA( f ))
if (Firewall::isA(f) || Cluster::isA(f))
{
if (supports_security_levels)
{
@ -385,6 +398,7 @@ void InterfaceDialog::applyChanges()
s->setLabel( string(m_dialog->label->text().toUtf8().constData()) );
s->setDyn( m_dialog->dynamic->isChecked() );
s->setUnnumbered( m_dialog->unnumbered->isChecked() );
s->setDedicatedFailover( m_dialog->dedicated_failover->isChecked() );
FWObject *f = s->getParentHost();
bool supports_security_levels = false;


@ -8,8 +8,8 @@
<rect>
<x>0</x>
<y>0</y>
<width>922</width>
<height>262</height>
<width>1017</width>
<height>308</height>
</rect>
</property>
<property name="sizePolicy" >
@ -272,15 +272,6 @@ If network zone for this interface consists of only one subnet, you can simply c
<bool>false</bool>
</property>
<layout class="QGridLayout" name="gridLayout" >
<property name="topMargin" >
<number>6</number>
</property>
<property name="bottomMargin" >
<number>6</number>
</property>
<property name="verticalSpacing" >
<number>6</number>
</property>
<item row="0" column="0" >
<widget class="QCheckBox" name="management" >
<property name="toolTip" >
@ -302,27 +293,34 @@ If network zone for this interface consists of only one subnet, you can simply c
</widget>
</item>
<item row="2" column="0" >
<widget class="QCheckBox" name="dedicated_failover" >
<property name="text" >
<string>Dedicated failover interface</string>
</property>
</widget>
</item>
<item row="3" column="0" >
<widget class="QRadioButton" name="regular" >
<property name="text" >
<string>Regular interface</string>
</property>
</widget>
</item>
<item row="3" column="0" >
<item row="4" column="0" >
<widget class="QRadioButton" name="dynamic" >
<property name="text" >
<string>Address is assigned dynamically</string>
</property>
</widget>
</item>
<item row="4" column="0" >
<item row="5" column="0" >
<widget class="QRadioButton" name="unnumbered" >
<property name="text" >
<string>Unnumbered interface</string>
</property>
</widget>
</item>
<item row="5" column="0" >
<item row="6" column="0" >
<widget class="QLabel" name="bridge_port_label" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Preferred" >
@ -338,7 +336,7 @@ If network zone for this interface consists of only one subnet, you can simply c
</property>
</widget>
</item>
<item row="6" column="0" >
<item row="7" column="0" >
<widget class="QPushButton" name="advancedconfig" >
<property name="text" >
<string>Advanced Interface Settings ...</string>
@ -584,6 +582,22 @@ If network zone for this interface consists of only one subnet, you can simply c
</hint>
</hints>
</connection>
<connection>
<sender>dedicated_failover</sender>
<signal>clicked()</signal>
<receiver>InterfaceDialog_q</receiver>
<slot>changed()</slot>
<hints>
<hint type="sourcelabel" >
<x>520</x>
<y>110</y>
</hint>
<hint type="destinationlabel" >
<x>508</x>
<y>153</y>
</hint>
</hints>
</connection>
</connections>
<slots>
<slot>changed()</slot>


@ -78,17 +78,25 @@
<protocols>
<failover>
<string>vrrp,VRRP</string>
<string>pix_failover,PIX failover protocol</string>
<string>none,</string>
</failover>
<state_sync>
<string>pix,pix</string>
<string>pix_state_sync,PIX state synchronization</string>
<string>none,</string>
</state_sync>
<vrrp>
<pix_failover>
<needs_master>True</needs_master>
<no_ip_ok>False</no_ip_ok>
<no_ip_ok>True</no_ip_ok>
<manage_addresses>True</manage_addresses>
</vrrp>
</pix_failover>
<none>
<needs_master>True</needs_master>
<no_ip_ok>True</no_ip_ok>
<manage_addresses>True</manage_addresses>
</none>
</protocols>
<interfaces>


@ -1,8 +1,8 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="13" lastModified="1257810272" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="13" lastModified="1257815261" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<Interface id="id3213X42281" dyn="False" security_level="0" unnum="False" unprotected="False" name="vrrp2" comment="" ro="False">
<Interface id="id3213X42281" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="vrrp2" comment="" ro="False">
<InterfaceOptions>
<Option name="iface_mtu">1500</Option>
<Option name="type">vrrp</Option>
@ -100,10 +100,17 @@
</Policy>
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id2374X75741"/>
<Interface id="id2875X71781" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="Interface" comment="" ro="False">
<InterfaceOptions/>
</Interface>
<ObjectRef ref="id3188X29979"/>
<ObjectRef ref="id2263X68642"/>
<IPv4 id="id2375X75741" name="cluster1:FastEthernet0/0.101:ip" comment="" ro="False" address="192.168.100.1" netmask="255.255.255.0"/>
<IPv4 id="id2380X75741" name="cluster1:FastEthernet0/1:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
</Library>
