Security Policies Import Overview

Juniper Security Director Cloud allows you to import security policy configurations from next-generation security devices. During the onboarding process of these non-ZTP devices, you can discover and incorporate existing security policy configurations.

Juniper Security Director Cloud identifies objects, such as addresses, services, schedulers, SSL profiles, Content Security, IPS, and Layer 7 applications, by their unique names. When importing security policies, it brings in all the objects it supports and compares their names with those on the next-generation security device. A conflict arises if an object's name is the same as an existing one but its value differs.

An object conflict resolution (OCR) operation is initiated to address these naming conflicts. Table 1 lists the actions you can choose to resolve the conflicts.

Table 1: Object Conflict Resolution Actions
Scenario: Object name does not exist in Juniper Security Director Cloud.
Action: Object is added to Juniper Security Director Cloud.

Scenario: Object name with the same content exists.
Action: New object is not added, and existing object is used.

Scenario: Object name with different content exists.
Action: Object conflict resolution operation is triggered. You can choose one of these actions to resolve object conflicts.

  • Rename object

    • The _1 suffix is added to the object name and the object is added. You can also specify a new, unique name. This is the default option.
    • The existing object is replaced with the renamed object when you deploy the security policy. The security policy labels are updated, but there's no functional change to the policy.
  • Overwrite with imported value

    • The existing object is replaced with the new object.
    • The new object is updated in all devices when you deploy the security policy. There is no functional change to the policy.
    • The traffic to all devices might be impacted when you update a device from Juniper Security Director Cloud.
  • Keep existing object

    • The existing object name is used.
    • The object content is updated when you deploy the security policy.
    • The traffic to all devices might be impacted because of the different object content.

Object Conflict Resolution Example

This diagram illustrates policy import and object conflict resolution. Existing objects in Juniper Security Director Cloud are displayed under Existing Addresses. Objects on the next‑generation firewall are displayed under Addresses to be Imported.

During the security policy import, object conflict resolution (OCR) compares both sets and flags any name conflicts. The diagram shows three resolution options—Rename object, Overwrite with imported values, or Keep existing object—and the resulting objects are displayed under Addresses Imported after OCR.

Figure 1: Object Conflict Resolution Example
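The Table 1 decision logic, modeled in Python as an added example (this is not Juniper Security Director Cloud code and does not come from the product). It classifies each imported object as added, reused, or conflicting, applies the chosen resolution, and flags the two choices for which the table warns of traffic impact. The function name, report format, uniqueness check, and sample address objects are assumptions constructed for illustration.

```python
# Added illustration of the Table 1 rules; not Juniper Security Director Cloud code.
# Object names and address values below are constructed sample data.
RENAME, OVERWRITE, KEEP = "rename", "overwrite", "keep"


def resolve(existing, imported, choices=None):
    """Merge imported objects (name -> value) into existing ones.

    choices maps a conflicting name to RENAME, OVERWRITE, KEEP, or to a custom
    new name given as (RENAME, "new_name"). Unlisted conflicts use RENAME.
    Returns (merged, report); report[name] = (outcome, may_impact_traffic).
    """
    choices = choices or {}
    merged, report = dict(existing), {}
    for name, value in imported.items():
        if name not in existing:
            merged[name] = value
            report[name] = ("added", False)
        elif existing[name] == value:
            report[name] = ("existing object used", False)
        else:
            choice = choices.get(name, RENAME)
            action, new_name = choice if isinstance(choice, tuple) else (choice, None)
            if action == RENAME:
                new_name = new_name or name + "_1"  # default suffix from Table 1
                if new_name in merged or new_name in imported:
                    raise ValueError(f"{new_name!r} is not unique")
                merged[new_name] = value  # both values survive under different names
                report[name] = (f"renamed to {new_name}", False)
            elif action == OVERWRITE:
                merged[name] = value  # existing value replaced wherever it is used
                report[name] = ("overwritten with imported value", True)
            elif action == KEEP:
                # existing value wins; the imported device's content changes on deploy
                report[name] = ("existing object kept", True)
            else:
                raise ValueError(f"unknown action {action!r}")
    return merged, report


existing = {"web-srv": "10.0.1.10/32", "dns": "10.0.0.53/32", "mgmt": "10.9.0.0/24"}
imported = {"web-srv": "10.0.1.10/32", "dns": "192.0.2.53/32",
            "mgmt": "10.9.8.0/24", "db": "10.0.2.20/32"}

if __name__ == "__main__":
    merged, report = resolve(existing, imported, {"mgmt": KEEP})
    for name, (outcome, impact) in report.items():
        print(f"{name:8} {outcome:35} review traffic impact: {impact}")
```

Entries flagged for traffic impact are the ones to review before deployment, because the object value behind an existing policy reference changes on at least one device.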