Modifying Secure Webfilter policies causes a sync suspended error of 'Networks' - Modifying-CP-Secure-Webfilter-policies-causes-a-sync-suspended-error-of-Networks/Modifying-Secure-Webfilter-policies-causes-a-sync-suspended-error-of-Networks

Modifying Secure Webfilter policies causes a sync suspended error of 'Networks'
NetCloud Feature
Security
ft:locale
en-US
ft:sourceName
Salesforce
allViewCount
2839
Document Type
Article

After modifying Secure Web Filter policies, device goes into a sync-suspended state with error of 'Networks'

Affected Platforms - all
Affected Releases - all

When custom categories are created at the Group level, they are not automatically referenced in the Group configuration. As a result, devices in the Group create device-level configurations that map the custom categories to policies. If the policies are subsequently removed from the Group, the device-level configuration persists but lacks appropriate mapping. This creates a sync-suspended state in NCM.Resolution: 
  • Upgrade to NCOS 7.21.40

Workaround to avoid failure condition:
When adding a new category in group configuration, also add a reference to that category in each policy. Then policies can be deleted in group configuration without issue. See "Additional Information" for details on this process.

Workaround to recover from failure condition:
Remove offending device-level configuration. This can be achieved by either:
  1. Clearing the device-level configuration via NCM -OR-
  2. Deleting the offending configuration using the API (Patch delete of webroot policies)

Steps to avoid this failure condition:

  1. In the group configuration, add a custom category.
  2. In the Web Filter Policies section, edit each policy to reference the new custom category:
    1. if the custom category is a allowlist, verify the action for the custom category is "Allow" (default action). Then click "Save" in the policy and then "Save" in the general Cloud-Based Filtering/Security section.
    2. if the custom category is a blocklist, verify the action for the custom category is "Block". Then click "Save" in the policy and then "Save" in the general Cloud-Based Filtering/Security section.
Group configuration will now contain both the new custom category definition as well as references to that custom category in the policy section.

######################

Steps to create this failure condition:

  1. Create a group with two CPSWF policies.
  2. Move a device into that group; device now has both policies.
  3. In the group configuration, add a custom category; wait for device to sync.
  4. In the group configuration, delete policy two.
  5. Device will become "Sync Suspended" in NCM