<Library id="id1495X69605" color="#d2ffd0" name="User" comment="" ro="False">
<ObjectGroup id="id1502X69605" name="Clusters" comment="" ro="False">
<Cluster id="id2366X75741" host_OS="pix_os" inactive="False" lastCompiled="1248670597" lastInstalled="0" lastModified="1257811144" platform="pix" name="cluster1" comment="" ro="False">
<Cluster id="id2366X75741" host_OS="pix_os" inactive="False" lastCompiled="1248670597" lastInstalled="0" lastModified="1257829296" platform="pix" name="cluster1" comment="" ro="False">
<NAT id="id2370X75741" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id4606X78273" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -239,13 +246,12 @@
</PolicyRule>
</Policy>
<Routing id="id2371X75741" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id2374X75741" dyn="False" label="inside" mgmt="False" network_zone="id3042X68642" security_level="100" unnum="False" unprotected="False" name="FastEthernet0/0.101" comment="" ro="False">
<IPv4 id="id2375X75741" name="cluster1:FastEthernet0/0.101:ip" comment="" ro="False" address="192.168.100.1" netmask="255.255.255.0"/>
<Interface id="id2374X75741" dedicated_failover="False" dyn="False" label="inside" mgmt="False" network_zone="id3042X68642" security_level="100" unnum="False" unprotected="False" name="FastEthernet0/0.101" comment="" ro="False">
<InterfaceOptions>
<Option name="iface_mtu">1500</Option>
<Option name="type">vrrp</Option>
</InterfaceOptions>
<FailoverClusterGroup id="id2377X75741" master_iface="id3188X29979" type="vrrp" name="cluster1:vrrp0:members" comment="">
<FailoverClusterGroup id="id2377X75741" master_iface="id3188X29979" type="none" name="cluster1:vrrp0:members" comment="">
<ObjectRef ref="id3188X29979"/>
<ObjectRef ref="id2263X68642"/>
<ClusterGroupOptions>
@ -254,21 +260,28 @@
</ClusterGroupOptions>
</FailoverClusterGroup>
</Interface>
<Interface id="id2379X75741" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="FastEthernet0/1" comment="" ro="False">
<IPv4 id="id2380X75741" name="cluster1:FastEthernet0/1:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
<Interface id="id2379X75741" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="FastEthernet0/1" comment="" ro="False">
<InterfaceOptions>
<Option name="iface_mtu">1500</Option>
<Option name="type">vrrp</Option>
</InterfaceOptions>
<FailoverClusterGroup id="id2382X75741" master_iface="id2844X69605" type="vrrp" name="cluster1:vrrp1:members" comment="">
<FailoverClusterGroup id="id2382X75741" master_iface="id2844X69605" type="none" name="cluster1:vrrp1:members" comment="">
<ObjectRef ref="id2844X69605"/>
<ObjectRef ref="id2268X68642"/>
</FailoverClusterGroup>
</Interface>
<Interface id="id2335X71781" dedicated_failover="False" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="Ethernet0/0" comment="" ro="False">
<InterfaceOptions/>
<FailoverClusterGroup id="id2337X71781" type="pix_failover" name="Failover group" comment="">
<ObjectRef ref="id2331X71781"/>
<ObjectRef ref="id2333X71781"/>
<ClusterGroupOptions/>
</FailoverClusterGroup>
</Interface>
<FirewallOptions/>
<StateSyncClusterGroup id="id2372X75741" type="pix" name="State Sync Group" comment="">
<ObjectRef ref="id3188X29979"/>
<ObjectRef ref="id2263X68642"/>
<StateSyncClusterGroup id="id2372X75741" type="pix_state_sync" name="State Sync Group" comment="">
<ObjectRef ref="id2331X71781"/>
<ObjectRef ref="id2333X71781"/>
<ClusterGroupOptions/>
</StateSyncClusterGroup>
</Cluster>
@ -308,16 +321,16 @@
<ServiceGroup id="id1513X69605" name="TagServices" comment="" ro="False"/>
</ServiceGroup>
<ObjectGroup id="id1514X69605" name="Firewalls" comment="" ro="False">
<Firewall id="id2735X69605" host_OS="pix_os" inactive="False" lastCompiled="1251482764" lastInstalled="0" lastModified="1257811140" platform="pix" version="7.0" name="pix-1" comment=" " ro="False">
<Firewall id="id2735X69605" host_OS="pix_os" inactive="False" lastCompiled="1251482764" lastInstalled="0" lastModified="1257822623" platform="pix" version="7.0" name="pix-1" comment=" " ro="False">
<NAT id="id2827X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id2741X69605" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id2842X69605" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id2843X69605" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="0" unnum="True" unprotected="False" name="FastEthernet0/0" comment=" " ro="False">
<Interface id="id2843X69605" dedicated_failover="False" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="0" unnum="True" unprotected="False" name="FastEthernet0/0" comment=" " ro="False">
<InterfaceOptions>
<Option name="type">ethernet</Option>
<Option name="vlan_id">0</Option>
