What's Changed

Learn about what changed in this release for vSRX.

Juniper Secure Connect

  • Support for iPadOS for prelogon compliance checks in Juniper Secure Connect (SRX Series, and vSRX3.0)—You can configure prelogon compliance checks on your firewall to allow or reject endpoints running iPadOS. Use the ipados option at the [edit security remote-access compliance pre-logon name term name match platform] hierarchy level to enforce these checks. This ensures that only compliant iPadOS devices are permitted access, enhancing the security of your network.

    [See compliance (Juniper Secure Connect).]

Network Address Translation (NAT)

  • Support for NAT debugging (SRX Series Firewalls and vSRX): To debug NAT-related issues, use the nat option with the request support information security-components command.

    [See request support information.]

User Interface and Configuration

  • Access privileges for request support information command (ACX Series, EX Series, MX Series, QFX Series, SRX Series Firewalls, and vSRX Virtual Firewall)—The request support information command generates system information for troubleshooting and debugging purposes. Users with the access privileges maintenance, view, and view-configuration can execute the request support information command.

VPNs

  • Deprecation of weak algorithms in IPsec VPN (SRX Series and vSRX 3.0)—We've deprecated the weak algorithms in IKE and IPsec proposals. You'll no longer be able to use the following algorithms:

    Table 1: Deprecated Junos CLI Options

    | Type | Algorithm | Junos CLI Statement |
    |---|---|---|
    | Encryption Algorithm in IKE Proposal | des-cbc and 3des-cbc | set security ike proposal name encryption-algorithm |
    | Authentication Algorithm in IKE Proposal | md5 and sha1 | set security ike proposal name authentication-algorithm |
    | DH Group in IKE Proposal | group1, group2, and group5 | set security ike proposal name dh-group |
    | Encryption Algorithm in IKE Proposal | des-cbc and 3des-cbc | set security ipsec proposal name encryption-algorithm |
    | Authentication Algorithm in IKE Proposal | hmac-md5-96 and hmac-sha1-96 | set security ipsec proposal name authentication-algorithm |

    You will receive a warning message if you configure these deprecated algorithms explicitly. As an alternative, we recommend that you configure the stronger algorithms to enhance the security in IPsec VPN.

    [See proposal (Security IKE) and proposal (Security IPsec).]

  • Default installation of junos-ike package on additional platforms (SRX1500, SRX4100, SRX4200, SRX4600, and vSRX3.0)—The junos-ike package is installed by default on SRX1500, SRX4100, SRX4200, SRX4600, and vSRX3.0 firewalls, so the iked process supports the IPsec VPN service by default. This aligns with the existing default installation of the package on the SRX5000 line with Routing Engine 3 (SRX5K-SPC3 with RE3). You can delete the junos-ike package using the command request system software delete junos-ike. Deleting the package runs the kmd process on these firewalls, allowing flexible management of your security infrastructure.

    [See IPsec VPN Feature Support with New Package.]
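
To find proposals that still use the algorithms deprecated in Table 1 before you upgrade, you can scan set-format configuration text (for example, the output of show configuration | display set). The script below is an added example, not Juniper code; the function name, proposal names, and sample configuration are constructed for illustration.

```python
import re

# Deprecated values per hierarchy and statement, taken from Table 1 on this page.
DEPRECATED = {
    ("ike", "encryption-algorithm"): {"des-cbc", "3des-cbc"},
    ("ike", "authentication-algorithm"): {"md5", "sha1"},
    ("ike", "dh-group"): {"group1", "group2", "group5"},
    ("ipsec", "encryption-algorithm"): {"des-cbc", "3des-cbc"},
    ("ipsec", "authentication-algorithm"): {"hmac-md5-96", "hmac-sha1-96"},
}

# Matches: set [groups G] security ike|ipsec proposal NAME STATEMENT VALUE
SET_LINE = re.compile(
    r"^\s*set\s+(?:groups\s+\S+\s+)?security\s+(ike|ipsec)\s+proposal\s+"
    r"(\S+)\s+(encryption-algorithm|authentication-algorithm|dh-group)\s+(\S+)\s*$"
)

def find_deprecated(config_text):
    """Return (line_no, hierarchy, proposal, statement, value) per deprecated setting."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = SET_LINE.match(line)
        if not m:
            continue  # not an IKE/IPsec proposal algorithm statement
        hierarchy, proposal, statement, value = m.groups()
        # The same value can be valid in one hierarchy and deprecated in another,
        # so the lookup is keyed on (hierarchy, statement), not on the value alone.
        if value in DEPRECATED.get((hierarchy, statement), set()):
            findings.append((line_no, hierarchy, proposal, statement, value))
    return findings

# Constructed sample input (hypothetical proposal names).
SAMPLE_CONFIG = """\
set security ike proposal LEGACY-IKE encryption-algorithm 3des-cbc
set security ike proposal LEGACY-IKE authentication-algorithm sha1
set security ike proposal LEGACY-IKE dh-group group2
set security ike proposal MODERN-IKE encryption-algorithm aes-256-cbc
set security ike proposal MODERN-IKE authentication-algorithm sha-256
set security ike proposal MODERN-IKE dh-group group14
set security ipsec proposal LEGACY-ESP authentication-algorithm hmac-sha1-96
set security ipsec proposal MODERN-ESP authentication-algorithm hmac-sha-256-128
set security ike policy P1 proposals LEGACY-IKE
"""

if __name__ == "__main__":
    for line_no, hier, name, stmt, value in find_deprecated(SAMPLE_CONFIG):
        print(f"line {line_no}: {hier} proposal {name}: {stmt} {value} is deprecated")
```

The check only covers values set explicitly in proposals, which is the case the warning message on this page describes.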
