Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    New and Changed Features

    This section describes the new features and enhancements to existing features in Junos OS Release 17.4R1 for the SRX Series devices.

    Junos OS Release 17.4R1 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550HM, SRX1500, SRX4100/4200, SRX4600, SRX5400, SRX5600, and SRX5800.

    Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 15.1X49-D80 through 15.1X49-D100. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D100 are not available in 17.4R1.

    Note: Junos OS for SRX Series 17.4R1 documentation includes references to SRX4600 Services Gateway. SRX4600 is not supported in Junos OS Release 17.4R1.

    New features for security platforms in Junos OS Release 17.4R1 include:


    • H.323 gateway-to-gateway support (SRX Series, vSRX instances)—Starting with Junos OS Release 17.4R1, the gateway-to-gateway call feature is supported on the H.323 ALG. This feature introduces one-to-many mapping between an H.225 control session and H.323 calls as multiple H.323 calls go through a single control session.

      [See Understanding H.323 ALG.]

    • NAT64 support for H.323 ALG (SRX Series, vSRX instances)—Starting with Junos OS Release 17.4R1, the H.323 ALG supports NAT64 rules in an IPv6 network.

      [See Understanding H.323 ALG.]

    Application Security

    • Advanced policy-based routing (APBR) with midstream support (SRX Series, vSRX instances)—Starting with Junos OS Release 17.4R1, SRX Series Services Gateways support advanced policy-based routing (APBR) with an additional enhancement to apply the APBR in the middle of a session (midstream support). With this enhancement, you can apply APBR for a non-cacheable application and also for the first session of the cacheable application.

      You can fine-tune the outbound traffic with APBR configuration (for example, limiting route changes and terminating sessions) to avoid issues such as excessive transitions due to frequent route changes.

      The enhancement provides more flexible traffic-handling capabilities that offer granular control for forwarding packets.

      [See Understanding Advanced Policy-Based Routing.]

    • Application tracking enhancements to support category and subcategory (SRX Series, vSRX instances)—Starting from Junos OS Release 17.4R1, AppTrack session create, session close, and volume update logs include new fields category and subcategory. AppTrack syslog message provide general information about the application type, and including category and subcategory of the application in the message, helps in categorizing the applications.

      [Understanding AppTrack.]

    Authentication and Access

    • User firewall support for IPv6 (SRX Series, vSRX instances)—Starting in Junos OS Release 17.4R1, SRX Series devices support IPv6 addresses for user firewall (UserFW) authentication. This feature allows IPv6 traffic to match any security policy configured for source identity. Previously, if a security policy was configured for source identity and “any” was specified for its IP address, the UserFW module ignored the IPv6 traffic. IPv6 addresses are supported for the following authentication sources:
      • Active directory authentication table
      • Device identity with active directory authentication
      • Local authentication table
      • Firewall authentication table

      [See Overview of Integrated User Firewall.]

    Chassis Cluster

    • Media Access Control Security (MACsec) (SRX4600)– Starting in Junos OS Release 17.4, Media Access Control Security(MACsec) is supported on HA control and fabric ports of SRX4600 devices in chassis cluster mode to secure point-to-point Ethernet links between two nodes in a cluster.

      In the SRX chassis cluster implementation, the control and fabric link carry secure traffic between two nodes in clear text format. Because of this, it is important to encrypt the data between the two nodes. MACsec is an industry-standard security technology that provides secure communication and identifies and prevents most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec can be used in combination with other security protocols to provide end-to-end network security.

      See Understanding Media Access Control Security (MACsec).

    • Preemptive delay timer (SRX Series)—Starting with Junos OS Release 17.4R1, a failover delay timer is introduced on SRX Series devices in a chassis cluster to limit the flapping of redundancy group state between the secondary and the primary nodes in a preemptive failover.

      Back-to-back failovers of a redundancy group in a short interval can cause the cluster to exhibit unpredictable behavior because of flapping of the active and backup systems.

