Juniper NETWORK AND SECURITY MANAGER - RELEASE NOTES REV 1 Release Note

Network and Security Manager Release Notes
November 18, 2010
Revision 1
Contents
Copyright © 2010, Juniper Networks, Inc.
Version Summary (page 2)
New or Changed Information (page 2)
Before You Install NSM (page 2)
Solaris Locales (page 2)
Upgrade Considerations (page 3)
Upgrading NSM (page 3)
Deprecated Operating System (page 3)
Limitations (page 3)
Important SSL VPN and Infranet Controller Instructions (page 4)
NSM Server (page 4)
Recommended (page 7)
Not Recommended (page 7)
Best Practices (page 8)
Maintaining the NSM GUI Server (page 8)
Creating a Self-Signed TLS Certificate Between the NSM Client and the NSM Server (page 8)
Addressed Issues (page 10)
Known Issues (page 17)
NSM (page 17)
EX Series Switches (page 28)
Devices Running ScreenOS and IDP (page 28)
Controllers (page 29)
SRX Series Services Gateways (page 30)
NSM Documentation and Release Notes (page 31)
Documentation Feedback (page 31)
Requesting Technical Support (page 32)
Revision History (page 33)

Summary of Contents for Juniper NETWORK AND SECURITY MANAGER - RELEASE NOTES REV 1

  • Page 1: Table of Contents

    Revision History (page 33)
  • Page 2: Version Summary

    Juniper Networks devices. With NSM, Juniper Networks delivers integrated, policy-based security and network management for all security devices and other Juniper Networks devices in your networks. NSM uses the technology developed for Juniper Networks ScreenOS to enable and simplify management support for previous and current versions of ScreenOS and now for the Junos operating system (Junos OS).
  • Page 3: Upgrade Considerations

    For EX Series switches—EX Series switches running Junos OS do not support snapshots. Therefore, users should not select the “Backup the current filesystem(s) on the device” check box in the final page of the Install Device Software wizard.
  • Page 4: Important SSL VPN and Infranet Controller Instructions

    Set the shared memory to a minimum of 1 GB (kernel.shmmax = 1073741824) in /etc/sysctl.conf for Linux systems or /etc/system for Solaris systems. In /usr/netscreen/GuiSvr/var/xdb/specs/jax.spec, change Xmx512 to Xmx1024m: :jvm-options ( : ("-DEMBEDDED_JVM=true") : ("-Xms128m") : ("-Xmx1024m") In /usr/netscreen/DevSvr/bin/.devSvrDirectiveHandler, change Xmx1024000000 to Xmx2048000000: $LIB_DIR/jre/bin/java -DNSROOT=$NSROOT -DgproDDM=$DEST_DIR -DNSDIR=$DEST_DIR/var/be -DSTART_PATH=$DEST_DIR
  • Page 5: Setting Up NSM to Work with Infranet Controller and Infranet Enforcer

    On the Infranet Enforcer, select Configuration > Infranet Auth > Controllers. Click New. Enter the parameters as prompted. The password in the second section must be the NACN password you entered in Step 1d. Click OK.
  • Page 6 In the New Device window, provide a name for the device, a color for its icon in NSM, and check Device is Reachable. Follow the instructions in the wizard to add and import the device. Repeat Step 7b through 7d for each Infranet Enforcer device.
  • Page 7: Usage Guidelines for Applying NSM Templates to SA and IC Clusters

    The following list shows the NS and NL configuration settings. All other settings are CG. Node-Specific (NS) Configuration: <nsm:path>/ive-sa:configuration/system/log/snmp</nsm:path> <nsm:path>/ive-sa:configuration/system/log/events-log-settings/syslog</nsm:path> <nsm:path>/ive-sa:configuration/system/log
  • Page 8: Best Practices

    Creating a Self-Signed TLS Certificate Between the NSM Client and the NSM Server A self-signed certificate is a certificate that has not been signed by a third party, such as a well-known Certificate Authority (CA).
  • Page 9 Write out database with 1 new entries Addressed Issues Data Base Updated Using configuration from cfg/openssl.cfg Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'US'
  • Page 10: Addressed Issues

