Security


Ask questions and share experiences with Juniper Connected Security. Discuss Advanced Threat Protection, SecIntel, Secure Analytics, Secure Connect, Security Director, and all things related to Juniper security technologies.
  • 1.  How to get SRX and Security Director Cloud in sync

    Posted 27 days ago

    Hello community, hopefully someone on here might be able to help with the below quandary?

    I have two SRX chassis clusters which are working as expected; however, much of the setup was done using the CLI and I cannot get Security Director Cloud to properly see these changes.  Issues that I have are:

    1. VPN configs in SDC are out of date, missing zone information for example.
    2. Security policy configuration is out of date, SDC doesn't see a number of rules, even though it is reporting on them in the dashboard...
    3. ATP is set up, but SDC doesn't think it is.

    I did think about removing the SRXs from SDC and re-adding them, but the limited documentation mentions that it will remove the config as well. I thought about deleting the sdcloud user and cert from the devices before pressing remove in SDC, but don't want to end up in more of a mess.

    Any ideas about the best path either to get SDC to update those elements, or on a reliable clean removal process that will allow re-adding?

    Thank you!

     



    ------------------------------
    CHARLES RAYER
    ------------------------------


  • 2.  RE: How to get SRX and Security Director Cloud in sync

     
    Posted 21 days ago

    Hi Charles,

    In this situation, you can either delete the device, delete the old policies and VPNs, and then re-discover it and import the policies (Auto-Import will happen if you discover it again). It will not delete the config from the device apart from SD config (certs, sduser, outbound-ssh).

    Or you can import the policies, since the number of rules is not matching, also import the VPNs and assign them to the device, and deploy (deploy old and new policy).



    ------------------------------
    Pravin Lokhande
    ------------------------------



  • 3.  RE: How to get SRX and Security Director Cloud in sync

    Posted 12 days ago

    Thanks Pravin,

    JTAC finally responded with something similar to you. I ended up using the process below, which worked:

    1. Rename existing policy in SDC
    2. Import policy from SRX
    3. Ignore the bit about replacing or changing imported values, it always changes them...
    4. Make sure new policy is assigned to SRX
    5. Remove old policy from SRX, it will warn you about deleting from device, ignore
    6. Select new imported policy first, then old unassigned policy, important to do in this order
    7. Click deploy
    8. If you see two lines with two sets of changes, cancel
    9. Try again and when you see one line with a + for the second policy and one set of changes, review the changes.
    10. You will see several sections where the import process renamed the AAMP policy or similar, edit the new imported policy so that the names are back to what you want.
    11. Repeat deploy test until you have only any expected changes.
    12. Proceed with deploy; there will be a big red warning telling you that lots of stuff will be deleted.  If you have followed the process above exactly you can safely ignore this and press go.

    * Remember to set rescue configuration before doing the above in case it goes wrong!

     import, fix import errors



    ------------------------------
    CHARLES RAYER
    ------------------------------