Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation  Back up to About Overview 
[+] Expand All
[-] Collapse All

No index entries found.

New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 12.1X47 for the SRX Series.

Release 12.1X47-D45 Software Features


  • G.993.5 Vectoring support for VDSL modules on SRX Series devices— Starting with Junos OS Release 12.1X47-D45, firmware version, v2.16.0, is available for SRX-MP-1VDSL-A to support VDSL vectoring. Vectoring on VDSL reduces crosstalk and increases network bandwidth.

    [For more information, see Upgrading the VDSL PIC Firmware in the Junos OS Release 15.1X49-D50 Feature Guide. PDF Document]

Release 12.1X47-D30 Software Features

Chassis Cluster

  • Increasing IP monitoring capacity for SRX5000 Line Devices MICs (IOC2)—Starting with Junos OS Release 12.1X47-D30, the following IOC2 MICs on SRX5000 line devices support IP monitoring on both the primary and secondary nodes:
    • MIC with 20x1GE SFP Interfaces (SRX-MIC-20GE-SFP)— 20 ports
    • MIC with 10x10GE SFP+ Interfaces (SRX-MIC-10XG-SFPP)—10 ports
    • MIC with 1x100GE CFP Interface (SRX-MIC-1X100G-CFP)—1 port
    • MIC with 2x40GE QSFP+ Interfaces (SRX-MIC-2X40G-QSFP)—2 ports

    IP monitoring checks the end-to-end connectivity of configured IP addresses and allows a redundancy group to automatically fail over when the monitored IP address is not reachable through the reth interface. Both the primary and secondary nodes in the chassis cluster monitor specific IP addresses to determine whether an upstream device in the network is reachable.

Release 12.1X47-D20 Software Features

System Logging

  • TCP/TLS support for real-time logging for SRX Series devices—Starting in Junos OS Release 12.1X47-D20, a secure mechanism, enabled through a plug-in during system initialization, encrypts and transports data plane syslog messages to TLS-capable syslog receivers (such as the Juniper Networks STRM or a standards-based third-party device) over TCP on all branch SRX Series devices in addition to high-end SRX Series devices. The SPU generates the log data. By default, port 514 is used for TCP logging and port 6514 is used for TLS logging. As a log client, a TCP/TLS connection is initiated to the log server.

    [See the “Syslog Messages” section in the Junos OS 12.1X47-D20 Release Feature Guide.]

Release 12.1X47-D15 Hardware Features

Interfaces and Chassis

  • Enhanced support for Switch Control Board and Routing Engine–Starting with Junos OS Release 12.1X47-D15, the SRX5400, SRX5600, and SRX5800 support the next-generation SCB (SRX5K-SCBE) and Routing Engine (SRX5K-RE-1800X4), providing a 120-Gbps per slot line rate, faster configuration processing, route convergence, and policy compilation, in addition to greater scalability and performance. The SRX5K-SCBE provides higher capacity traffic support, greater interface density, and improved services. The SRX5K-RE-1800X4 provides the interface for user access and system management, in addition to managing routing tables, routing protocols, device interfaces, and chassis components. The Routing Engine also has secondary storage through a 128-GB solid-state drive providing additional storage for Junos images.

    [See Switch Control Board SRX5K-SCBE and Routing Engine SRX5K-RE-1800X4.]

Release 12.1X47-D15 Software Features

Application Identification and Tracking

  • SSL proxy support for SRX240, SRX550, and SRX650 devices—Starting with Junos OS Release 12.1X47-D15, SRX240, SRX550, and SRX650 devices can decrypt and inspect SSL encrypted traffic for features such as AppSecure and IDP. SSL proxy ensures the secure transmission of data between a client and a server through a combination of privacy, authentication, confidentiality, and data integrity.

    [See SSL Proxy Overview.]

Authentication, Authorization and Accounting (AAA)

  • RADIUS functionality over IPv6 for system AAA for SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices—Starting with Junos OS Release 12.1X47-D15, RADIUS functionality supports IPv6 for system authentication, authorization, and accounting (AAA) in addition to the existing RADIUS functionality over IPv4 for system AAA. With this feature, Junos OS users can log in to the device authenticated through RADIUS over an IPv6 network. Thus, Junos OS users can now configure both IPv4 and IPv6 RADIUS servers for AAA.

