What's Changed

Learn about what changed in this release for vSRX.

Authentication and Access Control

  • ChaCha20-Poly1305 algorithm deprecation for SSH cipher option—The ChaCha20-Poly1305 authenticated encryption algorithm is deprecated for SSH cipher option. Configure aes-128-gcm and aes-256-gcm as the encryption algorithm for SSH Cipher option.

    [See ssh (System Services).]

EVPN

  • Limit on number of IP address associations per MAC address per bridge domain in EVPN MAC-IP database—By default, devices can associate a maximum of 200 IP addresses with a single MAC address per bridge domain. We provide a new CLI statement to customize this limit, mac-ip-limit statement at the [edit protocols evpn] hierarchy level. In most use cases, you don't need to change the default limit. If you want to change the default limit, we recommend that you don't set this limit to more than 300 IP addresses per MAC address per bridge domain. Otherwise, you might see very high CPU usage on the device, which can degrade system performance.

    [See mac-ip-limit.]

User Interface and Configuration

  • Configuration database maximum size increased (ACX Series, EX Series, MX Series, QFX Series, SRX Series, and vSRX)—We've enhanced the extend-size statement at the [edit system configuration-database] hierarchy level to increase the maximum database size. On devices with a default configuration database size of ~400 MB, extend-size increases the maximum database size to ~2 GB. On devices with a default configuration database size of ~660 MB, extend-size increases the maximum database size to ~2.2 GB.

    [See configuration-database.]

VPNs

  • Enhancements to fix the digest option functionality for key pairs generated with DSA and ECDSA (SRX Series and vSRX 3.0)—In earlier releases, when you generated local self-signed certificates with the sha-256 digest and DSA or ECDSA key pairs using the request security pki generate-key-pair certificate-id certificate-id-name size size type (dsa | ecdsa) and request security pki local-certificate generate-self-signed certificate-id certificate-id-name digest sha-256 domain-name domain-name subject subject-distinguished-name commands, the generated signature always used the sha1 digest. Starting in this release, the specified digest, sha-256, is used for the signature digest. You can verify this using the show security pki local-certificate certificate-id certificate-id-name detail command.
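    The digest fix above is also worth confirming off-box. The following added example (not part of this release note or of Junos OS) reads the signatureAlgorithm OID from a DER-encoded certificate, such as one exported from the device, and reports whether the signature is SHA-1 or SHA-256 based; the DER skeletons it parses are constructed here and are not real certificates.

```python
# Added check: read the signatureAlgorithm OID of a DER-encoded X.509 certificate to
# confirm whether its signature really uses SHA-256 or fell back to SHA-1.
SIG_ALG_NAMES = {  # DSA and ECDSA signature OIDs from RFC 3279 / RFC 5758
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "2.16.840.1.101.3.4.3.2": "dsa-with-sha256",
}

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Convert OID content octets (base-128 arcs) to dotted-decimal text."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # continuation bit clear: arc complete
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Return the name (or dotted OID) of a Certificate's outer signatureAlgorithm."""
    tag, body, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _, pos = read_tlv(body, 0)  # skip tbsCertificate
    _, alg, _ = read_tlv(body, pos)  # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = read_tlv(alg, 0)
    assert oid_tag == 0x06, "AlgorithmIdentifier must begin with an OID"
    dotted = decode_oid(oid)
    return SIG_ALG_NAMES.get(dotted, dotted)

def uses_sha1(cert_der):  # True when the signature algorithm is SHA-1 based
    return "sha1" in signature_algorithm(cert_der).lower()

# Constructed sample input (not real certificates): DER skeletons with a dummy tbsCertificate.
def der(tag, content):  # tiny DER encoder for content shorter than 128 bytes
    return bytes([tag, len(content)]) + content

def fake_cert(alg_oid):
    tbs = der(0x30, der(0x02, b"\x01"))  # dummy tbsCertificate holding only a serial number
    return der(0x30, tbs + der(0x30, der(0x06, alg_oid)) + der(0x03, b"\x00" * 17))
ECDSA_SHA1 = bytes.fromhex("2a8648ce3d0401")  # 1.2.840.10045.4.1
ECDSA_SHA256 = bytes.fromhex("2a8648ce3d040302")  # 1.2.840.10045.4.3.2
```

    Point `signature_algorithm` at the bytes of a real DER certificate (for example the PEM body base64-decoded) to audit certificates generated before the fix.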

  • Enhancement to the output of clear and regenerate key pair commands (vSRX 3.0)—We've modified the output of the following commands when you clear and then regenerate the same key pair while managing secure data with a hardware security module (HSM).

    Starting in Junos OS Release 23.4R1, the command:

    • clear security pki key-pair certificate-id certificate-id-name displays the message Key pair deleted successfully from the device. Key pair will be purged from the keyvault based on it's own preferences, as opposed to the message Key pair deleted successfully displayed in previous releases.
    • request security pki generate-key-pair certificate-id certificate-id-name displays the message error:Failed to generate key pair. If the keypair was created and deleted before, please ensure that the keypair has been purged from the keyvault as opposed to the message error: Failed to generate key pair displayed in previous releases.

    We made these changes to align with any restriction the cloud provider places on key pair deletion.

  • Enhancements to the help string description for the threshold and interval options of VPN monitoring (SRX Series and vSRX 3.0)—We've enhanced the help string description of the threshold and interval options available in the [set security ipsec vpn-monitor-options] configuration statement to include the default values. You'll see the following description with the default values:

    [See ipsec (Security).]

  • Enhancements to the output of the show security ipsec security-associations detail command (SRX Series and vSRX 3.0)—Starting in Junos OS Release 23.4R1, when your firewall runs IPsec VPN services with the new iked process and you enable vpn-monitor at the [edit security ipsec vpn vpn-name] hierarchy level, the output of show security ipsec security-associations detail includes the threshold and interval values.

    [See show security ipsec security-associations.]

  • Reauthentication frequency recommendation for IPsec VPN with PPK (SRX Series and vSRX 3.0)—For IPsec VPN, including Auto Discovery VPN (ADVPN), with post-quantum pre-shared key (PPK) encryption, when the IKE security association is negotiated with the quantum keys, the iked process performs a rekey after 4 seconds to secure the channel. If you set the reauthentication frequency to 1, this rekey after 4 seconds doesn't happen. We therefore recommend that you set the reauthentication frequency to more than 1, because the first reauthentication count is consumed by the PPK default rekey.

    [See Quantum Safe IPsec VPN.]