MAJOR issue with Update-FMCAccessPolicyRule on 6.3.0.x (CSCvo81260) #21

Open
eckdd opened this issue Apr 17, 2019 · 4 comments
Labels
bug Something isn't working


eckdd commented Apr 17, 2019

No description provided.

@eckdd eckdd added bug Something isn't working help wanted Extra attention is needed labels Apr 17, 2019

eckdd commented Apr 17, 2019

If an ACP contains a source/destination network host literal in dotted decimal format (e.g. 1.1.1.1), the API returns the type as "FQDN". When updating a rule and the invalid type of "FQDN" is sent to the API, it clears the entire source or destination element, resulting in the rule matching any IP.

DO NOT use the Update-FMCAccessPolicyRule function on rules containing host literals in the source/destination networks that are not in CIDR notation in 6.3; otherwise it removes all items in the source/destination networks, resulting in a match of any.

@eckdd eckdd changed the title MAJOR issue with Update-FMCAccessPolicyRule on 6.2.3.9 and greater MAJOR issue with Update-FMCAccessPolicyRule on 6.3 and greater Apr 18, 2019
@eckdd eckdd removed the help wanted Extra attention is needed label Apr 18, 2019
@gregdent

Is there any workaround for this or planned fix?


eckdd commented May 20, 2019

> Is there any workaround for this or planned fix?

Hi gregdent,

This is a result of the bug CSCvo81260. It appears to have been fixed in 6.4.0, but not the latest (6.3.0.3) maintenance release. No fix action in PowerFMC is planned. A workaround would be to ensure you have no host literals that are not in CIDR notation (e.g. 1.1.1.1 = BAD; 1.1.1.1/32 = GOOD).

I will be monitoring 6.3.0 for the latest maintenance release and will test to see if this bug has been fixed.
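
A pre-flight check for the workaround described in the comment above, as an added example that is not part of the original thread or of PowerFMC. `Test-FMCRuleLiterals` is a hypothetical helper, and the rule shape (`sourceNetworks`/`destinationNetworks` each holding a `literals` list of `type`/`value` pairs) and the sample rule are assumptions constructed for illustration.

```powershell
# Added example, not PowerFMC code. Test-FMCRuleLiterals is a hypothetical helper.
function Test-FMCRuleLiterals {
    param([Parameter(Mandatory)] $Rule)

    foreach ($field in 'sourceNetworks', 'destinationNetworks') {
        # Assumed shape: <field>.literals is a list of { type, value } entries.
        $element = $Rule.$field
        if ($null -eq $element) { continue }

        foreach ($literal in @($element.literals)) {
            if ($null -eq $literal) { continue }

            # Dotted-decimal host with no prefix length (1.1.1.1, not 1.1.1.1/32).
            $bareHost = [string]$literal.value -match '^\d{1,3}(\.\d{1,3}){3}$'

            # Either condition means an update would send the invalid "FQDN" type.
            if ($literal.type -eq 'FQDN' -or $bareHost) {
                [pscustomobject]@{
                    Rule  = $Rule.name
                    Field = $field
                    Type  = $literal.type
                    Value = $literal.value
                }
            }
        }
    }
}

# Constructed sample rule; the names and type values are illustrative only.
$sample = @'
{
  "name": "constructed-rule",
  "sourceNetworks":      { "literals": [ { "type": "FQDN",    "value": "1.1.1.1" } ] },
  "destinationNetworks": { "literals": [ { "type": "Network", "value": "1.1.1.1/32" } ] }
}
'@ | ConvertFrom-Json

$unsafe = @(Test-FMCRuleLiterals -Rule $sample)
if ($unsafe.Count -gt 0) {
    $unsafe | Format-Table -AutoSize
    Write-Warning "Do not update '$($sample.name)': its networks would be cleared to any."
} else {
    # Only a rule that reaches this branch is safe to pass to Update-FMCAccessPolicyRule.
    Write-Output "'$($sample.name)' has no bare host literals."
}
```

Run the check against every rule before a bulk update, and rewrite any flagged literal in CIDR notation before updating that rule.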

@eckdd eckdd changed the title MAJOR issue with Update-FMCAccessPolicyRule on 6.3 and greater MAJOR issue with Update-FMCAccessPolicyRule on 6.3.0.x (CSCvo81260) May 20, 2019
@gregdent

Thanks for the update! A shame we decided to use 6.3 for the multi-instance mode, with the view that 6.4 would have been slightly riskier without any maintenance releases. I shall recommend we move to 6.4 for future deployments.

@eckdd eckdd pinned this issue Sep 17, 2019