Junos Space Security Director Release Notes 24.1

Introduction

The Junos Space® Security Director application is a powerful and easy-to-use solution that enables you to secure your network by creating and publishing firewall policies, IPsec VPNs, NAT policies, IPS policies, and AppFW.

Note: You need IPS and AppFW licenses to push IPS policies and AppFW signatures to a device.

New and Changed Features

Junos Space Security Director Release 24.1R1

• Support for the SRX1600 firewall (starting in Release Hot Patch 23.1R1).
• Support for the SRX2300 firewall (starting in Release Hot Patch 23.1R1).
• Upgraded Junos Space host Linux OS to Rocky Linux 9.2.
• Upgraded to MySQL v8.
• DNS Filter Support: Allows creation, viewing, modification, deletion, or cloning of DNS filters within Firewall Policy.
• Standalone Policy Enforcer is not supported; migration to Policy Enforcer on Security Director Insights 24.1R1 is required.

Note: Security Director Release 24.1R1 supports only non-FIPS mode.

Note: Security Director Release 24.1R2 supports Security Director Insights Release 24.1 R1 and above versions.

Note: Security Director 24.1R2 Hot Patch v1 is mandatory for Security Director Insights Policy Enforcer 24.1R1 to operate with Security Director Release 24.1R2.

Junos Space Security Director Release 24.1R3

• Support for the SRX4700 Firewall.

Note: High Availability is not supported on Junos Space Security Director for SRX4700 firewall.

• Deprecated Signature Management for Firewall Policies: Introduced Aggregate And Update Lsys Tsys configuration checkbox in Junos Space Network Management Platform.
• Upgraded Elasticsearch to version 6.8.17.

Junos Space Security Director Release 24.1R4

Junos Space Security Director supports sharing of point-to-point st0 logical interface when running IPsec VPN service using the IKED process, providing a migration path from the kmd process. Multiple VPNs objects can be configured to share a point-to-point st0 interface.

Supported Managed Devices

Security Director Release 24.1 can manage the following devices:

• SRX300
• SRX320
• SRX320-POE
• SRX340
• SRX345
• SRX380
• SRX1500
• SRX4100
• SRX4200
• SRX5400
• SRX5600
• SRX5800
• SRX4600
• VSRX
• MX240
• MX480
• MX960
• MX2010
• MX2020

Supported Log Collection Systems

The following log collection systems are supported:

• Log Collector 24.1 (Security Director Insights VM)
• Juniper Networks® Secure Analytics (JSA) Series Virtual Appliance as Log Collector on JSA Release 2014.8.R4 and later
• QRadar as Log Collector on QRadar Release 7.2.8 and later

Note: Starting in Security Director Release 21.1R1, standalone Log Collector and Integrated Log Collector are not supported.

Supported Junos OS Releases

Security Director Release 24.1 supports the following Junos OS releases:

• 19.3
• 19.4
• 20.1
• 20.2
• 20.3
• 20.4
• 21.1
• 21.2R3-S2
• 21.3
• 21.4
• 22.1
• 22.2
• 23.1
• 23.2
• 24.4R1

Note: EoL Junos releases might continue to work, but their support has not been tested.

SRX Series Firewalls require Junos OS Release 12.1 or later to synchronize the Security Director description field with the device.

The logical systems feature is supported only on devices running Junos OS Release 11.4 or later.

Note: To manage an SRX Series Firewall using Security Director, install the matching Junos OS schema on the Junos Space Network Management Platform. Mismatched schemas may display a warning message during the publish preview workflow.

Supported Policy Enforcer and Juniper® Advanced Threat Prevention (ATP) Cloud Releases

Note: Starting in Junos Space Security Director Release 24.1R1, standalone Policy Enforcer is not supported. Migration to Policy Enforcer running on Security Director Insights 24.1R1 is required.

Supported Browsers

Security Director Release 24.1 is best viewed on the following browsers:

• Mozilla Firefox
• Google Chrome

Installation and Upgrade Instructions

Supported Software Versions

Junos Space Security Director is supported only on specific software versions mentioned in Table 2 on page 7.

