What's Changed

Learn about what changed in this release for SRX Series Firewalls.

Content Security

  • Avira antivirus scanning mode supported on SRX1600 device (SRX1600)—SRX1600 device supports the Avira antivirus scan in light mode only and it does not support the heavy mode. Therefore, we've removed the onbox-av-load-flavor statement at the edit chassis hierarchy level for SRX1600 device.

    See Example: Configure Avira Antivirus.

  • URL check operational command update (SRX Series)—Starting in Junos OS Release 23.4R1, you can use the test security utm web-filtering url-check test command to check the category and reputation of a URL. Before this release, the test security utm enhanced-web-filtering url-check test command was used to check the category and reputation of a URL.

    See test security utm enhanced-web-filtering url-check.

J-Web

  • Updated Security Package URL (SRX Series Firewalls and vSRX3.0)—Starting in Junos OS Release 23.4R1, in J-Web, we've updated the security package URL in Device Administration > Security Package Management > URL Categories Settings. You can use this URL to download Juniper NextGen or Juniper Enhanced Web Filtering package.

    [See URL Categories Settings.]

  • Internal SA is now called Internal SA Encryption (SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4600, SRX5400, SRX5800, and vSRX3.0)—Starting in Junos OS Release 23.4R1, in J-Web, we have renamed Internal SA to Internal SA Encryption and Internal SA Keys to Key in Network > VPN > IPsec VPN > Global Settings.

    [See IPsec VPN Global Settings.]

  • Name is now called Identifier (SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4600, SRX5400, SRX5800, and vSRX3.0)—Starting in Junos OS Release 23.4R1, in J-Web, we have renamed Name to Identifier and Network Address to Subnet in Security Services > Firewall Authentication > Address Pools.

    [See About the Address Pools Page.]

  • Address Range is now called Named Address Ranges (SRX Series Firewalls and vSRX3.0)—Starting in Junos OS Release 23.4R1, in J-Web, we have renamed Address Range to Named Address Ranges in Security Services > Firewall Authentication > Address Pools.

    [See About the Address Pools Page.]

  • Routing Instance is now called Source Virtual Router (SRX Series Firewalls and vSRX3.0)—Starting in Junos OS Release 23.4R1, in J-Web, we have renamed Routing Instance to Source Virtual Router and Source Address to Source Interface in Security Services > Firewall Authentication > Access Profile > Create Access Profile > Create Radius Server and Security Services > Firewall Authentication > Access Profile > Create Access Profile > Create LDAP Server.

    [See Add an Access Profile.]

Junos XML API and Scripting

  • XML output tags changed for request-commit-server-pause and request-commit-server-start (ACX Series, EX Series, MX Series, QFX Series, SRX Series, and vSRX)—We've changed the XML output for the request system commit server pause command (request-commit-server-pause RPC) and the request system commit server start command (request-commit-server-start RPC). The root element is <commit-server-operation> instead of <commit-server-information>, and the <output> tag is renamed to <message>.

Network Management and Monitoring

  • NETCONF <copy-config> operations support a file:// URI for copy to file operations (ACX Series, EX Series, MX Series, QFX Series, SRX Series, and vSRX)—The NETCONF <copy-config> operation supports using a file:// URI when <url> is the target and specifies the absolute path of a local file.

    [See <copy-config>.]

User Interface and Configuration

  • Viewing files with the file compare files command requires users to have maintenance permission—The file compare files command in Junos OS and Junos OS Evolved requires a user to have a login class with maintenance permission.

    [See Login Classes Overview.]

VPNs

  • Invalid kmd-instance option when iked is enabled for IPsec VPNs (SRX Series)—We have removed the kmd-instance option when you enable the iked process using the junos-ike package to run IPsec VPN features in Junos OS Release 23.4R1. This option applies only when the kmd process runs the IPsec VPN features.

    [See show security ipsec security-associations.]

  • Options related to FPC, PIC and KMD instance are invalid in show security ike sa command with IKED process (SRX Series)—With the junos-ike package installed to run IPsec VPN using the IKED process, the fpc, pic, and kmd-instance options no longer appear in the show security ike security-associations hierarchy. These options are invalid and are removed from the CLI starting in Junos OS Release 23.4R1. This means you cannot use the show security ike sa fpc 0 pic 0 command with IPsec VPN running the IKED process on your SRX Series Firewall.

    [See show security ike security-associations.]

  • Enhancements to IKE configuration management for clearing IKE stats on secondary node (SRX Series)—In earlier Junos OS releases, in chassis cluster mode, the ike-config-Management (IKEMD) process did not respond to management requests on the secondary node. The clear security ike stats command failed with the error message error: IKE-Config-Management not responding to management requests on the secondary node. Starting in Junos OS Release 22.4R3, the command runs successfully without the error on the secondary node.

  • Introduction of extensive option for IPsec security associations (MX Series, SRX Series and vSRX 3.0)—We've introduced the extensive option for the show security ipsec security-associations command. Use this option to display IPsec security associations with all the tunnel events. Use the existing detail option to display up to ten events in reverse chronological order.

    [See show security ipsec security-associations.]

  • Enhancements to address CA certificate validation failure (SRX Series and vSRX 3.0)–For CA certificates, certificate validation fails with the Let's Encrypt server when using the configuration statement set security pki ca-profile ISRG revocation-check crl url, because PKI sends the OCSP request over HTTP 1.0 with the requestorName. We have modified the behavior to send the OCSP request using HTTP 1.1 without the requestorName by default.

    • To send the requestorName when using HTTP 1.1, use the hidden option add-requestor-name-payload at the edit security pki ca-profile ca-profile-name revocation-check ocsp hierarchy level.

    • To send the OCSP request using HTTP 1.0, use the hidden option use-http-1.0 at the edit security pki ca-profile ca-profile-name revocation-check ocsp hierarchy level to ensure backward compatibility.

      [See revocation-check (Security PKI).]

  • Enhancements to the IKE configuration management commands in chassis cluster (SRX Series)–In earlier Junos OS releases, in a chassis cluster mode, the following commands failed with the error message error: IKE-Config-Management not responding to management requests on the secondary node:

    • show security ike statistics

    • show security ike sa ha-link-encryption

    • show security ipsec sa ha-link-encryption

    • show security ipsec inactive-tunnels ha-link-encryption

    • clear security ike sa ha-link-encryption

    • clear security ipsec sa ha-link-encryption

    You should run these commands only on the primary node rather than the secondary node. Starting in Junos OS Release 23.4R1, you'll not see the error message as the secondary node has no output to display.

  • Enhancements to the output of show security ipsec security-associations detail command (SRX Series and vSRX 3.0)–We've enhanced the output of show security ipsec security-associations detail when you enable vpn-monitor at the edit security ipsec vpn vpn-name hierarchy level and your firewall runs IPsec VPN services with the new iked process. The output now displays the threshold and interval values. Starting in Junos OS Release 23.4R1, you'll notice these changes.

    [See show security ipsec security-associations.]

  • Modification to the XML tags for show security ipsec commands (SRX Series and vSRX 3.0)–We've changed the XML tags for the following commands at show security ipsec.

    Command                                                              New XML Tag                              Old XML Tag
    show security ipsec tunnel-events-statistics | display xml validate  ipsec-tunnel-event-statistics            usp-ipsec-tunnel-event-statistics-information
    show security ipsec inactive-tunnels detail | display xml validate   ipsec-unestablished-tunnel-information   ipsec-security-association-information

    Starting in Junos OS Release 23.4R1, with the new XML tags, you’ll notice that the show security ipsec commands emit valid XML.
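An added example (not Juniper's code) for the two XML tag renames described on this page, the commit server RPCs under Junos XML API and Scripting and the show security ipsec commands above: a parser that accepts either the pre-23.4R1 or the 23.4R1 element names, so monitoring scripts do not silently read an empty result after an upgrade. The sample replies, their message text and the urn:example namespace are constructed; only the element names come from this release note.

```python
import xml.etree.ElementTree as ET

# Element names from the release note: 23.4R1 name -> name used before 23.4R1.
RENAMED = {
    "commit-server-operation": "commit-server-information",
    "message": "output",
    "ipsec-tunnel-event-statistics": "usp-ipsec-tunnel-event-statistics-information",
    "ipsec-unestablished-tunnel-information": "ipsec-security-association-information",
}

# Constructed sample replies: message text and namespace are illustrative only.
OLD_REPLY = ("<rpc-reply><commit-server-information><output>commit server paused"
             "</output></commit-server-information></rpc-reply>")
NEW_REPLY = ('<rpc-reply xmlns="urn:example:constructed"><commit-server-operation>'
             "<message>commit server paused</message></commit-server-operation></rpc-reply>")


def local(tag):
    """Reduce a namespaced tag such as '{uri}name' to 'name'."""
    return tag.rsplit("}", 1)[-1]


def find_either(root, new_tag):
    """Return (element, schema) for new_tag or its older name, else (None, None)."""
    old_tag = RENAMED[new_tag]
    for elem in root.iter():
        if local(elem.tag) == new_tag:
            return elem, "23.4R1"
        if local(elem.tag) == old_tag:
            return elem, "pre-23.4R1"
    return None, None


def reply_schema(reply_xml, new_tag):
    """Report which naming a reply uses, or None if neither name is present."""
    return find_either(ET.fromstring(reply_xml), new_tag)[1]


def commit_server_message(reply_xml):
    """Return (status text, schema) from a commit server pause/start reply."""
    op, schema = find_either(ET.fromstring(reply_xml), "commit-server-operation")
    if op is None:
        raise ValueError("reply has no commit-server element")
    msg, _ = find_either(op, "message")
    if msg is None:
        # Fail loudly so a renamed tag never reads as an empty, healthy status.
        raise ValueError("commit-server element has no message/output child")
    return (msg.text or "").strip(), schema
```

Because ipsec-security-association-information was the old root for show security ipsec inactive-tunnels detail, the caller must know which command produced a reply before treating that element as inactive-tunnel data.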