MAJOR issue with Update-FMCAccessPolicyRule on 6.3.0.x (CSCvo81260)
Opened this issue · 4 comments
If an ACP contains a source/destination network host literal in dotted decimal format (e.g. 1.1.1.1), the API returns the type as "FQDN". When updating a rule and the invalid type of "FQDN" is sent to the API, it clears the entire source or destination element, resulting in the rule matching any IP.
DO NOT use the Update-FMCAccessPolicyRule function on rules containing host literals in the source/destination networks that are not in CIDR notation in 6.3; otherwise it removes all items in the source/destination networks, resulting in a match of any.
Is there any workaround for this or planned fix?
Hi gregdent,
This is a result of the bug CSCvo81260. It appears to have been fixed in 6.4.0, but not the latest (6.3.0.3) maintenance release. No fix action in PowerFMC is planned. A workaround would be to ensure you have no host literals that are not in CIDR notation (e.g. 1.1.1.1 = BAD; 1.1.1.1/32 = GOOD).
I will be monitoring 6.3.0 for the latest maintenance release and will test to see if this bug has been fixed.
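A pre-update audit for the workaround described above, as an added example that is not part of the original thread or of PowerFMC. The helper name `Find-UnsafeHostLiteral` is hypothetical, and the rule shape (`sourceNetworks` / `destinationNetworks` each holding a `literals` list of `type` and `value`) is an assumption about the rule JSON; the sample rules are constructed.

```powershell
# Constructed sample rules; the literals layout is an assumed rule shape.
$sampleJson = @'
[
  {"name":"allow-dns",
   "sourceNetworks":{"literals":[{"type":"FQDN","value":"1.1.1.1"}]},
   "destinationNetworks":{"literals":[{"type":"Network","value":"10.0.0.0/8"}]}},
  {"name":"allow-web",
   "sourceNetworks":{"literals":[{"type":"Host","value":"192.0.2.10/32"}]}}
]
'@

function Find-UnsafeHostLiteral {
    # Hypothetical helper: lists host literals written as a bare dotted-decimal
    # address (no prefix length), the form this issue says is returned as "FQDN".
    param([Parameter(Mandatory)][object[]]$Rule)

    foreach ($r in $Rule) {
        foreach ($side in 'sourceNetworks', 'destinationNetworks') {
            $literals = $r.$side.literals
            if (-not $literals) { continue }   # side absent or empty

            foreach ($lit in $literals) {
                $ip = $null
                $isBareIp = ($lit.value -match '^\d{1,3}(\.\d{1,3}){3}$') -and
                            [System.Net.IPAddress]::TryParse($lit.value, [ref]$ip)
                if ($isBareIp) {
                    [pscustomobject]@{
                        Rule          = $r.name
                        Side          = $side
                        Value         = $lit.value
                        ReportedType  = $lit.type
                        SuggestedCidr = "$($lit.value)/32"   # the "GOOD" form
                    }
                }
            }
        }
    }
}

$rules = $sampleJson | ConvertFrom-Json
Find-UnsafeHostLiteral -Rule $rules | Format-Table -AutoSize
```

On the sample this reports only `allow-dns` / `sourceNetworks` / `1.1.1.1`. Any rule it lists should be left out of an Update-FMCAccessPolicyRule run on 6.3.0.x until the literal has been rewritten in CIDR form.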
Thanks for the update! A shame we decided to use 6.3 for the multi-instance mode, with the view 6.4 would have been slightly riskier without any maintenance releases. I shall recommend we move to 6.4 for future deployments.