Changes in Default Behavior and Syntax in JUNOS Release 10.2 for SRX Series Services Gateways and J Series Services Routers
The following current system behavior, configuration statement usage, and operational mode command usage might not yet be documented in the JUNOS Software documentation:
Application Layer Gateways (ALGs)
- The following CLI commands have been removed as part of RPC ALG data structure cleanup:
- clear security alg msrpc portmap
- clear security alg sunrpc portmap
- show security alg msrpc portmap
- show security alg sunrpc portmap
- The show security alg msrpc object-id-map CLI command has a chassis cluster node option to permit the output to be restricted to a particular node or to query the entire cluster. The show security alg msrpc object-id-map node CLI command options are <node-id | all | local | primary>.
AppSecure
- When creating custom application or nested application signatures for JUNOS Software application identification, the order value must be unique among all predefined and custom application signatures. The order value determines the application matching priority of the application signature.

Note: The order value range for predefined signatures is 1 through 32,767. We recommend that you use an order range higher than 32,767 for custom signatures.
The order value is set with the set services application-identification application application-name signature order command. You can also view all signature order values by entering the show services application-identification | display set | match order command. You will need to change the order number of the custom signature if it conflicts with another application signature.
Chassis Cluster
- On SRX650 devices in a chassis cluster, the T1/E1 PIC goes offline and does not come online.
Command-Line Interface (CLI)
- On AX411 Access Points, the possible completions available for the CLI command set wlan access-point <ap_name> radio <radio_num> radio-options channel number ? have changed from previous implementations.
Now this CLI command displays the following possible completions:
- Example 1:
user@host# set wlan access-point ap6 radio 1 radio-options channel number ?
Possible completions:
36 Channel 36
40 Channel 40
44 Channel 44
48 Channel 48
52 Channel 52
56 Channel 56
60 Channel 60
64 Channel 64
100 Channel 100
108 Channel 108
112 Channel 112
116 Channel 116
120 Channel 120
124 Channel 124
128 Channel 128
132 Channel 132
136 Channel 136
140 Channel 140
149 Channel 149
153 Channel 153
157 Channel 157
161 Channel 161
165 Channel 165
auto Automatically selected
- Example 2:
user@host# set wlan access-point ap6 radio 2 radio-options channel number ?
1 Channel 1
2 Channel 2
3 Channel 3
4 Channel 4
5 Channel 5
6 Channel 6
7 Channel 7
8 Channel 8
9 Channel 9
10 Channel 10
11 Channel 11
12 Channel 12
13 Channel 13
14 Channel 14
auto Automatically selected
- On SRX5600 and SRX5800 devices, the set security end-to-end-debug CLI hierarchy command has been changed to set security datapath-debug.
- On AX411 Access Points, the possible completions available for the CLI command set wlan access-point mav0 radio 1 radio-options mode ? have changed from previous implementations.
Now this CLI command displays the following possible completions:
- Example 1:
user@host# set wlan access-point mav0 radio 1 radio-options mode ?
Possible completions:
5GHz Radio Frequency -5GHz-n
a Radio Frequency -a
an Radio Frequency -an
[edit]
- Example 2:
user@host# set wlan access-point mav0 radio 2 radio-options mode ?
Possible completions:
2.4GHz Radio Frequency --2.4GHz-n
bg Radio Frequency -bg
bgn Radio Frequency -bgn
- On SRX Series devices, the show system storage partitions command now displays the partitioning scheme details.
- Example 1:
show system storage partitions (dual root partitioning)
user@host# show system storage partitions
Boot Media: internal (da0)
Active Partition: da0s2a
Backup Partition: da0s1a
Currently booted from: active (da0s2a)
Partitions Information:
Partition Size Mountpoint
s1a 293M altroot
s2a 293M /
s3e 24M /config
s3f 342M /var
s4a 30M recovery
- Example 2:
show system storage partitions (single root partitioning)
user@host# show system storage partitions
Boot Media: internal (da0)
Partitions Information:
Partition Size Mountpoint
s1a 898M /
s1e 24M /config
s1f 61M /var
- Example 3:
show system storage partitions (usb)
user@host# show system storage partitions
Boot Media: usb (da1)
Active Partition: da1s1a
Backup Partition: da1s2a
Currently booted from: active (da1s1a)
Partitions Information:
Partition Size Mountpoint
s1a 293M /
s2a 293M altroot
s3e 24M /config
s3f 342M /var
s4a 30M recovery
Configuration
- J Series devices no longer allow a configuration in which a tunnel's source or destination address falls under the subnet of the same logical interface’s address.
- On SRX100, SRX210, SRX240, and SRX650 devices, the current JUNOS Software default configuration is inconsistent with the one in Secure Services Gateways, thus causing problems when users migrate to SRX Series devices. As a workaround, users should ensure the following steps are taken:
- The ge-0/0/0 interface should be configured as the Untrust port (with the DHCP client enabled).
- The rest of the on-board ports should be bridged together, with a VLAN IFL and DHCP server enabled (where applicable).
- Default policies should allow trust->untrust traffic.
- Default NAT rules should apply interface-nat for all trust->untrust traffic.
- DNS/WINS parameters should be passed from server to client and, if not available, users should preconfigure a DNS server (required for download of security packages).
- The default values for IKE and IPsec security association (SA) lifetimes for standard VPNs have been changed in this release:
- The default value for the lifetime-seconds configuration statement at the [edit security ike proposal proposal-name] hierarchy level has been changed from 3600 seconds to 28,800 seconds.
- The default value for the lifetime-seconds configuration statement at the [edit security ipsec proposal proposal-name] hierarchy level has been changed from 28,800 seconds to 3600 seconds.
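As an added example (not from the release notes or from Juniper), the following Python script performs the two pre-upgrade configuration checks that the AppSecure order rule above and the lifetime change here call for: it reads configuration in display set form, reports order values shared by more than one application signature and custom signatures placed inside the predefined range, and lists the effective IKE and IPsec SA lifetime before and in Release 10.2 for each proposal, so proposals that rely on the changed default stand out. The sample configuration is constructed, and the assumption that predefined signatures carry a junos: name prefix is the script's own.

```python
import re
from collections import defaultdict

# Constructed sample in "display set" form (not output from any real device).
SAMPLE_CONFIG = """\
set services application-identification application junos:HTTP signature order 100
set services application-identification application junos:SSH signature order 200
set services application-identification application my-custom-app signature order 200
set services application-identification application my-other-app signature order 40000
set services application-identification nested-application my-nested-app signature order 40000
set security ike proposal ike-prop-explicit lifetime-seconds 3600
set security ike proposal ike-prop-default authentication-method pre-shared-keys
set security ipsec proposal ipsec-prop-explicit lifetime-seconds 28800
set security ipsec proposal ipsec-prop-default protocol esp
"""

# Upper bound of the predefined signature order range, as stated in the release notes.
PREDEFINED_ORDER_MAX = 32767

# Default lifetime-seconds before and in Release 10.2, as stated in the release notes.
DEFAULT_LIFETIME = {
    "ike": {"before_10_2": 3600, "in_10_2": 28800},
    "ipsec": {"before_10_2": 28800, "in_10_2": 3600},
}

ORDER_RE = re.compile(
    r"^set services application-identification (?:application|nested-application) "
    r"(\S+) signature order (\d+)$"
)
PROPOSAL_RE = re.compile(r"^set security (ike|ipsec) proposal (\S+)(?: (.*))?$")


def is_predefined(name):
    # Assumption: predefined application signatures carry the "junos:" name prefix.
    return name.startswith("junos:")


def find_order_conflicts(config_text):
    """Return (duplicates, low_custom).

    duplicates: order value -> names of all signatures sharing it (orders must be unique).
    low_custom: (name, order) for custom signatures inside the predefined range 1..32767,
    which the release notes recommend against.
    """
    by_order = defaultdict(list)
    low_custom = []
    for line in config_text.splitlines():
        m = ORDER_RE.match(line.strip())
        if not m:
            continue
        name, order = m.group(1), int(m.group(2))
        by_order[order].append(name)
        if not is_predefined(name) and order <= PREDEFINED_ORDER_MAX:
            low_custom.append((name, order))
    duplicates = {o: names for o, names in by_order.items() if len(names) > 1}
    return duplicates, low_custom


def effective_sa_lifetimes(config_text):
    """Map (family, proposal) -> {"explicit", "before_10_2", "in_10_2"}.

    A proposal with an explicit lifetime-seconds keeps that value across the upgrade;
    one relying on the default sees its SA lifetime change when 10.2 is installed.
    """
    proposals = set()
    explicit = {}
    for line in config_text.splitlines():
        m = PROPOSAL_RE.match(line.strip())
        if not m:
            continue
        family, name, rest = m.group(1), m.group(2), m.group(3) or ""
        proposals.add((family, name))
        lm = re.match(r"^lifetime-seconds (\d+)$", rest)
        if lm:
            explicit[(family, name)] = int(lm.group(1))
    result = {}
    for family, name in sorted(proposals):
        key = (family, name)
        if key in explicit:
            result[key] = {"explicit": True, "before_10_2": explicit[key], "in_10_2": explicit[key]}
        else:
            result[key] = {"explicit": False, **DEFAULT_LIFETIME[family]}
    return result


if __name__ == "__main__":
    dups, low = find_order_conflicts(SAMPLE_CONFIG)
    for order, names in sorted(dups.items()):
        print(f"order {order} used by: {', '.join(names)}")
    for name, order in low:
        print(f"custom signature {name} has order {order} inside the predefined range")
    for (family, name), info in effective_sa_lifetimes(SAMPLE_CONFIG).items():
        if not info["explicit"]:
            print(f"{family} proposal {name}: lifetime changes from "
                  f"{info['before_10_2']}s to {info['in_10_2']}s on upgrade")
```

Feed it the saved output of show configuration | display set from the device being upgraded; any proposal reported as not explicit will rekey on a different schedule after the upgrade unless lifetime-seconds is set before the change.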
Flow and Processing
- On SRX Series devices, the factory default for the maximum number of backup configurations allowed is five. Therefore, you can have one active configuration and a maximum of five rollback configurations. Increasing this backup configuration number will result in increased memory usage on disk and increased commit time.
To modify the factory defaults, use the following commands:
root@host# set system max-configurations-on-flash number
root@host# set system max-configuration-rollbacks number
where max-configurations-on-flash indicates backup configurations to be stored in the configuration partition and max-configuration-rollbacks indicates the maximum number of backup configurations.
- On J Series devices, the following configuration changes must be done after rollback or upgrade from JUNOS Release 10.2 to 9.6 and earlier releases.
- Rename lsq-0/0/0 to ls-0/0/0 in all its occurrences.
- Remove fragmentation-map from the [class-of-service] hierarchy level and from [class-of-service interfaces lsq-0/0/0], if configured.
- Remove multilink-max-classes from [ls-0/0/0 unit 0], if configured.
- Remove link-layer-overhead from [ls-0/0/0 unit 0], if configured.
- If the LFI forwarding class is mapped to no-fragmentation in fragmentation-map and the configuration hierarchy is enabled on lsq-0/0/0 in JUNOS Release 10.2, then
- Add interleave-fragments under [ls-0/0/0 unit 0]
- Adjust classifier configured for LFI on lsq-0/0/0 under [class-of-service] to classify packets to Q2
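The steps above, applied to a configuration in display set form, as an added Python example that is not part of the release notes or of JUNOS. The sample configuration lines are constructed for illustration; the script follows the steps literally (statements under unit 0 only, as the list says) and reports the classifier adjustment as a manual follow-up, because the right classifier for a given deployment cannot be inferred from the configuration text.

```python
# Constructed sample of a JUNOS Release 10.2 J Series configuration in "display set" form.
# Hierarchy names follow the release notes; addresses and values are invented.
SAMPLE_10_2_CONFIG = [
    "set interfaces lsq-0/0/0 unit 0 family inet address 10.0.0.1/30",
    "set interfaces lsq-0/0/0 unit 0 multilink-max-classes 4",
    "set interfaces lsq-0/0/0 unit 0 link-layer-overhead 4",
    "set interfaces t1-1/0/0 unit 0 family mlppp bundle lsq-0/0/0.0",
    "set class-of-service fragmentation-maps lfi-map forwarding-class expedited-forwarding no-fragmentation",
    "set class-of-service interfaces lsq-0/0/0 unit 0 fragmentation-map lfi-map",
    "set class-of-service interfaces lsq-0/0/0 unit 0 classifiers dscp lfi-classifier",
]

OLD_IFD, NEW_IFD = "lsq-0/0/0", "ls-0/0/0"
UNIT0_PREFIX = ["set", "interfaces", OLD_IFD, "unit", "0"]
# Statements the release notes say to remove from [ls-0/0/0 unit 0].
DROP_UNDER_UNIT0 = {"multilink-max-classes", "link-layer-overhead"}


def lfi_maps(lines):
    """Names of fragmentation maps that map a forwarding class to no-fragmentation (LFI)."""
    maps = set()
    for line in lines:
        t = line.split()
        if t[:3] == ["set", "class-of-service", "fragmentation-maps"] and "no-fragmentation" in t:
            maps.add(t[3])
    return maps


def lsq_uses_lfi_map(lines):
    """True when an LFI fragmentation map is applied on lsq-0/0/0 under [class-of-service interfaces]."""
    maps = lfi_maps(lines)
    for line in lines:
        t = line.split()
        if t[:4] == ["set", "class-of-service", "interfaces", OLD_IFD] and "fragmentation-map" in t:
            if t[t.index("fragmentation-map") + 1] in maps:
                return True
    return False


def convert_for_downgrade(lines):
    """Apply the listed steps; return (converted_lines, manual_followups)."""
    needs_interleave = lsq_uses_lfi_map(lines)
    out = []
    for line in lines:
        t = line.split()
        # Step 2: drop fragmentation-map definitions and their application on lsq-0/0/0.
        if t[:2] == ["set", "class-of-service"] and ("fragmentation-maps" in t or "fragmentation-map" in t):
            continue
        # Steps 3 and 4: drop the unsupported statements from unit 0 of the link-services interface.
        if t[:5] == UNIT0_PREFIX and len(t) > 5 and t[5] in DROP_UNDER_UNIT0:
            continue
        # Step 1: rename every occurrence, including references such as "bundle lsq-0/0/0.0".
        out.append(line.replace(OLD_IFD, NEW_IFD))
    followups = []
    # Step 5: LFI was configured through a no-fragmentation map, so add interleave-fragments
    # and leave the queue change for the operator.
    if needs_interleave:
        out.append(f"set interfaces {NEW_IFD} unit 0 interleave-fragments")
        followups.append(
            f"adjust the LFI classifier under [class-of-service] for {NEW_IFD} to classify packets to Q2"
        )
    return out, followups


if __name__ == "__main__":
    converted, todo = convert_for_downgrade(SAMPLE_10_2_CONFIG)
    print("\n".join(converted))
    for item in todo:
        print("manual step:", item)
```

Run it on the saved display set output before the rollback and load the printed statements with load set after the downgrade; the manual step printed at the end still has to be carried out by hand.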
- On SRX Series devices, configuring identical IP addresses on a single interface no longer produces a warning message; a syslog message is generated instead.
- On SRX5600 devices, when an authentication policy is being matched by traffic, deleting the authentication configuration from this policy might cause a crash.
Interfaces and Routing
- On the T1/E1 Mini-Physical Interface Module installed on SRX210 and SRX240 devices, the Loopback LED is turned on by the loopback configuration and also when FDL loopback commands are executed from the remote end. The Loopback LED remains off when no FDL loopback commands are executed from the remote end, even if remote-loopback-respond is configured on the host.
- On SRX Series devices, to minimize the size of system logs, the default logging level in the factory configuration has been changed from any any to any critical.
- On SRX3000 and SRX5000 line devices, the set protocols bgp family inet flow and set routing-options flow CLI statements are no longer available, because BGP flow spec functionality is not supported on these devices.
- On SRX100, SRX210, SRX240, and SRX650 devices, the autoinstallation functionality on an interface enables a DHCP client on the interface and remains in the DHCP client mode. In previous releases, after a certain period, the interface changed from being a DHCP client to a DHCP server.
- On SRX3000 and SRX5000 line devices, the maximum number of traffic-shaping simple filter rules and policing rules has been changed. For SRX3000 line devices, the number of simple filter and policing rules is 2000 per I/O card (IOC) for each rule type. For SRX5000 line devices, the number of simple filter and policing rules is 2000 for each rule type per PIM on flex I/O cards (FIOCs). This change does not affect ordinary IOCs on SRX5000 line devices. The previous maximum of 4000 for each rule type is not achievable because of a hardware limitation.
Intrusion Detection and Prevention (IDP)
- On SRX3400 devices, FTP control connections do not go through the expedited-forwarding queue class. All other traffic, such as HTTP, Telnet, and ping, goes through the expedited-forwarding queue class as expected.
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the application identification CLI commands have been moved from the [security idp sensor-configuration application-identification] hierarchy to the [edit services application-identification] hierarchy. For details about this change, see the section AppSecure.
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, for brute force and time-binding-related attacks, a log is generated only when the match count equals the threshold. That is, only one log is generated within the 60-second period in which the threshold is measured. This prevents repetitive logs from being generated and is consistent with other IDP platforms such as IDP standalone.
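An added Python illustration (not code from the release notes or from the IDP implementation) of the logging rule just described: one counter per attack and source, a record only when the count equals the threshold, and nothing further for the rest of the 60-second period. The sample matches are constructed, and the fixed window anchored at the first match is an assumption made for the illustration; the once_per_window=False switch reproduces the repetitive records the change avoids, for comparison.

```python
# Measurement period within which the threshold is evaluated, as stated in the release notes.
WINDOW_SECONDS = 60

# Constructed sample of IDP attack matches as (timestamp_seconds, key); the key identifies
# the attack and the source, and all values are invented.
SAMPLE_MATCHES = (
    [(t, "brute-force-login/10.0.0.5") for t in range(0, 40, 4)]       # 10 matches within 36 s
    + [(t, "brute-force-login/10.0.0.5") for t in range(100, 120, 4)]  # 5 more after the window
    + [(t, "brute-force-login/10.0.0.9") for t in (3, 9, 15)]          # 3 matches, below threshold
)


def threshold_logs(matches, threshold, window=WINDOW_SECONDS, once_per_window=True):
    """Return the log records (timestamp, key, count) that would be emitted.

    One counter per key, started at its first match and restarted once `window` seconds
    have elapsed (assumption: fixed window anchored at the first match). With
    once_per_window=True a record is emitted only when the count equals the threshold
    exactly, so later matches in the same window add nothing and a new window must reach
    the threshold again. With once_per_window=False every match at or beyond the threshold
    produces a record, which is the repetitive behaviour the Release 10.2 change removes.
    """
    state = {}  # key -> (window_start, count)
    logs = []
    for ts, key in sorted(matches):
        start, count = state.get(key, (None, 0))
        if start is None or ts - start >= window:
            start, count = ts, 0
        count += 1
        state[key] = (start, count)
        if count == threshold or (not once_per_window and count > threshold):
            logs.append((ts, key, count))
    return logs


if __name__ == "__main__":
    for record in threshold_logs(SAMPLE_MATCHES, threshold=5):
        print("log:", record)
    noisy = threshold_logs(SAMPLE_MATCHES, threshold=5, once_per_window=False)
    print(f"without suppression: {len(noisy)} records")
```

The same counting logic is what a SIEM correlation rule needs if it aggregates these logs further: one record per key per window is the expected rate, so a burst of records for one key now indicates repeated windows, not repeated matches.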
J-Web
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, to add the Predefined Attacks and Predefined Attack Groups, users do not need to type the attack names. Instead, users can select attacks from the Predefined Attacks and Predefined Attack Group lists and click the left arrow to add them.
- On SRX100, SRX210, SRX240, and SRX650 devices, the LED status (Alarm, HA, ExpressCard, Power Status, and Power) shown in the front panel for Chassis View does not replicate the exact status of the device.
Management and Administration
- On SRX5600 and SRX5800 devices running a previous release of JUNOS Software, security logs were always timestamped using the UTC time zone. In JUNOS Release 10.2, you can use the set system time-zone CLI command to specify the local time zone that the system should use when timestamping the security logs. If you want to timestamp logs using the UTC time zone, use the set system time-zone utc and set security log utc-timestamp CLI statements.
WLAN
- While configuring the AX411 Access Point on your SRX devices, you must enter the WLAN admin password using the set wlan admin-authentication password command. This command prompts for the password, and the password entered is stored in encrypted form.

- If the wlan configuration option is not enabled, the AX411 Access Points are managed with the default password.
- Changing the wlan admin-authentication password while the wlan subsystem option is disabled might result in mismanagement of Access Points. You might have to power cycle the Access Points manually to avoid this issue.
- On SRX Series devices that do not use the AX411 Access Point, the wlan configuration option can optionally be deleted.
- Accessing the AX411 Access Point through SSH is disabled by default. You can enable the SSH access using the set wlan access-point <name> external system services enable-ssh command.