Known Issues
This section lists the known issues in Security Director Release
17.2R2.
For the most complete and latest information about known Security
Director defects, use the Juniper Networks online Junos Problem Report Search application.
- Grid column filter does not work for Internet Explorer 11. PR1161079
- Cluster devices are discovered in different domains. PR1162407
- After you upgrade Security Director, the custom column is not
visible in the firewall rule grid. PR1256789
- You must manually synchronize NSX with the vCenter server to
view the latest restart or power off status. PR1285312
- The global search for a dynamic address group does not work
as expected. PR1285893
- Any Service Groups notification sent from NSX to Security Director
triggers an RPC update job for each vSRX device, instead of a single
job with all the related vSRX devices. PR1288407
- If there is a change in the login password of NSX Manager, vCenter,
or Junos Space, then use the Edit NSX Manager page in Security Director
to modify the login password information. Otherwise, synchronization
of NSX Manager and the update of dynamic address groups fail. PR1291965
- If NSX is integrated with Security Director, several login and
logout entries are observed in the audit log. PR1291972
- If you delete an NSX service, the associated firewall or IPS
policies created by Security Director are also deleted. If you need
a copy of the NSX-created group firewall or IPS policies, you must
clone them manually before deleting the NSX service. PR1291974
- As Security Director is not aware of the IDP licenses installed
on the NSX Manager with vSRX VM, you must perform the full probe during
the installation of the IDP signature. PR1291977
- If the Policy Enforcer VM is down or the NSX services are down
when there is a change in the service group membership in NSX, you
cannot trigger an event to vSRX to poll for the latest service group
members from the feed server. PR1295882
Workaround: Perform one of the following actions to trigger
events to vSRX instances:
- If you go directly to the summary page of the setup wizard,
the summary page might appear blank. As a workaround, follow each
step in the guided setup. PR1309366
- After upgrading to Security Director Release 17.1R2 and Policy
Enforcer Release 17.1R2 from Security Director Release 17.1R1, when
you add a new NSX Manager, intermittently the dynamic address groups
are not seen in the firewall rule source and destination address.
Workaround: Perform the following steps:
- Restart the NSX microservice by using the service
nsxmicro restart command in Policy Enforcer.
- Perform a manual synchronization of NSX Manager from the
user interface.
You should now see all the dynamic address groups in the source
and destination addresses of a firewall rule. PR1310322
- When you install the Junos OS Release 17.4 schema on a
Junos Space server, publish or update operations might fail on SRX
Series platforms when UTM custom objects are present as part of the
configuration.
Workaround: Restart JBoss. PR1330089
- Application firewall OCR fails when the OVER WRITE option is selected.
Workaround: You can choose the RE_NAME option and proceed with
the rollback or import. PR1324941
- When you try to add device-specific values for child domains
in variable addresses or zones, the changes are not saved in the user
interface. PR1330389
- NAT pool is not shown in the OCR screen if the used address
has conflicts. PR1330392
- The metadata feed server requires manual restart of the
secmgt-skyatp-proxy service when Security Director is installed or
upgraded. PR1330400
Workaround: After Security Director Release 17.2R1 is installed
or upgraded, restart the following services manually:
- service secmgt-skyatp-proxy stop
- service secmgt-skyatp-proxy start
- NAT policy fails to be imported into Security Director. PR1340682
- In the Threat Prevention Policy page, triggering a rule
analysis might display an error such as: "An error occurred while triggering
the rule analysis. Please try again later." PR1331439
Workaround 1: Click the Update Required or View Analysis link
after some time. It will successfully trigger the rule analysis.
Workaround 2: If the problem persists, select Configure > Firewall Policy > Policies. Select the device
and click Publish & Update. After this, try the threat
prevention policy push again by clicking the Update Required or View Analysis
link.
For known issues in Policy Enforcer, see Policy Enforcer Release Notes.