Issue
When updating a Device from the NSM the Job Information dialog shows as successful. The Device Status shows as “In Sync” but the device does not show the new configuration, and an additional Delta Config Summerization shows that the NSM configuration is different to that of the device.
Cause
ScreenOS has a source/destination object limit per policy. Due to the NSM not “screening” the number of objects that are added to the policy via the GUI when the NSM updates the device, the NSM believes that the update has been successful and reports so via the Job Info dialog log.
In addition to this when trying to add the commands to the device itself via the CLI you may see the following
netscreen-SSG350(policy:18)-> set dst-address grp-servers
Group: Too many entries
Failed command - set group address "Untrust" "hosta" add "grp-servers"
Set address failed
Policy: can't be modified
Failed command - set dst-address grp-servers
Due to this you will not see the commands executed via the NSM (sme_bulkcli) from the output of the Devices “get event” command.
Solution
You can either :
* Create another policy to allow you to add more objects to either the source or destination.
* Reduce the number of objects in either the source or destination field.
Additional Notes :
This issue was found on NSM Xpress 2008.2r2 of which no issues relating to the above were found in the NSM 2009.r1/r1a release notes.
- How to Configure a BIND Server on Ubuntu - March 15, 2018
- What is a BGP Confederation? - March 6, 2018
- Cisco – What is BGP ORF (Outbound Route Filtering)? - March 5, 2018
Want to become an IT Security expert?
Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial