Hot Patch Releases
This section describes the installation procedure, features, and resolved issues in Junos Space Security Director Release 22.1R1 hot patch.
During hot patch installation, the script performs the following operations:
- Blocks the device communication.
- Stops JBoss, JBoss Domain Controller (JBoss-dc), and jmp-watchdog services.
- Backs up existing configuration files and EAR files.
- Updates the Red Hat Package Manager (RPM) files.
- Restarts the watchdog process, which restarts JBoss and JBoss-dc services.
- Unblocks device communication after restarting the watchdog process for device load balancing.
You must install the hot patch on Security Director Release 22.1R1 or on any previously installed hot patch. The hot patch installer backs up all the files which are modified or replaced during hot patch installation.
Installation Instructions
Perform the following steps in the CLI of the JBoss-VIP node only:
1. Download the Security Director 22.1R1 Patch vX from the download site.
   Here, X is the hot patch version. For example, v1, v2, and so on.
2. Copy the SD-22.1R1-hotpatch-vX.tgz file to the /home/admin location of the VIP node.
3. Verify the checksum of the hot patch for data integrity:
   md5sum SD-22.1R1-hotpatch-vX.tgz
4. Extract the SD-22.1R1-hotpatch-vX.tgz file:
   tar -zxvf SD-22.1R1-hotpatch-vX.tgz
5. Change the directory to SD-22.1R1-hotpatch-vX:
   cd SD-22.1R1-hotpatch-vX
6. Execute the patchme.sh script from the SD-22.1R1-hotpatch-vX folder:
   sh patchme.sh
   The script detects whether the deployment is a standalone deployment or a cluster deployment and installs the patch accordingly.
   A marker file, /etc/.SD-22.1R1-hotpatch-vX, is created with the list of Red Hat Package Manager (RPM) details in the hot patch.
You must install Junos Space Network Management Platform Release 22.1R1 hot patch V1 before installing Security Director Release 22.1R1 hot patch V1.
We recommend that you install the latest available hot-patch version, which is the cumulative patch.
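The checksum and extraction steps above can be scripted so that the digest is compared against the published value instead of being read by eye, and so that the archive's member paths are checked before it is unpacked. This is an added example, not part of the vendor procedure or of patchme.sh; the function names are hypothetical, and the expected digest is a placeholder that must be copied from the download site.

```shell
#!/bin/sh
# Added example: pre-install checks for the hot patch archive.
# Function names are hypothetical; EXPECTED_MD5 is a placeholder value.

# digest_matches FILE EXPECTED [TOOL]
# Returns 0 only if TOOL's digest of FILE equals EXPECTED (case-insensitive).
# Returns 2 if the file is missing or no digest could be computed.
digest_matches() {
    file=$1; expected=$2; tool=${3:-md5sum}
    [ -f "$file" ] || return 2
    actual=$("$tool" "$file" | awk '{print $1}')
    [ -n "$actual" ] || return 2
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# paths_safe
# Reads archive member names on stdin, one per line. Returns non-zero if any
# name is absolute or contains a ".." component, either of which would let
# extraction write outside the current directory.
paths_safe() {
    awk '
        /^\//              { bad = 1 }
        /(^|\/)\.\.(\/|$)/ { bad = 1 }
        END                { exit bad }
    '
}

# precheck ARCHIVE EXPECTED_MD5
# Runs both checks and stops at the first failure; extract only on success.
precheck() {
    digest_matches "$1" "$2" md5sum ||
        { echo "checksum mismatch or unreadable file: $1" >&2; return 1; }
    members=$(tar -tzf "$1") ||
        { echo "cannot list archive: $1" >&2; return 1; }
    printf '%s\n' "$members" | paths_safe ||
        { echo "unsafe member path in: $1" >&2; return 1; }
    echo "OK: $1"
}

# Usage on the VIP node (values are placeholders):
#   EXPECTED_MD5="<value shown on the download site>"
#   precheck SD-22.1R1-hotpatch-vX.tgz "$EXPECTED_MD5" && tar -zxvf SD-22.1R1-hotpatch-vX.tgz
```

MD5 is no longer collision-resistant, so treat this as a corruption check; if the download site also lists a SHA-256 value, pass sha256sum as the third argument to digest_matches.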
New and Enhanced Features in the Hot Patch
Junos Space Security Director Release 22.1R1 hot patch includes the following enhancements:
- Polymorphic address support in source and destination address for NAT rules: Starting in Security Director Release 22.1R1 hot patch V1, while creating NAT rules for group policies, you can select polymorphic addresses as the source or destination address. The rule points to the default address if the device IP address does not match any of the context values in the polymorphic address. If there is a match, the address corresponding to the context value is considered in the source or destination address of the rule.
  Note: Polymorphic address is not supported for static NAT destination address.
- Support for disabling service offload in Security Director: Starting in Security Director Release 22.1R1 hot patch V1, we’ve provided an option to disable service offload on the Edit Profile page of a rule for standard and unified firewall policies. This feature is supported both on logical systems and tenant systems. You can select from the following options:
  - None: Select to delete the configured service on the device.
  - Enable: Select to enable service offload. When services-offload is enabled, only the first packets of a session go to the Services Processing Unit (SPU). The rest of the packets in services-offload mode do not go to the SPU; therefore, some security features such as stateful screen are not supported. Only TCP and UDP packets can be services offloaded.
  - Disable: Select to disable service offload.
- Support to terminate CLI/J-Web edit mode user session: Starting in Security Director Release 22.1R1 hot patch V1, when you retry an update job on devices that failed because of device lock failures, you can log out the edit mode user who locked the configuration database from the device CLI. Navigate to Monitor > Job Management. Select the job, and then from the More list select Retry on Failed Devices. On the Retry Update Failed Devices page, enable the Evict CLI/J-Web edit mode users option.
Resolved Issues in Hot Patches
Table 1 lists the resolved issues in the Security Director Release 22.1R1 hot patch.
| PR | Description | Hot Patch Version |
|---|---|---|
| | The IPS signature update fails with an error. | V1 |
| | Select and Save functionalities in intrusion prevention system (IPS) policy fail in the firewall rule. | V1 |
| | Search functionality does not work as expected. | V1 |
| | Unable to delete unused address objects from the Security Director application. | V1 |
| | The user is unable to delete unused dynamic objects created as a result of import. | V1 |
| | The logical system device update fails. | V1 |
| | Security Director is unreachable when node 2 is the VIP node. | V1 |
| | Security Director fails to display the latest device configuration in the preview, and displays the following error message: | V1 |
| | Security Director fails to export the filtered search for a rule to .pdf format. | V1 |
| | Unified Threat Management (UTM) custom categories are deleted from SSL proxy profile whitelist. | V1 |
| | Security Director UI is not accessible when fail over occurs due to faulty rpm upgrade. | V1 |
| | Security Director updates an existing address book to SRX series device. | V1 |
| | Unable to push multiple configurations to a device in Junos Space Security Director application. | V1 |
| | Security Director API call fails for NAT policies with 300 rules. | V1 |
| | Security Director alarms fail to show up after upgrading to 22.1R1. | V1 |
| | The changes made to IPS policy in firewall rule are not visible in the GUI. | V1 |
| | References do not work for dynamic address objects in Security Director. | V1 |
| | The user is unable to disable NAT policies on devices. | V1 |
| | When you update policies, re-synchronize the Security Director with the managed device. | V1 |
If the hot patch contains a UI fix, then you must clear the Web browser’s cache to reflect the latest changes.