What's Changed

Learn about what changed in this release for SRX Series.

Content Security

  • Juniper NextGen Web filtering license warning enhancement (SRX Series and vSRX)—Starting in Junos OS Release 24.4R1, if you configure the Web Filtering type as juniper-enhanced or ng-juniper without a corresponding valid license, the system does not generate a warning message. To confirm whether Web Filtering is down because of a missing license, use the show security utm web-filtering status command.

    Before this release, if you configured the Web Filtering type as juniper-enhanced or ng-juniper without a valid license, the system generated a warning message.

    [See show security utm web-filtering status and Juniper NextGen Web Filtering Overview.]

Interfaces and Chassis

  • Autonegotiation in xe ports (SRX380)—Starting in Junos Release 24.2R2, autonegotiation is disabled by default on all four xe ports of SRX380 Firewalls. It is recommended to disable autonegotiation on the remote-end devices. To change this default behavior, use the set interfaces xe-x/y/z gigether-options auto-negotiation command.

Junos XML API and Scripting

  • Commit script input to identify software upgrades during boot time (ACX Series, EX Series, MX Series, QFX Series, SRX Series, and vSRX)—The junos-context node-set includes the sw-upgrade-in-progress tag. Commit scripts can test the sw-upgrade-in-progress tag value to determine if the commit is taking place during boot time and a software upgrade is in progress. The tag value is yes if the commit takes place during the first reboot after a software upgrade, software downgrade, or rollback. The tag value is no if the device is booting normally.

    [See Global Parameters and Variables in Junos OS Automation Scripts.]

Network Management and Monitoring

  • DES deprecation for SNMPv3 (Junos)—The Data Encryption Standard (DES) privacy protocol for SNMPv3 is deprecated due to weak security and vulnerability to cryptographic attacks. For enhanced security, configure the triple Data Encryption Standard (3DES) or the Advanced Encryption Standard (CFB128-AES-128 Privacy Protocol) as the encryption algorithm for SNMPv3 users.

    [See privacy-3des and privacy-aes128.]

PKI

  • Enhancement to fix output with Junos PyEZ for duplicate keys in PKI (MX Series, SRX Series, EX Series)—In earlier releases, the CLI output of the show security pki local-certificate detail | display json command displayed all the duplicate keys for the corresponding hash algorithms in PKI, but Junos PyEZ displayed only the last key for the same requested data. Starting in this release, both the CLI output and PyEZ display all the duplicate keys with the enhanced tags.

User Interface and Configuration

  • Compact format deprecated for JSON-formatted state data (ACX Series, EX Series, MX Series, QFX Series, SRX Series, and vSRX)—We've removed the compact option at the [edit system export-format state-data json] hierarchy level because Junos devices no longer support emitting JSON-formatted state data in compact format.

  • Access privileges for request support information command (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series Firewalls, and vSRX Virtual Firewall)—The request support information command is designed to generate system information for troubleshooting and debugging purposes. Users with the specific access privileges maintenance, view, and view-configuration can execute the request support information command.

  • Changes to the show system information and show version command output (ACX Series, EX Series, MX Series, QFX Series, SRX Series, and vSRX)—The show system information command output lists the Hostname field first instead of last. The show version command output includes the Family field. The Family field identifies the device family under which the device is categorized, for example, junos, junos-es, junos-ex, or junos-qfx.

    [See show system information and show version.]

VPN

  • Compliance check is added for Juniper Secure Connect (SRX Series, and vSRX 3.0)—In Junos OS, we have added a compliance check to enforce that only Juniper Secure Connect clients can establish remote access VPN connections, and to reject connection requests from non-compliant remote access clients. You'll notice this behavior for the VPN connection using the remote access profile attached to the IPsec VPN object.

  • Changes to syslog messages for IPsec VPN service (SRX Series, and vSRX 3.0)—We've made changes to the syslog messages for the IPsec VPN service. You'll notice that:

      - Tunnel-id field is added to the KMD_PM_SA_ESTABLISHED syslog messages when running IPsec VPN service using the kmd process.
      - New syslog message IKE_VPN_SA_ESTABLISHED is added for an IPsec rekey event when running IPsec VPN service using the iked process.

  • Changes to the lifetime-kilobytes option in IPsec VPN Security Association (SRX Series Firewalls, and vSRX 3.0)—The minimum allowed IPsec proposal lifetime-kilobytes value is changed from 64KB to 64000KB for IPsec VPN Security Association.

    [See proposal (Security IPsec).]

  • Support for iPadOS for prelogon compliance checks in Juniper Secure Connect (SRX Series, and vSRX 3.0)—You can configure prelogon compliance checks on your firewall to allow or reject endpoints running iPadOS. Use the ipados option at the [edit security remote-access compliance pre-logon name term name match platform] hierarchy level to enforce these checks. This ensures that only compliant iPadOS devices are permitted access, enhancing the security of your network.

    [See compliance (Juniper Secure Connect).]

  • Invalid CLI command removal for IPsec VPN with iked process (SRX Series and vSRX 3.0)—When running IPsec VPN services using the iked process, your firewall no longer displays the unsupported Junos OS CLI command clear security ike respond-bad-spi-count. This update prevents the CLI from displaying a command that is not recognized with the iked process. You can continue to use the command with the kmd process.

    [See clear security ike respond-bad-spi-count.]
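
A pre-upgrade audit for four of the changes above (SNMPv3 DES deprecation, removal of the JSON compact option, the new lifetime-kilobytes minimum, and the missing Web Filtering license warning). This is an added example, not Juniper code. It assumes the configuration is exported in set format (show configuration | display set); the function name, finding identifiers, and sample configuration are constructed for illustration.

```python
import re

MIN_LIFETIME_KB = 64000  # new minimum stated in the lifetime-kilobytes note

# (finding id, pattern matched against one set-style line, advice)
RULES = [
    ("snmpv3-des",
     re.compile(r"^set snmp v3 usm (?:local-engine|remote-engine \S+) user (?P<name>\S+) privacy-des\b"),
     "DES privacy is deprecated; move the user to privacy-3des or privacy-aes128"),
    ("json-compact",
     re.compile(r"^set system export-format state-data json compact\b"),
     "the compact option was removed; delete the statement before upgrading"),
    ("ipsec-lifetime-kb",
     re.compile(r"^set security ipsec proposal (?P<name>\S+) lifetime-kilobytes (?P<kb>\d+)\b"),
     f"value is below the new minimum of {MIN_LIFETIME_KB}"),
    ("webfilter-license",
     re.compile(r"^set security utm .*\bweb-filtering type (?P<name>juniper-enhanced|ng-juniper)\b"),
     "no commit warning if unlicensed; check show security utm web-filtering status"),
]

def audit(config_text):
    """Return (line_no, finding_id, subject, advice) tuples for a set-style config."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = " ".join(raw.split())  # normalise whitespace and strip indentation
        for finding_id, pattern, advice in RULES:
            m = pattern.search(line)
            if not m:
                continue
            groups = m.groupdict()
            # Only lifetimes strictly below the new minimum are findings.
            if finding_id == "ipsec-lifetime-kb" and int(groups["kb"]) >= MIN_LIFETIME_KB:
                continue
            findings.append((line_no, finding_id, groups.get("name", ""), advice))
    return findings

# Constructed sample configuration (not taken from a real device)
SAMPLE = """\
set snmp v3 usm local-engine user monitor1 authentication-sha authentication-key "$9$constructed"
set snmp v3 usm local-engine user monitor1 privacy-des privacy-key "$9$constructed"
set snmp v3 usm local-engine user monitor2 privacy-aes128 privacy-key "$9$constructed"
set system export-format state-data json compact
set security ipsec proposal P2-OLD lifetime-kilobytes 4096
set security ipsec proposal P2-OK lifetime-kilobytes 128000
set security utm default-configuration web-filtering type ng-juniper
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The webfilter-license finding is informational only: the configuration does not show license state, so it marks devices where the status command should be run after commit.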