Changes in Behavior and Syntax

 

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 15.1X49-D210.

Application Security

  • In Junos OS Release 15.1X49-D210, you can configure a maximum memory limit for deep packet inspection (DPI) by using the following configuration statement:

    You can set the memory value from 1 through 200000 MB.

    Once the JDPI memory consumption reaches 90% of the configured value, DPI stops processing new sessions.

  • In Junos OS Release 15.1X49-D210, you can limit the application identification inspection as follows:

    • Inspection Limit for TCP and UDP Sessions

      You can set the byte limit and the packet limit for application identification (AppID) in a UDP or in a TCP session. AppID concludes the classification based on the configured inspection limit. On exceeding the limit, AppID terminates the application classification.

      If AppID does not conclude the final classification within the configured limits, and a pre-matched application is available, AppID concludes the application as the pre-matched application. Otherwise, the application is concluded as junos:UNKNOWN provided the global AppID cache is enabled. The global AppID cache is enabled by default.

      To configure the byte limit and the packet limit, use the following configuration statements from the [edit] hierarchy level:

      Table 1 provides the range and default value for configuring the byte limit and the packet limit for TCP and UDP sessions.

      Table 1: Maximum Byte Limit and Packet Limit for TCP and UDP Sessions

      Session | Limit        | Range                | Default Value
      --------|--------------|----------------------|--------------------------------------------------------------------
      TCP     | Byte limit   | 0 through 4294967295 | 6000 (for Junos OS Release 15.1X49-D200, the default value is 10000)
      TCP     | Packet limit | 0 through 4294967295 | Zero
      UDP     | Byte limit   | 0 through 4294967295 | Zero
      UDP     | Packet limit | 0 through 4294967295 | 10 (for Junos OS Release 15.1X49-D200, the default value is 20)

      The byte limit excludes the IP header and the TCP/UDP header lengths.

      If you set both the byte-limit and the packet-limit options, AppID inspects the session until both limits are reached.

      You can disable the TCP or UDP inspection limit by configuring the corresponding byte-limit and the packet-limit values to zero.

    • Global Offload Byte Limit (Other Sessions)

      You can set the byte limit for the AppID to conclude the classification and identify the application in a session. On exceeding the limit, AppID terminates the application classification and takes one of the following decisions:

      • If a pre-matched application is available, AppID concludes the application classification as the pre-matched application in the following cases:

        • When AppID does not conclude the final classification within the configured byte limit

        • When the session is not offloaded due to tunnelling behavior of some applications

      • If a pre-matched application is not available, AppID concludes the application as junos:UNKNOWN, if the global AppID cache is enabled. The global AppID cache is enabled by default. See Enabling or Disabling Application System Cache for Application Services.

      To configure the byte limit, use the following configuration statement from the [edit] hierarchy:

      The default value for the global-offload-byte-limit option is 10000.

      You can disable the global offload byte limit by configuring the global-offload-byte-limit value to zero.

      The byte limit excludes the IP header and the TCP/UDP header lengths.

    • Starting in Junos OS Release 15.1X49-D210R1, the maximum packet threshold option for DPI performance mode, set services application-identification enable-performance-mode max-packet-threshold value, is deprecated rather than immediately removed, to provide backward compatibility and an opportunity to bring your configuration into compliance with the new configuration. This option was used for setting the maximum packet threshold for the DPI performance mode.

      If your configuration has the performance mode option enabled with a max-packet-threshold value, AppID concludes the application classification on reaching the lowest value configured in the TCP or UDP inspection limit, in the global offload byte limit, or in the maximum packet threshold for DPI performance mode option.

    [See Application Identification Inspection Limit and application-identification]
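
    The TCP and UDP inspection-limit rules described above, modelled as an added example (not Juniper code) for checking at which packet classification ends and what result a policy will see. Assumptions: a limit counts as reached when the counter is greater than or equal to it, a single zero value means that one limit is not set, and the Packet record, the sample sessions and the junos:SSL pre-match are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

UNKNOWN = "junos:UNKNOWN"
# (byte_limit, packet_limit) defaults from Table 1 for Release 15.1X49-D210
DEFAULTS = {"tcp": (6000, 0), "udp": (0, 10)}

@dataclass
class Packet:              # hypothetical record used only by this model
    total_len: int         # whole IP packet, in bytes
    ip_hdr: int = 20       # IP header length
    l4_hdr: int = 20       # TCP or UDP header length

    @property
    def payload(self) -> int:
        # The byte limit excludes the IP and TCP/UDP header lengths.
        return self.total_len - self.ip_hdr - self.l4_hdr

def limit_reached(byte_limit: int, packet_limit: int,
                  payload_bytes: int, packets: int) -> bool:
    if byte_limit == 0 and packet_limit == 0:
        return False       # both zero: the inspection limit is disabled
    # Assumption: a single zero value means that one limit is not set.
    bytes_done = byte_limit == 0 or payload_bytes >= byte_limit
    packets_done = packet_limit == 0 or packets >= packet_limit
    return bytes_done and packets_done   # every configured limit must be reached

def packets_inspected(pkts: Iterable[Packet], byte_limit: int,
                      packet_limit: int) -> Optional[int]:
    """Packet count at which the limit ends inspection, or None if never."""
    seen = 0
    for count, pkt in enumerate(pkts, start=1):
        seen += pkt.payload
        if limit_reached(byte_limit, packet_limit, seen, count):
            return count
    return None

def conclude(final_match: Optional[str], pre_match: Optional[str],
             cache_enabled: bool = True) -> Optional[str]:
    """Result once inspection ends; None where the page states no outcome."""
    if final_match:
        return final_match
    if pre_match:
        return pre_match   # fall back to the pre-matched application
    return UNKNOWN if cache_enabled else None

# Constructed sample sessions: 12 full-size TCP packets, 12 small UDP packets.
SAMPLE_TCP = [Packet(1500) for _ in range(12)]
SAMPLE_UDP = [Packet(528, l4_hdr=8) for _ in range(12)]
```

    With the D210 defaults the TCP sample stops after 5 packets and the UDP sample after 10, so any policy that depends on a later-identified application sees the pre-match or junos:UNKNOWN instead.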

Flow-Based and Packet-Based Processing

  • Equal-cost multipath (ECMP) is used to load-balance traffic by using equal-cost routes. However, enabling this feature on SRX Series devices and vSRX instances does not result in load balancing when the next hops are reachable through different nodes in a chassis cluster. Use the set security flow no-local-favor-ecmp command to allow route selection on both nodes. After you run this command, load balancing will work even if the outgoing interfaces are active on different nodes. For more information, see KB article KB35365.