Junos OS Release Notes for SRX Series
These release notes accompany Junos OS Release 18.4R3 for the SRX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.
You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.
The SRX5K-SPC3 Services Processing Card was introduced in Junos OS Service Release 18.2R1-S1 and is supported in all subsequent Junos OS Releases. The features and functionalities of the SRX5K-SPC3 card are supported in Junos OS Release 18.4R1. Going forward, future improvements for SRX5K-SPC3 will be included in upcoming Junos OS Maintenance Releases.
New and Changed Features
This section describes the new features and enhancements to existing features in Junos OS Release 18.4R3 for the SRX Series devices.
Junos OS Release 18.4R3 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550HM, SRX1500, SRX4100/4200, SRX4600, SRX5400, SRX5600, and SRX5800. Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 12.1X44 through 15.1X49-D150. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D150 are not available in 18.4 releases.
Release 18.4R3 New and Changed Features
There are no new features in Junos OS Release 18.4R3 for the SRX Series devices.
Release 18.4R2-S1 New and Changed Features
Chassis Clustering
Increase in the maximum number of child links (SRX4600)—Starting in Junos OS Release 18.4R2-S1, you can configure eight child link interfaces in a redundant Ethernet bundle on each node of the chassis cluster.
Dedicated fabric ports support (SRX4600)—Starting in Junos OS Release 18.4R2-S1, you can use the built-in dedicated fabric ports as fabric link ports in chassis cluster mode.
[See Understanding Chassis Cluster Slot Numbering and Physical Port and Logical Interface Naming, SRX Series Chassis Cluster Configuration Overview, and Chassis Cluster Control Plane Interfaces.]
Release 18.4R2 New and Changed Features
There are no new features in Junos OS Release 18.4R2 for the SRX Series devices.
Release 18.4R1 New and Changed Features
Application Security
CLI enhancements to support J-Web (SRX Series and vSRX)—Starting in Junos OS Release 18.4R1, the show service application-identification command is enhanced to display applications and application group details in J-Web.
The show service application-identification command used with the new entries option provides the following functionality:
Alphabetical listing of application and application group details.
Pagination support to limit the number of entries in output.
Display of details in a sorted order.
Using filters on output columns to search applications easily.
SSL decryption port mirroring (SRX Series and vSRX)—Junos OS Release 18.4R1 introduces SSL decryption mirroring for SSL forward and reverse proxy. SSL decryption mirroring enables you to forward a copy of SSL decrypted traffic to a configured mirror port on a server that is acting as a traffic collection tool.
To use the decryption mirroring feature, configure the mirror interface and the MAC address of the port in the SSL proxy profile, and apply the SSL proxy profile as the application service in the security policy. Traffic matching the policy rule is decrypted, and a copy of SSL-decrypted traffic is forwarded to the configured mirror port.
[See SSL Proxy.]
Application path selection based on link preference and priority (SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200, and vSRX)—Starting in Junos OS Release 18.4R1, you can configure Application Quality of Experience (AppQoE) to select an application path based on the link priority and the link type when multiple links are available.
For application path selection, a list of paths to a specific destination that meet the SLA requirements is made available. From the list, AppQoE selects the path that matches the configured link preference. Paths are WAN links used for forwarding application traffic. You can select an MPLS or Internet link as the preferred path and assign it a priority from 1 through 255 (a value of 1 indicates the highest priority).
Schedulers support for APBR (SRX Series and vSRX)—Starting in Junos OS Release 18.4R1, support for configuring policy schedulers for an advanced policy-based routing (APBR) policy is available. Using a policy scheduler, you can schedule APBR policy execution at a specified time and enforce the policy for a specified duration.
To use a scheduler for an APBR policy, you must create a scheduler and refer to that scheduler in your APBR policy configuration. The policy scheduler activates and deactivates a policy according to the scheduled time. When the scheduler times out, the associated policy is deactivated.
Chassis Cluster
Chassis cluster resiliency (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, a three-layered model is introduced to detect software and hardware failures that impact chassis cluster performance. Flapping of em0 and control path software or hardware failures are detected and state transitions and failovers are triggered using this model. Following are the three layers:
Layer 1: Identifies and detects the components that are causing the failures.
Layer 2: Detects the failures that are not detected by Layer 1.
Layer 3: Shares the health information of the system between the two nodes over the control and fabric links.
The set chassis cluster health-monitoring command is introduced to enable monitoring of the health of the chassis cluster.
[See Chassis Cluster Resiliency.]
Flow-Based and Packet-Based Processing
SRX5K-SPC3 card with flow support in chassis cluster mode (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, the SRX5K-SPC3 and SRX5K-SPC-4-15-320 (SPC2) cards can operate together in a mixed-mode configuration on the SRX5000 line of devices using the same slot number in both nodes. If you are adding the SPC3 SPCs to the SRX5000 devices, you must install the new SPCs in the lowest-numbered slot of any SPC that provides central point functionality. SPC3 interoperates with the SRX5000 I/O cards (IOC2, IOC3), Switch Control Boards (SCB2, SCB3), Routing Engines, and SPC2 cards.
General Packet Radio Service (GPRS)
IPv6 support on GTP (SRX1500, SRX4100, SRX4200, SRX4600, SRX4800, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 18.4R1, GPRS tunneling protocol (GTP) traffic security inspection is supported on IPv6 addresses along with the existing IPv4 support. With this enhancement, a GTP tunnel using either IPv4 or IPv6 addresses is established for individual user endpoints (UEs) between a Serving GPRS Support Node (SGSN) in 3G or a Serving Gateway (S-GW) in 4G and a Gateway GPRS Support Node (GGSN) in 3G or a PDN Gateway (P-GW) in 4G.
[See GPRS Overview.]
Enhancements to GTP-C Tunnel (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, the GTP-C tunnel is enhanced to support tunnel-based session distribution to speed up the tunnel setup process and load-balance the sessions between the SPUs. The GTP-C tunnels and the GTP-C tunnel sessions are distributed by the SGSN tunnel endpoint identifier (TEID) of the tunnel. Use the set security forwarding-process application-services enable-gtpu-distribution command to enable the tunnel-based session distribution where the GTP-C traffic of different tunnels is spread across different SPUs.
[See GPRS Overview.]
Interfaces and Chassis
Support for up and down delay timers on reth interfaces (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, you can configure up and down delay timers for redundant Ethernet (reth) interfaces. The delay timers keep the reth interfaces up or down, respectively, to prevent the routing protocols from reconverging and to avoid loss of traffic during a crash or when links flap.
On SRX series devices, the default delay timer for down hold-time is 11 seconds, and the default delay timer for up hold-time is 0 seconds. To configure the timers, include the reth 1 hold-time down timer and reth 1 hold-time up timer statements at the [edit interfaces] hierarchy level.
Half-duplex link support (SRX340 and SRX345)—Starting in Junos OS Release 18.4R1, half-duplex mode is supported on SRX340 and SRX345 devices. Half duplex enables bidirectional communication, but signals can flow in only one direction at a time. Full-duplex communication means that both ends of the communication can send and receive signals at the same time. By default, half duplex is configured. If the link partner is set to autonegotiate the link, then the link is autonegotiated to full duplex or half duplex. If the link is not set to autonegotiation, then the link defaults to half duplex unless the interface is explicitly configured for full duplex.
[See link-mode.]
Intrusion Detection and Protection (IDP)
Support for custom time bindings in a time-binding custom attack (SRX Series)—Starting in Junos OS Release 18.4R1, you can configure the maximum time interval between any two instances of a time-binding custom attack. The range for the maximum time interval is 0 minutes and 0 seconds through 60 minutes and 0 seconds. In Junos OS releases before 18.4R1, the maximum time interval between any two instances of a time-binding attack is 60 seconds.
The interval time-interval statement is introduced at the [edit security idp custom-attack attack-name time-binding] hierarchy to configure a custom time-binding.
[See Understanding Custom Attack Objects and time-binding.]
User visibility improvements for IDP attacks within an IDP Policy (SRX Series and vSRX)—Starting in Junos OS Release 18.4R1, you can view and validate the complete set of attacks that are configured for an IDP policy (predefined, dynamic, and custom attacks).
Use the show security idp attack attack-list policy policy-name command to view the attacks that are configured for an IDP policy.
IDP policy rematch (SRX Series)—Starting in Junos OS Release 18.4R1, when a new IDP policy is loaded, the existing sessions are inspected using the newly loaded policy and are not ignored for IDP processing.
[See IDP Policies Overview.]
Logical Systems and Tenant Systems
Starting in Junos OS Release 18.4R1, the following features that are supported on the logical systems are now extended to tenant systems:
Dynamic address support for tenant systems (SRX Series)—Starting in Junos OS Release 18.4R1, the tenant system user can create dynamic address entries within a tenant system. A dynamic address entry contains IP ranges extracted from external sources. The security policies use the dynamic address in the source-address or destination-address field. The tenant system administrator can view the dynamic address information, including name, feeds, properties, and number of IPv4 and IPv6 entries for tenant systems, by using the show security dynamic-address command.
DHCP support for tenant systems (SRX Series)—Starting in Junos OS Release 18.4R1, DHCP provides support for DHCP clients, DHCP relay agents, and IPv6 dynamic servers for prefix delegation for tenant systems. The DHCP relay agent operates as the interface between DHCP clients and IPv6 dynamic server for tenant systems, and also relays DHCP messages between DHCP clients and DHCP servers on different IP address networks.
[See DHCP for Tenant Systems.]
SRX5K-SPC3 card support for tenant systems (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, support for the SRX5K-SPC3 services processing card is introduced for tenant systems.
[See Tenant Systems Overview.]
Application firewall support on tenant systems (SRX Series)—Starting in Junos OS Release 18.4R1, the tenant system administrator can configure the application firewall profile, trace options, and resources appfw-rule-set and appfw-rule in a tenant system. The application firewall rules can be reordered using the command insert tenants tenant-id security application-firewall rule-sets ruleset-name rule rule-name1 after rule rule-name2.
Application firewall is a group of fine-grained application control policies to allow or deny the traffic based on the dynamic application name or the group names. It enhances security policy creation and enforcement based on the applications rather than traditional port and protocol analysis.
Interfaces support enhancement on tenant systems (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, support for interfaces is enhanced on tenant systems with the following changes:
You can configure an interface in the tenant system similar to how you configure an interface in a logical system.
All types of interfaces that can be configured in a logical system can also be configured in a tenant system.
All the interfaces that are configured in a tenant system are associated with the routing instance configured for that tenant system.
[See Tenant Systems Overview.]
Network Management and Monitoring
RPM probe enhancement (SRX Series)—Starting in Junos OS Release 18.4R1, if the result of a probe or test exceeds the packet loss threshold, the real-time performance monitoring (RPM) test probe is marked as failed. The test probe also fails when the round-trip time (RTT) exceeds the configured threshold (the configurable range is 0 through 60000000 ms). As a result, the device generates an SNMP notification (trap) and marks the RPM test as failed.
RPM allows you to perform service-level monitoring. When RPM is configured on a device, the device calculates network performance based on packet response time, jitter, and packet loss.
[See RPM Overview.]
SNMP support for monitoring the 4G LTE Mini-Physical Interface Module (Mini-PIM) status (SRX300, SRX320, SRX340, SRX345, and SRX550M)—Starting in Junos OS Release 18.4R1, you can monitor 4G LTE Mini-PIM status by using SNMP remote network management.
You can use the following commands to monitor the 4G LTE Mini-PIM status:
show snmp mib walk ascii jnxWirelessWANNetworkInfoTable
show snmp mib walk ascii jnxWirelessWANFirmwareInfoTable
In previous releases, the show modem wireless network interface interface-name and show modem wireless firmware interface interface-name commands are used to check the 4G LTE Mini-PIM status.
Routing Protocols
ARP policer support to protect Routing Engine (SRX Series)—Starting in Junos OS Release 18.4R1, you can apply policers on Address Resolution Protocol (ARP) traffic on SRX Series devices. You can configure rate limiting for the policer by specifying the bandwidth and the burst-size limit. Packets exceeding the policer limits are discarded.
The traffic to the Routing Engine is controlled by applying the policer on ARP traffic. Using policers helps prevent network congestion caused by broadcast storms.
[See ARP Policer Overview.]
Security
New operational commands for security policy configuration (SRX Series and vSRX)—Starting in Junos OS Release 18.4R1, the following operational commands are introduced:
show security policies information
show security policies checksum
request security policies check
request security policies resync
The show security policies information command provides detailed information about the policies configured on SRX Series devices and on vSRX. The show security policies checksum, request security policies check, and request security policies resync commands are used to synchronize security policies between the Routing Engine and the Packet Forwarding Engine.
[See show security policies information, show security policies checksum, request security policies check, and request security policies resync.]
URL category-based security with unified policies (SRX Series)—Starting from Junos OS Release 18.4R1, the unified policies feature is enhanced to include URL categories as match criteria for traffic flowing through the firewall. The URL category for Web filtering enables redirecting the traffic based on configured URL Category policy for further processing on the SRX Series devices. URL categories can be configured for unified policies with or without dynamic-application applied.
A URL category can be configured as url-category any and url-category none. If url-category is not configured, the functionality is similar to url-category none.
Juniper Sky Advanced Threat Prevention
Juniper Sky ATP Logical Domain Support—Starting in Junos OS 18.4, SRX Series devices support logical domains for anti-malware and security-intelligence policies. When you associate a logical domain with a realm in Juniper Sky ATP, that domain receives the threat management features configured for the realm. The SRX Series device will then perform policy enforcement based on logical domain and the associated Juniper Sky ATP realm. See Tenant Systems: Security-Intelligence and Anti-Malware Policies in the Juniper Sky Advanced Threat Prevention Administration Guide for details.
Software Licensing
Support to stop log messages on throughput overuse (SRX4100)—Starting with Junos OS Release 18.4R1, the enhanced performance upgrade license is required to stop the log messages that are generated if the Internet mix (IMIX) throughput exceeds 20 Gbps and 7 Mpps on the SRX4100 device.
[See Log File Sample Content.]
UTM
Avira scan engine support on antivirus module (SRX1500, SRX4100, SRX4200, and SRX4600)—Starting in Junos OS Release 18.4R1, SRX Series devices support an on-device antivirus scan engine. The on-device scan engine Avira scans the data by accessing the virus pattern database. The antivirus scan engine is provided as a UTM module that you can download and install on your SRX Series device either manually (using the request security utm anti-virus avira-engine command) or by using the Internet to connect to a Juniper Networks-hosted URL or a user-hosted URL.
VPN
Port-mirrored traffic support on an IPsec interface (SRX Series)—Starting in Junos OS Release 18.4R1, if the output X2 interface of a mirror filter is configured for an st0 interface to filter traffic that you want to analyze, the packet is duplicated and encrypted by the IPsec tunnel bound to the st0 interface. This enhancement supports SRX Series devices in sending traffic mirrored from a port on an IPsec tunnel.
[See Monitoring X2 Traffic.]
PowerMode IPsec (SRX4100 and SRX4200)—Starting in Junos OS Release 18.4R1, PowerMode IPsec (PMI) is a new mode of operation that provides IPsec performance improvements using Vector Packet Processing (VPP) and Intel AES-NI instructions. PMI utilizes a small software block inside the Packet Forwarding Engine that bypasses flow processing and utilizes the AES-NI instruction set for optimized performance of IPsec processing.
You can enable PMI processing by using the set security flow power-mode-ipsec command.
The following features are supported with PMI:
Auto Discovery VPN (ADVPN)
Internet Key Exchange (IKE) functionality
AutoVPN
High availability
IPv6
Stateful firewall
st0 interface
Traffic selectors
SRX5K-SPC-4-15-320 (SPC2) and SRX5K-SPC3 (SPC3) support for IPsec VPN (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, all IPsec VPN features that were previously supported only on SPC3 (model number: SRX5K-SPC3) are now supported on both SPC2 (model number: SRX5K-SPC-4-15-320) and SPC3 installed in the SRX5000 line of devices operating in chassis cluster mode or in standalone mode.
[See Understanding VPN Support for Inserting Services Processing Cards.]
Changes in Behavior and Syntax
This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 18.4R3 for the SRX Series.
Release 18.4R3 Changes in Behavior and Syntax
Authentication and Access Control
Enabling and disabling SSH login password or challenge-response authentication (SRX Series)—Starting in Junos OS Release 18.4R3, you can disable either the SSH login password or the challenge-response authentication at the [edit system services ssh] hierarchy level.
In Junos OS releases earlier than Release 18.4R3, you can enable and disable both the SSH login password and the challenge-response authentication simultaneously at the [edit system services ssh] hierarchy level.
[See Configuring SSH Service for Remote Access to the Router or Switch.]
SSH protocol version v1 option deprecated from CLI (SRX Series)—Starting in Junos OS Release 18.4R3, the nonsecure SSH protocol version v1 option is not available at the [edit system services ssh protocol-version] hierarchy level. The SSH protocol version v2 is the default option to remotely manage systems and applications. The deprecation of the SSH protocol version v1 enables Junos OS to be compatible with OpenSSH 7.4 and later versions.
Junos OS Release 18.4R2 and earlier releases support the SSH protocol version v1 option to remotely manage systems and applications.
[See protocol-version.]
Interfaces and Chassis
Change in output of show interfaces (SRX300, SRX320, SRX340, SRX345, SRX550M)—Starting in Junos OS Release 18.4R3, the output of the show interfaces command on the SRX300 line of devices and on the SRX550M no longer displays vlan as the value of the Physical interface field. On these devices, the value of the Physical interface field in the command output appears as irb instead of vlan.
Juniper Sky ATP
Dynamic address entries on SRX Series devices in chassis cluster mode—Starting in Junos OS Release 18.4R3, for SRX Series devices in chassis cluster mode, the dynamic address entry list is retained on the device even after the device is rebooted following a loss of connection to Juniper Sky Advanced Threat Prevention (ATP).
Unified Threat Management
Increase in the UTM scale numbers (SRX1500, SRX4100, SRX4200, SRX4600, SRX4800, SRX5400, SRX5600, and SRX5800)—Starting with Junos OS Release 18.4R3, on SRX Series devices, the maximum numbers of UTM policies, profiles, MIME patterns, filename extensions, protocol commands, and custom messages are increased to 1500. The maximum numbers of custom URL patterns and custom URL categories are increased to 3000.
VPNs
IKE gateway dynamic distinguished name (DN) attributes (SRX Series devices)—Starting in Junos OS Release 18.4R3, you can configure only one dynamic distinguished name (DN) attribute, either container-string or wildcard-string, at the [edit security ike gateway gateway_name dynamic distinguished-name] hierarchy level. If you configure the second attribute after you configure the first attribute, the first attribute is replaced with the second attribute. Before you upgrade your device, you must remove one of the attributes if you have configured both attributes.
[See distinguished-name (Security) and Understanding IKE Identity Configuration.]
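The two 18.4R3 changes above (SSH protocol version v1 removed, only one dynamic DN attribute per IKE gateway) both affect an existing configuration on upgrade. The following pre-upgrade audit is an added example, not Juniper code: it scans a configuration in "display set" form for both conditions. The gateway names, DN strings and the sample configuration are constructed; the statement names come from the release notes.

```python
"""Pre-upgrade audit for the 18.4R3 SSH v1 and IKE dynamic DN changes.

Added example, not Juniper code. Input is a Junos configuration as shown by
'show configuration | display set'. Statement names are taken from the release
notes; everything else (gateway names, DN strings) is constructed sample data.
"""
import re
from collections import defaultdict

# Constructed sample configuration in display-set form (not from a real device).
SAMPLE_CONFIG = """\
set system services ssh protocol-version v1
set system services ssh protocol-version v2
set security ike gateway gw-branch dynamic distinguished-name container-string "OU=branch,O=example"
set security ike gateway gw-branch dynamic distinguished-name wildcard-string "OU=branch"
set security ike gateway gw-dc dynamic distinguished-name wildcard-string "O=example"
set security ike gateway gw-static address 192.0.2.10
"""

# One dynamic DN attribute statement: captures the gateway name and which attribute.
DN_RE = re.compile(
    r"^set security ike gateway (\S+) dynamic distinguished-name "
    r"(container-string|wildcard-string)\b"
)
# The nonsecure SSH protocol version removed from the CLI in 18.4R3.
SSH_V1_RE = re.compile(r"^set system services ssh protocol-version v1\b")


def audit_config(config_text):
    """Return findings relevant to the 18.4R3 upgrade.

    Result shape: {"ssh_v1": bool, "dn_conflicts": [gateway, ...]}
    where dn_conflicts lists gateways that carry both DN attributes.
    """
    ssh_v1 = False
    dn_attrs = defaultdict(set)
    for raw in config_text.splitlines():
        line = raw.strip()
        if SSH_V1_RE.match(line):
            ssh_v1 = True
        m = DN_RE.match(line)
        if m:
            dn_attrs[m.group(1)].add(m.group(2))
    conflicts = sorted(gw for gw, attrs in dn_attrs.items() if len(attrs) == 2)
    return {"ssh_v1": ssh_v1, "dn_conflicts": conflicts}


def report(findings):
    """Render findings as operator-readable lines (returned, not printed, for testing)."""
    lines = []
    if findings["ssh_v1"]:
        lines.append(
            "SSH protocol-version v1 is configured; the v1 option is not available "
            "in 18.4R3 (v2 is the default). Remove it before upgrading."
        )
    for gw in findings["dn_conflicts"]:
        lines.append(
            f"IKE gateway {gw} has both container-string and wildcard-string; "
            "18.4R3 keeps only one attribute. Remove one before upgrading."
        )
    if not lines:
        lines.append("No 18.4R3 upgrade blockers found.")
    return lines


if __name__ == "__main__":
    for line in report(audit_config(SAMPLE_CONFIG)):
        print(line)
```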
COS Forward Class name (SRX Series devices)—Starting in Junos OS Release 18.4R3, the fc-name (CoS forwarding class name) CLI option is deprecated in the new iked process that displays security associations (SAs) in the output of the show security ipsec sa command.
Release 18.4R2 Changes in Behavior and Syntax
Application Security
Starting in Junos OS Release 18.4R2, the SSL decryption mirroring feature is supported on redundant Ethernet (reth) interface on SRX Series devices operating in a chassis cluster.
Starting in Junos OS Release 18.4R2, the format for setting up an automatic update of the application signature package is changed. You can now use the YYYY-MM-DD.hh:mm format to configure the time of the automatic download of application signatures. For example, the following statement sets the start time to 10 AM on June 30, 2019:
user@host# set services application-identification download automatic start-time 2019-06-30.10:00:00
You can configure the automatic updates using the new format once you upgrade from your previous Junos OS version to the supported Junos OS version (Junos OS Release 18.4R2).
Network Management and Monitoring
NSD Restart Failure Alarm (SRX Series)—Starting in Junos OS Release 18.4R2, a system alarm is triggered when the Network Security Process (NSD) is unable to restart due to the failure of one or more NSD subcomponents. The alarm logs about the NSD are saved in the messages log. The alarm is automatically cleared when NSD restarts successfully.
The show chassis alarms and show system alarms commands are updated to display the following alarm text when NSD is unable to restart: NSD fails to restart because subcomponents fail.
[See Alarm Overview.]
VPN
Encryption algorithm (SRX Series)—Starting in Junos OS Release 18.4R2, when the AES-GCM 128-bit or AES-GCM 256-bit encryption algorithm is configured in the IPsec proposal, it is not mandatory to configure an AES-GCM encryption algorithm in the corresponding IKE proposal.
[See IPsec VPN Configuration Overview and encryption-algorithm (Security IKE).]
Release 18.4R1-S2 Changes in Behavior and Syntax
VPN
Encryption algorithm (SRX Series)—Starting in Junos OS Release 18.4R1-S2, when the AES-GCM 128-bit or AES-GCM 256-bit encryption algorithm is configured in the IPsec proposal, it is not mandatory to configure an AES-GCM encryption algorithm in the corresponding IKE proposal.
[See IPsec VPN Configuration Overview and encryption-algorithm (Security IKE).]
Release 18.4R1 Changes in Behavior and Syntax
Application Security
Changes to show security advance-policy-based-routing statistics command—Starting from Junos OS Release 18.4R1, the AppID Requested, Rule matches, and AppID cache hits options are deprecated in the show security advance-policy-based-routing statistics command.
The new options App rule hit on cache hit, URL cat rule hit on cache hit, App rule hit midstream, and URL cat rule hit midstream are included to provide the details shown in Table 3:
Table 3: show security advance-policy-based-routing statistics
Field Name: Field Description
App rule hit on cache hit: The number of times a rule with a matching entry in the application system cache (ASC) is found.
URL cat rule hit on cache hit: The number of times a rule with defined URL categories is matched.
App rule hit midstream: The number of times a route is changed in the middle of a session because a rule with a defined application is matched.
URL cat rule hit midstream: The number of times a route is changed in the middle of a session because a rule with defined URL categories is matched.
The modified show security advance-policy-based-routing statistics command provides the output as shown in the following sample:
user@host> show security advance-policy-based-routing statistics
Advance Profile Based Routing statistics:
    Sessions Processed                     2
    App rule hit on cache hit              1
    URL cat rule hit on cache hit          0
    App rule hit midstream                 1
    URL cat rule hit midstream             0
    Route changed on cache hits            1
    Route changed midstream                1
    Zone mismatch                          0
    Drop on zone mismatch                  0
    Next hop not found                     0
Chassis Cluster
Chassis cluster information detail operational command (SRX Series)—Starting in Junos OS Release 18.4R1, use the show chassis cluster information detail command to view the chassis cluster information details for each node.
Flow-Based and Packet-Based Processing
New configuration options for flow configuration—Starting from Junos OS Release 18.4R1, the log dropped-illegal-packet and log dropped-icmp-packet options are introduced under the [edit security flow] hierarchy level.
[See flow (Security Flow).]
Multiple collector support for J-Flow version 9 (SRX Series)—Starting in Junos OS Release 18.4R1, for J-Flow version 9, up to four collectors can be configured under family inet, and the Packet Forwarding Engine exports the flow record, flow record template, option data, and option data template packets to all configured collectors. Before this release, only one collector could be configured under family inet and inet6.
Installation and Upgrade
Autoinstallation support (SRX1500)—Starting in Junos OS Release 18.4R1, SRX1500 devices support autoinstallation to automate the configuration process for loading configuration files onto new or existing devices automatically over the network. Use the CLI Editor in configuration mode to configure the device for autoinstallation. The factory-default setting has been changed to support autoinstallation.
Network Management and Monitoring
The NETCONF server omits warnings in RPC replies when the rfc-compliant statement is configured and the operation returns <ok/> (SRX Series)—Starting in Junos OS Release 18.4R1, when you configure the rfc-compliant statement at the [edit system services netconf] hierarchy level to enforce certain behaviors by the NETCONF server, the server must not return an RPC reply that encloses both an <rpc-error> element and an <ok/> element. If the operation is successful, but the server reply would enclose one or more <rpc-error> elements of severity warning in addition to the <ok/> element, then the warnings are omitted. In earlier releases, or when the rfc-compliant statement is not configured, the NETCONF server might issue an RPC reply that encloses both an <rpc-error> element of severity warning and an <ok/> element.
SSHD process authentication logs timestamp (SRX Series)—Starting in Junos OS Release 18.4R1, the SSHD process authentication logs use only the time zone defined in the system time zone. In earlier releases, the SSHD process authentication logs sometimes used the system time zone and sometimes the UTC time zone.
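The rfc-compliant NETCONF behavior described above is easiest to see on a concrete reply. The following is an added example, not Juniper code: it models the 18.4R1 rule on a constructed <rpc-reply> that carries both an <ok/> element and a warning-severity <rpc-error>, dropping the warning so that a client never sees a mixed reply. An <rpc-error> of severity error is deliberately left alone, because the release note only describes the successful-operation case.

```python
"""Model of the 18.4R1 rfc-compliant NETCONF reply rule (added example, not
Juniper code). Given an <rpc-reply>, drop warning-severity <rpc-error>
elements when the reply also contains <ok/>. The reply text is constructed
sample data, not captured from a device.
"""
import xml.etree.ElementTree as ET

# NETCONF base namespace from RFC 6241; all reply elements live in it.
NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
ET.register_namespace("", NC)

# Constructed reply of the pre-18.4R1 (or non-rfc-compliant) shape:
# the operation succeeded, but a warning is enclosed alongside <ok/>.
MIXED_REPLY = f"""<rpc-reply xmlns="{NC}" message-id="101">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>warning</error-severity>
    <error-message>constructed warning text</error-message>
  </rpc-error>
  <ok/>
</rpc-reply>"""


def q(tag):
    """Clark-notation name for an element in the NETCONF base namespace."""
    return f"{{{NC}}}{tag}"


def classify_reply(reply_xml):
    """Return 'ok', 'error', or 'mixed' (both <ok/> and <rpc-error> present)."""
    root = ET.fromstring(reply_xml)
    has_ok = root.find(q("ok")) is not None
    has_err = root.find(q("rpc-error")) is not None
    if has_ok and has_err:
        return "mixed"
    return "ok" if has_ok else "error"


def rfc_compliant_filter(reply_xml):
    """Apply the rfc-compliant rule to one reply.

    Returns (filtered_xml, dropped_count). Only warning-severity
    <rpc-error> elements are removed, and only when <ok/> is present;
    error-severity elements are left untouched (that case is not a
    successful operation, so the release note's rule does not apply).
    """
    root = ET.fromstring(reply_xml)
    dropped = 0
    if root.find(q("ok")) is not None:
        for err in list(root.findall(q("rpc-error"))):
            severity = err.findtext(q("error-severity"), default="").strip()
            if severity == "warning":
                root.remove(err)
                dropped += 1
    return ET.tostring(root, encoding="unicode"), dropped


if __name__ == "__main__":
    filtered, n = rfc_compliant_filter(MIXED_REPLY)
    print(f"before: {classify_reply(MIXED_REPLY)}, after: {classify_reply(filtered)}, dropped {n}")
    print(filtered)
```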
UTM
Security log message enhancement (SRX Series and vSRX)—Starting in Junos OS Release 18.4R1, the security log information is enhanced to include the source zone and destination zone for the Web filtering, content filtering, antispam filtering, and antivirus features of UTM.
[See Understanding Unified Policies [Unified Threat Management (UTM)].]
UTM default policy enhancement (SRX1500, vSRX)—Starting with Junos OS Release 18.4R1, on SRX1500 Services Gateways and vSRX instances, the maximum numbers of UTM policies, profiles, MIME patterns, filename extensions, custom messages, and protocol commands are increased from 500 to 1500. The maximum numbers of custom URL patterns and custom URL categories are increased from 1000 to 3000.
[See UTM Overview.]
Antivirus profiles enhancement (SRX Series)—Starting in Junos OS Release 18.4R1, you can create a common antivirus profile for different antivirus types. While you are creating a UTM policy for an antivirus profile, the UTM policy configuration page provides common antivirus profile selection fields for each supported protocol.
In Junos OS Release 18.3R1 and earlier releases, separate antivirus profiles are created for every antivirus protocol. While you are creating a UTM policy for an antivirus profile, the UTM policy configuration page provides separate antivirus profile selection fields for every supported protocol.
[See Full Antivirus Protection.]
Known Behavior
This section contains the known behaviors, system maximums, and limitations in hardware and software in Junos OS Release 18.4R3 for the SRX Series.
For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Flow-Based and Packet-Based Processing
When you configure an interface to a zone under a tenant or under a root system, interfaces that are rented by other tenants are listed with a question mark. PR1370255
Interfaces and Chassis
On SRX4600 devices, the USB storage device is available only for the host OS (Linux) with full access and for the boot process (install and recovery functions). PR1283618
J-Web
CLI terminal is not working in Java version 1.8 due to a security restriction in the running applet. PR1341956
Platform and Infrastructure
USB stops working if the USB device is removed while it is in the initialization state. To avoid this issue, wait a few seconds before removing the USB device. PR1332360
Unified Threat Management (UTM)
From Junos OS Release 18.3 onward, categories in the APBR module based on the destination IP address are supported. Category classification occurs and the APBR action takes place. UTM Web filtering provides information about the category to the APBR module for the matched and received destination IP address. However, Web filtering currently has a limitation: category classification is inaccurate for IP addresses, which leads to a non-APBR route. PR1365931
To make the APBR custom category work, you need to create a local UTM profile. PR1366528
VPNs
When multiple traffic selectors are configured on a particular VPN, the iked process checks for a maximum of 1 DPD probe that is sent to the peer for the configured DPD interval. The DPD probe will be sent to the peer if traffic flows over even one of the tunnels for the given VPN object. PR1366585
On an existing tunnel, if the DPD values are changed, then they are not applied until rekeying for that tunnel happens. PR1375963
When using the operational mode request security ike debug-enable for IKE debugging after having used IKE traceoptions with a filename specified in the configuration, the debugs are still being written to the same filename. PR1381328
Known Issues
This section lists the known issues in hardware and software in Junos OS Release 18.4R3 for SRX Series devices.
For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Chassis Cluster
After a subsequent reboot of RG0, the primary tunnel entries are deleted. PR1396513
On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, causing a disruption of traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334
Class of Service (CoS)
On NFX Series platforms, when a CoS rewrite rule is configured for the st0 interface, the CoS value will not take effect on the corresponding forwarding class. It causes CoS not to work as expected. PR1439401
Flow-Based and Packet-Based Processing
On SRX Series devices, traffic identification might fail and unidentified traffic might pass through the device when the AppID feature is used. PR1357093
Invalid sessions time out after more than 48 hours under TCP stress traffic on the backup node. PR1383139
On all SRX Series platforms, in chassis cluster with Z mode traffic and local (non-reth) interfaces configured, when using ECMP routing between multiple interfaces residing on both node0 and node1, if a session is initiated through one node and the return traffic comes in through the other node, packets may get dropped due to reroute failure. PR1410233
While PMI is on, the IPsec-encrypted statistics shown on the Routing Engine by the show security ipsec statistics command no longer work for fragmented packets. PR1411486
Within an SSL-proxy configuration, if trusted-ca and root-ca have the same name, the associated SSL-T and SSL-I profiles are not pushed to the Packet Forwarding Engine, thereby impacting the SSL-proxy functionality. As a workaround, ensure that trusted-ca and root-ca have different IDs or names.
If you are already in this scenario, do the following to recover:
Configure different names for trusted-ca and root-ca.
From the CLI, restart the NSD process using the restart network-security command.
The rtlogd processes on the two Routing Engine HA nodes go into a deadlock state when rtlogd on both nodes is busy sending data to the other node in the single-thread context. PR1435352
On SRX Series devices with the SSL proxy service in use, a memory leak might occur, which results in the flowd or srxpfe process stopping. PR1450829
A TCP session cannot time out properly upon receiving a TCP RESET packet, and the session timeout does not change to two seconds. PR1467654
Interfaces and Chassis
On SRX Series devices, when doing an ISSU upgrade, the reth interface might flap and cause traffic loss on rare occasions. PR1381475
On SRX Series platforms, sometimes the mgd processes are not properly closed. As a result, many mgd instances are unnecessarily left running. PR1439440
Intrusion Detection and Prevention (IDP)
Rogue .gz files in /var/tmp/sec-download/ might cause the offline secpack update to fail. PR1466283
J-Web
On SRX Series platforms, the root password configured at the first J-Web access (Skip to J-Web) does not work if the password length is shorter than eight characters. PR1371353
Support for intelligent CLI-based autocomplete is added to secure-wire. PR1372825
On the SRX300 line of devices, an IPS installation failure message is displayed when uploading the IPS signature package using the TAP mode quick setup wizard. This is an intermittent issue and occurs when IPS is installed immediately after the system zeroize command. PR1404296
Network Management and Monitoring
The snmpd process leaks memory in the SNMPv3 query path and crashes. The issue is caused by a memory leak when the request PDU is dropped by SNMP when the snmp filter-duplicates configuration is enabled. Each request PDU has a structure pointer for the SNMPv3 security details. This is allocated when the PDU is created or cloned. But while dropping the duplicate requests, the corresponding structure is not freed, which causes the memory leak. PR1392616
Platform and Infrastructure
Multiple Monitor-failures errors are seen on the rg1 interface after ISSU completion from Junos OS Release 17.4R1-S3 to Junos OS Release 18.1R1.9. PR1354395
On an SRX4600 device, Packet Forwarding Engine stops are seen due to a segmentation problem. PR1422466
On the SRX300 line of devices, the interface LED does not work properly. PR1446035
Routing Policy and Firewall Filters
On all SRX Series devices, there might be a traffic outage if failover happens between node0 and node1 and the network security process (NSD) fails to read the security policies from the configuration file. PR1182591
In rare cases, a specific domain is not resolved by the SRX Series device when using the DNS address book. This is because the DNS library resolver fails to identify a pointer with a large offset in the compressed DNS name. PR1471408
Unified Threat Management (UTM)
From Junos OS Release 18.4 onwards, the UTM log will include source and destination zone information. PR1326271
VPNs
On SRX Series devices, if multiple traffic selectors are configured for a peer with IKEv2 reauthentication, only one traffic selector is rekeyed at the time of IKEv2 reauthentication. The VPN tunnels of the remaining traffic selectors are cleared without immediate rekeying. New negotiation of these traffic selectors is triggered through other mechanisms such as traffic or by peer. PR1287168
On an SRX4600 device, when the next hop is set to the st0 interface, the output of the show route forwarding-table command displays the next-hop IP address twice. PR1290725
On SRX Series devices, with NCP as client, sometimes IKE SA might not be displayed in the CLI output after RG1 failover. PR1352457
VPN tunnels flap after adding or deleting a group in edit private mode on a clustered setup. PR1390831
On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, if an existing IKE gateway configuration is changed from AutoVPN to Site-to-Site VPN, the IKE negotiation behavior remains in responder-only mode. PR1413619
On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, causing a disruption of traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334
On the SRX5000 line of devices with SPC3 cards, sometimes IKE SA is not seen on the device when st0 binding on VPN configuration object is changed from one interface to another (for example, st0.x to st0.y). PR1441411
On SRX Series devices with more than 500 IPsec VPN tunnels configured, the IPsec VPN might flap if establishing a connection for the first time. PR1455951
On SRX Series devices with chassis cluster configured, when the SRX Series device is acting as a hub device and AutoVPN point-to-multipoint mode is configured (set interfaces st0 unit x multipoint and set security ike gateway xxx dynamic are configured), IPsec tunnels might lose connectivity after RG0 failover. PR1469172
Resolved Issues
This section lists the issues fixed in hardware and software in Junos OS Release 18.4R3 for SRX Series devices.
For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Resolved Issues: 18.4R3
Application Layer Gateways (ALGs)
Sometimes unexpected forwarding sessions appear for tenant ALG SIP traffic in cross tenant. PR1409748
The H.323 connection might not be established when the H.323 packet passes SRX Series devices twice through different virtual routers. PR1436449
Packet loss happens during cold synchronization from the secondary node after rebooting. PR1448252
Authentication and Access Control
The CPU utilization of the uacd process is high, about 100 percent, in the output of show chassis routing-engine. PR1424971
The same source IP sessions are cleared when the IP entry is removed from the UAC table. PR1457570
Application Security
The AAMW diagnostic script gives an incorrect error: Error: Platform does not support SkyATP: srx300. PR1423378
If automatic application-identification download is configured with a start-time specified, the automatic download stops when the time has progressed to the next year and a reboot is done before the start-time is reached that year. PR1436265
The flowd or srxpfe process might crash when advanced anti-malware service is used. PR1437270
The flowd process core files might be seen when the traffic hits an AppQoS policy. PR1446080
Chassis Clustering
Hardware failure is seen on both nodes in show chassis cluster status. PR1452137
On SRX Series devices with chassis cluster, the control link remains up even though the control link is actually down. PR1452488
Class of Service (CoS)
Frequent use of the show class-of-service spu statistics command causes rtlogd to become busy. PR1438747
Flow-Based and Packet-Based Processing
Throughput or latency performance of all traffic drops when TCP traffic passes from one logical system to another logical system. It might also occur when logical systems are not used on the SRX Series device. PR1403727
Juniper Sky ATP does not escape the \ inside the username before the metadata is sent to the cloud. PR1416093
The flowd process stops on the SRX5000 or SRX4000 lines of devices when large-size packets go through IPsec tunnel with the post-fragment check. PR1417219
Blacklist compilation failures are reported. PR1418980
Group VPN IKE security associations cannot be established before RG0 failover. PR1419341
SSL proxy did not correctly warn users about unsupported certificates. PR1419485
SPC3 storage and hard disk error log messages are seen. PR1420800
FRU model number is not displayed. PR1422185
Clearing sessions on SPC2 fails with the error message error: usp_ipc_client_recv_:ipc_pipe_read() failed read timed out after 5 second(s). PR1426090
When configuring a GRE tunnel (GRE-over-IPsec-tunnel) or an IPsec tunnel on an SRX Series device, the MTU of the tunnel interface is calculated incorrectly. PR1426607
The X2 traffic cannot be encrypted after the traffic is decrypted when PMI is enabled. PR1429473
The flowd process might stop on the SRX5000 line of devices. PR1430804
VPN traffic fails after primary node reboot or power off. PR1433336
Intermittent packet drop might be observed if IPsec is configured. PR1434757
On SRX Series devices, the syslog severity level of the message subtype end of policy is set to error, although this message can be ignored. PR1435233
On an SRX4600 device, core file generation might be observed and SPM might be in present state. PR1436421
The second IPsec ESP tunnel might not be able to establish between two IPv6 IKE peers. PR1435687
The ipfd process might crash when SecIntel is used. PR1436455
Some webpages cannot be fully rendered. PR1436813
When running SSL proxy on the firewall, the locally generated certificate is not validated by OpenSSL client. PR1436831
Member information for dynamically created VLANs is not displayed by the show vlans command. PR1438153
The probe of Ethernet switching always shows down in a chassis cluster scenario. PR1438277
The flowd process stops and generates core files. PR1438445
Security logs cannot be sent to the external syslog server through TCP. PR1438834
The local interface IPv6 address might be shown as Tentative if LACP is enabled on the reth interface. PR1438887
When llmd is rotating the database, a NULL database might be read at the same time, which generates core files. PR1439186
The wmic process might stop and restart when using user firewall with Active Directory. PR1439538
The IKE pass-through packet might be dropped after source NAT is applied. PR1440605
The flowd process stops on the SRX550 or on the SRX300 line of devices when an SFP transceiver is plugged in. PR1440194
While checking the flow session XML for source NAT under a tenant, there is no value identifier for tenant-name (<tenant></tenant>). PR1440652
Performance improvements were made to Screens, which benefit multi-socket systems. PR1440677
SPC2 wrongly forwards packets to SPC3 core0 and core14. PR1441234
A new CLI option shows only useful group information for an Active Directory user. PR1442567
Core files are generated while using NAT PBA in AA mode. PR1443148
The SRX300 line of devices does not have a MIB that can retrieve the fan status. PR1443649
The flowd or srxpfe process might crash when processing fragmented packets. PR1443868
Junos OS: SRX5000 Series: flowd process crash due to receipt of specific TCP packet (CVE-2019-0064). PR1445480
The flowd process might stop on SRX Series devices with chassis cluster and IRB interface is configured. PR1446833
The J-Flow version 5 stops working after changing input rate value. PR1446996
Packet loss happens during cold sync from the secondary node after rebooting. PR1447122
The SPC3 Talus FPGA is stuck on the 0x3D or 0x69 golden version. PR1448722
Host-inbound or host-outbound traffic on a VR does not work when the SRX5000 line of devices works in SPC3 mixed mode. PR1449059
All ingress packets are dropped if the traffic transit network is also the same network for LTE mPIM internal management. PR1450046
AAWM policy rules for IMAP traffic sometimes might not get applied when passed through an SRX Series device. PR1450904
FTP data cannot pass through SRX320 4G wireless from FTP server to client. PR1451122
Traffic forwarding on Q-in-Q port and VLAN tagging are not observed properly on R0. PR1451474
The rpd process might stop and restart and an rpd core file is generated when committing the configuration. PR1451860
Update SRX300 traffic default logging to stream mode. PR1453074
The security flow traceoptions fills in with RTSP ALG-related information. PR1458578
Optimizations were made to improve the connections-per-second performance of an SPC3. PR1458727
The tunnel packets might be dropped because gr0.0 or st0.0 interface is wrongly calculated after a GRE or VPN route change. PR1462825
Fragmented traffic might get looped between the fab interface in Z mode. PR1465100
The rpd process might stop after several changes to the flow-spec routes. PR1467838
Server unreachable is detected; ensure that port 443 is reachable. PR1468114
Tail drop on all ports is observed when any switch-side egress port gets congested. PR1468430
LTE latest 17.5.515 build drops FTP data connection. PR1468570
SRX300, SRX320, SRX340, SRX345, SRX550, and SRX550HM devices may not retrieve the complete users or groups and user-group-mappings if the DC includes more than 20,000 users or groups. Use JIMS solution on SRX300, SRX320, SRX340, SRX345, SRX550, and SRX550HM devices when the users or devices or groups are more than 20,000 in the AD deployment. PR1472601
Install and Upgrade
IDP install fails on one node because AppID process gets stuck. PR1336145
SRX Series devices go into DB mode after USB installation. PR1390577
SPMC version mismatch errors after Junos OS install using USB method. PR1437065
Junos OS upgrade fails when partition option is used on SRX Series devices. PR1449728
The jbuf process usage may increase up to 99 percent after Junos OS upgrade. PR1467351
Interfaces and Chassis
Both nodes in the SRX Series chassis cluster go into DB mode after downgrading to Junos OS Release 18.1. PR1407295
MTU change after a CFM session is up can impact L2 Ethernet ping (loopback messages). If the new change is less than the value in the initial incarnation, then L2 Ethernet ping would fail. PR1427589
LFM remote loopback is not working as expected. PR1428780
The LACP interface might flap if performing a failover. PR1429712
Certain interfaces may drop all unicast traffic when LTE PIM is used. PR1430403
The fxp0 interface might redirect packets not destined to itself. PR1453154
Intrusion Detection and Prevention (IDP)
The flowd or srxpfe process stops and generates core files when processing IDP packets. PR1416275
NSD fails to push security zone to the Packet Forwarding Engine after reboot, if there is an active IDP rule configured with FQDN. PR1420787
The flowd or srxpfe process stops and generates core files. PR1437569
J-Web
Some error messages might be seen when using J-Web. PR1446081
The idle-timeout for J-Web access doesn't work properly. PR1446990
J-Web fails to display the traffic log in event mode when stream mode host is configured. PR1448541
Editing a destination NAT rule in J-Web introduces a non-configured routing instance field. PR1461599
Layer 2 Ethernet Services
DHCP request might get dropped in a DHCP relay scenario. PR1435039
Network Address Translation (NAT)
The nsd process might crash during SNMP query for deterministic NAT pool information. PR1436775
RTSP resource session is not found during NAT64 static mapping. PR1443222
On SRX5000 line of devices with SPC3 card, when using source NAT, under high traffic load, a small fraction of TCP-SYN packets may be dropped due to the source NAT port failing to be allocated. Also, the NAT pool resources may leak over time. PR1443345
A port endian issue in SPU messages between SPC3 and SPC2 results in one redundant NAT binding being created in the central point when one binding is allocated in SPC2. PR1450929
Packet loss is observed when multiple source NAT pools and rules are configured. PR1457904
Network Management and Monitoring
MIB OID dot3StatsDuplexStatus shows wrong status. PR1409979
SNMPD might generate core files after restarting the NSD process by restart network-security gracefully. PR1443675
Control links are logically down on SRX Series chassis cluster when software version is Junos OS Release 12.3X48. PR1458314
Platform and Infrastructure
The show security flow session command fails with error messages when SRX4600 has over a million routing entries. PR1408172
Packet drops, replication failure, or ksyncd crashes might be seen on the logical system of a Junos OS device after Routing Engine switchover. PR1427842
The PICs might go offline and split-brain might be seen when an interrupt storm happens on the internal Ethernet interface em0 or em1. PR1429181
Packet loss is caused by FPGA back pressure on SPC3. PR1429899
REST API does not work properly. PR1430187
Packet Forwarding Engine pause might be seen on the SRX1500 device. PR1431380
The false license alarm may be seen even if there is a valid license. PR1431609
When changing the decrypt mirror interface in the SSL proxy service configuration, it does not reflect properly in the Packet Forwarding Engine. PR1434595
The interface using LACP flaps when the Routing Engine is busy. PR1435955
LACP traffic is distributed evenly on ingress child links but not on egress links. PR1437098
The ksyncd process might crash and restart on SRX Series devices. PR1440576
The configured RPM probe server hardware timestamp does not respond with the correct timestamp to the RPM client. PR1441743
The RPM udp-ping probe does not work in a multiple routing instance scenario. PR1442157
The show security flow session command fails, generating an error message, when an SRX4100 or SRX4200 has around 1 million routing entries in the FIB. PR1445791
LACP cannot work with the encapsulation flexible-ethernet-services configuration. PR1448161
Cm errors on certain MPC line cards are classified as major, which should be minor or non-fatal. PR1449427
The REST API process becomes nonresponsive when a large number of requests arrive at a high rate. PR1449987
Traffic loss might occur when there are around 80,000 routes in FIB. PR1450545
The SRX Series device stops and generates several core files. PR1455169
When you try to reset the system configuration on an SRX1500 device using the reset config button, it does not work properly. PR1458323
The AAMWD process exceeds 85 percent RLIMIT_DATA limitation due to memory leak. PR1460619
A VM core might be observed if configuring a sampling rate of more than 65,535. PR1461487
The AE interface cannot be configured on an SRX4600 device. PR1465159
Static route through dl0.0 interface is not active. PR1465199
On SRX300 line of devices, you might encounter Authentication-Table loading slowly while using user-identification. PR1462922
Routing Policy and Firewall Filters
The NSD process might stop due to a memory corruption issue. PR1419983
An SRX1500 device allows only a maximum of 256 policies with counting enabled. PR1435231
Two ipfd processes appear in ps command and the process pauses. PR1444472
Traffic log shows a wrong custom-application name when the alg ignore option is used in application configuration. PR1457029
The NSD process might get stuck and cause problems. PR1458639
Policy detail does not display policy statistics counter, even if policy count is enabled. PR1471621
Routing Protocols
SSH login might fail if a user account exists in both local database and RADIUS or TACACS+. PR1454177
Services Applications
The flowd process stops when SRX5800 devices work in SPC3 mixed mode with 1 SPC3 card and 7 SPC2 cards. PR1448395
In a rare condition, SRX device Packet Forwarding Engine might generate core file because corrupted or malformed HTTP long (over 64,000 bytes) messages hit security policy that is attached on ICAP redirect policy. PR1460035
Unified Threat Management (UTM)
The command show security utm web-filtering status now provides additional context when the status of EWF is down. PR1426748
Adjust core allocation ratio for on-box antivirus. PR1431780
On SRX Series devices, memory might leak if Websense Redirect Web Filtering is configured. PR1445222
Increase the scale number of UTM profile or policy for the SRX1500 device, and the SRX4000 and SRX5000 lines of devices. PR1455321
VPNs
With a large number of IPsec tunnels established, a few tunnels might fail during rekey negotiation if the SRX Series device initiates the rekey. PR1389607
IPsec VPN is missing half of the IKE SAs, and the IPsec SAs show an incorrect port number, when scaling to 1000 IKEv1 AutoVPN tunnels. PR1399147
The IKE and IPsec configuration under groups is not supported. PR1405840
On SRX5400, SRX5600, and SRX5800 devices with SPC3, when the SRX Series device is configured in IKEv1 and NAT traversal is active, after a successful IPsec rekey, the IPsec tunnel index might change. In such a scenario, there might be some traffic loss for a few seconds. PR1409855
The IKED process stops due to a misconfiguration. PR1416081
The IKED process might stop when IKE and IPsec SA rekey happens simultaneously. PR1420762
The VPN tunnel might flap when IKE and IPsec rekey happen simultaneously. PR1421905
Old tunnel entries are also seen when a new tunnel negotiation happens from the peer device after a change in the IKE gateway configuration at peer side. PR1423821
IPsec packet throughput might be impacted if NAT-T is configured and the fragmentation operation of post fragment happens. PR1424937
The P1 configuration delete message is not sent on loading the baseline configuration if there has been a prior change in VPN configuration. PR1432434
On the SRX5000 line of devices with SPC3, with P2MP and IKEv1 configured, if negotiation fails on the peer device, then multiple IPsec SA entries are created on the device if the peer keeps triggering a new negotiation. PR1432852
The IPsec rekey that should be triggered when the sequence number in AH and ESP packets is about to be exhausted does not work. PR1433343
The kmd log shows resource temporarily unavailable repeatedly and VPNs might be down. PR1434137
On SRX Series devices, fragments exit VPN traffic earlier than required by ingress packet sizes. PR1435700
The IKED stops on the SRX5000 line of devices with SPC3 when IPsec VPN or IKE is configured. PR1443560
IPsec VPN traffic drop might be seen on SRX Series platforms with NAT-T scenario. PR1444730
IPsec tunnels with a distribution profile configuration are renegotiated after performing an RG0 failover on the SRX5000 line of devices with SPC3. PR1446078
After a long time (a few hours) of traffic during a mini PDT test, the number of IPsec tunnels is much higher than expected. PR1449296
Some IPsec tunnels flap after RGs fail over on the SRX5000 line of devices. PR1450217
The VPN flaps on the primary node after a reboot of the secondary node. PR1455389
IPsec VPN tunnels are losing routes for the traffic selector randomly while the tunnel is still up, causing complete outage. PR1456301
Traffic is not sent out through an IPsec VPN after update to Junos OS Release 18.2 or later. PR1461793
The IPsec VPN tunnels cannot be established if overlapped subnets are configured in traffic selectors. PR1463880
Resolved Issues: 18.4R2
Application Firewall
Failure to match a permit rule in an AppFW rule set. PR1404161
Application Layer Gateways (ALGs)
DNS requests with the EDNS option might be dropped by the DNS ALG. PR1379433
On all SRX Series platforms, SIP/FTP ALG does not work when SIP traffic with source NAT goes through the SRX Series devices. PR1398377
H.323 voice packets might be dropped on SRX Series devices. PR1400630
The TCP reset packet is dropped when any TCP proxy based feature and the rst-invalidate-session command are enabled simultaneously. PR1430685
Chassis Clustering
The SNMP trap sends wrong information with Manual failover. PR1378903
Traffic cannot pass through cross tenants after ISSU from Junos OS Release 18.3 to Junos OS Release 18.4. PR1382467
Traffic with domain name address might fail for 3-5 minutes after RG0 failover on SRX Series platforms. PR1401925
The flowd process stops when updating or deleting a GTP tunnel. PR1404317
Mixed mode (SPC3 coexisting with SPC2 cards) high availability (HA) IP monitoring fails on secondary node with secondary arp entry not found error. PR1407056
The SRX Series devices might be potentially overwritten with an incorrect buffer address when detailed logging is configured under the GTPv2 profile. PR1413718
Starting with Junos OS Release 18.4, at most 6 Packet Data Network Gateway (PGW) connections can be contained in a PDP context response; otherwise, the response is dropped. PR1422877
Memory leaks might be seen on the jsqlsyncd process on SRX chassis clusters. PR1424884
RG0 failover sometimes causes FPC offline/present status. PR1428312
Flow-Based and Packet-Based Processing
On SRX1500 devices, fan speed goes up and down continuously. PR1335523
Application identification classification logic has been improved for NetBIOS and RPC. PR1357093
Control traffic loss might be seen on SRX4600 platform. PR1357591
When activating security flow traceoptions, the unfiltered traffic is captured. PR1367124
SRX1500 continues to generate an alarm on fan Tray 0 Fan 0 Spinning Degraded. PR1367334
The pkid process might stop after RG0 failover. PR1379348
On SRX1500 devices, the activity LED (right LED) for 1-Gigabit Ethernet/10-Gigabit Ethernet port is not on although traffic is passing through that interface. PR1380928
Password recovery menu is not shown on SRX Series devices. PR1381653
Large file downloads slow down for many seconds. PR1386122
Traffic might be processed by the VRRP backup when multiple VRRP groups are configured. PR1386292
Junos OS release 18.3R1 cannot be installed through TFTP in boot loader on SRX300 line of devices. PR1390858
Performance drops are seen in SRX345 and SRX340 platforms for IDP C2S policy. PR1395592
These messages are seen: /kernel tcp_timer_keep:Local(0x80000004:54652) Foreign(0x80000004:33160). PR1396584
On the SRX4600 platform, the 40-Gigabit Ethernet interface might flap continuously due to a MAC local fault. PR1397012
40-Gigabit Ethernet and 100-Gigabit Ethernet ports might take a long time (about 30 seconds) to link up on the SRX4600 platform. PR1397210
SRX Series devices might not strip VLAN added by native VLAN ID command. PR1397443
SRX Series devices connection to JIMS keeps flapping, causing failover to secondary JIMS. PR1398140
High jsd or na-grpcd CPU usage might be seen even when JET or JTI is not used. PR1398398
On SRX4600 and SRX5000 devices, BGP packets might be dropped under high CPU usage. PR1398407
VLAN push might not work on SRX1500. PR1398877
Increase DAG feed scale number to 256 from 63. PR1399314
The authd might stop when issuing the show network-access requests pending command during the authd restart. PR1401249
SRX Series device cannot obtain IPv6 address through DHCPv6 when using a PPPoE interface with a logical unit number greater than 0. PR1402066
Unable to access SRX Series platforms if the messages kern.maxfiles limit exceeded by uid 65534, please see tuning(7) are seen. PR1402242
CPU is hitting 100 percent with fragmented traffic. PR1402471
On SRX5400, SRX5600, and SRX5800 devices with SPC3, when PowerMode IPsec is enabled, the show security flow statistics and show security flow session tunnel summary commands will not count or display the number of packets processed within PowerMode IPsec, because these packets do not go through regular flow path. PR1403037
Downloads might stall and/or completely fail when utilizing services that are reliant on TCP proxy. PR1403412
Transit UDP 500/4500 traffic might not pass across SRX5000 Series devices when using SPC3/SPC2. PR1403517
The flowd process stops and all cards go offline. PR1406210
The RG1 failover does not happen immediately when the SPC3 card crashes. PR1407064
The flowd process might crash if the enable-session-cache command is configured under the SSL termination profile. PR1407330
The kernel might crash on the secondary node when committing set system management-instance. PR1407938
Memory leak occurs if AAMW is enabled. PR1409606
Traffic might be lost and CPU might spike high if SSL proxy is enabled. PR1414467
Any traffic originated from the device itself might be dropped in the IPsec tunnel. PR1414509
The input and output bytes or bps statistic values might not be identical for the same size of packets. PR1415117
The reth interfaces are now supported when configuring SSL Decryption Mirroring (mirror-decrypt-traffic interface). PR1415352
Traffic might be dropped if SOF is enabled in a chassis cluster in active/active mode. PR1415761
The command show security firewall-authentication jims statistics will output statistics of both the primary JIMS server and secondary JIMS server. PR1415987
When enabling PMI on SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, or on SRX4100, SRX4200, and SRX4600 devices, the flowd process stops when large-size packets go through an IPsec tunnel with the post-fragment check triggered. PR1417219
Traffic logging shows service-name junos-dhcp-server for UDP destination port 68. PR1417423
Traffic might be lost on the SRX Series device if IPsec session affinity is configured with ipsec-performance-acceleration. PR1418135
On all SRX Series devices, if the traffic-log feature is configured, logs might incorrectly display IPv4 addresses in an IPv6 format. PR1421255
The show security flow session session-identifier <sessID> command is not working if the session ID is bigger than 10M on the SRX4600 platform. PR1423818
Alarms triggered due to high temperature when operating within expected temperatures. PR1425807
PIM neighbors might not come up on SRX Series chassis cluster. PR1425884
The IPsec traffic going through SRX5000 line of devices with SPC2 cards installed causes high SPU CPU utilization. PR1427912
SPC3: Uneven distribution of CPU with high PPS on device. PR1430721
SRX550M running Junos OS Release 18.4R1 shows PEM 1 output failure message, whereas with Junos OS Release 15.1X49 or Junos OS Release 18.1R3.3 it does not show any alarms. PR1433577
Interfaces and Chassis
Switching interface mode between family ethernet-switching and family inet/inet6 might cause traffic loss. PR1394850
On SRX1500 platform, traffic is blocked on all interfaces after configuring the interface-mac-limit command on one interface. PR1409018
Intrusion Detection and Prevention (IDP)
IDP might crash with the custom IDP signature. PR1390205
Unable to configure dynamic-attack-group. PR1418754
Installation and Upgrade
ISSU failed from Junos OS Release 18.3R1.9 to Junos OS Release 18.4R1.4. PR1405556
J-Web
In the J-Web dashboard, the Security Resources widget did not display absolute values. PR1372826
The Security Log Event Details window size was increased to display all relevant information about an event. PR1373357
J-Web now supports defining SSL Proxy and redirect (block page) profiles when a policy contains dynamic applications. PR1376117
Threat Assessment Report shows overlapping text and data. PR1397884
Special character used in the pre-shared-key is removed silently after a commit operation on J-Web. PR1399363
Configuring the device through the CLI editor in J-Web generates an mgd core file. PR1404946
The httpd-gk process stops, leading to dynamic VPN failures and high Routing Engine CPU utilization up to 100 percent. PR1414642
J-Web configuration change for an address set using the search function results in a commit error. PR1426321
A read-only user cannot view the GUI and is presented with an empty page after logging in. PR1428520
On SRX Series devices, J-Web incorrectly displays port mode access for the link aggregation interfaces despite them being configured with multiple VLAN IDs and port mode trunk. PR1430414
The IRB interface is not available in the zone options in J-Web. PR1431428
Logical and Tenant Systems
A tenant system administrator can change VLAN assignments outside the tenant system allocated to that administrator. PR1422058
Multiprotocol Label Switching (MPLS)
The rpd might restart unexpectedly when no-cspf is configured and lo0 is not included under the RSVP protocol. PR1366575
Network Address Translation (NAT)
On SRX Series devices with SPC3 cards in mixed mode, NAT SPC3 core files are generated at ../sysdeps/unix/sysv/linux/raise.c:55. PR1403583
The nsd process stops and causes the Web filter to stop working. PR1406248
Network Management and Monitoring
The set system no-redirects setting does not take effect for the reth interface. PR894194
The chassisd process might stop and restart after the AgentX session between the master (snmpd) and the subagent times out. PR1396967
Partial traffic might get dropped on an existing LAG. PR1423989
Platform and Infrastructure
High httpd utilization after reboot failover. PR1352133
In a chassis cluster redundancy group failover on SRX5600 and SRX5800 platforms, if the failover is caused by an interface monitoring failure, the failover on the Packet Forwarding Engine side (the data plane) might be slow (for example, BFD sessions can be affected for several seconds). PR1385521
Memory leak might occur on the data plane during composite next-hop installation failure. PR1391074
The flowd process might stop if there are too many IPsec tunnels. PR1392580
The flowd process stops if it goes into a dead loop. PR1403276
HA failed with the failure code HW after loading the image. PR1406029
Session capacity of SRX340 device does not match with SRX345 device. PR1410801
PEM 0 or PEM 1 or FAN, I2C Failure major alarm might be set and cleared multiple times. PR1413758
HA packets might be dropped on SRX5000 line of devices with IOC3 or IOC2 cards. PR1414460
Complete device outage might be seen when an SPU vmcore is generated. PR1417252
Some applications might not be installed during an upgrade from an earlier version that does not support FreeBSD 10 to a FreeBSD 10-based system. PR1417321
On SRX Series devices, the flowd process might stop. PR1417658
Routing Engine CPU utilization is high and eventd is consuming a lot of resources. PR1418444
On SRX4600 devices, commit failed while configuring 2047 VLAN IDs on the reth interface. PR1420685
Routing Policy and Firewall Filters
The show security flow session command now fully supports the dynamic application. PR1387449
Memory leak in nsd causes configuration change to not take effect after a commit. PR1414319
The flowd process (responsible for traffic forwarding on SRX Series devices) stops while a large number of policies are being deleted from Junos Space. PR1419704
A commit warning will now be presented to the user when a traditional policy is placed below a unified policy. PR1420471
The dynamic-address summary's IP entry count does not include IP entries in root logical system. PR1422525
A new alarm is raised when nsd fails to restart because its subcomponents fail. PR1422738
The ipfd process generates a core file in scaling case 6-1. PR1431861
Unified Threat Management (UTM)
Whitelist and blacklist do not work for HTTPS traffic going through Web proxy. PR1401996
On SRX Series devices, when configuring Enhanced Web Filtering on the CLI, the autocomplete function did not properly handle or suggest custom categories. PR1406512
On SRX Series devices, when using Unified Policies and Web filtering (EWF) without SSL proxy, the Server Name Indication (SNI) might not be identified correctly and the RT_UTM logs were recorded incomplete information. PR1410981
The device might not look up the blacklist first in the local Web filtering environment. PR1417330
Avira antivirus throughput on SRX4600 devices cannot be improved because the mbuf high watermark is reached. PR1419064
UTM Web filtering status shows down when the server is configured by hostname (routing-instance synchronization failure). PR1421398
When using unified policies, the base filter for certain UTM profiles might not be applied correctly. PR1424633
The custom-url-categories are now pushed correctly to the Packet Forwarding Engine under all circumstances. PR1426189
User Interface and Configuration
A tenant system administrator cannot view the tenant configuration and receives an Empty Database message when configuration groups are used. PR1422036
VPNs
On SRX1500 device, when configuring IPsec VPN and BGP simultaneously, the kmd process might stop and generate a core file if BGP peers reach approximately 350. All of the VPN tunnels will be disconnected during the pause. PR1336235
On SPC3 cards, the show security ike security-associations detail output does not show correct traffic statistics. PR1371638
On SRX5400, SRX5600, and SRX5800 devices with SPC3, the show security ike security-associations detail command does not display the local IKE-ID field correctly. PR1388979
A few VPN tunnels do not forward traffic after RG1 failover. PR1394427
The kmd process might stop when SNMP polls for the IKE SA. PR1397897
VPN tunnels flap after adding or deleting a configuration group in edit private mode on a clustered setup. PR1400712
A syslog message is not generated when the IKE gateway rejects a connection with a duplicate IKE ID. PR1404985
Idle IPsec VPN tunnels without traffic and with ongoing DPD probes can be affected during RG0 failover. PR1405515
Not all the tunnels are deleted when the authentication algorithm in IPsec proposal is changed. PR1406020
Traffic drops on peer due to bad SPI after first reauthentication. PR1412316
On SRX5400, SRX5600, and SRX5800 devices with SPC3, when the SRX Series device is configured to initiate IKEv2 reauthentication when NAT traversal is active, occasionally reauthentication might fail. PR1414193
The flowd/srxpfe process might stop when traffic selector is used for IPsec VPN. PR1418984
Group VPN IKE security associations cannot be established before RG0 failover. PR1419341
The show security ike security-associations detail command shows an incorrect value in the IPsec security associations column. PR1423249
On SRX Series devices with SPC3, SRX Series device does not send IKE delete notification to the peer if the traffic selector configuration is changed. PR1426714
The kmd process stops and generates a core file after running the show security ipsec traffic-selector command. PR1428029
Resolved Issues: 18.4R1
Application Layer Gateways (ALGs)
When the IPsec ALG is used, the IPsec tunnel payload is dropped after the IKE or IPsec tunnel reestablishment because of a session conflict. PR1372232
If the SIP ALG is disabled, the SIP active sessions are affected. PR1373420
Sun RPC data traffic for previously established ALG sessions might be dropped because it matches the gate that contains old interface information. PR1387895
A flowd process might generate core files when cross-tenant ALG traffic is sent. PR1388658
DNS requests with the EDNS (extension mechanisms for DNS) option might be dropped by the DNS ALG. PR1379433
Chassis Cluster
On SRX340 and SRX345 devices, half-duplex mode is not supported because the BCM53426 SoC does not support it: in the BCM5342X SoC port configurations only the QSGMII port supports half-duplex mode, and the BCM53426 has no QSGMII interface. PR1149904
On an SRX4600 device with chassis cluster enabled, when a failover occurs the dedicated fabric link is down. PR1365969
The device in chassis cluster might be unresponsive if IP monitoring is enabled. PR1366958
The show chassis environment fpc # command, which is used to display the FPC voltage, is enhanced to show the current and power consumption for an SPC3. PR1368507
On SRX Series devices in chassis cluster, the minor Potential slow peers are: FWDD0 XDPC1 XDPC8 FWDD1 alarm is observed, which can be ignored. PR1371222
Multiple flowd process files are seen on node 1 after an RG0 failover. PR1372761
Traffic loss occurs when the primary node is rebooting. PR1372862
On SRX Series devices in chassis cluster, if reroute occurs on the IPv4 wings of a NAT64 or NAT46 session, the active node sends RTO message to the backup session to update the rerouted interface. PR1379305
On SRX4600 devices in a chassis cluster, the FPCs go offline if the chassis cluster IDs are more than 10. PR1390202
Class of Service (CoS)
When the host-outbound-traffic statement is configured in class of service (CoS), the device stops working when a corrupted packet arrives on the Packet Forwarding Engine. PR1359767
Command-Line Interface (CLI)
The following CLI command outputs are not displayed correctly: show usp memory segment shm data module and show jsf shm module. PR1387711
Flow-Based and Packet-Based Processing
On SRX320, SRX340, and SRX550 devices, the rpd process stops when you configure the auto-bandwidth option under the MPLS label-switched path (LSP). PR1331164
The security logs for unified policies are improved to reflect the reason for a denied or rejected session. PR1338310
The IPsec replay error for Z-mode traffic is observed. PR1349724
When the output interface configured in the X2 mirrored filter is down, the flowd process might stop. PR1357347
On SRX4200 and SRX4600 devices, when the device is being rebooted or powered on, control traffic loss is observed. PR1357591
IDP inline-tap mode is not supported and configuration for SPC3 must be disabled. PR1359591
Direct syslog usage is deprecated; use ERRMSG for the relevant messages. PR1360274
On the secondary control plane, a multicast session leak is observed for the PIM register. PR1360373
The application layer protocol negotiation (ALPN) fails because the SSL proxy removes the ALPN extensions from the TLS packets. PR1360820
On the SRX550M device, traffic might be duplicated and forwarded to the wrong interface. PR1362514
The show services application-identification statistics applications command displays the application-system-cache error message. PR1363033
On SRX Series devices, application identification (AppID) is supported for HTTP, SMTPS, POP3S, and IMAPS protocols. PR1365810
When RG0 failover occurs, the flowd process generates core files. PR1366122
The request services user-identification authentication-table delete authentication-source command output displays incorrect results. PR1366767
On SRX Series devices, when AppQoE is enabled and the traffic starts flowing, the flowd process might stop. PR1367599
On an SRX1500 device with Junos OS Release 15.1X49-D140, the srxpfe process might not work. PR1370900
The device under test (DUT) sends an incorrect rejection code when the destination device is not reachable. PR1371115
The SPC3 core file size is larger than the SPC1 and SPC2 core files. PR1371447
On SRX4100 and SRX4200 devices, the UDP IMIX throughput is decreased. PR1373019
In chassis cluster mode with the IPsec tunnel configured, packet loss is observed when the clear-text packets are processed. PR1373161
Using the SPC3 improves the performance of the unified policies. PR1374231
A summary option for the show system security-profile assignment command is added to provide summary of security profile assignment for the entire device. PR1376990
The SPC3 card can be installed in any slot except slots 0, 1, and 11. PR1378178
On SRX Series devices working in a PIM sparse mode, and located between a first-hop router and a rendezvous point (RP), if a PIM control session is created through the PIM register stop message, only the next PIM register message can be forwarded, and after this first message, the subsequent PIM register messages (also matching the PIM control session above) are wrongly dropped. PR1378295
When the datapath-debug capture is stopped, incorrect error message is displayed. PR1381703
On an SRX5600 device in a chassis cluster, if respmod is enabled for ICAP, the connection with the ICAP server might reset automatically. PR1382376
On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, during path MTU discovery the control plane does not receive the ICMP "fragmentation needed and DF set" message. PR1389428
The set security flow log dropped-illegal-packet and set security flow log dropped-icmp-packet CLI commands are unhidden. PR1394720
On SRX Series devices, the active flow monitoring does not work for multiple collectors. PR1396482
Interfaces and Chassis
The virtual IP address of the Virtual Router Redundancy Protocol (VRRP) might not respond to the host-inbound traffic. PR1371516
Intrusion Detection and Prevention (IDP)
The IDP might not be deployed because the IDP configuration cannot be committed. PR1374079
Unified policies configured with IDP might not inspect some sessions, which are marked as Not Interested in the show security idp counters flow output. PR1385094
J-Web
The PPPoE interface pp0 is not displayed on the J-Web's Interfaces > Port page. PR1316328
The dynamic application configuration page in J-Web does not display application signatures in the result if the signatures are searched by category field. PR1344165
The J-Web setup does not populate the DHCP attributes. PR1370700
The chassis cluster image is not displayed on the J-Web dashboard. PR1382219
Logical Systems
The logical system licenses fail to bind to the tenants or logical systems after the device is rebooted. PR1380144
The logical system license limit is increased to three. One license is for root-logical-system traffic and the other two licenses are for the logical system and the tenant to transfer the traffic. PR1384659
Tenant system installation for a logical system failed on node 1 after an ISSU. PR1388336
Network Address Translation (NAT)
Source NAT sessions might fail to be created when the port-overloading or the port-overloading-factor statement is configured. PR1370279
Network Management and Monitoring
The show snmp mib walk etherStatsTable command displays incorrect results. PR1335808
The eventd process generates core file, when the incoming system log message length is at or beyond the maximum supported size. PR1366120
Platform and Infrastructure
On SRX1500 devices, when the power supply fails, the trap sent might contain incorrect information. PR1315937
On SRX300, SRX320, SRX340, and SRX345 devices, you are unable to lock the USB port. PR1352104
On SRX4100 and SRX4200 devices, the SRX Network Time Protocol (NTP) client might not stay synchronized to the NTP server and as a result the device clock often switches from NTP to local time. PR1357843
On SRX5400, SRX5600, and SRX5800 devices, log messages are seen often when an IOC card has the same identifier as the SPC card. PR1357913
When the secure copy protocol (SCP) fails to transfer the active configuration to an archive site, the archive site also fails. PR1359424
On SRX4600 devices, the show chassis fan and show chassis environment commands do not display any output. PR1363645
Packet capture feature does not work after the sampling configuration is deleted. PR1370779
On SRX Series devices in a chassis cluster, the cold synchronization process might slow down when there are many Packet Forwarding Engines installed on the device. PR1376172
Junos OS upgrade might fail when you use the validate option after the /cf/var/sw directory is erroneously deleted. PR1384319
Routing Policy and Firewall Filters
The TCP protocol ports 5800 and 5900 are added to junos-defaults to support the VNC application. PR1333206
The show security policies detail command output is modified to improve readability, particularly for unified policies. PR1338307
The timeout value of junos-http is not accurate. PR1371041
When a dynamic address is referenced in the dynamic-address field and the destination IP address of the traffic matches within this dynamic address, the policy fails to match the traffic. PR1372921
Routing Protocols
If family iso is enabled through the GRE over IPSec tunnel, the vFPC stops working. PR1364624
Services Applications
When the ICAP configuration and the traffic passing through are modified, core files might be generated. PR1389600
Clearing the TCP session might not clear the redirect objects. PR1390835
System Logs
On SRX Series devices, the following spurious log message is observed: /kernel: check_configured_tpids: <interfaces>: default tpid (0x8100) not configured. pic allows maximum of 0 tpids. PR1373668
Unified Threat Management (UTM)
The default actions under a Web filtering profile might not work properly. PR1365389
When the server port is configured as 443, the displayed EWF server status is UP. PR1383695
VPNs
IPsec tunnel might not work when there are concurrent IKEv2 Phase 1 SA rekeys. PR1360968
On SRX5600 and SRX5800 devices, during a migration from a VPN to an AutoVPN configuration, traffic loss is observed. PR1362317
On SRX Series devices in a chassis cluster, when the VPN configuration size reaches an internal configuration processing chunk size, the VPN tunnels might not be configured successfully and the VPN tunnels might not come up after rebooting, upgrading, or restarting ipsec-key-management. PR1376134
Packet loss is observed in IPsec Z-mode scenario. PR1377266
The kmd process might stop and cause VPN traffic outage after the show security ipsec next-hop-tunnels command is run. PR1381868
Adding or deleting site-to-site manual NHTB VPN tunnels to an existing st0 unit causes the existing manual NHTB VPN tunnels under the same st0 unit to flap. PR1382694
Documentation Updates
There are no errata or changes in Junos OS Release 18.4R2 for the SRX Series documentation.
Migration, Upgrade, and Downgrade Instructions
This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.
Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases
Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths. You can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.
Junos OS upgrade from 15.1X49 directly to 18.4R3 or 18.4R3-based Service Releases is supported for all SRX platforms.
You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.
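The three-release rule, the EEOL-to-EEOL exception, and the stated 15.1X49 to 18.4R3 path can be turned into a planner that tells an operator which intermediate images to stage. The following Python is an added example and is not Juniper code or tooling; the ordered release list and the EEOL set in it are constructed for illustration (the authoritative EEOL list is the Juniper EOL page), and counting "span" as the distance between two entries in that ordered list is an assumption about how the rule is applied.

```python
"""Upgrade-path planner for the release-span policy described above.

Added example, not Juniper code. RELEASES and EEOL are CONSTRUCTED for
illustration; the real EEOL list is https://www.juniper.net/support/eol/junos.html.
"Span" is interpreted as the distance between two entries in RELEASES, which
is an assumption about how the three-release rule counts.
"""
from __future__ import annotations

# Constructed ordering of release trains, oldest first (illustrative only).
RELEASES = ["15.1X49", "17.3", "17.4", "18.1", "18.2", "18.3", "18.4",
            "19.1", "19.2", "19.3", "19.4"]

# Hypothetical EEOL releases; replace with the real list before relying on this.
EEOL = {"17.4", "18.4", "19.4"}

# Direct paths the release notes state explicitly (15.1X49 -> 18.4R3 trains).
EXPLICIT_DIRECT = {("15.1X49", "18.4")}

MAX_SPAN = 3  # a non-EEOL hop may span at most three releases


def _index(release: str) -> int:
    """Position of a release train in the constructed ordering."""
    try:
        return RELEASES.index(release)
    except ValueError:
        raise ValueError(f"unknown release train: {release}") from None


def is_direct_supported(src: str, dst: str) -> bool:
    """True if a single-hop upgrade or downgrade src -> dst is within policy."""
    if (src, dst) in EXPLICIT_DIRECT:
        return True
    if src in EEOL and dst in EEOL:
        return True  # EEOL releases provide direct paths between themselves
    return abs(_index(src) - _index(dst)) <= MAX_SPAN


def plan_upgrade_path(src: str, dst: str) -> list[str]:
    """Return the sequence of releases to install to get from src to dst.

    When the direct hop is not supported, step to the next EEOL release in
    the direction of travel (the notes say to go to the next EEOL release
    first; treating that hop as always permitted is an assumption), then
    EEOL to EEOL, until the remaining hop is within policy.
    """
    path = [src]
    cur = src
    while cur != dst:
        if is_direct_supported(cur, dst):
            path.append(dst)
            break
        lo, hi = sorted((_index(cur), _index(dst)))
        between = RELEASES[lo + 1:hi]
        if _index(cur) > _index(dst):
            between = between[::-1]  # downgrade: walk toward older releases
        next_eeol = [r for r in between if r in EEOL]
        if not next_eeol:
            raise ValueError(f"no supported path from {cur} to {dst}")
        cur = next_eeol[0]
        path.append(cur)
    return path


if __name__ == "__main__":
    for src, dst in [("18.1", "18.4"), ("17.3", "19.2"),
                     ("19.3", "17.3"), ("15.1X49", "18.4")]:
        print(f"{src} -> {dst}: {' -> '.join(plan_upgrade_path(src, dst))}")
```

Each hop the planner emits is one image to stage and one maintenance window to schedule; a path that raises ValueError means the operator must consult the EEOL list rather than attempt an unsupported jump.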
For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.
For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.
For information about ISSU, see the Chassis Cluster User Guide for Security Devices.