Juniper NETWORK AND SECURITY MANAGER - RELEASE NOTES REV 3 Release Note



Network and Security Manager Release Notes
December 10, 2010
Revision 3
Contents
Copyright © 2010, Juniper Networks, Inc.
Version Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
New or Changed Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Before You Install NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Solaris Locales . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Upgrade Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Upgrading NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Deprecated Operating System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Important SSL VPN and Infranet Controller Instructions . . . . . . . . . . . . . . . . . . . . . 4
NSM Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Recommended . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Not Recommended . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Maintaining the NSM GUI Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Creating a Self-Signed TLS Certificate Between the NSM Client and the NSM Server . . . . . . . . . . . . . . . . 9
Addressed Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Release 2010.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Release 2010.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Release 2010.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Devices Running ScreenOS and IDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
SRX Series Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
1



Summary of Contents for Juniper NETWORK AND SECURITY MANAGER - RELEASE NOTES REV 3

  • Page 1: Table Of Contents

    SRX Series Services Gateways ........33
  • Page 2 Revision History ........... 39
  • Page 3: Version Summary

    Juniper Networks devices. With NSM, Juniper Networks delivers integrated, policy-based security and network management for all security devices and other Juniper Networks devices in your networks. NSM uses the technology developed for Juniper Networks ScreenOS to enable and simplify management support for previous and current versions of ScreenOS and now for Junos operating system (Junos OS).
  • Page 4: Deprecated Operating System

    If the software version of SA/IC configurations exceeds 5 MB, we recommend a maximum of four devices per job for an appropriately sized Linux or Solaris server running NSM.
  • Page 5 In /usr/netscreen/DevSvr/bin/.devSvrDirectiveHandler, change Xmx1024000000 to Xmx2048000000:

    $LIB_DIR/jre/bin/java -DNSROOT=$NSROOT -DgproDDM=$DEST_DIR -DNSDIR=$DEST_DIR/var/be -DSTART_PATH=$DEST_DIR -DBE_CFG=${CFG_FILE} -DLOG4J_CFG=${LOG4J_CFG_FILE} -XX:PermSize=64M -XX:MaxPermSize=64M -Xms128000000 -Xmx2048000000 com.netscreen.devicecomm.DeviceDirectiveManager -version -repo ${REPO_DEST_DIR} -conf ${SVC_CFG_FILE}

    The servers must be restarted after you change these parameters.
  • Page 6: Setting Up Nsm To Work With Infranet Controller And Infranet Enforcer

    In the global domain, select Device Manager > Devices to list all the devices. Right-click each Infranet Enforcer firewall device and select Delete from the list. On NSM, delete the $infranet instances from the Object Manager: Select Object Manager > Authentication Servers.
  • Page 7 Controller has changed something on the Infranet Enforcer since you last imported the device configuration. NOTE: If you choose not to reimport the configuration, be sure to update the Infranet Controller and Infranet Enforcer at the same time.
  • Page 8: Usage Guidelines For Applying Nsm Templates To Sa And Ic Clusters

    The following list shows the NS and NL configuration settings. All other settings are CG. Node-Specific (NS) Configuration:
    <nsm:path>/ive-sa:configuration/system/log/snmp</nsm:path>
    <nsm:path>/ive-sa:configuration/system/log/events-log-settings/syslog</nsm:path>
    <nsm:path>/ive-sa:configuration/system/log/user-access-log-settings/syslog</nsm:path>
    <nsm:path>/ive-sa:configuration/system/log/admin-access-logsettings/syslog</nsm:path>
    <nsm:path>/ive-sa:configuration/system/log/sensors-log-settings/syslog</nsm:path>
    <nsm:path>/ive-sa:configuration/system/network/network-overview/settings</nsm:path>
    <nsm:path>/ive-sa:configuration/system/network/external-port</nsm:path>
    <nsm:path>/ive-sa:configuration/system/network/internal-port</nsm:path>
    <nsm:path>/ive-sa:configuration/system/network/management-port</nsm:path>
    <nsm:path>/ive-sa:configuration/system/network/vlans</nsm:path>
    <nsm:path>/ive-sa:configuration/system/network/network-hosts</nsm:path>
  • Page 9: Best Practices

