Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Release Notes for Junos Space Security Director

 

Supported Managed Devices

Security Director Release 19.1R1 manages the following devices:

  • SRX100

  • SRX110

  • SRX210

  • SRX220

  • SRX240

  • SRX240H

  • SRX300

  • SRX320

  • SRX320-POE

  • SRX340

  • SRX345

  • SRX550

  • SRX550M

  • SRX650

  • SRX1400

  • SRX1500

  • SRX3400

  • SRX3600

  • SRX4100

  • SRX4200

  • SRX5400

  • SRX5600

  • SRX5800

  • SRX4600

  • vSRX

  • MX240

  • MX480

  • MX960

  • MX2010

  • MX2020

  • LN1000-V

  • LN2600

The following log collection systems are supported:

  • Security Director Log Collector

  • Juniper Secure Analytics (JSA) as Log Collector on JSA Release 2014.8.R4 and later

  • QRadar as Log Collector on QRadar Release 7.2.8 and later

Supported Junos OS Releases

Security Director Release 19.1R1 supports the following Junos OS releases:

  • 10.4

  • 11.4

  • 12.1

  • 12.1X44

  • 12.1X45

  • 12.1X46

  • 12.1X47

  • 12.3X48

  • 15.1X49

  • vSRX 15.1X49

  • 16.1R3-S1.3

  • 15.1X49-D110

  • 17.3

  • 17.4

  • 18.1

  • 18.2

  • 18.3

  • 18.4

  • 19.1

  • 19.2

  • 19.3

  • 19.4

SRX Series devices require Junos OS Release 12.1 or later to synchronize the Security Director description field with the device.

The logical systems feature is supported only on devices running Junos OS Release 11.4 or later.

Note

To manage an SRX Series device by using Security Director, we recommend you to install the matching Junos OS schema on the Junos Space Network Management Platform. If the Junos OS schemas do not match, a warning message is displayed during the publish preview workflow.

Supported Policy Enforcer and Juniper Sky ATP Releases

Table 1 shows the supported Policy Enforcer and Juniper Sky Advanced Threat Prevention (Juniper Sky ATP) releases.

Table 1: Supported Policy Enforcer and Juniper Sky ATP Releases

Security Director Release

Compatible Policy Enforcer Release

Junos OS Release (Juniper Sky ATP-supported Devices)

16.1R1

16.1R1

Junos OS Release 15.1X49-D60 and later

16.2R1

16.2R1

Junos OS Release 15.1X49-D80 and later

17.1R1

17.1R1

Junos OS Release 15.1X49-D80 and later

17.1R2

17.1R2

Junos OS Release 15.1X49-D80 and later

17.2R1

17.2R1

Junos OS Release 15.1X49-D110 and later

17.2R2

17.2R2

Junos OS Release 15.1X49-D110 and later

18.1R1

18.1R1

Junos OS Release 15.1X49-D110 and later

18.1R2

18.1R2

Junos OS Release 15.1X49-D110 and later

18.2R1

18.2R1

Junos OS Release 15.1X49-D110 and later

18.3R1

18.3R1

Junos OS Release 15.1X49-D110 and later

18.4R1

18.4R1

Junos OS Release 15.1X49-D110 and later

19.1R1

19.1R1

Junos OS Release 15.1X49-D110 and later

Supported Browsers

Security Director Release 19.1R1 is best viewed on the following browsers:

  • Mozilla Firefox

  • Google Chrome

  • Microsoft Internet Explorer 11

Installation and Upgrade Instructions

This section describes how you can install and upgrade Junos Space Security Director and Log Collector.

Installing and Upgrading Security Director Release 19.1R1

Junos Space Security Director Release 19.1R1 is supported only on Junos Space Network Management Platform Release 19.1R1 that can run on the following devices:

  • JA2500

  • Junos Space virtual appliance

  • Kernel-based virtual machine (KVM) server installed on CentOS Release 7.2.1511

In Junos Space Security Director Release 19.1R1, a single image installs Security Director, Log Director, and the Security Director Logging and Reporting modules. All three applications are installed when you install the Security Director Release 19.1R1 image.

