Known Behaviors and Issues

Known Behaviors

  • We now support unified policies and do not support legacy application security policies.

  • We now support a global address book. We do not support a zone address book.

  • When you import a policy that has rules with unsupported configuration, Juniper Security Director Cloud shows information about these rules under Summary on the import wizard. After the import, the rules with unsupported configuration are grayed out and shown with a disabled icon to differentiate system-disabled rules from rules disabled by a user. The rule description also shows the reason for disabling these rules.

    You cannot delete, edit, or perform any rule actions on these unsupported rules.

  • Juniper Security Director Cloud overwrites configuration changes made directly from the device CLI or from any interface other than the portal.

    To avoid conflicts, import the device configuration and then re-assign the devices from the existing policies.

  • Even when a user has not configured certain cloud applications, the CASB Dashboard and CASB Application Visibility display the details.

  • CASB Application Visibility shows micro-applications without much detail.

  • We no longer support Insights cloud collector.

    • For new users, cloud collector is disabled by default. You cannot enable cloud collector.

    • For existing users:

      • If cloud collector is not yet enabled, you cannot enable it anymore.

      • If cloud collector is already enabled, you can continue to use it. However, once you disable it, you cannot enable it again.

  • After importing a NAT policy where rules have Proxy ARP configured, you must edit the imported NAT policy to enable Manage Proxy ARP and then deploy the policy.

Known Issues

Juniper Security Director Cloud

  • When you create an Internet Content Adaptation Protocol (ICAP) profile server with a routing instance, the deployment fails.

    Workaround:

    1. Create the ICAP profile server without the routing instance.

    2. Deploy the ICAP profile server with the security policy.

    3. Add the routing instance in the ICAP profile server after the deployment.

  • When you import an ICAP profile server with a routing instance, the routing instance is removed from the profile server during the deployment.

    Workaround:

    1. Create the ICAP profile server without the routing instance.

    2. Deploy the ICAP profile server with the security policy.

    3. Add the routing instance in the ICAP profile server after the deployment.

  • The OOB connection between the Juniper® Networks SRX Series Firewall and Juniper Security Director Cloud doesn't close on the SRX Series Firewall. This happens because the device status in Juniper Security Director Cloud changes to DOWN after the connection is closed, while the connection on the SRX Series Firewall remains active.

    Workaround: Restart the outbound SSH service in the SRX Series Firewall. This will resynchronize the SRX Series Firewall device with Juniper Security Director Cloud and change the status of the device to UP.

    1. Log in to the SRX Series Firewall using CLI.

    2. Run the following command to check the status of the flow session: show security flow session destination-port 7804

    3. If the flow session is active, but Juniper Security Director Cloud displays DOWN or OUT OF SYNC as the device status, run the following command to restart the SRX Series Firewall outbound SSH service: restart service-deployment.
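The decision in steps 2 and 3 (an active session on port 7804 while the portal reports DOWN or OUT OF SYNC) can be scripted as an added example; this is not Juniper's code, and the CLI output below is constructed, not captured from a device:

```python
import re

# Constructed sample of `show security flow session destination-port 7804`
# output for one active outbound SSH session; not captured from a real device.
ACTIVE_SESSION_OUTPUT = """\
Session ID: 4711, Policy name: self-traffic-policy/1, Timeout: 1792, Valid
  In: 192.0.2.1/49152 --> 203.0.113.20/7804;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 310, Bytes: 41200,
  Out: 203.0.113.20/7804 --> 192.0.2.1/49152;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 298, Bytes: 39870,
Total sessions: 1
"""

# Constructed output when no session exists.
NO_SESSION_OUTPUT = "Total sessions: 0\n"

OOB_PORT = 7804
STALE_PORTAL_STATES = {"DOWN", "OUT OF SYNC"}

# Matches the "In:" leg of each session and captures its destination port.
IN_LEG = re.compile(r"^\s+In: \S+ --> \S+/(\d+);", re.MULTILINE)


def count_oob_sessions(show_output: str, port: int = OOB_PORT) -> int:
    """Return how many sessions in the CLI output target the OOB port."""
    return sum(1 for m in IN_LEG.finditer(show_output) if int(m.group(1)) == port)


def recommend_action(show_output: str, portal_status: str) -> str:
    """Apply the workaround logic: restart only when the device still holds
    an active session but the portal shows the device as stale."""
    sessions = count_oob_sessions(show_output)
    status = portal_status.strip().upper()
    if sessions and status in STALE_PORTAL_STATES:
        return "restart service-deployment"
    if sessions == 0 and status in STALE_PORTAL_STATES:
        # Nothing to restart: the session really is gone, so the portal is right.
        return "no active OOB session: check connectivity instead of restarting"
    return "no action"


if __name__ == "__main__":
    print(recommend_action(ACTIVE_SESSION_OUTPUT, "DOWN"))
    print(recommend_action(NO_SESSION_OUTPUT, "OUT OF SYNC"))
```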

  • For Juniper Networks® SRX1600 and Juniper Networks® SRX2300 firewalls, Juniper Security Director Cloud is unable to upgrade the software image from 23.4R1.9 to any other version.

  • Image installation fails for the images available on Juniper Security Director Cloud.

    Workaround:

    • You can add the images from the SRX > Device Management > Software Images page, and deploy the images for the device.

    • Try a manual CLI command execution on the device.

  • Security policy import and deployment might fail if the SRX Series Firewall configuration contains hidden commands left over from an older, incompatible version, for example in the content security configuration or the security policy.

    Workaround:

    Delete any hidden or undocumented commands from SRX Series Firewalls, import the policy configuration again to Juniper Security Director Cloud, and then deploy the security policy.

  • When the SMB protocol option is enabled in the predefined AAMW profile, the commit fails on devices running a Junos OS release earlier than 21.1.

    Workaround:

    Clone the default AAMW profile, disable the SMB protocol, and use the cloned profile in the security policy or global options.

  • While upgrading a device to Junos OS 21.1 or later through a software image, the error "ISSU is not supported for Clock Synchronization (SyncE)" is shown.

    Workaround:

    Upgrade the cluster from the CLI using the workaround provided in https://prsearch.juniper.net/problemreport/PR1632810.

  • After the security log configuration is pushed to the device, the session on port 6514 is not established immediately, and security and session logs take more than 10 minutes to appear in the Juniper Security Director Cloud UI. This behavior is seen sporadically after onboarding the device or after consecutive renegotiations of the TLS connection from the device.

    Workaround:

    Use the following steps to point the security log stream at the host IP address so that the security logs are received.

    1. View the DNS hostname information:

      • For Home PoP Virginia, resolve the DNS hostname using the show host srx.sdcloud.juniperclouds.net command.

        Example output: srx.sdcloud.juniperclouds.net has address 10.1.23.1

      • For Home PoP Ohio, resolve the DNS hostname using the show host srx.jsec2-ohio.juniperclouds.net command.

        Example output: srx.jsec2-ohio.juniperclouds.net has address 192.168.1.1

    2. Update the security log stream sd-cloud-logs to the IP address of the respective Home PoP.

      For example, if a device is onboarded in an organization with Home PoP Virginia, use the set security log stream sd-cloud-logs host 10.1.23.1 command.

  • For existing devices in Juniper Security Director Cloud with Home PoP Virginia, the security logs are not shown in the UI. This behavior is observed if an IP address is used in the security log configuration to reach Juniper Security Director Cloud.

    Workaround:

    • Disable and enable the security log configuration from the UI using the following steps:

      1. Go to SRX > Device Management > Devices and click on Security Logs Configuration.

      2. From the Group by field, select All.

      3. Select the device and make a note of Source Interface value.

      4. Click the edit icon, disable the toggle for Security Log Status, and click √ (check mark) to save your changes.

      5. Click OK. A deploy job is triggered to disable the security log configuration.

      6. Go to SRX > Device Management > Devices and click on Security Logs Configuration.

      7. From the Group by field, select All.

      8. Select the device, click the edit icon and select the interface value that was noted in Step 3.

      9. Enable the toggle for Security Log Status, and click √ (check mark) to save your changes.

      10. Click OK. A deploy job is triggered to enable the security log configuration.

      After these steps, the device renegotiates the security log connection and you should be able to view the security logs in the UI.

    • If you still cannot view the security logs after these steps, use the following steps to change the security log configuration to point to the IP address:

      1. Resolve the DNS hostname for Home PoP Virginia using the show host srx.sdcloud.juniperclouds.net command.

        Example output: srx.sdcloud.juniperclouds.net has address 10.1.23.1

      2. Update the security log stream sd-cloud-logs to the IP address of the respective Home PoP using the set security log stream sd-cloud-logs host 10.1.23.1 command.

  • Juniper Security Director Cloud is unable to show the following logs for SRX Series Firewalls running Junos OS version 21.4 R3-S3.4 and later:

    • Web filtering logs

    • RT_FLOW logs

    • Content security logs

  • When you re-import a NAT pool that has a pre-configured address object and deploy it using a NAT rule, object conflict resolution (OCR) is detected for the address name field.

  • If peer synchronization is enabled for the Multinode High Availability solution, any deployment or configuration change results in multiple synchronization jobs.

    Workaround:

    Delete the set system commit peers-synchronize command from the device configuration for the Multinode High Availability solution.

Secure Edge

  • We do not support the use of third-party authenticators for access to certain SaaS applications. For example, the Box application allows you to log in using your Google credentials, but Juniper Secure Edge recognizes the activity as a Google login rather than a Box login.

    Workaround: Use the SaaS application's built-in authentication system.

  • Box upload activity is not detected in roaming traffic.

  • If you use the CASB-supported Microsoft Teams application, you must edit the decrypt profile to identify the activities. By default, the decrypt profile (exempt list) includes the following Microsoft URLs:

    • *.delivery.mp.microsoft.com
    • *.teams.microsoft.com
    • *.update.microsoft.com
    • *.vortex-win.data.microsoft.com
    • activation.sls.microsoft.com
    • update.microsoft.com
    • windowsupdate.microsoft.com
    • *.windowsupdate.microsoft.com

    You must remove *.teams.microsoft.com from the exempt list to identify Microsoft Teams activities.

  • If a non-administrator user launches the Juniper® Identity Management Service (JIMS) Collector GUI, the status of the Enforcement Points is not updated. The status always shows Inactive in the Monitor > Enforcement Points page in the JIMS Collector UI.

  • When authenticated by Hosted DB, end users with disabled accounts are not notified that their account has been disabled. The end-user account was either disabled by the administrator or automatically disabled after five consecutive failed authentication attempts.

    Workaround: End users can contact their administrator to unlock their account.

  • When you create an IPsec tunnel from a site to Secure Edge, the tunnel configuration status on the UI displays a “tunnel_status_undefined” message instead of an “in progress” message.

    Workaround: The status updates when the tunnel creation process is complete, typically in about 10 minutes.

  • The LDAP configuration page may display a blank error screen when incorrect information is entered.

    Workaround: The administrator must re-enter the correct LDAP values.

  • A few CASB applications and activities are not identified in browser traffic.

    Workaround: Disable HTTP over QUIC in your browser settings so that the traffic passes through the SSL proxy.

    • Steps to disable HTTP over QUIC in Firefox:

      1. In the address bar, enter about:config.

      2. In the Search preference name box, enter network.http.http3.enable and change the toggle to False.

      3. Repeat the above step for network.http.http3.enable and change the toggle to False.

      4. Clear the browser cookies and restart the browser.

    • Steps to disable HTTP over QUIC in Chrome:

      1. In the address bar, enter chrome://flags/.

      2. In the Search flags box, enter Experimental QUIC protocol and select Disabled from the drop-down menu.

      3. Clear the browser cookies and restart the browser.