    Certificate Authority (CA). To create a self-signed certificate between an NSM server and an NSM client: Download the file CreateCerts.zip from http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/BK14949/CreateCerts.zip Copy the file to the NSM server and unzip it. #unzip createCerts.zip
  • Page 10 :PRINTABLE:'Name of the Organization' commonName :PRINTABLE:'NSM' emailAddress :IA5STRING:'user@example.com' Certificate is to be certified until Aug 3 22:41:04 2019 GMT (3650 days) Write out database with 1 new entries Data Base Updated Certificate was added to keystore
  • Page 11: Addressed Issues

    477726—Using templates to activate an SSG5 device results in the creation of tunnel interfaces with blank names. Because of this, the device cannot be updated. 481066—SRX Series IDP severity level log information is displayed incorrectly in the NSM Log Viewer.
  • Page 12 Series virtual cluster goes down and the secondary device takes the primary role. The workaround is to reconcile inventory. 517009—A Global MIP object cannot be created on the subinterface of a cluster as the subinterface (redundant1) is not being listed in Object Manager.
  • Page 13: Release 2010.2

    Import Needed if you first add the primary and then the secondary device. To change the cluster status to Managed and In Sync, you must import the cluster. To work around this issue, first add the secondary device and then the primary device.
  • Page 14 NSM replies with a JAVA Null pointer exception. 500367—Policy update in NSM fails intermittently, displaying a Java NullPointer Exception. 500769—NSM does not support PPP and PPP-service protocols on J Series devices with a 10.0r1.8 image.
  • Page 15 NSM attempts to unset these options at the next update. 502390—If you use NSM 2009.1 and want to upload either the SA 6.5r2 or IC C3.1r2 software into NSM, you must run a Juniper Networks Update to enable subsequent device software upgrades through NSM.
  • Page 16: Release 2010.1

    ScreenOS 6.X. 405802—NSM does not allow the manual mode setting for interfaces. 406401—NSM Security Explorer does not display top attacks or top attackers when an attack log is created.
  • Page 17 466215—When you install NSM with a custom data directory, NSM changes the ownership and permissions of all files and folders present under the parent directory instead of modifying the custom data directory alone.
  • Page 18 475862—NSM does not provide a means to execute the ScreenOS 6.1 command ‘set flow vpn-tcp-mss’. 475961—The NSM UI hangs indefinitely if the RMA/Activate procedure is not successful. 476808—The SNMP location field should be a member level setting and not a cluster level setting.
  • Page 19 488384—NSM does not delete custom zones defined in separate VSYS devices in separate subdomains. 491156—The NSM error message for duplication of objects is not sufficiently informative. 494878—During a fresh installation of NSM 2009.1r1a, predefined service objects are not converted to xdb.init.
  • Page 20: Known Issues

