What’s Changed in Release 21.4R3
Flow-Based and Packet-Based Processing
- Unable to connect with OCSP server for revocation check (SRX Series devices and vSRX)—When performing a revocation check using OCSP, the SRX device does not attempt to connect to the OCSP server when the OCSP server URL contains a domain name that the DNS server cannot resolve. In this case, because the SRX device cannot establish a connection to the OCSP server, the OCSP revocation check either allows the certificate or falls back to using the CRL, depending on which of the following configuration options is set:

  set security pki ca-profile OCSP-ROOT revocation-check ocsp connection-failure disable

  set security pki ca-profile OCSP-ROOT revocation-check ocsp connection-failure fallback-crl

  When the SRX device cannot establish a connection to the OCSP server and neither of these options is configured, the certificate validation fails.

  [See ocsp (Security PKI).]
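The decision above depends on whether the responder's hostname resolves at all, so the check an operator wants before enabling OCSP on a ca-profile is "does this URL's host resolve from the DNS server the device uses, and what happens if it does not?". The following Python is an added example, not Juniper code: it models the behaviour the note describes (resolvable name: the OCSP query is attempted; unresolvable name: the outcome follows the connection-failure setting, or validation fails when neither option is set). The resolver is injectable, and the DNS answers used in the demo are constructed (ocsp.example.net resolves, ocsp.missing.example does not); the policy names are the CLI keywords from the note, the outcome labels are this example's own.

```python
"""Pre-check an OCSP responder URL and apply the SRX connection-failure policy.

Added example, not Juniper code. It models the release-note behaviour so an
operator can see, before committing a ca-profile, what happens when the OCSP
URL's hostname does not resolve. The resolver is injectable so the logic can
be exercised offline with constructed DNS answers.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Values of "revocation-check ocsp connection-failure". None models the option
# not being configured, which the release note says fails validation.
VALID_POLICIES = {None, "disable", "fallback-crl"}


def ocsp_host(ocsp_url):
    """Return the hostname (or IP literal) from an HTTP OCSP responder URL."""
    parsed = urlparse(ocsp_url)
    if parsed.scheme != "http" or not parsed.hostname:
        raise ValueError(f"not an HTTP OCSP responder URL: {ocsp_url!r}")
    return parsed.hostname


def host_resolves(host, resolver=socket.getaddrinfo):
    """True if host is an IP literal or the resolver returns an address for it."""
    try:
        ipaddress.ip_address(host)
        return True  # IP literal: no DNS lookup is needed
    except ValueError:
        pass
    try:
        return bool(resolver(host, 80))
    except socket.gaierror:
        return False


def revocation_outcome(ocsp_url, connection_failure=None, resolver=socket.getaddrinfo):
    """Model the SRX decision for one responder URL and one policy setting.

    Returns "ocsp" when the responder name resolves (the OCSP query is
    attempted), otherwise "allow", "crl" or "fail" per the configured
    connection-failure option (labels are this example's own).
    """
    if connection_failure not in VALID_POLICIES:
        raise ValueError(f"unknown connection-failure policy: {connection_failure!r}")
    if host_resolves(ocsp_host(ocsp_url), resolver):
        return "ocsp"          # DNS answered; the device contacts the responder
    if connection_failure == "disable":
        return "allow"         # revocation check skipped, certificate accepted
    if connection_failure == "fallback-crl":
        return "crl"           # revocation is checked against the CRL instead
    return "fail"              # neither option configured: validation fails


def constructed_resolver(known=("ocsp.example.net",)):
    """Constructed stand-in for the device's DNS server, for offline use."""
    def resolve(host, port, *args):
        if host in known:
            return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", port))]
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


if __name__ == "__main__":
    dns = constructed_resolver()
    cases = [("http://ocsp.example.net/", None),
             ("http://ocsp.missing.example/", None),
             ("http://ocsp.missing.example/", "disable"),
             ("http://ocsp.missing.example/", "fallback-crl"),
             ("http://192.0.2.10/", None)]
    for url, policy in cases:
        print(f"{url:32} connection-failure={policy!s:13} -> {revocation_outcome(url, policy, dns)}")
```

Replacing `constructed_resolver()` with the default `socket.getaddrinfo` runs the same pre-check against the host's real resolver; to reflect what the SRX will see, run it from a host that uses the same DNS server the device is configured with.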
- Changes to TCP-MSS override priority for GRE (SRX Series and vSRX 3.0)—On SRX Series firewalls and vSRX virtual firewalls, the Transmission Control Protocol maximum segment size (TCP-MSS) override might not take effect in GRE over IPsec (GREoIPsec) scenarios. This can cause more fragmentation in the network because GREoIPsec traffic is not modified for TCP-MSS. To ensure that TCP-MSS works with GREoIPsec, the MSS applied to TCP traffic now follows this priority order (highest to lowest):

  - gre-in and gre-out, based on direction, for GREoIPsec TCP traffic.
  - ipsec-vpn for GREoIPsec and IPsec traffic.
  - all-tcp for all TCP traffic.
Network Management and Monitoring

- Changes to the NETCONF <edit-config> RPC response (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—When the <edit-config> operation returns an error, the NETCONF server does not emit a <load-error-count> element in the RPC response. In earlier releases, the <edit-config> RPC response included the <load-error-count> element when the operation failed.
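Automation that inspected <load-error-count> to decide whether an <edit-config> failed will no longer see that element on 21.4R3. The following Python is an added example, not Juniper code: it evaluates an <edit-config> reply from the <rpc-error> elements that NETCONF (RFC 6241) carries on failure, which works on both the old and the new reply shape, and only reports the legacy count when it happens to be present. The sample replies are constructed for this example; the placement of <load-error-count> as a child of <rpc-reply> in the old-style sample is an assumption, which is why the parser searches the whole reply rather than a fixed path.

```python
"""Interpret an <edit-config> rpc-reply without depending on <load-error-count>.

Added example, not Juniper code. Error detection is based on <rpc-error>
elements, so the same parser handles replies from releases before and after
21.4R3. Sample replies below are constructed for this example.
"""
import xml.etree.ElementTree as ET

NC_NS = 'xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"'

# Constructed reply in the pre-21.4R3 shape: <rpc-error> plus <load-error-count>
# (placement of <load-error-count> is an assumption for this sample).
OLD_STYLE_FAILURE = """<rpc-reply """ + NC_NS + """>
  <rpc-error>
    <error-type>protocol</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>syntax error</error-message>
    <error-info><bad-element>security</bad-element></error-info>
  </rpc-error>
  <load-error-count>1</load-error-count>
</rpc-reply>"""

# Constructed reply in the 21.4R3 shape: the same failure, no <load-error-count>.
NEW_STYLE_FAILURE = """<rpc-reply """ + NC_NS + """>
  <rpc-error>
    <error-type>protocol</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>syntax error</error-message>
  </rpc-error>
</rpc-reply>"""

# Constructed reply with two errors, to show the count comes from <rpc-error>.
TWO_ERRORS = """<rpc-reply """ + NC_NS + """>
  <rpc-error><error-severity>error</error-severity><error-message>first</error-message></rpc-error>
  <rpc-error><error-severity>error</error-severity><error-message>second</error-message></rpc-error>
</rpc-reply>"""

SUCCESS = "<rpc-reply " + NC_NS + "><ok/></rpc-reply>"


def _local(tag):
    """Strip the XML namespace so lookups work whatever default namespace the server used."""
    return tag.rsplit("}", 1)[-1]


def parse_edit_config_reply(reply_xml):
    """Return a dict with ok flag, error count, error messages and the legacy count if present."""
    root = ET.fromstring(reply_xml)
    if _local(root.tag) != "rpc-reply":
        raise ValueError(f"not an rpc-reply: {root.tag}")
    errors = [el for el in root.iter() if _local(el.tag) == "rpc-error"]
    messages = []
    for err in errors:
        msg = next((c.text or "" for c in err if _local(c.tag) == "error-message"), "")
        messages.append(msg.strip())
    legacy = next((el.text for el in root.iter() if _local(el.tag) == "load-error-count"), None)
    has_ok = any(_local(el.tag) == "ok" for el in root)
    return {
        "ok": bool(has_ok and not errors),
        "error_count": len(errors),
        "messages": messages,
        # Informational only: absent on 21.4R3 and later, so never decide on it.
        "load_error_count": int(legacy) if legacy and legacy.strip() else None,
    }


if __name__ == "__main__":
    for name, reply in [("old-style failure", OLD_STYLE_FAILURE),
                        ("21.4R3 failure", NEW_STYLE_FAILURE),
                        ("two errors", TWO_ERRORS),
                        ("success", SUCCESS)]:
        print(f"{name:18} -> {parse_edit_config_reply(reply)}")
```

A script that treats "no <load-error-count>" as success would misreport the 21.4R3 failure as a clean commit; keying on `error_count` (or on the absence of `<ok/>`) avoids that.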
Platform and Infrastructure
- Device does not drop the session when the server certificate chain length is more than 6. PR1663062
Unified Threat Management (UTM)
- Content filtering CLI updates (SRX Series and vSRX)—We've made the following updates to the content filtering CLI:

  - Trimmed the list of file types supported for content filtering rule match criteria. Instead of uniquely representing different variants of a file type, now only one file-type string represents all variants. Hence, the show security utm content-filtering statistics output is also updated to align with the new file types available in the rule match criteria.
  - Renamed the content filtering security logging option seclog to log to match the Junos OS configuration standard.
  - Rephrased the reason string associated with the content filtering security log message.

  [See content-filtering (Security UTM Policy), content-filtering (Security Feature Profile), and show security utm content-filtering statistics.]