    [See the “Authentication, Authorization, and Accounting” section in the Junos OS 12.1X47-D15 Feature Guide.]

Chassis Cluster

  • Encrypted control link [High-end SRX Series] — The existing control link access is enhanced to prevent hackers from logging to the system without authentication via the control link as Telnet access is disabled. Chassis cluster control link supports an optional encrypted security feature that you can configure and activate. Using IPsec for internal communication between devices, the configuration information that passes through the chassis cluster link from the primary node to the secondary node is encrypted. Without the internal IPsec key, an attacker cannot gain privilege access or observe traffic. To configure this feature, use the set security ipsec internal security-association manual encryption ike-ha-link-encryption enable configuration command. To enable this feature, use the request security internal-security-association refresh command at the console.

    [See Understanding Chassis Cluster Control Links.]

Flow-Based and Packet-Based Processing

  • Data path debugging on the SRX5000 line MPC for SRX5400, SRX5600, SRX5800—Starting with Junos OS Release 12.1X47-D15, data path debugging provides tracing and debugging at multiple processing units along the packet-processing path. The packet filter can be executed with minimal impact to the production system.

    On a high-end SRX Series device, a packet goes through a series of events involving different components from ingress to egress processing. With the data path debugging feature, you can trace and debug (capture packets) at different data points along the processing path. At each event, you can specify an action (count, packet dump, packet summary, and trace) and set filters to define what packets to capture.

    [See "Understanding Data Path Debugging for SRX Series Devices" and "Example: Configuring End-to-End Debugging on a High-End SRX Series Device" in the Junos OS Release 12.1X47-D15 Feature Guide].

General Routing

  • SRX5K-RE-1800X4 for SRX5400, SRX5600, and SRX5800 devices—Starting with Junos OS Release 12.1X47-D15, the SRX5K-RE-1800X4 Routing Engine is introduced.

    The SRX5K-RE-1800X4 has an Intel Quad core Xeon processor, 16 GB of DRAM, and a 128-GB solid-state drive (SSD).

    The number 1800 refers to the speed of the processor (1.8 GHz). The maximum required power for this Routing Engine is 90W.

    The SRX5K-RE-1800X4 has the following features:

    • Increased CPU power provides higher control plane scalability.

      Note: The SRX5K-RE-1800X4 provides significantly better performance than the previously used Routing Engine, even with a single core.

    • Memory address space is increased from 2 GB to 4 GB.
    • The SSD provides superior reliability.

    The part number and model number for the SRX5K-RE-1800X4 can be viewed using the following CLI commands:

    • show chassis hardware
    • show chassis hardware models

Interfaces and Chassis

  • Switch Control Board II for SRX5400, SRX5600, and SRX5800 — Starting with Junos OS Release 12.1X47-D15, the Switch Control Board (SCB) II (SRX5K-SCBE) is introduced.

    SCB II (SRX5K-SCBE) has the following features:

    • Used in the SCB slot.
    • Supports 160-Gbps redundant raw fabric throughput per FPC slot. The SCB I (SRX5K-SCB) supports 80 Gbps. This new fabric capability enables the IOC II (SRX5K-MPC) to reach its maximum throughput of 120 Gbps and to achieve a line rate of 100-Gbps interfaces.
    • In-service hardware upgrade (ISHU) from SRX5K-SCB to SRX5K-SCBE is supported in chassis cluster mode.
    • The SRX5K-SCBE uses serializer/deserializer (SerDes) link speed of 6.22 Gbps between an SRX5K-MPC and the SRX5K-SCBE. The fabric interface has enough bandwidth to support a line speed of 100-Gbps Ethernet interfaces.

      Note: Fabric Bandwidth Increasing Mode, which is supported in SRX5K-SCB alignment with the SPC II (SRX5K-SPC-4-15-320), is not supported.

