Release Notes for Junos Space Security Director
New and Changed Features
This section describes the new features and enhancements to existing features in Junos Space Security Director Release 22.2R1.
Polymorphic address support in source and destination addresses for NAT rules—Starting in Security Director Release 21.3R1 hot patch v3, while creating NAT rules for a group policy, you can select a polymorphic address as the source or destination address. The rule points to the default address if the device IP address does not match any of the context values in the polymorphic address. If there is a match, the address corresponding to the context value is considered as the source or destination address of the rule.
Note: Polymorphic addresses are not supported in static NAT destination addresses.
Support for disabling service offload in Security Director—Starting in Security Director Release 21.3R1 hot patch v3, we’ve provided options to delete the configured service and disable services offload for standard and unified firewall policies.
You can select from the following options:
None—Select to delete the configured service from the device.
Enable—Select to enable services offload. When services offload is enabled, only the first packets of a session go to the SPU. The rest of the packets in services offload mode do not go to the SPU; therefore, some security features such as stateful screen are not supported. You can offload services only for TCP and UDP packets.
Disable—Select to disable services offload.
Note: Both logical systems and tenant systems support the disable services offload feature.
Support to terminate CLI/J-Web edit mode user session—Starting in Security Director Release 21.3R1 hot patch v3, when you retry the update job on devices that failed due to device lock failures, you can terminate CLI user sessions on a device from Security Director.
To terminate the user session:
- Select Monitor > Job Management.
- Select the job, and then from the More list select Retry on Failed Devices.
The Retry Update Failed Devices page is displayed.
- Select the Evict CLI/J-Web edit mode users option.
For new features and enhancements in Policy Enforcer, see Policy Enforcer Release Notes.
Supported Managed Devices
You can use Security Director Release 22.2R1 to manage the following devices:
SRX100
SRX110
SRX210
SRX220
SRX240
SRX240H
SRX300
SRX320
SRX320-POE
SRX340
SRX345
SRX380
SRX550
SRX550M
SRX650
SRX1400
SRX1500
SRX3400
SRX3600
SRX4100
SRX4200
SRX5400
SRX5600
SRX5800
SRX4600
vSRX
MX240
MX480
MX960
MX2010
MX2020
LN1000-V
LN2600
Supported Log Collection Systems
The following log collection systems are supported:
Log Collector 22.2 (Security Director Insights VM)
Integrated Log Collector 20.1R1
Juniper Networks® Secure Analytics (JSA) Series Virtual Appliance as Log Collector on JSA Release 2014.8.R4 and later
QRadar as Log Collector on QRadar Release 7.2.8 and later
Starting in Security Director Release 20.2R1, the standalone Log Collector is no longer supported.
Supported Junos OS Releases
Security Director Release 22.2R1 supports the following Junos OS releases:
10.4
11.4
12.1
12.1X44
12.1X45
12.1X46
12.1X47
12.3X48
15.1X49
vSRX 15.1X49
16.1R3-S1.3
15.1X49-D110
17.3
17.4
18.1
18.1R2.6
18.2
18.2R3.4
18.3
18.4
18.4R3.3
19.1
19.2
19.3
19.4
20.1
20.2
20.3
20.4
21.1
21.2
21.3
21.4
22.1
22.2
SRX Series devices require Junos OS Release 12.1 or later to synchronize the Security Director description field with the device.
The logical systems feature is supported only on devices running Junos OS Release 11.4 or later.
To manage an SRX Series device by using Security Director, we recommend that you install the matching Junos OS schema on the Junos Space Network Management Platform. If the Junos OS schemas do not match, a warning message is displayed during the publish preview workflow.
Supported Policy Enforcer and Juniper® Advanced Threat Prevention (ATP) Cloud Releases
Table 1 shows the supported Policy Enforcer and Juniper ATP Cloud releases.
Table 1: Supported Policy Enforcer and Juniper ATP Cloud Releases
Security Director Release | Compatible Policy Enforcer Release | Junos OS Release (Juniper ATP Cloud supported devices) |
---|---|---|
19.3R1 | 19.3R1 | Junos OS Release 15.1X49-D120 and later |
19.4R1 | 19.4R1 | Junos OS Release 15.1X49-D120 and later |
20.1R1 | 20.1R1 | Junos OS Release 15.1X49-D120 and later |
20.3R1 | 20.3R1 | Junos OS Release 15.1X49-D120 or Junos OS Release 17.3R1 and later |
21.1R1 | 21.1R1 | Junos OS Release 15.1X49-D120 or Junos OS Release 17.3R1 and later |
21.2R1 | 21.2R1 | Junos OS Release 15.1X49-D120 or Junos OS Release 17.3R1 and later |
21.3R1 | 21.3R1 | Junos OS Release 15.1X49-D120 or Junos OS Release 17.3R1 and later |
22.1R1 | 22.1R1 | Junos OS Release 15.1X49-D120 or Junos OS Release 17.3R1 and later |
22.2R1 | 22.2R1 | Junos OS Release 15.1X49-D120 or Junos OS Release 17.3R1 and later |
For Policy Enforcer details, see Policy Enforcer Release Notes.
Supported Browsers
Security Director Release 22.2R1 is best viewed on the following browsers:
Mozilla Firefox
Google Chrome
Microsoft Internet Explorer 11
Installation and Upgrade Instructions
This section describes how you can install and upgrade Junos Space Security Director and Log Collector.
Installing and Upgrading Security Director Release 22.2R1
Junos Space Security Director Release 22.2R1 is supported only on Junos Space Network Management Platform Release 22.2R1, which can run on the following platforms:
Junos Space virtual appliance
Kernel-based virtual machine (KVM) server installed on CentOS Release 7.2.1511
For more information about installing and upgrading Security Director and Log Collector 22.2 (Security Director Insights VM), see Security Director Installation and Upgrade Guide.
Loading Junos OS Schema for SRX Series Devices
You must download and install the correct Junos OS schema to manage SRX Series devices. To download the correct schema, from the Network Management Platform list, select Administration > DMI Schema, and click Update Schema. See Updating a DMI Schema.
DMI Schema Compatibility for Junos OS Service Releases
The following tables explain how the Junos Space Network Management Platform chooses Device Management Interface (DMI) schemas for devices running Junos OS Service Releases.
If a Junos OS Service Release is installed on your device with a major release version of a DMI schema installed on Junos Space Network Management Platform, then Junos Space chooses the latest corresponding major release of DMI schemas, as shown in Table 2.
Table 2: Device with Service Release and Junos Space with FRS Release
Junos OS Version on Device | Junos Space DMI Schemas Installed | Junos Space Default Version | Junos Space Version Chosen for Platform |
---|---|---|---|
18.4R1-S1 | 18.4R1.8, 18.3R1.1, 18.2R1.1 | 18.2R1.1 | 18.4R1.8 |
If the 18.4R1.8 schema version is not available, Junos Space chooses the nearest lower version of the installed DMI schemas.
Junos OS Version on Device | Junos Space DMI Schemas Installed | Junos Space Default Version | Junos Space Version Chosen for Platform |
---|---|---|---|
18.4R1-S1 | 18.3R1.1, 18.2R1.1 | 18.2R1.1 | 18.3R1.1 |
If a Junos OS Service Release is installed on your device without a matching DMI schema version in Junos Space Network Management Platform, then Junos Space chooses the nearest lower version of DMI schema installed, as shown in Table 3.
Table 3: Device with Service Release and Junos Space without matching DMI Schema
Junos OS Version on Device | Junos Space DMI Schemas Installed | Junos Space Default Version | Junos Space Version Chosen for Platform |
---|---|---|---|
18.4R1-S1 | 18.5R1.1, 18.3R1.1, 18.2R1.1 | 18.2R1.1 | 18.3R1.1 |
If more than one version of the DMI schema is installed in Junos Space Platform for a single Junos OS Service Release version, Junos Space chooses the latest version of the DMI schema, as shown in Table 4.
Table 4: Device with Service Release and Junos Space with more than one DMI Schemas
Junos OS Version on Device | Junos Space DMI Schemas Installed | Junos Space Default Version | Junos Space Version Chosen for Platform |
---|---|---|---|
18.4R1-S1 | 18.4R1.8, 18.4R1.7, 18.4R1.6, 18.3R1.1 | 18.3R1.1 | 18.4R1.8 |
If no 18.4R1.x schema version is available, Junos Space chooses the nearest lower version of the installed DMI schemas.
Junos OS Version on Device | Junos Space DMI Schemas Installed | Junos Space Default Version | Junos Space Version Chosen for Platform |
---|---|---|---|
18.4R1-S1 | 18.3R1.1, 18.2R1.1 | 18.2R1.1 | 18.3R1.1 |
If a Junos OS Service Release is installed on your device without a corresponding DMI schema version in Junos Space Network Management Platform, then Junos Space chooses the nearest lower version of DMI schema installed, as shown in Table 5.
Table 5: Device with Service Release and Junos Space without more DMI Schemas
Junos OS Version on Device | Junos Space DMI Schemas Installed | Junos Space Default Version | Junos Space Version Chosen for Platform |
---|---|---|---|
18.4R1.1 | 18.5R1.1, 18.3R1.1, 18.2R1.1 | 18.2R1.1 | 18.3R1.1 |
For information about Junos OS compatibility, see Junos OS Releases Supported in Junos Space Network Management Platform.
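The selection rule illustrated by Tables 2 through 5 can be expressed as a small function. The code below is an added example, not Juniper's implementation; it infers the rule from the table rows (exact major-release match wins, highest build preferred, otherwise the nearest lower installed release, never a higher one), and the "Junos Space Default Version" column is assumed not to influence the choice in these cases.

```python
import re
from typing import Optional

# Version strings seen on this page: DMI schemas such as "18.4R1.8" and
# device releases such as "18.4R1-S1" or "18.4R1.1".
_VER = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.(\d+))?$")


def parse_version(text: str) -> tuple:
    """Split a version into (major, minor, release, build, service).

    build is the trailing ".N" of a DMI schema (0 if absent);
    service is the "-SN" suffix of a Junos OS service release (0 if absent).
    """
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, rel, service, build = m.groups()
    return (int(major), int(minor), int(rel), int(build or 0), int(service or 0))


def choose_schema(device_version: str, installed: list) -> Optional[str]:
    """Return the installed DMI schema Junos Space would select (inferred rule).

    1. Schemas with the same major release (X.YRn) as the device: pick the
       highest build (Tables 2 and 4).
    2. Otherwise pick the highest installed schema whose major release is
       lower than the device's; a higher release such as 18.5R1.1 for an
       18.4 device is never chosen (Tables 3 and 5).
    3. None when nothing installed is at or below the device's release.
    """
    dev = parse_version(device_version)[:3]
    same = [s for s in installed if parse_version(s)[:3] == dev]
    if same:
        return max(same, key=parse_version)
    lower = [s for s in installed if parse_version(s)[:3] < dev]
    if lower:
        return max(lower, key=parse_version)
    return None


# The five rows from Tables 2 to 5, reproduced here as constructed test data.
TABLE_ROWS = [
    ("18.4R1-S1", ["18.4R1.8", "18.3R1.1", "18.2R1.1"], "18.4R1.8"),
    ("18.4R1-S1", ["18.3R1.1", "18.2R1.1"], "18.3R1.1"),
    ("18.4R1-S1", ["18.5R1.1", "18.3R1.1", "18.2R1.1"], "18.3R1.1"),
    ("18.4R1-S1", ["18.4R1.8", "18.4R1.7", "18.4R1.6", "18.3R1.1"], "18.4R1.8"),
    ("18.4R1.1", ["18.5R1.1", "18.3R1.1", "18.2R1.1"], "18.3R1.1"),
]


def check_table_rows() -> bool:
    """True when the inferred rule reproduces every table row above."""
    return all(choose_schema(dev, inst) == want for dev, inst, want in TABLE_ROWS)


if __name__ == "__main__":
    for dev, inst, want in TABLE_ROWS:
        print(f"{dev:10} {', '.join(inst):45} -> {choose_schema(dev, inst)} (table: {want})")
```

Run it before installing schemas to confirm which one a given device would be bound to, and install the matching major release when the result is a lower one.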
Management Scalability
The following management scalability features are supported in Junos Space Security Director:
By default, monitor polling is set to 15 minutes and resource usage polling is set to 10 minutes. This polling time changes to 30 minutes for a large-scale data center setup such as one for 200 SRX Series devices managed in Security Director.
Note: You can manually configure the monitor polling on the Administration > Monitor Settings page.
Security Director supports up to 15,000 SRX Series devices with a six-node Junos Space fabric. In a setup with 15,000 SRX Series devices, all settings for monitor polling must be set to 60 minutes. If monitoring is not required, disable it to improve the performance of your publish and update jobs.
To enhance the performance further, increase the number of update subjob threads in the database. To increase the update subjob threads, run the following commands (note that the MySQL client expects the password directly after -p, with no space):
# mysql -u <mysql-username> -p<mysql-password> sm_db
mysql> update RuntimePreferencesEntity SET value=20 where name='UPDATE_MAX_SUBJOBS_PER_NODE';
mysql> exit
Note: For the MySQL username and password, contact Juniper Support.
If you use a database dedicated setup (SSD hard disk VMs), the performance of publish and update is better compared to the performance in a normal two-node Junos Space fabric setup.
Known Behavior
This section contains the known behavior and limitations in Junos Space Security Director Release 22.2R1.
To discover tenant devices in Security Director Release 21.2R1, we recommend a schema version of 20.1R1 or later. You must install the schema before Security Director discovers a tenant device.
If you configure a VPN in a Security Director release earlier than 19.4R1 and then upgrade Security Director to Release 20.1R1 or later, the IKE ID is displayed as blank if the IKE ID was defined as Default.
Security Director does not generate CLIs for deletion if a VPN is already configured in the device and the same device is used for creating another VPN from Security Director.
In Security Director Release 20.1R1 and later, you must configure a tunnel IP address for dynamic routing protocols. In Security Director Release 19.4R1 and earlier, if you configure VPN as unnumbered with a dynamic routing protocol, you are prompted to provide a tunnel IP address while editing the VPN after upgrading to Security Director Release 20.1R1 and later.
After upgrade, you cannot edit profiles with predefined proposals because the profiles in Security Director Release 20.1R1 and later support only custom proposals.
In Security Director Release 19.4R1 and earlier, if you configure a VPN with static routing or a traffic selector with protected network as the zone or interface, you must perform the following tasks:
- Before you upgrade to Security Director Release 20.1R1 and later, update the configuration on the device, and delete the VPN policy from Security Director.
- After you upgrade, import the VPN configuration.
Note: In Security Director Release 20.1R1 and later, we support only address objects in protected networks for static routing and traffic selector.
You must enable the Enable preview and import device change option, which is disabled by default:
- Select Network Management Platform > Administration > Applications.
- Right-click Security Director, and select Modify Application Settings.
- From Update Device, select the Enable preview and import device change option.
If you restart the JBoss application servers manually in a six-node setup one by one, the Junos Space Network Management Platform and Security Director user interfaces are launched within 20 minutes, and the devices reconnect to Junos Space Network Management Platform. You can then edit and publish the policies. When the connection status and the configuration status of all devices are UP and IN SYNC, respectively, click Update Changes to update all security-specific configurations or pending services on SRX Series devices.
To generate reports in the local time zone of the server, you must modify /etc/sysconfig/clock to configure the time zone. Changing the time zone on the server by modifying /etc/localtime does not generate reports in the local time zone.
If the vSRX VMs in NSX Manager are managed in Security Director Release 17.1R1 and Policy Enforcer Release 17.1R1, then after upgrading to Security Director Release 20.3R1 and Policy Enforcer Release 20.3R1, we recommend that you migrate the existing vSRX VMs in NSX Manager from Policy Enforcer Release 17.1R1 to Release 20.3R1.
To migrate the existing vSRX VMs:
- Log in to the Policy Enforcer server by using SSH.
- Run the following commands:
cd /var/lib/nsxmicro
./migrate_devices.sh
If the NSX Server SSL certificate has expired or changed, communication between Security Director and NSX Manager fails, thereby impacting the functionality of NSX Manager, such as sync NSX inventory and security group update.
To refresh the NSX SSL certificate:
- Log in to Policy Enforcer by using SSH.
- Run the following command:
nsxmicro_refresh_ssl --server <<NSX IP ADDRESS>> --port 443
This script fetches the latest NSX SSL certificate and stores it for communication between Security Director and NSX Manager.
In a setup where other applications are installed in Junos Space Network Management Platform along with Security Director, the JBoss PermSize must be increased from 512m to 1024m in the /usr/local/jboss/domain/configuration/host.xml.slave file. Under <jvm name="platform">, change the following values in the <jvm-options> tag:
<option value="-XX:PermSize=1024m"/>
<option value="-XX:MaxPermSize=1024m"/>
When you import addresses through CSV, a new address object is created by appending _1 to the address object name if the address object already exists in Security Director.
Known Issues
This section lists the known issues in Junos Space Security Director Release 22.2R1.
For the most complete and latest information about known Security Director defects, use the Juniper Networks online Junos Problem Report Search application.
SSL certificate error is displayed while analyzing threat prevention policy. PR1648734
When you use Security Director Insights as a log collector, device selection on Monitor page does not work when a logical system or a tenant system device is selected. PR1621052
Security Director displays device lookup failed error during preview. PR1617742
Workaround:
- Move the device to RMA state. Navigate to Junos Space Network Management Platform. Select Devices > Device Management. Select a device, right-click and select Device Operations and then select Put in RMA State.
- Reactivate the device from RMA state. Navigate to Junos Space Network Management Platform. Select Devices > Device Management. Select a device, right-click and select Device Operations and then select Reactivate from RMA.
Primary cluster displays the status as DOWN while both devices in the device cluster display the status as UP. PR1616993
Workaround:
- Move the device to RMA state. Navigate to Junos Space Network Management Platform. Select Devices > Device Management. Select a device, right-click and select Device Operations and then select Put in RMA State.
- Reactivate the device from RMA state. Navigate to Junos Space Network Management Platform. Select Devices > Device Management. Select a device, right-click and select Device Operations and then select Reactivate from RMA.
Security Director does not clear uncommitted logical system or tenant system device management configuration in case of job failure, which causes subsequent updates to fail. You must clear the configuration from the Junos Space node before proceeding with the next update. PR1603146
Workaround: Navigate to Junos Space Network Management Platform > Devices > Device Management > Modify Configuration > Deploy > Reject Changes.
Security Director fails to import policies when custom dynamic applications are configured at the root level and referenced in logical system or tenant system policies. PR1602677
Integrated Log Collector node is not added in Security Director. PR1587916
Workaround: Perform the following steps after installing the integrated Log Collector script (Integrated-Log-Collector-20.1R1v.130):
- Log in to the Junos Space console.
- Update the directory permissions:
chmod -R 777 /var/run/
- Restart the ElasticSearch service:
systemctl restart elasticsearch
systemctl status elasticsearch
- Update the eth0 IP address in /opt/jIngest/config/config.properties:
bindIp=<Junos Space eth0 IP>
- Restart the JIngest service:
service jingest restart
service jingest status
- Run the following commands to add the Log Collector in Security Director (the grep uses -w so that only the IPv4 "inet" line of eth0 is matched, and the request body is passed with --data):
ip=$(ifconfig eth0 | grep -w "inet" | awk '{print $2}')
curl -X POST -k -H 'Accept: application/json' -H 'Content-Type: application/json' -i 'http://localhost:8080/api/juniper/ecm/log-collector-nodes/' --data '{"log-collector-credential":{"user-name":"admin","ip-address":"'"$ip"'","password":"juniper_123","name":"Integrated","node-type":"Integrated"}}'
- Log in to Security Director, and verify the Log Collector details.
An icon showing out-of-band changes is seen for firewall and IPS policies, although the corresponding policy changes are not made on the device. PR1484953
Workaround: Clear the out-of-band icon on the policies when changes are not made on the device. Navigate to the corresponding policy, and right-click the policy. Select View Device Policy Changes and reject all changes, and then click OK.
Deployment of cipher list CLI works only when you perform Save, or Save and Deploy. PR1485949
Workaround: You must save or deploy the selected Cipher list before you view the preview changes.
An object conflict occurs when you import Web filter profiles with duplicate names, although the values are the same. PR1420341
Workaround: Select either Overwrite with Imported Value or Keep Existing Object to avoid duplicate objects.
Junos Space Security Director does not support routing instances and proxy profiles in an antivirus pattern update for the unified threat management (UTM) default configuration. PR1462331
When you import out-of-band changes to a logical system device, a job is created for the root device along with the logical system device, although changes are made only in the logical system device. PR1448667
Import fails when a device is imported only with UTM custom objects without a UTM policy. PR1447779
Workaround: Delete the UTM custom objects if they are not used in a policy, or assign a UTM policy.
Update fails for unified policies when an SSL proxy profile that is set as global in a device is not used in any policy for that device. PR1407389
A policy analysis report with a large number of rules cannot be generated. PR1418125
When a column filter is used, the Deselect all and Clear all options do not clear selected items occasionally. PR1424112
The Show Unused option is not available for URL categories. PR1431345
Restart of a single JBoss node does not recover the system even if the issue is present on a single node. PR1478804
Workaround: Restart all JBoss nodes.
For known issues in Policy Enforcer, see Policy Enforcer Release Notes.
Resolved Issues
This section lists the issues fixed in Junos Space Security Director 22.2R1:
For the most complete and latest information about resolved issues, use the Juniper Networks online Junos Problem Report Search application.
Security Log transport TLS-Profile is set incorrectly as NONE in Security Director. PR1665789
Security Director API call does not work for NAT policies with more than 300 rules. PR1664941
References do not work for dynamic address objects in Security Director. PR1664637
The user is unable to push multiple configurations to the device. PR1664618
Security Director updates an existing address book to the SRX Series device. PR1663898
Unified Threat Management (UTM) custom categories get deleted from the SSL proxy profile allowlist. PR1662493
Security Director fails to export the filtered search for a rule to .pdf format. PR1660892
Security Director fails to display the latest device configuration in the preview. PR1660583
The user is unable to create a route-based VPN. PR1659421
Security Director is unreachable when node 2 is the VIP node. PR1656449
The policy update job fails. PR1655881
The user is unable to delete unused dynamic objects created as a result of import. PR1655401
The user cannot delete unused address objects. PR1655068
Select and save functionalities in the Intrusion Prevention System (IPS) policy fail in the firewall rule. PR1654241
Incorrect fabric and control link status is displayed for logical systems. PR1651838
Security Director pushes the same configuration to SRX Series device and then deletes it. PR1650529
Search does not work for rules inside firewall policy. PR1649454
The firewall policy update fails when you associate a dynamic address group. PR1649267
The firewall policy update fails. PR1646550
Address objects that are deleted from an address group do not show in the delta. PR1684862
For resolved issues in Policy Enforcer, see Policy Enforcer Release Notes.