Rules lost during VPM installation when multiple administrators are managing policy

book

Article ID: 168337

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

This issue appears under the following circumstances:
  • Administrators log in to the ProxySG appliance from two different workstations
  • Both administrators use the same admin credentials
  • Administrator A loads the VPM and saves policy A
  • Administrator B loads the VPM and saves policy B
  • Policy A is lost, and no longer applied to proxied traffic.

Resolution

By looking at the event log, you can observe that there are several administrator IP addresses found that might be the issue one saved the VPM after the second machined loaded the VPM policy. To avoid this, reload the VPM with new policy file before making the second save on policy 2.

2014-12-29 19:03:04+05:30IST "Config admin at 172.x.13.97 'admin', installed new VPM Policy File and VPM XML File (with 8 warnings)." 0 140002:7D cli_parse.hpp:268
2014-12-30 12:36:46+05:30IST "Config admin at 172.x.13.171 'admin', installed new VPM Policy File and VPM XML File (with 8 warnings)." 0 140002:7D cli_parse.hpp:268
2014-12-30 14:11:30+05:30IST "Config admin at 172.x.13.171 'admin', installed new VPM Policy File and VPM XML File (with 8 warnings)." 0 140002:7D cli_parse.hpp:268
2014-12-30 16:49:20+05:30IST "Config admin at 172.x.13.218 'admin', installed new VPM Policy File and VPM XML File (with 8 warnings)." 0 140002:7D cli_parse.hpp:268
2014-12-30 16:59:46+05:30IST "Config admin at 172.x.13.218 'admin', installed new VPM Policy File and VPM XML File (with 8 warnings)." 0 140002:7D cli_parse.hpp:268
 

Workaround

Multiple users working on VPM at the same time is NOT recommended.

VPM is an applet, a framework designed to create XML code from VPM.
In order to display rules, the VPM applet needs to query the SG for the current policy. It does that ONLY at the time that VPM is opened, it won't refresh policy while VPM is open (until you install the policy).

So for example you have 2 users:
- User A and B both open VPM, meaning both see the same rules because VPM was opened at the same time.
- User A now makes a policy change and installs policy.
- User B also makes a policy change and installs policy a few minutes later.
- Policy A will have installed
- Policy B will have installed, overwriting Policy A.

The reason that policy B will overwrite A is that when user B made the changes, he made them based on the policy that the SG had at the time of launching VPM. When this policy is installed, it will take that policy as a basis that was active when VPM was launched. Effectively this means that you can't have 2 users making VPM changes at the same time.

To avoid this, reload the VPM with new policy file before making the second save on policy 2.