Release 18.1R1 New and Changed Features

 

This section describes new features and enhancements to existing features in Junos OS Release 18.1R1 for vSRX.

New Features for Junos OS Release 18.1R1 for vSRX

vSRX: Mellanox support

  • Mellanox support for vSRX on KVM deployment—Starting in Junos OS Release 18.1R1, a vSRX instance deployed on KVM supports SR-IOV on the Mellanox ConnectX-3 and ConnectX-4 Family Adapters. For a summary of vSRX sizes (number of vCPU and amount of vRAM) that support the Mellanox ConnectX-3 and ConnectX-4 Family Adapters, see vSRX Scale Up Performance.

    [See vSRX Deployment Guide for KVM.]

vSRX: X2 Monitoring

  • vSRX: Ability to send port mirrored traffic on an IPSec interface—Starting in Junos OS Release 18.1R1, if the output X2 interface of a mirror filter is configured to an st0 interface to filter traffic that you want to analyze, the packet can be duplicated and encrypted by the IPSec tunnel bound to the st0 interface. This enhancement supports the ability of the vSRX instance to send traffic mirrored from a port on an IPSec tunnel. Mirrored traffic includes unmodified Layer 3 headers.

    [See Understanding X2 Traffic Monitoring.]

Authentication and Access

  • IPv6 support for Network Access Control (NAC) (SRX Series, vSRX instances)—Starting in Junos OS Release 18.1R1, SRX Series devices and vSRX instances support IPv6 for the network access control (NAC) system. You can configure the Web API client address with an IPv6 address. The Web API supports IPv6 user or device entries obtained from JIMS. An SRX Series device can query JIMS periodically for batches of newly generated IPv6 user or device identity information. An SRX Series device can also query JIMS for identity information for an individual user or device based on the IPv6 address when IPv6 traffic hits the device. SRX Series device firewall authentication can push IPv6 IP-user mapping information to JIMS.

    [See Understanding the SRX Series Advanced Query Feature for Obtaining User Identity Information from JIMS.]

CoS

  • Support for rewrite rules for both inner and outer VLAN tags on IEEE-802.1 packets (SRX Series, vSRX instances)—Starting in Junos OS Release 18.1R1, SRX Series devices and vSRX instances support applying rewrite rules to both inner and outer VLAN tags on IEEE802.1 packets. To apply rewrite rules to both inner and outer VLAN tags, set the vlan-tag outer-and-inner option at the [edit class-of-service interfaces interface-name unit unit-number rewrite-rules ieee-802.1 rewrite-name] hierarchy level.

    [See rewrite-rules (CoS Interfaces).]

Flow-based and Packet-based Processing

  • Enhancements for the show security flow statistics operational command (SRX Series, vSRX instances)—Starting in Junos OS Release 18.1R1, the output for the show security flow statistics command is modified; the Packets forwarded command output field is changed to Packets received, which displays the actual number of forwarded packets and ignores the dropped packets. In earlier Junos OS releases, this field included the dropped packets. Additionally, the new fields Packets transmitted, Packets forwarded/queued, and Packets copied have been created.

    [See show security flow statistics.]

IKE Gateway Extended Authentication (XAuth)

  • XAuth client username supports a length of 128 characters (SRX Series, vSRX instances)—Starting in Junos OS Release 18.1R1, on all SRX Series devices and vSRX instances, the maximum number of characters allowed for an IKE gateway Extended Authentication (XAuth) client username is 128 characters.

Network Management and Monitoring

  • Two-Way Active Measurement Protocol (TWAMP) Support (SRX4100 and SRX4200 devices, and vSRX instances)—Starting in Junos OS Release 18.1R1, the Two-Way Active Measurement Protocol (TWAMP) is supported on SRX4100 and SRX4200 devices and vSRX instances in addition to the existing support on SRX Series devices such as SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500. TWAMP is a standard protocol framework that defines control and test session separation based on the client/server architecture. The TWAMP-Control protocol is used to set up performance measurement sessions between a TWAMP client and a TWAMP server, and the TWAMP-Test protocol is used to send and receive performance measurement probes.

    [See Two-Way Active Measurement Protocol (TWAMP) Overview.]

VPN

  • Binding trusted CAs to an IKE Policy (SRX300, SRX320, SRX340, SRX345, SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800 devices, and vSRX instances)—Starting in Junos OS Release 18.1R1, you can group trusted certificate authorities (CAs) and bind any specific CA or groups of CAs to an IKE policy. You can configure and assign a trusted CA group for a client network. Any CA from a particular group can validate the certificate for that particular client network. For any incoming connection request, only the certificate issued by the particular trusted CA of that client network gets validated. If not, the connection will not be established.

