Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Junos OS Release Notes for vSRX


These release notes accompany Junos OS Release 20.3R3 for vSRX. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at

What’s New

Learn about new features introduced in the Junos OS main and maintenance releases for vSRX.

What's New in Release 20.3R3

There are no new features for vSRX in Junos OS Release 20.3R3.

What's New in Release 20.3R2

There are no new features for vSRX in Junos OS Release 20.3R2.

What's New in Release 20.3R1

Interfaces and Chassis

  • TAP mode support for (vSRX 3.0)—Starting in Junos OS Release 20.3R1, TAP mode is supported for IDP, UTM, and UserFW on vSRX 3.0 to generate security log information and to display the information on threats detected, application usage, and user details according to the incoming traffic.

    Both client to server and server to client traffic is directed to vSRX port using switch mirror or fiber tap. In this mode, vSRX 3.0 receives packet only from the configured TAP interface. All sending packets to TAP interface are dropped silently before leaving the vSRX instance. Except the configured TAP interface, other interface can be configured as standard interface and can be used as management interface or connected to outside server.

    Use the set security forwarding-options mode tap interface <interface-name> command to configure TAP mode on an interface.

    To disable this TAP mode, delete the TAP mode for the related interface and the related zone and policy configuration of that interface.

    [See TAP Mode Support Overview, TAP Mode for IDP, TAP Mode for Security Zones and Policies, and forwarding-options (Security).]

Juniper ATP Cloud

  • Support for integration of AWS GuardDuty with vSRX Firewalls and Juniper ATP Cloud (vSRX)—Starting with Junos OS Release 20.3R1, we support threat feeds from Amazon Web Services (AWS) GuardDuty. The threats are sent as a security feed to the vSRX firewalls in the AWS environment. The vSRX firewalls can access the feeds either by directly downloading it from the AWS S3 bucket or, if the vSRX firewall is enrolled with Juniper ATP Cloud, the feed is pushed to the firewall device along with the security intelligence (SecIntel) feeds.

    [See Integrate AWS GuardDuty with vSRX Firewalls.]

Junos Telemetry Interface

  • Packet Forwarding Engine and Routing Engine sensor support on JTI (SRX1500, SRX4100, SRX4200, SRX4600, and vSRX)—Junos OS Release 20.3R1 provides streaming support for revenue interface statistics through Packet Forwarding Engine (PFE) sensors and pseudo interface statistics through Routing Engine sensors. Sensors are supported through Junos telemetry interface (JTI) and remote procedure calls (gRPC) or gRPC Network Management Interface (gNMI) services. gNMI service is also enabled for other supported Routing Engine sensors.

    Using JTI and gRPC or gNMI services, you can stream telemetry statistics to an outside collector.

    These interface sensors are supported:

    • Physical interfaces (IFD) (resource path /interfaces/interface/).

    • Logical interfaces (IFL) (resource path /interfaces/interface/subinterfaces/).

    These Routing Engine sensors are supported using gNMI services (previously, only gRPC services were supported):

    • System events (resource path /junos/events).

    • BGP peer information (resource path /network-instances/network-instance/protocols/


    • Memory utilization for routing protocol task (resource path /junos/task-memory-information/).

    • Operational state of Routing Engines, power supply modules, Switch Fabric Boards, Control Boards, Switch Interface Boards, Modular Interface Cards, and Physical Interface Cards (resource path /components/).

    • Link Layer Discovery Protocol (LLDP) (resource path /lldp/).

    • Address Resolution Protocol (ARP) statistics for IPv4 routes (resource path /arp-information/).

    • Network Discovery Protocol (NDP) table state information for IPv6 routes (resource path /nd6-information/).

    • NDP router-advertisement statistics (resource path /ipv6-ra/).

    • IS-IS routing protocol statistics (resource path /network-instances/network-instance/protocols/protocol/isis/levels/level/ and network-instances/network-instance/protocols/protocol/isis/interfaces/interface/levels/level/).

    [See Guidelines for gRPC and gNMI Sensors (Junos Telemetry Interface.]


  • Enhanced Service Mode Support (vSRX 3.0)—Starting in Junos OS Release 20.3R1, vSRX 3.0 supports Enhanced Service Mode (ESM). When this mode is enabled, vSRX 3.0 can support maximum of 128K sessions for Layer 7 services with increased service memory and the number of L4 sessions will be reduced to 50%.

