- play_arrow Junos Space Security Director
- play_arrow Dashboard
- play_arrow Overview
-
- play_arrow Devices
- play_arrow Security Devices
- Using Features in Security Devices
- Security Devices Overview
- Add Devices to Juniper Security Director Cloud
- Updating Security-Specific Configurations or Services on Devices
- Resynchronizing Managed Devices with the Network in Security Director
- Performing Commit Check
- Logical Systems Overview
- Tenant Systems Overview
- Create a Logical System
- Create a Tenant System
- Uploading Authentication Keys to Devices in Security Director
- Modifying the Configuration of Security Devices
- Modifying the Basic Configuration for Security Devices
- Modifying the Static Routes Configuration for Security Devices
- Modifying the Routing Instances Configuration for Security Devices
- Modifying the Physical Interfaces Configuration for Security Devices
- Modifying the Syslog Configuration for Security Devices
- Modifying the Security Logging Configuration for Security Devices
- Modifying the Link Aggregation for Security Devices
- Modifying the User Management Configuration for Security Devices
- Modifying the Screens Configuration for Security Devices
- Modifying the Zones Configuration for Security Devices
- Modifying the IPS Configuration for Security Devices
- Modifying the SSL Initiation Profile for Security Devices
- Modifying the ICAP Redirect Profile for Security Devices
- Configuring Aruba ClearPass for Security Devices
- Configuring APBR Tunables for Security Devices
- Modifying the Express Path Configuration for Security Devices
- Modifying the Device Information Source Configuration for Security Devices
- Viewing the Active Configuration of a Device in Security Director
- Deleting Devices in Security Director
- Rebooting Devices in Security Director
- Resolving Key Conflicts in Security Director
- Launching a Web User Interface of a Device in Security Director
- Connecting to a Device by Using SSH in Security Director
- Importing Security Policies to Security Director
- Importing Device Changes
- Viewing Device Changes
- Viewing and Exporting Device Inventory Details in Security Director
- Previewing Device Configurations
- Refreshing Device Certificates
- Assigning Security Devices to Domains
- Acknowledging Device SSH Fingerprints in Security Director
- Viewing Security Device Details
- Security Devices Main Page Fields
- play_arrow Device Discovery
- Overview of Device Discovery in Security Director
- Creating Device Discovery Profiles in Security Director
- Editing, Cloning, and Deleting Device Discovery Profiles in Security Director
- Running a Device Discovery Profile in Security Director
- Viewing the Device Discovery Profile Details in Security Director
- Device Discovery Main Page Fields
- play_arrow Secure Fabric
- play_arrow NSX Managers
- Understanding Juniper Connected Security for VMware NSX Integration
- Understanding Juniper Connected Security for VMware NSX-T Integration
- Before You Deploy vSRX in VMware NSX Environment
- Before You Deploy vSRX in VMware NSX-T Environment
- About the NSX Managers Page
- Download the SSH Key File
- Add the NSX Manager
- Registering Security Services
- Editing NSX Managers
- Viewing Service Definitions
- Deleting the NSX Manager
- Delete the NSX-T Manager
- Deploying the vSRX as an Advanced Security Service in a VMware NSX Environment
- Deploy the vSRX as an Advanced Security Service in a VMware NSX-T Environment
- play_arrow vCenter Servers
- play_arrow Licenses
-
- play_arrow Configure
- play_arrow Firewall Policy-Standard Policies
- Firewall Policies Overview
- Policy Ordering Overview
- Creating Firewall Policies
- Firewall Policies Best Practices
- Creating Firewall Policy Rules
- Rule Base Overview
- Firewall Policy Locking Modes
- Rule Operations on Filtered Rules Overview
- Create and Manage Policy Versions
- Assigning Devices to Policies
- Comparing Policies
- Export Policies
- Creating Custom Columns
- Promoting to Group Policy
- Converting Standard Policy to Unified Policy
- Probe Latest Policy Hits
- Disable Firewall Policy Rules Based on Hits Over a Specified Duration
