Junos OS Release Notes for SRX Series


These release notes accompany Junos OS Release 20.1R1 for the SRX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at

What’s New

Learn about new features introduced in the Junos OS main and maintenance releases for SRX Series devices.

Application Security

  • Custom application enhancements (NFX Series, SRX Series, and vSRX)—Starting in Junos OS Release 20.1R1, we’ve enhanced the custom applications signature functionality by providing a new set of applications and contexts.

    Application identification allows you to create custom application signatures to detect applications specific to your network environment. You can create custom application signatures for applications based on ICMP, IP protocol, IP address, and Layer 7 or TCP/UDP stream. While configuring the custom application signatures, you must specify the context values that the device can use to match the patterns in the application traffic.

    Custom application signature contexts are part of the application signature package. You must download and install the latest application signature package, version 3248 or later, to use the new contexts for custom application signatures.

    [See Custom Application Signatures for Application Identification.]

  • Default mechanism to forward the traffic through APBR rule (NFX Series, SRX Series, and vSRX)—Starting in Junos OS 20.1R1, you can configure an APBR rule by specifying the dynamic application match criteria with the any keyword. This provides a default mechanism to forward the traffic to a specific next-hop device or to a destination if the traffic matches any dynamic application.

    [See Advanced Policy-Based Routing.]

  • AppQoE support for granular APBR rules (NFX Series, SRX Series, and vSRX)—Starting in Junos OS Release 20.1R1, AppQoE utilizes the granular rule matching functionality of advanced policy-based routing (APBR) for better quality of experience (QoE) for the application traffic.

    In Junos OS Release 18.2R1, APBR supported configuring policies by defining source addresses, destination addresses, and applications as match conditions. After a successful match, the configured APBR profile is applied as an application service for the session. In this release, AppQoE leverages the APBR enhancement and selects the best possible link for the application traffic as sent by APBR to meet the performance requirements specified in the SLA.

    [See Application Quality of Experience.]

Authentication and Access Control

  • Support for UPN as user identity (SRX Series)—Starting in Junos OS Release 20.1R1, you can use User Principal Name (UPN) as the logon name in firewall authentication, which works as a captive portal for JIMS or user firewall.

    You can use UPN as the logon name along with cn or sAMAccountName at the same time. UPN can be used instead of sAMAccountName to authenticate a user.

    Even if a user uses UPN as the logon name, firewall authentication pushes the sAMAccountName (mapping to the UPN) to the user ID rather than pushing the UPN.

    Firewall-authentication pushes both UPN and sAMAccountName (mapping to the UPN) to JIMS.

    [See Understanding Advanced Query Feature for Obtaining User Identity Information from JIMS.]

  • Trusted Platform Module (TPM) to bind secrets (SRX5400, SRX5600, and SRX5800)—Starting with Junos OS Release 20.1R1, we’ve introduced TPM support on the SRX5000 line of devices with the SRX5K-RE3-128G Routing Engine (RE3). The TPM chip is enabled by default to make use of TPM functionality.

    When TPM is activated, it protects the private keys stored in Junos OS.

    [See Using Trusted Platform Module to Bind Secrets on SRX Series Devices.]

Flow-Based and Packet-Based Processing

  • Support of IPFIX formatting and Chassis Cluster for SRX J-Flow functionality (SRX300, SRX320, SRX340, SRX345, and SRX550HM)—Starting with Junos OS Release 20.1R1, you can configure Chassis Cluster and define an IPFIX flow record template suitable for IPv4 traffic or IPv6 traffic. IPFIX is an enhanced version of the J-Flow version 9 template. Using IPFIX, you can collect a set of sampled flows and send the record to a specified host.

    [See Configuring Flow Aggregation to Use IPFIX Flow Templates on MX, vMX and T Series Routers, EX Series Switches, and SRX devices.]

