About the Policy Sync Settings Page

To access this page, click Administration > Policy Sync Settings.

Starting in Junos Space Security Director Release 19.2R1, use the Policy Sync Settings page to automatically synchronize out-of-band firewall policy changes from a device to Security Director. The device must be discovered by Security Director. The out-of-band configuration changes are changes you make to a device configuration through any method other than deploying the configuration change from Security Director. By default, the automatic synchronization is disabled.

This page is displayed only in the global domain and applies only to device-specific firewall policies. Out-of-band firewall policy changes apply to both standard firewall and unified firewall policies.

Starting in Junos Space Security Director Release 19.4R1, you can import or reject out-of-band changes for an IPS policy from a device to Security Director manually or automatically. For devices running Junos OS Release 18.2 and later, you can synchronize the changes from the Standard or Unified Firewall Policies page. For devices running Junos OS Release 18.1 and earlier, you can synchronize the IPS policy changes from the IPS Policies page.

Starting in Junos Space Security Director Release 20.1R1, you can import or reject out-of-band changes for a NAT policy from a device to Security Director manually or automatically.

When a device is discovered in Security Director, the Managed Status is displayed as Managed on the Security Devices page. For automatic synchronization of out-of-band policy changes, the managed status of the device must be SD Changed, Device Changed, or In Sync. You must update the device at least once from Security Director. In the case of logical systems (LSYS) or tenant systems (TSYS), the root device may show the status Device Changed if a policy is assigned to it. Update the root device so that the status is In Sync.

Note
  • The out-of-band changes are not supported if more than one policy is assigned to a device or if rules are configured in All Devices Policy Pre/Post policies.

  • The out-of-band changes do not support synchronization of duplicate rule-sets in a NAT policy.

Tasks You Can Perform

You can perform the following tasks from this page:

  • Enable automatic synchronization of out-of-band firewall, IPS, and NAT policy changes in the device.

  • Choose an option to automatically accept or reject the out-of-band firewall, IPS, and NAT policy changes.

Field Descriptions

Table 1 provides guidelines on using the fields on the Policy Sync Settings page.

Table 1: Fields on the Policy Sync Settings Page

Field

Description

Auto Sync Policy Changes

By default, the automatic synchronization of out-of-band firewall, IPS, and NAT policy changes is disabled. Enable this option to automatically synchronize out-of-band firewall, IPS, and NAT policy changes from a device to Security Director.

When automatic synchronization of out-of-band policy changes is disabled, you can import the out-of-band changes from a device manually.

After you synchronize the policy changes, the policy indicates that it must be republished. A dummy publish and update must be performed to set the managed status to In Sync.

The custom rule group in a policy is not supported. If the policy has a custom rule group, then the custom rule group is deleted after synchronizing the policy and all the rules are grouped inside device-specific or predefined rule groups.

Policy Source of Truth

The policy “source of truth” determines which side the synchronization follows. When Security Director is the source of truth, all device-side out-of-sync changes are rejected so that the device matches Security Director.

  • Select Security Director to automatically reject all out-of-band firewall, IPS, and NAT policy changes from a device to Security Director.

  • Select Device to automatically synchronize all out-of-band firewall, IPS, and NAT policy changes from a device to Security Director. Then select Firewall Policy, IPS Policy, or NAT Policy.

    This triggers an Auto Policy Sync job on the Job Management page. After the job succeeds, the out-of-band changes are synchronized from the device to Security Director.

    Before synchronizing the out-of-band changes automatically, Security Director takes a snapshot of the policy so that you can revert or roll back to an older version of the policy. To roll back a policy version, see Create and Manage Policy Versions.

Policies

Select one or more policies (Firewall/NAT/IPS) to be automatically synchronized from a device to Security Director.

Default Action for Policies

Select an option. During automatic synchronization of out-of-band firewall, IPS, and NAT policy changes from a device to Security Director, you can choose Rename Object, Keep Existing Object, or Overwrite with Imported Value to handle objects whose names conflict. By default, Rename Object is selected.

Rename object—Provides a new name to the conflicting object. "_1" is added by default to the name. Device Preview or Update deletes the original object and adds the object with the new name.

Overwrite with Imported Value—Overwrites the existing object with the new object. The object is replaced in Security Director with the new object. No change is seen in preview for the imported device. The change appears in the next preview/update for all other devices that use this object.

Keep Existing Object—Keeps the existing object and ignores the new object. The object in Security Director is used instead of the device object.
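The three conflict actions described above, modeled as an added Python example that is not Security Director's code; the object names and values, and the counter used when a "_1" name is already taken, are constructed assumptions:

```python
# Added example (not Security Director code): a model of the three
# "Default Action for Policies" conflict actions described on this page.
from typing import Dict, List, Tuple

RENAME_OBJECT = "Rename Object"
OVERWRITE_WITH_IMPORTED = "Overwrite with Imported Value"
KEEP_EXISTING = "Keep Existing Object"

# Constructed sample data: address objects keyed by name, as they exist in
# Security Director and as found in the device's out-of-band configuration.
SD_OBJECTS = {"web-srv": "10.1.1.10/32", "dns-srv": "10.1.1.53/32"}
DEVICE_OBJECTS = {"web-srv": "10.1.1.11/32",   # same name, different value: conflict
                  "dns-srv": "10.1.1.53/32",   # identical: no conflict
                  "ntp-srv": "10.1.1.123/32"}  # new on the device: simply imported


def renamed(name: str, existing: Dict[str, str]) -> str:
    """Append "_1" as the page states. Incrementing the counter when "_1" is
    already taken is this example's assumption, not documented behaviour."""
    i = 1
    while f"{name}_{i}" in existing:
        i += 1
    return f"{name}_{i}"


def resolve_conflicts(sd: Dict[str, str], device: Dict[str, str],
                      action: str) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Merge device objects into Security Director's object set.
    Returns (merged objects,
             changes the next Device Preview/Update shows for the imported device,
             changes shown for other devices that use the conflicting object)."""
    merged = dict(sd)
    imported_preview: List[str] = []
    other_devices_preview: List[str] = []
    for name, value in device.items():
        if name not in merged:
            merged[name] = value            # new object, no conflict
        elif merged[name] == value:
            continue                        # identical definition, nothing to do
        elif action == RENAME_OBJECT:
            new_name = renamed(name, merged)
            merged[new_name] = value        # original object is untouched
            imported_preview.append(f"delete {name}; add {new_name}")
        elif action == OVERWRITE_WITH_IMPORTED:
            merged[name] = value            # imported device sees no change
            other_devices_preview.append(f"modify {name}")
        elif action == KEEP_EXISTING:
            pass                            # device's definition is ignored
        else:
            raise ValueError(f"unknown action: {action}")
    return merged, imported_preview, other_devices_preview
```

Running the three actions over the same sample input shows why Overwrite with Imported Value is the one that silently changes every other device sharing the object, while Rename Object confines the change to the imported device.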