    • The SRX5K-SPC-4-15-320 fabric interface runs at 3.11-Gbps SerDes link speed (same as the SPC I).
    • If an IOC I and an SPC I are plugged into a chassis with an SRX5K-SCBE, those cards will remain offline. Both an SRX5K-MPC and an SRX5K-SPC-4-15-320 are required to operate with an SRX5K-SCBE.

    To display new SRX5K-SCBE information, use the following CLI commands:

    • show chassis hardware
    • show chassis environment cb

    To request that an SCB II go online or offline, use the request chassis cb (offline | online) slot slot-number CLI command.

    Third SCB Supported in SRX5800

    There are three SCB slots in SRX5800 devices. The third slot can be used for an SCB or an FPC. When an SRX5K-SCBE is used with an SRX5K-SCB, the third SCB slot can only be used as an FPC slot (FPC 6). SCB redundancy is provided in chassis cluster mode.

    With an SRX5K-SCBE, a third SCB is supported. If a third SCB is plugged in, it provides intra-chassis fabric redundancy.

    If chassis cluster is enabled and a third SCB is also plugged in, both intra-chassis redundancy and inter-chassis redundancy are provided. If a fabric plane fails or a link error occurs on the active SCB, intra-chassis redundancy occurs first.

    If no redundant plane is available in the chassis cluster, inter-chassis redundancy is triggered and all data plane redundancy groups fail over to the other chassis cluster node.

    Control Plane

    The Ethernet switch in the SRX5K-SCBE provides the Ethernet connectivity among all the FPCs and the Routing Engine. The Routing Engine uses this connectivity to distribute forwarding and routing tables to the FPCs. The FPCs use this connectivity to send exception packets to the Routing Engine.

    The Ethernet switch used in the SRX5K-SCBE is Broadcom’s BCM56680. BCM56680 is a Layer 2 and Layer 3 switch-on-a-chip solution. It provides 1-Gbps ports with autonegotiation as well as four 10-Gbps ports.

    The Routing Engine also connects to the Ethernet switch through Peripheral Component Interconnect (PCI) for control. The BCM56680’s address space is mapped into PCI address space.

    To display control plane details, use the following commands:

    • show chassis ethernet-switch
    • show chassis ethernet-switch counters

    Fabric Function

    Fabric connects all FPCs in the data plane. The Fabric Manager executes on the Routing Engine and controls the fabric system in the chassis. Packet Forwarding Engines on the FPC and fabric planes on the SCB are connected through HSL2 channels.

    HSL2 can be configured in different modes and different link speeds on each slot.

    SCB II supports HSL2 with both 3.11-Gbps and 6.22-Gbps (SerDes) link speed and various HSL2 modes. When an FPC is brought online, the link speed and HSL2 mode are determined by the type of FPC.

    To display fabric state, use the following CLI commands:

    • show chassis fabric [summary | map | fpcs | plane | plane-location]
    • request chassis fabric plane plane-number [offline | online]


  • IPv6 support for outbound SSH for all high-end SRX Series devices— Starting with Junos OS Release 12.1X47-D15, high-end SRX Series devices configured with IPv6 addresses support outbound SSH connections.

Network Address Translation (NAT)

  • NAT64 IPv6 Prefix to IPv4 Address Persistent Translation for SRX Series devices—Starting with Junos OS Release 12.1X46-D15, this feature, which is targeted at IPv6 mobile networks, is used with the dual-translation mechanism, 464XLAT, to enable IPv4 services to work over IPv6-only networks. It augments the existing NAT64 mechanism, which enables IPv6 clients to contact IPv4 servers by translating IPv6 addresses to IPv4 addresses (and vice versa). However, the existing NAT64 mechanism does not ensure a sticky mapping relationship for one unique end user. By configuring the new address-persistent option with a specific IPv6 prefix length for NAT64 translations in an IPv4 source NAT pool, a sticky mapping relationship is ensured between one specific IPv6 prefix and one translated IPv4 address.

    [See the “Network Address Translation” section in the Junos OS 12.1X47-D15 Feature Guide.]