    Device list table. To work around this issue, execute the Reconcile Inventory directive to synchronize the inventory state of the device. 288993—When you customize a predefined report, guiSvrCli.sh does not generate it correctly and causes subsequent reports to fail.
  • Page 21 NSM database. In NSM 2008.2, the NSM UI connects with the GUI server through port 7808, which is FIPS compliant. When installation is complete, you see the following message: “Please
  • Page 22 396285—Rebooting NSM servers fails in a Solaris 10 environment. You can use either of these workarounds to start or stop an NSM server: run /etc/init.d/guiSvr and /etc/init.d/devSvr as the root user, or run /usr/netscreen/GuiSvr/bin/guiSvr.sh and /usr/netscreen/DevSvr/bin/devSvr.sh as an NSM user. You cannot use this script as the root user.
  • Page 23 NSM, and are limited to 1000 to 65535, unlike in IDP 4.1R3 devices. 439567—Since IDP and ISG devices support multiple services, NSM also allows multiple services to be added in an IDP policy. However since SRX Series devices do not support Copyright © 2010, Juniper Networks, Inc.
  • Page 24 NSMXpress device and enter the same password configured during install. 455944—Under the Route-map, the Metric Options field entries and Local Preference values are not properly displayed on the template. 457072—In NSM, you cannot create node-specific entries for a cluster. Copyright © 2010, Juniper Networks, Inc.
  • Page 25 Route-maps are configured without any entries such as permit/deny, match, set, and Metric Parameters. 464029—NSM incorrectly displays the validation “IP Address can't be unset since it’s being used by VPN” on an IPv6 VPN though the IPv6 address is part of the VPN. Copyright © 2010, Juniper Networks, Inc.
  • Page 26 468189—When migrating from NSM 2008.2R2a to 2009.1, the installer script does not display the version correctly. NSM 2008.2r2a is displayed as 2008.2r2. 472185—The NSM Device monitor and the VPN Monitor are slow to detect changes in state. Copyright © 2010, Juniper Networks, Inc.
  • Page 27 Action fields for AV, UF, and AS logs. Correct information is displayed only for existing Traffic and IDP logs. 484205—Community list commands for Border Gateway Protocols in the device differ from those in the job information. Copyright © 2010, Juniper Networks, Inc.
  • Page 28 497949—NSM incorrectly allows the same user role to be added as both member and non-member of a user group in an IDP policy. 498731—On an ISG1000 cluster running ScreenOS 6.2 or lower, NSM erroneously displays the IPv6 tab on the VSI interface. Copyright © 2010, Juniper Networks, Inc.
  • Page 29 50 MB and a maximum heap size (configured in NSM client) of 768 MB. However, the pulse binary package size is 70 MB and requires 2048 MB of heap memory. Copyright © 2010, Juniper Networks, Inc.
  • Page 30: Ex Series Switches

    It is therefore recommended that you manually remove the LAG interface from the ports associated with this template. 398326—After enabling the automatic import of configuration files on an EX Series switch running Junos OS Releases prior to 9.3R2 and 9.2R3, you need to manually add
  • Page 31: Devices Running Screenos And Idp

    461167—You cannot export device logs using the syslog option from the NSMXpress WebUI. 461181—Updating fails when a policy with web filtering enabled is pushed to a vsys device from NSM. 461986—You cannot generate reports and e-mail them using the email.sh option in the NSMXpress appliance.
  • Page 32: Secure Access Ssl Vpn Sa Series And Unified Access Control Infranet Controllers

    This is seen intermittently. 460586—When a Junos OS SA/IC template is removed from a device, the template values are not retained even if the Retain Template values on removal option is checked.
  • Page 33: Srx Series Services Gateways

    458973—NSM displays validation errors under all occurrences of ‘isis’ node when the Junos OS Release 9.6 schema is applied. This issue is seen on all J Series and SRX Series devices. 460593—The system services RSH and Rlogin are not configurable from NSM.
  • Page 34: Errata And Changes In Documentation For Nsm Release 2010.3

    The following section provides the documentation errata for this release. Errata This section lists outstanding issues with the documentation. Revision 1 of the Network and Security Manager Installation Guide, dated August 2010, contains incorrect information:
  • Page 35 In “Table 26: GUI Server RAM Requirements”. The updated information is as follows:

    Total Configuration Size    GUI Server RAM Required
    Less than 2 MB              4 GB
    Between 2 and 10 MB         4 GB
    Between 10 and 50 MB        6 GB
  • Page 36: Nsm Documentation And Release Notes

    To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/ Documentation Feedback We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation.
  • Page 37: Requesting Technical Support

    7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/...
  • Page 38 CLI before contacting support: user@host> request support information | save filename To provide a core file to Juniper Networks for analysis, compress the file with the gzip utility, rename the file to include your company name, and copy it to .
  • Page 39: Revision History

    Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
