[ScreenOS] Multi-Cell policy installs only the top address elements if Application IGNORE is selected, even though policy install fails

Article ID: KB20844 KB Last Updated: 20 Apr 2011 Version: 1.0
Summary:
Multi-Cell policy installs only the top address elements if Application IGNORE is selected, even though policy install fails.
Symptoms:
  • When creating a policy with multi-cell entries (more than one source and destination address in the "from" and "to" fields), with the application set to IGNORE and the service set to ANY, the following errors are seen:
  • policy has service any with port any.
    policy cant be modified .
  • If "OK" or "CANCEL" is then clicked, the policy is still created, but with only the topmost address entry defined in the multi-cell policy.
Solution:
This behavior is by design, for the following reasons:
  1. If service ANY is used by a policy, you must not set a specific application for it, including application IGNORE.

  2. When "OK" is clicked to install the policy, the complete policy configuration is not finished because of the 'set application' failure. However, the partial policy configuration has already been set and has taken effect, and the page shows the current policy setting. Clicking Cancel or OK does not remove the policy; it only discards any further policy modification made on the web page.

  3. Note:
    The application IGNORE option is used specifically to keep an ALG from being triggered when the global ALG option is enabled for the respective services.
    Because ALGs are specific to certain services only, the IGNORE option is not applicable to a policy that uses service ANY. The ANY service allows all types of traffic, including traffic for which no ALG is defined.
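
The check below is an added example, not part of the original article or any Juniper tooling: it flags the service ANY plus application combination before a push and compares the intended multi-cell policy with what the device actually installed. The config layout follows the usual ScreenOS `get config` style as an assumption, and the policy IDs and address names are constructed.

```python
import re

# Constructed sample in the style of ScreenOS "get config" output (assumed
# layout). Policy 7 was meant to carry two sources and two destinations, but
# only the top entry of each cell was installed; policy 8 is complete.
SAMPLE_CONFIG = '''\
set policy id 7 from "Trust" to "Untrust"  "srv-a" "ext-a" "ANY" permit
set policy id 7
exit
set policy id 8 from "Trust" to "Untrust"  "srv-a" "ext-a" "HTTP" permit
set policy id 8
set src-address "srv-b"
set dst-address "ext-b"
exit
'''

HEAD = re.compile(r'^set policy id (\d+) from "[^"]*" to "[^"]*"\s+"([^"]*)" "([^"]*)" "([^"]*)"')
CTX = re.compile(r'^set policy id (\d+)\s*$')
EXTRA = re.compile(r'^set (src-address|dst-address|service) "([^"]*)"')

def parse_policies(config):
    """Return {id: {"src": set, "dst": set, "service": set}} from config text."""
    policies, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := HEAD.match(line):          # first (topmost) cell entries
            policies[int(m[1])] = {"src": {m[2]}, "dst": {m[3]}, "service": {m[4]}}
        elif m := CTX.match(line):         # entering the policy's sub-context
            current = policies.get(int(m[1]))
        elif line == "exit":
            current = None
        elif current is not None and (m := EXTRA.match(line)):
            key = {"src-address": "src", "dst-address": "dst", "service": "service"}[m[1]]
            current[key].add(m[2])         # additional multi-cell entries
    return policies

def check_intent(intent, installed):
    """Compare an intended policy with the installed one; return findings."""
    findings = []
    if "ANY" in intent["service"] and intent.get("application"):
        findings.append("service ANY cannot be combined with application " + intent["application"])
    if installed is None:
        return findings + ["policy not present on device"]
    for cell in ("src", "dst"):
        missing = sorted(set(intent[cell]) - installed[cell])
        if missing:
            findings.append(f"{cell} entries missing from installed policy: {missing}")
    return findings
```

Running `check_intent` against a saved configuration after any WebUI error shows whether a truncated policy is live, so it can be corrected or removed rather than left in place.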
