Comparing Policy Revisions

Overview

A newly installed policy can cause unforeseen problems, such as a network outage that turns into business downtime. Being able to compare the new policy quickly against an older, known-good revision shortens the time to find the offending change and so improves network and system uptime.

You can either view a side-by-side graphical diff, or generate a report listing the differences.

To find out who made a known change when you do not know the exact revision number, use the Advanced Change Report. It lists every change made between two points in time, together with the user who performed each one.

Side-by-Side Comparison

You can compare two firewall policy revisions side-by-side in SecureTrack.

  1. In Compare View, in the left-hand pane, select the relevant monitored device.

  2. In the revisions table, select the two policy revisions to be compared.

  3. Click Compare.

SecureTrack analyzes the differences between the revisions, and displays a side-by-side graphical comparison.

Any configuration changes that were made between the two revisions are highlighted.

Policies containing thousands of rules may take a long time to compare, or the comparison may fail altogether. For large policies, use Generate Report rather than Compare.

Scrolling, and moving between policies and tabs, is applied to both revisions at once, so you are always viewing the same part of both.

You can move quickly from one change to the next by using the navigation arrows located in the space between the two policies.

By default, the Objects tab shows only the objects that were modified between the two revisions. This behavior can be changed.

In a Check Point policy that contains multiple Policy Packages, you can select a package from the drop-down list, where the packages are grouped by installation target. For meaningful results, select on both sides packages intended for the same installation targets. Packages that were modified between the two revisions are colored blue.

In Cisco, Fortinet, and Juniper policies, you can view textual differences in the Running Config/Device Configuration tab.
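The two outputs described above, a report listing the rule-level differences between a known-good revision and a new one, and a textual diff of the device configuration, can be modelled in a few dozen lines. The following Python is an added example written for this page; it is not SecureTrack code, does not use any SecureTrack API, and the ACL name, addresses and hit counters in the two revisions are constructed for the example. It also shows the caveat a practitioner runs into when diffing raw `show ip access-lists` output: the "(N matches)" hit counters change between revisions and must be stripped before comparison, or every rule looks modified.

```python
"""Rule-level and textual comparison of two firewall policy revisions.

Added example for this page, not SecureTrack code. Models two things the page
describes: a report listing the rule differences between a known-good revision
and a new one, and the textual diff of a Cisco-style device configuration.
All config text below is constructed for the example.
"""
import difflib
import re
from typing import Dict, List, Tuple

# Constructed sample revisions in the style of Cisco `show ip access-lists`
# output. Revision 2 adds a broad permit, drops the HTTP rule and widens the
# DNS rule. The "(N matches)" hit counters are volatile and must not be
# reported as policy changes.
REVISION_1 = """\
Extended IP access list OUTSIDE_IN
    10 permit tcp any host 10.0.0.5 eq 443 (1532 matches)
    20 permit tcp any host 10.0.0.5 eq 80 (17 matches)
    30 permit udp host 10.0.0.9 any eq 53
    40 deny ip any any log (9 matches)
"""

REVISION_2 = """\
Extended IP access list OUTSIDE_IN
    5 permit ip any any
    10 permit tcp any host 10.0.0.5 eq 443 (1601 matches)
    30 permit udp any any eq 53
    40 deny ip any any log (11 matches)
"""

_ACL_HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)\s*$")
_ACE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")          # "<seq> <rule text>"
_BROAD = re.compile(r"^permit\s+\S+\s+any\s+any\b")    # any source to any destination

Rule = Tuple[str, int, str]          # (acl, sequence, rule text)
Change = Tuple[str, int, str, str]   # (acl, sequence, old text, new text)


def normalize(config: str) -> List[str]:
    """Return the config lines with volatile hit counters removed."""
    return [re.sub(r"\s*\(\d+ matches\)", "", line) for line in config.splitlines()]


def parse_acls(config: str) -> Dict[str, Dict[int, str]]:
    """Map each ACL name to {sequence number: rule text}."""
    acls: Dict[str, Dict[int, str]] = {}
    current = None
    for line in normalize(config):
        header = _ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls[current] = {}
            continue
        ace = _ACE.match(line)
        if ace and current is not None:
            acls[current][int(ace.group(1))] = ace.group(2)
    return acls


def compare_policies(old: str, new: str) -> Dict[str, list]:
    """Rule-level diff keyed on ACL name and sequence number."""
    old_acls, new_acls = parse_acls(old), parse_acls(new)
    added: List[Rule] = []
    removed: List[Rule] = []
    modified: List[Change] = []
    for acl in sorted(set(old_acls) | set(new_acls)):
        before, after = old_acls.get(acl, {}), new_acls.get(acl, {})
        for seq in sorted(set(before) | set(after)):
            if seq not in before:
                added.append((acl, seq, after[seq]))
            elif seq not in after:
                removed.append((acl, seq, before[seq]))
            elif before[seq] != after[seq]:
                modified.append((acl, seq, before[seq], after[seq]))
    return {"added": added, "removed": removed, "modified": modified}


def broad_permits(changes: Dict[str, list]) -> List[Rule]:
    """New or modified rules that permit any source to any destination.

    The comparison only shows what changed; judging whether the change is
    acceptable is still the reviewer's job, and this is one cheap check to
    run over every rule the new revision introduces.
    """
    candidates = changes["added"] + [(a, s, new) for a, s, _old, new in changes["modified"]]
    return [rule for rule in candidates if _BROAD.match(rule[2])]


def textual_diff(old: str, new: str) -> str:
    """Unified diff of the normalized configuration text."""
    return "".join(difflib.unified_diff(
        [line + "\n" for line in normalize(old)],
        [line + "\n" for line in normalize(new)],
        fromfile="revision-1", tofile="revision-2", n=1))


def format_report(changes: Dict[str, list]) -> str:
    """Render the rule-level diff as a plain-text report."""
    lines = []
    for acl, seq, rule in changes["added"]:
        lines.append(f"ADDED    {acl} seq {seq}: {rule}")
    for acl, seq, rule in changes["removed"]:
        lines.append(f"REMOVED  {acl} seq {seq}: {rule}")
    for acl, seq, old_rule, new_rule in changes["modified"]:
        lines.append(f"MODIFIED {acl} seq {seq}: {old_rule}  ->  {new_rule}")
    for acl, seq, rule in broad_permits(changes):
        lines.append(f"WARNING  {acl} seq {seq} permits any source to any destination: {rule}")
    return "\n".join(lines)


if __name__ == "__main__":
    changes = compare_policies(REVISION_1, REVISION_2)
    print(format_report(changes))
    print()
    print(textual_diff(REVISION_1, REVISION_2))
```

Keying rules on sequence number is what lets the report distinguish a modified rule (same sequence, different text) from a removal plus an addition; a purely textual diff cannot make that distinction, which is why the report form is the more useful one for large policies.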

In Fortinet policies, if one or both revisions contain one or more Global rules, the comparison is displayed in Global view. If neither revision contains Global rules, Section view is used.

Side-by-side comparison of a Fortinet policy revision containing a Global rule with a Fortinet policy revision that SecureTrack received before version 5.1 is not supported.

How Do I Get Here?

SecureTrack > Reports > Compare Revisions