Learn about new features and enhancements to existing features introduced in Junos OS Release 20.1R1 for vSRX and vSRX 3.0.
For more information, see Overview of the available virtual SRX models, vSRX and vSRX 3.0.
Logical and Tenant Systems
Support for logical systems and tenant systems (vSRX and vSRX 3.0)—Starting in Junos OS Release 20.1R1, you can configure logical systems and tenant systems on vSRX and vSRX 3.0 instances.
With Junos OS, you can partition a single security device into multiple logical devices that can perform independent tasks. You can partition a single device into the following secure contexts:
Each logical system has its own discrete administrative domain, logical interfaces, routing instances, security firewall, and other security features. A tenant system provides logical partitioning of the SRX Series device into multiple domains similar to logical systems and provides high scalability.
Elastic Mode support with Resource Management (vSRX 3.0)—Starting in Junos OS Release 20.1R1, when vSRX 3.0 performs resource management, the vCPUs and RAM available to the instance are assigned based on what was allocated before the instance was launched. With this enhancement, the CLI output of the show chassis hardware command no longer displays the fixed core and memory sizes for vSRX 3.0 that it displayed previously.
In public cloud environments such as AWS, Azure, and Google Cloud Platform, where instance types are offered with fixed core and memory sizes, the vSRX 3.0 instance performs resource management based on the available cores and memory. Refer to the public cloud documentation for more information on configuring vSRX 3.0 on supported instance types.
[See show chassis hardware (View).]
User Access and Authentication
VPN support with Microsoft Azure Key Vault (HSM) (vSRX 3.0)—Starting in Junos OS Release 20.1R1, you can safeguard the private keys used by the PKI daemon and IKED by using the Microsoft Azure Key Vault hardware security module (HSM) service. You can establish a PKI daemon-based VPN tunnel using the keypairs generated at the HSM. The HSM server creates and stores the keypairs and performs the needed keypair operations. To enable VPN support with HSM, you need to enable the master encryption key using the request security hsm master-encryption-password set plain-text-password configuration command. After you enable HSM, all the PKI daemon keypairs previously created are deleted.
PowerMode IPsec support (vSRX 3.0)—Starting in Junos OS Release 20.1R1, PowerMode IPsec is a new mode of operation for vSRX instances that provides IPsec performance improvements using Vector Packet Processing (VPP) and Intel AES-NI instructions. PowerMode IPsec is a small software block inside the SRXPFE (SRX Series Packet Forwarding Engine) that is activated when PowerMode is enabled.
You enable PowerMode IPsec processing by using the set security flow power-mode-ipsec command.
To disable PowerMode IPsec processing, use the delete security flow power-mode-ipsec command to delete the statement from the configuration and then reboot the vSRX VM.
Support for authentication and cipher algorithms in PowerMode IPsec mode (vSRX 3.0)—Starting in Junos OS Release 20.1R1, you can use authentication algorithms (SHA1: hmac-sha1-96 and SHA2: hmac-sha-256-128) and cipher algorithms (aes-128-cbc, aes-192-cbc, and aes-256-cbc) along with all the existing ciphers in PowerMode IPsec (PMI) mode on vSRX 3.0 instances.
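The following audit script is an added example, not part of the Juniper release notes. It reads a configuration exported in set format, reports whether PowerMode IPsec is enabled, and marks each IPsec proposal whose algorithms are both among those named above. The function name, the result labels, and the sample configuration are constructed for illustration. Because the previously supported PMI ciphers are not listed on this page, any other algorithm is marked for manual verification rather than rejected.

```python
import re

# Algorithms these release notes name as usable in PowerMode IPsec (PMI) from 20.1R1.
PMI_AUTH = {"hmac-sha1-96", "hmac-sha-256-128"}
PMI_ENC = {"aes-128-cbc", "aes-192-cbc", "aes-256-cbc"}

PROPOSAL_RE = re.compile(
    r"^set security ipsec proposal (\S+) "
    r"(authentication-algorithm|encryption-algorithm) (\S+)$"
)

def audit_pmi(config_text):
    """Return (pmi_enabled, findings) for a Junos configuration in set format."""
    pmi_enabled = False
    proposals = {}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if line == "set security flow power-mode-ipsec":
            pmi_enabled = True
            continue
        match = PROPOSAL_RE.match(line)
        if match:
            name, kind, value = match.groups()
            proposals.setdefault(name, {})[kind] = value
    findings = []
    for name, algs in sorted(proposals.items()):
        auth = algs.get("authentication-algorithm")
        enc = algs.get("encryption-algorithm")
        named = auth in PMI_AUTH and enc in PMI_ENC
        # Hypothetical labels: anything not named on this page needs a manual check.
        status = "named-in-20.1R1" if named else "verify-against-pmi-docs"
        findings.append((name, auth, enc, status))
    return pmi_enabled, findings

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
set security flow power-mode-ipsec
set security ipsec proposal P-CBC protocol esp
set security ipsec proposal P-CBC authentication-algorithm hmac-sha-256-128
set security ipsec proposal P-CBC encryption-algorithm aes-256-cbc
set security ipsec proposal P-3DES authentication-algorithm hmac-md5-96
set security ipsec proposal P-3DES encryption-algorithm 3des-cbc
"""

if __name__ == "__main__":
    enabled, results = audit_pmi(SAMPLE)
    print("PowerMode IPsec enabled:", enabled)
    for row in results:
        print(*row)
```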