Note

Starting in Junos Space Security Director Release 17.2R1 onward, Log Collector version information is stored in the /etc/juniper-release file on Log Collector. In previous Junos Space Security Director releases, Log Collector version information is stored in the /etc/redhat-release file on Log Collector.

Note

An integrated Log Collector on a JA2500 appliance or Junos Space virtual appliance supports only 500 events per second (eps).

For more information about installing and upgrading Security Director Release 19.1R1, see Security Director Installation and Upgrade Guide.

Adding Security Director Log Collector Node in Security Director Release 17.2R1 and Later

For distributed Log Collector deployment, you must add only a Log Receiver node. You can add the node directly to Security Director using admin credentials, as in the case of the JSA node. For security reasons, non-root credentials are used to add a node.

Caution

For Security Director Log Collector, provide the default credentials: username is admin and password is juniper123. You must change the default password by using the Log Collector CLI command configureNode.sh as shown in Figure 1.

Figure 1: Change Password
Change Password

For JSA, provide the admin credentials that are used to log in to the JSA console.

For information about how to add the Log Collector node to Security Director, see Security Director Installation and Upgrade Guide.

Loading Junos OS Schema for SRX Series Devices

You must download and install correct Junos OS schema to manage SRX Series devices. To download the correct schema, from the Network Management Platform list, select Administration > DMI Schema, and click Update Schema. See Updating a DMI Schema.

Management Scalability

The following management scalability features are supported in Security Director:

  • By default, monitor polling is set to 15 minutes and resource usage polling is set to 10 minutes. This polling time changes to 30 minutes for a large-scale data center setup such as one for 200 SRX Series devices managed in Security Director.

    Note

    You can manually configure the monitor polling on the Administration>Monitor Settings page.

  • Security Director supports up to 15,000 SRX Series devices with a six-node Junos Space fabric. In a setup with 15,000 SRX Series devices, all settings for monitor polling must be set to 60 minutes. If monitoring is not required, disable it to improve the performance of your publish and update jobs.

  • To enhance the performance further, increase the number of update subjobs thread in the database. To increase the update subjobs thread in the database, run the following command:

    Note

    For mysql username and password, contact Juniper Support.

Table 2 shows the supported firewall rules per policy that are processed concurrently.

Table 2: Supported Firewall Rules per Policy

Number of Device Rules Processed Concurrently

JBoss Node Count

Memory

Platform OpenNMS Function

Log Collector

Hard Disk

5,000–7,000

1

32 GB of RAM

Enabled

Dedicated node

Any

15,000

1

32 GB of RAM

Off or dedicated node

Dedicated node

Any

40,000

2

32 GB of RAM per node

Off or dedicated node

Dedicated node

Any

100,000

2

32 GB of RAM per node

Off or dedicated node

Dedicated node

SSD required

Note

If you use a database dedicated setup (SSD hard disk VMs) for the deployment mentioned in Table 2, the performance of publish and update is better compared to the performance in a normal two-node Junos Space fabric setup.

New and Changed Features

This section describes the enhancements to existing features in Junos Space Security Director 19.1R1.

  • ESXi 6.7 support—Junos Space Security Director Release 19.1R1 is supported on VMware ESXi 6.7 hypervisor.

  • Cleanup scripts—You can now use the following cleanup scripts from the Junos Space CLI:

    • Shared object stale references cleanup script—Removes unwanted stale references from the database. In previous releases, this script was part of Junos Space Security Director deployment, and hence the deployment took longer to finish. Starting in Junos Space Security Director Release 19.1R1, we have added this script as part of the cleanup script and we have also provided a separate Rest API.

    • Stale device entries cleanup script—Removes unwanted stale devices from the database. If you delete a device from Junos Space Network Management Platform and if the device is still present in Junos Space Security Director, you can use the cleanup script to delete those entries from the database.

    • Stale VPN entries cleanup script—Removes any stale VPN entries from the database.

    • Unresponsive job cleanup script—Removes any job that is unresponsive. A job may become unresponsive in the following scenarios:

      • If rule entries are present in Security Director CLI model tables and are not present in Security Director rule page, then those entries will be updated with deleted field as true in Security Director database.

