Network and Security Manager Release Notes February 27, 2012 Revision 8

Copyright © 2012, Juniper Networks, Inc.

Network and Security Manager 2010.4 Release Notes

Contents

Version Summary
    New Features
    New or Changed Information
Before You Install NSM
    Solaris Locales
Upgrade Considerations
    Upgrading NSM
    Deprecated Operating System
Limitations
Important SSL VPN and Infranet Controller Instructions
    NSM Server
    Setting Up NSM to Work with Infranet Controller and Infranet Enforcer
    Usage Guidelines for Applying NSM Templates to SA and IC Clusters
        Recommended
        Not Recommended
Best Practices
    Maintaining the NSM GUI Server
    Creating a Self-Signed TLS Certificate Between the NSM Client and the NSM Server
Addressed Issues
    Release 2010.4s3 Patch
    Release 2010.4s2 Patch
    Release 2010.4s1 Patch
    Release 2010.4-q59 Patch
    Release 2010.4
    Release 2010.3
    Release 2010.2
    Release 2010.1
Known Issues
    NSM
    EX Series Switches
    Devices Running ScreenOS and IDP
    Secure Access SSL VPN SA Series and United Access Control Infranet Controllers
    SRX Series Services Gateways
Errata and Changes in Documentation for NSM Release 2010.4
    Errata
NSM Documentation and Release Notes
Documentation Feedback
Requesting Technical Support
Revision History

Version Summary

Juniper Networks Network and Security Manager (NSM) is a software application that centralizes control and management of your Juniper Networks devices. With NSM, Juniper Networks delivers integrated, policy-based security and network management for all security devices and other Juniper Networks devices in your networks. NSM uses the technology developed for Juniper Networks ScreenOS to enable and simplify management support for previous and current versions of ScreenOS and now for the Junos operating system (Junos OS). By integrating management of all Juniper Networks devices, NSM enhances the overall security and manageability of the Internet gateway.

New Features

NSM patch build 2010.4 q21 and later supports the following features for IDP Series 5.1 devices:

• Configuring the port and protocol for sending log messages to the syslog server.
• Assigning the rate limit in Kbps for client-to-server and server-to-client traffic.
• Enforcing the service differentiation value and the rate limit together in an APE rule using the newly introduced Diffserv Marking & Rate Limiting field.
• Enforcing constraints to detect attack patterns within specific sections of the traffic, which results in fewer false positives and improved performance.
• Creating an application group object, which allows you to group predefined and/or custom applications into a single object.
• Extended application objects, which are predefined objects developed by the Juniper Networks Security Center (J-Security Center) and distributed during NSM signature database updates. You can use extended application objects in APE rules if you want to treat various Web 2.0 applications running over HTTP differently.

New or Changed Information

The following list provides the new or changed information for this release:

• NSM supports installation of the NSM client on the Windows 7 (32-bit and 64-bit) operating system. However, before installing the client or updating to the latest schema, make sure that the administrator account is disabled. To disable this account:
  1. From the Start menu, right-click Command Prompt, and select Run as administrator.
  2. Type net user administrator /active:no.




• With Junos OS Release 10.2 and later, the following devices from the SRX family have been renamed:

  SRX Series Devices—Old Name    SRX Series Devices—New Name
  srx210-lm                      srx210b
  srx210-hm                      srx210h
  srx210-poe                     srx210h-poe
  srx100-lm                      srx100b
  srx100-hm                      srx100h
  srx240-lm                      srx240b
  srx240-hm                      srx240h
  srx240-poe                     srx240h-poe

• From the 2010.3 release onward, NSM supports Windows 7 and Windows XP.

Before You Install NSM

Solaris Locales

Before installing NSM on a Solaris server, you must install a specific set of locales and make the appropriate edits to the /etc/default/init file. For more information, see the Network and Security Manager Installation Guide.

Upgrade Considerations

This section contains information about upgrading NSM and deprecated operating systems.

Upgrading NSM

You can upgrade to NSM 2010.4 from the following versions:

• 2008.2RX
• 2009.1RX
• 2010.1
• 2010.2
• 2010.3

NSM 2010.4 supports:

• 3000 low-end devices with 10 user connections
• 300 high-end devices with 25 user connections

Deprecated Operating System

NSM no longer supports ScreenOS version 4.X. You must upgrade your devices to ScreenOS version 5.0 or later. NSM no longer supports Junos OS Release 9.2 or earlier.

Limitations

The following items are known limitations in this version of NSM:

• NSM does not support Junos OS downgrades. However, if you need to downgrade a device, follow these steps:
  1. From the device CLI, downgrade the image. For example:
     root> request system software add reboot
  2. After the downgrade, delete the device from NSM and then add it again.
• For Junos OS J Series and EX Series devices—the NSM Configuration Editor cannot completely validate a configuration that an NSM user has created before sending it to the device. The device validates the configuration when it is pushed as part of the Update Device job and may return validation errors to NSM.
• For Junos OS J Series and SRX Series gateways—NSM does not allow upgrading firmware on multiple branch SRX Series devices. Doing so leads to upgrade failure due to memory constraints.
• For SSL VPN SA and Infranet Controllers—Secure Virtual Workspace (SVW) settings on the SA device cannot be managed with NSM.
• For EX Series switches—EX Series switches running Junos OS do not support snapshots. Therefore, do not select the "Backup the current filesystem(s) on the device" check box on the final page of the Install Device Software wizard.
• If the Allow use of global templates in subdomains option in the Preferences tab is disabled, remove any instances of global templates from the subdomains. If any references to global templates remain in the subdomains, the devices or templates holding those references will not display any value from the global templates.

Important SSL VPN and Infranet Controller Instructions

This section contains setup instructions and template usage guidelines for SSL VPN SA (SA) and Infranet Controller (IC) devices.


NSM Server

• There is no limit to the number of devices that can be simultaneously updated in NSM, provided the configuration size on each device being updated is less than 5 MB. NSM executes updates in parallel across a maximum of eight devices while the remaining update jobs are queued.
• If the SA/IC configuration size exceeds 5 MB, we recommend a maximum of four devices per job for an appropriately sized Linux or Solaris server running NSM.
• Due to hardware limitations on NSMXpress, the recommended limit is two devices per job for SA/ICs running configurations larger than 5 MB.
• The following files on the NSM software server must be edited as described below (no changes are needed for NSMXpress):
  • In /usr/netscreen/GuiSvr/bin/.guiSvrDirectiveHandler, change Xmx10248000000 to Xmx2048000000:

    $LIB_DIR/jre/bin/java -DNSROOT=$NSROOT -DgproGDM=$DEST_DIR -DNSDIR=$DEST_DIR/var/be -DSTART_PATH=$DEST_DIR -DBE_CFG=${CFG_FILE} -DLOG4J_CFG=${LOG4J_CFG_FILE} -XX:PermSize=64M -XX:MaxPermSize=64M -Xms128000000 -Xmx2048000000 com.netscreen.devicecomm.GUIDirectiveManager -version -repo ${REPO_DEST_DIR} -conf ${SVC_CFG_FILE}

  • In /usr/netscreen/GuiSvr/var/xdb/data/DB_CONFIG, change the set_cachesize parameter from 0 256000000 1 to 0 1024000000 4.
  • Set the shared memory to a minimum of 1 GB (kernel.shmmax = 1073741824):
    • in /etc/sysctl.conf on Linux systems
    • in /etc/system on Solaris systems
  • In /usr/netscreen/GuiSvr/var/xdb/specs/jax.spec, change Xmx512 to Xmx1024m:

    :jvm-options (
      : ("-DEMBEDDED_JVM=true")
      : ("-Xms128m")
      : ("-Xmx1024m")

  • In /usr/netscreen/DevSvr/bin/.devSvrDirectiveHandler, change Xmx1024000000 to Xmx2048000000:

    $LIB_DIR/jre/bin/java -DNSROOT=$NSROOT -DgproDDM=$DEST_DIR -DNSDIR=$DEST_DIR/var/be -DSTART_PATH=$DEST_DIR -DBE_CFG=${CFG_FILE} -DLOG4J_CFG=${LOG4J_CFG_FILE} -XX:PermSize=64M -XX:MaxPermSize=64M -Xms128000000 -Xmx2048000000 com.netscreen.devicecomm.DeviceDirectiveManager -version -repo ${REPO_DEST_DIR} -conf ${SVC_CFG_FILE}

The servers must be restarted after you change these parameters.
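As an added example (not Juniper's own tooling), the following POSIX shell script applies the edits listed above to an installation tree under an assumed root prefix, keeps a .bak copy of every file it rewrites, and verifies afterwards that each expected value is in place. The stock values it searches for are the ones quoted in the notes, and the sample tree it builds for a dry run is constructed, not a real NSM installation.

```shell
#!/bin/sh
# Added example: apply and verify the NSM server tuning edits from the release
# notes. ROOT is an assumed prefix ("" for a live server, a scratch directory
# for a dry run) so the edits can be rehearsed before touching /usr/netscreen.
set -u

# File paths are the ones named in the release notes.
GUI_HANDLER='/usr/netscreen/GuiSvr/bin/.guiSvrDirectiveHandler'
DEV_HANDLER='/usr/netscreen/DevSvr/bin/.devSvrDirectiveHandler'
DB_CONFIG='/usr/netscreen/GuiSvr/var/xdb/data/DB_CONFIG'
JAX_SPEC='/usr/netscreen/GuiSvr/var/xdb/specs/jax.spec'
SYSCTL_CONF='/etc/sysctl.conf'
SHMMAX=1073741824   # 1 GB, the minimum the notes require (Linux sysctl form)

# replace_in FILE OLD NEW: substitute OLD (a basic regex) with NEW, keeping
# FILE.bak; refuse to run when FILE is missing or OLD is not present, so a
# system that does not match the notes' stock values is left untouched.
replace_in() {
    f="$1"; old="$2"; new="$3"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    grep -q -- "$old" "$f" || { echo "pattern not found in $f: $old" >&2; return 1; }
    sed -i.bak "s|$old|$new|" "$f"
}

# tune_nsm_server ROOT: apply every edit from the notes under prefix ROOT.
tune_nsm_server() {
    root="$1"
    replace_in "$root$GUI_HANDLER" '-Xmx10248000000' '-Xmx2048000000' &&
    replace_in "$root$DEV_HANDLER" '-Xmx1024000000' '-Xmx2048000000' &&
    replace_in "$root$DB_CONFIG" 'set_cachesize 0 256000000 1' 'set_cachesize 0 1024000000 4' &&
    replace_in "$root$JAX_SPEC" '-Xmx512m\{0,1\}' '-Xmx1024m' || return 1
    # kernel.shmmax: rewrite an existing setting or append one.
    sc="$root$SYSCTL_CONF"
    if grep -q '^kernel\.shmmax' "$sc" 2>/dev/null; then
        sed -i.bak "s|^kernel\.shmmax.*|kernel.shmmax = $SHMMAX|" "$sc"
    else
        printf 'kernel.shmmax = %s\n' "$SHMMAX" >> "$sc"
    fi
}

# verify_nsm_tuning ROOT: exit 0 only if all five expected values are present;
# each missing one is reported on stderr.
verify_nsm_tuning() {
    root="$1"; rc=0
    for pair in "$GUI_HANDLER|-Xmx2048000000" "$DEV_HANDLER|-Xmx2048000000" \
                "$DB_CONFIG|set_cachesize 0 1024000000 4" "$JAX_SPEC|-Xmx1024m" \
                "$SYSCTL_CONF|kernel.shmmax = $SHMMAX"; do
        file="$root${pair%%|*}"; want="${pair#*|}"
        grep -qF -- "$want" "$file" 2>/dev/null || { echo "not tuned: $file ($want)" >&2; rc=1; }
    done
    return $rc
}

# make_sample_tree DIR: constructed stand-ins for the five files, carrying the
# stock values the notes say to change. For dry runs only; not real NSM files.
make_sample_tree() {
    d="$1"
    mkdir -p "$d/usr/netscreen/GuiSvr/bin" "$d/usr/netscreen/DevSvr/bin" \
             "$d/usr/netscreen/GuiSvr/var/xdb/data" "$d/usr/netscreen/GuiSvr/var/xdb/specs" "$d/etc"
    printf '%s\n' '$LIB_DIR/jre/bin/java -Xms128000000 -Xmx10248000000 com.netscreen.devicecomm.GUIDirectiveManager' > "$d$GUI_HANDLER"
    printf '%s\n' '$LIB_DIR/jre/bin/java -Xms128000000 -Xmx1024000000 com.netscreen.devicecomm.DeviceDirectiveManager' > "$d$DEV_HANDLER"
    printf '%s\n' 'set_cachesize 0 256000000 1' > "$d$DB_CONFIG"
    printf ':jvm-options (\n  : ("-DEMBEDDED_JVM=true")\n  : ("-Xms128m")\n  : ("-Xmx512m")\n' > "$d$JAX_SPEC"
    printf '%s\n' 'kernel.shmmax = 33554432' > "$d$SYSCTL_CONF"
}
```

For a rehearsal, source the file and run `d=$(mktemp -d); make_sample_tree "$d"; tune_nsm_server "$d" && verify_nsm_tuning "$d"`; on the server itself call `tune_nsm_server ""` and `verify_nsm_tuning ""`, then restart the services as the notes require.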

Setting Up NSM to Work with Infranet Controller and Infranet Enforcer

A ScreenOS firewall that is managed by NSM can also be configured as an Infranet Enforcer in a UAC solution. To prevent conflicts between NSM and the Infranet Controller, configure these firewall devices as follows:

1. On the Infranet Controller, create the Infranet Enforcer instances:
   a. On the Infranet Controller, select UAC > Infranet Enforcer > Connection.
   b. Click New Enforcer.
   c. Enter the information requested in the display.
   d. Enter a password for the NACN password. You will use it again while setting up the Infranet Enforcer. If you are setting up a cluster instead of a single box, enter all the serial numbers in the cluster, one per line.
   e. Click Save Changes.
   f. Repeat Step 1b through Step 1e until all of your Infranet Enforcers have been entered.
2. If you do not have one already, create a CA certificate for each Infranet Enforcer:
   a. Create a certificate signing request (CSR) for an Infranet Controller server certificate, and use the CA certificate to sign the server certificate.
   b. Import the server certificate into the Infranet Controller.
   c. Import the CA certificate into the Infranet Enforcer.
3. On each Infranet Enforcer, create the Infranet Controller instance:
   a. On the Infranet Enforcer, select Configuration > Infranet Auth > Controllers.
   b. Click New.
   c. Enter the parameters as prompted. The password in the second section must be the NACN password you entered in Step 1d.
   d. Click OK.
   e. Repeat Step 3b through Step 3d for all of the Infranet Enforcers.
   f. On the Infranet Controller, select UAC > Infranet Enforcer > Connection and check that all the Infranet Enforcers have been added.
4. On NSM, delete the Infranet Enforcer firewalls from the global domain:
   a. In the global domain, select Device Manager > Devices to list all the devices.
   b. Right-click each Infranet Enforcer firewall device and select Delete from the list.
5. On NSM, delete the $infranet instances from the Object Manager:
   a. Select Object Manager > Authentication Servers.
   b. Right-click each $infranet_n object and select Delete from the list.
   c. Select VPN Manager > VPNs, and check that you do not have any $infranet objects under VPN Manager. These objects are usually deleted automatically when you remove the firewall.
6. Create a new subdomain for the Infranet Enforcers:
   a. Select Tools > Manage Administrators and Domains.
   b. Select the Subdomains tab.
   c. Click the Add icon.
   d. In the New Subdomain dialog box, enter an appropriate name for the subdomain so you know what it will be used for, and then click OK.
   e. From the drop-down list at the top left side, select your new domain. The new domain is empty, but it can use objects from the global domain. If you do not remove the $infranet instances from the main domain, you risk having duplicate $infranet names. In addition, add a Single Infranet Enforcer or Infranet Enforcer Cluster.
   f. Repeat Step 5 and Step 6 for every Infranet Enforcer or Infranet Enforcer Cluster you need to add to NSM. When finished, you should see $infranet instead of $infranet_# in each of the domains except global.
7. In NSM, add the Infranet Enforcer objects to the new domain:
   a. Select Device Manager > Devices.
   b. Click the Add icon, and then select Device to start the Add Device Wizard.
   c. In the New Device window, provide a name for the device and a color for its icon in NSM, and check Device is Reachable.
   d. Follow the instructions in the wizard to add and import the device.
   e. Repeat Step 7b through 7d for each Infranet Enforcer device.

You must reimport the configuration each time you use an Infranet Enforcer. Otherwise, a NACN password mismatch is possible because the Infranet Controller dynamically changes this password periodically. It is also good practice to run "Summarize Delta Config" and ensure that no $infra policies are present. If there are, the Infranet Controller has changed something on the Infranet Enforcer since you last imported the device configuration.

NOTE: If you choose not to reimport the configuration, be sure to update the Infranet Controller and Infranet Enforcer at the same time.

Usage Guidelines for Applying NSM Templates to SA and IC Clusters

SA/IC cluster configuration data is composed of Cluster Global (CG), Node-Specific (NS), and Node-Local (NL) data, which are abstracted in NSM as cluster objects and cluster member objects. The cluster object contains only CG data, while the cluster member object contains NS and NL data. Template promotion and application to clusters should be compliant with the cluster abstraction.

Recommended

• Templates that are applied to cluster objects should only include CG data. Templates that are applied to cluster member objects should only include NS/NL data. These guidelines apply to templates that are created from scratch or through promotion.
• To replicate the configuration from one cluster (source) to another cluster (target) through templates, promote the configuration from the source cluster object to a cluster template, and then apply that template to the target cluster object.
• To replicate the configuration from one cluster member (source) to another cluster member (target), promote the configuration from the source cluster member object to a member template, and then apply that template to the target cluster member object.

Not Recommended

• Do not apply any template that contains NS/NL data to a cluster object. Applying a template that contains NS/NL data can result in unexpected UI behavior and update results (for example, NS/NL data from the template being ignored, or NS/NL data in cluster objects being invisible).
• Do not apply any template promoted from a cluster object or a standalone device to a cluster member object. Node-specific settings in the template appear in the member object but do not appear in the delta configuration. As a result, these settings appear in the template but are not pushed to the back-end cluster node.

The following list shows the NS and NL configuration settings. All other settings are CG.

Node-Specific (NS) Configuration:
  /ive-sa:configuration/system/log/snmp
  /ive-sa:configuration/system/log/events-log-settings/syslog
  /ive-sa:configuration/system/log/user-access-log-settings/syslog
  /ive-sa:configuration/system/log/admin-access-log-settings/syslog
  /ive-sa:configuration/system/log/sensors-log-settings/syslog
  /ive-sa:configuration/system/network/network-overview/settings
  /ive-sa:configuration/system/network/external-port
  /ive-sa:configuration/system/network/internal-port
  /ive-sa:configuration/system/network/management-port
  /ive-sa:configuration/system/network/vlans
  /ive-sa:configuration/system/network/network-hosts
  /ive-sa:configuration/system/network/network-connect/network-ip-filter
  /ive-sa:configuration/system/clustering/properties/configuration-settings/collection-of-network-settings
  /ive-sa:configuration/users/resource-policies/network-connect-policies/network-connect-node-specific-configuration
  /ive-sa:configuration/authentication/auth-servers/collection-of-auth-server/union-of-ace/active-directory-winnt/settings/advanced/computer-names/ive-name

Node-Local (NL) Configuration:
  /ive-sa:configuration/system/configuration/dmi-agent/enabled
  /ive-sa:configuration/system/configuration/dmi-agent/deviceid
  /ive-sa:configuration/system/configuration/dmi-agent/hmac-key
  /ive-sa:configuration/system/maintenance/push-config/acceptpush

Best Practices

This section contains information about recommended practices when using NSM.

Maintaining the NSM GUI Server

For optimal NSM server performance, follow these maintenance procedures every few months. On the NSM GUI client:

• Delete old entries from the Job Manager in each domain.
• Purge old database versions using Tool > Database Versions.

If the size of the NSM database in /usr/netscreen/GuiSvr/var/xdb continues to increase considerably despite these practices, you can manually remove all domain versions using the procedure documented in KB11731. For details, see http://kb.juniper.net/KB11731.

Creating a Self-Signed TLS Certificate Between the NSM Client and the NSM Server

A self-signed certificate is a certificate that has not been signed by a third party, such as a well-known Certificate Authority (CA).

To create a self-signed certificate between an NSM server and an NSM client:

1. Download the file CreateCerts.zip from http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/BK14949/CreateCerts.zip
2. Copy the file to the NSM server and unzip it:
   # unzip createCerts.zip
3. Edit the file createCerts.sh and modify the section Default certificate generation fields to match your current installation and the contact information of your organization:
   0.organizationName_default
   stateOrProvinceName_default
   localityName_default
   countryName_default
   emailAddress_default - [email protected]
4. Run the shell script:
   # sh createCerts.sh

NOTE: The script produces a certificate whose expiry timestamp is nearly 10 years beyond the current date.

The following is an example of the output when the script is executed:

   [root@nsm/]# sh createCerts.sh
   Enter NSM installation path[/usr/netscreen]>
   Generating RSA private key, 1024 bit long modulus
   ....................++++++
   ...........++++++
   e is 65537 (0x10001)
   Using configuration from cfg/openssl.cfg
   Check that the request matches the signature
   Signature ok
   The Subject's Distinguished Name is as follows
   countryName :PRINTABLE:'US'
   stateOrProvinceName :PRINTABLE:'State'
   localityName :PRINTABLE:'City'
   organizationName :PRINTABLE:'Name of the Organization'
   commonName :PRINTABLE:'NSM'
   emailAddress :IA5STRING:'[email protected]'
   Certificate is to be certified until Aug 3 22:41:04 2019 GMT (3650 days)
   Write out database with 1 new entries
   Data Base Updated
   Using configuration from cfg/openssl.cfg
   Check that the request matches the signature
   Signature ok
   The Subject's Distinguished Name is as follows
   countryName :PRINTABLE:'US'
   stateOrProvinceName :PRINTABLE:'State'
   localityName :PRINTABLE:'City'
   organizationName :PRINTABLE:'Name of the Organization'
   commonName :PRINTABLE:'NSM'
   emailAddress :IA5STRING:'[email protected]'
   Certificate is to be certified until Aug 3 22:41:04 2019 GMT (3650 days)
   Write out database with 1 new entries
   Data Base Updated
   Certificate was added to keystore
   Certificate was added to keystore
   [root@nsm/]#

This step creates four files: root.pem, server.pem, truststore.ts, and keystore.ts.

NOTE: The files truststore.ts and keystore.ts contain private keys and must be protected.

5. On the NSM GUI server, copy the files root.pem and server.pem to /usr/netscreen/GuiSvr/var/certDB/TrustedCA/.
6. On the NSM client, copy the files truststore.ts and keystore.ts to the NSM_GUI_INSTALLATION/security directory. (The default directory is C:\Program Files\Network & Security manager\security.) Note that this must be done on all systems where the client is installed.
7. Restart the NSM GUI server services so that the new certificate is used:
   # /etc/init.d/guiSvr restart
   If using a high availability environment, also execute:
   # /etc/init.d/haSvr restart

Addressed Issues This section includes issues addressed for NSM, ScreenOS, SA Series SSL VPN Appliances, IC Series UAC Appliances, and SRX Series Services Gateways. These release notes contain only NSM-related issues. For a complete list of addressed issues for each device, see the release notes associated with the device.

Release 2010.4s3 Patch

This section describes the following addressed issues in patch release 2010.4s3:

• 578139—NSM deletes nat-source and destination-port on SRX Series devices.
• 578606—Dragging and dropping a device from one rule to another rule using NSM displays the error Devices cannot be assigned to Pre/Post Domain.
• 674368—Validation of the rule name is incomplete while creating policies for an SRX Series device.
• 677161—The SSG20 device is missing from the JXM-1SFP module under the avail_1_sfp_interface section of 6_1.dcf.
• 691651—The Network Profiler tab fails to populate and create the tempTable 'pqtmp134main', and displays an error message.
• 692612—The device update stops at 20 percent and fails with the error message Failed to import inventory data from device. Session 1048581 for service NBIService returns null data!
• 693733—The NSM GUI server crashes and generates core files.
• 698326—Occasionally, the device update fails when updating an SRX Series device using NSM.
• 704138—While updating an SRX Series device using NSM, the update stops and returns an error message indicating a failure while comparing the inventory data on NSM with the inventory data on the SRX Series device.
• 708987—NSM shows random device connection status for EX Series switches.
• 724762—NSM cannot add, delete, or edit devices in a route-based VPN through the VPN Manager.
• 727397—Updating an SRX Series device fails with the error message GenerateEditConfig Failed null.
• 729105—The VPN configuration is unset for a vsys cluster in the NSM 2010.4S1 Release.
• 729649—The Virtual Chassis check box is disabled when adding EX-XRE, EX8216, and EX8208 Series devices.
• 735707—NSM encounters a null pointer exception on the Delta Configuration.
• 736501—Duplicate policies are created on subsequent import of the device.

Release 2010.4s2 Patch

This section describes the following addressed issues in patch release 2010.4s2:

• 515871—Cannot remove the "set auth-server "AAA" src-interface" command from NSM.
• 661020—In NSM 2010.3, Address and Network Group objects should display a warning message if the name field exceeds 31 characters.
• 668867—During a policy push, the error message Too many entries appears because the maximum address or group object limit was exceeded on the ISG device.
• 669613—Some policies in the NSM Policy Manager take too long to load.
• 670681—When creating custom IDP signature groups using the direction filters and the not option (not-s2c or not-c2s), the resulting members include signatures with the s2c or c2s direction.
• 682896—NSM tries to send commands for unsetting and setting the management IP option on every update.
• 685119—When you create a loopback interface on the nsHSC device using an NSM template, an error occurs when you try to update the device.
• 685576—When nesting templates for Junos OS and SRX Series devices, a duplicate name error occurs.
• 685938—When a VPN terminates on an IPv6 interface, an NSM validation error occurs.
• 686460—The NSM GUI freezes when making large changes to policies or groups, or when viewing large content.
• 688993—An incomplete policy update to SA IDP results in a change of the attack object database version.
• 690916—Editing a device or policy in NSM creates multiple _out files, resulting in slow GUI performance.
• 692680—While updating ScreenOS devices, NSM generates the error Capability limit reached on the device.
• 695157—Cannot configure the ntp-server option for a VSI interface.
• 695371—When a service object is created in NSM, the default source port range differs from the range ScreenOS uses when a custom service is created directly on the ScreenOS CLI.
• 698708—Cannot configure the VIP object and related policies because NSM fails to import the IP address of the ADSL interface.
• 704127—Replacing a template disables the interface, IKE, cluster, and IPsec settings.
• 707190—NSM displays a "java.lang.NullPointer exception" error when the Dial-Up VPN Rules option is used in the policy.
• 707194—Cannot delete an unused firewall policy because two of the policies contain references to the same firewall rulebase.
• 707454—NSM does not import the antispam UR profile settings from the device.
• 708127—An incorrect parent interface is displayed for a new subinterface within a vsys.
• 708505—Unable to register an SRX Series device if the IKE preshared key has more than 255 ASCII characters. The guiSvrManager also fails.
• 708605—After adding an SRX Series device running IDP, the "Log Packets" notification in the IDP rule is set unintentionally in both NSM and the SRX device.
• 719632—When rule groups are displayed in a policy, some of the rule numbers are displayed as 0 instead of their correct values.

Release 2010.4s1 Patch

This section describes the following addressed issues in patch release 2010.4s1:

• 492196—Adding or deleting a device from VPN Manager does not change the device configuration status in Device Manager.
• 532163—NSM does not provide any option for monitoring at the interface level on an SSG5 device.
• 607518—Removing a device object does not remove the address map entry from the polymorphic address.
• 613644—NSM tries to send additional OSPF configuration on certain interfaces while configuring the dynamic routing option in a route-based VPN using VPN Manager.
• 667160—The summarize config option produces different output from that of the device, and sometimes the output is missing.
• 669079—Report filters do not provide the expected results in NSM.
• 669650—The device gets disconnected from NSM, indicating an error on the NBI service.
• 671065—The NSM search functionality does not work for searches starting with the letter F.
• 684991—NSM imports the bgroup subinterface as a physical interface, and hence does not list the subinterface in the drop-down list while creating the VSI interface.
• 685036—NSM GUI performance is poor when scrolling through large policies.
• 690366—The devSvr process produces core files frequently.
• 691213—In NSM, the Revert Policy operation does not work when the rule (or rules) to be reverted are in a group.
• 691493—The EX Series device cannot configure the server-reject-vlan option under Dot1x correctly after upgrading to schema 206.
• 692247—NSM does not show the admin who has locked the policy for editing.
• 692687—In NSM, the XRE200 device should not configure the vme.0 interface, as it is not supported. The issue is fixed in the schema, and the fix is available from schema 215 onward.
• 694189—On an ISG2000 device running ScreenOS 5.4, the user-servs maximum value set by NSM is 4096, which exceeds the maximum value of 2048 allowed by the device.
• 695742—Deleting a MIP from the interface takes too long.
• 696336—The NSM Install ID was generated incorrectly after the NSM upgrade.
• 697979—When modifying custom group filters, sometimes all the names disappear.
• 699601—Service and Service Group objects cannot be dragged and dropped from the service table to policy rules.
• 700535—On the NS5400 device, NSM sets the user services to 2048 even though the device allows 4096 user services.
• 701807—User login through RADIUS authentication fails after upgrading NSM to Release 2010.4q56.
• 702221—Audit log and policy versioning show incorrect information after editing rules inside rule groups.
• 702982—The devSvrManager process was producing core files.
• 704906—The NSM delta operation throws java.lang.NullPointerException.
• 708866—A new rule created in an SRX-IDP policy does not get populated in NSM.

Release 2010.4-q59 Patch

This section describes the following addressed issues in patch release 2010.4-q59:

• 480097—NSM cannot add an SRX cluster member to the auto-import configuration list.
• 515871—The "set auth-server "AAA" src-interface" command cannot be removed from NSM.
• 529623—NSM attempts to unset a valid loopback interface and its associated MIP.
• 541862—The NSM UI allows the user to drag and drop any device or cluster inside another cluster.
• 557767—When modeling an SRX210hm with 10.2, the device shows up as SRX210hm instead of SRX210h.
• 571881—A firewall vsys import fails with the error "Error on shared object import: null".
• 573565—When a detector update is performed from the NSM UI, NSM deploys the incorrect detector engine on SRX Series devices.
• 578236—When attempting to update an ISG cluster, NSM displays "JavaLangArrayIndexOutOfBoundsException".
• 584602—NSM VPN Manager configures different preshared keys on ScreenOS devices.
• 596562—Report generation fails because of a memory allocation failure that produces the "log database query failed" error.
• 607431—The NSM UI client hangs when domain pre-rules are edited in the global domain.
• 611492—Exporting an NSM static NAT policy gives unexpected results.
• 613420—In the NSM UI, the Interface menu is missing from Protocol > Dot1x > authenticator > Interface.
• 614014—NSM adds a remote admin user to its admin table with the role information received from RADIUS.
• 614749—NSM cannot push a routing instance name in the Action column of the Static NAT rulebase.
• 665380—NSM does not allow more than three DHCP relay servers to be configured.
• 666850—NSM populates SRX Series device logs with incorrect zone information and rule numbers.
• 667161—The NSM UI client does not work on the Linux platform.
• 668867—During a policy push, NSM exceeds the maximum address group object limit for the ISG Series device, generating a "Too many entries" error.
• 669836—In VPN Manager, the quotation marks are missing around the "set vpn" line.
• 671088—Database versions are created even though domain versioning is disabled.
• 674300—NSM creates a core dump when the troubleshooting option is selected for any device.
• 677486—The Java process consumes 100% of the CPU on an NSMXpress device.
• 681668—The auto config import feature does not add the host rsa-key to the ssh-known-hosts configuration section on EX Series switches.
• 682894—The NSM UI server crashes at random intervals.
• 684964—The log walker process crashes frequently on Solaris because of IPv6 logs.
• 685114—An incorrect l3-interface-name command is sent to the SRX Series device.
• 685126—NSM deletes the L3 interface setting from a VLAN configuration on an SRX210 device.
• 685513—NSM does not indicate which address group exceeds the number of addresses that a device supports.
• 687221—GuiSvrManager crashes when more than one admin user logs in.
• 687733—NSM does not allow more than two non-super users to log in.
• 688340—GuiSvrManager crashes frequently and generates core files.
• 688413—NSM does not send a custom service object to the device.
• 688713—NSM sets the source and destination port values incorrectly on SRX Series devices.
• 690125—NSM tries to delete IDP-related configuration values from a J Series device. This issue is addressed in the schema; the fix is available from the 11.2R3 schema onward.
• 690853—NSM does not configure tunnel interface binding to zones on a vsys.
• 692132—An SRX3600 device cluster cannot be edited because GuiSvrManager crashes and generates a core file.
• 692518—NSM deletes most of the rules in the policy when the device is updated.
• 695163—NSM does not treat the negate option on an address object as a difference when trimming the firewall rulebase.

Release 2010.4

This section describes the addressed issues in 2010.4:

• 448239—Predefined IDP policies cannot be pushed to an SRX Series device. The workaround is to create a custom policy from the predefined policy, and then delete the disabled rule in the custom policy before performing a policy update.
• 454585—E-mail alerts from NSM do not include any attack details for IDP logs.
• 478268—An update to an SRX Series device fails if the Confirmed commit option is enabled in the GUI.
• 489643—Because NSM parses log data incorrectly, the Log Viewer displays inaccurate information in various fields of AV, UF, traffic, and IDP logs.
• 494359—For SRX Series devices configured with VPN, the Delta Config summary shows configuration differences even after a device update.
• 497114—Updates to an SRX3600 device fail because NSM repeatedly displays a hardware OutOfSync message. The workaround is to right-click the device and reconcile inventory manually.
• 499642—While performing the Get Delta Config Summary and Update directives, NSM reports the error "Failed to acquire lock on device" even when no other user is logged in.
• 502893—When VPN Manager is set to generate static routes automatically, it ignores the default route preference set in the corresponding virtual router.
• 512288—After a device import, duplicate objects are created because of a color mismatch between the configuration on the device and the configuration in NSM.
• 515796—The NSM UI displays the virtual chassis option for all OS versions of the low-end SRX devices (SRX100/210/240/650), but the option is not supported on SRX devices running releases earlier than Junos OS Release 10.1.
• 515845—The NSM UI does not display the correct hardware inventory output for devices in an SRX Series virtual cluster.
• 519888—NSM cannot create a single-tunnel-interface VPN using VPN Manager. NSM builds NHTB entries using the egress interface of the end device instead of the tunnel interface.
• 521182—Because NSM does not validate the number of entries in an address group, an SRX Series device update fails if the entries exceed 256.
• 523931—Even though NSM pushes the RADIUS server information to an SRX Series device on every device update, the Delta Config summary shows that this information still needs to be pushed.
• 525134—NSM does not save some changes to the user preferences of users who are authenticated through the RADIUS server.
• 525264—After an upgrade from 2010.1, the detector version information is not imported into the cluster record when you import an ISG-IDP Series root device cluster with its associated vsys members into NSM.
• 525588—Even when a report is filtered on specific event categories, the NSM-generated report also contains information about other event categories.
• 533009—After an upgrade to NSM 2010.2, an SRX device policy update fails if the policy had comments containing spaces in the release you upgraded from.
• 534638—For ISG-IDP Series clusters running 6.1.x, when a root device is updated with a new detector, the detector version is updated only for the root device and not for its vsys members. The resulting detector version mismatch between the vsys members and the root device causes the device update to fail.
• 534943—An SRX device update fails when you push a policy that contains a custom service object using the SQL*Net Version 2 application protocol.
• 535137—During a device update, NSM does not push the maximum bandwidth setting for a firewall policy that has traffic shaping configured, and raises an exception.
• 537273—When you import an SOS cluster device into NSM in root mode, aggregate subinterfaces are displayed as physical interfaces.
• 538908—NSM Policy Manager does not display comments for a rule that has a single service enabled.
• 541154—After an upgrade from 2010.2 to 2010.3, policy names are overwritten with the corresponding policy IDs during a J Series or SRX Series device update.
• 541576—NSM does not support adding more than one physical interface to an aggregate interface on the ns-5000-8G2-G4 card of an NS5000 Series device.
• 541992—The custom phase 2 VPN proposal configuration from Junos OS devices is imported into NSM incorrectly, and NSM does not permit the user to edit it.
• 542616—If an SRX Series device upgrade from NSM fails, you cannot upgrade it again from NSM because of a space limitation. You must manually clear all temporary files that NSM created on the device before upgrading again.
• 542814—The custom phase 1 VPN proposal configuration from Junos OS devices is imported into NSM incorrectly, and NSM does not permit the user to edit it.
• 543140—The NSMXpress Web UI allows users created from the Web UI to log on with an incorrect password.
• 545126—For an SRX Series device, the traffic logs in the NSM Log Viewer contain no information in the Rule ID and Policy ID fields.
• 545225—If Junos OS-based devices (such as SRX Series devices) are configured with policy- or route-based VPNs, the Delta Config summary shows configuration differences for the preshared key even after a device update.
• 547929—With the NSM 2010.2r1-13.1n59 release, adding or editing devices takes longer than in previous releases.
• 549986—The NSM installation script fails if there are multiple tmp partitions on the Solaris server (for example, /tmp and /var/tmp).
• 550796—If you add a cluster server to NSM after an upgrade from 2008.3 to 2010.2 LGB13z1n33 (with schema 143, running on RH5 with service pack 5), the cluster's secondary server settings are grayed out in NSM.
• 552226—Under the Policies > Source NAT tab in NSM, the zone information is not displayed, the source and destination addresses are not selectable, and you cannot select a target for the policy.
• 553746—NSM does not manage address objects with dns-name for SRX Series devices running Junos OS Release 10.2R2 and 10.0R2 images.
• 559528—Within an SOS template, if you assign the same host IP address to the IPv4 and IPv4/IPv6 options under the SNMP Reporting settings, NSM displays a validation error.
• 560765—NSM Log Viewer stops responding and does not display logs when the log-walker has a very large volume of logs to process.

Release 2010.3

This section describes the addressed issues in 2010.3:

• 403809—Policies cannot be edited because NSM displays a "locked by another user" message even though no other user is logged in to NSM.
• 407764—The logs of a subdomain cannot be saved on the first try. The workaround is to quit NSM and then try saving the logs again.
• 413166—NSM displays an error when a MIP with an IP address from a different subnet than the interface IP address is added on a firewall device.
• 459994—In NSM 2007.3r5, DevServer Manager crashes when a PCAP retrieval operation is performed on logs.
• 465850—Uploading the IDP 5.0 image fails in NSM after an upgrade from 2008.2r1 to 2008.2r2.
• 477726—Using templates to activate an SSG5 device creates tunnel interfaces with blank names, and as a result the device cannot be updated.
• 481066—SRX Series IDP severity level log information is displayed incorrectly in the NSM Log Viewer.
• 482421—The BGP neighbor configuration in a ScreenOS cluster without VSD is not synced accurately in NSM.
• 482988—The NSM calculation of the estimated disk space required for DevSvr logs is inaccurate (Administer > Server Manager > Servers > Disk and Log Management).
• 482995—DevSvr logs are not purged after the specified time interval if you set the interval using the NSM GUI (Server Manager > Servers > Device Server > Disk and Log Management > Number of days to retain logs).
• 483416—Accessing the policy options of an existing policy causes the NSM GUI client to lock up, which prevents you from making further changes.
• 486787—You cannot import or manage SRX Series devices after an upgrade. Also, the GuiSvr dumps core if any changes were made using the NSM GUI.
• 489258—The DevSvr crashes while IDP logs are viewed in the Log Viewer.
• 491015—Exporting DevSvr log data to CSV format with the devSvrCli.sh log2action utility produces inconsistent results.
• 495737—When the device software for an imported ScreenOS cluster device is updated, a warning states that the configuration in NSM and the actual device configuration are not in sync, even when they are.
• 503179—Logs are not parsed because of file header corruption, resulting in a devSvrManager crash with a core file.
• 503231—A subinterface cannot be created on a serial interface on the SSG-20 platform because the interface is not displayed in the NSM GUI.
• 505169—When you create a log filter by right-clicking the source or destination address column within a log, NSM creates the filter only for group and host address objects, not for network address objects.
• 507098—A GuiServer Manager core dump occurs when IDP policies are compiled.
• 512215—When an imported firewall cluster configuration is edited, NSM displays the error "Shared zone must be in shared VR." on the zone even if the VR is shared.
• 513335—If an error occurs during an IDP firmware upgrade, the upgrade process continues indefinitely and cannot be stopped. With the 2010.3 release and later, a timeout option is provided to stop this process.
• 513985—During an import of a ScreenOS cluster, the BGP neighbor configuration is imported at the cluster level instead of the member level.
• 514579—PIM-SM settings and other dynamic routing protocols cannot be configured on an imported firewall because the NSM GUI does not display the Protocol section under interfaces when SOS devices are added in cluster mode.
• 516433—NSM displays an out-of-sync message when the primary device in an SRX Series virtual cluster goes down and the secondary device takes over the primary role. The workaround is to reconcile inventory.
• 517009—A Global MIP object cannot be created on the subinterface of a cluster because the subinterface (redundant1) is not listed in Object Manager.
• 517864—During an SRX Series device update, VPN settings configured by VPN Manager are removed from the secondary node of the cluster.
• 518196—If NSM HA is set up with MIP IP addresses and you perform a delta config, NSM unsets the secondary NSM server IP address from the cluster members.
• 519004—You cannot select an interface for an imported SRX Series device from the VLAN interface in NSM. NSM displays the error "Reference to undefined collection-of-interface-range."
• 519395—For ScreenOS 6.3 devices, NSM VPN Manager does not generate proxy-id configurations for VPNs.
• 521126—When a Source NAT update is pushed from NSM to an imported SRX Series device, a reference to the local NSM database is pushed instead of the IP address or address object.
• 525729—When OSPF parameters are configured using a template and then updated on a device, the OSPF ID is not imported when you import the device configuration back into NSM.
• 528500—If you make more than 100 configuration changes in NSM relative to the actual device configuration, Job Manager displays only the first 100 lines.
• 528681—When a polymorphic object is updated to a device, NSM sends the polymorphic object name instead of the address object information.
• 529124—Several NSM windows (such as the Policy, Device edit, and Download schema windows) were too tall, so some buttons and functions within them were inaccessible on normal displays. With the 2010.3 release and later, the windows are resized automatically to fit within the display.
• 532571—If RMA/Activate is performed on a managed Junos OS device, the device cannot connect to NSM after it is rebooted or the Device Server is restarted.
• 533763—NSM stops responding at 76 percent when policies are updated on ScreenOS-based ISG-IDP devices.
• 538643—When you set the interface zone to null, the device update fails because NSM tries to unset the g-arp parameter for that interface.

Release 2010.2

This section describes the addressed issues in 2010.2:

• 228510—If you configure a multi-line banner for a device, verification fails on update.
• 271590—Deleting the system services outbound-ssh stanza does not cause existing connections to be dropped.
• 407541—When you add Junos OS devices in cluster mode through the reachable device workflow, the device status is Import Needed if you add the primary device first and then the secondary device. To change the cluster status to Managed and In Sync, you must import the cluster. To work around this issue, add the secondary device first and then the primary device.
• 420276—VPN monitor does not display an entry for a vsys cluster member if the name of the member is changed.
• 429396—When a user performs a delta configuration after updating the configuration of an SRX Series device using a template, the same configuration data that was pushed to the device during the earlier update is displayed.
• 431656—When a standalone IDP device is added through the unreachable workflow, the device update operation fails.
• 445014—A Java exception error occurs in the GUI after a vsys is modeled with a dot as part of its name.
• 462408—NSM displays "Unable to acquire lock, Locked by admin, Open read-only" when you edit a device. This issue has been observed when editing an ISG2000 cluster member and also on a J6350 device, and it is not always reproducible. The workaround is to restart the GUI Server.
• 466608—NSM unsets the proxy ID of a VPN configured in a template at the first delta after the GUI Server is restarted.
• 468807—Comments are not pushed to the device during a Junos OS device update.
• 483395—After the import admin directive is run, NSM changes other configurations along with the admin accounts.
• 483452—NSM 2009.1r1 randomly fails to recognize certain IDP detector engine versions.
• 483469—Major screen redraw issues occur when NSM is run on Microsoft Vista 32-bit.
• 485458—After adding a device to NSM, if you remove the default route and enable a dynamic routing protocol for that device, NSM displays an error indicating that the management route is missing.
• 486371—GuiServer Manager crashes when the system runs out of memory.
• 495027—A power failure on the active GUI Server causes a 7- to 10-minute delay before the Device Server connects to the active GUI Server.
• 497349—J Series devices cannot be validated through NSM.
• 498554—The HA Server does not stop during system shutdown.
• 498790—NSM unsets vrouter trust-vr on update if a comment is also configured.
• 499064—The NSM GUI Server crashes with a Mutex Lock Event.
• 499688—You cannot use the NSM GUI to remove an IDP platform from a custom IDP attack signature.
• 499748—When a packet capture (pcap) is requested and it contains VLAN traffic, NSM replies with a Java NullPointerException.
• 500367—Policy update in NSM fails intermittently, displaying a Java NullPointerException.
• 500769—NSM does not support the PPP and PPP-service protocols on J Series devices running a 10.0r1.8 image.
• 500838—The timeout value defined in a custom service object is not updated on an SRX Series device.
• 501875—An SRX Series device is shown as down if the primary GUI Server fails over to the secondary and a device connection is not established in extended HA.
• 502166—The NSM GUI crashes while audit log details are viewed.
• 502223—When an NS-5GT in Home-Work port mode with DHCP DNS Options set is imported, NSM attempts to unset these options at the next update.
• 502390—If you use NSM 2009.1 and want to upload either the SA 6.5r2 or IC C3.1r2 software into NSM, you must run a Juniper Networks Update to enable subsequent device software upgrades through NSM.
• 504414—NSM does not allow creation of an rpc-program-number in a custom service object if UDP or TCP services are selected.
• 504457—NSM unsets the lifetime kilobytes value from custom phase 2 proposals after import from a device into NSM.
• 509454—NSM overrides previous rule parameters when a duplicate policy ID is present in a rule.
• 511486—An SRX Series device is displayed as a ScreenOS device in the NSM Device Manager after a schema upgrade to 124.
• 512713—After the import admin directive is run, NSM changes other configurations along with the admin accounts.
• 515794—The new signature language constructs within-bytes, within-packets, and context-check created within a custom signature do not appear within the individual attack object signature set on the device.
• 515797—NSM cannot create a valid custom compound signature attack with the new signature language constructs.
• 516416—An APE rulebase configured with a Custom Application fails to update during an update device operation.
• 516478—NSM incorrectly displays tunnel interfaces in a VPN.
• 516804—An IPv6 configuration imported into NSM immediately shows a delta.
• 518800—NSM overrides previous rule parameters when a duplicate policy ID is present in a rule.
• 523762—Before the NSM 2010.2 release, NSM did not manage SRX Series policy names; when a device was imported and updated, NSM overwrote these policy names with the corresponding NSM policy IDs. With the NSM 2010.2 release and later, these policy names are managed and displayed in the newly introduced Policy Name column.

Release 2010.1

This section describes the addressed issues in 2010.1:

• 236415—NSM erroneously autopopulates interface settings in templates.
• 250830—NSM does not allow you to add SSG500 and SSG500M devices to the same cluster.
• 256770—A template operation directive may incorrectly remove passwords.
• 269588—gl29042 IDP clusters in third-party HA configurations always display a failed status, while IDP clusters in standalone HA installations display the correct status.
• 275084—NSM does not display address objects from the global domain under filtered logs within a subdomain.
• 277921—NSM does not allow you to add both SSG550 and SSG550M devices to the same cluster.
• 283064—DSCP values are not exported when a policy is exported to HTML format.
• 289807—When configured, NSM fails to unset the BGP neighbor route map.
• 290186—NSM does not allow grouping of multicast address objects.
• 294623—In NSM, you can accidentally create a firewall policy with a Policy ID (PID) that is already associated with another policy. If this happens, NSM displays a yellow warning message but allows the action to continue. NSM then renumbers the policy and pushes it to the device, but does not change the PID in the policy list. This can lead to inconsistencies such as a mismatch between policies and PIDs.
• 301001—NSM generates a validation error on subinterfaces based on aggregate interfaces when the bandwidth is greater than 100 Mbps.
• 308927—NSM does not import the negate operator for a DI custom attack.
• 392276—NSM does not remove BGP commands when a tunnel interface is unset.
• 392731—The Search feature is missing some special characters.
• 394395—The NSM GUI does not display traffic logs.
• 397197—During an attack update in NSM, the GuiSvr manager restarts and dumps core.
• 398479—The devSvrLogWalker process crashes frequently.
• 402285—NSM fails to create a MIP on a device, resulting in a device update failure when the MIP is included in a policy rule. The MIP can, however, be created locally on the device and used.
• 405236, ScreenOS PR 408237—NSM does not provide an option for enabling an NTP server on a firewall running ScreenOS 6.X.
• 405802—NSM does not allow the manual mode setting for interfaces.
• 406401—NSM Security Explorer does not display top attacks or top attackers when an attack log is created.
• 411983—NSM attempts to set OSPF retransmit intervals even when the interface is not part of an OSPF area.
• 412776—If you create a custom view from an existing view, the custom view is not saved in the Log Viewer.
• 414615—The NSM GUI is very slow.
• 415598—Importing a firewall into NSM generates a validation error.
• 421675—NSM does not generate unset commands correctly on devices running ScreenOS.
• 436368—NSM displays 'unset interface ethernet0/3 g-arp' in the delta config summary.
• 436779—Editing settings at the member level in NSM deletes settings in multiple clusters.
• 438346—VRRP support for devices running ScreenOS 6.0.
• 438686—Upgrading from ScreenOS Release 5.4 to 6.1 in NSM causes template overrides at the cluster level.
• 438804—Deleting a virtual router from NSM also deletes the virtual router configuration on multiple clusters.
• 441419—NSM 2007.3r5 and NSM 2008 (with the ScreenOS 6.1 schema) do not include the CLI commands set flow vpn-tcp-mss and set flow tcp-mss.
• 442379—Tunnel interfaces belonging to shared virtual routers and zones are not available in the vsys.
• 444462—Updates to devices running JUNOS fail if there are spaces in the name of an address object.
• 451634—NSM incorrectly displays differences immediately after a new policy version is created with the policy versioning tool.
• 453177—When you create a full-mesh route-based VPN in VPN Manager with a numbered tunnel interface and NHTB with next-hop IP enabled, and then delete a device from the VPN setup and add the same device again, NSM generates a validation error on the tunnel interface. The previous NHTB entries are also lost.
• 454594—When GRE over IPsec transport mode is selected for a VPN bound to a tunnel interface, NSM generates an error.
• 459772—When you right-click a device in Device Manager, the software install list is blank.
• 460404—NSM 2008.2r2 does not support the ScreenOS 6.1 MGT zone for modeled SSG5 devices.
• 463817—On a modeled device running JUNOS software, you need to promote a template twice in order to update it. However, after you promote the template, previously edited device settings are erased from the device template.
• 466215—When you install NSM with a custom data directory, NSM changes the ownership and permissions of all files and folders under the parent directory instead of modifying only the custom data directory.
• 466534—When rules are dragged and dropped into rule groups, they appear randomly within the policy instead of within the rule group.
• 466683—NSM generates wrong commands when a zone named 'dmz' is created on an NS5GT device.
• 467638—Setting up a TCP connection to port 7808 and then disconnecting causes many errors in the guidaemon log file.
• 468861—NSM does not allow editing of a vsys device.
• 469070—NSM does not allow a device to be deleted from Device Manager if it was part of a VPN with NHTB enabled.
• 469707—NSM displays an error when a VPN is configured to use an outgoing interface at the cluster level.
• 470179—Changing the IP address of a subinterface with OSPF causes an update failure.
• 470698—NSM does not provide an option for setting 'ssh known host' on SRX Series devices.
• 470709—After importing a configuration from the DHCP server, NSM changes the DHCP configuration and tries to update the DHCP server.
• 470784—NSM does not import the device configuration from a file correctly. Some fields are either not imported or displayed improperly after import.
• 471128—NSM does not display a warning when a comment for an address object exceeds the supported number of characters.
• 471868—On an NS5400 device, NSM displays a warning that the maximum User_Zone value of 1023 is larger than the number of user zones supported by the device.
• 471965—NSM displays a warning when an address object name contains more than 31 characters, even though ScreenOS 5.x permits it.
• 473282—NSM 2007.2r2 does not provide the avail_vip_same-as-untrust option for an SSG550 device running ScreenOS 6.0.
• 473595—An upgrade from NSM 2008.2 to 2009.1 causes API integration errors.
• 473614—NSM does not provide an option for configuring SSH known hosts on J Series routers running JUNOS 9.4 and later.
• 475784—NSM incorrectly displays denied logs from JUNOS 9.6 as permitted/accepted.
• 475824—For an SRX Series device managed by NSM 2009.1r1, the Bytes Total and Packets Total values are miscalculated.
• 475862—NSM does not provide a means to execute the ScreenOS 6.1 command 'set flow vpn-tcp-mss'.
• 475961—The NSM UI hangs indefinitely if the RMA/Activate procedure is not successful.
• 476808—The SNMP location field should be a member-level setting, not a cluster-level setting.
• 477349—If you select the None radio button in the NSM GUI, the context is uninitialized and data is lost. A workaround is to save your data before you click None and then restore the data after you select other options.
• 477575—NSM does not generate encryption commands for SRX Series gateways when AES is chosen as the algorithm.
• 478227—After an RMA, an SRX650 device cannot be activated in unreachable mode.
• 478487—If you remove a VPN created through NSM VPN Manager, NSM fails to remove the tunnel interface from the zone while updating the device configuration, causing a commit failure.
• 480054—NSM does not allow you to set Certificate Authority revocation to None.
• 480114—When a user is created in an SRX Series device template, the template is applied to the device, and the device is updated, NSM always shows differences in the delta config for the encrypted password configured in the template.
• 480558—The NSM UI client freezes when you create and save multiple rule groups.
• 480566—When the DHCP domain is set in a template, the CLI is not updated on an SSG5 device running ScreenOS 6.2.
• 480583—NSM does not provide an option to set policy-based routing on redundant interfaces.
• 482295—NSM unsets the DI pack on a device running ScreenOS if the Base pack is selected.
• 484916—The NSM settings for the minimum and maximum number of packet logs that can be stored on IDP devices need to be modified.
• 485633—NSM does not allow custom ICMP services without code values.
• 485646—During the initial update after a new device is imported, NSM deletes console port configurations from the device.
• 485648—Device updates from NSM fail, erroneously reporting an application timeout.
• 485656—After a new device is imported, NSM tries to change its redundancy group priority value from 1 to 0.
• 485773—NSM incorrectly generates validation errors when group configurations are imported from an SRX Series device.
• 485897—NSM displays a validation error on predefined JUNOS GTP services.
• 488384—NSM does not delete custom zones defined in separate vsys devices in separate subdomains.
• 491156—The NSM error message for duplicate objects is not sufficiently informative.
• 494878—During a fresh installation of NSM 2009.1r1a, predefined service objects are not converted to xdb.init.

Known Issues

This section describes known issues with the current release of NSM. Whenever possible, a workaround is suggested. These release notes contain issues related to NSM only. For a complete list of addressed issues for each device, see the release notes associated with the device.

NSM




266865—When you use NSM to edit the startup information of a device and change the Use Device Server Through MIP setting to Use Default Device Server IP Address and Port or make the opposite change, NSM does not push the change to the device.



277604—Interface configuration screens show more settings than are supported by the actual interface.



277718—When you use NSM to set Antivirus (AV) parameters for a policy on a Juniper Secure Services Gateway (SSG) 300 Series device running ScreenOS 6.0r4, the new setting is not pushed to the device. However, NSM can be used successfully to send AV parameters settings to SSG 140 Series devices running ScreenOS 6.0r4.



277997—Device updates fail when a policy that references address objects for ScreenOS devices is assigned to a J Series device because the address object naming conventions for J Series devices are more restrictive than the naming conventions for ScreenOS devices. For J Series devices, the address object name must be a string that begins with a letter and consists of letters, numbers, dashes, and underscores. For ScreenOS devices, the address object name can include a combination of numbers, characters, and symbols. To ensure that a J Series device can use the Address Objects referenced by the security policy that is assigned to the J Series device, all address objects in that policy must follow the address object naming conventions for J Series devices. If the policy that is assigned to a J Series device contains preexisting address objects for ScreenOS devices, these address objects must be renamed to follow the same address object naming conventions for J Series devices.
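A pre-update check for the naming rule described in 277997, written as an added example (not NSM code or a Juniper tool): it flags address objects in a policy that would fail on a J Series device and proposes collision-free replacement names. The regular expression and the renaming scheme are this example's reading of the stated convention, not something NSM performs.

```python
import re

# J Series address-object naming rule as stated in the release note (277997):
# the name must begin with a letter and contain only letters, digits,
# dashes and underscores. The regex is this example's reading of that rule.
J_SERIES_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")


def is_valid_j_series_name(name: str) -> bool:
    """Return True if an address-object name satisfies the J Series convention."""
    return bool(J_SERIES_NAME_RE.fullmatch(name))


def suggest_j_series_name(name: str) -> str:
    """Derive a J Series-compliant name from a ScreenOS-style name.

    Disallowed characters become underscores, and a name whose first
    character is not a letter is prefixed with 'a_'. This scheme is an
    assumption of the example, not an NSM feature: NSM reports the update
    failure but does not rename objects for you.
    """
    cleaned = re.sub(r"[^A-Za-z0-9_-]", "_", name)
    if not cleaned or not cleaned[0].isalpha():
        cleaned = "a_" + cleaned
    return cleaned


def check_policy_address_objects(names):
    """Check every address object referenced by a policy before the policy
    is assigned to a J Series device.

    Returns a dict mapping each non-compliant name to a suggested
    replacement. Suggestions are de-duplicated against names already in
    the policy so that renaming never silently merges two distinct objects.
    """
    taken = {n for n in names if is_valid_j_series_name(n)}
    renames = {}
    for name in names:
        if is_valid_j_series_name(name):
            continue
        candidate = suggest_j_series_name(name)
        base, counter = candidate, 2
        while candidate in taken:
            candidate = f"{base}_{counter}"
            counter += 1
        taken.add(candidate)
        renames[name] = candidate
    return renames


# Constructed sample: address objects as they might appear in a policy that
# was originally written for ScreenOS devices (not taken from a real policy).
SAMPLE_POLICY_OBJECTS = [
    "web-servers",   # compliant
    "10.1.1.0/24",   # starts with a digit and contains '.' and '/'
    "DMZ Hosts",     # contains a space
    "db_primary",    # compliant
    "DMZ/Hosts",     # sanitizes to the same name as "DMZ Hosts"
]

if __name__ == "__main__":
    for old, new in check_policy_address_objects(SAMPLE_POLICY_OBJECTS).items():
        print(f"rename {old!r} -> {new!r}")
```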




284698—NSM users that do not have the View Security Policies role can still see the policy node within devices that have their Policy Management Mode set to In-Device.



286643—When you create a virtual system device with a ‘.’ in the name, the firmware upgrade fails. The root device will reflect the change, but the virtual system will not.



287814—NSM users with IDP administrator credentials logged into a subdomain can edit shared address objects that are also visible in the global domain.



288309—For J Series routers in an NSM cluster, when the cluster member device reboots and reconnects to NSM, the hardware inventory displays out-of-sync in the Device list table. As a workaround, execute the Reconcile Inventory directive to synchronize the inventory state of the device.



288993—When you customize a predefined report, guiSvrCli.sh does not generate it correctly and causes subsequent reports to fail.



292369—When you create a policy-based VPN and then update the device and import it back into NSM, the VPN rules previously created with VPN Manager and updated to the device are now imported in the new policy created under Policy Manager > Security Policies, and the new policy is assigned to the device. However, if the VPN is subsequently deleted by the user, the VPN and all rules associated with it are removed from the VPN Manager, but not the Policy Manager policy. Before you can successfully update the devices, you must manually delete these VPN rules in the policy under Policy Manager.



292522—On a Secure Access SSL VPN SA Series device, when a user creates a resource profile, updates the device, and tries to add another bookmark, the new bookmark page does not show the Host and Server port values.



295156—On a Secure Access SSL VPN SA Series device, the order of the policies within a SAM policy is not maintained when the SAM policy is edited with the NSM GUI.



295314—After the initial import of a device, the database version feature shows the user who performed the import as ‘unknown.’



299504—When you promote a device with a medium-sized configuration to a template from the root configuration level, you must wait at least 1 minute for the change to take effect before opening the template.



299014—During an upgrade installation, license information is required to complete the installation.



302289—The virtual management Ethernet interface must be set as the management interface on the Virtual Chassis for it to be managed through NSM.



302500—If you perform a firmware upgrade from Junos OS Release 9.0 to 9.1 through the device UI (or CLI) and not through NSM, you must reimport the device in NSM and adjust the operating system (OS) version of the device. To adjust the OS version in NSM, open Device Manager and right-click the device. Select either View/Reconcile Inventory or Adjust-OS Version. Ensure that the OS version running on the device matches the one recorded in the NSM database.



In NSM 2008.2, the NSM UI connects with the GUI server through port 7808, which is FIPS compliant. When installation is complete, you see the following message: “Please note that TCP port 7808 is being used for server-UI communication.” Earlier versions of NSM connected through port 7801, which was not FIPS compliant.

303308—Excessive retry operations can cause a DMI device to malfunction if NSM closes the connection to the device while the device is trying to connect to NSM. When you add a DMI device through the NSM UI, you first add an unreachable device and then use the generated key to configure the device so that the device can initiate the connection to the NSM server. The connection will fail, however, if NSM closes the connection because:

• The device is in the modeled RMA state.

• The device shares a duplicate sequence number with another managed device.

• The platform or device type (cluster member, virtual chassis, and so on) you specified while adding the device does not match the device itself.

You can check for these conditions by examining the Configuration Status in the Device List. If the Configuration Status is RMA, Detected duplicate serial number, Platform mismatch, or Device type mismatch, delete the device immediately from NSM to prevent excessive connection retries from causing a device malfunction, such as exceeding the maxproc limit, or reaching 100 percent CPU utilization. To add the device again, make sure the platform type and device type specified in the device add workflow match those of the device itself.




304406—During an NSM installation in an HA environment, when performing a refresh with the NSM installer or NSMXpress UI, the HA peers may not initialize communication properly. This problem commonly occurs when you migrate from a single NSM server to an HA configuration. The error does not occur when you perform a clean install or an upgrade using the NSM installer.



305451—On a subinterface, the NSM template does not display a data origin icon under the Service Options.



312509—When you configure the Network Address Translation (NAT) rule set on an SRX Series device running Junos OS Release 9.2, it is not imported correctly into NSM.



313889—When you connect 3000 or more devices to NSM, the GUI client freezes for a few minutes because of the large number of notifications from the GUI server.



If you add a Junos OS device to the NSM database through the reachable device workflow, you must enable NETCONF over SSH under system services by running the following command in the device CLI: set system services netconf ssh.



388578—NSM 2008.1r1 does not support SSL-VPN security devices.



394543—When you update the configurations of more than 30 devices together, the update device operation can take up to 10 minutes.



396285—Rebooting NSM servers fails in a Solaris 10 environment. You can use either of these workarounds to start or stop an NSM server:

• Use /etc/init.d/guiSvr and /etc/init.d/devSvr as the root user.

• Use /usr/netscreen/GuiSvr/bin/guiSvr.sh and /usr/netscreen/DevSvr/bin/devSvr.sh as an NSM user. You cannot use these scripts as the root user.




400850—Physical interfaces do not appear in the PBR policy non-member list if you bind them to the same security zone as the redundant interface.



404479—NSM does not list physical interfaces imported to vsys or cluster vsys devices if they are configured in the shared zone. If the interface is not configured in the shared zone, NSM displays it in the interface list.



If you add a Junos OS device to NSM through the unreachable workflow, execute the following commands on the device CLI to enable logging on it:

set system syslog file default-log-messages any
set system syslog file default-log-messages structured-data



404943—When the predefined service ‘any-ip’ is selected in a policy-based VPN and the device is updated, NSM generates an invalid CLI.



406791—After migration from NSM 2008.1R1 to 2008.2, editing a VPN results in a reference error under the manually created NHTB entry in NSM 2008.1R1.



409350—NSM does not support automatic ADM transformation for DMI devices. VPN monitor does not display an entry for the vsys cluster member if the name of the member is changed.



410009—When a large number of devices is discovered, topology discovery displays unconnected devices, connected devices, and links as overlapping each other. The workaround is to manually drag unconnected device icons to free areas in the topology map, or view connected and unconnected devices separately.



422422—With every action, the memory usage of the NSM server increases, and the memory is not freed later.



426324—The NSM guiSvrManager does not scale up to manage 6000 devices. You must limit the number of managed devices to a total of 3500 firewalls and DMI devices with 10K configurations and 5 GUI clients.



434863—VPN manager automatically fills tunnel proxy information for a route-based VPN. However, for external devices, you may want to check the proxy information and change it manually, if required.



436587—In NSM 2008.1, the value of the NHRP field in the vrouter schema is True, thereby enabling NHRP on all vrouters by default. In NSM 2008.2R2, the NHRP default value is False. Migrating from either NSM 2008.1R2 or NSM 2008.2R1 to NSM 2008.2R2 ensures that wrongly enabled vrouters are reset.



437109—If you disable backup during a high availability installation of NSM, manual backups using the replicateDb script in the /usr/netscreen/HaSvr/utils/ directory are also not allowed.



437457—When you update an ICAP profile in a vsys device, the update fails.



438631—When an IDP device is upgraded from 4.1R3 to 5.0, the IDP configuration files are not imported to NSM. This is because the packet capture settings in IDP 5.0 devices are configurable from NSM, and are limited to 1000 to 65535, unlike in IDP 4.1R3 devices.



439567—Since IDP and ISG devices support multiple services, NSM also allows multiple services to be added in an IDP policy. However, since SRX Series devices do not support multiple services in IDP policies, a device update fails after a service field is changed in the IDP policy.




439909—NSM API cannot log in using a user defined inside a subdomain. Login for a subdomain must be specified in the form of "global.subdomainname" instead of just the subdomain name.



402298—When you apply a firewall policy with network address objects to devices running Junos OS, the device update operation in NSM fails, because DMI devices do not support network address objects.



443271—When a device reboots, the hardware-inventory status may be set to out-of-sync in NSM even when there is no change in the device’s hardware. A workaround is to refresh the inventory. The status reverts to in-sync in NSM.



449502—SA devices with HOST CHECKER policies for admin user cannot be added and managed by NSM.



446392—When migrating from 2007.3R1 to 2008.2R2, NSM unsets the loopback and subinterface configurations created in the 2007.3R1 setup. Migration from 2007.3R4 to 2008.2R2 succeeds.



450863—NSM does not display a validation error if an IPv4 address is added to an IPv6 address group using the Replace with option.



450906—When an interface is configured in the IPv6 host/router mode, NSM does not show or generate the interface ID which is generated by default in the device. Instead NSM generates an interface ID randomly.



450964—When you log in to NSM for the first time on the NSMXpress appliance, the System Information page opens first instead of the Install NSM page.



452182—While searching for IPs using the Global Search feature, you can search for a specific IP address and netmask. However, you cannot search for all IP addresses in a particular subnet. You also cannot search for all IPs beginning or ending with a particular number.



452960—To create a multiple IP range DIP, you must configure the extended IP under two options: Device supporting IPv6 and Device not supporting IPv6.



452898—The sequence of nodes under the Network tab changes when an interface is configured. Closing and reopening the interface window restores the original order of nodes.



453968—The Search option under IPv6 and IPv4 policies does not allow you to enter a complete string or word.



454983—The device cannot send the configuration file to the NSM server after a commit. The workaround is to run the passwd cfmuser command as root on the NSMXpress device and enter the same password configured during install.



455944—Under the Route-map, the Metric Options field entries and Local Preference values are not properly displayed on the template.



457072—In NSM, you cannot create node-specific entries for a cluster.




457242—The graph in myreport displays 0.0.0.0 before displaying the correct IPv6 address.



457557—When you log in to NSM as a custom administrator in a custom role with a Create Security Policies privilege and create a new policy with an IPv6 rulebase, a Java Null Pointer error is shown for the rulebase.



458585—NSM does not display a validation error for an invalid Attack Database Server path: Device > Security > Expand Attack DB > Settings.



459052—While creating gateway VPN settings, the NSM update often sends the following commands:

set ike gateway g1 dpd-liveness interval 0
set ike gateway g1 dpd-liveness retry 5
unset ike gateway g1 dpd-liveness always-send
unset ike gateway g1 dpd-liveness reconnect
unset ike gateway g1 nat-traversal



459323—NSM does not display validation error messages for low or high values under Destination or Source ports.



459330—NSM fails to update the PBR match-group, Action-Group, and PBR policy names if the name string contains spaces.



459949—When AVT is enabled on a device, the Profiler is not automatically enabled during a device restart. The workaround is to right-click on the device and select Start profiler.



460492—When installing a system update on RHEL 4.6, you receive a warning for the SE Linux package. However, the installation works.



460645—The default screen view does not display all the options under Devices > Configuration > Update Device Config > ScreenOS and IDP options. The workaround is to extend the length of the window to view all the options.



460894—The NSM Object Manager does not display Zone object details.



461192—NSM displays all the interfaces under the Route-map > Match Interface list instead of displaying only the configured interfaces.



461266—NSM topology displays different icons for the M10i, MX480, J4300, and other routers.



463254—The order of nodes under the Network tab changes if the Transparent mode option is checked for a template. Closing and reopening the template restores the original order of nodes.



463738—When you model a device enabled with a transparent interface, the interface is incorrectly displayed as Route mode in the device configuration, and you cannot edit the mode field.



463788—The NSM UI displays a validation error for Route-map strings when Route-maps are configured without any entries such as permit/deny, match, set, and Metric Parameters.



464029—NSM incorrectly displays the validation “IP Address can't be unset since it’s being used by VPN” on an IPv6 VPN though the IPv6 address is part of the VPN.




464071—SCTP, UTM, and GTP objects are visible in the expanded display mode after they have been deleted from the policy.



464094—NSM allows you to create IPv6-based DIP objects when the IPv6 mode is set to none.



464145—The VPN monitor does not display content for the Local address and Peer address fields.



464404—When existing custom virtual routes are configured using a template, you see a Revert to template/default value option when you right-click on the virtual router name field. If you select this option, the virtual router name becomes a null value and you see a validation error.



464834—In the NSMXpress multi-user access feature, you can map predefined users such as nsm and cfmuser to have access to the WebUI. However, these predefined users cannot log in because they do not have the defined password. We recommend that you do not map predefined users to WebUI users through UNIX authentication.



465023—The quick configuration editor Interfaces page is not refreshed when an interface is edited from a regular config editor. Functional zone tables are not validated when any node under functional zones is configured.



465407—NSM allows you to configure IPv6 options on a device running ScreenOS 6.3 even after IPv6 is disabled on that device.



465748—If you try to download the NSM client from an NSMXpress appliance with a different NSM UI client version, NSM prompts you to download the client from the server, but the download fails. A workaround is to download the client directly from the NSM server (https://ApplianceIP) or change the guiSvrWebProxy.port value to 443 in /var/netscreen/GuiSvr/guiSvr.cfg.



466039—The Interface Quick Configuration landing page usually shows “Could not Create View” for EX Series, MX Series, and SRX Series devices.



466233—After configuration, the routing table of model vsys devices does not display IPv6 route entries. However, the same route entries are visible in the delta config summary and are successfully updated in the device. A workaround is to import the vsys device.



466335—You cannot change the superuser password from the WebUI of an NSMXpress device.



466349—NSM does not filter IPv6 policy rules from the Central Manager during an update to a ScreenOS device that does not support IPv6.



466934—The NSM database backup operation fails to execute from the WebUI on NSMXpress devices. The workaround is to log off, then log back in and execute the operation again.



467745—The NSM 2008.2r2 client often displays an empty device list.



468189—When migrating from NSM 2008.2R2a to 2009.1, the installer script does not display the version correctly. NSM 2008.2r2a is displayed as 2008.2r2.



472185—The NSM Device monitor and the VPN Monitor are slow to detect changes in state.




473963—During a shared disk installation on an NSM appliance, you receive an error message that the password for the Device Server is too short and that the minimum length should be eight characters.



474008—When you install a regional server on a new NSMXpress appliance through the WebUI or nsm_setup, you occasionally see the following message: Stopping NFS statd: [FAILED]. However, the installation is successful.



474518—The check box option for enabling NTP on redundant interfaces within NSM is missing.



475084—You cannot create a user with a UNIX authentication password option in the NSMXpress User list.



477341—Under Security Policies > Shared objects, a fast scroll Screen refresh does not occur properly.



477347—In NSM 2009.X, under Security Policies > Shared objects, the Search feature for services is slower than in previous releases.



477352—After you create an object under Security Policies > Shared objects, NSM takes some time to refresh the screen.



477355—The Junos OS does not validate configurations from NSM.



478484—During a regional server installation on an NSMXpress appliance, you see the following error message at the post-installation tasks stage: "No such file or directory" (/bin/cp: cannot stat `/usr/netscreen/GuiSvr/var/metadata_table.nml': "var/install/NSM-RS). However, the installation is successful.

479624—When you edit virtual routers with large numbers of static routes and ACL entries, the CPU utilization of the NSM GUI is very high.



479859—NSM incorrectly allows you to create address objects called ANY-IPv4 and ANY-IPv6.



480429—Device Statistics do not display policy distribution information.



481088—The SMTP Protocol Anomaly attack object does not contain recommended actions.



481124—A DI signature is displayed as member of the IDP dynamic attack group.



481645—NSM does not set a warning flag for IPv6 address objects containing duplicate networks.



485787—After the migration from 2009.1r1 to 2009.1r1a15 in an NSMXpress/NSM3000 appliance, online recovery partitioning fails from the NSM GUI.



484205—Community list commands for Border Gateway Protocols in the device differ from those in the job information.



484701—When selecting rules in a complex policy (around 1000 rules), the NSM GUI of release 2009.1r1 responds more slowly than in release 2007.3r4.




486191—After an upgrade on NSMXpress, you must manually delete the file nsm-scripti-vals.new if available under the /tmp directory. You must then reconfigure NSMXpress through nsm_setup.



488187—When you install NSM3000, disk partitioning may fail on the first attempt. The workaround is to erase the disk and reinstall the appliance.



489761—In an extended high availability setup, DMI devices do not reconnect to NSM after a GUI server failover. The workaround is to restart the Device server.



493491—The Random-port option is not available when configuring DIP on an interface running ScreenOS.



495586—NSM reorders NAT rules incorrectly on an SRX Series device cluster member.



495927—In the Policy Manager, if you select a rule containing either a source or destination IPv6 address and right-click on it, the Add Address and Filter options are not available. The workaround is to directly right-click on the rule without first selecting it.



496118—NSM fails to update an ISG2000 cluster with a ‘Manage-IP of redundant IP’ configuration.



496177—On an ISG2000 device, updating a physical interface with an IPv6 prefix list fails.



496199—On an IPv6-disabled device, configuring an IPv4 neighbor in BGP causes NSM to wrongly update IPv6 configurations leading to an update failure.



496395—When you apply an OSPF and BGP-enabled template to a device, NSM displays a validation error for the Virtual router ID under VR.



496431—On an ISG2000 device, NSM pushes the redundant interface configuration on every update of the device.



496701—After upgrading an ISG2000 running ScreenOS 6.2 to release 6.3 through the NSM Software Manager, NSM wrongly creates CLI 'set cpu-protection threshold 0', causing updates to fail.



496705—When you configure DIP for an interface in a ScreenOS template, the Wizard is not displayed completely. The workaround is to drag the wizard open completely. On subsequent edits, the wizard opens to the same size as dragged earlier.



496721—After a peer group member is removed from a peer group in BGP and the device is updated, NSM does not delete the member from the group.



497112—If an IDP policy with all filters enabled in a dynamic attack group is pushed to an SRX3600 device, the update fails.



497949—NSM incorrectly allows the same user role to be added as both member and non-member of a user group in an IDP policy.



498731—On an ISG1000 cluster running ScreenOS 6.2 or earlier, NSM erroneously displays the IPv6 tab on the VSI interface.



498733—The NSM GUI does not provide a check box for enabling Track IP under VSD Group Monitoring for cluster members.




499146—After an RMA/Activate of an NS204 device, the NSM server primary interface displays a delta.



499174—When service applications are configured on policies in a Junos OS device template and applied to devices through NSM, the update fails.



499181—The NSM GUI erroneously displays the Gateway Tracking On option for IPv6 destination-based routes. IPv6 routes do not support this feature, causing the update to fail.



501774—When a port template configuration is pushed to an EX Series switch, the Device Connectivity status goes down and then comes back up.



502716—While updating IDP policies on an MX960 router, NSM only updates the name of the policy but not its contents such as address, attacks, action, notification, and so on.



503701—When selecting enforcement points to associate with ICs on an EX Series switch, the NSM GUI does not display the Select Cluster Member option. Drag the window open to see an extra field for selecting IC A/A cluster members.



504876—NSM is unable to connect with EX8216 switches running Junos OS Release 10.0r1.8.



504886—When a device is added through any workflow, NSM requires you to perform an import device config operation before you can view the Advanced > Predefined Service Session cache > Predefined Services option.



505299—Under Device Discovery rules, NSM is unable to discover J4350 and J6350 devices.



506135—NSM does not display variables for a query expression in the filter node under Configuration > System > Log monitoring. You can however, create a query expression in a template where these variables are visible and successfully update a device in NSM with the template.



514022—NSM is unable to delete or disable IPv6 addresses configured on an interface using NSM. You can, however, delete an IPv6 address configured on an interface using the CLI.



514848—Object manager creates duplicate address objects with the same name but different IP addresses.



515487—The loopback interface belonging to a shared zone in a vsys is incorrectly imported into NSM.



516415—NSM imports an IPv6 address object whose domain name has been changed in the device as an IPv4 address object.



516420—Device Monitor does not update the modified device polling time.



517719—NSM is unable to add a Junos OS Pulse binary package. NSM supports a maximum package size of 50 MB and a maximum heap size (configured in NSM client) of 768 MB. However, the pulse binary package size is 70 MB and requires 2048 MB of heap memory.




519447—The Only this Value and Not this Value filters in the Log Viewer do not work for IPv6 Src, Dst, Src NAT, and Dst NAT address objects.



521704—An NSM user is able to delete, from NSM, the user role that the user is currently logged in as.



521930—The Junos OS applications node in templates shows extra options that are not present in the actual device for both predefined and custom applications.



522853—Modification of a modeled vsys configuration does not work on an ISG2000-IDP device.



523092—NSM does not allow selection of the dates of March 29, 30, and 31 while creating a new log report.



523099—NSM displays deleted vsys information.



523176—For log reports, if Columns for Report is selected with IPv6 address fields, the report displays an extra IP 0.0.0.0.



523190—Username and Password text boxes are displayed only when Authentication Type is initially set as Certificate and then set back to Basic.



523484—NSM displays the wrong version number after performing a software upgrade for devices running the Junos OS.



524124—NSM shows the configuration status of a device as Managed,InSync after successfully importing a configuration file exported from the same device. The workaround is to update the device after importing the configuration file.



524216—Predefined Junos OS service objects junos-persistent-nat and junos-stun are not available in NSM.



526007—Resetting to Factory Defaults does not work after performing Offline Update Recovery Partition on an NSM3000 appliance. The workaround is to reinstall the image through USB.



526499—After upgrading to NSM 2010.2, when checking the HA server version, the highAvailSvr process displays the current version as 1.13.1 instead of 2010.2, and also displays old versions.



527833—NSM does not support the ip-monitoring CLI command for high-end SRX Series devices in HA configuration.



532855—The NSM application will not discover all end point devices if complete address forwarding tables (AFT) information is not available.



562393—When SRX low-end family devices (which have been renamed from 10.2) are added through the model or unreachable workflow, the Managed OS version support drop-down list in NSM should display operating systems only up to 10.1. However, the list also displays 10.2 and 10.3.



738793—When an SA cluster member is removed from the IVE device, the corresponding cluster member must also be removed from NSM manually. The cluster member can be added again as a normal device.


EX Series Switches

394552—NSM allows you to apply Layer 2 Uplink port templates on LAG interfaces (port names beginning with ‘ae’). NSM cannot automatically detect whether a LAG interface is deleted from the switch configuration after you apply the port template. It is therefore recommended that you manually remove the LAG interface from the ports associated with this template.



398326—After enabling the automatic import of configuration files on an EX Series switch running Junos OS Releases prior to 9.3R2 and 9.2R3, you need to manually add the NSM Device Server as a known host to the switch. To do this, log in to the EX Series switch through Telnet or SSH and then SSH to the NSM Device Server IP. This adds the NSM Device Server as a known host in the switch. Without this manual intervention, automatic import of config files does not take place from EX Series switches. You do not need to perform this step for EX Series devices running Junos OS Release 9.2R3 or 9.3R2.



398860—If you use LLDP, IP phones connected to 9.2R1.10 EX Series switches are not discovered. You need to upgrade to EX Series 9.2R2.15 or later.



402243—On a virtual chassis, if there is a physical link through the vme0 interface to an adjacent EX Series switch, topology discovery records two links, one from the vme interface and another from the me0 interface.



406887—Topology discovery commits data in small chunks to the database. If one of many such transactions fails, the remaining data is not committed. This could create inconsistent data in the database.



427855—When both master and backup router engines in a grande device are reachable by SNMP, topology discovery displays them as two separate devices in the topology map.



444091—Wrong links are discovered with EX8200 devices with only STP/RSTP. Enable LLDP on all the switches to ensure that links are discovered properly.



446950—Because of a UI issue, NSM incorrectly allows you to create virtual chassis with EX3200-24P. Virtual chassis should be created with EX4200 platforms only.

Devices Running ScreenOS and IDP

• 294030—On an ISG device, sufficient device memory is required to compile the policy during an update from NSM. A policy that specifies All attacks needs 600 MB or more of RAM on the device. The update fails if the amount of RAM is insufficient. Contact JTAC for a workaround.

• 450906—When IPv6 is enabled on an interface in host mode, NSM does not generate an interface ID unless one is configured by the user, whereas ScreenOS does, causing a mismatch. A workaround is to import the device into NSM after you update the IPv6 settings.

• 454755—ScreenOS does not treat DI profiles as standard shared objects. Hence NSM does not reflect changes to the profiles after you import a device.


Network and Security Manager 2010.4 Release Notes



• 458945—NSM cannot manage a device running a ScreenOS version earlier than 6.3 that has an IPv6 configuration. For NSM to manage the device, it must be upgraded to ScreenOS 6.3 and then added to or imported into NSM.

• 461167—You cannot export device logs using the syslog option from the NSMXpress WebUI.

• 461181—Updating fails when a policy with web filtering enabled is pushed to a vsys device from NSM.

• 461986—You cannot generate reports and e-mail them using the email.sh option on the NSMXpress appliance.

• 464396—On a modeled ScreenOS root device with a modeled vsys device, NSM does not display the IPv6 option on the modeled vsys.

• 464517—When a rule is added to a policy and the Notify Closed Session option is enabled, NSM shows the ‘unset IDP’ command in the delta configuration. If IDP is enabled on the device, IDP is not actually unset.

• 465144—NSM does not display the option to monitor the IDP security module under the VSD group monitoring section.

• 479370—NSM does not generate dead peer detection configuration for IKE gateways on SRX Series devices.

• 489282—When you update an SSG5 running ScreenOS 6.1, NSM unsets eth0/0 and BGP even when an eth0/0 change is unnecessary and BGP is not enabled. The workaround is to enable BGP on tunnel 1.1.

• 497120—Updating an SRX3600 device with an IDP policy fails, displaying a “Previous commit is in progress” error message. The workaround is to wait several minutes until the back-end commit process has completed.

• 518101—Validating a device fails after adjusting the OS version or updating the software through NSM.

• 521642—NSM displays a delta configuration for ISG devices after the OS version is adjusted from 6.1 to 6.3.

• 522885—While adding SOS devices on an NSM HA server, a DB_EVENT_PANIC error message is displayed and the HA server fails over to the secondary server. This issue is seen occasionally.

• 522890—Editing a ScreenOS cluster device with a device configuration of 275 KB takes approximately 5 minutes.

• 523203—ISG-1000 devices running ScreenOS 6.3r3 display a validation error under the root profile.

Secure Access SSL VPN SA Series and Unified Access Control Infranet Controllers

• 436750—NSM cannot import an IC that has more than 5100 resource access policies. The import operation does not complete.

• 455844—Deleting an SA device object from NSM does not remove the object until services are restarted. This is seen intermittently.




• 460586—When a Junos OS SA/IC template is removed from a device, the template values are not retained even if the Retain Template values on removal option is checked.

• 465450—While creating a new custom expression under Role mapping, if you choose Directory/Attribute: as any LDAP server in NSM when you configure the User/Admin/MAC Realm General settings, the update to an SA/IC device fails.

• 519756—Creating a new Kerberos Intermediation on an SA device running SA 7.0R1 without assigning a realm displays an error. The workaround is to create a realm and assign it to the default Kerberos Intermediation.

SRX Series Services Gateways

• 395329—NSM cannot update the following attacks to SRX Series devices:

  • All attacks

  • Product filter as part of a dynamic attack group

  • Anomalies as part of a compound attack group

  • Recommended filter as part of a dynamic attack group where the value is set to false

• If your previous NSM release managed IDP devices and you migrate to NSM 2008.2 with FIPS mode enabled, the IDP device connection status is down. You should reconnect all IDP devices to the FIPS-enabled 2008.2 NSM server. This happens because earlier NSM versions used an MD5 hash to store device fingerprints, while FIPS compliance requires SHA-1. However, if the server is migrated to a non-FIPS 2008.2 setup, the devices are connected automatically.

• 430886—To add J Series and SRX Series devices configured in cluster mode, the secondary cluster member needs to be added or imported first, followed by an add or import of the primary device.

• 439305—An SRX Series device update fails because NSM does not drop the invalid IDP policy rule IP-action with the Block option selected. Although NSM displays a warning when you create this particular policy rule, it does not prevent its creation.

• 449045—When deleting SRX family devices, certain Java exception errors are logged to the file gproGDM.log in the GuiSvr error log directory.

• 450626—Update fails on an SRX Series cluster when the Dynamic Db option is selected. The workaround is to disable the Dynamic Db option.

• 452275—VLAN configurations are not applicable to SRX3400, SRX3600, SRX5600, and SRX5800 devices. However, the configuration editor and the quick configuration editor still list the VLAN configurations.

• 458973—NSM displays validation errors under all occurrences of the ‘isis’ node when the Junos OS Release 9.6 schema is applied. This issue is seen on all J Series and SRX Series devices.

• 460593—The system services RSH and Rlogin are not configurable from NSM.




• 461264—At times, an update on an SRX Series device fails with the error message “Previous commit in progress.” This can happen when a previous commit is still being executed on the device in the background, for example during an IDP policy compilation. For a workaround, see http://kb.juniper.net/KB16548. If the error is not due to an IDP policy compilation, the workaround is to add the device again.

• 477359—The private edit mode used in SRX Series clusters does not block NSM.

• 514021—The model number of SRX devices is displayed incorrectly under Hardware Inventory.

• 516144—NSM allows adding an SRX Series virtual chassis as a cluster member.

• 517276—NSM does not display logs for the backup device in an SRX Series virtual chassis in the Log Viewer.

• 517284—IDP Detector Engine update does not work for both devices in an SRX Series virtual cluster.

• 519796—NSM does not display SRX Series virtual chassis details in Device Monitor.

Errata and Changes in Documentation for NSM Release 2010.4

The following section provides the documentation errata for this release.

Errata

This section lists outstanding issues with the documentation.

• In the Network and Security Manager Installation Guide, the sections on installing and upgrading NSM incorrectly refer to the upgrade directory as /tmp. The correct directory is /var/tmp.

• The Network and Security Manager Installation Guide incorrectly shows the minimum system requirements for the operating system as RHEL 32-bit ES/AS 4.0-Update 7 or 32-bit ES/AS 5.0-Update 3 (Minimal and Full Install). The document should show the minimum system requirements for the operating system as RHEL 32-bit ES/AS 4.0-Update 8 or 32-bit ES/AS 5.0-Update 4 (Minimal and Full Install).

NSM Documentation and Release Notes

For a list of related NSM documentation, see http://www.juniper.net/techpubs/software/management/security-manager/ .

If the information in the latest release notes differs from the information in the documentation, follow the NSM Release Notes. To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.


Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected], or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:

• Document name

• Document part number

• Page number

• Software release version

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/customers/support/downloads/710059.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

• JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/




• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html.

If you are reporting a hardware or software problem, issue the following command from the CLI before contacting support:

    user@host> request support information | save filename

To provide a core file to Juniper Networks for analysis, compress the file with the gzip utility, rename the file to include your company name, and copy it to ftp.juniper.net:pub/incoming. Then send the filename, along with software version information (the output of the show version command) and the configuration, to [email protected]. For documentation issues, fill out the bug report form located at https://www.juniper.net/cgi-bin/docbugreport/.

Revision History

18 November 2010—Revision 1, NSM 2010.4
10 December 2010—Revision 2, NSM 2010.4
22 February 2011—Revision 3, NSM 2010.4
13 July 2011—Revision 4, NSM 2010.4
26 October 2011—Revision 5, NSM 2010.4
30 November 2011—Revision 6, NSM 2010.4
05 January 2012—Revision 7, NSM 2010.4
27 February 2012—Revision 8, NSM 2010.4

Copyright © 2012, Juniper Networks, Inc. All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.


Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