Network Management and Monitoring

  • Collect vital data on MIB OIDs for all SRX Series devices [SRX Series]—Starting in Junos OS Release 12.1X47-D15, you can collect and configure MIB OID data for later use in reports. You can configure data collection duration (default is 3 days), dump file size limitation (default is 5 Mbytes for branch SRX Series and 10 Mbytes for high-end SRX Series), and disk storage limitation (default is 80%). If an issue should arise, then the collected data is examined to help identify its cause. Once you enable a predefined group, the vital data of all OIDs in the group are periodically collected and analyzed. Only critical data is collected when CPU utilization exceeds 60% but is within 80%. You can also collect raw MIB OID data.

    [See the “Network Management and Monitoring” section in the Junos OS 12.1X47-D15 Release Feature Guide.]

Release 12.1X47-D10 Hardware Features

Interfaces and Chassis

  • MIC with twenty 1-Gigabit Ethernet SFP ports (SRX-MIC-20GE-SFP) [SRX5400, SRX5600, SRX5800]—MICs install into MPCs to add different combinations of Ethernet interfaces to your services gateway to suit the specific needs of your network.

    The SRX-MIC-20GE-SFP can be installed in an MPC to add twenty 1-Gigabit Ethernet small form-factor pluggable (SFP) Ethernet ports.

    You can install up to two MICs in the slots in each MPC. The SRX-MIC-20GE-SFP is hot-pluggable. You can remove and replace the MIC without powering off the services gateway, but the routing functions of the system are interrupted when the MIC is removed.

    [See MIC with 20x1GE SFP Interfaces (SRX-MIC-20GE-SFP.]

  • Support for SFP+ 10-Gigabit and QSFP+ 40-Gigabit Ethernet transceivers [SRX5400, SRX5600, SRX5800]—The following transceivers are supported:

    Transceiver Model


    Supported Card Model


    SFP+ 10GBASE-LR Gigabit Ethernet optic module, 1310 nm for up to 10 km transmission on single mode fiber (SMF) cable



    QSFP+ 40GBASE-LR4 Gigabit Ethernet single-mode optic module, 1310 nm for up to 10 km transmission on single mode fiber (SMF) cable


Release 12.1X47-D10 Software Features

Application Identification and Tracking

  • Application-level distributed denial of service [SRX Series]—As announced in Junos OS Release 12.1X46-D10, application-level distributed denial of service is being deprecated in Junos OS Release 12.1X47-D10. This feature will be removed in a future release per the Juniper Networks deprecation process. As a replacement product for this feature, we recommend that you migrate to the Juniper Networks DDoS Secure product line. For more details, contact your sales engineer.
  • Default trusted CA certificates for SSL forward proxy [High-end SRX Series]—SSL forward proxy uses trusted CA certificates for server authentication. Junos OS provides a default list of trusted CA certificates that you can easily load on to your system using a default command option. Alternatively, you can continue to use the CA profile feature to define your own list of trusted CA certificates and import them on to your system.

    [See Services Offloading Overview.]

  • Next-generation application identification [SRX100H2, SRX110H2-VA, SRX110H2-VB, SRX210HE2, SRX210HE2-POE, SRX220H2, SRX220H2-POE, SRX240H2, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800]—Next-generation application identification recognizes Web-based and other applications and protocols at different network layers using characteristics other than port number.

    With next-generation application identification, applications are identified by using a downloadable protocol bundle containing application signatures and parsing information. Here, identification is based on protocol behavior and session management.

    Next-generation application identification builds on the legacy application identification functionality and provides more effective detection capabilities for evasive applications such as Skype, BitTorrent, and Tor. It improves the accuracy of existing applications, enables dynamic update of the detector engine without requiring Junos OS code upgrade, and increases the application count to around 2900.

    [See Application Identification Feature Guide for Security Devices.]

  • Next-generation application identification predefined signatures [SRX100H2, SRX110H2-VA, SRX110H2-VB, SRX210HE2, SRX210HE2-POE, SRX220H2, SRX220H2-POE, SRX240H2, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800]—Next-generation application identification eliminates previously implemented pattern-based matching technology and particular signature constructs for each application. The new detection mechanism has its own data feed and constructs to identify applications. Next-generation application identification eliminates the generation of nested application and treats nested application as normal applications.

