Rate and give feedback:  Feedback Received. Thank You!

Rate and give feedback: 

X

This document helped resolve my issue

Yes No

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:  

E-mail: 

Enter a valid Email ID

Need product assistance? Contact Juniper Support

Submit

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.

English  

English

Migration, Upgrade, and Downgrade Instructions

This section includes the following topics:

• Upgrading an AppSecure Device
• Network and Security Manager Support
• Upgrade and Downgrade Scripts for Address Book Configuration
• Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases
• Hardware Requirements

Upgrading an AppSecure Device

Use the no-validate Option for AppSecure Devices.

For devices implementing AppSecure services, use the no-validate option when upgrading from Junos OS Release 11.2 or earlier to Junos OS 11.4R1 or later. The application signature package used with AppSecure services in previous releases has been moved from the configuration file to a signature database. This change in location can trigger an error during the validation step and interrupt the Junos OS upgrade. The no-validate option bypasses this step.

Network and Security Manager Support

Network and Security Manager (NSM) support for High-End SRX Series Services Gateways with Junos OS 12.1X46-D10 is available only with NSM versions 2012.2R6 / 2012.1R10 and later. For additional information, see Network and Security Manager documentation.

Upgrade and Downgrade Scripts for Address Book Configuration

Beginning with Junos OS Release 11.4 or later, you can configure address books under the [security] hierarchy and attach security zones to them (zone-attached configuration). In Junos OS Release 11.1 and earlier, address books were defined under the [security zones] hierarchy (zone-defined configuration).

You can either define all address books under the [security] hierarchy in a zone-attached configuration format or under the [security zones] hierarchy in a zone-defined configuration format; the CLI displays an error and fails to commit the configuration if you configure both configuration formats on one system.

Juniper Networks provides Junos operation scripts that allow you to work in either of the address book configuration formats (see Figure 7).

• About Upgrade and Downgrade Scripts
• Running Upgrade and Downgrade Scripts

About Upgrade and Downgrade Scripts

• Use the default address book configuration—You can configure address books using the zone-defined configuration format, which is available by default. For information on how to configure zone-defined address books, see the Junos OS Release 11.1 documentation.
• Use the upgrade script—You can run the upgrade script available on the Juniper Networks support site to configure address books using the new zone-attached configuration format. When upgrading, the system uses the zone names to create address books. For example, addresses in the trust zone are created in an address book named trust-address-book and are attached to the trust zone. IP prefixes used in NAT rules remain unaffected.

  After upgrading to the zone-attached address book configuration:

  • You cannot configure address books using the zone-defined address book configuration format; the CLI displays an error and fails to commit.
  • You cannot configure address books using the J-Web interface.

  For information on how to configure zone-attached address books, see the Junos OS Release 11.4 documentation.

• Use the downgrade script—After upgrading to the zone-attached configuration, if you want to revert to the zone-defined configuration, use the downgrade script available on the Juniper Networks support site. For information on how to configure zone-defined address books, see the Junos OS Release 11.1 documentation.

  Note: Before running the downgrade script, make sure to revert any configuration that uses addresses from the global address book.

Figure 7: Upgrade and Downgrade Scripts for Address Books

Running Upgrade and Downgrade Scripts

• The scripts cannot run unless the configuration on your system has been committed. Thus, if the zone-defined address book and zone-attached address book configurations are present on your system at the same time, the scripts will not run.
• The scripts cannot run when the global address book exists on your system.
• If you upgrade your device to Junos OS Release 11.4 or later and configure logical systems, the master logical system retains any previously configured zone-defined address book configuration. The master administrator can run the address book upgrade script to convert the existing zone-defined configuration to the zone-attached configuration. The upgrade script converts all zone-defined configurations in the master logical system and user logical systems.

  Note: You cannot run the downgrade script on logical systems.

For information about implementing and executing Junos operation scripts, see the Junos OS Configuration and Operations Automation Guide.

Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 12.1X44, 12.1X46, and 12.3X48 are EEOL releases. You can upgrade from Junos OS Release 12.1X44 to Release 12.1X46 or even from Junos OS Release 12.1X44 to Release 12.3X48. However, you cannot upgrade directly from a non-EEOL release that is more than three releases ahead or behind.

To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.

For additional information about how to upgrade and downgrade, see the Installation and Upgrade Guide for Security Devices.

Hardware Requirements

Transceiver Compatibility for SRX Series Devices

We strongly recommend that only transceivers provided by Juniper Networks be used on high-end SRX Series Services Gateways interface modules. Different transceiver types (long-range, short-range, copper, and others) can be used together on multiport SFP interface modules as long as they are provided by Juniper Networks. We cannot guarantee that the interface module will operate correctly if third-party transceivers are used.

Please contact Juniper Networks for the correct transceiver part number for your device.

Related Documentation

• New and Changed Features
• Documentation Updates
• Changes in Behavior and Syntax