NSM sends email alerts stating "Device has been locally modified".
Description
NSM sends email alerts stating "Warning : Device XXXX has been locally modified. Please synchronize your NSM with the Firewall"
XXXX is the firewall name and serial.
Cause
Firewall may not be generating all the Audit logs. There are many reasons why these alerts will be generated.
Following may be the reasons:
1. Introduction of new tags in a new firmware (seen after reboot of firmware upgrade)
2. Built-in automatic prefs correction code (for known corruption detected/fixed by firmware on reboot; disable/enable NAT policies)
3. System-added entries upon bootup that requires saving (possible items: FQDN address objects, DHCP WAN, etc)
4. Security Services changes (DB updates, license expiration)
5. AppFlow changes
6. Module detection (add/remove modules)
7. User password update (updates via GVC or other authentication methods)
These changes are by design from firmware side not from NSM. NSM is getting alerts as we are getting "Locally changed" flag from the firewall for one of above reasons.
NSM generates alerts for "Unit Locally Modified" when it receives the heartbeat message from the firewall with the "unsynched" flag set. The firewall sets "unsynched" flag whenever any of the above mentioned changes takes place on the firewall or if there are any manual configuration change done.
This is a sample heartbeat message sent by a firewall to NSM:
<134> id=firewall sn=XXXXXXXXXXXX mgmtip=1.1.1.1 time="2019-11-26 19:24:33 UTC" fw=1.1.1.1 m=96 n=67343 i=60 lic=0 unsynched=1896162 pt=80.9090 usestandbysa=0 dyn=p.e ai=1 fwlan=192.168.1.254 conns=791
NOTE: Here "sn" is the firewall serial.