Frequently Asked Questions

This topic includes frequently asked questions about Juniper Security Director Cloud. To learn more about the product, please see the Juniper Security Director Cloud User Guide.

Why is device discovery not triggered when I add devices manually or through Zero Touch Provisioning?

The device discovery might not be triggered for multiple reasons, for example when the management interface is down, when the Juniper Security Director Cloud FQDN fails to resolve in your network, or when the required ports are closed.

To ensure that the device discovery is successfully triggered, please check the following:

  • The in-band management interface is up and is configured with a route to reach the Juniper Security Director Cloud FQDN.

  • The source IP in the data packet being sent to Juniper Security Director Cloud is correct.

  • The Google DNS or your own DNS is configured in the device to resolve the Juniper Security Director Cloud FQDN and is reachable from the device.

  • The firewall filters are configured correctly.

  • The required ports are open. See the Juniper Security Director Cloud Release Notes for more details.

Why is the device I configured using CLI through the Adopt Device method not discovered?

SRX Series devices configured using CLI might not be discovered for multiple reasons.

To ensure that the device configured using CLI through the Adopt Device method is successfully discovered, do the following:

  • Check that the source IP in the data packet being sent to Juniper Security Director Cloud is correct.

  • Check that the firewall filters are configured correctly.

  • Remove the CLI configuration allowing users to log in without a password. For example, the following CLI configuration in a vSRX Series device deployed on AWS must be removed:

    set groups aws-default system services ssh no-passwords

Why does my device display Not configured as the name?

The device name is displayed as Not configured when the host name of the SRX Series device is not configured. The Adopt Devices method does not provide an option to configure the host name of devices.

Use the HOSTNAME template at SRX > Device Management > Configuration Templates to configure the host name of your device.

The device name is correctly displayed after you configure the host name and deploy the device.

Why does my device display srxXXXXXXXX as the name?

The device name is displayed as srxXXXXXXXX when the host name of the SRX Series device is not configured. The Adopt Devices method does provide an option to configure the host name of devices, and the firewall policies cannot be deployed without the host name.

Use one of the following methods to configure the host name:

  • Use the HOSTNAME template at SRX > Device Management > Configuration Templates to configure the host name of your device.
  • Configure the host name directly on your device using CLI.

The device name is correctly displayed after you configure the host name and deploy the device and firewall policies.

Why does the CA certificate import job fail during the device discovery operation?

The CA certificate import might fail for multiple reasons.

To ensure that the CA certificate is successfully imported, do the following:

  • Ensure the original device configuration is not modified.
  • Ensure that the device does not have a conflicting CA profile or an existing certificate with the sd_cloud_ca certificate name.
  • Ensure that the CLI configuration on the device does not display any Commit warning while committing the CLI mode change or while assigning Ethernet switches to the interfaces.
  • Ensure that the device is not configured in another Organization of Juniper Security Director Cloud.
  • Delete the following security PKI configuration for the digital certificates on the device:
    • set security pki ca-profile sd_cloud_ca ca-identity sd_cloud_ca
    • set security pki ca-profile sd_cloud_ca ca-identity sd_cloud_local
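
The device-side conditions named in this answer and in the Adopt Device and device name answers above (the ssh no-passwords statement, a conflicting sd_cloud_ca CA profile, a missing host name) can be checked before onboarding against a saved copy of the show configuration | display set output. The Python below is an added example, not Juniper code; the function names, finding labels, and sample configuration are constructed for illustration.

```python
"""Pre-adoption audit of a saved Junos 'display set' configuration (added example)."""

# Constructed sample input; interface names and addresses are illustrative only.
SAMPLE_CONFIG = """\
set groups aws-default system services ssh no-passwords
set apply-groups aws-default
set system services ssh root-login deny
set security pki ca-profile sd_cloud_ca ca-identity sd_cloud_ca
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
"""


def normalize(line):
    """Return (group, tokens) for a 'set' line; a 'groups <name>' prefix is split off."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "set":
        return None, []
    tokens = tokens[1:]
    if tokens[0] == "groups" and len(tokens) > 2:
        return tokens[1], tokens[2:]
    return None, tokens


def audit_for_adoption(config_text):
    """List (finding, detail) pairs for the conditions the FAQ names.

    Assumption: statements inside a configuration group are treated like
    top-level statements, whether or not the group is applied.
    """
    findings = []
    has_hostname = False
    for raw in config_text.splitlines():
        line = raw.strip()
        _group, tokens = normalize(line)
        if tokens[:2] == ["system", "host-name"] and len(tokens) == 3:
            has_hostname = True
        elif tokens == ["system", "services", "ssh", "no-passwords"]:
            # Password-less login statement that must be removed before adoption.
            findings.append(("ssh-no-passwords", line))
        elif tokens[:4] == ["security", "pki", "ca-profile", "sd_cloud_ca"]:
            # Existing CA profile that conflicts with the CA certificate import job.
            findings.append(("conflicting-ca-profile", line))
    if not has_hostname:
        findings.append(("hostname-missing", "no 'system host-name' statement found"))
    return findings


if __name__ == "__main__":
    for finding, detail in audit_for_adoption(SAMPLE_CONFIG):
        print(f"{finding}: {detail}")
```
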

Why does the device deletion job fail?

A device can be deleted from the Devices page only if the status of the device is Up or In Sync.

To delete a device whose status is Down or Out of Sync, change the status of the device to Up with the same configuration version, and delete the device.

If you can't change the status of the device to Up, contact JTAC, who will help you delete the device using the API. You can create a service request with JTAC on the Web or by telephone.

For international or direct-dial options in countries without toll-free numbers, see https://support.juniper.net/support/requesting-support/.

Why is the device configuration not deleted even when I delete the Active Directory profile from Juniper Security Director Cloud?

The device configuration might not be deleted if the configuration changes are not committed or the configuration changes have been modified directly on the device.

To manually delete the device configuration, log in to the SRX Series device using CLI in edit mode and commit the following configuration:

    delete services user-identification active-directory-access

Why is the monitoring log analytics data not available in the Dashboard, Event Viewer, and Application Visibility pages?

The log analytics data might not be available if logging is not configured or the logging configuration failed to apply because the required certificates were not deployed during the device discovery.

To verify the log configuration, do the following:

  • Use the device ILP pages to verify that the security log configuration is pushed to the device.
  • Do the following to enable security logging for the device:

    1. Click SRX > Device Management > Devices.
    2. Click Enable Security Logs to open the Enable Security Logs window.
    3. Select the device interface, and click OK to create a Deploy job.

  • Use the following commands to check the status of the deploy-ca-certificate and deploy-ca-local-certificate jobs in Juniper Security Director Cloud:

    CA certificate—show security pki ca-certificate

    Local certificate—show security pki local-certificate

Why does the Enable Security Logs window not display all my devices?

The Enable Security Logs window displays only the devices that are managed by Juniper Security Director Cloud and have the In Sync status. By default, the window also displays a filtered list of only configured devices.

Do the following:

  • Check whether the device status is In Sync. The Enable Security Logs window displays only synchronized devices.
  • If all the devices are synchronized, check whether the device list is filtered. Select All from the Group by dropdown list to view the complete list of devices.
  • If you still do not see the complete device list, resynchronize the device with Juniper Security Director Cloud.

Why is the log analytics data missing even after I installed and configured security logging?

The log analytics data might be missing if the Juniper Security Director Cloud load balancer is not reachable.

To verify that Juniper Security Director Cloud is reachable for security logging over TLS, do the following:

  • Connect to the device using CLI.
  • Use the following command to check whether port 6514 on the device is open: telnet srx.sdcloud.juniperclouds.net 6514
  • Use the following command to check the flow of security session data through port 6514: show security flow session destination-port 6514

    The following is an example of a security session data flow:

  • Ensure that the correct interface is selected for the device in the SecureCRT configuration.
  • Ensure that the security log, security PKI, and SSL services are not deactivated from the device.
  • Ensure that log session-init and session-close are enabled on the firewall rule so that the RT_FLOW logs are generated.
  • If you still cannot see the log analytics data, use the following command to restart the security logging from the device:

    restart security-log gracefully
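
The two configuration checks in the list above (no deactivated security log, security PKI, or SSL services hierarchy, and session-init plus session-close logging on every firewall rule) can be run against a saved show configuration | display set output. The Python below is an added example, not Juniper code; the function name, the services ssl hierarchy path, and the sample configuration (stream name, zones, policy names, addresses) are assumptions constructed for illustration.

```python
"""Audit a saved Junos 'display set' configuration for logging prerequisites (added example)."""
import re
from collections import defaultdict

# Zone-based and global policy statements as they appear in 'display set' output.
POLICY_RE = re.compile(
    r"^set security policies "
    r"(?P<ctx>from-zone \S+ to-zone \S+|global) policy (?P<name>\S+) (?P<rest>.+)$"
)
# Hierarchies the FAQ says must stay active ('services ssl' is an assumed path).
LOGGING_STANZAS = ("security log", "security pki", "services ssl")
REQUIRED_EVENTS = {"session-init", "session-close"}

# Constructed sample input.
SAMPLE_LOGGING_CONFIG = """\
set security log mode stream
set security log stream sd-cloud host 192.0.2.10 port 6514
deactivate security log stream sd-cloud
set security policies from-zone trust to-zone untrust policy allow-web then permit
set security policies from-zone trust to-zone untrust policy allow-web then log session-init
set security policies from-zone trust to-zone untrust policy allow-web then log session-close
set security policies from-zone trust to-zone untrust policy allow-dns then permit
set security policies from-zone trust to-zone untrust policy allow-dns then log session-close
set security policies global policy deny-all then deny
"""


def audit_logging(config_text):
    """Return (deactivated paths, {policy: missing log events})."""
    deactivated = []
    logged = defaultdict(set)
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line.startswith("deactivate "):
            path = line[len("deactivate "):]
            # Flag the hierarchy itself or anything below it.
            if any(path == s or path.startswith(s + " ") for s in LOGGING_STANZAS):
                deactivated.append(path)
            continue
        match = POLICY_RE.match(line)
        if match:
            key = f"{match['ctx']} policy {match['name']}"
            events = logged[key]  # registers the policy even if it never logs
            if match["rest"].startswith("then log "):
                events.add(match["rest"].split()[2])
    missing = {
        policy: sorted(REQUIRED_EVENTS - events)
        for policy, events in logged.items()
        if not REQUIRED_EVENTS <= events
    }
    return deactivated, missing


if __name__ == "__main__":
    inactive, unlogged = audit_logging(SAMPLE_LOGGING_CONFIG)
    for path in inactive:
        print(f"deactivated: {path}")
    for policy, events in unlogged.items():
        print(f"{policy}: missing log {', '.join(events)}")
```
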

Why did the deployment of my device fail with the Statement Creation Failed message?

The device deployment can fail for multiple reasons, for example when the device configuration is not synchronized with Juniper Security Director Cloud.

To ensure a successful device deployment, do the following:

  • If the configuration was changed directly on the device and not synchronized with Juniper Security Director Cloud, resynchronize the device.
  • If multiple policies assigned to the device contain similar rules, remove the rules with identical names.

Why are the Save and Close buttons not displayed on the IPS policy rule window?

When you do not save the IPS policy rule and select No to navigate away from the window, the Save (✓) and Close (x) buttons might not be visible.

To ensure that the Save (✓) and Close (x) buttons are always visible, close the left navigation pane by clicking the Close (x) button.

Why is the default configuration of IPS, UTM, and SSL profiles not imported during the auto import operation?

The global settings of firewall policies are applied at the tenant level. Modifications to these settings impact all the device policies that have firewall rules enabled with IPS, UTM, and SSL profiles, so the default conflict resolution option is set to Keep Existing to prevent conflicts during the auto import operation. The default Keep Existing setting of the OCR action might prevent the import of the default configuration of IPS, UTM, SSL profiles during the auto import operation of device configuration.

To ensure that the default configuration of IPS, UTM, and SSL profiles is successfully imported during the auto import operation, do one of the following:

  • Change the OCR action in the default IPS, UTM, and SSL profiles using the global settings to Overwrite with the Imported value and deploy the policies again.
  • Manually import the device configuration. The manual import operation triggers a conflict resolution option where you can change the OCR action to Overwrite with the Imported value.

Why does my device deployment fail with the 'No matching members found. Group is empty.' message after I configured the dynamic IPS signature group?

The device deployment fails after configuring the dynamic IPS signature group when none of the available IPS signatures match the filter criteria.

To ensure a successful device deployment, do the following:

  • Ensure that the IPS signatures are downloaded in the device.
  • Use the Preview Filtered Signatures at the bottom of the page to check the filters in the dynamic IPS signature group and ensure that the filter criteria match the available IPS signatures.

Why does the SSL proxy profile deployment on the device fail?

There are multiple reasons for the SSL proxy profile deployment failure.

To ensure a successful SSL proxy profile deployment, before deploying the profile, do the following to check whether the root certificate and trusted CA certificate selected in Juniper Security Director Cloud are imported in the device:

  • View the certificates on Juniper Security Director Cloud.

    1. Click SRX > Device Management > Devices.
    2. Click the device to open the device page.
    3. Click Inventory > Certificates.
  • View the certificates on the device.

    1. Connect to the device using CLI.
    2. Use the following CLI command to view the root certificate on the device: show security pki local-certificate
    3. Use the following CLI command to view the trusted CA certificate on the device:

      show security pki ca-certificate

Why does the UTM profile deployment on my device fail?

There are multiple reasons for the UTM profile deployment failure, for example when the UTM license is not installed.

To ensure a successful UTM profile deployment, do the following:

  1. Connect to the device using CLI.
  2. Use the following command to check whether the UTM license is installed on the device:

    show system license detail
  3. Use the following command to check whether the traffic is passing through the policy that is configured with the UTM profile:

    show security policies hit-count
  4. Use the following command to check the hit statistics of UTM objects, such as Webfiltering, Antivirus, Antispam, and contentfiltering. The statistics help to determine the allowlist, blocklist, customcategory, virus, and spammail hits:

    show security <utm-objects> statistics

Why are applications not listed in the Application Signatures page?

The application signatures must be downloaded in Juniper Security Director Cloud. The SRE administrators will download the signatures when new signature versions are available.

Why do the image management jobs fail?

The image management jobs, such as stage, deploy, and upgrade, might fail when the network download speed to Juniper Security Director Cloud is lower than 500Kbps.

Use the Images page at the Organization level to add images and to perform other image management operations.

Why does the IPS, UTM, Application Signature bundle installation on my device fail?

The IPS, UTM, Application Signature bundle installation might fail when the network download speed to Juniper Security Director Cloud is lower than 500Kbps.

  • Try the IPS, UTM, Application Signature bundle installation again after some time.
  • If the signature installation still fails, connect to the device using CLI, and use the following command to manually install the signature:

    request security utm web-filtering category download-install

Why does the URL category installation to my device fail with the No category file found message?

The URL category installation to a device might fail because of issues with DNS resolution.

To ensure a successful installation of the URL category, use the following predefined or default path for the installation: http://update.juniper-updates.net/EWF/

Why do I get an invalid request message when I click the account activation link sent in the email?

The invalid request message is displayed because the activation link expires 24 hours after the email is sent.

If you do not activate your Juniper Security Director Cloud account within 24 hours, Juniper Security Director Cloud purges the users who created an organization on the portal but did not activate their accounts.

Where can I see the user activity logs?

The user activity logs are available at Administration > Audit Logs.

Why did the user I created in an existing organization not receive the activation email?

The user might not receive the activation email when emails from Juniper Security Director Cloud are blocked by the user's organization network.

To ensure that users in your organization receive the activation email, verify that the Juniper Security Director Cloud emails are not blocked by your organization network.

Why is the license I installed not immediately visible?

The installed licenses are only visible after you resynchronize the device.

To ensure that the installed license is immediately visible, resynchronize the device with Juniper Security Director Cloud.

Why is the local certificate I imported not immediately visible?

The installed certificates are only visible after you resynchronize the device.

To ensure that the imported local certificate is immediately visible, resynchronize the device with Juniper Security Director Cloud.

Why is the image upgrade job very slow?

The image upgrade job might be slow if you use Junos images in Juniper Security Director Cloud because the images are copied to the device for the upgrade job. The time taken depends on the bandwidth capacity of the network connection between Juniper Security Director Cloud and the device.

To ensure quick upgrade jobs of Junos images, create a download Junos image URL from support.juniper.net and use the URL to upgrade the images.

How can I create multiple users for my organization?

You can create multiple users with different roles for your organization as an Organization Administrator at Administration > Users & Roles.

Why does the Top Unstable Tunnels section of the IPsec VPN monitoring page not list some tunnels that are down?

The Top Unstable Tunnels section displays the filtered list of the tunnels that are down based on the selected time span. If a tunnel is not included in the list, the tunnel might be down for longer than the selected time span.

To display a complete list of the tunnels that are down, select a longer time span in the Top Unstable Tunnels section.

Why are some devices imported as extranet devices while importing IPsec VPNs?

There are multiple reasons why devices might be imported as extranet devices along with the imported IPsec VPNs.

To ensure that all devices are imported correctly with the imported IPsec VPNs, check the following:

  • All relevant devices were selected while importing the IPsec VPN.
  • There is no mismatch in the configuration of the device profile in Juniper Security Director Cloud and on the device.
  • Juniper Security Director Cloud supports the device topology.

Why does the Import VPNs page not display my device while importing IPsec VPNs?

The Import VPNs page displays only devices with the Up and In Sync status.

To ensure that the Import VPNs page displays all your devices, ensure that the devices are in the Up and In Sync status.

Why does the IPsec VPN monitoring page not display my VPN?

The IPsec VPN monitoring does not support the following VPNs:

  • Hub-and-Spoke Auto Discovery VPN
  • Remote Access VPN—Juniper Secure Connect
  • Auto VPNs

To verify why the IPsec VPN monitoring page does not display your VPN, check whether the VPN type is supported for monitoring.

Why does the Tunnels Status section of the IPsec VPN monitoring page not display some VPNs?

There are multiple reasons why the status of some VPNs is not displayed in the Tunnels Status section of the IPsec VPN monitoring page.

To ensure that the Tunnels Status section displays the status of all your VPNs, check that:

  • Subscriptions are associated with all your devices
  • VPNs are deployed on all devices.
  • The status of all devices is Up and In Sync.

Why does the Tunnels Status section of the IPsec VPN monitoring page display the Up status of a VPN that is down?

The Tunnels Status section of the IPsec VPN monitoring page displays the status of the VPN tunnels based on a status poll conducted at regular intervals, so if the status of a VPN tunnel is incorrect, the tunnel might have failed after the poll was conducted.

To verify that the correct status of all the VPN tunnels is displayed, wait for the poll to be conducted. The status poll is conducted every 10 minutes by default.

Why does the Device Health Status column on the Devices page display the Unknown status for my SRX Series device?

The Device Health Status column on the Devices page displays the status of only devices with subscriptions.

To ensure that the Device Health Status column displays the correct status of your SRX Series device, assign a trial or a paid subscription to the device. The correct device status is displayed a few minutes after associating subscriptions.

Why does the Device Health Status column on the Devices page display the No data available status for my SRX Series device?

The Device Health Status column on the Devices page displays the status of only devices with subscriptions.

To ensure that the Device Health Status column displays the correct status of your SRX Series device, assign a trial or a paid subscription to the device. The correct device status is displayed a few minutes after associating subscriptions.

How frequently is the status of SRX Series devices updated in the Device Health Status column on the Devices page?

The Device Health Status column on the Devices page is updated every 15 minutes. Juniper Security Director Cloud polls all SRX Series devices with subscriptions in an organization for the CPU, memory usage, and storage usage data.

How do I check the chassis details of my SRX Series device?

The chassis details are displayed on the device-specific page.

To view the chassis details of your SRX Series device, do the following:

  1. Click SRX > Device Management > Devices to open the Devices page.
  2. Click the device name in the Host Name column to open the device-specific page that displays the details of the device.

How do I check the bandwidth speed of my SRX Series device?

The bandwidth speed is displayed on the device-specific page.

To view the bandwidth speed of your SRX Series device, do the following:

  1. Click SRX > Device Management > Devices to open the Devices page.
  2. Click the device name in the Host Name column to open the device-specific page that displays the details of the device.
  3. Click the Inventory > Interfaces tab that displays the bandwidth speed in the Speed column.

How much storage space does Juniper Security Director Cloud provide?

Juniper Security Director Cloud provides the following storage space to users:

  • Trial subscription—10GB free storage space with a maximum limit of 5 devices.
  • Paid subscription—10GB free storage space for each device based on device subscription entitlements with an option to purchase multiple storage subscriptions worth 1TB each. For example, if you purchase 10 storage subscriptions, you get 10TB storage space.

What is the minimum bandwidth required for working in Juniper Security Director Cloud?

There is no specific minimum bandwidth required to work in Juniper Security Director Cloud.

The bandwidth requirement varies based on the tasks performed and the processes in progress. For example, processes such as device synchronization depend on the device configuration and the number of session logs sent over the syslog channel. However, some processes, such as Signature bundle installation and image management, require a minimum bandwidth of 500Kbps.