
New and Changed Features

 

Learn about new features and enhancements to existing features in Junos OS Release 12.3X48 for the SRX Series.

Release 12.3X48-D105 Software Features

There are no new features in Junos OS Release 12.3X48-D105 for the SRX Series devices.

Release 12.3X48-D100 Software Features

There are no new features in Junos OS Release 12.3X48-D100 for the SRX Series devices.

Release 12.3X48-D95 Software Features

  • JDPI-Decoder engine version upgrade (SRX Series)—Starting in Junos OS Release 12.3X48-D95, the Juniper Networks Deep Packet Inspection-Decoder (JDPI-Decoder) engine is packaged along with the application signature package version 999, which includes the protobundle version 1.380.0-64.005 and the JDPI-Decoder engine version 5.3.0-56. You can upgrade the application signature package when a new signature package version is available.

    [See show services application-identification status.]

Release 12.3X48-D90 Software Features

There are no new features in Junos OS Release 12.3X48-D90 for the SRX Series devices.

Release 12.3X48-D85 Software Features

There are no new features in Junos OS Release 12.3X48-D85 for the SRX Series devices.

Release 12.3X48-D80 Software Features

Application Security

  • JDPI-Decoder engine separation from Junos OS (SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 12.3X48-D80, the Juniper Networks Deep Packet Inspection-Decoder (JDPI-Decoder) engine is separated from Junos OS and allows you to download the JDPI-Decoder engine along with the protobundle. This implementation allows you to upgrade the JDPI-Decoder engine separately without upgrading Junos OS.

    [See show services application-identification status.]

Release 12.3X48-D75 Software Features

There are no new features in Junos OS Release 12.3X48-D75 for the SRX Series devices.

Release 12.3X48-D70 Software Features

There are no new features in Junos OS Release 12.3X48-D70 for the SRX Series devices.

Release 12.3X48-D65 Software Features

Ethernet Switching

  • Connectivity fault management (CFM) and link fault management (LFM) support for SRX210, SRX220, SRX240, SRX550, and SRX650 devices—Starting in Junos OS Release 12.3X48-D65, connectivity fault management (CFM) and link fault management (LFM) for the Operation, Administration, and Maintenance (OAM) are supported on very-high-bit-rate digital subscriber line (VDSL) and Point-to-Point Protocol over Ethernet (PPPoE) interfaces in addition to the Ethernet interfaces. CFM support includes fault monitoring, path discovery, and fault isolation functionalities. LFM support includes discovery and link monitoring, remote fault detection, and remote loopback functionalities.

    [See Understanding Ethernet OAM Connectivity Fault Management.]

Interfaces and Routing

  • ARP throttle and ARP detect (SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 12.3X48-D65, an ARP throttling mechanism is introduced for SRX Series devices.

    Excessive ARP processing results in high utilization of Routing Engine CPU resources, resulting in deprivation of CPU resources to other Routing Engine processes. To provide protection against excessive ARP processing, you can now configure ARP throttle and ARP detect using the following configuration statements:

    • edit forwarding-options next-hop arp-throttle seconds

    • edit forwarding-options next-hop arp-detect milliseconds

    Caution

    We recommend that only advanced Junos OS users attempt to configure the ARP throttle and ARP detect feature. Improper configuration might result in high utilization of Routing Engine CPU resources, which can adversely affect other processes.

    [See arp-throttle and arp-detect.]

Release 12.3X48-D60 Software Features

High Availability

  • Support for dedicated Bidirectional Forwarding Detection (BFD)—Starting with Junos OS Release 12.3X48-D60, a dedicated microkernel is supported on SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650 devices to improve BFD performance. This is an enhancement to the distributed mode. Enabling the dedicated microkernel completely offloads the BFD daemon to the Packet Forwarding Engine microkernel by dedicating one CPU core to this process, which significantly improves BFD failure-detection performance. Because one of the Packet Forwarding Engine’s CPU cores is allocated to the BFD daemon, device throughput is reduced.

    To enable dedicated BFD on the SRX240, SRX550, and SRX650 devices, use the set chassis dedicated-ukern-cpu command.

    To enable real-time BFD on the SRX100, SRX110, SRX210, and SRX220 devices, use the set chassis realtime-ukern-thread command.

    [See Understanding BFD for Static Routes for Faster Network Failure Detection, Understanding Distributed BFD, dedicated-ukern-cpu (BFD), and realtime-ukern-thread (BFD).]

Network Management and Monitoring

  • SNMP support for monitoring GRE keepalive status for all SRX Series devices—Starting with Junos OS Release 12.3X48-D60, you can monitor GRE interface status using remote network management. In earlier releases, you had to use a CLI command to check GRE keepalive status. Now the SNMP MIB jnxOamMibRoot helps you to monitor GRE keepalive status using remote network management. When GRE keepalive status is changed, this SNMP MIB generates SNMP trap jnxOamGreKeepAliveTrapVars to send notifications.

    [See Enterprise-Specific SNMP MIBs Supported by Junos OS.]

Release 12.3X48-D55 Software Features

Flow-Based and Packet-Based Processing

  • TCP out-of-state packet drop logging (SRX Series)—Starting in Junos OS Release 12.3X48-D55, SRX Series devices support logging of unsynchronized TCP out-of-state packets that are dropped by the flow module.

    Within any packet-switched network, when demand exceeds available capacity, excess packets are queued until the queue fills, after which packets are dropped. When TCP operates across such a network, it takes corrective action to maintain error-free end-to-end communication.

    This feature enables packet recovery by logging the out-of-sync packets for error-free communication, and avoids database servers going out of sync.

    TCP packet drop logging occurs when:

    • TCP packets that trigger session creation are not synchronized.

    • TCP three-way handshake in flow fails.

    • TCP sequence check in flow fails.

    • TCP SYN packets are received in TCP FIN state.

    The unsynchronized TCP out-of-state packet drop log is a packet-based log, not a session-based log.

    Note

    TCP packets that are dropped by TCP-proxy and IDP are not logged.

    [See TCP Out-of-State Packet Drop Logging Overview.]

Release 12.3X48-D45 Software Features

Unified Threat Management (UTM)

  • SNI support for Web filtering on SRX Series devices—In Junos OS Release 12.3X48-D45, Junos OS supports Server Name Indication (SNI) for local, Websense-redirect, and Enhanced Web Filtering (EWF). SNI is an extension of the SSL/TLS protocol that indicates which server name the client is contacting over an HTTPS connection. The client sends the actual hostname of the destination server in cleartext in its ClientHello message, before the SSL handshake is complete. Web filtering uses the SNI information for further processing or modifying the query. In this implementation, the SNI includes only the server name, not the full URL of the server.

    [See Web Filtering Overview.]
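    To make concrete what Web filtering can read from the ClientHello, here is an added Python example (not Juniper code) that parses a TLS record and returns the SNI host_name, or None when the record is not a ClientHello, carries no server_name extension, or is truncated; the sample ClientHello is constructed inline.

```python
"""Extract the Server Name Indication (SNI) from a TLS ClientHello record.

Added illustration (not Juniper code): it shows that the only cleartext
identity available before the handshake completes is the hostname in the
server_name extension; nothing of the URL path is visible here.
"""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16      # record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # extension type for server_name
SNI_HOST_NAME = 0x00      # name_type host_name inside server_name


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in a ClientHello, or None.

    None is returned for non-handshake data, a truncated record, a handshake
    message that is not a ClientHello, or a ClientHello without SNI. The value
    is unauthenticated: it is what the client claims, before any certificate
    is seen, which is why a filter uses it only to select a category or query.
    """
    try:
        if len(record) < 5 or record[0] != TLS_HANDSHAKE:
            return None
        rec_len = _u16(record, 3)
        body = record[5:5 + rec_len]
        if len(body) < rec_len or body[0] != CLIENT_HELLO:
            return None                       # truncated or not a ClientHello
        hs_len = int.from_bytes(body[1:4], "big")
        hs = body[4:4 + hs_len]
        if len(hs) < hs_len:
            return None
        off = 2 + 32                          # client_version + random
        sid_len = hs[off]
        off += 1 + sid_len                    # session_id
        cs_len = _u16(hs, off)
        off += 2 + cs_len                     # cipher_suites
        cm_len = hs[off]
        off += 1 + cm_len                     # compression_methods
        if off + 2 > len(hs):
            return None                       # no extensions block at all
        ext_total = _u16(hs, off)
        off += 2
        end = off + ext_total
        if end > len(hs):
            return None
        while off + 4 <= end:
            ext_type, ext_len = _u16(hs, off), _u16(hs, off + 2)
            off += 4
            ext = hs[off:off + ext_len]
            off += ext_len
            if ext_type != EXT_SERVER_NAME or len(ext) < 2:
                continue
            list_len = _u16(ext, 0)
            p = 2
            while p + 3 <= 2 + list_len and p + 3 <= len(ext):
                name_type, name_len = ext[p], _u16(ext, p + 1)
                p += 3
                name = ext[p:p + name_len]
                p += name_len
                if name_type == SNI_HOST_NAME and len(name) == name_len:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def build_client_hello(host: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed sample input)."""
    exts = b""
    if host is not None:
        h = host.encode("ascii")
        entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(h)) + h
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (
        b"\x03\x03" + b"\x00" * 32            # version 1.2, zeroed random
        + b"\x00"                             # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
        + b"\x01\x00"                         # compression: null only
        + struct.pack("!H", len(exts)) + exts
    )
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))  # www.example.com
    print(extract_sni(build_client_hello(None)))               # None
```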

Release 12.3X48-D40 Software Features

Dynamic Host Configuration Protocol (DHCP)

  • Cascaded DHCPv6 prefix delegation on SRX Series devices—Junos OS Release 12.3X48-D40 supports the cascaded DHCPv6 prefix delegation feature, which allows the customer premises equipment (CPE) to delegate sub-prefixes to sub-CPEs and assign IPv6 addresses to end hosts through stateless address autoconfiguration (SLAAC), stateless DHCPv6, or stateful DHCPv6. The LAN interface supports these three kinds of address assignment through independent configurations for DHCPv6, stateless SLAAC, and stateful DHCPv6.

Network Address Translation (NAT)

  • PAT port capacity increase, interim logging, and block recycling—In Junos OS Release 12.3X48-D40, increased PAT port capacity is supported on SRX5400, SRX5600, and SRX5800 devices with next-generation Services Processing Cards (SPCs) using the CLI option port-scaling-enlargement, at the [edit security nat source] hierarchy level.

    Interim logging and block recycling for port block allocation (PBA) are supported on all SRX Series devices using the CLI options interim-logging-interval and last-block-recycle-timeout at the [edit security nat source pool name port block-allocation] hierarchy levels.

Platform and Infrastructure

  • High-priority queue on SPC for SRX5400, SRX5600, and SRX5800 devices with IOC2 and IOC3 line cards—For the SRX5K-MPC (IOC2), the SRX5K-MPC3-100G10G (IOC3), and the SRX5K-MPC3-40G10G (IOC3), a new configuration option is supported in Junos OS Release 12.3X48-D40 that enables packets with specific DiffServ code point (DSCP) precedence, inet-precedence, IEEE 802.1Q, and DHCPv6 for IPv6 traffic bits to enter a high-priority queue on the SPC on high-end SRX Series devices.

    Junos OS Release 12.3X48-D40 supports two priorities, high and low. Higher-priority queues take precedence over lower-priority queues for forwarding packets, achieving a higher rate and lower latency while ensuring that low-priority queues are not starved (locked out).

    To designate packets for the high-priority or low-priority queue, use the spu-priority configuration statement at the [edit class-of-service forwarding-classes class] hierarchy level. A value of high places packets into the high-priority queue, and a value of low places packets into the low-priority queue.

Release 12.3X48-D35 Hardware Features

Wireless WAN

  • CBA850 3G/4G/LTE wireless WAN bridge—Starting with Junos OS Release 12.3X48-D35, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650 devices support the CBA850 3G/4G/LTE wireless WAN bridge. The CBA850 can be deployed as a primary WAN or as a backup WAN to the primary wired network for the services gateways.

    [See CBA850 3G/4G/LTE Wireless WAN Bridge Overview.]

Release 12.3X48-D35 Software Features

Interfaces

  • G.993.5 Vectoring support for VDSL modules on SRX Series devices—Starting with Junos OS Release 12.3X48-D35, firmware version v2.16.0 is available for SRX-MP-1VDSL-A to support VDSL vectoring. Vectoring on VDSL reduces crosstalk and increases network bandwidth.

    [See Upgrading the VDSL PIC Firmware.]

Unified Threat Management (UTM)

  • TCP proxy enhancement support on SRX5400, SRX5600, and SRX5800 devices—Starting with Junos OS Release 12.3X48-D35, the UTM Sophos antivirus (SAV) single-session throughput is increased for optimizing tcp-proxy forwarding.

Release 12.3X48-D30 Software Features

Authentication and Access Control

The following list provides an overview of the integrated ClearPass authentication and enforcement features:

  • Integrated ClearPass on SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices—Integrated ClearPass authentication and enforcement enables SRX Series devices and Aruba ClearPass to collaborate in protecting your company’s resources by enforcing security at the user identity level, not at the IP address of a user’s device. Not only can you configure security policies that apply to a user by username or group regardless of the device used, you can also configure a policy that specifies a group of users and a device type. Focusing security policies on user identity gives you exceptional control. Additionally, the SRX Series device provides ClearPass with threat and attack logs associated with users to inform your security enforcement at the ClearPass end. ClearPass can authenticate users across wired, wireless, and VPN infrastructures, and, as the authentication source, post that information to the SRX Series device.

    [See Understanding the SRX Series Integrated ClearPass Authentication and Enforcement Feature.]

  • Individual user query on SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices—Junos OS Release 12.3X48-D30 supports the integrated ClearPass authentication and enforcement feature that includes the user query function. User query allows you to configure supported SRX Series devices to automatically query the Aruba ClearPass server for individual user authentication information when ClearPass does not post that information to it.

    [See Understanding the Integrated ClearPass Authentication and Enforcement User Query Function.]

  • Threat detection and notification to ClearPass on SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices—Junos OS Release 12.3X48-D30 supports the integrated ClearPass authentication and enforcement feature that includes the threat detection and notification function. This function allows the SRX Series device to filter detected events specifically for threats and attacks and send logs about them to the ClearPass Policy Manager.

    [See Understanding How the Integrated ClearPass Feature Detects Threats and Attacks and Notifies the CPPM.]

  • User and role enforcement on SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices—Junos OS Release 12.3X48-D30 supports the integrated ClearPass authentication and enforcement feature that includes the user role and enforcement function. For this feature, the SRX Series device relies on Aruba ClearPass as its authentication source. With the user authentication information provided by ClearPass, you can configure security policies and allow the SRX Series device to enforce them based on user identity (source identity) rather than relying on the IP address of a user’s device. You can also use group, or role, identities in security policies.

    [See Understanding Enforcement of ClearPass User and Group Authentication on the SRX Series Devices.]

  • Web API and message dispatcher on SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices—Junos OS Release 12.3X48-D30 supports the integrated ClearPass authentication and enforcement feature, which includes the Web API function. This function allows Aruba ClearPass to initiate a connection with the SRX Series device to provide it with user authentication and identity information.

    [See Understanding How ClearPass Initiates a Session and Communicates User Authentication Information to the SRX Series Device Using the Web API.]

Flow-Based and Packet-Based Processing

  • DHCPv6 enhancements to support RFC 6177 for SRX Series devices—Starting with Junos OS Release 12.3X48-D30, new CLI commands are introduced to configure the preferred prefix length and sub-prefix length in clients. A delegating router (DHCPv6 server) is provided with IPv6 prefixes, and a requesting router (DHCPv6 client) requests one or more prefixes from the delegating router. When the client receives a valid DHCPv6 block, it must then delegate to all active interfaces using sub-prefix delegation.

  • Support for logical interface policer on SRX Series devices—Starting with Junos OS Release 12.3X48-D30, the logical interface policer, also called an aggregate policer, is supported on all SRX Series devices. The logical interface policer is a two-color or three-color policer that defines traffic rate limiting. You can apply a policer to input or output traffic for multiple protocol families on the same logical interface without needing to create multiple instances of the policer.

    See:

VPNs

  • Group VPN members on SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650 devices supported with Group VPNv2 servers—Junos OS Release 12.3X48-D30 allows Group VPN (also referred to as Group VPNv1) members to interoperate with Group VPNv2 servers. Group VPNv1 and Group VPNv2 members can coexist for the same group in the network.

    [For more information, see Changes in Behavior and Syntax, Known Behavior, and Migration, Upgrade, and Downgrade Instructions sections in this release note. Also, see Group VPN Overview for Group VPN members and Group VPNv2 Overview for Group VPNv2 servers.]

  • IPsec VPN session affinity—Starting with Junos OS Release 12.3X48-D30, the IOC2 on SRX5400, SRX5600, and SRX5800 devices supports IPsec session affinity for IPsec tunnel-based traffic.

    With the IOC, the flow module creates sessions for IPsec tunnel-based traffic before encryption and after decryption on its tunnel-anchored SPU and installs the session cache for the sessions so that the IOC can redirect the packets to the same SPU to minimize packet forwarding overhead.

    To enable session affinity on the IOC2, you must first enable session cache and then enable session affinity. On the IOC1, you do not have to enable session cache to enable session affinity.

    To enable session cache, run the set chassis fpc fpc-number np-cache command.

    To enable IPsec VPN session affinity, use the set security flow load-distribution session-affinity ipsec command.

    Note

    Once you enable or disable session cache on the IOC2, a system restart is required.

    For configuring Express Path on an SRX5000 line device with Modular Port Concentrator (MPC), enable NP cache on the IOC using the set chassis fpc fpc-number np-cache command. Then configure the security policy to determine if the session is for Express Path.

    The set chassis fpc fpc-number services-offload command is deprecated.

    To disable Express Path on an SRX5000 line device with MPC, use the delete chassis fpc fpc-number np-cache command.

    The delete chassis fpc fpc-number services-offload command is deprecated.

    [For more information, see Understanding VPN Session Affinity, Enabling VPN Session Affinity, session-affinity, Understanding Session Cache, and Express Path Overview.]

Release 12.3X48-D25 Software Features

Application Layer Gateways (ALGs)

  • TCP support for SIP ALG on SRX Series devices—Starting with Junos OS Release 12.3X48-D25, the SIP ALG supports TCP along with UDP. The TCP support reduces traffic to the server by eliminating the need to reregister or refresh the server frequently.

IP Monitoring

  • Increasing IP monitoring capacity for SRX5000 line devices for IOC2 and IOC3—Starting with Junos OS Release 12.3X48-D25, IOC2 and IOC3 on SRX5000 line devices support IP monitoring on both the primary and secondary nodes.

    The following IOC2 MICs support IP monitoring:

    • MIC with 20x1GE SFP Interfaces (SRX-MIC-20GE-SFP)—20 ports

    • MIC with 10x10GE SFP+ Interfaces (SRX-MIC-10XG-SFPP)—10 ports

    • MIC with 1x100GE CFP Interface (SRX-MIC-1X100G-CFP)—1 port

    • MIC with 2x40GE QSFP+ Interfaces (SRX-MIC-2X40G-QSFP)—2 ports

    The following IOC3s support IP monitoring:

    • SRX5K-MPC3-100G10G (2x100GE and 4x10GE ports)

    • SRX5K-MPC3-40G10G (6x40GE and 24x10GE ports)

    IP monitoring checks the end-to-end connectivity of configured IP addresses and allows a redundancy group to automatically fail over when the monitored IP address is not reachable through the reth interface. Both the primary and secondary nodes in the chassis cluster monitor specific IP addresses to determine whether an upstream device in the network is reachable.

Network Address Translation (NAT)

  • IPv6-to-IPv6 Network Address Translation—Starting in Junos OS Release 12.3X48-D25, stateless IPv6-to-IPv6 network prefix translation, which is compliant with RFC 6296, is provided. This feature enables address independence and provides a one-to-one relationship between IPv6 addresses in an internal network and IPv6 addresses in an external network. This type of translation can be used to secure proprietary information, for example, by a mobile service provider using customers’ phone numbers as IPv6 local host identifiers.

  • Port-overloading—Starting in Junos OS Release 12.3X48-D25, the total number of public IP addresses for source NAT pools configured with the port-overloading-factor increases from 16 to 128. This increase enables support for the maximum number of sessions provided by the SRX5000 line.

System Logging

  • Stream log based on category for SRX Series devices—Starting with Junos OS Release 12.3X48-D25, when forwarding logs using stream mode, all the categories can be configured for sending specific category logs to different log servers. For stream mode log forwarding, the transport protocol used between the Packet Forwarding Engine and the log server can be UDP, TCP, or TLS, and it is configurable. The transport protocol used between the Routing Engine and the log server can only be UDP.

    [See Understanding System Logging for Security Devices.]

Unified Threat Management (UTM)

  • Enhanced Web Filtering (EWF) supports HTTPS traffic for SRX240, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices—Starting with Junos OS Release 12.3X48-D25, EWF supports HTTPS traffic by intercepting HTTPS traffic passing through the SRX Series device. The security channel from the SRX Series device is divided as one SSL channel between the client and the SRX Series device and another SSL channel between the SRX Series device and the HTTPS server. SSL forward proxy acts as the terminal for both channels and forwards the cleartext traffic to the UTM. UTM extracts the URL from the HTTP request message.

  • Sophos Antivirus over SSL forward proxy supports HTTPS traffic for SRX240, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices—Starting with Junos OS Release 12.3X48-D25, UTM Sophos Antivirus over SSL forward proxy supports HTTPS traffic by intercepting HTTPS traffic passing through the SRX Series device. The security channel from the SRX Series device is divided as one SSL channel between the client and the SRX Series device and another SSL channel between the SRX Series device and the HTTPS server. SSL forward proxy acts as the terminal for both channels and forwards the cleartext traffic to UTM. UTM extracts the URL and the file checksum information from cleartext traffic. The Sophos Antivirus scanner determines whether to block or permit the requests.

Release 12.3X48-D20 Software Features

Interfaces

  • CLI enhancement for interfaces operational command for SRX Series devices—Starting with Junos OS Release 12.3X48-D20, a new show interfaces terse zone command is introduced. This command displays the zone name for each interface.

Screens

  • Improved logging and trapping for SRX Series devices—Starting with Junos OS Release 12.3X48-D20, the system log information for IP-based session limits is enhanced to include more information. Each session-limit screen log now contains five tuples of information. The hard core screen SNMP trap interval can now be configured in the range from 1 second to 3600 seconds. The default interval is 2 seconds.

Security Policies

  • Setting the TCP MSS value per security policy for SRX Series devices—Beginning with Junos OS Release 12.3X48-D20, two new options enable you to set the maximum segment size for TCP sessions per policy. The two options for the set security policies from-zone zone to-zone zone policy policy-name then permit tcp-options statement are initial-tcp-mss tcp-mss-value and reverse-tcp-mss tcp-mss-value.

    Previously, a packet’s maximum segment size could only be set globally, for all TCP sessions, using the set security flow tcp-mss statement.

    [See initial-tcp-mss, reverse-tcp-mss, and show security policies.]

VPNs

  • AutoVPN spokes and Auto Discovery VPN (ADVPN) partners supported on all high-end SRX Series devices—Starting in Junos OS Release 12.3X48-D20, all high-end SRX Series devices can be configured as AutoVPN spokes and ADVPN partners. In Junos OS Release 12.3X48-D10, only branch SRX Series devices were supported as ADVPN partners.

    Note

    BGP and OSPF dynamic routing protocols are supported with AutoVPN. Only OSPF is supported with ADVPN.

    [See Understanding Auto Discovery VPN.]

  • IKEv2 AES-GCM for branch SRX Series and SRX5400, SRX5600, and SRX5800 devices with SPC2 (SRX5K-SPC-4-15-320)—Starting in Junos OS Release 12.3X48-D20, support is provided for Protocol Requirements for IP Modular Encryption (PRIME), an IPsec profile defined for public sector networks in the United Kingdom. PRIME uses AES-GCM rather than AES-CBC for IKEv2 negotiations. Both PRIME-128 and PRIME-256 cryptographic suites are supported.

    The following options are available:

    • The encryption-algorithm options aes-128-gcm and aes-256-gcm are available for proposals configured at the [edit security ike proposal proposal-name] hierarchy level.

    • Predefined proposals prime-128 and prime-256 are available at the [edit security ike policy policy-name proposal-set] and [edit security ipsec policy policy-name proposal-set] hierarchy levels.

    [See encryption-algorithm (Security IKE), proposal-set (Security IKE), proposal-set (Security IPsec), and Understanding Suite B and PRIME Cryptographic Suites.]

Release 12.3X48-D15 Software Features

Application Layer Gateways (ALGs)

  • 464XLAT ALG traffic support for SRX Series devices—Starting with Junos OS Release 12.3X48-D15, 464XLAT ALG traffic is supported for the FTP, RTSP, and PPTP ALGs. The 464XLAT architecture is a combination of stateless translation on the customer-side translator (CLAT) and stateful translation on the provider-side translator (PLAT). The 464XLAT architecture translates the packet information of a device using a combination of stateless translation (private IPv4 addresses to global IPv6 addresses, and vice versa) and stateful translation (IPv6 addresses to global IPv4 addresses, and vice versa).

    [See Understanding 464XLAT ALG Functionality and Understanding 464XLAT ALG Traffic Support.]

  • Scaling BLF support for UDP-based SIP ALG for SRX Series devices—Starting with Junos OS Release 12.3X48-D15, the SIP ALG supports 65,000-byte SIP messages on the UDP protocol. In the scaling Busy Lamp Field (BLF) application, if every instance is around 500 bytes, the SIP ALG supports 100 instances in one SIP UDP message.

    BLF support for UDP-based SIP ALG includes the following features:

    • The device can send and receive 65,000-byte SIP messages.

    • The SIP ALG can parse the 65,000-byte SIP messages and open the pinhole, if required.

    • The SIP ALG regenerates the new jumbo SIP message if NAT is configured and the payload is changed.

    [See Understanding Scaling Busy Lamp Field Support for the UDP-Based SIP ALG.]

Intrusion Detection Prevention (IDP)

  • New Pattern Matching Engine for SRX Series Devices—Starting with Junos OS Release 12.3X48-D15, a new pattern matching engine is introduced for the SRX Series IDP feature. This scanning mechanism helps improve performance and policy loading.

    Note

    Currently, there are no changes to the existing DFA. The device continues to accept custom signatures in the existing DFA syntax.

    When IDP performs a scheduled or automatic installation of a new signature update, a commit is performed. You can view this commit using the show system commit command, where it is listed as done "by root via other", as shown below:

    user@srx3600> show system commit

    [See show security idp policy-commit-status.]

Security Policies

  • Increase in number of address objects per policy for SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices—Starting with Junos OS Release 12.3X48-D15, the maximum number of address objects per policy increases from 1024 to 4096. The maximum number of policies per context increases from 10,240 to 40,000 for SRX3400 and SRX3600 devices, and from 10,240 to 80,000 for SRX5400, SRX5600, and SRX5800 devices.

    [See Best Practices for Defining Policies on SRX Series Devices.]

Release 12.3X48-D10 Software Features

Application Layer Gateways (ALGs)

  • MS-RPC ALG and Sun RPC ALG map table scaling for SRX Series devices—Starting with Junos OS Release 12.3X48-D10, the MS-RPC ALG and Sun RPC ALG dynamically allocate new mapping entries instead of using a default size (512 entries). They also offer a flexible time-based RPC mapping entry that removes the mapping entry (auto-clean) without affecting the associated active RPC sessions, including both control session and data session.

    [See Understanding Sun RPC ALGs and Understanding Microsoft RPC ALGs.]

Chassis Cluster

  • Dual active-backup IPsec VPN chassis clusters for SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices—Starting with Junos OS Release 12.3X48-D10, VPN tunnels can terminate on either node of an active/active chassis cluster pair. Both nodes in the chassis cluster can actively pass traffic through VPN tunnels at the same time.

    Note

    Z-mode flows occur when traffic enters an interface on a chassis cluster node, passes through the fabric link, and exits through an interface on the other cluster node. They are not supported with dual active-backup IPsec VPN chassis clusters.

    [See Understanding Dual Active-Backup IPsec VPN Chassis Clusters.]

Flow-Based and Packet-Based Processing

  • Allowing embedded ICMP packets for SRX Series devices—Starting with Junos OS Release 12.3X48-D10, security flow allows embedded ICMP packets to pass through your device even when there is no session match. By default, an embedded ICMP packet is dropped if it does not match any session. Use the allow-embedded-icmp statement at the [edit security flow] hierarchy level to enable this feature. Once enabled, all packets encapsulated in ICMP pass through and no policy affects this behavior. This feature is useful when you have asymmetric routing in your network and you want to use traceroute and other ICMP applications on your device.

    [See allow-embedded-icmp.]

  • Enhanced security flow session command for SRX Series devices—Starting with Junos OS Release 12.3X48-D10, the following updates have been made to the show security flow session command:

    • A new option, policy-id, allows you to query the flow session table by policy ID.

    • New output flags have been added in the command output. The three available flags are flag, natflag1, and natflag2.

    [See show security flow session and show security flow session policy-id.]

  • Express Path (formerly known as services offloading) on the SRX5000 line MPC for SRX5400, SRX5600, and SRX5800 devices—Starting with Junos OS Release 12.3X48-D10, the SRX5K-MPC supports Express Path. Express Path is a mechanism for processing fast-path packets in the Trio chipset instead of in the SPU. This method reduces the long packet-processing latency that arises when packets are forwarded from network processors to SPUs for processing and back to IOCs for transmission.

    The following features are supported:

    • Support inter- and intra-Packet Forwarding Engine Express Path for IPv4

    • Per-wing statistics counter of bytes and packets sent out over the wing

    • LAG interfaces

    • NAT for IPv4

    • Active and backup chassis cluster

    Note

    The services offloading feature is renamed to Express Path starting in Junos OS Release 12.3X48-D10. Currently, the documents still use the term services offloading.

    [See Express Path Overview.]

  • Improved session close log for SRX Series devices—Starting with Junos OS Release 12.3X48-D10, the session closed log message has been expanded to include information about the device sending the TCP RST. The new log message session closed TCP [client | server] RST simplifies troubleshooting by indicating whether it was the client or the server that sent the TCP RST.

    [See System Log Explorers.]
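The side that sent the RST is the first thing to look at when sessions close unexpectedly: a burst of server-side resets toward one service usually means the service is down or the port is closed, while client-side resets point at the initiators. The following Python script is an added example, not part of these release notes or of Junos; it tallies constructed session-close lines by the new reason wording. The sample lines copy the "session closed TCP [client | server] RST" text above into a simplified syslog layout, so the exact field layout of a real RT_FLOW_SESSION_CLOSE message is an assumption and the regular expression should be adapted to your device's output.

```python
"""Tally SRX session-close events by which side sent the TCP RST.

Added example, not Junos code. SAMPLE_LOG is constructed: it copies the
"session closed TCP [client | server] RST" wording from the release notes
into a simplified syslog line; the exact field layout of a real
RT_FLOW_SESSION_CLOSE message is an assumption, so adapt LINE_RE to it.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Jan  9 10:00:01 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP server RST: 10.1.1.5/50111->192.0.2.10/443
Jan  9 10:00:02 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP server RST: 10.1.1.6/50234->192.0.2.10/443
Jan  9 10:00:03 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP server RST: 10.1.1.7/50377->192.0.2.10/443
Jan  9 10:00:03 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP server RST: 10.1.1.8/50401->192.0.2.10/443
Jan  9 10:00:04 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP client RST: 10.1.1.5/50112->192.0.2.20/22
Jan  9 10:00:05 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.1.1.9/50500->192.0.2.30/80
Jan  9 10:00:06 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.9/50501->192.0.2.30/80
"""

# Captures the close reason and the endpoints; the reason alternation names
# the two new RST variants explicitly and falls back to any other reason text.
LINE_RE = re.compile(
    r"RT_FLOW_SESSION_CLOSE: session closed "
    r"(?P<reason>TCP (?:client|server) RST|[^:]+): "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_close_events(log_text: str) -> list:
    """Return one dict per session-close line; other messages are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def rst_summary(events: list) -> dict:
    """Count closes per reason and attribute RSTs to the side that sent them."""
    return {
        "by_reason": Counter(e["reason"] for e in events),
        # server RST: the destination refused or tore down the connection
        "server_rst_by_service": Counter(
            (e["dst"], e["dport"]) for e in events if e["reason"] == "TCP server RST"
        ),
        # client RST: the initiator aborted the connection itself
        "client_rst_by_source": Counter(
            e["src"] for e in events if e["reason"] == "TCP client RST"
        ),
    }


def services_resetting_clients(summary: dict, threshold: int = 3) -> list:
    """Services that sent at least `threshold` RSTs: a likely outage or a
    closed port, worth checking before suspecting the firewall policy."""
    return sorted(svc for svc, n in summary["server_rst_by_service"].items() if n >= threshold)


if __name__ == "__main__":
    summary = rst_summary(parse_close_events(SAMPLE_LOG))
    print(summary["by_reason"])
    print("services resetting clients:", services_resetting_clients(summary))
```

On the constructed sample, four of the six closes are server resets from 192.0.2.10 port 443, so that service is reported; the single client reset and the FIN are counted but not flagged.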

General Packet Radio Service (GPRS)

  • GTP GSN table ager for high-end SRX Series devices—Starting with Junos OS Release 12.3X48-D10, one SRX Series device supports 100,000 GSN entries per SPU and 250,000 GSN entries per CP. Prior to this release, each GSN entry was saved permanently: when subscribers accessed the home GPRS core network from other countries, the visiting GSNs were recorded, and those entries were not deleted when the subscribers returned home even though no further traffic passed through them, so frequent short-term roaming among countries could exhaust the GSN table. The GTP GSN table ager times out idle GSN entries, preventing inactive GSNs from taking up too much space.

    [See show security gprs gtp gsn statistics.]

  • SCTP association scaling for high-end SRX Series devices—Starting with Junos OS Release 12.3X48-D10, the capacity of SCTP is enhanced from 5000 associations to 20,000 associations per SPU.

    [See Understanding Stream Control Transmission Protocol.]

IP Tunneling

  • IPv6 tunneling control for SRX Series devices—Starting with Junos OS Release 12.3X48-D10, the IPv6 tunneling control feature introduces new screens for tunneled traffic based on user preferences. By default, all tunneling traffic is allowed by the screens unless the external IP encapsulation matches the block criteria of any existing screen. You must enable the screens to control, allow, or block the transit of tunneled traffic. The following new screens are introduced in this feature:

    • GRE 4in4 Tunnel

    • GRE 4in6 Tunnel

    • GRE 6in4 Tunnel

    • GRE 6in6 Tunnel

    • Bad Inner Header Tunnel

    • IPinIP 6to4relay Tunnel

    • IPinIP 6in4 Tunnel

    • IPinIP 6over4 Tunnel

    • IPinIP 4in6 Tunnel

    • IPinIP ISATAP Tunnel

    • IPinIP DS-Lite Tunnel

    • IPinIP 6in6 Tunnel

    • IPinIP 4in4 Tunnel

    • IPinUDP Teredo Tunnel

    [See Understanding Screen IPv6 Tunneling Control.]
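The screens above key on the outer header's protocol (or the GRE and UDP shim) and on whether the inner header is the IP version that encapsulation claims. The following Python script is an added illustration of those header checks, not Junos code: it builds constructed sample packets for the GRE, IPinIP and Teredo families and classifies them, reporting a mismatched inner version as the "bad inner header" case. Subtypes that are told apart only by inner address patterns (6to4 relay, ISATAP, 6over4, DS-Lite) are reported as the generic IPinIP family. The packets go beyond the page's list only in that they also show a plain, untunneled packet and a truncated one for contrast.

```python
"""Classify tunneled IP packets by the encapsulation their outer header shows.

Added illustration of the header checks behind the tunnel families listed
above; it is not Junos code. Header layouts follow RFC 791 (IPv4), RFC 8200
(IPv6), RFC 2784 (GRE) and RFC 4380 (Teredo, UDP port 3544). Subtypes that
are told apart only by inner address patterns (6to4 relay, ISATAP, 6over4,
DS-Lite) are reported here as the generic IPinIP family. All packets built
below are constructed samples.
"""
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_IPV6, IPPROTO_GRE = 4, 17, 41, 47
ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
TEREDO_PORT = 3544


def ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + payload


def ipv6(next_header: int, payload: bytes) -> bytes:
    """Minimal IPv6 header plus payload (documentation prefix 2001:db8::/32)."""
    src = bytes.fromhex("20010db8" + "00" * 12)
    dst = bytes.fromhex("20010db8" + "00" * 11 + "01")
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64, src, dst) + payload


def gre(ethertype: int, payload: bytes) -> bytes:
    """Basic 4-byte GRE header: no checksum, key or sequence number."""
    return struct.pack("!HH", 0, ethertype) + payload


def udp(dport: int, payload: bytes) -> bytes:
    """UDP header with a fixed source port and zero checksum."""
    return struct.pack("!HHHH", 54321, dport, 8 + len(payload), 0) + payload


def _version(data: bytes):
    return data[0] >> 4 if data else None


def _outer(pkt: bytes):
    """Split the outer header: (ip version, protocol/next header, inner bytes)."""
    v = _version(pkt)
    if v == 4 and len(pkt) >= 20:
        ihl = (pkt[0] & 0x0F) * 4
        return 4, pkt[9], pkt[ihl:]
    if v == 6 and len(pkt) >= 40:
        return 6, pkt[6], pkt[40:]  # IPv6 extension headers are not walked here
    return None


def classify(pkt: bytes) -> str:
    """Name the tunnel family a screen would match, or why it would not."""
    outer = _outer(pkt)
    if outer is None:
        return "malformed"
    ov, proto, inner = outer
    if proto == IPPROTO_GRE:
        if len(inner) < 4:
            return "bad inner header"
        ethertype = struct.unpack("!H", inner[2:4])[0]
        expected = {ETHERTYPE_IPV4: 4, ETHERTYPE_IPV6: 6}.get(ethertype)
        if expected is None:
            return "GRE non-IP payload"
        iv = _version(inner[4:])
        return f"GRE {expected}in{ov}" if iv == expected else "bad inner header"
    if proto in (IPPROTO_IPIP, IPPROTO_IPV6):
        # "XinY" reads as: X (inner version) carried in Y (outer version)
        expected = 4 if proto == IPPROTO_IPIP else 6
        iv = _version(inner)
        return f"IPinIP {expected}in{ov}" if iv == expected else "bad inner header"
    if ov == 4 and proto == IPPROTO_UDP and len(inner) >= 8:
        dport = struct.unpack("!H", inner[2:4])[0]
        if dport == TEREDO_PORT:
            return "IPinUDP Teredo" if _version(inner[8:]) == 6 else "bad inner header"
    return "not tunneled"


# Constructed samples: one per family plus a bad-inner-header and a plain packet.
SAMPLES = {
    "gre_6in4": ipv4(IPPROTO_GRE, gre(ETHERTYPE_IPV6, ipv6(IPPROTO_UDP, b""))),
    "gre_4in6": ipv6(IPPROTO_GRE, gre(ETHERTYPE_IPV4, ipv4(IPPROTO_UDP, b""))),
    "ipinip_4in6": ipv6(IPPROTO_IPIP, ipv4(IPPROTO_UDP, b"")),
    "ipinip_6in4": ipv4(IPPROTO_IPV6, ipv6(IPPROTO_UDP, b"")),
    "teredo": ipv4(IPPROTO_UDP, udp(TEREDO_PORT, ipv6(IPPROTO_UDP, b""))),
    "bad_inner": ipv4(IPPROTO_IPV6, ipv4(IPPROTO_UDP, b"")),  # claims IPv6, carries IPv4
    "plain_dns": ipv4(IPPROTO_UDP, udp(53, b"")),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12s} -> {classify(pkt)}")
```

The naming convention matches the screen list: "6in4" is IPv6 carried inside IPv4, "4in6" the reverse. The bad_inner sample is an IPv4 packet whose protocol field promises IPv6 (41) but whose payload starts with an IPv4 header, which is the mismatch the Bad Inner Header screen is there to catch.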

IPv6

  • Transparent mode for IPv6 support extended for SRX Series devices—Transparent mode for IPv6 was previously supported only on high-end SRX Series devices. Starting with Junos OS Release 12.3X48-D10, transparent mode for IPv6 is also supported on all branch SRX Series devices.

    [See Understanding IPv6 Flows in Transparent Mode.]

Layer 2 Features

  • Secure wire mode and mixed mode (Layer 2 and Layer 3) support for SRX Series devices—Starting with Junos OS Release 12.3X48-D10, secure wire mode and mixed mode are supported; interfaces of the two modes use the same interface type, and there is no cross talk between them. You can configure both Layer 2 and Layer 3 interfaces simultaneously using separate security zones. There is no routing among IRB interfaces or between IRB interfaces and Layer 3 interfaces. User logical systems are not supported for Layer 2 traffic; however, you can configure the Layer 2 interface in the root logical system.

    As with mixed mode, in secure wire mode you can configure both Layer 3 and secure wire interfaces simultaneously. In fact, you can configure Layer 3, Layer 2, and secure wire interfaces simultaneously, without traffic cross talk between any two of the three configured interfaces.

    [See Understanding Mixed Mode (Transparent and Route Mode).]

Network Address Translation (NAT)

  • NAT64 IPv6 prefix to IPv4 address persistent translation for SRX Series devices—Starting with Junos OS Release 12.3X48-D10, this feature, which is targeted at IPv6 mobile networks, is used with the dual-translation mechanism, 464XLAT, to enable IPv4 services to work over IPv6-only networks. It augments the existing NAT64 mechanism, which enables IPv6 clients to contact IPv4 servers by translating IPv6 addresses to IPv4 addresses (and vice versa). However, the existing NAT64 mechanism does not ensure a sticky mapping relationship for one unique end user. By configuring the new address-persistent option with a specific IPv6 prefix length for NAT64 translations in an IPv4 source NAT pool, a sticky mapping relationship is ensured between one specific IPv6 prefix and one translated IPv4 address.

    [See Understanding NAT64 IPv6 Prefix to IPv4 Address-Persistent Translation.]
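What "sticky" means in practice is easiest to see side by side: without persistence, every IPv6 source address gets its own pool address, so the hosts behind one 464XLAT CLAT (which share one IPv6 prefix) scatter across the IPv4 pool; with persistence keyed on a prefix length, they all translate to the same IPv4 address. The following Python script is an added model of that behaviour, not Juniper's implementation and not the device's allocation algorithm: the pool, prefix length and client addresses are constructed sample values, and round-robin allocation stands in for whatever the real pool does.

```python
"""Model of NAT64 address persistence keyed on an IPv6 prefix.

Added illustration, not Juniper's implementation: a small IPv4 source NAT pool
whose mapping key is the client's IPv6 prefix of a configured length, so that
every source inside that prefix (for example, the whole block behind one
464XLAT CLAT) keeps the same translated IPv4 address. Addresses and prefix
lengths below are constructed sample values.
"""
import ipaddress
from typing import Optional, Union

IPv6Key = Union[ipaddress.IPv6Address, ipaddress.IPv6Network]


class Nat64Pool:
    """IPv4 source pool with an optional address-persistent prefix length."""

    def __init__(self, ipv4_pool: str, persist_prefix_len: Optional[int] = None):
        self.addresses = list(ipaddress.ip_network(ipv4_pool).hosts())
        self.prefix_len = persist_prefix_len
        self.mapping: dict = {}
        self.next_idx = 0  # round-robin allocation stands in for the pool's own policy

    def _key(self, src6: str) -> IPv6Key:
        addr = ipaddress.IPv6Address(src6)
        if self.prefix_len is None:
            return addr  # plain NAT64: each IPv6 address gets its own mapping
        # address-persistent: mask the host bits so the whole /N shares one key
        return ipaddress.IPv6Network((addr, self.prefix_len), strict=False)

    def translate(self, src6: str) -> ipaddress.IPv4Address:
        """Return the IPv4 address used for this IPv6 source, allocating on first use."""
        key = self._key(src6)
        if key not in self.mapping:
            self.mapping[key] = self.addresses[self.next_idx % len(self.addresses)]
            self.next_idx += 1
        return self.mapping[key]


def compare_persistence(sources, ipv4_pool="203.0.113.0/29", prefix_len=64):
    """Translate the same sources through a sticky and a non-sticky pool so the
    difference is visible side by side."""
    sticky = Nat64Pool(ipv4_pool, persist_prefix_len=prefix_len)
    plain = Nat64Pool(ipv4_pool)
    return {
        "sticky": {s: str(sticky.translate(s)) for s in sources},
        "plain": {s: str(plain.translate(s)) for s in sources},
    }


if __name__ == "__main__":
    # constructed: two hosts behind one /64 CLAT and one host in another /64
    hosts = ["2001:db8:1:1::10", "2001:db8:1:1::20", "2001:db8:1:2::10"]
    for mode, table in compare_persistence(hosts).items():
        print(mode, table)
```

With the sample /64, the two hosts in 2001:db8:1:1::/64 share 203.0.113.1 under the sticky pool while the host in the neighbouring /64 gets 203.0.113.2; the plain pool hands each of the three its own address. The prefix length is the knob: too short and unrelated subscribers collide on one IPv4 address, too long and the stickiness no longer covers a CLAT's whole block.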

PKI

  • Digital certificate validation for SRX Series devices—Starting with Junos OS Release 12.3X48-D10, the PKI daemon on SRX Series devices performs X.509 certificate policy, path, key usage, and distinguished name validation, as specified in RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

    [See Understanding Digital Certificate Validation.]

Routing Protocols

  • Virtual Router Redundancy Protocol version 3 (VRRPv3) for branch SRX Series devices—Starting with Junos OS Release 12.3X48-D10, VRRP provides one or more backup devices for a statically configured device on a LAN. The devices share a virtual IP address, with one device designated as the primary device and the others as backups.

    VRRPv3 covers both IPv4 and IPv6: it supports IPv4 and IPv6 VRRP groups, including IPv6 traps. When you configure VRRP IPv6 groups, you must set the virtual-link-local-address or link-local-address value explicitly. Otherwise, the address is automatically generated.

    To enable VRRPv3, set the version-3 statement at the [edit protocols vrrp] hierarchy level.

    Note

    To avoid having multiple primary devices in the network, VRRPv3 IPv4 devices switch to the backup state when they receive a VRRPv2 IPv4 advertisement packet. Additionally, to avoid multiple primary devices in your IPv6 network caused by checksum differences, disable VRRP for IPv6 on the backup devices before you perform the VRRPv2 to VRRPv3 upgrade.

    Note

    When you enable VRRPv3, ensure that the protocol is enabled on all the VRRP devices in the network. This is because VRRPv3 does not interoperate with previous versions of VRRP.

    [See Junos OS Support for VRRPv3.]

Security

  • Secure wire interface mode and forwarding for SRX Series devices—Starting with Junos OS Release 12.3X48-D10, secure wire allows interfaces to be mapped one-to-one for ingress-to-egress forwarding. It differs from transparent and route modes in that there is no switching or routing lookup to forward traffic. Policies and upper-layer security features permit traffic to be forwarded through the device.

    This feature is available on Ethernet logical interfaces; both IPv4 and IPv6 addresses are supported. You can configure interfaces for access or trunk mode. Secure wire supports chassis cluster redundant Ethernet interfaces and virtual LAN tagging, but it does not support IRB interfaces. This feature does not support security features not supported in transparent mode, including NAT and IPsec VPN. It does support Layer 7 features, including AppSecure, IPS, and UTM.

    [See Understanding Secure Wire.]

Unified Threat Management (UTM)

  • Redirect Web filtering support for SRX Series devices—The redirect Web filtering solution intercepts HTTP requests and sends them to an external URL filtering server, provided by Websense, to determine whether to block or permit the requests.

    [See Understanding Redirect Web Filtering.]

VPNs

  • Auto Discovery VPN (ADVPN) protocol for SRX Series devices—Starting with Junos OS Release 12.3X48-D10, AutoVPN deployments can use the ADVPN protocol to dynamically establish spoke-to-spoke VPN tunnels. When passing traffic from one spoke to another spoke, the hub can suggest that the spokes establish a direct security association, or "shortcut," between each other. Shortcuts can be established and torn down dynamically, resulting in better network resource utilization and reduced reliance on a centrally located hub.

    On the hub, configure advpn suggester at the [edit security ike gateway gateway-name] hierarchy level. On spokes, configure advpn partner at the [edit security ike gateway gateway-name] hierarchy level. ADVPN is supported with IKEv2 only.

    [See Understanding Auto Discovery VPN.]

  • AutoVPN with traffic selectors for SRX Series devices—Starting with Junos OS Release 12.3X48-D10, AutoVPN hubs can be configured with multiple traffic selectors. This allows hubs to advertise spoke networks with different metrics.

    This feature includes the following added functionality:

    • AutoVPN hubs with traffic selectors can be configured with the st0 interface in point-to-point mode for both IKEv1 and IKEv2.

      Note

      Dynamic routing protocols are not supported with traffic selectors with st0 interfaces in point-to-point mode.

    • Traffic selectors are configured on the hub to protect traffic to spokes. Spokes can be non-SRX Series devices.

    [See Understanding AutoVPN with Traffic Selectors.]

  • Enhanced VPN support for inactive-tunnel reporting and syslog for SRX Series devices—Starting with Junos OS Release 12.3X48-D10, debugging of VPN issues has been simplified. You no longer need to enable per-tunnel debugging from the CLI, delete the traceoptions configuration stanza after data collection is complete, and then commit that change. Debugging can now be performed through Junos OS operational commands with the following VPN enhancements:

    • Information shown in the output of the show security ipsec inactive-tunnel command

    • System log messages

    [See Understanding Tunnel Events.]