
Junos® Space Security Director 15.2 Release


Junos® Space Security Director 15.2 Release Notes

Release 15.2
15 April 2016

Contents

Security Director Release Notes
  Installing Junos Space Network Management Platform
  Installing Security Director Release 15.2
  Upgrading Prerequisites
  Upgrading Security Director
  Deploying Log Collector
  Adding Log Collector to Security Director
  Loading Schema for SRX Series Junos OS Releases
  Management Scalability
  Supported Devices
  Supported Junos OS Releases
  Supported Browsers
  New and Changed Features
  Known Behaviors
  Known Issues
  Documentation Updates
Junos Space Documentation and Release Notes
Documentation Feedback
Requesting Technical Support
  Self-Help Online Tools and Resources
  Opening a Case with JTAC
Revision History

Copyright © 2016, Juniper Networks, Inc.

Security Director Release Notes

The Junos Space Security Director application is a powerful and easy-to-use solution that lets you secure your network by creating and publishing firewall policies, IPsec VPNs, NAT policies, IPS policies, and application firewalls.

NOTE: To push IPS and application firewall signatures to a device, you need IPS and application firewall licenses.

• Installing Junos Space Network Management Platform
• Installing Security Director Release 15.2
• Upgrading Prerequisites
• Upgrading Security Director
• Deploying Log Collector
• Adding Log Collector to Security Director
• Loading Schema for SRX Series Junos OS Releases
• Management Scalability
• Supported Devices
• Supported Junos OS Releases
• Supported Browsers
• New and Changed Features
• Known Behaviors
• Known Issues
• Documentation Updates

Installing Junos Space Network Management Platform

Junos Space Security Director Release 15.2R1 is supported only on Junos Space Network Management Platform Release 15.2R1.24.

• To understand more about the virtual appliance installation, see Junos Space Virtual Appliance Deployment Overview. Download the VISO image for the virtual machine (VM) here.
• To understand more about the Junos Space appliance installation, see Junos Space Appliance Overview. Download the USB image for the JA2500 appliance here.

NOTE: Security Director is not supported on a Junos Space JA1500 appliance.
Installing Security Director Release 15.2

In Junos Space Security Director Release 15.2R1, a single image installs Security Director, Log Director, Application Visibility, and the Security Director Logging and Reporting modules. You must deploy the Log Collector and then add it to Security Director to view the log data in the dashboard, events and logs, reports, and alerts.

Download the Security Director Release 15.2R1 OVA image from here.

Upgrading Prerequisites

To upgrade the Security Director, Log Director, and Security Director Logging and Reporting modules, the following prerequisites must be met:

• Upgrade to Junos Space Network Management Platform Release 15.2R1 before upgrading Security Director, Log Director, and Security Director Logging and Reporting.
• If your current Security Director release is earlier than Security Director Release 15.1R1, you must follow this upgrade sequence:
  1. Upgrade to Junos Space Network Management Platform Release 15.1R1 and Security Director to Security Director Release 15.1R1.
  2. Upgrade to Junos Space Network Management Platform Release 15.2R1 and to Security Director Release 15.2R1.

You can upgrade to Junos Space Network Management Platform Release 15.2R1 and Security Director Release 15.2R1 from the following releases:

• Junos Space Network Management Release 15.1R1 and Security Director Release 15.1R1.
• Junos Space Network Management Release 15.1R2 and Security Director Release 15.1R2.

Upgrading Security Director

To upgrade Security Director Release 15.2R1:

• Download the 15.2R1.135 file from the Download Site.
• Select Administration > Applications > Security Director. Right-click and select Upgrade Application. Upload the image using the Upload via HTTP or Upload via SCP option.
• Click Upgrade. The Job Management tab shows the upgrade status.
Deploying Log Collector

NOTE:
• Log Collector is supported only as a VM that can be deployed on VMware ESX. Log Collector cannot be installed on any physical appliance.
• The JA2500 integrated deployment where the Log Collector VM runs within the JA2500 Junos Space appliance is not supported.
• Upgrading from an earlier version of Log Collector to Log Collector 15.2R1 is not supported.

System Requirement

Table 1 and Table 2 provide the VM configuration recommended for the log collection to work effectively:

Table 1: With Spinning Disks

                              Log Receiver Nodes     Log Indexer Nodes      Log Query Node   Cluster Manager Node
Setup                         Nodes  CPU  Memory     Nodes  CPU  Memory     CPU   Memory     CPU   Memory          Total Nodes
2K events per second (eps)    1      4    16 GB      -      -    -          -     -          -     -               1
5K eps                        1      8    16 GB      1      4    32 GB      -     -          -     -               2
10K eps                       2      8    32 GB      1      8    32 GB      -     -          -     -               3
20K eps                       2      16   32 GB      4      16   32 GB      8     16 GB      4     16 GB           8

Table 2: With SSD Drives

                              Log Receiver Nodes     Log Indexer Nodes      Log Query Node   Cluster Manager Node
Setup                         Nodes  CPU  Memory     Nodes  CPU  Memory     CPU   Memory     CPU   Memory          Total Nodes
4K eps                        1      4    16 GB      -      -    -          -     -          -     -               1
7K eps                        1      4    16 GB      1      4    32 GB      -     -          -     -               2
10K eps                       1      8    32 GB      1      8    32 GB      -     -          -     -               2
20K eps                       1      16   32 GB      3      16   32 GB      8     16 GB      4     16 GB           6

Table 3 shows different node types in which the Log Collector can be deployed.

Table 3: Log Collector Deployment Nodes

Node Type: Log receiver node (distributed deployment)
Description:
• Receives syslogs from SRX Series devices.
• You must configure SRX Series devices with this IP address to send syslogs.
• This node parses and forwards logs to the indexer node.
• The IP address of the log indexer node must be provided when configuring this node.

Node Type: Log indexer node (distributed deployment)
Description:
• Dedicated Indexer node that analyzes, indexes, and stores the logs.
• This node receives parsed logs from the log receiver node.
• This node serves all the queries from Security Director.
• The log indexer node roles are split into the following three major roles when the scale of the deployment is more than 10K eps:
  • Log storage node—Dedicated node for storing the indexed syslogs.
  • Master node—Dedicated cluster manager node that monitors and maintains the integrity of the log indexer cluster.
  • Query node—Dedicated query node that receives parsed syslogs from the log receiver node(s) and evenly distributes them across the available log storage nodes. Also, this node acts as the single query point for Security Director and responds to all the syslog queries.

Node Type: All-in-One node (combined deployment)
Description:
• Both collector and indexer nodes run on the same VM.
• Supports eps of up to 2K with spinning disks and 4K with SSD drives.
• Suitable for demos and small-scale deployments.
NOTE: Using vSphere Client version 5.5 and previous versions, you cannot edit the settings of virtual machines using hardware version 10 or earlier. For more details, see VMware Knowledge Base.

To deploy the Log Collector:

1. Download the latest Log Collector open virtual appliance (OVA) image from here.
2. Using vSphere or vCenter, deploy the Log Collector OVA image Log-Collector-15.2.R1.16.ova onto the ESX server.
3. Edit the CPU and memory as per the system requirement for the required events per second (eps).
4. Power on the Log Collector VM. A configuration script lets you choose the node type and configure the network settings.
5. Use the default credentials to log in to Log Collector; username is root and password is juniper123.
6. Change the root password of the VM.
7. Select one of the following node types:
   • Enter 1 to deploy Log Collector as a log receiver node.
     • Ensure that the log indexer node(s) is already configured.
     • Select the appropriate eps rate as either 10K or 20K.
     • For 10K eps, enter the IP address of the log indexer node.
     • For 20K eps, enter the IP address of the log query node.
   • Enter 2 to deploy Log Collector as a log indexer node.
     • Select the appropriate eps rate as either 10K or 20K.
     • For 10K eps, enter the IP address of the log receiver node that needs to be whitelisted to receive logs from the log receiver node.
     • For 20K eps:
       • Select the log indexer node role as log storage node, master node, or query node.
       • Enter the IP address of the master node, which is the cluster manager node on all other log indexer nodes.
       • Enter the IP address of the log receiver nodes on the log query node that needs to be whitelisted to receive logs from the log receiver nodes.
   • Enter 3 to deploy Log Collector as an all-in-one node.
8. Configure your network settings using the same wizard.
NOTE:
• You can only configure the IP address of all Log Collector nodes by using the configuration script. If an IP address is configured manually, the Log Collector node cannot be added to Security Director.
• When deploying Log Collectors in a distributed deployment, first configure the log indexer node and then configure the log receiver node.

Adding Log Collector to Security Director

Once Log Collector is configured, you can add it to Security Director.

To add Log Collector to Security Director:

1. From the Security Director user interface, select Administration > Logging Management > Logging Nodes, and click the plus sign (+).
2. Provide the root credentials of the Log Collector node.
3. Verify the corresponding job status. Log Collector node appears in the Logging Nodes page with the status UP.

NOTE: You can add multiple Log Collector nodes at once by selecting the number of nodes in advance.

To learn more about increasing the disk size of your VM when log files are too large, see Expanding the Size of the VM Disk for Log Collector.

To learn more about enabling vMotion and Fault tolerance logging, see Enabling vMotion and Fault tolerance logging.

To learn more about VMware chassis cluster and fault tolerance, see vSphere Availability.

To learn more about configuring vMotion, see Creating a VMkernel port and enabling vMotion on an ESXi/ESX host and Set Up a Cluster for vMotion.

Loading Schema for SRX Series Junos OS Releases

You must download and install the matching Junos OS schema to manage SRX Series devices. To download the correct schema, under the Network Management Platform drop-down list, select Administration > DMI Schema, and click Update Schema. See Updating a DMI Schema.

Management Scalability

The VM setup must have 32 GB of RAM, and OpenNMS must be stopped on it (in a single-node or two-node fabric). Security Director supports 15K firewall rules per policy.
In concurrent cases, a maximum of 40K firewall rules per policy can be processed at a time with different publish, preview, and update jobs (in a two-node VM or a JA2500 fabric setup).

By default, the monitor polling is set to 15 minutes and resource usage polling is set to 10 minutes. This polling time changes to 30 minutes for a large-scale data center setup such as 200 high-end SRX Series devices managed in Security Director.

Security Director supports a maximum of 10K SRX Series devices in a six-node Space fabric (four JBoss servers and two database nodes). In a 10K SRX Series setup, all the monitoring polling settings must be set to 60 minutes. If monitoring is not required, disable it for better publish or update job performance.

Supported Devices

Security Director Release 15.2 is supported on the following SRX Series and LN Series hardware devices:

• SRX100
• SRX110
• SRX210
• SRX220
• SRX240
• SRX240H
• SRX300
• SRX320
• SRX320-POE
• SRX340
• SRX345
• SRX550
• SRX550M
• SRX650
• SRX1400
• SRX1500
• SRX3400
• SRX3600
• SRX5400
• SRX5600
• SRX5800
• LN1000-V
• LN2600

Supported Junos OS Releases

• Security Director Release 15.2 supports the following Junos OS branches:
  • 10.4
  • 11.4
  • 12.1
  • 12.1X44
  • 12.1X45
  • 12.1X46
  • 12.1X47
  • 12.3X48
  • 15.1x49
  • vSRX 15.1x49
• SRX Series devices require Junos OS Release 12.1 and later to synchronize the Security Director description field with the device.
• The logical systems feature is supported on devices running Junos OS Release 11.4 and later.

NOTE: Before you can manage an SRX Series device using Security Director, we recommend that you have the exact matching Junos OS schema installed on the Junos Space Network Management Platform. If there is a mismatch, a warning message is displayed during the publish preview workflow.
Supported Browsers

Security Director Release 15.2 is best viewed on the following browsers:

• Mozilla Firefox
• Chrome
• Internet Explorer 11

New and Changed Features

This section describes the new features and enhancements to existing features in Junos Space Security Director Release 15.2R1.

• Improved Security Director User Interface—An enhanced Security Director user interface provides application visibility and actionable intelligence that takes you quickly from knowing to doing.
• Improved Usability—Security Director offers the following improved usability features:
  • A Dashboard that is configurable on a per-user basis. Simply drag widgets from the carousel into the workspace and configure the widget parameters.
  • The Policy Management page shows the publish state of policies as well as when they were last modified and which user made the modification.
  • Live Threat Maps let you see the attack vectors currently active such as IPS and virus attacks.
  • An updated log presentation provides a graphic view of all of the events reported by your managed firewalls.
  • Application Visibility gives you a visual representation of the types of traffic passing through your network and their relative amounts in a graph view.
  • You can navigate back to the Junos Space Network Management Platform, where you can manage the Platform and other application preferences, device configuration elements, software images, scripts, and so on.
  • The utility bar provides access to Security Director utilities including search, a notification center, domain control, and user information.
• User Onboarding Guide—This guide is an interactive overlay that loads automatically upon first login after installation or upgrade of Security Director 15.2. It allows you to quickly orient yourself with the new GUI, find features, and access video guidance for using Security Director.
• Firewall or Rule Management—On this page, you can create, manage, and deploy firewall policies on one or more SRX Series devices. You can apply group policies before and after device policies. You can also create device and group policies separately. Go to the Firewall Policy > Devices page to view the complete group and device firewall rules on a single device. You do not have an option to view device exceptions.
• Application Firewall Policy—The Application Firewall Policy feature allows you to configure application firewall policies and rule sets for policies. The advantages of the application firewall are:
  • Permits, rejects, or denies traffic based on the application of the traffic.
  • Consists of one or more rule sets that specify the match criteria and the action to be taken for the matching traffic.
  • Identifies not only HTTP but also any application running on top of it, which lets you properly enforce your policies. For example, an application firewall rule could block HTTP traffic from the Facebook application, but permit Web access to HTTP traffic from Microsoft Outlook.
• NAT—On this page you can perform basic NAT configuration. NAT is a form of network masquerading where you can hide devices between zones or interfaces. NAT modifies the IP addresses of the packets moving between the trust and untrust zones. A trust zone is a segment of the network where security measures are applied. It is usually assigned to the internal LAN. An untrust zone is the Internet.
• UTM—Unified threat management (UTM) is a consolidation of several security features into one device to protect against multiple threat types. The advantage of UTM is a streamlined installation and management of these multiple security capabilities. The following security features are provided as part of the UTM solution:
  • Antispam—Examines transmitted e-mail messages to identify e-mail spam.
  • Full file-based antivirus—Scans for viruses. A virus is an executable code that infects or attaches itself to other executable code to reproduce itself.
  • Express antivirus—Offers a less CPU-intensive alternative to the full file-based antivirus feature.
  • Content filtering—Blocks or permits certain types of traffic based on the MIME type, file extension, protocol command, and embedded object type.
  • Web filtering—Lets you manage Internet usage by preventing access to inappropriate Web content.
• IPS—On this page, you can create and manage IPS signatures and IPS policies for one or more SRX Series devices. An IPS policy is independent of a firewall policy. You can create an IPS policy with a Basic or Advanced mode without depending on a firewall policy to publish or update to SRX Series devices.
• IPsec VPN—You can create site-to-site, hub-and-spoke, and full-mesh VPNs in the VPN Creation page. All VPNs in the system appear in the Tabular view. You can configure the following parameters for an IPsec VPN:
  • Endpoints for a site-to-site VPN and full-mesh VPN
  • Spokes and hubs for a hub-and-spoke VPN
  • External interface, tunnel zone, and protected networks or zones for each device
  • Routing settings
  • VPN endpoint configuration
  You can also customize endpoint-specific settings such as VPN name, IKE ID, and profile for each tunnel. After the VPN configuration is saved, you can provision this VPN on security devices.
• Improved Dashboard—On this page, you can take a snapshot of current events through Event and Device dashboard widgets.
• Improved Event and Log Management—On this page, you can view and filter the log messages received from devices. You can also navigate to other configuration features such as firewall and NAT rules, where these logs were generated.
• Application and User Visibility—On this page, you can display the top applications used by network users in different views, such as chart and grid views.
• Live Threat Map—On this page, you can show the live data of IPS viruses, spam, and device authentication events with a geographic mapping of source and destination countries.
• Filter Management—You can use filters to search logs and to view information about filter condition, time, or fields in the logs. You can either load existing filters or define a new filter.
• Device Discovery—On this page, you can discover and manage devices that include all types of Juniper Networks standalone and cluster devices. You can also perform other administrative operations, including device configuration management, Inventory, and monitoring of important aspects of devices. By default, the Import Policies check box is enabled to import firewall, NAT, or IPS configurations from SRX Series devices with the default Junos OS Release 12.X46 D35.1 schema. If you discover a device from the Security Director user interface, the matching schema for the newly discovered device is already installed in the Junos Space Network Management Platform. You do not have to import the configuration to Security Director after the device discovery.
• Alarms and Alerts—On this page, you can show active alarms of devices currently managed by Security Director. You can monitor log-based events and generate alert messages on the Monitor tab.
  To view the alarms in Security Director, add the following configuration to the managed SRX Series devices through the CLI:

    set snmp trap-group sdfm version all
    set snmp trap-group sdfm destination-port 10164
    set snmp trap-group sdfm categories authentication
    set snmp trap-group sdfm categories chassis
    set snmp trap-group sdfm categories link
    set snmp trap-group sdfm categories routing
    set snmp trap-group sdfm categories startup
    set snmp trap-group sdfm categories rmon-alarm
    set snmp trap-group sdfm categories vrrp-events
    set snmp trap-group sdfm categories configuration
    set snmp trap-group sdfm categories services
    set snmp trap-group sdfm categories chassis-cluster
    set snmp trap-group sdfm categories sonet-alarms
    set snmp trap-group sdfm targets x.x.x.x

  Replace x.x.x.x with the eth0 IP address of the Junos Space server.
• Bandwidth Reports—You can generate bandwidth reports based on the bandwidth consumed by applications in the network. Reports are categorized by users, sessions, categories, and risk level.
• Actionable Intelligence—You can configure blocking actions from the Application and User Visibility pages with one click.
• User Management—You can use this feature to gain information on user roles at a granular level, such as domain separation, remote or local user authentication, and multiple users logged in to Junos Space.
• Monitoring—You can poll SRX Series devices on a specific time interval and collect the data to show on the Dashboard. You can poll information such as Top CPU, Top Memory, most storage, most sessions, most bandwidth, and so on. You can change the monitoring settings and enable or disable monitoring to specific devices. By default, monitoring is enabled for all devices after the upgrade or fresh installation of Security Director Release 15.2R1.
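The trap-group configuration listed under Alarms and Alerts can be verified on a device before alarms are expected in Security Director. The following is an added example, not part of the release notes: the function names and both sample configurations are constructed, the input is assumed to be the device configuration in set format (for instance from show configuration snmp | display set), and 192.0.2.10 stands in for the Junos Space eth0 address.

```python
"""Audit a Junos set-format configuration for the 'sdfm' SNMP trap group."""
import ipaddress

TRAP_GROUP = "sdfm"
# Values taken from the release notes' trap-group listing.
REQUIRED = {"version": "all", "destination-port": "10164"}
REQUIRED_CATEGORIES = {
    "authentication", "chassis", "link", "routing", "startup",
    "rmon-alarm", "vrrp-events", "configuration", "services",
    "chassis-cluster", "sonet-alarms",
}


def parse_trap_group(config_text, group=TRAP_GROUP):
    """Collect one trap group's settings from 'set snmp trap-group' lines."""
    found = {"version": None, "destination-port": None,
             "categories": set(), "targets": set()}
    prefix = ["set", "snmp", "trap-group", group]
    for raw in config_text.splitlines():
        tokens = raw.split()
        # Skip unrelated statements, other trap groups and truncated lines.
        if tokens[:4] != prefix or len(tokens) < 6:
            continue
        key, value = tokens[4], tokens[5]
        if key in ("categories", "targets"):
            found[key].add(value)
        elif key in REQUIRED:
            found[key] = value
    return found


def audit_trap_group(config_text, space_ip):
    """Return findings as strings; an empty list means the group is complete."""
    cfg = parse_trap_group(config_text)
    expected_target = str(ipaddress.ip_address(space_ip))
    findings = []
    for key, wanted in REQUIRED.items():
        if cfg[key] != wanted:
            findings.append(f"{key} is {cfg[key]!r}, expected {wanted!r}")
    missing = sorted(REQUIRED_CATEGORIES - cfg["categories"])
    if missing:
        findings.append("missing categories: " + ", ".join(missing))
    targets = set()
    for target in sorted(cfg["targets"]):
        try:
            targets.add(str(ipaddress.ip_address(target)))
        except ValueError:
            # Catches the literal x.x.x.x placeholder pasted unchanged.
            findings.append(f"target {target!r} is not an IP address")
    if expected_target not in targets:
        findings.append(
            f"Junos Space address {expected_target} is not a trap target")
    for extra in sorted(targets - {expected_target}):
        # Traps sent elsewhere expose device state to another receiver.
        findings.append(f"unexpected trap target {extra}")
    return findings


# Constructed sample: a complete trap group pointing at the assumed Space IP.
SAMPLE_GOOD = "\n".join(
    ["set snmp trap-group sdfm version all",
     "set snmp trap-group sdfm destination-port 10164"]
    + [f"set snmp trap-group sdfm categories {c}"
       for c in sorted(REQUIRED_CATEGORIES)]
    + ["set snmp trap-group sdfm targets 192.0.2.10"]
)

# Constructed sample: wrong version, no port, few categories, bad targets.
SAMPLE_BAD = """\
set snmp trap-group sdfm version v2
set snmp trap-group sdfm categories chassis
set snmp trap-group sdfm categories link
set snmp trap-group sdfm targets x.x.x.x
set snmp trap-group sdfm targets 198.51.100.7
set snmp trap-group other categories authentication
"""

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, audit_trap_group(sample, "192.0.2.10") or "OK")
```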
• Improved Device Inventory—You can navigate to the Devices > Security Devices page for a list of devices that are discovered on the Junos Space Network Application Platform. Right-click the device and select Configure > Modify Configuration. The Modify Configuration page appears and you can perform the following configurations:
  • Basic setup
  • Static routing
  • Routing instance
  • Physical interfaces
  • Syslog
  • Security logging
  • Screens
  • Zones
• Audit Log—This feature logs all operations that are performed on Security Director. To view audit logs, navigate to Monitor > Audit Logs. The following details are listed on the Audit Log page:
  • ID
  • Username
  • User IP
  • Task
  • Description
  • Timestamp
  • Result
  • Job ID
  • Domain
  • Application
• Job Management—You can navigate to Monitor > Job Management to get a detailed view of jobs. Double-click the job to view the job details.
• Security Devices—On this page, you can see both primary and secondary cluster nodes. You can expand or collapse the cluster view. On the Security Devices landing page, there are additional columns added to view information of CPU, storage, RAM of SRX Series devices, and Fab and Control link status of cluster SRX nodes. You must expand the cluster view to check the Fab and Control link status.

Known Behaviors

The following features are not available in Security Director Release 15.2. These features continue to be supported in Release 15.1.

• Spotlight Secure
• Change Control workflow
• AutoVPN
• ADVPN
• Custom columns for firewall rules
• Custom filters for IPS
• Drag and drop objects
• Custom application signature
• Application firewall is supported on Junos OS Release 12.1X47 and later.
• Staging configuration from the Security Director Devices page.
• NSM migration
• For the Update All SD Changes option from the Security Director Devices page, you must perform a column filter of pending services and select-all services. Then you can update the changes to the firewall, NAT, IPS, and VPN services.
• To configure the SSL forward proxy profile, you must manually upload the certificate through the CLI.
• For the application data to appear in the Application Visibility, you must enable AppTrack on the zone.
• The Integrated Log Collector on Space Server option under Administration > Applications > Modify Application Settings is not supported.
• On the Administration > Logging Management > Statistics & Troubleshooting page, node time and disk information are not shown for the log receiver nodes.
• On the Administration > Logging Management > Logging Devices page, data is loaded only after the log receiver nodes start receiving logs. The first time logs are received on a node, data might take 15 minutes to get displayed.
• If you want to discover more than 50 devices, you must discover devices from the Network Management Platform > Device > Device Discovery page. If you discover devices from the Security Director user interface, you must clear the Import Policies check box.

Known Issues

This section lists the known issues in Junos Space Security Director Release 15.2R1.

• Users other than the super user cannot view the data in the Dashboard and the Event Viewer. [PR 1159530]
  Workaround: Enable the View device logs permission on the Administration > Users & Roles > Event Viewer.
• On all the Shared Objects landing pages, unused objects that are filtered and listed as a result of the Show Unused options cannot be cleared. [PR 1125913]
  Workaround: Click the left navigation menu to clear the filtered data.
• Users having full permission for only firewall or NAT policies but not for shared objects cannot configure addresses, services, and other objects in firewall and NAT policies. [PR 1140318]
  Workaround: Add users to the Security Director read-only predefined role along with the specific RBAC permissions such as modifying policies.
• Once you upgrade to Security Director Release 15.2R1, snapshots of firewall or NAT policies are not available. Therefore you cannot compare or roll back snapshots of firewall or NAT policies with snapshots taken in earlier releases. [PR 1148530]
• The plus (+) grid tooltip does not work in the Safari browser as expected. [PR 1157968]
• The grid column filter does not work in the Internet Explorer 11 browser as expected. [PR 1161079]
• If the inactivity timeout parameter is configured as Never and the user does not log out of the session, the user sessions are not terminated even when the browser is closed or the browser session ends. [PR 1152754]
  Workaround: Restart the JBoss application server on all nodes using the command service jboss restart. This terminates all user sessions.
• The traffic passing through the logical systems is not captured in the widgets. [PR 1137173]
• The junos-host zone must not be listed in the VPN for tunnel zone and protected network. If junos-host zone is selected, the update process fails. [PR 1164596]
• The cluster device is getting discovered in different domains. [PR 1162407]
• If a user logs out and logs in again, the information the user selected in the show or hide column on all landing pages is not saved. [PR 1164332]
• The audit log does not capture the protocol values changed during the creation or editing of the NAT rules. [PR 1165630]
• For a root device, clicking the LSYS link does not show all the logical systems of that particular root device.
  [PR 1155562]
  Workaround: To view the logical systems of a root device, go to the Devices page in the Junos Space Network Management Platform.
• The Import VPN wizard might freeze when you expand a VPN that has more than 1000 spokes to list on the Select Endpoints page. [PR 1159429]
  Workaround: You must wait for the browser to function normally.
• If you use a custom group inside the nested custom application signature group, the policy update fails if the CLI commands are not generated properly. [PR 1167641]
  Workaround: Do not use a custom group inside another custom group. Use the custom group directly in the application firewall profile.
• You cannot import VPNs when there are conflicting endpoints on SRX Series devices. [PR 1123614]
• There is no option to customize the VPN profile at the endpoint level. [PR 1129612]
  Workaround: You can create a separate VPN profile with the required configuration and assign that profile to the endpoint.
• When Multi-Proxy ID is enabled for hub-and-spoke or full mesh VPNs, the Numbered tunnel option must not be selected. [PR 1164645]
  Workaround: Do not select the Numbered tunnel option. If you select this option, VPN creation will fail.
• When you control the polling interval of widgets on the dashboard in a multinode setup, intermittent behavioral changes are observed in the Monitor Settings page. During this time, you cannot change anything on the UI. [PR 1158855]
  Workaround: Check the user node and restart the JBoss application server using the command service jboss restart.
• If you check the Select All check box (anywhere in the grid), and then try to filter any of those selections, then the filtered items do not show up correctly. Also, notice that the selection changes even though you did not make the changes.
  Similarly, if you filter items, select Select All, and then filter some items again, then this action removes your previously filtered items. [PR 1167646]
  Workaround: If you use the Select All option and need to unselect some of the items, then manually remove the items instead of using a filter. Otherwise, filter the items first and then use the Select All option.
• If you select predefined templates, the total number of rules in the IPS policy shows incorrect values in the device view. [PR 1167900]
  Workaround: Click the rule count to view the total number of rules.
• If you add a Firewall Policy Rules with No Hits widget to the dashboard and click the More Details option, the Events and Logs page does not load. [PR 1168178]
  Workaround: You must reload the page to see the Events and Logs page.
• You can only configure the IP address of all Log Collector nodes by using the configuration script. If an IP address is configured manually, the Log Collector node cannot be added to Security Director.
  Workaround: If you manually configure the IP address and cannot add the node in Security Director, verify that in the /etc/hosts file there is the following entry: “LOG-COLLECTOR localhost.localdomain localhost”. If you do not see this entry, then create the entry and add the node back through the Security Director administration.
• If the time on the ESX host where the Log Collector is deployed is incorrect, then the indexes are generated at incorrect times, causing queries to fail. You must ensure that the time on Log Collector node(s) and the time on the Junos Space server are in sync by using NTP sync.
• When configuring Log Collector in the all-in-one mode, after entering the IP address, you might see this message: Indexer cluster status is red. Collector will not be active until you configure indexer properly.
  This is because of a delay of a few seconds in getting the indexer service up and running. You can ignore this message because this issue does not have any impact.

• The event viewer filters defined in the earlier releases do not work. You must redefine the filters and save them to make them work. This applies to filters used within reports as well.

• Security Director drops the alert definitions defined in earlier releases. You must redefine the syslog-based alerts.

• After upgrading to Security Director Release 15.2R1, all monitors defined in earlier releases are dropped.

Documentation Updates

This section lists the errata and changes in the software documentation.

• In Junos Space Security Director Release 15.2, the Table of Contents (TOC) was restructured to align with the Security Director user interface.

• In Junos Space Security Director Release 15.2, the content from the Security Director Logging and Reporting Getting Started Guide was moved to the Security Director Application Guide. You can find this information in the Administration > Logging Management-Logging Devices section. Therefore, the Security Director Logging and Reporting Getting Started Guide is now discontinued.

• The RESTful API Reference for Security Director is not available for Junos Space Security Director Release 15.2. For any queries related to RESTful API, contact the Juniper Networks Technical Assistance Center (JTAC).

Junos Space Documentation and Release Notes

For a list of related Junos Space documentation, see http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the documentation, follow the Junos Space Release Notes.

To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using the Junos operating system (Junos OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library, published in conjunction with O'Reilly Media, explores improving network security, reliability, and availability using Junos OS configuration techniques. All the books are for sale at technical bookstores and book outlets around the world. The current list can be viewed at http://www.juniper.net/books.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page of the Juniper Networks TechLibrary site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at http://www.juniper.net/techpubs/feedback/.

• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.

Revision History

15 April 2016—

Copyright © 2016, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.