
New and Changed Features

The following features have been added to Junos OS Release 12.1X46. Following the description is the title of the manual or manuals to consult for further information.

Note: For the latest updates about support and issues on Junos Pulse, see the Release 12.1X46-D15 Software Features.

Release 12.1X46-D55 Software Features

Interfaces

  • G.993.5 Vectoring support for VDSL modules on SRX Series devices—Starting with Junos OS Release 12.1X46-D55, firmware version v2.16.0 is available for SRX-MP-1VDSL-A to support VDSL vectoring. Vectoring on VDSL reduces crosstalk and increases network bandwidth.

    [For more information, see Upgrading the VDSL PIC Firmware in the Junos OS Release 15.1X49-D50 Feature Guide. PDF Document]

Release 12.1X46-D30 Software Features

Application Layer Gateways (ALGs)

  • MS-RPC ALG and Sun RPC ALG map table scaling for SRX Series devices—Starting with Junos OS Release 12.1X46-D30, the MS-RPC ALG and Sun RPC ALG dynamically allocate new mapping entries instead of using a default size (512 entries). They also offer a flexible time-based RPC mapping entry that removes the mapping entry (auto-clean) without affecting the associated active RPC sessions, including both the control session and the data session.

    [See RPC ALG Feature Guide for Security Devices.]

Release 12.1X46-D25 Software Features

General Packet Radio Service Feature Guide for Security Devices

  • GTP GSN Table Ager [High-end SRX Series]—One SRX Series device supports a total of 36,000 GSN entries, each of which was saved permanently prior to this release. To prevent GSN entry exhaustion caused by frequent short-time roaming among countries, visiting GSNs are recorded when subscribers access the home GPRS core network from visiting countries. These entries are not deleted when the subscribers return home, but no further traffic is passed. The GTP GSN table ager causes the idling GSN entries to time out, preventing inactive GSNs from taking up too much space.

    [See the “General Packet Radio Service” section in the Junos OS 12.1X46-D25 Feature Guide.]

TCP/TLS support for real-time logging

  • TCP/TLS support for real-time logging [High-end SRX Series]—Starting in Junos OS Release 12.1X46-D25, a secure mechanism, enabled through a plug-in during system initialization, encrypts and transports dataplane syslog messages to TLS-capable syslog receivers (such as the Juniper Networks STRM or a standards-based third-party device) over TCP. The SPU generates the log data. By default, port 514 is used for TCP logging and port 6514 is used for TLS logging. The device acts as the log client and initiates the TCP/TLS connection to the log server.

    [See the “Syslog Messages” section in the Junos OS 12.1X46-D25 Release Feature Guide.]

Release 12.1X46-D20 Software Features

Chassis Cluster

  • Autorecovery of fabric link [SRX Series]—The fabric link feature supports autorecovery, which includes the following enhancements:
    • Fabric monitoring feature is enabled by default on high-end SRX Series, and hence recovery of fabric link and synchronization takes place automatically.
    • If the fabric link goes down, RG1+ becomes ineligible on either the secondary node or the node with failures, by default. The node remains in this state until the fabric link comes up or the other node goes away.
    • If the fabric link goes down followed by the control link, then after approximately 66 seconds the secondary node (or the node with failures) assumes that the remote node is dead and takes over as the primary node.

    [See Understanding Chassis Cluster Fabric Links.]

  • Enhanced debugging support for chassis cluster [SRX Series]—The chassis cluster debugging functionality has the following enhancements:
    • The show chassis cluster status command output includes failure reasons (acronyms and their expansions) when the redundancy group's priority is zero.
    • Cleaner jsrpd process includes removing unwanted logs and moving the debug log message from level LOG_INFO to LOG_DEBUG.
    • The show chassis cluster information command output displays redundancy group, LED, and monitored failure details.
    • SNMP traps send messages when a node's weight goes down and also when it recovers.
    • The show chassis cluster ip-monitoring command output displays both the global threshold and the current threshold of each node and displays the weight of each monitored IP address.
    • A syslog message appears when the control link goes down.

    [See show chassis cluster ip-monitoring status.]

Public Key Infrastructure (PKI)

  • Online Certificate Status Protocol (OCSP) [SRX Series]—OCSP, like CRL, checks the revocation status of X509 certificates. Requests are sent to the OCSP server(s) configured in a CA profile with the ocsp url statement at the [edit security pki ca-profile profile-name revocation-check] hierarchy level. The use-ocsp option must also be configured. If there is no response from the OCSP server, the request is then sent to the location specified in the certificate's AuthorityInfoAccess extension.

    [See the “Public Key Infrastructure (PKI)” section in the Junos OS 12.1X46-D20 Feature Guide PDF Document.]
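    The OCSP configuration described above, as an added example (not from the release notes). The CA profile name, the CA identity, and the responder URL are placeholders, and the OCSP statements sit at the hierarchy level named in the text:

```junos
## Added example: CA profile that checks revocation through OCSP.
## example-ca and http://ocsp.example.net/ are placeholders.
set security pki ca-profile example-ca ca-identity example-ca
set security pki ca-profile example-ca revocation-check use-ocsp
set security pki ca-profile example-ca revocation-check ocsp url http://ocsp.example.net/

## Verify the CA certificate through this profile; the verification exercises
## the revocation check against the configured responder.
request security pki ca-certificate verify ca-profile example-ca
show security pki ca-certificate ca-profile example-ca detail
```

    If the configured responder does not answer, the check falls back to the AuthorityInfoAccess URL carried in the certificate being validated, so the peer's certificates need a reachable AIA entry for the fallback to help; a certificate whose responder is unreachable and whose AIA is absent or blocked cannot be confirmed as unrevoked.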

Routing Protocols

  • OSPFv3 IPsec authentication and confidentiality [SRX Series]—OSPF for IPv6, also known as OSPF version 3 (OSPFv3), does not have built-in authentication to ensure that routing packets are not altered and re-sent to the router. In Junos OS Release 12.1X46-D20, IPsec can be used to secure OSPFv3 interfaces and virtual links and provide encryption for OSPF packets.

    To configure IPsec for OSPF/OSPFv3, define a security association (SA) with the security-association sa-name configuration option at the [edit security ipsec] hierarchy level. The configured SA is then applied to the OSPF/OSPFv3 interface or virtual link configuration.

    [See the “Routing Protocols” section in the Junos OS 12.1X46-D20 Feature Guide PDF Document.]
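    The two steps above (define the SA, then apply it to the OSPFv3 interface) as an added example that is not part of the release notes. The SA name, SPI, keys, interface and area are placeholders, and the neighbouring router must carry the same SA (same SPI, algorithms and keys) for adjacency to form:

```junos
## Added example: manual transport-mode ESP SA providing both authentication
## and confidentiality for OSPFv3 on one interface. All names and keys are
## placeholders; replace the keys with 20-character (SHA-1) and 16-character
## (AES-128) secrets of your own.
set security ipsec security-association ospf3-sa mode transport
set security ipsec security-association ospf3-sa manual direction bidirectional protocol esp
set security ipsec security-association ospf3-sa manual direction bidirectional spi 256
set security ipsec security-association ospf3-sa manual direction bidirectional authentication algorithm hmac-sha1-96
set security ipsec security-association ospf3-sa manual direction bidirectional authentication key ascii-text "REPLACE-WITH-20-CHAR-KEY"
set security ipsec security-association ospf3-sa manual direction bidirectional encryption algorithm aes-128-cbc
set security ipsec security-association ospf3-sa manual direction bidirectional encryption key ascii-text "REPLACE-WITH-16-CHAR-KEY"

## Apply the SA to the OSPFv3 interface; the same ipsec-sa statement applies
## under a virtual-link.
set protocols ospf3 area 0.0.0.0 interface ge-0/0/0.0 ipsec-sa ospf3-sa

## Checks: the interface should report the SA, and the neighbor should reach Full.
show ospf3 interface ge-0/0/0.0 detail
show ospf3 neighbor
```

    Because the SA is manual, the keys never rotate on their own; treat them like any other long-lived shared secret and change them on both routers together.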

Unified Threat Management (UTM)

  • UTM on next-generation SPC [SRX5400, SRX5600 and SRX5800]—This feature provides support for UTM features, including Sophos antivirus, content filtering, antispam, and enhanced Web filtering on next-generation SPCs.
  • UTM license enforcement [SRX Series]—License enforcement is supported for UTM features, including Sophos antivirus, enhanced Web filtering, and antispam filtering on all high-end SRX Series devices in addition to branch SRX Series devices. You can add or remove UTM licenses on SRX Series devices. Each feature license is tied to exactly one software feature and is valid for exactly one device.

    Table 10 lists the license modules and the license names.

    Table 10: UTM License Information

    UTM Module    License Name
    ----------    --------------------
    SAV           av_key_sophos_engine
    AS            anti_spam_key_sbl
    EWF           wf_key_websense_ewf

    On branch SRX Series devices, after you install the license and reboot the device, the device reserves more memory for UTM features, and hence decreases the session capacity. Use the set security forwarding-process application-services enable-utm-memory command to manually reallocate the memory for UTM features. You must reboot the device for the configuration to take effect.

    [See the “UTM” section in the Junos OS 12.1X46-D20 Feature Guide PDF Document.]

    [See License Enforcement.]

Virtual Private Networks (VPNs)

  • HMAC-SHA-256-128 authentication [High-end SRX Series]—Starting with Junos OS Release 12.1X46-D20, HMAC-SHA-256-128 authentication is supported for IPsec proposals and manual security associations on high-end SRX Series devices. You can specify the hmac-sha-256-128 option at the [edit security ipsec proposal proposal-name] and the [edit security ipsec vpn vpn-name manual] hierarchy levels.

    [See the “VPNs” section in the Junos OS 12.1X46-D20 Feature Guide PDF Document.]

Release 12.1X46-D15 Software Features

Routing Protocols

  • OSPFv2 support [High-end SRX Series]—OSPFv2 interfaces are supported on nonbroadcast multiaccess (NBMA) networks and point-to-point access networks on high-end SRX Series devices.

    When you configure OSPFv2 on an NBMA network, OSPFv2 operates by default in point-to-multipoint mode. In this mode, OSPFv2 treats the network as a set of point-to-point links. Because there is no autodiscovery mechanism, you must configure each neighbor.

    An NBMA interface behaves similarly to a point-to-multipoint interface but requires election and operation of a designated router and a backup designated router.

    Use the following CLI commands to configure an OSPFv2 interface on an NBMA or a point-to-multipoint network:

    • set protocols ospf area area-number interface interface-name neighbor address-of-neighbor
    • set protocols ospf area area-number interface interface-name interface-type interface-type (nbma or p2mp)

    [See the “Routing Protocols” section in the Junos OS 12.1X46-D15 Feature Guide PDF Document.]

Release 12.1X46-D10 Software Features

Application Layer Gateways (ALGs)

  • ALG message buffer optimization—Starting in Junos OS Release 12.1X46-D10, the ALG message buffer optimization feature is enhanced to reduce high memory consumption. This feature is supported on all SRX Series and J Series devices.

    A message buffer is allocated only when the packet is ready to process. The buffer is freed after the packet completes ALG handling, including modifying the payload, performing NAT, opening a pinhole for a new connection between a client and a server, and transferring data between a client and a server located on opposite sides of a Juniper Networks device.

    This feature has the following enhancements:

    • Unnecessary objcache buffering is avoided, resulting in low memory utilization.
    • jbuf manipulation is used to simplify the message buffer logic.
    • Full-fledged message buffer support for ALG line breaker is more flexible.
    • ALG Manager and ALG plug-in logic clarity are optimized.

    [See alg-manager.]

  • IPv6 support for PPTP ALG—Starting with Junos OS Release 12.1X46, this feature is supported on all SRX Series devices.

    PPTP ALG provides an ALG for the Point-to-Point Tunneling Protocol (PPTP). The PPTP is a Layer 2 protocol that tunnels PPP data across TCP/IP networks. The PPTP client is freely available on Windows systems and popularly applied on Linux systems; it is widely deployed for building VPNs.

    To support IPv6, the PPTP ALG parses both IPv4 and IPv6 PPTP packets, performs NAT, and then opens a pinhole for the data tunnel. The flow module supports IPv6 to parse the GRE packet and use the GRE call ID as fake port information to search the session table and gate table.

    [See PPTP ALG Feature Guide for Security Devices.]

  • IPv6 support for RTSP ALG—This feature is supported on all SRX Series and J Series devices.

    RTSP (Real-Time Streaming Protocol) is an Application Layer protocol for controlling the delivery of data with real-time properties. The RTSP ALG accesses existing media files over the network and controls the replay of the media.

    Starting with Junos OS Release 12.1X46-D10, IPv6 is supported on the RTSP ALG along with NAT-PT mode and NAT64 address translation.

    This feature enables the RTSP ALG to parse IPv6 RTSP packets, open an IPv6 pattern pinhole, and translate the Layer 7 IPv6 address according to the NAT configuration. IPv6 RTSP transactions can also pass through under a permit policy and under NAT-PT and NAT64.

    [See SIP RTSP ALG Feature Guide for Security Devices.]

  • IPv6 support for SIP ALG—This feature is supported on all SRX Series and J Series devices.

    Starting with Junos OS Release 12.1X46-D10, IPv6 is supported on the SIP ALG along with NAT-PT mode and NAT64 address translation.

    The SIP ALG processes the IPv6 address in the same way it processes the IPv4 address for updating the payload if NAT is configured and opening pinholes for future traffic.

    NAT-PT is implemented by normal NAT from an IPv6 address to an IPv4 address and vice versa. The SIP ALG translates those addresses in the payload just as it does for normal NAT.

    NAT64 is a mechanism to allow IPv6 hosts to communicate with IPv4 servers. NAT64 is required to keep the IPv6 to IPv4 address mapping.

    Previously Session Traversal Utilities for NAT (STUN) worked without the SIP ALG. This means that the SIP ALG was not involved when persistent NAT was configured.

    Starting with Junos OS Release 12.1X46-D10, STUN can coexist with the SIP ALG and SIP ALG is involved when persistent NAT is configured.

    [See SIP ALG Feature Guide for Security Devices.]

Chassis Cluster

  • Chassis cluster—Starting in Junos OS Release 12.1X46-D10, the SRX5K-MPC adds support for using 40-Gigabit Ethernet and 100-Gigabit Ethernet ports as chassis cluster fabric ports. This feature is supported on the SRX5400, SRX5600, and SRX5800. This enhancement saves an additional chassis slot and also improves chassis cluster fabric link performance. In addition, you can use a 10-Gigabit Ethernet port on the SRX5K-MPC as a fabric port when a 10x10GE MIC is installed on it.

    [See Understanding Chassis Cluster Fabric Links.]

Dynamic Host Configuration Protocol (DHCP)

  • DHCP relay—Starting in Junos OS Release 12.1X46-D10, this feature is supported on all high-end SRX Series devices.

    The existing DHCP relay feature has been enhanced to include support for high-end SRX Series devices along with chassis cluster support.

    You can configure DHCP relay options on the device and enable the device to function as a DHCP relay agent. A DHCP relay agent forwards DHCP request and reply packets between a DHCP client and a DHCP server.

    To configure the DHCP relay agent on the device, include the dhcp-relay statement at the [edit forwarding-options] hierarchy level.

    [See Understanding DHCP Relay Agent Operation.]
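    The dhcp-relay configuration named above, as an added example that is not from the release notes. Server addresses, group names and the interface are placeholders; the zone statement is an assumption about how the relay's own DHCP traffic is admitted on a security device:

```junos
## Added example: DHCP relay agent forwarding client requests from ge-0/0/1.0
## to two DHCP servers. Addresses and names are placeholders.
set forwarding-options dhcp-relay server-group corp-dhcp 192.0.2.10
set forwarding-options dhcp-relay server-group corp-dhcp 192.0.2.11
set forwarding-options dhcp-relay active-server-group corp-dhcp
set forwarding-options dhcp-relay group client-vlans interface ge-0/0/1.0

## Assumption: the relay must be allowed to receive DHCP on the client-facing
## interface, which on an SRX means permitting it as a host-inbound system service.
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp

## Checks: bindings relayed so far and per-interface counters.
show dhcp relay binding
show dhcp relay statistics
```

    Listing two servers in the group gives the relay a second target if the first does not answer; keep the server list to hosts you control, because clients accept whatever the relayed replies say.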

Flow and Processing

  • Enhanced IPv6 support for the screen feature—This feature is supported on all high-end SRX Series devices.

    IPv6 support is extended for the following screen features:

    • IPv6 extension header checking and filtering
    • IPv6 packet header checking and filtering
    • ICMPv6 checking and filtering

    New statements and commands allow you to configure these enhancements using security zones similar to previous screen configurations. You can enable, disable, and update screens to drop packets, create logs, and provide increased statistics for IPv6 traffic.

    Note: By default, IPv6 packets bypass the screen feature.

    [See Understanding IPv6 Support for Screens.]

  • Enhancements to flow trace options—This feature is supported on all high-end SRX Series devices.

    Starting in Junos OS Release 12.1X46-D10, flow trace granularity has been enhanced to filter logs effectively. As a result you can access relevant trace messages easily and avoid large traces that slow down your system. You can set the level of message you want displayed by using the new trace-level statement at the [edit security flow traceoptions] hierarchy level. And, use new flags to trace additional operations such as fragmentation, high availability, multicast, session, tunnel, and route.

    [See traceoptions (Security Flow).]

  • Monitoring flow sessions—This feature is supported on all high-end SRX Series devices.

    Beginning with Junos OS Release 12.1X46-D10, you can monitor flow using filters that match different criteria (such as source and destination addresses). New operational mode commands monitor security flow filter and monitor security flow file have been added. These commands allow you to debug without having to commit or modify your running configuration. Previously, you were required to commit the configuration to turn on trace options, which could possibly change the state of your device.

    [See Monitoring Security Flow Sessions Overview.]
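    The two debugging paths described in the last two items (configured trace options with the new trace-level statement, and the operational-mode monitor that needs no commit), as an added example that is not part of the release notes. Prefixes, file names, the flag and trace-level values, and the monitor file options are placeholders or assumptions:

```junos
## Added example: two ways to look at flow processing on a high-end SRX.
## Addresses, file names and interface names are placeholders.

## (a) Configured trace (requires a commit). A packet filter and the
## trace-level statement keep the trace small; 'session' is one of the new
## flags named above, and 'detail' is an assumed trace-level value.
set security flow traceoptions file flow-trace size 10m files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions flag session
set security flow traceoptions trace-level detail
set security flow traceoptions packet-filter pf1 source-prefix 10.1.1.10/32
set security flow traceoptions packet-filter pf1 destination-prefix 10.2.2.20/32
commit

## (b) Operational-mode monitor: no commit and no change to the running
## configuration. The size/files options on the monitor file are assumptions.
monitor security flow filter client-to-server source-prefix 10.1.1.10/32 destination-prefix 10.2.2.20/32
monitor security flow file flow-monitor.log size 10m files 3
monitor security flow start
## ... reproduce the problem ...
monitor security flow stop
show log flow-monitor.log
```

    Prefer path (b) on a production device: it leaves no trace configuration behind that could be forgotten and keep writing to flash, and it does not require the change-control step that a commit implies.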

General Packet Radio Service (GPRS)

  • NAT for GPRS tunneling protocol (GTP)—Starting in Junos OS Release 12.1X46-D10, static NAT for GTP packets is supported on all high-end SRX Series devices.

    This feature has the following enhancements:

    • For GTP, control (GTP-C), as part of the GPRS IP address negotiation, embedded IP addresses are included in the packet data protocol (PDP) context request or response messages.
    • For GTP, user plane (GTP-U), GTP-U carries encapsulated user payload in an IP packet. When NAT is enabled, only the outer IP packet needs to be translated; the embedded IP addresses are not translated.

    [See Understanding GTP-U Inspection.]

  • GTP unified in-service software upgrade support (ISSU)—Junos OS Release 12.1X46-D10 adds support for unified ISSU on the GPRS tunneling protocol (GTP). This feature is supported on all high-end SRX Series devices.

    GTP supports unified ISSU between two SRX Series devices running two different Junos OS releases. Unified ISSU is applied on a chassis cluster, enabling a software upgrade between two different Junos OS releases with no disruption on the control plane and with minimal disruption of traffic.

    [See Understanding GTP-U Inspection.]

Interfaces and Routing

  • Link aggregation—Starting in Junos OS Release 12.1X46-D10, the SRX5K-MPC supports the LAG and LACP features on the SRX5400, SRX5600, and SRX5800.

    The following LAG and LACP features are supported:

    • Increases bandwidth, provides graceful degradation as failure occurs, and increases availability.
    • Provides network redundancy by load-balancing traffic across all available links. If one of the links should fail, the system automatically load-balances traffic across all remaining links.
    • Enables automatic addition and deletion of individual links to the aggregate bundle without user intervention.
    • Provides link monitoring to check whether both ends of the bundle are connected to the correct group, enables or disables link protection, configures the LACP interval, and supports centralized and distributed modes.

    [See LAG and LACP Support on the SRX5000 Module Port Concentrator.]

    [See Understanding Aggregated Ethernet Interfaces.]

IP Spoofing

  • IP spoofing in transparent mode—Starting in Junos OS Release 12.1X46-D10, this feature is supported on all high-end SRX Series devices.

    The IP spoofing feature has been enhanced to include Layer 2 transparent mode support. IP spoofing is most frequently used in denial-of-service attacks. In an IP spoofing attack, the attacker gains access to a restricted area of the network and inserts a false source address in the packet header to make the packet appear to come from a trusted source. When SRX Series devices are operating in transparent mode, the IP spoof-checking mechanism makes use of address book entries.

    Note: IP spoofing in Layer 2 transparent mode does not support DNS and wildcard addresses.

    [See Understanding IP Spoofing in Layer 2 Transparent Mode.]
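    The address-book-based spoof check described above, as an added example that is not from the release notes. It assumes the device is already in Layer 2 transparent mode; the address book, zone, screen and prefix names are placeholders, and note that (per the note above) the address entries must be plain prefixes, not DNS names or wildcards:

```junos
## Added example: IP spoofing screen on a transparent-mode SRX.
## In transparent mode the check is driven by the address book attached to
## the zone, so the hosts legitimately behind ge-0/0/1.0 are listed there.
## Names and prefixes are placeholders.
set security address-book trust-book address lan-hosts 10.10.0.0/16
set security address-book trust-book attach zone trust

## Screen with the spoofing check, applied to the zone where packets enter.
set security screen ids-option spoof-screen ip spoofing
set security zones security-zone trust screen spoof-screen
set security zones security-zone trust interfaces ge-0/0/1.0

## Checks: the screen options in effect, and drop counters for the zone.
show security screen ids-option spoof-screen
show security screen statistics zone trust
```

    A rising spoofing counter for a zone is worth an alert on its own: it means packets arrived on that zone whose source address does not belong to the address book behind it.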

J-Web

  • Management support for NAT options—Starting in Junos OS Release 12.1X46-D10, support is provided to monitor the following NAT options on all SRX Series devices:
    • Utilization for all source pools
    • Successful, failed, and current sessions for source pools, source rules, destination rules, and static rules
    • Source addresses and source ports for static rules
    • Source ports for source rules
  • Support is provided to configure the following NAT options on all SRX Series devices:
    • Source address and port as match criteria for static rules
    • Source port as match criteria for source rules
    • Upper and lower thresholds at which an SNMP trap is triggered for source rules and pools, destination rules, and static rules
  • User Firewall J-Web support
    • Source identity-based firewall policy—Starting in Junos OS Release 12.1X46-D10, this feature is supported on the existing Firewall Policies Configuration and Monitoring Policies pages on all high-end SRX Series devices. This feature allows you to configure and monitor source identities in a firewall policy.
    • Configure firewall authentication integrated with user firewall—Starting in Junos OS Release 12.1X46-D10, this feature is supported on all high-end SRX Series devices. You use this feature by specifying the access profile and SSL termination profile.
    • New J-Web pages for user firewall—Starting in Junos OS Release 12.1X46-D10, new user firewall pages are supported on all high-end SRX Series devices.

      The following webpages have been added to the J-Web user interface:

      • Authentication Priority Configuration Page—You can either disable an optional authentication source or reassign a unique priority to it.
      • Local Authentication Configuration Page and Local Authentication Monitoring Page—You can configure and monitor local Firewall authentication.
      • UAC Settings Configuration Page and UAC Authentication Monitoring Page—You can configure UAC and monitor UAC authentication.
  • Allow adding a new policy and moving an existing policy to an arbitrary location
    • Firewall Policies Configuration Page Options—Starting in Junos OS Release 12.1X46-D10, several new options on the Firewall Policies Configuration page are supported on high-end SRX Series devices. The Add menu includes Add before and Add after options that allow you to add a new policy before or after a selected policy. On the Move menu, there is a new Move to option that allows you to specify a target location. You can also drag and drop a policy to the target location.
    • Checking Policies Monitoring Page—Starting in Junos OS Release 12.1X46-D10, the Move to option on the Checking Policies Monitoring page is supported on high-end SRX Series devices.

Management Information Bases (MIBs)

  • SNMP aggregation for policy MIBs—Starting in Junos OS Release 12.1X46-D10, this feature is supported on all SRX Series devices.

    A set of systemwide policy statistics such as policy-allowed packets, bytes and rates, policy-dropped packets, bytes and rates, and policy flows allowed and rate statistics have been added in the enterprise-specific policy MIB JUNIPER-JS-POLICY-MIB. You can obtain the policy statistics by using the SNMP agent or the CLI operational mode commands. Use the following CLI commands to set, clear, and display the systemwide policy statistics:

    • set security policies policy-stats system-wide <disable | enable>—Configures systemwide policy statistics. Disabled by default.
    • clear security policies statistics—Clears the systemwide policy statistics.
    • show snmp mib walk jnxJsPolicySystemStats—Displays both IPv4 and IPv6 statistics.
    • show snmp mib walk jnxJsPolicySystemStatsIPv4—Displays only IPv4 statistics.

    [See Policy Objects MIB.]

Modular Interface Cards

SRX5600 and SRX5800 Services Gateway MPC Software Features—The SRX5K-MPC is a Modular Port Concentrator (MPC) that is supported on the SRX5400, SRX5600, and SRX5800.

The following features are supported on the SRX5K-MPC:

  • Load balancing among SPUs using hash-based forwarding

    Note: When the SRX5K-MPC is installed on SRX5600 and SRX5800 devices, the default session distribution mode is set to hash-based distribution mode on the devices. The hash-based distribution mode is the only mode supported on the SRX5K-MPC.

  • Filtering support
  • Filter-based forwarding at logical interfaces of revenue ports, firewall filter applied at loopback interface of chassis, policer applied at loopback interface of chassis
  • Interface ingress policing
  • Following types of threshold-based flood protection:
    • UDP-based flood protection
    • ICMP-based flood protection
    • TCP source-based SYN flood protection
    • TCP destination-based SYN flood protection

Stream Control Transmission Protocol (SCTP)

  • SCTP payload protocol blocking—Starting in Junos OS Release 12.1X46-D10, the permit traffic configuration is added to allow all types of payload protocol traffic. This feature is supported on all high-end SRX Series devices. This feature has the following enhancements:
    • The default behavior for SCTP payload protocol traffic was permit all. Now, the default behavior is drop all. However, the behavior can be changed to permit all by configuration.
    • The payload protocol traffic can be permitted by configuring the decimal value of the SCTP protocol identifiers or the name in the permit list.
    • The payload protocol traffic can be dropped by configuring the decimal value of the SCTP protocol identifiers or the name in the drop list.

    [See Understanding Stream Control Transmission Protocol.]

  • Support for SCCP v20—This feature is supported on all SRX Series devices.

    Starting in Junos OS Release 12.1X46-D10, the SCCP ALG supports SCCP versions 16, 17, and 20 and several SCCP messages have been updated with a new format. Cisco Call Manager (CM) version 7 uses SCCP version 20.

    [See SCCP ALG Feature Guide for Security Devices.]

  • SCTP rate limiting—Starting in Junos OS Release 12.1X46-D10, the rate limiting functionality is extended with a generalized SCTP payload protocol rate limiting function. This feature is supported on all high-end SRX Series devices. This feature has the following enhancements:
    • The rate limiting function supports decimal identifier values for Internet Assigned Numbers Authority (IANA) SCTP protocols and synonyms for the well-known IANA SCTP protocols.
    • Each profile can be configured with many IP addresses. Each IP address can be configured with many protocols.

    [See Understanding Stream Control Transmission Protocol.]

Unified Threat Management (UTM)

  • UTM antivirus, antispam, and content filtering support—Starting in Junos OS Release 12.1X46-D10, Sophos antivirus, antispam, and content filtering features are supported on all SRX Series devices.

    The existing CLI operational commands show security utm anti-virus status and show security utm anti-virus statistics have been enhanced to display the aggregated status and statistics from all Flexible PIC Concentrators (FPCs) and PICs. You can use the following new operational commands to display the status and statistics of each FPC and PIC:

    • show security utm anti-virus status fpc
    • show security utm anti-virus status fpc fpc-slot fpc-slot pic-slot pic-slot
    • show security utm anti-virus statistics fpc
    • show security utm anti-virus statistics fpc fpc-slot fpc-slot pic-slot pic-slot

    [See show security utm anti-virus status.]

    [See show security utm anti-virus statistics.]

  • UTM Web filtering support—Starting in Junos OS Release 12.1X46-D10, the enhanced Web filtering feature is supported on all SRX Series devices.

    The existing CLI operational commands show security utm web-filtering status and show security utm web-filtering statistics have been enhanced to display the aggregated status and statistics from all Flexible PIC Concentrators (FPCs) and PICs. You can use the following new operational commands to display the status and statistics of each FPC and PIC:

    • show security utm web-filtering status fpc
    • show security utm web-filtering status fpc fpc-slot fpc-slot pic-slot pic-slot
    • show security utm web-filtering statistics fpc
    • show security utm web-filtering statistics fpc fpc-slot fpc-slot pic-slot pic-slot

    [See show security utm web-filtering status.]

    [See show security utm anti-virus statistics.]

Virtual Private Networks (VPNs)

  • Enhanced X2 interface monitoring—This feature is supported on all SRX Series devices.

    In an LTE mobile network, X2 interfaces are used to connect Evolved Node Bs (eNodeBs) for signal handover, monitoring, and radio coverage. SRX Series devices connect these eNodeBs using IPsec tunnels.

    This feature enables you to monitor traffic between eNodeBs by snooping into the clear text traffic as it flows from one IPsec tunnel to another. Use the monitor-filter statement at the [edit security forwarding-options] hierarchy level to duplicate clear text packets and send them to the physical interface. You can then use Ethereal or other packet analyzers to verify or collect the X2 traffic.

    [See Understanding X2 Traffic Monitoring.]

  • Dead peer detection (DPD) enhancements—This feature is supported on all SRX Series devices.

    Network devices use the DPD protocol to verify the existence and availability of other peer devices. The default DPD mode optimized sends probes if there is no incoming IKE or IPsec traffic from the peer within a configured interval after outgoing packets are sent to the peer. The always-send option sends DPD probes at configured intervals regardless of traffic activity between peers. A new configuration option probe-idle-tunnel at the [edit security ike gateway dead-peer-detection] hierarchy level sends DPD probes when there is no incoming or outgoing IKE or IPsec traffic between peers.

    Note: We recommend that you configure probe-idle-tunnel instead of always-send.

    For all DPD modes, Phase 1 and Phase 2 security associations are cleared if a specified number of probes are sent with no response from the peer.

    [See Understanding Dead Peer Detection.]

  • IPsec VPN performance enhancements—Starting in Junos OS Release 12.1X46-D10, a new configuration statement, ipsec-performance-acceleration, has been introduced under the [edit security flow] hierarchy to enable IPsec VPN performance acceleration. This feature is supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices.

    By default, VPN performance acceleration is disabled on SRX Series devices. Enabling VPN performance acceleration can improve VPN throughput under certain conditions.

    The following functions are not supported:

    • VPN traffic ACL accounting on physical egress and ingress interface
    • VPN traffic physical interface filter-based policer
    • VPN traffic physical interface QoS feature (classifier, remarking, scheduling, and shaping)

  • Multiple traffic selectors on a route-based VPN—This feature is supported on all SRX Series devices.

    A traffic selector (also known as a proxy ID in IKEv1) is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses. With this feature, you can define multiple traffic selectors within a specific route-based VPN, resulting in a unique SA for each traffic selector configured. Only traffic that conforms to a traffic selector is permitted through the associated IPsec SA.

    To configure a traffic selector, use the traffic-selector configuration statement at the [edit security ipsec vpn vpn-name] hierarchy level. The traffic selector pair is defined with the mandatory local-ip ip-address and remote-ip ip-address statements. The CLI operational command show security ipsec security-association traffic-selector traffic-selector displays SA information for the specified traffic selector.

    [See Understanding Traffic Selectors in Route-Based VPNs.]
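    One route-based VPN that brings together three features described in these notes: the HMAC-SHA-256-128 IPsec authentication option (Release 12.1X46-D20), probe-idle-tunnel dead peer detection, and multiple traffic selectors with one SA each. This is an added example, not from the release notes; names, addresses, prefixes, DPD timers and the pre-shared key are placeholders, and the st0.0 interface, security zones and policies are assumed to exist:

```junos
## Added example: route-based IPsec VPN. All names, addresses and the PSK are
## placeholders.

## Phase 1 (IKE)
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group14
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "REPLACE-WITH-STRONG-PSK"
set security ike gateway branch-gw ike-policy ike-pol
set security ike gateway branch-gw address 203.0.113.2
set security ike gateway branch-gw external-interface ge-0/0/0.0

## DPD: probe only when the tunnel is idle in both directions (the option the
## notes recommend over always-send); interval/threshold values are placeholders.
set security ike gateway branch-gw dead-peer-detection probe-idle-tunnel
set security ike gateway branch-gw dead-peer-detection interval 10
set security ike gateway branch-gw dead-peer-detection threshold 5

## Phase 2 (IPsec): ESP with HMAC-SHA-256-128 integrity.
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol proposals ipsec-prop

## Route-based VPN with two traffic selectors, which yields two IPsec SAs;
## only traffic matching a selector's local/remote pair enters its SA.
set security ipsec vpn branch-vpn bind-interface st0.0
set security ipsec vpn branch-vpn ike gateway branch-gw
set security ipsec vpn branch-vpn ike ipsec-policy ipsec-pol
set security ipsec vpn branch-vpn traffic-selector ts-users local-ip 10.1.0.0/16 remote-ip 10.9.1.0/24
set security ipsec vpn branch-vpn traffic-selector ts-servers local-ip 10.2.0.0/24 remote-ip 10.9.2.0/24
set security ipsec vpn branch-vpn establish-tunnels immediately

## Checks: Phase 1 state, then the SA for one named selector.
show security ike security-associations
show security ipsec security-associations traffic-selector ts-users
```

    Once the tunnel is up, each selector should show its own SPI pair; traffic from 10.1.0.0/16 to 10.9.2.0/24 matches neither selector and is dropped rather than silently carried over the other SA, which is the point of keeping the selectors narrow.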

  • Support for IPv6 address encapsulation in route-based one-to-one site-to-site VPN tunnels—This feature is supported on all SRX Series devices.

    In tunnel mode, IPsec encapsulates the original IP datagram—including the original IP header—within a second IP datagram. The outer IP header contains the IP address of the gateway, while the inner header contains the ultimate source and destination IP addresses. The outer and inner IP headers can have a protocol field of IPv4 or IPv6. As of Junos OS Release 12.1X46-D10, the following tunnel modes are supported on SRX Series devices:

    • IPv4-in-IPv4 tunnels encapsulate IPv4 packets inside IPv4 packets.
    • IPv6-in-IPv6 tunnels encapsulate IPv6 packets inside IPv6 packets.
    • IPv6-in-IPv4 tunnels encapsulate IPv6 packets inside IPv4 packets.
    • IPv4-in-IPv6 tunnels encapsulate IPv4 packets inside IPv6 packets.

    There are no new CLI configuration statements for this feature.

    IPv4 and IPv6 traffic can be routed into a single IPv4 or IPv6 tunnel; the st0 interface bound to the tunnel must be configured for both family inet and family inet6. Dual stack tunnels—parallel IPv4 and IPv6 tunnels over a single physical external interface to different VPN peers—are also supported.

    [See VPN Feature Support for IPv6 Addresses.]
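    As an added example (not from these release notes or from Juniper's documentation), the fragment below builds a single tunnel to a peer reached over IPv6 and routes both IPv4 and IPv6 traffic into it, so the same SA carries IPv4-in-IPv6 and IPv6-in-IPv6 packets. It assumes an IKE policy ike-pol and an IPsec policy ipsec-pol are already defined; the peer address, prefixes and names are placeholders. Lines beginning with # are annotations and should be dropped before pasting.

```junos
# External interface carries IPv6; the outer header of the tunnel will be IPv6.
set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8:ffff::1/64
# IKE gateway addressed by the peer's IPv6 address (assumes ike-pol exists).
set security ike gateway gw-v6peer ike-policy ike-pol
set security ike gateway gw-v6peer address 2001:db8:ffff::2
set security ike gateway gw-v6peer external-interface ge-0/0/0.0
# Route-based VPN bound to st0.0 (assumes ipsec-pol exists).
set security ipsec vpn vpn-v6peer bind-interface st0.0
set security ipsec vpn vpn-v6peer ike gateway gw-v6peer
set security ipsec vpn vpn-v6peer ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-v6peer establish-tunnels immediately
# Both address families on the tunnel interface, as the text requires for
# carrying IPv4 and IPv6 through one tunnel.
set interfaces st0 unit 0 family inet address 10.0.0.1/30
set interfaces st0 unit 0 family inet6 address 2001:db8:ace::1/64
set security zones security-zone vpn interfaces st0.0
# Static routes in both RIBs steer each family's remote prefix into the tunnel.
set routing-options static route 10.20.0.0/16 next-hop st0.0
set routing-options rib inet6.0 static route 2001:db8:20::/48 next-hop st0.0
```

    No tunnel-mode statement is needed, as the text notes; the outer family follows the IKE gateway address and the inner family follows the packet that is routed into st0.0. The peer must mirror the two families on its own tunnel interface.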

  • IKEv2 configuration payload support with RADIUS—This feature is supported on all SRX Series devices.

    Configuration payload is an Internet Key Exchange (IKE) version 2 feature used to propagate provisioning information from an IKE responder to the IKE initiator. Starting with Junos OS Release 12.1X46-D10, IKEv2 configuration payload is supported with route-based VPNs only. The following attribute types, defined in RFC 5996, Internet Key Exchange Protocol Version 2 (IKEv2), can be returned to the IKE initiator by the IKE responder:

    • INTERNAL_IP4_ADDRESS
    • INTERNAL_IP4_NETMASK
    • INTERNAL_IP4_DNS

    For the IKE responder to provide the initiator with provisioning information, it must acquire the information from a specified source such as a RADIUS server. Provisioning information can also be returned from a DHCP server through a RADIUS server. On the RADIUS server, the user information should not include an authentication password. As in previous Junos OS releases for the SRX Series, the RADIUS server profile is bound to the IKE gateway using the xauth access-profile profile-name configuration at the [edit security ike gateway gateway-name] hierarchy level.

    This feature is supported only for point-to-multipoint secure tunnel (st0) interfaces. For point-to-multipoint interfaces, the interfaces must be numbered and the addresses in the configuration payload INTERNAL_IP4_ADDRESS attribute type must be within the subnetwork range of the associated point-to-multipoint interface.

    Note: IKEv2 on SRX Series devices does not support policy-based VPNs or VPN monitoring.

    [See Understanding Internet Key Exchange Version 2.]

  • IKEv2 with NAT-T and dynamic endpoint VPN—This feature is supported on all SRX Series devices.

    Starting with Junos OS 12.1X46-D10, both IKEv2 initiators and responders in a route-based VPN can be behind NAT devices. The IKEv2 NAT-T feature supports IPsec traffic that crosses NAT devices. Static NAT and dynamic NAT are supported. In static NAT, there is a one-to-one relationship between the private and the public addresses. In dynamic NAT, there is a many-to-one or many-to-many relationship between the private and public addresses.

    Dynamic endpoint (DEP) VPN is a Junos OS feature that covers IKEv2 initiator and responder perspectives. From the initiator’s perspective, DEP VPN covers the situation where the IKE external interface address is not fixed and is therefore not known by the responder. This situation can occur when the peer’s address is dynamically assigned by an ISP or when the peer’s connection crosses a NAT device that allocates addresses from a dynamic address pool. From the responder’s perspective, DEP VPN describes either a finite number of VPNs that are created for a number of VPN peers in a many-to-many scenario or a shared VPN in a many-to-one scenario.

    Starting with Junos OS 12.1X46-D10, the default value for the nat-keepalive option configured at the [edit security ike gateway gateway-name] hierarchy level has been changed from 5 seconds to 20 seconds.

    [See Understanding NAT-T.]
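    The following fragment is an added example, not from these release notes or from Juniper's documentation, and it serves both the IKEv2 configuration-payload feature and the NAT-T/dynamic endpoint feature above: an IKEv2-only responder gateway for peers whose addresses are not known in advance (and may sit behind NAT), bound to a numbered point-to-multipoint st0 interface, with the RADIUS profile attached through the xauth access-profile statement named in the text. It assumes an IKE policy ike-pol-v2 and an IPsec policy ipsec-pol already exist; the RADIUS server address and secret, the shared IKE ID and the subnet are placeholders. Lines beginning with # are annotations and should be dropped before pasting.

```junos
# RADIUS access profile. Per the text, the user entries on the RADIUS server
# carry provisioning data only, not an authentication password.
set access profile radius-prof authentication-order radius
set access profile radius-prof radius-server 192.0.2.10 secret "REPLACE-WITH-RADIUS-SECRET"
# IKEv2-only gateway for dynamic endpoints: peers are identified by a shared
# user@hostname IKE ID rather than by a fixed address (many-to-one DEP VPN).
set security ike gateway gw-ra ike-policy ike-pol-v2
set security ike gateway gw-ra dynamic user-at-hostname "client@example.com"
set security ike gateway gw-ra dynamic ike-user-type shared-ike-id
set security ike gateway gw-ra external-interface ge-0/0/0.0
set security ike gateway gw-ra version v2-only
# Bind the RADIUS profile so the responder can fill the configuration payload.
set security ike gateway gw-ra xauth access-profile radius-prof
# NAT-T keepalive. 20 seconds is the default from 12.1X46-D10; it is set
# explicitly here so the intent is visible in the configuration.
set security ike gateway gw-ra nat-keepalive 20
# Shared route-based VPN on a numbered point-to-multipoint st0 interface.
set security ipsec vpn vpn-ra bind-interface st0.1
set security ipsec vpn vpn-ra ike gateway gw-ra
set security ipsec vpn vpn-ra ike ipsec-policy ipsec-pol
set interfaces st0 unit 1 multipoint
set interfaces st0 unit 1 family inet address 172.16.0.1/24
set security zones security-zone vpn interfaces st0.1
```

    The constraint stated above applies directly: every address the RADIUS server returns for INTERNAL_IP4_ADDRESS must fall inside 172.16.0.0/24, the subnet of st0.1, or the peer's tunnel will not come up correctly. Established peers can be checked with show security ike active-peer and show security ike security-associations; because this is a route-based VPN, policy-based VPN statements and VPN monitoring are not used, matching the note in the text.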

Web Authentication

  • Web-redirect firewall authentication—Starting in Junos OS Release 12.1X46-D10, Web authentication redirect enhancement is provided on all SRX Series devices.

    With this feature, when you initiate a connection across the firewall and authenticate successfully, the browser is redirected to your original destination URL; you do not need to retype the URL.

    The following message is displayed:

    Redirecting to the original url, please wait

    [See Firewall User Authentication Overview.]
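    As an added example (not from these release notes or from Juniper's documentation), the fragment below shows a pass-through firewall-authentication policy that uses the redirect behaviour described above. The web-redirect keyword under pass-through is taken from my knowledge of the Junos CLI and is not named on this page; the user name, password, zones and interface are placeholders. Lines beginning with # are annotations and should be dropped before pasting.

```junos
# Firewall users and the default profile consulted by pass-through authentication.
set access profile fw-users client alice firewall-user password "REPLACE-WITH-PASSWORD"
set access firewall-authentication pass-through default-profile fw-users
# The login and redirect exchange is served by the SRX itself over HTTP, so the
# ingress interface must accept it (assumed prerequisite; not described on this page).
set system services web-management http
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
# Policy requiring pass-through authentication; once the user succeeds, the
# browser is sent on to the URL it originally requested.
set security policies from-zone trust to-zone untrust policy auth-web match source-address any
set security policies from-zone trust to-zone untrust policy auth-web match destination-address any
set security policies from-zone trust to-zone untrust policy auth-web match application junos-http
set security policies from-zone trust to-zone untrust policy auth-web then permit firewall-authentication pass-through web-redirect
```

    Authenticated users can be listed with show security firewall-authentication users. Because the redirect is driven by the first HTTP request, the policy matches junos-http; traffic that is not HTTP is not redirected and still requires the user to have authenticated.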

Hardware Features

SRX5400 Services Gateway

  • The SRX5400 Services Gateway (see Figure 2) expands the SRX Series family of next-generation security platforms, delivering a high-performance, highly scalable, carrier-class security device with a multiprocessor architecture. The SRX5400 Services Gateway is 5 rack units (U) tall. For increased port density per unit of floor space, you can stack eight services gateways in a rack that is at least 48 U (89.3 in. or 2.24 m) in height if it has a 1 in. gap between them. The services gateway provides four slots that you can populate with one Switch Control Board (SCB) and up to three additional cards consisting of an SPC and MPCs.

    Note: The SRX5400 Services Gateway supports only the SPC II (SRX5K-SPC-4-15-320) and does not support the SRX5K-SPC-2-10-40 SPC.

    Figure 2: SRX5400 Services Gateway Front Panel


    Note: The SRX5400 Services Gateway supports only the SRX5K-MPC, and does not support older SRX5000 Series I/O cards (IOCs) or Flex IOC cards such as:

    • SRX5K-40GE-SFP
    • SRX5K-4XGE-XFP
    • SRX5K-FPC-IOC

    Note: The SRX5400 Services Gateway supports Junos OS 12.1X46-D10 and later versions. It does not support previous Junos OS versions.

    [See Firewall SRX5400 Services Gateway Hardware Guide.]

SRX5K-MPC IOC for the SRX5000 Line of Services Gateways

The SRX5K-MPC (see Figure 3) is an interface card with two slots that accept MICs, which add Ethernet ports to your services gateway. An MPC with MICs installed functions in the same way as a regular IOC but allows you to add different types of Ethernet ports to your device. You can install one MIC, or two MICs of the same or different types.

Note: The SRX5K-MPC card is supported on the SRX5400, SRX5600, and SRX5800 Services Gateways. The SRX5400 Services Gateway supports only MPCs. It does not support legacy cards such as IOCs or Flex IOCs.

Figure 3: SRX5K-MPC


[See Modular Port Concentrator SRX5K-MPC.]

MICs for the SRX5000 Line of Services Gateways

You use MICs and MPCs to add different combinations of Ethernet interfaces to your services gateway to suit the specific needs of your network. The following three new MICs are supported on the SRX5000 line of services gateways:

SRX-MIC-1X100G-CFP

The SRX-MIC-1X100G-CFP (see Figure 4) can be installed in an MPC to add one 100-Gigabit Ethernet CFP port.

Figure 4: SRX-MIC-1X100G-CFP


[See SRX-MIC-1X100G-CFP.]

SRX-MIC-2X40G-QSFP

The SRX-MIC-2X40G-QSFP (see Figure 5) can be installed in an MPC to add two 40-Gigabit quad small form-factor pluggable (QSFP) Ethernet ports.

Figure 5: SRX-MIC-2X40G-QSFP


[See SRX-MIC-2X40G-QSFP.]

SRX-MIC-10XG-SFPP

The SRX-MIC-10XG-SFPP (see Figure 6) can be installed in an MPC to add ten 10-Gigabit Ethernet SFP+ ports.

Figure 6: SRX-MIC-10XG-SFPP


[See SRX-MIC-10XG-SFPP.]

Modified: 2017-04-24