
Known Issues

This section lists the known issues in Policy Enforcer Release 17.2R2.

For the most complete and latest information about known Policy Enforcer defects, use the Juniper Networks online Junos Problem Report Search application.

  • In the Edit Connector page, if you want to view the Detailed View page for the second time for the same connector instance, click on a different row and then click on the connector instance. Clicking on the Detailed View page consecutively does not show any data.
  • You cannot edit the generated metadata names, though the tag values are editable.
  • Enrolling devices to Sky ATP through Policy Enforcer takes an average of four minutes to complete. Devices are enrolled serially, not in parallel. [PR 1222713]
  • The first time you open the Monitoring pages, you receive an "error occurred while requesting the data" message. This also happens the first time you open the Top Compromised Host dashboard widget. As a workaround, click your browser refresh button to refresh the page and display the information. [PR 1239956]
  • The top compromised hosts widget in the dashboard does not list all the realms. As a workaround, drag and drop another top compromised host widget to the dashboard to display all realms. [PR 1262410]
  • An infected host can be blocked using a custom feed; however, there is no UI to indicate that the host is blocked. To unblock the infected host, remove its IP address from the custom feed. [PR 1292394]
  • You can configure only one Radius server as a controller for a connector. [PR 1287908]
  • When an SRX Series device is used as a Layer 3 gateway for a given host or subnet and a switch is part of the Secure Fabric, the block and unblock actions may fail when the Policy Enforcement Group (PEG) is created with the location group type. As a workaround, create the PEG with the IP/Subnet group type and associate that PEG to the threat prevention policy. [PR 1296535]
  • Even when a device is unavailable (for example, the device is down), the removal of the device or site from the realm may state it as a successful dis-enroll.
  • You cannot delete the configuration for an SRX Series device when the threat prevention policy is associated with multiple PEGs. [PR 1309383]
  • Resolving an infected host fails when there is no endpoint session available in the Radius server. [PR 1311081]
  • The following minor UI issues are present:
    • For connectors with IP subnets, sometimes the subnets cannot be moved to available.
    • When you modify a threat prevention policy, the GeoIP state changes from updated to assign to groups. The state should be maintained.
    • Deleting a realm displays an OK message with a red notification window or popup. [PR 1310813]
  • In the Create Secure Fabric and Edit Secure Fabric pages, when you search on the selected devices and click OK, all devices that are added are deleted, except for the searched devices. This may disenroll some of the devices. Always clear the search selection and then click OK. [PR 1342960]
  • The port information turns blank when the same host is re-infected and tracked by the Cisco ISE connector. [PR 1346167]
  • The old sessions in ClearPass cannot be terminated; therefore, the actual east-west traffic block cannot be active until there is a re-authentication for that session.

    Workaround: Regularly clear the old sessions in ClearPass. [PR 1317503]

  • Policy Enforcer automatically discovers the vSRX devices for AWS; however, the vSRX device is not shown in the available list in the secure fabric. In the Secure Fabric landing page, mouse over the site to see the corresponding device details. [PR 1342028]
  • In the Create Connector page for AWS, it takes about 50 seconds to fetch 10 VPC records from AWS. If you change the region during this time, it takes an additional 50 seconds or more to fetch all the details. [PR 1346533]
  • When AWS infected policy action is taken, the security groups applied to the end host are not updated in the Security Director > Threat Prevention > Monitoring page. [PR 1347164]
  • You cannot delete the next generation firewall policies when only Policy Enforcer provided metadata is used as a source or destination address in the firewall policy rule. [PR 1344388]
  • If you use an incorrect vSRX tag when creating an AWS connector, the connector considers this as another EC2 instance and retains this entry in the connector or endpoint table. [PR 1348406]
  • In Cloud only feed mode and Default mode, deleting a site leaves devices pointing to the wrong feed source ID. Because of this, when the mode is changed to higher modes, SDSN feed downloads may not work correctly.

    Workaround: If you are planning to change the SDSN threat type mode, delete the devices that are in the site first and then delete the site. [PR 1348376]

  • In the Threat Prevention Policy page, triggering a rule analysis may throw an error message stating that an error has occurred while triggering the rule analysis. You must retry the rule analysis.

    • Click Update Required or View Analysis after some time. These options successfully trigger the rule analysis.
    • If the problem still persists, in Configure > Firewall Policy > Policies, select a device and click Publish & Update. Once this is successful, click Update Required or View Analysis for the threat prevention policy. [PR 1331439]

Modified: 2018-03-26