Is there a failsafe function when deploying a rulebase with ASDM to a PIX?

Unanswered Question
Apr 27th, 2007

I was wondering if there is any form of failsafe when deploying a rulebase to a PIX with the ASDM. Based on the logs, it seems that it simply writes the complete generated config to the PIX running config and ends with a write mem.

For me, who has about 1700 lines of config, this is a bit worrying. What if the ASDM loses connection to the PIX halfway through the process?

mark.j.hodge Fri, 04/27/2007 - 07:40

It is always recommended to take a backup of the PIX configuration before making any significant change; this can be done via TFTP.

When you make changes via ASDM, they are not committed until you select the "Save" icon. Until this point the changes are in RAM (running-config), and a reload will revert back to the version in NVRAM (startup-config).

sverre.stokken Sun, 04/29/2007 - 22:49

Yes, I keep backups, but my question is how the ASDM deploys the rulebase. Does it overwrite the running config (I don't see any log entries indicating that it tries to write already existing entries), or does it delete the rules and rewrite the complete rulebase? In this case we should see a small amount of drops from the firewall while it writes the new rulebase, but I don't see this either. The smartest (in my opinion) would be if it only writes the diff between the existing config and the new one (like the PDM does). But from the logfile I can see that it writes everything every time.

So what would happen if I lose connection between the firewall and the ASDM computer while it deploys?

sverre.stokken Sun, 04/29/2007 - 23:32

Correction: I have misinformed you. When I said ASDM, I was wrong; I mean the CiscoWorks Firewall Management Center. I was mixing up the products. Sorry.

