What's Changed
Learn about what changed in this release for SRX Series Firewalls.
Content Security
- Avira antivirus scanning mode supported on SRX1600 device (SRX1600)—The SRX1600 device supports Avira antivirus scanning in light mode only; it does not support heavy mode. Therefore, we've removed the onbox-av-load-flavor statement at the [edit chassis] hierarchy level for the SRX1600 device.
- URL check operational command update (SRX Series)—Starting in Junos OS Release 23.4R1, use the test security utm web-filtering url-check command to check the category and reputation of a URL. In earlier releases, the test security utm enhanced-web-filtering url-check command was used for this check.
J-Web
- Updated Security Package URL (SRX Series Firewalls and vSRX3.0)—Starting in Junos OS Release 23.4R1, in J-Web, we've updated the security package URL in Device Administration > Security Package Management > URL Categories Settings. You can use this URL to download the Juniper NextGen or Juniper Enhanced Web Filtering package. [See URL Categories Settings.]
- Internal SA is now called Internal SA Encryption (SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4600, SRX5400, SRX5800, and vSRX3.0)—Starting in Junos OS Release 23.4R1, in J-Web, we have renamed Internal SA to Internal SA Encryption and Internal SA Keys to Key in Network > VPN > IPsec VPN > Global Settings. [See IPsec VPN Global Settings.]
- Name is now called Identifier (SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4600, SRX5400, SRX5800, and vSRX3.0)—Starting in Junos OS Release 23.4R1, in J-Web, we have renamed Name to Identifier and Network Address to Subnet in Security Services > Firewall Authentication > Address Pools. [See About the Address Pools Page.]
- Address Range is now called Named Address Ranges (SRX Series Firewalls and vSRX3.0)—Starting in Junos OS Release 23.4R1, in J-Web, we have renamed Address Range to Named Address Ranges in Security Services > Firewall Authentication > Address Pools. [See About the Address Pools Page.]
- Routing Instance is now called Source Virtual Router (SRX Series Firewalls and vSRX3.0)—Starting in Junos OS Release 23.4R1, in J-Web, we have renamed Routing Instance to Source Virtual Router and Source Address to Source Interface in Security Services > Firewall Authentication > Access Profile > Create Access Profile > Create Radius Server and in Security Services > Firewall Authentication > Access Profile > Create Access Profile > Create LDAP Server. [See Add an Access Profile.]
Junos XML API and Scripting
- XML output tags changed for request-commit-server-pause and request-commit-server-start (ACX Series, EX Series, MX Series, QFX Series, SRX Series, and vSRX)—We've changed the XML output for the request system commit server pause command (request-commit-server-pause RPC) and the request system commit server start command (request-commit-server-start RPC). The root element is <commit-server-operation> instead of <commit-server-information>, and the <output> tag is renamed to <message>.
Network Management and Monitoring
- NETCONF <copy-config> operations support a file:// URI for copy-to-file operations (ACX Series, EX Series, MX Series, QFX Series, SRX Series, and vSRX)—The NETCONF <copy-config> operation supports a file:// URI when <url> is the target; the URI specifies the absolute path of a local file. [See <copy-config>.]
User Interface and Configuration
- Viewing files with the file compare files command requires users to have maintenance permission—The file compare files command in Junos OS and Junos OS Evolved requires a user to have a login class with maintenance permission. [See Login Classes Overview.]
VPNs
- Invalid kmd-instance option when iked is enabled for IPsec VPNs (SRX Series)—In Junos OS Release 23.4R1, we have removed the kmd-instance option when you enable the iked process using the junos-iked package for running IPsec VPN features. This option applies only when the kmd process runs the IPsec VPN features.
- Options related to FPC, PIC, and KMD instance are invalid in the show security ike sa command with the IKED process (SRX Series)—With the junos-ike package installed for running IPsec VPN using the IKED process, the fpc, pic, and kmd-instance options are not shown in the show security ike security-associations hierarchy. These options are invalid and removed from the CLI starting in Junos OS Release 23.4R1. This means you cannot use the show security ike sa fpc 0 pic 0 command with IPsec VPN running the IKED process on your SRX Series Firewall.
- Enhancements to IKE configuration management for clearing IKE stats on the secondary node (SRX Series)—In earlier Junos OS releases, in chassis cluster mode, the IKE configuration management (IKEMD) process did not respond to management requests on the secondary node. The clear security ike stats command failed with the error message error: IKE-Config-Management not responding to management requests on the secondary node. Starting in Junos OS Release 22.4R3, the command runs successfully without the error on the secondary node.
- Introduction of the extensive option for IPsec security associations (MX Series, SRX Series, and vSRX 3.0)—We've introduced the extensive option for the show security ipsec security-associations command. Use this option to display IPsec security associations with all the tunnel events. Use the existing detail option to display up to ten events in reverse chronological order.
- Enhancements to address CA certificate validation failure (SRX Series and vSRX 3.0)—For CA certificates, certificate validation fails with the Let's Encrypt server when using the configuration statement set security pki ca-profile ISRG revocation-check crl url, because PKI sends the OCSP request over HTTP 1.0 with the requestorName. We have changed the default behavior to send the OCSP request over HTTP 1.1 without the requestorName.
  - To send the requestorName when using HTTP 1.1, use the hidden option add-requestor-name-payload at the [edit security pki ca-profile ca-profile-name revocation-check ocsp] hierarchy level.
  - To send the OCSP request using HTTP 1.0, use the hidden option use-http-1.0 at the [edit security pki ca-profile ca-profile-name revocation-check ocsp] hierarchy level to ensure backward compatibility.
- Enhancements to the IKE configuration management commands in chassis cluster (SRX Series)—In earlier Junos OS releases, in chassis cluster mode, the following commands failed with the error message error: IKE-Config-Management not responding to management requests on the secondary node:
  - show security ike statistics
  - show security ike sa ha-link-encryption
  - show security ipsec sa ha-link-encryption
  - show security ipsec inactive-tunnels ha-link-encryption
  - clear security ike sa ha-link-encryption
  - clear security ipsec sa ha-link-encryption
  Run these commands only on the primary node, not on the secondary node. Starting in Junos OS Release 23.4R1, the secondary node no longer returns the error message, because it has no output to display.
- Enhancements to the output of the show security ipsec security-associations detail command (SRX Series and vSRX 3.0)—Starting in Junos OS Release 23.4R1, we've enhanced the output of show security ipsec security-associations detail when you enable vpn-monitor at the [edit security ipsec vpn vpn-name] hierarchy level and your firewall runs IPsec VPN services with the new iked process. The output now displays the threshold and interval values.
- Modification to the XML tags for show security ipsec commands (SRX Series and vSRX 3.0)—We've changed the XML tags for the following show security ipsec commands:
  - show security ipsec tunnel-events-statistics | display xml validate: new XML tag ipsec-tunnel-event-statistics (old tag usp-ipsec-tunnel-event-statistics-information)
  - show security ipsec inactive-tunnels detail | display xml validate: new XML tag ipsec-unestablished-tunnel-information (old tag ipsec-security-association-information)
  Starting in Junos OS Release 23.4R1, with the new XML tags, these show security ipsec commands emit valid XML.
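Automation that parses these replies has to cope with both the old and the new tag names while a fleet is mixed between releases. The following is an added example, not code from the release notes or from Juniper, covering both the commit-server RPC rename (Junos XML API and Scripting, above) and the show security ipsec tag changes in this item. The rename table holds exactly the tags the release notes list; the renames are keyed by command so that ipsec-security-association-information is rewritten only for the inactive-tunnels output, where the notes say it changed, and not for other commands that may still use it. The reply snippets in the usage are constructed to show the shape and are not captured device output.

```python
"""Parse Junos RPC replies across the 23.4R1 XML tag renames.

Added example, not Juniper code.  Tag names come from the release notes;
any XML used to exercise the functions is constructed, not device output.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Per command: old tag -> new (23.4R1) tag.  Keyed by command so that a rename
# is applied only to the output the release notes say changed.
TAG_RENAMES: Dict[str, Dict[str, str]] = {
    "request system commit server pause": {
        "commit-server-information": "commit-server-operation",
        "output": "message",
    },
    "request system commit server start": {
        "commit-server-information": "commit-server-operation",
        "output": "message",
    },
    "show security ipsec tunnel-events-statistics": {
        "usp-ipsec-tunnel-event-statistics-information": "ipsec-tunnel-event-statistics",
    },
    "show security ipsec inactive-tunnels detail": {
        "ipsec-security-association-information": "ipsec-unestablished-tunnel-information",
    },
}


def _local_name(tag: str) -> str:
    """Strip ElementTree's '{namespace}' prefix; Junos commonly emits a per-element xmlns."""
    return tag.rsplit("}", 1)[-1]


def normalize_reply(command: str, xml_text: str) -> ET.Element:
    """Parse the reply to `command` and rewrite pre-23.4R1 tag names to the new ones.

    Tags are compared by local name and the namespace prefix is dropped, so
    callers see a single tag set whatever release produced the reply.
    Unknown commands are parsed unchanged apart from namespace stripping.
    """
    renames = TAG_RENAMES.get(command, {})
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        name = _local_name(elem.tag)
        elem.tag = renames.get(name, name)
    return root


def commit_server_message(xml_text: str) -> Optional[str]:
    """Return the commit-server message text from either the old or the new reply shape."""
    root = normalize_reply("request system commit server pause", xml_text)
    if root.tag != "commit-server-operation":
        return None
    msg = root.find("message")
    return msg.text if msg is not None else None


if __name__ == "__main__":
    # Constructed replies (text and xmlns are placeholders, not device output).
    old_style = "<commit-server-information><output>paused</output></commit-server-information>"
    new_style = ('<commit-server-operation xmlns="urn:example:constructed">'
                 "<message>paused</message></commit-server-operation>")
    print(commit_server_message(old_style), commit_server_message(new_style))
```

Because the rename map is per command, a reply to show security ipsec security-associations keeps its root tag even though the same local name is renamed for the inactive-tunnels output; keying the map on the tag alone would silently corrupt that case.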