Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Junos OS Release Notes for NFX Series


These release notes accompany Junos OS Release 20.4R3 for the NFX Series Network Services Platforms. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at

What’s New

Learn about new features introduced in the Junos OS main and maintenance releases for NFX Series.


For information about NFX product compatibility, see NFX Product Compatibility.

What's New in Release 20.4R2

There are no new features or enhancements to existing features for NFX Series devices in Junos OS Release 20.4R2.

What's New in Release 20.4R1

Application Security

  • AppQoE support for SaaS applications (NFX Series and SRX Series)—Starting in Junos OS Release 20.4R1, we’ve extended application quality of experience (AppQoE) support for Software as a Service (SaaS) applications.

    AppQoE performs service-level agreement (SLA) measurements across the available WAN -links such as underlay, GRE, IPsec or MPLS over GRE. It then sends SaaS application data over the most SLA-compliant link to provide a consistent service.

    To configure AppQoE for SaaS applications:

    1. Define the SLA rule type as SaaS (set security advance-policy-based-routing sla-rule sla1 type saas).

    2. Include SaaS server details in the address book (set security address-book global address address-book-name dns-name saas-server-url ipv4-only).

    3. Disable midstream switching to disengage advanced policy-based routing (APBR) and prevent further rule matching.

    4. Attach the SLA rule to the policy-based APBR profile.

    [See Application Quality of Experience.]

  • Granular control over DNS-over-HTTP and DNS-over-TLS application traffic (NFX Series and SRX Series)—In Junos OS Release 20.4R1, we introduce a new micro-application, DNS-ENCRYPTED, to enhance the application signature package. By configuring this micro-application in a security policy, you can have granular control for DNS-over-HTTP and DNS-over-TLS application traffic.

    The DNS-ENCRYPTED application is enabled by default. You can disable it using the request services application-identification application disable DNS-ENCRYPTED command.

    You can view the details of the micro-applications using the show services show services application-identification application detail command.

    [See Application Identification Support for Micro-Applications.]

High Availability

  • High availability on NFX350 devices—Starting in Junos OS Release 20.4R1, NFX350 devices support the Chassis Cluster feature. You can configure a cluster of two NFX350 devices in active/passive or active/active mode to act as primary and secondary devices for protection against device failures. The high availability feature supports Layer 2 and Layer 3 features in dual CPE deployments.

    [See Chassis Cluster on NFX350 Devices and Upgrading or Disabling a Chassis Cluster on NFX350 Devices.]

Flow-Based and Packet-Based Processing

Logical Systems and Tenant Systems

  • Support for MAP-E confidentiality CLI statement (NFX150, NFX250, NFX350, and SRX1500)—Starting in Junos OS Release 20.4R1, we’ve introduced a global MAP-E confidentiality CLI statement to hide MAP-E rule parameters in CLI show commands and logs. To enable this configuration, include the confidentiality statement at the [edit security softwires map-e] hierarchy level. You need to have administrator privileges to enable or disable this configuration. This feature is supported for all domains of MAP-E.

    [See confidentiality and show security softwires map-e confidentiality status.]

Routing Protocols

  • Support for relaxing BGP router ID format from /32 to a nonzero ID per RFC6286 ( MX204, NFX Series, PTX5000, QFX Series, and vRR)—Starting in Junos OS Release 20.4R1, you can establish a BGP connection using a BGP identifier that is a 4-octet, unsigned, nonzero integer and it needs to be unique only within the autonomous system (AS) per RFC 6286. In earlier releases, the BGP ID of a BGP speaker was required to be a valid IPv4 host address assigned to the BGP speaker.

    To enable this feature, use the bgp-identifier identifier group bgp group name bgp-identifier identifier neighbor peer address bgp-identifier identifier configuration statement at the [edit protocols bgp] hierarchy level.

    [See router-id]


  • MACsec on NFX350 devices—Starting in Junos OS Release 20.4R1, you can configure Media Access Control Security (MACsec) on NFX350 devices for secure communication for almost all types of traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks.

    [See Configuring MACsec on NFX350 Devices and macsec.]

What's Changed

Learn about what changed in the Junos OS main and maintenance releases for NFX Series devices.

Junos OS XML API and Scripting

  • The <get-interface-information/> RPC reply includes an <error-severity> element when execution fails (NFX Series)—If the <get-interface-information/> RPC fails to execute, the device's RPC reply includes the <error-severity> element. In earlier releases, the RPC reply does not include the <error-severity> element.

Known Limitations

Learn about known limitations in this release for NFX Series devices. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.


