- play_arrow Junos Space Security Director
- play_arrow Dashboard
- play_arrow Overview
-
- play_arrow Monitor
- play_arrow Events and Logs-All Events
- Events and Logs Overview
- Creating Alerts
- Creating Reports
- Creating Filters
- Grouping Events
- Using Events and Logs Settings
- Selecting Events and Logs Table Columns
- Viewing Threats
- Viewing Data for Selected Devices
- Using the Detailed Log View
- Using the Raw Log View
- Showing Exact Match
- Using Filter on Cell Data
- Using Exclude Cell Data
- Showing Firewall Policy
- Showing Source NAT Policy
- Showing Destination NAT Policy
- Downloading Packets Captured
- Showing Attack Details
- Using Filters
- play_arrow Events and Logs-Firewall
- play_arrow Events and Logs-Web Filtering
- play_arrow Events and Logs-VPN
- play_arrow Events and Logs-Content Filtering
- play_arrow Events and Logs-Antispam
- play_arrow Events and Logs-Antivirus
- play_arrow Events and Logs-IPS
- play_arrow Events and Logs-Screen
- play_arrow Events and Logs-ATP Cloud
- play_arrow Events and Logs-Apptrack
- play_arrow Threat Prevention-Hosts
- play_arrow Threat Prevention-C&C Servers
- play_arrow Threat Prevention-HTTP File Download
- play_arrow Threat Prevention-Email Quarantine and Scanning
- play_arrow Threat Prevention-IMAP Block
- play_arrow Threat Prevention-Manual Upload
- play_arrow Threat Prevention-Feed Status
- play_arrow Threat Prevention-All Hosts Status
- play_arrow Threat Prevention-DDoS Feeds Status
- play_arrow Applications
- play_arrow Live Threat Map
- play_arrow Threat Monitoring
- play_arrow Alerts and Alarms - Overview
- play_arrow Alerts and Alarms-Alerts
- play_arrow Alerts and Alarms-Alert Definitions
- play_arrow Alerts and Alarms-Alarms
- play_arrow VPN
- play_arrow Insights
- play_arrow Job Management
- Using Job Management in Security Director
- Overview of Jobs in Security Director
- Archiving and Purging Jobs in Security Director
- Viewing the Details of a Job in Security Director
- Canceling Jobs in Security Director
- Reassigning Jobs in Security Director
- Rescheduling and Modifying the Recurrence of Jobs in Security Director
- Retrying a Failed Job on Devices in Security Director
- Exporting the Details of a Job in Security Director
- Job Management Main Page Fields
- play_arrow Audit Logs
- play_arrow Packet Capture
- play_arrow NSX Inventory-Security Groups
- play_arrow vCenter Server Inventory-Virtual Machines
- play_arrow Data Plane Packet Capture
-
- play_arrow Devices
- play_arrow Security Devices
- Using Features in Security Devices
- Security Devices Overview
- Add Devices to Juniper Security Director Cloud
- Updating Security-Specific Configurations or Services on Devices
- Resynchronizing Managed Devices with the Network in Security Director
- Performing Commit Check
- Logical Systems Overview
- Tenant Systems Overview
- Create a Logical System
- Create a Tenant System
- Uploading Authentication Keys to Devices in Security Director
- Modifying the Configuration of Security Devices
- Modifying the Basic Configuration for Security Devices
- Modifying the Static Routes Configuration for Security Devices
- Modifying the Routing Instances Configuration for Security Devices
- Modifying the Physical Interfaces Configuration for Security Devices
- Modifying the Syslog Configuration for Security Devices
- Modifying the Security Logging Configuration for Security Devices
- Modifying the Link Aggregation for Security Devices
- Modifying the User Management Configuration for Security Devices
- Modifying the Screens Configuration for Security Devices
- Modifying the Zones Configuration for Security Devices
- Modifying the IPS Configuration for Security Devices
- Modifying the SSL Initiation Profile for Security Devices
- Modifying the ICAP Redirect Profile for Security Devices
- Configuring Aruba ClearPass for Security Devices
- Configuring APBR Tunables for Security Devices
- Modifying the Express Path Configuration for Security Devices
- Modifying the Device Information Source Configuration for Security Devices
- Viewing the Active Configuration of a Device in Security Director
- Deleting Devices in Security Director
- Rebooting Devices in Security Director
- Resolving Key Conflicts in Security Director
- Launching a Web User Interface of a Device in Security Director
- Connecting to a Device by Using SSH in Security Director
- Importing Security Policies to Security Director
- Importing Device Changes
- Viewing Device Changes
- Viewing and Exporting Device Inventory Details in Security Director
- Previewing Device Configurations
- Refreshing Device Certificates
- Assigning Security Devices to Domains
- Acknowledging Device SSH Fingerprints in Security Director
- Viewing Security Device Details
- Security Devices Main Page Fields
- play_arrow Device Discovery
- Overview of Device Discovery in Security Director
- Creating Device Discovery Profiles in Security Director
- Editing, Cloning, and Deleting Device Discovery Profiles in Security Director
- Running a Device Discovery Profile in Security Director
- Viewing the Device Discovery Profile Details in Security Director
- Device Discovery Main Page Fields
- play_arrow Secure Fabric
- play_arrow NSX Managers
- Understanding Juniper Connected Security for VMware NSX Integration
- Understanding Juniper Connected Security for VMware NSX-T Integration
- Before You Deploy vSRX in VMware NSX Environment
- Before You Deploy vSRX in VMware NSX-T Environment
- About the NSX Managers Page
- Download the SSH Key File
- Add the NSX Manager
- Registering Security Services
- Editing NSX Managers
- Viewing Service Definitions
- Deleting the NSX Manager
- Delete the NSX-T Manager
- Deploying the vSRX as an Advanced Security Service in a VMware NSX Environment
- Deploy the vSRX as an Advanced Security Service in a VMware NSX-T Environment
- play_arrow vCenter Servers
- play_arrow Licenses
-
- play_arrow Configure
- play_arrow Firewall Policy-Standard Policies
- Firewall Policies Overview
- Policy Ordering Overview
- Creating Firewall Policies
- Firewall Policies Best Practices
- Creating Firewall Policy Rules
- Rule Base Overview
- Firewall Policy Locking Modes
- Rule Operations on Filtered Rules Overview
- Create and Manage Policy Versions
- Assigning Devices to Policies
- Comparing Policies
- Export Policies
- Creating Custom Columns
- Promoting to Group Policy
- Converting Standard Policy to Unified Policy
- Probe Latest Policy Hits
- Disable Firewall Policy Rules Based on Hits Over a Specified Duration
- Viewing and Synchronizing Out-of-Band Firewall Policy Changes Manually
- Importing Policies
- Delete and Replace Policies and Objects
- Unassigning Devices from Policies
- Edit and Clone Policies and Objects
- Publishing Policies
- Showing Duplicate Policies and Objects
- Show and Delete Unused Policies and Objects
- Updating Policies on Devices
- Firewall Policies Main Page Fields
- Firewall Policy Rules Main Page Fields
- play_arrow Firewall Policy-Unified Policies
- play_arrow Firewall Policy-Devices
- play_arrow Firewall Policy-Schedules
- play_arrow Firewall Policy-Profiles
- Understanding Firewall Policy Profiles
- Understanding Captive Portal Support for Unauthenticated Browser Users
- Creating Firewall Policy Profiles
- Edit and Clone Policies and Objects
- Delete and Replace Policies and Objects
- Assigning Policies and Profiles to Domains
- Firewall Policy Profiles Main Page Fields
- play_arrow Firewall Policy-Templates
- play_arrow Firewall Policy-Secure Web Proxy
- play_arrow Firewall Policy-DNS Security & ETI Profile
- play_arrow Firewall Policy-DNS Security & ETI Policy
- play_arrow Firewall Policy-DNS Sinkhole
- play_arrow Firewall Policy-DNS Filter
- play_arrow Environment
- play_arrow Application Firewall Policy-Policies
- play_arrow Application Firewall Policy-Signatures
- play_arrow Application Firewall Policy-Redirect Profiles
- play_arrow SSL Profiles
- play_arrow User Firewall Management-Active Directory
- play_arrow User Firewall Management-Access Profile
- play_arrow User Firewall Management-Address Pools
- play_arrow User Firewall Management-Identity Management
- play_arrow User Firewall Management-End User Profile
- play_arrow IPS Policy-Policies
- Understanding IPS Policies
- Creating IPS Policies
- Creating IPS Policy Rules
- Publishing Policies
- Updating Policies on Devices
- Assigning Devices to Policies
- Create and Manage Policy Versions
- Creating Rule Name Template
- Export Policies
- Unassigning Devices to Policies
- Viewing and Synchronizing Out-of-Band IPS Policy Changes Manually
- Edit and Clone Policies and Objects
- Delete and Replace Policies and Objects
- Assigning Policies and Profiles to Domains
- IPS Policies Main Page Fields
- Configure IPS Policy in a Firewall Policy
- Import a Firewall Policy that Has IPS Policy Configured
- play_arrow IPS Policy-Devices
- play_arrow IPS Policy-Signatures
- play_arrow IPS Policy-Templates
- play_arrow NAT Policy-Policies
- NAT Overview
- NAT Global Address Book Overview
- Creating NAT Policies
- Publishing Policies
- NAT Policy Rules Main Page Field
- Creating NAT Rules
- Updating Policies on Devices
- Edit and Clone Policies and Objects
- Delete and Replace Policies and Objects
- Assigning Policies and Profiles to Domains
- Comparing Policies
- Create and Manage Policy Versions
- Export Policies
- Assigning Devices to Policies
- Unassigning Devices to Policies
- Creating Rule Name Template
- Viewing and Synchronizing Out-of-Band NAT Policy Changes Manually
- Configuring NAT Rule Sets
- Auto Grouping
- NAT Policies Main Page Fields
- play_arrow NAT Policy-Devices
- play_arrow NAT Policy-Pools
- play_arrow NAT Policy-Port Sets
- play_arrow Content Security Policy-Policies
- Content Security Overview
- Creating Content Security Policies
- Comparing Policies
- Delete and Replace Policies and Objects
- Viewing Policy and Shared Object Details
- Assigning Policies and Profiles to Domains
- Showing Duplicate Policies and Objects
- Edit and Clone Policies and Objects
- Show and Delete Unused Policies and Objects
- Content Security Policies Main Page Fields
- play_arrow Content Security Policy-Web Filtering Profiles
- play_arrow Content Security Policy-Category Update
- play_arrow Content Security Policy-Antivirus Profiles
- play_arrow Content Security Policy-Antispam Profiles
- play_arrow Content Security Policy-Content Filtering Profiles
- play_arrow Content Security Policy-Global Device Profiles
- play_arrow Content Security Policy-Default Configuration
- play_arrow Content Security Policy-URL Patterns
- play_arrow Content Security Policy-Custom URL Categories
- play_arrow Application Routing Policies
- Understanding Application-Based Routing
- About the Application Routing Policies Page
- Configuring Advanced Policy-Based Routing Policy
- About the Rules Page (Advanced Policy-Based Routing)
- Creating Advanced Policy-Based Routing Rules
- About the App Based Routing Page
- Edit and Clone Policies and Objects
- Assigning Devices to Policies
- Customizing Profile Names
- Publishing Policies
- Updating Policies on Devices
- play_arrow Threat Prevention - Policies
- play_arrow Threat Prevention - Feed Sources
- About the Feed Sources Page
- Juniper ATP Cloud Realm Overview
- Juniper ATP Cloud Malware Management Overview
- Juniper ATP Cloud Email Management Overview
- File Inspection Profiles Overview
- Juniper ATP Cloud Email Management: SMTP Settings
- Configure IMAP Settings
- Creating Juniper ATP Cloud Realms and Enrolling Devices or Associating Sites
- Modifying Juniper ATP Cloud Realm
- Creating File Inspection Profiles
- Creating Allowlist for Juniper ATP Cloud Email and Malware Management
- Creating Blocklists for Juniper ATP Cloud Email and Malware Management
- Add ATP Appliance Server
- Edit or Delete a ATP Appliance Server
- Custom Feed Sources Overview
- Creating Custom Feeds
- Example: Creating a Dynamic Address Custom Feed and Firewall Policy
- Configuring Settings for Custom Feeds
- play_arrow IPsec VPN-VPNs
- IPsec VPN Overview
- Create a Site-to-Site VPN
- Create a Hub-and-Spoke (Establishment All Peers) VPN
- Create a Hub-and-Spoke (Establishment by Spokes) VPN
- Create a Hub-and-Spoke Auto Discovery VPN
- Create a Full Mesh VPN
- Create a Remote Access VPN—Juniper Secure Connect
- Create a Remote Access VPN—NCP Exclusive Client
- IPsec VPN Global Settings
- Understanding IPsec VPN Modes
- Comparison of Policy-Based VPNs and Route-Based VPNs
- Understanding IPsec VPN Routing
- Understanding IKE Authentication
- Publishing IPsec VPNs
- Updating IPSec VPN
- Modify IPsec VPN Settings
- Viewing Tunnels
- Importing IPsec VPNs
- Deleting IPSec VPN
- IPsec VPN Main Page Fields
- play_arrow IPsec VPN-Extranet Devices
- play_arrow IPsec VPN-Profiles
- play_arrow Insights
- About the Log Parsers Page
- Create a New Log Parser
- Edit and Delete a Log Parser
- About the Log Sources Page
- Add a Log Source
- Edit and Delete a Log Source
- View Log Statistics
- About the Event Scoring Rules Page
- Create an Event Scoring Rule
- Edit and Delete Event Scoring Rules
- About the Incident Scoring Rules Page
- Create an Incident Scoring Rule
- Edit and Delete Incident Scoring Rules
- play_arrow Shared Objects-Geo IP
- play_arrow Shared Objects-Policy Enforcement Groups
- play_arrow Shared Objects-Addresses
- play_arrow Shared Objects-Services
- play_arrow Shared Objects-Variables
- play_arrow Shared Objects-Zone Sets
- Understanding Zone Sets
- Creating Zone Sets
- Edit and Clone Policies and Objects
- Delete and Replace Policies and Objects
- Finding Usages for Policies and Objects
- Show and Delete Unused Policies and Objects
- Showing Duplicate Policies and Objects
- Viewing Policy and Shared Object Details
- Zone Sets Main Page Fields
- play_arrow Shared Objects-Metadata
- play_arrow Change Management-Change Requests
- Change Control Workflow Overview
- Creating a Firewall or NAT Policy Change Request
- About the Changes Submitted Page
- Approving and Updating Changes Submitted
- Creating and Updating a Firewall Policy Using Change Control Workflow
- Editing, Denying, and Deleting Change Requests
- About the Changes Not Submitted Page
- Discarding Policy Changes
- Viewing Submitted and Unsubmitted Policy Changes
- play_arrow Change Management-Change Request History
- play_arrow Overview of Policy Enforcer and Juniper ATP Cloud
- play_arrow Concepts and Configuration Types to Understand Before You Begin (Policy Enforcer and Juniper ATP Cloud)
- Policy Enforcer Components and Dependencies
- Policy Enforcer Configuration Concepts
- Juniper ATP Cloud Configuration Type Overview
- Features By Juniper ATP Cloud Configuration Type
- Available UI Pages by Juniper ATP Cloud Configuration Type
- Comparing the Juniper Connected Security and non-Juniper Connected Security Configuration Steps
- play_arrow Configuring Policy Enforcer Settings and Connectors
- Policy Enforcer Settings
- Policy Enforcer Connector Overview
- Creating a Policy Enforcer Connector for Public and Private Clouds
- Creating a Policy Enforcer Connector for Third-Party Switches
- Editing and Deleting a Connector
- Viewing VPC or Projects Details
- Integrating ForeScout CounterACT with Juniper Networks Connected Security
- ClearPass Configuration for Third-Party Plug-in
- Cisco ISE Configuration for Third-Party Plug-in
- Integrating Pulse Policy Secure with Juniper Networks Connected Security
- Policy Enforcer Backup and Restore
- Configure Certificate-Based Authentication in Policy Enforcer
- play_arrow Guided Setup-ATP Cloud with SDSN
- play_arrow Guided Setup-ATP Cloud
- play_arrow Guided Setup for No ATP Cloud (No Selection)
- play_arrow Manual Configuration- ATP Cloud with SDSN
- play_arrow Manual Configuration-ATP Cloud
- play_arrow Cloud Feeds Only Threat Prevention
- play_arrow Configuring No ATP Cloud (No Selection) (without Guided Setup)
- play_arrow Migration Instructions for Spotlight Secure Customers
-
- play_arrow Reports
ON THIS PAGE
About the Policy Sync Settings Page
To access this page, click Administration > Policy Sync Settings.
Starting in Junos Space Security Director Release 19.2R1, use the Policy Sync Settings page to automatically synchronize out-of-band firewall policy changes from a device to Security Director. The device must be discovered by Security Director. The out-of-band configuration changes are changes you make to a device configuration through any method other than deploying the configuration change from Security Director. By default, the automatic synchronization is disabled.
This page is displayed only in the global domain and applicable for only device-specific firewall policies. Out-of-band firewall policy changes are applicable for both standard firewall and unified firewall policies.
Starting in Junos Space Security Director Release 19.4R1, you can import or reject out-of-band changes for an IPS policy from a device to Security Director manually or automatically. For devices running Junos OS Release 18.2 and later, you can synchronize the changes from standard or unified firewall policies page. For devices with Junos OS Release 18.1 and earlier, you can synchronize the IPS policy changes from the IPS Policies page.
Starting in Junos Space Security Director Release 20.1R1, you can import or reject out-of-band changes for a NAT policy from a device to Security Director manually or automatically.
When a device is discovered in Security Director, the Managed Status is displayed as Managed in the Security Devices page. For automatic synchronization of out-of-band policy changes, the managed status of the device must be SD Changed, Device Changed, or In Sync. You must update the device atleast once from Security Director. In case of logical systems (LSYS) or tenant systems (TSYS), root device may show the status as Device Changed if a policy is assigned to it. Update the root device so that the status is In Sync.
The out-of-band changes are not supported if more than one policy is assigned to a device or if rules are configured in All Devices Policy Pre/Post policies.
The out-of-band changes does not support synchronization of duplicate rule-sets in a NAT policy.
Tasks You Can Perform
You can perform the following tasks from this page:
Enable automatic synchronization of out-of-band firewall, IPS, and NAT policy changes in the device.
Choose an option to automatically accept or reject the out-of-band firewall, IPS, and NAT policy changes.
Field Descriptions
Table 1 provides guidelines on using the fields on the Policy Sync Settings page.
Field | Description |
|---|---|
Auto Sync Policy Changes | By default, the automatic synchronization of out-of-band firewall, IPS, and NAT policy changes is disabled. Enable this option to automatically synchronize out-of-band firewall, IPS, and NAT policy changes from a device to Security Director. When automatic synchronization of out-of-band policy changes is disabled, you can import the out-of-band changes from a device manually. After you synchronize the policy changes, the policy shows that you’ll need to republish the policy. A dummy publish and update has to be performed in order to set the managed status as In sync. The custom rule group in a policy is not supported. If the policy has a custom rule group, then the custom rule group is deleted after synchronizing the policy and all the rules are grouped inside device-specific or predefined rule groups. |
Policy Source of Truth | The policy “source of truth” is where the device is synchronized to Security Director. All device side out of sync changes are rejected to match Security Director.
|
Policies | Select one or more policies (Firewall/NAT/IPS) to be automatically synchronized from a device to Security Director. |
Default Action for Policies | Select an option. During automatic synchronization of out-of-band firewall, IPS, and NAT policy changes from a device to Security Director, you can choose to rename object, keep existing value, or overwrite with imported value. By default, Rename Object is selected. Rename object—Provides a new name to the conflicting object. "_1" is added by default to the name. Device Preview or Update deletes the original object and adds the object with the new name. Overwrite with Imported Value—Overwrites the existing object with the new object. The object is replaced in Security Director with the new object. No change is seen in preview for the imported device. The change appears in the next preview/update for all other devices that use this object. Keep Existing Object—Keeps the existing object and ignores the new object. The object in Security Director is used instead of the device object. |
