Known Behaviors and Issues

Known Behaviors

This section lists the known behaviors in Juniper Security Director Release 25.4.1.

When you sign in with a custom role that includes onlylog access, the Monitor page displays only the Infected Hosts chart. This is expected because the infected host information is derived solely from logs—data that the role permits.

All other widgets on the Monitor page remain empty because they rely on additional data sources and permissions.
When you enable the database backup on the Admin > Data Management page, the following information is not included in the backup:
- Logs
- Generated reports
- Global search results
- Software images and packages uploaded from local drives
- Historical device configurations
When you roll back a standalone device or a single node from an L2 cluster, the rollback job completes successfully. However, the landing page might not immediately show the updated OS version. The OS version remains unchanged until you manually resynchronize the device.

Workaround

Steps to manually resynchronize the device:
1. Select Inventory > Devices.
2. Select the device to resynchronize, and click More > Resynchronize with Network.
  
  A job is created for the resynchronization process and the details are displayed on the top of the page. Click Admin > Jobs to view the job.
After the Juniper Security Director upgrade:
- The Insights and Dashboard pages display the top Screens data separately.
- This view includes only data sent after the upgrade and does not show older data (sent before the upgrade) from the past month.
- When you click Total Events on the Insights page, the All Security Events page might show a higher event count because it includes both older (before upgrade) and newer (after upgrade) Screens data.
After the Juniper Security Director upgrade:
- The Insights and Dashboard pages display the top IDP data separately.
- This view includes only data sent after the upgrade and does not show older data (sent before the upgrade) from the past month.
- When you click Total Events on the Insights page, the All Security Events page might show a higher event count because it includes both older (before upgrade) and newer (after upgrade) IDP data.
You might see a tainted status for the Juniper Security Director VM after a reboot or power cycle. The tainted status does not indicate an error. The system logs the tainted status to indicate orchestration progress. Use the show health status command to view a summary of system progress.
Before restoring the database, if you've performed operations such as device discovery, uploading an image, or deleting an image, the resources for these operations might be out of sync with the restored database. This is because, the resources related to these operations are directly stored on to the file system.
For the SRX Series Firewalls that are auto-imported to Juniper Security Director, the default Content Security (also known as UTM) configuration on Juniper Security Director is preferred over the Content Security configuration that is imported from the device.

To prevent conflicts, perform the following steps:
1. After the devices are auto-imported, go to Security > Security Services > Content Security Settings.
2. Review and modify the Content Security settings.
3. Go to Security > SRX Policy, click Global Options > Default Security Settings.
4. Review and modify the default security configurations with system default profiles.
OR
1. Go to Admin > Organization and disable Auto Import.
2. Manually import devices to Juniper Security Director.
3. For any conflicts, overwrite the Juniper Security Director settings with the default Content Security settings.
Note:
The Content Security settings are global settings and must be configured after performing auto import or manual import to avoid any conflicts.
Juniper Security Director doesn't support legacy application security policies.
Juniper Security Director supports a global address book but it does not support a zone address book.
When you import a policy that has rules with unsupported configuration, Juniper Security Director shows information about these rules under Summary on the import wizard. After importing, these rules with unsupported configurations are grayed out and shown with a disabled icon to differentiate between system-disabled rules and a rule disabled by user. The Rule description also shows the reason for disabling these rules.

You cannot delete, edit, or perform any rule actions on these unsupported rules.
Juniper Security Director overwrites the user configuration performed directly from the device CLI or any other interface other than the portal.

To avoid conflicts, you can import the configurations and re-assign the devices from existing policies.
During backup and restore, customer-uploaded Juniper Security Director certificates are not restored from database backups. You’ll need to manually re-upload the certificates. See Update the Certificates for details.
When you view the data on the Dashboard and Intelligence > Insights pages, you might face the following behaviors:
- Some categories might not appear in the Sunburst chart if there is a large value gap between categories—for example, one category is 6000 and another is 5. This is expected behavior.
- On the Insights page, the Device Group filter only includes data from when a device was added to a group. To view the historical data of devices, select only the Device filter.
- When you click the Total Events number in the grid table of the Insights pages, you might notice a discrepancy between the total events displayed there and those shown on the All Security Events page. This difference arises because the All Security Events page presents live data, whereas the Insights pages display aggregated data at discrete intervals.
- When you view data in the charts for Infected Hosts and Top 5 URL Activity widgets that include timelines, the data might not be correctly sorted based on the selected timeline.
  
