CN103067203B - policy consistency auditing method, device and equipment - Google Patents
- Publication number: CN103067203B
- Other identifiers: CN201210572440.5A, CN201210572440A
- Authority: CN (China)
- Prior art keywords: policy data; management server; cyclic redundancy; network management; check value
- Legal status: Active
Abstract
The invention discloses a policy consistency auditing method, apparatus and device, belonging to the field of terminal equipment. The method comprises: separately computing feature values for the policy data of the network management server and of the device, where the feature value of each policy data item comprises a first cyclic redundancy check (CRC) value and a second CRC value, the first CRC value being the CRC value of the policy data itself and the second CRC value being the CRC value of the public objects referenced by the policy data; and comparing the feature values of the policy data of the network management server and of the device to obtain the audit result. By comparing the feature values of the policy data of the network management server and of the device, the invention avoids erroneous audit results caused by misjudging policies with different serial numbers but identical business content as inconsistent, improves the accuracy of consistency audit results, speeds up the comparison and improves audit efficiency.
Description
Technical Field
The present invention relates to the field of terminal equipment, and in particular to a policy consistency auditing method, apparatus and device.
Background
Internet applications are growing day by day, problems such as viruses and Trojans that endanger the information security of enterprises and individual users are becoming increasingly prominent, and network security has received great attention. As external-network security protection and internal-network access control policies multiply, the demands on security policy configuration, operation and maintenance grow stronger, and policy management becomes more and more complex. A policy here means a firewall policy configuration, which filters the packets passing through the firewall and performs content security inspection on them according to the five-tuple (source address, source port, destination address, destination port, protocol). Whether a device's configuration is consistent with the policy configured on the network management server affects the normal protection of the network, so consistency auditing of policies is particularly important.
In the prior art, consistency auditing strictly compares the configuration differences between the network management server and the device by policy serial number: if the serial numbers differ, the policies are considered different; for policies with the same serial number, the strings of the object names referenced by the policies are further compared, and if the strings are the same the policies on the network management server and on the device are considered consistent, otherwise they are considered inconsistent.
In the course of implementing the present invention, the inventors found that the prior art has at least the following problems:
When the prior-art auditing method compares by policy serial number, policies may be added and deleted repeatedly, and once a modified policy reuses an earlier policy's serial number, policies with different serial numbers but the same business content are misjudged as inconsistent, giving a wrong audit result. When strings are used for the further comparison, efficiency is low when the number of public objects is large, and the same objects are compared repeatedly. Moreover, because only the names of the referenced objects are compared and their contents are not examined, a case where the name is unchanged but the content has changed cannot be detected, so the audit result is inaccurate.
Summary of the Invention
To solve the problems of low consistency-audit efficiency and inaccurate audit results, embodiments of the present invention provide a policy consistency auditing method, apparatus and device. The technical solution is as follows:
In one aspect, a policy consistency auditing method is provided, the method comprising:
separately computing feature values for the policy data of the network management server and of the device, where the feature value of each policy data item comprises a first cyclic redundancy check (CRC) value and a second CRC value, the first CRC value being the CRC value of the policy data itself and the second CRC value being the CRC value of the public objects referenced by the policy data; and
comparing the feature values of the policy data of the network management server and of the device to obtain the audit result.
Comparing the feature values of the policy data of the network management server and of the device to obtain the audit result comprises:
comparing the first CRC values of the policy data of the network management server and of the device to determine the first policy data; and
when the comparison determines that the policy data of the network management server and of the device also include second policy data, comparing the second CRC values of the second policy data of the network management server and of the second policy data of the device to obtain the difference between the two.
Comparing the first CRC values of the policy data of the network management server and of the device to determine the first policy data comprises:
sorting the feature values of the policy data of the network management server and of the device, respectively, in configuration order;
determining a first sequence and a second sequence, the first sequence being the sequence of policy data with identical first CRC values determined with the policy data of the network management server as the benchmark, and the second sequence being the sequence of policy data with identical first CRC values determined with the policy data of the device as the benchmark; and
comparing the first sequence and the second sequence, and determining the policy data in whichever sequence contains more policy data with identical first CRC values as the first policy data.
Separately computing the feature values of the policy data of the network management server and of the device comprises:
separately obtaining the policy data of the network management server and of the device; and
computing the feature values of the policy data of the network management server and of the device from that policy data and from the public objects referenced by each policy data item.
Computing the feature values of the policy data of the network management server and of the device from that policy data and from the public objects referenced by each policy data item comprises:
when the policy data of the network management server and of the device are in different forms, converting the form of the device's policy data into the form of the network management server's policy data, and computing the feature values of the policy data of the network management server and of the device from that policy data and from the reference relationships between each policy data item and the public objects.
Computing the feature values of the policy data of the network management server and of the device from that policy data and from the public objects referenced by each policy data item comprises:
computing the first CRC value and the second CRC value of each policy data item layer by layer from the bottom up, following the hierarchy of reference relationships between the policy data items and the public objects.
In another aspect, a policy consistency auditing apparatus is provided, the apparatus comprising:
a computing module, configured to separately compute feature values for the policy data of the network management server and of the device, where the feature value of each policy data item comprises a first CRC value and a second CRC value, the first CRC value being the CRC value of the policy data itself and the second CRC value being the CRC value of the public objects referenced by the policy data; and
a comparing module, configured to compare the feature values of the policy data of the network management server and of the device to obtain the audit result.
The comparing module comprises:
a first comparing unit, configured to compare the first CRC values of the policy data of the network management server and of the device to determine the first policy data; and
a second comparing unit, configured, when the comparison determines that the policy data of the network management server and of the device also include second policy data, to compare the second CRC values of the second policy data of the network management server and of the second policy data of the device to obtain the difference between the two.
The first comparing unit comprises:
a sorting unit, configured to sort the feature values of the policy data of the network management server and of the device, respectively, in configuration order;
a sequence determining unit, configured to determine a first sequence and a second sequence, the first sequence being the sequence of policy data with identical first CRC values determined with the policy data of the network management server as the benchmark, and the second sequence being the sequence of policy data with identical first CRC values determined with the policy data of the device as the benchmark; and
a first policy determining unit, configured to compare the first sequence and the second sequence and to determine the policy data in whichever sequence contains more policy data with identical first CRC values as the first policy data.
The computing module comprises:
an obtaining unit, configured to separately obtain the policy data of the network management server and of the device; and
a computing unit, configured to compute the feature values of the policy data of the network management server and of the device from that policy data and from the public objects referenced by each policy data item.
The computing unit is configured, when the policy data of the network management server and of the device are in different forms, to convert the form of the device's policy data into the form of the network management server's policy data, and to compute the feature values of the policy data of the network management server and of the device from that policy data and from the reference relationships between each policy data item and the public objects.
The computing unit is configured to compute the first CRC value and the second CRC value of each policy data item layer by layer from the bottom up, following the hierarchy of reference relationships between the policy data items and the public objects.
In yet another aspect, a policy consistency auditing device is provided, the device comprising a processor,
the processor being configured to separately compute feature values for the policy data of the network management server and of the device, where the feature value of each policy data item comprises a first CRC value and a second CRC value, the first CRC value being the CRC value of the policy data itself and the second CRC value being the CRC value of the public objects referenced by the policy data; and
the processor being further configured to compare the feature values of the policy data of the network management server and of the device to obtain the audit result.
The processor is configured to compare the first CRC values of the policy data of the network management server and of the device to determine the first policy data, and, when the comparison determines that the policy data of the network management server and of the device also include second policy data, to compare the second CRC values of the second policy data of the network management server and of the second policy data of the device to obtain the difference between the two.
The processor is configured to sort the feature values of the policy data of the network management server and of the device, respectively, in configuration order;
the processor is configured to determine a first sequence and a second sequence, the first sequence being the sequence of policy data with identical first CRC values determined with the policy data of the network management server as the benchmark, and the second sequence being the sequence of policy data with identical first CRC values determined with the policy data of the device as the benchmark; and
the processor is configured to compare the first sequence and the second sequence and to determine the policy data in whichever sequence contains more policy data with identical first CRC values as the first policy data.
The processor is further configured to separately obtain the policy data of the network management server and of the device; and
the processor is further configured to compute the feature values of the policy data of the network management server and of the device from that policy data and from the public objects referenced by each policy data item.
The processor is configured, when the policy data of the network management server and of the device are in different forms, to convert the form of the device's policy data into the form of the network management server's policy data, and to compute the feature values of the policy data of the network management server and of the device from that policy data and from the reference relationships between each policy data item and the public objects.
The processor is configured to compute the first CRC value and the second CRC value of each policy data item layer by layer from the bottom up, following the hierarchy of reference relationships between the policy data items and the public objects.
The policy consistency auditing method, apparatus and device provided by the embodiments of the present invention separately compute feature values for the policy data of the network management server and of the device, where the feature value of each policy data item comprises a first CRC value and a second CRC value, the first CRC value being the CRC value of the policy data itself and the second CRC value being the CRC value of the public objects referenced by the policy data, and compare the feature values of the policy data of the network management server and of the device to obtain the audit result. The technical solution provided by the embodiments of the present invention avoids erroneous audit results caused by misjudging policies with different serial numbers but identical business content as inconsistent and improves the accuracy of consistency audit results; at the same time, comparing feature values speeds up the comparison and improves audit efficiency.
Brief Description of the Drawings
To illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1a is a flow chart of a policy consistency auditing method provided in an embodiment of the present invention;
Fig. 1b is a schematic diagram of a policy consistency auditing architecture provided in an embodiment of the present invention;
Fig. 2a is a flow chart of a policy consistency auditing method provided in an embodiment of the present invention;
Fig. 2b is a schematic diagram of a policy consistency audit provided in an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a policy consistency auditing apparatus provided in an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a policy consistency auditing device provided in an embodiment of the present invention.
具体实施方式 detailed description
为使本发明的目的、技术方案和优点更加清楚,下面将结合附图对本发明实施方式作进一步地详细描述。In order to make the object, technical solution and advantages of the present invention clearer, the implementation manner of the present invention will be further described in detail below in conjunction with the accompanying drawings.
图1a是本发明实施例提供的一种策略一致性审计方法流程图,本实施例中的执行主体是网管服务器,参见图1a,该方法流程包括:Fig. 1a is a flow chart of a policy consistency audit method provided by an embodiment of the present invention. The execution subject in this embodiment is a network management server. Referring to Fig. 1a, the method flow includes:
101:分别计算网管服务器和设备的策略数据的特征值,每个策略数据的特征值包括第一循环冗余码校验值和第二循环冗余码校验值;所述第一循环冗余码校验值为该策略数据的循环冗余码校验值,所述第二循环冗余码校验值为该策略数据所引用的公共对象的循环冗余码校验值;101: Calculate the feature values of the policy data of the network management server and the device respectively, where the feature value of each policy data includes a first cyclic redundancy check value and a second cyclic redundancy check value; the first cyclic redundancy check value The code check value is the cyclic redundancy code check value of the policy data, and the second cyclic redundancy code check value is the cyclic redundancy code check value of the public object referenced by the policy data;
其中,各个循环冗余码校验值是根据数据本身和循环冗余算法计算得到。Wherein, each cyclic redundancy code check value is calculated according to the data itself and a cyclic redundancy algorithm.
102:对网管服务器和设备的策略数据的特征值进行比较,获取审计结果。102: Compare the characteristic values of the policy data of the network management server and the device, and obtain an audit result.
本发明实施例提供的方法,通过分别计算网管服务器和设备的策略数据的特征值,每个策略数据的特征值包括第一循环冗余码校验值和第二循环冗余码校验值;所述第一循环冗余码校验值为该策略数据的循环冗余码校验值,所述第二循环冗余码校验值为该策略数据所引用的公共对象的循环冗余码校验值;对网管服务器和设备的策略数据的特征值进行比较,获取审计结果。采用本发明实施例提供的技术方案,可以避免将序号不同而业务内容相同的策略误判成不一致而造成的审计结果错误,提高了一致性审计结果的准确度,同时通过对特征值的比较,加快了比较的速度,提高了审计效率。In the method provided by the embodiment of the present invention, the feature values of the policy data of the network management server and the device are respectively calculated, and the feature value of each policy data includes a first cyclic redundancy check value and a second cyclic redundancy check value; The first cyclic redundancy check value is the cyclic redundancy check value of the policy data, and the second cyclic redundancy check value is the cyclic redundancy check value of the public object referenced by the policy data. The verification value; compare the characteristic values of the policy data of the network management server and the device to obtain the audit result. By adopting the technical solution provided by the embodiment of the present invention, it is possible to avoid errors in audit results caused by misjudgment of policies with different serial numbers and the same business content as inconsistencies, and improve the accuracy of consistent audit results. At the same time, by comparing the characteristic values, Speed up the comparison and improve audit efficiency.
可选的,在图1a所示实施例的技术方案的基础上,该步骤102“对网管服务器和设备的策略数据的特征值进行比较,获取审计结果”,包括以下步骤:Optionally, on the basis of the technical solution of the embodiment shown in Figure 1a, the step 102 "comparing the characteristic values of the policy data of the network management server and the device to obtain audit results" includes the following steps:
102A:对网管服务器和设备的策略数据的第一循环冗余码校验值进行比较,确定第一策略数据;102A: Compare the first cyclic redundancy code check value of the policy data of the network management server and the device, and determine the first policy data;
其中,第一循环冗余码校验值是根据网管服务器的策略数据的业务内容计算得到的,因此第一循环冗余码校验值与策略的实际含义一一对应,而由于该业务内容包括了策略所引用的对象和公共对象的内容,因此,通过比较网管服务器和设备的策略数据的第一循环冗余码校验值,就可以确定网管服务器和设备的策略数据的业务内容是否一致,当网管服务器和设备的策略数据的第一循环冗余码校验值相同时,则认为网管服务器和设备的策略数据一致,第一策略数据则为网管服务器和设备的策略数据之间第一循环冗余码校验值相同的策略数据。Wherein, the first cyclic redundancy check value is calculated according to the service content of the policy data of the network management server, so the first cyclic redundancy check value corresponds to the actual meaning of the policy one by one, and since the service content includes Therefore, by comparing the first cyclic redundancy code check value of the policy data of the network management server and the device, it can be determined whether the business content of the policy data of the network management server and the device is consistent. When the first cyclic redundancy code check value of the policy data of the network management server and the device is the same, it is considered that the policy data of the network management server and the device are consistent, and the first policy data is the first cycle between the policy data of the network management server and the device. Policy data with the same redundancy code check value.
102B:当经过比较确定所述网管服务器和设备的策略数据还包括第二策略数据时,对所述网管服务器的第二策略数据和设备的第二策略数据的第二循环冗余码校验值进行比较,获取所述网管服务器的第二策略数据和设备的第二策略数据之间的差异。102B: When it is determined through comparison that the policy data of the network management server and the device also include the second policy data, check the second cyclic redundancy code value of the second policy data of the network management server and the second policy data of the device Performing a comparison to obtain a difference between the second policy data of the network management server and the second policy data of the device.
当第一策略数据包括网管服务器和设备中的所有策略数据时,不需要比较第二策略数据,此时,不存在第二策略数据,也就是网管服务器和设备中的策略数据是一致的,不需要进一步地进行比较;当第一策略数据没有包括网管服务器和设备中的所有策略数据时,网管服务器和设备中的策略数据是不一致的,将网管服务器和设备中的所有策略数据中除第一策略数据以外的数据作为第二策略数据,需要进一步地比较第二策略数据中的网管服务器和设备中的策略数据中的第二循环冗余码校验值。When the first policy data includes all policy data in the network management server and the device, there is no need to compare the second policy data. At this time, there is no second policy data, that is, the policy data in the network management server and the device are consistent. Further comparison is required; when the first policy data does not include all policy data in the network management server and equipment, the policy data in the network management server and equipment are inconsistent, and all policy data in the network management server and equipment are divided into the first The data other than the policy data is used as the second policy data, and the network management server in the second policy data needs to be further compared with the second cyclic redundancy code check value in the policy data in the device.
第二循环冗余码校验值包含了多个引用的公共对象的内容的循环冗余码校验值,通过比较第二循环冗余码校验值,可以找出网管服务器和设备的策略数据所引用的公共对象之间的具体不同,也就找出了网管服务器和设备的策略数据的具体的差异。The second cyclic redundancy code check value contains the cyclic redundancy code check value of the content of multiple referenced public objects. By comparing the second cyclic redundancy code check value, the policy data of the network management server and equipment can be found out The specific difference between the referenced public objects also finds out the specific difference between the policy data of the network management server and the device.
本发明实施例提供的方法,通过分别计算网管服务器和设备的策略数据的特征值,每个策略数据的特征值包括第一循环冗余码校验值和第二循环冗余码校验值;所述第一循环冗余码校验值为该策略数据的循环冗余码校验值,所述第二循环冗余码校验值为该策略数据所引用的公共对象的循环冗余码校验值;对网管服务器和设备的策略数据的特征值进行比较,获取审计结果。采用本发明实施例提供的技术方案,可以避免将序号不同而业务内容相同的策略误判成不一致而造成的审计结果错误,提高了一致性审计结果的准确度,同时通过对特征值的比较,加快了比较的速度,提高了审计效率。进一步地,通过分别对第一循环校验码和第二循环校验码的比较,可以快速获取网管服务器和设备的一致性审计结果。In the method provided by the embodiment of the present invention, the feature values of the policy data of the network management server and the device are respectively calculated, and the feature value of each policy data includes a first cyclic redundancy check value and a second cyclic redundancy check value; The first cyclic redundancy check value is the cyclic redundancy check value of the policy data, and the second cyclic redundancy check value is the cyclic redundancy check value of the public object referenced by the policy data. The verification value; compare the characteristic values of the policy data of the network management server and the device to obtain the audit result. By adopting the technical solution provided by the embodiment of the present invention, it is possible to avoid errors in audit results caused by misjudgment of policies with different serial numbers and the same business content as inconsistencies, and improve the accuracy of consistent audit results. At the same time, by comparing the characteristic values, Speed up the comparison and improve audit efficiency. Further, by comparing the first cyclic check code and the second cyclic check code respectively, the consistency audit results of the network management server and the equipment can be quickly obtained.
进一步可选的,在图1a所示实施例的技术方案的基础上,该步骤102A“对网管服务器和设备的策略数据的特征值进行比较,获取审计结果”,包括步骤:Further optionally, on the basis of the technical solution of the embodiment shown in Figure 1a, the step 102A "comparing the characteristic values of the policy data of the network management server and the device to obtain the audit result" includes the steps:
(一)分别对网管服务器和设备的策略数据的特征值按照配置顺序进行排序;(1) Sorting the characteristic values of the policy data of the network management server and the device according to the order of configuration;
按照网管服务器和设备的策略数据配置好的顺序,分别将网管服务器和设备的策略数据的特征值进行排序,使得网管服务器和设备的策略数据比较过程可以有序进行。According to the order in which the policy data of the network management server and equipment are configured, the feature values of the policy data of the network management server and equipment are respectively sorted, so that the policy data comparison process of the network management server and equipment can be carried out in an orderly manner.
(2) Determine a first sequence and a second sequence. The first sequence is the sequence of policies with equal first CRC values determined with the server's policy data as the baseline; the second sequence is the sequence of policies with equal first CRC values determined with the device's policy data as the baseline.
With the server's policy data as the baseline, the first CRC value of each server policy is compared, in the order of the server's policy data, with the first CRC values of the device's policies. Specifically, the device's policy data is first searched for a policy whose first CRC value equals that of the first server policy. If such a policy is found, the order and position of that policy in both the server's and the device's policy data are recorded, and the device's policy data is then searched, only below the recorded position, for a policy whose first CRC value equals that of the second server policy. If no match is found, the device's policy data is searched for a policy matching the second server policy's first CRC value from the same position. Each remaining server policy is looked up in the device's policy data in the same way as the first, until every server policy has been processed and every pair of policies with equal first CRC values is in one-to-one correspondence.
With the device's policy data as the baseline, the first CRC value of each device policy is compared, in the order of the device's policy data, with the first CRC values of the server's policies. Specifically, the server's policy data is first searched for a policy whose first CRC value equals that of the first device policy. If such a policy is found, the order and position of that policy in both the device's and the server's policy data are recorded, and the server's policy data is then searched, only below the recorded position, for a policy whose first CRC value equals that of the second device policy. If no match is found, the server's policy data is searched for a policy matching the second device policy's first CRC value from the same position. Each remaining device policy is looked up in the server's policy data in the same way as the first, until every device policy has been processed and every pair of policies with equal first CRC values is in one-to-one correspondence.
(3) Compare the first sequence and the second sequence, and take the policy data in the sequence that contains more pairs of policies with equal first CRC values as the first policy data.
Because the first sequence and the second sequence are obtained with the server and with the device as the baseline respectively, the number of pairs with equal first CRC values in each may differ; the policy data of the sequence with more such pairs is taken as the first policy data. When the first policy data does not cover all of the policy data on the server and the device, the policy data outside the first policy data is taken as second policy data.
In the method provided by this embodiment, feature values are computed separately for the policy data of the network management server and of the device, each consisting of a first CRC value (the CRC value of the policy data) and a second CRC value (the CRC value of a public object the policy data references), and the feature values of the two sides are compared to obtain the audit result. This avoids flagging policies that differ only in sequence number but have the same business content as inconsistent, improving the accuracy of the audit result, and comparing feature values speeds up the comparison and improves audit efficiency. Further, comparing the first CRC values and the second CRC values separately lets the consistency audit result be obtained quickly. Furthermore, obtaining the first policy data identifies the policy data that is consistent between the server and the device.
Optionally, building on the embodiment shown in Figure 1a, step 101, "compute the feature values of the policy data of the network management server and of the device separately, where the feature value of each policy consists of a first CRC value and a second CRC value; the first CRC value is the CRC value of the policy data and the second CRC value is the CRC value of a public object referenced by the policy data", comprises:
101A: Obtain the policy data of the network management server and of the device separately.
Policy data consists of policies and the public objects those policies reference. Public objects include, but are not limited to, address sets, time ranges and service sets. When the network management server receives an audit request from a device, it uses the device ID carried in the request to look up the policy data configured for that device on the server; at the same time, the server sends a request message to the device, and on receiving it the device returns the command-line echo of its policy configuration to the server. That command-line echo contains the device's policy data.
101B: Compute the feature values of the server's and the device's policy data from the policy data and from the public objects each policy references.
Policy data may contain directly referenced objects as well as referenced public objects. For a directly referenced object, such as an IP address or a service such as http, the CRC value is computed directly from the object; for a referenced public object, both the CRC value of the object's name and the CRC value of the object's content must be computed. A policy is layered: the top layer is the policy itself, the layer below may be its sub-policies, the layer below that the public objects referenced by those sub-policies, and if a public object references further objects there may be lower layers still; each policy is divided into layers by its own reference relationships. Two kinds of feature value are computed for the server's and the device's policy data: the first CRC value and the second CRC value. The feature value of a policy contains exactly one first CRC value, which is the CRC value of the topmost layer of the policy and is itself composed of several CRC values. It may additionally contain one or more second CRC values, their number being determined by the number of public objects the policy references; a policy that references no public object has no second CRC value.
In the method provided by this embodiment, feature values are computed separately for the policy data of the network management server and of the device, each consisting of a first CRC value (the CRC value of the policy data) and a second CRC value (the CRC value of a public object the policy data references), and the feature values of the two sides are compared to obtain the audit result. This avoids flagging policies that differ only in sequence number but have the same business content as inconsistent, improving the accuracy of the audit result, and comparing feature values speeds up the comparison and improves audit efficiency. Further, comparing the first CRC values and the second CRC values separately lets the consistency audit result be obtained quickly, and computing the first and second CRC values shortens the time the consistency comparison takes.
Further optionally, building on the embodiment shown in Figure 1a, "compute the feature values of the server's and the device's policy data from the policy data and from the public objects each policy references" in step 101B comprises: when the server's policy data and the device's policy data are in different forms, converting the device's policy data into the form of the server's policy data, and then computing the feature values from the policy data of both sides and from the reference relationships between each policy and its public objects.
During the consistency audit, what the server obtains from the device is the command-line echo of the policy configuration, which contains the device's policy data. When the two sides' policy data are in different forms, the device's policy data is converted into the server's form and the feature values are computed from the policy data and the reference relationships between each policy and its public objects. Specifically, after receiving the device's policy data, the server checks whether it is in the same form as its own. If so, it computes the feature values of both sides directly; if not, it parses the command-line echo sent by the device, converts it into the form of the server's policy data, and then computes the feature values of both sides.
Further optionally, building on the embodiment shown in Figure 1a, "compute the feature values of the server's and the device's policy data from the policy data and from the public objects each policy references" in step 101B comprises: computing, layer by layer from the bottom up according to the reference hierarchy of each policy and its public objects, the first CRC value and the second CRC values of each policy.
Specifically, following the reference hierarchy of the policies and their public objects, the CRC values of the public objects referenced by the lower-layer policy data are computed first and used as the second CRC values; then, following the hierarchy upward, the CRC values of the objects and business data referenced at the upper layer are computed, and the second CRC values together with the computed CRC value of the upper-layer policy data form the first CRC value. For a policy that references public objects, the first CRC value thus includes at least one second CRC value, and a first CRC value corresponds one-to-one with the business meaning the policy actually represents. The first CRC value is computed simply in configuration order: for a directly referenced object, its CRC value is computed; for a referenced public object, the CRC value of the object's name and the CRC value of its content are computed. For example, if a policy references only public objects, the first CRC value of the policy has the format:
CRC value of the name of public object 1 referenced by the policy + CRC value of the content of public object 1 + ... + CRC value of the name of public object N referenced by the policy + CRC value of the content of public object N.
In the first CRC value of the policy, the name CRC value and the content CRC value of each public object are adjacent, and the name and content CRC values of the public objects are computed in the order in which the objects are configured in the policy.
For example, if a policy references both public objects and directly referenced objects such as an IP address and a service, the first CRC value of the policy has the format:
CRC value of the name of public object 1 referenced by the policy + CRC value of the content of public object 1 + ... + CRC value of the name of public object N + CRC value of the content of public object N + CRC value of the IP address + CRC value of the service.
In this first CRC value of the policy, the name CRC value and the content CRC value of each public object are again adjacent, and the name and content CRC values of the public objects, the CRC value of the IP address and the CRC value of the service are computed in the order in which they are configured in the policy.
Figure 1b is a schematic diagram of a policy consistency audit architecture provided in an embodiment of the invention. In the audit preparation phase shown in Figure 1b, after the policy data of the server and the device has been obtained, the device's policy data is parsed and converted into the same form as the server's policy data; the CRC values of the public objects (the service sets, address sets and other sets shown in the figure) are then computed as the second CRC values, and the CRC values of the policies in the upper layer are computed from the reference relationships as the first CRC values. In the audit phase, the first CRC values are compared first to obtain the first policy data; where the first CRC values differ, the second CRC values of the public objects are compared: first the second CRC values of the names of the service sets, address sets and other sets, to find the sets whose values differ, and then the second CRC values of the contents of those sets, to identify the specific inconsistent data.
Figure 2a is a flow chart of a policy consistency audit method provided by an embodiment of the invention. The executing entity in this embodiment is the network management server. Referring to Figure 2a, the method comprises:
201: The network management server obtains the policy data of the server and of the device separately.
202: Convert the device's policy data into the form of the server's policy data.
This embodiment is described only for the case in which the server's policy data and the device's policy data are in different forms.
203: Compute the feature values of the server's and the device's policy data from the policy data and from the public objects each policy references.
The first CRC value and the second CRC values of each policy are computed layer by layer from the bottom up, following the reference hierarchy of the policies and their public objects. The feature value of each policy consists of a first CRC value and a second CRC value: the first CRC value is the CRC value of the policy data, and the second CRC value is the CRC value of a public object referenced by the policy data.
To help those skilled in the art understand how the feature value of a policy is computed, an example follows. Suppose a policy's data has the form:
Policy 100 source address-set addrset002 destination addrset_server service http ftp
addrset002
  item 1 2.2.2.0/24
  item 2 3.3.3.0/24
addrset_server
  item 1 5.5.5.0/24
  item 2 5.5.6.0/24
Here 100 is the sequence number of the policy, addrset002 is the source address set referenced by the policy, addrset_server is the destination address set referenced by the policy, http and ftp are the services the policy applies to, 2.2.2.0/24 and 3.3.3.0/24 are the addresses contained in the referenced source address set, and 5.5.5.0/24 and 5.5.6.0/24 are the addresses contained in the referenced destination address set.
Because the policy references two public objects, addrset002 and addrset_server, two second CRC values are obtained. To compute them, the CRC values of 2.2.2.0/24 and 3.3.3.0/24 are computed separately and added together to give the second CRC value of the content of addrset002; likewise, the CRC values of 5.5.5.0/24 and 5.5.6.0/24 are computed separately and added together to give the second CRC value of the content of addrset_server. After the second CRC values have been computed, the first CRC value of the policy is computed; it is composed of:
CRC value of the name addrset002 + CRC value of the content of addrset002 + CRC value of the name addrset_server + CRC value of the content of addrset_server + CRC value of the services http ftp.
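The feature value computation for the policy above, worked through in Python as an added example for this page; it is not code from the patent or from any vendor's network management product. It assumes CRC-32 as the checksum (the patent does not fix a polynomial), keeps the first CRC value as an ordered tuple of its component CRC values rather than a single number (the text says the first value contains several CRC values), sums the item CRCs of a set to obtain its content CRC as the text describes, and gives each directly referenced token (http, ftp) its own CRC where the text folds them into one. The command-line syntax parsed here is modeled on the sample above and is an assumption.

```python
import zlib
from typing import Dict, List, Tuple

# Constructed sample echo, modeled on the policy shown above: one policy that
# references two public address sets.  The exact CLI syntax is an assumption.
SAMPLE_ECHO = """\
policy 100 source address-set addrset002 destination addrset_server service http ftp
address-set addrset002
 item 1 2.2.2.0/24
 item 2 3.3.3.0/24
address-set addrset_server
 item 1 5.5.5.0/24
 item 2 5.5.6.0/24
"""


def crc(text: str) -> int:
    """CRC-32 of a string; the choice of CRC-32 is an assumption."""
    return zlib.crc32(text.encode("utf-8")) & 0xFFFFFFFF


def parse_echo(echo: str) -> Tuple[List[dict], Dict[str, List[str]]]:
    """Convert command-line echo into the server-side form: a list of policies
    (sequence number plus the references in each field) and a dict of public
    objects mapping set name -> list of items."""
    policies: List[dict] = []
    objects: Dict[str, List[str]] = {}
    current = None
    for line in echo.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "policy":
            src = tokens.index("source")
            dst = tokens.index("destination")
            svc = tokens.index("service")
            policies.append({
                "seq": tokens[1],
                "source": [t for t in tokens[src + 1:dst] if t != "address-set"],
                "destination": [t for t in tokens[dst + 1:svc] if t != "address-set"],
                "service": tokens[svc + 1:],
            })
            current = None
        elif tokens[0] == "address-set":
            current = tokens[1]
            objects[current] = []
        elif tokens[0] == "item" and current is not None:
            objects[current].append(tokens[2])
    return policies, objects


def compute_features(policies: List[dict], objects: Dict[str, List[str]]) -> List[dict]:
    """Bottom-up feature computation: second CRC values for the public objects
    first, then the first CRC value of each policy from its references in
    configured order.  The sequence number is deliberately left out, so a
    renumbered policy with the same content gets the same feature value."""
    # Content CRC of a set = sum of its item CRCs (order-insensitive, as the text describes).
    second_crc = {name: sum(crc(item) for item in items) for name, items in objects.items()}
    features = []
    for pol in policies:
        first: List[int] = []
        referenced: Dict[str, int] = {}
        for field in ("source", "destination", "service"):
            for ref in pol[field]:
                if ref in second_crc:        # public object: name CRC, then content CRC
                    first += [crc(ref), second_crc[ref]]
                    referenced[ref] = second_crc[ref]
                else:                         # directly referenced value (IP, service)
                    first.append(crc(ref))
        features.append({"seq": pol["seq"], "first": tuple(first), "second": referenced})
    return features


def features_from_echo(echo: str) -> List[dict]:
    """Parse a device echo and return the feature value of each policy."""
    return compute_features(*parse_echo(echo))
```

For the sample policy the first CRC value is the six-element tuple (name CRC of addrset002, content CRC of addrset002, name CRC of addrset_server, content CRC of addrset_server, CRC of http, CRC of ftp), and renumbering the policy from 100 to 200 leaves it unchanged, which is the misjudgment the patent sets out to avoid. One caveat for practitioners: a CRC catches accidental drift between server and device, but it is not collision-resistant, so it gives no assurance against someone who can write to the device and craft a configuration with matching check values; where tampering rather than drift is the concern, the same hierarchy can be computed with a keyed hash such as HMAC-SHA-256 instead of crc().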
204: Sort the feature values of the server's policy data and of the device's policy data separately, each according to its configuration order.
The feature values of the server's policies and of the device's policies are each sorted in the order in which the policies were configured, so that the comparison between the server's and the device's policy data can proceed in order.
205: Determine a first sequence and a second sequence. The first sequence is the sequence of policies with equal first CRC values determined with the server's policy data as the baseline; the second sequence is the sequence of policies with equal first CRC values determined with the device's policy data as the baseline.
To determine the first and second sequences, the server's policy data and the device's policy data are each taken as the baseline in turn, and the policies of the two sides are compared one by one until every pair of policies with equal first CRC values is in one-to-one correspondence, which yields the sequence of policies with equal first CRC values.
For example, suppose the server's policy data is E A B C and the device's policy data is C A B D. With the server's policy data as the baseline, policy E is taken from the server's policy data, its first CRC value is obtained and compared with the first CRC values of the device's policies, and the comparison shows that the server's E has no corresponding policy on the device. Next, the first CRC value of the server's next policy, A, is compared with the first CRC values of the device's policies; when device policy A is reached, a policy with the same first CRC value is found, and the order and position of A on both the server and the device are recorded. The first CRC value of the server's B is then compared with the device's policies below A, which finds device policy B with the same first CRC value, and the order and position of B on both sides are recorded. Finally, the first CRC value of the server's C is compared with the device's policies below B, and the comparison shows that the server's C has no corresponding policy on the device. After the comparison, the policies with equal first CRC values are paired one to one, giving the data in Table 1:
Table 1
As Table 1 shows, the first sequence consists of A on the server paired with A on the device and B on the server paired with B on the device.
Taking the device's policy data as the reference, the device's policies are compared one by one with the server's policies in the same way as above, which is not repeated here. After the comparison, the policies with the same first CRC value are paired one to one, giving the data shown in Table 2:
Table 2
As Table 2 shows, the second sequence consists of C on the device paired with C on the server; N/A denotes an empty entry.
206: Compare the first sequence and the second sequence, and determine the policy data in the sequence that contains more policies with equal first CRC values as the first policy data.
In the example of step 205, Table 1 shows that the first sequence contains two pairs of policies with equal first CRC values: A on the server corresponds to A on the device, and B on the server corresponds to B on the device. Table 2 shows that the second sequence contains one such pair: C on the device corresponds to C on the server. Since the first sequence contains more policies with equal first CRC values, each policy in the first sequence is taken as first policy data.
Steps 204-206 are the process of comparing the first CRC values of the server's and the device's policy data to determine the first policy data.
207: When the comparison determines that the policy data of the server and the device also include second policy data, compare the second CRC values of the server's second policy data and the device's second policy data to obtain the differences between them.
When the first policy data include all policies on both the server and the device, there are no second policy data and no further comparison is needed: the policy data on the server and on the device are consistent. When the first policy data do not include all policies on the server and the device, the policy data are inconsistent; all policies on the server and the device other than the first policy data are taken as second policy data, and the second CRC values of the server's and the device's second policy data must be compared further.
Continuing the example of step 206, the first policy data do not include all policies on the server and the device, so the second policy data must be compared: all policies other than the first policy data are taken as second policy data. Table 1 shows that the second policy data consist of E on the server paired with C on the device and C on the server paired with D on the device. For server and device policies that are paired in this way, the second CRC values of E (server) and C (device), and of C (server) and D (device), are compared further to find where the policy data differ. For policies with no counterpart, such as rows 2, 3, 4, 6, 7 and 8 of Table 2, where a policy is paired with an empty entry, no comparison is needed and the policy is reported directly as a difference.
Steps 203-207 are the process of comparing the feature values of the server's and the device's policy data to obtain the audit result.
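The matching procedure of steps 204 to 207, as an added example that is not part of the patent: the functions below sort two policy lists by configuration order, compute the first and second CRC values, build the server-based and device-based candidate sequences with the same greedy forward-only scan the text walks through, keep the one with more matches, and judge every remaining row by its second CRC value. The policy contents and object names are constructed sample data; the way crc1 folds in crc2, the tie-break toward the server-based sequence and the difference labels are assumptions made here, since the patent fixes only what each CRC value covers.

```python
"""Policy consistency audit by feature values (steps 204-207 above).

Added example for this page, not code from the patent. Assumed here: crc2
is computed over the referenced public objects in reference order; crc1
covers the policy's own fields plus crc2; the sequence number is used for
ordering only; matching is greedy and forward-only; a tie between the two
candidate sequences goes to the server-based one. All data is constructed."""
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Policy:
    name: str              # for reporting only
    seq: int               # sequence number: ordering only, never hashed
    body: str              # the policy's own fields
    refs: Tuple[str, ...]  # names of the public objects it references


@dataclass(frozen=True)
class Feature:
    name: str
    crc1: int  # CRC of the policy (own fields + crc2)
    crc2: int  # CRC of the referenced public objects


def crc32(data: str) -> int:
    return zlib.crc32(data.encode("utf-8")) & 0xFFFFFFFF


def features(policies: Sequence[Policy], objects: Dict[str, str]) -> List[Feature]:
    """Step 204: sort by configuration order, then compute both CRC values.
    crc1 folds in crc2, so a changed public object also changes crc1 and a
    policy cannot be declared consistent on crc1 while its objects differ."""
    out = []
    for p in sorted(policies, key=lambda x: x.seq):
        crc2 = crc32("".join(objects[r] for r in p.refs))
        out.append(Feature(p.name, crc32(f"{p.body}|{crc2:08x}"), crc2))
    return out


def align(base: Sequence[Feature], other: Sequence[Feature]) -> List[Tuple[int, int]]:
    """Step 205: for each base policy scan `other` from just past the previous
    hit for an equal crc1; a miss leaves the cursor in place.
    Returns (base index, other index) pairs."""
    matches, cursor = [], 0
    for i, f in enumerate(base):
        for j in range(cursor, len(other)):
            if other[j].crc1 == f.crc1:
                matches.append((i, j))
                cursor = j + 1
                break
    return matches


Row = Tuple[Optional[Feature], Optional[Feature]]  # (server, device); None is N/A


def pair_table(server: Sequence[Feature], device: Sequence[Feature],
               matches: Sequence[Tuple[int, int]]) -> List[Row]:
    """Lay both lists out as in Tables 1 and 2: matched policies share a row,
    the policies between two matches are paired by position, and the shorter
    side of a gap is padded with None."""
    rows: List[Row] = []
    si = di = 0
    for mi, mj in list(matches) + [(len(server), len(device))]:
        gap_s, gap_d = server[si:mi], device[di:mj]
        for k in range(max(len(gap_s), len(gap_d))):
            rows.append((gap_s[k] if k < len(gap_s) else None,
                         gap_d[k] if k < len(gap_d) else None))
        if mi < len(server):
            rows.append((server[mi], device[mj]))
        si, di = mi + 1, mj + 1
    return rows


def audit(server: Sequence[Feature], device: Sequence[Feature]) -> dict:
    """Steps 205-207: keep the candidate sequence with more crc1 matches, take
    its matched rows as first policy data, and judge every other row by crc2;
    a one-sided row is a difference without any comparison."""
    first = align(server, device)                         # server as reference
    second = [(j, i) for i, j in align(device, server)]   # device as reference
    chosen = first if len(first) >= len(second) else second
    consistent: List[str] = []
    differences: List[Tuple[str, Optional[str], Optional[str]]] = []
    for s, d in pair_table(server, device, chosen):
        if s is None or d is None:
            differences.append(("missing", s.name if s else None, d.name if d else None))
        elif s.crc1 == d.crc1:
            consistent.append(s.name)
        elif s.crc2 == d.crc2:
            differences.append(("policy-body", s.name, d.name))  # objects agree
        else:
            differences.append(("referenced-objects", s.name, d.name))
    return {"consistent": consistent, "differences": differences}


# Constructed sample: server order E, A, B, C and device order C, A, B, D.
# A and B have different sequence numbers on the two sides but identical content.
OBJECTS = {"addr_dmz": "10.0.1.0/24", "addr_mgmt": "10.0.9.0/24",
           "svc_http": "tcp/80", "svc_ssh": "tcp/22", "svc_dns": "udp/53"}
SERVER = [
    Policy("E", 10, "permit addr_mgmt -> addr_dmz", ("addr_mgmt", "addr_dmz", "svc_ssh")),
    Policy("A", 20, "permit any -> addr_dmz", ("addr_dmz", "svc_http")),
    Policy("B", 30, "permit addr_dmz -> any", ("addr_dmz", "svc_dns")),
    Policy("C", 40, "deny any -> any", ()),
]
DEVICE = [
    Policy("C", 1, "deny any -> any", ()),
    Policy("A", 2, "permit any -> addr_dmz", ("addr_dmz", "svc_http")),
    Policy("B", 3, "permit addr_dmz -> any", ("addr_dmz", "svc_dns")),
    Policy("D", 4, "deny any -> any log", ()),
]
```

Calling `audit(features(SERVER, OBJECTS), features(DEVICE, OBJECTS))` reproduces the text's walk-through: A and B are consistent although their sequence numbers differ on the two sides, E/C and C/D are reported as differences, and the alignment taken from the device's side finds only the single C/C pair. zlib.crc32 is used because CRC is what the patent specifies; it detects accidental configuration drift but is trivially forgeable, so where tampering by someone with write access to the device is in scope, crc32() should be replaced by a cryptographic hash such as hashlib.sha256, with no other change to the procedure.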
Figure 2b is a schematic diagram of a policy consistency audit provided by an embodiment of the invention. As Figure 2b shows, the policy reference relationship is divided into three layers: the first layer is the policy; the second layer is the sub-policies (in Figure 2b, the service sub-policy (fwpolicy), the network protocol sub-policy (ipspolicy) and the DPI sub-policy (dpipolicy)); the third layer is the public objects (in Figure 2b, source address, destination address, service, time period, exception signature, signature set, application protocol set, and so on). A third-layer public object may itself reference further public objects (the custom signature in Figure 2b). During comparison, the first CRC values of the first-layer policies on the server and on the device are compared first. When they differ, the second CRC values of the second-layer sub-policies on the server and on the device are compared; if the sub-policies' second CRC values are equal, no further comparison is made, and if they differ, the sub-policies whose second CRC values differ are identified and the second CRC values of the third-layer public objects referenced by those sub-policies are compared on the server and on the device to find the public objects whose second CRC values differ.
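The layered comparison of Figure 2b, as an added example that is not part of the patent: a reference tree (policy, sub-policies, public objects, nested public objects) is hashed from the bottom up, and a mismatch is localised by descending only into the nodes whose second CRC values differ, in the order the paragraph above prescribes. The names fwpolicy, ipspolicy and dpipolicy are taken from the figure; the node contents are constructed, and the rule that crc1 covers a node's own fields plus its crc2 while crc2 covers the children's crc1 values is an assumption about how the two values are combined.

```python
"""Layered feature values and drill-down localisation (Figure 2b above).

Added example for this page, not code from the patent. Each node of the
reference tree (policy, sub-policy, public object, nested public object)
gets crc2 over its children's crc1 values and crc1 over its own fields plus
crc2, computed bottom-up; that combination rule is an assumption, the patent
fixes only what each value covers. Node contents are constructed."""
import zlib
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    fields: str                                   # the node's own content
    children: List["Node"] = field(default_factory=list)
    crc1: int = 0
    crc2: int = 0


def crc32(data: str) -> int:
    return zlib.crc32(data.encode("utf-8")) & 0xFFFFFFFF


def compute(node: Node) -> Node:
    """Bottom-up, as the calculation unit prescribes: children first, then
    crc2 over their crc1 values in reference order, then crc1 over the node's
    own fields plus crc2. Any change in the subtree reaches the policy's crc1."""
    for c in node.children:
        compute(c)
    node.crc2 = crc32("".join(f"{c.crc1:08x}" for c in node.children))
    node.crc1 = crc32(f"{node.fields}|{node.crc2:08x}")
    return node


def locate(server: Node, device: Node, path: Tuple[str, ...] = ()) -> List[Tuple[str, ...]]:
    """Descend as the text describes: equal crc1, nothing to report; equal
    crc2 with different crc1, the node's own fields differ; different crc2,
    recurse into the children whose crc1 differ. Children are matched by
    name; one present on a single side is reported at this level."""
    here = path + (server.name,)
    if server.crc1 == device.crc1:
        return []
    if server.crc2 == device.crc2:
        return [here]
    s_kids = {c.name: c for c in server.children}
    d_kids = {c.name: c for c in device.children}
    found: List[Tuple[str, ...]] = []
    for name in sorted(set(s_kids) | set(d_kids)):
        if name in s_kids and name in d_kids:
            found.extend(locate(s_kids[name], d_kids[name], here))
        else:
            found.append(here + (name,))
    # Every child agrees by name yet crc2 differs: the reference order changed.
    return found or [here]


def build(custom_sig: str) -> Node:
    """Constructed three-layer tree laid out like the figure."""
    return Node("policy-1", "action=permit", [
        Node("fwpolicy", "log=on", [
            Node("src", "10.0.1.0/24"), Node("dst", "any"),
            Node("svc", "tcp/443"), Node("time", "00:00-24:00"),
        ]),
        Node("ipspolicy", "mode=block", [
            Node("sigset", "set=default", [Node("custom-sig", custom_sig)]),
            Node("exception", "none"),
        ]),
        Node("dpipolicy", "mode=inspect", [Node("appset", "http,dns")]),
    ])


SERVER = compute(build("alert tcp any any -> any 4444"))
DEVICE = compute(build("alert tcp any any -> any 4445"))  # nested object drifted

if __name__ == "__main__":
    for p in locate(SERVER, DEVICE):
        print("/".join(p))
```

Four cases are worth running: a drifted nested object (the custom signature, as in the figure) resolves to policy-1/ipspolicy/sigset/custom-sig; a change to the policy's own fields stops at the policy because its crc2 is unchanged; an object missing on one side is reported at the level where it should appear; and reordered references surface at the node that holds them. The two values cannot distinguish a node whose own fields and children both changed from one where only the children changed; where that distinction matters, hash the own fields into a third value.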
In the method provided by this embodiment, the feature values of the policy data on the network management server and on the device are computed separately; the feature value of each policy comprises a first CRC value, the CRC of the policy data itself, and a second CRC value, the CRC of the public objects referenced by the policy data. The feature values of the server's and the device's policy data are then compared to obtain the audit result. This avoids the erroneous audit results that arise when policies with different sequence numbers but identical business content are misjudged as inconsistent, improving the accuracy of the consistency audit, and comparing feature values rather than the policies themselves speeds up the comparison and improves audit efficiency.
Figure 3 shows a policy consistency auditing apparatus provided by an embodiment of the invention. As Figure 3 shows, the apparatus comprises:
a calculation module 301, configured to compute separately the feature values of the policy data of the network management server and of the device, the feature value of each policy comprising a first CRC value and a second CRC value, where the first CRC value is the CRC of the policy data and the second CRC value is the CRC of the public objects referenced by the policy data; and
a comparison module 302, configured to compare the feature values of the server's and the device's policy data and obtain the audit result.
The comparison module 302 comprises:
a first comparison unit, configured to compare the first CRC values of the server's and the device's policy data and determine the first policy data; and
a second comparison unit, configured, when the comparison determines that the policy data of the server and the device also include second policy data, to compare the second CRC values of the server's second policy data and the device's second policy data and obtain the differences between them.
The first comparison unit comprises:
a sorting unit, configured to sort the feature values of the server's and the device's policy data separately in configuration order;
a sequence determination unit, configured to determine a first sequence and a second sequence, the first sequence being the sequence of policies with equal first CRC values determined with the server's policy data as the reference, and the second sequence being the sequence of policies with equal first CRC values determined with the device's policy data as the reference; and
a first policy determination unit, configured to compare the first sequence and the second sequence and determine the policy data in the sequence containing more policies with equal first CRC values as the first policy data.
The calculation module 301 comprises:
an acquisition unit, configured to acquire the policy data of the network management server and of the device separately; and
a calculation unit, configured to compute the feature values of the server's and the device's policy data from that policy data and the public objects referenced by each policy.
The calculation unit is configured, when the server's and the device's policy data are in different forms, to convert the device's policy data into the form of the server's policy data, and to compute the feature values from the policy data and the reference relationships between each policy and its public objects.
The calculation unit is configured to compute the first CRC value and the second CRC value of each policy layer by layer from the bottom up, following the hierarchy of reference relationships between the policies and the public objects.
In the apparatus provided by this embodiment, the feature values of the policy data on the network management server and on the device are computed separately; the feature value of each policy comprises a first CRC value, the CRC of the policy data itself, and a second CRC value, the CRC of the public objects referenced by the policy data. The feature values of the server's and the device's policy data are then compared to obtain the audit result. This avoids the erroneous audit results that arise when policies with different sequence numbers but identical business content are misjudged as inconsistent, improving the accuracy of the consistency audit, and comparing feature values rather than the policies themselves speeds up the comparison and improves audit efficiency.
Figure 4 shows a policy consistency auditing device provided by an embodiment of the invention. As Figure 4 shows, the device comprises a processor 401.
The processor 401 is configured to compute separately the feature values of the policy data of the network management server and of the device, the feature value of each policy comprising a first CRC value and a second CRC value, where the first CRC value is the CRC of the policy data and the second CRC value is the CRC of the public objects referenced by the policy data.
The processor 401 is further configured to compare the feature values of the server's and the device's policy data and obtain the audit result.
The processor 401 is configured to compare the first CRC values of the server's and the device's policy data and determine the first policy data, and, when the comparison determines that the policy data of the server and the device also include second policy data, to compare the second CRC values of the server's second policy data and the device's second policy data and obtain the differences between them.
The processor 401 is configured to sort the feature values of the server's and the device's policy data separately in configuration order.
The processor 401 is configured to determine a first sequence and a second sequence, the first sequence being the sequence of policies with equal first CRC values determined with the server's policy data as the reference, and the second sequence being the sequence of policies with equal first CRC values determined with the device's policy data as the reference.
The processor 401 is configured to compare the first sequence and the second sequence and determine the policy data in the sequence containing more policies with equal first CRC values as the first policy data.
The processor 401 is further configured to acquire the policy data of the network management server and of the device separately.
The processor 401 is further configured to compute the feature values of the server's and the device's policy data from that policy data and the public objects referenced by each policy.
The processor 401 is configured, when the server's and the device's policy data are in different forms, to convert the device's policy data into the form of the server's policy data, and to compute the feature values from the policy data and the reference relationships between each policy and its public objects.
The processor 401 is configured to compute the first CRC value and the second CRC value of each policy layer by layer from the bottom up, following the hierarchy of reference relationships between the policies and the public objects.
In the device provided by this embodiment, the feature values of the policy data on the network management server and on the device are computed separately; the feature value of each policy comprises a first CRC value, the CRC of the policy data itself, and a second CRC value, the CRC of the public objects referenced by the policy data. The feature values of the server's and the device's policy data are then compared to obtain the audit result. This avoids the erroneous audit results that arise when policies with different sequence numbers but identical business content are misjudged as inconsistent, improving the accuracy of the consistency audit, and comparing feature values rather than the policies themselves speeds up the comparison and improves audit efficiency.
It should be noted that the division into functional modules in the above description of the policy consistency auditing apparatus is given only by way of example. In practice, the above functions may be allocated to different functional modules as required, that is, the internal structure of the device may be divided into functional modules other than those described in order to perform all or part of the functions described above. Moreover, the apparatus embodiment above and the method embodiment share the same concept; the specific implementation of the apparatus is described in detail in the method embodiment and is not repeated here.
Those of ordinary skill in the art will understand that all or some of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc.
The foregoing describes only preferred embodiments of the invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within its scope of protection.
Claims (12)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210572440.5A CN103067203B (en) | 2012-12-25 | 2012-12-25 | policy consistency auditing method, device and equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103067203A (en) | 2013-04-24 |
| CN103067203B (en) | 2016-03-02 |
Family
ID=48109673
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210572440.5A Active CN103067203B (en) | 2012-12-25 | 2012-12-25 | policy consistency auditing method, device and equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103067203B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104519030B (en) * | 2013-09-30 | 2018-07-17 | 西门子公司 | A kind of method and apparatus for safety detection |
| CN106844565B (en) * | 2016-12-30 | 2020-07-07 | 上海帝联信息科技股份有限公司 | Character comparison method and device between data lines |
| CN119766391A (en) * | 2024-11-20 | 2025-04-04 | 天翼云科技有限公司 | A method, device, equipment, medium and product for verifying data between network layers |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102255924A (en) * | 2011-08-29 | 2011-11-23 | 浙江中烟工业有限责任公司 | Multi-stage security interconnection platform based on trusted computing and processing flow thereof |
| CN102307197A (en) * | 2011-08-29 | 2012-01-04 | 浙江中烟工业有限责任公司 | Trusted enhancement subsystem of multilevel security intercommunication platform |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7916775B2 (en) * | 2006-06-16 | 2011-03-29 | Lg Electronics Inc. | Encoding uplink acknowledgments to downlink transmissions |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | TR01 | Transfer of patent right | Effective date of registration: 20191220. Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd., 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen. Patentee after: GUANGDONG GAOHANG INTELLECTUAL PROPERTY OPERATION Co.,Ltd., 510000 unit 2414-2416, building, No. five, No. 371, Tianhe District, Guangdong, China. |
| | TR01 | Transfer of patent right | Effective date of registration: 20191220. Patentee before: GUANGDONG GAOHANG INTELLECTUAL PROPERTY OPERATION Co.,Ltd., 510000 unit 2414-2416, building, No. five, No. 371, Tianhe District, Guangdong, China. Patentee after: Haining hi tech Zone Science and Innovation Center Co.,Ltd., 314400 No.11, Weisan Road, Nongfa District, Chang'an Town, Haining City, Jiaxing City, Zhejiang Province. |