What's Changed

Learn about what changed in this release for vSRX.

Authentication and Access Control

  • For push-to-identity-management to successfully push the authentication entry to JIMS, you must configure JIMS and verify that JIMS status is online.

    [See push-to-identity-management.]

Infrastructure

  • You can now boot vSRX 3.0 with either UEFI or BIOS.

Network Management

  • IPv6 DNS resolution option in security log stream configuration (SRX Series Firewalls and vSRX 3.0)—You can enable the prefer-ipv6-dns option under the show security log stream s1 host configuration hierarchy to prioritize IPv6 address resolution for DNS queries. This option ensures that IPv6 addresses are used instead of the default IPv4 addresses. This configuration enhances IPv6 network compatibility and supports environments that require IPv6 addressing.

Platform and Infrastructure

  • G.8275.1 profile configuration with PTP, SyncE, and hybrid mode (Junos)—On all Junos platforms, when configuring the G.8275.1 profile, it is mandatory to configure Precision Time Protocol (PTP), Synchronous Ethernet (SyncE), and hybrid mode. Earlier, the system did not raise a commit error even if the required hybrid and SyncE configurations were missing when the G.8275.1 profile was configured. Going forward, to comply with the ITU-T standards, you cannot configure the G.8275.1 profile without also configuring PTP, SyncE, and hybrid mode.

    [See G.8275.1 Telecom Profile.]

  • You can now enable zeroization on a vSRX 3.0 Virtual Firewall using the CLI to destroy Critical Security Parameters (CSPs). Run the request system zeroize command to zeroize the system configuration and keys. When you run this command, all the configuration information is removed and the key values are reset. After reboot, the vSRX 3.0 firewall is reverted to factory defaults.

User Interface and Configuration

  • Generate genstate YANG modules on Junos devices—You can use the show system schema operational command or the equivalent RPC to generate the genstate YANG modules in the specified output directory on a device.

    [See show system schema.]

VPNs

  • Default installation of junos-ike package on additional platforms (SRX1500, SRX4100, SRX4200, SRX4600, and vSRX 3.0)—The junos-ike package is installed by default on SRX1500, SRX4100, SRX4200, SRX4600, and vSRX 3.0 firewalls, so the iked process is available by default for the IPsec VPN service. This aligns with the existing default installation of the package on the SRX5000 line with Routing Engine 3 (SRX5K-SPC3 with RE3). You can delete the junos-ike package using the command request system software delete junos-ike. After the package is deleted, these firewalls run the kmd process instead, allowing flexible management of your security infrastructure.

    [See IPsec VPN Overview.]

  • Deprecation of weak algorithms in IPsec VPN (SRX Series and vSRX 3.0)—We've deprecated the weak algorithms in IKE and IPsec proposals. You'll no longer be able to use the following algorithms:

    Table 1: Deprecated Junos CLI Options

    Type                                      Algorithm                     Junos CLI Statement
    Encryption Algorithm in IKE Proposal      des-cbc and 3des-cbc          set security ike proposal name encryption-algorithm
    Authentication Algorithm in IKE Proposal  md5 and sha1                  set security ike proposal name authentication-algorithm
    DH Group in IKE Proposal                  group1, group2, and group5    set security ike proposal name dh-group
    Encryption Algorithm in IKE Proposal      des-cbc and 3des-cbc          set security ipsec proposal name encryption-algorithm
    Authentication Algorithm in IKE Proposal  hmac-md5-96 and hmac-sha1-96  set security ipsec proposal name authentication-algorithm

    You will receive a warning message if you configure these deprecated algorithms explicitly. As an alternative, we recommend that you configure the stronger algorithms to enhance the security in IPsec VPN.

    [See proposal (Security IKE) and proposal (Security IPsec).]

  • Support for hmac-sha-384/512 authentication in PMI (SRX Series Firewalls and vSRX 3.0)—You can configure hmac-sha-384 and hmac-sha-512 authentication algorithms with PowerMode IPsec (PMI) when running IPsec VPN with the iked process.

    [See PowerMode IPsec.]