  • Support service inspection for pass-through IP-IP and GRE tunnel in TAP mode (SRX300, SRX320, SRX340, SRX345, SRX1500, SRX4100, and SRX4200)—Starting in Junos OS Release 20.1R1, TAP mode inspects IP-IP and GRE inner tunnel traffic by de-encapsulating the outer and inner IP header (up to two levels) to create flow sessions. You can configure up to eight TAP interfaces on an SRX Series device.

    [See TAP Mode for Flow Sessions, and forwarding-options.]


  • Increase in GTP scale for IoT and roaming firewall applications (SRX1500, SRX4100, SRX4200, and vSRX)—Starting in Junos OS Release 20.1R1, in addition to the existing support on SRX5400, SRX5600, SRX5800, and SRX4600, to enable the Internet of Things (IoT) and roaming firewall use cases, the GTP tunnel scale is increased for the following SRX Series devices:

    • SRX1500: 204,800 to 1,024,000

    • SRX4100: 409,600 to 4,096,000

    • SRX4200: 819,200 to 4,096,000

    For vSRX instances, the number of tunnels supported depends on the available system memory.

    [See Understanding Policy-Based GTP.]


  • SRX380 Services Gateway—The SRX380 Services Gateway is a high performance and all-in-one networking device, which consolidates routing, switching, and security. With next-generation firewall features and advanced threat mitigation capabilities, the SRX380 device provides cost-effective and secure connectivity across distributed enterprise locations. A 1U form factor model with a 16-core MIPS processor and 4-GB DDR4 RAM, the SRX380 device supports up to 10-Gbps firewall performance.

    The SRX380 device has an integrated 100-GB SSD and provides high port density with 16 on-board PoE-enabled 1-Gigabit Ethernet RJ-45 ports and 4 10-Gigabit Ethernet SFP+ ports. All the ports support AES-256 MACsec encryption. The SRX380 device has dual AC power supplies and supports up to four Mini-PIMs.

    The SRX380 supports the same features as those supported on the existing SRX300 line of services gateways. For the complete list of features supported on the SRX380, see Feature Explorer.

    [See SRX380 Services Gateway Overview.]

Interfaces and Chassis

  • Support for new show | display set CLI commands (ACX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.1R1, the following new show commands have been introduced:

    • show | display set explicit—Display explicitly, as a series of commands, all the configurations that the system internally creates when you configure certain statements from the top level of the hierarchy.

    • show | display set relative explicit—Display explicitly, as a series of commands, all the configurations that the system internally creates when you configure certain statements from the current hierarchy level.

    [See show | display set and show | display set relative.]

Intrusion Detection and Prevention

  • HTTP X-Forwarded-For header support in IDP (SRX Series)—Starting from Junos OS Release 20.1R1, we've introduced the log-xff-header option to record the X-Forwarded-For header (xff-header) information. When this option is enabled, IDP saves the source IP addresses (IPv4 or IPv6) from the contexts for HTTP and SMTP traffic during the traffic flow and displays them in attack logs.

    The xff-header is not processed unless it is enabled through sensor-configuration.

    • To enable the xff-header, use the set security idp sensor-configuration global log-xff-header command.

    • To disable the xff-header, use the delete security idp sensor-configuration global log-xff-header command.

    Previously, when servers used transparent proxies to reduce external bandwidth for Internet access, it was difficult to identify the originating source IP address, because the proxy server converted it into an anonymous source IP address.

    [See Understanding Multiple IDP Detector Support.]

Juniper Sky ATP

  • Juniper Sky ATP support for disabling standard Juniper C&C and URL feeds—Starting in Junos OS Release 20.1R1, you can disable standard Juniper command and control (C&C) and URL feeds on SRX Series devices. Disabling the Juniper C&C and URL feeds helps to free the resources on SRX Series devices and makes the resources available for loading custom feeds. Use the set services security-intelligence disable-global-feed (all | feed name feed-name) command to disable the feeds. To enable the feeds, use the delete services security-intelligence disable-global-feed (all | feed name feed-name) command.

