Hot Patch Releases

This section describes the installation procedure, features, and resolved issues in Junos Space Security Director Release 21.3R1 hot patch.

During hot patch installation, the script performs the following operations:

  • Blocks the device communication.

  • Stops JBoss, JBoss Domain Controller (JBoss-dc), and jmp-watchdog services.

  • Backs up existing configuration files and EAR files.

  • Updates the Red Hat Package Manager (RPM) files.

  • Restarts the watchdog process, which restarts JBoss and JBoss-dc services.

  • Unblocks device communication after restarting the watchdog process for device load balancing.

Note:

You must install the hot patch on Security Director Release 21.3R1 or on any previously installed hot patch. The hot patch installer backs up all the files which are modified or replaced during hot patch installation.

Installation Instructions

Note:

You must install Junos Space Network Management Platform Release 21.3 hot patch v2 or later before you install the latest Security Director hot patch.

Perform the following steps in the CLI of the JBoss-VIP node only:

  1. Download the Security Director 21.3R1 Patch vX from the download site.

    Here, X is the hot patch version (for example, v1, v2, and so on).

  2. Copy the SD-21.3R1-hotpatch-vX.tgz file to the /home/admin location of the VIP node.

  3. Verify the checksum of the hot patch for data integrity:

    md5sum SD-21.3R1-hotpatch-vX.tgz

  4. Extract the SD-21.3R1-hotpatch-vX.tgz file:

    tar -zxvf SD-21.3R1-hotpatch-vX.tgz

  5. Change the directory to SD-21.3R1-hotpatch-vX.

    cd SD-21.3R1-hotpatch-vX

  6. Execute the patchme.sh script from the SD-21.3R1-hotpatch-vX folder:

    sh patchme.sh

    The script detects whether the deployment is a standalone deployment or a cluster deployment and installs the patch accordingly.

A marker file, /etc/.SD-21.3R1-hotpatch-vX, is created with the list of Red Hat Package Manager (RPM) details in the hot patch.
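The sequence above as an added pre-flight helper; this is not part of the Juniper hot patch bundle. It gates extraction on the step 3 md5sum check against an expected digest (an assumed operator-supplied input, since the page publishes no digest) and on the prerequisite that Release 21.3R1 or an earlier hot patch is already present, read from the /etc/.SD-21.3R1-hotpatch-vX marker files. The prefix argument of installed_hotpatch_version is an assumption added so the marker check can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added pre-flight helper (not part of the Juniper hot patch bundle). Run on the
# JBoss-VIP node as: install_hotpatch <X> <expected-md5>, e.g. install_hotpatch 3 <md5>.
# The expected digest is an assumed operator-supplied value, not taken from this page.

# Compare the md5sum of file $1 with the expected digest $2 (case-insensitive).
# Returns 0 on match, 1 on mismatch or when the file is unreadable.
verify_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || return 1
    actual=$(md5sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Print the highest hot patch version whose marker /etc/.SD-21.3R1-hotpatch-vN exists
# under root prefix $1 (assumed argument; use "" for the live system), or 0 if none.
installed_hotpatch_version() {
    prefix=${1:-}
    best=0
    for marker in "$prefix"/etc/.SD-21.3R1-hotpatch-v*; do
        [ -e "$marker" ] || continue
        n=${marker##*-v}
        case $n in *[!0-9]*) continue ;; esac
        [ "$n" -gt "$best" ] && best=$n
    done
    echo "$best"
}

# Steps 3 to 6 of the procedure: verify, refuse downgrades/reinstalls, extract, run patchme.sh.
install_hotpatch() {
    version=$1        # X in SD-21.3R1-hotpatch-vX.tgz
    expected_md5=$2   # digest published alongside the download (operator input)
    bundle="/home/admin/SD-21.3R1-hotpatch-v${version}.tgz"
    verify_checksum "$bundle" "$expected_md5" || {
        echo "checksum mismatch for $bundle; not extracting" >&2; return 1; }
    current=$(installed_hotpatch_version "")
    [ "$current" -lt "$version" ] || {
        echo "hot patch v$current is already installed; nothing to do" >&2; return 1; }
    cd /home/admin && tar -zxvf "$bundle" \
        && cd "SD-21.3R1-hotpatch-v${version}" && sh patchme.sh
}
```

The marker check only confirms that a hot patch was installed earlier; the base Release 21.3R1 prerequisite itself is not readable from these files.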

Note:

We recommend that you install the latest available hot-patch version, which is the cumulative patch.

New and Enhanced Features in the Hot Patch

Junos Space Security Director Release 21.3R1 hot patch includes the following enhancements:

  • Manage threat prevention policy without Policy Enforcer—Starting in Junos Space Security Director Release 21.3R1 Hot Patch V1, you can manage threat prevention policies even if you haven’t configured Policy Enforcer. If you create and associate a threat prevention policy or profile with the firewall policy using the device CLI or J-Web without configuring Policy Enforcer, then Security Director doesn’t delete the threat prevention policy or profile when you preview or update the firewall policy. Therefore, you don't have to reconfigure the threat prevention policy or profile, and reassociate it with the firewall policies in the device.

    Note:

    This feature is applicable only when you create a threat prevention policy and associate it to existing rules using the device CLI or J-Web.

  • Legacy log collector and Security Director Insights log collector support for event viewer—Starting in Junos Space Security Director Release 21.3R1 Hot Patch V1, you can add both the legacy log collector node and the Security Director Insights VM on the Logging Nodes page in Security Director. We've added read-only log collector support to enable you to view existing data. This support provides a smooth transition from the legacy log collector to the Security Director Insights VM as the log collector.

    Note:

    You cannot add log collector nodes of the same type on the Logging Nodes page.

    The Legacy Node check box appears on all the Events & Logs pages after you add the legacy log collector node. Select the Legacy Node check box to view only the existing log collector data. New logs should point to Security Director Insights VM as the log collector. You see the Security Director Insights log collector data after you clear the Legacy Node check box.

  • Polymorphic address support in source and destination address for NAT rules—Starting in Security Director Release 21.3R1 hot patch V3, while creating NAT rules for group policies you can select polymorphic addresses as the source or destination address. The rule points to the default address if the device IP address does not match any of the context values in the polymorphic address. If there is a match, the address corresponding to the context value is used as the source or destination address of the rule.

    Note:

    Polymorphic address is not supported for static NAT destination address.

  • Support for disabling service offload in Security Director— Starting in Security Director Release 21.3R1 hot patch V3, we’ve provided an option to disable service offload on the Edit Profile page of a rule for standard and unified firewall policies. This feature is supported both on logical systems and tenant systems. You can select from the following options:

    • None: Select to delete the configured service on the device.

    • Enable: Select to enable service offload. When services-offload is enabled, only the first packets of a session go to the Services Processing Unit (SPU); the remaining packets of the session bypass the SPU, so some security features such as stateful screen are not supported. Only TCP and UDP packets can be services offloaded.

    • Disable: Select to disable service offload.

  • Support to terminate CLI/J-Web edit mode user session—Starting in Security Director Release 21.3R1 hot patch V3, when you retry an update job that failed on devices because of device lock failures, you can log out the edit mode user who locked the configuration database from the device CLI.

    Navigate to Monitor > Job Management. Select the job, and then from the More list select Retry on Failed Devices. On the Retry Update Failed Devices page, enable the Evict CLI/J-Web edit mode users option.

Known Issues in Hot Patches

This section lists the known issues in Security Director Release 21.3R1 hot patch.

  • The report for the root device event displays Logical System (LSYS) and Tenant System (TSYS) events instead of root device events. PR1712069

Resolved Issues in Hot Patches

Table 1 lists the resolved issues in Security Director Release 21.3R1 hot patches.

Table 1: Resolved Issues in Hot Patches

| PR | Description | Hot Patch Version |
|---|---|---|
| PR1751227 | Security Director is unable to get the policy hit count using the REST API. | v13 |
| PR1765982 | Security Director API fails to prevent creation of duplicate addresses. | v13 |
| PR1754290 | VPN publishing jobs fail. | v13 |
| PR1760414 | When you perform a GET request for /api/juniper/sd/policy-management/firewall/policies/detailedPolicy/{Policy-ID} for a device having LSYS, it shows a 500 internal server error. | v13 |
| PR1762610 | The Service search functionality in Security Director fails to obtain the required result. | v13 |
| PR1728629 | User is unable to sort the columns on the Logging Devices page in Security Director. | v12 |
| PR1748252 | Unable to import a firewall rule in Security Director if the rule has a DAG with a missing category. | v12 |
| PR1681255 | After upgrading to Security Director Release 21.3R1, the user is unable to add a device to the VPN profile. | v12 |
| PR1744649 | Security Director displays the device names instead of device IPs under the Device IP column on the Logging Devices page. | v12 |
| PR1653054 | The Auto Policy Sync in Security Director does not work. | v11 |
| PR1659212 | The service search by port number does not work. | v11 |
| PR1698920 | Security Director shows invalid configuration in the update configuration preview. | v11 |
| PR1613930 | The user is unable to edit the policy-based VPN name or description in Security Director. | v11 |
| PR1681035 | There are issues with the VPN profiles authentication algorithm after you upgrade Security Director. | v11 |
| PR1683173 | When the user configures a new IPsec VPN profile for route-based Hub and Spoke using the manual pre-shared key option, the output is set to multiple security IKE policies instead of only one security IKE policy. | v11 |
| PR1689638 | When you view device changes, Security Director displays the Managed status as Device Changed for several devices. | v11 |
| PR1694161 | Security Director updates multiple policies even when you select only one policy for update. | v11 |
| PR1736563 | Security Director modifies the device setup by adding an additional set of VPN configurations. | v11 |
| PR1653687 | Security Director does not display the correct time zone when you change the time zone using modify configuration. | v11 |
| PR1689302 | Address object import from a CSV file fails. | v11 |
| PR1698572 | Security Director displays the "An error occurred while requesting the data" error message while importing configuration from an SRX4100 device. | v11 |
| PR1707744 | When you try to preview, publish, or update configuration in Security Director, it fails with an error. | v11 |
| PR1709345 | The Maximum Transmission Unit (MTU) is not visible during the edit workflow when provided as default. | v11 |
| PR1722324 | Security Director is unable to import the firewall policy from an SRX4200 device. | v11 |
| PR1723715 | Save Comments does not work after upgrade to Security Director 22.3. | v11 |
| PR1731271 | Security Director API displays an internal server error during policy edit if the policy is locked. | v11 |
| PR1734133 | When the user performs a snapshot rollback of a policy, Security Director creates a duplicate default IPS policy. | v11 |
| PR1735089 | Security Director deletes the configurations for the policy-based VPNs that do not get imported to Security Director. | v11 |
| PR1742002 | When you try to preview the changes made to a policy before publishing, it fails with the "Calculating XML Edit Config" error message. | v11 |
| PR1723625 | User is unable to modify a zone with more than a hundred interface units. | v10 |
| PR1728651 | User is unable to import group policies through a zip file and the snapshot rollback policy feature in Security Director. | v10 |
| PR1664682 | The geographical location report shows incorrect data in Security Director. | v10 |
| PR1687371 | Security Director deletes device configuration due to SRX DMI schema 22.1R1.10. | v10 |
| PR1709403 | Security Director fails to import policy zip files with more than 20000 rules. | v10 |
| PR1710418 | Security Director fails to publish the SRX Series cluster policy with the "UTM is not available in the device" error message. | v10 |
| PR1659212 | The search functionality in Security Director does not work properly when you search by port number. | v10 |
| PR1718065 | User is unable to search for the policies after publishing the new device configuration. | v10 |
| PR1719283 | The Application visibility feature fails with errors. | v10 |
| PR1701645 | SRX Series devices do not show any data in the Intrusion Prevention System (IPS) report with log event IDP_ATTACK_LOG_EVENT_LS. | v9 |
| PR1568417 | In Security Director, Security Director Insights shows the log source as 127.0.0.1 for all logs rather than the SRX IP address or the actual source from which the logs originated. | v8 |
| PR1689483 | The search functionality in Security Director does not work for newly created address objects. | v8 |
| PR1700163 | User is unable to change the destination address for static NAT rules in Security Director. | v8 |
| PR1705221 | Security Director displays the following error message while saving an IPS/NAT policy rule: java.lang.NullPointerException | v8 |
| PR1679106 | Security Director updates the database with an incorrect cyclic service group. | v8 |
| PR1703135 | User is unable to search for an object in Security Director even when the object exists in Shared Objects. | v8 |
| PR1701008 | When you change the sequence of three or more sets of rules in Security Director, the changed order does not appear correctly after saving the changes. | v7 |
| PR1683144 | The search and find usage functionality does not work properly in Security Director. | v7 |
| PR1698840 | Updates to the LSYS fail at times in Security Director. | v7 |
| PR1676755 | Security Director fails to import security policies with the object address 0.0.0.0/0. | v6 |
| PR1695528 | Intrusion Detection and Prevention (IDP) signature continues to install the updates on SRX Series devices from IDP files even when the file transfer fails. | v6 |
| PR1662267 | The search functionality in Security Director does not work for newly configured rules. | v6 |
| PR1684862 | Address objects fail to update properly in Security Director. | v5 |
| PR1638491 | The maximum transmission unit (MTU) is set to 1500 by default when the MTU size is not predefined. | v4 |
| PR1665789 | In Security Director, the value of the security log transport TLS profile is incorrectly set to NONE. | v4 |
| PR1666574 | Security Director alarms fail to show up after upgrading to 22.1R1. | v4 |
| PR1666710 | Security Director pushes invalid configurations for IKE gateway fragmentation size. | v4 |
| PR1669804 | Automatic firewall policy in Junos Space Network Management Platform wrongly imports firewall policy rules. | v4 |
| PR1672405 | Unable to add Security Director Insights under Security Director > Administration > Insight Management > Insights Node. | v4 |
| PR1675551 | User is unable to delete files under SD_Device_Config. | v4 |
| PR1669807 | During auto policy sync, unused objects are stuck in firewall/NAT policy updates. | v4 |
| PR1665842 | User is automatically logged out from Security Director despite activity. | v4 |
| PR1669805 | When you update policies, re-synchronize Security Director with the managed device. | v3 |
| PR1666924 | When the user rolls back a firewall policy, the associated IPS policy is created with _1 in the policy name. | v3 |
| PR1664637 | References do not work for dynamic address objects in Security Director. | v3 |
| PR1662493 | Unified Threat Management (UTM) custom categories are deleted from the SSL proxy profile whitelist. | v3 |
| PR1660892 | Security Director fails to export the filtered search for a rule to .pdf format. | v3 |
| PR1660583 | Security Director fails to display the latest device configuration in the preview, and displays the following error message: Statement creation failed. | v3 |
| PR1654639 | Search functionality does not work as expected. | v3 |
| PR1654241 | Select and save functionalities in the Intrusion Prevention System (IPS) policy fail in the firewall rule. | v3 |
| PR1653847 | The user is unable to disable Network Address Translation (NAT) policies on devices. | v3 |
| PR1653543 | The IPS signature update fails with an error. | v3 |
| PR1655473 | The logical system device update fails. | v2 |
| PR1651792 | The user is unable to import URL patterns and categories. | v2 |
| PR1650817 | There are issues with the VPN delete API call. | v2 |
| PR1655401 | The user is unable to delete unused dynamic objects created as a result of import. | v2 |
| PR1647300 | When Security Director Insights is unreachable, the status is not displayed on the Logging Node page. | v2 |
| PR1644063 | The Security Director Insights log collector does not display logging devices. | v2 |
| PR1656449 | Security Director is unreachable when node 2 is the VIP node. | v2 |
| PR1636657 | Unable to push license from Security Director in a multi-node setup. | v1 |
| PR1637747 | Security Director deletes the threat prevention policy that is added via J-Web or device CLI on root and logical system. | v1 |
| PR1638876 | There are auto policy sync job issues. | v1 |
| PR1644157 | User is unable to add devices to Juniper Security Director Cloud after on-prem Security Director upgrade. | v1 |
| PR1644238 | User is unable to create or modify variable objects in Security Director. | v1 |
| PR1644736 | IPsec VPN update fails from Security Director due to incorrect CLI for IKE and IPsec VPN profiles. | v1 |
| PR1644737 | Unable to view data on the VPN Monitoring page. | v1 |
| PR1644877 | Packet capture functionality does not work as expected. | v1 |
| PR1646550 | Update firewall policy fails. | v1 |
| PR1647181 | Unable to create a polymorphic object in Security Director. | v1 |
| PR1648031 | The NAT rule Disable option does not work as expected. | v1 |
| PR1648126 | User is unable to view packet capture data for the IDP policy. | v1 |