What’s Changed in Release 21.1R1
Flow-Based and Packet-Based Processing
- Self-generated IKE packets choose outgoing interface matching source IP address (SRX Series)—A self-generated IKE packet always selects the ECMP outgoing interface that matches the source IP address. Note that we don't support filter-based forwarding for self-generated traffic with rerouting.
General Routing
- Change in show security firewall-authentication jims operational command (SRX4600)—Starting in Junos OS Release 21.1R1, the show security firewall-authentication jims (statistics | display) operational command includes the display option. [See show security firewall-authentication jims statistics.]
- New output field added in show pfe statistics traffic command (SRX380)—Starting in Junos OS Release 21.1R1, you'll see Unicast EAPOL in the output of the show pfe statistics traffic command. [See show pfe statistics traffic.]
- Default MKA transmit interval (SRX380)—On SRX380 devices, the default MACsec Key Agreement (MKA) transmit interval is 2000 milliseconds. If you deploy an SRX380 device with another security peer device with a MACsec secure link, you must change the MKA transmit interval on the peer device to 2000 milliseconds to match the new default MKA transmit interval of the SRX380 device. [See transmit-interval (MACsec).]
Intrusion Detection and Prevention
- Intelligent offload state (SRX Series)—We've introduced a new field in the show security idp status command to see the status of the IDP Intelligent offload. [See show security idp status.]
Junos XML API and Scripting
- The jcs:invoke() function supports suppression of root login and logout events in system log files for SLAX commit scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The jcs:invoke() extension function supports the no-login-logout parameter in SLAX commit scripts. If you include the parameter, the function does not generate and log UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages when the script logs in as root to execute the specified remote procedure call (RPC). If you omit the parameter, the function behaves as in earlier releases in which the root UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages are included in system log files.
- The jcs:invoke() function supports suppression of root login and logout events in system log files for SLAX event scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The jcs:invoke() extension function supports the no-login-logout parameter in SLAX event scripts. If you include the parameter, the function does not generate and log UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages when the script logs in as root to execute the specified remote procedure call (RPC). If you omit the parameter, the function behaves as in earlier releases in which the root UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages are included in system log files.
- Python 2.7 deprecation (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—Starting in Junos OS Release 21.1R1, devices running Junos OS no longer support Python 2.7. We've deprecated the corresponding language python statement at the [edit system scripts] hierarchy level. To execute Python scripts, configure the language python3 statement at the [edit system scripts] hierarchy level so that the scripts run under Python 3. [See Understanding Python Automation Scripts for Devices Running Junos OS.]
Network Management and Monitoring
- Support for specifying the YANG modules to advertise in the NETCONF capabilities and supported schema list (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—You can configure devices to emit third-party, standard, and Junos OS native YANG modules in the capabilities exchange of a NETCONF session by configuring the appropriate statements at the [edit system services netconf hello-message yang-module-capabilities] hierarchy level. In addition, you can specify the YANG schemas that the NETCONF server should include in its list of supported schemas by configuring the appropriate statements at the [edit system services netconf netconf-monitoring netconf-state-schemas] hierarchy level. [See hello-message and netconf-monitoring.]
- Support for disconnecting unresponsive NETCONF-over-SSH clients (ACX Series, EX Series, MX Series, NFX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—You can enable devices to automatically disconnect unresponsive NETCONF-over-SSH clients by configuring the client-alive-interval and client-alive-count-max statements at the [edit system services netconf ssh] hierarchy level. The client-alive-interval statement specifies the timeout interval in seconds, after which, if no data has been received from the client, the device requests a response. The client-alive-count-max statement specifies the threshold of missed client-alive responses that triggers the device to disconnect the client, thereby terminating the NETCONF session. [See ssh (NETCONF).]
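The following Python script is an added example, not part of the Juniper release notes: it audits a configuration in set format for the deprecated language python statement and for the NETCONF-over-SSH client-alive statements described above. The sample configuration is constructed, requiring both client-alive statements to be set explicitly is this example's own policy, and the interval times count-max idle bound is an approximation.

```python
import re

# Constructed sample in "display set" format (not taken from a real device).
SAMPLE_CONFIG = """\
set system host-name lab-srx
set system scripts language python
set system services netconf ssh client-alive-interval 30
"""

NETCONF_SSH = "set system services netconf ssh"
KEEPALIVE = re.compile(
    re.escape(NETCONF_SSH) + r" (client-alive-interval|client-alive-count-max) (\d+)"
)


def audit(config_text):
    """Return (findings, idle_bound_seconds) for a set-format configuration."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    # Python 2.7 deprecation: exact match, so 'language python3' is not flagged.
    if "set system scripts language python" in lines:
        findings.append("deprecated 'language python'; configure 'language python3'")

    # Is NETCONF over SSH enabled at all?
    enabled = any(ln == NETCONF_SSH or ln.startswith(NETCONF_SSH + " ") for ln in lines)
    values = {}
    for ln in lines:
        m = KEEPALIVE.fullmatch(ln)
        if m:
            values[m.group(1)] = int(m.group(2))

    idle_bound = None
    if enabled:
        # Policy assumed by this example: both statements must be set explicitly.
        for stmt in ("client-alive-interval", "client-alive-count-max"):
            if stmt not in values:
                findings.append(f"netconf ssh: '{stmt}' not set explicitly")
        if len(values) == 2:
            # Approximation: the device probes every interval and gives up
            # after count-max missed responses.
            idle_bound = values["client-alive-interval"] * values["client-alive-count-max"]
    return findings, idle_bound


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)[0]:
        print(finding)
```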
User Interface and Configuration
- Verbose format option to export JSON configuration data (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The Junos OS CLI exposes the verbose statement at the [edit system export-format json] hierarchy level. We changed the default format to export configuration data in JavaScript Object Notation (JSON) from verbose to ietf starting in Junos OS Release 16.1R1. You can explicitly specify the default export format for JSON configuration data by configuring the appropriate statement at the [edit system export-format json] hierarchy level. Although the verbose statement is exposed in the Junos OS CLI as of the current release, you can configure this statement starting in Junos OS Release 16.1R1. [See export-format.]
VPNs
- Support for trace options log levels (SRX5400, SRX5600, and SRX5800)—You can configure the log levels using the level (all | error | info | notice | verbose | warning) statement at the [edit security ike traceoptions] hierarchy level for troubleshooting IKE issues. [See traceoptions.]
- View the traffic selector type for an IPsec tunnel (SRX Series and MX Series)—You can run the show security ipsec security-associations detail command to display the traffic selector type for a VPN. The show security ipsec security-associations detail command displays proxy-id or traffic-selector as a value for the TS Type output field based on your configuration.