New and Changed Features
This section describes the new features and enhancements to existing features in Junos OS Release 18.4R1 for the SRX Series devices.
Junos OS Release 18.4R1 supports the following Juniper Networks security platforms: vSRX, SRX300/320, SRX340/345, SRX550HM, SRX1500, SRX4100/4200, SRX4600, SRX5400, SRX5600, and SRX5800. Most security features in this release were previously delivered in Junos OS for SRX Series “X” releases from 12.1X44 through 15.1X49-D150. Security features delivered in Junos OS for SRX Series “X” releases after 15.1X49-D150 are not available in 18.4 releases.
CLI enhancements to support J-Web (SRX Series and vSRX)—Starting in Junos OS Release 18.4R1, the show service application-identification command is enhanced to display applications and application group details in J-Web.
The show service application-identification command used with the new entries option provides the following functionality:
Alphabetical list application and application group details.
Pagination support to limit the number of entries in output.
Display of details in a sorted order.
Using filters on output columns to search applications easily.
SSL decryption port mirroring (SRX Series and vSRX)—Junos OS Release 18.4R1 introduces SSL decryption mirroring for SSL forward and reverse proxy. SSL decryption mirroring enables you to forward a copy of SSL decrypted traffic to a configured mirror port on a server that is acting as a traffic collection tool.
To use the decryption mirroring feature, configure the mirror interface and the MAC address of the port in the SSL proxy profile, and apply the SSL proxy profile as the application service in the security policy. Traffic matching the policy rule is decrypted, and a copy of SSL-decrypted traffic is forwarded to the configured mirror port.
[See SSL Proxy.]
Application path selection based on link preference and priority (SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100 SRX4200, and vSRX)—Starting in Junos OS Release 18.4R1, you can configure Application Quality of Experience (AppQoE) to select an application path based on the link priority and the link type when multiple links are available.
For application path selection, a list of paths to a specific destination, which meets SLA requirements, is made available. From the list, AppQoE selects a path that matches the configured link preference. Paths are WAN links used for forwarding application traffic. You can select an MPLS or Internet link as the preferred path, and assign a priority from the range 1-255 (value of 1 indicates highest priority).
Schedulers support for APBR (SRX Series and vSRX)—Starting in Junos OS Release 18.4R1, support for configuring policy schedulers for an advanced policy-based routing (APBR) policy is available. Using a policy scheduler, you can schedule APBR policy execution at a specified time and enforce the policy for a specified duration.
To use a scheduler for an APBR policy, you must create a scheduler and refer to scheduler in your APBR policy configuration. The policy scheduler activates and deactivates a policy according to the scheduled time. When the scheduler times out, the associated policy is deactivated.
Dedicated Chassis Cluster fabric ports—Starting in Junos OS Release 18.4R1, the SRX4600 devices support dedicated chassis cluster fabric ports.
[See SRX Series Chassis Cluster Configuration Overview, Understanding SRX Series Chassis Cluster Slot Numbering and Physical Port and Logical Interface Naming, Chassis Cluster Control Plane Interfaces, and Media Access Control Security (MACsec) on Chassis Cluster.]
Chassis cluster resiliency (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, a three-layered model is introduced to detect software and hardware failures that impact chassis cluster performance. Flapping of em0 and control path software or hardware failures are detected and state transitions and failovers are triggered using this model. Following are the three layers:
Layer 1 : Identifies and detects the components that are causing the failures.
Layer 2 : Detects the failures that are not detected by Layer1.
Layer 3 : Shares the health information of the system between the two nodes over control and fabric links.
The set chassis cluster health-monitoring command is introduced to enable monitoring the health of chassis cluster.
[See Chassis Cluster Resiliency.]
Flow-Based and Packet-Based Processing
SRX5K-SPC3 card with flow support in chassis cluster mode (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, the SRX5K-SPC3 and SRX5K-SPC-4-15-320 (SPC2) cards can operate together in a mixed-mode configuration on the SRX5000 line of devices using the same slot number in both nodes. If you are adding the SPC3 SPCs to the SRX5000 devices, you must install the new SPCs in the lowest-numbered slot of any SPC that provides central point functionality. SPC3 interoperates with the SRX5000 I/O cards (IOC2, IOC3), Switch Control Boards (SCB2, SCB3), Routing Engines, and SPC2 cards.
General Packet Radio Service (GPRS)
IPv6 support on GTP (SRX1500, SRX4100, SRX4200, SRX4600, SRX4800, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 18.4R1, GPRS tunneling protocol (GTP) traffic security inspection is supported on IPv6 addresses along with existing IPv4 support. With this enhancement, a GTP tunnel using either IPv4 and IPv6 addresses is established for individual user endpoints (UEs) between a Serving GPRS Support Node (SGSN) in 3G or a Service Gateway (S-GW) and a Gateway GPRS Support Node (GGSN) in 3G or a PDN Gateway (P-GW) in 4G.
