Known Behaviors and Issues
Known Behaviors
This section lists the known behaviors in Juniper Security Director Release 25.2.2.
-
You might see a tainted status for the Juniper Security Director VM after a reboot or power cycle. The tainted status does not indicate an error. The system logs the tainted status to indicate orchestration progress. Use the show health status command to view a summary of system progress.
-
If you performed operations such as device discovery, uploading an image, or deleting an image before restoring the database, the resources for these operations may be out of sync with the restored database. This is because the resources for these operations are stored directly on the file system, not in the database.
-
For the SRX Series Firewalls that are auto-imported to Juniper Security Director, the default Content Security (also known as UTM) configuration on Juniper Security Director is preferred over the Content Security configuration that is imported from the device.
To prevent conflicts, perform the following steps:
After the devices are auto-imported, go to .
Review and modify the Content Security settings.
Go to , click .
Review and modify the default security configurations with system default profiles.
OR
Go to and disable Auto Import.
Manually import devices to Juniper Security Director.
For any conflicts, overwrite the Juniper Security Director settings with the default Content Security settings.
Note: The Content Security settings are global settings and must be configured after performing auto import or manual import to avoid any conflicts.
-
Juniper Security Director does not support legacy application security policies.
-
Juniper Security Director supports a global address book but it does not support a zone address book.
-
When you import a policy that has rules with unsupported configuration, Juniper Security Director shows information about these rules under Summary on the import wizard. After the import, the rules with unsupported configuration are grayed out and shown with a disabled icon to differentiate system-disabled rules from rules disabled by a user. The rule description also shows the reason for disabling these rules.
You cannot delete, edit, or perform any rule actions on these unsupported rules.
-
Juniper Security Director overwrites user configuration performed directly from the device CLI or from any interface other than the portal.
To avoid conflicts, import the configurations and re-assign the devices from the existing policies.
-
During backup and restore, customer-uploaded Juniper Security Director certificates are not restored from database backups. You’ll need to manually re-upload the certificates. See Update the Certificates for details.
-
When you view the data on the Dashboard and pages, you might face the following behaviors:
-
Some categories may not appear in the Sunburst chart if there is a large value gap between categories—for example, one category is 6000 and another is 5. This is expected behavior.
-
On the Insights page, the Device Group filter only includes data from when a device was added to a group. To view the historical data of devices, select only the Device filter.
-
When you click on the Total Events number in the grid table of the Insights pages, you might notice a discrepancy between the total events displayed there and those shown on the All Security Events page. This difference arises because the All Security Events page presents live data, whereas the Insights pages display aggregated data at discrete intervals.
-
When you view data in the charts for Infected Hosts and Top 5 URL Activity widgets that include timelines, the data may not be correctly sorted based on the selected timeline.
Workaround
Click any event in the Infected Hosts or Top 5 URL Activity widgets. You will be redirected to the All Security Events page, where you can view the specific event time details.
-
When you view data of the third-party DAG feeds on the SecIntel Feeds page, the data might not be complete because the third-party DAG feed might not be enabled even though the toggle switch is enabled.
-
After a failover of an SRX Series Firewall, the Insights page displays data for the currently active device only. To view the logs, select both devices of the cluster.
-
On the Insights page, the bubble chart does not appear for the Users, Events, Volume, or Sessions tabs when the selected metric has a value of zero. Since the bubble chart visualizes data based on non-zero values, no bubbles will be displayed.
-
When you click the number of Rules on the grid table of the Insights pages, a list of rules is displayed on a pane instead of the Security Policies page. This issue doesn't apply to the Insights Applications page.
-
Previously, if you created a remote access VPN without specifying an install interval, the system incorrectly configured the install interval as 0 and added a matching command. This issue is fixed in the latest Juniper Security Director release. After you upgrade to the latest Juniper Security Director release and deploy the previously created remote access VPN, the system displays the delete security ipsec vpn <vpn-name> ike install-interval command, which removes the unwanted configuration. You can set a new install interval value by editing the field. See Create a Remote Access VPN—Juniper Secure Connect for details.
-
When you export log data from page, the exported log data CSV file may fail to open on Windows if the file name (including folder path) is too long.
This is a known limitation in Microsoft Excel and Windows regarding maximum file path length. The issue does not affect Mac systems.
To avoid this error, move the CSV file to a folder with a shorter path before opening it.
Known Issues
This section lists the known issues in Juniper Security Director Release 25.2.2.
-
VM deployment on KVM fails with USB CD-ROM device bus type—When you deploy a VM on KVM, using the USB bus type for the CD-ROM leads to the error: Error mounting CD-ROM: mount: /media/cdrom: special device /dev/sr0 does not exist. This occurs because the USB bus type is unsupported for the CD-ROM, so the mount operation fails. You can use the USB bus type for the virtual disk.
-
Deployment failure on devices—After deploying the VM and onboarding devices to Juniper Security Director, the following discrepancies are observed:
-
On the Juniper Security Director UI, page shows the device management status as Down.
-
On the device (over an SSH session), the output of the show system connections | match 7804 command shows the connection state as ESTABLISHED, which indicates a stale connection.
Due to these discrepancies, the device-bound configurations will not function.
Workaround:
For a successful deployment, log in to the device via SSH or console and run the restart service-deployment command.
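The discrepancy described above (management status Down in Juniper Security Director while the device still holds an ESTABLISHED session on port 7804) can be checked from the device output before deciding to run restart service-deployment. The following is an added example, not Juniper's code: it parses the output of show system connections | match 7804 and returns the sessions that contradict a Down status. The sample output, its addresses and queue sizes are constructed for the example; the column layout follows the Junos netstat-style format, where the port is appended to the address after a dot.

```python
import re

# Added example (not Juniper's code): flag ESTABLISHED sessions on TCP port 7804
# while Juniper Security Director reports the device management status as Down.

SD_PORT = "7804"  # port from the `show system connections | match 7804` check above

# One row of Junos `show system connections` output: proto, Recv-Q, Send-Q,
# local address, foreign address, state. Junos appends the port to the
# address with a dot, e.g. 198.51.100.5.7804.
ROW_RE = re.compile(
    r"^(?P<proto>tcp\S*)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>[A-Z_]+)$"
)

# Constructed sample output (assumption: addresses and queue sizes are made up).
SAMPLE_OUTPUT = """\
tcp4       0      0  192.0.2.10.51234       198.51.100.5.7804      ESTABLISHED
tcp4       0      0  192.0.2.10.51240       198.51.100.5.7804      TIME_WAIT
tcp4       0      0  192.0.2.10.22          203.0.113.7.40022      ESTABLISHED
"""


def split_addr_port(addr):
    """Split 'host.port' on the last dot; works for IPv4, IPv6 and '*' listeners."""
    host, _, port = addr.rpartition(".")
    return host, port


def parse_connections(cli_output):
    """Parse the command output into a list of dicts, skipping lines that are not rows."""
    rows = []
    for line in cli_output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        local_host, local_port = split_addr_port(m.group("local"))
        peer_host, peer_port = split_addr_port(m.group("foreign"))
        rows.append({
            "proto": m.group("proto"),
            "local": local_host, "local_port": local_port,
            "peer": peer_host, "peer_port": peer_port,
            "state": m.group("state"),
        })
    return rows


def stale_sd_sessions(cli_output, sd_mgmt_status):
    """Return sessions on port 7804 that are ESTABLISHED although Juniper
    Security Director reports the device management status as Down."""
    if sd_mgmt_status.strip().lower() != "down":
        return []
    # `match 7804` matches either side, so check both local and peer ports.
    return [
        r for r in parse_connections(cli_output)
        if SD_PORT in (r["local_port"], r["peer_port"]) and r["state"] == "ESTABLISHED"
    ]


if __name__ == "__main__":
    for s in stale_sd_sessions(SAMPLE_OUTPUT, "Down"):
        print(f"stale: {s['local']}:{s['local_port']} -> {s['peer']}:{s['peer_port']} ({s['state']})")
    # Remedy per the workaround above: run `restart service-deployment` on the device.
```

Feed the function the pasted command output together with the management status shown on the Juniper Security Director page; a non-empty result is the stale-connection condition the workaround addresses.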
-
VM snapshot revert error—When you take a snapshot using the option and attempt to revert to a previous VM version using REVERT, the status may indicate that the snapshot reversal is complete. However, powering on the VM can result in an error, causing the snapshot revert to fail.
Workaround:
Log in to vSphere Client.
Right-click the VM, select .
Right-click the VM, select Edit Settings.
Under Virtual Hardware, select the CD/DVD drive's Connect At Power On check box.
Right-click the VM, select .
-
CLI admin password validation during VM deployment—During VM deployment, when you configure Juniper Security Director OVA parameters on the Customize template page, the cliadmin user password field accepts any password with 8 characters. However, during the installation process, the system enforces strict validations and rejects the password that does not meet the specified requirements. This discrepancy may result in installation failure.
Workaround:
Perform the following steps to set the password that complies with the requirements:
In the vSphere client, right-click the VM and select .
Click Yes to confirm and power off the VM.
Right-click the VM, select .
Select CLI_PASSWORD and select SET VALUE.
Enter the password that meets the following requirements:
Must be at least 8 characters long and not more than 32 characters.
Must not be dictionary words.
Must include at least three of the following:
Numbers (0-9)
Uppercase letters (A-Z)
Lowercase letters (a-z)
Special characters (~!@#$%^&*()_-+={}[];:"'<,>.?/|\)
Click OK.
Right-click the VM, select .
Once the VM powers on, navigate to the Summary tab and click LAUNCH WEB CONSOLE to monitor the software bundle installation status.
A successful installation takes approximately 30 minutes. If the installation takes longer, check the web console for errors. You can also SSH to the VM IP address as the CLI admin user and run the show bundle install status command to view the installation status.
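Because the Customize template page accepts any 8-character password while the installer enforces the full rule set, it is worth checking the cliadmin password against the requirements listed above before setting CLI_PASSWORD. The following is an added example, not Juniper's code: it implements the length, dictionary-word and character-class rules exactly as stated. The installer's real word list is not published, so the DICTIONARY_WORDS set is a constructed stand-in, and the letters-only comparison (so that "Password123!" still counts as the word "password") is a stricter heuristic assumed here.

```python
# Added example (not Juniper's code): pre-check a cliadmin password against the
# requirements listed in the workaround above before setting CLI_PASSWORD in vSphere.

# The four character classes named in the requirements. The special-character
# set is copied from the requirement text.
CLASSES = {
    "numbers": set("0123456789"),
    "uppercase": set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
    "lowercase": set("abcdefghijklmnopqrstuvwxyz"),
    "special": set("~!@#$%^&*()_-+={}[];:\"'<,>.?/|\\"),
}

# Constructed stand-in word list (assumption): the installer's real dictionary
# is not published, so extend this set with your own word list.
DICTIONARY_WORDS = {"password", "juniper", "admin", "welcome", "security", "firewall"}


def check_cli_password(password, dictionary=DICTIONARY_WORDS):
    """Return the list of violated requirements; an empty list means the password complies."""
    problems = []

    # Length: at least 8 and at most 32 characters.
    if not 8 <= len(password) <= 32:
        problems.append("length must be between 8 and 32 characters")

    # Dictionary words: reject the password itself and, as a stricter heuristic
    # (assumption), the password with digits and special characters stripped,
    # so that "Password123!" is still treated as the word "password".
    letters_only = "".join(ch for ch in password.lower() if ch in CLASSES["lowercase"])
    if password.lower() in dictionary or letters_only in dictionary:
        problems.append("must not be a dictionary word")

    # Character classes: at least three of the four must be present.
    present = [name for name, chars in CLASSES.items() if any(ch in chars for ch in password)]
    if len(present) < 3:
        found = ", ".join(present) if present else "none"
        problems.append(f"must include at least three character classes (found: {found})")

    return problems


if __name__ == "__main__":
    # Constructed candidates: one compliant, one too short, one dictionary-based,
    # one with a single character class.
    for candidate in ["Xk9#vLq2pT", "short1A", "Password123!", "abcdefghij"]:
        result = check_cli_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Run the check on the intended value before entering it in SET VALUE; any non-empty result is a password the installer would reject, which is the cause of the installation failure described in this item.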
-
New user activation—When you add a user to Juniper Security Director on the page, the user receives an email with a link to set a password and join the organization. The email incorrectly states that the link is valid for 7 days. The actual validity for setting the password is 24 hours. If the user does not set the password within 24 hours, the link expires and shows an invalid request error.
Workaround:
Log in to Juniper Security Director UI.
Go to , select the user to resend the activation link.
Click to resend the activation link.
-
Security log configuration timeout during device discovery—During device discovery, the configure-security-log job might time out or fail after running for a long time. Consequently, the page displays the security log status as Not configured.
Workaround:
Manually configure the security logs. For details, see Configure Security Logs.
-
SMTP server connection error during onboarding—When you log in to the web GUI for customer onboarding, you might encounter an error message after providing valid SMTP server details, enabling SMTP server authentication, and clicking Test SMTP Server. The error might indicate the system cannot connect to the SMTP server and suggests checking your SMTP settings. You can ignore the error message if you’ve provided valid SMTP settings.
-
ICAP profile server deployment issue—When you create an Internet Content Adaptation Protocol (ICAP) profile server with a routing instance, the deployment might fail.
Workaround:
Create the ICAP profile server without the routing instance.
Deploy the ICAP profile server with the security policy.
Add the routing instance in the ICAP profile server after the deployment.
-
ICAP profile server import removes routing instance—When you import an ICAP profile server with a routing instance, the deployment process removes the routing instance from the profile server.
Workaround:
Create the ICAP profile server without the routing instance.
Deploy the ICAP profile server with the security policy.
Add the routing instance in the ICAP profile server after the deployment.
-
Out-of-band connection status issue—The out-of-band connection between the Juniper® Networks SRX Series Firewall and Juniper Security Director doesn't close in the SRX Series Firewall. This issue occurs because the device status in Juniper Security Director changes to DOWN after the connection is closed, but the connection remains active on the SRX Series Firewall.
Workaround:
Restart the outbound SSH service on the SRX Series Firewall to resynchronize the firewall with Juniper Security Director and change the device status to UP:
Log in to the SRX Series Firewall using the CLI.
Run the following command to check the status of the flow session:
show security flow session destination-port 7804
If the flow session is active but Juniper Security Director shows the device status as DOWN or OUT OF SYNC, run the restart service-deployment command to restart the SRX Series Firewall outbound SSH service.
-
Software upgrade limitation for SRX1600 and SRX2300 firewalls—For Juniper Networks® SRX1600 and Juniper Networks® SRX2300 firewalls, Juniper Security Director is unable to upgrade the software image from 23.4R1.9 to any other version.
-
Image installation issue on Juniper Security Director—Installing an image that is available on Juniper Security Director may fail either because the image file could not be copied from Juniper Security Director to the device or because the image upgrade itself failed.
Workaround:
-
For a failure in copying the image file from Juniper Security Director to the device:
Ensure that the device can access the location of the image.
Go to .
Click Upload and select From remote server.
Enter the URL for the remote server where the image is located. You can generate the URL on the product-specific Support page of the Juniper Networks website. See Add an Image for details.
-
For a failure due to the upgrade path: refer to the Junos OS documentation for the supported upgrade path for the specific Junos OS release.
-
When you configure SRX Series Firewalls in the Device Configurations tab, you might face the following issues:
-
Setting: Basic Settings > Management > SNMP
Known issue: If you configure Remote Engine for SNMP, the configuration deployment fails because the Privacy configuration is deployed before the Authentication configuration.
The following error message is displayed:
deploy failed with error:[ErrorSeverity:error,ErrorPath:,ErrorMessage: Authentication should be configured before configuring the privacy ,BadElement:]
Workaround:
Configure the Remote Engine user settings in the following sequence:
- Select the Authentication method while adding a Remote Engine user at SNMP > V3 > USM > Remote Engine > User.
- Deploy the device configuration.
- Select the Privacy setting.
- Deploy the device configuration again.
-
Setting: Network Settings > Interfaces
Known issue: If you configure both the unit number and the VLAN ID as the outer tag for interfaces, the configuration deployment fails.
The following error message is displayed:
error: 'unit' statement cannot be included along with 'vlan-tags-outer' statement
Workaround:
Do not configure both options as the outer tag for interfaces. Select either Vlan_tag_mode or Unit as the outer tag.
-
Setting: Network Settings > Interfaces
Known issue: If you configure Pic Set for interfaces, the configuration deployment fails.
The following error message is displayed:
Segmentation fault (core dumped)
Workaround:
Configure Pic Set only for interfaces of the SRX5400, SRX5600, and SRX5800 SRX Firewalls.
-
Setting: Security Settings > User Firewall > Device Information
Known issue: The existing configuration of onboarded SRX Series Firewalls is not displayed on the User Firewall page because of a mismatch of the Authentication Source field name between the Juniper Security Director GUI and the device CLI.
Workaround:
None
-
Setting: Advanced Settings > Security > GTP > Message IE Profile V2
Known issue: If you don't configure all the mandatory settings for Message IE Profile V2, the configuration is not deployed on the devices even though the Juniper Security Director GUI displays a success message.
Workaround:
Configure all the mandatory settings for Message IE Profile V2. See message-ie-profile-v2 for the mandatory settings.
-
Setting: Advanced Settings > Security > Grouped IE Profile
Known issue: If you don't configure all the mandatory settings while adding a Grouped IE Profile, the configuration is not deployed on the devices even though the Juniper Security Director GUI displays a success message.
Workaround:
Configure all the mandatory settings for Grouped IE Profile. See grouped-ie-profile for the mandatory settings.
-
Setting: Advanced Settings > Protocols > IS-IS Instance
Known issue: If you don't configure all the mandatory settings while adding an IS-IS Instance, the configuration is not deployed on the devices even though the Juniper Security Director GUI displays a success message.
Workaround:
Configure all the mandatory settings for IS-IS Instance. See level (IS-IS Interfaces) for the mandatory settings.
-
Setting: Network Settings > Forwarding Options > Load Balance > Indexed Load Balance
Known issue: If you enable Indexed Load Balance while configuring Load Balance, the configuration is not deployed on the devices even though the Juniper Security Director GUI displays a success message.
The following error message is displayed if you deploy the configuration using the CLI:
Could not retrieve the two-level-multi-next-hop setting
Workaround:
Don't enable Indexed Load Balance. The option is not applicable to SRX Series Firewalls.
-
Setting: Advanced Settings > Chassis > Network Services
Known issue: If you configure ethernet for Network Services, the configuration deployment fails because the option is not applicable to SRX Series Firewalls.
Workaround:
Don't configure ethernet for Network Services in SRX Series Firewalls. The option is not applicable to SRX Series Firewalls.
-
Setting: Advanced Settings > Chassis
Known issue: If you configure Ambient Temperature, the configuration deployment fails because the option is applicable only to specific SRX Series Firewalls.
The following error message is displayed:
:[ErrorSeverity:error,ErrorPath:,ErrorMessage:Invalid trailing data 'C' for numeric value: '40C',BadElement:40C]
Workaround:
Configure Ambient Temperature only on the supported SRX Series Firewalls. See Feature Explorer for the supported models.
-
Setting: Advanced Settings > Protocols > PPP
Known issue: If you configure PPP services for Protocols, the configuration deployment fails because the option is applicable only to specific SRX Series Firewalls.
Workaround:
Configure PPP services for Protocols using the CLI only on SRX4000 and SRX1600 Series Firewalls. See Point-to-Point protocol (PPP) for how to configure PPP using the CLI.
-
Setting: Advanced Settings > Protocols > R2CP
Known issue: If you configure Port any for Client Port Value while configuring the R2CP protocols in the device CLI, the setting changes to Not configured on the Juniper Security Director GUI after you deploy the device configuration.
Workaround:
Configure a specific port for Client Port Value on the Juniper Security Director GUI.
-
Setting: Device Configurations
Known issue: If you configure an onboarded device, the configuration deployment shows as out-of-band changes.
Workaround:
Wait 5 to 10 minutes for the device onboarding process to complete before updating and deploying the device configuration.
-
Setting: Device Configurations
Known issue: If you configure certain device settings, the configuration deployment fails because the settings might be applicable only to specific SRX Series Firewalls. For example:
- Advanced Settings > Services > Hosted-services
- Advanced Settings > Services > Mobile Flow Tap
- Advanced Settings > Services > Network Slicing
Workaround:
Configure the settings applicable to the SRX Series Firewalls. See Feature Explorer for the supported models.
-
Setting: Device Configurations
Known issue: If you deactivate device settings in the SRX Series Firewalls using the CLI, the device configuration deployment might fail when you configure settings on the Device Configurations tab of the Juniper Security Director GUI.
Workaround:
Activate and commit the settings, or delete the settings, using the CLI before configuring the settings using the Juniper Security Director GUI.
-
Security policy import failure due to hidden commands—If hidden commands exist in SRX Series Firewalls, importing and deploying security policies might fail due to version incompatibility. This issue can affect configurations such as Content Security and security policies.
Workaround:
Delete any hidden or undocumented commands from SRX Series Firewalls, re-import the policy configuration to Juniper Security Director, and then deploy the security policy.
-
SMB protocol issue in AAMW profile—Devices running versions before Junos OS 21.1 experience commit failures when using the Server Message Block (SMB) protocol option in the predefined Advanced Anti-Malware (AAMW) profile.
Workaround:
Clone the default AAMW profile and disable the SMB protocol. Use the cloned profile in the Security Policy or global options to ensure successful commits.
-
Clock synchronization upgrade issue—When you upgrade a device to Junos OS 21.1 or later using a software image, you might encounter an error message indicating that in-service software upgrade (ISSU) is not supported for Clock Synchronization (SyncE).
Workaround:
Upgrade the cluster from the CLI using the workaround provided in https://prsearch.juniper.net/problemreport/PR1632810.
-
Log visibility limitations for SRX Series Firewall—You cannot view certain logs in Juniper Security Director for SRX Series Firewalls running Junos OS version 21.4 R3-S3.4 and later. The logs affected include:
-
Web filtering logs
-
RT_FLOW logs
-
Content Security logs
-
NAT pool re-import conflicts—When you re-import a NAT pool that has a preconfigured address object and deploy it using a NAT rule, object conflict resolution (OCR) is detected for the address name field.
-
Peer synchronization in Multinode High Availability—If peer synchronization is enabled for the Multinode High Availability solution, any deployment or configuration change might result in multiple synchronization jobs.
Workaround:
Delete the set system commit peers-synchronize command from the device configuration for the Multinode High Availability solution.
-
Backup and restore limitations—Backup and restore operations in the current release do not support the Junos image, schema, application signatures, and URL categories.
-
Custom server certificate updates—Uploading a new custom Server Certificate in Juniper Security Director does not terminate active user sessions, and requires manual page refreshes for the certificate to take effect.
-
Insights pages error for restricted-role users—Users with custom roles and restricted access to features might encounter an error when navigating to the Insights pages.
-
Threat summary pivot limitations—After upgrading, you may notice that when pivoting from the Threat Summary widget on the Dashboard page, the system displays only zone-based details. It does not display the selected risk level and service details.
Workaround:
To view the required data, go to the Insights page and use View Settings to manually select the required filters.