
Junos OS Release Notes for SRX Series

 

These release notes accompany Junos OS Release 18.2R3 for the SRX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 18.2R3 for the SRX Series devices.

Release 18.2R3-New and Changed Features

There are no new features in Junos OS Release 18.2R3 for the SRX Series devices.

Release 18.2R2-New and Changed Features

Flow-Based and Packet-Based Processing

  • SRX5K-SPC3 card with flow support in chassis cluster mode (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.2R2, the SRX5K-SPC3 (SPC3) and SRX5K-SPC-4-15-320 (SPC2) cards can operate together in a mixed-mode configuration on the SRX5000 line of devices, using the same slot numbers in both nodes of the cluster. If you add SPC3 cards to an SRX5000 line device, you must install them in the lowest-numbered SPC slot, because the SPC in the lowest-numbered slot provides the central point functionality. SPC3 interoperates with the SRX5000 I/O cards (IOC2, IOC3), Switch Control Boards (SCB2, SCB3), Routing Engines, and SPC2 cards.

    [See Understanding Flow support on SRX5K-SPC3 Platforms.]

VPN

  • PowerMode IPsec (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.2R2, PowerMode IPsec (PMI) is a new mode of operation that improves IPsec performance by using Vector Packet Processing (VPP) and the Intel AES-NI instruction set. PMI is a small software block inside the Packet Forwarding Engine that bypasses regular flow processing, takes an express data path, and uses AES-NI for optimized IPsec processing.

    You can enable PMI processing by using the set security flow power-mode-ipsec command.

    The following features are supported with PMI:

    • Auto Discovery VPN (ADVPN)

    • Internet Key Exchange (IKE) functionality

    • AutoVPN

    • High-availability

    • IPv6

    • Stateful firewall

    • st0 interface

    • Traffic selectors

    [See Understanding PowerMode IPsec.]

  • SRX5K-SPC-4-15-320 (SPC2) and SRX5K-SPC3 (SPC3) support for IPsec VPN (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.2R2, all IPsec VPN features that were previously supported only on SPC3 (model number: SRX5K-SPC3) are now supported on both SPC2 (model number: SRX5K-SPC-4-15-320) and SPC3 installed in the SRX5000 line of devices operating in chassis cluster mode or in standalone mode.

    [See Understanding VPN Support for Inserting Services Processing Cards.]

Release 18.2R1-S3 New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 18.2R1-S3 for the SRX Series devices.

Junos OS Release 18.2R1 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550HM, SRX1500, SRX4100/4200, SRX4600, SRX5400, SRX5600, and SRX5800. Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 12.1X44 through 15.1X49-D130. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D130 are not available in 18.2 releases.

Junos OS Release 18.2R1-S1 and Junos OS Release 18.2R1-S3 support the SRX5K-SPC3. Junos OS for SRX Series documentation includes information about the SRX5K-SPC3.

New features for security platforms in Junos OS Release 18.2R1-S3 include:

VPN

  • IPsec VPN support on SRX5K-SPC3 card (SRX5400, SRX5600, SRX5800)—Starting in Junos OS Release 18.2R1-S3, the SPC3 card supports IPsec VPN with AutoVPN networks in point-to-point secure tunnel mode with multiple traffic selectors, dead peer detection (DPD), IKE fragmentation, and site-to-site VPN (responder only).

    For SPC3 cards, you can verify the tunnel mapping on different SPUs only with the show security ipsec tunnel-distribution command. With SPC2 cards, you can continue to use the show security ike tunnel-map command to view the tunnel mapping on different SPUs.

    The show security ipsec tunnel-events-statistics command is not supported on SPC3 card.

    [See show security ipsec security-associations.]

Release 18.2R1-S1 New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 18.2R1-S1 for the SRX Series devices.

Junos OS Release 18.2R1 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550HM, SRX1500, SRX4100/4200, SRX4600, SRX5400, SRX5600, and SRX5800. Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 12.1X44 through 15.1X49-D130. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D130 are not available in 18.2 releases.

Junos OS Release 18.2R1-S1 supports SRX5K-SPC3. Junos OS for SRX Series documentation includes information about SRX5K-SPC3.

New features for security platforms in Junos OS Release 18.2R1-S1 include:

Interfaces and Chassis

  • User visibility improvements for chassis environment CLI (SRX5400, SRX5600, SRX5800)—Starting in Junos OS Release 18.2R1-S1, the show chassis environment fpc command displays the current and power for the SPC3 board along with the FPC voltage. In earlier releases, only the FPC voltage was displayed.

    [See show chassis environment.]

J-Web

  • J-Web supports SRX5K-SPC3 card—Starting in Junos OS Release 18.2R1-S1, J-Web displays the SRX5K-SPC3 card on SRX5400, SRX5600, and SRX5800 devices.

Platform and Infrastructure

  • SRX5K-SPC3 card (SRX5400, SRX5600, SRX5800)—Starting in Junos OS Release 18.2R1-S1, a new service processing card (SRX5K-SPC3) is introduced for the SRX5000 line of devices. The introduction of the new card improves the scalability and performance of the device and maintains its reliability as it preserves the chassis cluster functionality. The SRX5K-SPC3 card supports higher bandwidth for service processing. It provides support for the following software features:

    • Application layer gateway (ALG)

    • Advanced anti-malware (Juniper Sky ATP)

    • Application security suite

    • Flow-based packet processing implementation

    • GPRS tunneling protocol (GTP) and stream control transmission protocol (SCTP)

    • High availability (chassis cluster)

    • Intrusion detection and prevention (IDP)

    • J-Web

    • Network address translation (NAT)

    • Stateful firewall

    • SSL proxy

    • Firewall user authentication

    • UTM (antivirus, web filtering, content filtering, and antispam)

    Note

    The following limitations apply for the SPC3 card in Junos OS Release 18.2R1-S1:

    • Interoperability of SPC2 card and SPC3 card is not supported.

    • IPsec VPN functionality is not supported with SPC3 card.

    [See Understanding Flow support on SRX5K-SPC3 Platforms, Monitoring of Global-Level Objects in a Chassis Cluster, and Persistent NAT and NAT64.]

Release 18.2R1 New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 18.2R1 for the SRX Series devices.

Application Security

  • Application Quality of Experience (SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100 and SRX4200, vSRX)—Starting in Junos OS Release 18.2R1, AppQoE enables you to effectively prioritize, segregate, and route business-critical applications traffic without compromising performance or availability.

    AppQoE uses application identification and advanced policy-based routing to identify specific applications in the network and to select a path for that application traffic according to service-level agreement (SLA) rules.

    AppQoE monitors RTT, jitter, and packet loss on each link, and based on the score, seamlessly diverts applications to an alternate path if the performance of the primary link is below acceptable levels as specified by the SLA. Measurement and monitoring of application performance is done using active and passive probes, which detect SLA violations and help select an alternate path for that particular application.

    [See Application Quality of Experience.]

  • Support for advanced policy-based routing (APBR) policy (SRX Series, vSRX)—Starting in Junos OS Release 18.2R1, you can configure advanced policy-based routing (APBR) policies by defining source addresses, destination addresses, and applications as match conditions; and after a successful match, the configured APBR profile is applied as an application service for the session.

    In previous releases of Junos OS, an APBR profile could be attached to an incoming security zone of the ingress traffic, and the APBR was applied only on the basis of the security zone.

    This enhancement provides more flexible traffic-handling capabilities that offer granular control for forwarding packets.

    [See Advanced Policy-Based Routing.]

Authentication and Access Control

  • Support for user firewall to configure ClearPass and JIMS at the same time (SRX Series, vSRX)—Starting in Junos OS Release 18.2R1, you can configure ClearPass and Juniper Identity Management Service (JIMS) at the same time. With both configured, the SRX Series device can query JIMS for user identification entries, and ClearPass can push device entries to the SRX Series device through the Web API. In releases before Junos OS Release 18.2R1, you could configure either ClearPass or JIMS, but not both.

    [See Understanding How ClearPass and JIMS Work at the Same Time.]

  • Enhancement to NTP authentication method (SRX300, SRX320, SRX340, SRX345, and SRX550M)—Starting in Junos OS Release 18.2R1, Junos OS supports NTP authentication with SHA-1 and SHA2-256 in addition to the existing NTP authentication method, MD5. You can now choose from among MD5, SHA-1, and SHA2-256 for synchronizing the clocks of Juniper Networks routers, switches, and security devices. Using SHA-1 instead of MD5 improves the security of devices with very little impact on timing, and SHA2-256 provides a further increase in security over SHA-1.

    Note

    By default, network time synchronization is unauthenticated.

    To implement authentication, use set authentication-key <key_number> type (md5 | sha1 | sha256) value <password> at the [edit system ntp] hierarchy level.

    • To enable SHA-1 authentication, use set authentication-key <key_number> type sha1 value <password> at the [edit system ntp] hierarchy level.

    • To enable SHA2-256 authentication, use set authentication-key <key_number> type sha256 value <password> at the [edit system ntp] hierarchy level.

    [See authentication-key and Configuring NTP Authentication Keys.]
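    A complete NTP authentication configuration, added here as an example and not taken from the release notes. Defining the key is not enough on its own: the key must also be declared trusted and bound to the server entry, otherwise replies from that server are never checked against it. The server addresses 192.0.2.10 and 192.0.2.11, the key numbers, and the placeholder secrets are assumed values; lines beginning with # are annotations, not CLI input.

```junos
# Added example (not from the release notes). Assumed values: NTP servers
# 192.0.2.10 and 192.0.2.11, key numbers 10 and 11, placeholder secrets.
# Preferred: SHA2-256 key (available starting in 18.2R1 on the listed branch devices).
set system ntp authentication-key 10 type sha256 value "<shared-secret>"
# The key must be listed as trusted, or the device does not use it to validate replies.
set system ntp trusted-key 10
# Bind the key to the server so that this server's replies are authenticated with key 10.
set system ntp server 192.0.2.10 key 10
set system ntp server 192.0.2.10 prefer
# Legacy MD5 key kept only for a peer that cannot do SHA; remove once that peer is upgraded.
set system ntp authentication-key 11 type md5 value "<legacy-secret>"
set system ntp trusted-key 11
set system ntp server 192.0.2.11 key 11
```

    After the commit, show ntp associations lists the configured servers and marks the one selected for synchronization; a server whose key does not match the secret configured on the NTP server side is not selected.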

Flow and Processing

  • Reverse Route with Packet Mode (SRX Series)—Starting in Junos OS Release 18.2R1, reverse route lookup in packet mode using the virtual router is supported with the new CLI statement set security flow advanced-options reverse-route-packet-mode-vr. While the device processes traffic from the server back to the client, if the route for that traffic changes, the traffic is rerouted using the virtual router associated with the packet's incoming interface or with filter-based forwarding.

    [See Understanding Reverse Route Packet Mode Virtual Router.]

IDP

  • Flexible grouping of IDP signatures for policies and profiles (SRX Series)—Starting with Junos OS Release 18.2R1, IDP signature updates support four new tags for creating more sophisticated dynamic groups in addition to the existing seven tags. The signature database is one of the major components of intrusion detection and prevention (IDP). It contains definitions of different objects—such as attack objects, application signatures objects, and service objects—that are used in defining IDP policy rules. Attacks can be grouped by set of tags.

    The additional tags are:

    • CVSS Score (for example, All signatures above 8.0)

    • Age (for example, Older than <x> years)

    • File Type (for example, MPEG, MP4, PPT, and *.doc)

    • Vulnerability Type (for example, buffer overflow, injection, use after free, XSS, and RCE)

    The Product and Vendor tags were already supported under the existing filter products. The CLI for configuring these tags has been made more user friendly, with possible completions available during configuration.

    • Vendor (for example, Microsoft, Apple, Red Hat, Google, Juniper, Cisco, and Oracle)

    • Product (for example, Office, Database, Firefox, Chrome, Flash, DirectX, Java, and Kerberos)

    [See IDP Policy Rules and IDP Rule Bases.]
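    An added example, not from the release notes, of a dynamic attack group built from the new tags and referenced from an IDP policy rule. The group name high-cvss-recent, the policy name edge-ips, and the rule name are made up. The filter keywords follow the tag names listed above; the tag values shown (Microsoft, Office, and the vulnerability type) are assumptions, because the permitted values come from the installed signature database and should be confirmed with CLI completion on the device.

```junos
# Added example (not from the release notes). Names are assumed; tag values must be
# confirmed with CLI completion, since they are supplied by the signature database.
# Dynamic group: signatures with CVSS above 8, published in the last 3 years,
# for Microsoft Office, tagged with the buffer-overflow vulnerability type.
set security idp dynamic-attack-group high-cvss-recent filters cvss-score greater-than 8
set security idp dynamic-attack-group high-cvss-recent filters age less-than 3
set security idp dynamic-attack-group high-cvss-recent filters vendor values Microsoft
set security idp dynamic-attack-group high-cvss-recent filters products values Office
set security idp dynamic-attack-group high-cvss-recent filters vulnerability-type values buffer-overflow
# IDP policy rule that drops the connection and logs when any member signature matches.
set security idp idp-policy edge-ips rulebase-ips rule block-high-cvss match from-zone any
set security idp idp-policy edge-ips rulebase-ips rule block-high-cvss match to-zone any
set security idp idp-policy edge-ips rulebase-ips rule block-high-cvss match attacks dynamic-attack-groups high-cvss-recent
set security idp idp-policy edge-ips rulebase-ips rule block-high-cvss then action drop-connection
set security idp idp-policy edge-ips rulebase-ips rule block-high-cvss then notification log-attacks
```

    Because the group is dynamic, its membership is recomputed on each signature update; show security idp attack group-members high-cvss-recent shows the current members, which is the check to run after an update before relying on the rule.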

Interfaces and Chassis

  • 100G Interfaces Support (SRX4600)—Starting in Junos OS Release 18.2R1, SRX4600 devices support 4x100G Ethernet mode using QSFP28 transceivers. To enable 100-Gigabit Ethernet on the marked ports, use the set chassis fpc command.

    [See SRX4600 Gateway Rate-Selectability.]

J-Web

  • J-Web support for Unified L4/L7 Firewall Policy—Starting in Junos OS Release 18.2R1, J-Web supports unified L4/L7 firewall policies, in which the matching criteria of existing AppFW rules are applied directly to the security policy. There are also changes to the UTM, IPS, AppID, SSL proxy, flow, and service redirect pages.

  • J-Web support for Logical Systems—Starting in Junos OS Release 18.2R1, J-Web supports logical systems on SRX5400, SRX5600, and SRX5800 devices, providing multitenant firewalls by logically partitioning a single physical firewall into multiple logical systems with separate networking and security services.

  • J-Web support for Configuring ICAP Redirect and SSL Initiation Profiles—Starting in Junos OS Release 18.2R1, using J-Web you can configure an ICAP redirect profile and an SSL initiation profile, which enable you to decrypt HTTPS traffic and redirect HTTP messages to a third-party on-premises DLP server over an ICAP/SICAP channel.

  • J-Web Enhanced Look and Feel—Starting in Junos OS Release 18.2R1, J-Web for SRX5400, SRX5600, and SRX5800 devices has a new and enhanced look and feel.

  • J-Web Configuration Commit Enhancement—Starting in Junos OS Release 18.2R1, after you commit a new configuration in J-Web, you can test it for a period of time and then confirm the commit or roll back to the previous configuration.

  • J-Web support for Logical Domain Interconnect and Routing Instance—Starting in Junos OS Release 18.2R1, using J-Web you can configure the interconnection between logical interfaces, and between the root domain and logical systems. Based on the interconnection, you can configure the LT interface unit, peer unit, logical system or VPLS switch, and IP addresses for the logical system LT interface.

Logical Systems

  • Enabling or disabling ALGs in logical systems (SRX Series)—Starting in Junos OS Release 18.2R1, you can enable or disable the configuration of Application Layer Gateways (ALGs) in each logical system individually and view the status of the ALGs for all logical systems or specific logical systems. All 12 data ALGs (DNS, FTP, TFTP, MSRPC, SUNRPC, PPTP, RSH, RTSP, TALK, SQL, IKE, and TWAMP) and four VOIP ALGs (SIP, H.323, MGCP, and SCCP) are supported on logical systems.

    [See Understanding Application Layer Gateway (ALG) in Logical System.]

  • Flow enhancement for interconnect logical system (SRX Series)—Starting in Junos OS Release 18.2R1, routing and scaling for the interconnect logical system are supported. You can interconnect multiple logical systems and multiple VPLS switches to pass traffic between them without leaving the device. The logical tunnel interface point-to-point connection with encapsulation frame-relay or encapsulation ethernet is introduced to improve the reachability of logical systems. The frame relay encapsulation adds data-link connection identifier (DLCI) information to each frame.

    [See SRX Series Logical System Master Administrator Configuration Tasks Overview.]

  • Logical systems support (SRX4100 and SRX4200)—Starting in Junos OS Release 18.2R1, the logical systems are supported on SRX4100 and SRX4200 devices in addition to the existing support on SRX Series devices such as SRX1500, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800.

    [See Understanding Logical Systems for SRX Series Services Gateways.]

  • Logging support (SRX Series, vSRX)—Starting in Junos OS Release 18.2R1, the off-box logging (stream mode) service is virtualized. Off-box logging can therefore be configured for each logical system, and logs are handled according to that logical system's configuration. The [edit logical-systems logical-system-name security log] hierarchy level is introduced for virtualized logging support. The stream mode is a set of logging services that includes:

    • Off-box logging (SRX Series)

    [See Understanding Security Logs and Logical Systems.]
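    As an added example, not from the release notes, the stream-mode logging configuration for one logical system. The logical system name tenant-a, the source address 192.0.2.1, the collector 198.51.100.20, and the stream name are assumed. The point to notice is that a logical system inherits nothing from the root logging configuration: each logical system that needs off-box logs gets its own stream.

```junos
# Added example (not from the release notes). tenant-a, 192.0.2.1, and
# 198.51.100.20 are assumed values. Lines beginning with # are annotations.
set logical-systems tenant-a security log mode stream
set logical-systems tenant-a security log format sd-syslog
# Source address the collector will see; pick one routable from tenant-a's routing instance.
set logical-systems tenant-a security log source-address 192.0.2.1
# One stream carrying all security log categories (session, IDP, UTM, and so on).
set logical-systems tenant-a security log stream tenant-a-siem category all
set logical-systems tenant-a security log stream tenant-a-siem host 198.51.100.20
set logical-systems tenant-a security log stream tenant-a-siem host port 514
```

    A second tenant needs its own set of statements under its own logical-systems name; logs from sessions inside tenant-a are not emitted through a stream configured at the root level.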

  • User firewall enhanced support with logical systems (SRX Series)—Starting in Junos OS Release 18.2R1, support for user firewall authentication is enhanced using a shared model. In this model, user logical systems share user firewall configuration and authentication entries with the root logical system.

    [See Understanding Integrated User Firewall support in a Logical System.]

  • Logical system support (SRX Series)—Starting in Junos OS Release 18.2R1, SRX4100 and SRX4200 devices support logical systems in both transparent mode and route mode.

    [See Example: Configuring User Logical Systems Security Profiles.]

NAT

  • Network Address Translation (NAT) support for logical systems (SRX Series)—Starting in Junos OS Release 18.2R1, SRX Series devices support the NAT functionality for logical systems. NAT is a method for modifying or translating network address information in packet headers. Either source or destination addresses or both in a packet can be translated. NAT can include the translation of port numbers as well as IP addresses.

    [See Understanding Logical System Network Address Translation.]

Routing and Forwarding Options

  • NDP and DAD Proxy Support (SRX Series)—Starting in Junos OS Release 18.2R1, SRX Series devices support Neighbor Discovery Protocol (NDP) and Duplicate Address Detection (DAD) proxy features at the interface level. The NDP and DAD proxies are required if hosts in the same subnet are restricted from communicating directly with each other and need to use the proxy node to forward the packets between them. This feature is primarily used in scenarios where the proxying node needs to apply access control and intercept the traffic flowing between the hosts.

    [See Configuring Duplicate Address Detection Proxy and Configuring Neighbor Discovery Protocol Proxy.]

Security Policies

  • Support for unified policies (SRX Series, vSRX)—Starting in Junos OS Release 18.2R1, unified policies are supported on SRX Series devices and vSRX instances, allowing granular control and enforcement of dynamic Layer 7 applications within the traditional security policy.

    Unified policies are security policies in which you can use dynamic applications as match conditions along with the existing 5-tuple or 6-tuple (with user firewall) match conditions, to detect application changes over time and to enforce a set of rules on transit traffic.

    In a unified policy, the dynamic application is one of the policy match criteria. Application identification (AppID) is applied to the traffic, and the application is identified after several packets have been inspected.

    Until the final application is identified, the policy cannot be matched precisely. A potential policy list is built from the policies that could still match, and the traffic is permitted according to a potential policy from that list.

    After the application is identified, the final policy is applied to the session. Policy actions such as permit, deny, reject, or redirect are applied to the traffic as specified in the policy rules.

    [See Understanding Unified Policies.]

    The following features support unified policies:

    • Application Identification (AppID)—Unified policy leverages the application identity information from the Application Identification (AppID). AppID provides the information such as dynamic application classification, default protocol and port of an application. For any application included in the dependent list of another application, AppID provides this information.

      [See Application Identification.]

    • Application firewall (AppFW)—Unified policy configuration handles AppFW functionality and simplifies the task of configuring firewall policy to permit or block application traffic from the network.

      If you configure a unified policy with a dynamic application as one of the matching conditions, then the configuration eliminates the additional steps involved in AppFW configuration—that is, configuring a security policy to invoke the application firewall service.

      Starting in Junos OS Release 18.2R1, the Application Firewall (AppFW) functionality is deprecated rather than immediately removed, to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration.

      The [edit security application-firewall] hierarchy level and all configuration options under this hierarchy are deprecated.

      [See Application Firewall.]

    • Application Quality of Service (AppQoS)—AppQoS functionality is supported when the device is configured with unified policies. You can configure a default AppQoS rule set to manage unified policy conflicts, if multiple security policies match the traffic.

      [See Application Quality of Service.]

    • ICAP service redirect—Internet Content Adaptation Protocol (ICAP) service redirect functionality is supported when the device is configured with unified policies.

      [See iCAP Service Redirect.]

    • IDP—Starting with Junos OS Release 18.2R1, with unified policies support, when a security rule has IDP enabled, the IDP policy is referenced by name in that rule instead of through the single global active policy. This simplifies IDP policy usage and allows multiple IDP policies to be active at the same time.

      All IDP matches are now handled within the unified policies. As part of the session interest check, IDP is enabled if an IDP policy is present in any of the matched rules.

      An IDP policy is activated in a security policy by permitting it within the application services, using the set security policies from-zone zone-name to-zone zone-name policy policy-name then permit application-services idp-policy idp-policy-name command.

      Because the IDP policy name is used directly in the security policy rule, the [edit security idp active-policy policy-name] statement is deprecated.

      [See IDP Policies Overview.]

    • SSL proxy—SSL proxy functionality is supported when the device is configured with unified policies. You can configure a default SSL proxy profile to manage unified policy conflicts, if multiple security policies match the traffic.

      [See SSL Proxy.]

    • UTM—A new dynamic application policy match condition is added to SRX Series devices, allowing an administrator to more effectively control the behavior of Layer 7 applications. To accommodate Layer 7 application-based policies in UTM, the [edit security utm default-configuration] command is introduced. If any parameter in a specific UTM feature profile configuration is not configured, then the corresponding parameter from the UTM default configuration is applied.

      Additionally, during the initial policy lookup phase which occurs prior to a dynamic application being identified, if there are multiple policies present in the potential policy list which contains different UTM profiles, the SRX Series device applies the default UTM profile until a more explicit match has occurred.

      [See Understanding Unified Policies [Unified Threat Management (UTM)].]

    • Juniper Sky ATP support within unified policy (SRX Series)— Juniper Sky ATP is supported for unified policies. The set services security-intelligence default-policy and set services advanced-anti-malware default-policy commands are introduced to create default settings for both policy types. During the initial policy lookup phase, which occurs prior to a dynamic application being identified, if there are multiple policies present in the potential policy list, which contain different security intelligence or anti-malware policies, the SRX Series device applies the default policy until a more explicit match has occurred.

      [See the Juniper Sky ATP Administration Guide.]
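    A worked example, added here and not part of the release notes, of moving a deprecated AppFW rule set to a unified policy that expresses the same intent, together with the default policies consulted while the application is still unidentified. The zone names trust and untrust, the policy names, and the referenced IDP, UTM, and Juniper Sky ATP policy names (edge-ips, web-utm, secintel, aamw) are assumed to exist and are not defined here. The caveat to keep in mind is the one stated above: until AppID has identified the application, the session is forwarded under a potential policy, so a deny keyed on a dynamic application takes effect only once identification completes. Anything that must be blocked from the first packet has to be expressed with Layer 3 and Layer 4 match conditions.

```junos
# Added example (not from the release notes). Zones, policy names, and the
# referenced idp/utm/secintel/aamw policies are assumed to exist already.

# --- Before 18.2R1: AppFW rule set hung off a Layer 4 policy (deprecated hierarchy) ---
set security application-firewall rule-sets block-social rule r1 match dynamic-application junos:FACEBOOK-ACCESS
set security application-firewall rule-sets block-social rule r1 then deny
set security application-firewall rule-sets block-social default-rule permit
set security policies from-zone trust to-zone untrust policy web match source-address any
set security policies from-zone trust to-zone untrust policy web match destination-address any
set security policies from-zone trust to-zone untrust policy web match application junos-http
set security policies from-zone trust to-zone untrust policy web then permit application-services application-firewall rule-set block-social

# --- 18.2R1 unified policy: the dynamic application becomes a match condition of the policy ---
delete security application-firewall
delete security policies from-zone trust to-zone untrust policy web
# Specific deny first. Note it only bites after AppID has classified the session.
set security policies from-zone trust to-zone untrust policy block-social match source-address any
set security policies from-zone trust to-zone untrust policy block-social match destination-address any
set security policies from-zone trust to-zone untrust policy block-social match application junos-http
set security policies from-zone trust to-zone untrust policy block-social match dynamic-application junos:FACEBOOK-ACCESS
set security policies from-zone trust to-zone untrust policy block-social then deny
set security policies from-zone trust to-zone untrust policy block-social then log session-init
# General web policy: any dynamic application over HTTP, with IDP, UTM, and Sky ATP attached
# directly to the rule (no global idp active-policy needed).
set security policies from-zone trust to-zone untrust policy web match source-address any
set security policies from-zone trust to-zone untrust policy web match destination-address any
set security policies from-zone trust to-zone untrust policy web match application junos-http
set security policies from-zone trust to-zone untrust policy web match dynamic-application any
set security policies from-zone trust to-zone untrust policy web then permit application-services idp-policy edge-ips
set security policies from-zone trust to-zone untrust policy web then permit application-services utm-policy web-utm
set security policies from-zone trust to-zone untrust policy web then permit application-services security-intelligence-policy secintel
set security policies from-zone trust to-zone untrust policy web then permit application-services advanced-anti-malware-policy aamw
set security policies from-zone trust to-zone untrust policy web then log session-close
# Defaults applied during the pre-identification phase, when both block-social and web
# are still on the potential policy list and carry different Sky ATP policies.
set services security-intelligence default-policy secintel
set services advanced-anti-malware default-policy aamw
# Ordering is first-match: make sure the specific deny precedes the general permit.
insert security policies from-zone trust to-zone untrust policy block-social before policy web
```

    Before committing, show security policies from-zone trust to-zone untrust confirms the order, and a commit check reports any remaining reference to the deprecated application-firewall hierarchy or to idp active-policy. If UTM profiles differ between the candidate policies, configure the corresponding defaults under [edit security utm default-configuration] in the same way, so that the pre-identification phase does not run without scanning.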

User Interface and Configuration

  • Support for displaying ephemeral configuration data with filtering (SRX Series)—Starting in Junos OS Release 18.2R1, the show ephemeral-configuration command enables you to specify the scope of the configuration data to display. To filter the displayed configuration data, append the statement path of the requested hierarchy to the command.

    [See Displaying Ephemeral Configuration Data in the Junos OS CLI.]

UTM

  • Antispam supports IPv6 addresses (SRX Series)—Starting in Junos OS Release 18.2R1, the antispam feature supports IPv6 traffic.

    [See Antispam Filtering.]

VPN

  • Configuring forwarding class on IPsec VPNs (SRX Series, vSRX)—Starting with Junos OS Release 18.2R1, forwarding classes configured on an SRX Series device can be mapped to IPsec security associations (SAs). Multiple IPsec SAs are negotiated on the same IKE SA with a peer device, one SA per forwarding class configured in IPsec.

    A unique IPsec SA is negotiated with the VPN peer for each forwarding class. By mapping the forwarding class to the IPsec SA, all the packets with a certain class-of-service (CoS) value will get quality-of-service (QoS) treatment between the peer devices thus avoiding packet drop due to the anti-replay window. This feature provides QoS for IPsec when peer devices allow for multiple SA negotiation.

    [See Understanding CoS-Based IPsec VPNs with Multiple IPsec SAs.]

  • Public key infrastructure (PKI) proxy support (SRX Series)—Starting in Junos OS Release 18.2R1, PKI supports an HTTP Web proxy. The HTTP Web proxy acts as an intermediary between the client and the server. You can configure a systemwide Web proxy on the SRX Series device so that its egress HTTP connections to the certificate authority (CA) server are sent through the proxy.

    [See Understanding Certificate Authority Profiles.]

Changes in Behavior and Syntax

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 18.2R3 for the SRX Series.

Juniper Sky ATP

  • Dynamic address entries on SRX Series devices in chassis cluster mode—Starting in Junos OS Release 18.2R3, for SRX Series devices in chassis cluster mode, the dynamic address entry list is retained on the device even after the device is rebooted following a loss of connection to Juniper Sky Advanced Threat Prevention (ATP).

Network Management and Monitoring

  • NSD Restart Failure Alarm (SRX Series)—Starting in Junos OS Release 18.2R3, a system alarm is triggered when the Network Security Process (NSD) is unable to restart due to the failure of one or more NSD subcomponents. The alarm logs about the NSD are saved in the messages log. The alarm is automatically cleared when NSD restarts successfully.

    The show chassis alarms and show system alarms commands are updated to display the following alarm description when NSD is unable to restart: NSD fails to restart because subcomponents fail.

    [See Alarm Overview.]

Security

  • Starting with Junos OS Release 18.2R1, the following commands under the [edit security utm feature-profile] hierarchy level are deprecated:

    • set web-filtering type

    • set web-filtering url-blacklist

    • set web-filtering url-whitelist

    • set web-filtering http-persist

    • set web-filtering http-reassemble

    • set web-filtering traceoptions

    • set web-filtering juniper-enhanced cache

    • set web-filtering juniper-enhanced reputation

    • set web-filtering juniper-enhanced query-type

    • set anti-virus mime-whitelist

    • set anti-virus url-whitelist

    • set anti-virus type

    • set anti-virus traceoptions

    • set anti-virus sophos-engine

    • set anti-spam address-blacklist

    • set anti-spam address-whitelist

    • set anti-spam traceoptions

    • set content-filtering traceoptions

    [See feature-profile.]

Known Behavior

This section contains the known behaviors, system maximums, and limitations in hardware and software in Junos OS Release 18.2R3 for the SRX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Chassis Clustering

  • On all SRX Series branch devices, if you enable IP monitoring for redundancy groups, the feature might not work properly on the secondary node if the reth interface has more than one physical interface configured. This is because the backup node sends traffic using the MAC address of the lowest-numbered port in the bundle; if the reply does not come back on that same physical port, the internal switch drops it. PR1344173

Flow-Based and Packet-Based Processing

  • On SRX4600 devices, the USB disk is not available for Junos OS. However, the USB disk is available for the host OS (Linux) with full access. The USB disk is still used in the booting process (install and recovery functions). PR1283618

  • When a USB device is under initialization, removing the USB device leads to USB crash. PR1332360

  • On SRX1500 devices with AppFW configured, the expected HTTP CPS is 60,000, which is a 14 percent drop (the expected value is 70,000). PR1339131

  • The memory usage of useridd increases when the configuration is exchanged between user firewall for active directory and JIMS. PR1383751

  • Z mode is not supported when using the dedicated fabric link. PR1397267

  • On SRX high-end platforms, if a packet larger than 9271 bytes is fragmented and hits an ALG gate, the reassembled packet must be forwarded to another SPU. There is a size limit on packets forwarded between SPUs, so the large packet is dropped in this situation. PR1426644

  • If the incoming tunnel and the egress tunnel are anchored on different SPUs, PMI diverts this tunnel-to-tunnel traffic to the regular flow path for encryption on the egress tunnel, because PMI does not have the PIC forwarding functionality. PR1432915

J-Web

  • On SRX Series devices, DHCP relay configuration on the Configure > Services > DHCP > DHCP Relay page is removed from the J-Web interface in Junos OS Release 15.1X49-D60. The same DHCP relay can be configured using the CLI. PR1205911

  • On SRX Series devices, the DHCP client bindings view on the Monitor page is removed. You can view the same bindings in the CLI using the show dhcp client binding command. PR1205915

  • On SRX Series devices, adding 2000 global addresses at a time to the SSL proxy profile exempted addresses can cause the Web page to become unresponsive. PR1278087

  • On SRX Series devices, you cannot view the custom log files created for event logging using the J-Web interface. PR1280857

  • Uploading a certificate using the Browse button stores the certificate on the device at /jail/var/tmp/uploads/, which is deleted when the request system storage cleanup command is executed. PR1312529

  • The values of address and address-range are not displayed in the inline address-set creation pop-up window of the Juniper Identity Management Service (JIMS) server. PR1312900

  • The PPPoE interface pp0 cannot be managed through the J-Web Interfaces > Port page. PR1316328

  • The Dynamic-Application configuration page in the J-Web interface does not properly display application signatures when searching by category. PR1344165

  • Forming a chassis cluster from J-Web by using the HA cluster wizard is not supported on SRX5400 devices from Junos OS Release 12.1X47 onward. PR1372518

Routing Protocols

  • A new CLI command is required to prevent traffic loss during a disaster recovery failover scenario. PR1352589

User Interface and Configuration

  • On SRX Series devices, committing a configuration that contains a large number of logical systems can take longer than usual, because backing up the previous configuration takes longer to finish. PR1339862

VPNs

  • When multiple traffic selectors are configured on a particular VPN, the iked process sends at most one DPD probe to the peer per configured DPD interval. The DPD probe is sent if traffic flows over even one of the tunnels of that VPN object. PR1366585

  • The iked process can handle 1000 DPD packets per second. If HA link encryption is enabled, the iked process can handle 500 DPD packets per second. DPD packets include both DPD probes sent from the device and DPD probes received from the peer. PR1380971

  • IKE debug output is written to the file configured under set security ike traceoptions file; use that file to check the logs. PR1381328

  • In the output of the show security ipsec inactive-tunnels command, Tunnel Down Reason is not displayed as this functionality is not supported in Junos OS Release 18.2R2 and later. PR1383329

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, occasionally, if an IKE or IPsec configuration (under groups hierarchy) is changed for one IKE gateway, the tunnel might be cleared for unrelated IKE or IPsec gateways. PR1405840

  • The iked process does not handle the case where a remote gateway address is configured as an IPv6 address while the local interface that anchors the tunnel has an IPv4 address, and it might generate core files. PR1416081
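The two DPD statements above (one probe per VPN object per interval regardless of traffic selectors, PR1366585; an iked budget of 1000 DPD packets per second, or 500 with HA link encryption, counting sent and received probes, PR1380971) are easy to violate on a large hub. The following is an added capacity-planning example, not Juniper code: it models those two rules over a constructed VPN inventory and reports whether the aggregate DPD rate fits the iked budget. The assumption that each peer probes back at the same interval is an assumption made here for the conservative case.

```python
"""DPD load estimate for iked on SRX Series (added example, not Juniper code).

Rules modelled from the release notes:
  * one DPD probe per VPN object per DPD interval, no matter how many
    traffic selectors (tunnels) the VPN object carries (PR1366585);
  * iked handles at most 1000 DPD packets/s, or 500/s when HA link
    encryption is enabled, counting sent and received probes (PR1380971).
"""
import math
from dataclasses import dataclass
from fractions import Fraction

IKED_DPD_PPS = 1000                    # PR1380971
IKED_DPD_PPS_HA_LINK_ENCRYPTION = 500  # PR1380971, HA link encryption on


@dataclass
class VpnObject:
    name: str
    dpd_interval_s: int           # configured DPD interval, seconds
    traffic_selectors: int        # tunnels under this VPN object
    peer_probes_back: bool = True  # assumption: peer runs DPD at same interval


def dpd_packets_per_second(vpns):
    """Aggregate DPD packets/s seen by iked, sent plus received."""
    total = Fraction(0)
    for v in vpns:
        sent = Fraction(1, v.dpd_interval_s)   # per VPN object, not per TS
        received = sent if v.peer_probes_back else Fraction(0)
        total += sent + received
    return float(total)


def dpd_capacity_check(vpns, ha_link_encryption=False):
    """Return load, applicable limit and whether the budget is respected."""
    limit = IKED_DPD_PPS_HA_LINK_ENCRYPTION if ha_link_encryption else IKED_DPD_PPS
    load = dpd_packets_per_second(vpns)
    return {"pps": load, "limit": limit, "ok": load <= limit,
            "utilization": load / limit}


def min_dpd_interval(vpn_count, ha_link_encryption=False, peer_probes_back=True):
    """Smallest uniform DPD interval (s) that keeps vpn_count VPN objects in budget."""
    limit = IKED_DPD_PPS_HA_LINK_ENCRYPTION if ha_link_encryption else IKED_DPD_PPS
    per_vpn = 2 if peer_probes_back else 1
    return math.ceil(vpn_count * per_vpn / limit)


# Constructed inventory: 3000 hub-and-spoke VPN objects, 10 s DPD, 4 TS each.
SAMPLE_VPNS = [VpnObject(f"spoke-{i}", 10, 4) for i in range(3000)]

if __name__ == "__main__":
    for ha in (False, True):
        r = dpd_capacity_check(SAMPLE_VPNS, ha_link_encryption=ha)
        print(f"HA link encryption={ha}: {r['pps']:.0f} pps of {r['limit']} "
              f"({r['utilization']:.0%}) -> {'OK' if r['ok'] else 'OVER BUDGET'}")
    print("minimum uniform DPD interval with HA link encryption:",
          min_dpd_interval(len(SAMPLE_VPNS), ha_link_encryption=True), "s")
```

Note that adding traffic selectors to a VPN object does not change the result, which is the point of PR1366585; only the number of VPN objects and their intervals matter.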

Known Issues

This section lists the known issues in hardware and software in Junos OS Release 18.2R3 for the SRX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Application Security

  • If automatic application-identification download is configured with a start-time, the automatic download stops working after the year rolls over if the device is rebooted before the configured start-time is reached in the new year. PR1436265

Application Identification

  • IDP installation fails on one node because the application identification process is stuck. PR1336145

Flow-Based and Packet-Based Processing

  • On the SRX4600 platform, the output of the show route forwarding-table command displays the next-hop IP address twice if the next hop is the st0 interface. Routing functionality is not impacted. PR1290725

  • The device sends an incorrect rejection code when the destination device is not reachable. PR1371115

  • An SRX Series device receives a dynamic update from the JIMS server when JIMS detects that a user has been disabled in the Active Directory, and another dynamic update from JIMS if that user is subsequently reenabled. This update retains the domain and username in the table, but does not include any groups associated with that user. PR1380771

  • Under TCP stress traffic, sessions that have been invalid for more than 48 hours expire. PR1383139

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, when multiple core dumps occur in quick succession, the coldsync monitored status is displayed and is not cleared after coldsync completes. You need to reboot the affected node to recover from this issue. PR1403000

  • On all SRX Series platforms, in chassis cluster with Z mode traffic and local (non-reth) interfaces configured, when using ECMP routing between multiple interfaces residing on both node0 and node1, if a session is initiated through one node and the return traffic comes in through the other node, packets might get dropped due to reroute failure. PR1410233

  • When a GRE tunnel (GRE over IPsec tunnel) or IPsec tunnel is used on an SRX Series device, the MTU of the tunnel interface is calculated incorrectly (24 bytes less than the expected value). PR1426607

  • On SRX5000 Series devices with an SPC3 card, traffic might not go through when BA classifiers for DSCP are configured with rewrite. PR1428153

  • On SRX5000 Series devices with an SPC3 card, the IKE SA is sometimes not seen on the device when the st0 binding of a VPN configuration object is changed from one interface to another (for example, from st0.x to st0.y). PR1441411

J-Web

  • On SRX Series platforms, the root password configured at first J-Web access (Skip to J-Web feature) does not work if the password length is shorter than eight characters. PR1371353

Platform and Infrastructure

  • On SRX5600 and SRX5800 devices in chassis cluster, when a second Routing Engine is installed to enable dual control links, the show chassis hardware command might display the same serial number for both the secondary Routing Engines on both the nodes. PR1321502

  • On SRX5000 line devices (SRX5400, SRX5600, and SRX5800), the em interface is an internal interface. If the em interface goes down, the control link is lost and the chassis cluster enters an abnormal state. PR1342362

VPNs

  • When an SRX Series device acts as an initiator behind NAT, disabling NAT on the router in between causes the first new negotiation to fail, because the device still attempts it on UDP port 4500. The next attempt succeeds on port 500. After NAT is disabled, all existing tunnels going down and being reestablished on port 500 is the expected behavior. PR1273213

  • On SRX Series devices, if multiple traffic selectors are configured for a peer with Internet Key Exchange version 2 (IKEv2) reauthentication, only one traffic selector is rekeyed at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic selectors are cleared without immediate rekeying. A new negotiation of these traffic selectors is triggered through other mechanisms—for example, by traffic or by a peer. PR1287168

  • When the operational mode command request security ike debug-enable is used for IKE debugging after IKE traceoptions with a file name have been configured, the debug output is still written to that same file. PR1381328

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, when a large number of IPsec tunnels are established, a few tunnels might fail during rekey negotiation if the device initiates the rekey. PR1389607

  • VPN does not recover on high-end standalone SRX Series devices when the restart ipsec-key-management CLI operation is performed. PR1390831

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, occasionally, if the IKE or IPsec configuration (under groups hierarchy) is changed for one IKE gateway, the tunnel might clear for an unrelated IKE or IPsec gateway. PR1405840

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, a new behavior has been introduced that differs from the behavior on the older SPC2 card. The SRX device with AutoVPN configuration can now accept multiple IPsec tunnels from a peer device (with the same source IP address and port number) using different IKE-IDs. PR1407356

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, if an existing IKE gateway configuration is changed from AutoVPN to Site-to-Site VPN, the IKE negotiation behavior remains in responder-only mode. PR1413619

  • On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, disrupting traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334

  • On SRX5000 Series devices with an SPC3 or SPC2 card, when a duplicate user logs in (the same IKE-ID from a different IP address), in some cases the old IKE SA entries are not deleted immediately. PR1423821

  • IKE SA entries are not displayed in CLI output after a cluster node fails over when tunnels are established in aggressive mode. PR1424077
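Because of PR1381328 (listed both under known behavior and above), an IKE debug session started with request security ike debug-enable lands in the file named by the IKE traceoptions configuration, not in a separate debug file. The following is an added example of the resulting workflow, not text from the release notes; the file name ike-trace and the gateway addresses 192.0.2.1 and 198.51.100.1 are placeholders chosen here.

```junos
## Configuration mode: name the IKE trace file and bound its size.
set security ike traceoptions file ike-trace
set security ike traceoptions file size 10m
set security ike traceoptions file files 3
set security ike traceoptions flag all
commit

## Operational mode: scope debugging to one peer pair (example addresses).
## With traceoptions configured as above, this output goes to ike-trace.
request security ike debug-enable local 192.0.2.1 remote 198.51.100.1 level 15

## Read the debug output from the traceoptions file, not a separate debug log.
show log ike-trace | last 200

## Turn debugging off when done; leaving level 15 on is a load and a disclosure risk.
request security ike debug-disable
deactivate security ike traceoptions
commit
```

Bound the file with size and files so a verbose flag all trace cannot fill the file system, and keep in mind that a full IKE trace can contain identity and proposal details for every peer; remove the trace file once the investigation is finished.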

Resolved Issues

This section lists the issues fixed in Junos OS Release 18.2R3 for the SRX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 18.2R3

Application Identification

  • Application identification classification logic has been improved for NetBIOS and RPC. PR1357093

Application Layer Gateways (ALGs)

  • DNS requests with additional EDNS records might be dropped by the DNS ALG. PR1379433

  • On all SRX Series devices, SIP/FTP ALG does not work when SIP traffic with source NAT goes through the SRX Series device. PR1398377

  • The H.323 protocol voice packets might be dropped on SRX Series devices. PR1400630

  • When both ALG and rst-invalidate-session are enabled, the TCP reset packet is dropped by SRX Series devices. PR1430685

Application Security

  • On all SRX Series devices with Security Intelligence (SecIntel), opening the blacklist/whitelist file might fail if the file pointer is null, which might cause the ipfd process to stop. PR1436455

  • On all SRX Series devices with the advanced anti-malware service in use, a rare issue in file system handling on the data plane might cause the flowd/srxpfe process to crash. PR1437270

Chassis Clustering

  • The SNMP trap contains incorrect information on manual failover. PR1378903

  • A GTPv2 modify bearer request packet that does not contain an F-TEID IE in the bearer context is dropped during GTP inspection. PR1399658

  • Traffic with domain name address might fail for 3-5 minutes after RG0 failover on SRX Series devices. PR1401925

  • The flowd process stops while updating or deleting a GTP tunnel. PR1404317

  • Mixed-mode (SPC3 card coexisting with SPC2 cards) HA IP monitoring fails on secondary node with the following error message: secondary arp entry not found. PR1407056

  • On SRX Series devices, a buffer might be overwritten at an incorrect address when detailed logging is configured under a GTPv2 profile. PR1413718

  • PIM neighbors might not come up on a chassis cluster on SRX Series devices. PR1425884

  • Starting in Junos OS Release 18.4, a PDP context response can contain a maximum of six PDN connections; otherwise, the response is dropped. PR1422877

  • RG0 failover sometimes causes FPC offline/present status. PR1428312

Flow-Based and Packet-Based Processing

  • RC4 is removed from SSL forward proxy (SSL-FP). PR1302789

  • An SRX1500 device might lose read/write access to the SSD drive because of a calculation error in read/write operations with SSD firmware version 560ABBF0. PR1345275

  • Control traffic loss might be seen on SRX4600 platform. PR1357591

  • When security flow traceoptions are activated, unfiltered traffic is captured. PR1367124

  • An SRX1500 device continually raises the alarm Fan Tray 0 Fan 0 Spinning Degraded. PR1367334

  • On SRX1500 device, the activity LED (right LED) for 1-Gigabit Ethernet or 10-Gigabit Ethernet port is not on although traffic is passing through that interface. PR1380928

  • The password recovery menu does not appear on SRX Series devices. PR1381653

  • Large file downloads slow down for many seconds. PR1386122

  • Traffic might be processed by the VRRP backup when multiple VRRP groups are configured. PR1386292

  • The default configuration of SRX300 line of devices is changed. PR1393683

  • Switching interface mode between family ethernet-switching and family inet/inet6 might cause traffic loss. PR1394850

  • Performance drops are seen in SRX345 and SRX340 platforms for IDP C2S policy. PR1395592

  • These messages are seen: kernel: tcp_timer_keep:Local(0x80000004:54652) Foreign(0x80000004:33160). PR1396584

  • On SRX4600 platform, the 40 Gigabit Ethernet interface might flap continuously because of a MAC local fault. PR1397012

  • 40-Gigabit Ethernet or 100-Gigabit Ethernet ports might take a long time (about 30 seconds) to link up on the SRX4600 platform. PR1397210

  • The pkid process might stop after RG0 failover. PR1379348

  • On SRX Series devices, the connection to JIMS fluctuates, resulting in failover. PR1398140

  • On SRX4600 and SRX5000 Series devices, BGP packets might be dropped when CPU usage is high. PR1398407

  • SRX Series devices do not strip the VLAN tag added by the native-vlan-id option. PR1397443

  • The next-hop IP address is not displayed in the routing table in the J-Web interface. PR1398650

  • VLAN push might not work on SRX1500. PR1398877

  • The DAG feed scale limit is increased from 63 to 256. PR1399314

  • The authd process might stop when the show network-access requests pending command is issued while the authd process is restarting. PR1401249

  • An SRX Series device cannot obtain an IPv6 address through DHCPv6 when using a PPPoE interface with a logical unit number greater than zero. PR1402066

  • SRX Series devices cannot be accessed if the message kern.maxfiles limit exceeded by uid 65534, please see tuning(7) is seen. PR1402242

  • CPU utilization hits 100 percent with fragmented traffic. PR1402471

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, when PowerMode IPsec is enabled, the show security flow statistics and show security flow session tunnel summary commands do not count or display the packets processed within PowerMode IPsec, because these packets do not go through the regular flow path. PR1403037

  • Downloads might stall or fail completely when utilizing services that are reliant on TCP proxy. PR1403412

  • Transit UDP 500/4500 traffic might not pass across SRX5000 Series devices when using an SPC3 or SPC2 card. PR1403517

  • A split-brain condition is experienced if an SPC3 or SPC2 card goes offline in the primary node. PR1403872

  • A permit rule in an application firewall rule set fails to match. PR1404161

  • Configuring the device using the CLI editor in J-Web generates an mgd core file. PR1404946

  • The flowd process stops and all cards are brought offline. PR1406210

  • The RG1 failover does not happen immediately when the SPC3 card crashes. PR1407064

  • The flowd process might crash if enable-session-cache command is configured under the SSL termination profile. PR1407330

  • IDP signature update fails at RG0 primary node. PR1407603

  • On SRX1500 platform, traffic is blocked on all interfaces after configuring interface-mac-limit on one interface. PR1409018

  • Memory leak occurs if AAMW is enabled. PR1409606

  • When PMI is enabled, the IPsec encryption statistics shown by the show security ipsec statistics command on the Routing Engine no longer count fragmented packets. PR1411486

  • The PEM 0 or PEM 1 I2C failure major alarm might be set and cleared multiple times. PR1413758

  • HA packets might be dropped on SRX5000 Series devices with an IOC3 or IOC2 card. PR1414460

  • Any traffic originated from the device itself might be dropped in the IPsec tunnel. PR1414509

  • The input and output bytes or bps statistic values might not be identical for the same size of packets. PR1415117

  • Traffic is dropped if SOF is enabled in chassis cluster active/active mode. PR1415761

  • Juniper Sky ATP does not escape the \ inside the username before the metadata is sent to the cloud. PR1416093

  • The flowd process stops on SRX5000 or SRX4000 Series devices when large-size packets go through IPsec tunnel with the post-fragment check. PR1417219

  • Traffic logging shows service-name junos-dhcp-server for UDP destination port 68. PR1417423

  • Traffic might be lost on SRX Series devices if IPsec session affinity is configured with ipsec-performance-acceleration. PR1418135

  • SSL proxy does not correctly warn users about unsupported certificates. PR1419485

  • FRU model number is not displayed. PR1422185

  • The show security flow session session-identifier <sessID> command does not work if the session ID is larger than 10 million on the SRX4600 platform. PR1423818

  • Partial traffic might get dropped on an existing LAG. PR1423989

  • Memory leaks might occur on the jsqlsyncd process on SRX chassis clusters. PR1424884

  • High-temperature alarms are raised while the device is operating within the expected temperature range. PR1425807

  • The IPsec traffic going through SRX5000 Series device with SPC2 cards installed causes high SPU CPU utilization. PR1427912

  • CPU load is unevenly distributed under a high packets-per-second (PPS) rate. PR1430721

  • The flowd process might stop on SRX5000 Series devices. PR1430804

  • An SRX550M running Junos OS Release 18.4R1 shows a PEM 1 output failure message, whereas with Junos OS Release 15.1X49 or Junos OS Release 18.1R3.3 it does not show any alarms. PR1433577

  • SPMC version mismatch errors after Junos OS is installed using USB method. PR1437065

  • Performance improvements were made to Screens that benefit multi-socket systems such as SRX4200 and SRX4600 devices and SPC3 cards. PR1440677

  • On SRX5400, SRX5600, and SRX5800 devices acting as a middle device between Internet Key Exchange (IKE) peers, more than one Encapsulating Security Payload (ESP) session cannot be established between two IPv6 IKE peers if the IKE ALG is enabled on the middle SRX device. PR1435687

Interfaces and Chassis

  • Both nodes in an SRX chassis cluster go into db mode after a downgrade to Junos OS Release 18.1 when vlan-tagging is configured on reth interfaces but vlan-id is not configured. PR1407295

Intrusion Detection and Prevention (IDP)

  • IDP might stop when a custom IDP signature is used. PR1390205

  • Unable to configure dynamic-attack-group. PR1418754

J-Web

  • The Dynamic-Application configuration page within J-Web does not properly display application-signatures when searching by category. PR1344165

  • In the J-Web dashboard, the Security Resources widget does not display absolute values. PR1372826

  • J-Web now supports defining SSL proxy and redirect (block page) profiles when a policy contains dynamic applications. PR1376117

  • A special character used in the pre-shared key is removed silently after a commit operation in J-Web. PR1399363

  • The httpd-gk process stops, leading to dynamic VPN failures and Routing Engine CPU utilization as high as 100 percent. PR1414642

  • J-Web configuration change for address set using Search function results in commit error. PR1426321

  • J-Web shows incorrect port-mode under Configure>Interfaces>Link Aggregation. PR1430414

  • IRB interface is not available in zone option of J-Web. PR1431428

Multiprotocol Label Switching (MPLS)

  • The rpd process might restart unexpectedly when no-cspf is configured and lo0 is not included under RSVP. PR1366575

Network Address Translation (NAT)

  • In SPC3 mixed mode, NAT on the SPC3 card generates a core file at ../sysdeps/unix/sysv/linux/raise.c:55. PR1403583

  • The nsd process stops and causes the Web filter to stop working. PR1406248

Network Management and Monitoring

  • The set system no-redirects setting does not take effect for reth interfaces. PR894194

  • The chassisd process might stop and restart after the AgentX session between the master (snmpd) and the sub-agent times out. PR1396967

Platform and Infrastructure

  • High httpd utilization is seen after a reboot failover. PR1352133

  • A login class with allowed-days and specific access-start/access-end times does not work as expected. PR1389633

  • Memory leak might occur on the data plane during composite next-hop installation failure. PR1391074

  • GW lcore and srxpfe core files are generated at ../src/pfe/usp/rt/applications/ipsec/ipsec_rt_forge_util.c:59 when loading the 18.4 image. PR1392580

  • The flowd process stops if it enters an infinite loop. PR1403276

  • A complete device outage might be seen when an SPU VM core dump occurs. PR1417252

  • Some packages might be omitted during an upgrade from a legacy image with packages. PR1417321

  • The flowd process might stop on SRX Series devices. PR1417658

  • Routing Engine CPU utilization is high and eventd consumes a lot of resources. PR1418444

  • On SRX4600 devices, the commit fails when 2047 VLAN IDs are configured on a reth interface. PR1420685

  • The interface flaps when LACP is configured on the reth interfaces. PR1435955

Routing Policy and Firewall Filters

  • The show security flow session command now fully supports the dynamic-application construct. PR1387449

  • Memory leak in nsd prevents the configuration from taking effect after it is committed. PR1414319

  • The output of the show security firewall-authentication jims statistics command displays the statistics of both the primary JIMS server and secondary JIMS server. PR1415987

  • The flowd process stops while deleting policies from Junos Space. PR1419704

  • A commit warning is displayed when a traditional policy is placed below a unified policy. PR1420471

  • A new alarm is created: NSD fails to restart because subcomponents fail. PR1422738

Unified Threat Management (UTM)

  • The whitelist/blacklist does not work for HTTPS traffic going through the Web proxy. PR1401996

  • On SRX Series devices, when configuring Enhanced Web Filtering on the CLI, the autocomplete function does not properly handle or suggest custom categories. PR1406512

  • The device might not look up the blacklist first in a local Web filtering environment. PR1417330

  • UTM Web filtering status shows down when using Hostname [routing-instance synchronization failure]. PR1421398

  • When using unified policies, the base-filter for certain UTM profiles might not be applied correctly. PR1424633

  • Behavioral improvements were made to SSL-Proxy's url-category whitelisting functionality. PR1426189

VPNs

  • On the SPC3 card, the IKE SA detail output does not show correct traffic statistics. PR1371638

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, the show security ike security-association detail command does not display the local IKE-ID field correctly. PR1388979

  • A few VPN tunnels do not forward traffic after RG1 failover. PR1394427

  • The kmd process might stop when SNMP polls for the IKE SA. PR1397897

  • VPN does not recover on high-end standalone SRX Series devices when the restart ipsec-key-management CLI operation is performed. PR1400712

  • Syslog is not generated when IKE gateway rejects duplicate IKE ID connection. PR1404985

  • Idle IPsec VPN tunnels without traffic and with ongoing DPD probes might be affected during RG0 failover. PR1405515

  • Not all tunnels are deleted when the authentication algorithm in an IPsec proposal is changed. PR1406020

  • Multiple flowd core files are observed with IPsec acceleration and fragmented traffic. PR1407910

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, when the device is configured for IKEv1 and NAT traversal is active, the IPsec tunnel index might change after a successful IPsec rekey. In this scenario, there might be some traffic loss for a few seconds. PR1409855

  • Traffic drops on peer due to bad SPI after first reauthentication. PR1412316

  • On SRX5400, SRX5600, SRX5800 devices with an SPC3 card, when the device is configured to initiate IKEv2 reauthentication when NAT traversal is active, occasionally reauthentication might fail. PR1414193

  • The flowd/srxpfe process might crash when traffic selector is used for IPsec VPN. PR1418984

  • The show security ike sa detail command shows an incorrect value in the IPsec security associations column. PR1423249

  • Once an IPsec VPN with NAT-T (NAT between the IPsec peers) is in place, SRX Series device performance is slow. PR1424937

  • SRX Series devices should send IKE delete notification to peer when traffic selector configuration is changed for a specific AutoVPN. PR1426714

  • The kmd process stops and generates a core file after the CLI command show security ipsec traffic-selector <> is run. PR1428029

  • The VPN overhead calculation is wrong on the SPC3 card because the wrong SPU-ID API is used. The fix calls the common API for SPC2 and SPC3 to get the SPU ID without the core ID. PR1435700

Resolved Issues: 18.2R2

Application Layer Gateways (ALGs)

  • On SRX320, SRX340, and SRX550 devices, the rpd process stops when you configure the auto-bandwidth option under a label-switched path (LSP) in MPLS. PR1331164

  • When using the IPsec ALG, the IPsec tunnel payload is dropped after the IKE or IPsec tunnel reestablishment due to a session conflict. PR1372232

  • If the SIP ALG is disabled, the SIP active sessions are affected. PR1373420

  • DNS requests with EDNS option might be dropped by the DNS ALG. PR1379433

  • SUN RPC data traffic for previously established ALG sessions might be dropped because it matches the gate which contains old interface information. PR1387895

  • On SRX5400, SRX5600, and SRX5800 devices, the flowd process might generate core files while sending cross-tenant ALG traffic. As a workaround, avoid cross-tenant ALG traffic or disable the ALG type that carries cross-tenant traffic. PR1388658

Chassis Clustering

  • On SRX340 and SRX345 devices, half-duplex mode is not supported because the BCM53426 SoC does not support it: in the BCM5342X SoC port configurations, only the QSGMII port supports half-duplex mode, and the BCM53426 does not have a QSGMII interface. PR1149904

  • On SRX550M device, the SFP transceiver does not work after the chassis reboot. PR1347874

  • On SRX4600 devices with chassis cluster enabled, when a failover occurs, the dedicated fabric link goes down. PR1365969

  • The device in chassis cluster might be unresponsive if IP monitoring is enabled. PR1366958

  • On SRX Series devices in a chassis cluster, the minor alarm Potential slow peers are: FWDD0 XDPC1 XDPC8 FWDD1 is observed and can be ignored. PR1371222

  • Multiple flowd core files are seen on node 1 after an RG0 failover. PR1372761

  • Traffic loss occurs when the primary node is rebooting. PR1372862

  • On SRX Series devices in a chassis cluster, if a reroute occurs on the IPv4 wing of a NAT64 or NAT46 session, the active node sends an RTO message to the backup session to update the rerouted interface. PR1379305

  • On SRX4600 devices in a chassis cluster, the Flexible PIC Concentrators (FPCs) go offline if the chassis cluster ID is greater than 10. PR1390202

Class of Service (CoS)

  • When the host-outbound-traffic command is configured in class of service (CoS), the device stops working when a corrupted packet arrives on the Packet Forwarding Engine. PR1359767

Command Line Interface

  • The following CLI command outputs are not displayed correctly: show usp memory segment shm data module and show jsf shm module. PR1387711

Dynamic Host Configuration Protocol

  • SRX300, SRX320, SRX340, and SRX345 devices with LTE mPIM do not forward the DHCP relay packets over the LTE. PR1357137

Flow-based and Packet-based Processing

  • The security logs for unified policies are improved to reflect the reason for a denied or rejected session. PR1338310

  • On SRX Series devices, the session-init and session-close are logged for unified policies. PR1338319

  • IPsec replay errors are observed for Z-mode traffic. PR1349724

  • Multicast routes are not seen after setting the maximum transmission unit (MTU) size to 1,300. PR1349996

  • On SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800 devices in a chassis cluster, when CoS is configured on an interface, LACP communication stops because of a fabric port failure, and the connections between the SRX device and other devices break. PR1350731

  • When the routing instance is configured, the UTM antispam does not send the DNS query. PR1352906

  • The IPsec VPN traffic might be dropped on the pass-through device after an IKE rekey operation. PR1353779

  • The PIM register message from source first-hop router (FHR) suddenly stops appearing. PR1356241

  • When the output interface configured in X2 mirror-filter is down, the flowd process might stop. PR1357347

  • On SRX4200 and SRX4600 devices, control traffic loss is observed during a reboot or power-on of the device. PR1357591

  • IDP inline tap mode is not supported on the SPC3 card, and its configuration must be disabled. PR1359591

  • On the secondary control plane, a multicast session leak is observed for the PIM register. PR1360373

  • On SRX Series devices, if you disable one of the four reth interfaces, the traffic flow stops. PR1360399

  • On SRX Series devices, in an SSL proxy scenario, if the TLS packets contain application layer protocol negotiation (ALPN), then the ALPN extension is removed by the SSL proxy, resulting in the negotiation failure of the application layer protocol. PR1360820

  • The default version of Application identification (AppID) signature pack and protocol bundle are updated. PR1362367

  • On SRX550M device, the traffic might be duplicated and forwarded to the wrong interface. PR1362514

  • This release includes support for service-specific ASC configuration, which allows the ASC to be enabled or disabled on a per-service basis. With the advent of unified policies, two services are introduced to the ASC: security services and miscellaneous services. Security services are responsible for policy-lookup behavior, while miscellaneous services are responsible for non-policy items such as APBR. Starting with 18.2R1, by default the ASC is disabled for security-services and enabled for miscellaneous-services. This might affect existing legacy AppFW functionality after an upgrade to 18.2R1, because existing cache entries are ignored during policy lookups. PR1363501

  • SNMP MIB walk does not work when screens are applied to more than 14 security zones. PR1364210

  • On SRX Series devices, the Application identification (AppID) is supported for HTTP, SMTPS, POP3S and IMAPS protocols. PR1365810

  • On SRX5400, SRX5600, and SRX5800 devices in a chassis cluster, an in-service software upgrade (ISSU) might get stuck in the IPID data sync state. PR1366077

  • A flowd core file is generated after an RG0 failover. PR1366122

  • On SRX Series devices, when Application Quality of Experience (AppQoE) is enabled and the traffic starts flowing, the flowd process might stop. PR1367599

  • On SRX1500 device with Junos OS 15.1X49-D140, the srxpfe process might not work. PR1370900

  • The SPC3 core file size is larger than the SPC1 and SPC2 core dump files. PR1371447

  • In chassis cluster mode with the IPsec tunnel configured, packet loss is observed when the clear text packets are processed. PR1373161

  • Unified policy performance is improved on the SPC3 card. PR1374231

  • On SRX Series devices, the Security Log Event Details window size is increased to display all the relevant information about the event. PR1373357

  • On SRX Series devices in PIM sparse mode, located between a first-hop router (FHR) and a rendezvous point (RP), if a PIM control session is created through a PIM register-stop message, only the next PIM register message is forwarded; subsequent PIM register messages that match that PIM control session are wrongly dropped. PR1378295

  • When the data path debug capture is stopped, an incorrect error message is displayed. PR1381703

  • The SPC3 can be installed in any slot except slot 0, slot 1, and slot 11. PR1378178

  • On SRX5600 with chassis cluster, if the respmod is enabled for ICAP, the connection with the ICAP server might reset automatically. PR1382376

  • On SRX300, SRX320, SRX340, SRX345, and SRX550-M devices, during path MTU discovery the CE does not receive the ICMP "fragmentation needed and DF set" message. PR1389428

  • On SRX4600, SRX5400, SRX5600, and SRX5800 devices using the SPC3, when the Application Quality of Service rate limiter is configured for specific traffic, packet loss occurs on unrelated traffic until the device is rebooted. PR1394085

  • The set security flow log dropped-illegal-packet and set security flow log dropped-icmp-packet CLI commands are unhidden. PR1394720

Interfaces and Chassis

  • On SRX4600 device, the virtual IP address of the VRRP might not respond to host-inbound traffic. PR1371516

  • The following message appears for each port whose settings are changed or refreshed:

    Apr 3 12:00:00 srx /kernel: check_configured_tpids: <interface> : default tpid (0x8100) not configured. pic allows maximum of 0 tpids

    Apr 3 12:00:00 srx /kernel: check_configured_tpids: <interface> number of configured tpids exceeds the limit(0)

    PR1373668

Interfaces and Routing

  • On SRX1500 devices, the ae0 and ae1 interfaces display the MAC address as 00:00:00:00:00:00 and 00:00:00:00:00:01. PR1352908

Intrusion Detection and Prevention (IDP)

  • IDP signature update fails on the secondary node. PR1358489

  • The IDP might not be deployed due to IDP configuration is not able to commit. PR1374079

  • Unified policies configured with IDP might not inspect arbitrary sessions, marking them as Not Interested in the output of the show security idp counters flow command. PR1385094

J-Web

  • When the J-Web fails to get the resource information, the Routing Engine CPU usage shows 100% in resource utilization in the J-Web dashboard. PR1351416

  • The J-Web setup wizard does not propagate the DHCP attributes from ISP to LAN. PR1370700

  • The chassis cluster image is not displayed on the J-Web dashboard. PR1382219

Layer 2 Features

  • The dcpfe/fxpc process might crash when a large memory allocation is attempted on a Packet Forwarding Engine with little free memory. PR1362332

Layer 2 Ethernet Services

  • The subnet mask is not sent as the reply to a DHCPINFORM message. PR1357291

Network Address Translation (NAT)

  • Source NAT sessions might fail to create when the port-overloading or the port-overloading-factor is configured. PR1370279

Network Management and Monitoring

  • With user firewall enabled, eventd process core files are generated when an RG0 failover is performed. PR1366120

Platform and Infrastructure

  • On SRX1500 devices, when the power supply fails, the trap sent might contain incorrect information. PR1315937

  • Frequent log messages are generated on SRX5400, SRX5600, and SRX5800 devices when the IOC card has the same identifier as the SPC PIC card. PR1357913

  • The SCP configuration backup fails even though the /var/etc/ssh_known_hosts has a proper fingerprint. PR1359424

  • On SRX4600 devices, the show chassis fan and show chassis environment commands do not display any output. PR1363645

  • On SRX1500 devices, a continuous fan alarm is observed. PR1367334

  • Packet capture feature does not work after removing the sampling configuration. PR1370779

  • On SRX Series devices in chassis cluster, the cold synchronization process might slow down when there are many packet forwarding engines (PFEs) installed on the device. PR1376172

  • The Junos OS upgrade might fail with the validate option after the /cf/var/sw directory is erroneously deleted. PR1384319

Routing Policy and Firewall Filters

  • The TCP protocol ports 5800 and 5900 are added to junos-defaults to support VNC application. PR1333206

  • The show security policies detail command output is modified to improve readability, particularly for unified policies. PR1338307

  • On SRX Series devices, the nsd process might crash on the Packet Forwarding Engine with large-scale security policy configuration. PR1354576

  • Dynamic application autocomplete support is not functional within the CLI for the show security match-policies command. PR1363908

  • On SRX4100, SRX4200, SRX4600, and SRX4800 devices, when a dynamic application is configured in a security policy, core files are generated on the Packet Forwarding Engine. As a workaround, do not configure dynamic applications in security policies. PR1368762

  • The timeout value of junos-http is incorrect. PR1371041

  • When a policy references dynamic addresses in the destination-address field and the destination IP address of the traffic is within this dynamic-address pool, the policy does not match this traffic. The issue occurs only for destination address and not for the source address. PR1372921

Routing Protocols

  • If family iso is enabled through a GRE over IPsec (GREoIPsec) tunnel, the vFPC stops working. PR1364624

Services Applications

  • When the ICAP configuration is modified while traffic is passing through, a core file might be generated. PR1389600

  • Clearing the TCP session might not clear the redirect objects. PR1390835

Unified Threat Management (UTM)

  • The default action of Web filtering does not work as expected. PR1365389

  • When the server port is configured as 443, the EWF server status is displayed as UP. PR1383695

VPNs

  • During an RG0 failover in ISSU, when rekeys are used, iked process core files are generated. PR1340973

  • Policy-based VPN is not working with the virtual router. PR1350123

  • IPsec tunnel might not work when there are concurrent IKEv2 Phase 1 SA rekeys. PR1360968

  • On SRX5600 and SRX5800 devices, traffic loss is observed during migration from a VPN to an AutoVPN configuration. PR1362317

  • On SRX Series devices in chassis cluster, when the VPN configuration size reaches the internal configuration processing chunk size, the VPN tunnels might not be configured successfully and the VPN tunnels might not come up after a reboot, upgrade, or restart ipsec-key-management. PR1376134

  • Packet loss is observed in IPsec Z-mode scenario. PR1377266

  • The kmd process might stop and cause VPN traffic outage after running the show security ipsec next-hop-tunnels command. PR1381868

  • Adding or deleting site-to-site manual NHTB VPN tunnels to an existing st0 unit causes the existing manual NHTB VPN tunnels under the same st0 unit to flap. PR1382694

Resolved Issues: 18.2R1

Application Layer Gateways (ALGs)

  • On SRX Series devices with SIP ALG enabled, the SIP ALG might drop SIP packets that have a referred-by or referred-to header field containing multiple header parameters. PR1328266

  • SIP calls drop when the limit per SPU crosses 10,000 calls. PR1337549

Authentication and Access Control

  • On SRX Series devices, the Packet Forwarding Engine might crash and a huge number of core files might be generated within a short time. PR1326677

  • On SRX Series devices, incomplete Request Support Information (RSI) might be seen. PR1329967

  • On SRX Series devices, the sessions might close because of the idle Timeout junos-fwauth-adapter logs. PR1330926

  • Web authentication uses a hard-coded three-second timeout, but in some scenarios three seconds is too short to complete a web authentication. Use the new set access firewall-authentication web-authentication timeout CLI command to configure the web authentication timeout value. PR1339627

Chassis Clustering

  • The device might stop forwarding traffic after RG1 failover from node0 to node1. PR1323024

  • IP monitoring is not working as expected when one node is in secondary hold state and the primary node's priority is 0. PR1330821

Class of Service (CoS)

  • Packets go out of order on SPC2 cards with IOC1 or FIOC cards. PR1339551

Flow-Based and Packet-Based Processing

  • On SRX4600 devices, when you execute the clear security flow session command, the time taken to clear the sessions depends on the total number of sessions. For example, clearing 57M sessions takes 9 minutes. PR1308901

  • Periodic PIM register loop is observed during switch failure. PR1316428

  • The OSPF peers are unable to establish neighbors between the LT interfaces of the logical systems. PR1319859

  • The IPv6 traffic does not work as expected on IOC3 with the services offloading (npcache) feature. PR1331401

  • SSH to the loopback interface of SRX Series devices does not work properly when AppTrack is configured. PR1343736

  • The flowd process might stop when SYN-proxy function is used. PR1343920

  • SNMP MIB walk provides incorrect data counters for total current flow sessions. PR1344352

  • The interface MAC limit configured under VLANS, which is in the range of the CLI guideline, does not take effect. PR1347245

  • File download stops over a period of time when TCP proxy is activated through AV or Juniper Sky ATP. PR1349351

  • On SRX Series devices in a chassis cluster, if an IPv6 session is being closed and at the same time the related data-plane Redundancy Group (RG1+) failover occurs, this IPv6 session on the backup node might hang and cannot be cleared. PR1354448

  • On SRX5000 line devices, when the IPsec performance acceleration feature is enabled, packets going in or out of a VPN tunnel are dropped. PR1357616

Intrusion Detection and Prevention (IDP)

  • The control plane CPU usage is high when using IDP. PR1283379

  • Loading the IDP policy fails because of insufficient available heap memory. PR1347821

J-Web

  • J-Web does not display wizards on the dashboard. PR1330283

  • When the httpd process is not running, the J-Web setup wizard does not work after you run the request system zeroize command. PR1335561

  • In J-Web, you cannot delete the dynamic VPN user configuration. PR1348705

  • In the J-Web Security Policies menu, the search button does not work in Internet Explorer version 11. PR1352910

  • The unsupported et and xe interface parameters for speed, link mode, and media type are removed from the Configure>Interface>Ports tab in J-Web. PR1355871

Layer 2 Ethernet Services

  • The default gateway route might be lost after the failover of RG0 in a chassis cluster. PR1334016

Network Address Translation (NAT)

  • Arena utilization on an FPC spikes and then returns to a normal value. PR1336228

Platform and Infrastructure

  • When you perform commits with apply-groups, VPN might flap. PR1242757

  • The packet captured by datapath-debug on an IOC2 card might be truncated. PR1300351

  • Inconsistent flow-control status on the reth interface is observed. PR1302293

  • On SRX5000 line devices using DC PEM, the output of the show chassis environment pem and show chassis power commands shows incorrect DC input values. PR1323256

  • On SRX5400, SRX5600, and SRX5800 devices, SPC2 XLP stops processing packets in the ingress direction after repeated RSI collections. PR1326584

  • When Security-Intelligence is configured, IPFD CPU utilization might be higher than expected. PR1326644

  • The log messages file contains the node*.fpc*.pic* Status:1000 from if_np for ifl_copnfig op:2 for ifl :104 message. PR1333380

  • Log message No Port is enabled for FPC# on node0 is generated every 5 seconds. PR1335486

  • On SRX4100 devices, interfaces are shown as half-duplex, but there is no impact on the traffic. PR1358066

Routing Policy and Firewall Filters

  • The flowd process stops after a huge number of custom applications are configured. PR1347822

  • On SRX Series devices, a large-scale commit, for example, a 70,000-lines security policy, might stop the nsd process on the Packet Forwarding Engine. PR1354576

Routing Protocols

  • When BGP traceoptions are configured and enabled, the traces specific to messages sent to the BGP peer (BGP SEND traces) are not logged. The traces specific to received messages (BGP RECV traces) are logged correctly. PR1318830

  • On SRX Series devices, dedicated BFD does not work. PR1347662

Unified Threat Management (UTM)

  • The ISSU upgrade might fail due to the Packet Forwarding Engine generating a core file. PR1328665

VLAN Infrastructure

  • On SRX Series devices in transparent mode, the flowd process might stop when matching the destination MAC. PR1355381

VPN

  • IPsec traffic statistic counters return 32-bit values. PR1301688

  • PKID syslog for key-pair deletion is required for conformance. PR1308364

  • SNMP for jnxIpSecTunMonVpnName does not work. PR1330365

  • The kmd process might generate core files when all VPNs are down. PR1336368

  • All IPsec tunnels are in both active and inactive state. PR1348767

  • S2S tunnels are not redistributed after IKE and IPsec are reactivated in a configuration. PR1354440

  • The iked process might crash when IKE and IPsec SA rekeys happen simultaneously. PR1420762

Documentation Updates

There are no errata or changes in Junos OS Release 18.2R3 documentation for the SRX Series.

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths. You can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases might occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to the EEOL release two positions before or after it. For example, Junos OS Releases 15.1X49, 17.3, 17.4, 18.1, and 18.2 are EEOL releases. You can upgrade from one EEOL release to the next EEOL release or to the one after that: for example, from Junos OS Release 15.1X49 to Release 17.3 or 17.4, from Release 17.4 to Release 18.1 or 18.2, and from Release 18.1 to Release 18.2 or 18.3, and so on.

You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.
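The two rules above (at most three releases apart in general; for EEOL releases, the next EEOL release or the one after it) and the stepping-stone advice can be checked mechanically before an upgrade window is booked. The following is an added illustration, not Juniper tooling: the release ordering is constructed for the example, the EEOL status of 15.1X49, 17.3, 17.4, 18.1, and 18.2 is taken from the text, and every entry after 18.2 (including which of them are EEOL) is a hypothetical assumption so that both rules are exercised. Replace RELEASES with the ordering from the EEOL list linked below before relying on it.

```python
"""Upgrade-path checker for the Junos OS release support policy described above.

Added illustration, not Juniper tooling. The release ordering and the EEOL
flags for the releases the text does not name are constructed assumptions.
"""
from collections import deque

# Ordered oldest -> newest as (release, is_eeol). The EEOL status of 15.1X49,
# 17.3, 17.4, 18.1 and 18.2 is taken from the text; every entry after 18.2 is
# hypothetical filler so that both the span rule and the EEOL rule are used.
RELEASES = [
    ("15.1X49", True), ("17.3", True), ("17.4", True), ("18.1", True),
    ("18.2", True), ("18.3", False), ("18.4", False), ("19.1", False),
    ("19.2", False), ("19.3", True), ("19.4", False), ("20.1", False),
    ("20.2", True),
]
MAX_SPAN = 3        # general rule: no more than three releases apart
MAX_EEOL_SPAN = 2   # EEOL rule: the next EEOL release or the one after it


def _index(release):
    for i, (name, _) in enumerate(RELEASES):
        if name == release:
            return i
    raise ValueError(f"unknown release {release!r}")


def direct_supported(src, dst):
    """True if a single upgrade or downgrade from src to dst is within policy."""
    i, j = _index(src), _index(dst)
    if abs(i - j) <= MAX_SPAN:
        return True
    if RELEASES[i][1] and RELEASES[j][1]:
        lo, hi = sorted((i, j))
        # EEOL releases after the lower endpoint, up to and including the higher one
        eeol_hops = sum(1 for k in range(lo + 1, hi + 1) if RELEASES[k][1])
        return eeol_hops <= MAX_EEOL_SPAN
    return False


def plan_path(src, dst):
    """Shortest chain of supported hops from src to dst, found by BFS.

    Every hop moves toward dst, so the result lists the intermediate releases
    to install in order. When a direct jump is out of policy, the EEOL
    stepping stone the text recommends is found because it needs fewer hops.
    """
    i, j = _index(src), _index(dst)
    if i == j:
        return [src]
    step = 1 if j > i else -1
    prev = {i: None}
    queue = deque([i])
    while queue:
        cur = queue.popleft()
        if cur == j:
            break
        for nxt in range(cur + step, j + step, step):
            if nxt not in prev and direct_supported(RELEASES[cur][0], RELEASES[nxt][0]):
                prev[nxt] = cur
                queue.append(nxt)
    if j not in prev:
        return []
    path, k = [], j
    while k is not None:
        path.append(RELEASES[k][0])
        k = prev[k]
    return path[::-1]


if __name__ == "__main__":
    for src, dst in [("15.1X49", "17.4"), ("18.1", "18.3"), ("18.3", "20.2"), ("20.2", "18.2")]:
        print(f"{src} -> {dst}: direct={direct_supported(src, dst)} "
              f"path={' -> '.join(plan_path(src, dst))}")
```

With the constructed table, 18.3 to 20.2 is out of policy as a single step (18.3 is not EEOL and the releases are seven apart), and the planner routes through the hypothetical EEOL release 19.3; 20.2 down to 18.2 is a supported single step because both are EEOL and only two EEOL releases apart.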

For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.

For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.

For information about ISSU, see the Chassis Cluster User Guide for Security Devices.

Product Compatibility

Hardware Compatibility

To obtain information about the components that are supported on the devices, and special compatibility guidelines with the release, see the Hardware Guide and the Interface Module Reference for the product.

To determine the features supported on SRX Series devices in this release, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network.

Find Feature Explorer at: https://pathfinder.juniper.net/feature-explorer/