About the Policy Sync Settings Page
To access this page, click Administration > Policy Sync Settings.
Starting in Junos Space Security Director Release 19.2R1, use the Policy Sync Settings page to automatically synchronize out-of-band firewall policy changes from a device to Security Director. The device must be discovered by Security Director. Out-of-band configuration changes are changes that you make to a device configuration through any method other than deploying the configuration change from Security Director. By default, automatic synchronization is disabled.
This page is displayed only in the global domain and applies only to device-specific firewall policies. Out-of-band firewall policy changes are applicable to both standard and unified firewall policies.
When a device is discovered in Security Director, the Managed Status is displayed as Managed on the Security Devices page. For automatic synchronization of out-of-band policy changes, the managed status of the device must be SD Changed, Device Changed, or In Sync. To reach one of these statuses, you must update the device at least once from Security Director. In the case of logical systems (LSYS), the root device may show the status as Device Changed if a policy is assigned to it. Update the root device so that the status is In Sync.
Out-of-band changes are not supported if more than one policy is assigned to a device or if rules are configured in All Devices Policy Pre/Post policies.
Tasks You Can Perform
You can perform the following tasks from this page:
Enable automatic synchronization of out-of-band firewall policy changes in the device.
Choose an option to automatically accept or reject the out-of-band firewall policy changes.
Table 1 provides guidelines on using the fields on the Policy Sync Settings page.
Table 1: Fields on the Policy Sync Settings Page
Auto Sync Policy Changes
By default, the automatic synchronization of out-of-band firewall policy changes is disabled. Enable this option to automatically synchronize out-of-band firewall policy changes from a device to Security Director.
When automatic synchronization of out-of-band firewall policy changes is disabled, you can import the out-of-band changes from a device manually.
Policy Source of Truth
The policy “source of truth” is where the device is synchronized to Security Director. All device-side out-of-sync changes will be rejected to match Security Director.