What’s Changed

Learn about what changed in this release for SRX Series.

Platform and Infrastructure

  • SRX Series devices do not drop sessions with a server certificate chain of more than 6.

  • from-zone and to-zone are optional when policy match is done for global policies (SRX Series)—When you use match criteria to troubleshoot traffic problems for global policies, from-zone and to-zone need not be provided while performing the policy match.

    [See show security match-policies.]

  • sFlow configuration—sFlow configuration is allowed only on et, xe, and ge interfaces on EVO-based platforms. All other interfaces are blocked from sFlow configuration on EVO platforms. A CLI error is thrown if sFlow is configured on any interface other than an et, xe, or ge interface.

SSL Proxy

  • No session cache entry stored during SSL session resumption (SRX Series Devices)—When an SSL session attempts to re-initiate a full handshake and the server rejects that session resumption, the session cache does not store session information and remains empty. This issue is seen in a setup where the client device is using TLS 1.1 and the server is using TLS 1.3 (maximum).

    In Junos OS Release 22.3R1, the session cache stores session information even when the session resumption is rejected, and you can see the session cache entries using the show services ssl proxy session-cache entries summary command.

Unified Threat Management (UTM)

  • Content filtering CLI updates (SRX Series and vSRX)—We've made the following updates to the content filtering CLI:

    • Trimmed the list of file types supported for content filtering rule match criteria. Instead of uniquely representing different variants of a file type, now only one file-type string represents all variants. Hence, the show security utm content-filtering statistics output is also updated to align with the new file types available in the rule match criteria.

    • Renamed the content filtering security logging option seclog to log to match the Junos OS configuration standard.

    • Rephrased the reason string associated with the content filtering security log message.

[See show security utm content-filtering statistics, content-filtering (Security Feature Profile), and content-filtering (Security UTM Policy).]

VPLS

  • No output byte increment on VPLS interface when configured with output filter with policer action (SRX Series Devices)—When you upgrade your device to Junos OS Release 19.4R3-S1 or later, and the VPLS interface has an output filter with policer action applied to it, the VPLS interface does not pass the traffic. Because of this issue, the output bytes do not increment on that interface, and when you display details using the show interfaces interface-name extensive | no-more command, the VPLS interface shows output bytes as 0. In Junos OS Release 22.3R1, the show interfaces interface-name extensive | no-more command output shows the correct details.

  • Tunnel MTU—On the SRX5000 line, the tunnel MTU is not displayed in the CLI output if the tunnel MTU is not configured.