ScreenOS Firewalls (NOT SRX)
Contributor
DeaconZ
Posts: 136
Registered: ‎01-14-2009

Device error: too many objects


Hi, I have a dozen firewalls scattered throughout the US. They are a mix of 5GT-ext's and SSG20's; we are in the process of upgrading.

 

I have received a list of IP addresses from DSS that are known threats and have added them as hosts in NSM. I put them all in a group in NSM and then started pushing them to my remote sites.

 

The problem is that on some of the FW's, old and new, I get an error doing the update from NSM.

 

Here is part of the job log:

 

Error Text:
   Exception caught during Update Device:

       The following parameters did not get updated to the device:
    set group address untrust "DSS Advisory Threats"
    set group address untrust "DSS Advisory Threats" add 195.20.225.152/32
    set group address untrust "DSS Advisory Threats" add 65.107.166.125/32
    set group address untrust "DSS Advisory Threats" add 204.11.167.30/32
    set group address untrust "DSS Advisory Threats" add 65.113.119.140/32
    set group address untrust "DSS Advisory Threats" add 218.38.34.33/32
    set group address untrust "DSS Advisory Threats" add 65.113.119.158/32
    set group address untrust "DSS Advisory Threats" add 61.107.82.134/32
    set group address untrust "DSS Advisory Threats" add 165.132.195.205/32
    set group address untrust "DSS Advisory Threats" add 65.254.5.210/32
    set group address untrust "DSS Advisory Threats" add 67.109.132.215/32
    set group address untrust "DSS Advisory Threats" add 211.233.36.125/32
    set group address untrust "DSS Advi ...

Error Details:
    No Details Available. 

 

 

The entire list of threat objects is about 5 times that long.

 

At the end of the log I see this over and over for each object:

 

Sending configuration cli commands to device ...
    Device error on command:
      268    set group address untrust "DSS Advisory Threats" add 195.20.225.152/32
          Group: Too many entries
...

 

Verifying configuration ...
    Verification failed
        The following parameters did not get updated to the device:

set group address untrust "DSS Advisory Threats"...

 

 

Is there a limit on 5GT's and SSG20's for the total amount of objects?

 

I noticed that my SSG550's at my main site don't have this problem.

 

Any help would be appreciated, I really need to block these.

Message Edited by DeaconZ on 03-05-2009 08:02 AM
Distinguished Expert
Screenie
Posts: 1,073
Registered: ‎01-10-2008

Re: Device error: too many objects

There certainly is a max of objects in a group. I believe it's device dependent. Not sure but it might be this when you do a get sys-cfg: max number of objects to add token per tic number: 32 (from a ssg5).


It could be an idea to nest groups to keep within the limits. You're allowed to add a group to a group. Not nice but maybe a solution.

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
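The nesting suggested in the reply above, sketched as an added example (not code from either poster or from Juniper): it splits a blocklist into child groups and adds each child to the parent group, reusing the `set group address` form from the job log. The per-group limit `max_members`, the numbered child-group names, the helper name and the sample addresses are assumptions; the address objects are assumed to exist already under their `a.b.c.d/32` names.

```python
import ipaddress

# Constructed sample input (documentation address ranges), with one duplicate.
SAMPLE = ["192.0.2.10", "192.0.2.11/32", "198.51.100.7",
          "192.0.2.10/32", "203.0.113.5", "203.0.113.6"]

def nested_group_commands(hosts, zone, parent, max_members):
    """Return ScreenOS CLI lines that spread hosts over child groups of at
    most max_members entries and add each child group to the parent group."""
    if max_members < 1:
        raise ValueError("max_members must be at least 1")
    # Normalise to the a.b.c.d/32 names seen in the job log, drop duplicates,
    # and reject anything that is not a single IPv4 host.
    members = []
    for raw in hosts:
        net = ipaddress.ip_network(raw.strip(), strict=True)
        if net.version != 4 or net.prefixlen != 32:
            raise ValueError(f"not a single IPv4 host: {raw!r}")
        if str(net) not in members:
            members.append(str(net))
    chunks = [members[i:i + max_members]
              for i in range(0, len(members), max_members)]
    # One level of nesting only: the parent must also stay within the limit.
    if len(chunks) > max_members:
        raise ValueError("parent group would itself exceed max_members")
    lines = []
    for n, chunk in enumerate(chunks, start=1):
        child = f"{parent} {n:02d}"          # hypothetical naming scheme
        lines.append(f'set group address {zone} "{child}"')
        lines += [f'set group address {zone} "{child}" add {m}' for m in chunk]
    lines.append(f'set group address {zone} "{parent}"')
    lines += [f'set group address {zone} "{parent}" add "{parent} {n:02d}"'
              for n in range(1, len(chunks) + 1)]
    return lines

if __name__ == "__main__":
    # max_members=3 is a constructed value; use the limit your device reports.
    for line in nested_group_commands(SAMPLE, "untrust",
                                      "DSS Advisory Threats", 3):
        print(line)
```

Whether nesting also stays within a device's total object capacity is not established in this thread, so test the generated commands on one of the affected models before pushing them everywhere.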