What's Changed

Learn about what changed in this release for SRX Series.

Application Security

  • Deprecation of ssl-version in custom signatures (SRX Series)—The ssl-version option in SSL context-based custom signatures is deprecated in application signature package version 3796 and later. Use the ssl-protocol-version option instead. The ssl-version option is deprecated, rather than immediately removed, to provide backward compatibility and an opportunity to bring your configuration into compliance with the new configuration.

    [See Custom Application Signatures for Application Identification and context.]

  • Configuration Limits for SSL Proxy Profiles—Starting in this release, we have updated the limits for trusted CA certificates, server certificates, and URL categories in both SSL forward proxy and SSL reverse proxy configurations. These changes keep the configuration within the maximum configuration blob size of 56,986 bytes.

    Changes in limit size:

    • Trusted CA certificates/server certificates: maximum 400 (changed from 1024)
    • URL categories: maximum 800 (unchanged)

    Configuration statements:

    Note: In the reverse proxy configuration, ensure that the combined size of server certificates and URL categories does not exceed 56,986 bytes. If the combined size exceeds the limit, the following error message is displayed during commit: This error provides a breakdown of memory usage, helping you adjust the configuration accordingly.

    [See Configuring SSL Proxy.]

Content Security

  • Sophos antivirus configuration for ISSU (SRX Series)—To use Sophos antivirus while performing an in-service software upgrade (ISSU), remove the following configuration statements before you start the upgrade:

    • edit security utm default-configuration anti-virus forwarding-mode holdset

    • edit security utm default-configuration anti-virus forwarding-mode inline-tap

    This caution applies only to ISSU and not to standalone upgrades. After the ISSU completes, you can reconfigure these statements. The Sophos antivirus feature performs as usual when both devices come up.

    [See Sophos Antivirus Configuration Overview.]

Chassis Clustering

  • Define a redundancy mode for a chassis cluster using one of the following values:

    • active-active: primary and secondary nodes in active mode.

    • active-backup: primary in active, secondary in backup mode.

Juniper Secure Connect

  • Support for iPadOS for prelogon compliance checks in Juniper Secure Connect (SRX Series and vSRX3.0)—You can configure prelogon compliance checks on your firewall to allow or reject endpoints running iPadOS. Use the ipados option at the [edit security remote-access compliance pre-logon name term name match platform] hierarchy level to enforce these checks. This ensures that only compliant iPadOS devices are permitted access, enhancing the security of your network.

    [See compliance (Juniper Secure Connect).]

Network Address Translation (NAT)

  • Support for NAT debugging (SRX Series Firewalls and vSRX)—To debug NAT-related issues, use the nat option with the request support information security-components command.

    [See request support information.]

PKI

  • SSH key options for user account credentials—You can configure the key-options option at the [edit system login user <user> authentication (ssh-rsa | ssh-ecdsa | ssh-ed25519) <ssh-key>] hierarchy level.

    [See login.]

  • Certificate enrollment system logs (Junos)—We've added system log messages that report SCEP and CMPv2 certificate enrollment failures. On an SCEP certificate enrollment failure, the PKID_SCEP_EE_CERT_ENROLL_FAIL message is logged. On a CMPv2 certificate enrollment failure, the PKID_CMPV2_EE_CERT_ENROLL_FAIL message is logged.

    [See System Log Explorer.]

Platform and Infrastructure

  • Alarm added to indicate failure in writing the security logs to traffic logs (SRX4700)—We've introduced alarms that indicate a failure to write security logs to the traffic log due to disk corruption or a read/write error. The alarms appear in the output of the show system alarms command.

Security Policies

  • Secure Web Proxy Renamed as Transparent Web Proxy (SRX380, SRX320, SRX340, SRX345, SRX1600, SRX2300, SRX4100, SRX4200, SRX4300, and vSRX3.0)—Starting in Junos OS Release 25.2R1, we've renamed the secure web proxy as transparent web proxy. If you are planning to upgrade to Junos OS Release 25.2R1 or a later release, note the following points regarding the proxy functionality:

    All existing secure web proxy CLI statements and commands are deprecated. Starting in Junos OS Release 25.2R1, the secure web proxy functionality is deprecated, rather than immediately removed, to provide backward compatibility and an opportunity to bring your configuration into compliance with the new configuration. As part of this change, the [edit services web-proxy secure-proxy] hierarchy and all configuration options under it are deprecated: the hierarchy for transparent proxy configuration statements has changed from set services web-proxy secure-proxy to set services web-proxy transparent-proxy.

    To migrate, replace the existing command hierarchies with the new ones shown in the following table.

    Table 1: Secure Web Proxy Hierarchy Replacements

    Previous hierarchy (secure web proxy):
      set services web-proxy secure-proxy
    New hierarchy (transparent web proxy):
      set services web-proxy transparent-proxy

    Previous policy statement (secure web proxy):
      set security policies from-zone trust to-zone untrust policy apply_webproxy then permit application-services web-proxy profile-name <trans-proxy-profile-name>
    New policy statement (transparent web proxy):
      set security policies from-zone trust to-zone untrust policy apply_webproxy then permit application-services transparent-proxy profile-name <trans-proxy-profile-name>

    These adjustments keep your configuration current and ready to take advantage of the new features.

    [See Transparent Web Proxy (Junos OS version 25.2R1 and later releases) and Secure Web Proxy (Junos OS version before Junos OS 25.2R1).]
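    The migration in Table 1 is a mechanical rename of two token sequences in set-format configuration, which is worth scripting rather than editing by hand when many policies reference a proxy profile. The following is an added example written for this page, not Juniper code: it rewrites a configuration exported with show configuration | display set, matching on whole tokens so that a quoted description that happens to contain "secure-proxy" is left alone. The sample configuration is constructed, and the leaf statements under the profile (profile, description) are illustrative placeholders, not a claim about the real hierarchy.

```python
"""Rewrite Junos 'set' statements from the deprecated secure web proxy
hierarchy to the transparent web proxy hierarchy (Junos OS 25.2R1+).

Editor's example, not Juniper code. Assumes set-format input and that only
the two renames from Table 1 are needed.
"""
import re
from typing import Iterable

# (old token sequence, new token sequence), taken from Table 1.
RENAMES = [
    (("services", "web-proxy", "secure-proxy"),
     ("services", "web-proxy", "transparent-proxy")),
    (("application-services", "web-proxy", "profile-name"),
     ("application-services", "transparent-proxy", "profile-name")),
]

# Keep quoted strings as single tokens so descriptions survive a round trip.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def migrate_line(line: str) -> tuple[str, bool]:
    """Return (rewritten line, changed?) for one configuration statement."""
    toks = _TOKEN.findall(line)
    if not toks or toks[0] not in ("set", "delete", "deactivate", "activate"):
        return line, False  # blank lines, comments and non-set syntax: untouched
    changed = False
    for old, new in RENAMES:
        n = len(old)
        for i in range(1, len(toks) - n + 1):
            if tuple(toks[i:i + n]) == old:
                toks[i:i + n] = list(new)
                changed = True
                break
    return (" ".join(toks) if changed else line), changed


def migrate_config(lines: Iterable[str]) -> tuple[list[str], list[str]]:
    """Rewrite every statement; return (new config, change log for review)."""
    out, log = [], []
    for num, line in enumerate(lines, 1):
        new, changed = migrate_line(line.rstrip("\n"))
        out.append(new)
        if changed:
            log.append(f"line {num}: {line.strip()!r} -> {new!r}")
    return out, log


# Constructed sample; profile sub-statements are placeholders.
SAMPLE_CONFIG = """\
set services web-proxy secure-proxy profile trans-proxy-profile-1 description "secure-proxy for SaaS"
set security policies from-zone trust to-zone untrust policy apply_webproxy match source-address any
set security policies from-zone trust to-zone untrust policy apply_webproxy then permit application-services web-proxy profile-name trans-proxy-profile-1
set security policies from-zone trust to-zone untrust policy apply_webproxy then permit application-services ssl-proxy profile-name ssl-fp
set system services netconf ssh
"""

if __name__ == "__main__":
    new_config, changes = migrate_config(SAMPLE_CONFIG.splitlines())
    print("\n".join(new_config))
    print(f"\n{len(changes)} statement(s) rewritten:")
    print("\n".join(changes))
```

    Review the change log before loading the result; statements that reference the proxy profile from other hierarchies, if any exist in your configuration, are outside the two renames the release note lists and are deliberately not touched.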

User Interface and Configuration

  • Access privileges for request support information command (ACX Series, EX Series, MX Series, QFX Series, SRX Series Firewalls, and vSRX Virtual Firewall)—The request support information command generates system information for troubleshooting and debugging purposes. Users with the maintenance, view, and view-configuration access privileges can execute the request support information command.

  • Changes to the show system storage command output (ACX Series, EX Series, MX Series, QFX Series, and SRX Series)—We've updated the show system storage command output to include only true (physical) storage and to exclude host/hypervisor-level storage. In earlier releases, the output also included container/jail storage, which has no separate storage of its own.

    [See show system storage.]

  • netconf ssh is removed from the factory-default device configuration (SRX300, SRX320, SRX340, SRX345, and SRX380)—To enhance security, we've removed the netconf ssh statement at the [edit system services] hierarchy level from the factory-default device configuration. To use this service, configure the statement explicitly.

VPNs

  • Global option to disable inline IPsec hardware offloading (SRX4700)—You can disable hardware offloading of IPsec tunnel processing in the Packet Forwarding Engine ASIC. Use the command set security ipsec hw-offload-disable to globally disable inline IPsec processing of packets. When you configure the statement, the firewall processes IPsec tunnels on the CPU instead of in the Packet Forwarding Engine ASIC. This statement replaces the previous hidden option no-hw-offload at the [edit security ipsec] hierarchy level and provides a single firewall-level control for IPsec hardware offloading.

    [See ipsec (Security).]

  • Deprecation of weak algorithms in IPsec VPN (SRX Series and vSRX 3.0)—We've deprecated the weak algorithms in IKE and IPsec proposals. You'll no longer be able to use the following algorithms:

    Table 2: Deprecated Junos CLI Options

    • Encryption algorithm in IKE proposal: des-cbc and 3des-cbc (set security ike proposal name encryption-algorithm)
    • Authentication algorithm in IKE proposal: md5 and sha1 (set security ike proposal name authentication-algorithm)
    • DH group in IKE proposal: group1, group2, and group5 (set security ike proposal name dh-group)
    • Encryption algorithm in IPsec proposal: des-cbc and 3des-cbc (set security ipsec proposal name encryption-algorithm)
    • Authentication algorithm in IPsec proposal: hmac-md5-96 and hmac-sha1-96 (set security ipsec proposal name authentication-algorithm)

    You will receive a warning message if you configure these deprecated algorithms explicitly. As an alternative, we recommend that you configure stronger algorithms to enhance the security of your IPsec VPN.

    [See proposal (Security IKE) and proposal (Security IPsec).]
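    Because the commit only warns, a deprecated proposal can survive an upgrade unnoticed until a peer stops negotiating it. The following is an added example written for this page, not Juniper code: it audits set-format configuration against exactly the five rows of Table 2 and emits a replacement set statement for each hit. The replacement values (aes-256-cbc, sha-256, hmac-sha-256-128, group14) are the editor's choice of widely supported Junos options, not a recommendation from the release note; confirm that the remote peer supports them before committing. The sample configuration is constructed.

```python
"""Audit Junos IKE/IPsec proposals for the algorithms deprecated in Table 2.

Editor's example, not Juniper code. Assumes set-format input
(show configuration | display set).
"""
import re
from dataclasses import dataclass

# Exactly the rows of Table 2, keyed by (proposal kind, leaf statement).
DEPRECATED = {
    ("ike", "encryption-algorithm"): {"des-cbc", "3des-cbc"},
    ("ike", "authentication-algorithm"): {"md5", "sha1"},
    ("ike", "dh-group"): {"group1", "group2", "group5"},
    ("ipsec", "encryption-algorithm"): {"des-cbc", "3des-cbc"},
    ("ipsec", "authentication-algorithm"): {"hmac-md5-96", "hmac-sha1-96"},
}

# Editor's suggested replacements (assumption: check peer support first).
# If you move ESP to an AEAD cipher such as aes-256-gcm, delete the
# authentication-algorithm leaf instead of replacing it.
SUGGEST = {
    ("ike", "encryption-algorithm"): "aes-256-cbc",
    ("ike", "authentication-algorithm"): "sha-256",
    ("ike", "dh-group"): "group14",
    ("ipsec", "encryption-algorithm"): "aes-256-cbc",
    ("ipsec", "authentication-algorithm"): "hmac-sha-256-128",
}

_PROPOSAL = re.compile(
    r"^set security (?P<kind>ike|ipsec) proposal (?P<name>\S+) "
    r"(?P<stmt>encryption-algorithm|authentication-algorithm|dh-group) "
    r"(?P<value>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str        # "ike" or "ipsec"
    proposal: str
    statement: str
    value: str

    def remediation(self) -> str:
        # These leaves are single-valued, so a new 'set' replaces the old value.
        return (f"set security {self.kind} proposal {self.proposal} "
                f"{self.statement} {SUGGEST[(self.kind, self.statement)]}")


def audit(lines) -> list[Finding]:
    """Return one Finding per explicitly configured deprecated algorithm."""
    findings = []
    for no, raw in enumerate(lines, 1):
        m = _PROPOSAL.match(raw.strip())
        if not m:
            continue
        key = (m["kind"], m["stmt"])
        if m["value"] in DEPRECATED.get(key, ()):
            findings.append(Finding(no, m["kind"], m["name"], m["stmt"], m["value"]))
    return findings


# Constructed sample: one legacy and one modern proposal of each kind.
SAMPLE_CONFIG = """\
set security ike proposal legacy-ike authentication-method pre-shared-keys
set security ike proposal legacy-ike dh-group group2
set security ike proposal legacy-ike authentication-algorithm sha1
set security ike proposal legacy-ike encryption-algorithm 3des-cbc
set security ike proposal modern-ike dh-group group14
set security ike proposal modern-ike authentication-algorithm sha-256
set security ike proposal modern-ike encryption-algorithm aes-256-cbc
set security ipsec proposal legacy-esp protocol esp
set security ipsec proposal legacy-esp authentication-algorithm hmac-sha1-96
set security ipsec proposal legacy-esp encryption-algorithm 3des-cbc
set security ipsec proposal modern-esp protocol esp
set security ipsec proposal modern-esp encryption-algorithm aes-256-cbc
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG.splitlines()):
        print(f"line {f.line_no}: {f.kind} proposal {f.proposal} uses "
              f"deprecated {f.statement} {f.value}")
        print(f"    fix: {f.remediation()}")
```

    The audit only catches algorithms that are configured explicitly, which is also the case the release note says produces a commit warning; proposals that rely on defaults need to be checked against the proposal documentation referenced above.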

  • Default installation of junos-ike package on additional platforms (SRX1500, SRX4100, SRX4200, SRX4600, and vSRX3.0)—The junos-ike package is installed by default on SRX1500, SRX4100, SRX4200, SRX4600, and vSRX3.0 firewalls, so the iked process provides the IPsec VPN service by default. This aligns with the existing default installation of the package on the SRX5000 line with Routing Engine 3 (SRX5K-SPC3 with RE3). You can delete the junos-ike package using the command request system software delete junos-ike; after deletion, these firewalls run the kmd process instead, allowing flexible management of your security infrastructure.

    [See IPsec VPN Feature Support with New Package.]
