...
The AC policy import may take days to complete and may appear hung. However, /var/log/action_queue.log shows the IDS rule import task progressing, as below:

    May 26 19:49:42 FMC-2 ActionQueueScrape.pl[32424]: add edge from 042f7c8a-9f8a-11ea-9317-4f5387895c61 -> 042f7c8a-9f8a-11ea-9317-4f5387895c61
    May 26 19:49:42 FMC-2 ActionQueueScrape.pl[32424]: add edge from 0480732e-9f8a-11ea-9317-4f5387895c61 -> 0480732e-9f8a-11ea-9317-4f5387895c61
    May 26 19:49:42 FMC-2 ActionQueueScrape.pl[32424]: add edge from 046e915e-9f8a-11ea-9317-4f5387895c61 -> 046e915e-9f8a-11ea-9317-4f5387895c6

If the policy import is killed or the FMC reboots, the second attempt to import the policy may generate the following error in /var/opt/CSCOpx/MDC/log/operation/vmssharedsvcs.log due to a duplicate object:

    Caused by: com.cisco.nm.vms.buildingblock.exception.BuildingBlockValidationException$NAMEEXISTS_IN_ACTIVITY_NWF: Naming Conflict
    com.cisco.nm.vms.buildingblock.exception.BuildingBlockValidationException$NAMEEXISTS_IN_ACTIVITY_NWF: Naming Conflict
    Caused by: com.cisco.nm.vms.buildingblock.exception.BuildingBlockValidationException$NAMEEXISTS_IN_ACTIVITY_NWF: Naming Conflict
    com.cisco.nm.vms.buildingblock.exception.BuildingBlockValidationException$NAMEEXISTS_IN_ACTIVITY_NWF: Naming Conflict
    Caused by: com.cisco.nm.vms.buildingblock.exception.BuildingBlockValidationException$NAMEEXISTS_IN_ACTIVITY_NWF: Naming Conflict
+ Intrusion Policy contains thousands of Local Rules
+ AC policy configured with custom Intrusion Policies
Import without non-default Intrusion Policies:
+ Remove all non-default Intrusion Policies from the AC Policy and replace them with the default Connectivity over Security or Balanced Intrusion Policy
+ Export the modified AC policy and import it
+ To import the Intrusion Policy and its rules, there are two options:
  Option 1 - Import the local rules as text and rebuild the Intrusion Policy. If you do not have a backup of the custom rules as a text file, contact Cisco TAC for assistance.
  Option 2 - Export and import the Intrusion Policy as is.
  Note: Depending on the number of custom/local rules, the task can take hours or days to complete.
Local Rules can be exported as below and then formatted for import into FMC:

    OmniQuery.pl -db sdb -e "select action,rule_text from rule_header where sid>1000000;" > local.rules
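The formatting step for Option 1 above, as an added example that is not part of the original page or Cisco's tooling. It assumes (not stated on the page) that OmniQuery writes one tab-separated row per rule with a header row, and that rule_text holds the rule body without the leading action keyword; it rebuilds standard "action header (options)" rule lines, drops rows whose sid is not in the local range selected by the query, and skips duplicate sids so a re-import does not carry a duplicate into the policy.

```python
"""Turn OmniQuery (action, rule_text) output into a local rules text file."""
import re

# Constructed sample of the assumed OmniQuery output (tab-separated, header first).
SAMPLE_EXPORT = """action\trule_text
alert\ttcp any any -> any 80 (msg:"LOCAL test 1"; content:"bad"; sid:1000001; rev:1;)
drop\ttcp any any -> any 443 (msg:"LOCAL test 2"; flow:to_server; sid:1000002; rev:2;)
alert\ttcp any any -> any 80 (msg:"LOCAL test 1"; content:"bad"; sid:1000001; rev:1;)
alert\tudp any any -> any 53 (msg:"LOCAL broken"; content:"x";
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
LOCAL_SID_MIN = 1000000  # the query selects sid>1000000; anything else is not a local rule


def format_local_rules(export_text):
    """Return (rules, skipped): rule lines ready for import, and (lineno, reason) for rows dropped."""
    rules, skipped, seen_sids = [], [], set()
    for lineno, line in enumerate(export_text.splitlines(), 1):
        if not line.strip() or line.startswith("action\t"):
            continue  # blank line or the header row
        parts = line.split("\t", 1)
        if len(parts) != 2:
            skipped.append((lineno, "no tab separator"))
            continue
        action, body = parts[0].strip(), parts[1].strip()
        match = SID_RE.search(body)
        if not body.endswith(")") or match is None:
            skipped.append((lineno, "malformed rule body"))  # truncated or missing sid option
            continue
        sid = int(match.group(1))
        if sid <= LOCAL_SID_MIN:
            skipped.append((lineno, f"sid {sid} not in local range"))
            continue
        if sid in seen_sids:
            skipped.append((lineno, f"duplicate sid {sid}"))  # avoid re-importing the same rule twice
            continue
        seen_sids.add(sid)
        rules.append(f"{action} {body}")
    return rules, skipped


def write_rules_file(rules, path):
    """Write one rule per line, the form the FMC local-rule text import expects."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(rules) + "\n")
    return len(rules)


if __name__ == "__main__":
    good, bad = format_local_rules(SAMPLE_EXPORT)
    print(f"{len(good)} rules kept, {len(bad)} rows skipped: {bad}")
```

In practice replace SAMPLE_EXPORT with the contents of local.rules produced by the OmniQuery command, review the skipped rows by hand, and import the written file through the FMC local rule import.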