New and Changed Features
This section describes the new features and enhancements to existing features in Junos OS Release 12.1X47 for the SRX Series.
Release 12.1X47-D45 Software Features
Interfaces
- G.993.5 Vectoring support for VDSL modules on SRX Series devices—Starting with Junos OS Release 12.1X47-D45, firmware version v2.16.0 is available for SRX-MP-1VDSL-A to support VDSL vectoring. Vectoring on VDSL reduces crosstalk and increases network bandwidth.
[For more information, see Upgrading the VDSL PIC Firmware in the Junos OS Release 15.1X49-D50 Feature Guide.]
Release 12.1X47-D30 Software Features
Chassis Cluster
- Increasing IP monitoring capacity for SRX5000 Line Devices MICs (IOC2)—Starting with Junos OS Release 12.1X47-D30, the following IOC2 MICs on SRX5000 line devices support IP monitoring on both the primary and secondary nodes:
- MIC with 20x1GE SFP Interfaces (SRX-MIC-20GE-SFP)—20 ports
- MIC with 10x10GE SFP+ Interfaces (SRX-MIC-10XG-SFPP)—10 ports
- MIC with 1x100GE CFP Interface (SRX-MIC-1X100G-CFP)—1 port
- MIC with 2x40GE QSFP+ Interfaces (SRX-MIC-2X40G-QSFP)—2 ports
IP monitoring checks the end-to-end connectivity of configured IP addresses and allows a redundancy group to automatically fail over when the monitored IP address is not reachable through the reth interface. Both the primary and secondary nodes in the chassis cluster monitor specific IP addresses to determine whether an upstream device in the network is reachable.
Release 12.1X47-D20 Software Features
System Logging
- TCP/TLS support for real-time logging for SRX Series devices—Starting in Junos OS Release 12.1X47-D20, a secure mechanism, enabled through a plug-in during system initialization, encrypts and transports data plane syslog messages to TLS-capable syslog receivers (such as the Juniper Networks STRM or a standards-based third-party device) over TCP on all branch SRX Series devices in addition to high-end SRX Series devices. The SPU generates the log data. By default, port 514 is used for TCP logging and port 6514 is used for TLS logging. Acting as a log client, the device initiates the TCP/TLS connection to the log server.
[See the “Syslog Messages” section in the Junos OS 12.1X47-D20 Release Feature Guide.]
Release 12.1X47-D15 Hardware Features
Interfaces and Chassis
- Enhanced support for Switch Control Board and Routing Engine—Starting with Junos OS Release 12.1X47-D15, the SRX5400, SRX5600, and SRX5800 support the next-generation SCB (SRX5K-SCBE) and Routing Engine (SRX5K-RE-1800X4), providing a 120-Gbps per slot line rate, faster configuration processing, route convergence, and policy compilation, in addition to greater scalability and performance. The SRX5K-SCBE provides higher capacity traffic support, greater interface density, and improved services. The SRX5K-RE-1800X4 provides the interface for user access and system management, in addition to managing routing tables, routing protocols, device interfaces, and chassis components. The Routing Engine also has secondary storage through a 128-GB solid-state drive, providing additional storage for Junos images.
[See Switch Control Board SRX5K-SCBE and Routing Engine SRX5K-RE-1800X4.]
Release 12.1X47-D15 Software Features
Application Identification and Tracking
- SSL proxy support for SRX240, SRX550, and SRX650 devices—Starting with Junos OS Release 12.1X47-D15, SRX240, SRX550, and SRX650 devices can decrypt and inspect SSL encrypted traffic for features such as AppSecure and IDP. SSL proxy ensures the secure transmission of data between a client and a server through a combination of privacy, authentication, confidentiality, and data integrity.
[See SSL Proxy Overview.]
Authentication, Authorization and Accounting (AAA)
- RADIUS functionality over IPv6 for system AAA for SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices—Starting with Junos OS Release 12.1X47-D15, RADIUS functionality supports IPv6 for system authentication, authorization, and accounting (AAA) in addition to the existing RADIUS functionality over IPv4 for system AAA. With this feature, Junos OS users can log in to the device authenticated through RADIUS over an IPv6 network. Thus, Junos OS users can now configure both IPv4 and IPv6 RADIUS servers for AAA.
[See the “Authentication, Authorization, and Accounting” section in the Junos OS 12.1X47-D15 Feature Guide.]
Chassis Cluster
- Encrypted control link [High-end SRX Series]—The existing control link access is enhanced to prevent attackers from logging in to the system through the control link without authentication, because Telnet access is disabled. The chassis cluster control link supports an optional encryption feature that you can configure and activate. Using IPsec for internal communication between the devices, the configuration information that passes through the chassis cluster link from the primary node to the secondary node is encrypted. Without the internal IPsec key, an attacker cannot gain privileged access or observe the traffic. To configure this feature, use the set security ipsec internal security-association manual encryption ike-ha-link-encryption enable configuration command. To enable this feature, use the request security internal-security-association refresh command at the console.
Flow-Based and Packet-Based Processing
- Data path debugging on the SRX5000 line MPC for SRX5400, SRX5600, SRX5800—Starting with Junos OS Release 12.1X47-D15, data path debugging provides tracing and debugging at multiple processing units along the packet-processing path. The packet filter can be executed with minimal impact to the production system.
On a high-end SRX Series device, a packet goes through a series of events involving different components from ingress to egress processing. With the data path debugging feature, you can trace and debug (capture packets) at different data points along the processing path. At each event, you can specify an action (count, packet dump, packet summary, and trace) and set filters to define what packets to capture.
[See "Understanding Data Path Debugging for SRX Series Devices" and "Example: Configuring End-to-End Debugging on a High-End SRX Series Device" in the Junos OS Release 12.1X47-D15 Feature Guide.]
General Routing
- SRX5K-RE-1800X4 for SRX5400, SRX5600, and SRX5800 devices—Starting with Junos OS Release 12.1X47-D15, the SRX5K-RE-1800X4 Routing Engine is introduced.
The SRX5K-RE-1800X4 has an Intel Quad core Xeon processor, 16 GB of DRAM, and a 128-GB solid-state drive (SSD).
The number 1800 refers to the speed of the processor (1.8 GHz). The maximum required power for this Routing Engine is 90W.
The SRX5K-RE-1800X4 has the following features:
- Increased CPU power provides higher control plane scalability.
Note: The SRX5K-RE-1800X4 provides significantly better performance than the previously used Routing Engine, even with a single core.
- Memory address space is increased from 2 GB to 4 GB.
- The SSD provides superior reliability.
The part number and model number for the SRX5K-RE-1800X4 can be viewed using the following CLI commands:
- show chassis hardware
- show chassis hardware models
Interfaces and Chassis
- Switch Control Board II for SRX5400, SRX5600, and SRX5800—Starting with Junos OS Release 12.1X47-D15, the Switch Control Board (SCB) II (SRX5K-SCBE) is introduced.
SCB II (SRX5K-SCBE) has the following features:
- Used in the SCB slot.
- Supports 160-Gbps redundant raw fabric throughput per FPC slot. The SCB I (SRX5K-SCB) supports 80 Gbps. This new fabric capability enables the IOC II (SRX5K-MPC) to reach its maximum throughput of 120 Gbps and to achieve a line rate of 100-Gbps interfaces.
- In-service hardware upgrade (ISHU) from SRX5K-SCB to SRX5K-SCBE is supported in chassis cluster mode.
- The SRX5K-SCBE uses a serializer/deserializer (SerDes) link speed of 6.22 Gbps between an SRX5K-MPC and the SRX5K-SCBE. The fabric interface has enough bandwidth to support a line speed of 100-Gbps Ethernet interfaces.
Note: Fabric Bandwidth Increasing Mode, which the SRX5K-SCB supports in combination with the SPC II (SRX5K-SPC-4-15-320), is not supported on the SRX5K-SCBE.
- The SRX5K-SPC-4-15-320 fabric interface runs at a 3.11-Gbps SerDes link speed (the same as the SPC I).
- If an IOC I and an SPC I are plugged into a chassis with an SRX5K-SCBE, those cards remain offline. Both an SRX5K-MPC and an SRX5K-SPC-4-15-320 are required to operate with an SRX5K-SCBE.
To display new SRX5K-SCBE information, use the following CLI commands:
- show chassis hardware
- show chassis environment cb
To request that an SCB II go online or offline, use the request chassis cb (offline | online) slot slot-number CLI command.
Third SCB Supported in SRX5800
There are three SCB slots in SRX5800 devices. The third slot can be used for an SCB or an FPC. When an SRX5K-SCBE is used with an SRX5K-SCB, the third SCB slot can only be used as an FPC slot (FPC 6). SCB redundancy is provided in chassis cluster mode.
With an SRX5K-SCBE, a third SCB is supported. If a third SCB is plugged in, it provides intra-chassis fabric redundancy.
If chassis cluster is enabled and a third SCB is also plugged in, both intra-chassis redundancy and inter-chassis redundancy are provided. If a fabric plane fails or a link error occurs on the active SCB, intra-chassis redundancy occurs first.
If no redundant plane is available in the chassis cluster, inter-chassis redundancy is triggered and all data plane redundancy groups fail over to the other chassis cluster node.
Control Plane
The Ethernet switch in the SRX5K-SCBE provides the Ethernet connectivity among all the FPCs and the Routing Engine. The Routing Engine uses this connectivity to distribute forwarding and routing tables to the FPCs. The FPCs use this connectivity to send exception packets to the Routing Engine.
The Ethernet switch used in the SRX5K-SCBE is Broadcom’s BCM56680. BCM56680 is a Layer 2 and Layer 3 switch-on-a-chip solution. It provides 1-Gbps ports with autonegotiation as well as four 10-Gbps ports.
The Routing Engine also connects to the Ethernet switch through Peripheral Component Interconnect (PCI) for control. The BCM56680’s address space is mapped into PCI address space.
To display control plane details, use the following commands:
- show chassis ethernet-switch
- show chassis ethernet-switch counters
Fabric Function
Fabric connects all FPCs in the data plane. The Fabric Manager executes on the Routing Engine and controls the fabric system in the chassis. Packet Forwarding Engines on the FPC and fabric planes on the SCB are connected through HSL2 channels.
HSL2 can be configured in different modes and different link speeds on each slot.
SCB II supports HSL2 with both 3.11-Gbps and 6.22-Gbps (SerDes) link speed and various HSL2 modes. When an FPC is brought online, the link speed and HSL2 mode are determined by the type of FPC.
To display fabric state, use the following CLI commands:
- show chassis fabric [summary | map | fpcs | plane | plane-location]
- request chassis fabric plane plane-number [offline | online]
IPv6
- IPv6 support for outbound SSH for all high-end SRX Series devices—Starting with Junos OS Release 12.1X47-D15, high-end SRX Series devices configured with IPv6 addresses support outbound SSH connections.
Network Address Translation (NAT)
- NAT64 IPv6 Prefix to IPv4 Address Persistent Translation for SRX Series devices—Starting with Junos OS Release 12.1X46-D15, this feature, which is targeted at IPv6 mobile networks, is used with the dual-translation mechanism, 464XLAT, to enable IPv4 services to work over IPv6-only networks. It augments the existing NAT64 mechanism, which enables IPv6 clients to contact IPv4 servers by translating IPv6 addresses to IPv4 addresses (and vice versa). However, the existing NAT64 mechanism does not ensure a sticky mapping relationship for one unique end user. By configuring the new address-persistent option with a specific IPv6 prefix length for NAT64 translations in an IPv4 source NAT pool, a sticky mapping relationship is ensured between one specific IPv6 prefix and one translated IPv4 address.
[See the “Network Address Translation” section in the Junos OS 12.1X47-D15 Feature Guide.]
Network Management and Monitoring
- Collect vital data on MIB OIDs for all SRX Series devices [SRX Series]—Starting in Junos OS Release 12.1X47-D15, you can collect and configure MIB OID data for later use in reports. You can configure the data collection duration (default is 3 days), the dump file size limit (default is 5 Mbytes for branch SRX Series and 10 Mbytes for high-end SRX Series), and the disk storage limit (default is 80%). If an issue arises, the collected data is examined to help identify its cause. Once you enable a predefined group, the vital data of all OIDs in the group is periodically collected and analyzed. Only critical data is collected when CPU utilization is above 60% but not above 80%. You can also collect raw MIB OID data.
[See the “Network Management and Monitoring” section in the Junos OS 12.1X47-D15 Release Feature Guide.]
Release 12.1X47-D10 Hardware Features
Interfaces and Chassis
- MIC with twenty 1-Gigabit Ethernet SFP ports (SRX-MIC-20GE-SFP) [SRX5400, SRX5600, SRX5800]—MICs install into MPCs to add different combinations of Ethernet interfaces to your services gateway to suit the specific needs of your network.
The SRX-MIC-20GE-SFP can be installed in an MPC to add twenty 1-Gigabit Ethernet small form-factor pluggable (SFP) Ethernet ports.
You can install up to two MICs in the slots in each MPC. The SRX-MIC-20GE-SFP is hot-pluggable. You can remove and replace the MIC without powering off the services gateway, but the routing functions of the system are interrupted when the MIC is removed.
- Support for SFP+ 10-Gigabit and QSFP+ 40-Gigabit Ethernet transceivers [SRX5400, SRX5600, SRX5800]—The following transceivers are supported (transceiver model: description; supported card model):
- SRX-SFPP-10G-LR: SFP+ 10GBASE-LR Gigabit Ethernet optic module, 1310 nm for up to 10 km transmission on single-mode fiber (SMF) cable; supported on SRX-MIC-10XG-SFPP
- SRX-QSFP-40G-LR4: QSFP+ 40GBASE-LR4 Gigabit Ethernet single-mode optic module, 1310 nm for up to 10 km transmission on single-mode fiber (SMF) cable; supported on SRX-MIC-2X40G-QSFP
Release 12.1X47-D10 Software Features
Application Identification and Tracking
- Application-level distributed denial of service [SRX Series]—As announced in Junos OS Release 12.1X46-D10, application-level distributed denial of service is being deprecated in Junos OS Release 12.1X47-D10. This feature will be removed in a future release per the Juniper Networks deprecation process. As a replacement product for this feature, we recommend that you migrate to the Juniper Networks DDoS Secure product line. For more details, contact your sales engineer.
- Default trusted CA certificates for SSL forward proxy [High-end SRX Series]—SSL forward proxy uses trusted CA certificates for server authentication. Junos OS provides a default list of trusted CA certificates that you can easily load onto your system using a default command option. Alternatively, you can continue to use the CA profile feature to define your own list of trusted CA certificates and import them onto your system.
[See Services Offloading Overview.]
- Next-generation application identification [SRX100H2, SRX110H2-VA, SRX110H2-VB, SRX210HE2, SRX210HE2-POE, SRX220H2, SRX220H2-POE, SRX240H2, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800]—Next-generation application identification recognizes Web-based and other applications and protocols at different network layers using characteristics other than port number.
With next-generation application identification, applications are identified by using a downloadable protocol bundle containing application signatures and parsing information. Here, identification is based on protocol behavior and session management.
Next-generation application identification builds on the legacy application identification functionality and provides more effective detection capabilities for evasive applications such as Skype, BitTorrent, and Tor. It improves the accuracy of existing applications, enables dynamic update of the detector engine without requiring Junos OS code upgrade, and increases the application count to around 2900.
[See Application Identification Feature Guide for Security Devices.]
- Next-generation application identification predefined signatures [SRX100H2, SRX110H2-VA, SRX110H2-VB, SRX210HE2, SRX210HE2-POE, SRX220H2, SRX220H2-POE, SRX240H2, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800]—Next-generation application identification eliminates the previously implemented pattern-based matching technology and the particular signature constructs for each application. The new detection mechanism has its own data feed and constructs to identify applications. Next-generation application identification eliminates the generation of nested applications and treats nested applications as normal applications.
[See Application Identification Feature Guide for Security Devices.]
Chassis Cluster
- Autorecovery of fabric link [SRX Series]—The fabric link feature supports autorecovery, which includes the following enhancements:
- Fabric monitoring feature is enabled by default on high-end SRX Series, and hence recovery of fabric link and synchronization takes place automatically.
- If the fabric link goes down, RG1+ becomes ineligible on either the secondary node or the node with failures, by default. The node remains in this state until the fabric link comes up or the other node goes away.
- If the fabric link goes down followed by the control link, then after approximately 66 seconds the secondary node (or the node with failures) assumes that the remote node is dead and takes over as the primary node.
- Enhanced debugging support for chassis cluster [SRX Series]—The chassis cluster debugging functionality has the following enhancements:
- The show chassis cluster status command output includes failure reasons (acronyms and their expansions) when the redundancy group's priority is zero.
- Cleaner jsrpd process includes removing unwanted logs and moving the debug log message from level LOG_INFO to LOG_DEBUG.
- The show chassis cluster information command output displays redundancy group, LED, and monitored failure details.
- SNMP traps send messages when a node's weight goes down and also when it recovers.
- The show chassis cluster ip-monitoring command output displays both the global threshold and the current threshold of each node and displays the weight of each monitored IP address.
- A system log message appears when the control link goes down.
- In-service software upgrade (ISSU) progress display [High-end SRX Series]—ISSU supports a progress indicator. During an upgrade, you can see the progress of an ISSU and the time expected to complete a process. To enable this feature, use the show chassis cluster information issu command at the console. In addition, you can monitor real-time ISSU progress through a new session to collect, report, and display cold synchronization status on SPUs.
[See Understanding the Low-Impact ISSU Process on Devices in a Chassis Cluster.]
- NTP time synchronization in chassis cluster [SRX Series]—Network Time Protocol (NTP) is used to synchronize the time between the Packet Forwarding Engine and the Routing Engine in a standalone device and between two devices in a chassis cluster.
In standalone device and chassis cluster mode, the primary Routing Engine runs the NTP process to get the time from the external NTP server. The secondary Routing Engine uses NTP to get the time from the primary Routing Engine. On both standalone devices and clusters, the Packet Forwarding Engine uses NTP to get the time from the local Routing Engine.
- Sync backup node configuration from primary node [SRX Series]—Chassis cluster supports automatic configuration synchronization. When a secondary node joins a standalone primary node and a chassis cluster is formed, the primary node configuration is copied and applied to the secondary node. This enhancement saves the user from spending time on manual copying of the configuration on both nodes.
Dynamic Host Configuration Protocol (DHCP)
- DHCP server and DHCP client [SRX Series]—The DHCP server and DHCP client include chassis cluster support for high-end SRX Series devices in addition to branch SRX Series devices.
Flow-Based and Packet-Based Processing
- LAG support in services-offload mode [High-end SRX Series]—LAGs are supported in services-offload mode. LAG combines links and provides increased bandwidth and link availability. Services offloading reduces packet latency by processing and forwarding packets in the network processor instead of in the SPU. Supporting aggregation of links in the services-offload mode combines the benefits of both these features and provides enhanced throughput, link redundancy, and reduced packet latency.
[See Services Offloading Overview.]
- Services offloading [SRX5600 and SRX5800]—The following services offloading features are supported:
- Per-wing statistics counters
- Services-offload traffic across different network processors
- End-to-end debugging in services-offload mode
[See Services Offloading Overview and Example: Configuring an NPC on SRX3000 Line Devices or SRX1400 Devices to Support Services Offloading.]
General Packet Radio Service (GPRS)
- SCTP IPv6 support [High-end SRX Series]—The SCTP module allows you to configure the SCTP profile with an IPv6 address and then process the IPv6 traffic. The SCTP module checks every extension header until it finds the SCTP header and then processes the SCTP header and ignores all the other headers.
An SCTP endpoint can be a multihomed host with either all IPv4 addresses or all IPv6 addresses. An SCTP endpoint also supports NAT-PT in two directions, from an IPv4 address format to an IPv6 address format, and vice versa.
[See General Packet Radio Service Feature Guide for Security Devices.]
- SCTP multichunk inspection [High-end SRX Series]—The SCTP firewall checks all chunks in a message and then permits or drops the packet based on the policy. You can enable the SCTP multichunk inspection and disable the SCTP chunk inspection to check only the first chunk. If a data chunk is not allowed to pass through the SCTP profile because of protocol blocking or rate limiting, the SCTP firewall resets this chunk to a null PDU and continues to check the next chunk. If all chunks in a packet are null PDUs, the SCTP firewall drops the packet.
[See General Packet Radio Service Feature Guide for Security Devices.]
Interfaces and Chassis
- Promiscuous mode support on the SRX5K-MPC [SRX5400, SRX5600, SRX5800]—Promiscuous mode function is supported on the SRX5000 line MPC (SRX5K-MPC) on 1-Gigabit, 10-Gigabit, 40-Gigabit, and 100-Gigabit Ethernet interfaces on the MICs.
By default, an interface enables MAC filtering. You can configure promiscuous mode on the interface to disable MAC filtering. When you delete the promiscuous mode configuration, the interface will perform MAC filtering again. You can change the MAC address of the interface even when the interface is operating in promiscuous mode. When the interface is operating in normal mode again, the MAC filtering function on MPC uses the new MAC address to filter packets.
[See Understanding Promiscuous Mode on Ethernet Interfaces.]
J-Web
- Improved browser support for J-Web [SRX Series]—J-Web is enhanced to support modern browsers like Microsoft Internet Explorer version 8.0, 9.0, and 10.0, Mozilla Firefox version 23+, and Google Chrome version 28+ to provide cross-platform browser compatibility.
The following table shows the browser support for the J-Web application.
Table 1: Browser Compatibility on SRX Series Devices
Device: SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800
Application: J-Web
Supported Browsers:
- Microsoft Internet Explorer version 8.0, 9.0, and 10.0
- Mozilla Firefox version 23+
- Google Chrome version 28+
Recommended Browser: Mozilla Firefox version 23+
- J-Web support for chassis cluster wizard [SRX Series]—A new J-Web wizard is introduced to support chassis clustering. J-Web provides a step-by-step wizard that assists in setting up chassis cluster with a default basic configuration.
- J-Web UI improvements [SRX Series]—The J-Web user interface is improved for better usability. The following navigational changes are made to the Configuration tab:
- Additional filter options are enabled on the Interface Configuration page.
- Layout of the Zones and Screens page is enhanced.
- A few menu items are renamed for clarity.
- New buttons are introduced for launching wizards.
- Application tracking (previously on the Security Logging page) is moved to the Application Tracking Configuration page.
The Dashboard tab includes a link for setting the rescue configuration.
Layer 2 Features
- Layer 2 transparent mode support on the SRX5K-MPC [SRX5400, SRX5600, SRX5800]—Layer 2 transparent mode is supported on the SRX5000 line MPC (SRX5K-MPC).
When the SRX5K-MPC is operating in Layer 2 mode, you can configure all interfaces on the SRX5K-MPC as Layer 2 bridging ports to support Layer 2 traffic.
The SPU supports all security services for Layer 2 bridging functions, and the MPC delivers the ingress packets to the SPU and forwards the egress packets that are encapsulated by the SPU to the outgoing interfaces.
Multicast
- Layer 3 multicast functionality on the SRX5K-MPC [SRX5400, SRX5600, and SRX5800]—Layer 3 multicast functionality is supported on the SRX5000 line MPC (SRX5K-MPC).
The SRX5K-MPC collaborates with the Routing Engine, central point, and SPU to support the following Layer 3 multicast functionality:
- Supports IP multicast routing protocols for forwarding multicast traffic
- Establishes and coordinates operations between multicast shared trees and shortest-path tree (SPT)
- Forwards and receives IP multicast traffic
Network Address Translation (NAT)
- Increased IP address pool limit [SRX5400, SRX5600, and SRX5800]—This feature is only supported on SRX5000 line with the SPC II (SRX5K-SPC-4-15-320). This feature increases the maximum number of IP addresses for NAT bindings to 1,000,000 from 12,000. When using more than 12,000 IP addresses, configure the twin port range to limit the number of ports.
- Port block allocation [High-end SRX Series]—This feature allocates ports to subscribers in blocks and generates logs during block allocation or release. Deterministic port block allocation allows the mapping of a subscriber’s IP address to an external address and port number using predefined algorithms. This feature reduces excessive log generation.
To configure port block allocation, include the block-size, max-blocks-per-host, block-active-timeout, and log statements at the [edit security nat pool pool-name port block-allocation] hierarchy level.
To configure deterministic port block allocation, include the block-size and host statements at the [edit security source pool pool-name port deterministic] hierarchy level.
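The following is an added illustration of the deterministic mapping described above; it is not Junos OS code, and the sequential assignment order (hosts in address order, blocks filled per external address) is an assumption, since the release notes do not describe the actual algorithm. The point it demonstrates is why deterministic allocation reduces logging: given only the pool parameters, an investigator can recompute which internal host held a given external address and port without a per-session NAT log.

```python
"""Illustrative deterministic port block allocation (constructed example,
not Junos OS code). Each internal host maps to exactly one external address
and one fixed port block; the mapping is a pure function of the pool
parameters, so it can be recomputed later in both directions."""
import ipaddress


class DeterministicPortBlocks:
    def __init__(self, internal_net, external_addrs, block_size=256,
                 port_low=1024, port_high=65535):
        # Internal hosts in address order (assumed ordering, see lead-in).
        self.hosts = list(ipaddress.ip_network(internal_net).hosts())
        self.host_index = {h: i for i, h in enumerate(self.hosts)}
        self.externals = [ipaddress.ip_address(a) for a in external_addrs]
        self.block_size = block_size
        self.port_low = port_low
        # Whole blocks that fit in one external address's port range.
        self.blocks_per_addr = (port_high - port_low + 1) // block_size
        capacity = self.blocks_per_addr * len(self.externals)
        if len(self.hosts) > capacity:
            raise ValueError(
                f"{len(self.hosts)} hosts exceed {capacity} available port blocks")

    def block_for(self, host):
        """Return (external address, first port, last port) for an internal host."""
        idx = self.host_index[ipaddress.ip_address(host)]
        ext = self.externals[idx // self.blocks_per_addr]
        first = self.port_low + (idx % self.blocks_per_addr) * self.block_size
        return str(ext), first, first + self.block_size - 1

    def host_for(self, external, port):
        """Reverse lookup: which internal host owned this external address/port?"""
        ext_idx = self.externals.index(ipaddress.ip_address(external))
        block_idx = (port - self.port_low) // self.block_size
        if not 0 <= block_idx < self.blocks_per_addr:
            raise ValueError("port outside the allocatable range")
        idx = ext_idx * self.blocks_per_addr + block_idx
        if idx >= len(self.hosts):
            raise ValueError("port block is not assigned to any host")
        return str(self.hosts[idx])


# Constructed sample pool: a /24 of subscribers behind two external addresses.
POOL = DeterministicPortBlocks("10.0.0.0/24",
                               ["203.0.113.10", "203.0.113.11"],
                               block_size=256)
```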
- Source and destination NAT rule application [SRX Series]—The rule match criteria for source and destination NAT includes a new application option. This option enables you to configure up to 3072 application terms per rule. In addition, you can configure up to 8 single destination ports or port ranges with the rule match destination-port option. Previously, you could configure only a single port or port range.
[See match (Security Destination NAT) and match (Security Source NAT).]
- Twin port configuration [SRX5400, SRX5600, and SRX5800]—This feature lets you configure the twin port range for source NAT pools to avoid port overloading. The maximum number of translation ports is 384 million. The default twin port range is 2048, which accommodates 12,000 IP addresses.
To set the global default twin port range for all source pools, use the set security nat source pool-default-twin-port-range low to high statement.
To set the twin port range for a specific pool, use the set security nat source pool pool-name port range twin-port low to high statement.
Note: If the twin port range is configured for a smaller range, then attackers can more easily predict the translated port.
Network Management and Monitoring
- IP monitoring of reth interface LAGs [High-end SRX Series]—In addition to the reth interface, IP monitoring through a redundant LAG is supported to take advantage of both throughput and redundancy.
IP monitoring checks the end-to-end connectivity of configured IP addresses and allows a redundancy group to automatically fail over when the monitored IP address is not reachable through the reth interface. Both the primary and secondary devices in the chassis cluster monitor specific IP addresses to determine whether an upstream device in the network is reachable.
[See IP Monitoring Overview.]
- IP monitoring with interface as next-hop option [SRX Series]—IP monitoring enables you to configure a static route with a P2P interface as a next-hop action when IP monitoring has failed.
The following added functions support the track-ip option:
- Next-hop type checking: IP address or interface.
- Interface type checking for the next hop: only a P2P interface is supported, and an error message results when the configuration is committed with another interface type.
- The interface can be used as the next hop to construct the route parameters and call the RPD API to add the static route; the result of the route addition is logged.
- Existing code is used to delete the route when the primary route recovers.
Port Security
- UDP port scan protection [SRX Series]—The UDP port scanning feature is similar to TCP port scanning in capabilities, user commands, and operational implementation. The UDP port scanning option is disabled by default. The default threshold period value is 5000 microseconds. You can manually set the threshold period value, which ranges from 1000 to 1,000,000 microseconds. This feature protects against DDoS attacks on some exposed public UDP services by allowing fewer than 10 new sessions in the configured threshold period for each zone and source IP.
[See Understanding Port Scanning.]
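The detection rule above (fewer than 10 new UDP sessions per zone and source IP within one threshold period, default 5000 microseconds, configurable between 1000 and 1,000,000) as an added model run over constructed session records. This is an illustration, not the SRX screen implementation; the sliding-window bookkeeping is an assumption about how such a threshold can be evaluated, and the sample sessions are constructed.

```python
"""Illustrative model of the UDP port-scan threshold (constructed example,
not Junos OS code). A session record is (timestamp_us, zone, source_ip,
dest_port). A source is flagged when one (zone, source_ip) pair opens 10 or
more new sessions within a single threshold period."""
from collections import defaultdict, deque

DEFAULT_THRESHOLD_US = 5000      # default threshold period from the release notes
MIN_THRESHOLD_US = 1000          # configurable range from the release notes
MAX_THRESHOLD_US = 1_000_000
MAX_NEW_SESSIONS = 10            # "fewer than 10 new sessions" are allowed


class UdpScanDetector:
    def __init__(self, threshold_us=DEFAULT_THRESHOLD_US):
        if not MIN_THRESHOLD_US <= threshold_us <= MAX_THRESHOLD_US:
            raise ValueError("threshold period must be 1000..1000000 microseconds")
        self.threshold_us = threshold_us
        # Sliding window of session start times, keyed per (zone, source_ip).
        self._windows = defaultdict(deque)

    def observe(self, ts_us, zone, src_ip):
        """Record a new UDP session; return True if it reaches the threshold."""
        window = self._windows[(zone, src_ip)]
        # Drop sessions that started a full threshold period ago or earlier.
        while window and ts_us - window[0] >= self.threshold_us:
            window.popleft()
        window.append(ts_us)
        return len(window) >= MAX_NEW_SESSIONS


def scan_sources(sessions, threshold_us=DEFAULT_THRESHOLD_US):
    """Return the set of (zone, source_ip) pairs that trip the scan threshold."""
    detector = UdpScanDetector(threshold_us)
    flagged = set()
    for ts_us, zone, src_ip, _dport in sorted(sessions):
        if detector.observe(ts_us, zone, src_ip):
            flagged.add((zone, src_ip))
    return flagged


# Constructed sample: one host probing 12 ports 250 us apart (a scan), and one
# client resolving DNS every 2 ms (legitimate traffic to a single port).
SAMPLE_SESSIONS = (
    [(1_000 + 250 * i, "untrust", "198.51.100.7", 1000 + i) for i in range(12)]
    + [(1_000 + 2_000 * i, "untrust", "203.0.113.9", 53) for i in range(6)]
)
```

Lowering the threshold period to 1000 microseconds lets the same probing host through, which is the trade-off the configurable range exposes.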
Public Key Infrastructure (PKI)
- Online Certificate Status Protocol (OCSP) [SRX Series]—OCSP, like CRL, checks the revocation status of X.509 certificates. Requests are sent to the OCSP server(s) configured in a CA profile with the ocsp url statement at the [edit security pki ca-profile profile-name revocation-check] hierarchy level. The use-ocsp option must also be configured. If there is no response from the OCSP server, the request is then sent to the location specified in the certificate's AuthorityInfoAccess extension.
Routing Protocols
- OSPFv3 IPsec authentication and confidentiality [SRX Series]—OSPF for IPv6, also known as OSPF version 3 (OSPFv3), does not have built-in authentication to ensure that routing packets are not altered and re-sent to the router. IPsec can be used to secure OSPFv3 interfaces and virtual links and provide encryption for OSPF packets.
To configure IPsec for OSPF/OSPFv3, define a security association (SA) with the security-association sa-name configuration option at the [edit security ipsec] hierarchy level. The configured SA is then applied to the OSPF/OSPFv3 interface or virtual link configuration.
[See Understanding OSPF and OSPFv3 Authentication on SRX Series Devices.]
Security
- TCP support for DNS [SRX Series]—Prior to Junos OS Release 12.1X47-D10, DNS resolution was performed with UDP as a transport. Messages carried by UDP are restricted to 512 bytes; longer messages are truncated and the traffic class (TC) bit is set in the header. The maximum length of UDP DNS response messages is 512 bytes and the maximum length of TCP DNS response messages is 65,535 bytes. A DNS resolver knows that a response is incomplete when the TC bit is set in its header.
[See Reconnaissance Deterrence Feature Guide for Security Devices.]
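An added example, not code from the release notes or from Junos OS, of the two mechanics the entry relies on: reading the TC bit from a DNS header to decide that a UDP answer was cut at 512 bytes, and the two-byte length framing that carries a DNS message of up to 65,535 bytes over TCP. The sample messages are constructed inline; only their headers are meaningful.

```python
"""DNS header inspection and TCP framing (constructed example, not Junos
OS code). The header layout and the TCP length prefix follow RFC 1035."""
import struct

UDP_DNS_MAX = 512      # maximum UDP DNS response length stated in the entry
TCP_DNS_MAX = 65535    # maximum TCP DNS response length stated in the entry
FLAG_QR = 0x8000       # response (vs. query) bit in the 16-bit flags word
FLAG_TC = 0x0200       # TC bit: set when the answer was truncated


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header: id, flags, and the four section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_response: bytes) -> bool:
    """True when a UDP answer carries TC=1, so the query must be repeated over TCP."""
    hdr = parse_header(udp_response)
    return hdr["qr"] and hdr["tc"]


def tcp_frame(message: bytes) -> bytes:
    """Prefix a DNS message with its big-endian 16-bit length for TCP transport."""
    if len(message) > TCP_DNS_MAX:
        raise ValueError("DNS message exceeds the TCP maximum")
    return struct.pack("!H", len(message)) + message


def tcp_unframe(stream: bytes) -> bytes:
    """Extract one length-prefixed DNS message from the start of a TCP byte stream."""
    if len(stream) < 2:
        raise ValueError("stream too short for a length prefix")
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("incomplete DNS message on the TCP stream")
    return stream[2:2 + length]


def build_header(ident: int, qr: bool = True, tc: bool = False, ancount: int = 0) -> bytes:
    """Build a 12-byte header with one question and the given flags (test helper)."""
    flags = (FLAG_QR if qr else 0) | (FLAG_TC if tc else 0)
    return struct.pack("!6H", ident, flags, 1, ancount, 0, 0)


# Constructed: a UDP answer cut at exactly 512 bytes with TC set, and the full
# 1512-byte answer that only fits over TCP. The zero padding stands in for the
# question and resource records, which this example does not decode.
TRUNCATED_UDP = build_header(0x1234, tc=True, ancount=3) + b"\x00" * (UDP_DNS_MAX - 12)
FULL_ANSWER = build_header(0x1234, tc=False, ancount=40) + b"\x00" * 1500
```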
Security Policy
- Integrated user firewall [SRX Series]—This feature retrieves user-to-IP address mappings from the Windows Active Directory to use as match criteria in firewall policies. The SRX Series device polls the event log of the Active Directory Controller (ADC) to determine who has logged on. The username and group are queried from the LDAP service in the ADC. The SRX Series device uses the IP address, username, and group information to generate authentication entries that the UserFW module uses to enforce user-based and group-based policy control over traffic.
- Multiple zones for policies [SRX Series]—This feature enables you to configure multiple source zones and multiple destination zones in one global policy. Previously, you had to create a separate policy for each from-zone/to-zone pair, even when other attributes, such as source-address or destination-address, were identical.
[See Global Policy Overview.]
Unified Threat Management (UTM)
- Downloadable Kaspersky scan engine [Branch SRX Series]—The Kaspersky scan engine is provided as a downloadable UTM module instead of a preinstalled module in UTM.
To use this feature, your SRX Series device must have an active UTM license. When you install the KAV license, the system automatically downloads the Kaspersky module from the Juniper Networks server and runs it.
When you set the antivirus type to KAV, and if the SRX Series device had a preinstalled Kaspersky engine, the downloaded module replaces the original module on the device. Regardless of the UTM license status, when the KAV license is deleted from the device, the Kaspersky engine and all files associated with KAV are removed from the system immediately.
- UTM license enforcement [SRX Series]—License enforcement is supported for UTM features, including Sophos antivirus, enhanced Web filtering, and antispam filtering on all high-end SRX Series devices in addition to branch SRX Series devices. You can add or remove UTM licenses on SRX Series devices. Each feature license is tied to exactly one software feature and is valid for exactly one device.
Table 2 lists the license modules and the license names.
Table 2: UTM License Information (UTM module: license name)
- SAV: av_key_sophos_engine
- AS: anti_spam_key_sbl
- EWF: wf_key_websense_ewf
[See License Enforcement.]
- UTM on next-generation SPC [SRX5400, SRX5600, and SRX5800]—This feature provides support for UTM features, including Sophos antivirus, content filtering, antispam, and enhanced Web filtering on next-generation SPCs.
VPN
- HMAC-SHA-256-128 authentication [High-end SRX Series]—HMAC-SHA-256-128 authentication is supported for IPsec proposals and manual security associations on high-end SRX Series devices. You can specify the hmac-sha-256-128 option at the [edit security ipsec proposal proposal-name] and the [edit security ipsec vpn vpn-name manual] hierarchy levels.
[See authentication (Security IPsec) and authentication-algorithm (Security IPsec).]
Related Documentation
- Changes in Behavior and Syntax
- Known Behavior
- Known Issues
- Resolved Issues
- Documentation Updates
- Migration, Upgrade, and Downgrade Instructions