Errata and Changes in Documentation for JUNOS Release 10.2 for SRX Series Services Gateways and J Series Services Routers
This section lists outstanding issues with the documentation.
Application Layer Gateways (ALGs)
- The following section has been removed from the JUNOS Software Security Configuration Guide to reflect RPC ALG data structure cleanup: “Display the Sun RPC Port Mapping Table.”
- The “Verifying the RPC ALG Tables” section of the JUNOS Software Security Configuration Guide has been renamed to “Verifying the Microsoft RPC ALG Tables” to reflect RPC ALG data structure cleanup.
- ALG configuration examples in the JUNOS Software Security Configuration Guide incorrectly show policy-based NAT configurations. NAT configurations are now rule-based.
Command-Line Interface (CLI)
The following sections have been removed from the Junos OS CLI Reference to reflect RPC ALG data structure cleanup:
- show security alg sunrpc portmap
- clear security alg sunrpc portmap
The “Services Configuration Statement Hierarchy” section in the Junos OS CLI Reference refers to the JUNOS Services Interfaces Configuration Guide, which has the following error in the sections “Data Size” and “Configuring the Probe”:
- The minimum data size required by the UDP timestamp probe is identified as 44 bytes.
Documentation for J Series and SRX Series Branch Devices
The documentation contains information for new functionality for J Series devices and SRX Series branch devices (SRX100, SRX210, SRX240, and SRX650), but the J Series and SRX Series branch devices are not supported in this release.
Flow
The Junos OS CLI Reference and Junos OS Security Configuration Guide state that the following aggressive aging statements are supported on all SRX Series devices when in fact they are not supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices:
- [edit security flow aging early-ageout]
- [edit security flow aging high-watermark]
- [edit security flow aging low-watermark]
- Information about secure context and router context has been removed from the Junos OS Administration Guide for Security Devices and the JUNOS Software Security Configuration Guide. If you want to use both flow-based and packet-based forwarding simultaneously on a system, use the selective stateless packet-based services feature instead. For more information, see “Configuring Selective Stateless Packet-Based Services” in the Junos OS Administration Guide for Security Devices.
Hardware Documentation
- The “DOCSIS Mini-Physical Interface Module” chapter in the SRX Series Services Gateways for the Branch Physical Interface Modules Hardware Guide erroneously states that EuroDOCSIS 3.0 and DOCSIS J (Japan) models of the DOCSIS Mini-PIM are supported.
The guide should state that only the DOCSIS 3.0 US model of the DOCSIS Mini-PIM is supported.
- The SRX Series Services Gateways for the Branch Physical Interface Modules Hardware Guide erroneously lists the maximum MTU (Bytes) for the Serial Mini-PIM as 1504. The correct value for this section is 2000.
- The “Understanding Built-In Ethernet Ports” section in the SRX100, SRX210, and SRX240 Hardware Guides erroneously states the following:
- The services gateway acts as a DHCP client out of the built-in Ethernet ports. If the services gateway does not find a DHCP server within a few seconds, the device acts as a DHCP server and assigns an IP address as 192.168.1.1/24. With the device temporarily acting as a DHCP server, you can manually configure it with the J-Web interface.
- The correct information for this section is:
- For the SRX100 Services Gateway Hardware Guide: The services gateway acts as a DHCP client on port fe-0/0/0 and ports fe-0/0/1 to fe-0/0/7 act as DHCP server.
- For the SRX210 Services Gateway Hardware Guide: The services gateway acts as a DHCP client on port ge-0/0/0 and ports ge-0/0/1 and fe-0/0/2 to fe-0/0/7 act as DHCP server.
- For the SRX240 Services Gateway Hardware Guide: The services gateway acts as a DHCP client on port ge-0/0/0 and ports ge-0/0/1 to ge-0/0/15 act as DHCP server.
The “Upgrading the SRX100 Services Gateway Low Memory Version to a High Memory” section in the SRX100 Services Gateway Hardware Guide should also state the following information:
- The SRX100 Services Gateway High Memory model is shipped with the license key.
- The SRX240 Services Gateway (High Memory with DC Power Supply Model) Compliance Statements for Network Equipment Building System (NEBS) topic in the SRX240 Services Gateway Hardware Guide incorrectly states that the battery return connection is to be treated as a Common DC return (DC-C), as defined in GR-1089-CORE.
The guide should state that the battery return connection is to be treated as an Isolated DC return (DC-I), as defined in GR-1089-CORE.
The following SRX Series Quick Start Guides erroneously provide an IP address of 192.168.1/24 in the Part 4: Ensure That the Management Device Acquires an IP Address section:
- SRX100 Services Gateway Quick Start Guide
- SRX210 Services Gateway Quick Start Guide
- SRX240 Services Gateway Quick Start Guide
- Chapter 2, “SRX650 Services Gateway Hardware Components and Specifications,” in the SRX650 Services Gateway Hardware Guide has the following errors:
- The CompactFlash card supported by the services gateway is identified as STEC 1 GB. This is incorrect: both STEC 1 GB and STEC 2 GB cards are supported.
- The USB device supported by the services gateway is identified as Sandisk Micro Cruzer 1 GB. This is incorrect: both Sandisk Micro Cruzer 1 GB and Micro Cruzer 2 GB devices are supported.
- The show chassis environment cb 0 command mentioned in the SRX5600 Services Gateway Hardware Guide is modified to show chassis environment cb node 0.
Installing Software Packages
- The current SRX210 documentation does not include the following information:
On SRX210 devices, the /var hierarchy is hosted in a separate partition (instead of the root partition). If JUNOS Software installation fails as a result of insufficient space:
- Use the request system storage cleanup command to delete temporary files.
- Delete any user-created files in both the root partition and under the /var hierarchy.
Integrated Convergence Services
- The Junos OS Integrated Convergence Services Configuration and Administration Guide does not include show commands for JUNOS Release 10.2.
- On SRX210 and SRX240 devices with Integrated Convergence Services, the Transport Layer Security (TLS) option for the SIP protocol transport is not supported in JUNOS Release 10.2. However, it is documented in the Integrated Convergence Services entries of the Junos OS CLI Reference.
- The Junos OS CLI Reference contains Integrated Convergence Services statement entries for the music-on-hold feature, which is not supported for JUNOS Release 10.2.
Interfaces and Routing
- In the Junos OS Interfaces Configuration Guide for Security Devices, the “Configuring VDSL2 Interface” chapter incorrectly states that J-Web support for configuring the VDSL2 Interface is not available in JUNOS Release 10.2. The J-Web support is available for VDSL2 interfaces in JUNOS Release 10.2.
- In the Junos OS Interfaces Configuration Guide for Security Devices, the “Configuring G.SHDSL Interface” chapter incorrectly states that J-Web support for configuring the G.SHDSL Interface is not available in JUNOS Release 10.2. The J-Web support is available for G.SHDSL interfaces in JUNOS Release 10.2.
Intrusion Detection and Prevention (IDP)
- The JUNOS Software Security Configuration Guide does not state that custom attacks and custom attack groups in IDP policies can now be configured and installed even when a valid license and signature database are not installed on the device.
- The Junos OS CLI Reference and the JUNOS Software Security Configuration Guide state that the maximum acceptable range for the timeout (IDP Policy) is 0 to 65,535 seconds, whereas the ip-action timeout range has been modified to 0 to 64,800 seconds.
- The Junos OS CLI Reference and the JUNOS Software Security Configuration Guide are missing information about the new CLI option download-timeout. The statement set security idp security-package automatic download-timeout < value > has been introduced to configure the download timeout in minutes. The default value for download-timeout is one minute. If the download is completed before the download-timeout, the signature is automatically updated after the download. If the download takes longer than download-timeout, the auto signature update is aborted.
user@host# set security idp security-package automatic download-timeout ?
Possible completions:
< download-timeout > Maximum time for download to complete (1 - 60 minutes)
[edit]
user@host# set security idp security-package automatic download-timeout
Range: 1 – 60 seconds
Default: 1 second
- The Junos OS CLI Reference incorrectly states the show security idp status and clear security idp status logs. The logs should be as follows:
- Correct show security idp status log
user@host> show security idp status
State of IDP: 2-default, Up since: 2010-02-04 13:37:16 UTC (17:15:02 ago)
Packets/second: 5 Peak: 11 @ 2010-02-05 06:51:58 UTC
KBits/second : 2 Peak: 5 @ 2010-02-05 06:52:06 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
[ICMP: 0] [TCP: 82] [UDP: 0] [Other: 0]
Flow Statistics: ICMP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
TCP: [Current: 2] [Max: 6 @ 2010-02-05 06:52:08 UTC]
UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Session Statistics: [ICMP: 0] [TCP: 1] [UDP: 0] [Other: 0]
Policy Name : sample
Running Detector Version : 10.2.160091104
- Correct clear security idp status log
user@host> clear security idp status
State of IDP: 2-default, Up since: 2010-02-04 13:37:16 UTC (17:13:45 ago)
Packets/second: 0 Peak: 0 @ 2010-02-05 06:49:51 UTC
KBits/second: 0 Peak: 0 @ 2010-02-05 06:49:51 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics: [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Flow Statistics: ICMP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
TCP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Session Statistics: [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Policy Name: sample
Running Detector Version: 10.2.160091104
- The “Verifying the Policy Compilation and Load Status” section of the JUNOS Software Security Configuration Guide is missing an empty line before the IDPD Trace file heading in the second sample output.
JUNOS Software Interfaces and Routing Guide
The JUNOS Software Interfaces and Routing Guide has been divided into five smaller guides in order to make it easier to find information:
- Junos OS Class of Service Configuration Guide for Security Devices
- Junos OS Interfaces Configuration Guide for Security Devices
- Junos OS Layer 2 Bridging and Switching Configuration Guide for Security Devices
- Junos OS MPLS Configuration Guide for Security Devices
- Junos OS Routing Protocols and Policies Configuration Guide for Security Devices
For the convenience of users who are familiar with the previous guide’s format, the original JUNOS Software Interface and Routing Guide, which contains all of the same information as the five new guides listed above, is also still available.
J-Web
The following information pertains to SRX Series and J Series devices:
- J-Web security package update Help page—The J-Web Security Package Update Help page does not contain information about download status.
- J-Web pages for stateless firewall filters—There is no documentation describing the J-Web pages for stateless firewall filters. To find these pages in J-Web, go to Configure>Security>Firewall Filters, then select IPv4 Firewall Filters or IPv6 Firewall Filters. After configuring filters, select Assign to Interfaces to assign your configured filters to interfaces.
- There is no documentation describing the J-Web pages for media gateways. To find these pages in J-Web, go to Monitor>Media Gateway.
The following information pertains to SRX Series devices:
- Single Commit on J-Web—There is no documentation describing the single-commit option in the J-Web procedures located in the following documents.
- Junos OS Administration Guide for Security Devices
- Junos OS Class of Service Configuration Guide for Security Devices
- Junos OS Integrated Convergence Services Configuration and Administration Guide
- JUNOS Software Interface and Routing Guide
- Junos OS Interfaces Configuration Guide for Security Devices
- Junos OS Layer 2 Bridging and Switching Configuration Guide for Security Devices
- Junos OS Security Configuration Guide
For all J-Web procedures, follow these instructions to commit a configuration:
- If Commit Preference is Validate and commit configuration changes, click OK.
- If Commit Preference is Validate configuration changes, click OK to check your configuration and save it as a candidate configuration, then click Commit Options>Commit.
Screens
The following information pertains to SRX Series and J Series devices:
- In the JUNOS Software Design and Implementation Guide, the “Implementing Firewall Deployments for Branch Offices” chapter contains incorrect screen configuration instructions.
Examples throughout this guide describe how to configure screen options using the set security screen screen-name CLI statements. Instead, you should use the set security screen ids-option screen-name CLI statements. All screen configuration options are located at the [set security screen ids-option screen-name] level of the configuration hierarchy.
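The corrections in the Flow, IDP, and Screens sections above can be checked mechanically against a set-format configuration. The following audit script is an added example, not part of the Juniper documentation; the function name audit, the sample configuration, and the policy, rule, and screen names in it are hypothetical, and the script assumes that any word other than ids-option following set security screen is an old-style screen name.

```python
import re

# Platforms the page lists as not supporting the aggressive aging statements.
NO_AGING = {"SRX3400", "SRX3600", "SRX5600", "SRX5800"}
AGING = {"early-ageout", "high-watermark", "low-watermark"}

def audit(config_text, model):
    """Return (line_number, message) pairs for set-format configuration lines."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        tok = line.split()
        if tok[:2] != ["set", "security"]:
            continue
        rest = tok[2:]
        # Screen options belong under 'screen ids-option <screen-name>'.
        # Assumption: any other word after 'screen' is an old-style screen name.
        if rest[:1] == ["screen"] and rest[1:2] != ["ids-option"]:
            findings.append((no, "screen options must be under ids-option"))
        # Aggressive aging statements are unsupported on the listed platforms.
        if (rest[:2] == ["flow", "aging"] and model in NO_AGING
                and rest[2:3] and rest[2] in AGING):
            findings.append((no, f"flow aging {rest[2]} not supported on {model}"))
        if rest[:1] == ["idp"]:
            # ip-action timeout range is now 0 to 64,800 seconds.
            m = re.search(r"\bip-action timeout (\d+)", line)
            if m and int(m.group(1)) > 64800:
                findings.append((no, "ip-action timeout above 64800"))
            # download-timeout accepts 1 to 60, per the CLI help on the page.
            m = re.search(r"\bautomatic download-timeout (\d+)", line)
            if m and not 1 <= int(m.group(1)) <= 60:
                findings.append((no, "download-timeout outside 1-60"))
    return findings

# Constructed sample configuration (not taken from the page).
SAMPLE = """\
set security screen untrust-screen icmp ping-death
set security screen ids-option untrust-screen icmp ping-death
set security flow aging early-ageout 20
set security idp idp-policy sample rulebase-ips rule r1 then ip-action timeout 65535
set security idp security-package automatic download-timeout 90
"""

if __name__ == "__main__":
    for no, msg in audit(SAMPLE, "SRX5800"):
        print(f"line {no}: {msg}")
```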