    [See set services security-intelligence and show services security-intelligence category summary.]

Junos OS XML API and Scripting

  • The jcs:load-configuration template supports loading the rescue configuration (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.1R1, the jcs:load-configuration template supports the rescue parameter to load and commit the rescue configuration on a device. SLAX and XSLT scripts can call the jcs:load-configuration template with the rescue parameter set to "rescue" to replace the active configuration with the rescue configuration.

    [See Changing the Configuration Using SLAX and XSLT Scripts and jcs:load-configuration Template.]


  • J-Web supports SRX380 device—Starting in Junos OS Release 20.1R1, you can use J-Web to manage your SRX380 device. You can also:

    • Monitor wireless LAN setting of the supported Wi-Fi Mini-PIM: Monitor > Wireless LAN.

    • View power statistics information using the new Power Budget Statistics tab: Monitor > Chassis Information > Chassis Component Details.


      You can view the power statistics information only when the device is in standalone mode.

    • Configure wireless LAN setting of the supported Wi-Fi Mini-PIM: Configure > Wireless LAN > Settings.

    • Configure redundant power supply for power management using the new Redundant PSU menu: Configure > Basic Settings.

    [See Dashboard Overview, Monitor Wireless LAN, and About the Settings Page.]

Network Management and Monitoring

Port Security

  • Media Access Control Security (MACsec) support (SRX380)—SRX380 supports MACsec on all 16 1GbE ports and all four 10GbE ports. MACsec is an industry-standard security technology that provides secure communication for all traffic on point-to-point Ethernet links. The supported cipher suites are GCM-AES-256 and GCM-AES-128. Only static CAK mode is supported.

    [See Understanding Media Access Control Security (MACsec).]


  • Support for security policy reports (SRX Series and vSRX)—Starting in Junos OS Release 20.1R1, you can use the show security policy-report command to display detailed security policy reports.

    Optimizing security policies ensures that the policies are efficient. Over time, policies become disorganized and hence ineffective. You can use the show security policy-report command to notify end users when you create new policies or change existing policies that adversely affect other security policies.

    You can use the report-skip command at the [edit security policies from-zone zone-name to-zone zone-name policy policy-name] hierarchy level to exclude the policy from the policy analysis and prevent it from appearing in any future report.

    [See show security policy-report and report-skip.]

  • Support to clear DNS cache if DNS error responses are received (SRX Series and vSRX)—Starting in Junos OS Release 20.1R1, you can clear the DNS cache entry IP list when DNS error responses are received. We have introduced a new command, dns-cache under the [edit security policies] hierarchy level, to configure the security policy DNS cache behavior.

    [See dns-cache.]

System Management

  • Restrict option under NTP configuration is now visible (ACX Series, QFX Series, MX Series, PTX Series, and SRX Series)—Starting in Junos OS Release 20.1R1, the noquery command under the restrict hierarchy is now available and can be configured with a mask address. The noquery command is used to restrict ntpq and ntpdc queries coming from hosts and subnets.

    [See Configuring NTP Access Restrictions for a Specific Address.]

Tenant Systems and Logical Systems

  • ICAP service redirect support for tenant systems (SRX Series and vSRX)—You can prevent data loss from your network by employing Internet Content Adaptation Protocol (ICAP) redirect services. Starting in Junos OS Release 20.1R1, you can enable ICAP at the tenant system level, and you can view or clear the ICAP services redirect status and statistics at the tenant system level.

    In addition, we’ve introduced the X-Client-IP, X-Server-IP, X-Authenticated-User, and X-Authenticated-Groups header extensions in an ICAP message to provide information about the source of the encapsulated HTTP message.

    [See ICAP Service Redirect and icap-redirect.]

