ZLD CLI / WTH! : The dummy is address-object group / Log messages
I wrote a script to rename a bunch of address-objects. To run the script I used the ZyWALL web interface. Before running the script, just in case, I made a backup of the config file.
It took a long time until I got an error message, without any further information. Intrigued by the situation, I restored the backup, bringing the firewall back to the state before running the script, and gave it another run, this time using the CLI.
Using the CLI run command, the script ran without any messages, which means everything is fine. OK, I said, the ZLD shell does not provide a return status of the executed process (Unix/Linux $?). So I tried some error-prone command to see how the system reacts and what kind of error messages it delivers. For that I used the "address-object rename" command with an object name "dummy", which I never defined. Here is the command and the error message:
Router(config)# address-object rename dummy fake
% The dummy is address-object group.
retval = -43001
ERROR: The name is used by other object-group
IS THERE AN EXPLANATION for this?
Regards,
A.
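Since the ZLD shell gives no per-command exit status, the only record of a failed line in a script is the text printed at the console, as in the "retval = -43001" / "ERROR:" lines quoted above. The following is an added example (not code from the thread or from Zyxel) of a small post-run checker that reads a saved console transcript, attributes every printed line to the command echoed at the preceding prompt, and lists the commands that failed. The transcript is constructed: the three lines after the failing rename are the ones quoted in the post, while the prompt format and the other commands are assumed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample console transcript. The three lines printed after the
# failing "dummy" rename are the ones quoted in the post; the prompt format
# and the other commands are assumed for illustration.
SAMPLE_TRANSCRIPT = """\
Router(config)# address-object rename LAN_OLD LAN_NEW
Router(config)# address-object rename dummy fake
% The dummy is address-object group.
retval = -43001
ERROR: The name is used by other object-group
Router(config)# address-object rename DMZ_OLD DMZ_NEW
Router(config)# exit
"""

# A prompt line: hostname, optional "(config...)" mode suffix, "#", then the
# echoed command. Assumed prompt shape; adjust if the device prints differently.
PROMPT_RE = re.compile(r"^\S+?(?:\([^)]*\))?#\s*(?P<cmd>.*)$")
RETVAL_RE = re.compile(r"^retval\s*=\s*(?P<code>-?\d+)\s*$")


@dataclass
class CommandResult:
    command: str
    retval: Optional[int] = None        # None: the CLI printed no retval line
    messages: List[str] = field(default_factory=list)

    @property
    def failed(self) -> bool:
        # A non-zero retval or an explicit "ERROR:" line counts as failure.
        return (self.retval is not None and self.retval != 0) or any(
            m.startswith("ERROR:") for m in self.messages
        )


def parse_transcript(text: str) -> List[CommandResult]:
    """Group every non-prompt line under the most recent command echoed at a prompt."""
    results: List[CommandResult] = []
    current: Optional[CommandResult] = None
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            current = CommandResult(m.group("cmd").strip())
            results.append(current)
            continue
        if current is None or not line.strip():
            continue                    # output before any prompt, or blank line
        r = RETVAL_RE.match(line)
        if r:
            current.retval = int(r.group("code"))
        else:
            current.messages.append(line.strip())
    return results


def failed_commands(text: str) -> List[CommandResult]:
    """Return only the commands whose output indicates a failure."""
    return [r for r in parse_transcript(text) if r.failed]


if __name__ == "__main__":
    for res in failed_commands(SAMPLE_TRANSCRIPT):
        print(f"{res.command!r} failed (retval={res.retval}): {'; '.join(res.messages)}")
```

Run it against a transcript captured from the terminal session (or the script log) and treat a non-empty result as the missing "$?" for the whole run. Commands that print nothing are assumed to have succeeded, which matches the behaviour described in the post.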
All Replies
Hi @anno_t34,
You can see the apply-failure error log in "MONITOR > Log > View Log" when applying a zysh script.
Thanks for the hint. Good to know.
I ran the test above at the ZyWALL console. The error message above, at the console, was not logged, or at least I did not find any log entry. Further tests revealed that the message is returned for any undefined address object.
The "View Log" page has "Note: CONFIG CHANGE" records that log changes to the firewall rule set (inserted, modified), but there is no such record for address-object or group-object operations. It would be nice to have that, both for security policy review and to document the changes (change management).
A firewall rule can be modified explicit (logged) or implicit (not logged).
Implicit means that the group objects in a firewall rule are modified, not the rule itself.
For example, a rule defines web access using a ServiceObjectGroup "WebAccess" which contains HTTP (TCP/80) and HTTPS (TCP/443) only. Later a service object HTTP3 (UDP/443) is created (not logged) and inserted into the "WebAccess" group (not logged). As a result the firewall rule has practically been modified without any log event.
Regards,
A.
PS: I modified the title of the posting, adding "Log messages".
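Because group membership changes are not logged, the only way to catch an implicit rule change is to expand each rule's referenced group to its concrete services in two config snapshots and compare the results. The following is an added example (not code from the thread or from Zyxel) that does exactly that for the HTTP3 scenario above. The configuration syntax used here is a simplified, assumed ZLD-like format, not the real ZLD grammar; both snapshots are constructed.

```python
import re
from typing import Dict, List, Set, Tuple

Service = Tuple[str, int]  # (protocol, port)

# Constructed "before" snapshot in a simplified, assumed ZLD-like syntax.
# This is NOT the real ZLD configuration grammar; it only mirrors the idea of
# service objects, a service object group and a rule that references the group.
BEFORE = """\
service-object HTTP tcp eq 80
service-object HTTPS tcp eq 443
object-group service WebAccess
 service-object HTTP
 service-object HTTPS
secure-policy Web_Out from LAN1 to WAN service WebAccess allow
"""

# Constructed "after" snapshot: HTTP3 (UDP/443) was created and inserted into
# WebAccess. The secure-policy line itself is byte-for-byte unchanged.
AFTER = """\
service-object HTTP tcp eq 80
service-object HTTPS tcp eq 443
service-object HTTP3 udp eq 443
object-group service WebAccess
 service-object HTTP
 service-object HTTPS
 service-object HTTP3
secure-policy Web_Out from LAN1 to WAN service WebAccess allow
"""

OBJECT_RE = re.compile(r"^service-object (\S+) (tcp|udp) eq (\d+)$")
GROUP_RE = re.compile(r"^object-group service (\S+)$")
MEMBER_RE = re.compile(r"^service-object (\S+)$")
RULE_RE = re.compile(r"^secure-policy (\S+) from \S+ to \S+ service (\S+) (?:allow|deny)$")


class Config:
    def __init__(self) -> None:
        self.objects: Dict[str, Service] = {}
        self.groups: Dict[str, List[str]] = {}        # group -> member names
        self.rules: Dict[str, Tuple[str, str]] = {}   # rule -> (raw line, service ref)


def parse_config(text: str) -> Config:
    """Parse the assumed simplified syntax; indented lines are group members."""
    cfg = Config()
    current_group = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0].isspace() and current_group is not None:
            m = MEMBER_RE.match(line)
            if m:
                cfg.groups[current_group].append(m.group(1))
            continue
        current_group = None
        if (m := OBJECT_RE.match(line)):
            cfg.objects[m.group(1)] = (m.group(2), int(m.group(3)))
        elif (m := GROUP_RE.match(line)):
            current_group = m.group(1)
            cfg.groups[current_group] = []
        elif (m := RULE_RE.match(line)):
            cfg.rules[m.group(1)] = (line, m.group(2))
    return cfg


def effective_services(cfg: Config, name: str, _seen: Set[str] = None) -> Set[Service]:
    """Expand a service object or (possibly nested) group to concrete (proto, port) pairs."""
    _seen = set() if _seen is None else _seen
    if name in cfg.objects:
        return {cfg.objects[name]}
    if name in cfg.groups:
        if name in _seen:
            raise ValueError(f"circular group reference: {name}")
        result: Set[Service] = set()
        for member in cfg.groups[name]:
            result |= effective_services(cfg, member, _seen | {name})
        return result
    raise KeyError(f"unknown service object or group: {name}")


def audit_rules(before_text: str, after_text: str) -> Dict[str, object]:
    """Explicit: rule line added/removed/edited. Implicit: same rule line, but the
    referenced group now expands to a different service set."""
    before, after = parse_config(before_text), parse_config(after_text)
    explicit: List[str] = []
    implicit: Dict[str, Dict[str, Set[Service]]] = {}
    for name in sorted(set(before.rules) | set(after.rules)):
        if name not in before.rules or name not in after.rules:
            explicit.append(name)
            continue
        if before.rules[name][0] != after.rules[name][0]:
            explicit.append(name)
            continue
        old = effective_services(before, before.rules[name][1])
        new = effective_services(after, after.rules[name][1])
        if old != new:
            implicit[name] = {"added": new - old, "removed": old - new}
    return {"explicit": explicit, "implicit": implicit}


if __name__ == "__main__":
    print(audit_rules(BEFORE, AFTER))
```

Run it over two exported configurations (for example the backup taken before a change and the current running config) and review the "implicit" entries alongside the CONFIG CHANGE log records; that closes the gap the post describes, where a rule's effective scope changes without any event in "View Log".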
Hi @anno_t34,
Thanks for your valuable feedback. We will take that into consideration and discuss internally for future improvement.