Thursday, December 15, 2011

How to compare firewall policies between two IBM Proventia M



If you have to RMA an IBM Proventia M firewall and move the policy from one firewall to another, there is a simple test you can perform to make sure the policy on the new RMA firewall is the same as on the old one. Once you have applied the snapshot to the new RMA firewall, run the following commands on both firewalls:

[root@proventiaM root]# cd /etc/crm/policies/cml/NetworkProtector/fwm/
[root@proventiaM fwm]# ls -la
total 92
drwxr-xr-x 2 root root 4096 Aug 8 2009 .
drwxr-xr-x 39 root root 4096 Mar 12 2008 ..
-rw-r--r-- 1 root root 27778 Aug 8 2009 npfwm1_0.xml
-rw-r--r-- 1 root root 16131 Mar 12 2008 npfwm1_0.xml.bak
-rw-r--r-- 1 root root 4908 May 15 2007 npfwm2_0_0.xml
-rw-r--r-- 1 root root 9335 May 15 2007 npfwm3_0_0.xml
-rw-r--r-- 1 root root 11702 May 15 2007 npfwm4_0_0.xml
-rw-r--r-- 1 root root 8169 May 15 2007 npfwm4_1_0.xml

[root@proventiaM fwm]# md5sum npfwm1_0.xml
06e78c571413e8f78fe0db58a0f070b7 npfwm1_0.xml

or simply:


md5sum /etc/crm/policies/cml/NetworkProtector/fwm/npfwm1_0.xml



This gives you the checksum of the firewall policy file, npfwm1_0.xml. If the value is the same on both firewalls, the policy file is the same on both, and checking this is a lot quicker than comparing the policy line by line, especially if you have a large policy.
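
The same check extended to every npfwm*.xml file in the directory, as an added example that is not part of the original post: it goes beyond the single-file comparison above by building an md5sum manifest from the old firewall's files and checking the new firewall's files against it with md5sum -c, so a mismatch names the file that differs. It assumes both fwm directories have been copied to a local machine; the function names and the XML contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the fwm policy
# directory from each firewall has been copied to a local directory.

# write_manifest DIR: print md5sum lines for every npfwm*.xml in DIR.
# The glob does not match the .bak copy, which may legitimately differ.
write_manifest() {
    ( cd "$1" && md5sum npfwm*.xml )
}

# verify_against MANIFEST DIR: check the files in DIR against MANIFEST
# (absolute path). Prints only files that differ or are missing and
# returns 0 only when every file matches.
verify_against() {
    result=$(cd "$2" && LC_ALL=C md5sum -c "$1" 2>/dev/null) && status=0 || status=$?
    printf '%s\n' "$result" | grep -v ': OK$' || true
    return "$status"
}

# Constructed sample data: placeholder contents, not real policy XML.
demo() {
    work=$(mktemp -d)
    mkdir "$work/old" "$work/new"
    echo '<policy><rule id="1" action="allow"/></policy>' > "$work/old/npfwm1_0.xml"
    echo '<policy><zone name="lan"/></policy>' > "$work/old/npfwm2_0_0.xml"
    cp "$work/old/"*.xml "$work/new/"
    write_manifest "$work/old" > "$work/old.md5"

    if verify_against "$work/old.md5" "$work/new"; then
        echo "snapshot applied cleanly: all policy files match"
    fi

    # Simulate a policy that did not restore correctly on the new unit.
    echo '<policy><rule id="1" action="deny"/></policy>' > "$work/new/npfwm1_0.xml"
    if ! verify_against "$work/old.md5" "$work/new"; then
        echo "policy differs: inspect the files listed above"
    fi
    rm -rf "$work"
}

demo
```

A matching MD5 is a check against accidental differences such as an incomplete restore; it says nothing about whether the policy itself is the one you intended to deploy.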




