Known Issues

  • If you have access permissions for a firewall or NAT policy but do not have the permission to create objects, you cannot configure address, service, and other objects in the firewall or NAT policy. PR1140318
  • If you configure the inactivity timeout parameter as never and, instead of logging out of the session, close the browser, your session is shown as active until you log out. PR1152754
  • After you upgrade Security Director, only superusers can view the data in dashboard and event viewer.

    Workaround: Enable the View device logs permission under Event Viewer. PR1159530

  • The grid column filter does not work in the Internet Explorer 11 browser. PR1161079
  • Cluster devices are discovered in different domains. PR1162407
  • Upgrading Log Collector or Indexer from Security Director Release 15.2R1 to Security Director Release 15.2R2 does not update the version as expected. Log Collector is upgraded from Security Director Release 15.2R1 to Security Director Release 15.2R2. However, the version is displayed as Security Director Release 15.2R1 on the Security Director > Administration > Logging Management > Logging nodes page. PR1182608
  • When you invoke monitoring pages and the Top Compromised hosts dashboard widget, the error message An Error occurred while requesting the data is displayed. PR1239956
  • Custom column is not visible in the firewall rule grid after a Security Director upgrade. PR1256789
  • The Top Compromised hosts widget in dashboard might not list all the realms. PR1262410
  • The uploaded schema TAR file must be in the /dmi/<device-type>/releases/<schema-version>/ folder. If the TAR is not in that folder, then although the installation is a success, the loading of the schema fails and, as a result, the Modify Configuration page does not load. PR1268413
  • You must manually synchronize NSX with the vCenter server to view the latest status. PR1285312
  • The global search for a dynamic address group does not work as expected. PR1285893
  • Any Service Groups notification sent from NSX to Security Director triggers an RPC update job for each vSRX device, instead of a single job with all the related vSRX devices. PR1288407
  • If there is a change in the login password of NSX Manager, vCenter, or Junos Space, use the Edit NSX Manager page in Security Director to modify the login password information. Otherwise, synchronization of NSX Manager and updating of dynamic address groups fail. PR1291965
  • If NSX is integrated with Security Director, you will see several login and logout entries in the audit log. PR1291972
  • Because Security Director is not aware of the IDP licenses installed on the NSX with vSRX device, you must perform the full probe during the installation of the IDP signature. PR1291977
  • If you add NSX Manager and deploy the Juniper Networks services before Security Director installs the IDP signatures, the vSRX device is discovered. However, you must install the IDP signature offline, create the IDP policy, and assign the NSX-vSRX devices. PR1291979
  • When you add an NSX Manager that has more than 100 security groups, a proxy timeout error is shown on the Security Director UI. You can ignore this error because NSX Manager is already added to Security Director. Discard the Add NSX Manager page and manually synchronize the newly added NSX Manager. PR1292036
  • When you add NSX Manager and deploy Security Director as a service manager in NSX, the audit log shows the Policy Enforcer IP address as the currently logged-in user. At the back end, the communication between NSX and Security Director happens through the REST API. PR1293841
  • If Policy Enforcer is not configured in Security Director and you access the NSX Manager or vCenter page, the page loading icon is shown indefinitely. PR1294177
  • RPC jobs are triggered for all the vSRX devices across services, on the same NSX Manager. PR1294566
  • If you create firewall rules for group policies on multiple NSX Managers, and publish and update the firewall policies of all the vSRX devices belonging to the NSX Managers, then the auto redirect rule is created for only one NSX Manager and it fails for the other NSX Managers. PR1294568
  • If the Policy Enforcer VM is down or the NSX services are down when there is a change in the service group membership in NSX, you cannot trigger an event to vSRX to poll for the latest service group members from the feed server. PR1295882

    Workaround: Perform one of the following actions to trigger events to vSRX devices:

    • Modify the description of the service group when the services or Policy Enforcer VM is down.
    • Log in to the vSRX device using SSH and execute the following command:

      request security dynamic-address update address-name Dynamic-Address-Name

  • During the Aruba ClearPass configuration, if you want to add user-query and no-user-query parameters at the same time, you must clear the Aruba ClearPass node completely and configure again.
  • If the vSRX device is down or is rebooting, traffic still flows across VMs in NSX.

    Workaround: Double-click the Juniper service in the VMware vCenter and select the service instance in the left pane. In the right pane, under the Manage tab, change the failOpen key value from True to False. PR1296801

  • Enrolling devices to Sky ATP through Policy Enforcer takes an average of four minutes to complete. Devices are enrolled serially, not in parallel. [PR 1222713]
  • The first time you open the Monitoring pages, you will receive an Error occurred while requesting the data message. This also happens the first time you open the Top Compromised Host dashboard widget. As a workaround, click your browser refresh button to refresh the page and display the information. [PR 1239956]
  • The top compromised hosts widget in the dashboard does not list all the realms. As a workaround, drag and drop another top compromised host widget to the dashboard to display all realms. [PR 1262410]
  • A connector assigned to a site cannot be deleted. You must first unassign it from the site and then go to the Connectors window (Administration > Policy Enforcer > Connectors) to delete it.
  • If a vSRX is properly enrolled in Sky ATP and you create a site within Policy Enforcer with that vSRX and a connector, the secure fabric page for that site shows the vSRX enroll status as failed. [PR 1284258]
  • An infected host can be blocked using a custom feed; however, there is no UI to indicate that the host is blocked. To unblock the infected host, remove its IP address from the custom feed. [PR 1292394]
  • If a site is created with a CPPM connector, the site can be created only based on a location-based policy enforcement group. It cannot be created with an IP-based policy enforcement group. [PR 1288247]
  • You can configure only one Radius server as a controller for a connector. [PR 1287908]
  • Moving the C&C Threat Score slider in the Threat Prevention Policy window (Configure > Threat Prevention > Policy), for example from 10 to 8, may cause the Actions dropdown menu to appear empty. Click the arrow in the Actions menu to see the options. [PR 1296098]
  • Removing a site from a realm may remove the SRX Series device from the Secure Fabric site. As a workaround, re-add the device to the site. [PR 1295460]
  • When an SRX Series device is used as a Layer 3 gateway for a given host or subnet and a switch is part of the Secure Fabric, the block and unblock actions may fail when the PEG is created with the location group type. As a workaround, create the PEG with the IP/Subnet group type and associate that PEG to the threat prevention policy. [PR 1296535]
  • Even when a device is unavailable (for example, the device is down), the removal of the device or site from the realm may be reported as a successful disenrollment.

Modified: 2017-08-01