    By default, ESM is disabled and the vSRX 3.0 is in basic firewall mode. You can enable ESM using the set security forwarding-process enhanced-services-mode command. After enabling this mode, you need to reboot the instance.

    When you enable this configuration, you will receive a warning message warning: You have changed enhanced services mode. You must reboot the system for your change to take effect. If you have deployed a cluster, be sure to reboot all nodes.

    [See forwarding-process and show security flow status.]

Performance and Scaling

  • Scaling vSRX 3.0 using Microsoft Azure Load Balancer and Virtual Machine Scale Sets (vSRX 3.0)—Starting in Junos OS Release 20.3R1, vSRX 3.0 can automatically scale out or scale in for internal and outbound traffic using Azure Load Balancer (LB) and Microsoft Azure Virtual Machine Scale Sets (VMSS).

    vSRX 3.0 instances are inline firewalls and any throughput or connection scaling limitations on these firewalls limit the performance and scaling of the entire virtual network. In such cases autoscaling of infrastructure for traffic inside the virtual network and for the outbound traffic is required. You can use the suggested deployments with Azure Load Balancer and Virtual Machine Scale Sets to achieve vSRX 3.0 scaling and better performance for your business needs.

    [See vSRX 3.0 Scaling for Internal and Outbound Traffic Using Azure Load Balancer and Virtual Machine Scale Sets.]


  • Increase in IPsec VPN tunnels (vSRX)—Starting in Junos OS Release 20.3R1, vSRX instances support up to 10,000 IPsec VPN tunnels. Previously, vSRX instances with 17 vCPUs supported 512 IPsec VPN tunnels.

    To support the increased number of IPsec VPN tunnels, a minimum of 19 vCPUs are required. Out of the 19 vCPUs, 3 vCPUs must be dedicated to RE.

    You must run the request system software add optional://junos-ike.tgz command the first time you wish to enable increased IPsec tunnel capacity. For subsequent software upgrades of the instance, the junos-ike package is upgraded automatically from the new Junos OS releases installed in the instance. If chassis cluster is enabled then run this command on both the nodes.

    You can configure the number of vCPUs allocated to Junos Routing Engine using the set security forwarding-options resource-manager cpu re <value>. You must reboot the system to activate the new vCPU allocation for RE and Flow RT threads. Run the show security forward-options resource-manager status command to verify the vCPU allocation between routing engine and the flow RT threads.

    [See Junos OS Features Supported on vSRX, forwarding-options (Security), and show security forward-options resource-manager.]

  • Increased Tunnel Scaling (vSRX)—Starting in Junos OS Release 20.3R1, vSRX is supported by a new architecture similar to SRX5000 line of devices with SPC3 which increases the tunnel scale.

    IPsec VPN features that are supported on SRX5000 line of devices with SPC3 (SRX5K-SPC3) are also supported on vSRX instances.

    By default, when the vSRX boots up, the legacy architecture is executed. To enable the new architecture its mandatory to load and install this new junos-ike package. This is an optional package that is included in the Junos OS release. As an administrator, you must execute the request system software add optional://junos-ike.tgz command to load the junos-ike package.

    [See IPsec VPN Features and Configurations Not Supported on SRX5K-SPC3 and vSRX Instances.]

What's Changed

Learn about what changed in the Junos OS main and maintenance releases for vSRX.

What’s Changed in Release 20.3R3

Junos OS XML API and Scripting

  • Refreshing scripts from an HTTPS server requires a certificate (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—When you refresh a local commit, event, op, SNMP, or Juniper Extension Toolkit (JET) script from an HTTPS server, you must specify the certificate (Root CA or self-signed) that the device uses to validate the server's certificate, thus ensuring that the server is authentic. In earlier releases, when you refresh scripts from an HTTPS server, the device does not perform certificate validation.

    When you refresh a script using the request system scripts refresh-from operational mode command, include the cert-file option and specify the certificate path. Before you refresh a script using the set refresh or set refresh-from configuration mode command, first configure the cert-file statement under the hierarchy level where you configure the script. The certificate must be in Privacy-Enhanced Mail (PEM) format.

    [See request system scripts refresh-from and cert-file.]

What’s Changed in Release 20.3R2

There are no changes in behavior or syntax for vSRX in Junos OS Release 20.3R2.

What’s Changed in Release 20.3R1

There are no changes in behavior or syntax for vSRX in Junos OS Release 20.3R1.

