This section describes new features and enhancements to existing features in Junos OS Release 19.4 for vSRX.
For more information, see Overview of the available virtual SRX models, vSRX and vSRX 3.0.
Release 19.4R2 New and Changed Features
Performance and Scaling
Support for multicore scaling on AWS (vSRX 3.0)—Starting in Junos OS Release 19.4R2, vSRX 3.0 instances with the Software Receive Side Scaling (SWRSS) feature can scale up the number of vCPUs on instances with ENA support in AWS. ENA-enabled instances allow more RSS queues. With the SWRSS feature, the dynamic ratio between the number of vCPUs and the number of RSS queues allows vSRX to scale up with larger AWS EC2 instance types.
Monitoring and Troubleshooting
AWS CloudWatch and Security Hub integration (vSRX 3.0)—Starting in Junos OS Release 19.4R2, vSRX is integrated with the AWS CloudWatch and Security Hub monitoring and management services for sending health statistics and key events, such as instance failure, to CloudWatch. With this integration, vSRX 3.0 can publish native metrics data and logs to the AWS cloud, which administrators can monitor to identify the vSRX 3.0 status.
To enable this feature, run the set security cloud aws cloudwatch log file <name> and the set security cloud aws cloudwatch log file <file-name> security-hub-import configuration commands.
To view statistics using these features, use the show security cloud aws cloudwatch log statistics and show security cloud aws cloudwatch metric statistics commands.
Release 19.4R1 New and Changed Features
Encrypted control link (vSRX)—Starting in Junos OS Release 19.4R1, the existing control link functionality is enhanced to support encryption. This enforces confidentiality and integrity of the control link data. The chassis cluster control link supports an optional encrypted security feature that you can configure and activate. Using IPsec for internal communication between devices, the configurations that pass through the chassis cluster link from the primary node to the secondary node are encrypted. To enable this feature, run the set security ipsec internal security-association manual encryption ike-ha-link-encryption enable configuration command. You must reboot both nodes to activate this configuration.
You can verify the configured IKE HA link encryption algorithm using the show security internal-security-association command.
Support for SR-IOV HA with trust mode disabled for KVM (vSRX and vSRX 3.0)—Starting in Junos OS Release 19.4R1, SR-IOV HA is supported with trust mode disabled. With this support, traffic flow is smooth and secure. This feature is only for KVM-based systems.
You can enable this mode by configuring the use-active-child-mac-on-reth and use-actual-mac-on-physical-interfaces options at the [edit chassis cluster] hierarchy level. If you configure these commands in a cluster, the hypervisor assigns the child physical interface’s MAC address. The MAC address of the parent reth interface is overwritten by the MAC address of the active child physical interface.
You must configure the commands use-active-child-mac-on-reth and use-actual-mac-on-physical-interfaces together to enable this feature. You need to reboot both nodes in the cluster for the commands to take effect.
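The following configuration audit is an added example, not part of the Juniper documentation. It checks a `show configuration | display set` export for the two chassis cluster requirements described above: that control link encryption is enabled, and that the two MAC options are configured together. The sample configuration is constructed, the `set chassis cluster ...` statement form is derived from the [edit chassis cluster] hierarchy level named above, and treating the optional control link encryption as mandatory is an assumed site policy.

```python
# Constructed sample of `show configuration | display set` output from one node.
SAMPLE_CONFIG = """\
set chassis cluster reth-count 2
set chassis cluster use-active-child-mac-on-reth
set security ipsec internal security-association manual encryption ike-ha-link-encryption enable
set interfaces ge-0/0/1 gigether-options redundant-parent reth0
"""

# Statement quoted from the release note for the encrypted control link.
CONTROL_LINK = ("set security ipsec internal security-association manual "
                "encryption ike-ha-link-encryption enable")
# Options that must be configured together for SR-IOV HA with trust mode disabled.
MAC_OPTIONS = ("use-active-child-mac-on-reth",
               "use-actual-mac-on-physical-interfaces")


def active_statements(config_text):
    """Return the set statements that are not covered by a 'deactivate' line."""
    sets, deactivated = [], []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse whitespace differences
        if line.startswith("set "):
            sets.append(line)
        elif line.startswith("deactivate "):
            # A deactivated hierarchy disables every statement beneath it.
            deactivated.append("set " + line[len("deactivate "):])

    def inactive(stmt):
        return any(stmt == d or stmt.startswith(d + " ") for d in deactivated)

    return {s for s in sets if not inactive(s)}


def audit(config_text):
    """Return a list of findings; an empty list means both checks passed."""
    stmts = active_statements(config_text)
    findings = []
    if CONTROL_LINK not in stmts:
        findings.append("control link encryption not enabled")
    present = [o for o in MAC_OPTIONS if f"set chassis cluster {o}" in stmts]
    if len(present) == 1:  # one option without the other does not enable the mode
        missing = next(o for o in MAC_OPTIONS if o not in present)
        findings.append(f"{present[0]} configured without {missing}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run the audit against the export from each node. It cannot tell whether the nodes were rebooted after the change, which both features require.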
Support for CoS in PMI mode (vSRX)—Starting in Junos OS Release 19.4R1, vSRX instances support the following Class of Service (CoS) features in PowerMode IPsec (PMI) mode:
Per-flow CoS functions for GTP-U traffic in PMI mode
Advanced resource management (vSRX 3.0)—Starting in Junos OS Release 19.4R1, vSRX 3.0 manages the additional system resource requirements for UTM- and IDP-specific services by reallocating CPU cores and extra memory. These values for memory and CPU cores are not user configured. Previously, system resources such as memory and CPU cores were fixed.
You can view the CPU and memory allocated for advanced security services on a vSRX 3.0 instance by using the show security forward-options resource-manager settings command. To view the flow session scaling, use the show security monitoring command.
Performance and Scaling
Support for multicore scaling on Hyper-V (vSRX 3.0)—Starting in Junos OS Release 19.4R1, vSRX 3.0 instances on Microsoft Hyper-V can be scaled by using the Software Receive Side Scaling (SWRSS) feature based on the vCPUs supported.
For SWRSS, up to 32 vCPUs can be used for each vSRX instance, and the ratio of worker threads to IO threads is 4:1 to deliver better performance.
Platform and Infrastructure
Data Plane Development Kit (DPDK) version upgrade to 18.11 (vSRX)—Starting in Junos OS Release 19.4R1, DPDK version 18.11 is supported on vSRX. With this feature, the Mellanox Connect Network Interface Card (NIC) on vSRX now supports OSPF Multicast and VLANs.
User Access and Authentication
Microsoft Azure Key Vault (HSM) integration (vSRX 3.0)—Starting in Junos OS Release 19.4R1, vSRX 3.0 is integrated with Microsoft Azure Key Vault hardware security module (HSM). With the integration of Microsoft Azure Key Vault HSM, vSRX can protect and manage sensitive data such as private cryptographic keys, passwords, and configurations.
Support for Avira scan engine on antivirus module (vSRX 3.0)—Starting in Junos OS Release 19.4R1, vSRX 3.0 instances support the Avira scan engine, which is an on-device antivirus scanning engine. The Avira scan engine scans data by accessing the virus pattern database. It provides a full file-based antivirus scanning function that is available through a separately licensed subscription service. When your antivirus license key expires, you can continue to use the locally stored antivirus signatures without any updates. If you delete the local database, then antivirus scanning is also disabled.