Unable to edit a policy that contains a Subnet value using CIDR notation

Technical Articles ID: KB94226
Last Modified: 3/2/2022

Environment

Endpoint Security (ENS) Firewall 10.7.0 February 2021 Update extension 10.7.0.843
ENS Firewall 10.6.1 February 2021 Update extension 10.6.1.1489

Summary

Recent updates to this article

Date	Update
March 2, 2022	Updated the Solution statement with more detail about affected Firewall policies needing to be fixed manually.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Problem

The ENS Firewall Extension on the ePolicy Orchestrator (ePO) server has been updated to the February 2021 version. The firewall policies might become invalidated after you add or modify Local Network or Remote network entries using Subnet values (for example, IP addresses with CIDR notation entries like /24). After the changes are saved, the following error occurs after you try to open the policy again:

An unexpected error occurred

The ePO server orion.log file contains an Invalid network specification error as shown below. The IPv6 value (for example, 0000:0000:0000:0000:0000:ffff:0a14:1e28//96 below) differs depending on the IP address entry being used.

2021-02-25 15:06:36,204 DEBUG [http-nio-8443-exec-19] servlet.ControllerServlet - Validating action: EditFireCoreFWRules.do
2021-02-25 15:06:36,204 DEBUG [http-nio-8443-exec-19] servlet.ControllerServlet - Executing action: EditFireCoreFWRules.do
2021-02-25 15:06:36,206 ERROR [http-nio-8443-exec-19] servlet.ControllerServlet - Exception thrown by ActionBean:
com.mcafee.endp.fw.catalog.model.AddressFormatException: Invalid network specification: 0000:0000:0000:0000:0000:ffff:0a14:1e28//96
   at com.mcafee.endp.fw.catalog.model.IpAddress.normalizeIpAddress(IpAddress.java:597)
   at com.mcafee.endp.fw.catalog.model.IpAddress.setAddressString(IpAddress.java:128)
   at com.mcafee.endp.fw.catalog.model.IpAddress.<init>(IpAddress.java:64)
   at com.mcafee.endp.fw.catalog.support.FirewallPolicyDao.parseNetwork(FirewallPolicyDao.java:709)
   at com.mcafee.endp.fw.catalog.support.FirewallPolicyDao.parseAggregates(FirewallPolicyDao.java:651)
   at com.mcafee.endp.fw.catalog.support.FirewallPolicyDao.parseFromPolicy(FirewallPolicyDao.java:165)
   at com.mcafee.endp.fw.policies.fw.firecorerules.FirecoreRuleActions.prepareForEdit(FirecoreRuleActions.java:145)
   at com.mcafee.endp.fw.policies.ReentrantPolicyAction.editPolicy(ReentrantPolicyAction.java:68)
   at sun.reflect.GeneratedMethodAccessor3292.invoke(Unknown Source)

Also, in the above error message, IPv4 addresses are stored in IPv6 format. For example, 0a14:1e28 (hex) translates to the IP address 10.20.30.40 (decimal).

0a = 10
14 = 20
1e = 30
28 = 40

System Change

This issue occurs after you upgrade to either of the following ENS Firewall extensions:

ENS Firewall 10.7.0 February 2021 Update extension 10.7.0.843
ENS Firewall 10.6.1 February 2021 Update extension 10.6.1.1489

Solution

This issue is resolved in ENS 10.6.1 April 2021 Update and ENS 10.7.0 April 2021 Update. Firewall policies that are already affected by this issue aren't automatically fixed after upgrading the ENS Firewall extension. Technical Support must manually fix the affected Firewall policies.

To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.

If you are a registered user, type your User ID and Password, and then click Log In.
If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.

Our product software, upgrades, maintenance releases, and documentation are available on the Product Downloads site.

NOTE: You need a valid Grant Number for access. See KB56057 - How to download product updates and documentation for more information about the Product Downloads site, and alternate locations for some products.

Workaround 1

Workaround for on-premises ePO server customers

NOTES:

This workaround doesn't fix policies that have become invalidated; it only prevents new occurrences of the issue.
If your Firewall Rules policy can't be opened because of this issue and the error in the ePO server orion.log file, contact Technical Support to fix any affected Firewall Rule policies. Provide an XML file export of the affected Firewall Rule policy from the ePO Policy Catalog so Technical Support can make the appropriate corrections. Make sure to test any modified policy on a few systems first before you apply it to production environments.

To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.
- If you are a registered user, type your User ID and Password, and then click Log In.
- If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.

To prevent the issue from occurring, use the following instructions to replace the ip.js file on the ePO server with the version in the Attachment section of this article.

Back up all Firewall Rule policies by exporting them from the ePO server. Make sure to back up the affected Firewall Rule policies with this issue.
Back up the following file on the ePO server:

If the ENS 10.7 Extension is installed:
\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\extensions\installed\ENDP_FW_META\10.7.0.843\webapp\fw\rules\ip.js

If the ENS 10.6.1 Extension is installed:
\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\extensions\installed\ENDP_FW_META\10.6.1.1489\webapp\fw\rules\ip.js
Replace the ip.js file on the ePO server with the copy in the Attachment section of this article.
Import the "fixed" Firewall Rule policy that Technical Support provided. After the "fixed" policy is imported, the original Subnet value should be correctly stated.

Workaround 2

Workaround for MVISION ePO server customers:

A workaround has been deployed to MVISION ePO servers that uses the same ip.js file fix. The issue should no longer occur with any new changes with Subnet values. This workaround doesn't fix policies that have become invalidated; it only prevents new occurrences of the issue.
If your Firewall Rules policy can't be opened due to this issue and the error in the ePO server orion.log file, contact Technical Support to fix any affected Firewall Rule policies. Provide an XML file export of the affected Firewall Rule policy from the ePO Policy Catalog so Technical Support can make the appropriate corrections. Make sure to test any modified policy on a few systems first before you apply it to production environments.

To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.
- If you are a registered user, type your User ID and Password, and then click Log In.
- If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.

Attachment

ip.zip
3K • < 1 minute @ broadband

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

Unable to edit a policy that contains a Subnet value using CIDR notation

Environment

Summary

Problem

System Change

Solution

Workaround 1

Workaround 2

Attachment

Affected Products

Languages:

Title

Title

Knowledge Center

Unable to edit a policy that contains a Subnet value using CIDR notation

Environment

Summary

Problem

System Change

Solution

Workaround 1

Workaround 2

Attachment

Affected Products

Languages:

Choose your region

Title

Title