Known Limitations

Learn about known limitations in this release for vSRX.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Intrusion Detection and Prevention (IDP)

  • Disable IDP before upgrading vSRX from a Junos OS Release 15.1X49 to Junos OS Release 17.4 or higher releases. Due to a change in IDP database format after Junos OS Release 15.1X49, there is no IDP database initially after the upgrade and the IDP configuration may fail to load, potentially leading to the entire Junos OS configuration not to load at the first bootup after the upgrade. After the upgrade, first download and install the IDP security package before re-enabling IDP again. PR1455125


  • For a spoke device in a hub-and-spoke topology, the UI will show VPN topology as Site to Site. PR1495973

Open Issues

Learn about open issues in this release for vSRX.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.


  • Configuration of global setting options of IPSec VPN such as TCP-Encap profile, IPSec Power Mode, and IKE package installation is not supported from the UI. PR1496439

  • J-Web does not allow you to save a rule if the cumulative shared objects are more than 2,500 before the policy grid is saved. When there are several shared objects, there will be a noticeable delay in opening sources and destinations of a rule, and performing rule action. PR1540047

User Access and Authentication

  • On vSRX 3.0 on Azure, with Microsoft Azure Hardware Security Module (HSM) enabled, keypair generation fails if the user re-uses the certificate ID for creating a new keypair, even if the previous keypair has been deleted. PR1490558

Resolved Issues

Learn which issues were resolved in the Junos OS main and maintenance releases for vSRX.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 20.3R3

Intrusion Detection and Prevention (IDP)

  • Application identification related signatures might not get triggered. PR1588450

Platform and Infrastructure

  • The queue-counters-srx-reserved-buffer-bytes count is 625000 Bytes, expected buffer is 2500000. PR1538286

  • IKE configure mode payload is not pushing secondary DNS and secondary WINS attributes to Xauth module with IKEv1. Hence, the client is not getting assigned with secondary DNS and secondary WINS with IKEv1. PR1558831

  • Delay in vSRX CLI prompt might be observed. PR1559741

  • The pkid process runs at 100 percent when the device is unable to connect to a particular URL. PR1560374

  • If committing source-address <addr> routing-instance and than delete source-address <addr> in private edit mode, commit fails with warning message. PR1582529

Routing Protocols

  • Traffic might be lost during mirror data transmit from the primary ppmd or bfdd. PR1570228


  • A session might be closed when the session is created during the IPsec rekey. PR1564444

Resolved Issues: 20.3R2

Application Security

  • During rare circumstances, if the AppID unknown packet capture functionality is enabled, the srxpfe process might crash and generate a core file. PR1538991

Chassis Clustering

  • The control link might be broken when there is excessive traffic load on the control link in vSRX cluster deployment. PR1524243


  • On Microsoft Azure deployments, SSH public key authentication is not supported for vSRX 3.0 CLI and portal deployment. PR1402028

  • Commit is not successful when the configuration is committed without active probe settings options (all options under active probe settings are optional). PR1533420

  • The master-password configuration is rejected if master-encryption-password (MEK) is not set. PR1537251

Intrusion Detection and Prevention (IDP)

  • The flowd or srxpfe process might generate core files during the idpd process commit on SRX Series devices. PR1521682

  • When adaptive threat profiling is configured within an IDP rule base and logging is enabled, on the vSRX instances the Packet Forwarding Engine process might stop and generate a core file. PR1532737

Platform and Infrastructure

  • Configuration integrity mismatch error in vSRX3.0 running on Azure with key-vault integrated. PR1551419

  • The pkid process runs at 100 percent when the device is unable to connect to a particular URL. PR1560374


  • The flowd process might stop in an IPsec VPN scenario. PR1517262

Resolved Issues: 20.3R1

Application Security

  • Application Quality of Experience (AppQoE) system log shows best-path previous-interface value as “N/A” when deactivating DBG or the link. PR1487056

  • When destination-path-group is deleted in the configuration and added again, the fc-id, dscp, fc name, and loss priority fields are reset. PR1489948

  • The flow performance might be reduced in the Security Intelligence scenario. PR1491682

Intrusion Detection and Prevention (IDP)

  • The IDP attack detection may not work in a specific situation. PR1497340


  • While creating a firewall policy rule, the list of available dynamic applications is empty in HA on the Select Dynamic Application page. PR1490346

  • Infinite loading circle may be encountered via J-Web. PR1493601

Platform and Infrastructure

  • The clock drift issue might cause control link failure of a vSRX cluster running on KVM hypervisor. PR1496937

