This article describes Confd conditional overrides.
Known to apply to the following Sophos product(s) and version(s)
The Confd storage is supposed to store the ASG configuration according to the wishes of the ASG administrator. Thus, essentially, it is supposed to be static until the administrator applies the next manual change.
However, in certain situations, the ASG administrator may wish that, when certain temporary conditions hold, certain temporary modifications take effect in the storage - modifications that are not permanent, but go away as soon as the triggering condition ends.
For example, the administrator may wish that, at times when the main Internet uplink happens to be offline, certain additional interface addresses or IPSec tunnels should be brought up or down automatically.
Conditional overrides according to this particular example can be configured on the WebAdmin tab
Interfaces&Routing >> UplinkMonitoring >> Actions. The Confd represents such uplink monitoring actions in terms of the
condition Confd object classes, allowing much more general conditional overrides than supported by the WebAdmin. This reference manual documents the exact effects of having such
override objects in the storage. It intends to help support enginieers to debug low-level issues on customer systems, and it intends to help developers to use overrides to implement new features.
So far, the
condition object class contains one single object type,
condition->objref objects specify conditions that depend on the current state of a specific Confd object.
The attributes of a
- The reference string of the Confd object this condition depends on.
- The attribute name of the object attribute this condition depends on. This attribute will be watched in the object specified by the
- The value the above attribute will be checked against.
- The relational operator to use for comparing the attribute against the value. When it is "
eq", the condition triggers when the attribute equals the value; when it is "
ne", the condition triggers when the attribute does not equal the value.
For example, the following condition triggers when the link on the default internal interface is down:
ref => 'REF_DefaultInternal',
attr => 'link',
operator => 'eq',
value => 0
As a special case, if the
attr is of type
HASH, the condition triggers if and only if "
x operator value" holds for all values
x of the hash.
So far, the
override object class contains one single object type,
objref. A Confd
override->objref object requests to override an attribute of one specific Confd object.
The attributes of a
override->objref object are:
- A reference to a Confd
condition object. When the condition triggers, the override takes effect. When the condition does not trigger, the override has no effect.
- The reference string of the Confd object modified by this override.
- The attribute name of the object attribute modified by this override. When the
condition triggers, this attribute will be overridden in the object specified by the
- The value to substitute for the above attribute, when the
For example, the following override will enable a replacement address on another interface in case the main Internet uplink goes down:
condition => 'REF_UplinkCondition',
ref => 'REF_ItfSecReplaAddre',
attr => 'status',
value => 1
The presence of
override objects in the Confd storage modifies the behaviour of the following Confd public functions, but only when the option
effective is passed to the Confd functions
get_objects. Without this option, objects are always returned unmangled, ignoring conditional overrides.
The MiddleWare always uses the
effective option. Consequently, conditional overrides are always taken into account by the MiddleWare.
The WebAdmin, on the other hand, never uses the
effective option. Consequently, in the WebAdmin, the configuration is always shown as configured by the administrator, even when part of it is temporarily modified by conditional overrides.
The Confd command line client does not use the
effective option by default, but you can explicitely specify it, for example like this:
# cc get_object REF_ItfSecReplaAddre effective