Name Collisions

When a firewall (or namespace) is being checked out, the Security Editor checks for name collisions. It does this by comparing every configuration item in the configuration being checked out with the corresponding items in the namespaces that the firewall (or namespace) resides in.

If the Security Editor encounters two configuration items with the same name, but with different definitions, it is considered a name collision, and a dialog box similar to the one shown below is displayed.

Name collisions can have many causes. One is the scenario discussed in the previous section: the administrator modifies a configuration item in a namespace with the Automatic configuration inheritance option disabled. As a result, the namespace has a new definition of that configuration item, while the underlying firewall(s) keep their old definitions of the same item. When the administrator later checks out one of the underlying firewalls, the name collision is detected.

The Name Collisions dialog box

When one or more name collisions have been detected, the Security Editor displays the Name Collisions dialog box.

The dialog box lists all the items that are causing collisions. The first column gives a short explanation of the collision, and the second column displays the resolving status. The status is set to Unresolved by default.

Clicking the Resolve... button allows the administrator to resolve the collision. See the section Resolving name collisions below.

Clicking the Close button will close the Name Collisions dialog box and continue the check out process.

Note: It is possible to leave collisions in an unresolved state and close the Name Collisions dialog box. However, the next time the firewall in question is checked out, the unresolved items will cause the Name Collisions dialog box to be displayed again.

 

Resolving name collisions

In the sample Name Collision dialog box above, one collision has been detected when checking out the Interior firewall. In this case, it is the http service definition that collides with the http service defined in the Global Namespace.

To resolve the collision, click the Resolve... button. A Resolve dialog box similar to this one is displayed.

There are two ways to resolve the name collision:

  • Use the item in namespace – selecting this option will cause the local definition of the item to be discarded and replaced by the definition in the namespace.

  • Use local copy with new name – selecting this option will cause the local definition of the item to be saved. Note that the item must be given a new name; otherwise it will continue to cause a collision.

To find out the differences between the two colliding definitions, the Item Properties... buttons can be used. The top button will display the item properties as defined by the namespace. The bottom button will display the item properties as defined by the local firewall. Both dialog boxes can be displayed at the same time in order to simplify item comparison.

In this sample, the left dialog box below displays the properties for the http service definition in the Global Namespace. The right dialog box below displays the properties for the http service definition in the Interior firewall. The difference between the two definitions seems to be that the destination port number has been changed to 81 in the Global Namespace, while it is still defined as port 80 in the Interior firewall.

Now, if the administrator chooses the Use the item in namespace option, the http definition in the Interior firewall will be copied from the Global Namespace, and thus start to use port 81. If the administrator instead chooses the Use local copy with new name option and enters a new name, for instance local_http, then the local_http service will keep its destination port 81. All references to http in the Interior configuration will be replaced with local_http.
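
The detection rule and the two resolve options described above, modelled in Python as an added example. This is not the Security Editor's code; the Config class, the function names and the dictionary layout are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Config:
    """Hypothetical model: named items, plus rules that refer to items by name."""
    items: dict
    rules: list = field(default_factory=list)

def find_collisions(local, namespaces):
    """Same name, different definition, in any enclosing namespace."""
    return [(name, label)
            for label, ns in namespaces.items()
            for name, definition in local.items.items()
            if name in ns.items and ns.items[name] != definition]

def use_namespace_item(local, ns, name):
    """'Use the item in namespace': the local definition is discarded."""
    local.items[name] = dict(ns.items[name])

def use_local_copy(local, ns, name, new_name):
    """'Use local copy with new name': keep the local definition, renamed."""
    if new_name == name or new_name in local.items or new_name in ns.items:
        raise ValueError(f"{new_name!r} is already in use and would collide again")
    # Assumption: the old local name is dropped, leaving only the namespace's item.
    local.items[new_name] = local.items.pop(name)
    for rule in local.rules:          # rewrite every reference to the old name
        if rule["service"] == name:
            rule["service"] = new_name

def sample():
    """Constructed data using the values the page gives for the two definitions."""
    global_ns = Config(items={"http": {"protocol": "tcp", "dst_port": 81}})
    interior = Config(items={"http": {"protocol": "tcp", "dst_port": 80}},
                      rules=[{"action": "allow", "service": "http"}])
    return interior, global_ns

if __name__ == "__main__":
    interior, global_ns = sample()
    print(find_collisions(interior, {"Global Namespace": global_ns}))
    use_local_copy(interior, global_ns, "http", "local_http")
    print(interior.items, interior.rules)
    print(find_collisions(interior, {"Global Namespace": global_ns}))
```

Comparing the rule set before and after either option shows which traffic definition each rule ends up referring to, which is the detail worth reviewing before the configuration is checked back in.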