      • If the older versions of a published rule still has the deleted field as false, then those are updated to true in Security Director database.

      • On renaming a rule if you still see the deleted field of the old rule as false, then it is updated to true in Security Director database.

    Note

    Download and run the cleanup script:

  • Device polling for dashboard monitors—Device polling performance is now improved. All polling threads run in parallel, which reduces memory usage.

  • Optimized refresh search index—Following are the performance improvements:

    • The performance of the manual refresh search index has been improved.

    • The scheduled refresh search index has been implemented. By default, scheduled time is every Saturday 2 AM. Administrators can change the scheduled time by navigating to Junos Space Network Management Platform > Administration > Applications. Right-click Security Director, select Modify Application Settings, and then select Search-Index.

    • Security Director elastic search is upgraded from version 5.4 to version 6.5. The performance of the manual refresh search index has been improved.

  • MySQL queries—Optimized MySQL queries related to edit and unused shared objects.

Known Behavior

This section contains the known behavior and limitations in Junos Space Security Director Release 19.1R1.

  • You must disable OpenNMS before installing the integrated Log Collector.

    To disable OpenNMS:

    1. Select Network Management Platform > Administration > Applications.
    2. Right-click Network Management Platform, and select Manage Services.
    3. Select Network Monitoring, and click the Stop Service icon.

      The network monitoring service is stopped, and the status of OpenNMS is changed to Disabled.

    Note

    You must ensure that Junos Space Network Management Platform and Security Director are already installed on a JA2500 appliance or Junos Space virtual appliance.

  • The Enable preview and import device change option is disabled by default.

    To enable this option:

    1. Select Network Management Platform > Administration > Applications.
    2. Right-click Security Director, and select Modify Application Settings.
    3. From Update Device, select the Enable preview and import device change option.
  • If you restart the JBoss application servers manually in a six-node setup one-by-one, Junos Space Network Management Platform and the Security Director user interfaces are launched within 20 minutes, and the devices reconnect to Junos Space Network Management Platform. You can then edit and publish the policies. When the connection status and the configuration status of all devices are UP and IN SYNC, respectively, click Update Changes to update all security-specific configurations or pending services on SRX Series devices.

  • To generate reports in the local time zone of the server, you must modify /etc/sysconfig/clock to configure the time zone. Changing the time zone on the server by modifying /etc/localtime, does not generate report in the local time zone.

  • If the vSRX VMs in NSX Manager are managed in Security Director Release 17.1R1 and Policy Enforcer Release 17.1R1, then after upgrading to Security Director Release 18.1R1 and Policy Enforcer Release 18.1R1, log in to the Policy Enforcer server by using SSH and run the following commands:

    cd /var/lib/nsxmicro

    ./migrate_devices.sh

    This script migrates the existing vSRX VMs in NSX Manager from Policy Enforcer Release 17.1R1 to Release 18.1R1.

  • If the NSX Server SSL certificate has expired or changed, communication between Security Director and NSX Manager fails, thereby impacting the functionality of NSX Manager, such as sync NSX inventory and security group update.

    To refresh the NSX SSL certificate:

    1. Log in to Policy Enforcer by using SSH.
    2. Run the following command:

      nsxmicro_refresh_ssl --server <<NSX IP ADDRESS>>--port 443

      This script gets the latest NSX SSL certificate and stores it for communication between Security Director and NSX Manager.

  • In a setup where other applications are installed in Junos Space along with Security Director, the JBoss PermSize must be increased from 512m to 1024m in the /usr/local/jboss/domain/configuration/host.xml.slave file. Under <jvm name="platform">, change the following values in the <jvm-options> tag:

    <option value="-XX:PermSize=1024m"/>

    <option value="-XX:MaxPermSize=1024m"/>

  • When you import addresses via CSV, a new address object is created by appending a _1 to the address object name, if the address object is already present in Security Director.

Known Issues

This section lists the known issues in Security Director Release 19.1R1.

For the most complete and latest information about known Security Director defects, use the Juniper Networks online Junos Problem Report Search application.

