Changes in Behavior and Syntax
This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 18.3R1 for the SRX Series.
API and Scripting
MD5 and SHA-1 hashing algorithms are no longer supported for script checksums (SRX Series)—Starting in Junos OS Release 18.3R1, Junos OS does not support configuring an MD5 or SHA-1 checksum hash to verify the integrity of local commit, event, op, SNMP, or Juniper Extension Toolkit (JET) scripts or support using an MD5 or SHA-1 checksum hash with the op url url key option to verify the integrity of remote op scripts.
Passive packet probe (SRX Series, vSRX)—Starting in Junos OS Release 18.3R1, on all supported SRX Series devices and vSRX instances, in order to detect if a link or path is down by passive probes, a minimum of three probe requests and 100% packet loss must occur in a sampling period for a given session to trigger SLA violation.
IDP signature download (SRX Series)—On SRX Series devices, the ignore-appid-failure option is introduced in the [security idp security-package install] hierarchy in Junos OS Release 18.3R1.
When you configure signature installation to enable the ignore-appid-failure option, IDP signature download or installation does not fail even if application identification download or installation fails during IDP signature download or installation. This option is not enabled by default. You have to enable this option.
Licensing (SRX Series)—Starting in Junos OS Release 18.3R1, the display xml rpc CLI option is supported for request system license add and request system license save commands while installing licenses on Juniper Networks devices.
License for logical systems or tenant systems (SRX Series)—Starting in Junos OS Release 18.3R1, an SRX Series device running logical or tenant systems includes three licenses by default. One license for a master logical system and the other two licenses for user-defined logical or tenant system. The system does not allow you to configure additional logical or tenant systems if the number of logical and tenant systems exceeds the number of available licenses. In the earlier releases, the system allowed you to configure additional logical systems even if the number of logical systems exceeds the limit, but with a warning message of non-licensed logical-systems do not pass traffic.
Network Management and Monitoring
SNMP traps sent from backup node (SRX Series)—Starting in Junos OS Release 18.3R1, for SRX Series clusters, the backup node runs as a separate entity; therefore, traps need to be sent from the cluster’s backup node as well as from the primary node. Previously, there was a block on backup nodes sending SNMP traps to the network management system.
Junos OS does not support managing YANG packages in configuration mode (SRX Series)—Starting in Junos OS Release 18.3R1, Junos OS does not support adding, deleting, or updating YANG packages using the run command in configuration mode.
HMAC DRBG support in non-FIPS mode (SRX Series)—Starting in Junos OS Release 18.3R1, HMAC DRBG is available in non-FIPS mode. HMAC DRBG is a cryptographically secure pseudo-random number generator. Only root users can configure HMAC DRBG in non-FIPS mode. In Junos OS releases prior to 18.3R1, HMAC DRBG was only available in FIPS mode.
Include the hmac-drbg statement at the [edit system rng] hierarchy level to configure HMAC DRBG and reboot the device for the change to take effect.
Default encryption algorithm for PKI certificates (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, the default encryption algorithm that is used for validating automatically and manually generated self-signed PKI certificates is Secure Hash Algorithm 256 (SHA-256).
In releases before Junos OS Release 18.3R1, the default encryption algorithm is SHA-1.