
Documentation Updates

This section lists the errata and changes in Junos OS Release 12.1X46 documentation.

Documentation Updates for the Junos OS Software Documentation

This section lists improvements and outstanding issues with the software documentation.

Junos OS for SRX Series Documentation

The Junos OS for SRX Series technical documentation set has been expanded, restructured, and retitled in Junos OS Release 12.1X46-D10 to make it more comprehensive, easy-to-use, and intuitive. Highlights:

  • (New) The Complete Software Guide consolidates all of the release-specific content that applies to Junos OS for SRX Series devices (except release notes) into a three volume set of PDFs that you can download and view offline. The first volume contains getting started and administration information; the second contains feature information; the third contains developer information. You can find the PDFs in the Downloads box on the right side of the Junos OS for SRX Series Services Gateways, Release 15.1X49-D70 index page.
  • (New) The Getting Started Guide for Branch SRX Series describes how to get up and running with branch SRX Series devices.
  • (Expanded) The Monitoring and Troubleshooting for Security Devices contains significantly more content to help network and security managers keep their SRX Series devices running smoothly in their production environments.
  • (Expanded) The Junos OS for SRX Series Services Gateways, Release 15.1X49-D70 index page has been expanded to serve as a “one stop shop” for all of your Junos OS for SRX Series technical documentation needs.

Junos OS Release Notes

In Junos OS 12.1X46-D10 Release Notes and Junos OS 12.X46-D15 Maintenance Release Notes, the SCCP ALG feature description has the following incorrect information:

Support for SCCP v20—This feature is supported on all SRX Series devices.

Starting in Junos OS Release 12.1X46-D10, the SCCP ALG supports version 20. In SCCP v20, several SCCP messages have been updated with a new format.

The correct information is as follows:

Support for SCCP v20—This feature is supported on all SRX Series devices. Starting in Junos OS Release 12.1X46-D10, the SCCP ALG supports SCCP versions 16, 17, and 20 and several SCCP messages have been updated with a new format. Cisco Call Manager (CM) version 7 uses SCCP version 20.

Administration Guide for Security Devices

  • The following note is added to the Administration Guide for Security Devices, in the Encrypting Configuration Files topic:

    Note: The request system set-encryption-key command is not supported on high-end SRX devices; therefore, this task does not apply to such devices.

  • Under the Configuration tab, the “Minimum DHCP Local Server Configuration” topic has been updated to replace the pool name and group name with more appropriate names. The text should read as follows:
    [edit access]
    address-assignment {
        pool acmenetwork family inet {
            network 192.168.1.0/24;
        }
    }
    [edit system services]
    dhcp-local-server {
        group mobileusers {
            interface ge-1/0/1.0
        }
    }
    [edit interfaces ge-1/0/1 unit 0]
    family {
        inet {
            address 192.168.1.1/24
        }
    }

Application Identification Feature Guide for Security Devices

  • Under the Administration tab, in the example titled “Example: Creating a Configuration Workflow for SSL Proxy,” there is an incorrect openssl command. In Step 2d of the procedure for generating self-signed root CA certificates using openssl, in the section “Generating and Configuring a Root CA,” the correct command is openssl req -new -x509 -days 1095 -key keys/ssl-proxy-ca.key -out certs/ssl-inspect-ca.cer. Additionally, the command request security pki ca-certificate load ca-profile profile-ca1 filename profile-ca1.crt has been added to Figure 1.
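
The corrected Step 2d command in context, as an added example that is not taken from the Juniper guide: it creates the key and the self-signed root CA certificate, then checks what was produced before the certificate is used for SSL proxy. The openssl genrsa step, the 2048-bit key size, the -subj value and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Juniper guide). Assumed values: the genrsa
# step, the 2048-bit key size, the subject name and the function names.

make_root_ca() {
    # $1 = working directory; keys/ and certs/ are created below it.
    ( cd "$1" &&
      umask 077 &&    # CA private key must be readable by its owner only
      mkdir -p keys certs &&
      openssl genrsa -out keys/ssl-proxy-ca.key 2048 2>/dev/null &&
      # Step 2d as corrected on this page; -subj only avoids the prompts.
      openssl req -new -x509 -days 1095 \
          -key keys/ssl-proxy-ca.key -out certs/ssl-inspect-ca.cer \
          -subj "/CN=Example SSL Proxy Root CA" )
}

check_root_ca() {
    key="$1/keys/ssl-proxy-ca.key"
    crt="$1/certs/ssl-inspect-ca.cer"

    # Self-signed: subject and issuer must be identical.
    subj=$(openssl x509 -in "$crt" -noout -subject | sed 's/^[a-z]*= *//')
    iss=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^[a-z]*= *//')
    [ "$subj" = "$iss" ] || return 1

    # The certificate must carry the public half of the key given to -key.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || return 1

    # -days 1095: still valid 1094 days from now, expired 1096 days from now.
    openssl x509 -in "$crt" -noout -checkend $((1094 * 86400)) >/dev/null || return 1
    if openssl x509 -in "$crt" -noout -checkend $((1096 * 86400)) >/dev/null; then
        return 1
    fi
    return 0
}
```

Call make_root_ca with an empty directory, then check_root_ca with the same directory; a non-zero return means the certificate does not match the key or the validity period is not 1095 days.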

BGP Feature Guide for Security Devices

  • In “Example: Configuring Route Authentication for BGP,” the following configuration steps in the CLI quick configuration and in the step-by-step procedure sections are not supported on SRX Series devices:
    set security authentication-key-chains key-chain bgp-auth tolerance 30
    set security authentication-key-chains key-chain bgp-auth key 0 secret this-is-the-secret-password
    set security authentication-key-chains key-chain bgp-auth key 0 start-time 2011-6-23.20:19:33-0700
    set security authentication-key-chains key-chain bgp-auth key 1 secret this-is-another-secret-password
    set security authentication-key-chains key-chain bgp-auth key 1 start-time 2012-6-23.20:19:33-0700

Chassis Cluster Feature Guide for Security Devices

  • In Step 5 of “Upgrading the Second Routing Engine When Using Chassis Cluster Dual Control Links on SRX5600 and SRX5800 Devices,” the bytes per second value is incorrectly shown as bs = 64k. The actual value is 1m.
  • The set chassis cluster cluster-id cluster-id node node reboot operational mode command is missing from the Administration tab. This operational mode command sets the chassis cluster identifier (ID) and node ID on each device, and reboots the devices to enable clustering. This command has two options: cluster-id cluster-id (0 through 255) and node node (0 or 1). The system uses the chassis cluster ID and chassis cluster node ID to apply the correct configuration for each node (for example, when you use the apply-groups command to configure the chassis cluster management interface). The chassis cluster ID and node ID statements are written to the EPROM, and the statements take effect when the system is rebooted. Setting a cluster ID to 0 is equivalent to disabling a cluster. Support for extended cluster identifiers (more than 15 identifiers) was added in Junos OS Release 12.1X46-D10. A cluster ID greater than 15 can only be set when the fabric and control link interfaces are connected back-to-back. The command has the following privilege level: maintenance.

    If you have a cluster set up and running with an earlier release of Junos OS, you can upgrade to Junos OS Release 12.1X46-D10 or later and re-create a cluster with cluster IDs greater than 16. If for any reason you decide to revert to the previous version of Junos OS that did not support extended cluster IDs, the system comes up with standalone devices after you reboot. If the cluster ID set is less than 16 and you roll back to a previous release, the system comes back with the previous setup.

J-Web

  • J-Web pages for stateless firewall filters—There is no documentation describing the J-Web pages for stateless firewall filters. To find these pages in J-Web, go to Configure>Security>Firewall Filters, and then select IPv4 Firewall Filters or IPv6 Firewall Filters. After configuring the filters, select Assign to Interfaces to assign your configured filters to interfaces.

Junos OS CLI User Guide

  • In the log-prefix topic, SRX Series is missing from the list of supported platforms and release information.

SNMP MIBs and Traps Reference

  • The “Enterprise-Specific MIBs and Supported Devices” topic incorrectly states that the SNMP IDP MIB is supported on high-end SRX Series devices. The SNMP IDP MIB is not supported on high-end SRX Series devices.

Modem Interfaces Feature Guide for Security Devices

  • The “Example: Configuring the 3G Wireless Modem Interface” topic in the Modem Interfaces Guide provides the following incorrect information for configuring a dialer filter for the 3G wireless modem interface:
    • user@host# set firewall family inet dialer-filter corporate-traffic-only term term1 from source-address 20.20.90.4/32
    • user@host# set firewall family inet dialer-filter corporate-traffic-only term term1 from destination-address 200.200.201.1/32
    • user@host# set firewall family inet dialer-filter corporate-traffic-only term term1 then note

    The following incorrect configuration output is included:

    [edit]
    user@host# show firewall family inet dialer-filter corporate-traffic-only
    term term1 {
        from {
            source-address {
                20.20.90.4/32;
            }
            destination-address {
                200.200.201.1/32;
            }
        }
        then note;
    }

    The correct configuration is:

    user@host# set firewall family inet dialer-filter corporate-traffic-only term term1 then note

    The following configuration is output from the correct configuration:

    [edit]
    user@host# show firewall
    family inet {
        dialer-filter corporate-traffic-only {
            term term-1 {
                then note;
            }
        }
    }

Multicast Feature Guide for Security Devices

  • Multicast Source Discovery Protocol (MSDP) is not supported on SRX Series devices in any type of custom routing instance.

Network Address Translation

The command show security nat source persistent-nat-table under Network Address Translation > Administration > Source NAT Operational Commands has the following errors:

  • The command is missing the summary option: summary—Display persistent NAT bindings summary.
  • The command contains incomplete sample output. The corrected sample output is as follows:

show security nat source persistent-nat-table internal-ip internal-port

user@host> show security nat source persistent-nat-table internal-ip 9.9.9.1 internal-port 60784
   
Internal                        Reflective        Source     Type         Left_time/  Curr_Sess_Num/ Source
 In_IP  In_Port I_Proto Ref_IP    Ref_Port R_Proto NAT Pool                Conf_time   Max_Sess_Num  NAT Rule
9.9.9.1  60784   udp  66.66.66.68  60784     udp   dynamic-customer-source any-remote-host  254/300  0/30 105

show security nat source persistent-nat-table all

user@host> show security nat source persistent-nat-table all
 Internal             Reflective                  Source     Type          Left_time/  Curr_Sess_Num/  Source
 In_IP     In_Port I_Proto Ref_IP       Ref_Port R_Proto NAT Pool                    Conf_time   Max_Sess_Num    NAT Rule
9.9.9.1    63893   tcp    66.66.66.68   63893     tcp    dynamic-customer-source any-remote-host  192/300   0/30 105
9.9.9.1    64014   udp    66.66.66.68   64014     udp    dynamic-customer-source any-remote-host  244/300   0/30 105
9.9.9.1    60784   udp    66.66.66.68   60784     udp    dynamic-customer-source any-remote-host  254/300   0/30 105
9.9.9.1    57022   udp    66.66.66.68   57022     udp    dynamic-customer-source any-remote-host  264/300   0/30 105
9.9.9.1    53009   udp    66.66.66.68   53009     udp    dynamic-customer-source any-remote-host  268/300   0/30 105
9.9.9.1    49225   udp    66.66.66.68   49225     udp    dynamic-customer-source any-remote-host  272/300   0/30 105
9.9.9.1    52150   udp    66.66.66.68   52150     udp    dynamic-customer-source any-remote-host  274/300   0/30 105
9.9.9.1    59770   udp    66.66.66.68   59770     udp    dynamic-customer-source any-remote-host  278/300   0/30 105
9.9.9.1    61497   udp    66.66.66.68   61497     udp    dynamic-customer-source any-remote-host  282/300   0/30 105
9.9.9.1    56843   udp    66.66.66.68   56843     udp    dynamic-customer-source any-remote-host    -/300   1/30 105

show security nat source persistent-nat-table summary

user@host> show security nat source persistent-nat-table summary
Persistent NAT Table Statistics on FPC5 PIC0:
binding total : 65536 
binding in use : 0
enode total : 524288
enode in use : 0
    

Routing Protocols Overview for Security Devices

  • The default route preference value in the “Understanding Route Preference Values” topic for Static and Static LSPs lists the values incorrectly. The correct values are as follows:

    How Route Is Learned    Default Preference
    Static                  5
    Static LSPs             6

Security Policy Applications Feature Guide for Security Devices

  • The show security policies command output description is missing the definition for the following Policy statistics fields:
    • Output packets—The total number of packets actually processed by the device.
    • Session rate—The total number of active and deleted sessions.
  • On the Overview tab, under IP-Related Predefined Policy Applications, in the topic entitled “Understanding IP-Related Predefined Policy Applications,” the Port column for both TCP-ANY and UDP-ANY should indicate 0-65535. The lead-in sentence should read, “Each entry includes the port and a description of the application.” TCP-ANY means any application that is using TCP, so there is no default port for it. The same is true for UDP-ANY.
  • In the topic entitled “Understanding Miscellaneous Predefined Policy Applications,” table “Predefined Miscellaneous Applications” is incomplete. Under the RADIUS row, add a new row:

    Table 17: Predefined Miscellaneous Applications

    Application          Port    Description
    RADIUS Accounting    1813    Enables the collecting of statistical data about users logging in to or out from a LAN and sending the data to a RADIUS Accounting server.

    In table “Predefined Miscellaneous Applications” replace the IPsec-NAT row with the following:

    Table 18: Predefined Miscellaneous Applications

    Application    Port    Description
    IKE            500     Internet Key Exchange is the protocol that sets up a security association in the IPsec protocol suite.
    IKE-NAT        4500    Helps to perform Layer 3 NAT for S2C IKE traffic.

    Table 19: Predefined Miscellaneous Applications

    Application    Port    Description
    VoIP           389     Internet Locator Service (ILS)
                   522     User Location Service (ULS)
                   1503    T.120 Data sharing
                   1719    H.225 RAS message
                   1720    Q.931 Call Setup
                   1731    Audio Call Control
                   5060    SIP protocol

Various Guides

Documentation Updates for the Junos OS Hardware Documentation

This section lists outstanding issues with the hardware documentation.

SRX5600 Services Gateway Hardware Guide

  • The “Accessory Box Parts List” table in the “Verifying the SRX5600 Services Gateway Parts Received” topic lists the quantities for split washers, DC power terminal lugs, and 3 in. x 5 in. pink bag incorrectly. The correct quantities are as follows:

    Part                             Quantity
    Split washers 1/4                34
    DC power terminal lugs, 6-AWG    9
    3 in. x 5 in. pink bag           5

    The “Accessory Box Parts List” table in the “Verifying the SRX5600 Services Gateway Parts Received” topic is missing the following information:

    Part                                                   Quantity
    Screws (4 x 8 mm long, 1.5 mm pitch)                   4
    SFP, Gigabit Ethernet, 850 nm, 550 m reach, SX, DDM    2
    Fiber optic cable, Duplex, LC/LC, Multimode, 3 m       1

Modified: 2017-01-19
