Import Security Policies Overview
Juniper Security Director Cloud supports importing policy configurations from next-generation security devices. You can discover the existing policy configuration while onboarding a next-generation security device (non-ZTP).
Juniper Security Director Cloud uses the object name as the unique identifier for an object (such as addresses, services, schedulers, SSL profiles, content security, IPS, and Layer 7 applications). During policy import, all objects supported by Juniper Security Director Cloud are imported, and each object name is compared between what is in Juniper Security Director Cloud and what is on the next-generation security device. A conflict occurs when the name of an object to be imported matches an existing object but the value of the object does not. The object conflict resolution (OCR) operation is triggered to resolve such object name conflicts.
- If the object name does not exist in Juniper Security Director Cloud, the object is added to Juniper Security Director Cloud.
- If the object name exists in Juniper Security Director Cloud with the same content, the existing object in Juniper Security Director Cloud is used.
- If the object name exists in Juniper Security Director Cloud with different content, the object conflict resolution operation is triggered. The following conflict resolution options are available.
  - Rename object
    - This is the default option.
    - By default, the suffix "_1" is added to the object name. Alternatively, you can specify a new unique name.
    - Deploying the policy will delete the original object and add the object with the new name.
    - There is no functional change to the security policy (labels only).
  - Overwrite with imported value
    - The object in Juniper Security Director Cloud is replaced with the object from the import operation.
    - The change will be reflected on all other devices that use this object after the policy deployment.
    - There is no functional change to the security policy.
    - There might be a traffic impact on all other devices that use this object the next time each of those devices is updated from Juniper Security Director Cloud.
  - Keep existing object
    - The object in Juniper Security Director Cloud is used instead of the one on the next-generation security device.
    - Policy deployment for the imported security policy will show the modification.
    - There might be a traffic impact on this security policy because the object content differs.
The following section provides an example of importing policies. It uses Address as the object type and shows how the object name conflicts are resolved.
The existing objects in Juniper Security Director Cloud are listed in Table 1.
| Object Name | Existing Value |
|---|---|
| Address 1 | 198.51.100.10 |
| Address 2 | 198.51.100.20 |
| Address 3 | 198.51.100.30 |
The existing objects on the next-generation security device are listed in Table 2.
| Object Name | Existing Value |
|---|---|
| Address 1 | 203.0.113.10/32 |
| Address 2 | 203.0.113.20/32 |
| Address 3 | 203.0.113.30/32 |
During policy import, OCR is triggered to resolve the object conflicts between the next-generation security device and Juniper Security Director Cloud. The resolution chosen for each object is listed in Table 3.
| Object Name in Juniper Security Director Cloud | Object Type in Juniper Security Director Cloud | Existing Value in Juniper Security Director Cloud | Imported Value to Juniper Security Director Cloud | Conflict Resolution | New Object Name in Juniper Security Director Cloud |
|---|---|---|---|---|---|
| Address 1 | Address | 198.51.100.10 | 203.0.113.10 | Keep existing object | Address1_1 |
| Address 2 | Address | 198.51.100.20 | 203.0.113.20 | Overwrite with imported value | Address2_1 |
| Address 3 | Address | 198.51.100.30 | 203.0.113.30 | Rename object | Address3_1 |
The object values and the result after resolving conflicts are listed in Table 4.
| Discovered Object Name in Juniper Security Director Cloud | Discovered Value in Juniper Security Director Cloud | Result |
|---|---|---|
| Address 1 | 198.51.100.10 | No change |
| Address 2 | 203.0.113.20 | Content changed |
| Address 3 | 198.51.100.30 | No change |
| Address3_1 | 203.0.113.30 | Address3_1 created |
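As an added illustration (not Juniper code), the following Python models the three import rules and the OCR options described above and replays the Table 1, Table 2 and Table 3 inputs to reproduce the Table 4 results. The /32 normalization when comparing content, the default rename form "Address3_1", the `new_names` parameter and the extra "Address 4" object are assumptions of this model, not something the page states.

```python
import ipaddress

# The three conflict resolution options named above; "Rename object" is the default.
RENAME, OVERWRITE, KEEP = "Rename object", "Overwrite with imported value", "Keep existing object"

def normalize(value: str) -> str:
    # Assumption: a bare host address and its /32 prefix are the same content.
    try:
        return str(ipaddress.ip_network(value, strict=False))
    except ValueError:
        return value.strip()

def default_rename(name: str) -> str:
    # Default suffix "_1"; Table 3 shows "Address 3" becoming "Address3_1".
    return name.replace(" ", "") + "_1"

def import_objects(cloud: dict, device: dict, resolutions: dict, new_names=None):
    """Merge device objects into the cloud inventory by object name. resolutions maps a
    conflicting name to an option, new_names a user-chosen unique name for RENAME."""
    merged, rows = dict(cloud), []
    new_names = new_names or {}
    for name, value in device.items():
        if name not in merged:                             # name unknown: add it
            merged[name] = value
            rows.append((name, value, "Added"))
        elif normalize(merged[name]) == normalize(value):  # same content: reuse existing
            rows.append((name, merged[name], "No change"))
        else:                                              # same name, different content: OCR
            option = resolutions.get(name, RENAME)
            if option == KEEP:
                rows.append((name, merged[name], "No change"))
            elif option == OVERWRITE:
                merged[name] = value
                rows.append((name, value, "Content changed"))
            else:                                          # RENAME (the default option)
                new = new_names.get(name) or default_rename(name)
                if new in merged:
                    raise ValueError(f"rename target {new!r} is not unique")
                merged[new] = value
                rows.append((name, merged[name], "No change"))
                rows.append((new, value, f"{new} created"))
    return merged, rows

# Constructed inventories: Table 1, Table 2 and the Table 3 choices, plus an extra
# "Address 4" (not on the page) whose /32 form matches once normalized.
CLOUD = {"Address 1": "198.51.100.10", "Address 2": "198.51.100.20",
         "Address 3": "198.51.100.30", "Address 4": "198.51.100.40"}
DEVICE = {"Address 1": "203.0.113.10/32", "Address 2": "203.0.113.20/32",
          "Address 3": "203.0.113.30/32", "Address 4": "198.51.100.40/32"}
CHOICES = {"Address 1": KEEP, "Address 2": OVERWRITE, "Address 3": RENAME}
```

Calling `import_objects(CLOUD, DEVICE, CHOICES)` yields the four Table 4 rows (with the device's /32 notation kept for the overwritten and created values) followed by a "No change" row for Address 4.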