J-Web
-
Support for Juniper NextGen Web Filtering (SRX Series Firewalls and vSRX3.0)—Starting in Junos OS Release 23.4R1, Juniper NextGen is available at Security Services > Content Security:
-
In Default Configuration, under Web Filtering.
-
In Web Filtering Profiles > Create Web Filtering Profiles, under Engine Type.
Juniper NextGen intercepts the HTTP and HTTPS traffic and sends URL or destination IP address information to the Juniper NextGen Web Filtering (NGWF) Cloud. The Juniper Networks® SRX Series Firewalls (SRX Series) use URL categorization and site reputation information from the NGWF Cloud to act on traffic.
[See About the Default Configuration Page and Add a Web Filtering Profile.]
-
-
Support for migrating to Juniper NextGen (SRX Series Firewalls and vSRX3.0)—Starting in Junos OS Release 23.4R1, J-Web supports Migrate to Juniper NextGen in Security Services > Content Security > Web Filtering Profiles. You can use this option to migrate from a Juniper Enhanced Web Filtering profile to a Juniper NextGen Web Filtering profile.
-
Support for Juniper NextGen base filter (SRX Series Firewalls and vSRX3.0)—Starting in Junos OS Release 23.4R1, J-Web supports the ng-default-filter base filter in Device Administration > Security Package Management > URL Categories. You can click ng-default-filter to view the available Juniper NextGen base filter categories.
-
Support for URL categorization (SRX Series Firewalls and vSRX3.0)—Starting in Junos OS Release 23.4R1, J-Web supports:
-
Manage URL Categorization under URL Categorization in Device Administration > Security Package Management > URL Categories. You can use this page to add a new URL to a category or change the category of an existing URL.
-
Check URL Categorization Status under URL Categorization in Device Administration > Security Package Management > URL Categories. You can use this page to check the URL recategorization status.
[See Manage URL Categorization and Check URL Recategorization Status.]
-
-
Support for internal SA encryption algorithm (SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4600, SRX5400, SRX5800, and vSRX3.0)—Starting in Junos OS Release 23.4R1, in J-Web, we’ve added Algorithm under Internal SA Encryption in Network > VPN > IPsec VPN > Global Settings. The 3DES-CBC algorithm specifies the encryption algorithm for the internal Routing-Engine-to-Routing-Engine IPsec SA configuration. The AES-128-CBC algorithm specifies the encryption algorithm for the high availability encryption link.
[See IPsec VPN Global Settings.]
-
Support for IKE HA link (SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4600, SRX5400, SRX5800, and vSRX3.0)—Starting in Junos OS Release 23.4R1, in J-Web, we’ve added IKE HA Link under Internal SA Encryption in Network > VPN > IPsec VPN > Global Settings. You can use this option to enable or disable HA link encryption for IKE internal messages on chassis cluster devices.
[See IPsec VPN Global Settings.]
-
Support for installation or uninstallation of IKE package (SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4600, SRX5400, SRX5800, and vSRX3.0)—Starting in Junos OS Release 23.4R1, in J-Web, you can install or uninstall the IKE package on your Juniper Networks® SRX Series Firewall using Install IKE package or Uninstall IKE package. These options are available in Network > VPN > IPsec VPN > Global Settings.
[See IPsec VPN Global Settings.]
-
Support for SNMP Traps (SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4600, SRX5400, SRX5800, and vSRX3.0)—Starting in Junos OS Release 23.4R1, in J-Web, we’ve added the following fields under General in Network > VPN > IPsec VPN > Global Settings:
-
IKE SNMP trap—Controls the sending of SNMP traps.
-
Tunnel Down—Generates traps for an IPsec tunnel going down only when the associated peer IKE SA is up.
-
Peer Down—Generates traps when the peer goes down.
[See IPsec VPN Global Settings.]
-
-
Support for Internet Control Message Protocol (ICMP) Big Packet Warning (SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4600, SRX5400, SRX5800, and vSRX3.0)—Starting in Junos OS Release 23.4R1, for devices with the junos-ike package installed, J-Web supports ICMP big packet warning under IPsec Settings Advanced Configuration for Site-to-Site VPN, NCP Exclusive Client, and Juniper Secure Connect. You can use this option to enable or disable sending ICMP packet too big notifications for IPv6 packets.
[See Create a Remote Access VPN—Juniper Secure Connect, Create a Remote Access VPN—NCP Exclusive Client, and Create a Site-to-Site VPN.]
-
Support for Tunnel MTU (SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4600, SRX5400, SRX5800, and vSRX3.0)—Starting in Junos OS Release 23.4R1, for devices with the junos-ike package installed, J-Web supports Tunnel MTU under IPsec Settings Advanced Configuration for Site-to-Site VPN, NCP Exclusive Client, and Juniper Secure Connect. Tunnel MTU specifies the maximum transmit packet size for IPsec tunnels.