  Workaround
  
  Click any event in the Infected Hosts or Top 5 URL Activity widgets. You will be redirected to the All Security Events page, where you can view the specific event time details.
- When you view data of the third-party DAG feeds on the SecIntel Feeds page, the data might not be complete because the third-party DAG feed might not be enabled even though the toggle switch is enabled.
- When you failover an SRX Series Firewall, the data on the Insights page displays data for current active devices only. To view the logs, we recommend to choose both the devices of a cluster.
- On the Insights page, the bubble chart does not appear for the Users, Events, Volume, or Sessions tabs when the selected metric has a value of zero. Since the bubble chart visualizes data based on nonzero values, no bubbles will be displayed.
- When you click the number of Rules on the grid table of the Insights pages, a list of rules is displayed on a pane instead of the Security Policies page. This issue doesn't apply to the Insights Applications page.
When you export log data from Admin > Data Management page, the exported log data CSV file might fail to open on Windows if the filename (including folder path) is too long.

This is a known limitation in Microsoft Excel and Windows regarding maximum file path length. The issue does not affect Mac systems.

To avoid such error, move the CSV file to a folder with a shorter path before opening it.

Known Issues

This section lists the known issues in Juniper Security Director Release 25.4.1.

Device synchronization may fail after restoring a database backup (rare condition)—In rare cases, restoring a database backup to a newly deployed system that uses the same management IP address and hostname (FQDN) as the original instance may result in device configurations not automatically resynchronizing.

This issue is relevant only if, after a restore, the Inventory Status or Device Config Status for a device still shows Unknown on the Inventory > Devices page. Under normal circumstances, devices automatically resynchronize their configurations from the network.

Workaround

If a device remains in Unknown or Out of Sync state after the restore, manually resynchronize the device:
1. Select Inventory > Devices.
2. Select the affected device, and click More > Resynchronize with Network.
A job is created for the resynchronization process, and the details are displayed at the top of the page. Click Admin > Jobs to view the job status
Inconsistent IP or FQDN validations in UI and CLI messages—Some UI and CLI messages still use older terminology for virtual IP addresses. You might see inconsistent validation or audit-log details when you change UI, device connection, or log collector addresses on the Admin > System Management > System page. The device count in validation messages might not match the number of devices on the Inventory > Devices page. This does not affect basic system operation. When you see unexpected messages, verify the final configuration on the Devices page and in system logs.
VM deployment on KVM fails with USB CD-ROM device bus type—When deploying a VM on KVM, using a USB bus type for the CD-ROM can lead to the error: Error mounting CD-ROM: mount: /media/cdrom: special device /dev/sr0 does not exist. This occurs because the USB bus type for the CD-ROM is unsupported, causing the mount operation to fail. You can use USB bus type for virtual disk.
Deployment failure on devices —After deploying the VM and onboarding devices to Juniper Security Director, following discrepancies are observed:
- On the Juniper Security Director UI, Inventory > Devices page shows the device management status as Down.
- On the device, the output from the SSH client command show system connections | match 7804 indicates that the status is ESTABLISHED, indicating a stale connection.
Due to these discrepancies, the device-bound configurations will not function.

Workaround:

For a successful deployment, login to device through SSH or console and execute restart service-deployment command.
VM snapshot revert error—When you take a snapshot using the Snapshots > TAKE > SNAPSHOT option and attempt to revert to a previous VM version using REVERT, the status might indicate that the snapshot reversal is complete. However, powering on the VM can result in an error, causing the snapshot revert to fail.

