New and Changed Features
This section describes the new features and enhancements to existing features in Junos OS Release 18.3R1 for the SRX Series devices.
Junos OS Release 18.3R1 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550M, SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800. Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 12.1X44 through 15.1X49-D150. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D150 are not available in 18.3 releases.
Downloading the Junos OS application signature package from a proxy server (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, you can download the Junos OS application signature package from a proxy server. You can download and install an application signature package hosted on an external server when a Web proxy is already deployed in your network.
To download the signature package by using a proxy server, configure a profile with host and port details of the proxy server, and use the set services application-identification download proxy-profile profile-name command to connect to the external server through a specified proxy server.
The download retrieves the application signature package from the Juniper Networks security website https://signatures.juniper.net/cgi-bin/index.cgi.
Elliptic Curve Digital Signature Algorithm (ECDSA) cipher support (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, ECDSA cipher suites are supported in SSL proxy for digital signing. ECDSA ciphers are based on Elliptic Curve Cryptography (ECC). ECDSA cipher suites use smaller keys and provide faster, stronger cryptography for traffic across the Internet.
SSL proxy supports only the ECC certificate with the Elliptic Prime Curve 256-bit (P-256).
[See SSL Proxy Overview.]
URL category-based routing (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, the advanced policy-based routing (APBR) feature is enhanced to accept URL categories as match criteria in an APBR profile, enabling URL category-based routing. URL categories are based on the destination IP address, and the category identification is taken from the Enhanced Web Filtering and local Web filtering results of UTM. APBR uses these details to match traffic and route the matching traffic to a specified next-hop device.
URL category-based routing enables redirecting the traffic based on a specific website or a URL category to ensure that the Web traffic arrives at the appropriate destination.
Authentication and Access
IPv6 support for configuring the JIMS server and filtering IP addresses (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, IPv6 addresses are supported to connect the Juniper Identity Management Service (JIMS) primary server and secondary server, in addition to existing IPv4 address support. Also, IPv6 addresses are supported to configure a filter based on IP addresses for the advanced query feature, in addition to existing IPv4 address support.
Authentication, Authorization and Accounting
Support for password change policy enhancement (SRX Series)—Starting in Junos OS Release 18.3R1, the Junos password change policy for local user accounts is enhanced to comply with certain additional password policies. As part of the policy improvement, you can configure the following:
minimum-character-changes—The number of characters by which the new password should be different from the existing password.
minimum-reuse—The number of older passwords, which should not match the new password.
Flow-Based and Packet-Based Processing
Selective stateless packet forwarding (SRX1500, SRX4100, SRX4200, and SRX4600)—Starting in Junos OS Release 18.3R1, selective stateless packet forwarding services are supported on SRX1500, SRX4100, SRX4200, and SRX4600 devices in addition to the existing support on SRX300, SRX320, SRX340, SRX345, and SRX550M devices. Using selective stateless packet forwarding services, the device is configured to provide packet-based processing for selected traffic based on the firewall filter input terms. The remaining traffic that is not filtered is processed using flow-based forwarding.
Selective stateless packet forwarding is supported on the following protocols:
CCC-Ethernet switching cross-connects
GTP tunnel enhancements (SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 18.3R1, GPRS tunneling protocol (GTP) is enhanced to update the GTP tunnel and session lifetime to avoid GTP tunnel timeout issues. Even if GTP-U validation is disabled, GTP-U traffic can refresh the GTP tunnel to avoid a timeout. Only GTPv1 and GTPv2 tunnels, not GTPv0 tunnels, are refreshed by GTP-U traffic. GTP-U distribution must be enabled before the GTP tunnel can be refreshed.
On SRX5400, SRX5600, and SRX5800 devices, the number of GTP tunnels supported per SPU is increased from 200,000 tunnels to 600,000 tunnels, for a total of 2,400,000 tunnels per SPC2 card.
[See Monitoring GTP Traffic.]
Intrusion Detection and Protection (IDP)
Downloading the IDP security package through an explicit proxy server (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, you can download the IDP security package through an explicit Web proxy server.
To download an IDP security package hosted on an external server, configure a proxy profile and reference it; the download uses the proxy host and port details configured in that profile.
This feature allows you to use a deployed Web proxy server on your device for access and authentication for HTTP and HTTPS outbound sessions.
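Both the application signature download described above and the IDP security package download use the same proxy profile mechanism, so a single profile can serve both. The following is an added configuration example, not taken from the release notes; the profile name corp-proxy, the proxy address 192.0.2.10 and port 3128 are constructed values, and the security-package proxy-profile statement hierarchy is assumed from the feature description.

```junos
# Added example (not from the release notes). Proxy profile with the host
# and port of an already deployed Web proxy (constructed address and port).
set services proxy profile corp-proxy protocol http host 192.0.2.10
set services proxy profile corp-proxy protocol http port 3128

# Application signature package: fetch from signatures.juniper.net
# through the profile instead of directly from the device.
set services application-identification download proxy-profile corp-proxy

# IDP security package: same profile, referenced under the IDP hierarchy
# (hierarchy assumed from the feature description).
set security idp security-package proxy-profile corp-proxy

commit

# Trigger the downloads and check that they completed through the proxy.
# Both status commands report failure if the proxy refuses or cannot
# reach the external server.
request services application-identification download
request services application-identification download status
request security idp security-package download
request security idp security-package download status
```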
Support for multiple IDP policies (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, with unified policies configured on an SRX Series device, you can configure multiple IDP policies and set one of them as the default IDP policy. If multiple IDP policies are configured for a session and a policy conflict occurs, the device applies the default IDP policy to that session, which resolves the conflict.
If you have configured two or more IDP policies in a unified security policy, then you must configure the default IDP policy.
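As an added example (not from the release notes), the configuration below references two IDP policies from unified security policies and declares one of them the default, as the feature requires once two or more IDP policies are in use. Policy, rule and zone names are assumed, and the predefined attack group names are assumed to exist in the installed signature package.

```junos
# Added example (not from the release notes). Two IDP policies with
# different strictness; names and attack groups are assumed.
set security idp idp-policy idp-web rulebase-ips rule web-critical match from-zone any to-zone any
set security idp idp-policy idp-web rulebase-ips rule web-critical match application default
set security idp idp-policy idp-web rulebase-ips rule web-critical match attacks predefined-attack-groups "HTTP - Critical"
set security idp idp-policy idp-web rulebase-ips rule web-critical then action drop-connection
set security idp idp-policy idp-web rulebase-ips rule web-critical then notification log-attacks

set security idp idp-policy idp-baseline rulebase-ips rule major match from-zone any to-zone any
set security idp idp-policy idp-baseline rulebase-ips rule major match attacks predefined-attack-groups "HTTP - Major"
set security idp idp-policy idp-baseline rulebase-ips rule major then action drop-packet
set security idp idp-policy idp-baseline rulebase-ips rule major then notification log-attacks

# Mandatory once two or more IDP policies are referenced: the policy
# applied while a session still matches more than one unified policy
# (before the dynamic application is identified) or on a conflict.
set security idp default-policy idp-baseline

# Unified policies: dynamic-application match, each attaching its own
# IDP policy. Sessions that resolve to junos:HTTP get idp-web.
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application any
set security policies from-zone trust to-zone untrust policy allow-web match dynamic-application junos:HTTP
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services idp-policy idp-web

set security policies from-zone trust to-zone untrust policy allow-rest match source-address any
set security policies from-zone trust to-zone untrust policy allow-rest match destination-address any
set security policies from-zone trust to-zone untrust policy allow-rest match application any
set security policies from-zone trust to-zone untrust policy allow-rest match dynamic-application any
set security policies from-zone trust to-zone untrust policy allow-rest then permit application-services idp-policy idp-baseline

commit

# Verify that both policies compiled and loaded
show security idp status
show security idp policy-commit-status
```

A commit that references two IDP policies without a default-policy statement is rejected, so the default should be the more conservative of the two.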
[See IDP Policies Overview.]
User visibility improvements for IDP attacks (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, you can view the attack objects that are available in an attack object group (predefined, dynamic, and custom attack groups) and the group to which a predefined attack object belongs.
You can use the following new commands to view the details of attack objects in a group and the group to which a predefined attack belongs:
show security idp attack attack-list attack-group attack-group-name
show security idp attack group-list attack-name
Interfaces and Chassis
Management Ethernet interface (fxp0) is confined in a non-default virtual routing and forwarding table (SRX Series)—Starting in Junos OS Release 18.3R1, you can confine the management interface in a dedicated management instance by setting a new CLI configuration statement, management-instance, at the [edit system] hierarchy level. This ensures that management traffic no longer shares a routing table (that is, the default inet.0 table) with other control or protocol traffic in the system. Instead, a mgmt_junos routing instance is introduced for management traffic.
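The following added example (not from the release notes) enables the dedicated management instance and moves the management default route into it, then verifies that inet.0 no longer carries it. The fxp0 address 192.0.2.20/24 and gateway 192.0.2.1 are constructed.

```junos
# Added example (not from the release notes). Addresses are constructed.
set interfaces fxp0 unit 0 family inet address 192.0.2.20/24

# Confine fxp0 to the mgmt_junos routing instance. After this commit,
# management sessions on fxp0 are looked up in mgmt_junos.inet.0.
set system management-instance

# The management default route now belongs in mgmt_junos, not in inet.0.
# A default route left in inet.0 would no longer be used by fxp0 traffic,
# and transit or protocol traffic can never leak out via fxp0.
set routing-instances mgmt_junos routing-options static route 0.0.0.0/0 next-hop 192.0.2.1

commit

# Verify the separation: the default route appears only in the
# management table, and the default table has no route via fxp0.
show route table mgmt_junos.inet.0
show route table inet.0 0.0.0.0/0
show route instance mgmt_junos
```

System services that previously reached their servers through fxp0 via inet.0 (for example syslog, NTP, or RADIUS) must be explicitly associated with mgmt_junos after this change, otherwise they lose connectivity.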
Logical Systems and Tenant Systems
Application identification support enhancement for logical systems (SRX Series)—Starting in Junos OS Release 18.3R1, the application identification (AppID) support for logical systems now includes two new options to display and clear logical system statistics and counters. The user logical system administrator can view the AppID signature package status and version. The custom signatures configured by the master logical system administrator can be configured in the user logical system security policies. You can view the information about AppID signature package status and version by using the commands show services application-identification status and show services application-identification version.
ICAP redirect profile support for logical systems (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, SRX Series devices support the Internet Content Adaptation Protocol (ICAP) service redirect when the device is configured for logical systems.
ICAP is a lightweight protocol used to extend transparent proxy servers, thereby freeing up resources. An ICAP redirect profile can be attached only to a policy that belongs to the same logical system.
IDP support for logical systems (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, the intrusion detection and prevention (IDP) support is extended to logical systems.
IDP support allows the following actions for logical systems:
Configure individual IDP policies.
Verify the IDP policy load and compilation status.
View the attacks detected and service statistics.
A single IDP security package is installed at the master logical system and is shared by all other logical systems. Only the master logical system administrator can configure the sensor-configuration statement, and that configuration is used by all other logical systems.
[See IDP for Logical Systems.]
Logical systems support (SRX4600)—Starting in Junos OS Release 18.3R1, logical systems are supported on the SRX4600 Services Gateway in addition to the existing support on SRX1500, SRX3400, SRX3600, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800.
New context-oid option for trap-options configuration statement to distinguish traps that come from a non-default routing instance or a non-default logical system (SRX Series)—In Junos OS Release 18.3R1, a new option, context-oid, for the trap-options statement allows you to carry prefixes such as <routing-instance name>@<trap-group> or <logical-system name>/<routing-instance name>@<trap-group> as an additional varbind.
Tenant systems support (SRX Series)—Starting in Junos OS Release 18.3R1, tenant systems are supported. A tenant system provides logical partitioning of the SRX Series device into multiple domains, similar to logical systems, and provides high scalability. A tenant system supports routing, services, and security features. A tenant system is created by the master administrator and supports independent provisioning and administration. The master administrator uses resource profiles to specify the resource allocation for a tenant system. The tenant system administrator can configure and view the security features for the tenant system.
The following features that are supported on the logical systems are now extended to tenant systems:
NAT (source NAT, destination NAT, and static NAT)
[See NAT for Tenant Systems.]
Firewall authentication (pass-through authentication, Web authentication, user firewall authentication, and push authentication entries to Juniper Identity Management Service (JIMS))
ALG (data and VoIP)
[See ALG for Tenant Systems.]
Security policies, zones, and logs
Screen options for attack detection and prevention
Logical tunnel interfaces and GRE tunnels
[See Flow for Tenant Systems.]
UTM support for logical systems (SRX Series)—Starting in Junos OS Release 18.3R1, unified threat management (UTM) is supported on logical systems. Use the set security utm default-configuration command to create a default UTM profile at the master logical system level. You can configure policies, profiles, and custom objects for UTM for each logical system. For a user logical system, parameters such as mime-whitelist and url-whitelist in an antivirus profile and address-blacklist and address-whitelist in an antispam profile can be configured at the following hierarchy levels, respectively:
[edit security utm feature-profile anti-virus sophos-engine profile]
[edit security utm feature-profile anti-spam sbl profile]
User firewall support in logical systems (SRX Series)—Starting in Junos OS Release 18.3R1, user logical systems share user firewall authentication entries such as authentication entry timeout and invalid authentication entry timeout attributes with the master logical system.
The support for authentication sources is extended to local authentication, Active Directory authentication, and firewall authentication, in addition to the existing supported authentication sources such as Juniper Identity Management Service (JIMS) and Clear Pass authentication.
NAT configuration check on egress interfaces after reroute (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, an existing session can be retained together with its Network Address Translation (NAT) rule when the egress interface changes because of rerouting.
If the new egress interface and the previous egress interface are in the same security zone and the matched NAT rule is unchanged, or if no rule is applied before and after rerouting, the session is retained with the existing NAT rule. Otherwise, the session expires and a new session is created when retransmitted or subsequent traffic is received.
Session persistence after NAT configuration change (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, SRX Series devices support Network Address Translation (NAT) session persistence. With NAT session persistence enabled on your device, if there are any changes in the NAT configuration, then the device retains the existing NAT sessions instead of clearing them.
NAT session persistence is supported only for source NAT in the following scenarios:
Source pool—Change in an address range in a Port Address Translation (PAT) pool.
Source rule—Change in match conditions for the address book, application, destination IP address, destination port, source IP address, and destination port fields.
Platform and Infrastructure
Juniper Sky ATP Added Platform Support—Junos OS Release 18.3R1 adds support for SRX300 and SRX320 devices with Juniper Sky ATP.
Support to disable graceful restart helper mode during an interface failure (SRX Series)—Starting in Junos OS Release 18.3R1, you can prevent SRX Series devices from entering the graceful restart helper mode when the device is configured with BFD with a single-hop external BGP (EBGP).
To disable the graceful restart helper mode capability, include the dont-help-shared-fate-bfd-down statement at the [edit protocols bgp graceful-restart] hierarchy level. When the helper mode is not enabled, data traffic continues to be forwarded to an alternate path even if there is an interface failure.
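As an added example (not from the release notes), the configuration below shows the context in which the statement applies: a single-hop EBGP session protected by BFD, with graceful restart enabled and helper mode suppressed for a shared-fate BFD-down event. The group name, peer AS 64496, neighbor 203.0.113.1 and BFD timers are constructed.

```junos
# Added example (not from the release notes). Peer details are constructed.
set protocols bgp group ebgp-upstream type external
set protocols bgp group ebgp-upstream peer-as 64496
set protocols bgp group ebgp-upstream neighbor 203.0.113.1

# Single-hop BFD on the EBGP session: the BFD session and the BGP session
# share the fate of the physical link.
set protocols bgp group ebgp-upstream bfd-liveness-detection minimum-interval 300
set protocols bgp group ebgp-upstream bfd-liveness-detection multiplier 3

# Graceful restart stays enabled for genuine control-plane restarts ...
set protocols bgp graceful-restart
# ... but the SRX must not act as helper when BFD reports the link down:
# helper mode would keep the peer's routes (and forward into the failed
# interface) for the stall timer, instead of withdrawing them so traffic
# moves to the alternate path immediately.
set protocols bgp graceful-restart dont-help-shared-fate-bfd-down

commit

# Verify the negotiated capabilities and BFD state for the peer
show bgp neighbor 203.0.113.1
show bfd session
```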
Explicit proxy support for Enhanced Web Filtering and Sophos antivirus (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, SRX Series devices support the use of an explicit proxy for the cloud-based connectivity of Enhanced Web Filtering (EWF) and Sophos antivirus (SAV). The proxy hides the identity of the source device and establishes the connection with the destination server on its behalf.
To use the explicit proxy, create one or more proxy profiles and refer to those profiles:
In EWF, to establish connection with the Websense Threatseeker Cloud (TSC) server and dynamically load new EWF categories without any software upgrade.
In SAV, to connect to the pattern update server using the proxy host IP address.
[See Understanding Explicit Proxy.]