Changes in Behavior and Syntax
The following current system behavior, configuration statement usage, and operational mode command usage might not yet be documented in the Junos OS documentation:
Application Firewall
- Prior to Junos OS Release 12.1X46-D10, when a rule specifies dynamic-application junos:HTTP without specifying any other nested application, the rule matches all HTTP traffic whether the traffic contains a nested application or not.
In Junos OS Release 12.1X46-D15 and later, that functionality has changed. When a rule specifies dynamic-application junos:HTTP, only HTTP traffic with no nested members is matched.
Consider the following application firewall ruleset:

    rule-sets http-ruleset {
        rule rule1 {
            match {
                dynamic-application [junos:HTTP];
            }
            then {
                deny;
            }
        }
        default-rule {
            permit;
        }
    }

Prior to Junos OS Release 11.4R6, the sample rules would be applied to traffic as shown in the following list:
- HTTP traffic with or without nested applications would be denied by rule1. HTTP traffic with a nested application, such as junos:FACEBOOK or junos:TWITTER, would be denied by rule1.
- All other traffic would be permitted by the default rule.
In Junos OS Release 11.4R6 and later, the dynamic application junos:HTTP matches only the HTTP traffic that contains no recognizable nested application. The sample rules would now be applied differently:
- Only the HTTP traffic with no nested application would be denied by rule1. HTTP traffic with a nested application, such as junos:FACEBOOK or junos:TWITTER, would no longer match rule1.
- All other traffic would be permitted by the default rule. HTTP traffic with a nested application, such as junos:FACEBOOK or junos:TWITTER, would therefore be permitted by the default rule.
- In Junos OS Release 12.1X46-D10 and earlier, if a nested application is not configured in any rule, then the nested application would match the default rule and take the action specified in the default rule.
Starting in Junos OS Release 12.1X46-D10, the functionality has changed. If a nested application would match the default rule, the application firewall instead uses the base application type to look up a rule and takes the action specified in that rule. Use the set security application-firewall nested-application dynamic-lookup enable command to control this behavior, so that an application and its nested applications are handled consistently.
The default behavior of nested application before Junos OS Release 12.1X46-D10:
- Application firewall matches with the specific rule, if the nested application is configured explicitly in a rule.
- Application firewall matches with the default rule, if the nested application is not configured explicitly in a rule.
- Records the statistics of the application firewall in the matched rule.
The new behavior of nested application in Junos OS Release 12.1X46-D10:
- Application firewall matches with an application rule during application firewall policy lookup, if there is no explicit rule for the nested application.
- Application firewall matches with a specific rule, if the nested application is configured explicitly in a rule.
- Records the statistics of the application firewall in the matched rule.
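As an added illustration (not Junos code or Juniper's own matching logic), the following Python model encodes the three behaviours described in the two items above and audits a rule-set for sessions whose outcome changes between them, which is the question to ask before upgrading across these releases. The mode labels, the Rule and RuleSet classes and the sample session list are constructed for the example.

```python
"""Model of how an application-firewall rule-set resolves an HTTP session with
or without a nested application, under the three behaviours the notes describe:
  - junos:HTTP matches all HTTP traffic (pre-11.4R6);
  - junos:HTTP matches only plain HTTP, and a nested application without an
    explicit rule falls to the default rule (11.4R6 up to 12.1X46-D10);
  - a nested application without an explicit rule falls back to the rule for
    its base application (12.1X46-D10 with nested-application dynamic-lookup).

Added illustration, not Junos code: only dynamic-application matching,
first-match rule order and the default rule are modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    dynamic_applications: frozenset
    action: str  # "permit" or "deny"


@dataclass
class RuleSet:
    rules: list
    default_action: str


HTTP_MATCHES_NESTED = "pre-11.4R6"
PLAIN_HTTP_ONLY = "11.4R6-to-12.1X46-D10"
DYNAMIC_LOOKUP = "12.1X46-D10-dynamic-lookup"
ALL_MODES = (HTTP_MATCHES_NESTED, PLAIN_HTTP_ONLY, DYNAMIC_LOOKUP)


def _first_match(ruleset, app):
    for rule in ruleset.rules:
        if app in rule.dynamic_applications:
            return rule
    return None


def evaluate(ruleset, base_app, nested_app, mode):
    """Return (matched rule name or "default", action) for one session."""
    if nested_app is None:
        rule = _first_match(ruleset, base_app)
    else:
        # An explicit rule for the nested application always wins.
        rule = _first_match(ruleset, nested_app)
        if rule is None and mode in (HTTP_MATCHES_NESTED, DYNAMIC_LOOKUP):
            # Old behaviour and dynamic-lookup both end up at the base application's rule.
            rule = _first_match(ruleset, base_app)
        # PLAIN_HTTP_ONLY: junos:HTTP does not match nested traffic; fall through.
    if rule is None:
        return ("default", ruleset.default_action)
    return (rule.name, rule.action)


def audit(ruleset, sessions, modes=ALL_MODES):
    """List sessions whose action differs between behaviours, i.e. traffic an
    upgrade would silently start permitting or denying."""
    findings = []
    for base, nested in sessions:
        outcomes = {m: evaluate(ruleset, base, nested, m) for m in modes}
        if len({action for _, action in outcomes.values()}) > 1:
            findings.append(((base, nested), outcomes))
    return findings


# Rule-set from the notes: deny junos:HTTP, permit everything else.
HTTP_RULESET = RuleSet([Rule("rule1", frozenset({"junos:HTTP"}), "deny")], "permit")

# Constructed sample sessions: plain HTTP, two nested applications, and SSH.
SAMPLE_SESSIONS = [
    ("junos:HTTP", None),
    ("junos:HTTP", "junos:FACEBOOK"),
    ("junos:HTTP", "junos:TWITTER"),
    ("junos:SSH", None),
]

if __name__ == "__main__":
    for session, outcomes in audit(HTTP_RULESET, SAMPLE_SESSIONS):
        print(session)
        for mode, (rule, action) in outcomes.items():
            print(f"  {mode:28} {rule:8} {action}")
```

Run against HTTP_RULESET, the audit flags the two nested-application sessions: they are denied before 11.4R6, permitted by the default rule between 11.4R6 and 12.1X46-D10, and denied again once dynamic-lookup sends them back to rule1. Adding an explicit rule for a nested application (for example a permit for junos:FACEBOOK ahead of rule1) makes its outcome identical in every mode, which is the safe way to express intent across the upgrade.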
Application Layer Gateways (ALGs)
- On all high-end SRX Series devices, the SQL ALG is disabled in the default configuration. If you need SQL ALG functionality, you must enable the SQL ALG explicitly.
- In Junos OS Release 12.1X46-D50 and earlier, on all SRX Series devices, the DNS ALG only recorded and forwarded DNS packets whose length exceeded the configured threshold value (range 512 through 8192 bytes).
Starting in Junos OS Release 12.1X46-D55, the DNS ALG can be configured to drop oversized DNS packets whose length exceeds the threshold value. To enable this, configure the new CLI statement set security alg dns oversize-message-drop. If set security alg dns oversize-message-drop is not configured, the DNS ALG continues to only record and forward oversized DNS packets.
Application-Level Distributed Denial of Service
- Application-level distributed denial of service, which is used to identify malicious bot clients and to drop or deny traffic if requests exceed configured thresholds, will be deprecated in future releases. As a replacement product for this feature, we recommend that you migrate to the Juniper DDoS Secure product line. For more details, contact your sales engineer.
Chassis Cluster
- In Junos OS Release 12.1X46-D10 and earlier, in chassis cluster mode, when a secondary node failed, no notification was sent to report the secondary node failure.
Starting in Junos OS Release 12.1X46-D15, in chassis cluster mode, when a secondary node fails, the primary node sends SNMP trap information to report the secondary node failure. New SNMP traps are added to report failures on the secondary node.
Sample SNMP trap sent when the monitored interface failed on the secondary node:
2014-02-18 17:36:56 10.157.83.10(via 10.157.84.10 [10.157.84.10]) TRAP, SNMP v1, community ntrap
    .iso.3.6.1.4.1.2636.3.39.1.14.1 Enterprise Specific Trap (1) Uptime: 1:29:31.53
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.1.0 = "1"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.2.0 = "7"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.3.0 = "1"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.4.0 = "100"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.5.0 = "0"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.6.0 = "Priority is set to 0, Monitoring objects are down"
2014-02-18 17:36:56 10.157.84.10 [10.157.84.10]:
    .iso.3.6.1.2.1.1.3.0 = Timeticks: (537153) 1:29:31.53
    .iso.3.6.1.6.3.1.1.4.1.0 = OID: .iso.3.6.1.4.1.2636.3.39.1.14.1.0.1
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.1.0 = "1"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.2.0 = "7"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.3.0 = "1"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.4.0 = "100"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.5.0 = "0"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.6.0 = "Priority is set to 0, Monitoring objects are down"
    .iso.3.6.1.6.3.1.1.4.3.0 = OID: .iso.3.6.1.4.1.2636.1.1.1.2.28
Sample SNMP trap sent when the failed interface is restored on the secondary node:
2014-02-18 17:38:46 10.157.83.10(via 10.157.84.10 [10.157.84.10]) TRAP, SNMP v1, community ntrap
    .iso.3.6.1.4.1.2636.3.39.1.14.1 Enterprise Specific Trap (1) Uptime: 1:31:20.64
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.1.0 = "1"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.2.0 = "7"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.3.0 = "1"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.4.0 = "0"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.5.0 = "100"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.6.0 = "Priority restored, Monitoring object failures are cleared"
2014-02-18 17:38:46 10.157.84.10 [10.157.84.10]:
    .iso.3.6.1.2.1.1.3.0 = Timeticks: (548064) 1:31:20.64
    .iso.3.6.1.6.3.1.1.4.1.0 = OID: .iso.3.6.1.4.1.2636.3.39.1.14.1.0.1
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.1.0 = "1"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.2.0 = "7"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.3.0 = "1"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.4.0 = "0"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.5.0 = "100"
    .iso.3.6.1.4.1.2636.3.39.1.14.1.1.6.0 = "Priority restored, Monitoring object failures are cleared"
    .iso.3.6.1.6.3.1.1.4.3.0 = OID: .iso.3.6.1.4.1.2636.1.1.1.2.28
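The traps above are only useful if something turns them into an alert. The following Python is an added example (not Juniper code) that parses both the SNMPv1 and the v2c-style rendering of the sample traps into a structured event and names the transition (a secondary node whose priority drops to 0 can no longer take over the redundancy group). The subtree .1.3.6.1.4.1.2636.3.39.1.14 is Juniper's chassis cluster MIB; the field names given to the six varbinds are my reading of the two samples (the values run 100 to 0 and back, tracking the node priority) and must be checked against the jnxJsChassisCluster MIB shipped with the device before use. SAMPLE_OTHER is a constructed unrelated trap for the negative case.

```python
"""Parse the chassis cluster SNMP traps from the notes into SIEM-ready events.

Added illustration, not Juniper code. Varbind field names are assumptions
(see VARBIND_FIELDS) and must be verified against the jnxJsChassisCluster MIB.
"""
import re

CLUSTER_TRAP_PREFIX = ".iso.3.6.1.4.1.2636.3.39.1.14.1"
SWITCHOVER_TRAP_OID = CLUSTER_TRAP_PREFIX + ".0.1"

# <prefix>.1.<n>.0 -> field name (assumed from the sample values, not from the MIB)
VARBIND_FIELDS = {
    1: "redundancy_group",
    2: "cluster_id",
    3: "node_id",
    4: "previous_priority",
    5: "current_priority",
    6: "reason",
}
REQUIRED = set(VARBIND_FIELDS.values())

VARBIND_RE = re.compile(re.escape(CLUSTER_TRAP_PREFIX) + r'\.1\.(\d+)\.0 = "([^"]*)"')
# The v2c rendering carries snmpTrapOID.0; the v1 rendering carries the
# enterprise OID followed by "Enterprise Specific Trap (n)".
V2_TRAP_OID_RE = re.compile(r"\.iso\.3\.6\.1\.6\.3\.1\.1\.4\.1\.0 = OID: (\S+)")
V1_HEADER_RE = re.compile(re.escape(CLUSTER_TRAP_PREFIX) + r" Enterprise Specific Trap \((\d+)\)")
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")


def is_cluster_switchover_trap(text):
    m = V2_TRAP_OID_RE.search(text)
    if m:
        return m.group(1) == SWITCHOVER_TRAP_OID
    m = V1_HEADER_RE.search(text)
    return m is not None and m.group(1) == "1"


def classify(previous, current):
    """Name the transition encoded in the two priority varbinds."""
    if previous > 0 and current == 0:
        return "node_failed"      # priority forced to 0: node cannot take the RG
    if previous == 0 and current > 0:
        return "node_restored"
    return "priority_changed"


def parse_cluster_trap(text):
    """Return a dict for a chassis cluster switchover trap, None for any other trap."""
    if not is_cluster_switchover_trap(text):
        return None
    fields = {}
    for suffix, value in VARBIND_RE.findall(text):
        fields[VARBIND_FIELDS.get(int(suffix), "varbind_" + suffix)] = value
    missing = REQUIRED - set(fields)
    if missing:
        raise ValueError("trap lacks varbinds: " + ", ".join(sorted(missing)))
    previous, current = int(fields["previous_priority"]), int(fields["current_priority"])
    ts = TIMESTAMP_RE.match(text)
    return {
        "timestamp": ts.group(1) if ts else None,
        "redundancy_group": int(fields["redundancy_group"]),
        "cluster_id": int(fields["cluster_id"]),
        "node_id": int(fields["node_id"]),
        "previous_priority": previous,
        "current_priority": current,
        "reason": fields["reason"],
        "event": classify(previous, current),
    }


# The two sample traps from the notes (v1 rendering of the failure, v2c-style
# rendering of the recovery) plus a constructed unrelated trap.
SAMPLE_FAILED = ('2014-02-18 17:36:56 10.157.83.10(via 10.157.84.10 [10.157.84.10]) TRAP, SNMP v1, '
                 'community ntrap .iso.3.6.1.4.1.2636.3.39.1.14.1 Enterprise Specific Trap (1) '
                 'Uptime: 1:29:31.53 .iso.3.6.1.4.1.2636.3.39.1.14.1.1.1.0 = "1" '
                 '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.2.0 = "7" .iso.3.6.1.4.1.2636.3.39.1.14.1.1.3.0 = "1" '
                 '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.4.0 = "100" .iso.3.6.1.4.1.2636.3.39.1.14.1.1.5.0 = "0" '
                 '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.6.0 = "Priority is set to 0, Monitoring objects are down"')
SAMPLE_RESTORED = ('2014-02-18 17:38:46 10.157.84.10 [10.157.84.10]: .iso.3.6.1.2.1.1.3.0 = Timeticks: '
                   '(548064) 1:31:20.64 .iso.3.6.1.6.3.1.1.4.1.0 = OID: .iso.3.6.1.4.1.2636.3.39.1.14.1.0.1 '
                   '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.1.0 = "1" .iso.3.6.1.4.1.2636.3.39.1.14.1.1.2.0 = "7" '
                   '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.3.0 = "1" .iso.3.6.1.4.1.2636.3.39.1.14.1.1.4.0 = "0" '
                   '.iso.3.6.1.4.1.2636.3.39.1.14.1.1.5.0 = "100" .iso.3.6.1.4.1.2636.3.39.1.14.1.1.6.0 = '
                   '"Priority restored, Monitoring object failures are cleared" '
                   '.iso.3.6.1.6.3.1.1.4.3.0 = OID: .iso.3.6.1.4.1.2636.1.1.1.2.28')
SAMPLE_OTHER = ('2014-02-18 17:40:00 10.157.84.10 [10.157.84.10]: .iso.3.6.1.2.1.1.3.0 = Timeticks: '
                '(555000) 1:32:30.00 .iso.3.6.1.6.3.1.1.4.1.0 = OID: .iso.3.6.1.6.3.1.1.5.4')  # constructed

if __name__ == "__main__":
    for trap in (SAMPLE_FAILED, SAMPLE_RESTORED, SAMPLE_OTHER):
        print(parse_cluster_trap(trap))
```

A node_failed event for the redundancy group that currently lives on the other node means the cluster has lost its failover target, so it deserves a higher severity than the routine priority change the trap text itself suggests.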
- When an SRX Series device operating in chassis cluster mode encounters an IA-chip access issue on an SPC or an I/O card (IOC), a minor FPC alarm is raised to trigger a redundancy group failover.
- Starting from Junos OS Release 12.1X46-D40, for all high-end SRX Series devices, reth interface supports proxy ARP.
Command-Line Interface (CLI)
New or Changed CLI
- In Junos OS releases earlier than Junos OS Release 12.1X46-D25, TACACS+ options for authentication and accounting did not include an option for configuring a timestamp and time zone.
In Junos OS Release 12.1X46-D25 and later releases, you can use the timestamp-and-timezone option at the [edit system tacplus-options] hierarchy to include start time, stop time, and time zone attributes in start/stop accounting records. [See tacplus-options.]
- On all high-end SRX Series devices, on SPCs and next-generation SPCs, IDP dedicated modes are supported only with the inline-tap option, and the weight equal option is not supported in inline-tap mode.
Other IDP dedicated mode configurations, such as dedicated weight idp, dedicated firewall, and dedicated equal, are not supported.
The following IDP dedicated mode configuration statements are not supported:
  - set security forwarding-process application-services maximize-idp-sessions weight firewall
  - set security forwarding-process application-services maximize-idp-sessions weight idp
  - set security forwarding-process application-services maximize-idp-sessions weight equal
  - set security forwarding-process application-services maximize-idp-sessions inline-tap weight equal
The following configuration statements are supported:
  - set security forwarding-process application-services maximize-idp-sessions inline-tap weight firewall
  - set security forwarding-process application-services maximize-idp-sessions inline-tap weight idp
- Starting in Junos OS Release 12.1X46-D10, on SRX3400 and SRX3600 devices, the value for licenses used in the output of the show system license command correctly displays a 1 in the full-cp-key field. Prior to this release, the output displayed a 0.
- Prior to Junos OS Release 12.1X46-D10, when you configured the DNS proxy server using the set system services dns dns-proxy view view-name domain domain-name forwarder CLI statement and the IP address specified in the forwarder option was not available, the DNS query was forwarded to the default DNS servers (the DNS servers provided by the ISP). The device therefore acquired public IP addresses from the default DNS servers for a domain that was meant to be resolved by the configured forwarder.
Starting in Junos OS Release 12.1X46-D10, the forward-only option is added: set system services dns dns-proxy view view-name domain domain-name forward-only.
With forward-only configured, the device terminates the DNS query instead of falling back to the default DNS servers when the specified forwarder is unreachable, which prevents it from acquiring public IP addresses for that domain.
Deprecated Items for High-End SRX Series Services Gateways
Table 11 lists deprecated items (such as CLI statements, commands, options, and interfaces).
CLI statements and commands are deprecated—rather than immediately removed—to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration. We strongly recommend that you phase out deprecated items and replace them with supported alternatives.
Table 11: Items Deprecated in Release 12.1
Deprecated Item | Replacement | Hierarchy Level or Command Syntax | Additional Information |
---|---|---|---|
download-timeout | - | download-timeout timeout | On all high-end SRX Series devices, the download-timeout command is deprecated. If the configuration is present, then the configuration is ignored. The IDP process internally triggers the security package to install when an automatic download is completed. There is no need to configure any download timeout. |
node | - | request security idp security-package download | On all high-end SRX Series devices operating in a chassis cluster, the request security idp security-package download commands that include the node option are not supported. |
Table 12: Items Deprecated in Junos OS Release 12.1X46
Deprecated Item | Replacement | Hierarchy Level or Command Syntax | Additional Information |
---|---|---|---|
mcc-mnc | imsi-prefix | edit security gprs gtp profile profile-name apn pattern-string | On all high-end SRX Series devices, the mcc-mnc command is not supported. |
Table 13 lists the deprecated system log messages in Junos OS Release 12.1X46.
Table 13: Deprecated System Log Messages in Junos OS Release 12.1X46
Deprecated Item | Replacement |
---|---|
RT_GTP_PKT_ECHO_REQUEST RT_GTP_PKT_ECHO_REPONSE | RT_GTP_V0_PKT_ECHO_REQUEST RT_GTP_V0_PKT_ECHO_RESPONSE RT_GTP_V1_PKT_ECHO_REQUEST RT_GTP_V1_PKT_ECHO_RESPONSE RT_GTP_V2_PKT_ECHO_REQUEST RT_GTP_V2_PKT_ECHO_RESPONSE |
Compatibility
- Version compatibility for Junos SDK—Beginning with Junos OS Release 12.1X44-D10, Junos OS applications will install on Junos OS only if the application is built with the same release as the Junos OS release on which the application is being installed.
For example, an application built with Junos OS Release 12.1R2 will only install on Junos OS Release 12.1R2 and will not install on Junos OS Release 12.1R1 or Junos OS Release 12.1R3.
Flow and Processing
SPU software changes for the SPC—The following changes apply to all high-end SRX Series devices:
- Each SPU runs a 64-bit FreeBSD kernel instead of the 32-bit FreeBSD kernel.
- Each SPU runs a 64-bit flowd instead of the 32-bit version for increased scalability.
- With the 64-bit OS, ksynd and ifstates on the SPU run in 64-bit mode.
- TCP initial timeout enhancement: the minimum value you can configure for the TCP session initialization timeout is 4 seconds. The default value is 20 seconds; if required, you can lower it to any value down to 4 seconds.
- Starting with Junos OS Release 12.1X46-D10, you can configure the timeout value for a multicast flow session. In Junos OS Release 12.1X45-D10 and earlier, the timeout value for a multicast flow session was based on the packet IP protocol, which was not configurable.
Multicast flow sessions have one template flow session and one or more leaf sessions. Because these sessions are linked together, they can have only one timeout value. The earlier implementation ignored the configurable timeout values of the individual policies of each leaf session and considered only the packet IP protocol timeout, which was not configurable. For example, for UDP this timeout value was always 60 seconds. As a result, multicast streams with a packet interval of more than 60 seconds experienced premature aging-out of flow sessions and packet drops.
In the new implementation, multicast flow sessions consider the timeout values configured in leaf session policies along with the IP protocol timeout values. The highest of these timeout values is selected as the template session timeout. You can configure the timeout value for the leaf session policy using custom applications.
[See Configuring the Timeout Value for Multicast Flow Sessions.]
- On all high end SRX Series devices, you can configure the TCP session timeout in a half-closed state by using the apply-to-half-close-state statement at the [edit security flow tcp-session time-wait-state] hierarchy level. This enables the system to apply the configured session timeout on receiving only one FIN packet (either client-to-server or server-to-client). When this statement is not configured, the default behavior takes effect, which is to apply the configured session timeout on receiving both the FIN packets. The default TCP session timeout remains 150 seconds. [See apply-to-half-close-state.]
- On all high-end SRX Series devices, the TCP sequence check in NPU is disabled in the services-offload mode. Prior to this release, NPU TCP sequence check was always enabled and caused intermittent TCP packet drop when permitted by the services-offload policy.
Installation and Upgrade
- Starting in Junos OS Release 12.1X46-D55, the request system scripts add package-name no-copy | unlink command is updated with the following options for installing AI-Script packages on SRX Series devices in a chassis cluster:
  - master: installs the AI-Script package on the primary node.
  - backup: installs the AI-Script package on the secondary node.
This enhancement eliminates the need for separate AI-Script installations on the primary node and the secondary node.
Intrusion Detection and Prevention (IDP)
- A system log message is generated when an IDP signature database update or policy compilation fails with an empty dynamic group. The system-generated log message is Dynamic Attack group [dyn_group_1] has no matching members found. Group is empty.
- A new attribute, max-synacks-queued, is added to the TCP reassembler in the IDP sensor configuration. It defines the maximum number of SYN/ACK packets with different sequence numbers that are queued for a session; valid values are 0 through 5. A new counter, Duplicate Syn/Ack with different SEQ, is also added to the IDP TCP reassembler; it counts the SYN/ACK packets that arrived with different sequence numbers.
- New sensor configuration options have been added to log run
conditions as IDP session capacity and memory limits are approached,
and to analyze traffic dropped by IDP and application identification
due to exceeding these limitations.
- At start up, traffic is ignored by IDP by default if the IDP policy is not yet loaded. The drop-if-no-policy-loaded option changes this behavior so that all sessions are dropped before the IDP policy is loaded.
Use the following configuration command to drop traffic before the IDP policy is loaded:
    set security idp sensor-configuration flow drop-if-no-policy-loaded
The following new counter has been added to the show security idp counters flow command output to analyze traffic dropped because of the drop-if-no-policy-loaded option:
    Sessions dropped due to no policy 0
- By default, IDP ignores failover sessions in an SRX chassis cluster deployment. The drop-on-failover option changes this behavior and automatically drops sessions that are in the process of being inspected on the primary node when a failover to the secondary node occurs.
Use the following configuration command to drop failover sessions:
    set security idp sensor-configuration flow drop-on-failover
The following new counter has been added to the show security idp counters flow command output to analyze failover traffic dropped because of the drop-on-failover option:
    Fail-over sessions dropped 0
- By default, sessions are not dropped if the IDP session limit or resource limits are exceeded. In this case, IDP and other sessions are dropped only when the device's session capacity or resources are depleted. The drop-on-limit option changes this behavior and drops sessions when resource limits are exceeded.
Use the following configuration commands to set or remove the drop-on-limit option:
    set security idp sensor-configuration flow drop-on-limit
    delete security idp sensor-configuration flow drop-on-limit
The following new counters have been added to the show security idp counters flow command output to analyze IDP traffic dropped because of the drop-on-limit option:
SM Sessions encountered memory failures 0
SM Packets on sessions with memory failures 0
SM Sessions dropped 0
Both directions flows ignored 0
IDP Stream Sessions dropped due to memory failure 0
IDP Stream Sessions ignored due to memory failure 0
IDP Stream Sessions closed due to memory failure 0
Number of times Sessions exceed high mark 0
Number of times Sessions drop below low mark 0
Memory of Sessions exceeds high mark 0
Memory of Sessions drops below low mark 0
The following counters have also been added to the show security idp counters application-identification command output to analyze dropped application identification traffic due to the drop-on-limit option:
AI-session dropped due to malloc failure before session create 0
AI-Sessions dropped due to malloc failure after create 0
AI-Packets received on sessions marked for drop due to malloc failure 0
The following options have been added to trigger informative log messages about current run conditions. When set, the log messages are triggered whether the drop-on-limit option is set or not.
- The max-sessions-offset option sets an offset for the maximum IDP session limit. When the number of IDP sessions exceeds the maximum session limit, a warning is logged that conditions exist where IDP sessions could be dropped. When the number of IDP sessions drops below the maximum IDP session limit minus the offset value, a message is logged that conditions have returned to normal.
Jul 19 04:38:13 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374233893, FPC 4 PIC 1 IDP total sessions pass through high mark 100000. IDP may drop new sessions. Total sessions dropped 0.
Jul 19 04:38:21 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374233901, FPC 4 PIC 1 IDP total sessions drop below low mark 99000. IDP working in normal mode. Total sessions dropped 24373.
Use the following configuration command to set the max-sessions-offset option:
    set security idp sensor-configuration flow max-sessions-offset offset-value
- The min-objcache-limit-lt option sets a lower threshold for available cache memory. The threshold value is expressed as a percentage of available IDP cache memory. If the available cache memory drops below the lower threshold level, a message is logged stating that conditions exist where IDP sessions could be dropped because of memory allocation failures. For example, the following message shows that the IDP cache memory has dropped below the lower threshold and that a number of sessions have been dropped:
Jul 19 04:07:33 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374232053, FPC 4 PIC 1 IDP total available objcache(used 4253368304, limit 7247757312) drops below low mark 3986266515. IDP may drop new sessions. Total sessions dropped 1002593.
Use the following configuration command to set the min-objcache-limit-lt option:
    set security idp sensor-configuration flow min-objcache-limit-lt lower-threshold-value
- The min-objcache-limit-ut option sets an upper threshold for available cache memory. The threshold value is expressed as a percentage of available IDP cache memory. If available IDP cache memory returns to the upper threshold level, a message is logged stating that available cache memory has returned to normal. For example, the following message shows that the available IDP cache memory has increased above the upper threshold and that IDP is now operating normally:
Jul 19 04:13:47 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374232428, FPC 4 PIC 1 IDP total available objcache(used 2782950560, limit 7247757312) increases above high mark 4348654380. IDP working in normal mode. Total sessions dropped 13424632.
Note: This message is triggered only if the lower threshold has been reached and the available memory has then returned above the upper threshold. Fluctuations in available memory that dropped below the upper threshold but did not fall below the lower threshold do not trigger the message.
Use the following configuration command to set the min-objcache-limit-ut option:
    set security idp sensor-configuration flow min-objcache-limit-ut upper-threshold-value
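As an added illustration (not Junos code), the following Python models the hysteresis the three options above describe and recovers the configured values from the sample messages: the offset is the difference between the two session marks, and the objcache marks in the messages are about 55% and 60% of the reported limit, which is consistent with min-objcache-limit-lt 55 and min-objcache-limit-ut 60 (an inference from the numbers, not a value stated on the page). The IdpSensorFlow class, its event tuples and the percentage-of-limit interpretation of the thresholds are assumptions of the example; the four log lines are copied from the notes.

```python
"""Model of the IDP sensor run-condition logging (max-sessions-offset,
min-objcache-limit-lt, min-objcache-limit-ut) plus a parser that recovers
those settings from IDP_SESSION_LOG_EVENT messages.

Added illustration, not Junos code: the hysteresis rules are inferred from
the descriptions in the notes, and percent thresholds are assumed to be
percentages of the objcache limit reported in the message.
"""
import re

EVENT_RE = re.compile(
    r"IDP total (?P<metric>sessions|available objcache)"
    r"(?:\(used (?P<used>\d+), limit (?P<limit>\d+)\))?"
    r" (?P<edge>pass through high mark|increases above high mark|drops? below low mark) "
    r"(?P<mark>\d+)\..*Total sessions dropped (?P<dropped>\d+)\."
)

# The four sample messages from the notes.
SAMPLE_LOG = """\
Jul 19 04:38:13 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374233893, FPC 4 PIC 1 IDP total sessions pass through high mark 100000. IDP may drop new sessions. Total sessions dropped 0.
Jul 19 04:38:21 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374233901, FPC 4 PIC 1 IDP total sessions drop below low mark 99000. IDP working in normal mode. Total sessions dropped 24373.
Jul 19 04:07:33 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374232053, FPC 4 PIC 1 IDP total available objcache(used 4253368304, limit 7247757312) drops below low mark 3986266515. IDP may drop new sessions. Total sessions dropped 1002593.
Jul 19 04:13:47 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374232428, FPC 4 PIC 1 IDP total available objcache(used 2782950560, limit 7247757312) increases above high mark 4348654380. IDP working in normal mode. Total sessions dropped 13424632.
"""


def parse_event(line):
    """Return a dict for one IDP_SESSION_LOG_EVENT line, or None if it is not one."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    metric = "sessions" if m["metric"] == "sessions" else "objcache"
    # Sessions degrade when the count rises above the high mark; objcache (free
    # memory) degrades when it falls below the low mark.
    degraded = ("high mark" in m["edge"]) if metric == "sessions" else ("low mark" in m["edge"])
    return {
        "metric": metric,
        "degraded": degraded,
        "mark": int(m["mark"]),
        "limit": int(m["limit"]) if m["limit"] else None,
        "dropped": int(m["dropped"]),
    }


def infer_thresholds(log_text):
    """Recover max-sessions-offset and the two objcache percentages from a log."""
    marks = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev:
            marks[(ev["metric"], ev["degraded"])] = ev
    out = {}
    if ("sessions", True) in marks and ("sessions", False) in marks:
        out["max-sessions-offset"] = marks[("sessions", True)]["mark"] - marks[("sessions", False)]["mark"]
    for key, name in ((("objcache", True), "min-objcache-limit-lt"),
                      (("objcache", False), "min-objcache-limit-ut")):
        if key in marks:
            out[name] = round(100 * marks[key]["mark"] / marks[key]["limit"])
    return out


class IdpSensorFlow:
    """Hysteresis state for the two run-condition alarms (assumed model)."""

    def __init__(self, max_sessions, offset, lt_pct, ut_pct, objcache_limit, drop_on_limit=False):
        self.high_sessions = max_sessions
        self.low_sessions = max_sessions - offset
        self.low_mem = objcache_limit * lt_pct // 100
        self.high_mem = objcache_limit * ut_pct // 100
        self.objcache_limit = objcache_limit
        self.drop_on_limit = drop_on_limit
        self.sessions_alarm = False
        self.mem_alarm = False

    def observe(self, sessions, objcache_used):
        """Feed one sample; return the log events it would raise."""
        events = []
        if not self.sessions_alarm and sessions > self.high_sessions:
            self.sessions_alarm = True
            events.append(("sessions", "above high mark", self.high_sessions))
        elif self.sessions_alarm and sessions < self.low_sessions:
            self.sessions_alarm = False
            events.append(("sessions", "below low mark", self.low_sessions))
        available = self.objcache_limit - objcache_used
        if not self.mem_alarm and available < self.low_mem:
            self.mem_alarm = True
            events.append(("objcache", "below low mark", self.low_mem))
        elif self.mem_alarm and available > self.high_mem:
            # Fires only after the low mark was crossed first, so a dip that
            # stays between the two marks never produces a "normal" message.
            self.mem_alarm = False
            events.append(("objcache", "above high mark", self.high_mem))
        return events

    def would_drop_new_session(self, sessions):
        """drop-on-limit is independent of the logging: the alarms fire either way."""
        return self.drop_on_limit and sessions > self.high_sessions


if __name__ == "__main__":
    print(infer_thresholds(SAMPLE_LOG))
```

Because the thresholds are per FPC/PIC and the "normal" message needs both marks to be crossed in order, a monitoring rule should key its state on the FPC and PIC fields and should treat a degraded message with no matching normal message as still open, rather than expiring it after a fixed time.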
- On all high-end SRX Series devices, when IDP is activated, the upload and download speeds of a single session are slow compared with the firewall-only performance numbers.
To address this, a new CLI command, set security idp sensor-configuration ips session-pkt-depth, is introduced. The session-pkt-depth value is global and applies to every session.
The session-pkt-depth value specifies the number of packets per session that are inspected by IDP; packets beyond that count are not inspected. For example, when session-pkt-depth is configured as n, IDP inspects only the first (n-1) packets of a session and ignores packets from the nth packet onward. Anything carried later in a long-lived session is therefore not inspected, so the value trades detection coverage for throughput.
The default value of session-pkt-depth is zero. With the default value of zero, no packet depth is applied and IDP performs a full inspection of the session.
- Starting in Junos OS Release 12.1X46-D25, the show security idp counters flow command output is changed to include new fields.
Table 14 lists the output fields for the show security idp counters flow command. Output fields are listed in the approximate order in which they appear.
Table 14: show security idp counters flow Output Fields
Field Name | Description |
---|---|
Fast-path packets | Number of packets that are sent through the fast path after completing IDP policy lookup. |
Slow-path packets | Number of packets that are sent through the slow path during IDP policy lookup. |
Session construction failed (Unsupported) | Number of times the packet failed to establish the session. |
Session limit reached | Number of sessions that reached the IDP session limit. |
Session inspection depth reached | Number of sessions that reached the inspection depth. |
Memory limit reached | Number of sessions that reached the memory limit. |
Not a new session (Unsupported) | Number of sessions that extended beyond the time limit. |
Invalid index at age-out (Unsupported) | Invalid session index in the session age-out message. |
Packet logging | Number of packets saved for packet logging. |
Policy cache hits | Number of sessions that matched the policy cache. |
Policy cache misses | Number of sessions that did not match the policy cache. |
Policy cache entries | Number of policy cache entries. |
Maximum flow hash collisions | Maximum number of packets, of one flow, that share the same hash value. |
Flow hash collisions | Number of packets that share the same hash value. |
Gates added | Number of gate entries added for dynamic port identification. |
Gate matches (Unsupported) | Number of times a gate is matched. |
Sessions deleted | Number of sessions deleted. |
Sessions aged-out (Unsupported) | Number of sessions aged out because no traffic was received within the session timeout value. |
Sessions in-use while aged-out (Unsupported) | Number of sessions in use during session age-out. |
TCP flows marked dead on RST/FIN | Number of sessions marked dead on TCP RST/FIN. |
policy init failed | Number of times policy initialization failed. |
Number of sessions exceeds high mark | Number of times the session count exceeded the high mark. |
Number of sessions drops below low mark | Number of times the session count fell below the low mark. |
Memory of sessions exceeds high mark | Number of times session memory exceeded the high mark. |
Memory of sessions drops below low mark | Number of times session memory dropped below the low mark. |
Sessions constructed | Number of sessions established. |
SM Sessions encountered memory failures | Number of SM sessions that encountered a memory failure. |
SM Packets on sessions with memory failures | Number of SM packets on SM sessions with memory failures. |
SM Sessions dropped | Number of SM sessions dropped. |
SM sessions ignored | Number of sessions ignored in the Security Module (SM). |
SM sessions interested | Number of SM sessions interested. |
SM sessions not interested | Number of SM sessions not interested. |
SM sessions interest error | Number of errors created for SM sessions interested. |
Sessions destructed | Number of sessions destructed. |
SM Session Create | Number of SM sessions created. |
SM Packet Process | Number of packets processed from SM. |
SM FTP data session ignored by IDP | Number of SM FTP data sessions that are ignored by IDP. |
SM Session close | Number of SM sessions closed. |
SM client-to-server packets | Number of SM client-to-server packets. |
SM server-to-client packets | Number of SM server-to-client packets. |
SM client-to-server L7 bytes | Number of SM client-to-server Layer 7 bytes. |
SM server-to-client L7 bytes | Number of SM server-to-client Layer 7 bytes. |
Client-to-server flows ignored | Number of client-to-server flow sessions that are ignored. |
Server-to-client flows ignored | Number of server-to-client flow sessions that are ignored. |
Both directions flows ignored | Number of flow sessions that are ignored in both the client-to-server and the server-to-client direction. |
Fail-over sessions dropped | Number of failover sessions dropped. |
Sessions dropped due to no policy | Number of sessions dropped because there was no active IDP policy. |
IDP Stream Sessions dropped due to memory failure | Number of IDP stream sessions that are dropped because of memory failure. |
IDP Stream Sessions ignored due to memory failure | Number of IDP stream sessions that are ignored because of memory failure. |
IDP Stream Sessions closed due to memory failure | Number of IDP stream sessions that are closed because of memory failure. |
IDP Stream Sessions accepted | Number of IDP stream sessions that are accepted. |
IDP Stream Sessions constructed | Number of IDP stream sessions that are constructed. |
IDP Stream Sessions destructed | Number of IDP stream sessions that are destructed. |
IDP Stream Move Data | Number of stream data events handled by IDP. |
IDP Stream Sessions ignored on JSF SSL Event | Number of IDP stream sessions that are ignored because of a JSF SSL proxy event. |
IDP Stream Sessions not processed for no matching rules | Number of IDP stream sessions that are not processed because no rules matched. |
IDP Stream stbuf dropped | Number of IDP stream plugin buffers dropped. |
IDP Stream stbuf reinjected | Number of IDP stream plugin buffers reinjected. |
Busy packets from stream plugin | Number of packets saved because one or more packets of this session came from the stream plugin. |
Busy packets from packets plugin | Number of saved packets for IDP stream plugin sessions. |
Bad kpp | Number of internally marked packets logged for IDP processing. |
Lsys policy id lookup failed sessions | Number of sessions that failed logical systems policy lookup. |
Busy packets | Number of packets saved because one or more packets of this session were handed off for asynchronous processing. |
Busy packet errors | Number of packets found with an IP checksum error after asynchronous processing completed. |
Dropped queued packets (async mode) | Number of queued packets dropped because of the policy action, reinjection failures, or because the session is marked to destruct. |
Dropped queued packets failed (async mode) | Not used currently. |
Reinjected packets (async mode) | Number of packets reinjected into the queue. |
Reinjected packets failed (async mode) | Number of failed reinjected packets. |
AI saved processed packet | Number of AI packets saved for which asynchronous processing completed. |
Busy packet count incremented | Number of times the busy packet count was incremented in asynchronous processing. |
busy packet count decremented | Number of times the busy packet count was decremented in asynchronous processing. |
session destructed in pme | Number of sessions destructed as part of asynchronous result processing. |
session destruct set in pme | Number of sessions set to be destructed as a result of asynchronous processing. |
KQ op | Number of sessions with one of the following statuses: KQ op hold (number of times packets were held by IDP); KQ op drop (number of times packets were dropped by IDP); KQ op route (number of times IDP decided to route the packet directly); KQ op continue (number of times IDP decided to continue processing the packet); KQ op error (number of times an error occurred while IDP processed the packet); KQ op stop (number of times IDP decided to stop processing the packet). |
PME wait not set | Number of AI saved packets given for signature matching. |
PME wait set | Number of packets given for signature matching without AI save. |
PME KQ run not called | Number of times signature matching results were processed out of packet receiving order. |
show security idp counters flow
user@host> show security idp counters flow
IDP counter type                                                  Value
  Fast-path packets                                               0
  Slow-path packets                                               0
  Session construction failed                                     0
  Session limit reached                                           0
  Session inspection depth reached                                0
  Memory limit reached                                            0
  Not a new session                                               0
  Invalid index at ageout                                         0
  Packet logging                                                  0
  Policy cache hits                                               0
  Policy cache misses                                             0
  Maximum flow hash collisions                                    0
  Flow hash collisions                                            0
  Gates added                                                     0
  Gate matches                                                    0
  Sessions deleted                                                0
  Sessions aged-out                                               0
  Sessions in-use while aged-out                                  0
  TCP flows marked dead on RST/FIN                                0
  Policy init failed                                              0
  Number of times Sessions exceed high mark                       0
  Number of times Sessions drop below low mark                    0
  Memory of Sessions exceeds high mark                            0
  Memory of Sessions drops below low mark                         0
  SM Sessions encountered memory failures                         0
  SM Packets on sessions with memory failures                     0
  Sessions constructed                                            0
  SM Sessions ignored                                             0
  SM Sessions dropped                                             0
  SM Sessions interested                                          0
  SM Sessions not interested                                      0
  SM Sessions interest error                                      0
  Sessions destructed                                             0
  SM Session Create                                               0
  SM Packet Process                                               0
  SM ftp data session ignored by idp                              0
  SM Session close                                                0
  SM Client-to-server packets                                     0
  SM Server-to-client packets                                     0
  SM Client-to-server L7 bytes                                    0
  SM Server-to-client L7 bytes                                    0
  Client-to-server flows ignored                                  0
  Server-to-client flows ignored                                  0
  Both directions flows ignored                                   0
  Fail-over sessions dropped                                      0
  Sessions dropped due to no policy                               0
  IDP Stream Sessions dropped due to memory failure               0
  IDP Stream Sessions ignored due to memory failure               0
  IDP Stream Sessions closed due to memory failure                0
  IDP Stream Sessions accepted                                    0
  IDP Stream Sessions constructed                                 0
  IDP Stream Sessions destructed                                  0
  IDP Stream Move Data                                            0
  IDP Stream Sessions ignored on JSF SSL Event                    0
  IDP Stream Sessions not processed for no matching rules         0
  IDP Stream stbuf dropped                                        0
  IDP Stream stbuf reinjected                                     0
  Busy pkts from stream plugin                                    0
  Busy pkts from pkt plugin                                       0
  bad kpp                                                         0
  Lsys policy id lookup failed sessions                           0
  Busy packets                                                    0
  Busy packet Errors                                              0
  Dropped queued packets (async mode)                             0
  Dropped queued packets failed(async mode)                       0
  Reinjected packets (async mode)                                 0
  Reinjected packets failed(async mode)                           0
  AI saved processed packet                                       0
  busy packet count incremented                                   0
  busy packet count decremented                                   0
  session destructed in pme                                       0
  session destruct set in pme                                     0
  kq op hold                                                      0
  kq op drop                                                      0
  kq op route                                                     0
  kq op continue                                                  0
  kq op error                                                     0
  kq op stop                                                      0
  PME wait not set                                                0
  PME wait set                                                    0
  PME KQ run not called                                           0
J-Web
- On all high-end SRX Series devices, on the Monitoring Policies page, the Deactivate and Move functions on the toolbar and the Count and Log action columns in the output table are not supported and will no longer be available.
- On all high-end SRX Series devices, on the Checking Policies page, the Delete and Deactivate buttons are not supported and will no longer be available.
- On all high-end SRX Series devices, on the Monitor > Events and Alarms > Security Events page, the Is global policy check box is introduced.
Logical Systems
- In Junos OS releases earlier than Junos OS Release 12.1X46-D10, when a logical tunnel interface with an IPv4 address and an Ethernet encapsulation type is configured, a configuration check ensures that the address is not identical to its peer logical tunnel interface address and that both addresses are on the same subnet. No such check was performed when a logical tunnel interface with an IPv6 address and an Ethernet encapsulation type was configured.
Starting in Junos OS Release 12.1X46-D10, the same check is performed for IPv6 configurations. An existing IPv6 configuration that does not satisfy the check (for example, peer addresses on different subnets, or identical addresses on both ends) therefore fails after the upgrade and must be corrected.
Network Address Translation (NAT)
- Starting with Junos OS Release 12.1X46-D55, the port-overloading-factor option and the port-range option at the [edit security nat source pool source-pool-name port] hierarchy level can be configured together. Prior to Release 12.1X46-D55, the options would overwrite each other.
Management Information Bases (MIBs)
- On all high-end SRX Series devices in a chassis cluster, the calculation of primary and secondary node sessions in the jnxJsSPUMonitoringObjectsTable of the SPU monitoring MIB is incorrect: the jnxJsSPUMonitoringCurrentTotalSession object displays a doubled total session count, because the sessions on the active node and their synchronized copies on the backup node are both counted even though they are the same sessions.
The count is now taken from the local node only, which avoids the double counting: jnxJsSPUMonitoringCurrentTotalSession adds up the per-SPU session counts of the local node and displays the local total.
[See SNMP MIBS and Traps Reference for SRX1400 and SRX3000 Line Services Gateways.]
[See SNMP MIBS and Traps Reference for SRX5000 Line Services Gateways.]
Network Time Protocol
- When the NTP client or server is enabled at the [edit system ntp] hierarchy level, the REQ_MON_GETLIST and REQ_MON_GETLIST_1 control messages supported by the NTP monlist feature might allow remote attackers to cause a denial of service. A monlist reply is many times larger than the request that triggers it, so an attacker who spoofs the source address of the requests can use the device as a reflector and amplifier against a third party while the device itself spends resources answering. To mitigate the attack, apply a firewall filter to the router's loopback interface that allows NTP only from trusted addresses and networks.
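The loopback filter that the note describes, written out as an added example that is not part of these release notes: a stateless filter on lo0 that accepts NTP only from a prefix list of trusted time sources, counts and discards all other NTP, and leaves non-NTP traffic to the rest of the configuration. The prefix-list, filter, term and counter names and the addresses are assumptions chosen for illustration.

```junos
/* Added example, not from the release notes. Names and addresses are assumed. */
policy-options {
    prefix-list ntp-trusted {
        192.0.2.10/32;
        198.51.100.0/24;
    }
}
firewall {
    family inet {
        filter protect-re-ntp {
            /* Terms are evaluated in order: trusted NTP first. */
            term ntp-trusted {
                from {
                    source-prefix-list {
                        ntp-trusted;
                    }
                    protocol udp;
                    port ntp;
                }
                then accept;
            }
            /* Every other NTP packet, including spoofed monlist requests,
               is counted (for visibility) and silently dropped. */
            term ntp-untrusted {
                from {
                    protocol udp;
                    port ntp;
                }
                then {
                    count ntp-untrusted;
                    discard;
                }
            }
            /* Without this term the filter's implicit discard would drop
               all other traffic to the Routing Engine, including SSH. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re-ntp;
                }
            }
        }
    }
}
system {
    ntp {
        /* Only the hosts in the prefix list are used as time sources. */
        server 192.0.2.10;
    }
}
```

Applying the filter as the input filter on lo0 makes it govern everything addressed to the Routing Engine. If lo0 already carries a filter, insert the two NTP terms ahead of its existing accept terms rather than replacing it, and always keep a final accept term or an equivalent existing chain. While a reflection attempt is in progress, show firewall filter protect-re-ntp shows the ntp-untrusted counter climbing, which is a cheap detection signal to export to the SIEM.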
Policy Applications
- In Junos OS releases earlier than Junos OS Release 12.1X46-D15, when you set the count option on a security policy using the CLI statement security policies from-zone zone-name to-zone zone-name policy policy-name then, the count is based on the number of packets and bytes of all network traffic that the policy allows to pass through the device.
In Junos OS Release 12.1X46-D15 and later, when you set the count option, the count is based on the number of packets and bytes of all network traffic the policy allows to pass through the device in both directions: the originating traffic from the client to the server (from the from-zone to the to-zone) and the return traffic from the server to the originating client. Because the return direction is now included, policy counters read after an upgrade are larger than before for the same traffic, which matters if they feed threshold-based alarms or reports.
Security Policies
- Security policies are stored in both the Routing Engine and the Packet Forwarding Engine. When you modify the policies on the Routing Engine side, the policies are synchronized to the Packet Forwarding Engine side when you commit the configuration.
The policies in the Routing Engine and Packet Forwarding Engine must always be in synchronization for the configuration to commit successfully. Under certain circumstances, the policies in the Routing Engine and the Packet Forwarding Engine might be out of sync, resulting in the generation of system core files upon commit completion.
Starting in Junos OS Release 12.1X44-D10, the synchronization mechanism for security policies between the Routing Engine and the Packet Forwarding Engine is improved. These improvements significantly lower the probability of security policies becoming out of sync between the Routing Engine and the Packet Forwarding Engine.
However, if an out-of-sync condition does occur, the following error message is displayed when you attempt to commit a configuration:
Policy is out of sync between RE and PFE <SPU-name(s)>. Please resync before commit.
error: configuration check-out failed
To re-synchronize policies between the Routing Engine and the Packet Forwarding Engine, you must:
- Reboot the device (device in standalone mode)
- Reboot both devices (devices in chassis cluster mode)
Session Timeout for Reroute Failure
- The route-change-timeout configuration statement at the [edit security flow] hierarchy level sets the session timeout applied when a session is rerouted but the reroute fails (for example, because the new route uses a different egress zone from the previous route). In previous releases, the route-change-timeout statement was disabled by default. Starting in Junos OS Release 12.1X46-D10, route-change-timeout is enabled by default, with a default timeout value of 6 seconds.
Simple Network Management Protocol (SNMP)
- On all high-end SRX Series devices, the screen SNMP trap jnxJsScreenCfgChange will not be sent during reboot.
- Prior to Junos OS Release 12.1X46-D20, the fault management system did not display the SPUs of next-generation SPCs because the XLP PICs were not defined in the MIB files; the jnxContentsType object did not return the correct OID for next-generation SPCs.
Starting in Junos OS Release 12.1X46-D20, the mib-jnx-chas-defines.txt MIB file is updated with the jnxPicType1ASPCXLP XLP PIC. Use the show snmp mib walk jnxContentsType command to display the details for the XLP PIC.
Sample output displaying the incorrect OID:
root@host> show snmp mib walk jnxContentsType
…
jnxContentsType.8.4.1.0 = 0.0
jnxContentsType.8.4.2.0 = 0.0
jnxContentsType.8.4.3.0 = 0.0
jnxContentsType.8.4.4.0 = 0.0
…
For brevity, the show command output includes only the output that is relevant. Any other output on the system has been replaced with ellipses (…).
Sample output displaying the correct OID:
root@host> show snmp mib walk jnxContentsType
…
jnxContentsType.8.4.1.0 = jnxPicType1ASPCXLP
jnxContentsType.8.4.2.0 = jnxPicType2ASPCXLP
jnxContentsType.8.4.3.0 = jnxPicType2ASPCXLP
jnxContentsType.8.4.4.0 = jnxPicType2ASPCXLP
…
System Logs
- In Junos OS releases earlier than Junos OS Release 12.1X46-D10, the session-id-32 field in application volume tracking (AVT) logs was not prefixed with the spu-id, whereas the session-id-32 field in flow logs was.
Starting in Junos OS Release 12.1X46-D10, that functionality has changed. The session-id-32 in AVT logs is now also prefixed with the spu-id, so that the session IDs in AVT logs are consistent with the flow logs and unique across the system. Without the prefix, sessions on different SPUs could carry the same ID, and flow and AppTrack records for one session could not be joined reliably.
The following example shows session-id-32 logging before Junos OS Release 12.1X46-D10; the flow log carries session ID 180000308 while the AppTrack log for the same session carries only 308:
Oct 4 09:13:14 bournville RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed idle Timeout: 4.0.0.1/9->5.0.0.1/33631 icmp 4.0.0.1/9->5.0.0.1/33631 None None 1 1 untrust trust 180000308 1(84) 0(0) 59 ICMP-ECHO UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN
Oct 4 09:13:14 bournville RT_FLOW: APPTRACK_SESSION_CLOSE: AppTrack session closed idle Timeout: 4.0.0.1/9->5.0.0.1/33631 icmp ICMP-ECHO UNKNOWN 4.0.0.1/9->5.0.0.1/33631 None None 1 1 untrust trust 308 1(84) 0(0) 59 N/A N/A No
The following example shows session-id-32 logging in Junos OS Release 12.1X46-D10, where both the flow and AppTrack logs carry the prefixed session ID 180000001:
Oct 4 13:57:38 bournville RT_FLOW: RT_FLOW_SESSION_CREATE: session created 4.0.0.1/58565->5.0.0.1/21 junos-ftp 4.0.0.1/58565->5.0.0.1/21 None None 6 1 untrust trust 180000001 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN
Oct 4 13:57:38 bournville RT_FLOW: APPTRACK_SESSION_CREATE: AppTrack session created 4.0.0.1/58565->5.0.0.1/21 junos-ftp UNKNOWN UNKNOWN 4.0.0.1/58565->5.0.0.1/21 None None 6 1 untrust trust 180000001 N/A N/A UNKNOWN
- On all high-end SRX Series devices, the attribute type of the packets-from-client and packets-from-server fields in the system logs of the following modules has been changed from uint (unsigned integer) to string:
- App Track module: APPTRACK_SESSION_CLOSE, APPTRACK_SESSION_CLOSE_LS, APPTRACK_SESSION_VOL_UPDATE and APPTRACK_SESSION_VOL_UPDATE_LS
- Session module: RT_FLOW_SESSION_CLOSE and RT_FLOW_SESSION_CLOSE_LS
Log collectors that validate structured-data field types against the message definitions should expect strings for these two fields.
- On all high-end SRX Series devices, the following system log messages have been updated to include the certificate ID:
- PKID_PV_KEYPAIR_DEL
Existing message: Key-Pair deletion failed
New message: Key-Pair deletion failed for <cert-id>
- PKID_PV_CERT_DEL
Existing message: Certificate deletion has occurred
New message: Certificate deletion has occurred for <cert-id>
- PKID_PV_CERT_LOAD
Existing message: Certificate has been successfully loaded
New message: Certificate <cert-id> has been successfully loaded
- PKID_PV_KEYPAIR_GEN
Existing message: Key-Pair has been generated
New message: Key-Pair has been generated for <cert-id>
- In Junos OS Release 12.1X46-D50 and earlier, the structured log of Web filtering used incorrect field names: the structured-data element carried generic names (name, error-message, profile-name, object-name, pathname) that did not describe the values.
Starting in Junos OS Release 12.1X46-D55, the structured log fields have changed. The corresponding fields in the UTM Web filter logs WEBFILTER_URL_BLOCKED, WEBFILTER_URL_REDIRECTED, and WEBFILTER_URL_PERMITTED now use the appropriate structured log field names; parsers keyed on the old names must be updated when upgrading.
The following example shows WEBFILTER_URL_BLOCKED messages before Junos OS Release 12.1X46-D55:
<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address="192.0.2.3" source-port="58071" destination-address="198.51.100.2" destination-port="80" name="cat1" error-message="BY_BLACK_LIST" profile-name="uf1" object-name="www.example.com" pathname="/" username="N/A" roles="N/A"] WebFilter: ACTION="URL Blocked "192.0.2.3(58071)->198.51.100.2(80) CATEGORY="cat1" REASON="BY_BLACK_LIST" PROFILE="uf1" URL=www.example.com OBJ=/ username N/A roles N/A
The following example shows WEBFILTER_URL_BLOCKED messages in Junos OS Release 12.1X46-D55, indicating the change in structured log fields:
<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address="192.0.2.3" source-port="58071" destination-address="198.51.100.2" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.example.com" obj="/" username="N/A" roles="N/A"] WebFilter: ACTION="URL Blocked "192.0.2.3(58071)->198.51.100.2(80) CATEGORY="cat1" REASON="BY_BLACK_LIST" PROFILE="uf1" URL=www.example.com OBJ=/ username N/A roles N/A
The structured log field changes in the UTM Web filter logs WEBFILTER_URL_BLOCKED, WEBFILTER_URL_REDIRECTED, and WEBFILTER_URL_PERMITTED are as follows:
- name -> category
- error-message -> reason
- profile-name -> profile
- object-name -> url
- pathname -> obj
System Management
- On an SRX5800 device in transparent mode, if the device is not processing multicast OSPFv3 hello packets, remove the no-packet-flooding statement from the configuration:
delete security flow bridge no-packet-flooding
Note: Packet flooding is enabled by default. If you have manually disabled it with the set security flow bridge no-packet-flooding statement, the delete command above reverts to the default behavior, which allows the device to process multicast OSPFv3 hello packets.
- During a load override, to increase the memory available to commit and op scripts, apply the following statements before you commit the loaded configuration:
set system scripts commit max-datasize 800000000
set system scripts op max-datasize 800000000
Unified Threat Management (UTM)
- Starting in Junos OS Release 12.1X46-D20, license control is supported on high-end SRX Series devices. Licensed features such as antivirus and Enhanced Web Filtering do not function until a license has been installed; install the license after installing or upgrading to Junos OS Release 12.1X46-D20. Unlicensed features such as UTM blacklists and whitelists continue to function without a license.
- Prior to Junos OS Release 12.1X46-D20, the UTM feature profiles such as antivirus and Web filtering were provided as a default configuration regardless of the license requirement.
Starting in Junos OS Release 12.1X46-D20, that default configuration is removed. Use the set security utm feature-profile anti-virus type <anti-virus-type> and set security utm feature-profile web-filtering type <web-filtering-type> statements to configure the specific antivirus and Web filtering types in the UTM feature profiles explicitly.
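An explicit UTM configuration of the kind required from Junos OS Release 12.1X46-D20 onward, added here as an example and not taken from the release notes: it selects the antivirus and Web filtering engines, builds a UTM policy from the predefined Sophos antivirus profile and a minimal Enhanced Web Filtering profile, and attaches that UTM policy to a security policy. The zone, policy and profile names are assumptions; junos-sophos-av-defaults is a predefined profile that ships with Junos OS.

```junos
/* Added example, not from the release notes. Zone, policy and profile
   names are assumed; junos-sophos-av-defaults is a predefined profile. */
security {
    utm {
        feature-profile {
            /* Engine selection is no longer provided by default. */
            anti-virus {
                type sophos-engine;
            }
            web-filtering {
                type juniper-enhanced;
                juniper-enhanced {
                    profile ewf-default {
                        /* Permit and log categories that no rule covers. */
                        default log-and-permit;
                        /* Fail closed if the cloud categorization service
                           cannot be reached or answers too slowly. */
                        fallback-settings {
                            default block;
                            server-connectivity block;
                            timeout block;
                            too-many-requests block;
                        }
                    }
                }
            }
        }
        utm-policy utm-pol-web {
            anti-virus {
                http-profile junos-sophos-av-defaults;
            }
            web-filtering {
                http-profile ewf-default;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy allow-web {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit {
                        application-services {
                            utm-policy utm-pol-web;
                        }
                    }
                }
            }
        }
    }
}
```

Before relying on this, confirm the license and engine state with show system license, show security utm anti-virus status and show security utm web-filtering status. Without the license the configuration still commits, but the licensed antivirus and Enhanced Web Filtering services do not inspect traffic; only unlicensed components such as URL blacklists and whitelists act. The fail-closed fallback settings are deliberate: a filtering profile that falls open when its category server is unreachable is a filtering profile an attacker can bypass by exhausting it.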
Unified In-Service Software Upgrade (ISSU)
- On all high-end SRX Series devices, at the beginning of a chassis cluster unified ISSU, the system automatically fails over all RG-1+ redundancy groups that are not primary on the node from which you start the ISSU. This action ensures that the redundancy groups are all active on only the RG-0 primary node. You no longer need to fail over redundancy groups manually.
After the system fails over all RG-1+ redundancy groups, the system sets the manual failover bit and changes all RG-1+ primary node priorities to 255, regardless of whether the redundancy group failed over to the RG-0 primary node.
Virtual Private Networks (VPNs)
- For each VPN tunnel, both ESP and AH tunnel sessions are installed on SPUs and the control plane. In previous Junos OS releases, two tunnel sessions of the same protocol (ESP or AH) were installed for each VPN tunnel. For branch SRX Series devices, tunnel sessions are updated with the negotiated protocol after negotiation is completed. For high-end SRX Series devices, tunnel sessions on anchor SPUs are updated with the negotiated protocol, while non-anchor SPUs retain both ESP and AH tunnel sessions.
The ESP and AH tunnel sessions are displayed in the outputs for the show security flow session and show security flow cp-session operational mode commands.
- As of Junos OS Release 11.4, checks are performed to validate the IKE ID received from the VPN peer device. By default, SRX Series and J Series devices validate the IKE ID received from the peer against the IP address configured for the IKE gateway. In certain network setups, the IKE ID received from the peer (which can be an IPv4 or IPv6 address, fully qualified domain name, distinguished name, or e-mail address) does not match the IKE gateway address configured on the SRX Series or J Series device, for example when the peer is behind NAT or identifies itself by hostname. This leads to a Phase 1 validation failure.
To modify the configuration of the SRX Series or J Series device or the peer device for the IKE ID that is used:
- Starting in Junos OS Release 12.1X46-D10, local-address can be configured at the [edit security ike gateway gateway-name] hierarchy level to specify the local gateway address when there are multiple addresses configured on the external physical interface to a VPN peer. local-address and the remote IKE gateway address must be in the same address family, either IPv4 or IPv6. Prior to Junos OS Release 12.1X46-D10, local-address was a hidden CLI configuration statement.
- On the SRX Series or J Series device, configure the remote-identity statement at the [edit security ike gateway gateway-name] hierarchy level to match the IKE ID that is received from the peer. Values can be an IPv4 or IPv6 address, fully qualified domain name, distinguished name, or e-mail address.
Note: If you do not configure remote-identity, the device expects the peer's IKE ID to be the IPv4 or IPv6 address of the remote peer by default.
- On the peer device, ensure that the IKE ID it sends is the same as the remote-identity configured on the SRX Series or J Series device. If the peer device is an SRX Series or J Series device, configure the local-identity statement at the [edit security ike gateway gateway-name] hierarchy level. Values can be an IPv4 or IPv6 address, fully qualified domain name, distinguished name, or e-mail address.
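Both sides of the identity pairing described in the steps above, written out as an added example that is not taken from the release notes: two SRX Series devices that identify themselves by hostname, each configured so that its remote-identity is the other's local-identity, with local-address selecting the source address on a multi-address external interface. Gateway, policy and interface names, hostnames and addresses are assumptions, and the referenced IKE policies (proposals plus pre-shared key or certificates) are assumed to exist.

```junos
/* Added example, not from the release notes. All names and addresses are
   assumed; ike-policy ike-pol-b and ike-pol-a are assumed to be defined. */

/* SRX-A: external interface carries 198.51.100.1 and 198.51.100.2,
   so local-address pins the one the peer expects to see. */
security {
    ike {
        gateway gw-to-srx-b {
            ike-policy ike-pol-b;
            address 203.0.113.2;
            local-address 198.51.100.1;
            local-identity hostname srx-a.example.net;
            remote-identity hostname srx-b.example.net;
            external-interface ge-0/0/0.0;
        }
    }
}

/* SRX-B: the mirror image. Its remote-identity is SRX-A's local-identity. */
security {
    ike {
        gateway gw-to-srx-a {
            ike-policy ike-pol-a;
            address 198.51.100.1;
            local-identity hostname srx-b.example.net;
            remote-identity hostname srx-a.example.net;
            external-interface ge-0/0/1.0;
        }
    }
}
```

If only SRX-B sent a hostname ID while SRX-A kept the default, SRX-A would compare srx-b.example.net against the configured gateway address 203.0.113.2 and Phase 1 would fail. After committing both sides, show security ike security-associations should list the SA as UP; an ID mismatch keeps the SA out of that output, and the rejected identity is visible in the IKE trace file when traceoptions are enabled at [edit security ike]. Pinning remote-identity is also a small hardening step: a peer that can reach the gateway address but presents a different identity is rejected before any Phase 2 negotiation.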
- On all high-end SRX Series devices, the subject fields of a digital certificate can include Domain Component (DC), Common Name (CN), Organizational Unit (OU), Organization (O), Locality (L), State (ST), and Country (C).
In earlier releases, the show security pki ca-certificate and show security pki local-certificate CLI operational commands displayed only a single entry for each subject field, even if the certificate contained multiple entries for that field. For example, a certificate with two OU fields such as "OU=Shipping Department, OU=Priority Mail" displayed only the first entry, "OU=Shipping Department". The show security pki ca-certificate and show security pki local-certificate commands now display the entire contents of the subject field, including multiple entries. The commands also display a new subject string output field that shows the contents of the subject field as it appears in the certificate, which is the form to compare against when a certificate is being matched or audited.
- PKI objects include certificates, key pairs, and CRLs. PKI objects are read from the PKI database when the PKI daemon starts; the PKI daemon loads all certificates into memory at boot time.
When an object is read into memory from the PKI database, the following new log message is created:
PKID_PV_OBJECT_READ: A PKI object was read into memory from <location>