New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 15.1X49-D100 for the SRX Series devices.

Release 15.1X49-D100 Software Features

AppSecure

  • AppTrack enhancements to support APBR for SRX Series devices and vSRX instances—Starting from Junos OS Release 15.1X49-D100, the AppTrack feature is enhanced to include advanced policy-based routing (APBR) details. AppTrack, an application tracking tool, collects byte, packet, and duration statistics for application flows in the specified zone. As a part of the enhancement to support APBR, AppTrack syslog messages now include destination interface details. A new AppTrack syslog message is introduced to include APBR profile, rule, and routing instance details. This message is generated for the session when APBR is applied to the session.

    In addition, the show security application-tracking counters command, which displays AppTrack counters, is updated to include a new counter to indicate the number of times a new route update log is generated.

    [See show security application-tracking counters and Understanding AppTrack.]

  • New cipher support on SSL proxy on SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices, and vSRX instances–Starting in Junos OS Release 15.1X49-D100, new ECDHE (Elliptic Curve DHE) ciphers and RSA ciphers are introduced along with the existing ciphers in SSL proxy. The newly added ECDHE ciphers enable Perfect Forward Secrecy (PFS) on SSL proxy.

    [See SSL Proxy Overview.]

Class of Service (CoS)

  • Support for port-based egress traffic shaping on SRX Series devices— Starting with Junos OS Release 15.1X49-D100, you can configure egress traffic shaping at the physical port level, which limits the egress traffic rate of all logical interfaces on the port.

    [See shaping-rate (CoS Interfaces).]

  • Support for CoS on dl0 Interface on SRX320, SRX340, SRX345, and SRX550M devices— Starting with Junos OS Release 15.1X49-D100, you can configure the following class of service (CoS) features on the dl0 interface for 4G wireless modems: behavior aggregate classifiers, multifield classifiers, policers, shapers, schedulers, and rewrite rules. The dialer interface, dl0, is a logical interface for configuring properties for modem connections.

    [See LTE Mini-PIM Overview.]

  • Support CoS on Logical Tunnel Interface in a Chassis Cluster on SRX300, SRX320, SRX340, SRX345, and SRX550M devices— Starting with Junos OS Release 15.1X49-D100, queuing is supported on logical tunnel (LT) interfaces to allow CoS configuration.

    [See Class of Service.]

Dynamic Host Configuration Protocol (DHCP)

  • DHCPv6 enhancements to support RFC 6177 for SRX Series devices— Starting with Junos OS Release 15.1X49-D100, new CLI commands are introduced to configure preferred prefix length and sub-prefix length in clients. A delegating router (DHCPv6 server) is provided with IPv6 prefixes and a requesting router (DHCPv6 client) requests one or more prefixes from the delegating router. When the client receives a valid DHCPv6 block it must then delegate to all active interfaces using a sub-prefix delegation.

    [See Administration Guide.]

Flow and Processing

  • Support for distributed BFD on SRX300, SRX320, SRX340, SRX345, and SRX1500—Starting with Junos OS Release 15.1X49-D100, distributed Bidirectional Forwarding Detection (BFD) is supported. The distributed BFD protocol is a simple hello mechanism that detects failures in a network. Hello packets are sent at a specified, regular interval. A neighbor failure is detected when the routing device stops receiving a reply after a specified interval.

    The support for distributed BFD results in the following session scaling improvements:

    1. Up to four sessions on SRX300 and SRX320 devices
    2. Up to 50 sessions on SRX340 and SRX345 devices
    3. Up to 120 sessions on SRX1500 devices

    The supported failure detection interval has improved.

    To enable distributed BFD on the SRX340, SRX345, and SRX1500, use the set chassis dedicated-ukern-cpu command.

    To enable distributed BFD on the SRX300 and SRX320, use the set chassis realtime-ukern-thread command.

    [See Understanding BFD for Static Routes for Faster Network Failure Detection, Understanding Distributed BFD, dedicated-ukern-cpu (BFD), and realtime-ukern-thread (BFD).]

  • Preserving incoming fragment characteristics for SRX Series devices—Starting in Junos OS Release 15.1X49-D100, you can enable this feature to diminish the likelihood of packet fragmentation in the downstream data path. When the SRX Series device receives packet fragments, it must reassemble them into the whole datagram for application layer inspection. Before the datagram is transmitted, it must be broken down again into fragments. If this feature is enabled, the SRX Series device takes into account the characteristics of incoming fragments when setting the egress interface maximum transmission unit (MTU) size. It identifies the maximum fragment size of all incoming fragments and compares it with the existing MTU of the egress interface. It takes the smaller of the two numbers and uses it for the egress interface MTU size.

    [See Understanding How Preserving Incoming Fragmentation Characteristics Can Improve Throughput.]
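
The MTU selection rule described above can be modelled in a few lines. This is an added example, not Junos OS code: the function names are hypothetical, the sample sizes are constructed, and it assumes IPv4 with a 20-byte header and no options.

```python
IP_HEADER = 20  # assumption: IPv4 header without options


def fragment(payload_len, mtu):
    """Split a datagram payload into IPv4 fragments; return on-wire sizes."""
    # Every fragment except the last carries a multiple of 8 payload bytes.
    per_fragment = (mtu - IP_HEADER) // 8 * 8
    sizes = []
    remaining = payload_len
    while remaining > 0:
        chunk = min(per_fragment, remaining)
        sizes.append(chunk + IP_HEADER)
        remaining -= chunk
    return sizes


def egress_mtu(incoming_sizes, interface_mtu, preserve):
    """Smaller of the largest incoming fragment and the interface MTU."""
    if not preserve:
        return interface_mtu
    return min(max(incoming_sizes), interface_mtu)


def forward(incoming_sizes, interface_mtu, preserve):
    """Reassemble for inspection, then re-fragment for the egress interface."""
    payload = sum(size - IP_HEADER for size in incoming_sizes)
    return fragment(payload, egress_mtu(incoming_sizes, interface_mtu, preserve))


def oversized(sizes, path_mtu):
    """Count fragments a downstream link with path_mtu would fragment again."""
    return sum(1 for size in sizes if size > path_mtu)


if __name__ == "__main__":
    # Constructed case: a 4000-byte payload already fragmented by a
    # 1400-byte upstream link; the egress interface MTU is 1500.
    incoming = fragment(4000, 1400)
    for preserve in (False, True):
        out = forward(incoming, 1500, preserve)
        print(preserve, out, "re-fragmented downstream:", oversized(out, 1400))
```

With the feature off, the model re-fragments at 1500 bytes and two of the three fragments exceed a 1400-byte downstream link; with it on, the outgoing fragments match the incoming sizes.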

GPRS

  • Support for IPv6 address validation on user equipment for SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, SRX5800 devices and vSRX instances—Starting with Junos OS Release 15.1X49-D100, the device supports IPv6 address validation on a user equipment (for example, a cellphone). The user equipment accesses data through the mobile core network, and the information is carried in the GTP tunnel by GTP-U packets. The IP address of the user equipment is allocated during the GTP user tunnel creation. User equipment supports both IPv4 and IPv6 address types.

    [See Understanding IP Address Validation on GTP.]

Installation and Upgrade

  • Support for SSD slot on SRX340, SRX345, and SRX550M devices—Starting in Junos OS Release 15.1X49-D100, the SSD slot in the device supports adding an external SSD disk for additional storage of log messages.

    [See Hardware Overview of SRX Series Services Gateways.]

  • Zero Touch Provisioning on SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 devices– Starting from Junos OS 15.1X49-D100, ZTP is supported to automate the provisioning of the device configuration and software image with little or no manual intervention.

    ZTP on SRX Series devices is responsible for the initial bootup and configuration of the device when the device is powered on. When the SRX Series device boots up with the factory-default configuration, it connects to the server over the Internet and downloads the initial configuration and the latest Junos OS image from the server. The new image is installed first and then the initial configuration is applied and committed on the SRX Series device.

    [See Configuring Zero Touch Provisioning on SRX Series Devices.]

Integrated User Firewall

  • Advanced user identity query for SRX Series devices—Starting in Junos OS Release 15.1X49-D100, you can use the advanced user identities query feature which provides a solution that allows you to provision users locally and have their authentication information made available throughout your network for policy enforcement and reporting.

    This feature:

    • Relies on the Juniper Identity Management Service (JIMS) from which the SRX Series device obtains the user identity information.
    • Allows you to obtain identity information for a range of users or, similar to the Aruba ClearPass query function, for an authenticated user based on the user’s IP address.

    [See Understanding the Advanced Query Feature for SRX Series Active Directory and Aruba ClearPass User Firewall Authentication.]

  • Timeout parameters for unauthenticated user authentication table entries for SRX Series devices—Starting in Junos OS Release 15.1X49-D100, you can configure separate timeout values for invalid user authentication table entries. User entries for both active directory and Aruba ClearPass contain a timeout value after which the entry expires. When an invalid entry is created for an unauthenticated user attempting to log in, the current timeout value, which applies to all entries, applies to it. Active directory probes the unauthenticated user’s workstation for identity information. SRX Series queries ClearPass for the authentication information. While the probe or query is taking place, the timeout value for the invalid user entry is counting down. To ensure that an invalid user entry does not expire during this period, this feature introduces new timeout parameters specifically for invalid user entries. Because they are separate features, individual entries are defined for Aruba ClearPass and for active directory. The active directory authentication table is a repository for both integrated user firewall and captive portal authentication.

    [See Understanding the Invalid Authentication Table Entry Timeout Setting.]

Interfaces

  • LTE support on SRX320, SRX340, SRX345, and SRX550M Services Gateways—Starting with Junos OS Release 15.1X49-D100, wireless WAN connectivity over 3G and 4G/LTE networks is supported. The connectivity is provided by the LTE Mini-Physical Interface Module (Mini-PIM), which can be configured as a primary WAN or as a backup WAN to the primary wired network for the services gateways.

    [See Interfaces Feature Guide for Security Devices.]

  • MACsec support on SRX300, SRX320, SRX340, and SRX345 devices—Starting in Junos OS Release 15.1X49-D100, Media Access Control Security (MACsec) is supported on all MACsec-capable ports of SRX300, SRX320, SRX340, and SRX345 devices.

    On SRX300 line devices, static secure association key (SAK) and connectivity association key (CAK) are supported to secure the control and fabric links. The following ports support MACsec:

    • SRX300 and SRX320: 2 ports (on two fixed SFP interfaces)
    • SRX340 and SRX345: 16 ports (on eight fixed SFP interfaces + eight fixed Ethernet ports)

    [See Understanding Media Access Control Security (MACsec).]

  • PPPoE support on SRX Series devices and vSRX instances—Starting in Junos OS Release 15.1X49-D100, SRX Series devices and vSRX support Point-to-Point Protocol over Ethernet (PPPoE). You can connect multiple hosts on an Ethernet LAN to a remote site through a single customer premises equipment (CPE) device. The hosts share a common digital subscriber line (DSL), a cable modem, or a wireless connection to the Internet.

    [See Understanding PPPoE Interfaces.]

  • RFC 4638 support for SRX300, SRX320, SRX340, SRX345, and SRX550M devices— Starting in Junos OS Release 15.1X49-D100, you can use the PPP-Max-Payload option to override the default behavior of the PPPoE client by providing a maximum size that the PPP payload can support in both sending and receiving directions. The PPPoE server might allow the negotiation of an MRU larger than 1492 and the use of an MTU larger than 1492.

    [See Understanding MTU and MRU Configuration for PPP Subscribers.]

J-Web

  • J-Web support for Mini PIM FRU and integrated Mini PIM on SRX platforms—Starting with Junos OS Release 15.1X49-D100, J-Web will support Mini PIM FRU and integrated Mini PIM on SRX320, SRX340, SRX345 and SRX550M, and SRX320 and SRX320 PoE platforms.
  • J-Web support for on-box reporting and other enhancements on SRX platforms—Starting with Junos OS Release 15.1X49-D100, J-Web will support on-box reporting, such as application and user usage, log mode stream, threat report, high risk application report, URL report, IPS report, virus report, botnet report, advance malware report, and user Firewall. J-Web GUI is enhanced for a better user experience and new dashboard widgets are added on SRX300, SRX320, SRX340, SRX345, SRX320-poe, SRX550M, SRX1500, SRX4100, and SRX4200 platforms.

    The on-box reporting feature is enabled by default when you load the factory-default configurations on the SRX Series device with Junos OS Release 15.1X49-D100 or later.

    If you are upgrading your device from a Junos OS Release prior to Junos OS 15.1X49-D100, then the device inherits the existing configuration and the on-box reporting feature is disabled by default. You need to run the set security log report command and the set security log mode stream command to enable the on-box reporting feature on the device.

    Alternatively, using J-Web, you can enable these commands on the Configure > Device Setup > Basic Settings > Logging page.

  • J-Web support for SSL Proxy and User Firewall on SRX platforms—Starting with Junos OS Release 15.1X49-D100, J-Web will support SSL Proxy (SSL Forward Proxy Profile, Associate proxy profile to a security policy) and User Firewall (UserFW captive portal HTTPS redirect support, Active Directory profile) on SRX1500, SRX300, SRX320, SRX340, SRX345, SRX320-poe, SRX4100, and SRX4200 platforms.

Network Management and Monitoring

  • SNMP support for monitoring GRE keepalive status for all SRX Series devices and vSRX instances—Starting with Junos OS Release 15.1X49-D100, you can monitor generic routing encapsulation (GRE) interface status using remote network management. In earlier releases, you had to use a CLI command to check GRE keepalive status. Now the SNMP MIB jnxOamMibRoot helps you to monitor GRE keepalive status using remote network management. When GRE keepalive status is changed, this SNMP MIB generates SNMP trap jnxOamGreKeepAliveTrapVars to send notifications.

    [See Enterprise-Specific SNMP MIBs Supported by Junos OS.]

System Logs

  • On-box reporting support on SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200 devices, and vSRX instances—Starting with Junos OS Release 15.1X49-D100, the existing on-box logging functionality is modified to collect system traffic logs, analyze the logs, and generate reports of these logs in the form of tables and graphs using the CLI.

    This feature is enabled by default when you load the factory-default configurations on the SRX Series device with Junos OS Release 15.1X49-D100 or later.

    If you are upgrading your device from a Junos OS Release prior to Junos OS 15.1X49-D100, then the device inherits the existing configuration and the on-box reporting feature is disabled by default. You need to run the set security log report command and the set security log mode stream command to enable the on-box reporting feature on the device.

    The feature allows the IT management teams to identify security information at a glance to quickly decide actions to be taken.

    [See System Log Monitoring and Troubleshooting Guide for Security.]

Unified Threat Management (UTM)

  • IPv6 support for UTM features on SRX Series devices—Starting in Junos OS Release 15.1X49-D100, IPv6 pass-through traffic for HTTP, HTTPS, FTP, SMTP, POP3, IMAP protocols is supported for Sophos antivirus, Web filtering and Content filtering security features of UTM.

    [See Unified Threat Management Overview.]

VPN

  • Support for SSL remote access VPNs by encapsulating IPsec traffic over TCP connections on SRX5400, SRX5600, and SRX5800 devices—Starting with Junos OS Release 15.1X49-D100, SSL VPN connections from users running third-party NCP Exclusive Remote Access Client on Windows and MAC OS devices are supported. In many public hotspot environments, UDP traffic is blocked while TCP connections are allowed. To support these environments, SRX Series devices can encapsulate IPsec messages within a TCP connection. This implementation is compatible with the NCP Exclusive Remote Access Client, which can be downloaded from https://www.ncp-e.com/ncp-exclusive-remote-access-client/. A two-user license is supplied by default on SRX Series devices; a license must be purchased and installed for additional users.

    [See Understanding SSL Remote Access VPNs with NCP Exclusive Remote Access Client.]

  • Traffic selectors supported for IKEv2 site-to-site VPNs on SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices and vSRX instances—Starting with Junos OS Release 15.1X49-D100, traffic selectors can be configured with IKEv2 site-to-site VPNs. A traffic selector is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses. Only traffic that conforms to a traffic selector is permitted through a security association (SA).

    [See Understanding Traffic Selectors in Route-Based VPNs.]

Release 15.1X49-D100 Hardware Features

Hardware

  • The LTE Mini-Physical Interface Module (Mini-PIM) provides LTE support on the SRX320, SRX340, SRX345, and SRX550M devices. The LTE Mini-PIM supports wireless WAN connectivity over both 3G and 4G/LTE networks, and is available in two models based on the operating region:
    • SRX-MP-LTE-AE (North America and European Union)
    • SRX-MP-LTE-AA (Asia and Australia)

    The Mini-PIM supports up to two SIM cards and can be installed in any of the Mini-PIM slots on the devices. You can configure the Mini-PIM as a primary WAN or as a backup WAN to the primary wired network.

Modified: 2017-07-19