      To prevent this, a delay timer can be configured to delay the immediate failover for a configured period of time--between 1 and 21,600 seconds. In addition, you can configure the preemptive limit to restrict the number of failovers (1 to 50) in a given time period (1 to 1440 seconds) when preemption is enabled for a redundancy group.

      This enhancement enables the administrator to introduce a failover delay, which can reduce the number of failovers and result in a more stable network state due to the reduction in active / backup flapping within the redundancy group.

      [Understanding Chassis Cluster Redundancy Group Failover.]

    Class of Service (CoS)

    • Support for CoS on dl0 Interface on SRX320, SRX340, SRX345, and SRX550M devices— Starting with Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can configure the following class of service (CoS) features on the dl0 interface for 4G wireless modems: behavior aggregate classifiers, multifield classifiers, policers, shapers, schedulers, and rewrite rules. The dialer interface, dl0, is a logical interface for configuring properties for modem connections.

      [See LTE Mini-PIM Overview.]

    • Support CoS on Logical Tunnel Interface in a Chassis Cluster on SRX300, SRX320, SRX340, SRX345, and SRX550M devices— Starting with Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, queuing is supported on logical tunnel (lt) interfaces to allow CoS configuration.

      [See CoS Queuing for Tunnels Overview.]

    • Support for port-based egress traffic shaping and policing on SRX Series devices— Starting with Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, you can configure egress traffic shaping and policing at the physical port level, which limits the egress traffic rate of all logical interfaces on the port.

      [See shaping-rate (CoS Interfaces).]

    Flow-based and Packet-based Processing


    • Support for GTP handover group (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800 devices and vSRX instances)—Starting with Junos OS Release 17.4R1, GTP handover group configuration is supported on GTP profiles. An administrator can configure a GTP profile and associate a GTP handover group to a GTP profile.

      A GTP handover group is a set of SGSNs or serving gateway (SGW) with a common address-book library. When a GTP handover group name is referenced by a GTP profile, the device checks to see if the current SGSN/SGW address and the proposed SGSN/SGW address are contained within the same GTP handover group. If both the current and proposed SGSN/SGW addresses are contained within the same GTP handover group, then the handover is allowed. If both the current and proposed SGSN/SGW addresses are not within the same GTP handover group, then the profile for the default handover group is used.

      This feature enables the administrator to define policies that determine whether handover can happen between individual SGSNs/SGW and/or groups of SGSNs/SGW for roaming.

      [See GTP Handover Group Overview.]


    • SRX345 Services Gateway (DC power supply model)—The SRX345 Services Gateway now includes a DC model. The DC model has a single internal power supply, which is not field-replaceable. The DC model supports the same features as those supported on the existing SRX345 Services Gateways. The minimum Junos OS release supported on the DC model is 17.4R1. The services gateway can be managed using the CLI, Junos Space, and J-Web.

      [See SRX345 Services Gateway Description.]

    Interface and Chassis

    • MACsec support (SRX300, SRX320, SRX340 and SRX345)—Starting in Junos OS Release 17.4R1, Media Access Control Security (MACsec) is supported on all MACsec-capable ports of SRX300, SRx320, SRX340 and SRX345 devices.

      On SRX300 line devices MACsec is supported on the following ports:

      • SRX300 and SRX320: 2 ports (on two fixed SFP interfaces.)
      • SRX340 and SRX345: 16 ports (on eight fixed SFP interfaces + eight fixed Ethernet ports)

      [See Understanding Media Access Control Security (MACsec).]

    • PPPoE support on SRX Series and vSRX devices—Starting in Junos OS Release 17.4R1, SRX series devices and vSRX support Point-to-Point Protocol over Ethernet (PPPoE). You can connect multiple hosts on an Ethernet LAN to a remote site through a single customer premises equipment (CPE) device. The hosts share a common digital subscriber line (DSL), a cable modem, or a wireless connection to the Internet.

      [See Understanding PPPoE Interfaces.]

    • RFC 4638 support for SRX300, SRX320, SRX340, SRX345, and SRX550M devices— Starting in Junos OS Release 17.4R1, you can use the PPP-Max-Payload option to override the default behavior of the PPPoE client by providing a maximum size that the PPP payload can support in both sending and receiving directions. The PPPoE server might allow the negotiation of an MRU larger than 1492 and the use of an MTU larger than 1492.

