Errata in Documentation for JUNOS Software Release 9.5 for SRX-series Services Gateways
This section lists outstanding issues with the documentation.
Attack Detection and Prevention
The default parameters documented in the firewall/NAT screen configuration options table in the JUNOS Software Security Configuration Guide and the J-Web online Help do not match the default parameters in the CLI. The correct default parameters are:
tcp {
    syn-flood {
        alarm-threshold 1024;
        attack-threshold 200;
        source-threshold 1024;
        destination-threshold 2048;
        timeout 20;
    }
}
[edit security screen ids-option untrust-screen]
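The following added example (not part of the Juniper documentation) audits a screen stanza against the corrected CLI defaults listed above, showing which syn-flood options are overridden and which fall back to a default. It assumes that options omitted from a configured syn-flood block take those defaults; the function names and the sample stanza are constructed for illustration.

```python
import re

# Corrected CLI defaults for tcp syn-flood, as listed in this erratum.
CLI_DEFAULTS = {
    "alarm-threshold": 1024,
    "attack-threshold": 200,
    "source-threshold": 1024,
    "destination-threshold": 2048,
    "timeout": 20,
}

def parse_syn_flood(config_text):
    """Return {option: int} from the first syn-flood { ... } block, or None if absent."""
    m = re.search(r"syn-flood\s*\{([^{}]*)\}", config_text)
    if m is None:
        return None
    found = {}
    for stmt in m.group(1).split(";"):
        parts = stmt.split()
        if len(parts) == 2 and parts[0] in CLI_DEFAULTS and parts[1].isdigit():
            found[parts[0]] = int(parts[1])
    return found

def audit_syn_flood(config_text):
    """Map each option to (value, status); status is 'default' (not set),
    'explicit-default' or 'override'. Empty dict if no syn-flood block exists."""
    explicit = parse_syn_flood(config_text)
    if explicit is None:
        return {}
    report = {}
    for opt, default in CLI_DEFAULTS.items():
        if opt not in explicit:
            report[opt] = (default, "default")
        elif explicit[opt] == default:
            report[opt] = (default, "explicit-default")
        else:
            report[opt] = (explicit[opt], "override")
    return report

# Constructed sample stanza (hypothetical, not taken from a real device).
SAMPLE = """
tcp {
    syn-flood {
        alarm-threshold 512;
        attack-threshold 200;
        timeout 20;
    }
}
"""

if __name__ == "__main__":
    for opt, (value, status) in audit_syn_flood(SAMPLE).items():
        print(f"{opt:22} {value:6} {status}")
```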
Chassis Clustering
- The JUNOS Software Security Configuration Guide for SRX-series services gateways contains incorrect information in the “Hardware Setup for SRX-series Chassis Clusters” section.
The text incorrectly says that the connection that serves as the control link must be the built-in controller port on each device. SRX 5600 and SRX 5800 devices do not contain built-in ports. Their control ports should be on corresponding Services Processing Cards (SPCs) in the two devices in the cluster, with a slot numbering offset of 6 for SRX 5600 devices and 12 for SRX 5800 devices. Also, the text incorrectly says that the fabric link connection can be a combination of any pair of Gigabit Ethernet interfaces on the devices. The fabric link connection can be a pair of Fast Ethernet or Gigabit Ethernet interfaces for SRX 210 devices and a pair of Gigabit Ethernet or 10-Gigabit Ethernet interfaces for all other SRX-series devices.
The figure showing the fabric link connection for the pair of SRX 5800 devices incorrectly shows two-port Input/Output Cards (IOCs). The IOCs have 4 ports.
- The “Setting the Node ID and Cluster ID” and “Active/Passive Chassis Cluster Scenario” sections in the JUNOS Software Security Configuration Guide incorrectly show command syntax as the following:
    set chassis cluster node 0 cluster-id 1
    set chassis cluster node 1 cluster-id 1 reboot
The command syntax should be as follows:
    set chassis cluster cluster-id 1 node 0
    set chassis cluster cluster-id 1 node 1 reboot
CLI
- The JUNOS Software CLI Reference Guide erroneously contains some content concerned with policy-based NAT configuration. This release supports only rule-based NAT configuration.
- Page 976 of the JUNOS Software CLI Reference Guide for J-series Services Routers and SRX-series Services Gateways displays the “show security alg status” title when it should display the “show security alg sip transactions” title. The information for Syntax, Release Information, Description, and Options is also incorrect. The correct information is provided below.
Syntax—show security alg sip transactions <node (node-id | all | local | primary)>
Release information—Command modified in Release 9.2 of JUNOS software; node options added in Release 9.0 of JUNOS software.
Description—Display information about Session Initiation Protocol (SIP) Application Layer Gateway (ALG) transactions.
This command is supported on J-series and SRX-series devices.
Options
- none—Display all SIP ALG transactions.
- node—(Optional) For chassis cluster configurations, display SIP transactions on a specific node (device) in the cluster.
- node-id—Identification number of the node. It can be 0 or 1.
- all—Display information about all nodes.
- local—Display information about the local node.
- primary—Display information about the primary node.
CompactFlash Card Support
- The JUNOS Software Administration Guide incorrectly states that JUNOS supports a 256-MB CompactFlash card size. JUNOS supports only 512-MB and 1024-MB CompactFlash card sizes.
Device Support
- The “Installing Software using the TFTPBoot Method on the SRX 100/SRX 210/SRX 650 Services Gateway” section and the “Administration Features on SRX 100/210/240 Services Gateways” section in the JUNOS Software Administration Guide incorrectly imply that the SRX100 device is supported. The SRX100 device is not supported in this release.
DLSw
- The JUNOS Software Interfaces and Routing Configuration Guide incorrectly states that the data link switching (DLSw) protocol is supported in this release. DLSw support ended in JUNOS Release 9.3.
Flow
The JUNOS Software CLI Reference and the JUNOS Software Security Configuration Guide state that the following aggressive aging statements are supported on SRX-series devices when in fact they are not supported on SRX 3400, 3600, 5600, and SRX 5800 devices:
- [edit security flow aging early-ageout]
- [edit security flow aging high-watermark]
- [edit security flow aging low-watermark]
Installing Software Packages
- The current SRX 210 documentation does not include the following information:
On SRX 210 devices, the /var hierarchy is hosted in a separate partition (instead of the root partition). If JUNOS software installation fails due to insufficient space:
- Use the request system storage cleanup command to delete temporary files.
- Delete any user-created files in both the root partition and under the /var hierarchy.
Intrusion Detection and Prevention (IDP)
- In the JUNOS Software Security Configuration Guide, the following information in the "Verifying the Policy Compilation and Load Status" section is incorrect:
- The text does not indicate that the log file must be created first.
- The path for the log file is incorrect.
Note the following correct information:
- Create the log file first by entering set security idp traceoptions file idpd. You can then set flags by entering set security idp traceoptions flag all.
- The correct path for the idpd log file is /var/log, not /var/db.
J-Web
- The J-Web Security Package Update help page does not have information about download status.
Screens
The following guide contains incorrect screen configuration instructions:
- JUNOS Software Design and Implementation Guide, “Implementing Firewall Deployments for Branch Offices” chapter
Related Topics
- New Features in JUNOS Software Release 9.5 for SRX-series Services Gateways
- Known Limitations in JUNOS Software Release 9.5 for SRX-series Services Gateways
- Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways
- Unsupported CLI Statements and Commands in JUNOS Software Release 9.5 for SRX-series Services Gateways