Network and Security Manager (NSM) Release Notes

DMI Schema Release version 255 ver 1.0.252, November 8, 2012

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
408-745-2000
www.juniper.net

Version Summary

Juniper Networks Network and Security Manager (NSM) is a software application that centralizes control and management of your Juniper Networks devices. With Network and Security Manager, Juniper Networks delivers integrated, policy-based security and network management for all security devices and other Juniper Networks devices in your networks. Network and Security Manager uses the technology developed for Juniper Networks ScreenOS to enable and simplify management support for previous and current versions of ScreenOS and now for Junos Software. By integrating management of all Juniper Networks devices, Network and Security Manager enhances the overall security and manageability of the Internet gateway.

Addressed Issues: None

Known Issues:

- In the NSM UI, the group selector panels titled Members/Non-Members map to the panels titled Available/Selected or Available List/Selected List in the SA or Infranet Controller admin UI. (55674)

- Identifier names (names of key fields) in the SA and Infranet Controller configuration, such as the names of realms, roles, sign-in URLs, sign-in pages and so forth, cannot be changed through the NSM UI. This is correct NSM behavior. However, identifier names can be changed through the SSL VPN SA and Infranet Controller Web UI. (57104)

- Selection of multiple objects is not available through the NSM UI, even though this capability is available on the SA and Infranet Controller admin UI in multiple places. (57190)

- The SA and Infranet Controller admin UI allows duplication of objects such as roles or resource profiles. This capability does not exist in the NSM UI. (55527)

- The default value of the Network Connect option in the SA template's User role is not validated to its correct default value by NSM. (570650)

- After a device reboot, NSM status may change to "Device Changed". The workaround is to execute "Import Device" from NSM after the device reboot. (722250)

- In an Active/Passive Cluster, IPv6 can be enabled on the Management port using NSM configuration, which will allow the admin to access an A/P Cluster using an IPv6 address. (820259)

- If the administrator configures virtual ports for the external interface when the external interface is disabled, NSM accepts the configuration without any validation errors. However, when the configuration is pushed to the device, device-side validation fails and the device throws an error, resulting in a failed config update from NSM. (58625)

- When configuring the IP address for virtual ports, no validation check is performed on the NSM side. When the configuration is updated to the SA device, an error will be generated if the IP address is invalid. (58627)

- In NSM, administrators are allowed to edit virtual ports settings from the Passive node, provided the Cluster license is installed on that node. (59215)

- When configuring Host Checker registry check rule types via NSM, the input type validation is not completed for DWORD and binary registry values. (384845)

- If an SA 7.0R1 device is added to NSM 2009.1r1 or 2010.1, after the first import a configuration validation error is shown at Resource policies > General > Kerberos Intermediation. The workaround is to create a dummy realm under the Kerberos realm definition and attach it to Kerberos intermediation, but this workaround can only be applied if Kerberos SSO is not employed in the customer's deployment. (485829)

- Through NSM, the user is able to update the Secure Meeting configuration on the SA service successfully even if SMTP Login and SMTP Password are invalid. (59632)

- Discrepancy between the NSM UI and the IVE admin UI. On the NSM UI, if the admin performs the following steps:
  - Edit configuration, go to Users->Resource Policies->Web->General->Kerberos->Kerberos Intermediation and enable the 'Fallback to NTLM V2' option.
  - Go to Users->Resource Policies->Web->Basic Auth/NTLM SSO.
  - Create a new policy with Authentication type as Kerberos.
  - Then: the 'Default' value is not present for the Label option.
  However, a similar workflow performed on the IVE admin UI results in the 'Default' value being present in the dropdown. To work around this issue, the NSM administrator needs to manually enter the value for the Label field. (464103)

- Through NSM, if the user selects the Sequential room number with prefix option and leaves the value blank, the error "Meeting room number prefix cannot by empty" is thrown. If the configuration is pushed to the SA through update device in spite of this error, the following results may occur, depending on the configuration of the IVE: (384371)
  - In the Admin UI, if the Meeting Name is set to User, then update device will fail with the error "Please specify a Room for the Meeting Name". This is the expected behaviour, as described in the bug description.
  - In the Admin UI, if the Meeting Name is set to Expression, then update device will succeed, but the result is wrong, as described in comment 5. The Meeting Name will be set to Sequential Room with prefix, but the value of the prefix will be incorrect.

- PR 691493 - EX devices loaded with 11.2 and above are unable to configure the server-reject-vlan option under Dot1x properly.

- PR 688353 - Serial Number is not displayed for the SRX110 device under Hardware inventory Chassis information.

- New platforms SRX240B2, SRX240H2, SRX240H2-DC added with 11.4R5.5 are not supported with 11.4R5.5 schema.

Added Support: 12.1R4.7 for junos, junos-es and junos-ex.

Removed Support: None

Supported releases

This DMI schema update supports the following device code releases:

Note:
- Junos 10.4R2 will not be supported.
- Junos 11.2R2 will not be supported.
- Junos Service Releases have limited support in NSM. Junos Service Release device CLI changes will not be supported in NSM.
- SA 7.0r7 and 7.1r3 do not have published schema and will not be supported from NSM. Please refer to the SA release notes for more details.

Device Family: J/SRX family

JunOS version
Release 12.1: 12.1R1.9, 12.1R2.9, 12.1R3.5, 12.1R4.7
Release 11.4: 11.4R1.6, 11.4R2.14, 11.4R3.7, 11.4R4.4, 11.4R4-S1.2, 11.4R4-S2, 11.4R5.5
Release 11.2: 11.2R1.10, 11.2R3.3, 11.2R4.3, 11.2R5.4, 11.2R6.3, 11.2R7.4
Release 11.1: 11.1R1.14, 11.1R2.3, 11.1R3.5, 11.1R4.4, 11.1R6.4
Release 10.4: 10.4R1.9, 10.4R3.4, 10.4R4.5, 10.4R5.5, 10.4R6.5, 10.4R7.5, 10.4R8.5, 10.4R9.2, 10.4R10.7, 10.4R11.4
Release 10.3: 10.3R1.9, 10.3R2.11, 10.3R3.7, 10.3R4.4
Release 10.2: 10.2R2.11, 10.2R4.8
Release 10.1: 10.1R1.8, 10.1R2.8, 10.1R3, 10.1R4.4
Release 10.0: 10.0R1, 10.0R2, 10.0R3, 10.0R4
Release 9.3: 9.3R1, 9.3R2, 9.3R3, 9.3R4

Device Family: M/MX

JunOS version
Release 12.2: 12.2R1.8
Release 12.1: 12.1R1.9, 12.1R2.9, 12.1R3.5, 12.1R4.7
Release 11.4: 11.4R1.6, 11.4R2.14, 11.4R3.7, 11.4R4.4, 11.4R5.5
Release 11.2: 11.2R1.10, 11.2R3.3, 11.2R4.3, 11.2R5.4, 11.2R6.3, 11.2R7.4
Release 11.1: 11.1R1.14, 11.1R2.3, 11.1R3.5, 11.1R4.4, 11.R6.4
Release 10.4: 10.4R1.9, 10.4R3.4, 10.4R4.5, 10.4R5.5, 10.4R6.5, 10.4R7.5, 10.4R8.5, 10.4R9.2, 10.4R10.7, 10.4R11.4
Release 10.3: 10.3R1.9, 10.3R2.11, 10.3R3.7, 10.3R4.4
Release 10.2: 10.2R2.11, 10.2R4.8
Release 10.1: 10.1R1.11, 10.1R1.8, 10.1R2.8, 10.1R3, 10.1R4.4
Release 10.0: 10.0R1, 10.0R2, 10.0R3, 10.0R4
Release 9.3: 9.3R1, 9.3R2, 9.3R3, 9.3R4

Device Family: EX

JunOS version
Release 12.2: 12.2R1.8
Release 12.1: 12.1R1.9, 12.1R2.9, 12.1R3.5, 12.1R4.7
Release 11.4: 11.4R1.6, 11.4R2.14, 11.4R3.7, 11.4R4.4, 11.4R5.5
Release 11.3: 11.3R2.4, 11.3R3.2, 11.3R4.2
Release 11.2: 11.2R1.2, 11.2R3.3, 11.2R4.3, 11.2R5.4, 11.2R6.3, 11.2R7.4
Release 11.1: 11.1R1.14, 11.1R2.3, 11.1R3.5, 11.1R4.4, 11.1R6.4
Release 10.4: 10.4R1.9, 10.4R3.4, 10.4R4.5, 10.4R5.5, 10.4R6.5, 10.4R7.5, 10.4R8.5, 10.4R9.2, 10.4R10.7, 10.4R11.4
Release 10.3: 10.3R1.9, 10.3R2.11, 10.3R3.7, 10.3R4.4
Release 10.2: 10.2R2.11, 10.2R4.8
Release 10.1: 10.1R1.8, 10.1R2.8, 10.1R3, 10.1R4.4
Release 10.0: 10.0R1, 10.0R2, 10.0R3, 10.0R4
Release 9.3: 9.3R1, 9.3R2, 9.3R3, 9.3R4

Device Family: Junos-QFX

JunOS version
Release 11.3: 11.3R1.7

Device Family: Secure Access

JunOS version
Release 7.3: 7.3R1
Release 7.2: 7.2R1.1, 7.2R3
Release 7.1: 7.1R1, 7.1R2, 7.1R4, 7.1R6
Release 7.0: 7.0R1, 7.0R3, 7.0R6
Release 6.5: 6.5R1, 6.5R2, 6.5R3, 6.5R4, 6.5R5, 6.5R7, 6.5R9, 6.5R10, 6.5R11
Release 6.4: 6.4R1, 6.4R2, 6.4R3, 6.4R4, 6.4R5
Release 6.3: 6.3R1, 6.3R2, 6.3R3, 6.3R5, 6.3R6, 6.3R7

Device Family: Infranet Controller

JunOS version
Release 4.3: 4.3R1
Release 4.2: 4.2R1.1
Release 4.1: 4.1R1, 4.1R2, 4.1R6
Release 4.0: 4.0R1, 4.0R3
Release 3.1: 3.1R1, 3.1R2, 3.1R3, 3.1R4, 3.1R5, 3.1R7
Release 3.0: 3.0R1, 3.0R2, 3.0R3
Release 2.2: 2.1R1, 2.2R2, 2.2R3, 2.2R4

Device Family: Junos - MAG

JunOS version
Release 11.4: 11.4R2.8
Release 11.1: 11.1R1.2, 11.1R1.14

NSM releases are bundled with specific versions of Schema. All listed versions of NSM can be upgraded to the latest schema.

NSM Release: Bundled Schema version
NSM 2012.1: Version 233
NSM 2011.4: Version 222
NSM 2011.1: Version 166
NSM 2010.4: Version 158
NSM 2010.3: Version 143
NSM 2010.2: Version 134
NSM 2010.1: Version 119
NSM 2009.1r1: Version 87
NSM 2008.2r2: Version 66

Schema Update considerations

Online Schema update: KB12561
Offline Schema update: KB12756

Before the Schema is applied on the NSM servers, the changes below may need to be performed. These changes are required on the 2010.3 and 2010.4 versions of NSM. They may also be required when upgrading to a later NSM version.

1. Log in to the NSM GUI Server and edit /usr/netscreen/guisvr/var/guisvr.cfg. Modify the line that looks as below:

    guisvrdirectivehandler.max.heap 1024000000

   to:

    guisvrdirectivehandler.max.heap 1536000000

2. Log in to the NSM Device Server and edit /usr/netscreen/devsvr/var/devsvr.cfg. Modify the line that looks as below:

    devsvrdirectivehandler.max.heap 1024000000

   to:

    devsvrdirectivehandler.max.heap 1536000000

3. Log in to the NSM Dev Server and edit the file /usr/netscreen/devsvr/var/be/cfg/swrpcinfo.prop. Modify the parameters below to the new values shown:

    get-re-info.response.retry=60
    request-package-add.response.retry=10
    request-reboot.response.retry=10
    file-put.response.timeout=120
    file-put.response.retry=10 (may be set as high as 40 if upgrade is timing out)

   These changes are required due to the increased JUNOS image sizes.

4. Stop all the NSM processes.

   Non-HA environment:

    /etc/init.d/hasvr stop
    /etc/init.d/guisvr stop
    /etc/init.d/devsvr stop

   HA environment:

    /etc/init.d/hasvr stop

5. Start all the processes.

   Non-HA environment:

    /etc/init.d/guisvr start
    /etc/init.d/devsvr start
    /etc/init.d/hasvr start

   HA environment:

    /etc/init.d/hasvr start

6. On the client, update the heap size. Go to C:\Program Files\Network and Security Manager/, edit the NSM.lax file, and modify the heap size to the values below:

    lax.nl.java.option.java.heap.size.initial=48m

   to:

    lax.nl.java.option.java.heap.size.initial=64m

   and:

    lax.nl.java.option.java.heap.size.max=768m

   to:

    lax.nl.java.option.java.heap.size.max=1280m

Getting Help

For more assistance with Juniper Networks products, visit: www.juniper.net/support

Juniper Networks provides maintenance releases (updates and upgrades) for NSM software. To have access to these releases, you must register your NetScreen devices and NSM application with Juniper Networks at the above web address.

Copyright 2007 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from:

Juniper Networks, Inc.
ATTN: General Counsel
1194 N. Mathilda Ave.
Sunnyvale, CA 94089 U.S.A.
http://www.juniper.net
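
The server-side settings from steps 1 to 3 of the schema update procedure can be audited before the NSM processes are restarted in steps 4 and 5. The script below is an added example, not Juniper code: the function names `get_value` and `preflight`, the optional base-directory argument, and the choice to treat each listed value as a minimum are assumptions, and the demo file at the end is constructed.

```shell
#!/bin/sh
# Added example: audit the settings from steps 1-3 before a schema update.
# Assumption: each listed value is treated as a minimum (the page allows a higher retry).
# Entries are "path under /usr/netscreen|key|minimum", all taken from the procedure.
REQUIRED='guisvr/var/guisvr.cfg|guisvrdirectivehandler.max.heap|1536000000
devsvr/var/devsvr.cfg|devsvrdirectivehandler.max.heap|1536000000
devsvr/var/be/cfg/swrpcinfo.prop|get-re-info.response.retry|60
devsvr/var/be/cfg/swrpcinfo.prop|request-package-add.response.retry|10
devsvr/var/be/cfg/swrpcinfo.prop|request-reboot.response.retry|10
devsvr/var/be/cfg/swrpcinfo.prop|file-put.response.timeout|120
devsvr/var/be/cfg/swrpcinfo.prop|file-put.response.retry|10'

# get_value FILE KEY: print the last value set for KEY ("key value" or "key=value").
get_value() {
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, k) == 1 {
            rest = substr(line, length(k) + 1)
            if (rest ~ /^[ \t]*=/ || rest ~ /^[ \t]+/) {   # key ends here, not a prefix
                sub(/^[ \t]*=?[ \t]*/, "", rest); sub(/[ \t\r]+$/, "", rest)
                val = rest; found = 1
            }
        }
        END { if (!found) exit 1; print val }' "$1"
}

# preflight [BASE]: report each setting; return how many are missing or too low.
preflight() {
    base=${1:-/usr/netscreen}; bad=0
    while IFS='|' read -r rel key min; do
        file="$base/$rel"
        if [ ! -f "$file" ]; then echo "SKIP $rel (not on this host)"; continue; fi
        if ! cur=$(get_value "$file" "$key"); then
            echo "FAIL $key missing in $rel"; bad=$((bad + 1))
        elif [ "$cur" -ge "$min" ] 2>/dev/null; then
            echo "OK   $key = $cur"
        else
            echo "FAIL $key = $cur, need at least $min"; bad=$((bad + 1))
        fi
    done <<EOF
$REQUIRED
EOF
    return "$bad"
}

# Demo on a constructed file (sample value, not from a real server).
demo=$(mktemp -d) && mkdir -p "$demo/guisvr/var"
echo 'guisvrdirectivehandler.max.heap 1024000000' > "$demo/guisvr/var/guisvr.cfg"
preflight "$demo" || echo "settings to fix: $?"
rm -rf "$demo"
```

On a real installation, call `preflight` with no argument on the GUI server and on the Device Server; files that live on the other host are reported as SKIP rather than counted as failures.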