Installing and Upgrading Security Director Release 24.1R1

Caution: You must install the Junos Space 24.1R1 hot patch v1 before installing or upgrading Junos Space Security Director application.

Junos Space Security Director Release 24.1R1 is supported only on Junos Space Network Management Platform Release 24.1R1 that can run on the following devices:

• Junos Space virtual appliance
• KVM server

Installing and Upgrading Security Director Release 24.1R2

Caution: You must install the Junos Space 24.1R1 hot patch v2 before installing or upgrading Junos Space Security Director application.

Note: Junos Space Network Management Platform Release 24.1R2 is qualified and is compatible with Security Director Release 24.1R2.

Junos Space Security Director Release 24.1R2 is supported only on Junos Space Network Management Platform Release 24.1R1 that can run on the following devices:

• Junos Space virtual appliance
• KVM server

Starting in Junos Space Security Director Release 24.1R2, the following cronjob is added in existing crontab in all JBOSS nodes:

10 1 * * * /var/www/cgi-bin/ApplicationVisibility_DataReduction.sh >/dev/null 2>&1

The cronjob runs every day at 1:10 AM. The ApplicationVisibility_DataReduction.sh script is added in /var/www/cgi-bin.

To purge the Application Visibility database, update APP_VISIBILITY=false to APP_VISIBILITY=true in the ApplicationVisibility_DataReduction.sh script. Purging is triggered only in the VIP node.

Data is retained for 7 days by default. You can modify the retention period using the following parameters in the ApplicationVisibility_DataReduction.sh script:

DAYS_IN_SECONDS_1=86400000
DAYS_IN_SECONDS_7=604800000
DAYS_IN_SECONDS_14=1209600000
DAYS_IN_SECONDS_21=1814400000
DAYS_IN_SECONDS_30=2592000000

Note: MODIFY HERE if needed: Replace Variable in next line for selected time SELECTED_DAYS=$DAYS_IN_SECONDS_7

Installing and Upgrading Security Director Release 24.1R3

Junos Space Security Director Release 24.1R3 is supported on Junos Space Network Management Platform Release 24.1R2 that can run on the following devices:

• Junos Space virtual appliance
• KVM server

Installing and Upgrading Security Director Release 24.1R4

Junos Space Security Director Release 24.1R4 is supported only on Junos Space Network Management Platform Release 24.1R4 that can run on the following devices:

• Junos Space virtual appliance
• KVM server

For more information about installing and upgrading Security Director, see the Security Director Installation and Upgrade Guide.

Loading Junos OS Schema for SRX Series Firewalls

You must download and install the correct Junos OS schema to manage SRX Series Firewalls. To download the correct schema, from the Network Management Platform list, select Administration > DMI Schema, and click Update Schema. See Updating a DMI Schema.

DMI Schema Compatibility for Junos OS Service Releases

The following tables explain how the Junos Space Network Management Platform chooses Device Management Interface (DMI) schemas for devices running Junos OS Service Releases.

If a Junos OS Service Release is installed on your device with a major release version of a DMI schema installed on Junos Space Network Management Platform, Junos Space chooses the latest corresponding major release of DMI schemas, as shown in Table 3 on page 11.

If 18.4R1.8 version is not available, then Junos Space chooses the nearest lower version of DMI schema installed.

If a Junos OS Service Release is installed on your device without a matching DMI schema version in Junos Space Network Management Platform, Junos Space chooses the nearest lower version of DMI schema installed, as shown in Table 4 on page 11.

If 18.4R1.x versions are not available, then Junos Space chooses the nearest lower version of DMI schema installed.

If a Junos OS Service Release is installed on your device without a corresponding DMI schema version in Junos Space Network Management Platform, then Junos Space chooses the nearest lower version of DMI schema installed, as shown in Table 6 on page 12.

For information about Junos OS compatibility, see Junos OS Releases Supported in Junos Space Network Management Platform.

Management Scalability

The following management scalability features are supported in Junos Space Security Director:

• By default, monitor polling is set to 15 minutes and resource usage polling is set to 10 minutes. This polling time changes to 30 minutes for a large-scale data center setup such as one for 200 SRX Series Firewalls managed in Security Director.

