Network and Security Manager (NSM) Release Notes DMI Schema & NSM Schema Release version 336 ver 1.0.336, August 3rd, 2016 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net
Version Summary Juniper Networks Network and Security Manager (NSM) is a software application that centralizes control and management of your Juniper Networks devices. With Network and Security Manager, Juniper Networks delivers integrated, policy-based security and network management for all security devices and other Juniper Networks devices in your networks. Network and Security Manager uses the technology developed for Juniper Networks ScreenOS to enable and simplify management support for previous and current versions of ScreenOS and now for Junos Software. By integrating management of all Juniper Networks devices, Network and Security Manager enhances the overall security and manageability of the Internet gateway Addressed Issues: None Added Support: junos-es 12.1X47-D40.1 Known Issues: In the NSM UI, the group selector panels titled Members/Non-Members map to the panels titled Available/Selected or Available List/Selected List in the SA or Infranet Controller admin UI. (55674) Identifier names (names of key fields) in the SA and Infranet Controller configuration, such as the names or realms, roles, sign-in URLS, sign-in pages and so forth, cannot be changed through the NSM UI. This is correct NSM behavior. However, identifier names can be changed through the SSL VPN SA and Infranet Controller Web UI. (57104) Selection of multiple objects is not available through the NSM UI, even though this capability is available on the SA and Infranet Controller admin UI in multiple places. (57190) The SA and Infranet Controller admin UI allows duplication of objects such as roles or resource profiles. This capability does not exist in the NSM UI. (55527) The default value of Network Connect option in the SA template's User role is not validated to its correct default value by NSM.(570650) After a device reboot, NSM status may change to "Device Changed". The workaround is to execute "Import Device" from NSM after the device reboot. (722250) If the administrator configures virtual ports for the external interface when the external interface is disabled, NSM accepts the configuration without any validation errors. However, when the configuration is pushed to the device, device-side validation fails and the device throws an error, resulting in a failed config update from NSM. (58625) When configuring IP address for virtual ports, no validation check is performed on the NSM side. When the configuration is updated to the SA device, an error will be generated if the IP address is invalid. (58627) In NSM, administrators are allowed to edit virtual ports settings from the Passive node, DMI Schema Release 2
provided the Cluster license is installed on that node. (59215) When configuring Host Checker registry check rule types via NSM, the input type validation is not completed for DWORD and binary registry values. (384845) If an SA 7.0R1 device is added to NSM 2009.1r1 or 2010.1, after first import, they will see a configuration validation error at Resource policies > General > Kerberos Intermediation. The workaround is to create a dummy realm under Kerberos realm definition and attach it to Kerberos intermediation, but this workaround can only be applied if Kerberos SSO is not employed in the customer s deployment. (485829) Through NSM, User is able to update Secure Meeting configuration on SA service successfully even if SMTP Login and SMTP Password are invalid. (59632) Discrepancy between NSM UI and IVE admin UI : On the NSM UI, if the admin performs the following steps: - Edit configuration, Go to Users->Resource Policies->Web->General->Kerberos->Kerberos Intermediation and enable 'Fallback to NTLM V2' option. - Go to Users->Resource Policies->Web->Basic Auth/NTLM SSO. - Create a new policy with Authentication type as Kerberos. - Then: 'Default' value is not present for the Label option. However, a similar