Release Notes: Junos® OS Release 12.1X47-D10 for the SRX Series
Release 12.1X47-D10
17 September 2014
Revision 3
Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
New and Changed Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Hardware Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Software Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Application Identification and Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Chassis Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Dynamic Host Configuration Protocol (DHCP) . . . . . . . . . . . . . . . . . . . . . . 7
Flow-Based and Packet-Based Processing . . . . . . . . . . . . . . . . . . . . . . . . 7
General Packet Radio Service (GPRS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Layer 2 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Public Key Infrastructure (PKI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Unified Threat Management (UTM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Changes in Behavior and Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Application Identification and Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Chassis Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Flow-Based and Packet-Based Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Intrusion Detection Prevention (IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Network Time Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Copyright © 2014, Juniper Networks, Inc.
Known Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Application Identification and Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
CLI and J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Dynamic Host Configuration Protocol (DHCP) . . . . . . . . . . . . . . . . . . . . . . . . 23
Flow-Based and Packet-Based Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
General Packet Radio Service (GPRS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Integrated User Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Intrusion Detection and Prevention (IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
IP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
TCP-Based DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Upgrade and Downgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Application Identification and Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Chassis Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Dynamic Host Configuration Protocol (DHCP) . . . . . . . . . . . . . . . . . . . . . . . . 29
Flow-Based and Packet-Based Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
General Packet Radio Service (GPRS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Interfaces and Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Intrusion Detection and Prevention (IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Platform and Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Resolved Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Application Layer Gateways (ALGs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Authentication and Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Chassis Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Dynamic Host Configuration Protocol (DHCP) . . . . . . . . . . . . . . . . . . . . . . . . 36
Flow-Based and Packet-Based Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
General Packet Radio Service (GPRS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Interfaces and Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Intrusion Detection and Prevention (IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Platform and Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Unified Threat Management (UTM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Documentation Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Documentation Updates for the Junos OS Software Documentation . . . . . . 47
IDP Policies Feature Guide for Security Devices . . . . . . . . . . . . . . . . . . . . 47
Multicast Feature Guide for Security Devices . . . . . . . . . . . . . . . . . . . . . . 48
Various Guides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Junos OS 12.1X47 Release Notes
Migration, Upgrade, and Downgrade Instructions . . . . . . . . . . . . . . . . . . . . . . . . . 50
End-of-Life Announcement for J Series devices and the low-Memory
Versions of SRX100 and SRX200 Lines . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Upgrading and Downgrading Among Junos OS Releases . . . . . . . . . . . . . . . . 51
Upgrading an AppSecure Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Network and Security Manager Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Upgrade and Downgrade Scripts for Address Book Configuration . . . . . . . . . 53
About Upgrade and Downgrade Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Running Upgrade and Downgrade Scripts . . . . . . . . . . . . . . . . . . . . . . . . 54
Upgrade and Downgrade Support Policy for Junos OS Releases . . . . . . 55
Upgrade Policy for Junos OS Extended End-Of-Life Releases . . . . . . . . 55
Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Transceiver Compatibility for SRX Series Devices . . . . . . . . . . . . . . . . . . 56
Product Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Hardware Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Third-Party Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Finding More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Revision History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Introduction
Junos OS runs on the following Juniper Networks® hardware: ACX Series, EX Series, M Series, MX Series, PTX Series, QFabric, QFX Series, SRX Series, and T Series.
These release notes accompany Junos OS Release 12.1X47-D10 for the SRX Series. They
describe new and changed features, known behavior, and known and resolved problems
in the hardware and software.
You can also find these release notes on the Juniper Networks Junos OS Documentation
webpage, located at https://www.juniper.net/techpubs/software/junos/.
New and Changed Features
This section describes the new features and enhancements to existing features in Junos
OS Release 12.1X47-D10 for the SRX Series.
• Hardware Features on page 4
• Software Features on page 5
Hardware Features
Interfaces and Chassis
• MIC with twenty 1-Gigabit Ethernet SFP ports (SRX-MIC-20GE-SFP) [SRX5400, SRX5600, SRX5800]—MICs install into MPCs to add different combinations of Ethernet interfaces to your services gateway to suit the specific needs of your network. The SRX-MIC-20GE-SFP can be installed in an MPC to add twenty 1-Gigabit Ethernet small form-factor pluggable (SFP) ports.
You can install up to two MICs in the slots in each MPC. The SRX-MIC-20GE-SFP is hot-pluggable: you can remove and replace the MIC without powering off the services gateway, but the routing functions of the system are interrupted while the MIC is removed.
[See MIC with 20x1GE SFP Interfaces (SRX-MIC-20GE-SFP).]
• Support for SFP+ 10-Gigabit and QSFP+ 40-Gigabit Ethernet transceivers [SRX5400, SRX5600, SRX5800]—The following transceivers are supported:
Transceiver Model   Description                                                                          Supported Card Model
SRX-SFPP-10G-LR     SFP+ 10GBASE-LR Gigabit Ethernet optic module, 1310 nm, for up to 10 km              SRX-MIC-10XG-SFPP
                    transmission on single-mode fiber (SMF) cable
SRX-QSFP-40G-LR4    QSFP+ 40GBASE-LR4 Gigabit Ethernet single-mode optic module, 1310 nm, for up to     SRX-MIC-2X40G-QSFP
                    10 km transmission on single-mode fiber (SMF) cable
Software Features
Application Identification and Tracking
• Application-level distributed denial of service [SRX Series]—As announced in Junos
OS Release 12.1X46-D10, application-level distributed denial of service is being
deprecated in Junos OS Release 12.1X47-D10. This feature will be removed in a future
release per the Juniper Networks deprecation process. As a replacement product for
this feature, we recommend that you migrate to the Juniper Networks DDoS Secure
product line. For more details, contact your sales engineer.
• Default trusted CA certificates for SSL forward proxy [High-end SRX Series]—SSL forward proxy uses trusted CA certificates to authenticate the servers it connects to on behalf of clients. Junos OS now provides a default list of trusted CA certificates that you can load onto the system with the default option of the load command. Alternatively, you can continue to use the CA profile feature to define your own list of trusted CA certificates and import them onto the system.
[See Services Offloading Overview.]
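How the default bundle is loaded and then referenced from an SSL forward proxy profile, as an added configuration example that is not part of the release notes. The CA group name (trusted-default), the profile name (fwd-proxy), and the root CA certificate ID (ssl-proxy-root, assumed to be already generated on the device) are illustrative assumptions.

```junos
# Operational mode: load the Junos-supplied default trusted CA list into a
# CA profile group. The group name "trusted-default" is an assumption.
request security pki ca-certificate ca-profile-group load ca-group-name trusted-default filename default

# Configuration mode: the forward proxy needs the root CA it re-signs server
# certificates with ("ssl-proxy-root" is assumed to exist) and a trusted-CA
# reference used to authenticate the real servers.
set services ssl proxy profile fwd-proxy root-ca ssl-proxy-root
set services ssl proxy profile fwd-proxy trusted-ca all
set services ssl proxy profile fwd-proxy actions log all

# Do NOT add this in production: it lets the proxy accept servers whose
# certificate fails validation, which defeats the point of a trusted CA list.
# delete services ssl proxy profile fwd-proxy actions ignore-server-auth-failure

# Verify that the group's CA certificates are present
show security pki ca-certificate | match trusted-default
```

The trusted-ca all setting trusts every CA profile on the box, including any you imported yourself; if only the default bundle should be trusted, list the specific profile names instead.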
• Next-generation application identification [SRX100H2, SRX110H2-VA, SRX110H2-VB, SRX210HE2, SRX210HE2-POE, SRX220H2, SRX220H2-POE, SRX240H2, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800]—Next-generation application identification recognizes Web-based and other applications and protocols at different network layers using characteristics other than port number.
With next-generation application identification, applications are identified by using a
downloadable protocol bundle containing application signatures and parsing
information. Here, identification is based on protocol behavior and session management.
Next-generation application identification builds on the legacy application identification
functionality and provides more effective detection capabilities for evasive applications
such as Skype, BitTorrent, and Tor. It improves the accuracy of existing applications,
enables dynamic update of the detector engine without requiring Junos OS code
upgrade, and increases the application count to around 2900.
[See Application Identification Feature Guide for Security Devices.]
• Next-generation application identification predefined signatures [SRX100H2, SRX110H2-VA, SRX110H2-VB, SRX210HE2, SRX210HE2-POE, SRX220H2, SRX220H2-POE, SRX240H2, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800]—Next-generation application identification replaces the previously implemented pattern-based matching technology and the per-application signature constructs. The new detection mechanism has its own data feed and constructs to identify applications. It no longer generates nested applications; what were previously nested applications are treated as normal applications.
[See Application Identification Feature Guide for Security Devices.]
Chassis Cluster
• Autorecovery of fabric link [SRX Series]—The fabric link feature supports autorecovery, which includes the following enhancements:
• Fabric monitoring feature is enabled by default on high-end SRX Series, and hence
recovery of fabric link and synchronization takes place automatically.
• If the fabric link goes down, RG1+ becomes ineligible on either the secondary node
or the node with failures, by default. The node remains in this state until the fabric
link comes up or the other node goes away.
• If the fabric link goes down followed by the control link, then after approximately 66
seconds the secondary node (or the node with failures) assumes that the remote
node is dead and takes over as the primary node.
[See Understanding Chassis Cluster Fabric Links.]
• Enhanced debugging support for chassis cluster [SRX Series]—The chassis cluster
debugging functionality has the following enhancements:
• The show chassis cluster status command output includes failure reasons (acronyms and their expansions) when the redundancy group's priority is zero.
• The jsrpd process logs less noise: unwanted log messages are removed and debug messages are moved from level LOG_INFO to LOG_DEBUG.
• The show chassis cluster information command output displays redundancy group,
LED, and monitored failure details.
• SNMP traps send messages when a node's weight goes down and also when it
recovers.
• The show chassis cluster ip-monitoring command output displays both the global
threshold and the current threshold of each node and displays the weight of each
monitored IP address.
• A system log message appears when the control link goes down.
[See show chassis cluster ip-monitoring status.]
• In-service software upgrade (ISSU) progress display [High-end SRX Series]—ISSU supports a progress indicator. During an upgrade, you can see how far the ISSU has progressed and the time expected to complete the current step. To view the progress, use the show chassis cluster information issu command at the console. In addition, you can monitor real-time ISSU progress through a new session that collects, reports, and displays cold synchronization status on the SPUs.
[See Understanding the Low-Impact ISSU Process on Devices in a Chassis Cluster.]
• NTP time synchronization in chassis cluster [SRX Series]—Network Time Protocol
(NTP) is used to synchronize the time between the Packet Forwarding Engine and the
Routing Engine in a standalone device and between two devices in a chassis cluster.
In standalone device and chassis cluster mode, the primary Routing Engine runs the
NTP process to get the time from the external NTP server. The secondary Routing
Engine uses NTP to get the time from the primary Routing Engine. On both standalone
devices and clusters, the Packet Forwarding Engine uses NTP to get the time from the
local Routing Engine.
[See Chassis Cluster Feature Guide for Security Devices.]
• Sync backup node configuration from primary node [SRX Series]—Chassis cluster
supports automatic configuration synchronization. When a secondary node joins a
standalone primary node and a chassis cluster is formed, the primary node configuration
is copied and applied to the secondary node. This enhancement saves the user from
spending time on manual copying of the configuration on both nodes.
[See SRX Series Chassis Cluster Configuration Overview.]
• TCP support for DNS [SRX Series]—Prior to Junos OS Release 12.1X47-D10, DNS resolution was performed with UDP as the only transport. A DNS message carried over UDP is limited to 512 bytes; a longer response is truncated and the truncation (TC) bit is set in the header. The maximum length of a UDP DNS response message is 512 bytes, whereas a TCP DNS response message can be up to 65,535 bytes. When the resolver sees the TC bit set in the header, it knows the response is incomplete and retries the query over TCP.
[See Reconnaissance Deterrence Feature Guide for Security Devices.]
Dynamic Host Configuration Protocol (DHCP)
• DHCP server and DHCP client [SRX Series]—The DHCP server and DHCP client include
chassis cluster support for high-end SRX Series devices in addition to branch SRX
Series devices.
[See Administration Guide for Security Devices.]
Flow-Based and Packet-Based Processing
• LAG support in services-offload mode [High-end SRX Series]—LAGs are supported
in services-offload mode. LAG combines links and provides increased bandwidth and
link availability. Services offloading reduces packet latency by processing and forwarding
packets in the network processor instead of in the SPU. Supporting aggregation of
links in the services-offload mode combines the benefits of both these features and
provides enhanced throughput, link redundancy, and reduced packet latency.
[See Services Offloading Overview.]
• Services offloading [SRX5600 and SRX5800]—The following services offloading
features are supported:
• Per-wing statistics counters
• Services-offload traffic across different network processors
• End-to-end debugging in services-offload mode
[See Services Offloading Overview and Example: Configuring an NPC on SRX3000 Line
Devices or SRX1400 Devices to Support Services Offloading.]
General Packet Radio Service (GPRS)
• SCTP IPv6 support [High-end SRX Series]—The SCTP module allows you to configure
the SCTP profile with an IPv6 address and then process the IPv6 traffic. The SCTP
module checks every extension header until it finds the SCTP header and then processes
the SCTP header and ignores all the other headers.
An SCTP endpoint can be a multihomed host with either all IPv4 addresses or all IPv6
addresses. An SCTP endpoint also supports NAT-PT in two directions, from an IPv4
address format to an IPv6 address format, and vice versa.
[See General Packet Radio Service Feature Guide for Security Devices.]
• SCTP multichunk inspection [High-end SRX Series]—The SCTP firewall checks all chunks in a message and then permits or drops the packet based on the policy. You can enable SCTP multichunk inspection, or disable it so that only the first chunk is checked. If a data chunk is not allowed to pass through the SCTP
profile because of protocol blocking or rate limiting, the SCTP firewall resets this chunk
to a null PDU and continues to check the next chunk. If all chunks in a packet are null
PDUs, the SCTP firewall drops the packet.
[See General Packet Radio Service Feature Guide for Security Devices.]
Interfaces and Chassis
• Promiscuous mode support on the SRX5K-MPC [SRX5400, SRX5600,
SRX5800]—Promiscuous mode function is supported on the SRX5000 line MPC
(SRX5K-MPC) on 1-Gigabit, 10-Gigabit, 40-Gigabit, and 100-Gigabit Ethernet interfaces
on the MICs.
By default, an interface enables MAC filtering. You can configure promiscuous mode
on the interface to disable MAC filtering. When you delete the promiscuous mode
configuration, the interface will perform MAC filtering again. You can change the MAC
address of the interface even when the interface is operating in promiscuous mode.
When the interface is operating in normal mode again, the MAC filtering function on
MPC uses the new MAC address to filter packets.
[See Understanding Promiscuous Mode on Ethernet Interfaces.]
J-Web
• Improved browser support for J-Web [SRX Series]—J-Web is enhanced to support Microsoft Internet Explorer versions 8.0, 9.0, and 10.0, Mozilla Firefox version 23 and later, and Google Chrome version 28 and later, providing cross-platform browser compatibility.
The following table shows the browser support for the J-Web application.
Table 1: Browser Compatibility on SRX Series Devices
Device: SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800
Application: J-Web
Supported Browsers:
• Microsoft Internet Explorer version 8.0, 9.0, and 10.0
• Mozilla Firefox version 23+
• Google Chrome version 28+
Recommended Browser: Mozilla Firefox version 23+
• J-Web support for chassis cluster wizard [SRX Series]—A new J-Web wizard is
introduced to support chassis clustering. J-Web provides a step-by-step wizard that
assists in setting up chassis cluster with a default basic configuration.
• J-Web UI improvements [SRX Series]—The J-Web user interface is improved for better
usability.
The following navigational changes are made to the Configuration tab:
• Additional filter options are enabled on the Interface Configuration page.
• Layout of the Zones and Screens page is enhanced.
• A few menu items are renamed for clarity.
• New buttons are introduced for launching wizards.
• Application tracking (previously on the Security Logging page) is moved to the
Application Tracking Configuration page.
The Dashboard tab includes a link for setting the rescue configuration.
Layer 2 Features
• Layer 2 transparent mode support on the SRX5K-MPC [SRX5400, SRX5600,
SRX5800]—Layer 2 transparent mode is supported on the SRX5000 line MPC
(SRX5K-MPC).
When the SRX5K-MPC is operating in Layer 2 mode, you can configure all interfaces
on the SRX5K-MPC as Layer 2 bridging ports to support Layer 2 traffic.
The SPU supports all security services for Layer 2 bridging functions, and the MPC
delivers the ingress packets to the SPU and forwards the egress packets that are
encapsulated by the SPU to the outgoing interfaces.
[See Layer 2 Bridging and Transparent Mode Overview.]
Multicast
• Layer 3 multicast functionality on the SRX5K-MPC [SRX5400, SRX5600, and
SRX5800]—Layer 3 multicast functionality is supported on the SRX5000 line MPC
(SRX5K-MPC).
The SRX5K-MPC collaborates with the Routing Engine, central point, and SPU to
support the following Layer 3 multicast functionality:
• Supports IP multicast routing protocols for forwarding multicast traffic
• Establishes and coordinates operations between multicast shared trees and
shortest-path tree (SPT)
• Forwards and receives IP multicast traffic
[See Multicast Feature Guide for Security Devices.]
Network Address Translation (NAT)
• Increased IP address pool limit [SRX5400, SRX5600, and SRX5800]—This feature
is only supported on SRX5000 line with the SPC II (SRX5K-SPC-4-15-320). This feature
increases the maximum number of IP addresses for NAT bindings to 1,000,000 from
12,000. When using more than 12,000 IP addresses, configure the twin port range to
limit the number of ports.
• Port block allocation [High-end SRX Series]—This feature allocates ports to subscribers in blocks and generates a log entry when a block is allocated or released, instead of one entry per session, which greatly reduces log volume. Deterministic port block allocation maps a subscriber's internal IP address to an external address and port block using a predefined algorithm, so the subscriber can be identified from the translated address and port without any per-session log.
To configure port block allocation, include the block-size, max-blocks-per-host, block-active-timeout, and log statements at the [edit security nat source pool pool-name port block-allocation] hierarchy level.
To configure deterministic port block allocation, include the block-size and host statements at the [edit security nat source pool pool-name port deterministic] hierarchy level.
• Source and destination NAT rule application [SRX Series]—The rule match criteria
for source and destination NAT includes a new application option. This option enables
you to configure up to 3072 application terms per rule. In addition, you can configure
up to 8 single destination ports or port ranges with the rule match destination-port
option. Previously, you could configure only a single port or port range.
[See match (Security Destination NAT) and match (Security Source NAT).]
• Twin port configuration [SRX5400, SRX5600, and SRX5800]—This feature lets you
configure the twin port range for source NAT pools to avoid port overloading. The
maximum number of translation ports is 384 million. The default twin port range is
2048, which accommodates 12,000 IP addresses.
To set the global default twin port range for all source pools, use the set security nat
source pool-default-twin-port-range low to high statement.
To set the twin port range for a specific pool, use the set security nat source pool
pool-name port range twin-port low to high statement.
NOTE: If the twin port range is configured for a smaller range, then attackers can more easily predict the translated port.
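The port block allocation, deterministic allocation, application-match and twin-port features described above, shown together in one added configuration example that is not from the release notes. Pool names, zone names, the 203.0.113.0/28 and 203.0.113.16/28 external ranges, and the 10.10.0.0/22 subscriber range are constructed for illustration; the twin port range values follow the 2048-port default noted above.

```junos
# Source NAT pool with port block allocation: each subscriber gets 128-port
# blocks, at most 8 blocks, and one log entry per block allocation/release.
set security nat source pool pba-pool address 203.0.113.0/28
set security nat source pool pba-pool port block-allocation block-size 128
set security nat source pool pba-pool port block-allocation max-blocks-per-host 8
set security nat source pool pba-pool port block-allocation block-active-timeout 300
set security nat source pool pba-pool port block-allocation log

# Deterministic port block allocation: 10.10.0.0/22 (1024 hosts x 256 ports)
# is mapped onto the pool by a fixed algorithm, so a translated tuple can be
# traced back to a subscriber with no per-session logging at all.
set security nat source pool det-pool address 203.0.113.16/28
set security nat source pool det-pool port deterministic block-size 256
set security nat source pool det-pool port deterministic host address 10.10.0.0/22

# Twin port range (SRX5000 line). 63488-65535 is the 2048-port default; keep
# it at least this wide, because a narrow range makes the translated port
# easier for an attacker to predict, as the NOTE above warns.
set security nat source pool-default-twin-port-range 63488 to 65535
set security nat source pool pba-pool port range twin-port 63488 to 65535

# Source NAT rule using the new application match and several destination
# ports in one rule (previously a single port or range per rule).
set security nat source rule-set inside-out from zone trust
set security nat source rule-set inside-out to zone untrust
set security nat source rule-set inside-out rule web-out match source-address 10.10.0.0/22
set security nat source rule-set inside-out rule web-out match destination-port 80
set security nat source rule-set inside-out rule web-out match destination-port 8080 to 8081
set security nat source rule-set inside-out rule web-out match application junos-http
set security nat source rule-set inside-out rule web-out then source-nat pool pba-pool

# Verify pool and port-block usage
show security nat source pool all
show security nat resource-usage source-pool pba-pool
```

With deterministic allocation the pool must hold at least hosts x block-size ports (here 1024 x 256 = 262,144), which the 16 external addresses comfortably cover; commit fails or hosts go untranslated if the arithmetic does not work out, so size the host prefix and block-size together.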
Network Management and Monitoring
• IP monitoring of reth interface LAGs [High-end SRX Series]—In addition to a single reth interface, IP monitoring is supported through a redundant LAG, which gives both the throughput of the LAG and the redundancy of the reth.
IP monitoring checks the end-to-end connectivity of configured IP addresses and allows
a redundancy group to automatically fail over when the monitored IP address is not
reachable through the reth interface. Both the primary and secondary devices in the
chassis cluster monitor specific IP addresses to determine whether an upstream device
in the network is reachable.
[See IP Monitoring Overview.]
• IP monitoring with interface as next-hop option [SRX Series]—IP monitoring now lets you configure a static route whose next hop is a point-to-point (P2P) interface as the action taken when IP monitoring fails.
The following checks and actions support the track-ip option:
• Next-hop type checking: the next hop can be an IP address or an interface.
• Interface type checking for the next hop: only a P2P interface is supported; any other interface type produces an error when the configuration is committed.
• When monitoring fails, the interface next hop is used to build the route parameters, the static route is added through the RPD API, and the result of the route addition is logged.
• When the primary route recovers, the added route is deleted by the existing route-removal code.
[See show services ip-monitoring status.]
Port Security
• UDP port scan protection [SRX Series]—The UDP port scanning feature is similar to
TCP port scanning in capabilities, user commands, and operational implementation.
The UDP port scanning option is disabled by default. The default threshold period
value is 5000 microseconds. You can manually set the threshold period value, which
ranges from 1000 to 1,000,000 microseconds. This feature protects against DDoS
attacks on some exposed public UDP services by allowing fewer than 10 new sessions
in the configured threshold period for each zone and source IP.
[See Understanding Port Scanning.]
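Enabling the new UDP port-scan check next to the existing TCP one, as an added configuration example that is not from the release notes. The screen name (untrust-screen) and zone name are assumptions; the 5000-microsecond threshold is the default stated above.

```junos
# Screen profile with both TCP and UDP port-scan detection. The threshold is
# the window in microseconds: more than the allowed number of sessions from
# one source to distinct ports inside the window triggers the screen.
set security screen ids-option untrust-screen tcp port-scan threshold 5000
set security screen ids-option untrust-screen udp port-scan threshold 5000

# Start in alarm-only mode so a chatty but legitimate DNS or NTP client does
# not get dropped while you measure the false-positive rate; remove this
# statement once the threshold is tuned.
set security screen ids-option untrust-screen alarm-without-drop

# Screens are applied per zone, to traffic entering that zone.
set security zones security-zone untrust screen untrust-screen

# Check the counters after some traffic
show security screen statistics zone untrust
```

A public DNS resolver behind the SRX is the classic false positive here: one client source address may legitimately open many UDP sessions to port 53 in a few milliseconds, which is why the audit step before enforcement matters.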
Public Key Infrastructure (PKI)
• Online Certificate Status Protocol (OCSP) [SRX Series]—Like CRL checking, OCSP checks the revocation status of X.509 certificates. Requests are sent to the OCSP server(s) configured in a CA profile with the ocsp url statement at the [edit security pki ca-profile profile-name revocation-check] hierarchy level. The use-ocsp option must also be configured. If there is no response from the configured OCSP server, the request is then sent to the location specified in the certificate's AuthorityInfoAccess extension.
[See Understanding Online Certificate Status Protocol.]
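A CA profile that performs OCSP revocation checks as described above, shown as an added configuration example that is not from the release notes. The profile name (corp-ca), CA identity and responder URLs (ocsp.example.com, ocsp2.example.com) are assumptions.

```junos
# CA profile whose certificates are checked via OCSP. Both statements are
# required: "use-ocsp" selects the method, "ocsp url" names the responder(s).
set security pki ca-profile corp-ca ca-identity corp-ca
set security pki ca-profile corp-ca revocation-check use-ocsp
set security pki ca-profile corp-ca revocation-check ocsp url http://ocsp.example.com
# A second responder is tried if the first does not answer; only after all
# configured responders fail is the certificate's AuthorityInfoAccess URL used.
set security pki ca-profile corp-ca revocation-check ocsp url http://ocsp2.example.com

# Confirm the CA certificate is loaded and that verification succeeds
show security pki ca-certificate ca-profile corp-ca detail
request security pki ca-certificate verify ca-profile corp-ca
```

Note the fallback order: the AuthorityInfoAccess URL comes from the certificate being checked, so an attacker who can issue a certificate with a responder URL they control only gets a say after your own responders are unreachable; keep at least one reachable responder configured so that path is never taken.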
Routing Protocols
• OSPFv3 IPsec authentication and confidentiality [SRX Series]—OSPF for IPv6, also known as OSPF version 3 (OSPFv3), has no built-in authentication to ensure that routing packets are not altered or replayed to the router. IPsec can be used to secure OSPFv3 interfaces and virtual links and to encrypt OSPFv3 packets.
To configure IPsec for OSPF/OSPFv3, define a security association (SA) with the security-association sa-name configuration option at the [edit security ipsec] hierarchy level. The configured SA is then applied to the OSPF/OSPFv3 interface or virtual link configuration.
[See Understanding OSPF and OSPFv3 Authentication on SRX Series Devices.]
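A manual bidirectional ESP SA applied to an OSPFv3 interface and a virtual link, as an added configuration example that is not from the release notes. The SA name, interface, area numbers, neighbor ID, and the placeholder keys are assumptions; the keys shown must be replaced, and the same SPI and keys must be configured on every neighbor on the link, since OSPFv3 IPsec uses manual keying.

```junos
# Transport-mode manual SA: ESP with HMAC-SHA1-96 integrity and AES-128-CBC
# confidentiality. SPI must be 256 or higher. Keys are 20-byte and 16-byte
# ASCII placeholders (constructed for this example); replace them.
set security ipsec security-association ospf3-sa mode transport
set security ipsec security-association ospf3-sa manual direction bidirectional protocol esp
set security ipsec security-association ospf3-sa manual direction bidirectional spi 256
set security ipsec security-association ospf3-sa manual direction bidirectional authentication algorithm hmac-sha1-96
set security ipsec security-association ospf3-sa manual direction bidirectional authentication key ascii-text "sample-key-20chars-x"
set security ipsec security-association ospf3-sa manual direction bidirectional encryption algorithm aes-128-cbc
set security ipsec security-association ospf3-sa manual direction bidirectional encryption key ascii-text "sample-aes-key16"

# Apply the SA to the OSPFv3 interface in the backbone area ...
set protocols ospf3 area 0.0.0.0 interface ge-0/0/0.0 ipsec-sa ospf3-sa
# ... and to a virtual link (virtual links are always configured in area 0).
set protocols ospf3 area 0.0.0.0 virtual-link neighbor-id 192.0.2.1 transit-area 0.0.0.1 ipsec-sa ospf3-sa

# Adjacency should form only with peers holding the same SA
show ospf3 interface detail
show ospf3 neighbor
```

An adjacency stuck in Init or Down after this change almost always means a key or SPI mismatch with the neighbor; because the SA is bidirectional, a single typo breaks both directions.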
Security Policy
• Integrated user firewall [SRX Series]—This feature retrieves user-to-IP address
mappings from the Windows Active Directory to use as match criteria in firewall policies.
The SRX Series device polls the event log of the Active Directory Controller (ADC) to
determine who has logged on. The username and group are queried from the LDAP
service in the ADC. The SRX Series device uses the IP address, username, and group
information to generate authentication entries that the UserFW module uses to enforce
user-based and group-based policy control over traffic.
• Multiple zones for policies [SRX Series]—This feature enables you to configure multiple
source zones and multiple destination zones in one global policy. Previously, you had
to create a separate policy for each from-zone/to-zone pair, even when other attributes,
such as source-address or destination-address, were identical.
[See Global Policy Overview.]
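As an added example (not configuration from the release notes), the global policy below matches two source zones and two destination zones in a single rule, which previously required four from-zone/to-zone policies. The zone names trust, guest, dmz and dmz-web and the policy name are placeholders; junos-http and junos-https are the predefined Junos applications.

```junos
/* Added example (not from the release notes): one global policy covering several
   from-zone/to-zone pairs. Zone names and the policy name are placeholders. */
security {
    policies {
        global {
            policy allow-web-to-dmz {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                    /* lists replace four separate trust|guest -> dmz|dmz-web policies */
                    from-zone [ trust guest ];
                    to-zone [ dmz dmz-web ];
                }
                then {
                    permit;
                    /* log both ends of the session so the single rule still yields
                       per-zone-pair visibility in the traffic logs */
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
}
```

Global policies are evaluated after zone-pair policies, so a permissive zone-pair rule still takes precedence; use show security policies hit-count to confirm which rule actually matches during testing.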
Copyright © 2014, Juniper Networks, Inc.
Unified Threat Management (UTM)
• Downloadable Kaspersky scan engine [Branch SRX Series]—The Kaspersky scan
engine is provided as a downloadable UTM module instead of a preinstalled module
in UTM.
To use this feature, your SRX Series device must have an active UTM license. When
you install the KAV license, the system automatically downloads the Kaspersky module
from the Juniper Networks server and runs it.
When you set the antivirus type to KAV, and if the SRX Series device had a preinstalled
Kaspersky engine, the downloaded module replaces the original module on the
device. Regardless of the UTM license status, when the KAV license is deleted from
the device, the Kaspersky engine and all files associated with KAV are removed from
the system immediately.
[See Full Antivirus Protection Overview.]
• UTM license enforcement [SRX Series]—License enforcement is supported for UTM
features, including Sophos antivirus, enhanced Web filtering, and antispam filtering
on all high-end SRX Series devices in addition to branch SRX Series devices. You can
add or remove UTM licenses on SRX Series devices. Each feature license is tied to
exactly one software feature and is valid for exactly one device.
Table 2 on page 13 lists the license modules and the license names.
Table 2: UTM License Information
UTM Module    License Name
SAV           av_key_sophos_engine
AS            anti_spam_key_sbl
EWF           wf_key_websense_ewf
[See License Enforcement.]
• UTM on next-generation SPC [SRX5400, SRX5600, and SRX5800]—This feature
provides support for UTM features, including Sophos antivirus, content filtering,
antispam, and enhanced Web filtering on next-generation SPCs.
VPNs
• HMAC-SHA-256-128 authentication [High-end SRX Series]—HMAC-SHA-256-128
authentication is supported for IPsec proposals and manual security associations on
high-end SRX Series devices. You can specify the hmac-sha-256-128 option at the [edit
security ipsec proposal proposal-name] and the [edit security ipsec vpn vpn-name manual]
hierarchy levels.
[See authentication (Security IPsec) and authentication-algorithm (Security IPsec).]
Related Documentation
• Changes in Behavior and Syntax on page 15
• Known Behavior on page 19
• Known Issues on page 28
• Resolved Issues on page 34
• Documentation Updates on page 47
• Migration, Upgrade, and Downgrade Instructions on page 50
Changes in Behavior and Syntax
This section lists the changes in behavior of Junos OS features and changes in the syntax
of Junos OS statements and commands from Junos OS Release 12.1X47-D10.
Application Identification and Tracking
• Next-generation application identification eliminates the generation of new nested
applications and treats existing nested applications as single applications. In addition,
next-generation application identification does not support custom applications or
custom application groups.
Existing configurations involving any nested applications, custom applications, or
custom application groups are ignored and the following warning messages are
displayed as system log messages:
APPID_CUSTOM_APP_UNSUPPORTED: Ignoring unsupported custom app configuration.
APPID_CUSTOM_NESTAPP_UNSUPPORTED: Ignoring unsupported custom nested app configuration.
APPID_CUSTOM_APPGRP_UNSUPPORTED: Ignoring unsupported custom app group configuration.
Though configurations commit successfully, related functionality will not be available.
For more information, see “Known Behavior” on page 19.
• When you upgrade to Junos OS Release 12.1X47-D10, you might have problems with
application firewall and application QoS rules not being enforced for some applications
and IDP policy load failures.
Applications or application groups for which services are not enforced or applications
that can cause IDP policy load failures are indicated by the following system log
message:
APPID_APP_GRP_UNSUPPORTED
Example:
APPID_APP_GRP_UNSUPPORTED: Ignoring unsupported entry junos:JOOST in path [edit
class-of-service application-traffic-control rule-sets RS8 rule 1 match application
junos:JOOST][edit security idp custom-attack cs2 attack-type signature protocol-binding
nested-application JOOST]
APPID_APP_GRP_UNSUPPORTED: Ignoring unsupported entry junos:PPLIVE in path [edit
security application-firewall rule-sets apptest rule 1 match dynamic-application
junos:PPLIVE][edit class-of-service application-traffic-control rule-sets RS8 rule 1 match
application junos:PPLIVE]
To avoid these problems, we recommend that you upgrade to the latest signature
package.
NOTE: If you are using any applications or application groups that are not present in the latest signature package, you must remove them from application firewall and application QoS rules and IDP policies for installation to complete successfully.
Chassis Cluster
• Starting in Junos OS Release 12.1X46-D20, for all branch SRX Series devices in chassis
cluster mode, there is a node option available for all show chassis CLI commands. The
node option displays status information for all FPCs or for the specified FPC on a specific
node (device) in the cluster.
Flow-Based and Packet-Based Processing
• Prior to Junos OS Release 12.1X46-D10, the SRX Series devices did not decode SCTP
source and destination ports for IPv6 traffic but instead used a preset port 1 to create
flow sessions. These preset ports did not match corresponding security policies and
caused the system to drop SCTP IPv6 traffic.
Starting in Junos OS Release 12.1X47-D10, the actual SCTP source and destination
ports (instead of the preset port 1) will be used to create flow sessions for the SCTP
IPv6 traffic.
Intrusion Detection Prevention (IDP)
New sensor configuration options have been added to log run conditions as IDP session
capacity and memory limits are approached, and to analyze traffic dropped by IDP and
application identification due to exceeding these limitations.
• drop-if-no-policy-loaded—At start up, traffic is ignored by IDP by default if the IDP policy
is not yet loaded. The drop-if-no-policy-loaded option changes this behavior so that
all sessions are dropped before the IDP policy is loaded.
• drop-on-failover—By default, IDP ignores failover sessions in an SRX chassis cluster
deployment. The drop-on-failover option changes this behavior and automatically
drops sessions that are in the process of being inspected on the primary node when a
failover to the secondary node occurs.
• drop-on-limit—By default, sessions are not dropped if the IDP session limit or resource
limits are exceeded. In this case, IDP and other sessions are dropped only when the
device’s session capacity or resources are depleted. The drop-on-limit option changes
this behavior and drops sessions when resource limits are exceeded.
• max-sessions-offset—The max-sessions-offset option sets an offset for the maximum
IDP session limit. When the number of IDP sessions exceeds the maximum session
limit, a warning is logged that conditions exist where IDP sessions could be dropped.
When the number of IDP sessions drops below the maximum IDP session limit minus
the offset value, a message is logged that conditions have returned to normal.
• min-objcache-limit-lt—The min-objcache-limit-lt option sets a lower threshold for
available cache memory. The threshold value is expressed as a percentage of available
IDP cache memory. If the available cache memory drops below the lower threshold
level, a message is logged stating that conditions exist where IDP sessions could be
dropped because of memory allocation failures.
• min-objcache-limit-ut—The min-objcache-limit-ut option sets an upper threshold for
available cache memory. The threshold value is expressed as a percentage of available
IDP cache memory. If available IDP cache memory returns to the upper threshold level,
a message is logged stating that available cache memory has returned to normal. For
example, the following message shows that the available IDP cache memory has
increased above the upper threshold and that it is now performing normally:
• On all SRX Series devices with a single session, when IDP is activated, the upload and
download speeds are slow when compared to the firewall performance numbers.
To address this issue, a new CLI command, set security idp sensor-configuration ips
session-pkt-depth, is introduced; the session-pkt-depth sensor configuration is global
and applies to every session.
The session-pkt-depth value specifies the number of packets in a session that IDP
inspects; beyond this value, IDP does not inspect the remaining packets of that session.
For example, when session-pkt-depth is configured as “n”, IDP inspects only the first
(n-1) packets of the session, and from the nth packet on the session is ignored by IDP.
The default value of session-pkt-depth is “0”; when the value is “0”, no packet depth
is applied and IDP performs a full inspection of the session.
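The following sensor configuration is an added example, not from the release notes, that puts the options described above together. The drop-* and threshold options are assumed to sit under [edit security idp sensor-configuration flow] (the release notes name the options but not that hierarchy); the ips session-pkt-depth statement is the one quoted above. The numeric values are illustrative, and check the CLI help for each option's range and unit before committing.

```junos
/* Added example (not from the release notes): IDP sensor options for capacity logging
   and bounded inspection depth. The flow hierarchy is an assumption; values are illustrative. */
security {
    idp {
        sensor-configuration {
            flow {
                /* fail closed: drop sessions until the IDP policy is loaded, on cluster
                   failover, and when IDP session or resource limits are exceeded */
                drop-if-no-policy-loaded;
                drop-on-failover;
                drop-on-limit;
                /* hysteresis for the session-limit warning: logged when sessions exceed
                   the maximum, cleared only when they fall below (maximum - offset) */
                max-sessions-offset 10;
                /* hysteresis for cache memory, in percent of available IDP cache:
                   warning below 20% free, "returned to normal" only once 50% is free */
                min-objcache-limit-lt 20;
                min-objcache-limit-ut 50;
            }
            ips {
                /* inspect only the first 99 packets of each session (n-1 for n=100);
                   0 (the default) means full-session inspection */
                session-pkt-depth 100;
            }
        }
    }
}
```

The lower/upper threshold pairs are deliberately far apart: a single threshold would log a warning and a recovery message on every oscillation around it, while the gap ensures one warning per real capacity event. Note the trade-off in the ips stanza: a packet depth improves throughput but means attacks that appear late in a long-lived session are not inspected, so keep it at 0 where full inspection matters more than speed.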
Network Time Protocol
• On all SRX Series devices, when the NTP client or server is enabled in the [edit system
ntp] hierarchy, the REQ_MON_GETLIST and REQ_MON_GETLIST_1 control messages
supported by the monlist feature within NTP might allow remote attackers to cause
a denial of service. To protect against this, apply a firewall filter on the router's
loopback interface that allows only trusted addresses and networks.
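The following loopback filter is an added example, not configuration from the release notes, of the mitigation just described: NTP is accepted only from a prefix list of trusted servers and peers, all other NTP traffic toward the Routing Engine is counted and discarded, and everything else is left alone. The filter name, the prefix-list name and the prefixes are placeholders.

```junos
/* Added example (not from the release notes): restrict NTP reaching the Routing Engine
   to trusted sources. Prefixes, filter and prefix-list names are placeholders. */
policy-options {
    prefix-list trusted-ntp {
        192.0.2.0/24;        /* placeholder: internal NTP servers/peers */
        198.51.100.7/32;     /* placeholder: upstream NTP server */
    }
}
firewall {
    family inet {
        filter protect-re {
            term allow-trusted-ntp {
                from {
                    source-prefix-list {
                        trusted-ntp;
                    }
                    protocol udp;
                    port ntp;
                }
                then accept;
            }
            term discard-other-ntp {
                from {
                    protocol udp;
                    port ntp;
                }
                then {
                    /* counter gives visibility of blocked monlist/NTP probes via
                       show firewall filter protect-re */
                    count ntp-discards;
                    discard;
                }
            }
            /* keep the rest of host-bound traffic unchanged; a production protect-re
               filter would normally carry further terms for other services */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Apply it with commit confirmed first: a filter on lo0 governs all traffic to the Routing Engine, so a mistake in the final accept term can lock you out of management. If the device already has a loopback filter, add the two NTP terms before its existing terms rather than replacing the filter.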
Security
• Starting in Junos OS Release 12.1X47-D10, on all branch SRX Series devices, the Routing
Engine memory is decreased to 960 MB when an advanced service such as
next-generation application identification, IDP, or UTM is enabled on the device.
VPNs
• AutoVPN multicast deprecated—Support for multicast traffic in an AutoVPN
hub-and-spoke network is deprecated and will be removed in a future release.
AutoVPN hubs are supported on SRX240, SRX550, SRX650, SRX1400, SRX3400,
SRX5600, and SRX5800 devices. AutoVPN spokes are supported on SRX100, SRX210,
SRX220, SRX240, SRX550, SRX650, and SRX1400 devices.
Related Documentation
• New and Changed Features on page 4
• Known Behavior on page 19
• Known Issues on page 28
• Resolved Issues on page 34
• Documentation Updates on page 47
• Migration, Upgrade, and Downgrade Instructions on page 50
Known Behavior
This section contains the known behaviors, system maximums, and limitations in hardware
and software in Junos OS Release 12.1X47-D10.
Application Identification and Tracking
• In Junos OS Release 12.1X47-D10 with application identification enabled, an impact on
the application traffic throughput is observed compared to Junos OS Release 12.1X46
or earlier releases under the following scenarios:
• Application system cache is disabled
• Average session data length is very small (less than 44 KB)
• Specific application traffic distributed extensively across non-standard random ports
• Certain application traffic generator profiles are used (not in typical real-world
deployments)
You can use the new performance mode CLI command for improving application traffic
throughput by configuring the enable-performance-mode parameter.
• Use the set services application-identification enable-performance-mode command
to set the deep packet inspection (DPI) in performance mode with default packet
inspection limit as two packets, including both client-to-server and server-to-client
directions.
• Use the set services application-identification enable-performance-mode
max-packet-threshold value command to set the maximum packet threshold for DPI
performance mode based on your input, including both client-to-server and
server-to-client directions. Packet inspection limit can be changed with this CLI
command. Range for the max-packet-threshold value is 1 through 100.
• Use the delete services application-identification enable-performance-mode command
to switch DPI to default accuracy mode and disable the performance mode.
NOTE: By default, DPI performance mode is not enabled on the SRX Series device.
Use the show services application-identification status command to display detailed
information about application identification status.
In the following sample, the DPI Performance mode field displays whether the DPI
performance mode is enabled or not. This field is displayed in the CLI command output
only if the performance mode is enabled.
pic: 2/1
Application Identification
  Status                                  Enabled
  Sessions under app detection            0
  Engine Version                          4.18.2-24.006 (build date Jul 30 2014)
  Max TCP session packet memory           30000
  Force packet plugin                     Disabled
  Force stream plugin                     Disabled
  DPI Performance mode:                   Enabled
  Statistics collection interval          1 (in minutes)
Application System Cache
  Status                                  Enabled
  Negative cache status                   Disabled
  Max Number of entries in cache          262144
  Cache timeout                           3600 (in seconds)
Protocol Bundle
  Download Server                         https://services.netscreen.com/cgi-bin/index.cgi
  AutoUpdate                              Disabled
  Slot 1:
    Application package version           2399
    Status                                Active
    Version                               1.40.0-26.006 (build date May 1 2014)
    Sessions                              0
  Slot 2
    Application package version           0
    Status                                Free
    Version
    Sessions                              0
• On all SRX Series devices, in next-generation application identification, the CLI
statements and commands listed in Table 3 on page 20 are deprecated—rather than
immediately removed—to provide backward compatibility and a chance to bring your
configuration into compliance with the new configuration.
Table 3: Items Deprecated in Junos OS Release 12.1X47-D10

Statement: nested-application
Hierarchy: [edit services application-identification]
Additional Information: Configure a custom nested application definition that will be used by the system to identify the nested application as it passes through the device.

Statement: nested-application-settings
Hierarchy: [edit services application-identification]
Additional Information: Configure nested application options for application identification services.

Statement: enable-heuristics
Hierarchy: [edit services application-identification]
Additional Information: Enable encryption and P2P detection.

Statement: max-checked-bytes
Hierarchy: [edit services application-identification]
Additional Information: Configure the maximum number of bytes to be applied with the application signatures.

Statement: nested-application
Hierarchy: [edit security idp custom-attack attack-name attack-type signature protocol-binding] and [edit security idp custom-attack attack-name attack-type chain protocol-binding]
Additional Information: Specify the nested application name during configuration of custom attack objects to detect known or unknown attacks.
NOTE: All nested applications that used to be listed under this statement are now listed under the application application-name statement at the [edit security idp custom-attack attack-name attack-type signature/chain protocol-binding] hierarchies.

Statement: nested-application
Hierarchy: [security application-firewall]
Additional Information: Enable the nested application dynamic lookup to match the application firewall with an application rule during application firewall policy lookup, if there is no explicit rule for the nested application.

Statement: max-sessions
Hierarchy: [edit services application-identification]
Additional Information: Specify the maximum number of sessions application identification maintains. If the value reaches the maximum, all new sessions are dropped.

Statement: request services application-identification application copy predefined-application-name
Hierarchy: NA
Additional Information: Copy a predefined application signature from the database to the configuration and change the name.

Statement: show services application-identification counter ssl-encrypted-sessions
Hierarchy: NA
Additional Information: Display application identification counters for SSL-encrypted traffic.
• On all SRX Series devices, custom application signatures are not supported with this
version of application identification.
As a part of this change, the CLI statements used for configuring custom applications
as listed in Table 4 on page 21 are not supported in this release.
Table 4: Statements Not Supported in Junos OS Release 12.1X47-D10

Statement: application
Hierarchy: [edit services application-identification]
Additional Information: Configure a custom application definition for the desired application name that will be used by the system to identify the application as it passes through the device.

Statement: application-group
Hierarchy: [edit services application-identification]
Additional Information: Specify any number of associated predefined applications, user-defined applications, and other groups for ease of use in configuring application-based policies.
• On all SRX Series devices, application-level distributed denial of service is being
deprecated in Junos OS Release 12.1X47-D10. As a part of this change, the CLI
statements and commands listed in Table 5 on page 22 are deprecated—rather than
immediately removed—to provide backward compatibility and a chance to bring your
configuration into compliance with the new configuration.
Table 5: Items Deprecated in Junos OS Release 12.1X47-D10

Statement: application-ddos
Hierarchy: [edit security idp]
Additional Information: Configure application-level distributed denial-of-service (DDoS) protection.

Statement: rulebase-ddos
Hierarchy: [edit security idp idp-policy policy-name]
Additional Information: Configure the rulebase parameters for application-level DDoS attacks.

Statement: application-ddos
Hierarchy: [edit security idp sensor-configuration]
Additional Information: Enables application-level DDoS statistics collection.

Statement: clear security idp application-ddos cache
Hierarchy: –
Additional Information: Clear application-level distributed denial-of-service (DDoS) state including context, context value, and client classification.

Statement: show security idp application-ddos application
Hierarchy: –
Additional Information: Display basic statistics for the servers being protected by the IDP application-level DDoS feature.

Statement: show security idp counters application-ddos
Hierarchy: –
Additional Information: Display the status of all IDP application-DDoS counter values.

Statement: clear security idp counters application-ddos
Hierarchy: –
Additional Information: Clear the status of all IDP application-DDoS counter values.
We strongly recommend that you phase out deprecated items and replace them with
supported alternatives.
• On all high-end SRX Series devices, application-level distributed denial-of-service
(application-level DDoS) detection does not work if two rules with different
application-level DDoS applications process traffic going to a single destination
application server. When setting up application-level DDoS rules, make sure that you
do not configure rulebase-ddos rules that have two different application-ddos objects
when the traffic destined to one application server can process more than one rule.
Essentially, for each protected application server, you have to configure the
application-level DDoS rules so that traffic destined for one protected server processes
only one application-level DDoS rule.
NOTE: Application-level DDoS rules are terminal, which means that once traffic is processed by one rule, it will not be processed by other rules.
The following configuration options can be committed, but they will not work properly:
Application Server   application-ddos   service   destination-ip   destination-zone   source-zone
1.1.1.1:80           http-appddos1      http      any              dst-1              source-zone-1
1.1.1.1:80           http-appddos2      http      any              dst-1              source-zone-2
• On all high-end SRX Series devices, application-level DDoS rule base (rulebase-ddos)
does not support port mapping. If you configure an application other than default, and
if the application is from either predefined Junos OS applications or a custom application
that maps an application service to a nonstandard port, application-level DDoS
detection will not work.
When you configure the application setting as default, IDP uses application identification
to detect applications running on standard and nonstandard ports; thus, the
application-level DDoS detection would work properly.
CLI and J-Web
• In CLI and J-Web, the number of users allowed to access the device is limited as follows:
Device    CLI Users    J-Web Users
SRX100    6            3
SRX110    6            3
SRX210    4            3
SRX220    9            5
SRX240    6            5
SRX550    11           5
SRX650    11           5
Dynamic Host Configuration Protocol (DHCP)
• On all SRX Series devices, DHCPv4 is supported only in Layer 3 mode; the DHCP server
and DHCP client are not supported in Layer 2 transparent mode.
• On all SRX Series devices, DHCPv6 client authentication is not supported.
• On all SRX Series devices, logical systems and routing instances are not supported for
DHCP client in chassis cluster mode.
Flow-Based and Packet-Based Processing
• On all branch SRX Series devices, GRE fragmentation is not supported in packet-based
mode.
General Packet Radio Service (GPRS)
• On all high-end SRX Series devices, only a unified ISSU to an immediate Junos OS
release is supported. For example, unified ISSU from Junos OS Release 12.1X44 to Junos
OS Release 12.1X45 is supported.
Hardware
• SRX5800 devices do not support a redundant SCB card (third SCB) if an SRX5k
SPC II (FRU model number: SRX5K-SPC-4-15-320) is installed on the device. If you
have installed an SRX5K SPC II on an SRX5800 device with a redundant SCB card,
make sure to remove the redundant SCB card.
• On SRX100, SRX110, SRX210, and SRX220 devices, DRAM memory is not supported.
However, chassis cluster is supported when two devices have the same 1 GB or 2 GB
of memory.
• On SRX5400, SRX5600, and SRX5800 devices, services offloading is not supported
on Modular Port Concentrator (SRX5K-MPCs)/Modular Interface Cards (MICs).
Interfaces and Chassis
• On all branch SRX Series devices, CLNS routing is not supported on aggregated
Ethernet interfaces.
Integrated User Firewall
• On SRX Series devices, Integrated User Firewall has the following limitations:
• IPv6 addresses are not supported.
• Logical systems are not supported.
• The WMIC does not support multiple users logged onto the same PC.
• Domain controllers and domain PCs must be running a Windows OS. The minimum
supported Windows client is Windows XP. The minimum supported server is
Windows Server 2003.
Intrusion Detection and Prevention (IDP)
• On all high-end SRX Series devices, in sniffer mode, flow reports both the source and
destination interfaces as the egress interface for ingress and egress traffic.
As a workaround, in sniffer mode, use tagged interfaces; the interface names are then
displayed in the logs. For example, ge-0/0/2.0 as the ingress (sniff) interface and
ge-0/0/2.100 as the egress interface are displayed in the logs, showing the source
interface as ge-0/0/2.100.
set interfaces ge-0/0/2 promiscuous-mode
set interfaces ge-0/0/2 vlan-tagging
set interfaces ge-0/0/2 unit 0 vlan-id 0
set interfaces ge-0/0/2 unit 100 vlan-id 100
NOTE: On all branch SRX Series devices, the sniffer mode is not supported.
IP Monitoring
• On SRX5400, SRX5600, and SRX5800 devices, in each PIC on the 40x1GE IOC cards
only 2 of the 10 ports can be enabled with IP monitoring on both the primary and
secondary sides. If more than two ports on the same PIC are enabled with IP monitoring,
the behavior of IP monitoring through reth or RLAG on the secondary side might be
abnormal.
• On SRX5400, SRX5600, and SRX5800 devices, the maximum number of IP addresses
that can be configured for monitoring is limited to 64.
• On SRX1400, SRX3400, and SRX3600 devices, the maximum number of IP addresses
that can be configured for monitoring is limited to 32.
• On all high-end SRX Series devices, the default configuration and minimum interval
of IP monitoring is 1 second, and the maximum interval is 30 seconds.
• On all high-end SRX Series devices, the default and minimum threshold of IP monitoring
is 5, and the maximum threshold is 15.
• When IP monitoring is enabled on a different subnet than the reth IP address, then you
must configure the proxy-arp unrestricted option on the upstream router.
Network Address Translation (NAT)
• On high-end SRX Series devices, the number of IP addresses for NAT with port
translation has been increased to 1M addresses.
The SRX5000 line, however, supports a maximum of 384M translation ports, and this
limit cannot be increased. To use 1M IP addresses, you must therefore confirm that the
number of ports per address is less than 384. The following CLI commands enable you
to configure the twin port range and limit the twin port number:
• set security nat source pool-default-twin-port-range <low> to <high>
• set security nat source pool sp1 port range twin-port <low> to <high>
TCP-Based DNS
• On all SRX Series devices, the Routing Engine policy supports a maximum of 1024 IPv4
address prefixes and 256 IPv6 address prefixes that can be sent to the Packet
Forwarding Engine. If the number of IPv4 or IPv6 address prefixes exceeds these
limits, the addresses beyond the limit are not sent to the Packet Forwarding
Engine and a system log message is generated. The maximum number of addresses
in a TCP DNS response is 4094 for IPv4 addresses and 2340 for IPv6 addresses, but
only 1024 IPv4 addresses and 256 IPv6 addresses are loaded to the Packet Forwarding
Engine.
Upgrade and Downgrade
• On the SRX240B2 and SRX240H2 models, when you try to upgrade from Junos OS
Release 11.4 to Junos OS Release 12.1X44, 12.1X45, 12.1X46, or 12.1X47, the upgrade fails
when attempting to validate the configuration. To resolve this, use the no-validate
option.
Related Documentation
• New and Changed Features on page 4
• Changes in Behavior and Syntax on page 15
• Known Issues on page 28
• Resolved Issues on page 34
• Documentation Updates on page 47
• Migration, Upgrade, and Downgrade Instructions on page 50
Known Issues
This section lists the known issues in hardware and software in Junos OS Release
12.1X47-D10.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
Application Identification and Tracking
• On all SRX Series devices, when you upgrade from any Junos OS release to Junos OS
Release 12.1X47-D10 with custom IDP attacks using custom nested applications, mgd
commit fails.
As a workaround, before you perform any upgrade, deactivate any custom IDP attacks.
PR999282
• On all SRX Series devices, when you upgrade Junos OS Release from 12.1X46-D10 to
12.1X47-D10, the appcache and session state synchronization is not supported because
of incompatible changes in the AppID engine. PR986569
Chassis Cluster
• On SRX1400 devices in a chassis cluster, after you commit a configuration, the LED
changes from green state to off. PR749672
• On SRX Series devices in a chassis cluster in Z mode, rate-limited traffic shows a
deviation in the traffic forwarding rate. PR779368
• On all high-end SRX Series devices in a chassis cluster, some persistent NAT table
entries cannot be removed on the SPU when the device is under heavy traffic with
multiple failovers. PR834823
• On all SRX Series devices, when Layer 2 bridging is configured, both the nodes must
be rebooted. After you reboot the primary node, the secondary node goes into a disabled
state because of a fabric link failure.
As a workaround, reboot both the nodes (including the one running as primary).
Rebooting only the disabled node does not resolve the issue. PR892374
• The secondary node in a chassis cluster environment might crash or go into DB mode
because of panic: rnh_index_alloc after frequent failover when IPsec VPN is enabled.
PR917719
• On SRX5600 and SRX5800 devices in a chassis cluster, when you run the telnet
program on either the primary or secondary Routing Engine connecting to SPUs on the
Packet Forwarding Engine side, the connection gets stuck because an incorrect source
IP is used by the telnet program in the multichassis environment.
As a workaround, when the connection gets stuck, specify the local chassis IP by using
-s parameter as its source IP for the telnet program to connect to SPUs. PR923782
• On SRX Series devices in a chassis cluster, the PIC might go offline on one of the nodes
due to RG0 failover caused by rebooting the device. PR933248
Dynamic Host Configuration Protocol (DHCP)
• On all SRX Series devices, when the device acts as a DHCP client and if it receives a
DHCP offer containing a large lease value (for example, the lease value is greater than
or equal to 230,000,000 seconds) from a DHCP server, the DHCP process on the
device crashes. The DHCP client interface acquires an IP address, but the routes will
not be through DHCP. PR899941
• On all high-end SRX Series devices, the sub object identifier (OID) values displayed
under jnxJdhcpLocalServerBindings are incorrect. PR946036
• On all high-end SRX Series devices, after you delete the DHCP server binding, the IP
addresses assigned to the ARP and host route still exist in the device. PR947601
• On all high-end SRX Series devices, the DHCP server option-82 does not work. PR949717
• On all high-end SRX Series devices, the DHCP server SNMP information cannot be
displayed in the logical system. PR956597
• On all high-end SRX Series devices, the DHCP relay does not work when you configure
the DHCP relay point to the local server cross-routing instance. PR964710
• On SRX1400, SRX3400, and SRX3600 devices, the DHCP client might not get an IP
address after you reboot the system. This is because the Routing Engine cannot get
an “all card ready event” notification.
As a workaround, configure a dhcp-client retransmit-attempt or a
dhcp-retransmit-interval option with a large value, or send a DHCP client renew request.
PR972984
• On SRX3600 devices running DHCP client service, when you restart the DHCP service
and clear the DHCP client binding, the default route is not removed immediately after
these actions. However, the default route will be deleted after 15 minutes. PR981194
Flow-Based and Packet-Based Processing
• On all branch SRX Series devices, when you clear the IPv6 neighbors or reboot the
device, one or two packets are dropped on the first ping. PR479603
• When reverse path forwarding (RPF) is enabled along with RPM, the device changes
to the db prompt and loses reachability when you delete some configurations.
PR869528
• On SRX Series devices with 1 GB of memory, if the advanced services license is
configured with the reduce-dp-memory option, memory is not released from the data
plane to the control plane.
As a workaround, when the advanced services license is configured, do not configure
the reduce-dp-memory option. PR895648
• On all SRX Series devices, creating a session for the from-self OSPF or from-self OSPF3
traffic is not possible. If the from-self OSPF or from-self OSPF3 traffic enters the IPsec
tunnel, you cannot perform pre-fragmentation for the traffic, because the traffic
bypasses the flow fragmentation process and jexec does not support the IPv6
post-fragmentation process. Hence, the packet is dropped by jexec.
As a workaround, reduce the MTU value of st0. The Routing Engine then fragments the
OSPF3 traffic and avoids the egress traffic fragmentation of the tunnel. PR918429
• On all high-end SRX Series devices, when IPsec is enabled, AppQoS does not apply
the rate limiter for egress traffic. PR918942
• On all high-end SRX Series devices, the Layer 3 and Layer 4 signatures (IPP and ICMP)
are not supported. PR986058
• On all high-end SRX Series devices, when you use multicast and there are more than
600 copies of a multicast packet for a multicast group, a flowd core file is generated
when you commit the configuration. PR986592
• In Junos OS Release 12.1X47-D10, a memory allocation failure causes the NAT module
to generate a core file under the following conditions:
• SPC
• Combo mode (cp-flow)
• UTM memory and IDP sessions are enabled using the following commands:
• set security forwarding-process application-services enable-utm-memory
• set security forwarding-process application-services maximize-idp-sessions weight idp
• set security forwarding-process application-services maximize-idp-sessions inline-tap
As a workaround, do any one of the following:
• On SRX Series devices with a combo-mode SPU, do not enable UTM memory and
IDP sessions at the same time using the following commands:
• set security forwarding-process application-services enable-utm-memory
• set security forwarding-process application-services maximize-idp-sessions weight idp
• set security forwarding-process application-services maximize-idp-sessions inline-tap
• Prevent the SPU from running in combo mode by inserting the next-generation SPU
before you insert the combo-mode SPU, or replace the combo-mode SPU with the
next-generation SPU.
PR1019568
General Packet Radio Service (GPRS)
• On all high-end SRX Series devices, when both the Gn and Gp interface pass through
an SRX Series device, and the Gn interface is NAT-enabled, the restart counter only
takes effect on the Gn interface. PR893379
• On all high-end SRX Series devices, the SCTP association count is not equal to chassis
cluster nodes after you create and clear SCTP associations. PR968581
• On all high-end SRX Series devices, the SCTP multichunk inspection association is lost
after you perform ISSU from Junos OS Release 12.1X45-D10 to 12.1X47-D10. PR971569
Interfaces and Routing
• On all SRX Series devices, in the SNMP jnxJdhcpRelayBindings table, the OID values for
the IP address and time have format errors. Hence, the OID value for the interface is
lost. PR908619
• SFP interfaces ge-0/0/7, ge-0/0/8, and ge-0/0/9 on the 1-Gigabit Ethernet SYSIO
card autonegotiate to 10 gigabits per second when the port status is down. PR946581
• On all high-end SRX Series devices, the interface monitoring option causes an
unexpected RG0 failover during the system reboot. This is because the interface
monitoring option is only applicable to data-plane interfaces and should not be
associated with RG0, which represents control-plane redundancy. Enabling the
interface monitoring option under RG0 is not supported on high-end SRX Series
devices.
As a workaround, disable the interface monitoring option under RG0. PR970023
Intrusion Detection and Prevention (IDP)
• On the B and H models of SRX100, SRX210, and SRX240 devices with 1 GB of RAM,
the predefined IPS templates other than the recommended template might not compile
successfully because of low memory. PR925337
• On SRX210 and SRX220 devices, due to memory constraints, the combination of large
IDP policies (that is, IDP_Default) along with express antivirus (EAV) might not compile
successfully. PR970170
Network Address Translation (NAT)
• On all SRX Series devices, when you run the show security nat source port-block
command in a chassis cluster with detail node id, the first line of the Port_Block Range,
Ports_Used/Ports_Total, and Block_State/Left_Times(s) lists might contain random,
incorrect values. This is an output issue only and does not impact any feature.
PR957371
• On all high-end SRX Series devices, the PBA blocks and the deterministic table counters
might not be synchronized on the chassis cluster device.
For a PBA NAT pool, the PBA blocks are not synchronized to the secondary device for the
conflicting NAT resource because the master NAT port resource is reused too fast.
For a deterministic NAT pool, the Ports_Used counters in the deterministic table
are not synchronized to the secondary device for the conflicting NAT resource because the
master NAT port is reused too fast.
When both the NAT resource and the destination IP address conflict at the same time,
the session wing1 might conflict. PR965193
• On all high-end SRX Series devices, when you add a /96 IPv6 address to the host
address of the deterministic NAT pool, an nsd core file is generated when you commit
the configuration. PR985511
Platform and Infrastructure
• On all high-end SRX Series devices, when you try to reload a kernel module that is
already linked to the kernel, an error message is displayed because the module is
already present. No functionality is impacted by the error message. PR817861
• On all SRX Series devices, when you upgrade a Junos OS release from one version to
another, some error messages will be sent out. These messages are harmless warning
messages that are generated during image checking and do not affect the ISSU.
PR926661
• If a large number of IPv6 addresses are configured on a single interface (or on a large
number of logical interfaces), the kernel might be very busy when the interface is
enabled or disabled. Key kernel modules, like TNP/RDP, cannot be scheduled in time
under such situations.
As a workaround, disable Duplicate Address Detection on the interface. PR929300
• On SRX1400 devices, when you enable the rpf-check option, the vmcore process
crashes when you commit the configuration and during RG0 failover. The vmcore
process crashes on both nodes in a chassis cluster during RG0 failover.
PR948279
• On SRX240B2 and SRX240H2 devices, when you try to upgrade the device from Junos
OS Release 11.4 to Junos OS Release 12.1X44, 12.1X45, 12.1X46, or 12.1X47, the upgrade
fails when attempting to validate the configuration.
As a workaround, use the no-validate option to bypass the validation. PR958421
• On all high-end SRX Series devices, during the ISSU process, the Packet Forwarding
Engine connects to, and sometimes disconnects from, the Routing Engine. Hence, the IP
resolve events sent to the Packet Forwarding Engine are ignored. When you configure
multiple DNS policies after the ISSU process, some of the policies will not have IP
addresses in the Packet Forwarding Engine.
As a workaround, use the request security policies resync command. PR985731
Screens
• On SRX5600 devices, when you configure IP spoofing in Layer 2 mode, before defining
the IP spoofing and the address books for specific zones, if the delete security or delete
security zone/screen/address-book commands are executed and the configuration is
not committed, the addresses in the Packet Forwarding Engine might be incorrect. Due
to this issue, the IP spoofing might not work.
As a workaround, after executing the delete security or delete security
zone/screen/address-book command, commit the configuration before you continue
the IP spoofing configuration. Or, if the IP addresses in the Packet Forwarding Engine
are not correct, restart nsd from the CLI using the restart network-security immediately
command. PR943232
VPN
• On all high-end SRX Series devices, IPsec replay errors might be observed after RG1
failovers. PR832834
• On all high-end SRX Series devices, in an AutoVPN deployment, when the multicast
traffic sender is located behind a spoke, the multicast traffic might drop for up to 6
minutes during ISSU in the hub. The recommended AutoVPN multicast topology is to
locate the multicast source behind a hub. When you locate the multicast source behind
a spoke and if the hub is in chassis cluster mode, use the following commands to
minimize the traffic drop during ISSU in the hub:
set chassis redundancy graceful-switchover
set routing-options graceful-restart
set protocols bgp graceful-restart restart-time 600
set protocols bgp graceful-restart stale-routes-time 600
set protocols pim graceful-restart restart-duration
PR946951
Related Documentation
• New and Changed Features on page 4
• Changes in Behavior and Syntax on page 15
• Known Behavior on page 19
• Resolved Issues on page 34
• Documentation Updates on page 47
• Migration, Upgrade, and Downgrade Instructions on page 50
Resolved Issues
This section lists the issues fixed in the Junos OS main release and the maintenance
releases.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
Application Layer Gateways (ALGs)
• On SRX Series devices with the VoIP-related ALG (either H.323 or SIP) and NAT enabled
for the VoIP traffic, the corresponding ALG creates persistent-nat-binding entries for
the reverse VoIP traffic (even though the persistent NAT feature is not configured in
the source NAT rule) when VoIP traffic is transmitted into a custom routing instance.
Hence, the system does not apply the custom routing instance information to the
persistent-nat-binding entries, and the reverse traffic that matches the
persistent-nat-binding entries is forwarded to the default routing instance instead of
to the custom routing instance. The reverse traffic is dropped or forwarded to the wrong
place. PR924553
• On all SRX Series devices, the REAL ALG is not supported, but you can configure it from
both the CLI and J-Web. PR943123
• On all SRX Series devices with the SCCP ALG enabled, the SCCP ALG drops packets
with unknown message identification. In a NAT scenario, the SCCP ALG performs NAT
for different SCCP messages with different NAT results, and data traffic is dropped.
PR952180
• On all SRX Series devices, a flowd core file is generated because of a malformed SIP
packet. PR956157
• On all SRX Series devices, the Microsoft Active Directory or Microsoft Outlook client
might get disconnected from the server because the MS-RPC ALG incorrectly drops
the data connections under heavy load. PR958625
• On all SRX Series devices, when the ALG receives IPv6 payload information for
processing and if the IPv6 flow mode is not enabled on the device, the flowd process
might crash. PR964817
• On all SRX Series devices, when RTSP ALG traffic passes through the routing-instance
type virtual-router, traffic is dropped. PR979899
Authentication and Access Control
• On all SRX Series devices, when Web authentication is enabled using the SecurID
authentication, it will fail if there is a change in the DNS server configuration. The authd
process causes the old DNS server to send the DNS request. PR885810
• On SRX Series (except the SRX110) devices in a chassis cluster working as a Unified
Access Control (UAC) enforcer, when RG0 failover occurs, the Packet Forwarding
Engine might connect to the uac process before the uac process connects to the UAC
server. In this condition, the uac process conveys to the Packet Forwarding Engine that
the UAC server is disconnected. When the Packet Forwarding Engine receives this
information, it denies new traffic that matches the UAC policies. The traffic is resumed
after the connection of the uac process and UAC server is established. PR946655
• On all SRX Series devices, the application firewall module might cause the Network
Security Daemon (NSD) to leak up to 4 KB of memory on each configuration commit.
PR969107
Chassis Cluster
• On all SRX Series devices in a chassis cluster, the dcd process causes a memory leak on
the Routing Engine when you configure a reth interface (that is, activate, deactivate,
delete, or add a reth interface). PR893759
• On all SRX Series devices in a chassis cluster, when you download the IDP signature
database from the primary node, it is not synchronized to the secondary node. PR914987
• On all high-end SRX Series devices in a chassis cluster, in certain IPv6 configurations,
the SPU sends out packets with an invalid header on the secondary node, which in turn
triggers a hardware monitoring failure on the secondary node. PR935874
• On all branch SRX Series devices in a chassis cluster, when an identical address is found
on both the private and public interfaces, a kernel panic occurs after RG0 failover.
PR937438
• On all SRX Series devices (except the SRX110) in a chassis cluster, in certain conditions,
the chassis cluster fabric link hello packet might be corrupted, causing the flowd process
to crash. PR939828
• Due to logic problems with the next-generation SPC nvram component, sometimes
the central Packet Forwarding Engine processor tries to yield a thread during an
interrupt-disable scenario. This operation causes the central Packet Forwarding Engine
processor to hang, and the flexible PIC concentrator is marked as offline. As a result,
the chassisd detects the flexible PIC concentrator as being down and resets all flexible
PIC concentrators, causing failover in chassis clusters. PR940392
• On all branch SRX Series devices, the counter for incoming traffic on a fabric interface
(used for chassis cluster) always shows zero (0). PR949962
• In Junos OS Release 12.1X46-D10 and earlier, in a chassis cluster environment, when a
secondary node failed, no notification was sent to report the secondary node failure.
Starting in Junos OS Release 12.1X47-D10, in a chassis cluster mode, the primary node
sends the SNMP generic event trap to report failures on the primary node and the
secondary node. PR953639
• On all SRX Series devices (except the SRX110) in an asymmetric chassis cluster scenario,
the secondary node (for example, node 1) uses a local interface to back up the interface
in the primary node (for example, node 0). If there is a route change, then the traffic is
sent to the egress from the backup interface, which is the local interface of node 1.
After the route resumes, the traffic is sent back to the egress from the primary interface,
which is the local interface of node 0. The session related to the route change is in
active state on both the nodes. Traffic might be interrupted when the session times
out on the backup node and the session on the primary node is deleted. PR951607
• On all branch SRX Series devices, the G-ARP replies do not update the existing MAC
address entry. When the MAC address timer expires, a new MAC address is updated.
PR953879
• On all SRX Series devices (excluding SRX110 devices) in a chassis cluster, when the
secondary node becomes ineligible due to a control link failure, it might still forward
traffic. This causes the reth interface to flap and the related traffic to drop while
the secondary node is in the ineligible state. PR959280
• On SRX5400, SRX5600, and SRX5800 devices in a chassis cluster, when you disable
LACP on a reth interface, the related route's next hop remains in the hold state.
PR960994
• On all SRX Series devices (excluding SRX110 devices) in a chassis cluster, after the
primary node power cycle, the Flexible PIC Concentrators (FPCs) on both the nodes
might lose the connection to the new primary Routing Engine, causing the FPCs on
both the nodes to get stuck in present state. PR961351
• On SRX3600 devices, the fabric link goes down when you perform a manual failover
using the request chassis cluster failover redundancy-group 0 node 0 command.
PR965077
Dynamic Host Configuration Protocol (DHCP)
• SRX100 devices send the same DHCP packets twice, but the SRX220 devices send
the DHCP packets only once. PR894760
• On all SRX Series devices, you cannot get the DHCP relay information through SNMP
if DHCP relay is configured under the logical system. For example, the following command
produces no output:
bash-3.2# snmpwalk -c lsys1/default@junos-t5 -v 1 -Os -Oq -Oe -Pu -m /tmp/jnx-smi.mib:/tmp/jnx-jdhcp.mib 10.208.131.136 jnxJdhcpRelayStatistics
bash-3.2#
PR909906
• On all SRX Series devices, in the DHCPv6 client command description, the word stateful
was misspelled as statefull. It is changed to stateful in the description; however, the
keyword is retained as statefull to avoid incompatibility. PR924692
• On all high-end SRX Series devices, after you configure DHCPv6 in IPv6 mode, the
dhcpv6 process crashes. PR940078
• On all high-end SRX Series devices, DHCPv6 does not work in IPv6 mode. PR942246
• On all high-end SRX Series devices, the DHCP server on the device gives the same IP
address to two different hosts and both hosts are active in the MAC binding table,
causing a connectivity issue. This issue might occur if the DHCP server receives a DHCP
INFORM packet from a binding client and a DHCP RELEASE packet from the same
client. PR969929
Flow-Based and Packet-Based Processing
• On SRX220H2 devices, the TCP connection rate might drop by 15 percent. PR898217
• On SRX100H2 devices, the device reboots unexpectedly and multiple core files are
generated due to a DDR2 memory timing issue between DRAM and the CPU. The
symptoms include flowd core files, core files from other processes (for example, snmpd,
ntpd, and rtlogd), and silent reboot without core files and system freeze. These core
files are related to RAM access (for example, pointer corruption in session ager ring
entry), and there are no consistent circumstances that cause these core files to be
generated. PR923364
• On all SRX Series devices, when you run the clear security flow session command with
a prefix or port filter, some of the sessions are not matched with the filter, causing a
traffic drop or delay. This issue is triggered by any of the filters. PR925369
• On all branch SRX Series devices, in some cases, the ARP response is not accepted
when the frame size is above the common value (for example, when the frame was
padded by intermediate Layer 2 devices). PR927387
• On all SRX Series devices configured with IDP, for the AppSecure, ALG, GTP, or SCTP
features that require serialization flow processing, the memory buffer might leak,
causing the flowd process to crash. PR930728
• On all SRX Series devices, when loading a configuration in private mode, the annotated
message statement is truncated to 1024 characters. PR930834
• On all SRX Series devices, if GRE tunnel configuration is committed without a correct
route to the tunnel destination, the GRE tunnel session will bind the wrong anchor
interface (the GRE tunnel outgoing interface) by route lookup. This anchor interface
will not be updated even after the route is corrected when you commit the subsequent
configuration. PR933591
• On all SRX Series devices, the indirect next hop for ECMP is not supported. PR935867
• On all SRX Series devices (except the SRX110) configured in a chassis cluster, under
certain conditions, the flowd process might crash during the cold synchronization
process. PR936014
• On all high-end SRX Series devices, in certain circumstances, high CPU consumption
on the data plane and eventual exhaustion of the internal system buffers might corrupt
the forwarding table, causing partial traffic drops. PR938742
• On all SRX Series devices, when IKE packets are received before Junos OS default
applications are pushed to the Packet Forwarding Engine, the IKE sessions will be
established without the IKE application having been marked. As a result, the fragmented
IKE packet cannot be sent to iked, because the IKE session has not used IKE
applications. PR942730
• On all SRX Series devices, if the first packets of a single session come from both
directions at the same time, the application information on the session is corrupted
during session installation and the flowd process crashes. PR942877
• On all SRX Series devices, when the device is in packet mode, after you change an
interface configuration, the warning message warning: You have changed inet flow
mode; You must reboot the system for your change to take effect is displayed. The same
message is displayed on every commit until the next reboot. This message can be
safely ignored. PR949472
• On SRX240, SRX550, and SRX650 devices, when the device receives a TCP reset (RST)
and a FIN (the second FIN of the session) at the same time for a session, the RST and
the FIN packet might get processed by different threads. As a result, the session timeout
updates incorrectly, and the session remains in the session table for 150 seconds.
PR950799
• On all SRX Series devices, the flowd process might crash when the system performs
persistent NAT function for ALG traffic. This is because of lack of memory to allocate
for persistent NAT bindings. PR951011
• On all SRX Series devices, when RG0 failover is triggered, the old RG0 primary device
reboots or both devices reboot. PR953723
• On SRX240, SRX550, and SRX650 devices, in certain situations, flow sessions time
out and get corrupted. This leads to the flow sessions being set to an abnormally high
value, which eventually leads to the session table becoming full. PR955630
• On all high-end SRX Series devices, the flowd process might crash during the session
installation. PR956775
• On all SRX Series devices, SSH connection is not possible between Cisco devices
running IOS version 15 or later and SRX Series devices running Junos OS Release 11.2
or later. PR957483
• On all SRX Series devices, in a site-to-site VPN scenario, when the device is configured
as an IPsec initiator, the flow session timeout is refreshed by the reroute packet. This
causes an old session to remain in the session table, the VPN connection not to recover,
and packet drops to occur. PR959559
• On all branch SRX Series devices, when you configure an ICMP probe-server option
under the [services rpm] hierarchy for a specific interface (for example, ge-0/0/0),
the device does not respond to ICMP requests from this interface. Other interfaces are
not affected and can continue to respond to ICMP requests. PR960932
• On all SRX Series devices, when you reboot the passive node, CPU usage on the flow
SPUs of the primary node increases for a few seconds, and traffic latency increases
during that time. PR962401
• On all SRX Series devices, filter-based forwarding (FBF) rules are ignored when existing
sessions are rerouted. PR962765
• On all branch SRX Series devices with the IP spoofing screen enabled, the routing table
search might fail because the routing table is locked by the system, causing a
false-positive IP spoofing detection. PR967406
• On all high-end SRX Series devices, when you send SCTP packets to test the capacity,
the SCTP packet might generate a core file. PR968951
• On all SRX Series devices, white spaces are not supported in the PKI certificate name.
PR975374
• On SRX550 devices, the maximum number of flow sessions is configured incorrectly.
The devices have larger session capacities than the configured session values. PR977169
• On all branch SRX Series devices, application traffic control rate limiters are
unsupported on model H2. PR979901
• On all SRX Series devices, in rare cases, the device starts using sequential source ports
for source NAT because of random function memory corruption. PR982931
General Packet Radio Service (GPRS)
• On all SRX Series devices, when you send the 4-way handshake control packets to
create associations for the capacity test, a core file is generated. PR980262
Hardware
• On SRX550 and SRX650 devices, the SRX-GP-DUAL/QUAD-T1-E1 GPIM might have
interoperability issues with the remote CSU using the national standard feature due
to the violation of ITU-T recommendation G.704. PR939944
Interfaces and Routing
• The counter for incoming traffic on a fabric interface (used for chassis cluster) always
shows zero (0). PR520962
• On SRX5600 virtual chassis, when you swap the members of a LAG, a vmcore or ksyncd
core file might be generated on the backup Routing Engine. PR711679
• On all SRX Series devices, when you configure and commit IPv6 addresses on a logical
interface, the output of the show interface terse command does not reflect the change
immediately. PR802229
• SRX5800 devices might log the Bottom Fan Tray Unable to Synch message. However,
this message can be ignored. PR833047
• On all branch SRX Series devices with 3G wireless modems, the 3G dialer interface
dl0.0 might get stuck in the down link state. PR855897
• On SRX550 devices, the T3/E3 FPC goes offline after provisioning a switched port on
ge-0/0/0 interface. PR919617
• On SRX Series devices with the 3G USB wireless modem, when the signal is low, the
3G cellular modem interface (cl-0/0/*) displays the status as Connected even though
there is no signal or there is a low signal with no network connection. This is because
there is no mechanism for the wireless WAN process to notify the Routing Engine of
the status change even though the Packet Forwarding Engine is notified. After the
signal recovers, the 3G cellular modem interface is not able to dial again. PR923056
• On all high-end SRX Series devices, the show interfaces extensive command is cut short
with the error message error: route rpf stats get for interface. PR930630
• When IS-IS is configured between the SRX Series device and some third-party devices,
after the SRX Series device is rebooted and the IS-IS adjacency is reestablished, the
routes advertised by the third-party devices might not install into the routing table in
some cases. PR935109
• On SRX550 devices with DS3/E3 interfaces, the external clocking option is disabled
to overcome the limitation present in the hardware to support this clocking option.
With the revised version of hardware, the external clocking limitation has been fixed.
Hence the external clocking option is reenabled. PR936356
• On all SRX Series devices, deactivating static routes can lead to deactivation of other
configuration sections. PR939712
• On all SRX Series devices, modifying a policy element that is deactivated by the policy
scheduler leads to problems in searching the policy tree in memory. An incorrect policy
match occurs after the policy is reactivated by the scheduler. PR944215
• On all branch SRX Series devices with interfaces encapsulated with ethernet-ccc,
when you connect to an ae interface with LACP enabled, the LACP packets do not
pass through the ethernet-ccc encapsulated interface. PR945004
• On SRX100B2, SRX100H2, SRX210B, SRX210HE2, SRX210HE2POE, SRX220H2,
SRX220H2POE, SRX240B, SRX240B2, SRX240H2, and SRX240H2POE devices, the
Point-to-Point Protocol over Ethernet (PPPoE) feature session is disconnected or the
connection is not available. PR956307
• On SRX210 and SRX220 devices, certain jumbo frames are dropped even though the
MTU is set correctly. PR963271
• On all SRX Series devices, the clear security dns-cache command is extended to resolve
all DNS entries immediately. Similarly, the security policies containing DNS names are
updated immediately to use the refreshed IP addresses after the FQDN addresses are
resolved. PR970235
• On all SRX Series devices, when the proxy-ndp feature is enabled on the interface, the
entries in the IPv6 neighbor table from the interface might flap. PR970281
• On SRX5400, SRX5600, and SRX5800 devices, the counters displayed in the reth
interface are not correct. PR978421
Intrusion Detection and Prevention (IDP)
• On SRX Series devices with IDP enabled, high data plane CPU usage occurs in certain
SPUs for a few seconds. PR848485
• On all SRX Series devices, when you disable the option idp policy-optimizer using the
set security idp sensor-configuration no-policy-optimizer command, the policy fails to
load after reboot. PR883258
• On branch SRX Series devices with IDP enabled, when you use the hardware
Deterministic Finite Automaton (DFA), which is enabled by default on all devices
except SRX100 and SRX110 in Junos OS Release 11.4, a false positive might occur for
the signature APP:RDP-BRUTE-FORCE. PR911994
• On all SRX Series devices, the new entry or flag representing an alert notification is
seen in the system log message. If the alert is configured in the IDP rules, the flag is set
to “yes”; otherwise, it is set to “no”. PR948401
• On all high-end SRX Series devices, when the LACP mode is fast and the IDP is in
inline-tap mode, a LACP flap might occur when you commit the configuration.
PR960487
• On all SRX Series devices, when you upgrade the detector version, the detector kconst
value becomes the default value. PR971010
J-Web
• On all SRX Series devices, the httpd process generates a verbose log in the default
configuration. PR930723
• On all SRX Series devices, when you make any changes on the J-Web page and try to
commit or refresh the page, the operation might time out due to two Asynchronous
JavaScript and XML (AJAX) requests being sent out at the same time. The second
AJAX request is sent out when the first AJAX request does not receive a response.
PR935552
• When you change the password minimum-length characters from 6 to 8, J-Web shows
the error message minimum-length is 6. PR942219
• On all SRX Series devices, J-Web does not accept the keyword “any” in the address-book
object name. PR944952
• On all SRX Series devices, session logs generated by the global policies are not displayed
on the Monitor > Events and Alarms > Security events page or in the policy log window
on the Configure > Security > Policy page in J-Web. PR962892
• On all branch SRX Series devices, when dynamic VPN is configured, it is not possible to
configure the local-certificate or pki-local-certificate options for Web management. A
commit error is displayed when these options are configured. Only the self-signed
certificate option can be configured. PR969672
• On J-Web, the App-FW page does not show the counter information. PR972473
Network Address Translation (NAT)
• On all SRX Series devices, when NAT protocol translation from IPv4 to IPv6 is enabled,
a certain crafted packet might cause the flowd process to hang or crash. A hang or
repeated crash of the flowd process creates an extended denial-of-service condition
for the devices. PR954437
• In Junos OS Release 12.1X46-D10 and earlier, the device could not send the SNMP trap
for the NAT pool with logical systems configured.
Starting with Junos OS Release 12.1X47-D10, the SNMP trap for the NAT pool with
logical systems configuration can be sent from the device. PR959219
• On all high-end SRX Series devices, the source paired address table for the IPv6 PBA
pool is not released on the primary node after the session time out. PR975093
Platform and Infrastructure
• On all high-end SRX Series devices, when the management-ethernet link-down ignore
command is configured under the chassis alarm hierarchy, the show chassis alarm
command does not display the fxp0: Ethernet Link Down alarm message. However, the
following messages might be seen in the logs:
craftd[1163]: %DAEMON-3: attempt to delete alarm not in list
alarmd[1162]: %DAEMON-4: Alarm cleared: RE color=IGNORE, class=CHASSIS
reason=Host 0 fxp0: Ethernet Link Down
PR749954
• On all SRX Series devices, when you log in to the device, the login process might crash
due to abnormal disconnection behaviors. PR802169
• On SRX240, SRX550, and SRX650 devices, when the device receives out-of-order
packets while transferring large TCP files, the throughput might be heavily impacted.
PR881761
• When GRE is enabled, AppQoS classification, marking, or rate limit does not work for
fragmented packets in the client-to-server direction. PR924932
• On all SRX Series devices, when using JDHCP, the server does not respond to the client
with the DHCPOFFER packet when it receives the DHCPDISCOVER packet from the
client. This causes the authd process to consume a large amount of CPU usage and
increase the /mfs partition storage capacity. PR925111
• On SRX5800 devices in a chassis cluster that are connected to a Nexus switch, a
control plane failover causes the LACP timer to change from slow periodic to fast
periodic. PR926019
• On all SRX Series devices, for SCTP IPv6 traffic in traffic logs, all the source and
destination ports are marked as port 1. PR928916
• On SRX1400 devices with a SYSIO-XGE IOC card, the xe-0/0/9 interface might not
come up when the cable is reconnected after you upgrade to Junos OS Release
12.1X47-D10. PR929276
• On all SRX Series devices, when the Network Security Daemon (NSD) holds a buffer
related to the NAT proxy-ARP process, a memory leak occurs. The leak occurs each time
you commit the configuration. PR931329
• On SRX1400 devices, if port ge-0/0/6 has an SFP-T (part number 740-013111)
transceiver plugged in, the port might be set to physically down after a Junos OS
upgrade. PR933751
• On SRX1400, SRX3400, and SRX3600 devices configured in a chassis cluster with an
SRX1K3K-NP-2XGE-SFPP card installed, the cold synchronization process might fail
on certain SPC cards with the message No response from peer node after 900 tries.
PR941845
• On all SRX Series devices with a large number of next-hop entries, frequent interface
flaps might cause the Routing Engine to fail to allocate next-hop indexes, which
causes traffic to be dropped. PR943388
• On all branch SRX Series devices, because of a timing issue, the VLAN interface might
fail to add security zone information after the RG0 failover. PR944017
• On SRX5400, SRX5600, and SRX5800 devices with an SRX5K-SPC-4-15-320
(next-generation SPC) installed, the hardware interrupt handler checks the link-up or
link-down status of unused internal ports on the next-generation SPC. This might
cause the Control Plane Processor (CPP) to hang, which in turn resets all the Flexible
PIC Concentrators (FPCs). PR959655
• On SRX1400, SRX3400, and SRX3600 devices, high traffic on the fxp0 interface
destabilizes the control plane functions. PR962909
Switching
• On SRX210 devices running in packet mode, when DSCP marking (32 - 63) is on and
the destination MAC in the packet header is present in the SRX ARP table, the devices
reply to packets that are not destined to them. On devices in a chassis cluster, you
must ensure that packets not destined to the SRX210 do not reach the device.
PR950486
System Logging
• On SRX3400 and SRX3600 devices, the following system logs are seen in the messages
file:
sfchip_show_rates_pfe: Fchip Plane 0, dpc 0, pfe <1/2/3>: Invalid dpc
These system logs do not affect the device. PR738199
• On SRX5400, SRX5600, and SRX5800 devices, when error-correcting code (ECC)
errors occur on IOC or FIOC cards, the issue is difficult to identify because the error
is not logged on the device. PR900617
• The error OpenSSL: error:14090086:lib(20):func(144):reason(134) means that server
certificate verification has failed. The certificate might be a self-signed certificate or
an expired certificate. PR932274
• On all SRX Series devices, the following error message is displayed on system or event
logs after you upgrade to Junos OS Release 12.1X47-D10: Can't find ifa on e1-x/0/x.y.
This message is harmless and does not affect the E1 interfaces and can be ignored.
PR971503
• The SNMP walk for the jnxPicType2ASPCXLP object might fail, show the
jnxPicType2ASPCXLP (could not resolve 'jnxPicType2ASPCXLP' to an OID) error message
in the logs, and fail to receive information from the device. PR974463
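Several of the messages above are documented as cosmetic while others point at a real fault (for example the kern.maxfiles message in PR959194, which can lock administrators out). The following triage script, added here as an example and not part of the release notes or any Juniper tool, runs over a handful of constructed syslog lines and separates messages these notes call harmless from ones that need attention. The regular expressions generalise the placeholders shown in the notes (such as <1/2/3> and e1-x/0/x.y) and are this example's own assumption; the log lines are made up for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of SRX syslog lines (not captured from a real device).
# The message texts are the ones quoted in the Resolved Issues section.
SAMPLE_LOG = """\
Sep 17 10:01:02 srx3600 fpc0 sfchip_show_rates_pfe: Fchip Plane 0, dpc 0, pfe 2: Invalid dpc
Sep 17 10:01:05 srx240 craftd[1163]: %DAEMON-3: attempt to delete alarm not in list
Sep 17 10:02:11 srx240 mgd[2201]: Can't find ifa on e1-1/0/0.0
Sep 17 10:03:40 srx240 kernel: kern.maxfiles limit exceeded by uid 0, please see tuning(7).
Sep 17 10:04:01 srx240 sshd[3311]: Failed password for root from 203.0.113.9 port 51020 ssh2
"""


@dataclass(frozen=True)
class KnownMessage:
    pattern: re.Pattern
    pr: str
    verdict: str  # "benign", "known" or "investigate"
    note: str


# Regexes are this example's generalisation of the quoted messages
# (digits where the notes show placeholders); verdicts follow what the
# notes say about each message.
KNOWN = [
    KnownMessage(
        re.compile(r"sfchip_show_rates_pfe: Fchip Plane \d+, dpc \d+, pfe [123]: Invalid dpc"),
        "PR738199", "benign", "SRX3400/SRX3600; the notes say it does not affect the device"),
    KnownMessage(
        re.compile(r"Can't find ifa on e1-\d+/\d+/\d+\.\d+"),
        "PR971503", "benign", "seen after upgrade to 12.1X47-D10; E1 interfaces unaffected"),
    KnownMessage(
        re.compile(r"craftd\[\d+\]: ?%DAEMON-3: attempt to delete alarm not in list"),
        "PR749954", "known", "expected alongside management-ethernet link-down ignore"),
    KnownMessage(
        re.compile(r"kern\.maxfiles limit exceeded by uid 0"),
        "PR959194", "investigate", "descriptor leak when the CRL server is unreachable; logins may fail"),
]


def classify(line):
    """Return (verdict, pr, note) for one syslog line."""
    for k in KNOWN:
        if k.pattern.search(line):
            return (k.verdict, k.pr, k.note)
    return ("unknown", None, "not covered by this release note; keep for normal triage")


def triage(log_text):
    """Group lines by verdict so benign ones can be suppressed, not discarded."""
    out = {"benign": [], "known": [], "investigate": [], "unknown": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        verdict, pr, note = classify(line)
        out[verdict].append((line, pr, note))
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for verdict in ("investigate", "unknown", "known", "benign"):
        for line, pr, note in result[verdict]:
            print(f"[{verdict:11}] {pr or '-':9} {line}")
            print(f"{'':24}{note}")
```

The point of keeping a separate benign bucket rather than dropping the lines is that the "harmless" verdict is tied to a specific PR and release; once the device is upgraded past the fix, the same message is no longer explained and should surface again.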
Unified Threat Management (UTM)
• On all branch SRX Series devices, webpages become unavailable and do not display
any content when you enable Sophos antivirus for HTTP traffic. PR906534
• On all high-end SRX Series devices, EWF logs are not marked with user role information.
PR936799
• On all branch SRX Series devices with the UTM Kaspersky antivirus (KAV) option
enabled, and the intelligent-prescreening option configured, the chunked packet that
only contains chunk-size data without any actual data is recognized as an invalid data
packet, and the packet is dropped before it passes to the KAV engine in the KAV HTTP
proxy processing. PR937539
• On all branch SRX Series devices, when the category action is permit, the result is the
category site-reputation action; when no category reputation action is defined, the
result is the global site-reputation action and then the default action. This is
confusing because the explicit permit action configured under the specific category
is not honored. To resolve this problem, configure the explicit action directly on the
category. If you do not configure any action, the global site-reputation action is
applied next. Category reputation is not used in enhanced Web filtering.
PR939352
• On all high-end SRX Series devices, when you install a license, you might see the
message license not valid for this product add license failed. Even though the message
appears, the feature still functions normally. In addition, the show system license
command does not display the Sophos antivirus, antispam, or Web filtering licenses.
PR948347
• On all branch SRX Series devices, the test security utm anti-virus command for the
antivirus feature does not work due to an Invalid argument error message. PR951124
• On all branch SRX Series devices, when the KAV license expires and a new license is
installed, deleting the old license file causes the KAV engine status to change to Not
Ready. The deleting event triggers an AV license status update. The utmd process
might recognize that the KAV license is not installed and the pattern database is
unloaded. PR954590
• On all SRX Series devices with UTM and the Sophos antivirus (SAV) service enabled, if
source NAT for self-generated traffic is configured, the DNS queries from the UTM SAV
service time out and fail. PR963978
• On all high-end SRX Series devices, UTM blacklists and whitelists should work without
an EWF license. PR970597
VPNs
• On all SRX Series devices, when IPsec is enabled, AppQoS does not assign egress
traffic to the configured forwarding class. PR753762
• On all SRX Series devices, in site-to-site IPsec VPN deployments using IKEv2, when
tunnels are removed through a configuration change, the information is not propagated
to the remote peer. Later, when the peer initiates a normal Phase 1 rekey, the
kmd process crashes and core files are generated. PR898198
• On all SRX Series devices, when a VPN configuration change and an interface
configuration change are made in the same commit, or after the device is rebooted with
the VPN and interface configured together, the tunnel sessions that flowd should create
are missing. This impacts the traffic flow on that tunnel. The invalid bind interface
counter returns a nonzero value when you run the show usp ipsec global-stat command.
PR928945
• Certificate-based authentication fails when the RSA signature from the remote
peer uses SHA-256 as the message digest algorithm. PR936141
• On all SRX Series devices configured with IPsec VPN and with VPN monitor enabled,
the VPN monitor function triggers socket leak, and it might result in some critical issue,
such as flow SPUs becoming unresponsive. PR940093
• On all SRX Series devices, when IPsec is used in a chassis cluster, after the SPU or
flowd uptime reaches 50 days or more, the amount of RTO traffic on the fabric link
increases. PR941999
• On all SRX Series devices with multiple proxy-identity (MPID), dead routes are seen
while moving the st0 interface from one virtual router to another. PR943577
• On all branch SRX Series devices configured in a chassis cluster with route based IPsec
VPN enabled, during RG0 failover to the new primary node, if a route-based VPN does
not have IPsec SAs associated with the tunnel, then the bind interface (st0) associated
with the tunnel is marked down. The interface remains in down state, causing the VPN
traffic to drop. PR944478
• On all SRX Series devices, after traffic-selector configuration is deleted from the VPN
configuration object, the data traffic stops passing through the tunnel. PR944598
• On SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices, high CPU usage
occurs after installing the additional SPC cards without a full cluster reboot, and IPsec
tunnels carry the SCTP traffic anchored on the device. PR945162
• SRX Series devices cannot proceed with automatic certificate reenrollment through
SCEP because the certificate validity period is incorrectly calculated during the
autorenewal process. Also, when the CRL is downloaded through LDAP, it can be only
partially received from the CA server, and the pkid process goes up. PR946619
• On all SRX Series devices, when there are more than 100 traffic selectors configured
on a VPN configuration object along with configured, established, tunnels, if all IPsec
SAs for this VPN configuration object are cleared at the same time (because of a
configuration change on a peer or the use of the clear operational command), the
bind-interface associated with that VPN configuration object might be marked as
down. PR947103
• On all SRX Series devices, in a hub-spoke IPsec VPN scenario, when you commit the
static NHTB configuration on the multipoint secure tunnel (st0) interface, the VPN
routes might become active even though the VPN tunnel is down. This issue also occurs
when you reboot the system with static NHTBs and the related static routes are
configured. PR947149
• On SRX Series devices configured as a route-based IPsec Dynamic End Point (DEP)
VPN node, the VPN tunnel interface st0.x link incorrectly remains up when IPsec Security
Association (SA) is not established, even though VPN monitoring or establish-tunnels
immediately is configured. PR947552
• On all SRX Series devices, IPsec VPN packets are dropped in a chassis cluster Z mode
when a fragmentation is required. PR956808
• On all SRX Series devices, any configuration changes to the st0.x interface might delete
NHTB entries for unrelated st0 interfaces. PR958190
• On all SRX Series devices, in some situations, if the CRL server is not reachable, a
memory leak might occur and the kern.maxfiles limit exceeded by uid 0 message is shown
on the console. As a result, the device administrator can no longer log in to the
device. PR959194
• On all SRX Series devices, IPsec VPN tunnels might not come up due to unavailability
of buffer space. PR985494
Related Documentation
• New and Changed Features on page 4
• Changes in Behavior and Syntax on page 15
• Known Behavior on page 19
• Known Issues on page 28
• Documentation Updates on page 47
• Migration, Upgrade, and Downgrade Instructions on page 50
Documentation Updates
This section lists the errata and changes in Junos OS Release 12.1X47-D10 documentation.
Documentation Updates for the Junos OS Software Documentation
This section lists the errata and changes in the software documentation.
IDP Policies Feature Guide for Security Devices
• This guide is missing information about new policy templates.
Six new IDP Policy templates are added.
The new templates have the following features:
• They are designed for ease of use and provide balanced performance and coverage.
• The new templates include client protection, server protection, and client/server
protection.
• Each of the new templates has two versions that are device specific, a 1-gigabyte
(GB) version and a 2-GB version.
NOTE: The 1-gigabyte versions labeled 1G should only be used for devices that are limited to 1 GB of memory. If a 1-GB device loads anything other than a 1-GB policy, the device might experience policy compilation errors due to limited memory or limited coverage. If a 2-GB device loads anything other than a 2-GB policy, the device might experience limited coverage.
Use these templates as a guideline for creating policies. We recommend that you
make a copy of these templates and use the copy (not the original) for the policy.
This approach allows you to make changes to the policy and to avoid future issues
due to changes in the policy templates.
The complete list of the new IDP policy templates is given in Table 6 on page 48.
Table 6: New IDP Policy Templates

Updated/Currently Available Policy Templates:

root@R1# set security idp active-policy ?
Possible completions:
<active-policy> set active policy
Client-And-Server-Protection
Client-And-Server-Protection-1G
Client-Protection
Client-Protection-1G
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended
Server-Protection
Server-Protection-1G
Web_Server

Previously Available Policy Templates:

root@R1# set security idp active-policy ?
Possible completions:
<active-policy> set active policy
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended
Web_Server
Descriptions of the new IDP policy templates are provided in Table 7 on page 48.
Table 7: Descriptions of the New IDP Templates

Template: Client-And-Server-Protection
Description: Designed to protect both clients and servers. To be used on high-memory devices with 2 GB or more of memory.

Template: Client-And-Server-Protection-1G
Description: Designed to protect both clients and servers. To be used on all devices, including low-memory branch devices.

Template: Client-Protection
Description: Designed to protect clients. To be used on high-memory devices with 2 GB or more of memory.

Template: Client-Protection-1G
Description: Designed to protect clients. To be used on all devices, including low-memory branch devices.

Template: Server-Protection
Description: Designed to protect servers. To be used on high-memory devices with 2 GB or more of memory.

Template: Server-Protection-1G
Description: Designed to protect servers. To be used on all devices, including low-memory branch devices.
Multicast Feature Guide for Security Devices
Multicast Source Discovery Protocol (MSDP) is not supported on SRX Series devices in
any type of custom routing instance.
Various Guides
• Some Junos OS user, reference, and configuration guides—for example the Junos
Software Routing Protocols Configuration Guide, Junos OS CLI User Guide, and Junos OS
System Basics Configuration Guide—mistakenly do not indicate SRX Series device
support in the “Supported Platforms” list and other related support information;
however, many of those documented Junos OS features are supported on SRX Series
devices. For full, confirmed support information about SRX Series devices, please refer
to Feature Explorer:
http://pathfinder.juniper.net/feature-explorer/select-software.html?swName=Junos+OS&typ=1.
Related Documentation
• New and Changed Features on page 4
• Changes in Behavior and Syntax on page 15
• Known Behavior on page 19
• Known Issues on page 28
• Resolved Issues on page 34
• Migration, Upgrade, and Downgrade Instructions on page 50
Migration, Upgrade, and Downgrade Instructions
This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade
policies for Junos OS. Upgrading or downgrading Junos OS can take several hours,
depending on the size and configuration of the network.
• End-of-Life Announcement for J Series Devices and the Low-Memory Versions of SRX100
and SRX200 Lines on page 50
• Upgrading and Downgrading Among Junos OS Releases on page 51
• Upgrading an AppSecure Device on page 52
• Network and Security Manager Support on page 53
• Upgrade and Downgrade Scripts for Address Book Configuration on page 53
• Hardware Requirements on page 56
End-of-Life Announcement for J Series Devices and the Low-Memory Versions of SRX100 and SRX200 Lines
Starting in Junos OS Release 12.1X47-D10, the J Series devices and the low-memory
versions of the SRX100 and SRX200 lines are discontinued and no longer supported.
NOTE: Upgrading to Junos OS Release 12.1X47-D10 or later is not supported on the J Series devices or on the low-memory versions of the SRX100 and SRX200 lines. If you attempt to upgrade one of these devices to Junos OS 12.1X47-D10, installation will be aborted with the following error message:
ERROR: Unsupported platform <platform-name> for 12.1X47 and higher
For the model numbers of the discontinued products, the recommended replacement
products, and minimum software requirements for the replacements, see:
http://www.juniper.net/support/eol/
If you have any questions concerning this notification, please contact the Juniper Networks
Technical Assistance Center (JTAC).
Upgrading and Downgrading Among Junos OS Releases
All Junos OS releases are listed in sequence on the JUNOS Software Dates & Milestones
webpage:
http://www.juniper.net/support/eol/junos.html
To help in understanding the examples that are presented in this section, a portion of
that table is replicated here. Note that releases footnoted with a 1 are Extended
End-of-Life (EEOL) releases.
You can directly upgrade or downgrade between any two Junos OS releases that are
within three releases of each other.
• Example: Direct release upgrade
Release 10.3 → (bypassing Releases 10.4 and 11.1) Release 11.2
To upgrade or downgrade between Junos OS releases that are more than three releases
apart, you can upgrade or downgrade first to an intermediate release that is within three
releases of the desired release, and then upgrade or downgrade from that release to the
desired release.
• Example: Multistep release downgrade
Release 11.3 → (bypassing Releases 11.2 and 11.1) Release 10.4 → Release 10.3
Juniper Networks also provides a more efficient method of upgrading and
downgrading using the Junos OS EEOL releases. EEOL releases generally occur once a
calendar year and can be more than three releases apart. For a list of EEOL releases, go
to http://www.juniper.net/support/eol/junos.html
You can directly upgrade or downgrade between any two Junos OS EEOL releases that
are within three EEOL releases of each other.
• Example: Direct EEOL release upgrade
Release 9.3 (EEOL) → (bypassing Releases 10.0 [EEOL] and 10.4 [EEOL]) Release 11.4
(EEOL)
To upgrade or downgrade between Junos OS EEOL releases that are more than three
EEOL releases apart, you can upgrade first to an intermediate EEOL release that is within
three EEOL releases of the desired EEOL release, and then upgrade from that EEOL
release to the desired EEOL release.
• Example: Multistep release upgrade using intermediate EEOL release
Release 8.5 (EEOL) → (bypassing Releases 9.3 [EEOL] and 10.0 [EEOL]) Release 10.4
(EEOL) → Release 11.4 (EEOL)
You can even use a Junos OS EEOL release as an intermediate upgrade or downgrade
step if your desired release is several releases later than your current release.
• Example: Multistep release upgrade using intermediate EEOL release
Release 9.6 → Release 10.0 (EEOL) → Release 10.2
For additional information about how to upgrade and downgrade, see the Junos OS
Installation and Upgrade Guide.
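The two rules above (any two releases at most three apart, or any two EEOL releases at most three EEOL releases apart) are easy to misapply when planning a multistep path. The script below, an added example rather than anything Juniper ships, encodes both rules and finds the shortest supported chain between two releases. The release sequence and EEOL set in it are constructed for illustration from the releases named in the examples above; the authoritative list is the Junos Software Dates & Milestones page, so replace the table with that list before relying on a computed path.

```python
from collections import deque

# Constructed, illustrative release sequence in release order; it contains
# the releases used in the examples above and marks as EEOL the ones those
# examples label EEOL. This table is an assumption of the example, not the
# official milestones list.
RELEASES = ["8.5", "9.0", "9.1", "9.2", "9.3", "9.4", "9.5", "9.6",
            "10.0", "10.1", "10.2", "10.3", "10.4",
            "11.1", "11.2", "11.3", "11.4", "12.1"]
EEOL = {"8.5", "9.3", "10.0", "10.4", "11.4"}
MAX_SPAN = 3  # "within three releases of each other"


def direct_ok(src, dst):
    """True if src -> dst is one supported upgrade or downgrade step.

    Rule 1: at most MAX_SPAN positions apart in the full release sequence.
    Rule 2: both EEOL and at most MAX_SPAN positions apart in the EEOL-only
    sequence. Direction does not matter; downgrades follow the same limits.
    """
    if src == dst:
        return True
    if abs(RELEASES.index(src) - RELEASES.index(dst)) <= MAX_SPAN:
        return True
    if src in EEOL and dst in EEOL:
        eeol_seq = [r for r in RELEASES if r in EEOL]
        return abs(eeol_seq.index(src) - eeol_seq.index(dst)) <= MAX_SPAN
    return False


def upgrade_path(src, dst):
    """Shortest chain of supported steps from src to dst, inclusive, or None.

    Breadth-first search, so the returned chain has the fewest installs.
    Among equally short chains, candidates closest to the target are tried
    first, which reproduces the intermediate releases the text's examples use.
    """
    if src not in RELEASES or dst not in RELEASES:
        raise ValueError("unknown release")
    target = RELEASES.index(dst)
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        candidates = [r for r in RELEASES if r not in prev and direct_ok(cur, r)]
        candidates.sort(key=lambda r: abs(RELEASES.index(r) - target))
        for nxt in candidates:
            prev[nxt] = cur
            queue.append(nxt)
    return None


if __name__ == "__main__":
    for a, b in [("10.3", "11.2"), ("11.3", "10.3"), ("9.3", "11.4"),
                 ("8.5", "11.4"), ("9.6", "10.2")]:
        print(f"{a} -> {b}: {' -> '.join(upgrade_path(a, b))}")
```

For the last example the text routes 9.6 through 10.0 (EEOL) to 10.2; the search instead returns the direct step, because 9.6 and 10.2 are only three releases apart and so already satisfy the first rule. Both chains are supported; the search simply prefers the one with fewer installs.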
Upgrading an AppSecure Device
Use the no-validate Option for AppSecure Devices.
For devices implementing AppSecure services, use the no-validate option when upgrading
from Junos OS Release 11.2 or earlier to Junos OS 11.4R1 or later. The application signature
package used with AppSecure services in previous releases has been moved from the
configuration file to a signature database. This change in location can trigger an error
during the validation step and interrupt the Junos OS upgrade. The no-validate option
bypasses this step.
Network and Security Manager Support
Network and Security Manager (NSM) support for SRX Series Services Gateways with
Junos OS 12.1X47-D10 is available only with NSM versions 2012.2R6 / 2012.1R10 and later.
For additional information, see Network and Security Manager documentation.
Upgrade and Downgrade Scripts for Address Book Configuration
Beginning with Junos OS Release 12.1, you can configure address books under the [security]
hierarchy and attach security zones to them (zone-attached configuration). In Junos OS
Release 11.1 and earlier, address books were defined under the [security zones] hierarchy
(zone-defined configuration).
You can either define all address books under the [security] hierarchy in a zone-attached
configuration format or under the [security zones] hierarchy in a zone-defined configuration
format; the CLI displays an error and fails to commit the configuration if you configure
both configuration formats on one system.
Juniper Networks provides Junos operation scripts that allow you to work in either of the
address book configuration formats (see Figure 1 on page 54).
• About Upgrade and Downgrade Scripts on page 53
• Running Upgrade and Downgrade Scripts on page 54
• Upgrade and Downgrade Support Policy for Junos OS Releases on page 55
• Upgrade Policy for Junos OS Extended End-Of-Life Releases on page 55
About Upgrade and Downgrade Scripts
After downloading Junos OS Release 12.1, you have the following options for configuring
the address book feature:
• Use the default address book configuration—You can configure address books using
the zone-defined configuration format, which is available by default. For information
on how to configure zone-defined address books, see the Junos OS Release 11.1
documentation.
• Use the upgrade script—You can run the upgrade script available on the Juniper Networks
support site to configure address books using the new zone-attached configuration
format. When upgrading, the system uses the zone names to create address books.
For example, addresses in the trust zone are created in an address book named
trust-address-book and are attached to the trust zone. IP prefixes used in NAT rules
remain unaffected.
After upgrading to the zone-attached address book configuration:
• You cannot configure address books using the zone-defined address book
configuration format; the CLI displays an error and fails to commit.
• You cannot configure address books using the J-Web interface.
For information on how to configure zone-attached address books, see the Junos OS
Release 12.1 documentation.
• Use the downgrade script—After upgrading to the zone-attached configuration, if you
want to revert to the zone-defined configuration, use the downgrade script available
on the Juniper Networks support site. For information on how to configure zone-defined
address books, see the Junos OS Release 11.1 documentation.
NOTE: Before running the downgrade script, make sure to revert any configuration that uses addresses from the global address book.
Figure 1: Upgrade and Downgrade Scripts for Address Books
[Figure: flow between the two formats. Starting from a zone-defined address book: download Junos OS Release 11.2 or later, then run the upgrade script to reach the zone-attached address book configuration, in which the global address book is available by default, the address book is defined under the security hierarchy, and zones need to be attached to address books. Running the downgrade script returns to the zone-defined address book. Note: make sure to revert any configuration that uses addresses from the global address book before downgrading.]
Running Upgrade and Downgrade Scripts
The following restrictions apply to the address book upgrade and downgrade scripts:
• The scripts cannot run unless the configuration on your system has been committed.
Thus, if the zone-defined address book and zone-attached address book configurations
are present on your system at the same time, the scripts will not run.
• The scripts cannot run when the global address book exists on your system.
• If you upgrade your device to Junos OS Release 12.1 and configure logical systems, the
master logical system retains any previously configured zone-defined address book
configuration. The master administrator can run the address book upgrade script to
convert the existing zone-defined configuration to the zone-attached configuration.
The upgrade script converts all zone-defined configurations in the master logical system
and user logical systems.
NOTE: You cannot run the downgrade script on logical systems.
For information about implementing and executing Junos operation scripts, see the Junos
OS Configuration and Operations Automation Guide.
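To make the conversion the upgrade script performs concrete, the following script, added here as an example and not Juniper's operation script, rewrites a constructed zone-defined address book in set-command form into the zone-attached form: every entry under security-zone <zone> address-book moves to a book named <zone>-address-book, which is then attached to that zone, while unrelated lines pass through unchanged. It also enforces the two restrictions listed above, refusing to run when both formats are present or when a global address book exists. The sample configuration lines and the address values are made up for illustration.

```python
import re

# Constructed sample of a pre-12.1 zone-defined address book in "set" form
# (not taken from a real device). Addresses are documentation ranges.
ZONE_DEFINED = """\
set security zones security-zone trust address-book address web1 10.1.1.10/32
set security zones security-zone trust address-book address web2 10.1.1.11/32
set security zones security-zone trust address-book address-set web-servers address web1
set security zones security-zone trust address-book address-set web-servers address web2
set security zones security-zone untrust address-book address partner-net 198.51.100.0/24
set security zones security-zone trust interfaces ge-0/0/1.0
set security policies from-zone trust to-zone untrust policy allow-web match source-address web-servers
"""

ZONE_DEFINED_RE = re.compile(
    r"^set security zones security-zone (?P<zone>\S+) address-book (?P<rest>.+)$")
ZONE_ATTACHED_RE = re.compile(r"^set security address-book (?P<book>\S+) ")


def check_preconditions(lines):
    """Apply the restrictions the text lists for the scripts."""
    has_zone_defined = any(ZONE_DEFINED_RE.match(l) for l in lines)
    attached_books = set()
    for l in lines:
        m = ZONE_ATTACHED_RE.match(l)
        if m:
            attached_books.add(m.group("book"))
    if has_zone_defined and attached_books:
        raise ValueError("zone-defined and zone-attached address books are both present; "
                         "commit a single format first")
    if "global" in attached_books:
        raise ValueError("a global address book exists; the scripts cannot run")


def to_zone_attached(config_text):
    """Rewrite zone-defined address-book lines into zone-attached form.

    Each zone's entries go to a book named <zone>-address-book, which is then
    attached to that zone with 'attach zone'. Lines that are not address-book
    lines (interfaces, policies, NAT rules) are returned unchanged; the text
    notes that NAT prefixes are unaffected by the upgrade.
    """
    lines = [l for l in config_text.splitlines() if l.strip()]
    check_preconditions(lines)
    out, zones_seen = [], []
    for line in lines:
        m = ZONE_DEFINED_RE.match(line)
        if not m:
            out.append(line)
            continue
        zone = m.group("zone")
        out.append(f"set security address-book {zone}-address-book {m.group('rest')}")
        if zone not in zones_seen:
            zones_seen.append(zone)
    for zone in zones_seen:
        out.append(f"set security address-book {zone}-address-book attach zone {zone}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_zone_attached(ZONE_DEFINED), end="")
```

Address-set membership lines convert the same way as plain addresses because an address-set under a zone refers to addresses in that zone's own book, and the whole book moves together; the policy line that references web-servers needs no change since address names are unchanged.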
Upgrade and Downgrade Support Policy for Junos OS Releases
Support for upgrades and downgrades that span more than three Junos OS releases at
a time is not provided, except for releases that are designated as Extended End-of-Life
(EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can
upgrade directly from one EEOL release to the next EEOL release even though EEOL
releases generally occur in increments beyond three releases.
You can upgrade or downgrade to the EEOL release that occurs directly before or after
the currently installed EEOL release, or to two EEOL releases before or after. For example,
Junos OS Releases 10.0, 10.4, and 11.4 are EEOL releases. You can upgrade from Junos OS
Release 10.0 to Release 10.4 or even from Junos OS Release 10.0 to Release 11.4. However,
you cannot upgrade directly from a non-EEOL release that is more than three releases
ahead or behind. For example, you cannot directly upgrade from Junos OS Release 10.3
(a non-EEOL release) to Junos OS Release 11.4 or directly downgrade from Junos OS
Release 11.4 to Junos OS Release 10.3.
To upgrade or downgrade from a non-EEOL release to a release more than three releases
before or after, first upgrade to the next EEOL release and then upgrade or downgrade
from that EEOL release to your target release.
For more information about EEOL releases and to review a list of EEOL releases, see
http://www.juniper.net/support/eol/junos.html .
Upgrade Policy for Junos OS Extended End-Of-Life Releases
Support for upgrades and downgrades that span more than three Junos OS releases at
a time is not provided, except for releases that are designated as Extended End-of-Life
(EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can
upgrade directly from one EEOL release to the next EEOL release even though EEOL
releases generally occur in increments beyond three releases.
You can upgrade or downgrade to the EEOL release that occurs directly before or after
the currently installed EEOL release, or to two EEOL releases before or after. For example,
Junos OS Releases 10.0, 10.4, and 11.4 are EEOL releases. You can upgrade from Junos
OS Release 10.0 to Release 10.4 or even from Junos OS Release 10.0 to Release 11.4.
However, you cannot upgrade directly from a non-EEOL release that is more than three
releases ahead or behind. For example, you cannot directly upgrade from Junos OS
Release 10.3 (a non-EEOL release) to Junos OS Release 11.4 or directly downgrade from
Junos OS Release 11.4 to Junos OS Release 10.3.
To upgrade or downgrade from a non-EEOL release to a release more than three releases
before or after, first upgrade to the next EEOL release and then upgrade or downgrade
from that EEOL release to your target release.
For more information on EEOL releases and to review a list of EEOL releases, see
http://www.juniper.net/support/eol/junos.html .
Hardware Requirements
Transceiver Compatibility for SRX Series Devices
We strongly recommend that only transceivers provided by Juniper Networks be used
on SRX Series interface modules. Different transceiver types (long-range, short-range,
copper, and others) can be used together on multiport SFP interface modules as long
as they are provided by Juniper Networks. We cannot guarantee that the interface module
will operate correctly if third-party transceivers are used.
Please contact Juniper Networks for the correct transceiver part number for your device.
Related Documentation
• New and Changed Features on page 4
• Changes in Behavior and Syntax on page 15
• Known Behavior on page 19
• Known Issues on page 28
• Resolved Issues on page 34
• Documentation Updates on page 47
Product Compatibility
• Hardware Compatibility on page 56
Hardware Compatibility
To obtain information about the components that are supported on the device, and
special compatibility guidelines with the release, see the SRX Series Hardware Guide.
To determine the features supported on SRX Series devices in Junos OS Release
12.1X47-D10, use the Juniper Networks Feature Explorer, a Web-based application that
helps you to explore and compare Junos OS feature information to find the right software
release and hardware platform for your network. Find Feature Explorer at:
http://pathfinder.juniper.net/feature-explorer/.
Third-Party Components
This product includes third-party components. To obtain a complete list of third-party
components, see Copyright and Trademark Information.
Finding More Information
For the latest, most complete information about known and resolved issues with the
Junos OS, see the Juniper Networks Problem Report Search application at:
http://prsearch.juniper.net.
Juniper Networks Feature Explorer is a Web-based application that helps you to explore
and compare Junos OS feature information to find the correct software release and
hardware platform for your network. Find Feature Explorer at:
http://pathfinder.juniper.net/feature-explorer/.
Juniper Networks Content Explorer is a Web-based application that helps you explore
Juniper Networks technical documentation by product, task, and software release, and
download documentation in PDF format. Find Content Explorer at:
http://www.juniper.net/techpubs/content-applications/content-explorer/.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:
• Online feedback rating system—On any page at the Juniper Networks Technical
Documentation site at http://www.juniper.net/techpubs/index.html, simply click the
stars to rate the content, and use the pop-up form to provide us with information about
your experience. Alternately, you can use the online feedback form at
https://www.juniper.net/cgi-bin/docbugreport/.
• E-mail—Send your comments to [email protected]. Include the document
or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need postsales technical support, you can access
our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/customers/support/downloads/710059.pdf.
• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
• JTAC Hours of Operation —The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/
• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, visit us at
http://www.juniper.net/support/requesting-support.html.
If you are reporting a hardware or software problem, issue the following command from
the CLI before contacting support:
user@host> request support information | save filename
To provide a core file to Juniper Networks for analysis, compress the file with the gzip
utility, rename the file to include your company name, and copy it to
ftp.juniper.net/pub/incoming. Then send the filename, along with software version
information (the output of the show version command) and the configuration, to
[email protected]. For documentation issues, fill out the bug report form located at
https://www.juniper.net/cgi-bin/docbugreport/.
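The core-file preparation described above (compress with gzip, rename to include your company name) as a small POSIX shell helper. This is an added example, not a script shipped by Juniper: the filename pattern <company>-<original-name>.gz is an assumption, and the upload to ftp.juniper.net/pub/incoming is deliberately left to the operator, since plain FTP sends the file unencrypted and you may want to route it through your own change-control first. The helper verifies the archive with gzip -t before printing its path, so a truncated or corrupt upload candidate is caught locally rather than by JTAC.

```shell
#!/bin/sh
# Added example (not from the Juniper release notes): prepare a core file
# for submission to JTAC. Compresses the file with gzip and renames it so
# the company name is in the filename, as the text above asks for.
# Naming pattern <company>-<original-name>.gz is an assumption, not a
# Juniper requirement. Upload (ftp.juniper.net/pub/incoming) is left to
# the operator; this script only produces the artifact locally.
#
# Collect the RSI first on the device, as the release notes say:
#   user@host> request support information | save filename

# package_core <core-file> <company-name>
# Prints the path of the compressed, renamed file on success; returns
# non-zero if the input is missing or the archive fails verification.
package_core() {
    core="$1"
    company="$2"
    [ -f "$core" ] || { echo "no such file: $core" >&2; return 1; }
    # Keep only characters that are safe in a filename for the company tag.
    tag=$(printf '%s' "$company" | tr -c 'A-Za-z0-9_.-' '_')
    out="$(dirname "$core")/${tag}-$(basename "$core").gz"
    # -c writes to stdout so the original core file is left untouched.
    gzip -9 -c "$core" > "$out" || return 1
    # Verify the archive decompresses cleanly before it is shipped anywhere.
    gzip -t "$out" || { rm -f "$out"; return 1; }
    printf '%s\n' "$out"
}

# Typical use (constructed paths): package_core /var/tmp/core.flowd.0 "Example Corp"
```

Send the printed filename, the output of show version, and the configuration to JTAC as the text above describes; the original core file is left in place so you can re-run the helper if the archive is rejected.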
Revision History
17 September 2014, Revision 3: Junos OS 12.1X47-D10 for the SRX Series.
Copyright © 2014, Juniper Networks, Inc. All rights reserved.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.