This section lists the known issues in Policy Enforcer Release 18.2R1.
For the most complete and latest information about known Policy Enforcer defects, use the Juniper Networks online Junos Problem Report Search application.
If a connector instance is created with only the NGFW option and you later edit it to also enable Threat Remediation, the system does not initiate enrollment of the new enforcement points. The vSRX in the service chain of the cloud resource is not added to the Sky ATP realm for malware scanning.
Workaround: After you edit the connector and enable Threat Remediation along with NGFW, navigate to the Sky ATP realm page, edit the realm, remove the site associated with the connector instance, and save the changes. Once the changes are saved successfully, edit the realm again and add the site back. This triggers enrollment of the enforcement points in the connector instance. [PR 1365715]
On the Edit Connector page, the Detailed View page for a connector instance shows no data if you open it twice in a row. To view it again for the same connector instance, first click a different row and then click the connector instance again.
You cannot edit the generated metadata names, although the tag values are editable.
Enrolling devices to Sky ATP through Policy Enforcer takes an average of four minutes to complete. Devices are enrolled serially, not in parallel. [PR 1222713]
The first time you open the Monitoring pages, an "error occurred while requesting the data" message appears. The same happens the first time you open the Top Compromised Hosts dashboard widget. As a workaround, click your browser's refresh icon to reload the page and display the information. [PR 1239956]
The Top Compromised Hosts widget on the dashboard does not list all the realms. As a workaround, drag and drop another top compromised host widget to the dashboard to display all realms. [PR 1262410]
An infected host can be blocked by using a custom feed; however, the UI gives no indication that the host is blocked. To unblock the infected host, remove its IP address from the custom feed. [PR 1292394]
You can configure only one RADIUS server as a controller for a connector. [PR 1287908]
When an SRX Series device is used as a Layer 3 gateway for a given host or subnet and a switch is part of the secure fabric, the block and unblock actions might fail when the Policy Enforcement Group (PEG) is created with the location group type. As a workaround, create the PEG with the IP/Subnet group type and associate that PEG to the threat prevention policy. [PR 1296535]
Removing a device or site from a realm might disenroll the device from the realm even when the device is unavailable (for example, when the device is down).
You cannot delete the configuration for an SRX Series device when the threat prevention policy is associated with multiple PEGs. [PR 1309383]
Resolving an infected host fails when there is no endpoint session available in the RADIUS server. [PR 1311081]
The following minor UI issues are observed:
For connectors with IP subnets, the subnets sometimes cannot be moved to the list of available subnets.
When you modify a threat prevention policy, the GeoIP state changes from "Updated" to "Assign to groups". The state should be maintained.
Deleting a realm displays an OK message in a red notification window. [PR 1310813]
On the Create Secure Fabric and Edit Secure Fabric pages, if you search within the selected devices and then click OK, all added devices except those matched by the search are removed, which might disenroll some of them. Always clear the search selection before you click OK. [PR 1342960]
The port information turns blank when the same host is re-infected and tracked by the Cisco ISE connector. [PR 1346167]
Old sessions in ClearPass cannot be terminated; therefore, the east-west traffic block does not take effect until those old sessions are reauthenticated.
Workaround: Clear old sessions in ClearPass regularly. [PR 1317503]
When a policy action is taken on devices on the AWS public cloud, the security groups applied to the end host are not updated on the Security Director > Threat Prevention > Monitoring page. [PR 1347164]
You cannot delete the next-generation firewall policies when metadata provided only by Policy Enforcer is used as a source or destination address in the firewall policy rule. [PR 1344388]
If you use an incorrect vSRX tag when creating an AWS connector, the connector treats the vSRX as just another EC2 instance and retains the entry in the connector or endpoint table. [PR 1348406]
In Cloud only feed mode and Default mode, deleting a site leaves its devices pointing to the wrong feed source ID. As a result, when the mode is later changed to a higher mode, SDSN feed downloads might not work correctly.
Workaround: If you plan to change the SDSN threat type mode, first delete the devices in the site and then delete the site. [PR 1348376]
On the Threat Prevention Policy page, triggering a rule analysis might return an error message stating that an error occurred while triggering the rule analysis. You must retry the rule analysis.
Click Update Required or View Analysis after some time. These options trigger the rule analysis successfully.
If the problem persists, go to Configure > Firewall Policy > Policies, select a device, and click Publish & Update. Once this succeeds, click Update Required or View Analysis for the threat prevention policy. [PR 1331439]
During device enrollment to Sky ATP, security devices might show the enrollment status as Failed along with a Retry option.
Workaround: Refresh the page after 15 minutes and check the enrollment status of that device. If it still shows Failed, use the Retry option to enroll it. [PR 1350264]