
What's Changed

Learn about what changed in this release for SRX Series.

Junos XML API and Scripting

  • The xmlns:junos attribute includes the complete software version string (ACX Series, EX Series, MX Series, QFX Series, SRX Series, vMX, and vSRX)—The xmlns:junos namespace string in XML RPC replies includes the complete software version release number, which is identical to the version emitted by the show version command. In earlier releases, the xmlns:junos string includes only partial software version information.

Network Management and Monitoring

  • Changes to the show system yang package (get-system-yang-packages RPC) XML output (ACX Series, EX Series, MX Series, QFX Series, SRX Series, vMX, and vSRX)—The show system yang package command and <get-system-yang-packages> RPC include the following changes to the XML output:

    • The root element is yang-package-information instead of yang-pkgs-info.

    • A yang-package element encloses each set of package files.

    • The yang-pkg-id tag is renamed to package-id.

    • If the package does not contain translation scripts, the Translation Script(s) (trans-scripts) value is none.
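As an added example (not code from the release notes or from Juniper), the following Python reads the release string from the xmlns:junos namespace described under Junos XML API and Scripting and extracts package details from both the old and the new <get-system-yang-packages> layouts, so automation keeps working across the change; the sample replies are constructed, and the pre-change layout is an assumed shape reconstructed only from the description above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample replies (not captured from a device); the pre-change
# layout below is an assumed shape reconstructed from the release note.
NEW_REPLY = """<rpc-reply xmlns:junos="http://xml.juniper.net/junos/23.4R1.9/junos">
  <yang-package-information>
    <yang-package>
      <package-id>example-pkg</package-id>
      <trans-scripts>none</trans-scripts>
    </yang-package>
  </yang-package-information>
</rpc-reply>"""

OLD_REPLY = """<rpc-reply xmlns:junos="http://xml.juniper.net/junos/23.4R1/junos">
  <yang-pkgs-info>
    <yang-pkg-id>example-pkg</yang-pkg-id>
    <trans-scripts>example.slax</trans-scripts>
  </yang-pkgs-info>
</rpc-reply>"""

VERSION_RE = re.compile(r'xmlns:junos="http://xml\.juniper\.net/junos/([^/"]+)/junos"')

def junos_version(reply_xml):
    """Release string from xmlns:junos (ElementTree hides xmlns attributes)."""
    m = VERSION_RE.search(reply_xml)
    if not m:
        raise ValueError("no xmlns:junos namespace in reply")
    return m.group(1)

def yang_packages(reply_xml):
    """[{'package-id': str, 'trans-scripts': [files]}] from either layout."""
    root = ET.fromstring(reply_xml)
    info = root.find("yang-package-information")
    if info is not None:                       # current layout
        pkgs, id_tag = info.findall("yang-package"), "package-id"
    else:                                      # pre-change layout
        info = root.find("yang-pkgs-info")
        if info is None:
            raise ValueError("no YANG package information in reply")
        pkgs, id_tag = [e for e in info.iter() if e.find("yang-pkg-id") is not None], "yang-pkg-id"
    result = []
    for pkg in pkgs:
        scripts = pkg.findtext("trans-scripts", default="none").strip()
        result.append({
            "package-id": pkg.findtext(id_tag, default="").strip(),
            "trans-scripts": [] if scripts == "none" else scripts.split(),  # none = no scripts
        })
    return result
```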

  • NETCONF server's <rpc-error> response changed when <load-configuration> uses operation="delete" to delete a nonexistent configuration object (ACX Series, EX Series, MX Series, QFX Series, SRX Series, vMX, and vSRX)—In an earlier release, we changed the NETCONF server's <rpc-error> response for when an <edit-config> or <load-configuration> operation uses operation="delete" to delete a configuration element that is absent in the target configuration. We've reverted the changes to the <load-configuration> response.

  • Changes to the RPC response for <validate> operations in RFC-compliant NETCONF sessions (ACX Series, EX Series, MX Series, QFX Series, SRX Series, vMX, and vSRX)—When you configure the rfc-compliant statement at the [edit system services netconf] hierarchy level, the NETCONF server emits only an <ok/> or <rpc-error> element in response to <validate> operations. In earlier releases, the RPC reply also includes the <commit-results> element.
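As an added example (not code from the release notes or from Juniper), this Python evaluates a <validate> reply using only <ok/> and <rpc-error>, which are present in both the earlier and the rfc-compliant reply shapes; the three replies are constructed, and the earlier-release shape with <commit-results> is assumed from the description above.

```python
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"

def tag(name):
    return "{%s}%s" % (NC, name)   # Clark notation for the NETCONF base namespace

# Constructed <validate> replies, not captured from a device.
RFC_COMPLIANT_OK = f'<rpc-reply xmlns="{NC}" message-id="1"><ok/></rpc-reply>'

# Earlier-release shape (assumed): <commit-results> precedes <ok/>.
LEGACY_OK = f"""<rpc-reply xmlns="{NC}" message-id="1">
  <commit-results>
    <routing-engine><name>re0</name></routing-engine>
  </commit-results>
  <ok/>
</rpc-reply>"""

VALIDATE_ERROR = f"""<rpc-reply xmlns="{NC}" message-id="1">
  <rpc-error>
    <error-type>protocol</error-type>
    <error-severity>error</error-severity>
    <error-message>constructed: configuration check-out failed</error-message>
  </rpc-error>
</rpc-reply>"""

def validate_result(reply_xml):
    """Return (passed, error_messages) without depending on <commit-results>.

    A script that keyed on <commit-results> breaks on rfc-compliant sessions
    after this change; <ok/> and <rpc-error> exist in both reply shapes."""
    root = ET.fromstring(reply_xml)
    errors = [e.findtext(tag("error-message"), default="").strip()
              for e in root.findall(tag("rpc-error"))]
    if errors:
        return False, errors
    if root.find(tag("ok")) is not None:
        return True, []
    raise ValueError("reply carries neither <ok/> nor <rpc-error>")
```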

Platform and Infrastructure

  • Limited ECDSA Certificate Support with SSL Proxy (SRX Series and vSRX 3.0)—With SSL proxy configured on SRX Series Firewalls and vSRX Virtual Firewalls:

    • ECDSA-based websites with P-384 or P-521 server certificates are not accessible with any root-ca certificate, because the security device supports only the P-256 group.

    • When both an RSA-based root-ca certificate and a P-384 or P-521 ECDSA root-ca certificate are configured, no ECDSA-based websites are accessible: the SSL terminator negotiates with RSA, so the security device sends only RSA ciphers and signature algorithms (sigalgs) to the destination web server during the SSL handshake. To ensure that both ECDSA-based and RSA-based websites are accessible alongside the RSA root certificate, configure a 256-bit ECDSA root certificate.

    • In some scenarios, even when a 256-bit ECDSA root certificate is used in the SSL proxy configuration, ECDSA-based websites with P-256 server certificates are not accessible if the server does not support P-256 groups.

    • In other scenarios, even when a 256-bit ECDSA root certificate is used in the SSL proxy configuration, ECDSA-based websites with P-256 server certificates are not accessible if the server supports sigalgs other than P-256. The issue occurs in hardware offload mode, where signature verification fails. Because hardware offload for ECDSA certificates was introduced in Junos OS Release 22.1R1, the issue does not occur on Junos OS releases prior to 22.1R1. The issue also does not occur if the SSL proxy handles the ECDSA certificate in software.

Routing Policy and Firewall Filters

  • Syslogs to capture commit warning messages related to traffic loss prevention over VPN (SRX Series, vSRX, and NFX Series)—Configuration commit warnings such as the following caused the MGD process to inform the IKED or KMD process about DAX_ITEM_DELETE_ALL, resulting in VPN flaps and outage events:

    • warning: Policy 'traditional' does not contain any dynamic-applications or url-categories but is placed below policies that use them. Please insert policy 'traditional' before your Unified policies

    • warning: Source address or address_set (made_up_address) not found. Please check if it is a SecProfiling Feed

    These warning messages are now captured by syslog to prevent traffic loss over VPN. We recommend that you resolve these syslog warnings to prevent major outages.

Software Installation and Upgrade

  • New options for the request system snapshot command (ACX Series, EX Series, MX Series, QFX Series, and SRX Series)—The request system snapshot command includes new options for non-recovery snapshots. You can include the name option to specify a user-defined name for the snapshot, and you can include the configuration or no-configuration option to include or exclude configuration files in the snapshot. By default, the snapshot saves the configuration files, which include the contents of the /config and /var directories and certain SSH files.

    [See request system snapshot (Junos OS with Upgraded FreeBSD).]

VPNs

  • Enhancements to the output of local certificate ID verification when an intermediate CA certificate is deleted (SRX Series Firewalls, vSRX Virtual Firewall, and cSRX)—For devices running the PKID process, we've changed the output of the request security pki local-certificate verify command when an intermediate CA certificate is deleted. The output now displays local certificate hub_cert1 verification failed. Cannot build cert chain.

    [See request security pki local-certificate verify (Security).]

  • Enhancements to alternate subject name in the output of the show security pki local-certificate command (SRX Series Firewalls, vSRX 3.0)—A certificate with multiple FQDNs now displays all related domains, IPv4 or IPv6 addresses, and email addresses in the Alternate subject field. These enhancements appear in the output of the show security pki local-certificate command. Earlier, the command output displayed only the last FQDN.

    [See show security pki local-certificate (View).]