- Viewing and Synchronizing Out-of-Band Firewall Policy Changes Manually
- Importing Policies
- Delete and Replace Policies and Objects
- Unassigning Devices from Policies
- Edit and Clone Policies and Objects
- Publishing Policies
- Showing Duplicate Policies and Objects
- Show and Delete Unused Policies and Objects
- Updating Policies on Devices
- Firewall Policies Main Page Fields
- Firewall Policy Rules Main Page Fields
- play_arrow Firewall Policy-Unified Policies
- play_arrow Firewall Policy-Devices
- play_arrow Firewall Policy-Schedules
- play_arrow Firewall Policy-Profiles
- Understanding Firewall Policy Profiles
- Understanding Captive Portal Support for Unauthenticated Browser Users
- Creating Firewall Policy Profiles
- Edit and Clone Policies and Objects
- Delete and Replace Policies and Objects
- Assigning Policies and Profiles to Domains
- Firewall Policy Profiles Main Page Fields
- play_arrow Firewall Policy-Templates
- play_arrow Firewall Policy-Secure Web Proxy
- play_arrow Firewall Policy-DNS Security & ETI Profile
- play_arrow Firewall Policy-DNS Security & ETI Policy
- play_arrow Firewall Policy-DNS Sinkhole
- play_arrow Firewall Policy-DNS Filter
- play_arrow Environment
- play_arrow Application Firewall Policy-Policies
- play_arrow Application Firewall Policy-Signatures
- play_arrow Application Firewall Policy-Redirect Profiles
- play_arrow SSL Profiles
- play_arrow User Firewall Management-Active Directory
- play_arrow User Firewall Management-Access Profile
- play_arrow User Firewall Management-Address Pools
- play_arrow User Firewall Management-Identity Management
- play_arrow User Firewall Management-End User Profile
- play_arrow IPS Policy-Policies
- Understanding IPS Policies
- Creating IPS Policies
- Creating IPS Policy Rules
- Publishing Policies
- Updating Policies on Devices
- Assigning Devices to Policies
- Create and Manage Policy Versions
- Creating Rule Name Template
- Export Policies
- Unassigning Devices to Policies
- Viewing and Synchronizing Out-of-Band IPS Policy Changes Manually
- Edit and Clone Policies and Objects
- Delete and Replace Policies and Objects
- Assigning Policies and Profiles to Domains
- IPS Policies Main Page Fields
- Configure IPS Policy in a Firewall Policy
- Import a Firewall Policy that Has IPS Policy Configured
- play_arrow IPS Policy-Devices
- play_arrow IPS Policy-Signatures
- play_arrow IPS Policy-Templates
- play_arrow NAT Policy-Policies
- NAT Overview
- NAT Global Address Book Overview
- Creating NAT Policies
- Publishing Policies
- NAT Policy Rules Main Page Field
- Creating NAT Rules
- Updating Policies on Devices
- Edit and Clone Policies and Objects
- Delete and Replace Policies and Objects
- Assigning Policies and Profiles to Domains
- Comparing Policies
- Create and Manage Policy Versions
- Export Policies
- Assigning Devices to Policies
- Unassigning Devices to Policies
- Creating Rule Name Template
- Viewing and Synchronizing Out-of-Band NAT Policy Changes Manually
- Configuring NAT Rule Sets
- Auto Grouping
- NAT Policies Main Page Fields
- play_arrow NAT Policy-Devices
- play_arrow NAT Policy-Pools
- play_arrow NAT Policy-Port Sets
- play_arrow Content Security Policy-Policies
- Content Security Overview
- Creating Content Security Policies
- Comparing Policies
- Delete and Replace Policies and Objects
- Viewing Policy and Shared Object Details
- Assigning Policies and Profiles to Domains
- Showing Duplicate Policies and Objects
- Edit and Clone Policies and Objects
- Show and Delete Unused Policies and Objects
- Content Security Policies Main Page Fields
- play_arrow Content Security Policy-Web Filtering Profiles
- play_arrow Content Security Policy-Category Update
- play_arrow Content Security Policy-Antivirus Profiles
- play_arrow Content Security Policy-Antispam Profiles
- play_arrow Content Security Policy-Content Filtering Profiles
- play_arrow Content Security Policy-Global Device Profiles
- play_arrow Content Security Policy-Default Configuration
- play_arrow Content Security Policy-URL Patterns
- play_arrow Content Security Policy-Custom URL Categories
- play_arrow Application Routing Policies
- Understanding Application-Based Routing
- About the Application Routing Policies Page
- Configuring Advanced Policy-Based Routing Policy
- About the Rules Page (Advanced Policy-Based Routing)
- Creating Advanced Policy-Based Routing Rules
- About the App Based Routing Page
- Edit and Clone Policies and Objects
- Assigning Devices to Policies
- Customizing Profile Names
- Publishing Policies
- Updating Policies on Devices
- play_arrow Threat Prevention - Policies
- play_arrow Threat Prevention - Feed Sources
- About the Feed Sources Page
- Juniper ATP Cloud Realm Overview
- Juniper ATP Cloud Malware Management Overview
- Juniper ATP Cloud Email Management Overview
- File Inspection Profiles Overview
- Juniper ATP Cloud Email Management: SMTP Settings
- Configure IMAP Settings
- Creating Juniper ATP Cloud Realms and Enrolling Devices or Associating Sites
- Modifying Juniper ATP Cloud Realm
- Creating File Inspection Profiles
- Creating Allowlist for Juniper ATP Cloud Email and Malware Management
- Creating Blocklists for Juniper ATP Cloud Email and Malware Management
- Add ATP Appliance Server
- Edit or Delete a ATP Appliance Server
- Custom Feed Sources Overview
- Creating Custom Feeds
- Example: Creating a Dynamic Address Custom Feed and Firewall Policy
- Configuring Settings for Custom Feeds
- play_arrow IPsec VPN-VPNs
- IPsec VPN Overview
- Create a Site-to-Site VPN
- Create a Hub-and-Spoke (Establishment All Peers) VPN
- Create a Hub-and-Spoke (Establishment by Spokes) VPN
- Create a Hub-and-Spoke Auto Discovery VPN
- Create a Full Mesh VPN
- Create a Remote Access VPN—Juniper Secure Connect
- Create a Remote Access VPN—NCP Exclusive Client
- IPsec VPN Global Settings
- Understanding IPsec VPN Modes
- Comparison of Policy-Based VPNs and Route-Based VPNs
- Understanding IPsec VPN Routing
- Understanding IKE Authentication
- Publishing IPsec VPNs
- Updating IPSec VPN
- Modify IPsec VPN Settings
- Viewing Tunnels
- Importing IPsec VPNs
- Deleting IPSec VPN
- IPsec VPN Main Page Fields
- play_arrow IPsec VPN-Extranet Devices
- play_arrow IPsec VPN-Profiles
- play_arrow Insights
- About the Log Parsers Page
- Create a New Log Parser
- Edit and Delete a Log Parser
- About the Log Sources Page
- Add a Log Source
- Edit and Delete a Log Source
- View Log Statistics
- About the Event Scoring Rules Page
- Create an Event Scoring Rule
- Edit and Delete Event Scoring Rules
- About the Incident Scoring Rules Page
- Create an Incident Scoring Rule
- Edit and Delete Incident Scoring Rules
- play_arrow Shared Objects-Geo IP
- play_arrow Shared Objects-Policy Enforcement Groups
- play_arrow Shared Objects-Addresses
- play_arrow Shared Objects-Services
- play_arrow Shared Objects-Variables
- play_arrow Shared Objects-Zone Sets
- Understanding Zone Sets
- Creating Zone Sets
- Edit and Clone Policies and Objects
- Delete and Replace Policies and Objects
- Finding Usages for Policies and Objects
- Show and Delete Unused Policies and Objects
- Showing Duplicate Policies and Objects
- Viewing Policy and Shared Object Details
- Zone Sets Main Page Fields
- play_arrow Shared Objects-Metadata
- play_arrow Change Management-Change Requests
- Change Control Workflow Overview
- Creating a Firewall or NAT Policy Change Request
- About the Changes Submitted Page
- Approving and Updating Changes Submitted
- Creating and Updating a Firewall Policy Using Change Control Workflow
- Editing, Denying, and Deleting Change Requests
- About the Changes Not Submitted Page
- Discarding Policy Changes
- Viewing Submitted and Unsubmitted Policy Changes
- play_arrow Change Management-Change Request History
- play_arrow Overview of Policy Enforcer and Juniper ATP Cloud
- play_arrow Concepts and Configuration Types to Understand Before You Begin (Policy Enforcer and Juniper ATP Cloud)
- Policy Enforcer Components and Dependencies
- Policy Enforcer Configuration Concepts
- Juniper ATP Cloud Configuration Type Overview
- Features By Juniper ATP Cloud Configuration Type
- Available UI Pages by Juniper ATP Cloud Configuration Type
- Comparing the Juniper Connected Security and non-Juniper Connected Security Configuration Steps
- play_arrow Configuring Policy Enforcer Settings and Connectors
- Policy Enforcer Settings
- Policy Enforcer Connector Overview
- Creating a Policy Enforcer Connector for Public and Private Clouds
- Creating a Policy Enforcer Connector for Third-Party Switches
- Editing and Deleting a Connector
- Viewing VPC or Projects Details
- Integrating ForeScout CounterACT with Juniper Networks Connected Security
- ClearPass Configuration for Third-Party Plug-in
- Cisco ISE Configuration for Third-Party Plug-in
- Integrating Pulse Policy Secure with Juniper Networks Connected Security
- Policy Enforcer Backup and Restore
- Configure Certificate-Based Authentication in Policy Enforcer
- play_arrow Guided Setup-ATP Cloud with SDSN
- play_arrow Guided Setup-ATP Cloud
- play_arrow Guided Setup for No ATP Cloud (No Selection)
- play_arrow Manual Configuration- ATP Cloud with SDSN
- play_arrow Manual Configuration-ATP Cloud
- play_arrow Cloud Feeds Only Threat Prevention
- play_arrow Configuring No ATP Cloud (No Selection) (without Guided Setup)
- play_arrow Migration Instructions for Spotlight Secure Customers
-
- play_arrow Reports
- play_arrow Administration
- play_arrow My Profile
- play_arrow Users and Roles-Users
- Overview of Users in Security Director
- Creating Users in Security Director
- Editing and Deleting Users in Security Director
- Viewing and Terminating Active User Sessions in Security Director
- Viewing the User Details in Security Director
- Clearing Local Passwords for Users in Security Director
- Disabling and Enabling Users in Security Director
- Unlocking Users in Security Director
- Users Main Page Fields
- play_arrow Users and Roles-Roles
- play_arrow Users and Roles-Domains
- Overview of Domains in Security Director
- Creating Domains in Security Director
- Edit and Delete Domains in Security Director
- Exporting Domains in Security Director
- Viewing Users, Devices, and Remote Profiles Assigned to a Domain in Security Director
- Assigning Devices to Domains in Security Director
- Assigning and Unassigning Remote Profiles to Domains in Security Director
- Assigning and Unassigning Users to Domains in Security Director
- Domains Main Page Fields
- play_arrow Users and Roles-Remote Profiles
- play_arrow Logging Management
- play_arrow Logging Management-Logging Nodes
- play_arrow Logging Management-Statistics & Troubleshooting
- play_arrow Logging Management-Logging Devices
- play_arrow Monitor Settings
- play_arrow Signature Database
- play_arrow License Management
- play_arrow Migrating Content from NSM to Security Director
- play_arrow Policy Sync Settings
- play_arrow Insights Management
- Add Insights Nodes
- About the Alerts Settings Page
- Create a New Alert Setting
- Configure System Settings
- About the Identity Settings Page
- Add JIMS Configuration
- Edit and Delete an Identity Setting
- Configure Mitigation Settings
- About the Threat Intelligence Page
- Configure Threat Intelligence Source
- Edit and Delete Threat Intelligence Source
- About the ServiceNow Configuration Page
- About the Backup & Restore Page
- Create a Backup File and Restore the Configuration
- Download and Delete a Backup File
-
Events and Logs Overview
Use the Events and Logs page to get an overall, high‐level view of your network environment. You can view abnormal events, attacks, viruses, or worms when log data is correlated and analyzed.
This page provides administrators with an advanced filtering mechanism and provides visibility into actual events collected by the Log Collector. Using the time-frame slider, you can instantly focus on areas of unusual activity by dragging the time slider to the area of interest to you. The slider and the Custom button under Time Range remain at the top of each tab. Users select the time range, and then they can decide how to view the data, using the summary view or detail view tabs.
By default, you can view data for all the devices. To view data for a specific device, click on the link beside Devices and select a device.
Starting in Junos Space Security Director Release 21.2R1, Tenant Systems (TSYS) devices are also supported.
To access the Event Viewer page select Monitor > Events & Logs > All Events.
Events & Logs—Summary View
Click Summary View for a brief summary of all the events in your network. At the center of the page is critical information, including total number of events, viruses found, total number of interfaces that are down, number of attacks, CPU spikes, and system reboots. This data is refreshed automatically based on the selected time range. At the bottom of the page is a swim-lane view of different events that are happening at a specific time. The events include firewall, Web filtering, VPN, content filtering, antispam, antivirus, IPS, ATP Cloud, Screen, and Apptrack. Each event is color‐coded, with darker shades representing a higher level of activity. Each tabs provide deep information like type, and number of events occurring at that specific time.
See Table 1 the descriptions of the widgets in this view.
Widget | Description |
|---|---|
Total Events | Total number of all the events that includes firewall, webfiltering, IPS, IPSec, content filtering, antispam, and antivirus events. |
Virus Instances | Total number of virus instances running in the system. |
Attacks | Total number of attacks on the firewall. |
Interface Down | Total number of interfaces that are down. |
CPU Spikes | Total number of times a CPU utilization spike has occurred. |
Reboots | Total number of system reboots. |
Sessions | Total number of sessions established through firewall. |
Events & Logs—Detail View
Click Detail View for comprehensive details of events in a tabular format that includes sortable columns. You can sort the events using the Group by option. For example, you can sort the events based on severity. The table includes information such as the rule that caused the event, severity for the event, event ID, traffic information, and how and when the event was detected.
Select the Export to CSV option from the grid settings pane to export and download the log data in CSV file.
The Legacy Node option is displayed in the event viewer after the legacy log collector node is added on the Logging Nodes page. We’ve added the legacy log collector support for read-only purpose to view existing log collector data. New logs should point to Security Director Insights VM as the log collector. Select the Legacy Node checkbox to view the existing log collector data. When you clear the Legacy Node checkbox, Security Director Insights log collector data is displayed.
See Table 2 for field descriptions.
Field | Description |
|---|---|
Log Generated Time | The time when the log was generated on the SRX Series device. |
Log Received Time | The time when the log was received on the log collector. |
Event Name | The event name of the log |
Source Country | The source country name. |
Source IP | The source IP address from where the event occurred. |
Destination Country | Destination country name from where the event occurred. |
Destination IP | The destination IP address of the event. |
Source Port | The source port of the event. |
Destination Port | The destination port of the event. |
Description | The description of the log. |
Attack name | Attack name of the log: Trojan, worm, virus, and so on. |
Threat Severity | The severity level of the threat. |
Policy Name | The policy name in the log. |
Content Security category or Virus Name | The Content Security category of the log. |
URL | Accessed URL name that triggered the event. |
Event category | The event category of the log. |
User Name | The username of the log. |
Action | Action taken for the event: warning, allow, and block. |
Log Source | The IP address of the log source. |
Application | The application name from which the events or logs are generated |
Hostname | The host name in the log. |
Service Name | The name of the application service. For example, FTP, HTTP, SSH, and so on. |
Nested Application | The nested application in the log. |
Source Zone | The source zone of the log. |
Destination Zone | The destination zone of the log. |
Protocol ID | The protocol ID in the log. |
Roles | The role name associated with the log. |
Reason | The reason for the log generation. For example, a connection tear down may have an associated reason such as authentication failed. |
NAT Source Port | The translated source port. |
NAT Destination Port | The translated destination port. |
NAT Source Rule Name | The NAT source rule name. |
NAT Destination Rule Name | The NAT destination rule name. |
NAT Source IP | The translated (or natted) source IP address. It can contain IPv4 or IPv6 addresses. |
NAT Destination IP | The translated (also called natted) destination IP address. |
Traffic Session ID | The traffic session ID of the log. |
Path Name | The path name of the log. |
Logical system Name | The name of the logical system. |
Rule Name | The name of the rule. |
Profile Name | The name of the All events profile that triggered the event. |
Client Hostname | Hostname of the client. |
Malware Info | Information of the malware. |
Logical Subsystem Name | The name of the logical system in JSA logs. |
Advanced Search
You can perform advanced search of all events using the search text box present above the grid. It includes the logical operators as part of the filter string. Enter the search string in the text box and based on your input, a list of items from the filter context menu is displayed. You can select a value from the list and then select a valid operator based on which you want to perform the advanced search operation. Press Spacebar to provide AND operator and OR operator. After you have entered the search string, press Enter to display the search result in the grid.
In the search text box, when you hover over the icon, it displays an example filter condition. When you start entering the search string, the icon indicates whether the filter string is valid or not. While entering a search criteria, when you press backspace at any point of time, only one character is deleted.
Starting in Junos Space Security Director Release 19.2R1, in addition to the manual search using keywords, you can drag and drop the values from non-empty cells in the grid into the event viewer search bar. The value is added as the search criterion and the search results are displayed. You can drag and drop only searchable cells. When you hover over the rows in event viewer, searchable cells are displayed with blue background. If a cell is not searchable, there is no change in the background color. If you drag a searchable cell without any value or if the value = ’–’, you cannot drop the contents of such cells. If the search bar already has a search criterion, all the subsequent drag and drop search criteria are prepended by ‘AND’. After dropping the value in the search bar, the search condition is refreshed in the grid. This applies to both simple and complex search filters.
You can perform complex filtering using AND and OR logical operators, and brackets to group the search tokens.
For example: (Name = one and id = 11) or (Name = two and id = 12)
The precedence level of the AND logical operator is higher than OR. In the following filter query, Condition2 AND Condition3 is evaluated before the OR operator.
For example: Condition1 OR Condition2 AND Condition3
To override this, use parentheses explicitly. In the below filter query, expression inside the parentheses is evaluated first.
For example: ( Condition1 OR Condition2 ) AND Condition3
Filter Rule | Example |
|---|---|
Enter a comma for an OR filter. | Name=test,site is the same as Name=test OR Name=site |
Enter parentheses to combine AND and OR functionality. | Source Country = France AND (Event Name = RT_Flowsession_Close OR Event Category = Firewall) |
Enter double quotes for terms with spaces. | "San Jose" |
Following are some of the examples for event log filters:
Specific events originating from or landing within United States
Source Country = United States OR Destination Country = United States AND Event Name = IDP_ATTACK_LOG_EVENT, IDP_ATTACK_LOG_EVENT_LS, IDP_APPDDOS_APP_ATTACK_EVENT_LS, IDP_APPDDOS_APP_STATE_EVENT, IDP_APPDDOS_APP_STATE_EVENT_LS, AV_VIRUS_DETECTED_MT, AV_VIRUS_DETECTED, ANTISPAM_SPAM_DETECTED_MT, ANTISPAM_SPAM_DETECTED_MT_LS, FWAUTH_FTP_USER_AUTH_FAIL, FWAUTH_FTP_USER_AUTH_FAIL_LS, FWAUTH_HTTP_USER_AUTH_FAIL, FWAUTH_HTTP_USER_AUTH_FAIL_LS, FWAUTH_TELNET_USER_AUTH_FAIL, FWAUTH_TELNET_USER_AUTH_FAIL_LS, FWAUTH_WEBAUTH_FAIL,FWAUTH_WEBAUTH_FAIL_LS
Traffic between zone pairs for policy – IDP2
Source Zone = trust AND Destination Zone = untrust,internal AND Policy Name = IDP2
Events with specific sources IPs or events hitting htp, tftp, http, and unknown applications coming from host DC-SRX1400-1 or vSRX Virtual Firewall-75.
Application = tftp,ftp,http,unknown OR Source IP = 192.168.34.10,192.168.1.26 AND Hostname = dc-srx1400-1,vSRX Virtual Firewall-75
Role-Based Access Control for Event Viewer
Role-Based Access Control (RBAC) has the following impact on the Event Viewer:
You must have Security Analyst or Security Architect or have permissions equivalent to that role to access the event viewer.
You cannot view event logs created in other domains. However, a super user or any user with an appropriate role who can access a global domain can view logs in a subdomain, if a subdomain is created with visibility to the parent domain.
You can only view logs from the devices that you can access and that belong to your domain.
You can only view, not edit, a policy if you do not have edit permissions.
The user role under Administration > Users & Roles must have Event Viewer > View Device Logs option is enabled to view or read logs.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
