Changes in Behavior and Syntax

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 12.1X47 for the SRX Series.

Application Identification and Tracking

  • Next-generation application identification eliminates the generation of new nested applications and treats existing nested applications as single applications. In addition, next-generation application identification does not support custom applications or custom application groups.

    Existing configurations involving any nested applications, custom applications, or custom application groups are ignored and the following warning messages are displayed as system log messages:

    APPID_CUSTOM_APP_UNSUPPORTED: Ignoring unsupported custom app configuration.
    APPID_CUSTOM_NESTAPP_UNSUPPORTED: Ignoring unsupported custom nested app configuration.
    

    Though configurations commit successfully, related functionality will not be available. For more information, see Known Behavior.

  • When you upgrade to Junos OS Release 12.1X47-D10, application firewall and application QoS rules might not be enforced for some applications, and IDP policy loads might fail.

    Applications or application groups for which services are not enforced or applications that can cause IDP policy load failures are indicated by the following system log message:

    APPID_APP_GRP_UNSUPPORTED

    Example:

    APPID_APP_GRP_UNSUPPORTED: Ignoring unsupported entry junos:JOOST in path [edit class-of-service application-traffic-control rule-sets RS8 rule 1 match application junos:JOOST] [edit security idp custom-attack cs2 attack-type signature protocol-binding nested-application JOOST]

    APPID_APP_GRP_UNSUPPORTED: Ignoring unsupported entry junos:PPLIVE in path [edit security application-firewall rule-sets apptest rule 1 match dynamic-application junos:PPLIVE] [edit class-of-service application-traffic-control rule-sets RS8 rule 1 match application junos:PPLIVE]

    To avoid these problems, we recommend that you upgrade to the latest signature package.

    Note: If you are using any applications or application groups that are not present in the latest signature package, you must remove them from application firewall and application QoS rules and IDP policies for installation to complete successfully.

  • When an SRX Series device is operating in chassis cluster mode and application identification is enabled, pre-match state application IDs are not synchronized to the other node. Any failover sessions still under classification will not be assigned application IDs. This could result in an application statistics and counters mismatch.

Application Layer Gateways (ALGs)

  • In Junos OS Release 12.1X47-D40 and earlier, on SRX Series devices, the mapping of a Microsoft remote procedure call Application Layer Gateway (MS-RPC ALG) universally unique identifier (UUID) to an object identifier (OID) did not carry security zone information. Because MS-RPC ALG data traffic matching a specific UUID therefore could not find the correct security policy, the traffic might be dropped.

    Starting in Junos OS Release 12.1X47-D45, the MS-RPC ALG UUID-to-OID mapping is associated with the security zone information, so MS-RPC ALG data traffic matches the security policy for its UUID and is allowed to flow.

  • In Junos OS Release 12.1X47-D35 and earlier, on all SRX Series devices, the DNS ALG only recorded and forwarded DNS packets whose length exceeded the configured threshold (range 512 through 8192 bytes).

    Starting in Junos OS Release 12.1X47-D40, the DNS ALG can be configured to drop oversized DNS packets whose length exceeds the threshold. To enable this, configure the new statement set security alg dns oversize-message-drop. If it is not configured, the DNS ALG keeps the earlier behavior and only records and forwards oversized DNS packets.

Chassis Cluster

  • Starting in Junos OS Release 12.1X47-D40, the request system scripts add package-name no-copy | unlink command is updated to include the following options for installing AI Script install packages on SRX Series devices in a chassis cluster:
    • master: Install AI script packages on the primary node.
    • backup: Install AI script packages on the secondary node.

    This enhancement eliminates the need for separate AI script installations on the primary node and the secondary node.

  • Starting in Junos OS Release 12.1X47-D10, for all branch SRX Series devices in chassis cluster mode, there is a node option available for all show chassis CLI commands. The node option displays status information for all FPCs or for the specified FPC on a specific node (device) in the cluster.
  • Starting in Junos OS Release 12.1X47-D25, for all SRX Series devices, reth interface supports proxy ARP.
  • When an SRX Series device is operating in chassis cluster mode and encounters an IA-chip access issue in an SPC or an I/O card (IOC), a minor FPC alarm is activated to trigger a redundancy group failover.

Dynamic Host Configuration Protocol (DHCP)

  • Starting in Junos OS Release 12.1X47-D45, the no-hostname option is added to the dhcp-client configuration. Set no-hostname if you do not want the DHCP client to send the hostname (DHCP option code 12) in its packets.

Flow-Based and Packet-Based Processing

  • On all high-end SRX Series devices, the TCP sequence check in the NPU is disabled in services-offload mode. Prior to this release, the NPU TCP sequence check was always enabled and caused intermittent drops of TCP packets that the services-offload policy had permitted.
  • Prior to Junos OS Release 12.1X46-D10, SRX Series devices did not decode the SCTP source and destination ports of IPv6 traffic but instead used a preset port of 1 to create flow sessions. Because the preset port did not match the corresponding security policies, the system dropped SCTP IPv6 traffic.

    Starting in Junos OS Release 12.1X47-D10, the actual SCTP source and destination ports (instead of the preset port 1) will be used to create flow sessions for the SCTP IPv6 traffic.

Integrated User Firewall WMIC Protocol Version

  • Integrated user firewall uses NTLMv2 as the default WMIC authentication protocol for security reasons. NTLMv1 exposes the system to attacks in which authentication hashes could be extracted from NTLMv1 authentication responses.

Interfaces and Routing

  • Starting in Junos OS Release 12.1X47-D35, on all SRX Series devices, a new CLI command, no-dns-propagation, is introduced to disable the propagation of DNS information to the kernel.
  • Starting in Junos OS Release 12.1X46-D30, on all branch SRX Series devices, configuring system autoinstallation creates a unit 0 logical interface on every physical interface that is in the active state. However, some statements, such as fabric-options, do not allow a logical interface to be configured on the physical interface. If system autoinstallation and fabric-options are configured together, the following message is displayed: incompatible with 'system autoinstallation'.

Intrusion Detection Prevention (IDP)

New sensor configuration options have been added to log run conditions as IDP session capacity and memory limits are approached, and to analyze traffic dropped by IDP and application identification due to exceeding these limitations.

  • drop-if-no-policy-loaded—By default, at startup IDP ignores traffic (passes it uninspected) until the IDP policy is loaded. The drop-if-no-policy-loaded option changes this behavior so that all sessions are dropped until the IDP policy is loaded.
  • drop-on-failover—By default, IDP ignores failover sessions in an SRX chassis cluster deployment. The drop-on-failover option changes this behavior and automatically drops sessions that are in the process of being inspected on the primary node when a failover to the secondary node occurs.
  • drop-on-limit—By default, sessions are not dropped if the IDP session limit or resource limits are exceeded. In this case, IDP and other sessions are dropped only when the device’s session capacity or resources are depleted. The drop-on-limit option changes this behavior and drops sessions when resource limits are exceeded.
  • max-sessions-offset—The max-sessions-offset option sets an offset for the maximum IDP session limit. When the number of IDP sessions exceeds the maximum session limit, a warning is logged that conditions exist where IDP sessions could be dropped. When the number of IDP sessions drops below the maximum IDP session limit minus the offset value, a message is logged that conditions have returned to normal.
  • min-objcache-limit-lt—The min-objcache-limit-lt option sets a lower threshold for available cache memory. The threshold value is expressed as a percentage of available IDP cache memory. If the available cache memory drops below the lower threshold level, a message is logged stating that conditions exist where IDP sessions could be dropped because of memory allocation failures.
  • min-objcache-limit-ut—The min-objcache-limit-ut option sets an upper threshold for available cache memory. The threshold value is expressed as a percentage of available IDP cache memory. If available IDP cache memory returns to the upper threshold level, a message is logged stating that available cache memory has returned to normal. For example, the following message shows that the available IDP cache memory has increased above the upper threshold and that it is now performing normally:
  • On all SRX Series devices, with IDP enabled, the upload and download throughput of a single session is lower than the firewall-only performance numbers.

    To reduce this overhead, a new CLI statement, set security idp sensor-configuration ips session-pkt-depth, is introduced. The session-pkt-depth setting is global and applies to every session.

    The session-pkt-depth value sets the number of packets in a session that IDP inspects; beyond that count IDP stops inspecting the session. For example, when session-pkt-depth is configured as n, IDP inspects only the first n-1 packets of the session and ignores the session from the nth packet onward. The default value is 0, which means no depth is set and IDP performs a full inspection of the session. Because packets past the configured depth are never inspected, a nondefault value trades detection coverage later in a session for throughput.

  • A new attribute, max-synacks-queued, is added to the TCP reassembler in the IDP sensor configuration. It sets the maximum number of SYN/ACK packets with different sequence numbers that are queued, and takes values 0 through 5. Also, a new counter, Duplicate Syn/Ack with different SEQ, is added to the IDP TCP reassembler; it counts SYN/ACK packets that arrive with different sequence numbers.
  • A system log message is generated when an IDP signature database update or policy compilation fails with an empty dynamic group. The system-generated log message is Dynamic Attack group [dyn_group_1] has no matching members found. Group is empty.
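    The max-sessions-offset and min-objcache-limit-lt/-ut options above describe a pair of thresholds with hysteresis: a warning is logged once when the limit is crossed, and a back-to-normal message only once the value has moved past the second threshold, not as soon as it dips back under the limit. The following Python model is an added example, not code from this release note or from Junos OS; the class name, the message texts and the sample values are illustrative assumptions, and only the threshold semantics come from the text above.

```python
from typing import List


class IdpCapacityMonitor:
    """Hysteresis model of the IDP sensor thresholds described above.

    Feed in periodic samples of the IDP session count and of the available
    object-cache memory (percent); the monitor records the messages it would
    log. Message texts are illustrative, not the exact Junos log strings.
    """

    def __init__(self, max_sessions: int, sessions_offset: int,
                 objcache_lt: int, objcache_ut: int) -> None:
        if not 0 <= objcache_lt <= objcache_ut <= 100:
            raise ValueError("need 0 <= min-objcache-limit-lt <= min-objcache-limit-ut <= 100")
        if not 0 <= sessions_offset <= max_sessions:
            raise ValueError("max-sessions-offset must not exceed the session limit")
        self.max_sessions = max_sessions
        self.sessions_offset = sessions_offset
        self.objcache_lt = objcache_lt
        self.objcache_ut = objcache_ut
        self.sessions_over = False   # a session-limit warning is outstanding
        self.cache_low = False       # a cache-memory warning is outstanding
        self.log: List[str] = []

    def observe_sessions(self, count: int) -> bool:
        """Return True while the session-limit warning condition is active."""
        clear_below = self.max_sessions - self.sessions_offset
        if not self.sessions_over and count > self.max_sessions:
            self.sessions_over = True
            self.log.append(f"WARNING: {count} IDP sessions exceed limit {self.max_sessions}; "
                            "IDP sessions may be dropped")
        elif self.sessions_over and count < clear_below:
            self.sessions_over = False
            self.log.append(f"INFO: {count} IDP sessions, below {clear_below}; "
                            "session limit condition back to normal")
        return self.sessions_over

    def observe_objcache(self, available_pct: float) -> bool:
        """Return True while the cache-memory warning condition is active."""
        if not self.cache_low and available_pct < self.objcache_lt:
            self.cache_low = True
            self.log.append(f"WARNING: {available_pct}% IDP cache memory available, below "
                            f"{self.objcache_lt}%; sessions may be dropped on allocation failure")
        elif self.cache_low and available_pct >= self.objcache_ut:
            self.cache_low = False
            self.log.append(f"INFO: {available_pct}% IDP cache memory available, at or above "
                            f"{self.objcache_ut}%; cache memory back to normal")
        return self.cache_low


if __name__ == "__main__":
    # Constructed sample values: limit 1000 with offset 100, cache thresholds 10% / 20%.
    mon = IdpCapacityMonitor(max_sessions=1000, sessions_offset=100, objcache_lt=10, objcache_ut=20)
    # 950 sits inside the hysteresis band (900..1000): the warning stays up.
    for n in (900, 1001, 950, 899, 1001):
        print(n, mon.observe_sessions(n))
    for pct in (50, 9, 15, 20, 5):
        print(pct, mon.observe_objcache(pct))
    print("\n".join(mon.log))
```

    The practical consequence for alerting is that the number of warning messages does not track how long the device spent over the limit; key an alert on the WARNING edge and clear it on the INFO edge rather than counting messages, and choose the offset wide enough that a load hovering around the limit does not flap.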

Network Address Translation (NAT)

  • Source NAT pool port configuration options—Starting with Junos OS Release 12.1X47-D40, the port-overloading-factor option and the port-range option at the [edit security nat source pool source-pool-name port] hierarchy level can be configured together. Prior to Release 12.1X47-D40, the options would overwrite each other.

Network Time Protocol

  • On all SRX Series devices, when the NTP client or server is enabled at the edit system ntp hierarchy, the REQ_MON_GETLIST and REQ_MON_GETLIST_1 control messages of the NTP monlist feature might allow remote attackers to cause a denial of service. Because a monlist response is much larger than the request that elicits it, an exposed responder can also be abused as a reflection and amplification source against third parties. To mitigate this, apply a firewall filter to the loopback interface so that NTP is accepted only from trusted addresses and networks.

Screens

  • In Junos OS releases earlier than Junos OS Release 12.1X47-D20, when a session-based screen limit was hit every second from the same source to multiple destination IP addresses, or from multiple sources to the same destination IP address, the firewall generated a flood of log messages every second. For example, if 100 session-based screen attacks hit the same source or destination IP address within a given second, 100 log messages per second were sent to the syslog server.

    Starting in Junos OS Release 12.1X47-D20, when a session-based screen is hit multiple times in a second for the same source or destination IP address, only one syslog message per second is sent for that source or destination address. If the screen is hit multiple times in a second for multiple source or destination addresses, one syslog message per second is sent for every unique source and destination address. The number of syslog messages therefore no longer reflects the number of screen hits within a second.

    This behavior also applies to the TCP-Synflood-src-based, TCP-Synflood-dst-based, and UDP flood protection screens.

Security

  • Starting in Junos OS Release 12.1X47-D10, on all branch SRX Series devices, the Routing Engine memory is decreased to 960 MB when an advanced service such as next-generation application identification, IDP, or UTM is enabled on the device.

System Logging

  • In Junos OS Release 12.1X47-D35 and earlier, RT_SRC_NAT_PBA messages were logged with severity debug.

    Starting in Junos OS Release 12.1X47-D40, RT_SRC_NAT_PBA messages are logged with severity info. If your syslog collector discards debug-severity messages, port block allocation records from the earlier releases never reached it.

    The following example shows RT_SRC_NAT_PBA messages before Junos OS Release 12.1X47-D40:

    16:32:43.760393 In IP (tos 0x0, ttl 254, id 16957, offset 0, flags [none], proto: UDP (17), length: 218) 10.10.10.10.syslog > 10.10.10.1.syslog: SYSLOG, length: 190 Facility user (1), Severity debug (7)

    Feb 5 16:32:49 RT_NAT: RT_SRC_NAT_PBA_ALLOC: Subscriber 10.10.10.1 used/maximum [1/32] blocks, allocates port block [27200-27263] from 80.0.0.1 in source pool src-nat-pool-1 lsys_id: 0\012

    The following example shows RT_SRC_NAT_PBA messages in Junos OS Release 12.1X47-D40, indicating the change in the severity parameter:

    16:32:43.760393 In IP (tos 0x0, ttl 254, id 16957, offset 0, flags [none], proto: UDP (17), length: 218) 10.10.10.10.syslog > 10.10.10.1.syslog: SYSLOG, length: 190 Facility user (1), Severity info (6)

    Feb 5 16:32:49 RT_NAT: RT_SRC_NAT_PBA_ALLOC: Subscriber 10.10.10.1 used/maximum [1/32] blocks, allocates port block [27200-27263] from 80.0.0.1 in source pool src-nat-pool-1 lsys_id: 0\012

  • In Junos OS Release 12.1X47-D35 and earlier, the structured log of Web filtering used inappropriate field names.

    Starting in Junos OS Release 12.1X47-D40, the structured log fields have changed. The UTM Web filter logs WEBFILTER_URL_BLOCKED, WEBFILTER_URL_REDIRECTED, and WEBFILTER_URL_PERMITTED now use the appropriate structured log field names; parsers that match on the old names must be updated.

    The following example shows WEBFILTER_URL_BLOCKED messages before Junos OS Release 12.1X47-D40:

    <12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address="192.168.1.100" source-port="58071" destination-address="103.235.46.39" destination-port="80" name="cat1" error-message="BY_BLACK_LIST" profile-name="uf1" object-name="www.baidu.com" pathname="/" username="N/A" roles="N/A"] WebFilter: ACTION="URL Blocked" 192.168.1.100(58071)->103.235.46.39(80) CATEGORY="cat1" REASON="BY_BLACK_LIST" PROFILE="uf1" URL=www.baidu.com OBJ=/ username N/A roles N/A

    The following example shows WEBFILTER_URL_BLOCKED messages in Junos OS Release 12.1X47-D40, indicating the change in structured log fields:

    <12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address="192.168.1.100" source-port="58071" destination-address="103.235.46.39" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="N/A" roles="N/A"] WebFilter: ACTION="URL Blocked" 192.168.1.100(58071)->103.235.46.39(80) CATEGORY="cat1" REASON="BY_BLACK_LIST" PROFILE="uf1" URL=www.baidu.com OBJ=/ username N/A roles N/A

    The structured log field changes in the UTM Web filter logs WEBFILTER_URL_BLOCKED, WEBFILTER_URL_REDIRECTED, and WEBFILTER_URL_PERMITTED are as follows:

    • name -> category
    • error-message -> reason
    • profile-name -> profile
    • object-name -> url
    • pathname -> obj
  • The system log message UTMD_EWF_CAT_OBSOLETE is introduced in Junos OS Release 12.1X47-D15.
  • The system log message APPID_CUSTOM_APPGRP_UNSUPPORTED is deprecated in Junos OS Release 12.1X47-D15.
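    Both changes above, the RT_SRC_NAT_PBA severity change and the WEBFILTER_URL_* field renames, land on whoever parses these logs downstream. The following Python script is an added example, not part of this release note or of Junos OS: it parses the RFC 5424 header and structured data of the WEBFILTER_URL_BLOCKED samples shown above, renames the pre-D40 fields to the D40 names so both formats yield the same record, and extracts subscriber, NAT address and port block from the RT_SRC_NAT_PBA_ALLOC sample so a translated address and port can be attributed back to a subscriber. The function names, the record layout and the attribution helper are assumptions of this example; the sample lines are copied from this section, with the trailing lsys_id text kept and the escaped newline dropped.

```python
import re
from typing import Any, Dict, List, Optional

# Structured-data field renames introduced in 12.1X47-D40 for the
# WEBFILTER_URL_BLOCKED/REDIRECTED/PERMITTED messages (the table above).
LEGACY_WEBFILTER_FIELDS = {
    "name": "category",
    "error-message": "reason",
    "profile-name": "profile",
    "object-name": "url",
    "pathname": "obj",
}

# RFC 5424 header, one structured-data element, then free text.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) \[(?P<sdid>[^\s\]]+)(?P<params>[^\]]*)\] ?(?P<msg>.*)$"
)
PARAM_RE = re.compile(r'(\S+?)="([^"]*)"')

# Free-text body of RT_SRC_NAT_PBA_ALLOC, in the layout shown in the examples above.
PBA_ALLOC_RE = re.compile(
    r"RT_SRC_NAT_PBA_ALLOC: Subscriber (?P<subscriber>\S+) used/maximum "
    r"\[(?P<used>\d+)/(?P<maximum>\d+)\] blocks, allocates port block "
    r"\[(?P<lo>\d+)-(?P<hi>\d+)\] from (?P<nat_ip>\S+) in source pool (?P<pool>\S+)"
)


def parse_webfilter(line: str) -> Dict[str, Any]:
    """Parse a structured WEBFILTER_URL_* message; legacy field names are
    renamed so that pre- and post-D40 records look the same downstream."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 structured syslog line")
    pri = int(m["pri"])
    raw = dict(PARAM_RE.findall(m["params"]))
    fields = {LEGACY_WEBFILTER_FIELDS.get(k, k): v for k, v in raw.items()}
    return {
        "facility": pri // 8,          # PRI = facility * 8 + severity
        "severity": pri % 8,
        "host": m["host"],
        "msgid": m["msgid"],
        "fields": fields,
        "pre_d40_format": any(k in LEGACY_WEBFILTER_FIELDS for k in raw),
    }


def parse_pba_alloc(line: str) -> Optional[Dict[str, Any]]:
    """Extract subscriber, NAT address and port block from an RT_SRC_NAT_PBA_ALLOC line."""
    m = PBA_ALLOC_RE.search(line)
    if not m:
        return None
    used, maximum = int(m["used"]), int(m["maximum"])
    return {
        "subscriber": m["subscriber"],
        "nat_ip": m["nat_ip"],
        "pool": m["pool"],
        "port_block": (int(m["lo"]), int(m["hi"])),
        "used": used,
        "maximum": maximum,
        "at_limit": used >= maximum,   # the subscriber can get no further blocks
    }


def find_subscriber(allocs: List[Dict[str, Any]], nat_ip: str, port: int) -> Optional[str]:
    """Attribute a translated (NAT IP, port) reported by a third party to the subscriber
    holding that port block. Assumes the allocation records cover the time in question."""
    for a in allocs:
        lo, hi = a["port_block"]
        if a["nat_ip"] == nat_ip and lo <= port <= hi:
            return a["subscriber"]
    return None


# Sample lines copied from the examples in this section (constructed test input).
PRE_D40_WEBFILTER = (
    '<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED '
    '[junos@2636.1.1.1.2.86 source-address="192.168.1.100" source-port="58071" '
    'destination-address="103.235.46.39" destination-port="80" name="cat1" '
    'error-message="BY_BLACK_LIST" profile-name="uf1" object-name="www.baidu.com" '
    'pathname="/" username="N/A" roles="N/A"] WebFilter: ACTION="URL Blocked" '
    '192.168.1.100(58071)->103.235.46.39(80) CATEGORY="cat1" REASON="BY_BLACK_LIST" '
    'PROFILE="uf1" URL=www.baidu.com OBJ=/ username N/A roles N/A'
)
POST_D40_WEBFILTER = (
    '<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED '
    '[junos@2636.1.1.1.2.86 source-address="192.168.1.100" source-port="58071" '
    'destination-address="103.235.46.39" destination-port="80" category="cat1" '
    'reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="N/A" '
    'roles="N/A"] WebFilter: ACTION="URL Blocked" 192.168.1.100(58071)->103.235.46.39(80) '
    'CATEGORY="cat1" REASON="BY_BLACK_LIST" PROFILE="uf1" URL=www.baidu.com OBJ=/ '
    'username N/A roles N/A'
)
PBA_LINE = (
    "Feb 5 16:32:49 RT_NAT: RT_SRC_NAT_PBA_ALLOC: Subscriber 10.10.10.1 used/maximum [1/32] "
    "blocks, allocates port block [27200-27263] from 80.0.0.1 in source pool src-nat-pool-1 "
    "lsys_id: 0"
)

if __name__ == "__main__":
    for line in (PRE_D40_WEBFILTER, POST_D40_WEBFILTER):
        rec = parse_webfilter(line)
        print(rec["msgid"], "severity", rec["severity"],
              "legacy" if rec["pre_d40_format"] else "current",
              rec["fields"]["category"], rec["fields"]["url"])
    alloc = parse_pba_alloc(PBA_LINE)
    print(alloc)
    print(find_subscriber([alloc], "80.0.0.1", 27210))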

System Management

  • To give the commit script more memory during a load override, apply the following statements before you commit the loaded configuration:
    set system scripts commit max-datasize 800000000
    set system scripts op max-datasize 800000000
  • On an SRX5800 device in transparent mode, if the device is not processing multicast OSPFv3 hello packets, remove the no-packet-flooding statement from the configuration with delete security flow bridge no-packet-flooding.

    Note: Packet flooding is enabled by default. If you manually disabled it with the set security flow bridge no-packet-flooding statement, the delete statement above reverts to the default behavior, which allows the device to process multicast OSPFv3 hello packets.

  • Starting with Junos OS Release 12.1X47-D25, you can limit the number of pre-authentication SSH packets that the SSH server will accept prior to user authentication. Use the set system services ssh max-pre-authentication-packet value command to set the maximum number of pre-authentication SSH packets that the server will accept.

Unified Threat Management (UTM)

  • Starting in Junos OS Release 12.1X47-D15, enhanced Web filtering has the following updates:
    • Addition of five new security categories
    • Modification of category names for eight security categories

    Table 3: New categories

    Category ID   Category Name               Parent ID   Description
    220           Compromised Websites        0           Sites that are vulnerable and known to host injected malicious code or unwanted content.
    221           Newly Registered Websites   0           Sites whose domain names were registered recently.
    1529          Classifieds Posting         0           General function that enables a user to post a classified advertisement.
    1530          Blog Posting                0           General function that enables a user to post a blog entry.
    1531          Blog Commenting             0           General function that enables a user to post a comment.

    Table 4: Updates to existing category names

    Old Category Name                                    New Category Name
    Racism and Hate                                      Intolerance
    URL Translation Sites                                Website Translation
    MP3 and Audio Download Services                      Media File Download
    Non Traditional Religions and Occult and Folklore    Non Traditional Religions
    Freeware and Software Download                       Application and Software Download
    Images Media                                         Web Infrastructure
    Image Servers                                        Web Images
    Potentially Damaging Content                         Suspicious Content

  • In Junos OS Release 12.1X47-D10 and earlier, the UTM default configuration on Junos OS did not include junos-default-bypass-mime in the mime-whitelist. The user had to configure the default bypass MIME list manually with the following command:

    user@host# set security utm feature-profile anti-virus mime-whitelist list junos-default-bypass-mime

    Starting in Junos OS Release 12.1X47-D15, junos-default-bypass-mime is listed in mime-whitelist as part of the UTM default configuration on Junos OS, and the user need not configure it explicitly. To check the default mime-whitelist configuration, use the following operational commands:

    user@host> show configuration groups junos-defaults security utm custom-objects mime-pattern junos-default-bypass-mime
    value [ text/css audio/ video/ image/ ];
    user@host> show configuration groups junos-defaults security utm feature-profile anti-virus mime-whitelist
    list junos-default-bypass-mime;
  • Starting in Junos OS Release 12.1X47-D20, enhanced Web filtering has the following updates:
    • Addition of seven new security categories. See Table 5.
    • Modification of category name for a security category. See Table 6.

    Table 5: New categories

    Category ID   Category Name             Parent ID   Description
    222           Collaboration Office      0           Category that is used to manage the office domain.
    223           Office Mail               222         Office function that enables a user to collaborate through email and messaging.
    224           Office Drive              222         Office function that enables a user to collaborate through virtual storage.
    225           Office Documents          222         Office function that enables a user to collaborate through document applications.
    226           Office Apps               222         Office function that enables a user to collaborate through various applications.
    227           Web Analytics             9           Sites that are associated with web traffic analysis.
    228           Web and Email Marketing   9           Sites that are associated with online marketing.

    Table 6: Updates to existing category names

    Old Category Name                        New Category Name
    Supplements and Unregulated Compounds    Nutrition

User Interface and Configuration

  • You can configure only one rewrite rule for one logical interface. When you configure multiple rewrite rules for one logical interface, an error message is displayed and the commit fails.

VPN

  • Starting in Junos OS Release 12.1X47-D40, a new command, unconfigured-peer-graceful-restart, is available to enable graceful restart for BGP peers in the AutoVPN feature.
  • If SRX5400, SRX5600, or SRX5800 devices experience a failover caused by network issues, hardware failures, or an ISSU, tunnels that use AES-GCM are reestablished. If you are using these devices in a chassis cluster with tunnels that use AES-GCM (included in the Suite B and PRIME cryptographic suites), we recommend that you upgrade the devices to Junos OS Release 12.3X48-D25, 12.3X48-D30, or 15.1X49-D40.
  • AutoVPN multicast deprecated—Support for multicast traffic in an AutoVPN hub-and-spoke network is deprecated and will be removed in a future release.

    AutoVPN hubs are supported on SRX240, SRX550, SRX650, SRX1400, SRX3400, SRX5600, and SRX5800 devices. AutoVPN spokes are supported on SRX100, SRX210, SRX220, SRX240, SRX550, SRX650, and SRX1400 devices.

  • In previous Junos OS releases, the Pulse client could be automatically downloaded and installed when users logged into a branch SRX Series device that was configured for dynamic VPN. Starting with Junos OS Release 12.1X47-D15, Pulse client software is no longer available from dynamic VPN SRX Series devices and must be obtained from the Juniper Networks Download Software site at https://www.juniper.net/support/downloads/.

Modified: 2016-11-30