The ENS Firewall Extension on the ePolicy Orchestrator (ePO) server has been updated to the February 2021 version. The firewall policies might become invalidated after you add or modify Local Network or Remote network entries using Subnet values (for example, IP addresses with CIDR notation entries like /24). After the changes are saved, the following error occurs after you try to open the policy again:
An unexpected error occurred
The ePO server orion.log file contains an Invalid network specification error as shown below. The IPv6 value (for example, 0000:0000:0000:0000:0000:ffff:0a14:1e28//96 below) differs depending on the IP address entry being used.
2021-02-25 15:06:36,204 DEBUG [http-nio-8443-exec-19] servlet.ControllerServlet - Validating action: EditFireCoreFWRules.do
2021-02-25 15:06:36,204 DEBUG [http-nio-8443-exec-19] servlet.ControllerServlet - Executing action: EditFireCoreFWRules.do
2021-02-25 15:06:36,206 ERROR [http-nio-8443-exec-19] servlet.ControllerServlet - Exception thrown by ActionBean:
com.mcafee.endp.fw.catalog.model.AddressFormatException: Invalid network specification: 0000:0000:0000:0000:0000:ffff:0a14:1e28//96
at com.mcafee.endp.fw.catalog.model.IpAddress.normalizeIpAddress(IpAddress.java:597)
at com.mcafee.endp.fw.catalog.model.IpAddress.setAddressString(IpAddress.java:128)
at com.mcafee.endp.fw.catalog.model.IpAddress.<init>(IpAddress.java:64)
at com.mcafee.endp.fw.catalog.support.FirewallPolicyDao.parseNetwork(FirewallPolicyDao.java:709)
at com.mcafee.endp.fw.catalog.support.FirewallPolicyDao.parseAggregates(FirewallPolicyDao.java:651)
at com.mcafee.endp.fw.catalog.support.FirewallPolicyDao.parseFromPolicy(FirewallPolicyDao.java:165)
at com.mcafee.endp.fw.policies.fw.firecorerules.FirecoreRuleActions.prepareForEdit(FirecoreRuleActions.java:145)
at com.mcafee.endp.fw.policies.ReentrantPolicyAction.editPolicy(ReentrantPolicyAction.java:68)
at sun.reflect.GeneratedMethodAccessor3292.invoke(Unknown Source)
Also, in the above error message, IPv4 addresses are stored in IPv6 format. For example, 0a14:1e28 (hex) translates to the IP address 10.20.30.40 (decimal).
0a = 10
14 = 20
1e = 30
28 = 40
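
To find which policy entry an orion.log error refers to, the conversion above can be scripted. The following is an added example, not part of the original article or of any McAfee tooling: it extracts each Invalid network specification value from log text and decodes the embedded IPv4 address. The function name decode_invalid_specs and the sample text (copied from the excerpt above) are assumptions of this example, and the text after the slashes is returned as-is without interpretation.

```python
import ipaddress
import re

# Constructed sample: two lines copied from the orion.log excerpt above.
SAMPLE_LOG = """\
2021-02-25 15:06:36,206 ERROR [http-nio-8443-exec-19] servlet.ControllerServlet - Exception thrown by ActionBean:
com.mcafee.endp.fw.catalog.model.AddressFormatException: Invalid network specification: 0000:0000:0000:0000:0000:ffff:0a14:1e28//96
"""

# Captures the value that follows the error text, up to the next whitespace.
_SPEC = re.compile(r"Invalid network specification:\s*(\S+)")


def decode_invalid_specs(log_text):
    """Return one dict per 'Invalid network specification' entry in log_text.

    Hypothetical helper for this example. Keys:
      raw    - the value exactly as logged
      suffix - the text after the slash(es), not interpreted here
      ipv4   - dotted-decimal address if the value is IPv4 stored in
               IPv6 format (::ffff:a.b.c.d), otherwise None
    """
    results = []
    for match in _SPEC.finditer(log_text):
        raw = match.group(1)
        addr_part, _, suffix = raw.partition("/")
        entry = {"raw": raw, "suffix": suffix.lstrip("/"), "ipv4": None}
        try:
            addr = ipaddress.IPv6Address(addr_part)
        except ipaddress.AddressValueError:
            # Not a parseable IPv6 address: report it with ipv4 left as None.
            results.append(entry)
            continue
        if addr.ipv4_mapped is not None:
            entry["ipv4"] = str(addr.ipv4_mapped)
        results.append(entry)
    return results


if __name__ == "__main__":
    for e in decode_invalid_specs(SAMPLE_LOG):
        shown = e["ipv4"] or "not an IPv4-mapped address"
        print(f'{e["raw"]} -> {shown} (suffix: {e["suffix"]})')
```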