Firewall policy is not effective immediately

  • 7003559
  • 10-Apr-2012
  • 15-Jan-2014

Environment

Novell ZENworks 11 Endpoint Security Management
Novell ZENworks 11 Configuration Management Support Pack 1 - ZCM 11 SP1

Situation

ZESM Firewall Policy takes too much time (minutes) to be applied.

Resolution

This is fixed in version 11.2.2 - see KB 7010757 "ZENworks Configuration Management 11.2.2 - update information and list of fixes" which can be found at https://support.microfocus.com/kb/doc.php?id=7010757
 
A fix for this issue is intended to be included in a future update to the product. In the interim, Novell has made a patch available for testing as part of a monthly patch update. It can be obtained at https://download.novell.com/Download?buildid=EWuCrZ4JAO0~ as "ZCM 11.2 Monthly Update 1 - see TID 7004550". This update should only be applied if the symptoms above are being experienced and are causing problems.

Please report any problems encountered when using this patch by using the feedback link on this TID.

Cause

Extract from log:
Firewall: Debug: Firewall Enforcer: FirewallFilter: { type(0x0004, PortType(0x0800) Address(10.10.100.0) Range(256)}
Firewall: Debug: Firewall Enforcer: FirewallFilter: { type(0x0004, PortType(0x0800) Address(10.10.101.0) Range(256)}

The Firewall Policy enforcer applies one rule per call per class C network.
When the ACL specifies a large network, the enforcer splits it into a number of class C networks.
Processing can therefore take a significantly long time, depending on the scale of the network.
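
To estimate how many enforcer calls an ACL expands to under the behaviour described above, the following added example (not Novell code) splits each IPv4 network into class C blocks and counts them. The sample ACL, the function names and the 256-call threshold are assumptions made for illustration, as is the handling of networks smaller than a /24.

```python
import ipaddress

# Constructed sample ACL (not from the article); the /23 covers the two
# class C networks that appear in the log extract.
SAMPLE_ACL = ["10.10.100.0/23", "192.168.5.0/24", "10.10.0.0/16", "172.16.0.0/12"]


def expand_acl_entry(cidr):
    """Return one (address, range) tuple per class C filter for an IPv4 network.

    Assumption: a network smaller than a /24 costs a single call whose
    range is the number of addresses in it.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("class C splitting applies to IPv4 only")
    if net.prefixlen >= 24:
        return [(str(net.network_address), net.num_addresses)]
    return [(str(sub.network_address), 256) for sub in net.subnets(new_prefix=24)]


def estimate_calls(acl):
    """Map each ACL entry to the number of enforcer calls it expands to."""
    return {cidr: len(expand_acl_entry(cidr)) for cidr in acl}


def flag_expensive(acl, max_calls=256):
    """Return ACL entries whose expansion exceeds max_calls (hypothetical threshold)."""
    return [cidr for cidr, n in estimate_calls(acl).items() if n > max_calls]


if __name__ == "__main__":
    for cidr, calls in estimate_calls(SAMPLE_ACL).items():
        print(f"{cidr:<18} {calls:>6} filter call(s)")
    for address, size in expand_acl_entry("10.10.100.0/23"):
        print(f"Address({address}) Range({size})")
    print("Entries worth narrowing:", flag_expensive(SAMPLE_ACL))
```

Entries that expand to thousands of calls are the ones to narrow, or to check first when a policy takes minutes to apply on a version without the fix.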