  • Junos Space Security Director fails to import UTM configuration from devices with Junos OS version 18.2R1 or later because the new CLI changes are not supported. PR1431759

  • Junos Space Security Director fails to import IPS policies from devices with Junos OS version 18.2R1 or later because the new CLI changes are not supported. PR1411089

  • After upgrading Junos Space Security Director release to 19.1R1, predefined reports are not shown in Reports page. PR1431601

    Workaround: Restart JBoss node to see the predefined reports.

  • Update fails for unified policies when an SSL proxy profile that is set as global in a device is not used in any policy for that device. PR1407389

  • Devices without unified support can be assigned under unified policies as Security Director does not have a validation check in the user interface. PR1407283

  • While upgrading Security Director Log Collector along with Junos Space Network Management Platform, dashboard widget preferences are not retained. PR1350292

  • Junos Space Security Director fails to import VPN if a device uses master password encryption because VPN preshared key with $8$ format is not supported. PR1416285

  • Junos Space Security Director tries to delete the UTM custom object URL pattern used in the firewall with UTM services, which causes policy update to fail. PR1406969

  • Junos Space Security Director generates wrong CLI commands for deleting Application Based Routing (APBR) rules. PR1417708

  • A policy analysis report with huge number of rules cannot be generated. PR1418125

  • When a column filter is used, deselect all and clear all sometimes do not clear selected items. PR1424112

  • The Create Exempt Rule option does not work in the IPS event viewer. PR1380415

  • The scheduled report is not sent when the user is logged out. PR1352984

  • The Show Unused option is removed for URL categories. PR1431345

For known issues in Policy Enforcer, see Policy Enforcer Release Notes.

Resolved Issues

This section lists the issues fixed in Security Director Release 19.1R1.

For the most complete and latest information about resolved Security Director issues, use the Juniper Networks online Junos Problem Report Search application.

  • JSA system logs are not parsed correctly. PR1372721

  • There are issues related to search and filter in policy rules. PR1398589

  • There is a mismatch in the device details in IP domain mapping. PR1390925

  • Unable to navigate to firewall policy from an SRX log. PR1390963

  • When you update a device, an error message is displayed. PR1395550

  • Applications are displayed as Unknown. PR1399255

  • There are issues while adding JSA to Junos Space Security Director. PR1401510

  • Existing VPN configurations are altered in a device. PR1402386

  • A few changes made in the device are not displayed. PR1403916

  • While deploying changes through Junos Space Security Director, you can see a display issue. PR1407168

  • There is an issue related to deletion of address group object. PR1408463

  • There is an issue related to number of usages displayed in the Find Usage option. PR1408519

  • After upgrade, latest signature list is not updated. PR1409305

  • You can see a publishing error. PR1411325

  • Search issue in Junos Space Security Director. PR1411949

  • After upgrade, preview configuration fails for a specific policy. PR1412836

  • Recurrence job issue in download URL categories. PR1413658

  • There are issues with Publish View button display in Internet Explorer browser. PR1414777

  • There is an issue with display of unused address objects. PR1414866

  • Update issue is seen on an SRX5400 device. PR1415302

  • When you create a new rule, a duplicate entry is seen. PR1415869

  • An issue is seen with scheduler configuration. PR1415924

  • SRX Series device does not generate IPS logs in the correct format. PR1419022

  • There are issues with VPN monitoring. PR1419205

  • There are issues with assigning policies to newly discovered devices. PR1419289 and PR1424996

  • After upgrade, an issue is seen with publish jobs. PR1421731

  • There is an issue while deleting the unused address objects. PR1409740

Hot Patch Releases

This section describes the installation procedure and resolved issues in Junos Space Security Director Release 19.1R1 hot patches.

During hot patch installation, the script performs the following operations:

  • Blocks the device communication.

  • Stops JBoss, JBoss Domain Controller (JBoss-dc), and jmp-watchdog services.

  • Backs up existing configuration files and EAR files.

  • Updates the Red Hat Package Manager (RPM) files.

  • Restarts the watchdog process, which restarts JBoss and JBoss-dc services.

