New and Changed Features

 

This section describes new features and enhancements to existing features in Junos OS Release 17.4 for vSRX.

New Features for Junos OS Release 17.4R3 for vSRX

There are no new features or enhancements to existing features for vSRX in Junos OS Release 17.4R3.

New Features for Junos OS Release 17.4R2 for vSRX

This section describes new features and enhancements to existing features in Junos OS Release 17.4R2 for vSRX.

Note

Junos OS Release 17.4R2 for vSRX is at feature parity with Junos OS Release 17.4R1. For the complete list of new features in Junos OS Release 17.4R1, see Junos OS Release 17.4R1 for vSRX Release Notes.

X2 Monitoring

  • vSRX: Ability to send port mirrored traffic on an IPSec interface—Starting in Junos OS Release 17.4R2, if the output X2 interface of a mirror filter is configured to an st0 interface to filter traffic that you want to analyze, the packet can be duplicated and encrypted by the IPSec tunnel bound to the st0 interface. This enhancement supports the ability of the vSRX instance to send traffic mirrored from a port on an IPSec tunnel. Mirrored traffic includes unmodified Layer 3 headers.

    [See Understanding X2 Traffic Monitoring.]

New Features for Junos OS Release 17.4R1 for vSRX

Junos OS Release 17.4R1 for vSRX is at feature parity with Junos OS Release 15.1X49-D100 for vSRX. See Junos OS Release 15.1X49-D100 for vSRX Release Notes for a list of new features added in Junos OS Release 15.1X49-D100 for vSRX.

This section describes new features and enhancements to existing features in Junos OS Release 17.4R1 for vSRX.

ALG

  • H.323 gateway-to-gateway support (SRX Series and vSRX instances)—Starting in Junos OS Release 17.4R1, the gateway-to-gateway call feature is supported on the H.323 Application Layer Gateway (ALG). This feature introduces one-to-many mapping between an H.225 control session and H.323 calls as multiple H.323 calls go through a single control session.

    To set up messages in the gateway-to-gateway call process, the H.323 ALG differentiates the calls coming from the H.323 gateway-to-gateway session and inserts the related call_hash_entry into the hash table. The H.323 gateway-to-gateway session messages get a call from the hash table and the non-H.323 gateway-to-gateway session messages get a call directly from the H.225 session.

    [See Understanding H.323 ALG.]

  • NAT64 support for H.323 ALG (SRX Series and vSRX instances)—Starting in Junos OS Release 17.4R1, the H.323 Application Layer Gateway (ALG) supports NAT64 rules in an IPv6 network. Shrinking the create and free messages improved the high availability (HA) synchronization.

    [See Understanding H.323 ALG.]

Application Security

  • Advanced policy-based routing (APBR) with enhancements (SRX Series and vSRX instances)—Starting in Junos OS Release 17.4R1, SRX Series devices and vSRX instances support advanced policy-based routing (APBR) with an additional enhancement that applies APBR in the middle of a session (midstream support). With this enhancement, you can apply APBR for a non-cacheable application and also for the first session of a cacheable application. You can fine-tune the outbound traffic with APBR configuration (for example, limiting route changes and terminating sessions) to avoid issues such as excessive transitions due to frequent route changes. The enhancement provides more flexible traffic-handling capabilities that offer granular control for forwarding packets.

    [See Understanding Advanced Policy-Based Routing.]

  • Application Tracking enhancements to support category and subcategory (SRX Series and vSRX instances)—Starting in Junos OS Release 17.4R1, AppTrack session create, session close, and volume update logs include the new fields category and subcategory. AppTrack, an application tracking tool, collects byte, packet, and duration statistics for application flows in the specified zone. The category and subcategory fields give general information about the application type, so including them in the AppTrack syslog message helps in categorizing applications.

    [See Understanding AppTrack.]

AutoVPN

  • IPv6 address support for point-to-point AutoVPN networks that use traffic selectors (SRX Series and vSRX instances)—Starting in Junos OS Release 17.4R1, AutoVPN networks that use secure tunnel interfaces in point-to-point mode support IPv6 addresses for traffic selectors and for IKE peers.

    [See Understanding AutoVPN.]

Cloud-Init Support

  • vSRX cloud-init support for AWS—Starting in Junos OS Release 17.4R1, the cloud-init package (version 0.7x) comes pre-installed in the vSRX for AWS image to help simplify configuring new vSRX instances operating in AWS according to a specified user-data file. Cloud-init is performed during the first-time boot of a vSRX instance.

    [See Using Cloud-Init in AWS to Automate the Initialization of vSRX Instances.]

GPRS

  • Support for GTP handover group (SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices and vSRX instances)—Starting in Junos OS Release 17.4R1, GTP handover group configuration is supported on GTP profiles. An administrator can configure a GTP profile and associate a GTP handover group with it.

    A GTP handover group is a set of SGSNs or serving gateways (SGWs) with a common address-book library. When a GTP handover group name is referenced by a GTP profile, the device checks whether the current SGSN/SGW address and the proposed SGSN/SGW address are contained within the same GTP handover group. If both the current and proposed SGSN/SGW addresses are contained within the same GTP handover group, then the handover is allowed. If the current and proposed SGSN/SGW addresses are not within the same GTP handover group, then the profile for the default handover group is used.

    This feature enables the administrator to define policies that determine whether handover can happen between individual SGSNs/SGW and/or groups of SGSNs/SGW for roaming.

Installation and Upgrade

  • Upgraded FreeBSD support for Junos OS (SRX1500, SRX4100, SRX4200 devices, and vSRX instances)—Starting in Junos OS Release 17.4R1, Junos OS is upgraded to support FreeBSD 11. The Junos Control Plane (JCP) virtual machine (VM) in the SRX devices is upgraded to support FreeBSD 11. Two virtual CPUs (vCPUs) are allocated for the JCP VM in the Linux host to improve JUNOS Routing Engine performance for SRX4100, SRX4200 devices and vSRX instances. For vSRX, an additional vCPU will be allocated to vJUNOS if the user allocates more CPUs than the minimum required. For SRX1500 devices, no additional CPUs are available to allocate for the JCP VM.

    [See Understanding Junos OS with Upgraded FreeBSD for SRX Series Devices.]

LLDP

  • vSRX: LLDP support in Layer 3 Mode—Starting in Junos OS Release 17.4R1, Link Layer Discovery Protocol (LLDP) is enabled on the vSRX. LLDP is a link layer protocol used for exchanging device-related information.

    [See Ethernet Ports Switching Overview.]

UDP

  • UDP flood screen whitelist (SRX300, SRX320, SRX340, SRX345, SRX1400, SRX4100, SRX4200 devices, and vSRX instances)—Starting in Junos OS Release 17.4R1, the UDP flood whitelist mechanism is implemented. When UDP is enabled in a zone, all UDP traffic is subject to UDP flood attack detection, and UDP packets above the threshold level are dropped. The UDP flood screen whitelist lets selected traffic bypass UDP flood detection so that it is not dropped.

    Traffic from addresses in the whitelist groups bypasses the UDP flood check. Both IPv4 and IPv6 whitelists are supported and can be configured using a single address or a subnet address. The UDP flood whitelist supports a maximum of 32 whitelist groups, and each group has 32 or fewer IPv4 or IPv6 addresses.

    [See Understanding UDP Flood Attacks.]
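
    The whitelist limits and bypass behavior described above, modeled in Python as an added example (not Juniper code or Junos configuration). The single shared counter, the exclusion of whitelisted packets from the count, the audit cut-offs, and all sample addresses are assumptions made for illustration.

```python
import ipaddress

MAX_GROUPS = 32           # limit stated in the release note
MAX_ADDRS_PER_GROUP = 32  # limit stated in the release note

def load_whitelist(groups):
    """Validate {group: [address or subnet, ...]} against the stated limits."""
    if len(groups) > MAX_GROUPS:
        raise ValueError(f"{len(groups)} groups exceeds the limit of {MAX_GROUPS}")
    parsed = {}
    for name, entries in groups.items():
        if len(entries) > MAX_ADDRS_PER_GROUP:
            raise ValueError(f"group {name!r} exceeds {MAX_ADDRS_PER_GROUP} addresses")
        # strict=False also accepts host-with-mask forms such as 192.0.2.10/24
        parsed[name] = [ipaddress.ip_network(e, strict=False) for e in entries]
    return parsed

def is_whitelisted(src, whitelist):
    """True if src (IPv4 or IPv6 string) falls inside any whitelist entry."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net
               for nets in whitelist.values() for net in nets)

def screen_interval(sources, threshold, whitelist):
    """Simplified model of one counting interval (assumption: one shared counter,
    whitelisted packets are not counted). Returns passed/dropped/bypassed totals."""
    result = {"passed": 0, "dropped": 0, "bypassed": 0}
    counted = 0
    for src in sources:
        if is_whitelisted(src, whitelist):
            result["bypassed"] += 1      # never reaches the flood check
            continue
        counted += 1
        result["passed" if counted <= threshold else "dropped"] += 1
    return result

def broad_entries(whitelist, min_v4=24, min_v6=64):
    """Audit helper (hypothetical cut-offs): entries wider than the given prefix
    lengths, since every address they cover is exempt from flood detection."""
    limit = {4: min_v4, 6: min_v6}
    return [(g, str(n)) for g, nets in whitelist.items() for n in nets
            if n.prefixlen < limit[n.version]]

# Constructed sample data (documentation and private ranges), not from the page.
SAMPLE = load_whitelist({"resolvers": ["192.0.2.53", "2001:db8:53::/64"],
                         "lab": ["10.0.0.0/8"]})
TRAFFIC = ["203.0.113.7"] * 5 + ["192.0.2.53"] * 4 + ["2001:db8:53::1"] * 2

if __name__ == "__main__":
    print(screen_interval(TRAFFIC, threshold=3, whitelist=SAMPLE))
    print(broad_entries(SAMPLE))
```

    Because whitelisted sources are never counted, each subnet entry should be reviewed for how many addresses it exempts from flood detection.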

VPN

  • IPv6 address support for point-to-point AutoVPN networks that use traffic selectors (SRX Series and vSRX instances)—Starting in Junos OS Release 17.4R1, AutoVPN networks that use secure tunnel interfaces in point-to-point mode support IPv6 addresses for traffic selectors and for IKE peers.

    Note

    IPv6 addresses are not supported for AutoVPN networks in point-to-multipoint secure tunnel mode.

    [See Understanding AutoVPN and Understanding AutoVPN with Traffic Selectors.]

vSRX Architecture Illustration

vSRX Architecture

Figure 1 is a high-level illustration of the vSRX architecture.

Figure 1: vSRX Architecture




Supported Features

For details about Junos OS features supported on vSRX, see Feature Explorer: vSRX.

Supported Features References

Table 1 lists documentation references to Junos OS features that are supported on vSRX.

Note

Some vSRX features require a license. See vSRX Feature Licenses Overview for more details.

Table 1: Documentation References for Junos OS Features Supported on vSRX

| Feature | Feature Documentation | vSRX Platform |
|---|---|---|
| Application Firewall (AppFW) | Application Firewall Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Application Identification (AppID) | Understanding Application Identification Techniques | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Application Layer Gateways (ALGs) | ALG Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Application Quality of Service (AppQoS) | Understanding Application QoS (AppQoS) | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Attack Detection and Prevention (ADP) | Attack Detection and Prevention Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Chassis cluster support for Virtio driver | Chassis Cluster Overview | KVM |
| Chassis cluster support for VMXNET3 driver | Chassis Cluster Overview | VMware |
| Chassis cluster support for Windows Hyper-V Server 2016 | Chassis Cluster Overview | Hyper-V |
| Class of service (CoS) | Understanding Class of Service | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Dynamic Host Configuration Protocol (DHCP) | Understanding Interfaces | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Flow and packet processing | Juniper Networks Devices Processing Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Intrusion Detection and Prevention (IDP) | Understanding Intrusion Detection and Prevention | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| IPsec VPN | IPsec VPN Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Multiprotocol Label Switching (MPLS) | MPLS Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Multicast | Multicast Overview | VMware, KVM, and Contrail |
| Network Address Translation (NAT) | Introduction to NAT | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Routing protocols | Junos OS Routing Protocols Library | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Security building blocks | Understanding Security Basics | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Transparent mode | Ethernet Switching and Layer 2 Transparent Mode Overview | VMware, KVM, and Contrail |
| Unified Threat Management (UTM) | Unified Threat Management Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| User authentication | Understanding User Authentication for Security Devices | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |

Unsupported Features

While vSRX supports many of the Junos OS features supported on other SRX Series devices, not all features are supported. For information about Junos OS features that are not supported on vSRX, see Known Behavior and SRX Series Features Not Supported on vSRX for specific support limitations.

Changes in Behavior and Syntax

There are no changes in behavior and syntax for vSRX in Junos OS Release 17.4R3.

For the most complete and latest information about changes in command behavior and syntax applicable to all SRX Series platforms in Junos OS Release 17.4, see Changes in Behavior and Syntax for SRX.