What’s Changed in Release 21.1R1

Flow-Based and Packet-Based Processing

  • Self-generated IKE packets choose outgoing interface matching source IP address (SRX Series)—A self-generated IKE packet always selects the ECMP outgoing interface that matches the source IP address. Note that we don't support filter-based forwarding for self-generated traffic with rerouting.

General Routing

  • Change in show security firewall-authentication jims operational command (SRX4600)—Starting in Junos OS Release 21.1R1, the show security firewall-authentication jims (statistics | display) operational command includes the display option.

    [See show security firewall-authentication jims statistics.]

  • New output field added in show pfe statistics traffic command (SRX380)—Starting in Junos OS Release 21.1R1, you'll see Unicast EAPOL in the output of the show pfe statistics traffic command.

    [See show pfe statistics traffic.]

  • Default MKA transmit interval (SRX380)—On SRX380 devices, the default MACsec Key Agreement (MKA) transmit interval is 2000 milliseconds. If you deploy an SRX380 device with another security peer device with a MACsec secure link, you must change the MKA transmit interval on the peer device to 2000 milliseconds to match the new default MKA transmit interval of the SRX380 device.

    [See transmit-interval (MACsec).]

Intrusion Detection and Prevention

  • Intelligent offload state (SRX Series)—We've introduced a new field in the show security idp status command to see the status of the IDP Intelligent offload.

    [See show security idp status.]

Junos XML API and Scripting

  • The jcs:invoke() function supports suppression of root login and logout events in system log files for SLAX commit scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The jcs:invoke() extension function supports the no-login-logout parameter in SLAX commit scripts. If you include the parameter, the function does not generate and log UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages when the script logs in as root to execute the specified remote procedure call (RPC). If you omit the parameter, the function behaves as in earlier releases in which the root UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages are included in system log files.

    [See invoke() Function (SLAX and XSLT).]

  • The jcs:invoke() function supports suppression of root login and logout events in system log files for SLAX event scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The jcs:invoke() extension function supports the no-login-logout parameter in SLAX event scripts. If you include the parameter, the function does not generate and log UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages when the script logs in as root to execute the specified remote procedure call (RPC). If you omit the parameter, the function behaves as in earlier releases in which the root UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages are included in system log files.

    [See invoke() Function (SLAX and XSLT).]

  • Python 2.7 deprecation (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—Starting in Junos OS Release 21.1R1, devices running Junos OS no longer support Python 2.7. We've deprecated the corresponding language python statement at the [edit system scripts] hierarchy level. To execute Python scripts, configure the language python3 statement at the [edit system scripts] hierarchy level, which runs the scripts using Python 3.

    [See Understanding Python Automation Scripts for Devices Running Junos OS.]

Network Management and Monitoring

  • Support for specifying the YANG modules to advertise in the NETCONF capabilities and supported schema list (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—You can configure devices to emit third-party, standard, and Junos OS native YANG modules in the capabilities exchange of a NETCONF session by configuring the appropriate statements at the [edit system services netconf hello-message yang-module-capabilities] hierarchy level. In addition, you can specify the YANG schemas that the NETCONF server should include in its list of supported schemas by configuring the appropriate statements at the [edit system services netconf netconf-monitoring netconf-state-schemas] hierarchy level.

    [See hello-message and netconf-monitoring.]

  • Support for disconnecting unresponsive NETCONF-over-SSH clients (ACX Series, EX Series, MX Series, NFX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—You can enable devices to automatically disconnect unresponsive NETCONF-over-SSH clients by configuring the client-alive-interval and client-alive-count-max statements at the [edit system services netconf ssh] hierarchy level. The client-alive-interval statement specifies the timeout interval in seconds, after which, if no data has been received from the client, the device requests a response. The client-alive-count-max statement specifies the threshold of missed client-alive responses that triggers the device to disconnect the client, thereby terminating the NETCONF session.

    [See ssh (NETCONF).]
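
An added example (not Juniper's code) that audits a set-format configuration export for three of the changes listed above: the deprecated language python statement, the NETCONF-over-SSH client-alive statements, and the MKA transmit interval on a MACsec peer of an SRX380. The sample configuration, the association name CA1, the audit function, and the full MACsec set path are assumptions made for the example.

```python
import re

# Constructed sample in "display set" format; not output from a real device.
SAMPLE_CONFIG = """\
set system scripts language python
set system services netconf ssh client-alive-interval 30
set security macsec connectivity-association CA1 mka transmit-interval 6000
"""

SRX380_MKA_MS = 2000  # default MKA transmit interval given in the release note
NETCONF_SSH = "set system services netconf ssh"


def audit(config_text, peer_of_srx380=False):
    """Return findings for one device's set-format configuration."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    # Python 2.7 removal: 'language python' is deprecated in 21.1R1.
    if "set system scripts language python" in lines:
        findings.append("scripts: deprecated 'language python', use 'language python3'")

    # NETCONF over SSH: report client-alive statements that are not set explicitly.
    netconf = [ln for ln in lines if ln.startswith(NETCONF_SSH)]
    if netconf:
        for stmt in ("client-alive-interval", "client-alive-count-max"):
            if not any(re.search(rf" {stmt} \d+$", ln) for ln in netconf):
                findings.append(f"netconf ssh: {stmt} not set explicitly")

    # MACsec peers of an SRX380 must use the same MKA transmit interval.
    # Assumed set path: ... connectivity-association <name> mka transmit-interval <ms>
    if peer_of_srx380:
        for ln in lines:
            m = re.search(r"connectivity-association (\S+) mka transmit-interval (\d+)$", ln)
            if m and int(m.group(2)) != SRX380_MKA_MS:
                findings.append(
                    f"macsec {m.group(1)}: transmit-interval {m.group(2)} ms, "
                    f"SRX380 peer expects {SRX380_MKA_MS} ms")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, peer_of_srx380=True):
        print(finding)
```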

User Interface and Configuration

  • Verbose format option to export JSON configuration data (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The Junos OS CLI exposes the verbose statement at the [edit system export-format json] hierarchy level. We changed the default format to export configuration data in JavaScript Object Notation (JSON) from verbose to ietf starting in Junos OS Release 16.1R1. You can explicitly specify the default export format for JSON configuration data by configuring the appropriate statement at the [edit system export-format json] hierarchy level. Although the verbose statement is exposed in the Junos OS CLI as of the current release, you can configure this statement starting in Junos OS Release 16.1R1.

    [See export-format.]

VPNs

  • Support for trace options log levels (SRX5400, SRX5600, and SRX5800)—You can configure the log levels using the level (all | error | info | notice | verbose | warning) statement at the [edit security ike traceoptions] hierarchy level to troubleshoot IKE issues.

    [See traceoptions.]

  • View the traffic selector type for an IPsec tunnel (SRX Series and MX Series)—You can run the show security ipsec security-associations detail command to display the traffic selector type for a VPN. The show security ipsec security-associations detail command displays proxy-id or traffic-selector as a value for the TS Type output field based on your configuration.

    [See show security ipsec security-associations.]