
New and Changed Features

This section describes the new features and enhancements to existing features in Junos Space Security Director Release 17.1R1.

  • VMware NSX integration—VMware NSX is a network virtualization product owned by VMware. It integrates with vCenter server and provides users the ability to create and manage logical networks without modifying the underlying physical network. NSX supports the distributed firewall architecture. The VMware distributed firewall currently supports only the basic firewall features such as Layer 2, Layer 3, and Layer 4. It does not provide advanced Layer 4 through Layer 7 security services, which are critical to provide complete protection in a software-defined data center (SDDC) environment.

    You can now add a vSRX virtual security appliance as a partner security service in the VMware NSX environment. The vSRX works in conjunction with Junos Space Security Director and VMware NSX Manager to deliver a complete and integrated virtual security solution for your SDDC environment. The vSRX provides advanced security services, including IPS and application control and visibility services through AppSecure.

  • Custom application signatures—Application Identification supports defining your own custom application signatures and signature groups. Custom application signatures are unique to your environment and are not part of the predefined application package when you install them into the device. The custom application signatures are pushed to the device when you publish or update, and you can subsequently use them only in application firewall policy rules.

    You can import the custom application signatures from a device and also push the created custom application signatures to a device, by using the publish and update workflow. The custom application signatures are supported in Junos OS Release 15.1X49.D40 and later.

  • Packet Capture—You can use the Packet Capture tool to download the attack packets captured by SRX Series devices and analyze them externally using tools such as Wireshark, tcpdump, and tshark. The tool captures real-time data packets traveling over the network for monitoring and logging purposes, which enables you to analyze network traffic and troubleshoot network problems. You must configure the SRX Series device to send the attack packets to the Junos Space Network Management Platform.

    Based on a preconfigured set of rules, SRX Series devices classify packets as normal or as an attack. When there is an attack, an SRX Series device sends the attack packets to the Junos Space Network Management Platform, which runs a load balancer bound to a virtual IP.

    Note: Packet Capture is applicable only for intrusion prevention system (IPS) packets.

  • Captive portal support for unauthenticated browser users—The SRX Series device now presents the user with a captive portal interface to enable users to be authenticated when they request access to an SRX Series protected resource, using an HTTP or HTTPS browser.

    Junos Space Security Director supports the Auth Only Browser and Auth User Agent parameters to give you greater control over how HTTP or HTTPS traffic is handled.

  • IKE path fragmentation—IKEv2 message fragmentation allows IKEv2 to operate in environments where IP fragments might be blocked and peers would not be able to establish an IPsec security association (SA). The IKEv2 fragmentation splits a large IKEv2 message into a set of smaller ones so that there is no fragmentation at the IP level.
  • Advanced user identities query support—You can query for advanced user identities from Juniper Identity Management Service (JIMS). JIMS provides a robust and scalable user identification and IP address mapping implementation that includes endpoint context and machine ID. JIMS collects advanced user identities from different authentication sources for SRX Series devices.

    Junos Space Security Director is used to push the JIMS configuration to SRX Series devices to help them query JIMS to obtain IP address or user mapping and device information. SRX Series devices generate the authentication entries for the user firewall. However, SRX Series firewall authentication can also push the authentication entries to JIMS.

  • ECDHE cipher suite support for SSL forward proxy—Security Director provides an option to configure the following SSL Forward Proxy ciphers for the devices running Junos OS Release 15.1X49-D100.

    Elliptic Curve Diffie-Hellman Exchange (ECDHE) cipher suites are supported to enable perfect forward secrecy on an SSL forward proxy. The SSL forward proxy still uses RSA for authentication. However, it uses ECDH ephemeral key exchange to agree on a shared secret.

    The following ECDHE cipher suites are supported:

    • ECDHE-RSA-WITH-AES-256-GCM-SHA384
    • ECDHE-RSA-WITH-AES-256-CBC-SHA384
    • ECDHE-RSA-WITH-AES-256-CBC-SHA
    • ECDHE-RSA-WITH-AES-3DES-EDE-CBC-SHA
    • ECDHE-RSA-WITH-AES-128-GCM-SHA256
    • ECDHE-RSA-WITH-AES-128-CBC-SHA256
    • ECDHE-RSA-WITH-AES-128-CBC-SHA
  • Change control workflow—The Change Control workflow enables you to request an approval for a change to a firewall or a NAT policy. The system tracks dependencies across change requests and makes these dependencies and change requests visible to the firewall administrator.

    The change control workflow provides the following benefits:

    • Direct correlation between a change ticket ID and its details and the associated firewall or NAT policy.
    • Policies that are modified within an activity (or configuration session) are locked and cannot be modified within other activities. This prevents conflicting changes that could make a policy unstable.
    • Activities are tracked within the workflow. You can use this information to determine what changes were made and who made the changes.
    • Change requests can be approved and deployed to the network irrespective of the order in which they are created.
  • Aruba ClearPass in device configuration—You can configure Aruba ClearPass as the authentication source for the integrated ClearPass authentication and enforcement feature. The SRX Series device and Aruba ClearPass collaborate to protect your network resources by enforcing security at the user identity level and controlling user access to the Internet.
  • Reporting enhancements—The following predefined reports are added:
    • Antivirus—Consolidated statistics related to all antivirus events.
    • URL Report—Consolidated statistics related to all the URL events.
    • Application and User Usage—Statistics related to the bandwidth usage by applications and users.
    • Threat Report—Statistics related to top threats identified through IDP, Antivirus, Antispam, Screen, and Device Authentication failure events.
  • Additional dashboard widgets—The following new dashboard widgets are available:
    • Application Top Application by Volume—Top applications based on volume or bandwidth.
    • IP Top Source IPs by Volume—Top source IP addresses of the network traffic by volume or bandwidth.
    • IP Top Spams By Source IPs—Top source IP addresses for spam.
    • Web Filtering Top Blocked Websites—Blocked websites, sorted by count.
    • Virus Top Blocked—Displays blocked viruses, sorted by count.
    • IP Top Source IPs by Sessions—Displays top source IP addresses of the network traffic by sessions.
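
For the ECDHE cipher suite list under SSL forward proxy above, this added example (not part of the release notes or of any Juniper tooling) parses each suite name exactly as printed on this page and orders the suites by general TLS guidance. The `parse_suite` and `rank` helpers and the finding texts are assumptions of this example, and the parser also accepts non-ECDHE names, which goes beyond the list.

```python
from dataclasses import dataclass

# Suite names copied verbatim from the list in these release notes.
SUITES = [
    "ECDHE-RSA-WITH-AES-256-GCM-SHA384",
    "ECDHE-RSA-WITH-AES-256-CBC-SHA384",
    "ECDHE-RSA-WITH-AES-256-CBC-SHA",
    "ECDHE-RSA-WITH-AES-3DES-EDE-CBC-SHA",
    "ECDHE-RSA-WITH-AES-128-GCM-SHA256",
    "ECDHE-RSA-WITH-AES-128-CBC-SHA256",
    "ECDHE-RSA-WITH-AES-128-CBC-SHA",
]

@dataclass
class Suite:
    name: str
    key_exchange: str
    auth: str
    cipher: str
    mode: str
    mac: str        # record MAC hash (CBC) or PRF hash (GCM)
    findings: list  # general TLS guidance, not Juniper recommendations

def parse_suite(name):
    left, sep, right = name.upper().partition("-WITH-")
    if not sep or not right:
        raise ValueError(f"unrecognised suite name: {name}")
    kx, _, auth = left.partition("-")
    auth = auth or kx  # e.g. "RSA-WITH-..." uses RSA for both roles
    parts = right.split("-")
    mode = next((m for m in ("GCM", "CBC") if m in parts), "UNKNOWN")
    bits = next((p for p in parts if p.isdigit()), "?")
    cipher = "3DES" if "3DES" in parts else f"{parts[0]}-{bits}"
    findings = []
    if kx not in ("ECDHE", "DHE"):
        findings.append("static key exchange: no forward secrecy")
    if cipher == "3DES":
        findings.append("64-bit block cipher (Sweet32)")
    if mode == "CBC":
        findings.append("CBC mode: MAC-then-encrypt, padding-oracle history")
        if parts[-1] == "SHA":
            findings.append("HMAC-SHA1 record MAC (legacy)")
    return Suite(name, kx, auth, cipher, mode, parts[-1], findings)

def rank(names):
    """Fewest findings first; AES-256 ahead of other ciphers on a tie."""
    parsed = [parse_suite(n) for n in names]
    return sorted(parsed, key=lambda s: (len(s.findings), s.cipher != "AES-256"))

if __name__ == "__main__":
    for s in rank(SUITES):
        print(f"{s.name:38} {'; '.join(s.findings) or 'AEAD, no findings'}")
```
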

Modified: 2017-08-01