OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: amuckart on May 28, 2025, 04:45:32 AM

Title: View / Cancel Pending Firewall Changes
Post by: amuckart on May 28, 2025, 04:45:32 AM
Is there a way to see what changes will be applied to firewalls from the web GUI?

I can do it by diffing the config.xml and the most recent backup, but that's kind of ugly.

Same with cancelling the changes.

At the moment the big "Apply Changes" button can appear in the firewall rules section without any obvious cause. Clicking the "disable log" button and re-enabling it makes it appear just as much as adding a "pass any/any in on WAN" rule does, and there's no way to review the changes without SSH'ing in and diffing the XML.

This is quite a big issue for production environments.

Thanks.

Title: Re: View / Cancel Pending Firewall Changes
Post by: EricPerl on May 28, 2025, 05:58:58 AM
AFAIK, any changes made in the GUI (or invoking the API) result in an update to the config.xml.
You can compare any versions in System: Configuration: History.
Some changes are not applied immediately, especially those that might need to be applied as a set.
The apply button is essentially getting the underlying service to pick up the set of changes.

Edit: There's no cancel of pending changes. The changes are already persisted in config.xml. You can revert back to an old config in the History.
Reverting back apparently does not "apply" the reverted changes. You'll want to reboot...

Title: Re: View / Cancel Pending Firewall Changes
Post by: amuckart on June 07, 2025, 08:04:20 AM
Thank you Eric.

Sorry for the reply lag, I failed to turn on notifications for this topic.

I can use the configuration history to see the changes. Even though reading the XML isn't ideal, it'll do.

It's unfortunate that one can't easily discard changes or 'Apply' a rolled-back config without rebooting the whole box. That's quite painful for an enterprise firewall.

It seems like some things, like firewall categories, do change immediately when the configuration is rolled back. For rules, they show up back in the UI list but the "Apply" button isn't there.

Toggling a trivial change, like whether a rule logs or not, does make the Apply button appear though, and clicking that will apply the whole ruleset as seen in the UI. It's not a great user experience, but it does seem to work.

Thanks for pointing me in the right direction.
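
Added example, not from any poster in this thread or from the OPNsense project: a rule-level comparison of two config.xml versions, as a more readable alternative to the raw XML diff discussed above. It assumes firewall rules are stored as `<filter><rule uuid="...">` elements; the sample configs and the helper names (`flatten`, `load_rules`, `diff_rules`, `is_wide_open`) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs. The <filter><rule uuid="..."> layout is an assumption.
OLD = """<opnsense><filter>
<rule uuid="a1"><type>pass</type><interface>lan</interface><log>1</log>
<source><network>lan</network></source><destination><any>1</any></destination></rule>
<rule uuid="b2"><type>block</type><interface>wan</interface>
<source><any>1</any></source><destination><any>1</any></destination></rule>
</filter></opnsense>"""
# NEW: logging toggled off on a1, and a pass any/any rule added on WAN.
NEW = """<opnsense><filter>
<rule uuid="a1"><type>pass</type><interface>lan</interface>
<source><network>lan</network></source><destination><any>1</any></destination></rule>
<rule uuid="b2"><type>block</type><interface>wan</interface>
<source><any>1</any></source><destination><any>1</any></destination></rule>
<rule uuid="c3"><type>pass</type><interface>wan</interface>
<source><any>1</any></source><destination><any>1</any></destination></rule>
</filter></opnsense>"""

def flatten(elem, prefix=""):
    """Turn a rule element into {path: text} so nested fields compare cleanly."""
    out = {}
    for child in elem:
        path = prefix + child.tag
        if len(child):  # has sub-elements, e.g. <source><any>1</any></source>
            out.update(flatten(child, path + "/"))
        else:
            out[path] = (child.text or "").strip()
    return out

def load_rules(xml_text):
    root = ET.fromstring(xml_text)
    return {r.get("uuid"): flatten(r) for r in root.findall("./filter/rule")}

def diff_rules(old_xml, new_xml):
    """Return (added, removed, changed); changed maps uuid -> {field: (old, new)}."""
    old, new = load_rules(old_xml), load_rules(new_xml)
    added = {u: new[u] for u in new.keys() - old.keys()}
    removed = {u: old[u] for u in old.keys() - new.keys()}
    changed = {}
    for u in old.keys() & new.keys():
        fields = {k: (old[u].get(k), new[u].get(k))
                  for k in old[u].keys() | new[u].keys()
                  if old[u].get(k) != new[u].get(k)}
        if fields:
            changed[u] = fields
    return added, removed, changed

def is_wide_open(rule):
    """Flag pass rules whose source and destination are both 'any'."""
    return (rule.get("type") == "pass" and rule.get("source/any") == "1"
            and rule.get("destination/any") == "1")
```

To review a real pending change, pass the text of the live config.xml and of the backup copy to `diff_rules` instead of the constants, and check every added or changed rule with `is_wide_open` before applying.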