    [See Application Identification Feature Guide for Security Devices.]

Chassis Cluster

  • Autorecovery of fabric link [SRX Series]—The fabric link feature supports autorecovery, which includes the following enhancements:
    • Fabric monitoring feature is enabled by default on high-end SRX Series, and hence recovery of fabric link and synchronization takes place automatically.
    • If the fabric link goes down, RG1+ becomes ineligible on either the secondary node or the node with failures, by default. The node remains in this state until the fabric link comes up or the other node goes away.
    • If the fabric link goes down followed by the control link, then after approximately 66 seconds the secondary node (or the node with failures) assumes that the remote node is dead and takes over as the primary node.

    [See Understanding Chassis Cluster Fabric Links.]

  • Enhanced debugging support for chassis cluster [SRX Series]—The chassis cluster debugging functionality has the following enhancements:
    • The show chassis cluster status command output includes failure reasons (acronyms and their expansions) when the redundancy group's priority is zero.
    • Cleaner jsrpd process includes removing unwanted logs and moving the debug log message from level LOG_INFO to LOG_DEBUG.
    • The show chassis cluster information command output displays redundancy group, LED, and monitored failure details.
    • SNMP traps send messages when a node's weight goes down and also when it recovers.
    • The show chassis cluster ip-monitoring command output displays both the global threshold and the current threshold of each node and displays the weight of each monitored IP address.
    • A system log message appears when the control link goes down.

    [See show chassis cluster ip-monitoring status.]

  • In-service software upgrade (ISSU) progress display [High-end SRX Series]—ISSU supports a progress indicator. During an upgrade, you can see the progress of an ISSU and the time expected to complete a process. To enable this feature use the show chassis cluster information issu command at the console. In addition, you can monitor real-time ISSU progress through a new session to collect, report, and display cold synchronization status on SPUs.

    [See Understanding the Low-Impact ISSU Process on Devices in a Chassis Cluster.]

  • NTP time synchronization in chassis cluster [SRX Series]—Network Time Protocol (NTP) is used to synchronize the time between the Packet Forwarding Engine and the Routing Engine in a standalone device and between two devices in a chassis cluster.

    In standalone device and chassis cluster mode, the primary Routing Engine runs the NTP process to get the time from the external NTP server. The secondary Routing Engine uses NTP to get the time from the primary Routing Engine. On both standalone devices and clusters, the Packet Forwarding Engine uses NTP to get the time from the local Routing Engine.

    [See Chassis Cluster Feature Guide for Security Devices.]

  • Sync backup node configuration from primary node [SRX Series]—Chassis cluster supports automatic configuration synchronization. When a secondary node joins a standalone primary node and a chassis cluster is formed, the primary node configuration is copied and applied to the secondary node. This enhancement saves the user from spending time on manual copying of the configuration on both nodes.

    [See SRX Series Chassis Cluster Configuration Overview.]

Dynamic Host Configuration Protocol (DHCP)

  • DHCP server and DHCP client [SRX Series]—The DHCP server and DHCP client include chassis cluster support for high-end SRX Series devices in addition to branch SRX Series devices.

    [See Administration Guide for Security Devices.]

Flow-Based and Packet-Based Processing

  • LAG support in services-offload mode [High-end SRX Series]—LAGs are supported in services-offload mode. LAG combines links and provides increased bandwidth and link availability. Services offloading reduces packet latency by processing and forwarding packets in the network processor instead of in the SPU. Supporting aggregation of links in the services-offload mode combines the benefits of both these features and provides enhanced throughput, link redundancy, and reduced packet latency.

    [See Services Offloading Overview.]

  • Services offloading [SRX5600 and SRX5800]—The following services offloading features are supported:
    • Per-wing statistics counters
    • Services-offload traffic across different network processors
    • End-to-end debugging in services-offload mode

    [See Services Offloading Overview and Example: Configuring an NPC on SRX3000 Line Devices or SRX1400 Devices to Support Services Offloading.]

