
New and Changed Features

 

This section describes the new features and enhancements to existing features in the Junos OS main release and the maintenance releases for vSRX.

New Features for Junos OS Release 18.3R3 for vSRX

There are no new features or enhancements to existing features for vSRX in Junos OS Release 18.3R3.

New Features for Junos OS Release 18.3R2 for vSRX

There are no new features or enhancements to existing features for vSRX in Junos OS Release 18.3R2.

New Features for Junos OS Release 18.3R1 for vSRX

This section describes new features and enhancements to existing features in Junos OS Release 18.3R1 for vSRX.

Application Security

  • Downloading Junos OS application signature package from proxy server (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, support for downloading the application identification signature package from a proxy server is available. The application signature package is hosted on an external server, and can be downloaded and installed on the device. You can download the signature package when a Web proxy is already deployed on your device as part of the overall security solution.

    To download the signature package using a proxy server:

    1. Configure a profile with host and port details of the proxy server.

    2. Use the set services application-identification download proxy-profile profile-name command to connect to the external server through a specified proxy server.

    The download retrieves the application signature package from the Juniper Networks security website https://signatures.juniper.net/cgi-bin/index.cgi.

    [See Predefined Application Signatures for Application Identification.]

  • Elliptic Curve Digital Signature Algorithm (ECDSA) cipher support (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, ECDSA cipher suites are supported in SSL proxy for digital signing. ECDSA ciphers are based on Elliptic Curve Cryptography (ECC). ECDSA cipher suites are available with smaller keys, and provide faster and more secure cryptography across the Internet.

    SSL proxy supports only ECC certificates that use the 256-bit Elliptic Prime Curve (P-256).

    [See SSL Proxy Overview.]

  • URL category-based routing (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, the advanced policy-based routing (APBR) feature is enhanced to include URL categories as match criteria in the APBR profile to enable URL category-based routing. URL categories are based on the destination server IP address, and the category identification is leveraged from the Enhanced Web Filtering (EWF) and local Web filtering results from the unified threat management (UTM) module. APBR uses the details to match the traffic and route the matching traffic to a specified next-hop device.

    URL category-based routing enables you to redirect the traffic based on a specific website or a URL category to ensure that the Web traffic arrives at the appropriate destination in the network.

    [See Advanced Policy-Based Routing.]

Authentication and Access

  • IPv6 support for configuring the JIMS server and filtering IP addresses (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, IPv6 addresses are supported to connect the Juniper Identity Management Service (JIMS) primary server and secondary server, in addition to existing IPv4 address support. Also, IPv6 addresses are supported to configure a filter based on IP addresses for the advanced query feature, in addition to existing IPv4 address support.

    [See Understanding the SRX Series Advanced Query Feature for Obtaining User Identity Information from JIMS.]

Flow-Based and Packet-Based Processing

  • vSRX: PowerMode IPsec performance improvement (phase I)—Starting in Junos OS Release 18.3R1, PowerMode IPsec is a new mode of operation for vSRX instances that provides IPsec performance improvements using Vector Packet Processing (VPP) and Intel AES-NI instructions. PowerMode IPsec is a small software block inside the SRXPFE (SRX Packet Forwarding Engine) that is activated when PowerMode is enabled.

    You enable PowerMode IPsec processing by using the set security flow power-mode-ipsec command. You must reboot the vSRX VM to apply the statement.

    Note

    To disable PowerMode IPsec processing, use the delete security flow power-mode-ipsec command to delete the statement from the configuration and then reboot the vSRX VM.

    Table 1 summarizes the features supported in PowerMode IPsec, along with the features that are not supported.

    Table 1: Summary of Features Supported in PowerMode IPsec

    Supported Features in PowerMode IPsec:

    • IPsec functionality

    • Traffic selectors

    • St0 interface

    • All control plane IKE functionality

    • AutoVPN with traffic selector

    Non-Supported Features in PowerMode IPsec:

    • AutoVPN with routing protocol

    • IPv6

    • Stateful Layer 4 firewall

    • ADVPN

    • High-availability

    • NAT-T

    • NAT

    • IPsec in IPsec

    • GTP/SCTP firewall

    • Application firewall/AppSecure

    • QoS

    • Nested tunnel

    • Screen

    • Multicast

    • Host traffic

    Note the following usage considerations with PowerMode IPsec:

    • Antireplay maximum window size supported is 64

    • Post/pre-fragment packets will not go through PowerMode IPsec

    • Any fragments received on an interface will not go through PowerMode IPsec

    • A tunnel session belongs to either PowerMode IPsec or non-PowerMode IPsec

    The session is marked as non-PMI and operates in non-PowerMode if the session is configured with any of the non-supported features listed in Table 1. This behavior is also true if any fragments are received. For an existing session, if any of the features listed in Table 1 are configured, then the session is moved from PMI to non-PMI.

    [See Juniper Networks Devices Processing Overview.]
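    The following Junos CLI configuration is an added example, not configuration from the release notes or from Juniper, showing a route-based IKEv2 VPN built only from the features in the supported column of Table 1 (st0 interface, traffic selectors, control-plane IKE) so that its tunnel sessions qualify for PowerMode IPsec. Policy and gateway names, the RFC 5737 addresses, the zone name and the pre-shared-key placeholder are all assumed values; the VPN statements themselves are standard Junos IPsec configuration, and only set security flow power-mode-ipsec is taken from this page.

```junos
# Added example; names, addresses and the pre-shared key are assumed values
# (RFC 5737 documentation addresses, constructed for this example).

# IKEv2 gateway to the remote peer
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group14
set security ike proposal IKE-PROP authentication-algorithm sha-256
set security ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text "<pre-shared-key>"
set security ike gateway GW-HUB ike-policy IKE-POL
set security ike gateway GW-HUB address 203.0.113.2
set security ike gateway GW-HUB external-interface ge-0/0/0.0
set security ike gateway GW-HUB version v2-only

# IPsec SA bound to st0 and selected by a traffic selector: both are in the
# supported column of Table 1, so sessions on this tunnel can run in PMI.
# AES-GCM keeps the data path on the AES-NI instructions PMI relies on.
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-256-gcm
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
set security ipsec vpn VPN-HUB bind-interface st0.0
set security ipsec vpn VPN-HUB ike gateway GW-HUB
set security ipsec vpn VPN-HUB ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-HUB traffic-selector TS-LAN local-ip 10.1.1.0/24
set security ipsec vpn VPN-HUB traffic-selector TS-LAN remote-ip 10.2.2.0/24
set security ipsec vpn VPN-HUB establish-tunnels immediately
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0

# Enable PowerMode IPsec (statement from this page); it only takes effect
# after the vSRX VM is rebooted.
set security flow power-mode-ipsec
commit
request system reboot

# Anything from the non-supported column moves a session to non-PMI, e.g. a
# peer behind NAT (NAT-T), IPv6 traffic selectors, a nested tunnel, or NAT
# applied to the tunnelled traffic. Keep those off this VPN if PMI throughput
# is the goal, and remember that fragments always take the non-PMI path.
```

    To turn the mode off again, delete the power-mode-ipsec statement as described above and reboot; the VPN configuration itself does not need to change.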

Intrusion Detection and Protection (IDP)

  • Support for multiple IDP policies (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, with unified policies configured on an SRX Series device, you can configure multiple IDP policies and set one of those policies as the default IDP policy. If multiple IDP policies are configured for a session and a policy conflict occurs, the device applies the default IDP policy for that session, which resolves the conflict.

    If you have configured two or more IDP policies in a unified security policy, then you must configure the default IDP policy.

    To configure an IDP policy as the default policy, use the set security idp default-policy policy-name command.

    [See Understanding Multiple IDP Policies for Unified Policies.]

  • User visibility improvements for IDP attacks (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, you can view the attacks that are available in an attack group (predefined, dynamic, and custom attack groups) and the group to which a predefined attack belongs.

    You can use the following new commands to view the details of attack objects in a group and the group to which the attack belongs:

    • show security idp attack attack-list attack-group attack-group-name

    • show security idp attack group-list attack-name

    [See show security idp attack attack-list and show security idp attack group-list.]
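    The following Junos CLI configuration is an added example, not configuration from the release notes or from Juniper, covering both IDP items above: two IDP policies referenced from unified security policies with one of them set as the mandatory default, followed by the two new show commands to inspect attack-group membership. The policy, rule, zone and dynamic attack group names are assumed; the predefined attack name in the last command is a placeholder because this page does not name one.

```junos
# Added example; policy, rule, zone and group names are assumed values.

# A dynamic attack group: all critical HTTP attacks in the installed signature package.
set security idp dynamic-attack-group CRIT-HTTP filters severity values critical
set security idp dynamic-attack-group CRIT-HTTP filters category values HTTP

# Policy 1: enforce. Policy 2: detect only, for traffic still under evaluation.
set security idp idp-policy STRICT rulebase-ips rule r1 match attacks dynamic-attack-groups CRIT-HTTP
set security idp idp-policy STRICT rulebase-ips rule r1 then action drop-connection
set security idp idp-policy STRICT rulebase-ips rule r1 then notification log-attacks

set security idp idp-policy LOG-ONLY rulebase-ips rule r1 match attacks dynamic-attack-groups CRIT-HTTP
set security idp idp-policy LOG-ONLY rulebase-ips rule r1 then action no-action
set security idp idp-policy LOG-ONLY rulebase-ips rule r1 then notification log-attacks

# Two or more IDP policies are in use under unified policies, so a default is
# required; it is applied when a session matches several security policies
# that reference different IDP policies (the conflict case).
set security idp default-policy STRICT

# Unified policies: the dynamic-application match is only final once AppID has
# classified the session, which is exactly when the conflict can arise.
set security policies from-zone trust to-zone untrust policy web-out match source-address any
set security policies from-zone trust to-zone untrust policy web-out match destination-address any
set security policies from-zone trust to-zone untrust policy web-out match application any
set security policies from-zone trust to-zone untrust policy web-out match dynamic-application junos:HTTP
set security policies from-zone trust to-zone untrust policy web-out then permit application-services idp-policy STRICT

set security policies from-zone trust to-zone untrust policy pilot-out match source-address any
set security policies from-zone trust to-zone untrust policy pilot-out match destination-address any
set security policies from-zone trust to-zone untrust policy pilot-out match application any
set security policies from-zone trust to-zone untrust policy pilot-out match dynamic-application junos:SSH
set security policies from-zone trust to-zone untrust policy pilot-out then permit application-services idp-policy LOG-ONLY
commit

# Visibility commands introduced in this release: which attacks the group
# CRIT-HTTP actually resolves to, and which groups a given attack belongs to.
show security idp attack attack-list attack-group CRIT-HTTP
show security idp attack group-list <attack-name>
```

    Checking the attack-list before committing a dynamic group is worth the minute: a filter that resolves to an unexpectedly large set of attacks is the usual cause of surprise drops after an enforce policy goes live.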

Logical Systems

  • ICAP redirect profile support for logical systems (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, SRX Series devices support the Internet Content Adaptation Protocol (ICAP) service redirect when the device is configured for logical systems.

    ICAP is a lightweight protocol used to extend transparent proxy servers, thereby freeing up resources. An ICAP redirect profile can be attached only to a policy that belongs to the same logical system.

    [See ICAP Redirect Support for Logical Systems.]

NAT

  • NAT configuration check on egress interfaces after reroute (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, support for retaining an existing session with its Network Address Translation (NAT) rule is available when the egress interface changes because of rerouting.

    If the new egress interface and the previous egress interface are in the same security zone and there is no change in the matched NAT rule, or if no rule is applied before and after rerouting, the session is retained with the existing NAT rule. Otherwise, the session expires and a new session is created after retransmitted or subsequent traffic is received.

    [See Understanding NAT Configuration Check on Egress Interfaces after Reroute.]

  • Session persistence during NAT configuration change (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, SRX Series devices support Network Address Translation (NAT) session persistence. With NAT session persistence enabled on your device, if there are any changes in the NAT configuration, then the device retains the existing NAT sessions instead of clearing them.

    NAT session persistence is supported only for source NAT in the following scenarios:

    • Source pool— Change in an address range in a Port Address Translation (PAT) pool.

    • Source rule— Change in match conditions for the address book, application, destination IP address, destination port, source IP address, and destination port fields.

    [See Understanding NAT Session Persistence.]

Security

  • Explicit Proxy Server Support (SRX Series and vSRX)—Starting in Junos OS Release 18.3R1, SRX Series devices support the use of an explicit proxy for the cloud-based connectivity for downloading IDP security package, Enhanced Web Filtering (EWF), and Sophos antivirus on unified threat management (UTM).

    To download the IDP security package that is hosted on an external server, configure a proxy profile; the download uses the proxy host and port details configured in that profile.

    This feature allows you to use a deployed Web proxy server on your device for access and authentication for HTTP and HTTPS outbound sessions.

    For UTM features, an explicit proxy hides the identity of the source device, communicates directly with the UTM cloud server, and establishes a connection with the destination device. The explicit proxy configuration consists of a port number and a direct IP address or hostname. To use the explicit proxy, create one or more proxy profiles and refer to those profiles in the configuration of EWF, of predefined category and base filter upgrades, and of Sophos antivirus, using the HTTP and HTTPS protocols.

    [See Downloading the Junos OS IDP Signature Package through an Explicit Proxy Server Overview and Understanding Explicit Proxy.]
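    The application signature download through a proxy (Application Security, above) and the explicit-proxy download of the IDP security package described here both hang off the same proxy profile. The following Junos CLI sequence is an added example, not configuration from the release notes or from Juniper: the profile name corp-proxy, the RFC 5737 proxy address 192.0.2.10 and port 3128 are assumed values, and the request and show commands are the standard signature-package operational commands rather than statements quoted from this page.

```junos
# Added example; profile name, proxy address and port are assumed values
# (RFC 5737 documentation address, constructed for this example).

# 1. Proxy profile with the host and port of the Web proxy already deployed
#    in front of the device.
set services proxy profile corp-proxy protocol http host 192.0.2.10
set services proxy profile corp-proxy protocol http port 3128

# 2. Application signature package: statement from this page.
set services application-identification download proxy-profile corp-proxy

# 3. IDP security package: reference the same profile.
set security idp security-package proxy-profile corp-proxy
commit

# Fetch and install. Both downloads now leave the device via corp-proxy on
# their way to https://signatures.juniper.net/cgi-bin/index.cgi, so the proxy
# must allow HTTPS to that host.
request services application-identification download
request services application-identification download status
request services application-identification install
request security idp security-package download
request security idp security-package download status
request security idp security-package install

# Confirm what is actually installed after the update.
show services application-identification version
show security idp security-package-version
```

    If the download status stays at connecting, check the proxy's own access log for the signatures.juniper.net request before suspecting the device: with a profile in place the device never contacts the signature server directly.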

vSRX Architecture Illustration

vSRX Architecture

Figure 1 is a high-level illustration of the vSRX architecture as of Junos OS Release 18.3R1.

Figure 1: vSRX Architecture

[Figure 1 image: vSRX Architecture]

Supported Features

For details about Junos OS features supported on vSRX, see Feature Explorer: vSRX.

Supported Features References

Table 2 lists documentation references to Junos OS features that are supported on vSRX.

Note

Some vSRX features require a license. See vSRX Feature Licenses Overview for more details.

Table 2: Documentation References for Junos OS Features Supported on vSRX

Feature | Feature Documentation | vSRX Platform
Application Firewall (AppFW) | Application Firewall Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V
Application Identification (AppID) | Understanding Application Identification Techniques | VMware, KVM, Contrail, AWS, Azure, and Hyper-V
Application Layer Gateways (ALGs) | ALG Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V
Application Quality of Service (AppQoS) | Understanding Application QoS (AppQoS) | VMware, KVM, Contrail, AWS, Azure, and Hyper-V
Attack Detection and Prevention (ADP) | Attack Detection and Prevention Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V
Chassis cluster support for virtio driver | Chassis Cluster Overview | KVM
Chassis cluster support for VMXNET3 driver | Chassis Cluster Overview | VMware
Chassis cluster support for Windows Hyper-V Server 2016 | Chassis Cluster Overview | Hyper-V
Class of service (CoS) | Understanding Class of Service | VMware, KVM, Contrail, AWS, Azure, and Hyper-V
Dynamic Host Configuration Protocol (DHCP) | Understanding Interfaces | VMware, KVM, Contrail, AWS, Azure, and Hyper-V
Flow and packet processing | Juniper Networks Devices Processing Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V
Intrusion Detection and Prevention (IDP) | Understanding Intrusion Detection and Prevention | VMware, KVM, Contrail, AWS, Azure, and Hyper-V
IPsec VPN | IPsec VPN Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V
Multiprotocol Label Switching (MPLS) | MPLS Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V
Multicast | Multicast Overview | VMware, KVM, and Contrail
Network Address Translation (NAT) | Introduction to NAT | VMware, KVM, Contrail, AWS, Azure, and Hyper-V
Routing protocols | Junos OS Routing Protocols Library | VMware, KVM, Contrail, AWS, Azure, and Hyper-V
Security building blocks | Understanding Security Basics | VMware, KVM, Contrail, AWS, Azure, and Hyper-V
Transparent mode | Ethernet Switching and Layer 2 Transparent Mode Overview | VMware, KVM, and Contrail
Unified Threat Management (UTM) | Unified Threat Management Overview | VMware, KVM, Contrail, AWS, Azure, and Hyper-V
User authentication | Understanding User Authentication for Security Devices | VMware, KVM, Contrail, AWS, Azure, and Hyper-V

Unsupported Features

While vSRX supports many of the Junos OS features supported on other SRX Series devices, not all features are supported. For information about Junos OS features that are not supported on vSRX, see Known Behavior and SRX Series Features Not Supported on vSRX for specific support limitations.

Changes in Behavior and Syntax

There are no changes in behavior and syntax for vSRX in Junos OS Release 17.4R3.

For the most complete and latest information about changes in command behavior and syntax applicable to all SRX Series platforms in Junos OS Release 18.3, see Changes in Behavior and Syntax for SRX.