
Junos OS Release Notes for SRX Series

 

These release notes accompany Junos OS Release 20.2R1 for the SRX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

What’s New

Learn about new features introduced in the Junos OS main and maintenance releases for SRX Series devices.

Application Security

  • AppQoE multihoming with active/active deployment (NFX150, NFX250, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and vSRX)—Starting in Junos OS Release 20.2R1, AppQoE is enhanced to support multihoming with active/active deployment. Previously, AppQoE supported multihoming only with active/standby deployment.

    In active/active deployment, the spoke device connects to multiple hub devices. Application traffic can transit through any of the hub devices whose link meets the service-level agreement (SLA) requirements. Application traffic switches seamlessly between the hub devices when an SLA violation occurs or the active hub device stops responding.

    To support active/active mode, you must enable the BGP multipath to allow the device to select multiple equal-cost BGP paths to reach a given destination.

    [See Application Quality of Experience (AppQoE).]

  • Packet capture of unknown application traffic (NFX Series, SRX Series, and vSRX)—Starting in Junos OS Release 20.2R1, we’ve added a new capability to your security device that allows you to capture unknown application traffic.

    Once you have configured the packet capture options on your security device, the unknown application traffic information is gathered and stored on the device in a packet capture file (.pcap). You can use the packet capture of an unknown application to define a new custom application signature. You can use this custom application signature in a security policy to manage the application traffic more efficiently.

    You can also send the .pcap file to Juniper Networks in cases where the traffic is incorrectly classified, or to request the creation of an application signature.

    [See Application Identification.]

  • Application Quality of Experience (SRX4600)—Starting in Junos OS Release 20.2R1, the SRX4600 supports AppQoE functionality. AppQoE enhances the user experience at the application level by monitoring the performance of business-critical applications. Based on the resulting performance score, AppQoE selects the best possible link for that application traffic to meet the performance requirements specified in the service-level agreement (SLA).

    The SRX4600 supports AppQoE in both the hub-and-spoke and the full mesh topologies.

    AppQoE support is already available on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and vSRX.

    [See Application Quality of Experience.]

Authentication and Access Control

  • Support to view user identity information in JIMS and Active Directory (SRX Series)—Starting in Junos OS Release 20.2R1, you can search and view user identity information such as logged-in users, connected devices, and the group list from the Juniper Identity Management Service (JIMS) and the Active Directory (AD) domain. The SRX Series device relies on JIMS to obtain user identity information.

    You can search the user identity information and validate the authentication source to provide access to the device. You can request JIMS to retrieve the group list for the Active Directory domain for identity information of an individual user.

    [See Configure Juniper Identity Management Service to Obtain User Identity Information.]

Flow-Based and Packet-Based Processing

  • NG-IOC cache increased (SRX4600, SRX5000 line of devices)—Starting in Junos OS Release 20.2R1, we have increased the number of hash table entries for IOC3 from 2 million to 20 million wings and for IOC4 from 2 million to 10 million wings on the SRX5000 line of devices, and for the IOC on SRX4600 from 2 million to 5 million wings.

    [See Express Path.]

General Packet Radio Switching (GPRS)

  • Support for Must-IE check and IE removal for GTPv1 and GTPv2 (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 20.2R1, Junos OS supports the following information element (IE) enforcement functions for GTPv1 and GTPv2:

    • Must-IE check: Use this function to check for the presence of IEs in GTPv1-C and GTPv2-C messages, which helps verify message integrity. The device checks for the presence of the Must-IEs of specific GTP messages and forwards a message only if its Must-IEs are present.

    • IE removal: Use this function to remove IEs from GTPv1-C and GTPv2-C messages. This function helps to retain interoperability between Second-Generation Partnership Project (2GPP) and Third-Generation Partnership Project (3GPP) networks.

    [See Example: Configure Must-IE check for GTPv1 and GTPv2, and Example: Configure IE removal for GTPv1 and GTPv2.]

Intrusion Detection and Prevention (IDP)

  • Policy-based threat profile for IDP (SRX Series)—Starting in Junos OS Release 20.2R1, you can configure IDP rules with threat profiles to define attacker IP and target IP feeds.

    When traffic matches the feed data, IDP sends a feed update that adds the IP information to the Security Intelligence (SecIntel) module.

    This feature allows the SRX Series device to identify threats, propagate intelligence for real-time enforcement, and perform endpoint classification.

    [See IDP Policy Rules and IDP Rule Bases, security-intelligence, and Encrypted Traffic Analysis Overview.]

  • Signature Language Constructs (SRX Series)—Starting in Junos OS Release 20.2R1, the following signature language constructs are supported in the IDP engine, so that signatures can be written more efficiently and with fewer false attack detections:

    • Byte extract

    • Byte test

    • Byte jump

    • Byte math

    • Is-data-at

    • Detection filter

    [See IDP Signature Language Enhancements.]

Junos Telemetry Interface

  • Packet Forwarding Engine and Routing Engine sensor support on JTI (SRX5400, SRX5600, and SRX5800)—Junos OS Release 20.2R1 provides streaming support for revenue interface statistics through Packet Forwarding Engine (PFE) sensors and pseudo interface statistics through Routing Engine sensors. Sensors are supported through Junos telemetry interface (JTI) and remote procedure calls (gRPC) or gRPC Network Management Interface (gNMI) services. gNMI service is also enabled for other supported Routing Engine sensors.

    Using JTI and gRPC or gNMI services, you can stream telemetry statistics to an outside collector.

    These interface sensors are supported:

    • Physical interfaces (IFD) (resource path /interfaces/interface/).

    • Logical interfaces (IFL) (resource path /interfaces/interface/subinterfaces/).

    These Routing Engine sensors are supported using gNMI services (previously, only gRPC services were supported):

    • System events (resource path /junos/events).

    • BGP peer information (resource path /network-instances/network-instance/protocols/protocol/bgp/).

    • Memory utilization for routing protocol task (resource path /junos/task-memory-information/).

    • Operational state of Routing Engines, power supply modules, Switch Fabric Boards, Control Boards, Switch Interface Boards, Modular Interface Cards, and Physical Interface Cards (resource path /components/).

    • Link Layer Discovery Protocol (LLDP) (resource path /lldp/).

    • Address Resolution Protocol (ARP) statistics for IPv4 routes (resource path /arp-information/).

    • Network Discovery Protocol (NDP) table state information for IPv6 routes (resource path /nd6-information/).

    • NDP router-advertisement statistics (resource path /ipv6-ra/).

    • IS-IS routing protocol statistics (resource paths /network-instances/network-instance/protocols/protocol/isis/levels/level/ and /network-instances/network-instance/protocols/protocol/isis/interfaces/interface/levels/level/).

    [See Guidelines for gRPC and gNMI Sensors (Junos Telemetry Interface).]

Juniper Extension Toolkit (JET)

  • Python 3 support for JET (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.2R1, Junos OS can use Python 3 to execute JET scripts. To enable unsigned JET Python applications that support Python 3 to run on devices running Junos OS, use the set system scripts language python3 command.

    [See language (Scripts), Develop Off-Device JET Applications, and Develop On-Device JET Applications.]

J-Web

  • Improved VPN usability (SRX Series)—Starting in Junos OS Release 20.2R1, we’ve refreshed the IPsec VPN page. It provides a new, improved site-to-site VPN configuration workflow.

    [See About the IPsec VPN Page.]

  • Pass-through tunnel inspection is supported in TAP mode (SRX300 line of devices, SRX550M, SRX1500, SRX4100, and SRX4200)—Starting in Junos OS Release 20.2R1, the J-Web Setup Wizard TAP mode supports pass-through tunnel inspection. This allows the SRX Series device to inspect pass-through traffic carried over an IP-IP tunnel or a GRE tunnel.

    [See Start J-Web.]

  • HTTP X-Forwarded-For header support in IDP (SRX Series)—Starting in Junos OS Release 20.2R1, IDP supports the HTTP X-Forwarded-For option. When you enable this option, IDP saves, during traffic flow, the source IP addresses (IPv4 or IPv6) found in the HTTP and SMTP traffic contexts and displays them in the attack logs.

    [See About the Sensor Page.]
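    The following Python snippet is an added example (not Juniper code, and not taken from these release notes) that models the source-address extraction the X-Forwarded-For option describes for the HTTP case: it splits the header into its hops, keeps only syntactically valid IPv4/IPv6 entries, and then walks the chain back from the peer the device actually saw, stopping at the first hop that is not a trusted proxy. That last step is the detail worth checking in any attack log that carries a header-derived address: the header is written by upstream proxies (or by the client itself), so its entries are trustworthy only as far as the chain of proxies you trust extends. The header values, peer address, and trusted-proxy list below are constructed.

```python
"""Extract the originating client address from an HTTP X-Forwarded-For header.

Added example, not Juniper code. Header values, peer address and the
trusted-proxy list are constructed for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional


def _normalize(token: str) -> Optional[str]:
    """Return a canonical IP string for one XFF entry, or None if it is not an address."""
    t = token.strip()
    if t.startswith("["):                 # "[2001:db8::1]" or "[2001:db8::1]:443"
        end = t.find("]")
        if end == -1:
            return None
        t = t[1:end]
    elif t.count(":") == 1:               # "203.0.113.7:8080" (IPv4 with a port suffix)
        t = t.split(":", 1)[0]
    try:
        return str(ipaddress.ip_address(t))
    except ValueError:                    # "unknown", hostnames, garbage
        return None


def parse_x_forwarded_for(value: str) -> List[str]:
    """Split a header value into valid addresses, left (client) to right (last proxy)."""
    return [a for a in (_normalize(p) for p in value.split(",")) if a is not None]


def originating_client(xff_value: Optional[str], peer_ip: str,
                       trusted_proxies: Iterable[str]) -> str:
    """Walk the hop chain backwards from the peer and stop at the first untrusted hop.

    The peer address is the only one the device observed itself; every XFF
    entry to its left is hearsay from that peer. If the peer is not a trusted
    proxy the header is ignored entirely, so a client that forges
    X-Forwarded-For cannot replace its real address in the log.
    """
    trusted = {str(ipaddress.ip_address(p)) for p in trusted_proxies}
    peer = str(ipaddress.ip_address(peer_ip))
    chain = (parse_x_forwarded_for(xff_value) if xff_value else []) + [peer]
    for hop in reversed(chain):
        if hop not in trusted:
            return hop
    return peer                           # every hop is a trusted proxy: fall back to the peer


def attack_log_fields(headers: Dict[str, str], peer_ip: str,
                      trusted_proxies: Iterable[str]) -> Dict[str, str]:
    """Fields a log record would carry: the observed peer plus the XFF-derived client."""
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    return {
        "source-address": str(ipaddress.ip_address(peer_ip)),
        "xff-source-address": originating_client(xff, peer_ip, trusted_proxies),
    }


# Constructed sample: a request relayed through two proxies; 192.0.2.5 is the
# device's direct peer and 198.51.100.10 is the proxy in front of it.
SAMPLE_HEADERS = {"Host": "intranet.example",
                  "X-Forwarded-For": "203.0.113.7, unknown, 198.51.100.10"}
SAMPLE_PEER = "192.0.2.5"
TRUSTED_PROXIES = {"192.0.2.5", "198.51.100.10"}

if __name__ == "__main__":
    print(attack_log_fields(SAMPLE_HEADERS, SAMPLE_PEER, TRUSTED_PROXIES))
```

    Running the block prints both addresses for the constructed request: the peer 192.0.2.5 and the header-derived client 203.0.113.7. With a peer that is not in the trusted-proxy set, the header is disregarded and both fields carry the peer address.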

  • Enhancements to custom application signatures (SRX Series)—Starting in Junos OS Release 20.2R1, we’ve enhanced custom application signatures with the following:

    • By default, the priority for the custom application is set to Low. This allows a predefined application to take precedence. If you want to override a predefined application, you must set the priority to High.

    • Depth option is supported. Use this byte limit for Application Identification (App ID) to identify custom application patterns for applications running over TCP or UDP or Layer 7 applications.

    • Custom Application Byte Limit is supported in Global Settings. This byte limit helps in understanding when to stop the identification of custom applications.

    [See Add Application Signatures and Global Settings.]

Juniper Sky ATP

  • Support for adaptive threat profiling—Starting in Junos OS Release 20.2R1, you can configure adaptive threat profiling in Juniper Sky ATP. Adaptive Threat Profiling allows SRX Series devices to generate, propagate, and consume threat feeds based on their own advanced detection and policy-match events. You can generate adaptive threat profiling feeds with traditional policies, unified policies with application identification (AppID) or URL-based match criteria, and IDP. Navigate to Configure > Adaptive Threat Profiling in Juniper Sky ATP UI to configure adaptive threat profiling.

    [See Adaptive Threat Profiling Overview and Add Threat Feed for Adaptive Threat Profiling.]

  • Support for encrypted traffic analysis—Starting in Junos OS Release 20.2R1, encrypted traffic analysis is supported in Juniper Networks Sky ATP. Encrypted traffic analysis helps you detect malicious threats hidden in encrypted traffic without intercepting and decrypting the traffic. Navigate to Monitor > Encrypted Traffic in the Juniper Sky ATP UI to view detailed information about encrypted traffic analysis-based detections. To configure encrypted traffic analysis, use the security-metadata-streaming command at the [edit services] hierarchy level. Use the show services security-metadata-streaming statistics command to view the session statistics.

    [See Encrypted Traffic Analysis Overview and Encrypted Traffic Analysis Details.]

Logical Systems and Tenant Systems

  • Support for user firewall UAC authentication entries in shared mode for logical systems and tenant systems (SRX Series)—Starting in Junos OS Release 20.2R1, logical systems and tenant systems support user firewall authentication with Unified Access Control (UAC).

    [See Understanding Integrated User Firewall Support in a Tenant System.]

  • User authentication support for tenant systems (SRX Series)—Starting in Release 20.2R1, Junos OS introduces the following authentication support for tenant systems:

    • address-assignment pools: Creates centralized IPv4 and IPv6 address pools independent of the client applications that use the pools.

    • access profiles: Runs authentication and accounting requests.

    • clear network-access aaa subscribers: Clears AAA subscriber statistics and logs out subscribers. You can log out subscribers based on the username or on the subscriber session identifier.

    [See Firewall Authentication for Tenant Systems.]

Multicast

  • Strict packet order for multicast traffic (SRX345 and SRX1500)—Starting in Junos OS Release 20.2R1, we have introduced a new mechanism to maintain multicast traffic order and resolve a packet drop issue. Use the strict-packet-order command at the [edit security flow] hierarchy level to maintain the packet order.

    As part of this enhancement, you can configure the multicast route next-hop resolve attempts. When a multicast route next-hop resolve is unsuccessful, the SRX Series device attempts to resolve the next-hop route based on the specified retry counts. Use the multicast-nh-resolve-retry command at the [edit security flow] hierarchy level to specify the number of retry counts.

    [See flow.]

Network Address Translation (NAT)

  • Increased port block allocation size (SRX5000 line of devices with SPC2 and SPC3 cards)—We’ve increased the port block allocation size so that you can store more log files on the log server.

    • When interim logging is disabled, you can increase the port block allocation size from 64 to 8.

    • When interim logging is enabled, you can increase the port block allocation size from 128 to 8.

    If you configure a port block allocation size of less than 8, the system displays the warning message "warning: To save system memory, the block size is recommended to be no less than 8".

    [See Guidelines for Configuring Secured Port Block Allocation and Configure Port Block Allocation Size.]

Network Management and Monitoring

  • NETCONF sessions over outbound HTTPS (EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.2R1, the Junos OS with upgraded FreeBSD software image includes a Juniper Extension Toolkit (JET) application that supports establishing a NETCONF session using outbound HTTPS. The JET application establishes a persistent HTTPS connection with a gRPC server over a TLS-encrypted gRPC session and authenticates the NETCONF client using an X.509 digital certificate. A NETCONF session over outbound HTTPS enables you to remotely manage devices that might not be accessible through other protocols, for example, if the device is behind a firewall.

    [See NETCONF Sessions over Outbound HTTPS.]

  • Python 3 support for YANG scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.2R1, Junos OS uses Python 3 to execute YANG action and translation scripts that are written in Python. Junos OS does not support using Python 2.7 to execute YANG Python scripts as of this release.

    [See Understanding Python Automation Scripts for Devices Running Junos OS.]

  • Traffic log enhancement (SRX Series)—Starting in Junos OS Release 20.2R1, we’ve enhanced the traffic log by supporting:

    • Escaping of special characters in stream log forwarding and on-box reporting, to avoid parsing errors. Stream mode supports escaping in the sd-syslog and binary formats. Event mode supports escaping only in the binary format.

    • Different security log transport options for different streams.

    • Stream-event mode.

    • Increased maximum length of the stream mode sd-syslog format syslog message to 4*1472 bytes.

    • Different source addresses for different streams.

    • Year and millisecond in timestamps.

    [See log (Security) and mode (Security Log).]

  • CPU usage monitoring (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 20.2R1, you can use the following operational commands to monitor the average CPU usage information for the last minute, hour, or day of an SPC3 card:

    • show security monitoring performance spu summary fpc fpc-slot-number pic pic-slot-number

    • show security monitoring performance spu summary fpc fpc-slot-number pic pic-slot-number thread thread-number

    You can monitor the CPU usage information only when the PIC is online.

    We’ve introduced the new SNMP MIBs jnxJsSPUMonitoringSPUThreadsNumber, jnxJsSPUMonitoringSPUThreadIndex, jnxJsSPUMonitoringSPUThreadLastMinUsage, jnxJsSPUMonitoringSPUThreadLastHourUsage, and jnxJsSPUMonitoringSPUThreadLastDayUsage to monitor the CPU usage information of an SPC3 card.

    [See show snmp mib and show security monitoring performance spu.]

Platform and Infrastructure

Port Security

  • Media Access Control Security (MACsec) (SRX380)—Starting in Junos OS Release 20.2R1, MACsec is supported on high availability (HA) control and fabric ports of SRX380 devices in chassis cluster mode. MACsec provides secure communication for almost all types of Layer 2 traffic on Ethernet links. MACsec is capable of identifying and preventing most security threats at Layer 2 and can be used in combination with other security protocols to provide end-to-end network security. MACsec is standardized in IEEE 802.1AE.

    [See Media Access Control Security (MACsec) on Chassis Cluster.]

Security

  • Support for security feeds in security policies (SRX Series and vSRX)—Starting in Junos OS Release 20.2R1, you can add source and destination addresses to the security intelligence (SecIntel) profiles to generate security feeds in a security policy. You can accomplish this by configuring the security-intelligence configuration statements. After the feeds are generated, you can configure other security policies to use the feeds as a dynamic-address to match designated traffic and perform policy actions.

    You can configure the security-intelligence configuration statements as permit, deny, or reject match conditions in a security policy at the following hierarchy levels:

    [See security-intelligence and Encrypted Traffic Analysis Overview.]

  • Enhancements to configuring security policies (SRX Series and vSRX)—Starting in Junos OS Release 20.2R1, we have added advanced connection tracking options to security policies.

    You can configure the advanced-connection-tracking command at the [edit security zones security-zone zone-name] hierarchy level to generate a connection track table, keyed on source IP, destination IP (optional), and destination port (optional), during the session creation stage when traffic enters a given zone. This connection track mapping table also appears on the backup node in a high availability (HA) pair.

    You can configure the advanced-connection-tracking option under [edit security policies from-zone zone-name to-zone zone-name policy policy-name then permit] to mandate that traffic matching the given policy performs a lookup in the to-zone’s connection track mapping table using the new session’s key information. If there is no match, a new connection is not created.

    [See advanced-connection-tracking.]

Software Installation and Upgrade

  • Zero-touch provisioning (ZTP) enhancements to support both DHCP options and phone-home client (SRX300, SRX320, SRX340, SRX345, SRX550HM, and SRX1500)—Starting in Junos OS Release 20.2R1, you can use zero-touch provisioning with DHCP options or the phone-home client to provision your device. As part of the factory default configuration, both ZTP and the phone-home client are included and run at the same time when the device boots up in factory-default mode. ZTP with DHCP options has the first priority for provisioning. The device checks for DHCP bindings; if there are DHCP bindings but they do not carry the necessary ZTP-related options (such as a file server and at least one image file or configuration file), the phone-home client takes over the provisioning process.

    [See Zero Touch Provisioning.]

Unified Threat Management (UTM)

  • UTM CLI test commands for Web Filtering and antispam feature (SRX Series)—Starting in Junos OS Release 20.2R1, Junos OS introduces the following test commands that help you configure Enhanced Web Filtering:

    • test security utm enhanced-web-filtering url-check <test-url>: Checks the category of a test string.

    • test security utm web-filtering profile <profile-name><test-url>: Checks the reputation of a test string.

    Junos OS introduces the following test command for the antispam feature:

    • test security utm anti-spam ip-check <test-IP>: Checks whether the IP address is a spam source.

    [See Unified Threat Management User Guide.]

  • CDF mode and inline-tap mode for AV—Starting in Junos OS Release 20.2R1, Junos OS introduces continuous delivery function (CDF) and inline-tap mode at the existing [edit security utm default-configuration anti-virus] hierarchy level. The continuous delivery function holds back only the last packet and sends out the other packets; this reduces system memory usage and speeds up the traffic. Inline-tap mode permits the traffic even if it is infected. Use inline-tap mode to evaluate the antivirus feature without blocking or modifying the traffic.

    [See Unified Threat Management User Guide.]

  • Safe search enhancement for Web filtering (SRX Series and vSRX)—Starting in Junos OS Release 20.2R1, we’ve introduced safe search UTM Web filtering on well-known search engines. This safe search enhancement enforces the safest Web browsing mode available, by default. You can disable the safe search option at the Web filtering-level and profile-level configurations. You can also block search engine cache on the well-known search engines. By blocking the search engine cache, you can hide your Web-browsing activities from other users if you are a part of an organization that has multiple Web users in educational, financial, health-care, banking, and corporate segments.

    [See Safe Search Enhancement for Web Filtering, feature-profile, websense-redirect, and juniper-local.]

What's Changed

Learn about what changed in the Junos OS main and maintenance releases for SRX Series.

Application Security

  • Junos OS Release 20.2R1 introduces a new CLI configuration statement depth under set services application-identification application application-name over application signature signature-name member number hierarchy. You can use this configuration statement to specify the byte limit for application identification (AppID) to identify the custom application pattern for the applications running over TCP or UDP or Layer 7 applications.

    Starting in Junos OS Release 20.2R1, you can display the configured depth value in J-Web using the show services application-identification application detail command.

    In the above sample, you can see the configured value of the depth is displayed as 4.

    [See Application Identification].

  • Starting in Junos OS Release 20.2R1, the syntax of the commands used for displaying the SLA profile details has changed as follows:

    Syntax in Junos OS Release prior to 20.2R1:
      show security advance-policy-based-routing sla profile sla-profile-name application application-name destination-group-name destination-group-name status

    Syntax in Junos OS Release 20.2R1 or later:
      show security advance-policy-based-routing sla profile profile-name application application-name next-hop next-hop-id status

    Syntax in Junos OS Release prior to 20.2R1:
      show security advance-policy-based-routing sla profile sla-profile-name application application-name destination-group-name destination-group-name

    Syntax in Junos OS Release 20.2R1 or later:
      show security advance-policy-based-routing sla profile profile-name application application-name next-hop next-hop-id

    [See show security advance-policy-based-routing sla profile (Application Name), show security advance-policy-based-routing sla profile (Next-Hop), and show security advance-policy-based-routing sla profile (Status).]

Flow-Based and Packet-Based Processing

  • ECMP load balancing in chassis cluster (SRX Series)—Starting in Junos OS Release 20.2R1, in a chassis cluster setup, logic has been added to skip the reroute for backup sessions in order to avoid reroute flapping between primary and secondary sessions. A reroute can, however, change the chassis interface of a flow session, so a session can change from a backup session to a primary session after the reroute; the reroute cannot be skipped for such a session.

    With the changed logic, the session reroute is skipped only for packets received from the chassis interface. This ensures that the session continues as the backup session even after a reroute changes the outgoing interface. Otherwise, the reroute cannot be skipped for backup sessions.

  • Simplified HA (SRX Series)—Starting in Junos OS Release 20.2R1, on SRX Series devices in a simplified HA setup, when you clear the session using the clear security flow session command, some warm sessions exist for an extended duration. To clear these warm sessions, a new CLI command clear security flow session session-state warm is introduced.

    clear security flow session all

Juniper Extension Toolkit (JET)

  • pass keyword required for Python 3 JET applications (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—If you are writing a JET application using Python 3, include the pass keyword in the except block of the script. Otherwise, the application throws an exception when you attempt to run it.

    [See Develop Off-Device JET Applications and Develop On-Device JET Applications.]

  • Updates to IDL for RIB service API bandwidth field (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The IDL for the RouteGateway RIB service API has been updated to document additional rules for the bandwidth field. You must set bandwidth only if a next hop has more than one gateway, and if you set it for one gateway on a next hop, you must set it for all gateways. If you set bandwidth when there is only a single usable gateway, it is ignored. If you set bandwidth for one or more gateways but not all gateways on a next hop, you see the error code BANDWIDTH_USAGE_INVALID.

    [See Juniper EngNet.]

Juniper Sky ATP

  • Dynamic address entries on SRX Series devices in chassis cluster mode—Starting in Junos OS Release 20.2R1, for SRX Series devices in chassis cluster mode, the dynamic address entry list is retained on the device even after the device is rebooted following a loss of connection to Juniper Sky Advanced Threat Prevention (ATP).

Network Management and Monitoring

  • Request support information for IPsec VPN (SRX Series)—Starting in Junos OS Release 20.2R1, we’ve introduced the CLI ipsec-vpn option to the request support information security-components command. This new option displays all the configuration, states, and statistics information necessary for debugging IPsec VPN related issues.

    [See request support information.]

  • Junos OS only supports using Python 3 to execute YANG Python scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.2R1, Junos OS uses Python 3 to execute YANG action and translation scripts that are written in Python. In earlier releases, Junos OS used Python 2.7 to execute these scripts.

    [See Understanding Python Automation Scripts for Devices Running Junos OS.]

VPNs

  • New vendor ID for Internet Key Exchange (SRX Series)—In Junos OS Release 20.2R1, we’ve introduced a new vendor ID, Juniper Networks, for IKEv1 and IKEv2, which is advertised to the peer.

    [See Understanding IKE and IPsec Packet Processing.]

  • Change in CLI options help text description (SRX Series)—Starting in Junos OS Release 20.2R1, we’ve changed the help text description to NOT RECOMMENDED for the following CLI options under the [edit security ike proposal proposal-name], [edit security ike policy policy-name], [edit security ipsec proposal proposal-name], and [edit security ipsec policy policy-name] hierarchies.

    Hierarchy                                                               CLI Options                       Help Text Description
    ----------------------------------------------------------------------  --------------------------------  ---------------------
    [edit security ike proposal proposal-name authentication-algorithm]     md5, sha1                         NOT RECOMMENDED
    [edit security ike proposal proposal-name encryption-algorithm]         3des-cbc, des-cbc                 NOT RECOMMENDED
    [edit security ike proposal proposal-name dh-group]                     group1, group14, group2, group5   NOT RECOMMENDED
    [edit security ike proposal proposal-name authentication-method]        dsa-signatures                    NOT RECOMMENDED
    [edit security ike policy policy-name proposal-set]                     basic, compatible, standard       NOT RECOMMENDED
    [edit security ipsec policy policy-name proposal-set]                   basic, compatible, standard       NOT RECOMMENDED
    [edit security ipsec proposal proposal-name encryption-algorithm]       3des-cbc, des-cbc                 NOT RECOMMENDED
    [edit security ipsec proposal proposal-name authentication-algorithm]   hmac-md5-96, hmac-sha1-96         NOT RECOMMENDED
    [edit security ipsec policy policy-name perfect-forward-secrecy keys]   group1, group2, group5, group14   NOT RECOMMENDED

    [See authentication-algorithm (Security IPsec) and encryption-algorithm (Security IKE).]
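    The following Python script is an added example (not Juniper code, and not part of these release notes) that scans set-style IKE and IPsec configuration lines for exactly the options the table above marks NOT RECOMMENDED, so that an operator can locate them before a peer negotiation fails or an audit flags them. The hierarchy/option/value list is copied from the table; the sample configuration embedded in the script is constructed, and the parser assumes one `set ...` statement per line, as `show configuration | display set` produces.

```python
"""Audit Junos 'set'-style IKE/IPsec configuration for options that Junos OS
Release 20.2R1 labels NOT RECOMMENDED.

Added example, not Juniper code. The option/value list comes from the table
above; the sample configuration is constructed, and the parser assumes one
'set ...' statement per line.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    hierarchy: str   # e.g. "security ike proposal"
    name: str        # the proposal or policy name on the config line
    option: str      # e.g. "dh-group"
    value: str       # the NOT RECOMMENDED value that was found


# (hierarchy, option keyword, values flagged NOT RECOMMENDED) -- one entry per table row
WEAK_OPTIONS = [
    ("security ike proposal", "authentication-algorithm", {"md5", "sha1"}),
    ("security ike proposal", "encryption-algorithm", {"3des-cbc", "des-cbc"}),
    ("security ike proposal", "dh-group", {"group1", "group2", "group5", "group14"}),
    ("security ike proposal", "authentication-method", {"dsa-signatures"}),
    ("security ike policy", "proposal-set", {"basic", "compatible", "standard"}),
    ("security ipsec policy", "proposal-set", {"basic", "compatible", "standard"}),
    ("security ipsec proposal", "encryption-algorithm", {"3des-cbc", "des-cbc"}),
    ("security ipsec proposal", "authentication-algorithm", {"hmac-md5-96", "hmac-sha1-96"}),
    ("security ipsec policy", "perfect-forward-secrecy keys", {"group1", "group2", "group5", "group14"}),
]

# One compiled pattern per row: "set <hierarchy> <name> <option> <value>"
_PATTERNS = [
    (re.compile(rf"^set {re.escape(h)} (\S+) {re.escape(o)} (\S+)$"), h, o, vals)
    for h, o, vals in WEAK_OPTIONS
]


def audit(config_text: str) -> List[Finding]:
    """Return every active 'set' line whose value is on the NOT RECOMMENDED list."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith("set "):
            continue  # blank lines, comments and 'deactivate'/'delete' lines are not active settings
        for pattern, hierarchy, option, weak in _PATTERNS:
            match = pattern.match(line)
            if match and match.group(2) in weak:
                findings.append(Finding(line_no, hierarchy, match.group(1), option, match.group(2)))
    return findings


def objects_needing_review(findings: List[Finding]) -> List[str]:
    """Distinct proposals and policies that carry at least one flagged option."""
    return sorted({f"{f.hierarchy} {f.name}" for f in findings})


# Constructed sample: one legacy and one modern IKE proposal, plus a legacy IPsec proposal.
SAMPLE_CONFIG = """\
set security ike proposal ike-legacy authentication-method pre-shared-keys
set security ike proposal ike-legacy dh-group group2
set security ike proposal ike-legacy authentication-algorithm sha1
set security ike proposal ike-legacy encryption-algorithm 3des-cbc
set security ike proposal ike-modern authentication-method pre-shared-keys
set security ike proposal ike-modern dh-group group20
set security ike proposal ike-modern authentication-algorithm sha-256
set security ike proposal ike-modern encryption-algorithm aes-256-cbc
set security ike policy ike-pol proposal-set standard
set security ipsec proposal ipsec-legacy encryption-algorithm des-cbc
set security ipsec proposal ipsec-legacy authentication-algorithm hmac-md5-96
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol proposals ipsec-legacy
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.hierarchy} {f.name} {f.option} {f.value} is NOT RECOMMENDED")
```

    On the constructed sample the script reports seven lines, all belonging to the legacy proposals, the ike-pol proposal-set and the ipsec-pol PFS group; the ike-modern proposal produces no findings. Because only lines beginning with set are examined, deactivated statements are not reported, which matches what the device actually negotiates.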

  • Change in thread ID configuration (SRX Series)—Starting in Junos OS Release 20.2R1, when you add, change, or delete the thread ID in a distribution profile at [edit security distribution-profile profile-name fpc slot-number pic slot-number thread-id], all tunnels that are part of the modified distribution profile and anchored on the modified SPU member of that profile are torn down and renegotiated.

    [See distribution-profile.]

Known Limitations

Learn about known limitations in this release for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Authentication and Access Control

  • When you use the request services user-identification authentication-source jims groups domain <domain-name> (force-fetch|status) command, the SRX Series device retrieves the complete group list, excluding the user list and the device list.

    When the primary JIMS server is offline, the secondary JIMS server is online but the related secondary JIMS validator is offline. Therefore, the connection to the JIMS validator reports an error message for the group-query or validate-query command.

    [See Querying JIMS for User Identity Information.]

Flow-Based and Packet-Based Processing

  • Committing a large number of custom applications with a single member, a single context, and a varying pattern might result in the commit taking a significant amount of time to complete. The commit status can be checked using show services application-identification commit-status. PR1493127

J-Web

  • When a dynamic application is created for an edited policy rule, the list of services is blank when the Services tab is clicked and then the policy grid is autorefreshed. As a workaround, create a dynamic application as the last action while modifying the policy rule and click the Save button to avoid loss of configuration changes made to the policy rule. PR1460214

Routing Policy and Firewall Filters

  • SecProfiling deployment starts from the root logical system and extends to user-defined logical systems; the use case under a tenant is currently not mandated. PR1490071

VPNs

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, with 60,000 tunnels up, when RG0 failover happens while an IPsec and/or IKE rekey is in progress, those rekeying tunnels might go down and traffic loss might be seen until the tunnel is reestablished. PR1471499

  • On SRX Series devices, the accounting stop message is not sent after deactivating the access profile under the security IKE gateway. PR1485732

Open Issues

Learn about open issues in this release for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Flow-Based and Packet-Based Processing

  • Use a 512-packet antireplay window size for IPv6 in a fat tunnel. Otherwise, the ESP sequence check might report out-of-order packets, because fat-tunnel parallel encryption can reorder packets within a span of 384 packets (12 cores * 32 packets in one batch). With a 512-packet antireplay window, no out-of-order packets are reported. PR1470637
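To make the arithmetic in this item concrete, here is an added Python model, not code from the release notes or from Junos, of an RFC 4303-style ESP anti-replay sliding window fed with packets whose order is scrambled the way a 12-core, 32-packets-per-batch parallel encryption stage could scramble them. The batch-reversal model of the encryption stage, the packet count, and the class and function names are constructed assumptions. What it shows is that the receiver's window must be at least as wide as the largest reordering distance (384 here): a 512-packet window accepts every packet, while a 256-packet window drops legitimate late packets as if they were replays.

```python
"""Added example: ESP-style anti-replay window vs. parallel-encryption reordering."""

from typing import List


class AntiReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303 (constructed model).

    Accepts a sequence number if it is newer than anything seen, or if it falls
    inside the last `size` sequence numbers and has not been seen before.
    """

    def __init__(self, size: int) -> None:
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.seen = set()         # accepted sequence numbers still inside the window

    def check(self, seq: int) -> bool:
        """Return True and record seq if accepted, False if it would be dropped."""
        if seq > self.highest:
            # Slide the window forward and forget entries that fell off its left edge.
            self.highest = seq
            low = self.highest - self.size + 1
            self.seen = {s for s in self.seen if s >= low}
            self.seen.add(seq)
            return True
        if seq <= self.highest - self.size:
            return False          # too old: outside the window, reported out of order
        if seq in self.seen:
            return False          # genuine replay of an already accepted packet
        self.seen.add(seq)        # late but still inside the window
        return True


def reorder_by_batches(seqs: List[int], cores: int, batch: int) -> List[int]:
    """Constructed model of parallel encryption: every `cores * batch` packets are
    split into per-core batches, and the batches complete in reverse order, so a
    packet can be emitted up to cores*batch - 1 positions after a later one."""
    out: List[int] = []
    chunk = cores * batch
    for start in range(0, len(seqs), chunk):
        group = seqs[start:start + chunk]
        batches = [group[i:i + batch] for i in range(0, len(group), batch)]
        for b in reversed(batches):
            out.extend(b)
    return out


def count_drops(window_size: int, total: int = 4096,
                cores: int = 12, batch: int = 32) -> int:
    """Number of packets the receiver would drop for a given window size when
    `total` sequential packets pass through the modelled encryption stage."""
    win = AntiReplayWindow(window_size)
    stream = reorder_by_batches(list(range(1, total + 1)), cores, batch)
    return sum(1 for seq in stream if not win.check(seq))


if __name__ == "__main__":
    for size in (256, 384, 512):
        print(f"window {size}: {count_drops(size)} packets dropped")
```

On the constructed 4096-packet stream, the 256-packet window drops 1280 packets (the oldest four batches of every 384-packet group), while the 512-packet window drops none; the window still rejects a true replay of a sequence number it has already accepted.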

J-Web

  • On the SRX5000 line of devices, J-Web might not be responsive sometimes when you commit configuration changes after adding a new dynamic application while creating a new firewall rule. J-Web displays a warning while validating the configuration due to dynamic application or any other configuration changes. As a workaround, refresh the J-Web page. PR1460001

  • For a spoke device in a hub-and-spoke topology, J-Web shows the VPN topology as Site to Site. PR1495973

  • Configuring IPsec VPN global settings such as the TCP encapsulation profile, IPsec power mode, and IKE package installation is not supported from J-Web. PR1496439

  • The SSL proxy exempted URL categories list is blank in an HA setup. PR1516590

  • Charts appear blank in the generated Threat Assessment Report when J-Web is opened in Firefox 77.0.1. PR1517343

Routing Policy and Firewall Filters

  • An IP address that cannot be divided exactly by three in show security match-policies can lead to a matching failure. PR1483251

VPNs

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, a new behavior has been introduced that differs from the behavior on the older SPC2 card. The SRX Series device with AutoVPN configuration can now accept multiple IPsec tunnels from a peer device (with the same source IP address and port number) using different IKE-IDs. PR1407356

  • On the SRX5000 line of devices with an SPC3 card, sometimes IKE SA is not seen on the device when st0 binding on VPN configuration object is changed from one interface to another (for example, st0.x to st0.y). PR1441411

  • With the NCP remote access solution, in a PathFinder case (for example, where IPsec traffic has to be encapsulated in TCP packets), TCP encapsulation for transit traffic fails. PR1442145

  • During a 10,000-tunnel ramp-up, IKED sometimes generates a core file. PR1479548

  • On SRX Series devices with SPC3, when overlapping traffic selectors are configured, multiple IPsec SAs get negotiated with the peer device. PR1482446

  • The SRX5000 line of devices with SPC3 did not support simultaneous IKE negotiation in Junos OS Release 19.2, 19.3, 19.4, or 20.1. PR1497297

Resolved Issues

Learn which issues were resolved in the Junos OS main and maintenance releases for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Application Layer Gateways (ALGs)

  • RTSP data sessions are cleared unexpectedly during cold sync. PR1468001

  • The flowd or srxpfe process might stop when an ALG creates a gate with an incorrect protocol value. PR1474942

  • SIP messages that need to be fragmented might be dropped by SIP ALG. PR1475031

  • FTPS traffic might get dropped on SRX Series or MX Series devices if FTP ALG is used. PR1483834

Authentication and Access Control

  • SRX Series: Unified Access Control (UAC) bypass vulnerability (CVE-2020-1637). PR1475435

Flow-Based and Packet-Based Processing

  • The show security pki local-certificate logical-system all command does not show any output. PR1414628

  • The trusted-ca and root-ca names or IDs should not be the same within an SSL proxy configuration. PR1420859

  • Introduction of default inspection limits for application identification to optimize CPU usage and improve resistance to evasive applications. PR1454180

  • A TCP session might not time out properly after receiving a TCP RESET packet. PR1467654

  • RPM test probe fails to show that round-trip time has been exceeded. PR1471606

  • Support LLDP protocol on reth interface. PR1473456

  • Certificate error when configuration is validated during Junos OS upgrade. PR1474225

  • An unhealthy node might become primary on SRX4600 devices in a chassis cluster. PR1474233

  • Packet drops might be observed on the SRX300 line of devices when adding or removing an interface from MACsec. PR1474674

  • Deleting a stateful firewall rule configuration might lead to a memory leak. PR1475220

  • The flowd or srxpfe process might stop when deleting a user firewall local authentication table entry. PR1477627

  • MPCs might stop when there is a bulk route update failure in a corner case. PR1478392

  • The nsd process might pause during device reboots if dynamic application groups are configured in a policy. PR1478608

  • The flowd process core files might be seen when there is mixed NAT-T and non-NAT-T traffic with PMI enabled. PR1478812

  • When SRX5K-SPC3s or MX-SPC3s are installed in slots 0 or 1 in SRX5800 or MX960 devices, EMI radiated emissions are observed to be higher than regulatory compliance requirements. PR1479001

  • The show mape rule statistics command might display negative values. PR1479165

  • The wl-interface stays in ready status after you execute request chassis fpc restart command in Layer 2 mode. PR1479396

  • Recent changes to JDPI's classification mechanism caused a considerable performance regression (more than 30 percent). PR1479684

  • The flowd or srxpfe process might stop when advanced anti-malware service is used. PR1480005

  • On the Web proxy, a memory leak occurs in the association hash table and the DNS hash table. PR1480760

  • The jsqlsyncd process synchronizes its databases every second even when there is no change. PR1482428

  • The firewall Web authentication graphics have been updated. PR1482433

  • IMAP curl sessions get stuck in the active state if AAMW IMAP block mode is configured. PR1484692

  • The show chassis temperature-thresholds command displays extensive FPC 0 output. PR1485224

  • The configuration set chassis psu redundancy n-plus-n needs to be supported in high availability (HA) mode. PR1486746

  • Commit does not work after the installation through boot loader. PR1487831

  • If a cluster ID of 16 or multiples of 16 is used, the chassis cluster might not come up. PR1487951

  • CPU board inlet increases after OS upgrade from Junos OS Release 15.1X49 to Junos OS Release 18.x. PR1488203

  • All interfaces remain in the down status after a device in the SRX300 line powers up or reboots. PR1488348

  • There is a risk of service interruption on all SRX Series devices with a dual-stacked CA server. PR1489249

  • A GRE or IPsec tunnel might not come up when the set security flow no-local-favor-ecmp command is configured. PR1489276

  • Sometimes multiple flowd core files are generated on both nodes of a chassis cluster at the same time when the media MTU is changed. PR1489494

  • Continuous drops are seen in control traffic, with high data queues in one SPC2 PIC. PR1490216

  • A phone client stop is seen while doing ZTP of an SRX345 device with CSO. PR1496650

  • Unexpected flow logging of traffic beyond the packet filter. PR1497939

  • Traffic interruption happens due to MAC address duplication between two devices running Junos OS. PR1497956

  • Do not use uppercase characters for source-identity when using the show security match-policies command. PR1499090

  • J-Flow version 9 does not display the correct outgoing interface for APBR traffic. PR1502432

  • AppQoE support for dynamic-application. PR1503400

  • A cfmd core file is observed when LTM is triggered for a session configured on an ethernet-switching interface without a bridge domain configuration. PR1503696

Intrusion Detection and Prevention (IDP)

  • Configuring anomaly occurs in CLI. PR1490437

J-Web

  • You cannot configure redundant PSU and power budget statistics on the SRX380 device that is in high availability (HA) mode through J-Web. PR1493713

  • J-Web users might not be able to configure PPPoE using the PPPoE wizard. PR1502657

Layer 2 Ethernet Services

  • Member link states might be unsynchronized on a connection between PE and CE devices in EVPN active/active mode. PR1463791

Multiprotocol Label Switching (MPLS)

  • A BGP session might keep flapping between two directly connected BGP peers because the wrong TCP MSS is in use. PR1493431

Network Address Translation (NAT)

  • Issuing the show security nat source paired-address command might return an error. PR1479824

Network Management and Monitoring

  • The flowd or srxpfe process might stop immediately after committing the J-Flow version 9 configuration or after upgrading to affected releases. PR1471524

  • SNMP trap coldStart agent-address becomes 0.0.0.0. PR1473288

Platform and Infrastructure

  • Modifying the REST configuration might cause the system to become unresponsive. PR1461021

  • On SRX1500 and the SRX4000 line of devices, physically disconnecting the cable from the fxp0 interface causes a hardware monitor failure and a redundancy group failover when the device is the primary node in a chassis cluster. PR1467376

  • The RGx might fail over after an RG0 failover in a rare case. PR1479255

  • The /usr/libexec/ui/yang-pkg and /usr/libexec/ui/pyang files are not found on SRX Series devices during YANG installation. PR1496577

Routing Policy and Firewall Filters

  • If a very large number of policies is configured on SRX Series devices and some policies are changed, traffic that matches the changed policies might be dropped. PR1454907

  • Support for dynamic tunnels on SRX Series devices was mistakenly removed. PR1476530

  • TCP proxy was mistakenly engaged in unified policies when Web filtering was configured in potential match policies. PR1492436

  • Traffic fails to hit the policies with matching source-end-user-profiles. PR1505002

Routing Protocols

  • The rpd might stop when both instance-import and instance-export policies contain as-path-prepend action. PR1471968

Unified Threat Management (UTM)

  • The utmd process might pause after deactivating the UTM configuration when predefined category upgrading is used. PR1478825

VPNs

  • The IKE SA does not get cleared and shows a very long lifetime. PR1439338

  • IKED treats all retransmissions of the first IKE_INIT request packet as new connections when acting as responder. PR1460907

  • The iked process might crash when the IKE SA expires and the IPsec tunnel of the expired IKE SA still exists. PR1463501

  • Newly configured IPsec tunnels might be stuck in the VPNM verify-path state in a scaled tunnel scenario. PR1464353

  • IPsec tunnels might flap when a secondary node comes online after a reboot in an SRX Series high availability environment. PR1471243

  • The kmd process might crash continually after a chassis cluster failover in the IPsec ADVPN scenario. PR1479738

  • On the SRX4200 device, a 35 percent drop is seen in all TPS cases. PR1481625

  • The help text description of some options under IKE and IPsec policy and proposal should be changed to NOT RECOMMENDED. PR1487515

  • Use different XML tags for the local and remote IKE ID to avoid confusion. PR1493368

  • There is an issue with the XML RPC output of show security ipsec tunnel-distribution summary. PR1494274

Documentation Updates

There are no errata or changes in Junos OS Release 20.2R1 documentation for the SRX Series.

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths. You can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 19.3, 19.4, and 20.1 are EEOL releases. You can upgrade from Junos OS Release 19.3 to Release 19.4 or from Junos OS Release 19.3 to Release 20.1.

You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.
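As an added illustration of the policy described above (this is not code from the release notes or from Juniper), the following Python checker encodes the two rules and plans a supported hop sequence, using EEOL releases as stepping stones. The release ordering is a constructed sample, oldest first; the notes name 19.3, 19.4, and 20.1 as EEOL, and the remaining EEOL flags are invented so that the EEOL-to-EEOL rule is exercised. Two interpretations are assumed: "more than three releases" means a gap of more than three positions in the ordered release list, and a hop is chosen as the most distant EEOL release that is itself directly reachable, so the plan uses as few upgrades as the policy allows.

```python
"""Added example: a checker for the Junos OS EEOL upgrade/downgrade policy."""

from typing import List, Optional, Sequence, Set

# Constructed sample release ordering, oldest first. The release notes name
# 19.3, 19.4 and 20.1 as EEOL; the other EEOL flags below are invented so the
# EEOL-to-EEOL rule gets exercised. Real designations are listed at
# https://www.juniper.net/support/eol/junos.html.
RELEASES: Sequence[str] = ("18.1", "18.2", "18.3", "18.4", "19.1",
                           "19.2", "19.3", "19.4", "20.1", "20.2")
EEOL: Set[str] = {"18.1", "18.4", "19.3", "19.4", "20.1"}

MAX_RELEASE_SPAN = 3  # "more than three releases" apart is not supported
MAX_EEOL_SPAN = 2     # EEOL-to-EEOL: up to two EEOL releases before or after


def direct_upgrade_allowed(current: str, target: str,
                           releases: Sequence[str] = RELEASES,
                           eeol: Set[str] = EEOL) -> bool:
    """True if one upgrade or downgrade step from current to target is supported."""
    order = list(releases)
    span = abs(order.index(current) - order.index(target))
    if span <= MAX_RELEASE_SPAN:
        return True                      # within three releases: always fine
    if current in eeol and target in eeol:
        # EEOL releases give direct paths even across larger spans,
        # as long as they are at most two EEOL releases apart.
        eeol_order = [r for r in order if r in eeol]
        eeol_span = abs(eeol_order.index(current) - eeol_order.index(target))
        return eeol_span <= MAX_EEOL_SPAN
    return False


def upgrade_path(current: str, target: str,
                 releases: Sequence[str] = RELEASES,
                 eeol: Set[str] = EEOL) -> Optional[List[str]]:
    """Plan a supported hop sequence from current to target, stepping through
    EEOL releases when a direct hop is not supported. Returns None if the
    release list offers no supported path."""
    order = list(releases)
    if current == target:
        return [current]
    path = [current]
    while not direct_upgrade_allowed(path[-1], target, order, eeol):
        here, there = order.index(path[-1]), order.index(target)
        step = 1 if there > here else -1
        # EEOL releases strictly between the current hop and the target,
        # nearest to the target first, so every hop is as long as allowed.
        between = range(there - step, here, -step)
        candidates = [order[i] for i in between if order[i] in eeol]
        hop = next((c for c in candidates
                    if direct_upgrade_allowed(path[-1], c, order, eeol)), None)
        if hop is None:
            return None                  # no reachable EEOL stepping stone
        path.append(hop)                 # each hop moves strictly toward target
    path.append(target)
    return path


if __name__ == "__main__":
    print(upgrade_path("18.2", "20.2"))  # constructed sample: ['18.2', '18.4', '19.4', '20.2']
    print(upgrade_path("20.2", "18.2"))  # constructed sample: ['20.2', '19.3', '18.4', '18.2']
```

Swap in the real release ordering and EEOL list from the URL above before relying on the output; the function only encodes the policy wording, not any per-release exceptions.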

For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.

For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.

For information about ISSU, see the Chassis Cluster User Guide for Security Devices.