  • Express Path session status CLI monitoring improvement and traffic logging (SRX4600, SRX5400, SRX5600, and SRX5800)—The Express Path (formerly known as services offloading) support is already available on SRX4600, SRX5400, SRX5600, and SRX5800 Series devices. Express Path considerably reduces packet-processing latency. Starting in Junos OS Release 20.1R1, you can view the total number of services-offload sessions and total number of services-offload packets processed in the CLI. In addition, you can configure the services-offload traffic logging at the logical system and tenant system level.

    [See Express Path.]


  • Common configuration payload password support for RADIUS server (SRX Series and vSRX)—Starting in Junos OS Release 20.1R1, you can configure a common password for IKEv2 configuration payload requests for an IKE gateway configuration. The administrator defines a common password of 1 to 128 characters. This password is used when the SRX Series device requests an IP address on behalf of a remote IPsec peer using IKEv2 configuration payload over the RADIUS server. The RADIUS server matches the credentials before it assigns any IP information to the configuration payload request.

    [See Understanding IKEv2 Configuration Payload.]

What's Changed

Learn about what changed in the Junos OS main and maintenance releases for SRX Series.


  • Clear the do not fragment flag in the packet IP header (SRX Series and vSRX)—Starting in Junos OS Release 20.1R1, we’ve introduced the clear-dont-frag-bit option at the [edit security alg alg-manager] hierarchy level to clear the do not fragment flag in the packet IP header, which allows the packet to be split after NAT is performed.

    In Junos OS releases earlier than Release 20.1R1, when the ALG performs payload-NAT, sometimes the size of the packet becomes bigger than the outgoing interface maximum transmission unit (MTU). If the packet IP header has the do not fragment flag, this packet cannot be sent out.

    [See alg-manager.]

Application Security

  • Starting in Junos OS Release 20.1R1, you can enable application identification (AppID) to accurately classify a web application that is hosted on a content delivery network (CDN) such as AWS, Akamai, Azure, Fastly, or Cloudflare. Use the following configuration statement to enable CDN application classification:

    When you apply the configuration, AppID identifies and classifies actual applications that are hosted on the CDN.

    [See Application Identification]

  • You can configure a maximum memory limit for deep packet inspection (DPI) by using the following configuration statement:

    You can set 1 through 200000 MB as the memory value.

    Once the JDPI memory consumption reaches 90% of the configured value, DPI stops processing new sessions.

    [See Application Identification]

  • Starting in Junos OS Release 20.1R1, you can configure and use IP protocol-based custom application signatures on your SRX Series device.

    In Junos OS Releases 19.2 through 19.4 and their maintenance releases, IP protocol-based custom application signatures do not work as expected. As a workaround, you can configure the IP protocol-based applications at the following hierarchy levels:

    • For unified policy: Use service based application configuration as below:

    • For legacy application firewall: Use predefined IP protocol applications as below:

    [See Custom Application Signatures for Application Identification.]

Ethernet Switching and Bridging

  • LLDP support on redundant Ethernet interfaces (SRX Series)—Starting in Junos OS Release 20.1R1, you can configure the Link Layer Discovery Protocol (LLDP) on redundant Ethernet (reth) interfaces. Use the set protocol lldp interface <reth-interface> command to configure LLDP on the reth interface.

    [See Configuring LLDP and Ethernet Ports Switching Overview for Security Devices.]


  • Deactivated policy rules are not visible in the J-Web UI (SRX Series)—J-Web does not support disabling or enabling the security firewall or global policy rules from Junos OS Release 19.4R1. The policy rules that are deactivated through CLI are also not visible in the J-Web UI. As a workaround, use CLI to disable or enable the policy rules on the device.

Unified Threat Management (UTM)

  • Increase in the UTM scale number (SRX1500, SRX4100, SRX4200, SRX4600, SRX4800, SRX5400, SRX5600, and SRX5800)—Starting with Junos OS Release 20.1R1, on SRX Series devices, UTM policies, profiles, MIME patterns, filename extensions, protocol commands, and custom messages are increased up to 1500. Custom URL patterns and custom URL categories are increased up to 3000.

    [See Unified Threat Management overview.]


  • Public key infrastructure warning message (SRX Series)—Starting in Junos OS Release 20.1R1, the warning message ECDSA Keypair not supported with SCEP for cert_id <certificate id> is displayed when you try to enroll a local certificate using an Elliptic Curve Digital Signature Algorithm (ECDSA) key with Simple Certificate Enrollment Protocol (SCEP), because ECDSA keys are not supported with SCEP.

    Prior to Junos OS Release 20.1R1, the warning message is not displayed.

    [See Example: Enrolling a Local Certificate Online Using SCEP.]

  • Change in display of local certificate serial number (SRX Series)—In Junos OS Release 20.1R1, the output of the show security pki local-certificate detail command is modified to display the PKI local certificate serial number with 0x as prefix to indicate that the PKI local certificate is in the hexadecimal format.

    [See show security pki local-certificate (View).]

Known Limitations

Learn about known limitations in this release for SRX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.


  • When a dynamic application is created for an edited policy rule, the list of services will be blank when the services tab is clicked and then the policy grid will be autorefreshed. As a workaround, create a dynamic application as the last action while modifying the policy rule and click the Save button to avoid loss of configuration changes made to the policy rule. PR1460214

Platform and Infrastructure

  • On an SRX4600 device, when LLDP is configured on the interfaces, Packet Forwarding Engine stops are seen due to the segmentation problem. LLDP is not supported on SRX4600 currently, but can be configured. PR1422466


  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, with 60,000 tunnels up, when RG0 failover happens while an IPsec and/or IKE rekey is in progress, those rekeying tunnels might go down and traffic loss might be seen until the tunnel is reestablished. PR1471499

  • In SPC2 and SPC3 mixed mode HA deployments, tunnels per second (TPS) is affected while dead peer detection (DPD) is being served on existing tunnels. This limitation is due to a large chunk of CPU being occupied by the infrastructure (gencfg) used by IKED to synchronize its DPD state to the backup nodes. PR1473482

Open Issues

Learn about open issues in this release for SRX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Flow-Based and Packet-Based Processing

  • A maximum of 250 Web proxy profile creations are supported on all SRX Series devices. PR1428495

Platform and Infrastructure

  • On SRX1500 and the SRX4000 line of devices, physically disconnecting the cable from fxp0 interface causes hardware monitor failure and redundancy group failover, when the device is the primary node in a chassis cluster. PR1467376

Routing Policy and Firewall Filters

  • If a huge number of policies are configured on SRX Series devices and some policies are changed, the traffic that matches the changed policies might be dropped. PR1454907

  • On SRX5400, SRX5600, and SRX5800 devices, on reth interfaces that are configured as DHCP clients, after a reboot of the device the interface might not get an IP address when you use the default number of DHCP retransmission attempts. When the number of retransmission attempts is increased to 5 or higher, it works fine. PR1458490


  • On the SRX5000 line of devices with SPC3 cards, sometimes IKE SA is not seen on the device when st0 binding on VPN configuration object is changed from one interface to another (for example, st0.x to st0.y). PR1441411

  • With NCP remote access solution, in a PathFinder case (for example, where IPsec traffic has to be encapsulated as TCP packets), TCP encapsulation for transit traffic is failing. PR1442145

  • On the SRX5000 line of devices with SPC3 and SPC2 mixed mode, with a very large amount of IKE peers (60,000) with dead peer detection (DPD) enabled, IPsec tunnels might flap in some cases when IKE and IPsec rekeys are happening at the same time. PR1473523

Resolved Issues

Learn which issues were resolved in the Junos OS main and maintenance releases for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Application Layer Gateways (ALGs)

  • Packets whose IP header has the DF flag set might be dropped by the SRX Series ALG after payload-NAT. PR1444068

