Import Security Policies Overview

Juniper Security Director Cloud supports importing policy configurations from next-generation security devices. You can discover the existing policy configuration while onboarding a next-generation security device (non-ZTP).

Juniper Security Director Cloud uses the object name as the unique identifier for an object (such as addresses, services, schedulers, SSL profiles, content security, IPS, and Layer 7 applications). During policy import, all objects supported by Juniper Security Director Cloud are imported, and every object name on the next-generation security device is compared with the object names already in Juniper Security Director Cloud. A conflict occurs when the name of an object to be imported matches an existing object but the value of the object does not match. The object conflict resolution (OCR) operation is triggered to resolve these object name conflicts.

  • If the object name does not exist in Juniper Security Director Cloud, the object is added to Juniper Security Director Cloud.
  • If the object name exists in Juniper Security Director Cloud with the same content, the existing object in Juniper Security Director Cloud is used.
  • If the object name exists in Juniper Security Director Cloud with different content, the object conflict resolution operation is triggered. The following conflict resolution options are available.
    • Rename object
      • This is the default option.
      • By default, the suffix "_1" is appended to the name of the imported object. Alternatively, you can specify a new unique name.
      • Deploying the policy deletes the original object on the device and adds the object with the new name.
      • There is no functional change to the security policy (only the object's label changes).
    • Overwrite with imported value
      • The object in Juniper Security Director Cloud is replaced with the object imported from the device.
      • After the policy deployment, the change is reflected on all other devices that use this object.
      • There is no functional change to the security policy on the device that was imported.
      • There might be a traffic impact on every other device that uses this object the next time that device is updated from Juniper Security Director Cloud, because the value it receives differs from the value it currently has.
    • Keep existing object
      • The object value in Juniper Security Director Cloud is used instead of the value on the next-generation security device.
      • Policy deployment for the imported security policy will show the modification.
      • There might be a traffic impact on this security device, because the object content differs from what the device currently uses.

The following section provides an example of importing policies. It uses Address as the object type and shows how object name conflicts are resolved.

The existing objects in Juniper Security Director Cloud are listed in Table 1.

Table 1: Existing addresses in Juniper Security Director Cloud

  Object Name   Existing Value
  Address 1     198.51.100.10
  Address 2     198.51.100.20
  Address 3     198.51.100.30

The existing objects on the next-generation security device are listed in Table 2.

Table 2: Existing addresses on the next-generation security device

  Object Name   Existing Value
  Address 1     203.0.113.10/32
  Address 2     203.0.113.20/32
  Address 3     203.0.113.30/32

During policy import, OCR is triggered for the three objects whose names exist on both the next-generation security device and Juniper Security Director Cloud but whose values differ. The resolution chosen for each object is listed in Table 3.

Table 3: OCR while importing policies to Juniper Security Director Cloud

  Object Name   Object Type   Existing Value in Juniper Security Director Cloud   Imported Value   Conflict Resolution             New Object Name in Juniper Security Director Cloud
  Address 1     Address       198.51.100.10                                        203.0.113.10     Keep existing object            Address1_1
  Address 2     Address       198.51.100.20                                        203.0.113.20     Overwrite with imported value   Address2_1
  Address 3     Address       198.51.100.30                                        203.0.113.30     Rename object                   Address3_1

The New Object Name column shows the default "_1" name proposed for each conflict; it is applied only when Rename object is selected. For Keep existing object and Overwrite with imported value the existing name is retained, as Table 4 shows.

The object values and the result after resolving conflicts are listed in Table 4.

Table 4: After importing policies to Juniper Security Director Cloud

  Discovered Object Name in Juniper Security Director Cloud   Discovered Value in Juniper Security Director Cloud   Result
  Address 1                                                   198.51.100.10                                         No change
  Address 2                                                   203.0.113.20                                          Content changed
  Address 3                                                   198.51.100.30                                         No change
  Address3_1                                                  203.0.113.30                                          Address3_1 created
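The following Python script is an added illustration, not Juniper code, of the import rules and the three OCR options described above. It replays the Address 1 to Address 3 example from Tables 1 through 4 and adds the check a practitioner wants after choosing Overwrite with imported value: which other devices reference the overwritten object and will pick up the new value on their next update. The device names (srx-branch-1, srx-dc-2, srx-dc-3), the device-to-object reference map, and the treatment of a bare host address as a /32 for comparison are assumptions made for the example.

```python
"""Simulation of object conflict resolution (OCR) during a Juniper Security
Director Cloud policy import. Added illustration only; not Juniper code.
Implements the three name-comparison rules and the three resolution options
from this page and replays the Address 1..3 example (Tables 1-4)."""
import ipaddress

RENAME = "Rename object"
OVERWRITE = "Overwrite with imported value"
KEEP = "Keep existing object"


def same_value(a: str, b: str) -> bool:
    """Compare address values as networks so '203.0.113.10' == '203.0.113.10/32'.
    Assumption: a bare host address is treated as a /32."""
    return ipaddress.ip_network(a, strict=False) == ipaddress.ip_network(b, strict=False)


def resolve_import(cloud, device, resolutions=None, suffix="_1"):
    """Merge the device's address objects into the cloud inventory.

    cloud, device : dict name -> address value
    resolutions   : dict name -> option, or name -> (option, new_name);
                    consulted only for a name that exists with a different
                    value. Unlisted conflicts use the default, RENAME + suffix.
    Returns (updated cloud dict,
             list of (name, value, result) rows like Table 4,
             list of names whose cloud value was overwritten).
    """
    cloud = dict(cloud)
    resolutions = resolutions or {}
    rows, overwritten = [], []
    for name, dev_value in device.items():
        if name not in cloud:                        # rule 1: unknown name -> add
            cloud[name] = dev_value
            rows.append((name, dev_value, f"{name} created"))
            continue
        if same_value(cloud[name], dev_value):       # rule 2: same name, same content
            rows.append((name, cloud[name], "No change"))
            continue
        choice = resolutions.get(name, RENAME)       # rule 3: conflict -> OCR
        option, new_name = choice if isinstance(choice, tuple) else (choice, None)
        if option == KEEP:
            # Cloud value wins; deployment pushes it to the device (possible impact there).
            rows.append((name, cloud[name], "No change"))
        elif option == OVERWRITE:
            cloud[name] = dev_value
            overwritten.append(name)
            rows.append((name, dev_value, "Content changed"))
        elif option == RENAME:
            new_name = new_name or name.replace(" ", "") + suffix   # "Address 3" -> "Address3_1"
            if new_name in cloud:
                raise ValueError(f"new object name {new_name!r} is not unique")
            cloud[new_name] = dev_value
            rows.append((name, cloud[name], "No change"))
            rows.append((new_name, dev_value, f"{new_name} created"))
        else:
            raise ValueError(f"unknown resolution option {option!r}")
    return cloud, rows, overwritten


def devices_to_review(overwritten, device_refs, importing_device):
    """Other devices that reference an overwritten object; they receive the
    new value the next time they are updated from the cloud."""
    hit = set(overwritten)
    return sorted(d for d, names in device_refs.items()
                  if d != importing_device and names & hit)


# Constructed data replaying Tables 1-3 of this page.
CLOUD = {"Address 1": "198.51.100.10", "Address 2": "198.51.100.20", "Address 3": "198.51.100.30"}
DEVICE = {"Address 1": "203.0.113.10/32", "Address 2": "203.0.113.20/32", "Address 3": "203.0.113.30/32"}
RESOLUTIONS = {"Address 1": KEEP, "Address 2": OVERWRITE, "Address 3": (RENAME, "Address3_1")}
# Hypothetical device names and the objects their policies reference (assumption).
DEVICE_REFS = {
    "srx-branch-1": {"Address 1", "Address 2", "Address 3"},   # the device being imported
    "srx-dc-2": {"Address 2"},
    "srx-dc-3": {"Address 1"},
}


def run_example():
    cloud, rows, overwritten = resolve_import(CLOUD, DEVICE, RESOLUTIONS)
    return cloud, rows, devices_to_review(overwritten, DEVICE_REFS, "srx-branch-1")


if __name__ == "__main__":
    cloud, rows, review = run_example()
    for name, value, result in rows:
        print(f"{name:12} {value:18} {result}")
    print("other devices to review before their next update:", review)
```

Running it prints the four rows of Table 4 (with the /32 form of the imported values) and reports srx-dc-2 as the device to review, since it is the only other device that references the overwritten Address 2.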