workflow when performed on the IVE admin UI results in the 'Default' value being present in the dropdown. To work around this issue, the NSM administrator needs to manually enter the value for the Label field. (464103) Through NSM, if user selects Sequential room number with prefix option, and leaving a blank value, an error is thrown Meeting room number prefix cannot by empty. In spite of this error, if the configuration is pushed to the SA through update device, then the following results may happen depends on the configuration of the IVE: (384371) - In the Admin UI, if the Meeting Name is set to User, then update device will fail with the error Please specify a Room for the Meeting Name. This is the expected behaviour, as described in the bug description. - In the Admin UI, if the Meeting Name is set to Expression, then the update device will succeed. But the result is wrong, as described in the comment 5. The Meeting Name will be set to Sequential Room with prefix, but the value of the prefix will be incorrect. NSM does not support the EGA license version of the Access Control Service. (525179) When the X-auth server setting in a ScreenOS Infranet Enforcer is changed from NSM and updated, during IPSec resource access from the endpoint, IPSec access might not resume just by Refreshing policy Actions from the Admin UI. Issue the exec infranet controller disconnect/exec infranet controller connect command from the ScreenOS Firewall CLI to regain access. (516799) When creating a new or modifying an existing sign-in policy from NSM, a trailing '/' must be appended to the sign-in URL. For example, '/test-url/' instead of '/test-url' as would be entered in the web admin UI. (442853) The user expiration field should come after the password field for Local authentication of new users in NSM UI. (411366) When creating new Sign In pages from NSM for IC Series device, the Default Portal name is "Secure Access SSL VPN" instead of " IC Series device ". (440128) DMI Schema Release 3
When configuring a sensor from NSM, you must assign a One Time Password. (417136) When importing an IC Series device Active/Active cluster into NSM, log synchronization should be enabled to ensure logs are properly sent. (386132) Using NSM, applying a template promoted from one cluster to another might fail if the Sensor OTP field is left blank. (385985) No validation exists in the NSM client when entering a value for System->Configuration- >Global security->settings->lockout period. As a result, updating the device fails if you enter an invalid value. Valid range is 1 10081 minutes. (384524) The default NSM Agent configuration port should be set to 7804. This setting is found on the Configuration > NSM Agent > NSM Settings > Primary port page. (380220) If a device is added to NSM and the platform is not specified correctly (e.g. adding an IC4000 as an IC4500), the device could cause high CPU utilization. The workaround is to specify the correct platform when adding the device to NSM. (385121) Host Checker Statement of Health rule types are visible within NSM client even if SOH license not installed on IC. (384841) When configuring RADIUS Parameters within NSM, there is no option for creating "Custom challenge expressions". (383475) When configuring RADIUS Attribute Policies within NSM, it is not possible to modify the values of existing attributes. Attributes should be deleted and re-created if changing the value within NSM is required. (406154) Management of 'Active Directory' mode AD auth server configuration from NSM is not supported. (747864) In NSM, the error page "java.lang.nullpointerexception" might be displayed when you are editing the IC Series device configuration. This happens in rare scenarios. The workaround is to load schema manually after applying it. (810435) PR 691493 - EX devices loaded with 11.2 and above is unable to configure server-reject-vlan option under Dot1x properly. PR 688353 - Serial Number is not displayed for SRX110 device under Hardware inventory Chassis information. PR 