Note: You can manually configure the monitor polling on the Administration>Monitor Settings page.

• Security Director supports up to 15,000 SRX Series Firewalls with a six-node Junos Space fabric. In a setup with 15,000 SRX Series Firewalls, all settings for monitor polling must be set to 60 minutes. If monitoring is not required, disable it to improve the performance of your publish and update jobs.
• To enhance the performance further, increase the number of update subjobs thread in the database. To increase the update subjobs thread in the database, run the following command:

#mysql -u <mysql-username> -p <mysql-password> sm_db;
mysql> update RuntimePreferencesEntity SET value=20 where
name='UPDATE_MAX_SUBJOBS_PER_NODE';
mysql> exit

Note: Contact Juniper Support team for MySQL username and password details.

Note: If you use a database dedicated setup (SSD hard disk VMs), the performance of publish and update is better compared with the performance in a normal two-node Junos Space fabric setup.

Known Behavior

This section contains the known behavior and limitations in Junos Space Security Director Release 24.1.

• You can generate a temporary password in Security Director under Administration > Users & Roles > Users by either creating a user or editing a user.
• Make sure you check the Generate check box on the Create User or the Edit User window to create a temporary password.
• After you generate the temporary password in Security Director, you must first log in through Junos Space Network Management Platform GUI and not Security Director GUI.
• When you install a signature to a device, upgrade Application Signatures fails with the message: Updating data-plane with new attack or detector:failed.
• Workaround: Push the IPS policy from Security Director before installing a signature to the root device.
• To discover the tenant devices in Security Director Release 21.2R1, we recommend the schema to be greater than or equal to 20.1R1. You must install the schema before Security Director discovers a tenant device.
• If you configure VPN in Security Director Release earlier to 19.4R1 and upgrade Security Director to Release 20.1R1 and later, IKE ID is displayed blank if IKE ID is defined as Default.
• Security Director does not generate CLIs for deletion if a VPN is already configured in the device and the same device is used for creating another VPN from Security Director.
• In Security Director Release 20.1R1 and later, you must configure a tunnel IP address for DRP. In Security Director Release 19.4R1 and earlier, if you configure VPN as unnumbered with a DRP, you are prompted to provide a tunnel IP address while editing the VPN after upgrading to Security Director Release 20.1R1 and later.
• After upgrade, you cannot edit profiles with predefined proposals because the profiles in Security Director Release 20.1R1 and later support only custom proposals.
• In Security Director Release 19.4R1 and earlier, if you configure a VPN with static routing or a traffic selector with protected network as the zone or interface, you must perform the following tasks:
  1. Before you upgrade to Security Director Release 20.1R1 and later, update the configuration on the device, and delete the VPN policy from Security Director.
  2. After you upgrade, import the VPN configuration.

  Note: In Security Director Release 20.1R1 and later, we support only address objects in protected networks for static routing and traffic selector.

• You must enable the Enable preview and import device change option, which is disabled by default:
  1. Select Network Management Platform > Administration > Applications.
  2. Right-click Security Director and select Modify Application Settings.
  3. From Update Device, select the Enable preview and import device change option.
• If you restart the JBoss application servers manually in a six-node setup one by one, the Junos Space Network Management Platform UI and Security Director UI are launched within 20 minutes. The devices reconnect to Junos Space Network Management Platform. You can then edit and publish the policies. When the connection status and the configuration status of all devices are UP and IN SYNC, respectively, click Update Changes to update all security-specific configurations or pending services on SRX Series Firewalls.
• To generate reports in the local time zone of the server, you must modify /etc/sysconfig/clock to configure the time zone. Changing the time zone on the server by modifying /etc/localtime does not generate reports in the local time zone.
• If the vSRX VMs in NSX Manager are managed in Security Director Release 17.1R1 and Policy Enforcer Release 17.1R1, then after upgrading to Security Director Release 20.3R1 and Policy Enforcer Release 20.3R1, migrate the existing vSRX VMs in NSX Manager from Policy Enforcer Release 17.1R1 to Release 20.3R1.
• To migrate the existing vSRX VMs:
  1. Log in to the Policy Enforcer server by using SSH.
  2. Run the following commands:

  cd /var/lib/nsxmicro
  ./migrate_devices.sh

• If the NSX Server SSL certificate has expired or changed, communication between Security Director and NSX Manager fails, impacting NSX Manager functionality, such as sync NSX inventory and security group update.
• To refresh the NSX SSL certificate:
  1. Log in to Policy Enforcer by using SSH.
  2. Run the following command:

  nsxmicro_refresh_ssl --server <<NSX IP ADDRESS>>--port 443

  This script fetches the latest NSX SSL certificate and stores it for communication between Security Director and NSX Manager.