  • The vSRX may restart unexpectedly. PR1479156

  • In vSRX3.0 on Azure with keyvault enabled, change in MEK results in deletion of certificates. PR1513456

  • With CSO SD-WAN configuration loaded, flowd process generates core files while deleting the GRE IPsec configuration. PR1513461

  • Changes to the configuration command for assigning more vCPUs to the Routing Engine. PR1505724

  • On vSRX the interfaces might remain shut as the FPC faces issues while coming online after an upgrade attempt on the device. PR1499092

  • When SSL proxy is enabled and if the vSRX runs out of memory, then the SSL proxy module might stop. PR1505013

Routing Policy and Firewall Filters

  • Traffic might fail to hit policies if match dynamic-application and match source-end-user-profile options are configured under the same security policy name. PR1505002

  • Junos OS upgrade may encounter failure in certain conditions when enabling ATP. PR1519222

Unified Threat Management (UTM)

  • The source and destination IP or port fields were reversed for Content-Filtering and Anti-Virus logs. PR1499327


  • On vSRX3.0 instances, when ECMP routes are configured to load balance over multiple IPSec VPNs connected to a single multipoint tunnel interface, the traffic may not flow. PR1438311

  • The flowd process might stop in IPsec VPN scenario. PR1517262

Migration, Upgrade, and Downgrade Instructions

This section contains information about how to upgrade Junos OS for vSRX using the CLI. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

You also can upgrade to Junos OS Release 20.3R3 for vSRX using J-Web (see J-Web) or the Junos Space Network Management Platform (see Junos Space).

Direct upgrade of vSRX from Junos OS 15.1X49 Releases to Junos OS Releases 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, or 19.2 is supported.

The following limitations apply:

  • Direct upgrade of vSRX from Junos OS 15.1X49 Releases to Junos OS Release 19.3 and higher is not supported. For upgrade between other combinations of Junos OS Releases in vSRX and vSRX 3.0, the general Junos OS upgrade policy applies.

  • The file system mounted on /var usage must be below 14% of capacity.

    Check this using the following command:

    show system storage | match " /var$" /dev/vtbd1s1f

    Using the request system storage cleanup command might help reach that percentage.

  • The Junos OS upgrade image must be placed in the directory /var/host-mnt/var/tmp/. Use the request system software add /var/host-mnt/var/tmp/<upgrade_image>

  • We recommend that you deploy a new vSRX virtual machine (VM) instead of performing a Junos OS upgrade. That also gives you the option to move from vSRX to the newer and more recommended vSRX 3.0.

  • Ensure to back up valuable items such as configurations, license-keys, certificates, and other files that you would like to keep.


For ESXi deployments, the firmware upgrade from Junos OS Release 15.1X49-Dxx to Junos OS releases 17.x, 18.x, or 19.x is not recommended if there are more than three network adapters on the 15.1X49-Dxx vSRX instance. If there are more than three network adapters and you want to upgrade, then we recommend that you either delete all the additional network adapters and add the network adapters after the upgrade or deploy a new vSRX instance on the targeted OS version.

Upgrading Software Packages

To upgrade the software using the CLI:

  1. Download the Junos OS Release 20.3R3 for vSRX .tgz file from the Juniper Networks website. Note the size of the software image.
  2. Verify that you have enough free disk space on the vSRX instance to upload the new software image.
  3. Optionally, free up more disk space if needed to upload the image.

    If this command does not free up enough disk space, see [SRX] Common and safe files to remove in order to increase available system storage for details on safe files you can manually remove from vSRX to free up disk space.

  4. Use FTP, SCP, or a similar utility to upload the Junos OS Release 20.3R3 for vSRX .tgz file to /var/crash/corefiles/ on the local file system of your vSRX VM. For example:
  5. From operational mode, install the software upgrade package.

    If no errors occur, Junos OS reboots automatically to complete the upgrade process. You have successfully upgraded to Junos OS Release 20.3R3 for vSRX.


    Starting in Junos OS Release 17.4R1, upon completion of the vSRX image upgrade, the original image is removed by default as part of the upgrade process.

  6. Log in and use the show version command to verify the upgrade.

Validating the OVA Image

If you have downloaded a vSRX .ova image and need to validate it, see Validating the vSRX .ova File for VMware.

Note that only .ova (VMware platform) vSRX images can be validated. The .qcow2 vSRX images for use with KVM cannot be validated the same way. File checksums for all software images are, however, available on the download page.