Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

What's Changed

Learn about what changed in this release for SRX Series.

Network Management and Monitoring

  • Operator login class is restricted from viewing NETCONF trace files that are no-world-readable (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—When you configure NETCONF tracing options at the [edit system services netconf traceoptions] hierarchy level and you restrict file access to the file owner by setting or omitting the no-world-readable statement (the default), users assigned to the operator login class do not have permissions to view the trace file.

Software Installation and Upgrade

  • New options for the request system snapshot command (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The request system snapshot command includes new options for non-recovery snapshots. You can include the name option to specify a user-defined name for the snapshot, and you can include the configuration or no-configuration option to include or exclude configuration files in the snapshot. By default, the snapshot saves the configuration files, which include the contents of the /config and /var directories and certain SSH files.

    [See request system snapshot (Junos OS with Upgraded FreeBSD).]

VPNs

  • Limited ECDSA Certificate Support with SSL Proxy (SRX Series and vSRX 3.0)—With SSL proxy configured on SRX Series firewall and vSRX Virtual firewalls:

    • ECDSA based websites with P-384/P-521 server certificates are not accessible with any root-ca certificate as the security device has limitation to support only P-256 group.

    • When RSA based root-ca and P-384/P-521 ECDSA root-ca certificate is configured, all ECDSA websites will not be accessible as SSL-Terminator is negotiated with RSA, which is why the security device is sending only RSA ciphers and sigalgs to the destination web server while doing the SSL handshake. To ensure both ECDSA and RSA-based websites are accessible along with the RSA root certificate, configure a 256-bits ECDSA root certificate.

    • In some scenarios, even if 256-bit ECDSA root certificate is used in the SSL proxy configuration, ECDSA based websites with P-256 server certificates are not accessible if the server does not support P-256 groups.

    • In other scenarios, even if 256-bit ECDSA root certificate is used in the SSL proxy configuration, ECDSA based websites with P-256 server certificates are not accessible if the server supports sigalgs other than P-256. The issue is seen in hardware offload mode with failing signature verification. As hardware offload for ECDSA certificate is introduced in Junos OS release 22.1R1, this issue will not be observed if you use Junos OS released prior to 22.1R1. Also, the issue is not seen if the SSL-proxy for ECDSA certificate is handled in software.