Known Issues

• If you configure the inactivity timeout parameter as never and, instead of logging out of the session, close the browser, your session is shown as active until you log out. PR1152754

• After you upgrade Security Director, only superusers can view the data in the dashboard and event viewer.

  Workaround: Enable the View device logs permission under Event Viewer. PR1159530

• Grid column filter is not working for the Internet Explorer 11 browser. PR1161079

• Cluster devices are discovered in different domains. PR1162407

• When you invoke monitoring pages and the Top Compromised hosts dashboard widget, the An Error occurred while requesting the data error is displayed. PR1239956

• After you upgrade Security Director, the custom column is not visible in the firewall rule grid. PR1256789

• The Top Compromised hosts widget in the dashboard might not list all the realms. PR1262410

• You must manually synchronize NSX with the vCenter server to view the latest status. PR1285312

• The global search for a dynamic address group does not work as expected. PR1285893

• Any Service Groups notification sent from NSX to Security Director triggers an RPC update job for each vSRX device, instead of a single job with all the related vSRX devices. PR1288407

• If there is a change in the login password of NSX Manager, vCenter, or Junos Space, then use the Edit NSX Manager page in Security Director to modify the login password information. Otherwise, synchronization of NSX Manager and dynamic address groups update, fails.PR1291965

• If NSX is integrated with Security Director, you will see several login and logout entries in the audit log. PR1291972

• If you delete an NSX service, the associated firewall or IPS policies created by Security Director are also deleted. If you need a copy of the NSX created group firewall or IPS policies, you must clone them manually before deleting the NSX service. PR1291974

• As Security Director is not aware of the IDP licenses installed on the NSX with vSRX device, you must perform the full probe during the installation of the IDP signature. PR1291977

• If you add NSX Manager and deploy the Juniper Networks services before Security Director installs the IDP signatures, the vSRX device is discovered. However, you must install the IDP signature offline, create the IDP policy, and assign the NSX-vSRX devices. PR1291979

• If the Policy Enforcer VM is down or the NSX services are down when there is a change in the service group membership in NSX, you cannot trigger an event to vSRX to poll for the latest service group members from the feed server. PR1295882

  Workaround: Perform one of the following actions to trigger events to vSRX devices:

  • Modify the description of the service group when the services or Policy Enforcer VM is down.

  • Log in to the vSRX device using the SSH command and execute the following command:

    request security dynamic-address update address-name Dynamic-Address-Name

• Some Security Director dashboard preferences, such as dashboard widget selections, are not saved across multiple space fabric nodes. They must be configured independently on each node. PR1299082

• While upgrading Policy Enforcer Release 17.1R1 to Policy Enforcer Release 17.1R2, a blocked host, and firewall filters configured in the switches are not cleared.

  Workaround: Before the upgrade, manually resolve all the hosts as Resolved in the monitoring screen. After the upgrade, revert the status of Host Investigation to Open. This will reapply the firewall filters on to the switch. PR1309908

• If you directly go to the summary page instead of following the guided setup, the summary page may appear blank. As a workaround, follow each step in the guided setup. PR1309366

• Disenrolling the site in the infected custom feed does not remove the firewall filters from the switch for IP addresses that are in the custom feed. As a workaround, remove all the IPs from the custom feed and then disenroll the site from the Infected host feed page. PR1309819

• After upgrading to Security Director Release 17.1R2 and Policy Enforcer Release 17.1R2 from Security Director Release 17.1R1, when you add a new NSX, intermittently the dynamic address groups are not seen in the firewall rule source and destination address.

  Workaround: Perform the following:

  1. Restart the NSX microservice using the service nsxmicro restart command in Policy Enforcer.
  2. Perform a manual synchronization of NSX from the user interface.

     You must see all the dynamic address groups in the source and destination addresses of a firewall rule. PR1310322

• When installing the Junos OS Release 17.4 schema on a Junos space server, publish or update might fail on SRX Series platforms when UTM custom-objects are present as part of the configuration.

  Workaround: You should restart JBoss. PR1330089

• Application firewall OCR is failing when OVER WRITE option is selected.

  Workaround: User can choose RE_NAME option and proceed with the rollback or import. PR1324941

• When user tries to add a child domain device specific values in variable address or zones, the changes are not saved in user interface. PR1330389

• NAT pool is not shown in OCR screen if the used address has conflicts. PR1330392

• Metadata feed server requires manual restart of secmgt-skyatp-proxy service when Security Director is installed or upgraded. PR1330400

  Workaround: After Security Director Release 17.2R1 is installed or upgraded, restart the following services manually:

  • service secmgt-skyatp-proxy stop

  • service secmgt-skyatp-proxy start

For known issues in Policy Enforcer, see Policy Enforcer Release Notes.