What’s Changed
Learn about what changed in this release for SRX Series.
General Routing
-
Verified the qualification of
ordered-by-user
in the hierarchies (ACX Series, EX Series, MX Series, QFX Series, SRX Series, vMX, and vSRX)—The requested hierarchies are reviewed and checked to confirm if they qualify for theordered-by-user
list type. If they do not, theflag autosort
is included in the DDL definition for the list, making itordered-by-system
. The hierarchies are now indexed. The benefits from this arrangement are we get accurate data modeling and optimized configuration load in the user interface infrastructure. -
In the past inet6flow.0 was not allowed to be a primary rib in a rib-group. Starting with Release 22.3 this is now allowed.
Junos XML API and Scripting
-
Ability to commit
extension-service file
configuration when application file is unavailable—When you set theoptional
option at theedit system extension extension-service application file file-name
hierarchy level, the operating system can commit the configuration even if the file is not available at the /var/db/scripts/jet file path.[See file (JET).]
-
Ability to restart restart daemonized applications—Use the
request extension-service restart-daemonize-app application-name
command to restart a daemonized application running on a Junos device. Restarting the application can assist you with debugging and troubleshooting. -
The
xmlns:junos
attribute includes the complete software version string (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—Thexmlns:junos
namespace string in XML RPC replies includes the complete software version release number, which is identical to the version emitted by theshow version
command. In earlier releases, thexmlns:junos
string includes only partial software version information.
Network Management and Monitoring
-
operator
login class is restricted from viewing NETCONF trace files that areno-world-readable
(ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—When you configure NETCONF tracing options at the[edit system services netconf traceoptions]
hierarchy level and you restrict file access to the file owner by setting or omitting theno-world-readable
statement (the default), users assigned to theoperator
login class do not have permissions to view the trace file.
VPNs
-
Limited ECDSA Certificate Support with SSL Proxy (SRX Series and vSRX 3.0)—With SSL proxy configured on SRX Series firewall and vSRX Virtual firewalls.
-
ECDSA based websites with P-384/P-521 server certificates are not accessible with any root-ca certificate as the security device has limitation to support only P-256 group.
-
When RSA based root-ca and P-384/P-521 ECDSA root-ca certificate is configured, all ECDSA websites will not be accessible as SSL-Terminator is negotiated with RSA, which is why the security device is sending only RSA ciphers and sigalgs to the destination web server while doing the SSL handshake. To ensure both ECDSA and RSA-based websites are accessible along with the RSA root certificate, configure a 256-bits ECDSA root certificate.
-
In some scenarios, even if 256-bit ECDSA root certificate is used in the SSL proxy configuration, ECDSA based websites with P-256 server certificates are not accessible if the server does not support P-256 groups.
-
In other scenarios, even if 256-bit ECDSA root certificate is used in the SSL proxy configuration, ECDSA based websites with P-256 server certificates are not accessible if the server supports sigalgs other than P-256. The issue is seen in hardware offload mode with failing signature verification. As hardware offload for ECDSA certificate is introduced in Junos OS release 22.1R1, this issue will not be observed if you use Junos OS released prior to 22.1R1. Also, the issue is not seen if the SSL-proxy for ECDSA certificate is handled in software.
-
VPNs
-
Syslogs to capture commit warning messages related to traffic loss prevention over VPN (SRX, vSRX, NFX platforms)—Configuration commit warnings such as
warning: Policy 'traditional' does not contain any dynamic-applications or url-categories but is placed below policies that use them. Please insert policy 'traditional' before your Unified policies
orwarning: Source address or address_set (made_up_address) not found. Please check if it is a SecProfiling Feed
caused the MGD to inform IKED or KMD process about DAX_ITEM_DELETE_ALL resulting in VPN flaps and outage events. These warnings messages are captured by syslogs to prevent traffic loss over VPN. We recommend you to resolve these syslog warning messages to prevent major outages.