What’s Changed in Release 21.4R3

Flow-Based Packet-Based Processing

  • Unable to connect with OCSP server for revocation check (SRX Series Devices and vSRX)—When performing a revocation check using OCSP, the SRX device does not attempt to connect to the OCSP server when the OCSP server URL contains a domain name that the DNS server cannot resolve. In this case, when the SRX device cannot establish a connection to the OCSP server and one of the following configuration options is set, the OCSP revocation check either allows the certificate or falls back to using CRL:

    • set security pki ca-profile OCSP-ROOT revocation-check ocsp connection-failure disable

    • set security pki ca-profile OCSP-ROOT revocation-check ocsp connection-failure fallback-crl

    When the SRX device cannot establish a connection to the OCSP server and neither of these options is configured, the certificate validation fails.

    [See ocsp (Security PKI).]

  • Changes to TCP-MSS override priority for GRE (SRX Series and vSRX 3.0)

    On SRX Series firewalls and vSRX virtual firewalls, the Transmission Control Protocol maximum segment size (TCP-MSS) may not be overridden in GRE over IPsec (GREoIPsec) scenarios. This can result in more fragmentation in the network because GREoIPsec traffic is not modified for TCP-MSS. To ensure that TCP-MSS works with GREoIPsec, set the priority of the MSS applied to TCP traffic in the following order (highest to lowest):

    • gre-in and gre-out, based on direction, for GREoIPsec TCP traffic.

    • ipsec-vpn for GREoIPsec and IPsec traffic.

    • all-tcp for all TCP traffic.

Network Management and Monitoring

  • Changes to the NETCONF <edit-config> RPC response (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—When the <edit-config> operation returns an error, the NETCONF server does not emit a <load-error-count> element in the RPC response. In earlier releases, the <edit-config> RPC response includes the <load-error-count> element when the operation fails.
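    Automation that decided whether an <edit-config> succeeded by reading <load-error-count> silently loses that signal from 21.4R3 onward. The added example below (not Juniper code; the rpc-reply samples are constructed and simplified) contrasts that brittle check with one that counts <rpc-error> elements, which both the earlier and the current response shape carry.

    ```python
    import xml.etree.ElementTree as ET

    NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"

    # Constructed, simplified samples: the same failing <edit-config> reply as reported
    # before 21.4R3 (with <load-error-count>) and from 21.4R3 (without it), plus a success.
    OLD_REPLY = f"""<rpc-reply xmlns="{NC_NS}" message-id="1">
      <rpc-error>
        <error-severity>error</error-severity>
        <error-message>syntax error</error-message>
      </rpc-error>
      <load-error-count>1</load-error-count>
    </rpc-reply>"""

    NEW_REPLY = f"""<rpc-reply xmlns="{NC_NS}" message-id="1">
      <rpc-error>
        <error-severity>error</error-severity>
        <error-message>syntax error</error-message>
      </rpc-error>
    </rpc-reply>"""

    OK_REPLY = f"""<rpc-reply xmlns="{NC_NS}" message-id="2"><ok/></rpc-reply>"""


    def _local(tag):
        """Strip the namespace prefix so namespaced and bare replies are handled alike."""
        return tag.rsplit("}", 1)[-1]


    def brittle_error_count(reply_xml):
        """Pre-21.4R3 style check that trusts <load-error-count>.
        Returns None when the element is absent, i.e. the failure goes unnoticed."""
        root = ET.fromstring(reply_xml)
        for el in root.iter():
            if _local(el.tag) == "load-error-count":
                return int(el.text.strip())
        return None


    def edit_config_result(reply_xml):
        """Release-independent check: collect <rpc-error> entries of severity 'error'.
        Returns (succeeded, error_messages)."""
        root = ET.fromstring(reply_xml)
        messages = []
        for el in root.iter():
            if _local(el.tag) != "rpc-error":
                continue
            severity = next((c.text.strip() for c in el if _local(c.tag) == "error-severity"), "error")
            message = next((c.text.strip() for c in el if _local(c.tag) == "error-message"), "")
            if severity == "error":
                messages.append(message)
        return (not messages, messages)
    ```
    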

Platform and Infrastructure

  • The device does not drop a session with a server certificate chain longer than 6. PR1663062

Unified Threat Management (UTM)

  • Content filtering CLI updates (SRX Series and vSRX)—We've made the following updates to the content filtering CLI:

    • Trimmed the list of file types supported as content filtering rule match criteria. Instead of representing each variant of a file type separately, a single file-type string now represents all variants. The show security utm content-filtering statistics output is updated accordingly to align with the file types available in the rule match criteria.
    • Renamed the content filtering security logging option seclog to log to match the Junos OS configuration standard.
    • Rephrased the reason string associated with the content filtering security log message.

    [See content-filtering (Security UTM Policy), content-filtering (Security Feature Profile), and show security utm content-filtering statistics.]