  • Unblocks device communication after restarting the watchdog process for device load balancing.

Note

You must install the hot patch on Security Director Release 19.1R1.104 or on any previously installed hot patch. The hot patch installer backs up all the files which are modified or replaced during hot patch installation.

Installation Instructions

Perform the following steps in the CLI of the JBoss-VIP node only:

  1. Download the Security Director 19.1R1 Patch vX from the download site.

    Here, X is the hot patch version. For example, v1, v2, and so on.

  2. Copy the SD-19.1R1-hotpatch-vX.tgz file to the /home/admin location of the VIP node.
  3. Verify the checksum of the hot patch for data integrity:

    md5sum SD-19.1R1-hotpatch-vX.tgz.

  4. Extract the SD-19.1R1-hotptach-vX.tgz file:

    tar -zxvf SD-19.1R1-hotpatch-vX.tgz

  5. Change the directory to SD-19.1R1-hotpatch-vX.

    cd SD-19.1R1-hotpatch-vX

  6. Execute the patchme.sh script from the SD-19.1R1-hotpatch-vX folder:

    sh patchme.sh

    The script detects whether the deployment is a standalone deployment or a cluster deployment and installs the patch accordingly.

A marker file, /etc/.SD-19.1R1-hotpatch-vX, is created with the list of Red-hat Package Manager (RPM) details in the hot patch.

Note

We recommend that you install the latest available hot-patch version, which is the cumulative patch.

Supported Junos OS Releases

Security Director Release 19.1R1 V3 and later hot patches support the following Junos OS releases:

  • 20.1

  • 20.2

Resolved Issues in Hot Patches

Table 3 lists the resolved issues in Security Director Release 19.1R1 hot patches.

Table 3: Resolved Issues in Hot Patches

PR

Description

Hot Patch Version

PR1505663

Unexpected results are returned when using global search for Policies.

V3

PR1513934

There is an issue with the hit count settings.

V3

PR1478921

Firewall policy loading in user interface and rule expansion takes longer to display.

V3

PR1517134

Some devices do not show logical system (LSYS) information correctly.

V3

PR1505663

Unexpected results are returned when using global search for policies.

V2

PR1447083

The source-identity field does not get populated in the Policy Enforcer rules.

V2

PR1468161

Security Director does not push the proper detector version or signature database for vSRX 3.0.

V2

PR1472215

An unexpected behavior is seen when you enable the Policy Sync Settings option.

V2

PR1472468

Event logs from Juniper Secure Analytics (JSA) to Security Director show a wrong subdomain.

V2

PR1477417

The latest list of signatures is not shown intermittently

V2

PR1478255

Policy rule edition does not discard changes when you click "X" icon.

V2

PR1479795

Security Director device updates fail when an SRX Series cluster failover occurs.

V2

PR1479934

There is inconsistency in the grid view of application visibility data.

V2

PR1480647

VPNs on Security Director remain down as Security Director is unable to generate a unique IKE policy name.

V2

PR1482324

Logs are not seen in subdomain.

V2

PR1483279

Search does not work for user IDs in security policies.

V2

PR1484611

Security Director does not push the pre-shared key (PSK) to the VPNs as the PSKs are getting encrypted twice.

V2

PR1485485

Device-related jobs on Security Director fail.

V2

PR1485662

The Log Collector node status changes between red (down) and green (up).

V2

PR1485780

The users are unable to export the filtered PDF.

V2

PR1486055

Multiple IKE policy pre-shared-key statements are pushed to the firewall.

V2

PR1486200

After you configure a VPN, the traffic-selector information does not get saved.

V2

PR1486311

Transaction rolled back for device update job.

V2

PR1486740

Search does not work for objects in the firewall, IPS, or NAT policies.

V2

PR1487675

The policy sync job fails.

V2

PR1488680

Failure reason is not displayed for device updates with or without out-of-band changes.

V2

PR1488781

The pre-shared keys for the VPNs in Security Director do not get updated on the devices correctly.

V2

PR1488858

Update fails after editing a VPN.

V2

PR1489303

When a rule is cloned in firewall policies, the cloned rule does not contain the tunnel information.