841131 - Firmware upgrade though NSM for 11.4R7.5, 12.1R2, 12.2R1 from specific releases are failing is failing on EX. This is a regression issue due to fix of device side PR 739795, which is applicable only for ex devices. Unlink option while image update is removed on ex devices due to which ex devices throws an error while performing image update option from NSM, since NSM sends unlink option by default for common Junos platforms. The unlink option is removed from 11.4R3, 12.1R2, 12.2R1 build onwards, so the image upgrade will not work from NSM, if one of these images are loaded on ex box, e.g; image upgrade from NSM for 11.4R5.5 to 11.4R7.5 will fail, but it will pass for 11.4R2.14 to 11.4R7.5, similarly image upgrade for 11.4R6.6 to 12.2R3.5 will fail, but it will pass for 11.4R1.6 to 12.2R3.5. Device team has reverted this code which will reflect from next junos version for i.e; 12.1R6, 12.2R4 and 12.3R2 as per mentioned in AT#126 in PR 739795. [Workaround : Perform image upgrade through CLI and Adjust OS through NSM.] PR 846432 - character n in full-name field under system->login->user is giving validation errors [Workaround :- Avoid using alphabet n for m/mx 12.1 and 12.2 series, also ex 12.x series.] PR 847391: Device version is shown as 12.1X44.4 instead of 12.1X44-D10.4. Workaround - Immediate import is required after firmware upgrade to 12.1X44-D10.4 from NSM else diff will DMI Schema Release 4
be observed. PR 886740 - After successful completion of Summarize config on SRX5600 Cluster shows Description as "connecting to Device server", Completion as 50% & in summary "Reached 50000 limit, 10753 more lines are truncated." PR 901992 - NSM shows wrong Port range under Nat-pool PR 901565 - NSM shows wrong defaults values in device editor for SRX devices PR 915400 - unable to add Ex4300 series devices PR 924031 - [NSM]Device update fails on J-series device when using ICMPv6 predefined service on NSM rules PR 933692 - NSM client could not connect to server after online schema upgrade in NSM with huge DB PR 944384 If device config is changed from IVE web UI, the config status in NSM may remain In Sync PR 950019 NSM iso, mpls nodes missing under security->forwarding Options->family in VSRX device. PR 950899 - validation error observed in junos-es devices for ISIS service for 10.4R16.3 PR 973358 - Validation error related to ALG is shown in SRX5600 cluster. PR 999631 - NSM server is generating core at the time of performing update device PR 1008200 - Observing validation error on M10i device with 13.3 os version PR 1066989-12.1X44-D45.2 : update device is failing on 1k3k device with Internal trunk version PR 1116013-12.1X44-D30.4 : Delta seen after successful update of access-profile configuration from NSM PR 1105594 - Delta on srx5600 after image upgrade to 12.1X44-D50.2 on application's dfa pattern PR 1109027 - Delta on srx5600 after image upgrade to 12.3X48-D15.4 PR 1125563-12.3X48-D15 : NSM does not have JUINOS pre-defined application-set PR PR 1078345 12.1X44-D45.2 - ntp source-address format change - NSM unable to update PR 1119255 - \\n\\n\\n related delta observed after upgrading the image to 12.1X47-D25.4 on SRX5600 PR 1136792 - Delta on srx5600 after image upgrade to 12.1X46-D40.2 PR 1137002 - Upgrade fails for Vsrx image for 12.1X46-D40.2 series PR 1137500 - junos-icmp6-packet-to-big changed to junos-icmp6-packet-too-big for 12.1X47 PR 1032972 - NSM2012.2R10:: Delta related to destination-port(src/dest NAT) is seen after upgrading the software from 12.1X45-D10 to 12.1I20140910_srx_12q1_x47_d15_intgr.0-670013 PR 1156597 - Additional node 'none' is seen in NSM for snmpv3/privacy-des PR 1166027-12.1X46-D45.4:: NSM allows to configure 'vlans' though they are not supported by SRX-HE device PR 1165616-12.1X46-D45.4:: SNMPv3/privacy-key delta after image upgrade to 12.1X46- D45.4 PR 1168863 : 12.1X47-D35.2:: Delta on alarms node after image upgrade to 12.1X47-D35.2 on srx device PR 1176540 - Stream category node for logs changed in DMI Schema betweeen 12.3X48-D25.3 and 12.3X48-D21.2 PR 1181882 - Validation error under class of service after adding srx5600 device with 10.4 image PR 1181844 4-IL2-12.1X46-D50.4:: Error while upgrading image from 10.4R16.3 to 12.1X46- D50.4 on SRX5600 device DMI Schema Release 5
