Changes in Behavior and Syntax
The following current system behavior, configuration statement usage, and operational mode command usage might not yet be documented in the Junos OS documentation:
Application Layer Gateways (ALGs)
- On all branch SRX Series devices, the SQL ALG is disabled in the default configuration. If you require the SQL ALG, you need to enable it explicitly.
- In Junos OS Release 12.1X46-D50 and earlier, on all SRX Series devices, the DNS ALG only recorded and forwarded the DNS packets for which the packet length exceeded the threshold value (range from 512 through 8192).
Starting in Junos OS Release 12.1X46-D55, the DNS ALG can be configured to drop the oversized DNS packets if the length exceeds the threshold value. To enable this, you need to configure the new CLI command set security alg dns oversize-message-drop. If the command set security alg dns oversize-message-drop is not configured, the DNS ALG will only record and forward the oversized DNS packets.
Application Firewall
- Prior to Junos OS Release 12.1X46-D10, when a rule specifies dynamic-application junos:HTTP without specifying any other nested application, the rule matches all HTTP traffic whether the traffic contains a nested application or not.
In Junos OS Release 12.1X46-D15 and later, that functionality has changed. When a rule specifies dynamic-application junos:HTTP, only HTTP traffic with no nested members is matched.
Consider the following application firewall ruleset:
    rule-sets http-ruleset {
        rule rule1 {
            match {
                dynamic-application [junos:HTTP];
            }
            then {
                deny;
            }
        }
        default-rule {
            permit;
        }
    }
Prior to Junos OS Release 11.4R6, the sample rules would be applied to traffic as shown in the following list:
- HTTP traffic with or without nested applications would be denied by rule1. HTTP traffic with a nested application, such as junos:FACEBOOK or junos:TWITTER, would be denied by rule1.
- All other traffic would be permitted by the default rule.
In Junos OS Release 11.4R6 and later, the dynamic application junos:HTTP matches only the HTTP traffic that contains no recognizable nested application. The sample rules would now be applied differently:
- Only the HTTP traffic with no nested application would be denied by rule1. HTTP traffic with a nested application, such as junos:FACEBOOK or junos:TWITTER, would no longer match rule1.
- All other traffic would be permitted by the default rule. HTTP traffic with a nested application, such as junos:FACEBOOK or junos:TWITTER, would be permitted by the default rule.
- In Junos OS Release 12.1X46-D10 and earlier, if a nested application is not configured in any rule, then the nested application would match the default rule and take the action specified in the default rule.
Starting in Junos OS Release 12.1X46-D10, the functionality has changed. If a nested application matches the default rule, then the application firewall uses the application type to match the rule and takes action specified in the rule. Use the set security application-firewall nested-application dynamic-lookup enable command to control the behavior of the nested application, so that both the application and the nested application are consistent.
The default behavior of nested applications before Junos OS Release 12.1X46-D10:
- The application firewall matches the specific rule if the nested application is configured explicitly in a rule.
- The application firewall matches the default rule if the nested application is not configured explicitly in a rule.
- The application firewall statistics are recorded in the matched rule.
The new behavior of nested applications in Junos OS Release 12.1X46-D10:
- The application firewall matches an application rule during application firewall policy lookup if there is no explicit rule for the nested application.
- The application firewall matches a specific rule if the nested application is configured explicitly in a rule.
- The application firewall statistics are recorded in the matched rule.
Chassis Cluster
- Starting from Junos OS Release 12.1X46-D40, on all branch SRX Series devices, reth interfaces support proxy ARP.
Command-Line Interface (CLI)
New or Changed CLI
- Starting in Junos OS Release 12.1X46-D30, for all branch SRX Series devices there is an option to remove the peer loop check for private AS numbers. The no-peer-loop-check option has been added under the remove-private command at the following hierarchy levels:
[edit logical-systems logical-system-name protocols bgp]
[edit protocols bgp]
[edit routing-instances routing-instance-name protocols bgp]
- Starting in Junos OS Release 12.1X46-D20, for all branch SRX Series devices in chassis cluster mode, there is a node option available for all show chassis CLI commands. The node option displays status information for all FPCs or for the specified FPC on a specific node (device) in the cluster.
- Prior to Junos OS Release 12.1X46-D10, when you configured the DNS proxy server using the set system services dns dns-proxy view view-name domain domain-name forwarder CLI statement, if the IP address specified in the forwarder option was not available, the DNS query was forwarded to the default DNS servers (DNS servers provided by the ISP). The device acquired the public IP addresses from the default DNS servers.
Starting in Junos OS Release 12.1X46-D10, the forward-only option is added to the set system services dns dns-proxy view view-name domain domain-name forward-only CLI statement.
You can use the forward-only option to prevent the device from acquiring the public IP addresses from the DNS servers (by terminating the DNS query) in cases when the specified IP address is unreachable.
- On all branch SRX Series and J Series devices, the following commands are now supported:
  - show pppoe interfaces: List all PPPoE sessions.
  - request pppoe connect: Connect to all sessions that are down.
  - request pppoe connect pppoe interface name: Connect only to the specified session.
  - request pppoe disconnect: Disconnect all sessions that are up.
  - request pppoe disconnect session id or pppoe interface name: Disconnect only the specified session, identified by either a session ID or a PPPoE interface name.
- On all J Series devices, a new CLI request system (halt | power-off | reboot) power-off fpc command has been introduced to bring Flexible PIC Concentrators (FPCs) offline before Routing Engines are shut down. This command prevents the short network outage caused by the Layer 2 loop.
  - request system halt power-off fpc: Bring the FPC offline and then halt the system.
  - request system power-off power-off fpc: Bring the FPC offline and then power off the system.
  - request system reboot power-off fpc: Bring the FPC offline and then reboot the system.
Deprecated Items for Security Hierarchy
- Table 2 lists deprecated items (such as CLI statements, commands, options, and interfaces).
CLI statements and commands are deprecated—rather than immediately removed—to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration. We strongly recommend that you phase out deprecated items and replace them with supported alternatives.
Table 2: Items Deprecated in Release 12.1
- Deprecated item: download-timeout
  Replacement: (none)
  Hierarchy level or command syntax: download-timeout timeout
  Additional information: On all branch SRX Series devices, the download-timeout command is deprecated. If the configuration is present, it is ignored. The IDP process internally triggers installation of the security package when an automatic download is completed, so there is no need to configure any download timeout.
- Deprecated item: node
  Replacement: (none)
  Hierarchy level or command syntax: request security idp security-package download
  Additional information: On all branch SRX Series devices operating in a chassis cluster, the request security idp security-package download command with the node option is not supported:
    request security idp security-package download node primary
    request security idp security-package download node local
    request security idp security-package download node all
Compatibility
- Version compatibility for Junos SDK—Beginning with Junos OS Release 12.1X44-D10, Junos OS applications will install on the Junos OS only if the application is built with the same release as the Junos OS release on which the application is being installed.
For example, an application built with Junos OS Release 12.1R2 will only install on Junos OS Release 12.1R2 and will not install on Junos OS Release 12.1R1 or Junos OS Release 12.1R3.
Flow and Processing
- The minimum value you can configure for TCP session initialization is 4 seconds. The default value is 20 seconds; if required, you can set the TCP session initialization value to less than 20 seconds.
- On all branch SRX Series devices, the default value of type of service (ToS) for IKE packets has been changed from 0x00 to 0xc0.
- On all branch SRX Series and J Series devices, you can configure the TCP session timeout in a half-closed state by using the apply-to-half-close-state statement at the [edit security flow tcp-session time-wait-state] hierarchy level. This enables the system to apply the configured session timeout on receiving only one FIN packet (either client-to-server or server-to-client). When this statement is not configured, the default behavior takes effect, which is to apply the configured session timeout on receiving both the FIN packets. The default TCP session timeout remains 150 seconds. [See apply-to-half-close-state.]
Hardware
- On SRX550 devices, the mini-USB console cable provides a “break” message to the Windows application whenever the console cable is unplugged and re-plugged. If you have configured “debugger-on-break”, the system goes to the db> prompt because the system receives a break character. This behavior is specific to the mini-USB console.
- Starting in Junos OS Release 12.1X46-D15, external clocking is enabled on SRX550 devices with a DS3/E3 interface. In Junos OS Release 12.1X46-D10 and earlier, the external clocking option was disabled to overcome the limitations present in the hardware to support this clocking option.
Installation and Upgrade
- Starting in Junos OS Release 12.1X46-D55, the request system scripts add package-name no-copy | unlink command is updated to include the following options for installing AI Script install packages on SRX Series devices in a chassis cluster:
  - master: Install AI script packages on the primary node.
  - backup: Install AI script packages on the secondary node.
This enhancement eliminates the need for separate AI script installations on the primary node and the secondary node.
Interfaces and Routing
- A new attribute, max-synacks-queued, is added to the IDP sensor-configuration TCP reassembler. This attribute defines the maximum number of SYN/ACK packets queued with different sequence (SEQ) numbers and takes the values 0 through 5. Also, a new counter, Duplicate Syn/Ack with different SEQ, is added to the IDP TCP reassembler. This counter displays the number of SYN/ACK packets with different SEQ numbers.
- On SRX240 and SRX650 devices, for the Layer 2 LAG interface, the hash algorithm for load balancing is now based on source IP address and destination IP address instead of source MAC address and destination MAC address.
Intrusion Detection and Prevention (IDP)
- In Junos OS releases earlier than Junos OS Release 12.1X46-D25, TACACS+ options for authentication and accounting did not include an option for configuring a timestamp and time zone.
In Junos OS Release 12.1X46-D25 and later releases, you can use the timestamp-and-timezone option at the [edit system tacplus-options] hierarchy to include start time, stop time, and time zone attributes in start/stop accounting records. [See tacplus-options.]
- A system log message is generated when an IDP signature database update or policy compilation fails with an empty dynamic group. The system-generated log message is Dynamic Attack group [dyn_group_1] has no matching members found. Group is empty.
- By default, values for IDP reassembler packet memory and application identification packet memory used by IDP are established as percentages of all memory. In most cases, these default values are adequate.
  - If a deployment exhibits an excessive number of dropped TCP packets or retransmissions resulting in high IDP reassembly memory usage, use the following option:
    - The max-packet-mem-ratio option resets the percentage of available IDP memory used for IDP reassembly packet memory. Acceptable values are between 5 and 40 percent.
      set security idp sensor-configuration re-assembler max-packet-mem-ratio percentage-value
    Note: The max-packet-mem option has been deprecated and replaced by the new max-packet-mem-ratio option.
  - If a deployment exhibits an excessive number of ignored IDP sessions due to reassembler and application identification memory allocation failures, use the following options:
    - The max-packet-memory-ratio option sets the application identification packet memory limit as a percentage of available IDP memory. This memory is used by IDP only in cases where application identification is delayed in identifying an application. Acceptable values are between 5 and 40 percent.
      set security idp sensor-configuration application-identification max-packet-memory-ratio percentage-value
    - The max-reass-packet-memory-ratio option sets the reassembly packet memory limit for application identification as a percentage of available IDP memory. Acceptable values are between 5 and 40 percent.
      set security idp sensor-configuration application-identification max-reass-packet-memory-ratio percentage-value
    Note: The max-packet-memory option has been deprecated and replaced by the new max-packet-memory-ratio and max-reass-packet-memory-ratio options.
- On all branch SRX Series devices with a single session, when IDP is activated, the upload and download speeds are slow when compared to the firewall performance numbers.
To overcome this issue, a new CLI command, set security idp sensor-configuration ips session-pkt-depth, is introduced; the session-pkt-depth sensor-configuration value is global and applies to every session.
The session-pkt-depth sensor-configuration value specifies the number of packets per session that are inspected by IDP. Any packets beyond the specified value are not inspected. For example, when session-pkt-depth is configured as n, IDP inspection happens only for the first (n-1) packets in that session; packets from the nth packet onward are ignored by IDP.
The default value of session-pkt-depth is zero. When the default value of zero is used, the session-pkt-depth limit is not applied, and IDP performs a full inspection of the session.
- Starting in Junos OS Release 12.1X46-D25, the show security idp counters flow command output is changed to include new fields.
Table 3 lists the output fields for the show security idp counters flow command. Output fields are listed in the approximate order in which they appear.
Table 3: show security idp counters flow Output Fields (field name: description)
- Fast-path packets: Number of packets that are sent through the fast path after completing IDP policy lookup.
- Slow-path packets: Number of packets that are sent through the slow path during IDP policy lookup.
- Session construction failed (Unsupported): Number of times the packet failed to establish the session.
- Session limit reached: Number of sessions that reached the IDP session limit.
- Session inspection depth reached: Number of sessions that reached the inspection depth.
- Memory limit reached: Number of sessions that reached the memory limit.
- Not a new session (Unsupported): Number of sessions that extended beyond the time limit.
- Invalid index at age-out (Unsupported): Invalid session index in the session age-out message.
- Packet logging: Number of packets saved for packet logging.
- Policy cache hits: Number of sessions that matched the policy cache.
- Policy cache misses: Number of sessions that did not match the policy cache.
- Policy cache entries: Number of policy cache entries.
- Maximum flow hash collisions: Maximum number of packets, of one flow, that share the same hash value.
- Flow hash collisions: Number of packets that share the same hash value.
- Gates added: Number of gate entries added for dynamic port identification.
- Gate matches (Unsupported): Number of times a gate is matched.
- Sessions deleted: Number of sessions deleted.
- Sessions aged-out (Unsupported): Number of sessions that are aged out because no traffic is received within the session timeout value.
- Sessions in-use while aged-out (Unsupported): Number of sessions in use during session age-out.
- TCP flows marked dead on RST/FIN: Number of sessions marked dead on TCP RST/FIN.
- policy init failed: Number of times policy initiation failed.
- Number of sessions exceeds high mark: Number of sessions that exceed the high mark.
- Number of sessions drops below low mark: Number of sessions that fall below the low mark.
- Memory of sessions exceeds high mark: Session memory exceeds the high mark.
- Memory of sessions drops below low mark: Session memory drops below the low mark.
- Sessions constructed: Number of sessions established.
- SM Sessions encountered memory failures: Number of SM sessions that encountered a memory failure.
- SM Packets on sessions with memory failures: Number of SM packets on SM sessions with a memory failure.
- SM Sessions dropped: Number of SM sessions dropped.
- SM sessions ignored: Number of sessions ignored in the Security Module (SM).
- SM sessions interested: Number of SM sessions interested.
- SM sessions not interested: Number of SM sessions not interested.
- SM sessions interest error: Number of errors created for SM sessions interested.
- Sessions destructed: Number of sessions destructed.
- SM Session Create: Number of SM sessions created.
- SM Packet Process: Number of packets processed from SM.
- SM FTP data session ignored by IDP: Number of SM FTP data sessions that are ignored by IDP.
- SM Session close: Number of SM sessions closed.
- SM client-to-server packets: Number of SM client-to-server packets.
- SM server-to-client packets: Number of SM server-to-client packets.
- SM client-to-server L7 bytes: Number of SM client-to-server Layer 7 bytes.
- SM server-to-client L7 bytes: Number of SM server-to-client Layer 7 bytes.
- Client-to-server flows ignored: Number of client-to-server flow sessions that are ignored.
- Server-to-client flows ignored: Number of server-to-client flow sessions that are ignored.
- Both directions flows ignored: Number of server-to-client and client-to-server flow sessions that are ignored.
- Fail-over sessions dropped: Number of fail-over sessions dropped.
- Sessions dropped due to no policy: Number of sessions dropped because there was no active IDP policy.
- IDP Stream Sessions dropped due to memory failure: Number of IDP stream sessions that are dropped because of a memory failure.
- IDP Stream Sessions ignored due to memory failure: Number of IDP stream sessions that are ignored because of a memory failure.
- IDP Stream Sessions closed due to memory failure: Number of IDP stream sessions that are closed because of a memory failure.
- IDP Stream Sessions accepted: Number of IDP stream sessions that are accepted.
- IDP Stream Sessions constructed: Number of IDP stream sessions that are constructed.
- IDP Stream Sessions destructed: Number of IDP stream sessions that are destructed.
- IDP Stream Move Data: Number of stream data events handled by IDP.
- IDP Stream Sessions ignored on JSF SSL Event: Number of IDP stream sessions that are ignored because of a JSF SSL proxy event.
- IDP Stream Sessions not processed for no matching rules: Number of IDP stream sessions that are not processed because no rules matched.
- IDP Stream stbuf dropped: Number of IDP stream plugin buffers dropped.
- IDP Stream stbuf reinjected: Number of IDP stream plugin buffers reinjected.
- Busy packets from stream plugin: Number of packets saved as one or more packets of this session from the stream plugin.
- Busy packets from packets plugin: Number of saved packets for IDP stream plugin sessions.
- Bad kpp: Number of internally marked packets logged for IDP processing.
- Lsys policy id lookup failed sessions: Number of sessions that failed logical systems policy lookup.
- Busy packets: Number of packets saved because one or more packets of this session are handed off for asynchronous processing.
- Busy packet errors: Number of packets found with an IP checksum error after asynchronous processing is completed.
- Dropped queued packets (async mode): Number of queued packets dropped based on policy action, reinjection failures, or because the session is marked to destruct.
- Dropped queued packets failed (async mode): Not used currently.
- Reinjected packets (async mode): Number of packets reinjected into the queue.
- Reinjected packets failed (async mode): Number of failed reinjected packets.
- AI saved processed packet: Number of AI packets saved for which the asynchronous processing is completed.
- Busy packet count incremented: Number of times the busy packet count was incremented in asynchronous processing.
- busy packet count decremented: Number of times the busy packet count was decremented in asynchronous processing.
- session destructed in pme: Number of sessions destructed as part of asynchronous result processing.
- session destruct set in pme: Number of sessions set to be destructed as a result of asynchronous processing.
- KQ op: Number of sessions with one of the following statuses:
  - KQ op hold: number of times packets were held by IDP.
  - KQ op drop: number of times packets were dropped by IDP.
  - KQ op route: number of times IDP decided to route the packet directly.
  - KQ op Continue: number of times IDP decided to continue processing the packet.
  - KQ op error: number of times an error occurred while IDP was processing the packet.
  - KQ op stop: number of times IDP decided to stop processing the packet.
- PME wait not set: Number of AI saved packets given for signature matching.
- PME wait set: Number of packets given for signature matching without AI save.
- PME KQ run not called: Number of times signature matching results were processed out of packet receiving order.
Sample output for show security idp counters flow:
    user@host> show security idp counters flow
    IDP counter type                                            Value
    Fast-path packets                                               0
    Slow-path packets                                               0
    Session construction failed                                     0
    Session limit reached                                           0
    Session inspection depth reached                                0
    Memory limit reached                                            0
    Not a new session                                               0
    Invalid index at ageout                                         0
    Packet logging                                                  0
    Policy cache hits                                               0
    Policy cache misses                                             0
    Maximum flow hash collisions                                    0
    Flow hash collisions                                            0
    Gates added                                                     0
    Gate matches                                                    0
    Sessions deleted                                                0
    Sessions aged-out                                               0
    Sessions in-use while aged-out                                  0
    TCP flows marked dead on RST/FIN                                0
    Policy init failed                                              0
    Number of times Sessions exceed high mark                       0
    Number of times Sessions drop below low mark                    0
    Memory of Sessions exceeds high mark                            0
    Memory of Sessions drops below low mark                         0
    SM Sessions encountered memory failures                         0
    SM Packets on sessions with memory failures                     0
    Sessions constructed                                            0
    SM Sessions ignored                                             0
    SM Sessions dropped                                             0
    SM Sessions interested                                          0
    SM Sessions not interested                                      0
    SM Sessions interest error                                      0
    Sessions destructed                                             0
    SM Session Create                                               0
    SM Packet Process                                               0
    SM ftp data session ignored by idp                              0
    SM Session close                                                0
    SM Client-to-server packets                                     0
    SM Server-to-client packets                                     0
    SM Client-to-server L7 bytes                                    0
    SM Server-to-client L7 bytes                                    0
    Client-to-server flows ignored                                  0
    Server-to-client flows ignored                                  0
    Both directions flows ignored                                   0
    Fail-over sessions dropped                                      0
    Sessions dropped due to no policy                               0
    IDP Stream Sessions dropped due to memory failure               0
    IDP Stream Sessions ignored due to memory failure               0
    IDP Stream Sessions closed due to memory failure                0
    IDP Stream Sessions accepted                                    0
    IDP Stream Sessions constructed                                 0
    IDP Stream Sessions destructed                                  0
    IDP Stream Move Data                                            0
    IDP Stream Sessions ignored on JSF SSL Event                    0
    IDP Stream Sessions not processed for no matching rules         0
    IDP Stream stbuf dropped                                        0
    IDP Stream stbuf reinjected                                     0
    Busy pkts from stream plugin                                    0
    Busy pkts from pkt plugin                                       0
    bad kpp                                                         0
    Lsys policy id lookup failed sessions                           0
    Busy packets                                                    0
    Busy packet Errors                                              0
    Dropped queued packets (async mode)                             0
    Dropped queued packets failed(async mode)                       0
    Reinjected packets (async mode)                                 0
    Reinjected packets failed(async mode)                           0
    AI saved processed packet                                       0
    busy packet count incremented                                   0
    busy packet count decremented                                   0
    session destructed in pme                                       0
    session destruct set in pme                                     0
    kq op hold                                                      0
    kq op drop                                                      0
    kq op route                                                     0
    kq op continue                                                  0
    kq op error                                                     0
    kq op stop                                                      0
    PME wait not set                                                0
    PME wait set                                                    0
    PME KQ run not called                                           0
J-Web
- On all high-end SRX Series devices, on the Monitor > Events and Alarms > Security Events page, the Is global policy check box is introduced.
- On all branch SRX Series and J Series devices, the username field does not accept HTML tags or the “<” and “>” characters. The following error message appears:
    A username cannot include certain characters, including < and >
- On all branch SRX Series devices, on the Monitoring Policies page, the Deactivate and Move functions on the toolbar and the Count and Log action columns in the output table are not supported and will no longer be available.
- On all branch SRX Series devices, on the Checking Policies page, the Delete and Deactivate buttons are not supported and will no longer be available.
Logical Systems
- In Junos OS releases earlier than Junos OS Release 12.1X46-D10, when a logical tunnel interface with an IPv4 address and an Ethernet encapsulation type is configured, a configuration check is performed to ensure that the address is not identical to its peer logical tunnel interface address and that both addresses are on the same subnet. However, when a logical tunnel interface with an IPv6 address and an Ethernet encapsulation type is configured, no such configuration check is performed.
Starting in Junos OS Release 12.1X46-D10, a check is performed for IPv6 configurations. However, this change can cause existing IPv6 configurations to fail.
Multiprotocol Label Switching (MPLS)
- Starting in Junos OS Release 12.1X46-D55, the vrf-table-label statement allows mapping of the inner label to a specific Virtual Routing and Forwarding (VRF). This mapping allows examination of the encapsulated IP header at an egress VPN router. For SRX Series devices, the vrf-table-label statement is currently supported only on physical interfaces. As a workaround, deactivate vrf-table-label or use physical interfaces.
Network Address Translation (NAT)
- Starting with Junos OS Release 12.1X46-D55, the port-overloading-factor option and the port-range option at the [edit security nat source pool source-pool-name port] hierarchy level can be configured together. Prior to Release 12.1X46-D55, the options would overwrite each other.
Network Time Protocol
- When the NTP client or server is enabled at the [edit system ntp] hierarchy level, the REQ_MON_GETLIST and REQ_MON_GETLIST_1 control messages supported by the NTP monlist feature might allow remote attackers to cause a denial of service. To identify the attack, apply a firewall filter on the router's loopback address that allows only trusted addresses and networks.
Policy Applications
- In Junos OS releases earlier than Junos OS Release 12.1X46-D15, when you set the count option on a security policy using the CLI statement security policies from-zone zone-name to-zone zone-name policy policy-name then, the count is based on the number of packets and bytes of all network traffic that the policy allows to pass through the device.
In Junos OS Release 12.1X46-D15 and later, when you set the count option, the count is based on the number of packets and bytes of all network traffic the policy allows to pass through the device in both directions: the originating traffic from the client to the server (from the from-zone to the to-zone), and the return traffic from the server to the originating client.
Simple Network Management Protocol (SNMP)
- On all branch SRX Series and J Series devices, the screen SNMP trap jnxJsScreenCfgChange will not be sent during reboot.
System Logs
On all branch SRX Series devices, the following system log messages have been updated to include the certificate ID:
- PKID_PV_KEYPAIR_DEL
Existing message: Key-Pair deletion failed
New message: Key-Pair deletion failed for <cert-id>
- PKID_PV_CERT_DEL
Existing message: Certificate deletion has occurred
New message: Certificate deletion has occurred for <cert-id>
- PKID_PV_CERT_LOAD
Existing message: Certificate has been successfully loaded
New message: Certificate <cert-id> has been successfully loaded
- PKID_PV_KEYPAIR_GEN
Existing message: Key-Pair has been generated
New message: Key-Pair has been generated for <cert-id>
- In Junos OS Release 12.1X46-D50 and earlier, the structured log of Web filtering has inappropriate field names.
Starting in Junos OS Release 12.1X46-D55, the structured log fields have changed. The corresponding fields in the UTM Web filter logs WEBFILTER_URL_BLOCKED, WEBFILTER_URL_REDIRECTED, and WEBFILTER_URL_PERMITTED are now fixed with the appropriate structured log fields.
The following example shows WEBFILTER_URL_BLOCKED messages before Junos OS Release 12.1X46-D55:
<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address="192.0.2.3" source-port="58071" destination-address="198.51.100.2" destination-port="80" name="cat1" error-message="BY_BLACK_LIST" profile-name="uf1" object-name="www.example.com" pathname="/" username="N/A" roles="N/A"] WebFilter: ACTION="URL Blocked "192.0.2.3(58071)->198.51.100.2(80) CATEGORY="cat1" REASON="BY_BLACK_LIST" PROFILE="uf1" URL=www.example.com OBJ=/ username N/A roles N/A
The following example shows WEBFILTER_URL_BLOCKED messages in Junos OS Release 12.1X46-D55, indicating the change in structured log fields:
<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address="192.0.2.3" source-port="58071" destination-address="198.51.100.2" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.example.com" obj="/" username="N/A" roles="N/A"] WebFilter: ACTION="URL Blocked "192.0.2.3(58071)->198.51.100.2(80) CATEGORY="cat1" REASON="BY_BLACK_LIST" PROFILE="uf1" URL=www.example.com OBJ=/ username N/A roles N/A
The structured log field changes in the UTM Web filter logs WEBFILTER_URL_BLOCKED, WEBFILTER_URL_REDIRECTED, and WEBFILTER_URL_PERMITTED are as follows:
- name -> category
- error-message -> reason
- profile-name -> profile
- object-name -> url
- pathname -> obj
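As an added example (not part of the Junos documentation), a small Python normaliser that parses both WEBFILTER_URL_BLOCKED messages shown above and maps the pre-D55 field names to the D55 names using this list, so a log pipeline or SIEM rule sees one field schema whichever release produced the record:

```python
"""Normalise SRX UTM Web filter structured-data fields across the 12.1X46-D55 rename.

Added example for this release note; it is not Junos code. The two sample lines
are the pre- and post-D55 WEBFILTER_URL_BLOCKED messages quoted in the note.
"""
import re
from typing import Any, Dict, List

# Old name -> new name, exactly as listed in the release note.
FIELD_RENAMES: Dict[str, str] = {
    "name": "category",
    "error-message": "reason",
    "profile-name": "profile",
    "object-name": "url",
    "pathname": "obj",
}

# RFC 5424 header as emitted by RT_UTM: <PRI>1 TIMESTAMP HOSTNAME APP-NAME - MSGID ...
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<app>\S+)\s+-\s+(?P<msgid>\S+)\s"
)
# The junos@... SD-ELEMENT; PARAM-VALUEs never contain an unescaped ']'.
SD_ELEMENT_RE = re.compile(r"\[(?P<sdid>junos@[\d.]+)\s+(?P<params>[^\]]*)\]")
SD_PARAM_RE = re.compile(r'(?P<key>[\w-]+)="(?P<val>(?:[^"\\]|\\.)*)"')


def parse_webfilter(line: str) -> Dict[str, Any]:
    """Parse one WEBFILTER_URL_* line into a record whose SD fields use the D55 names.

    "schema" is "pre-12.1X46-D55" when any legacy key was seen, else "12.1X46-D55";
    "renamed" lists the legacy keys that were translated, in message order.
    """
    head = HEADER_RE.match(line)
    if head is None:
        raise ValueError("not an RFC 5424 syslog line")
    event = head.group("msgid")
    if not event.startswith("WEBFILTER_URL_"):
        raise ValueError("not a UTM Web filter event: " + event)
    sd = SD_ELEMENT_RE.search(line)
    if sd is None:
        raise ValueError("no junos structured-data element in message")

    fields: Dict[str, str] = {}
    renamed: List[str] = []
    for param in SD_PARAM_RE.finditer(sd.group("params")):
        key, raw = param.group("key"), param.group("val")
        value = re.sub(r"\\(.)", r"\1", raw)  # undo RFC 5424 escaping of " ] \
        if key in FIELD_RENAMES:
            renamed.append(key)
            key = FIELD_RENAMES[key]
        fields[key] = value

    return {
        "host": head.group("host"),
        "timestamp": head.group("ts"),
        "event": event,
        "schema": "pre-12.1X46-D55" if renamed else "12.1X46-D55",
        "renamed": renamed,
        "fields": fields,
    }


def same_record(a: str, b: str) -> bool:
    """True when two messages carry the same event and identical normalised SD fields."""
    ra, rb = parse_webfilter(a), parse_webfilter(b)
    return ra["event"] == rb["event"] and ra["fields"] == rb["fields"]


# Sample messages copied from the release note (pre-D55 and D55 field names).
OLD_LINE = (
    '<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED '
    '[junos@2636.1.1.1.2.86 source-address="192.0.2.3" source-port="58071" '
    'destination-address="198.51.100.2" destination-port="80" name="cat1" '
    'error-message="BY_BLACK_LIST" profile-name="uf1" object-name="www.example.com" '
    'pathname="/" username="N/A" roles="N/A"] WebFilter: ACTION="URL Blocked "'
    '192.0.2.3(58071)->198.51.100.2(80) CATEGORY="cat1" REASON="BY_BLACK_LIST" '
    'PROFILE="uf1" URL=www.example.com OBJ=/ username N/A roles N/A'
)
NEW_LINE = (
    '<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED '
    '[junos@2636.1.1.1.2.86 source-address="192.0.2.3" source-port="58071" '
    'destination-address="198.51.100.2" destination-port="80" category="cat1" '
    'reason="BY_BLACK_LIST" profile="uf1" url="www.example.com" obj="/" '
    'username="N/A" roles="N/A"] WebFilter: ACTION="URL Blocked "'
    '192.0.2.3(58071)->198.51.100.2(80) CATEGORY="cat1" REASON="BY_BLACK_LIST" '
    'PROFILE="uf1" URL=www.example.com OBJ=/ username N/A roles N/A'
)

if __name__ == "__main__":
    for sample in (OLD_LINE, NEW_LINE):
        rec = parse_webfilter(sample)
        print(rec["schema"], rec["event"], rec["fields"]["category"], rec["fields"]["url"])
    print("consistent across releases:", same_record(OLD_LINE, NEW_LINE))
```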
System Management
- During a load override, to increase the memory available to the commit script, make sure you load the configuration by applying the following commands before commit:
    set system scripts commit max-datasize 800000000
    set system scripts op max-datasize 800000000
User Interface and Configuration
- You can configure only one rewrite rule for one logical interface. When you configure multiple rewrite rules for one logical interface, an error message is displayed and the commit fails.
Virtual Private Networks (VPNs)
- In previous Junos OS releases, the Pulse client could be automatically downloaded and installed when users logged into a branch SRX Series device that was configured for dynamic VPN. Starting with Junos OS Release 12.1X46-D30, Pulse client software is no longer available from dynamic VPN SRX Series devices and must be obtained from the Juniper Networks Download Software site at https://www.juniper.net/support/downloads/
- On all branch SRX Series devices, for path MTU calculations, the IPsec authentication data length is fixed at 16 bytes. However, the authentication data length for packets going through the IPsec tunnel is in accordance with the authentication algorithm negotiated for that tunnel. The authentication data lengths for the different algorithms are:
- hmac-md5-96 (12 bytes)
- hmac-sha-256-128 (16 bytes)
- hmac-sha1-96 (12 bytes)
- For each VPN tunnel, both ESP and AH tunnel sessions are installed on SPUs and the control plane. In previous Junos OS releases, two tunnel sessions of the same protocol (ESP or AH) were installed for each VPN tunnel. For branch SRX Series devices, tunnel sessions are updated with the negotiated protocol after negotiation is completed. For high-end SRX Series devices, tunnel sessions on anchor SPUs are updated with the negotiated protocol while non-anchor SPUs retain ESP and AH tunnel sessions.
The ESP and AH tunnel sessions are displayed in the outputs for the show security flow session and show security flow cp-session operational mode commands.
- As of Junos OS Release 11.4, checks are performed to validate the IKE ID received from the VPN peer device. By default, SRX Series and J Series devices validate the IKE ID received from the peer against the IP address configured for the IKE gateway. In certain network setups, the IKE ID received from the peer (which can be an IPv4 or IPv6 address, fully qualified domain name, distinguished name, or e-mail address) does not match the IKE gateway configured on the SRX Series or J Series device. This can lead to a Phase 1 validation failure.
To modify the configuration of the SRX Series or J Series device or the peer device for the IKE ID that is used:
- On the SRX Series or J Series device, configure the remote-identity statement at the [edit security ike gateway gateway-name] hierarchy level to match the IKE ID that is received from the peer. Values can be an IPv4 or IPv6 address, fully qualified domain name, distinguished name, or e-mail address.
Note: If you do not configure remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the remote peer by default.
- On the peer device, ensure that the IKE ID is the same as the remote-identity configured on the SRX Series or J Series device. If the peer device is an SRX Series or J Series device, configure the local-identity statement at the [edit security ike gateway gateway-name] hierarchy level. Values can be an IPv4 or IPv6 address, fully qualified domain name, distinguished name, or e-mail address.
- The subject fields of a digital certificate can include Domain Component (DC), Common Name (CN), Organization Unit (OU), Organization (O), Location (L), State (ST), and Country (C).
In earlier releases, the show security pki ca-certificate and show security pki local-certificate CLI operational commands displayed only a single entry for each subject field, even if the certificate contained multiple entries for a field. For example, a certificate with two OU fields such as “OU=Shipping Department, OU=Priority Mail” displayed with only the first entry “OU=Shipping Department.” The show security pki ca-certificate and show security pki local-certificate CLI commands now display the entire contents of the subject field, including multiple field entries.
The commands also display a new subject string output field that shows the contents of the subject field as it appears in the certificate.
- When a remote user launches newly installed client software, the link to close the Web browser window does not appear in the VPN client launch page. The user must close the browser window by clicking the browser’s close button.
- Starting in Junos OS Release 12.1X46-D10, local-address can be configured at the [edit security ike gateway gateway-name] hierarchy level to specify the local gateway address when there are multiple addresses configured on an external physical interface to a VPN peer. local-address and the remote IKE gateway address must be in the same address family, either IPv4 or IPv6. Prior to Junos OS Release 12.1X46-D10, local-address was a hidden CLI configuration statement.