  • On the SRX5000 line of devices, the H323 call with NAT64 could not be established. PR1462984

  • RTSP data sessions are cleared unexpectedly during cold sync. PR1468001

  • The flowd or srxpfe process might stop when an ALG creates a gate with an incorrect protocol value. PR1474942

  • SIP messages that need to be fragmented might be dropped by SIP ALG. PR1475031

Authentication and Access Control

  • Same-source IP sessions are cleared when the IP entry is removed from the UAC table. PR1457570

Chassis Clustering

  • IP monitoring might fail on the secondary node. PR1468441

  • An unhealthy node might become primary in SRX4600 devices with chassis cluster scenario. PR1474233

Flow-Based and Packet-Based Processing

  • The trusted-ca and root-ca names or IDs should not be the same within an SSL proxy configuration. PR1420859

  • Packet loss is caused by FPGA back pressure on SPC3. PR1429899

  • Control logical interface is not created by default for LLDP. PR1436327

  • Security logs cannot be sent to the external syslog server through TCP. PR1438834

  • The SPC card might stop on the SRX5000 line of devices. PR1439744

  • Flowd process core files are generated in the device while testing NAT PBA in AA mode. PR1443148

  • The SSL-based AppID simplification effort (removal of HTTPS, POP3S, IMAPS, SMTPS). PR1444767

  • In the BERT test for E1 interface, bits counts number is not within the range. PR1445041

  • The flowd process might stop on SRX Series devices when chassis cluster and IRB interface are configured. PR1446833

  • The AAWM policy rules for IMAP traffic sometimes might not get applied when passed through SRX Series devices. PR1450904

  • Introduction of default inspection limits for application identification to optimize CPU usage and improve resistance to evasive applications. PR1454180

  • The SRX Series devices stop and generate several core files. PR1455169

  • When you try to reset the system configuration on an SRX1500 device using the reset config button, it does not work properly. PR1458323

  • The security flow traceoptions fills in with RTSP ALG-related information. PR1458578

  • Optimizations were made to improve the connections-per-second performance of SPC3. PR1458727

  • LTE dual CPE support with mPIMs when modem receives disconnect event from ISP, need to increase wait timer. PR1460102

  • The security-intelligence CC feed does not block HTTPS traffic based on SNI. PR1460384

  • The AAMWD process exceeds 85 percent RLIMIT_DATA limitation due to memory leak. PR1460619

  • Added command to clear specified associated client. PR1461577

  • The srxpfe or flowd process might stop if the sampling configuration is changed. PR1462610

  • The tunnel packets might be dropped because the gr0.0 or st0.0 interface is wrongly calculated after a GRE or VPN route change. PR1462825

  • Fragmented traffic might get looped between the fab interface in a rare case. PR1465100

  • TCP session might not time out properly upon receiving TCP RESET packet. PR1467654

  • A core file might be generated when you perform an ISSU on SRX Series devices. PR1463159

  • The PKI daemon keeps leaking memory on SRX Series devices. PR1465614

  • HTTP block message stops working after SNI check for HTTPS session. PR1465626

  • Loading CA certificate causes PKI daemon core file to be generated. PR1465966

  • The jbuf process usage might increase up to 99 percent after Junos OS upgrade. PR1467351

  • The rpd process might stop after several changes to the flow-spec routes. PR1467838

  • Packet Forwarding Engine might generate core files because SSL proxy is enabled on NFX Series and SRX Series devices. PR1467856

  • Server unreachable is detected; ensure that port 443 is reachable. PR1468114

  • Tail drop on all ports is observed when any switch-side egress port gets congested. PR1468430

  • FTP data connection might be dropped if SRX Series devices send the FTP connection traffic through the dl interface. PR1468570

  • RPM test probe fails to show that round-trip time has been exceeded. PR1471606

  • Look up failure for expected e-mail address in DUT. PR1472748

  • Stateful firewall rule configuration deletion might lead to memory leak. PR1475220

