What's Changed

Learn about what changed in this release for SRX Series.

Application Security

  • Support for routing-instance and source address for application signature download (SRX Series Firewalls)—New configuration options enable you to specify a custom routing instance and source address for downloading application identification signature packages. This change enables enhanced traffic routing control and aligns signature downloads with specific network policies.

    [See Configuring Application Signature Package Download Options.]

Authentication and Access Control

  • For push-to-identity-management to successfully push the authentication entry to JIMS, you must configure JIMS and verify that JIMS status is online.

    [See push-to-identity-management.]

Content Security

  • Support for IPv6 in Enhanced Web filtering (EWF) (SRX Series Firewall)—Use this feature to enable IPv6 support in server settings for Content Security Enhanced Web Filtering and Sophos Antivirus. Configure IPv6 addresses in proxy profiles and host name fields to improve compatibility and reachability across IPv6 networks. By default, IPv4 web filtering remains enabled.

  • Antivirus syslog enhancement (SRX Series Firewall)—We've added the following fields in the antivirus syslog:

    • application

    • application-category

    • file-size

    • file-hash

    • malware-info

    • nested-application

    • policy-name

    • threat-score

    [See show log.]

  • Web filtering syslog enhancement (SRX Series Firewall)—We've added the policy-name field in the Web filtering syslog.

    [See show log.]

  • Web filtering cache-preload status enhancement (SRX Series Firewall and vSRX)—We've added the Download status field in the show security utm web-filtering cache-preload status operational command output.

    [See show security utm web-filtering cache-preload status.]

Flow-Based and Packet-Based Processing

  • Standardized byte accounting for non-VLAN Ethernet packets across SPC3 and IOC (SRX Series Firewall)—Starting from this release, for an Ethernet header without VLAN, the byte count increment for packets sized 100 bytes has been standardized across SPC3 and IOC processing units.

    Previously, SPC3 processed packets showed an increment of 86 bytes, while IOC packets showed 100 bytes. Now, both SPC3 and IOC units uniformly skip counting the Ethernet header, resulting in a consistent byte count increment of 86 bytes per packet. This enhancement ensures uniformity in packet processing and accurate byte count accounting across different processing units.

  • Enable or disable IEEE 802.3x pause for NICs in FPC 0 (SRX4700)—SRX4700 allows you to control Lossless Flow Control (IEEE 802.3x Pause) on NICs associated with FPC 0 to optimize performance under burst-heavy or asymmetric CPU load conditions. By default, lossless flow control is enabled to provide maximum buffering and protect against congestion. You can disable flow control to prevent pause-frame propagation and ensure that traffic continues to reach underutilized CPUs even when other CPUs are congested.

    Configure using:

    • set chassis fpc 0 lossless-flow-control lossless-flow-control-enable

    • set chassis fpc 0 lossless-flow-control no-lossless-flow-control-enable

    This setting applies only to NICs on FPC 0 (SRXPFE).

    The configuration takes effect immediately (no reboot required) and persists across system reboots, VMHOST reboots, and SRXPFE restarts.

    [See Flow Control for Ethernet Interfaces.]

High Availability

  • IPv6 support for Multinode High Availability Configuration (SRX Series Firewalls)—A new enhancement has been added to support the configuration of IPv6 addresses for the active signal route, backup signal route, and install on failure route options under services-redundancy-group configurations on your MNHA setup. With this update, you can now configure IPv6 addresses, facilitating compatibility with IPv6 networks and improving overall network interoperability.

    [See Multinode High Availability.]

Identity Aware Firewall

Infrastructure

  • You can now boot vSRX 3.0 with either UEFI or BIOS.

Interfaces

  • ARP restriction for VLAN IDs 3072 to 4094 (SRX4700)—You cannot configure VLAN IDs ranging from 3072 to 4094. This ensures correct network behavior and prevents potential conflicts within these VLAN ranges, promoting network stability and reliability.

Intrusion Detection and Prevention (IDP)

  • Improved Handling of IDP Policy Compilation Status (SRX Series Firewall)—Previously, if an IDP policy compilation failed and a subsequent commit did not involve IDP changes, the compilation status could be lost or appear blank. This has been resolved—the system now retains and displays the last known policy compilation status, even when later commits do not trigger policy recompilation or when the policy is unloaded due to configuration changes. There is no change in the underlying IDP functionality, only in how the status message is preserved.

Network Management and Monitoring

  • Deprecation of shell option—The shell option no longer requires a separate configuration and is now the default behavior. Deprecating the shell option enhances efficiency and simplifies management tasks.

  • New option for debug collector data storage path—We've included the option outdir to specify an output directory for storing debug collector data in a customized path. This allows you to organize and access diagnostic information more efficiently, adapting storage to your specific requirements.

    [See request system debug-info.]

  • Enhanced syslog fields for screen event monitoring (SRX Series Firewalls)—We have added new fields to screen-related syslogs to improve network security monitoring and analysis. The syslogs now include additional fields such as source port, destination port, destination zone name, session ID, policy name, application user, threat score, and threat severity. These fields apply to various screen types like RT_SCREEN_IP, RT_SCREEN_ICMP, RT_SCREEN_TCP, RT_SCREEN_TCP_DST_IP, RT_SCREEN_UDP, and RT_SCREEN_TCP_SRC_IP. This enhancement allows for more detailed analysis and monitoring, improving threat detection and response capabilities.

  • IPv6 DNS resolution option in security log stream configuration (SRX Series Firewalls and vSRX 3.0)—You can enable the prefer-ipv6-dns option at the [edit security log stream s1 host] configuration hierarchy to prioritize IPv6 address resolution for DNS queries. This option ensures that IPv6 addresses are used instead of the default IPv4 addresses. This configuration enhances IPv6 network compatibility and supports environments that require IPv6 addressing.

Platform and Infrastructure

  • G.8275.1 profile configuration with PTP, SyncE, and hybrid mode (Junos)—On all Junos platforms, when configuring the G.8275.1 profile, it is mandatory to configure Precision Time Protocol (PTP), Synchronous Ethernet (SyncE), and hybrid mode. Earlier, the system would not raise a commit error even if the required hybrid and SyncE configurations were missing while configuring G.8275.1 profile. However, going forward you will not be able to configure the G.8275.1 profile without configuring PTP, SyncE and hybrid mode to be compliant with the ITU-T standards.

    [See G.8275.1 Telecom Profile.]

  • You can now enable zeroization on a vSRX 3.0 Virtual Firewall using the CLI to destroy Critical Security Parameters (CSPs). Run the request system zeroize command to zeroize the system configuration and keys. When you run this command, all the configuration information is removed, the key values are reset, and the vSRX 3.0 firewall is reverted to factory defaults after reboot.

Routing Policy and Firewall Filters

  • IPv6 address range support in address book configuration—You can configure IPv6 address ranges within the address book, enabling more flexible network management. With this feature, IPv6 range configurations can be split into multiple prefixes. You must handle this feature carefully, as it transforms ranges into multiple prefixes.
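    To see what the range-to-prefix transformation described above means in practice, this added example (not from the release notes or from Junos) splits an IPv6 range into the minimal set of covering prefixes and counts them, so you can check how many address-book entries a given range would turn into before committing it. The ranges are constructed samples.

```python
import ipaddress

def range_to_prefixes(first, last):
    """Return the minimal list of IPv6 prefixes that exactly cover first..last (inclusive)."""
    start = ipaddress.IPv6Address(first)
    end = ipaddress.IPv6Address(last)
    if start > end:
        raise ValueError("range start must not exceed range end")
    # summarize_address_range yields the fewest CIDR blocks covering the range.
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]

def prefix_count(first, last):
    """Number of prefixes a range expands into; a large value is a sign to re-cut the range."""
    return len(range_to_prefixes(first, last))

def ranges_over_limit(ranges, limit):
    """Return the (first, last) pairs that expand into more than `limit` prefixes.

    `limit` is an assumed local policy value, not a Junos limit."""
    return [(f, l) for f, l in ranges if prefix_count(f, l) > limit]

# Constructed sample ranges: the first is prefix-aligned, the second is off by one
# and fans out into many prefixes even though it covers almost the same addresses.
SAMPLE_RANGES = [
    ("2001:db8::", "2001:db8::ffff"),
    ("2001:db8::1", "2001:db8::ff"),
]

if __name__ == "__main__":
    for first, last in SAMPLE_RANGES:
        prefixes = range_to_prefixes(first, last)
        print(f"{first} to {last}: {len(prefixes)} prefix(es)")
        for p in prefixes:
            print("   ", p)
    print("over limit:", ranges_over_limit(SAMPLE_RANGES, 4))
```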

SSL Proxy

  • Configuration Limits for SSL Proxy Profiles—We have updated the limits for Trusted CA certificates, Server certificates, and URL categories in both SSL forward proxy and SSL reverse proxy configurations. These changes ensure compliance with the maximum configuration blob size limit of 56,986 bytes.

    • Trusted CA certificate/Server certificates: Maximum limit 400 (reduced from 1024)

    • URL categories: Maximum limit 800 (unchanged)

    [See Configuring SSL Proxy.]

User Interface and Configuration

  • Generate genstate YANG modules on Junos devices—You can use show system schema operational command or equivalent RPC to generate the genstate YANG modules in the specified output directory on a device.

    [See show system schema.]

VPNs

  • Default installation of junos-ike package on additional platforms (SRX1500, SRX4100, SRX4200, SRX4600, and vSRX 3.0)—The junos-ike package is installed by default on SRX1500, SRX4100, SRX4200, SRX4600, and vSRX 3.0 firewalls, ensuring default support for the iked process for the IPsec VPN service. This aligns with the existing default installation of the package on the SRX5000 line with Routing Engine 3 (SRX5K-SPC3 with RE3). You can delete the junos-ike package using the command request system software delete junos-ike. After deletion, these firewalls run the kmd process instead, allowing flexible management of your security infrastructure.

    [See IPsec VPN Overview.]

  • Global option to disable inline IPsec hardware offloading (SRX4700)—You can disable hardware offloading of IPsec tunnel processing in the Packet Forwarding Engine ASIC. Use the command set security ipsec hw-offload-disable to globally disable this inline IPsec processing of packets. When you configure the statement, the firewall processes IPsec tunnels in CPU instead of the Packet Forwarding Engine ASIC. This statement replaces the previous hidden option no-hw-offload at the [edit security ipsec] hierarchy level. This global configuration provides a streamlined approach to managing IPsec hardware offloading settings at the firewall level.

    [See ipsec (Security).]

  • Deprecation of weak algorithms in IPsec VPN (SRX Series and vSRX 3.0)—We've deprecated the weak algorithms in IKE and IPsec proposals. You'll no longer be able to use the following algorithms:

    Table 1: Deprecated Junos CLI Options

    Type                                        Algorithm                     Junos CLI Statement
    Encryption Algorithm in IKE Proposal        des-cbc and 3des-cbc          set security ike proposal name encryption-algorithm
    Authentication Algorithm in IKE Proposal    md5 and sha1                  set security ike proposal name authentication-algorithm
    DH Group in IKE Proposal                    group1, group2, and group5    set security ike proposal name dh-group
    Encryption Algorithm in IPsec Proposal      des-cbc and 3des-cbc          set security ipsec proposal name encryption-algorithm
    Authentication Algorithm in IPsec Proposal  hmac-md5-96 and hmac-sha1-96  set security ipsec proposal name authentication-algorithm

    You will receive a warning message if you configure these deprecated algorithms explicitly. As an alternative, we recommend that you configure the stronger algorithms to enhance the security in IPsec VPN.

    [See proposal (Security IKE) and proposal (Security IPsec).]
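    The following added example (not from the release notes or from Junos) audits a set-format Junos configuration for the deprecated proposal options listed in Table 1 above, so you can find them before the upgrade rather than waiting for the commit warning. The sample configuration is constructed; the stronger values it pairs them with (group19, sha-256, aes-256-cbc, aes-256-gcm) are existing Junos options that are not part of the table.

```python
import re

# Deprecated values per Table 1: (proposal family, statement) -> deprecated algorithm names.
DEPRECATED = {
    ("ike", "encryption-algorithm"): {"des-cbc", "3des-cbc"},
    ("ike", "authentication-algorithm"): {"md5", "sha1"},
    ("ike", "dh-group"): {"group1", "group2", "group5"},
    ("ipsec", "encryption-algorithm"): {"des-cbc", "3des-cbc"},
    ("ipsec", "authentication-algorithm"): {"hmac-md5-96", "hmac-sha1-96"},
}

# Matches "set security <ike|ipsec> proposal <name> <statement> <value>".
PROPOSAL_RE = re.compile(
    r"^set security (ike|ipsec) proposal (\S+) "
    r"(encryption-algorithm|authentication-algorithm|dh-group) (\S+)$"
)

def find_deprecated(config_text):
    """Return (line_no, family, proposal, statement, value) for every deprecated proposal option."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        m = PROPOSAL_RE.match(raw.strip())
        if not m:
            continue  # not a proposal algorithm statement
        family, proposal, statement, value = m.groups()
        if value in DEPRECATED.get((family, statement), set()):
            findings.append((line_no, family, proposal, statement, value))
    return findings

# Constructed sample: one legacy proposal per family next to a proposal using current options.
SAMPLE_CONFIG = """\
set security ike proposal legacy-ike authentication-method pre-shared-keys
set security ike proposal legacy-ike dh-group group2
set security ike proposal legacy-ike authentication-algorithm sha1
set security ike proposal legacy-ike encryption-algorithm 3des-cbc
set security ike proposal strong-ike dh-group group19
set security ike proposal strong-ike authentication-algorithm sha-256
set security ike proposal strong-ike encryption-algorithm aes-256-cbc
set security ipsec proposal legacy-ipsec authentication-algorithm hmac-sha1-96
set security ipsec proposal legacy-ipsec encryption-algorithm des-cbc
set security ipsec proposal strong-ipsec encryption-algorithm aes-256-gcm
"""

if __name__ == "__main__":
    for line_no, family, proposal, statement, value in find_deprecated(SAMPLE_CONFIG):
        print(f"line {line_no}: {family} proposal {proposal}: {statement} {value} is deprecated")
```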

  • SCEP certificate re-enrollment (SRX Series)—RFC 8894 states that the challenge password is optional when an existing certificate signs a renewal request. The challenge password is therefore not mandatory, and you can commit the configuration without it.

    [See Enroll a Certificate.]

  • Configuration validation for HA link encryption (SRX Series)—New validation checks have been introduced to restrict the configuration of tunnel MTU for HA link encryption tunnels in a Multinode High Availability setup. The validation check ensures that the end-to-end MTU for HA links using IPv6 encryption meets the minimum requirement of 2000 bytes, helping maintain optimal performance and reliability during high availability operations. For example, if your configuration includes the following stanza, you'll receive a commit check error: user@host# set security ipsec vpn L3HA_IPSEC_VPN tunnel-mtu <bytes>.

    Note: In an MNHA setup, for IPv6 HA link encryption, ensure that you maintain a minimum end-to-end MTU of 2000 bytes.

    [See Multinode High Availability.]

  • Support for hmac-sha-384/512 authentication in PMI (SRX Series Firewalls and vSRX 3.0)—You can configure hmac-sha-384 and hmac-sha-512 authentication algorithms with PowerMode IPsec (PMI) when running IPsec VPN with the iked process.

    [See PowerMode IPsec.]