Workaround:
1. Login to vSphere Client.
2. Right-click the VM, select Actions > Power > Power Off.
3. Right-click the VM, select Edit Settings
4. Under Virtual Hardware, select the CD/DVD drive's Connect At Power On check-box.
5. Right-click the VM, select Actions > Power > Power On.
The VM with snapshot version should boot without any issues.
CLI admin password validation during VM deployment—During VM deployment, when you configure Juniper Security Director OVA parameters on the Customize template page, the cliadmin user password field accepts any password with 8 characters. However, during the installation process, the system enforces strict validations and rejects the password that does not meet the specified requirements. This discrepancy might result in installation failure.

Workaround:

Perform the following steps to set the password that complies with the requirements:
1. In the vSphere client, right-click the VM and select Actions > Power > Power Off.
2. Click Yes to confirm and power off the VM.
3. Right-click the VM, select Configure > Properties.
4. Select CLI_PASSWORD and select SET VALUE.
5. Enter the password that meets the following requirements:
  - Must be at least 8 characters long and not more than 32 characters.
  - Must not be dictionary words.
  - Must include at least three of the following:
    - Numbers (0-9)
    - Uppercase letters (A-Z)
    - Lowercase letters (a-z)
    - Special characters (~!@#$%^&*()_-+={}[];:"'<,>.?/|\)
6. Click OK.
7. Right-click the VM, select Actions > Power > Power On.
8. Once the VM powers on, navigate to the Summary tab and click LAUNCH WEB CONSOLE to monitor the software bundle installation status.
9. A successful installation requires approximately 30 minutes. If the installation lasts longer, check the web console for potential errors. You can ssh to the VM IP with the CLI admin user and use show bundle install status command to view the installation status.
New user activation—When you add a user to Juniper Security Director on the Administration > Users & Roles > Users page, the user receives an email with a link to set a password and join the organization. The email incorrectly states that the link is valid for 7 days. The actual validity for setting the password is 24 hours. If the user does not set the password within 24 hours, the link expires and shows an invalid request error.

Workaround:
1. Log in to Juniper Security Director UI.
2. Go to Admin > Users, select the user to resend the activation link.
3. Click More > Resend activation mail to resend the activation link.
Security log configuration timeout during device discovery—During device discovery, the configure-security-log job might timeout or fail after running for a long time. Consequently, the Inventory > Devices > Security Logs Configuration page displays security log status as Not configured.

Workaround:

Manually configure the security logs. For details, see Configure Security Logs.
MNHA resynchronization job failure—When you reboot a device after enabling or disabling Multinode High Availability (MNHA) configuration, the job fails with a sync inventory issue. The device’s inventory and configuration status remain stuck in an out of sync state.

Workaround:

Perform a manual resynchronization to restore inventory and configuration status.
1. Select Inventory > Devices.
2. Select the device to resynchronize, and click More > Resynchronize with Network.
  
  A job is created for the resynchronization process and the details are displayed on the top of the page
ICAP profile server routing instance limitation—
- When you edit the routing instance of a deployed ICAP profile server and redeploy it, the routing instance is removed automatically.
- When you import an ICAP profile server with a routing instance and deploy it in Juniper Security Director, the routing instance is removed during the deployment process.
- When you import an ICAP profile server without a routing instance and deploy it in Juniper Security Director, the deployment succeeds. However, if you later edit the profile server to add a routing instance and redeploy it, the routing instance is removed automatically.
Workaround:
1. Create a new ICAP profile server with a routing instance.
2. Deploy the ICAP profile server with the security policy.
Out-of-band connection status issue—The out-of-band connection between the Juniper® Networks SRX Series Firewall and Juniper Security Director doesn't close in the SRX Series Firewall. This issue occurs because the device status in Juniper Security Director changes to DOWN after the connection is closed, but the connection remains active on the SRX Series Firewall.

Workaround:
Restart the outbound SSH service in the SRX Series Firewall to will resynchronize the SRX Series Firewall device with Juniper Security Director and change the status of the device to UP.
1. Log in to the SRX Series Firewall using CLI.
2. Run the following command to check the status of the flow session:show security flow session destination-port 7804
3. If the flow session is active but Juniper Security Director shows the device status as DOWN or OUT OF SYNC, execute the restart service-deployment command to restart the SRX Series Firewall outbound SSH service.
Image installation issue on Juniper Security Director—You may notice image installation failures if there are issues copying the image from Juniper Security Director to the device. Image transfers are faster when both Juniper Security Director and the device are in the same geographic region, and slower when they are in different regions. In such cases, we recommend that you stage the image using the remote server option. For optimal transfer speed and reliability, ensure that the remote server and the device are in the same region.