  • The dfs-off function is enabled. PR1475294

  • The nsd process pause might be seen during device reboots if dynamic application groups are configured in policy. PR1478608

  • The show mape rule statistics command might display negative values. PR1479165

  • Sometimes multiple flowd core files are generated on both nodes of chassis cluster at the same time when changing media MTU. PR1489494

Interfaces and Chassis

  • The number of mgd processes increases because the mgd processes are not closed properly. PR1439440

  • Static route through dl0.0 interface is not active. PR1465199

  • MAC limiting on Layer 3 routing interfaces does not work. PR1465366

Intrusion Detection and Prevention (IDP)

  • SNMP queries might cause commit or show commands to fail due to IDP. PR1444043

  • Updating the IDP security package offline might fail in SRX Series devices. PR1466283


  • The default log query time in J-Web monitoring functionality has been reduced. This increases the responsiveness of the landing pages. PR1423864

  • Editing destination NAT rule in J-Web introduces a nonconfigured routing instance field. PR1461599

  • The Go button within the J-Web Monitor>Events view now correctly refreshes the logs even when using a blank search query. PR1464593

  • J-Web security resources dashboard widget was not being populated correctly. PR1464769

Layer 2 Ethernet Services

  • The metric is not changing when configured under the DHCP. PR1461571

Network Address Translation (NAT)

  • The flowd or srxpfe process might stop when traffic is processed by both ALGs and NAT. PR1471932

  • Issuing the show security nat source paired-address command might return an error. PR1479824

Network Management and Monitoring

  • The flowd or srxpfe process might stop immediately after committing the jflowv9 configuration or after upgrading to affected releases. PR1471524

  • SNMP trap coldStart agent-address becomes PR1473288

Platform and Infrastructure

  • Modifying the REST configuration might cause the system to become unresponsive. PR1461021

  • VM core files might be generated if the configured sampling rate is more than 65,535. PR1461487

  • On the SRX300 line of devices, you might encounter Authentication-Table loading slowly while using user-identification. PR1462922

  • The AE interface cannot be configured on an SRX4600 device. PR1465159

  • On SRX Series devices, Packet Forwarding Engine memory might be used up if the security intelligence feature is configured. PR1472926

  • Support LLDP protocol on reth interface. PR1473456

  • Certificate error during configuration validation in a Junos OS upgrade. PR1474225

  • Packet drop might be observed on the SRX300 line of devices when adding or removing an interface from MACsec. PR1474674

  • The commands request system power-off and request system halt might not work correctly. PR1474985

  • The flowd process core files might be seen when there are mixed NAT-T traffic or non-NAT-T traffic with PMI enabled. PR1478812

  • When SRX5K-SPC3s or MX-SPC3s are installed in slots 0 or 1 in SRX5800 or MX960 devices, EMI radiated emissions are observed to be higher than regulatory compliance requirements. PR1479001

  • The RGx might fail over after RG0 failover in a rare case. PR1479255

  • The wl- interface stays in ready status after you execute request chassis fpc restart command in Layer 2 mode. PR1479396

  • Recent changes to JDPI's classification mechanism caused a considerable performance regression (more than 30 percent). PR1479684

  • The flowd or srxpfe process might crash when advanced anti-malware services are used. PR1480005

Routing Policy and Firewall Filters

  • Security policies cannot synchronize between Routing Engine and Packet Forwarding Engine on SRX Series devices. PR1453852

  • Traffic log shows wrong custom-application name when the alg ignore option is used in application configuration. PR1457029

  • The NSD process might get stuck and cause problems. PR1458639

  • Some domains are not resolved by the SRX Series devices when using DNS address book. PR1471408

  • The count option in security policy does not take effect even if the policy count is enabled. PR1471621

  • Support for dynamic tunnels on SRX Series devices was mistakenly removed. PR1476530

