
Known Behaviors and Issues

Known Behaviors

  • Database restore limitations

    • You can perform the restore operation only on the same node, using the Juniper Security Director CLI command service configdb restore <SCP URL>.

    • If you performed operations such as device discovery, uploading an image, or deleting an image before restoring the database, the resources for these operations may be out of sync with the restored database. This is because the resources related to these operations are stored directly on the file system, not in the database.

  • For the SRX Series Firewalls that are auto-imported to Juniper Security Director, the default Content Security (also known as UTM) configuration on Juniper Security Director is preferred over the Content Security configuration that is imported from the device.

    To prevent conflicts, perform the following steps:

    1. After the devices are auto-imported, go to SRX > Security Subscription > Content Security Settings.

    2. Review and modify the Content Security settings.

    3. Go to SRX > Security Policy > SRX Policy, click Global Options > Default Security Settings.

    4. Review and modify the default security configurations with system default profiles.

    OR

    1. Go to Administration > Organization and disable Auto Import.

    2. Manually import devices to Juniper Security Director.

    3. For any conflicts, overwrite the Juniper Security Director settings with the default Content Security settings.

    Note:

    The Content Security settings are global settings and must be configured after performing auto import or manual import to avoid any conflicts.

  • Juniper Security Director does not support legacy application security policies.

  • Juniper Security Director supports a global address book but it does not support a zone address book.

  • When you import a policy that has rules with unsupported configuration, Juniper Security Director shows information about these rules under Summary in the import wizard. After the import, these rules with unsupported configurations are grayed out and shown with a disabled icon to differentiate system-disabled rules from rules disabled by a user. The rule description also shows the reason for disabling these rules.

    You cannot delete, edit, or perform any rule actions on these unsupported rules.

  • Juniper Security Director overwrites user configuration performed directly from the device CLI or from any interface other than the portal.

    To avoid conflicts, you can import the configurations and re-assign the devices from existing policies.

  • After importing a NAT policy where rules have Proxy ARP configured, you must edit the imported NAT policy to enable Manage Proxy ARP and then deploy the policy.

Known Issues

  • Deployment failure on devices—After deploying the VM and onboarding devices to Juniper Security Director, the following discrepancies are observed:

    • On the Juniper Security Director UI, SRX > Device Management > Devices page shows the device management status as Down.

    • On the device, the output of the CLI command show system connections | match 7804 (run over SSH) shows the connection status as ESTABLISHED, which indicates a stale connection.

    Due to these discrepancies, the device-bound configurations will not function.

    Workaround:

    For a successful deployment, log in to the device via SSH or the console and execute the restart service-deployment command.

  • View association for imported objects—The View Associations field in Shared Services > Objects > Services and Shared Services > Objects > Addresses may not accurately display object associations. This issue can occur when a large number of objects is imported; the field then shows an object as not associated.

  • Report definition cloning issue—If you select an existing report definition from Monitor > Reports > Report Definitions and clone it, the cloned report definition does not show the correct report type for the following report definitions:

    • URLs Visited Per User Report

    • Network Operations Report

    • Top Talkers Report

    Incorrect definition types result in generating reports that lack necessary data, which affects decision-making and analysis.

    Workaround:

    Use the Create button on the Monitor > Reports > Report Definitions page to create new report definitions instead of cloning existing ones.

  • VM snapshot rollback error—When you take a snapshot using the Snapshots > TAKE > SNAPSHOT option and attempt to revert to a previous VM version using REVERT, the status may indicate that the snapshot reversal is complete. However, powering on the VM can result in an error, causing the rollback to fail.

    Workaround:

    1. Log in to the vSphere Client.

    2. Right-click the VM, select Actions > Power > Power Off.

    3. Right-click the VM, select Edit Settings.

    4. Under Virtual Hardware, select the CD/DVD drive's Connect At Power On check box.

    5. Right-click the VM, select Actions > Power > Power On.

    The rolled-back VM should then boot without any issues.

  • CLI admin password validation during VM deployment—During VM deployment, when you configure Juniper Security Director OVA parameters on the Customize template page, the cliadmin user password field accepts any password that has 8 characters. However, during the installation process, the system enforces strict validation and rejects a password that does not meet the specified requirements. This discrepancy may result in installation failure.

    Workaround:

    Perform the following steps to set the password that complies with the requirements:

    1. In the vSphere client, right-click the VM and select Actions > Power > Power Off.

    2. Click Yes to confirm and power off the VM.

    3. Right-click the VM, select Configure > Properties.

    4. Select CLI_PASSWORD and select SET VALUE.

    5. Enter the password that meets the following requirements:

      • Must be at least 8 characters long and not more than 32 characters.

      • Must not be dictionary words.

      • Must include at least three of the following:

        • Numbers (0-9)

        • Uppercase letters (A-Z)

        • Lowercase letters (a-z)

        • Special characters (~!@#$%^&*()_-+={}[];:"'<,>.?/|\)

    6. Click OK.

    7. Right-click the VM, select Actions > Power > Power On.

    8. Once the VM powers on, navigate to the Summary tab and click LAUNCH WEB CONSOLE to monitor the software bundle installation status.

    9. A successful installation requires approximately 30 minutes. If the installation takes longer, check the web console for potential errors. You can also SSH to the VM IP address as the CLI admin user and run the show bundle install status command to view the installation status.
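    Because the Customize template page does not enforce the rules listed in step 5, checking the cliadmin password against them before deployment avoids a failed install. The validator below is an added example, not part of the Juniper documentation or product; the small dictionary word list and the way "dictionary word" is interpreted are assumptions, since the installer's actual word list is not published here.

```python
import re

# Requirements for the cliadmin password as stated in the release notes.
MIN_LEN, MAX_LEN = 8, 32
SPECIALS = set('~!@#$%^&*()_-+={}[];:"\'<,>.?/|\\')

# Constructed stand-in for a dictionary word list (assumption: the installer
# uses its own, larger list; substitute a full word list in practice).
DICTIONARY_WORDS = {"password", "juniper", "welcome", "admin", "security"}


def character_classes(pw: str) -> set:
    """Return the set of the four character classes present in pw."""
    classes = set()
    if any("0" <= c <= "9" for c in pw):
        classes.add("digit")
    if any("A" <= c <= "Z" for c in pw):
        classes.add("upper")
    if any("a" <= c <= "z" for c in pw):
        classes.add("lower")
    if any(c in SPECIALS for c in pw):
        classes.add("special")
    return classes


def validate_cliadmin_password(pw: str) -> list:
    """Return a list of rule violations; an empty list means the password
    satisfies the stated length, complexity and (stand-in) dictionary rules."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if len(character_classes(pw)) < 3:
        problems.append("needs at least three of: digits, uppercase, "
                        "lowercase, special characters")
    # Assumption: a password whose letters alone spell a dictionary word
    # (e.g. "Password1!") counts as a dictionary word, regardless of case.
    letters_only = re.sub(r"[^A-Za-z]", "", pw).lower()
    if letters_only in DICTIONARY_WORDS:
        problems.append("must not be a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("abcdefgh", "Password1!", "Xk7#pq2Lm9"):
        print(candidate, "->", validate_cliadmin_password(candidate) or "OK")
```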

  • New user activation—When you add a user to Juniper Security Director on the Administration > Users & Roles > Users page, the user receives an email with a link to set a password and join the organization. The email incorrectly states that the link is valid for 7 days. The actual validity for setting the password is 24 hours. If the user does not set the password within 24 hours, the link expires and shows an invalid request error.

    Workaround:

    1. Log in to Juniper Security Director UI.

    2. Go to Administration > Users & Roles > Users and select the user for whom you want to resend the activation link.

    3. Click More > Resend activation mail to resend the activation link.

  • Security log configuration timeout during device discovery—During device discovery, the configure-security-log job might time out or fail after running for a long time. Consequently, the SRX > Device Management > Devices > Security Logs Configuration page displays the security log status as Not configured.

    Workaround:

    Manually configure the security logs. For details, see Configure Security Logs.

  • SMTP server connection error during onboarding—When you log in to the web GUI for customer onboarding, you might encounter an error message after providing valid SMTP server details, enabling SMTP server authentication, and clicking Test SMTP Server. The error might indicate the system cannot connect to the SMTP server and suggests checking your SMTP settings. You can ignore the error message if you’ve provided valid SMTP settings.

  • ICAP profile server deployment issue—When you create an Internet Content Adaptation Protocol (ICAP) profile server with a routing instance, the deployment might fail.

    Workaround:

    1. Create the ICAP profile server without the routing instance.

    2. Deploy the ICAP profile server with the security policy.

    3. Add the routing instance in the ICAP profile server after the deployment.

  • ICAP profile server import removes routing instance—When you import an ICAP profile server with a routing instance, the deployment process removes the routing instance from the profile server.

    Workaround:

    1. Create the ICAP profile server without the routing instance.

    2. Deploy the ICAP profile server with the security policy.

    3. Add the routing instance in the ICAP profile server after the deployment.

  • Out-of-band connection status issue—The out-of-band connection between the Juniper® Networks SRX Series Firewall and Juniper Security Director doesn't close in the SRX Series Firewall. This issue occurs because the device status in Juniper Security Director changes to DOWN after the connection is closed, but the connection remains active on the SRX Series Firewall.

    Workaround:

    Restart the outbound SSH service on the SRX Series Firewall. This resynchronizes the SRX Series Firewall with Juniper Security Director and changes the status of the device to UP.

    1. Log in to the SRX Series Firewall using the CLI.

    2. Run the following command to check the status of the flow session: show security flow session destination-port 7804

    3. If the flow session is active but Juniper Security Director shows the device status as DOWN or OUT OF SYNC, execute the restart service-deployment command to restart the SRX Series Firewall outbound SSH service.

  • Software upgrade limitation for SRX1600 and SRX2300 firewalls—For Juniper Networks® SRX1600 and Juniper Networks® SRX2300 firewalls, Juniper Security Director is unable to upgrade the software image from 23.4R1.9 to any other version.

  • Image installation issue on Juniper Security Director—You may encounter failures when installing images available on Juniper Security Director.

    Workaround:

    • Add the images from the SRX > Device Management > Software Images page, and deploy the images for the device.

    • Try executing the CLI command manually on the device.

  • Security policy import failure due to hidden commands—If hidden commands exist in SRX Series Firewalls, importing and deploying security policies might fail due to version incompatibility. This issue can affect configurations such as Content Security and security policies.

    Workaround:

    Delete any hidden or undocumented commands from SRX Series Firewalls, re-import the policy configuration to Juniper Security Director, and then deploy the security policy.

  • SMB protocol issue in AAMW profile—Devices running versions before Junos OS 21.1 experience commit failures when using the Server Message Block (SMB) protocol option in the predefined Advanced Anti-Malware (AAMW) profile.

    Workaround:

    Clone the default AAMW profile and disable the SMB protocol. Use the cloned profile in the Security Policy or global options to ensure successful commits.

  • Clock synchronization upgrade issue—When you upgrade a device to Junos OS 21.1 or later using a software image, you might encounter an error message indicating that in-service software upgrade (ISSU) is not supported for Clock Synchronization (SyncE).

    Workaround:

    Upgrade the cluster from the CLI using the workaround provided in https://prsearch.juniper.net/problemreport/PR1632810.

  • Log visibility limitations for SRX Series Firewall—You cannot view certain logs in Juniper Security Director for SRX Series Firewalls running Junos OS version 21.4 R3-S3.4 and later. The logs affected include:

    • Web filtering logs

    • RT_FLOW logs

    • Content Security logs

  • NAT pool re-import conflicts—When you re-import a NAT pool that has a preconfigured address object and deploy it using a NAT rule, object conflict resolution (OCR) is detected for the address name field.

  • Peer synchronization in Multinode High Availability—If peer synchronization is enabled for the Multinode High Availability solution, any deployment or configuration change might result in multiple synchronization jobs.

    Workaround:

    Delete the set system commit peers-synchronize command from the device configuration for the Multinode High Availability solution.