"Wanna" ransomware outbreak. Please see this Sophos article sophos.com/kb/126733 for advice on how to protect your organization. Immediate action recommended.
This article describes Confd conditional overrides.
Known to apply to the following Sophos product(s) and version(s)
Operating systems v7,v8
The Confd storage is supposed to store the ASG configuration according to the wishes of the ASG administrator. Thus, essentially, it is supposed to be static until the administrator applies the next manual change.
However, in certain situations, the ASG administrator may wish that, when certain temporary conditions hold, certain temporary modifications take effect in the storage - modifications that are not permanent, but go away as soon as the triggering condition ends.
For example, the administrator may wish that, at times when the main Internet uplink happens to be offline, certain additional interface addresses or IPSec tunnels should be brought up or down automatically.
Conditional overrides according to this particular example can be configured on the WebAdmin tab Interfaces&Routing >> UplinkMonitoring >> Actions. The Confd represents such uplink monitoring actions in terms of the override and condition Confd object classes, allowing much more general conditional overrides than supported by the WebAdmin. This reference manual documents the exact effects of having such override objects in the storage. It intends to help support enginieers to debug low-level issues on customer systems, and it intends to help developers to use overrides to implement new features.
Interfaces&Routing >> UplinkMonitoring >> Actions
So far, the condition object class contains one single object type, objref. Confd condition->objref objects specify conditions that depend on the current state of a specific Confd object.
The attributes of a condition->object are:
For example, the following condition triggers when the link on the default internal interface is down:
ref => 'REF_DefaultInternal', attr => 'link', operator => 'eq', value => 0
As a special case, if the attr is of type HASH, the condition triggers if and only if "x operator value" holds for all values x of the hash.
x operator value
So far, the override object class contains one single object type, objref. A Confd override->objref object requests to override an attribute of one specific Confd object.
The attributes of a override->objref object are:
For example, the following override will enable a replacement address on another interface in case the main Internet uplink goes down:
condition => 'REF_UplinkCondition', ref => 'REF_ItfSecReplaAddre', attr => 'status', value => 1
The presence of override objects in the Confd storage modifies the behaviour of the following Confd public functions, but only when the option effective is passed to the Confd functions get_object and get_objects. Without this option, objects are always returned unmangled, ignoring conditional overrides.
The MiddleWare always uses the effective option. Consequently, conditional overrides are always taken into account by the MiddleWare.
The WebAdmin, on the other hand, never uses the effective option. Consequently, in the WebAdmin, the configuration is always shown as configured by the administrator, even when part of it is temporarily modified by conditional overrides.
The Confd command line client does not use the effective option by default, but you can explicitely specify it, for example like this:
# cc get_object REF_ItfSecReplaAddre effective
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.