• In a setup where other applications are installed in Junos Space Network Management Platform along with Security Director, the JBoss PermSize must be increased from 512m to 1024m in the /usr/local/jboss/domain/configuration/host.xml.slave file. Under <jvm name="platform">, change the following values in the <jvm-options> tag:

  <option value="-XX:PermSize=1024m"/>
  <option value="-XX:MaxPermSize=1024m"/>

• When you import addresses through CSV, a new address object is created by appending a_1 to the address object name if the address objects already exists in Security Director.

Known Issues

This section lists the known issues in Junos Space Security Director Release 24.1.

For the most complete and latest information about known Security Director defects, use the Juniper Networks online Junos Problem Report Search application.

• Preferred vs Default Link Usage widget does not show the date for the APBR on App Based Routing page. PR1747794
• A policy analysis report with more than 20000 rules cannot be generated. PR1708393
• SSL certificate error is displayed while analyzing threat prevention policy. PR1648734
• When you use Security Director Insights as a log collector, device selection on Monitor page does not work when a logical system or a tenant system device is selected. PR1621052
• Security Director displays device lookup failed error during preview. PR1617742
• Workaround:
  1. Move the device to RMA state. Navigate to Junos Space Network Management Platform. Select Devices > Device Management. Select a device, right-click and select Device Operations and then select Put in RMA State.
  2. Reactivate the device from RMA state. Navigate to Junos Space Network Management Platform. Select Devices > Device Management. Select a device, right-click and select Device Operations and then select Reactivate from RMA.
• Primary cluster displays the status as DOWN while both devices in the device cluster displays the status as UP. PR1616993
• Workaround:
  1. Move the device to RMA state. Navigate to Junos Space Network Management Platform. Select Devices > Device Management. Select a device, right-click and select Device Operations and then select Put in RMA State.
  2. Reactivate the device from RMA state. Navigate to Junos Space Network Management Platform. Select Devices > Device Management. Select a device, right-click and select Device Operations and then select Reactivate from RMA.
• Security Director does not clear uncommitted logical system or tenant system device management configuration in case of job failure, which causes subsequent updates to fail. You must clear the configuration from space node before proceeding with next update. PR1603146
• Workaround: Navigate to Junos Space Network Management Platform > Devices > Device Management > Modify Configuration > Deploy > Reject Changes.
• Security Director fails to import policies when custom dynamic-applications are configured at root-level and referred in logical system or tenant system policies. PR1602677
• An icon showing OOB changes is seen for firewall and IPS policies, although the corresponding policy changes are not made on the device. PR1484953
• Workaround: Clear the OOB icon on the policies when changes are not made on the device. Navigate to the corresponding policy, and right-click the policy. Select View Device Policy Changes and reject all changes, and then click OK.
• Deployment of cipher list CLI works only when you perform Save, or Save and Deploy. PR1485949
• Workaround: You must save or deploy the selected Cipher list before you view the preview changes.
• An object conflict occurs when you import Web filter profiles with duplicate names, although the values are the same. PR1420341
• Workaround: Select either Overwrite with Imported Value or Keep Existing Object to avoid duplicate objects.
• Junos Space Security Director does not support routing instances and proxy profiles in an antivirus pattern update for the Content Security default configuration. PR1462331
• When you import OOB changes to a logical system device, a job is created for the root device along with the logical system device, although changes are made only in the logical system device. PR1448667
• Import fails when a device is imported only with Content Security custom objects without a Content Security policy. PR1447779
• Workaround: Delete the Content Security custom objects if not used in a policy, or assign a Content Security policy.
• Update fails for unified policies when an SSL proxy profile that is set as global in a device is not used in any policy for that device. PR1407389
• A policy analysis report with a large number of rules cannot be generated. PR1418125
• When a column filter is used, the Deselect all and Clear all options do not clear selected items occasionally. PR1424112
• The Show Unused option is not available for URL categories. PR1431345
• Restart of a single JBoss node does not recover the system even if the issue is present on a single node. PR1478804
• Workaround: Restart all JBoss nodes.
• Clis are not generating for authentication type used in firewall policy profile. PR1787073
• Logging session CLIs are not getting generated for TSYS device. PR1802193

