ktankink
Employee
Message 11 of 16

Re: ENS Firewall extension 10.7.0.843 issue or limitation?

Hi @brentil, please see the KB below.

KB94226 - Unable to edit a policy that contains a Subnet value using CIDR notation
https://kc.mcafee.com/corporate/index?page=content&id=KB94226

brentil
Reliable Contributor
Message 12 of 16

Re: ENS Firewall extension 10.7.0.843 issue or limitation?

Excellent, subscribed to the article for upcoming resolution.  

ezim
Level 9
Message 13 of 16

Re: ENS Firewall extension 10.7.0.843 issue or limitation?

Hello @ktankink ,

Have you guys got an estimate on when this issue is likely to be fixed?

I'd rather not implement workarounds or reconfigure firewall rules if a fix is to be expected soon.

 

Thank you

ktankink
Employee
Message 14 of 16

Re: ENS Firewall extension 10.7.0.843 issue or limitation?

Hi @ezim, I can't share an exact date, but this is tentatively scheduled for a late April fix. I would recommend implementing the workaround though, as it's just a single file replacement and it doesn't require anything special beyond that. Simply reloading the ePO Policy Catalog page for ENS Firewall will implement the workaround for the issue with the new ip.js file from the KB (e.g., no need to restart ePO services, etc.).

Or avoid using any Subnet CIDR values in your firewall rules for now.  Alternatively, you can also use Subnet Range values instead and they would still be the same subnet entries as defined with CIDR notation values.
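
The Subnet Range alternative mentioned in message 14, as an added example that is not part of the original thread and not McAfee's code: it converts CIDR entries to equivalent first/last ranges and flags entries whose host bits are set for manual review. The entry list is constructed, and the `first-last` output format is an assumption; enter the two addresses in whatever form your ePO console expects.

```python
import ipaddress

# Constructed sample of firewall rule network entries (not taken from the thread).
SAMPLE_ENTRIES = [
    "192.168.10.0/24",
    "10.20.0.0/14",
    "172.16.5.9",                # single address, left as is
    "192.0.2.128-192.0.2.191",   # already a range, left as is
    "10.1.2.3/24",               # host bits set: not a clean subnet
    "2001:db8:abcd::/48",
]

def cidr_to_range(cidr):
    """Return (first, last) address strings spanning exactly the CIDR block."""
    # strict=True raises ValueError when host bits are set, instead of
    # silently rounding down to a network the rule author may not have meant.
    net = ipaddress.ip_network(cidr.strip(), strict=True)
    return str(net[0]), str(net[-1])

def same_addresses(cidr, first, last):
    """True if first..last covers the same addresses as the CIDR block."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return list(blocks) == [ipaddress.ip_network(cidr)]

def rewrite_entries(entries):
    """Convert CIDR entries to ranges; return (converted, needs_review)."""
    converted, needs_review = [], []
    for entry in (e.strip() for e in entries):
        if "/" not in entry:
            converted.append(entry)  # not CIDR notation, keep unchanged
            continue
        try:
            first, last = cidr_to_range(entry)
        except ValueError as exc:
            needs_review.append((entry, str(exc)))
            continue
        if not same_addresses(entry, first, last):
            raise RuntimeError(f"range mismatch for {entry}")
        converted.append(f"{first}-{last}")
    return converted, needs_review

if __name__ == "__main__":
    converted, needs_review = rewrite_entries(SAMPLE_ENTRIES)
    for line in converted:
        print(line)
    for entry, reason in needs_review:
        print(f"REVIEW {entry}: {reason}")
```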

ezim
Level 9
Message 15 of 16

Re: ENS Firewall extension 10.7.0.843 issue or limitation?

Hello @ktankink 

Thank you for your reply.

Am I correct in thinking then, that the issue only occurs if you try to update a firewall policy or "Firewall Catalog - Network" entry after the extension has been updated to 10.6.1.1489 (Feb 21 update) and the ip.js file has not been replaced?

KB94226 mentions exporting the FW policies and, after replacing the ip.js file, importing them again.
Is this only necessary if you've already got "broken" policies?

ktankink
Employee
Message 16 of 16

Re: ENS Firewall extension 10.7.0.843 issue or limitation?

Hi @ezim 

  • The issue (affecting FW policies or Catalog entries) only occurs after you upgrade to the ENS 10.6.1 or 10.7 Feb2021 Extension Update (and if the KB ip.js file is not implemented).
  • The ip.js file replacement is to prevent the issue from occurring and includes the same fix that will be in the future solution.
  • Having an export of the Firewall policies, or a good ePO database backup, is suggested anytime changes are being made to the ePO server.
  • If any firewall policies are affected by this issue, they will need to be corrected by McAfee Support.  The workaround/solution does not fix any affected policies.
  • Alternatively, if you have a backup of the Firewall policies, you can restore those policies back to an unaffected state.
  • If you don't have the KB94226 ip.js file replacement: avoid using the Subnet CIDR values.
  • If you do have the KB94226 ip.js file replacement: fix the affected firewall policies (either through restoring backups or via McAfee Support) and continue using the Subnet CIDR values.