Changes In Default Behavior and Syntax in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
The following current system behavior, configuration statement usage, and operational mode command usage might not yet be documented in the JUNOS Software documentation:
Application Layer Gateways (ALGs)
- The following CLI commands have been removed as part of RPC ALG data structure cleanup:
- clear security alg msrpc portmap
- clear security alg sunrpc portmap
- show security alg msrpc portmap
- show security alg sunrpc portmap
- The show security alg msrpc object-id-map CLI command has a chassis cluster node option to permit the output to be restricted to a particular node or to query the entire cluster. The show security alg msrpc object-id-map node CLI command options are <node-id | all | local | primary>.
Chassis Cluster
- On SRX650 devices in chassis cluster mode, the T1/E1 PIC goes offline and does not come online.
- The automatic pause timer functionality related to IP address monitoring for redundancy groups has been removed. Instead, a configurable hold-down-interval timer for all redundancy groups has been instituted. See the “Configuring a Dampening Time Between Back-to-Back Redundancy Group Failovers” section of the JUNOS Software Security Configuration Guide.
- IP address monitoring on redundancy group 0 is now supported.
- The chassis cluster redundancy-group group-number ip-monitoring threshold CLI command has been removed. Instead, use the chassis cluster redundancy-group group-number ip-monitoring global-threshold command.
- IP address monitoring on virtual routers is now supported.
Command-Line Interface (CLI)
- On AX411 Access Points, the possible completions available for the CLI command set wlan access-point <ap_name> radio <radio_num> radio-options channel number ? have changed from previous implementations.
Now this CLI command displays the following possible completions:
Example 1:
user@host# set wlan access-point ap6 radio 1 radio-options channel number ?
Possible completions:
36 Channel 36
40 Channel 40
44 Channel 44
48 Channel 48
52 Channel 52
56 Channel 56
60 Channel 60
64 Channel 64
100 Channel 100
108 Channel 108
112 Channel 112
116 Channel 116
120 Channel 120
124 Channel 124
128 Channel 128
132 Channel 132
136 Channel 136
140 Channel 140
149 Channel 149
153 Channel 153
157 Channel 157
161 Channel 161
165 Channel 165
auto Automatically selected
Example 2:
user@host# set wlan access-point ap6 radio 2 radio-options channel number ?
1 Channel 1
2 Channel 2
3 Channel 3
4 Channel 4
5 Channel 5
6 Channel 6
7 Channel 7
8 Channel 8
9 Channel 9
10 Channel 10
11 Channel 11
12 Channel 12
13 Channel 13
14 Channel 14
auto Automatically selected
- On SRX Series devices, the show security monitoring fpc 0 command is now available.
The output of this CLI command on SRX Series devices differs from previous implementations on other devices. Note the following sample output:
show security monitoring fpc 0
FPC 0
PIC 0
CPU utilization : 0 %
Memory utilization : 65 %
Current flow session : 0
Max flow session : 131072

Note: When SRX Series devices operate in packet mode, flow sessions are not created and the current flow session count remains zero, as shown in the sample output above. The maximum number of sessions differs from one device to another. On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the output includes two more lines: SPU current cp session and SPU max cp session.
- On SRX210 devices with Integrated Convergence Services, a TDM configuration change might interrupt existing TDM calls if any MPIMs are configured, and voice calls through the MPIM do not work. Run the CLI restart rtmd command after making a configuration change to the MPIM ports.
- On SRX210 devices with Integrated Convergence Services, registrations do not work when PCS is configured and then removed through the CLI. The dial tone disappears when the analog station calls the SIP station. As a workaround, either run the restart rtmd command or restart the device.
- On SRX5600 and SRX5800 devices, the set security end-to-end-debug CLI hierarchy command has been changed to set security datapath-debug.
- On AX411 Access Points, the possible completions available for the CLI command set wlan access-point mav0 radio 1 radio-options mode ? have changed from previous implementations.
Now this CLI command displays the possible completions as shown below:
- Example 1:
user@host# set wlan access-point mav0 radio 1 radio-options mode ?
Possible completions:
5GHz Radio Frequency -5GHz-n
a Radio Frequency -a
an Radio Frequency -an
[edit]
- Example 2:
user@host# set wlan access-point mav0 radio 2 radio-options mode ?
Possible completions:
2.4GHz Radio Frequency --2.4GHz-n
bg Radio Frequency -bg
bgn Radio Frequency -bgn
- On SRX Series devices, the show system storage partitions command now displays the partitioning scheme details.
- Example 1:
show system storage partitions (dual root partitioning)
user@host# show system storage partitions
Boot Media: internal (da0)
Active Partition: da0s2a
Backup Partition: da0s1a
Currently booted from: active (da0s2a)
Partitions Information:
Partition Size Mountpoint
s1a 293M altroot
s2a 293M /
s3e 24M /config
s3f 342M /var
s4a 30M recovery
- Example 2:
show system storage partitions (single root partitioning)
user@host# show system storage partitions
Boot Media: internal (da0)
Partitions Information:
Partition Size Mountpoint
s1a 898M /
s1e 24M /config
s1f 61M /var
- Example 3:
show system storage partitions (usb)
user@host# show system storage partitions
Boot Media: usb (da1)
Active Partition: da1s1a
Backup Partition: da1s2a
Currently booted from: active (da1s1a)
Partitions Information:
Partition Size Mountpoint
s1a 293M /
s2a 293M altroot
s3e 24M /config
s3f 342M /var
s4a 30M recovery
Configuration
- J Series devices no longer allow a configuration in which a tunnel's source or destination address falls under the subnet of the same logical interface’s address.
- On SRX100, SRX210, SRX240, and SRX650 devices, the current JUNOS Software default configuration is inconsistent with that of Secure Services Gateways, which causes problems when users migrate to SRX Series devices. As a workaround, users should ensure that the following steps are taken:
- The ge-0/0/0 interface should be configured as the Untrust port (with the DHCP client enabled).
- The rest of the on-board ports should be bridged together, with a VLAN IFL and DHCP server enabled (where applicable).
- Default policies should allow trust->untrust traffic.
- Default NAT rules should apply interface-nat for all trust->untrust traffic.
- DNS/WINS parameters should be passed from server to client and, if not available, users should preconfigure a DNS server (required for download of security packages).
- The default values for IKE and IPsec security association (SA) lifetimes for standard VPNs have been changed in this release:
- The default value for the lifetime-seconds configuration statement at the [edit security ike proposal proposal-name] hierarchy level has been changed from 3600 seconds to 28,800 seconds.
- The default value for the lifetime-seconds configuration statement at the [edit security ipsec proposal proposal-name] hierarchy level has been changed from 28,800 seconds to 3600 seconds.
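Because the two defaults swap places, a proposal that never states lifetime-seconds explicitly gets a different SA lifetime after the upgrade, which is a common source of rekey mismatches with peers. The following audit script is an added example, not Juniper code; it parses set-style configuration text (the sample lines are constructed) and reports which proposals inherit the default under each release.

```python
# Added example (not Juniper code): audit set-style Junos configuration text for
# IKE/IPsec proposals that rely on the default lifetime-seconds, whose value
# changes in JUNOS 10.1. The sample configuration lines below are constructed.
import re

# Default lifetime-seconds per the release note: (before 10.1, from 10.1 on).
DEFAULTS = {"ike": (3600, 28800), "ipsec": (28800, 3600)}

PROPOSAL_RE = re.compile(
    r"^set security (ike|ipsec) proposal (\S+)(?: lifetime-seconds (\d+))?"
)

# Constructed sample: two proposals inherit the default, two set it explicitly.
SAMPLE_CONFIG = """
set security ike proposal ike-phase1 authentication-method pre-shared-keys
set security ike proposal ike-phase1 dh-group group2
set security ike proposal ike-phase1 encryption-algorithm aes-128-cbc
set security ike proposal ike-explicit lifetime-seconds 86400
set security ipsec proposal ipsec-phase2 protocol esp
set security ipsec proposal ipsec-phase2 encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-explicit lifetime-seconds 7200
"""

def effective_lifetimes(config_text):
    """Map (family, proposal) -> (explicit, before_10_1, from_10_1) in seconds.

    explicit is None when no lifetime-seconds statement exists for the proposal;
    in that case the two default columns differ and the SA lifetime changes
    silently on upgrade."""
    result = {}
    for line in config_text.splitlines():
        m = PROPOSAL_RE.match(line.strip())
        if not m:
            continue
        family, name, explicit = m.group(1), m.group(2), m.group(3)
        key = (family, name)
        if explicit is not None:
            value = int(explicit)
            result[key] = (value, value, value)
        elif key not in result:  # never overwrite an explicit value already seen
            before, after = DEFAULTS[family]
            result[key] = (None, before, after)
    return result

def proposals_relying_on_defaults(config_text):
    """Sorted (family, proposal) keys whose lifetime changes across the upgrade."""
    return sorted(k for k, v in effective_lifetimes(config_text).items()
                  if v[0] is None)
```

Pinning lifetime-seconds explicitly on every proposal before the upgrade is the simplest way to make the output of proposals_relying_on_defaults empty.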
Flow and Processing
- On SRX Series devices, the factory default for the maximum number of backup configurations allowed is five. Therefore, you can have one active configuration and a maximum of five rollback configurations. Increasing this backup configuration number will result in increased memory usage on disk and increased commit time.
To modify the factory defaults, use the following commands:
root@host# set system max-configurations-on-flash number
root@host# set system max-configuration-rollbacks number
where max-configurations-on-flash indicates the backup configurations to be stored in the configuration partition and max-configuration-rollbacks indicates the maximum number of backup configurations.
- On J Series devices, the following configuration changes must be made after a rollback or upgrade from JUNOS Release 10.1 to 9.6 and earlier releases.
- Rename lsq-0/0/0 to ls-0/0/0 in all its occurrences.
- Remove fragmentation-map from the [class-of-service] hierarchy level and from [class-of-service interfaces lsq-0/0/0], if configured.
- Remove multilink-max-classes from [ls-0/0/0 unit 0], if configured.
- Remove link-layer-overhead from [ls-0/0/0 unit 0], if configured.
- If the LFI forwarding class is mapped to no-fragmentation in fragmentation-map and the configuration hierarchy is enabled on lsq-0/0/0 in JUNOS Release 10.1, then:
- Add interleave-fragments under [ls-0/0/0 unit 0].
- Adjust the classifier configured for LFI on lsq-0/0/0 under [class-of-service] to classify packets to Q2.
Interfaces and Routing
- On SRX Series devices, to minimize the size of system logs, the default logging level in the factory configuration has been changed from any any to any critical.
- On SRX3000 and SRX5000 line devices, the set protocols bgp family inet flow and set routing-options flow CLI statements are no longer available, because BGP flow spec functionality is not supported on these devices.
- On SRX100, SRX210, SRX240, and SRX650 devices, the autoinstallation functionality on an interface enables a DHCP client on the interface and remains in the DHCP client mode. In previous releases, after a certain period, the interface changed from being a DHCP client to a DHCP server.
Intrusion Detection and Prevention (IDP)
- On SRX5600 and SRX5800 devices, while running commands in IDP, ensure that you provide the service field values for custom attack definitions in lowercase.
In the following example, the protocol service field value udp is specified in lowercase:
set security idp custom-attack temp severity info attack-type signature context packet direction any pattern .* protocol udp destination-port match equal value 1333
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, for brute force and time-binding-related attacks, the logging is to be done only when the match count is equal to the threshold. That is, only one log is generated within the 60-second period in which the threshold is measured. This process prevents repetitive logs from being generated and ensures consistency with other IDP platforms like IDP-standalone.
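The logging rule above matters for anyone consuming IDP logs downstream: within a window, the sensor reports one event carrying the threshold count, not one event per match and not the total. The model below is an added illustration of that behaviour (not Juniper's implementation); the match events and source addresses in run_sample() are constructed.

```python
# Added example (not Juniper's implementation): a model of the time-binding log
# behaviour described above. Matches are counted per key inside a 60-second
# window and exactly one log entry is emitted, at the moment the count equals
# the threshold. The match events in run_sample() are constructed.
from collections import defaultdict

WINDOW_SECONDS = 60


class TimeBindingLogger:
    def __init__(self, threshold, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._window_start = {}          # key -> start time of current window
        self._count = defaultdict(int)   # key -> matches seen in that window
        self.logs = []                   # emitted log entries, in order

    def observe(self, key, ts):
        """Record one signature match for key at time ts (seconds).

        Returns True only for the match that brings the count up to the
        threshold; earlier matches and matches beyond the threshold in the
        same window are counted but produce no log entry."""
        start = self._window_start.get(key)
        if start is None or ts - start >= self.window:
            # First match for this key, or the previous window has expired.
            self._window_start[key] = ts
            self._count[key] = 0
        self._count[key] += 1
        if self._count[key] == self.threshold:
            self.logs.append({"key": key, "time": ts, "count": self._count[key]})
            return True
        return False


def run_sample():
    """Replay constructed matches: one source sends 12 matches in 33 s (well
    past a threshold of 5), then 5 more after the window has rolled over; a
    second source stays below the threshold. Expect exactly two log entries."""
    logger = TimeBindingLogger(threshold=5)
    events = [("10.0.0.5", t) for t in range(0, 36, 3)]    # 12 matches, t=0..33
    events += [("10.0.0.5", t) for t in range(70, 85, 3)]  # 5 matches, t=70..82
    events += [("10.0.0.9", t) for t in range(0, 9, 3)]    # 3 matches, no log
    for key, ts in sorted(events, key=lambda e: e[1]):
        logger.observe(key, ts)
    return logger.logs
```

A correlation rule that sums the count field across windows therefore undercounts sustained activity; count the log entries per window instead.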
- On SRX Series and J Series devices, the IDP ip-action statement is now supported on TCP, UDP, and ICMP flows. When the ip-action target is service, the ip-action flow is applied if the traffic matches the values specified for source port, destination port, source address, and destination address. However, for ICMP flows, the destination port is 0, so that any ICMP flow matching source port, source address, and destination address is blocked. For more information, see the JUNOS Software CLI Reference.
- On SRX3400 and SRX3600 devices in Layer 2 and Layer 3 integrated mode, 30 percent to 40 percent of the logs created in IDP are not exited from IDP. In Layer 2 and Layer 3 dedicated mode, the logs are exited properly.
J-Web
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, to add the Predefined Attacks and Predefined Attack Groups, users do not need to type the attack names. Instead, users can select attacks from the Predefined Attacks and Predefined Attack Group lists and click the left arrow to add them.
- On SRX100, SRX210, SRX240, and SRX650 devices, the LED status (Alarm, HA, ExpressCard, Power Status, and Power) shown in the front panel for Chassis View does not replicate the exact status of the device.
Management and Administration
- On SRX5600 and SRX5800 devices running a previous release of JUNOS Software, security logs were always timestamped using the UTC time zone. In JUNOS Release 10.1, you can use the set system time-zone CLI command to specify the local time zone that the system should use when timestamping the security logs. If you want to timestamp logs using the UTC time zone, use the set system time-zone utc and set security log utc-timestamp CLI statements.
- Configuring the External CompactFlash card on SRX650 Services Gateways:
The SRX650 Services Gateway includes 2-GB CompactFlash storage devices:
- The Services and Routing Engine (SRE) contains a hot-pluggable CompactFlash (external CompactFlash) storage device used to upload and download files.
- The chassis contains an internal CompactFlash used to store the operating system.
By default, only the internal CompactFlash is enabled, and an option to take a snapshot of the configuration from the internal CompactFlash to the external CompactFlash is not supported. This can be done only by using a USB storage device.
To take a snapshot on the external CompactFlash:
- Take a snapshot from the internal CompactFlash to the USB storage device using the request system snapshot media usb CLI command.
- Reboot the device from the USB storage device by using the request system reboot media usb command.
- Go to the U-boot prompt. For more information, see the "Accessing the U-Boot Prompt" section in the JUNOS Software Administration Guide.
- At the U-boot prompt, set the following variables:
set ext.cf.pref 1
save
reset
- Once the system is booted from the USB storage device, take a snapshot on the external CompactFlash using the request system snapshot media external command.

Note: Once the snapshot has been taken on the external CompactFlash, we recommend that you set ext.cf.pref to 0 at the U-boot prompt.
Security
- J Series devices do not support the authentication order password radius or password ldap in the edit access profile profile-name authentication-order command. Instead, use the order radius password or ldap password.