Security


Ask questions and share experiences with Juniper Connected Security. Discuss Advanced Threat Protection, SecIntel, Secure Analytics, Secure Connect, Security Director, and all things related to Juniper security technologies.
  • 1.  Security Director Device Change Import

    Posted 03-11-2014 05:27

    Hello, 

    We have been led to believe that with Security Director, if a change is made to the firewall/NAT/IPS policy manually on the device, Space can/will import the change into the device's currently assigned ruleset. But it seems that we can only import the changes into a new policy which contains only the change. 

    Our current scenario is where Security Director Devices shows a firewall's Management Status as "Device Changed." We then select "Import Device Change" which creates a new policy with the same name as the current policy with _## assigned. That policy only includes the changes made on the device.

    Is there any way to import the changes into the current policy? If not, is there a method to merge the two policies to reflect what is currently running on the device?

     

    Thanks in advance!

    M

     

     



  • 2.  RE: Security Director Device Change Import
    Best Answer

    Posted 03-12-2014 01:09

    As far as I know the only way is to import the change as a new policy.

     

    On my Space boxes, I import into a new policy and open the new policy, right click on the imported policy rule, copy the rule into clipboard, then go to the original policy and paste the rule in. Then delete the newly imported policy, i.e. the one I did the copy from.

     

    It is a pain, but it's the only way I have found that works.

     

    After speaking to my Juniper SE, it looks like they are not going to fix this issue any time soon.

     

    Rgds

     

    John

     

     



  • 3.  RE: Security Director Device Change Import

    Posted 03-12-2014 05:12

    Thanks for the feedback! I was pulling my hair out on that one.. 😉 At least now I have confirmation that it behaves as intended.

     

     



  • 4.  RE: Security Director Device Change Import

    Posted 06-23-2015 04:33

    What if you change other stuff like security zones in Security Director? Then it also says "Device changed", and it won't go away, no matter how much I import/deploy etc.

     

    Anyone that has experienced that?



  • 5.  RE: Security Director Device Change Import

    Posted 07-30-2015 04:37

    Same experience here, it is a true pain in the butt.

    Importing the changes and then manually copying and pasting.. 

     

    I think the only solution for your problem, fisk4, is deleting and recreating the device. Is there any word from Juniper if this behaviour will be changed in the future?

     

    To me, this almost renders Security Director unusable. Considering going back to CLI..



  • 6.  RE: Security Director Device Change Import

    Posted 09-15-2015 13:03

    Unfortunately I have to report that the situation is the same with Security Director 141R2.6.

     

    If you see a device in 'device changed' state and you import the change (which was created at the CLI), the result is that you get that single change in a totally separate policy.

     

    I've been presenting this to a customer who wants to be able to change either at the CLI or the GUI, and this single 'feature' has put them off using Security Director completely.  They need to be able to use GUI or CLI at will - a bit like you can with the Trapeze wireless system:  change either, then reconcile the differences.

     

    Quite disappointed!