Junos Space Security Director

If you have confusion about Security Director and Junos Space, here is a simple description of these two;

Security Director (previously known as Security Design) is the application that manages Juniper SRX firewalls. You can think of this as a module which is only responsible for security platforms of Juniper. It is a subset of legacy NSM application as it doesn’t manage e.g EX, MX devices etc.

Junos Space is the platform which hosts all other applications i.e Security Director (SD), Service Now etc.  The hosting application is called Network Application Platform.

In this post, I would like to show briefly how you can add an SRX device into Security Director. Let’s begin;

When you login to Junos Space, the application that welcomes you is the Network Application Platform. All user management, device communication, monitoring jobs are handled by this application. For any application to access a device, target device must be imported to the platform first.

Importing a device to the platform

discover_target

 

I am doing my tests on 12.3P2.8 release of Space release so your screen may be different than mine. First of all add the device by using the Platform->Devices->Device Discovery->Discovery Targets

You will see the wizard which you can follow intuitively. Make sure the device SSH port is accessible from Space device.  You will enter the device’s user credentials and if available SNMP details. After a while SRX device should be available in the platform device list. Here is my SRX100 device I have just added

device_added_srx

 

Currently device is under the control of platform but not SD. Let’s add this device to SD too. Select Security Director on the left drop down menu and under Security Director Devices, right click the devices previously imported and click “import” to import the policy configuration.

security_director_add_device

 

 

 

 

 

 

 

 

 

 

 

 

 

You will again see a wizard that you can follow. Be informed that not every configuration might be supported. For example in my import utm-policy is flagged as unsupported which can change in future releases though.

sd_add_device_2

 

When you finish the wizard you will have a progress bar after which your policy will be available under Firewall Policy with the same name as your device.

firewall_policy_security_director

 

 

On this window, if you click the “Lock policy for edit” button on top, you can edit the policy. Here I would like to add a simple rule to push to the device. For this I right click on the “InterZone: transit-zone to srx100-wan” rule and click “Add Rule Before” to add the rule on top of every other rule. Though SD may rearrange the order depending on the context.

sd_new_rule_2

 

I also add a new address object e.g test_addr1 into SD database clicking the address field and then by clicking the plus + sign on the right corner of the new window and then click “Save” to save changes. So far so good but this policy hasn’t been assigned to any device yet. SD by default doesn’t assign the policy it imports to the device. You must do it manually. There is a reason behind it. To assign the policy to the device: Right click the policy name e.g srx100-1 and select assign device. Then choose the device you want to assign.

So far we haven’t pushed anything to the device yet. To push the policy:

Right click the device and select “Publish Policy” after which you will see the following screen;

policy_push

 

On this window if you click “View” link on the upper right corner, SD will show you what it will send to the device as CLI commands (or XML). If you click “Publish and Update” SD will first do some internal checks then it will push the config to the device via the netconf channel established.

For example below is the “View” output of my window.

sd_push_view

 

 

If you have followed so far you may be asking why SD is deleting some config although we didn’t delete anything. Address objects are removed because they aren’t used in any security policy. Policies which are removed at the bottom of the screen are because of the unsupported UTM policy.  After the view window, if you are comfortable with the changes, you can “Publish and Update” the device. Once you click, a job id is assigned to your process and then you can monitor the progress on the “My jobs” window which you can navigate from the right upper corner.

I hope you liked this short introduction to Security Director. I wrote it quite quickly let me know if you see any mistakes.

 

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


7 thoughts on “Junos Space Security Director”

  1. Please let us know how to update DMI schema in case of no-availabililty for this JUNOS OS?

    Moreover, please provide any configuration required in SRX e.g: Device-ID, Shared Secret, Client-ID. thanks

  2. Hi..

    Article was very helpful for me. thank you for the article… Can you please add more topics on this

    1. Praveen,
      I don’t work with Junos Space much any more. Maybe in the future but at the moment, I don’t see any post in the near future.

      Genco.

  3. Here is a link for Full guide of Security Director: In this they have step to migrate NSM to Junos Space:

Leave a Reply to RaymondCancel reply

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading