UTM Confd conditional overrides

  • Article ID: 116041
  • Updated: 22 Nov 2013

This article describes Confd conditional overrides.

Known to apply to the following Sophos product(s) and version(s)

Sophos UTM

Operating systems


The Confd storage is supposed to store the ASG configuration according to the wishes of the ASG administrator.  Thus, essentially, it is supposed to be static until the administrator applies the next manual change.

However, in certain situations, the ASG administrator may wish that, when certain temporary conditions hold, certain temporary modifications take effect in the storage - modifications that are not permanent, but go away as soon as the triggering condition ends.

For example, the administrator may wish that, at times when the main Internet uplink happens to be offline, certain additional interface addresses or IPSec tunnels should be brought up or down automatically.

Conditional overrides according to this particular example can be configured on the WebAdmin tab Interfaces&Routing >> UplinkMonitoring >> Actions. The Confd represents such uplink monitoring actions in terms of the override and condition Confd object classes, allowing much more general conditional overrides than supported by the WebAdmin. This reference manual documents the exact effects of having such override objects in the storage. It intends to help support enginieers to debug low-level issues on customer systems, and it intends to help developers to use overrides to implement new features.

Object classes


So far, the condition object class contains one single object type, objref. Confd condition->objref objects specify conditions that depend on the current state of a specific Confd object.

The attributes of a condition->object are:

The reference string of the Confd object this condition depends on.
The attribute name of the object attribute this condition depends on. This attribute will be watched in the object specified by the ref attribute.
The value the above attribute will be checked against.
The relational operator to use for comparing the attribute against the value. When it is "eq", the condition triggers when the attribute equals the value; when it is "ne", the condition triggers when the attribute does not equal the value.

For example, the following condition triggers when the link on the default internal interface is down:

ref => 'REF_DefaultInternal',
attr => 'link',
operator => 'eq',
value => 0

As a special case, if the attr is of type HASH, the condition triggers if and only if "x operator value" holds for all values x of the hash.


So far, the override object class contains one single object type, objref. A Confd override->objref object requests to override an attribute of one specific Confd object.

The attributes of a override->objref object are:

A reference to a Confd condition object. When the condition triggers, the override takes effect. When the condition does not trigger, the override has no effect.
The reference string of the Confd object modified by this override.
The attribute name of the object attribute modified by this override. When the condition triggers, this attribute will be overridden in the object specified by the ref attribute.
The value to substitute for the above attribute, when the condition triggers.

For example, the following override will enable a replacement address on another interface in case the main Internet uplink goes down:

condition => 'REF_UplinkCondition',
ref => 'REF_ItfSecReplaAddre',
attr => 'status',
value => 1

Confd functions

The presence of override objects in the Confd storage modifies the behaviour of the following Confd public functions, but only when the option effective is passed to the Confd functions get_object and get_objects. Without this option, objects are always returned unmangled, ignoring conditional overrides.

  • get_object
  • get_object_by_name
  • get_user_by_name
  • get_objects
  • get_objects_filtered

The MiddleWare always uses the effective option. Consequently, conditional overrides are always taken into account by the MiddleWare.

The WebAdmin, on the other hand, never uses the effective option. Consequently, in the WebAdmin, the configuration is always shown as configured by the administrator, even when part of it is temporarily modified by conditional overrides.

The Confd command line client does not use the effective option by default, but you can explicitely specify it, for example like this:

# cc get_object REF_ItfSecReplaAddre effective

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent