FAQ
Why are devices I added not discovered?
The discovery of devices added manually or through Zero Touch Provisioning might not be triggered for multiple reasons, such as the management interface being down, the Juniper Security Director Cloud FQDN failing to resolve in your network, or the required ports being closed.
To ensure that the device is successfully discovered, check the following:
- The in-band management interface is up and is configured with a route to reach the Juniper Security Director Cloud FQDN.
- The source IP in the data packet being sent to Juniper Security Director Cloud is correct.
- The Google DNS or your own DNS is configured in the device to resolve the Juniper Security Director Cloud FQDN and is reachable from the device.
- The firewall filters are configured correctly.
- The required ports are open. See the Prerequisites for more details.
Why is the device I configured using CLI not discovered?
Devices configured using CLI through the Adopt Device method might not be discovered for multiple reasons.
To ensure that the device configured using CLI is successfully discovered, do the following:
- Check that the source IP in the data packet being sent to Juniper Security Director Cloud is correct.
- Check that the firewall filters are configured correctly.
- Remove the CLI configuration allowing users to log in without a password. For example, the following CLI configuration in a vSRX Virtual Firewall Series device deployed on AWS must be removed:
  set groups aws-default system services ssh no-passwords
- Check whether an SSH rate limit is configured on your SRX device. Use one of the following commands to delete the existing rate limit or set the rate limit to more than 32:
  - delete system services ssh rate-limit
  - set system services ssh rate-limit 40
- Check whether the FQDN is reachable through a specific routing instance. If yes, add the routing instance to outbound services using the following command and commit the configuration on the device:
  set system services outbound-ssh routing-instance <<ROUTING-INSTANCE-NAME>>
Why does my device display "Not configured" as the name?
The device name is displayed as "Not configured" when the host name of the device is not configured. The Adopt Devices method does not provide an option to configure the host name of devices.
Use the HOSTNAME template at SRX > Device Management > Configuration Templates to configure the host name of your device.
The device name is correctly displayed after you configure the host name and deploy the device.
Why does my device display "srxXXXXXXXX" as the name?
The device name is displayed as "srxXXXXXXXX" when the host name of the device is not configured. The Adopt Devices method does provide an option to configure the host name of devices, and the firewall policies cannot be deployed without the host name.
Use one of the following methods to configure the host name:
- Use the HOSTNAME template at SRX > Device Management > Configuration Templates to configure the host name of your device.
- Configure the host name directly on your device using CLI.
The device name is correctly displayed after you configure the host name and deploy the device and firewall policies.
Why are CA certificates not imported during the device discovery operation?
The import of CA certificates during the device discovery operation might fail for multiple reasons.
To ensure that the CA certificate is successfully imported, do the following:
- Ensure the original device configuration is not modified.
- Ensure that the device does not have a conflicting CA profile or an existing certificate with the "sd_cloud_ca" certificate name.
- Ensure that the CLI configuration on the device does not display any commit warning while committing the CLI mode change or while assigning Ethernet switches to the interfaces.
- Ensure that the device is not configured in another Organization of Juniper Security Director Cloud.
- Delete the following security PKI configuration for the digital certificates on the device:
  - set security pki ca-profile sd_cloud_ca ca-identity sd_cloud_ca
  - set security pki ca-profile sd_cloud_ca ca-identity sd_cloud_local
Why does the device deletion job fail?
A device can be deleted from the Device page only if the status of the device is Up or In Sync.
To delete a device whose status is Down or Out of Sync, change the status of the device to Up with the same configuration version, and delete the device.
If you can't change the status of the device to Up, contact JTAC for help with deleting the device using API. You can create a service request with JTAC on the Web or by telephone.
- Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
- For international or direct-dial options in countries without toll-free numbers, see https://support.juniper.net/support/requesting-support/.
Why is my device's configuration not deleted even after deleting the Active Directory profile?
The device configuration might not be deleted if the configuration changes are not committed or the configuration changes have been modified directly on the device.
To manually delete the device configuration, log in to the device using CLI, enter the following command in edit mode, and commit the configuration:
delete services user-identification active-directory-access
Why is the monitoring log analytics data not available?
The log analytics data might not be available on the Dashboard, Event Viewer, and Application Visibility page if logging is not configured or the logging configuration failed to apply because the required certificates were not deployed during the device discovery.
To verify the log configuration, do the following:
- Use the device ILP pages to verify that the security log configuration is pushed to the device.
- Do the following to enable security logging for the device:
  - Click SRX > Device Management > Devices.
  - Click Enable Security Logs to open the Enable Security Logs page.
  - Select the device interface, and click OK to create a Deploy job.
- Use the following commands to check the status of the deploy-ca-certificate and deploy-ca-local-certificate jobs in Juniper Security Director Cloud:
  - CA certificate: show security pki ca-certificate
  - Local certificate: show security pki local-certificate
Why does the Enable Security Logs page not display all my devices?
The Enable Security Logs page displays only devices that are managed by Juniper Security Director Cloud and have the In Sync status. By default, the page also displays a filtered list of only configured devices.
Do the following:
- Check whether the device status is In Sync. The Enable Security Logs page displays only synchronized devices.
- If all the devices are synchronized, check whether the device list is filtered. Select All from the Group by dropdown list to view the complete list of devices.
- If you still do not see the complete device list, resynchronize the device with Juniper Security Director Cloud.
Why is the log analytics data missing even after I configured security logging?
The log analytics data might be missing if the Juniper Security Director Cloud load balancer is not reachable.
To verify that Juniper Security Director Cloud is reachable for security logging over TLS, do the following:
- Connect to the device using CLI.
- Use the following command to check whether port 6514 on the device is open: telnet srx.sdcloud.juniperclouds.net 6514
- Use the following command to check the flow of security session data through port 6514: show security flow session destination-port 6514
  The security session contains data, and the byte count of the data flow increases every time new session logs are sent over TLS to Juniper Security Director Cloud.
- Ensure that the correct interface is selected for the device in the Secure CRT configuration.
- Ensure that the security log, security PKI, and SSL services are not deactivated on the device.
- Ensure that log session-init and session-close are enabled on the firewall rule to see the RT_FLOW logs.
- If you still cannot see the log analytics data, use the following command to restart security logging from the device: restart security-log gracefully
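As an added example (not from Juniper's documentation or tooling), the following Python script parses two captures of the show security flow session destination-port 6514 output taken a few minutes apart and reports whether the byte count toward port 6514 is increasing, which is the check described above. The sample captures are constructed to match that command's output format and are not real device output.

```python
import re

# Constructed sample output, modelled on the format of the Junos command
# "show security flow session destination-port 6514" and captured twice a few
# minutes apart. This is not real device output.
CAPTURE_BEFORE = """\
Session ID: 3124, Policy name: self-traffic-policy/1, Timeout: 1798, Valid
  In: 10.10.1.5/52214 --> 203.0.113.20/6514;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 120, Bytes: 18420,
  Out: 203.0.113.20/6514 --> 10.10.1.5/52214;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 80, Bytes: 9310,
Total sessions: 1
"""
CAPTURE_AFTER = """\
Session ID: 3124, Policy name: self-traffic-policy/1, Timeout: 1796, Valid
  In: 10.10.1.5/52214 --> 203.0.113.20/6514;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 164, Bytes: 25990,
  Out: 203.0.113.20/6514 --> 10.10.1.5/52214;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 102, Bytes: 11420,
Total sessions: 1
"""

SESSION_RE = re.compile(r"^Session ID: (\d+),")
WING_RE = re.compile(
    r"^\s+(In|Out): (\S+) --> ([^;\s]+);(\w+),.*?Pkts: (\d+), Bytes: (\d+)"
)


def parse_flow_sessions(text):
    """Map each session ID to its In/Out wings (src, dst, proto, pkts, bytes)."""
    sessions, current = {}, None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = m.group(1)
            sessions[current] = {}
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            direction, src, dst, proto, pkts, nbytes = m.groups()
            sessions[current][direction] = {
                "src": src, "dst": dst, "proto": proto,
                "pkts": int(pkts), "bytes": int(nbytes),
            }
    return sessions


def in_wings_to_port(sessions, port):
    """Return {session_id: In wing} for sessions whose destination port is `port`."""
    return {
        sid: wings["In"] for sid, wings in sessions.items()
        if "In" in wings and wings["In"]["dst"].rsplit("/", 1)[-1] == str(port)
    }


def log_delivery_status(before_text, after_text, port=6514):
    """Compare two captures and report whether bytes sent to `port` are increasing.

    No session means the TLS log channel was never established; an unchanged
    byte count means the session exists but no new logs are leaving the device.
    """
    before = in_wings_to_port(parse_flow_sessions(before_text), port)
    after = in_wings_to_port(parse_flow_sessions(after_text), port)
    if not after:
        return {"deltas": {}, "flowing": False,
                "reason": f"no session to port {port}; check reachability and that security-log is not deactivated"}
    # A session absent from the first capture counts all of its bytes as new.
    deltas = {sid: w["bytes"] - before.get(sid, {}).get("bytes", 0) for sid, w in after.items()}
    flowing = any(d > 0 for d in deltas.values())
    reason = ("log bytes increasing" if flowing else
              "session present but byte count unchanged; verify session-init/session-close logging on rules")
    return {"deltas": deltas, "flowing": flowing, "reason": reason}


if __name__ == "__main__":
    print(log_delivery_status(CAPTURE_BEFORE, CAPTURE_AFTER))
```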
Why did my device's deployment fail, with the "Statement Creation Failed" message?
The device deployment can fail for multiple reasons, such as the device configuration not being synchronized with Juniper Security Director Cloud.
To ensure a successful device deployment, do the following:
- If the configuration was changed directly on the device and not synchronized with Juniper Security Director Cloud, resynchronize the device.
- If multiple policies assigned to the device contain similar rules, remove the rules with identical names.
Why don't I see the Save and Close buttons on the IPS policy rule window?
When you do not save the IPS policy rule and select No to navigate away from the window, the Save (✓) and Close (x) buttons might not be visible.
To ensure that the Save and Close buttons are always visible, close the left navigation pane by clicking the Close button.
Why is the default configuration of IPS, content security, and SSL profiles not imported?
The global settings of firewall policies are applied at the organization level. Modifications to these settings impact all the device policies that have firewall rules enabled with IPS, content security, and SSL profiles, so the default conflict resolution option is set to Keep Existing to prevent conflicts during the auto import operation. The default Keep Existing setting of the OCR action might prevent the import of the default configuration of IPS, content security, SSL profiles during the auto import operation of device configuration.
To ensure that the default configuration of IPS, content security, and SSL profiles is successfully imported during the auto import operation, do one of the following:
- Change the OCR action in the default IPS, content security, and SSL profiles using the global settings to Overwrite with the Imported value and deploy the policies again.
- Manually import the device configuration. The manual import operation triggers a conflict resolution option where you can change the OCR action to Overwrite with the Imported value.
Why does my device deployment fail with the "No matching members found. Group is empty." message after I configure the dynamic IPS signature group?
The device deployment fails after the dynamic IPS signature group is configured when none of the available IPS signatures match the filter criteria.
To ensure a successful device deployment, do the following:
- Ensure that the IPS signatures are downloaded in the device.
- Use the Preview Filtered Signatures option at the bottom of the page to check the filters in the dynamic IPS signature group and ensure that the filter criteria match the available IPS signatures.
Why does the SSL proxy profile deployment on the device fail?
There are multiple reasons for the SSL proxy profile deployment failure.
To ensure a successful SSL proxy profile deployment, before deploying the profile, check whether the root certificate and trusted CA certificate selected in Juniper Security Director Cloud are imported in the device:
- View the certificates on Juniper Security Director Cloud.
  - Click SRX > Device Management > Devices.
  - Click the device to open the device page.
  - Click Inventory > Certificates.
- View the certificates on the device.
  - Connect to the device using CLI.
  - Use the following CLI command to view the root certificate on the device: show security pki local-certificate
  - Use the following CLI command to view the trusted CA certificate on the device: show security pki ca-certificate
Why does the content security profile deployment on my device fail?
There are multiple reasons for the content security profile deployment failure, such as the content security license not being installed.
To ensure a successful content security profile deployment, do the following:
- Connect to the device using CLI.
- Use the following command to check whether the content security license is installed on the device: show system license detail
- Use the following command to check whether the traffic is processed through the policy that is configured with the content security profile: show security policies hit-count
- Use the following command to check the hits on the content security objects, such as Web filtering, antivirus, antispam, and content filtering, which help to determine the allowlist, blocklist, custom category, virus, and spam mail hits: show security <utm-objects> statistics
Why are applications not listed in the Application Signatures page?
The application signatures must be downloaded in Juniper Security Director Cloud. The SRE administrators will download the signatures when new signature versions are available.
Why do the image management jobs fail?
The image management jobs, such as stage, deploy, and upgrade, might fail when the network download speed to Juniper Security Director Cloud is lower than 500Kbps.
Use the Images page at the Organization level to add images and to perform other image management operations.
Why does the IPS, content security, application signature bundle installation fail?
The IPS, content security, application signature bundle installation on a device might fail when the network download speed to Juniper Security Director Cloud is lower than 500Kbps.
- Try the IPS, content security, application signature bundle installation again after some time.
- If the signature installation still fails, connect to the device using CLI, and use the following command to manually install the signature: request security utm web-filtering category download-install
Why does the URL category installation fail, with the "No category file found" message?
The URL category installation to a device might fail because of issues with DNS resolution.
To ensure a successful installation of the URL category, use the following predefined or default path for the installation: http://update.juniper-updates.net/EWF/
Why does clicking the account activation link generate an invalid request message?
The invalid request message is displayed because the activation link expires in 24 hours.
Juniper Security Director Cloud purges the accounts of users who do not activate their Juniper Security Director Cloud account within 24 hours.
Where can I see the user activity logs?
The user activity logs are available at Administration > Audit Logs.
Why do new users not receive the activation e-mail?
New users might not receive the activation e-mail when e-mails from Juniper Security Director Cloud are blocked by their organization network.
To ensure that users in your organization receive the activation e-mail, verify that the Juniper Security Director Cloud e-mails are not blocked by your organization network.
Why is the license I installed not immediately visible?
The installed licenses are only visible after you resynchronize the device.
To ensure that the installed license is immediately visible, resynchronize the device with Juniper Security Director Cloud.
Why is the local certificate I imported not immediately visible?
The installed certificates are only visible after you resynchronize the device.
To ensure that the imported local certificate is immediately visible, resynchronize the device with Juniper Security Director Cloud.
Why is the image upgrade job very slow?
The image upgrade job might be slow if you use Junos images in Juniper Security Director Cloud because the images are copied to the device for the upgrade job. The time taken depends on the bandwidth capacity of the network connection between Juniper Security Director Cloud and the device.
To ensure quick upgrade jobs of Junos images, create a download Junos image URL from support.juniper.net and use the URL to upgrade the images.
How can I create multiple users for my organization?
You can create multiple users with different roles for your organization as an Organization Administrator at Administration > Users & Roles.
Why don't I see some tunnels that are down on the IPsec VPN monitoring page?
The Top Unstable Tunnels section on the IPsec VPN monitoring page displays the filtered list of the tunnels that are down based on the selected time span. If a tunnel is not included in the list, the tunnel might be down for longer than the selected time span.
To display a complete list of the tunnels that are down, select a longer time span in the Top Unstable Tunnels section.
Why are some devices imported as extranet devices while importing IPsec VPNs?
There are multiple reasons why devices might be imported as extranet devices along with the imported IPsec VPNs.
To ensure that all devices are imported correctly with the imported IPsec VPNs, check the following:
- All relevant devices were selected while importing the IPsec VPN.
- There is no mismatch in the configuration of the device profile in Juniper Security Director Cloud and on the device.
- Juniper Security Director Cloud supports the device topology.
Why does the Import VPNs page not display my device while importing IPsec VPNs?
The Import VPNs page displays only devices with the Up and In Sync status.
To ensure that the Import VPNs page displays all your devices, ensure that the devices are in the Up and In Sync status.
Why does the IPsec VPN monitoring page not display my VPN?
The IPsec VPN monitoring page does not support the following VPNs:
- Hub-and-Spoke Auto Discovery VPN
- Remote Access VPN—Juniper Secure Connect
- Auto VPNs
To verify why the IPsec VPN monitoring page does not display your VPN, check whether the VPN type is supported for monitoring.
Why does the IPsec VPN monitoring page not display the status of some VPNs?
There are multiple reasons why the status of some VPNs is not displayed in the Tunnels Status section of the IPsec VPN monitoring page.
To ensure that the Tunnels Status section displays the status of all your VPNs, check that:
- Subscriptions are associated with all your devices.
- VPNs are deployed on all devices.
- The status of all devices is Up and In Sync.
Why does the IPsec VPN monitoring page display the Up status of a VPN that is down?
The Tunnels Status section of the IPsec VPN monitoring page displays the status of the VPN tunnels based on a status poll conducted at regular intervals, so if the status of a VPN tunnel is incorrect, the tunnel might have failed after the poll was conducted.
To verify that the correct status of all the VPN tunnels is displayed, wait for the next poll to be conducted. The status poll is conducted every 10 minutes by default.
Why is the health status of my device unknown?
The Device page displays the health status of only devices with subscriptions.
To ensure that the Device page displays the correct health status of your device, ensure that you assign a trial or a paid subscription to the device. The correct health status is displayed a few minutes after associating subscriptions.
Why does the health status of my device show as "No data available"?
The Device page displays the status of only devices with subscriptions.
To ensure that the Device page displays the correct health status of your device, ensure that you assign a trial or a paid subscription to the device. The correct device status is displayed a few minutes after associating subscriptions.
How frequently is the device health status on the Device page updated?
The device health status on the Device page is updated every 15 minutes. Juniper Security Director Cloud polls all devices with subscriptions in an organization for the CPU usage, memory usage, and storage usage data.
How do I check the chassis details of my device?
The chassis details are displayed on the device-specific page.
To view the chassis details of your device, do the following:
- Click SRX > Device Management > Devices to open the Device page.
- Click the device name in the Host Name column to open the device-specific page that displays the details of the device.
How do I check the bandwidth speed of my device?
The bandwidth speed is displayed on the device-specific page.
To view the bandwidth speed of your device, do the following:
- Click SRX > Device Management > Devices to open the Device page.
- Click the device name in the Host Name column to open the device-specific page that displays the details of the device.
- Click the Inventory > Interfaces tab that displays the bandwidth speed in the Speed column.
How much storage space does Juniper Security Director Cloud provide?
Juniper Security Director Cloud provides the following storage space to users:
- Trial subscription—10GB free storage space with a maximum limit of 5 devices.
- Paid subscription—10GB free storage space for each device based on device subscription entitlements with an option to purchase multiple storage subscriptions worth 1TB each. For example, if you purchase 10 storage subscriptions, you get 10TB storage space.
What is the minimum bandwidth required for Juniper Security Director Cloud?
There is no specific minimum bandwidth required for Juniper Security Director Cloud.
The bandwidth requirement varies based on the tasks performed and the processes in progress. For example, processes such as device synchronization depend on the device configuration and the number of session logs sent over the syslog channel. However, some processes, such as signature bundle installation and image management, require a minimum bandwidth of 500Kbps.