V2

PR1490484

The policy filter does not work.

V2

PR1490851

The IPS signature installation fails from Junos Space on vSRX, which is installed on KVM.

V2

PR1490998

Junos Space is unable to push policy changes due to the connection limit for Enhanced Web Filtering.

V2

PR1491008

Users cannot create a usable custom role name to be used in the source-identity field of the policy.

V2

PR1492280

Data is not seen in the application-related widgets when a specific device is selected.

V2

PR1492512

The Select services drop-down in IPS policy does not list the objects.

V2

PR1493016

Security Director is unable to export the filtered search results for a rule to PDF.

V2

PR1493326

Unable to change the name of the IPS policy for an SRX Series device.

V2

PR1493795

When you run a publish or update job from Security Director, an error message is seen.

V2

PR1494500

After you upgrade Junos Space Security Director, an error message is seen in the global policy rules.

V2

PR1496012

IPv6 address object search does not work as expected.

V2

PR1497220

Security Director sends license expiry e-mails to the users for all the devices.

V2

PR1497931

When user is creating an application or service object, a warning message appears for the source port.

V2

PR1497963

Unable to push license to an SRX Series cluster device.

V2

PR1499371

If the VPN name exceeds 32 characters in the device end point settings, Security Director fails to truncate the VPN name.

V2

PR1499379

Search does not work as expected.

V2

PR1499409

Security Director is unable to search for a shared object.

V2

PR1500407

There is an issue with address object replacement.

V2

PR1501723

Policy update fails when the same IDP or IPS policy is assigned to group device policies or device-specific policies for two or more devices.

V2

PR1447992

Security Director does not delete unused objects.

V2

PR1471546

Tunnel name is not updated.

V2

PR1478948

The routing-instance does not bind to the interface while a VPN is being created or edited.

V2

PR1475408

Random digits are appended to the VPN name.

V2

PR1474842

Migration from NSM jobs fails.

V2

PR1506356

Disabling monitoring for a device does not stop polling the device.

V2

PR1429366

Conflict resolution displays UUID values instead of names for address groups.

V1

PR1434244

Reports do not generate proper hit counts for the corresponding policies.

V1

PR1438257

Conflict Resolution page displays an error during an import device job.

V1

PR1438931

Applications are not seen on the Application Visibility page after upgrade.

V1

PR1445664

Deleting a device from Junos Space Platform does not delete it from Security Director.

V1

PR1449442

When a predefined report definition is cloned, the clone does not contain the filter.

V1

PR1451018

Logs are visible under the global domain, but not under any other subdomains.

V1

PR1458967

When the user is editing a policy, the search operation stops working.

V1

PR1464623

After restoring the Junos Space database, the user is unable to add JSA as a logging node.

V1

PR1469852

Data is not available on the Security Director Application Visibility page.

V1

PR1478802

When the user publishes more devices, jobs fail on the VIP node.

V1

PR1478919

The NAT pool drop-down list in the user interface takes more time to load.

V1

PR1483279

Search is not working for user IDs in security policies.

V1

PR1441658

Column filters are not persistent on the Security Director Events & Logs page and they disappear after pages are switched.

V1

PR1456719

If a policy name has a special character, Security Director traffic log search by policy name fails.

V1

PR1463934

The user is unable to edit the Show Top Records value on the Report Definition page.

V1

PR1475903

The user is unable to add an existing address object to address groups.

V1

PR1444922

The Security Director import device process displays the shared objects with numbers and characters instead of the actual names.

V1

PR1464513

The Security Director policy update fails with the transaction rollback exception.

V1

PR1468881

IPS or Application Signature download fails.

V1

PR1458913

In Security Director, some of the firewall policies display a failure message after you update the device.

V1

PR1486311

A transaction rollback exception is displayed for the Device Update job.

V1

PR1479934

Data inconsistency is seen in the grid view of the Application Visibility page.

V1

PR1436491

Security Director supports new IDP templates.

V1

Note

If the hot patch contains a user interface fix, you must clear the Web browser’s cache to reflect the latest changes.