Migrate Policy Enforcer Release 23.1R1 to Policy Enforcer Release 24.1R1.

Starting in Junos Space Security Director Release 24.1R1, you cannot use standalone Policy Enforcer. You'll need to migrate to Policy Enforcer running on Security Director Insights 24.1R1.

You must migrate the standalone Policy Enforcer Release 23.1R1 data to Security Director Insights 24.1R1.

The Policy Enforcer migration procedure is based on the existing backup and restore functionality.

Before migrating Standalone Policy Enforcer to Security Director Insights Policy Enforcer, you must first upgrade from Junos Space Network Management Platform 23.1R1 or Security Director 23.1R1 to Junos Space Network Management Platform 24.1R1 or Security Director 24.1R1 respectively.

For more details on the upgrade procedure, see Upgrade to Junos Space Network Management Platform Release 24.1R1.

To migrate Standalone Policy Enforcer to Security Director Insights Policy Enforcer:

  1. Take a backup of the changes in Security Director Release 23.1R1 and store it on a remote server. Follow the instructions in Policy Enforcer Backup and Restore.

    Before initiating the backup, you must upgrade Standalone Policy Enforcer Release 23.1R1 V2 or Security Director Insights Policy Enforcer to the latest hot patch version available.

  2. Shut down the Policy Enforcer from which the backup was taken.
  3. Add Security Director Insights 24.1 Policy Enforcer to Security Director.
  4. Initiate the restore process as shown in Figure 1.
    Figure 1: Backup and Restore
  5. When the restore process is complete as shown in Figure 2, re-add Policy Enforcer.
    Figure 2: Restore Status
  6. Go to Administration > Policy Enforcer > Settings and enter the required details on the settings window and click OK. See Figure 3 for more details.
    Figure 3: Re-add Policy Enforcer
  7. After Policy Enforcer is configured, a prompt appears asking whether you want to set up the Threat Policies in a guided setup, as shown in Figure 4. Click OK but ignore the guided setup for Threat Policies, as it is redundant.
    Figure 4: Threat Policy Prevention
  8. Navigate to Configure > Threat Prevention > Feed Sources and re-add the realm and assign a site to the realm. This is to sync the feed and device with the realm and Policy Enforcer.
  9. Make sure that the realm syncs after some time and that the feed status is OK, as shown in Figure 5.
    Figure 5: Feed Sources
  10. Ensure that the security intelligence URL and the IP address are displayed for the device. Here is an example:
  11. Navigate to Secure Fabric > Sites and verify that the Feed Source Status shows Success. For more details, see Figure 6.
    Figure 6: Secure Fabric
  12. Navigate to Configure > Threat Prevention > Policies > Threat Prevention Policies and verify the status of the policy recovered from backup. For details, see Figure 7.
    Figure 7: Threat Prevention Policies
  13. Click Update required under the status tab for Threat Prevention Policies and proceed with the update.
    Older policies are replaced by the newer ones, as shown in Figure 8.
    Figure 8: Policy Change List
  14. Go to Configure > Shared Objects > Geo IP, perform the Geo IP analysis, and update the generated policies to the device. For details, see Figure 9.
    Figure 9: Geo IP
  15. Go to Administration > Policy Enforcer > Connectors as shown in Figure 10.
    Figure 10: Connectors
    The status of the connector shows Inactive by default.
  16. Modify or delete and re-add the failed connectors to make them active.
    If you re-add the connector by editing the existing connector, you must perform the following:
    • Re-add the credentials and the PEM file.

    • Ensure that you have selected the other values for tags correctly.

    Migration of Standalone Policy Enforcer to Security Director Insights Policy Enforcer is complete.
    Note:

    The migrated custom feed may take approximately 10 minutes to sync because of the internal activities involved in schema versioning and manifest generation, which make the feeds available for consumption by SRX devices. The time consumed depends on the feed type and feed volume.