General Packet Radio Service (GPRS)

  • SCTP IPv6 support [High-end SRX Series]—The SCTP module allows you to configure the SCTP profile with an IPv6 address and then process the IPv6 traffic. The SCTP module checks every extension header until it finds the SCTP header and then processes the SCTP header and ignores all the other headers.

    An SCTP endpoint can be a multihomed host with either all IPv4 addresses or all IPv6 addresses. An SCTP endpoint also supports NAT-PT in two directions, from an IPv4 address format to an IPv6 address format, and vice versa.

    [See General Packet Radio Service Feature Guide for Security Devices.]

  • SCTP multichunk inspection [High-end SRX Series]—The SCTP firewall checks all chunks in a message and then permits or drops the packet based on the policy. You can enable the SCTP multichunk inspection and disable the SCTP chunk inspection to check only the first chunk. If a data chunk is not allowed to pass through the SCTP profile because of protocol blocking or rate limiting, the SCTP firewall resets this chunk to a null PDU and continues to check the next chunk. If all chunks in a packet are null PDUs, the SCTP firewall drops the packet.

    [See General Packet Radio Service Feature Guide for Security Devices.]

Interfaces and Chassis

  • Promiscuous mode support on the SRX5K-MPC [SRX5400, SRX5600, SRX5800]—Promiscuous mode function is supported on the SRX5000 line MPC (SRX5K-MPC) on 1-Gigabit, 10-Gigabit, 40-Gigabit, and 100-Gigabit Ethernet interfaces on the MICs.

    By default, an interface enables MAC filtering. You can configure promiscuous mode on the interface to disable MAC filtering. When you delete the promiscuous mode configuration, the interface will perform MAC filtering again. You can change the MAC address of the interface even when the interface is operating in promiscuous mode. When the interface is operating in normal mode again, the MAC filtering function on MPC uses the new MAC address to filter packets.

    [See Understanding Promiscuous Mode on Ethernet Interfaces.]


  • Improved browser support for J-Web [SRX Series]—J-Web is enhanced to support modern browsers like Microsoft Internet Explorer version 8.0, 9.0, and 10.0, Mozilla Firefox version 23+, and Google Chrome version 28+ to provide cross-platform browser compatibility.

    The following tables shows the browser support for J-Web application.

    Table 1: Browser Compatibility on SRX Series Devices



    Supported Browsers

    Recommended Browser

    SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800


    • Microsoft Internet Explorer version 8.0, 9.0, and 10.0
    • Mozilla Firefox version 23+
    • Google Chrome version 28+

    Mozilla Firefox version 23+

  • J-Web support for chassis cluster wizard [SRX Series]—A new J-Web wizard is introduced to support chassis clustering. J-Web provides a step-by-step wizard that assists in setting up chassis cluster with a default basic configuration.
  • J-Web UI improvements [SRX Series]—The J-Web user interface is improved for better usability.

    The following navigational changes are made to the Configuration tab:

    • Additional filter options are enabled on the Interface Configuration page.
    • Layout of the Zones and Screens page is enhanced.
    • A few menu items are renamed for clarity.
    • New buttons are introduced for launching wizards.
    • Application tracking (previously on the Security Logging page) is moved to the Application Tracking Configuration page.

    The Dashboard tab includes a link for setting the rescue configuration.

Layer 2 Features

  • Layer 2 transparent mode support on the SRX5K-MPC [SRX5400, SRX5600, SRX5800]—Layer 2 transparent mode is supported on the SRX5000 line MPC (SRX5K-MPC).

    When the SRX5K-MPC is operating in Layer 2 mode, you can configure all interfaces on the SRX5K-MPC as Layer 2 bridging ports to support Layer 2 traffic.

    The SPU supports all security services for Layer 2 bridging functions, and the MPC delivers the ingress packets to the SPU and forwards the egress packets that are encapsulated by the SPU to the outgoing interfaces.

    [See Layer 2 Bridging and Transparent Mode Overview.]


  • Layer 3 multicast functionality on the SRX5K-MPC [SRX5400, SRX5600, and SRX5800]—Layer 3 multicast functionality is supported on the SRX5000 line MPC (SRX5K-MPC).

