Out-of-Band Changes Overview
Out-of-band configuration changes are the changes you make to a device configuration through any method other than deploying the configuration change from Security Director.
Out-of-band changes include configuration changes made by using:
The device CLI
The device Web-based management interface (J-Web interface)
When you make out-of-band changes, Security Director detects the configuration changes on the device. It sets the device configuration state to Out of Sync because the device configuration does not match the build mode configuration for the device. You cannot deploy configuration on devices that are in the Out of Sync state. To return the device configuration state to In Sync, click Resynchronize with Network. This task resynchronizes the device's configuration stored in Security Director to match the device configuration.
After the configuration status of the device is In Sync, an icon appears next to each policy for which out-of-band policy changes have been made on the device. You can automatically or manually synchronize the out-of-band firewall, IPS, and NAT policy changes from a device. Automatic synchronization applies only to device-specific policies; manual synchronization applies to both device-specific and group policies.
Starting in Junos Space Security Director Release 19.4R1, you can import or reject out-of-band changes for an IPS policy from a device to Security Director manually or automatically. For devices running Junos OS Release 18.2 and later, you can synchronize the IPS policy changes from the standard firewall policies or unified firewall policies page. For devices running Junos OS Release 18.1 and earlier, you can synchronize the IPS policy changes from the IPS Policies page.
Starting in Junos Space Security Director Release 20.1R1, you can import or reject out-of-band changes for a NAT policy from a device to Security Director manually or automatically.
If Space as System of Record (SSOR) is enabled, the out-of-band changes on the device should be resolved from the Junos Space UI for Security Director out-of-band changes to work.
Device and Security Director always synchronized—You can use the new Auto Sync Policy Changes setting on the Administration > Policy Sync Settings page to automatically synchronize the out-of-band device-specific firewall and IPS policy changes made on the device with Security Director. You can also manually synchronize the out-of-band changes.
Better control over configuration changes—You can now view a list of all out-of-band changes made on a managed device. You can accept or reject the changes to synchronize the device with Security Director.
Viewing and Synchronizing Out-of-Band Firewall Policy Changes Manually
Viewing and Synchronizing Out-of-Band IPS Policy Changes Manually
Viewing and Synchronizing Out-of-Band NAT Policy Changes Manually
Resynchronizing Managed Devices with the Network in Security Director