
MIP addresses can be deleted even when being referenced by a policy


Article ID: KB10147 | Last Updated: 11 Aug 2010 | Version: 3.0
Summary:
MIP (Mapped IP) addresses are used for one-to-one static NAT translations.  When more than one MIP is referenced in the same policy (on either ScreenOS 5.4 or 6.0), it is possible to delete those MIPs.  The end result is that the policy continues to reference one of the deleted MIPs.
Symptoms:

Assume the following sample config:

set interface "ethernet0/2" mip 50.1.1.2 host 172.19.50.2 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip 50.1.1.3 host 172.19.50.3 netmask 255.255.255.255 vr "trust-vr"
set policy id 1 from "Untrust" to "Trust" "Any" "MIP(50.1.1.2)" "HTTP" permit
set policy id 1
     set dst-address "MIP(50.1.1.3)"
     exit

Delete these two MIPs via the CLI or the WebUI.  A "get config | i mip" shows that the MIPs are deleted, but the policy still references one of them:

set policy id 1 from "Untrust" to "Trust" "Any" "MIP(50.1.1.3)" "HTTP" permit

At this point, the only way to clear this policy is to reset the firewall.

This issue is present in ScreenOS 5.4.x and 6.0.x.
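As an added illustration (not part of this KB article or of any Juniper tooling), the following Python script audits a saved "get config" dump for the condition described above: policies that reference a MIP for which no "set interface ... mip" definition exists. The two embedded configs are constructed from the article's sample, one healthy and one after the MIPs were deleted; the script assumes the dump uses the same command syntax shown here.

```python
import re

# Constructed sample: the article's config AFTER both MIPs were deleted.
# The "set interface ... mip" lines are gone, but policy 1 still names MIP(50.1.1.3).
AFTER_DELETE = """\
set policy id 1 from "Untrust" to "Trust" "Any" "MIP(50.1.1.3)" "HTTP" permit
"""

# Constructed sample: the article's healthy config, both MIPs still defined.
HEALTHY = """\
set interface "ethernet0/2" mip 50.1.1.2 host 172.19.50.2 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip 50.1.1.3 host 172.19.50.3 netmask 255.255.255.255 vr "trust-vr"
set policy id 1 from "Untrust" to "Trust" "Any" "MIP(50.1.1.2)" "HTTP" permit
set policy id 1
     set dst-address "MIP(50.1.1.3)"
     exit
"""

MIP_DEF_RE = re.compile(r'^set interface "[^"]+" mip (\S+) host ')  # MIP definition
MIP_REF_RE = re.compile(r'"MIP\(([^)]+)\)"')                         # MIP used as an address


def dangling_mip_refs(config_text):
    """Map policy id -> sorted list of MIP addresses the policy references
    that have no matching 'set interface ... mip' definition in the config."""
    defined = set()
    refs = {}        # policy id -> set of MIP addresses referenced
    current = None   # policy id whose multi-line 'set policy id N' block we are in
    for raw in config_text.splitlines():
        line = raw.strip()
        m = MIP_DEF_RE.match(line)
        if m:
            defined.add(m.group(1))
        elif line.startswith("set policy id "):
            current = line.split()[3]                  # the N in 'set policy id N'
            refs.setdefault(current, set()).update(MIP_REF_RE.findall(line))
        elif current and line.startswith(("set src-address", "set dst-address")):
            refs[current].update(MIP_REF_RE.findall(line))
        elif line == "exit":
            current = None
    return {pid: sorted(mips - defined) for pid, mips in refs.items() if mips - defined}


if __name__ == "__main__":
    print(dangling_mip_refs(HEALTHY))       # {}
    print(dangling_mip_refs(AFTER_DELETE))  # {'1': ['50.1.1.3']}
```

Run it against a config dump taken before a MIP change as well as after, so a stale reference is caught before the firewall has to be reset to clear it.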

Solution:

Engineering has created a patch that has additional checks in place to prevent a user from accidentally deleting all MIPs that are being referenced in a policy.  The patch is planned to be included in a future release of ScreenOS.  Consult the Release Notes for a list of Addressed and Known Issues for your release.


Contact JTAC for a copy of the patch.  To open a JTAC case either:
  • Call the Juniper Networks Technical Assistance Center at 888-314-JTAC (5822) or 408-745-9500 (domestic or international)
    OR
  • Log in to the Case Management tool via the Juniper support site (Case Management) and click "Create a Case".