What's Changed

Learn about what changed in this release for SRX Series.

General Routing

  • G.8275.1 profile configuration with PTP, SyncE, and hybrid mode (Junos)—On all Junos platforms, when configuring the G.8275.1 profile, it is mandatory to configure Precision Time Protocol (PTP), Synchronous Ethernet (SyncE), and hybrid mode. Earlier, the system did not raise a commit error even if the required hybrid and SyncE configurations were missing from the G.8275.1 profile configuration. Going forward, to comply with the ITU-T standards, you cannot configure the G.8275.1 profile without also configuring PTP, SyncE, and hybrid mode.

    [See G.8275.1 Telecom Profile].

Intrusion Detection and Prevention (IDP)

  • Improved Handling of IDP Policy Compilation Status (SRX Series)—Previously, if an IDP policy compilation failed and a subsequent commit did not involve IDP changes, the compilation status could be lost or appear blank. This has been resolved. The system now retains and displays the last known policy compilation status, even when later commits do not trigger policy recompilation or when the policy is unloaded due to configuration changes. There is no change in the underlying IDP functionality, only in how the status message is preserved.

J-Web

  • You can upgrade zone-based address books to global address books on the Global Addresses page. To do this, click Upgrade in the right-side corner of the Global Addresses table. Then, click Yes to continue with the upgrade and click OK to complete. During the upgrade, the system appends the zone name to the zone address name.

Platform Infrastructure

  • ARP restriction for VLAN IDs 3072 to 4094 (SRX4700)—You cannot configure VLAN IDs ranging from 3072 to 4094. This ensures correct network behavior and prevents potential conflicts within these VLAN ranges, promoting network stability and reliability.

Public Key Infrastructure

  • Certificate enrollment system logs (Junos)—We've added system logs to notify you of SCEP and CMPv2 certificate enrollment failures. On SCEP certificate enrollment failure, you can see the PKID_SCEP_EE_CERT_ENROLL_FAIL message. On CMPv2 certificate enrollment failure, you can see the PKID_CMPV2_EE_CERT_ENROLL_FAIL message.

    [See System Log Explorer.]
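
One way to monitor for the two new messages, as an added example that is not Juniper's code: it counts enrollment failures per host and protocol from collected syslog lines. Only the two message tags come from this page; the syslog line layout, the hostnames, the alert threshold, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# The two message tags come from the release note; everything else in a
# line (timestamp, hostname, process, message text) is treated as opaque.
TAGS = {
    "PKID_SCEP_EE_CERT_ENROLL_FAIL": "SCEP",
    "PKID_CMPV2_EE_CERT_ENROLL_FAIL": "CMPv2",
}
TAG_RE = re.compile(r"\b(" + "|".join(TAGS) + r")\b")
# Assumed traditional syslog prefix: "Mon DD HH:MM:SS hostname ..."
PREFIX_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(\S+)\s")


def enrollment_failures(lines):
    """Count enrollment failures per (host, protocol)."""
    counts = Counter()
    for line in lines:
        tag = TAG_RE.search(line)
        if not tag:
            continue
        prefix = PREFIX_RE.match(line)
        # Lines without the assumed prefix are still counted, under "unknown".
        host = prefix.group(1) if prefix else "unknown"
        counts[(host, TAGS[tag.group(1)])] += 1
    return counts


def hosts_to_alert(counts, threshold=2):
    """Hosts whose failures for one protocol reach the (assumed) threshold."""
    return sorted({host for (host, _), n in counts.items() if n >= threshold})


# Constructed sample lines; the text after each tag is invented.
SAMPLE = [
    "Jan 10 09:00:01 srx-a pkid[1234]: PKID_SCEP_EE_CERT_ENROLL_FAIL: constructed sample text",
    "Jan 10 09:05:01 srx-a pkid[1234]: PKID_SCEP_EE_CERT_ENROLL_FAIL: constructed sample text",
    "Jan 10 09:06:11 srx-b pkid[4321]: PKID_CMPV2_EE_CERT_ENROLL_FAIL: constructed sample text",
    "Jan 10 09:07:00 srx-b sshd[99]: Accepted publickey for admin",
    "PKID_CMPV2_EE_CERT_ENROLL_FAIL line without a syslog prefix",
]

if __name__ == "__main__":
    counts = enrollment_failures(SAMPLE)
    for (host, proto), n in sorted(counts.items()):
        print(f"{host}: {n} {proto} enrollment failure(s)")
    print("alert:", hosts_to_alert(counts))
```

Repeated failures matter operationally because a device that cannot enroll or re-enroll will eventually present an expired certificate, so the threshold should be tuned to the enrollment retry interval in use.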

SSL Proxy

  • Configuration Limits for SSL Proxy Profiles—We have updated the limits for Trusted CA certificates, Server certificates, and URL categories in both SSL forward proxy and SSL reverse proxy configurations. These changes ensure compliance with the maximum configuration blob size limit of 56,986 bytes.

    Changes in Limit Size:

    • Trusted CA certificate/Server certificates: Maximum limit - 400 (reduced from 1024)
    • URL categories: Maximum limit - 800 (unchanged)

    Configuration Statements:

    Note: In the reverse proxy configuration, ensure that the combined size of server certificates and URL categories does not exceed 56,986 bytes. If the combined size exceeds the limit, the following error message is displayed during commit: This error provides a breakdown of memory usage, helping you adjust the configuration accordingly.

    [See Configuring SSL Proxy.]

User Access and Authentication

User Interface and Configuration

  • Changes to the show system storage command output (ACX Series, EX Series, MX Series, QFX Series, and SRX Series)—We've updated the show system storage command output to include only true (physical) storage and exclude any host/hypervisor level storage. In earlier releases, the output also included container/jail storage, which does not have separate storage of its own.

    [See show system storage.]

VPNs

  • Support for hmac-sha-384/512 authentication in PMI (SRX Series Firewalls and vSRX 3.0)—You can configure hmac-sha-384 and hmac-sha-512 authentication algorithms with PowerMode IPsec (PMI) when running IPsec VPN with the iked process.

    [See PowerMode IPsec.]