[See Create a Remote Access VPN—Juniper Secure Connect, Create a Remote Access VPN—NCP Exclusive Client, and Create a Site-to-Site VPN.]
-
Support for Extended Sequence Number (ESN) (SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4600, SRX5400, SRX5800, and vSRX3.0)—Starting in Junos OS Release 23.4R1, for devices with the junos-ike package installed, J-Web supports ESN under IPsec Settings Advanced Configuration for Site-to-Site VPN, NCP Exclusive Client, and Juniper Secure Connect. ESN allows IPsec to use a 64-bit sequence number. If ESN is not enabled, a 32-bit sequence number is used by default.
[See Create a Remote Access VPN—Juniper Secure Connect, Create a Remote Access VPN—NCP Exclusive Client, and Create a Site-to-Site VPN.]
-
IKE settings enhancements (SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4600, SRX5400, SRX5800, and vSRX3.0)—Starting in Junos OS Release 23.4R1, J-Web supports the following for devices with the junos-ike package installed:
-
SHA 512-bit IKE authentication algorithm under IKE Settings for Site-to-Site VPN, NCP Exclusive Client, and Juniper Secure Connect. Juniper Networks® SRX Series Firewalls use these authentication algorithms to verify the authenticity and integrity of a packet.
-
Group 15, group 16, and group 21 DH groups under IKE Settings for Site-to-Site VPN, NCP Exclusive Client, and Juniper Secure Connect. A Diffie-Hellman (DH) exchange allows the participants to produce a shared secret value.
[See Create a Remote Access VPN—Juniper Secure Connect, Create a Remote Access VPN—NCP Exclusive Client, and Create a Site-to-Site VPN.]
-
-
IPsec settings enhancements (SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4600, SRX5400, SRX5800, and vSRX3.0)—Starting in Junos OS Release 23.4R1, J-Web supports the following for devices with the junos-ike package installed:
-
HMAC-SHA 384 and HMAC-SHA 512 IPsec authentication algorithms under IPsec Settings for Site-to-Site VPN, NCP Exclusive Client, and Juniper Secure Connect. The SRX Series Firewall uses these authentication algorithms to verify the authenticity and integrity of a packet.
-
Group 15, group 16, and group 21 IPsec perfect forward secrecy keys under IPsec Settings for Site-to-Site VPN, NCP Exclusive Client, and Juniper Secure Connect. The Juniper Networks® SRX Series Firewalls use this method to generate the encryption key.
[See Create a Remote Access VPN—Juniper Secure Connect, Create a Remote Access VPN—NCP Exclusive Client, and Create a Site-to-Site VPN.]
-
-
Support for IPv6 address (SRX Series Firewalls and vSRX3.0)—Starting in Junos OS Release 23.4R1, J-Web supports the following for devices with the junos-ike package installed:
-
External Interface supports IPv6 address in Network > VPN > IPsec VPN > Juniper Secure Connect > Local Gateway.
-
Global Address supports IPv6 address in Network > VPN > IPsec VPN > Juniper Secure Connect > Local Gateway > Protected Networks > Add.
-
Address assignment supports IPv6 address in Network > VPN > IPsec VPN > Juniper Secure Connect > Local Gateway > User Authentication > Add.
-
Source Interface supports IPv6 address in Security Services > Firewall Authentication > Access Profile > Create Access Profile.
[See Create a Remote Access VPN—Juniper Secure Connect and Add an Access Profile.]
-
-
Support for excluded address ranges (SRX Series Firewalls and vSRX3.0)—Starting in Junos OS Release 23.4R1, J-Web supports Excluded Address Ranges in Security Services > Firewall Authentication > Address Pools > Create Address Pool. You can use this option to exclude a single address or a range of addresses.
[See Add an Address Pool.]
-
Support for static address binding (SRX Series Firewalls and vSRX3.0)—Starting in Junos OS Release 23.4R1, J-Web supports Static Address Binding in Security Services > Firewall Authentication > Address Pools > Create Address Pool. You can use this option to assign a specific IP address to a username or MAC address.
[See Add an Address Pool.]
-
Support for linked address pool (SRX Series Firewalls and vSRX3.0)—Starting in Junos OS Release 23.4R1, J-Web supports Linked Address Pool in Security Services > Firewall Authentication > Address Pools > Create Address Pool. You can use this option to create a secondary assignment pool and link it to a primary address assignment pool. The secondary pool provides a backup pool for local address assignment.
[See Add an Address Pool.]
-
Support for LDAP traffic over Secure Sockets Layer/Transport Layer Security (SSL/TLS) technology (SRX Series Firewalls and vSRX3.0)—Starting in Junos OS Release 23.4R1, J-Web supports LDAP over TLS/SSL in Security Services > Firewall Authentication > Access Profile > Create Access Profile > Create LDAP Server. You can set LDAP traffic to be confidential and secure by using Secure Sockets Layer/Transport Layer Security (SSL/TLS) technology.
[See Add an Access Profile.]