PR 1170125-2012.2R13:: Version 329 : NSM throws the validation error as "Missing required field" for 'security log stream <stream name> category' PR 1182188-12.1X46-D50.4:: NSM doesn't reflect the changes as per the schema diff tool PR 1189046-12.3X48-D30.7:: Few stream log category nodes are missing in NSM PR 1189064-12.3X48-D30.7:: map-entry-timeout range for msrpc/sunrpc has changed to 5-4320 Removed Support: Device Family J/SRX family JunOS version 10.4 : 10.4R1.9, 10.4R3.4, 10.4R4.5, 10.4R5.5, 10.4R6.5, 10.4R7.5, 10.4R8.5, 10.4R9.2, 10.4R10.7, 10.4R11.4, 10.4R12.1, 10.4R13.4, 10.4R14.2, 10.4R15.1, 10.4R16.3 M/MX None EX None DMI Schema Release 6
Supported releases This DMI schema update supports the following device code releases: Note: Junos 10.4R2 will not be supported. Junos 11.2R2 will not be supported. Junos Service Releases have limited support in NSM. Junos Service Release device CLI changes will not be supported in NSM. SA 7.0r7 and 7.1r3 do not have published schema and will not be supported from NSM. Please refer to the SA release notes for more details. Device Family JunOS version DMI Schema Release 7
Released J/SRX family 12.1 : 12.1R1.9, 12.1R2.9, 12.1R3.5,12.1R3.6,12.1R4.7, 12.1R4.8,, 12.1R5.5,, 12.1R6.5,, 12.1R7.9, 12.1X44 : 12.1X44-D10.4, 12.1X44-D15.5, 12.1X45-D10, 12.1X45-D15.5, 12.1X44-D20.3, 12.1X44-D25.5, 12.1X44-D30.4, 12.1X44- D35.5,,12.1X44-D40.2,,12.1X44-D45.2, 12.1X44-D50.2, 12.1X44-D60.2, 12.1X45 : 12.1X45-D20.4, 12.1X45-D30, 12.1X45-D25.1,12.1X45-D30 12.1X46 : 12.1X46-D10.2, 12.1X46-D15.3, 12.1X46-D20.5, 12.1X46- D25.7,,12.1X46-D30.2,,,12.1X46-D35.1, 12.1X46-D40.2, 12.1X46-D45.4,12.1X46-D50.4 12.1X47 : 12.1X47-D10.4, 12.1X47-D20.7, 12.1X47-D25.4,, 12.1X47- D30.4, 12.1X47-D35.2,12.1X47-D40.1 12.3X48 : 12.3X48-D10.3, 12.3X48-D15.4, 12.3X48-D21.1,12.3X48- D25.3,12.3X48-D30.7 11.4 : 11.4R1.6, 11.4R2.14, 11.4R2.15, 11.4R3.7, 11.4R4.4, 11.4R4-S1.2,11.4R4-S2, 11.4R5.5, 11.4R6.5,11.4R6.6, 11.4R7.5, 11.4R8.4, 11.4R9.4,11.4R9.5, 11.4R10.3, 11.4R10.4, 11.4R11.4, 11.4R12.4, 11.4R13.5 DMI Schema Release 8
M/MX Release 13.3 -> 13.3R1.6 Release 13.2 à 13.2R1.7, 13.2X50-D10.2, 13.2X50-D15.3, 13.2R2.4, 13.2R3.7 Release 12.3 à 12.3R1.7, 12.3R2.5, 12.3R3.4, 12.3R4.6, 12.3R5.7 Release 12.2 à 12.2R1.8, 12.2R2.4, 12.2R2.5, 12.2R3.5, 12.2R4.5, 12.2R5.3, 12.2R6.3, 12.2R7.1 Release 12.1 à 12.1R1.9, 12.1R2.9, 12.1R3.5, 12.1R3.6, 12.1R4.7, 12.1R4.8, 12.1R5.5, 12.1R6.5, 12.1R7.7, 12.1R8.4, 12.1R9.3 Release 11.4 à 11.4R1.6, 11.4R2.14, 11.4R2.15, 11.4R3.7, 11.4R4.4, 11.4R5.5, 11.4R6.5,11.4R6.6, 11.4R7.5, 11.4R8.4, 11.4R9.4, 11.4R10.3 Release 10.4 à 10.4R1.9, 10.4R3.4, 10.4R4.5, 10.4R5.5, 10.4R6.5, 10.4R7.5, 10.4R8.5, 10.4R9.2, 10.4R10.7, 10.4R11.4, 10.4R12.1, 10.4R13.4, 10.4R14.2, 10.4R15.1, 10.4R16.3 DMI Schema Release 9
Device Family EX JunOS version Release 13.2 à 13.2X50-D10.2, 13.2X50-D15.3 Release 12.3 à 12.3R1.7, 12.3R2.5, 12.3R3.4, 12.3R4.6, 12.3R5.7, 12.3R6.6 Release 12.2 à 12.2R1.8, 12.2R2.4, 12.2R2.5, 12.2R3.5, 12.2R4.5, 12.2R5.3, 12.2R6.4, 12.2R7.1 Release 12.1 à 12.1R1.9, 12.1R2.9, 12.1R3.5, 12.1R3.6, 12.1R4.7, 12.1R4.8, 12.1R5.5, 12.1R6.6, 12.1R7.7, 12.1R8.4, 12.1R9.3 Release 11.4 à 11.4R1.6, 11.4R2.14, 11.4R2.15, 11.4R3.7, 11.4R4.4, 11.4R5.5, 11.4R5.7, 11.4R6.5, 11.4R6.6, 11.4R7.5, 11.4R8.5, 11.4R9.4, 11.4R10.3 Release 10.4 à 10.4R1.9, 10.4R3.4, 10.4R4.5, 10.4R5.5, 10.4R6.5, 10.4R7.5, 10.4R8.5, 10.4R8.6, 10.4R9.2, 10.4R10.7, 10.4R11.4, 10.4R11.5, 10.4R12.1, 10.4R12.4, 10.4R13.4, 10.4R14.2, 10.4R15.1, 10.4R16.3 Junos-QFX Release 11.3 à 11.3R1.7 Device Family Secure Access Infranet Controller Release 8.0 à 8.0R1 Release 7.4 à 7.4R1->7.4R3 Release 7.3 à 7.3R1, 7.3R3 Release 7.2 à 7.2R1.1, 7.2R3 JunOS version Release 7.1 à 7.1R1, 7.1R2, 7.1R4,7.1R6 Release 7.0 à 7.0R1, 7.0R3, 7.0R6 Release 6.5 à 6.5R1, 6.5R2, 6.5R3, 6.5R4, 6.5R5, Release 6.5 à 6.5R7, 6.5R9, 6.5R10, 6.5R11 Release 6.4 à 6.4R1, 6.4R2, 6.4R3, 6.4R4, 6.4R5 Release 6.3 à 6.3R1,6.3R2, 6.3R3, 6.3R5, 6.3R6, 6.3R7 Release 5.0 à 5.0R1 Release 4.4 à 4.4R1, 4.4R3 Release 4.3 à 4.3R1, 4.3R3 Release 4.2 à 4.2R1.1 Release 4.1 à 4.1R1, 4.1R2, 4.1R6 Release 4.0 à 4.0R1, 4.0R3 Release 3.1 à 3.1R1, 3.1R2, 3.1R3, 3.1R4, 3.1R5, 3.1R7 Release 3.0 à 3.0R1, 3.0R2, 3.0R3 Release 2.2 à 2.1R1, 2.2R2, 2.2R3, 2.2R4 DMI Schema Release 10
