
    New and Changed Features

    This section describes the new features and enhancements to existing features in Junos OS Release 18.1R2 for the SRX Series devices.

    Release 18.1R2 New and Changed Features

    There are no new features in Junos OS Release 18.1R2 for the SRX Series devices.

    Junos OS Release 18.1R2 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550HM, SRX1500, SRX4100/4200, SRX4600, SRX5400, SRX5600, and SRX5800. Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 12.1X44 through 15.1X49-D120. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D120 are not available in 18.1 releases.

    Release 18.1R1 New and Changed Features

    Junos OS Release 18.1R1 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550HM, SRX1500, SRX4100/4200, SRX4600, SRX5400, SRX5600, and SRX5800. Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 12.1X44 through 15.1X49-D120. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D120 are not available in 18.1 releases.

    Application Security

    • Data Loss Prevention [SRX] —Starting in Junos OS Release 18.1, SRX Series devices support Data Loss Prevention (DLP) by redirecting HTTP or HTTPS traffic to any third-party server through the Internet Content Adaptation Protocol (ICAP).

      ICAP is a lightweight protocol for executing a remote procedure call on HTTP messages. It uses REQMOD, which encapsulates HTTP request messages, and RESPMOD, which encapsulates HTTP response messages.

      [See SSL Proxy.]

    • Optimizing SSL/TLS performance for HTTPS traffic (SRX Series, vSRX) —Starting from Junos OS Release 18.1R1, SSL/TLS performance is optimized by minimizing the time required for performing the decryption by using the following methods:

      • Using optimized cipher suites

      • Maintaining the certificate cache

      Enhanced SSL/TLS performance for HTTPS traffic results in improved website performance without compromising security, and maximizes user experience.

      [See SSL Proxy.]

    • SSL proxy support (SRX300, SRX320)—Starting in Junos OS Release 18.1R1, SSL proxy support is available on SRX300 and SRX320 devices. SSL proxy acts as an intermediary, performing SSL encryption and decryption between the client and the server. SSL relies on digital certificates and private-public key exchange pairs for client and server authentication to ensure secure communication.

      [See SSL Proxy.]
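The REQMOD encapsulation described in the Data Loss Prevention item above, sketched as an added example following RFC 3507 (this is not Juniper code; the host names, service name `dlp`, and sample request are constructed). It shows how the `Encapsulated` header offsets let an ICAP server recover the HTTP request it is asked to inspect.

```python
# Added example: ICAP REQMOD framing per RFC 3507. All names and data are constructed.
CRLF = b"\r\n"

def build_reqmod(icap_host: str, service: str, http_head: bytes, http_body: bytes = b"") -> bytes:
    """Client side: wrap one HTTP request (header block + optional body) in REQMOD."""
    if not http_head.endswith(CRLF + CRLF):
        raise ValueError("HTTP header block must end with an empty line")
    # Encapsulated offsets are byte positions relative to the start of the ICAP body.
    body_tag = "req-body" if http_body else "null-body"
    icap_head = (
        f"REQMOD icap://{icap_host}/{service} ICAP/1.0\r\n"
        f"Host: {icap_host}\r\n"
        f"Encapsulated: req-hdr=0, {body_tag}={len(http_head)}\r\n\r\n"
    ).encode("ascii")
    msg = icap_head + http_head
    if http_body:
        # The encapsulated body is always carried with chunked transfer coding.
        msg += f"{len(http_body):x}".encode() + CRLF + http_body + CRLF + b"0" + CRLF + CRLF
    return msg

def parse_reqmod(msg: bytes):
    """Server side: recover (http_head, http_body) using the Encapsulated offsets."""
    icap_head, _, payload = msg.partition(CRLF + CRLF)
    lines = icap_head.split(CRLF)
    if not lines[0].startswith(b"REQMOD "):
        raise ValueError("not a REQMOD request")
    headers = {k.strip().lower(): v.strip() for k, v in (l.split(b":", 1) for l in lines[1:])}
    offsets = {}
    for part in headers[b"encapsulated"].split(b","):
        name, _, off = part.strip().partition(b"=")
        offsets[name.decode()] = int(off)
    end = offsets.get("req-body", offsets.get("null-body"))
    http_head = payload[offsets["req-hdr"]:end]
    body = b""
    rest = payload[end:] if "req-body" in offsets else b""
    while rest:  # decode chunks until the zero-length terminator
        size_line, _, rest = rest.partition(CRLF)
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            break
        body, rest = body + rest[:size], rest[size + 2:]
    return http_head, body

# Constructed sample: an upload that a DLP server would be asked to inspect.
HTTP_HEAD = b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\nContent-Length: 26\r\n\r\n"
HTTP_BODY = b"memo=CONFIDENTIAL-Q3-draft"
ICAP_MSG = build_reqmod("icap.example.net", "dlp", HTTP_HEAD, HTTP_BODY)
```

RESPMOD uses the same framing with `res-hdr` and `res-body` offsets for the encapsulated HTTP response.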

    Authentication and Access

    • IPv6 support for network access control (NAC) (SRX Series, vSRX)—Starting with Junos OS Release 18.1R1, SRX Series devices support IPv6 for the network access control (NAC) system. You can configure a Web API client address with an IPv6 address and Web API supports IPv6 user or device entries obtained from Juniper Identity Management Service (JIMS). An SRX Series device can query JIMS periodically for batches of newly generated IPv6 users or devices for identity information. The SRX Series can query JIMS for identity information for an individual user or device based on the IPv6 address when the IPv6 traffic hits the SRX Series device. The SRX Series device firewall authentication can push IPv6 IP-user mapping information to JIMS.

      [See Understanding the SRX Series Advanced Query Feature for Obtaining User Identity Information from JIMS.]

    Chassis Cluster

    • VRRP and VRRPv3 support on redundant Ethernet interface to provide redundancy (SRX Series, vSRX)—Starting with Junos OS Release 18.1R1, SRX Series devices in a chassis cluster support the Virtual Router Redundancy Protocol (VRRP) and VRRPv3 on reth interfaces to provide redundancy, route advertising, and load sharing. Using VRRP, a secondary node can take over a failed primary node within a few seconds with minimum VRRP traffic and without any interaction with the hosts.

      [See Understanding VRRP on SRX Series Devices.]

    Class of Service (CoS)

    • Support for rewrite rules for both inner and outer VLAN tags on IEEE802.1 packets (SRX Series)—Starting with Junos OS Release 18.1R1, SRX Series devices support applying rewrite rules to both inner and outer VLAN tags on IEEE802.1 packets. To apply rewrite rules to both inner and outer VLAN tags, set the vlan-tag outer-and-inner option at the [edit class-of-service interfaces interface-name unit unit-number rewrite-rules ieee-802.1 rewrite-name] hierarchy level.

      [See rewrite-rules (CoS Interfaces).]

    Flow-Based and Packet-Based Processing

    • Enhancement for show security flow statistics operational command (SRX Series, vSRX instances)—Starting in Junos OS Release 18.1R1, the output of the show security flow statistics command has been modified. The Packets forwarded field has been split into the Packets received and Packets transmitted fields. The Packets received field displays the actual number of packets received, including those dropped by the system. The Packets transmitted field displays the number of packets returned to jexec for transmission. The Packets forwarded/queued field displays the actual number of packets forwarded, excluding the dropped packets.

      Additionally, a new field, Packets copied, has been created to provide information about packets copied by other modules, including fragmentation and TCP proxy.

      [See show security flow statistics.]

    Interfaces and Chassis

    • Support for 4x10-Gigabit Ethernet Optical Breakouts (SRX4600)—Starting in Junos OS Release 18.1R1, you can use an optical breakout cable to configure four 10-Gigabit Ethernet interfaces on each 40-Gigabit Ethernet port on an SRX4600. By default, FPC 1 PIC 0 comes up with the default setting of four 40-Gigabit Ethernet ports. This new feature allows the 40-Gigabit Ethernet port to be configured in 4X10-Gigabit Ethernet mode by plugging in QSFPP-4X10-Gigabit Ethernet optics connecting with 4x10-Gigabit Ethernet breakout cables. You use QSFP+ transceivers to connect the 40-Gbps (default speed) port to the breakout cable, which connects to four SFP+ transceivers at the other end, thus converting that port into four 10-Gbps interfaces.

      For example, on FPC 1 PIC 0, to configure each 40-Gbps port as four 10-Gbps interfaces, execute the set chassis fpc 1 pic 0 pic-mode 10G command.

      After you commit the configuration, for the new configuration to take effect, you must reboot the device or chassis cluster. [See SRX4600 Gateway Rate-Selectability Overview.]

    • Support for default 10-Gbps ports to operate at 1-Gbps speed (SRX4600)—Starting in Junos OS Release 18.1R1, SRX4600 supports 1-Gbps port speed on the default 10-Gbps ports on its 8-port PICs and on two dedicated chassis cluster control ports on the 4-port chassis cluster PICs. The SRX4600 supports three different PIC types—8-port 10-Gigabit Ethernet PIC, 4-port 40-Gigabit or 100-Gigabit Ethernet PIC, and 4-port 10-Gigabit Ethernet PIC (in a chassis cluster). Out of the four ports on the 10-Gigabit Ethernet PIC in a chassis cluster, two ports are fabric ports and the other two ports are chassis cluster control ports. The two fabric ports do not support 1-Gbps speed. Only the two control ports of the chassis cluster support a port speed of 1 Gbps.

      Note:

      • The interface name prefix must be xe.

      • You can configure a combination of 1-Gbps and 10-Gbps speed only on the 8-port 10-Gigabit Ethernet PIC. The chassis cluster control interfaces (that is, on the 4-port 10-Gigabit Ethernet PIC) do not support multiple speeds.

      [See SRX4600 Gateway Rate-Selectability Overview.]

    Multicast

    • Layer 2 IGMP and MLD Snooping feature support (SRX1500)—Starting with Junos OS Release 18.1R1, the SRX1500 supports the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) snooping feature in Layer 2 switching mode.

      The snooping feature snoops the IGMP or MLD packets received by the switch interfaces and builds a multicast database. The SRX Series device uses the multicast database and forwards the multicast traffic only to the downstream interfaces of interested receivers. Using the multicast database to forward multicast packets helps ensure efficient use of network bandwidth.

      [See IGMP Snooping Overview and Understanding MLD Snooping.]

    Network Management and Monitoring

    • Two-Way Active Measurement Protocol (TWAMP) support (SRX4100, SRX4200 and vSRX)—Starting in Junos OS Release 18.1R1, the Two-Way Active Measurement Protocol (TWAMP) is supported on SRX4100 and SRX4200 devices and on vSRX instances in addition to the existing support on SRX Series devices such as SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500. TWAMP is a standard protocol framework that defines control and test session separation based on the client/server architecture. The TWAMP-Control protocol is used to set up performance measurement sessions between a TWAMP client and a TWAMP server, and the TWAMP-Test protocol is used to send and receive performance measurement probes.

      [See Two-Way Active Measurement Protocol (TWAMP) Overview.]

    VPN

    • Binding trusted CAs or trusted CA group to an IKE policy (SRX Series and vSRX instances)—Starting in Junos OS Release 18.1R1, you can group CA profiles (trusted CAs) in a trusted CA group and bind either that group or a specific CA profile to an IKE policy. When a remote peer establishes a connection that matches this IKE policy, the particular CA profile or trusted CA group is used to validate the remote peer.

      A group of trusted CA servers can be created with the trusted CA group configuration statement at the [edit security pki] hierarchy level; one or multiple CA profiles can be specified. The trusted CA server is bound to the IKE policy configuration for the peer at [edit security ike policy policy certificate] hierarchy level.

      [See Understanding Certificates and PKI and Understanding Certificate Authority Profiles.]

    • IPv6 support for AutoVPN and ADVPN with dynamic routing protocol (SRX Series and vSRX instances)—Starting with Junos OS Release 18.1R1, IPv6 is supported on AutoVPN and Auto Discovery VPN (ADVPN) with point-to-multipoint secure tunnel mode. ADVPN can run with OSPFv3 routing protocol and AutoVPN can run with OSPFv3 and iBGP (internal BGP) routing protocols.

      The ospf3 option is introduced at the [edit protocols] hierarchy level to support IPv6 for AutoVPN and ADVPN with point-to-multipoint secure tunnel mode. In addition, the show security ipsec next-hop-tunnels command, which displays the IPsec VPN tunnels bound to a specific tunnel interface, is updated to add family and tunnel ID filters.

      [See Understanding AutoVPN and Understanding Auto Discovery VPN.]

    • IPv6 support for PKI (SRX Series and vSRX instances)—Starting in Junos OS Release 18.1, the public key infrastructure (PKI) supports IPv6 address format for the Certificate Authority (CA) server and source addresses in a CA profile. The PKI provides an infrastructure for digital certificate management. In PKI, a CA is a trusted third party agency responsible for issuing and revoking certificates. The certificates are used to create secure connections between two or more entities.

      [See Understanding Certificate Authority Profiles.]

    • SSL remote access VPN support by bypassing an application-based firewall (SRX Series and vSRX instances)—Starting with Junos OS Release 18.1R1, remote access VPN uses SSL to pass through an application-level firewall using the third-party NCP Exclusive Remote Access Client on Windows, macOS, Apple iOS, and Android devices.

      Most intermediate Internet-facing devices allow users to establish a session over SSL (HTTPS) to any Internet-based device. This solution allows users to establish a secure communication using a full SSL session when an intermediate device blocks IPsec or UDP traffic.

      [See Understanding SSL Remote Access VPNs with NCP Exclusive Remote Access Client.]

    Modified: 2018-07-10