
Key Features in Junos OS Release 21.2

Start here to learn about the key features in Junos OS Release 21.2. For more information about a feature, click the link in the feature description.

  • AutoVPN PSK support (SRX5000 line of devices with SPC3 card and vSRX)—To enable the VPN gateway to use a different IKE preshared key (PSK) for authenticating each remote peer, use the new CLI commands seeded-pre-shared-key ascii-text or seeded-pre-shared-key hexadecimal under the [edit security ike policy policy_name] hierarchy level. See policy.

    To enable the VPN gateway to use the same IKE PSK for authenticating all remote peers, use the existing CLI commands pre-shared-key ascii-text or pre-shared-key hexadecimal.

    We also introduce an optional configuration to bypass the IKE ID validation. Use the general-ikeid configuration statement under the [edit security ike gateway gateway_name dynamic] hierarchy level to bypass the IKE ID validation. If you enable this option, then during authentication of the remote peer, the SRX Series device and vSRX skip the IKE ID validation and accept all IKE ID types (hostname, user@hostname). See general-ikeid.

    [See AutoVPN on Hub-and-Spoke Devices and Example: Configuring AutoVPN with Pre-Shared Key.]

  • Display dynamic-applications and URL category hit counts in a security policy (NFX Series and SRX Series)—Starting in Junos OS Release 21.2R1, we've enhanced the show security policies hit-count command to include the dynamic applications and URL categories options. You can now display the utility rate of the policy according to the number of hits for the dynamic applications and URL categories.

    [See show security policies hit-count.]

  • cSRX support on AWS (cSRX)—Starting in Junos OS Release 21.2R1, you can deploy cSRX Container Firewall in Amazon Web Services (AWS) Cloud using Amazon Elastic Kubernetes Services (Amazon EKS), which is a fully managed Kubernetes service.

    With cSRX, you can also set up automated service provisioning and orchestration, distributed and multitenant traffic security, centralized management with Juniper® Security Director (including dynamic policy and address update, remote log collections, security events monitoring), and scalable security services with small footprints.

    cSRX is available with a 60-day free trial evaluation license (S-CSRX-A1 SKU). The evaluation license in cSRX expires after 60 days.

    You can purchase a bring-your-own-license (BYOL) license from Juniper Networks or a Juniper Networks authorized reseller to use the software features on the cSRX. Use this license to customize your license, subscription, and support.

    [See cSRX Deployment Guide for AWS and Flex Software License for cSRX.]

  • DNS DGA and tunnel detection (SRX Series)—Starting in Junos OS Release 21.2R1, you can configure DNS Domain Generation Algorithm (DGA) detection and DNS tunnel detection. This feature enables you to block the malicious domains and DNS-tunneled requests or responses generated by infected hosts and command-and-control (C&C) servers. DGA periodically generates a large number of domain names that are used as rendezvous points (RPs) with their C&C servers. DNS tunneling is a cyberattack method that encodes the data of malicious programs or protocols in DNS queries and responses.

    Use the set security-metadata-streaming policy policy-name detections dga and set security-metadata-streaming policy policy-name detections tunneling commands at the [edit services] hierarchy to configure DNS DGA and tunneling detections.

    [See security-metadata-streaming.]
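
The two traffic patterns described in the DNS DGA and tunnel detection entry above, as an added Python example that is not Juniper code and does not reproduce the detection logic in Junos OS: it scores a constructed query log with simple entropy and subdomain-length heuristics. The thresholds, client addresses, and domain names are assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log of (client, queried name); not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.intranet.test"),
    ("10.0.0.5", "internationalization.example"),  # long but natural label
    ("10.0.0.5", "a.cdn.example"), ("10.0.0.5", "b.cdn.example"),
    ("10.0.0.5", "c.cdn.example"), ("10.0.0.5", "d.cdn.example"),
    # One host resolving several random-looking registered domains (DGA-like).
    ("10.0.0.7", "qx7vk2mzpw9rtj4h.test"),
    ("10.0.0.7", "b8nd3yfs6gl1uc0e.test"),
    ("10.0.0.7", "w5hj9rka2tzm4xpv.test"),
    ("10.0.0.7", "www.intranet.test"),
    # One host sending long, unique labels under one parent (tunnel-like).
    ("10.0.0.9", "nbswy3dpeb3w64tmmqqhi2djomqgs4y.relay.example"),
    ("10.0.0.9", "orugs4zanfzsaylomrxw2idbnzsca3.relay.example"),
    ("10.0.0.9", "mfzwkidborugkidtn5wwk5dinfxgo2.relay.example"),
    ("10.0.0.9", "on2hezlbnvsw45dfmrsxg5dbojugs.relay.example"),
    ("10.0.0.9", "ojswm33sme2gc3tenb2w45dfon2a.relay.example"),
]


def shannon_entropy(text):
    """Bits per character of the character distribution in text."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def split_name(qname):
    """Return (subdomain, registered domain).

    Assumption: the registered domain is the last two labels. A production
    parser would consult the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def looks_generated(label, min_len=12, min_entropy=3.5):
    """Long labels with a near-uniform character mix resemble DGA output."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def detect_dga(queries, min_domains=3):
    """Clients that resolved at least min_domains distinct generated-looking domains."""
    per_client = defaultdict(set)
    for client, qname in queries:
        _, domain = split_name(qname)
        if looks_generated(domain.split(".")[0]):
            per_client[client].add(domain)
    return {c: sorted(d) for c, d in per_client.items() if len(d) >= min_domains}


def detect_tunneling(queries, min_unique=4, min_avg_len=24):
    """(client, parent domain) pairs with many long, unique subdomains."""
    subs = defaultdict(set)
    for client, qname in queries:
        sub, domain = split_name(qname)
        if sub:
            subs[(client, domain)].add(sub)
    flagged = {}
    for key, names in subs.items():
        avg_len = sum(len(s) for s in names) / len(names)
        # Both conditions are required: a CDN with many short host names
        # has high cardinality but carries no payload in the labels.
        if len(names) >= min_unique and avg_len >= min_avg_len:
            flagged[key] = {"unique_subdomains": len(names), "avg_len": round(avg_len, 1)}
    return flagged


if __name__ == "__main__":
    print("DGA-like clients:", detect_dga(SAMPLE_QUERIES))
    print("Tunnel-like flows:", detect_tunneling(SAMPLE_QUERIES))
```

Counting distinct names per client, rather than judging a single query, is what keeps one odd but legitimate lookup from raising an alert.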

  • End-of-message notification for Routing Engine sensors (EX2300, EX4300, EX4300-MP, EX9200, MX240, MX960, MX10016, MX2010, MX2020, PTX1000, PTX3000, PTX10001, QFX5100, QFX5110, QFX5120, and QFX10002)—Starting in Junos OS Release 21.2R1, we've introduced an end-of-message (EoM) Boolean flag for all Junos telemetry interface (JTI) Routing Engine sensors. The flag notifies the collector that the current wrap has completed for a particular sensor path. A wrap is a complete key-value data dump for all the leaves under a sensor path.

    The EoM flag also enables the collector to detect when the end of wrap occurs without having to compare stream creation timestamp values that the collector receives from the packets. Comparing timestamp values is costly time-wise and delays data aggregation.

    To use this feature with gRPC Network Management Interface (gNMI) transport or Remote Procedure Call (gRPC), retrieve the protobuf files from the relevant branch on the Juniper Networks download site:

    • GnmiJuniperTelemetryHeaderExtension.proto (gNMI)
    • agent.proto (for gRPC)

    For example: https://github.com/Juniper/telemetry/blob/master/20.3/20.3R1/protos/GnmiJuniperTelemetryHeaderExtension.proto.

    After you download and install the new protobuf files on a collector, the EoM field is present in the packets received.

    [See Understanding OpenConfig and gRPC on Junos Telemetry Interface.]

  • Mellanox support (vSRX 3.0)—Starting in Junos OS Release 21.2R1, vSRX 3.0 instances that you deploy on VMware and kernel-based virtual machine (KVM) support the Mellanox ConnectX-4 and ConnectX-5 family adapters.

    [See vSRX Deployment for KVM.]

  • Optimized inter-subnet multicast support with symmetric bridge domain configuration in an EVPN-VXLAN fabric (QFX5110, QFX5120, QFX10002-36Q, and QFX10002-72Q)—Starting in Junos OS Release 21.2R1, you can configure optimized inter-subnet multicast (OISM) on leaf devices and border leaf devices in an EVPN-VXLAN edge-routed bridging overlay fabric. This feature helps optimize the routing of multicast traffic across VLANs in an EVPN tenant domain. This feature uses a supplemental bridge domain (SBD) and a multicast VLAN (MVLAN) to route multicast traffic from or to devices outside of the fabric. This feature also works with existing IGMP snooping and selective multicast (SMET) forwarding optimizations to minimize replication in the EVPN core when bridging within tenant VLANs.

    With this implementation, you must enable OISM and IGMP snooping on all the leaf and border leaf devices in the EVPN-VXLAN fabric. You also must configure the SBD and all tenant VLANs symmetrically on all leaf and border leaf devices in the fabric.

    You can use OISM with:

    • EVPN on the default-switch instance with VLAN-aware bundle service model (Layer 2)
    • Routing instances of type vrf (Layer 3)
    • EVPN single-homing or multihoming (all-active mode)
    • IGMPv2
    • Multicast sources and receivers within the EVPN data center
    • Multicast sources and receivers outside the EVPN data center that are reachable through the border leaf devices

  • Enhanced CFM support (ACX5448, ACX5448-M, and ACX5448-D)—Starting in Junos OS Release 21.2R1, you can enable the performance monitoring responder functionality without enabling the transmission of continuity check messages (CCM). To do so, configure the new configuration statement send-zero-interval-ccm under the [edit protocols oam ethernet connectivity-fault-management] hierarchy level. After you configure the statement, if continuity-check is not enabled, CCMs are not transmitted, but the device is still programmed to receive the CFM packets for that maintenance endpoint (MEP) level.

    [See IEEE 802.1ag OAM Connectivity Fault Management Overview and connectivity-fault-management (EX Series Switch Only).]

  • Enhancements to prefix-limit and accepted-prefix-limit configuration statements, and updates to show bgp neighbor command (ACX1000, EX9200, MX Series, PTX5000, and QFX10002)—Starting in Junos OS Release 21.2R1, the prefix-limit and accepted-prefix-limit configuration statements include the following options:

    • drop-excess <percentage>—If you include the drop-excess <percentage> option and specify a percentage, the excess routes are dropped when the number of prefixes exceeds the specified percentage.
    • hide-excess <percentage>—If you include the hide-excess <percentage> option and specify a percentage, the excess routes are hidden when the number of prefixes exceeds the specified percentage.

    The show bgp neighbor command has been enhanced to display the following additional information:

    • Count of prefixes that are dropped or hidden based on network layer reachability information (NLRI) when the maximum allowed prefixes threshold is exceeded.
    • Alerts when a peer starts to drop or hide routes.
    • Configuration details of the prefix-limit and accepted-prefix-limit configuration statements.

    [See prefix-limit, accepted-prefix-limit, show bgp neighbor, and Multiprotocol BGP.]

  • TCP proxy short-circuit (SRX Series)—Starting in Junos OS Release 21.2R1, for a session with an active TCP proxy plug-in, the SRX Series device disables TCP proxy if there is no further requirement for the TCP proxy plug-in based on the user-defined configuration or the state of the flow. This enhancement significantly improves the session flow performance.

  • Automated Express Path+ (SRX4600, SRX5400, SRX5600, and SRX5800)—To enable Express Path+ (formerly known as services offloading) in releases before Junos OS Release 21.2R1, administrators need to manually define individual policies that they want to accelerate with network processing (NP) ASICs. Starting in Junos OS Release 21.2R1, administrators can use automated Express Path+ on the listed SRX Series devices to automatically offload all the eligible sessions to the ASIC network processors. This enhancement significantly improves the session flow performance.

    Automated Express Path+ requires underlying network processor cache (NP-cache) infrastructure. Starting in Junos OS Release 21.2R1, we've enabled NP-cache by default on the SRX5000 line of devices. Before this release, the SRX4600 had NP-cache enabled by default.

    [See Express Path.]

  • Juniper Agile Licensing (EX2300, EX3400, EX4300, and EX4400)—Starting in Junos OS Release 21.2R1, the listed EX Series switches support Juniper Agile Licensing.

    Juniper Agile Licensing provides simplified and centralized license administration and deployment. You can use Juniper Agile Licensing to install and manage licenses for hardware and software features.

    Juniper Agile Licensing supports soft enforcement and hard enforcement of hardware and software feature licenses.

    • With soft enforcement, if you configure a feature without a license, Junos OS displays a warning when you commit the configuration. However, the feature remains operational. In addition, Junos OS generates periodic alarms indicating that you need the license to use the feature. You can see the list of alarms at System Log Explorer.

    • With hard enforcement, if you configure a feature without a license, Junos OS displays a warning when you commit the configuration. The feature is not operational until the license is installed. In addition, Junos OS generates periodic syslog messages indicating that you need the license to use the feature. You can see the list of syslog messages at System Log Explorer.

    Table 1 describes the licensing support for soft-enforced features on EX2300 switches.

    Table 1: Licensed Features on EX2300 switches

    License Model: Standard
    Use Case Examples or Solutions: Campus and access Layer 2 or Layer 3
    Feature List:

    • Layer 2 and Layer 3 filters

    • Layer 2 (xSTP, 802.1Q, and LAG)

    • Layer 2 and Layer 3 QoS

    • Layer 3 (static)

    • IGMP snooping

    • Operation, Administration, and Maintenance (OAM) link fault management (LFM)

    • Q-in-Q

    • sFlow

    • SNMP

    • Junos telemetry interface (JTI)

    • Virtual Chassis*

    License Model: Advanced
    Use Case Examples or Solutions: Campus and access Layer 2 or Layer 3
    Feature List:

    • Bidirectional Forwarding Detection (BFD)

    • IGMP version 1, IGMP version 2, and IGMP version 3

    • IPv6 routing protocols: Multicast Listener Discovery (MLD) version 1 and MLD version 2, OSPF version 3, PIM multicast, VRRP version 3

    • Multicast Source Discovery protocol (MSDP)

    • OAM and Maintenance CFM

    • OSPF version 2 or OSPF version 3

    • Protocol Independent Multicast (PIM) dense mode, PIM source-specific mode, PIM sparse mode

    • Real-time performance monitoring (RPM)

    • RIP IPv6 (RIPng)

    • VRRP

    Virtual Chassis*—We've included Virtual Chassis license in the Standard license model on EX2300-C 12-port switches. However, we don't include the Virtual Chassis license on EX2300 24-port and 48-port switch models. You need to purchase the license separately.

    Table 2 describes the licensing support for soft-enforced features on EX3400 switches.

    Table 2: Licensed Features on EX3400 switches

    License Model: Standard
    Use Case Examples or Solutions: Campus and access Layer 2 or Layer 3
    Feature List:

    • Layer 2 and Layer 3 filters

    • Layer 2 (xSTP, 802.1Q, and LAG)

    • Layer 2 and Layer 3 QoS

    • Layer 3 (static)

    • IGMP snooping

    • Operations, Administration, and Maintenance (OAM) link fault management (LFM)

    • Q-in-Q

    • sFlow

    • SNMP

    • Junos telemetry interface (JTI)

    • Virtual Chassis

    License Model: Advanced
    Use Case Examples or Solutions: Campus and access Layer 2 or Layer 3
    Feature List:

    • Bidirectional Forwarding Detection (BFD)

    • IGMP version 1, IGMP version 2, and IGMP version 3

    • IPv6 routing protocols: Multicast Listener Discovery (MLD) version 1 and MLD version 2, OSPF version 3, PIM multicast, VRRP version 3, and virtual router support for unicast

    • Filter-based forwarding (FBF)
    • Multicast Source Discovery protocol (MSDP)

    • OAM CFM

    • OSPF version 2 or OSPF version 3

    • Protocol Independent Multicast (PIM) dense mode, PIM source-specific mode, PIM sparse mode

    • Real-time performance monitoring (RPM)

    • RIP IPv6 (RIPng)

    • Unicast reverse-path forwarding (unicast RPF)

    • Virtual router

    • VRRP

    License Model: Premium
    Use Case Examples or Solutions: Campus and access Layer 3
    Feature List:

    • Bidirectional Forwarding Detection (BFD)

    • IGMP version 1, IGMP version 2, and IGMP version 3

    • IPv6 routing protocols: Multicast Listener Discovery (MLD) version 1 and MLD version 2, OSPF version 3, PIM multicast, VRRPv3, virtual router support for unicast, and FBF

    • Multicast Source Discovery Protocol (MSDP)

    • OAM CFM

    • OSPF version 2 or OSPF version 3

    • Protocol Independent Multicast (PIM) dense mode, PIM source-specific mode, PIM sparse mode

    • Real-time performance monitoring (RPM)

    • RIP IPv6 (RIPng)

    • Unicast reverse-path forwarding (unicast RPF)

    • Virtual router

    • VRRP

    • BGP and multiprotocol BGP (MBGP)

    • IS-IS

    Table 3 describes the licensing support for soft-enforced features on EX4300 switches.

    Table 3: Licensed Features on EX4300 switches

    License Model: Standard
    Use Case Examples or Solutions: Campus and access Layer 2 or Layer 3
    Feature List:

    • Layer 2 and Layer 3 filters

    • Layer 2 (xSTP, 802.1Q, and LAG)

    • Layer 2 and Layer 3 QoS

    • Layer 3 (static)

    • IGMP snooping

    • Operations, Administration, and Maintenance (OAM) link fault management (LFM)

    • Q-in-Q

    • sFlow

    • SNMP

    • Junos telemetry interface (JTI)

    • Virtual Chassis

    License Model: Advanced
    Use Case Examples or Solutions: Campus and access Layer 2 or Layer 3
    Feature List:

    • Bidirectional Forwarding Detection (BFD)

    • IGMP version 1, IGMP version 2, and IGMP version 3

    • Multicast Source Discovery protocol (MSDP)

    • OAM CFM

    • OSPF version 2 or OSPF version 3

    • FBF

    • Protocol Independent Multicast (PIM) dense mode, PIM source-specific mode, PIM sparse mode

    • Real-time performance monitoring (RPM)

    • RIP IPv6 (RIPng)

    • Unicast reverse-path forwarding (unicast RPF)

    • Virtual router

    • VRRP

    License Model: Premium
    Use Case Examples or Solutions: Campus and access Layer 3
    Feature List:

    • Bidirectional Forwarding Detection (BFD)

    • CFM (IEEE 802.1ag)

    • IGMP version 1, IGMP version 2, and IGMP version 3

    • Multicast Source Discovery Protocol (MSDP)

    • OAM CFM

    • OSPF version 2 or OSPF version 3

    • FBF

    • Protocol Independent Multicast (PIM) dense mode, PIM source-specific mode, PIM sparse mode

    • Real-time performance monitoring (RPM)

    • RIP IPv6 (RIPng)

    • Unicast reverse-path forwarding (unicast RPF)

    • Virtual router

    • VRRP

    • BGP and multiprotocol BGP (MBGP)

    • IS-IS

    • EVPN-VXLAN

      • Supported only on EX4300-48MP switch.

      • Requires the BGP for configuration.

    Table 4 describes the licensing support for soft-enforced features on EX4400 switches.

    Table 4: Licensed Features on EX4400 switches

    License Model: Standard
    Use Case Examples or Solutions: Campus and access Layer 2 or Layer 3
    Feature List:

    • Layer 2 and Layer 3 filters

    • Layer 2 (xSTP, 802.1Q, and LAG)

    • Layer 2 and Layer 3 QoS

    • Layer 3 (static)

    • IGMP snooping

    • Operations, Administration, and Maintenance (OAM) link fault management (LFM)

    • Q-in-Q

    • sFlow

    • SNMP

    • Junos telemetry interface (JTI)

    • Virtual Chassis

    License Model: Advanced
    Use Case Examples or Solutions: Campus and access Layer 2 or Layer 3
    Feature List:

    • Bidirectional Forwarding Detection (BFD)

    • IGMP version 1, IGMP version 2, and IGMP version 3

    • Multicast Source Discovery protocol (MSDP)

    • OAM CFM

    • OSPF version 2 or OSPF version 3

    • FBF

    • Protocol Independent Multicast (PIM) dense mode, PIM source-specific mode, PIM sparse mode

    • Real-time performance monitoring (RPM)

    • RIP IPv6 (RIPng)

    • Unicast reverse-path forwarding (unicast RPF)

    • Virtual router

    • VRRP

    License Model: Premium
    Use Case Examples or Solutions: Campus and access Layer 3
    Feature List:

    • Bidirectional Forwarding Detection (BFD)

    • CFM (IEEE 802.1ag)

    • IGMP version 1, IGMP version 2, and IGMP version 3

    • Multicast Source Discovery Protocol (MSDP)

    • OAM CFM

    • OSPF version 2 or OSPF version 3

    • FBF

    • Protocol Independent Multicast (PIM) dense mode, PIM source-specific mode, PIM sparse mode

    • Real-time performance monitoring (RPM)

    • RIP IPv6 (RIPng)

    • Unicast reverse-path forwarding (unicast RPF)

    • Virtual router

    • VRRP

    • BGP and multiprotocol BGP (MBGP)

    • IS-IS

    • EVPN-VXLAN

      • Requires the BGP for configuration.

    On EX4400 switches, the flow-based telemetry and MACsec features are hard-enforced. You'll need a license to use these features.

    [See Flex Software License for EX Series Switches, Juniper Agile Licensing Guide, and Configuring Licenses in Junos OS.]

  • Junos Multi-Access User Plane support for 5G user plane function (MX204, MX240, MX480, MX960, and MX10003)—Starting in Junos OS Release 21.2R1, Junos Multi-Access User Plane supports routers functioning as user plane functions (UPFs) in accordance with 3GPP Release 15 CUPS architecture. This provides high-throughput 5G fixed and mobile wireless service in non-standalone (NSA) mode. This includes support for the following:

    • N3, N4, N6, and N9 interface support
    • Roaming through the N9 interface
    • GPRS tunneling protocol, user plane (GTP-U) tunneling to the control plane
    • QoS Flow ID (QFI) support for 5G QoS flows

    [See Junos Multi-Access User Plane Overview.]

  • RSVP-TE supports preempting secondary LSPs that are signaled but not active (MX Series and PTX Series)—Starting in Junos OS Release 21.2R1, you can configure the hold priority of the secondary standby label-switched path (LSP) for RSVP-Traffic Engineering (RSVP-TE). The hold priority is used to determine whether the standby non-active LSP can be preempted. This helps bring up non-standby secondary path LSPs that have a higher setup priority but cannot come up because of insufficient bandwidth. To configure the non-active hold priority value for a secondary standby path, use the non-active-hold-priority statement at the [edit protocols mpls label-switched-path <lsp-name>] hierarchy level. You can set the priority from 0 through 7, where 0 is the highest priority and 7 is the lowest.

  • Unified policy support for firewall user authentication (SRX Series and vSRX)—Starting in Junos OS Release 21.2R1, we support firewall user authentication in a security policy with dynamic applications (unified policy). You can configure pass-through or web authentication in the unified policy to restrict or permit users to access network resources.

    Firewall user authentication support in the unified policy provides an additional layer of protection in a network with dynamic traffic changes.

    [See Configure Firewall User Authentication with Unified Policies.]

  • Secure packet capture to cloud (EX4400)—Starting in Junos OS Release 21.2R1, we support secure packet capture using Junos telemetry interface (JTI). You can use this feature to capture packets from a device and send them over a secure channel to an external collector (in the cloud) for monitoring and analysis. The maximum size of the packet you can capture is 128 bytes, including the packet header and the data within. Network professionals use real-time packet capture data to troubleshoot complex issues such as network and performance degradation and poor end-user experience.

    To use secure packet capture, include the /junos/system/linecard/packet-capture resource path using a Junos RPC call.

    For ingress packet capture, include the packet-capture option in the existing firewall filter configuration at the [edit firewall family family-name filter filter-name term match-term then packet-capture] hierarchy level. Do this before you send packet capture sensor data to the collector and remove the packet-capture configuration after data is sent to the collector. After the capture is done, ingress packets with the filter match conditions are trapped to the CPU. The trapped packets then go to the collector over a secure channel in JTI-specified format in key-value pairs by means of Remote Procedure Call (gRPC) transport.

    For egress packet capture on physical interfaces (ge-*, xe-*, mge-*, and et-*), include "packet-capture-telemetry," "egress," and "interface <interface-name>" at the [edit forwarding-options] hierarchy level. For example:

    set forwarding-options packet-capture-telemetry egress interface ge-0/0/0

    set forwarding-options packet-capture-telemetry egress interface ge-0/0/10

    You can add multiple interfaces on the device for egress packet capture. When configured, host-bound egress packets are captured from the interface and sent to the collector. As with the ingress configuration, remove the configuration when packet capture is not required.

  • G.8275.1 Telecom profile and PTP over Ethernet encapsulation support (ACX2100 and ACX2200)—Starting in Junos OS Release 21.2R1, ACX2100 and ACX2200 routers support Precision Time Protocol (PTP) over Ethernet encapsulation and G.8275.1 Telecom profile.

    The G.8275.1 Telecom profile supports the architecture defined in ITU-T G.8275 to enable the distribution of phase and time with full timing support. This profile requires all devices in the network to operate in combined or hybrid modes, which means that PTP and Synchronous Ethernet are enabled on all devices.

    PTP over Ethernet enables the effective implementation of packet-based technology that enables the operator to deliver synchronization services on packet-based mobile backhaul networks.

    [See G.8275.1 Telecom Profile and Precision Time Protocol Overview.]

  • Hardware-assisted inline BFD (QFX5120-32C and QFX5120-48Y)—Starting in Junos OS Release 21.2R1, we support a hardware implementation of the inline BFD protocol in firmware form. The ASIC firmware handles most of the BFD protocol processing. The firmware uses existing paths to forward any BFD events that must be processed by protocol processes. The ASIC firmware processes the packets more quickly than the software, so hardware-assisted inline BFD sessions can have keepalive intervals of less than a second. These platforms support this feature for single-hop and multihop IPv4 and IPv6 BFD sessions.

    [See ppm and Bidirectional Forwarding Detection (BFD).]

  • Interoperability of MPC10E with MX-SPC3 for IPSec services steering (MX240, MX480, and MX960)—Starting in Junos OS Release 21.2R1, the MPC10E-15C-MRATE and MPC10E-10C-MRATE interoperate with the MX-SPC3 card to enable the packet forwarding path that steers packets to the MX-SPC3 card. The MPC10E line card can perform the ingress or the egress processing for IPSec services packets through the st0 and vms interfaces, nexthops, and the routes programmed in the line card.

    [See MPC10E-15C-MRATE and MPC10E-10C-MRATE.]

  • Interoperability of MPC10E with MX-SPC3 to support TLB (MX240, MX480, and MX960)—Starting in Junos OS Release 21.2R1, the MPC10E-15C-MRATE and the MPC10E-10C-MRATE interoperate with the MX-SPC3 card to support traffic load balancing. Using the Traffic Load Balancer (TLB) application, you can distribute traffic among multiple servers in a server group and perform health checks to determine whether any servers should not receive traffic. TLB supports multiple VPN routing and forwarding (VRF) instances.

    [See Traffic Load Balancer Overview.]

  • Support for BGP MVPN (ACX710 routers)—Starting in Junos OS Release 21.2R1, ACX710 routers support BGP multicast virtual private network (MVPN) (also known as next-generation (NG) MVPN). You can configure multipoint LDP provider tunnels as the data plane for intra-AS BGP MVPNs. ACX710 routers do not support extranet MVPN.

    [See Multiprotocol BGP MVPNs Overview.]

  • Increased memory allocation for Junos VM (MX204)—Starting in Junos OS Release 21.2R1, we support increased memory allocation for Junos VM. The available VM size options are default (16GB) and high (24GB). After you update the VM size, you must perform a system reboot using the request vmhost reboot statement.

    Before you increase the memory, contact Juniper Networks technical support to learn which use cases we support. After the memory upgrade, if you want to downgrade the Junos OS image, revert the VM memory to default and perform a system reboot using the request vmhost reboot command.

    [See VM Host Overview.]

  • TLS version 1.3 support for SSL proxy (SRX Series)—Starting in Junos OS Release 21.2R1, Secure Sockets Layer (SSL) proxy supports the Transport Layer Security (TLS) protocol version 1.3, which provides improved security and better performance. TLS version 1.3 supports the following cipher suites:

    • TLS_AES_256_GCM_SHA384

    • TLS_AES_128_GCM_SHA256

    • TLS_CHACHA20_POLY1305_SHA256

    • TLS_AES_128_CCM_SHA256

    • TLS_AES_128_CCM_8_SHA256

    [See SSL Proxy.]