New and Changed Features
The following features have been added to Junos OS Release 12.1X46. Following the description is the title of the manual or manuals to consult for further information.
Note: For the latest updates about support and issues on Junos Pulse, see the Junos Pulse Release Notes.
- Release 12.1X46-D55 Software Features
- Release 12.1X46-D30 Software Features
- Release 12.1X46-D20 Software Features
- Release 12.1X46-D15 Software Features
- Release 12.1X46-D10 Software Features
Release 12.1X46-D55 Software Features
Interfaces
- G.993.5 Vectoring support for VDSL modules on SRX Series devices—Starting with Junos OS Release 12.1X46-D55, firmware version v2.16.0 is available for SRX-MP-1VDSL-A to support VDSL vectoring. Vectoring on VDSL reduces crosstalk and increases network bandwidth.
[For more information, see Upgrading the VDSL PIC Firmware in the Junos OS Release 15.1X49-D50 Feature Guide.]
Release 12.1X46-D30 Software Features
Application Layer Gateways (ALGs)
- MS-RPC ALG and Sun RPC ALG map table scaling for SRX Series devices—Starting with Junos OS Release 12.1X46-D30, the MS-RPC ALG and Sun RPC ALG dynamically allocate new mapping entries instead of using a default size (512 entries). They also offer a flexible time-based RPC mapping entry that removes the mapping entry (auto-clean) without affecting the associated active RPC sessions, including both the control session and the data session.
Release 12.1X46-D20 Software Features
Chassis Cluster
- Autorecovery of fabric link [SRX Series]—The fabric link feature supports autorecovery, which includes the following enhancements:
- The fabric monitoring feature is enabled by default on high-end SRX Series devices, so recovery of the fabric link and synchronization take place automatically.
- If the fabric link goes down, RG1+ becomes ineligible on either the secondary node or the node with failures, by default. The node remains in this state until the fabric link comes up or the other node goes away.
- If the fabric link goes down followed by the control link, then after approximately 66 seconds the secondary node (or the node with failures) assumes that the remote node is dead and takes over as the primary node.
- Enhanced debugging support for chassis cluster [SRX Series]—The chassis cluster debugging functionality has the following enhancements:
- The show chassis cluster status command output includes failure reasons (acronyms and their expansions) when the redundancy group's priority is zero.
- The jsrpd process has been cleaned up: unwanted logs are removed, and debug log messages are moved from level LOG_INFO to LOG_DEBUG.
- The show chassis cluster information command output displays redundancy group, LED, and monitored failure details.
- SNMP traps send messages when a node's weight goes down and also when it recovers.
- The show chassis cluster ip-monitoring command output displays both the global threshold and the current threshold of each node and displays the weight of each monitored IP address.
- A syslog message appears when the control link goes down.
Public Key Infrastructure (PKI)
- Online Certificate Status Protocol (OCSP) [SRX Series]—OCSP, like CRL, checks the revocation status of X.509 certificates. Requests are sent to the OCSP server(s) configured in a CA profile with the ocsp url statement at the [edit security pki ca-profile profile-name revocation-check] hierarchy level. The use-ocsp option must also be configured.
If there is no response from the OCSP server, the request is then sent to the location specified in the certificate's AuthorityInfoAccess extension.
[See the “Public Key Infrastructure (PKI)” section in the Junos OS 12.1X46-D20 Feature Guide.]
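As an added configuration example (not from the release notes), a CA profile that enables OCSP revocation checking with two responders; the profile name and the responder URLs are placeholders:

```junos
# Added example, not part of the release notes. Profile name and URLs are placeholders.
# Identify the CA and select OCSP (rather than CRL retrieval) for revocation checking.
set security pki ca-profile ca-example ca-identity ca-example
set security pki ca-profile ca-example revocation-check use-ocsp
# OCSP responders queried for this CA. If no configured responder answers, the
# request falls back to the URL in the certificate's AuthorityInfoAccess extension.
set security pki ca-profile ca-example revocation-check ocsp url http://ocsp1.example.net/
set security pki ca-profile ca-example revocation-check ocsp url http://ocsp2.example.net/
# After loading the CA certificate, confirm the profile and certificate details:
# show security pki ca-certificate ca-profile ca-example
```

Without use-ocsp the ocsp url statements have no effect, and revocation checking stays on its CRL behaviour.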
Routing Protocols
- OSPFv3 IPsec authentication and confidentiality [SRX Series]—OSPF for IPv6, also known as OSPF version 3 (OSPFv3), does not have built-in authentication to ensure that routing packets are not altered and re-sent to the router. In Junos OS Release 12.1X46-D20, IPsec can be used to secure OSPFv3 interfaces and virtual links and provide encryption for OSPF packets.
To configure IPsec for OSPF/OSPFv3, define a security association (SA) with the security-association sa-name configuration option at the [edit security ipsec] hierarchy level. The configured SA is then applied to the OSPF/OSPFv3 interface or virtual link configuration.
[See the “Routing Protocols” section in the Junos OS 12.1X46-D20 Feature Guide.]
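An added example (not from the release notes) of the two halves described above: a manual, bidirectional transport-mode SA under [edit security ipsec], then the SA applied to an OSPFv3 interface and a virtual link. The SA name, interface, area, neighbor ID, SPI and key strings are placeholders; the peer must be configured with the identical SA.

```junos
# Added example, not part of the release notes. Names, SPI and keys are placeholders.
# OSPFv3 (RFC 4552) protects packets with a transport-mode SA negotiated out of band,
# so the SA is defined manually and must match on both neighbors.
set security ipsec security-association ospf3-sa mode transport
set security ipsec security-association ospf3-sa manual direction bidirectional protocol esp
set security ipsec security-association ospf3-sa manual direction bidirectional spi 1024
# Authentication: hmac-sha1-96 takes a 20-character ascii-text key.
set security ipsec security-association ospf3-sa manual direction bidirectional authentication algorithm hmac-sha1-96
set security ipsec security-association ospf3-sa manual direction bidirectional authentication key ascii-text "PLACEHOLDER-AUTH-KEY"
# Confidentiality: aes-128-cbc takes a 16-character ascii-text key.
set security ipsec security-association ospf3-sa manual direction bidirectional encryption algorithm aes-128-cbc
set security ipsec security-association ospf3-sa manual direction bidirectional encryption key ascii-text "PLACEHOLDER-KEY1"
# Apply the SA to an OSPFv3 interface in the backbone area ...
set protocols ospf3 area 0.0.0.0 interface ge-0/0/1.0 ipsec-sa ospf3-sa
# ... and to a virtual link through transit area 0.0.0.1 to neighbor router ID 10.0.0.2.
set protocols ospf3 area 0.0.0.0 virtual-link neighbor-id 10.0.0.2 transit-area 0.0.0.1 ipsec-sa ospf3-sa
# Verify adjacencies still form once both sides carry the same SA:
# show ospf3 neighbor
```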
Unified Threat Management (UTM)
- UTM license enforcement [SRX Series]—License enforcement is supported for UTM features, including Sophos antivirus, enhanced Web filtering, and antispam filtering on all high-end SRX Series devices in addition to branch SRX Series devices. You can add or remove UTM licenses on SRX Series devices. Each feature license is tied to exactly one software feature and is valid for exactly one device.
Table 1 lists the license modules and the license names.
Table 1: UTM License Information

| UTM Module | License Name |
| --- | --- |
| SAV | av_key_sophos_engine |
| AS | anti_spam_key_sbl |
| EWF | wf_key_websense_ewf |

[See the “UTM” section in the Junos OS 12.1X46-D20 Feature Guide.]
[See License Enforcement.]
Release 12.1X46-D15 Software Features
IP Monitoring
- IP monitoring with interface as next-hop option [Branch SRX Series]—IP monitoring enables you to configure a static route with a P2P interface as a next-hop action when IP monitoring has failed.
The following added functions support the track-ip option:
- Next-hop type checking: IP address or interface.
- Interface type checking for the next hop. Only a P2P interface is supported; committing a configuration with any other interface type produces an error message.
- The interface is used as the next hop to construct the route parameters and call the RPD API to add the static route; the result of the route addition is logged.
- The existing route-deletion logic removes the static route when the primary route recovers.
[See the “IP Monitoring” section in the Junos OS 12.1X46-D15 Feature Guide.]
Release 12.1X46-D10 Software Features
Application Layer Gateways (ALGs)
- ALG message buffer optimization—Starting in Junos OS Release 12.1X46-D10, the ALG message buffer optimization feature has been enhanced to reduce high memory consumption. This feature is supported on all SRX Series and J Series devices.
A message buffer is allocated only when the packet is ready to process. The buffer is freed after the packet completes ALG handling, including modifying the payload, performing NAT, opening a pinhole for a new connection between a client and a server, and transferring data between a client and a server located on opposite sides of a Juniper Networks device.
This feature has the following enhancements:
- Unnecessary objcache buffering is avoided, resulting in lower memory utilization.
- jbuf manipulation is used to simplify the message buffer logic.
- Full message buffer support makes the ALG line breaker more flexible.
- The ALG Manager and ALG plug-in logic have been clarified.
[See alg-manager.]
- IPv6 support for SIP ALG—This feature is supported on all SRX Series and J Series devices.
Starting with Junos OS Release 12.1X46-D10, IPv6 is supported on the SIP ALG along with NAT-PT mode and NAT64 address translation.
The SIP ALG processes the IPv6 address in the same way it processes the IPv4 address for updating the payload if NAT is configured and opening pinholes for future traffic.
NAT-PT is implemented by normal NAT from an IPv6 address to an IPv4 address and vice versa. The SIP ALG processes those address translations in the payload just as addresses are processed in normal NAT.
NAT64 is a mechanism to allow IPv6 hosts to communicate with IPv4 servers. NAT64 is required to keep the IPv6 to IPv4 address mapping.
Previously, Session Traversal Utilities for NAT (STUN) worked without the SIP ALG. This means that the SIP ALG was not involved when persistent NAT was configured.
Starting with Junos OS Release 12.1X46-D10, STUN can coexist with the SIP ALG and SIP ALG is involved when persistent NAT is configured.
- IPv6 support for RTSP ALG—This feature is supported on all SRX Series and J Series devices.
Real-Time Streaming Protocol (RTSP) is an Application Layer protocol for controlling the delivery of data with real-time properties. The RTSP ALG accesses existing media files over the network and controls the replay of the media.
Starting with Junos OS Release 12.1X46-D10, IPv6 is supported on the RTSP ALG along with NAT-PT mode and NAT64 address translation.
This feature enables the RTSP ALG to parse IPv6 RTSP packets, open an IPv6 pattern pinhole, and translate the Layer 7 IPv6 address according to the NAT configuration. IPv6 RTSP transactions can also pass through under a permit policy and under NAT-PT and NAT64.
- IPv6 support for PPTP ALG—Starting with Junos OS Release 12.1X46-D10, this feature is supported on all SRX Series devices.
The PPTP ALG provides an ALG for the Point-to-Point Tunneling Protocol (PPTP). PPTP is a Layer 2 protocol that tunnels PPP data across TCP/IP networks. A PPTP client is included with Windows and widely used on Linux systems, and PPTP is widely deployed for building VPNs.
To support IPv6, the PPTP ALG parses both IPv4 and IPv6 PPTP packets, performs NAT, and then opens a pinhole for the data tunnel. The flow module supports IPv6 to parse the GRE packet and use the GRE call ID as fake port information to search the session table and gate table.
- Support for SCCP v20—This feature is supported on all SRX Series devices.
Starting in Junos OS Release 12.1X46-D10, the SCCP ALG supports SCCP versions 16, 17, and 20 and several SCCP messages have been updated with a new format. Cisco Call Manager (CM) version 7 uses SCCP version 20.
AppSecure
- Application-aware quality of service (AppQoS)—Starting in Junos OS Release 12.1X46-D10, AppQoS is supported on all branch SRX Series devices.
AppQoS provides a mechanism for prioritizing traffic utilizing the results of the Application Identification Engine. AppQoS provides application-level traffic control for administrators needing to ensure that business-critical applications get preferential treatment.
AppQoS enables the network administrator to meter, mark, and honor traffic priority based on application policies. It provides application-aware DSCP marking by implementing Layer 7 application-based DSCP rewriters. To apply different loss priority levels to different traffic groups, Layer 2-based to Layer 4-based honoring has been expanded to Layer 7. AppQoS accomplishes application-aware rate limiting by setting the bandwidth limit and burst size limit for different applications.
Dynamic Host Configuration Protocol (DHCP)
- DHCP relay—Starting in Junos OS Release 12.1X46-D10, the existing DHCP relay feature on all branch SRX Series devices has been enhanced to include chassis cluster support.
Flow and Processing
- Enhanced IPv6 support for the screen feature—This feature is supported on all branch SRX Series and J Series devices.
IPv6 support is extended for the following screen features:
- IPv6 extension header checking and filtering
- IPv6 packet header checking and filtering
- ICMPv6 checking and filtering
New statements and commands allow you to configure these enhancements using security zones similar to previous screen configurations. You can enable, disable, and update screens to drop packets, create logs, and provide increased statistics for IPv6 traffic.
Note: By default, IPv6 packets bypass the screen feature.
- Enhanced IPv6 support for flow—This feature is supported on all branch SRX Series and J Series devices.
IPv6 support is extended for checking and filtering IPv6 extension headers (in accordance with RFC 2460) and IPv6 link-local addresses (in accordance with RFC 4291) in a flow. Nonconforming IPv6 packets will be discarded.
- Enhancements to flow trace options—This feature is supported on all branch SRX Series and J Series devices.
Starting in Junos OS Release 12.1X46-D10, flow trace granularity has been enhanced to filter logs effectively. As a result you can access relevant trace messages easily and avoid large traces that slow down your system. You can set the level of message you want displayed by using the new trace-level statement at the [edit security flow traceoptions] hierarchy level. You can use new flags to trace additional operations such as fragmentation, high availability, multicast, session, tunnel, and route.
[See traceoptions (Security Flow).]
- Monitoring flow sessions—This feature is supported on all branch SRX Series and J Series devices.
Beginning with Junos OS Release 12.1X46-D10, you can monitor flow using filters that match different criteria (such as source and destination addresses). New operational mode commands monitor security flow filter and monitor security flow file have been added. These commands allow you to debug without having to commit or modify your running configuration. Previously, you were required to commit the configuration to turn on trace options, which could possibly change the state of your device.
Intrusion Detection and Prevention (IDP)
- IDP IPv6 inspection—Starting in Junos OS Release 12.1X46-D10, IDP supports IPv6 inspection on the SRX100, SRX210, SRX220, SRX240, SRX550, and SRX650. IPv6 builds upon the functionality of IPv4, providing improvements to addressing, configuration and maintenance, and security.
This feature supports:
- IPv6 traffic inspection
- Attack detection inspection in protocol decoders that support IPv6
- IDP signature database
- IDP logging
- Application identification results
Use the show security flow session idp family command with the inet or inet6 option to view IPv4 or IPv6 statistics.
[See IDP Monitoring and Troubleshooting Guide for Security Devices.]
- IDP security packet capture—Starting in Junos OS Release 12.1X46-D10, this feature is supported on the SRX100, SRX210, SRX220, SRX240, SRX550, and SRX650.
Viewing packets that precede and follow an attack helps you determine the purpose and extent of an attempted attack, whether an attack was successful, and if any network damage was caused. Packet analysis also aids in defining attack signatures to minimize false positives.
Use the show security idp counters packet-log command to display details about the progress, success, and failure of packet capture activity.
You can specify pre-attack, post-attack, and post-attack timeout values. The pre-attack and post-attack default values are 1, and the default post-attack timeout value is 5.
Note: Support for packet capture is available only once on each session.
IP Spoofing
- IP spoofing in transparent mode—Starting in Junos OS Release 12.1X46-D10, this feature is supported on all branch SRX Series devices.
The IP spoofing feature has been enhanced to include Layer 2 transparent mode support. IP spoofing is most frequently used in denial-of-service attacks. In an IP spoofing attack, the attacker gains access to a restricted area of the network and inserts a false source address in the packet header to make the packet appear to come from a trusted source. When SRX Series devices are operating in transparent mode, the IP spoof-checking mechanism makes use of address book entries.
Note:
- IP spoofing in Layer 2 transparent mode does not support DNS and wildcard addresses.
- IP spoofing in Layer 2 transparent mode is not supported on IPv6, because branch SRX Series devices do not support IPv6 in Layer 2 transparent mode.
[See Understanding IP Spoofing in Layer 2 Transparent Mode.]
J-Web
- Management support for NAT options—Starting in Junos OS Release 12.1X46-D10, support is provided to monitor the following NAT options on all SRX Series devices:
- Utilization for all source pools
- Successful, failed, and current sessions for source pools, source rules, destination rules, and static rules
- Source addresses and source ports for static rules
- Source ports for source rules
- Support is provided to configure the following NAT options on all SRX Series devices:
- Source address and port as match criteria for static rules
- Source port as match criteria for source rules
- Upper and lower thresholds at which an SNMP trap is triggered for source rules and pools, destination rules, and static rules
- User firewall J-Web support
- Source identity-based firewall policy—Starting in Junos OS Release 12.1X46-D10, this feature is supported on the existing Firewall Policies Configuration and Monitoring Policies pages on all branch SRX Series devices. This feature allows you to configure and monitor source identities in a firewall policy.
- New J-Web pages for user firewall—Starting in Junos OS Release 12.1X46-D10, new user firewall pages are supported on all branch SRX Series devices.
The following webpages have been added to the J-Web user interface:
- Authentication Priority Configuration Page—You can either disable an optional authentication source or reassign a unique priority to it.
- Local Authentication Configuration Page and Local Authentication Monitoring Page—You can configure and monitor local Firewall authentication.
- UAC Settings Configuration Page and UAC Authentication Monitoring Page—You can configure UAC and monitor UAC authentication.
- Allow adding a new policy and moving an existing policy to an arbitrary location
- Firewall Policies Configuration Page Options—Starting in Junos OS Release 12.1X46-D10, several new options on the Firewall Policies Configuration page are supported on all branch SRX Series devices. The Add menu includes Add before and Add after options that allow you to add a new policy before or after a selected policy. On the Move menu, there is a new Move to option that allows you to specify a target location. You can also drag and drop a policy to the target location.
- Checking Policies Monitoring Page—Starting in Junos OS Release 12.1X46-D10, the Move to option on the Checking Policies Monitoring page is supported on all branch SRX Series devices.
Management Information Bases (MIBs)
- SNMP aggregation for policy MIBs—Starting in Junos OS Release 12.1X46-D10, this feature is supported on all SRX Series devices.
A set of systemwide policy statistics such as policy-allowed packets, bytes and rates, policy-dropped packets, bytes and rates, policy flows allowed, and rate statistics have been added in the enterprise-specific policy MIB JUNIPER-JS-POLICY-MIB. You can obtain the policy statistics by using the SNMP agent or the CLI operational mode commands. Use the following CLI commands to set, clear, and display the systemwide policy statistics:
- set security policies policy-stats system-wide <disable | enable>—Configures systemwide policy statistics. Disabled by default.
- clear security policies statistics—Clears the systemwide policy statistics.
- show snmp mib walk jnxJsPolicySystemStats—Displays both IPv4 and IPv6 statistics.
- show snmp mib walk jnxJsPolicySystemStatsIPv4—Displays only IPv4 statistics.
[See Policy Objects MIB.]
Virtual Private Networks (VPNs)
- Enhanced X2 interface monitoring—This feature is supported on all SRX Series devices.
In an LTE mobile network, X2 interfaces are used to connect Evolved Node Bs (eNodeBs) for signal handover, monitoring, and radio coverage. SRX Series devices connect these eNodeBs using IPsec tunnels.
This feature enables you to monitor traffic between eNodeBs by snooping into the clear text traffic as it flows from one IPsec tunnel to another. Use the monitor-filter statement at the [edit security forwarding-options] hierarchy level to duplicate clear text packets and send them to the physical interface. You can then use Ethereal or other packet analyzers to verify or collect the X2 traffic.
- Support for IPv6 address encapsulation in route-based one-to-one site-to-site VPN tunnels—This feature is supported on all SRX Series devices.
In tunnel mode, IPsec encapsulates the original IP datagram—including the original IP header—within a second IP datagram. The outer IP header contains the IP address of the gateway, while the inner header contains the ultimate source and destination IP addresses. The outer and inner IP headers can have a protocol field of IPv4 or IPv6. As of Junos OS Release 12.1X46-D10, the following tunnel modes are supported on SRX Series devices:
- IPv4-in-IPv4 tunnels encapsulate IPv4 packets inside IPv4 packets.
- IPv6-in-IPv6 tunnels encapsulate IPv6 packets inside IPv6 packets.
- IPv6-in-IPv4 tunnels encapsulate IPv6 packets inside IPv4 packets.
- IPv4-in-IPv6 tunnels encapsulate IPv4 packets inside IPv6 packets.
There are no new CLI configuration statements for this feature.
IPv4 and IPv6 traffic can be routed into a single IPv4 or IPv6 tunnel; the st0 interface bound to the tunnel must be configured for both family inet and family inet6. Dual stack tunnels—parallel IPv4 and IPv6 tunnels over a single physical external interface to different VPN peers—are also supported.
- Dead peer detection (DPD) enhancements—This feature is supported on all SRX Series devices.
Network devices use the DPD protocol to verify the existence and availability of other peer devices. The default DPD mode optimized sends probes if there is no incoming IKE or IPsec traffic from the peer within a configured interval after outgoing packets are sent to the peer. The always-send option sends DPD probes at configured intervals regardless of traffic activity between peers. A new configuration option probe-idle-tunnel at the [edit security ike gateway dead-peer-detection] hierarchy level sends DPD probes when there is no incoming or outgoing IKE or IPsec traffic between peers.
Note: We recommend that you configure probe-idle-tunnel instead of always-send.
For all DPD modes, Phase 1 and Phase 2 security associations are cleared if a specified number of probes are sent with no response from the peer.
- Multiple traffic selectors on a route-based VPN—This feature is supported on all branch SRX Series devices.
A traffic selector (also known as a proxy ID in IKEv1) is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses. With this feature, you can define multiple traffic selectors within a specific route-based VPN, resulting in a unique SA for each traffic selector configured. Only traffic that conforms to a traffic selector is permitted through the associated IPsec SA.
To configure a traffic selector, use the traffic-selector configuration statement at the [edit security ipsec vpn vpn-name] hierarchy level. The traffic selector pair is defined with the mandatory local-ip ip-address and remote-ip ip-address statements. The CLI operational command show security ipsec security-association traffic-selector traffic-selector displays SA information for the specified traffic selector.
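An added route-based VPN example (not from the release notes) that ties together the DPD and traffic selector features described above: an IKE gateway using probe-idle-tunnel, and an IPsec VPN with two traffic selectors, each of which negotiates its own SA. Gateway and VPN names, peer and subnet addresses, the pre-shared key and the proposal choices are placeholders; the interval and threshold statements are the standard DPD settings for the probe period and the unanswered-probe count and are not named in the notes.

```junos
# Added example, not part of the release notes. Names, addresses, key and proposals are placeholders.
# Phase 1: IKE proposal, policy and gateway to a static peer on ge-0/0/0.0.
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group14
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "PLACEHOLDER-PSK"
set security ike gateway gw-branch ike-policy ike-pol
set security ike gateway gw-branch address 203.0.113.10
set security ike gateway gw-branch external-interface ge-0/0/0.0
# DPD in probe-idle-tunnel mode (recommended over always-send): probe only when no
# IKE or IPsec traffic flows in either direction. Probe every 10 seconds; after 5
# unanswered probes the Phase 1 and Phase 2 SAs are cleared.
set security ike gateway gw-branch dead-peer-detection probe-idle-tunnel
set security ike gateway gw-branch dead-peer-detection interval 10
set security ike gateway gw-branch dead-peer-detection threshold 5
# Phase 2: route-based VPN bound to st0.0.
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol proposals ipsec-prop
set security ipsec vpn vpn-branch bind-interface st0.0
set security ipsec vpn vpn-branch ike gateway gw-branch
set security ipsec vpn vpn-branch ike ipsec-policy ipsec-pol
# Two traffic selectors: each local-ip/remote-ip pair gets its own IPsec SA, and
# only traffic matching a selector is permitted through that SA.
set security ipsec vpn vpn-branch traffic-selector ts-users local-ip 10.10.0.0/16 remote-ip 10.20.0.0/16
set security ipsec vpn vpn-branch traffic-selector ts-servers local-ip 192.168.100.0/24 remote-ip 192.168.200.0/24
set interfaces st0 unit 0 family inet
# Inspect one selector's SA with the command named in the notes:
# show security ipsec security-association traffic-selector ts-users
```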
- IKEv2 configuration payload support with RADIUS—This feature is supported on all SRX Series devices.
Configuration payload is an Internet Key Exchange (IKE) version 2 feature used to propagate provisioning information from an IKE responder to the IKE initiator. Starting with Junos OS Release 12.1X46-D10, IKEv2 configuration payload is supported with route-based VPNs only. The following attribute types, defined in RFC 5996, Internet Key Exchange Protocol Version 2 (IKEv2), can be returned to the IKE initiator by the IKE responder:
- INTERNAL_IP4_ADDRESS
- INTERNAL_IP4_NETMASK
- INTERNAL_IP4_DNS
For the IKE responder to provide the initiator with provisioning information, it must acquire the information from a specified source such as a RADIUS server. Provisioning information can also be returned from a DHCP server through a RADIUS server. On the RADIUS server, the user information should not include an authentication password. As in previous Junos OS releases for the SRX Series, the RADIUS server profile is bound to the IKE gateway using the xauth access-profile profile-name configuration at the [edit security ike gateway gateway-name] hierarchy level.
This feature is supported only for point-to-multipoint secure tunnel (st0) interfaces. For point-to-multipoint interfaces, the interfaces must be numbered and the addresses in the configuration payload INTERNAL_IP4_ADDRESS attribute type must be within the subnetwork range of the associated point-to-multipoint interface.
Note: IKEv2 on SRX Series devices does not support policy-based VPNs or VPN monitoring.
- IKEv2 with NAT-T and dynamic endpoint VPN—This feature is supported on all SRX Series devices.
Starting with Junos OS 12.1X46-D10, both IKEv2 initiators and responders in a route-based VPN can be behind NAT devices. The IKEv2 NAT-T feature supports IPsec traffic that crosses NAT devices. Static NAT and dynamic NAT are supported. In static NAT, there is a one-to-one relationship between the private and the public addresses. In dynamic NAT, there is a many-to-one or many-to-many relationship between the private and public addresses.
Dynamic endpoint (DEP) VPN is a Junos OS feature that covers IKEv2 initiator and responder perspectives. From the initiator’s perspective, DEP VPN covers the situation where the IKE external interface address is not fixed and is therefore not known by the responder. This situation can occur when the peer’s address is dynamically assigned by an ISP or when the peer’s connection crosses a NAT device that allocates addresses from a dynamic address pool. From the responder’s perspective, DEP VPN describes either a finite number of VPNs that are created for a number of VPN peers in a many-to-many scenario or a shared VPN in a many-to-one scenario.
Starting with Junos OS 12.1X46-D10, the default value for the nat-keepalive option configured at the [edit security ike gateway gateway-name] hierarchy level has been changed from 5 seconds to 20 seconds.
[See Understanding NAT-T.]
Web Authentication
- Web-redirect firewall authentication—Starting in Junos OS Release 12.1X46-D10, Web authentication
redirect enhancement is provided on all SRX Series devices.
With this feature, when you initiate a connection across the firewall and authenticate successfully, the browser is redirected to your original destination URL without your having to retype it.
The following message is displayed:
Redirecting to the original url, please wait