Routing Protocols

  • SSH login might fail if a user account exists in both local database and RADIUS or TACACS+. PR1454177

  • The rpd might stop when both instance-import and instance-export policies contain as-path-prepend action. PR1471968

Unified Threat Management (UTM)

  • Increase the scale number of UTM profile or policy for the SRX1500 device, and the SRX4000 and SRX5000 lines of devices. PR1455321

  • The utmd process might pause after deactivating UTM configuration with predefined category upgrading used. PR1478825

VLAN Infrastructure

  • ISSU failed from Junos OS Release 18.4R2.7 to Junos OS Release 19.4, with secondary node PICs in present state after upgrading to Junos OS Release 19.4. PR1468609

VPNs

  • IPsec SA inconsistent on SPCs of node0 and node1 in SRX Series devices with chassis cluster. PR1351646

  • After RG1 failover, IKE phase 1 SA is getting cleared. PR1352457

  • IPsec VPN missing half of the IKE SA and IPsec SA showing incorrect port number when scaling to 1000 IKEv1 AutoVPN tunnels. PR1399147

  • The IKE and IPsec configuration under groups is not supported. PR1405840

  • The established tunnels might remain unchanged when an IKE gateway is changed from AutoVPN to Site-to-Site VPN. PR1413619

  • The VPN tunnel might flap when IKE and IPsec rekey happen simultaneously. PR1421905

  • Old tunnel entries might be observed in the output of show security IPsec or IKE SA. PR1423821

  • The show security ipsec statistics command output displays buffer overflow and wraps around 4,---,---,--- count. PR1424558

  • Tunnel does not come up after changing configurations from IPv4 to IPv6 tunnels in the script with gateway lookup failed error. PR1431265

  • P1 configuration delete message is not sent on loading baseline configuration if there has been a prior change in VPN configuration. PR1432434

  • After a long time (a few hours) of traffic during a mini PDT test, the number of IPsec tunnels is much higher than expected. PR1449296

  • Some IPsec tunnels flap after RGs failover on the SRX5000 line of devices. PR1450217

  • IPsec VPN flaps if more than 500 IPsec VPN tunnels are connected for the first time. PR1455951

  • Traffic is not sent out through an IPsec VPN after update to Junos OS Release 18.2 or later. PR1461793

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card and IKEv1 enabled, the IKE daemon might generate a core file when the IKE SA is expired and an IPsec tunnel associated with the expired IKE SA exists, in case of an RG0 failover. The daemon recovers eventually. PR1463501

  • The IPsec VPN tunnels cannot be established if overlapped subnets are configured in traffic selectors. PR1463880

  • IPsec tunnels might lose connectivity on SRX Series devices after chassis cluster failover when using AutoVPN point-to-multipoint mode. PR1469172

  • IPsec tunnels might flap when one secondary node is coming online after reboot in SRX Series high availability environment. PR1471243

  • The kmd process might crash continually after the chassis cluster failover in the IPsec ADVPN scenario. PR1479738

Documentation Updates

Dynamic Host Configuration Protocol (DHCP)

  • Introducing DHCP User Guide—Starting in Junos OS Release 20.1R1, we are introducing the DHCP User Guide for Junos OS routing, switching, and security platforms. This guide provides basic configuration details for your Junos OS device as a DHCP server, DHCP client, and DHCP relay agent.

    [See DHCP User Guide.]

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths. You can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 15.1X49, 17.3, 17.4, 18.1, and 18.2 are EEOL releases. You can upgrade from one Junos OS Release to the next release or one release after the next release. For example, you can upgrade from Junos OS Release 15.1X49 to Release 17.3 or 17.4, from Junos OS Release 17.4 to Release 18.1 or 18.2, from Junos OS Release 18.1 to Release 18.2 or 18.3, and so on.

You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see

For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.

For information about ISSU, see the Chassis Cluster User Guide for Security Devices.