    The SRX5K-MPC collaborates with the Routing Engine, central point, and SPU to support the following Layer 3 multicast functionality:

    • Supports IP multicast routing protocols for forwarding multicast traffic
    • Establishes and coordinates operations between multicast shared trees and shortest-path tree (SPT)
    • Forwards and receives IP multicast traffic

    [See Multicast Feature Guide for Security Devices.]

Network Address Translation (NAT)

  • Increased IP address pool limit [SRX5400, SRX5600, and SRX5800]—This feature is only supported on SRX5000 line with the SPC II (SRX5K-SPC-4-15-320). This feature increases the maximum number of IP addresses for NAT bindings to 1,000,000 from 12,000. When using more than 12,000 IP addresses, configure the twin port range to limit the number of ports.
  • Port block allocation [High-end SRX Series]—This feature allocates ports to subscribers in blocks and generates logs during block allocation or release. Deterministic port block allocation allows the mapping of a subscriber’s IP address to an external address and port number using predefined algorithms. This feature reduces excessive log generation.

    To configure port block allocation, include the block-size, max-blocks-per-host, block-active-timeout, and log statements at the [edit security nat pool pool-name port block-allocation ] hierarchy level.

    To configure deterministic port block allocation, include the block-size and host statements at the [edit security source pool pool-name port deterministic ] hierarchy level.

  • Source and destination NAT rule application [SRX Series]—The rule match criteria for source and destination NAT includes a new application option. This option enables you to configure up to 3072 application terms per rule. In addition, you can configure up to 8 single destination ports or port ranges with the rule match destination-port option. Previously, you could configure only a single port or port range.

    [See match (Security Destination NAT) and match (Security Source NAT).]

  • Twin port configuration [SRX5400, SRX5600, and SRX5800]—This feature lets you configure the twin port range for source NAT pools to avoid port overloading. The maximum number of translation ports is 384 million. The default twin port range is 2048, which accommodates 12,000 IP addresses.

    To set the global default twin port range for all source pools, use the set security nat source pool-default-twin-port-range low to high statement.

    To set the twin port range for a specific pool, use the set security nat source pool pool-name port range twin-port low to high statement.

    Note: If the twin port range is configured for a smaller range, then attackers can more easily predict the translated port.

Network Management and Monitoring

  • IP monitoring of reth interface LAGs [High-end SRX Series]—In addition to the reth interface, IP monitoring through a redundant LAG is supported to take advantage of both throughput and redundancy.

    IP monitoring checks the end-to-end connectivity of configured IP addresses and allows a redundancy group to automatically fail over when the monitored IP address is not reachable through the reth interface. Both the primary and secondary devices in the chassis cluster monitor specific IP addresses to determine whether an upstream device in the network is reachable.

    [See IP Monitoring Overview.]

  • IP monitoring with interface as next-hop option [SRX Series]—IP monitoring enables you to configure a static route with a P2P interface as a next-hop action when IP monitoring has failed.

    The following added functions support the track-ip option:

    • Next-hop type checking: IP address or interface.
    • Interface type checking for next-hop. Only a P2P interface is supported; an error message results when the configuration is committed.
    • You can use the interface as a next-hop to construct route parameters and call RPD API to add a static route; log route addition results.
    • You can use existing code to delete the route when the primary route recovers.

    [See show services ip-monitoring status.]

Port Security

  • UDP port scan protection [SRX Series]—The UDP port scanning feature is similar to TCP port scanning in capabilities, user commands, and operational implementation. The UDP port scanning option is disabled by default. The default threshold period value is 5000 microseconds. You can manually set the threshold period value, which ranges from 1000 to 1,000,000 microseconds. This feature protects against DDoS attacks on some exposed public UDP services by allowing fewer than 10 new sessions in the configured threshold period for each zone and source IP.

    [See Understanding Port Scanning.]

Public Key Infrastructure (PKI)

  • Online Certificate Status Protocol (OCSP) [SRX Series]—OCSP, like CRL, checks the revocation status of X509 certificates. Requests are sent to the OCSP server(s) configured in a CA profile with the oscp url statement at the [edit security pki ca-profile profile-name revocation-check] hierarchy level. The use-ocsp option must also be configured. If there is no response from the OCSP server, the request is then sent to the location specified in the certificate's AuthorityInfoAccess extension.

