Network and Security Manager Release Notes
February 27, 2012
Revision 6

Contents

Version Summary
New or Changed Information
Before You Install NSM
    Solaris Locales
Upgrade Considerations
    Upgrading NSM
    Deprecated Operating System
Limitations
Important SSL VPN and Infranet Controller Instructions
    NSM Server
    Setting Up NSM to Work with Infranet Controller and Infranet Enforcer
    Usage Guidelines for Applying NSM Templates to SA and IC Clusters
        Recommended
        Not Recommended
Best Practices
    Maintaining the NSM GUI Server
    Creating a Self-Signed TLS Certificate Between the NSM Client and the NSM Server
Addressed Issues
    Release 2011.1s3 Patch
    Release 2011.1s2 Patch
    Release 2011.1s1 Patch
    Release 2011.1-a16 Patch
    Release 2011.1
    Release 2010.4
    Release 2010.3
    Release 2010.2
Known Issues
    NSM
    EX Series Switches
    Devices Running ScreenOS and IDP
    Secure Access SSL VPN SA Series and United Access Control Infranet Controllers
    SRX Series Services Gateways
Errata and Changes in Documentation for NSM Release 2011.1
    Errata
NSM Documentation and Release Notes
Documentation Feedback
Requesting Technical Support
Revision History

Copyright 2012, Juniper Networks, Inc.

Version Summary

Juniper Networks Network and Security Manager (NSM) is a software application that centralizes control and management of your Juniper Networks devices. With NSM, Juniper Networks delivers integrated, policy-based security and network management for all security devices and other Juniper Networks devices in your networks. NSM uses the technology developed for Juniper Networks ScreenOS to enable and simplify management support for previous and current versions of ScreenOS and now for the Junos operating system (Junos OS). By integrating management of all Juniper Networks devices, NSM enhances the overall security and manageability of the Internet gateway.

New or Changed Information

The following list provides the new or changed information for this release:
- Binding a tunnel interface to a custom virtual router (VR) in DMI devices that support VPN configuration.
- Configuring application definitions on devices running Junos OS Release 10.2 and later.
- Grouping zones to create a zone group object.
- Receiving data plane sd-syslog messages from DMI devices using stream mode.
- Specifying a multicast address group object in the Destination Address field of a destination NAT rule.
- Managing the blade servers and their components (SA/IC blades).
- From 2010.3 release onwards, NSM supports Windows 7 and Windows XP.

Before You Install NSM

Solaris Locales

Before installing NSM on a Solaris server, you must install a specific set of locales, and make appropriate edits to the /etc/default/init file. For more information, see the Network and Security Manager Installation Guide.

Upgrade Considerations

This section contains information about upgrading NSM and deprecated operating systems.

Upgrading NSM

You can upgrade to NSM 2011.1 from the following versions:
- 2009.1RX
- 2010.1
- 2010.2
- 2010.3
- 2010.4

NSM 2011.1 supports:
- 3000 low-end devices with 10 user connections
- 300 high-end devices with 25 user connections

Deprecated Operating System

NSM no longer supports ScreenOS version 4.X. You must upgrade your devices to ScreenOS version 5.0 or later.
NSM no longer supports Junos OS Release 9.2 or earlier.

Limitations

The following items are known limitations in this version of NSM:
- NSM does not support Junos OS downgrades. However, if you need to downgrade a device, follow these steps:
  1. From the device, use the CLI command to downgrade the image. For example:
         root> request system software add reboot
  2. After the downgrade, from NSM, delete the device and then add it again.
- For Junos OS J Series and EX Series devices—NSM Configuration Editor cannot completely validate the configuration that an NSM user has created before sending it to the device. The device validates the configuration when the configuration is pushed to the device as part of the Update Device job and may return validation errors to NSM.
- For Junos OS for J Series and SRX Series Gateways: NSM does not allow upgrading firmware on multiple branch SRX Series devices. Doing so leads to upgrade failure due to memory constraints.
- For SSL VPN SA and Infranet Controllers—Secure Virtual Workspace (SVW) settings on the SA device cannot be managed with NSM.
- For EX Series switches—EX Series switches running Junos OS do not support snapshots. Therefore, users should not select the "Backup the current filesystem(s) on the device" check box in the final page of the Install Device Software wizard.
- If the Allow use of global templates in subdomains option in the preferences tab is disabled, then any instances of global templates should be removed from the subdomains. Do this by removing the template from the subdomains. If any references to global templates still exist in the subdomains, then the devices or templates with those references will not display any value from the global templates.

Important SSL VPN and Infranet Controller Instructions

This section contains setup instructions and template usage guidelines for SSL VPN SA (SA) and Infranet Controller (IC) devices.

NSM Server

There is no limit to the number of devices that can be simultaneously updated in NSM, provided the configuration size on each device being updated is less than 5 MB. NSM can execute updates in parallel across a maximum of eight devices while the remaining update jobs are queued up. If the software version of SA/IC configurations exceeds 5 MB, we recommend a maximum of four devices per job for an appropriately sized Linux or Solaris server running NSM. Due to hardware limitations on NSMXpress, the recommended limit is two devices per job for SA/ICs running configurations more than 5 MB.

The following files on the NSM software server must be edited as described below (no changes are needed for NSMXpress):

- In /usr/netscreen/GuiSvr/bin/.guiSvrDirectiveHandler, change Xmx10248000000 to Xmx2048000000:

      $LIB_DIR/jre/bin/java -DNSROOT=$NSROOT -DgproGDM=$DEST_DIR -DNSDIR=$DEST_DIR/var/be -DSTART_PATH=$DEST_DIR -DBE_CFG=${CFG_FILE} -DLOG4J_CFG=${LOG4J_CFG_FILE} -XX:PermSize=64M -XX:MaxPermSize=64M -Xms128000000 -Xmx2048000000 com.netscreen.devicecomm.GUIDirectiveManager -version -repo ${REPO_DEST_DIR} -conf ${SVC_CFG_FILE}

- In /usr/netscreen/GuiSvr/var/xdb/data/DB_CONFIG, change the set_cachesize parameter from 0 256000000 1 to 0 1024000000 4.

- Set the shared memory to a minimum of 1 GB (kernel.shmmax = 1073741824):
  - In /etc/sysctl.conf, for Linux systems
  - In /etc/system, for Solaris systems

- In /usr/netscreen/GuiSvr/var/xdb/specs/jax.spec, change Xmx512 to Xmx1024m:

      :jvm-options (
      : ("-DEMBEDDED_JVM=true")
      : ("-Xms128m")
      : ("-Xmx1024m")

- In /usr/netscreen/DevSvr/bin/.devSvrDirectiveHandler, change Xmx1024000000 to Xmx2048000000:

      $LIB_DIR/jre/bin/java -DNSROOT=$NSROOT -DgproDDM=$DEST_DIR -DNSDIR=$DEST_DIR/var/be -DSTART_PATH=$DEST_DIR -DBE_CFG=${CFG_FILE} -DLOG4J_CFG=${LOG4J_CFG_FILE} -XX:PermSize=64M -XX:MaxPermSize=64M -Xms128000000 -Xmx2048000000 com.netscreen.devicecomm.DeviceDirectiveManager -version -repo ${REPO_DEST_DIR} -conf ${SVC_CFG_FILE}

The servers must be restarted after you change these parameters.

Setting Up NSM to Work with Infranet Controller and Infranet Enforcer

A ScreenOS firewall that is managed by NSM can also be configured as an Infranet Enforcer in a UAC solution. To prevent conflicts between NSM and the Infranet Controller, configure these firewall devices:

1. On the Infranet Controller, create the Infranet Enforcer instances:
   a. On the Infranet Controller, select UAC > Infranet Enforcer > Connection.
   b. Click New Enforcer.
   c. Enter the information requested in the display.
   d. Enter a password for the NACN password. You will use it again while setting up the Infranet Enforcer. If you are setting up a cluster instead of a single box, enter all the serial numbers in the cluster, one per line.
   e. Click Save Changes.
   f. Repeat Step 1b through Step 1e until all of your Infranet Enforcers have been entered.
2. If you do not have one already, create a CA certificate for each Infranet Enforcer:
   a. Create a certificate signing request (CSR) for an Infranet Controller server certificate, and use the CA certificate to sign the server certificate.
   b. Import the server certificate into the Infranet Controller.
   c. Import the CA certificate into the Infranet Enforcer.
3. On each Infranet Enforcer, create the Infranet Controller instance:
   a. On the Infranet Enforcer, select Configuration > Infranet Auth > Controllers.
   b. Click New.
   c. Enter the parameters as prompted. The password in the second section must be the NACN password you entered in Step 1d.
   d. Click OK.
   e. Repeat Step 3b through Step 3d for all of the Infranet Enforcers.
   f. On the Infranet Controller, select UAC > Infranet Enforcer > Connection and check that all the Infranet Enforcers have been added.
4. On NSM, delete the Infranet Enforcer firewalls from the global domain:
   a. In the global domain, select Device Manager > Devices to list all the devices.
   b. Right-click each Infranet Enforcer firewall device and select Delete from the list.
5. On NSM, delete the $infranet instances from the Object Manager:
   a. Select Object Manager > Authentication Servers.
   b. Right-click each $infranet_n object and select Delete from the list.
   c. Select VPN Manager > VPNs, and check that you do not have any $infranet objects under VPN Manager. These objects are usually deleted automatically when you remove the firewall.
6. Create a new subdomain for the Infranet Enforcers:
   a. Select Tools > Manage Administrators and Domains.
   b. Select the Subdomains tab.
   c. Click the Add icon.
   d. In the New Subdomain dialog box, enter an appropriate name for the subdomain so you know what it will be used for, and then click OK.
   e. From the drop-down list at the top left side, select your new domain. The new domain is empty, but it can use objects from the global domain. If you do not remove the $infranet instances from the main domain, you risk having duplicate $infranet names. In addition, add a Single Infranet Enforcer or Infranet Enforcer Cluster.
   f. Repeat Step 5 and Step 6 for every Infranet Enforcer or Infranet Enforcer Cluster you need to add to NSM. When finished, you should see $infranet instead of $infranet_# in each of the domains except global.
7. In NSM, add the Infranet Enforcer objects to the new domain:
   a. Select Device Manager > Devices.
   b. Click the Add icon, and then select Device to start the Add Device Wizard.
   c. In the New Device window, provide a name for the device, a color for its icon in NSM, and check Device is Reachable.
   d. Follow the instructions in the wizard to add and import the device.
   e. Repeat Step 7b through 7d for each Infranet Enforcer device.

You must reimport the configuration each time you use an Infranet Enforcer. Otherwise, a NACN password mismatch is possible because the Infranet Controller dynamically changes this password periodically. It is also good practice to do a "Summarize Delta Config" and ensure that no $infra policies are present. If there are, the Infranet Controller has changed something on the Infranet Enforcer since you last imported the device configuration.

NOTE: If you choose not to reimport the configuration, be sure to update the Infranet Controller and Infranet Enforcer at the same time.

Usage Guidelines for Applying NSM Templates to SA and IC Clusters

SA/IC cluster configuration data is composed of Cluster Global (CG), Node-Specific (NS), and Node-Local (NL) data, which are abstracted in NSM as cluster objects and cluster member objects. The cluster object contains only CG data, while the cluster member object contains NS and NL data. Template promotion and application to clusters should be compliant with the cluster abstraction.

Recommended

- Templates that are applied to cluster objects should only include CG data.
- Templates that are applied to cluster member objects should only include NS/NL data.

These guidelines apply to templates that are created from scratch or through promotion.

- To replicate the configuration from one cluster (source) to another cluster (target) through templates, promote the configuration from the source cluster object to a cluster template, and then apply that template to the target cluster object.
- To replicate the configuration from one cluster member (source) to another cluster member (target), promote the configuration from the source cluster member object to a member template, and then apply that template to the target cluster member object.

Not Recommended

- Do not apply any template that contains NS/NL data to a cluster object. Application of a template that contains NS/NL data can result in unexpected UI behavior and update results (such as, NS/NL data from the template being ignored or NS/NL data in cluster objects is invisible).
- Do not apply any template promoted from a cluster object or a standalone device to a cluster member object. Node-specific settings in the template appear in the member object but do not appear in the delta configuration. As a result, these settings appear in the template but are not pushed to the back-end cluster node.

The following list shows the NS and NL configuration settings. All other settings are CG.

Node-Specific (NS) Configuration:

    /ive-sa:configuration/system/log/snmp
    /ive-sa:configuration/system/log/events-log-settings/syslog
    /ive-sa:configuration/system/log/user-access-log-settings/syslog
    /ive-sa:configuration/system/log/admin-access-log-settings/syslog
    /ive-sa:configuration/system/log/sensors-log-settings/syslog
    /ive-sa:configuration/system/network/network-overview/settings
    /ive-sa:configuration/system/network/external-port
    /ive-sa:configuration/system/network/internal-port
    /ive-sa:configuration/system/network/management-port
    /ive-sa:configuration/system/network/vlans
    /ive-sa:configuration/system/network/network-hosts
    /ive-sa:configuration/system/network/network-connect/network-ip-filter
    /ive-sa:configuration/system/clustering/properties/configuration-settings/collection-of-network-settings
    /ive-sa:configuration/users/resource-policies/network-connect-policies/network-connect-node-specific-configuration
    /ive-sa:configuration/authentication/auth-servers/collection-of-auth-server/union-of-ace/active-directory-winnt/settings/advanced/computer-names/ive-name

Node-Local (NL) Configuration:

    /ive-sa:configuration/system/configuration/dmi-agent/enabled
    /ive-sa:configuration/system/configuration/dmi-agent/deviceid
    /ive-sa:configuration/system/configuration/dmi-agent/hmac-key
    /ive-sa:configuration/system/maintenance/push-config/acceptpush

Best Practices

This section contains information about recommended practices when using NSM.

Maintaining the NSM GUI Server

For optimal NSM server performance, follow these maintenance procedures every few months. On the NSM GUI client:
- Delete old entries from the Job Manager in each domain.
- Purge old database versions using Tool > Database Versions.

If the size of the NSM database in /usr/netscreen/GuiSvr/var/xdb continues to increase considerably despite the recommended practices, you can manually remove all domain versions using the procedure documented in KB11731. For details, see http://kb.juniper.net/KB11731.

Creating a Self-Signed TLS Certificate Between the NSM Client and the NSM Server

A self-signed certificate is a certificate that has not been signed by a third party, such as a well-known Certificate Authority (CA).

To create a self-signed certificate between an NSM server and an NSM client:

1. Download the file CreateCerts.zip from http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/BK14949/CreateCerts.zip
2. Copy the file to the NSM server and unzip it.

       # unzip CreateCerts.zip

3. Edit the file createCerts.sh and modify the section Default certificate generation fields to update your current installation and the corresponding contact information of your organization.

       0.organizationName_default -
       stateOrProvinceName_default -
       localityName_default -
       countryName_default -
       emailAddress_default - user@example.com

4. Run the shell script:

       # sh createCerts.sh

   NOTE: The script produces a certificate with a timestamp that is nearly 10 years beyond the current date.

   The following is an example of the output when the script is executed:

       [root@nsm /]# sh createCerts.sh
       Enter NSM installation path[/usr/netscreen]>
       Generating RSA private key, 1024 bit long modulus
       e is 65537 (0x10001)
       Using configuration from cfg/openssl.cfg
       Check that the request matches the signature
       Signature ok
       The Subject's Distinguished Name is as follows
       countryName :PRINTABLE:'US'
       stateOrProvinceName :PRINTABLE:'State'
       localityName :PRINTABLE:'City'
       organizationName :PRINTABLE:'Name of the Organization'
       commonName :PRINTABLE:'NSM'
       emailAddress :IA5STRING:'user@example.com'
       Certificate is to be certified until Aug 3 22:41:04 2019 GMT (3650 days)
       Write out database with 1 new entries
       Data Base Updated
       Using configuration from cfg/openssl.cfg
       Check that the request matches the signature
       Signature ok
       The Subject's Distinguished Name is as follows
       countryName :PRINTABLE:'US'
       stateOrProvinceName :PRINTABLE:'State'
       localityName :PRINTABLE:'City'
       organizationName :PRINTABLE:'Name of the Organization'
       commonName :PRINTABLE:'NSM'
       emailAddress :IA5STRING:'user@example.com'
       Certificate is to be certified until Aug 3 22:41:04 2019 GMT (3650 days)
       Write out database with 1 new entries
       Data Base Updated
       Certificate was added to keystore
       Certificate was added to keystore
       [root@nsm /]#

   This step creates four files: root.pem, server.pem, truststore.ts, and keystore.ts.

   NOTE: The files truststore.ts and keystore.ts consist of private keys and must be protected.

5. On the NSM GUI server, copy the files root.pem and server.pem to /usr/netscreen/GuiSvr/var/certDB/TrustedCA/.
6. On the NSM client, copy the files truststore.ts and keystore.ts to the NSM_GUI_INSTALLATION/security directory. (The default directory is C:\Program Files\Network & Security manager\security.) Note that this must be executed on all systems where the client is installed.
7. Restart NSM GUI server services for a new certificate to be used:

       # /etc/init.d/guiSvr restart

   If using a high availability environment, execute:

       # /etc/init.d/haSvr restart
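
The procedure above leaves truststore.ts and keystore.ts (which the note says contain private keys) in the directory where createCerts.sh ran, and its sample output shows a 1024-bit RSA key, below the 2048-bit minimum of current guidance such as NIST SP 800-131A. The following POSIX shell audit is an added example, not part of the Juniper release notes or of createCerts.sh; the function names, the 2048-bit floor, the 90-day expiry window, and the assumption that the .pem files are PEM-encoded RSA certificates are choices made for this example.

```shell
#!/bin/sh
# Added example, not Juniper code: audit the files that createCerts.sh writes.
# File names come from the release notes; everything else is an assumption.

KEY_STORES="truststore.ts keystore.ts"   # described above as holding private keys
CERT_FILES="root.pem server.pem"
MIN_RSA_BITS=2048                        # assumed policy floor for this example

# Succeeds (0) if FILE grants any permission bit to group or other.
# POSIX "find -perm -N" matches only when every bit in N is set, so each
# bit is tested on its own.
has_loose_perms() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# Prints one line per finding for DIR and returns the number of findings.
audit_cert_dir() {
    dir=$1
    findings=0
    for f in $KEY_STORES; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING $dir/$f"
            findings=$((findings + 1))
        elif has_loose_perms "$dir/$f"; then
            echo "EXPOSED $dir/$f is accessible beyond its owner (use chmod 600)"
            findings=$((findings + 1))
        fi
    done
    for f in $CERT_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING $dir/$f"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Prints key size and expiry of a PEM certificate (assumed RSA, as in the
# sample output). Returns 1 on a weak or expiring certificate, 2 if the
# openssl CLI is not installed.
inspect_cert() {
    cert=$1
    days=${2:-90}
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 2; }
    bits=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p')
    status=0
    echo "$cert: ${bits:-unknown}-bit key, $(openssl x509 -in "$cert" -noout -enddate 2>/dev/null)"
    if [ -n "$bits" ] && [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "WEAK $cert key is below $MIN_RSA_BITS bits"
        status=1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo "EXPIRING $cert expires within $days days (or could not be parsed)"
        status=1
    fi
    return "$status"
}

# Usage: sh audit_nsm_certs.sh /path/to/createCerts/output
if [ $# -gt 0 ]; then
    rc=0
    audit_cert_dir "$1" || rc=1
    for f in $CERT_FILES; do
        if [ -f "$1/$f" ]; then inspect_cert "$1/$f" || rc=1; fi
    done
    exit "$rc"
fi
```

Run it against the directory where the script wrote its output once steps 5 and 6 are complete; copies of the two .ts files that are no longer needed on the server can then be removed or restricted to their owner.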

Addressed Issues

This section includes issues addressed for NSM, ScreenOS, SA Series SSL VPN Appliances, IC Series UAC Appliances, and SRX Series Services Gateways. These release notes contain only NSM-related issues. For a complete list of addressed issues for each device, see the release notes associated with the device.

Release 2011.1s3 Patch

This section describes the following addressed issues in patch release 2011.1s3:

590632—The option to set a subinterface as an NTP server is not available.
677161—The SSG20 device is missing in the JXM-1SFP module under avail_1_sfp_interface section of 6_1.dcf.
691651—The Network Profiler tab fails to populate and create the tempTable 'pqtmp134main' with an error message.
692612—The device update stops at 20 percent and fails with the error message Failed to import inventory data from device. Session 1048581 for service NBIService returns null data!
693733—The NSM GUI server crashes and generates core files.
698326—Occasionally, the device update fails when updating the SRX Series device using NSM.
704138—While updating the SRX Series device using NSM, the update stops and returns an error message indicating a failure while comparing the inventory data on NSM with the inventory data on the SRX Series device.
708987—NSM shows random device connection status for the EX Series switches.
719632—The rule groups display the rule number as zero.
724762—NSM cannot add, delete, or edit devices in the route-based VPN through the VPN Manager.
727397—Updating the SRX Series device fails with the error message GenerateEditConfig Failed null.
729649—The Virtual Chassis check box is disabled for adding EX-XRE, EX8216, and EX8208 Series devices.
735707—NSM encounters a null pointer exception on the Delta Configuration.
736501—Duplicate policies are created on subsequent import of the device.

Release 2011.1s2 Patch

This section describes the following addressed issues in patch release 2011.1s2:

515871—Cannot remove the "set auth-server "AAA" src-interface" command from NSM.
661020—In NSM 2010.3, Address and Network Group objects should display a warning message if the name length field exceeds 31 characters.
668867—During a policy push, the error message Too many entries appears because the maximum address or group object limit was exceeded in the ISG device.
669613—Some policies in the NSM Policy Manager take too long to load.
670681—When creating custom IDP signature groups using the direction filters and the not option (not-stc or not-c2s), the resultant members include signatures that have s2c or c2s signatures included.
679020—In NSM, the Virtual Chassis check box is disabled when selecting the SRX220h device.
682896—NSM tries to send commands for unsetting and setting the management IP option on every update.
685119—When you create a loopback interface on the nsHSC device using an NSM template, an error occurs when you try to update the device.
685576—When nesting the templates for Junos OS and SRX Series devices, a duplicate name error occurs.
685938—When VPN is terminating on an IPv6 interface, an NSM validation error occurs.
686460—The NSM GUI freezes when performing huge changes to the policies or groups, or viewing large content.
688993—Incomplete policy update to SA IDP results in changing the version of the attack object database.
690916—Editing a device or policy in NSM creates multiple _out files resulting in slow GUI performance.
692680—While updating ScreenOS devices, NSM generates an error: Capability limit reached on the device.
695157—Cannot configure the ntp-server option for a VSI interface.
695371—When a service object is made on NSM the default source port range differs from the range on ScreenOS when a custom service is created directly on ScreenOS CLI.
697843—If a search is done within a section of NSM and "ESC" is not given afterwards, the search box remains in the window. The only option to get rid of that box would be to restart the client.
698708—Cannot configure the VIP object and related policies as NSM fails to import the IP of the ADSL interface.
704127—Replacing a template disables the interface, ike, cluster and ipsec settings.
707190—NSM displays a "java.lang.NullPointerexception" error when the Dial-UP VPN Rules option is used in the policy.
707194—Cannot delete the unused firewall policy as two of the policies contain references to the same firewall rulebase.
707454—NSM is not importing the antispam UR profile settings from the device.
708127—An incorrect parent interface is displayed for the new subinterface within a vsys.
708505—Unable to register the SRX Series device if the IKE preshared key has more than 255 ascii characters. The guiSvrManager also fails.
708605—After adding an SRX Series device running idp, notification for "Log Packets" in IDP rule is set unintentionally in both NSM & SRX.

Release 2011.1s1 Patch

This section describes the following addressed issues in patch release 2011.1s1:

492196—Adding or deleting a device from VPN Manager does not change the device configuration status in Device Manager.
532163—NSM does not provide any option for monitoring at the interface level on an SSG5 device.
605508—After upgrading to NSM 2011.1, NSM reorders policies that break the VPNs.
607518—Removing a device object does not remove the address map entry from the polymorphic address.
613644—NSM tries to send an additional OSPF config on certain interfaces while configuring the dynamic routing option in Route-based VPN using VPN Manager.
667160—The summarize config option produces a different output from that of the device, and sometimes the output is missing.
667875—Search issues are noticed in NSM GUI after upgrading NSM to Release 2011.1a7.
669079—Report filters are not providing expected results in NSM.
669650—The device is getting disconnected from NSM, indicating error on the NBI service.
671065—The NSM search functionality does not work for search starting with the letter F.
671309—Device update fails as NSM tries to push IPv6 addresses along with the IKE gateway even though IPv6 is not enabled on the VPN.
684991—NSM imports the bgroup subinterface as a physical interface, and hence does not list the subinterface in the drop-down list while creating the VSI interface.
685036—The NSM GUI performance is poor when scrolling through large policies.
690366—The devSvr process produces core files frequently.
691213—In NSM, the Revert Policy operation does not work when the rule (or rules) to be reverted are in a group.
691493—The EX Series device cannot configure the server-reject-vlan option under Dot1x correctly after upgrading to schema 206.
692247—NSM does not show the admin who has locked the policy for edit.
692687—In NSM, the XRE200 device should not configure the vme.0 interface as it is not supported. The issue is fixed in schema and the fix is available from schema 215 onwards.
694189—In ISG2000 device running ScreenOS 5.4, user-servs maximum value set by NSM is 4096 which exceeds the maximum value of 2048 allowed by the device.
695441—The unset nsm server secondary command is sent after upgrading NSM to Release 2010.3r2.
695742—Deleting MIP from the interface takes too long.
696336—The NSM Install ID was generated incorrectly after the NSM upgrade.
697979—When modifying custom group filters sometimes all the names disappear.
699601—Service and Service Group objects cannot be used as a drag-drop option from service table to policy rules.
700535—NSM sets the user services to 2048 even though the NS5400 device allows 4096 user services.
701807—User login through RADIUS authentication fails after upgrading NSM to Release 2010.4q56.
702221—Audit log and policy versioning shows incorrect information after editing rules inside the rule groups.
702982—The devSvrManager process was producing core files.
704906—The NSM delta operation throws java.lang.NullPointerException.
708866—A new rule created in the SRX-IDP policy does not get populated in NSM.

Release 2011.1-a16 Patch

This section describes the following addressed issues in patch release 2011.1-a16:

480097—NSM cannot add SRX cluster member to the auto-import configuration list.
515871—Cannot remove the "set auth-server "AAA" src-interface" from NSM.
529623—NSM attempts to unset a valid loopback interface and its associated MIP.
541862—The NSM UI allows the user to drag and drop any device or cluster inside another cluster.
557767—When modeling an SRX210hm with 10.2, the device shows up as SRX210hm instead of SRX210h.
571881—A firewall vsys import fails with the "Error on shared object import: null" error.
573565—When detector update is performed from NSM UI, NSM deploys the incorrect detector engine on SRX Series devices.
578236—When attempting to update an ISG cluster, NSM displays "JavaLangArrayIndexOutOfBoundsException".
584602—The NSM VPN Manager configures different preshared keys on ScreenOS devices.
596562—Report generation fails because of a memory allocation failure that generates the "log database query failed" error.
599347—NSM matches the dialup VPN rule as a duplicate rule on the next update and unsets the rule.
607056—For every update on the SRX Series device, NSM delta config returns a create ALG operation.
607579—NSM does not populate the IKE and IPsec proposal sets for an SRX Series device configuration.
609287—NSM unsets valid policies after import.
611492—Exporting an NSM static NAT policy gives unexpected results.
613420—In the NSM UI, Interface menu is missing from Protocol -> Dot1x -> authenticator -> Interface.
614749—NSM cannot push a routing instance name in the Action column under the Static NAT rulebase.
661970—NSM cannot create a Destination NAT Rule from Source Interface after importing the device.
665380—NSM is not allowing to configure more than 3 DHCP relay servers.
666850—NSM populates the SRX Series device logs with the incorrect zone information and rule number.
668867—During a policy push, NSM exceeds the maximum address group object limit for the ISG Series device, generating a "Too many entries" error.
669836—In the VPN Manager, the quotation marks are missing around the "set vpn" line.
671088—Database versions are created despite domain versioning being disabled.
677486—The Java process consumes 100% CPU of an NSMXpress device.
680976—On an SRX Series device, when CHAP configuration is removed from an interface, the configuration is not completely removed.
682894—The NSM UI server crashes at random intervals.
684964—Frequent logwalker process crash in Solaris because of IPv6 log.
685114—The incorrect l3-interface-name command is sent to the SRX Series device.
685126—NSM deletes the L3 interface setting from a VLAN configuration on an SRX210 device.
685513—NSM does not indicate which address group exceeds the number of addresses that can be supported by a device.
686845—Although a custom role in NSM does not have the permissions to edit a policy, custom role edits or deletes policies erroneously.
687221—GuiSvrManager crashes when more than one admin user logs in.
687733—NSM is unable to log in using more than two non-superusers.
688340—Frequent crash in GuiSvrManager is observed and core files are generated.
688413—NSM does not send custom service object to the device.
688713—NSM sets the source and destination port values incorrectly on SRX Series devices.
690125—NSM tries to delete IDP related configuration values from a J Series device. This issue is addressed in schema and the fix will be available from 11.2R3 schema onwards.
690853—NSM does not configure tunnel interface binding to zones on a vsys.
692132—Unable to edit SRX3600 device cluster due to GuiSvrManager crash with core file generation.
Release2011.
1Thissectiondescribestheaddressedissuesin2011.
1:Copyright2012,JuniperNetworks,Inc.
16NetworkandSecurityManager2011.
1ReleaseNotes303296—TheNSMGUIshowsavalidationerrorintheConfigureVPNsectionofVPNpolicy.
304256—WhenyoutrytopushapolicyinsomeoftheIDP,thepolicyupdatefailswithanerrormessageFailedtoprocessthedatabasequery.
Statusisnotsuccess.
402298—WhenyouapplyafirewallpolicywithnetworkaddressobjectstodevicesrunningJunosOS,thedeviceupdateoperationinNSMfails,becauseDMIdevicesdonotsupportnetworkaddressobjects.
423164—DuringtheexecutionoftheSummarizeDeltaConfigcommandafteryouconfigureapolicy-basedVPN,NSMtriestore-pushpre-sharedkeysrepeatedlyinsubsequentupdatesforVPNpoliciesbetweenJunosOSdevices.
430886—InordertoaddJSeriesandSRXSeriesdevicesconfiguredinclustermode,thesecondaryclustermembermustbeaddedorimported,followedbyanaddorimportoftheprimarydevice.
430898—Theapply-marcoconfigurationsettingsinanSRX5800clusterarenotavailableinNSMforJunosOSdevicesaftertheyareimportedintoNSM2008.
450626—UpdatefailsonanSRXSeriesclusterwhentheDynamicDboptionisselected.
TheworkaroundistodisabletheDynamicDboption.
480398—NSMpushestheIDPpolicyduringeveryupdateevenifthereisnochange.
496199—OnanIPv6-disableddevice,configuringanIPv4neighborinBGPcausesNSMtowronglyupdateIPv6configurations,leadingtoanupdatefailure.
500498—AnupdatefailsifthepredefinedIDPpolicyispushedtoSRXlow-end(srx210/240-hm)devices.
501095—Thevalidationontheaddressobject'slengthisnotpresent.
Whenarulewiththisaddressobjectispushed,theverificationfailsandanycharactersover31aretruncatedasthedevicedoesnotacceptcommentsmorethan31charactersinlengthforsomeScreenOSdevices.
503960—TheLogViewerdoesnotdisplaytheroleinformationforSA/IVEdevices.
511449—Policy-basedVPNconfigurationappearstobemissingwhenitisgroupedunderthesecuritypolicyrulegroup.
512799—Objectsofanaddressgroupcanbeusedorleftunused.
Search>UnusedObjectsforaddressbookentriesmustlistallunusedobjects.
516144—NSMallowsaddinganSRXSeriesvirtualchassisasaclustermember.
522853—ModificationofamodeledvsysconfigurationdoesnotworkonanISG2000-IDPdevice.
522860—VPNmanagerdoesnotmeshmain,whenthemeshmainoptionisunchecked.
ns.
524220—ThescreeningoptionsTCPSweepandUDPSweepmustbeincludedintheNSMconfigurationastheseoptionsareavailableontheScreenOSWebandCLI.
527833—NSMdoesnotsupporttheip-monitoringCLIcommandforhigh-endSRXSeriesdevicesinHAconfiguration.
17Copyright2012,JuniperNetworks,Inc.
AddressedIssues535367—NSMincorrectlytrimstunnelruleswiththesamematchcriteriausedwhenmanaginganSRXdeviceonwhichdynamicVPNisenabled.
536353—ThisisanenhancementrequesttouseDSAandRSAkeysforauthenticationinadditiontoplaintextpasswords.
537267—WhileusingthereportmanagerinNSMtogeneratepredefinedandcustomreports,reportgenerationmayfailwithalogdatabasequeryfailedmessage.
539675—WhilechanginganinterfaceIPaddresstoanewIPaddressinthesamenetworkinaVPNtunnel-baseddevice,thecommandsarenotcompletedasthetunneltemporarilygoesdownandthegatewayisunset.
544887—E-mailalertsfromNSMdonotincludeanyattackdetailsforfirewall/IDPlogs.
546962—Oneveryupdateordeltaonthevsysdevices,NSMusedtoshowrootfirewallcommands.
554691—Inclustermode,themgtinterfaceisunabletochoosesrcinterfaceduringtheSNMPhostsettings.
Asasoultion,themgtinterfaceisabletochooseandconfigureattheclustermemberlevelasitisspecifictoeachdevice.
Allotherinterfacesareabletoconfigureattheclusterlevel.
555712—Thedrop-downarrowthatappearsunderthezone/R.
I.
/InterfacecolumnoftheSourceNATtabmustberemovedasitdoesnothingandtheselectedvariablecannotbeseenunlesstheglobalvariableisright-clicked.
555738—Afteraninstallationorupgrade,thecontentsof/var/netscreen/dbbackuparedeleted,whichdoesnotallowtheusertorestoreanypreviousinstallation,ifsomethinggoeswrong.
TheDeviceServermustprovideawarningandallowtheusertobackupanupgrade,ifrequired.
555953—WhenyouimportaScreenOSclusterintoNSMandaddthesamedevicetoNSMonadifferentdomain,NSMdoesnotshowanywarningorerrormessagesandthedevicecannotconnecttoNSM.
556311—WhileupgradingNSMfrom2008.
2r1to2010.
3,theinstancesofpolymorphicobjectsarenotvisiblein2010.
3.
556850—AfterconfiguringaJunosOS10.
2r2.
11device,importingthedeviceintoNSMfollowedbyadelta,NSMdeletesthedestinationportforthesourceNATonJunosOS10.
2r2.
11.
Theissuehasbeenaddressedanditisworking.
558993—AfteryouaddanaddresstoapolicyusingtheSelectDestinationAddressdialogbox,thecreatedaddressmustbedisplayedintheselectedmemberfield.
Currently,theaddressisaddedtotheleftpanealphabetically,makingitinconvenienttolocatetheaddress.
560234—NSRPmonitorinformationdoesnotdisplayopenedinanewwindow.
560937—NSMdoesnotgivetheoptiontochooseacaptive-portalforaUAC-enabledpolicy.
However,NSMunsetstheUACpolicyonthenextupdatewhenthecaptive-portalisconfiguredonthedeviceCLIandthedeviceisimportedintoNSM.
563015—Thedeviceserverlogwalkercrasheswhilereadingandloadinglogdatabaseparameters.
Asaresult,HAfailoveroccurs.
564344—Log Viewer slider does not work properly if the Src/Dst filters are applied due to an improper query.
564655—Summarize Delta Config shows IPv6 commands being sent to the device even though IPv6 is not activated on the device. This command must not be sent to the device when IPv6 is deactivated.
564685—The IPv6 prefix window is not loading properly with customer configurations and shows a view error.
565145—When selecting the delta config from the NSM client (Tool > Preference > Device Update) and pushing the model vsys, the delta config ends with success.
565622—Log database corruption issues occur for ScreenOS device logs.
565859—Due to database corruption during migration, some existing rules are not being deleted properly.
566266—When two devices are added as the main device and vsys device, the Failed to acquire lock on device error is generated due to the lock on the object when the vsys device is updated and summarize delta config is completed.
566621—The pptp command is pushed to a device even though there is no change in the configuration during a device update. As a workaround, the pptp command is trimmed before sending to the device.
567208—NSM Log Viewer does not display the logs due to a log database corruption for ScreenOS device logs after upgrading from 2010.2r1 to 2010.4.
567665—NSM Log Viewer does not display the logs due to a log database corruption for ScreenOS device logs after upgrading from 2010.2r1 to 2010.4.
567779—NSM must not change the inactivity timeout for services.
568790—NSM Log Viewer does not display the logs due to log database corruption for Junos OS device logs after upgrading from 2010.2r1 to 2010.4.
569521—NSM client makes unable to almost any other application without changing the heap size with schema 147 or higher. Since 1.25 GB of RAM is required only for a schema release, the fix should be such that the heap size should decrease automatically after a schema download and adjusts to the proper value for the schema download.
569656—Address objects with an object ID greater than 65,536 are supported with this fix.
570147—Unused top-level configuration items disappear on SRX devices.
570906—NSM Log Viewer does not display the logs due to log database corruption for ScreenOS device logs after upgrading from 2010.2r1 to 2010.4.
571127—Rule number, source, and destination zone information is missing in the traffic logs for all ScreenOS firewalls, where ScreenOS image is 6.2.0.R7.0 managed in NSM.
572730—Rule title is missing in the comments field under policy manager.
573404—When deleting a loopback-related MIP in NSM, NSM sends a set command to the device instead of unsetting the command and the update fails.
573752—If the address group contains more than 256 addresses while doing a delta config, the NullPointerException is specified in NSM.
574326—Except for tunnel VPN rules, rules that are similar must be trimmed. For all other rules, trimming has occurred.
574763—Check for the rule option in the global firewall whether all fields are visible or not.
578139—The Device server log walker crashes while reading and loading log database parameters. As a result, HA failover occurs. (10.2, 10.3, 10.4, and 11.1)
578593—While editing the comment field in the firewall policy rule, the user must also be able to edit the policy name.
578674—When selecting the IPv4 or IPv6 radio button, it must list the respective address object (IPv4 or IPv6).

Release 2010.4
This section describes the addressed issues in 2010.4:
448239—Predefined IDP policies cannot be pushed to an SRX Series device. The workaround is to create the custom policy from the predefined policy, and then delete the disabled rule in the custom policy before making a policy update.
454585—E-mail alerts from NSM do not include any attack details for IDP logs.
478268—An update to an SRX Series device fails if the Confirmed commit option is enabled in the GUI.
489643—As a result of incorrect parsing of log data in NSM, the Log Viewer displays inaccurate information in different fields for AV, UF, traffic, and IDP logs.
494359—For SRX Series devices configured with VPN, the delta config summary shows configuration differences even after a device update.
497114—Updates to an SRX3600 device fail because NSM repeatedly displays a hardware Out of Sync message. The workaround is to manually right-click on the device and reconcile inventory.
499642—While performing Get Delta Config Summary and Update directives, NSM reports an error "Failed to acquire lock on device" even when no other user is logged in.
502893—When VPN Manager is set to automatically generate static routes, it ignores the default route preference set in the corresponding virtual router.
512288—After a device import, duplicate objects are created due to the mismatch in color between the configuration on the device and on NSM.
515796—NSM UI displays the virtual chassis option for all OS versions of SRX low-end (100/210/240/650) devices, but does not support SRX devices running versions earlier than Junos OS Release 10.1.
515845—NSM UI does not display the correct hardware inventory output for devices in an SRX Series virtual cluster.
519888—NSM cannot create a single tunnel interface VPN using VPN manager. NSM builds NHTB entries using the egress interface of the end device, instead of the tunnel interface.
521182—As NSM does not validate the number of entries in an address group, an SRX Series device update fails if the entries exceed 256.
523931—Even though NSM pushes the RADIUS server information to an SRX Series device on every device update, the delta config summary shows that this information still needs to be pushed.
525134—NSM does not save some of the changes to the user preferences for users who are authenticated through the RADIUS server.
525264—After an upgrade from 2010.1, the detector version information is not imported into the cluster record when you import an ISG-IDP series root device cluster with its associated vsys members in NSM.
525588—In spite of filtering the report based on specific event categories, the NSM-generated report also has information about other event categories.
533009—After an upgrade to the NSM 2010.2 release, an SRX device policy update fails if this policy had comments with spaces in the previous release (that is, in the release from which you upgraded).
534638—For ISG-IDP Series clusters running 6.1.x versions, when a root device is updated with a new detector, the detector version is updated only for the root device and not for the vsys members of this device. This mismatch in detector version between the vsys members and the root device results in a device update failure.
534943—An SRX device update fails when you push a policy that contains a customer service object with the SQL*Net Version 2 application protocol.
535137—During a device update, NSM does not push the maximum bandwidth setting for a firewall policy that has traffic shaping configured. NSM creates an exception.
537273—When you import an SOS cluster device to NSM in root mode, the aggregate subinterfaces are displayed as physical interfaces.
538908—NSM Policy Manager does not display comments for a rule that has a single service enabled.
541154—After an upgrade from 2010.2 to 2010.3, policy names are overwritten with the corresponding policy IDs during a J Series or SRX Series device update.
541576—NSM does not support adding more than one physical interface to an aggregate interface in the ns-5000-8G2-G4 card for an ns5000 series device.
541992—The custom phase 2 VPN proposal configuration from Junos OS devices is incorrectly imported into NSM. In addition, NSM does not permit a user to edit this configuration.
542616—If an SRX Series device upgrade fails from NSM, then you cannot upgrade it again from NSM due to space limitation. You must manually clear all temporary files created on the device by NSM before upgrading again.
542814—The custom phase 1 VPN proposal configuration from Junos OS devices is incorrectly imported into NSM. In addition, NSM does not permit the user to edit this configuration.
543140—The NSMXpress Web UI allows users created from the Web UI to log on using an incorrect password.
545126—For an SRX Series device, the traffic logs in the NSM Log Viewer do not contain any information for the Rule ID and Policy ID fields.
545225—If the Junos OS-based devices (such as SRX Series devices) are configured with policy- or route-based VPNs, even after a device update, the delta config summary shows there are configuration differences for the preshared key.
547929—With the NSM 2010.2r1-13.1n59 release, adding or editing devices takes relatively more time than in previous releases.
549986—The NSM installation script fails if there are multiple tmp partitions on the Solaris server (such as, "/tmp" and "/var/tmp").
550796—If you add a cluster server to NSM after an upgrade from 2008.3 to 2010.2 LGB13z1n33 (with schema 143 and running on RH5 with service pack 5), then the cluster's secondary server settings are grayed out in NSM.
552226—Under the Policies > Source NAT tab in NSM, the zone information is not displayed, and the source and destination addresses are not selectable. In addition, you cannot select a target for this policy.
553746—NSM does not manage address objects with dns-name for SRX Series devices running on Junos OS Release 10.2R2 and 10.0R2 images.
559528—Within an SOS template, if you assign the same host IP address for IPv4 and IPv4/IPv6 options under the SNMP Reporting settings, NSM displays a validation error.
560765—NSM Log Viewer stops responding and does not display the logs when there is a huge amount of logs to be processed by the log walker.

Release 2010.3
This section describes the addressed issues in 2010.3:
403809—Policies cannot be edited as NSM displays a locked by another user message even though another user is not logged into NSM.
407764—With NSM, the logs of a subdomain cannot be saved on the first try. The workaround is to quit NSM and then try saving the logs again.
413166—NSM displays an error when a MIP with an IP from a different subnet as the interface IP is added on a firewall device.
459994—In NSM 2007.3r5, DevServerManager crashes when a PCAP retrieval operation is performed on logs.
465850—Uploading of the IDP 5.0 image fails in NSM after an upgrade from the 2008.2r1 to the 2008.2r2 release.
477726—Using templates to activate an SSG5 device results in the creation of tunnel interfaces with blank names. Because of this, the device cannot be updated.
481066—SRX Series IDP severity level log information is displayed incorrectly in the NSM Log Viewer.
482421—The BGP neighbor configuration in a ScreenOS cluster without VSD is not accurately synced in NSM.
482988—The NSM calculation of the estimated disk space required for DevSvr logs is inaccurate (Administer > Server Manager > Servers > Disk and Log Management).
482995—DevSvr logs are not getting purged after the specified time interval if you set this interval using the NSM GUI (Server Manager > Servers > Device Server > Disk and Log Management > Number of days to retain logs).
483416—Accessing the policy options of an existing policy causes the NSM GUI client to lock up, which prevents you from making any further changes.
486787—You cannot import or manage SRX Series devices after an upgrade. Also, the GuiSvr core dumps if any changes were done using the NSM GUI.
489258—The DevSvr crashes while viewing the IDP logs in Log Viewer.
491015—An inconsistent export of DevSvr log data to csv format occurs when using the devSvrCli.sh log2action utility.
495737—When updating the device software for an imported ScreenOS cluster device, a warning message appears stating that the configuration in NSM and the actual device configuration are not in sync, even when they are.
503179—Logs are not getting parsed because of file header corruption, resulting in a devSvrManager crash with core.
503231—A subinterface cannot be created on a serial interface on the SSG-20 platform as the interface is not displayed in the NSM GUI.
505169—In NSM, the log filter is created only for the group and host address objects and not for the network address object when you create the filter by right-clicking the source or destination address column within a log.
507098—A GuiServerManager core dump occurs when compiling IDP policies.
512215—When editing an imported firewall cluster configuration, even if the VR is shared NSM displays the following error message on the zone: "Shared zone must be in shared VR."
513335—During an IDP firmware upgrade, if an error occurs, the upgrade process continues indefinitely and cannot be stopped. With the 2010.3 release and later, a timeout option is provided to stop this process.
513985—During an import for a ScreenOS cluster, the BGP neighbor configuration is imported to cluster level instead of member level.
514579—PIM-SM settings or any dynamic routing protocol cannot be configured on an imported firewall because the NSM GUI does not display the Protocol section under interfaces when SOS devices are added in Cluster mode.
516433—NSM displays an out-of-sync message when the primary device in an SRX Series virtual cluster goes down and the secondary device takes the primary role. The workaround is to reconcile inventory.
517009—A Global MIP object cannot be created on the subinterface of a cluster as the subinterface (redundant1) is not listed in Object Manager.
517864—During an SRX Series device update, VPN Manager-configured VPN settings are being removed from the secondary node of the cluster.
518196—If you have an NSM HA setup with MIP IP addresses and perform a delta config, NSM unsets the secondary NSM server IP address from the cluster members.
519004—You cannot select an interface for an imported SRX Series device from the VLAN interface in NSM. NSM displays the following error: "Reference to undefined collection-of-interface-range."
519395—For ScreenOS 6.3 devices, the NSM VPN Manager does not generate proxy-id configurations for VPNs.
521126—When a Source NAT update is pushed to an imported SRX Series device from NSM, a reference to the local NSM database is pushed instead of the IP address or address object.
525729—When OSPF parameters are configured using a template and then updated on a device, the OSPF ID is not imported when you import the device configuration back to NSM.
528500—If you make more than 100 configuration changes in NSM from the actual device configuration, the Job Manager displays only the first 100 lines.
528681—When a polymorphic object is updated to a device, NSM sends the polymorphic object name instead of the address object information.
529124—As several of the NSM windows (such as Policy windows, Device edit windows, and Download schema windows) were too tall, some of the buttons/functionalities within these windows were inaccessible on normal displays. With the 2010.3 release and later, the windows are resized automatically to fit within the display.
532571—If RMA/Activate is performed on a managed Junos OS device, it cannot connect to NSM after the device is rebooted or the device server is restarted.
533763—NSM stops responding at 76 percent when policies are updated on ScreenOS-based ISG-IDP devices.
538643—With NSM, when you set the interface zone to null, the device update fails as NSM tries to unset the g-arp parameter for that specific interface.

Release 2010.2
This section describes the addressed issues in 2010.2:
228510—If you configure a multi-line banner for a device, verification fails on update.
271590—Deleting the system services outbound-ssh stanza does not cause existing connections to be dropped.
407541—When you add Junos OS devices in cluster mode through the reachable device workflow, device status is Import Needed if you first add the primary and then the secondary device. To change the cluster status to Managed and In Sync, you must import the cluster. To work around this issue, first add the secondary device and then the primary device.
420276—VPN monitor does not display an entry for the vsys cluster member if the name of the member is changed.
429396—When a user performs a delta configuration after updating the device configuration on an SRX Series device using a template, the same configuration data that was pushed earlier to the device during the update is displayed.
431656—When a standalone IDP device is added through an unreachable workflow, the device update operation fails.
445014—A Java exception error on the GUI occurs after modeling vsys to include a dot as part of its name.
462408—NSM displays "Unable to acquire lock, Locked by admin, Open read-only" when you edit a device. This issue has been observed when editing an ISG2000 cluster member and also on a J6350 device. This issue is not always reproducible. The workaround is to restart the GUI Server.
466608—NSM unsets the proxy ID of the VPN when it is configured in the template at the first delta after restarting the GUI Server.
468807—The comments are not pushed to the device during a Junos OS device update.
483395—After running the import admin directive, NSM changes other configurations along with admin accounts.
483452—NSM 2009.1r1 randomly fails to recognize certain IDP detector engine versions.
483469—Major screen redraw issues occur when running Microsoft Vista 32-bit and NSM.
485458—After adding a device to NSM, if you remove the default route and enable the dynamic protocol for that device, NSM displays an error indicating that the management route is missing.
486371—The GuiServerManager crashes as the system runs out of memory.
495027—Power failure on the active GUI server causes a 7- to 10-minute delay before the Device Server connects to the active GUI.
497349—J Series devices cannot be validated through NSM.
498554—The HA Server does not stop during system shutdown.
498790—NSM unsets vrouter trust-vr on update if a comment is also configured.
499064—The NSM GUI Server crashes with a MutexLockEvent.
499688—You cannot use the NSM GUI to remove an IDP platform from a custom IDP attack signature.
499748—When a packet capture (pcap) is requested and it contains VLAN traffic, NSM replies with a JAVA Null pointer exception.
500367—Policy update in NSM fails intermittently, displaying a Java NullPointerException.
500769—NSM does not support PPP and PPP-service protocols on J Series devices with a 10.0r1.8 image.
500838—The timeout value defined in a custom service object is not updated to an SRX Series device.
501875—An SRX Series device will be shown as down if the primary GUI server fails over to the secondary and a device connection is not established in extended HA.
502166—The NSM GUI crashes while viewing audit log details.
502223—When importing an NS-5GT in Home-Work port mode with DHCP DNS Options set, NSM attempts to unset these options at the next update.
502390—If you use NSM 2009.1 and want to upload either the SA6.5r2 or ICC3.1r2 software into NSM, you must run a Juniper Networks Update to enable subsequent device software upgrades through NSM.
504414—NSM does not allow creation of an rpc-program-number in a custom service object if UDP or TCP services are selected.
504457—NSM unsets the value of lifetime kilobytes from custom phase 2 proposals after import from a device to NSM.
509454—NSM overrides previous rule parameters when a duplicate policy ID is present in a rule.
511486—An SRX Series device is displayed as a ScreenOS device in the NSM device manager after a schema upgrade to 124.
512713—After running an import admin directive, NSM changes other configurations along with admin accounts.
515794—New signature language constructs within-bytes, within-packets, and context-check created within a customer signature do not appear within the individual attack object signature set on the device.
515797—NSM cannot create a valid custom compound signature attack with new signature language constructs.
516416—An APE rulebase configured with a Custom Application fails to update for an update device operation.
516478—NSM incorrectly displays tunnel interfaces in a VPN.
516804—An IPv6 configuration imported into NSM immediately shows delta.
518800—NSM overrides previous rule parameters when a duplicate policy ID is present in a rule.
523762—Prior to the NSM 2010.2 release, NSM did not manage SRX Series policy names. When the device is imported and updated, NSM overwrites these policy names with the corresponding NSM policy IDs. With NSM 2010.2 release and later, these policy names are managed and displayed in the newly introduced Policy Name column.

Known Issues
This section describes known issues with the current release of NSM. Whenever possible, a workaround is suggested. These release notes contain issues related to NSM only. For a complete list of addressed issues for each device, see the release notes associated with the device.

NSM
266865—When you use NSM to edit the startup information of a device and change the Use Device Server Through MIP setting to Use Default Device Server IP Address and Port or make the opposite change, NSM does not push the change to the device.
277604—Interface configuration screens show more settings than are supported by the actual interface.
277718—When you use NSM to set Antivirus (AV) parameters for a policy on a Juniper Networks Secure Services Gateway (SSG) 300 Series device running ScreenOS 6.0r4, the new setting is not pushed to the device. However, NSM can be used successfully to send AV parameters settings to SSG 140 Series devices running ScreenOS 6.0r4.
277997—Device updates fail when a policy that references address objects for ScreenOS devices is assigned to a J Series device because the address object naming conventions for J Series devices are more restrictive than the naming conventions for ScreenOS devices. For J Series devices, the address object name must be a string that begins with a letter and consists of letters, numbers, dashes, and underscores. For ScreenOS devices, the address object name can include a combination of numbers, characters, and symbols. To ensure that a J Series device can use the Address Objects referenced by the security policy that is assigned to the J Series device, all address objects in that policy must follow the address object naming conventions for J Series devices. If the policy that is assigned to a J Series device contains preexisting address objects for ScreenOS devices, these address objects must be renamed to follow the same address object naming conventions for J Series devices.
284698—NSM users who do not have the View Security Policies role can still see the policy node within devices that have their Policy Management Mode set to In-Device.
286643—When you create a virtual system device with a '.' in the name, the firmware upgrade fails. The root device will reflect the change, but the virtual system will not.
287814—NSM users with IDP administrator credentials logged into a subdomain can edit shared address objects that are also visible in the global domain.
288309—For J Series routers in an NSM cluster, when the cluster member device reboots and reconnects to NSM, the hardware inventory displays out-of-sync in the Device list table. As a workaround, execute the Reconcile Inventory directive to synchronize the inventory state of the device.
288993—When you customize a predefined report, guiSvrCli.sh does not generate it correctly and causes subsequent reports to fail.
292369—When you create a policy-based VPN and then update the device and import it back into NSM, the VPN rules previously created with VPN Manager and updated to the device are now imported in the new policy created under Policy Manager > Security Policies, and the new policy is assigned to the device. However, if the VPN is subsequently deleted by the user, the VPN and all rules associated with it are removed from the VPN Manager, but not the Policy Manager policy. Before you can successfully update the devices, you must manually delete these VPN rules in the policy under Policy Manager.
292522—On a Secure Access SSL VPN SA Series device, when a user creates a resource profile, updates the device, and tries to add another bookmark, the new bookmark page does not show the Host and Server port values.
295156—On a Secure Access SSL VPN SA Series device, the order of the policies within a SAM policy is not maintained when the SAM policy is edited with the NSM GUI.
295314—After the initial import of a device, the database version feature shows the user who performed the import as 'unknown.'
299504—When you promote a device with a medium-sized configuration to a template from the root configuration level, you must wait at least 1 minute for the change to take effect before opening the template.
299014—During an upgrade installation, license information is required to complete the installation.
302289—The virtual management Ethernet interface must be set as the management interface on the virtual chassis for it to be managed through NSM.
302500—If you perform a firmware upgrade from Junos OS Release 9.0 to 9.1 through the device UI (or CLI) and not through NSM, you must reimport the device in NSM and adjust the operating system (OS) version of the device. To adjust the OS version in NSM, open Device Manager and right-click the device. Select either View/Reconcile Inventory or Adjust-OS Version. Ensure that the OS version running on the device matches the one recorded in the NSM database.
In NSM 2008.2, the NSM UI connects with the GUI server through port 7808, which is FIPS compliant. When installation is complete, you see the following message: "Please note that TCP port 7808 is being used for server-UI communication." Earlier versions of NSM connected through port 7801, which was not FIPS compliant.
303308—Excessive retry operations can cause a DMI device to malfunction if NSM closes the connection to the device while the device is trying to connect to NSM. When you add a DMI device through the NSM UI, you first add an unreachable device and then use the generated key to configure the device so that the device can initiate the connection to the NSM server. The connection will fail, however, if NSM closes the connection because:
The device is in the modeled RMA state.
The device shares a duplicate sequence number with another managed device.
The platform or device type (cluster member, virtual chassis, and so on) you specified while adding the device does not match the device itself.
You can check for these conditions by examining the Configuration Status in the Device List. If the Configuration Status is RMA, Detected duplicate serial number, Platform mismatch, or Device type mismatch, delete the device immediately from NSM to prevent excessive connection retries from causing a device malfunction, such as exceeding the maxproc limit, or reaching 100 percent CPU utilization. To add the device again, make sure the platform type and device type specified in the device add workflow match those of the device itself.
304406—During an NSM installation in an HA environment, when performing a refresh with the NSM installer or NSMXpress UI, the HA peers may not initialize communication properly. This problem commonly occurs when you migrate from a single NSM server to an HA configuration. The error does not occur when you perform a clean install or an upgrade using the NSM installer.
305451—On a subinterface, the NSM template does not display a data origin icon under the Service Options.
312509—When you configure the Network Address Translation (NAT) rule set on an SRX Series device running Junos OS Release 9.2, it is not imported correctly into NSM.
313889—When you connect 3000 or more devices to NSM, the GUI client freezes for a few minutes because of the large number of notifications from the GUI server.
If you add a Junos OS device to the NSM database through the reachable device workflow, you must enable netconf for SSH (specific to system services) by running the following command in the device CLI:
set system services netconf ssh
388578—NSM 2008.1r1 does not support SSL-VPN security devices.
394543—When you update the configurations of more than 30 devices together, the update device operation can take up to 10 minutes.
396285—Rebooting NSM servers fails in a Solaris 10 environment. You can use either of these workarounds to start or stop an NSM server:
Use /etc/init.d/guiSvr and /etc/init.d/devSvr as the root user.
Use /usr/netscreen/GuiSvr/bin/guiSvr.sh and /usr/netscreen/DevSvr/bin/devSvr.sh as an NSM user. You cannot use this script as the root user.
400850—Physical interfaces do not appear in the PBR policy non-member list if you bind them to the same security zone as the redundant interface.
404479—NSM does not list physical interfaces imported to vsys or cluster vsys devices if they are configured in the shared zone. If the interface is not configured in the shared zone, NSM displays it in the interface list.
If you add a Junos OS device to NSM through the unreachable workflow, execute the following commands on the device CLI to enable logging on it:
set system syslog file default-log-messages any
set system syslog file default-log-messages structured-data
404943—When the predefined service 'any-ip' is selected in a policy-based VPN and the device is updated, NSM generates an invalid CLI.
406791—After migration from NSM 2008.1R1 to 2008.2, editing a VPN results in a reference error under the manually created NHTB entry in NSM 2008.1R1.
409350—NSM does not support automatic ADM transformation for DMI devices.
VPN monitor does not display an entry for the vsys cluster member if the name of the member is changed.
410009—When a large number of devices is discovered, topology discovery displays unconnected devices, connected devices, and links as overlapping each other. The workaround is to manually drag unconnected device icons to free areas in the topology map, or view connected and unconnected devices separately.
422422—With every action, the NSM server increases its usage of memory which does not get freed later.
426324—The NSM guiSvrManager does not scale up to manage 6000 devices. You must limit the number of managed devices to a total of 3500 firewalls and DMI devices with 10,000 configurations and 5 GUI clients.
434863—VPN manager automatically fills tunnel proxy information for a route-based VPN. However, for external devices, you may want to check the proxy information and change it manually, if required.
436587—In NSM 2008.1, the value of the NHRP field in the vrouter schema is True, thereby enabling NHRP on all vrouters by default. In NSM 2008.2R2, the NHRP default value is False. Migrating from either NSM 2008.1R2 or NSM 2008.2R1 to NSM 2008.2R2 ensures that wrongly enabled vrouters are reset.
437109—If you disable backup during a high availability installation of NSM, then manual backups using the script replicateDb present in the /usr/netscreen/HaSvr/utils/ directory are not allowed as well.
437457—When you update an ICAP profile in a vsys device, the update fails.
438631—When an IDP device is upgraded from 4.1R3 to 5.0, the IDP configuration files are not imported to NSM. This is because the packet capture settings in IDP 5.0 devices are configurable from NSM, and are limited to 1000 to 65,535, unlike in IDP 4.1R3 devices.
439567—Since IDP and ISG devices support multiple services, NSM also allows multiple services to be added in an IDP policy. However, since SRX Series devices do not support multiple services in IDP policies, a device update fails after a service field is changed in the IDP policy.
439909—NSM API cannot log in using a user defined inside a subdomain. Login for a subdomain must be specified in the form of "global.subdomainname" instead of just the subdomain name.
443271—When a device reboots, the hardware-inventory status may be set to out-of-sync in NSM even when there is no change in the device's hardware. A workaround is to refresh the inventory. The status reverts to in-sync in NSM.
449502—SA devices with HOSTCHECKER policies for admin user cannot be added and managed by NSM.
446392—When migrating from 2007.3R1 to 2008.2R2, NSM unsets the loopback and subinterface configurations created in the 2007.3R1 setup. Migration from 2007.3R4 to 2008.2R2 succeeds.
450863—NSM does not display a validation error if an IPv4 address is added to an IPv6 address group using the Replace with option.
450906—When an interface is configured in the IPv6 host/router mode, NSM does not show or generate the interface ID which is generated by default in the device. Instead NSM generates an interface ID randomly.
450964—When you log in to NSM for the first time on the NSMXpress appliance, the System Information page opens first instead of the Install NSM page.
452182—While searching for IPs using the Global Search feature, you can search for a specific IP address and netmask. However, you cannot search for all IP addresses in a particular subnet. You also cannot search for all IPs beginning or ending with a particular number.
452960—To create a multiple IP range DIP, you must configure the extended IP under two options: Device supporting IPv6 and Device not supporting IPv6.
452898—The sequence of nodes under the Network tab changes when an interface is configured. Closing and reopening the interface window restores the original order of nodes.
453968—The Search option under IPv6 and IPv4 policies does not allow you to enter a complete string or word.
454983—The device cannot send the configuration file to the NSM server after a commit. The workaround is to run the passwd cfmuser command as root on the NSMXpress device and enter the same password configured during install.
455944—Under the Route-map, the Metric Options field entries and Local Preference values are not properly displayed on the template.
457072—In NSM, you cannot create node-specific entries for a cluster.
457242—The graph in my report displays 0.0.0.0 before displaying the correct IPv6 address.
457557—When you log in to NSM as a custom administrator in a custom role with a Create Security Policies privilege and create a new policy with an IPv6 rulebase, a Java NullPointer error is shown for the rulebase.
458585—NSM does not display a validation error for an invalid Attack Database Server path: Device > Security > Expand Attack DB > Settings.
459052—While creating gateway VPN settings, the NSM update often sends the following commands:
set ike gateway g1 dpd-liveness interval 0
set ike gateway g1 dpd-liveness retry 5
unset ike gateway g1 dpd-liveness always-send
unset ike gateway g1 dpd-liveness reconnect
unset ike gateway g1 nat-traversal
459323—NSM does not display validation error messages for low or high values under Destination or Source ports.
459330—NSM fails to update the PBR match-group, Action-Group, and PBR policy names if the name string contains spaces.
459949—When AVT is enabled on a device, the Profiler is not automatically enabled during a device restart. The workaround is to right-click on the device and select Start profiler.
460492—When installing a system update on RHEL 4.6, you receive a warning for the SELinux package. However, the installation works.
460645—The default screen view does not display all the options under Devices > Configuration > Update Device Config > ScreenOS and IDP options. The workaround is to extend the length of the window to view all the options.
460894—The NSM Object Manager does not display Zone object details.
461192—NSM displays all the interfaces under the Route-map > Match Interface list instead of displaying only the configured interfaces.
461266—NSM topology displays different icons for the M10i, MX480, J4300, and other routers.
463254—The order of nodes under the Network tab changes if the Transparent mode option is checked for a template. Closing and reopening the template restores the original order of nodes.
463738—When you model a device enabled with a transparent interface, the interface is incorrectly displayed as Route mode in the device configuration, and you cannot edit the mode field.
463788—The NSM UI displays a validation error for Route-map strings when Route-maps are configured without any entries such as permit/deny, match, set, and Metric Parameters.
464029—NSM incorrectly displays the validation "IP Address can't be unset since it's being used by VPN" on an IPv6 VPN though the IPv6 address is part of the VPN.
464071—SCTP, UTM, and GTP objects are visible in the expanded display mode after they have been deleted from the policy.
464094—NSM allows you to create IPv6-based DIP objects when the IPv6 mode is set to none.
464145—The VPN monitor does not display content for the Local address and Peer address fields.
464404—When existing custom virtual routes are configured using a template, you see a Revert to template/default value option when you right-click on the virtual router name field. If you select this option, the virtual router name becomes a null value and you see a validation error.
464834—In the NSMXpress multi-user access feature, you can map predefined users such as nsm and cfmuser to have access to the Web UI. However, these predefined users cannot log in because they do not have the defined password. We recommend that you do not map predefined users to Web UI users through UNIX authentication.
465023—The quick configuration editor Interfaces page is not refreshed when an interface is edited from a regular config editor. Functional zone tables are not validated when any node under functional zones is configured.
465407—NSM allows you to configure IPv6 options on a device running ScreenOS 6.3 even after IPv6 is disabled on that device.
465748—If you try to download the NSM client from an NSMXpress appliance with a different NSM UI client version, NSM prompts you to download the client from the server, but the download fails. A workaround is to download the client directly from the NSM server (https://ApplianceIP) or change the guiSvrWebProxy.port value to 443 in /var/netscreen/GuiSvr/guiSvr.cfg.
466039—The Interface Quick Configuration landing page usually shows "Could not Create View" for EX Series, MX Series, and SRX Series devices.
466233—After configuration, the routing table of model vsys devices does not display IPv6 route entries. However, the same route entries are visible in the delta config summary and are successfully updated in the device. A workaround is to import the vsys device.
466335—You cannot change the super user password from the Web UI of an NSMXpress device.
466349—NSM does not filter IPv6 policy rules from the Central Manager during an update to a ScreenOS device that does not support IPv6.
466934—The NSM database backup operation fails to execute from the Web UI on NSMXpress devices. The workaround is to log off, then log back in and execute the operation again.
467745—The NSM 2008.2r2 client often displays an empty device list.
468189—When migrating from NSM 2008.2R2a to 2009.1, the installer script does not display the version correctly. NSM 2008.2r2a is displayed as 2008.2r2.
472185—The NSM Device monitor and the VPN Monitor are slow to detect changes in state.
473963—During a shared disk installation on an NSM appliance, you receive an error message that the password for the Device Server is too short and that the minimum length should be eight characters.
474008—When you install a regional server on a new NSMXpress appliance through the Web UI or nsm_setup, you occasionally see the following message: Stopping NFS statd: [FAILED]. However, the installation is successful.
474518—The check box option for enabling NTP on redundant interfaces within NSM is missing.
475084—You cannot create a user with a UNIX authentication password option in the NSMXpress User list.
477341—Under Security Policies > Shared objects, a fast scroll Screen refresh does not occur properly.
477347—In NSM 2009.X, under Security Policies > Shared objects, the Search feature for services is slower than in previous releases.
477352—After you create an object under Security Policies > Shared objects, NSM takes some time to refresh the screen.
477355—The Junos OS does not validate configurations from NSM.
478484—During a regional server installation on an NSMXpress appliance, you see the following error message at the post-installation tasks stage: "No such file or directory" (/bin/cp: cannot stat `/usr/netscreen/GuiSvr/var/metadata_table.nml': "var/install/NSM-RS). However, the installation is successful.
479624—When you edit virtual routers with large numbers of static routes and ACL entries, the CPU utilization of the NSM GUI is very high.
479859—NSM incorrectly allows you to create address objects called ANY-IPv4 and ANY-IPv6.
480429—Device Statistics do not display policy distribution information.
481088—The SMTP Protocol Anomaly attack object does not contain recommended actions.
481124—A DI signature is displayed as member of the IDP dynamic attack group.
481645—NSM does not set a warning flag for IPv6 address objects containing duplicate networks.
485787—After the migration from 2009.1r1 to 2009.1r1a15 in an NSMXpress/NSM3000 appliance, online recovery partitioning fails from the NSM GUI.
484205—Community list commands for Border Gateway Protocols in the device differ from those in the job information.
484701—When selecting rules in a complex policy (around 1000 rules), the NSM GUI of release 2009.1r1 responds more slowly than in release 2007.3r4.
486191—After an upgrade on NSMXpress, you must manually delete the file nsm-scripti-vals.new if available under the /tmp directory. You must then reconfigure NSMXpress through nsm_setup.
488187—When you install NSM3000, disk partitioning may fail on the first attempt. The workaround is to erase the disk and reinstall the appliance.
489761—In an extended high availability setup, DMI devices do not reconnect to NSM after a GUI server failover. The workaround is to restart the Device server.
493491—The Random-port option is not available when configuring DIP on an interface running ScreenOS.
495586—NSM reorders NAT rules incorrectly on an SRX Series device cluster member.
495927—In the Policy Manager, if you select a rule containing either a source or destination IPv6 address and right-click on it, the Add Address and Filter options are not available. The workaround is to directly right-click on the rule without first selecting it.
496118—NSM fails to update an ISG2000 cluster with a 'Manage-IP of redundant IP' configuration.
496177—On an ISG2000 device, updating a physical interface with an IPv6 prefix list fails.
496395—When you apply an OSPF and BGP-enabled template to a device, NSM displays a validation error for the Virtual router ID under VR.
496431—On an ISG2000 device, NSM pushes the redundant interface configuration on every update of the device.
496701—After upgrading an ISG2000 running ScreenOS 6.2 to Release 6.3 through the NSM Software Manager, NSM wrongly creates CLI 'set cpu-protection threshold 0', causing updates to fail.
496705—When you configure DIP for an interface in a ScreenOS template, the Wizard is not displayed completely. The workaround is to drag the wizard open completely. On subsequent edits, the wizard opens to the same size as dragged earlier.
496721—After a peer group member is removed from a peer group in BGP and the device is updated, NSM does not delete the member from the group.
497112—If an IDP policy with all filters enabled in a dynamic attack group is pushed to an SRX3600 device, the update fails.
497949—NSM incorrectly allows the same user role to be added as both member and non-member of a user group in an IDP policy.
498731—On an ISG1000 cluster running ScreenOS 6.2 or earlier, NSM erroneously displays the IPv6 tab on the VSI interface.
498733—The NSM GUI does not provide a check box for enabling Track IP under VSD Group Monitoring for cluster members.
499146—After an RMA/Activate of an NS204 device, the NSM server primary interface displays a delta.
499174—When service applications are configured on policies in a Junos OS device template and applied to devices through NSM, the update fails.
499181—The NSM GUI erroneously displays the Gateway Tracking On option for IPv6 destination-based routes. IPv6 routes do not support this feature, causing the update to fail.
501774—When a port template configuration is pushed to an EX Series switch, the Device Connectivity status goes down and then comes back up.
502716—While updating IDP policies on an MX960 router, NSM only updates the name of the policy but not its contents such as address, attacks, action, notification, and so on.
503701—When selecting enforcement points to associate with ICs on an EX Series switch, the NSM GUI does not display the Select Cluster Member option. Drag the window open to see an extra field for selecting IC A/A cluster members.
504876—NSM is unable to connect with EX8216 switches running Junos OS Release 10.0r1.8.
504886—When a device is added through any workflow, NSM requires you to perform an import device config operation before you can view the Advanced > Predefined Service Session cache > Predefined Services option.
505299—Under Device Discovery rules, NSM is unable to discover J4350 and J6350 devices.
506135—NSM does not display variables for a query expression in the filter node under Configuration > System > Log monitoring. You can, however, create a query expression in a template where these variables are visible and successfully update a device in NSM with the template.
514022—NSM is unable to delete or disable IPv6 addresses configured on an interface using NSM. You can, however, delete an IPv6 address configured on an interface using the CLI.
514848—Object manager creates duplicate address objects with the same name but different IP addresses.
515487—The loopback interface belonging to a shared zone in a vsys is incorrectly imported into NSM.
516415—NSM imports an IPv6 address object whose domain name has been changed in the device as an IPv4 address object.
516420—Device Monitor does not update the modified device polling time.
517719—NSM is unable to add a Junos OS Pulse binary package. NSM supports a maximum package size of 50 MB and a maximum heap size (configured in NSM client) of 768 MB. However, the pulse binary package size is 70 MB and requires 2048 MB of heap memory.
519447—The Only this Value and Not this Value filters in the Log Viewer do not work for IPv6 Src, Dst, Src NAT, and Dst NAT address objects.
521704—An NSM user is able to delete the user role logged in as from NSM.
521930—The Junos OS applications node in templates shows extra options that are not present in the actual device for both predefined and custom applications.
523092—NSM does not allow selection of the dates of March 29, 30, and 31 while creating a new log report.
523099—NSM displays deleted vsys information.
523176—For log reports, if Columns for Report is selected with IPv6 address fields, the report displays an extra IP 0.0.0.0.
523190—Username and Password text boxes are displayed only when Authentication Type is initially set as Certificate and then set back to Basic.
523484—NSM displays the wrong version number after performing a software upgrade for devices running the Junos OS.
524124—NSM shows the configuration status of a device as Managed, In Sync after successfully importing a configuration file exported from the same device. The workaround is to update the device after importing the configuration file.
524216—Predefined Junos OS service objects junos-persistent-nat and junos-stun are not available in NSM.
526007—Resetting to Factory Defaults does not work after performing Offline Update Recovery Partition on an NSM3000 appliance. The workaround is to reinstall the image through USB.
526499—After upgrading to NSM 2010.2, when checking the HA server version, the highAvailSvr process displays the current version as 1.13.1 instead of 2010.2, and also displays old versions.
532855—The NSM application will not discover all endpoint devices if complete address forwarding tables (AFT) information is not available.
562393—When SRX low-end family devices (which have been renamed from 10.2) are added through model or unreachable workflow, the Managed OS version support drop-down list in NSM must display operating systems only up to 10.1. However, the list displays 10.2 and 10.3 too.
571988—The NSM UI shows an SSO service URL validation error for a Junos Pulse gateway blade server member device when you make configuration changes in the chassis auth server. The workaround is to ignore the error and apply configuration changes.
572667—NSM allows manual grouping of a standalone IVE device or blade server members that belong to a different blade server. However, NSM must validate that the manually added members belong to the Junos Pulse gateway blade server. The workaround is not to manually group members that belong to different Junos Pulse gateway blade servers, or to use the automatic grouping workflow.
580279—When you delete a blade server after adding a blade server member or an IVE device, a Reference cluster owner removed message is displayed even though there is no cluster grouped under the blade server. This message can be ignored.
582020—When the policy-options command is configured on a Junos OS device and imported to NSM, the next-hop and the load-balance options are not available on NSM. The NSM UI needs to be synchronized with the Junos OS device.
583241—Update device operation fails when an IVE device OS is upgraded from the NSM UI. We recommend that you import the device configuration first, make the required changes, and then update the device configuration from NSM.
585346—Standalone IDP version 5.1 disconnects from NSM and reconnects every 1 hour. This issue does not cause any traffic interruption on IDP. However, it may cause NSM generated alerts to the administrators.
591145—When you change the FPC power configuration from Off to On, a Hardware inventory out of sync error is displayed. As a workaround, execute the View/Reconcile operation to reconcile the hardware inventory of the Junos Pulse gateway blade server, and then update the configuration.
597263—When you perform an import operation on the blade server after changing the FPC power configuration from Off to On, the application blade is removed from the chassis and added to the device tree root node. The workaround is to delete the application blade from the NSM UI, add it again, and then perform an import device config operation on the Junos Pulse gateway blade server.
599577—Upgrade to an IVE device using file-put and request-package-add RPCs through a DMI device inbound connection fails if the file name used in the RPC request is not in the package-#####.pkg format. The workaround is to use the package-#####.pkg format for the file name.
608293—The NSM UI displays a validation error when 11.1R1.14 JPG device images are added to NSM. This is a one-time issue, and once OK is clicked after adding the device image, the error disappears.
738793—When an SA cluster member is removed from an IVE device, the corresponding cluster member should also be removed from NSM manually. The cluster member can be added again as a normal device.

EX Series Switches
394552—NSM allows you to apply Layer 2 Uplink port templates on LAG interfaces (port names beginning with 'ae'). NSM cannot automatically detect whether a LAG interface is deleted from the switch configuration after you apply the port template. It is therefore recommended that you manually remove the LAG interface from the ports associated with this template.
398326—After enabling the automatic import of configuration files on an EX Series switch running Junos OS Releases prior to 9.3R2 and 9.2R3, you need to manually add the NSM Device Server as a known host to the switch. To do this, log in to the EX Series switch through Telnet or SSH and then SSH to the NSM Device Server IP. This adds the NSM Device Server as a known host in the switch. Without this manual intervention, automatic import of config files does not take place from EX Series switches. You do not need to perform this step for EX Series devices running Junos OS Release 9.2R3 or 9.3R2.
398860—If you use LLDP, IP phones connected to 9.2R1.10 EX Series switches are not discovered. You need to upgrade to EX Series 9.2R2.15 or later.
402243—On a virtual chassis, if there is a physical link through the vme0 interface to an adjacent EX Series switch, topology discovery records two links, one from the vme interface and another from the me0 interface.
406887—Topology discovery commits data in small chunks to the database. If one of many such transactions fails, the remaining data is not committed. This could create inconsistent data in the database.
427855—When both master and backup router engines in a grande device are reachable by SNMP, topology discovery displays them as two separate devices in the topology map.
444091—Wrong links are discovered with EX8200 devices with only STP/RSTP. Enable LLDP on all the switches to ensure that links are discovered properly.
446950—Because of a UI issue, NSM incorrectly allows you to create virtual chassis with EX3200-24P. Virtual chassis should be created with EX4200 platforms only.

Devices Running ScreenOS and IDP
294030—On an ISG device, sufficient device memory is required to compile the policy during an update from NSM. A policy that specifies All attacks needs 600 MB or more RAM on the device. The update fails if the amount of RAM is insufficient. Contact JTAC for a workaround.
450906—When IPv6 is enabled on an interface in host mode, NSM does not generate any interface ID unless configured by the user whereas ScreenOS does, causing a mismatch. A workaround is to import the device into NSM after you update the IPv6 settings.
454755—ScreenOS does not treat DI profiles as standard shared objects. Hence NSM does not reflect changes in the profiles after you import a device.
458945—NSM cannot manage a device running a ScreenOS version earlier than 6.3 with an IPv6 configuration. For NSM to effectively manage the device, it must be upgraded to ScreenOS 6.3 and added or imported into NSM.
461167—You cannot export device logs using the syslog option from the NSMXpress Web UI.
461181—Updating fails when a policy with web filtering enabled is pushed to a vsys device from NSM.
461986—You cannot generate reports and e-mail them using the email.sh option in the NSMXpress appliance.
464396—On a modeled ScreenOS root device with a modeled vsys device, NSM does not display the IPv6 option on the modeled vsys.
464517—When a rule is added to a policy and the Notify Closed Session option is enabled, NSM shows the 'unset IDP' command in the delta configuration. If IDP is enabled on the device, IDP does not get unset.
465144—NSM does not display the option to monitor the IDP security module under the VSD group monitoring section.
479370—NSM does not generate dead peer detection configuration for IKE gateways on SRX Series devices.
489282—When you update an SSG5 running ScreenOS 6.1, NSM unsets eth0/0 and BGP even when an eth0/0 change is unnecessary and BGP is not enabled. The workaround is to enable BGP on tunnel 1.1.
497120—Updating an SRX3600 device with an IDP policy fails, displaying a "Previous commit is in progress" error message. The workaround is to wait for several minutes until the back-end commit process is completed.
518101—Validating a device fails after adjusting the OS version or updating the software through NSM.
521642—NSM displays delta configuration for ISG devices after the OS version is adjusted from 6.1 to 6.3.
522885—While adding SOS devices on an NSM HA server, a DB_EVENT_PANIC error message is displayed, and the HA server fails over to the secondary server. This issue is seen occasionally.
522890—Editing a ScreenOS cluster device, with a device configuration of 275 KB, takes approximately 5 minutes.
523203—ISG-1000 devices running ScreenOS 6.3r3 display a validation error under the root profile.

Secure Access SSL VPN SA Series and United Access Control Infranet Controllers
436750—NSM cannot import an IC if the IC has more than 5100 resource access policies. The import operation does not complete.
455844—Deleting an SA device object from NSM does not remove the object until services are restarted. This is seen intermittently.
460586—When a Junos OS SA/IC template is removed from a device, the template values are not retained even if the Retain Template values on removal option is checked.
465450—While creating a new custom expression under Role mapping, if you choose Directory/Attribute: as any LDAP server on NSM when you configure the User/Admin/MAC Realm General settings, the update to an SA/IC device fails.
519756—Creating a new Kerberos Intermediation on an SA device running SA 7.0R1 without assigning a realm will display an error. The workaround is to create a realm and assign it to the default Kerberos Intermediation.

SRX Series Services Gateways
395329—NSM cannot update the following attacks to SRX Series devices:
- All attacks
- Product filter as part of a dynamic attack group
- Anomalies as part of a compound attack group
- Recommended filter as part of a dynamic attack group where the value is set to false
If your previous NSM release managed IDP devices and you migrate to NSM 2008.2 enabling the FIPS mode, the IDP device connection status is down. You should reconnect all IDP devices to the FIPS-enabled 2008.2 NSM server. This happens because earlier NSM versions used MD5 HA to store device fingerprints, while FIPS compliance requires SHA-1. However, if the server is migrated to a non-FIPS 2008.2 setup then devices are connected automatically.
439305—An SRX Series device update fails because NSM does not drop the invalid IDP policy rule, IP-action with Block option selected. Although NSM displays a warning when you create this particular policy rule, it does not prevent its creation.
449045—When deleting the SRX family of devices, certain Java exception errors are logged into the file gproGDM.log of the GuiSvr error log directory.
452275—VLAN configurations are not applicable for SRX3400, SRX3600, SRX5600, and SRX5800 devices. However, the configuration editor and the quick configuration editor list the VLAN configurations.
458973—NSM displays validation errors under all occurrences of 'isis' node when the Junos OS Release 9.6 schema is applied. This issue is seen on all J Series and SRX Series devices.
460593—The system services RSH and Rlogin are not configurable from NSM.
461264—At times, an update on an SRX Series device fails with the error message "Previous commit in progress." This may happen when a previous commit is still being executed on the device in the background; for example, during an IDP policy compilation. For a workaround, see http://kb.juniper.net/KB16548. If the error is not due to an IDP policy compilation, the workaround is to add the device again.
477359—The private edit mode used in SRX Series clusters does not block NSM.
514021—The model number of SRX devices is incorrectly displayed under Hardware Inventory.
517276—NSM does not display logs for the backup device in an SRX Series virtual chassis in the Log viewer.
517284—IDP Detector Engine update does not work for both devices in an SRX Series virtual cluster.
519796—NSM does not display SRX Series virtual chassis details in Device Monitor.

Errata and Changes in Documentation for NSM Release 2011.1
The following section provides the documentation errata for this release.

Errata
In the Network and Security Manager Installation Guide, the sections on installing and upgrading NSM incorrectly refer to the upgrade directory as /tmp. The correct directory is /var/tmp.
The Network and Security Manager Installation Guide incorrectly shows the minimum system requirements for the operating system as RHEL 32-bit ES/AS 4.0-Update 7 or 32-bit ES/AS 5.0-Update 3 (Minimal and Full Install). The document should show the minimum system requirements for the operating system as RHEL 32-bit ES/AS 4.0-Update 8 or 32-bit ES/AS 5.0-Update 4 (Minimal and Full Install).

NSM Documentation and Release Notes
For a list of related NSM documentation, see http://www.juniper.net/techpubs/software/management/security-manager/.
If the information in the latest release notes differs from the information in the documentation, follow the NSM Release Notes.
To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:
- Document name
- Document part number
- Page number
- Software release version

Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.
JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/customers/support/downloads/710059.pdf.
Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.
JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
- Find CSC offerings: http://www.juniper.net/customers/support/
- Search for known bugs: http://www2.juniper.net/kb/
- Find product documentation: http://www.juniper.net/techpubs/
- Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
- Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
- Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/
- Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
- Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.

Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
- Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
- Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html.
If you are reporting a hardware or software problem, issue the following command from the CLI before contacting support:
    user@host> request support information | save filename
To provide a core file to Juniper Networks for analysis, compress the file with the gzip utility, rename the file to include your company name, and copy it to ftp.juniper.net:pub/incoming. Then send the filename, along with software version information (the output of the show version command) and the configuration, to support@juniper.net.
For documentation issues, fill out the bug report form located at https://www.juniper.net/cgi-bin/docbugreport/.

Revision History
19 May 2011—Revision 1, NSM 2011.1
13 July 2011—Revision 2, NSM 2011.1
26 October 2011—Revision 3, NSM 2011.1
30 November 2011—Revision 4, NSM 2011.1
05 January 2012—Revision 5, NSM 2011.1
27 February 2012—Revision 6, NSM 2011.1

Copyright 2012, Juniper Networks, Inc. All rights reserved.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.