
New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 15.1X49-D80 for the SRX Series devices.

Release 15.1X49-D80 Software Features

AppSecure

  • SSL Forward Proxy URL category policy for SRX340, SRX345, SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, SRX5800 devices and vSRX instances—Starting with Junos OS Release 15.1X49-D80, the whitelisting feature is extended to include URL categories supported by Enhanced Web filtering in the whitelist configuration of SSL forward proxy. In this implementation, the Server Name Indication (SNI) field is extracted by the UTM module from client hello messages to determine the URL category. Each URL category has a unique ID. The list of URL categories under whitelist is parsed and the corresponding category IDs are pushed to the Packet Forwarding Engine for each SSL forward proxy profile.

    [See AppSecure Services Feature Guide for Security Devices.]

  • SSL Proxy for Server Protection for SRX Series devices—SSL proxy is a transparent proxy that performs SSL encryption and decryption between the client and the server. Starting in Junos OS Release 15.1X49-D80, the proxy model implementation for server protection (often called reverse proxy) is based on existing SSL plug-ins to provide improved handshaking and support for more protocol versions.

    [See Configuring Reverse Proxy.]

Chassis Cluster

  • ISSU support for SRX4100 and SRX4200 devices—Starting with Junos OS Release 15.1X49-D80, SRX4100 and SRX4200 devices support in-service software upgrade (ISSU).

    ISSU enables a software upgrade from one Junos OS version to a later Junos OS version with little or no downtime. The chassis cluster ISSU feature enables both devices in a cluster to be upgraded from supported Junos OS versions with minimal disruption in traffic and no disruption in service.

    ISSU provides the following benefits:

    • Eliminates network downtime during software image upgrades
    • Reduces operating costs, while delivering higher service levels
    • Allows fast implementation of new features

    [See Understanding the Low-Impact ISSU Process on Devices in a Chassis Cluster.]

  • J-Flow version 9 support for SRX1500, SRX4100, SRX4200, and vSRX instances in a chassis cluster—Starting with Junos OS Release 15.1X49-D80, J-Flow version 9 is supported on a chassis cluster of SRX1500, SRX4100, SRX4200 devices and vSRX instances. J-Flow version 9 lets you define a flow record template suitable for IPv4 and IPv6 traffic.

    [See Chassis Cluster Supported Features.]

Class of Service (CoS)

  • Non-strict-priority scheduling support for SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500 devices and vSRX instances—On SRX Series devices, if all queue priorities together send more traffic than the egress interface bandwidth, higher-priority queues can starve lower-priority queues. To prevent this, starting with Junos OS Release 15.1X49-D80, you can apply the non-strict-priority-scheduling option at the [edit class-of-service] hierarchy level, which balances the configured transmit rates across queue priorities.

    [See non-strict-priority-scheduling.]
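    To make the starvation problem concrete, the following is an added illustration (not Juniper code, and not a model of the Packet Forwarding Engine's actual scheduler): a toy bandwidth allocator with four constructed queues, each given a priority rank and a transmit-rate percentage. Under strict priority each queue takes everything it offers before the next queue is served; under the non-strict behaviour every queue first receives up to its transmit-rate share of the link, and only the leftover is handed out by priority. Queue names, percentages and the offered loads are made up for the example.

```python
# Added illustration, not Juniper code: shows why strict-priority scheduling
# starves low-priority queues when every queue offers more than the egress
# link carries, and how honouring each queue's transmit-rate share first
# (the non-strict behaviour) prevents that.

# Constructed queue table: name -> (priority rank, transmit-rate percent).
# Lower rank means higher priority. All values are made up.
QUEUES = {
    "network-control": (0, 5),
    "expedited-forwarding": (1, 30),
    "assured-forwarding": (2, 40),
    "best-effort": (3, 25),
}


def strict_priority(queues, demand, link_bw):
    """Serve queues in priority order; each takes as much as it offers, and
    lower-priority queues get only whatever is left over."""
    alloc, remaining = {}, link_bw
    for name, (_rank, _rate) in sorted(queues.items(), key=lambda kv: kv[1][0]):
        alloc[name] = min(demand[name], remaining)
        remaining -= alloc[name]
    return alloc


def non_strict_priority(queues, demand, link_bw):
    """First give every queue up to its configured transmit-rate share of the
    link, then distribute any leftover bandwidth in priority order."""
    alloc, remaining = {}, link_bw
    for name, (_rank, rate_pct) in queues.items():
        alloc[name] = min(demand[name], link_bw * rate_pct / 100)
        remaining -= alloc[name]
    for name, (_rank, _rate) in sorted(queues.items(), key=lambda kv: kv[1][0]):
        extra = min(demand[name] - alloc[name], remaining)
        alloc[name] += extra
        remaining -= extra
    return alloc


def starved_queues(alloc):
    """Names of queues that received no bandwidth at all."""
    return sorted(name for name, bw in alloc.items() if bw == 0)


if __name__ == "__main__":
    # Constructed overload: a 100 Mbps link with every queue offering 60 Mbps.
    demand = {name: 60 for name in QUEUES}
    print("strict    :", strict_priority(QUEUES, demand, 100))
    print("non-strict:", non_strict_priority(QUEUES, demand, 100))
```

    With every queue offering 60 Mbps on a 100 Mbps link, strict priority leaves the two lowest queues with nothing, whereas the non-strict allocation gives each queue exactly its configured share. When a high-priority queue offers less than its share, the unused bandwidth flows down to the next priority.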

Ethernet Switching

  • Connectivity Fault Management (CFM) support for SRX1500 devices—Starting in Junos OS Release 15.1X49-D80, Ethernet switching supports Ethernet OAM CFM in switching mode.

    The CFM features can be configured on GE, XE, VDSL, and Point-to-Point Protocol over Ethernet (PPPoE) interfaces. The CFM supports fault monitoring, path discovery, fault isolation and performance measurement functionalities.

    Note: To enable CFM on an Ethernet interface, you must configure maintenance domains, maintenance associations, and maintenance association end points (MEPs).

    [See Understanding Ethernet OAM Connectivity Fault Management.]

  • LACP support for SRX300, SRX320, SRX340, SRX345, SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices and vSRX instances—Starting with Junos OS Release 15.1X49-D80, LACP is supported in Layer 2 transparent mode in addition to the existing support in Layer 3 mode.

    When a device uses LACP to bundle the member links, it creates high-speed connections, known as a fat pipe, with peer systems. You can increase bandwidth by adding member links. LACP provides automatic determination, configuration, and monitoring of member links.

    LACP automatically binds member links, thereby avoiding errors that are possible when the LAG is configured manually.

    [See Understanding Link Aggregation Control Protocol.]

  • Layer 2 802.1X authentication for SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 devices—Starting with Junos OS Release 15.1X49-D80, the Layer 2 802.1X authentication feature is supported in switching mode.

    802.1X is an IEEE standard for port-based network access control (PNAC). 802.1X is part of the IEEE 802 group of protocols. 802.1X authentication provides a mechanism to authenticate devices or users attached to a LAN port.

    The three basic components of a network with 802.1X are the authenticator PAE (port access entity), the supplicant, and the authentication server.

    Configuring 802.1X authentication using J-Web is not supported in this release.

    Note: On SRX1500 devices, dynamic filters in association with dot1x are not supported. Also, RADIUS server configuration is not supported with dot1x configurations; hence, you cannot configure the filter ID on the RADIUS server.

    [See Understanding 802.1X Port-Based Network Authentication.]

  • Multiple VLAN Registration Protocol (MVRP) support for SRX1500 devices—Starting in Junos OS Release 15.1X49-D80, the following Layer 2 features are supported in switching mode:
    • MVRP is a Layer 2 application protocol that manages dynamic VLAN registration in switching networks. MVRP also manages the addition, deletion, and renaming of active VLANs, thereby reducing the time network administrators spend on these tasks.
    • Switching mode comprises two parameters, allowed-mac and shutdown-action.

    [See Configuring Multiple VLAN Registration Protocol (MVRP) to Manage Dynamic VLAN Registration.]

  • VLAN retagging and Q-in-Q tunneling support for SRX1500 devices—Starting with Junos OS Release 15.1X49-D80, VLAN retagging and Q-in-Q tunneling are supported in switching mode.

    VLAN retagging works on IEEE standard 802.1Q virtual LAN tagging (VLAN tagging). It is a part of the IEEE 802 group of protocols. The VLAN identifier in packets arriving on a Layer 2 trunk port can be rewritten or retagged with a different internal VLAN identifier.

    Q-in-Q is an Ethernet networking IEEE standard, formally known as IEEE 802.1ad. It is also known as provider bridging, stacked VLANs, or simply Q-in-Q. Q-in-Q allows multiple VLAN tags to be inserted into a single frame, an essential capability for implementing a data center bridging network.

    [See Understanding VLAN Retagging and Understanding Q-in-Q Tunneling and VLAN Translation.]
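    As an added example of the two frame operations described above (this is illustration code, not Junos OS or Juniper code, and it models only the tag bytes, not the device's switching pipeline), the following builds an 802.1Q-tagged Ethernet frame, rewrites its VLAN identifier the way retagging on a trunk port does, and pushes or pops an 802.1ad service tag the way Q-in-Q stacks tags. The MAC addresses, VLAN numbers and payload are constructed sample data; the VLAN map is an assumed ingress-to-internal mapping.

```python
# Added illustration, not Juniper code: VLAN retagging and Q-in-Q tag
# stacking on raw Ethernet frames. Only the frame header bytes are modelled.
import struct

TPID_8021Q = 0x8100   # IEEE 802.1Q customer tag (C-tag)
TPID_8021AD = 0x88A8  # IEEE 802.1ad service/provider tag (S-tag)
_TAG_TPIDS = (TPID_8021Q, TPID_8021AD)


def parse_tags(frame):
    """Return (dst, src, [(tpid, pcp, dei, vid), ...], ethertype, payload).
    Tags are listed outermost first, as they appear on the wire."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        tpid = struct.unpack("!H", frame[off:off + 2])[0]
        if tpid not in _TAG_TPIDS:
            break
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append((tpid, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return dst, src, tags, tpid, frame[off + 2:]


def build_frame(dst, src, tags, ethertype, payload):
    """Serialize a frame with zero or more stacked tags (outermost first)."""
    out = dst + src
    for tpid, pcp, dei, vid in tags:
        out += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | (vid & 0x0FFF))
    return out + struct.pack("!H", ethertype) + payload


def retag(frame, vlan_map):
    """VLAN retagging: rewrite the outermost VID of a tagged frame using an
    assumed ingress VLAN -> internal VLAN map; unmapped VIDs are left alone."""
    dst, src, tags, ethertype, payload = parse_tags(frame)
    if not tags:
        raise ValueError("untagged frame: nothing to retag")
    tpid, pcp, dei, vid = tags[0]
    tags[0] = (tpid, pcp, dei, vlan_map.get(vid, vid))
    return build_frame(dst, src, tags, ethertype, payload)


def qinq_push(frame, svlan):
    """Q-in-Q: push an 802.1ad S-tag outside the existing customer tag(s),
    copying the inner priority bits so the provider network honours them."""
    dst, src, tags, ethertype, payload = parse_tags(frame)
    pcp = tags[0][1] if tags else 0
    return build_frame(dst, src, [(TPID_8021AD, pcp, 0, svlan)] + tags, ethertype, payload)


def qinq_pop(frame):
    """Q-in-Q: strip the outer S-tag on egress from the provider network."""
    dst, src, tags, ethertype, payload = parse_tags(frame)
    if not tags or tags[0][0] != TPID_8021AD:
        raise ValueError("no S-tag to pop")
    return build_frame(dst, src, tags[1:], ethertype, payload)


# Constructed sample: customer frame on VLAN 100 (PCP 3) carrying an IPv4 stub.
SAMPLE = build_frame(b"\x01\x02\x03\x04\x05\x06", b"\x0a\x0b\x0c\x0d\x0e\x0f",
                     [(TPID_8021Q, 3, 0, 100)], 0x0800, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    print("retagged 100->200:", parse_tags(retag(SAMPLE, {100: 200}))[2])
    print("Q-in-Q pushed   :", parse_tags(qinq_push(SAMPLE, 1000))[2])
```

    Retagging changes only the identifier inside the existing tag, so the frame length is unchanged; Q-in-Q adds four bytes per pushed S-tag, which is why provider-facing links usually need a larger MTU.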

General Packet Radio Service (GPRS)

  • GTP and SCTP ALG support for SRX1500 devices—Starting in Junos OS Release 15.1X49-D80, the GTP and SCTP ALGs are supported on SRX1500 devices. GTP is used to transfer mobile data in the mobility core network and SCTP is widely used in a mobility network for signaling message transmissions.

    [See General Packet Radio Service Feature Guide for Security Devices.]

J-Web

  • In Junos OS Release 15.1X49-D80, J-Web adds support for the following parameters that already exist in the Junos OS CLI for security platforms:
    1. MAC Interface limit support and LACP support in Layer 2 Transparent Mode for SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200, and vSRX devices.
    2. The Interfaces > Link Aggregation menu in J-Web is enabled for Layer 2 Transparent Mode of J-Web for the SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200, and vSRX devices.
    3. Changes in Remote Access VPN and IPsec VPN configuration.
    4. Changes to add Non-Strict-Priority scheduling for SRX1500 device.

Unified Threat Management (UTM)

  • E-Mail Attachments for SRX Series devices—Starting in Junos OS Release 15.1X49-D80, e-mail management for SMTP lets enrolled SRX Series devices transparently submit potentially malicious e-mail attachments to the cloud for inspection. Once an attachment is evaluated, Sky ATP assigns the file a threat score from 0 through 10 with 10 being the most malicious. In addition, e-mails are checked against administrator-configured blacklists and whitelists. If an e-mail matches the blacklist, it is considered to be malicious and is handled the same way as an e-mail with a malicious attachment.

    [See Email Management Overview.]

  • SNI support for Web filtering for SRX Series devices—In Junos OS Releases 12.3X48-D45 and 15.1X49-D80, Junos OS supports Server Name Indication (SNI) for local, Websense-redirect, and Enhanced Web Filtering (EWF). SNI is an extension of the SSL/TLS protocol that indicates which server name the client is contacting over an HTTPS connection. SNI inserts the actual hostname of the destination server in the client hello message in clear text, before the SSL handshake is complete. Web filtering uses the SNI information for further processing or for modifying the query. In this implementation, the SNI includes only the server name, not the full URL of the server.

    [See UTM Feature Guide for Security Devices.]
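    Both the SSL forward proxy URL-category whitelist (under AppSecure above) and the Web filtering SNI support described here depend on the same step: reading the server_name extension out of the clear-text ClientHello before any decryption happens. The following is an added example of that step, written here for illustration and not taken from Junos OS or the UTM module. It constructs a minimal TLS ClientHello, extracts the SNI, maps the hostname to a URL category through a made-up category table with made-up category IDs, and decides whether the category ID is on the whitelist. The category names, IDs and hostnames are constructed; only the TLS byte layout is real.

```python
# Added illustration, not Juniper code: extract the SNI from a TLS ClientHello
# and check the resulting URL category against a whitelist of category IDs.
import struct


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record, optionally carrying a
    server_name extension. Test data only; not a complete, valid handshake."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list  # extension 0 = server_name
        exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32      # client_version + random
            + b"\x00"                          # session_id length 0
            + b"\x00\x02\x13\x01"              # one cipher suite
            + b"\x01\x00"                      # null compression
            + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Walk record -> ClientHello -> extensions and return the host_name from
    the server_name extension, or None if absent or the bytes are malformed."""
    try:
        if record[0] != 0x16:
            return None                         # not a handshake record
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:
            return None                         # not a ClientHello
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        off = 2 + 32                            # skip version and random
        off += 1 + body[off]                    # session id
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # cipher suites
        off += 1 + body[off]                    # compression methods
        if off + 2 > len(body):
            return None                         # no extensions block
        end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            if etype == 0x0000:
                p = off + 2                     # skip ServerNameList length
                while p + 3 <= off + elen:
                    ntype, nlen = body[p], struct.unpack("!H", body[p + 1:p + 3])[0]
                    if ntype == 0:
                        return body[p + 3:p + 3 + nlen].decode("ascii", "replace")
                    p += 3 + nlen
            off += elen
        return None
    except (IndexError, struct.error):
        return None


# Constructed stand-ins for the URL-category database and its category IDs.
CATEGORY_ID = {"Finance": 1001, "Health": 1002, "Social": 1003}
HOST_CATEGORY = {"bank.example": "Finance", "clinic.example": "Health",
                 "chat.example": "Social"}


def whitelist_ids(whitelist_categories):
    """Parse the configured whitelist category names into the set of category
    IDs that would be pushed down for the proxy profile; unknown names are skipped."""
    return {CATEGORY_ID[c] for c in whitelist_categories if c in CATEGORY_ID}


def bypass_decryption(record, whitelisted_ids):
    """True when the ClientHello's SNI maps to a whitelisted category, so the
    session would be passed through without SSL proxy interception."""
    name = extract_sni(record)
    category = HOST_CATEGORY.get(name) if name else None
    return category is not None and CATEGORY_ID[category] in whitelisted_ids


if __name__ == "__main__":
    ids = whitelist_ids(["Finance", "Health"])
    for host in ("bank.example", "chat.example", None):
        print(host, "->", bypass_decryption(build_client_hello(host), ids))
```

    A ClientHello with no SNI, or with a hostname that maps to no category, never matches the whitelist, so the session falls through to normal proxy handling; the lookup sees only the hostname, never the path, which is the limitation the text notes.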

User Access and Authentication

  • Trusted Platform Module (TPM) to Bind Secrets for SRX300, SRX320, SRX340, and SRX345 devices—Starting with Junos OS Release 15.1X49-D80, a software layer is added to enable the TPM’s capability.

    When the TPM is activated, it is used to protect the private keys stored in Junos OS, for example, the private keys used by IPsec or SSL inspection.

    [See Using Trusted Platform Module to Bind Secrets on SRX Series Devices.]

VPNs

  • IKEv2 message fragmentation for SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices and vSRX instances—Starting in Junos OS Release 15.1X49-D80, large IKEv2 messages (such as authentication exchanges that contain multiple certificates) are fragmented; each message fragment is encrypted and authenticated before being transmitted. On the receiver, the message fragments are verified, decrypted, and merged into the original message. Message fragmentation, as described in RFC 7383, Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation, allows IKEv2 to operate in environments where IP fragments might be blocked and VPN peers would not be able to establish an IPsec security association. IKEv2 message fragmentation is enabled by default on SRX Series devices for IPv4 and IPv6 messages. You can disable fragmentation and, optionally, configure the maximum message size with the fragmentation statement at the [edit security ike gateway gateway-name] hierarchy level.

    [See Understanding IKEv2 Fragmentation.]
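    As an added example of the fragmentation mechanism described above (illustration only, not Junos OS code, and not the IKE-negotiated cipher), the following splits a large message into numbered fragments in the shape RFC 7383 gives the Encrypted Fragment payload (message ID, fragment number, total fragments), encrypts and authenticates each fragment independently, and on the receiving side verifies every fragment before decrypting and reassembling. Because the Python standard library has no AEAD cipher, encryption uses an HMAC-SHA256 keystream in counter mode as a stand-in, with a truncated HMAC-SHA256 tag for integrity; the keys, message and fragment size limit are constructed values.

```python
# Added illustration, not Juniper code: RFC 7383-style IKEv2 message
# fragmentation with per-fragment encryption and authentication. The cipher
# is a standard-library stand-in, not the algorithm negotiated by IKE.
import hashlib
import hmac
import struct

MAX_FRAG_DATA = 48          # constructed, deliberately small so the sample fragments
HEADER = struct.Struct("!IHH")   # message ID, fragment number, total fragments
TAG_LEN = 16


def _keystream(key, nonce, length):
    """Stand-in stream cipher: HMAC-SHA256 driven in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def fragment(message, enc_key, auth_key, message_id, max_data=MAX_FRAG_DATA):
    """Split message into fragments numbered 1..N; each is encrypted and
    authenticated on its own so it can be checked without the others."""
    chunks = [message[i:i + max_data] for i in range(0, len(message), max_data)] or [b""]
    total, frags = len(chunks), []
    for number, chunk in enumerate(chunks, start=1):
        header = HEADER.pack(message_id, number, total)
        # The header doubles as the per-fragment nonce: unique per (message, fragment).
        ciphertext = _xor(chunk, _keystream(enc_key, header, len(chunk)))
        tag = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        frags.append(header + ciphertext + tag)
    return frags


def reassemble(frags, enc_key, auth_key):
    """Verify each fragment before decrypting it. Return the original message,
    or None if any fragment fails authentication, is inconsistent, or is missing."""
    pieces, message_id, expected_total = {}, None, None
    for frag in frags:
        if len(frag) < HEADER.size + TAG_LEN:
            return None
        header, body, tag = frag[:HEADER.size], frag[HEADER.size:-TAG_LEN], frag[-TAG_LEN:]
        expected = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                     # tampered or wrong key: drop without decrypting
        mid, number, total = HEADER.unpack(header)
        if not 1 <= number <= total:
            return None
        if expected_total is None:
            message_id, expected_total = mid, total
        elif mid != message_id or total != expected_total:
            return None                     # fragments of different messages mixed together
        pieces[number] = _xor(body, _keystream(enc_key, header, len(body)))
    if expected_total is None or len(pieces) != expected_total:
        return None                         # at least one fragment never arrived
    return b"".join(pieces[n] for n in range(1, expected_total + 1))


if __name__ == "__main__":
    enc, auth = b"k" * 32, b"a" * 32        # constructed keys
    msg = b"IKE_AUTH payload with certificate chain " * 6
    frags = fragment(msg, enc, auth, message_id=1)
    print(len(frags), "fragments;", "round trip ok:", reassemble(frags, enc, auth) == msg)
```

    Reordered delivery is handled by the fragment numbers, and a single corrupted fragment is rejected at the integrity check before any decryption, so a forged fragment cannot inject plaintext into the reassembled message.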

  • IPv6 support for dynamic endpoint VPNs for SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices and vSRX instances—Starting with Junos OS Release 15.1X49-D80, dynamic endpoint VPNs on SRX Series devices support IPv6 traffic on secure tunnels using IKEv1 or IKEv2. The IPv6 dynamic endpoint gateway can use PKI certificates or preshared keys for authentication. A dynamic endpoint VPN is used when the remote site-to-site peer has a dynamically assigned IP address.

    Note: IPv6 traffic is not supported for AutoVPN networks.

    [See Understanding IPsec VPNs with Dynamic Endpoints.]

  • NCP Exclusive Remote Access Client connections to IPsec VPN gateways on SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices and vSRX instances—Starting in Junos OS Release 15.1X49-D80, SRX Series devices support IKEv1 or IKEv2 IPsec VPN connections from users running the third-party NCP Exclusive Remote Access Client on Windows and Mac OS devices. NCP Exclusive Remote Access Client software can be downloaded from https://www.ncp-e.com/ncp-exclusive-remote-access-client/.

    A two-user license is supplied by default on SRX Series devices; a license must be purchased and installed for additional users. The SRX Series devices use AutoVPN in point-to-point interface mode. Traffic selectors configured on the SRX Series device and the NCP client determine the client traffic to be encrypted. For IKEv1 client authentication, Extended Authentication (XAuth) is used with a RADIUS server or a local access profile. IKEv2 clients use EAP with a RADIUS server for authentication.

    [See Understanding IPsec VPNs with NCP Exclusive Remote Access Client.]

  • Suite B and PRIME cryptographic suites for SRX4100 and SRX4200 devices—Starting in Junos OS Release 15.1X49-D80, Suite B and PRIME cryptographic suites are supported on SRX4100 and SRX4200 devices. Suite B is a set of cryptographic algorithms designated by the U.S. National Security Agency to allow commercial products to protect traffic that is classified at secret or top secret levels. Protocol Requirements for IP Modular Encryption (PRIME) is an IPsec profile defined for public sector networks in the United Kingdom. It is based on the Suite B cryptographic suite but uses Advanced Encryption Standard–Galois/Counter Mode (AES-GCM) rather than Advanced Encryption Standard–Cipher Block Chaining (AES-CBC) for IKEv2 negotiations.

    [See Understanding Suite B and PRIME Cryptographic Suites.]

  • Support for SSL remote access VPNs by encapsulating IPsec traffic over TCP connections on SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, and SRX4200 devices and vSRX instances—Starting in Junos OS Release 15.1X49-D80, SRX Series devices support SSL VPN connections from users running the third-party NCP Exclusive Remote Access Client on Windows and Mac OS devices. In many public hotspot environments, UDP traffic is blocked while TCP connections are allowed. To support these environments, SRX Series devices can encapsulate IPsec messages within a TCP connection. This implementation is compatible with the NCP Exclusive Remote Access Client, which can be downloaded from https://www.ncp-e.com/ncp-exclusive-remote-access-client/. A two-user license is supplied by default on SRX Series devices; a license must be purchased and installed for additional users.

    [See Understanding SSL Remote Access VPNs with NCP Exclusive Remote Access Client.]


Modified: 2017-05-29