New and Changed Features
This section describes new features as well as enhancements to existing features starting in Junos OS Release 18.3R1 for cSRX support.
New Features in Junos OS Release 18.3R1 for cSRX
There are no new features in Junos OS Release 18.3R1 for the cSRX.
cSRX Architecture Illustration
The cSRX Container Firewall inherits many of the branch SRX Series Junos OS features. This topic outlines the SRX series features supported by cSRX along with the features that are not applicable in a containerized environment.
SRX Series Features Supported on cSRX
Table 1 provides a high-level summary of the feature categories supported on cSRX and any feature considerations.
To determine the Junos OS features supported on cSRX, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. See Feature Explorer.
Table 1: SRX Series Features Supported on cSRX
Application Firewall (AppFW)
Application Identification (AppID)
Application Tracking (AppTrack)
Basic firewall policy
Brute force attack mitigation
CLI only. No J-Web support.
Two revenue network interfaces (eth1 and eth2).
Intrusion Detection and Prevention (IDP)
For SRX Series IPS configuration details, see:
IPv4 and IPv6
Malformed packet protection
Network Address Translation (NAT)
For SRX Series NAT configuration details, see:
Basic Layer 3 forwarding with VLANs.
Layer 2 through 3 forwarding functions: secure-wire forwarding or static routing forwarding
SYN cookie protection
For SRX Series user firewall configuration details, see:
Unified Threat Management (UTM)
For SRX Series UTM configuration details, see:
For SRX Series UTM antispam configuration details, see:
Zones and zone-based IP spoofing
SRX Series Features Not Supported on cSRX
Table 2 lists SRX Series features that are not applicable in a containerized environment, that are not currently supported, or that have qualified support on cSRX.
Table 2: SRX Series Features Not Supported on cSRX
SRX Series Feature
|Application Layer Gateways|
|Authentication with IC Series Devices|
Layer 2 enforcement in UAC deployments
Note: UAC-IDP and UAC-UTM also are not supported.
|Class of Service|
High-priority queue on SPC
|Data Plane Security Log Messages (Stream Mode)|
Flow monitoring cflowd version 9
Ping Ethernet (CFM)
Traceroute Ethernet (CFM)
|Ethernet Link Aggregation|
LACP in standalone or chassis cluster mode
Layer 3 LAG on routed ports
Static LAG in standalone or chassis cluster mode
|Ethernet Link Fault Management|
Physical interface (encapsulations)
|Flow-Based and Packet-Based Processing|
End-to-end packet debugging
Network processor bundling
Aggregated Ethernet interface
IEEE 802.1X dynamic VLAN assignment
IEEE 802.1X MAC bypass
IEEE 802.1X port-based authentication control with multisupplicant support
Interleaving using MLFR
PPPoE-based radio-to-router protocol
Promiscuous mode on interfaces
|IP Security and VPNs|
Acadia - Clientless VPN
Hardware IPsec (bulk crypto) Cavium/RMI
IPsec tunnel termination in routing instances
Multicast for AutoVPN
Suite B implementation for IPsec VPN
DS-Lite concentrator (also known as AFTR)
DS-Lite initiator (also known as B4)
|Log File Formats for System (Control Plane) Logs|
Binary format (binary)
Remote instance access
Spotlight Secure integration
CCC and TCC
Layer 2 VPNs for Ethernet connections
|Network Address Translation|
Maximize persistent NAT bindings
Note: Only supported on physical interfaces and tunnel interfaces, such as gr, ip, and st0. Packet capture is not supported on a redundant Ethernet interface (reth).
BGP extensions for IPv6
BGP route reflector
Bidirectional Forwarding Detection (BFD) for BGP
Layer 3 Q-in-Q VLAN tagging
|Unified Threat Management|
|Upgrading and Rebooting|
Boot instance configuration
Boot instance recovery
Junos Space Virtual Director
Changes in Behavior and Syntax
This section lists the changes in behavior and syntax of Junos OS features in Junos OS Release 18.3R1 for the cSRX. For the most complete and latest information about changes in command behavior and syntax applicable to all SRX Series platforms in Junos OS Release 18.3R1, see Changes in Behavior and Syntax for SRX.
Application System Cache for Application Services (SRX Series, cSRX Instances)
Starting with Junos OS 18.2R1, the default behavior of the ASC has changed as follows:
Security services such as security policies, application firewall (AppFW), Juniper Sky ATP, IDP, and UTM do not use the ASC by default.
Miscellaneous services such as APBR and AppTrack use the ASC for application identification by default.
The change in the default behavior of the ASC affects the legacy Application Firewall (AppFW) functionality. Because the ASC is disabled by default for security services starting in Junos OS Release 18.2, AppFW does not use the entries present in the ASC.
You can revert to the ASC behavior as in Junos OS releases prior to 18.2 by using the set services application-identification application-system-cache security-services command.
The SRX Series device may become susceptible to application evasion techniques if the ASC is enabled for security services. We recommend that you enable the ASC only when the performance of the device in its default configuration (disabled for security services) is not sufficient for your specific use case.
Use the following commands to enable or disable the ASC:
Enable the ASC for security services:
    user@host# set services application-identification application-system-cache security-services
Disable the ASC for miscellaneous services:
    user@host# set services application-identification application-system-cache no-miscellaneous-services
Disable the enabled ASC for security services:
    user@host# delete services application-identification application-system-cache security-services
Enable the disabled ASC for miscellaneous services:
    user@host# delete services application-identification application-system-cache no-miscellaneous-services
You can use the show services application-identification application-system-cache command to verify the status of the ASC.
The following sample output provides the status of the ASC:
user@host> show services application-identification application-system-cache
Application System Cache Configurations:
    application-cache: on
    Cache lookup for security-services: off
    Cache lookup for miscellaneous-services: on
    cache-entry-timeout: 3600 seconds
For Junos OS releases prior to 18.2R1, application caching is turned on by default. You can manually turn this caching off using the CLI.
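The following is an added example, not part of the Juniper release notes: a small audit script that parses the show command output above and flags the case the notes warn about (ASC lookups enabled for security services). It also derives the effective ASC state from set statements using the 18.2R1 and later defaults. The function names, the sample text, and the assumption that the device prints one field per line are this example's own.

```python
# Added example: audit ASC settings on an SRX/cSRX from saved CLI text.
# Field names are taken from the sample output in these release notes;
# the one-field-per-line layout is an assumption.

# Constructed sample, modelled on the output shown above.
SAMPLE_OUTPUT = """\
Application System Cache Configurations:
    application-cache: on
    Cache lookup for security-services: off
    Cache lookup for miscellaneous-services: on
    cache-entry-timeout: 3600 seconds
"""

ASC_STMT = "set services application-identification application-system-cache"


def parse_asc_status(text):
    """Turn 'key: value' lines of the show output into a dict."""
    status = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and value:  # skips the heading line, which has no value
            status[key] = value.strip()
    return status


def effective_asc(config_lines):
    """Effective ASC usage from 'set' lines, with 18.2R1+ defaults:
    off for security services, on for miscellaneous services."""
    stmts = {line.strip() for line in config_lines}
    return {
        "security-services": f"{ASC_STMT} security-services" in stmts,
        "miscellaneous-services":
            f"{ASC_STMT} no-miscellaneous-services" not in stmts,
    }


def audit(text):
    """Return findings for the setting the release notes caution against."""
    status = parse_asc_status(text)
    findings = []
    if status.get("Cache lookup for security-services") == "on":
        findings.append("ASC enabled for security services: "
                        "device may be susceptible to application evasion")
    return findings
```
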