Screen OS

  • 1.  Device error: too many objects

    Posted 03-05-2009 08:02

    Hi, I have a dozen firewalls scattered throughout the US. They are a mix of 5GT-ext's and SSG20's; we are in the process of upgrading.

     

    I have received a list of IP addresses from DSS that are known threats and have added them as hosts in NSM. I put them all in a group in NSM and then started pushing them to my remote sites.

     

    The problem is that on some of the FW's, old and new, I get an error doing the update from NSM.

     

    Here is part of the job log:

     

    Error Text:
       Exception caught during Update Device:

           The following parameters did not get updated to the device:
        set group address untrust "DSS Advisory Threats"
        set group address untrust "DSS Advisory Threats" add 195.20.225.152/32
        set group address untrust "DSS Advisory Threats" add 65.107.166.125/32
        set group address untrust "DSS Advisory Threats" add 204.11.167.30/32
        set group address untrust "DSS Advisory Threats" add 65.113.119.140/32
        set group address untrust "DSS Advisory Threats" add 218.38.34.33/32
        set group address untrust "DSS Advisory Threats" add 65.113.119.158/32
        set group address untrust "DSS Advisory Threats" add 61.107.82.134/32
        set group address untrust "DSS Advisory Threats" add 165.132.195.205/32
        set group address untrust "DSS Advisory Threats" add 65.254.5.210/32
        set group address untrust "DSS Advisory Threats" add 67.109.132.215/32
        set group address untrust "DSS Advisory Threats" add 211.233.36.125/32
        set group address untrust "DSS Advi ...

    Error Details:
        No Details Available. 

     

     

    The entire list of threat objects is about 5 times that long.

     

    At the end of the log I see this over and over for each object:

     

    Sending configuration cli commands to device ...
        Device error on command:
          268    set group address untrust "DSS Advisory Threats" add 195.20.225.152/32
              Group: Too many entries
    ...

     

    Verifying configuration ...
        Verification failed
            The following parameters did not get updated to the device:

    set group address untrust "DSS Advisory Threats"...

     

     

    Is there a limit on 5GT's and SSG20's for the total amount of objects?

     

    I noticed that my SSG550's at my main site don't have this problem.

     

    Any help would be appreciated, I really need to block these.

    Message Edited by DeaconZ on 03-05-2009 08:02 AM


  • 2.  RE: Device error: too many objects
    Best Answer

    Posted 03-05-2009 08:30

    There certainly is a max of objects in a group. I believe it's device dependent. Not sure, but it might be this when you do a get sys-cfg: max number of objects to add token per tic number: 32 (from an SSG5).


    It could be an idea to nest groups to keep within the limits. You're allowed to add a group to a group. Not nice but maybe a solution.
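
The nesting approach suggested in the answer above, as an added example that is not part of the original thread and is not Juniper or NSM code: it validates and de-duplicates a blocklist, splits it into child groups under a per-group cap, and emits the `set group address` lines that nest them in one parent group. The child naming scheme, the cap value, the assumption that a nested group counts as one member of its parent, and the assumption that address book entries named `<ip>/<prefix>` already exist in the zone (as in the job log) are all assumptions to check against the actual device.

```python
import ipaddress

def nested_group_commands(addresses, zone, parent, max_per_group):
    """Build ScreenOS CLI lines that spread addresses over child groups of `parent`."""
    if '"' in parent or '"' in zone:
        raise ValueError("quotes are not allowed in zone or group names")
    # Validate each entry, normalise to address/prefix form, drop duplicates in order.
    entries = []
    for raw in addresses:
        name = ipaddress.ip_network(raw.strip(), strict=True).with_prefixlen
        if name not in entries:
            entries.append(name)
    chunks = [entries[i:i + max_per_group]
              for i in range(0, len(entries), max_per_group)]
    # Assumption: a nested group counts as one member of the parent group.
    if len(chunks) > max_per_group:
        raise ValueError(f"{len(entries)} entries need {len(chunks)} child groups, "
                         f"more than the parent can hold at {max_per_group} per group")
    lines = [f'set group address {zone} "{parent}"']
    for n, chunk in enumerate(chunks, 1):
        child = f"{parent} {n:02d}"  # hypothetical child naming scheme
        lines.append(f'set group address {zone} "{child}"')
        # Assumption: address book entries named <ip>/<prefix> already exist in the zone.
        lines += [f'set group address {zone} "{child}" add {e}' for e in chunk]
        lines.append(f'set group address {zone} "{parent}" add "{child}"')
    return lines

if __name__ == "__main__":
    # Constructed sample input (documentation range), with one duplicate.
    sample = [f"192.0.2.{i}" for i in range(1, 8)] + ["192.0.2.1/32"]
    # max_per_group=3 is a constructed value; use the limit of the actual device.
    print("\n".join(nested_group_commands(sample, "untrust", "DSS Advisory Threats", 3)))
```

The policy then references only the parent group, so the rule base stays the same size while the list grows up to the square of the per-group cap.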