ScreenOS Firewalls (NOT SRX)
Visitor
Mr_MJ
Posts: 2
Registered: 05-02-2012

unset dst-address error when amending policy causes corruption

Hi there,

I have an SSG-350m, and I think I may have caused an issue with the names I have given to address objects.

When I amend a policy in the GUI I get the following error in a dialog box:

"unset dst-address Internal Prod Network - 10.100.0.0/16"

"unknown keyword Prod"

When I hit OK on the dialog box it takes me back to the policy. I then hit cancel, and go back and the policy will be there, but if it was a multiple service policy they will all have gone bar one, and usually that one wasn't in the policy to begin with. I have seen other odd behaviour after this error, like the source objects change, seemingly randomly.

So I have a couple of questions here. Firstly, are my address names the wrong format, is "Internal Prod Network - 10.100.0.0/16" not advisable? If so, can you give me some guidelines on sensible object names that are suitable for the firewall?

Secondly, is this simply a software bug that is corrected in a later version, and if anyone else has seen this, what did they do to work around it?

Version: 6.2.0r1.0 (Firewall+VPN)

Thanks

MJ

Super Contributor
nikolay.semov
Posts: 170
Registered: 03-15-2012

Re: unset dst-address error when amending policy causes corruption

I'm thinking this has got to be a bug. In the configuration, address object names are enclosed in quotes, so technically the name you have should be quite alright. Likely the WebUI is just buggy. Look through the 6.2 and 6.3 release notes and / or in the PR search tool on Juniper's site.
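
An added example, not part of the thread or of any Juniper tooling: a Python audit that lists the address object names in a saved config which stop being a single argument if a front end sends them without the quotes, as in the error dialog above. The sample config lines are constructed, and both `shlex` (standing in for the CLI's quote handling) and plain whitespace splitting (standing in for how an unquoted name is read) are assumptions.

```python
import shlex

# Constructed sample lines in ScreenOS "set address <zone> <name> <ip> <mask>" form.
SAMPLE_CONFIG = '''\
set address "Trust" "Internal Prod Network - 10.100.0.0/16" 10.100.0.0 255.255.0.0
set address "Trust" "10.200.0.0/16" 10.200.0.0 255.255.0.0 "Internal test network"
set address "Untrust" "Partner-VPN" 192.0.2.0 255.255.255.0
set policy id 5 from "Trust" to "Untrust" "Internal Prod Network - 10.100.0.0/16" "Any" "HTTP" permit
'''


def address_names(config):
    """Return (zone, name) for every 'set address' line in the config text."""
    found = []
    for line in config.splitlines():
        tokens = shlex.split(line)  # honours the double quotes around names
        if tokens[:2] == ["set", "address"] and len(tokens) >= 4:
            found.append((tokens[2], tokens[3]))
    return found


def unquoted_tokens(name):
    """Tokens a whitespace-splitting parser sees if the name arrives unquoted."""
    return name.split()


def names_needing_quotes(config):
    """Names that stop being one argument once the quotes are dropped."""
    return [name for _, name in address_names(config)
            if len(unquoted_tokens(name)) > 1]


if __name__ == "__main__":
    for name in names_needing_quotes(SAMPLE_CONFIG):
        toks = unquoted_tokens(name)
        print(f"{name!r}: unquoted, the name ends at {toks[0]!r} "
              f"and {toks[1]!r} is read as a keyword")
```

Names the audit reports are the ones to watch when editing policies through a front end that may drop the quotes; names without whitespace, such as the bare prefix, are unaffected.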
Visitor
Mr_MJ
Posts: 2
Registered: 05-02-2012

Re: unset dst-address error when amending policy causes corruption

Thanks for that. Yeah, I looked through the CLI output and saw that they are enclosed in quotes. I may upgrade to 6.3 and see if that sorts it out.

I'm thinking about going back and renaming all objects to just the IP, and being verbose in the description instead. However, the idea of having a verbose object name makes it easier for others to quickly look at the policies in the GUI and see what the source / destination is without then having to click through to the address objects themselves. I was trying to make support and troubleshooting easier for BAU guys.

Super Contributor
nikolay.semov
Posts: 170
Registered: 03-15-2012

Re: unset dst-address error when amending policy causes corruption

You may want to test the upgrade to 6.3 in a sandbox since there are quite a few changes in default behavior between 6.2 and 6.3. I'd recommend going to the latest release of 6.2 and then testing out 6.3, if you like, as a separate project.