Migrate Policy Enforcer Release 23.1R1 to Policy Enforcer Release 24.1R1.

Starting in Junos Space Security Director Release 24.1R1, you cannot use standalone Policy Enforcer. You'll need to migrate to Policy Enforcer running on Security Director Insights 24.1R1.

You must migrate the standalone Policy Enforcer Release 23.1R1 data to Security Director Insights 24.1R1.

The Policy Enforcer migration procedure is based on the existing backup and restore functionality.

Note:

Before migrating Standalone Policy Enforcer to Security Director Insights Policy Enforcer, you must first upgrade from Junos Space Network Management Platform 23.1R1 or Security Director 23.1R1 to Junos Space Network Management Platform 24.1R1 or Security Director 24.1R1 respectively.

For more details on the upgrade procedure, see Upgrade to Junos Space Network Management Platform Release 24.1R1.

To migrate Standalone Policy Enforcer to Security Director Insights Policy Enforcer:

  1. Take a backup of the changes in Security Director Release 23.1R1 and store it on a remote server. Follow the instructions in Policy Enforcer Backup and Restore.

    Before initiating the backup, you must upgrade Standalone Policy Enforcer Release 23.1R1 V2 or Security Director Insights Policy Enforcer to the latest hot patch version available.

  2. Shut down the Policy Enforcer from which the backup was taken.
  3. Add Security Director Insights 24.1 Policy Enforcer to Security Director.
  4. Initiate the restore process as shown in Figure 1.
    Figure 1: Backup and Restore (image: list of backups with name, description, IP address, directory, host name, and date; Backup, Manual Restore, and Restore options; warning dialog stating that restoring puts Policy Enforcer in maintenance mode, losing all data, with Cancel and Restore options)
  5. When the restore process is complete as shown in Figure 2, re-add Policy Enforcer.
    Figure 2: Restore Status (image: job management interface showing completed restore job ID 393537 with 100 percent success)
  6. Go to Administration > Policy Enforcer > Settings, enter the required details in the Settings window, and click OK. See Figure 3 for more details.
    Figure 3: Re-add Policy Enforcer (image: Policy Enforcer settings page showing status, configuration fields, options for certificate-based authentication, ATP Cloud, and polling timers, and action buttons)
  7. After Policy Enforcer is configured, a prompt asks you to confirm whether you want to set up the Threat Policies in a guided setup, as shown in Figure 4. Click OK but ignore the guided setup for Threat Policies, as it is redundant.
    Figure 4: Threat Policy Prevention (image: settings page with fields for IP address, username, and password, and options for certificate authentication and ATP Cloud/JATP configuration; pop-up message asking whether to set up Threat Policies in Guided Setup, with Cancel and OK options)
  8. Navigate to Configure > Threat Prevention > Feed Sources and re-add the realm and assign a site to the realm. This is to sync the feed and device with the realm and Policy Enforcer.
  9. Make sure the realm syncs after some time and the feed status is OK, as shown in Figure 5.
    Figure 5: Feed Sources (image: Feed Sources page, ATP Cloud tab, showing realm bagelman, site Site1, device vmx200-1 at spoke, location North America, enrollment status SUCCESS, token expiry May 24 2025, feed status OK, last downloaded May 24 2024)
  10. Ensure that the security intelligence URL and the IP address are displayed for the device. Here is an example:
  11. Navigate to Secure Fabric > Sites and verify that the Feed Source Status shows Success. For more details, see Figure 6.
    Figure 6: Secure Fabric (image: list of sites with columns for Tenant, Enforcement Points, IP, Model, Feed Source, and Feed Source Status; one site shows Success with a warning icon in Feed Source Status)
  12. Navigate to Configure > Threat Prevention > Policies > Threat Prevention Policies and verify the status of the policy recovered from backup. For details, see Figure 7.
    Figure 7: Threat Prevention Policies (image: list of Threat Prevention Policies with their configurations, statuses, and actions such as edit or delete)
  13. Click Update required under the status tab for Threat Prevention Policies and proceed with the update.
    Older policies are replaced by the newer ones, as shown in Figure 8.
    Figure 8: Policy Change List (image: View Change List dialog showing no policies before or after Device Specific Policies; 1 rule added and 1 deleted for vSRX-23.2R1.13 in the Global domain)
  14. Go to Configure > Shared Objects > Geo IP, perform the Geo IP analysis, and update the generated policies to the device. For details, see Figure 9.
    Figure 9: Geo IP (images: Geo IP settings page with columns for Name, Blocked Countries, Status, Group, and Description; Rule Analysis dialog at 20 percent progress on snapshot; View Change List dialog showing one device-specific policy named 10.204.241.163_copy_2 with one rule added for vSRX-23.2R1.13 in the Global domain, with Cancel and Update options)
  15. Go to Administration > Policy Enforcer > Connectors as shown in Figure 10.
    Figure 10: Connectors (image: Connectors page listing AWS as active with IP aws.amazon.com and Azure as inactive with IP management.azure.com, with options to add connectors)
    The status of the connector shows Inactive by default.
  16. Modify or delete and re-add the failed connectors to make them active.
    If you re-add the connector by editing the existing connector, you must perform the following:
    • Re-add the credentials and the PEM file.

    • Ensure that you have selected the other values for tags correctly.

    Migration of Standalone Policy Enforcer to Security Director Insights Policy Enforcer is complete.
    Note:

    The migrated custom feed may take approximately 10 minutes to sync because of internal activities involved in schema versioning and manifest generation, which are needed for the feeds to be available for consumption by SRX devices. The time consumed depends on the feed type and feed volume.