7.0.1-5161 - Can't add Access Rules

BWC Cybersecurity Overlord ✭✭✭

Did anyone encounter the situation that adding an Access Rule caused the red error message saying "Invalid API argument"?

Web Developer Tools show this request/response:

15:24:04.638 XHRPOST
https://xxxxxxxxxx/api/sonicos/access-rules/ipv4
[HTTP/1 400 Bad Request 249ms]
	
status	Object { success: false, cli: {…}, info: […] }
success	false
cli	Object { mode: "config_mode", depth: 1, command: "access-rule ipv4 from DEPLOYMENT to WAN action allow source address name DEPLOYMENT_N port any service group HTTP/S destination address any", … }
mode	"config_mode"
depth	1
command	"access-rule ipv4 from DEPLOYMENT to WAN action allow source address name DEPLOYMENT_N port any service group HTTP/S destination address any"
configuring	true
pending_config	false
restart_required	"FALSE"
info	[ {…} ]
0	Object { level: "error", code: "E_INVALID_FXN_ARG", message: "Invalid API argument." }
level	"error"
code	"E_INVALID_FXN_ARG"
message	"Invalid API argument."

This happened to me before on several deployments; it's not -5161 related, other releases of 7.0.1 did the same. It happened on manually configured appliances and with migrated settings as well. I'm always using Firefox, because it's snappier than Chrome.

I guess it gets triggered when adding a Rule like LAN-to-CustomZone and having "Create reflexive Rule" enabled. Only one Rule gets created, no error messages at that point.

Another weird result is when executing a show access-rules ipv4, all custom rules are changed to "from any to any" instead of using the former configuration source and destination address objects. The TSR does show the correct Access Rule.

The only way to get out of this mess is to restart the Firewall.

Because of the impact this is somewhat critical and I cannot leave this appliance in that state until Support reacts.

—Michael@BWC

Category: Mid Range Firewalls
Answers

  • Larry All-Knowing Sage ✭✭✭✭

    @BWC - I am holding at 5151 for all Gen 7.0.1 devices, including my lab machine (meaning NO to 7.1.1 and absolutely NOT for 7.1.2). I'm not convinced anyone at SonicWall has spent sufficient time walking through the nuances of the changes they have recently released.

    Too hurried, too rushed, too oblivious. None of them are production-ready firmware.

  • Rinconmike Enthusiast ✭✭

    I installed 7.0.1-5161 this morning on my TZ670. I have not added rules in years. I just tried adding and deleting a test rule and I did not get an error.

  • abhits Newbie ✭

    Curious if you found a corrective action for this? Exact same situation. Not a good time (of the day) to reboot the firewall…assuming the inability/error goes away upon restart. TIA.
