Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation  Back up to About Overview 

Known Issues

  • If you have access permissions for a firewall or NAT policy but do not have the permission to create objects, you cannot configure address, service, and other objects in the firewall or NAT policy. PR1140318
  • If you configure the inactivity timeout parameter as never and, instead of logging out of the session, close the browser, your session is shown as active until you log out. PR1152754
  • After you upgrade Security Director, only superusers can view the data in dashboard and event viewer.

    Workaround: Enable the View device logs permission under Event Viewer. PR1159530

  • Grid column filter is not working in Internet Explorer 11 browser. PR1161079
  • Cluster devices are discovered in different domains. PR1162407
  • Upgrading Log Collector or Indexer from Security Director Release 15.2R1 to Security Director Release 15.2R2 does not update the version as expected. Log Collector is upgraded from Security Director Release 15.2R1 to Security Director Release 15.2R2. However, the version is displayed as Security Director Release 15.2R1 on the Security Director > Administration > Logging Management > Logging nodes page. PR1182608
  • When you invoke monitoring pages and the Top Compromised hosts dashboard widget, the An Error occurred while requesting the data error is displayed. PR1239956
  • Custom column is not visible in the firewall rule grid after a Security Director upgrade. PR1256789
  • The Top Compromised hosts widget in dashboard might not list all the realms. PR1262410
  • The uploaded schema TAR file must be in the /dmi/<device-type>/releases/<schema-version>/ folder. If the TAR is not in that folder, then although the installation is a success, the loading of the schema fails and, as a result, the Modify Configuration page does not load. PR1268413
  • You must manually synchronize NSX with the vCenter server to view the latest status. PR1285312
  • The global search for a dynamic address group does not work as expected. PR1285893
  • Any Service Groups notification sent from NSX to Security Director triggers an RPC update job for each vSRX device, instead of a single job with all the related vSRX devices. PR1288407
  • If there is a change in the login password of NSX Manager, vCenter, or Junos Space, use the Edit NSX Manager page in Security Director to modify the login password information. Otherwise, synchronization of NSX Manager and updating of dynamic address groups fail. PR1291965
  • If NSX is integrated with Security Director, you will see several login and logout entries in the audit log. PR1291972
  • Because Security Director is not aware of the IDP licenses installed on the NSX with vSRX device, you must perform the full probe during the installation of the IDP signature. PR1291977
  • If you add NSX Manager and deploy the Juniper Networks services before Security Director installs the IDP signatures, vSRX device is discovered. However, you must install the IDP signature offline, create the IDP policy, and assign the NSX-vSRX devices. PR1291979
  • When you add NSX Manager and deploy Security Director as a service manager in NSX, the audit log shows the Policy Enforcer IP address as the currently logged-in user. At the back end, the communication between NSX and Security Director happens through the REST API. PR1293841
  • If the Policy Enforcer VM is down or the NSX services are down when there is a change in the service group membership in NSX, you cannot trigger an event to vSRX to poll for the latest service group members from the feed server. PR1295882

    Workaround: Perform one of the following actions to trigger events to vSRX devices:

    • Modify the description of the service group when the services or Policy Enforcer VM is down.
    • Login to the vSRX device using the SSH command and execute the following command:

      request security dynamic-address update address-name Dynamic-Address-Name

  • During the Aruba ClearPass configuration, if you want to add user-query and no-user-query parameters at the same time, you must clear the Aruba ClearPass node completely and configure again.
  • After the NSX discovery, you can view the VM details. However, if you click View Networks, only Network Adaptors are listed but the corresponding IPv4 and IPv6 addresses are not shown.

    Workaround: You must install VMware tools in all the VM payloads. PR1281873

  • After the NSX discovery, you can view a list of service groups and corresponding dynamic address groups. However, if you click View members of any service group, the corresponding members of that selected service group is not shown. PR1281871
  • If you delete a NSX service, the associated firewall or IPS policies created by Security Director are also deleted. If you need a copy of the NSX created group firewall or IPS policies, you must clone them manually, before deleting the NSX service. PR1291974
  • While upgrading Policy Enforcer Release 17.1R1 to Policy Enforcer Release 17.1R2, blocked host in switch is not getting cleared and firewall filters configured in switches are not cleared.

    Workaround: Before the upgrade, manually resolve all the hosts as Resolved in the monitoring screen. After the upgrade, revert the status of Host Investigation to Open. This will reapply the firewall filters on to the switch. PR1309908

  • After upgrading to Security Director Release 17.1R2 and Policy Enforcer Release 17.1R2 from Security Director Release 17.1R1, when you add a new NSX, intermittently the dynamic address groups are not seen in firewall rule source and destination address.

    Workaround: Perform the following:

    1. Restart the NSX microservice using the service nsxmicro restart command in Policy Enforcer.
    2. Perform a manual synchronization of NSX from the user interface.

      You must see all the dynamic address groups in the source and destination addresses of a firewall rule. PR1310322

  • Unable to update reth interface speed from Security Director. Device update fails due to wrong CLI.

