Known Behavior
This section contains the known behavior and limitations in Junos Space Security Director Release 21.3R1.
-
You can generate a temporary password in Security Director under Administration > Users & Roles > Users by either creating a new user or editing an existing user.
Make sure you check the Generate checkbox on the Create User or the Edit User window to create a temporary password.
After you generate the temporary password in Security Director, you must first log in through Junos Space Network Management Platform GUI and not Security Director GUI.
-
To discover tenant devices in Security Director Release 21.2R1, we recommend a schema version of 20.1R1 or later. You must install the schema before Security Director discovers a tenant device.
-
If you configure a VPN in a Security Director release earlier than 19.4R1 and then upgrade Security Director to Release 20.1R1 and later, the IKE ID is displayed as blank if the IKE ID is defined as Default.
-
Security Director does not generate CLIs for deletion if a VPN is already configured in the device and the same device is used for creating another VPN from Security Director.
-
In Security Director Release 20.1R1 and later, you must configure a tunnel IP address for dynamic routing protocols. In Security Director Release 19.4R1 and earlier, if you configure VPN as unnumbered with a dynamic routing protocol, you are prompted to provide a tunnel IP address while editing the VPN after upgrading to Security Director Release 20.1R1 and later.
-
After upgrade, you cannot edit profiles with predefined proposals because the profiles in Security Director Release 20.1R1 and later support only custom proposals.
-
In Security Director Release 19.4R1 and earlier, if you configure a VPN with static routing or a traffic selector with protected network as the zone or interface, you must perform the following tasks:
Before you upgrade to Security Director Release 20.1R1 and later, update the configuration on the device, and delete the VPN policy from Security Director.
After you upgrade, import the VPN configuration.
Note: In Security Director Release 20.1R1 and later, we support only address objects in protected networks for static routing and traffic selector.
-
You must enable the Enable preview and import device change option, which is disabled by default:
Select Network Management Platform > Administration > Applications.
Right-click Security Director, and select Modify Application Settings.
From Update Device, select the Enable preview and import device change option.
-
If you restart the JBoss application servers manually in a six-node setup one by one, the Junos Space Network Management Platform and Security Director user interfaces are launched within 20 minutes, and the devices reconnect to Junos Space Network Management Platform. You can then edit and publish the policies. When the connection status and the configuration status of all devices are UP and IN SYNC, respectively, click Update Changes to update all security-specific configurations or pending services on SRX Series devices.
-
To generate reports in the local time zone of the server, you must modify /etc/sysconfig/clock to configure the time zone. Changing the time zone on the server by modifying /etc/localtime does not generate reports in the local time zone.
-
If the vSRX VMs in NSX Manager are managed in Security Director Release 17.1R1 and Policy Enforcer Release 17.1R1, then after upgrading to Security Director Release 20.3R1 and Policy Enforcer Release 20.3R1, we recommend that you migrate the existing vSRX VMs in NSX Manager from Policy Enforcer Release 17.1R1 to Release 20.3R1.
To migrate the existing vSRX VMs:
Log in to the Policy Enforcer server by using SSH.
Run the following commands:
cd /var/lib/nsxmicro
./migrate_devices.sh
-
If the NSX Server SSL certificate has expired or changed, communication between Security Director and NSX Manager fails. This affects NSX Manager functionality such as NSX inventory synchronization and security group updates.
To refresh the NSX SSL certificate:
Log in to Policy Enforcer by using SSH.
Run the following command:
nsxmicro_refresh_ssl --server <<NSX IP ADDRESS>> --port 443
This script fetches the latest NSX SSL certificate and stores it for communication between Security Director and NSX Manager.
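Because the refresh stores the certificate that NSX Manager currently presents, it is worth confirming that a changed certificate is the one you expect before you run it. The following is an added example, not Juniper or Policy Enforcer code: it compares the presented certificate's SHA-256 fingerprint with one you recorded at the last refresh and, optionally, one supplied out of band by the NSX administrator. The function names, the recorded-fingerprint workflow and the sample certificates are assumptions constructed for illustration.

```python
# Added example, not Juniper code. The "recorded fingerprint" workflow and all
# names here are assumptions; the sample certificates are constructed stand-ins.
import hashlib
import hmac
import ssl

# Constructed sample data: placeholder bytes wrapped as PEM, not real certificates.
OLD_PEM = ssl.DER_cert_to_PEM_cert(b"constructed stand-in: previous NSX certificate")
NEW_PEM = ssl.DER_cert_to_PEM_cert(b"constructed stand-in: renewed NSX certificate")


def fingerprint(pem):
    """SHA-256 over the DER encoding, as lowercase hex without separators."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def normalize(fp):
    """Accept 'AA:BB:...' or plain hex, the forms admin tools usually print."""
    cleaned = "".join(fp.split()).replace(":", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def assess(presented_pem, recorded_fp, expected_fp=None):
    """Classify the certificate the server presents right now.

    recorded_fp: fingerprint noted at the last refresh.
    expected_fp: fingerprint of the new certificate, obtained out of band.
    """
    presented = fingerprint(presented_pem)
    if hmac.compare_digest(presented, normalize(recorded_fp)):
        return "unchanged"            # same certificate as last recorded
    if expected_fp and hmac.compare_digest(presented, normalize(expected_fp)):
        return "changed-verified"     # expected rotation; refresh the stored copy
    return "changed-unverified"       # confirm with the NSX administrator first


def fetch_pem(host, port=443):
    """Fetch the presented certificate without validating it (needs network)."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    recorded = fingerprint(OLD_PEM)
    print(assess(OLD_PEM, recorded))
    print(assess(NEW_PEM, recorded, fingerprint(NEW_PEM)))
    print(assess(NEW_PEM, recorded))
```

Against a live system, pass the output of fetch_pem() for the NSX Manager address as presented_pem in place of the constructed samples.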
-
In a setup where other applications are installed in Junos Space Network Management Platform along with Security Director, the JBoss PermSize must be increased from 512m to 1024m in the /usr/local/jboss/domain/configuration/host.xml.slave file. Under <jvm name="platform">, change the following values in the <jvm-options> tag:
<option value="-XX:PermSize=1024m"/>
<option value="-XX:MaxPermSize=1024m"/>
-
When you import addresses through CSV, a new address object is created by appending a_1 to the address object name if the address object already exists in Security Director.