
[Security Director] Understanding object conflict resolution options while importing a firewall policy in Security Director


Article ID: KB34207 KB Last Updated: 07 Jun 2019 Version: 2.0
Summary:

Importing a firewall policy into Junos Space Security Director will trigger object conflict resolution if there are object name conflicts.

This article describes the resolution options that are displayed to users when such a conflict is encountered and what selecting each option would entail.

Symptoms:

During policy import, if objects with the same name but different content exist both on the device being imported and in Junos Space Security Director, the object conflict resolution screen appears.

 

Solution:

Junos Space Security Director uses the object name as the unique identifier for an object (per domain). During policy import, every object on the device is compared by name with the objects in Junos Space Security Director.

  • If the object name does not exist in Security Director, the object is added to Security Director.

  • If the object name exists in Security Director with the same content, the existing object in Security Director is used.

  • If the object name exists in Security Director with different content, the object conflict resolution screen is displayed, providing users with the following selection options:

    • Rename Object

      • This is the safest option.

      • "_1" is added by default to the name, or users can specify a new unique name.

      • Device Preview or Update will delete the original object and add the object with the new name.

      • There is no functional change to the policy (labels only).

    • Overwrite with Imported Value

      • The object is replaced in Security Director with the object from this import operation.

      • No change is seen in Preview for the device imported.

      • The change will appear for all other devices that use this object in the next preview/update.

      • There is no change to the firewall policy.

      • Traffic may be impacted on all other devices that use this object the next time those devices are updated from Junos Space.

    • Keep Existing Object

      • The object in Security Director with this name is used instead of what is on the firewall.

      • Preview/update for the imported firewall policy will show the modification.

      • Traffic may be impacted on this firewall because the content is different in some way.
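The comparison rules and the three resolution options above, modeled as an added Python example (not Security Director code or its API). The device names, the `USAGE` map and all addresses except Address2's 20.20.20.20 and 2.2.2.2 are constructed for illustration.

```python
# Added illustration; models the article's rules, not Security Director code.
# Sample values are constructed; only Address2 (20.20.20.20 vs 2.2.2.2) is from the article.
SD = {"Address1": "10.10.10.10", "Address2": "20.20.20.20",
      "Address3": "30.30.30.30", "Address5": "5.5.5.5"}
DEVICE = {"Address1": "1.1.1.1", "Address2": "2.2.2.2",
          "Address3": "3.3.3.3", "Address4": "4.4.4.4", "Address5": "5.5.5.5"}
USAGE = {"Address2": {"fw-imported", "fw-other"}}   # hypothetical devices per object


def classify(sd, device):
    """Name-based comparison performed during policy import."""
    out = {"add": [], "reuse": [], "conflict": []}
    for name in sorted(device):
        if name not in sd:
            out["add"].append(name)        # name unknown: object is added
        elif sd[name] == device[name]:
            out["reuse"].append(name)      # same name and content: existing object used
        else:
            out["conflict"].append(name)   # same name, different content
    return out


def resolve(sd, device, name, option, imported, usage, new_name=None):
    """Apply one option; return (new SD objects, preview changes, traffic risk)."""
    sd = dict(sd)
    others = sorted(set(usage.get(name, ())) - {imported})
    if option == "rename":
        new_name = new_name or name + "_1"
        if new_name in sd:
            raise ValueError(f"{new_name} is not unique in this domain")
        sd[new_name] = device[name]
        return sd, [imported], []          # label change only, no functional change
    if option == "overwrite":
        sd[name] = device[name]
        return sd, others, others          # surfaces on other devices' next update
    if option == "keep":
        return sd, [imported], [imported]  # SD content replaces the firewall's
    raise ValueError(f"unknown option: {option}")


if __name__ == "__main__":
    print(classify(SD, DEVICE))
    for obj, opt in (("Address1", "keep"), ("Address2", "overwrite"), ("Address3", "rename")):
        _, preview, risk = resolve(SD, DEVICE, obj, opt, "fw-imported", USAGE)
        print(f"{obj}: {opt:9} preview={preview} traffic_risk={risk}")
```

The third return value lists the devices whose enforced content can change, which is the set to review before choosing Overwrite or Keep.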

 

Reminders

  • Objects that are not linked to a policy are imported into Security Director, and then removed from the device configuration as part of a device update.

  • Before viewing the first policy preview in Security Director after device import, ensure that all policies (of each type) are in the published state.

    • Example: If a NAT policy is not published for a device (and has not been previously published), the preview of the firewall policy will show as deleted any object in the NAT policy that is not found in the firewall policy. If the update is performed before the NAT policy is published, those objects are actually deleted.

  • Multiple policies of each type can be assigned to a device. Ensure that all are published before viewing preview or updating the device.

 

Example Captured from Security Director 19.1


Starting Addresses in Space:


Starting Addresses on Device:


Import Selection:



After Import Result in Space:


Notice:
Address1 = No changes
Address2 = Content changed
Address3 = Address3_1 created

 

Device Update Preview for the device that was just imported (Address1):

 

 

Device Update Preview for the device that was just imported (Address2):

Not shown, as there was no change on the imported device.
No preview was captured for a different device that was using the original Address2 value of 20.20.20.20. Its next update would show a modification to 2.2.2.2, similar to the Address1 example above.



Device Update Preview for the device that was just imported (Address3):

Modification History:
2019-06-07: Added Security Director 19.1 Example in Solution Section