    [See Understanding Online Certificate Status Protocol.]

Routing Protocols

  • OSPFv3 IPsec authentication and confidentiality [SRX Series]—OSPF for IPv6, also known as OSPF version 3 (OSPFv3), does not have built-in authentication to ensure that routing packets are not altered and re-sent to the router. IPsec can be used to secure OSPFv3 interfaces and virtual links and provide encryption for OSPF packets.

    To configure IPsec for OSPF/OSPFv3, define a security association (SA) with the security-association sa-name configuration option at the [edit security ipsec] hierarchy level. The configured SA is then applied it to the OSPF/OSPFv3 interface or virtual link configuration.

[See Understanding OSPF and OSPFv3 Authentication on SRX Series Devices.]


  • TCP support for DNS [SRX Series]—Prior to Junos OS Release 12.1X47-D10, DNS resolution was performed with UDP as a transport. Messages carried by UDP are restricted to 512 bytes; longer messages are truncated and the traffic class (TC) bit is set in the header. The maximum length of UDP DNS response messages is 512 bytes and the maximum length of TCP DNS response message is 65,535 bytes. A DNS resolver knows whether the response is complete if the TC bit when it is set in the header.

    [See Reconnaissance Deterrence Feature Guide for Security Devices.]

Security Policy

  • Integrated user firewall [SRX Series]—This feature retrieves user-to-IP address mappings from the Windows Active Directory to use as match criteria in firewall policies. The SRX Series device polls the event log of the Active Directory Controller (ADC) to determine who has logged on. The username and group are queried from the LDAP service in the ADC. The SRX Series device uses the IP address, username, and group information to generate authentication entries that the UserFW module uses to enforce user-based and group-based policy control over traffic.
  • Multiple zones for policies [SRX Series]—This feature enables you to configure multiple source zones and multiple destination zones in one global policy. Previously, you had to create a separate policy for each from-zone/to-zone pair, even when other attributes, such as source-address or destination-address were identical.

    [See Global Policy Overview.]

Unified Threat Management (UTM)

  • Downloadable Kaspersky scan engine [Branch SRX Series]—The Kaspersky scan engine is provided as a downloadable UTM module instead of a preinstalled, module in UTM.

    To use this feature, your SRX Series device must have an active UTM license. When you install the KAV license the system automatically downloads the Kaspersky module from the Juniper Networks server and runs it.

    When you set the antivirus type to KAV, and if the SRX Series device had a preinstalled Kaspersky engine, then the downloaded module replaces the original module on the device. Regardless of the UTM license status, when the KAV license is deleted from the device, the Kaspersky engine and all files associated with KAV are removed from the system immediately.

    [See Full Antivirus Protection Overview.]

  • UTM license enforcement [SRX Series]—License enforcement is supported for UTM features, including Sophos antivirus, enhanced Web filtering, and antispam filtering on all high-end SRX Series devices in addition to branch SRX Series devices. You can add or remove UTM licenses on SRX Series devices. Each feature license is tied to exactly one software feature and is valid for exactly one device.

    Table 2 lists the license modules and the license names.

    Table 2: UTM License Information

    UTM Module

    License Name







    [See License Enforcement.]

  • UTM on next-generation SPC [SRX5400, SRX5600, and SRX5800]—This feature provides support for UTM features, including Sophos antivirus, content filtering, antispam, and enhanced Web filtering on next-generation SPCs.


  • HMAC-SHA-256-128 authentication [High-end SRX Series]—HMAC-SHA-256-128 authentication is supported for IPsec proposals and manual security associations on high-end SRX Series devices. You can specify the hmac-sha-256-128 option at the [edit security ipsec proposal proposal-name] and the [edit security ipsec vpn vpn-name manual] hierarchy levels.

[See authentication (Security IPsec) and authentication-algorithm (Security IPsec).]

Related Documentation

Modified: 2016-11-30