
Junos OS Release Notes for SRX Series

 

These release notes accompany Junos OS Release 20.4R3 for the SRX Series Services Gateways. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

What’s New

Learn about new features introduced in the Junos OS main and maintenance releases for the SRX Series.

What's New in Release 20.4R3

There are no new features for SRX Series Services Gateways in Junos OS Release 20.4R3.

What's New in Release 20.4R2

There are no new features for SRX Series Services Gateways in Junos OS Release 20.4R2.

What's New in Release 20.4R1

Application Layer Gateways (ALGs)

  • SIP ALG load-balancing enhancement (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 20.4R1, you can configure two new CLI commands to distribute the SIP load among all the available SPUs to better balance SIP traffic. The new commands are set security alg sip bulk-call-mode and set security alg sip enable-call-distribution.

    [See bulk-call-mode and enable-call-distribution.]

Application Security

  • AppQoE support for SaaS applications (NFX Series and SRX Series)—Starting in Junos OS Release 20.4R1, we’ve extended application quality of experience (AppQoE) support for Software as a Service (SaaS) applications.

    AppQoE performs service-level agreement (SLA) measurements across the available WAN links such as underlay, GRE, IPsec or MPLS over GRE. It then sends SaaS application data over the most SLA-compliant link to provide a consistent service.

    To configure AppQoE for SaaS applications:

    1. Define the SLA rule type as SaaS (set security advance-policy-based-routing sla-rule sla1 type saas).

    2. Include SaaS server details in the address book (set security address-book global address address-book dns-name saas-server-url ipv4-only).

    3. Attach the SLA rule to the policy-based APBR profile.

    [See Application Quality of Experience.]

  • SNI-based dynamic application information for SSL proxy profile (SRX Series)—Starting in Junos OS Release 20.4R1, we’ve enhanced the selection mechanism for SSL proxy profiles. An SSL proxy can now use Server Name Indication (SNI) TLS extensions to identify dynamic applications.

    SSL proxy defers SSL profile selection until the dynamic application is detected in a client hello message based on the SNI. Next, the SSL proxy does a firewall rule lookup based on the identified application and selects an appropriate SSL proxy profile.

    Using SNI-based dynamic application information results in more accurate SSL proxy profile selection for the session. By default, this feature is enabled on SRX Series devices.

    [See Unified Policies for SSL Proxy and global-config (Services).]

  • Granular control over DNS-over-HTTP and DNS-over-TLS application traffic (NFX Series, SRX Series and vSRX)—In Junos OS Release 20.4R1, we introduce a new micro-application, DNS-ENCRYPTED, to enhance the application signature package. By configuring this micro-application in a security policy, you can have granular control for DNS-over-HTTP and DNS-over-TLS application traffic.

    The DNS-ENCRYPTED application is enabled by default. You can disable it using the request services application-identification application disable DNS-ENCRYPTED command.

    You can view the details of the micro-applications using the show services application-identification application detail command.

    [See Application Identification Support for Micro-Applications.]

  • Support for tunneling applications in unified policies (SRX Series and vSRX)—In Junos OS Release 20.4R1, we’ve enhanced unified policy functionality on security devices to manage tunneling applications. You can now block a specific tunneling application by using a unified policy.

    For example, to block tunneling applications such as QUIC or SOCKS, you can configure a unified policy with the deny or reject action for these applications.

    [See Application Identification Support for Unified Policies.]

ATP Cloud

  • Support for filtering DNS requests for disallowed domains (SRX4100, SRX4200, SRX4600, and vSRX)—Starting in Junos OS Release 20.4R1, you can configure DNS filtering to identify DNS requests for disallowed domains. You can either:

    • Block access to the disallowed domain by sending a DNS response that contains the IP address or fully qualified domain name (FQDN) of a DNS sinkhole server. This ensures that when the client attempts to send traffic to the disallowed domain, the traffic instead goes to the sinkhole server.

    • Log the DNS request and reject access.

    You can configure the DNS sinkhole only for the DNS profile category.

    [See dns-filtering, security-intelligence, clear services security-intelligence dns-statistics, and show services security-intelligence dns-statistics.]
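The two actions described above (answer with a sinkhole address, or log and reject) as an added example in Python. This is illustration code, not the Junos implementation: the query is constructed inline, the disallowed domains are made-up sample names, the sinkhole address uses the 192.0.2.0/24 documentation range, and answering a rejected query with RCODE REFUSED is an assumption made for the example.

```python
import struct
import ipaddress
from typing import Optional

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a standard A query for name (constructed sample input)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN

def parse_question(msg: bytes):
    """Return (txid, qname, qtype, raw question section) from a DNS query."""
    txid = struct.unpack("!H", msg[:2])[0]
    pos, labels = 12, []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return txid, ".".join(labels).lower(), qtype, msg[12:pos + 4]

DISALLOWED = {"malware-c2.test", "phish-login.test"}   # constructed sample domains
SINKHOLE_IP = "192.0.2.53"                             # stands in for a real sinkhole server
LOG = []

def is_disallowed(qname: str) -> bool:
    """A name is disallowed if it or any parent domain is on the list."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in DISALLOWED for i in range(len(parts)))

def handle_query(msg: bytes, mode: str = "sinkhole") -> Optional[bytes]:
    """Return None to let the query through, or the response to send back instead."""
    txid, qname, qtype, question = parse_question(msg)
    if not is_disallowed(qname):
        return None
    LOG.append(f"dns-filter: blocked query for {qname} (mode={mode})")
    if mode == "sinkhole" and qtype == 1:
        # Answer with the sinkhole address so the client's traffic goes to the sinkhole.
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, NOERROR
        rdata = ipaddress.IPv4Address(SINKHOLE_IP).packed
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata   # name ptr to offset 12
        return header + question + answer
    # Reject: respond with RCODE REFUSED (5) and no answer section.
    header = struct.pack("!HHHHHH", txid, 0x8185, 1, 0, 0, 0)
    return header + question

def response_fields(resp: bytes) -> dict:
    """Decode the fields of a response built by handle_query (rcode, answer count, A address)."""
    flags, _qd, ancount = struct.unpack("!HHH", resp[2:8])
    address = str(ipaddress.IPv4Address(resp[-4:])) if ancount else None
    return {"rcode": flags & 0xF, "ancount": ancount, "address": address}

if __name__ == "__main__":
    print(response_fields(handle_query(build_query("cdn.malware-c2.test"))))
    print(LOG)
```

The sinkhole branch keeps the client's transaction ID and question section so the resolver accepts the answer, which is what makes the client's subsequent connection land on the sinkhole server rather than the disallowed host; the reject branch produces a log line and an empty REFUSED reply.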

Authentication and Access Control

  • Logical domain support for device identity authentication (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 20.4R1, we've enabled logical system and tenant system support for policy search that uses device information from JIMS. The user firewall uses the logical system name or the tenant name as a differentiator. The logical system name or tenant name must be globally unique and consistent in the JIMS server and SRX Series device. The JIMS server forwards the differentiator to be included in the device identification authentication entries. The device authentication entries are distributed into the root logical system.

    [See Understanding Integrated User Firewall support in a Logical System, end-user-profile.]

Chassis Clustering

  • Enabling and disabling control link (SRX1500)—Starting in Junos OS Release 20.4R1, you can enable or disable the control links on SRX1500 using the operational and configuration mode CLI commands listed below.

    In earlier Junos OS releases, if you wanted to disable the control links and fabric links, you had to manually unplug the cables for control links and fabric links, which was very inconvenient.

    Using these commands helps you control the status of the cluster nodes and provides protection against version mismatch during a cluster upgrade, and minimizes failovers.

    Table 4: Configuration and Operational Mode Commands

    Configuration Mode:

    • To disable the control link, run the set chassis cluster control-interface (node0 | node1) disable command on node 0 or node 1.

      Note: If you disable the links using the configuration command, the links remain disabled even after a system reboot.

    • To enable the control link, run the delete chassis cluster control-interface (node0 | node1) disable command on both nodes.

    Operational Mode:

    • To disable the control link from the local node, run the request chassis cluster control-interface (node0 | node1) disable command.

      Note: If you disable the control link using the operational mode command, the link is enabled again after a system reboot.

    • To enable the control link from the local node, run the request chassis cluster control-interface (node0 | node1) enable command.

    You need to ensure that you disable the control and fabric interfaces on both nodes using CLI configuration, to keep control and fabric links disabled when you reboot the nodes.

    Use the set interfaces (fab0 | fab1) disable and delete interfaces (fab0 | fab1) disable CLI commands to disable or enable the fabric interfaces.

    [See cluster (Chassis).]

  • In-service software upgrade (ISSU) (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 20.4R1, you can use the new status option with the request system software in-service-upgrade command to display ISSU status during upgrade.

    [See request system software in-service-upgrade.]

  • Support for single PSU operation without alarms (SRX1500 and SRX4600)—Starting in Junos OS Release 20.4R1, a new argument, pem-absence, is available at the [edit chassis alarm] hierarchy level. You can use set chassis alarm pem-absence ignore to ignore the power supply unit (PSU) alarm. By default, the PSU alarm is raised when any PSU is missing or not energized.

    [See Understanding Chassis Alarms, show chassis alarms, and pem-absence.]

Flow-Based and Packet-Based Processing

  • Express Path+ support for packet-based services in traditional and unified policies (SRX4600, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 20.4R1, Express Path+ (formerly known as services offloading) is supported for packet-based services in traditional and unified policies.

    Table 5 lists the features that are supported by Express Path+.

    Table 5: Features Supported by Express Path+

    Supported Features:

    • ALG

    • APBR (application-based routing): Express Path+ works after APBR ignores subsequent traffic.

    • Web Filtering

    • GPRS (GTP and SCTP)

    • IDP

    • Screens (see Understanding Screens Options on SRX Series Devices)

    • Juniper Security Intelligence (SecIntel)

    • Unified Policies with AppID and URL category matching

    • UserFW

    [See Express Path Overview.]

  • New resource-manager commands (SRX5400)—Starting in Junos OS Release 20.4R1, you can configure memory load and CPU resources using three new resource-manager configuration statements. The new configuration statements service-memory, session-memory, and cpu are available at the [edit security resource-manager] hierarchy level.

    [See services-memory (resource-manager), session-memory (resource-manager), cpu (resource-manager), show resource-manager memory, show resource-manager, show resource-manager cpu, and show security flow session.]

  • Support for trace and debug of data packets (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 20.4R1, you can trace packet footprints. To enable tracing of packet footprints, use the traceoptions flag jexec command at the [edit security flow] or [edit logical-systems logical-system-name security flow] hierarchy level.

    The packet trace logs are captured in a sequential time order. The sequential trace enhances flow debuggability for packet processing with multiple logical systems and tenant systems, tunnel piping, multiple reinjection, and so on.

    [See traceoptions (Security Flow) and show security flow status.]

  • Pass-through authentication of IP-IP and GRE tunnel traffic in TAP mode (SRX300, SRX320, SRX340, SRX345, SRX380, SRX550 HM, SRX1500, and vSRX)—Starting in Junos OS Release 20.4R1, SRX Series devices perform pass-through authentication of IP-IP and GRE tunnel traffic when in TAP mode. To use TAP mode, connect the SRX Series device to the mirror port of the connected switch, which provides a copy of the traffic traversing the switch. In TAP mode, the SRX Series device processes incoming traffic from the TAP interface and generates a security log or report containing information about threats detected, application usage, and user details.

    [See Configure User Authentication Methods.]

  • Enhancement in Resource Management (SRX Series Devices)—Starting in Junos OS Release 20.4R1, when Layer 7 services such as ALG or user firewall create flow sessions, you can control whether the packet is dropped or forwarded when the resource is busy.

    Configure the security-service statement at the [edit security forwarding-options] hierarchy level to implement resource management. When you configure the security service as fail-open, the session skips the application level and forwards the packet.

    By default, the security service is fail-closed, which allows the session to be dropped at the application level. To use the fail-closed behavior, make sure that set security forwarding-options security-service fail-open is not configured.

    [See Traffic Processing on SRX Series Devices Overview.]

  • Enhancement of Flow Reroute in Multiple Routing Table (SRX Series Devices)—Starting in Junos OS Release 20.4R1, flow reroute supports traffic whose route lookup uses multiple routing tables. Before this release, flow reroute was supported with only one routing table.

    If only one routing table is involved in the route lookup, the reroute implementation is unchanged. If more than one routing table is involved in the route lookup and a route changes in any one of those routing tables, you can mark all the affected flows for reroute. Up to 16 routing tables are supported.

    [See Traffic Processing on SRX Series Devices Overview.]

Interfaces and Chassis

  • CPU load monitoring (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 20.4R1, the reswatch process is used to monitor Routing Engine CPU load and Junos kernel usage.

    [See resource-watch.]

  • Support for captive portal on Wi-Fi Mini-Physical Interface Module (SRX320, SRX340, SRX345, SRX380, and SRX550HM)—Starting in Junos OS Release 20.4R1, we support captive portal for integrated guest access management on the Wi-Fi Mini-PIM card. You can set up captive portal authentication to do either of the following:

    • Redirect Web browser requests to a login page that requires the user to input a simple password.

    • Use username and password authentication with the RADIUS server.

    To configure captive portal, you must enable a DHCP server and configure two address pools for the Wi-Fi interface. After you configure captive portal, you can customize the login page display settings.

    You can enable or disable captive portal on different virtual access points (VAPs); VAPs under the same access point use the same captive portal authentication type.

    [See Wi-Fi Mini-Physical Interface Module Overview.]

  • Support for Annex J and G.Fast with specialized SFP (SRX380, SRX300, SRX320, SRX340, and SRX345)—Starting in Junos OS Release 20.4R1, we support the G.Fast and Annex J specifications with the xDSL SFP for ADSL2/ADSL2+ and all VDSL2 profiles on SRX Series devices. Annex J is a specification in ITU-T recommendations G.992.3 and G.992.5 for all-digital-mode ADSL with improved spectral compatibility with ADSL over ISDN. You can configure Annex J by using the dsl-sfp-options CLI command.

    [See Configuring ADSL Interfaces.]

Intrusion Detection and Prevention

  • IDP utility to read PCAP and generate protocol contexts (SRX1500, SRX4200, SRX4600, vSRX, and vSRX3.0)—Starting in Junos OS Release 20.4R1, you can use the pcap-analysis operational command to display the generated IDP contexts.

    Run the operational command request security idp pcap-analysis /var/tmp/http.pcap from-zone trust to-zone untrust, providing the zone details so that the utility selects the corresponding interface. The output lists the IDP contexts associated with the PCAP, the data matched for each IDP context, and the attacks detected. For the utility to detect contexts and attacks, you must first configure the rulebase, the active IDP policy, and the interfaces with the necessary configuration such as IPv4 addresses, zones, and policies.

    You can process files of up to 3 MB, and a maximum of 8K of context data is saved to generate a unique context.

    [See IDP Utility for PCAP.]

Juniper Extension Toolkit (JET)

  • Juniper Extension Toolkit (JET) support for 64-bit applications (MX5, MX10, MX40, MX80, MX104, MX150, MX204, MX240, MX480, MX960, MX2008, MX2010, MX2020, MX10003, MX10008, MX ELM, JunosV Firefly, cSRX, SRX100, SRX110, SRX210, SRX220, SRX240, SRX300, SRX320, SRX340, SRX345, SRX550, SRX550HM, SRX650, SRX720E, SRX750E, SRX1400, SRX1500, SRX3400, SRX3600, SRX4100, SRX4200, SRX4400, SRX4600, SRX4800, SRX5400, SRX5600, SRX5800, SRX7X0E, SRX-ES7, SRX-ES8, VMX, and VSRX)—Starting in Junos OS Release 20.4R1, JET supports 64-bit applications. Use the following commands to compile 64-bit applications for use with the AMD64 or ARM64 64-bit processor architecture.

    • mk-amd64: Compiles the application for use with AMD64 and Junos OS with FreeBSD.

    • mk-amd64,bsdx: Compiles the application for use with AMD64 and Junos OS with upgraded FreeBSD.

    • mk-arm64,bsdx: Compiles the application for use with ARM64 and Junos OS with upgraded FreeBSD.

    [See Develop On-Device JET Applications.]

Junos OS XML and API Scripting

  • Start time option for interval-based internal events that trigger event policies (EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.4R1, when you create an interval-based internal event for triggering event policies, you can specify the start date and time for the initial event. To specify a start time, configure the start-time option along with the time-interval option at the [edit event-options generate-event] hierarchy level.

    [See Generating Internal Events to Trigger Event Policies.]

J-Web

  • Enhanced Setup Wizard (SRX Series)—Starting in Junos OS Release 20.4R1, we’ve refreshed the Setup Wizard settings for better experience. You can:

    • Access the wizard with the changed menu by selecting Device Administration>Reset Configuration.

    • View the new look of the wizard page.

    • Create one admin user with super user permissions.

    • Add and search NTP servers inline.

    • Synchronize device time with your computer time.

    • Configure interfaces directly under Zones & Interfaces instead of using a pop-up page.

    • Configure Tap settings with reorganized options.

    • View improved statements in the commit-success page.

    In Standalone mode, the Setup Wizard does not support advanced services configuration.

    [See Start J-Web.]

  • Support for captive portal (SRX Series)—Starting in Junos OS Release 20.4R1, you can configure captive portal while creating a rule on the Security Policies page. Captive portal authenticates a user who requests access to a resource protected by the SRX Series device through an HTTPS browser session. You can access these configuration options at Security Policies & Objects>Security Policies.

    [See Add a Rule.]

  • Change in the Monitor tab menus (SRX Series)—Starting in Junos OS Release 20.4R1, we’ve reorganized the Monitor tab into the following menus for enhanced experience:

    • Interfaces

    • Logs

    • Maps and Charts

    • Statistics

    • Reports

    Additionally:

    • Support for Adobe Flash Player will end on December 31, 2020. Therefore, J-Web will support only the Monitor tab submenus that don’t require Flash components.

    • A new Traffic Map page is added under Monitor>Maps and Charts. Use this page to visualize inbound and outbound traffic between geographic regions.

    [See Monitor Interfaces and Monitor Traffic Map.]

  • Enhanced Source NAT feature (SRX Series)—Starting in Junos OS Release 20.4R1, we’ve refreshed the Source NAT page to improve user experience. You can configure:

    • Source NAT inline on the NAT Policies page (Create>Source NAT).

    • Source NAT pool and destination NAT pool on the NAT Pools page (Create>Source NAT Pool or Create>Destination NAT Pool).

    [See About the NAT Policies Page.]

Layer 2 Features

  • LLDP on routed and reth interfaces (SRX1500)—Starting in Junos OS Release 20.4R1, Link Layer Discovery Protocol (LLDP) is supported on routed interfaces and redundant Ethernet (reth) interfaces. LLDP is a link-layer protocol used by network devices to advertise capabilities, identity, and other information to a LAN.

    [See LLDP Overview.]

Logical Systems and Tenant Systems

  • Support for MAP-E confidentiality CLI statement (NFX150, NFX250, NFX350, and SRX1500)—Starting in Junos OS Release 20.4R1, we’ve introduced a global MAP-E confidentiality CLI statement to hide MAP-E rule parameters in CLI show commands and logs. To enable this configuration, include the confidentiality statement at the [edit security softwires map-e] hierarchy level. You need administrator privileges to enable or disable this configuration. This feature is supported for all domains of MAP-E.

    [See confidentiality and show security softwires map-e confidentiality status.]

Multinode High Availability

  • Multinode high availability solution (SRX5400, SRX5600, and SRX5800 with SPC3 card)—In Junos OS Release 20.4R1, we introduce the multinode high availability solution, where two SRX Series devices can be either co-located or spread across geographies. This solution also provides redundancy across service levels.

    When you configure multinode high availability in the SRX Series device (in the active-backup mode), one node acts as the active device and the other acts as the backup device, ensuring failover of services to the backup device in the event of software, hardware, or path monitoring failure. Traffic is then routed toward the active node by upstream and downstream routers.

    The active and backup nodes are interconnected with an IP-based link called interchassis link (ICL). The active and backup nodes synchronize data plane based session states. They also synchronize control plane states for certain services.

    Table 6 lists the multinode high availability features that we support.

    Table 6: Feature Support for Multinode High Availability

    • Active and Backup modes: We've introduced active and backup states on SRX Series devices that operate in the multinode HA mode.

      [See Multinode High Availability.]

    • IPsec VPN support: The IPsec feature is supported on multinode HA. IPsec runs actively on one node (the active node) and can fail over to the secondary node (the backup node). IKE negotiations occur on the active node, and the states are synchronized with the backup node. After a switchover, the backup node takes over the primary role and continues without bringing down the tunnels.

      You can run the show commands on both the active and backup nodes to display the status of IKE and IPsec security associations. You can delete the IKE and IPsec security associations only on the active node.

      [See Support for VPN on HA Nodes in Multinode High Availability Solution.]

    When a packet enters a flow session that belongs to an IPsec VPN on the backup node, the packet is dropped. When a packet enters a clear-text session, the clear-text session moves to the active state irrespective of the control plane transition state. When you configure the set chassis high-availability services-redundancy-group 1 process-packet-on-backup command, IPsec VPN packets are not dropped on the backup node.

Network Management and Monitoring

  • Configuration retrieval using the configuration revision identifier (EX3400, EX4300, MX204, MX240, MX480, MX960, MX2020, PTX3000, PTX10008, QFX5100, QFX10002-60C, SRX5800, vMX, and vSRX)—Starting in Junos OS Release 20.4R1, you can use the configuration revision identifier feature to view the configuration for a specific revision. This configuration database revision can be viewed with the CLI command show system configuration revision.

    [See show system configuration revision.]

  • Junos XML protocol operations support loading and comparing configurations using the configuration revision identifier (EX3400, EX4300, MX204, MX240, MX480, MX960, MX2020, PTX3000, PTX10008, QFX5100, QFX10002-60C, SRX5800, vMX, and vSRX)—Starting in Junos OS Release 20.4R1, the Junos XML management protocol operations support loading and comparing configurations by referencing the configuration revision identifier of a committed configuration. You can execute the <load-configuration> operation with the configuration-revision attribute to load the configuration with the given revision identifier into the candidate configuration. Additionally, you can compare the candidate or active configuration to a previously committed configuration by referencing the configuration revision identifier for the comparison configuration. The <get-configuration> operation supports the compare="configuration-revision" and configuration-revision attributes to perform the comparison.

    [See <get-configuration> and <load-configuration>.]

Securing GTP and SCTP Traffic

  • Support for listening mode, syslog identity information, and rate-limit configuration enhancement (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 20.4R1, we support:

    • GTP listening mode—The SRX Series firewall enables GPRS tunneling protocol (GTP) listening mode on the S5, S8, or S11 interface. In listening mode, the firewall can perform sanity checks and stateful inspection on GTP packets per the GTP configuration. To configure, include the listening-mode statement at the [edit security gtp profile profile-name] hierarchy level.

    • Syslog identity information—This feature adds information such as the user equipment (UE) IP address, International Mobile Station Identity (IMSI), and access point name (APN) to existing syslog messages during GTP management. This helps in mapping identities between a user ID and an IP address.

    • rate-limit configuration enhancement—We’ve added an alarm threshold option and a drop threshold option to the existing rate-limit configuration. This enhancement reduces the duplicate drop logs for the destination GPRS support node (GSN).

    [See listening-mode and rate-limit (Security GTP).]

Security

  • Unified policies support for zone-context and global-level policies (SRX Series and vSRX)—Starting in Junos OS Release 20.4R1, unified policies support both zone-context and global-level policies at the same time. In previous releases, unified policies supported only zone-context policies.

    If any unified policy matches, either in a zone context or in the global context, it is added to the potential match list.

    If there is no match in the zone-context, policy search occurs in the global context.

    [See Global Security Policies.]
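The two-stage search described above (zone-context policies first, then the global context, with unified policies held on a potential match list until the application is identified) as an added example in Python. This is a simplified model written for this page, not the Junos policy engine: the policy names, zone names, application tags and the default-deny fallback are constructed for the example, and the rule that a traditional policy ahead of any unified policy is a final match is an assumption of the model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Policy:
    name: str
    from_zone: Optional[str]     # None on both zone fields marks a global policy
    to_zone: Optional[str]
    dst_port: Optional[int]      # None matches any destination port
    dynamic_app: Optional[str]   # set on unified policies; needs AppID before a final match
    action: str

def _l4_match(p: Policy, flow: dict) -> bool:
    return p.dst_port is None or p.dst_port == flow["dst_port"]

def potential_matches(policies: List[Policy], flow: dict) -> Tuple[List[Policy], str]:
    """Zone-context matches win; the global context is searched only when there are none."""
    zone_ctx = [p for p in policies
                if p.from_zone == flow["from_zone"] and p.to_zone == flow["to_zone"]
                and _l4_match(p, flow)]
    if zone_ctx:
        return zone_ctx, "zone"
    global_ctx = [p for p in policies
                  if p.from_zone is None and p.to_zone is None and _l4_match(p, flow)]
    return global_ctx, "global"

def lookup(policies: List[Policy], flow: dict, identified_app: Optional[str] = None):
    """Return (policy name, context). A policy name of None means the session is
    waiting for application identification before the final match can be made."""
    candidates, ctx = potential_matches(policies, flow)
    for p in candidates:                       # configured order decides precedence
        if p.dynamic_app is None:
            return p.name, ctx                 # traditional policy: final without AppID
        if identified_app is None:
            return None, ctx                   # unified policy ahead: defer until AppID
        if p.dynamic_app == identified_app:
            return p.name, ctx
    return "default-deny", ctx                 # nothing matched in either context

# Constructed sample policy set (names and app tags are not Junos identifiers).
POLICIES = [
    Policy("trust-untrust-allow-web", "trust", "untrust", 443, "app-https", "permit"),
    Policy("trust-untrust-deny-socks", "trust", "untrust", None, "app-socks", "deny"),
    Policy("global-allow-dns", None, None, 53, None, "permit"),
]

if __name__ == "__main__":
    web = {"from_zone": "trust", "to_zone": "untrust", "dst_port": 443}
    print(lookup(POLICIES, web))               # (None, 'zone'): waiting for AppID
    print(lookup(POLICIES, web, "app-https"))  # ('trust-untrust-allow-web', 'zone')
```

The model makes the edge case visible: a flow from a zone pair that has no zone-context policy falls through to the global context, while a flow that does hit a zone-context unified policy never consults the global context, even if the application turns out not to match there.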

  • Tunnel inspection for VXLAN passthrough (SRX4100, SRX4200, SRX4600, and vSRX)—Starting in Junos OS Release 20.4R1, you can allow L4 or L7 services to perform an inspection of the inner Ethernet frame. VXLAN is one of the supported protocols, and the feature is designed to accommodate most overlay or underlay protocols that require inner inspection. VXLAN traffic is inspected only if a security policy is configured to perform the inspection.

    [See tunnel-inspection and show security flow session.]

  • Security policy support for security inspection on VXLAN tunnels (SRX4100, SRX4200, SRX4600, and vSRX)—Starting in Junos OS Release 20.4R1, you can perform security inspection on VXLAN tunnels by performing policy control twice. Configure an outer policy for the outer header and an inner policy for the inner header.

    Configure a tunnel inspection profile to connect the outer policy and the inner policy. The tunnel inspection profile is attached to the outer policy and points to a group of inner policies (a policy set). When the packet matches the outer policy, the SRX Series device decapsulates the packet to obtain the inner header. Using the inner packet content together with the tunnel inspection profile attached to the outer policy, the second policy lookup finds the desired inner policy and applies its security services to the inner packet.

    [See tunnel-inspection.]

  • Support for unidirectional session refreshing (SRX Series)—Starting in Junos OS Release 20.4R1, SRX Series devices support unidirectional session refreshing. You can do either of the following:

    • Refresh a session by any packet from any direction. This is an existing session-refreshing mechanism and the default behavior.

    • Refresh a session by only the packets in the initial direction (unidirectional refreshing).

    By default, unidirectional session refreshing is disabled. To enable the feature, include the unidirectional-session-refreshing statement at the [edit security zones security-zone zone-name] hierarchy level.

    [See unidirectional-session-refreshing.]
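The difference between the two refresh modes above, shown on a timeline as an added example in Python. This is a model written for this page, not the Junos flow module: the session table, the 30-second idle timeout, the addresses and the reply-only traffic pattern are constructed for the example. It shows the failure mode the unidirectional option addresses, a session that only ever sees packets in the reply direction being kept alive indefinitely by the default refresh behavior.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    src: str                       # initiator of the session (initial direction: src -> dst)
    dst: str
    idle_timeout: float
    last_refresh: float
    unidirectional: bool = False   # models unidirectional-session-refreshing on the zone

    def on_packet(self, frm: str, to: str, now: float) -> bool:
        """Apply a packet to the session; return True if it refreshed the idle timer."""
        initial_direction = (frm == self.src and to == self.dst)
        if initial_direction or not self.unidirectional:
            self.last_refresh = now
            return True
        return False               # reply-direction packet ignored in unidirectional mode

    def is_expired(self, now: float) -> bool:
        return now - self.last_refresh >= self.idle_timeout

def simulate_reply_only_traffic(unidirectional: bool, horizon: float = 120.0) -> Optional[float]:
    """Open a session with one client packet at t=0, then deliver only server-to-client
    packets every 10 s. Return the time the session expires, or None if it is still
    alive at the horizon. Addresses are constructed sample values."""
    s = Session("10.0.0.10", "203.0.113.5", idle_timeout=30.0,
                last_refresh=0.0, unidirectional=unidirectional)
    t = 0.0
    while t < horizon:
        t += 1.0                   # one-second expiry sweep
        if s.is_expired(t):
            return t
        if t % 10 == 0:
            s.on_packet(s.dst, s.src, t)   # reply direction only; client has gone quiet
    return None

def simulate_client_keepalive(unidirectional: bool, horizon: float = 120.0) -> Optional[float]:
    """Same sweep, but the client keeps sending every 10 s; both modes keep the session."""
    s = Session("10.0.0.10", "203.0.113.5", idle_timeout=30.0,
                last_refresh=0.0, unidirectional=unidirectional)
    t = 0.0
    while t < horizon:
        t += 1.0
        if s.is_expired(t):
            return t
        if t % 10 == 0:
            s.on_packet(s.src, s.dst, t)   # initial direction refreshes in either mode
    return None

if __name__ == "__main__":
    print("default refresh, reply-only traffic:", simulate_reply_only_traffic(False))
    print("unidirectional, reply-only traffic:", simulate_reply_only_traffic(True))
```

With the default behavior the reply-only session never ages out; with unidirectional refreshing it expires at the idle timeout because the refresh timer only moves on packets from the initiator, while a client that is still sending keeps the session alive in either mode.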

Unified Threat Management (UTM)

  • Custom response page in UTM Web filtering profile (SRX Series and vSRX)—Starting in Junos OS Release 20.4R1, you can configure a custom response page for a URL that is configured with the block or quarantine actions in the UTM Web filtering profile. The custom response page can include predefined page variables, your corporate branding, acceptable use policies, and links to your internal resources. You can enable the custom-page statement at the [edit security utm custom-objects custom-message name type] hierarchy level and configure the customized HTML file at the [edit security utm custom-objects custom-message name custom-page-file file-name] hierarchy level.

    [See custom-page, custom-page-file, and custom-message (Security Web Filtering).]

  • URL pattern wildcard enhancement (SRX Series and vSRX)—Starting in Junos OS Release 20.4R1, the URL pattern supports new regular expressions and defines new pattern matching rules for the domain name and URL path. This enhancement allows you to configure better and user-friendly URL pattern matching in the Web filtering function. You can use the asterisk (*), caret (^), and question mark (?) wildcards for a domain name match. The URL match supports the prefix match and keyword match. You can use the asterisk (*) wildcard for the URL match.

    [See url-pattern.]

  • Dynamic-address group rescan enhancement (SRX Series and vSRX)—In the current dynamic-address implementation, when you add a host address to the dynamic-address group, the system does not terminate and rescan the existing sessions of the host. Starting in Junos OS Release 20.4R1, when you add a host address to the dynamic-address group, the system rescans the sessions including the existing sessions to ensure that the traffic matches the updated policy. The session-scan option is disabled by default. You can enable the session-scan option at the [edit security dynamic-address address-name name session-scan] or [edit security dynamic-address session-scan] hierarchy level.

    [See session-scan and hold-interval.]

VPNs

  • Support for load redistribution (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 20.4R1, you can redistribute or migrate a tunnel that belongs to a site-to-site or Auto VPN gateway to a new processing unit. Load distribution of tunnels tears down the tunnels associated with a peer and anchors them to the user-specified processing unit the next time a tunnel for the same peer is established. Use the request security re-distribution ipsec-vpn command to specify the processing unit to which you want to distribute or migrate the tunnels.

    [See request security re-distribution ipsec-vpn, show security re-distribution ipsec-vpn, and show security ipsec tunnel-distribution.]

  • PowerMode IPsec support (SRX4600)—PowerMode IPsec (PMI) is supported on SRX5400, SRX5600, SRX5800, and vSRX. Starting in Junos OS Release 20.4R1, you can configure PMI on the SRX4600 as well. PMI provides IPsec performance improvements using Vector Packet Processing (VPP) and Intel Advanced Encryption Standard New Instructions (AES-NI). SRX4600 also supports the fat core feature, which increases single-tunnel performance. If one tunnel carries heavy traffic while the other tunnels carry less, the resources within the fat group are shared, resulting in even CPU utilization.

    [See Improving IPsec Performance with PowerMode IPsec and power-mode-ipsec.]

  • PowerMode IPsec performance improvement (SRX5400, SRX5600, and SRX5800 with SPC3 cards)—Starting in Junos OS Release 20.4R1, we've improved PowerMode IPsec (PMI) performance by distributing load between the AES-NI instructions on the SPUs and the on-board Intel QuickAssist Technology (QAT). Hardware-based cryptographic acceleration for symmetric fat tunnels in SPC3 cards provides higher performance, and the load balancing helps to provide higher IPsec throughput. PMI uses AES-NI and QAT for encryption and the FPGA for decryption. To enable QAT with AES-NI, include the power-mode-ipsec-qat statement at the [edit security flow] hierarchy level.

    [See power-mode-ipsec-qat and inline-fpga-crypto.]

What's Changed

Learn about what changed in the Junos OS main and maintenance releases for SRX Series.

What’s Changed in Release 20.4R3

Network Management and Monitoring

  • The configuration accepts only defined identity values for nodes of type identityref in YANG data models (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—If you configure a statement that has type identityref in the corresponding YANG data model, the device accepts only defined identity values (as defined by an identity statement) as valid input. In earlier releases, the device also accepts values that are not defined identity values.

What’s Changed in Release 20.4R2

Flow-Based and Packet-Based Processing

  • Default MKA transmit interval (SRX380)—On SRX380 devices, the default MACsec Key Agreement (MKA) transmit interval is 2000 milliseconds. If you deploy an SRX380 device with another security peer device over a MACsec secure link, you must change the MKA transmit interval on the peer device to 2000 milliseconds to match the new default MKA transmit interval of the SRX380 device.

    [See transmit-interval (MACsec).]

  • New output field added in show pfe statistics traffic command (SRX380)—Starting in Junos OS Release, you’ll see Unicast EAPOL in the output of the show pfe statistics traffic command.

    [See show pfe statistics traffic.]

  • Self-generated IKE packets choose the outgoing interface matching the source IP address (SRX Series)—A self-generated Internet Key Exchange (IKE) packet always selects the ECMP outgoing interface that matches its source IP address. Note that filter-based forwarding for self-generated traffic with rerouting is not supported.

Junos XML API and Scripting

  • The jcs:invoke() function supports suppression of root login and logout events in system log files for SLAX commit scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The jcs:invoke() extension function supports the no-login-logout parameter in SLAX commit scripts. If you include the parameter, the function does not generate and log UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages when the script logs in as root to execute the specified remote procedure call (RPC). If you omit the parameter, the function behaves as in earlier releases in which the root UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages are included in system log files.

    [See invoke() Function (SLAX and XSLT).]

  • The jcs:invoke() function supports suppression of root login and logout events in system log files for SLAX event scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The jcs:invoke() extension function supports the no-login-logout parameter in SLAX event scripts. If you include the parameter, the function does not generate and log UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages when the script logs in as root to execute the specified remote procedure call (RPC). If you omit the parameter, the function behaves as in earlier releases in which the root UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages are included in system log files.

    [See invoke() Function (SLAX and XSLT).]

VPNs

  • View the traffic selector type for an IPsec tunnel (SRX Series and MX Series)—You can run the show security ipsec security-associations detail command to display the traffic selector type for a VPN. The show security ipsec security-associations detail command displays proxy-id or traffic-selector as a value for the TS Type output field based on your configuration.

    [See show security ipsec security-associations.]

What’s Changed in Release 20.4R1

Class of Service (CoS)

  • We've corrected the output of the show class-of-service interface | display xml command. Output of the following sort:

    <container>
      <leaf-1> data </leaf-1>
      <leaf-2> data </leaf-2>
      <leaf-3> data </leaf-3>
      <leaf-1> data </leaf-1>
      <leaf-2> data </leaf-2>
      <leaf-3> data </leaf-3>
    </container>

    will now appear correctly as:

    <container>
      <leaf-1> data </leaf-1>
      <leaf-2> data </leaf-2>
      <leaf-3> data </leaf-3>
    </container>
    <container>
      <leaf-1> data </leaf-1>
      <leaf-2> data </leaf-2>
      <leaf-3> data </leaf-3>
    </container>

Flow-Based and Packet-Based Processing

  • On SRX Series devices in earlier releases, no alarm was set when the session table was full. Starting from this release, when flow session table utilization reaches 95% on an FPC and PIC, the alarm message "Flow session table is almost full on FPC <number> PIC <number>" is set. Similarly, when DCP session table utilization reaches 95% on an FPC and PIC, the alarm message "DCP session table is almost full on FPC <number> PIC <number>" is set.

    [See Understanding Session Cache.]

  • Default MKA transmit interval (SRX380)—On SRX380 devices, the default MACsec Key Agreement (MKA) transmit interval is 2000 milliseconds. If you deploy an SRX380 device with another security peer device over a MACsec secure link, you must change the MKA transmit interval on the peer device to 2000 milliseconds to match the new default MKA transmit interval of the SRX380 device.

    [See transmit-interval (MACsec).]

Intrusion Detection and Prevention (IDP)

  • Intelligent Offload State (SRX Series)—We've introduced a new field in the show security idp status command output that shows the status of IDP intelligent offload.

    [See show security idp status.]

Interfaces and Chassis

  • g mode supported on radio 2.4GHz of Wi-Fi MPIM (SRX320, SRX340, SRX345, and SRX550M)—Starting in Junos OS Release 20.4R1, radio 2 with frequency 2.4 GHz supports mode g on SRX Wi-Fi MPIM.

    [See Wi-Fi Mini Physical Interface Module (MPIM).]

J-Web

  • Adobe Flash Player support (SRX Series)—Adobe Flash Player support will end on December 31, 2020. Due to this, the Flash dependent J-Web monitor pages will not load correctly for Junos OS Release 20.3R1 and earlier releases.

  • Change in the J-Web browser tab title (SRX Series)—The J-Web browser tab title displays the device model and hostname. These details are also displayed when you hover over the J-Web browser tab.

    For example, when you access J-Web for an SRX320 device with the hostname srx320-xyz, the J-Web browser tab displays the title as J-Web (srx320 – srx320-xyz).

    If the hostname isn’t configured, the J-Web browser tab title displays the host URL or IP address; for example, J-Web (srx320 – <device IP address>).

Network Address Translation (NAT)

  • Port block allocation support (SRX300, SRX320, SRX340, SRX345, SRX380, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600)—You can configure a port block allocation size of 1 through 64512. To save system memory, the recommended port block allocation size is 64. If you configure a port block allocation size smaller than 64, the system displays the warning message: warning: To save system memory, the block size is recommended to be no less than 64. In earlier releases, you could configure a port block allocation size of 1 through 64512 on SRX5400, SRX5600, and SRX5800 only.

    [See Configure Port Block Allocation Size.]

Network Management and Monitoring

  • Warning changed for configuration statements that correspond to deviate not-supported nodes in YANG data models (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—If you configure a statement corresponding to a YANG data model node that defines the deviate not-supported statement, the Junos OS configuration annotates that statement with the comment Warning: statement ignored: unsupported platform. In earlier releases, the warning is Warning: 'statement' is deprecated.

Platform and Infrastructure

Securing GTP and SCTP Traffic

  • Deprecated CLI configuration statements and operational commands for GTP and SCTP (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 20.4R1, we've removed the term gprs from all the configuration statements and operational commands for GTP and SCTP. As a part of this change:

    • We've deprecated the [set security gprs] hierarchy level and all the configuration options under it.

    • All the configuration statements previously available under the [set security gprs gtp] hierarchy level are now available under the [set security gtp] hierarchy level.

    • All the configuration statements previously available under the [set security gprs sctp] hierarchy level are now available under the [set security sctp] hierarchy level.

    • Replace the show security gprs gtp configuration command with the show security gtp profile command.

    • Replace the identifier option with profile-name in the show security gtp profile command.

    • For default applications such as junos-gprs-gtp and junos-gprs-sctp, you need not remove the term gprs.

    [See Configuration Statements and Operational Commands.]
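    As an added example (not part of these release notes and not Juniper code), the following Python helper applies the renames listed above to a set-format configuration export and to the show command, and flags any statement left under the removed [security gprs] hierarchy for manual review. Because only the leading hierarchy tokens are matched, values such as junos-gprs-gtp keep the term gprs, as the notes require. The sample statements are constructed, and the positional form of the show command's identifier option is an assumption.

```python
import re
from typing import List, Tuple

# Deprecated hierarchy prefixes and their replacements, per the 20.4R1 notes.
HIERARCHY_MAP = {
    ("security", "gprs", "gtp"): ("security", "gtp"),
    ("security", "gprs", "sctp"): ("security", "sctp"),
}
CONFIG_VERBS = {"set", "delete", "activate", "deactivate"}


def migrate_statement(line: str) -> str:
    """Return the statement with a deprecated prefix replaced, else unchanged.

    Only the leading hierarchy tokens are compared, so the term gprs inside
    values such as junos-gprs-gtp is deliberately left untouched.
    """
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in CONFIG_VERBS:
        return line
    verb, rest = tokens[0], tokens[1:]
    for old, new in HIERARCHY_MAP.items():
        if tuple(rest[: len(old)]) == old:
            return " ".join((verb, *new, *rest[len(old):]))
    return line


def migrate_config(config: str) -> Tuple[List[str], List[str]]:
    """Migrate every statement in a set-format export.

    Returns (migrated lines, statements still under [security gprs]); the
    second list has no mapping in the notes and needs manual review.
    """
    migrated, unresolved = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        new_line = migrate_statement(line)
        migrated.append(new_line)
        tokens = new_line.split()
        if (len(tokens) >= 3 and tokens[0] in CONFIG_VERBS
                and tokens[1:3] == ["security", "gprs"]):
            unresolved.append(new_line)
    return migrated, unresolved


def migrate_show_command(command: str) -> str:
    """Rewrite 'show security gprs gtp configuration [identifier NAME]'.

    Assumption: identifier was a positional option after 'configuration'.
    Other commands are returned unchanged.
    """
    pattern = r"^show security gprs gtp configuration(?:\s+identifier\s+(\S+))?\s*$"
    match = re.match(pattern, command.strip())
    if not match:
        return command
    name = match.group(1)
    return "show security gtp profile" + (f" profile-name {name}" if name else "")


# Constructed sample export (not taken from a real device).
SAMPLE_CONFIG = """\
set security gprs gtp profile gtp-prof timeout 30
deactivate security gprs sctp profile sctp-prof
set security gprs some-removed-option
set applications application custom-gtp application-protocol junos-gprs-gtp
set security policies from-zone trust to-zone untrust policy p1 match application junos-gprs-sctp
"""

if __name__ == "__main__":
    lines, leftovers = migrate_config(SAMPLE_CONFIG)
    print("\n".join(lines))
    for item in leftovers:
        print("needs manual review:", item)
    print(migrate_show_command("show security gprs gtp configuration identifier gtp-prof"))
```

    Run the migrated statements through a commit check on a lab device before applying them; the helper only rewrites hierarchy prefixes and does not know which options survived the rename.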

User Interface and Configuration

  • Verbose format option for exporting JSON configuration data (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The Junos OS CLI exposes the verbose statement at the edit system export-format json hierarchy level. The default format for exporting configuration data in JSON changed from verbose format to ietf format starting in Junos OS Release 16.1R1. You can explicitly specify the default export format for JSON configuration data by configuring the appropriate statement at the edit system export-format json hierarchy level. Although the verbose statement is exposed in the Junos OS CLI as of the current release, you can configure this statement starting in Junos OS Release 16.1R1.

    [See export-format.]

VPNs

  • Dynamic CA profiles loaded only on active nodes (SRX5400, SRX5600, and SRX5800)—When you enable the multinode high availability feature, the dynamic CA profiles are loaded only on the active node, during the IKE negotiation. If a failover occurs, the new active node undergoes a new IKE negotiation and loads the dynamic CA certificates as part of that negotiation. When PKID restarts, dynamic CA certificates are deleted only from the node where PKID was restarted.

  • Public key infrastructure warning message (SRX5400, SRX5600, SRX5800)—When you generate a public key infrastructure (PKI) public/private key pair for a local digital certificate with a key pair size of 4096 bits and DSA encryption, a warning message is displayed:

    root@hostname> request security pki generate-key-pair certificate-id test type dsa size 4096
    Generating a key-pair with a large modulus is very time-consuming. Progress is reported to the trace log, and a log message is generated upon completion.

    Because generating a local digital certificate with a large key pair size is time consuming, we recommend that you check the trace log for the progress of the key pair generation.

    [See request security pki generate-key-pair (Security).]

  • Delay in VPN tunnel establishment negotiation (SRX5400, SRX5600, and SRX5800)—In an IPsec VPN configuration, if you configure the establish-tunnels immediately option under the [edit security ipsec vpn <vpn-name>] hierarchy, it may take up to five seconds to start the negotiation for VPN tunnel establishment. In earlier Junos OS releases, the negotiation for VPN tunnel establishment starts immediately.

    [See vpn (Security).]

  • The junos-ike package installed by default (SRX5000 line of devices)—For the SRX5000 line of devices with RE3 installed, the junos-ike package is installed by default. As a result, the iked and ikemd processes run on the Routing Engine by default instead of the IPsec key management daemon (kmd). In earlier Junos OS releases, the junos-ike package is an optional package for SRX5000 devices with RE3, and the IPsec Key Management Daemon (KMD) runs by default.

    [See Enabling IPsec VPN Feature Set on SRX5K-SPC3 Services Processing Card.]

  • IKE index displayed in show security ipsec security-associations detail output (SRX5400, SRX5600, and SRX5800)—When you execute the show security ipsec security-associations detail command, a new output field, IKE SA Index, is displayed for every IPsec Security Association (SA) within a tunnel, under that SA's information.

    [See show security ipsec security-associations.]

Known Limitations

Learn about known limitations in this release for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Flow-Based and Packet-Based Processing

  • For accelerated flows such as Express Path, the packet or byte counters in the session close log and show session output take into account only the values that accumulated while traversing the NP. PR1546430

General Routing

  • IPC cannot handle pushing 50,000 NAT rules with complicated matching criteria from the Routing Engine to the Packet Forwarding Engine. It is hard to state simply how many rules with complicated matching criteria can be supported, because memory consumption depends on the rule content. PR1481845

  • After a Junos OS DHCP server pool change, br-lan waits for the lease timeout before getting a new IP address from the new DHCP pool. PR1516241

  • On SRX380 devices, in the output of the show security macsec statistics command, when encryption-offset is enabled, the encrypted bytes and encrypted packets counters include both encrypted and protected bytes. PR1534840

  • On SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 devices, if CoS code points with values other than 000 are configured, packet loss might be seen for certain traffic patterns due to the firewall not having enough buffer. PR1544709

  • Due to enhancements in AppID starting in Junos OS Release 21.1R1, database files are not compatible with earlier releases. Hence, this issue is expected during a downgrade from Junos OS Release 21.1R1 to earlier releases. PR1554490

  • On all Junos platforms, an l2ald crash could be observed when changing a routing instance from VPLS to a non-L2 routing instance while the same routing-instance name is used for both the VPLS and the non-L2 routing instance. PR1586516

J-Web

  • The Threat Map page available under the Monitor menu does not support a redirection to the Logs page from top destination countries, top source countries, and specific country threat count. PR1542392

  • HTTP client applications such as wget version 1.12 or earlier, which use HTTP/1.0 for their requests, encounter request timeouts. PR1552063

  • Known issues on the NAT Policies page:

    • White space when reordering multiple rules: When you reorder more than one rule at a time using drag and drop, white space appears where the rules were dropped. It disappears when the grid is scrolled up or down.

    • Hit count value zero when searching for a rule: The hit count field in the search results always shows zero. In the normal grid view, when no search is being performed, the hit count is updated correctly.

    • Policy grid greyed out: The policy grid is greyed out while adding a new rule with an existing context or ruleset expanded and scrolled down more than about 20 rules. The page loads normally if you refresh the menu.

    • Select all checkbox and delete: When the Select all checkbox is used repeatedly, or when deleting multiple rules using the Select all checkbox, you may receive a browser warning: A Web page is slowing down your browser. PR1558757

  • The Firefox browser displays an unsaved changes error message in the J-Web Basic Settings page if the Autofill logins and passwords option is selected under the Browser Privacy and security settings. PR1560549

Routing Policy and Firewall Filters

  • On all SRX platforms with TCP proxy enabled, the firewall TCP proxy does not send the window scale TCP option if a dynamic application is configured in the security policies. This might reduce throughput. PR1492738

VPNs

  • In some scenarios (for example, when configuring a firewall filter), SRX5000 line devices might show an obsolete IPsec SA and NHTB entry even after the peer tears down the tunnel. PR1432925

  • On the SRX5000 line of devices with an SPC3 card, sometimes IKE SA is not seen on the device when the st0 binding on the VPN configuration object is changed from one interface to another (for example, st0.x to st0.y). PR1441411

  • In SPC2 and SPC3 mixed-mode HA deployments, the tunnels-per-second (TPS) rate is affected while dead peer detection (DPD) is being served on existing tunnels. This limitation is due to a large share of CPU being occupied by the infrastructure (gencfg) used by iked to synchronize its DPD state to the backup nodes. PR1473482

Open Issues

Learn about open issues in this release for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Flow-Based and Packet-Based Processing

  • Use an antireplay window size of 512 for IPv4 or IPv6 in fat-tunnel. The ESP sequence check might otherwise report out-of-order packets if the fat-tunnel parallel encryption is within 384 packets (12 cores * 32 packets in one batch). Hence, there are no out-of-order packets with 512 antireplay window size. PR1470637

General Routing

  • The LLDP protocol can be configured on SRX4000 and SRX5000 lines of devices, although it is not actually supported on those platforms. PR1540797

  • The PKI CMPv2 (RFC 4210) client certificate enrollment does not work properly on SRX Series devices when using a root CA. PR1549954

  • In syslog, the application name can appear as UNKNOWN if security services are enabled and traffic hits the application system cache. PR1557241

  • A PKID core might occur during certificate signature validation. This core is not very frequent and is caused by memory corruption. PR1573892

  • With ssl-proxy configured along with web-proxy, the client session might not be closed on the device even though the proxy session ends gracefully. PR1580526

  • SRX platforms using Sky ATP with security-intelligence configured might disconnect from the cloud after several days with the error "Connection status: Request client certificate failed". The issue can be recovered with the CLI command "restart pki-service". PR1585362

  • Web-proxy: UNKNOWN appears instead of HTTP-PROXY for the application, and UNKNOWN instead of GOOGLE-GEN, in RT-FLOW close messages. These values are seen in the RT-FLOW close log because JDPI is not engaged for the session, which may affect application identification for web-proxy session traffic. PR1588139

  • On SRX345, ICMP checksum errors and packet drops are observed during rapid ping on a VDSL interface with MTU 1514. PR1591230

  • In 20.3R3, 20.4R3, and 21.1R2, scheduled reports sometimes are not generated after a reboot. PR1594377

  • For releases 20.3R3, 20.4R3, 21.1R2, and 21.2R1, phone-home ZTP fails on branch SRX devices because the phone-home client is unable to connect to the Phone Home Server or Redirect Server. PR1598462

  • With Network Address Translation (NAT) and Endpoint-Independent Mapping (EIM) enabled, traffic unsupported by EIM might not be translated because packets are injected back to the NAT gateway. When this issue happens, EIM-unsupported traffic could be dropped, and the issue could cause looping at the NAT gateway, which affects device performance. PR1601890

Infrastructure

  • The latest 21.2 images are based on the FreeBSD stable12 release. Image validation is not supported across different FreeBSD versions, so validation fails when upgrading from a stable11-based image to a stable12-based image. For upgrades between different FreeBSD releases, the "no-validate" option must be used; however, ISSU currently does not support the no-validate option. PR1569992 tracks the ISSU infrastructure change to include the no-validate option. PR1568757

Intrusion Detection and Prevention (IDP)

  • Starting from Junos OS Release 21.1, either greater-than or less-than are allowed for age-of-attack filter of dynamic attack group configuration. The age-of-attack field in signatures will be changed to CVE dates from activation dates. Anomalies and generic attacks will be part of all groups created. PR1397599

Platform and Infrastructure

  • If authentication (for example, tacplus-server or radius-server) is configured on a device, it may in rare cases fail to open files, which may cause the mgd process to crash. PR1600615

Routing Policy and Firewall Filters

  • If a huge number of policies are configured on SRX Series devices and some policies are changed, the traffic that matches the changed policies might be dropped. PR1454907

  • Policy report output is not produced as expected due to this issue. From a functionality point of view, there is no impact on the services running on the data path or on policy lookup, so data-path services are not affected. PR1582020

  • This issue affects the output of one CLI command, which displays more data than expected. It does not affect data path functionality on the PFE; it is a display issue only. PR1582344

VPNs

  • When multiple traffic selectors are configured on a particular VPN, the iked process sends at most one DPD probe to the peer per configured DPD interval. The DPD probe is sent to the peer if traffic flows over even one of the tunnels for the given VPN object. PR1366585

  • In the output of the show security ipsec inactive-tunnels command, Tunnel Down Reason is not displayed as this functionality is not supported in Junos OS Release 18.2R2 and later. PR1383329

  • On SRX5400, SRX5600, and SRX5800 devices with an SPC3 card, a new behavior has been introduced that differs from the behavior on the older SPC2 card. The SRX Series device with AutoVPN configuration can now accept multiple IPsec tunnels from a peer device (with the same source IP address and port number) using different IKE IDs. PR1407356

  • On SRX5400, SRX5600, and SRX5800 devices, during in-service software upgrade (ISSU), the IPsec tunnels flap, causing a disruption of traffic. The IPsec tunnels recover automatically after the ISSU process is completed. PR1416334

  • In some scenarios (for example, when configuring a firewall filter), SRX5000 line devices might show an obsolete IPsec SA and NHTB entry even after the peer tears down the tunnel. PR1432925

  • On the SRX5000 line of devices with SPC3 and SPC2 mixed mode, with a very large number of IKE peers (60,000) with dead peer detection (DPD) enabled, IPsec tunnels might flap in some cases when IKE and IPsec rekeys are happening at the same time. PR1473523

  • Dev to Provide content PR1519830

  • An IPsec protocol change for an existing VPN tunnel does not work, and an IPsec policy with proposals using both the ESP and AH protocols must not be configured.

    [A] An IPsec protocol change for an existing VPN tunnel does not work. For example, in the following VPN configuration:

    set security ipsec proposal IPSEC_PROP_AH protocol ah
    set security ipsec proposal IPSEC_PROP_AH authentication-algorithm hmac-sha1-96
    set security ipsec proposal IPSEC_PROP_ESP protocol esp   <== IPsec protocol cannot change
    set security ipsec proposal IPSEC_PROP_ESP authentication-algorithm hmac-sha1-96
    set security ipsec proposal IPSEC_PROP_ESP encryption-algorithm 3des-cbc
    set security ipsec policy IPSEC_POL proposals IPSEC_PROP_ESP   <== cannot change 'proposals' to use a proposal using a different IPsec protocol
    set security ipsec vpn IPSEC_VPN bind-interface st0.1
    set security ipsec vpn IPSEC_VPN ike gateway IKE_GW
    set security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POL   <== cannot change 'ipsec-policy' to a policy using a different IPsec protocol

    If there is a need to change the IPsec protocol (esp or ah), 'security ipsec vpn IPSEC_VPN' needs to be deactivated and committed first.

    [B] An IPsec policy with both ESP and AH IPsec proposals no longer works. For example:

    set security ipsec proposal IPSEC_PROP_AH protocol ah
    set security ipsec proposal IPSEC_PROP_AH authentication-algorithm hmac-sha1-96
    set security ipsec proposal IPSEC_PROP_ESP protocol esp
    set security ipsec proposal IPSEC_PROP_ESP authentication-algorithm hmac-sha1-96
    set security ipsec proposal IPSEC_PROP_ESP encryption-algorithm 3des-cbc
    set security ipsec policy IPSEC_POL proposals IPSEC_PROP_ESP
    set security ipsec policy IPSEC_POL proposals IPSEC_PROP_AH   <== ipsec policy IPSEC_POL has both a proposal using esp and a proposal using ah

    This configuration can still be committed, but the IPsec traffic does not work. Do not configure an IPsec policy with proposals using both the ESP and AH protocols. PR1552701

  • On SRX5000 Series devices with SRX5K-SPC3 used or vSRXs with junos-ike package loaded, when IPsec VPN is used and SNMP get is performed on jnxIpSecTunnelMonTable, a memory corruption might be triggered, which results in the ikemd process crash. PR1582036

Resolved Issues

Learn which issues were resolved in the Junos OS main and maintenance releases for SRX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 20.4R3

Authentication and Access Control

  • Unified access control (UAC) authentication might not work after a system reboot. PR1585158

Chassis Clustering

  • Security policies might not be synced to all Packet Forwarding Engines (PFEs) after an upgrade. PR1591559

Class of Service (CoS)

  • L2 CoS rewrite (802.1p) on egress interface might not work as expected PR1570143

EVPN

  • The mustd process generates a core file during an upgrade or while committing a configuration. PR1577548

Flow-Based and Packet-Based Processing

  • The srxpfe process might crash during route churn PR1572240

  • The flowd/srxpfe process might crash when clearing the TCP-Proxy session PR1573842

  • Sessions using a custom application might time out when an RG1 failover occurs. PR1580444

General Routing

  • SSL-FP logging for non-SNI sessions. PR1442391

  • The flowd process might core dump frequently on SRX340. PR1463689

  • The spcd process might crash during early initialization PR1535536

  • The kmd process might crash when the interface flaps PR1544800

  • SRX1500 reports fans running at over speed. PR1546132

  • The SSD on certain SRX4100, SRX4200, and JRR200 devices may encounter a "buffer I/O error", leading to drive failure. PR1554716

  • The PIC in SRX5K-SPC3/MX-SPC3 card might get stuck in offline status after flowd crash occurs on it PR1560305

  • SPC3 is not supported on MX in 21.1R1 and 20.4R2 for deployment. PR1561188

  • Fabric probe packets might be processed incorrectly when power-mode-ipsec (PMI) is enabled PR1564117

  • The Wi-Fi MPIM on SRX Series devices reaches out to NTP and DNS servers. PR1569680

  • Packets with the MAC address of eth0 and macvlan0@eth0 interface might be sent out to the management interface on VMHOST platform with NG-RE PR1571753

  • MACsec does not use the network-control queue. PR1571977

  • The srxpfe process might crash if a BFD session is deleted from the PFE. PR1578946

  • Traffic is dropped to/through VRRP virtual IP on SRX380 PR1581554

  • The ipfd process might crash with a core dump when SecProfiling thread feeds are fetched from Policy Enforcer (PE). PR1582454

  • The srxpfe process might crash on SRX1500 PR1582989

  • Packet drop or srxpfe coredump might be observed due to Glacis FPGA limitation PR1583127

  • The application-identification process may crash with a core if multiple commands are run simultaneously PR1583606

  • Secure Web proxy continues to send DNS queries for an unresolved DNS entry even after the entry was removed. PR1585542

  • On SRX-Series devices, significant performance improvements for JDPI's micro-application identification were included in this release PR1585683

  • The 1G interfaces might not come up after device reboot PR1585698

  • The l2ald process might crash on issuing ethernet-switching commands PR1586426

  • The l2ald process might crash on changing the routing-instance PR1586516

  • On SRX-Series devices, the protocol-version command which controls TLS-versions (1.1, 1.2, 1.3, etc) within SSL-Proxy has been unhidden PR1587149

  • Garbage characters might be received in quarantine notification PR1587962

  • IP packets might be dropped on SRX platforms PR1588627

  • File generation by the jsqlsyncd process might cause the device to panic and crash after an upgrade. PR1589108

  • Pass-through traffic might fail post reboot when Secure Web Proxy is configured PR1589957

  • Traffic loss might be observed for interface configured in subnet 137.63.0.0/16 PR1590040

  • The REST API does not work for SRX380 PR1590810

  • 20.1R3 and 20.3R3: SecIntel: The issue (empty feed-name) starts with a hit returned from the cache that points to a node whose feed-ID parameter (2) is inconsistent with the feeds update (where it is 1). As a result, the incorrect feed-ID points to an empty entry in the array of feed names. PR1591236

  • The J-Web deny log shows nested-application="UNKNOWN" instead of the specific application. PR1593560

  • Node1 fpc0 (SPM) goes down after ISSU and RG0 failover. PR1595462

  • Jflow v9 application-id record: Network-based application recognition values for IPv4 application-id are not as expected. PR1595787

  • A delay might be observed between a Services Processing Card (SPC) failing and failover to the other node. PR1596118

  • The flowd might core dump if application-services security policy is configured PR1597111

  • The srxpfe process might crash and generate a core file after a "targeted-broadcast forward-only" interface configuration commit. PR1597863

  • A flowd core may be seen if the AppQoS module receives two packets of a session. PR1597875

  • The flowd process might crash in AppQoE scenarios PR1599191

  • An httpd-gk core might be observed when IPsec VPN is configured. PR1599398

  • On SRX-Series devices, a core file may be generated when using DNS-Inspection features such as Secintel or DGA/Tunnel Detection PR1604773

Interfaces and Chassis

  • 20.4R2: Tenant: Configuration check-out fails with the error message: identical local address found on rt_inst [default], intfs. PR1581877

Intrusion Detection and Prevention (IDP)

  • The IDP policy process might become unresponsive and fail to compile the IDP policy after an IDP automatic update. PR1577684

  • IDP policy compilation fails with over 1000 custom signatures. PR1589399

  • IDP signature DB update fails PR1594283

  • Custom attack IDP policies might fail to compile PR1598867

  • IDP policy compilation does not happen when a commit check is issued before a commit. PR1599954

  • The srxpfe process might crash when the IDP security package contains a new detector. PR1601380

J-Web

  • Junos OS: J-Web allows a locally authenticated attacker to escalate their privileges to root. (CVE-2021-0278) PR1511853

  • To improve performance of the Monitoring > Network > Interfaces page, Admin Status has been removed, and the Services and Protocols data have been merged into one item, Host inbound traffic. PR1574895

  • [J-Web] Zone information disappears when a functional zone is configured. PR1594366

  • [J-Web] A custom application whose name contains "any" is listed under Pre-defined Applications. PR1597221

  • J-Web may not display customer-defined application services after a new policy is created. PR1599434

  • The J-Web application might crash with httpd core dumps. PR1602228

  • RADIUS users might not be able to view or modify the configuration via J-Web. PR1603993

  • On all SRX platforms, some widgets in J-Web might not load properly for logical system users. PR1604929

MPLS

  • Incorrect EXP bit change might be seen in certain conditions under MPLS scenario. PR1555797

Network Address Translation (NAT)

  • Incorrect IPv6 UDP checksum inserted after translation of packet from IPv4 to IPv6 PR1596952

Platform and Infrastructure

  • Junos OS: Upon receipt of specific sequences of genuine packets destined to the device, the kernel will crash and restart (vmcore). (CVE-2021-0283, CVE-2021-0284) PR1557881

  • On SRX5k, the alarm "Power Budget:Insufficient Power" may be raised incorrectly when the second SCB does not contain an RE. PR1568183

  • Due to an nstraced memory leak, e2e debug does not get disabled on the IOC card. PR1574759

Routing Policy and Firewall Filters

  • The dns-name cannot be resolved if a customer-defined routing instance is configured under name-server. PR1539980

Routing Protocols

  • Short multicast packets are dropped by PIM when multicast traffic is received on a non-RPT/SPT interface. PR1579452

  • A BGP session carrying a VPNv4 prefix with an IPv6 next hop might be dropped. PR1580578

Services Applications

  • Extra data-plane CPU cycles are used for processing GTP traffic on SRX5000 Series devices. PR1586367

User Interface and Configuration

  • After an image upgrade, the device might fail to come up due to certain configurations. PR1585479

VPNs

  • The iked process might crash when operational commands are issued on the SRX5000 line of devices with an SRX5000-SPC3 card installed. PR1566649

  • The srxpfe process might crash and generate a core file when IPsec VPN is used. PR1574409

  • The IKEv2 soft-lifetime timer might expire later than the expected time. PR1574717

  • The iked process may crash when IKEv2 negotiation fails on MX Series or SRX Series devices. PR1577484

  • A from-self packet might be dropped when it is forwarded through an IPsec VPN tunnel. PR1577550

  • Flow sessions on SPC3 might get a wrong tunnel ID when establish-tunnels on-traffic is configured under ipsec vpn. PR1581648

  • Memory leaks occur in the iked process on SRX5000 Series devices with SRX5K-SPC3 installed. PR1586324

  • The IPsec tunnel might not come up if configured with configuration payload in a certain scenario. PR1593408

  • The kmd process might crash when a VPN peer initiates using a source port other than 500. PR1596103

Resolved Issues: 20.4R2

Chassis Clustering

  • Disabled node on chassis cluster sent out ARP request packets. PR1548173

  • SPU pause might be seen under GPRS tunneling protocol scenario. PR1559802

Flow-Based and Packet-Based Processing

  • The THR capacity update on SRX Series devices. PR1538058

  • Adjust the default route change timeout value. PR1553621

  • The usp_max_tcplib_connection is not expected on SRX1500, SRX4100, and SRX4200 devices. PR1563881

Forwarding and Sampling

  • The configuration archive transfer-on-commit fails when running Junos OS Release 18.2R3-S6.5. PR1563641

General Routing

  • The JNH memory leak could be observed on MPCs or MICs. PR1542882

  • The output of the command show services application-identification group detail incorrectly included Micro-Applications (Micro-Apps) in the output of every group. PR1544727

  • On SRX4100 and SRX4200 devices, if PEM0 is removed, the output of jnxOperatingDescr.2 command might be incomplete. PR1547053

  • Advanced anti-malware file/email statistics does not increment with latest PB version. PR1547094

  • On vSRX2.0, vSRX3.0, SRX1500, SRX4100, SRX4200, SRX4600 running chassis cluster in Junos OS Release 18.3 or later, multiple messages of "LCC: ch_cluster_lcc_set_context:564: failed to lock chassis_vmx mutex 11" are generated in the chassisd log file. These messages may recur after every few seconds and they do not have any impact on system operation. PR1547953

  • The LCMD log message "gw_cb_presence:136: PEM(slot = 0): error detecting presence ( fruid = 15, drv_id = 30, status = -11 )" is generated every second on SRX4100 and SRX4200 devices. PR1550249

  • The dcpfe process might stop and the non-channelization interfaces might not come up. PR1552798

  • On SRX1500, SRX-SFP-1GE-T(Part#740-013111) for a copper cable might be corrupted after reboot. PR1552820

  • The re-define volume is displayed in traffic map. PR1553066

  • The speed mismatch error is seen while trying to commit reth0 with gigether-options. PR1553888

  • An ipfd core file might be generated when using adaptive threat profiling. PR1554556

  • On the SRX550M device, the dumpdisklabel command fails with message "ERROR: Unknown platform srx550m". PR1557311

  • Application identity unknown packet capture utility does not function on SRX Series devices when enhanced-services mode is enabled. PR1558812

  • The show security log report top idp group-by threat-severity order-by count top-number 5 where-attack command display changes. PR1560027

  • The PKID process runs at 100 percent when the device is unable to connect to a particular URL. PR1560374

  • The DNS commands may not be executed and any new configuration may not take effect on connecting the SRX Series device to Juniper Sky ATP. PR1561169

  • The idpd process might stop when committing IDP configuration under logical systems and tenant systems during RGs failover. PR1561298

  • The flowd process might pause and generate a core dump if JFlow version 9 is configured. PR1567871

  • Traffic going through the VRRP interface might be dropped when VRRP enabled IRB interface goes down. PR1572920

Interfaces and Chassis

  • Backup Routing Engine or backup node may get stuck in bad status with improper backup-router configuration. PR1530935

Intrusion Detection and Prevention (IDP)

  • IDP now supports the ability to create dynamic-attack-groups based on attack-prefix wildcards. PR1537195

  • IDP policy load might fail post image upgrade for Junos OS 15.1X49 releases. PR1546542

  • The IDP policy process might become unresponsive and fail to compile the IDP policy after an IDP automatic update. PR1577684

J-Web

  • The J-Web GUI does not allow saving rules with more than 2,500 cumulative shared objects. PR1540047

  • After commit pending changes message is shown, the contents of other messages, landing page, or pop-ups will not be visible completely. PR1554024

Platform and Infrastructure

  • Commit is not failing as expected after removing the reth interface. PR1538273

  • The show chassis errors command is not supported on SRX5000 Series devices with RE3 and SCB3 installed anymore. PR1560562

  • The show chassis ethernet-switch errors command unexpectedly shows error counters for port 14 on the SRX5800 device. PR1563978

Routing Policy and Firewall Filters

  • Global policies working with multi-zones cause high CPU utilization. PR1549366

  • Policy configured with route-active-on condition might incorrectly work for local routes. PR1549592

  • The junos-defaults construct within a unified-policies application match criteria now restricts the ports and protocols of a flow on a per-dynamic-application basis. PR1551984

  • Unified policies in global zone contexts do not work when from-zone or to-zone is defined. PR1558009

  • On the SRX5000 line of devices, the secondary node might get stuck in performing ColdSync after a reboot, upgrade, or if ISSU is performed. PR1558382

  • The traffic might be dropped due to inserting one global policy above others on SRX Series devices. PR1558827

Unified Threat Management (UTM)

  • Stream buffer memory leak might happen when UTM is configured under unified policies. PR1557278

  • A lost UTM license expiry event may leave the device unable to exit advanced service mode, and the maximum-sessions value is decreased by half. PR1563874

User Interface and Configuration

  • The outbound-ssh routing-instance command is shown as unsupported. PR1558808

VPNs

  • On the SRX5000 line of devices with SPC3 card, when the encryption algorithm is not configured in IPsec proposal, the output of show security ipsec security-associations command might display empty space instead of keyword null for encryption algorithm. PR1507270

  • After IPsec tunnel using policy-based VPN is overwritten by another VPN client, traffic using this IPsec tunnel will be dropped. PR1546537

  • Traffic that goes through policy-based IPsec tunnel might be dropped after RG0 failover. PR1550232

  • The iked process might stop with Multinode High Availability setup. PR1559121

  • When there are multiple IPsec SAs, backup SA starts IPsec rekey. PR1565132

Resolved Issues: 20.4R1

Application Layer Gateways (ALGs)

  • The SCCP ALG does not work on SRX Series devices running Junos OS Release 17.3R1 and later. PR1535356

Flow-Based and Packet-Based Processing

  • CLI autocomplete is now available for both SecIntel and advanced anti-malware products. PR1487419

  • A condition within TCP proxy could result in downloads becoming permanently stuck or not completing. TCP proxy is used by multiple services, including Juniper ATP Cloud in block mode, ICAP, SSL proxy, antivirus, content filtering, and antispam. PR1502977

  • In a dual CPE scenario, if the rule match is completed before application identification is done, AppQoE moves the session to the other node. PR1514973

  • VRRP does not work on the redundant Ethernet interface with a VLAN ID greater than 1023. PR1515046

  • PCAP file generated using packet capture was improper on the SRX5000 line of devices. PR1515691

  • A logic issue was corrected in SSL proxy that could lead to an srxpfe or flowd core file under load. PR1516903

  • The PPPoE session does not come up after return to zero on SRX Series devices. PR1518709

  • FQDN-based security log stream does not dynamically update the IP address. PR1520071

  • TAP mode behavior has been improved and the configuration has been greatly simplified. PR1521066

  • The TCP packet might be dropped if syn-proxy protection is enabled. PR1521325

  • The routing-instance option under edit system name-server is hidden on SRX Series devices starting from Junos OS Release 20.4. PR1521666

  • On SRX Series devices with chassis cluster, high CPU usage might be seen due to the llmd process. PR1521794

  • Adaptive threat profiling would stop submitting new IP addresses to the feed after a limit of 10,000 has been reached. PR1524284

  • On the SRX1500 device, the traffic rate shown in the CLI command is not accurate. PR1527511

  • The MAC table is null in Layer 2 mode after one pass-through session is created successfully. PR1528286

  • On SRX Series devices, a node of chassis cluster might stop passing traffic. The traffic forwarding can be restored by a manual failover to node 1. PR1528898

  • When no LSYS or TSYS flow trace is configured and no root-override is configured, the latest behavior is to not log any flow trace for that LSYS or TSYS, instead of dumping all to root flow trace as before. PR1530904

  • On SRX4100 and SRX4200 devices, four out of eight fans might not work. PR1534706

  • The firewall filter SA and DA tags are not in the log messages as expected in port details. PR1539338

  • Packet drop might be seen when a packet with destination port 0 is received on the SRX380 device. PR1540414

  • The rst-invalidate-session command does not work if configured together with the no-sequence-check command. PR1541954

  • The nsd process might crash when DNS-based allowlisting is configured under SSL proxy. PR1542942

  • Application fragmented traffic might get dropped on SRX Series devices. PR1543044

  • The Wi-Fi Mini-Physical Interface Module (Mini-PIM) does not support pure g mode with radio 2.4 GHz. PR1543824

  • Need syslog to indicate signature download completion. PR1545580

  • The flowd process might generate core files when the user changes the flow mode configuration to packet mode. PR1546653

Interfaces and Chassis

  • Fabric interface might be monitored down after chassis cluster reboot. PR1503075

  • On SRX320, SRX340, SRX345, SRX380, and SRX550M devices with an LTE Mini-Physical Interface Module (Mini-PIM), the LTE connection might drop and fail to automatically recover because of firmware issue. PR1520879

  • When SRX Series devices receive proxy ARP requests on VRRP interfaces, SRX Series devices send ARP replies with the underlying interface MAC address. PR1526851

Intrusion Detection and Prevention (IDP)

  • The flowd or srxpfe process might generate core files during the idpd process commit on SRX Series devices. PR1521682

  • Adaptive threat profiling incorrectly classifies hosts when Server-to-Client (S2C) IDP signatures are used. PR1533116

  • SOF support for partial packet plugins on traditional or unified policy. PR1542497

J-Web

  • The parameters show another LSYS at J-Web in a multiple LSYS scenario. PR1518675

  • Sometimes, when you edit the local gateway in the remote access VPN workflow under VPN > IPsec VPN, J-Web might not display one or more drop-down values. PR1521788

  • On the SRX5000 line of devices, J-Web can take 60 to 90 seconds to load 60,000 security policies. PR1521841

Layer 2 Ethernet Services

  • DHCP might not work after performing request system zeroize or load factory-default on SRX Series devices. PR1521704

Network Address Translation (NAT)

  • NAT PBA size 1 on SRX Series devices. PR1525822

Platform and Infrastructure

  • Syslog reporting "PFE_FLOWD_SELFPING_PACKET_LOSS: Traffic impact: Selfping packets loss/err: 300 within 600 second" error messages in node 0 and node 1 control panel. PR1522130

Routing Policy and Firewall Filters

  • Junos OS upgrade may encounter failure in certain conditions when enabling ATP. PR1519222

  • Traffic might be dropped when policies are changed in SRX Series devices. PR1527570

  • The show security dynamic-address feed-name command could not list secprofiling feed. PR1537714

  • The flowd or srxpfe process might crash when an SRX Series or NFX Series device running Junos OS Release 18.2R1 or later supports the unified policy feature. PR1544554

  • Traffic might be dropped unexpectedly when the URL category match condition is used on a security policy. PR1546120

  • The nsd process stops when the secprofiling feed name is 64 bytes long. PR1549676

Routing Protocols

  • The rpd process might report 100 percent CPU usage with the BGP route damping enabled. PR1514635

Subscriber Access Management

  • Incorrect counter type (counter instead of gauge) specified for some values in MIB jnxUserAAAMib. PR1533900

Unified Threat Management (UTM)

  • UTM causes e-mails from outside to inside to not be received. PR1523222

  • Stream buffer memory leak might happen when UTM is configured under unified policies. PR1557278

VPNs

  • The IKE tunnel negotiation might fail if IKE_INIT request is re-transmitted. PR1460907

  • IPsec traffic may get dropped after RG0 failover. PR1522931

  • On all SRX Series devices using IPsec with NAT traversal, MTU size for the external interface might be changed after IPsec SA is re-established. PR1530684

  • After IPsec tunnel using policy-based VPN is overwritten by another VPN client, traffic using this IPsec tunnel will be dropped. PR1546537

Documentation Updates

There are no errata or changes in Junos OS Release 20.4R3 documentation for the SRX Series.

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths. You can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 19.3, 19.4, and 20.2 are EEOL releases. You can upgrade from Junos OS Release 19.3 to Release 19.4 or from Junos OS Release 19.3 to Release 20.2.

You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.
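The following planner encodes the support policy above (hops of at most three releases, or at most two EEOL releases at a time when both ends are EEOL) and builds the intermediate EEOL steps the last paragraph describes. It is an added example, not Juniper tooling; the release sequence and the EEOL set are constructed for illustration (only 19.3, 19.4 and 20.2 come from the text), so check the EEOL list linked above before planning a real upgrade.

```python
# Added example: upgrade/downgrade path planner for the EEOL support policy.
# Constructed, ordered release sequence (oldest first). Only 19.3, 19.4 and
# 20.2 are stated as EEOL in the release notes; the other EEOL entries are an
# assumption for illustration.
RELEASES = ["19.1", "19.2", "19.3", "19.4", "20.1", "20.2",
            "20.3", "20.4", "21.1", "21.2", "21.3", "21.4"]
EEOL = {"19.3", "19.4", "20.2", "20.4", "21.2", "21.4"}   # assumed set

MAX_RELEASE_SPAN = 3   # a single hop may span at most three releases
MAX_EEOL_SPAN = 2      # EEOL-to-EEOL hop: next or next-but-one EEOL release


def direct_hop_supported(src: str, dst: str) -> bool:
    """True if one upgrade or downgrade from src to dst is within policy."""
    span = abs(RELEASES.index(dst) - RELEASES.index(src))
    if span <= MAX_RELEASE_SPAN:
        return True
    if src in EEOL and dst in EEOL:
        eeol_order = [r for r in RELEASES if r in EEOL]
        return abs(eeol_order.index(dst) - eeol_order.index(src)) <= MAX_EEOL_SPAN
    return False


def plan_path(src: str, dst: str) -> list:
    """Return the releases to step through, src first and dst last.

    While a direct hop is not supported, move to the farthest EEOL release
    between the current release and dst that is reachable in one hop.
    Works for both upgrades and downgrades.
    """
    path = [src]
    cur = src
    while not direct_hop_supported(cur, dst):
        i, t = RELEASES.index(cur), RELEASES.index(dst)
        step = 1 if t > i else -1
        between = RELEASES[i + step:t:step]          # strictly between cur and dst
        reachable = [r for r in between
                     if r in EEOL and direct_hop_supported(cur, r)]
        if not reachable:
            raise ValueError(f"no supported path from {cur} to {dst}")
        cur = reachable[-1]                          # farthest reachable EEOL
        path.append(cur)
    path.append(dst)
    return path


if __name__ == "__main__":
    print(" -> ".join(plan_path("19.1", "21.3")))   # 19.1 -> 19.4 -> 20.4 -> 21.3
    print(" -> ".join(plan_path("21.4", "19.1")))   # 21.4 -> 20.4 -> 19.4 -> 19.1
```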

For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.

For information about software installation and upgrade, see the Installation and Upgrade Guide for Security Devices.

For information about ISSU, see the Chassis Cluster User Guide for Security Devices.