CN116032764A - Firewall configuration processing method and device, processor and electronic equipment - Google Patents
- Publication number: CN116032764A
- Application number: CN202211625513.2A
- Authority: CN (China)
- Prior art keywords: configuration, target, difference, configuration object, attribute
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Classification: Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
This application discloses a firewall configuration processing method and device, a processor and an electronic device, in the technical field of network security. The method includes: acquiring a current configuration data set of a target firewall in a target data format and a preset configuration data set in the target data format; performing difference analysis on a plurality of first configuration objects and a plurality of second configuration objects to determine a set of difference configuration objects; determining a configuration delivery order according to the configuration type corresponding to each difference configuration object in the set; converting each difference configuration object into the Extensible Markup Language (XML) corresponding to the target firewall through the converter corresponding to the version information of the target firewall, and delivering the XML to the target firewall in the configuration delivery order. This application solves the problem of the relatively low efficiency of configuring firewall policies.
Description
Technical field
This application relates to the technical field of network security, and in particular to a firewall configuration processing method and device, a processor, and an electronic device.
Background
XML (eXtensible Markup Language) is a markup language very similar to HTML, but its purpose is to transport data rather than to display it. It has no predefined tags; the user defines them when using it.
The most common means of configuration management is the command line interface (CLI). For example, the Linux command to configure the IP address of an interface is: $ifconfig eth1 ip address/netmask.
The CLI is simple and direct: each command configures one parameter or several related parameters, what you see is what you get, and the configuration takes effect immediately. If an error is detected during execution, the configuration does not take effect. By mapping XML and operation types to a set of concrete CLI commands, a configuration management center can execute a whole group of commands at once. The configuration center implements a unified configuration difference comparison algorithm that generates difference objects and converts those difference objects into XML carrying action semantics.
A single XML instance can thus be mapped to a set of CLI commands. The main problem with this scheme is that, for business reasons, some firewall modules are managed in different ways, so the original configuration management scheme is too idealized: to accommodate all the special cases it needs a large number of branch statements, which raises the cost of maintaining the code over time.
Take a security policy as an example. To change the configuration of one security policy, such as its source address, the system only needs to use the policy id as the primary key and branch to delete and add the source address book node. Now take an snat policy: suppose the source address add1 and the translated address add1 of an snat rule must be changed to add2 and add2. For firewall business reasons, the number of source address entries and translated address entries must be the same, so the firewall must first execute the snat policy deletion and then execute the snat policy addition to achieve the result. From the point of view of configuration differences, both cases are differences produced by changes to a few attributes, yet the resulting xml is completely different.
Quite a few modules in the system have the same problem, such as the ospf/bgp module, the interface module and the iQos module. What they have in common is that, because of actual business needs, they have special requirements for the delivered configuration xml, so the original configuration management scheme has to add many branch statements for special handling, and the software's maintenance cost keeps rising.
No effective solution has yet been proposed for the problem in the related art that, in order to be compatible with various versions of firewall policies, too many branch statements are needed, which makes configuring firewall policies relatively inefficient.
Summary of the invention
The main purpose of this application is to provide a firewall configuration processing method and device, a processor and an electronic device, so as to solve the problem in the related art that, in order to be compatible with various versions of firewall policies, too many branch statements are needed, which makes configuring firewall policies relatively inefficient.
To achieve the above purpose, according to one aspect of this application, a firewall configuration processing method is provided. The method includes: acquiring a current configuration data set of a target firewall in a target data format and a preset configuration data set in the target data format, where the current configuration data set in the target data format includes a plurality of first configuration objects, each first configuration object includes a plurality of attributes and the configuration information corresponding to each attribute, the preset configuration data set in the target data format includes a plurality of second configuration objects, each second configuration object includes a plurality of attributes and the configuration information corresponding to each attribute, and the first configuration objects and the second configuration objects are configuration objects in the target firewall; performing difference analysis on the plurality of first configuration objects and the plurality of second configuration objects to determine a set of difference configuration objects, where the set includes a plurality of difference configuration objects and each difference configuration object includes at least one attribute and the configuration information corresponding to each attribute; determining a configuration delivery order according to the configuration type corresponding to each difference configuration object in the set; and converting each difference configuration object into the Extensible Markup Language corresponding to the target firewall through the converter corresponding to the version information of the target firewall, and delivering the Extensible Markup Language to the target firewall in the configuration delivery order, so as to complete the configuration of the target firewall.
Further, performing difference analysis on the plurality of first configuration objects and the plurality of second configuration objects to determine the set of difference configuration objects includes: acquiring a first primary key corresponding to each first configuration object and a second primary key corresponding to each second configuration object; sorting the plurality of first configuration objects by the first primary key to obtain sorted first configuration objects; sorting the plurality of second configuration objects by the second primary key to obtain sorted second configuration objects; and performing difference analysis on the first configuration object and the second configuration object at the same position in the sorted order to determine the set of difference configuration objects and the configuration type corresponding to each difference configuration object.
Further, the configuration types include at least an unbind type, a delete type, a create and/or update type, and a bind type. Performing difference analysis on the first configuration object and the second configuration object at the same position to determine the set of difference configuration objects and the configuration type of each difference configuration object includes: if the hash value of the primary key of the first configuration object at a first target position is greater than the hash value of the primary key of the second configuration object at the first target position, determining that the first configuration object at the first target position is a first difference configuration object and that its configuration type is the create and/or update type; if the hash value of the primary key of the first configuration object at a second target position is less than the hash value of the primary key of the second configuration object at that same position, determining that the second configuration object at the second target position is a second difference configuration object and that its configuration type is the delete type; and if the hash value of the primary key of the first configuration object at a third target position is equal to the hash value of the primary key of the second configuration object at the third target position, determining a third difference configuration object and its configuration type from each attribute of the first configuration object at the third target position and each attribute of the second configuration object at the third target position.
Further, determining the third difference configuration object and its configuration type from each attribute of the first configuration object at the third target position and each attribute of the second configuration object at the third target position includes: performing difference analysis on the configuration information of each attribute of the first configuration object at the third target position and the configuration information of each attribute of the second configuration object at the third target position to obtain an analysis result; and if the analysis result indicates that a difference exists, taking the primary key of the second configuration object at the third target position together with the configuration information of its differing attributes as the third difference configuration object, and determining that the configuration type of the third difference configuration object is the create and/or update type.
Further, before performing difference analysis on the configuration information of each attribute of the first configuration object at the third target position and the configuration information of each attribute of the second configuration object at the third target position, the method also includes: determining a flag bit for each attribute of the second configuration object at the third target position; if a first flag bit of a target attribute is a first preset value, taking the primary key of the second configuration object at the third target position and the target attribute as the third difference configuration object and determining that its configuration type is the create and/or update type; if a second flag bit of the target attribute is a second preset value, taking the primary key of the second configuration object at the third target position and the target attribute as the third difference configuration object and determining that its configuration type is the bind type; and if the second flag bit of the target attribute is a third preset value, taking the primary key of the second configuration object at the third target position and the target attribute as the third difference configuration object and determining that its configuration type is the unbind type.
Further, acquiring the current configuration data set of the target firewall in the target data format and the preset configuration data set in the target data format includes: acquiring the current configuration data set of the target firewall; acquiring the preset configuration data set set by a target object; and converting the format of the current configuration data set and of the preset configuration data set to obtain the current configuration data set in the target data format and the preset configuration data set in the target data format.
Further, converting each difference configuration object into the Extensible Markup Language corresponding to the target firewall through the converter corresponding to the version information of the target firewall includes: acquiring the version information of the target firewall and determining the converter corresponding to that version information from a conversion manager, where the conversion manager includes a plurality of converters and each converter corresponds to different version information; and converting each difference configuration object into the Extensible Markup Language corresponding to the target firewall through the converter corresponding to the version information.
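The method claimed above (sorted-merge difference analysis on primary keys, per-attribute flag bits, delivery ordering by configuration type, and a version-keyed converter that emits XML) is shown end to end in the following Python example. It is an added illustration, not code from the patent or from any product it describes. All names (`ConfigObject`, `DiffObject`, `difference_analysis`, `ConverterManager`, the hypothetical version `"v1"`), the flag values, and the XML layout are this example's assumptions. Two further assumptions go beyond the claim wording: the delivery order follows the order in which the claims list the types (unbind, delete, create/update, bind), and the create/delete branches of the merge use the conventional sorted-merge reading, in which a key present only in the preset set is created and a key present only in the current set is deleted; the patent phrases those branches as hash comparisons at matching sorted positions.

```python
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Configuration types named in the claims. The delivery order is this example's
# assumption: it follows the order in which the claims list the types.
UNBIND, DELETE, CREATE_OR_UPDATE, BIND = "unbind", "delete", "create_or_update", "bind"
DELIVERY_ORDER = {UNBIND: 0, DELETE: 1, CREATE_OR_UPDATE: 2, BIND: 3}

# Per-attribute flag values: constructed stand-ins for the "preset values" of the claims.
FLAG_NONE, FLAG_FORCE_UPDATE, FLAG_BIND, FLAG_UNBIND = 0, 1, 2, 3
FLAG_TO_TYPE = {FLAG_FORCE_UPDATE: CREATE_OR_UPDATE, FLAG_BIND: BIND, FLAG_UNBIND: UNBIND}

@dataclass
class ConfigObject:
    """A configuration object in the common target data format."""
    key: str                                   # primary key, e.g. a policy id
    attrs: dict                                # attribute name -> configured value
    flags: dict = field(default_factory=dict)  # attribute name -> flag value

@dataclass
class DiffObject:
    key: str
    config_type: str
    attrs: dict

def key_hash(key: str) -> int:
    """Stable integer hash of a primary key; both sets are sorted by it."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")

def attribute_diff(current: ConfigObject, preset: ConfigObject) -> list:
    """Equal-key case: flagged attributes are classified by their flag first,
    the remaining attributes by plain value comparison."""
    out = []
    for name, value in preset.attrs.items():
        flag = preset.flags.get(name, FLAG_NONE)
        if flag in FLAG_TO_TYPE:
            out.append(DiffObject(preset.key, FLAG_TO_TYPE[flag], {name: value}))
    changed = {n: v for n, v in preset.attrs.items()
               if preset.flags.get(n, FLAG_NONE) == FLAG_NONE and current.attrs.get(n) != v}
    if changed:  # only the differing attributes travel with the primary key
        out.append(DiffObject(preset.key, CREATE_OR_UPDATE, changed))
    return out

def difference_analysis(current_set: list, preset_set: list) -> list:
    """One-pass sorted merge of the two sets by primary-key hash."""
    cur = sorted(current_set, key=lambda o: key_hash(o.key))
    pre = sorted(preset_set, key=lambda o: key_hash(o.key))
    diffs, i, j = [], 0, 0
    while i < len(cur) or j < len(pre):
        if j == len(pre) or (i < len(cur) and key_hash(cur[i].key) < key_hash(pre[j].key)):
            # key present only in the current set: assumed mapping -> delete
            diffs.append(DiffObject(cur[i].key, DELETE, dict(cur[i].attrs)))
            i += 1
        elif i == len(cur) or key_hash(cur[i].key) > key_hash(pre[j].key):
            # key present only in the preset set: assumed mapping -> create
            diffs.append(DiffObject(pre[j].key, CREATE_OR_UPDATE, dict(pre[j].attrs)))
            j += 1
        else:  # equal hashes: the same object on both sides, compare attributes
            diffs.extend(attribute_diff(cur[i], pre[j]))
            i, j = i + 1, j + 1
    return diffs

def order_for_delivery(diffs: list) -> list:
    """Sort by configuration type; sorted() is stable, so order within a type is kept."""
    return sorted(diffs, key=lambda d: DELIVERY_ORDER[d.config_type])

class ConverterManager:
    """One converter per firewall version; lookup replaces per-version branching."""
    def __init__(self, converters: dict):
        self._converters = dict(converters)

    def convert(self, version: str, diff: DiffObject) -> str:
        if version not in self._converters:
            raise ValueError(f"no converter registered for firewall version {version!r}")
        return self._converters[version](diff)

def converter_v1(diff: DiffObject) -> str:
    """Assumed XML layout for a hypothetical firewall version 'v1'."""
    root = ET.Element("config", action=diff.config_type, id=diff.key)
    for name, value in diff.attrs.items():
        ET.SubElement(root, name).text = str(value)
    return ET.tostring(root, encoding="unicode")

def sample_sets():
    """Constructed sample data: sec-1 changes its source address and gains a zone
    binding, sec-2 is no longer wanted, sec-3 is new."""
    current = [ConfigObject("sec-1", {"src": "add1", "dst": "any", "action": "permit"}),
               ConfigObject("sec-2", {"src": "10.0.0.0/8", "dst": "any", "action": "deny"})]
    preset = [ConfigObject("sec-1", {"src": "add2", "dst": "any", "action": "permit",
                                     "zone": "trust"}, flags={"zone": FLAG_BIND}),
              ConfigObject("sec-3", {"src": "add3", "dst": "any", "action": "deny"})]
    return current, preset

def plan_delivery(current_set, preset_set, version, manager) -> list:
    """Full pipeline: diff -> order -> per-version XML, returned in delivery order."""
    ordered = order_for_delivery(difference_analysis(current_set, preset_set))
    return [(d.config_type, manager.convert(version, d)) for d in ordered]
```

Running `plan_delivery(*sample_sets(), "v1", ConverterManager({"v1": converter_v1}))` yields the delete for sec-2 first, then the two create/update objects (sec-1 carrying only `src`, sec-3 carrying all attributes), and the zone binding for sec-1 last. The merge is linear in the size of the two sorted sets, which is the point of sorting by primary key rather than comparing every pair, and an unknown firewall version fails at converter lookup instead of silently producing XML the device cannot accept.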
To achieve the above purpose, according to another aspect of this application, a firewall configuration processing device is provided. The device includes: an acquisition unit, configured to acquire a current configuration data set of a target firewall in a target data format and a preset configuration data set in the target data format, where the current configuration data set in the target data format includes a plurality of first configuration objects, each first configuration object includes a plurality of attributes and the configuration information corresponding to each attribute, the preset configuration data set in the target data format includes a plurality of second configuration objects, each second configuration object includes a plurality of attributes and the configuration information corresponding to each attribute, and the first configuration objects and the second configuration objects are configuration objects in the target firewall; an analysis unit, configured to perform difference analysis on the plurality of first configuration objects and the plurality of second configuration objects to determine a set of difference configuration objects, where the set includes a plurality of difference configuration objects and each difference configuration object includes at least one attribute and the configuration information corresponding to each attribute; a first determination unit, configured to determine a configuration delivery order according to the configuration type corresponding to each difference configuration object in the set; and a conversion unit, configured to convert each difference configuration object into the XML corresponding to the target firewall through the converter corresponding to the version information of the target firewall, and to deliver the XML to the target firewall in the configuration delivery order, so as to complete the configuration of the target firewall.
Further, the first determination unit includes: a third acquisition module, configured to acquire a first primary key corresponding to each first configuration object and a second primary key corresponding to each second configuration object; a first sorting module, configured to sort the plurality of first configuration objects by the first primary key to obtain sorted first configuration objects; a second sorting module, configured to sort the plurality of second configuration objects by the second primary key to obtain sorted second configuration objects; and an analysis module, configured to perform difference analysis on the first configuration object and the second configuration object at the same position in the sorted order to determine the set of difference configuration objects and the configuration type corresponding to each difference configuration object.
Further, the configuration types include at least an unbind type, a delete type, a create and/or update type, and a bind type, and the analysis module includes: a first determination sub-module, configured to, if the hash value of the primary key of the first configuration object at a first target position is greater than the hash value of the primary key of the second configuration object at the first target position, determine that the first configuration object at the first target position is a first difference configuration object and that its configuration type is the create and/or update type; a second determination sub-module, configured to, if the hash value of the primary key of the first configuration object at a second target position is less than the hash value of the primary key of the second configuration object at that same position, determine that the second configuration object at the second target position is a second difference configuration object and that its configuration type is the delete type; and a third determination sub-module, configured to, if the hash value of the primary key of the first configuration object at a third target position is equal to the hash value of the primary key of the second configuration object at the third target position, determine a third difference configuration object and its configuration type from each attribute of the first configuration object at the third target position and each attribute of the second configuration object at the third target position.
Further, the third determination sub-module includes: an analysis sub-module, configured to perform difference analysis on the configuration information of each attribute of the first configuration object at the third target position and the configuration information of each attribute of the second configuration object at the third target position to obtain an analysis result; and a processing sub-module, configured to, if the analysis result indicates that a difference exists, take the primary key of the second configuration object at the third target position together with the configuration information of its differing attributes as the third difference configuration object, and determine that the configuration type of the third difference configuration object is the create and/or update type.
Further, the device also includes: a second determination unit, configured to determine, before difference analysis is performed on the configuration information of each attribute of the first configuration object at the third target position and the configuration information of each attribute of the second configuration object at the third target position, a flag bit for each attribute of the second configuration object at the third target position; a third determination unit, configured to, if a first flag bit of a target attribute is a first preset value, take the primary key of the second configuration object at the third target position and the target attribute as the third difference configuration object and determine that its configuration type is the create and/or update type; a fourth determination unit, configured to, if a second flag bit of the target attribute is a second preset value, take the primary key of the second configuration object at the third target position and the target attribute as the third difference configuration object and determine that its configuration type is the bind type; and a fifth determination unit, configured to, if the second flag bit of the target attribute is a third preset value, take the primary key of the second configuration object at the third target position and the target attribute as the third difference configuration object and determine that its configuration type is the unbind type.
Further, the acquisition unit includes: a first acquisition module, configured to acquire the current configuration data set of the target firewall; a second acquisition module, configured to acquire the preset configuration data set set by a target object; and a first conversion module, configured to convert the format of the current configuration data set and of the preset configuration data set to obtain the current configuration data set in the target data format and the preset configuration data set in the target data format.
Further, the conversion unit includes: a fourth acquisition module, configured to acquire the version information of the target firewall and determine the converter corresponding to that version information from a conversion manager, where the conversion manager includes a plurality of converters and each converter corresponds to different version information; and a second conversion module, configured to convert each difference configuration object into the Extensible Markup Language corresponding to the target firewall through the converter corresponding to the version information.
To achieve the above purpose, according to one aspect of this application, a processor is provided. The processor is configured to run a program which, when run, executes the firewall configuration processing method described in any one of the above items.
To achieve the above purpose, according to one aspect of this application, an electronic device is provided. The electronic device includes one or more processors and a memory, the memory being used for the one or more processors to implement the firewall configuration processing method described in any one of the above items.
This application adopts the following steps: acquiring a current configuration data set of a target firewall in a target data format and a preset configuration data set in the target data format, where the current configuration data set in the target data format includes a plurality of first configuration objects, each first configuration object includes a plurality of attributes and the configuration information corresponding to each attribute, the preset configuration data set in the target data format includes a plurality of second configuration objects, each second configuration object includes a plurality of attributes and the configuration information corresponding to each attribute, and the first configuration objects and the second configuration objects are configuration objects in the target firewall; performing difference analysis on the plurality of first configuration objects and the plurality of second configuration objects to determine a set of difference configuration objects, where the set includes a plurality of difference configuration objects and each difference configuration object includes at least one attribute and the configuration information corresponding to each attribute; determining a configuration delivery order according to the configuration type corresponding to each difference configuration object in the set; and converting each difference configuration object into the Extensible Markup Language corresponding to the target firewall through the converter corresponding to the version information of the target firewall, and delivering the Extensible Markup Language to the target firewall in the configuration delivery order, so as to complete the configuration of the target firewall. This solves the problem in the related art that, in order to be compatible with various versions of firewall policies, too many branch statements are needed, which makes configuring firewall policies relatively inefficient. In this solution, the target data format accommodates both what different firewall versions have in common and what is particular to each, the difference analysis obtains the set of difference configuration objects accurately, the configuration types allow the configuration commands to be sorted quickly, and the converter turns each difference configuration object into the Extensible Markup Language corresponding to the target firewall, thereby improving the efficiency of configuring firewall policies.
Description of the drawings
The drawings forming a part of this application are provided for a further understanding of the application; the schematic embodiments of the application and their descriptions serve to explain the application and do not constitute an improper limitation of it. In the drawings:
FIG. 1 is a flow chart of the firewall configuration processing method provided according to an embodiment of the present application;
FIG. 2 is a schematic diagram of the difference configuration object set provided according to an embodiment of the present application;
FIG. 3 is a schematic diagram of determining difference configuration objects provided according to an embodiment of the present application;
FIG. 4 is a schematic diagram of difference configuration objects provided according to an embodiment of the present application;
FIG. 5 is a schematic diagram of the converter provided according to an embodiment of the present application;
FIG. 6 is a schematic diagram of the difference analysis provided according to an embodiment of the present application;
FIG. 7 is a schematic diagram of the firewall configuration processing device provided according to an embodiment of the present application;
FIG. 8 is a schematic diagram of the electronic device provided according to an embodiment of the present application.
Detailed description of the embodiments
It should be noted that the embodiments of the present application and the features in the embodiments may be combined with each other where no conflict arises. The present application is described in detail below with reference to the drawings and in conjunction with the embodiments.
To help those skilled in the art better understand the solution of the present application, the technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in those embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in this application without creative effort shall fall within the scope of protection of this application.
It should be noted that the terms "first", "second" and the like in the description, the claims and the above drawings of the present application are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that data so used may be interchanged where appropriate so that the embodiments of the present application described herein can be implemented. Furthermore, the terms "comprising" and "having", and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
It should be noted that the relevant information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for display, data for analysis, etc.) involved in this disclosure are information and data authorized by the user or fully authorized by all parties. For example, an interface is set up between this system and the relevant users or institutions; before the relevant information is obtained, an acquisition request is sent to the aforementioned user or institution through the interface, and the relevant information is obtained only after the consent returned by that user or institution has been received.
The present invention is described below in conjunction with the preferred implementation steps. FIG. 1 is a flow chart of the firewall configuration processing method provided according to an embodiment of the present application. As shown in FIG. 1, the method includes the following steps:
Step S101: acquire the current configuration data set of the target firewall in the target data format and the preset configuration data set in the target data format, where the current configuration data set in the target data format includes a plurality of first configuration objects, each first configuration object includes a plurality of attributes and the configuration information corresponding to each attribute, the preset configuration data set in the target data format includes a plurality of second configuration objects, each second configuration object includes a plurality of attributes and the configuration information corresponding to each attribute, and the first configuration objects and the second configuration objects are configuration objects in the target firewall;
Specifically, the target data format solves the problem of storing the configuration information of firewalls of different versions. The target data format is a generic entity that masks version differences and stores only the configuration; it may be referred to as a UCO for short.
For example, an address book object has a limited set of attributes; it is only because the firewall versions differ that the object is actually stored on the firewall in different ways. For the IP range attribute, for instance, the same information is stored, but the XML format differs. The UCO discards the storage differences between versions and stores the actual object configuration information on the configuration management center side. That is, the UCO configuration information of a configuration object includes only a plurality of attributes and the configuration information corresponding to each attribute, and does not include version information. For an address book, for example, the corresponding attributes are IP/mask, IP range and so on.
Acquire the current configuration data set of the firewall in the target data format; the current configuration data set in the target data format includes a plurality of first configuration objects, and each first configuration object includes a plurality of attributes and the configuration information corresponding to each attribute. Acquire the preset configuration data set in the target data format; the preset configuration data set is the data set that the user intends to configure on the firewall according to actual needs. The preset configuration data set in the target data format includes a plurality of second configuration objects, and each second configuration object includes a plurality of attributes and the configuration information corresponding to each attribute.
Step S102: perform difference analysis on the plurality of first configuration objects and the plurality of second configuration objects to determine a difference configuration object set, where the difference configuration object set includes a plurality of difference configuration objects, and each difference configuration object includes at least one attribute and the configuration information corresponding to each attribute;
Specifically, a difference configuration object describes an operation to be performed on a configuration object, for example which attribute is to be modified or which attribute is to be deleted; a difference configuration object may be referred to as a CDO for short. The difference configuration object set carries the configuration operations that must be performed after two UCO configurations have been compared for differences. A difference configuration object set can be converted into a firewall configuration of any version. The difference configuration object set is composed of four types of difference configuration objects: "attribute release", "attribute binding", "configuration deletion" and "configuration creation and/or update".
[Attribute release] is the set of actions in the comparison of two configurations that unbind or delete an attribute; for example, when a security policy no longer references an address book, the action is placed in this set. [Attribute binding] is the set of actions in the comparison of two configurations that bind an attribute; for example, when a security policy references an address book, the action is placed in this set. [Configuration deletion] is the set of configurations that must be deleted after the two configurations have been compared; for example, if an address book is deleted on the management side, it is placed in this set. [Configuration creation or update] is the set of configurations that must be newly created after the two configurations have been compared; for example, if an address book is created on the management side, it is placed in this set.
With this structure, each module only has to determine the configuration type of its differences and place them in the difference configuration object set; the system then automatically converts the difference configuration object set into XML (Extensible Markup Language) according to the dependency relationships. The data structure of the difference configuration object set may be as shown in FIG. 2.
Comparing two UCOs generates multiple CDOs, because the differences found by the comparison include CDOs of the unbinding type, CDOs of the binding type, and so on, as shown in FIG. 3. Therefore, difference analysis is performed on the plurality of first configuration objects and the plurality of second configuration objects, and the difference configuration object set and the configuration type of each difference configuration object are determined.
Step S103: determine the configuration delivery order according to the configuration type corresponding to each difference configuration object in the difference configuration object set;
Specifically, in the actual firewall configurations of the various vendors, configuration and configuration references between the modules to be configured are almost always involved, and in some cases there are even circular references between module configurations. For example, ModuleA, ModuleB and ModuleC are three configuration modules, but the instances in the three configurations reference one another in a cycle: aname1 in ModuleA references bname1, bname1 in ModuleB references cname1, and cname1 in ModuleC references aname1. In this case the traditional configuration approach can never succeed, because creating each configuration requires another configuration as a prerequisite. With the difference configuration object set, however, the above configuration can be achieved. When all of the configuration is newly added, the system converts the above configuration into 6 CDO objects: creating the aname1, bname1 and cname1 objects, and binding the reference relationships of aname1, bname1 and cname1, as shown in FIG. 4. The configuration delivery order is then determined according to the configuration type corresponding to each difference configuration object in the difference configuration object set.
In an optional embodiment, the execution order is: the first configuration type is CDOs of the unbinding type, the second configuration type is CDOs of the deletion type, the third configuration type is CDOs of the creation or update type, and the fourth configuration type is CDOs of the binding type. CDOs of the same type have no strict order among themselves.
By delivering the 6 CDO objects in FIG. 4 in the above order, the configuration of the three configuration modules ModuleA, ModuleB and ModuleC can be accurately achieved.
Step S104: convert each difference configuration object into the XML corresponding to the target firewall through the converter corresponding to the version information of the target firewall, and deliver the XML to the target firewall in the configuration delivery order to complete the configuration of the target firewall.
Specifically, after the configuration delivery order has been determined, each difference configuration object is converted into the XML corresponding to the target firewall through the converter corresponding to the version information of the target firewall, and the XML is delivered to the target firewall to complete its configuration.
The converter manager provides base converters (Base Converter) for the various versions, which convert a difference configuration object set into XML that the firewall can recognize, for example address Base Converter. If the differences between address book versions are too large, custom converters for other versions are supported, such as addressV1Converter.
The converter manager (Converter Factory Manager) is the container that manages the converters. The Converter Factory Manager exposes a method that returns the appropriate converter for XML conversion according to the module name and the [version information], as shown in FIG. 5. All multi-version adaptation is done by converters (Converter). Each converter supports two attributes, y and n: y lists the versions the converter supports, and n lists the versions it does not support. Not supported takes priority over supported, that is, a version listed in n means the converter does not support that version. For example, if a converter is configured with y={"V1-"} and n={"V2.1-V2.3"}, the converter applies only to devices whose version number is greater than V1, but configurations for versions between V2.1 and V2.3 are not supported and must be converted by another converter.
In summary, the target data format accommodates both what is common and what is particular to different firewall versions, the difference analysis accurately yields the difference configuration object set, the configuration types allow the configuration commands to be sorted quickly, and the converter turns each difference configuration object into the XML corresponding to the target firewall, thereby improving the efficiency of configuring firewall policies.
In order to perform the difference analysis accurately, in the firewall configuration processing method provided in the embodiment of the present application, performing difference analysis on the plurality of first configuration objects and the plurality of second configuration objects to determine the difference configuration object set includes: acquiring the first primary key corresponding to each first configuration object and the second primary key corresponding to each second configuration object; sorting the plurality of first configuration objects by the first primary key to obtain the sorted first configuration objects; sorting the plurality of second configuration objects by the second primary key to obtain the sorted second configuration objects; and performing difference analysis on the first configuration object and the second configuration object at the same position to determine the difference configuration object set and the configuration type corresponding to each difference configuration object.
Specifically, performing difference analysis on the plurality of first configuration objects and the plurality of second configuration objects includes: determining the first primary key corresponding to each first configuration object and the second primary key corresponding to each second configuration object; then sorting the first configuration objects by the first primary key and the second configuration objects by the second primary key; and then determining the difference configuration object set and the configuration type corresponding to each difference configuration object by comparing the first configuration object and the second configuration object at the same position.
The configuration types include at least the unbinding type, the deletion type, the creation and/or update type, and the binding type. Performing difference analysis on the first configuration object and the second configuration object at the same position to determine the difference configuration object set and the configuration type corresponding to each difference configuration object includes: if the hash value of the primary key of the first configuration object at a first target position is greater than the hash value of the primary key of the second configuration object at the first target position, determining that the first configuration object at the first target position is a first difference configuration object and that the configuration type of the first difference configuration object is the creation and/or update type; if the hash value of the primary key of the first configuration object at a second target position is less than the hash value of the primary key of the second configuration object at the second target position, determining that the second configuration object at the second target position is a second difference configuration object and that the configuration type of the second difference configuration object is the deletion type; and if the hash value of the primary key of the first configuration object at a third target position is equal to the hash value of the primary key of the second configuration object at the third target position, determining a third difference configuration object and its configuration type from each attribute of the first configuration object at the third target position and each attribute of the second configuration object at the third target position.
Specifically, as shown in FIG. 6, set a holds the second configuration objects and set b holds the first configuration objects.
1. Sort the two sets (by primary key).
2. If a[i] < b[j], convert the data of a[i] into a difference configuration object of the creation and/or update type, add it to the result list, and i++.
3. If a[i] > b[j], convert the data of b[j] into a difference configuration object of the deletion type, add it to the result list, and j++.
4. If a[i] = b[j], generate the difference configuration objects and their configuration types from each attribute of the first configuration object and each attribute of the second configuration object at the third target position, and add the resulting difference objects to the result list.
5. If a has been fully traversed but b has not, convert the remaining first configuration objects in b into difference configuration objects of the deletion type and add them to the result list.
6. If b has been fully traversed but a has not, convert the remaining second configuration objects in a into difference configuration objects of the creation type and add them to the result list.
7. Return the difference configuration objects and configuration types in the result list.
For configuration objects with the same primary key, determining the difference object includes: performing difference analysis on the configuration information of each attribute of the first configuration object at the third target position and the configuration information of each attribute of the second configuration object at the third target position to obtain an analysis result; and if the analysis result indicates that a difference exists, taking the primary key of the second configuration object at the third target position and the configuration information of the differing attributes of that second configuration object as the third difference configuration object, and determining that the configuration type of the third difference configuration object is the creation and/or update type.
Specifically, for two configuration objects with the same primary key, the differences are compared and the difference result is returned. The configuration information corresponding to all attributes is traversed and compared one by one to obtain the analysis result. If the analysis result indicates that a difference exists, that is, the configuration information of some attribute differs, then a third difference configuration object is generated from the configuration information of the differing attributes and the primary key of the second configuration object, and the configuration type of the third difference configuration object is determined as the creation and/or update type.
Since features such as binding and unbinding are implemented through attribute flag bits, in the firewall configuration processing method provided in the embodiment of the present application, before the difference analysis is performed on the configuration information of each attribute of the first configuration object at the third target position and the configuration information of each attribute of the second configuration object at the third target position, the method further includes: determining the flag bits of each attribute of the second configuration object at the third target position; if the first flag bit of a target attribute is a first preset value, taking the primary key and the target attribute of the second configuration object at the third target position as the third difference configuration object and determining that the configuration type of the third difference configuration object is the creation and/or update type; if the second flag bit of the target attribute is a second preset value, taking the primary key and the target attribute of the second configuration object at the third target position as the third difference configuration object and determining that the configuration type of the third difference configuration object is the binding type; and if the second flag bit of the target attribute is a third preset value, taking the primary key and the target attribute of the second configuration object at the third target position as the third difference configuration object and determining that the configuration type of the third difference configuration object is the unbinding type.
Specifically, the flag bits of each attribute of the second configuration object at the third target position are read. If the first flag bit (the unset property) of a target attribute is the first preset value (for example, 1), the configuration information of the target attribute has been deleted. Therefore, the primary key and the target attribute of the second configuration object at the third target position are taken as the third difference configuration object, and the configuration type of the third difference configuration object is determined as the creation and/or update type.
If the second flag bit (the binding property) of a target attribute is the second preset value (for example, 1), the target attribute references another attribute; the primary key and the target attribute of the second configuration object at the third target position are then taken as the third difference configuration object, and the configuration type of the third difference configuration object is determined as the binding type.
If the second flag bit of a target attribute is the third preset value (for example, 0), the target attribute no longer references another attribute; the primary key and the target attribute of the second configuration object at the third target position are then taken as the third difference configuration object, and the configuration type of the third difference configuration object is determined as the unbinding type.
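The sorted-merge difference analysis of steps 1 to 7, the flag-bit handling just described, and the delivery order of step S103, worked through in Python as an added example (not code from the patent). Primary keys are compared as strings rather than by hash value, reference attributes are carried only in bind/unbind CDOs, and an unset attribute is folded into the create/update CDO; these are assumptions of the example, as is all of the sample data.

```python
"""Added example, not the patent's code: difference analysis between the preset
UCO set (a) and the current UCO set (b) yielding typed CDOs, then delivery
ordering. Keys are compared as strings rather than by hash (assumption)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The four CDO configuration types, ranked in the delivery order of step S103:
# unbind first, then delete, then create/update, then bind.
UNBIND, DELETE, CREATE_UPDATE, BIND = "unbind", "delete", "create_update", "bind"
DELIVERY_RANK = {UNBIND: 0, DELETE: 1, CREATE_UPDATE: 2, BIND: 3}


@dataclass
class Attribute:
    """One attribute of a UCO: its configuration value plus the two flag bits."""
    value: Optional[str] = None
    unset: int = 0               # first flag: 1 means the value was removed
    bind: Optional[int] = None   # second flag: 1 = references another object,
                                 # 0 = no longer references it, None = no flag


@dataclass
class UCO:
    """Version-independent configuration object: primary key plus attributes."""
    key: str
    attrs: Dict[str, Attribute] = field(default_factory=dict)


@dataclass(frozen=True)
class CDO:
    """Difference configuration object: one operation to send to the firewall."""
    key: str
    ctype: str
    attrs: tuple = ()   # (attribute name, value) pairs; empty for a delete


def object_cdos(desired: UCO, current: Optional[UCO]) -> List[CDO]:
    """CDOs for one desired object; current is None for a brand-new object
    (steps 2 and 6). Flags are read first, values compared afterwards (step 4).
    Reference attributes go only into bind/unbind CDOs, so a create CDO never
    carries a reference (assumption; this is what lets the circular
    ModuleA/ModuleB/ModuleC example succeed)."""
    out: List[CDO] = []
    changed = []
    for name, attr in desired.attrs.items():
        if attr.unset == 1:                       # first flag: value removed
            changed.append((name, None))
        elif attr.bind == 1:                      # second flag: reference added
            out.append(CDO(desired.key, BIND, ((name, attr.value),)))
        elif attr.bind == 0:                      # second flag: reference dropped
            out.append(CDO(desired.key, UNBIND, ((name, attr.value),)))
        else:                                     # plain value comparison
            cur = current.attrs.get(name) if current else None
            if cur is None or cur.value != attr.value:
                changed.append((name, attr.value))
    if changed or current is None:
        out.append(CDO(desired.key, CREATE_UPDATE, tuple(changed)))
    return out


def difference_analysis(preset: List[UCO], current: List[UCO]) -> List[CDO]:
    """Steps 1 to 7: sort both sets by primary key and walk them in lockstep."""
    a = sorted(preset, key=lambda u: u.key)    # second configuration objects
    b = sorted(current, key=lambda u: u.key)   # first configuration objects
    result: List[CDO] = []
    i = j = 0
    while i < len(a) and j < len(b):
        if a[i].key < b[j].key:                # step 2: only in the preset
            result.extend(object_cdos(a[i], None))
            i += 1
        elif a[i].key > b[j].key:              # step 3: only on the firewall
            result.append(CDO(b[j].key, DELETE))
            j += 1
        else:                                  # step 4: same primary key
            result.extend(object_cdos(a[i], b[j]))
            i += 1
            j += 1
    result.extend(CDO(u.key, DELETE) for u in b[j:])    # step 5
    for u in a[i:]:                                      # step 6
        result.extend(object_cdos(u, None))
    return result                                        # step 7


def delivery_order(cdos: List[CDO]) -> List[CDO]:
    """Step S103: sort by type rank only; same-type CDOs keep their order."""
    return sorted(cdos, key=lambda c: DELIVERY_RANK[c.ctype])


# Constructed sample data: the circular ModuleA/ModuleB/ModuleC example from
# the text (all new), plus one address book to update and one to delete.
MODULES = [
    UCO("aname1", {"ref": Attribute("bname1", bind=1)}),
    UCO("bname1", {"ref": Attribute("cname1", bind=1)}),
    UCO("cname1", {"ref": Attribute("aname1", bind=1)}),
]
PRESET = MODULES + [
    UCO("addr_lan", {"ip_mask": Attribute("10.0.0.0/8"),
                     "ref": Attribute("old_policy", bind=0)}),
]
CURRENT = [
    UCO("addr_lan", {"ip_mask": Attribute("10.0.0.0/16")}),
    UCO("addr_stale", {"ip_mask": Attribute("192.0.2.0/24")}),
]
```

Running `delivery_order(difference_analysis(PRESET, CURRENT))` yields nine CDOs: the unbind for addr_lan, the delete for addr_stale, the four create/update CDOs, and finally the three bind CDOs that close the reference cycle.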
Optionally, in the firewall configuration processing method provided in the embodiment of the present application, acquiring the current configuration data set of the target firewall in the target data format and the preset configuration data set in the target data format includes: acquiring the current configuration data set of the target firewall; acquiring the preset configuration data set set by the target object; and performing format conversion on the current configuration data set and the preset configuration data set to obtain the current configuration data set in the target data format and the preset configuration data set in the target data format.
Specifically, the current configuration data set of the target firewall and the preset configuration data set set by the user are collected; format conversion is performed on the current configuration data set and the preset configuration data set to obtain the current configuration data set in the target data format and the preset configuration data set in the target data format. The target data format effectively solves the problem of storing the configuration information of firewalls of different versions.
In order to be able to configure firewalls of different versions, in the firewall configuration processing method provided in the embodiment of the present application, converting each difference configuration object into the XML corresponding to the target firewall through the converter corresponding to the version information of the target firewall includes: acquiring the version information of the target firewall and determining the converter corresponding to the version information from the converter manager, where the converter manager includes a plurality of converters and each converter corresponds to different version information; and converting each difference configuration object into the XML corresponding to the target firewall through the converter corresponding to the version information.
所有的多版本适配均由转换器(Converter)来完成。对于每一个转换器,支持两个属性y,n。y代表转换器可以支持哪些版本,n代表转换器不支持哪些版本。不支持优先,即,版本在不匹配的定义中,说明转换器不支持此版本。举例,某个转换器的配置为y={“V1-”},n={“V2.1-V2.3”},则表示当前converter只对版本号大于V1的设备生效,但是在V2.1和V2.3之间的配置是不支持的,需要用其它转换器来转换。All multi-version adaptations are done by Converter. For each converter, two attributes y, n are supported. y represents which versions the converter can support, and n represents which versions the converter does not support. Unsupported precedence, i.e., a version in a definition that does not match, means that the converter does not support this version. For example, if the configuration of a certain converter is y={"V1-"}, n={"V2.1-V2.3"}, it means that the current converter is only effective for devices whose version number is greater than V1, but in V2. The configuration between 1 and V2.3 is not supported and needs to be converted by other converters.
The firewall configuration processing method provided by the embodiment of the present application acquires the current configuration data set of the target firewall in the target data format and the preset configuration data set in the target data format, where the current configuration data set in the target data format includes multiple first configuration objects, each of which includes multiple attributes and the configuration information corresponding to each attribute, the preset configuration data set in the target data format includes multiple second configuration objects, each of which includes multiple attributes and the configuration information corresponding to each attribute, and the first and second configuration objects are configuration objects in the target firewall; performs a difference analysis on the multiple first configuration objects and the multiple second configuration objects to determine a difference configuration object set, where the difference configuration object set includes multiple difference configuration objects, each of which includes at least one attribute and the configuration information corresponding to each attribute; determines the configuration delivery order according to the configuration type corresponding to each difference configuration object in the difference configuration object set; and converts each difference configuration object into the Extensible Markup Language corresponding to the target firewall through the converter corresponding to the version information of the target firewall and delivers the Extensible Markup Language to the target firewall in the configuration delivery order to complete the configuration of the target firewall. This solves the problem in the related art that, to be compatible with firewall policies of various versions, too many branch judgment statements are needed, which makes configuring firewall policies inefficient. In this solution, the target data format accommodates both what is common and what is specific to different firewall versions, the difference analysis accurately produces the difference configuration object set, the configuration types allow the configuration commands to be sorted quickly, and the converters convert each difference configuration object into the Extensible Markup Language corresponding to the target firewall, thereby improving the efficiency of configuring firewall policies.
It should be noted that the steps shown in the flowcharts of the accompanying drawings may be executed in a computer system such as a set of computer-executable instructions, and that although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in an order different from the one given here.
The embodiment of the present application also provides a firewall configuration processing device. It should be noted that the firewall configuration processing device of the embodiment of the present application can be used to execute the firewall configuration processing method provided by the embodiment of the present application. The firewall configuration processing device provided by the embodiment is described below.
Fig. 7 is a schematic diagram of a firewall configuration processing device according to an embodiment of the present application. As shown in Fig. 7, the device includes an acquisition unit 701, an analysis unit 702, a first determination unit 703 and a conversion unit 704.
The acquisition unit 701 is configured to acquire the current configuration data set of the target firewall in the target data format and the preset configuration data set in the target data format, where the current configuration data set in the target data format includes multiple first configuration objects, each of which includes multiple attributes and the configuration information corresponding to each attribute, the preset configuration data set in the target data format includes multiple second configuration objects, each of which includes multiple attributes and the configuration information corresponding to each attribute, and the first and second configuration objects are configuration objects in the target firewall;
The analysis unit 702 is configured to perform a difference analysis on the multiple first configuration objects and the multiple second configuration objects to determine a difference configuration object set, where the difference configuration object set includes multiple difference configuration objects, each of which includes at least one attribute and the configuration information corresponding to each attribute;
The first determination unit 703 is configured to determine the configuration delivery order according to the configuration type corresponding to each difference configuration object in the difference configuration object set;
The conversion unit 704 is configured to convert each difference configuration object into the Extensible Markup Language corresponding to the target firewall through the converter corresponding to the version information of the target firewall, and to deliver the Extensible Markup Language to the target firewall in the configuration delivery order to complete the configuration of the target firewall.
Specifically, the target data format solves the problem of storing configuration information for different firewall versions. The target data format is a generic entity that hides version differences and stores only the configuration; it may be abbreviated UCO.
For example, an address book object has a limited set of attributes; the attributes are merely stored differently on the firewall because firewall versions differ. For the IP range attribute, for instance, the same information is stored but the XML format differs. UCO discards the storage differences between versions and keeps the actual object configuration information on the configuration management center side. In other words, the UCO configuration information of a configuration object includes only multiple attributes and the configuration information corresponding to each attribute, and no version information. For an address book, for example, the corresponding attributes are IP/mask, IP range and so on.
The current configuration data set of the firewall in the target data format is acquired; it includes multiple first configuration objects, each of which includes multiple attributes and the configuration information corresponding to each attribute. The preset configuration data set in the target data format is also acquired; the preset configuration data set is the data set that the user intends to configure on the firewall according to actual needs. It includes multiple second configuration objects, each of which includes multiple attributes and the configuration information corresponding to each attribute.
A difference configuration object describes an operation on a configuration object, for example which attribute is modified or which attribute is deleted; it may be abbreviated CDO. The difference configuration object set carries the configuration operations that must be performed after two UCO configurations have been compared for differences. A difference configuration object set can be converted into a firewall configuration of any version. The difference configuration object set is composed of four types of difference configuration objects: "attribute release", "attribute binding", "configuration deletion" and "configuration creation or update".
[Attribute release] is the set of actions that unbind or delete an attribute during the comparison of two configurations; for example, when a security policy no longer references an address book entry, the action is placed in this set. [Attribute binding] is the set of actions that bind an attribute during the comparison of two configurations; for example, when a security policy references an address book entry, the action is placed in this set. [Configuration deletion] is the set of configurations to be deleted after the two configurations have been compared; for example, deleting an address book on the management side places it in this set. [Configuration creation or update] is the set of configurations to be newly created after the two configurations have been compared; for example, creating an address book on the management side places it in this set.
With this structural design, each module only has to determine the configuration type and place the result in the difference configuration object set; the system then automatically converts the difference configuration object set into XML (Extensible Markup Language) according to the dependency relationships. The data structure of the difference configuration object set may be as shown in Fig. 2.
Comparing two UCOs produces multiple CDOs, because the differences include CDOs of the unbind type, CDOs of the bind type and so on, as shown in Fig. 3. Therefore, a difference analysis is performed on the multiple first configuration objects and the multiple second configuration objects to determine the difference configuration object set and the configuration type of each difference configuration object.
In practice, the firewall configurations of the various vendors almost always involve references between the configurations of the modules to be configured, and some even involve circular references between modules. ModuleA, ModuleB and ModuleC are three configuration modules whose instances reference each other in a cycle: aname1 references bname1, bname1 references cname1, and cname1 references aname1. In this situation the traditional configuration approach can never succeed, because creating each configuration requires another configuration to exist first. The configuration can, however, be achieved through the difference configuration object set. Where all the configurations are new, the system converts them into six CDO objects: create the aname1, bname1 and cname1 objects, and bind the references of aname1, bname1 and cname1, as shown in Fig. 4. The configuration delivery order is then determined according to the configuration type corresponding to each difference configuration object in the difference configuration object set.
In an optional embodiment, the execution order is: the first configuration type is the unbind-type CDO, the second is the delete-type CDO, the third is the create-type or update-type CDO, and the fourth is the bind type. CDOs of the same type have no strict order among themselves.
Delivering the six CDO objects of Fig. 4 in the above order accurately configures the three configuration modules ModuleA, ModuleB and ModuleC.
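The delivery order and the circular-reference case above, as an added example that is not part of the patent and not the applicant's code. The CDO layout, the type names, and the toy firewall model (which refuses a bind whose target does not exist yet) are assumptions; the six CDOs are the ones the text describes for ModuleA, ModuleB and ModuleC when everything is new. The example deliberately lists each bind before its create, so that applying the CDOs as given fails on a dangling reference while type-ordered delivery succeeds.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Delivery order of the four CDO types from the text: unbind first, then
# delete, then create/update, then bind.  Names are assumptions.
TYPE_ORDER = {"unbind": 0, "delete": 1, "create_or_update": 2, "bind": 3}

ObjKey = Tuple[str, str]  # (module name, primary key), e.g. ("ModuleA", "aname1")


@dataclass(frozen=True)
class CDO:
    """One difference configuration object (hypothetical layout)."""
    ctype: str                     # one of TYPE_ORDER
    module: str
    key: str
    ref: Optional[ObjKey] = None   # object referenced by a bind/unbind CDO

    @property
    def obj(self) -> ObjKey:
        return (self.module, self.key)


def order_cdos(cdos: List[CDO]) -> List[CDO]:
    """Sort CDOs by type order.  sorted() is stable, so CDOs of the same
    type keep their input order, which the text says is unconstrained."""
    return sorted(cdos, key=lambda c: TYPE_ORDER[c.ctype])


class ToyFirewall:
    """Minimal device model: a reference to an object that does not exist
    yet is rejected, which is why plain creation fails on a cycle."""

    def __init__(self) -> None:
        self.objects: Dict[ObjKey, Set[ObjKey]] = {}

    def apply(self, cdo: CDO) -> None:
        if cdo.ctype == "create_or_update":
            self.objects.setdefault(cdo.obj, set())
        elif cdo.ctype == "delete":
            self.objects.pop(cdo.obj, None)
        elif cdo.ctype == "bind":
            if cdo.obj not in self.objects or cdo.ref not in self.objects:
                raise ValueError(f"dangling reference {cdo.obj} -> {cdo.ref}")
            self.objects[cdo.obj].add(cdo.ref)
        elif cdo.ctype == "unbind":
            self.objects.get(cdo.obj, set()).discard(cdo.ref)
        else:
            raise ValueError(f"unknown CDO type {cdo.ctype}")


def circular_example() -> List[CDO]:
    """The six CDOs of the all-new ModuleA/ModuleB/ModuleC case, listed
    (on purpose) with each bind ahead of the create it depends on."""
    a, b, c = ("ModuleA", "aname1"), ("ModuleB", "bname1"), ("ModuleC", "cname1")
    return [
        CDO("bind", *a, ref=b), CDO("create_or_update", *a),
        CDO("bind", *b, ref=c), CDO("create_or_update", *b),
        CDO("bind", *c, ref=a), CDO("create_or_update", *c),
    ]


def deliver(cdos: List[CDO], ordered: bool = True) -> Dict[ObjKey, Set[ObjKey]]:
    """Apply CDOs to a toy firewall, in type order or exactly as given."""
    fw = ToyFirewall()
    for cdo in (order_cdos(cdos) if ordered else cdos):
        fw.apply(cdo)
    return fw.objects


if __name__ == "__main__":
    print(deliver(circular_example()))
    try:
        deliver(circular_example(), ordered=False)
    except ValueError as exc:
        print("unordered delivery failed:", exc)
```

Because every create-type CDO is delivered before any bind-type CDO, all three objects exist by the time the first reference is bound, regardless of the order in which the modules produced their CDOs.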
After the configuration delivery order is determined, each difference configuration object is converted into the Extensible Markup Language corresponding to the target firewall through the converter corresponding to the version information of the target firewall, and the Extensible Markup Language is delivered to the target firewall to complete its configuration.
The converter manager provides a base converter (Base Converter) for each version, which converts a difference configuration object set into XML that the firewall can recognise, for example an address Base Converter. If the differences between address book versions are too large, custom converters for other versions, such as addressV1Converter, are also supported.
The converter manager (Converter Factory Manager) is the container that manages converters. The Converter Factory Manager exposes a method that returns the appropriate converter for XML conversion according to the module name and the [version information], as shown in Fig. 5. All multi-version adaptation is done by converters (Converter). Each converter supports two attributes, y and n: y lists the versions the converter supports, and n lists the versions it does not support. Non-support has higher priority than support, that is, a version matched by n is not supported by the converter. For example, if a converter is configured with y={"V1-"} and n={"V2.1-V2.3"}, the converter applies only to devices whose version number is greater than V1, but configurations for versions between V2.1 and V2.3 are not supported and must be converted by another converter.
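Converter selection by module name and version, with the y/n attributes and the rule that n overrides y, as an added example that is not the patent's own code. It covers the converter description here and the identical description in the method section above. The range grammar ("V1-" for an open-ended range, "V2.1-V2.3" for a closed one, both ends inclusive), the component-wise version comparison, the converter and manager class names, and the two XML layouts for an address book IP range are all assumptions; the text only says that the same IP range information is stored in different XML formats across versions.

```python
from typing import Callable, Dict, List, Optional, Tuple

Version = Tuple[int, ...]
VersionRange = Tuple[Version, Optional[Version]]


def parse_version(text: str) -> Version:
    """'V2.1' -> (2, 1).  Tuples compare component-wise, so V2 < V2.1 < V2.3."""
    return tuple(int(p) for p in text.strip().lstrip("Vv").split("."))


def parse_range(spec: str) -> VersionRange:
    """'V1-' -> (V1, open end); 'V2.1-V2.3' -> (V2.1, V2.3).
    Both ends are treated as inclusive (assumption; the text does not say)."""
    lo, _, hi = spec.partition("-")
    return parse_version(lo), (parse_version(hi) if hi else None)


def in_range(v: Version, rng: VersionRange) -> bool:
    lo, hi = rng
    return v >= lo and (hi is None or v <= hi)


class Converter:
    """Converts one module's CDO into version-specific XML.  `y` and `n`
    are the supported / unsupported version range specs from the text."""

    def __init__(self, name: str, module: str, y: List[str], n: List[str],
                 render: Callable[[Dict[str, str]], str]) -> None:
        self.name, self.module, self.render = name, module, render
        self.y = [parse_range(s) for s in y]
        self.n = [parse_range(s) for s in n]

    def supports(self, version: str) -> bool:
        v = parse_version(version)
        if any(in_range(v, r) for r in self.n):   # n takes precedence over y
            return False
        return any(in_range(v, r) for r in self.y)


class ConverterFactoryManager:
    """Container that hands out the converter for (module, version)."""

    def __init__(self) -> None:
        self._by_module: Dict[str, List[Converter]] = {}

    def register(self, conv: Converter) -> None:
        self._by_module.setdefault(conv.module, []).append(conv)

    def get(self, module: str, version: str) -> Converter:
        for conv in self._by_module.get(module, []):
            if conv.supports(version):
                return conv
        raise LookupError(f"no converter for module {module!r}, version {version!r}")


# Hypothetical XML layouts for the IP-range attribute of an address book entry.
def render_base(cdo: Dict[str, str]) -> str:
    return (f'<address name="{cdo["name"]}">'
            f'<ip-range start="{cdo["start"]}" end="{cdo["end"]}"/></address>')


def render_v2(cdo: Dict[str, str]) -> str:
    return (f'<address name="{cdo["name"]}">'
            f'<range>{cdo["start"]}-{cdo["end"]}</range></address>')


def build_manager() -> ConverterFactoryManager:
    """Base converter with the text's y/n example plus a converter that
    fills the V2.1-V2.3 gap the base converter declares unsupported."""
    mgr = ConverterFactoryManager()
    mgr.register(Converter("addressBaseConverter", "address",
                           y=["V1-"], n=["V2.1-V2.3"], render=render_base))
    mgr.register(Converter("addressV2Converter", "address",
                           y=["V2.1-V2.3"], n=[], render=render_v2))
    return mgr


def convert(mgr: ConverterFactoryManager, module: str, version: str,
            cdo: Dict[str, str]) -> Tuple[str, str]:
    """Return (converter name, XML) for one CDO of the given module/version."""
    conv = mgr.get(module, version)
    return conv.name, conv.render(cdo)


if __name__ == "__main__":
    sample = {"name": "lan-hosts", "start": "10.0.0.10", "end": "10.0.0.20"}  # constructed
    for ver in ("V1.5", "V2.2", "V3.0"):
        print(ver, convert(build_manager(), "address", ver, sample))
```

The n check runs before the y check, so a version inside V2.1 to V2.3 is refused by the base converter even though it also satisfies "V1-"; the manager then falls through to the next registered converter, and raises if none supports the version rather than silently emitting XML in the wrong layout.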
In summary, the target data format accommodates both what is common and what is specific to different firewall versions, the difference analysis accurately produces the difference configuration object set, the configuration types allow the configuration commands to be sorted quickly, and the converters convert each difference configuration object into the Extensible Markup Language corresponding to the target firewall, thereby improving the efficiency of configuring firewall policies.
In the firewall configuration processing device provided by the embodiment of the present application, the acquisition unit 701 acquires the current configuration data set of the target firewall in the target data format and the preset configuration data set in the target data format, where the current configuration data set in the target data format includes multiple first configuration objects, each of which includes multiple attributes and the configuration information corresponding to each attribute, the preset configuration data set in the target data format includes multiple second configuration objects, each of which includes multiple attributes and the configuration information corresponding to each attribute, and the first and second configuration objects are configuration objects in the target firewall; the analysis unit 702 performs a difference analysis on the multiple first configuration objects and the multiple second configuration objects to determine a difference configuration object set, where the difference configuration object set includes multiple difference configuration objects, each of which includes at least one attribute and the configuration information corresponding to each attribute; the first determination unit 703 determines the configuration delivery order according to the configuration type corresponding to each difference configuration object in the difference configuration object set; and the conversion unit 704 converts each difference configuration object into the Extensible Markup Language corresponding to the target firewall through the converter corresponding to the version information of the target firewall and delivers the Extensible Markup Language to the target firewall in the configuration delivery order to complete the configuration of the target firewall. This solves the problem in the related art that, to be compatible with firewall policies of various versions, too many branch judgment statements are needed, which makes configuring firewall policies inefficient. In this solution, the target data format accommodates both what is common and what is specific to different firewall versions, the difference analysis accurately produces the difference configuration object set, the configuration types allow the configuration commands to be sorted quickly, and the converters convert each difference configuration object into the Extensible Markup Language corresponding to the target firewall, thereby improving the efficiency of configuring firewall policies.
Optionally, in the firewall configuration processing device provided by the embodiment of the present application, the first determination unit 703 includes: a third acquisition module for acquiring the first primary key corresponding to each first configuration object and the second primary key corresponding to each second configuration object; a first sorting module for sorting the multiple first configuration objects by the first primary key to obtain the sorted first configuration objects; a second sorting module for sorting the multiple second configuration objects by the second primary key to obtain the sorted second configuration objects; and an analysis module for performing a difference analysis on the first configuration object and the second configuration object at the same position in the sorted order to determine the difference configuration object set and the configuration type corresponding to each difference configuration object.
Specifically, performing the difference analysis on the multiple first configuration objects and the multiple second configuration objects includes determining the first primary key corresponding to each first configuration object and the second primary key corresponding to each second configuration object, sorting the first configuration objects by the first primary key and the second configuration objects by the second primary key, and then comparing the first configuration object and the second configuration object at the same position in the sorted order to determine the difference configuration object set and the configuration type corresponding to each difference configuration object.
Optionally, in the firewall configuration processing device provided by the embodiment of the present application, the configuration types include at least an unbind type, a delete type, a create type and/or update type, and a bind type, and the analysis module includes: a first determination sub-module for determining, if the hash value corresponding to the primary key of the first configuration object at a first target position is greater than the hash value corresponding to the primary key of the second configuration object at the first target position, that the first configuration object at the first target position is a first difference configuration object and that the configuration type of the first difference configuration object is the create type and/or update type; a second determination sub-module for determining, if the hash value corresponding to the primary key of the first configuration object at a second target position is less than the hash value corresponding to the primary key of the second configuration object at that target position, that the second configuration object at the second target position is a second difference configuration object and that the configuration type of the second difference configuration object is the delete type; and a third determination sub-module for determining, if the hash value corresponding to the primary key of the first configuration object at a third target position is equal to the hash value corresponding to the primary key of the second configuration object at the third target position, a third difference configuration object and its configuration type from each attribute of the first configuration object at the third target position and each attribute of the second configuration object at the third target position.
Specifically, as shown in Fig. 6, the objects in set a are the second configuration objects and the objects in set b are the first configuration objects.
1. Sort the two sets (by primary key).
2. If a[i] < b[j], convert the data of a[i] into a difference configuration object whose configuration type is the create type and/or update type, add it to the result list, and i++;
3. If a[i] > b[j], convert the data of b[j] into a difference configuration object whose configuration type is the delete type, add it to the result list, and j++;
4. If a[i] = b[j], generate difference configuration objects and their configuration types from each attribute of the first configuration object and each attribute of the second configuration object at the third target position, and add the resulting set of difference objects to the result list.
5. If a has been fully traversed but b has not, convert the remaining first configuration objects in b into delete-type difference configuration objects and add them to the result list;
6. If b has been fully traversed but a has not, convert the remaining second configuration objects in a into create-type difference configuration objects and add them to the result list.
7. Return the difference configuration objects and configuration types in the result list.
Optionally, in the firewall configuration processing device provided by the embodiment of the present application, the third determination sub-module includes: an analysis sub-module for performing a difference analysis on the configuration information of each attribute of the first configuration object at the third target position and the configuration information of each attribute of the second configuration object at the third target position to obtain an analysis result; and a processing sub-module for, if the analysis result indicates a difference, taking the primary key of the second configuration object at the third target position and the configuration information of the differing attribute of the second configuration object at the third target position as the third difference configuration object, and determining the configuration type of the third difference configuration object as the create type and/or update type.
Specifically, for two configuration objects with the same primary key, the differences are compared and the difference result is returned. The configuration information corresponding to all attributes is traversed and compared one by one to obtain the analysis result. If the analysis result indicates a difference, the configuration information of some attribute differs. Where the configuration information of certain attributes differs, a third difference configuration object is generated from the configuration information of the differing attributes and the primary key of the second configuration object, and the configuration type of the third difference configuration object is determined as the create type and/or update type.
可选地,在本申请实施例提供的防火墙配置的处理装置中,该装置还包括:第二确定单元,用于在对处于第三目标序位的第一配置对象的每个属性的配置信息和处于第三目标序位的第二配置对象的每个属性的配置信息进行差异性分析之前,确定处于第三目标序位的第二配置对象的每个属性的标志位;第三确定单元,用于若存在目标属性的第一标志位为第一预设数值,则将处于第三目标序位的第二配置对象的主键和目标属性作为第三差异配置对象,并确定第三差异配置对象的配置类型为创建类型和/或更新类型;第四确定单元,用于若目标属性的第二标志位为第二预设数值,则将处于第三目标序位的第二配置对象的主键和目标属性作为第三差异配置对象,并确定第三差异配置对象的配置类型为绑定类型;第五确定单元,用于若目标属性的第二标志位为第三预设数值,则将处于第三目标序位的第二配置对象的主键和目标属性作为第三差异配置对象,并确定第三差异配置对象的配置类型为解绑类型。Optionally, in the device for processing firewall configuration provided in the embodiment of the present application, the device further includes: a second determining unit, configured to configure the configuration information of each attribute of the first configuration object in the third target order Before performing difference analysis with the configuration information of each attribute of the second configuration object in the third target order, determine the flag bit of each attribute of the second configuration object in the third target order; the third determination unit, It is used to use the primary key and target attribute of the second configuration object in the third target order as the third difference configuration object if the first flag bit of the target attribute is the first preset value, and determine the third difference configuration object The configuration type is the creation type and/or the update type; the fourth determining unit is used to set the primary key and The target attribute is used as the third difference configuration object, and it is determined that the configuration type of the third difference configuration object is the binding type; the fifth determination unit is used to set the target attribute to the third preset value if the second flag bit is the third preset value. 
The primary key and target attribute of the second configuration object in the three-target sequence are used as the third difference configuration object, and the configuration type of the third difference configuration object is determined as the unbinding type.
具体地,读取处于第三目标序位的第二配置对象的每个属性的标志位,如果存在目标属性的第一标志位(unset性质)为第一预设数值(例如,1),则表明对目标属性的配置信息进行了删除。因此,将处于第三目标序位的第二配置对象的主键和目标属性作为第三差异配置对象,并确定第三差异配置对象的配置类型为创建类型和/或更新类型。Specifically, read the flag bit of each attribute of the second configuration object in the third target sequence, if the first flag bit (unset property) of the target attribute is the first preset value (for example, 1), then Indicates that the configuration information of the target attribute has been deleted. Therefore, the primary key and the target attribute of the second configuration object in the third target order are used as the third difference configuration object, and the configuration type of the third difference configuration object is determined as the creation type and/or the update type.
If the second flag bit (the "binding" property) of a target attribute has the second preset value (for example, 1), the target attribute now references another attribute; the primary key of the second configuration object at the third target position together with the target attribute is taken as the third difference configuration object, and its configuration type is determined to be the binding type.
If the second flag bit of a target attribute has the third preset value (for example, 0), the target attribute no longer references another attribute; the primary key of the second configuration object at the third target position together with the target attribute is taken as the third difference configuration object, and its configuration type is determined to be the unbinding type.
Optionally, in the firewall configuration processing device provided in the embodiments of the present application, the acquiring unit 701 includes: a first acquiring module, configured to acquire the current configuration data set of the target firewall; a second acquiring module, configured to acquire the preset configuration data set specified by the target object (the user); and a first conversion module, configured to convert the format of the current configuration data set and of the preset configuration data set to obtain the current configuration data set and the preset configuration data set in the target data format.
Specifically, the current configuration data set of the target firewall and the preset configuration data set specified by the user are collected, and both are converted into the target data format, yielding the current configuration data set and the preset configuration data set in the target data format. Normalizing both sets to one target data format resolves the problem of storing configuration information for different firewall versions.
Optionally, in the firewall configuration processing device provided in the embodiments of the present application, the conversion unit includes: a fourth acquiring module, configured to acquire the version information of the target firewall and select from the conversion manager the converter corresponding to that version information, where the conversion manager contains a plurality of converters, each corresponding to different version information; and a second conversion module, configured to convert each difference configuration object, through the converter corresponding to the version information, into the Extensible Markup Language (XML) corresponding to the target firewall.
The firewall configuration processing device includes a processor and a memory. The acquiring unit 701, analysis unit 702, first determining unit 703, conversion unit 704 and so on described above are stored in the memory as program units, and the processor executes the program units stored in the memory to realize the corresponding functions.
The processor contains a kernel, which fetches the corresponding program units from the memory. One or more kernels may be provided, and the configuration of the firewall is realized by adjusting kernel parameters.
The memory may include non-persistent memory, random access memory (RAM) and/or non-volatile memory in computer-readable media, such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
An embodiment of the present invention provides a processor configured to run a program, where the program, when run, performs the firewall configuration processing method.
As shown in FIG. 8, an embodiment of the present invention provides an electronic device including a processor, a memory, and a program stored on the memory and runnable on the processor. When the processor executes the program, the following steps are implemented: acquiring the current configuration data set of the target firewall in the target data format and the preset configuration data set in the target data format, where the current configuration data set in the target data format includes a plurality of first configuration objects, each first configuration object includes a plurality of attributes and the configuration information corresponding to each attribute, the preset configuration data set in the target data format includes a plurality of second configuration objects, each second configuration object includes a plurality of attributes and the configuration information corresponding to each attribute, and the first configuration objects and the second configuration objects are configuration objects of the target firewall; performing difference analysis on the plurality of first configuration objects and the plurality of second configuration objects to determine a difference configuration object set, where the difference configuration object set includes a plurality of difference configuration objects, each of which includes at least one attribute and the configuration information corresponding to each attribute; determining the configuration delivery order according to the configuration type corresponding to each difference configuration object in the difference configuration object set; and converting each difference configuration object, through the converter corresponding to the version information of the target firewall, into the Extensible Markup Language corresponding to the target firewall, and delivering the Extensible Markup Language to the target firewall in the configuration delivery order so as to complete the configuration of the target firewall.
Optionally, performing difference analysis on the plurality of first configuration objects and the plurality of second configuration objects to determine the difference configuration object set includes: acquiring the first primary key corresponding to each first configuration object and the second primary key corresponding to each second configuration object; sorting the plurality of first configuration objects by their first primary keys to obtain the sorted first configuration objects; sorting the plurality of second configuration objects by their second primary keys to obtain the sorted second configuration objects; and performing difference analysis on the first configuration object and the second configuration object at the same position in the sorted order to determine the difference configuration object set and the configuration type corresponding to each difference configuration object.
Optionally, the configuration types include at least: the unbinding type, the deletion type, the creation type and/or update type, and the binding type. Performing difference analysis on the first configuration object and the second configuration object at the same position to determine the difference configuration object set and the configuration type corresponding to each difference configuration object includes: if the hash value corresponding to the primary key of the first configuration object at a first target position is greater than the hash value corresponding to the primary key of the second configuration object at the first target position, determining that the first configuration object at the first target position is a first difference configuration object and that its configuration type is the creation type and/or the update type; if the hash value corresponding to the primary key of the first configuration object at a second target position is less than the hash value corresponding to the primary key of the second configuration object at the second target position, determining that the second configuration object at the second target position is a second difference configuration object and that its configuration type is the deletion type; and if the hash value corresponding to the primary key of the first configuration object at a third target position equals the hash value corresponding to the primary key of the second configuration object at the third target position, determining a third difference configuration object and its configuration type from each attribute of the first configuration object at the third target position and each attribute of the second configuration object at the third target position.
Optionally, determining the third difference configuration object and its configuration type from each attribute of the first configuration object at the third target position and each attribute of the second configuration object at the third target position includes: performing difference analysis on the configuration information of each attribute of the first configuration object at the third target position and the configuration information of each attribute of the second configuration object at the third target position to obtain an analysis result; and if the analysis result indicates a difference, taking the primary key of the second configuration object at the third target position together with the configuration information of the differing attributes of that second configuration object as the third difference configuration object, and determining that the configuration type of the third difference configuration object is the creation type and/or the update type.
Optionally, before the difference analysis is performed on the configuration information of each attribute of the first configuration object at the third target position and the configuration information of each attribute of the second configuration object at the third target position, the method further includes: determining the flag bits of each attribute of the second configuration object at the third target position; if the first flag bit of a target attribute is the first preset value, taking the primary key of the second configuration object at the third target position together with the target attribute as the third difference configuration object and determining that its configuration type is the creation type and/or the update type; if the second flag bit of the target attribute is the second preset value, taking the primary key of the second configuration object at the third target position together with the target attribute as the third difference configuration object and determining that its configuration type is the binding type; and if the second flag bit of the target attribute is the third preset value, taking the primary key of the second configuration object at the third target position together with the target attribute as the third difference configuration object and determining that its configuration type is the unbinding type.
Optionally, acquiring the current configuration data set of the target firewall in the target data format and the preset configuration data set in the target data format includes: acquiring the current configuration data set of the target firewall; acquiring the preset configuration data set specified by the target object; and converting the format of the current configuration data set and of the preset configuration data set to obtain the current configuration data set and the preset configuration data set in the target data format.
Optionally, converting each difference configuration object into the Extensible Markup Language corresponding to the target firewall through the converter corresponding to the version information of the target firewall includes: acquiring the version information of the target firewall and selecting from the conversion manager the converter corresponding to that version information, where the conversion manager contains a plurality of converters, each corresponding to different version information; and converting each difference configuration object into the Extensible Markup Language corresponding to the target firewall through the converter corresponding to the version information.
The device described herein may be a server, a PC, a PAD (tablet), a mobile phone, or the like.
The present application further provides a computer program product which, when executed on a data processing device, is adapted to execute a program initialized with the following method steps: acquiring the current configuration data set of the target firewall in the target data format and the preset configuration data set in the target data format, where the current configuration data set in the target data format includes a plurality of first configuration objects, each first configuration object includes a plurality of attributes and the configuration information corresponding to each attribute, the preset configuration data set in the target data format includes a plurality of second configuration objects, each second configuration object includes a plurality of attributes and the configuration information corresponding to each attribute, and the first configuration objects and the second configuration objects are configuration objects of the target firewall; performing difference analysis on the plurality of first configuration objects and the plurality of second configuration objects to determine a difference configuration object set, where the difference configuration object set includes a plurality of difference configuration objects, each of which includes at least one attribute and the configuration information corresponding to each attribute; determining the configuration delivery order according to the configuration type corresponding to each difference configuration object in the difference configuration object set; and converting each difference configuration object, through the converter corresponding to the version information of the target firewall, into the Extensible Markup Language corresponding to the target firewall, and delivering the Extensible Markup Language to the target firewall in the configuration delivery order so as to complete the configuration of the target firewall.
Optionally, performing difference analysis on the plurality of first configuration objects and the plurality of second configuration objects to determine the difference configuration object set includes: acquiring the first primary key corresponding to each first configuration object and the second primary key corresponding to each second configuration object; sorting the plurality of first configuration objects by their first primary keys to obtain the sorted first configuration objects; sorting the plurality of second configuration objects by their second primary keys to obtain the sorted second configuration objects; and performing difference analysis on the first configuration object and the second configuration object at the same position in the sorted order to determine the difference configuration object set and the configuration type corresponding to each difference configuration object.
Optionally, the configuration types include at least: the unbinding type, the deletion type, the creation type and/or update type, and the binding type. Performing difference analysis on the first configuration object and the second configuration object at the same position to determine the difference configuration object set and the configuration type corresponding to each difference configuration object includes: if the hash value corresponding to the primary key of the first configuration object at a first target position is greater than the hash value corresponding to the primary key of the second configuration object at the first target position, determining that the first configuration object at the first target position is a first difference configuration object and that its configuration type is the creation type and/or the update type; if the hash value corresponding to the primary key of the first configuration object at a second target position is less than the hash value corresponding to the primary key of the second configuration object at the second target position, determining that the second configuration object at the second target position is a second difference configuration object and that its configuration type is the deletion type; and if the hash value corresponding to the primary key of the first configuration object at a third target position equals the hash value corresponding to the primary key of the second configuration object at the third target position, determining a third difference configuration object and its configuration type from each attribute of the first configuration object at the third target position and each attribute of the second configuration object at the third target position.
Optionally, determining the third difference configuration object and its configuration type from each attribute of the first configuration object at the third target position and each attribute of the second configuration object at the third target position includes: performing difference analysis on the configuration information of each attribute of the first configuration object at the third target position and the configuration information of each attribute of the second configuration object at the third target position to obtain an analysis result; and if the analysis result indicates a difference, taking the primary key of the second configuration object at the third target position together with the configuration information of the differing attributes of that second configuration object as the third difference configuration object, and determining that the configuration type of the third difference configuration object is the creation type and/or the update type.
Optionally, before the difference analysis is performed on the configuration information of each attribute of the first configuration object at the third target position and the configuration information of each attribute of the second configuration object at the third target position, the method further includes: determining the flag bits of each attribute of the second configuration object at the third target position; if the first flag bit of a target attribute is the first preset value, taking the primary key of the second configuration object at the third target position together with the target attribute as the third difference configuration object and determining that its configuration type is the creation type and/or the update type; if the second flag bit of the target attribute is the second preset value, taking the primary key of the second configuration object at the third target position together with the target attribute as the third difference configuration object and determining that its configuration type is the binding type; and if the second flag bit of the target attribute is the third preset value, taking the primary key of the second configuration object at the third target position together with the target attribute as the third difference configuration object and determining that its configuration type is the unbinding type.
Optionally, acquiring the current configuration data set of the target firewall in the target data format and the preset configuration data set in the target data format includes: acquiring the current configuration data set of the target firewall; acquiring the preset configuration data set specified by the target object; and converting the format of the current configuration data set and of the preset configuration data set to obtain the current configuration data set and the preset configuration data set in the target data format.
Optionally, converting each difference configuration object into the Extensible Markup Language corresponding to the target firewall through the converter corresponding to the version information of the target firewall includes: acquiring the version information of the target firewall and selecting from the conversion manager the converter corresponding to that version information, where the conversion manager contains a plurality of converters, each corresponding to different version information; and converting each difference configuration object into the Extensible Markup Language corresponding to the target firewall through the converter corresponding to the version information.
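The following is an added example written for this page; it is not code from the patent or its applicant. It puts the pieces described above (the flag-bit classification of attributes, the sort-and-walk difference analysis, the type-driven delivery order, and the version-keyed converter that emits XML) into one runnable script. Everything concrete in it is an assumption made for illustration: the object shape, the attribute names, the flag layout (an "unset" flag and a tri-state "bind" flag per attribute, where an attribute carrying no bind flag is treated as a plain value), the delivery order (taken from the order in which the page lists the types: unbind, delete, create/update, bind), the XML schema, and the version label "v1". Two readings are mine rather than the page's: the walk treats an object present only in the preset as a creation and one present only in the current set as a deletion, which is the conventional merge-diff outcome, and it compares the primary keys themselves rather than hashes of them, because a merge walk is only sound when it compares on the same ordering it sorted by. The converter lookup fails closed on an unknown firewall version instead of falling back to another version's schema.

```python
# Added example, not code from the patent: merge-diff of two firewall config sets,
# classification into the page's five types, delivery ordering, version-keyed XML converter.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
import xml.etree.ElementTree as ET

# Types in the order the page lists them; using that order for delivery is an assumption.
UNBIND, DELETE, CREATE_UPDATE, BIND = "unbind", "delete", "create_update", "bind"
RANK = {t: n for n, t in enumerate((UNBIND, DELETE, CREATE_UPDATE, BIND))}


@dataclass
class ConfigObject:            # assumed shape of an object in the target data format
    key: str                                                      # primary key
    attrs: Dict[str, object] = field(default_factory=dict)
    unset: Dict[str, int] = field(default_factory=dict)           # first flag bit
    bind: Dict[str, Optional[int]] = field(default_factory=dict)  # second flag bit


@dataclass
class Diff:
    key: str
    ctype: str
    attrs: Dict[str, object]


def diff_attrs(cur: ConfigObject, want: ConfigObject) -> List[Diff]:
    """Equal keys: flag bits are checked before values, as the page describes."""
    out: List[Diff] = []
    for name in list(want.attrs) + [n for n in want.unset if n not in want.attrs]:
        if want.unset.get(name) == 1:             # attribute removed -> update
            out.append(Diff(want.key, CREATE_UPDATE, {name: None}))
        elif want.bind.get(name) == 1:            # now references another object
            out.append(Diff(want.key, BIND, {name: want.attrs[name]}))
        elif want.bind.get(name) == 0:            # reference dropped
            out.append(Diff(want.key, UNBIND, {name: want.attrs[name]}))
        elif cur.attrs.get(name) != want.attrs[name]:
            out.append(Diff(want.key, CREATE_UPDATE, {name: want.attrs[name]}))
    return out


def diff_sets(current: List[ConfigObject], preset: List[ConfigObject]) -> List[Diff]:
    """Sort both sets by primary key and walk them in step, comparing the same
    ordering they were sorted on (comparing a key hash would need a hash sort)."""
    cur, want = sorted(current, key=lambda o: o.key), sorted(preset, key=lambda o: o.key)
    i = j = 0
    out: List[Diff] = []
    while i < len(cur) or j < len(want):
        if j == len(want) or (i < len(cur) and cur[i].key < want[j].key):
            out.append(Diff(cur[i].key, DELETE, {}))                            # only in current
            i += 1
        elif i == len(cur) or want[j].key < cur[i].key:
            out.append(Diff(want[j].key, CREATE_UPDATE, dict(want[j].attrs)))  # only in preset
            j += 1
        else:
            out.extend(diff_attrs(cur[i], want[j]))
            i, j = i + 1, j + 1
    return out


def order_for_delivery(diffs: List[Diff]) -> List[Diff]:
    return sorted(diffs, key=lambda d: (RANK[d.ctype], d.key))


CONVERTERS: Dict[str, Callable[[Diff], str]] = {}   # the "conversion manager": version -> converter


def get_converter(version: str) -> Callable[[Diff], str]:
    if version not in CONVERTERS:   # fail closed: never reuse another version's schema
        raise LookupError(f"no converter registered for firewall version {version!r}")
    return CONVERTERS[version]


def to_xml_v1(d: Diff) -> str:
    """Hypothetical XML schema for a firewall version 'v1'."""
    root = ET.Element("config", {"type": d.ctype, "key": d.key})
    for name, value in d.attrs.items():
        a = ET.SubElement(root, "attr", {"name": name})
        if value is None:
            a.set("unset", "1")
        else:
            a.text = str(value)
    return ET.tostring(root, encoding="unicode")
CONVERTERS["v1"] = to_xml_v1


def render(current, preset, version) -> List[str]:
    conv = get_converter(version)   # resolve first so an unknown version fails before diffing
    return [conv(d) for d in order_for_delivery(diff_sets(current, preset))]


# Constructed sample data, not a real firewall configuration.
CURRENT_SET = [
    ConfigObject("addr-web", {"ip": "10.0.0.5"}),
    ConfigObject("policy-10", {"action": "permit", "src": "addr-web", "dst": "addr-old", "log": "on"}),
    ConfigObject("zone-old", {"interface": "eth2"}),
]
PRESET_SET = [
    ConfigObject("addr-db", {"ip": "10.0.1.7"}),                  # new object -> create
    ConfigObject("addr-web", {"ip": "10.0.0.6"}),                 # changed value -> update
    ConfigObject("policy-10", {"action": "permit", "src": "addr-web", "dst": "any"},
                 unset={"log": 1}, bind={"src": 1, "dst": 0}),    # unset / bind / unbind flags
]

if __name__ == "__main__":
    for line in render(CURRENT_SET, PRESET_SET, "v1"):
        print(line)
```

Run as a script, the sample yields six XML fragments in delivery order: the unbind of `policy-10.dst` first, then the deletion of `zone-old`, then the creations and updates (`addr-db`, `addr-web`, and the cleared `log` attribute of `policy-10`), and the bind of `policy-10.src` last, so no object is deleted while a policy still references it and no reference is bound before its target exists.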
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, and the like) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, the device (system), and the computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include non-persistent memory, random access memory (RAM) and/or non-volatile memory in computer-readable media, such as read-only memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media include persistent and non-persistent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprise", "include" or any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes the element.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, and the like) containing computer-usable program code.
以上仅为本申请的实施例而已,并不用于限制本申请。对于本领域技术人员来说,本申请可以有各种更改和变化。凡在本申请的精神和原理之内所作的任何修改、等同替换、改进等,均应包含在本申请的权利要求范围之内。The above are only examples of the present application, and are not intended to limit the present application. For those skilled in the art, various modifications and changes may occur in this application. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application shall be included within the scope of the claims of the present application.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211625513.2A CN116032764A (en) | 2022-12-16 | 2022-12-16 | Firewall configuration processing method and device, processor and electronic equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211625513.2A CN116032764A (en) | 2022-12-16 | 2022-12-16 | Firewall configuration processing method and device, processor and electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116032764A true CN116032764A (en) | 2023-04-28 |
Family
ID=86078961
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211625513.2A Pending CN116032764A (en) | 2022-12-16 | 2022-12-16 | Firewall configuration processing method and device, processor and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116032764A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109918123A (en) * | 2019-03-11 | 2019-06-21 | 山石网科通信技术股份有限公司 | The configuration method and device of firewall markup language |
WO2019200783A1 (en) * | 2018-04-18 | 2019-10-24 | 平安科技(深圳)有限公司 | Method for data crawling in page containing dynamic image or table, device, terminal, and storage medium |
CN111917834A (en) * | 2020-07-13 | 2020-11-10 | 腾讯科技(深圳)有限公司 | A data synchronization method, device, storage medium and computer equipment |
CN114666212A (en) * | 2022-03-25 | 2022-06-24 | 阿里云计算有限公司 | Configuration data issuing method |
- 2022-12-16: CN CN202211625513.2A patent/CN116032764A/en, active, Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20230244516A1 (en) | Dynamic image composition for container deployment | |
CN112639740B (en) | Hierarchical API for defining multi-segment applications in the SDDC | |
US9405529B2 (en) | Designing and cross-configuring software | |
KR102464337B1 (en) | System and method for determination of partition identifiers in a multitenant application server environment | |
US7490265B2 (en) | Recovery segment identification in a computing infrastructure | |
CN112714018B (en) | Gateway-based ElasticSearch search service method, system, medium and terminal | |
US9984086B2 (en) | Performing actions on objects as a result of applying tags to the objects | |
CN108763960A (en) | Access authorization for resource management method and device | |
US20230101973A1 (en) | Protecting instances of resources of a container orchestration platform from unintentional deletion | |
CN114239055B (en) | Multi-tenant isolation method and system for distributed database | |
US12293241B2 (en) | Automated generation of application programming interfaces for microservices | |
US9436716B2 (en) | Method and system for data plane abstraction to enable a network storage platform ecosystem | |
US12314425B2 (en) | Privacy data management in distributed computing systems | |
JP7501983B2 (en) | Secure handling of unified message flows in multitenant containers | |
US10783073B2 (en) | Chronologically ordered out-of-place update key-value storage system | |
US11360789B2 (en) | Configuration of hardware devices | |
US20200150979A1 (en) | Instance mapping engine and tools | |
US20180336503A1 (en) | Model-driven and automated system for shared resource solution design | |
US10942787B2 (en) | Instance mapping engine and tools | |
US11924031B2 (en) | Highly scalable container network interface operation to reduce startup overhead of functions | |
US11595493B2 (en) | System and method for namespace masking in an integration flow | |
US8656410B1 (en) | Conversion of lightweight object to a heavyweight object | |
US9626371B2 (en) | Attribute selectable file operation | |
CN116032764A (en) | Firewall configuration processing method and device, processor and electronic equipment | |
WO2024021952A1 (en) | Sharing method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||