Junos - MAG Release 11.4 à 11.4R2.8 Release 11.1 à 11.1R1.2, 11.1R1.14 DMI Schema Release 11
NSM releases are bundled with specific versions of Schema. All listed versions of NSM can be upgraded to the latest schema. NSM Release Bundled Schema version NSM 2012.R12 Version 324 NSM 2012.2R11 Version 317 NSM 2012.2R10 Version 307 NSM 2012.2R9 Version 303 NSM 2012.2R8 Version 297 NSM 2012.2R7 Version 292 NSM 2012.2R6 Version 284 NSM 2012.2R5 Version 280 NSM 2012.2R4 Version 276 NSM 2012.2R3 Version 266 NSM 2012.2R2 Version 265 NSM 2012.2R1 Version 261 NSM 2012.2 Version 256 NSM 2012.1 Version 233 NSM 2011.4 Version 222 NSM 2011.1 Version 166 NSM 2010.4 Version 158 NSM 2010.3 Version 143 NSM 2010.2 Version 134 NSM 2010.1 Version 119 NSM 2009.1r1 Version 87 NSM 2008.2r2 Version 66 DMI Schema Release 12
Schema Update considerations PR 933692 -NSM client could not connect to server after schema upgrade in NSM with huge DB The existing heap size defined is is insufficient for larger schema size to accommodate in DB due to which following errors are observed Xdbservice.log java.lang.outofmemoryerror: Java heap space nbiservice.log 2013/11/18-13:20:19.370 ERROR [CSPWorker-2] schemaservice.schemaaccess - Failed to get file from XDB org.apache.axis2.axisfault: Java heap space at org.apache.axis2.util.utils.getinboundfaultfrommessagecontext(utils.java:486) at org.apache.axis2.description.outinaxisoperationclient.handleresponse(outinaxisoperation.java:343) at org.apache.axis2.description.outinaxisoperationclient.send(outinaxisoperation.java:389) at org.apache.axis2.description.outinaxisoperationclient.executeimpl(outinaxisoperation.java:211) at org.apache.axis2.client.operationclient.execute(operationclient.java:163) at net.juniper.nbiservice.xdbservice.xdbservicestub.getallobjectsrequest(xdbservicestub.java:533) at net.juniper.nbiservice.schemaservice.schemaaccess.getallschemafilesobjs(schemaaccess.java:640) Workaround : Case 1:- If schema is not loaded DMI Schema Release 13
Step 1 : Increase -Xmx parameter from 256/512 to 1280 in /var/netscreen/guisvr/xdb/specs/jax.spec Step 2 : Restart NSM services Step 3: Update/Apply the schema Step 4: Revert the -Xmx parameter to the original and Restart the services. Step 5 : Connect the client. Case 2 :- If schema is loaded and the issue is seen Step 1 : Increase -Xmx parameter from 256/512 to 1250 in /var/netscreen/guisvr/xdb/specs/jax.spec Step 2: Remove /tmp/nsm_schemas.zip, /var/netscreen/guisvr/be/versions/<schema-ver>/, /var/netscreen/guisvr/schemas-gdh/<schema-ver>/, /var/netscreen/devsvr/ be/versions /<Schemaver>/, /var/netscreen/devsvr/schemas-ddh/<schema-ver>/ at server side and.nsm/schemas-nsm, <NSM_Installed_dir>/versions/<Schema-ver> at client side Step 3: Restart NSM services Step 4: Revert the -Xmx parameter to the original and Restart the services. Step 5 : Connect the client and import. This is an intermittent problem since some other high priority task may be running on NSM server which consumes more heap. Getting Help For more assistance with Juniper Networks products, visit: www.juniper.net/support Juniper Networks provides maintenance releases (updates and upgrades) for NSM software. To have access to DMI Schema Release 14
these releases, you must register your NetScreen devices and NSM application with Juniper Networks at the above web address. Copyright 2007 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from: Juniper Networks, Inc. ATTN: General Counsel 1194 N. Mathilda Ave. Sunnyvale, CA 94089 U.S.A. http://www.juniper.net DMI Schema Release 15