Failed to edit IDPS profile in NSX-T due to error "Invalid Signature IDs" after updating IDS Signature set
Article ID: 322591
Updated On:
Products
VMware NSX Networking
Issue/Introduction
Symptoms:
- You are running NSX-T version 3.1.3.7.
- You are not able to edit IDPS profile.
- You have updated the IDPS signature set.
- Override Signatures are not present in active bundle.
- You receive error when running PUT API:
PUT /policy/api/v1/infra/settings/firewall/security/intrusion-services/profiles/<profile-id>
Response:
{
"httpStatus": "BAD_REQUEST",
"error_code": 523669,
"module_name": "Policy",
"error_message": "Invalid Signature IDs [1116076] passed in IDS Profile /infra/settings/firewall/security/intrusion-services/profiles/SR."
}
Response:
{
"httpStatus": "BAD_REQUEST",
"error_code": 523669,
"module_name": "Policy",
"error_message": "Invalid Signature IDs [1116076] passed in IDS Profile /infra/settings/firewall/security/intrusion-services/profiles/SR."
}
Environment
VMware NSX-T Data Center
VMware NSX-T Data Center 3.x
VMware NSX-T Data Center 3.x
Cause
The NSX UI is not removing the signatures which are not present in the active bundle.
Resolution
This issue is resolved in NSX-T version 3.2.3 available at VMware Downloads.
Workaround:
1. The following API can be used remove these invalid signatures from the IDPS profile.
Once the invalid signature has been removed from the output, copy the remaining output and run PUT API /policy/api/v1/infra/settings/firewall/security/intrusion-services/profiles/<profile-id> with this as the payload, to remove the invalid signature from the IDPS profile.
Below is an example of the payload to be used with the above PUT API:
Workaround:
1. The following API can be used remove these invalid signatures from the IDPS profile.
First get the IDPS profile using the API call:
GET /policy/api/v1/infra/settings/firewall/security/intrusion-services/profiles/<profile-id> .
Then copy the response/payload of the GET API output and find the invalid signature.
Once the invalid signature has been found, delete the Invalid signature from the payload.
Run the below PUT API again using the updated payload to update the IDPS profile.
PUT /policy/api/v1/infra/settings/firewall/security/intrusion-services/profiles/<profile-id>
GET /policy/api/v1/infra/settings/firewall/security/intrusion-services/profiles/<profile-id> .
Then copy the response/payload of the GET API output and find the invalid signature.
Once the invalid signature has been found, delete the Invalid signature from the payload.
Run the below PUT API again using the updated payload to update the IDPS profile.
PUT /policy/api/v1/infra/settings/firewall/security/intrusion-services/profiles/<profile-id>
Example:
The below is an example of an output you should see when running GET /policy/api/v1/infra/settings/firewall/security/intrusion-services/profiles/<profile-id>.
Once you get this output remove the invalid signature.
This scenario what we want to remove is highlighted in bold as seen below.
Once you get this output remove the invalid signature.
This scenario what we want to remove is highlighted in bold as seen below.
{
"profile_severity": [
"HIGH",
"MEDIUM",
"LOW",
"SUSPICIOUS",
"CRITICAL"
],
"overridden_signatures": [
{
"marked_for_delete": false,
"overridden": false,
"action": "ALERT",
"signature_id": "1116076",
"enable": true,
"_protection": "NOT_PROTECTED"
}
],
"resource_type": "IdsProfile",
"id": "SR",
"display_name": "SR",
"path": "/infra/settings/firewall/security/intrusion-services/profiles/SR",
"relative_path": "SR",
"parent_path": "/infra",
"remote_path": "",
"unique_id": "b60c6660-bd7e-4d85-826a-ca11028631e8",
"realization_id": "b60c6660-bd7e-4d85-826a-ca11028631e8",
"owner_id": "aa4dc826-3c88-400e-95c3-caaaff6e9a4a",
"origin_site_id": "aa4dc826-3c88-400e-95c3-caaaff6e9a4a",
"marked_for_delete": false,
"overridden": false,
"_create_time": 1677731180496,
"_create_user": "admin",
"_last_modified_time": 1677731607733,
"_last_modified_user": "admin",
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_revision": 5
}
"profile_severity": [
"HIGH",
"MEDIUM",
"LOW",
"SUSPICIOUS",
"CRITICAL"
],
"overridden_signatures": [
{
"marked_for_delete": false,
"overridden": false,
"action": "ALERT",
"signature_id": "1116076",
"enable": true,
"_protection": "NOT_PROTECTED"
}
],
"resource_type": "IdsProfile",
"id": "SR",
"display_name": "SR",
"path": "/infra/settings/firewall/security/intrusion-services/profiles/SR",
"relative_path": "SR",
"parent_path": "/infra",
"remote_path": "",
"unique_id": "b60c6660-bd7e-4d85-826a-ca11028631e8",
"realization_id": "b60c6660-bd7e-4d85-826a-ca11028631e8",
"owner_id": "aa4dc826-3c88-400e-95c3-caaaff6e9a4a",
"origin_site_id": "aa4dc826-3c88-400e-95c3-caaaff6e9a4a",
"marked_for_delete": false,
"overridden": false,
"_create_time": 1677731180496,
"_create_user": "admin",
"_last_modified_time": 1677731607733,
"_last_modified_user": "admin",
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_revision": 5
}
Once the invalid signature has been removed from the output, copy the remaining output and run PUT API /policy/api/v1/infra/settings/firewall/security/intrusion-services/profiles/<profile-id> with this as the payload, to remove the invalid signature from the IDPS profile.
Below is an example of the payload to be used with the above PUT API:
{
"profile_severity": [
"HIGH",
"MEDIUM",
"LOW",
"SUSPICIOUS",
"CRITICAL"
],
"overridden_signatures": [
],
"resource_type": "IdsProfile",
"id": "SR",
"display_name": "SR",
"path": "/infra/settings/firewall/security/intrusion-services/profiles/SR",
"relative_path": "SR",
"parent_path": "/infra",
"remote_path": "",
"unique_id": "b60c6660-bd7e-4d85-826a-ca11028631e8",
"realization_id": "b60c6660-bd7e-4d85-826a-ca11028631e8",
"owner_id": "aa4dc826-3c88-400e-95c3-caaaff6e9a4a",
"origin_site_id": "aa4dc826-3c88-400e-95c3-caaaff6e9a4a",
"marked_for_delete": false,
"overridden": false,
"_create_time": 1677731180496,
"_create_user": "admin",
"_last_modified_time": 1677731607733,
"_last_modified_user": "admin",
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_revision": 5
}
"profile_severity": [
"HIGH",
"MEDIUM",
"LOW",
"SUSPICIOUS",
"CRITICAL"
],
"overridden_signatures": [
],
"resource_type": "IdsProfile",
"id": "SR",
"display_name": "SR",
"path": "/infra/settings/firewall/security/intrusion-services/profiles/SR",
"relative_path": "SR",
"parent_path": "/infra",
"remote_path": "",
"unique_id": "b60c6660-bd7e-4d85-826a-ca11028631e8",
"realization_id": "b60c6660-bd7e-4d85-826a-ca11028631e8",
"owner_id": "aa4dc826-3c88-400e-95c3-caaaff6e9a4a",
"origin_site_id": "aa4dc826-3c88-400e-95c3-caaaff6e9a4a",
"marked_for_delete": false,
"overridden": false,
"_create_time": 1677731180496,
"_create_user": "admin",
"_last_modified_time": 1677731607733,
"_last_modified_user": "admin",
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_revision": 5
}
2. On the NSX-T UI the locally modified signatures can be updated by changing the IDPS profile criteria.
Feedback
Yes
No
Powered by
