Cross Conflict
The Cross Conflict operation compares the functionality defined by a pair of network security device configurations. These may be two versions of the configuration for the same device, or configurations from two devices that should perform equivalent roles in a network security architecture (potentially of different versions or from different vendors).
A textual difference can be used as a quick approximation of a functional difference, but it has problems in both directions. A straight textual difference will catch changes that have no functional impact (e.g. configuration element name changes). It may also miss functionality changes in lines that are not themselves changed but are affected by textual changes to earlier lines.
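The two problems with a textual difference described above, shown on a pair of constructed rule tables. This is an added example, not InfoSecter code or output: the rule format, rule names, addresses and the first-match model with an implicit deny are assumptions, and it probes a handful of sample packets rather than enumerating the full packet space.

```python
import difflib
from ipaddress import ip_address, ip_network

# Constructed tables: (name, action, source network, destination port or "any").
# First matching rule wins; anything unmatched hits an implicit deny.
OLD = [
    ("web-in", "permit", "0.0.0.0/0", 443),
    ("ssh-adm", "permit", "10.1.0.0/16", 22),
]
NEW = [
    ("block-lab", "deny", "10.1.5.0/24", "any"),  # inserted above existing rules
    ("https-in", "permit", "0.0.0.0/0", 443),     # renamed only
    ("ssh-adm", "permit", "10.1.0.0/16", 22),     # text unchanged
]
# Constructed probe packets, one source per address region the rules distinguish.
SOURCES = ["10.1.5.7", "10.1.9.9", "198.51.100.4"]
PORTS = [22, 443]

def decide(rules, src, port):
    """Return (action, rule name) for a packet under first-match semantics."""
    for name, action, net, rule_port in rules:
        if ip_address(src) in ip_network(net) and rule_port in ("any", port):
            return action, name
    return "deny", "implicit-deny"

def functional_diff(old, new, sources=SOURCES, ports=PORTS):
    """Packets whose action differs, with the deciding rule on each side."""
    changed = []
    for src in sources:
        for port in ports:
            before, after = decide(old, src, port), decide(new, src, port)
            if before[0] != after[0]:
                changed.append((src, port, before, after))
    return changed

def textual_diff(old, new):
    """Added/removed rule lines as a plain line-based diff reports them."""
    def render(rules):
        return [" ".join(str(field) for field in rule) for rule in rules]
    lines = difflib.unified_diff(render(old), render(new), lineterm="", n=0)
    return [l for l in lines
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]

if __name__ == "__main__":
    for line in textual_diff(OLD, NEW):
        print("text:", line)
    for src, port, before, after in functional_diff(OLD, NEW):
        print(f"func: {src} -> port {port}: {before} became {after}")
```

The line diff flags the `web-in`/`https-in` rename, which changes no packet's handling, and never mentions `ssh-adm`, even though SSH from 10.1.5.0/24 is now denied by the rule inserted above it.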
Change Review
Changes to large ordered rule tables can easily have unintended consequences. By enumerating how packets will be handled differently between the two configurations, you can easily review and understand all differences. Cross Conflict reports can streamline your organization's change review process. Rather than looking over all configuration lines in the new version of a configuration file, you can concentrate on the lines that affect functionality changes as indicated in the Cross Conflict report.
Device Migration
The Cross Conflict operation is useful when you are migrating from one firewall device to another (say from a PIX to an ASA, or from IOS to Netscreen). InfoSecter builds common models from the configurations and performs a functional comparison. You can therefore build a proposed configuration for the new device and then use the Cross Conflict operation to generate a report of the packets that are handled differently between the two configurations. Reviewing that hopefully small set of packets tells you where to update the new device's configuration as necessary.
The Cross Conflict operation can be performed against single interfaces or it can analyze flows over pairs of interfaces using Cross Interface mode.