ZLD CLI / WTH! : The dummy is address-object group / Log messages

anno_t34
anno_t34 Posts: 12  Freshman Member
edited December 2021 in Security
I wrote a script to rename a bunch of address-objects. To run the script I used the ZyWALL web interface. Before running the script, just in case, I made a backup of the config file.

It took a long time until I got an error message, without any further information. Intrigued by the situation, I restored the backup, bringing the firewall back to the state before running the script, and gave it another run, this time using the CLI.

Using the CLI run command, the script ran without any messages, which means everything is fine. OK, I said, the ZLD shell does not provide a return status of the executed process (Unix/Linux $?). So I tried some error-prone command to see how the system reacts and what kind of error messages it delivers. For that I used the "address-object rename" command with an object name "dummy", which I never defined. Here is the command and the error message:

Router(config)# address-object rename dummy fake
% The dummy is address-object group.
retval = -43001
ERROR: The name is used by other object-group

IS THERE AN EXPLANATION for this?

Regards,
A.


All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,450  Zyxel Employee
    Hi @anno_t34,
    You can see the error log of a failed apply in "MONITOR > Log > View Log" when applying a zysh script.

  • anno_t34
    anno_t34 Posts: 12  Freshman Member
    edited December 2021
    Thanks for the hint. Good to know.

    I ran the test above at the ZyWALL console. The error message above, at the console, was not logged, or at least I did not find any log entry. Further tests revealed that the message is returned for any undefined address object.

    The "View Log" page has "Note: CONFIG CHANGE" records that record changes to the firewall rule set (inserted, modified), but there is no such record for address-object or group-object operations. It would be nice to have that, both for security policy review and to document the changes (change management).

    A firewall rule can be modified explicitly (logged) or implicitly (not logged).
    Implicitly means that the group objects in a firewall rule are modified, not the rule itself.
    For example, a rule defines web access using a ServiceObjectGroup "WebAccess" which contains HTTP (TCP/80) and HTTPS (TCP/443) only. Later a service object HTTP3 (UDP/443) is created (not logged) and inserted into the "WebAccess" group (not logged). As a result, the firewall rule has been practically modified without any log event.

    Regards,
    A.

    PS: I modified the title of the posting, adding "Log messages".
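Added example (not code from the thread or from Zyxel): because the View Log page records rule changes but not object or group changes, one way to catch the implicit modification described in the post above is to diff two saved configuration snapshots and flag every policy that references a group whose membership changed. The snapshots below are constructed in ZLD-style command syntax; the exact keywords (`object-group service`, `secure-policy insert`, `service` inside a policy) are assumptions here and should be checked against a real startup-config export before relying on the parser. `address-object` lines and `object-group address` blocks are handled with the same patterns.

```python
"""Detect object and object-group changes between two ZLD-style config
snapshots, and report which policies are implicitly affected."""
import re

# Constructed "before" snapshot (assumed ZLD command syntax, not a real export).
BEFORE = """\
service-object HTTP tcp eq 80
service-object HTTPS tcp eq 443
object-group service WebAccess
 service-object HTTP
 service-object HTTPS
secure-policy insert 3
 from LAN1
 to WAN
 service WebAccess
 action allow
"""
# Constructed "after" snapshot: HTTP3 was created and added to the group,
# while policy 3 itself is untouched (the case described in the post).
AFTER = """\
service-object HTTP tcp eq 80
service-object HTTPS tcp eq 443
service-object HTTP3 udp eq 443
object-group service WebAccess
 service-object HTTP
 service-object HTTPS
 service-object HTTP3
secure-policy insert 3
 from LAN1
 to WAN
 service WebAccess
 action allow
"""

def parse_config(text):
    """Return (objects, groups, refs): object name -> definition,
    group name -> set of member names, group name -> policies referencing it."""
    objects, groups, refs = {}, {}, {}
    block = None  # ("group", name) or ("policy", id) while inside an indented block
    for raw in text.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if raw[0] != " ":  # top-level command: closes any open block
            block = None
            if m := re.match(r"(?:address|service)-object (\S+) (.+)$", line):
                objects[m[1]] = m[2]
            elif m := re.match(r"object-group (?:address|service) (\S+)$", line):
                block = ("group", m[1])
                groups.setdefault(m[1], set())
            elif m := re.match(r"secure-policy (?:insert|append)? ?(\S+)$", line):
                block = ("policy", m[1])
            continue
        if block and block[0] == "group":
            if m := re.match(r"(?:address|service)-object (\S+)$", line):
                groups[block[1]].add(m[1])
        elif block and block[0] == "policy":
            if m := re.match(r"(?:service|sourceip|destinationip) (\S+)$", line):
                refs.setdefault(m[1], []).append(block[1])
    return objects, groups, refs

def diff_snapshots(before, after):
    """Compare two snapshots; return added/removed/changed objects, group
    membership changes, and the policies referencing each changed group."""
    o0, g0, _ = parse_config(before)
    o1, g1, refs = parse_config(after)
    result = {
        "objects_added": {k: o1[k] for k in o1.keys() - o0.keys()},
        "objects_removed": {k: o0[k] for k in o0.keys() - o1.keys()},
        "objects_changed": {k: (o0[k], o1[k]) for k in o0.keys() & o1.keys() if o0[k] != o1[k]},
        "group_changes": {},
        "affected_policies": {},
    }
    for name in g0.keys() | g1.keys():
        added = g1.get(name, set()) - g0.get(name, set())
        removed = g0.get(name, set()) - g1.get(name, set())
        if added or removed:
            result["group_changes"][name] = {"added": added, "removed": removed}
            # A changed group silently changes every policy that references it.
            result["affected_policies"][name] = refs.get(name, [])
    return result

def report(changes):
    """Render the diff as one line per finding, suitable for a change log."""
    lines = [f"object added: {n} ({d})" for n, d in changes["objects_added"].items()]
    lines += [f"object removed: {n} ({d})" for n, d in changes["objects_removed"].items()]
    lines += [f"object changed: {n} ({a} -> {b})" for n, (a, b) in changes["objects_changed"].items()]
    for g, ch in changes["group_changes"].items():
        lines.append(f"group {g}: +{sorted(ch['added'])} -{sorted(ch['removed'])}")
        for pol in changes["affected_policies"][g]:
            lines.append(f"  policy {pol} references {g}: rule implicitly modified")
    return lines

if __name__ == "__main__":
    for line in report(diff_snapshots(BEFORE, AFTER)):
        print(line)
```

Run against the two constructed snapshots, the report flags HTTP3 as a new object, WebAccess as a changed group and policy 3 as implicitly modified, which is exactly the event that never reaches the View Log page. In practice the snapshots would be periodic exports of the running configuration, and the report output can be kept alongside the CONFIG CHANGE records for review.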

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,450  Zyxel Employee

    Thanks for your valuable feedback. 
    We will take that into consideration and discuss internally for future improvement.
