[Security Director] Policy Profile changes not getting updated. "No configuration changes" while checking delta configuration.

Article ID: KB35884 | KB Last Updated: 10 Jun 2020 | Version: 1.0
Summary:

This article explains how to make a Firewall Policy Profile change take effect using a script.

Symptoms:

By default, SD updates the Firewall Policy Profile assigned to a Policy only if the rules were created from SD. The attached script updates the configuration in the Space database so that Firewall Policy Profile changes can be pushed from SD. Optionally, the script also sets the Rule Option "Inherit Profile from Policy" on the selected policy rules.

Rule Options - "Inherit Profile from Policy" must be selected in each rule for the Policy profile to take effect. Consider a user who has hundreds of rules, with logging configured in every rule from the device command line itself.

Example:

set security policies from-zone trust to-zone untrust policy test then log session-close
set security policies from-zone trust to-zone untrust policy test then count

While importing the firewall policy into SD, all the rules under the imported policy will have the Rule Options "CUSTOM". In this case it is difficult to modify the individual rules to Rule Options - "Inherit Profile from Policy". This script helps in achieving that task.
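Before running the workaround it is useful to know which rules in a policy actually carry per-rule log/count options (the ones the article says import as "CUSTOM") and which do not, because that decides whether option 1 or option 2 of the script is appropriate. The following parser is an added example, not part of the KB article or the attached updateProfile script. It reads Junos "set security policies ... then ..." lines in the same style as the article's example and groups the per-rule log and count options by rule. The zone and policy names in the sample are constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample configuration in the style of the article's example.
# Zone and policy names (trust/untrust, test, web, dns, inbound) are made up.
SAMPLE_CONFIG = """\
set security policies from-zone trust to-zone untrust policy test match source-address any
set security policies from-zone trust to-zone untrust policy test then permit
set security policies from-zone trust to-zone untrust policy test then log session-close
set security policies from-zone trust to-zone untrust policy test then count
set security policies from-zone trust to-zone untrust policy web then permit
set security policies from-zone trust to-zone untrust policy web then log session-init
set security policies from-zone trust to-zone untrust policy dns then permit
set security policies from-zone untrust to-zone trust policy inbound then deny
set security policies from-zone untrust to-zone trust policy inbound then log session-init session-close
"""

# Only "then" statements are of interest; "match" statements are skipped.
RULE_RE = re.compile(
    r"^set security policies from-zone (?P<from>\S+) to-zone (?P<to>\S+) "
    r"policy (?P<name>\S+) then (?P<action>.+)$"
)

# "then" keywords that correspond to per-rule logging/counting, as in the
# article's example ("then log session-close", "then count").
LOGGING_KEYWORDS = ("log", "count")


def audit_rule_logging(config_text):
    """Map (from_zone, to_zone, rule_name) -> sorted list of per-rule log/count options.

    Every rule that has at least one "then" statement appears as a key; a rule
    with no per-rule log/count options maps to an empty list.
    """
    rules = defaultdict(set)
    for raw in config_text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue
        key = (m.group("from"), m.group("to"), m.group("name"))
        rules.setdefault(key, set())  # register the rule even for permit/deny lines
        action = m.group("action")
        if action.split()[0] in LOGGING_KEYWORDS:
            rules[key].add(action)
    return {k: sorted(v) for k, v in rules.items()}


def summarize(rules):
    """Split rules into those with per-rule log/count options and those without.

    Rules in the first group are the ones the article describes as importing
    into SD with Rule Options "CUSTOM"; if the second group is empty, option 1
    (update all rules) is the natural choice, otherwise review before choosing.
    """
    per_rule = {k: v for k, v in rules.items() if v}
    without = [k for k, v in rules.items() if not v]
    return per_rule, without


if __name__ == "__main__":
    found = audit_rule_logging(SAMPLE_CONFIG)
    custom, inherit_ok = summarize(found)
    print("Rules with per-rule log/count options (import as CUSTOM):")
    for (src, dst, name), opts in sorted(custom.items()):
        print(f"  {src} -> {dst} policy {name}: {', '.join(opts)}")
    print("Rules without per-rule log/count options:")
    for src, dst, name in inherit_ok:
        print(f"  {src} -> {dst} policy {name}")
```

Feed it the output of "show configuration security policies | display set" from the device to get the same report for a real policy set; the keyword list only covers log and count, which are the two options the article shows.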

Cause:

This is a limitation in all SD versions. A Problem Report has been created for it. This workaround is applicable until the issue is fixed permanently.

Solution:

Work-around:

  1. Make a backup of the Space database by following the steps in Backing Up the Junos Space Network Management Platform Database. (The process is the same for all Space versions.)
  2. Download the script file updateProfile.zip.
  3. SCP the script file to the server and unzip it there. (Unzipping on the server ensures file integrity.)
    Example:
    unzip updateProfile.zip
  4. Create or use a default Firewall Policy Profile: Security Director > Firewall Policy > Profiles.
  5. Assign the profile to a policy: Security Director > Policy > edit policy > Assign the profile. Do not Publish yet.
  6. Run the script:
    sh updateProfile.sh
    The script asks for two inputs, the Policy name and the Domain name, and then offers the two options described in steps 7 and 8. Choose one as required.
  7. Option 1: All rules under the policy are modified to Rule Options - (Inherit Profile from Policy), and the logging profile change is updated.
    Note: Select 1 when the user wants all rules in the policy to be updated with the new logging profile change in SD.
  8. Option 2: The script updates the logging profile only for those rules in the policy where Rule Options - (Inherit Profile from Policy) is already chosen.
    Note: Select 2 when the user has a custom profile applied to some rules and does not want those rules to be changed in SD.
  9. Once script execution is done, check the preview. If the preview looks good, Publish & Update.

Example with Screenshots:

  1. If a Firewall Policy Profile is not created yet, create one.

  2. Edit the Security Policy and assign the profile.

  3. Check the preview; you may see "No configuration changes". Do not publish yet.

  4. Run the script.

    Preview after running the script:
