What's Changed
Learn about what changed in this release for SRX Series.
EVPN
- Flow-label configuration status for EVPN ELAN services. The output for the show evpn instance extensive command now displays the flow-label and flow-label-static operational status for a device and not for the routing instances. A device with flow-label enabled supports flow-aware transport (FAT) flow labels and advertises its support to its neighbors. A device with flow-label-static enabled supports FAT flow labels but does not advertise its capabilities.
High Availability
- In Junos OS releases before 22.4R1, when an SRG changed into the Ineligible state due to a control-plane failure, a system reboot was required to recover the SRG. Starting in Junos OS Release 22.4R1, the system reboot is not required to recover the SRG; you can restart the control plane process by using the restart ike-key-management command.
- Starting in Junos OS Release 22.4R1, you can associate IPsec VPN services to one of the multiple service redundancy groups (SRGs) configured on SRX Series firewalls in Multinode High Availability.
Releases before 22.4R1 supported only SRG0 and SRG1, and SRG1 was associated to IPsec VPN by default. In 22.4R1, SRG1 is not associated to the IPsec VPN service by default. You must associate the IPsec VPN service to any of the SRGs by specifying the following statement:
[edit]
user@host# set chassis high-availability services-redundancy-group srg-number managed-services ipsec
[See Multinode High Availability.]
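An added example (not Juniper's code): a check, in Python, that reads a configuration in set format and reports whether any active SRG carries the managed-services ipsec statement described above. The sample configuration is constructed, and two things are assumptions of this example: that deactivate lines mark a path inactive, and that a set security ipsec vpn statement means IPsec VPN is in use.

```python
import re

# Path form of the statement in the release note (after the leading "set ").
SRG_RE = re.compile(
    r"^chassis high-availability services-redundancy-group (\d+)(?: (.+))?$")

def audit_srg_ipsec(set_config):
    """Flag Multinode HA configs whose IPsec VPNs have no SRG association."""
    lines = [" ".join(l.split()) for l in set_config.splitlines()]
    # Assumption: 'deactivate <path>' makes <path> and everything under it inactive.
    inactive = [l[len("deactivate "):] for l in lines
                if l.startswith("deactivate ")]

    def is_active(path):
        return not any(path == d or path.startswith(d + " ") for d in inactive)

    srgs, ipsec_srgs, has_vpn = set(), set(), False
    for line in lines:
        if not line.startswith("set ") or not is_active(line[4:]):
            continue
        path = line[4:]
        if path.startswith("security ipsec vpn "):
            has_vpn = True
        m = SRG_RE.match(path)
        if m:
            srgs.add(int(m.group(1)))
            if m.group(2) == "managed-services ipsec":
                ipsec_srgs.add(int(m.group(1)))
    return {
        "srgs": sorted(srgs),
        "ipsec_srgs": sorted(ipsec_srgs),
        "has_ipsec_vpn": has_vpn,
        # True when VPNs and SRGs exist but no active SRG manages IPsec.
        "needs_association": has_vpn and bool(srgs) and not ipsec_srgs,
    }

# Constructed sample in set format (not taken from a real device).
SAMPLE = """\
set chassis high-availability services-redundancy-group 1 deployment-type routing
set chassis high-availability services-redundancy-group 1 activeness-priority 200
set chassis high-availability services-redundancy-group 2 managed-services ipsec
deactivate chassis high-availability services-redundancy-group 2
set security ipsec vpn BRANCH-VPN ike gateway BRANCH-GW
"""

if __name__ == "__main__":
    print(audit_srg_ipsec(SAMPLE))
```

Here the only SRG with managed-services ipsec is deactivated, so the result reports needs_association as true until an active SRG is given the statement.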
Network Management and Monitoring
- Junos YANG modules for RPCs include the junos:command extension statement (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—The Junos YANG modules that define RPCs for operational mode commands include the junos:command extension statement in schemas emitted with extensions. The statement defines the CLI command for the corresponding RPC. The Juniper yang GitHub repository stores the RPC schemas with extensions in the rpc-with-extensions directory for the given release and device family. Additionally, when you configure the emit-extensions statement at the [edit system services netconf yang-modules] hierarchy level and generate the YANG schemas on the local device, the YANG modules for RPCs include the junos:command extension statement.
Platform and Infrastructure
- from-zone and to-zone are optional when policy match is done for global policies (SRX Series)—When you use match criteria to troubleshoot traffic problems for global policies, from-zone and to-zone need not be provided while performing the policy match.
[See show security match-policies.]
- Time zone support for local certificate verification (SRX1500 and SRX5600)—Starting in this release, when the local certificate verification fails, you can see the time zone for the failed local certificate in the command output and system log messages.
User Interface and Configuration
- Changes to the JSON encoding of configuration data for YANG leaf nodes of type identityref (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—If a YANG leaf node is type identityref, Junos devices emit the namespace-qualified form of the identity in the JSON encoding of that node. In addition, Junos devices accept both the simple (no namespace) and the namespace-qualified form of an identity in JSON configuration data. In earlier releases, Junos devices emit and accept only the simple form of an identity. Emitting and accepting the namespace-qualified identity ensures that the device can properly resolve the value in the event that the YANG data model defines an identity and a leaf node containing the identityref value in different modules.
- The file copy command supports only text-formatted output in the CLI (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—The file copy command does not emit output when the operation is successful and supports only text-formatted output when an error occurs. The file copy command does not support using the | display xml filter or the | display json filter to display command output in XML or JSON format in any release. We've removed these options from the CLI.
VPNs
- Removal of power mode IPsec Intel QAT option in IPsec VPN (SRX Series)—We have removed the option power-mode-ipsec-qat at the [edit security flow] hierarchy level from Junos CLI for display. This option is now hidden as it is not recommended to be configured with multiple IPsec VPN tunnels. We continue to use AES-NI in PMI mode for better performance than QAT.