Manual Chapter: Comparing Security Policies

Overview: Comparing security policies

Application Security Manager™ has a Policy Diff feature that lets you compare two security policies, view the differences between them, and copy the settings from one policy to the other. You can use the comparison for auditing purposes, to make two policies act similarly, or to simply view the differences between two security policies. The Policy Diff feature is particularly useful for comparing a security policy in staging and a production version. You can compare active security policies (with or without Policy Builder running), inactive security policies, and exported security policies. When you import security policies that were exported from another system, they are placed in the inactive policies list.

You need to have a user role on the BIG-IP® system of Administrator or Web Application Security Editor to use Policy Diff to compare security policies.

Comparing security policies

Before you can compare security policies, the two policies must be on the same BIG-IP system, or accessible from the system you are using (such as imported policies). They must also have the same language encoding, the same protocol independence (Differentiate between HTTP and HTTPS URLs) configuration, and the same case sensitivity configuration. You can compare policies even if they are running Policy Builder, but because they are constantly changing, the comparison is done on copies of the policies to avoid corrupting them.
Note: Only users with a role of Administrator, Application Security Administrator, or Application Security Editor can use Policy Diff to compare security policies.
You can compare two security policies to review the differences between them. While the two security policies are being compared, the system prevents other users from saving changes to them.
  1. On the Main tab, click Security > Application Security > Security Policies > Policy Diff.
  2. From the First Policy and Second Policy lists, select the security policies you want to compare or merge, or click Browse to search your computer for an exported security policy. The two security policies you are comparing can be active, inactive, policies imported in binary or XML format, or a combination of these.
  3. If you plan to merge security policy attributes, it is a good idea to safeguard the original security policy. In the Working Mode field, select how you want to work.
    Option: Description
    Work on Original: Incorporate changes to one (or both) of the original security policies, depending on the merge options you select, without making a copy.
    Make a Copy: Make a copy of the security policy into which you are incorporating changes.
    Work on Copy: Work on a copy of the original security policy. The system first makes a copy, then incorporates possible changes on the original policies. If you are comparing one or more policies with Policy Builder enabled, this option is automatically selected (and the other options become unavailable).
  4. Click the Calculate Differences button to compare the two security policies.
    Note: The system does not compare navigation parameters. They are ignored and do not appear in the results.
    The Policy Differences Summary lists the number of differences for each entity type.
  5. Click any row in the Policy Differences Summary to view the differing entities with details about the conflicting attributes. The system displays a list of the differing entities and shows details about each entity's conflicting attributes.
  6. Review the differences between the two policies and determine whether or not you want to merge attributes from one policy to the other.
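
The comparison rules described above, modeled in Python as an added example that is not part of the original manual or of F5's software: it enforces the three matching-configuration prerequisites, skips navigation parameters, and counts differing entities per type. The policy dictionary layout, field names, and sample policies are constructed assumptions, not the ASM export format.

```python
# Added example: simplified model of a policy comparison. The dictionary
# layout and field names are assumptions, not the ASM export format.
PRECONDITIONS = ("encoding", "protocol_independent", "case_sensitive")

def check_comparable(first, second):
    """Return the settings that differ but must match before comparing."""
    return [k for k in PRECONDITIONS if first["settings"][k] != second["settings"][k]]

def policy_diff(first, second):
    """Return {entity_type: {entity_name: detail}} for entities that differ."""
    mismatched = check_comparable(first, second)
    if mismatched:
        raise ValueError(f"policies not comparable, settings differ: {mismatched}")
    result = {}
    for etype in sorted(set(first["entities"]) | set(second["entities"])):
        a = first["entities"].get(etype, {})
        b = second["entities"].get(etype, {})
        for name in sorted(set(a) | set(b)):
            # Navigation parameters are not compared and never appear in results.
            if etype == "parameters" and any(
                    p.get(name, {}).get("navigation") for p in (a, b)):
                continue
            if name not in a or name not in b:
                detail = "only in first" if name in a else "only in second"
            else:
                keys = sorted(set(a[name]) | set(b[name]))
                detail = {k: (a[name].get(k), b[name].get(k))
                          for k in keys if a[name].get(k) != b[name].get(k)}
            if detail:
                result.setdefault(etype, {})[name] = detail
    return result

def summary(diff):
    """Number of differing entities per entity type."""
    return {etype: len(entities) for etype, entities in diff.items()}

# Constructed sample policies: a staging version and a production version.
SETTINGS = {"encoding": "utf-8", "protocol_independent": True, "case_sensitive": True}
STAGING = {"settings": SETTINGS, "entities": {
    "urls": {"/login": {"staging": True, "signatures": True},
             "/admin": {"staging": True, "signatures": True}},
    "parameters": {"user": {"max_length": 64},
                   "page": {"navigation": True, "max_length": 8}}}}
PRODUCTION = {"settings": SETTINGS, "entities": {
    "urls": {"/login": {"staging": False, "signatures": True}},
    "parameters": {"user": {"max_length": 32},
                   "page": {"navigation": True, "max_length": 4}}}}
```

Calling `summary(policy_diff(STAGING, PRODUCTION))` gives the per-type counts, and the full `policy_diff` result holds each entity's conflicting attribute values as (first, second) pairs.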