      [See Understanding MTU and MRU Configuration for PPP Subscribers.]

    Installation and Upgrade

    • Upgraded FreeBSD support (SRX1500, SRX4100, SRX4200, and vSRX instances)—Starting with junos OS Release 17.4R1, the Junos Control Plane (JCP) virtual machine (VM) in the SRX Series devices is upgraded to support FreeBSD 11. Two virtual CPUs (VCPU) are allocated for JCP VM in the Linux host to improve Routing Engine performance for SRX4100 and SRX4200 devices and vSRX instances. For vSRX, additional vCPU will be allocated if you allocate more CPUs than the minimum required. For SRX1500 devices, no additional CPUs are available to allocate for JCP VM.

      [See Understanding Junos OS with Upgraded FreeBSD for SRX Series Devices.]

    Logical System

    • Logical system (LSYS) support (SRX1500)—Starting in Junos OS Release 17.4R1, the logical system feature is supported on SRX1500 devices in addition to the existing support on SRX Series devices such as SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800. A logical system provides virtualization on a device that is partitioned into multiple logical administrative segments. Each segment can have its own security, routing, and bridging attributes.

      [See Understanding Logical Systems for SRX Series Services Gateways.]


    • Support for multiple, smaller configuration YANG modules (SRX Series)—Starting in Junos OS Release 17.4R1, the YANG module for the Junos OS configuration schema is split into a root configuration module that is augmented by multiple, smaller modules. The root configuration module comprises the top-level configuration node and any nodes that are not emitted as separate modules. Separate, smaller modules augment the root configuration module for the different configuration statement hierarchies. Smaller configuration modules enable YANG tools and utilities to more quickly and efficiently compile and work with the modules, because they only need to import the modules required for the current operation.

      [See Understanding the YANG Modules That Define the Junos OS Configuration.]


    • Source NAT resource allocation improved (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 17.4R1, source NAT resources handled by the central point architecture have been offloaded to the SPUs when the SPC number is more than four, resulting in more efficient resource allocation.

      [See Understanding Central Point Architecture Enhancements for NAT.]

    Platforms and Infrastructure

    • SRX4600 Services Gateway—Starting in Junos OS Release 17.4R1, Junos OS supports the SRX4600 Services Gateway. The SRX4600 device is a high-end dynamic services gateway that consolidates security functionality, networking services, and uncompromised performance for medium to large enterprises. With advanced security and threat mitigation capabilities, SRX4600 device can be used for campus edge integrated firewall, data center edge firewall, data center core firewall, LTE security gateway, and Gi/SGi firewall.

      SRX4600 device supports Juniper’s Software-Defined Secure Network (SDSN) framework, including Sky Advanced Threat Prevention (Sky ATP), which is built around automated and actionable intelligence that can be shared quickly to recognize and mitigate threats.

      The SRX4600 device supports the following software features:

      • Stateful firewall
      • Application security suite
      • UTM (Sophos AV, Web filtering, content filtering, and antispam)
      • IDP
      • Advanced anti-malware
      • High availability (Chassis cluster)
        • Dual HA control ports (10G)
        • MACsec support for HA ports
      • Ethernet interfaces through QSFP28 (100G/40G/4x10G modes), QSFP+ (40G/4x10G modes) and SFP+ (10G mode)
      • IPsec VPN, including AutoVPN and Group VPNv2
      • QoS and network services
      • J-Web
      • Routing policies with multicast

      Although the Junos OS SRX4600 device supports the same services that run on the Junos OS SRX5000 Series devices, it differs in its infrastructure implementation. The SRX4600 device is built on the X86 multi-core processor with the Eagle chip and its flow architecture has been modified to maximize use of that processor. The SRX4600 implements use of an individual thread for each session that is dedicated to management of that session and its flow. As a result, out-of-packet problems that can occur with concurrent processing are eliminated.