Resolved Issues

Resolved Issues in Junos Space Security Director Release 24.1R1

This section lists the issues fixed in Junos Space Security Director Release 24.1R1:

For the most complete and latest information about resolved issues, use the Juniper Networks online Junos Problem Report Search application.

• When two or more route based VPNs are created in Security Director, the preview changes for the last created VPN does not display the zone and routing instance configuration. PR1806457
• Multiple IKE policy pre-shared-key statements are pushed to the firewall. PR1486055

Resolved Issues in Junos Space Security Director Release 24.1R2

This section lists the issues fixed in Junos Space Security Director Release 24.1R2:

For the most complete and latest information about resolved issues, use the Juniper Networks online Junos Problem Report Search application.

• The user is unable to edit the tunnel settings when creating a route based VPN with multi proxy-ID. PR1770960
• The user is unable to delete the details of users and roles from Security Director. PR1787314
• The Rollback function is not working properly in Security Director. PR1787570
• The Intrusion Detection and Prevention (IDP) policy update is successful, but the SRX Series Firewall CLI failed due to mismatches between node0 and node1 in the NSM-download file. PR1795041
• The Application Visibility page takes longer than usual to display data in Security Director. PR1764875
• Content Security default configuration pushes extra configurations from Security Director. PR1769834
• When you try to either preview, publish, or update a NAT policy configuration, it fails with an error message. PR1818400
• The configuration preview takes longer than usual to complete in Security Director. PR1809047
• Policy based VPN is missing from the security policy rule. PR1821775
• When you try to publish a VPN job in Security Director, it fails with an error message. PR1816247
• IP filter tab search is not working as expected. PR1774699
• The search criteria show incorrect results in Security Director. PR1775496
• IDP packet capture process fails to run on the JBoss VIP node. PR1811578
• The user is unable to login to Security Director with a system generated password. PR1817001
• The user is unable to import the firewall policy in Security Director. PR1816006

Resolved Issues in Junos Space Security Director Release 24.1R4

This section lists the issues fixed in Junos Space Security Director Release 24.1R4:

• The Source Zone category under Web Filtering does not show any data in Security Director GUI. PR1803773
• When the user tries to select the source NAT pool in a sub domain, Security Director displays NAT pools across all sub domains in the drop-down list. PR1825006
• Error while importing variable using CSV in Security Director PR1827777
• The snapshot policy job takes longer than usual to complete after upgrading from Security Director Release 21.3R1 to Security Director Release 23.1R1. PR1829529
• The search functionality does not work properly in Security Director Release 22.2R1 HP v6. PR1825791
• VERIZON SIT LAB - SD Showing incorrect interval values when DPD mode is enabled. PR1872073
• BOEING CANADA | Unable to create security logging nor NTP when selecting multiple devices on SD. PR1877029
• The quick template doesn't list in the profile for the selection after upgrading to 24.1 in Security director. PR1872102
• Security Director Firewall Log Export to CSV Missing Source/Destination Country. PR1883846
• Vulnerabilities reported in Junos Space Security Director. PR1829067

Hot Patch Releases

Junos Space Security Director Release 24.1R2 Hot Patch Release

This section describes the installation procedure and resolved issues in Junos Space Security Director Release 24.1R2 hot patch.

During hot patch installation, the script performs the following operations:

• Blocks the device communication.
• Stops JBoss, JBoss Domain Controller (JBoss-dc), and jmp-watchdog services.
• Backs up existing configuration files and EAR files.
• Updates the Red Hat Package Manager (RPM) files.
• Restarts the watchdog process, which restarts JBoss and JBoss-dc services.
• Unblocks device communication after restarting the watchdog process for device load balancing.

