Domain RBAC Overview
A domain is a boundary within which you interact with the system. A Junos Space Network Management Platform domain encompasses a set of Junos Space objects; it enforces access, controls visibility, and scopes the management of network objects. Creating a domain creates a container for interacting with the system. Devices are the key elements in a domain. You use domains and the devices assigned to them to build a device-management partitioning scheme that supports role-based access control (RBAC).
Domains let you partition a network from the management point of view. You can carve up the network on whatever criteria you choose while giving each group of users management access to only their devices. At the same time, domains allow controlled sharing of objects and enforcement of certain configuration. Child domains can access objects in the Global domain only in read-only mode, and only if the view parent setting is enabled for the child domain. Access across peer domains is never allowed. This kind of partitioning is needed by both managed security service providers (MSSPs) and enterprise customers. The Network Management Platform lets users manage objects from all permitted domains in a single aggregated view; Security Director does not offer that aggregated view, so you work in one domain at a time. Starting in Security Director 15.2, RBAC is available on the Administration tab, under the Users & Roles section of the left navigation pane.
The following sections explain the impact of domain RBAC on Security Director objects and services.
About Domains
By default, Junos Space, and therefore Security Director, comes with only the Global domain defined. New domains are created as child domains of the Global domain. When you create a domain, you also work with roles and users. Figure 1 shows a simple domain scheme that is used as a reference throughout this document. For more information about creating domains, see Creating Domains in Security Director.

Working with Roles
Roles are used to group access permissions for easier assignment to users. For example, the Super Administrator role assigns read and write access to all aspects of Junos Space, Security Director, and the functions within. On the other hand, the Domain Administrator has read and write access to some functions, read-only access to other functions, and no access to some other functions. Security Director comes with several predefined roles that cannot be changed, including the Super Administrator and the Domain Administrator. User-defined roles can be created by cloning and then editing the predefined roles or by creating new roles from scratch. Users are assigned to roles during the creation of their accounts or by editing the user accounts after creation.
Users can be assigned to multiple roles. Permissions from multiple roles combine additively: where two roles conflict, the least restrictive permission wins. For example, suppose the Administrative Auditor role restricts users to only viewing report definitions and the Report Definition Administrator role allows users to modify report definitions. A user assigned to both roles can modify report definitions. Keep this in mind before adding a broad role to an account that already holds a narrow one; the narrow role does not constrain the broad one. Figure 2 illustrates this principle.

Working with Users
User accounts can be thought of as the recipients of RBAC policies. In Security Director, users are assigned to specific domains and to specific roles. Access to domains defines which devices and objects users can work with and assignment of users to roles defines what functions users can perform on the objects to which they have access. For more information about working with users, see Creating Users in Security Director.
Figure 3 shows the Global domain view of the Junos Space users list. Note the Assigned Domain column outlined in green.

About Objects or Services
Prior to domain RBAC, write permission on a domain was all you needed to create an object or service in it. With domain RBAC, you must also be working in that domain: having access to it is not enough while your view is switched to a different domain. For example, suppose you have the domains D1, D2, and Global. To create an object in D1, you must first switch your view to the D1 domain.
You cannot create an object or service in one domain while you are in a different domain.
In Security Director Release 13.2 and later, the REST API cannot be used to create objects in child domains, even if the user account used with the API has write access to the child domain. All objects created through the REST API are created in the Global domain.
All the objects that are created internally as part of an operation are part of the domain in which the operation is triggered. For example, all audit logs for an operation are created in the domain in which the operation is triggered.
- Reading or Viewing Objects or Services
- Updating or Modifying Objects or Services
- Deleting Objects or Services
- Referencing Objects
- Moving Objects Across Domains
- Naming Objects in a Domain
Reading or Viewing Objects or Services
You can view all objects in a domain to which you have access. In Security Director, you must switch the view to the D1 domain to view objects in that domain. If you have read access to both the D1 and D2 domains, you cannot see D2 domain objects from the D1 domain view, and vice versa. You can see objects in the Global domain from the D1 domain, provided the D1 domain has view parent permission. You cannot see D1 or D2 objects from the Global domain.
The ability to read or write objects in any given domain depends on switching your view to that specific domain from the Domains menu. However, Security Director also lets you view objects in the parent domain as read-only if the view parent setting is enabled. For example, given the domain structure shown in Figure 1, the resulting views of the shared address objects in domains D1 and D2 are shown in Figure 4 and Figure 5, respectively.

In the D1 Domain view, address objects from the System, Global, and D1 Domains are visible. These address objects can be used with devices and policies in the D1 Domain.

Because the view parent setting is disabled in D2, the only visible addresses in the D2 domain are the ones that exist in the System Domain. Any address created later in the D2 Domain would also show in this view.
Updating or Modifying Objects or Services
To modify a domain object through Security Director, you must switch to that domain. You cannot switch to a domain for which you do not have access. You cannot modify an object in one domain if you are in a different domain.
Modifying objects through REST is ID based. To modify an object in a domain, you must have write access to that domain and your user role must include modify permissions for the object type in question. Objects in the System domain are in read-only mode so you cannot modify them.
Deleting Objects or Services
To delete a domain object through Security Director, you must switch to that domain. You cannot delete an object in one domain if you are in a different domain.
Deleting objects through REST is ID based. To delete an object in a domain, you must have write access to that domain and your user role must include delete permissions for the object type in question. Objects in the System domain are in read-only mode so you cannot delete them.
Referencing Objects
An object can always reference another object in the same domain, with no restrictions. An object in the D1 domain can reference other objects in the D1 domain. Across domains, an object may reference objects in its own domain or in its parent domain, but never in a peer or child domain: a D1 object can reference objects in the D1 domain or in its parent, the Global domain, but D1 objects cannot reference D2 objects, and objects in the Global domain cannot reference objects in the child domains D1 and D2. See Figure 6.

Devices are the exception to this rule, and for them the direction is reversed. Objects in the Global domain can reference devices in the Global domain or in a child domain such as D1, but objects in the D1 domain cannot reference devices in the Global domain. A policy in the parent domain can therefore be applied to devices in its child domains, while a child-domain policy is confined to its own devices.
Services cannot reference other services even within the same domain.
Moving Objects Across Domains
In general, you can move objects from one domain to another; for example, from the D1 domain to the Global domain and from the Global domain back to the D1 domain. Each move is validated against the reference rules above, and a move that would leave a reference pointing across a forbidden boundary is rejected. Moving an object becomes complex when the object is referenced by another object. An object in the D1 domain can be moved up to the Global domain even if it is referenced by another object in the D1 domain or the Global domain, because after the move that reference still points at the parent domain. However, an object cannot be moved from the Global domain down to the D1 domain if it is referenced by another object in the Global domain, because Global objects cannot reference child-domain objects.
Devices follow the reversed rule. You can move a device from the Global domain to the D1 domain if the device is used by an object in either the Global or the D1 domain. However, you cannot move a device from the D1 domain to the Global domain if an object in the D1 domain is using that device, because a D1 object cannot reference a Global device.
To move a device that is part of a cluster, you must move both members of the cluster. You cannot move only the primary or only the secondary device. You can move an object from the D1 domain to the Global domain only if you have write access to the Global domain and view parent access enabled in the D1 domain.
Naming Objects in a Domain
The name of an object must be unique within its domain hierarchy, which consists of the current domain, its parent, and its child domains. For example, objects with the same name cannot be created in both the D1 and Global domains, whereas D1 and D2 are peers and do not constrain each other's names.
All name validations treat the domain as one of the constraints.
The object name must be a string that begins with a letter or digit and consists of alphanumeric characters, colons, periods, slashes, dashes, and underscores. The name must not contain the characters &, <, or >, or a newline.
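The visibility, cross-domain reference, and naming rules from the Reading or Viewing, Referencing Objects, and Naming Objects sections above can be checked mechanically before you try an operation and have the UI reject it. The following is an added example written for this page, not Juniper code: it models the Figure 1 scheme (Global with children D1 and D2, view parent enabled only on D1), a constructed inventory of sample objects and devices, and one-level view-parent visibility, which is an assumption on this page's description.

```python
"""Toy model of the domain RBAC rules described on this page.
Added example, not Juniper code: domain names, object names and the
inventory below are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Optional

SYSTEM = "System"  # predefined, read-only objects; visible from every domain

@dataclass(eq=False)
class Domain:
    name: str
    parent: Optional["Domain"] = None
    view_parent: bool = False  # the domain's "view parent" setting
    children: list = field(default_factory=list)

    def __post_init__(self):
        if self.parent is not None:
            self.parent.children.append(self)

    def ancestors(self):
        d = self.parent
        while d is not None:
            yield d
            d = d.parent

@dataclass(eq=False)
class Obj:
    name: str
    domain: str
    kind: str = "address"  # "address", "service", "policy", "device", ...

# Constructed domain tree matching the page's Figure 1 scheme: Global with
# children D1 (view parent on) and D2 (view parent off).
GLOBAL = Domain("Global")
D1 = Domain("D1", parent=GLOBAL, view_parent=True)
D2 = Domain("D2", parent=GLOBAL, view_parent=False)
DOMAINS = {d.name: d for d in (Domain(SYSTEM), GLOBAL, D1, D2)}

# Constructed sample inventory (names are invented for the example).
OBJECTS = [
    Obj("any", SYSTEM),
    Obj("corp-net", "Global"),
    Obj("srx-hub", "Global", kind="device"),
    Obj("branch-a", "D1"),
    Obj("srx-d1", "D1", kind="device"),
    Obj("branch-b", "D2"),
    Obj("srx-d2", "D2", kind="device"),
]

def visible_domains(view: Domain) -> set:
    """Domains whose objects show when the UI is switched to `view`: System and
    the domain itself always, the immediate parent only if view parent is
    enabled (assumed to be one level), never children, never peers."""
    vis = {SYSTEM, view.name}
    if view.view_parent and view.parent is not None:
        vis.add(view.parent.name)
    return vis

def visible_objects(view_name: str) -> list:
    vis = visible_domains(DOMAINS[view_name])
    return sorted(o.name for o in OBJECTS if o.domain in vis)

def can_reference(src: Obj, dst: Obj) -> bool:
    """Cross-domain reference rules. Same domain is always fine (except
    service -> service). Otherwise a non-device target must sit in an
    ancestor of the source's domain; a device target is the exception and
    must sit in a descendant (parent-domain policy -> child-domain device)."""
    if src.kind == "service" and dst.kind == "service":
        return False
    if dst.domain == SYSTEM or src.domain == dst.domain:
        return True
    s, d = DOMAINS[src.domain], DOMAINS[dst.domain]
    if dst.kind == "device":
        return s in d.ancestors()
    return d in s.ancestors()

# Allowed characters from the page: leading letter/digit, then letters, digits,
# ':', '.', '/', '-', '_'. '&', '<', '>' and newlines fall out automatically.
# fullmatch() without a trailing '$' is deliberate: '$' would accept "name\n".
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9:./_-]*")

def name_scope(target: Domain) -> set:
    """Uniqueness scope: the target domain, its parent and its children.
    Peers (D1 vs D2) are not in scope, so they may reuse a name."""
    scope = {target.name}
    if target.parent is not None:
        scope.add(target.parent.name)
    scope.update(c.name for c in target.children)
    return scope

def validate_new_object(name: str, target_name: str) -> str:
    """Return 'ok', 'invalid-name' or 'duplicate' for creating `name` in `target_name`."""
    target = DOMAINS[target_name]
    if not NAME_RE.fullmatch(name):
        return "invalid-name"
    if any(o.name == name and o.domain in name_scope(target) for o in OBJECTS):
        return "duplicate"
    return "ok"

if __name__ == "__main__":
    for view in ("Global", "D1", "D2"):
        print(f"{view:6} view sees: {visible_objects(view)}")
    print("D1 policy -> Global address:", can_reference(Obj("p", "D1", "policy"), OBJECTS[1]))
    print("Global policy -> D1 device: ", can_reference(Obj("p", "Global", "policy"), OBJECTS[4]))
    print("create 'corp-net' in D1:    ", validate_new_object("corp-net", "D1"))
```

The device branch of `can_reference` is the one worth studying: it is the only place where a reference is allowed to point down the tree, and it is exactly what lets a Global policy be assigned to child-domain devices while keeping a D1 policy off the hub device in Global. Run the file directly to print the three views and the reference checks.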
About Predefined Objects
All Security Director predefined objects are in the System domain. The predefined services, addresses, signatures, and so on are visible from all the domains in read-only mode.
All device-specific predefined objects are also in the System domain. When a new predefined object is discovered during the device discovery process, that object is also placed in the System domain. The All Device policy is placed in the Global domain and you can modify that policy.