</InterfaceOptions>
<Interface id="id3188X29979" dyn="False" label="inside" mgmt="False" network_zone="id3042X68642" security_level="100" unnum="False" unprotected="False" name="FastEthernet0/0.101" comment="vlan interface " ro="False">
<Interface id="id3188X29979" dedicated_failover="False" dyn="False" label="inside" mgmt="False" network_zone="id3042X68642" security_level="100" unnum="False" unprotected="False" name="FastEthernet0/0.101" comment="vlan interface " ro="False">
<IPv4 id="id10439X39874" name="pix-1:FastEthernet0/0:FastEthernet0/0.101:ip" comment="" ro="False" address="192.168.100.253" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="dev_plus_vid">False</Option>
@ -329,13 +342,19 @@
</InterfaceOptions>
</Interface>
</Interface>
<Interface id="id2844X69605" dyn="False" label="outside" mgmt="True" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="FastEthernet0/1" comment="" ro="False">
<Interface id="id2844X69605" dedicated_failover="False" dyn="False" label="outside" mgmt="True" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="FastEthernet0/1" comment="" ro="False">
<IPv4 id="id2846X69605" name="pix-1:FastEthernet0/1:ip" comment="" ro="False" address="192.0.2.253" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="iface_mtu">1500</Option>
<Option name="type">ethernet</Option>
</InterfaceOptions>
</Interface>
<Interface id="id2331X71781" dedicated_failover="True" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="Ethernet0/0" comment="" ro="False">
<IPv4 id="id2877X71781" name="pix-1:Ethernet0/0:ip" comment="" ro="False" address="172.17.1.253" netmask="255.255.255.252"/>
<InterfaceOptions>
<Option name="type">ethernet</Option>
</InterfaceOptions>
</Interface>
<Management address="192.168.1.2">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
@ -440,16 +459,16 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id2251X68642" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1257811144" platform="pix" version="7.0" name="pix-2" comment=" " ro="False">
<Firewall id="id2251X68642" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1257822627" platform="pix" version="7.0" name="pix-2" comment=" " ro="False">
<NAT id="id2287X68642" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id2273X68642" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id2288X68642" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id2257X68642" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="0" unnum="True" unprotected="False" name="FastEthernet0/0" comment=" " ro="False">
<Interface id="id2257X68642" dedicated_failover="False" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="0" unnum="True" unprotected="False" name="FastEthernet0/0" comment=" " ro="False">
<InterfaceOptions>
<Option name="type">ethernet</Option>
<Option name="vlan_id">0</Option>
</InterfaceOptions>
<Interface id="id2263X68642" dyn="False" label="inside" mgmt="False" network_zone="id3042X68642" security_level="100" unnum="False" unprotected="False" name="FastEthernet0/0.101" comment="vlan interface " ro="False">
<Interface id="id2263X68642" dedicated_failover="False" dyn="False" label="inside" mgmt="False" network_zone="id3042X68642" security_level="100" unnum="False" unprotected="False" name="FastEthernet0/0.101" comment="vlan interface " ro="False">
<IPv4 id="id2266X68642" name="pix-2:FastEthernet0/0:FastEthernet0/0.101:ip" comment="" ro="False" address="192.168.100.254" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="dev_plus_vid">False</Option>
@ -461,13 +480,19 @@
</InterfaceOptions>
</Interface>
</Interface>
<Interface id="id2268X68642" dyn="False" label="outside" mgmt="True" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="FastEthernet0/1" comment="" ro="False">
<Interface id="id2268X68642" dedicated_failover="False" dyn="False" label="outside" mgmt="True" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="FastEthernet0/1" comment="" ro="False">
<IPv4 id="id2271X68642" name="pix-2:FastEthernet0/1:ip" comment="" ro="False" address="192.0.2.254" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="iface_mtu">1500</Option>
<Option name="type">ethernet</Option>
</InterfaceOptions>
</Interface>
<Interface id="id2333X71781" dedicated_failover="True" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="Ethernet0/0" comment="" ro="False">
<IPv4 id="id2878X71781" name="pix-2:Ethernet0/0:ip" comment="" ro="False" address="172.17.1.254" netmask="255.255.255.252"/>
<InterfaceOptions>
<Option name="type">ethernet</Option>
</InterfaceOptions>
</Interface>
<Management address="192.168.1.2">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>