      Installation packages available for SRX4600 devices are, Preboot Execution Environment (PXE), USB install media package, and CLI upgrade.

      You can use the show chassis hardware command to display the part number and the model number of the SRX4600 device. You can type uname -a in a terminal on your host OS to verify that the host OS is using the latest kernel version.

      You can use the show security ipsec tunnel-distribution command to display the number of VPN tunnels anchored in each thread ID.

      [See Understanding Flow Processing on the SRX4600 Device.]

    Routing Policy and Firewall Filters

    • Maximum number of addresses per security policy increased (SRX550M)—Starting in Junos OS Release 17.4R1, the maximum number of addresses per policy has been increased from 1024 to 2048 for SRX550M. SRX300, SRX320, SRX340 and SRX345 devices already support 2048 source and 2048 destination addresses per policy.

    Routing Protocols

    • Support for EBGP route server (SRX Series)—Starting in Junos OS Release 17.4R1, BGP feature is enhanced to support EBGP route server functionality. A BGP route server is the external BGP (EBGP) equivalent of an internal IBGP (IBGP) route reflector that simplifies the number of direct point-to-point EBGP sessions required in a network. EBGP route server propagates unmodified BGP routing information between external BGP peers to facilitate high scale exchange of routes in peering points such as Internet Exchange Points (IXPs). When BGP is configured as a route server, EBGP routes are propagated between peers unmodified, with full attribute transparency (NEXT_HOP, AS_PATH, MULTI_EXIT_DISC, AIGP, and Communities).

      The BGP JET bgp_route_service.proto API has been enhanced to support route server functionality as follows:

      • Program the EBGP route server.
      • Inject routes to the specific route server RIB for selectively advertising it to the client groups in client-specific RIBs.

      The BGP JET bgp_route_service.proto API includes a peer-type object that identifies individual routes as either EBGP or IBGP (default).

      [See BGP Route Server Overview.]

    System Logging

    • On-box reporting enhancements (SRX Series, vSRX instances)—Starting in Junos OS Release 17.4R1, SRX4600 devices support the on-box reporting feature, which is already supported on SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200 devices and vSRX instances. Also, the on-box reports are now enhanced to provide comprehensive and detailed reports.

      The on-box reporting feature now provides the following enhancements:

      • AppTrack API gets information on application category, subcategory, and risk level. An RTLOG module uses this API to get and send information to the local log management process (daemon).
      • Reports for applications, categories, subcategories, risk levels, and botnet threats are now by count and volume.
      • Application information is generated in UTM log reports.
      • Logs can now be listed from latest to oldest. Previously, logs were sorted only from oldest to latest.
      • SRX4600 devices now have a hard disk partition available to save traffic logs.

      [See Understanding On-Box Logging and Reporting.]

    • Support for log warning messages on throughput overuse (SRX4100)—Starting with Junos OS Release 17.4R1, when Internet mix (IMIX) throughput exceeds the limitation for an SRX4100 device, new log warning messages are logged. These log warning messages remind you that there is throughput overuse.

      [See Log File Sample Content.]


    • UDP flood screen whitelist [SRX300, SRX320, SRX340, SRX345, SRX1500, SRX4100, and SRX4200 devices, and vSRX instances]— Starting with Junos OS Release 17.4, UDP flood whitelist mechanism is implemented. When UDP is enabled in a zone, all the UDP traffic performs UDP flood attack detection. The UDP packets that are above the threshold level will be dropped. To avoid these packet drops and instead allow these packets to bypass UDP flood detection, the UDP flood screen whitelist is implemented. To support UDP flood whitelist, the traffic from addresses in the whitelist groups will bypass UDP flood check. Both IPv4 and IPv6 whitelists are supported and can be configured using a single address or a subnet address. UDP flood whitelist supports a maximum of 32 whitelist groups and each group has 32 or fewer IPv4 or IPv6 addresses.

      [See Network DoS Attacks]


    • Secure Boot (SRX4600)—Starting in Junos OS Release 17.4R1, a significant system security enhancement, Secure Boot, has been introduced. The Secure Boot implementation is based on the UEFI 2.4 standard. The BIOS has been hardened and serves as a core root of trust. The BIOS updates, the bootloader, and the kernel are cryptographically protected. Secure boot is enabled by default on supported platforms.

