JunOS Space - Warning Message for Consolidated Configuration - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Tuesday, January 12, 2016

JunOS Space - Warning Message for Consolidated Configuration

Junos Space is a comprehensive network management solution that simplifies and automates management of Juniper’s switching, routing, and security devices. To those security administrator who like command line, they will still prefer to use command line to change certain things such as host name, routes, system configuration etc. Juniper call it out-of-band commit since it happens at device itself, not from JunOS Space. Usually the JunOS space will auto-synchronize the JunOS Space configuration database with device configuration.

In a network managed by Network Director, three separate repositories about device configuration are maintained:

  • The configuration information on the devices themselves. Each switch and wireless LAN controller maintains its own configuration record.
  • The configuration information maintained by the Junos Space Network Management Platform. When a device is discovered, either by Junos Space or Network Director, Junos Space stores a record of the configuration on that device.
  • The configuration information maintained by Network Director in Build mode. This information takes the form of the profiles assigned to the device, plus the additional configuration, such as LAG and access point configuration, that you can do under device management.

In Network Director, the configuration state of a device is shown as In Sync when the configuration information in all three repositories match. If there is a conflict between the configuration information in one or more of the repositories, Network Director shows the device configuration state as Out of Sync. An Out of Sync state is usually the result of out-of-band configuration changes—that is, configuration changes made to a device using a management tool other than Network Director.

When configuration changes are made on a physical device that Junos Space Network Management Platform manages, Junos Space Network Management Platform reacts differently depending on whether the network itself is the system of record (NSOR) or Junos Space Network Management Platform is the system of record (SSOR).

In the NSOR case which is default, Junos Space Network Management Platform receives a system log message and automatically resynchronizes with the device. This ensures that the device inventory information in the Junos Space Network Management Platform database matches the current configuration information on the device. Please check Juniper Doc "Understanding How Junos Space Automatically Resynchronizes Managed Devices" to get more information about it.

I met one warning message during working on CLI and Space. Sometimes, after I made some changes on firewall itself , usually it relates to system settings or routes. I thought it would be  auto-synchronized with space in 25 seconds. But in fact, it did not. Then when you worked on Space again to make firewall policy changes, during push and update process, it will warn you with following information:
"Some of the selected devices have their status as 'Device changed' and some may have consolidated configurations in 'Created' or 'Approved' states. Device update may cause conflict with consolidated configuration changes. Do you want to continue with Publish and update?

To resolve this, only need two steps:
1. Resynchronize with network
Select Devices -> Device Management. Right click the device, and select Resynchronize with network. Please select all your cluster members to do it when enabled clustering on your devices.

2. Resynchronize with Platform:
Select Security Director > Security Director Devices. Right-click the device, and select Resynchronize with Platform. The Sync Device Status page appears to confirm the sync action. To sync the changes, click Sync.

You will see synchronizing from device's Managed Status

After re-synchronization completed, the warning message will go away.

3. Other Steps
If the warning message is still there, try following steps:

3.1.Import device configuration from Security Director devices.
3.2.Assign the newly imported policy to the device.
3.3.Publish the policy once you have assign it.
3.4.Update the device from Security Director devices.

4. Last Resort

The last resource would be to delete the device and re-add, then re-import all FW, IPS, NAT, VPN Policies and assign it to the device, then publish and update.


  1. Una consulta. Si hacemos cambios en las políticas o nats por CLI como podemos reflejar esos cambios en el Junos Space Security Director?

    1. no. For any changes on firewall policies including IDP policies, NAT and VPN made by CLI, you will have to re-import them into Space.