
What's Changed


Learn about what changed in Junos OS main and maintenance releases for SRX Series.

Application Security

  • Starting in Junos OS Release 19.4R1, you have the flexibility to limit the application identification inspection as follows:

    • Inspection Limit for TCP and UDP Sessions

      You can set a byte limit and a packet limit for application identification (AppID) inspection of a TCP or a UDP session. AppID concludes the classification when the configured inspection limit is reached; once the limit is exceeded, AppID stops inspecting the session for application classification.

      If AppID does not reach a final classification within the configured limits and a pre-matched application is available, AppID concludes the application as the pre-matched application. Otherwise, the application is concluded as junos:UNKNOWN, provided that the global AppID cache is enabled (it is enabled by default).

      To configure the byte limit and the packet limit, use the following configuration statements from the [edit] hierarchy:

      Table 1 provides the range and the default value for the byte limit and the packet limit for TCP and UDP sessions.

      Table 1: Maximum Byte Limit and Packet Limit for TCP and UDP Sessions

      Session   Limit          Range                  Default Value
      -------   ------------   --------------------   ---------------------------------------------
      TCP       Byte limit     0 through 4294967295   6000 (10000 in Junos OS Release 15.1X49-D200)
      TCP       Packet limit   0 through 4294967295   0
      UDP       Byte limit     0 through 4294967295   0
      UDP       Packet limit   0 through 4294967295   10 (20 in Junos OS Release 15.1X49-D200)

      The byte limit excludes the IP header and the TCP/UDP header lengths.

      If you set both the byte-limit and the packet-limit options, AppID inspects the session until both limits are reached.

      You can disable the TCP or UDP inspection limit by configuring the corresponding byte-limit and the packet-limit values to zero.

    • Global Offload Byte Limit (Other Sessions)

      You can set the byte limit for the AppID to conclude the classification and identify the application in a session. On exceeding the limit, AppID terminates the application classification.

      If AppID does not reach a final classification within the configured limit, or the session is not offloaded because of the tunneling behavior of some applications, and a pre-matched application is available, AppID concludes the application as the pre-matched application. Otherwise, the application is concluded as junos:UNKNOWN, provided that the global AppID cache is enabled (it is enabled by default).

      To configure the byte limit, use the following configuration statement from the [edit] hierarchy:

      The default value for the global-offload-byte-limit option is 10000 and the range is 0 through 4294967295.

      You can disable the global offload byte limit by configuring the global-offload-byte-limit value to zero.

      The byte limit excludes the IP header and the TCP/UDP header lengths.

    • Starting in Junos OS Release 19.4R1, the maximum packet threshold option for DPI performance mode, set services application-identification enable-performance-mode max-packet-threshold value, is deprecated rather than immediately removed, to provide backward compatibility and an opportunity to bring your configuration into compliance with the new inspection-limit configuration.

      If your configuration enables performance mode with max-packet-threshold in Junos OS Release 15.1X49-D200 or 19.4R1, AppID concludes the application classification on reaching the lowest of the values configured in the TCP or UDP inspection limit, the global offload byte limit, and the maximum packet threshold for DPI performance mode.

    [See Application Identification Inspection Limit and application-identification]

  • Starting in Junos OS Release 19.4R1, the apbr-rule-type field in the system log message displays the value none if no rule is applied because you have disabled midstream for the application. The updated system log message sample is as follows:

  • Starting in Junos OS Release 19.4R1, security policies do not support the following applications as dynamic-application match criteria:

    • junos:HTTPS

    • junos:POP3S

    • junos:IMAPS

    • junos:SMTPS

    A software upgrade to Junos OS Release 19.4R1 fails during validation if any security policy is configured with junos:HTTPS, junos:POP3S, junos:IMAPS, or junos:SMTPS as dynamic-application match criteria. We recommend that you remove any configuration that uses these dynamic applications as match criteria in security policies before upgrading.

    We recommend that you run the request system software validate package-name command before upgrading to the above-mentioned release, so that the failure surfaces before the install rather than during it.
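    The following Junos CLI sequence ties the two changes above together as a pre-upgrade checklist: it replaces the deprecated DPI performance-mode threshold with explicit inspection limits, finds security policies that still match on the four dynamic applications that 19.4R1 rejects, and validates the target package. It is an added example, not text from the Juniper page. The statement names (inspection-limit tcp/udp byte-limit and packet-limit, global-offload-byte-limit) and the singular dynamic-application match keyword are my reading of the Junos hierarchy and should be checked against the application-identification and security policies references for your release; the policy name allow-mail and the zone names are hypothetical, and package-name is a placeholder for your image file.

```text
# Configuration mode. Step 1: drop the deprecated max-packet-threshold and
# state the inspection limits explicitly. The values are the 19.4R1 defaults
# from Table 1 (assumption: statement names as documented for 19.4R1); tune
# them for your traffic profile rather than copying them blindly.
delete services application-identification enable-performance-mode max-packet-threshold
set services application-identification inspection-limit tcp byte-limit 6000
set services application-identification inspection-limit tcp packet-limit 0
set services application-identification inspection-limit udp byte-limit 0
set services application-identification inspection-limit udp packet-limit 10
set services application-identification global-offload-byte-limit 10000

# Operational mode. Step 2: list every policy line that would make the
# 19.4R1 upgrade validation fail. The regular expression matches only the
# four applications named in this release note, not junos:HTTP or junos:SMTP.
show configuration security policies | display set | match "dynamic-application junos:(HTTPS|POP3S|IMAPS|SMTPS)"

# Configuration mode. Step 3: remove each hit (hypothetical policy allow-mail
# in hypothetical zones trust/untrust) and confirm the candidate config parses.
delete security policies from-zone trust to-zone untrust policy allow-mail match dynamic-application junos:IMAPS
commit check

# Operational mode. Step 4: validate the 19.4R1 package against the running
# configuration before installing it.
request system software validate /var/tmp/package-name
```

    Steps 1 and 3 are typed in configuration mode (edit) and step 2 and step 4 in operational mode; run step 2 again after step 3 to confirm that the match returns nothing before you validate.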

Authentication and Access Control

  • Enabling and disabling SSH login password or challenge-response authentication (SRX Series)—Starting in Junos OS Release 19.4R1, you can disable either the SSH login password authentication or the challenge-response authentication independently at the [edit system services ssh] hierarchy level.

    In Junos OS releases earlier than Release 19.4R1, SSH login password authentication and challenge-response authentication can be enabled or disabled only together at the [edit system services ssh] hierarchy level.

    [See Configuring SSH Service for Remote Access to the Router or Switch.]

Network Management and Monitoring

  • SSHD process authentication logs timestamp (SRX Series)—Starting in Junos OS Release 19.4R1, the SSHD process authentication logs use only the time zone defined in the system time zone configuration. In Junos OS releases earlier than Release 19.4R1, the SSHD process authentication logs sometimes used the system time zone and sometimes the UTC time zone, which made timestamps inconsistent across log sources.

    [See Overview of Junos OS System Log Messages.]

  • Change in on-box reporting factory-default configuration (SRX1500, SRX4100, SRX4200, SRX4600, and vSRX)—Starting in Junos OS Release 19.4R1, the factory-default configuration no longer includes the on-box reporting configuration, to extend the solid-state drive (SSD) lifetime. You can enable on-box reporting by configuring the report statement at the [edit security log] hierarchy level (set security log report).

    [See Understanding On-Box Logging and Reporting.]

  • Change in jnxJsFlowMIB statistics display (SRX Series)—Starting in Junos OS Release 19.4R1, in a chassis cluster, the show snmp mib walk jnxJsFlowMIB command displays the statistics for all SPUs on both nodes. In earlier releases, the command displays the statistics only for the local SPUs.

    [See SNMP MIB Explorer.]

Port Security

  • Configuring source MAC filters (SRX300 and SRX550 Services Gateway)—In this release of Junos OS, an issue that prevented source MAC filters from being configured on an interface is fixed. The error affected both the accept-source-mac and source-address-filter statements and resulted in one of the following error messages: accept-source-mac not allowed in switching mode, or source mac filters not allowed in switching mode.

VPNs

  • IKE gateway dynamic distinguished name attributes (SRX Series devices)—Starting in Junos OS Release 19.4R1, you can configure only one dynamic distinguished name (DN) attribute, either container-string or wildcard-string, at the [edit security ike gateway gateway_name dynamic distinguished-name] hierarchy level. If you configure the second attribute after the first, the first attribute is replaced by the second. If you have both attributes configured, remove one of them before you upgrade your device.

    [See distinguished-name (Security) and Understanding IKE Identity Configuration.]

  • CoS forwarding class name (SRX Series devices)—Starting in Junos OS Release 19.4R1, the CLI option fc-name (CoS forwarding class name) is deprecated in the new iked process, which displays security associations (SAs) under the show security ipsec sa command.

    [See show security ipsec security-associations.]