
Junos OS Release Notes for SRX Series

 

These release notes accompany Junos OS Release 20.2R3 for the SRX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

What’s New

Learn about new features introduced in the Junos OS main and maintenance releases for SRX Series devices.

What’s New in Release 20.2R3

There are no new features in Junos OS Release 20.2R3 for the SRX Series devices.

What’s New in Release 20.2R2

There are no new features in Junos OS Release 20.2R2 for the SRX Series devices.

What’s New in Release 20.2R1

Application Security

  • AppQoE multihoming with active/active deployment (NFX150, NFX250, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and vSRX)—Starting in Junos OS Release 20.2R1, AppQoE is enhanced to support multihoming with active/active deployment. Previously, AppQoE supported multihoming only with active/standby deployment.

    In an active/active deployment, the spoke device connects to multiple hub devices. Application traffic can transit through any of the hub devices whose link meets the SLA requirements, and it can switch seamlessly between hub devices when a service-level agreement (SLA) violation occurs or the active hub device stops responding.

    To support active/active mode, you must enable the BGP multipath to allow the device to select multiple equal-cost BGP paths to reach a given destination.

    [See Application Quality of Experience (AppQoE).]

  • Packet capture of unknown application traffic (NFX Series, SRX Series, and vSRX)—Starting in Junos OS Release 20.2R1, we’ve added a new capability to your security device that allows you to capture unknown application traffic.

    Once you have configured the packet capture options on your security device, the unknown application traffic information is gathered and stored on the device in a packet capture file (.pcap). You can use the packet capture of an unknown application to define a new custom application signature. You can use this custom application signature in a security policy to manage the application traffic more efficiently.

    You can also send the .pcap file to Juniper Networks in cases where the traffic is incorrectly classified, or to request the creation of an application signature.

    [See Application Identification.]

  • Application Quality of Experience (SRX4600)—Starting in Junos OS Release 20.2R1, the SRX4600 supports AppQoE functionality. AppQoE enhances the user experience at the application level by monitoring the performance of business-critical applications. Based on the resulting score, AppQoE selects the best possible link for that application traffic to meet the performance requirements specified in the service-level agreement (SLA).

    The SRX4600 supports AppQoE in both the hub-and-spoke and the full mesh topologies.

    AppQoE support is already available on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and vSRX.

    [See Application Quality of Experience.]

Authentication and Access Control

  • Support to view user identity information in JIMS and Active Directory (SRX Series)—Starting in Junos OS Release 20.2R1, you can search and view user identity information, such as logged-in users, connected devices, and the group list, from Juniper Identity Management Service (JIMS) and an Active Directory (AD) domain. The SRX Series device relies on JIMS to obtain user identity information.

    You can search the user identity information and validate the authentication source to provide access to the device. You can request JIMS to retrieve the group list for the Active Directory domain for identity information of an individual user.

    [See Configure Juniper Identity Management Service to Obtain User Identity Information.]

Flow-Based and Packet-Based Processing

  • IOC NP-cache scaling increased (SRX4600, SRX5000 line of devices)—Starting in Junos OS Release 20.2R1, we have increased the number of hash table entries for IOC3 from 2 million to 20 million wings and for IOC4 from 2 million to 10 million wings on the SRX5000 line of devices, and for the IOC on SRX4600 from 2 million to 5 million wings.

    [See Express Path.]

General Packet Radio Switching (GPRS)

  • Support for Must-IE check and IE removal for GTPv1 and GTPv2 (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Release 20.2R1, Junos OS supports the following information element (IE) enforcement functions for GTPv1 and GTPv2:

    • Must-IE check: Use this function to check for the presence of IEs in GTPv1-C and GTPv2-C messages, which helps to verify message integrity. The device checks for the presence of the Must-IEs of specific GTP messages and forwards the messages only if the Must-IEs are present.

    • IE removal: Use this function to remove IEs from GTPv1-C and GTPv2-C messages. This function helps to retain interoperability between Second-Generation Partnership Project (2GPP) and Third-Generation Partnership Project (3GPP) networks.

    [See Example: Configure Must-IE check for GTPv1 and GTPv2, and Example: Configure IE removal for GTPv1 and GTPv2.]

Intrusion Detection and Prevention (IDP)

  • Policy-based threat profile for IDP (SRX Series)—Starting from Junos OS Release 20.2R1, you can configure IDP rules with threat profiles to define attacker IP and target IP feeds.

    When traffic matches the feed data, IDP provides a feed update that adds the IP information to the Security Intelligence (SecIntel) module.

    This feature allows the SRX Series device to identify threats, to propagate intelligence for real-time enforcement, and to perform endpoint classification.

    [See IDP Policy Rules and IDP Rule Bases, security-intelligence, and Encrypted Traffic Analysis Overview.]

  • Signature language constructs (SRX Series)—Starting in Junos OS Release 20.2R1, the following signature language constructs are supported in the IDP engine so that you can write more efficient signatures that help reduce false attack detections:

    • Byte extract

    • Byte test

    • Byte jump

    • Byte math

    • Is-data-at

    • Detection filter

    [See IDP Signature Language Enhancements.]

Junos Telemetry Interface

  • Packet Forwarding Engine and Routing Engine sensor support on JTI (SRX5400, SRX5600, and SRX5800)—Junos OS Release 20.2R1 provides streaming support for revenue interface statistics through Packet Forwarding Engine (PFE) sensors and pseudo interface statistics through Routing Engine sensors. Sensors are supported through the Junos telemetry interface (JTI) and gRPC remote procedure calls or gRPC Network Management Interface (gNMI) services. The gNMI service is also enabled for the other supported Routing Engine sensors.

    Using JTI and gRPC or gNMI services, you can stream telemetry statistics to an outside collector.

    These interface sensors are supported:

    • Physical interfaces (IFD) (resource path /interfaces/interface/).

    • Logical interfaces (IFL) (resource path /interfaces/interface/subinterfaces/).

    These Routing Engine sensors are supported using gNMI services (previously, only gRPC services were supported):

    • System events (resource path /junos/events).

    • BGP peer information (resource path /network-instances/network-instance/protocols/protocol/bgp/).

    • Memory utilization for routing protocol task (resource path /junos/task-memory-information/).

    • Operational state of Routing Engines, power supply modules, Switch Fabric Boards, Control Boards, Switch Interface Boards, Modular Interface Cards, and Physical Interface Cards (resource path /components/).

    • Link Layer Discovery Protocol (LLDP) (resource path /lldp/).

    • Address Resolution Protocol (ARP) statistics for IPv4 routes (resource path /arp-information/).

    • Network Discovery Protocol (NDP) table state information for IPv6 routes (resource path /nd6-information/).

    • NDP router-advertisement statistics (resource path /ipv6-ra/).

    • IS-IS routing protocol statistics (resource paths /network-instances/network-instance/protocols/protocol/isis/levels/level/ and /network-instances/network-instance/protocols/protocol/isis/interfaces/interface/levels/level/).

    [See Guidelines for gRPC and gNMI Sensors (Junos Telemetry Interface).]

Juniper Extension Toolkit (JET)

  • Python 3 support for JET (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.2R1, Junos OS can use Python 3 to execute JET scripts. To enable unsigned JET Python applications that support Python 3 to run on devices running Junos OS, use the set system scripts language python3 command.

    [See language (Scripts), Develop Off-Device JET Applications, and Develop On-Device JET Applications.]

J-Web

  • Improved VPN usability (SRX Series)—Starting in Junos OS Release 20.2R1, we’ve refreshed the IPsec VPN page. You can see a new improved site-to-site VPN workflow configuration.

    [See About the IPsec VPN Page.]

  • Pass-through tunnel inspection is supported in TAP mode (SRX300 line of devices, SRX550M, SRX1500, SRX4100, and SRX4200)—Starting in Junos OS Release 20.2R1, the J-Web Setup Wizard TAP mode supports pass-through tunnel inspection. This allows the SRX Series device to inspect pass-through traffic over an IP-IP or GRE tunnel.

    [See Start J-Web.]

  • HTTP X-Forwarded-For header support in IDP (SRX Series)—Starting in Junos OS Release 20.2R1, IDP supports the HTTP X-Forwarded-For option. When you enable this option, IDP saves the source IP addresses (IPv4 or IPv6) from the HTTP and SMTP traffic contexts during traffic flow and displays them in the attack logs.

    [See About the Sensor Page.]

  • Enhancements to custom application signatures (SRX Series)—Starting in Junos OS Release 20.2R1, we’ve enhanced custom application signatures with the following:

    • By default, the priority for the custom application is set to Low. This allows a predefined application to take precedence. If you want to override a predefined application, you must set the priority to High.

    • Depth option is supported. Use this byte limit for Application Identification (App ID) to identify custom application patterns for applications running over TCP or UDP or Layer 7 applications.

    • Custom Application Byte Limit is supported in Global Settings. This byte limit helps in understanding when to stop the identification of custom applications.

    [See Add Application Signatures and Global Settings.]

ATP Cloud

  • Support for adaptive threat profiling—Starting in Junos OS Release 20.2R1, you can configure adaptive threat profiling in Juniper Sky ATP. Adaptive Threat Profiling allows SRX Series devices to generate, propagate, and consume threat feeds based on their own advanced detection and policy-match events. You can generate adaptive threat profiling feeds with traditional policies, unified policies with application identification (AppID) or URL-based match criteria, and IDP. Navigate to Configure > Adaptive Threat Profiling in Juniper Sky ATP UI to configure adaptive threat profiling.

    [See Adaptive Threat Profiling Overview and Add Threat Feed for Adaptive Threat Profiling.]

  • Support for encrypted traffic analysis—Starting in Junos OS Release 20.2R1, encrypted traffic analysis is supported in Juniper Networks Sky ATP. Encrypted traffic analysis helps you to detect malicious threats that are hidden in encrypted traffic without intercepting and decrypting the traffic. Navigate to Monitor > Encrypted Traffic in Juniper Sky ATP UI to view detailed information about encrypted traffic analysis-based detections. To configure encrypted traffic analysis, use the security-metadata-streaming command at [edit services] hierarchy level. Use the show services security-metadata-streaming statistics command to view the statistics of the sessions.

    [See Encrypted Traffic Analysis Overview and Encrypted Traffic Analysis Details.]

Logical Systems and Tenant Systems

  • Support for user firewall UAC authentication entries in shared mode for logical systems and tenant systems (SRX Series)—Starting in Junos OS Release 20.2R1, logical systems and tenant systems support user firewall authentication with Unified Access Control (UAC).

    [See Understanding Integrated User Firewall Support in a Tenant System.]

  • User authentication support for tenant systems (SRX Series)—Starting in Release 20.2R1, Junos OS introduces the following authentication support for tenant systems:

    • address-assignment pools: Creates centralized IPv4 and IPv6 address pools independent of the client applications that use the pools.

    • access profiles: Runs authentication and accounting requests.

    • clear network-access aaa subscribers: Clears AAA subscriber statistics and logs out subscribers. You can log out subscribers based on the username or on the subscriber session identifier.

    [See Firewall Authentication for Tenant Systems.]

Multicast

  • Strict packet order for multicast traffic (SRX345 and SRX1500)—Starting in Junos OS Release 20.2R1, we have introduced a new mechanism to maintain multicast traffic order and resolve a packet drop issue. Use the strict-packet-order command at the [edit security flow] hierarchy level to maintain the packet order.

    As part of this enhancement, you can configure the multicast route next-hop resolve attempts. When a multicast route next-hop resolve is unsuccessful, the SRX Series device attempts to resolve the next-hop route based on the specified retry counts. Use the multicast-nh-resolve-retry command at the [edit security flow] hierarchy level to specify the number of retry counts.

    [See flow.]

Network Address Translation (NAT)

  • Increased port block allocation size (SRX5000 line of devices with SPC2 and SPC3 cards)—We've increased the port block allocation size so you can store more log files in the log server.

    • When you disable interim log, you can increase the size of port block allocation from 64 to 8.

    • When you enable interim log, you can increase the size of port block allocation from 128 to 8.

    If you configure a port block allocation size less than 8, the system displays the warning message “warning: To save system memory, the block size is recommended to be no less than 8”.

    [See Guidelines for Configuring Secured Port Block Allocation and Configure Port Block Allocation Size.]

Network Management and Monitoring

  • NETCONF sessions over outbound HTTPS (EX Series, MX Series, PTX1000, PTX3000, PTX5000, PTX10001, PTX10002, PTX10008, PTX10016, QFX Series, SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 20.2R1, the Junos OS with upgraded FreeBSD software image includes a Juniper Extension Toolkit (JET) application that supports establishing a NETCONF session using outbound HTTPS. The JET application establishes a persistent HTTPS connection with a gRPC server over a TLS-encrypted gRPC session and authenticates the NETCONF client using an X.509 digital certificate. A NETCONF session over outbound HTTPS enables you to remotely manage devices that might not be accessible through other protocols, for example, if the device is behind a firewall.

    [See NETCONF Sessions over Outbound HTTPS.]

  • Python 3 support for YANG scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.2R1, Junos OS uses Python 3 to execute YANG action and translation scripts that are written in Python. Junos OS does not support using Python 2.7 to execute YANG Python scripts as of this release.

    [See Understanding Python Automation Scripts for Devices Running Junos OS.]

  • Traffic log enhancement (SRX Series)—Starting in Junos OS Release 20.2R1, we’ve enhanced the traffic log by supporting:

    • Escaping of special characters in stream log forwarding and on-box reporting, to avoid parsing errors. Stream mode supports escaping in the sd-syslog and binary formats; event mode supports escaping only in the binary format.

    • Different security log transport options for different streams.

    • Stream-event mode.

    • Increased maximum length of the stream mode sd-syslog format syslog message to 4*1472 bytes.

    • Different source addresses for different streams.

    • Year and millisecond in timestamps.

    [See log (Security) and mode (Security Log).]

  • CPU usage monitoring (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 20.2R1, you can use the following operational commands to monitor the average CPU usage information for the last minute, hour, or day of an SPC3 card:

    • show security monitoring performance spu summary fpc fpc-slot-number pic pic-slot-number

    • show security monitoring performance spu summary fpc fpc-slot-number pic pic-slot-number thread thread-number

    You can monitor the CPU usage information only when the PIC is online.

    We’ve introduced the new SNMP MIBs jnxJsSPUMonitoringSPUThreadsNumber, jnxJsSPUMonitoringSPUThreadIndex, jnxJsSPUMonitoringSPUThreadLastMinUsage, jnxJsSPUMonitoringSPUThreadLastHourUsage, and jnxJsSPUMonitoringSPUThreadLastDayUsage to monitor the CPU usage information of an SPC3 card.

    [See show snmp mib and show security monitoring performance spu.]
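The traffic log enhancement above lists escaping in the sd-syslog format and timestamps that carry the year and milliseconds. The parser below is an added example written for these notes, not code from Juniper or from the Junos OS documentation: it reads an RFC 5424 structured-data message, honours the backslash escapes inside parameter values so that an escaped quote or closing bracket does not cut a field short (the parsing error that escaping is meant to avoid), and flags messages longer than the 4*1472-byte stream-mode limit. The sample line, its SD-ID and its field names are constructed for the example and are not a capture from an SRX.

```python
import re
from datetime import datetime

# Constructed sample line in RFC 5424 sd-syslog shape; not a capture from an SRX.
# The SD-ID and field names are assumed. The "reason" value carries an escaped
# quote and an escaped ']' so the element must not be terminated early.
SAMPLE_LINE = (
    '<14>1 2020-09-01T12:34:56.789Z srx-fw RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.129 source-address="10.0.0.5" source-port="51234" '
    'destination-address="192.0.2.10" destination-port="443" '
    'reason="policy \\"deny-all\\" [block\\]"]'
)

# Maximum stream-mode sd-syslog message length stated in the release note.
MAX_SD_SYSLOG_LEN = 4 * 1472

# RFC 5424 HEADER: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then the rest.
HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) ?(?P<rest>.*)$'
)

# One SD-PARAM: name="value", where the value may contain backslash escapes.
SD_PARAM = re.compile(r'([^=\s\]]+)="((?:[^"\\]|\\.)*)"')


def unescape_param(value):
    """Undo RFC 5424 escaping of the three characters that must be escaped
    inside a PARAM-VALUE: the double quote, the backslash and ']'."""
    return re.sub(r'\\(["\\\]])', r'\1', value)


def parse_structured_data(text, pos=0):
    """Parse consecutive [SD-ID name="value" ...] elements starting at text[pos].

    Returns ({sd_id: {name: value}}, index just past the last element).
    Escapes inside values are honoured, so an escaped ']' or '"' inside a
    value does not end the element or the value early.
    """
    elements = {}
    n = len(text)
    while pos < n and text[pos] == '[':
        end_id = pos + 1
        while end_id < n and text[end_id] not in ' ]':
            end_id += 1
        sd_id = text[pos + 1:end_id]
        params = {}
        pos = end_id
        while True:
            while pos < n and text[pos] == ' ':
                pos += 1
            if pos >= n:
                raise ValueError('unterminated SD-ELEMENT %r' % sd_id)
            if text[pos] == ']':
                pos += 1
                break
            m = SD_PARAM.match(text, pos)
            if m is None:
                raise ValueError('malformed SD-PARAM at offset %d' % pos)
            params[m.group(1)] = unescape_param(m.group(2))
            pos = m.end()
        elements[sd_id] = params
    return elements, pos


def parse_sd_syslog(line):
    """Parse one sd-syslog line into header fields, a datetime and structured data."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError('not an RFC 5424 message')
    rec = m.groupdict()
    # RFC 5424 timestamps carry the year and fractional seconds (milliseconds here).
    rec['timestamp'] = datetime.fromisoformat(rec['ts'].replace('Z', '+00:00'))
    rest = rec.pop('rest')
    if rest.startswith('['):
        rec['structured_data'], end = parse_structured_data(rest)
        rec['msg'] = rest[end:].lstrip()
    else:
        rec['structured_data'], rec['msg'] = {}, rest
    # Flag messages that exceed the stream-mode limit so a collector can notice truncation.
    rec['oversize'] = len(line.encode()) > MAX_SD_SYSLOG_LEN
    return rec


if __name__ == '__main__':
    parsed = parse_sd_syslog(SAMPLE_LINE)
    print(parsed['msgid'], parsed['timestamp'].isoformat())
    for sd_id, params in parsed['structured_data'].items():
        print(sd_id, params)
```

A naive parser that splits on `]` or on `"` would return a truncated `reason` value and then fail on the remainder of the element; the escape-aware loop above is what makes the enhancement usable on the collector side.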

Platform and Infrastructure

Port Security

  • Media Access Control Security (MACsec) (SRX380)—Starting in Junos OS Release 20.2R1, MACsec is supported on high availability (HA) control and fabric ports of SRX380 devices in chassis cluster mode. MACsec provides secure communication for almost all types of Layer 2 traffic on Ethernet links. MACsec is capable of identifying and preventing most security threats at Layer 2 and can be used in combination with other security protocols to provide end-to-end network security. MACsec is standardized in IEEE 802.1AE.

    [See Media Access Control Security (MACsec) on Chassis Cluster.]

Security

  • Support for security feeds in security policies (SRX Series and vSRX)—Starting in Junos OS Release 20.2R1, you can add source and destination addresses to the security intelligence (SecIntel) profiles to generate security feeds in a security policy. You do this by configuring the security-intelligence configuration statements. After the feeds are generated, you can configure other security policies to use the feeds as a dynamic address to match designated traffic and perform policy actions.

    You can configure the security-intelligence configuration statements as permit, deny, or reject match conditions in a security policy at the following hierarchy levels:

    [See security-intelligence and Encrypted Traffic Analysis Overview.]

  • Enhancements to configuring security policies (SRX Series and vSRX)—Starting in Junos OS Release 20.2R1, we have added advanced connection tracking options to security policies.

    You can configure the advanced-connection-tracking command at the [edit security zones security-zone zone-name] hierarchy level to generate a connection track table using the source IP, destination IP (optional), and destination port (optional) during the session creation stage when traffic enters a given zone. This connection track mapping table also appears on the backup node in a high availability (HA) pair.

    You can configure the advanced-connection-tracking option under [edit security policies from-zone zone-name to-zone zone-name policy policy-name then permit] to require that traffic matching the policy perform a lookup in the to-zone’s connection track mapping table using the new session’s key information. If there is no match, a new connection is not created.

    [See advanced-connection-tracking.]

Software Installation and Upgrade

  • Zero-touch provisioning (ZTP) enhancements to support both DHCP options and phone-home client (SRX300, SRX320, SRX340, SRX345, SRX550HM, and SRX1500)—Starting in Junos OS Release 20.2R1, you can use zero-touch provisioning with DHCP options or the phone-home client to provision your device. As part of the factory-default configuration, both ZTP and the phone-home client are included and run at the same time when the device boots in factory-default mode. ZTP with DHCP options has the first priority for provisioning. The device checks for DHCP bindings; if there are DHCP bindings but they do not carry the necessary ZTP-related options (such as a file server and at least one image file or configuration file), the phone-home client takes over the provisioning process.

    [See Zero Touch Provisioning.]

Unified Threat Management (UTM)

  • UTM CLI test commands for Web filtering and antispam features (SRX Series)—Starting in Release 20.2R1, Junos OS introduces the following test commands that help you to configure Enhanced Web Filtering:

    • test security utm enhanced-web-filtering url-check <test-url>: Checks the category of a test string.

    • test security utm web-filtering profile <profile-name> <test-url>: Checks the reputation of a test string.

    Junos OS introduces the following test command for the antispam feature:

    • test security utm anti-spam ip-check <test-IP>: Checks whether the IP address is a spam source.

    [See Unified Threat Management User Guide.]

  • CDF mode and inline-tap mode for AV—Starting in Release 20.2R1, Junos OS introduces continuous delivery function (CDF) and inline-tap mode at the existing [edit security utm default-configuration anti-virus] hierarchy level. Continuous delivery function holds the last packet and sends out the other packets. This reduces system memory usage and speeds up the traffic. Inline-tap mode permits the traffic even if it is infected. Use inline-tap mode to check the antivirus feature without blocking or modifying the traffic.

    [See Unified Threat Management User Guide.]

  • Safe search enhancement for Web filtering (SRX Series and vSRX)—Starting in Junos OS Release 20.2R1, we’ve introduced safe search UTM Web filtering on well-known search engines. This safe search enhancement enforces the safest Web browsing mode available, by default. You can disable the safe search option at the Web filtering-level and profile-level configurations. You can also block search engine cache on the well-known search engines. By blocking the search engine cache, you can hide your Web-browsing activities from other users if you are a part of an organization that has multiple Web users in educational, financial, health-care, banking, and corporate segments.

    [See Safe Search Enhancement for Web Filtering, feature-profile, websense-redirect, and juniper-local.]

What's Changed

Learn about what changed in the Junos OS main and maintenance releases for SRX Series.

What's Changed in Release 20.2R3

Flow-Based and Packet-Based Processing

  • On SRX Series devices in earlier releases, no alarm was set when the session table was full. Starting in this release, when flow session table utilization reaches 95% on an FPC and PIC, the alarm message “Flow session table is almost full on FPC <number> PIC <number>” is set. Similarly, when DCP session table utilization reaches 95% on an FPC and PIC, the alarm message “DCP session table is almost full on FPC <number> PIC <number>” is set.

  • Self-generated IKE packets choose the outgoing interface matching the source IP address (SRX Series)—A self-generated Internet Key Exchange (IKE) packet always selects the ECMP outgoing interface that matches its source IP address. Note that filter-based forwarding for self-generated traffic with rerouting is not supported.
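The first item above names two alarm messages that a monitoring pipeline should catch before the session table fills and new flows start to be dropped. The snippet below is an added example, not Juniper's own code or output: it scans syslog lines for those alarm strings, collapses repeats per FPC and PIC, and applies the same 95% threshold to session counts obtained by polling. The sample lines and their syslog prefix are constructed for the example; only the alarm text itself comes from the release note.

```python
import re
from collections import Counter

# Alarm text from the release note, with the FPC and PIC numbers as captures.
ALARM_RE = re.compile(
    r'(?P<table>Flow|DCP) session table is almost full on FPC (?P<fpc>\d+) PIC (?P<pic>\d+)'
)

# Utilization at which the device raises the alarm (from the release note).
ALARM_THRESHOLD_PERCENT = 95

# Constructed sample log lines. The syslog prefix and process name are assumed;
# the second line repeats the first alarm, the last line is unrelated noise.
SAMPLE_LOG = """\
Sep  1 12:00:01 srx-fw alarmd[1234]: Alarm set: Flow session table is almost full on FPC 0 PIC 1
Sep  1 12:00:31 srx-fw alarmd[1234]: Alarm set: Flow session table is almost full on FPC 0 PIC 1
Sep  1 12:01:02 srx-fw alarmd[1234]: Alarm set: DCP session table is almost full on FPC 1 PIC 0
Sep  1 12:01:05 srx-fw sshd[555]: Accepted publickey for admin from 10.0.0.9
"""


def find_table_alarms(lines):
    """Return one record per distinct (table, fpc, pic) alarm with a hit count.

    Repeated alarms for the same FPC/PIC are collapsed so that a ticketing
    system receives one item per affected table, not one per log line.
    """
    counts = Counter()
    for line in lines:
        m = ALARM_RE.search(line)
        if m:
            key = (m.group('table'), int(m.group('fpc')), int(m.group('pic')))
            counts[key] += 1
    return [
        {'table': table, 'fpc': fpc, 'pic': pic, 'hits': hits}
        for (table, fpc, pic), hits in sorted(counts.items())
    ]


def table_almost_full(used, capacity, threshold=ALARM_THRESHOLD_PERCENT):
    """Apply the same percentage rule to a (used, capacity) pair obtained by
    polling, for environments that poll session counts rather than collect
    alarms. Integer arithmetic avoids float rounding at the boundary."""
    if capacity <= 0:
        raise ValueError('capacity must be positive')
    return used * 100 >= threshold * capacity


if __name__ == '__main__':
    for rec in find_table_alarms(SAMPLE_LOG.splitlines()):
        print('%(table)s table on FPC %(fpc)d PIC %(pic)d seen %(hits)d time(s)' % rec)
```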

Junos OS XML API and Scripting

  • The jcs:invoke() function supports suppression of root login and logout events in system log files for SLAX commit scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The jcs:invoke() extension function supports the no-login-logout parameter in SLAX commit scripts. If you include the parameter, the function does not generate and log UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages when the script logs in as root to execute the specified RPC. If you omit the parameter, the function behaves as in earlier releases in which the root UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages are logged in system log files.

    [See invoke() Function (SLAX and XSLT).]

  • The jcs:invoke() function supports suppression of root login and logout events in system log files for SLAX event scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The jcs:invoke() extension function supports the no-login-logout parameter in SLAX event scripts. If you include the parameter, the function does not generate and log UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages when the script logs in as root to execute the specified RPC. If you omit the parameter, the function behaves as in earlier releases in which the root UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages are logged in system log files.

    [See invoke() Function (SLAX and XSLT).]

  • Unable to Upgrade a Chassis Cluster Using In-Service Software Upgrade (SRX5400)—In chassis cluster mode, the backup router destination address for IPv4 and IPv6, configured with [edit system backup-router address destination destination-address] and [edit system inet6-backup-router address destination destination-address], must not be the same as the interface address configured for IPv4 and IPv6 with [edit interfaces interface-name unit logical-unit-number family inet address ipv4-address] and [edit interfaces interface-name unit logical-unit-number family inet6 address ipv6-address].

    [See Troubleshooting Chassis Cluster Management Issues.]

Network Management and Monitoring

  • Changes to <commit> RPC responses in RFC-compliant NETCONF sessions (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—When you configure the rfc-compliant statement at the [edit system services netconf] hierarchy level, the NETCONF server's response for <commit> operations includes the following changes:

    • If a successful <commit> operation returns a response with one or more warnings, the warnings are redirected to the system log file, in addition to being omitted from the response.

    • The NETCONF server response emits the <source-daemon> element as a child of the <error-info> element instead of the <rpc-error> element.

    • If you also configure the flatten-commit-results statement at the [edit system services netconf] hierarchy level, the NETCONF server suppresses any <commit-results> XML subtree in the response and emits only an <ok> or <rpc-error> element.

    [See Configuring RFC-Compliant NETCONF Sessions.]
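A NETCONF client that automates commits has to cope with both response shapes described above. The parser below is an added example, not part of Junos OS or of any Juniper library: it summarises an <rpc-reply> to <commit>, finds <source-daemon> whether it sits under <error-info> (rfc-compliant placement) or directly under <rpc-error> (the earlier placement), and reports whether a <commit-results> subtree is present, which flatten-commit-results suppresses. The sample replies, the daemon name, the message text and the contents of <commit-results> are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NETCONF_NS = 'urn:ietf:params:xml:ns:netconf:base:1.0'

# Constructed sample replies. The element names <ok>, <rpc-error>, <error-info>,
# <source-daemon> and <commit-results> come from the release note; the daemon
# name and message text are placeholders.
OK_REPLY = f'<rpc-reply xmlns="{NETCONF_NS}" message-id="101"><ok/></rpc-reply>'

RFC_COMPLIANT_ERROR_REPLY = (
    f'<rpc-reply xmlns="{NETCONF_NS}" message-id="102">'
    '<rpc-error>'
    '<error-type>protocol</error-type>'
    '<error-tag>operation-failed</error-tag>'
    '<error-severity>error</error-severity>'
    '<error-message>example commit failure</error-message>'
    '<error-info><source-daemon>example-daemon</source-daemon></error-info>'
    '</rpc-error>'
    '</rpc-reply>'
)

# Earlier placement: <source-daemon> directly under <rpc-error>.
LEGACY_ERROR_REPLY = (
    f'<rpc-reply xmlns="{NETCONF_NS}" message-id="103">'
    '<rpc-error>'
    '<error-severity>error</error-severity>'
    '<error-message>example commit failure</error-message>'
    '<source-daemon>example-daemon</source-daemon>'
    '</rpc-error>'
    '</rpc-reply>'
)

# Reply without flatten-commit-results: a <commit-results> subtree accompanies
# <ok/>. The subtree contents here are an assumed placeholder.
UNFLATTENED_OK_REPLY = (
    f'<rpc-reply xmlns="{NETCONF_NS}" message-id="104">'
    '<commit-results><routing-engine><name>re0</name></routing-engine></commit-results>'
    '<ok/>'
    '</rpc-reply>'
)


def local_name(tag):
    """Strip the namespace from an ElementTree tag ('{ns}name' -> 'name')."""
    return tag.rsplit('}', 1)[-1]


def child_text(elem, name):
    """Text of the first descendant called `name`, in any namespace, or None."""
    for node in elem.iter():
        if node is not elem and local_name(node.tag) == name:
            return (node.text or '').strip()
    return None


def parse_commit_reply(xml_text):
    """Summarise a NETCONF <rpc-reply> to <commit>.

    Handles both response shapes described in the release note: the
    rfc-compliant one (source-daemon under error-info, optionally flattened
    results) and the earlier one (source-daemon directly under rpc-error).
    """
    root = ET.fromstring(xml_text)
    if local_name(root.tag) != 'rpc-reply':
        raise ValueError('not an <rpc-reply>')
    errors = []
    for child in root:
        if local_name(child.tag) != 'rpc-error':
            continue
        errors.append({
            'severity': child_text(child, 'error-severity'),
            'tag': child_text(child, 'error-tag'),
            'message': child_text(child, 'error-message'),
            # child_text walks all descendants, so <source-daemon> is found
            # whether it sits under <error-info> or directly under <rpc-error>.
            'source_daemon': child_text(child, 'source-daemon'),
        })
    return {
        'ok': any(local_name(c.tag) == 'ok' for c in root),
        'has_commit_results': any(local_name(c.tag) == 'commit-results' for c in root),
        # A commit succeeded only if <ok/> is present and no error-severity error was reported.
        'succeeded': any(local_name(c.tag) == 'ok' for c in root)
        and not any(e['severity'] == 'error' for e in errors),
        'errors': errors,
    }


if __name__ == '__main__':
    for reply in (OK_REPLY, RFC_COMPLIANT_ERROR_REPLY, LEGACY_ERROR_REPLY, UNFLATTENED_OK_REPLY):
        print(parse_commit_reply(reply))
```

Matching on local names rather than on a fixed namespace keeps the parser working whether the server qualifies the Juniper-specific <source-daemon> element or not; automation that hard-codes the <rpc-error>/<source-daemon> path would silently lose the daemon name once rfc-compliant is enabled.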

User Interface and Configuration

  • Verbose format option to export JSON configuration data (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The Junos OS CLI exposes the verbose statement at the [edit system export-format json] hierarchy level. We changed the default format to export configuration data in JSON from verbose to ietf starting in Junos OS Release 16.1R1. You can explicitly specify the default export format for JSON configuration data by configuring the appropriate statement at the [edit system export-format json] hierarchy level. Although the verbose statement is exposed in the Junos OS CLI as of the current release, you can configure this statement starting in Junos OS Release 16.1R1.

    [See export-format.]

What's Changed in Release 20.2R2

J-Web

  • Change in the J-Web browser tab title (SRX Series)—The J-Web browser tab title displays the device model and the hostname. The same details are displayed when you hover over the J-Web browser tab.

    For example, when you access J-Web for an SRX320 device with the hostname srx320-xyz, the J-Web browser tab displays the title as J-Web (srx320 – srx320-xyz).

    If the hostname is not configured, you can see the host URL or IP address in the J-Web browser tab title. For example, J-Web (srx320 – <device IP address>).

Platform and Infrastructure

  • Support for fully qualified domain name (FQDN) for log server (SRX Series)—Starting in Junos OS Release, you can configure the TTL value for a DNS server cache with a hostname or IP address.

    [See Configuring the TTL Value for DNS Server Caching.]

Routing Protocols

  • Advertising 32 secondary loopback addresses to the traffic engineering database as prefixes (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—We've made changes to export multiple loopback addresses to the lsdist.0 and lsdist.1 routing tables as prefixes. This eliminates the issue of secondary loopback addresses being advertised as router IDs instead of as prefixes. In earlier releases, multiple secondary loopback addresses in the traffic engineering database were added to the lsdist.0 and lsdist.1 routing tables as part of the node characteristics and were advertised as the router ID.

System Log

VPNs

  • The junos-ike package is installed by default (SRX5000 Series devices)—For SRX5000 Series devices with RE3 installed, the junos-ike package is installed by default. As a result, the iked and ikemd processes run on the Routing Engine by default instead of the IPsec key management daemon (kmd). In earlier Junos OS releases, the junos-ike package was an optional package for SRX5000 Series devices with RE3, and the IPsec Key Management Daemon (KMD) ran by default.

    [See Enabling IPsec VPN Feature Set on SRX5K-SPC3 Services Processing Card.]

  • IKE index displayed in show security ipsec security-associations detail output (SRX5400, SRX5600, and SRX5800)—When you execute the show security ipsec security-associations detail command, a new output field, IKE SA Index, corresponding to every IPsec Security Association (SA) within a tunnel is displayed under each IPsec SA's information.

    [See show security ipsec security-associations.]

What's Changed in Release 20.2R1-S1

Network Address Translation (NAT)

  • Port block allocation support (SRX300, SRX320, SRX340, SRX345, SRX380, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600)—Starting in Junos OS Release 20.2R1-S1, you can configure a port block allocation size of 1 through 64512. To save system memory, the recommended port block allocation size is 64. If you configure a port block allocation size smaller than 64, the system displays the warning message “warning: To save system memory, the block size is recommended to be no less than 64”. In earlier releases, you could configure a port block allocation size of 1 through 64512 on SRX5400, SRX5600, and SRX5800 devices only.

    [See Configure Port Block Allocation Size.]

What's Changed in Release 20.2R1

Application Security

  • Junos OS Release 20.2R1 introduces a new CLI configuration statement depth under set services application-identification application application-name over application signature signature-name member number hierarchy. You can use this configuration statement to specify the byte limit for application identification (AppID) to identify the custom application pattern for the applications running over TCP or UDP or Layer 7 applications.

    Starting in Junos OS Release 20.2R1, you can display the configured depth value in J-Web using the show services application-identification application detail command.

    In the above sample, you can see the configured value of the depth is displayed as 4.

    [See Application Identification.]

  • Starting in Junos OS Release 20.2R1, the syntax of the commands used for displaying the SLA profile details has changed as follows:

    Syntax in Junos OS Releases prior to 20.2R1:

      show security advance-policy-based-routing sla profile sla-profile-name application application-name destination-group-name destination-group-name status

    Syntax in Junos OS Release 20.2R1 or later:

      show security advance-policy-based-routing sla profile profile-name application application-name next-hop next-hop-id status

    Syntax in Junos OS Releases prior to 20.2R1:

      show security advance-policy-based-routing sla profile sla-profile-name application application-name destination-group-name destination-group-name

    Syntax in Junos OS Release 20.2R1 or later:

      show security advance-policy-based-routing sla profile profile-name application application-name next-hop next-hop-id

    [See show security advance-policy-based-routing sla profile (Application Name), show security advance-policy-based-routing sla profile (Next-Hop), and show security advance-policy-based-routing sla profile (Status).]

Class of Service (CoS)

  • We've corrected the output of the show class-of-service interface | display xml command. The output previously appeared as:

        <container>
          <leaf-1> data </leaf-1>
          <leaf-2> data </leaf-2>
          <leaf-3> data </leaf-3>
          <leaf-1> data </leaf-1>
          <leaf-2> data </leaf-2>
          <leaf-3> data </leaf-3>
        </container>

    It now appears as:

        <container>
          <leaf-1> data </leaf-1>
          <leaf-2> data </leaf-2>
          <leaf-3> data </leaf-3>
        </container>
        <container>
          <leaf-1> data </leaf-1>
          <leaf-2> data </leaf-2>
          <leaf-3> data </leaf-3>
        </container>

Flow-Based and Packet-Based Processing

  • ECMP load balancing in chassis cluster (SRX Series)—Starting in Junos OS Release 20.2R1, in a chassis cluster setup, logic has been added to skip the reroute for backup sessions in order to avoid reroute flapping between primary and secondary sessions. However, a reroute can change the chassis interface of a flow session, so a backup session can become a primary session after the reroute; the reroute cannot be skipped for such a session.

    With the changed logic, the session reroute is skipped only for packets received from the chassis interface. This ensures that the session continues as the backup session even after a reroute changes the outgoing interface. In all other cases, the reroute is not skipped for backup sessions.

  • Simplified HA (SRX Series)—Starting in Junos OS Release 20.2R1, on SRX Series devices in a simplified HA setup, when you clear the sessions using the clear security flow session command, some warm sessions persist for an extended duration. To clear these warm sessions, a new CLI command, clear security flow session session-state warm, is introduced.

    clear security flow session all

Juniper Extension Toolkit (JET)

  • PASS keyword required for Python 3 JET applications (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—If you are writing a JET application using Python 3, include the PASS keyword in the Exception block of the script. Otherwise, the application throws an exception when you attempt to run it.

    [See Develop Off-Device JET Applications and Develop On-Device JET Applications.]

  • Updates to IDL for RIB service API bandwidth field (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The IDL for the RouteGateway RIB service API has been updated to document additional rules for the bandwidth field. You must set bandwidth only if a next hop has more than one gateway, and if you set it for one gateway on a next hop, you must set it for all gateways. If you set bandwidth when there is only a single usable gateway, it is ignored. If you set bandwidth for one or more gateways but not all gateways on a next hop, you see the error code BANDWIDTH_USAGE_INVALID.

    [See Juniper EngNet.]
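    The rule above is easy to get wrong on the client side, because the server silently ignores bandwidth on a single gateway but rejects a partially populated next hop. As an added example (not Juniper's JET client code or the RIB service IDL), the following Python pre-check applies the documented rule to a next hop before the route request is sent. The Gateway dataclass, its field names and the function name are this example's own simplification; only the BANDWIDTH_USAGE_INVALID error code comes from the release note.

```python
"""Client-side pre-check of the RIB service 'bandwidth' rule for one next hop.

Added example, not Juniper code. Gateway is a simplified stand-in for the
RouteGateway message; the check mirrors the rule stated in the release note."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Error code named in the release note for a partially populated next hop.
BANDWIDTH_USAGE_INVALID = "BANDWIDTH_USAGE_INVALID"


@dataclass(frozen=True)
class Gateway:
    """One gateway of a next hop (field names are this example's assumption)."""
    address: str
    interface: str
    bandwidth: Optional[int] = None  # None means the field is not set


def check_bandwidth_usage(gateways: List[Gateway]) -> Tuple[Optional[str], List[Gateway]]:
    """Apply the documented bandwidth rule to a next hop.

    Returns (error_code, gateways_to_send):
      * one gateway: bandwidth is ignored by the API, so it is stripped here to
        keep the request explicit; no error;
      * several gateways with bandwidth on all or on none: accepted as-is;
      * several gateways with bandwidth on only some: BANDWIDTH_USAGE_INVALID,
        the same error the API would return, caught before the RPC is made.
    """
    if not gateways:
        raise ValueError("a next hop needs at least one gateway")
    if len(gateways) == 1:
        return None, [replace(gateways[0], bandwidth=None)]
    with_bandwidth = sum(1 for g in gateways if g.bandwidth is not None)
    if 0 < with_bandwidth < len(gateways):
        return BANDWIDTH_USAGE_INVALID, list(gateways)
    return None, list(gateways)


def main() -> None:
    # Constructed next hops exercising each branch of the rule.
    cases = {
        "single gateway, bandwidth set": [Gateway("10.0.0.1", "ge-0/0/0.0", 1_000_000)],
        "two gateways, bandwidth on one": [
            Gateway("10.0.0.1", "ge-0/0/0.0", 1_000_000),
            Gateway("10.0.0.2", "ge-0/0/1.0"),
        ],
        "two gateways, bandwidth on both": [
            Gateway("10.0.0.1", "ge-0/0/0.0", 1_000_000),
            Gateway("10.0.0.2", "ge-0/0/1.0", 2_000_000),
        ],
    }
    for label, gateways in cases.items():
        error, to_send = check_bandwidth_usage(gateways)
        print(f"{label}: error={error}, sending={[g.bandwidth for g in to_send]}")


if __name__ == "__main__":
    main()
```

    Running the check before the RPC turns a server-side rejection into a local validation failure, which is easier to surface in a pipeline that programs routes in bulk.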

Juniper Sky ATP

  • Dynamic address entries on SRX Series devices in chassis cluster mode—Starting in Junos OS Release 20.2R1, for SRX Series devices in chassis cluster mode, the dynamic address entry list is retained on the device even after the device is rebooted following a loss of connection to Juniper Sky Advanced Threat Prevention (ATP).

Network Management and Monitoring

  • Request support information for IPsec VPN (SRX Series)—Starting in Junos OS Release 20.2R1, we’ve introduced the CLI ipsec-vpn option to the request support information security-components command. This new option displays all the configuration, states, and statistics information necessary for debugging IPsec VPN related issues.

    [See request support information.]

  • Junos OS only supports using Python 3 to execute YANG Python scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.2R1, Junos OS uses Python 3 to execute YANG action and translation scripts that are written in Python. In earlier releases, Junos OS used Python 2.7 to execute these scripts.

    [See Understanding Python Automation Scripts for Devices Running Junos OS.]

VPNs

  • New vendor ID for Internet Key Exchange (SRX Series)—In Junos OS Release 20.2R1, we’ve introduced a new vendor ID, Juniper Networks, for IKEv1 and IKEv2, which is advertised to the peer.

    [See Understanding IKE and IPsec Packet Processing.]

  • Change in CLI options help text description (SRX Series)—Starting in Junos OS Release 20.2R1, we’ve changed the help text description to NOT RECOMMENDED for the following CLI options under the [edit security ike proposal proposal-name], [edit security ike policy policy-name], [edit security ipsec proposal proposal-name], and [edit security ipsec policy policy-name] hierarchies.

    Hierarchy, CLI options, and help text description:

    [edit security ike proposal proposal-name authentication-algorithm]
        md5                NOT RECOMMENDED
        sha1               NOT RECOMMENDED

    [edit security ike proposal proposal-name encryption-algorithm]
        3des-cbc           NOT RECOMMENDED
        des-cbc            NOT RECOMMENDED

    [edit security ike proposal proposal-name dh-group]
        group1             NOT RECOMMENDED
        group14            NOT RECOMMENDED
        group2             NOT RECOMMENDED
        group5             NOT RECOMMENDED

    [edit security ike proposal proposal-name authentication-method]
        dsa-signatures     NOT RECOMMENDED

    [edit security ike policy policy-name proposal-set]
        basic              NOT RECOMMENDED
        compatible         NOT RECOMMENDED
        standard           NOT RECOMMENDED

    [edit security ipsec policy policy-name proposal-set]
        basic              NOT RECOMMENDED
        compatible         NOT RECOMMENDED
        standard           NOT RECOMMENDED

    [edit security ipsec proposal proposal-name encryption-algorithm]
        3des-cbc           NOT RECOMMENDED
        des-cbc            NOT RECOMMENDED

    [edit security ipsec proposal proposal-name authentication-algorithm]
        hmac-md5-96        NOT RECOMMENDED
        hmac-sha1-96       NOT RECOMMENDED

    [edit security ipsec policy policy-name perfect-forward-secrecy keys]
        group1             NOT RECOMMENDED
        group2             NOT RECOMMENDED
        group5             NOT RECOMMENDED
        group14            NOT RECOMMENDED

    [See authentication-algorithm (Security IPsec) and encryption-algorithm (Security IKE).]
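    The help text change only warns an operator who is typing at the CLI; configurations already committed, or generated by templates, are not re-examined. As an added example (not Juniper code), the following Python script audits a Junos configuration in set format against the table above and reports every committed value that Junos OS Release 20.2R1 now labels NOT RECOMMENDED. The list of flagged options is taken from the table; the matching logic, function names and the sample configuration are this example's own.

```python
"""Audit a Junos OS configuration (set format) for IKE/IPsec options whose
CLI help text reads NOT RECOMMENDED as of Junos OS Release 20.2R1.

Added example, not Juniper code. The option table mirrors the release note;
the matching logic, function names and sample configuration are this
example's own."""
import re
from typing import Dict, List, Tuple

# Statement path -> option values flagged NOT RECOMMENDED. '*' stands for the
# user-chosen proposal or policy name in the hierarchy.
NOT_RECOMMENDED: Dict[str, Tuple[str, ...]] = {
    "security ike proposal * authentication-algorithm": ("md5", "sha1"),
    "security ike proposal * encryption-algorithm": ("3des-cbc", "des-cbc"),
    "security ike proposal * dh-group": ("group1", "group14", "group2", "group5"),
    "security ike proposal * authentication-method": ("dsa-signatures",),
    "security ike policy * proposal-set": ("basic", "compatible", "standard"),
    "security ipsec policy * proposal-set": ("basic", "compatible", "standard"),
    "security ipsec proposal * encryption-algorithm": ("3des-cbc", "des-cbc"),
    "security ipsec proposal * authentication-algorithm": ("hmac-md5-96", "hmac-sha1-96"),
    "security ipsec policy * perfect-forward-secrecy keys": ("group1", "group2", "group5", "group14"),
}

Finding = Tuple[str, str]  # ([edit ...] hierarchy with the real name filled in, flagged value)


def _statement_regex(path: str) -> "re.Pattern[str]":
    """Turn a statement path into a regex over one 'set ...' line.
    Group 1 captures the object name, group 2 the configured value."""
    tokens = [r"(\S+)" if tok == "*" else re.escape(tok) for tok in path.split()]
    return re.compile(r"^set\s+" + r"\s+".join(tokens) + r"\s+(\S+)\s*$")


_RULES = [(path, _statement_regex(path), values) for path, values in NOT_RECOMMENDED.items()]


def audit_config(config_lines: List[str]) -> List[Finding]:
    """Return one finding per configuration line that sets a flagged value."""
    findings: List[Finding] = []
    for raw in config_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for path, regex, values in _RULES:
            match = regex.match(line)
            if match and match.group(2) in values:
                hierarchy = "[edit " + path.replace("*", match.group(1)) + "]"
                findings.append((hierarchy, match.group(2)))
                break  # one 'set' line sets exactly one statement
    return findings


# Constructed sample configuration: one current proposal and one legacy one.
SAMPLE_CONFIG = """\
set security ike proposal ike-prop-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-1 dh-group group19
set security ike proposal ike-prop-1 authentication-algorithm sha-256
set security ike proposal ike-prop-1 encryption-algorithm aes-256-cbc
set security ike proposal ike-legacy authentication-algorithm sha1
set security ike proposal ike-legacy encryption-algorithm 3des-cbc
set security ike proposal ike-legacy dh-group group2
set security ike policy ike-pol-1 proposal-set compatible
set security ipsec proposal ipsec-prop-1 encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-prop-1 authentication-algorithm hmac-sha1-96
set security ipsec policy ipsec-pol-1 perfect-forward-secrecy keys group19
"""


def main() -> None:
    for hierarchy, value in audit_config(SAMPLE_CONFIG.splitlines()):
        print(f"{hierarchy} {value}: NOT RECOMMENDED")


if __name__ == "__main__":
    main()
```

    Feed it the output of show configuration | display set from a device, or the rendered output of a configuration template, and it reports only statements that appear in the table; a dh-group or proposal-set value not listed there is passed over silently, so the table constant is the single place to update when the vendor's list changes.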

  • Change in thread ID configuration (SRX Series)—Starting in Junos OS Release 20.2R1, when you add, change, or delete the thread ID in a distribution profile at [edit security distribution-profile profile-name fpc slot-number pic slot-number thread-id], all tunnels that belong to the modified distribution profile and are anchored on the modified SPU member of that profile are torn down and renegotiated.

    [See distribution-profile.]

Known Limitations

Learn about known limitations in this release for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Flow-Based and Packet-Based Processing

  • Due to internal message failures between the Routing Engine and the Packet Forwarding Engine, some packets are missing from the PCAP files when you use the JDPI unknown packet capture feature. PR1491919

  • Committing a large number of custom applications with a single member, a single context, and a varying pattern might cause the commit to take a significant amount of time to complete. You can check the commit status using show services application-identification commit-status. PR1493127

J-Web

  • When a dynamic application is created for an edited policy rule, the list of services is blank when the Services tab is clicked and then the policy grid is autorefreshed. As a workaround, create a dynamic application as the last action while modifying the policy rule and click the Save button to avoid loss of configuration changes made to the policy rule. PR1460214

  • For a spoke device in a hub-and-spoke topology, J-Web shows the VPN topology as Site to Site. PR1495973

VPNs

  • When multiple traffic selectors are configured on a particular VPN, the iked process checks for a maximum of 1 DPD probe that is sent to the peer for the configured DPD interval. The DPD probe is sent to the peer if traffic flows over even one of the tunnels for the given VPN object. PR1366585

  • On the SRX5000 line of devices with an SPC3 card, sometimes IKE SA is not seen on the device when the st0 binding on the VPN configuration object is changed from one interface to another (for example, st0.x to st0.y). PR1441411

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, with 60,000 tunnels up, when RG0 failover happens while an IPsec and/or IKE rekey is in progress, those rekeying tunnels might go down and traffic loss might be seen until the tunnel is reestablished. PR1471499

  • In SPC2 and SPC3 mixed-mode HA deployments, the tunnels-per-second (TPS) rate is affected while dead peer detection (DPD) is being served on existing tunnels. This limitation is due to a large share of CPU being occupied by the infrastructure (gencfg) used by IKED to synchronize its DPD state to the backup nodes. PR1473482

  • On SRX Series devices, the accounting stop message is not being sent after deactivating the access profile under the security IKE gateway. PR1485732

Open Issues

Learn about open issues in this release for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Flow-Based and Packet-Based Processing

  • Use an antireplay window size of 512 for IPv6 in fat-tunnel. The ESP sequence check might otherwise report out-of-order packets, because the fat-tunnel parallel encryption can reorder packets within a span of 384 (12 cores * 32 packets in one batch). With a 512-packet antireplay window, no out-of-order packets are reported. PR1470637

  • You need to configure the default IPv6 route (egress is fxp0) if you use an IPv6 GRE or IP-IP tunnel together with a dynamic routing protocol (BGP, OSPF, and so on) in Layer 3 HA. Use the following configuration example (2010::1 is in the same subnet as fxp0):

        set groups global routing-options rib inet6.0 static route 0::0/0 next-hop 2010::1
        set groups global routing-options rib inet6.0 static route 0::0/0 retain
        set groups global routing-options rib inet6.0 static route 0::0/0 no-readvertise

    PR1482616

J-Web

  • On the SRX5000 line of devices, J-Web might not be responsive sometimes when you commit configuration changes after adding a new dynamic application while creating a new firewall rule. J-Web displays a warning while validating the configuration due to dynamic application or any other configuration changes. As a workaround, refresh the J-Web page. PR1460001

  • Configuration of global settings options of IPsec VPN such as TCP encap profile, IPsec power mode and IKE package installation are not supported from J-Web. PR1496439

Routing Policy and Firewall Filters

  • When the CLI show security match-policy command is used with url-category as a match item and the destination IP address is not divisible by 3, an incorrect result might be returned. PR1483251

VPNs

  • In the output of the show security ipsec inactive-tunnels command, Tunnel Down Reason is not displayed as this functionality is not supported in Junos OS Release 18.2R2 and later. PR1383329

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, a new behavior has been introduced that differs from the behavior on the older SPC2 card. The SRX Series device with AutoVPN configuration can now accept multiple IPsec tunnels from a peer device (with the same source IP address and port number) using different IKE IDs. PR1407356

  • On the SRX5000 line of devices with an SPC3 card, sometimes IKE SA is not seen on the device when the st0 binding on the VPN configuration object is changed from one interface to another (for example, st0.x to st0.y). PR1441411

  • Tunnel debugging configuration is not synchronized to the backup node. It needs to be configured again after RG0 failover. PR1450393

  • On the SRX5000 line of devices with SPC3 and SPC2 mixed mode, with a very large number of IKE peers (60,000) with dead peer detection (DPD) enabled, IPsec tunnels might flap in some cases when IKE and IPsec rekeys are happening at the same time. PR1473523

  • Some TCP connections going through IPsec tunnels are getting stuck after RG1 failover. PR1477184

  • During 10,000 tunnel ramp-up, sometimes, IKED generates a core file. PR1479548

  • The SRX5000 line of devices with SPC3 was not supporting simultaneous IKE negotiation in Junos OS Releases 19.2, 19.3, 19.4, and 20.1. PR1497297

Resolved Issues

Learn which issues were resolved in the Junos OS main and maintenance releases for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 20.2R3

Chassis Clustering

  • Disabled node on SRX chassis cluster sends out ARP request packets. PR1548173

  • SPU might stop under GPRS tunneling protocol scenario. PR1559802

Flow-Based and Packet-Based Processing

  • The rst-invalidate-session command does not work if configured together with the no-sequence-check command. PR1541954

  • Configuration archive transfer-on-commit fails on Junos OS Release 18.2R3-S6.5. PR1563641

  • Traffic loss might be seen when a large number of applications or addresses is referenced by one policy. PR1576038

General Routing

  • The TCP packet might be dropped if syn-proxy protection is enabled. PR1521325

  • On SRX Series devices with chassis cluster, high CPU usage might be seen due to the llmd process. PR1521794

  • Certificate validation might fail when OCSP is used and the OCSP server is a dual-stack device. PR1525924

  • On the SRX1500 device, the traffic rate shown in the CLI command is not accurate. PR1527511

  • The MAC table is null in Layer 2 mode after one pass-through session is created successfully. PR1528286

  • Junos OS: Memory leak when querying Aggregated Ethernet (AE) interface statistics (CVE-2021-0230). PR1528605

  • On SRX4100 and SRX4200 devices, four out of eight fans might not work. PR1534706

  • Junos OS: SRX Series: An assertion failure in BIND can be used to trigger a Denial of Service (DoS) (CVE-2020-8622). PR1537737

  • The firewall filter SA and DA tags are not in the log messages as expected in port details. PR1539338

  • Packet drop might be seen when a packet with destination port 0 is received on the SRX380 device. PR1540414

  • The JNH memory might leak on the Trio-based line cards. PR1542882

  • Tail drops might occur on SRX Series devices if shaping-rate is configured on lt interface. PR1542931

  • The nsd process might crash when DNS-based allowlisting is configured under SSL proxy. PR1542942

  • Need syslog to indicate signature download completion. PR1545580

  • The flowd process might crash on SRX Series devices. PR1545628

  • SRX1500 reports fans running at over speed. PR1546132

  • The flowd process might generate core files when the user changes the flow mode configuration to packet mode. PR1546653

  • On SRX4100 and SRX4200, if PEM0 is removed, the output of jnxOperatingDescr.2 might be incomplete. PR1547053

  • Advanced anti-malware file or email statistics do not get incremented with the latest PB version. PR1547094

  • On vSRX2.0, vSRX3.0, SRX1500, SRX4100, SRX4200, SRX4600 running chassis cluster in Junos OS Release 18.3 or later releases, multiple messages of "LCC: ch_cluster_lcc_set_context:564: failed to lock chassis_vmx mutex 11" are generated in the chassisd log file. These messages may recur after every few seconds and they do not have any impact on system operation. PR1547953

  • Lcmd log "gw_cb_presence:136: PEM(slot = 0): error detecting presence ( fruid = 15, drv_id = 30, status = -11 )" generates every second on the SRX4100 and SRX4200 devices. PR1550249

  • The speed mismatch error is seen while trying to commit reth0 with gigether-options. PR1553888

  • An IPFD core might be generated when using adaptive threat profiling. PR1554556

  • When Junos OS software is upgraded to Junos OS Release 20.3, you might see the error "ERROR: Failed to setup symlinks in alternate root". PR1548626

  • The dumpdisklabel command fails with message "ERROR: Unknown platform srx550m". PR1557311

  • The outbound-ssh routing-instance command output shows as unsupported. PR1558808

  • Application identification unknown packet capture utility does not function on SRX Series devices when the enhanced-services mode is enabled. PR1558812

  • The pkid process runs at 100 percent when the device is unable to connect to a particular URL. PR1560374

Interfaces and Chassis

  • When SRX Series devices receive proxy ARP requests on VRRP interfaces, SRX Series devices send ARP replies with the underlying interface MAC address. PR1526851

  • The backup Routing Engine or backup node might get stuck in a bad status with an improper "backup-router" configuration. PR1530935

Intrusion Detection and Prevention (IDP)

  • The flowd or srxpfe process might generate core files during the idpd process commit on SRX Series devices. PR1521682

  • Need system log to indicate signature download completion. PR1543571

  • IDP policy load might fail post image upgrade for Junos OS 15.1x49 releases. PR1546542

  • The idpd process might stop and generate a core file. PR1547610

  • The idpd process might stop when committing IDP configuration under logical systems and tenant systems during RGs failover. PR1561298

  • The flowd process might stop and generate a core file if Jflow V9 is configured. PR1567871

  • Wi-Fi mPIM on SRX Series devices is reaching out to NTP and DNS servers. PR1569680

  • Traffic going through the VRRP interface might be dropped when VRRP enabled IRB interface goes down. PR1572920

J-Web

  • The "+" button is not shown in the J-Web interface menu. PR1550755

Platform and Infrastructure

  • Syslog reporting "PFE_FLOWD_SELFPING_PACKET_LOSS: Traffic impact: Selfping packets loss/err: 300 within 600 second" error messages in node 0 and node 1 control panel. PR1522130

  • The commit might not fail as expected when the reth interface is deleted. PR1538273

Routing Policy and Firewall Filters

  • The flowd or srxpfe process might stop when an SRX Series or NFX Series device running Junos OS Release 18.2R1 or later supports the unified policy feature. PR1544554

  • Traffic might be dropped unexpectedly when the url-category match condition is used on a security policy. PR1546120

  • Global policies working with multi-zones cause high PFE CPU utilization. PR1549366

  • Policy configured with "route-active-on" condition may incorrectly work for local routes. PR1549592

  • The junos-defaults construct within a unified-policies application match criteria now restricts the ports and protocols of a flow on a per-dynamic-application basis. PR1551984

  • On the SRX5000 line of devices, the secondary node might get stuck in performing ColdSync after a reboot, upgrade, or if ISSU is performed. PR1558382

  • Traffic might be dropped due to inserting one global policy above others on SRX Series devices. PR1558827

Subscriber Access Management

  • Incorrect counter type (counter instead of gauge) is specified for some values in MIB jnxUserAAAMib. PR1533900

Unified Threat Management (UTM)

  • Stream buffer memory leak might happen when UTM is configured under unified policies. PR1557278

  • UTM license expiry event loss may cause the device to not quit the advanced service mode and maximum-sessions is decreased by half. PR1563874

VPNs

  • IPsec SA is missing the keyword NULL after RG failover. PR1507270

  • IPsec traffic might get dropped after RG0 failover. PR1522931

  • On all SRX Series devices using IPsec with NAT traversal, MTU size for the external interface might be changed after IPsec SA is re-established. PR1530684

  • The flowd process might stop during IPsec SA renegotiation on SRX5000 line of devices. PR1545916

  • After the IPsec tunnel using policy-based VPN is overwritten by another VPN client, traffic using this IPsec tunnel will be dropped. PR1546537

  • Traffic going through policy-based IPsec tunnel might be dropped after RG0 failover. PR1550232

  • A session might be closed when the session is created during the IPsec rekey. PR1564444

  • When there are multiple IPsec SAs, the backup SA starts the IPsec rekey. PR1565132

  • SPI mismatch caused by simultaneous rekeys under kmd stress. PR1571105

Resolved Issues: 20.2R2

Application Layer Gateways (ALGs)

  • The srxpfe or mspmand process might crash if FTPS is enabled in a specific scenario. PR1510678

Flow-Based and Packet-Based Processing

  • The show security group-vpn server statistics |display XML is not in expected format. PR1349959

  • With the NCP remote access solution, in a PathFinder case (for example, where IPsec traffic has to be encapsulated as TCP packets), TCP encapsulation for transit traffic is failing. PR1442145

  • ECMP load balancing does not happen when RG1 node 0 is secondary. PR1475853

  • On SRX4100 and SRX4200 devices with chassis cluster in transparent mode, when a failover occurs for RG1, the interface on the new secondary node flaps as expected to let the switch update its MAC address table. PR1490291

  • Not able to clear the warm sessions on the peer SRX Series devices. PR1493174

  • Outbound SSH connection flap or memory leak issue might be observed while pushing the configuration to the ephemeral DB with a high rate. PR1497575

  • The srxpfe or flowd process might stop due to memory corruption within JDPI. PR1500938

  • The downloads might permanently get stuck or not complete when TCP proxy is used on SRX Series devices. PR1502977

  • Fabric interface might be monitored down after chassis cluster reboot. PR1503075

  • SOF asymmetric scenario is not working with the phase 1 solution. PR1507865

  • TAP mode behavior has been improved and the configuration has been greatly simplified. PR1521066

  • In a dual CPE scenario, if the rule match is completed before application identification is done, AppQoE moves the session to other node. PR1514973

  • VRRP does not work on the redundant Ethernet interface with a VLAN ID greater than 1023. PR1515046

  • PCAP file generated using packet capture was improper on the SRX5000 line of devices. PR1515691

  • A logic issue was corrected in SSL proxy that could lead to an srxpfe or flowd core file under load. PR1516903

  • The PPPoE session does not come up after return to zero on SRX Series devices. PR1518709

  • FQDN-based security log stream does not dynamically update the IP address. PR1520071

  • Adaptive Threat Profiling would stop submitting new IP addresses to a feed after a limit of 10,000 has been reached. PR1524284

Intrusion Detection and Prevention (IDP)

  • IDP's custom-attack time-binding interval command was mistakenly hidden within the CLI. PR1506765

  • Adaptive Threat Profiling incorrectly classifies hosts when Server-to-Client (S2C) IDP signatures are used. PR1533116

J-Web

  • While creating a firewall policy rule, the list of available dynamic applications is empty in HA on the Select Dynamic Application page. PR1490346

  • J-Web chassis status widget is incorrectly reporting temperature alarms. PR1507156

  • The parameters show another LSYS at J-Web in a multiple LSYS scenario. PR1518675

Layer 2 Ethernet Services

  • DHCP might not work after performing request system zeroize or load factory-default on SRX Series devices. PR1521704

Network Address Translation (NAT)

  • NAT PBA size 1 on SRX Series devices. PR1525822

Platform and Infrastructure

  • Packets get dropped when the next hop is IRB over the LT interface. PR1494594

Routing Policy and Firewall Filters

  • Traffic might fail to hit policies if match dynamic-application and match source-end-user-profile options are configured under the same security policy name. PR1505002

  • Junos OS upgrade may encounter failure in certain conditions when enabling ATP. PR1519222

  • The show security dynamic-address feed-name command could not list secprofiling feed. PR1537714

Unified Threat Management (UTM)

  • UTM causes emails from outside to inside to not be received. PR1523222

VPNs

  • On an SRX4200 device, a 35 percent drop is seen in all TPS cases. PR1481625

  • On SRX Series devices with SPC3, when overlapping traffic-selectors are configured, multiple IPsec SAs get negotiated with the peer device. PR1482446

Resolved Issues: 20.2R1

Application Layer Gateways (ALGs)

  • RTSP data sessions are cleared unexpectedly during cold sync. PR1468001

  • The flowd or srxpfe process might stop when an ALG creates a gate with an incorrect protocol value. PR1474942

  • SIP messages that need to be fragmented might be dropped by SIP ALG. PR1475031

  • FTPS traffic might get dropped on SRX Series or MX Series devices if FTP ALG is used. PR1483834

Authentication and Access Control

  • SRX Series: Unified Access Control (UAC) bypass vulnerability (CVE-2020-1637). PR1475435

Flow-Based and Packet-Based Processing

  • Command show security pki local-certificate logical-system all is not showing any output. PR1414628

  • The trusted-ca and root-ca names or IDs should not be the same within an SSL proxy configuration. PR1420859

  • Introduction of default inspection limits for application identification to optimize CPU usage and improve resistance to evasive applications. PR1454180

  • TCP session might not time out properly upon receiving TCP RESET packet. PR1467654

  • RPM test probe fails to show that round-trip time has been exceeded. PR1471606

  • Support LLDP protocol on reth interface. PR1473456

  • Certificate error when configuration is validated during Junos OS upgrade. PR1474225

  • An unhealthy node might become primary in SRX4600 devices with chassis cluster scenario. PR1474233

  • Packet drop might be observed on the SRX300 line of devices when adding or removing an interface from MACsec. PR1474674

  • Stateful firewall rule configuration deletion might lead to memory leak. PR1475220

  • The flowd or srxpfe process might stop when deleting user firewall local authentication table entry. PR1477627

  • MPCs might stop when there is bulk route update failure in a corner case. PR1478392

  • The nsd process pause might be seen during device reboots if dynamic application groups are configured in policy. PR1478608

  • The flowd process core files might be seen when there is mixed NAT-T traffic or non-NAT-T traffic with PMI enabled. PR1478812

  • When SRX5K-SPC3s or MX-SPC3s are installed in slots 0 or 1 in SRX5800 or MX960 devices, EMI radiated emissions are observed to be higher than regulatory compliance requirements. PR1479001

  • The show mape rule statistics command might display negative values. PR1479165

  • The wl-interface stays in ready status after you execute request chassis fpc restart command in Layer 2 mode. PR1479396

  • Recent changes to JDPI's classification mechanism caused a considerable performance regression (more than 30 percent). PR1479684

  • The flowd or srxpfe process might stop when advanced anti-malware service is used. PR1480005

  • On Web proxy, memory leak in association hash table and DNS hash table. PR1480760

  • The jsqlsyncd process synchronizes its databases every second even there is no change. PR1482428

  • The firewall Web authentication graphics have been updated. PR1482433

  • IMAP curl sessions get stuck in the active state if AAMW IMAP block mode is configured. PR1484692

  • The show chassis temperature-thresholds command displays extensive FPC 0 output. PR1485224

  • The configuration statement set chassis psu redundancy n-plus-n needs to be supported in high availability (HA) mode. PR1486746

  • Commit does not work after the installation through boot loader. PR1487831

  • If a cluster ID of 16 or multiples of 16 is used, the chassis cluster might not come up. PR1487951

  • CPU board inlet increases after OS upgrade from Junos OS Release 15.1X49 to Junos OS Release 18.x. PR1488203

  • All interfaces remain in the down status after the SRX300 line of devices power up or reboot. PR1488348

  • There is a risk of service interruption on all SRX Series devices with a dual stacked CA server. PR1489249

  • GRE or IPSec tunnel might not come up when set security flow no-local-favor-ecmp command is configured. PR1489276

  • Sometimes multiple flowd core files are generated on both nodes of chassis cluster at the same time when changing media MTU. PR1489494

  • Continuous drops seen in control traffic, with high data queues in one SPC2 PIC. PR1490216

  • Phone client stop seen while doing SRX345 device ZTP with CSO. PR1496650

  • Unexpected flow logging traffic beyond the packet filter. PR1497939

  • Traffic interruption happens due to MAC address duplication between two devices running Junos OS. PR1497956

  • Don't use capital characters for source-identity when using show security match-policies command. PR1499090

  • J-Flow version 9 does not display correct outgoing interface for APBR traffic. PR1502432

  • AppQoE support for dynamic-application. PR1503400

  • The cfmd core observed when LTM is triggered for the session configured on ethernet-switching interface without bridge domain configuration. PR1503696

Intrusion Detection and Prevention (IDP)

  • Configuring anomaly occurs in CLI. PR1490437

J-Web

  • You cannot configure redundant PSU and power budget statistics on the SRX380 device that is in high availability (HA) mode through J-Web. PR1493713

  • The J-Web users might not be able to configure PPPoE using PPPoE wizard. PR1502657

Layer 2 Ethernet Services

  • The state of member links might not be synchronized on a connection between PE and CE devices in EVPN active/active mode. PR1463791

Multiprotocol Label Switching (MPLS)

  • BGP session might keep flapping between two directly connected BGP peers because of the wrong TCP-MSS in use. PR1493431

Network Address Translation (NAT)

  • Issuing the show security nat source paired-address command might return an error. PR1479824

Network Management and Monitoring

  • The flowd or srxpfe process might stop immediately after committing the J-Flow version 9 configuration or after upgrading to affected releases. PR1471524

  • SNMP trap coldStart agent-address becomes 0.0.0.0. PR1473288

Platform and Infrastructure

  • Modifying the REST configuration might cause the system to become unresponsive. PR1461021

  • On SRX1500 and the SRX4000 line of devices, physically disconnecting the cable from fxp0 interface causes hardware monitor failure and redundancy group failover, when the device is the primary node in a chassis cluster. PR1467376

  • The RGx might fail over after RG0 failover in a rare case. PR1479255

  • The /usr/libexec/ui/yang-pkg and /usr/libexec/ui/pyang files are not found on SRX Series devices during YANG installation. PR1496577

Routing Policy and Firewall Filters

  • If a huge number of policies are configured on SRX Series devices and some policies are changed, the traffic that matches the changed policies might be dropped. PR1454907

  • Support for dynamic tunnels on SRX Series devices was mistakenly removed. PR1476530

  • TCP proxy was mistakenly engaged in unified policies when Web filtering was configured in potential match policies. PR1492436

  • Traffic fails to hit the policies with matching source-end-user-profiles. PR1505002

Routing Protocols

  • The rpd might stop when both instance-import and instance-export policies contain as-path-prepend action. PR1471968

Unified Threat Management (UTM)

  • The utmd process might pause after deactivating UTM configuration with predefined category upgrading used. PR1478825

VPNs

  • The IKE SA does not get cleared and shows a very long lifetime. PR1439338

  • IKED treats all retransmissions of the first IKE_INIT request packet as new connections when acting as responder. PR1460907

  • The iked might crash when the IKE SA expires and the IPsec tunnel of expired IKE SAs still exists. PR1463501

  • The newly configured IPsec tunnels might be stuck in VPNM verify-path state in a tunnel scaled scenario. PR1464353

  • IPsec tunnels might flap when a secondary node comes online after a reboot in an SRX Series high availability environment. PR1471243

  • The kmd process might crash continually after the chassis cluster failover in the IPsec ADVPN scenario. PR1479738

  • On SRX4200 devices, a 35 percent drop is seen in all TPS cases. PR1481625

  • Some options under IKE and IPsec policy and proposal help text description should change to NOT RECOMMENDED. PR1487515

  • Use different XML tags for local and remote IKE ID to avoid confusion. PR1493368

  • The output of the XML RPC for show security ipsec tunnel-distribution summary is incorrect. PR1494274

Documentation Updates

There are no errata or changes in Junos OS Release 20.2R3 documentation for the SRX Series.

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths. You can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 19.2, 19.3, and 19.4 are EEOL releases. You can upgrade from Junos OS Release 19.2 to Release 19.3 or from Junos OS Release 19.2 to Release 19.4.

You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.
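The span rules above can be checked mechanically before planning an upgrade. The following Python is an added example written for these notes, not Juniper software: the ordered release sequence and every EEOL flag other than those of 19.2, 19.3 and 19.4 are constructed for illustration, and the function names are hypothetical.

```python
"""Upgrade/downgrade path check following the span rules stated above.

Added example, not Juniper code. The release list is constructed; only
the EEOL status of 19.2, 19.3 and 19.4 comes from the notes above.
"""
from typing import List, Optional, Tuple

# Constructed ordered release sequence: (release, is_eeol).
RELEASES: List[Tuple[str, bool]] = [
    ("19.1", False), ("19.2", True), ("19.3", True), ("19.4", True),
    ("20.1", False), ("20.2", False), ("20.3", False), ("20.4", True),
]
ORDER = [r for r, _ in RELEASES]
EEOL = dict(RELEASES)

MAX_SPAN = 3        # at most three releases at a time for non-EEOL paths
MAX_EEOL_HOPS = 2   # EEOL to EEOL: target may be up to two EEOL releases away


def direct_supported(current: str, target: str) -> bool:
    """True if a single step current -> target is within the stated policy."""
    lo, hi = sorted((ORDER.index(current), ORDER.index(target)))
    if hi - lo <= MAX_SPAN:
        return True
    if EEOL[current] and EEOL[target]:
        # Count EEOL releases after the lower one up to and including the upper one.
        eeol_hops = sum(1 for r in ORDER[lo + 1:hi + 1] if EEOL[r])
        return eeol_hops <= MAX_EEOL_HOPS
    return False


def plan(current: str, target: str) -> Optional[List[str]]:
    """Return the release path, adding one EEOL hop if needed, or None."""
    if direct_supported(current, target):
        return [current, target]
    # Policy: move to an EEOL release in the direction of travel first,
    # then go from that EEOL release to the target.
    step = 1 if ORDER.index(target) > ORDER.index(current) else -1
    i = ORDER.index(current) + step
    while 0 <= i < len(ORDER):
        hop = ORDER[i]
        if EEOL[hop] and direct_supported(current, hop) and direct_supported(hop, target):
            return [current, hop, target]
        i += step
    return None


if __name__ == "__main__":
    print(plan("19.1", "20.4"))   # two-step path via an EEOL release
    print(plan("19.2", "20.4"))   # three EEOL releases apart: not direct
```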

For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.

For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.

For information about ISSU, see the Chassis Cluster User Guide for Security Devices.