Workaround:
- For failure due to copying image file from Juniper Security Director to device:
  1. Ensure that the device can access the location of the image.
  2. Go to Inventory > Software images.
  3. Click Upload and select From remote server.
  4. Enter the URL for the remote server where the image is located. You can generate the URL on the product-specific Support page of the Juniper Networks website. See Add an Image for details.
- For failure due to upgrade path: refer Junos OS documentation to understand the upgrade path for specific Junos OS release.

When you configure SRX Series Firewalls in the Device Configurations tab, you might face the following issues:

Setting	Known Issue	Workaround
Basic Settings > Management > SNMP	If you configure Remote Engine for SNMP, the configuration deployment fails because the Privacy configuration is deployed before the Authentication configuration. The following error message is displayed: `deploy failed with error:[ErrorSeverity:error,ErrorPath:,ErrorMessage: Authentication should be configured before configuring the privacy ,BadElement:]`	Configure the Remote Engine user settings in the following sequence: Select the Authentication method while adding a Remote Engine user at SNMP > V3 > USM > Remote Engine > User. Deploy the device configuration. Select the Privacy setting. Deploy the device configuration again.
Network Settings > Interfaces	If you configure both the unit number and the VLAN ID as the outer tag for interfaces, the configuration deployment fails. The following error message is displayed: `error: 'unit' statement cannot be included along with 'vlan-tags-outer' statement`	Do not configure both the options as the outer tag for interfaces. Select either Vlan_tag_mode or Unit as the outer tag.
Network Settings > Interfaces	If you configure Pic Set for interfaces, the configuration deployment fails. The following error message is displayed:`Segmentation fault (core dumped)`	Configure Pic Set only for interfaces of the SRX5400, SRX5600, and SRX5800 SRX Firewalls.
Security Settings > User Firewall > Device Information	The existing configuration of onboarded SRX Series Firewalls is not displayed on the User Firewall page because of a mismatch of the Authentication Source field name between the Juniper Security Director GUI and the device CLI.	None
Advanced Settings > Security > GTP > Message IE Profile V2	If you don't configure all the mandatory settings for Message IE Profile V2, the configuration is not deployed on the devices even though the Juniper Security Director GUI displays a success message.	Configure all the mandatory settings for Message IE Profile V2. See message-ie-profile-v2 for the mandatory settings.
Advanced Settings > Security > Grouped IE Profile	If you don't configure all the mandatory settings while adding a Grouped IE Profile, the configuration is not deployed on the devices even though the Juniper Security Director GUI displays a success message.	Configure all the mandatory settings for Grouped IE Profile. See grouped-ie-profile for the mandatory settings.
Advanced Settings > Protocols > IS-IS Instance	If you don't configure all the mandatory settings while adding an IS-IS Instance, the configuration is not deployed on the devices even though the Juniper Security Director GUI displays a success message.	Configure all the mandatory settings for IS-IS Instance. See level (IS-IS Interfaces) for the mandatory settings.
Network Settings > Forwarding Options > Load Balance > Indexed Load Balance	If you enable Indexed Load Balance while configuring Load Balance, the configurations are not deployed on the devices even though the Juniper Security Director GUI displays a success message. The following error message is displayed if you deploy the configuration using CLI: `Could not retrieve the two-level-multi-next-hop setting`	Don't enable Indexed Load Balance. The option is not applicable to SRX Series Firewalls.
Advanced Settings > Chassis > Network Services	If you configure ethernet for Network Services, the configuration deployment fails because the option is not applicable to SRX Series Firewalls.	Don’t configure ethernetb for Network Services in SRX Series Firewalls. The option is not applicable to SRX Series Firewalls.
Advanced Settings > Chassis	If you configure Ambient Temperature, the configuration deployment fails because the option is applicable only to specific SRX Series Firewalls. The following error message is displayed: `:[ErrorSeverity:error,ErrorPath:,ErrorMessage:Invalid trailing data 'C' for numeric value: '40C',BadElement:40C]`	Configure Ambient Temperature only on the supported SRX Series Firewalls. See Feature Explorer for the supported models.
Advanced Settings > Protocols > PPP	If you configure PPP services for Protocols, the configuration deployment fails because the option is applicable only to specific SRX Series Firewalls.	Configure PPP services for Protocols using CLI only on SRX4000 and SRX1600 Series Firewalls. See Point-to-Point protocol (PPP) for how to configure PPP using CLI.
Advanced Settings > Protocols > R2CP	If you configure Port any for Client Port Value while configuring the R2CP protocols in the device CLI, the setting changes to Not configured on the Juniper Security Director GUI after deploying the device configuration.	Configure a specific port for Client Port Value on the Juniper Security Director GUI.
Device Configurations	If you configure an onboarded device, the configuration deployment shows as out-of-band changes.	Wait 5 to 10 minutes for the device onboarding process to complete before updating and deploying the device configuration.
Device Configurations	If you configure certain device settings, the configuration deployment fails because the settings might be applicable only to specific SRX Series Firewalls. For example, Advanced Settings -> Services -> Hosted-services Advanced Settings->Services > Mobile Flow Tap Advanced Settings->Services > Network Slicing	Configure the settings applicable to the SRX Series Firewalls. See Feature Explorer for the supported models.
Device Configurations	If you deactivate device settings in the SRX Series Firewalls using CLI, the device configuration deployment might fail when you configure settings on the Device Configurations tab of the Juniper Security Director GUI.	Activate and commit the settings or delete the settings using CLI before configuring the settings using the Juniper Security Director GUI.

Security policy import failure due to hidden commands—If hidden commands exist in SRX Series Firewalls, importing and deploying security policies might fail due to version incompatibility. This issue can affect configurations such as Content Security and security policies.

Workaround:

Delete any hidden or undocumented commands from SRX Series Firewalls, re-import the policy configuration to Juniper Security Director, and then deploy the security policy.
SMB protocol issue in AAMW profile—Devices running versions before Junos OS 21.1 experience commit failures when using the Server Message Block (SMB) protocol option in the predefined Advanced Anti-Malware (AAMW) profile.

Workaround:

Clone the default AAMW profile and disable the SMB protocol. Use the cloned profile in the Security Policy or global options to ensure successful commits.
Clock synchronization upgrade issue—When you upgrade a device to Junos OS 21.1 or later using a software image, you might encounter an error message indicating that in-service software upgrade (ISSU) is not supported for Clock Synchronization (SyncE).

Workaround:

Upgrade the cluster from CLI using the workaround provided in https://prsearch.juniper.net/problemreport/PR1632810.
Log visibility limitations for SRX Series Firewall—You cannot view certain logs in Juniper Security Director for SRX Series Firewalls running Junos OS version 21.4 R3-S3.4 and later. The logs affected include:
- Web filtering logs
- RT_FLOW logs
- Content Security logs
For details, see https://prsearch.juniper.net/problemreport/PR1716776.
NAT pool re-import conflicts—While re-importing NAT pool with preconfigure address object and deploying it using NAT rule, object conflict resolution (OCR) is detected for address name field.
Peer synchronization in Multinode High Availability—If peer synchronization is enabled for Multinode High Availability solution, then any deployment or configuration change might result in multiple synchronization jobs.

Workaround:

Delete the set system commit peers-synchronize command from device configuration for Multinode High Availability solution.
Custom server certificate updates—Uploading a new custom Server Certificate in Juniper Security Director does not terminate active user sessions, and requires manual page refreshes for the certificate to take effect.
Insights pages error for restricted-role users—Users with custom roles and restricted access to features might encounter an error when navigating to the Insights pages.
Threat summary pivot limitations—After upgrading, you might notice that when pivoting from the Threat Summary widget on the Dashboard page, the system displays only zone-based details. It does not display the selected risk level and service details.

Workaround:

To view the required data, go to the Insights page and use View Settings to manually select the required filters.

ON THIS PAGE

Known Behaviors and Issues

Known Behaviors

Known Issues