Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Viewing and Synchronizing Out-of-Band IPS Policy Changes Manually

Starting in Junos Space Security Director Release 19.4R1, when there is an out-of-band IPS policy change in the device, you can see an icon next to the corresponding policy in device-specific and group IPS policies in Security Director. You can manually synchronize the out-of-band changes for a device-specific policy, only when the automatic synchronization is disabled.

When you hover over the icon next to the policy, the tooltip indicates the out-of-band changes.

Note:

For devices running Junos OS Release 18.2 and later, you can synchronize the IPS policy changes from standard or unified firewall policies page. For devices with Junos OS Release 18.1 and earlier, you can synchronize the IPS policy changes from the IPS Policies page.

When a device is discovered in Security Director, the Managed Status is displayed as Managed in the Security Devices page. For manual synchronization of out-of-band policy changes, the managed status of the device must be SD Changed, Device Changed, or In Sync. For this, you must update the device atleast once from Security Director. In case of logical system (LSYS) or tenant system (TSYS), root device may show the status as Device Changed if a policy is assigned to it. Update the root device so that the status is In Sync.

Note:

Out-of-band changes are not supported if more than one policy is assigned to a device or if rules are configured in All Devices Policy Pre/Post policies.

Viewing Out-of-Band IPS Policy Changes

To view out-of-band IPS policy changes:

  1. Select Configure > IPS Policy > Policies.

    The IPS Policies page appears. An icon is displayed for the policies indicating the out-of-band policy changes.

  2. Right-click the policy or select View Device Policy Changes from the More menu.

    The Out of Band Changes page appears.

  3. Click View to view the configuration changes for a device in CLI and XML format.

    The view configuration page for the device is displayed.

    After viewing the changes, you can choose to import or reject the out-of-band changes from the device.

  4. Click OK.
    Note:

    To reject all the out-of-band changes, select Reject all changes option. The icon next to the policy will be cleared and the policy changes from the device will not be imported into Security Director. During the subsequent update from Security Director, the out-of-band changes will be overwritten in the device.

    To import the out-of-band changes to Security Director, see Importing Out-of-Band IPS Policy Changes Manually.

Importing Out-of-Band IPS Policy Changes Manually

To import out-of-band IPS policy changes:

  1. Select Configure > IPS Policy > Policies.

    The IPS Policies page appears. An icon is displayed for the policies indicating the out-of-band policy changes.

  2. Right-click the policy or select View Device Policy Changes from the More menu.

    The Out of Band Changes page appears.

  3. Select Select Changes from Device to accept the out of band IPS policy changes from a device.
  4. Select a device and click OK.
    Note:

    In the case of group policy, you can view all the devices where the policy is associated, but you can select only one device and import the changes. After selecting a device, click Affected Devices to see all the devices where the policy is assigned.

    In case of both, group policy and device specific policy, an icon is seen next to the device(s) indicating the out-of-band changes.

    The Import Device Configuration Changes page appears.

  5. Select the IPS policy and click Next.

    Objects with conflicts are displayed, if any.

  6. Select objects and choose a conflict resolution type. Resolve any conflicts after you verify the information, if needed.
  7. Click Finish.

    A summary of the configuration changes is displayed.

    You can download the summary report as a ZIP file. The summaryreport.zip file contains the complete rules report as a PDF.

  8. Click OK to complete the import process.

    The Job Details page is displayed with status of the import job.

  9. Click OK.

    The policies page is displayed with an icon which indicates that the policy was edited and needs publishing to the device.

  10. Click Publish to publish the changes.

    During the subsequent update from Security Director, the out-of-band changes will be overwritten in the device(s).