[See GPRS Overview.]
Enhancements to GTP-C Tunnel (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, the GTP-C tunnel is enhanced to support tunnel-based session distribution to speed up the tunnel setup process and load-balance the sessions between the SPUs. The GTP-C tunnels and the GTP-C tunnel sessions are distributed by the SGSN tunnel endpoint identifier (TEID) of the tunnel. Use the set security forwarding-process application-services enable-gtpu-distribution command to enable the tunnel-based session distribution where the GTP-C traffic of different tunnels is spread across different SPUs.
[See GPRS Overview.]
Interfaces and Chassis
Support for up and down delay timers on reth interfaces (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, you can configure up and down delay timers for redundant Ethernet (reth) interfaces. The delay timers keep the reth interfaces up or down, respectively, to prevent the routing protocols from reconverging and to avoid loss of traffic during a crash or when links flap.
On SRX series devices, the default delay timer for down hold-time is 11 seconds, and the default delay timer for up hold-time is 0 seconds. To configure the timers, include the reth 1 hold-time down timer and reth 1 hold-time up timer statements at the [edit interfaces] hierarchy level.
Half-duplex link support (SRX340 and SRX345)—Starting in Junos OS release 18.4R1, half-duplex mode is supported on SRX340 and SRX345 devices. Half duplex enables bidirectional communication, but signals can flow in only one direction at a time. Full-duplex communication means that both ends of the communication can send and receive signals at the same time. By default, half duplex is configured. If the link partner is set to autonegotiate the link, then the link is autonegotiated to full duplex or half duplex. If the link is not set to autonegotiation, then the link defaults to half duplex unless the interface is explicitly configured for full duplex.
Intrusion Detection and Protection (IDP)
Support for custom time bindings in a time-binding custom attack (SRX Series)—Starting in Junos OS Release 18.4R1, you can configure the maximum time interval between any two instances of a time-binding custom attack. The range for the maximum time interval is 0 minutes and 0 seconds through 60 minutes and 0 seconds. In Junos OS releases before 18.4R1, the maximum time interval between any two instances of a time-binding attack is 60 seconds.
The interval time-interval statement is introduced at the [edit security idp custom-attack attack-name time-binding] hierarchy to configure a custom time-binding.
User visibility improvements for IDP attacks within an IDP Policy (SRX Series and vSRX)—Starting in Junos OS Release 18.4R1, you can view and validate the complete set of attacks that are configured for an IDP policy (predefined, dynamic, and custom attacks).
Use the show security idp attack attack-list policy policy-name command to view the attacks that are configured for an IDP policy.
IDP policy rematch (SRX Series)—Starting in Junos OS Release 18.4R1, when a new IDP policy is loaded, the existing sessions are inspected using the newly loaded policy and are not ignored for IDP processing.
[See IDP Policies Overview.]
Logical Systems and Tenant Systems
Starting in Junos OS Release 18.4R1, the following features that are supported on the logical systems are now extended to tenant systems:
Dynamic address support for tenant systems (SRX Series)—Starting in Junos OS Release 18.4R1, the tenant system user can create dynamic address entries within a tenant system. A dynamic address entry contains IP ranges extracted from external sources. The security policies use the dynamic address in the source-address or destination-address field. The tenant system administrator can view the dynamic address information, including name, feeds, properties, and number of IPv4 and IPv6 entries for tenant systems, by using the show security dynamic-address command.
DHCP support for tenant systems (SRX Series)—Starting in Junos OS Release 18.4R1, DHCP provides support for DHCP clients, DHCP relay agents, and IPv6 dynamic servers for prefix delegation for tenant systems. The DHCP relay agent operates as the interface between DHCP clients and IPv6 dynamic server for tenant systems, and also relays DHCP messages between DHCP clients and DHCP servers on different IP address networks.
[See DHCP for Tenant Systems.]
SRX5K-SPC3 card support for tenant systems (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, support for the SRX5K-SPC3 services processing card is introduced for tenant systems.
[See Tenant Systems Overview.]
Application firewall support on tenant systems (SRX Series)—Starting in Junos OS Release 18.4R1, the tenant system administrator can configure the application firewall profile, trace options, and resources appfw-rule-set and appfw-rule in a tenant system. The application firewall rules can be reordered using the command insert tenants tenant-id security application-firewall rule-sets ruleset-name rule rule-name1 after rule rule-name2.
Application firewall is a group of fine-grained application control policies to allow or deny the traffic based on the dynamic application name or the group names. It enhances security policy creation and enforcement based on the applications rather than traditional port and protocol analysis.
Interfaces support enhancement on tenant systems (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, support for interfaces is enhanced on tenants systems with the following changes:
You can configure an interface in the tenant system similar to how you configure an interface in a logical system.
All types of interfaces that can be configured in a logical system can also be configured in a tenant system.
All the interfaces that are configured in a tenant system are associated with the routing instance configured for that tenant system.
[See Tenant Systems Overview.]
