Errata and Changes in Documentation for JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
This section lists outstanding issues with the documentation.
Application Layer Gateways (ALGs)
- The following section has been removed from the JUNOS Software Security Configuration Guide to reflect RPC ALG data structure cleanup: “Display the Sun RPC Port Mapping Table.”
- The “Verifying the RPC ALG Tables” section of the JUNOS Software Security Configuration Guide has been renamed to “Verifying the Microsoft RPC ALG Tables” to reflect RPC ALG data structure cleanup.
- ALG configuration examples in the JUNOS Software Security Configuration Guide incorrectly show policy-based NAT configurations. NAT configurations are now rule-based.
- The JUNOS Software Security Configuration Guide incorrectly states that ALGs are not supported in transparent mode on SRX3400, SRX3600, SRX5600, and SRX5800 devices. The FTP, TFTP, RTSP, and DNS ALGs are supported in transparent mode on those devices. Other ALGs are not.
Attack Detection and Prevention
The default parameters documented in the firewall/NAT screen configuration options table in the JUNOS Software Security Configuration Guide and the J-Web online Help do not match the default parameters in the CLI. The correct default parameters are:
[edit security screen ids-option untrust-screen]
tcp {
    syn-flood {
        alarm-threshold 1024;
        attack-threshold 200;
        source-threshold 1024;
        destination-threshold 2048;
        timeout 20;
    }
}
CLI Reference
The “Services Configuration Statement Hierarchy” section in the JUNOS® Software CLI Reference refers to the JUNOS Services Interfaces Configuration Guide, which has the following error in the sections “Data Size” and “Configuring the Probe”:
- The minimum data size required by the UDP timestamp probe is identified as 44 bytes. This is incorrect: the minimum data size required by the UDP timestamp probe is 52 bytes.
Command-Line Interface (CLI)
The following sections have been removed from the JUNOS Software CLI Reference to reflect RPC ALG data structure cleanup:
- show security alg sunrpc portmap
- clear security alg sunrpc portmap
CompactFlash Card Support
- The JUNOS Software Administration Guide incorrectly states that JUNOS Software supports a 256-MB CompactFlash card size. JUNOS Software supports only 512-MB and 1024-MB CompactFlash card sizes.
Flow and Processing
The JUNOS Software CLI Reference and JUNOS Software Security Configuration Guide state that the following aggressive aging statements are supported on all SRX Series devices when in fact they are not supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices:
- [edit security flow aging early-ageout]
- [edit security flow aging high-watermark]
- [edit security flow aging low-watermark]
- The “Understanding Selective Stateless Packet-Based Services” section in the JUNOS Software Administration Guide states: “The following security features are not supported with selective stateless packet-based services—stateful firewall NAT, IPsec VPN, DOS screens, J-flow traffic analysis, WXC integrated security module, security policies, zones, attack detection and prevention, PKI, ALGs, and chassis cluster.” This statement is not correct. With selective packet-mode, traffic that is sent through flow is able to use all of those services, even in a single VR scenario.
- Information about secure context and router context has been removed from the JUNOS Software Administration Guide and the JUNOS Software Security Configuration Guide. If you want to use both flow-based and packet-based forwarding simultaneously on a system, use the selective stateless packet-based services feature instead. For more information, see “Configuring Selective Stateless Packet-Based Services” in the JUNOS Software Administration Guide.
- For a J Series Services Router, if the buffer size percentage is set to zero for T1 interfaces, traffic does not pass.
Hardware Documentation
- On SRX100 devices, the Alarm LED is off, indicating that the device is starting up.
Note that when the device is on, if the Alarm LED is off, it indicates that no alarms are present on the device.
The “Configuring Basic Settings for the SRX100 Services Gateway with a Configuration Editor” section in the SRX100 Services Gateway Hardware Guide contains the following inaccuracies:
- The documentation incorrectly implies that the management port and loopback address must be defined for the device.
- The documentation should indicate that the SSH remote access can be enabled.
- The documentation indicates the CLI command set services ssh, which is incorrect. The correct command is set system services ssh.
- The J-Web Initial Set Up screenshot shown in the SRX210 Services Gateway Getting Started Guide and the SRX240 Services Gateway Getting Started Guide contains the following inaccuracies: The J-Web screenshot incorrectly shows the “Enable DHCP on ge-0/0/0.0” check box as disabled in factory default settings. The J-Web screenshot should indicate the “Enable DHCP on ge-0/0/0.0” check box as enabled in factory default settings.
- The show chassis environment cb 0 command mentioned in the SRX5600 Services Gateway Hardware Guide is modified to show chassis environment cb node 0.
- The Power over Ethernet section in the SRX210 Services Gateway Hardware Guide incorrectly states that PoE+ support (IEEE 802.3at standard) is available on all models of SRX210 devices. The guide should state that:
- PoE (IEEE 802.3af) support is enabled only on the SRX210 Services Gateway PoE model.
- PoE+ (IEEE 802.3at) support is enabled only on the SRX210 Services Gateway with Integrated Convergence Services model.
Installing Software Packages
- The current SRX210 documentation does not include the following information:
On SRX210 devices, the /var hierarchy is hosted in a separate partition (instead of the root partition). If JUNOS Software installation fails as a result of insufficient space:
- Use the request system storage cleanup command to delete temporary files.
- Delete any user-created files in both the root partition and under the /var hierarchy.
- The “Installing Software using the TFTPBOOT Method on the SRX100, SRX210, and SRX650 Services Gateway” section in the JUNOS Software Administration Guide contains the following inaccuracies:
- The documentation incorrectly implies that the TFTPBOOT method requires a separate secondary device to retrieve software from the TFTP server.
- The documentation should indicate that the TFTPBOOT method does not work reliably over slow speeds or large latency networks.
- The documentation indicates that before starting the installation, you only need to configure the gateway IP, device IP address, and device IP netmask manually in some cases, when actually you need to configure them manually in all cases.
- The documentation should indicate that on the SRX100, SRX210, and SRX240 devices, only the ge-0/0/0 port supports TFTP in uboot, and on the SRX650 device, all front-end ports support TFTP in uboot.
- Step 2 of the “Installing JUNOS Software Using TFTPBOOT” instructions should mention that the URL path is relative to the TFTP server’s TFTP root directory. The instructions should also mention that you should store the JUNOS Software image file in the TFTP server’s TFTP root directory.
- The documentation should indicate that the TFTPBOOT method installs software on the internal flash on SRX100, SRX210, and SRX240 devices, whereas on SRX650 devices, the TFTP method can install software on the internal or external CompactFlash card.
- The JUNOS Software Administration Guide is missing the following information about installing software using USB on SRX100, SRX210, SRX240, and SRX650 devices:
You can install or recover the JUNOS Software using USB on SRX100, SRX210, SRX240, and SRX650 devices. During the installation process, the installation package from the USB is installed on the specified boot media.
Before you begin the installation, ensure the following prerequisites are met:
- U-boot and Loader are up and running on the device.
- USB is available with the JUNOS Software package to be installed on the device.
To install the software image on the specified boot media:
- Go to the Loader prompt. For more information on accessing the Loader prompt, see “Accessing the Loader Prompt” on page 260 of the JUNOS Software Administration Guide.
- Enter the following command at the Loader prompt:
Loader>install URL
Where URL is file:///package
Example:
Loader>install file:///junos-srxsme-9.4-200811.0-domestic.tgz
When you are done, the file reads the package from the USB and installs the software package. After the software installation is complete, the device boots from the specified boot media.

Note: USB to USB installation is not supported. Also, on SRX100, SRX210, and SRX240 devices, the software image will always be installed on NAND flash, but on SRX650 devices, the software image can be installed either on the internal or external CompactFlash card based on the boot media specified.
Integrated Convergence Services
- The JUNOS Software Integrated Convergence Services Configuration and Administration Guide does not include show commands for JUNOS Release 10.1.
- On SRX210 and SRX240 devices with Integrated Convergence Services, the Transport Layer Security (TLS) option for the SIP protocol transport is not supported in JUNOS Release 10.1. However, it is documented in the Integrated Convergence Services entries of the JUNOS Software CLI Reference Guide.
- The JUNOS Software CLI Reference contains Integrated Convergence Services statement entries for the music-on-hold feature, which is not supported for JUNOS release 10.1.
Interfaces and Routing
- In the JUNOS Interfaces and Routing Configuration Guide, the “Configuring VDSL2 Interface” chapter incorrectly states that J-Web support for configuring the VDSL2 interface is not available in JUNOS Release 10.1. The J-Web support is available for VDSL2 interfaces in JUNOS Software Release 10.1.
- In the JUNOS Interfaces and Routing Configuration Guide, the “Configuring G.SHDSL Interface” chapter incorrectly states that J-Web support for configuring the G.SHDSL Interface is not available in JUNOS Release 10.1. The J-Web support is available for G.SHDSL interfaces in JUNOS Software Release 10.1.
Intrusion Detection and Prevention (IDP)
- The JUNOS Software Security Configuration Guide does not state that custom attacks and custom attack groups in IDP policies can now be configured and installed even when a valid license and signature database are not installed on the device.
- The JUNOS Software CLI Reference is missing information about the following IDP policy template commands:
- Use this command to display the download status of a policy template:
user@host> request security idp security-package download status
Done; Successfully downloaded from (https://devdb.secteam.juniper.net/xmlexport.cgi).
- Use this command to display the installation status of a policy template:
user@host> request security idp security-package install status
Done;policy-templates has been successfully updated into internal repository (=>/var/db/scripts/commit/templates.xsl)!
- The ip-action definition on SRX3400, SRX3600, SRX5600, and SRX5800 in the JUNOS Software Security Configuration Guide on page 504 Table 73 is incorrect. The correct definition should be as follows: Enables you to implicitly block a source address to protect the network from future intrusions while permitting legitimate traffic. You can configure one of the following IP action options in application-level DDoS: ip-block, ip-close, and ip-notify.
- The exclude-context-values option in the JUNOS Software Security Configuration Guide on page 810 Table 101 is missing. The definition for exclude-context-values should be as follows: Configure a list of common context value patterns that should be excluded from application-level DDoS detection. For example, if you have a Web server that receives a high number of HTTP requests on home/landing page, you can exclude it from application-level DDoS detection.
- The JUNOS Software CLI Reference and the JUNOS Security Configuration Guide state that the maximum acceptable range for the timeout (IDP Policy) is 65,535 seconds, whereas the ip-action timeout range has been modified to 0-64800 seconds.
- The JUNOS Software CLI Reference and the JUNOS Security Configuration Guide are missing information about the new CLI option download-timeout, which has been introduced as set security idp security-package automatic download-timeout < value > to configure the download timeout in minutes. The default value for download-timeout is one minute. If the download is completed before the download-timeout, the signature is automatically updated after the download. If the download takes longer than download-timeout, auto signature update is aborted.
Syntax:
user@host# set security idp security-package automatic download-timeout ?
Possible completions: < download-timeout >
Maximum time for download to complete (1 - 60 minutes)
[edit]
user@host# set security idp security-package automatic download-timeout
Range: 1 – 60 seconds
Default: 1 second
- The JUNOS Software CLI Reference incorrectly states the show security idp status and clear security idp status logs, whereas the logs should be as follows:
- Correct show security idp status log
user@host> show security idp status
State of IDP: 2-default, Up since: 2010-02-04 13:37:16 UTC (17:15:02 ago)
Packets/second: 5 Peak: 11 @ 2010-02-05 06:51:58 UTC
KBits/second : 2 Peak: 5 @ 2010-02-05 06:52:06 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
[ICMP: 0] [TCP: 82] [UDP: 0] [Other: 0]
Flow Statistics: ICMP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
TCP: [Current: 2] [Max: 6 @ 2010-02-05 06:52:08 UTC]
UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Session Statistics: [ICMP: 0] [TCP: 1] [UDP: 0] [Other: 0]
Policy Name : sample
Running Detector Version : 10.2.160091104
- Correct clear security idp status log
user@host> clear security idp status
State of IDP: 2-default, Up since: 2010-02-04 13:37:16 UTC (17:13:45 ago)
Packets/second: 0 Peak: 0 @ 2010-02-05 06:49:51 UTC
KBits/second: 0 Peak: 0 @ 2010-02-05 06:49:51 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics: [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Flow Statistics: ICMP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
TCP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Session Statistics: [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Policy Name: sample
Running Detector Version: 10.2.160091104
- The “Verifying the Policy Compilation and Load Status” section of the JUNOS Software Security Configuration Guide has a missing empty/new line before the IDPD Trace file heading, in the second sample output.
- The JUNOS Software Security Configuration Guide incorrectly states that IDP is not supported in transparent mode on SRX3400, SRX3600, SRX5600, and SRX5800 devices. IDP is supported in transparent mode on those devices.
- The IDP rule notification options listed in the JUNOS Software Security Configuration Guide incorrectly include the Send Emails and Run Scripts options, which are not supported in JUNOS Release 10.1.
J-Web
The following information pertains to SRX Series and J Series devices:
- J-Web security package update Help page—The J-Web Security Package Update Help page does not contain information about download status.
- J-Web pages for stateless firewall filters—There is no documentation describing the J-Web pages for stateless firewall filters. To find these pages in J-Web, go to Configure>Security>Firewall Filters, then select IPv4 Firewall Filters or IPv6 Firewall Filters. After configuring filters, select Assign to Interfaces to assign your configured filters to interfaces.
- There is no documentation describing the J-Web pages for media gateways. To find these pages in J-Web, go to Monitor>Media Gateway.
Screens
The following information pertains to SRX Series and J Series devices:
- In the JUNOS Software Design and Implementation Guide, the “Implementing Firewall Deployments for Branch Offices” chapter contains incorrect screen configuration instructions.
Examples throughout this guide describe how to configure screen options using the set security screen screen-name CLI statements. Instead, you should use the set security screen ids-option screen-name CLI statements. All screen configuration options are located at the [set security screen ids-option screen-name] level of the configuration hierarchy.
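An added example (not from the Juniper documentation) that applies the screen correction above together with the syn-flood CLI defaults listed under Attack Detection and Prevention: it rewrites set-format statements that place screen options directly under set security screen screen-name, then reports which syn-flood values override the CLI default and which fall back to it. The function name, finding labels, and sample statements are assumptions made for illustration.

```python
import re

# CLI defaults for tcp syn-flood, as listed in the errata above.
SYN_FLOOD_CLI_DEFAULTS = {
    "alarm-threshold": 1024, "attack-threshold": 200,
    "source-threshold": 1024, "destination-threshold": 2048, "timeout": 20,
}
# Option families configured under "ids-option <screen-name>".
FAMILIES = r"(?:icmp|ip|tcp|udp|limit-session|alarm-without-drop)"
OLD_STYLE = re.compile(
    rf"^set security screen (?!ids-option\s)(\S+) ({FAMILIES}(?:\s.*)?)$")
SYN_FLOOD = re.compile(
    r"^set security screen ids-option (\S+) tcp syn-flood (\S+) (\d+)$")


def audit_screen_config(lines):
    """Return (rewritten_lines, findings) for set-format statements."""
    rewritten, findings = [], []
    for raw in lines:
        line = " ".join(raw.split())  # normalise whitespace
        m = OLD_STYLE.match(line)
        if m:  # screen option placed directly under "screen <name>"
            fixed = f"set security screen ids-option {m.group(1)} {m.group(2)}"
            findings.append(("wrong-hierarchy", line, fixed))
            line = fixed
        rewritten.append(line)
    # Collect explicit syn-flood values per screen from the corrected lines.
    configured = {}
    for line in rewritten:
        m = SYN_FLOOD.match(line)
        if m and m.group(2) in SYN_FLOOD_CLI_DEFAULTS:
            configured.setdefault(m.group(1), {})[m.group(2)] = int(m.group(3))
    # Report explicit overrides and values that fall back to the CLI default.
    for screen, params in sorted(configured.items()):
        for name, default in SYN_FLOOD_CLI_DEFAULTS.items():
            if name not in params:
                findings.append(("cli-default-applies", screen, f"{name} {default}"))
            elif params[name] != default:
                findings.append(("overrides-default", screen,
                                 f"{name} {params[name]} (default {default})"))
    return rewritten, findings


# Constructed sample statements, not taken from a real device.
SAMPLE = [
    "set security screen untrust-screen tcp syn-flood attack-threshold 625",
    "set security screen ids-option untrust-screen tcp syn-flood timeout 20",
    "set security screen ids-option untrust-screen icmp ping-death",
]

if __name__ == "__main__":
    for finding in audit_screen_config(SAMPLE)[1]:
        print(finding)
```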