
Release Notes for Policy Enforcer

 

New and Changed Features

There are no new features and enhancements for Policy Enforcer Release 22.2R1.

For new features and enhancements in Security Director, see Junos Space Security Director Release Notes.

Product Compatibility

This section describes the supported hardware and software versions for Policy Enforcer. For Security Director requirements, see Junos Space Security Director Release Notes.

Supported Security Director Software Versions

Policy Enforcer is supported only on specific Security Director software versions as shown in Table 1.

Table 1: Supported Security Director Software Versions

| Policy Enforcer Software Version | Compatible with Security Director Software Version | Junos OS Release (Juniper ATP Cloud Supported Devices) |
| --- | --- | --- |
| 22.2R1 | 22.2R1 | Junos OS Release 15.1X49-D120 or Junos OS Release 17.3R1 and later |

Note

The time zones set for Security Director and Policy Enforcer must be the same.

Supported Devices

Table 2 lists the SRX Series devices that support Juniper ATP Cloud and the threat feeds these devices support.

Note

Table 2 lists the general Junos OS release support for each platform. However, each Policy Enforcer software version has specific requirements that take precedence. See Table 1 for more information.

Table 2: Supported SRX Series Devices with Juniper ATP Cloud and Feed Types

| Platform | Model | Junos OS Release | Supported Threat Feeds |
| --- | --- | --- | --- |
| vSRX | 2 vCPUs, 4 GB RAM | Junos 15.1X49-D60 and later | C&C, antimalware, infected hosts, GeoIP |
| SRX Series | SRX300, SRX320 | Junos 15.1X49-D90 and later | C&C, GeoIP |
| SRX Series | SRX340, SRX345, SRX550M | Junos 15.1X49-D60 and later | C&C, antimalware, infected hosts, GeoIP |
| SRX Series | SRX1500 | Junos 15.1X49-D60 and later | C&C, antimalware, infected hosts, GeoIP |
| SRX Series | SRX5400, SRX5600, SRX5800 | Junos 15.1X49-D62 and later | C&C, antimalware, infected hosts, GeoIP |
| SRX Series | SRX4100, SRX4200 | Junos 15.1X49-D65 and later | C&C, antimalware, infected hosts, GeoIP |
| SRX Series | SRX4600 | Junos 18.1R1 and later | C&C, antimalware, infected hosts, GeoIP |
| SRX Series | SRX3400, SRX3600 | Junos 12.1X46-D25 and later | C&C, GeoIP |
| SRX Series | SRX1400 | Junos 12.1X46-D25 and later | C&C, GeoIP |
| SRX Series | SRX550 | Junos 12.1X46-D25 and later | C&C, GeoIP |
| SRX Series | SRX650 | Junos 12.1X46-D25 and later | C&C, GeoIP |

Table 3 describes the hardware and software components that are compatible with JATP.

Table 3: Supported Hardware and Software Versions Compatible with JATP

| Platform | Hardware | Software Versions |
| --- | --- | --- |
| vSRX | | Junos 19.1R1.6 and above |
| SRX Series | SRX320, SRX300 | Junos 19.1R1 and above |
| SRX Series | SRX4100, SRX4200, SRX4600 | Junos 15.1X49-D65 and above for SRX4100 and SRX4200; Junos 18.1R1 and above for SRX4600 |
| SRX Series | SRX340, SRX345, SRX550M | Junos 15.1X49-D60 and above |
| SRX Series | SRX5800, SRX5600, SRX5400 | Junos 15.1X49-D50 and above |
| SRX Series | SRX1500 | Junos 15.1X49-D33 and above |

Note

The SMTP e-mail attachment scan feature is supported only on the SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices running Junos OS Release 15.1X49-D80 and later. vSRX does not support the SMTP e-mail attachment scan feature.

In Policy Enforcer Release 18.3R1, Policy Enforcer supports SRX Series devices running Junos OS Release 17.3R1 and later.

Table 4 lists the supported EX Series and QFX Series switches.

Table 4: Supported EX Series Ethernet Switches and QFX Series Switches

| Platform | Model | Junos OS Release |
| --- | --- | --- |
| EX Series | EX4200, EX2200, EX3200, EX3300, EX4300 | Junos 15.1R6 and later |
| EX Series | EX9200 | Junos 15.1R6 and later |
| EX Series | EX3400, EX2300 | Junos 15.1R6 and later; Junos 15.1X53-D57 and later |
| QFX Series | QFX5100, QFX5200; vQFX | Junos 15.1R6 and later; Junos 15.1X53-D60.4 |

Table 5 lists the supported MX Series routers that support the DDoS and C&C feed types.

Table 5: Supported MX Routers and Feed Types

| Platform | Model | Junos OS Release | Supported Feed Types |
| --- | --- | --- | --- |
| MX Series | MX240, MX480, MX960 | Junos 14.2R1 and later | DDoS |
| MX Series | MX240, MX480, MX960 | Junos 18.4R1 and later | C&C (mark the MX Series router as a perimeter device in secure fabric). The C&C feed is global and is overridden if the C&C custom feed is set on Policy Enforcer. |
| MX Series | vMX | Junos 16.2R2.8 | - |

Table 6 shows the supported SDN and cloud platforms.

Table 6: Supported SDN and Cloud Platforms

| Component | Specification |
| --- | --- |
| VMware NSX for vSphere | 6.3.1 and later. Note: For sites that are running vSphere 6.5, vSphere 6.5a is the minimum supported version with NSX for vSphere 6.3.0. |
| VMware NSX Manager | 6.3.1 and later |

Third-Party Wired and Wireless Access Network

Table 7 lists the third-party support and required server.

Table 7: Third-Party Wired and Wireless Access Network

| Switch/Server | Notes |
| --- | --- |
| Third-party switch | Any switch model that adheres to RADIUS IETF attributes and supports RADIUS Change of Authorization from ClearPass is supported by Policy Enforcer for threat remediation. |
| ClearPass RADIUS server | Must be running software version 6.6.0. |
| Cisco ISE | Must be running software version 2.1 or 2.2. |
| Forescout CounterACT | Must be running software version 7.0.0. Note: To obtain an evaluation copy of CounterACT for use with Policy Enforcer. |
| Pulse Secure | Must be running software version 9.0R3. |

If you use a Juniper Networks EX4300 Ethernet switch to integrate with the third-party switches, the EX4300 must be running Junos OS Release 15.1R6 or later.

Juniper Networks Contrail, Microsoft Azure, and AWS Specifications

Table 8 shows the required components for Juniper Networks Contrail.

Table 8: Juniper Networks Contrail Components

| Model | Software Version | Supported Policy Enforcer Mode |
| --- | --- | --- |
| Juniper Networks Contrail | 5.0 | Microsegmentation and threat remediation with vSRX |
| vSRX | Junos OS 15.1X49-D120 and later | Microsegmentation and threat remediation with vSRX |

Table 9 shows the required Policy Enforcer components for AWS.

Table 9: AWS Support Components

| Model | Software Version | Supported Policy Enforcer Mode |
| --- | --- | --- |
| vSRX | Junos OS 15.1X49-D100.6 and later; Junos OS 19.2R1 and later | vSRX policy based on workload discovery; AWS with JATP |

To get started with Microsoft Azure, see Getting Started with Microsoft Azure.

Table 10 shows the required Policy Enforcer components for Microsoft Azure.

Table 10: Microsoft Azure Support Components

| Model | Software Version | Supported Policy Enforcer Mode |
| --- | --- | --- |
| vSRX | Junos OS 15.1X49-D110.4 and later | vSRX policy based on workload discovery |

Virtual Machine

Policy Enforcer is delivered as an open virtual appliance (OVA) or a kernel-based virtual machine (KVM) package to be deployed inside your VMware ESX or Quick Emulator (QEMU)/KVM network with the following configuration:

  • 2 CPUs

  • 8-GB RAM (16 GB recommended)

    You must increase the RAM to 16 GB if you configure more than 256 custom dynamic addresses, allowlists, or blocklists.

  • 120-GB disk space

Table 11: Supported Virtual Machine Versions

| Virtual Machine | Version |
| --- | --- |
| VMware | VMware ESX server version 4.0 or later, or VMware ESXi server version 4.0 or later |
| QEMU/KVM | CentOS Release 7.9 or later |

Supported Browser Versions

Security Director and Policy Enforcer are best viewed on the following browsers.

Table 12: Supported Browser Versions

| Browser | Version |
| --- | --- |
| Google Chrome | 75.x |
| Internet Explorer | 11 on Windows 7 |
| Firefox | 67.0 and later |

Upgrade Support

You can upgrade to Policy Enforcer Release 22.2R1 from Policy Enforcer Release 21.3R1.

For complete upgrade instructions, see Upgrading Your Policy Enforcer Software.

For more information about the Security Director upgrade path, see Upgrading Security Director.

Migrate Policy Enforcer CentOS 6.8 Virtual Machine (VM) to CentOS 7.9 VM

Before you begin the migration process, you must:

  1. Download the 22.2R1 Red Hat Package Manager (rpm) file from the download site and upgrade Policy Enforcer from Release 21.3R1 to Release 22.2R1. See Upgrade Your Policy Enforcer Software.
  2. Release the existing IP address of the Policy Enforcer CentOS 6.8 VM and then use that IP address for installing the Policy Enforcer CentOS 7.9 VM.

    To release the existing IP address of the Policy Enforcer CentOS 6.8 VM:

    1. Download the pe_migration_backup_script.sh script from the download site to the Policy Enforcer CentOS 6.8 node.

    2. Execute the following script in the Policy Enforcer CentOS 6.8 VM CLI:

      sh ./pe_migration_backup_script.sh

      The script performs the following tasks:

      • Releases the Policy Enforcer CentOS 6.8 VM IP address.

        Note

        You must use the released IP address to install the Policy Enforcer CentOS 7.9 VM.

      • Takes a backup of the Policy Enforcer database and settings and places the file in /opt/policy-enforcer/feeder/<peDB-XXXX>.tar

    3. Enter the new IP address for the Policy Enforcer CentOS 6.8 VM.

      Note

      We recommend that you use a new IP address from the same subnet as the released IP address.

    The released IP address of the Policy Enforcer CentOS 6.8 VM is no longer reachable.

To migrate the Policy Enforcer CentOS 6.8 VM to CentOS 7.9 VM:

  1. Install the Policy Enforcer Release 22.2R1 VM with CentOS 7.9 using the Open Virtual Appliance (OVA) file from the download site. See Install Policy Enforcer.

    Note

    While installing Policy Enforcer, provide the IP address that was released from the CentOS 6.8 Policy Enforcer VM.

  2. Log in to Security Director and navigate to Administration > Policy Enforcer > Settings.

    Reconfigure the Settings page with the existing IP address (released from the Policy Enforcer CentOS 6.8 VM) and the password of the new Policy Enforcer VM. See Policy Enforcer Settings.

  3. Navigate to Administration > Policy Enforcer > Backup and restore, select the <peDB-XXXX>.tar file, and click Restore. See Policy Enforcer Backup and Restore.

    Restore the file remotely by clicking on the Remote Restore option. You must remotely restore /opt/policy-enforcer/feeder/<peDB-XXXX>.tar file from the Policy Enforcer CentOS 6.8 VM.

  4. Migrate the feeds from the Policy Enforcer CentOS 6.8 VM:
    1. Log in to the Policy Enforcer CentOS 7.9 VM CLI.
    2. Download the migrateFeeds.py script from the download site and execute the script using the python2.7 migrateFeeds.py command.

      When prompted, provide the following inputs:

      1. Enter the new IP address of the Policy Enforcer CentOS 6.8 VM.
      2. Enter the root password of the Policy Enforcer CentOS 6.8 VM.
      3. Provide the number of days for which you want to copy the feeds and press Enter.

        Note

        You can copy the feeds for a maximum of 365 days.

    Note

    It may take 30 minutes to 1 hour to migrate the feeds to Policy Enforcer CentOS 7.9 VM depending upon the size of feeds and the number of days for which you want to migrate the feeds.
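As an added example (not from this page or from Policy Enforcer's own scripts), these POSIX sh helpers check the three inputs the migration above depends on before the vendor scripts are run: that the interim CentOS 6.8 address shares a subnet with the released address, that the feed-day count is within the 365-day limit, and that a peDB-*.tar backup actually exists in the directory the backup script writes to. All function names and the sample addresses are this example's own constructions.

```shell
#!/bin/sh
# Added pre-flight helpers for the CentOS 6.8 -> 7.9 migration procedure above.
# Not part of Policy Enforcer; every function name here is this example's own.

# ip_to_int: convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet NEW_IP RELEASED_IP PREFIXLEN: succeed when both addresses lie in
# the same /PREFIXLEN network, as the procedure recommends for the interim
# CentOS 6.8 address chosen after the old address is released.
same_subnet() {
  a=$(ip_to_int "$1")
  b=$(ip_to_int "$2")
  mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
  [ $(( a & mask )) -eq $(( b & mask )) ]
}

# feed_days_ok DAYS: migrateFeeds.py copies feeds for at most 365 days, so
# reject anything that is not an integer in 1..365 before it is typed in.
feed_days_ok() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 365 ]
}

# latest_pe_backup DIR: print the newest peDB-*.tar in DIR (the backup script
# writes to /opt/policy-enforcer/feeder/), failing when no backup exists, so
# the Remote Restore step is not attempted against a missing file.
latest_pe_backup() {
  newest=
  for f in "$1"/peDB-*.tar; do
    [ -f "$f" ] || continue
    if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
      newest=$f
    fi
  done
  [ -n "$newest" ] && echo "$newest"
}

# Constructed sample values for a stand-alone run.
if same_subnet 10.1.2.20 10.1.2.10 24; then
  echo "10.1.2.20 is in the same /24 as released address 10.1.2.10"
fi
feed_days_ok 400 || echo "400 days exceeds the 365-day feed migration limit"
```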

Migrate NSX Manager Data

If you are using the NSX Manager, then after you migrate to Policy Enforcer CentOS 7.9 VM, you must migrate the NSX manager data.

Note

You must perform the "Before you begin" steps (Step 1, Step 2, and Step 3) in Migrate Policy Enforcer CentOS 6.8 Virtual Machine (VM) to CentOS 7.9 VM before proceeding with the NSX Manager data migration.

  1. Run the nsx_backup.sh script on the Policy Enforcer CentOS 6.8 VM node. Enter the backup file path.

    This script creates a .tgz file with the NSX database and the certificate files.

  2. Copy the .tgz file to the Policy Enforcer CentOS 7.9 VM node.
  3. Run the nsx_restore.sh script in the Policy Enforcer CentOS 7.9 VM CLI. Enter the .tgz backup file path.
  4. Copy the required vSRX OVA files from /uploads/images/publish/ on the Policy Enforcer CentOS 6.8 VM node to /uploads/images/publish/ on the Policy Enforcer CentOS 7.9 VM node using secure copy (scp).

Known Behavior

This section lists the known behavior in Policy Enforcer Release 22.2R1.

  • An error may be displayed in the Status column of the vCenter Task pane when deploying vSRX in host-based mode for east-west traffic. To overcome this resource pool error, enable DRS mode on the cluster in which you deploy the vSRX device.

  • When you open the vSRX console through vCenter, ignore the displayed warning.

  • You can associate a tenant with only one VRF instance.

  • A realm can have all the sites either with tenants or without tenants.

  • Tenants and VRF-based feeds are supported only on MX Series devices.

  • To take action on the feeds from Policy Enforcer, you must configure policies on the MX Series device through the CLI and not from Security Director.

  • To upload certificates for Policy Enforcer, to be used in certificate-based authentication mode of Junos Space, Junos Space must be in password authentication mode to complete the Policy Enforcer settings workflow. The mode can be switched to certificate-based authentication after the Policy Enforcer settings are completed.

  • Policy Enforcer supports only the default global domain in Junos Space Network Management.

  • When you are creating a connector for third-party devices, it is mandatory to add at least one IP subnet to a connector. You cannot complete the configuration without adding a subnet.

  • If you replace a device as part of RMA and if that device is already in secure fabric, you must remove the device from secure fabric and add it again. Otherwise, feeds are not downloaded to the replaced device.

  • JATP zone creation or assignment cannot be done in the General Setup Wizard.

  • Ensure that the time difference between the JATP and the SRX Series devices is less than 20 seconds to avoid the enrollment failure.

  • When the vSRX device is disenrolled with JATP and enrolled again, you might see the device shown twice in the Feed Sources page in Security Director.

  • When the feed source is JATP, you must change the Infected host state in the JATP portal. There are no Dashboard widgets to show the JATP related threats or Infected hosts in Security Director.

  • During the JATP enrollment, a message may state that the Juniper ATP Cloud license is not present. You can ignore this warning.

  • For SRX Series devices in a chassis cluster, both primary and secondary chassis cluster nodes need to be discovered in Security Director before adding them to secure fabric. If only one chassis cluster node is discovered and added to secure fabric, the feed download does not work after failover to secondary node.

Known Issues

This section lists the known issues in Policy Enforcer Release 22.2R1.

For the most complete and latest information about known Policy Enforcer defects, use the Juniper Networks online Junos Problem Report Search application.

  • You may not be allowed to edit the ClearPass connector password on the Policy Enforcer Connector page.

    Workaround: Delete the connector and add it again with the right credentials. [PR1464446]

  • Sites associated with tenants (multitenant sites) are shown while creating a policy enforcement group. This also applies to guided setup. [UC-334]

  • You cannot add enforcement points to a site after changing the mode when certificate-based authentication is enabled. [UC-368]

    Workaround: After changing the Policy Enforcer mode on the Policy Enforcer Settings page, go to Junos Space® Network Management Platform > Users > pe_user and manually upload the client certificate.

    OR

    Go to Junos Space Network Management Platform, change the mode to Password Authentication, and perform the Policy Enforcer settings again.

  • When you download feeds to a device after the realm is deleted and added again in Policy Enforcer, an internal server error occurs.

    Workaround:

    On Junos OS CLI on the SRX Series device, execute the command request services security-intelligence download. [PR1586287]

Resolved Issues



This section lists the issues fixed in Policy Enforcer Release 22.2R1.

For the most complete and latest information about resolved Policy Enforcer defects, use the Juniper Networks online Junos Problem Report Search application.

  • After you upgrade Security Director Insights 21.1R1 to Security Director Insights 21.3R1, the Policy Enforcer mode changes from cloudfeeds to ATP Cloud/JATP. [PR1669675]

For resolved issues in Security Director, see Junos Space Security Director Release Notes.