Network Management and Monitoring
RPM probe enhancement (SRX Series)—Starting in Junos OS Release 18.4R1, if the result of a probe or test exceeds the packet loss threshold, the real-time performance monitoring (RPM) test probe is marked as failed. The test probe also fails when the round-trip time (RTT) exceeds the configured threshold ranges from 0 through 60000000 ms. As a result, the device generates an SNMP notification (trap) and marks the RPM test as failed.
RPM allows you to perform service-level monitoring. When RPM is configured on a device, the device calculates network performance based on packet response time, jitter, and packet loss.
[See RPM Overview.]
SNMP support for monitoring the 4G LTE Mini-Physical Interface Module (Mini-PIM) status (SRX300, SRX320, SRX340, SRX345, and SRX550M)—Starting in Junos OS Release 18.4R1, you can monitor 4G LTE Mini-PIM status by using SNMP remote network management.
You can use the following commands to monitor the 4G LTE Mini-PIM status:
show snmp mib walk ascii jnxWirelessWANNetworkInfoTable
show snmp mib walk ascii jnxWirelessWANFirmwareInfoTable
In previous releases, the show modem wireless network interface interface-name and show modem wireless firmware interface interface-name commands are used to check the 4G LTE Mini-PIM status.
ARP policer support to protect Routing Engine (SRX Series)—Starting in Junos OS Release 18.4R1, you can apply policers on Address Resolution Protocol (ARP) traffic on SRX Series devices. You can configure rate limiting for the policer by specifying the bandwidth and the burst-size limit. Packets exceeding the policer limits are discarded.
The traffic to the Routing Engine is controlled by applying the policer on ARP traffic. Using policers helps prevent network congestion caused by broadcast storms.
[See ARP Policer Overview.]
New operational commands for security policy configuration (SRX Series and vSRX)—Starting in Junos OS Release 18.4R1, the following operational commands are introduced:
show security policies information
show security policies checksum
request security policies check
request security policies resync
The show security policies information command provides detailed information about the policies configured on SRX Series devices and on vSRX. The show security policies checksum, request security policies check, and request security policies resync commands are used to synchronize security policies between the Routing Engine and the Packet Forwarding Engine.
URL category-based security with unified policies (SRX Series)—Starting from Junos OS Release 18.4R1, the unified policies feature is enhanced to include URL categories as match criteria for traffic flowing through the firewall. The URL category for Web filtering enables redirecting the traffic based on configured URL Category policy for further processing on the SRX Series devices. URL categories can be configured for unified policies with or without dynamic-application applied.
A URL category can be configured as url-category any and url-category none. If url-category is not configured, the functionality is similar to url-category none.
Support to stop log messages on throughput overuse (SRX4100)—Starting with Junos OS Release 18.4R1, the enhanced performance upgrade license is required to stop the log messages that are generated if the Internet mix (IMIX) throughput exceeds 20 Gbps and 7 Mpps on the SRX4100 device.
[See Log File Sample Content.]
Avira scan engine support on antivirus module (SRX1500, SRX4100, SRX4200, and SRX4600)—Starting in Junos OS Release 18.4R1, SRX Series devices support an on-device antivirus scan engine. The on-device scan engine Avira scans the data by accessing the virus pattern database. The antivirus scan engine is provided as a UTM module that you can download and install on your SRX Series device either manually (using the request security utm anti-virus avira-engine command) or by using the Internet to connect to a Juniper Networks-hosted URL or a user-hosted URL.
Port-mirrored traffic support on an IPsec interface (SRX Series)—Starting in Junos OS Release 18.4R1, if the output X2 interface of a mirror filter is configured for an st0 interface to filter traffic that you want to analyze, the packet is duplicated and encrypted by the IPsec tunnel bound to the st0 interface. This enhancement supports SRX Series devices in sending traffic mirrored from a port on an IPsec tunnel.
[See Monitoring X2 Traffic.]
PowerMode IPsec (SRX4100 and SRX4200)—Starting in Junos OS Release 18.4R1, PowerMode IPsec (PMI) is a new mode of operation that provides IPsec performance improvements using Vector Packet Processing (VPP) and Intel AES-NI instructions. PMI utilizes a small software block inside the Packet Forwarding Engine that bypasses flow processing and utilizes the AES-NI instruction set for optimized performance of IPsec processing.
You can enable PMI processing by using the set security flow power-mode-ipsec command.
The following features are supported with PMI:
Auto Discovery VPN (ADVPN)
Internet Key Exchange (IKE) functionality
SRX5K-SPC-4-15-320 (SPC2) and SRX5K-SPC3 (SPC3) support for IPsec VPN (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 18.4R1, all IPsec VPN features that were previously supported only on SPC3 (model number: SRX5K-SPC3) are now supported on both SPC2 (model number: SRX5K-SPC-4-15-320) and SPC3 installed in the SRX5000 line of devices operating in chassis cluster mode or in standalone mode.