Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

What's Changed

Learn about what changed in this release for vSRX.

User Interface and Configuration

  • The xmlns:junos attribute includes the complete software version string (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX and vSRX)—The xmlns:junos namespace string in XML RPC replies includes the complete software version release number, which is identical to the version emitted by the show version command. In earlier releases, the xmlns:junos string includes only partial software version information.

  • Access privileges for request support information command (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series Firewalls, and vSRX Virtual Firewall)—The request support information command is designed to generate system information for troubleshooting and debugging purposes. Users with the specific access privileges maintenance , view , and view-configuration can execute request support information command.

  • Changes to the show system information and show version command output (ACX Series, EX Series, MX Series, QFX Series, SRX Series, and vSRX)—The show system information command output lists the Hostname field first instead of last. The show version command output includes the Family field. The Family field identifies the device family under which the device is categorized, for example, junos, junos-es, junos-ex, or junos-qfx.

    [See show system information and show version.]

VPNs

  • Enhancements to fix the digest option functionality for key pair generated with DSA and ECDSA (SRX Series and vSRX 3.0)–In earlier releases, when you generated local self-signed certificates using sha-256 digest and DSA or ECDSA encryption using request security pki generate-key-pair certificate-id certificate-id-name size size type (dsa | ecdsa) and request security pki local-certificate generate-self-signed certificate-id certificate-id-name digest sha-256 domain-name domain-name subject subject-distinguished-name commands, the generated signature always used sha1 digest. Starting this release, the specified digest, sha-256, is used for the signature digest. You can verify using show security pki local-certificate certificate-id certificate-id-name detail

  • Enhancement to the output of clear and regenerate key pair commands (vSRX 3.0)–We've modified the output of the following commands when you clear and regenerate the same key pair to manage the secure data using hardware security module (HSM).

    Starting in Junos OS 23.4R1 release, the command:

    • clear security pki key-pair certificate-id certificate-id-name displays the message Key pair deleted successfully from the device. Key pair will be purged from the keyvault based on it's own preferences, as opposed to the message Key pair deleted successfully displayed in previous releases.
    • request security pki generate-key-pair certificate-id certificate-id-name displays the message error:Failed to generate key pair. If the keypair was created and deleted before, please ensure that the keypair has been purged from the keyvault as opposed to the message error: Failed to generate key pair displayed in previous releases.

    We made these changes to align with the cloud provider's restriction on key pair deletion, if any.

  • Enhancements to the help string description for the threshold and interval options for VPN monitoring options (SRX Series and vSRX 3.0)–We've enhanced the help string description of the threshold and interval options available in the configuration statement [set security ipsec vpn-monitor-options] to include the default values. You'll see the following description with the default values:

    [See ipsec (Security).]

  • Enhancements to the output of show security ipsec security-associations detail command (SRX Series and vSRX 3.0)–We've enhanced the output of show security ipsec security-associations detail when you enable vpn-monitor at the [edit security ipsec vpn vpn-name] hierarchy level, when your firewall runs IPsec VPN services with the new iked process. The output displays threshold and interval values in the command output. Starting in Junos OS Release 23.4R1, you'll notice these changes.

    [See show security ipsec security-associations.]

  • Reauthentication frequency recommendation for IPsec VPN with PPK (SRX Series and vSRX 3.0)—For IPsec VPN, including the Auto Discovery VPN (ADVPN), with post-quantum pre-shared key (PPK) encryption, when the IKE security association is negotiated with the quantum keys, the iked process performs rekeying after 4 seconds to secure the channel. If you set the reauthentication frequency to 1, rekeying doesn't happen after 4 seconds. So we recommend you to set the reauthentication frequency to more than 1 as the first reauthentication count is used by the PPK default rekey.

    [See Quantum Safe IPsec VPN.]