      [See MIB Explorer.]


    • Custom URL category support for SSL forward proxy (SRX Series)—Starting with Junos OS Release 17.4R1, the whitelisting feature is extended to include custom URL categories supported by UTM in the whitelist configuration of SSL forward proxy. In this implementation, the Server Name Indication (SNI) field is extracted by the UTM module from client hello messages to determine the URL category. SNI is an extension of the SSL/TLS protocol. Each URL category has a unique ID. The list of URL categories in the whitelist is parsed and the corresponding category IDs are pushed to the Packet Forwarding Engine for each SSL forward proxy profile. The SSL forward proxy then determines through APIs whether to accept the proxy or to ignore the session.

      [See SSL Proxy Overview]

    • Enhanced Web Filtering (EWF) reputation and categorization behavior support for EWF category (SRX Series)—Starting from Junos OS Release 17.4R1, predefined base filters, defined in a category file, are supported for individual EWF categories. Each EWF category has a default action in a base filter, which is attached to the user profile to act as a backup filter. If the categories are not configured in the user profile, then the base filter takes the action. Online upgradation of base filters is also supported. Further, users can apply global reputation values, provided by the Websense ThreatSeeker Cloud (TSC). For the non-category URLs, the global reputation value is used to perform filtering, and from this release onward, the reputation base scores are configurable.

      [See Understanding Enhanced Web Filtering Process.]

    • Local Web filtering enhancement to support custom category configuration (SRX Series)—Starting from Junos OS Release 17.4R1, support for custom category configuration is available for EWF, local, and Websense redirect profiles. The custom-message option is also supported in a category for local Web filtering and Websense redirect profiles. You can create multiple URL lists (custom categories) and apply them to a UTM Web filtering profile with actions such as permit, permit and log, block, and quarantine.

      To create a global whitelist or blacklist, apply a local Web filtering profile to a UTM policy and attach it to a global rule.

      [See Understanding Local Web Filtering.]

    • Support for new Websense EWF categories (SRX Series)—Starting from Junos OS Release 17.4R1, you can download and dynamically load new Enhanced Web Filtering (EWF) categories. The downloading and dynamic loading of the new EWF categories do not require a software upgrade. Websense occasionally releases new EWF categories. EWF classifies websites into categories according to host, URL, or IP address and performs filtering based on the categories.

      [See Understanding Redirect Web Filtering.]


    • Increased number of IKE security associations supported (SRX5600, SRX5800)—Starting from JunosOS Release 17.4R1, SRX5600 with 5 SPC2 cards, and SRX5800 with 10 SPC2 cards can support up to 50,000 IKE security associations (SAs) (each SPC2 card supports upto 20,000 IKE SAs (5,000 IKE SAs / SPU) ) for AutoVPN networks in point-to-point secure tunnel mode with multiple traffic selectors. There are no changes in configuration.

      [See Understanding AutoVPN.]

    • IPv6 address support for point-to-point AutoVPN networks that use traffic selectors (SRX Series, vSRX instances)—Starting with Junos OS Release 17.4R1, AutoVPN networks that use secure tunnel interfaces in point-to-point mode support IPv6 addresses for traffic selectors and for IKE peers.

      Note: IPv6 addresses are not supported for AutoVPN networks in point-to-multipoint secure tunnel mode.

      [See Understanding AutoVPN and Understanding AutoVPN with Traffic Selectors.]

    • IPsec VPN performance optimization (SRX5400, SRX5600, SRX5800)—Starting with Junos OS Release 17.4R1, IPsec VPN performance is optimized when the VPN session affinity and performance acceleration features are enabled. Session affinity is enabled with the set security flow load-distribution session-affinity ipsec command, while performance acceleration is enabled with the set security flow ipsec-performance-acceleration command.

      [See Accelerating the IPsec VPN Traffic Performance and Understanding VPN Session Affinity.]

    Modified: 2018-01-04