Changes in Default Behavior and Syntax in Junos OS Release 10.3 for SRX Series Services Gateways and J Series Services Routers
The following current system behavior, configuration statement usage, and operational mode command usage might not yet be documented in the Junos OS documentation:
Application Layer Gateways (ALGs)
- The show security alg msrpc object-id-map CLI command has a chassis cluster node option to permit the output to be restricted to a particular node or to query the entire cluster. The show security alg msrpc object-id-map node CLI command options are <node-id | all | local | primary>.
AppSecure
- When you create custom application or nested application signatures for Junos OS application identification, the order value must be unique among all predefined and custom application signatures. The order value determines the application matching priority of the application signature.

Note: The order value range for predefined signatures is 1 through 32,767. We recommend that you use an order range higher than 32,767 for custom signatures.
The order value is set with the set services application-identification application application-name signature order command. You can also view all signature order values by entering the show services application-identification | display set | match order command. You will need to change the order number of the custom signature if it conflicts with another application signature.
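A script for the conflict check described above, added here as an example and not part of the release notes or any Juniper tooling. It parses the text captured from the show services application-identification | display set | match order command, reports order values shared by more than one signature, and flags custom signatures whose order falls inside the 1 through 32,767 range reserved for predefined signatures; the assumption that predefined signatures carry the junos: name prefix, and the SAMPLE lines, are constructed.

```python
"""Check application-identification signature order values for conflicts.

Added example for these notes; it is not Juniper code. Input is the text
captured from 'show services application-identification | display set | match order';
the SAMPLE lines below are constructed, not real device output.
"""
import re
from collections import defaultdict

PREDEFINED_ORDER_MAX = 32767  # predefined signatures use orders 1..32767

# Matches the set-form lines the notes describe, e.g.
#   set services application-identification application my-app signature order 40000
# (an optional signature name between 'signature' and 'order' is tolerated).
ORDER_RE = re.compile(
    r"^set services application-identification "
    r"(?P<kind>application|nested-application) (?P<name>\S+) "
    r"signature(?: \S+)? order (?P<order>\d+)$"
)


def parse_orders(text):
    """Return {order: [signature name, ...]} parsed from the command output."""
    orders = defaultdict(list)
    for line in text.splitlines():
        m = ORDER_RE.match(line.strip())
        if m:
            orders[int(m.group("order"))].append(m.group("name"))
    return dict(orders)


def is_custom(name):
    # Assumption: predefined Junos signatures carry the 'junos:' prefix.
    return not name.startswith("junos:")


def find_problems(text):
    """Return (conflicts, low_custom).

    conflicts: [(order, [names])] where several signatures share one order,
               which the notes say is not allowed.
    low_custom: [(name, order)] for custom signatures inside the predefined
                range 1..32767, against the recommendation to stay above it.
    """
    orders = parse_orders(text)
    conflicts = sorted((o, sorted(n)) for o, n in orders.items() if len(n) > 1)
    low_custom = sorted(
        (name, o) for o, names in orders.items() for name in names
        if is_custom(name) and o <= PREDEFINED_ORDER_MAX
    )
    return conflicts, low_custom


# Constructed sample: one order clash (100) and one custom signature too low.
SAMPLE = """\
set services application-identification application junos:HTTP signature order 100
set services application-identification application junos:SSH signature order 120
set services application-identification application my-web-app signature order 100
set services application-identification nested-application my-nested signature order 40000
set services application-identification application my-other-app signature order 40001
"""

if __name__ == "__main__":
    conflicts, low_custom = find_problems(SAMPLE)
    for order, names in conflicts:
        print(f"order {order} is shared by: {', '.join(names)}")
    for name, order in low_custom:
        print(f"custom signature {name} uses order {order}; choose a value above {PREDEFINED_ORDER_MAX}")
```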
Chassis Cluster
- On SRX650 devices in a chassis cluster, the T1/E1 PIC goes offline and does not come online.
- Removing Control VLAN 4094 in Chassis Cluster— For SRX Series branch devices (SRX100, SRX210, SRX240, and SRX650), the existing virtual LAN (VLAN) tag used for control-link traffic will be replaced with the use of experimental Ether type 0x88b5. However, backward compatibility is also supported for devices that have already deployed chassis cluster with VLAN tagging in place.
- To toggle between VLAN and Ether type modes, use the following command:
set chassis cluster control-link-vlan enable/disable

Note: You must perform a reboot to initialize this configuration change.
- To show whether control port tagging is enabled or disabled, use the following command:
show chassis cluster information
- To view the chassis cluster information, use the following command:
show chassis cluster information
The following is a sample output of the command:
user@host> show chassis cluster information
node0
-----------------------------------------------------
Control link statistics:
    Control link 0:
Fabric link statistics:
    Probes sent: 1248
    Sequence number of last probe received: 0
Chassis cluster LED information:
    Current LED color: Green
Control port tagging: Disabled
Cold Synchronization:
- In a chassis cluster configuration on an SRX100, SRX210, SRX240, or SRX650 device, the default values of the heartbeat-threshold and heartbeat-interval options in the [edit chassis cluster] hierarchy are 8 beats and 2000 ms respectively. These values cannot be changed on these devices.
Command-Line Interface (CLI)
- On AX411 Access Points, the possible completions available for the CLI command set wlan access-point <ap_name> radio <radio_num> radio-options channel number ? have changed from previous implementations.
Now this CLI command displays the following possible completions:
Example 1:
user@host# set wlan access-point ap6 radio 1 radio-options channel number ?
Possible completions:
36 Channel 36
40 Channel 40
44 Channel 44
48 Channel 48
52 Channel 52
56 Channel 56
60 Channel 60
64 Channel 64
100 Channel 100
108 Channel 108
112 Channel 112
116 Channel 116
120 Channel 120
124 Channel 124
128 Channel 128
132 Channel 132
136 Channel 136
140 Channel 140
149 Channel 149
153 Channel 153
157 Channel 157
161 Channel 161
165 Channel 165
auto Automatically selected
Example 2:
user@host# set wlan access-point ap6 radio 2 radio-options channel number ?
1 Channel 1
2 Channel 2
3 Channel 3
4 Channel 4
5 Channel 5
6 Channel 6
7 Channel 7
8 Channel 8
9 Channel 9
10 Channel 10
11 Channel 11
12 Channel 12
13 Channel 13
14 Channel 14
auto Automatically selected
- On SRX210 devices with Integrated Convergence Services, a TDM configuration change might interrupt existing TDM calls, and the voice calls do not work. Run the CLI restart rtmd command after making a configuration change.
- On SRX210 devices with Integrated Convergence Services, registrations do not work when PCS is configured and removed through the CLI. The dial tone disappears when the analog station calls the SIP station. As a workaround, either run the restart rtmd command or restart the device.
- On SRX5600 and SRX5800 devices, the set security end-to-end-debug CLI hierarchy command has been changed to set security datapath-debug.
- On AX411 Access Points, the possible completions available for the CLI command set wlan access-point mav0 radio 1 radio-options mode ? have changed from previous implementations.
Now this CLI command displays the following possible completions:
- Example 1:
user@host# set wlan access-point mav0 radio 1 radio-options mode ?
Possible completions:
5GHz Radio Frequency -5GHz-n
a Radio Frequency -a
an Radio Frequency -an
[edit]
- Example 2:
user@host# set wlan access-point mav0 radio 2 radio-options mode ?
Possible completions:
2.4GHz Radio Frequency --2.4GHz-n
bg Radio Frequency -bg
bgn Radio Frequency -bgn
- On SRX Series devices, the show system storage partitions command now displays the partitioning scheme details.
- Example 1:
show system storage partitions (dual root partitioning)
user@host# show system storage partitions
Boot Media: internal (da0)
Active Partition: da0s2a
Backup Partition: da0s1a
Currently booted from: active (da0s2a)
Partitions Information:
Partition Size Mountpoint
s1a 293M altroot
s2a 293M /
s3e 24M /config
s3f 342M /var
s4a 30M recovery
- Example 2:
show system storage partitions (single root partitioning)
user@host# show system storage partitions
Boot Media: internal (da0)
Partitions Information:
Partition Size Mountpoint
s1a 898M /
s1e 24M /config
s1f 61M /var
- Example 3:
show system storage partitions (usb)
user@host# show system storage partitions
Boot Media: usb (da1)
Active Partition: da1s1a
Backup Partition: da1s2a
Currently booted from: active (da1s1a)
Partitions Information:
Partition Size Mountpoint
s1a 293M /
s2a 293M altroot
s3e 24M /config
s3f 342M /var
s4a 30M recovery
Configuration
- J Series devices no longer allow a configuration in which a tunnel's source or destination address falls under the subnet of the same logical interface’s address.
- On SRX100, SRX210, SRX240, and SRX650 devices, the current Junos OS default configuration is inconsistent with the one on Secure Services Gateways, which causes problems when users migrate to SRX Series devices. As a workaround, users should ensure that the following steps are taken:
- The ge-0/0/0 interface should be configured as the Untrust port (with the DHCP client enabled).
- The rest of the on-board ports should be bridged together, with a VLAN IFL and DHCP server enabled (where applicable).
- Default policies should allow trust->untrust traffic.
- Default NAT rules should apply interface-nat for all trust->untrust traffic.
- DNS/Wins parameters should be passed from server to client and, if not available, users should preconfigure a DNS server (required for download of security packages).
Flow and Processing
- On SRX Series devices, the factory default for the maximum number of backup configurations allowed is five. Therefore, you can have one active configuration and a maximum of five rollback configurations. Increasing this backup configuration number will result in increased memory usage on disk and increased commit time.
To modify the factory defaults, use the following commands:
root@host# set system max-configurations-on-flash number
root@host# set system max-configuration-rollbacks number
where max-configurations-on-flash indicates backup configurations to be stored in the configuration partition and max-configuration-rollbacks indicates the maximum number of backup configurations.
- On J Series devices, the following configuration changes must be done after rollback or upgrade from Junos OS Release 10.3 to 9.6 and earlier releases.
- Rename lsq-0/0/0 to ls-0/0/0 in all its occurrences.
- Remove fragmentation-map from the [class-of-service] hierarchy level and from [class-of-service interfaces lsq-0/0/0], if configured.
- Remove multilink-max-classes from [ls-0/0/0 unit 0], if configured.
- Remove link-layer-overhead from [ls-0/0/0 unit 0], if configured.
- If the LFI forwarding class is mapped to no-fragmentation in fragmentation-map and the configuration hierarchy is enabled on lsq-0/0/0 in Junos OS Release 10.3, then
- Add interleave-fragments under [ls-0/0/0 unit 0]
- Adjust classifier configured for LFI on lsq-0/0/0 under [class-of-service] to classify packets to Q2
- On SRX Series devices, configuring identical IP addresses on a single interface no longer produces a warning message; instead, a syslog message is generated.
- On SRX5600 devices, when an authentication policy is being matched by traffic, deleting the authentication configuration from this policy might cause a crash.
Interfaces and Routing
- On SRX Series devices, to minimize the size of system logs, the default logging level in the factory configuration has been changed from any any to any critical.
- On SRX3000 and SRX5000 line devices, the set protocols bgp family inet flow and set routing-options flow CLI statements are no longer available, because BGP flow spec functionality is not supported on these devices.
- On SRX100, SRX210, SRX240, and SRX650 devices, the autoinstallation functionality on an interface enables a DHCP client on the interface and remains in the DHCP client mode. In previous releases, after a certain period, the interface changed from being a DHCP client to a DHCP server.
- On SRX3000 and SRX5000 line devices, the maximum number of traffic-shaping simple filter rules and policing rules has been changed. For SRX3000 line devices, the number of simple filter and policing rules is 2000 per I/O card (IOC) for each rule type. For SRX5000 line devices, the number of simple filter and policing rules is 2000 for each rule type per PIM on flex I/O cards (FIOCs). This change does not affect ordinary IOCs on SRX5000 line devices. The previous maximum of 4000 for each rule type is not achievable because of a hardware limitation.
- On the T1/E1 Mini-Physical Interface Module installed on SRX210 and SRX240 devices, the Loopback LED is turned ON based on the loopback configuration as well as when FDL loopback commands are executed from the remote end. The Loopback LED remains OFF when no FDL loopback commands are executed from the remote end, even though remote-loopback-respond is configured on the host.
- On J4350 devices, the ping operation is not successful even if the ISDN call is connected and the dialer watch is configured. This issue occurs only when the media MTU value on Cisco devices is larger than the MTU value configured on J Series devices. As a workaround, configure the MTU value on J Series devices to be equal to or larger than the value set on the Cisco devices.
Intrusion Detection and Prevention (IDP)
- On SRX3400 devices, FTP traffic does not go through the expedited-forwarding queue class for FTP control connections. All other traffic, such as HTTP, Telnet, and ping, goes through the expedited-forwarding queue class as expected.
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the application identification CLI commands have been moved from the [security idp sensor-configuration application-identification] hierarchy to the [edit services application-identification] hierarchy.
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, for brute force and time-binding-related attacks, logging is done only when the match count is equal to the threshold. That is, only one log is generated within the 60-second period in which the threshold is measured. This process prevents repetitive logs from being generated and ensures consistency with other IDP platforms such as IDP standalone.
When no attack is seen within the 60-second period and the BFQ entry is flushed out, the match count starts afresh; a new attack match then shows up in the attack table and the log is generated as explained above.
J-Web
- URL separation for J-Web and dynamic VPN— This feature prevents the dynamic VPN users from accessing J-Web accidentally or intentionally. Unique URLs for J-Web and dynamic VPN add support to the webserver for parsing all the HTTP requests it receives. The webserver also provides access permission based on the interfaces enabled for J-Web and dynamic VPN.
- CLI changes: A new configuration attribute management-url is introduced at the [edit system services web-management] hierarchy level to control J-Web access when both J-Web and dynamic VPN are enabled on the same interface.
The following example describes the configuration of the new attribute:
web-management {
    traceoptions {
        level all;
        flag dynamic-vpn;
        flag all;
    }
    management-url my-jweb;
    http;
    https {
        system-generated-certificate;
    }
    limits {
        debug-level 9;
    }
    session {
        session-limit 7;
    }
}
- Disabling J-Web: Dynamic VPN must have the configured HTTPS certificate and the webserver to communicate with the client. Therefore, the configuration at the [edit system services web-management] hierarchy level required to start the appweb webserver cannot be deleted or deactivated. To disable J-Web, the administrator must configure a loopback interface of lo0 for HTTP or HTTPS. This ensures that the webserver rejects all J-Web access requests.
web-management {
    traceoptions {
        level all;
        flag dynamic-vpn;
        flag all;
    }
    management-url my-jweb;
    http {
        interface lo0.0;
    }
    https {
        system-generated-certificate;
    }
    limits {
        debug-level 9;
    }
    session {
        session-limit 7;
    }
}
- Changes in the Web access behavior: The following tables illustrate the changes in the Web access behavior when J-Web and dynamic VPN do not share and do share the same interface:
Case 1: J-Web and dynamic VPN do not share the same interface.
Scenario | Request with no URL path | Request with the J-Web URL (management-url) | Request with the dynamic VPN URL
J-Web is enabled, and dynamic VPN is configured. | Navigates to the J-Web login page on the J-Web enabled interface or to the dynamic VPN login page on the dynamic VPN enabled interface, depending on the server host chosen | Navigates to the J-Web login page if the J-Web attribute is configured; otherwise, navigates to the Page Not Found page | Navigates to the dynamic VPN login page
J-Web is not enabled, and dynamic VPN is not configured. | Navigates to the Page Not Found page | Navigates to the Page Not Found page | Navigates to the Page Not Found page
J-Web is enabled, and dynamic VPN is not configured. | Navigates to the J-Web login page | Navigates to the J-Web login page if the J-Web attribute is configured; otherwise, navigates to the Page Not Found page | Navigates to the Page Not Found page
J-Web is not enabled, and dynamic VPN is configured. | Navigates to the dynamic VPN login page | Navigates to the Page Not Found page | Navigates to the dynamic VPN login page
Case 2: J-Web and dynamic VPN do share the same interface.
Scenario | Request with no URL path | Request with the J-Web URL (management-url) | Request with the dynamic VPN URL
J-Web is enabled, and dynamic VPN is configured. | Navigates to the dynamic VPN login page | Navigates to the J-Web login page if the attribute is configured; otherwise, navigates to the Page Not Found page | Navigates to the dynamic VPN login page
J-Web is not enabled, and dynamic VPN is not configured. | Navigates to the Page Not Found page | Navigates to the Page Not Found page | Navigates to the Page Not Found page
J-Web is enabled, and dynamic VPN is not configured. | Navigates to the J-Web login page | Navigates to the J-Web login page if the J-Web attribute is configured; otherwise, navigates to the Page Not Found page | Navigates to the Page Not Found page
J-Web is not enabled, and dynamic VPN is configured. | Navigates to the dynamic VPN login page | Navigates to the Page Not Found page | Navigates to the dynamic VPN login page
- On SRX3400, SRX3600, SRX5600, and SRX5800 devices, to add the Predefined Attacks and Predefined Attack Groups, users do not need to type the attack names. Instead, users can select attacks from the Predefined Attacks and Predefined Attack Group lists and click the left arrow to add them.
- On SRX100, SRX210, SRX240, and SRX650 devices, the LED status (Alarm, HA, ExpressCard, Power Status, and Power) shown in the front panel for Chassis View does not replicate the exact status of the device.
- On all SRX Series devices, the BIOS version is displayed on system identification on the J-Web dashboard.

Note: Delete your browser cookies to view this change.
- J-Web login page is updated with the new Juniper Logo and Trademark.
- The options to configure the Custom Attacks, Custom Attack Groups, and Dynamic Attack Groups are disabled because they cannot be configured from J-Web.
Management and Administration
- On SRX5600 and SRX5800 devices running a previous release of Junos OS, security logs were always timestamped using the UTC time zone. In Junos OS Release 10.3, you can use the set system time-zone CLI command to specify the local time zone that the system should use when timestamping the security logs. If you want to timestamp logs using the UTC time zone, use the set system time-zone utc and set security log utc-timestamp CLI statements.
- Configuring the external CompactFlash card on SRX650 Services Gateways:
The SRX650 Services Gateway includes 2-GB CompactFlash storage devices:
- The Services and Routing Engine (SRE) contains a hot-pluggable CompactFlash (external CompactFlash) storage device used to upload and download files.
- The chassis contains an internal CompactFlash used to store the operating system.
By default, only the internal CompactFlash is enabled, and taking a snapshot of the configuration from the internal CompactFlash directly to the external CompactFlash is not supported. This can be done only by using a USB storage device.
To take a snapshot on the external CompactFlash:
- Take a snapshot from the internal CompactFlash to the USB storage device by using the request system snapshot media usb CLI command.
- Reboot the device from the USB storage device by using the request system reboot media usb command.
- Go to the U-boot prompt. For more information, see the "Accessing the U-Boot Prompt" section in the Junos OS Administration guide.
- At the U-boot prompt, set the following variables:
set ext.cf.pref 1
save
reset
- Once the system is booted from the USB storage device, take a snapshot on the external CompactFlash by using the request system snapshot media external command.

Note: Once the snapshot has been taken on the external CompactFlash, we recommend you set the ext.cf.pref to 0 at the U-boot prompt.
PoE
- On SRX210-PoE devices, SDK packages might not work.
Security
- J Series devices do not support the authentication order password radius or password ldap in the edit access profile profile-name authentication-order command. Instead, use the order radius password or ldap password.
- Any change in the Unified Access Control’s (UAC) contact interval and timeout values in the SRX Series or J Series device will be effective only after the next reconnection of the SRX Series or J Series device with the Infranet Controller.
- The maximum size of a redirect payload is 1450 bytes. The size of the redirect URL is restricted to 1407 bytes (excluding a few HTTP headers). If a user accesses a destination URL that is larger than 1407 bytes, the Infranet Controller authenticates the payload, the exact length of the redirect URL is calculated, and the destination URL is trimmed so that it fits into the redirect URL. The destination URL can be shorter than 1407 bytes depending on what else is present in the redirect URL, for example, the policy ID. The destination URL in the default redirect URL is trimmed so that the redirect packet payload size is limited to 1450 bytes; if the length of the payload is larger than 1450 bytes, the excess length is trimmed and the user is directed to the destination URL that has been resized to fit within 1450 bytes.
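A small model of the trimming behaviour described above, added here as an example and not Juniper code: it applies the 1450-byte payload and 1407-byte redirect URL limits from the notes and shows how much of a long destination URL survives, so an administrator can predict when users will land on a truncated destination. The redirect URL layout (base URL plus policy-id and dest query parameters), the header overhead, and the hostnames are assumptions.

```python
"""Model the UAC redirect size limits described above.

Added example, not Juniper code. The 1450-byte payload and 1407-byte redirect
URL limits come from the notes; the redirect URL layout
(<base>?policy=<id>&dest=<percent-encoded destination>) is an assumption.
"""
from urllib.parse import quote, unquote

MAX_PAYLOAD = 1450       # whole redirect payload, per the notes
MAX_REDIRECT_URL = 1407  # redirect URL within the payload, per the notes


def build_redirect(base, policy_id, encoded_dest):
    # Assumed layout of the Infranet Controller redirect URL.
    return f"{base}?policy={policy_id}&dest={encoded_dest}"


def trim_encoded(encoded, room):
    """Cut a percent-encoded string to at most 'room' bytes without splitting a %XX escape."""
    cut = encoded[:room]
    pct = cut.rfind("%")
    if pct != -1 and pct > len(cut) - 3:  # a '%' with fewer than two hex digits after it
        cut = cut[:pct]
    return cut


def fit_redirect(base, policy_id, dest, header_overhead):
    """Return (redirect_url, trimmed) that satisfies both limits.

    header_overhead: bytes of the redirect payload that are not the URL itself
    (status line, header names, CRLFs), which the notes exclude from the 1407-byte
    URL budget but which still count toward the 1450-byte payload limit.
    """
    budget = min(MAX_REDIRECT_URL, MAX_PAYLOAD - header_overhead)
    encoded = quote(dest, safe="")
    url = build_redirect(base, policy_id, encoded)
    if len(url.encode()) <= budget:
        return url, False
    # Room left for the destination once the fixed part of the URL is counted.
    fixed = len(build_redirect(base, policy_id, "").encode())
    encoded = trim_encoded(encoded, max(budget - fixed, 0))
    return build_redirect(base, policy_id, encoded), True


def destination_from_redirect(url):
    """Recover the (possibly trimmed) destination the user will actually reach."""
    return unquote(url.split("dest=", 1)[1])


if __name__ == "__main__":
    base = "https://ic.example.test/redirect"   # constructed, not a real controller
    long_dest = "http://intranet.example/" + "a" * 2000
    url, trimmed = fit_redirect(base, 42, long_dest, header_overhead=40)
    print(trimmed, len(url), len(destination_from_redirect(url)))
```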
WLAN
- While configuring the AX411 Access Point on your SRX Series devices, you must enter the WLAN admin password using the set wlan admin-authentication password command. This command prompts for the password, and the password entered is stored in encrypted form.

- Without the wlan config option enabled, the AX411 Access Points will be managed with the default password.
- Changing the wlan admin-authentication password when the wlan subsystem option is disabled might result in mismanagement of Access Points. You might have to power cycle the Access Points manually to avoid this issue.
- The SRX Series devices that are not using the AX411 Access Point can optionally delete the wlan config option.
- Accessing the AX411 Access Point through SSH is disabled by default. You can enable SSH access using the set wlan access-point <name> external system services enable-ssh command.
VLAN
- Native-vlan-id can be configured only when either flexible-vlan-tagging mode or interface-mode trunk is configured. The commit error message, which previously referred to vlan-tagging mode instead of flexible-vlan-tagging mode, has been corrected.