Note: You must install the hot patch on Security Director Release 23.1R1 or on any previously installed hot patch. The hot patch installer backs up all the files which are modified or replaced during hot patch installation.

Installation Instructions

Perform the following steps in the CLI of the JBoss-VIP node only:

1. Download the Security Director 24.1R2 Patch vX from the download site. Here, X is the hot patch version. For example, v1, v2, and so on.
2. Copy the SD24.1R2-hotpatch-vX.tgz file to the /home/admin location of the VIP node.
3. Verify the checksum of the hot patch for data integrity:

md5sum SD24.1R2-hotpatch-vX.tgz

4. Extract the SD24.1R2-hotptach-vX.tgz file:

tar -zxvf SD24.1R2-hotpatch-vX.tgz

5. Change the directory to SD24.1R2-hotpatch-vX.

cd SD24.1R2-hotpatch-vX

6. Execute the patchme.sh script from the SD24.1R2-hotpatch-vX folder:

sh patchme.sh

The script detects whether the deployment is a standalone deployment or a cluster deployment and installs the patch accordingly.

A marker file, /etc/.SD24.1R2-hotpatch-vX, is created with the list of Red Hat Package Manager (RPM) details in the hot patch.

Note: We recommend that you install the latest available hot-patch version, which is the cumulative patch.

Resolved Issues in the Hot Patches

Table 7 on page 23 lists the resolved issues in Security Director Release 24.1R2 hot patch.

Junos Space Security Director Release 24.1R3 Hot Patch Release

This section describes the installation procedure and resolved issues in Junos Space Security Director Release 24.1R3 hot patch.

During hot patch installation, the script performs the following operations:

• Blocks the device communication.
• Stops JBoss, JBoss Domain Controller (JBoss-dc), and jmp-watchdog services.
• Backs up existing configuration files and EAR files.
• Updates the Red Hat Package Manager (RPM) files.
• Restarts the watchdog process, which restarts JBoss and JBoss-dc services.
• Unblocks device communication after restarting the watchdog process for device load balancing.

Note: You must install the hot patch on Security Director Release 23.1R1 or on any previously installed hot patch. The hot patch installer backs up all the files which are modified or replaced during hot patch installation.

Installation Instructions

Perform the following steps in the CLI of the JBoss-VIP node only:

1. Download the Security Director 24.1R3 Patch vX from the download site. Here, X is the hot patch version. For example, v1, v2, and so on.
2. Copy the SD24.1R3-hotpatch-vX.tgz file to the /home/admin location of the VIP node.
3. Verify the checksum of the hot patch for data integrity:

md5sum SD24.1R3-hotpatch-vX.tgz

4. Extract the SD24.1R3-hotptach-vX.tgz file:

tar -zxvf SD24.1R3-hotpatch-vX.tgz

5. Change the directory to SD24.1R3-hotpatch-vX.

cd SD24.1R3-hotpatch-vX

6. Execute the patchme.sh script from the SD24.1R3-hotpatch-vX folder:

sh patchme.sh

The script detects whether the deployment is a standalone deployment or a cluster deployment and installs the patch accordingly.

A marker file, /etc/.SD24.1R3-hotpatch-vX, is created with the list of Red Hat Package Manager (RPM) details in the hot patch.

Note: We recommend that you install the latest available hot-patch version, which is the cumulative patch.

Resolved Issues in the Hot Patches

Table 8 on page 25 lists the resolved issues in Security Director Release 24.1R3 hot patch.

Finding More Information

For the latest, most complete information about known and resolved issues, see the Juniper Networks Problem Report Search application at: http://prsearch.juniper.net.

Juniper Networks Feature Explorer is a Web-based application that helps you to explore and compare feature information to find the correct software release and hardware platform for your network. Find Feature Explorer at: https://apps.juniper.net/feature-explorer/.

Revision History

Copyright © 2025 Juniper Networks, Inc. All rights reserved.

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. and/or its affiliates in the United States and other countries. All other trademarks may be property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.