    To work around this issue, first add the secondary device and then the primary device. 403809—Policies cannot be edited as NSM displays a locked by another user message even though another user is not logged in to NSM.
  • Page 11 482421—The BGP neighbor configuration in a ScreenOS cluster without VSD is not accurately synced in NSM. 482988—The NSM calculation of the estimated disk space required for DevSvr logs is inaccurate ( Administer > Server Manager > Servers > Disk and Log Management
  • Page 12 499064—The NSM GUI Server crashes with a Mutex Lock Event. 499642—While performing Get Delta Config Summary and Update directives, NSM reports an error “Failed to acquire lock on device” even when no other user is logged
  • Page 13 NSM attempts to unset these options at the next update. 502390—If you use NSM 2009.1 and want to upload either the SA 6.5r2 or IC C3.1r2 software into NSM, you must run a Juniper Networks Update to enable subsequent device software upgrades through NSM.
  • Page 14 NSM unsets the secondary NSM server IP address from the cluster members. 519004—You cannot select an interface for an imported SRX Series device from the VLAN interface in NSM. NSM displays the following error: “Reference to undefined collection-of-interface-range.”
  • Page 15 (that is, in the release from which you had upgraded). 533763—NSM stops responding at 76 percent when policies are updated on ScreenOS-based ISG-IDP devices.
  • Page 16 550796—If you add a cluster server to NSM after an upgrade from 2008.3 to 2010.2 LGB13z1n33 (with schema 143 and running on RH5 with service pack 5), then the cluster’s secondary server settings are grayed out in NSM.
  • Page 17: Known Issues

    J Series devices. 284698—NSM users that do not have the View Security Policies role can still see the policy node within devices that have their Policy Management Mode set to In-Device.
  • Page 18 FIPS compliant. When installation is complete, you see the following message: “Please note that TCP port 7808 is being used for server-UI communication.” Earlier versions of NSM connected through port 7801, which was not FIPS compliant.
  • Page 19 NSM user. You cannot use this script as the root user. 400850—Physical interfaces do not appear in the PBR policy non-member list if you bind them to the same security zone as the redundant interface.
  • Page 20 IDP policy. However since SRX Series devices do not support multiple services in IDP policies, a device update fails after a service field is changed in the IDP policy.
  • Page 21 455944—Under the Route-map, the Metric Options field entries and Local Preference values are not properly displayed on the template. 457072—In NSM, you cannot create node-specific entries for a cluster. 457242—The graph in myreport displays 0.0.0.0 before displaying the correct IPv6 address.
  • Page 22 VPN” on an IPv6 VPN though the IPv6 address is part of the VPN. 464071—SCTP, UTM, and GTP objects are visible in the expanded display mode after they have been deleted from the policy.
  • Page 23 468189—When migrating from NSM 2008.2R2a to 2009.1, the installer script does not display the version correctly. NSM 2008.2r2a is displayed as 2008.2r2. 472185—The NSM Device monitor and the VPN Monitor are slow to detect changes in state.
  • Page 24 484205—Community list commands for Border Gateway Protocols in the device differ from those in the job information. 484701—When selecting rules in a complex policy (around 1000 rules), the NSM GUI of release 2009.1r1 responds more slowly than in release 2007.3r4.
  • Page 25 498731—On an ISG1000 cluster running ScreenOS 6.2 or earlier, NSM erroneously displays the IPv6 tab on the VSI interface. 498733—The NSM GUI does not provide a check box for enabling Track IP under VSD Group Monitoring for cluster members.
  • Page 26 50 MB and a maximum heap size (configured in NSM client) of 768 MB. However, the pulse binary package size is 70 MB and requires 2048 MB of heap memory.
  • Page 27 562393—When SRX low-end family devices (which have been renamed from 10.2) are added through model or unreachable workflow, the Managed OS version support drop-down list in NSM must display operating systems only up to 10.1. However, the list displays 10.2 and 10.3 too.
  • Page 28: EX Series Switches

    A workaround is to import the device into NSM after you update the IPv6 settings. 454755—ScreenOS does not treat DI profiles as standard shared objects. Hence NSM does not reflect changes in the profiles after you import a device.
  • Page 29: Secure Access SSL VPN SA Series and United Access Control Infranet Controllers

    436750—NSM cannot import an IC if the IC has more than 5100 resource access policies. The import operation does not complete. 455844—Deleting an SA device object from NSM does not remove the object until services are restarted. This is seen intermittently.
  • Page 30: SRX Series Services Gateways

    458973—NSM displays validation errors under all occurrences of ‘isis’ node when the Junos OS Release 9.6 schema is applied. This issue is seen on all J Series and SRX Series devices. 460593—The system services RSH and Rlogin are not configurable from NSM.
  • Page 31: NSM Documentation and Release Notes

    If the information in the latest release notes differs from the information in the documentation, follow the NSM Release Notes. To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/...
  • Page 32: Requesting Technical Support

    7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/...
  • Page 33: Revision History

    Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
