What's Changed
Learn about what changed in this release for SRX Series.
Content Security
- Juniper NextGen Web filtering license warning enhancement (SRX Series and vSRX)—Starting in Junos OS Release 24.4R1, if you configure the Web Filtering type as juniper-enhanced or ng-juniper without a corresponding valid license, the system does not generate a warning message. You can confirm whether Web Filtering is down due to a missing license by using the show security utm web-filtering status command. Before this release, if you configured the Web Filtering type as juniper-enhanced or ng-juniper without a valid license, the system generated a warning message. [See show security utm web-filtering status and Juniper NextGen Web Filtering Overview.]
Interfaces and Chassis
- Autonegotiation in xe ports (SRX380)—Starting in Junos Release 24.2R2, autonegotiation is disabled by default on all four xe ports of SRX380 Firewalls. We recommend that you also disable autonegotiation on the remote-end devices. To change the default, recommended autonegotiation behavior, use the set interfaces xe-x/y/z gigether-options auto-negotiation command.
Junos XML API and Scripting
- Commit script input to identify software upgrades during boot time (ACX Series, EX Series, MX Series, QFX Series, SRX Series, and vSRX)—The junos-context node-set includes the sw-upgrade-in-progress tag. Commit scripts can test the sw-upgrade-in-progress tag value to determine if the commit is taking place during boot time and a software upgrade is in progress. The tag value is yes if the commit takes place during the first reboot after a software upgrade, software downgrade, or rollback. The tag value is no if the device is booting normally. [See Global Parameters and Variables in Junos OS Automation Scripts.]
PKI
- Enhancement to fix output with Junos PyEz for duplicate keys in PKI (MX Series, SRX Series, EX Series)—In earlier releases, although the CLI output of the show security pki local-certificate detail | display json command displayed all the duplicate keys for the corresponding hash algorithms in PKI, Junos PyEz displayed only the last key for the same requested data. Starting in this release, both the CLI output and PyEz display all the duplicate keys with the enhanced tags.
User Interface and Configuration
- Compact format deprecated for JSON-formatted state data (ACX Series, EX Series, MX Series, QFX Series, SRX Series, and vSRX)—We've removed the compact option at the [edit system export-format state-data json] hierarchy level because Junos devices no longer support emitting JSON-formatted state data in compact format.
- Access privileges for request support information command (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series Firewalls, and vSRX Virtual Firewall)—The request support information command is designed to generate system information for troubleshooting and debugging purposes. Users with the specific access privileges maintenance, view, and view-configuration can execute the request support information command.
VPN
- Compliance check is added for Juniper Secure Connect (SRX Series, and vSRX 3.0)—In Junos OS, we have added a compliance check to enforce that only Juniper Secure Connect clients can establish remote access VPN connections, and to reject connection requests from non-compliant remote access clients. You'll notice this behavior for the VPN connection using the remote access profile attached to the IPsec VPN object.
- Changes to syslog messages for IPsec VPN service (SRX Series, and vSRX 3.0)—We've made changes to the syslog messages for the IPsec VPN service. You'll notice that:
  - Tunnel-id field is added to the KMD_PM_SA_ESTABLISHED syslog messages when running IPsec VPN service using the kmd process.
  - New syslog message IKE_VPN_SA_ESTABLISHED is added for an IPsec rekey event when running IPsec VPN service using the iked process.
- Changes to the lifetime-kilobytes option in IPsec VPN Security Association (SRX Series Firewalls, and vSRX 3.0)—The minimum allowed IPsec proposal lifetime-kilobytes value is changed from 64KB to 64000KB for IPsec VPN Security Association. [See proposal (Security IPsec).]
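
An added example, not part of the Juniper release notes: a pre-upgrade check for the lifetime-kilobytes change described above. It scans set-format configuration text for IPsec proposals whose value is below the new 64000 KB minimum. The sample configuration, the proposal and group names, and the function name find_low_lifetime_kb are constructed for illustration.

```python
import re

# New minimum for lifetime-kilobytes, in KB, as stated in the release note.
MIN_LIFETIME_KB = 64000

# Matches set-format lines, including proposals nested under a prefix such as
# "groups <name>". Proposal names may be quoted if they contain spaces.
_PROPOSAL_RE = re.compile(
    r'^set\s+(?P<prefix>.*?)security ipsec proposal\s+'
    r'(?P<name>"[^"]+"|\S+)\s+lifetime-kilobytes\s+(?P<kb>\d+)\s*$'
)


def find_low_lifetime_kb(set_config, minimum=MIN_LIFETIME_KB):
    """Return (line_no, scope, proposal, kb) for each proposal below minimum."""
    findings = []
    for line_no, raw in enumerate(set_config.splitlines(), start=1):
        m = _PROPOSAL_RE.match(raw.strip())
        if not m:
            continue
        kb = int(m.group("kb"))
        if kb < minimum:
            scope = m.group("prefix").strip() or "global"
            findings.append((line_no, scope, m.group("name").strip('"'), kb))
    return findings


# Constructed sample in set format; not taken from a real device.
SAMPLE_CONFIG = """\
set security ipsec proposal P1-AES256 protocol esp
set security ipsec proposal P1-AES256 lifetime-seconds 3600
set security ipsec proposal P1-AES256 lifetime-kilobytes 64
set security ipsec proposal P2-GCM lifetime-kilobytes 64000
set groups BRANCH security ipsec proposal "branch legacy" lifetime-kilobytes 1024
set security ipsec policy POL1 proposals P1-AES256
"""

if __name__ == "__main__":
    for line_no, scope, name, kb in find_low_lifetime_kb(SAMPLE_CONFIG):
        print(f"line {line_no}: proposal {name!r} ({scope}) "
              f"lifetime-kilobytes {kb} is below {MIN_LIFETIME_KB}")
```

Feed it configuration text exported in set format; proposals that do not set lifetime-kilobytes at all are not reported.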