    [See GTP Handover Group Overview.]

  • IPv6 support for AutoVPN and ADVPN with dynamic routing protocol (SRX Series, vSRX instances)—Starting with Junos OS Release 18.1R1, IPv6 is supported on AutoVPN and Auto Discovery VPN (ADVPN) with point-to-multipoint secure tunnel mode. ADVPN can run with OSPFv3 routing protocol and AutoVPN can run with OSPFv3 and iBGP (internal BGP) routing protocols.

    The ospf3 command is introduced to support IPv6 for AutoVPN and ADVPN with point-to-multipoint secure tunnel mode. In addition, the show security ipsec next-hop-tunnels command, which displays the IPsec VPN tunnels bound to a specific tunnel interface, is updated to add family and tunnel ID filters.

  • IPv6 support for PKI (SRX300, SRX320, SRX340, SRX345, SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800 devices, and vSRX instances)—Starting in Junos OS Release 18.1, the Public Key Infrastructure (PKI) supports IPv6 address format for the Certificate Authority (CA) server and source addresses in a CA profile. The PKI provides an infrastructure for digital certificate management. In PKI, a Certificate Authority is a trusted third party responsible for issuing and revoking certificates. These certificates are used to create secure connections between peers.

    [See Understanding Certificate Authority Profiles.]

  • SSL remote access VPN support by bypassing application-based firewalls (SRX Series, vSRX instances)—Starting with Junos OS Release 18.1R1, remote access VPN uses SSL to pass through an application-based firewall using the third-party NCP Exclusive Remote Access Client on Windows, MAC OS, Apple iOS, and Android devices. Most intermediate Internet-facing devices allow users to establish a session over SSL (HTTPS) to any Internet-based device. This solution allows you to establish secure communication using a full SSL session when an intermediate device blocks IPsec or UDP traffic.

    [See Understanding SSL Remote Access VPNs with NCP Exclusive Remote Access Client.]

vSRX Architecture Illustration

vSRX Architecture

Figure 1 is a high-level illustration of the vSRX architecture as of Junos OS Release 18.1R2.

Figure 1: vSRX Architecture




Supported Features

For details about Junos OS features supported on vSRX, see Feature Explorer: vSRX.

Supported Features References

Table 1 lists documentation references to Junos OS features that are supported on vSRX.

Note

Some vSRX features require a license. See vSRX Feature Licenses Overview for more details.

Table 1: Documentation References for Junos OS Features Supported on vSRX

| Feature | Feature Documentation | vSRX Platform |
|---|---|---|
| Application Firewall (AppFW) | Application Firewall Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Application Identification (AppID) | Understanding Application Identification Techniques | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Application Layer Gateways (ALGs) | ALG Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Application Quality of Service (AppQoS) | Understanding Application QoS (AppQoS) | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Attack Detection and Prevention (ADP) | Attack Detection and Prevention Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Chassis cluster support for Virtio driver | Chassis Cluster Overview | KVM |
| Chassis cluster support for VMXNET3 driver | Chassis Cluster Overview | VMware |
| Chassis cluster support for Windows Hyper-V Server 2016 | Chassis Cluster Overview | Hyper-V |
| Class of service (CoS) | Understanding Class of Service | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Dynamic Host Configuration Protocol (DHCP) | Understanding Interfaces | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Flow and packet processing | Juniper Networks Devices Processing Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Intrusion Detection and Prevention (IDP) | Understanding Intrusion Detection and Prevention | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| IPsec VPN | IPsec VPN Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Multiprotocol Label Switching (MPLS) | MPLS Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Multicast | Multicast Overview | VMware, KVM, and Contrail |
| Network Address Translation (NAT) | Introduction to NAT | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Routing protocols | Junos OS Routing Protocols Library | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Security building blocks | Understanding Security Basics | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| Transparent mode | Ethernet Switching and Layer 2 Transparent Mode Overview | VMware, KVM, and Contrail |
| Unified Threat Management (UTM) | Unified Threat Management Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |
| User authentication | Understanding User Authentication for Security Devices | VMware, KVM, Contrail, AWS, Azure, and Hyper-V |

Unsupported Features

While vSRX supports many of the Junos OS features supported on other SRX Series devices, not all features are supported. For information about Junos OS features that are not supported on vSRX, see Known Behavior and SRX Series Features Not Supported on vSRX for specific support limitations.

Changes in Behavior and Syntax

For the most complete and latest information about changes in command behavior and syntax applicable to all SRX Series platforms in Junos OS Release 18.1R2, see Changes in Behavior and Syntax for SRX.