What's Changed

Learn about what changed in this release for vSRX Virtual Firewall.

J-Web

  • Updated Security Package URL (SRX Series Firewalls and vSRX3.0)—Starting in Junos OS Release 23.4R1, in J-Web, we've updated the security package URL in Device Administration > Security Package Management > URL Categories Settings. You can use this URL to download Juniper NextGen or Juniper Enhanced Web Filtering package.

    [See URL Categories Settings.]

  • Internal SA is now called Internal SA Encryption (SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4600, SRX5400, SRX5800, and vSRX3.0)—Starting in Junos OS Release 23.4R1, in J-Web, we have renamed Internal SA to Internal SA Encryption and Internal SA Keys to Key in Network > VPN > IPsec VPN > Global Settings.

    [See IPsec VPN Global Settings.]

  • Name is now called Identifier (SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4600, SRX5400, SRX5800, and vSRX3.0)—Starting in Junos OS Release 23.4R1, in J-Web, we have renamed Name to Identifier and Network Address to Subnet in Security Services > Firewall Authentication > Address Pools.

    [See About the Address Pools Page.]

  • Address Range is now called Named Address Ranges (SRX Series Firewalls and vSRX3.0)—Starting in Junos OS Release 23.4R1, in J-Web, we have renamed Address Range to Named Address Ranges in Security Services > Firewall Authentication > Address Pools.

    [See About the Address Pools Page.]

  • Routing Instance is now called Source Virtual Router (SRX Series Firewalls and vSRX3.0)—Starting in Junos OS Release 23.4R1, in J-Web, we have renamed Routing Instance to Source Virtual Router and Source Address to Source Interface in Security Services > Firewall Authentication > Access Profile > Create Access Profile > Create Radius Server and Security Services > Firewall Authentication > Access Profile > Create Access Profile > Create LDAP Server.

    [See Add an Access Profile.]

Junos XML API and Scripting

  • XML output tags changed for request-commit-server-pause and request-commit-server-start (ACX Series, EX Series, MX Series, QFX Series, SRX Series, and vSRX)—We've changed the XML output for the request system commit server pause command (request-commit-server-pause RPC) and the request system commit server start command (request-commit-server-start RPC). The root element is <commit-server-operation> instead of <commit-server-information>, and the <output> tag is renamed to <message>.

Network Management and Monitoring

  • NETCONF <copy-config> operations support a file:// URI for copy to file operations (ACX Series, EX Series, MX Series, QFX Series, SRX Series, and vSRX)—The NETCONF <copy-config> operation supports using a file:// URI when <url> is the target and specifies the absolute path of a local file.

    [See <copy-config>.]

VPNs

  • Introduction of extensive option for IPsec security associations (MX Series, SRX Series and vSRX 3.0)—We've introduced the extensive option for the show security ipsec security-associations command. Use this option to display IPsec security associations with all the tunnel events. Use the existing detail option to display up to ten events in reverse chronological order.

    [See show security ipsec security-associations.]

  • On vSRX instances in GCP deployments with cloud-hosted Hardware Security Module (HSM), if you lose GCP HSM connectivity, then the show security hsm status command might take up to 2 minutes to work.

  • Enhancement to the output of clear and regenerate key pair commands (vSRX 3.0)--We’ve modified the output of the following commands when you clear and regenerate the same key pair to manage the secure data using hardware security module (HSM).

    Starting in Junos OS 23.4R1 release, the command:

    • clear security pki key-pair certificate-id certificate-id-name displays the message "Key pair deleted successfully from the device. Key pair will be purged from the keyvault based on it's own preferences", as opposed to the message "Key pair deleted successfully" displayed in previous releases.
    • request security pki generate-key-pair certificate-id certificate-id-name displays the message "error: Failed to generate key pair. If the keypair was created and deleted before, please ensure that the keypair has been purged from the keyvault", as opposed to the message "error: Failed to generate key pair" displayed in previous releases.

    We made these changes to align with the cloud provider’s restriction on key pair deletion, if any.

  • Enhancements to address CA certificate validation failure (SRX Series and vSRX 3.0)–CA certificate validation fails with the Let's Encrypt server when you use the configuration statement set security pki ca-profile ISRG revocation-check crl url, because PKI sends the OCSP request over HTTP 1.0 with the requestorName. We've changed the default behaviour so that the OCSP request is sent using HTTP 1.1 without the requestorName.

    • To send the requestorName when using HTTP 1.1, use the hidden option add-requestor-name-payload at the edit security pki ca-profile ca-profile-name revocation-check ocsp hierarchy level.

    • To send the OCSP request using HTTP 1.0, use the hidden option use-http-1.0 at the edit security pki ca-profile ca-profile-name revocation-check ocsp hierarchy level to ensure backward compatibility.

      [See revocation-check (Security PKI).]

  • Enhancements to the output of show security ipsec security-associations detail command (SRX Series and vSRX 3.0)–We've enhanced the output of show security ipsec security-associations detail when you enable vpn-monitor at the edit security ipsec vpn vpn-name hierarchy level, when your firewall runs IPsec VPN services with the new iked process. The output displays threshold and interval values in the command output. Starting in Junos OS Release 23.4R1, you'll notice these changes.

    [See show security ipsec security-associations.]

  • Modification to the XML tags for show security ipsec commands (SRX Series and vSRX 3.0)–We've changed the XML tags for the following show security ipsec commands.

    | Command | New XML Tag | Old XML Tag |
    |---|---|---|
    | show security ipsec tunnel-events-statistics \| display xml validate | ipsec-tunnel-event-statistics | usp-ipsec-tunnel-event-statistics-information |
    | show security ipsec inactive-tunnels detail \| display xml validate | ipsec-unestablished-tunnel-information | ipsec-security-association-information |

    Starting in Junos OS Release 23.4R1, with the new XML tags, you'll notice that the show security ipsec commands emit valid XML.
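
The XML renames listed under Junos XML API and Scripting and in the show security ipsec table above can leave a monitoring script that matches on the old element names finding nothing after an upgrade. The following Python sketch is an added example, not Juniper code: it accepts either naming and fails loudly on anything else. It assumes the input is the command's own root element with any <rpc-reply> wrapper already removed; the sample replies, their text and the xmlns value are constructed.

```python
import xml.etree.ElementTree as ET

COMMIT = ("commit-server-information", "commit-server-operation", {"output": "message"})
# command -> (old root, 23.4R1 root, child renames), as listed in the notes above.
# Keyed by command: each rename is documented for one command only.
SPEC = {
    "request system commit server pause": COMMIT,
    "request system commit server start": COMMIT,
    "show security ipsec tunnel-events-statistics": (
        "usp-ipsec-tunnel-event-statistics-information",
        "ipsec-tunnel-event-statistics", {}),
    "show security ipsec inactive-tunnels detail": (
        "ipsec-security-association-information",
        "ipsec-unestablished-tunnel-information", {}),
}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree adds to qualified tags."""
    return tag.rsplit("}", 1)[-1]

def normalize(command, xml_text):
    """Return the reply with pre-23.4R1 element names mapped to 23.4R1 names.

    Raises ValueError on an unexpected root so a monitoring job fails loudly
    instead of silently finding no matching elements after an upgrade.
    """
    old_root, new_root, children = SPEC[command]
    root = ET.fromstring(xml_text)
    if local(root.tag) not in (old_root, new_root):
        raise ValueError(f"unexpected root <{local(root.tag)}> for {command!r}")
    for el in root.iter():
        el.tag = children.get(local(el.tag), local(el.tag))
    root.tag = new_root
    return root

def commit_server_message(command, xml_text):
    """Text of <message> (formerly <output>) from a commit-server reply."""
    return normalize(command, xml_text).findtext("message")

# Constructed replies: element names from the notes, text and xmlns invented.
OLD_REPLY = ("<commit-server-information><output>paused</output>"
             "</commit-server-information>")
NEW_REPLY = ('<commit-server-operation xmlns="urn:example:constructed">'
             "<message>paused</message></commit-server-operation>")

if __name__ == "__main__":
    for reply in (OLD_REPLY, NEW_REPLY):
        print(commit_server_message("request system commit server pause", reply))
```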