    Workaround: Configure reth interface speed directly from Device. To discard reth speed changes already made on Security Director user interface, use NMP schema based editor approve and deploy workflow. You can start updating device for other pending configuration. PR1296675

  • In the default mode, when you go through the general setup wizard, blank page is shown in summary and user is unable to click OK. To exit, you need to cancel the wizard.

    Workaround: Go through each of the guided setup pages in sequence. PR1309366

  • While upgrading to 17.1R2 from 16.1R1 or 16.2R1, data migration is not supported on multimode Log Collector. PR1309790
  • On rebooting JA2500 Log Collector, eth1 interface configuration is lost . PR1310033
  • Enrolling devices to Sky ATP through Policy Enforcer takes an average of four minutes to complete. Enrolling devices are done serially, not in parallel. [PR 1222713]
  • The first time you open the Monitoring pages, you will receive an Error occurred while requesting the data message. This also happens the first time you open the Top Compromised Host dashboard widget. As a workaround, click your browser refresh button to refresh the page and display the information. [PR 1239956]
  • The top compromised hosts widget in the dashboard does not list all the realms. As a workaround, drag and drop another top compromised host widget to the dashboard to display all realms. [PR 1262410]
  • Connectors assigned to a site cannot be deleted. You must first unassign it from the site and then go to the Connectors window (Administration > Policy Enforcer > Connectors) to delete it.
  • An infected host can be blocked using a custom feed, however there is no UI to indicate that the host is blocked. To unblock the infected host, remove its IP address from the custom feed. [PR 1292394]
  • You can configure only one Radius server as a controller for a connector. [PR 1287908]
  • When an SRX Series device is used as a Layer 3 gateway for a given host or subnet and a switch is part of the Secure Fabric, the block and unblock actions may fail when the PEG is created with the location group type. As a workaround, create the PEG with the IP/Subnet group type and associate that PEG to the threat prevention policy. [PR 1296535]
  • Even when a device is unavailable (for example, the device is down), the removal of the device or site from the realm may state it as a successful dis-enroll.
  • Adding the Malware Top Identified, File Categories Top Infected, File Categories Top Scanned, and Source Locations C & C Server and Malware dashlets to the dashboard before configuring Policy Enforcer or Sky ATP realms in Security Director, causes the dashboard not to save any dashlets that are added. The dashlets do not appear on the dashboard after navigating to other pages or if you logout and login back.

    Workaround: Do one of the following steps:

    • If a Sky ATP or Policy Enforcer setup is not available, delete the dashboard having the Malware Top Identified, File Categories Top Infected, File Categories Top Scanned, and Source Locations C&C Server and Malware widgets, and refresh the page.
    • If a Sky ATP or Policy Enforcer setup is available, configure Policy Enforcer under Administration > Policy Enforcer > Settings in Security Director. Once Policy Enforcer is configured successfully, add a minimum of one realm in Sky ATP Realms page under Configure > Threat Prevention > Sky ATP Realms in Security Director. Refresh the dashboard widgets again.
  • If you entered incorrect credentials in the Realm window, the OK button is disabled. As a workaround, close this window, re-open it and enter your correct credentials. [1310817]
  • After upgrading the Policy Enforcer software, logs are incorrectly appended to the latest logs (config_server.log.1) instead of following the log file rotation method. [1310695]
  • Disenrolling the site in the infected custom feed does not remove the firewall filters from the switch for IP addresses that are in the custom feed. As a workaround, remove all the IPs from the custom feed and then disenroll the site from the Infected host feed page. [1309819]
  • In a multi-site scenario with a Radius server as the DOT1X for AAA services, assigning all sites and the enforcement points ( firewalls and switches) within a single Sky ATP realm may cause issues in picking the correct threat prevention infected host policy. As a workaround, after creating a connector for the Radius Controller and assigning it to all the sites, register or create a unique Sky ATP realm and associate it with a site. [1309881]
  • When multiple sites are configured with multiple realms (and all sites have connectors), the Sky ATP policy overwrites all SRX Series devices in the site instead of the specific SRX Series device. [1308737]
  • If you go directly to the summary page instead of following each step in the guided setup, the summary page may appear blank. As a workaround, go follow each step in the guided setup. [1309366]
  • You cannot delete the configuration for an SRX Series device when the threat prevention policy is associated with multiple PEGS. [1309383]
  • Resolving an infected host fails when there is no endpoint session available in the Radius server. [1311081]
  • The following minor UI issues are present:
    • For connectors with IP subnets, sometimes the subnets cannot be moved to available.
    • When you modify a threat prevention policy, the GeoIP state changes from updated to assign to groups. The state should be maintained.
    • Deleting a realm displays an OK message with a red notification window or popup. [1310813]
  • The third-party adapter package for KVM displays version 17.1R1 instead of 17.1R2. For example:

    [user@host]# cat /etc/redhat-release

    CentOS release 6.8 (Final)

    Policy Enforcer Package Version: 17.1R2-3-

    3rd Party Adapter Package Version: 17.1R1-24

Modified: 2017-10-04