Will these object-group cause override in CSM?

Hi Everyone,
Currently I cannot make changes in the live network to test the options below.
Say we have Fw1  with object group below
sh run object-group id Test
object-group network Test
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
Fw2 shows below
sh run object-group id Test
object-group network Test
network-object object 10.0.0.0
network-object object 172.16.0.0
network-object object 192.168.0.0
Will the above cause an override in CSM ver4.2?
Also, if I have the object group below on fw1
sh run object-group Test_all
object-group network Test_all
network-object host 192.168.50.0
Fw2 shows
sh run object-group Test_ALL
object-group network Test_all
network-object host 192.168.50.0
Will above also cause override as names are different?
Regards
Mahesh

David, I think what you are referring to are nested structures, or in some cases "Deep" Structures. I have tested this scenario in my Netweaver 2004s system and there are no problems with this coding. However, this does not mean all will be ok in your case. I think that it really depends on how the structure (or deep structure) is used in the program and if the Unicode checker is turned on.
REPORT zrich_0001.
TYPES: BEGIN OF t_sub,
       sub(10) TYPE c,
       END OF t_sub.
TYPES: BEGIN OF t_object,
       object TYPE t_sub,
       END OF t_object.
TYPES: BEGIN OF t_main,
       main TYPE t_object,
       END OF t_main.
data: xvar type t_main.
CHECK xvar-main-object-sub IS INITIAL.
Regards,
Rich Heilman

Similar Messages

  • Implementing "object-group service"

    Running 8.2(3) on an ASA 5510
    I have created the two following object groups.
    object-group service gatewayTCP tcp
    port-object eq 88
    port-object eq 135
    port-object eq 445
    port-object eq ldaps
    port-object eq 3268
    port-object eq 3269
    object-group service gatewayTCP-UDP tcp-udp
    port-object eq domain
    port-object eq 389
    port-object eq 464
    port-object range 49152 65535
    I have run into an issue with "domain" working in the tcp-udp type. The following access-list does not work without explicitly calling out "domain" for both TCP and UDP. Everywhere I looked I appear to be doing it right, so what am I missing? Does "permit tcp" need to be "permit ip" to cover both tcp and udp? I found one article with someone suggesting just make it "permit tcp" and it will work. Not in a position to test at the moment so figured I'd ask here. Want to be sure I'm not getting bit anywhere else related to these object groups in case I am not implementing them correctly?
    access-list dmzAccess extended permit tcp host 172.26.11.10 host 10.16.11.203 object-group gatewayTCP
    access-list dmzAccess extended permit tcp host 172.26.11.10 host 10.16.11.203 object-group gatewayTCP-UDP
    Is this a bug with service object groups? Is there some place I need to enable this feature?

    Hi,
    Have you tried configuring it like this
    object-group service GATEWAY-SERVICES
    service-object tcp eq 88
    service-object tcp eq 135
    service-object tcp eq 445
    service-object tcp eq ldaps
    service-object tcp eq 3268
    service-object tcp eq 3269
    service-object tcp eq 53
    service-object udp eq 53
    service-object tcp eq 389
    service-object udp eq 389
    service-object tcp eq 464
    service-object udp eq 464
    service-object tcp range 49152 65535
    service-object udp range 49152 65535
    access-list dmzAccess permit object-group GATEWAY-SERVICES host 172.26.11.10 host 10.16.11.203
    I am not sure if it was only after software 8.3+ that the command under the actual "object-group" was of format "service-object tcp source" / "service-object tcp destination" (or the same for UDP)
    - Jouni

  • CSCut57898 - C897 ACL object-group leak/miss for BGP tcp 179 / causing deny

    We appear to be seeing this bug, or something very similar, on a 3845 running 15.1(4)M9 (c3845-adventerprisek9-mz.151-4.M9.bin), and a 3945 running 15.1(1)T (c3900e-universalk9-mz.SPA.151-1.T.bin). On both platforms traffic that should be (and most often is) matching an object-group ACE is sometimes "falling through" that ACE and hitting ACEs below the object-group based ACE that it should have matched. Depending on the ACEs in question, this sometimes results in traffic that should be permitted falling into a later deny, or more troubling, traffic that should be denied falling into a subsequent permit.
    I am particularly curious to know if this may be related to http://tools.cisco.com/security/center/viewAlert.x?alertId=37423 and https://tools.cisco.com/bugsearch/bug/CSCun21071 and whether there is a fix.
    Anyone who is working on this is welcome to contact me directly. I have crystal clear logging of traffic falling through ACEs on these systems, and I would be happy to assist in any way I can. I would really like to get this problem solved, it is causing me a great deal of grief and frustration.  


  • CSM service-object groups.

    Hello,
    I have a question. I'd like to maintain an enhanced service object group. When I create a service-object, it splits the service-object
    into
    sobjname.tcp
    and then
    sobjname.udp
    But it doesn't tell you it's going to do this until you deploy (very annoying).
    How can I create an enhanced service-object group with the protocol & port objects? I have both CSM 3.3 and 4.1.
    Also, is there an UNDO command that I don't know about when modifying (cutting and pasting access rules around in CSM)?
    Thanks!
    -M-

    Hello Bobby,
    The object-groups look good,
    The way to use them will be with ACLs so config looks cleaner and smaller,
    Regards,
    Julio Carvajal

  • Difference between these 2 object groups

    Hi Everyone,
    Need to understand about object-group network below
    when I run the command    sh run object-group id subnet
    on fw1  it shows
    network-object 10.0.0.0 255.0.0.0
    network-object 172.16.0.0 255.240.0.0
    network-object 192.168.0.0 255.255.0.0
    Same command on firewall 2 shows   
    network-object object 10.0.0.0
    network-object object 172.16.0.0
    network-object object 192.168.0.0
    Need to understand if the contents of both firewalls are the same?
    Also, if I remove the config below from fw2
    network-object object 10.0.0.0
    network-object object 172.16.0.0
    network-object object 192.168.0.0
    and add  the
    network-object 10.0.0.0 255.0.0.0
    network-object 172.16.0.0 255.240.0.0
    network-object 192.168.0.0 255.255.0.0
    which are the same as fw1, will it make any difference to fw2?
    Regards
    Mahesh

    Hi,
    Had not tested this myself before, so I configured this on my firewall
    object network TEST
    subnet 10.10.10.0 255.255.255.0
    object network TEST-2
    subnet 10.10.20.0 255.255.255.0
    object-group network TEST-GROUP
    network-object object TEST
    network-object object TEST-2
    network-object 10.10.10.0 255.255.255.0
    network-object 10.10.20.0 255.255.255.0
    access-list TEST extended permit ip object-group TEST-GROUP any
    ASA(config)# sh access-list TEST
    access-list TEST; 4 elements; name hash: 0xd37fdb2b
    access-list TEST line 1 extended permit ip object-group TEST-GROUP any 0x47cc12eb
      access-list TEST line 1 extended permit ip 10.10.10.0 255.255.255.0 any (hitcnt=0) 0x365de33c
      access-list TEST line 1 extended permit ip 10.10.20.0 255.255.255.0 any (hitcnt=0) 0xc98d1b29
      access-list TEST line 1 extended permit ip 10.10.10.0 255.255.255.0 any (hitcnt=0) 0x365de33c
      access-list TEST line 1 extended permit ip 10.10.20.0 255.255.255.0 any (hitcnt=0) 0xc98d1b29
    It would seem to work even though it creates an ACL that has overlapping rules but this is nothing new when you deal with "object-group" and ACLs.
    I would imagine that as long as you are doing the changes under the same "object-group" then traffic should not be affected. The traffic that has already been allowed through the firewall will keep on going through the firewall, and naturally new connections should still match the ACL rule, since the same network should be in the ACL all the time if you first add the new lines and then remove the old.
    I would imagine that this "object-group" is probably used in the some "deny" statement in an ACL since it lists all the Private IP address ranges.
    You can naturally browse through the configuration to see where this "object-group" is used with
    show run | inc
    - Jouni
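
An added example (not part of the original posts, and not Cisco or CSM code): a Python check for the question in this thread, whether an `object-group network` that lists subnets inline and one that references named objects cover the same networks, plus the duplicate entries seen in the TEST-GROUP output above. The `object network` definitions for FW2 are assumptions, since the page never shows them, and the status strings returned by `compare` are this example's own.

```python
import ipaddress
from collections import Counter

def _net(tok):
    # ['host', A], ['subnet', A, M] or [A, M] -> IPv4Network
    addr, mask = (tok[1], "32") if tok[0] == "host" else tok[-2:]
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect network objects and groups; any other object header closes the block."""
    objects, groups, cur = {}, {}, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] in ("object", "object-group"):
            cur = (t[0], t[2]) if len(t) >= 3 and t[1] == "network" else None
            if cur and t[0] == "object-group":
                groups.setdefault(t[2], [])
        elif cur and cur[0] == "object" and t[0] in ("subnet", "host"):
            objects[cur[1]] = _net(t)  # range/fqdn objects stay unresolved
        elif cur and cur[0] == "object-group" and t[0] in ("network-object", "group-object"):
            groups[cur[1]].append(t)
    return objects, groups

def expand(name, objects, groups, seen=()):
    """Return (networks, unresolved names) for a group; duplicates are kept."""
    nets, missing = [], []
    for t in groups[name]:
        if t[0] == "group-object" and t[1] in groups and t[1] not in seen:
            n, m = expand(t[1], objects, groups, seen + (name,))
            nets, missing = nets + n, missing + m
        elif t[0] == "group-object" or (t[1] == "object" and t[2] not in objects):
            missing.append(t[-1])  # undefined object, or unknown/looping group
        elif t[1] == "object":
            nets.append(objects[t[2]])
        else:  # inline 'A M' or 'host A'
            nets.append(_net(t[1:]))
    return nets, missing

def compare(cfg_a, cfg_b, name):
    """Classify how group `name` on device A relates to the same name on device B."""
    (oa, ga), (ob, gb) = parse(cfg_a), parse(cfg_b)
    if name not in ga or name not in gb:
        return "missing"
    (na, ma), (nb, mb) = expand(name, oa, ga), expand(name, ob, gb)
    if ma or mb:
        return "unresolved"  # object definitions absent from the supplied text
    if set(na) != set(nb):
        return "different"
    return "same-text" if ga[name] == gb[name] else "same-networks"

def duplicates(config, name):
    """Networks a group lists more than once, e.g. inline and again via an object."""
    objects, groups = parse(config)
    counts = Counter(expand(name, objects, groups)[0])
    return [str(n) for n, c in sorted(counts.items()) if c > 1]

# Sample input constructed from the configurations quoted on this page.
FW1 = """object-group network Test
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0"""
FW2 = """object-group network Test
 network-object object 10.0.0.0
 network-object object 172.16.0.0
 network-object object 192.168.0.0"""
# Assumed definitions: the page never shows what FW2's named objects contain.
FW2_OBJECTS = "\n".join(f"object network {a}\n subnet {a} {m}" for a, m in (
    ("10.0.0.0", "255.0.0.0"), ("172.16.0.0", "255.240.0.0"), ("192.168.0.0", "255.255.0.0")))
TEST_GROUP = """object network TEST
 subnet 10.10.10.0 255.255.255.0
object network TEST-2
 subnet 10.10.20.0 255.255.255.0
object-group network TEST-GROUP
 network-object object TEST
 network-object object TEST-2
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0"""

if __name__ == "__main__":
    print(compare(FW1, FW2, "Test"))
    print(compare(FW1, FW2_OBJECTS + "\n" + FW2, "Test"))
    print(duplicates(TEST_GROUP, "TEST-GROUP"))
```

With only the `show run object-group` output from FW2 the result is "unresolved": the object names look like addresses, but the group text alone does not say which subnet each named object holds.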

  • Using JSP, how to add new items to Fuego Business Object "Group" ?

    Given the classic Fuego Business Object (FBO) example of an Order, which has a few attributes (orderNumber, customerName, Order Date) and a GROUP attribute called OrderItems (ItemName, ItemPrice, etc.), I want to use a JSP to allow user to submit order. My JSP has a form and uses the Fuego Tag Library. There are FORM INPUT elements for Order.orderNumber, Order.customerName, Order.OrderDate, and a table using dynamic HTML to add rows and INPUT elements for new items to add to the GROUP attribute OrderItems - ItemName, ItemPrice, etc.)
    But when the user wants to add "OrderItems" to the order, I don't know how to get Fuego to create OrderItem Objects to add to the array (aka GROUP).
    Thx in advance.

    ###### Below is the response I received from a BEA Engineer. From looking at the html source of fuego presentations that implement desired functionality, it appears as though they handle it using the first suggested workaround below ######
    Hi,
    The short answer to your question is that there is no out of the box feature to support directly what you are asking for.
    The problem is that JSPs receives a Fuego Object that is accessed at rendering time (JSP compilation/ HTML rendering). And then all the updated values are sent back to the engine in a new request when you hit the submit button of a FOR tag that has the postResult tag in the action attribute. At this point all these values are automatically taken from the request and the Fuego Object instance variable in the screenflow is updated.
    After saying this you will notice that it doesn’t make sense to update the Fuego Object instance on the JSP. Because you only could do this at rendering time and because this instance is not going back to the engine (just the values).
    Fuego Object tag Library was designed basically to be able to show Fuego Object data and invoke runs-on-server FO methods.
    I see 3 different approaches to solve the problem you have:
    1) Use JavaScript to call a runs-on-server method that receives the required arguments to extend the group and set the values. You should use the new tag called invokeUrl that allows you to use AjaX, in this way you could update the page with partial rendering.
    2) Use JavaScript to submit the form when the user clicks the add row button. And have a loop in the Screenflow with an automatic activity that will extend the group and then go back to the component activity that now will show the page again but with one more row. The drawback is that each time the user wants to add a row, it will require the entire page to be refreshed.
    3) Handle the table and values using JavaScript and DHTML, and put all the new values in the request (input element), then in the Screenflow use an automatic activity to set these values to the Fuego Object.
    Look at the Samples of using Fuego Tag Lib and AJaX
    albpm5.7\studio\samples\Integration\Portlets\PFoodDelivery.fpr
    albpm5.7\studio\samples\Integration\ThirdParty\AJaX.fpr

  • ICR - Wrong display of assigned documents in Object Groups.

    Hello ICR gurus,
    Hello,
    We are just about to start with UAT and we have found this error which is a major problem for us.
    When we run the automatic assignment step via FBICA3, the system starts assigning documents automatically based on the matching rules that we
    have customized. After this, it starts classifying the matched documents based on the account groups defined in the customizing.
    The problem is, that sometimes one side of the matching falls into one group and the other side of the matching falls into another group and
    then the user cannot see the assigned documents in the same screen.
    We were thinking of using a BADI that gets called after the automatic assignment but we think this is a huge thing to do with a BADI because we would be changing the way the standard functionality works with our code.
    Any other ideas?
    Thanks a lot
    Regards
    Isabel

    Hello Isabel,
    Where in your scenario is the problem:
    #1 The object groups are defined incorrectly.
    #2 The data is posted incorrectly.
    If #1 is the case - change the object group definition
    In case of #2 it seems to me that what you want is more transparency where the issue is so the users can make the necessary adjustment postings. It would be good to have a specific scenario here.
    Why did you create the object groups you created? Are these examples you're referring to based on the fact that the invoices were posted incorrectly?
    In FBICR3 you would usually use either just one object group (Open Items) or two object groups (Payables and Receivables). Are GL open items classified as payables or receivables incorrectly when integrating them into process 003?
    Hope this helps. If you need additional answers, please provide more details and specific examples...
    Ralph
    P.S.: Instead of adding these other documents to the object groups where they don't belong you could also add a function which will display the partner documents for the currently displayed "assigned" documents which don't have their partner documents in the display in a popup. That way you're still showing the problem (partner document is not posted correctly) but give them a little more information how to correct it (item should have been posted to account ABC instead of BAC)...

  • Find the std Business content for these objects in CRM..

    Hi,
    Can you please help me in finding
    To identify the standard BW extractors in the Business Content.
    From the CRM
    Business Content for the following objects
    Product ( New products in CRM and not in R/3)
    Sales Orders ->
    -> Line items.
    Quotations            CRM only
    Billing Documents            CRM
    Credit Notes
    Customers  - -> Not fully registered " prospects will be in CRM only.
    Customers will be transported to R/3
    IBASE            -> Master Data Item
    -> Content?
    Activities            CRM
    Please help me how can I find the std Business content for these objects in CRM..

    CRM Business content objects:
    0CRM_LEAD_H - Lead Header (Transactional Data)
    0CRM_LEAD_I - Lead Item (Transactional Data)
    0CRM_MIG -  Mail GUID
    Characteristics
    InfoObject     Description
    0CRM_LEAGUI     Lead GUID
    0STAONESYS0     CRM status life cycle (One Order)
    0STAONESYS4     CRM status opportunity/lead (One Order)
    0CRM_RCA     Catalog
    0CRM_RG     Code group
    0CRM_RCO     Code
    0CRM_PROSPE     Prospect
    0BP_CONTPER     CRM contact partner
    0BP_RESPPER     CRM owner
    0CRM_SALESP     CRM sales partner
    0CRM_OBJTYP     Business transaction object type
    0CRM_ITOBTP     CRM item transaction type (object type)
    0CRM_MKTELM     CRM marketing element
    0CRMPLEAGUI     CRM preceding lead GUID
    0CRM_LEADCR     Creation date of the lead
    0CRM_OPPGUI     GUID of a preceding opportunity
    0CRM_OPPCRD     Creation date of the opportunity
    0CRM_PREOTP     Object type of the preceding document
    0DIVISION     Division
    0DISTR_CHAN     Distribution channel
    0CRM_SRVORG     CRM service organization
    0CRM_SALOFF     Sales office
    0CRM_SALORG     Sales organization
    0CRM_SALGRP     Sales group
    0CRMSA_OG_R     Responsible organizational unit (sales)
    0CRMSE_OG_R     Responsible organizational unit (service)
    0CRM_PRHIER     Product category ID
    0CRM_PROD     CRM product
    0CRM_ORDPRD     Product name entered
    0MATERIAL     Material (allocation to R/3)
    Time Characteristics
    InfoObject     Description
    0CALDAY     Calendar day
    0CALMONTH     Calendar year/month
    0CALQUARTER     Calendar year/quarter
    0CALYEAR     Calendar year
    0FISCPER     Fiscal year/period
    0FISCYEAR     Fiscal year
    0FISCVARNT     Fiscal year variant
    Key Figures
    InfoObject     Description
    0CRM_NUMDOC     Number of order headers
    0CRM_NUMOFI     Number of order items
    0CRM_LDOQV     CRM: Expected order quantity in VME
    0CRM_LDOQB     CRM: Expected order quantity in BME
    0CRM_DURLEA     Duration of the lead
    0CRM_EXDULD     Expected duration of the lead
    0CRM_NUMACT     Number of activities per lead
    0CRM_NUMCHL     Number of changes in the qualification level per lead
    0CRM_LEAWON     Won leads
    Units
    InfoObject     Description
    0SALES_UNIT     Sales unit
    0BASE_UOM     Base unit of measure
    InfoCube 0CSAL_C01 - CRM Activities.
    ODS Object 0SAL_DS01 (ODS for Activities)
    Query (technical name)     Query (description)
    0CSAL_C01_Q0006                    Success/Failure Analysis
    0CSAL_C01_Q0016                    Activity History
    0CSAL_C01_Q0002                     Intensity of Customer Care  (Owner) 12M
    InfoCube  Opportunities - 0CRM_C04 (SAP BW Business Content)
    InfoSources
    CRM Opportunities: Header Data - 0CRM_OPPT_H
    CRM Opportunities: Item Data - 0CRM_OPPT_I
    Query (technical name)     Query (description)
    0CRM_C04_Q0100                 Channel Management Sales Forecast
    0CRM_C04_Q001               Win/Loss Analysis for Opportunities
    0CRM_C04_Q002               Sales Volume Forecast
    0CRM_C04_Q003                 Pipeline Analysis per Phase
    Hope it helps you a lot.

  • Migrate network object group members; risk

    We upgraded to new 5555 hardware and jumped from 8.2 to 9.1 last year. Our objects listing is now a bit messy. I have never run the "Migrate Network Object Group Members" menu option in ASDM. I see what it is going to do, I am not sure it really helps me clean old objects, it seems low risk, but when I walk up to execution, there are a lot of changes it wants to make. We always save backup configurations but, if there are "gotchas" I don't want to put the company in that position. What has been the community's, Cisco's experience? Thanks for any feedback. jc

    John,
    if you feel that is risky, you can always go for plan B.
    - you can take a closer look at the object groups and decide on a new object naming convention policy.
    - from ASDM or CSM, you can see overlapped or duplicate rules, so you can start with reducing them
    - you can see the same services used in a couple of rules with different service groups.
         - like
           object-group service WEB-PORTS tcp
            port-object eq http
            port-object eq https
           object-group service APPLICATION-PORTS tcp
            port-object eq http
            port-object eq https
           object-group service APPS-PORT tcp
            port-object eq www
            port-object eq https
    - you can replace all these different object-groups with one object group, like WEB-PORTS.
    - same way you can do the exercise for network groups as well.
    hope this helps.
    JD...
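
An added example (not from the original post or from Cisco): a Python check for the clean-up step JD describes, finding service object-groups whose protocol and port sets are identical once named ports are normalised, so that `www` and `http` compare equal. The name-to-number table covers only port names used on this page, and keeping the first-defined group of each set is an assumption of this example.

```python
from collections import defaultdict

# Partial name-to-number table, limited to port names that appear on this page.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "ldaps": 636}

def _port(tok):
    # An unknown name raises ValueError instead of being guessed.
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_service_groups(config):
    """Map group name -> (protocol, frozenset of (low, high) port ranges)."""
    groups, cur = {}, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "object-group":
            cur = None
            if len(t) == 4 and t[1] == "service":  # name followed by tcp|udp|tcp-udp
                cur = t[2]
                groups[cur] = (t[3], set())
        elif cur and t[0] == "port-object":
            if t[1] == "eq":
                low = high = _port(t[2])
            elif t[1] == "range":
                low, high = _port(t[2]), _port(t[3])
            else:
                raise ValueError(f"unsupported port-object operator: {t[1]}")
            groups[cur][1].add((low, high))
    return {name: (proto, frozenset(ports)) for name, (proto, ports) in groups.items()}

def consolidation_plan(config):
    """Return {redundant group: group to keep}, keeping the first one defined."""
    by_content = defaultdict(list)
    for name, content in parse_service_groups(config).items():
        by_content[content].append(name)  # dict order follows config order
    return {dup: names[0] for names in by_content.values() for dup in names[1:]}

# Constructed sample: the three groups from the post above plus the
# tcp-udp group quoted earlier on this page.
SAMPLE = """object-group service WEB-PORTS tcp
 port-object eq http
 port-object eq https
object-group service APPLICATION-PORTS tcp
 port-object eq http
 port-object eq https
object-group service APPS-PORT tcp
 port-object eq www
 port-object eq https
object-group service gatewayTCP-UDP tcp-udp
 port-object eq domain
 port-object eq 389
 port-object eq 464
 port-object range 49152 65535"""

if __name__ == "__main__":
    for old, keep in consolidation_plan(SAMPLE).items():
        print(f"{old} duplicates {keep}")
```

The plan only identifies the duplicates; every ACL that references a redundant group still has to be repointed before that group is removed.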

  • Drag & Drop with Fdev6iR2 on Linux / Adding object to an object group

    Hi all
    I experienced a very annoying bug in Forms Developer 6i Release II for Linux when I tried to add a Object to an Object group.
    The drag & drop simply doesn't work and there seems to be no way to work around this.
    Has anybody an idea whether there's another way to add an object to an objectgroup or what could cause this error?
    I'm using KDE 1.1.2-48 on XFree86 4.0.1-1 with Motif WM 1.2.4-3glibc installed, maybe this helps one of you...
    Thanks very much...
    Nik

    Drag the object using the center mouse button. I think
    it will work. Don't set caps lock on.
    --viji

  • Will multiple Lan cards cause problems using rmi?

    Will multiple Lan cards cause problems using rmi? If a host has two or more network cards (only one of which is Internet-enabled), how does RMI know which IP address to use? There seems to be a problem when such a client registers with an RMI service, and has a client-side callback method invoked by the server.

    You can tell RMI the address you want by defining java.rmi.server.hostname at the JVM which exports the remote object.

  • ORA-23326: object group "PUBLIC","REPG" is quiesced

    I am using Oracle 9i Enterprise Manager.
    I have two servers with databases isb.city and rwp.rawat. I completed the whole process of Multimaster Replication. I am working on the SCOTT schema as test. Right now I am working on LAN.
    Two servers are connected with each other. I am facing two problems:
    1) When I try following command, it shows no rows on both servers:
    SQL>SELECT DBLINK FROM DBA_REPSITES WHERE GNAME = 'repg';
    no rows selected
    2) When I try to insert data in the tables, it doesn't allow it and give following:
    ORA-23326: object group "PUBLIC","REPG" is quiesced
    I already made changes in init.ora and changed spfile file as well accordingly.
    What is wrong with my setup?

    Try this:
    1. SELECT DBLINK FROM DBA_REPSITES WHERE GNAME = 'REPG';
    2. You should change init.ora or spfile (database is using one of them):
    show parameter pfile will show you if you are using spfile or not
    execute RESUME_MASTER_ACTIVITY to unquiesce replication group
    Best Regards
    Krystian Zieja / mob

  • Is it possible to nest object groups in forms?

    Title says it all, but to explain further - I'd like to create some object groups and the objects I'd like to include within these groups are themselves object groups.
    Is that possible?

    No - But you could subclass an object group and then add extra children to it.

  • ASA 5510 & Object-groups

    I have an ASA 5510 and have just started using object-groups which are super handy in theory, but not working in reality. I have a service object-group with a mix of tcp, icmp, and udp ports. Let's call it Sample_Port_Group. I'm trying to apply it to my dmz_access_in ACL. Here's the line giving me problems:
    access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 any
    The asa throws up an error between 192.168.1.1 and any. When I put up a ? after Sample_Port_Group, it gives me the option of putting in an IP address, any, etc. When I put in a ? after 192.168.1.1, it only gives me the option of putting in an IP address.
    Going off these posts:
    - http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml
    - http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/nwaccess.html
    Those posts gave me the impression my line was possible, especially the "access-list outsideacl extended permit object-group myaclog interface inside any" line, which is at the end of the 2nd article linked.
    What am I doing wrong?
    Thanks in advance for any help.

    Hi Adam!
    You are doing it right, you are just missing one little keyword.
    The line should be as this:
    access-list dmz_access_in extended permit object-group Sample_Port_Group host 192.168.1.1 any
    or you could specify the subnetmask as:
    access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 255.255.255.255 any
    Regards

  • ANM object-group

    Object-groups created with the CLI don't appear in the ANM Config>Devices>Security>Object Groups as they should and ACLs using these groups are displayed incorrectly. SYNC and upgrading to ANM v2.1 hasn't resolved the issue. Object-groups created with ANM don't have this problem. Is this a bug or is there some other way to import/sync the config to ANM?

    Hello,
    No, haven't heard a thing yet. I have learned a bit more though about the symptoms. Some contexts aren't affected by the bug at all. The ACL using the group and the group itself was imported and is displayed correctly by ANM. But they only have a couple of simple object groups and a single line ACL referencing the groups, while the broken contexts have many large object groups and large ACLs. So, maybe it's related to size or complexity.
    I plan to open a TAC Case when I get a minute. I use the CLI to build the contexts and don't use the GUI much, but other people who maintain the servers do.
