Changes in Default Behavior and Syntax
The following current system behavior, configuration statement
usage, and operational mode command usage might not yet be documented
in the JUNOS software with enhanced services documentation:
For Security
- J-series Services Routers do not support the authentication order password radius or password ldap in the edit access
profile profile-name authentication-order command. Instead, use the order radius password or ldap password.
- You can configure a USB modem interface under a security
zone even though it does not support logical units. When you add a
USB modem interface, you must add the USB modem interface and the
dialer interface to the same security zone.
- You can run the CLI command set security screen screen-name tcp port-scan without specifying the
optional threshold value. In such a case, the J-series Services Router takes
the default value, which is 5000 microseconds.
- You can run the CLI command set security screen screen-name limit-session source-ip-based without
specifying the optional source/destination session limits. In such
a case, the J-series Services Router takes the default value for the source
and destination session limits, which is 128 concurrent sessions.
- You can run the set security screen ids-option screen-name commands without specifying the optional
values. In these cases, the J-series Services Router uses the following default values:
  - set security screen ids-option screen-name tcp alarm-threshold: Default is 512 half-complete proxy
    connections.
  - set security screen ids-option screen-name tcp attack-threshold: Default is 200 SYN packets per second.
  - set security screen ids-option screen-name tcp destination-threshold: Default is 4000 SYN segments
    received for a destination IP address.
  - set security screen ids-option screen-name tcp queue-size: Default is 1024 proxy connection requests.
  - set security screen ids-option screen-name tcp source-threshold: Default is 4000 SYN segments received
    per second.
  - set security screen ids-option screen-name tcp timeout: Default is 20 seconds.
  - set security screen ids-option screen-name tcp syn-ack-ack-proxy threshold: Default is 512 connections.
  - set security screen ids-option screen-name icmp flood-threshold: Default is 1000 packets per second.
  - set security screen ids-option screen-name udp flood-threshold: Default is 1000 packets per second.
- You can run the CLI command set security screen screen-name icmp ip-sweep without specifying the
optional threshold value. In such a case, the J-series Services Router takes
the default value, which is 5000 microseconds.
- If egress filter-based forwarding (FBF) redirects
an incoming packet to a zone different from the one obtained
from the previous route lookup and flow processing, the incoming
packet is dropped.
- Some screen protection statistics relating to ICMP, TCP,
and IP are missing from show interfaces flow-statistics interface-name command output. To display this information,
use the command show security screen statistics interface interface-name instead.
- Although you can use or omit the term term-name statement to configure applications at the [applications application] hierarchy level, the methods are mutually
exclusive. Configuration information for the nonterm method is not
automatically inherited from the term configuration.
For WAN Acceleration
- Previously, the WXC Integrated Services
Module (ISM 200) was referred to in command output as wx-pim, and WAN acceleration commands used the suffix -pim. Now the WXC ISM 200 appears as ISM in command output, and the -pim suffix is no longer valid in WAN acceleration commands:
  - set system process wan-acceleration-pim is changed
    to set system process wan-acceleration.
  - restart wan-acceleration-pim is changed to restart wan-acceleration.
  - request wan-acceleration-pim login is changed
    to request wan-acceleration login.
- J-series Services Routers with a
WXC Integrated Services Module installed no longer support the negotiate-address and unnumbered-address options for
configuring the wx-slot/0/0 interface
at the [edit interfaces wx-slot/0/0 unit logical-unit-number family inet] hierarchy level.
For Licenses
- Pings between customer edge (CE) routers might fail because
all J-series Services Routers have enforced hard-licensing from this release
onwards.