Hot Patch Releases
This section describes the installation procedure, features, and resolved issues in Junos Space Security Director Release 21.3R1 hot patch.
During hot patch installation, the script performs the following operations:
- Blocks device communication.
- Stops the JBoss, JBoss Domain Controller (JBoss-dc), and jmp-watchdog services.
- Backs up the existing configuration files and EAR files.
- Updates the Red Hat Package Manager (RPM) files.
- Restarts the watchdog process, which restarts the JBoss and JBoss-dc services.
- Unblocks device communication after the watchdog process has restarted, so that device load balancing resumes.
You must install the hot patch on Security Director Release 21.3R1, or on top of any previously installed 21.3R1 hot patch. The hot patch installer backs up every file that it modifies or replaces during installation.
Installation Instructions
You must install the latest Junos Space Network Management Platform Release 21.3 hot patch (v2 or later) before installing the latest Security Director hot patch.
Perform the following steps in the CLI of the JBoss-VIP node only:
1. Download the Security Director 21.3R1 Patch vX from the download site. Here, X is the hot patch version, for example v1, v2, and so on.
2. Copy the SD-21.3R1-hotpatch-vX.tgz file to the /home/admin directory of the VIP node.
3. Verify the checksum of the hot patch for data integrity:
md5sum SD-21.3R1-hotpatch-vX.tgz
Compare the digest with the checksum provided with the download. If they differ, the file is corrupted or has been altered; do not extract or install it.
4. Extract the SD-21.3R1-hotpatch-vX.tgz file:
tar -zxvf SD-21.3R1-hotpatch-vX.tgz
5. Change to the SD-21.3R1-hotpatch-vX directory:
cd SD-21.3R1-hotpatch-vX
6. Execute the patchme.sh script from the SD-21.3R1-hotpatch-vX directory:
sh patchme.sh
The script detects whether the deployment is a standalone deployment or a cluster deployment and installs the patch accordingly.
A marker file, /etc/.SD-21.3R1-hotpatch-vX, is created with the list of Red Hat Package Manager (RPM) details in the hot patch.
We recommend that you install the latest available hot patch version, because each hot patch is cumulative.
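The procedure above, collected into a pre-flight script that an operator can run on the VIP node before executing patchme.sh. This is an added example, not code from the Juniper documentation or from the product: it compares the tarball's MD5 digest with the value taken from the download site (passed in as an argument), refuses to extract an archive whose members are not all under the SD-21.3R1-hotpatch-vX/ directory, and uses the /etc/.SD-21.3R1-hotpatch-vX marker files to tell which versions are already installed. The function names, the MARKER_DIR override (there only so the functions can be exercised against a scratch directory), and the archive built in the usage note are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Juniper release notes): pre-flight checks for the
# SD-21.3R1 hot patch, to be run from /home/admin on the JBoss-VIP node.
# Assumptions (not stated on the page): EXPECTED_MD5 is copied from the
# download site; MARKER_DIR defaults to /etc and is overridable only for testing.
set -eu

MARKER_DIR=${MARKER_DIR:-/etc}

# verify_md5 FILE EXPECTED_HEX
# Succeeds only when the md5sum of FILE equals the digest from the download site.
# MD5 catches a corrupted or substituted tarball; it does not authenticate the
# site itself, so take the digest from the download page, not from the same
# mirror or e-mail that delivered the tarball.
verify_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# archive_is_contained ARCHIVE VERSION
# Every member must live under SD-21.3R1-hotpatch-VERSION/, and no member may be
# absolute or contain '..', so 'tar -zxvf' in /home/admin cannot write elsewhere.
archive_is_contained() {
    prefix="SD-21.3R1-hotpatch-$2/"
    tar -tzf "$1" | while IFS= read -r member; do
        case $member in
            "$prefix"*) ;;
            *) echo "unexpected member outside $prefix: $member" >&2; exit 1 ;;
        esac
        case $member in
            /*|*../*|*/..) echo "unsafe path in archive: $member" >&2; exit 1 ;;
        esac
    done
}

# installed_hotpatch_versions
# Prints the versions recorded by existing marker files (/etc/.SD-21.3R1-hotpatch-vN).
installed_hotpatch_versions() {
    for marker in "$MARKER_DIR"/.SD-21.3R1-hotpatch-v*; do
        [ -e "$marker" ] || continue
        echo "${marker##*-}"
    done
}

# already_installed VERSION -> true when the marker file for VERSION exists.
already_installed() {
    [ -f "$MARKER_DIR/.SD-21.3R1-hotpatch-$1" ]
}

# preflight VERSION EXPECTED_MD5 [TARBALL]
# Runs all checks, extracts the archive on success, and prints the next command.
preflight() {
    version=$1
    expected=$2
    tarball=${3:-SD-21.3R1-hotpatch-$version.tgz}
    if already_installed "$version"; then
        echo "$version is already installed (marker $MARKER_DIR/.SD-21.3R1-hotpatch-$version exists)" >&2
        return 2
    fi
    verify_md5 "$tarball" "$expected" || {
        echo "checksum mismatch for $tarball; do not install" >&2
        return 1
    }
    archive_is_contained "$tarball" "$version" || {
        echo "refusing to extract $tarball" >&2
        return 1
    }
    tar -zxvf "$tarball"
    echo "checks passed; installed so far: $(installed_hotpatch_versions | tr '\n' ' ')"
    echo "next: cd SD-21.3R1-hotpatch-$version && sh patchme.sh"
}

# Run only when invoked with arguments, e.g.: sh preflight.sh v13 "$EXPECTED_MD5"
if [ "$#" -ge 2 ]; then
    preflight "$@"
fi
```

The archive check is the one step the page's procedure does not spell out: the hot patch is extracted as admin in /home/admin, and a tarball whose members escape the SD-21.3R1-hotpatch-vX/ directory should never reach `tar -zxvf`, regardless of whether the checksum matched. The `return 2` on an existing marker makes re-running the script on an already patched node a no-op rather than a second install.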
New and Enhanced Features in the Hot Patch
Junos Space Security Director Release 21.3R1 hot patch includes the following enhancements:
- Manage threat prevention policy without Policy Enforcer—Starting in Junos Space Security Director Release 21.3R1 Hot Patch V1, you can manage threat prevention policies even if you haven't configured Policy Enforcer. If you create a threat prevention policy or profile and associate it with the firewall policy using the device CLI or J-Web without configuring Policy Enforcer, Security Director no longer deletes the threat prevention policy or profile when you preview or update the firewall policy. Therefore, you don't have to reconfigure the threat prevention policy or profile and reassociate it with the firewall policies on the device.
Note: This feature applies only when you create a threat prevention policy and associate it with existing rules using the device CLI or J-Web.
- Legacy log collector and Security Director Insights log collector support for Event Viewer—Starting in Junos Space Security Director Release 21.3R1 Hot Patch V1, you can add both the legacy log collector node and the Security Director Insights VM on the Logging Nodes page in Security Director. We've added read-only log collector support so that you can view existing data. This support provides a smooth transition from the legacy log collector to the Security Director Insights VM as the log collector.
Note: You cannot add two log collector nodes of the same type on the Logging Nodes page.
The Legacy Node check box appears on all the Events & Logs pages after you add the legacy log collector node. Select the Legacy Node check box to view only the existing legacy log collector data. New logs should be sent to the Security Director Insights VM as the log collector. You see the Security Director Insights log collector data after you clear the Legacy Node check box.
- Polymorphic address support in source and destination address for NAT rules—Starting in Security Director Release 21.3R1 hot patch V3, while creating NAT rules for group policies you can select polymorphic addresses as the source or destination address. If the device IP address does not match any of the context values in the polymorphic address, the rule uses the default address. If there is a match, the address corresponding to that context value is used as the source or destination address of the rule.
Note: Polymorphic addresses are not supported for the static NAT destination address.
- Support for disabling service offload in Security Director—Starting in Security Director Release 21.3R1 hot patch V3, we've provided an option to disable service offload on the Edit Profile page of a rule for standard and unified firewall policies. This feature is supported on both logical systems and tenant systems. You can select from the following options:
  - None: Select to delete the configured services-offload setting from the device.
  - Enable: Select to enable service offload. When services-offload is enabled, only the first packets of a session go to the Services Processing Unit (SPU); the remaining packets of the session bypass the SPU, so some security features such as stateful screens are not supported. Only TCP and UDP packets can be services-offloaded.
  - Disable: Select to disable service offload.
- Support to terminate CLI/J-Web edit mode user session—Starting in Security Director Release 21.3R1 hot patch V3, when you retry an update job that failed on devices because of device lock failures, you can log out the user who locked the configuration database from the device CLI or J-Web (the edit-mode user).
Navigate to Monitor > Job Management. Select the job, and then from the More list select Retry on Failed Devices. On the Retry Update Failed Devices page, enable the Evict CLI/J-Web edit mode users option.
Known Issues in Hot Patches
This section lists the known issues in Security Director Release 21.3R1 hot patches.
- The report for root device events displays Logical System (LSYS) and Tenant System (TSYS) events instead of root device events. PR1712069
Resolved Issues in Hot Patches
The following table lists the resolved issues in Security Director Release 21.3R1 hot patches.
| PR | Description | Hot Patch Version |
|---|---|---|
| | Security Director is unable to get the policy hit count using the REST API. | v13 |
| | Security Director API fails to prevent creation of duplicate addresses. | v13 |
| | VPN publishing jobs fail. | v13 |
| | When you perform a GET request for /api/juniper/sd/policy-management/firewall/policies/detailedPolicy/{Policy-ID} for a device that has LSYS, it returns a 500 Internal Server Error. | v13 |
| | The service search functionality in Security Director fails to return the required result. | v13 |
| | User is unable to sort the columns on the Logging Devices page in Security Director. | v12 |
| | Unable to import a firewall rule in Security Director if the rule has a DAG with a missing category. | v12 |
| | After upgrading to Security Director Release 21.3R1, the user is unable to add a device to the VPN profile. | v12 |
| | Security Director displays the device names instead of device IPs under the Device IP column on the Logging Devices page. | v12 |
| | The Auto Policy Sync in Security Director does not work. | v11 |
| | The service search by port number does not work. | v11 |
| | Security Director shows invalid configuration in the update configuration preview. | v11 |
| | The user is unable to edit the policy-based VPN name or description in Security Director. | v11 |
| | There are issues with the VPN profile authentication algorithm after you upgrade Security Director. | v11 |
| | When the user configures a new IPsec VPN profile for route-based hub-and-spoke using the manual pre-shared key option, the output contains multiple security IKE policies instead of only one security IKE policy. | v11 |
| | When you view device changes, Security Director displays the Managed status as Device Changed for several devices. | v11 |
| | Security Director updates multiple policies even when you select only one policy for update. | v11 |
| | Security Director modifies the device setup by adding an additional set of VPN configurations. | v11 |
| | Security Director does not display the correct time zone when you change the time zone using modify configuration. | v11 |
| | Address object import from a CSV file fails. | v11 |
| | Security Director displays the error message "An error occurred while requesting the data" while importing configuration from an SRX4100 device. | v11 |
| | When you try to preview, publish, or update configuration in Security Director, it fails with an error. | v11 |
| | The Maximum Transmission Unit (MTU) is not visible during the edit workflow when provided as the default. | v11 |
| | Security Director is unable to import a firewall policy on SRX4200. | v11 |
| | Save Comments does not work after upgrade to Security Director 22.3. | v11 |
| | Security Director API displays an internal server error during policy edit if the policy is locked. | v11 |
| | When the user performs a snapshot rollback of a policy, Security Director creates a duplicate default IPS policy. | v11 |
| | Security Director deletes the configurations for the policy-based VPNs that do not get imported to Security Director. | v11 |
| | When you try to preview the changes made to a policy before publishing, it fails with | v11 |
| | User is unable to modify a zone with more than a hundred interface units. | v10 |
| | User is unable to import group policies through a zip file and the snapshot rollback policy feature in Security Director. | v10 |
| | The geographical location report shows incorrect data in Security Director. | v10 |
| | Security Director deletes device configuration due to SRX DMI schema 22.1R1.10. | v10 |
| | Security Director fails to import policy zip files with more than 20000 rules. | v10 |
| | Security Director fails to publish the SRX Series cluster policy with | v10 |
| | The search functionality in Security Director does not work properly when you search by port number. | v10 |
| | User is unable to search for the policies after publishing the new device configuration. | v10 |
| | The Application Visibility feature fails with errors. | v10 |
| | SRX Series devices do not show any data in the Intrusion Prevention System (IPS) report with log event IDP_ATTACK_LOG_EVENT_LS. | v9 |
| | In Security Director, Security Director Insights shows the log source as 127.0.0.1 for all logs rather than the SRX IP address or the actual source from which the logs originated. | v8 |
| | The search functionality in Security Director does not work for newly created address objects. | v8 |
| | User is unable to change the destination address for static NAT rules in Security Director. | v8 |
| | Security Director displays the following error message while saving an IPS/NAT policy rule: | v8 |
| | Security Director updates the database with an incorrect cyclic service group. | v8 |
| | User is unable to search for an object in Security Director even when the object exists in Shared Objects. | v8 |
| | When you change the sequence of three or more sets of rules in Security Director, the changed order does not appear correctly after saving the changes. | v7 |
| | The search and find usage functionality does not work properly in Security Director. | v7 |
| | Update to the LSYS fails at times in Security Director. | v7 |
| | Security Director fails to import the security policies with the object address | v6 |
| | Intrusion Detection and Prevention (IDP) signature update continues to install updates on SRX Series devices from IDP files even when the file transfer fails. | v6 |
| | The search functionality in Security Director does not work for newly configured rules. | v6 |
| | Address objects fail to update properly in Security Director. | v5 |
| | The maximum transmission unit (MTU) is set to 1500 by default when the MTU size is not predefined. | v4 |
| | In Security Director, the value of the security log transport TLS profile is incorrectly set to | v4 |
| | Security Director alarms fail to show up after upgrading to 22.1R1. | v4 |
| | Security Director pushes invalid configurations for the IKE gateway fragmentation size. | v4 |
| | Automatic firewall policy in Junos Space Network Management Platform wrongly imports firewall policy rules. | v4 |
| | Unable to add Security Director Insights under Security Director > Administration > Insight Management > Insights Node. | v4 |
| | User is unable to delete files under SD_Device_Config. | v4 |
| | During auto policy sync, unused objects are stuck in firewall/NAT policy updates. | v4 |
| | User is automatically logged out from Security Director despite activity. | v4 |
| | When you update policies, re-synchronize Security Director with the managed device. | v3 |
| | When the user rolls back a firewall policy, the associated IPS policy is created with _1 in the policy name. | v3 |
| | References do not work for dynamic address objects in Security Director. | v3 |
| | Unified Threat Management (UTM) custom categories are deleted from the SSL proxy profile whitelist. | v3 |
| | Security Director fails to export the filtered search for a rule to .pdf format. | v3 |
| | Security Director fails to display the latest device configuration in the preview, and displays the following error message: | v3 |
| | Search functionality does not work as expected. | v3 |
| | Select and save functionalities in Intrusion Prevention System (IPS) policy fail in the firewall rule. | v3 |
| | The user is unable to disable Network Address Translation (NAT) policies on devices. | v3 |
| | The IPS signature update fails with an error. | v3 |
| | The logical system device update fails. | v2 |
| | The user is unable to import URL patterns and categories. | v2 |
| | There are issues with the VPN delete API call. | v2 |
| | The user is unable to delete unused dynamic objects created as a result of import. | v2 |
| | When Security Director Insights is unreachable, the status is not displayed on the Logging Nodes page. | v2 |
| | The Security Director Insights log collector does not display logging devices. | v2 |
| | Security Director is unreachable when node 2 is the VIP node. | v2 |
| | Unable to push a license from Security Director in a multi-node setup. | v1 |
| | Security Director deletes the threat prevention policy that is added via J-Web or device CLI on root and logical systems. | v1 |
| | There are auto policy sync job issues. | v1 |
| | User is unable to add devices to Juniper Security Director Cloud after an on-prem Security Director upgrade. | v1 |
| | User is unable to create or modify variable objects in Security Director. | v1 |
| | IPsec VPN update fails from Security Director due to incorrect CLI for IKE and IPsec VPN profiles. | v1 |
| | Unable to view data on the VPN Monitoring page. | v1 |
| | Packet capture functionality does not work as expected. | v1 |
| | Update firewall policy fails. | v1 |
| | Unable to create a polymorphic object in Security Director. | v1 |
| | The NAT rule Disable option does not work as expected. | v1 |
| | User is unable to view packet capture data for IDP policy. | v1 |