Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Flow-based and Packet-based Processing

  • Express Path support for Fragmentation (SRX4600, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 23.4R1, we support fragmentation for unequal maximum transmission units (MTUs) on service offload (SOF) path in network processing unit (NPU).

    For more information, see Express Path Overview

  • Support drop-flow to prevent security attack - (SRX Series Firewall, vSRX3.0, cSRX, NFX150, NFX250, and NFX350)—Starting in Junos OS Release 23.4R1, we support a new featue drop-flow to prevent security attack. You can control and limit the number of max-session for the drop-flow. The session in the drop-flow is valid for 4 seconds by default. During a drop-flow, the session state displays as Drop, but in the flow, the state remains as Valid.

    The drop-flow feature is enabled by default. To disable the feature, use the set security flow drop-flow max-sessions 0 command. To delete only the drop-flow featue, use the run clear security flow session drop-flow command.

    To view the current drop-flow configuration, use the show security flow drop-flow command, and the view all the available drop-flow, use the show security flow session drop-flow command.

    [See Flow Based Session.]

  • Support for TCP enhancement - (SRX Series Firewall)—Starting in Junos OS Release 23.4R1, we support TCP fast open (FSO) and TCP selective acknowledge. FSO uses the first TCP connection to acquire the FSO cookie, in the second connection TCP FSO uses the cookie acquired through the first session to perform fast open. When you invoke SYN proxy for a specific TCP connection, TCP fast open for this connection is disabled.

    [See TCP Sessions.]

  • Support for aggressive aging- (SRX Series Firewall)—Starting in Junos OS Release 23.4R1, in addition to the exisiting aging control, we have add a more fine-tuned control on early-ageout for a session based on application, protocol, and default. If all the three cutoff time options are configured, the application cutoff time takes precedence followed by protocol, and then the default.

    [See Understanding Session Characteristics for SRX Series Firewalls.]

  • Global IP allowlist support for all screen options (SRX Series Firewall and vSRX3.0)—Starting in Junos OS Release 23.4R1, you can configure an allowlist for all IP screen options at a zone level. When you configure an allowlist at a zone level, all the addresses from the specific sources are allowed to bypass the attack detection check. Global IP allowlist supports both IPv4 and IPv6 addresses and a maximum of 32 allowlist groups. You can configure a single address or a subnet address.

    [See White-list (Security-Zone), Understanding Allowlists for All Screen Options, and Screens Options for Attack Detection and Prevention.]