I have found a problem with a couple of indirect where used results.
It started when we were trying to do the indirect where used via the API call and after a period of time we would get the error "Management server failed to execute command".
I then tried in SmartConsole and while it doesn’t error in SmartConsole the results didn't seem to be correct and also seem to hit the max limit of 500 objects and 500 policy results?
After looking at the results in SmartConsole however I think I have worked out the problem. I am trying to do an indirect where-used on 2 DNS server objects to find all rules they used on. However these 2 DNS servers are also specified on two different cluster gateway objects as the Office Mode DNS servers.
So what it looks like it is doing, due to being an indirect where used, is including all locations where those two gateways are also used. This explained why results including Host & Network objects (Gateway used on NAT tab), many rules where Gateways where listed as Install On, and many others.
While technically valid I am not sure this is what most people would be expecting?
So I have a few things I would like to see improved:
- Firstly that the API command doesn't return an error. As very min it should just return the same results as SmartConsole limited to 500 objects & policies or with some form of paging.
- Either change where used default behavior or add option to exclude following these types of indirect usages. Only time results of a Gateway I think should be included is when that is the starting point. I don't think indirect where use should follow Gateways. The Gateway object itself should be returned but not followed as part of the indirect searching.
- If this is a 500 limit in SmartConsole this should at min be made clear with a warning or some form of paging done to get the rest of the results.