  • The link disable option puts the analyzer interface in an inconsistent state, with link state as DOWN and administrator state as UP. PR1442224

  • On NFX250 devices, the LACP subsystem is not started automatically when dc-pfe process is restarted. PR1583054

  • LACP port channel members are seen in detached state after configuring because of dc-pfe core. PR1579647

Open Issues

Learn about open issues in this release for NFX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

High Availability

  • On an NFX350 chassis cluster, when FPC0 (when node0 is primary) or FPC7 (when node1 is primary) is restarted by either using the request chassis fpc slot slot restart node local command or due to dcpfe core files on the primary, it restarts FPC1 or FPC8. This might break the pre-existing TCP sessions and fail to restart the TCP sessions. The TCP sessions might require a manual restart. PR1557607

Virtual Network Functions (VNFs)

  • On NFX Series devices, while configuring vmhost vlans using vlan-id-list, the system allows duplicate VLAN IDs in the VLAN ID list. PR1438907.

  • On NFX Series devices, the OVS Analyzer configuration is lost after VNF reboot on non-dpdk SKUs. As a workaround, for non-dpdk SKUs, restart the VNF, de-activate and activate the analyzer configuration for the analyzer to function properly. PR1480462.

Resolved Issues

Learn which issues were resolved in the Junos OS Release 20.4R2 for NFX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 20.4R2

General Routing

  • The l2cpd core files might be seen on reboot. PR1561235


  • On NFX Series devices, the following error message for interfaces might be seen: FAILED(-1) read ofSFP eeprom. PR1529939

Platform and Infrastructure

  • On NFX150 devices, when J-Flow v5 is configured and the J-Flow v5 server is reachable through anIPsec tunnel, and the MTU size of this IPsec tunnel is configured as 1500, the J-Flow packets are not generated on NFX Series devices. As a workaround, use J-Flow v9 or IPFIX version, instead of J-Flowv5, to enable the J-Flow functionality on NFX Series devices. PR1539964

  • On NFX150, NFX250 NextGen, and NFX350 devices, the EmulatorPin CPUSet option does not get configured, which might result in vCPU running on a higher level up to 100%. PR1540564

Resolved Issues: 20.4R1

High Availability

  • On NFX150 devices, upgrade from Junos OS Release 19.4 to Junos OS Release 20.2 fails and the /usr/sbin/boot_mgmt_fsm: line 40: echo: write error: No space left on device issue message is displayed. PR1532334


  • When you configure analyzers on VNF interfaces with output port as other VNF interfaces, all the incoming and outgoing packets can be mirrored on to the designated analyzer port. However, after a system reboot, this functionality stops working and no packets are mirrored on the output analyzer port. PR1480290

Platform and Infrastructure

  • On NFX150 devices, ZTP over LTE configuration commit fails for operation=create in XML operations configuration. PR1511306

  • The device reads the board ID from eeprom directly using I2C upon power cycle. PR1529667

Documentation Updates

There are no errata or changes in Junos OS Release 20.4R2 documentation for NFX Series devices.

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS for the NFX Series. Upgrading or downgrading Junos OS might take several hours, depending on the size and configuration of the network.


For information about NFX product compatibility, see NFX Product Compatibility.

Upgrade and Downgrade Support Policy for Junos OS Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information on EEOL releases and to review a list of EEOL releases, see

Basic Procedure for Upgrading to Release 20.4

When upgrading or downgrading Junos OS, use the jinstall package. For information about the contents of the jinstall package and details of the installation process, see the Installation and Upgrade Guide. Use other packages, such as the jbundle package, only when so instructed by a Juniper Networks support representative.


The installation process rebuilds the file system and completely reinstalls Junos OS. Configuration information from the previous software installation is retained, but the contents of log files might be erased. Stored files on the device, such as configuration templates and shell scripts (the only exceptions are the juniper.conf and ssh files), might be removed. To preserve the stored files, copy them to another system before upgrading or downgrading the device. For more information, see the Software Installation and Upgrade Guide.


We recommend that you upgrade all software packages out of band using the console because in-band connections are lost during the upgrade process.

To download and install Junos OS Release 20.4R2:

  1. Using a Web browser, navigate to the All Junos Platforms software download URL on the Juniper Networks webpage:

  2. Select the name of the Junos OS platform for the software that you want to download.
  3. Select the Software tab.
  4. Select the release number (the number of the software version that you want to download) from the Version drop-down list to the right of the Download Software page.
  5. In the Install Package section of the Software tab, select the software package for the release.
  6. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.
  7. Review and accept the End User License Agreement.
  8. Download the software to a local host.
  9. Copy the software to the device or to your internal software distribution site.
  10. Install the new package on the device.